From Well Structured Transition Systems to Program Verification

by Alain Finkel, et al.

We describe the use of the theory of WSTS for verifying programs.





1 Preliminaries

A relation over a set is a quasi-ordering if it is reflexive and transitive, and a partial ordering if it is antisymmetric as well. It is well-founded if it has no infinite descending chain. A quasi-ordering is a well-quasi-ordering (resp. well partial order), wqo (resp. wpo) for short, if for every infinite sequence , there exist such that . This is strictly stronger than being well-founded.

One example of well-quasi-ordering is the componentwise ordering of tuples over . More formally, is well-quasi-ordered by where, for every , if and only if for every . We extend to where for every . ordered componentwise is also well-quasi-ordered. Let be a finite alphabet. We write to denote the set of finite words over . For every , we write if is a subword of , i.e. can be obtained from by removing zero, one or multiple letters. is well-quasi-ordered by .

2 Well Structured Transition Systems

2.1 Well structured transition systems: wqo and monotony

An ordered (labeled) transition system is a triple such that is a (labeled) transition system and is a quasi-ordering. An ordered transition system is a well structured transition system (WSTS) if is a well-quasi-ordering and is monotone, i.e. for all and such that and , there exists such that and . Many other types of monotonicities were defined in the literature (see [14]), but, for our purposes, we only need to introduce strong monotonicities. We say that has strong monotonicity if for all and , and implies for some . We say that has strong-strict monotonicity¹ if it has strong monotonicity and for all and , and implies for some .

¹ Strong-strict monotonicity should not be confused with strong and strict monotonicities. Here strongness and strictness have to hold at the same time.

Theorem 1.

[11, 14, 3] Termination, boundedness, control-state reachability and coverability are decidable for effective WSTS with strong-strict monotony.

There are two main techniques for proving these decidability results: backward and forward analysis. The backward coverability algorithm computes the finite basis of the set of all predecessors of the upward closure of a state. The forward coverability algorithm computes the finite reduced reachability tree and the finite (extended) Karp-Miller tree (under supplementary hypotheses): these two forward algorithms operate with inductive downward closed invariants.

2.2 A short story of well structured transition systems

Well structured transition systems (initially called structured transition systems in [11]) were first defined and studied as monotone transition systems equipped with a well-quasi-ordering on their set of states. Termination was shown decidable for well structured transition systems with transitive monotonicity, while boundedness was shown decidable for well structured transition systems with strict monotonicity in [11]. For a subclass of finitely branching labeled well structured transition systems with strong-strict monotonicity, now called very well structured transition systems in [6], a generalization of the Karp-Miller algorithm was shown to compute their coverability sets [11, 6]. In [3], the coverability problem was shown to be decidable for a subclass of well structured transition systems, i.e. labeled well structured transition systems with strong monotonicity [3, Def. 3.4] satisfying an additional effective hypothesis: the existence of an algorithm to compute the finite set of minimal elements of , where is the set of immediate predecessors of the upward-closure of a state . In [14], mathematical properties were distinguished from effective properties, and the coverability problem was shown decidable for the entire class of well structured transition systems satisfying the similar additional effective hypothesis that there exists an algorithm to compute the finite set ; i.e., the hypotheses of transition labeling and strong monotonicity made in [3] turned out to be superfluous.

Today, following the presentation of [14], what is mathematically known as well structured transition systems (or, for short, well structured systems) is exactly the original class of structured transition systems [11]; the necessary effective hypotheses are added in order to obtain decidability of properties such as termination, control-state reachability, coverability and boundedness.

3 From Programs to Well Structured Transition Systems

3.1 The general method

Given a program and a safety property , let us describe the two steps for verifying that satisfies by using WSTS:

  1. The first step is to build a transition system associated with . This is well known as the operational semantics of the program and we are used to it. The problem is the huge size of the associated transition system. In general we will define and compute an abstraction of the original program, because we may (and must) forget the parts of the program that have no effect on property . One such technique is (static and dynamic) slicing, which computes the parts of the program that may modify a given set of variables; this computation can be done at small cost. There exist other techniques to build abstractions of the program that produce smaller and tractable programs. We also have to translate the property on into a state-property in (sometimes a formula in a logic) that would be decidable for WSTS.

  2. The second step is to look for an ordering having the two desired properties (monotony and well ordering), i.e., such that is a WSTS. Let us recall that the termination ordering makes every transition system a WSTS [14], but this ordering is undecidable, so the obtained WSTS is not effective and we cannot deduce the decidability of the usual properties. If we find such a decidable ordering , we just verify whether satisfies the state-property . To make this verification, one usually reduces to a coverability property in .

3.2 What can you do when you can’t find a monotone well ordering?

Let us analyse two cases that are not directly translatable into WSTS.

3.2.1 We found a well ordering which is not strongly monotone

Let us consider the case in which we found a well ordering but is unfortunately not strongly monotone. Apart from the usual well ordering on integers (Dickson), there exist many well orderings on different kinds of sets, for instance: the multiset ordering, the subword ordering on finite words (Higman), the homeomorphic embedding on finite trees (Kruskal), the minor ordering (Robertson and Seymour) on finite graphs, etc. These orderings can often be extended to the infinite. With Jean Goubault-Larrecq, we define in [12] an algebra allowing the composition of well orderings by many operators, such as the finite cartesian product.

Let us consider a counter machine . Recall that the usual ordering on positive integers (which extends to vectors of integers) is well (Dickson Lemma) but it is not (strongly) monotone on general counter machines, because guards containing tests to zero are typically not monotone. We may change the original machine into another one which will be a WSTS. We may change the operations and/or the states.

A first drastic action is to remove the tests to zero; another possibility is to replace tests to zero by resets (or by transfers). The new machine is now monotone, hence machine is a WSTS (for the usual ordering) that over-approximates the original counter machine . If never meets a bad state, then one may deduce the same for . Other properties like termination, boundedness and non-reachability are also preserved by monotonic abstraction [4].
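The backward coverability algorithm of Section 2.1, run after the monotonic abstraction just described, as an added example that is not from the paper: the three-counter machine, its zero-tested spawn transition and the names drop_zero_tests, pre_basis and backward_coverability are constructed for illustration.

```python
# Added example, not from the paper: backward coverability (finite basis of the
# predecessors of an upward-closed set) on a counter machine whose zero tests
# have been dropped. A transition is (src, zero_tests, delta, dst): zero_tests
# is the set of counter indices the guard requires to be 0; delta is added.

def drop_zero_tests(transitions):
    """Monotonic abstraction: forget zero tests -> a VASS, a WSTS for Dickson's ordering."""
    return [(src, frozenset(), delta, dst) for src, _, delta, dst in transitions]

def leq(a, b):
    """WSTS ordering: same control state, counters compared componentwise."""
    return a[0] == b[0] and all(x <= y for x, y in zip(a[1], b[1]))

def minimize(states):
    """Finite basis of an upward-closed set: keep only its minimal elements."""
    states = set(states)
    return {s for s in states if not any(o != s and leq(o, s) for o in states)}

def pre_basis(transitions, state):
    """Minimal elements of pre(upward closure of state); needs a monotone machine."""
    q, m = state
    if any(t[1] for t in transitions):
        raise ValueError("zero tests are not monotone: abstract them away first")
    # smallest m' with m' + delta >= m (and >= 0) is max(m - delta, 0) componentwise
    return {(src, tuple(max(mi - di, 0) for mi, di in zip(m, delta)))
            for src, _, delta, dst in transitions if dst == q}

def backward_coverability(transitions, init, bad):
    """(coverable?, basis of pre*(up(bad))). The iteration stabilizes by Dickson's lemma."""
    basis = minimize({bad})
    while True:
        nxt = set(basis)
        for s in basis:
            nxt |= pre_basis(transitions, s)
        nxt = minimize(nxt)
        if nxt == basis:
            return any(leq(b, init) for b in basis), basis
        basis = nxt

# Constructed machine: counters (idle, crit, lock), one control state "c".
MACHINE = [
    ("c", frozenset(), (-1, 1, -1), "c"),   # enter: takes the lock
    ("c", frozenset(), (1, -1, 1), "c"),    # exit: releases the lock
    ("c", frozenset({1}), (1, 0, 0), "c"),  # spawn, guarded by crit == 0 (zero test)
]
INIT = ("c", (2, 0, 1))

def check(bad):
    """False proves the original machine safe; True is inconclusive (over-approximation)."""
    coverable, _ = backward_coverability(drop_zero_tests(MACHINE), INIT, bad)
    return coverable
```

For the bad state "two processes in the critical section", the basis stabilizes on the minimal vectors with crit + lock >= 2, none of which lies below INIT, so the original machine is safe; for "one process in the critical section" the abstraction says coverable, which says nothing about the original.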

We may change the states by abstracting them modulo an equivalence relation or even with an ordering. One may also look for a computable abstraction of , where and are an abstraction of , such that the new transition relation (between abstract states in ) is monotone with respect to , which must still be well, and then is a WSTS. Abstract Interpretation [8] could be extended in this direction, to produce WSTSs.

Another way is to consider general non-monotone models and to test whether a particular instance of the model is strongly monotone. This question is decidable, for example, for Presburger counter machines [15].

3.2.2 We found a strongly monotone ordering which is not well

A first possibility is to use the algorithms for WSTS as semi-algorithms on strongly monotone transition systems. But there is another way. The ordering , which is not well on the considered set of states, could be well on the subset of reachable states. In general, the reachability set is not computable, but in some cases it is possible to compute an over-approximation of the reachability set on which the ordering is well.

Another way is to consider general strongly monotone, non-well-ordered transition systems and to test whether a particular ordering is well. This question is decidable, for example, for orderings defined by Presburger formulas (Presburger orderings); see [15] for the decidability for orderings in .

4 Examples

4.1 Programs with integers

Many programs can be modeled as counter machines (for example programs with lists [5]). Presburger counter machines (PCM) are a general model that allows guards and operations to be expressed as Presburger formulas. It is clear that PCM contain Minsky machines and, as an immediate consequence, all non-trivial properties are undecidable for PCM. Let us now illustrate some notions introduced in step of the strategy described before. Let be a Presburger counter machine with a finite set of control-states and counters. Let us first consider the most natural well ordering on integers, which we classically extend to vectors as follows: let , where is the equality on the finite set and is the vector ordering component by component. By Dickson Lemma, we know that is still well. We cannot directly decide whether is strongly monotone for , but we may decide the strong monotony property for because both the description of and the strong monotony property can be expressed as Presburger formulas [15]. If is strongly monotone for , we may use the WSTS theory. In the case where is not strongly monotone for , we may use the following (non-terminating) semi-algorithm, which enumerates Presburger formulas representing well orderings on and tests, for all , whether is strongly -monotone. If there exists an integer such that is well and strongly monotone on , then the termination of this semi-algorithm is ensured. But if no such exists, this enumeration will never terminate, and so it does not provide an algorithm to decide whether there exists a strongly monotone Presburger well ordering for . Let us define the class of existentially (strongly) well structured Presburger counter machines as follows:

Definition 4.1.

A Presburger counter machine is existentially well structured (resp. existentially strongly well structured) if there exists a Presburger well ordering that is monotone (resp. strongly monotone) for .

Coverability and other properties (see Theorem 1) are decidable for existentially well structured PCMs. We may prove that the monotony property is undecidable [15] for PCM of dimension one (and for Minsky machines of dimension ) with the usual well ordering on integers, and we conjecture that the existentially well structured problem (i.e., whether a PCM is existentially well structured) is also undecidable. Another natural (and still open) question is whether the existentially strongly well structured problem is decidable for PCMs.

4.2 Communication protocols

Let us consider a distributed program composed of a finite set of processes (finite automata, pushdown processes, …) that exchange messages through fifo channels. We know that queue automata, also called fifo machines (i.e., a finite automaton that communicates with a unique fifo buffer, also called a bi-directional fifo channel), may simulate Turing machines and counter machines [16], and this is still true for two finite automata communicating through one-directional fifo channels [7]. Let us consider, to simplify notations, fifo machines (a single sequential control-graph) communicating with channels, and the most natural ordering on words adapted to the fifo behavior, namely the prefix ordering , extended as previously by . Unfortunately this ordering is neither monotone nor well (except in the trivial case where the channel alphabets are reduced to a unique letter). The subword ordering on finite words is well (Higman’s Theorem) and its classical extension is also well, but it is not monotone on fifo machines; however, is monotone on fifo machines with other semantics (like lossy, insertion), hence such non-perfect fifo machines are WSTS for the extended subword ordering. These kinds of non-perfect fifo machines over-approximate the original perfect fifo machines and we may apply the monotonic abstraction described previously in Section .
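A concrete check of the monotonicity claim above, as an added example that is not from the paper: a finite sample of configurations is searched for a violation of strong monotonicity (one step on each side) with respect to the subword ordering, once under perfect and once under lossy fifo semantics. The one-channel machine, the sample and the function names are constructed for illustration.

```python
# Added example, not from the paper: Higman's subword ordering is not monotone
# for a perfect fifo machine but is for its lossy semantics, checked on a finite
# sample of configurations. One channel; transitions are (src, op, letter, dst)
# with op "!" (send to the tail) or "?" (receive from the head).
from itertools import combinations

def is_subword(u, w):
    """Higman's subword ordering: u is obtained from w by deleting letters."""
    it = iter(w)
    return all(c in it for c in u)

def leq(a, b):
    """WSTS ordering on configurations: same control state, channel contents by subword."""
    return a[0] == b[0] and is_subword(a[1], b[1])

def step_perfect(transitions, state):
    """One-step successors with perfect (reliable) fifo semantics."""
    q, w = state
    return {(dst, w + c) if op == "!" else (dst, w[1:])
            for src, op, c, dst in transitions
            if src == q and (op == "!" or w.startswith(c))}

def subwords(w):
    """All words obtained from w by deleting letters (loss of messages)."""
    return {"".join(w[i] for i in keep) for k in range(len(w) + 1)
            for keep in combinations(range(len(w)), k)}

def step_lossy(transitions, state):
    """Lossy semantics: messages may be lost before and after the step."""
    q, w = state
    return {(q2, v2) for u in subwords(w)
            for q2, v in step_perfect(transitions, (q, u)) for v2 in subwords(v)}

def monotonicity_violation(transitions, step, states):
    """First (s, t, s2) with s <= t and s -> s2 but no t -> t2 with s2 <= t2; None if monotone on the sample."""
    for s in states:
        for t in states:
            if not leq(s, t):
                continue
            for s2 in step(transitions, s):
                if not any(leq(s2, t2) for t2 in step(transitions, t)):
                    return (s, t, s2)
    return None

# Constructed machine: s0 sends a's and must receive an a to reach s1.
MACHINE = [("s0", "!", "a", "s0"), ("s0", "?", "a", "s1")]
SAMPLE = [(q, w) for q in ("s0", "s1") for w in ("", "a", "b", "ab", "ba")]
```

With perfect semantics the configuration (s0, "a") lies below (s0, "ba") but only the smaller one can receive an a, which is the violation found; with lossy semantics the larger configuration can first lose the b, so no violation exists.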

4.3 Other programs

There exist many other illustrations of the power of WSTS to verify programs, such as hardware design, multithreaded programs and distributed systems. Let us mention programs with pointers and the use of graphs and orderings on graphs (subgraph ordering and minor ordering) to model the state of the memory [2], parameterized verification of distributed algorithms [9], programs with time constraints (timed Petri nets), cryptographic protocols [10], broadcast protocols, etc.