Equivalence-Checking on Infinite-State Systems: Techniques and Results
The paper presents a selection of recently developed and/or used techniques
for equivalence-checking on infinite-state systems, and an up-to-date overview
of existing results (as of September 2004).
Verifying nondeterministic probabilistic channel systems against ω-regular linear-time properties
Lossy channel systems (LCSs) are systems of finite state automata that
communicate via unreliable unbounded fifo channels. In order to circumvent the
undecidability of model checking for nondeterministic
LCSs, probabilistic models have been introduced, where it can be decided
whether a linear-time property holds almost surely. However, such fully
probabilistic systems are not a faithful model of nondeterministic protocols.
We study a hybrid model for LCSs where losses of messages are seen as faults
occurring with some given probability, and where the internal behavior of the
system remains nondeterministic. Thus the semantics is in terms of
infinite-state Markov decision processes. The purpose of this article is to
discuss the decidability of linear-time properties formalized by formulas of
linear temporal logic (LTL). Our focus is on the qualitative setting where one
asks, e.g., whether an LTL formula holds almost surely or with zero probability
(in case the formula describes the bad behaviors). Surprisingly, it turns out
that -- in contrast to finite-state Markov decision processes -- the
satisfaction relation for LTL formulas depends on the chosen type of schedulers
that resolve the nondeterminism. While all variants of the qualitative LTL
model checking problem for the full class of history-dependent schedulers are
undecidable, the same questions for finite-memory schedulers can be solved
algorithmically. However, the restriction to reachability properties and
special kinds of recurrent reachability properties yields decidable
verification problems for the full class of schedulers, which -- for this
restricted class of properties -- are as powerful as finite-memory schedulers,
or even a subclass of them.
Automated verification of automata communicating via FIFO and bag buffers
This article presents new results for the automated verification of automata communicating asynchronously via FIFO or bag buffers. The analysis of such systems is possible by comparing bounded asynchronous compositions using equivalence checking. When the composition exhibits the same behavior for a specific buffer bound, the behavior remains the same for larger bounds. This enables one to check temporal properties on the system for that bound, and ensures that the system will preserve them whatever larger bounds are used for buffers. In this article, we present several decidability results and a semi-algorithm for this problem, considering FIFO and bag buffers, respectively, as the communication model. We also study various equivalence notions used for comparing the bounded asynchronous systems.
Verification for Timed Automata extended with Unbounded Discrete Data Structures
We study decidability of verification problems for timed automata extended
with unbounded discrete data structures. More precisely, we extend timed
automata with a pushdown stack. In this way, we obtain a strong model that may
for instance be used to model real-time programs with procedure calls. It has
long been known that the reachability problem for this model is decidable. The goal
of this paper is to identify subclasses of timed pushdown automata for which
the language inclusion problem and related problems are decidable.
Towards weak bisimilarity on a class of parallel processes
A directed labelled graph may be used, at a certain abstraction, to represent a system's behaviour. Its nodes are the possible states the system can be in; its arrows are labelled by the actions required to move from one state to another. Processes are, for our purposes, synonymous with these labelled transition systems. With this view a well-studied notion of behavioural equivalence is bisimilarity, where processes are bisimilar when whatever one can do, the other can match, while maintaining bisimilarity. Weak bisimilarity accommodates a notion of silent or internal action. A natural class of labelled transition systems is given by considering the derivations of commutative context-free grammars in Greibach Normal Form: the Basic Parallel Processes (BPP), introduced by Christensen in his PhD thesis. They represent a simple model of communication-free parallel computation, and for them bisimilarity is PSPACE-complete. Weak bisimilarity is believed to be decidable, but only partial results exist. Non-bisimilarity is trivially semidecidable on BPP (each process has finitely many next states, so the state space can be explored until a mismatch is found); the research effort in proving it fully decidable centred on semideciding the positive case. Conversely, weak bisimilarity has been known to be semidecidable for a decade, but no method for semideciding inequivalence has yet been found: the presence of silent actions allows a process to have infinitely many possible successor states, so simple exploration is no longer possible. Weak bisimilarity is defined coinductively, but may be approached, and even reached, by its inductively defined approximants. Game-theoretically, these change the Defender's winning condition from survival for infinitely many turns to survival for κ turns, for an ordinal κ, creating a hierarchy of relations successively closer to full weak bisimilarity.
It can be seen that on any set of processes this approximant hierarchy collapses: there will always exist some κ such that the κth approximant coincides with weak bisimilarity. One avenue towards the semidecidability of non-weak bisimilarity is the decidability of its approximants. It is a long-standing conjecture that on BPP the weak approximant hierarchy collapses at ω × 2. If true, in order to semidecide inequivalence it would suffice to be able to decide the ω + n approximants. Again, there exist only limited results: the finite approximants are known to be decidable, but no progress has been made on the ωth approximant, and thus far the best proven lower bound of collapse is ω₁^CK (the least non-recursive ordinal number). We significantly improve this bound to ω^k × 2 (for a k-variable BPP); a key part of the proof is a novel constructive version of Dickson's Lemma. The distances-to-disablings or DD functions were invented by Jancar in order to prove the PSPACE-completeness of bisimilarity on BPP. At the end of his paper is a conjecture that weak bisimilarity might be amenable to the theory; a suggestion we have taken up. We generalise and extend the DD functions, widening the subset of BPP on which weak bisimilarity is known to be computable, and creating a new means for testing inequivalence. The thesis ends with two conjectures. The first, that our extended DD functions in fact capture weak bisimilarity on full BPP (a corollary of which would be to take the lower bound of approximant collapse to and second, that they are computable, which would enable us to semidecide inequivalence, and hence give us the decidability of weak bisimilarity.
Self-Similarity Breeds Resilience
Self-similarity is the property of a system being similar to a part of itself. We posit that a special class of behaviourally self-similar systems exhibits a degree of resilience to adversarial behaviour. We formalise the notions of system, adversary and resilience in operational terms, based on transition systems and observations. While the general problem of proving systems to be behaviourally self-similar is undecidable, we show, by casting them in the framework of well-structured transition systems, that there is an interesting class of systems for which the problem is decidable. We illustrate our prescriptive framework for resilience with some small examples, e.g., systems robust to failures in a fail-stop model, and those avoiding side-channel attacks.
Extrapolation-based Path Invariants for Abstraction Refinement of Fifo Systems
Research Report RR-1459-09, LaBRI
The technique of counterexample-guided abstraction refinement (Cegar) has been successfully applied in the areas of software and hardware verification. Automatic abstraction refinement is also desirable for the safety verification of complex infinite-state models. This paper investigates Cegar in the context of formal models of network protocols, in our case the verification of fifo systems. Our main contribution is the introduction of extrapolation-based path invariants for abstraction refinement. We develop a range of algorithms that are based on this novel theoretical notion, and which are parametrized by different extrapolation operators. These are utilized as subroutines in the refinement step of our Cegar semi-algorithm, which is based on recognizable partition abstractions. We give sufficient conditions for the termination of Cegar by constraining the extrapolation operator. Our empirical evaluation confirms the benefit of extrapolation-based path invariants.
Compatibility Checking for Asynchronously Communicating Software
Compatibility is a crucial problem that is encountered while constructing new software by reusing and composing existing components. A set of software components is called compatible if their composition preserves certain properties, such as deadlock freedom. However, checking compatibility for systems communicating asynchronously is an undecidable problem, and asynchronous communication is a common interaction mechanism used in building software systems. A typical approach in analyzing such systems is to bound the state space. In this paper, we take a different approach and do not impose any bounds on the number of participants or the sizes of the message buffers. Instead, we present a sufficient condition for checking compatibility of a set of asynchronously communicating components. Our approach relies on the synchronizability property, which identifies systems for which interaction behavior remains the same when asynchronous communication is replaced with synchronous communication. Using the synchronizability property, we can check the compatibility of systems with unbounded message buffers by analyzing only a finite part of their behavior. We have implemented a prototype tool to automate our approach and have applied it to many examples.