Linear Programming for Linear Hybrid Automata

Linear Programming for Software Verification
Model Checking Group Talk
Dellacherie et al.
LPV Technology patent #97 15217
[France Telecom, the CNRS, and the University of Caen]
Problem Definition
• Given a software system S and a property P, determine whether a path of S satisfies P.
– If yes, show the path.
– If not, generate a proof of its non-existence.
Synchronized Automata - I
(Figure: a small example of synchronized automata)
• Each automaton has a single token that can move from state to state using the transitions.
• Transitions carry (possibly multiple) synchronization messages.
• An automaton can go (i.e. move its token) from a state to another if and only if
– there exists a transition between those two states, and
– all the synchronization messages present on that transition can be emitted.
Synchronized Automata - II
• A message can be emitted if and only if all automata that know the message (i.e. that have at least one transition carrying this message) can simultaneously use a transition carrying this message.
• For example, automaton A can go from state Ae1 to state Ae2 if and only if both synchronization messages m1 and m2 can be emitted.
• This is possible if, for example, automata B and C are (i.e. have their token) respectively in states Be1 and Ce1.
• In this situation, the three automata will arrive in states Ae2, Be2 and Ce2 respectively.
Definition: System of Automata
• A system of automata $S$ is composed of $N$ subsystems $S_n$ ($1 \le n \le N$) called automata, and of a set $M = \{ m_k ; 1 \le k \le |M| \}$ containing the messages $m_k$ of $S$.
• Every automaton $S_n$ is described by
– 1. the set $E_n = \{ e_{i,n} ; 1 \le i \le |E_n| \}$ of its states;
– 2. the set $A_n = \{ a_{j,n} ; 1 \le j \le |A_n| \}$ of its transitions, each transition $a_{j,n} = (e_{j_1,n}, e_{j_2,n})$ carrying a set of messages $M_{j,n}$;
– 3. the set of messages $M_n \subseteq M$ carried by $A_n$.
Definition: Synchronization Rule
• Let us call configuration a mapping $C$ which associates to every automaton $S_n$ a unique state $e_n$ of $S_n$ called the activated state of $S_n$, and let us call synchronization a subset $s$ of $M$. We then define the synchronization rule as follows:
• The synchronization $s$ takes the automata system $S$ from configuration $C$ to configuration $C'$ if and only if $\forall S_n \in S$:
• 1. if $s \cap M_n = \emptyset$ then $C'(S_n) = C(S_n)$
– If $s$ does not share a message with $S_n$, then the token on $S_n$ does not move.
• 2. if $s \cap M_n \neq \emptyset$ and $\exists a_{j,n} = (e_{j_1,n}, e_{j_2,n}) \in A_n$ such that $M_{j,n} = s \cap M_n$, then $e_{j_1,n} = C(S_n)$ and $e_{j_2,n} = C'(S_n)$
– If $s$ does share a message with $S_n$, then $S_n$ takes the transition whose label is exactly the part of $s$ that $S_n$ knows.
Definition: Synchronized Automata
• A system of synchronized automata is a system of automata endowed with the (previously discussed) synchronization rule.
• Accessibility Properties: The kind of requests we will check on a system of synchronized automata corresponds to the classical set of accessibility (or reachability) properties.
Definition: Path Satisfiability
• An accessibility property $P = (C, C')$ on $S$ has a path satisfying $P$ if and only if there exists a path in $N$ steps going from the initial configuration $C_0$ to a configuration $C'_N$ such that $\forall S_n \in S$:
• if $E_n \cap C \neq \emptyset$, then $C_0(S_n) \in C$
• if $E_n \cap C' \neq \emptyset$, then $C'_N(S_n) \in C'$
– Here $C$ and $C'$ are sets of states: the property only constrains the automata that have a state in $C$ (resp. $C'$).
Flow-Synchronized Automata
• Message-flow: A message-flow is a function $f_m$ which associates to every message $m$ of $S$ a real quantity $f_m(m) \in [0, 1]$.
• Transition-flow: A transition-flow is a function $f_a$ which associates to every transition $a_{j,n}$ of $S$ a real quantity $f_a(a_{j,n}) \in [0, 1]$.
• State-flow: A state-flow is a function $f_e$ which associates to every state $e_{i,n}$ of $S$ a real quantity $f_e(e_{i,n}) \in [0, 1]$.
Flow-Synchronization Rules - I
• $A_{m,n}$ is the set of transitions of automaton $S_n$ carrying message $m$:
– $A_{m,n} = \{ a_{j,n} \in A_n \mid m \in M_{j,n} \}$
• $E^+_{i,n}$ is the set of transitions of $S_n$ having $e_{i,n}$ as starting state:
– $E^+_{i,n} = \{ a_{j,n} \in A_n \mid \exists e,\ a_{j,n} = (e_{i,n}, e) \}$
• $E^-_{i,n}$ is the set of transitions of $S_n$ having $e_{i,n}$ as arriving state:
– $E^-_{i,n} = \{ a_{j,n} \in A_n \mid \exists e,\ a_{j,n} = (e, e_{i,n}) \}$
Flow-Synchronization Rules - II
• Conservation of tokens in the state-flow of automata:
$\forall S_n,\ \sum_{e_{i,n} \in E_n} f_C(e_{i,n}) = 1$
– i.e. the quantity of token on each automaton is equal to 1 ($f_C$ denotes the state-flow of the flow-configuration $C$, and $f_s$ below the message-flow of the synchronization $s$).
• Relation between transition-flow and message-flow for a valid synchronization:
$\forall m \in M,\ \forall S_n,\ A_{m,n} \neq \emptyset \Rightarrow f_s(m) = \sum_{a_{j,n} \in A_{m,n}} f_a(a_{j,n})$
– i.e. for all automata that know $m$, the quantity of $m$ emitted is equal to the flow going through the transitions carrying $m$.
Flow Synchronization Rules - III
• 1. $\sum_{a_{j,n} \in E^+_{i,n}} f_a(a_{j,n}) \le f_C(e_{i,n})$
– (i.e. the flow leaving $e_{i,n}$ is not greater than the quantity of token which is on $e_{i,n}$),
• 2. $\sum_{a_{j,n} \in E^-_{i,n}} f_a(a_{j,n}) \le f_{C'}(e_{i,n})$
– (i.e. the flow arriving on $e_{i,n}$ is not greater than the total amount of token which is on $e_{i,n}$ afterwards),
• 3. $f_C(e_{i,n}) - \sum_{a_{j,n} \in E^+_{i,n}} f_a(a_{j,n}) = f_{C'}(e_{i,n}) - \sum_{a_{j,n} \in E^-_{i,n}} f_a(a_{j,n})$
– (i.e. the new quantity of token on $e_{i,n}$ is the previous quantity plus the flow arriving on $e_{i,n}$ less the flow leaving $e_{i,n}$).
Flow Synchronization Automata
• A system of flow-synchronized automata is a system of automata endowed with the flow-synchronization rule.
• Furthermore, let $f_C$ and $f_{C'}$ be two flow-configurations of $S$. The change from $f_C$ to $f_{C'}$ by flow-synchronization $f_s$ defines a flow-step $(f_C, f_s, f_{C'})$ for $S$.
• A succession of flow-steps $(f_{C_0}, f_{s_0}, f_{C'_0}), \ldots, (f_{C_{n-1}}, f_{s_{n-1}}, f_{C'_{n-1}})$ such that $f_{C'_i} = f_{C_{i+1}}$ defines a flow-path for $S$.
Storied Automata
• Let $S$ be a system of automata. We consider $S$ on $T + 1$ time steps as follows: for each automaton $S_n \in S$ we associate
– to every value $t \in \{0, \ldots, T\}$ and every state $e_{i,n}$, a state $e_{i,n}(t)$;
– to every value $t \in \{1, \ldots, T\}$ and every transition $a_{j,n} = (e_{j_1,n}, e_{j_2,n})$, a transition $a_{j,n}(t) = (e_{j_1,n}(t-1), e_{j_2,n}(t))$;
– to every value $t \in \{1, \ldots, T\}$ and every message $m_k \in M_{j,n}$, a message $m_k(t) \in M_{j,n}(t)$;
– to every value $t \in \{1, \ldots, T\}$ and every state $e_{i,n}$, an idle transition (written $\iota_{i,n}(t)$ here) $= (e_{i,n}(t-1), e_{i,n}(t))$, which lets the token stay on $e_{i,n}$ during step $t$.
• The system thus constructed from $S$ is called the storied system of automata $S_T$ of $S$ on $T$ time steps.
System of Equations: L(ST,P)
• Flow equations: $\forall S_n \in S,\ \forall t \in \{1, \ldots, T\},\ \forall e_{i,n} \in E_n$, we have
– $e_{i,n}(t-1) = \sum_{a_{j_1,n} \in E^+_{i,n}} a_{j_1,n}(t) + \iota_{i,n}(t)$
– $e_{i,n}(t) = \sum_{a_{j_2,n} \in E^-_{i,n}} a_{j_2,n}(t) + \iota_{i,n}(t)$
• Synchronization equations: $\forall S_n \in S,\ \forall t \in \{1, \ldots, T\},\ \forall m \in M_n$, we have
– $m(t) = \sum_{a_{j_3,n} \in A_{m,n}} a_{j_3,n}(t)$
• Property equations: $\forall S_n \in S$, we have
– if $C \cap E_n \neq \emptyset$ then $\sum_{e_{i,n} \in C \cap E_n} e_{i,n}(0) = 1$
– if $C' \cap E_n \neq \emptyset$ then $\sum_{e_{i,n} \in C' \cap E_n} e_{i,n}(T) = 1$
• The unknowns are the flows on the storied states $e_{i,n}(t)$, transitions $a_{j,n}(t)$, idle transitions $\iota_{i,n}(t)$ (the transition that keeps the token on $e_{i,n}$ during step $t$) and messages $m(t)$.
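The construction of $L(S_T, P)$ above, as an added example that is not code from the original talk: it generates the flow, synchronization and property equations for a constructed two-automata system (automaton, state and message names are made up) and checks candidate flow assignments against them; feeding the equations to an LP solver is the step the slides call "solving" and is not included here.

```python
"""Build L(S_T, P) for a constructed two-automata system and check candidate
flow assignments. Added example, not code from the original talk."""
def build_L(system, C, Cp, T):
    """system: name -> (states, [(src, dst, messages)]). Returns equations
    (coeffs, rhs) meaning sum(coeffs[v] * x[v]) == rhs, with variable keys
    ("e", n, state, t), ("a", n, j, t), ("iota", n, state, t), ("m", msg, t)."""
    eqs = []
    messages = {m for _, trs in system.values() for _, _, ms in trs for m in ms}
    for n, (states, trs) in system.items():
        for t in range(1, T + 1):
            for e in states:
                out = {("a", n, j, t): -1 for j, (s, _, _) in enumerate(trs) if s == e}
                inc = {("a", n, j, t): -1 for j, (_, d, _) in enumerate(trs) if d == e}
                # flow: e(t-1) = sum of leaving transitions a(t) + iota_e(t)
                eqs.append(({("e", n, e, t - 1): 1, ("iota", n, e, t): -1, **out}, 0))
                # flow: e(t) = sum of arriving transitions a(t) + iota_e(t)
                eqs.append(({("e", n, e, t): 1, ("iota", n, e, t): -1, **inc}, 0))
            # synchronization: each automaton knowing m ties m(t) to the flow
            # through its own transitions carrying m
            for m in messages:
                carry = {("a", n, j, t): -1 for j, (_, _, ms) in enumerate(trs) if m in ms}
                if carry:
                    eqs.append(({("m", m, t): 1, **carry}, 0))
        # property: tokens start on C and end on C', only where they meet E_n
        if set(C) & set(states):
            eqs.append(({("e", n, e, 0): 1 for e in C if e in states}, 1))
        if set(Cp) & set(states):
            eqs.append(({("e", n, e, T): 1 for e in Cp if e in states}, 1))
    return eqs

def violations(eqs, x):
    """Equations that assignment x does not satisfy (absent variables are 0)."""
    return [(c, r) for c, r in eqs if sum(k * x.get(v, 0) for v, k in c.items()) != r]

# Constructed system: A and B each own one transition, both carrying message m,
# so A can move only if B moves in the same time step.
SYSTEM = {"A": (["a1", "a2"], [("a1", "a2", {"m"})]),
          "B": (["b1", "b2"], [("b1", "b2", {"m"})])}
L = build_L(SYSTEM, C=["a1", "b1"], Cp=["a2"], T=1)

# Flow-path for property "A reaches a2": both automata fire on m at step 1.
GOOD = {("e", "A", "a1", 0): 1, ("e", "B", "b1", 0): 1, ("m", "m", 1): 1,
        ("a", "A", 0, 1): 1, ("a", "B", 0, 1): 1,
        ("e", "A", "a2", 1): 1, ("e", "B", "b2", 1): 1}
# A moves alone while B idles: token conservation holds, but B's
# synchronization equation fails (m(1) = 1 while B's flow on m is 0).
BAD = {("e", "A", "a1", 0): 1, ("e", "B", "b1", 0): 1, ("m", "m", 1): 1,
       ("a", "A", 0, 1): 1, ("e", "A", "a2", 1): 1,
       ("iota", "B", "b1", 1): 1, ("e", "B", "b1", 1): 1}
```

`violations(L, GOOD)` is empty and `violations(L, BAD)` returns exactly B's synchronization equation for m at step 1.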
Key Result
• Solving $L(S_T, P)$ gives either a flow-path or a proof of the non-existence of any path of length $N$ on a model of $T$ stories.
– If we find a flow-path, it may be spurious (a real-valued flow need not correspond to an actual path).
– If we find a proof of the non-existence of any path, we are done.
Examples Analyzed - I
• Telephone System: The system is made of more than 800 automata and uses more than 2500 different synchronization messages. The state space is more than $10^{40}$ wide.
• The property checked was whether phone#2 can ring while nobody ever called it.
Examples Analyzed - II
• An Access Control System: On this last instance the resulting system is made of 230 automata and uses more than 2800 different synchronization messages. The state space is more than $10^{52}$ wide.
• The property checked was:
– Can card#1, who entered building#1, enter building#2 without first getting out of building#1?
Examples Analyzed - III
• Bus Arbiter: Systems with up to 1200 cells were analyzed. The state space is then at least $10^{500}$ wide, and the computation took around one hour.
• The property checked was whether a client could access the bus at the same time as client#1.
Deeper Insights
• There is a PhD thesis in German which perhaps contains the details:
– [Del99b] S. Dellacherie. Vérification logicielle basée sur la programmation linéaire. PhD thesis, Université de Caen, 1999. To appear.
– [Dev99] S. Devulder. Un modèle de preuve de logiciels fondé sur la programmation linéaire. PhD thesis, Université de Caen, 1999. To appear.
US Patent, October 15, 2002
Dellacherie, Samuel (Caen, FR); Broult, Christophe (Briouze, FR); Devulder, Samuel (Saint-Contest, FR); Lambert, Jean-Luc (Amfreville, FR)
• Farkas Lemma: Let $A$ be a matrix and $x$ and $b$ be vectors. Then the system
$A x = b$ for some $x \ge 0$
has no solution iff the system
$A^T y \ge 0$ and $b^T y < 0$
has a solution, where $y$ is a vector.
– Such a $y$ is the certificate behind the "proof of non-existence" of a path: it shows that the equations of $L(S_T, P)$ admit no non-negative solution.
Fang, S.-C. and Puthenpura, S. Linear Optimization and Extensions: Theory and Algorithms. Englewood Cliffs, NJ: Prentice-Hall, p. 60, 1993.