Model Checking Lecture 5

Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking 3Symbolic algorithms for model checking 4Pushdown systems

From Finite to Inifinite-State Systems So far, algorithms for systems with finite state spaces Sources of infinite-state –Control: recursion –Data: unbounded numeric variables, lists –Time: Systems with real-time clocks –Parameters: arbitrary number of participating processes

From Finite to Infinite-State Systems So far, algorithms for systems with finite state spaces Sources of infinite-state –Control: recursion –Data: unbounded numeric variables, lists –Time: Systems with real-time clocks –Parameters: arbitrary number of participating processes

Decidability vs. Expressiveness Unbounded state  Undecidable Is the unbounded system able to encode a Turing machine? –Single-counter machines? NO –Two-counter machines? YES –Single-stack machines? NO –Two-stack machines? YES

From Finite to Infinite-State Systems So far, algorithms for systems with finite state spaces Sources of infinite-state –Control: recursion –Data: unbounded numeric variables, lists –Time: Systems with real-time clocks –Parameters: arbitrary number of participating processes

State representation Explicit representation infeasible Symbolic representation is the key –For the transition system –For the reachable states

Pushdown systems (G, L, g 0, l 0,  ) g, h  G : finite set of control states l, m  L : finite set of stack symbols g 0 : initial control state l 0 : initial stack symbol  : set of transitions

Remarks The classical definition of a pushdown system has, in addition, an alphabet I of input symbols. Each transition depends on the control state, the top of the stack, and the input symbol. The language L  I* of a classical pushdown system contains those input sequences for which there is an execution leading to the empty stack. We are only concerned with reachability analysis and will therefore ignore I.

Three kinds of transitions: (g, l)  (h, m) (step) (g, l)  (h, m n) (call) (g, l)  (h,  ) (return) Configuration: g, l l  h, m g, l  h, n m g, l  h,

Modeling sequential programs An element in G is a valuation to global variables An element in L is a valuation to local variables and –current instruction address for the frame at the top of the stack –return instruction address for the other frames

Example bool a = F; void main( ) { L1: a = T; L2: flip(a); L3: } void flip(bool x) { L4: a = !x; L5: } (F,  ) (F,  _, L3  ) (F,  _, L3   T, L5  ) (T,  _, L3   T, L4  ) (T,  _, L2  ) (F,  _, L1  ) (a,  x, pc  )

Reachability problem Given pushdown system (G, L, g 0, l 0,  ) and control state g, does there exist a stack ls  L* such that (g 0, l 0 )  * (g, ls)?

Naïve algorithm Add (g 0, l 0 ) to R (g, ls)  R (g, ls)  (g’, ls’) Add (g’, ls’) to R

R is unbounded so algorithm won’t terminate Two solutions: –Summary-based (a.k.a. interprocedural dataflow analysis) –Automata-based Problem with the naïve algorithm

E(g, l, h, m) (step edges) E + (g, l, h, nm) (call edges) E - (g, l, h) (pop edges) Initially: Algorithm I E(g 0, l 0, g 0, l 0 ) E+ is empty E- is empty

Step rule E(g, l, h, m) (h, m)  (h’, m’) E(g, l, h’, m’)

Call rule E(g, l, h, m) (h, m)  (h’, n’m’) E + (g, l, h’, n’m’) E(h’, n’, h’, n’)

Return rule E(g, l, h, m) (h, m)  (h’,  ) E - (g, l, h’)

Summary rule E + (g, l, h, nm) E - (h, n, h’) E(g, l, h’, m)

int g = 0 main() { L0: incr() L1: g = 0 L2: incr() L3: } incr() { L4: g = g+1 L5: } E(0, L0, 0, L0) E + (0, L0, 0, L4·L1) E(0, L4, 0, L4) E(0, L4, 1, L5) E - (0, L4, 1) E(0, L0, 1, L1) E(0, L0, 0, L2) E + (0, L0, 0, L4·L3) E(0, L0, 1, L3) E - (0, L0, 1)

int g = 0 main() { L0: if (*) L1: foo(0) else L2: foo(1) L3: assert(g > 0) L4: } foo(r) { L5: if (r = 0) L6: foo(r) else L7: g = g + 1 L8: } E(0, L0, 0, L0) E + (0, L0, 0,  L5,0  ·L3) E(0,  L5,0 , 0,  L5,0  ) E(0,  L5,0 , 0,  L6,0  ) E(0, L0, 0, L1) E(0, L0, 0, L2) E + (0, L0, 0,  L5,1  ·L3) E(0,  L5,1 , 0,  L5,1  ) E(0,  L5,1 , 0,  L7,1  ) E(0,  L5,1 , 1,  L8,1  ) E - (0,  L5,1 , 1) E(0, L0, 1, L3) E(0, L0, 1, L4) E - (0, L0, 1) E + (0,  L5,0 , 0,  L5,0  ·  L8,0  )

Termination Maximum number of step edges = |G| 2 |L| 2 Maximum number of call edges = |G| 2 |L| 3 Maximum number of return edges = |G| 2 |L|

Reachability problem Given pushdown system (G, L, g 0, l 0,  ) and control state g, does there exist a stack ls such that (g 0, l 0 )  * (g, ls)? Algorithm I: Summary-based Yes, if E(g’, l’, g, l) for some g’, l’, and l. No, otherwise.

Algorithm II Add (g 0, l 0 ) to R (g, ls)  R (g, ls)  (g’, ls’) Add (g’, ls’) to R Key idea: Use a finite automaton to symbolically represent R

Symbolic representation Pushdown system (G, L, g 0, l 0,  ) Representation automaton (Q, L, T, G, F) - Q (  G) is the set of states - L is the alphabet - T is the transition relation - G is the set of initial states - F is the set of final states

gs1s1 s2s2 l l m h m Represents the set of configurations: { (h, m), (g, l m* l) } A set C of configurations is regular if it is representable by an automaton Theorem (Buchi) : The set of configurations reachable from a regular set is also regular.

Remark Buchi’s theorem does not contradict the fact that pushdown systems can accept non-regular languages over the input alphabet I. The classical definition of a pushdown system has, in addition, an alphabet I of input symbols. The language of reachable stack configurations is a language over the alphabet L. The accepted language is a language over the alphabet I.

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l1l1 s 2,2 l2l2

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1 

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1  l0l0

Pushdown system: (G, L, g 0, l 0,  ) - G = {g 0, g 1, g 2 } - L = {l 0, l 1, l 2 } - (g 0, l 0 )  (g 1, l 1 l 0 ) (g 1, l 1 )  (g 2, l 2 l 0 ) (g 2, l 2 )  (g 0, l 1 ) (g 0, l 1 )  (g 0,  ) g0g0 l0l0 s0s0 g1g1 g2g2 s 1,1 l0l0 l1l1 s 2,2 l2l2 l0l0 l1l1  l0l0 { (g 0, l 0  l 0 l 0 +  l 1 l 0 l 0 + ), (g 1, l 1 l 0 + ), (g 2, l 2 l 0 l 0 + ) }

Lemma 1: If (g,ls)  Begin and (g,ls)  * (g’,ls’), then g’ can reach a final state q of End along a path labeled ls’. Proof: Simple induction on the number of steps in  *. Let Begin be the initial configuration automaton Let End be the final configuration automaton

Lemma 2: Suppose g goes to state q in End via a path labeled ls. (1) If q is a state of Begin, then (g’,ls’)  * (g,ls) and g’ goes to state q via a path labeled ls’ in Begin (2) If q = s g’,l’ is a new state in End, then (g’,l’)  * (g,ls)

Begin = A 0, A 1, …, A n = End For each i  [0,n-1]: A i+1 is obtained from A i by adding a single edge Restatement of Lemma 2: Suppose g goes to state q in A i via a path of length j labeled ls. (1) If q is a state of Begin, then (g’,ls’)  * (g,ls) and g’ goes to state q via a path labeled ls’ in Begin (2) If q = s g’,l’ is a new state in End, then (g’,l’)  * (g,ls)