
Page 1

Reachability Analysis for Some Models of Infinite-State Transition Systems

Oscar H. Ibarra, Tevfik Bultan, and Jianwen Su

Department of Computer Science

University of California, Santa Barbara

{ibarra,bultan,su}@cs.ucsb.edu

Page 2

Problem

Automated verification techniques have been successful for finite state systems

In general, verification problems are undecidable for infinite-state systems

What kind of restrictions can we place on infinite state systems to make verification problems decidable?

Page 3

Outline

Restricted computational models
– Reversal-bounded, finite-crossing, phase-bounded machines

Language acceptors vs. behavior generators

Decidable properties as language acceptors

Decidable verification queries as behavior generators

Extensions to computational models

Applications

Conclusions and future work

Page 4

Shankar’s Example This Morning

P can be verified with a Presburger arithmetic model checker that uses standard backward fixpoint computations [Bultan et al. 99]

The fixpoint computation for AG(State1 x 6) does not converge, so one would normally have to use widening

However, this system is a reversal-bounded counter machine, hence we do not need approximations: we can verify its invariants exactly

[Figure: two control states, State0 and State1, with transitions State0 → State1 and State1 → State0, both labeled x' = x+1. Initial: x = 0, State0. P: AG(State1 → ∃k. x = 2k+1)]
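Why no widening is needed here can be seen on the system itself. The following is an added example written for this page, not the construction used in the paper: because x only ever increases and is never tested, any cycle of the control graph can be taken arbitrarily often, so the effect of a cycle is accelerated into an arithmetic progression and the forward computation terminates with the exact reachable set, from which AG(State1 → x odd) is decided without approximation. The progression representation and all function and variable names (`reach`, `covered`, `member`, `always_odd`, `SYSTEM`, `REACH`) are assumptions of this illustration.

```python
"""Exact forward reachability for the two-state counter system on this slide.

Constructed illustration (not the paper's construction). Reachable x values are
kept per control state as arithmetic progressions (base, step) = {base + step*k, k >= 0};
step 0 is a single value. Assumption: the counter is only ever incremented and never
tested, so any control cycle can be repeated; that is what makes acceleration sound.
"""


def covered(prog, progs):
    """True if every value of progression `prog` already lies in one of `progs`."""
    b, s = prog
    for b2, s2 in progs:
        if s2 == 0:
            if s == 0 and b == b2:
                return True
        elif b >= b2 and (b - b2) % s2 == 0 and s % s2 == 0:
            return True
    return False


def reach(transitions, init_state, init_x):
    """Forward reachability with cycle acceleration.

    transitions: list of (src, dst, delta) with delta >= 0 (increment-only assumption).
    Returns {state: set of (base, step)} describing all reachable (state, x)."""
    assert all(d >= 0 for _, _, d in transitions), "acceleration assumes an increment-only counter"
    start = (init_x, 0)
    sets = {init_state: {start}}
    # Each worklist entry carries the single-valued configurations on its own derivation,
    # so a revisit of a control state is known to close a genuine cycle of the control graph.
    worklist = [(init_state, start, ((init_state, init_x),))]
    while worklist:
        q, (b, s), path = worklist.pop()
        for src, dst, d in transitions:
            if src != q:
                continue
            cand, new_path = (b + d, s), path
            if s == 0:
                earlier = [x for st, x in path if st == dst and x < cand[0]]
                if earlier:
                    # (dst, earlier[0]) -> ... -> (dst, cand[0]) is a cycle with net effect
                    # cand[0] - earlier[0]; it can be iterated, so take the whole progression
                    cand = (earlier[0], cand[0] - earlier[0])
                else:
                    new_path = path + ((dst, cand[0]),)
            bucket = sets.setdefault(dst, set())
            if covered(cand, bucket):
                continue
            bucket.add(cand)
            worklist.append((dst, cand, new_path))
    return sets


def member(sets, state, x):
    """Membership of configuration (state, x) in the computed reachable set."""
    return any(x == b if s == 0 else (x >= b and (x - b) % s == 0)
               for b, s in sets.get(state, ()))


def always_odd(sets, state):
    """Exact check of AG(state -> x is odd): each progression at `state` must start at an odd
    value and advance by an even step, so every member is odd."""
    return all(b % 2 == 1 and s % 2 == 0 for b, s in sets.get(state, ()))


# Constructed input: the system on the slide, initial configuration (State0, x = 0)
SYSTEM = [("State0", "State1", 1), ("State1", "State0", 1)]
REACH = reach(SYSTEM, "State0", 0)

if __name__ == "__main__":
    print(REACH)                        # State0: even x, State1: odd x
    print(always_odd(REACH, "State1"))  # True: the invariant holds exactly, no widening
```

A plain enumeration of (state, x) pairs would never terminate on this system; the accelerated computation stops after two progressions per state, and a wrong invariant (say, "x is even in State1") would be refuted by the same representation rather than by running out of patience.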

Page 5

Examples of Infinite State Systems

Timed automata [Alur, Dill 90]
– Finite state control + real-valued clocks which increase uniformly or are reset based on clock constraints
– Clock constraints are restricted to x # c (# is one of <, ≤, =, ≥, >)
– Verification results: region reachability, TCTL model checking [Alur et al. 93], binary reachability [Comon, Jurski 99]

Pushdown automata
– Finite state control plus an unrestricted stack
– Verification results: μ-calculus model checking [Walukiewicz 96, Bouajjani et al. 97]

Page 6

Restricted Infinite-State Systems

Basic Model: Reversal-bounded counter machines (CM)

A nondeterministic finite automaton augmented with a finite number of counters

Each counter can be incremented or decremented by 1 and tested for zero

The counters are reversal-bounded: the number of times a counter can change from non-decreasing to non-increasing and vice versa is bounded by a constant

Page 7

Reversal-Bounded Computation

[Figure: counter value plotted against the computation; each point where the curve changes direction is marked as a reversal]

Page 8

Reversal-Bounded Counters (CM)

Note that a counter can take any non-negative integer value, so the number of states (i.e., configurations of the machine) is infinite

Without the reversal-boundedness restriction, basic properties of counter machines (such as emptiness) are undecidable (two unrestricted counters already simulate a TM)
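The definition on the previous slides is easy to get wrong on two edge cases: steps that leave a counter unchanged belong to both a non-decreasing and a non-increasing phase, so they must not count as reversals, and the first non-zero change only fixes the initial direction. The following is an added example for this page (not code from the paper) that counts reversals of a counter along a run and checks a multi-counter run against a bound r; the run data (`RUN_OK`, `RUN_BAD`) is constructed.

```python
"""Reversal count of a counter along a run, following the slide's definition.

Added example (not from the paper). A reversal is a change from a non-decreasing
phase to a non-increasing one or vice versa. A step that leaves the counter
unchanged belongs to both kinds of phase and so never counts; only the sign of
the next non-zero change matters, and the first non-zero change merely sets the
initial direction.
"""


def reversals(values):
    """Number of reversals in a sequence of successive values of one counter."""
    count, direction = 0, 0          # direction: +1 rising, -1 falling, 0 not yet known
    for prev, cur in zip(values, values[1:]):
        if cur == prev:
            continue                 # plateau: no change of phase
        step = 1 if cur > prev else -1
        if direction and step != direction:
            count += 1               # the counter turned around
        direction = step
    return count


def within_bound(run, r):
    """True if every counter of `run` (dict name -> list of values) makes at most r reversals.

    Reversal-boundedness is a property of the machine (all of its runs); a single run
    can only witness a violation, never establish the bound."""
    return all(reversals(v) <= r for v in run.values())


# Constructed runs of a machine with two counters c1, c2
RUN_OK = {"c1": [0, 1, 2, 3, 3, 2, 1, 0], "c2": [0, 0, 1, 1, 2, 2, 3, 3]}   # 1 and 0 reversals
RUN_BAD = {"c1": [0, 1, 0, 1, 0, 1], "c2": [0, 0, 0, 0, 0, 0]}            # c1 reverses 4 times

if __name__ == "__main__":
    for name, run in (("RUN_OK", RUN_OK), ("RUN_BAD", RUN_BAD)):
        print(name, {c: reversals(v) for c, v in run.items()}, "1-reversal-bounded:", within_bound(run, 1))
```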

Page 9

Adding a Pushdown to CM

A reversal-bounded counter machine CM can be extended with additional data structures

A pushdown counter machine (PCM) is a reversal-bounded counter machine augmented with a single unrestricted pushdown stack

PCMs are more powerful than CMs and pushdown automata

Emptiness is undecidable for two-way input or two pushdown stacks

Page 10

Adding a Restricted Tape to CM

A tape counter machine (TCM) is a reversal-bounded counter machine augmented with a single restricted two-way read/write worktape

The tape is finite-crossing : The number of times the head crosses the boundary between any two adjacent cells of the worktape is bounded by a constant

TCMs and PCMs are incomparable

Page 11

Adding a Restricted Queue to CM

A queue counter machine (QCM) is a CM augmented with a single restricted queue

The queue is phase-bounded: the number of alternations between a non-deletion phase and a non-insertion phase is bounded by a constant

TCMs can effectively simulate QCMs

An unrestricted queue can simulate a TM

Page 12

A Simple Example

Producer has a produce state with a write transition that increments the produced counter and writes a symbol from the finite alphabet {a, b} to the queue

Consumer has a consume state with a read transition that increments the consumed counter and reads a symbol from the queue

We can check invariants such as: produced − consumed equals the number of items in the queue, and the number of a’s in the queue is less than or equal to the number of b’s

[Figure: PRODUCER (finite state control + counter "produced") writes into a single queue; CONSUMER (finite state control + counter "consumed") reads from it]
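The producer/consumer system above, explored under the phase-bound restriction of the previous slide, as an added example written for this page (it is not the paper's construction and does not implement the acceptor-based decision procedure presented later). Assumptions: the producer nondeterministically writes either symbol on each write (the slide does not fix the producer's choice); the phase bound limits alternations between a non-deletion phase (only writes) and a non-insertion phase (only reads); a depth bound keeps the explicit search finite. Every explored run is a run of the unrestricted system, so any invariant violation found is a real one. The names `Config`, `successors`, `explore`, `INVARIANTS` and `ALPHABET` are this example's own.

```python
"""Bounded exploration of the producer/consumer queue counter machine.

Added example, not from the paper. The producer writes 'a' or 'b'
nondeterministically (an assumption), the queue is phase-bounded, and the
search is depth-bounded so that it terminates.
"""
from collections import deque
from dataclasses import dataclass

ALPHABET = ("a", "b")


@dataclass(frozen=True)
class Config:
    produced: int        # counter incremented by the producer's write transition
    consumed: int        # counter incremented by the consumer's read transition
    queue: tuple         # queue contents, front first
    phase: str           # "ins" (non-deletion phase), "del" (non-insertion phase), "" at start
    alternations: int    # number of phase changes so far


def successors(c, phase_bound):
    """Successor configurations reachable in one transition under the phase bound."""
    out = []
    for sym in ALPHABET:                                   # producer: write transition
        alt = c.alternations + (1 if c.phase == "del" else 0)
        if alt <= phase_bound:
            out.append(Config(c.produced + 1, c.consumed, c.queue + (sym,), "ins", alt))
    if c.queue:                                            # consumer: read transition
        alt = c.alternations + (1 if c.phase == "ins" else 0)
        if alt <= phase_bound:
            out.append(Config(c.produced, c.consumed + 1, c.queue[1:], "del", alt))
    return out


def explore(phase_bound, depth_bound, invariants):
    """Breadth-first search from the empty initial configuration.

    Returns (violations, seen): violations maps each invariant name to the first
    configuration found that falsifies it (None if none within the bounds);
    seen is the set of explored configurations."""
    init = Config(0, 0, (), "", 0)
    seen, frontier = {init}, deque([(init, 0)])
    violations = {name: None for name in invariants}
    while frontier:
        c, depth = frontier.popleft()
        for name, inv in invariants.items():
            if violations[name] is None and not inv(c):
                violations[name] = c
        if depth == depth_bound:
            continue
        for s in successors(c, phase_bound):
            if s not in seen:
                seen.add(s)
                frontier.append((s, depth + 1))
    return violations, seen


# The two invariants named on the slide
INVARIANTS = {
    "produced - consumed == queue length": lambda c: c.produced - c.consumed == len(c.queue),
    "#a <= #b in queue": lambda c: c.queue.count("a") <= c.queue.count("b"),
}

if __name__ == "__main__":
    found, visited = explore(phase_bound=2, depth_bound=6, invariants=INVARIANTS)
    print(len(visited), "configurations explored")
    for name, cfg in found.items():
        print(name + ":", "holds on all explored runs" if cfg is None else "violated at " + str(cfg))
```

With a producer free to write either symbol, the second invariant is refuted at depth 1 by the queue holding a single a; since that run needs no phase alternation at all, the counterexample survives removing the restriction. The first invariant holds on every explored configuration, which, unlike the refutation, is not a proof: that is the gap the acceptor constructions on the following slides close for this class of machines.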

Page 13

Language Acceptors vs. Behavior Generators

Computational models can be used as language recognizers when they are augmented with a one-way read-only input tape

We are interested in the behaviors they generate: Use computational models as system specifications rather than language recognizers

Machines with input tape can be used to analyze parametric systems where the parameters can be specified on the input tape

Page 14

Interesting Properties for Language Acceptors

Given arbitrary language acceptor machines M1, M2:

– Emptiness: Is L(M1) (the language accepted by M1) empty?

– Containment: Is L(M1) ⊆ L(M2)?

– Equivalence: Is L(M1) = L(M2)?

Simplest acceptors: finite automata (deterministic, nondeterministic, one-way input tape, two-way input tape). The above properties are decidable.

Page 15

Interesting Properties for Behavior Generators

Binary Reachability: Given two configurations of machine M, is there a behavior which starts at the first and reaches the second?

Forward Reachability: Given a set of configurations S, what is the set of configurations that the machine M can reach starting from a configuration in S?

Backward Reachability: Given a set of configurations S, what is the set of configurations from which the machine M can reach a configuration in S?

Page 16

Interesting Properties for Behavior Generators

Nonsafety: Given a machine M, an initial set I and a set P of configurations, is there a configuration in I which reaches a configuration in P ?

Invariance: Given a machine M, an initial set I and a set P of configurations, are all the configurations on all the behaviors which start from I in P ?

Page 17

Basic Approach

First show decidability of the emptiness problem for a class of language acceptors

Reduce verification problems to the emptiness problem. Given an arbitrary machine M:

– Show that a verification property of M can be specified as a language

– Show that a language acceptor M’ can be effectively constructed which accepts this language

– Show that the verification query can be answered by checking language emptiness of the language acceptor M’

Page 18

Emptiness problem for PCM-acceptors

Theorem: The emptiness problem for PCM-acceptors is decidable [Ibarra 78]

Proof Idea: Given an alphabet A with symbols a1, ..., ak, for each word w in A* define f(w) = (i1, ..., ik) where ij is the number of occurrences of aj in w (the Parikh map)

Given a PCM-acceptor M, f(L(M)) is definable by an effectively computable Presburger formula (equivalently, it is a semilinear set)

L(M) is empty iff f(L(M)) is empty, which is decidable since f(L(M)) is Presburger

Page 19

Emptiness Problem for CM-acceptors

Corollary: The emptiness problem for CM-acceptors is decidable

The emptiness problem for CM-acceptors is decidable in time $n^{ckr}$ for some constant c, where n is the size of the finite state control, k is the number of counters, and r is the reversal bound on each counter [Gurari and Ibarra 81]

Page 20

Emptiness Problem for TCM-acceptors

Theorem: The emptiness problem for TCM-acceptors is decidable

Lemma 1 : Let M be a TCM-acceptor. We can effectively construct a TCM M’ such that L(M) = L(M’) and in any computation of M’ its read/write head moves left or right of a cell in every step

Lemma 2 : Let M be a TCM-acceptor. We can effectively construct a TCM M’ such that L(M) is nonempty iff M’ when started with a blank worktape and zero counters has a halting sequence of moves

Page 21

Binary Reachability

Given a machine M, define the reachability set R(M) of M as the set of all pairs of configurations such that the first configuration can reach the second in 0 or more transitions

Theorem: Given a PCM M, we can effectively construct a PCM-acceptor M’ accepting R(M)

Proof Idea: First, M’ reads the first configuration of the pair and records it. Then M’ simulates the computation of M. At some point it guesses that it has reached the second configuration and verifies its guess by comparing it with the input

Theorem: Given a TCM M, we can effectively construct a TCM-acceptor M’ accepting R(M)

Page 22

Safety

Theorem: Given a PCM (TCM) M and two sets of configurations I and P accepted by CM-acceptors, we can effectively construct a PCM (TCM) M’ that accepts a configuration iff 1) the configuration is in I, and 2) M when started in that configuration can reach a configuration in P

Proof Idea: Let M_I and M_P be CM-acceptors accepting I and P, respectively. We construct a PCM-acceptor M’ which first checks that its input is accepted by M_I. Then it simulates M starting from this input configuration. At some point it guesses that it has reached a configuration in P and verifies this guess by checking that the configuration is accepted by M_P

Page 23

Safety

Corollary 2: Given a PCM (TCM) M and two sets of configurations I and P accepted by a CM-acceptor and a deterministic CM-acceptor, respectively, we can effectively construct a PCM (TCM) M’ that accepts a configuration iff 1) the configuration is in I, and 2) M when started in that configuration can reach a configuration not in P

Page 24

Forward and Backward Reachability

Given a machine M and a set of configurations P, define the set of configurations F_M(P) (resp. B_M(P)) as the set of configurations that can be reached from (resp. that can reach) configurations in P in 0 or more transitions

Theorem: Given a PCM (TCM) M and a set of configurations P accepted by a CM-acceptor, we can effectively construct a PCM (TCM) acceptor accepting F_M(P)

The same result holds for B_M(P)

Page 25

Forward and Backward Reachability

Theorem: Let M be a CM and P be a set of configurations. Then B_M(P) (resp. F_M(P)) is accepted by a CM-acceptor iff P is accepted by a CM-acceptor

Corollary: Let M be a CM and P be a set of configurations. Then B_M(P) (resp. F_M(P)) is Presburger iff P is Presburger

Page 26

Extensions to Computational Models

Allowing counters to store negative integer values

Allowing counters to be incremented or decremented by an integer constant c

Allowing tests of the form x # c where x is a counter, c is an integer constant, and # is one of <, ≤, =, ≥, >

One can show that for all the computational models we discussed, a machine M using such extensions can be converted to a machine M’ which does not use these extensions and L(M) = L(M’)

Page 27

Extensions to Computational Models

Consider linear relation tests constructed from atomic linear relations of the form $\sum_{x \in C} a_x x < b$ (where C is the set of counters) and logical connectives

The emptiness problem for deterministic CM-acceptors using linear relation tests is undecidable

If we restrict PCMs (TCMs) to be mode-bounded (i.e., the number of changes between the modes increasing, decreasing, and no-change is bounded by a constant) then the emptiness problem is decidable even when linear tests are used [Ibarra et al. 00]

Page 28

Applications

One can show the decidability of verification problems for a system by reducing it to one of the systems we presented

Binary reachability of discrete timed-automata with pushdown is decidable [Dang et al. 00]

Page 29

Applications

By restricting the behaviors of a given infinite-state system one can obtain a conservative approximation of the given system, in the sense that when an error is found in the restricted system, the error exists in the original system as well

Finding bugs is as important as verifying a system

The restrictions we discussed are not as severe as bounded model checking [Biere et al. 99], which limits the number of execution steps

Page 30

Conclusions and Future Work

We showed that there are various restrictions one can put on computational models which will ensure the decidability of reachability problems

We need to investigate the complexity of the verification problems for these restricted models

We need to investigate extending these results to liveness properties, temporal logics
