Some theoretical aspects of verification (with a focus on bisimilarity)
Petr Jančar
Dept of Computer Science
Technical University Ostrava (FEI VŠB-TU)
Czech Republic
www.cs.vsb.cz/jancar
Informatik-Kolloquium, Jena, 14 May 2007 (89 slides)
A (hardware) design process
(From K. Schneider: Verification of reactive systems)
[Figure: the design flow Specification → Design → Implementation (VHDL; RT/Gate level; Switch level; Chip) → Fabrication → Test, with a verification step at each refinement: equivalence proving between specifications, design verification, implementation verification.]
Outline of the talk
Historical remarks, logics, decision problems, theorem proving, program verification
(Temporal) logics of runs; linear vs. branching time; model checking
Behavioural equivalences; bisimulation
Undecidability of bisimilarity on Type −1 systems (an extension of pushdown automata) [Jančar and Srba, FOSSACS 2006]
Final remarks
Leibniz’ programme
Gottfried Wilhelm Leibniz (1646 - 1716)
Whenever there are different opinions about certain facts, one should not discuss them like philosophers usually do; instead one should ‘calculate’ the truth.
lingua characteristica (to express all kinds of properties)
calculus ratiocinator (laws to allow a ‘decision procedure’)
(using a universal encyclopedia)
Leibniz planned the project for the next three centuries!
(His research in the differential calculus went in that direction.)
Propositional logic
Augustus De Morgan (1806-1871), George Boole (1815-1864), ...
a calculus in ‘Leibniz’ sense’ for propositional logic:
¬(x ∧ y) = ¬x ∨ ¬y
x ∧ true = x
. . .
(Boole viewed this as a contribution to Leibniz’ research programme)
W. Stanley Jevons in 1869 ... a machine checking boolean expressions (something like a cash register of that time)
Logical basis for mathematics
Gottlob Frege (1848-1925)
in 1879, Begriffsschrift
(boolean connectives ... but also quantifiers, relations, functions)
beginnings of first order logic
Frege was the first to distinguish between syntax and semantics.
David Hilbert (1862-1943) ... wanted a logical basis for mathematics
Alfred Whitehead (1861-1947), Bertrand Russell (1872-1970): Principia Mathematica (1910-1913)
First order predicate calculus
Alfred Tarski (1902-1983) (till 1923 Alfred Teitelbaum):
end of the 1920s ... interpretation (semantics)
e.g., ∀x.∀y.∃z.(x + y < z) is true in (N, +,
Herbrand’s Theorem; resolution principle
Jacques Herbrand (1908-1931)
in 1930 ... a semi-decision procedure for valid (or unsatisfiable) sentences of first order predicate calculus:
Φ ≡ ∀x1.∀x2. . . . ∀xn.F is unsatisfiable iff
there is a finite set of ground instances of the clauses of F which is unsatisfiable in propositional calculus.
E.g. we prove validity of
( (∀x.M(x) ⇒ D(x)) ∧ M(f(s)) ) ⇒ D(f(s))
The negation
∀x.( (¬M(x) ∨ D(x)) ∧ M(f(s)) ∧ ¬D(f(s)) )
is unsatisfiable since the set of ground clauses
{ ¬M(f(s)) ∨ D(f(s)) , M(f(s)) , ¬D(f(s)) } is unsatisfiable:
by Robinson’s resolution (1965) we can derive D(f(s)) and then the empty clause □ (contradiction).
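The propositional step of Herbrand’s method is ground binary resolution. The following Python is an added worked example, not code from the slides: it saturates a set of ground clauses under resolution and either returns a derivation ending in the empty clause (the set is unsatisfiable, so the original formula is valid) or reports that the set is saturated without □ (it is propositionally satisfiable). The clause syntax (`|` for ∨, a leading `~` for ¬) and the function names are this example’s own conventions; the three clauses fed in are exactly those from the slide above.

```python
from itertools import combinations

# Ground (variable-free) clauses are frozensets of literals; a literal is an atom
# written as a string, negated by a leading '~'.  {A, ~B} stands for A ∨ ¬B and the
# empty frozenset is the empty clause □ (a contradiction).

def negate(literal):
    return literal[1:] if literal.startswith("~") else "~" + literal

def parse_clause(text):
    """'~M(f(s)) | D(f(s))'  ->  frozenset({'~M(f(s))', 'D(f(s))'})"""
    return frozenset(part.strip() for part in text.split("|"))

def resolvents(c1, c2):
    """Every clause obtainable from c1 and c2 by resolving on one complementary pair."""
    out = set()
    for literal in c1:
        if negate(literal) in c2:
            out.add((c1 - {literal}) | (c2 - {negate(literal)}))
    return out

def refute(clauses, limit=10_000):
    """Saturate the set under binary resolution, level by level.
    Returns the list of derived clauses (each as (resolvent, parent1, parent2)),
    ending with the empty clause, if the set is unsatisfiable; returns None if the
    set is saturated without □, i.e. it is propositionally satisfiable.  Ground
    resolution is refutation complete, so this decides the propositional question
    Herbrand's theorem reduces to for one finite set of ground instances.
    `limit` only guards against runaway clause sets."""
    known = set(clauses)
    derived = []
    while True:
        new = set()
        # sorted() only makes the derivation order reproducible
        for c1, c2 in combinations(sorted(known, key=sorted), 2):
            for r in resolvents(c1, c2):
                if r in known or r in new:
                    continue
                new.add(r)
                derived.append((r, c1, c2))
                if not r:                      # □ reached: the input set is unsatisfiable
                    return derived
        if not new or len(known) + len(new) > limit:
            return None
        known |= new

def show(derived):
    """Human-readable rendering of a derivation."""
    fmt = lambda c: " ∨ ".join(sorted(c)) if c else "□"
    return [f"{fmt(r)}   from  {fmt(a)}  and  {fmt(b)}" for r, a, b in derived]

if __name__ == "__main__":
    # The negated goal from the slide, already in ground clause form:
    clauses = {parse_clause("~M(f(s)) | D(f(s))"),
               parse_clause("M(f(s))"),
               parse_clause("~D(f(s))")}
    for line in show(refute(clauses)):
        print(line)
```

Run as a script it prints the two resolution steps of the slide (first D(f(s)), then □). Because the clause set is ground, the search space is finite, so `refute` always terminates; the semi-decidability of the first-order problem comes from the unbounded choice of ground instances, which this block does not attempt.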
Axiomatization of first order predicate calculus
David Hilbert (1862-1943) and Wilhelm Ackermann (1896-1962)
in 1928 ... an axiomatization of first order predicate calculus
Ax 1 φ ⇒ (ψ ⇒ φ)
Ax 2 (φ ⇒ (ψ ⇒ η)) ⇒ ((φ ⇒ ψ) ⇒ (φ ⇒ η))
Ax 3 (¬φ ⇒ ψ) ⇒ ((¬φ ⇒ ¬ψ) ⇒ φ)
Ax 4 (∀x(φ ⇒ ψ)) ⇒ (φ ⇒ ∀xψ), x not free in φ
Ax 5 ∀x(φ(x)) ⇒ φ(e)
Ax 6 e ≡ e
Ax 7 ei ≡ e′i ⇒ f(e1, . . . , ei, . . . , en) ≡ f(e1, . . . , e′i, . . . , en)
Ax 8 ei ≡ e′i ⇒ (R(e1, . . . , ei, . . . , en) ⇔ R(e1, . . . , e′i, . . . , en))
Rule MP (modus ponens): from φ and φ ⇒ ψ infer ψ
Rule GEN (generalization): from φ infer ∀xφ
Questions of completeness and (algorithmic) decidability
Kurt Gödel (1906-1978)
in 1930 completeness (Γ ⊢ φ iff Γ |= φ)
(Every consistent 1st order theory has a model.)
Presburger arithmetic (theory of addition; symbols 0, 1, + [and =])
1. ∀x : ¬(0 = x + 1)
2. ∀x∀y : ¬(x = y) ⇒ ¬(x + 1 = y + 1)
3. ∀x : x + 0 = x
4. ∀x∀y : (x + y) + 1 = x + (y + 1)
5. An axiom scheme (induction):
(P(0) ∧ ∀x : P(x) ⇒ P(x + 1)) ⇒ ∀x : P(x)
where P(x) is any formula constructed from 0, 1, +, = and containing a single free variable x
Presburger arithmetic
Example sentence (the sum of two even numbers is even):
∀x.∀y. ((∃x1.x = x1 + x1) ∧ (∃y1.y = y1 + y1)) ⇒ (∃z.x + y = z + z)
Mojżesz Presburger (1904-1943)
in 1929 ... completeness and decidability (for ‘Presburger arithmetic’)
Complexity (results from the 1970s): lower bound $2^{2^{n}}$, upper bound $2^{2^{2^{p(n)}}}$, for sentences of length n and a polynomial p
The idea of a proof of decidability:
- the prenex form with just one ternary predicate (x + y = z),
- use of finite automata (for quantifier elimination)
Our example sentence (the sum of two even numbers is even) in that form:
∀x.∀y.∀x1.∀y1.∃z.∃z1. ¬(x1 + x1 = x) ∨ ¬(y1 + y1 = y) ∨ ((x + y = z1) ∧ (z + z = z1))
(Nondeterministic) finite automata; determinization
[Figure, built up step by step on the slide: an NFA with states 1, 2, 3, 4 over the alphabet {a, b}, and the equivalent DFA obtained by the subset construction, whose states are the sets {1}, {1,2}, {1,3}, {1,4}, {1,2,3}, {1,2,4}, {1,3,4}, {1,2,3,4}.]
Finite automata - closure properties
[Figure, built up step by step on the slide: the product (pair-state) construction. An automaton with states 1, 2 and an automaton with states A, B, C, D, both over {a, b}, are combined into the product automaton with states (1,A), (1,B), (1,C), (1,D), (2,A), (2,B), (2,C), (2,D); choosing the accepting pairs gives closure under intersection or union.]
Finite automata - summary
Nondeterministic FA −→ equivalent deterministic FA
(possibly with an exponential increase of the number of states)
(but e.g. traversing its state space can be done in polynomial space, generating the subsets on the fly instead of building the DFA)
The class of regular languages is (effectively) closed wrt union, intersection, complement, concatenation, iteration (star: L*), reversal, ...
Questions like L(A) = ∅ ?, or “is there a cycle containing a particular state?” can be decided ‘quickly’ (e.g. by depth-first search in O(n + m) for n states and m transitions)
(NLOGSPACE-complete problems)
Finite automaton - an outside view
[Figure: a finite control in state q0 reading the input tape a b b a b.]
Decidability of Presburger arithmetic (by automata)
∀x.∀y.∀x1.∀y1.∃z.∃z1. ¬(x1 + x1 = x) ∨ ¬(y1 + y1 = y) ∨ ((x + y = z1) ∧ (z + z = z1))
An automaton accepting all (binary codes of) (i, j, k) which satisfy i + j = k
[Figure: the three numbers written in binary on one tape, one bit-triple per cell, read by a finite control in state q0; the example tape is
i = 0 0 1 0 1 (= 5)
j = 0 1 1 0 0 (= 12)
k = 1 0 0 0 1 (= 17)]
Decidability of Presburger arithmetic - cont.
An automaton accepting all (binary codes of) (k1, k2, . . . , kn) which satisfy a quantifier-free φ(x1, x2, . . . , xn)
[Figure: the tape carries one bit of each of k1, . . . , kn per cell, e.g. k1 = 1 0 0 1 1, k2 = 0 1 1 0 1, . . . , kn = 1 1 0 1 0, read by the control in state q0.]
By projection (erasing the last component of every letter) we get an automaton accepting (k1, k2, . . . , kn−1) satisfying ∃xn.φ(x1, x2, . . . , xn)
Formula ∀x.φ is rewritten as ¬∃x.¬φ ...
Decidability of Presburger arithmetic - cont.
Summary:
For a general Φ(x1, x2, . . . , xn) (defining a subset [[Φ]] ⊆ N^n) we construct an automaton AΦ accepting precisely (the binary codes of) the tuples (k1, k2, . . . , kn) ∈ [[Φ]], i.e. [[Φ]] corresponds to L(AΦ).
For closed Φ we have:
Φ is true iff ε ∈ L(AΦ) iff L(AΦ) ≠ ∅
Φ is true iff L(A¬Φ) = ∅
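The automata-based decision procedure of the last three slides, together with the subset construction of the determinization slide, as one added Python example (this is not code from the talk). It builds the carry automaton for x + y = z over bit-triples, projects away a variable to obtain the NFA for an existential quantifier, determinizes by the subset construction and complements for negation. Two conventions are this example’s own: numbers are read least-significant bit first (the slide draws the tape most-significant bit first; LSB-first lets the carry run left to right), and words may carry trailing all-zero letters, which is why `project` closes the accepting set under such padding. Automaton representation and function names are assumptions of the example.

```python
from collections import deque
from itertools import product

# Alphabet for n variables: n-tuples of bits.  A tuple of naturals is encoded as a word
# of such letters, least-significant bits first, so (i, j, k) = (5, 3, 8) becomes
# [(1,1,0), (0,1,0), (1,0,0), (0,0,1)].  Trailing all-zero letters are harmless padding.

def letters(arity):
    return list(product((0, 1), repeat=arity))

def encode(*nums):
    width = max((n.bit_length() for n in nums), default=0)
    return [tuple((n >> pos) & 1 for n in nums) for pos in range(width)]

def adder_dfa():
    """DFA over (i, j, k) bit-triples accepting exactly the codes with i + j = k.
    The state is the carry; a word is accepted when no carry is pending at the end.
    Letters whose k-bit disagrees with the sum have no transition (implicit rejection)."""
    delta = {}
    for carry in (0, 1):
        for a, b, s in letters(3):
            total = a + b + carry
            if total % 2 == s:
                delta[(carry, (a, b, s))] = total // 2
    return {"arity": 3, "start": 0, "accept": {0}, "delta": delta}

def dfa_accepts(dfa, word):
    state = dfa["start"]
    for letter in word:
        state = dfa["delta"].get((state, letter))
        if state is None:
            return False
    return state in dfa["accept"]

def project(dfa, pos):
    """Existential quantification = projection: erase coordinate `pos` of every letter.
    The result is an NFA (several successors per letter).  Because the erased value may
    need more bits than the kept ones, a state from which an all-zero word on the kept
    coordinates leads to acceptance is made accepting too (trailing-zero padding)."""
    arity = dfa["arity"] - 1
    delta = {}
    for (q, letter), r in dfa["delta"].items():
        kept = letter[:pos] + letter[pos + 1:]
        delta.setdefault((q, kept), set()).add(r)
    accept, zero = set(dfa["accept"]), (0,) * arity
    changed = True
    while changed:
        changed = False
        for (q, kept), succ in delta.items():
            if kept == zero and q not in accept and succ & accept:
                accept.add(q)
                changed = True
    return {"arity": arity, "start": {dfa["start"]}, "accept": accept, "delta": delta}

def determinize(nfa):
    """Subset construction: DFA states are sets of NFA states.  Only reachable subsets
    are built, which is what keeps the worst-case exponential blow-up at bay in practice.
    The result is total: the empty set acts as the rejecting sink."""
    start = frozenset(nfa["start"])
    delta, seen, queue = {}, {start}, deque([start])
    while queue:
        S = queue.popleft()
        for letter in letters(nfa["arity"]):
            T = frozenset(r for q in S for r in nfa["delta"].get((q, letter), ()))
            delta[(S, letter)] = T
            if T not in seen:
                seen.add(T)
                queue.append(T)
    accept = {S for S in seen if S & nfa["accept"]}
    return {"arity": nfa["arity"], "start": start, "accept": accept,
            "delta": delta, "states": seen}

def complement(total_dfa):
    """Negation: swap accepting and rejecting states.  Valid only on a total DFA such as
    the output of determinize(), never on the partial adder_dfa() directly."""
    return dict(total_dfa, accept=total_dfa["states"] - total_dfa["accept"])

if __name__ == "__main__":
    le = determinize(project(adder_dfa(), 1))   # ∃j. i + j = k, i.e. i ≤ k
    gt = complement(le)                          # ¬∃j. i + j = k, i.e. i > k
    print("DFA states for i <= k:", len(le["states"]))
    print("3 <= 5:", dfa_accepts(le, encode(3, 5)), "  3 > 5:", dfa_accepts(gt, encode(3, 5)))
```

A ∀ is handled as ¬∃¬, i.e. `complement(determinize(project(complement(...))))`; intersection and union are the product construction of the closure slide. Repeating these steps over the prenex form of a sentence leaves an automaton of arity 0, and the sentence is true exactly when that automaton accepts the empty word, as the summary slide states.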
Presburger definable sets = semilinear sets
A set L ⊆ N^k is linear if there are a basis b ∈ N^k and periods p1, p2, . . . , pn ∈ N^k so that
L = { b + c1p1 + c2p2 + · · · + cnpn | c1, c2, . . . , cn ∈ N }
[Figure: the points of a linear set in N^2, a basis point plus all nonnegative integer combinations of the periods.]
A set S ⊆ N^k is semilinear iff it is a finite union of linear sets.
Ginsburg, Spanier 1966: Presburger-definable subsets of N^k are precisely the semilinear sets.
Addition and multiplication
Theory N (symbols 0, S, +, ·, < [and =]).
A basic axiom system for the arithmetic on natural numbers (without the induction principle):
1. Sx ≠ 0
2. Sx = Sy ⇒ x = y
3. x + 0 = x
4. x + Sy = S(x + y)
5. x · 0 = 0
6. x · Sy = (x · y) + x
7. ¬(x < 0)
8. (x < Sy) ⇔ (x < y) ∨ (x = y)
9. (x < y) ∨ (x = y) ∨ (y < x)
Undecidability, incompleteness (of arithmetic)
Gödel in 1931 .... incompleteness
(Every formal system able to express arithmetic (i.e., theory N) ...)
Alan Turing (1913-1954), Alonzo Church (1903-1995)
1936 ... Turing machines, λ-calculus,
a stable notion of computable functions (Church-Turing thesis)
(also undecidability of (validity in) first order logic; thus answering negatively the question stated by Hilbert and Ackermann)
Absolute limits (for automated verification)
Negative side:
The incompleteness and undecidability results revealed some absolute limits for finitistic reasoning (and for automated computations), i.e., limits for Hilbert’s program and Leibniz’ calculus ratiocinator.
Positive side:
completeness of the axiomatization of first order logic,
semidecidability of validity (unsatisfiability),
decidability results for special cases
(though computational complexity plays an important role)
Electronic computer era
In 1946, John Mauchly and J. Presper Eckert completed ENIAC
(Electronic Numerical Integrator And Computer),
the world’s first general-purpose electronic digital computer
The fascinating era of electronic computers started ...
Automated theorem proving
M. Davis in 1954 ... implementation of the decision procedure for Presburger arithmetic:
the first success: the computer proved that the sum of two even numbers is an even number
Hao Wang in 1958-1964 ... automated theorem prover (proved the simple laws of predicate calculus in Principia Mathematica)
Davis, Putnam, Prawitz ... unification
Robinson 1965 ... resolution principle
Automated theorem proving - cont.
1970s, 1980s, 1990s, 2000s: dozens of various (software) theorem provers (or proof assistants)
Used for verifying (computer) systems
They usually extend first order logic: induction principles, higher order logics (reasoning on data structures like lists, trees, graphs, ...; functional programming, functions of higher order types, ...)
One example:
Hunt W.: Microprocessor design verification, Journal of Automated Reasoning 5, 4 (1989), 429-460
(verification of the 32-bit processor FM8502), a part of a bigger project:
Bevier W., Hunt W., Moore J., Young W.: An approach to system verification, Journal of Automated Reasoning 5, 4 (1989), 411-428
(verification of a code generator, an assembler, the kernel of an operating system)
Some available theorem provers (proof assistants)
PVS Specification and Verification System
http://pvs.csl.sri.com/
SRI (Stanford Research Institute)
The HOL System
http://www.cl.cam.ac.uk/Research/HVG/HOL/
Cambridge University, UK
Coq
http://pauillac.inria.fr/coq/
INRIA, France
Further available tools:
ACL2 at Univ. of Texas at Austin, USA; Isabelle at Cambridge, UK; Larch, MIT, USA; Nuprl, Cornell, USA; TPS, Carnegie Mellon Univ., USA
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
Kolloquium Jena, 14 May 2007 26 /<br />
89
Program verification
Late 1960s:
specialized logics and proof procedures for
verification of computer programs and systems
Among the pioneers:
Floyd, Hoare, Dijkstra, Gries, Lamport, Owicki, Manna, Pnueli
Verification of a computer program (division of numbers)
{ x1, x2 are integers satisfying C1: x1 ≥ 0, x2 > 0 }
Program P:
  y1 := 0; y2 := x1;
  { x1 = y1·x2 + y2 ∧ 0 ≤ y2 }  ... INV (the loop invariant)
  while y2 ≥ x2 do (y1 := y1 + 1; y2 := y2 − x2);
  z1 := y1; z2 := y2
{ C2: x1 = z1·x2 + z2 ∧ 0 ≤ z2 < x2 }
We want to verify: {C1} P {C2} ... (the specification of P: z1 is the quotient, z2 the remainder)
Generated verification conditions:
  {C1} y1 := 0; y2 := x1 {INV}
  {INV ∧ y2 ≥ x2} y1 := y1 + 1; y2 := y2 − x2 {INV}
  {INV ∧ ¬(y2 ≥ x2)} z1 := y1; z2 := y2 {C2}
(This is partial correctness only: termination follows separately from x2 > 0, since y2 strictly decreases in every iteration.)
Axiomatic semantics (partial correctness)

  {A} skip {A}

  {B[a/X]} X := a {B}

  {A} c0 {C}    {C} c1 {B}
  ------------------------
       {A} c0; c1 {B}

  {A ∧ b} c0 {B}    {A ∧ ¬b} c1 {B}
  ---------------------------------
     {A} if b then c0 else c1 {B}

        {A ∧ b} c {A}
  ---------------------------
  {A} while b do c {A ∧ ¬b}

  ⊨ (A ⇒ A′)    {A′} c {B′}    ⊨ (B′ ⇒ B)
  ----------------------------------------   (rule of consequence)
                {A} c {B}
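The verification conditions of the division slide are exactly what one obtains by reading the rules above backwards from the postcondition: assignment substitutes, sequencing chains, and the while rule is the only place where a human-supplied invariant enters. The following is an added example, not code from the talk: a small verification-condition generator for this while-language (Python 3.9+, using `ast.unparse` for the substitution B[a/X]), followed by a bounded check of each condition. The tuple encoding of commands, the `division` builder and the off-by-one variant with guard `y2 > x2` are my own constructions; the bounded check is evidence only, a prover or SMT solver would discharge the conditions for all integers.

```python
# Added example (not from the slides): a verification-condition generator for the
# while-language of the axiomatic-semantics rules, plus a bounded check of the
# generated conditions.  The tuple encoding of commands is my own choice.
import ast
import copy
import itertools

# Commands:  ("skip",)  ("assign", X, a)  ("seq", c0, c1)
#            ("if", b, c0, c1)  ("while", b, INV, c)      (INV is the loop invariant)
# Boolean/arithmetic expressions and assertions are Python expression strings.


def subst(assertion, var, expr):
    """B[a/X]: replace every occurrence of the variable X in B by the expression a."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(replacement) if node.id == var else node

    tree = Sub().visit(ast.parse(assertion, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))


def implies(a, b):
    return f"(not ({a})) or ({b})"


def wp(cmd, post, vcs):
    """Read the Hoare rules backwards from the postcondition.  Returns the
    precondition; the while rule appends its two side conditions to vcs."""
    kind = cmd[0]
    if kind == "skip":
        return post
    if kind == "assign":                      # {B[a/X]} X := a {B}
        return subst(post, cmd[1], cmd[2])
    if kind == "seq":                         # {A} c0 {C}   {C} c1 {B}
        return wp(cmd[1], wp(cmd[2], post, vcs), vcs)
    if kind == "if":                          # {A ∧ b} c0 {B}   {A ∧ ¬b} c1 {B}
        b, then_pre, else_pre = cmd[1], wp(cmd[2], post, vcs), wp(cmd[3], post, vcs)
        return f"({implies(b, then_pre)}) and ({implies('not (' + b + ')', else_pre)})"
    if kind == "while":                       # {INV ∧ b} c {INV},   INV ∧ ¬b ⇒ post
        b, inv, body = cmd[1], cmd[2], cmd[3]
        vcs.append(implies(f"({inv}) and ({b})", wp(body, inv, vcs)))
        vcs.append(implies(f"({inv}) and not ({b})", post))
        return inv                            # consequence rule then needs pre ⇒ INV
    raise ValueError(f"unknown command {kind}")


def verification_conditions(pre, cmd, post):
    """All conditions whose validity establishes {pre} cmd {post} (partial correctness)."""
    vcs = []
    top = implies(pre, wp(cmd, post, vcs))
    return [top] + vcs


def free_vars(formula):
    return sorted({n.id for n in ast.walk(ast.parse(formula, mode="eval"))
                   if isinstance(n, ast.Name)})


def bounded_check(formula, lo=-2, hi=4):
    """Evaluate the condition for every valuation of its variables in [lo, hi].
    A returned valuation is a real counterexample; None is evidence, not a proof."""
    names = free_vars(formula)
    code = compile(formula, "<vc>", "eval")          # our own strings, never user input
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, values))
        if not eval(code, {"__builtins__": {}}, env):
            return env
    return None


# The division program of the slides, with the loop guard as a parameter.
C1 = "x1 >= 0 and x2 > 0"
INV = "x1 == y1 * x2 + y2 and 0 <= y2"
C2 = "x1 == z1 * x2 + z2 and 0 <= z2 and z2 < x2"


def division(guard="y2 >= x2"):
    body = ("seq", ("assign", "y1", "y1 + 1"), ("assign", "y2", "y2 - x2"))
    return ("seq", ("assign", "y1", "0"),
            ("seq", ("assign", "y2", "x1"),
             ("seq", ("while", guard, INV, body),
              ("seq", ("assign", "z1", "y1"), ("assign", "z2", "y2")))))


def check_program(cmd, pre=C1, post=C2):
    """[(condition, counterexample-or-None), ...] for every generated condition."""
    return [(vc, bounded_check(vc)) for vc in verification_conditions(pre, cmd, post)]


if __name__ == "__main__":
    for vc, cex in check_program(division()):
        print("OK  " if cex is None else "FAIL", vc, cex or "")
    # Off-by-one guard 'y2 > x2': the exit condition INV ∧ ¬b ⇒ C2 fails when y2 = x2.
    for vc, cex in check_program(division("y2 > x2")):
        print("OK  " if cex is None else "FAIL", vc, cex or "")
```

For the program as given, all three conditions hold on every bounded valuation. With the guard changed to `y2 > x2`, the exit condition INV ∧ ¬(y2 > x2) ⇒ C2 is reported with a counterexample in which y2 = x2, i.e. the remainder is not strictly smaller than the divisor; that is the kind of off-by-one a reviewer would otherwise have to spot by hand.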
Program-and-proof development
Stephen A. Cook (in the late 1970s) showed relative completeness:
  ⊨ {A} c {B} implies ⊢ {A} c {B}
(relative in the sense that a proof may use any valid assertion as an axiom, so it depends on some assertions being valid; the assertion language must be expressive enough)
David Gries (The Science of Programming):
"the study of program correctness proofs has led to the discovery
and elucidation of methods for developing programs.
Basically, one attempts to
develop a program and its proof hand-in-hand,
with the proof ideas leading the way!"
(For tedious things like detailed proofs of elementary bits of mathematics
etc. ... use automated proof assistants.)
Some specialized tools for deductive program verification
The Stanford Temporal Prover, STeP
http://www-step.stanford.edu/
Stanford University, USA
TLV - Temporal Logic Verifier
http://www.wisdom.weizmann.ac.il/ verify/tlv/
Weizmann Institute of Science, Israel
-----------------------------
A comprehensive survey of verification tools
at the Faculty of Informatics, Masaryk University Brno, Czech Rep.
http://anna.fi.muni.cz/yahoda/
Denotational semantics, while-command
for command c ... semantics C[[c]] : Σ → Σ⊥
C[[while b do c]] ... the set of pairs (σ, σ′) such that σ −(while b do c)→ σ′, where
  if B[[b]]σ = false then σ −(while b do c)→ σ
  if B[[b]]σ = true and σ −(c)→ σ′′ and σ′′ −(while b do c)→ σ′ then σ −(while b do c)→ σ′
I.e., we apply a functional Γ : (Σ → Σ⊥) → (Σ → Σ⊥):
  ⊥ ⊆ Γ(⊥) ⊆ Γ(Γ(⊥)) ⊆ Γ(Γ(Γ(⊥))) ⊆ . . .
(C[[while b do c]] is the least fixpoint of Γ, the limit of this chain.)
Fixpoints of monotonic functionals
(figure only: the iteration of a monotonic functional towards its fixpoints)
Knaster-Tarski theorem
Bronislaw Knaster (1893-1990)
Alfred Tarski (1902-1983) (till 1923 Alfred Teitelbaum):
Assume a monotonic functional Γ : 2^A → 2^A
(B ⊆ C ⇒ Γ(B) ⊆ Γ(C)).
Then Y = ⋂ {X | Γ(X) ⊆ X}
(intersection, i.e. glb, of all prefixed points)
is the least fixpoint of Γ. (Γ(Y) = Y)
Dually, (Γ is monotonic also on (2^A, ⊇), and)
Z = ⋃ {X | X ⊆ Γ(X)}
(union, i.e. lub, of all postfixed points)
is the greatest fixpoint of Γ. (Γ(Z) = Z)
Fixpoints for continuous functionals
Suppose a monotonic Γ : 2^A → 2^A.
For f0 ⊆ f1 ⊆ f2 ⊆ · · · ⊆ ⋃_{n∈ω} fn we get
  ⋃_{n∈ω} Γ(fn) ⊆ Γ(⋃_{n∈ω} fn).
(Monotonic) Γ is continuous if
  ⋃_{n∈ω} Γ(fn) = Γ(⋃_{n∈ω} fn).
Then we get lfp(Γ) as
  ∅ ⊆ Γ(∅) ⊆ Γ(Γ(∅)) ⊆ · · · ⊆ ⋃_{n∈ω} Γ^n(∅) = Γ(⋃_{n∈ω} Γ^n(∅)).
Similarly for gfp(Γ) (when Γ also preserves intersections of descending chains):
  A ⊇ Γ(A) ⊇ Γ(Γ(A)) ⊇ · · · ⊇ ⋂_{n∈ω} Γ^n(A) = Γ(⋂_{n∈ω} Γ^n(A)).
(On a finite A both chains stabilise after finitely many steps, which is what model-checking algorithms exploit.)
Verifying 'simple' properties
Concurrent, parallel, interactive, 'nondeterministic' systems,
with ongoing behaviour ...
No input-output characterization (specification) ...
Verification of 'simple' properties ...
Peterson's protocol (to avoid a critical section clash)

  Process A:                              Process B:
    ** noncritical region **                ** noncritical region **
    flagA := true                           flagB := true
    turn := B                               turn := A
    waitfor (flagB = false ∨ turn = A)      waitfor (flagA = false ∨ turn = B)
    ** critical region **                   ** critical region **
    flagA := false                          flagB := false
    ** noncritical region **                ** noncritical region **
Kripke structure (transition system)
(figure: the reachable states of Peterson's protocol as a labelled transition graph; only the state labels survive in the text)
  ¬critA, ¬critB, ¬flagA, ¬flagB, turn = ⊥
  ¬critA, ¬critB, flagA, ¬flagB, turn = ⊥
  ¬critA, ¬critB, ¬flagA, flagB, turn = ⊥
  ¬critA, ¬critB, flagA, flagB, turn = ⊥
  ¬critA, ¬critB, flagA, ¬flagB, turn = B
  ¬critA, ¬critB, ¬flagA, ¬flagB, turn = A
Simple (temporal) properties
(we refer to Peterson's protocol)
a safety property: ∀t : (¬critA(t) ∨ ¬critB(t))
"something bad never happens"
a liveness property: ∀t : flagA(t) ⇒ (∃t′ : t ≤ t′ ∧ critA(t′))
"something good eventually happens"
(e.g., also fairness properties ... more complicated)
First order logic of order (FOLO)
Reasoning about finite runs (later also infinite runs)
We assume a set AP (atomic propositions) of unary predicates P1, P2, . . .
  φ ::= P(x) | x = y | x < y | ¬φ | φ1 ∧ φ2 | ∃x.φ
E.g. ∀x : flagA(x) ⇒ (∃x′ : x ≤ x′ ∧ critA(x′))
Interpreted on {0, 1, . . . , n} with the natural meaning of <.
We can add (define): φ1 ∨ φ2, true, false, succ(x, y), ∀x.φ, x ≤ y, ⇒, ...
The structure (interpretation) can be viewed as
  w = [ P1  ] [ ¬P1 ] [ ¬P1 ]
      [ ¬P2 ] [ P2  ] [ P2  ] . . .
      [ P3  ] [ P3  ] [ ¬P3 ]
      [ ..  ] [ ..  ] [ ..  ]
i.e., as a word in the alphabet 2^AP (each position carries the set of predicates true there)
Semantics of FOLO
For interpreting free variables we need a valuation:
  V : {x, y, z, . . . } → {0, 1, . . . , n}
Then
  w ⊨_V φ ... w satisfies (is a model of) φ in valuation V
can be defined by structural induction:
  w ⊨_V P(x)       ... P ∈ w(V(x))   (predicate P holds at position V(x))
  w ⊨_V x = y      ... V(x) = V(y)
  w ⊨_V x < y      ... V(x) < V(y)
  w ⊨_V ¬φ         ... w ⊭_V φ
  w ⊨_V φ1 ∧ φ2    ... w ⊨_V φ1 and w ⊨_V φ2
  w ⊨_V ∃x.φ       ... there is j ∈ {0, . . . , n} s.t. w ⊨_{V[j/x]} φ
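The inductive definition above is directly executable on a finite run. The following is an added example, not code from the talk: an evaluator for the core FOLO syntax over a word whose letters are sets of atomic propositions, with ∨, ⇒, ≤ and ∀ defined from the core as the previous slide suggests, applied to the safety and liveness properties of Peterson's protocol. The tuple encoding of formulas and the three sample traces are my own construction.

```python
# Added example (not from the slides): w ⊨_V φ by structural induction, over a
# finite word w = w(0) w(1) ... w(n) whose letters are sets of atomic propositions.
# Formula encoding (nested tuples) and the sample traces are constructed here.


def holds(w, phi, V=None):
    """w ⊨_V φ for the core syntax; V maps variables to positions 0..len(w)-1."""
    V = V or {}
    op = phi[0]
    if op == "P":                      # ("P", predicate, x):  P ∈ w(V(x))
        return phi[1] in w[V[phi[2]]]
    if op == "=":                      # ("=", x, y)
        return V[phi[1]] == V[phi[2]]
    if op == "<":                      # ("<", x, y)
        return V[phi[1]] < V[phi[2]]
    if op == "not":
        return not holds(w, phi[1], V)
    if op == "and":
        return holds(w, phi[1], V) and holds(w, phi[2], V)
    if op == "exists":                 # ("exists", x, φ): some j with w ⊨_{V[j/x]} φ
        x, body = phi[1], phi[2]
        return any(holds(w, body, {**V, x: j}) for j in range(len(w)))
    raise ValueError(f"unknown connective {op}")


# Derived connectives ("we can add (define) ..."):
def Or(a, b):
    return ("not", ("and", ("not", a), ("not", b)))


def Implies(a, b):
    return Or(("not", a), b)


def Leq(x, y):
    return Or(("<", x, y), ("=", x, y))


def Forall(x, a):
    return ("not", ("exists", x, ("not", a)))


# The slide's properties:  ∀x : flagA(x) ⇒ (∃x′ : x ≤ x′ ∧ critA(x′))
LIVENESS = Forall("x", Implies(("P", "flagA", "x"),
                               ("exists", "x2", ("and", Leq("x", "x2"),
                                                 ("P", "critA", "x2")))))
#                          ∀x : ¬critA(x) ∨ ¬critB(x)
SAFETY = Forall("x", Or(("not", ("P", "critA", "x")), ("not", ("P", "critB", "x"))))

# Constructed finite traces (each letter is the set of propositions true at that step):
GOOD_RUN = [set(), {"flagA"}, {"flagA"}, {"flagA", "critA"}, set()]
STARVED_RUN = [set(), {"flagA"}, {"flagA", "flagB"}, {"flagA", "flagB", "critB"}, {"flagA"}]
CLASH_RUN = [set(), {"flagA", "flagB"}, {"flagA", "flagB", "critA", "critB"}]


def check_trace(w):
    """Evaluate both properties on one finite run."""
    return {"safety": holds(w, SAFETY), "liveness": holds(w, LIVENESS)}


if __name__ == "__main__":
    for name, run in [("good", GOOD_RUN), ("starved", STARVED_RUN), ("clash", CLASH_RUN)]:
        print(name, check_trace(run))
```

Note that on a finite run the liveness formula can only be judged up to the last position: `STARVED_RUN` violates it because the run ends before A enters, which is exactly why the next slides move to infinite runs and ω-automata.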
Decidability of validity in FOLO by finite automata
  φ ::= P(x) | x = y | x < y | ¬φ | φ1 ∧ φ2 | ∃x.φ
flagA(x) ⇒ (∃x′ : x ≤ x′ ∧ critA(x′)) ... Φ(flagA, critA; x)
A formula Φ(P1, P2, P3; x1, x2, x3) with free variables is read by a finite automaton from a word whose letters are the columns below; the track of a first-order variable contains exactly one 1, at the position the variable denotes:
  P1  1 0 0 0 0 1 0 1
  P2  1 1 1 0 1 1 0 0
  P3  0 0 1 1 1 0 0 1
  x1  0 0 1 0 0 0 0 0
  x2  0 0 0 0 0 0 1 0
  x3  1 0 0 0 0 0 0 0
(figure: the automaton reading this word, with initial state q0)
Decidability of validity in FOLO by finite automata - cont.
Büchi (early 1960s)
To each closed Φ (with predicates P1, P2, . . . , Pk)
construct a finite automaton A_Φ over the alphabet 2^{P1,P2,...,Pk} such that
  w ⊨ Φ iff w ∈ L(A_Φ) .... L(Φ) = L(A_Φ)
So we have: Φ valid iff ¬Φ unsatisfiable iff L(A_¬Φ) = ∅
Model checking:
  decide if K, s ⊨ Φ (i.e., if all runs from s satisfy Φ)
  construct the automaton A_¬Φ
  construct the product automaton A = (K, s) × A_¬Φ
  decide if L(A) = ∅ (if NO then provide a counterexample: a word accepted by the product is a run of K from s that violates Φ)
Monadic second order logic of order (MSOLO)
FOLO-languages are exactly the star-free regular languages, a (proper) subclass of the regular languages:
the star-free regular languages form the least class which contains
the elementary (finite) languages and is closed wrt
∪ (union), · (concatenation), ¯ (complement).
E.g., "on each even position (and maybe elsewhere) there is b"
cannot be expressed. ..... ababbbababbb
We need monadic second order logic (MSOLO):
  φ ::= P(x) | x = y | x < y | ¬φ | φ1 ∧ φ2 | ∃x.φ | ∃X.φ | x ∈ X
  ∃X. 0 ∈ X ∧ ∀y∀z.(succ(y, z) ⇒ (y ∈ X ⇔ ¬(z ∈ X)))
       ∧ ∀y. y ∈ X ⇒ Qb(y)
  (X is the set of even positions; Qb(y) says that the letter at position y is b)
Büchi: MSOLO-languages are exactly the regular languages.
Logics and automata on infinite words
Infinite runs  w = [ P1  ] [ ¬P1 ] [ ¬P1 ]
                   [ ¬P2 ] [ P2  ] [ P2  ] . . .
                   [ P3  ] [ P3  ] [ ¬P3 ]
                   [ ..  ] [ ..  ] [ ..  ]
No problem with interpreting the logics (L(Φ) ⊆ Σ^ω):
  FOLO:   φ ::= P(x) | x = y | x < y | ¬φ | φ1 ∧ φ2 | ∃x.φ
  MSOLO:  φ ::= P(x) | x = y | x < y | ¬φ | φ1 ∧ φ2 | ∃x.φ | ∃X.φ | x ∈ X
What about automata?
Büchi: accepts when an accepting state appears infinitely often
(figure: two states; the initial state loops on a and b and moves on b to the accepting state, which loops on b)
  L_ω(A) = { w ∈ {a, b}^ω | w contains just finitely many a's }
Automata on infinite words
(Nondeterministic) Büchi automata ... ω-regular languages
The same as MSOLO ω-languages:
  NBA → MSOLO easy
  (∃X1 (positions for state q1) ∃X2 (state q2) ....)
  MSOLO → NBA similarly as in the finite word case,
  but intersection is a bit more complicated,
  and determinization does not hold! (see the previous example: no deterministic Büchi automaton accepts "finitely many a's"),
  complementation still holds but is more difficult
  (a nice application of Ramsey's theorem for the countable case)
Muller automata {I1, I2, . . . , Ik} ... a run is accepting if the set of states it visits infinitely often coincides with one of the Ii
Rabin automata {(G1, R1), (G2, R2), . . . , (Gk, Rk)} ...
  for some pair i, Gi is visited infinitely often but Ri only finitely often
Streett automata, Mostowski (parity) automata, ...
Validity and model checking for infinite words
Validity
  To an MSOLO formula Φ, construct an NBA A_¬Φ so that
  ⊨ Φ iff L(A_¬Φ) = ∅
Model checking
  To decide if K, s ⊨ Φ, check if L(A) = ∅ for A = (K, s) × A_¬Φ
Warning. Already satisfiability of FOLO is nonelementary
(for input size n, we get at least a tower of exponentials 2^(2^(...^2)) of height n),
so A_Φ must in general be very large.
Nevertheless, see:
MONA project
http://www.brics.dk/mona/
BRICS, Denmark
Linear Temporal Logic (LTL)
In practical life (of 'small things'), it is often convenient to use just
LTL (or PLTL - Propositional Linear(-time) Temporal Logic)
(Amir Pnueli in the late 1970s advocated its use in verification;
the logic goes back to Prior (1957, 1967), etc.)
  φ ::= P | ¬φ | φ1 ∧ φ2 | X φ | φ1 U φ2
  F φ ≡ true U φ,   G φ ≡ ¬F ¬φ,   . . .
Recall the safety property and the liveness property (in FOLO)
  ∀t : (¬critA(t) ∨ ¬critB(t)),   ∀t : flagA(t) ⇒ (∃t′ : t ≤ t′ ∧ critA(t′))
in LTL:  G(¬critA ∨ ¬critB),   G(flagA ⇒ F critA)
Kamp (1968), Gabbay, Pnueli, Shelah, Stavi (1980):
FOLO and LTL are equally expressive
Model checking LTL
Decide if K, s ⊨ Φ (i.e., if all runs from s satisfy the LTL formula Φ):
  construct the automaton A_¬Φ
  construct the product automaton A = (K, s) × A_¬Φ
  decide if L(A) = ∅ (if NO then provide a counterexample)
Moshe Vardi:
  LTL formula Φ ... alternating Büchi automaton ... NBA
  (subset construction; exponential increase)
Model checking LTL is PSPACE-complete
(the state space is built on demand, on the fly ...)
Time complexity of the algorithms in use: O(|K| · 2^|Φ|)
SPIN (LTL model checker)
http://spinroot.com/
Bell Labs
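The three-step recipe above (negate, build the product, test emptiness) is short enough to write out in full. The following is an added example, not code from the talk or from SPIN: the Büchi automata for the negations of the two Peterson properties are written by hand (no LTL-to-NBA translation is implemented), the product reads the label of the Kripke state it leaves, and emptiness is decided by nested depth-first search, which also yields the counterexample as a lasso (a finite prefix followed by a cycle). The three-state Kripke structure, in which process A can spin forever in its wait, is constructed for the example and is not the protocol's real state space.

```python
# Added example (not from the slides): LTL model checking as emptiness of the
# product (K, s) × A¬Φ, with the Büchi automata written by hand for ¬Φ and the
# emptiness test done by nested DFS.  Kripke structure and automata are constructed.

# Constructed Kripke structure: successor lists and labels (sets of atomic propositions).
# In s1 process A has raised its flag and may stay there forever (self-loop).
K_SUCC = {"s0": ["s1"], "s1": ["s1", "s2"], "s2": ["s0"]}
K_LABEL = {"s0": set(), "s1": {"flagA"}, "s2": {"flagA", "critA"}}
K_INIT = "s0"

# Nondeterministic Büchi automata over 2^AP; each transition carries a guard on the letter.
# Each automaton accepts exactly the runs that violate the slide's property.
NOT_LIVENESS = {   # ¬G(flagA ⇒ F critA)  =  F(flagA ∧ G ¬critA)
    "init": "q0", "accepting": {"q1"},
    "trans": [("q0", lambda L: True, "q0"),
              ("q0", lambda L: "flagA" in L and "critA" not in L, "q1"),
              ("q1", lambda L: "critA" not in L, "q1")],
}
NOT_SAFETY = {     # ¬G(¬critA ∨ ¬critB)  =  F(critA ∧ critB)
    "init": "q0", "accepting": {"q1"},
    "trans": [("q0", lambda L: True, "q0"),
              ("q0", lambda L: {"critA", "critB"} <= L, "q1"),
              ("q1", lambda L: True, "q1")],
}


def product_successors(k_succ, k_label, nba):
    """(s, q) → (s', q') iff s → s' in K and the NBA reads the label of s from q into q'."""
    def succ(ps):
        s, q = ps
        return [(t, q2) for t in k_succ[s]
                for (q1, guard, q2) in nba["trans"] if q1 == q and guard(k_label[s])]
    return succ


def accepting_lasso(init, succ, accepting):
    """Nested DFS: an accepting state on a cycle reachable from init, or None if L = ∅.
    Returns (prefix, cycle).  The inner search runs in post-order of the outer one,
    which is what makes sharing one 'seen_inner' set across inner searches sound."""
    seen_outer, seen_inner, path = set(), set(), []

    def inner(seed, s):                       # look for a path from s back to seed
        for t in succ(s):
            if t == seed:
                return [s]
            if t not in seen_inner:
                seen_inner.add(t)
                cyc = inner(seed, t)
                if cyc is not None:
                    return [s] + cyc
        return None

    def outer(s):
        seen_outer.add(s)
        path.append(s)
        for t in succ(s):
            if t not in seen_outer:
                found = outer(t)
                if found is not None:
                    return found
        if accepting(s):
            seen_inner.add(s)
            cyc = inner(s, s)
            if cyc is not None:
                return list(path[:-1]), cyc
        path.pop()
        return None

    return outer(init)


def model_check(k_succ, k_label, k_init, nba):
    """K, s ⊨ Φ iff L((K, s) × A¬Φ) = ∅.  Returns None when the property holds,
    otherwise the counterexample run as (prefix, cycle) lists of Kripke states."""
    succ = product_successors(k_succ, k_label, nba)
    lasso = accepting_lasso((k_init, nba["init"]), succ,
                            lambda ps: ps[1] in nba["accepting"])
    if lasso is None:
        return None
    prefix, cycle = lasso
    return [s for s, _ in prefix], [s for s, _ in cycle]


if __name__ == "__main__":
    print("safety  :", model_check(K_SUCC, K_LABEL, K_INIT, NOT_SAFETY))
    print("liveness:", model_check(K_SUCC, K_LABEL, K_INIT, NOT_LIVENESS))
```

On this structure the safety property holds (the product never reaches q1, so its language is empty), while the liveness property fails with the counterexample s0 s1 (s1)^ω: A raises its flag and is then never scheduled into the critical region. That is the classic unfair schedule; a model checker such as SPIN would only reject it under an explicit fairness assumption, which is the "more complicated" case the earlier slide alludes to.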
Vending machines
  V1 def= 5k.5k.( coffee.collect.V1 + tea.collect.V1 )
  V3 def= 5k.5k.coffee.collect.V3 + 5k.5k.tea.collect.V3
(figure: the transition graphs with actions 5k, coffee, tea, collect)
Vending machines - cont.
  V1 def= 5k.5k.( coffee.collect.V1 + tea.collect.V1 )
  V2 def= 5k.5k.coffee.collect.V2 + 5k.5k.tea.collect.V2
(figure: V1 has a single 5k.5k path and then the choice between coffee and tea; V2 branches already on the first 5k into two 5k paths, one offering only coffee and one only tea; both return to the start via collect)
Branching time
LTL does not make a difference between the two trees
  coin.(coffee + tea)        (one coin-branch, then the choice)
  coin.coffee + coin.tea     (the choice is made with the coin)
(figure: both trees have the same runs coin coffee and coin tea)
CTL (Computation Tree Logic)
  φ ::= P | ¬φ | φ1 ∧ φ2 | EX φ | AX φ | E(φ1 U φ2) | A(φ1 U φ2)
Model checking: decide if K, s ⊨ Φ
complexity O(|K| · |Φ|)
(number of pairs (state s, subformula ψ))
Model checking CTL<br />
The ‘most complicated’ subcase: A(φUψ)<br />
ϕ<br />
1<br />
ψ<br />
1<br />
ϕ ϕ<br />
SMV (Symbolic model checking; author Ken McMillan)<br />
http://www-cad.eecs.berkeley.edu/ kenmcmil/smv/<br />
Cadence Berkeley Laboratories<br />
CTL ∗ ... Eφ <str<strong>on</strong>g>with</str<strong>on</strong>g>out restricti<strong>on</strong>s, subsumes LTL, CTL<br />
(model checking PSPACE-complete, as for LTL)<br />
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
1<br />
ψ<br />
Kolloquium Jena, 14 May 2007 52 /<br />
89
Model checking CTL<br />
The ‘most complicated’ subcase: A(φUψ)<br />
ϕ<br />
1<br />
ψ<br />
1<br />
ϕ ϕ<br />
SMV (Symbolic model checking; author Ken McMillan)<br />
http://www-cad.eecs.berkeley.edu/ kenmcmil/smv/<br />
Cadence Berkeley Laboratories<br />
CTL ∗ ... Eφ <str<strong>on</strong>g>with</str<strong>on</strong>g>out restricti<strong>on</strong>s, subsumes LTL, CTL<br />
(model checking PSPACE-complete, as for LTL)<br />
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
0<br />
ψ<br />
Kolloquium Jena, 14 May 2007 52 /<br />
89
Model checking CTL<br />
The ‘most complicated’ subcase: A(φUψ)<br />
ϕ<br />
1<br />
ψ<br />
1<br />
ϕ ϕ<br />
SMV (Symbolic model checking; author Ken McMillan)<br />
http://www-cad.eecs.berkeley.edu/ kenmcmil/smv/<br />
Cadence Berkeley Laboratories<br />
CTL ∗ ... Eφ <str<strong>on</strong>g>with</str<strong>on</strong>g>out restricti<strong>on</strong>s, subsumes LTL, CTL<br />
(model checking PSPACE-complete, as for LTL)<br />
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
0<br />
ψ<br />
Kolloquium Jena, 14 May 2007 52 /<br />
89
Model checking CTL<br />
The ‘most complicated’ subcase: A(φUψ)<br />
ϕ<br />
1<br />
ψ<br />
0<br />
ϕ ϕ<br />
SMV (Symbolic model checking; author Ken McMillan)<br />
http://www-cad.eecs.berkeley.edu/ kenmcmil/smv/<br />
Cadence Berkeley Laboratories<br />
CTL ∗ ... Eφ <str<strong>on</strong>g>with</str<strong>on</strong>g>out restricti<strong>on</strong>s, subsumes LTL, CTL<br />
(model checking PSPACE-complete, as for LTL)<br />
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
0<br />
ψ<br />
Kolloquium Jena, 14 May 2007 52 /<br />
89
Model checking CTL<br />
The ‘most complicated’ subcase: A(φUψ)<br />
ϕ<br />
1<br />
ψ<br />
0<br />
ϕ ϕ<br />
SMV (Symbolic model checking; author Ken McMillan)<br />
http://www-cad.eecs.berkeley.edu/ kenmcmil/smv/<br />
Cadence Berkeley Laboratories<br />
CTL ∗ ... Eφ <str<strong>on</strong>g>with</str<strong>on</strong>g>out restricti<strong>on</strong>s, subsumes LTL, CTL<br />
(model checking PSPACE-complete, as for LTL)<br />
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
0<br />
ψ<br />
Kolloquium Jena, 14 May 2007 52 /<br />
89
Model checking CTL<br />
The ‘most complicated’ subcase: A(φUψ)<br />
ϕ<br />
1<br />
ψ<br />
0<br />
ϕ ϕ<br />
SMV (Symbolic model checking; author Ken McMillan)<br />
http://www-cad.eecs.berkeley.edu/ kenmcmil/smv/<br />
Cadence Berkeley Laboratories<br />
CTL ∗ ... Eφ <str<strong>on</strong>g>with</str<strong>on</strong>g>out restricti<strong>on</strong>s, subsumes LTL, CTL<br />
(model checking PSPACE-complete, as for LTL)<br />
Petr Jančar (TU Ostrava) <str<strong>on</strong>g>Some</str<strong>on</strong>g> <str<strong>on</strong>g>aspects</str<strong>on</strong>g> <str<strong>on</strong>g>of</str<strong>on</strong>g> <str<strong>on</strong>g>verificati<strong>on</strong></str<strong>on</strong>g><br />
0<br />
ψ<br />
Kolloquium Jena, 14 May 2007 52 /<br />
89

Tree automata
Tree automata (not on words but on trees)
[Figure: an expression tree with root ∗, children + and a, and leaves a, a under +]
(q0, ∗) → {(q0, q0), (q0, qa), (qa, q0), (qa, qa)}
(q0, +) → {(q0, q0), (q0, qa), (qa, q0), (qa, qa)}
(qa, a) → {qF}
Finite tree automata:
top-down, bottom-up, nondeterministic, deterministic,
regular tree-languages,
closed wrt ∪, ∩, ¯, ...

More on tree unfoldings
Unfolding of a graph (without dead-ends) ... an infinite tree
binary tree ... { ε, 0, 1, 00, 01, 10, 11, . . . }
[Figure: the binary tree with root ε, children 0 and 1, and grandchildren 00, 01, 10, 11]
Theory S2S (two successors) ... s1(u, u0), s2(u, u1)
φ ::= P(x) | x ∈ X | s1(x, y) | s2(x, y) | ¬φ | φ1 ∧ φ2 | ∃x φ | ∃X φ
x −→∗ y ... expressible in S2S (but not in first order)

Decidability of S2S
A tree t (whose vertices are) labelled by elements of 2^{P1,P2,...,Pn}
t |=V φ
t |= φ for closed φ
|= φ ... φ valid (¬φ unsatisfiable)
M. Rabin (late 1960s): Büchi-like tree automaton;
not closed wrt complementation
more powerful Rabin (tree) automata closed wrt ∪, ∩, and ¯
(complementation difficult)
(No hope for determinization: T∃a)
|= Φ iff T(A¬Φ) = ∅

µ-calculus
Kozen, Pratt (1980s)
Bradfield, Emerson, Stirling, Vardi, Walukiewicz, ...
µ-calculus ... modal logic with fixpoints
φ ::= P | X | ¬φ | φ1 ∧ φ2 | 〈a〉φ | µX.φ
each X in the scope of an even number of negations
Examples:
µX.P ∨ 〈−〉X (reaches P (in finitely many steps))
νX.〈a〉X (can perform a forever)
An interesting problem:
model checking µ-calculus (K, s |= Φ)
in NP ∩ co-NP
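An added example (not from the slides): a µ-calculus evaluator over a constructed labelled transition system, computing the slide's two formulas by fixpoint iteration; it also evaluates µX.〈a〉X beside νX.〈a〉X to show why the choice of least or greatest fixpoint matters. The LTS, its state names and the proposition P are assumptions.

```python
# Constructed LTS (not from the slides): states s0..s3, actions a and b, proposition P at s2.
TRANS = {
    "s0": {("a", "s1")},
    "s1": {("a", "s0"), ("b", "s2")},
    "s2": {("b", "s2")},
    "s3": {("a", "s3")},
}
PROPS = {"s0": set(), "s1": set(), "s2": {"P"}, "s3": set()}
LTS = (set(TRANS), TRANS, PROPS)


def sem(L, f, env=None):
    """States of L satisfying f. Formulas are nested tuples over the slide's grammar
    ("P", p) | ("X", x) | ("not", f) | ("and", f, g) | ("dia", a, f) | ("mu", x, f) | ("nu", x, f)
    plus the derived ("or", f, g); the action "-" in ("dia", "-", f) stands for 〈−〉 (any action).
    Fixpoints are computed by Knaster-Tarski iteration, which is justified by the grammar's
    requirement that every X occurs under an even number of negations (monotonicity)."""
    S, trans, props = L
    env = env or {}
    op = f[0]
    if op == "P":
        return {s for s in S if f[1] in props[s]}
    if op == "X":
        return env[f[1]]
    if op == "not":
        return S - sem(L, f[1], env)
    if op == "and":
        return sem(L, f[1], env) & sem(L, f[2], env)
    if op == "or":
        return sem(L, f[1], env) | sem(L, f[2], env)
    if op == "dia":
        T = sem(L, f[2], env)
        return {s for s in S if any(f[1] in ("-", a) and t in T for a, t in trans[s])}
    if op in ("mu", "nu"):
        cur = set() if op == "mu" else set(S)   # least fixpoint from below, greatest from above
        while True:
            nxt = sem(L, f[2], {**env, f[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


# The two example formulas of the slide.
REACHES_P = ("mu", "X", ("or", ("P", "P"), ("dia", "-", ("X", "X"))))   # µX.P ∨ 〈−〉X
A_FOREVER = ("nu", "X", ("dia", "a", ("X", "X")))                        # νX.〈a〉X
A_FOREVER_MU = ("mu", "X", ("dia", "a", ("X", "X")))                     # µX.〈a〉X: always empty

if __name__ == "__main__":
    print("reaches P:", sorted(sem(LTS, REACHES_P)))      # s0, s1, s2
    print("a forever:", sorted(sem(LTS, A_FOREVER)))      # s0, s1, s3
    print("mu variant:", sorted(sem(LTS, A_FOREVER_MU)))  # [] (no finite witness for an infinite a-path)
```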

Parity games (in NP and co-NP)
[Figure: a lift shaft with floors 1, 2, 3, 4, 5, 6, 7, ..., n]
“A lift game for 2 players”
(a directed graph with ordered nodes;
the nodes are partitioned into red and blue;
each node has out-degree ≥ 1)
in red nodes (floors), player RED chooses the next node (floor)
in blue nodes (floors), player BLUE chooses the next node (floor)
The player winning an infinite play is determined by
the colour of the lowest node (floor) visited infinitely often
Who has a winning strategy where?
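An added example (not from the slides): Zielonka's recursive attractor algorithm applied to a constructed six-floor lift game, with the winner of an infinite play fixed by the colour of the lowest floor visited infinitely often, exactly as the slide defines it. The floors, their owners and the moves are assumptions.

```python
RED, BLUE = "red", "blue"

# Constructed lift game (not from the slides): owner colour of each floor and the floors
# reachable from it (every floor has out-degree >= 1, as the slide requires).
OWNER = {1: RED, 2: RED, 3: RED, 4: BLUE, 5: BLUE, 6: RED}
MOVES = {1: {1}, 2: {3}, 3: {2, 4}, 4: {1, 5}, 5: {4, 6}, 6: {5, 3}}


def other(colour):
    return BLUE if colour == RED else RED


def attractor(target, colour, floors):
    """Floors of the subgame `floors` from which `colour` can force the play into `target`:
    its own floors with some move into the set, the opponent's floors with all moves into it."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v in floors - attr:
            succ = MOVES[v] & floors          # moves leaving the subgame do not count
            if (OWNER[v] == colour and succ & attr) or (OWNER[v] != colour and succ <= attr):
                attr.add(v)
                changed = True
    return attr


def solve(floors):
    """Zielonka's algorithm: returns (floors won by RED, floors won by BLUE).
    The lowest floor decides an infinite play, so the recursion peels off the lowest floor:
    if its owner wins everything outside the attractor of that floor, it wins the whole subgame;
    otherwise the opponent's attractor of its winning region is removed and the rest is re-solved."""
    if not floors:
        return set(), set()
    low = min(floors)
    col = OWNER[low]
    red_rest, blue_rest = solve(floors - attractor({low}, col, floors))
    opp_wins = blue_rest if col == RED else red_rest
    if not opp_wins:
        return (set(floors), set()) if col == RED else (set(), set(floors))
    lost = attractor(opp_wins, other(col), floors)
    red, blue = solve(floors - lost)
    return (red, blue | lost) if col == RED else (red | lost, blue)


def winning_regions():
    return solve(set(MOVES))


if __name__ == "__main__":
    red, blue = winning_regions()
    print("RED wins from", sorted(red), "- BLUE wins from", sorted(blue))  # {1, 2, 3, 6} / {4, 5}
```

From floor 3 RED wins by cycling between floors 2 and 3 (lowest floor 2 is red), while BLUE wins from 4 by cycling between 4 and 5 and never taking the move to floor 1.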

Specification; process algebras
Operational semantics of some process constructs
Action Prefix: a.E
  a.E −a→ E   (no premises)
Choice: E + F
  from E −a→ E′ infer E + F −a→ E′
  from F −a→ F′ infer E + F −a→ F′
Σ{Ei : i ∈ I}
  from Ej −a→ F infer Σ{Ei : i ∈ I} −a→ F   (j ∈ I)

Process algebras - cont.
Nil: 0 def= Σ∅
  No transitions for 0 — no rules
Process Definition: X def= E
  from E −a→ F infer X −a→ F   (X def= E)

Synchronisation Merge
  from E −a→ E′ infer E||F −a→ E′||F   (a ∉ L(F))
  from E −a→ E′ and F −a→ F′ infer E||F −a→ E′||F′   (a ∈ L(E) ∩ L(F))
  from F −a→ F′ infer E||F −a→ E||F′   (a ∉ L(E))
A process E is equipped with an associated synchronisation sort L(E).
Concurrent processes must synchronise on actions common to their respective sorts.

Example: a railway level crossing (from Faron Moller)
[Figure: the crossing of Rail (actions train, tcross) and Road (actions car, ccross), with the actions up, down, green, red]

Railway Components
[Figure: the Road and Rail cycles as labelled transition systems]
Road def= car.up.ccross.down.Road
L(Road) = {car, ccross, up, down}
Rail def= train.green.tcross.red.Rail
L(Rail) = {train, tcross, green, red}

Railway Components - cont.
[Figure: the Controller as a labelled transition system]
Controller def= green.red.Controller + up.down.Controller
L(Controller) = {green, red, up, down}

The Complete Railway System
Crossing def= Road || Controller || Rail
[Figure: the labelled transition systems of Road, Controller and Rail, and of their composition Crossing (actions car, train, up, down, green, red, ccross, tcross)]
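An added example (not from the slides or from Moller's original): the three components above, composed by the synchronisation merge rules of the earlier slide, with a reachability check that no reachable state of Crossing enables both ccross and tcross; the same check on Road || Rail without the Controller finds the unsafe state. State names and the helper functions are assumptions.

```python
# A process is (transitions, initial state, sort); transitions map a state to a set of (action, next).

def cycle(name, actions):
    """name def= a1.a2. ... .ak.name (action prefix + process definition); states are (name, i)."""
    k = len(actions)
    trans = {(name, i): {(a, (name, (i + 1) % k))} for i, a in enumerate(actions)}
    return trans, (name, 0), frozenset(actions)


ROAD = cycle("Road", ["car", "up", "ccross", "down"])
RAIL = cycle("Rail", ["train", "green", "tcross", "red"])
# Controller def= green.red.Controller + up.down.Controller is a choice, so it is written out by hand.
CONTROLLER = (
    {"C": {("green", "C_green"), ("up", "C_up")}, "C_green": {("red", "C")}, "C_up": {("down", "C")}},
    "C",
    frozenset({"green", "red", "up", "down"}),
)


def merge(E, F):
    """E || F by the synchronisation merge rules, with L(E||F) = L(E) ∪ L(F);
    only the product states reachable from the initial pair are constructed."""
    tE, iE, LE = E
    tF, iF, LF = F
    trans, start = {}, (iE, iF)
    todo, seen = [start], {start}
    while todo:
        e, f = todo.pop()
        out = set()
        for a, e2 in tE[e]:
            if a not in LF:                                   # a ∉ L(F): E moves alone
                out.add((a, (e2, f)))
            else:                                             # a ∈ L(E) ∩ L(F): F must move too
                out |= {(a, (e2, f2)) for b, f2 in tF[f] if b == a}
        for a, f2 in tF[f]:
            if a not in LE:                                   # a ∉ L(E): F moves alone
                out.add((a, (e, f2)))
        trans[(e, f)] = out
        for _, nxt in out:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return trans, start, LE | LF


CROSSING = merge(merge(ROAD, CONTROLLER), RAIL)   # Crossing def= Road || Controller || Rail


def enabled(proc, state):
    return {a for a, _ in proc[0][state]}


def states_enabling_both(proc, a, b):
    """Reachable states from which both a and b are possible; empty means they never compete."""
    return [s for s in proc[0] if {a, b} <= enabled(proc, s)]


if __name__ == "__main__":
    print(len(CROSSING[0]), "reachable states of Crossing")                          # 12
    print("car and train cross together:", states_enabling_both(CROSSING, "ccross", "tcross"))  # []
    unguarded = merge(ROAD, RAIL)                                                     # no Controller
    print("without the Controller:", states_enabling_both(unguarded, "ccross", "tcross"))  # one state
```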

Behavioural equivalences and preorders; simulation
Does a system implement another one? Are they equivalent?
(system = labelled transition system)
Language (trace) equivalence is often too coarse
[Figure: two vending machines; in one, the coin move branches into a state offering only coffee and a state offering only tea; in the other, a single coin move leads to a state offering both coffee and tea]
A binary relation R over STATES is a simulation if
whenever (s, t) ∈ R then for every action a
if s −a→ s′ then t −a→ t′ for some t′ such that (s′, t′) ∈ R.
s is simulated by t if there is a simulation R ∋ (s, t).
The union of (all) simulations is the (maximal) simulation
(the greatest fixpoint)

Bisimulation equivalence
Milner, Park (1980s)
A binary relation R over STATES is a bisimulation if
it is a symmetric simulation, i.e.
whenever (s, t) ∈ R then for every action a
if s −a→ s′ then t −a→ t′ for some t′ such that (s′, t′) ∈ R.
whenever (s, t) ∈ R then for every action a
if t −a→ t′ then s −a→ s′ for some s′ such that (s′, t′) ∈ R.
s is bisimilar with t if there is a bisimulation R ∋ (s, t).
The union of (all) bisimulations is the (maximal) bisimulation
(the bisimulation equivalence).
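An added example (not from the slides): the maximal simulation and the maximal bisimulation computed as greatest fixpoints over a constructed LTS containing the two vending machines of the simulation slide, compared with their traces. The state names m0..m3 and n0..n4 are assumptions.

```python
from itertools import product

# Constructed LTS: both vending machines of the slide, with disjoint state names.
# Machine M: after one coin, a single state offers coffee and tea.
# Machine N: the coin move is non-deterministic; each branch offers only one drink.
TRANS = {
    "m0": {("coin", "m1")}, "m1": {("coffee", "m2"), ("tea", "m3")}, "m2": set(), "m3": set(),
    "n0": {("coin", "n1"), ("coin", "n2")}, "n1": {("coffee", "n3")}, "n2": {("tea", "n4")},
    "n3": set(), "n4": set(),
}
STATES = set(TRANS)


def matched(s, t, R):
    """Every move s -a-> s' is answered by some t -a-> t' with (s', t') in R."""
    return all(any(b == a and (s2, t2) in R for b, t2 in TRANS[t]) for a, s2 in TRANS[s])


def greatest_relation(symmetric):
    """Greatest fixpoint: start from STATES x STATES and delete every pair that violates the
    (bi)simulation condition until nothing changes. A deleted pair can never be re-admitted,
    so the result is the union of all (bi)simulations: the maximal simulation for
    symmetric=False, the bisimulation equivalence for symmetric=True."""
    R = set(product(STATES, STATES))
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            if not (matched(s, t, R) and (not symmetric or matched(t, s, R))):
                R.discard((s, t))
                changed = True
    return R


def traces(s, depth):
    """Action sequences of length <= depth from s (trace semantics)."""
    out = {()}
    if depth > 0:
        for a, s2 in TRANS[s]:
            out |= {(a,) + w for w in traces(s2, depth - 1)}
    return out


SIM = greatest_relation(symmetric=False)
BISIM = greatest_relation(symmetric=True)

if __name__ == "__main__":
    print("same traces:", traces("m0", 3) == traces("n0", 3))   # True: trace equivalence is too coarse
    print("n0 simulated by m0:", ("n0", "m0") in SIM)             # True
    print("m0 simulated by n0:", ("m0", "n0") in SIM)             # False: n0 must commit at the coin
    print("m0 bisimilar with n0:", ("m0", "n0") in BISIM)         # False
```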

Linear Time / Branching Time Spectrum
[Figure: the spectrum of equivalences, from the finest at the top to the coarsest at the bottom]
Bisimulation equivalence
2-nested simulation equivalence
Ready simulation equivalence
Possible-futures equivalence / Ready trace equivalence
Readiness equivalence / Failure trace equivalence
Failures equivalence
Completed trace equivalence
Trace equivalence
(also in the diagram: Simulation equivalence)

Minsky counter machines
A Minsky counter machine C is given by
a fixed number of (nonnegative integer) counters c1, c2, . . . , cm
a program (in fact, a set of labelled instructions)
1 : com1; 2 : com2; ...... ; n : comn, where
comn is the instruction HALT
comi (i = 1, 2, ..., n − 1) are commands of two types:
cj := cj + 1; goto k
if cj = 0 then goto k1 else (cj := cj − 1; goto k2)

Undecidability of behavioural equivalences for Petri nets
Fact.
It is undecidable if a 2-counter machine C halts on the zero input (i.e.,
when starting with c1 = c2 = 0).
Jančar 1994: an algorithm A so that
C −→ A −→ N1^C, N2^C
if C halts (on zero input) then the behaviours of N1^C, N2^C differ
‘drastically’ (one can perform a trace which the other cannot)
if C does not halt then the behaviours of N1^C, N2^C are the same
in a strict sense (the nets are bisimilar)

Reduction of halting problem to Petri net equivalences
[Figure: a Petri net with counter places c1, c2 and control places s1, s2, . . . , s6, . . . , sn; the animation adds tokens and the places p1, p2]

Reduction - cont.
[Figure: net diagram continuing the reduction]

Simulation on one-counter nets - semilinear
p(m) is not simulated by q(n) ... red
p(m) is simulated by q(n) ... black
[Figure: the grid of pairs (m, n), m = 0, 1, 2, . . . on the horizontal axis and n = 0, 1, . . . on the vertical axis, each point coloured red or black; one region marked ??]

Bisimilarity over ‘context-free’ processes decidable
Context-free grammar (in Greibach NF)
finitely many rules of the type A1 → aB1B2 . . . Bk
Processes BPA (sequential)
A1A2 . . . An −a→ B1B2 . . . BkA2 . . . An
[Figure: the transition graph generated by such steps, with edges labelled a, b, . . .]
Processes BPP (parallel)
A1 −a→ B1B2 . . . Bk
Christensen, Hirshfeld, Moller (1993): decidable (nonprimitive recursive upper bound)
Srba (2002): PSPACE-hard
Jančar (2003): PSPACE-complete

DPDA language equivalence, PDA bisimilarity
G. Sénizergues (1997, 2001)
The language equivalence problem for deterministic pushdown automata is decidable
C. Stirling (2002)
Simplified the proof substantially, and showed that it is primitive recursive
———
G. Sénizergues (1998, 2005)
Decidability of bisimulation equivalence for equational graphs of finite out-degree.
———
An open problem (a possible extension to Type -1 systems) solved negatively:
Jančar, Srba: Undecidability results for bisimilarity on prefix rewrite systems (FoSSaCS 2006)

Bisimulation game
2 Players: Attacker and Defender
Game board: a labelled transition system
Rules for playing from an initial position (s0, t0):
REPEAT
in the current position (s, t)
Attacker performs a move from one of the states s, t
(either s −a→ s′ or t −a→ t′); if not possible, Defender has won.
Defender responds by a move from the other state, labelled by the
same action a; thus a new position (s′, t′) arises.
If Defender cannot respond, Attacker has won.
Any infinite play is viewed as Defender’s winning.
Fact: s0 ∼ t0 iff Defender has a winning strategy from (s0, t0).
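An added example (not from the slides): the bisimulation game played out by a bounded search on a constructed board, the two vending machines of the simulation slide, returning Attacker's winning move where one exists; the Fact above is used to decide bisimilarity, with the number of positions as the round bound. State names and the helper functions are assumptions.

```python
from functools import lru_cache

# Game board (constructed): the two vending machines of the simulation slide as one LTS.
TRANS = {
    "m0": {("coin", "m1")}, "m1": {("coffee", "m2"), ("tea", "m3")}, "m2": set(), "m3": set(),
    "n0": {("coin", "n1"), ("coin", "n2")}, "n1": {("coffee", "n3")}, "n2": {("tea", "n4")},
    "n3": set(), "n4": set(),
}


def answers(state, action):
    """Defender's possible replies: the moves from `state` labelled by `action`."""
    return [nxt for b, nxt in TRANS[state] if b == action]


@lru_cache(maxsize=None)
def attacker_wins(s, t, rounds):
    """True iff Attacker can force a win from position (s, t) within `rounds` rounds.
    One round: Attacker moves from s or from t with some action a; Defender must answer with an
    a-move from the other state. No answer means Attacker has won, otherwise the play continues
    in the new position. Positions are unordered: (s', t') and (t', s') are the same game."""
    if rounds == 0:
        return False               # budget exhausted: treated as an infinite play, Defender's win
    for mover, other in ((s, t), (t, s)):
        for a, m2 in TRANS[mover]:
            # all() is vacuously true when Defender has no answer at all
            if all(attacker_wins(m2, o2, rounds - 1) for o2 in answers(other, a)):
                return True
    return False                   # also covers "Attacker cannot move": Defender has won


def attacker_move(s, t, rounds):
    """A winning Attacker move at (s, t), as (state moved from, action, state moved to), or None."""
    if rounds > 0:
        for mover, other in ((s, t), (t, s)):
            for a, m2 in TRANS[mover]:
                if all(attacker_wins(m2, o2, rounds - 1) for o2 in answers(other, a)):
                    return (mover, a, m2)
    return None


def bisimilar(s, t):
    """The slide's Fact: s ~ t iff Defender has a winning strategy. On a finite board an
    Attacker win, if one exists, needs at most one round per position, so |STATES|^2 rounds suffice."""
    return not attacker_wins(s, t, len(TRANS) ** 2)


if __name__ == "__main__":
    print("Attacker's opening at (m0, n0):", attacker_move("m0", "n0", 2))  # ('m0', 'coin', 'm1')
    print("m0 ~ n0:", bisimilar("m0", "n0"))                                 # False
    print("m1 ~ m1:", bisimilar("m1", "m1"))                                 # True (Defender copies)
```

After Attacker's coin move from m0, whichever of n1, n2 Defender chooses, Attacker next plays the drink that branch cannot offer, so the win takes two rounds and is impossible in one.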

Pushdown graphs; generated by Type 0 systems
Rules: pX −b→ pXA, pX −c→ qε, qA −a→ qε
[Figure: the generated graph: pX −b→ pXA −b→ pXAA −b→ pXAAA . . ., with c-edges from each pXA…A to qA…A, and a-edges qAAA −a→ qAA −a→ qA −a→ qε]
Type 0 system: finite sets of rules w1 −a→ w2
(the same class of generated graphs)
An involved result: Bisimilarity is decidable
(Sénizergues (1998, 2005), then Stirling)

Type -1 systems; rules R −a→ w
Rules: X −b→ XA, XA∗ −c→ ε, A −a→ ε
[Figure: the generated graph: X −b→ XA −b→ XAA −b→ XAAA . . ., with c-edges from each XA…A to its suffixes A…A (including ε), and a-edges AAA −a→ AA −a→ A −a→ ε]
Stirling, Sénizergues: is bisimilarity decidable?
Sénizergues’ decidability result for equational graphs of finite out-degree
(equivalent to the case R −a→ w with prefix-free R)
Maybe in the normed case?
(u is normed if each path from u can be prolonged to reach ε)
Hierarchy of prefix rewriting

  Type           Form of rewrite rules
  Type -2        R1 −a→ R2
  Type -1a/-1b   R −a→ w  /  w −a→ R
  Type 0         w −a→ w′
  Type 1½        pX −a→ qw
  Type 2         X −a→ w
  Type 3         X −a→ Y,  X −a→ ε

[Diagram: the hierarchy from the most general to the most restricted class of generated graphs:
Type -2; Type -1a and Type -1b (two branches); Type 0 = Type 1½; Type 2; Type 3.]

Our results

  Type                    Normed processes        Unnormed processes
  Type -2                 Σ¹₁-complete            Σ¹₁-complete
  Type -1b                Π⁰₁-complete            Σ¹₁-complete
  Type -1a                Π⁰₁-complete            Π⁰₁-complete
  Type 0, and Type 1½     decidable,              decidable,
                          EXPTIME-hard            EXPTIME-hard
  Type 2                  ∈ P, P-hard             ∈ 2-EXPTIME (?), PSPACE-hard
  Type 3                  P-complete              P-complete

The main new result: Bisimilarity is undecidable on Type -1a systems.

Inf-PCP (a version of Post Correspondence Problem)

A PCP-instance:
  u1 u2 . . . un
  v1 v2 . . . vn
ui, vi: nonempty words in an alphabet

An infinite initial solution: a sequence i1, i2, i3, . . . from {1, 2, . . . , n} such
that i1 = 1 and u_{i1} u_{i2} u_{i3} u_{i4} · · · = v_{i1} v_{i2} v_{i3} v_{i4} · · ·

Given a Turing machine M, with instructions (q0, a) → (q1, b, +1), . . . ,
and an input word, say w = aabab, we can construct a PCP-instance so
that: M does not halt on w ⇐⇒ there is an infinite initial solution.

Pairs (ui, vi) of the constructed instance, here for the instruction (q0, a) → (q1, b, +1):
  ui:   #           q0a   a   b   . . .
  vi:   #q0aabab#   bq1   a   b   . . .
The v-side runs one configuration ahead of the u-side; a solution is built step by step:
  u-side:  #            #q0a            #q0aa            #q0aab . . .
  v-side:  #q0aabab#    #q0aabab#bq1    #q0aabab#bq1a    #q0aabab#bq1ab . . .

So neg-HP (the complement of the halting problem) is reducible to inf-PCP; inf-PCP is Π⁰₁-complete.
Note: we can even require |ui| ≤ |vi|

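The construction sketched on this slide, carried out in code as an added example that is not part of the talk: build_pcp builds the pairs (ui, vi) from a Turing machine given as a table of instructions (q, a) → (q′, b, ±1), prefix_ok checks that u_{i1} · · · u_{im} is a prefix of v_{i1} · · · v_{im} for every m, and find_solution_prefix searches for an initial solution prefix of a given length. The construction is the classic one (the v-side runs one configuration ahead, configurations are separated by #, the tape is extended by a blank on demand) and assumes, as usual, that the machine never moves left at the left end of its one-way infinite tape; the two machines, the input words and all names are constructed for this example.

```python
# Added example: Turing machine -> inf-PCP, the classic construction.
# Assumption (constructed example): the machine never moves left at the left
# end of its one-way infinite tape; a missing instruction means it halts.
BLANK = "_"


def build_pcp(delta, q0, w, tape_alphabet):
    """delta maps (state, symbol) -> (new_state, written_symbol, direction),
    direction +1 (right) or -1 (left). Returns the list of pairs (u_i, v_i);
    pair 1 is the initial pair."""
    symbols = sorted(set(tape_alphabet) | {BLANK})
    pairs = [("#", "#" + q0 + w + "#")]                 # pair 1: u = #, v = #q0w#
    for (q, a), (q2, b, d) in delta.items():
        if d == +1:
            pairs.append((q + a, b + q2))               # q a  ->  b q'   (head moves right)
        else:
            for c in symbols:                           # c q a  ->  q' c b  (head moves left)
                pairs.append((c + q + a, q2 + c + b))
    for c in symbols:
        pairs.append((c, c))                            # tape contents are copied
    pairs.append(("#", "#"))                            # separator: next configuration
    pairs.append(("#", BLANK + "#"))                    # separator, tape extended by a blank
    return pairs


def prefix_ok(pairs, seq):
    """For every m, u_{i1}...u_{im} must be a prefix of v_{i1}...v_{im}
    (seq is 1-based and must start with the initial pair 1)."""
    if not seq or seq[0] != 1:
        return False
    U = V = ""
    for i in seq:
        u, v = pairs[i - 1]
        U, V = U + u, V + v
        if not V.startswith(U):
            return False
    return True


def find_solution_prefix(pairs, length):
    """Depth-first search for an initial solution prefix of the given length,
    keeping prefix_ok after every step. Pair 1 is used only at the start; for
    this construction that loses nothing, since a non-halting run yields a
    solution that never reuses it. Returns the index list or None."""
    def go(seq, U, V):
        if len(seq) == length:
            return seq
        for i in range(2, len(pairs) + 1):
            u, v = pairs[i - 1]
            if (V + v).startswith(U + u):
                found = go(seq + [i], U + u, V + v)
                if found is not None:
                    return found
        return None
    u1, v1 = pairs[0]
    return go([1], u1, v1) if v1.startswith(u1) else None


def configurations(pairs, seq):
    """The configurations M went through, read off the v-side of a solution prefix."""
    V = "".join(pairs[i - 1][1] for i in seq)
    return [c for c in V.split("#") if c]


# Constructed machines over the tape alphabet {a, b} (plus the blank).
# RUNNER walks right forever, so it never halts on any input.
RUNNER = {("q0", c): ("q0", c, +1) for c in ("a", "b", BLANK)}
# STOPPER turns a's into b's, steps left once when it meets a b, then halts
# (q2 has no instructions); on input "aab" it halts after 3 steps.
STOPPER = {("q0", "a"): ("q1", "b", +1),
           ("q1", "a"): ("q1", "b", +1),
           ("q1", "b"): ("q2", "b", -1)}

if __name__ == "__main__":
    looping = build_pcp(RUNNER, "q0", "ab", "ab")
    sol = find_solution_prefix(looping, 100)
    print("RUNNER: solution prefix of length 100 found:", sol is not None)
    print("        simulated configurations:", configurations(looping, sol)[:4])
    halting = build_pcp(STOPPER, "q0", "aab", "ab")
    print("STOPPER: solution prefix of length 100 found:",
          find_solution_prefix(halting, 100) is not None)
```

For the looping machine every depth is reached, and the simulated configurations can be read off the v-side; for the halting machine the search dies after a bounded number of pairs, which is exactly the Π⁰₁ flavour of inf-PCP: a "no" is certified only by exhausting all extensions, a "yes" only in the limit.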
Inf-PCP is reducible to bisimilarity on (normed) Type -1a

  u1 u2 . . . un
  v1 v2 . . . vn
ui, vi ∈ {A, B}⁺, |ui| ≤ |vi|

Observation: The following conditions are equivalent
  u_{i1} u_{i2} u_{i3} · · · = v_{i1} v_{i2} v_{i3} · · ·
  ∀m: u_{i1} u_{i2} · · · u_{im} is a prefix of v_{i1} v_{i2} · · · v_{im}
  ∀m: (u_{i1} u_{i2} · · · u_{im})^R is a suffix of (v_{i1} v_{i2} · · · v_{im})^R
  ∀m: (u_{im})^R (u_{im−1})^R · · · (u_{i1})^R is a suffix of (v_{im})^R (v_{im−1})^R · · · (v_{i1})^R

A game: Defender stepwise generates a sequence . . . I_{im} . . . I_{i3} I_{i2} I_{i1} (with i1 = 1)
Attacker has a possibility to stop this process and win whenever
(u_{im})^R (u_{im−1})^R · · · (u_{i1})^R is not a suffix of (v_{im})^R (v_{im−1})^R · · · (v_{i1})^R

Implementation of the game; generating rules

  X −c→ Y
  X −c→ Yi,   X′ −c→ Yi           for all i ∈ {1, 2, . . . , n}
  Yi −i→ X′ Ii,   Y −i→ X Ii      for all i ∈ {1, 2, . . . , n}
  Yi −j→ X Ij                      for all i, j ∈ {1, 2, . . . , n}, i ≠ j

[Figure: from X I1 ⊥ the c-moves lead to Y I1 ⊥ and to the Yi I1 ⊥ (e.g. Y8 I1 ⊥); from X′ I1 ⊥ only to the Yi I1 ⊥.
From Y I1 ⊥ the moves labelled 5 and 8 lead to X I5 I1 ⊥ and X I8 I1 ⊥;
from Y8 I1 ⊥ the move 5 leads to X I5 I1 ⊥ and the move 8 to X′ I8 I1 ⊥.]

Switch-to-checking rules

  X I7 I15 I3 I8 I1 ⊥                          X′ I7 I15 I3 I8 I1 ⊥
  (u7)^R (u15)^R (u3)^R (u8)^R (u1)^R          (v7)^R (v15)^R (v3)^R (v8)^R (v1)^R

  X −d→ C
  X (I*) Ii −d→ C′ w,   X′ (I*) Ii −d→ C′ w    for all i ∈ {1, 2, . . . , n}
                                               and all suffixes w of vi^R
Notation: I* stands for (I1 + I2 + · · · + In)*

[Figure: X I7 I15 I3 I8 I1 ⊥ −d→ C I7 I15 I3 I8 I1 ⊥ and X′ I7 I15 I3 I8 I1 ⊥ −d→ C′ w I8 I1 ⊥
(the prefix X′ I7 I15 I3 is rewritten, i.e. the rule is used with i = 3 and a suffix w of v3^R).]

Checking rules

  C I7 I15 I3 I8 I1 ⊥          C′ w I8 I1 ⊥
We want to guarantee: C I7 I15 I3 I8 I1 ⊥ is bisimilar to C′ w I8 I1 ⊥
  iff
  (u7)^R (u15)^R (u3)^R (u8)^R (u1)^R = w (v8)^R (v1)^R

  C A −a→ C                       C′ A −a→ C′
  C B −b→ C                       C′ B −b→ C′
  C ⊥ −e→ ε                       C′ ⊥ −e→ ε
  C Ii −h(ui^R)→ C tail(ui^R)     C′ Ii −h(vi^R)→ C′ tail(vi^R)     for all i ∈ {1, 2, . . . , n}

Notation. h(w) = a when head(w) = A, h(w) = b when head(w) = B

Summary of the reduction: inf-PCP → bisimilarity on Type -1a

  u1 u2 . . . un
  v1 v2 . . . vn      −→   generating rules, switch-to-checking rules, checking rules

There is an infinite initial solution ⇐⇒ X I1 ⊥ is bisimilar with X′ I1 ⊥
(Moreover: X I1 ⊥, X′ I1 ⊥ are normed processes.)

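Type -1a prefix rewriting (the semantics of the Type -1 slide above: a configuration x = r·y with r in the regular set R has an a-move to w·y, for every such split) together with the generating, switch-to-checking and checking rules of the reduction built from a PCP instance, as an added example that is not part of the talk. Because the configurations reached after the d-move are deterministic and normed, two of them are bisimilar iff they spell the same word on the way to ε; the code uses this to confirm, for a small constructed instance, that Defender can answer Attacker's switch X α −d→ C α exactly when the prefix condition of the Observation holds. The encoding of regular sets as Python regular expressions over space-separated symbol names, the instance and the function names are this example's own.

```python
# Added example: Type -1a prefix rewriting and the rules of the reduction.
# Regular left-hand sides are written as regular expressions over configurations
# given as tuples of symbol names joined by single spaces (example's own encoding).
import re


def successors(rules, conf):
    """A rule (R, a, w) applies to conf = r·y for every split with r in R and
    yields the a-successor w·y. Several splits give several successors."""
    out = []
    for regex, action, rhs in rules:
        for k in range(len(conf) + 1):
            if re.fullmatch(regex, " ".join(conf[:k])):
                out.append((action, rhs + conf[k:]))
    return out


def out_degree(rules, conf, action):
    return sum(1 for a, _ in successors(rules, conf) if a == action)


# The example of the Type -1 slide: X -b-> XA, XA* -c-> ε, A -a-> ε.
# XA* is not prefix-free, so XA^k has k+1 different c-moves (to ε, A, ..., A^k).
RULES_TYPE_MINUS_1 = [("X", "b", ("X", "A")), (r"X(?: A)*", "c", ()), ("A", "a", ())]


def build_reduction_rules(pcp):
    """Rules of the inf-PCP -> bisimilarity reduction for pcp = [(u_1, v_1), ...]
    over {A, B} with |u_i| <= |v_i|. Symbols: X, X', Y, Y1..Yn, I1..In, ⊥, C, C', A, B."""
    n = len(pcp)
    rules = [("X", "c", ("Y",)), ("X", "d", ("C",))]
    for i in range(1, n + 1):
        # generating rules: Defender effectively chooses the next index i
        rules += [("X", "c", (f"Y{i}",)), ("X'", "c", (f"Y{i}",)),
                  (f"Y{i}", str(i), ("X'", f"I{i}")), ("Y", str(i), ("X", f"I{i}"))]
        rules += [(f"Y{i}", str(j), ("X", f"I{j}")) for j in range(1, n + 1) if j != i]
        u_rev, v_rev = pcp[i - 1][0][::-1], pcp[i - 1][1][::-1]
        # switch-to-checking: X (I*) I_i -d-> C' w and X' (I*) I_i -d-> C' w for every
        # suffix w of v_i^R; the choice of the cut point is where R is not prefix-free
        for head in ("X", "X'"):
            for k in range(len(v_rev) + 1):
                rules.append((rf"{head}(?: I\d+)* I{i}", "d", ("C'",) + tuple(v_rev[k:])))
        # checking: C I_i spells u_i^R, C' I_i spells v_i^R (h = first letter, lower case)
        rules += [(f"C I{i}", u_rev[0].lower(), ("C",) + tuple(u_rev[1:])),
                  (f"C' I{i}", v_rev[0].lower(), ("C'",) + tuple(v_rev[1:]))]
    for c in ("C", "C'"):
        rules += [(f"{c} A", "a", (c,)), (f"{c} B", "b", (c,)), (f"{c} ⊥", "e", ())]
    return rules


def spell(rules, conf):
    """Checking-phase configurations are deterministic and normed: follow the
    unique path to ε and return the word of actions. Two such configurations
    are bisimilar iff they spell the same word."""
    word = ""
    while conf:
        moves = successors(rules, conf)
        if len(moves) != 1:
            raise ValueError(f"not deterministic at {conf}: {moves}")
        action, conf = moves[0]
        word += action
    return word


def stack(indices):
    """Defender's sequence i_1, ..., i_m as the stack I_{i_m} ... I_{i_1} ⊥."""
    return tuple(f"I{i}" for i in reversed(indices)) + ("⊥",)


def defender_can_answer_switch(rules, indices):
    """Attacker plays X α -d-> C α; Defender needs some X' α -d-> C' w β bisimilar to C α."""
    alpha = stack(indices)
    target = spell(rules, ("C",) + alpha)
    return any(spell(rules, conf) == target
               for action, conf in successors(rules, ("X'",) + alpha) if action == "d")


def prefix_condition(pcp, indices):
    """The Observation: u_{i1}...u_{im} is a prefix of v_{i1}...v_{im}."""
    U = "".join(pcp[i - 1][0] for i in indices)
    V = "".join(pcp[i - 1][1] for i in indices)
    return V.startswith(U)


# Constructed instance: 1, 2, 2, 2, ... is an infinite initial solution (A BBB... = AB BB...),
# while 1, 2, 1 already violates the prefix condition (ABA is not a prefix of ABBAB).
PCP = [("A", "AB"), ("B", "B")]

if __name__ == "__main__":
    rules = build_reduction_rules(PCP)
    for seq in ([1], [1, 2], [1, 2, 2], [1, 2, 1], [1, 1]):
        print(seq, prefix_condition(PCP, seq), defender_can_answer_switch(rules, seq))
```

The generating phase is not analysed by the code (bisimilarity on the full system is the undecidable problem); what it checks is the lemma behind the switch-to-checking and checking rules, for concrete index sequences.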
Formal methods (formal verification) in industry

In reality, mainly simulation and testing,
but the need for formal methods is felt more and more widely
(need of incorporating them into the software engineering technologies):
complex, distributed, parallel hardware and software
(e.g. in embedded systems a hardware/software mixture)

Brief 'history' of model checking:
1980s (Clarke, Emerson, Sifakis, ...)
  finite state systems (traffic light controller)
1990s
  MC penetrates the hardware industry (Intel, Motorola, ...)
  (also communication protocols, ...)
2000s
  penetration of (infinite state) MC into industry (software)
  R. Leino (Microsoft Research, USA) (AVIS 2005),
  BLAST (Berkeley lazy abstraction software tool), ...

Active research areas

specification formalisms
  (oriented on the user; graphical toolkits, interface for theorem provers, ...)
process calculi (π-calculus, mobile agents, security, typing, ...)
coping with the state explosion
  (data domains, recursion, concurrency, real time, ...)
  reduction (partial order reduction, symmetries [hardware], ...)
  encoding (BDDs, symbolic model checking, ...)
  abstraction (data, predicates, control, ...)
  compositionality
effective algorithms (complexity, decidability)
methods for verification of infinite state systems, parametrized systems
real time systems, hybrid systems, probabilistic systems
heuristics, experiments, ...

Conferences

Some specialized conferences in the area of verification
Tools and Algorithms for the Construction and Analysis of Systems (TACAS)
  (part of the European Joint Conferences on Theory and Practice of Software (ETAPS))
  (TACAS 2006, 12th Int. Conf., March 27-30, Vienna, Austria)
Computer Aided Verification (CAV)
  (CAV 2006, 18th Int. Conf., August 16-21, Seattle, Washington, USA)
Concurrency Theory (CONCUR)
  (CONCUR 2006, 17th Int. Conf., August 27-30, Bonn, Germany)
Automated Technology for Verification and Analysis (ATVA)
  (ATVA 2006, 4th Int. Symposium, October 23-26, Beijing, China)

Textbooks, survey books

Some recent survey books on verification (and related topics)
Clarke E., Grumberg O. and Peled D.: Model Checking, MIT Press 1999
Bergstra J., Ponse A. and Smolka S. (editors): Handbook of Process Algebra, Elsevier 2001
Bérard B. and others (from LSV ENS Cachan, France): Systems and Software Verification, Springer 2001
Peled D.: Software Reliability Methods, Springer 2001
Schneider K.: Verification of Reactive Systems, Springer 2004