    Reduction of Nondeterministic Tree Automata

    We present an efficient algorithm to reduce the size of nondeterministic tree automata while retaining their language. It is based on new transition pruning techniques and on quotienting of the state space w.r.t. suitable equivalences. It uses criteria based on combinations of downward and upward simulation preorder on trees, and the more general downward and upward language inclusions. Since tree-language inclusion is EXPTIME-complete, we describe methods to compute good approximations in polynomial time. We implemented our algorithm as a module of the well-known libvata tree automata library, and tested its performance on a given collection of tree automata from various applications of libvata in regular model checking and shape analysis, as well as on various classes of randomly generated tree automata. Our algorithm yields substantially smaller and sparser automata than all previously known reduction techniques, and it is still fast enough to handle large instances. Comment: Extended version (including proofs) of material presented at TACAS 201

    Performance evaluation of an emergency call center: tropical polynomial systems applied to timed Petri nets

    We analyze a timed Petri net model of an emergency call center which processes calls with different levels of priority. The counter variables of the Petri net represent the cumulated number of events as a function of time. We show that these variables are determined by a piecewise linear dynamical system. We also prove that computing the stationary regimes of the associated fluid dynamics reduces to solving a polynomial system over a tropical (min-plus) semifield of germs. This leads to explicit formulae expressing the throughput of the fluid system as a piecewise linear function of the resources, revealing the existence of different congestion phases. Numerical experiments show that the analysis of the fluid dynamics yields a good approximation of the real throughput. Comment: 21 pages, 4 figures. A shorter version can be found in the proceedings of the conference FORMATS 201

    Regular symmetry patterns

    Symmetry reduction is a well-known approach for alleviating the state explosion problem in model checking. Automatically identifying symmetries in concurrent systems, however, is computationally expensive. We propose a symbolic framework for capturing symmetry patterns in parameterised systems (i.e. an infinite family of finite-state systems): two regular word transducers to represent, respectively, parameterised systems and symmetry patterns. The framework subsumes various types of "symmetry relations" ranging from weaker notions (e.g. simulation preorders) to the strongest notion (i.e. isomorphisms). Our framework enjoys two algorithmic properties: (1) symmetry verification: given a transducer, we can automatically check whether it is a symmetry pattern of a given system, and (2) symmetry synthesis: we can automatically generate a symmetry pattern for a given system in the form of a transducer. Furthermore, our symbolic language allows additional constraints that the symmetry patterns need to satisfy to be easily incorporated in the verification/synthesis. We show how these properties can help identify symmetry patterns in examples like dining philosopher protocols, self-stabilising protocols, and prioritised resource-allocator protocols. In some cases (e.g. Gries's coffee can problem), our technique automatically synthesises a safety-preserving finite approximant, which can then be verified for safety solely using a finite-state model checker.

    Parameterized Model-Checking for Timed-Systems with Conjunctive Guards (Extended Version)

    In this work we extend Emerson and Kahlon's cutoff theorems for process skeletons with conjunctive guards to Parameterized Networks of Timed Automata, i.e. systems obtained by an a priori unknown number of Timed Automata instantiated from a finite set $U_1, \dots, U_n$ of Timed Automata templates. In this way we aim at giving a tool to universally verify software systems where an unknown number of software components (i.e. processes) interact under continuous-time temporal constraints. It is often the case, indeed, that distributed algorithms show a heterogeneous nature, combining dynamic aspects with real-time aspects. In the paper we will also show how to model check a protocol that uses special variables storing identifiers of the participating processes (i.e. PIDs) in Timed Automata with conjunctive guards. This is non-trivial, since solutions to the parameterized verification problem often rely on the processes being symmetric, i.e. indistinguishable. On the other side, many popular distributed algorithms make use of PIDs and thus cannot directly apply those solutions.

    Locality and Singularity for Store-Atomic Memory Models

    Robustness is a correctness notion for concurrent programs running under relaxed consistency models. The task is to check that the relaxed behavior coincides (up to traces) with sequential consistency (SC). Although computationally simple on paper (robustness has been shown to be PSPACE-complete for TSO, PGAS, and Power), building a practical robustness checker remains a challenge. The problem is that the various relaxations lead to a dramatic number of computations, only a few of which violate robustness. In the present paper, we set out to reduce the search space for robustness checkers. We focus on store-atomic consistency models and establish two completeness results. The first result, called locality, states that a non-robust program always contains a violating computation where only one thread delays commands. The second result, called singularity, is even stronger but restricted to programs without lightweight fences. It states that there is a violating computation where a single store is delayed. As an application of the results, we derive a linear-size source-to-source translation of robustness to SC-reachability. It applies to general programs, regardless of the data domain and potentially with an unbounded number of threads and with unbounded buffers. We have implemented the translation and verified, for the first time, PGAS algorithms in a fully automated fashion. For TSO, our analysis outperforms existing tools.

    On Automated Lemma Generation for Separation Logic with Inductive Definitions

    Separation Logic with inductive definitions is a well-known approach for deductive verification of programs that manipulate dynamic data structures. Deciding verification conditions in this context is usually based on user-provided lemmas relating the inductive definitions. We propose a novel approach for generating these lemmas automatically which is based on simple syntactic criteria and deterministic strategies for applying them. Our approach focuses on iterative programs, although it can be applied to recursive programs as well, and on specifications that describe not only the shape of the data structures, but also their content or their size. Empirically, we find that our approach is powerful enough to deal with sophisticated benchmarks, e.g., iterative procedures for searching, inserting, or deleting elements in sorted lists, binary search trees, red-black trees, and AVL trees, in a very efficient way.

    Graph-Based Shape Analysis Beyond Context-Freeness

    We develop a shape analysis for reasoning about relational properties of data structures. Both the concrete and the abstract domain are represented by hypergraphs. The analysis is parameterized by user-supplied indexed graph grammars to guide concretization and abstraction. This novel extension of context-free graph grammars is powerful enough to model complex data structures such as balanced binary trees with parent pointers, while preserving most desirable properties of context-free graph grammars. One strength of our analysis is that no artifacts apart from grammars are required from the user; it thus offers a high degree of automation. We implemented our analysis and successfully applied it to various programs manipulating AVL trees, (doubly-linked) lists, and combinations of both.

    Interprocedural Reachability for Flat Integer Programs

    We study programs with integer data, procedure calls and arbitrary call graphs. We show that, whenever the guards and updates are given by octagonal relations, the reachability problem along control flow paths within some language w1* ... wd* over program statements is decidable in NEXPTIME. To achieve this upper bound, we combine a program transformation into the same class of programs but without procedures with an NP-completeness result for the reachability problem of procedure-less programs. Besides the program, the expression w1* ... wd* is also mapped onto an expression of a similar form, but this time over the transformed program statements. Several arguments involving context-free grammars and their generative process enable us to give tight bounds on the size of the resulting expression. The currently existing gap between NP-hard and NEXPTIME can be closed to NP-complete when a certain parameter of the analysis is assumed to be constant. Comment: 38 pages, 1 figur

    Efficacy of RTS,S malaria vaccines: individual-participant pooled analysis of phase 2 data.

    BACKGROUND: The efficacy of RTS,S/AS01 as a vaccine for malaria is being tested in a phase 3 clinical trial. Early results show significant, albeit partial, protection against clinical malaria and severe malaria. To ascertain variations in vaccine efficacy according to covariates such as transmission intensity, choice of adjuvant, age at vaccination, and bednet use, we did an individual-participant pooled analysis of phase 2 clinical data. METHODS: We analysed data from 11 different sites in Africa, including 4453 participants. We measured heterogeneity in vaccine efficacy by estimating the interactions between covariates and vaccination in pooled multivariable Cox regression and Poisson regression analyses. Endpoints for measurement of vaccine efficacy were infection, clinical malaria, severe malaria, and death. We defined transmission intensity levels according to the estimated local parasite prevalence in children aged 2-10 years (PrP₂₋₁₀), ranging from 5% to 80%. Choice of adjuvant was either AS01 or AS02. FINDINGS: Vaccine efficacy against all episodes of clinical malaria varied by transmission intensity (p=0·001). At low transmission (PrP₂₋₁₀ 10%) vaccine efficacy was 60% (95% CI 54 to 67), at moderate transmission (PrP₂₋₁₀ 20%) it was 41% (21 to 57), and at high transmission (PrP₂₋₁₀ 70%) the efficacy was 4% (-10 to 22). Vaccine efficacy also varied by adjuvant choice (p<0·0001); eg, at low transmission (PrP₂₋₁₀ 10%), efficacy varied from 60% (95% CI 54 to 67) for AS01 to 47% (14 to 75) for AS02. Variations in efficacy by age at vaccination were of borderline significance (p=0·038), and bednet use and sex were not significant covariates. Vaccine efficacy (pooled across adjuvant choice and transmission intensity) varied significantly (p<0·0001) according to time since vaccination, from 36% efficacy (95% CI 24 to 45) at time of vaccination to 0% (-38 to 38) after 3 years.
    INTERPRETATION: Vaccine efficacy against clinical disease was of limited duration and was not detectable 3 years after vaccination. Furthermore, efficacy fell with increasing transmission intensity. Outcomes after vaccination cannot be gauged accurately on the basis of one pooled efficacy figure. However, predictions of public-health outcomes of vaccination will need to take account of variations in efficacy by transmission intensity and by time since vaccination. FUNDING: Medical Research Council (UK); Bill & Melinda Gates Foundation Vaccine Modelling Initiative; Wellcome Trust.

    The ideal view on Rackoff's coverability technique

    Rackoff's small witness property for the coverability problem is the standard means to prove tight upper bounds in vector addition systems (VAS) and many extensions. We show how to derive the same bounds directly on the computations of the VAS instantiation of the generic backward coverability algorithm. This relies on a dual view of the algorithm using ideal decompositions of downwards-closed sets, which exhibits a key structural invariant in the VAS case. The same reasoning readily generalises to several VAS extensions.