Verification of Infinite-State Systems Ahmed Bouajjani LIAFA - - - PowerPoint PPT Presentation

Verification of Infinite-State Systems

Ahmed Bouajjani LIAFA - University of Paris 7 Genova - November 2002

1

Why Consider Infinite-State Systems ? Real-time Constraints Embedded systems, telecommunication protocols, etc. Infinite Data Domains - Unbounded Data Structures Counters, queues, etc. Unbounded Control Structures Recursive calls, dynamic creation of processes, mobility, etc. Parametrization Parametric bounds, networks of arbitrary number of identical processes.

2

Various Models Extended Automata = FSA + Guarded Commands

• Timed automata - Hybrid automata
• Petri Nets - Vector Addition Systems - Counter automata
• Pushdown automata
• FIFO Channel Systems

Process Calculi - Rewrite Systems CCS, π-calculus, Process Rewrite Systems (BPA, BPP, PA, . . .), etc.

3

Parametrized Networks Sn = P1 || P2|| · · · || Pn ∀n. Sn | = ϕ(n)

4

Parametrized Networks Sn = P1 || P2|| · · · || Pn ∀n. Sn | = ϕ(n) Dimensions of Infinity Pi : finite-state / infinite-state Network Topology

• Unstructured networks
• Linear / Ring topology
• Tree-like topology
• Grids, Hypercubes, etc.

5

Unstructured Parametrized Networks Identities of processes are not relevant

6

Unstructured Parametrized Networks Identities of processes are not relevant Counter Abstraction

• Associate with each control location q a counter cq
• Associate with a transition q → r :

cq > 0 / {cq := cq − 1; cr := cr + 1}

7

Unstructured Parametrized Networks Identities of processes are not relevant Counter Abstraction

• Associate with each control location q a counter cq
• Associate with a transition q → r :

cq > 0 / {cq := cq − 1; cr := cr + 1} Exact Abstraction for Unstructured Networks

• Broadcast protocols [Emerson et al.], [Esparza, Finkel, Mayr], [Delzanno]
• Cache coherence protocols [Lesens, Saidi, 97], [Delzanno, 00],
• Multithreaded programs [Delzanno, Raskin, et al., 02], [Ball, Rajamani, 02],
• Group membership algorithms [B., Merceron, 02]

8

Word Rewriting Systems Let Σ be a finite alphabet. Rewrite systems Set of rewrite rules : α ֒ → β , where α, β ∈ Σ∗.

9

Word Rewriting Systems Let Σ be a finite alphabet. Rewrite systems Set of rewrite rules : α ֒ → β , where α, β ∈ Σ∗. Rewrite policy

• Prefix rewriting:

u = ⇒ v iff u = αw and v = βw

• Cyclic rewriting:

u = ⇒ v iff u = αw and v = wβ

• Factor rewriting:

u = ⇒ v iff u = w1αw2 and v = w1βw2

10

Sequential Programs with Recursive Procedures

• Finite (abstract) data domain
• Program

− → Control Flow Graph − → Prefix Rewriting System Internal Action : ℓ1

a

− → ℓ2 L1 ֒ → L2 Procedure Call : ℓ1

call(X)

− → ℓ2 L1 ֒ → Xinit · L2 Termination : ℓ : END L ֒ → ǫ

11

Parametrized Networks with a Linear/Ring Topology Let P be a finite-state process. Let Q be the set of control states of P. Consider n copies of P: P1 P2 . . . Pn

12

Parametrized Networks with a Linear/Ring Topology Let P be a finite-state process. Let Q be the set of control states of P. Consider n copies of P: P1 P2 . . . Pn Uniform reasoning for an arbitrary n

• A configuration = word over the alphabet Q,
• An operation = word rewrite rule.

13

Parametrized Networks with a Linear/Ring Topology Let P be a finite-state process. Let Q be the set of control states of P. Consider n copies of P: P1 P2 . . . Pn Uniform reasoning for an arbitrary n

• A configuration = word over the alphabet Q,
• An operation = word rewrite rule.

Example : Token passing

• P has two states 0 and 1
• A configuration : a word over {0, 1}∗
• Left to right token passing action :

10 ֒ → 01

14

Term Rewriting Systems Let Σ = Σ0 ∪ Σ1 ∪ Σ2 ∪ . . . be a ranked alphabet. Let X be a set of variables. Σ-terms The set of Σ-terms T (Σ) is the smallest set such that:

• X ⊆ T (Σ),
• ∀a ∈ Σk. ∀t1, . . . , tk ∈ T (Σ). a(t1, . . . , tk) ∈ T (Σ)

15

Term Rewriting Systems Let Σ = Σ0 ∪ Σ1 ∪ Σ2 ∪ . . . be a ranked alphabet. Let X be a set of variables. Σ-terms The set of Σ-terms T (Σ) is the smallest set such that:

• X ⊆ T (Σ),
• ∀a ∈ Σk. ∀t1, . . . , tk ∈ T (Σ). a(t1, . . . , tk) ∈ T (Σ)

Term Rewrite Systems Set of rewrite rules : t1 ֒ → t2, where t1, t2 ∈ T (Σ)

16

Term Rewriting Systems Let Σ = Σ0 ∪ Σ1 ∪ Σ2 ∪ . . . be a ranked alphabet. Let X be a set of variables. Σ-terms The set of Σ-terms T (Σ) is the smallest set such that:

• X ⊆ T (Σ),
• ∀a ∈ Σk. ∀t1, . . . , tk ∈ T (Σ). a(t1, . . . , tk) ∈ T (Σ)

Term Rewrite Systems Set of rewrite rules : t1 ֒ → t2, where t1, t2 ∈ T (Σ) Rewrite policy Constaints on the context of rewriting, Closure under equivalences (e.g. associativity-commutativity of some symbols).

17

Parallel Programs with Recursive Procedures Program − → Control Flow Graph − → PA rewrite system Internal Action : ℓ1

a

− → ℓ2 L1 ֒ → L2 Procedure Call : ℓ1

call(X)

− → ℓ2 L1 ֒ → Xinit · L2 Parallel Call : ℓ1

pcall(X)

− → ℓ2 L1 ֒ → Xinit || L2 Termination : ℓ : END L ֒ → 0

18

1 1 1 1 ⊥(1(x, y), z) ֒ → 1(1(x, y), z) ⊥(z, 1(x, y)) ֒ → 1(z, 1(x, y)) ⊥(0(x, y), 0(z, t)) ֒ → 0(0(x, y), 0(z, t)) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥ ⊥

Figure 1: Parametrized Networks with a Tree-like Topology 19

1 1 1 1 ⊥(1(x, y), z) ֒ → 1(1(x, y), z) ⊥(z, 1(x, y)) ֒ → 1(z, 1(x, y)) ⊥(0(x, y), 0(z, t)) ֒ → 0(0(x, y), 0(z, t)) 1 1 1 ⊥ ⊥ ⊥

Figure 2: Parametrized Networks with a Tree-like Topology 20

1 1 1 1 ⊥(1(x, y), z) ֒ → 1(1(x, y), z) ⊥(z, 1(x, y)) ֒ → 1(z, 1(x, y)) ⊥(0(x, y), 0(z, t)) ֒ → 0(0(x, y), 0(z, t)) 1 1 1 ⊥ 1 1

Figure 3: Parametrized Networks with a Tree-like Topology 21

1 1 1 1 ⊥(1(x, y), z) ֒ → 1(1(x, y), z) ⊥(z, 1(x, y)) ֒ → 1(z, 1(x, y)) ⊥(0(x, y), 0(z, t)) ֒ → 0(0(x, y), 0(z, t)) 1 1 1 1 1 1

Figure 4: Parametrized Networks with a Tree-like Topology 22

Reachability Analysis Let C be the set of all configurations, and let ρ ⊆ C × C be a transition relation. Given a set of configuration C ⊆ C, Compute ρ∗(C) = C ∪ ρ(C) ∪ ρ2(C) ∪ · · · Forward reachability analysis: ρ = post Backward reachability analysis: ρ = pre

23

Verification of (Safety) Properties Example : Invariance properties Init ⇒ ✷Good Forward analysis post∗(Init) ∩ Good = ∅ Backward analysis Init ∩ pre∗(Good) = ∅

24

Generation of Finite Abstractions Let G = (C, Init, ⇒) be the infinite transition graph of a system. Given a finite partition ∼ of post∗(Init), let G∼ be the finite quotient graph (post∗(Init), Init, ⇒)/ ∼.

• G∼ simulates G (i.e., G ⊑ G∼),
• G∼ |

= ϕ ⇒ G | = ϕ, for ϕ in some universal fragment of a temporal logic (e.g. ∀CTL∗).

25

Computing Transitive Closures Find

• Classes of Relations R, and
• Classes of Sets of Configurations C, such that

– ∀ρ ∈ R. ∀C ∈ C. ρ∗(C) ∈ C and is effectively constructible,

26

Computing Transitive Closures Find

• Classes of Relations R, and
• Classes of Sets of Configurations C, such that

– ∀ρ ∈ R. ∀C ∈ C. ρ∗(C) ∈ C and is effectively constructible, – The class C is effectively closed under boolean operation (∪ and ∩), and the emptyness (and inclusion) problem(s) is (are) decidable.

27

Computing Transitive Closures Find

• Classes of Relations R, and
• Classes of Sets of Configurations C, such that

– ∀ρ ∈ R. ∀C ∈ C. ρ∗(C) ∈ C and is effectively constructible, – The class C is effectively closed under boolean operation (∪ and ∩), and the emptyness (and inclusion) problem(s) is (are) decidable. Usual Restrictions

• Operations (tests, updates, etc)
• Control Structure the Models (control loops, sets of self-loops, etc)
• Network topology (unstructured, rings, sequences, etc)

28

When it works Pushdown Systems Configuration = q, w where q is a control state, and w is a word. Set of configurations =

q{q} × Lq where Lq is a word language.

29

When it works Pushdown Systems Configuration = q, w where q is a control state, and w is a word. Set of configurations =

q{q} × Lq where Lq is a word language.

Thm [B., Esparza, Maler, 97]: For every regular set of configurations C, the sets post∗(C) and pre∗(C) are regular and effectively constructible. [B¨ uchi 60’s], [Caucal 92], [Finkel, Wolper, Willems, 97], ...

30

When it works Pushdown Systems Configuration = q, w where q is a control state, and w is a word. Set of configurations =

q{q} × Lq where Lq is a word language.

Thm [B., Esparza, Maler, 97]: For every regular set of configurations C, the sets post∗(C) and pre∗(C) are regular and effectively constructible. [B¨ uchi 60’s], [Caucal 92], [Finkel, Wolper, Willems, 97], ... Application to Interprocedural Program Analysis [Esparza, Knoop, 99], [Esparza, Schwoon, 01], [Ball, Rajamani, et al.]

31

When it works (cont.) PA processes Configuration = PA term = tree. Set of configurations = tree language.

32

When it works (cont.) PA processes Configuration = PA term = tree. Set of configurations = tree language. Thm [Lugiez, Schnoebelen, 98]: For every regular (finite tree-automata definable) set C, the sets post∗(C) and pre∗(C) are regular and effectively constructible. (structural equivalences are not considered.)

33

When it works (cont.) PA processes Configuration = PA term = tree. Set of configurations = tree language. Thm [Lugiez, Schnoebelen, 98]: For every regular (finite tree-automata definable) set C, the sets post∗(C) and pre∗(C) are regular and effectively constructible. (structural equivalences are not considered.) Application to the analysis of parallel recursive programs [Esparza, Podelski, 00]

34

Reachability Analysis (revisited) Let ρ ⊆ C × C be a transition relation. Iterative fixpoint computation Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ρ(Xi) until the condition Xi+1 ⊆ Xi holds.

35

Symbolic Reachability Analysis Let ρ ⊆ C × C be a transition relation. Iterative fixpoint computation Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ρ(Xi) until the condition Xi+1 ⊆ Xi holds. Finite Symbolic Representation Structures

• Effectively closed under ∪ and ∩, and the application of ρ,
• Inclusion and emptyness problems are decidable.

36

Symbolic Reachability Analysis : Termination Let ρ ⊆ C × C be a transition relation. Iterative fixpoint computation Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ρ(Xi) until the condition Xi+1 ⊆ Xi holds. Finite Symbolic Representation Structures

• Effectively closed under ∪ and ∩, and the application of ρ,
• Inclusion and emptyness problems are decidable.

Termination ⇒ ∃i > 0. Xi+1 ⊆ Xi ?

37

When it terminates

[Abdulla, Jonsson, et al., 96]

• ⊑ a Well Quasi Ordering: ∀a0, a1, a2, . . . , ∃i < j, ai ⊑ aj
• Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. ∃c′
• 2. c2 =

⇒ c′

2 and c′ 1 ⊑ c′ 2

38

When it terminates

[Abdulla, Jonsson, et al., 96]

• ⊑ a Well Quasi Ordering: ∀a0, a1, a2, . . . , ∃i < j, ai ⊑ aj
• Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. ∃c′
• 2. c2 =

⇒ c′

2 and c′ 1 ⊑ c′ 2

• Strongly Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. c2 =

⇒ c′

1

39

When it terminates

[Abdulla, Jonsson, et al., 96]

• ⊑ a Well Quasi Ordering: ∀a0, a1, a2, . . . , ∃i < j, ai ⊑ aj
• Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. ∃c′
• 2. c2 =

⇒ c′

2 and c′ 1 ⊑ c′ 2

• Strongly Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. c2 =

⇒ c′

1

• Lemma: For MS (SMS), pre and pre∗ -images of ⊑-upward closed sets

(any sets) are ⊑-upward closed sets.

40

When it terminates

[Abdulla, Jonsson, et al., 96]

• ⊑ a Well Quasi Ordering: ∀a0, a1, a2, . . . , ∃i < j, ai ⊑ aj
• Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. ∃c′
• 2. c2 =

⇒ c′

2 and c′ 1 ⊑ c′ 2

• Strongly Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. c2 =

⇒ c′

1

• Lemma: For MS (SMS), pre and pre∗ -images of ⊑-upward closed sets

(any sets) are ⊑-upward closed sets.

• Lemma: Upward closed set ⇒ finite number of minimals.

41

When it terminates

[Abdulla, Jonsson, et al., 96]

• ⊑ a Well Quasi Ordering: ∀a0, a1, a2, . . . , ∃i < j, ai ⊑ aj
• Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. ∃c′
• 2. c2 =

⇒ c′

2 and c′ 1 ⊑ c′ 2

• Strongly Monotonic System w.r.t. ⊑

∀c1, c′

• 1. c1 =

⇒ c′

• 1. ∀c2. c1 ⊑ c2. c2 =

⇒ c′

1

• Lemma: For MS (SMS), pre and pre∗ -images of ⊑-upward closed sets

(any sets) are ⊑-upward closed sets.

• Lemma: Upward closed set ⇒ finite number of minimals.
• Thm: For MS (SMS), the backward reachability analysis terminates, starting

from a ⊑-upward closed set (any set).

42

Examples Petri Nets (coverability problem)

• Let ≤ = the natural ordering on integers, generalized to vectors,
• ≤ is a WQO (Dickson),
• PN are monotonic w.r.t. ≤.

43

Examples Petri Nets (coverability problem)

• Let ≤ = the natural ordering on integers, generalized to vectors,
• ≤ is a WQO (Dickson),
• PN are monotonic w.r.t. ≤.

Lossy FIFO Channel Systems

• Let = subword relation, generalized to vectors of words,
• Weak transition relation: ❀ = −1 ◦ =

⇒ ◦ −1,

• is a WQO (Higman),
• Lossy FIFO Channel Systems are strongly monotonic w.r.t. .

44

Other Examples

• Broadcast protocols [Emerson, Namjoshi, 98], [Esparza, Finkel, Mayr, 99]
• Timed automata [Alur, Dill, 90]
• Parametrized networks of 1-clock automata (unstructured networks)

[Abdulla, Jonsson, 98]

• Timed Petri Nets [Abdulla, Nylen, 01]
• Multiset rewrite systems [Delzanno, 02]

45

Symbolic Reachability Analysis (Again) Let ρ ⊆ C × C be a transition relation. Iterative fixpoint computation Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ρ(Xi) until the condition Xi+1 ⊆ Xi holds.

46

Symbolic Reachability Analysis + Acceleration Let ρ ⊆ C × C be a transition relation. Let ρ = ρ1 ∪ · · · ∪ ρn ∪ θ. Iterative fixpoint computation with meta-transitions Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ (ρ∗

1 ∪ · · · ∪ ρ∗ n ∪ θ)(Xi)

until the condition Xi+1 ⊆ Xi holds.

47

k!m0 E(m) k!m1 E(m) ℓ?0 ℓ?1 timeout timeout ℓ?0 ℓ?1 R(m) R(m) k?m1 k?m0 ℓ!1 ℓ!0 k?m1

Sender

k?m0

Receiver

Figure 5: Alternating Bit Protocol 48

FIFO Channel Systems 1-channel systems

• Symbolic representation structures = Finite state automata
• Thm [Boigelot & al., 97]:

For every control loop Θ, and any regular set C, Θ∗(C) is regular and effectively constructible.

49

FIFO Channel Systems n-channels systems

• Symbolic representation structures = Products of finite state automata

50

FIFO Channel Systems n-channels systems

• Symbolic representation structures = Products of finite state automata
• Effect of iterating control loops is not recognizable, in general.

E.g., {(an, bn) | n ≥ 0}

51

FIFO Channel Systems n-channels systems

• Symbolic representation structures = Products of finite state automata
• Effect of iterating control loops is not recognizable, in general.

E.g., {(an, bn) | n ≥ 0}

• ⇒ Conditions for preserving recognizability. [Boigelot & al., 97]

52

FIFO Channel Systems n-channels systems

• Symbolic representation structures = Products of finite state automata
• Effect of iterating control loops is not recognizable, in general.

E.g., {(an, bn) | n ≥ 0}

• ⇒ Conditions for preserving recognizability. [Boigelot & al., 97]
• ⇒ Structures for representing the effects of control loops:

CQDD = FSA + arithmetical constraints. [B., Habermehl, 97]

• Thm [B., Habermehl, 97]:

For every control loop Θ, and any CQDD set C, Θ∗(C) is CQDD definable and effectively constructible.

53

Lossy FIFO Channel Systems

• Thm [Abdulla,Jonsson/C´

ec´ e,Finkel,Iyer, 96] pre∗ and post∗ images are recognizable (regular) sets.

54

Lossy FIFO Channel Systems

• Thm [Abdulla,Jonsson/C´

ec´ e,Finkel,Iyer, 96] pre∗ and post∗ images are recognizable (regular) sets.

• Thm [Mayr 00] post∗ images are not constructible.

55

Lossy FIFO Channel Systems

• Thm [Abdulla,Jonsson/C´

ec´ e,Finkel,Iyer, 96] pre∗ and post∗ images are recognizable (regular) sets.

• Thm [Mayr 00] post∗ images are not constructible.
• Thm [Abdulla, B., Jonsson, 98]:

For every control loop Θ, and any recognizable set C, Θ∗(C) is recog- nizable and effectively constructible.

56

Lossy FIFO Channel Systems

• Thm [Abdulla,Jonsson/C´

ec´ e,Finkel,Iyer, 96] pre∗ and post∗ images are recognizable (regular) sets.

• Thm [Mayr 00] post∗ images are not constructible.
• Thm [Abdulla, B., Jonsson, 98]:

For every control loop Θ, and any recognizable set C, Θ∗(C) is recog- nizable and effectively constructible.

• Thm [Abdulla, Boasson, B., 01]:

For every set of “context-free” self-loops, and any recognizable set C, Θ∗(C) is recognizable and effectively constructible. κi ? a ; κ(i+1 mod n) ! w

57

Counter/Clock Automata Counter automata with Linear Operations Θ(X, X′) : X ≤ AX + B ∧ X′ = MX + N

58

Counter/Clock Automata Counter automata with Linear Operations Θ(X, X′) : X ≤ AX + B ∧ X′ = MX + N ⇒ Characterizing Θ such that Θ∗ is definable in Presburger arithmetic. [Boigelot, Wolper, 94], [Boigelot, 98], [Finkel, Leroux, 02] M, M2, M3, . . . ∃i, j. i < j. Mj = Mi

59

Counter/Clock Automata Counter automata with Linear Operations Θ(X, X′) : X ≤ AX + B ∧ X′ = MX + N ⇒ Characterizing Θ such that Θ∗ is definable in Presburger arithmetic. [Boigelot, Wolper, 94], [Boigelot, 98], [Finkel, Leroux, 02] M, M2, M3, . . . ∃i, j. i < j. Mj = Mi Timed automata Thm: The reachability relation is expressible in (mixed) linear arithmetic. [Comon, Jursky, 98], [Dima, 02]

60

Symobolic Reachability Analysis (again and again) Let ρ ⊆ C × C be a transition relation. Iterative fixpoint computation Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ρ(Xi) until the condition Xi+1 ⊆ Xi holds.

61

Symobolic Reachability Analysis + Acceleration (version 2) Let ρ ⊆ C × C be a transition relation. Iterative fixpoint computation with extrapolation Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ∇(Xi, ρ(Xi)) until the condition Xi+1 ⊆ Xi holds. ⇒ ∇ = Widening operator [Cousot, Cousot, 77].

62

Extrapolation techniques (examples) Widening on polyhedra Principle : Remove translated bounds [Cousot, Halbwachs, 78] [2, 2], [2, 4], [2, 6], . . .

63

Extrapolation techniques (examples) Widening on polyhedra Principle : Remove translated bounds [Cousot, Halbwachs, 78] [2, 2], [2, 4], [2, 6], . . . ❀ [2, +∞)

64

Extrapolation techniques (examples) Widening on polyhedra Principle : Remove translated bounds [Cousot, Halbwachs, 78] [2, 2], [2, 4], [2, 6], . . . ❀ [2, +∞) ⇒ Termination is guaranteed.

65

Extrapolation techniques (examples) Widening on polyhedra Principle : Remove translated bounds [Cousot, Halbwachs, 78] [2, 2], [2, 4], [2, 6], . . . ❀ [2, +∞) ⇒ Termination is guaranteed. Widening on Parametric DBMs Principle : Detect periodicities [Asarin, Annichini, B., 00] [2, 2], [2, 4], [2, 6], . . .

66

Extrapolation techniques (examples) Widening on polyhedra Principle : Remove translated bounds [Cousot, Halbwachs, 78] [2, 2], [2, 4], [2, 6], . . . ❀ [2, +∞) ⇒ Termination is guaranteed. Widening on Parametric DBMs Principle : Detect periodicities [Asarin, Annichini, B., 00] [2, 2], [2, 4], [2, 6], . . . [2, 4] − [2, 2] = [2, 6] − [2, 4] = [0, 2]

67

Extrapolation techniques (examples) Widening on polyhedra Principle : Remove translated bounds [Cousot, Halbwachs, 78] [2, 2], [2, 4], [2, 6], . . . ❀ [2, +∞) ⇒ Termination is guaranteed. Widening on Parametric DBMs Principle : Detect periodicities [Asarin, Annichini, B., 00] [2, 2], [2, 4], [2, 6], . . . ❀ [2, 2] + n[0, 2], n ≥ 0 [2, 4] − [2, 2] = [2, 6] − [2, 4] = [0, 2]

68

Symbolic Reachability Analysis + Acceleration (version 3) Combined acceleration techniques = meta-transitions + widening Let ρ ⊆ C × C be a transition relation. Let ρ = ρ1 ∪ · · · ∪ ρn ∪ θ. Given a set of configurations C ⊆ C, compute X0, X1, X2, . . . where, X0 = C Xi+1 := Xi ∪ ∇(Xi, (ρ∗

1 ∪ · · · ∪ ρ∗ n ∪ θ)(Xi))

until the condition Xi+1 ⊆ Xi holds.

69

Regular Model Checking Finite State Automata = BDD for Infinite State Systems A Generic Framework

[Pnueli et al., 97], [Boigelot, Wolper, 98], [B., Nilsson, Jonsson, Touili, 00]

• Set of configurations = regular set of words / trees
• Operations = relations between configurations = word / tree transducers
• Reachability analysis =

⇒ computing transitive closures of regular relations Applications

• Linear arithmetical constraints (e.g., LASH [Boigelot, Wolper, et al.])
• Sequence / tree - like data structures (stacks, queues, etc.)
• Parametrized networks
• Term rewrite systems (e.g., multithreaded programs [B., Touili, 02])

70

Regular Model Checking Finite State Automata = BDD for Infinite State Systems Computing transitive closures

• Transducer state-space quotienting

[Jonsson, Nilsson, 00], [B., Jonsson, Nilsson, Touili, 00], [Dams, Martin, Lakhnech, 01], [Abdulla, Jonsson, Mahata, d’Orso, 02], [Abdulla, Jonsson, Nilsson, d’Orso, 02]

• Widening operations on word/tree automata

[B., Jonsson, Nilsson, Touili, 00], [Touili 01], [B., Touili 02]

Completeness results

[Jonsson, Nilsson, 00], [Touili, 01], [B., Touili, 02]

71

Other approaches / related work

• Finite-quotient w.r.t. behavioural equivalences

(e.g., [Alur, Dill, 90], [Henzinger, et al.] for linear hybrid systems)

• Finite abstraction (Predicate abstraction)

[Graf, Saidi, 97], [Bensalem, Lakhnech, Owre, 97], [Kesten, Pnueli, et al.], [Dill et al], ...

• Invariant checking / Network invariant checking

[Manna, Pnueli, et al], [Wolper, Lovinfosse, 89], [Clarke, Grumberg, Jha, 95], etc.

• Abstract interpretation

[Cousot, Cousot, 77], etc.

72

Further Work

• Dynamism, mobility, etc. : more complex structures
• Multiple sources of infinity, multi-dimensional parametrization
• Symbolic techniques for heterogeneous systems
• Liveness properties
• Quantitative aspects, probabilistic models

73