Unbounded Integer Variables: Symbolic. Representations, Approximations and Experimental. Results y. Abstract

Transcription

1 Model Checking Concurrent Systems with Unbounded Integer Variables: Symbolic Reresentations, Aroximations and Exerimental Results y Tevk Bultan, Richard Gerber and William Pugh Deartment of Comuter Science University of Maryland, College Park, MD 20742, USA fbultan,rich,ughg@cs.umd.edu Abstract Model checking is a owerful technique for analyzing large, nite-state systems. In an innite-state system, however, many basic roerties are undecidable. In this aer, we resent a new symbolic model checker which conservatively evaluates safety and liveness roerties on innite-state rograms. We use Presburger formulas to symbolically encode a rogram's transition system, as well as its model-checking comutations. All xoint calculations are executed symbolically, and their convergence is guaranteed by using aroximation techniques. We demonstrate the romise of this technology on some well-known innite-state concurrency roblems. 1 Introduction In recent years, there has been a surge of rogress in the area of automated analysis for nitestate systems. Several reasons for this success are: (1) the develoment of owerful techniques such asmodel-checking (e.g., [6, 8]), which can eciently verify safety and liveness roerties (2) innovative new data structures that symbolically encode large sets of states in comact formats (e.g., [5, 6,25]) and (3) new ways of carrying out comositional and local analysis, to assuage the \state exlosion" usually associated with concurrency (e.g., [7, 10, 18]). But when transition systems are not restricted to be nite, most of these techniques are no longer alicable, as they inherently deend on all underlying tyes being bounded. Also, general safety and liveness roerties become undecidable for innite transition systems. We have develoed a symbolic model checker to attack this roblem, which is based on the following key concets: Symbolically encoding transition relations and sets of states using ane constraints on integer variables, logical connectives and quantiers (i.e., Presburger formulas). Preliminary results from this aer aeared as an extended abstract in the Proceedings of the 9th Conference on Comuter Aided Verication (CAV '97). y This work was suorted in art by ONR grant N , NSF CCR and a Packard Fellowshi. 1

2 Translation Phase Partitioning Phase Temoral Proerties Analysis Phase Event-Action Language Program Presburger Comiler Presburger Relations DNF Partitioning Partition Classes Control-Point Partitioning Event-Domain Partitioning Presburger Relations Reachability Analysis Forward or Backward Fixoint Comutations Exact or Aroximate Fixoint Comutations Program Proerty or Counter-Examle Figure 1: Overview of the Analysis Tool. Eciently maniulating these formulas (via a fast Presburger solver called the Omega library [21, 28]) to derive truth sets of temoral logic formulas and their xoint comutations. Using conservative aroximation techniques in analysis of innite state rograms, which guarantee convergence by allowing false negatives. In any comuter system variables are eventually maed to nite reresentations. Thus, it might be argued that integer variables can be given a nite range, and rograms can then be analyzed as nite-state machines { for examle, using BDD's [6, 25]. For several reasons, however, this may not always be the best way to roceed. First, maing integer variables and oerations to their binary imlementations may lead to highly inecient static analysis. More imortantly, one may wish to analyze an algorithm as an abstraction, and rove its correctness in a general sense for any imlementation of integers. Given a nite but very large transition system, an analysis technique which hasaworst case comlexity roortional to the size of the inut transition system will run out of resources (i.e., memory) when the worst case is realized. Comlexity analysis of model checking for all interesting temoral logics shows that worst case comlexity is at least linear in the size of the inut transition system. I.e., although model checking nite state systems is decidable (as oosed to innite state systems) for very large systems it can be intractable. Hence, from a ractical stand oint, our techniques for analyzing innite state systems can be viewed as techniques for analyzing very large nite state systems which do not rely on the niteness of the state sace. In this aer we demonstrate our model checker's eectiveness on some classical innite-state rograms taken from the concurrency literature [3, 30]. While relatively small, they ossess some interesting subtleties, esecially in the tricky way their innite-state variables inuence control ow. A summary of our aroach is shown in Figure 1, and it deicts how we structure the three main hases: translation, artitioning and analysis. In the translation hase, the system accets as inut a rogram written in a simle event action language then it roduces the corresonding set of Presburger relations. These Presburger 2

3 relations are just a symbolic encoding of the rogram's underlying transition relation. In the artitioning hase, the rogram's states and transitions are segregated into a set of artition classes, with the objective of reducing the comlexity ofverication. The motivation here is easy to understand: Consider treating a comlex rogram as a single relation, which might contain multile if-then-else branches and loos. Then consider ushing through a nontrivial weakestrecondition transform { say, to automatically derive a loo-invariant. In most cases, the result will exlode into an unmanageable (otentially innite) number of constraints. It is true that the general form of our verication roblem is undecidable hence, we cannot eliminate this issue entirely. However, artitioning lets us dam some of its eects { and more imortantly, it increases the recision of our conservative techniques. The \default" artitioning strategies are: DNF Partitioning: This method decomoses the rogram's transition relation into a disjunctive-normal-form then re- and ost-condition transforms are carried out for each disjunct, one at a time. Control-Point Partitioning: This method symbolically decomoses the state-sace into artition classes, based on valuations of selected variables (we call these control-oints). Event-Domain Partitioning: This method is a ner-grained version of Control-Point Partitioning. It forms its artition classes based on the enabling conditions of events so that in each artition class an event is either enabled for all states or disabled for all states. We describe these strategies in the following sections. However, we stresstwooints here: (a) they are used to segregate the rogram (and its states) into large regions, which distinguish the truth or falsity of crucial temoral roerties and (b) these decomositions do not alter the underlying transition relation of the original rogram hence, they reserve all temoral roerties. In the analysis hase, verication rocedures are alied to hel rove (or disrove) roerties of interest. Many of these are inter-deendent i.e., they automatically \call" each other as \subroutines" to obtain the original goal. Nonetheless, many high-level strategy decisions are left to the user. In the sequel, we demonstrate situations in which human inut can hel secically, we show a set of rograms (and requirements) which heled reveal the relative strengths and weaknesses of each aroach. While some rograms were easily veried with certain strategies, the same strategies diverged when used on other rograms. We note, however, that the user need not be a model-checking \exert" er se rather, the tye of exerience we consider useful is more like that a rogrammer draws on when setting comiler-otimization levels. As for the techniques, all of the \to-level" techniques we reort are at least conservative, and several are exact. Some rograms can, in fact, be quickly veried using exact symbolic modelchecking algorithms, similar to those resented in [25] for BDDs. In our domain, the analogue of a CTL \atomic roosition" is ostulated over the Presburger logic, and is roagated through 3

4 the rogram as such. We suly both backward and forward rocedures for exact analysis. (The backward version starts with the desired goal, and erforms recursive re-condition transforms to get back to the initial states the forward rocedure works in the oosite fashion.) Additionally, we exort conservative variants of the backward and forward techniques, which can obtain lower and uer aroximations to the exact xoint. Two of the methods use a generalized form of \widening" technique discussed in [13] for abstract interretation. We demonstrate how the aroximate methods work together (with minimal user intervention) i.e., how our driver rogram integrates lower and uer bounds for sub-formulas, and then derives a conservative result for the high-level goal. Finally, we describe two rocedures which can be run as a re-rocessing ste before modelchecking. These will often accelerate convergence for all of the xoint techniques, both aroximate and exact. One technique derives an uer bound for the rogram's reachable state sace the other is a related function which aroximates the transitive closure of the transition relation. Both methods are guaranteed to converge, and both are used for the following uroses: (1) to reduce the sizes of the Presburger formulas generated during model-checking and (2) to increase the recision of aroximate analysis. The remainder of the aer is organized as follows. In the following section we overview some related work in the eld. Then, we resent the syntax and semantics for concurrent rograms and their roerties. After introducing the Presburger encodings and artitioning techniques, we describe our symbolic model checker, and show how it exloits the Presburger reresentation. After formally dening conservative aroximations, we discuss the secic aroximation techniques for comuting uer and lower bounds of xoints. Then, we resent avariety of dierent examle rograms, and show how the various methods erformed on them. Finally, we conclude with some discussion on our results. 2 Related Work Other methods have been roosed to deal with innite-state concurrent rograms, and we note some of them here. In [9], Clarke et al. resent a conservative model checking technique, by roducing a nite abstraction of the rogram (e.g., via a congruence relation modulo a suitable integer), and then checking the roerty ofinterest on the abstraction. In [16], Dingel and Filkorn extend this method using \assumtion-commitment" style reasoning and theorem roving. While these techniques require the user to nd the aroriate abstractions { and hence are not comletely automatable { we see them as being orthogonal to our aroach. There may be cases where abstraction methods can vastly reduce the state sace without achieving a nite reresentation. In these cases our model checker can be used on the innite abstract models. Another aroach istousesymbolic execution technique [15, 19], which symbolically generates 4

5 a rogram's execution aths. In ractice, this method may end u generating an innite number of nodes, and thus never terminate. This limitation can be overcome by having the user secify assertions about a rocess's behavior, which can be veried locally. Then the local roofs can be checked for cooeration [15]. Although this method has the benet of incrementally roving correctness (as oosed to generating all ossible interleavings), it relies on users to come u with the correct assertions. Our work has some historical antecedents. Cooer [11] develoed a technique which encodes transition relations as sets of Presburger formulas, and then converts queries about a rogram's roerties to validity checks in Presburger arithmetic. The decision rocedure used by Cooer was comutationally very exensive which made the validity checks intractable. Also roving correctness as a single Presburger decision roblem is not a method that can scale very well. We have found it more benecial to use model checking as our rimary technology, and use a Presburger solver for some subservient set-theoretic comutations. Our work was also inuenced by known techniques from abstract interretation [12, 13] secifically, we use some aroximation methods rst develoed for that domain. Most reachability roerties can be formulated as least xoints over sets of a rogram's states if the state sace is innite, these xoints may not be comutable. Abstract interretation rovides away of aroximating these xoints via a technique known as \widening" { which can comute a least xoint's uer bound in nite time. Since our basic temoral oerators require similar comutations, we were able to successfully use this method in conjunction with the Omega library. Our recursive aroximation technique for temoral roerties with nested temoral oerators is similar to the one used by Kelbet al. in [20]. In [20] a temoral roerty exressed in mucalculus is comuted conservatively using two abstractions of the same rogram. One abstraction over estimates the behavior of the rogram and used for comuting universal roerties. Another abstraction underestimates the behavior of the rogram and is used for comuting existential roerties. Together they can be used to conservatively aroximate any mu-calculus roerty. Similar methods are also used in [14, 27] where an aroximation for a temoral formula exressed in mucalculus is comuted using lower or uer aroximations of its subformulas. Our aroximation techniques are based on aroximating the xoint comutations instead of aroximating the rogram as a whole using abstractions. It is ossible to use both of these techniques together. Finally, our encoding of rogram states is similar to that used by Aluret al. in verifying hybrid systems [1, 2]. Ahybrid system is a discrete control automaton, which interacts with continuouslychanging, external arameters. Like us, Alur et al. used an alication of widening to hel solve verication queries over linear hybrid automata { in which transition relations are dened in terms of ane constraints over the variables of the system. A fundamental dierence between our work and the work of Alur et al. is that we encode sets of integers { as oosed to the real numbers used in hybrid systems { thus, we can use Presburger 5

6 Program: Unbounded Buer Data Variables: c q 1 q 2: ositive integer Control Variables: c : fidle Sendg Initial Condition: = c = q 1 = q 2 =0 Events: e IS enabled: c = Idle action: c 0 = Send e S enabled: c = Send action: 0 = +1^ (q1 0 = q 1 +1 _ q2 0 = q 2 +1) e SI enabled: c = Send action: c 0 = Idle e R enabled: q 1 > 0 _ q 2 > 0 action: (q 1 > 0 ^ q1 0 = q 1 ; 1 ^ c 0 = c +1)_ (q 2 > 0 ^ q2 0 = q 2 ; 1 ^ c 0 = c +1) Figure 2: Examle (UB) { Indexing for Two Unbounded Buers. formulas as our symbolic reresentation. This enables us to exress and rove roerties such as \x is even," using quantication. In general, satisability roblems over constraints with integer variables are signicantly harder to deal with. For examle, checking to see if there exists an integer solution to a set of linear constraints is NP-hard, while the analogous real-valued roblem can be solved in olynomial time. 3 Programs and Proerties We use the event-action language from [30] as our syntax for concurrent rograms, with a semantics dened in terms of innite transition systems. A concurrent rogram C =(V I E) is reresented by (1) a nite set of data and control variables V (2) an initial condition I, which secies the starting states of the rogram and (3) a nite set of events E, where each event is considered atomic [30]. The state of a rogram is determined by the values of its data and control variables. We assume that the domain of each variable is a countable set. Each event is reresented with an enabling condition and an action, where the enabling condition constrains the states in which the event can occur, and the action denes a transformation on the variables of the rogram. Consider the concurrent rogram (UB) shown in Figure 2, which handles the counters for two unbounded buers. Note that there is a single control variable c which is used to attenuate the roducer { and it can either be idle (i.e., c = Idle) or ready-to-send (i.e., c = Send). Alternatively, the consumer has only one event (e R ), which can execute whenever outstanding data is sitting in either of the buers. Four data variables are used to kee track of the the data items, from the ersective of 6

7 the roducer, the consumer and the two buers. The total number of items roduced (over the rogram's lifetime) is ket in the integer similarly, the number of items consumed is counted in variable c. The other two variables { q 1 and q 2 {kee track of the outstanding items in the buers. Note that all the data variables can increase without bound, i.e., this rogram is not a nite-state rogram. In our event-action language, if a variable v is used in an event, then the symbol v 0 denotes the new value of v after the action. (If v is not mentioned in the action of an event, then we assume that its value is not altered by that event.) Three roerties of interest are as follows: (UB1) The total number of items roduced is equal to the number of items consumed, lus the number of items sitting in the two buers. (UB2) If the sender is idle, the total number of items in the buers monotonically decreases. (UB3) The number of items consumed never exceeds the number roduced. Given scale of the rogram, one need not ossess extraordinary skills to understand that the roerties are indeed true. Yet, while we may know that this rogram is correct, its innite state sace will overcome most contemorary automated analysis engines. Hence, it is easy to see how a larger, more comlex rogram would, in fact, be inaccessible to a both a rogrammer's (informal) "what-if" checks, and to an automated nite-state analyzer. Given a rogram C =(V I E) in the above language, we model it as an innite transition system M =(S I X L), wheres is the set of states, I is the set of initial states, X S S is the transition relation (derived from the set of events E), and L : S SF!fTrue Falseg is the valuation function for state formulas over the rogram's variables. (We dene the set of state formulas SF below.) The set of states S is obtained by taking the Cartesian roduct of domains of all rogram variables, i.e., given a rogram with n variables V = fv 1 v 2 ::: v n g,each state s 2 S corresonds to a valuation of all the variables of the rogram n^ s v i = x i i=1 where x i 2 domain(v i ). Every event e 2 E denes a binary relation on the rogram's states, X e S S, interreted as follows: If (s s 0 ) 2 X e,thens and s 0 denote rogram's states before and after the execution of event e, resectively. We dene the domain and range of an event e as: domain(e) =f s j9(s s 0 ) : (s s 0 ) 2 X e g range(e) =f s 0 j9(s s 0 ) : (s s 0 ) 2 X e g The global transition relation is X W e2e X e.notethatwe use an interleaving model, where each transition reresents execution of a single event, i.e., only one event can occur at a time. 7

8 Presburger Formulas. Recall requirement (UB3) above, which asserts that the following roerty stays invariant over all executions: c. We call this tye of assertion a state formula. And in general, we dene the set of state formulas SF for a rogram C as the Presburger formulas generated by the following grammar: f ::= t t j (f) j f ^ f j:f j9intvar (f) t ::= (t) j t + t j intvar j intcons Here, the terminals intcons and intvar reresent integer constants and variables, resectively. Using this base language, we can easily reresent formulas including <, =,_, 8, aswell as multilication by a constant. The set of closed formulas dened by the above grammar forms the theory of integers with addition, called Presburger arithmetic. An imortant roerty of Presburger arithmetic is that validity is decidable. Hence, given a state formula f 2 SF and a rogram state s we can decide if s j= f by substituting the values of rogram variables in state s to corresonding oen variables in formula f and using a Presburger decision rocedure (this is equivalent tochecking if s ^ f is satisable). In general, the worst-case time bound for determining validity in Presburger arithmetic is rohibitive, with a deterministic uer bound of 2 22n (forsomeconstant > 1) [26], and a nondeterministic lower bound of 2 2cn (for some constant c>0) [17], where n denotes the length of the formula. Yet we have found that the Omega library [21, 28] is quite ecient at solving the roblems that arise in our analysis, which tyically ossess a small number of constraints, and do not contain multile levels of alternating quantiers. The Omega library uses extensions of Fourier variable elimination to solve integer rogramming roblems, along with a set of transformation functions and heuristics to hel convert real-valued aroximations into discrete-valued solutions. Temoral Proerties. We use the temoral logic called Comutation Tree Logic (CTL) [8] to secify roerties of rograms. Four CTL oerators form the basis of our logic: quantied-nextstate oerators 9 and 8, and quantied-until oerators 9U and 8U. Thus, the logic we use to reason about a rogram is generated over the set f f 2 SF 9 8 9U 8U ^ _ :g: As usual, quantied-eventuality (93 and 83) andquantied-invariant (92 and 82) oerators can be reresented as follows: 93f True 9U f 92f :(True 8U :f) 83f True 8U f 82f :(True 9U f) We dene the semantics of our CTL temoral oerators on the aths of a rogram's transition system, M =(S I X L). A ath (s 0 s 1 s 2 :::) is a nite or innite sequence of states, such that for each successive air of states (s i s i+1 ) 2 X. Unlike Clarke et al. [8], we do not require the 8

9 s j= f i L(s f) =True, where f 2 SF s j= :f i s 6j= f s j= f ^ g i s j= f and s j= g s j= f _ g i s j= f or s j= g s 0 j= 9f i for some maximal ath (s 0 s 1 s 2 :::), with length 2, s 1 j= f s 0 j= 8f i for all maximal aths (s 0 s 1 s 2 :::), with length 2, s 1 j= f s 0 j= f 9U g i for some maximal ath (s 0 s 1 s 2 :::), there exists an i, s i j= g, and for all j<i, s j j= f. s 0 j= f 8U g i for all maximal aths (s 0 s 1 s 2 :::), there exists an i, s i j= g, and for all j<i, s j j= f. Table 1: Semantics of our temoral logic. transition relation X to be total. Rather, the semantics is dened using maximal aths [4] (as oosed to innite aths). A maximal ath is one which is either innite, or ends with a state that has no successors. The semantics of the temoral oerators can then be dened on a rogram's transition system M =(S I X L), as shown in Table 1. If all the initial states of a rogram satisfy a temoral roerty, then we say that the rogram itself satises the temoral roerty. Formally, given a temoral formula f and a transition system M =(S I X L), M j= f only if 8s 2 I : s j= f. Based on the temoral logic dened above, we can secify the roerties of the unboundedbuer rogram as follows: (UB1) 82( = c + q 1 + q 2 ) : The total number of items roduced is equal to the number of items consumed, lus the number of items sitting in the two buers. (UB2) 82((c = Idle ^ q 1 + q 2 = i)!8(q 1 + q 2 i)) : If the sender is idle, the number of items in the buers monotonically decreases. (UB3) 82( c) : The number of items consumed never exceeds the number roduced. Note that the variable i in (UB2) is not a rogram variable rather, it is an oen integer variable. This oints out one of the strengths of our aroach { since i can be treated as a symbolic constant within a temoral exression. The interretation is that i is bound by a universal quantier (and our Presburger solver treats it as such). 4 Symbolic Reresentations Presburger formulas { and their corresonding set-theoretic interretations { give usaconvenient, comact way tosymbolically encode large sets of rogram states and transitions. For our uroses, 9

10 the benet of the Presburger encoding is often realized via the arithmetic inequality oerators { which we use to imlicitly describe large, nontrivial ortions of a rogram's state sace. For examle, consider the following formula: ; c q 1 + q 2 ^ c q 1 q 2 0 In geometric terms, the constraints reresent all oints in an unbounded, 4-dimensional olytoe. Yet in terms of our examle, the shae corresonds to all of the rogram's reachable states (minus the rogram-counter). Similar gains are realized for transitions. Recall that events are described in terms of ane constraints. (This revents us from using multilication in a single event, and ensures that singleste image comutations are decidable.) Hence, for a given event e, the transition relation of event e, X e, is reresentable as a Presburger formula. So using jej Presburger formulas, one for each event, we can symbolically encode the transition relation X as X _ X e : e2e The fundamental challenge in the Presburger formula encoding is to kee the sizes of the formulas small during the xoint comutations. Our symbolic maniulator stores Presburger formulas in a disjunctive form where each disjunct corresonds to a convex region in the rogram's state sace. Since each xoint iteration is essentially a re- or ost-condition comutation, the number of convex regions may increase very quickly in the resence of if-then-else branches and loos. Given a Presburger formula in a disjunctive form, our minimization rocedures try to merge the disjuncts (i.e., convex regions) to reduce the size of the Presburger reresentation. Assume that we reresent each xoint iterate using one Presburger formula. After a coule of xoint iterations such a reresentation would generate a Presburger formula with a large number of convex regions. Trying to merge each air of convex regions one by one would be comutationally very exensive. Instead, we use artitioning heuristics. We artition the state sace of the rogram so that the states with similar roerties are laced to the same artition class. Then, we reresent each xoint iterate using one Presburger formula er artition class. This reduces the comlexity of the minimization rocedures by segregating convex regions which are unlikely to be merged. We also use aroximation techniques to limit the growth of xoint iterates. Since the temoral roerties we analyze are undecidable, the xoint iterations are not guaranteed the converge. Using conservative aroximation techniques, we increase the convergence rate of the xoint comutations. Partitioning heuristics can increase the recision of these aroximation techniques. For examle one aroximation technique could be to merge two convex regions aroximately using an uer or a lower bound. Such atechnique is more likely to succeed if the merged regions contain states with similar characteristics. 10

11 Below we describe our artitioning heuristics. First we describe transition relation artitioning which enables us to comute xoint iterations incrementally using one artition class at a time. Then we resent our state-sace artitioning strategies. 4.1 Transition Relation Partitioning The most obvious artitioning of the transition relation, X, comes immediately from the event syntax. That is, we can simly erform all transition comutations using one event at a time, akin to the way a rogram's control-oints are used in data ow analysis. However, when events contain multile disjuncts (e.g., from if-then-else constructs), this method roves insucient for our uroses { since it still generates too many constraints when we carry out automated analysis. In these cases we require a ner-grained technique. DNF Decomosition. Given two rograms C 1 =(V I E 1 )andc 2 =(V I E 2 ), with the same variables and initial states, assume the following equivalence holds: X e X e e2e 1 e2e 2 Then C 1 and C 2 are semantically equivalent, since they satisfy exactly the same set of temoral formulas. However, due to their structural dierences (and to the methods used in model-checking), one rogram may be signicantly more comutationally exensive to analyze than the other. Hence, it often makes sense to transform E 1 into some tye of normal-form E 2 { esecially when the normal-form has, on average, demonstrated more ecient analysis results. Such is the case for disjunctive normal form (DNF), i.e., where X _ X e X e ^ e2e i and where each c e i is a single ane constraint over rimed and unrimed rogram variables in V. I.e., each X e corresonds to a convex olytoe in S S. Clearly, any transition relation X canbesoreresented { it is simly a matter of converting X into DNF, and then considering each disjunct as a searate event. For examle, Figure 3 shows the DNF decomosition of our running rogram from Figure 2, where for the sake of conciseness, we do not dierentiate between an event's \enabled art" and its \action art" (since this is given imlicitly by the rimed and unrimed variables). Note that the transformation simly slit the searate disjuncts from the original events e S and e R, and renamed them as searate events. 4.2 State Sace Partitioning Let P be a artitioning of a rogram's state-sace S, where _ P = fs 1 S 2 ::: S g S S i i 6= j ) S i ^ S j : i=1 11 c e i

12 e IS : c = Idle ^ c 0 = Send e S1 : c = Send ^ 0 = +1 ^ q 0 1 = q 1 +1 e S2 : c = Send ^ 0 = +1 ^ q 0 2 = q 2 +1 e SI : c = Send ^ c 0 = Idle e R1 : q 1 > 0 ^ q 0 = 1 q 1 ; 1 ^ c 0 = c +1 e R2 : q 2 > 0 ^ q 0 2 = q 2 ; 1 ^ c 0 = c +1 Figure 3: DNF Event-Decomosition. Then if Q S is a subset of rogram states, we can decomose Q via our artitioning P of S: _ Q q i where q i Q ^ S i : i=1 This technique will only rove worthwhile where each S i unites states with common characteristics (that is, when key formulas are true either for all the states in S i or none of the states in S i ), and when P distinguishes between large regions of S ossessing dierent characteristics. Below we resent two techniques which can often create such a artitioning, and which are two of the \default otions" in our model-checker. Control-Point Partitioning. into two classes: Given a rogram C =(V I E),assumewe artition the variables V = V 1 [ V 2 s:t: V 1 \ V 2 = : The valuations for V 1 (or V 2 ) induce a natural artitioning of S. Letting V 1 = fv 11 ::: v 1m g, equivalence classes are dened simly as: m^ v 1j = x 1j s:t: x 1j 2 domain(v 1j ): S (x11 ::: x 1m ) j=1 Of course, if V 1 contains many variables, or if their domains are large, we may end u with a huge number of classes hence the artition variables have tobechosen with care. Fortunately, many rograms yield a natural choice for V 1 { the control oints { the number of which are usually far fewer than state valuations. To enable this tye of artitioning, our event language makes a syntactic distinction between control and data variables (while semantically, they are considered the same). When our rerocessor translates event-action language code into events, the control variables are isolated as such, which then allows a default artitioning according to their values. When alied to the rogram in Figure 2, this strategy yields V 1 = fcg and the following two artition classes (shown ictorially in Figure 4): S Idle c = Idle S Send c = Send 12

13 e R e S e R S Idle : c = Idle e IS e SI S Send : c = Send Figure 4: Control-Point Partitioning. e R S (IS R) e R S (IS) e IS e SI e IS e SI e R S (S SI R) e S S (S SI) e S e R Figure 5: Event-Domain Partitioning. and so, our artitioning is P = fs Idle S Send g. Now consider a formula Q >c, reresenting all states in which more items were roduced than consumed. The formula is artitioned as P Q = fq Idle Q Send g, where, Q Idle c = Idle^ >c Q Send c = Send ^ >c with Q Q Idle _ Q Send. Event-Domain Partitioning. The method above can also be generalized to the \imlicit control oints" inherent intherawevents themselves. In essence, an event's natural control oint is just its enabling condition. And, using the enabling conditions as artitioning criterion can yield a much ner-grained decomosition. (This is obviously true when no control variables are isolated in a rogram.) In this artitioning, each class denotes a region of S in which a secic set of events are enabled to re. So, given C =(V I E), we dene its event-domain artitioning P as: P = f S i j8e 2 E : (S i ^ domain(e)) S i _ (S i ^:domain(e)) S i g While this technique yields otentially 2 jej artition classes, note that most of these artition classes will robably be emty. The reason is that most of the events will tyically have mutually exclusive enabling conditions. 13

14 Symbolic Omega Oerations F ^ G : symbolic intersection F _ G : symbolic union :F : symbolic comlement F ;1 : symbolic inverse of relation F F [G] : restrict domain of relation F to constraint G and return the range of the result hull(f ) : convex hull of F Figure 6: Symbolic Omega Functions. This is certainly the case when we aly the technique to our running examle from Figure 2. Event-domain artitioning yields only 4 feasible artition classes (shown ictorially in Figure 5), which is signicantly less than 2 jej =2 4 = 16. These 4 artition classes are as follows (where each artition class is indexed by the events enabled in the class): S (IS R) c = Idle^ (q 1 > 0 _ q 2 > 0) S (S SI) c = Send ^ q 1 =0^q 2 =0 S (S SI R) c = Send ^ (q 1 > 0 _ q 2 > 0) S (IS) c = Idle^ q 1 =0^q 2 =0 Note that if we have had used the DNF event artitioning rst (from Figure 3), we would have roduced a ner artitioning with more classes. 5 Symbolic Model-Checker After generating our symbolic reresentations in terms of Presburger formulas, we use the Omega library [21] to hel symbolically comute the truth sets for the temoral roerties at hand. The Omega library includes a large collection of object classes to eciently maniulate Presburger formulas to date it has mainly been used in high-erformance comilers, secically for deendence analysis, rogram transformations, and detecting redundant synchronization [22, 28, 29]. articular Omega functions we use are shown in Figure 6. These functions take symbolic reresentations of sets or relations as inuts (i.e., a Presburger formula reresenting a set or a relation), and return the symbolic form of a set or a relation as outut. To symbolically comute the temoral oerators, we dene a function re :2 S! 2 S, called the recondition function, which, given a set of states, returns all the states that can reach this set in one ste (i.e. after execution of a single event): re(q) def = f s j9s 0 : s 0 2 Q ^ (s s 0 ) 2 Xg: Using the Omega oerator in Figure 6 we have re(q) X ;1 [Q]. Moreover, we can symbolically comute re with resect to our rogram's artitioning, and maintain a formula for each artition 14 The

15 class, as follows: re(q) re( _ (Q ^ S i )) _ re(q ^ S i ) Si2P Si2P _ Si2P e2e X ;1 e [Q ^ S i ] By erforming this comutation individually for each artition class, we exloit the fact that many formulas inherently involve only small arts of the rogram's state sace. For examle, consider the unbounded buer examle { and secically, the states where roducer is Idle and buers are emty: Using control oint artitioning, we have re(q) _ e2fer es2g Q c = Idle^ q 1 =0^ q 2 =0: X ;1 e [Q ^ S Idle ] c = Idle^ (q 1 =1^ q 2 =0_ q 2 =1^ q 1 =0)_ c = Send ^ q 1 =0^ q 2 =0 Now, given a symbolic reresentation for a set f, we can symbolically comute 9f and 8f using re, as follows: 9f re(f) and 8f :re(:f): As for 9U and 8U, consider the following functionals: F f1 9Uf 2 y : f 2 _ (f 1 ^9y) and F f1 8Uf 2 y : f 2 _ (f 1 ^8y ^9y): The least xoints of F f1 9Uf 2 and F f1 8Uf 2 are equal to f 1 9U f 2 and f 1 8U f 2,resectively. We have the following result from elementary lattice theory: Proerty 1 For all transition systems, for all n 2Z, f 1 9U f 2 f 1 8U f 2 n_ n_ (y : f 2 _ (f 1 ^9y)) i (False) i=0 n_ (y : f 2 _ (f 1 ^8y ^9y)) i (False) Ff i 1 9Uf 2 (False) i=0 Ff i 1 8Uf 2 (False) i=0 i=0 n_ where, given a functional F, F i (f) is dened as: By the monotonicity off f1 9Uf 2 F i (f) def = F(F(:::F( f)) :::): {z } i times and F f1 8Uf 2,weget n_ Ff i 1 9Uf 2 ( ) Ff n 1 9Uf 2 ( ) i=0 and 15 n_ Ff i 1 8Uf 2 ( ) Ff n 1 8Uf 2 ( ): i=0

16 Procedure Check(f) Case f 2 SF : Return(f) f = :f 1 : Return(:f 1 ) f = f 1 ^ f 2 : Return(f 1 ^ f 2 ) f = f 1 _ f 2 : Return(f 1 _ f 2 ) f = 9f 1 : Return(re(f 1 )) f = 8f 1 : Return(:re(:f 1 )) f = f 1 9U f 2 : Q 0 f 2 Q i+1 Q i _ (f 1 ^ re(q i )) Return(Q n ) when Q n Q n+1 f = f 1 8U f 2 : Q 0 f 2 Q i+1 Q i _ (f 1 ^ re(q i ) ^ (:re(:q i ))) Return(Q n ) when Q n Q n+1 Figure 7: Symbolic Model Checker. Then using Proerty 1,itcanbeshown that every element in the sequence False, F f1 9Uf 2 ( ), F 2 f 1 9Uf 2 ( ), F 3 f 1 9Uf 2 ( ) :::, is a subset of the least xoint off f1 9Uf 2 similarly, every element in the sequence False, F f1 8Uf 2 ( ), F 2 f 1 8Uf 2 ( ), F 3 f 1 8Uf 2 ( ) :::, is a subset of the least xoint of F f1 8Uf 2. Since F f1 9Uf 2 and F f1 8Uf 2 are both monotonic, and since we start the sequence with, these sequences are non-decreasing. When these monotonically increasing sequences reach a xoint, we know that it is the least xoint [25]. These methods lead directly to the model checking rocedure shown in Figure 7 (subformulas are comuted recursively). Given a rogram and a temoral logic formula, the model checker will (attemt to) symbolically comute the set of rogram states that satisfy the inut formula { and the rocedure will yield an exact answer if it converges. Note that this rocedure is a artial-function, i.e., it is not guaranteed to terminate. We analyzed the running examle given in Figure 2 using control oint artitioning and the exact model checking rocedure given in Figure 7. Recall that one of the requirements for this rogram was 82( = c + q 1 + q 2 ) which is equivalent to::(true 9U ( 6= c + q 1 + q 2 )) or :93( 6= c+q 1 +q 2 ). (Although our basic temoral oerators are 9U and AU, when ossible we will use their 93 and 83 equivalents for clarity of resentation). To comute the least xoint 93( 6= c+q 1 +q 2 ), the model checker initialized the rst iterate to Q 0 6= c + q 1 + q 2. The xoint comutation trivially converged after one iteration to Q, whereq is artitioned as follows: Q Idle c = Idle^ 6= c + q 1 + q 2 Q Send c = Send ^ 6= c + q 1 + q 2 Our to-level formula is :93( 6= c + q 1 + q 2 ) hence, the model checker comutes :Q. This yields the set of states which can never reach a violation of the assertion = c + q 1 + q 2. Since the initial condition for the rogram is I =0^c =0^q 1 =0^q 2 = 0, it is easy to see that I :Q (i.e., all 16

17 of the initial states satisfy the safety roerty). Hence, the model checker reorts that the roerty is roved (for a total comutation time of 0.88 seconds on a Sun SPARCstation 5). The exact model checker also successfully roved the roerty 82((cs = Idle^ q 1 + q 2 = i)!8(q 1 + q 2 i)) in 0.77 seconds. 6 Aroximation Techniques Since wehave aturing-comutable language, our exact model-checker in Figure 7 may kee iterating forever without reaching a xoint. Thus, we also need a conservative aroximation method, which will always converge. We dene a conservative analyzer as one which always terminates and never yields a surious result, but may not be able to roduce a denite answer in certain cases. Indeed, our exact analyzer diverged when we fed the unbounded-buer rogram, along with its other requirement: 82( c). When the exact analyzer went towork on this roerty, it attemted to symbolically enumerate ways that could be less than c. Since c is unbounded, this method failed to converge. But as we show in the sequel, the same roerty was easily roved using a conservative aroximation. 6.1 Conservative Analysis If we cannot directly comute a roerty f for a rogram C, the next best thing is to generate a lower-bound for f, denoted f ;, such that f ; f. Thenifwe determine that I f ;,wehave also achieved our objective {thati f, (i.e., we roved that C j= f). However, if I 6 f ;,we cannot conclude anything because it can be a false negative. In that case we can comute a lower bound for the negated roerty: (:f) ;. If we can nd a state s such that s 2 I \ (:f) ;, then we can generate a counter examle which would be a true negative. If both cases fail, i.e., both I 6 f ; and I \ (:f) ;, then the analyzer can not reort a denite answer. Since we seek to carry out our analysis in a recursive manner (as in the exact analyzer in Figure 7), we have to comute an aroximation to a formula by rst comuting aroximations for its subformulas. Hence, to comute a lower bound to a roerty like g :h, we rst need to comute an uer aroximation h + for the subformula h, and then let g ; S ; h +. This follows directly from set theory, since (:f) ; :(f + ) and (:f) + :(f ; ). Thus, we need algorithms to comute both lower and uer bounds of temoral formulas. When analyzing a negation-free formula, the comositionality ofanaroximation follows directly from the fact that all oerators other than \:" are monotonic. This means that any lower/uer aroximation for a negation free formula can be comuted using the corresonding lower/uer aroximation for its subformulas. As for handling arbitrary levels of negation, we can easily generalize the above mentioned method for outermost negation oerators. That is, to 17

18 aroximate a temoral formula f, the following rocedure determines which off's subformulas require an uer bound, and which require a lower bound. 1. Mark the root of the arse tree for formula f withaminus sign (\;") if a lower bound is desired, and with a lus sign (\+") if an uer bound is desired. 2. Using a reorder tree traversal, visit each nodeinthetree,markeach node with the mark of its arent, unless its arent isa: oerator. In that case, mark the node with the oosite bound. 6.2 Comuting Uer Bounds with Widening Technique When the algorithms in Figure 7 attemt to comute xoints for 9U and 8U, theymay generate sequences of increasing lower bounds which never converge. From elementary xoint theory, we know that a least xoint exists { but it may simly not be comutable. Hence, our job is to accelerate the comutation, and \lea-frog" over multile members of the chain { erhas at the risk of over-shooting the exact least xoint. As long as the result is larger than the exact xoint, we have an uer aroximation. The way we go about this is as follows. If the exact iteration sequence is Q 0 Q 1 Q 2 :::, then we nd a majorizing sequence ^Q 0 ^Q 1 ^Q 2 :::, such that (1) for each i, Q i ^Q i, and (2) the ^Q i sequence reaches a xoint after nitely many iterates. Thus the xoint ofthe ^Qi 's is an uer aroximation to the least xoint of the Q i 's. To generate the ^Q i 's, we currently adot a method develoed by Cousot and Cousot, within the framework of abstract interretation [12]. That is, we dene an oerator called widening, or \5", which majorizes the union comutation as follows: For any air of sets P P 0, P _ P 0 P 5 P 0. Using a suitable widening oerator, we can comute an uer bound for f 1 9U f 2 as: 8 < Q i if 0 i s ^Q i : ^Q i;1 5 ( ^Q i;1 _ (f 1 ^ re( ^Q i;1 ))) if i>s (f 1 9U f 2 ) + ^Q n when ^Q n ^Q n+1 where Q 0 Q 1 Q 2 :::, is the sequence generated by the rocedure for f 1 9U f 2 in Figure 7, and s is the seed of the widening sequence. From the monotonicity of the re oerator, one can easily show by induction that iterates of this sequence do indeed majorize the Q i 's comuted in Figure 7. And when this sequence terminates, the nal iterate is an uer bound for f 1 9U f 2.For the f 1 8U f 2 we can generate a similar majorizing sequence as: 8 < Q i if 0 i s ^Q i : ^Q i;1 5 ( ^Qi;1 _ (f 1 ^ re( ^Qi;1 ) ^ (:re(: ^Qi;1 )))) if i>s (f 1 8U f 2 ) + ^Q n when ^Q n ^Q n+1 18

19 Q 0 Q 1 Q 2 Q1 b 5Q2 y a Q 0 Q 1 Q 2 a ; 1 a ; 2 Q 1 b 5Q2 a x Figure 8: A simle examle demonstrating how the widening oerator b 5 works. where Q 0 Q 1 Q 2 :::, is the sequence generated by the rocedure for f 1 8U f 2 in Figure 7. Our goal is to nd a widening oerator which (1) yields a suitable (i.e., reasonably tight) uer bound for union, and (2) forces the ^Qi sequences to converge. In dening our widening oerator, we generalized a technique used by Cousot and Halbwachs in [13]. The idea is to \guess" the direction of growth in the model-checker's Q i iterates, and to extend the successive iterates in these directions. Cousot and Halbwachs' widening oerator 5 b does this for convex olyhedra { i.e., regions formed by a conjunction of ane constraints. If both P and P 0 are convex, then P 5P b 0 is dened by the constraints in P which are also satised by P 0.For examle, (x ; 1 y x) 5 b (x ; 2 y x) y x Intuitively, if a constraint ofp is not satised by P 0 this means that the iterates are increasing in that direction. By removing that constraint we extend the iterates in the direction of growth as much as ossible without violating other constraints. Since P 5P b 0 is built by simly removing constraints from P and since we cannot remove innitely many constraints, the niteness roerty is satised. We will demonstrate how widening can be used in the context of our event-action language and with Presburger sets. Consider the following rogram, which consists of only one event: Data Variables: x y: ositive integer Events: e enabled: x>0 action: x 0 = x ; 1 ^ y 0 = y +1 Assume that we wishtocheck the roerty 82(y 6= a), where a is a ositive constant. Our symbolic model checker will convert this roerty to:(true 9U (y = a)), and rst try to comute an exact xoint for True 9U (y = a). Figure 8 shows the regions Q 0 Q 1 Q 2 generated by the rst iterations of the exact algorithm. At this oint, we can see that the sequence will diverge. 19

20 If we use a widening sequence with seed s = 1, then ^Q 0 Q 0 and ^Q 1 Q 1, and then note that Q 2 ^Q1 _ (True ^ re( ^Q1 )). We then obtain ^Q2 by comuting Q 1 b 5Q2 : Q 1 b 5Q2 (a x + y ^ a ; 1 y a) b 5 (a x + y ^ a ; 2 y a) (a x + y ^ y a) The iterations converge, since this formula is also generated for ^Q3. When we negate the result, we get x + y<a_ a<y. In other words, if our initialization of x and y satises this condition, then the invariant will indeed hold. There are several oints that should be claried. First, note that the widening oerator works on the syntax of the formula. Hence, dierent reresentations of the same formula may give dierent results when fed into the widening oerator. In the simle examle discussed above, if we start with s =0,we end u comuting ^Q1 via Q 0 b 5Q1,where Q 0 y = a and Q 1 a x + y ^ a ; 1 y a: Then the result will be Q 0 b 5Q1 True. widening sequences require higher seeds to get started. And indeed, in our exeriments, we found that most By using a higher seed, we gain more exact information about the rogram before taking any aroximations { and hence, loo growth directions can be (roughly) redicted. Another way to revent over aroximations is to avoid using the widening oerator when two olytoes have dierent dimensions. Note that for the examle given above Q 0 is a line (i.e., a one-dimensional olytoe) whereas Q 1 is a lane (i.e., a two-dimensional olytoe). In our imlementation, we start with a low seed(between s = 0 and s = 2). If the aroximation is too coarse, we gradually ratchet u seed's value, and generate a new widening sequence. In this way, successively tighter aroximations can be obtained. We also allow selective bounding of the seed { since, after all, there may be cases where a roerty cannot be roved or disroved. The widening oerator b 5 is sucient ifwealways have convex sets. However, a rogram's state sace is not always convex in fact, most (exact) xoint comutations are comosed of a otentially large number of disjuncts, each dening a convex olytoe. Since the widening oerator b5 folds all arguments into a single convex region, a direct alication of this method failed to work. The reason is that on all of our examles to date, all xoint comutations were comosed of a otentially large number of disjuncts, each dening a convex olytoe. To accommodate this we generalized b 5 to handle multile olyhedra. Assume that we have two Presburger sets Q and R, where Q R. Then Q and R can be reresented as: Q q 1 _ q 2 _ ::: _ q m and R r 1 _ r 2 _ ::: _ r m _ ::: _ r n where all the q i 's and r i 's are convex olytoes. In Figure 9 we resent how our multi-olyhedra widening oerator is comuted with such an inut. The until loo (lines 1 to 9) reduces the number 20

21 Algorithm for Multi-Polyhedra Widening Inut Q W m j=1 qj, R W n ri i=1 s.t. qj ri are all convex olytoes, and Q R Outut P Q 5 R 1 Reeat 2 R 0 False marked[1::n] False deleted 0 3 For 1 i<j n Do 4 If marked[i] marked[j] False ^ hull(r i rj) ri _ r j 5 Then R 0 R 0 _ hull(r i rj) marked[i] marked[j] True deleted deleted +1 6 For 1 i n Do 7 If marked[i] False Then R 0 R 0 _ r i 8 R R 0 n n ; deleted 9 Until deleted 0 10 P False marked[1::n] False 11 For 1 i n ^ 1 j m Do 12 If q j r i Then P P _ q j5ri b marked[i] True 13 For 1 i n Do 14 If marked[i] False Then P P _ r i 15 Return P Figure 9: Multi-Polyhedra Widening. of disjuncts in R by merging adjacent convex olytoes. Two convex olytoes are relaced by their hull if their hull is equal to their union. We continue doing this until no reduction is ossible. Note that the resulting reresentation of R deends on the order of execution of the rst for loo (lines 3 to 5). Traversing the list of olytoes in dierent order may lead to dierent results. After minimizing R, we look for convex olytoes (i.e., disjuncts) in Q and R such that q j r i. When we nd such a air, we use Cousot and Halbwachs' widening oerator to comute q j5ri b. This new convex olytoe is aended to the outut Presburger set P. Finally we coy the disjuncts from R which are not widened to P, and return P as the result. Note that the order of the for loo in lines 11 to 12 can again eect the result. The nal result may include too many disjuncts. To ensure convergence, we also assign an uer bound to the number of disjoint convex regions we wish to reresent. When we reach this bound we force-merge disjoint regions by relacing them with their convex hull { even if that loses recision (which isvalid since we are comuting uer bounds). In the exeriments we conducted so far we never had to resort to this technique. 21

22 6.3 Comuting Lower Bounds Recall that each iteration of an exact xoint comutation will yield a lower a bound for f 1 9U f 2 and f 1 8U f 2. So to obtain a lower aroximation for the uroses of analysis, we need only sto after a nite number of iterations in this manner we are guaranteed to have a conservative aroximation. Of course the question is: when do we sto? Our verier uses the following rules: if it is handling the outermost formula, then after each iteration it checks whether the initial states are included in the current lower bound. If so, it stos, since the roerty isroved if not, it kees going. Obviously, there will be cases where this method fails to converge, and if this haens the tool will not be able to rove or disrove the roerty. However, the user is able to interact with the analyzer, and eriodically monitor its rogress thus, the user can otionally \ull the lug" on waiting for a resonse. If the xoint we are comuting is a subformula of another comutation, the analyzer sets a user secied time limit to sto generating an aroximation { after which it is used in the nexthigher formula. But if the analyzer is unable to rove or disrove the outermost formula, the user may otionally return and imrove the lower bound by continuing the xoint sequence. Aroximate Analysis of the Running Examle. We analyzed the running examle given in Figure 2 and its requirement 82( c). Using the negation-labeling algorithm, the requirement is rendered as (:(93( c) + ) + ) ;. The temoral oerator 93 is marked with \+" which means that we need an uer bound for the set of states violating the requirement. The symbolic model checker comutes the uer bound using the multi-olyhedra widening technique, and it converges after 2 iterations. The result is the set ^Q which is artitioned as ^Q Idle cs = Idle ^ <c+ q 1 + q 2 ^QSend cs = Send ^ <c+ q 1 + q 2 However, since we are actually comuting :93( c), the model checker comutes : ^Q, which gives alower aroximation for the states which satisfy the roerty 82( c). Recall that the set of initial states of the running examle is I =0^c =0^q 1 =0^q 2 = 0, and observe that I :^Q. Hence, the model checker reorts that the roerty is roved (with a CPU time of 1.74 seconds). 7 Reachability Analysis In the revious section we discussed state-based aroximations for general model-checking decision roblems, where we have toverify a general CTL formula over innite state-saces. However, we alsomake use of two secial-urose techniques, which fall into the generic category of reachability-analysis. One variant of this is state-based, and it comutes an uer bound for the rogram's reachable state-sace. The other method is transition-based, it roduces aroximations 22