regular model checking using solver technologies and ... · regular model checking using solver...
Post on 29-May-2020
8 Views
Preview:
TRANSCRIPT
Regular Model Checking Using Solver
Technologies and Automata Learning
Daniel Neider Nils Jansen
RWTH Aachen University, Germany
May 14th, 2013
NASA Formal Methods Symposium
NASA Ames Research Center, Mo�ett Field, CA, USA
Token Ring Example
1
2
3
4
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations:
Transitions:
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations: 1000
, 0100, 0010, 0001, 0000, 1100, . . .
Transitions:
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations: 1000, 0100
, 0010, 0001, 0000, 1100, . . .
Transitions:
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .
Transitions:
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .
Transitions:
[10
][01
][00
][00
]
,
[00
][10
][01
][00
],. . . ,
[01
][00
][00
][10
]
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .
Transitions:
[10
][01
][00
][00
],
[00
][10
][01
][00
]
,. . . ,
[01
][00
][00
][10
]
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
Modeling Programs
Con�gurations: 1000, 0100, 0010, 0001, 0000, 1100, . . .
Transitions:
[10
][01
][00
][00
],
[00
][10
][01
][00
],. . . ,
[01
][00
][00
][10
]
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2 3
4
56
Modeling Programs
Con�gurations: 100000, 010000, 001000, 000000, . . .
Transitions:
[10
][01
][00
][00
][00
][00
], . . . ,
[10
][00
][00
][00
][00
][01
]
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
5
6
7
8
Modeling Programs
Con�gurations: (0 + 1)∗
Transitions:
[00
]∗[10
][01
][00
]∗+
[01
][00
]∗[10
]
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Token Ring Example
1
2
3
4
5
6
7
8
The question we want to address
Initial con�gurations I = 10∗
Transitions T = . . .
Bad con�gurations B = 0∗ + 0∗10∗1(0 + 1)∗
Is there a path from some c ∈ I to some c′ ∈ B along T?
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 1/16
Regular Model Checking
Input
A regular set of initial con�gurations I,
a regular set of bad con�gurations B, and
a transducer T de�ning the transitions.
an NFA T = (Q,Σ× Σ, q0,∆, F )Question
Does ReachT (I) ∩B = ∅ hold?
RemarkThe Regular Model Checking Problem is undecidable.
Thus, all algorithms are necessarily semi-algorithms.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 2/16
Regular Model Checking
Input
A regular set of initial con�gurations I,
a regular set of bad con�gurations B, and
a transducer T de�ning the transitions.
an NFA T = (Q,Σ× Σ, q0,∆, F )
Question
Does ReachT (I) ∩B = ∅ hold?
RemarkThe Regular Model Checking Problem is undecidable.
Thus, all algorithms are necessarily semi-algorithms.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 2/16
Regular Model Checking
Input
A regular set of initial con�gurations I,
a regular set of bad con�gurations B, and
a transducer T de�ning the transitions.
an NFA T = (Q,Σ× Σ, q0,∆, F )
Question
Does ReachT (I) ∩B = ∅ hold?
RemarkThe Regular Model Checking Problem is undecidable.
Thus, all algorithms are necessarily semi-algorithms.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 2/16
Regular Model Checking
Input
A regular set of initial con�gurations I,
a regular set of bad con�gurations B, and
a transducer T de�ning the transitions.
an NFA T = (Q,Σ× Σ, q0,∆, F )
Question
Does ReachT (I) ∩B = ∅ hold?
RemarkThe Regular Model Checking Problem is undecidable.
Thus, all algorithms are necessarily semi-algorithms.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 2/16
Motivation
IB
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 3/16
Motivation
P
IB
ProofA (regular) proof is a (regular) set P with
I ⊆ P ,B ∩ P = ∅, andP is inductive, i.e., u ∈ P and (u, u′) ∈ L(T ) implies u′ ∈ P .
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 3/16
Motivation
P
IB
Tools for Regular Model Checking
Faster and
T(O)RMC
Problem: The performance is poor for large representations of I!
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 3/16
Motivation
P
IB
What we do
We approximate I and B with �nite sets.
We use sampling strategies known from automata learning.
We compute smallest proofs using logic solvers.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 3/16
Outline
1. Automata Learning
2. Regular Model Checking via Automata Learning
3. Experiments
4. Conclusion
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 4/16
Outline
1. Automata Learning
2. Regular Model Checking via Automata Learning
3. Experiments
4. Conclusion
Angluin's Learning Framework
Is ab ∈ L??a, b
Yes!No, counterexample aa!
ab
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Angluin's Learning Framework
Is ab ∈ L?
?
a, bYes!No, counterexample aa!
ab
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Angluin's Learning Framework
Is ab ∈ L??a, b
Yes!
No, counterexample aa!
ab
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Angluin's Learning Framework
Is ab ∈ L?
?
a, b
Yes!No, counterexample aa!
ab
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Angluin's Learning Framework
Is ab ∈ L??a, b
Yes!
No, counterexample aa!
ab
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Our Learning Framework
Is ab ∈ L??a, b
Yes!No, counterexample aa!
ab
�yes��no�
?
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Our Learning Framework
Is ab ∈ L??a, b
Yes!No, counterexample aa!
ab
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 5/16
Outline
1. Automata Learning
2. Regular Model Checking via Automata Learning
3. Experiments
4. Conclusion
CEGAR-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
S A
�no�
Add counterexample to S
�yes�
L(A) isa proof
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 6/16
CEGAR-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
S A
�no�
Add counterexample to S
�yes�
L(A) isa proof
1. Sample S = (S+, S−) where S+, S− ⊆ Σ∗ are �nite.
2. Compute a smallest inductive DFA A consistent with S, i.e.,
S+ ⊆ L(A) and S− ∩ L(A) = ∅.
3. Equivalence query: if A is inductive, it is enough to check
I ⊆ L(A) and B ∩ L(A) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 6/16
CEGAR-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
S A
�no�
Add counterexample to S
�yes�
L(A) isa proof
1. Sample S = (S+, S−) where S+, S− ⊆ Σ∗ are �nite.
2. Compute a smallest inductive DFA A consistent with S, i.e.,
S+ ⊆ L(A) and S− ∩ L(A) = ∅.
3. Equivalence query: if A is inductive, it is enough to check
I ⊆ L(A) and B ∩ L(A) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 6/16
CEGAR-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
S A
�no�
Add counterexample to S
�yes�
L(A) isa proof
1. Sample S = (S+, S−) where S+, S− ⊆ Σ∗ are �nite.
2. Compute a smallest inductive DFA A consistent with S, i.e.,
S+ ⊆ L(A) and S− ∩ L(A) = ∅.
3. Equivalence query: if A is inductive, it is enough to check
I ⊆ L(A) and B ∩ L(A) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 6/16
CEGAR-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
S A
�no�
Add counterexample to S
�yes�
L(A) isa proof
Correctness
The algorithm terminates once L(A) is a proof.
Successive DFAs are di�erent and the size of successive DFAs
increases monotonically.
Computing minimal DFAs guarantees termination if a proof
exists.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 6/16
Angluin-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
Membership query
S A
�no�
Add counterexample
�yes�
L(A) isa proof
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 7/16
Angluin-style Regular Model Checking
Maintain asample S
Compute a smallestinductive DFA Aconsistent with S
Equivalencequery
Membership query
S A
�no�
Add counterexample
�yes�
L(A) isa proof
u �yes� / �no� / �?�
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 7/16
Realizing the Black Box
Given a sample S and a transducer T .
Main IdeaConstruct a formula ϕS,Tn such that
ϕS,Tn is satis�able
⇔there exists a DFA A with n states such that A is consistent with
S and inductive with respect to T .
TheoremBy increasing the value of n, we will �nd a smallest DFA consistent
with S and inductive with respect to T if one exists.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 8/16
Realizing the Black Box
Given a sample S and a transducer T .
Main IdeaConstruct a formula ϕS,Tn such that
ϕS,Tn is satis�able
⇔there exists a DFA A with n states such that A is consistent with
S and inductive with respect to T .
TheoremBy increasing the value of n, we will �nd a smallest DFA consistent
with S and inductive with respect to T if one exists.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 8/16
Encoding DFAs
A =(Q,Σ, q0, δ, F
)If Q, Σ, and q0 are �xed, then every DFA is completely de�ned by δand F .
Use Boolean variables dp,a,q with the meaning:
if dp,a,q ≡ true, then δ(p, a) = q.
Use Boolean variables fq with the meaning:
if fq ≡ true, then q ∈ F .Use constraints
¬dp,a,q ∨ ¬dp,a,q′∨q∈Q
dp,a,q
Let ϕDFAn be the conjunction of these constraints.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 9/16
Encoding DFAs
A =(Q,Σ, q0, δ, F
)If Q, Σ, and q0 are �xed, then every DFA is completely de�ned by δand F .
Use Boolean variables dp,a,q with the meaning:
if dp,a,q ≡ true, then δ(p, a) = q.
Use Boolean variables fq with the meaning:
if fq ≡ true, then q ∈ F .
Use constraints
¬dp,a,q ∨ ¬dp,a,q′∨q∈Q
dp,a,q
Let ϕDFAn be the conjunction of these constraints.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 9/16
Encoding DFAs
A =(Q,Σ, q0, δ, F
)If Q, Σ, and q0 are �xed, then every DFA is completely de�ned by δand F .
Use Boolean variables dp,a,q with the meaning:
if dp,a,q ≡ true, then δ(p, a) = q.
Use Boolean variables fq with the meaning:
if fq ≡ true, then q ∈ F .Use constraints
¬dp,a,q ∨ ¬dp,a,q′∨q∈Q
dp,a,q
Let ϕDFAn be the conjunction of these constraints.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 9/16
Encoding DFAs
Construction of a DFA from a ModelLet M |= ϕDFAn . Then, we construct a DFA
AM = ({q0, . . . , qn−1},Σ, q0, δ, F ) as follows:
δ(p, a) = q for the unique q ∈ Q such that M(dp,a,q) = true.
q ∈ F if and only if M(fq) = true.
Impose restrictions on the behavior of AM by introducing the two
formulas
ϕSn that enforces that AM is consistent with S, andϕTn that enforces that AM is inductive with respect to T .
ϕS,Tn := ϕDFAn ∧ ϕSn ∧ ϕTn is the desired formula.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 10/16
Encoding DFAs
Construction of a DFA from a ModelLet M |= ϕDFAn . Then, we construct a DFA
AM = ({q0, . . . , qn−1},Σ, q0, δ, F ) as follows:
δ(p, a) = q for the unique q ∈ Q such that M(dp,a,q) = true.
q ∈ F if and only if M(fq) = true.
Impose restrictions on the behavior of AM by introducing the two
formulas
ϕSn that enforces that AM is consistent with S, andϕTn that enforces that AM is inductive with respect to T .
ϕS,Tn := ϕDFAn ∧ ϕSn ∧ ϕTn is the desired formula.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 10/16
Encoding DFAs
Construction of a DFA from a ModelLet M |= ϕDFAn . Then, we construct a DFA
AM = ({q0, . . . , qn−1},Σ, q0, δ, F ) as follows:
δ(p, a) = q for the unique q ∈ Q such that M(dp,a,q) = true.
q ∈ F if and only if M(fq) = true.
Impose restrictions on the behavior of AM by introducing the two
formulas
ϕSn that enforces that AM is consistent with S, andϕTn that enforces that AM is inductive with respect to T .
ϕS,Tn := ϕDFAn ∧ ϕSn ∧ ϕTn is the desired formula.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 10/16
Formula ϕSn
Let S = (S+, S−). Establish S+ ⊆ L(AM) and S− ∩ L(AM) = ∅!
Introduce variables xu,q for u ∈ Pref(S+ ∪ S−) with the meaning:
if AM : q0u−→ q, then xu,q ≡ true.
Introduce constraints:
xε,q0
(xu,p ∧ dp,a,q)→ xua,q for ua ∈ Pref(S+ ∪ S−)
xu,q → fq for u ∈ S+
xu,q → ¬fq for u ∈ S−
Let ϕSn be the conjunction of these constraints. Then,
M |= ϕDFAn ∧ ϕSn implies S+ ⊆ L(AM)) and S− ∩ L(AM) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 11/16
Formula ϕSn
Let S = (S+, S−). Establish S+ ⊆ L(AM) and S− ∩ L(AM) = ∅!
Introduce variables xu,q for u ∈ Pref(S+ ∪ S−) with the meaning:
if AM : q0u−→ q, then xu,q ≡ true.
Introduce constraints:
xε,q0
(xu,p ∧ dp,a,q)→ xua,q for ua ∈ Pref(S+ ∪ S−)
xu,q → fq for u ∈ S+
xu,q → ¬fq for u ∈ S−
Let ϕSn be the conjunction of these constraints. Then,
M |= ϕDFAn ∧ ϕSn implies S+ ⊆ L(AM)) and S− ∩ L(AM) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 11/16
Formula ϕSn
Let S = (S+, S−). Establish S+ ⊆ L(AM) and S− ∩ L(AM) = ∅!
Introduce variables xu,q for u ∈ Pref(S+ ∪ S−) with the meaning:
if AM : q0u−→ q, then xu,q ≡ true.
Introduce constraints:
xε,q0
(xu,p ∧ dp,a,q)→ xua,q for ua ∈ Pref(S+ ∪ S−)
xu,q → fq for u ∈ S+
xu,q → ¬fq for u ∈ S−
Let ϕSn be the conjunction of these constraints. Then,
M |= ϕDFAn ∧ ϕSn implies S+ ⊆ L(AM)) and S− ∩ L(AM) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 11/16
Formula ϕSn
Let S = (S+, S−). Establish S+ ⊆ L(AM) and S− ∩ L(AM) = ∅!
Introduce variables xu,q for u ∈ Pref(S+ ∪ S−) with the meaning:
if AM : q0u−→ q, then xu,q ≡ true.
Introduce constraints:
xε,q0
(xu,p ∧ dp,a,q)→ xua,q for ua ∈ Pref(S+ ∪ S−)
xu,q → fq for u ∈ S+
xu,q → ¬fq for u ∈ S−
Let ϕSn be the conjunction of these constraints. Then,
M |= ϕDFAn ∧ ϕSn implies S+ ⊆ L(AM)) and S− ∩ L(AM) = ∅.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 11/16
Formula ϕTn
Let T = (QT ,Σ× Σ, qT0 ,∆T , F T ). Establish
u ∈ L(AM) ∧ (u, u′) ∈ L(T ) ⇒ u′ ∈ L(AM)!
Introduce variables yq,q′,q′′ with with the meaning:
if there are u, u′ ∈ Σ∗ such that
AM : q0u−→ q
T : qT0(u,u′)−−−→ q′
AM : q0u′−→ q′′
,
then yq,q′,q′′ ≡ true.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 12/16
Formula ϕTn
Let T = (QT ,Σ× Σ, qT0 ,∆T , F T ). Establish
u ∈ L(AM) ∧ (u, u′) ∈ L(T ) ⇒ u′ ∈ L(AM)!
Introduce variables yq,q′,q′′ with with the meaning:
if there are u, u′ ∈ Σ∗ such that
AM : q0u−→ q
T : qT0(u,u′)−−−→ q′
AM : q0u′−→ q′′
,
then yq,q′,q′′ ≡ true.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 12/16
Formula ϕTn
Introduce constraints:
yq0,qT0 ,q0(yp,p′,p′′ ∧ dp,a,q ∧ dp′′,b,q′′
)→ zq,q′,q′′ for (p′, (a, b), q′) ∈ ∆T(
yq,q′,q′′ ∧ fq)→ fq′′ for q′ ∈ F T
Let ϕTn be the conjunction of these constraints.
Then, M |= ϕDFAn ∧ ϕTn implies
u ∈ L(AM) ∧ (u, u′) ∈ L(T )⇒ u′ ∈ L(AM).
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 13/16
Outline
1. Automata Learning
2. Regular Model Checking via Automata Learning
3. Experiments
4. Conclusion
Experiments - Integer Linear Systems
Petri Berkeley Synapse Lift Mesi
0.01
0.1
1
10Runtimein
seconds
CEG (SAT) ANG (SAT) T(O)RMC FASTer
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 14/16
Experiments - Token Ring
0 100 200 300 400
0.1
1
10
100
Size of I (# states)
Runtimein
seconds
CEGAR
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 15/16
Experiments - Token Ring
0 100 200 300 400
0.1
1
10
100
Size of I (# states)
Runtimein
seconds
CEGAR ANGLUIN
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 15/16
Experiments - Token Ring
0 100 200 300 400
0.1
1
10
100
Size of I (# states)
Runtimein
seconds
CEGAR ANGLUIN T(O)RMC
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 15/16
Outline
1. Automata Learning
2. Regular Model Checking via Automata Learning
3. Experiments
4. Conclusion
Conclusion and Further Research
Summary
We presented a new technique for Regular Model Checking
based upon automata learning and logic solver.
Large sets of initial and bad con�gurations are approximated.
Experiments show competitiveness to other available tools.
Further Research
Possible directions of future research are
suitable non-regular representations of I and B,
nondeterministic automata as proofs, and
an incremental SAT approach.
An interesting extension would be to also approximate the
transducer.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 16/16
Conclusion and Further Research
Summary
We presented a new technique for Regular Model Checking
based upon automata learning and logic solver.
Large sets of initial and bad con�gurations are approximated.
Experiments show competitiveness to other available tools.
Further Research
Possible directions of future research are
suitable non-regular representations of I and B,
nondeterministic automata as proofs, and
an incremental SAT approach.
An interesting extension would be to also approximate the
transducer.
Daniel Neider RWTH Aachen RMC Using Logic Solvers and Automata Learning 16/16
top related