Model Checking Lecture 5

Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking 3Symbolic algorithms for model checking 4Pushdown systems

From Finite to Inifinite-State Systems So far, algorithms for systems with finite state spaces Sources of infinite-state –Control: recursion –Data: unbounded numeric variables, lists –Time: Systems with real-time clocks –Parameters: arbitrary number of participating processes

From Finite to Inifinite-State Systems So far, algorithms for systems with finite state spaces Sources of infinite-state –Control: recursion –Data: unbounded numeric variables, lists –Time: Systems with real-time clocks –Parameters: arbitrary number of participating processes

Decidability vs. Expressiveness Unbounded state  Undecidable Is the unbounded system able to encode a Turing machine? –Single-counter machines? NO –Two-counter machines? YES –Single-stack machines? NO –Two-stack machines? YES

From Finite to Inifinite-State Systems So far, algorithms for systems with finite state spaces Sources of infinite-state –Control: recursion –Data: unbounded numeric variables, lists –Time: Systems with real-time clocks –Parameters: arbitrary number of participating processes

State representation Explicit representation infeasible Symbolic representation is the key –For the transition system –For the reachable states

Pushdown systems (G, L, g 0, l 0,  ) g, h  G : finite set of control states l, m  L : finite set of stack symbols g 0 : initial control state l 0 : initial stack symbol  : set of transitions

Three kinds of transitions: (g, l)  (h, m) (step) (g, l)  (h, m n) (call) (g, l)  (h,  ) (return) Configuration: g, l l  h, m g, l  h, n m g, l  h,

Modeling sequential programs An element in G is a valuation to global variables An element in L is a valuation to local variables and –current instruction address for the frame at the top of the stack –return instruction address for the other frames

Example bool a = F; void main( ) { L1: a = T; L2: flip(a); L3: } void flip(bool x) { L4: a = !x; L5: } (F,  ) (F,  _, L3  ) (F,  _, L3   T, L5  ) (T,  _, L3   T, L4  ) (T,  _, L2  ) (F,  _, L1  ) (a,  x, pc  )

Reachability problem Given pushdown system (G, L, g 0, l 0,  ) and control state g, does there exist a stack ls  L* such that (g 0, l 0 )  * (g, ls)?

Naïve algorithm Add (g 0, l 0 ) to R (g, ls)  R (g, ls)  (g’, ls’) Add (g’, ls’) to R

R is unbounded so algorithm won’t terminate Two solutions: –Summary-based (a.k.a. interprocedural dataflow analysis) –Automata-based Problem with the naïve algorithm

E(g, l, h, m) (step edges) E + (g, l, h, nm) (call edges) E - (g, l, h) (pop edges) Initially: Algorithm I E(g 0, l 0, g 0, l 0 ) E+ is empty E- is empty

Step rule E(g, l, h, m) (h, m)  (h’, m’) E(g, l, h’, m’)

Call rule E(g, l, h, m) (h, m)  (h’, n’m’) E + (g, l, h’, n’m’) E(h’, n’, h’, n’)

Return rule E(g, l, h, m) (h, m)  (h’,  ) E - (g, l, h’)

Summary rule E + (g, l, h, nm) E - (h, n, h’) E(g, l, h’, m)

int g = 0 main() { L0: incr() L1: g = 0 L2: incr() L3: } incr() { L4: g = g+1 L5: } E(0, L0, 0, L0) E + (0, L0, 0, L4·L1) E(0, L4, 0, L4) E(0, L4, 1, L5) E - (0, L4, 1) E(0, L0, 1, L1) E(0, L0, 0, L2) E + (0, L0, 0, L4·L3) E(0, L0, 1, L3) E - (0, L0, 1)

int g = 0 main() { L0: if (*) L1: foo(0) else L2: foo(1) L3: assert(g > 0) L4: } foo(r) { L5: if (r = 0) L6: foo(r) else L7: g = g + 1 L8: } E(0, L0, 0, L0) E + (0, L0, 0,  L5,0  ·L3) E(0,  L5,0 , 0,  L5,0  ) E(0,  L5,0 , 0,  L6,0  ) E(0, L0, 0, L1) E(0, L0, 0, L2) E + (0, L0, 0,  L5,1  ·L3) E(0,  L5,1 , 0,  L5,1  ) E(0,  L5,1 , 0,  L7,1  ) E(0,  L5,1 , 1,  L8,1  ) E - (0,  L5,1 , 1) E(0, L0, 1, L3) E(0, L0, 1, L4) E - (0, L0, 1) E + (0,  L5,0 , 0,  L5,0  ·  L8,0  )

Reachability problem Given pushdown system (G, L, g 0, l 0,  ) and control state g, does there exist a stack ls such that (g 0, l 0 )  * (g, ls)? Algorithm I: Summary-based Yes, if E(g’, l’, g, l) for some g’, l’, and l. No, otherwise.

Algorithm II Add (g 0, l 0 ) to R (g, ls)  R (g, ls)  (g’, ls’) Add (g’, ls’) to R Key idea: Use a finite automaton to symbolically represent R

Symbolic representation Pushdown system (G, L, g 0, l 0,  ) Representation automaton (Q, L, T, G, F) - Q (  G) is the set of states - L is the alphabet - T is the transition relation - G is the set of initial states - F is the set of final states

gs1s1 s2s2 l l m h m Represents the set of configurations: { (h, m), (g, l m* l) } A set C of configurations is regular if it is representable by an automaton Theorem (Buchi) : The set of configurations reachable from a regular set is also regular.

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l1l1 s 2,2 l2l2

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1 

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1  l0l0

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1  l0l0 { (g 0, l 0  l 0 l 0 +  l 1 l 0 l 0 + ), (g 1, l 1 l 0 + ), (g 2, l 2 l 0 l 0 + ) }