
Symbolic model-checking with Set Rewriting

LOPEZ BOBEDA, Edmundo

Abstract

In this thesis we tackle the difficulty of translating a high-level formalism to Decision Diagrams (DDs). We propose to improve an existing DD (the ΣDD) and its operations to better handle new operations. Our solution adds an abstraction layer on top of ΣDDs. This abstraction layer can express the usual operations of DDs in a high-level way. It allows the definition of the semantics of a system, the description of the model checking algorithm, and DD optimizations. Our layer is called Set Rewriting (SR). SR is an extension of classical Term Rewriting (TR). In SR we describe a system using terms and term rewriting rules, as in TR.

However, the rewrite rules of SR are designed to work on sets of terms instead of single terms. SR also uses TR strategies, which are operations that give finer control over the rewriting process.

LOPEZ BOBEDA, Edmundo. Symbolic model-checking with Set Rewriting. Thèse de doctorat : Univ. Genève, 2015, no. Sc. 4782

URN : urn:nbn:ch:unige-729494

DOI : 10.13097/archive-ouverte/unige:72949

Available at:

http://archive-ouverte.unige.ch/unige:72949


UNIVERSITÉ DE GENÈVE
FACULTÉ DES SCIENCES
Département d’Informatique
Professeur D. Buchs

Symbolic Model-checking with Set Rewriting

THÈSE

présentée à la Faculté des sciences de l’Université de Genève pour obtenir le grade de

Docteur ès sciences, mention informatique

par

Edmundo López Bóbeda

de Bolivie

Thèse No 4782

Genève

Atelier d’impression ReproMail 2015


Remerciements

En premier lieu, je voudrais remercier mon directeur de thèse, le Professeur Didier Buchs. Depuis le début de ce travail, il m’a toujours guidé avec soin, il m’a corrigé quand je me trompais et il m’a encouragé quand j’étais sur la bonne voie. Il m’a toujours soutenu quand j’ai pris différentes initiatives et il m’a aussi laissé la liberté de choisir les outils pour mieux faire mon travail. Comme chef, il a sûrement placé la barre très haut pour mes futurs supérieurs.

Je voudrais aussi exprimer ma gratitude envers mes collaborateurs au laboratoire SMV pendant le temps que j’y ai travaillé. Alexis Maréchal et Maximilien Colange, qui ont partagé le bureau avec moi, méritent une mention spéciale. Ils étaient toujours disponibles pour répondre à mes questions, vérifier mon travail et me donner des conseils. Je suis aussi reconnaissant envers les autres membres du groupe : Steve Hostettler, Alban Linard, Matteo Risoldi, Dimitri Raccordon et David Lawrence. Ils ont certainement complété mon environnement de travail.

Un grand merci à ma femme Daniela, pour son soutien inconditionnel pendant tout ce temps. Elle a été mon plus grand soutien et mon plus grand réconfort depuis que nous sommes ensemble. Elle est certainement la plus grande bénédiction de ma vie et elle a rendu ce processus beaucoup plus facile pour moi.

Ma famille aussi mérite une mention spéciale. Ma mère, mon père et mes deux frères sont la raison pour laquelle je suis ici. Ils m’ont toujours encouragé à poursuivre mes rêves et à vivre une vie pleine. Malgré la distance physique qui nous sépare, leur présence ne m’a jamais manqué. Ils étaient toujours là avec des mots d’encouragement et de soutien.

Comme chrétien, je veux aussi remercier Dieu d’avoir rendu tout cela possible et pour toutes les bénédictions qu’il m’a données. Tout arrive à cause de Lui et pour Lui.

Mes frères et sœurs à l’église sont Sa plus grande manifestation dans ma vie. Je vais toujours être reconnaissant envers eux.

Merci aussi à la fondation Patiño d’avoir rendu cette aventure possible. Ce sont eux qui ont rendu possibles mes études en Suisse.

Finalement, je remercie le personnel du CUI. J’ai beaucoup apprécié mon environnement de travail étendu. On a mangé beaucoup de fois ensemble et on a eu plein de bons moments que je ne vais jamais oublier.


Acknowledgements

In the first place, I would like to thank my advisor, Prof. Didier Buchs. Since the beginning of this work he has always guided me carefully, correcting me when I was wrong and encouraging me when I was on the right track. He has continuously supported me when I took different initiatives, and he also left me the freedom to choose the tools I prefer to use for my work. As a boss, he certainly set a high standard for my future superiors.

I would like to express my gratitude to my coworkers at the SMV lab during the time I worked there. Alexis Marechal and Maximilien Colange, who shared the office with me, deserve a special mention. They were always available for questions, for double-checking my work, or for giving me feedback. I am also thankful to the other members of the group: Steve Hostettler, Alban Linard, Matteo Risoldi, Dimitri Raccordon, and David Lawrence. They certainly completed my work environment.

A special thanks goes to my wife Daniela for her unconditional support during all this time. She has been my greatest fan, supporter, and comfort since we started our relationship. She is certainly the biggest blessing in my life, and she made this whole process a lot easier.

My family also deserves a special mention. My mother, my father, and my two brothers are the reason why I am here. They always encouraged me to chase my dreams and to live a full life. In spite of the physical distance that separates us, their presence has never failed me. They were always there with words of encouragement and support.

As a Christian, I also want to thank God for making this possible and for all the blessings He has given me. Everything happens because of Him and for Him. My brothers and sisters in the church have been His biggest manifestation. I will always be grateful to them.

Thanks to the Patiño foundation for making this whole journey possible. They were the ones who made my studies abroad possible in the first place.

Finally, I thank all the staff of the CUI. I really enjoyed the environment of my extended workplace. Everybody was always willing to help and available. We enjoyed countless meals together and had some great, funny moments that I will never forget.


Abstract

From the early days of computing, the verification of programs has been an important subject. Nowadays the subject is even more vital, as computers are ubiquitous in our current way of life. Computers thrive in all kinds of environments, and some of their applications are life-critical. Indeed, more and more lives depend on the reliability of airborne systems, rail signaling applications, and medical device software.

Several techniques have been devised to tackle the verification problem. This thesis focuses on a particular technique called symbolic model checking. Model checking tackles the verification problem by examining the states of a system and deciding whether the system respects its specification. This approach, however, is usually hampered by the state explosion problem, i.e., the number of states of a system is too large to be handled. Symbolic model checking enhances model checking by using particular algorithms and structures to tame the state space explosion problem. This structure is called a Decision Diagram.

Decision Diagrams (DDs) are very efficient at encoding large sets and the operations on them. They are, however, low-level data structures supporting only very basic data types, like integers and Booleans. This has the following implications. First, it is hard to translate high-level formalisms to them, because complex data structures and their operations are not easy to represent as vectors of integers. Second, one needs to be an expert in DDs to be able to write such a translation.

In this thesis we tackle these two problems. We propose to improve an existing DD (the ΣDD) and its operations to better handle these problems. Our solution adds an abstraction layer on top of ΣDDs. This abstraction layer is capable of expressing the usual operations of DDs in a high-level way. In this layer we can define the semantics of a system, describe the model checking algorithm, and implement DD optimizations.

The layer we propose is called Set Rewriting (SR). SR is an extension of classical Term Rewriting (TR). In SR we describe a system using terms and term rewriting rules, as in TR. However, the rewrite rules of SR are designed to work on sets of terms instead of single terms. SR also uses TR strategies, which are operations used to control the rewriting process. In particular, they enable the removal of non-determinism from the rewrite process.

Since SR is a novel approach to describing the semantics of a system, we also provide a complete guide to translating from a formalism to SR. The approach is based on the well-known Structured Operational Semantics (SOS) rules. We describe a way to pass from a system specified with SOS rules to an SR system. Our translation approach is complemented by two large case studies. We translate the well-known Petri nets formalism, and a formalism called DiViNE. DiViNE has the structure of an imperative language and thus shows that our approach can also be used to evaluate standard programming languages.

We devote an entire chapter of this thesis to the implementation of model checking algorithms using SR. We show how to describe the computation of a state space and the checking of properties. A large part of the chapter shows how the model checking algorithm can be optimized using standard DD optimizations that can be expressed in SR.

Finally, we turn to the implementation of our technique. All of the techniques discussed in this thesis have been duly implemented and tested. It is important to note that our implementation has been compared against state-of-the-art tools: our tool outperforms other symbolic model checkers on standard benchmarks. We present the architecture of our tool as well as the benchmark comparisons performed against other tools.


Résumé

Dès le début de l’informatique, la vérification des logiciels a été un sujet important. Aujourd’hui, le sujet est encore plus important puisque les ordinateurs sont omniprésents dans notre mode de vie actuel. Les ordinateurs se retrouvent dans tous les types d’environnements, et certaines de leurs applications sont critiques. En effet, de plus en plus de vies dépendent de la fiabilité des systèmes de contrôle de vol, des applications d’aiguillage de trains et des logiciels pour dispositifs médicaux.

Beaucoup de techniques ont été inventées pour s’attaquer au problème de la vérification. Cette thèse se concentre sur une technique particulière appelée model checking symbolique. Le model checking s’attaque au problème de la vérification en examinant les états d’un système un à un, puis en décidant si le système respecte ou non sa spécification. Cette approche est cependant gênée par le problème de l’explosion de l’espace d’états, c’est-à-dire que le nombre d’états du système devient trop grand pour être géré par un ordinateur. Le model checking symbolique améliore le model checking en utilisant des algorithmes et des structures particulières pour maîtriser le problème de l’explosion de l’espace d’états. La structure utilisée s’appelle le Diagramme de décision (DD).

Les DDs sont très performants pour encoder de grands ensembles d’états et les opérations entre eux. Néanmoins, ce sont des structures de très bas niveau ne supportant que des types de données basiques, comme les Booléens et les entiers. Ceci a les implications suivantes : d’abord, il est difficile de traduire des formalismes de haut niveau vers des DDs parce que les structures complexes sont difficiles à encoder sous forme de vecteurs d’entiers ; ensuite, on a besoin d’être un expert en DDs pour être capable d’écrire une telle traduction.

Dans cette thèse, nous nous attaquons à ces deux problèmes. Nous proposons d’abord d’améliorer un DD existant (le ΣDD) et ses opérations pour mieux gérer ces problèmes. Notre solution ajoute une couche d’abstraction sur les ΣDDs. Cette couche d’abstraction est capable d’exprimer les opérations usuelles sur les DDs. Dans cette couche, on peut aussi définir la sémantique d’un système, l’algorithme de model checking et l’implantation des optimisations pour le DD.

La couche que l’on propose s’appelle la Réécriture d’ensembles de termes (RET). La RET est une extension de la réécriture de termes classique. Dans la RET, on décrit un système à l’aide de règles de réécriture comme dans la réécriture classique. Cependant, les règles de réécriture de la RET sont faites pour s’appliquer sur des ensembles de termes au lieu de simples termes. La RET se sert aussi des stratégies de réécriture. Les stratégies de réécriture sont des opérations qui aident à contrôler le processus de réécriture. En particulier, elles permettent d’enlever le non-déterminisme du processus de réécriture.

Comme la RET est une approche nouvelle pour décrire la sémantique d’un système, nous proposons aussi un guide complet pour traduire d’un autre formalisme vers la RET. Notre approche est basée sur les règles SOS (sémantique opérationnelle structurée). Nous montrons une façon de passer d’un système spécifié sous forme de règles SOS vers un système RET. Notre approche de traduction est complétée par deux cas d’étude. Nous traduisons les réseaux de Petri et un formalisme appelé DiViNE. DiViNE a la structure d’un langage impératif, ce qui montre que notre approche peut être utilisée pour évaluer des langages de programmation standards.

Nous consacrons un chapitre entier de cette thèse à l’implantation des algorithmes de model checking dans la RET. Nous montrons comment décrire le calcul de l’espace d’états et la vérification de propriétés simples. Nous dédions aussi une grande partie de ce chapitre à montrer comment un algorithme de model checking peut être optimisé en utilisant des techniques standards d’optimisation basées sur les DDs, qui peuvent aisément s’exprimer avec la RET.

Finalement, nous nous occupons de l’implantation de nos techniques. Toutes les techniques présentées dans cette thèse ont été implantées et testées dans notre outil StrataGEM. Nous remarquons que notre outil a été comparé avec des outils de la littérature. Notre outil est meilleur que d’autres outils sur des benchmarks standards.

Nous présentons aussi l’architecture de notre outil ainsi que les tableaux comparatifs qui prouvent empiriquement l’efficacité de nos techniques.


Contents

Abstract vii

Résumé ix

1 Introduction 1

1.1 Motivations . . . 1

1.2 Contribution . . . 4

1.2.1 Set rewriting as a Unifying language . . . 5

1.2.2 A Tool: StrataGEM . . . 6

1.3 Summary . . . 6

2 State of the art: Symbolic Model-Checking 7

2.1 Overview of Formal Methods . . . 7

2.1.1 Theorem proving . . . 7

2.1.2 Static analysis . . . 8

2.1.3 Model checking . . . 8

2.2 From proofs to symbolic model checking . . . 10

2.3 Towards a Structure for Expressive Models . . . 12

2.4 The semantic gap . . . 14

2.5 Synthesis . . . 14

2.6 Summary . . . 15

3 Preliminaries 17

3.1 Mathematical fundamentals . . . 17

3.1.1 Boolean lattices . . . 17

3.1.2 Standard definitions . . . 18

3.2 Term rewriting . . . 20

3.3 SOS Semantics . . . 22

3.4 Summary . . . 23

4 ΣDecision Diagrams 25

4.1 Injective Partitioned Functions . . . 25

4.1.1 Operations on IPF . . . 28

4.2 Inductive Injective Partitioned Function . . . 31

4.3 Encoding Terms . . . 35

4.4 Operations . . . 39


4.5 Summary . . . 42

5 Set rewriting 43

5.1 Set of Terms Semantics . . . 44

5.1.1 Abstract syntax . . . 44

5.2 Static Semantics . . . 47

5.2.1 Auxiliary Operations . . . 47

5.2.2 Rules . . . 50

5.3 Dynamic Semantics . . . 51

5.3.1 Rules . . . 53

5.3.2 Basic Strategy . . . 53

5.3.3 One Strategy . . . 56

5.3.4 Not strategy . . . 57

5.3.5 Other Strategies . . . 58

5.4 Summary . . . 62

6 Semantics Using Set Rewriting 63

6.1 Supported Approaches for Semantics . . . 63

6.2 Translation Approach . . . 64

6.3 General Principle . . . 65

6.3.1 Data types . . . 65

6.3.2 Simple SOS Rules . . . 66

6.3.3 Complex SOS Rules . . . 67

6.3.4 Translating Entire Formalisms . . . 69

6.4 Case Study: Petri nets . . . 69

6.4.1 Abstract Syntax . . . 70

6.4.2 Abstract Dynamic Semantics . . . 70

6.4.3 Describing the State . . . 70

6.4.4 Basic Operations on the state . . . 71

6.4.5 Compile Function . . . 71

6.5 Case Study: DiViNE . . . 73

6.5.1 Abstract Syntax . . . 73

6.5.2 Abstract Semantics . . . 74

6.5.3 Describing the States . . . 75

6.5.4 Describe Basic Operations . . . 76

6.5.5 Compile Function . . . 77

6.6 Arrays . . . 81

6.7 Summary . . . 84

7 Model Checking Using Set Rewriting 87

7.1 Computing The State Space . . . 87

7.2 Property Checking . . . 88

7.3 Advanced DD Optimization Techniques . . . 89

7.3.1 State based Optimization . . . 90

7.3.2 Transition Based Optimizations . . . 93

7.3.3 Model Checking Based Optimization . . . 94


7.4 Combining Optimizations . . . 95

7.5 Summary . . . 95

8 Practical Results and Tool 97

8.1 Architecture . . . 97

8.2 Usage of the tool . . . 98

8.3 Benchmarks . . . 99

8.4 The models . . . 100

8.5 Petri nets . . . 100

8.6 DiViNE . . . 101

8.7 Summary . . . 102

9 Conclusion 105

9.1 Summary of this work . . . 105

9.1.1 ΣDD . . . 105

9.1.2 Set rewriting . . . 106

9.1.3 Usage of Set Rewriting . . . 106

9.1.4 Model checking . . . 106

9.1.5 Tool and Benchmarks . . . 107

9.2 Perspectives . . . 107

A Kanban Petri net in StrataGEM 109

A.1 Kanban Petri net as a Set Rewrite System . . . 109

A.2 Kanban Petri net as an optimized Set Rewrite System . . . 111

B Divine Peterson model in StrataGEM 119


List of Figures

1.1 Our approach and contribution . . . 4

3.1 Set of rewrite rules . . . 21

4.1 IIPF for the relation the-sum-is pair in Example 4.2.1 . . . 33

4.2 ΣDD . . . 37

4.3 Example of a ΣDecision Diagram (ΣDD) encoding five terms . . . 38

5.1 Abstract syntax . . . 45

6.1 Approaches to describe semantics . . . 63

6.2 Translation approach . . . 64

6.3 Semantics of a complex expression . . . 68

6.4 Kanban Petri Net . . . 69

6.5 Peterson mutual exclusion algorithm in Distributed Verification Environment (DiViNE) . . . 85

8.1 Architecture of Strategy Generic Extensible Modelchecker (StrataGEM) . . . 98


List of Tables

2.1 Available APIs from different DDs . . . 15

5.1 List of Strategies and their semantics . . . 54

5.2 Semantic of Basic Strategies . . . 55

6.1 Abstract syntax for simple SOS rules . . . 67

6.2 Term signature for Petri net markings . . . 70

6.3 Simplified Abstract Syntax of the DiViNE language . . . 74

6.4 SOS rules for DiViNE . . . 76

6.5 SOS rules for DiViNE . . . 82

7.1 Language to describe properties on Petri nets (PNs) . . . 89

7.2 Term signature for Petri net markings with clustering . . . 91

8.1 Runtime Comparison . . . 100

8.2 Runtime Comparison with clustering enabled . . . 102


Chapter 1

Introduction

1.1 Motivations

From the early days of computing, the verification of programs has been an important subject. Nowadays the subject is even more vital, as computers are ubiquitous in our current way of life. Computers thrive in all kinds of environments, and some of their applications are life-critical. Indeed, more and more lives depend on the reliability of airborne systems, rail signaling applications, and medical device software.

Given the importance of the matter, many efforts have been made to ensure the quality of software. On the organizational side, project management techniques have been devised for the software development process, e.g., the Rational Unified Process (RUP) [Kru80], the Waterfall Model [Roy70], the Spiral Model [Boe86], the B-method [LSDS95], etc. More recently, the so-called agile methodologies, like SCRUM [TN86], are taking over the industry [SA08]. However, these software development frameworks can improve software quality only up to a certain point. In fact, they cannot offer complete guarantees for critical systems by themselves, as their effectiveness is based only on empirical evidence [SA08].

These approaches all require describing what the system does without saying how it does it. That description is called the specification. Depending on the development process used, the specification can be informal (SCRUM), semi-formal (RUP), or formal (B-method). Getting the specification right is paramount for software quality. On the one hand, the specification is used to check whether the development team understood the requirements (are we building the right thing?). This is called validation. On the other hand, it is used to check whether the finished software does what it was meant to do (are we building the thing right?). This is called verification.

A very simple way to do verification is testing. In software testing, we use the specification to derive behaviors that we expect from the software. For each expected behavior we write a test. A test is a procedure that exercises the software (or a part of it) and tells whether the observed behavior is correct or not (according to the specification). Hence, a test can prove that there are errors in the software. However, proving the absence of errors is much more complicated: it implies writing a test for each possible behavior of the software. Since the number of behaviors of even simple software is extremely large, testing is unfeasible for proving the absence of errors.

Nevertheless, some kinds of software cannot afford to contain any error, since human lives depend on them. This need gave birth to a set of verification techniques that can guarantee the absence of errors in a given system: formal verification techniques.

Formal verification techniques, a.k.a. formal methods, can guarantee the absence of errors in a system. Among formal methods there are several variants, ranging from theorem proving to model checking. These techniques aim to build a formal mathematical proof of the program’s correctness. This requires, of course, that the specification is formally described. It also requires that the program itself has a formally specified semantics. In this thesis we focus on the model checking variant of formal methods.

Model checking was invented in 1986 by Clarke et al. [CES86]. It attempts to build a proof of correctness by systematically exploring the behaviors of the program. Like testing, it suffers from the extremely large number of possible behaviors of software. In model checking, the exploration of the behaviors is done by exploring the states of the system. The set of states is called the state space, and it tends to be very large. In model checking this is known as the state space explosion problem (SSE) [Val98]. Several approaches have been proposed to tackle the SSE problem, like abstraction, partial order reduction, symbolic model checking, etc.
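The exploration of states described above is, at its core, a least-fixpoint computation. The following Python sketch (a generic illustration, not code from the thesis; the counter-with-reset system is a made-up example) shows the explicit-state version whose `seen` set is exactly what blows up in the SSE problem:

```python
def reachable(initial, successors):
    """Least fixpoint: explore states until no new one appears."""
    seen = set(initial)
    frontier = list(initial)
    while frontier:
        state = frontier.pop()
        for succ in successors(state):
            if succ not in seen:   # 'seen' is the state space: it may explode
                seen.add(succ)
                frontier.append(succ)
    return seen

# Hypothetical toy system: a counter modulo 4 that can also reset to 0.
def successors(n):
    return {(n + 1) % 4, 0}

print(sorted(reachable({0}, successors)))  # → [0, 1, 2, 3]
```

Symbolic model checking replaces the element-by-element `seen` set with a DD and the per-state successor loop with set-level operations.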

Symbolic model checking is the approach we concentrate on here. Symbolic model checking uses ad hoc data structures to encode the state space in a compact way. It also uses special operations to perform calculations on these data structures efficiently. The class of data structures most favored by symbolic model checking is Decision Diagrams (DDs).

DDs are a data structure aimed at the representation of large sets of data. The data represented by a DD in model checking is usually the state space of a system. The idea behind DDs is to benefit from the redundancy found in these state spaces. This redundancy appears because computer systems are generally well structured. A system can, for example, be composed of several subsystems with almost identical behavior. Decision Diagrams are conceived to take advantage of this redundancy. For example, the state space of identical subsystems is stored in memory only once. One can also take advantage of redundancy by caching operations. Indeed, several complex operations are repeated all the time, and one can store their results for later reuse. The efficiency of this is amplified by DD properties such as canonicity, which enables efficient caching.

The problem with DDs is that they are very low-level data structures. This means that the translation of new, higher-level languages to them becomes more and more difficult. We consider three axes to evaluate the advances in DD theory: data types, operations, and optimizations.

Data Types

The first class of Decision Diagrams, BDDs [Bry86], supported only Booleans as a data type. Since the early applications of DDs were the verification of logical circuits, this was not a problem. However, over time DDs started to be used to verify higher-level formalisms, e.g., Petri nets. The initial application of BDDs to Petri nets was limited to a special class of Petri net easily translatable to a Boolean representation, namely safe Petri nets. Later came Multi-valued Decision Diagrams (MDDs) [KVBSV98], defined over an arbitrary domain. Nevertheless, they were only implemented over integers. Later iterations of Decision Diagrams continued to be based on integers as the main data type, e.g., DDDs [CEPA+02], SDDs [CTM05], IDDs [ST99], etc. Finally, ΣDDs [Hos11] introduced a breakthrough by representing sets of terms and user-defined operations in a Decision Diagram structure. However, the application of ΣDDs in model checking was restricted to the rewriting of sets of terms in Algebraic Petri nets [Vau87]. Such an application imposed some constraints on the rewrite rules and the way they were applied. For example, rewrite rules were applied using an innermost strategy. This poses a problem for their application in general model checking. In fact, the innermost rewriting strategy is not the best strategy to handle the rewriting of a whole system. Thus, to apply ΣDDs to general model checking it is necessary to provide them with more flexibility regarding the rewriting strategy.

Decision Diagram Operations

Operations in DDs are used to describe the transition relation of the described system and the model checking algorithm. Since DDs represent sets of states, they support standard set operations, i.e., union, intersection, and difference. These operations are used for model checking, e.g., computing the state space. DDs also need to support operations to transform the states they represent; this amounts to describing the transitions of the system. Finally, there are the model checking algorithms. These are usually described in pseudocode that uses the DD operations. An example of such an operation is the fixpoint, which is needed to build the state space using the set operations and the transitions.

BDDs represent Boolean functions (or sets of sequences of Boolean variables), and Boolean operations describe operations among them. MDDs introduced their own operations to manipulate them. These operations, however, lacked flexibility: they cannot represent some Decision Diagram-based optimizations. DDDs, which are a specialized version of MDDs, propose to describe operations on DDs using homomorphisms. A homomorphism is a function that preserves some operation; in the case of Decision Diagrams it preserves the union, i.e., φ(a ∪ b) = φ(a) ∪ φ(b). One can write homomorphisms elegantly in mathematical notation, and they can describe complex operations on DDs. However, homomorphisms have some drawbacks. First, translating homomorphisms to code is not always straightforward. Second, creating operations that respect the homomorphic property is a delicate affair, prone to errors. Thus, in spite of their flexibility, they are not easy to use for the non-expert user.
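To make the homomorphism condition concrete, here is a toy illustration on plain Python sets standing in for DDs (my own example, not from the thesis): an operation applied element-wise is a union-homomorphism by construction, while an operation that inspects the whole set need not be.

```python
def phi(s):
    """Element-wise: rewrite every state independently (homomorphic by construction)."""
    return {x + 1 for x in s}

def psi(s):
    """Looks at the whole set: keep only the maximal state (not a homomorphism)."""
    return {max(s)} if s else set()

a, b = {1, 2}, {5, 6}
print(phi(a | b) == phi(a) | phi(b))  # → True:  φ(a∪b) = φ(a)∪φ(b)
print(psi(a | b) == psi(a) | psi(b))  # → False: ψ(a∪b) = {6}, but ψ(a)∪ψ(b) = {2, 6}
```

The delicate part the text alludes to is exactly this: it is easy to write an operation like `psi` whose set-level behavior silently differs from applying it to the parts of a partitioned DD.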

Optimizations

In the beginning of Decision Diagrams, the main optimization technique was the choice of the right variable ordering. Indeed, DDs can be interpreted as a set of sequences of variable assignments¹. The order of these variables is of capital importance for the performance of the structure. Nonetheless, finding the right variable ordering is an NP-complete problem. Other optimization techniques have been developed, for example hierarchy and saturation. Only SDDs and ΣDDs use hierarchy. Hierarchy means that the variables in the DD can contain other DDs. This enables the usage of divide-and-conquer strategies, which maximize sharing and caching in the DD. Also, hierarchical systems are more easily translatable to such DDs. Another well-known optimization technique is saturation [CLS01]. Saturation consists of exploiting locality. The idea is that one can apply the model checking algorithm, e.g., the state space construction algorithm, to a part of the DD. Indeed, as the DD-encoded state space grows larger, more and more parts of it can be shared, thus decreasing its memory footprint. However, before attaining this inflection point, there is a peak in memory consumption. Saturation improves performance by attaining this peak locally, where it is small, and then having smaller peaks at a global scale. One can describe saturation using homomorphisms, but such descriptions present the same problems that were explained for homomorphisms in the previous subsection.
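The impact of variable ordering can be measured without any DD library: the number of nodes at each level of a reduced ordered BDD corresponds (up to the handling of constants) to the number of distinct subfunctions obtained by fixing the preceding variables. This small experiment (my construction, not from the thesis) compares two orderings for f = (x1 ∧ y1) ∨ (x2 ∧ y2):

```python
from itertools import product

def f(a):
    return (a["x1"] and a["y1"]) or (a["x2"] and a["y2"])

def subfunction_count(order):
    """Sum over levels of the number of distinct subfunctions of f
    once the first i variables of `order` are fixed."""
    total = 0
    for i in range(len(order)):
        tables = set()
        for prefix in product([False, True], repeat=i):
            fixed = dict(zip(order, prefix))
            free = order[i:]
            # Truth table of f over the remaining (free) variables.
            table = tuple(f({**fixed, **dict(zip(free, rest))})
                          for rest in product([False, True], repeat=len(free)))
            tables.add(table)
        total += len(tables)
    return total

good = subfunction_count(["x1", "y1", "x2", "y2"])  # interleaved pairs
bad = subfunction_count(["x1", "x2", "y1", "y2"])   # pairs separated
print(good, bad)  # the interleaved ordering needs fewer distinct subfunctions
```

With this f, the interleaved ordering gives 8 subfunctions against 10 for the separated one; for the generalized function with n pairs the gap becomes exponential, which is why ordering heuristics matter so much.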

1.2 Contribution

Figure 1.1 – Our approach and contribution (the figure shows three layers: a formalism is mapped, via its abstract semantics and a user-defined translation, to Set Rewriting, which is then translated automatically to Decision Diagrams).

We propose a framework to abstract the DD-specific parts and unify the aforementioned axes: data types, operations, and optimizations. Our framework, shown in Fig. 1.1, comprises three layers. Each layer describes the semantics of the formalism at a different level of abstraction. The upmost layer is the denotational semantics of the formalism, expressed as functions on mathematical objects. It represents an abstract view of the semantics. The middle layer represents the operational semantics using Term Rewriting strategies. It allows expressing semantics, optimizations, and model checking computations. It shows a concrete view of the semantics and can easily be translated to a very fast and memory-efficient representation for model checking. The bottom layer is based on ΣDDs. Actual computations are done in this layer. We provide a working implementation of the Domain Specific Language for the middle layer, the translation to the lower layer, and the ΣDD-based lower layer. The user only has to provide the Term Rewriting strategies (in Fig. 1.1, the user-defined translation) in order to automatically obtain an efficient symbolic model checker for a source formalism.

¹ This does not apply to ΣDDs.


1.2.1 Set rewriting as a Unifying language

The Set Rewriting (SR) layer that we propose tackles the different problems of DDs in a unified manner.

ΣDD

ΣDDs were introduced by Hostettler in his thesis [Hos11]. However, the definitions he presented were extremely difficult to follow. We have taken Hostettler's definitions and reworked them to create a simpler framework. In particular, we have redefined the Injective Partitioned Functions (IPFs) and associated them with the encoding of binary relations. Our new presentation simplifies the core theory behind ΣDDs. We also show that the rewrite operations do not need to be homomorphic. Relaxing this constraint makes the definition of operations on ΣDDs much simpler.

Data Types

SR allows the description of rich data types and their operations. As a matter of fact, SR is based on Term Rewriting and is equally expressive. SR can describe arbitrary data types and their operations. One defines these data types and operations using Term Rewriting rules and strategies. Term Rewriting strategies are operations allowing one to control the rewriting process. In our framework they help to define complex operations that cannot be expressed using simple rewrite rules. They also allow tuning the rewriting process to render it as fast as possible. All of this is possible because SR is translated to ΣDDs.
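As a rough illustration of defining a data type by rewrite rules (a generic term-rewriting sketch in Python, not the thesis's SR syntax), Peano naturals and addition can be encoded as terms, with an innermost strategy applying rules until a normal form is reached:

```python
# Terms are nested tuples: ("zero",), ("succ", t), ("plus", t1, t2).
RULES = [
    # plus(zero, y)    -> y
    (lambda t: t[0] == "plus" and t[1] == ("zero",),
     lambda t: t[2]),
    # plus(succ(x), y) -> succ(plus(x, y))
    (lambda t: t[0] == "plus" and t[1][0] == "succ",
     lambda t: ("succ", ("plus", t[1][1], t[2]))),
]

def rewrite_innermost(t):
    """Normalize subterms first, then apply rules at the root (innermost strategy)."""
    t = tuple([t[0]] + [rewrite_innermost(s) for s in t[1:]])
    for matches, build in RULES:
        if matches(t):
            return rewrite_innermost(build(t))
    return t

two = ("succ", ("succ", ("zero",)))
one = ("succ", ("zero",))
print(rewrite_innermost(("plus", two, one)))  # → ('succ', ('succ', ('succ', ('zero',))))
```

In SR the same style of rule is lifted to whole sets of terms at once, and the strategy (here hard-coded as innermost) becomes an explicit, user-controllable object.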

Decision Diagram Operations

The beauty of SR is that one can write DD operations without even knowing that one is doing it. Indeed, Term Rewriting strategies are at the same time DD operations and Term Rewriting strategies. In this area our main contribution is the complete abstraction of the DD operations. Using SR to describe DD operations removes most problems mentioned in Section 1.1. First, SR is much closer to high level languages. Thus it is easier to translate a formalism to it. Second, the design of SR aims at removing the complexities of the underlying structure. In particular, ΣDDs represent sets of terms and their native operations work on them. However, although the user of SR is actually writing operations on sets of terms, most of the time one can think in terms of standard Term Rewriting rules and strategies.

We have also enriched Term Rewriting with extra strategies. These new strategies enable SR to describe the model checking algorithms. Thus, the user of our approach can describe the transition relation and the model checking computation in one unified language.

Optimizations

Finally, one can also characterize most common DD optimizations in SR. As expressed in the previous subsection, SR strategies are DD operations and they are powerful


enough to describe DD optimizations. Actually, the control provided by SR strategies gives a flexibility that is hard to achieve using other approaches. For example, using SR one can describe several variants of saturation. Also, one can directly describe hierarchical subsystems by using Term Rewriting subterms. More interestingly, one can easily use a different variant of saturation for each subsystem.

Our contribution in this field helps researchers working on DD optimizations. Indeed, thanks to SR it is now very easy to define and test new saturation strategies for DDs.

1.2.2 A Tool: StrataGEM

We also developed a tool as part of this research. Our tool is called StrataGEM [LBCB14].

It provides a complete implementation of the approach presented in Fig. 1.1, including a re-implementation of ΣDDs as well as the translation from SR.

To validate our approach, StrataGEM participated twice in the Model Checking Contest (MCC) at the Petri nets conferences [KGH+14]. Our hypothesis was that, given the correct strategy, StrataGEM could compete with any model checker, i.e., SR strategies are capable of emulating any symbolic model checker. Using the results we could improve our strategies and even beat the best model checkers that participated in the competition.

Our tool confirmed not only the efficiency of the approach but also its expressivity. To test the expressivity of our approach we translated the semantics of two formalisms to it.

The first was PN. The translation of PNs was relatively straightforward. Our approach enabled not only the translation of standard PNs, but also of variants like flush-arc PNs and inhibitor-arc PNs. The second was DiViNE [BBR09].

DiViNE is a SPIN-like [Hol04] model checker and its syntax is close to that of an imperative programming language. The translation of DiViNE actually exercised all features of StrataGEM. Among other things, it required the usage of Order-Sorted rewrite systems, guard constructions, and complex transitions including an internal state.

1.3 Summary

In this Chapter we presented a global view of the content of this thesis. The next Chapter presents the state of the art in symbolic model checking. We highlight particularly the evolution of DDs.


Chapter 2

State of the art: Symbolic Model-Checking

In this chapter we present the evolution of symbolic model checking. We focus mainly on the development of the data structures supporting the technique, namely Decision Diagrams. We also put the technique in the context of other formal methods techniques.

This chapter is structured as follows: We first give an overview of the different techniques used in formal methods in Section 2.1. Then we outline the evolution of the symbolic model checking technique. The next section focuses on the evolution of DDs, the preferred data structure for symbolic model checking. In Section 2.4 we introduce the concept of semantic gap. We use the concept of semantic gap to analyze the evolution of DDs in Section 2.5. Finally, we reformulate the contribution of our work in terms of the semantic gap.

2.1 Overview of Formal Methods

In this chapter, we outline three of the main formal method techniques. The techniques differ on several levels. For example, some techniques can easily be automated, others scale well, and others cover the whole development cycle, from specification to source code generation.

2.1.1 Theorem proving

Theorem proving is clearly the oldest method, since it was directly inherited from mathematics. One of the first known implementations dates from 1954, when Martin Davis programmed Presburger's algorithm for deciding validity in the additive arithmetic of integers [Dav01]. Of course, this technique has evolved a lot ever since.

Nowadays, its goal is to formally state a property of the program and then to prove it.

The technique can be either semi-automatic or automatic. It can be applied throughout the whole development cycle, i.e., from requirement analysis to implementation. One example of such a method is the B-method [Abr96]. The drawback of this technique is that proficient use requires a very high level of expertise [LSDS95].

This technique has, however, several major successes. Among others, we have the


complete verification of a C compiler [Ler09] done with the Coq proof assistant [dt14].

Also, the verification of the software for the Paris Metro Line 14 was done using the B-method. To illustrate the size of that application, the generated software was 21,000 lines of code, 63% of which was safety critical [LSDS95].

2.1.2 Static analysis

Static analysis analyzes the system statically, i.e., without exploring its behaviors.

It is used to prove properties such as invariants [Cou90] and also to find common programming errors. Static analysis is used either during the implementation phase or during the design phase of a project. The best known application of this technique is in compilers. Modern compilers not only check the code for syntactic validity but also for common programming errors and bugs. They also use static analysis to decide where to apply optimizations.

One of the advantages of static analysis is that it scales well and can be done completely automatically. It can treat large codebases of sizes greater than 10 MLOC [BBC+10]. Indeed, the technique is actively being used in industry [Cov14]. The use in industry shows that the technique is mature enough; however, this is only valid for some applications. In fact, most of the techniques being used in industry are not sound [BBC+10], i.e., they do not guarantee the absence of bugs. This is clearly not enough for critical systems. Another drawback of this technique is that it usually produces many false alarms [BBC+10]. Detecting a false positive requires once again human intervention, which defeats the purpose of complete automation.

There are also static analysis techniques that are sound, e.g., abstract interpretation [CC77]. Abstract interpretation can guarantee the absence of bugs; however, it does not scale. Also, it suffers from the problem of false alarms.

2.1.3 Model checking

Model checking is the approach that we explore in this thesis. Contrary to static analysis, model checking explores the behaviors of the system and can check more complex properties, expressed with Computation Tree Logic (CTL), Linear Temporal Logic (LTL), etc. Compared to theorem proving, model checking can more easily be automated.

Model checking assumes the existence of a formal specification ϕ. ϕ is usually a formula in some appropriate logic. The goal of model checking is to prove that some mathematical structure M (an abstraction of the real system) models the specification, i.e., ϕ holds for M. The model is usually a Kripke structure. Generally, the model checking problem is stated as follows:

M |= ϕ (2.1)

which reads M models ϕ, or M satisfies ϕ.

To accomplish its goal, model checking exhaustively explores all behaviors of M.

The main problem with this approach is that the number of behaviors of standard


software is enormous. This problem is usually referred to as the state space explosion problem [Val98].
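The exhaustive exploration can be sketched as a plain search over the transition relation. The toy system below, n independently flipping bits, is an assumption made for illustration; it shows why explicit enumeration explodes: the number of reachable states is 2^n.

```python
def reachable(initial, successors):
    """Exhaustive exploration: collect every state reachable from `initial`."""
    seen, frontier = {initial}, [initial]
    while frontier:
        s = frontier.pop()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen

def flip_bits(n):
    """Toy model: n independent processes, each may flip its bit at any time."""
    def successors(state):
        return [state[:i] + (1 - state[i],) + state[i + 1:] for i in range(n)]
    return successors

for n in (4, 8, 16):
    print(n, len(reachable((0,) * n, flip_bits(n))))  # 16, 256, 65536 states
```

Each extra process doubles the state count, which is exactly the growth that makes explicit-state exploration intractable for realistic systems.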

Taming the state space explosion is a hard problem in itself. The model checking community has put a lot of effort into solving it. We present here some of the techniques frequently used to address the state explosion problem.

Abstraction

Abstraction is simply removing the behaviors of the system that are not relevant to the property being checked [CGL94, MA03]. This can be done at several levels. Either the model or the verification structure can be modified to become more abstract.

In the case of the model, abstraction is a manual task. The modeler decides which parts of the system are not relevant and then removes them. In the case of the verification structure, several attempts have been made to automate the procedure. A simple way to reduce the state space is to ignore state variables that are not relevant for the property being checked. This reduces the state space and thus facilitates model checking. The first attempt at such a procedure is due to Kurshan [Kur94].

Reduction of search space

Instead of reducing the actual number of states to be explored (as in abstraction), this technique aims to safely skip the exploration of some behaviors. There are several methods to choose which paths to ignore. Partial Order Reduction (POR) [Val91], for example, is used in concurrent systems verification. POR exploits the commutativity of concurrently executed transitions. Indeed, concurrently executed transitions give the same result independently of their order.

Symmetry reduction is another technique in this category [CDFH91]. It aims to find equivalence classes in the state space. The search is then performed in the quotient state space, which is generally exponentially smaller.

Symbolic model checking

Symbolic model checking aims to tackle the state space explosion problem by means of efficient data structures for the encoding of the state space. These structures exploit the redundancy in the state space to compress it and perform efficient operations on it. For example, similar parts of the state space are usually shared and operations are cached.

Also, symbolic model checking algorithms do not handle states explicitly. In structures like DDs, the algorithms handle sets of states instead of each state separately.

This improves the efficiency since the number of states handled is usually very large.

Of course, DD operations are optimized to handle such set representations. However, this imposes some burden on the algorithm designer, since reasoning over sets of states is not a simple exercise.


Bounded Model Checking

Bounded Model Checking (BMC) was introduced by Biere et al. in [BCCZ99]. BMC works by bounding the length of the counterexample, hence the name bounded, and trying to find a counterexample of that length. Setting this bound enables the reduction of the model checking problem to a Boolean satisfiability problem (SAT problem). The advantage of the SAT problem is that it has been widely studied and there are several efficient solvers available [GN07, MA03, MSS99].

This approach has been gaining a lot of popularity lately [PBG05]. Its main advantage is that it allows the factorization of the model checking problem. Indeed, Boolean functions are well understood and anyone can write a translation from a new formalism to them. A new formalism can thus enjoy the advantages of the latest advances in SAT solving by creating a proper translation.
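The unrolling idea behind BMC can be sketched as follows: make k+1 copies of the state variables, constrain consecutive copies by the transition relation, and ask a SAT check whether some assignment reaches a bad state. This brute-force enumeration stands in for a real SAT solver, and the 2-bit counter is an invented example.

```python
from itertools import product

def bmc(init, trans, bad, nbits, k):
    """Search for bits satisfying init(s0) & T(s0,s1) & ... & bad(sk),
    i.e., a counterexample of length exactly k (brute-force 'SAT')."""
    for bits in product((0, 1), repeat=nbits * (k + 1)):
        states = [bits[i * nbits:(i + 1) * nbits] for i in range(k + 1)]
        if (init(states[0])
                and all(trans(a, b) for a, b in zip(states, states[1:]))
                and bad(states[k])):
            return states  # a length-k counterexample
    return None

# Example system: a 2-bit counter incrementing modulo 4; "bad" is value 3.
val = lambda s: s[0] + 2 * s[1]
init = lambda s: val(s) == 0
trans = lambda a, b: val(b) == (val(a) + 1) % 4
bad = lambda s: val(s) == 3

print(bmc(init, trans, bad, nbits=2, k=3))  # counterexample at bound 3
print(bmc(init, trans, bad, nbits=2, k=2))  # None: 3 unreachable in 2 steps
```

A production BMC tool builds the same conjunction as a propositional formula and hands it to an efficient SAT solver instead of enumerating assignments.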

2.2 From proofs to symbolic model checking

In this section we present the evolution of symbolic model checking. In fact, the formal tooling necessary to tackle the problem of verification took 20 years to develop. During these years, researchers developed the mathematical concepts that are well suited to the study of programs. These concepts are the following: a proper formalization of programs, a proper specification language for properties, and proper algorithms to decide the verification problem.

In 1970, Park proposes the µ-calculus [Par70]. Park's paper shows the limitations of the theory at his time: the program formalization he uses, i.e., equation schemas, is far from intuitive, and interesting program properties are stated in second order logics. The main contribution of his paper is the Conv operator, which we know as the µ operator today. Using this operator, one can express a class of formulas called recursion formulas, which “can be used to abbreviate a number of important mathematical and logical properties” [Par70]. Park also gives a procedure to find a solution for these formulas under certain conditions.

The program formalization problem is later solved by Keller in [Kel76]. He unifies the formalization of sequential and parallel programs using the notion of system.

He gives the definition of what we now call a Labeled Transition System (LTS). The notion of system allows a clear mathematical characterization of properties like deadlocks, termination, and invariants in the context of parallel and sequential programs.

The notion introduced by Keller enables further development of expressive property languages. In 1977, it is used by Pnueli [Pnu77] to describe high level logical operators to reason about systems. The challenge here is to choose operators that are expressive enough to represent interesting properties while avoiding explicitly naming time. To solve this challenge, Pnueli adopts a fragment of the tense logic Kb [RU71].

Among others, he introduces the temporal logic operators G, for globally, and F, for finally. These two operators can respectively express invariance and eventuality, two important program properties.


All of the previous endeavors to perform verification were aimed at the development of correctness proofs for programs. However, people designing hardware were also struggling with the verification of circuits and their cumbersome specifications.

This is why Akers introduces Binary Decision Diagrams (BDDs) [Ake78]. BDDs allow specifying a Boolean function in a compact way, in contrast to truth tables, without giving an implementation of it.

The idea is improved by Bryant, who develops efficient algorithms to handle BDDs [Bry86]. Bryant's algorithms are important for the implementation of verification. In fact, he shows that BDDs can be used for several practical logic design verification problems. Since the main interest at the time was the verification of digital circuits, BDDs and Boolean functions were an ideal implementation structure. However, at the time, BDDs were used only to check function equivalence, i.e., to test whether a function corresponds to its implementation.

The strength of Binary Decision Diagrams (BDDs) resides in their ability to handle extremely large Boolean functions in a compact way. To achieve this, BDDs rely on canonicity. Each BDD represents one and only one Boolean function. The Boolean function can be interpreted as the indicator function of a set of Boolean assignments.

Thus, one can see a Boolean function as a set. Canonicity implies that each set has a unique representation, which in turn implies that one can keep only one instance of each BDD in memory. Thus, one can check the equality of two sets just by comparing their addresses in memory, i.e., in constant time. Hence, one can easily memoize operations over sets. Moreover, the BDD representation is compact even for extremely large sets. Combining both properties, canonicity and compactness, we have a structure that is capable of both storing and performing operations on large sets of data. These operations are encoded as Boolean operations. For example, computing the union of two sets is equivalent to or-ing their indicator functions.
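The mechanics of canonicity can be illustrated with a small hash-consing sketch: a unique table guarantees one node per distinct function, so equality is pointer comparison and union is the `apply` of logical or. The node layout and recursion below are simplified assumptions, not a production BDD package.

```python
# Hash-consed BDD sketch: one node per distinct Boolean function.
_unique = {}  # (var, id(low), id(high)) -> node, the unique table
_cache = {}   # memoization table for apply_or

class Node:
    __slots__ = ("var", "low", "high")
    def __init__(self, var, low, high):
        self.var, self.low, self.high = var, low, high

ZERO, ONE = object(), object()  # terminal nodes (constant 0 and 1)

def mk(var, low, high):
    """Reduced node constructor: skip redundant tests, share equal nodes."""
    if low is high:
        return low
    key = (var, id(low), id(high))
    if key not in _unique:
        _unique[key] = Node(var, low, high)
    return _unique[key]

def apply_or(a, b):
    """Set union of the encoded sets = or-ing the indicator functions."""
    if a is ONE or b is ONE: return ONE
    if a is ZERO: return b
    if b is ZERO: return a
    key = frozenset((id(a), id(b)))  # or is commutative
    if key in _cache: return _cache[key]
    v = min(a.var, b.var)            # split on the smallest variable
    a0, a1 = (a.low, a.high) if a.var == v else (a, a)
    b0, b1 = (b.low, b.high) if b.var == v else (b, b)
    r = mk(v, apply_or(a0, b0), apply_or(a1, b1))
    _cache[key] = r
    return r

def var(v):
    """The BDD of the single variable v."""
    return mk(v, ZERO, ONE)

# Canonicity in action: x1 or x2, built in two different orders, is the very
# same node in memory, so set equality is a constant-time pointer comparison.
f = apply_or(var(1), var(2))
g = apply_or(var(2), var(1))
print(f is g)  # True
```

The same `apply` scheme, with `and`, `not`, etc., gives intersection and complement, which is all a symbolic model checker needs to manipulate state sets.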

In the same year Bryant presents his BDD algorithms, Clarke et al. invent model checking [CES86]. Until then, the checking of properties was done purely by hand.

Clarke et al. prove that if the system has a finite number of states, there is a decision procedure for the verification problem. In their paper, they also give the semantics of the branching time logic CTL, which stands for Computation Tree Logic. The algorithm they propose can check properties stated in CTL.

In 1990, Coudert and Madre come up with a new idea for BDDs [CM90]. They propose to stop seeing a BDD as a Boolean function and instead consider it as a set of states, where each state is a sequence of Boolean variables. The idea “is to manipulate sets of states and sets of transitions instead of individual states and individual transitions” [CM90]. They also put forward a temporal logic as a specification language and give an algorithm to decide the verification problem in this setting.

In 1992 comes the breakthrough that unifies all the methods we have seen until now. Indeed, Burch et al. [BCM+92] generalize Coudert and Madre's work by describing an algorithm to calculate Park's µ-calculus. Using their algorithm they derive an efficient decision procedure for CTL based on Bryant's BDD operations. Indeed, CTL can easily be expressed in terms of Park's recursion formulas. Hence, one can verify it by calculating fixpoint operations. The fixpoint operations require manipulating large sets; consequently, BDDs are well adapted for such computations. This


technique's practical applicability is validated in the same year by McMillan in his Ph.D. thesis [McM92]. He uses it to verify the cache protocol of a commercial processor. The major contribution of such techniques is that the verification of extremely large state spaces is now tractable.

2.3 Towards a Structure for Expressive Models

BDDs and CTL become the starting point for other symbolic model checking techniques. In fact, several variants of BDDs have been developed ever since. These variants carry the name Decision Diagrams (DDs).

One of the first structures trying to raise the level of abstraction of BDDs are the Edge-Valued Binary Decision Diagrams (EVBDDs) of Lai and Sastry [LS92]. While BDDs encode Boolean functions, EVBDDs encode integer functions. The idea is the same as the original BDD idea: to represent a function in a compact way. EVBDDs also preserve the interesting properties of BDDs, namely canonicity and efficient operations. This representation is however only used to check the equivalence of two different functions, still for digital circuits.

In 1994, Pastor et al. [PRCB94] bring symbolic model checking techniques to Petri nets. Petri nets [Rei85] (PNs) are a well known formalism particularly adapted to expressing concurrent programs. It is obvious that a higher level formalism such as PNs entails a bigger effort in the translation of the formalism's semantics to Boolean functions. That is why Pastor et al. focus mainly on safe PNs, a class of PNs whose markings can directly be encoded by a Boolean function.

The efforts towards a generalization of BDDs continue as two new kinds of DDs are created in 1998 and 1999. On the one hand we have Multi-valued Decision Diagrams (MDDs) [KVBSV98], by Kam et al., and on the other Interval Decision Diagrams (IDDs) [ST99], by Strehl and Thiele. Multi-valued Decision Diagrams generalize BDDs to an arbitrary domain, while Interval Decision Diagrams generalize them to intervals over rational numbers. IDDs represent a class of functions called interval logic functions. MDDs represent functions over an arbitrary domain. These functions are manipulated using the case operation. The operation case(F, G0, . . . , Gm) selects and returns a function Gi according to the value of the function F. Thus, the programmer of an MDD-based system has to write the different case functions required by his application. In the case of Interval Decision Diagrams (IDDs), the user needs to describe the system in terms of interval logic functions. Tovchigrechko presents some efficient algorithms for such operations in his thesis [Tov08].
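The pointwise reading of the case operation can be sketched in a few lines. This is only the semantic definition, not the node-level MDD algorithm, and the example functions are invented for illustration: for an assignment x, case evaluates F on x and dispatches to the selected Gi.

```python
# Pointwise semantics of case(F, G0, ..., Gm): dispatch on the value of F.
def case(F, *Gs):
    return lambda x: Gs[F(x)](x)

# Invented example: F selects among three constant functions by x mod 3.
F = lambda x: x % 3
G = [lambda x: "zero", lambda x: "one", lambda x: "two"]
h = case(F, *G)
print([h(x) for x in range(5)])  # ['zero', 'one', 'two', 'zero', 'one']
```

In an actual MDD package the same dispatch is performed structurally on diagram nodes, with sharing and caching, rather than by evaluating functions pointwise.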

MDDs quickly find a niche in the verification community and are adopted by Miner and Ciardo to perform reachability analysis of Petri nets [MC99]. Thanks to MDDs, they are not limited to safe PNs. One of their main contributions is exploiting the concept of locality in Petri nets. It is clear that the use of MDDs closes the gap between the formalism, i.e., Petri nets, and the data structure, DDs, since both are based on integers. Thus the translation from the formalism to the structure becomes more manageable.

In 2001, Ciardo et al. introduce saturation [CLS01], a new idea in the DD-based


techniques. The idea revolves around the concept of locality. As it turns out, depending on the order in which local transitions are fired during the state space computation, the process can become faster and also take much less space. Saturation adds an optimization dimension to symbolic model checking.

Ciardo et al. describe their optimization in pseudo code that directly manipulates the structure. It is clear that to implement this sophisticated optimization strategy the operations available in MDDs are not enough. In 2002, Jean-Michel Couvreur et al. attack this problem by creating the Data Decision Diagrams (DDDs) [CEPA+02].

DDDs are “a specialized version of the Multi-valued Decision Diagrams representing characteristic functions of sets” [CEPA+02]. One of the main contributions of their framework is the usage of homomorphisms to describe operations on DDDs. Homomorphisms replace the case operation, which was usually described through code.

Instead, homomorphisms can be expressed fully in mathematical notation. Homomorphisms are more flexible than previous DD operations and they allow describing optimizations like saturation and the locality-based optimizations without leaving the formal framework.

Following the same line of work, Couvreur and Thierry-Mieg improve DDDs by adding hierarchy to them, giving birth to the Hierarchical Set Decision Diagrams (SDDs) [CTM05]. SDDs are equipped with homomorphisms but they also include the concept of hierarchy, which provides a natural translation for hierarchical formalisms.

Hierarchy not only tightens the gap towards high-level formalisms, but also improves the speed and memory footprint of the state space computation. They present a tool called ITS-tools that implements their technique [TM15].

In 2008, IDDs are also used for the model checking of Petri nets. In his Ph.D.

thesis [Tov08], Tovchigrechko shows how to use IDDs to perform symbolic model checking on Petri nets. The theory developed by Tovchigrechko is used by the tool Marcie [HRS13].

The next step in the evolution of DDs is the Σ Decision Diagrams (ΣDDs). ΣDDs, a variant of SDDs, are presented in Hostettler's Ph.D. thesis [Hos11]. ΣDDs represent sets of terms and they allow rewriting sets of terms using rewriting homomorphisms.

Using them, the tool AlPiNA [HML+11] was developed. AlPiNA allows model checking Algebraic Petri nets [Vau87], a very high level formalism based on PNs. The tool implements several kinds of DDs, using ΣDDs only to rewrite sets of terms.

It is important to highlight the qualitative jump introduced by ΣDDs in the DD space. In fact, one of the limitations of DD-based approaches lies in the translation of the data types of the program to the verification structure (some kind of DD). DDs are structures with remarkable properties for model checking. However, translating a high-level formalism to them remains a daunting task. All concepts in the original language need to be expressed in terms of extremely simple data types and operations. Until ΣDDs, Decision Diagrams were limited by the data types used by the source program. Even though some DDs allow the usage of arbitrary data types, e.g., MDDs, they do not allow the user to define custom data types, i.e., each data type present in the source program has to be implemented in the verification framework.



2.4 The semantic gap

Until the early 90s the programs being verified were designs for digital circuits. Boolean functions were the natural choice as a formal representation, which also fitted BDDs well. The semantic gap between program, formal representation, and verification structure was very narrow. The next challenge was to apply such techniques to real software, and this required both higher level program representations and higher level structures. The semantic gap is the conceptual distance between the different program representations.

This gap is bridged by a translation. Verification techniques, from their beginning, have made trade-offs to limit the complexity of this translation. Either they limit the expressiveness of the formal representation to better fit the underlying verification structure, or they try to improve the underlying structure to fit higher level formalisms.

Ideally, this translation is straightforward. Unfortunately, for high level formalisms and programming languages this is not the case. Sometimes, the low-level representation of a high level data structure can be so huge that it becomes intractable. Two practical examples of these problems can be found in the Model Checking Contest [KGH+14]:

the Drink Vending Machine and CSRepetition models. For the former, its representation as a Coloured Petri net (high level) is only 24 Kb, while its representation as a Place/Transition Petri net is 139.9 Mb. The two versions of the latter model were proven to have different semantics after several tools reported different state spaces for them. This shows that even a translation that has been known for years and that presents no theoretical difficulty is still prone to errors. In the next section we see how BDDs evolved to handle more complex structures, each time narrowing the semantic gap towards real programs.

2.5 Synthesis

In the end we can see Decision Diagrams as a model checking API (Application Programming Interface), and formalisms and model checking algorithms as their clients.

Formalisms have data and behavior that need to be expressed in this API. Other than that, this API has to allow the description of the model checking algorithm, e.g., CTL verification, state space calculation, etc. Finally, this API has to allow some way to perform optimizations. We highlight the fact that we are not interested in the intrinsic characteristics of DDs; the reader interested in DDs can consult [LPAK+10], where Linard et al. propose a generalization of DDs and survey different types of DDs.

We focus here on the services that DDs offer their clients and how they can be accessed. As said earlier, a higher level API narrows the semantic gap between the formal representation and the DD. In Table 2.1 we show how this API has evolved from the first DDs to the most recent ones.

The first column of the table lists the discussed types of DDs in chronological order. The second one lists the API for model checking provided by those DDs. It is clear that the structures quickly evolved beyond Boolean operations as the only possible operations of the model checking algorithm. In this aspect we have two categories,


Table 2.1 – Available APIs from different DDs

DD name   Model checking   Data types      Data operations    Optimization

BDD       Boolean ops.     B               Boolean/fix.       Mixed

MDD       Mixed            N               native/fix.        Mixed

DDD       Homs.            N               native/fix.        Homs.

SDD       Homs.            Not specified   native/fix.        Homs.

IDD       Mixed            R+              native/fix.        Mixed

ΣDD       Homs.            User def.       Rew./User def.     Homs.

Abbreviations: ops. (operations), fix. (fixed), Homs. (homomorphisms), Rew. (Rewriting), User def. (User defined)

mixed and homomorphisms. By a mixed API we mean that the model checking algorithm is described by pseudo-code. The pseudo-code uses the API provided by the DD, but also other standard programming primitives, i.e., the API provided by the DD is not enough to describe the task. Homomorphisms, on the other hand, allow describing the model checking process entirely. The problem with the mixed approach is that it breaks the encapsulation of the technique, as the client has to directly manipulate the structure to accomplish its task.

The third column represents the data types provided by each structure. Once again, the trend towards higher level data types jumps out. The fourth column is intimately bound to the previous one. We can see that after BDDs, most DDs use native and fixed operations. By native and fixed, we mean that each implementation offers a set of native operations to a model checking algorithm, and that the client of the API cannot add new operations to this API. This entails that the richer the source formalism for a translation, the heavier the translation, since the target data types are not only limited but also fixed. The only DDs that break the pattern are ΣDDs, which allow user defined types through the use of abstract data types. They also allow the definition of user defined operations on the data types using term rewriting [DW91].

The last column represents the Optimization API. As seen in Section 2.3, the way the computation is done can be a critical parameter for DD-based model checking.

Once again, in this domain we have the mixed technique and homomorphisms. The problem is the same as before, i.e., the lack of encapsulation.

2.6 Summary

In this chapter, we have given a general overview of model checking, covering the most important techniques. For symbolic model checking, we have given a detailed history. We presented a detailed account of the evolution of DDs, focusing particularly on the expressivity of the technique. The reader should by now be familiar with the problem this thesis deals with and the different solutions in the literature. In the next chapter we present in detail the mathematical tools that we use in our proposed solution.




Chapter 3

Preliminaries

In this chapter we introduce the different mathematical concepts needed to understand our work. First we introduce some general concepts and notations. Then, we define Term Rewriting (TR) and Structured Operational Semantics (SOS). These are standard techniques to describe the semantics of systems. To make this work self-contained, we define the parts of them that we plan to use.

3.1 Mathematical fundamentals

3.1.1 Boolean lattices

We start by presenting Boolean lattices. We use them to define a structure for the encoding of sets of terms. We are interested in them because we need a mathematical structure that can be related to subsets of the powerset. Lattices are such a structure.

The formal definition of lattices is given in Def. 3.1.1.

Definition 3.1.1 (Boolean Lattice) An algebraic structure L = ⟨L, ∨, ∧, 0, 1⟩ is a Boolean lattice if the following axioms hold. For all a, b, c ∈ L:

commutative a ∨ b = b ∨ a and a ∧ b = b ∧ a;

associative a ∨ (b ∨ c) = (a ∨ b) ∨ c and a ∧ (b ∧ c) = (a ∧ b) ∧ c;

idempotent a ∨ a = a and a ∧ a = a;

absorption law a ∨ (a ∧ b) = a and a ∧ (a ∨ b) = a;

distributivity a ∨ (b ∧ c) = (a ∨ b) ∧ (a ∨ c) and a ∧ (b ∨ c) = (a ∧ b) ∨ (a ∧ c);

absorbing and identity element a ∧ 0 = 0 and a ∨ 0 = a;

complement a has a unique complement aᶜ ∈ L, i.e., a ∧ aᶜ = 0 and a ∨ aᶜ = 1.

Notation We use L to refer to the algebraic structure and L to refer to the carrier set. Usually we shall be a little slovenly and say that L is a lattice. The ∨ symbol in a lattice is known as the join and the ∧ symbol as the meet. We also use the

17

(37)

18 Chapter 3. Preliminaries symbols∪(resp. ∩) to denote the join (resp. meet) of a lattice, since the lattices we consider are isomorphic to sets . The lower bound 0 of the lattice is also called the bottom elementand the the upper bound 1 thetop element. We use the symbol to denote isomorphism.

The first four axioms are the basic lattice axioms; the remaining axioms make the lattice Boolean. Boolean lattices have interesting properties. When they are finite, they are isomorphic to the powerset P(X) of some finite set X [DP02]. However, to be isomorphic to the powerset P(X) of an arbitrary set X, a Boolean lattice has to be complete and completely distributive. Completeness means that every set of elements has a supremum. Complete distributivity means that arbitrary conjunctions distribute over arbitrary disjunctions (and vice versa). Intuitively, the former guarantees that the lattice is closed under arbitrary joins and meets; the latter is a stronger form of distributivity that, in particular, holds over infinite disjunctions and conjunctions.

The reader can find the precise definitions in [DP02]. From now on, when we talk about Boolean lattices we mean lattices that are complete and completely distributive. An example of such a lattice is given in Example 3.1.1.

Example 3.1.1 Let E be a set. The powerset P(E) of E, together with set-union and set-intersection, is a Boolean lattice ⟨P(E), ∪, ∩, ∅, E⟩.
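To make Example 3.1.1 concrete, the following Python sketch (illustrative only; the helper `powerset` is ours and not part of any formalism in this thesis) exhaustively checks the axioms of Def. 3.1.1 on P(E) for a small E, with union as join and intersection as meet.

```python
from itertools import chain, combinations

def powerset(E):
    """All subsets of E, as frozensets."""
    s = list(E)
    return [frozenset(c) for c in
            chain.from_iterable(combinations(s, r) for r in range(len(s) + 1))]

E = {1, 2, 3}
L = powerset(E)                      # carrier set: 2^3 = 8 elements
bottom, top = frozenset(), frozenset(E)

# Exhaustively verify the Boolean lattice axioms of Def. 3.1.1 on P(E).
for a in L:
    ac = top - a                     # the complement of a
    assert a & ac == bottom and a | ac == top
    assert a & bottom == bottom and a | bottom == a
    for b in L:
        assert a | b == b | a and a & b == b & a          # commutativity
        assert a | (a & b) == a and a & (a | b) == a      # absorption
        for c in L:
            assert a & (b | c) == (a & b) | (a & c)       # distributivity

print("P({1, 2, 3}) satisfies the Boolean lattice axioms")
```

Since P(E) is finite, this check is exhaustive; it illustrates why the powerset is the prototypical complete, completely distributive Boolean lattice.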

3.1.2 Standard definitions

We also present some standard mathematical concepts that we use throughout the rest of this work. For a given function f and an element y of its codomain, the preimage of y is the set of elements x of the domain such that f(x) = y. The formal definition is given in Def. 3.1.2. Note that the preimage of an element may be the empty set.

Definition 3.1.2 (Preimage of an element) Let D and L be sets, and f : D → L a function. The preimage of an element y ∈ L is the set {x ∈ D : f(x) = y}. We note this set f⁻¹(y).
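Def. 3.1.2 translates directly to code when the domain is finite. The sketch below (the function name `preimage` is our own, hypothetical helper) computes f⁻¹(y) by filtering the domain; the last line shows that the preimage may indeed be empty.

```python
def preimage(f, domain, y):
    """f^{-1}(y): every x in the domain with f(x) == y."""
    return {x for x in domain if f(x) == y}

D = {0, 1, 2, 3, 4}
parity = lambda x: x % 2             # maps each number to its parity

assert preimage(parity, D, 0) == {0, 2, 4}
assert preimage(parity, D, 1) == {1, 3}
assert preimage(parity, D, 7) == set()   # the preimage may be empty
```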

We also recall the definition of a binary relation. Given two sets, a binary relation can be seen as a subset of their Cartesian product. The formal definition follows in Def. 3.1.3.

Definition 3.1.3 (Binary relation) Let A, B be sets. A binary relation R is a triple ⟨A, B, G⟩, where G ⊆ A × B is called its graph. The statement (a, b) ∈ R is read

“a is R-related to b”, and is denoted aRb. The sets A and B are called the domain and codomain, respectively.

The set of all binary relations over the sets A and B is noted B(A, B). It forms a lattice isomorphic to the lattice formed by the powerset of A × B. For two elements of B(A, B), their join and their meet are the union and the intersection of their graphs, respectively.


Example 3.1.2 Let A = {1, 2, 3, 4} and B = {1, 2, 3}. We can define the binary relation greater than or equal to, which is represented by the triple ⟨A, B, G⟩, with G = {(1,1), (2,1), (2,2), (3,1), (3,2), (3,3), (4,1), (4,2), (4,3)}. A pair (a, b) in this

relation is read: a greater than or equal to b.
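The relation of Example 3.1.2 and the lattice structure of B(A, B) can be sketched as follows (an illustrative fragment; the names `G` and `G_eq` are ours). The graph is built by comprehension, and the meet of two relations is simply the intersection of their graphs.

```python
A = {1, 2, 3, 4}
B = {1, 2, 3}

# Graph of "greater than or equal to" from Example 3.1.2.
G = {(a, b) for a in A for b in B if a >= b}
assert len(G) == 9                 # the nine pairs listed in the example
assert (3, 2) in G                 # 3 is R-related to 2
assert (1, 3) not in G

# B(A, B) is isomorphic to P(A x B): the meet of two relations is the
# intersection of their graphs.
G_eq = {(a, b) for a in A for b in B if a == b}   # the relation "equal to"
assert G & G_eq == G_eq            # a == b implies a >= b
```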

We now present multi-sets. A multi-set, or bag, is like a set but it can contain the same element several times. A formal definition is given in Def. 3.1.4. A multi-set is formalized as a function that maps each element of the underlying set to the number of times it occurs.

Definition 3.1.4 Given a non-empty set A, a multi-set of A is a function f : A → N from the set A to the set of naturals. For an element a ∈ A we call f(a) its cardinality.

Notation The set of multi-sets of a set A is noted M(A). Given a set A and some element a ∈ A, we note the multi-set that contains only a simply as a. Otherwise a multi-set is noted as follows: each element is preceded by its cardinality and an apostrophe (′), and the elements are separated by the symbol ++. An example is shown in Example 3.1.3. We note card_f(a) the function that returns the cardinality of an element a in the multi-set f.

Example 3.1.3 We present an example of a multi-set. Let A = {1, 2, 3}. The following function is a multi-set:

f : A → N
1 ↦ 2
2 ↦ 1
3 ↦ 0

We note this multi-set 2′1 ++ 1′2. We have that card_f(1) = 2, card_f(2) = 1, and card_f(3) = 0.
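A convenient programming counterpart of Def. 3.1.4 is Python's `collections.Counter`, which is exactly a mapping from elements to cardinalities (this is an illustration, not an implementation used in this thesis):

```python
from collections import Counter

# The multi-set 2'1 ++ 1'2 of Example 3.1.3: element -> cardinality.
f = Counter({1: 2, 2: 1})

assert f[1] == 2       # card_f(1) = 2
assert f[2] == 1       # card_f(2) = 1
assert f[3] == 0       # Counter reports cardinality 0 for absent elements
```

Like the multi-set of the example, elements with cardinality 0 need not be stored explicitly.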

Multi-sets support standard set operations. In particular, we define union for them. The formal definition is given in Def. 3.1.5. The idea behind the operation is the same as for set union. For the empty multi-set we use the same notation as for sets, i.e., the ∅ symbol. We present an example of multi-set union in Example 3.1.4.

Definition 3.1.5 Let A be a non-empty set, and f : A → N and g : A → N two multi-sets. We define the union of two multi-sets as follows:

f ∪ g : A → N
a ↦ f(a) + g(a)
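Continuing the `Counter` sketch (illustrative only), Def. 3.1.5 corresponds to `Counter` addition, which sums the cardinalities pointwise:

```python
from collections import Counter

f = Counter({1: 2, 2: 1})          # 2'1 ++ 1'2
g = Counter({2: 1, 3: 1})          # 1'2 ++ 1'3

# Def. 3.1.5: (f ∪ g)(a) = f(a) + g(a); Counter addition does exactly this.
union = f + g
assert union == Counter({1: 2, 2: 2, 3: 1})    # 2'1 ++ 2'2 ++ 1'3
```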
