parameterized model checking for timed systems with conjunctive guards

Parameterized Model-Checking for Timed Systems withConjunctive Guards

Luca Spalazzi, and Francesco Spegni{spalazzi,spegni}@dii.univpm.it

DII @ UnivPM, Ancona, Italy

Verified Software: Theories, Tools and Experiments18th July 2014

L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 1 / 31

You are here...

1 Intro

2 System Model

3 Specification

4 Cutoff Theorems

5 An example

6 Final discussion

Parameterized Model-Checking Problem

Definition

INPUT: process templates P1, . . . ,Pm, specification φOUTPUT:

True: if ∀(n1, . . . , nk) . P(n1)|| . . . ||P(nk ) |= φ

False: otherwise (+ counterexample)

Undecidable in general

see. (Apt and Kozen, ’86), parameterized reachability

Relevance to Software Verification

(Fault Tolerant) Distributed AlgorithmsSecurity Protocols. . .

Definition

Cutoff

upper bound to the number of copies for each process template

Cutoff Theorem for Untimed Systems with Conjunctive/Disjunctiveguards (Emerson and Kahlon, 2003)

plus: automatic, modular approach (reuse model checkers)

minus: complexity may be high (i.e. non optimal)

until now, no work on cutoff for timed systems (that we know. . . )

Parameterized Verification of Timed Systems

Several formalisms (Timed Automata, Hybrid Systems, . . . )

Some negative results on parameterized verification . . .

. . . all these results require synchronous rendezvous

Let’s try different synchronization (e.g. conjunctive guards . . . )

System Model

You are here...

1 Intro

2 System Model

3 Specification

4 Cutoff Theorems

5 An example

6 Final discussion

System Model

Parameterized Networks of Timed Automata - 1

Timed Automaton:P = (S , s,C , Γ, τ, I )

S : set of statess ∈ S : initial stateC : set of clock variablesΓ: set of boolean expressions on Sτ ⊆ S × TCC × 2C × Γ× S : transition relationI : S → TCC : state invariant mapping

System Model

Network of TA with Conjunctive Guards:

P(n1)1 || . . . ||P(nm)

guards in Γl have the form:∧m≤nlm 6=i

(sml ∨ pml ∨ · · · ∨ qml ) ∧∧h≤kh 6=l

(∧j≤nh

(s jh ∨ pjh ∨ · · · ∨ qjh))

where pml , . . . , qml ∈ Sm

l , pjh, . . . , qjh ∈ S j

h, and sml , s jh are the initial

states of Uml and U j

h, respectively.

System Model

Network of TA with Conjunctive Guards:

P(n1)1 || . . . ||P(nm)

guards in Γl have the form:∧m≤nlm 6=i

(sml ∨ pml ∨ · · · ∨ qml ) ∧∧h≤kh 6=l

(∧j≤nh

(s jh ∨ pjh ∨ · · · ∨ qjh))

where pml , . . . , qml ∈ Sm

l , pjh, . . . , qjh ∈ S j

h, and sml , s jh are the initial

states of Uml and U j

h, respectively.

System Model

Network Semantics

Configuration:(〈s1, u1〉, . . . , 〈sm, um〉)

s l : [1..nl ]→ Sl maps an instance to its current state, andul : [1..nl ]→ (Cl → R≥0), maps an instance to its clock function

Continuous time model

delay: clocks update, local states unchangedlocal: local state changes instantaneously, guard must hold

State invariants: ∀i ∈ [1, nl ] . ul(i) |= I il (s l(i))

Interleaving semantics

System Model

Network Semantics

System Model

Network Semantics

System Model

Network Semantics

System Model

Network Semantics

Specification

You are here...

1 Intro

2 System Model

3 Specification

4 Cutoff Theorems

5 An example

6 Final discussion

Specification

ITCTL? - Syntax

Indexed-Timed CTL?

Syntax

φ ::= > | p(il) | φ ∧ φ | ¬φ | AΦ |∧

Φ ::= φ | Φ ∧ Φ | ¬Φ | Φ U∼c Φ

where ∼ ∈ {<,≤,≥, >}Example ∧

AG≥0!(CS mypid(i) ∧ CS mypid(j))

Specification

ITCTL? - Syntax

Indexed-Timed CTL?

Syntax

φ ::= > | p(il) | φ ∧ φ | ¬φ | AΦ |∧

Φ ::= φ | Φ ∧ Φ | ¬Φ | Φ U∼c Φ

where ∼ ∈ {<,≤,≥, >}Example ∧

AG≥0!(CS mypid(i) ∧ CS mypid(j))

Specification

ITCTL? - Semantics

Semantics

c |= p(il) iff p(il) = state(c(l , i))c |=

∧ilφ(il) iff ∀i ∈ [1, nl ] . c |= φ(il)

c |= AΦ iff ∀ρ ∈ paths(c) . ρ |= Φρ |= Φ1 U∼c Φ2 iff ∃t ′ ∼ c . ρbt′ |= Φ2 ∧

∀t ∈ [0, t ′) . ρbt |= Φ1

c is a configurationρ is a path; ρbt is a suffix originating at time t∼ ∈ {≤,≥, <,>,=}

Cutoff Theorems

You are here...

1 Intro

2 System Model

3 Specification

4 Cutoff Theorems

5 An example

6 Final discussion

Cutoff Theorems

Cutoff Theorem for NTA with DG - 1

Monotonicity Lemma

(i) P(1)1 ||P

(n)2 |= EΦ(12)⇒ P

(1)1 ||P

(n+1)2 |= EΦ(12)

(ii) P(1)1 ||P

(n)2 |= EΦ(11)⇒ P

(1)1 ||P

(n+1)2 |= EΦ(11)

where Φ is a MITL formula

Proof idea: in the “big” system, every instance behaves as in the“small” one, except the (n + 1)-th that stutters in its initial state

Cutoff Theorems

Monotonicity Lemma

(i) P(1)1 ||P

(n)2 |= EΦ(12)⇒ P

(1)1 ||P

(n+1)2 |= EΦ(12)

(ii) P(1)1 ||P

(n)2 |= EΦ(11)⇒ P

(1)1 ||P

(n+1)2 |= EΦ(11)

where Φ is a MITL formula

Proof idea: in the “big” system, every instance behaves as in the“small” one, except the (n + 1)-th that stutters in its initial state

Cutoff Theorems

Bounding Lemma

(i) ∀n ≥ c2.P(1)1 ||P

(n)2 |= EΦ(12) iff P

(1)1 ||P

(c2)2 |= EΦ(12)

(ii) ∀n ≥ c1.P(1)1 ||P

(n)2 |= EΦ(11) iff P

(1)1 ||P

(c1)2 |= EΦ(11)

Φ is a MITL formula,c1 = 2|P2| and c2 = 2|P2|+ 1

Proof idea: given a path x in the “big” system, find a path y in the“small” one, such that:

instances 11 and 12 are mimicked exactlyinstance 22 is any instance with infinite behaviorinstances i2, for i ≥ 3 are for detecting deadlock

Cutoff Theorems

Bounding Lemma

(i) ∀n ≥ c2.P(1)1 ||P

(n)2 |= EΦ(12) iff P

(1)1 ||P

(c2)2 |= EΦ(12)

(ii) ∀n ≥ c1.P(1)1 ||P

(n)2 |= EΦ(11) iff P

(1)1 ||P

(c1)2 |= EΦ(11)

Φ is a MITL formula,c1 = 2|P2| and c2 = 2|P2|+ 1

Proof idea: given a path x in the “big” system, find a path y in the“small” one, such that:

instances 11 and 12 are mimicked exactlyinstance 22 is any instance with infinite behaviorinstances i2, for i ≥ 3 are for detecting deadlock

Cutoff Theorems

Cutoff Theorem

∀(n1, . . . , nk) . P(n1)1 || . . . ||P(nk )

k |= φ iff

∀(d1, . . . , dk) � (c1, . . . , ck) . P(d1)1 || . . . ||P(dk )

k |= φ

Follows from Monotonicity Lemma, Bounding Lemma and duality ofE/A path quantifiers

Trace equivalence of “small” and “big” systems (restricted to 1st

instance)

Smaller cutoffs:

c1 = 1, c2 = 2 for Einf/Ainf

c1 = 1, c2 = 1 for Efin/Afin

Cutoff Theorems

Cutoff Theorem

∀(n1, . . . , nk) . P(n1)1 || . . . ||P(nk )

k |= φ iff

∀(d1, . . . , dk) � (c1, . . . , ck) . P(d1)1 || . . . ||P(dk )

k |= φ

instance)

Smaller cutoffs:

Cutoff Theorems

Cutoff Theorem

∀(n1, . . . , nk) . P(n1)1 || . . . ||P(nk )

k |= φ iff

∀(d1, . . . , dk) � (c1, . . . , ck) . P(d1)1 || . . . ||P(dk )

k |= φ

instance)

Smaller cutoffs:

Cutoff Theorems

Cutoff Theorem

∀(n1, . . . , nk) . P(n1)1 || . . . ||P(nk )

k |= φ iff

∀(d1, . . . , dk) � (c1, . . . , ck) . P(d1)1 || . . . ||P(dk )

k |= φ

instance)

Smaller cutoffs:

Cutoff Theorems

Complexity of Parameterized Model Checking Problem

PMCP for Timed Systems with Conjunctive Guards is:

UNDECIDABLE for Φ ∈ ITCTL?

DECIDABLE and 2-EXPSPACE for Φ ∈ IMITLDECIDABLE and EXPSPACE for Φ ∈ TCTL

An example

You are here...

1 Intro

2 System Model

3 Specification

4 Cutoff Theorems

5 An example

6 Final discussion

An example

Example: Fischer’s Protocol - 1

initstart b1 b2 csv = 0, c := 0 v := PID, c := 0 v = PID, c > k

v 6= PID, c > k

v := 0

Standard process definition in Fischer’s protocol

c : local clock variable

k : timeout constant

v : shared integer variable

PID: integer constant, unique for every process

An example

Abstracting PID variable

v0start

· · ·

Figure: V: a shared variable

diffpidstart mypid

Figure: W: a process-centric view of ashared PID variable

An example

Resulting model: P ′′ = (P ×W ) (with conjunctive guards)P: standard process definition in Fischer’s protocolW : process abstraction of shared PID variableconjunctive guards: obtained translating guards (v = PID, v 6= PID)

An example

Simplification: removed states without incoming transition

Lower the required cutoff (9 = 2 * 4 + 1)

An example

Verification results

Formula Out Time (s) Mem (M)∧i EF (CS mypid(i)) T 0.01 155.2∧i 6=j AG !(CS mypid(i) ∧ CS mypid(j)) T 30.1 155.2∧i AF (CS mypid(i)) F 0.59 155.2

Final discussion

You are here...

1 Intro

2 System Model

3 Specification

4 Cutoff Theorems

5 An example

6 Final discussion

Final discussion

Some take-home messages

Cutoff theorems are useful for verifying real-time systems in practice

May be non optimal :-/

Systems are too complex (i.e. infeasible)

Verification chains needs to be defined (i.e. abstractions . . . )

Conjunctive guards can be used to abstract PID variables

For the future:

Extend cutoff for timed systems with disjunctive guards(pairwise rendezvous don’t admit cutoff!)Explore systems mixing templates with CG/DG(but not arbitrary boolean formula: PMCP is UNDECIDABLE!)Compute cutoff for specific process templatesVerify more complex benchmarks/real-world examples(suggestions are welcome :-))

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

For the future:

Final discussion

So long and thanks for all the fish

Some approaches to PMCP

Abstraction (precise, CEGAR, . . . )

Proof theoretic

Inductive invariants

Satisfiability Modulo Theories

plus: semi-automaticminus: semi-automatic

Cutoff

upper bound to the number of copies for each process templateplus: automatic, modular approach (reuse model checkers)minus: complexity may be high (i.e. non optimal)

Some results on parameterized verification

Controller state reachability is undecidable in multi-clock dense timednetworks (Abdulla et al., 2004)Controller state reachability is decidable in multi-clock discrete timednetworks (Abdulla et al., 2004)Recurrent state problem is undecidable in timed networks (Abdulla andJonsson, 2003)All these results require synchronous rendezvous . . .

No results on cutoffs for timed systems

No rendezvous (parameterized rendezvous systems don’t have cutoff)

Cutoff for Timed Systems - Simple solution

reuse (untimed) cutoff theorem1 design timed process template2 apply clock/zone abstraction3 compute cutoff on abstract states and instantiate4 model check

plus: no need for theoretical results

minus: high cutoff, cannot reuse model checkers for timed systems

Cutoff for Timed Systems - Alternative solution

prove timed cutoff theorems1 design timed process template2 compute cutoff on original template and instantiate3 model check

plus: the timed cutoff theorems can be reused, can reuse existingmodel checkers for timed systems, the cutoff is smaller

minus: required some theoretical effort

parameterized model checking for timed systems with conjunctive guards

Science

spegni univpm

ancona pmc

guards vstte

timed automaton

untimed systems

hybrid systems

s s tcc

francesco spegni