Dans le document Symbolic model-checking with Set Rewriting (Page 33-39)

In the end we can seeDecision Diagramsas a model checkingAPI(Application Pro-gramming Interface), and formalisms and model checking algorithms as their clients.

Formalisms have data and behavior that needs to be expressed in thisAPI. Other than that, thisAPIhas to allow the description of the model checking algorithm,e.g.,CTL verification, state space calculation, etc. Finally, this API has to allow some way to perform optimizations. We highlight the fact that we are not interested in the intrinsic characteristics of DDs; the reader interested in DDs can consult [LPAK+10] where Linard et al. propose a generalization of DDsand do a survey of different types of DDs.

We focus here on the services that DDs offer their clients and how they can be accessed. As said earlier, a higher level API narrows the semantic gap between the formal representation and the DD. In Table 2.1 we show how this API has evolved from the firstDDsto the most recent ones.

The first column of the table lists the discussed types of DDs in chronological order. The second one lists the API for model checking provided by those DDs. It is clear that the structures quickly evolved from Boolean operations as only possible operations of the model checking algorithm. In this aspect we have two categories,

2.6. Summary 15 Table2.1 – AvailableAPIsfrom differentDDs

DDname Model checking Data types Data operations Optimization

BDD Boolean ops. B Boolean/fix. Mixed

MDD Mixed N native/fix. Mixed

DDD Homs. N native/fix. Homs.

SDD Homs. Non specified native/fix. Homs.

IDD Mixed R+ native/fix. Mixed

ΣDD Homs. User def. Rew./User def. Homs.

Abbreviations: ops. (operations), fix. (fixed), Homs. (homomorphisms), Rew. (Rewriting), User def.

(User defined)

mixed and homomorphism. By a mixedAPIwe mean that the model checking algo-rithm is described by pseudo-code. The pseudo-code uses theDDprovided API, but also other standard programming primitives,i.e.,theDDprovidedAPIis not enough to describe the task. Homomorphisms on the other hand allow to describe entirely the model checking process. The problem with the mixed approach is that it breaks the encapsulation of the technique, as the client has to directly manipulate the structure to accomplish its task

The third column represents the data types provided by each structures. Once again, the trend towards higher level data types jumps out. The fourth column is intimately bound to the previous one. We can see that after BDDs, most DDs use native and fixed operations. By native and fixed, we mean that each implementation will offer a set of native operations to a model checking algorithm, and that the client of theAPIcannot add new operations to thisAPI. This entails that the richer the source formalism for a translation, the heavier the translation, since the target data types are not only limited but also fixed. The onlyDD that breaks the pattern are ΣDDs that allow to user defined types through the use of abstract data types. It also allows the definition of user defined operations on the data types usingterm rewriting[DW91].

The last column represents the OptimizationAPI. As seen in Section2.3, the way the computation is done can be a critical parameter for DD-based model checking.

Once again, in this domain we have mixed technique and homomorphisms. The prob-lem is the same that appeared before,i.e.,the lack of encapsulation.

2.6 Summary

In this chapter, we have given a general overview of model checking, covering the most important techniques. For symbolic model checking, we have given a detailed history. We presented a detailed account ofDDsevolution focusing particularly on the expressivity of the technique. The reader should by now be familiar with the problem this thesis deals with and the different solutions in the literature. In the next chapter we present in detail the mathematical tools that we are using for our proposed solution.

16 Chapter 2. State of the art: Symbolic Model-Checking

Chapter 3


In this chapter we introduce the different mathematical concepts needed to understand our work. First we introduce some general concepts and notations. Then, we define Term Rewriting (TR)andStructured Operational Semantics (SOS)semantics. These are standard techniques to describe the semantics of systems. We define the parts of them that we plan to use to make this work self-contained.

3.1 Mathematical fundamentals

3.1.1 Boolean lattices

We start by presenting Boolean lattices. We use them to define a structure for the encoding of sets of terms. We are interested in them because we need a mathematical structure that can be related to subsets of the powerset. Lattices are such structure.

The formal definition of lattices is given in Def.3.1.1.

Definition 3.1.1 (Boolean Lattice) An algebraic structure L = hL,∨,∧, 0, 1i, is a Boolean lattice if the following axioms holds. For each a,b∈L:

commutative a∨b= b∨a and a∧b=b∧a;

associative a∨(b∨c)= (a∨b)∨c and a∧(b∧c)=(a∧b)∧c;

idempotent a∨a=a and a∧a=a;

absorption law a∨(a∧b)=a and a∧(a∨b)= a;

distributivity a∨(b∧c)=(a∨b)∧(a∨c)and a∧(b∨c)= (a∧b)∨(a∧c);

absorbing and identity element a∧ 0 = 0 and a∨ 0 = a;

complement a has a unique complement ac ∈L,i.e.,a∧ac = 0 and a∨ac = 1. Notation We use L to refer to the algebraic structure and L to refer to the carrier set. Usually we shall be a little slovenly and say that L is a lattice. The∨symbol in a lattice is known as thejoin and the ∧symbols as themeet. We use as well be the


18 Chapter 3. Preliminaries symbols∪(resp. ∩) to denote the join (resp. meet) of a lattice, since the lattices we consider are isomorphic to sets . The lower bound 0 of the lattice is also called the bottom elementand the the upper bound 1 thetop element. We use the symbol to denote isomorphism.

The first 4 axioms are the basic axioms for lattices. The rest of the axioms make the lattice Boolean. Boolean lattices have interesting properties. When they are finite, they are isomorphic to the powersetP(X) of some finite setX[DP02]. However, to be isomorphic to the powersetP(X) for any setX, the Boolean lattice has to becomplete andcompletely distributive. Completeness means that for each set of elements there is a supremum. Completely distributiveness means that arbitrary conjunctions distribute over arbitrary disjunctions (and vice versa). Intuitively, the former guarantees that the lattice is closed under arbitrary joins and meets, the latter is just a stronger form of distributivity. In particular, it works over infinite disjunctions and conjunctions.

The reader can see the precise definitions in [DP02]. From now on, when we talk about Boolean lattices we are talking about lattices that are complete and completely distributive. An example of such lattices is given in Example3.1.1.

Example 3.1.1 Let E be a set. The powersetP(E)of E along with the set-union and set-intersection is a Boolean latticehP(E),∪,∩,∅,Li.

3.1.2 Standard definitions

We present also some standard mathematical concepts that we use throughout the rest of this work. For a given function, we define the preimage of an element. For a given element of the image sety, the preimage is the set of elementsxof the domain where f(x) isy. The formal definition is given in Def. 3.1.2. Note that the preimage of an element y is the set of all elements whose image is y. The preimage of an element might also be the empty set.

Definition 3.1.2 (Preimage of an element) Let D and L be sets, and f : D → L a function. The preimage of an element y ∈L is the set{x∈D: f(x)= y}. We note this set as f−1(y).

We also recall the definition of a binary relation. Given two sets, a binary relation can be seen as a subset of their Cartesian product. The formal definition follows in Def.3.1.3.

Definition 3.1.3 (Binary relation) Let A,B be sets. A binary relation R is triple hA,B,Gi, where G ⊆ A × B is called its graph. The statement (a,b) ∈ R is read

“a is R-related to b”, and is denoted aRb. The sets A and B are called domain and codomain respectively.

The set of all binary relations over the sets Aand Bis noted B(A,B). It forms a lattice isomorphic to the lattice formed by the powerset of A× B. For two elements inB(A,B) their join and their meet are the union of the graphs and the intersection of the graphs, respectively.

3.1. Mathematical fundamentals 19 Example 3.1.2 Let A = {1,2,3,4} and B = {1,2,3}, we can define the binary re-lation greater than or equal to, which is represented by the triple hA,B,Gi, with G = {(1,1),(2,1),(2,2),(3,1),(3,2),(3,3),(4,1),(4,2),(4,3)}. A pair (a,b) in this

relation is read: agreater than or equal tob.

We present the multi-set. A multi-set or bag is like a set but it can contain the same element several times. A formal definition is given in Def.3.1.4. It is formalized as a function where each element of the function is mapped to the number of elements in the set.

Definition 3.1.4 Given a non-empty set A, a multi-set of A is a function f : A → N from the set A to the set of naturals. For an element a∈A we call f(a)itscardinality.

Notation The set of multisets of set A are noted M(A). Given a set A, and some element a∈ A, we note the multi-set that contains only a as a. Otherwise a multi-set is noted as follows. Each element is preceded by the number of elements in the multi-set, an apostrophe (0) and the element. The elements are separated each by the symbol ++. An example is shown in Example3.1.3. We note the cardf(a) the function that returns the cardinality of some element a.

Example 3.1.3 We present an example of a multi-set. Let A={1,2,3}. The following function is a multi-set:

f :A→N : 17→2 : 27→1 : 37→0

We note this multi-set201++102. We have that cardf(1) = 2and cardf(2) = 1, and


Multi-sets support standard set operations. In particular we define the union for them. The formal definition is given in Def.3.1.5. The idea behind the operation is the same as the set union. For the empty multi-set we give use the same notation that for sets,i.e.,the∅symbol. We present an example of the multi-set union in Example3.1.4.

Definition 3.1.5 Let A be a non-empty set, and f : A → N and g : A → N two multi-sets. We define the union of two multi-sets as follows:

f ∪g:A→N

:a→ f(a)+g(a)

20 Chapter 3. Preliminaries Example 3.1.4 Given the multi-set of Example3.1.3and the following multi-set.

f : A→N : 17→1 : 27→1 : 37→2

We have thus that201++102∪101++102++203is equals to the multi-set301++202++203.

Another concept that we manipulate a lot in this work are functions (or mappings).

In particular, we usually have a function where we want to modify a particular map-ping of the function. We introduce a notation to do exactly that in Def. 3.1.6. An example is presented in Example3.1.5.

Definition 3.1.6 Let A, and B be some sets, f : A → B a function from A to B, and a∈A, b∈B elements of A and B respectively. We define a new function:

f[a=b] : A→ B f[a=b] : x7→

( f(x), if x,a b, otherwise

Example 3.1.5 Let us consider the multi-set f defined in Example3.1.4. The function f[2=4]is equivalent to the multi-set101++402++203

Dans le document Symbolic model-checking with Set Rewriting (Page 33-39)