Reachability Analysis for Some Models of Infinite-State Transition Systems Oscar H. Ibarra, Tevfik Bultan, and Jianwen Su Department of Computer Science University of California, Santa Barbara

Problem Automated verification techniques have been successful for finite state systems In general verification problems are undecidable for infinite state systems What kind of restrictions can we place on infinite state systems to make verification problems decidable?

Outline Restricted computational models –Reversal-bounded, finite-crossing, phase-bounded machines Language acceptors vs. behavior generators Decidable properties as language acceptors Decidable verification queries as behavior generators Extensions to computational models Applications Conclusions and future work

Shankar’s Example This Morning P can be verified with a Presburger arithmetic model checker that uses standard backward fixpoint computations [Bultan et al. 99] Fixpoint computation for AG(State1  x  6) does not converge, we can use widening However, this system is a reversal bounded counter machine, hence we do not need approximations, we can verify its invariants exactly. State0 State1 x’=x+1 x’=x+1 Initial: x=0  State0 P: AG(State1  ( . x =2  +1))

Examples of Infinite State Systems Timed-automata [Alur, Dill 90] –Finite state control + real valued clocks which increase uniformly or reset based on clock constraints –Clock constraints are restricted to x # c (# is one of , , , ,  ) –Verification results: Region reachability, TCTL model checking [Alur et al. 93], binary reachability [Comon, Jurski 99] Pushdown automata –Finite state control plus an unrestricted stack –Verification results:  -calculus model checking [Walukiewicz 96, Bouajjani et al. 97]

Restricted Infinite-State Systems Basic Model: Reversal-bounded counter machines (CM) A nondeterministic finite automaton augmented with finite number of counters Each counter can be incremented or decremented by 1 and tested for zero The counters are reversal-bounded : The number of times a counter can change from non-decreasing to non-increasing and vice-versa is bounded by a constant

Reversal-Bounded Computation Computation Countervalue Reversal Reversal

Reversal-Bounded Counters (CM) Note that a counter can take any value in  The number of states (i.e., configurations of the machine) is infinite Without the reversal-boundedness restriction basic properties of counter machines (such as emptiness) are undecidable (two unrestricted counters  TM)

Adding a Pushdown to CM Reversal-bounded counter machine CM can be extended with additional data structures A pushdown counter machine (PCM) is a reversal- bounded counter machine augmented with a single unrestricted pushdown stack PCMs are more powerful than CMs and pushdown automata Emptiness is undecidable for two-way input or two pushdown

Adding a Restricted Tape to CM A tape counter machine (TCM) is a reversal-bounded counter machine augmented with a single restricted two-way read/write worktape The tape is finite-crossing : The number of times the head crosses the boundary between any two adjacent cells of the worktape is bounded by a constant TCMs and PCMs are incomparable

Adding a Restricted Queue to CM A queue counter machine (QCM) is a CM augmented with a single restricted queue The queue is phase-bounded : The number of alternations between non-deletion phase and non- insertion phase is bounded by a constant TCMs can effectively simulate QCMs Unrestricted queue can simulate a TM

An Simple Example Producer has a produce state which has a write transition that increments the produced counter and writes a symbol to the queue from a finite alphabet {a, b} Consumer has a consume state which has a read transition that increments the consumed counter and reads a symbol from the queue We can check invariants such as: produced - consumed equals the number of items in the queue and the number of a’s in the queue is less than or equal to number of b’s queue finite state control control countercounter producedconsumed PRODUCERCONSUMER

Language Acceptors vs. Behavior Generators Computational models can be used as language recognizers when they are augmented with a one- way read-only input tape We are interested in the behaviors they generate: Use computational models as system specifications rather than language recognizers Machines with input tape can be used to analyze parametric systems where the parameters can be specified on the input tape

Interesting Properties for Language Acceptors Given arbitrary language acceptor machines M 1, M 2 : –Emptiness: Is L(M 1 ) (the language accepted by M 1 ) empty ? –Containment: Is L(M 1 )  L(M 2 ) ? –Equivalence: Is L(M 1 ) = L(M 2 ) ? Simplest acceptors: Finite automata (deterministic, nondeterministic, one-way input tape, two-way input tape). Above properties are decidable.

Interesting Properties for Behavior Generators Binary-Reachability: Given two configurations ,  of machine M, is there a behavior which starts at  and reaches  ? Forward-Reachability: Given a set of configurations S, what is the set of configurations that the machine M can reach starting from a configuration in S ? Backward-Reachability: Given a set of configurations S, what is the set of configurations that the machine M can start from and reach a configuration in S ?

Interesting Properties for Behavior Generators Nonsafety: Given a machine M, an initial set I and a set P of configurations, is there a configuration in I which reaches a configuration in P ? Invariance: Given a machine M, an initial set I and a set P of configurations, are all the configurations on all the behaviors which start from I in P ?

Basic Approach First show decidability of the emptiness problem for a class of language acceptors Reduce verification problems to emptiness problem Given an arbitrary machine M –Show that a verification property of M can be specified as a language –Show that a language-acceptor M’ can be effectively constructed which accepts this language –Show that the the verification query can be answered by checking language emptiness of the language-acceptor M’

Emptiness problem for PCM-acceptors Theorem: Emptiness problem for PCM-acceptors is decidable [Ibarra 78] Proof Idea: Given an alphabet A with symbols a 1,..., a k for each word w in A * define f(w) = (i 1,..., i k ) where i j is the number of occurances of a j in w (Parikh map) Given a PCM-acceptor M, f(L(M)) is an effectively computable Presburger formula (equivalently, it is a semilinear set) L(M) is empty iff f (L(M)) is empty (which is decidable since f (L(M)) is Presburger)

Emptiness Problem for CM-acceptors Corollary: Emptiness problem for CM acceptors is decidable Emptiness problem for CM acceptors is decidable in n ckr for some constant c, where n is the size of the finite state control, k is the number of counters, and r is the reversal-bound on each counter [Gurari and Ibarra 81]

Emptiness Problem for TCM-acceptors Theorem: The emptiness problem for TCM-acceptors is decidable Lemma 1 : Let M be a TCM-acceptor. We can effectively construct a TCM M’ such that L(M) = L(M’) and in any computation of M’ its read/write head moves left or right of a cell in every step Lemma 2 : Let M be a TCM-acceptor. We can effectively construct a TCM M’ such that L(M) is nonempty iff M’ when started with a blank worktape and zero counters has a halting sequence of moves

Binary Reachability Given a machine M, define reachability set R(M) of M as the set of all pairs of configurations ( ,  ) such that  can reach  in 0 or more transitions Theorem: Given a PCM M, we can effectively construct a PCM acceptor M’ accepting R(M) Proof Idea : First, M’ reads configuration  and records it. Then M’ simulates the computation of M. At some point it guesses that it reached  and verifies its guess by comparing it with the input Theorem: Given a TCM M, we can effectively construct a TCM acceptor M’ accepting R(M)

Safety Theorem: Given a PCM (TCM) M and two sets of configurations I and P accepted by CM acceptors, we can effectively construct a PCM (TCM) M’ that accepts a configuration  iff 1)  is in I, and 2) M when started in  can reach a configuration in P Proof Idea: Let M I and M P be CM acceptors accepting I and P, respectively. We construct a PCM acceptor M which first checks that its input is accepted by M I. Then it simulates M starting from this input configuration. Then it guesses that it reached a configuration in M P and verifies this guess by checking if the configuration is accepted by M P

Safety Corollary 2 : Given a PCM (TCM) M and two sets of configurations I and P accepted by a CM acceptor and a deterministic CM- acceptor, respectively, we can effectively construct a PCM (TCM) M’ that accepts a configuration  iff 1)  is in I, and 2) M when started in  can reach a configuration not in P

Forward and Backward Reachability Given a machine M and a set of configurations P, define set of configurations F M (P) (B M (P)) as the set of configurations that can be reached from (that can reach) configurations in P in 0 or more transitions Theorem: Given a PCM (TCM) M and a set of configurations P accepted by a CM-acceptor, we can effectively construct a PCM (TCM) acceptor accepting F M (P) Same result holds for B M (P)

Forward and Backward Reachability Theorem: Let M be a CM and P be a set of configurations. Then B M (P) (F M (P)) accepted by a CM acceptor iff P is accepted by a CM acceptor Corollary: Let M be a CM and P be a set of configurations. Then B M (P) (F M (P)) is Presburger iff P is Presburger

Extensions to Computational Models Allowing counters to store negative integer values Allowing counters to increment decrement by integer constant c Allowing tests of the form x # c where x is a counter, c is an integer constant, and # is one of , , , ,  One can show that for al the computational models we discussed a machine M using such extensions can be converted to a machine M’ which does not use these extensions and L(M) = L(M’)

Extensions to Computational Models Consider linear relation tests constructed using atomic linear relations in the form –  x  C a x x < b (where C is the set of counters) –and logical connectives ,  The emptiness problem for deterministic CM-acceptors using linear relation tests is undecidable If we restrict PCM (TCM) to be mode-bounded (i.e., the number of changes between the modes increasing, decreasing, and no- change is bounded by a constant) then emptiness problem is decidable even when linear tests are used [Ibarra et al. 00]

Applications One can show the decidability of verification problems for a system by reducing it to one of the systems we presented Binary reachability of discrete timed-automata with pushdown is decidable [Dang et al. 00]

Applications By restricting the behaviors of a given infinite-state system one can obtain a conservative approximation of the given system –in the sense that when an error is found in the restricted system this implies that the error exists in the original system Finding bugs is as important as verifying a system Restrictions we discussed are not as severe as bounded model checking [Biere et al. 99] which limits the number of execution steps

Conclusions and Future Work We showed that there are various restrictions one can put on computational models which will ensure the decidability of reachability problems We need to investigate the complexity of the verification problems for these restricted models We need to investigate extending these results to liveness properties, temporal logics