Proceedings of SUMo and CompoNet 2011

International audienc

Component-wise incremental LTL model checking

Efficient symbolic and explicit-state model checking approaches have been developed for the verification of linear time temporal logic (LTL) properties. Several attempts have been made to combine the advantages of the various algorithms. Model checking LTL properties usually poses two challenges: one must compute the synchronous product of the state space and the automaton model of the desired property, then look for counterexamples that is reduced to finding strongly connected components (SCCs) in the state space of the product. In case of concurrent systems, where the phenomenon of state space explosion often prevents the successful verification, the so-called saturation algorithm has proved its efficiency in state space exploration. This paper proposes a new approach that leverages the saturation algorithm both as an iteration strategy constructing the product directly, as well as in a new fixed-point computation algorithm to find strongly connected components on-the-fly by incrementally processing the components of the model. Complementing the search for SCCs, explicit techniques and component-wise abstractions are used to prove the absence of counterexamples. The resulting on-the-fly, incremental LTL model checking algorithm proved to scale well with the size of models, as the evaluation on models of the Model Checking Contest suggests

Alternative Automata-based Approaches to Probabilistic Model Checking

In this thesis we focus on new methods for probabilistic model checking (PMC) with linear temporal logic (LTL). The standard approach translates an LTL formula into a deterministic ω-automaton with a double-exponential blow up. There are approaches for Markov chain analysis against LTL with exponential runtime, which motivates the search for non-deterministic automata with restricted forms of non-determinism that make them suitable for PMC. For MDPs, the approach via deterministic automata matches the double-exponential lower bound, but a practical application might benefit from approaches via non-deterministic automata. We first investigate good-for-games (GFG) automata. In GFG automata one can resolve the non-determinism for a finite prefix without knowing the infinite suffix and still obtain an accepting run for an accepted word. We explain that GFG automata are well-suited for MDP analysis on a theoretic level, but our experiments show that GFG automata cannot compete with deterministic automata. We have also researched another form of pseudo-determinism, namely unambiguity, where for every accepted word there is exactly one accepting run. We present a polynomial-time approach for PMC of Markov chains against specifications given by an unambiguous Büchi automaton (UBA). Its two key elements are the identification whether the induced probability is positive, and if so, the identification of a state set inducing probability 1. Additionally, we examine the new symbolic Muller acceptance described in the Hanoi Omega Automata Format, which we call Emerson-Lei acceptance. It is a positive Boolean formula over unconditional fairness constraints. We present a construction of small deterministic automata using Emerson-Lei acceptance. Deciding, whether an MDP has a positive maximal probability to satisfy an Emerson-Lei acceptance, is NP-complete. This fact has triggered a DPLL-based algorithm for deciding positiveness

Library abstraction for C/C++ concurrency

When constructing complex concurrent systems, abstraction is vital: programmers should be able to reason about concurrent libraries in terms of abstract specifications that hide the implementation details. Relaxed memory models present substantial challenges in this respect, as libraries need not provide sequentially consistent abstractions: to avoid unnecessary synchronisation, they may allow clients to observe relaxed memory effects, and library specifications must capture these. In this paper, we propose a criterion for sound library abstraction in the new C11 and C++11 concurrency model, generalising the standard sequentially consistent notion of linearizability. We prove that our criterion soundly captures all client-library interactions, both through call and return values, and through the subtle synchronisation effects arising from the memory model. To illustrate our approach, we verify implementations against specifications for the lock-free Treiber stack and a producer-consumer queue. Ours is the first approach to compositional reasoning for concurrent C11/C++11 programs. 1

Synthesis of distributed systems

This thesis offers a comprehensive solution of the distributed synthesis problem. It starts with the problem of solving Parity games, which form an integral part of the automata-theoretic synthesis algorithms we use. We improve the known complexity bound for solving parity games with n positions and c colors approximately from O(n^(1/2*c)) to O(n^(1/3*c)), and introduce an accelerated strategy improvement technique that can consider all combinations of local improvements in every update step, selecting the globally optimal combination. We then demonstrate the decidability and finite model property of alternating-time specification languages, and determine the complexity of the satisfiability and synthesis problem for the alternating-time μ-calculus and the temporal logic ATL*. The impact of the architecture, that is, the set of system processes with known (white-box) and unknown (black-box) implementation, and the com- munication structure between them, is determined. We introduce information forks, a simple but comprehensive criterion that characterizes all architectures for which the synthesis problem is undecidable. The information fork crite- rion takes the impact of nondeterminism, the communication topology, and the specification language into account. For decidable architectures, we present an automata-based synthesis algorithm. We introduce bounded synthesis, which deviates from general synthesis by considering only implementations up to a predefined size, and thus avoids the expensive representation of all solutions. We develop a SAT based approach to bounded synthesis, which is nondeterministic quasilinear in the minimal implementation instead of nonelementary in the system specification. We determine the complexity of open synthesis under the assumption of probabilistic or reactive environments. Our automata based approach allows for a seamless integration of the new environment models into the uniform synthesis algorithm. Finally, we study the synthesis problem for asynchronous systems. We show that distributed synthesis remains only decidable for architectures with a single black-box process, and determine the complexity of the synthesis problem for different scheduler types. Furthermore, we combine the undecidability results and synthesis procedures for synchronous and asynchronous systems; systems that are globally asynchronous and locally synchronous are decidable if all black-box components are contained in a single fork-free synchronized component.Diese Dissertation löst das Syntheseproblem für verteilte Systeme. Sie beginnt mit verbesserten Algorithmen zum Lösen von Parity Spielen, die einen integralen Bestandteil der Automaten basierten Synthese bilden. Die bekannte Komplexitätsschranke für das Lösen von Parity Spielen mit n Knoten und c Farben wird von ca. O(n^(1/2*c)) auf ca. O(n^(1/3*c)) verbessert, und es wird eine beschleunigte Strategie Verbesserungsmethode entwickelt, die, in jedem Schritt, die optimale Kombination aller lokalen Verbesserungen findet. Die Entscheidbarkeit alternierender Logiken wird gezeigt, und die Komplexität des Erfüllbarkeits- und Syntheseproblems für das Alternierende µ-Kalkül (EXPTIME-vollständig) und die Temporallogik ATL* (2EXPTIME-vollständig) bestimmt. Der Einfluss der Systemarchitektur, der Spezifikationssprache und, damit verbunden, des Implementierungsmodells (deterministisch vs. nichtdeterministisch) auf die Entscheidbarkeit und Komplexität des Syntheseproblems wird herausgearbeitet. Es wird gezeigt, dass die Klasse der entscheidbaren Architekturen durch die Abwesenheit von Information Forks, einem einfachen und leicht prüfbaren Kriterium auf der Kommunikationsarchitektur, vollständig beschrieben werden kann. Für entscheidbare Architekturen wird ein einheitliches Automaten basiertes Syntheseverfahren entwickelt. Darüber hinaus wird ein SAT basiertes Verfahren entwickelt, dass die Repräsentation aller Lösungen in einem Automaten umgeht. Die Komplexität des SAT basierten Verfahrens ist nichtdeterministisch quasilinear in der Größe des minimalen Modells, statt nicht-elementar in der Größe der Spezifikation. Für probabilistische und reaktive Umgebungen wird die Komplexität des offenen Syntheseproblems bestimmt, und jeweils ein Automaten basiertes Syntheseverfahren entwickelt, dass sich nahtlos in das Syntheseverfahren für verteilte Systeme integrieren lässt. Ferner wird gezeigt, dass verteilte Synthese für asynchrone Systeme nur dann entscheidbar bleibt, wenn lediglich die Implementierung einer Komponente konstruiert werden soll. Schließlich werden die Entscheidbarkeitsresultate und Synthese Algorithmen für synchrone und asynchrone Modelle zusammengeführt: Global asynchrone lokal synchrone Systeme sind entscheidbar, wenn alle zu synthetisierenden Prozesse in der gleichen synchronisierten Komponente liegen, und diese Komponente keine Information Forks enthält