Distributed Memory LTL Model Checking

Transcription

1 ! " #$ %& D E ')(+*,.-0/132?@ACB 46587:9<;>= F GH Faculty of Informatics Masaryk University Brno Distributed Memory LTL Model Checking Ph.D. Thesis Jiří Barnat September 2004

2

3 Abstract Distribution and parallelization of model checking algorithms is receiving a growing interest as an additional technique to attack the state space explosion problem. In particular, networks of workstations are used to provide model checking algorithms with aggregate memory and computational power of several interconnected computers. Thus they allow distributed memory algorithms to verify larger (hence more realistic) systems. The thesis focuses on the automata-based approach to the LTL model checking problem. This approach reduces the problem of LTL model checking to the problem of non-emptiness of a Büchi automaton which can be further reduced to the problem of the existence of an accepting cycle in the corresponding automaton graph. Unfortunately, the standard Nested DFS algorithm, which is used to solve the problem in the sequential case, is hardly parallelized because it builds on the depth first search postorder whose computation is an inherently sequential problem. There are three completely new algorithms suggested in this thesis to solve the accepting cycle detection problem in a distributed memory environment. The first one employs the verified LTL formula to achieve such a distribution of the graph that it suffices to perform local cycle detection only (hence, the standard sequential Nested DFS algorithm can be used). However, such a distribution of the graph is quite limited. The second suggested algorithm exploits an additional data structure that is built during the exploration of the graph to reveal the presence of a distributed cycle. Local cycles are detected locally using the standard Nested DFS algorithm again. The additional data structure, called dependency structure, covers mutual reachability of selected states of the graph, and is distributed among participating workstation in the same way as the graph. The third presented algorithm builds on the breadth first search of the graph and thus it avoids the problematic depth first search postorder. It employs the fact that every cycle has to contain a back-level edge, i.e. an edge that does not increase the distance of the target state of the edge from an initial state of the graph. All backlevel edges are detected by the primary search procedure of the algorithm and then they are tested for being the part of a cycle by nested search procedures. All suggested algorithms are formally protein and experimentally evaluated in the thesis. iii

4

5 Acknowledgments I would like to thank all the people who have helped me to finish my PhD studies. Namely, I thank my supervisor Luboš Brim for many interesting and investigating suggestions he gave me, and for the fruitful (and often very long) discussions we had. My thanks go also to all the members of our Parallel and Distributed System Laboratory. In particular, I acknowledge the contributions of those who have participated the DiVinE project. Special thanks go to Rahul Kumar for reading the draft. Finally, I thank my wife and my daughter for their nearly unlimited patience. Jiří Barnat v

6

7 Contents 1 Introduction Motivation Thesis Objective Thesis Contribution Thesis Structure Model Checking Model Checking Concept Modeling System Modeling Formalisms State Space Generation Problem Network of Extended Finite State Machines Representing State in Computer Linear Time Logic Syntax, Semantics Automata over Infinite Words Classification of LTL Formulas Automata-based LTL Model Checking Principle Nested DFS Algorithm On-the-fly Model Checking Safety Properties Partial Order Reduction Distributed Memory Computing Network of Workstations Network Topologies Distributed Memory Algorithms Types of Algorithms Performing Distributed Memory Algorithm Network Message Passing Synchronization and Termination Detection Load Balancing vii

8 viii CONTENTS 4 Related Work Distributed Memory State Space Generation Ciardo et al Allmaier et al Haverkort et al Knottenbelt et al Stern et al Lerda et al Garavel et al Distributed Memory LTL Model Checking Brim et al Černá et al New Approaches Nested DFS in Distributed Memory Environment Incorrect Behavior Token Based Nested DFS Property Driven Distribution Partition Function Accepting Cycles Property Driven Nested DFS Limits, Advantages, and Improvements Dependency Structure Dependency Graph Dependency Structure and Local Cycles Detecting Distributed Cycles Complexity Algorithm Optimizations Counterexample Generation Algorithm Variants Back-level Edges Back-level Edge Concept Cycle Detection Improving the Algorithm Accepting Cycle Detection Counterexample Generation Partial Order Reduction Complexity Experimental Evaluation Implementation and Input Data DiVinE Hardware and Measurement Techniques Models Distributed Memory Computing Network Initialization Delay

9 CONTENTS ix Buffering Partition Function Synchronization Detection Nested DFS Speed Degradation and Memory Nested DFS vs. Token Based Nested DFS Employing Verified Property Property Automaton Decomposition Property Driven Nested DFS Dependency Structure Memory Consumption and Scalability Partially Accepting Components Back-level edges Back-Level Edge Distribution Scalability Counterexample Generation C3-BFS Partial Order Reduction Comparison Conclusion Summary Conclusions Future Work Bibliography 165

10

11 Chapter 1 Introduction 1.1 Motivation We live in a computer controlled epoch. We do not even realize how often our lives depend on machines and their programming. For example, medical instruments, air traffic control systems, and many others all depend on computers to ensure correct functionality in our everyday lives. There is no doubt that the software and hardware used to build these machines has to be reliable and fault tolerant. If not, human lives and expensive equipment are in danger. Speaking of reliability, life critical systems should not be the only ones taken into consideration. An incorrectly working mobile phone or washing machine can also annoy us. Taking these factors into consideration it is not a surprise that we would pay a fortune for correctly working devices. Unfortunately, there are many factors that decrease the probability of developing reliable systems. Due to stiff competition in business and research industries both hardware and software are developed under great pressure of upcoming deadlines. This causes designs of components to be reused from previous projects without checking their compatibility, and manufacturing them before a complete specification has been created. Sometimes the complexity of a system under development is so large that ensuring the system reliability is simply beyond human abilities. All these factors combined can result in a mass of unreliable and dis-functional products. To prevent faulty systems from being released a plethora of techniques have been developed. The best known and probably most widely used technique is called testing and simulation [20]. In the testing procedure the product to be released is examined for correct behavior on a set of chosen test cases to reveal errors. Due to the time constraints it is usually impossible to test the behavior of the product in all possible situations; thus, the set must be chosen carefully to cover as many distinct scenarios as possible. However, there is no guarantee that the product is faultless even if released after a comprehensive testing procedure. Therefore, other mechanisms for ensuring the correctness of products are also employed. Another technique that is used for ensuring correctness of systems is formal verification [36]. Formal verification does not try to reveal an error, contrary to the testing procedure, but tries to directly confirm (prove) the correctness of the system under consideration. The high requirements laid on human resources is one of the most serious handicaps formal verification suffers from. Therefore, developing techniques 1

12 2 CHAPTER 1. INTRODUCTION that can at least partially automate verification procedures and improve already existing verification tools has been one of the main focus of research in computer science. Namely, the theorem proving, equivalence checking, and model checking are the three primary approaches to the formal verification problem. The theorem proving approach is applied mostly to the verification of software. A set of lemmas and theorems implying the correctness of the system under consideration is formulated and proven. Since this approach involves employing welleducated specialists performing extensive mathematical work, the approach as such is extremely expensive and hardly automated; thus, the approach is rarely used. Another approach to formal verification is equivalence checking. This approach tests the equivalence (mostly with respect to the bisimulation relation) of two systems. For example, to check the equivalence of two different levels of abstraction of a system, or to verify the final implementation by checking its equivalence with the given specification. Note that if an implementation and a design are bisimularly equivalent then the correctness of the implementation is proven. As for hardware systems, the equivalence checking approach can be used to confirm the correctness of synthesis of logical circuits from the description language specification. The third major and the most popular approach to formal verification is model checking. The model checking procedure checks whether a model of a system satisfies a given property. One of the main advantages of the model checking procedure is that in the case of a negative answer to the model checking question, it provides a user with a single execution of the model that demonstrates how the model violates the property. This execution is called the counterexample. Certainly, this is a useful feature for all developers because if they are given a counterexample, they can investigate the suspicious execution of the model and thereafter check and repair the system. The properties to be checked are usually extracted from the system specification in text form; however, for model checking purposes they have to be correctly formalized. Temporal logics like LTL or CTL showed provide a good means of doing so. Contrary to the theorem proving approach, equivalence checking and model checking are growing in popularity because they can be partially automated; thus, the verification can be performed within reasonable costs. For this reason many verification tools have have been built [29]. Unfortunately, the model checking and equivalence checking tools (also called model checkers and equivalence checkers) have their practical limits that considerably restrict the size of systems that can be verified. The following paragraphs discuss the model checking tools and their limitations in greater detail. To answer the model checking question a model checker has to examine all possible system behaviors. In general, it explores the set of all states the model can reach. This set is called a state space. Unfortunately, the size of the state space limits the models that can be verified by a model checker as the number of states in the state space can be exponentially bigger than the size of the corresponding model description. This fact is generally referred to as the state space explosion problem. The core of the problem is that the model checking algorithms have to distinguish unexplored states from the explored ones to prevent their re-exploration. Due to this, they have to maintain a set of already explored states. This set is accessed repeatedly by the algorithms and thus, it has to fit into the main memory of a computer. Otherwise the operating sys-

13 1.1. MOTIVATION 3 tem starts swapping intensively and the computation of a model checking algorithm is practically halted. In general, we distinguish two basic approaches to the model checking. These are the enumerative (explicit) approach and the symbolic approach. There is also a special class of model checkers that reduces the model checking problem to the problem of satisfiability of a boolean formula, which are not discussed in this thesis. The main difference between enumerative and symbolic approaches is in the way they maintain and manipulate the set of explored states during the computation. The enumerative model checking algorithms traverse through the state space state by state. Therefore, the most frequent operation performed by the algorithm is probing whether the currently examined state has been previously enumerated. That is why the data structure that implements the set of already visited states has to be optimized for the state presence query and state insertion operations. Typically, this is ensured by some kind of hashing mechanism. The symbolic model checking algorithms start either with the set of initial states or with the set of valid states and compute all the successors or predecessors respectively unless the state space is completely generated or an error is found. The standard data structure used to store the states in the symbolic model checking algorithms is the Binary Decision Diagram (BDD) [19]. The BDD structure is capable of storing a large number of the states in a more efficient way than the hash table; however, operations on BDDs are quite complex and dependent on the size of BDD. On the other hand, complexity of BDD operations do not worsen if they are manipulated with sets of states instead of single states. This is why the symbolic model checking algorithms generate the state space not in a state-by-state manner, but in a set-by-set manner. It is slightly complicated to reveal the main factors that limit the symbolic approach. In some cases it may be the time needed to complete the computation, or space needed for storing the BDD structure, or a memory peak that occurs when a BDD operation is executed. Note that the models have to be encoded in a special way for symbolic model checking purposes. We consider only the enumerative approach to model checking in this thesis. Many techniques to fight the limits of enumerative model checkers have been developed to increase model checkers ability [26]. Some techniques are general and some are specific for the given problem. A natural and commonly used technique is abstraction [27]. Abstraction is used to hide details in the model that are irrelevant to the satisfaction of the verified property, hence reducing the total number of reachable states in the state space. As a typical case we can consider a data abstraction that covers the real content of a variable replacing it, e.g., by either a zero or nonzero value. Probably the most intuitive technique to fight the limits in the enumerative approach is state compression. See e.g. [43]. It employs the simple fact that the less space a state representation occupies the more states can be saved in memory. General compression methods (for example RLE or Huffman s encoding) are commonly used in model checking tools. Nevertheless, there are also other cleverer compression methods frequently used that utilize, for example, information obtained from a static analysis of the model. Another popular technique to fight the state explosion problem is partial order reduction [65]. The technique partitions the state space into equivalence classes (using an

14 4 CHAPTER 1. INTRODUCTION equivalence relation) and then verify only representative executions for each equivalence class. This technique works well mainly for systems that are made of asynchronous and interleaving components in which case the stuttering equivalence is used to reduce the state space size significantly. Also probabilistic techniques found their applications in model checking. The random walk method employs probabilistic choice to build random system executions that are examined for presence of an error. If an error is found, the trace of random walk provides the needed counterexample, if not, either more random walks can be executed or the model is declared correct. Due to this the correctness of the system is ensured only with a certain probability. This method is a typical example of an error discovery method and it may be considered much closer to testing than to verification methods. However, there are other probabilistic methods that support model checking algorithms and have nothing common with testing. A good example is a technique that employs probabilistic choices to make the decision of whether to save a state in the set of visited states; thus, trading time for space [11]. All above mentioned techniques have one common attribute: they try to reduce the state space. Some do that by reducing the number of states in the state space and others by improving data structures used to save the set of visited states. This thesis focuses on a technique that does not reduce the state space, but, contrary to all previously mentioned approaches, increases the available computational and storage power. This technique builds on the idea of storing the state space in a distributed memory environment. The distributed memory environment is made of several Local Area Network (LAN) interconnected computers that communicate via a message passing interface (MPI). The environment provides not only the larger amount of aggregate memory, but also the advantages of parallel computing. In the distributed memory environment we can also overcome the virtual memory limit of a 32-bit process (4GB) that fairly restricts practical applicability of today s model checking tools. The idea of employing distributed memory environment techniques is not completely new in the formal verification field. In [69] the authors describe a parallel version of the verifier Mur [34]. In their approach, the set of all visited states is partitioned over the nodes of the virtual parallel machine, which allows the combined hash table to be larger than on a single node. The explicit state enumeration is then performed in parallel. For the model checker SPIN [48], a similar approach towards distributed reachability analysis was proposed in [53]. This distributed version of SPIN uses different ways to partition the state space than Parallel Mur. A distributed version of the UPPAAL model checker based on the same idea as parallel Mur has been reported in [10]. Yet another distributed reachability algorithm was proposed in [1], but has not been implemented. Let us stress that all the mentioned distributed algorithms solve only the reachability problem which is not the entire model checking problem that we intend to solve in this thesis. A distributed memory version of the model checker SPIN has been explored in [9]. A novel approach to the distributed model checking has been also proposed in [17]. Other recent papers attempt to use distributed memory environment for parallel symbolic model checking. [47] presents a parallel reachability analysis algorithm based on BDDs while in [13] distributed symbolic method has been applied to check safety RCTL properties. Papers [44, 14] significantly extend the scope of the properties that can be verified by presenting a

15 1.2. THESIS OBJECTIVE 5 distributed symbolic model checking algorithm for -calculus and alternation-free - calculus. For a more detailed description of work on distributed memory verification related to LTL model checking see Chapter Thesis Objective The goal of this thesis is to solve the distributed memory LTL model checking problem by implementing and discussing modifications of previously used as well as new algorithms for state space exploration in a theoretical as well as empirical manner. 1.3 Thesis Contribution The thesis contribution to the problem of distributed memory LTL model checking is as follows. A new distributed memory algorithm that builds on partition function defined using the structure of verified property. The algorithm has been proposed in [4] and [3]. A new distributed memory algorithm that employs additional data structure to detect cycles whose states are distributed among workstations. The idea of the algorithm has been published in [9]. Another distributed memory algorithm that detects distributed cycles but builds on breadth first search and back-level edges. The algorithm has been suggested in [5] and [7]. Algorithm implementations and experimental evaluations that were done using the DiVinE library [35]. An experimental comparison of all the presented algorithms. 1.4 Thesis Structure The rest of the thesis is organized as follows. Chapter 2 briefly presents the framework of the automata-based LTL model checking techniques. It give examples of models, defines the Linear Temporal Logic (LTL) and describes the automata-based approach to LTL model checking including the standard Nested DFS algorithm. Chapter 3 presents the basic concepts of distributed memory computing and their applications to the investigated problem. In Chapter 4 work related to the distributed memory state space generation and distributed memory LTL model checking is discussed. Chapter 5 discusses new approaches to the distributed memory LTL model checking problem. It explains the incompatibility of the standard Nested DFS algorithm with a distributed memory environment and discusses modifications to overcome it. It also presents techniques to investigate the property to be checked in order to gain more efficient distributed memory algorithms. Chapter 5 also proposes completely

16 6 CHAPTER 1. INTRODUCTION new approaches to the cycle detection algorithm in a distributed memory environment, which is in the core of all automata-based LTL model checking algorithms. Chapter 6 gives an experimental evaluation of all suggested techniques including detailed comments on individual experiments. Finally, a brief summary of the presented work, conclusions, and major ideas for future research are given in Chapter 7.

17 Chapter 2 Model Checking In this chapter we explain what the model checking is. We show what formalisms are commonly used to give the model of a system, we define the Linear Time Logic, and present a hierarchy of LTL formulas. Furthermore, we describe the automata-based approach to LTL model checking and the standard Nested DFS algorithm. 2.1 Model Checking Concept The model checking is one of the major techniques used in the formal verification. This technique builds on an automatic procedure that takes a model of a system in question and decides whether it satisfies a given property or not. In the latter case not only the negative answer is expected from the model checking procedure, but also the counterexample, i.e. specific behavior of the model which breaks the property. If we want to verify a system using a model checking procedure, we have to model the system at first. Various formalisms can be used to do so. See Section 2.2. In general, such a formalism should be used to model the system that allows to model the system as faithfully as possible. Note that unless the model is inaccurate, we can conclude the correctness of the system from the correctness of the model. Moreover, if the model corresponds faithfully to the system, the counterexamples given by the model checking procedure correspond perfectly to invalid executions of the system and so they can be used directly for debugging purposes. The system properties have to be transformed into appropriate formalism as well. Various temporal logics [56] are used for this purpose. The expression power of most temporal logics is high enough to express all the interesting and generally important system properties such as deadlock, livelock, or reachability of a given good or bad situation. The temporal logics may express even more complex and structural properties like, e.g., whenever a situation occurs then a situation occurs eventually. Temporal logics come in two variants, linear time and branching time. Linear time properties are concerned with properties of paths. So a state in the model is said to satisfy a linear time property if all the paths emanating from the state satisfy the property. On the other hand, branching time logics describe properties that depend on the branching structure of the model. Unfortunately, model checking procedures differ significantly for both kind of logics. In [74] advantages and disadvantages of linear and branching time logics are discussed with respect to their application to the model 7

18 8 CHAPTER 2. MODEL CHECKING checking problem. This thesis deals only with the linear time logic model checking problem. An automata-based approach to the problem is described in details in Section 2.4. However, the definition of the linear time logic is given at first in Section 2.3. Model checking procedures may be further classify into local and global ones. While a global model checking procedure checks if the property is satisfied in all states of the system, the local model checking procedure checks that the property is valid for a given state (most often the initial one). We consider only local model checking problem in this thesis. The basics presented in the next subsections were partially drown from [59]. 2.2 Modeling System To perform the model checking procedure on the system under consideration we must have a suitable system representation (so called model) which can be easily handled by computers. A system can be naturally modeled as a graph whose vertices correspond to system states. A system state is like a snapshot of the system at a given time. Thus it carries information about the variable contents, the number of simultaneously active processes, currently allocated resources, etc. As the time passes and the state of the system changes the state in the system graph evolves into a new state. The process of this evolution is covered by a directed edge in the system graph which is labeled by the identification of the internal system action that caused the change. Let us note that due to the possible interaction of parallel processes in the system and due to various data structures the number of states in the model of the system can be exponentially bigger than the size of the system description. This is so called state explosion problem. Note that the problem is common to all model checking approaches Modeling Formalisms Formally, a state space can be given as a Kripke structure. Definition A Kripke structure over a set of atomic propositions is a triple, where is a set of states, is a transition relation and is an interpretation function. The set of atomic propositions represent the set of basic qualities that individual states can have. The interpretation function thus for each state gives the set of those properties the state enjoys. The sets and are typically finite. However, a model checking on infinite structures has been presented in [15]. A different formalism used to model system quite often is the formalism known as Labeled Transition System. Definition A labeled transition system is a triple!! "#, where is a set of states, " is a set of actions, and $! %& is a transition relation. A transition (') *+,'.-/10 (often also given in its infix form as '32 '4- ) says that the state ' can evolve to the state '5- by taking the action *. In contrary to the Kripke

19 2.2. MODELING SYSTEM 9 structure, the Labeled Transition System presents no information associated to a state, but instead it introduces actions on transitions. Naturally, taking advantages of both approaches various mixtures of mentioned formalisms (generally referred to as Kripke Transition Systems) were defined and are used in practice. For our model checking purposes we use an extended Kripke structure formalism. This very natural and common extension lies in supplying each Kripke structure with a distinguishable initial state. Hence, given a finite set of atomic propositions the model of a system is a tuple +,', where is a Kripke structure, as defined above, and ' 0 is an initial state. We further suppose an additional transition labeling function, that assigns to each transition in an identification of the corresponding action taken by the system. If! is the set of all possible actions then!. Although, this labeling has no impact on model structure at all and thus it is not included in the tuple defining the model, it can be used by a model checker for various purposes, like e.g. the counterexample generation or application of the partial order reduction. For given model the Kripke structure is also referred to as the state space. Quite often only those states of the Kripke structure are considered that are reachable from the given initial state ' through transitions given in. In such a case we should speak about the reachable part of the state space, or simply a reachable state space. However, we deal with reachable state spaces only in this work and thus we omit the reachable attribute at the state space term in the rest of the text State Space Generation Problem In model checking applications a model can be given either explicitly or implicitly. To give the model,' explicitly means to give all its components. In particular, it means to name all its transitions in, all its states in, and the corresponding state interpretation function. Let us imagine that we should pass an explicitly given model of a simple program that repeatedly adds one to a single local 32-bit variable to the input of a model checking procedure. This would mean to name states and transitions. This is quite a lot even for such a small system that can be, in fact, described by a few lines of source code. That is why the explicit representation of a model is not used in practice, but the implicit representation is used instead. Basically, to give the model implicitly means to give the functions and instead of the sets and and the state '. The function model. Hence The function # %$ takes a state and returns the set of its immediate successors. Hence,.' "! returns the initial state of the 4 (' # &4 (' (' 0 ) "! The State Space Generation Problem is then a problem of computing the explicit representation of a model from the implicit one. Generally, graph traversal algorithms are used to solve the state space generation problem. An example of such an algorithm is given in Figure 2.1. The algorithm takes

20 10 CHAPTER 2. MODEL CHECKING 1 proc State Space Generation F F 2 S T 3 U F 4 while U do 5 V Head U 6 if V 0 S then 7 S S V 8 foreach W 0 F V do 9 U U W 10 T T V W 11 od 12 fi 13 od 14 end Figure 2.1: State space generation algorithm. the functions and and uses them to generate the state space in breadth first manner. When the algorithm finishes the set of all reachable states can be found in the set variable while the set of all transitions in the set variable. The algorithm maintain also variables and for storing currently processed state and one of its successors, respectively. We emphasized the line number 6 of the pseudo-code where the set of already explored states is tested for the containment of the currently explored state. Due to this line an efficient implementation of the algorithm has to ensure fast access to the contents of the set which may be problematic as soon as the set becomes so large that it cannot be completely kept in memory. Therefore, unless the functions and are ineffective, the main limiting factor of state space generation algorithms is the amount of available memory. Having the procedure for conversion of the implicit representation of a model into the explicit one we face the problem of encoding a model implicitly, i. e. in such a way that allows en easy extraction of and functions. We introduce network of extended finite state machines for this purpose in the next subsection Network of Extended Finite State Machines Technically, each system consists of several more or less independent processes. These may communicate among each other via shared memory (shared variables), which is the case of most programs, or via channels, which is the case of various communication protocols. We describe behavior of a single process in the system with an extended finite state machine (EFSM). Thus the full system is modeled as a set of EFSMs plus set of global variables plus set of communication channels. Intuitively, the system behavior is described by all the EFSMs that interleaves their individual steps. Let us suppose that the set of all variables is, set of all channels is, and set of all possible states is. Before defining the extended finite state machines we introduce expressions, effects, and synchronizations.

21 O 2.2. MODELING SYSTEM 11 The set of all expressions over, is denoted by and is defined as follows: ' ' ' ' ' ' ' ' * where stands for an integer value (,,,,!!! ), stands for a boolean value (,! * ' ), stands for an integer or boolean variable ( 0 ), " stands for an integer operator (#,,$,%,!!! ), stands for a Boolean operator (&,' ), and ( stands for a relation operator (),*,+,,, ). The set of all effects over, is denoted by-!.! and is defined as!.!& / '!.!!.! where 0 and 0. The set of all synchronizations over is denoted by 21 and is defined as ' 3 ' 4 '5(5 where 0 and 3 0. Definition The Extended Finite State Machine over the finite set of variables, set of channels, and set of possible states is a tuple "6 7%5 7, where 6 is a finite set of states, 086 is the initial state,/69 :; < =!.! 21 >6 is a finite set of transitions, and /6 is a set of accepting states. Having the definition of a single extended finite state machine we can define the network of extended finite state machines as follows. Definition The network of EFSMs is a tuple? A@!!! B CDFEGIH, where is the finite set of variables, B CDAEGJH LK is a function that assigns to each variable 0 its domain, i.e. a finite nonempty interval in K, is a finite set of communication channels, and "6 7 7 are the EFSMs over the,, and S W 6. The EFSM is, in fact, the standard FSM whose transitions are enriched by guards and effects. The guard restricts the situations in which the transition can be executed. It consists of an expression and a synchronization condition. The transition is enabled (i.e. allowed to be executed) if the expression is evaluated to and the synchronization condition is satisfied. The synchronization condition is satisfied either if it is empty (denoted by 3 ) or there is another transition of a different EFSM that is enabled and has the dual synchronization primitive (for 0 the duals are X4 and Y5 ). The transition with a nonempty synchronization can be executed only together with the dual synchronization transition. Finally, the effect of a transition describes the modification (updates) of values of variables if the transition is executed. If two transitions are executed together the effects of both are considered. Formally, we can define the operational semantics in terms of Kripke structure as follows. B CDFEGIH be a network of extended finite state machines such that " Then the set of all possible states is [6!!!\6. To interpret the values of variables we introduce a ]E^`_aEbLGLCH function c dk that assigns to each variable 0 a value from its domain B CDAEGJH I. The set of all valuation functions over is denoted by egf. A state of the Kripke structure is given by the states of all individual extended finite state machines in the network and

22 2 2 2 ' ' 12 CHAPTER 2. MODEL CHECKING the valuation function, i.e. a state is a double L c, where c0/e f and 0, i.e. 7 where 086. The function that evaluates an expression in a state L c is denoted by S and is defined in the standard way. We only note that an integer value can be understood as a boolean value for boolean operation purposes (! * ' if the integer equals to, otherwise) and a boolean can be understood as an integer value for integer operations ( if the boolean value is! * ', if it is ). The only unusual boolean expression is the *) one that is evaluated to, if an EFSM is at state (i.e. / ), and evaluated to! * ' otherwise. A transition effects are interpreted as functions of type \e f# e f. If an effect! is applied to a valuation function it yields an updated valuation function. The transition effects are either assignments ( ) or effect sequences ). The updates of valuation function are made according to the semantic function! L c c S if S 0 B CDFEGIH I c otherwise as L c! S!"# where c$ 1 is such a valuation function that differs from the valuation function c only in the value of. As for the synchronization we only define two predicates b"e_ (' and B_aE^&% for The predicate b"e_ (' is true if and only if ' 3, the predicate B_aE^'% is true if and only if ';@ and ' are duals, i.e. either 4 and ' Y5 or Y5 and ' X4, where 0. Finally, we assume that the set of atomic propositions is a finite subset of the set of all expressions over and, i.e. :. Now we can define the Kripke structure that gives the operational semantics for the given network of EFSMs. Definition Let? -@4!!! + B CDFEGIH be the network of EFSMs. The underlying Kripke structure ( is defined as follows. The set of states is a subset of e f, the interpretation function f S&01 *),+.-/ maps a state L c to the set ' S, and the transition relation is defined as follows: L 7.- ' L@4!!!. 7 " c " 5- L5-@!!!. 7.- " c - " 2 A+ )!,' L - 0\ '343 * / ' ' - - ' ' b"e_ (' ' c -! L L 7.- ' L@4!!!. 7 " c " 5- L5-@!!!. 7.- " c - " T@ T A+ T@ ) @ L -@ 0 '3 3+*) / T@ 8 / - -@ ' ;: ' ;: - / ' ' B_aE^&% ' c-! L@4!!! 7 L!,' L - 0> ;:

23 2.2. MODELING SYSTEM 13 To obtain the model +,' from the Kripke structure ( described by network of B CDFEGIH we have to identify the initial state ' 0$. The initial states of individual extended finite state machines are given, hence the only missing piece is the initial valuation function c 0 e f. For a variable 0 we define the value of c I to be either if 0 B CDAEGJH I or D GJHaGID _ D TB CDFEGIH I if 0 B CDAEGJH I Representing State in Computer As we explained above the two function # and can encode the,, and ' elements of a model +,'. Naturally, the last element # ) has to be supplied to the model checker as well. Basically, the states can be represented by anything if the interpretation function is available to the model checking procedure. However, such an approach suffer from the same problem as the explicit representation of a model, i.e. the enormous amount of data to be stored and passed to the input of model checking procedure. Therefore, an implicit approach to the definition of interpretation function is being used in practice. This approach builds on the basic fact that the semantic function as defined in the previous subsection employs only finite information to evaluate an expression. Since an atomic proposition is, in fact, an expression, the same finite information suffices to evaluate the atomic proposition as well. If an implicit approach to the interpretation function is used then the finite information needed to evaluate the atomic propositions has to be stored at, or maybe more precisely in, the state. A state of the Kripke structure thus has to describe all the necessary inputs of expression evaluation function. These are the current states of all the EFSMs in the network and the current valuation function. A state of the Kripke structure represents these as a bit vector. The current states of all the extended finite state machines-@4!!!4 (, where ) "6 7 7, can be described using2@ bits 5 6! ) if the states are numbered. Having the numbering of states of an EFSM we can further require the initial state to be identified by the number. As for the valuation function, if all the variables in T, then the valuation function can be described using bits ( ; * " I 5! ). The domain of each variable depends on its type. There are three basic types typically used in modeling languages. These are the boolean type with the domain L (, the with the domain L,, and the integer type that has the domain, #N or #. The required numbers of bits representing the boolean, byte, and or, respectively. Thus a state of the Kripke structure can be represented by a bit : whose length #. Finally, we can define the functions # and. The definition of the function is quite easy in practice. The function returns a bit vector of appropriate length that containing zeros only. Note that such a state is the initial state of the Kripke structure as the identifications of all initial states of EFSMs in the network equal to zero as well as the initial values of all defined variables. Slightly more complicated is the definition of the function that should return all the successors of the state for which it is called. So let us suppose that the function is called for a bit vector. It has to decode the state from the bit vector, compute the set of transitions@!!!. 5 integer are,, and either

24 2 14 CHAPTER 2. MODEL CHECKING ' iff 0 ' iff ' iff or ' ' iff and ' 5 ' % iff 8 7A+ 8 ) 4 ' and 6, 7A+ ) 8 5 ' % iff ' % or 618 7F ' ' Figure 2.2: Semantics of LTL. enabled at the state, produce 8 copies of bit vector, and modify each copy according to the effect of corresponding transition. 2.3 Linear Time Logic Syntax, Semantics Propositional linear time logic (LTL) is the basic prototypical logic used in formal verification. Its formulas are constructed as follows, where ranges over a set of atomic propositions: ' ' ' g@4 Formulas of LTL are interpreted over paths of the model 3,'" over the set. A finite path is a finite sequence ('%5,'@4!!!4,' of states from such that 0 for ) 8). The length of such a path is and is denoted by. An infinite path is a infinite sequence of states from such that for all,. The length of an infinite path is. For A+ ), denotes a tail of the path starting at the state '%, i.e. for A maximal path is such a path that cannot be extended by another state, hence each infinite path is maximal, while a finite path is maximal if and only if there is no transition that could enlarge the path sequence. A maximal path of the model emanating from the initial state ' is called run. The inductive definition of when the run ( ) of a model,' satisfies an LTL formula ( ) is given in Figure 2.2. We say a model satisfies the formula, written as ', if and only if all its runs emanating from the initial state ' satisfy. Intuitively, satisfies an atomic proposition, if its first state does. The meaning of and & are obvious, further Boolean connectives may be introduces as abbreviations in the usual way. The modal operators,, and are the key operators for expressing properties of a system. The modality (read as next ) requires the property to be valid in the second state of the path, i.e. the holds true if does for the path obtained by removing the first state. The modality (read as until ) requires to become true at a state of the path and to be valid in all states before. This modality is also sometimes referred to as the strong until because

25 2.3. LINEAR TIME LOGIC 15 % % Figure 2.3: Illustration of LTL modalities. it requires to become true eventually. The last modality % (read as weak until ) is the weak version of until operator, i.e. a version that do not require the to be valid eventually. Other modalities can be defined similarly to the Boolean connectives as abbreviations. The most popular additional modalities are the (read as future ) and (read as globally ) that are defined as follows. #! * ' The modality requires to become true at a state of the path while the modality requires to be valid in all states of the path. The graphical illustration of most common LTL modalities is given in Figure Automata over Infinite Words Every path in the model 3 +,' is either finite or infinite. However, a finite path ('!!!4,' can be extended to an infinite one (' 5!!!.,',','!!! by repeating the last member of the finite sequence. This can be done without impact on the validity of an LTL formula and so we can restrict us only to infinite paths with respect to the validity of an LTL formula in the following. An infinite path as defined above may be also given by an infinite word over the alphabet. Note that letters of the alphabet equal to subsets of the set of atomic propositions. The word describing the path is given by the interpretation function, hence (' " In a straightforward way, a validity of LTL formula can be also defined for such a word. Now, every LTL formula induces a language of infinite words containing just those words that satisfy. Since the language is -regular, a Büchi automaton can be build that accepts just the language. Definition A Büchi automaton is a tuple ",', where is a finite alphabet, is a finite set of states, '10# is the initial state, $ is a transition relation, and is a set of accepting states. A run of over an infinite word *!!! is a sequence ' such that for all ' 0 ('.@ *. A run '5,'@!!! over is accepting iff ' ' and 4 0 '

26 16 CHAPTER 2. MODEL CHECKING appears in the run infinitely many times. A word is accepted by if there is an accepting run over. The set of words accepted by is denoted by. A crucial fact that lies in the core of the automata-based approach to the LTL model checking is that the automaton can be constructed systematically from the formula [73, 67]. Note that the size of automaton may be exponentially bigger than the size of the formula. Nevertheless, the formulas specified in practice are typically small and so this exponential accrual is not restrictive. The automaton can be also used to check the satisfiability of the formula. In particular, it suffices to test whether the language accepted by the automaton is nonempty, i.e. whether the underlying graph of the automaton contains at least one reachable accepting cycle. The most efficient algorithmic solution known to this problem employs two nested depth first search procedures [28, 49]. However, the test can be made more efficiently if the tested Büchi automaton, and so the corresponding graph, has a specific structure. There are two general structure properties (weak and terminal) a Büchi automata can have. A weak Büchi automaton has its states partitioned into components in such a way that each component consists of either accepting states only or non accepting states only. The non-emptiness problem for a weak Büchi automaton is then reduced to the problem of presence of a reachable cycle in a fully accepting component. Thus the best algorithm to detect accepting cycle in the graph of a weak Büchi automaton employs only a single depth first search [39]. A terminal Büchi automaton is such an automaton that reaches an accepting state during the run on a word if and only if the word is accepted. Hence, the a terminal Büchi automaton accepts a non-empty language if and only if there is a reachable accepting state in the corresponding graph. This can be easily decided by a simple reachability analysis Classification of LTL Formulas Any system property expressible by an LTL formula can be classified according to the hierarchy given in [57] where the authors describe six classes of properties (LTL formulas). These are the Guarantee class, Safety class, Obligation class, Recurrence class, Persistence class, and Reactivity class. The authors defined the hierarchy in terms of Street predicate automata. Nevertheless, in [23] two new characterizations were proposed. One defines the hierarchy in terms of various automata over infinity words while the second employs the alternation depth of modal operators in the formula (so called Until-Release hierarchy). The schema of the hierarchy is given in Figure 2.4. The classes that are on the same level are dual with respect to complementation. Furthermore, each class properly contain all the classes below. Thus the reactivity class is made of all the properties that emerged from boolean combination of recurrence and persistence properties and the obligation class is made of all the properties that emerged from boolean combination of safety and guarantee properties. The hierarchy also gives criteria for the cases when the property is expressible by means of weak or terminal Büchi automaton. A very interesting conclusion is given in [23] where the authors claim that most of formulas used in practice are expressible by means of terminal or weak Büchi au-