Presented by Maya Arbel , May 2012

Symbolic model checking with rich assertional languagesY. Kesten, O. Maler, M. Marcus, A. Pnueli, E. Shahar

Presented by Maya Arbel, May 2012

Parameterized Systems In the previous lecture we saw the problem of verification

of parameterized systems. Given a network of processes, such that each process is a

finite state machine, verify some property for the entire network.

This is the uniform verification problem: can we model check that the network is correct for all possible configuration?

Parameterized Systems (Cont.) In general the problem of uniform verification is

undecidable. In the previous lecture we saw:

The use of network grammars as a representation of the topology.

The use of regular language for representing the behavior of a single process.

In this lecture we will see a simplified solution using a single regular language to describe both the topology and the local state of each process.

The Solution Idea With an appropriate choice of an assertional language, the

paradigm of symbolic model checking is adequate for uniform verification of parameterized systems.

The resulting process: Process Network

Dist. Algorithm

Translation toAssertional Language

Symbolic Model Checking

The Solution Idea (Cont.) Advantage:

Simple approach. Disadvantage:

Each topology require the development of a different assertional language.

Symbolic Model Checking Procedure SYMB-MC is a symbolic model checking

procedure for showing that the invariance property is satisfied by system . g- State

formula

-All states that have a stae as a successor

- All initial states in P

Symbolic Model Checking (Cont.) Procedure SYMB-MC attempts to compute an assertion

characterizing all the states from which a -state can be reached by a finite number of steps.

If the search loop terminates at iteration , then provides such an assertion.

Since the problem is undecidable, the procedure may fail to terminate.

Symbolic Model Checking (Cont.) In order to apply the SYMB-MC procedure one chooses

an assertional language . The language should satisfy the following requirements:

The property and the assertion should be expressible in . The language should be effectively closed under negation

and disjunction, and possess an algorithm for deciding equivalence of two assertions.

There should exist an algorithm for constructing .

We refer to a language satisfying these three requirements as a language adequate for symbolic model checking.

Process Array MUX Example

N CT

When If then

Await

Goal: Verify that at most one process is in the critical section.

Process Array MUX Example (Cont.) Each process has two local state variables:

a local boolean variable . a control variable ranging over the set of locations .

Process sends the boolean value T on channel to its right neighbor (if )

Process reads into variable has a boolean value from its left neighbor on channel (if ).

N CTAwait

Process Array MUX Example (Cont.) We have our Distributed Algorithm. Next step: Define an adequate assertional language.

Process Network Dist. Algorithm



Logic We will use the logic FS1S as a specification language for

the sets of global states of parameterized systems. FS1S has the expressive power of regular expressions, as

well as finite automata, which are the representation underlying our implementation.

The Logic FS1S Syntax: We assume a signature consisting of a finite set of

finite alphabets. The vocabulary consists of :

Position variables … Array variables

The Logic FS1S(Cont.) Positions (first order) terms:

The constant 0 Any position variable . , where is a position term.

Letter terms Every is a -term If is a -array variable and is a position term, then is a -term.

Process Array MUX and FS1S Our signature contains two alphabets:

Each alphabet has an array variable:

- array - array

Each array variable is of size , the number of processes

The Logic FS1S- Formulas Atomic formulas:

, where and are position terms and . , where and are -term for some

Formulas: An atomic formula is a formula. Let and be formulas. Then , , , are formulas, where is a

position variable and is an array variable.

The Logic FS1S(Cont.) Semantics: Let be an FS1S formula. A model for is given by ,

where is a positive integer. assigns to each position variable a natural number assigns to each -array variable a -word of size .

The Logic FS1S(Cont.) Given a model , we inductively define the interpretation

induced by as follows: interprets every Position term into a natural number , as

follows: The constant symbol 0 is interpreted as the natural number 0. For position variable , . modulo .


induced by as follows: A -term is interpreted into a -letter, as follows:

The constant symbol is interpreted ad the -letter . If and , then


induced by as follows: Formulas are interpreted into values as follows:

For propostion terms and , evaluates to 1 if the relation holds between and

For -term and , evaluates to 1 if equals , , , , where and are formulas, are interpreted in the standard way,

after the formulas and are interpreted.



is true if there exists a model , such that and ’ differ at most in the interpretation of the position variable , and such that .

is true if there exists a model , such that and ’ differ at most in the interpretation of the array variable , and such that .

FS1S is Adequate Remainder: a language is adequate if it satisfy the three

requirements The property and the assertion should be expressible in . The language should be effectively closed under negation

and disjunction, and possess an algorithm for deciding equivalence of two assertions.

There should exist an algorithm for constructing .

FS1S is Adequate (Cont.) Expressing and the invariant

𝑖𝑛𝑖𝑡𝑀𝑈𝑋 :∀ 𝑖 [ Π [ 𝑖 ]=𝑁∧𝐻 [ 𝑖 ]⟷𝑖=0 ]

𝑔 :¬∃𝑖 , 𝑗 [ 𝑖≠ 𝑗∧Π [𝑖 ]=𝐶∧Π [ 𝑗 ]=𝐶 ]

FS1S is Adequate (Cont.) Expressing the transformer.

We define some helper formulas:

𝑝𝑟𝑒𝑠≠ 𝑖 (𝑋 ) :∀ 𝑗 [ 𝑗≠ 𝑖→ 𝑋 [ 𝑗 ]=𝑋 ′ [ 𝑗] ]

𝑝𝑟𝑒𝑠≠ 𝑖 ,𝑖+1 (𝑋 ) :∀ 𝑗 [( 𝑗 ≠𝑖⋀ 𝑗≠𝑖+1)→𝑋 [ 𝑗 ]=𝑋 ′ [ 𝑗 ]]


There are transitions that affect only a single process: express internal movements and variable changes within the process

𝜌𝑆 (𝑉 ,𝑉 ′ ) :∃𝑖( Π [𝑖 ]=𝑁∧Π ′ [𝑖 ]=𝑇∨Π [ 𝑖 ]=𝐶∧Π ′ [𝑖 ]=𝑁∨Π [ 𝑖 ]=𝑇 ∧Π ′ [𝑖]=𝐶∧𝐻 [ 𝑖 ] )∧𝑝𝑟𝑒𝑠≠𝑖( Π)∧𝑝𝑟𝑒𝑠(𝐻)


The other kind of transition involves two contiguous processes, i.e., and for some . This corresponds to communication in which process sends the

boolean value which process stores into .


The formula represents a transition of a single process The formula represent a joint communication transition. The FS1S formula representing all transitions is:

Finally we get:

𝜌𝑀𝑈𝑋 (𝑉 ,𝑉 ′ ) :𝜌 𝑠 (𝑉 ,𝑉 ′ )⋁ 𝜌 𝑐(𝑉 ,𝑉 ′ )

𝑝𝑟𝑒𝑑𝑀𝑈𝑋 (𝜑 ) :∃𝑉 ′ 𝜌𝑀𝑈𝑋 (𝑉 ,𝑉 ′ )⋀𝜑 (𝑉 ′)

Process Array MUX Example (Cont.) We showed that FS1S is adequate. Now we can use SYMB-MC to prove for MUX.

Process Network Dist. Algorithm



Applying SYMB-MC to MUX We start the iteration with the negation of the property we

want to verify:

Next we apply to , as follows:

𝜑0=¬𝑔=∃𝑖 , 𝑗 [𝑖≠ 𝑗⋀Π [𝑖 ]=𝐶⋀Π [ 𝑗 ]=𝐶 ]

𝜑1=𝜑0⋁ ∃𝑉 ′ ∙ 𝜌𝑀𝑈𝑋 (𝑉 ,𝑉 ′ )⋀𝜑0(𝑉 ′)

¿𝜑0 ⋁ ∃𝑖 , 𝑗 [ 𝑖≠ 𝑗⋀ Π [ 𝑖 ]=𝑇 ⋀𝐻 [𝑖]⋀ Π [ 𝑗 ]=𝐶 ]

Applying SYMB-MC to MUX (Cont.) We continue iterating until the result converges:

𝜑2=𝜑1⋁ ∃𝑖 , 𝑗[𝑖≠ 𝑗⋀ ( Π [ 𝑖 ]=𝑁 ⋀𝐻 [𝑖 ]⋀ Π [ 𝑗 ]=𝐶⋁ Π [ 𝑖 ]=𝑇 ⋀𝐻 [ 𝑖 ]⋀Π [ 𝑗 ]=𝑇 ⋀𝐻 [ 𝑗 ])]

𝜑3=𝜑2 ⋁∃𝑖 , 𝑗 [ 𝑖≠ 𝑗 ⋀Π [ 𝑖 ]=𝑁 ⋀𝐻 [𝑖 ]⋀ Π [ 𝑗 ]=𝑇 ⋀𝐻 [ 𝑗 ] ]

𝜑4=𝜑 3⋁ ∃𝑖 , 𝑗 [𝑖≠ 𝑗∧Π [𝑖 ]=𝑁 ⋀𝐻 [ 𝑖 ]⋀ Π [ 𝑗 ]=𝑁 ⋀𝐻 [ 𝑗 ] ]

𝜑5=𝜑4

Applying SYMB-MC to MUX (Cont.) The iteration converges at with the final value:

Finally, we check the intersection with the initial condition:

Since the intersection is false a configuration satisfying cannot be reached from an initial configuration. We can conclude that MUX satisfy .

𝜑5=∃𝑖 , 𝑗 [ 𝑖≠ 𝑗∧(Π [ 𝑖 ]=𝐶∨𝐻 [𝑖 ])⋀ (Π [ 𝑗 ]=𝐶∨𝐻 [ 𝑗 ])]

𝜑5 ⋀ 𝑖𝑛𝑖𝑡𝑀𝑈𝑋=𝐹

Additional Examples – Processor Ring Example MUX considered processes arranged in an array.

Once the rightmost process obtains the token, it cannot deliver it to any other process.

This is a degenerate version of the real protocol, in which the processes are arranged in a ring.

The transition relation for the ring configuration is:

𝜌𝑅𝐼𝑁𝐺 (𝑉 ,𝑉 ′ ) :𝜌 𝑠 (𝑉 ,𝑉 ′ )⋁ 𝜌𝑐−𝑅𝐼𝑁𝐺 (𝑉 ,𝑉 ′ )

Additional Examples – Processor Ring (Cont.) The transition relation for the ring configuration is:

The execution of procedure SYMB-MC converges, and is found to be an invariant of program PROC-RING.

𝜌𝑅𝐼𝑁𝐺 (𝑉 ,𝑉 ′ ) :𝜌 𝑠 (𝑉 ,𝑉 ′ )⋁ 𝜌𝑐−𝑅𝐼𝑁𝐺 (𝑉 ,𝑉 ′ )

Additional Examples – Request Messages The MUX satisfies the safety property of mutual

exclusion, but does not satisfy the liveness property. It does not guarantee that any process wishing to enter its

critical section will eventually do so. Example: consider the following 3-process configuration:

P[0] has the token. P[2] is interested in entering its critical section. P[2] will not be able to obtain the token until P[1] moves to state

Additional Examples – Request Messages(Cont.) An efficient solution which ensures accessibility, uses an

additional local boolean variable . Variable is true for all processes having some right

neighbor who is interested in entering its critical section. The improved protocol introduces an token which moves

from right to left.

Additional Examples – Request Messages(Cont.)

N CT

When 𝑟 [𝑖−1]⟸𝑇

Await

e

Additional Examples – Request Messages(Cont.) The initial condition for program MUX-REQ is given by

the FS1S formula:

𝑖𝑛𝑖𝑡𝑀𝑈𝑋 −𝑅𝐸𝑄 :∀ 𝑖Π [𝑖 ]=𝑁 ⋀𝐻 [ 𝑖 ]= (𝑖=0 )⋀ 𝑅 [ 𝑖 ]=𝐹

Additional Examples – Request Messages(Cont.) The transition relation for program MUX-REQ is given by

the disjunction:

is the idling transition. describes changes in the control location of sub-process. describes transitions related to communications on channel t. describes transitions related to communications on channel r.

𝜌𝑀𝑈𝑋−𝑅𝐸𝑄 :𝜌 𝐼⋁ 𝜌𝑙⋁ 𝜌𝑡⋁ 𝜌𝑟

Additional Examples – Request Messages(Cont.) Transition relation is given by:

Transition relation is given by:

𝜌𝑙 :∃ 𝑖( Π [ 𝑖 ]=𝑁∧Π ′ [𝑖 ]=𝑇∨Π [ 𝑖 ]=𝐶∧Π ′ [𝑖 ]=𝑁∨Π [ 𝑖 ]=𝑇 ∧Π ′ [ 𝑖 ]=𝐶∧𝐻 [𝑖 ])∧𝑝𝑟𝑒𝑠≠ 𝑖(Π )∧𝑝𝑟𝑒𝑠 (𝐻 )∧𝑝𝑟𝑒𝑠(𝑅)

Additional Examples – Request Messages(Cont.) Transition relation is given by:

Applying procedure SYMB-MC to program MUX-REQ and the mutual-exclusion specification the procedure converges.

Tree Languages We extend the method of regular expressions over strings

to deal with regular tree languages. Process trees may have different out-degrees for different

nodes. We use the logic FS∗S as a specification language for

regular sets of trees.

Tree Languages (Cont.) We define a tree structure to be a finite subset of .

contains the empty sequence . If contains then it also contains:

for every Λ(0) (1)

(1 , 0) (1 , 1)(0 , 0 , 0)

(0 , 0)

Tree Languages (Cont.) Let be an arbitrary alphabet. A -tree consists of:

A tree structure S. A labeling function , mapping each node of the tree to a

symbol.

The Logic FS*S Syntax: We assume a signature consisting of a finite set of

finite alphabets. The vocabulary consists of :

Position variables … Tree variables

The Logic FS*S(Cont.) Positions (first order) terms:

The constant Any position variable .

Letter terms Every is a -term If is a -tree variable and is a position term, then is a -term.

The Logic FS*S- Formulas Atomic formulas:

, where and are position terms and . , where and are -term for some

Formulas: An atomic formula is a formula. Let and be formulas. Then , , , are formulas, where is a

position variable and is an tree variable.

The Logic FS*S(Cont.) Semantics: Let be an FS*S formula. A model for is given by ,

where is a tree structure. assigns to each position variable a sequence of natural

number assigns to each -tree variable a -tree with tree structure .

The Logic FS*S(Cont.) Given a model , we inductively define the interpretation

induced by as follows: interprets every Position term into a sequence of natural

numbers , as follows: The constant symbol is interpreted as the empty sequence. For position variable , .

A -term is interpreted into a -letter, as follows: The constant symbol is interpreted ad the -letter . If , and then



For propostion terms and , evaluates to 1 if evaluates to 1 if is prefix of evaluates to 1 if is smaller then in lexicographic order.

For -term and , evaluates to 1 if equals , , , , where and are formulas, are interpreted in the standard way,

after the formulas and are interpreted.



is true if there exists a model , such that and ’ differ at most in the interpretation of the position variable , and such that .

is true if there exists a model , such that and ’ differ at most in the interpretation of the array variable , and such that .

Logic FS*S- Examples The following are FS*S formulas (will be later used as

shortcut notation):

𝒔𝒐𝒏 (𝒙 , 𝒚 ) :𝑥< 𝑦∧¬∃𝑧 [𝑥<𝑧∧𝑧<𝑦 ]

𝒆𝒍𝒅𝒆𝒓 −𝒃𝒓𝒐𝒕𝒉𝒆𝒓 (𝒙 , 𝒚 ):𝑏𝑟𝑜𝑡 h𝑒𝑟 (𝑥 , 𝑦)∧¬∃ 𝑧 [𝑏𝑟𝑜𝑡 h𝑒𝑟 (𝑥 , 𝑧 )∧𝑥≺ 𝑧∧𝑧≺𝑦 ]

𝒍𝒆𝒂𝒇 (𝒙 ):¬∃ 𝑦 [ 𝑥<𝑦 ]

Tree Languages- Example We consider the following program PERCOLATE:

In : tree structureLocal where

::

Repeat if

then Until

The purpose of the program PERCULATE is to percolate to the root the value 1 if at least one leaf has the value 1, and

percolate 0 otherwise.

Tree Languages- Example (Cont.) Example run of PERCOLATE:

u

u u

1 00

u


u

u u

1 00

u


u

u u

1 00

0


u

u u

1 00

0


u

u 1

1 00

0


u

u 1

1 00

0

∃𝑠𝑜𝑛(𝑥 , 𝑧) [𝑃 [𝑧 ]=𝑢 ]


u

u 1

1 00

0


u

u 1

1 00

0


u

0 1

1 00

0


u

0 1

1 00

0


1

0 1

1 00

0


1

0 1

1 00

0

FINISHED

Tree Languages- Example (Cont.) PERCOLATE in FS∗S is represented by a -tree variable

over the alphabet The initial condition of program PERCOLATE is:

𝑖𝑛𝑖𝑡𝑝𝑒𝑟𝑐𝑜𝑙𝑎𝑡𝑒 :∀𝑥 [𝑙𝑒𝑎𝑓 (𝑥 )↔ (𝑃 [ 𝑥 ]=1⋁ 𝑃 [𝑥 ]=0 ) ]

Tree Languages- Example (Cont.) The transition relation of program PERCOLATE is:

∃𝑥¿

Tree Languages- Example (Cont.) The property to be verified can be specified by the

following assertion:

The execution of the symbolic model checking algorithm does not converge. In order to reach convergence we need to construct a meta-

transition for PERCOLATE. Using the meta-transition the execution of SYMB-MC converges

and the assertion g is found to be an invariant of program PERCOLATE

𝑔 :∀ 𝑦 [𝑃 [ 𝑦 ]=1 →∃ 𝑥 [𝑦 ≤ 𝑥⋀ 𝑙𝑒𝑎𝑓 (𝑥 )⋀ 𝑃 [𝑥 ]=1 ] ]

Implementation Status There are two implementations of systems which use the

SMV input language of either FS1S or FS∗S. The representation of the model in the FS1S

implementation uses OBDD-encoded assertions instead of explicit enumeration

The examples presented in this paper where model checked using the FS1S implementation.

The FS∗S implementation can handle simple examples as PERCOLATE.

Conclusions and Further Research The paper extended the method of symbolic model

checking to deal with systems with infinitely many states. The notion of adequate assertional language is general

enough to accommodate many additional types of parameterized systems.

An interesting question is how to extend the method to apply to other types of temporal properties, in particular, liveness properties.

Another promising line of research is how to handle the case that the iteration does not converge.

Questions?

Presented by Maya Arbel , May 2012

Documents

mux cont

adequate cont

process network

parameterized systems

single process

logic fs1sthe logic

resulting process

rightmost process