Linear Programming for Software Verification Model Checking Group
Linear Programming for Software Verification Model Checking Group Talk
Linear Programming for Software Verification
• Dellacherie et al., LPV Technology, patent #97 15217 [France Telecom, the CNRS, and the University of Caen]
Problem Definition
• Given software S and a property P, determine whether a path of S satisfies P.
– If yes, show the path.
– If not, generate a proof of its non-existence.
Synchronized Automata - I
A small example of synchronized automata
• Each automaton has a single token that can move from state to state using the transitions.
• Transitions carry (possibly multiple) synchronization messages.
• An automaton can go (i.e. move its token) from one state to another if and only if
– there exists a transition between those two states, and
– all the synchronization messages present on that transition can be emitted.
Synchronized Automata - II
• A message can be emitted if and only if all automata that know the message (i.e. that have at least one transition carrying this message) can simultaneously use a transition carrying this message.
• For example, automaton A can go from state Ae1 to state Ae2 if and only if both synchronization messages m1 and m2 can be emitted.
• This is possible if, for example, automata B and C are (i.e. have their token) in states Be1 and Ce1 respectively.
• In this situation, the three automata arrive in states Ae2, Be2 and Ce2 respectively.
Definition: System of Automata
• A system of automata $S$ is composed of $N$ subsystems $S_n$ ($1 \le n \le N$) called automata, and of a set $M = \{ m_k ;\ 1 \le k \le |M| \}$ containing the messages $m_k$ of $S$.
• Every automaton $S_n$ is described by
– 1. the set $E_n = \{ e_i^n ;\ 1 \le i \le |E_n| \}$ of its states;
– 2. the set $A_n = \{ a_j^n ;\ 1 \le j \le |A_n| \}$ of its transitions;
– 3. the set of messages $M_n \subset M$ carried by $A_n$.
Definition: Synchronization Rule
• Let us call configuration a mapping $C$ which associates to every automaton $S_n$ a unique state $e^n \in S_n$ called the activated state of $S_n$, and let us call synchronization a subset $s$ of $M$. We then define the synchronization rule as follows:
• The synchronization $s$ changes the automata system $S$ from configuration $C$ to configuration $C'$ if and only if $\forall S_n \in S$,
– 1. if $s \cap M_n = \emptyset$ then $C'(S_n) = C(S_n)$; i.e. if $s$ does not share a message with $S_n$, then the token on $S_n$ does not move.
– 2. if $s \cap M_n \ne \emptyset$ and $\exists\, a_j^n = (e_{j_1}^n, e_{j_2}^n) \in A_n$ such that $M_j^n = s \cap M_n$ (where $M_j^n$ is the set of messages carried by $a_j^n$), then $e_{j_1}^n = C(S_n)$ and $e_{j_2}^n = C'(S_n)$; i.e. if $s$ does share a message with $S_n$, then the transition of $S_n$ labelled with exactly that subset of $s$ is enabled and fires.
Definition: Synchronized Automata
• A system of synchronized automata is a system of automata endowed with the (previously discussed) synchronization rule.
• Accessibility properties: the kind of requests we will check on a system of synchronized automata corresponds to the classical set of accessibility (or reachability) properties.
Definition: Path Satisfiability
• An accessibility property $P = (C, C')$ on $S$ has a path satisfying $P$ if and only if there exists a path in $N$ steps going from the initial configuration $C_0$ to a configuration $C'_N$ such that $\forall S_n \in S$,
– if $E_n \cap C \ne \emptyset$, then $C_0(S_n) \in C$;
– if $E_n \cap C' \ne \emptyset$, then $C'_N(S_n) \in C'$.
• Here $C$ and $C'$ are sets of states: the property only constrains the automata that have at least one state in them.
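As an added example (not code from the slides or from the LPV project), the following Python encodes the synchronization rule and the path-satisfiability check on a small constructed system modelled on the A/B/C example above; the automaton and state names and the extra private message m3 are assumptions. It enumerates configurations explicitly, which is exactly the state-space blow-up the linear-programming formulation is meant to avoid, but it makes the rule concrete: a message can be emitted only if every automaton that knows it fires a transition labelled with exactly its share of the synchronization.

```python
from collections import deque
from itertools import combinations, product

# Constructed toy system (names assumed), modelled on the slides' example: A moves from
# Ae1 to Ae2 only if m1 and m2 are emitted together; B knows m1 (and a private m3), C knows m2.
# Each transition is (source state, target state, frozenset of messages it carries).
SYSTEM = {
    "A": {"initial": "Ae1", "transitions": [("Ae1", "Ae2", frozenset({"m1", "m2"}))]},
    "B": {"initial": "Be1", "transitions": [("Be1", "Be2", frozenset({"m1"})),
                                             ("Be2", "Be1", frozenset({"m3"}))]},
    "C": {"initial": "Ce1", "transitions": [("Ce1", "Ce2", frozenset({"m2"}))]},
}


def messages_of(aut):
    """M_n: every message carried by at least one transition of the automaton."""
    return frozenset().union(*(lab for _, _, lab in aut["transitions"]))


def initial_config(system):
    """C_0: the activated state of every automaton at the start."""
    return {name: aut["initial"] for name, aut in system.items()}


def apply_sync(system, config, s):
    """Configurations reachable from `config` by emitting exactly the message set `s`.

    Rule 1: an automaton sharing no message with s keeps its token where it is.
    Rule 2: an automaton sharing a message with s must fire a transition from its activated
            state whose label is exactly s & M_n; if it has none, s cannot be emitted at all.
    Returns [] when s cannot be emitted; several successors if transitions are nondeterministic.
    """
    per_automaton = []
    for name, aut in system.items():
        share = s & messages_of(aut)
        if not share:
            per_automaton.append([config[name]])
            continue
        targets = [dst for src, dst, lab in aut["transitions"]
                   if src == config[name] and lab == share]
        if not targets:
            return []
        per_automaton.append(targets)
    names = list(system)
    return [dict(zip(names, choice)) for choice in product(*per_automaton)]


def candidate_syncs(system, config):
    """Synchronizations worth trying: unions of labels of transitions enabled in `config`."""
    enabled = [lab for name, aut in system.items()
               for src, _, lab in aut["transitions"] if src == config[name]]
    syncs = set()
    for r in range(1, len(enabled) + 1):
        for combo in combinations(enabled, r):
            syncs.add(frozenset().union(*combo))
    return syncs


def find_path(system, target):
    """Accessibility property P = (C_0, target): breadth-first search for a configuration that
    agrees with the partial configuration `target`. Returns the synchronizations (one frozenset
    per step) of a shortest path, or None as a proof that no such path exists."""
    key = lambda c: tuple(sorted(c.items()))
    start = initial_config(system)
    parent = {key(start): None}
    queue = deque([start])
    while queue:
        config = queue.popleft()
        if all(config[n] == st for n, st in target.items()):
            path, k = [], key(config)
            while parent[k] is not None:
                k, s = parent[k]
                path.append(s)
            return path[::-1]
        for s in sorted(candidate_syncs(system, config), key=sorted):
            for nxt in apply_sync(system, config, s):
                if key(nxt) not in parent:
                    parent[key(nxt)] = (key(config), s)
                    queue.append(nxt)
    return None


if __name__ == "__main__":
    print(find_path(SYSTEM, {"A": "Ae2"}))
    print(find_path(SYSTEM, {"A": "Ae2", "B": "Be1", "C": "Ce2"}))
    print(find_path(SYSTEM, {"A": "Ae1", "B": "Be2"}))   # None: B only reaches Be2 through m1, which needs A
```

The third query illustrates the "proof of non-existence" half of the problem definition: the search exhausts the reachable configurations without finding one, which is a proof only because the state space of this toy is tiny.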
Flow-Synchronized Automata
• Message-flow: a message-flow is a function $f_m$ which associates to every message $m$ of $S$ a real quantity $f_m(m) \in [0, 1]$.
• Transition-flow: a transition-flow is a function $f_a$ which associates to every transition $a_j^n$ of $S$ a real quantity $f_a(a_j^n) \in [0, 1]$.
• State-flow: a state-flow is a function $f_e$ which associates to every state $e_i^n$ of $S$ a real quantity $f_e(e_i^n) \in [0, 1]$.
Flow-Synchronization Rules - I
• $A_m^n$ is the set of transitions of automaton $S_n$ carrying message $m$:
– $A_m^n = \{ a_j^n \in A_n \mid m \in M_j^n \}$
• $E_{i+}^n$ is the set of transitions of $S_n$ having $e_i^n$ as starting state:
– $E_{i+}^n = \{ a_j^n \in A_n \mid \exists\, e,\ a_j^n = (e_i^n, e) \}$
• $E_{i-}^n$ is the set of transitions of $S_n$ having $e_i^n$ as arriving state:
– $E_{i-}^n = \{ a_j^n \in A_n \mid \exists\, e,\ a_j^n = (e, e_i^n) \}$.
Flow-Synchronization Rules - II
• Conservation of tokens in the state-flow of automata: $\forall S_n,\ \sum_{e_i^n \in S_n} f_C(e_i^n) = 1$
– i.e. the quantity of token on each automaton is equal to 1.
• Relation between transition-flow and message-flow for a valid synchronization: $\forall m \in M,\ \forall S_n,\ A_m^n \ne \emptyset \Rightarrow f_s(m) = \sum_{a_j^n \in A_m^n} f_a(a_j^n)$
– i.e. for every automaton that knows $m$, the quantity of $m$ emitted is equal to the flow going through the transitions carrying $m$.
Flow-Synchronization Rules - III
• 1. $\sum_{a_j^n \in E_{i+}^n} f_a(a_j^n) \le f_C(e_i^n)$
– (i.e. the flow leaving $e_i^n$ is not greater than the quantity of token which is on $e_i^n$),
• 2. $\sum_{a_j^n \in E_{i-}^n} f_a(a_j^n) \le f_{C'}(e_i^n)$
– (i.e. the flow arriving on $e_i^n$ is not greater than the total amount of token which is on $e_i^n$ afterwards),
• 3. $f_C(e_i^n) - \sum_{a_j^n \in E_{i+}^n} f_a(a_j^n) = f_{C'}(e_i^n) - \sum_{a_j^n \in E_{i-}^n} f_a(a_j^n)$
– (i.e. the new quantity of token on $e_i^n$ is the previous quantity plus the flow arriving on $e_i^n$ minus the flow leaving $e_i^n$).
Flow-Synchronized Automata
• A system of flow-synchronized automata is a system of automata endowed with the flow-synchronization rule.
• Furthermore, let $f_C$ and $f_{C'}$ be two flow-configurations of $S$. The change from $f_C$ to $f_{C'}$ by flow-synchronization $f_s$ defines a flow-step $(f_C, f_s, f_{C'})$ for $S$.
• A succession of flow-steps $(f_{C_0}, f_{s_0}, f_{C'_0}), \ldots, (f_{C_{n-1}}, f_{s_{n-1}}, f_{C'_n})$ such that $f_{C'_i} = f_{C_{i+1}}$ defines a flow-path for $S$.
Storied Automata
• Let $S$ be a system of automata. We consider $S$ on $T + 1$ time steps as follows: with each automaton $S_n \in S$ we associate
– to every value $t \in \{0, \ldots, T\}$ and every state $e_i^n$, a state $e_i^n(t)$;
– to every value $t \in \{1, \ldots, T\}$ and every transition $a_j^n = (e_{j_1}^n, e_{j_2}^n)$, a transition $a_j^n(t) = (e_{j_1}^n(t-1), e_{j_2}^n(t))$;
– to every value $t \in \{1, \ldots, T\}$ and every message $m_k \in M_{a_j^n}$, a message $m_k(t) \in M_{a_j^n(t)}$;
– to every value $t \in \{1, \ldots, T\}$ and every state $e_i^n$, a transition $\iota_i^n(t) = (e_i^n(t-1), e_i^n(t))$ (the token staying put).
• The system thus constructed from $S$ is called the storied system of automata $S_T$ of $S$ on $T$ time steps.
System of Equations: $L(S_T, P)$
(Each storied state, transition and message name below stands for its flow variable, a real quantity in $[0, 1]$.)
• Flow equations: $\forall S_n \in S,\ \forall t \in \{1, \ldots, T\},\ \forall e_i^n \in S_n$, we have
– $e_i^n(t-1) = \sum_{j_1 \in E_{i+}^n} a_{j_1}^n(t) + \iota_i^n(t)$
– $e_i^n(t) = \sum_{j_2 \in E_{i-}^n} a_{j_2}^n(t) + \iota_i^n(t)$
• Synchronization equations: $\forall S_n \in S,\ \forall t \in \{1, \ldots, T\},\ \forall m \in M_n$, we have
– $m(t) = \sum_{j_3 \in A_m^n} a_{j_3}^n(t)$
• Property equations: $\forall S_n \in S$, we have $\sum_{e_i^n \in E_n} e_i^n(0) = 1$ and
– if $C \cap E_n \ne \emptyset$ then $\sum_{e_i^n \in C \cap E_n} e_i^n(0) = 1$
– if $C' \cap E_n \ne \emptyset$ then $\sum_{e_i^n \in C' \cap E_n} e_i^n(T) = 1$
Key Result
• Solving $L(S_T, P)$ gives either a flow-path or a proof of the non-existence of any path of length $N$ on a model of $T$ stories.
– If we find a flow-path, it may be spurious.
– If we find a proof of the non-existence of any path, we are done.
Examples Analyzed - I
• Telephone system: the system is made of more than 800 automata and uses more than 2500 different synchronization messages. The state space is more than $10^{40}$ wide.
• The property checked was whether phone#2 can ring while nobody ever called it.
Examples Analyzed - II
• An access control system: on this instance the resulting system is made of 230 automata and uses more than 2800 different synchronization messages. The state space is more than $10^{52}$ wide.
• The property checked was:
– Can card#1, which entered building#1, enter building#2 without first getting out of building#1?
Examples Analyzed - III
• Bus arbiter: systems with up to 1200 cells were analyzed. The state space is then at least $10^{500}$ wide, and the computation took around one hour.
• The property checked was whether a client could access the bus at the same time as client#1.
Deeper Insights
• There is a Ph.D. thesis in German which perhaps contains the details:
– [Del 99 b] S. Dellacherie. Vérification logicielle basée sur la programmation linéaire. Ph.D. thesis, Université de Caen, 1999. To appear.
– [Dev 99] S. Devulder. Un modèle de preuve de logiciels fondé sur la programmation linéaire. Ph.D. thesis, Université de Caen, 1999. To appear.
US Patent, October 15, 2002
• Inventors: Dellacherie, Samuel (Caen, FR); Broult, Christophe (Briouze, FR); Devulder, Samuel (Saint-Contest, FR); Lambert, Jean-Luc (Amfreville, FR).
• Farkas' Lemma: let $A$ be a matrix and $b$ a vector. Then the system $A x = b$ has no solution $x \ge 0$ if and only if the system $A^T y \ge 0$, $b^T y < 0$ has a solution $y$.
– Fang, S.-C. and Puthenpura, S. Linear Optimization and Extensions: Theory and Algorithms. Englewood Cliffs, NJ: Prentice-Hall, p. 60, 1993.
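As an added example (not code from the slides, the theses or the patent), the Python below builds the equations of $L(S_T, P)$ for a constructed three-automaton system with $T = 1$ (at $T = 1$ these are the flow-synchronization rules of the earlier slides written as equalities with idle arcs), checks a concrete flow-path against them, and verifies a Farkas certificate for a property that has no path. The automaton, state and message names, the variable naming scheme and the hand-derived multipliers are assumptions of this example. The point of the certificate is the "proof of non-existence" half of the Key Result: with the system in the equality form $A x = b$, $x \ge 0$ of the lemma above, a valid $y$ can be checked with a few multiplications and no LP solver, so the proof can be audited independently of whatever solver produced it.

```python
from collections import defaultdict

# Constructed toy system (names assumed): B's single token can serve either A (message m1)
# or C (message m2) but not both, so "A in Ae2 and C in Ce2" is unreachable.
SYSTEM = {
    "A": {"initial": "Ae1", "transitions": [("Ae1", "Ae2", frozenset({"m1"}))]},
    "B": {"initial": "Be1", "transitions": [("Be1", "Be2", frozenset({"m1"})),
                                             ("Be1", "Be3", frozenset({"m2"}))]},
    "C": {"initial": "Ce1", "transitions": [("Ce1", "Ce2", frozenset({"m2"}))]},
}


def states_of(aut):
    return sorted({s for src, dst, _ in aut["transitions"] for s in (src, dst)} | {aut["initial"]})


def build_lst(system, final, T):
    """Equations of L(S_T, P) as (name, {variable: coefficient}, rhs), read as 'sum == rhs'.

    Variables are the flows on the storied system: e:<aut>:<state>:<t>, a:<aut>:<src>-><dst>:<t>,
    i:<aut>:<state>:<t> (idle arc from e(t-1) to e(t)) and m:<msg>:<t>, all meant to lie in [0, 1].
    The initial configuration is the automata's initial states; `final` is the partial
    configuration C' demanded at time T. Assumes no two transitions share source and target.
    """
    eqs = []
    for n, aut in system.items():
        for t in range(1, T + 1):
            for s in states_of(aut):
                leaving = {f"a:{n}:{src}->{dst}:{t}": -1.0 for src, dst, _ in aut["transitions"] if src == s}
                arriving = {f"a:{n}:{src}->{dst}:{t}": -1.0 for src, dst, _ in aut["transitions"] if dst == s}
                # e_i(t-1) = flow leaving e_i at step t + idle flow     (first flow equation)
                eqs.append((f"flow_out:{n}:{s}:{t}",
                            {f"e:{n}:{s}:{t - 1}": 1.0, f"i:{n}:{s}:{t}": -1.0, **leaving}, 0.0))
                # e_i(t)   = flow arriving at e_i at step t + idle flow  (second flow equation)
                eqs.append((f"flow_in:{n}:{s}:{t}",
                            {f"e:{n}:{s}:{t}": 1.0, f"i:{n}:{s}:{t}": -1.0, **arriving}, 0.0))
            for m in sorted(frozenset().union(*(lab for *_, lab in aut["transitions"]))):
                # m(t) = flow through the transitions of S_n carrying m  (synchronization equation)
                carrying = {f"a:{n}:{src}->{dst}:{t}": -1.0 for src, dst, lab in aut["transitions"] if m in lab}
                eqs.append((f"sync:{n}:{m}:{t}", {f"m:{m}:{t}": 1.0, **carrying}, 0.0))
        # property equations: one token per automaton at t = 0, sitting on the initial state,
        # and the required state carrying the whole token at time T
        eqs.append((f"tokens:{n}:0", {f"e:{n}:{s}:0": 1.0 for s in states_of(aut)}, 1.0))
        eqs.append((f"init:{n}:{aut['initial']}", {f"e:{n}:{aut['initial']}:0": 1.0}, 1.0))
        if n in final:
            eqs.append((f"final:{n}:{final[n]}", {f"e:{n}:{final[n]}:{T}": 1.0}, 1.0))
    return eqs


def violations(eqs, x, tol=1e-9):
    """Names of the equations an assignment x (absent variables read as 0) does not satisfy."""
    return [name for name, row, rhs in eqs
            if abs(sum(c * x.get(v, 0.0) for v, c in row.items()) - rhs) > tol]


def is_farkas_certificate(eqs, y, tol=1e-9):
    """Farkas' lemma: A x = b, x >= 0 has no solution iff some y has A^T y >= 0 and b^T y < 0.
    y maps equation names to multipliers; equations not mentioned get multiplier 0."""
    aty = defaultdict(float)
    for name, row, _ in eqs:
        for v, c in row.items():
            aty[v] += y.get(name, 0.0) * c
    bty = sum(y.get(name, 0.0) * rhs for name, _, rhs in eqs)
    return all(c >= -tol for c in aty.values()) and bty < -tol


# Feasible property "A reaches Ae2 in one step": the flow-path where m1 fires and C idles.
FEASIBLE = build_lst(SYSTEM, {"A": "Ae2"}, T=1)
PATH_M1 = {v: 1.0 for v in ["e:A:Ae1:0", "e:A:Ae2:1", "a:A:Ae1->Ae2:1", "m:m1:1",
                            "e:B:Be1:0", "e:B:Be2:1", "a:B:Be1->Be2:1",
                            "e:C:Ce1:0", "e:C:Ce1:1", "i:C:Ce1:1"]}

# Property "A in Ae2 and C in Ce2 after one step" has no path. The multipliers below (hand-derived
# for this toy) combine the equations into  i:B:Be1:1 == -1, impossible for a non-negative flow.
INFEASIBLE = build_lst(SYSTEM, {"A": "Ae2", "C": "Ce2"}, T=1)
CERTIFICATE = {
    "flow_out:B:Be1:1": -1.0, "init:B:Be1": 1.0,
    "sync:B:m1:1": 1.0, "sync:A:m1:1": -1.0, "flow_in:A:Ae2:1": 1.0, "final:A:Ae2": -1.0,
    "flow_out:A:Ae2:1": -1.0, "tokens:A:0": 1.0, "init:A:Ae1": -1.0,
    "sync:B:m2:1": 1.0, "sync:C:m2:1": -1.0, "flow_in:C:Ce2:1": 1.0, "final:C:Ce2": -1.0,
    "flow_out:C:Ce2:1": -1.0, "tokens:C:0": 1.0, "init:C:Ce1": -1.0,
}

if __name__ == "__main__":
    print(len(FEASIBLE), "equations; violated by the m1 flow-path:", violations(FEASIBLE, PATH_M1))
    print("same flow-path against the infeasible property:", violations(INFEASIBLE, PATH_M1))
    print("Farkas certificate valid:", is_farkas_certificate(INFEASIBLE, CERTIFICATE))
```

The certificate is only a proof for the equations it was derived against: applied to the feasible property's system, where the final:C:Ce2 equation is absent, the same multipliers leave $b^T y = 0$ and prove nothing, which is the check a reviewer of such a proof should run.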