Regular Model Checking
Parosh Aziz Abdulla
Uppsala University
Cooperation with B. Jonsson, M. Nilsson, J. d’Orso
Outline
Model Checking
Infinite-State Systems
Parameterized Systems
Regular Model Checking
Column Transducer Construction
Sufficient Conditions for Exactness
Future Work
Model Checking
S sat ? (does the system S satisfy its specification?)
Infinite State Systems
1. Unbounded Data Structures
• Timed Automata
• Push-Down Automata
• Communicating Finite State Automata
• Counter Automata
2. Unbounded Control Structures
• Parameterized Systems
• Dynamic Systems
Parameterized Systems
• Mutual exclusion protocols
• Cache coherence protocols
• Broadcast protocols
Dynamic Systems
• Security protocols
• Multi-threaded programs
Model Checking
S sat ? (here S is a parameterized system, checked against its specification)
Classification
• S : topology, components, communication mechanisms
• Properties : safety properties, liveness properties
Topology
• set
• array
• tree
• matrix
Components
• Simple: finite state process
• Extended: clocks, counters, buffers, etc.
Communication Mechanism
• binary (rendez-vous)
• broadcast
• neighbour
• global
Simplest Case: Set + Finite-state + Rendez-vous
[Figure: a set of identical finite-state processes, each with the two local states W and C]
Example: Parameterized mutual exclusion
[Figure: three of the processes; in each one the transition W -> C is labelled with the guard R=0? and the action R:=1, and the transition C -> W with the action R:=0]
Counter abstraction = Petri net
Petri Net Model
[Figure: places W, C and (R=0); the transition from W to C consumes the token in (R=0) (guard R=0?, action R:=1), the transition from C back to W puts it back (action R:=0)]
Initial marking: no token in C, 1 token in (R=0)
Bad markings: at least 2 tokens in C
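The counter abstraction of the slide, as an added worked example in Python; it is not code from the slides or from the authors' tool. It builds the Petri net with places W, C and (R=0), explores the markings reachable from the initial marking for a fixed number n of processes, and checks the bad markings (at least 2 tokens in C). A second net, UNGUARDED, is this example's own construction: it drops the guard R=0? so that the same check finds a violation. The names (PROTOCOL, reachable, violations, ...) are this example's own.

```python
# Added example (not from the slides): counter abstraction of the parameterized
# mutual-exclusion protocol as a Petri net, explored for a fixed number n of
# processes. Names (PROTOCOL, reachable, violations, ...) are this example's own.
from collections import deque

# Places: W (waiting), C (critical), R0 (the shared variable R equals 0).
W, C, R0 = 0, 1, 2

# Transition = (tokens consumed, tokens produced), one entry per place.
# enter: guard R=0?, action R:=1 -> consumes the R0 token together with a W token
# leave: action R:=0 -> gives the R0 token back
PROTOCOL = {
    "enter": ((1, 0, 1), (0, 1, 0)),
    "leave": ((0, 1, 0), (1, 0, 1)),
}
# Constructed for comparison: a broken variant whose enter transition ignores R.
UNGUARDED = {
    "enter": ((1, 0, 0), (0, 1, 0)),
    "leave": ((0, 1, 0), (1, 0, 0)),
}


def initial_marking(n):
    """n processes in W, none in C, one token in R0 (the slide's initial marking)."""
    return (n, 0, 1)


def fire(marking, transition):
    """Fire a transition if it is enabled; return the new marking or None."""
    consumed, produced = transition
    if any(marking[p] < consumed[p] for p in range(len(marking))):
        return None
    return tuple(marking[p] - consumed[p] + produced[p] for p in range(len(marking)))


def reachable(n, net=PROTOCOL):
    """All markings reachable from the initial marking for n processes."""
    start = initial_marking(n)
    seen, todo = {start}, deque([start])
    while todo:
        m = todo.popleft()
        for transition in net.values():
            nxt = fire(m, transition)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def is_bad(marking):
    """Bad marking: at least two tokens in C (mutual exclusion violated)."""
    return marking[C] >= 2


def violations(n, net=PROTOCOL):
    """Reachable bad markings; empty means mutual exclusion holds for n processes."""
    return {m for m in reachable(n, net) if is_bad(m)}


if __name__ == "__main__":
    for n in range(1, 6):
        print(n, "processes: guarded", sorted(violations(n)),
              "unguarded", sorted(violations(n, UNGUARDED)))
```

The guarded net never has more than one token in C because the single (R=0) token is consumed on entry; the unguarded net reaches (0, 2, 1) with two processes already. Running the search for one n at a time is the non-parameterized check; the slide's point is that the same Petri net represents every n at once.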
Parameterized System of Finite-State Processes (German & Sistla)
Finite-state process
Synchronize: [figure]
Parameterized System
Petri Net Representation [figure]
Parameterized System of Timed Processes (Timed Networks)
timed process
Synchronize: [figure]
Parameterized System
Timed Petri Net Representation
[Figure: a timed process with clock x, reset x:=0 and guard x<5; the timed Petri net is annotated with the intervals [0:0] and [0:5]]
Array of Finite-State Processes
in general: undecidable
use Regular Model Checking [Kesten et al 97]
Example: Szymanski’s Algorithm
Pseudocode for process i
1: await j : j i :: sj
2: wi , si := true,true
3: if j : j i :: (pcj 1 /\ wj) then si := false; goto 4 else wi := false; goto 5
4: await j : j i :: (sj /\ wj) then wi , si := false,true
5: await j : j i :: wj
6: await j : j i :: sj
7: si := false; goto 1
Linear Process Networks: Token Passing
T N N N N
N T N N N
N N T N N
(the token T is passed one position to the right at each step)
Token Passing: Model
Alphabet : S = {N , T }
Configurations : words over S
Initial Configurations : T N* (regular lang.)
Transition Relation : transducer R
[Figure: R has states q0 (initial), q1 and q2 (final), with edges q0 -N/N-> q0, q0 -T/N-> q1, q1 -N/T-> q2, q2 -N/N-> q2]
A Run of the Transducer :
T N N N  (initial configuration, in T N*)
  R
N T N N
  R
N N T N
  R
N N N T
Symbolic Run of the Transducer :
T N*  (initial configurations)
  R
N T N*
  R
N N T N*
  R
N N N T N*
Termination ?
Ideally: compute:
R* (T N*) = N* T N*
Column Transducer
Repeated runs of R (states q0 q1 q2) on T N N N N; each line of states records the run of R between the two configurations around it:
T N N N N
  q0 q1 q2 q2 q2 q2
N T N N N
  q0 q0 q1 q2 q2 q2
N N T N N
  q0 q0 q0 q1 q2 q2
N N N T N
  q0 q0 q0 q0 q1 q2
N N N N T
Read vertically, the state sequences form the columns q0q0q0q0, q1q0q0q0, q2q1q0q0, q2q2q1q0, q2q2q2q1, q2q2q2q2.
Column Transducer
Configurations : columns – members of S
Transitions : a column (q0 q1 q2 q3) has a transition x/y to the column (r0 r1 r2 r3) if there are symbols a, b, c, d, e with a = x and e = y such that q0 -a/b-> r0, q1 -b/c-> r1, q2 -c/d-> r2 and q3 -d/e-> r3 are transitions of R [figure]
Initial configurations : columns of initial states
Final configurations : columns of final states
Example : Token passing
R: q0 -N/N-> q0, q0 -T/N-> q1, q1 -N/T-> q2, q2 -N/N-> q2
initial columns : q0, q0q0, q0q0q0, q0q0q0q0, ...
final columns : q2, q2q2, q2q2q2, q2q2q2q2, ...
transitions : e.g. the rows of the column q2q1q0q0 take the R-transitions q2 -N/N-> q2, q1 -N/T-> q2, q0 -T/N-> q1, q0 -N/N-> q0 (intermediate symbols N, N, T, N, N), and therefore q2q1q0q0 -N/N-> q2q2q1q0
Transducer language = transitive closure
Problem : number of columns infinite !!
Solution : abstraction !!
Computing Abstract Transducer
Start with initial configurations (columns)
repeat
  • if x -a/b-> z and y -b/c-> w then add the stacked column xy with xy -a/c-> zw
  • define equivalence ≃ on columns
  • if x ≃ y then merge x and y
until construction stabilizes
Defining ≃
[Figure: a transducer drawn as three regions: left-copying states, non-copying states and right-copying states; the copying states carry loops labelled N/N and T/T]
x ≃ y if
x = y modulo deletion of identical left- or right-copying neighbours
Example : Token passing
R: q0 -N/N-> q0, q0 -T/N-> q1, q1 -N/T-> q2, q2 -N/N-> q2
Left-copying state : q0
Right-copying state : q2
Construction of the abstract transducer (built up step by step on the slides):
• the initial column q0 forms a class of its own; q0q0 ≃ q0 is merged into it
• q0 -T/N-> q1q0 (from the stacked column q0q0)
• q1q0 -N/N-> q2q1, and q2q1 -N/T-> q2q2 ≃ q2 is merged into q2
• q1q0 -N/N-> q2q1q0, q2q1q0 -N/N-> q2q1, and q2q1q0q0 ≃ q2q1q0 is merged into q2q1q0
• N/N loops on q0, q2 and q2q1q0
The construction stabilizes with the columns q0, q1q0, q2q1, q2q1q0 and q2 (the final state).
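The construction described on the slides above (the token-passing transducer, the symbolic runs, the column transducer and its quotient under ≃) is carried out below as an added worked example in Python; it is not code from the slides or from the regularmodelchecking.com implementation. The names (step, closure, copying_states, column_successors, build_quotient, ...) are this example's own. One point is an assumption made here rather than something the slides state: to compute the moves of an equivalence class, the example takes the reduced column together with the columns obtained by repeating each of its copying states once more, which reproduces the slides' exploration for token passing. The check at the end compares the quotient transducer with R+ computed by brute force on all words up to a given length, which is exactly the exactness question the next slides raise.

```python
# Added example (not from the slides): regular model checking of token passing.
# Names such as step, closure, copying_states, build_quotient are this example's own.
from itertools import product

# Token-passing transducer R (the slides' q0, q1, q2 as 0, 1, 2).
# Edge (p, a, b, r): from state p, read a, write b, move to r.
ALPHABET = ("N", "T")
INIT, FINAL = 0, 2
DELTA = {(0, "N", "N", 0), (0, "T", "N", 1), (1, "N", "T", 2), (2, "N", "N", 2)}


def image(edges, start, finals, word):
    """All outputs v with (word, v) accepted by a transducer given as an edge set."""
    frontier = {(start, "")}
    for a in word:
        frontier = {(r, out + b) for (q, out) in frontier
                    for (p, x, b, r) in edges if p == q and x == a}
    return {out for (q, out) in frontier if q in finals}


def step(word):
    """R(word): the token moves one position to the right."""
    return image(DELTA, INIT, {FINAL}, word)


def closure(word):
    """R+(word) by brute force; R is length-preserving, so the search is finite."""
    seen, todo = set(), {word}
    while todo:
        for v in step(todo.pop()):
            if v not in seen:
                seen.add(v)
                todo.add(v)
    return seen


def reach(start, arcs):
    """States reachable from start over (p, r) arcs."""
    seen, todo = set(), [start]
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.add(q)
            todo.extend(r for (p, r) in arcs if p == q)
    return seen


def copying_states():
    """Left-copying: every path from INIT to the state only copies (a/a).
    Right-copying: every path from the state to FINAL only copies."""
    fwd = {(p, r) for (p, a, b, r) in DELTA}
    bwd = {(r, p) for (p, r) in fwd}
    noncopy = [(p, r) for (p, a, b, r) in DELTA if a != b]
    fwd_reach, bwd_reach = reach(INIT, fwd), reach(FINAL, bwd)
    left, right = set(fwd_reach), set(bwd_reach)
    for (p, r) in noncopy:
        if p in fwd_reach:
            left -= reach(r, fwd)     # a non-copying edge can precede these states
        if r in bwd_reach:
            right -= reach(p, bwd)    # a non-copying edge can follow these states
    return left, right


def column_successors(col):
    """Moves (a, b, col') of the column transducer: the rows of col chain as
    a = x0 -> x1 -> ... -> xk = b, row i reading x(i-1) and writing xi."""
    moves = set()
    for a in ALPHABET:
        frontier = {(a, ())}
        for q in col:
            frontier = {(y, nxt + (r,)) for (x, nxt) in frontier
                        for (p, xx, y, r) in DELTA if p == q and xx == x}
        moves |= {(a, b, nxt) for (b, nxt) in frontier}
    return moves


def reduce_column(col, copying):
    """Class representative: delete a copying state equal to its neighbour
    (x = y modulo deletion of identical left- or right-copying neighbours)."""
    out = []
    for q in col:
        if not (out and out[-1] == q and q in copying):
            out.append(q)
    return tuple(out)


def build_quotient():
    """Abstract transducer for R+ whose states are reduced columns."""
    left, right = copying_states()
    copying = left | right

    def representatives(col):
        # Assumption of this example: each copying state occurs once or twice.
        opts = [((q,), (q, q)) if q in copying else ((q,),) for q in col]
        return {sum(c, ()) for c in product(*opts)}

    start = reduce_column((INIT,), copying)
    states, edges, todo = {start}, set(), [start]
    while todo:
        col = todo.pop()
        for rep in representatives(col):
            for (a, b, nxt) in column_successors(rep):
                tgt = reduce_column(nxt, copying)
                edges.add((col, a, b, tgt))
                if tgt not in states:
                    states.add(tgt)
                    todo.append(tgt)
    finals = {c for c in states if set(c) == {FINAL}}
    return start, edges, finals, states


def quotient_image(quot, word):
    """R+(word) as computed by the abstract transducer."""
    start, edges, finals, _ = quot
    return image(edges, start, finals, word)


def exact_up_to(n):
    """Compare the abstract transducer with brute-force R+ on all words of length <= n."""
    quot = build_quotient()
    return all(quotient_image(quot, "".join(w)) == closure("".join(w))
               for k in range(1, n + 1) for w in product(ALPHABET, repeat=k))


if __name__ == "__main__":
    start, edges, finals, states = build_quotient()
    print(len(states), "column classes:", sorted(states, key=len))
    print("R+(TNNN) =", sorted(quotient_image((start, edges, finals, states), "TNNN")))
    print("exact up to length 6:", exact_up_to(6))
```

The exploration stabilizes with six classes, the five drawn on the slides plus the single-row column q1 (one application of R, reached from q0 itself rather than from the stacked q0q0). Together they accept exactly the pairs (N^i T N^j, N^(i+m) T N^(j-m)) with m >= 1, which is R+; the brute-force comparison confirms this on every word of length up to 6 without any column longer than four states ever being built.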
Exactness of ≃
[Figure: a path from the initial states enters an equivalence class at a column x and leaves it from a different member y (or z) towards the final states; the abstract transducer accepts along such a path even when no single column connects its two halves]
How to define ≃ ?
Forward Simulation F
[Figure: if x1 F y1 and x1 -> x2, then there is y2 with y1 -> y2 and x2 F y2]
Backward Simulation B
[Figure: as F, but matching predecessors instead of successors]
Equivalence
[Figure: x ≃ y iff x and y are related by F and B in both directions]
F, B independent:
[Figure: a commuting square over x, y, z, w built from one F and one B step on each side]
Example
x B y : x = y modulo deletion of identical left-copying neighbours
  e.g. q0 q1 q2 B q0 q0 q1 q2 [figure]
x F y : x = y modulo deletion of identical right-copying neighbours
  e.g. q0 q1 q2 F q0 q1 q2 q2 [figure]
Independence
[Figure: the independence square between F and B, instantiated on token-passing columns built from q0, q1 and q2 and built up over several slides]
Example
x B y : x = y modulo deletion of identical left-copying neighbours
x F y : x = y modulo deletion of identical right-copying neighbours
Induced equivalence :
x ≃ y : x = y modulo deletion of identical left- or right-copying neighbours
Consequence
[Figure, built up over several slides: along a path [x0] -> [x1] -> [x2] -> [x3] of equivalence classes with members y1, y2, y3, the simulations F and B supply columns w0, v1, w1, v2, w2, v3, w3 and z0, z1, z2, z3 that form a run of the column transducer, so every path of the abstract transducer is matched by a run over actual columns]
Other Examples: Szymanski’s Algorithm (idealized)
Pseudocode for process i : as given above
Built states in transitive closures
[Bar chart: number of built states for Token passing, Token ring, Bakery and Szymanski under three constructions, Old equivalence, Bi-determinization and New equivalence; the values printed on the bars include 668, 1793, 20658, 605, 164, 25, 335 and 11]
www.regularmodelchecking.com
• All implementation available
• Implementation of automata with symbolic edges (BDDs)
• Source available under GPL
Future Work
• Tree-like Topologies
• Liveness properties
• Non-structure-preserving
• Other kinds of systems: stacks, queues, timed, etc