Parameterized Verification of Graph Transformation Systems with Whole Neighbourhood Operations

We introduce a new class of graph transformation systems in which rewrite rules can be guarded by universally quantified conditions on the neighbourhood of nodes. These conditions are defined via special graph patterns which may be transformed by the rule as well. For the new class for graph rewrite rules, we provide a symbolic procedure working on minimal representations of upward closed sets of configurations. We prove correctness and effectiveness of the procedure by a categorical presentation of rewrite rules as well as the involved order, and using results for well-structured transition systems. We apply the resulting procedure to the analysis of the Distributed Dining Philosophers protocol on an arbitrary network structure.Comment: Extended version of a submittion accepted at RP'14 Worksho

Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis

The safety of infinite state systems can be checked by a backward reachability procedure. For certain classes of systems, it is possible to prove the termination of the procedure and hence conclude the decidability of the safety problem. Although backward reachability is property-directed, it can unnecessarily explore (large) portions of the state space of a system which are not required to verify the safety property under consideration. To avoid this, invariants can be used to dramatically prune the search space. Indeed, the problem is to guess such appropriate invariants. In this paper, we present a fully declarative and symbolic approach to the mechanization of backward reachability of infinite state systems manipulating arrays by Satisfiability Modulo Theories solving. Theories are used to specify the topology and the data manipulated by the system. We identify sufficient conditions on the theories to ensure the termination of backward reachability and we show the completeness of a method for invariant synthesis (obtained as the dual of backward reachability), again, under suitable hypotheses on the theories. We also present a pragmatic approach to interleave invariant synthesis and backward reachability so that a fix-point for the set of backward reachable states is more easily obtained. Finally, we discuss heuristics that allow us to derive an implementation of the techniques in the model checker MCMT, showing remarkable speed-ups on a significant set of safety problems extracted from a variety of sources.Comment: Accepted for publication in Logical Methods in Computer Scienc

Stochastic Stability Analysis of Discrete Time System Using Lyapunov Measure

In this paper, we study the stability problem of a stochastic, nonlinear, discrete-time system. We introduce a linear transfer operator-based Lyapunov measure as a new tool for stability verification of stochastic systems. Weaker set-theoretic notion of almost everywhere stochastic stability is introduced and verified, using Lyapunov measure-based stochastic stability theorems. Furthermore, connection between Lyapunov functions, a popular tool for stochastic stability verification, and Lyapunov measures is established. Using the duality property between the linear transfer Perron-Frobenius and Koopman operators, we show the Lyapunov measure and Lyapunov function used for the verification of stochastic stability are dual to each other. Set-oriented numerical methods are proposed for the finite dimensional approximation of the Perron-Frobenius operator; hence, Lyapunov measure is proposed. Stability results in finite dimensional approximation space are also presented. Finite dimensional approximation is shown to introduce further weaker notion of stability referred to as coarse stochastic stability. The results in this paper extend our earlier work on the use of Lyapunov measures for almost everywhere stability verification of deterministic dynamical systems ("Lyapunov Measure for Almost Everywhere Stability", {\it IEEE Trans. on Automatic Control}, Vol. 53, No. 1, Feb. 2008).Comment: Proceedings of American Control Conference, Chicago IL, 201

Parameterized verification of publish/subcribe protocols via Infinite-State Model Checking

We apply the Infinite-State Model Checking to formally specify and validate protocol skeletons for distributed systems with asynchronous communication and synchronous access to local data structures. More precisely, we validate the Redis Pub/Sub key-value Server. Redis is based on a publish-subscribe architecture used in Cloud Storage and Internet of Things ecosystems. For the considered protocol, we present a formal specification that combines ideas coming from round-based and shared-memory specification languages. The resulting model is validated via the SMT-based Infinite-state Model Checker Cubicle. In this setting we use unbounded arrays to model (1) arbitrary collections of publishers and subscribers, (2) unbounded shared memory used as a communication media between processes. Our model is validated using the symbolic backward reachability algorithm implemented in the tool. The peculiarity of the algorithm is that, upon termination, the resulting correctness proof is guaranteed to hold for every number of process instances

A Perturbation Scheme for Passivity Verification and Enforcement of Parameterized Macromodels

This paper presents an algorithm for checking and enforcing passivity of behavioral reduced-order macromodels of LTI systems, whose frequency-domain (scattering) responses depend on external parameters. Such models, which are typically extracted from sampled input-output responses obtained from numerical solution of first-principle physical models, usually expressed as Partial Differential Equations, prove extremely useful in design flows, since they allow optimization, what-if or sensitivity analyses, and design centering. Starting from an implicit parameterization of both poles and residues of the model, as resulting from well-known model identification schemes based on the Generalized Sanathanan-Koerner iteration, we construct a parameter-dependent Skew-Hamiltonian/Hamiltonian matrix pencil. The iterative extraction of purely imaginary eigenvalues ot fhe pencil, combined with an adaptive sampling scheme in the parameter space, is able to identify all regions in the frequency-parameter plane where local passivity violations occur. Then, a singular value perturbation scheme is setup to iteratively correct the model coefficients, until all local passivity violations are eliminated. The final result is a corrected model, which is uniformly passive throughout the parameter range. Several numerical examples denomstrate the effectiveness of the proposed approach.Comment: Submitted to the IEEE Transactions on Components, Packaging and Manufacturing Technology on 13-Apr-201

A Semi-Definite Programming Approach to Stability Analysis of Linear Partial Differential Equations

We consider the stability analysis of a large class of linear 1-D PDEs with polynomial data. This class of PDEs contains, as examples, parabolic and hyperbolic PDEs, PDEs with boundary feedback and systems of in-domain/boundary coupled PDEs. Our approach is Lyapunov based which allows us to reduce the stability problem to the verification of integral inequalities on the subspaces of Hilbert spaces. Then, using fundamental theorem of calculus and Green's theorem, we construct a polynomial problem to verify the integral inequalities. Constraining the solution of the polynomial problem to belong to the set of sum-of-squares polynomials subject to affine constraints allows us to use semi-definite programming to algorithmically construct Lyapunov certificates of stability for the systems under consideration. We also provide numerical results of the application of the proposed method on different types of PDEs

Tree Regular Model Checking for Lattice-Based Automata

Tree Regular Model Checking (TRMC) is the name of a family of techniques for analyzing infinite-state systems in which states are represented by terms, and sets of states by Tree Automata (TA). The central problem in TRMC is to decide whether a set of bad states is reachable. The problem of computing a TA representing (an over- approximation of) the set of reachable states is undecidable, but efficient solutions based on completion or iteration of tree transducers exist. Unfortunately, the TRMC framework is unable to efficiently capture both the complex structure of a system and of some of its features. As an example, for JAVA programs, the structure of a term is mainly exploited to capture the structure of a state of the system. On the counter part, integers of the java programs have to be encoded with Peano numbers, which means that any algebraic operation is potentially represented by thousands of applications of rewriting rules. In this paper, we propose Lattice Tree Automata (LTAs), an extended version of tree automata whose leaves are equipped with lattices. LTAs allow us to represent possibly infinite sets of interpreted terms. Such terms are capable to represent complex domains and related operations in an efficient manner. We also extend classical Boolean operations to LTAs. Finally, as a major contribution, we introduce a new completion-based algorithm for computing the possibly infinite set of reachable interpreted terms in a finite amount of time.Comment: Technical repor

Structural Invariants for the Verification of Systems with Parameterized Architectures

We consider parameterized concurrent systems consisting of a finite but unknown number of components, obtained by replicating a given set of finite state automata. Components communicate by executing atomic interactions whose participants update their states simultaneously. We introduce an interaction logic to specify both the type of interactions (e.g.\ rendez-vous, broadcast) and the topology of the system (e.g.\ pipeline, ring). The logic can be easily embedded in monadic second order logic of finitely many successors, and is therefore decidable. Proving safety properties of such a parameterized system, like deadlock freedom or mutual exclusion, requires to infer an inductive invariant that contains all reachable states of all system instances, and no unsafe state. We present a method to automatically synthesize inductive invariants directly from the formula describing the interactions, without costly fixed point iterations. We experimentally prove that this invariant is strong enough to verify safety properties of a large number of systems including textbook examples (dining philosophers, synchronization schemes), classical mutual exclusion algorithms, cache-coherence protocols and self-stabilization algorithms, for an arbitrary number of components.Comment: preprint; to be published in the proceedings of TACAS2