Japan Institute of Advanced Industrial Science and Technology Research Center for Specification and Verification LATA 2012 On Model Checking for Visibly Pushdown Automata Nguyen Van Tang and Hitoshi Ohsaki March 06, 2012 1
Outline Motivation Model Checking and Inclusion Problem Visibly Pushdown Automata P-Automata Computing Reachable Configurations On-the-fly model checking for VPA On-the-fly: Minimal determinization + P-automata Optimize Reachable Configurations Experiments Conclusions 2
M S Model Checking 1980s: Clarke, Sifakis, Holzmann, Alur, Model Checker Yes/proof No/Counter-example Model Checking L(M) L(S) Advantages: Automated formal verification, effective debugging tool Industrial Success: SMV/NuSMV, SPIN, UPPAAL, 3
Inclusion Problems: L(M) L(S) Model checking regular properties (CTL, LTL): SPIN Pushdown model checking regular properties: MoPed M: FA, S: FA Decidable M: PDA, S: FA Decidable M: PDA, S: PDA Undecidable Pushdown model checking context-free properties: High complexity, no efficient implementation. M: VPA, S: VPA Decidable (2004) Our Focus 4
Input tape Pushdown Automata Pushdown stack Control Locations Pushdown Automaton = Finite Automaton + 1 stack Deter. Union Inter. Comp. Emptiness Inclusion No Yes No No Yes No Emptiness checking Pumping lemma: easy to understand, but inefficient P-automata: finite automata-based representation, efficient Esparza et al. CAV 2000 5
Visibly Pushdown Automata Alur & Madhusudan, STOC 2004 a call q X Y Z a call Σ c e.g., call, <html> q Y Z a int q Y Z a int Σ i a ret q Z a ret Σ r e.g., return, </html> Relationships: FA Parenthesis languages VPA PDA Properties: Have good closure properties and decidability results 6
Model Checking and Inclusion Problems Model checking as inclusion problem L(M) L(S) L(M) L(S) = S : determinization and take complement S M S : product M S : emptiness (equivalent to reachability) checking Decidable Instances M, S : Finite (Büchi) Automata (e.g., SPIN) M : Pushdown Automaton, S : Finite Automaton (e.g., MoPed) M, S : Visibly Pushdown Automata M, S : Pushdown Automata 7 OK
Practically Efficient Algorithms Determinization/complementaion step is heavy Finite automata O(2 n ) Antichain CAV 2006 Büchi automata O(2 n log n ) VPA O(2 n 2) Efficient emptiness checking for PDA P-automata (Esparza et.al. 2000) Our Contribution Practically efficient algorithms for VPA On-the-fly: on-demand determinization/p-automata Optimized: minimal determinization/p-automata 8
Antichain Idea: Universality of Finite Automata In subset construction... u Set Keep minimal one is enough! I w Set Wulf. et al., CAV 2006 If u is accepted, w is accepted 9
Computing Antichains for Finite Automata Antichain (incomparable set) of minimal post-sets C 0 = {{1}} (Initial states) C 1 = {{1}, {2}} (= Min {{1} ε, {1,3} 0, {2} 1 }) C 2 = {{1}, {2}, {5}} C 3 = {{1}, {2}, {5}, {7}} C 4 = {{1}, {2}, {5}, {7}, {6,8}} C 5 = {{1}, {2}, {5}, {7}, {8}} (converged) Wulf. et al., CAV 2006 {7} does not intersect with F Detect not universal! 10
Antichains = On-demand Determinization Nondeterministic finite automaton Reduce search space On-demand determinization Not universal! 11
For VPA: On-the-fly instead of Antichain A: VPA 1) L(A) = *? 2) L(A) L(B)? Standard Method: 1) Deter. + reach. check 2) Deter. + product + reach. check ON-THE-FLY Our contribution Minimal-Determinization P-automaton Generation On-demand generation 12
On-the-fly: Key Ideas Determization + searching for a rejecting configuration: u nn-1 S1 Keep minimal one is enough! I w θ n θn-1 S2 S1 S2, if S1 F S2 F Namely, if u is accepted, w is accepted 13
P-Automata: Underlying Ideas q nn-1 q n n-1 Configuration of PDA: (state, stack content) A run of a finite automaton To represent set of reachable configurations as a finite automaton 14
P-Automata A P-automaton is an FA represent a set of regular configurations C Start with a P-automaton A C that represents C Construct a P-automaton A Post*(C) via extending A C until saturation by: (p,) (p, ) Δ p p add push internal pop = q p, q p new state ε* ε* (p,) (p,) Δ p add q p (p,) (p,ε) Δ ε p 15 add q
Compute Reachable Configurations (1/3) C Reachable from C by P Post*(C) P-automata A C A Post*(C) (p,) (p, ) Δ p push q (p,) (p, ) Δ p p add push 16 q p, q new state
Compute Reachable Configurations (2/3) C Reachable from C by P Post*(C) P-automata A C A Post*(C) p internal (p,) (p,) Δ q (p,) (p,) Δ p p 17 add internal q
Compute Reachable Configurations (3/3) C Reachable from C by P Post*(C) P-automata A C A Post*(C) p pop (p,) (p,ε) Δ = q ε* ε* (p,) (p,ε) Δ p 18 add ε p pop q
Example: Reachable Configurations a/ + s b/ - s s 0 s a/ + s 0 c 1 c 0 s q 0,s s 0 \bot f VPA s s s s, e 1 s q 1,s 1 \bot e 0 f 1 A C A Post*(C) 19
P-Automata: Minimization Strategy Ordering over configurations (q 1, 1 σ) (q 2, 2 σ) q 1 q 2 1 2 q 1 1 p σ f q 2 2 Minimization for P-Automaton σ q 1 1 p f Theorem. M is a NVPA. M i and A i is a optimized DVPA and P-automaton at step i. M is not universal iff i. L(A i ) RejectingConf(M i ). 20
Simulation Antichains Method for VPA Minimal Determinized VPA q 1 a/ c/ b q 2 q 3 q 4 a/ b q 5 q 6 Update P-automaton with minimization q 5 q 2, q 2 q 2 q 6 Minimal P- automaton q 6 q 1 q 1, q 3 q 4 q 1 q 3 ; q 1 q 4 f Update determinized VPA using states + top-of-stack symbols of frontier q 1, a b q 2, q 3, a q 5, Stop + No A rejecting state added c q 4, Minimal Reachable Configurations 21
Implementation and Experiments Standard stuck A Prototype Tool: VPA-Checker Developed in Java 1.5.0/NetBeans 6.0 Determinization, Boolean Operations, P-automata, Universality, and Inclusion Tests Parameter Setting: c = r = i = 2; Γ = 3; f = F / Q Example: a random VPA with 10 states has 200 transitions o reb mu N 20 18 16 14 12 10 8 6 4 2 0 f=0.2 f=0.4 f=0.6 f=0.8 f=1.0 Op-Onthefly outperforms Onthefly Standard Onthefly OntheflyOp rate of final states Universality Checking for random VPAs with 10 states. Timeout 22 = 180s!
Experimental Results: Universality Checking o reb mu N 20 18 16 14 12 10 8 6 4 2 0 Standard stuck ccus f 3 5 10 15 20 25 30 Onthefly-Op outperforms Onthefly Standard Onthefly OntheflyOp number of states wtset. hti ni Universality Checking for random VPAs with f=0.6. Timeout = 180s! 23 1
Experimental Results: Inclusion Checking Inclusion Checking for VPAs: f = 0.6 OP-ON-THE- FLY Included 14 60 Not Included 5 6.06 1000-5 3000-5 ON-THE-FLY 1000-5 3000-5 6 110 13 40.5 Included 6 54 Not Included 5 5.89 Timeout (300 s) 6 6 Timeout (300 s) 14 15 0-10 37.8 Inclusion: L(A) L(B) L(A B) = 24
Conclusions Conclusion On-the-fly universality checking for VPA On-the-fly inclusion checking for VPA Implementation Future Directions: VPA-based model checker VPA-based theoretical foundations for XML VPA-based tool: Validate DTD, XPath constraints 25
Thank you for attention! Q & A 26