{

Beyond RegularModel Checking

By Prof. Dana Fisman and Prof. Amir Pnueli

Presented by Yanir Damti

State explosion problem Parameterized systems Variables over infinite range

Symbolic model checking solves this problem by representing the model implicitly

For example with BDDs

Background2

Use {formal languages} for model representation

One established method is using Regular languages

Verification and formal languages3

{“x is even”:

This is a counter system. Sets of states are over alphabet , and the transition relation is over alphabet

Regular model checking - Example4

– Alphabet – A language over the alphabet We denote a word in :

Projection:

L - A language over Lifting:

Few Basic Definitions5

𝑤=𝑎1𝑎2⋯𝑎𝑛

𝑢=𝑏1𝑏2⋯𝑏𝑛

Regular languages can be applied to several types of parameterized problems.

Many interesting parameterized systems cannot be represented by regular languages.

The Peterson mutual exclusion algorithm that we’ll see later.

We’ll see three methods using non-regular classes of languages.

Non-Regular model checking6

{ {On one hand:

More expressive than the regular languages

On the other hand:

Adequate for symbolic model checking

Aim: Find a class of languages7

{Size of an adequate class of languages is bounded by a set of requirements.

8

Adequacy for Symbolic Model Checking

The following languages describe a model: - property to be verified - set of initial states - transition relation

Next, we see an algorithm using them.General method for symbolic model checking9

For repeat

until return

Procedure Backward MC

Complementation

Intersection

Projection

Lifting

Equivalence

Emptiness

10

For repeat

until return

– property to be verified, – set of initial states, – transition relation - classes of languages

We say are adequate for symbolic model checking if the requirements to follow hold.

More accurately…11

Requirements for Backward MC:1. are adequate for representing

respectively.2. is closed under complementation.3. is closed under lifting.4. is closed under intersection with .5. is closed under projection.6. is closed under intersection with , and

emptiness is decidable for .7. Equivalence is decidable for two

languages in .

More accurately…12

For repeat

until return

3 Methods13

1Initial states – non-regular,

the rest – regulars

2

Define a new non-regularclass of

languages

3

Private case of 2

: natural initially Number of processes

: array of initially Array of priorities

: array of Array of signatures

The Peterson Algorithm for Mutual Exclusion14

: integer : loop forever do

: Non-Critical : for to do

: : await

: Critical : The Peterson

Algorithm for Mutual Exclusion15

: Number of processes : Priority array : Signature array

Process :

Initial states – non-regular, the rest – regulars16

1

{ {Set of initial states

Context-freelanguage

Property to be verified, transition relation

Regularlanguage

Main Principle17

1

We take to be the context-free languages class

We take and to be the regular languages class

The extra help from the context-free class will make Peterson’s algorithm verification possible.

Main Principle18

1

For repeat

until return

⊕⋯⊕⏟0

∨⊕⋯⊕⏟1

∨⋯∨⊕⋯⊕⏟𝑁−1

∨⊕⋯⊕⏟𝑁−1

Representing Peterson’s System19

1

Σ={⊕ , |}

Priority(waiting processes)

Critical(priority still )

Transition relation:

Property’s negation:

Representing Peterson’s System20

Θ= {⊕𝑖 |𝑖 : 𝑖>1}

1

We defined initial states as a context-free language.

We defined the transition relation and property with regular languages.

We can model check with the Backward-MC algorithm

Goal: Show Mutual Exclusion21

1

For repeat

until return

Define a new non regular class of languages22

2

A DPDA is a tuple – Input alphabet – Set of states - Initial state – Stack alphabet – Stack bottom symbol – Transition relation: – Set of accepting states

Reminder: Pushdown Automata23

2

The class of languages accepted by pushdown automata is denoted:

We also denote the regulars as:

Pushdown Automata Language Class24

2

We define an operation:

We take a specific 1DPDA: We look at the set of all DPDA that is a

result of the above operation on with some FA, :

Main Principle25

2

DPDA with one state

Let be a 1DPDA:

can be considered:

Let be a DFA:

Cascade Product26

2

Δ :Σ× Γ⟶ Γ∗𝑆× 𝑆×

𝐷𝑃𝐷𝐴≜ ⟨ Σ ,𝑆 ,𝑠0 , Γ ,⊥ , 𝜌 ,𝐹 ⟩

The cascade product is a DPDA:

The transition relation:

Cascade Product27

2

Let be over alphabet , for some . Let be a mapping from to . The cascade product with respect to , :

Let’s complicate…28

2

Let be as before. Let be a DPDA: If for some and some , then we say is . We define the class of languages

accepted by any DPDA:

Define a Class of Languages29

2

2

We will show effective closure under: Complementation Lifting Intersection with a regular language

And we will also show: Equivalence is effectively decidable Emptiness is effectively decidable

The hard part: showing closure under projection. is Adequate for Symbolic Model Checking30

For repeat

until return

Let For simplification assume:

Input alphabet of A is

We compute the automaton of the projection of on the first coordinate:

Computing Projection31

2

Special Case of Cascade Product32

3

We consider the cascade product where:

does not look at the stack To accepted a word, stack have to be

emptied

Simple Product33

3

Separate the DFA part of the representation so that projection can be computed only using the DFA.

If we can write where is regular and has certain properties, than we can use the following algorithm for model checking.

Main Principle34

3

For repeat

until return

Modified Backward MC35

Original algorithm:For repeat

until return

3

The computation of in both versions is identical. That is:

The Main Claim36

For repeat

until return

Originalalgorithm

𝑀 𝑖

Induction

3

Definition: A language is left preserved by a bi-language if:

If and is left preserved by , than we can use the modified Forward MC

Preserved Language37

3

is left preserved by

We can use the modified Forward MC

Peterson example38

3

Claim: Proof:

Problem in the Claim39

3

Definition:

Fixing the Problem40