Hierarchical and Recursive State Machines with Context- Dependent Properties Salvatore La Torre, Margherita Napoli, Mimmo Parente and Gennaro Parlato Dipartimento di Informatica ed Applicazioni Università degli Studi di Salerno

Given : –A system model M (Kripke structure) –A high-level specification  (logic formula) Is M a model of  ? System Verification (Model Checking) Complexity of model checking O ( ·2 |  | ) |M||M| State-Space Explosion O (| M |·2 |  | )

Our Target Propose a “new model” to represent models succintly And solve model cheching problems efficiently on it –Reachability –Cycle detection –L TL -ModelChecking

Recursive State Machine A RSM M =(M 1,…, M k ) is composed by –k machines modelling k procedures –machines can call each other recursively –Machines are represented through graphs

Vertices Machines has two kind of vertices: Nodes (internal state) Boxes (procedure-call)

Entry and Exit Nodes parameters e3e3 e2e2 e1e1 ex 3 ex 4 ex 2 ex 1 Entry nodes Exit nodes return values

Edges Node-to-Node Box-to-NodeNode-to-Box Box-to-Box

Labelling Given a set of Atomic Proposition We associates to both nodes and boxes set of AP p,q,r t,r,p

M1M1 M2M2 M3M3 second 0 second 59 minute 0 minute 59 hour 0 hour 23 Seconds Minutes Hours Example: Digital Clock modelled by Hierarchical State Machine min 59 min 0 out 3 start 3 h 23 h0h0 start 2 out 2 sec 0 out 1 sec 59 start 1

sec 0 sec 60 Flat Model M1FM1F out 2 start 2 M2FM2F min 59 min 0 minute 0 minute 59 sec 0 sec 60 sec 0 sec 60 The flat model has 24·60·60=86,400 states Our model has =150 vertices. sec 0 sec 60 M1FM1F

HSMs in [AY98] Only nodes are labeled with atomic propositions: a model and its flat have the same number of different labels To check properties with a precise time (i.e., check for time 10:20: 45 ) the model must have at least a node for each possible hh.mm.ss. Our model can be exponentially more succinct

Related Work Model checking of hierarchical state machines. [Alur, Yannakakis 1998] Analysis of recursive state machines. [Alur, Etessami, Yannakakis 2001] Model checking of unrestricted hierarchical state machines. [Benedikt, Godefroid, Reps 2001] Visibly pushdown languages [Alur, Madhusudan 2004] A temporal logic of nested calls and returns[Alur,Etessami,Madhusudan 2004]

Outline Overview  Reachability problem LTL-Model Checking Conclusion

MFMF [in k ] Reachability Problem Given a HSM M and a propositional boolean formula , the Reachability Problem is: Is there a reachable state (in the flat of M ) on which  holds ? X  (label(X))=TRUE

Computational Complexity The reachability problem is NP-complete –NP-hardness 3-CNF-SAT  Reachability (with AND of literals) –NP-membership 1.guess a state X of M F 2.check if X is reachable in M F 3.verify  on X We can solve Reachability in O (| M |·|  |·2 |AP| ) time

A Solution in O (λ·|M|·|  |) MiFMiF Start i q  (L(q)UP)=TRUE Reach  (i,P)=TRUE   a reachable state of M i F satisfying  (assume propositions P hold TRUE on all states of M i F ) Reach  (k,Ø) P

Reach  (expand(b), )=TRUE Start i q  (L(q)UP)=TRUE How to compute Reach  (i,P) MiMi b L(b) PP U

Our Algorithm Reach  (i,P) = = V  (P U label (u)) V u is a reachable node of M i V Reach  (expand (b),P U label (b)) b is reachable box of M i Reach  (i,P) takes O(|M i |·|φ|) time + time for calls Reach  (expand (b),P U label (b)) Total time is O(λ·|M|·|  |) (λ is the max # of different sets P for machine)

Good cases Reach  (k,Ø) takes O(λ·|M|·|  |) with λ≤2 |AP| If λ is bounded by a costant, then Reach  (k,Ø) takes O(|M|·|  |) In particular, if M is a Alur and Yannakakis machine, every M i inherits only the empty set (λ =1)

u p Restricted HSM p

Efficient Solution on Restricted HSM Reachability on Restricted HSM and formulas in DNF is decidable in O(|M|·|  |) time Reachability is NP-hard if either: –M is a nonrestricted HSM or –  is a (general) boolean formula Reachability is decidable in O(|M|·2 |  | ) time on Restricted HSM

Outline Overview Reachability problem  L TL -Model Checking Conclusion

L TL Model Checking We use the automata-theoretic approach Given a HSM M and an L TL -formula , the problem is: Does every trace of the flat model of M satisfy  ?

Automata-Theoretic Approach 1. Given an L TL -formula , we build a Büchi automaton A ¬ . 3.  is satisfied on M  L ( M ‘)=Ø. O (2 |  | ) [Vardi and Wolper] O (| M |·16 |  | ) O ( M‘ ) [Alur at al.] 2. We build a new HSM M ‘ as a product of M and A ¬ . Main Result LTL Model-Checking can be solved in O (| M |·16 |  | ) time

Structures of M ’ M ‘ consists of graphs M (i,j,P) M (i,j,P) is contained in the Cartesian product of M i and A ¬  : –start i is coupled with j (A ¬  state) –the set of atomic propositions P is inherited from its ancestors

Nodes of M (i,j,P) PUP u =P q Node of M (i,j,P) [u,q,j,P] PuPu State of A ¬  q PqPq Node of M i u PuPu

Boxes of M (i,j,P) State of A ¬  q PqPq PUP b U P start h =P q Box of M i b start h P start h PbPb Box of M (i,j,P) [b,q,j,P] PbPb M (h,q,PUP b )

Edges from node of M (i,j,P) Edge from node of M i u v Node of M (i,j,P) [u,q’,j,P] [v,q’’,j,P] Edge of A ¬  q’ q’’

Edges from box of M (i,j,P) A edge of A ¬  q’’q’ A edge from box of M i b v o A edge from box of M (i,j,P) [b,q,j,P] [v,q’’,j,P] [o,q’,h,P’]

Outline Overview Reachability problem L TL -Model Checking  Conclusion

Cycle Detection Cycle detection problem: Is there a cycle in M F containing a reachable state on which  holds? Computational complexity: –NP-complete –solution in time O(| M |·|  |·2 |  | ) (same as reachability)

Conclusion Decision problems: –Reachability –Cycle detection –LTL model-checking Restricted HSMs Recursive Finite State Machines (Expansions model recursive calls)

Recursive Finite State Machines RSM = HSM with recursive expansions b MiMi MiMi b

Main results Reachability Cycle detection L TL Model Cheching RSM NP-complete O(| M |·|  |·2 |  | ) Pspace-complete O(|M|·16 |  | ) restricted HSM  in DNF O(|M|·|  |) Pspace-complete O(|M|·8 |  | )