Enhancing Approximations for Regular Reachability Analysis
Aloïs Dreyfus, Pierre-Cyrille Héam, and Olga Kouchnarenko
FEMTO-ST CNRS 6174, University of Franche-Comté & Inria/CASSIS, France
Abstract.
This paper introduces two mechanisms for computing over-approximations of sets of reachable states, with the aim of ensuring termination of state-space exploration. The first mechanism consists in over-approximating the automata representing reachable sets by merging some of their states with respect to simple syntactic criteria, or a combination of such criteria. The second approximation mechanism consists in manipulating an auxiliary automaton when applying a transducer representing the transition relation to an automaton encoding the initial states. In addition, for the second mechanism we propose a new approach to refine the approximations depending on a property of interest. The proposals are evaluated on examples of mutual exclusion protocols.
1 Introduction

Reachability analysis is a challenging issue in formal software verification. Since the reachability problem is in general undecidable in most formalisms, several ad-hoc approaches have been developed, such as symbolic reachability analysis using finite representations of infinite sets of states.

Regular model checking (RMC for short) – a symbolic approach using regular sets to represent sets of states – tackles undecidability in either of two ways: pointing out classes of regular sets and relations for which the reachability problem is decidable (see for instance [21]), or developing semi-algorithmic and/or approximation-based approaches (see for instance [15,16]) to semi-decide the reachability problem.

In this paper we present new approximation techniques for RMC, with the aim of providing quite efficient (semi-)algorithms. The first technique consists in over-approximating the automata representing reachable sets by merging some of their states with respect to simple syntactic criteria, or a combination of such criteria (Section 2). The second approximation technique consists in using an auxiliary automaton when applying a transducer representing the transition relation to an automaton encoding the initial states (Section 3). Moreover, for the second technique we develop a new approach to refine the approximations, close to the well-known CEGAR technique (Section 4). The proposals are evaluated on examples of mutual exclusion protocols (Section 5). Omitted proofs are available online: http://disc.univ-fcomte.fr/~adreyfus/ciaa13/version_longue.pdf

Related Work. Regular model-checking remains an active research domain in computer science (see [14] and [4] for a thorough overview). In [23] the authors propose to use regular sets of strings to represent states of parametrized arrays of processes, and to represent the effect of performing an action by a predicate transformer (transducer). In this work only transducers representing the effect of a single application of a transition are considered, and consequently the reachability analysis does not terminate for a lot of protocols.

To bypass this problem and still reach a fixpoint, the principal methods are acceleration (providing exact computations) [22,11,15,16,3,8], widening (extrapolating) [11,25,24], and automata abstraction [10]. Recently, new results in RMC have been obtained for specific protocols (i.e., CLP [19], communicating systems [20], tree languages [1,12], or relational string verification using multi-track automata [26]), using domain-specific techniques [7]. Our contributions aim at improving the generic method in [10] by giving means to build over-approximations by merging abstract states of the system (and not of the transducer, which is never modified). Unlike [11,10], our proposals do not require the subset-construction, minimization and determinization of the obtained automaton at each RMC step.
Formal Background. We assume the reader familiar with basic notions of language theory. An automaton A on an alphabet Σ is a tuple (Q, Σ, E, I, F) where Q is the finite set of states, E ⊆ Q × Σ × Q is the set of transitions, I ⊆ Q is the set of initial states and F ⊆ Q is the set of final states. We define the size of A by |A| = |Q| + |E|. An automaton is deterministic [resp. complete] if I is a singleton and for each (q, a) ∈ Q × Σ there is at most [resp. at least] one p ∈ Q such that (q, a, p) ∈ E. A path in A is a (possibly empty) finite sequence of transitions (p_1, a_1, q_1) ... (p_n, a_n, q_n) such that for each i, q_i = p_{i+1}. The integer n is the length of the path and the word a_1 ... a_n is its label. A path is successful if p_1 is initial and q_n is final. A word w is accepted by A if w is the label of a successful path. The set of words accepted by A is denoted L(A). If A is deterministic and complete, for every state q and every word w, there exists a unique state of A, denoted q ·_A w, reachable from q by reading a path labeled by w. If there is no ambiguity on A, it is simply denoted q · w. By convention, q · ε = {q}. A state q is accessible [resp. co-accessible] if there exists a path from an initial state to q [resp. if there exists a path from q to a final state]. An automaton whose states are all both accessible and co-accessible is called trim. If A is not a trim automaton, removing from A all states that are not both accessible and co-accessible together with all related transitions provides an equivalent trim automaton. Let A_1 = (Q_1, Σ, E_1, I_1, F_1) and A_2 = (Q_2, Σ, E_2, I_2, F_2) be two automata over the same alphabet; the product of A_1 and A_2 is the automaton (Q_1 × Q_2, Σ, E, I_1 × I_2, F_1 × F_2), denoted A_1 × A_2, where E = {((p_1, p_2), a, (q_1, q_2)) | (p_1, a, q_1) ∈ E_1 ∧ (p_2, a, q_2) ∈ E_2}. By definition, L(A_1 × A_2) = L(A_1) ∩ L(A_2).

Let Â = (Q̂, Σ, Ê, Î, F̂) be the trim automaton obtained from A. Given an equivalence relation ∼ ⊆ Q × Q, A/∼ denotes the automaton (Q̂/∼, Σ, E′, Î/∼, F̂/∼) where E′ = {(p̃, a, q̃) | ∃p ∈ p̃ and ∃q ∈ q̃ s.t. (p, a, q) ∈ Ê}. One can easily check that L(A) ⊆ L(A/∼). For instance, given the automata of Fig. 1 and the relation ∼_exe whose classes are {(1, ), (2, ), (1, )} and {(2, )}, the automaton T(A)/∼_exe is depicted on Fig. 1. Two automata A_1 = (Q_1, Σ, E_1, I_1, F_1) and A_2 = (Q_2, Σ, E_2, I_2, F_2) are isomorphic if there exists a one-to-one function f : Q_1 → Q_2 satisfying (p, a, q) ∈ E_1 iff (f(p), a, f(q)) ∈ E_2, and f(I_1) = I_2, f(F_1) = F_2 when lifted to sets. Informally, two automata are isomorphic if they are equal up to state names.

Fig. 1. Illustrating examples: (a) A; (b) T; (c) T(A); (d) T(A)/∼_exe.

Let Σ_1 and Σ_2 be two alphabets; a transducer on Σ_1, Σ_2 is an automaton on Σ_1 × Σ_2. Each transducer T on Σ_1, Σ_2 induces a relation R_T on Σ_1^* × Σ_2^* defined by: for the a_i's in Σ_1 and the b_j's in Σ_2, (a_1 ... a_n, b_1 ... b_m) ∈ R_T iff n = m and the word (a_1, b_1) ... (a_n, b_n) is accepted by T. The reflexive transitive closure of R_T is denoted R_T^*. Let A = (Q_1, Σ_1, E_1, I_1, F_1) be an automaton on Σ_1, and T = (Q_2, Σ_1 × Σ_2, E_2, I_2, F_2) a transducer on Σ_1 × Σ_2; we denote by T(A) the automaton (Q_1 × Q_2, Σ_2, E, I_1 × I_2, F_1 × F_2) on Σ_2 where E = {((p_1, p_2), b, (q_1, q_2)) | (p_1, a, q_1) ∈ E_1 ∧ (p_2, (a, b), q_2) ∈ E_2}. An example is depicted on Fig. 1. By definition, L(T(A)) is the set of words v satisfying (u, v) ∈ R_T for some word u ∈ L(A). If T = (Q, Σ_1 × Σ_2, E, I, F) is a transducer, we denote by T^{-1} the transducer (Q, Σ_2 × Σ_1, E′, I, F) with E′ = {(p, (a, b), q) | (p, (b, a), q) ∈ E}. One can check that (u, v) ∈ R_T iff (v, u) ∈ R_{T^{-1}}.

Regular Reachability Problem. The following regular reachability problem – central for RMC – is known to be undecidable in general; its variants have been addressed in most of the papers in Sect. 1.

Input: Two finite automata A and B on a same alphabet Σ, and a transducer T on Σ × Σ.
Output: 1 if R_T^*(L(A)) ∩ L(B) = ∅, and 0 otherwise.

Since the problem is concerned with the reflexive-transitive closure, we may assume without loss of generality that for every u ∈ Σ^*, (u, u) ∈ R_T. In the rest of the paper, all considered relations contain the identity.

Fig. 2. Token ring: (a) A_tr (down) and Left[A_tr1] (up); (b) T_tr; (c) A_tr1 = T_tr(A_tr) after trimming.
2 Quotient-Based Approximations

This section introduces the first mechanism for computing over-approximations of sets of reachable states, which consists in over-approximating the automata representing reachable sets by merging some of their states. For doing this, basic elementary policies as well as their combinations are introduced.

Given an automaton A, we define an approximation as a function mapping each automaton A to an equivalence relation ∼_A over the states of A. The approximation function F is isomorphism-compatible if for every pair of automata A_1 and A_2, and every isomorphism ϕ from A_1 to A_2, p ∼_{A_1} q iff ϕ(p) ∼_{A_2} ϕ(q). We denote by F[A] the automaton Â/F(Â), where Â is the trim automaton obtained from A. We inductively define F^n[A] by F^0[A] = A, and F^n[A] = F[F^{n-1}[A]] for n > 0.

Let us now introduce two isomorphism-compatible approximation functions. They are easily computable, and represent simple criteria naturally used by the specifier, as for example in [10] for computing equivalence relations, or in [5] for monitoring LTL properties.
– Left, mapping each automaton (Q, Σ, E, I, F) to the reflexive-transitive closure of the relation R_left, defined by p R_left q iff L(Q, Σ, E, I, {p}) ∩ L(Q, Σ, E, I, {q}) ≠ ∅.
– Right, mapping each automaton (Q, Σ, E, I, F) to the reflexive-transitive closure of the relation R_right, defined by p R_right q iff L(Q, Σ, E, {p}, F) ∩ L(Q, Σ, E, {q}, F) ≠ ∅.

Let us consider the example of the token ring protocol for which the automata are depicted on Fig. 2. Let A_tr1 be the automaton obtained by trimming T_tr(A_tr). The relation Right[A_tr1] is the identity relation, therefore Right[A_tr1] = A_tr1. However, for the relation Left, the states (1, ) and (2, ) are equivalent since they can be reached from the initial state by reading b. The automaton Left[A_tr1] is depicted on Fig. 2(a) (up).

Proposition 1. For each automaton A, if F is an isomorphism-compatible approximation function, then the sequence (F^n[A])_{n ∈ ℕ} is ultimately constant, up to isomorphism. Let C_F(A) denote the limit of (F^n[A])_{n ∈ ℕ}. Moreover, if for each automaton A and each pair of states p, q of A, one can check in polynomial time whether p ∼_A q, then C_F(A) can be computed in polynomial time as well.

Fig. 3. Computing C_Right(A): (a) A; (b) Right[A]; (c) Right^2[A] = C_Right(A).

Semi-Algorithm FixPoint
Input: A, T, B, F
  If L(C_F(T(A))) ∩ L(B) ≠ ∅ then
    Return Inconclusive
  EndIf
  If L(C_F(T(A))) = L(A) then
    Return Safe
  EndIf
  Return FixPoint(C_F(T(A)), T, B, F)
(a) FixPoint

Semi-Algorithm FixPointT
Input: A, T, B, C
Variable: k
  k := 0
  While (L(T^{k+1}_C(A)) ≠ L(T^k_C(A))) do
    k := k + 1
  EndWhile
  If (L(T^k_C(A)) ∩ L(B) = ∅) then
    Return Safe
  Else
    Return Inconclusive
  EndIf
(b) FixPointT

Fig. 4. Fixpoint algorithms

In the FixPoint algorithm depicted in Fig. 4(a), given a finite automaton A (state of the system), a transducer T (transition relation), a finite automaton B (bad property), and an isomorphism-compatible function F (approximation criterion), the first check (emptiness) can be performed in polynomial time. Then, unfortunately, the equality of the languages cannot be checked in polynomial time, since the involved automata are not deterministic. Nevertheless, recently developed algorithms [17,2,9] allow solving this problem very efficiently. Note also that the equality test can be replaced by another test – e.g., isomorphism or (bi)simulation – implying language equality or inclusion, as L(A) ⊆ L(C_F(T(A))) by construction.
Proposition 2. The FixPoint semi-algorithm is correct: if it returns Safe, then R_T^*(L(A)) ∩ L(B) = ∅.

The approach can be illustrated on the example in Fig. 2 with F = Left: C_Left(T_tr(A_tr)) = Left(A_tr). One can check that C_Left(T_tr(C_Left(T_tr(A_tr)))) and Left(T_tr(A_tr)) are isomorphic. Therefore FixPoint stops after one recursive call and returns Safe.

From now on, given two approximation functions F and G, we denote by F.G the approximation function defined by (F.G)(A) = F(A) ∩ G(A) for every automaton A. In addition, the approximation function F + G is defined by: for every automaton A, (F + G)(A) is the smallest equivalence relation containing both F(A) and G(A). Then using several approximation functions and combining them allows us to obtain new – stronger or weaker – approximations. Section 5 gives experimental results for the Left and Right approximations together with the In and Out approximations, and for their combinations.
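The quotient-based FixPoint loop of Fig. 4(a), worked through with the Right criterion on a constructed token-ring instance, as an added Python example that is not part of the paper. Its automata are assumptions and differ from those of Fig. 2: a word over {a, b} lists the processes, 'a' marks the token holder, the transducer either copies the word or passes the token one position to the right, and the bad property is "two tokens"; the helper names (nfa, synchronize, right_classes, c_approx, fixpoint) are this example's own.

```python
from itertools import product

# Automaton = dict of the paper's components: Q states, S alphabet, E transitions (p, a, q), I initial, F final.
def nfa(Q, S, E, I, F):
    return {"Q": set(Q), "S": set(S), "E": set(E), "I": set(I), "F": set(F)}
def reach(E, start, forward=True):
    """States reachable from `start` along E (forward) or leading into it (backward)."""
    seen = set(start)
    while True:
        new = {q if forward else p for (p, _, q) in E if (p if forward else q) in seen} - seen
        if not new:
            return seen
        seen |= new

def trim(A):
    """Keep only the states that are both accessible and co-accessible."""
    keep = reach(A["E"], A["I"]) & reach(A["E"], A["F"], forward=False)
    return nfa(keep, A["S"], {t for t in A["E"] if t[0] in keep and t[2] in keep},
               A["I"] & keep, A["F"] & keep)

def synchronize(A, B, label):
    """Trimmed product on state pairs; label(a, b) is the joint letter, or None to block."""
    E = {((p, q), c, (p2, q2)) for (p, a, p2) in A["E"] for (q, b, q2) in B["E"]
         for c in [label(a, b)] if c is not None}
    return trim(nfa(product(A["Q"], B["Q"]), A["S"], E,
                    product(A["I"], B["I"]), product(A["F"], B["F"])))
def apply_transducer(T, A):  # T(A): A's letter must match T's input track; keep the output
    return synchronize(A, T, lambda a, io: io[1] if io[0] == a else None)
def intersect_empty(A, B):  # L(A) ∩ L(B) = ∅ iff the trimmed product A x B keeps no final state
    return not synchronize(A, B, lambda a, b: a if a == b else None)["F"]

def right_classes(A):
    """Right: p ~ q iff some word leads both to a final state ((p, q) reaches F x F in A x A), closed."""
    pairs = set(product(A["F"], A["F"]))
    while True:
        new = {(p, q) for (p, a, p2) in A["E"] for (q, b, q2) in A["E"]
               if a == b and (p2, q2) in pairs} - pairs
        if not new:
            break
        pairs |= new
    cls = {p: frozenset([p]) for p in A["Q"]}
    for (p, q) in pairs:                        # union the classes of related states
        if cls[p] != cls[q]:
            cls.update({r: cls[p] | cls[q] for r in cls[p] | cls[q]})
    return cls

def quotient(A, cls):
    """A/~ : every equivalence class becomes one state, so L(A) ⊆ L(A/~)."""
    return nfa({cls[p] for p in A["Q"]}, A["S"], {(cls[p], a, cls[q]) for (p, a, q) in A["E"]},
               {cls[p] for p in A["I"]}, {cls[p] for p in A["F"]})
def c_approx(A, approx):
    """C_F(A): iterate F[.] until no states merge any more (Proposition 1); A must be trim."""
    B = quotient(A, approx(A))
    return B if len(B["Q"]) == len(A["Q"]) else c_approx(B, approx)

def equivalent(A, B):
    """L(A) = L(B)?  Run both subset constructions in lockstep; they must agree on acceptance."""
    start = (frozenset(A["I"]), frozenset(B["I"]))
    seen, todo = {start}, [start]
    while todo:
        X, Y = todo.pop()
        if bool(X & A["F"]) != bool(Y & B["F"]):
            return False
        for a in A["S"] | B["S"]:
            nxt = (frozenset(q for (p, b, q) in A["E"] if p in X and b == a),
                   frozenset(q for (p, b, q) in B["E"] if p in Y and b == a))
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return True
def fixpoint(A, T, B, approx, max_steps=20):
    """FixPoint of Fig. 4(a); the step bound stands in for the paper's unbounded recursion."""
    for n in range(1, max_steps + 1):
        A2 = c_approx(apply_transducer(T, A), approx)
        if not intersect_empty(A2, B):
            return "Inconclusive", n
        if equivalent(A2, A):
            return "Safe", n
        A = A2
    return "Timeout", max_steps

# Constructed token-ring instance (an assumption of this example, not the automata of the
# paper's Fig. 2): a word over {a, b} lists the processes and 'a' marks the token holder.
SIGMA = {"a", "b"}
A_TR = nfa({0, 1}, SIGMA, {(0, "a", 1), (1, "b", 1)}, {0}, {1})              # L = a b*
T_TR = nfa({"t0", "t1", "t2"}, product(SIGMA, SIGMA),
           {("t0", ("a", "a"), "t0"), ("t0", ("b", "b"), "t0"),             # identity copy
            ("t0", ("a", "b"), "t1"), ("t1", ("b", "a"), "t2"),             # token moves right
            ("t2", ("a", "a"), "t2"), ("t2", ("b", "b"), "t2")}, {"t0"}, {"t0", "t2"})
BAD = nfa({0, 1, 2}, SIGMA, {(0, "a", 0), (0, "b", 0), (0, "a", 1), (1, "a", 1),
           (1, "b", 1), (1, "a", 2), (2, "a", 2), (2, "b", 2)}, {0}, {2})    # two tokens
```

On this instance C_Right(T_TR(A_TR)) already recognises b*ab*, the set of all one-token words, and the second call finds the languages equal, so fixpoint(A_TR, T_TR, BAD, right_classes) returns ('Safe', 2).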
3 Transducer-Based Approximations

This section introduces another approximation mechanism consisting in reasoning about the application of k copies of a transducer representing the transition relation to an automaton representing the initial states. The states reached in the transducers are encoded as a finite word, and an additional automaton is used for specifying which combinations of transducer states have to be merged. This technique is inspired by an automata-theoretic construction in [11], with the difference concerning the equivalence relation, and the use of automata at step k (the transducer is never modified).

Let A = (Q, Σ, E, I, F) be a finite automaton, T = (Q_T, Σ × Σ, E_T, I_T, F_T) a transducer, and C = (Q_C, Q_T, E_C, {q_init}, ∅) a deterministic complete finite automaton on Q_T (i.e., the transitions of C are labeled with states of T). Let ϕ_k be a one-to-one mapping from the set (((Q × Q_T) × Q_T) ... × Q_T) of states of T^k(A) to Q × Q_T^k, where Q_T^k is the set of words of length k on Q_T. We set a relation ∼_C on the states of T^k(A) as follows: if p and q are states of T^k(A) such that ϕ_k(p) = (p_1, w_p) and ϕ_k(q) = (q_1, w_q), then p ∼_C q iff p_1 = q_1 and q_init · w_p = q_init · w_q. The automaton T^k(A)/∼_C is denoted T^k_C(A). One can easily check that ∼_C is an equivalence relation.

Let us consider again A_tr and T_tr from Fig. 2. We consider the automaton C depicted in Fig. 5(a). The automaton T^2(A_tr) (after trimming) is depicted in Fig. 5(b). The automata T_tr(A_tr)/∼_C and T^2(A_tr)/∼_C are depicted in Fig. 6. For instance, in T^2(A_tr) the states (1, , ) and (1, , ) are ∼_C-equivalent since they both have 1 as the first element, and q_init · 34 = q_init · 43 = ▽.

Proposition 3. An automaton isomorphic to T^k(A)/∼_C can be computed in polynomial time in k and in the sizes of A, T and C.

Now, given a finite automaton B, we can use the computed automata when applying the FixPointT semi-algorithm described in Fig. 4(b). It may provide an over-approximation of reachable states: if FixPointT stops on a not too coarse approximation we can deduce that R_T^*(L(A)) ∩ L(B) = ∅. The proof of Proposition 4 is similar to that of Proposition 2.

Proposition 4. The FixPointT semi-algorithm is correct: if it returns Safe then R_T^*(L(A)) ∩ L(B) = ∅.

Fig. 5. Token ring: Transducer-based approximation (1): (a) C; (b) T^2(A_tr).

Fig. 6. Token ring: Transducer-based approximation (2): (a) T_tr(A_tr)/∼_C; (b) T^2(A_tr)/∼_C.
4 Refining Transducer-Based Approximations

In this section we propose to refine transducer-based approximations when the approximate iteration is inconclusive. Intuitively, this happens when the sequence of approximations is too coarse: the result intersects with the set of bad states after k steps while the backward iteration of k copies of the transducer from the bad states does not intersect with the initial states. Our algorithm can be seen as a kind of CEGAR algorithm – the paradigm introduced in [13] and intensively studied during the last decade (see for example [10,6]), with the aim of obtaining finer approximations/abstractions by exploiting counter-examples.

Proposition 5. If L(T^k_C(A)) ∩ L(B) ≠ ∅, then either L(A) ∩ L(T^{-k}(B)) ≠ ∅, or there exists j, 1 ≤ j ≤ k, such that L(T^j_C(A)) ∩ L(T^{j-k}(B)) ≠ ∅ and L(T(T^{j-1}_C(A))) ∩ L(T^{j-k}(B)) = ∅.

Assume that L(T^j_C(A)) ∩ L(T^{j-k}(B)) ≠ ∅ and L(T(T^{j-1}_C(A))) ∩ L(T^{j-k}(B)) = ∅. As is classically done in the CEGAR framework, one can compute a relation ≡ on T^j_C(A) such that ≡ ⊆ ∼_C and L(T^j_C(A)/≡) ∩ L(T^{k-j}(B)) = ∅. The existence of ≡ is trivial since the result holds for the identity relation. However, when using the CEGAR approach, our goal is to compute a relation ≡ as large as possible, with the aim of ensuring termination of state-space exploration.

To achieve this goal, several heuristics may be used. Instead of computing the ≡ relation, building the corresponding T^j_C(A)/≡ automaton, and then performing the fixpoint computation, we propose to use a dynamic approach. More precisely, we prefer to modify C according to ≡ to avoid merging similar states, which may lead to a coarser over-approximation. To modify C according to ≡, we propose to use the algorithms in Figs. 8 and 10. The Split algorithm modifies the given deterministic automaton to provide a weaker abstraction. Its idea is quite natural: if two equivalent states must be distinguished, the automaton C is refined to take this constraint into account. For example, Figure 9(a) displays the automaton C′ resulting from Split(C, ○, ∗, , 4), where C is the automaton from Fig. 5(a). The Split algorithm, dissociating two states, can be used as far as necessary to obtain the refined approximation in the Refine algorithm in Fig. 10.

Fig. 7. Refinement: the L_i's represent the languages L(T(T^{i-1}_C(A))).

Algorithm Split
Input: S = (Q_S, Q_T, E_S, {q_0}, ∅) a deterministic automaton, p, q ∈ Q_S and α, β ∈ Q_T such that p ·_S α = q ·_S β
  Q′_S := Q_S ∪ {r} where r ∉ Q_S
  I′_S := {q_0}
  E′_S := E_S \ {(q, β, q ·_S β)}
  E′_S := E′_S ∪ {(q, β, r)} ∪ {(r, a, s) | (p · α, a, s) ∈ E_S and s ∈ Q_S \ {p ·_S α}}
  E′_S := E′_S ∪ {(r, a, r) | (p · α, a, p · α) ∈ E_S}
  Return (Q′_S, Q_T, E′_S, I′_S, ∅)
Fig. 8. Algorithm Split

Proposition 6. The Refine algorithm always terminates.

For example, let us consider the ≡ relation whose classes are {( , ∗, )}, {(2, ∗, )}, {(1, ○, ), (1, ○, )} and {(1, ∗, )}. We apply the Refine algorithm to the automata T_tr (Fig. 2(b)), C (Fig. 5(a)), T_tr(A_tr)/∼_C (Fig. 6(a)). Since (1, ○, ) ∼_C (1, ∗, ), ∼_C ⊄ ≡. Therefore, the algorithm may compute C′ = Split(C, ○, ∗, , 4) as depicted in Fig. 9(a). Then one can check that ∼_{C′} ⊆ ≡. The automaton T_tr(T_tr(A_tr)/∼_C)/∼_{C′} is depicted in Fig. 9(b).

Fig. 9. Examples for the Split and Refine algorithms: (a) C′ = Split(C, ○, ∗, , 4); (b) T_tr(T_tr(A_tr)/∼_C)/∼_{C′}.

Algorithm Refine
Input: T (transducer), C a deterministic automaton, S = (Q_S × Q_C, Q, E, {q_0}, F_S) a finite automaton, a relation ≡ such that ≡ ⊆ ∼_C and L(T_C(A)/≡) ∩ L(T^{-1}(B)) = ∅
  While (∼_C ⊄ ≡) do
    Choose (p, q, α) and (p, q′, α′) states of T(S) such that (p, q, α) ∼_C (p, q′, α′) but (p, q, α) ≢ (p, q′, α′)
    C := Split(C, q, α, q′, α′)
  EndWhile
  Return C
Fig. 10. Algorithm Refine

If L(T^k_C(A)) ∩ L(B) ≠ ∅ and L(A) ∩ L(T^{-k}(B)) = ∅, then we denote by J(A, B, C, T, k) the maximal integer j such that 1 ≤ j ≤ k and L(T^j_C(A)) ∩ L(T^{j-k}(B)) ≠ ∅ and L(T(T^{j-1}_C(A))) ∩ L(T^{j-k}(B)) = ∅. Now, the Reach-CEGAR semi-algorithm in Fig. 11 encodes the whole approach: each time a too strong approximation is detected, it is refined. This semi-algorithm may terminate by returning Safe if it computes an over-approximation of the accessible states that does not contain any bad state. It may also terminate by returning Unsafe if it detects a reachable bad state. It may also diverge if the computed approximations have to be refined again and again.
5 Experiments

Thanks to a prototype tool, the present paper's proposals have been evaluated on the well-known examples of the Bakery algorithm by Lamport, the token ring algorithm, Dijkstra's, and Burns [25] protocols.

For the quotient-based approximations (Sect. 2), the results are displayed in Fig. 13. In addition to Left and Right, two additional simple isomorphism-compatible approximations are examined:
– In, mapping each automaton (Q, Σ, E, I, F) to the reflexive-transitive closure of the relation R_in, defined by p R_in q iff {a_p ∈ Σ | ∃p′ ∈ Q, (p′, a_p, p) ∈ E} = {a_q ∈ Σ | ∃q′ ∈ Q, (q′, a_q, q) ∈ E}; and
– Out, mapping each automaton (Q, Σ, E, I, F) to the reflexive-transitive closure of the relation R_out, defined by p R_out q iff {a_p ∈ Σ | ∃p′ ∈ Q, (p, a_p, p′) ∈ E} = {a_q ∈ Σ | ∃q′ ∈ Q, (q, a_q, q′) ∈ E}.

Semi-Algorithm Reach-CEGAR
Input: A, B finite automata, T (transducer), C a deterministic automaton, an integer ℓ
Variables: integers j, k, and equivalence relation ≡
  k := ℓ
  While (L(T^k_C(A)) ∩ L(B) = ∅ and L(T^{k+1}_C(A)) ≠ L(T^k_C(A))) do
    k := k + 1
  EndWhile
  If (L(T^{k+1}_C(A)) = L(T^k_C(A)) and L(T^k_C(A)) ∩ L(B) = ∅) then
    Return Safe
  EndIf
  If L(A) ∩ L(T^{-k}(B)) ≠ ∅ then
    Return Unsafe
  EndIf
  j := J(A, B, C, T, k)
  Let ≡ be such that ≡ ⊆ ∼_C and L(T^j_C(A)/≡) ∩ L(T^{k-j}(B)) = ∅
  Return Reach-CEGAR(A, T^{-k}(B), T, Refine(T, C, T^j(A), ≡), j)
Fig. 11. Semi-algorithm Reach-CEGAR

In Fig. 13, the first column describes the protocol to verify: its name, the size (i.e., |Q| + |E|) of the initial automaton, and that of the transducer. The remaining columns give the results for each specific criterion: the first line gives the step of the language equality, or No when not reached; the second line indicates the step at which the intersection with the bad-property language becomes non-empty, or ∅ if it remains empty; the third line gives the size of the last obtained automaton. If a step of language equality occurs while the intersection with the bad-property language is still empty (cf. values highlighted in bold), the protocol is safe.

For the refinement method, the above-mentioned protocols have been studied using different kinds of C-automata: either a one-state C, or a specific C. When starting the refinement with a one-state C as in Fig. 12(a), all the states are obviously considered as C-equivalent. On the contrary, a specific C models a property of interest. For example, if two consecutive a are forbidden, and there is a transition (p, (x, a), q) in the transducer of the considered protocol, then the specific C is like in Fig. 12(b). The two token ring protocols are shown to be safe in four steps using the refinement approach with a one-state automaton. Dijkstra's protocol was proved safe without refinement in 15 steps using a specific automaton. The Bakery and Burns protocols are proved safe in respectively 6 and 14 steps, by using the refinement and specific automata. For all these protocols, the obtained automata have sizes similar to the sizes of the input automata: there is no state explosion. To conclude, the experiments show that our techniques work for all the considered cases, and that they are complementary.

Fig. 12. Different kinds of C automata: (a) one-state C; (b) specific C for mutual exclusion protocols.

Fig. 13. Results with syntactic criteria

Criterion:      In | Out | In+Out | In.Out | Left | Right | L+R | L.R | (L+R).(In+Out)

Token ring (size I: 4, size T: 6)
  equality:     Step 3 | Step 3 | Step 3 | Step 4 | Step 3 | Step 2 | Step 2 | Step 3 | Step 3
  intersection: ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅
  size:         8 | 8 | 5 | 12 | 8 | 5 | 5 | 8 | 5

Token ring (size I: 4, size T: 9)
  equality:     Step 3 | Step 3 | Step 3 | Step 4 | T.o (Step 10) | Step 2 | Step 2 | T.o (Step 10) | Step 3
  intersection: ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅
  size:         8 | 8 | 5 | 12 | 109 | 5 | 5 | 109 | 5

Dijkstra (size I: 5, size T: 62)
  equality:     Step 6 | Step 6 | Step 5 | Step 7 | T.o (Step 10) | Step 5 | Step 5 | T.o (115 hours) | Step 5
  intersection: ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | ∅ | T.o (115 hours) | ∅
  size:         49 | 118 | 20 | 246 | 745 | 11 | 10 | T.o (115 hours) | 15

Bakery (size I: 2, size T: 24)
  equality:     Step 7 | No | No | Step 10 | T.o (Step 10) | No | No | T.o (Step 10) | No
  intersection: ∅ | Step 7 | Step 6 | ∅ | ∅ | Step 3 | Step 3 | ∅ | Step 6
  size:         43 | 75 | 89 | 97 | 368 | 31 | 31 | 1253 | 101

Burns (size I: 2, size T: 22)
  equality:     No | Step 6 | No | No | No | No | No | No | No
  intersection: Step 5 | ∅ | Step 3 | Step 7 | Step 4 | Step 3 | Step 3 | Step 4 | Step 3
  size:         100 | 46 | 53 | 365 | 22 | 18 | 18 | 50 | 53

(T.o = time-out, with the step or the elapsed time at which the computation was stopped.)
6 Conclusion

Developing efficient approximation-based techniques is a critical and challenging issue to tackle reachability problems when exact approaches do not work. In this paper two new approximation techniques for the regular reachability problem have been presented. Our techniques use polynomial time algorithms, provided that recent algorithms for checking automata equivalence are used; the only exception being language inclusion testing as in [17,2,9]. As a future direction, we plan to upgrade our refinement approach, both on the precision of the approximations and on computation time. Another possible direction is to generalize our approximation mechanisms and to apply them to other RMC applications, e.g., counter systems or push-down systems.
References
1. P. Abdulla, B. Jonsson, P. Mahata, and J. d'Orso. Regular tree model checking. In CAV, pages 452–466, 2002.
2. P.A. Abdulla, Y.-F. Chen, L. Holík, R. Mayr, and T. Vojnar. When simulation meets antichains. In Esparza and Majumdar [18], pages 158–174.
3. P.A. Abdulla, B. Jonsson, M. Nilsson, and J. d'Orso. Algorithmic improvements in regular model checking. In CAV, pages 236–248. Springer, 2003.
4. C. Baier and J.P. Katoen. Principles of Model Checking, volume 950. MIT Press, 2008.
5. A. Bauer and Y. Falcone. Decentralised LTL monitoring. In D. Giannakopoulou and D. Méry, editors, FM, volume 7436 of LNCS, pages 85–100. Springer, 2012.
6. Y. Boichut, R. Courbis, P.-C. Héam, and O. Kouchnarenko. Finer is better: Abstraction refinement for rewriting approximations. In A. Voronkov, editor, RTA, volume 5117 of LNCS, pages 48–62. Springer, 2008.
7. B. Boigelot. Domain-specific regular acceleration. STTT, 14(2):193–206, 2012.
8. B. Boigelot, A. Legay, and P. Wolper. Iterating transducers in the large. In CAV, pages 223–235, 2003.
9. F. Bonchi and D. Pous. Checking NFA equivalence with bisimulations up to congruence. Technical report, January 2012. 13p.
10. A. Bouajjani, P. Habermehl, and T. Vojnar. Abstract regular model checking. In CAV, pages 378–379, 2004.
11. A. Bouajjani, B. Jonsson, M. Nilsson, and T. Touili. Regular model checking. In CAV, pages 403–418, 2000.
12. A. Bouajjani and T. Touili. Widening techniques for regular tree model checking. STTT, pages 1–21, 2011.
13. E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In E. Allen Emerson and A. Prasad Sistla, editors, CAV, volume 1855 of LNCS, pages 154–169. Springer, 2000.
14. E.M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 2000.
15. D. Dams, Y. Lakhnech, and M. Steffen. Iterating transducers. In CAV, pages 286–297, 2001.
16. D. Dams, Y. Lakhnech, and M. Steffen. Iterating transducers. Journal of Logic and Algebraic Programming, 52:109–127, 2002.
17. L. Doyen and J.-F. Raskin. Antichain algorithms for finite automata. In Esparza and Majumdar [18], pages 2–22.
18. J. Esparza and R. Majumdar, editors. TACAS, volume 6015 of LNCS. Springer, 2010.
19. F. Fioravanti, A. Pettorossi, M. Proietti, and V. Senni. Program specialization for verifying infinite state systems: An experimental evaluation. Logic-Based Program Synthesis and Transformation, pages 164–183, 2011.
20. T. Le Gall and B. Jeannet. Lattice automata: A representation for languages on infinite alphabets, and some applications to verification. In SAS, volume 4634 of Lecture Notes in Computer Science, pages 52–68. Springer, 2007.
21. A. Cano Gómez, G. Guaiana, and J.-E. Pin. When does partial commutative closure preserve regularity? In ICALP (2), volume 5126 of LNCS, pages 209–220. Springer, 2008.
22. B. Jonsson and M. Nilsson. Transitive closures of regular relations for verifying infinite-state systems. TACAS, pages 220–235, 2000.
23. Y. Kesten, O. Maler, M. Marcus, A. Pnueli, and E. Shahar. Symbolic model checking with rich assertional languages. In CAV, pages 424–435, 1997.
24. A. Legay. Extrapolating (omega-)regular model checking. STTT, 14(2):119–143, 2012.
25. T. Touili. Regular model-checking using widening techniques. In VEPAS, volume 50 of ENTCS, pages 342–356, 2001.
26. F. Yu, T. Bultan, and O. Ibarra. Relational string verification using multi-track automata.