DATE2001

LPV: a new technique, based on linear programming, to formally prove or disprove safety properties
J-L Lambert, valiosys
Contents
 What is LPV?
– LPV in brief
– The counter-example in real numbers
 LPV in details 1
– The linear programming model
– The proof engine
 An example
 LPV in details 2
– A completeness theorem
– The refinement process
 Conclusion
31/07/2017 2
What is LPV?
LPV in brief
 LPV is a theorem prover
– No state space exploration nor representation of the state space
– The performance depends on the complexity of the proof, not on the size of the system
 Based on linear programming computations
– Efficiency (polynomial time)
– Real numbers are used (the gap between real numbers and integers is always the problem)
– High level modeling (state machines)
 LPV can generate counter-examples
– The technology is complete: if the proof fails there exists a counter-example
– Beware: the counter-example may not be a real one. It may be in real numbers
What is a counter-example in real numbers?
[Figure: a run over t=0, t=1 and t=2 in which the states carry the weight 1/2 instead of 0 or 1]
What to do with counter-examples in real numbers?
Real number counter-examples are the price to pay for having a polynomial and complete proof system
Analyzing a counter-example allows one to understand why the proof engine failed
That analysis gives some indications on how the model can be modified to make the proof succeed
The modification of the model is called the refinement; the analysis is the refinement algorithm
LPV in details 1
The model used
The model is communicating automata synchronized by blocking rendez-vous
[Figure: two automata exchanging the messages a, b, c and d]
The translation into linear equations
[Figure: a transition t carrying the message b from the state e to the state e'. Variables: $X_{in}(e)$ for the source state, $Y(t)$ for the transition, $M(b)$ for the message, $X_{out}(e')$ for the target state]
The translation into linear equations
$X_{in}(e) = \sum_{t \text{ exiting } e} Y(t)$ (one equation for each state)
$X_{out}(e) = \sum_{t \text{ entering } e} Y(t)$ (one equation for each state)
$M(b) = \sum_{t \text{ emitting } b} Y(t)$ (one equation for each message and each automaton emitting the message)
$\sum_{t \text{ in the automaton}} Y(t) = 1$ (one equation for each automaton)
The epsilon transitions
The model is supposed to contain epsilon transitions:
• epsilon transitions carry no message
• each state carries one epsilon transition
• the epsilon transition has the same input and output state
• the epsilon transitions allow an automaton to do nothing
[Figure: the automata of the previous slide with an epsilon self-loop added on every state]
The linear system of equations generated
It has the form:
$X_{in} = AY$
$M = BY$
$X_{out} = CY$
$1 = DY$
And its integer solutions are the global transitions of the system where:
• $X_{in}(e) = 1$ iff the automaton is in the state e at the beginning of the global transition
• $M(b) = 1$ iff b is emitted
• $Y(t) = 1$ iff t is fired
• $X_{out}(e) = 1$ iff the automaton is in the state e at the end of the global transition
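As an added illustration (not code from the slides or from valiosys), the translation above applied to a constructed two-automaton system in Python: the equations are built exactly as listed ($X_{in}$, $X_{out}$, $M$ and the per-automaton sum), and the 0/1 solutions are enumerated by brute force instead of by linear programming, which is enough to see that the integer solutions are precisely the synchronized global transitions. It assumes that "one equation for each message and each automaton emitting the message" means $M(b)$ gets one equation from every automaton that has transitions on b, so that the equations of the two sides of a rendez-vous share the same variable.

```python
from itertools import product

# Constructed example (not from the slides): two automata synchronised by
# blocking rendez-vous on the messages "req" and "ack"; every state also has
# the epsilon self-loop the slides require. Transition: (name, from, to, msg).
AUTOMATA = {
    "S": [("s_req", "S0", "S1", "req"), ("s_ack", "S1", "S0", "ack"),
          ("eps_S0", "S0", "S0", None), ("eps_S1", "S1", "S1", None)],
    "R": [("r_req", "R0", "R1", "req"), ("r_ack", "R1", "R0", "ack"),
          ("eps_R0", "R0", "R0", None), ("eps_R1", "R1", "R1", None)],
}

def linear_system(automata):
    """Slides' equations as (left-hand variable, [Y variables it sums]):
    Xin(e) over t exiting e, Xout(e) over t entering e, M(b) over t emitting b
    (one per automaton using b) and "1" over all t of one automaton."""
    eqs = []
    for trans in automata.values():
        for e in sorted({s for _, src, dst, _ in trans for s in (src, dst)}):
            eqs.append((f"Xin({e})", [t for t, src, _, _ in trans if src == e]))
            eqs.append((f"Xout({e})", [t for t, _, dst, _ in trans if dst == e]))
        for b in sorted({m for _, _, _, m in trans if m}):
            eqs.append((f"M({b})", [t for t, _, _, m in trans if m == b]))
        eqs.append(("1", [t for t, _, _, _ in trans]))
    return eqs

def global_transitions(automata):
    """Integer (0/1) solutions of the whole system = the global transitions."""
    eqs = linear_system(automata)
    names = [t for trans in automata.values() for t, *_ in trans]
    found = []
    for bits in product((0, 1), repeat=len(names)):
        y = dict(zip(names, bits))
        values, ok = {}, True          # value of each left-hand variable
        for lhs, ys in eqs:
            v = sum(y[t] for t in ys)
            if lhs == "1":             # 1 = DY: one fired t per automaton
                ok &= v == 1
            elif values.setdefault(lhs, v) != v:
                ok = False             # M(b) differs between the two sides
        if ok:                         # of the rendez-vous: not a solution
            found.append(tuple(t for t in names if y[t]))
    return found

def successors(automata, occupied):
    """Global transitions whose Xin marks exactly `occupied` (E.Xin = 0 elsewhere)."""
    source = {t: src for trans in automata.values() for t, src, _, _ in trans}
    return [g for g in global_transitions(automata)
            if {source[t] for t in g} == set(occupied)]
```

Of the 16 ways to pick one transition per automaton, only the six where the message variables agree survive: four pairs of epsilon moves plus the two rendez-vous.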
The proof engine
 The LPV proof engine works under the following assumptions:
– The system is described as communicating automata (following the lines mentioned previously)
– Each state of each automaton has an epsilon transition
– The initial state of the system is implicitly given by an equation $E X_i = 0$ (E positive), i.e. some states are empty in the initial state
– The objective is described as an additional constraint concerning the last state, $F X_f = 0$ (F positive), i.e. some states are empty in the final state
The first engine: interpretation
The first engine can be interpreted as the computation of a set of states such that any transition entering the set must synchronize with one that exits it
[Figure: the set of states e such that u(e) > 0]
The first engine
It computes a positive vector u (one component per state) such that:
$E.X_{in} = 0$ implies $u.X_{in} = 0$
$u.X_{in} = 0$, $X_{in} = AY$, $M = BY$, $X_{out} = CY$, $1 = DY$ implies $u.X_{out} = 0$
u has the maximum number of non-zero components
The first engine: conclusion
 The first engine proves that:
– The invariant $u.X = 0$ is satisfied on any sequence having $X_i$ as initial state
 This leads to the conclusions:
– all the states of the system for which u(e) > 0 remain empty on any sequence satisfying the request
– If for all the states e of an automaton we have u(e) > 0 or F(e) > 0 then the final state must verify $\sum_{e \text{ state of the automaton}} X_f(e) = 0$, which is impossible
 In consequence we get that
– Either there is no possible final state for the request
– Or all the states of the system for which u(e) > 0 can be removed from the model
The second engine: interpretation
The second engine can be interpreted as the computation of a set of states such that any transition exiting the set must synchronize with one that enters it
[Figure: the set of states e such that u(e) > 0]
The second engine
It computes a positive vector u (one component per state) such that:
$F.X_{out} = 0$ implies $u.X_{out} = 0$
$u.X_{out} = 0$, $X_{in} = AY$, $M = BY$, $X_{out} = CY$, $1 = DY$ implies $u.X_{in} = 0$
u has the maximum number of non-zero components
The second engine: conclusion
 The second engine proves that:
– The invariant $u.X = 0$ is satisfied on any sequence having $X_f$ as final state
 This leads to the conclusions:
– all the states of the system for which u(e) > 0 remain empty on any sequence satisfying the request
– If for all the states e of an automaton we have u(e) > 0 or E(e) > 0 then the initial state must verify $\sum_{e \text{ state of the automaton}} X_i(e) = 0$, which is impossible
 In consequence we get that
– Either there is no possible initial state for the request
– Or all the states of the system for which u(e) > 0 can be removed from the model
The third engine: interpretation
[Figure: the hyperplane $C.X = b$ with the regions $C.X > b$ and $C.X < b$, the initial state $X_i$ and the final state $X_f$]
The third engine: interpretation
The third engine can be interpreted as the computation of a potential function that increases at each global transition of the system
The value of that function is strictly increased iff some specified transitions are fired
Moreover that function is decreased between the initial and the final state
The third engine
It computes a vector C (one component per state) and a positive vector V (one component per transition) such that:
$E.X = 0$, $F.X' = 0$ implies $C.X \ge C.X'$
$X_{in} = AY$, $M = BY$, $X_{out} = CY$, $1 = DY$ implies $C.X_{out} - C.X_{in} = V.Y$
V has the maximum number of non-zero components
The third engine: conclusion
 The third engine proves that:
– The linear function $C.X$ increases with any global transition of the system and strictly increases when a transition such that V(t) > 0 is fired
 This leads to the conclusions:
– all the transitions of the system for which V(t) > 0 cannot be fired in any sequence satisfying the request
– If the inequality $C.X_i \ge C.X_f$ is strict, i.e. $C.X_i > C.X_f$, then the request is impossible
 In consequence we get that
– Either the request is impossible
– Or all the transitions of the system for which V(t) > 0 can be removed from the model
Behaviour of the proof engine
 While no result has been returned
– Choose one of the engines and apply it
– If the engine proves impossibility then return « proof done »
– Else suppress transitions or states
– If the three engines were tried and none of them suppressed a transition or a state then return « proof failed »
The above process works in polynomial time w.r.t. the number of transitions
An example
[Figure: the example system: three communicating automata with states A1, A2; E0, E1, E2; B1, B2 and messages a, b, ra, rb]
An example: the first question
[Figure: the example system]
The question is: can the state (A1,E1,B2) be reached?
An example: the first answer
[Figure: the example system with the set Q marked]
The answer is: no, since the set Q = {B1,E2,E0,A2} cannot be emptied
An example: the second question
[Figure: the example system]
The question is: can a state in {(A1,E1,B2), (B1,E1,B2)} be reached?
An example: the second answer
[Figure: the example system]
The answer is: no, since the function $-2X(B1) - X(E0) + X(E1) - 3X(E2) + 2X(B2)$ is constant
An example: the second answer
[Figure: values of the function $C.X$: $C.X = 0$ and $C.X = -1$ on the side of the initial state $X_i$, $C.X = 3$ and $C.X = 1$ on the side of the final states $X_f$]
LPV in details 2
The failure of the proof engine: a completeness theorem
 When the proof engine fails in finding a proof, it provides an answer that is not simply « the proof failed »
 It can provide a counter-example showing why the proof failed
 The counter-example is composed of a number n and a real positive solution of the system of equations:
$E.X^0 = 0$
for i = 1 to n: $X^{i-1} = AY^i$, $M^i = BY^i$, $X^i = CY^i$, $1 = DY^i$
$F.X^n = 0$
Meaning of the counter-examples
A counter-example is a scenario on n steps contradicting the property:
$X^0 \xrightarrow{Y^1,\,M^1} X^1 \xrightarrow{Y^2,\,M^2} X^2 \cdots X^{n-1} \xrightarrow{Y^n,\,M^n} X^n$
If the counter-example is in integers, it is a valid counter-example to the property
If the counter-example is in real numbers one doesn't know the status of the property
An example of refinement
[Figure: a counter-example in real numbers on the product states a.0, a.1, b.0, b.1, c.0, c.1, d.0, d.1, in which several states and transitions carry the weight 0.5]
Typical refinement situation
[Figure: a is half in a.0 and half in a.1, b is half in b.0 and half in b.1, while c.0 and d.1 hold; in the refined system the state b.0 is split according to the state of a into b.0a.0 and b.0a.1, next to b.1]
On the refined system: c=0 and d=1 is impossible
The refined system
[Figure: the refined system with states a.0, a.1, b.0a.0, b.0a.1, b.1, c.0, c.1, d.0, d.1; the weights that were 0.5 are now 0 or 1]
More general refinements
[Figure: states n, m and c split by conditions on a and b: n into n(a b) and n(¬a ¬b), m into m(a) and m(¬a), c into c(a b) and c(¬a ¬b)]
Conclusion
 LPV is a new theorem prover
 LPV manipulates new concepts that are not manipulated by other verification techniques
 LPV applies well at the level of communicating state machines
 LPV's proof system works in polynomial time and is therefore scalable
 In case of failure, a counter-example is generated; this counter-example makes it possible to modify the system and complete the proof
 The refinement process is not polynomial time
 The success and scalability of LPV depend on both the adequacy of the underlying proof concepts and the description level of the model
 The linear invariants manipulated by LPV are often preserved by system complications