Hierarchical and Recursive

State Machines with Context-

Dependent Properties

Salvatore La Torre, Margherita Napoli, Mimmo Parente and Gennaro Parlato

Dipartimento di Informatica ed ApplicazioniUniversità degli Studi di Salerno

• Given: – A system model M (Kripke structure)– A high-level specification (logic formula)

Is M a model of ?

System Verification (Model Checking)

•Complexity of model checking

O ( ·2||)|M| State-Space Explosion O (|M|·2||)

Our Target

• Propose a “new model” to represent models succintly

• And solve model cheching problems efficiently on it– Reachability – Cycle detection– LTL-ModelChecking

Recursive State Machine

A RSM M =(M1,…, Mk) is composed by

– k machines modelling k procedures

– machines can call each other recursively

– Machines are represented through graphs

VerticesMachines has two kind of vertices:• Nodes (internal state)• Boxes (procedure-call)

Entry and Exit Nodes

parameters

e3

e2

e1

ex3

ex4

ex2

ex1

Entry

node

s

Exit

node

s

return values

Edges

Node-to-Node

Box-to-NodeNode-to-Box

Box-to-Box

Labelling• Given a set of Atomic Proposition• We associates to both nodes and

boxes set of AP

p,q,r

t,r,p

M1

M2

M3

second0 second59

minute0 minute59

hour0hour23

Seconds

Minutes

Hours

Example: Digital Clock modelled by Hierarchical State

Machine

min59min0

out3start3 h23h0

start2 out2

sec0 out1sec59start1

sec0 sec60

Flat Model

M1F

out2start2

M2F

min59min0

minute0

minute59

sec0 sec60sec0 sec60

•The flat model has 24·60·60=86,400 states

• Our model has 24+60+60+6=150

vertices.

sec0 sec60

M1F

HSMs in [AY98]

• Only nodes are labeled with atomic propositions:a model and its flat have the same number of different labels

• To check properties with a precise time (i.e., check for time 10:20:45) the model must have at least a node for each possible hh.mm.ss.

• Our model can be exponentially more succinct

Related Work• Model checking of hierarchical state

machines. [Alur, Yannakakis 1998]• Analysis of recursive state machines. [Alur,

Etessami, Yannakakis 2001]• Model checking of unrestricted hierarchical

state machines. [Benedikt, Godefroid, Reps 2001]

• Visibly pushdown languages [Alur, Madhusudan 2004]

• A temporal logic of nested calls and returns[Alur,Etessami,Madhusudan 2004]

Outline

Overview

Reachability problem

• LTL-Model Checking

• Conclusion

MF

[ink]

Reachability Problem

Given a HSM M and a propositional boolean formula , the Reachability Problem is:

Is there a reachable state (in the flat of M) on which holds ?

X

(label(X))=TRUE

Computational Complexity

• The reachability problem is NP-complete – NP-hardness

3-CNF-SAT Reachability (with AND of literals)

– NP-membership1. guess a state X of M F

2. check if X is reachable in M F 3. verify on X

• We can solve Reachability in O (|M|·||·2|AP|) time

A Solution in O (λ·|M|·||)

MiF

Starti q

(L(q)UP)=TRUE

Reach(i,P)=TRUE

a reachable state of MiF satisfying

(assume propositions P hold TRUE on all states of MiF)

Reach(k,Ø)

P

Reach(expand(b), )=TRUE

Starti q

(L(q)UP)=TRUE

How to compute Reach(i,P)

Mi

bL(b)

PPL(b)

U

Our AlgorithmReach(i,P) =

= V (P U label (u)) V u is a reachable node of Mi

V Reach(expand (b),P U label (b)) b is reachable box of Mi

• Reach(i,P) takes O(|Mi|·|φ|) time +

time for calls Reach(expand (b),P U label (b))

• Total time is O(λ·|M|·||)(λ is the max # of different sets P for machine)

Good cases

Reach(k,Ø) takes O(λ·|M|·||) with λ≤2|AP|

• If λ is bounded by a costant, then Reach(k,Ø) takes O(|M|·||)

• In particular, if M is a Alur and Yannakakis machine, every Mi inherits only the empty set (λ =1)

u

p

Restricted HSM

p

Efficient Solution on Restricted HSM

• Reachability on Restricted HSM and formulas in DNF is decidable in O(|M|·||) time

• Reachability is NP-hard if either:– M is a nonrestricted HSM or

is a (general) boolean formula

• Reachability is decidable in O(|M|·2||) time on Restricted HSM

Outline

Overview

Reachability problem

LTL-Model Checking

• Conclusion

LTL Model Checking

• We use the automata-theoretic approach

Given a HSM M and an LTL-formula , the problem is:

Does every trace of the flat model of M satisfy ?

Automata-Theoretic Approach

1. Given an LTL-formula , we build a Büchi automaton A¬ .

3. is satisfied on M L(M ‘)=Ø.

O (2||) [Vardi and Wolper]

O (|M|·16||)

O (M‘) [Alur at al.]

2. We build a new HSM M ‘ as a product of M and A¬ .

Main ResultLTL Model-Checking can be solved

in O (|M|·16||) time

Structures of M ’

• M ‘ consists of graphs M(i,j,P)

• M(i,j,P) is contained in the Cartesian product of Mi and A¬:

– starti is coupled with j (A¬ state)

– the set of atomic propositions P is inherited from its ancestors

Nodes of M(i,j,P)

PUPu=Pq

Node of M(i,j,P)

[u,q,j,P]Pu

State of A¬

qPq

Node of Mi

uPu

Boxes of M(i,j,P)

State of A¬

qPq

PUPb U Pstarth =Pq

Box of Mi

bstarth

Pstarth

Pb

Box of M(i,j,P)

[b,q,j,P]

Pb

M(h,q,PUPb)

Edges from node of M(i,j,P)

Edge from node of Mi

u v

Node of M(i,j,P)

[u,q’,j,P] [v,q’’,j,P]

Edge of A¬

q’ q’’

Edges from box of M(i,j,P)

A edge of A¬

q’’q’

A edge from box of Mi

b vo

A edge from box of M(i,j,P)

[b,q,j,P] [v,q’’,j,P][o,q’,h,P’]

Outline

Overview

Reachability problem

LTL-Model Checking

Conclusion

Conclusion

• Decision problems:– Reachability– Cycle detection– LTL model-checking

• Restricted HSMs

• Recursive Finite State Machines(Expansions model recursive calls)

Main results

Reachability Cycle

detection

LTL Model Cheching

RSMNP-completeO(|M|·||·2||)

Pspace-complete

O(|M|·16||)

restricted HSM

in DNFO(|M|·||)

Pspace-completeO(|M|·8||)