Reduce the search space

As the problem is the size of the search space, a number of authors developed methods to limit it. Starting from the paradigm that it is better to focus on a few

2.4. Tackling the State space explosion 29 representative paths rather than analyzing everything. The overall idea is to define an equivalence relation among the paths and to only analyze representatives of each equivalence class. These techniques can be split in three sub-categories:

Partial orders In asynchronous systems (i.e.,communicating concurrent pro-cesses), the behaviors of the system are modeled by the interleavings of the events of the individual processes (e.g., CCS). This is one of the origins of the state space explosion at it generates a factorial (n!) possible interleavings of the local actions. In the best case, when the processes are completely independent (e.g.,no synchronization via shared variables), all interleavings are equivalent as they lead to the same final state. For all equivalent interleavings, it is sufficient to explore one representative. Therefore, it is sufficient to search among the representatives.

This approach leads to important reductions (exponential in the best case). This concept has been used in many flavors denoted as Partial Order Reduction tech-niques [KP89, Pel93, God91, GW94, Val92]. We only describe partial-order re-ductions briefly here. For a more detailled overview on partial-order reduction techniques please refer to [GV03].

A central notion in partial order reduction is the concept of transitions (e.g.,a program statement, a user input) also known as actions. An action may yield many transitions in a Kripke structure depending on the source state from which it is fired.

As a Kripke structure does not tell which transition led to a given state, let us first extend the notion of Kripke structure to the notion of Extended Kripke Structure (EKS). The main difference being that in an EKS the edges between states are labeled with the name of the transition that led from one state to another.

Definition 2.4.1 (Extended Kripke Structure). —AnExtended Kripke Struc-tureis a tupleMEK =hAP,S,L,T,S0iwhere:

• APis a set of atomic propositions usually expressed in propositional logic,

• S is a finite set of states,

• L:S → P(AP) is a labeling function that associates to each state a set of atomic propositions that hold in this state,

• T ⊆ P(S ×S) is a set of transition relations,i.e.,∀α∈T, α⊆ S ×S,

• S₀is the set of initial states of the system.

Besides, we define that:

• A transitionα∈T is enabled in a states∈S, iff∃s⁰ |α(s,s⁰),

30 Chapter 2. State of the art&contribution

• The set of transitions enabled in s ∈ S is noted enabled(s) = {α|αis enabled ins},

• A transition αis deterministic iff ∀s,s⁰,s⁰⁰ ∈ S : (s,s⁰) ∈ α∧(s,s⁰⁰) ∈ α =⇒ s⁰ = s⁰⁰. When αis deterministic we note α(s) = s⁰ instead of α(s,s⁰).

Remark 2.4.1. —In the sequel, we only system that are deterministic. In other words, systems in which∀α∈T,αis a function.

Example 2.4.2. —Let us consider Example2.2.2in which we add a set of tran-sitions A = {α, β, γ} where α stands for “move collimator”, β stands for “start irradiation” andγstands for “stop irradiation”.

s1

{¬C,¬X} s₂ {C,¬X}

s

β β

α γ α

Figure 2.3: AnEKSthat is an extension of Example2.2.2

In order to apply this technique, it is necessary to identify actions that are independent (a.k.a. the diamond property). These are actions that do not enable nor disable each other and for which any order of application yields the same result. In other words, letαandβare two actions (i.e.,transitions), let also sbe a state of the system andenabled(α) be a set of state in which the actionαis enabled thenαandβare independent iff:

α(s)∈enabled(β) (2.4.1)

β(s)∈enabled(α) (2.4.2)

α(β(s))=β(α(s)) (2.4.3)

2.4. Tackling the State space explosion 31 The efficiency of this technique depends on the process autonomy (few synchro-nizations, no shared variables, . . . ) as well as on the fact that the property to check does not depend on the states that have been ignored. It can be proved that the model istrace equivalentand thus LTL\X-equivalent. Where LTL\Xrepresents LTLwith thenextoperator. In order words:

M⁺|= φ_LTL\X ≡ M |=φ_LTL\X

if M⁺ is the fragment of M obtained by ignoring the independent actions and φ_LTL\X is an LTL\X-property. Henceforth, deadlock detection and invariant checks are preserved bypartial order reductions[CGP99].

Example 2.4.3. —In Fig.2.3, the transition (i.e.,actions)αandβare independent and therefore only one of the combinations α(β(s)) or β(α(s)) must be explored.

Exploring only one of the combination does not prevent from exploring all the states of the system and therefore it does not prevent model checking from dis-covering the bad state s3.

Abstractions A system can be modeled at various abstraction levels. The lower the abstraction is, the closer from the actual implementation it is. High abstraction levels ignore details and are therefore easier to understand and to manage. LetM⁺ and M be two models, M⁺ is said to be an abstraction of M, noted M⁺ M if M⁺ is less detailed than M. Besides, M is said to be a refinement of M⁺, noted M M⁺. Provided that the abstraction (this is hopefully easier to check) preserves the property to check we can conclude that:

M⁺|= φ =⇒ M|= φ

Some of the abstraction relations are stronger than others. The strongest form of abstraction preserves bisimulation with respect to a property to check. Bisim-ulation implies to preserve all Computation Tree Logic* (CTL*) properties.

Techniques such as the cone of influence (i.e.,slicing) do preserve bisimulation.

Weaker relations such as simulation and trace equivalence preserve only a subset ofCTL*properties (e.g.,safety properties). Abstraction is arguably the most in-tuitive way to reduce the search space in model checking. This activity happens before (or at the same time) modelization. Two well-known methods of abstrac-tions are:

The cone of influence This technique aims at reducing the number of variables to consider. It starts by selecting only the variables that occur in the property

32 Chapter 2. State of the art&contribution to check and then it recursively adds all the variables that may impact these variables. It can be proved that using slicing techniques, we have

M⁺|= φ_CTL^∗ ≡ M |=φ_CTL^∗

withM⁺the sliced model andφCTL^∗ is a CTL^∗-property [CGP99].

Data abstraction Sometimes, the complex structures and the large domains man-aged by the system do not impact the property to check. Data abstrac-tion consists in mapping the domain of system’s variables to smaller ones.

This technique does not preserve bisimulation and therefore does not pre-serveCTL*properties. It can, however, be prove [CGP99] that it preserves a subset ofCTL*calledA Computation Tree Logic* (ACTL*)that restricts the properties to theAoperator and only allows negation on atomic formula.

We obtain that

M⁺ |=φACTL^∗ =⇒ M |= φACTL^∗

with M⁺ the data abstracted model and φACTL^∗ be an ACTL^∗-property. As the formula suggest, M⁺ 6|= φ_ACTL^∗ does not implies that M 6|= φ_ACTL^∗ and therefore spurious counterexample may be generated. This is due to the ab-straction, as the abstract model has more behaviors than the original model.

To circumvent this problem, the idea is to perform several round-trips: first the abstract model is checked, if a counterexample is returned then it is checked it against the original model. If the counterexample does not vi-olate φ on the original model that it is an artifact of the abstraction and the abstract model should be refined to eliminate this spurious counterex-ample. Then model checking is resumed on the abstract model until the property holds on the original model or the counterexample does really vi-olate the property in the original model. This approach has been described in [CGJ⁺00].

Example 2.4.4. —Obviously, the Therac-25 that is a very complex system com-posed of many variables. Not all variables contribute to the truth value of the property¬C∧X. Therefore, using thecone of influence, the variables of the sys-tem that are taken into account by the model checking activity can be narrowed down to the variables that affect the property and that are required by the actions.

Besides, following thedata abstractionapproach, the domain of the variables that affect the behavior of the system may be reduced without changing the truth value of the property to check (for more details see Section4.6).

2.4. Tackling the State space explosion 33 Symmetries Asynchronous systems often present many similarities among their components. For instance, processes having similar behaviors or data structures can be symmetrically decomposed. More generally, components that have repli-cated structure modulo renaming or minor differences are symmetrically decom-posable. Many techniques have been developed to leverage such structural proper-ties [CEFJ96,ES96]. The idea is that the symmetries exhibited by the system im-ply an equivalence relation that preserves state labeling and the relation between the states (i.e.,equivalence under permutation). Most of the time, the quotient model induced by the transition relation is smaller then the original model. More formally, let MEK = hAP,S,L,T,S₀ibe an extended Kripke structure, the goal is to detect a set of bijectionsΓsuch that∀γ ∈Γ:

∀s₀ ∈S₀, γ(s₀)∈S₀ (2.4.4)

∀hs,ti ∈R,hγ(s), γ(t)i ∈R (2.4.5) The bijectionsγ ∈ Γon the graph of the Kripke structure M are called automor-phisms and they form a group A=hΓ,◦,Idithat induces a quotient structure M⁺. It can be proved [CGP99] that symmetry reductions are bisimulation equivalent and thus they preserve any property expressed inCTL*:

M⁺|=φCTL^∗ ≡ M |=φCTL^∗

where M⁺ is the quotient of M obtained by the automorphismG and φ_CTL^∗ is a CTL^∗-property.

Compositional Reasoning Many IT-systems are composed of different mod-ules running concurrently. The specifications of such systems can often be de-composed with respect to each module. If each module satisfies the part of the specification that it is related to, and the satisfaction of all parts of the specification implies the satisfaction of the whole specification, we deduce that the whole sys-tem satisfies the global specification. As this technique only analyzes local state spaces, it avoids representing the whole Kripke structure and therefore mitigates the state space explosion. The framework to implement compositional reasoning is called assume-guarantee [CGP99]. The idea is, for each module, to express assumptions it makes about the other modules and, in return, guarantees it offers about its own behavior. Based on that, we can generate a proof system in which assumptions is what we verify and conclusions are the properties we want to check (i.e.,divide and conquer). In other words, letAandBbe two modules andA||Bbe the entire system composed ofAandBsuch thatAguarantees to satisfyφAandB

34 Chapter 2. State of the art&contribution guarantees to satisfyφB ifA|=φA:

Compositional reasoning:

hTrueiAhφAi hφAiBhφBi hTrueiA||BhφBi

In this framework, it is enough to prove that each module actually satisfies the property it claims it guarantees. The conclusion (i.e.,the actual global properties) logically follows without constructing the complete Kripke structure.

Bounded model checking This technique [Bie09, BCCZ99, CBRZ01] repre-sents a shift in the paradigm. This approach proposes to sacrifice a part of the model checking completeness in exchange to better performance for discovering counterexample. It limits the depth of the search of the state space to a random depth k and therefore only validates the first k steps of each and every path of execution. Using this method, the first step is to forge an expression with vari-ables that represents a path that does not satisfies the property to check. This technique then relies onSatisfiability (SAT)-solvers to find a valid assignment to the variables of the previous expression. AsSAT-solvers are very efficient to find counterexamples, this method is very efficient at an early stage of the development but does not fully replace standard model checking.