# FAST: Theory and practice of acceleration 

Sébastien Bardin<br>LSV - CNRS \& ÉNS de Cachan<br>24 avril 2006

## Verification of reactive systems



## Reactive systems

- Software and/or hardware
- Autonomous
- Critical


## The TTP protocol



## Processors embedded in cars

The TTP protocol

- fault tolerance
- ensure no fault will propagate

TTP is supported by Audi, PSA, Renault, ...

## A model of the TTP [Bouajjani-Merceron 2002]

```
If \(\mathrm{d}<\mathrm{N}\) Do
    \(\mathrm{d}:=\mathrm{d}+1 ; \mathrm{Cp}:=\mathrm{Cp}+1\)
End Do
```



N : number of processors
Cp : round number
d : number of processors having broadcast so far

## A model of the TTP [Bouajjani-Merceron 2002]



## A model of the TTP [Bouajjani-Merceron 2002]



## Question

In the red location, does
$C_{p}=N \Rightarrow\left(C_{0}=0 \vee C_{1}=0\right)$ ?

## Objective

Automatic verification for any value of $N$

## Our problem: counter system verification

## Counter systems

- we study mathematical models of concrete systems
- automata extended with unbounded integer variables

Properties to check

Reachability properties $=$ properties of reachable configurations.

- useful: mutual exclusion, deadlock freedom, ...
- easy to check from the reachability set.


## Our problem: counter system verification

## Problems

- Undecidable for two counters with $(+1,-1, \stackrel{?}{=} 0)$
- One of the issues: infinite reachability set


## Back to the finite case



## Back to the finite case



## Back to the finite case



## Back to the finite case



## Back to the finite case



## Extend verification to infinite systems

Enumerative methods do not work any more

Algorithms for decidable subclasses

- Petri nets,
- timed automata,
or Semi-algorithms to compute the reachability set
- more expressive/realistic systems
- no guarantee of termination, we hope practical termination
- Extend iterative computation for infinite sets
- (symbolic model-checking)


## Extend verification to infinite systems

Enumerative methods do not work any more

Algorithms for decidable subclasses

- Petri nets,
- timed automata, ...
or Semi-algorithms to compute the reachability set
- more expressive/realistic systems
- no guarantee of termination, we hope practical termination
- Extend iterative computation for infinite sets
- (symbolic model-checking)


## Extend verification to infinite systems

Enumerative methods do not work any more

Algorithms for decidable subclasses

- Petri nets,
- timed automata, ...
or Semi-algorithms to compute the reachability set
- more expressive/realistic systems
- no guarantee of termination, we hope practical termination
- Extend iterative computation for infinite sets
- (symbolic model-checking)


## Symbolic model-checking framework

Issue 1: infinite set of reachable configurations.
Idea $=$ manipulate infinite sets of configurations

- sets are represented symbolically.
- need basic symbolic operations POST, ப, $\sqsubseteq$.

Example: intervals of integers

- Formula $\phi_{x}:\{x>5\}$ means that $x$ ranges over all integers greater than 5
- After transition $\xrightarrow{\mathrm{y}:=\mathrm{x}+1}$, the possible values of $y$ are exactly represented by $\phi_{Y}=\{y>6\}$


## Symbolic model-checking framework

Issue 1: infinite set of reachable configurations.
Idea $=$ manipulate infinite sets of configurations

- sets are represented symbolically.
- need basic symbolic operations POST, $\sqcup$, $\sqsubseteq$.

Example: intervals of integers

- Formula $\phi_{X}:\{x>5\}$ means that $x$ ranges over all integers greater than 5
- After transition $\xrightarrow{y:=x+1}$, the possible values of $y$ are exactly represented by $\phi_{Y}=\{y>6\}$


## First (and basic) symbolic procedure

Iterative computation of $\operatorname{post}_{S}^{*}\left(X_{0}\right)$
(1) $X \leftarrow X_{0}$
(2) If $\operatorname{Post}(X) \sqsubseteq X$ Goto 5
(3) $\quad X \leftarrow \operatorname{Post}(X) \sqcup X$
(9) Goto 2
(5) Return $X$

Issue 2: termination is scarce
because of circuits in the control graph


$$
\text { If } X_{0}=\{0\} \text { then }
$$

## First (and basic) symbolic procedure

Iterative computation of $\operatorname{post}_{S}^{*}\left(X_{0}\right)$
(1) $X \leftarrow X_{0}$
(2) If $\operatorname{Post}(X) \sqsubseteq X$ Goto 5
(3) $\quad X \leftarrow \operatorname{Post}(X) \sqcup X$
(9) Goto 2
(5) Return $X$

## Issue 2: termination is scarce

because of circuits in the control graph ...

$$
\text { If } x \geq 0 \text { Do } x \leftarrow x+2
$$



If $X_{0}=\{0\}$ then $X=\{0\}$

## First (and basic) symbolic procedure

Iterative computation of post $_{S}^{*}\left(X_{0}\right)$
(1) $X \leftarrow X_{0}$
(2) If $\operatorname{Post}(X) \sqsubseteq X$ Goto 5
(3) $\quad X \leftarrow \operatorname{Post}(X) \sqcup X$
(9) Goto 2
(5) Return $X$

## Issue 2: termination is scarce

because of circuits in the control graph ...


If $X_{0}=\{0\}$ then $X=\{0,2\}$

## First (and basic) symbolic procedure

Iterative computation of post $_{S}^{*}\left(X_{0}\right)$
(1) $X \leftarrow X_{0}$
(2) If $\operatorname{Post}(X) \sqsubseteq X$ Goto 5
(3) $\quad X \leftarrow \operatorname{Post}(X) \sqcup X$
(9) Goto 2
(5) Return $X$

## Issue 2: termination is scarce

because of circuits in the control graph ...


## Principle of circuit acceleration

## Circuit acceleration

Enhance the convergence of the iterative symbolic procedure by computing in one step the iteration of a sequence of transitions (circuit).


If $X_{0}=\{0\}$ then

## Principle of circuit acceleration

## Circuit acceleration

Enhance the convergence of the iterative symbolic procedure by computing in one step the iteration of a sequence of transitions (circuit).


## About acceleration of counter systems

State-of-the-art in 2002
(Karp-Miller 1969)
(Fribourg 1990)
[Boigelot-Wolper 1994],
[Boigelot-Wolper 1998],
[Annichini-Asarin-Bouajjani 2000], (+ temps)
[Finkel-Leroux 2002],
Remarks
(1) very different techniques, no unifying view (comparison?)
(2) still a gap between acceleration algorithm and fixpoint
computation (how to select circuits?)

## About acceleration of counter systems

State-of-the-art in 2002
(Karp-Miller 1969)
(Fribourg 1990)
[Boigelot-Wolper 1994],
[Boigelot-Wolper 1998],
[Annichini-Asarin-Bouajjani 2000], (+ temps)
[Finkel-Leroux 2002],
Remarks
(1) very different techniques, no unifying view (comparison?)
(2) still a gap between acceleration algorithm and fixpoint computation (how to select circuits?)

## Symbolic computation in counter systems, 2002

- A symbolic representation: automata
- DFA [Boudet-Comon 1996],
- NDD [Wolper-Boigelot 2000]).
- Various circuit acceleration algorithms
- $f(x)=M . x+v$, with finite monoid and convex guard [Boigelot 1998]
- $f(x)=M \cdot x+v$ with finite monoid and Presburger guard [Finkel-Leroux 2002]
- functions "à la" timed automata [Annichini-Asarin-Bouajjani 2000]
- Circuit selection no argued heuristic
- Tools
- Alv (no acceleration) [Bultan]
- LASH (acceleration but no circuit selection) [Wolper]
- TREX (acceleration and circuit selection, but no argument) [Bouajjani]


## Symbolic computation in counter systems, 2002

- A symbolic representation: automata

■ DFA [Boudet-Comon 1996],

- NDD [Wolper-Boigelot 2000]).
- Various circuit acceleration algorithms
- $f(x)=M \cdot x+v$, with finite monoid and convex guard [Boigelot 1998]
■ $f(x)=M \cdot x+v$ with finite monoid and Presburger guard [Finkel-Leroux 2002]
- functions "à la" timed automata [Annichini-Asarin-Bouajjani 2000]
- Circuit selection no argued heuristic
- Tools
- AlV (no acceleration) [Bultan]
- LASH (acceleration but no circuit selection) [Wolper]
- TREX (acceleration and circuit selection, but no argument) [Bouajjani]


## Symbolic computation in counter systems, 2002

- A symbolic representation: automata

■ DFA [Boudet-Comon 1996],
■ NDD [Wolper-Boigelot 2000]).

- Various circuit acceleration algorithms
- $f(x)=M \cdot x+v$, with finite monoid and convex guard [Boigelot 1998]
- $f(x)=M . x+v$ with finite monoid and Presburger guard [Finkel-Leroux 2002]
■ functions "à la" timed automata [Annichini-Asarin-Bouajjani 2000]
- Circuit selection no argued heuristic
- Tools
- Alv (no acceleration) [Bultan]
- LaSh (acceleration but no circuit selection) [Wolper]
- TREX (acceleration and circuit selection, but no argument) [Bouajjani]


## Symbolic computation in counter systems, 2002

- A symbolic representation: automata

■ DFA [Boudet-Comon 1996],
■ NDD [Wolper-Boigelot 2000]).

- Various circuit acceleration algorithms
- $f(x)=M \cdot x+v$, with finite monoid and convex guard [Boigelot 1998]
- $f(x)=M . x+v$ with finite monoid and Presburger guard [Finkel-Leroux 2002]
■ functions "à la" timed automata [Annichini-Asarin-Bouajjani 2000]
- Circuit selection no argued heuristic
- Tools
- Alv (no acceleration) [Bultan]
- LaSh (acceleration but no circuit selection) [Wolper]
- TREX (acceleration and circuit selection, but no argument) [Bouajjani]


## Symbolic computation in counter systems, 2002

- A symbolic representation: automata

■ DFA [Boudet-Comon 1996],

- NDD [Wolper-Boigelot 2000]).
- Various circuit acceleration algorithms
- $f(x)=M \cdot x+v$, with finite monoid and convex guard [Boigelot 1998]
- $f(x)=M . x+v$ with finite monoid and Presburger guard [Finkel-Leroux 2002]
■ functions "à la" timed automata [Annichini-Asarin-Bouajjani 2000]
- Circuit selection no argued heuristic
- Tools
- Alv (no acceleration) [Bultan]
- Lash (acceleration but no circuit selection) [Wolper]
- TREX (acceleration and circuit selection, but no argument) [Bouajjani]


## Issues / Results

Issue : Various acceleration techniques
Results : Unifying framework encompassing most of acceleration

## theorems [ATVA'05]

Issue : How to select circuits?
Maximal heuristic, efficient in practice [CAV'03,ATVA'05]
Issue : Improve practical efficiency of acceleration
Results: "Convex acceleration" algorithm [TACAS'04]
Issue : Experimentations
implementation of FAST [CAV'03],
Verification of various protocols: TTP [TACAS'04], CES and others.

These works have been partially supported by ACI Persée.

## Issues / Results

Issue : Various acceleration techniques
Results : Unifying framework encompassing most of acceleration theorems [ATVA'05]

Issue : How to select circuits?
Results : Maximal heuristic, efficient in practice [CAV'03,ATVA'05]
Issue : Improve practical efficiency of acceleration
Results: "Convex acceleration" algorithm [TACAS'04]
Issue : Experimentations
Results implementation of FAst [CAV'03], Verification of various protocols: TTP [TACAS'04], CES and others.

These works have been partially supported by ACI Persée.

## Issues / Results

Issue : Various acceleration techniques
Results : Unifying framework encompassing most of acceleration theorems [ATVA'05]

Issue : How to select circuits?
Results : Maximal heuristic, efficient in practice [CAV'03,ATVA'05]
Issue : Improve practical efficiency of acceleration
Results: "Convex acceleration" algorithm [TACAS'04]
Issue : Experimentations
Results implementation of Fast [CAV'03], Verification of various protocols: TTP [TACAS'04], CES and others.

These works have been partially supported by ACI Persée.

Vérification

## Issues / Results

Issue : Various acceleration techniques
Results : Unifying framework encompassing most of acceleration theorems [ATVA'05]

Issue : How to select circuits?
Results : Maximal heuristic, efficient in practice [CAV'03,ATVA'05]
Issue : Improve practical efficiency of acceleration
Results : "Convex acceleration" algorithm [TACAS'04]
Issue : Experimentations
Results implementation of FAst [CAV'03], and others.

These works have been partially supported by ACI Persée.

## Issues / Results

Issue : Various acceleration techniques
Results : Unifying framework encompassing most of acceleration theorems [ATVA'05]

Issue: How to select circuits?
Results : Maximal heuristic, efficient in practice [CAV'03,ATVA'05]
Issue : Improve practical efficiency of acceleration
Results : "Convex acceleration" algorithm [TACAS'04]
Issue : Experimentations
Results : implementation of Fast [CAV'03],
Verification of various protocols: TTP [TACAS'04], CES and others.

These works have been partially supported by ACI Persée.

Vérification

## Outline

(1) Introduction
(2) Counter systems
(3) Circuit acceleration
(1) Circuit selection
(3) The tool FASt
(C) Applications
(1) Conclusion

## Reminder

## Presburger arithmetics

First order arithmetics without $\times$-operator

$$
\begin{aligned}
& \phi::=t \leq t|\neg \phi| \phi \vee \phi|\exists k . \phi| \text { true } \\
& t::=0|1| y|t-t| t+t .
\end{aligned}
$$

Presburger set $=$ set of solutions of a Presburger formula.

## Counter systems

- finite set of $m$ variables $x, y, z, \ldots$ over $\mathbb{N}$
- finite set of P-affine functions

$$
f=(M, v, G)
$$

- $G \subseteq \mathbb{N}^{m}$ Presburger guard
- $M$ square matrix
- $v$ vector
- $\overrightarrow{v a r}^{\prime}=f(\overrightarrow{v a r})$ iff
- $\overrightarrow{v a r} \in G$
- and $\overrightarrow{v a r^{\prime}}=M \cdot \overrightarrow{v a r}+v$


## Symbolic representations: Automata

## Automata to recognize sets of integer vectors

- a non-negative integer in basis 2 is a word over $\{0,1\}$
- automata recognize sets of words
- extensions
- any integer: 2-complement encoding
- vectors: tuples of letters, or variables entanglement

Presburger sets (and a little bit more) are recognized by automata.
Common operations on sets $\longrightarrow$ standard operations on automata

## Symbolic representations: Automata



- DFA [Boudet-Comon 1996],
- NDD [Wolper-Boigelot 2000]).


## Outline

(1) Introduction
(2) Counter systems
(3) Circuit Acceleration
(9) Circuit Selection
(3) The tool Fast
(C) Applications
(1) Conclusion

Vérification

## Standard Acceleration

Monoid of a function $f=(M, v, G):\left\{1, M, M^{2}, \ldots, M^{n}, \ldots\right\}$

## Theorem [Finkel-Leroux 2002]

Let $f=(M, v, G)$ a P-affine function with finite monoid. Then $f^{*}$ is effectively defined by a Presburger formula

$$
f^{*}=\left\{\left(x, x^{\prime}\right) \mid x \in G \wedge \exists k \geq 0 \cdot x^{\prime}=\bar{f}^{k}(x) \wedge \forall i .0 \leq i<k, \bar{f}^{i}(x) \in G\right\}
$$

Building the formula is 3-EXP in $|\mathcal{A}(G)|,|v|_{\text {max }},|M|_{\text {max }}$ et $m$.

## Idea of the algorithm

- $f=(M, v, G)$ with finite monoid $\langle M\rangle$.
- $\bar{f}: \mathbb{Z}^{m} \rightarrow \mathbb{Z}^{m}, \forall x \in \mathbb{Z}^{m}, \bar{f}(x)=M . x+v$
- $<M>$ finite, then $\exists(a, b) \in \mathbb{N} \times \mathbb{N}$ such that $M^{a+b}=M^{a}$
- We deduce that $\forall n \in \mathbb{N}, \forall x \in \mathbb{Z}^{m}, \bar{f}^{a+n \cdot b}=\bar{f}^{a}(x)+n \cdot M^{a} \cdot \bar{f}^{b}(0)$
- It comes that $\bar{F}=\left\{\left(i, x, x^{\prime}\right) \in \mathbb{N} \times \mathbb{Z}^{m} \times \mathbb{Z}^{m}, x^{\prime}=\bar{f}^{i}(x)\right\} \Longleftrightarrow$

$$
\begin{aligned}
& \bigvee_{r=0}^{a-1}\left\{\left(i, x, x^{\prime}\right) \mid x^{\prime}=\bar{f}^{r}(x) \wedge i=r\right\} \bigvee_{r=0}^{b-1}\left\{\left(i, x, x^{\prime}\right) \mid \exists n \geq 0\left(x^{\prime}=\right.\right. \\
& \left.\left.f^{a+r}(x)+n \cdot M^{a+r} \cdot \bar{f}^{b}(0)\right) \wedge(i=a+r+n . b)\right\}
\end{aligned}
$$

$$
\begin{aligned}
& f^{*}=\left\{\left(x, x^{\prime}\right), \exists i \geq 0, x^{\prime}=f^{i}(x)\right\} \Longleftrightarrow \\
& \left\{\left(x, x^{\prime}\right), \exists i \geq 0\left[\left(i, x, x^{\prime}\right) \in \bar{F} \wedge\left(\forall k(0 \leq k<i), \exists x^{\prime \prime} \in G,\left(k, x, x^{\prime \prime}\right) \in \bar{F}\right)\right]\right\}
\end{aligned}
$$

## Faster acceleration ...

## Convex translations [TACAS'04]

$f=\left(I_{m}, v, G\right)$ where $I_{m}$ is the identity matrix and $G$ convex

- No need to test if the predecessors are in the guard.
- The construction can be simplified.


## Theorem [TACAS'04]

Convex acceleration is quadratic in $|\mathcal{A}(G)|$.

## Faster acceleration ... complexity

| parameter | magnitude | standard algorithm | convex algorithm |
| :---: | :---: | :---: | :---: |
| $\|\mathcal{A}(G)\|$ | 100.000 | $3-$ EXP | quadratic |
| $m$ | $5-50$ | $3-$ EXP | EXP |
| $\|v\|_{\max }$ | $\leq 10$ | $3-$ EXP | poly. in $m$ |
| $\|M\|_{\max }$ | $\leq 10$ | $3-$ EXP | $=1$ |

## Faster acceleration ... practice

$$
\mathcal{A}\left(f^{*}\right)=\text { automaton representing } f^{*} \text { (transductor) }
$$

| $\left\|\mathcal{A}\left(f^{*}\right)\right\|$ | Time (seconds) <br> Standard/Convex | Memory (MB) <br> Standard/Convex |
| :--- | :---: | :---: |
| 16,766 | $10 / 7$ | $31 / 13$ |
| 26,409 | $5 / 2$ | $17 / 18$ |
| 41,950 | $18 / 10$ | $52 / 30$ |
| 190,986 (TTP2) | $50 / 9$ | $400 / 140$ |
| 380,332 (TTP2) | $\uparrow \uparrow \uparrow / 34$ | $\uparrow \uparrow \uparrow / 534$ |
| $?$ | $\uparrow \uparrow \uparrow />900$ | $\uparrow \uparrow \uparrow />500$ |

## Outline

(1) Introduction
(2) Counter systems
(3) Circuit acceleration
(9) Circuit selection
(3) The tool Fast
(C) Applications
(1) Conclusion

## What is computable with circuit acceleration?

## First answer

Flat system $=$ at most 1 elementary circuit on each control node


Circuit acceleration + flat $S=$ computation of $\operatorname{post}_{S}^{*}\left(X_{0}\right)$

## Flattenings of non-flat systems

Système $S \quad$ Système $S^{\prime}$

$S^{\prime}$ is a flattening of $S$ iff
$S^{\prime}$ is flat and $S$ simulates $S^{\prime}$

## Flattable Systems

$\left(S, X_{0}\right)$ is flattable iff $\exists S^{\prime}$ such that

- $S^{\prime}$ is a flattening of $S$
- $S$ and $S^{\prime}$ are equivalent for reachability.


## Theorem 1 [ATVA'05]

post* $\left(X_{0}\right)$ is computable by circuit acceleration iff $\left(S, X_{0}\right)$ is flattable.

## Other characterization

A restricted linear regular expression (rlre) over $T$

$$
\rho=w_{1}^{*} w_{2}^{*} \ldots w_{n}^{*} \text {, where } w_{i} \in T^{*} .
$$

$\operatorname{post}(\rho, X)=$ configurations reachable following transitions in $\rho$

## Theorem 2 [ATVA'05] <br> $\operatorname{post}^{*}\left(X_{0}\right)$ is computable by circuit acceleration iff $\exists$ a rlre $p$ over $T$ such that $\operatorname{post}^{*}\left(X_{0}\right)=\operatorname{post}\left(\rho, X_{0}\right)$.

Remark: $\operatorname{post}(\rho, X)$ is computable with circuit acceleration

## Other characterization

A restricted linear regular expression (rlre) over $T$

$$
\rho=w_{1}^{*} w_{2}^{*} \ldots w_{n}^{*}, \text { where } w_{i} \in T^{*} .
$$

$\operatorname{post}(\rho, X)=$ configurations reachable following transitions in $\rho$

## Theorem 2 [ATVA'05]

post ${ }^{*}\left(X_{0}\right)$ is computable by circuit acceleration iff $\exists$ a rlre $\rho$ over $T$ such that $\operatorname{post}^{*}\left(X_{0}\right)=\operatorname{post}\left(\rho, X_{0}\right)$.

Remark: $\operatorname{post}(\rho, X)$ is computable with circuit acceleration

## Other characterization

A restricted linear regular expression (rlre) over $T$

$$
\rho=w_{1}^{*} w_{2}^{*} \ldots w_{n}^{*}, \text { where } w_{i} \in T^{*} .
$$

$\operatorname{post}(\rho, X)=$ configurations reachable following transitions in $\rho$

## Theorem 2 [ATVA'05]

post ${ }^{*}\left(X_{0}\right)$ is computable by circuit acceleration iff $\exists$ a rlre $\rho$ over $T$ such that $\operatorname{post}^{*}\left(X_{0}\right)=\operatorname{post}\left(\rho, X_{0}\right)$.

Remark: $\operatorname{post}(\rho, X)$ is computable with circuit acceleration

## Selection Heuristic (I)

Input: $\left(S, X_{0}\right)$
(1) $X \leftarrow X_{0}$;
(3) Lunch
(3) If $\operatorname{post}(X) \subseteq X$ Goto 10
(3) Enumerate the next $\rho$ rlre over $T$
( $3 \quad X \leftarrow \operatorname{post}(\rho, X)$
(1) Goto 4
(3) In parallel with
(1)

When Watchdog stops Goto 2
(10) Return $X$
maximal procedure: terminates iff $\left(S, X_{0}\right)$ is flattable
PB1(time) find quickly a good rlre
PB2(space) avoid as much as possible unnecessary expensive steps of computations

## Selection Heuristic (I)

Input: $\left(S, X_{0}\right)$
(1) $X \leftarrow X_{0} ; k \leftarrow 0$
(2) $k \leftarrow k+1$
(3) Lunch
(3) If $\operatorname{post}(X) \subseteq X$ Goto 10
(3) Choose fairly $w \in T \leq k$
(0) $X \leftarrow \operatorname{post}\left(w^{*}, X\right)$
(1) Goto 4
(8) In parallel with
(0) When Watchdog stops Goto 2
(10) Return $X$

The procedure is still maximal
PB1(time) partitioning + Watchdog
PB2(space) Choose

## Selection Heuristic (II)

## Results

The selection heuristic design is reduced to designing

- Choose (a standard solution is given)
- Watchdog (a standard solution is given)

The obtained procedure is then

- maximal
- efficient : good results on counter systems (cf. FAST)


## Reductions

$|T|^{\leq k}$ may be exponential in $k$.

## Idea $=$ reduce $|T|^{\leq k}$ by removing redundant functions.

Three reductions:

- union-reduction [Finkel-Leroux 2002]
$\quad$ if $f=\left(M, V, G_{1}\right)$ and $g=(M$,
let $h=\left(M, v, G_{1}, G_{2}\right)$
- commutation-reduction [CAV'03]
- conjugacy-reduction [ATVA'05]


## Reductions

$|T|^{\leq k}$ may be exponential in $k$.

## Idea $=$ reduce $|T|^{\leq k}$ by removing redundant functions.

## Three reductions:

- union-reduction [Finkel-Leroux 2002]

■ if $f=\left(M, v, G_{1}\right)$ and $g=\left(M, v, G_{2}\right)$,

- let $h=\left(M, v, G_{1} \vee G_{2}\right)$

■ then $(f+g)^{*}=h^{*}$

- commutation-reduction [CAV'03]
- conjugacy-reduction [ATVA'05]


## Reductions

$|T|^{\leq k}$ may be exponential in $k$.

## Idea $=$ reduce $|T|^{\leq k}$ by removing redundant functions.

## Three reductions:

- union-reduction [Finkel-Leroux 2002]

■ if $f=\left(M, v, G_{1}\right)$ and $g=\left(M, v, G_{2}\right)$,

- let $h=\left(M, v, G_{1} \vee G_{2}\right)$

■ then $(f+g)^{*}=h^{*}$

- commutation-reduction [CAV'03]
- if $f$ and $g$ commute then $f^{*} g^{*}=(f \cdot g)^{*}=(g \cdot f)^{*}$
- conjugacy-reduction [ATVA'05]


## Reductions

$|T|^{\leq k}$ may be exponential in $k$.

## Idea $=$ reduce $|T|^{\leq k}$ by removing redundant functions.

## Three reductions:

- union-reduction [Finkel-Leroux 2002]

■ if $f=\left(M, v, G_{1}\right)$ and $g=\left(M, v, G_{2}\right)$,

- let $h=\left(M, v, G_{1} \vee G_{2}\right)$

■ then $(f+g)^{*}=h^{*}$

- commutation-reduction [CAV'03]
- if $f$ and $g$ commute then $f^{*} g^{*}=(f \cdot g)^{*}=(g \cdot f)^{*}$
- conjugacy-reduction [ATVA'05]
- $\left(f_{2} \cdot f_{3} \cdot f_{1}\right)^{*}=I_{d}+f_{2} \cdot f_{3} \cdot\left(f_{1} \cdot f_{2} \cdot f_{3}\right)^{*} \cdot f_{1}$


## Practical results

| system | $\|T\|$ | $k$ | $\mid C \leq k$ | U | Cm | Cj | $\mathrm{U}+\mathrm{Cm}$ |
| :--- | :---: | :--- | :---: | :---: | :---: | :---: | :---: |
| csm | 13 | 1 | 14 | 14 | 14 | 14 | 14 |
|  | $\mathbf{1 3}$ | $\mathbf{2}$ | 183 | $\mathbf{1 0 3}$ | $\mathbf{5 7}$ | $\mathbf{9 9}$ | 35 |
| consistency | 8 | 1 | 9 | 9 | 9 | 9 | 9 |
|  | 8 | 2 | 68 | 45 | 44 | 39 | 30 |
|  | $\mathbf{8}$ | $\mathbf{3}$ | 484 | $\mathbf{1 7 2}$ | $\mathbf{2 9 9}$ | $\mathbf{1 7 8}$ | 98 |
| swimming | 6 | 1 | 7 | 7 | 7 | 7 | 7 |
| pool | 6 | 2 | 43 | 21 | 24 | 25 | 16 |
|  | 6 | 3 | 259 | 56 | 114 | 97 | 28 |
|  | $\mathbf{6}$ | $\mathbf{4}$ | 1555 | $\mathbf{1 2 6}$ | $\mathbf{6 1 4}$ | $\mathbf{4 2 1}$ | 47 |
|  | 6 | 5 | 9331 | 252 | 3591 | 1977 | 86 |

$\mathrm{U}, \mathrm{Cm}, \mathrm{Cj}$ : reductions (union, commutation, conjugacy)

## Outline

(1) Introduction
(2) Counter systems
(3) Circuit acceleration
(3) Circuit selection
(3) The tool FAST
(0) Applications
(1) Conclusion

## FAST

The previous results are implemented in FAST

## FAST works well in practice

- successfully verify $80 \%$ of 40 infinite systems [CAV'03].
- first automatic verification of TTP [TACAS'04]
- first automatic verification of CES


## Technological comparison

|  | ALV | LASH | FAST | TREX |
| :--- | :---: | :---: | :---: | :---: |
| system | relational | affine | restricted |  |
| symb. rep | automata |  | arith. + pdbm <br> (undec. $\sqsubseteq) ~$ |  |
| acceleration | no | circuits |  | circuits <br> (partial.rec.) |
| circuit selection |  | no | yes | yes, $\leq k$ |

## Practical comparison

| System | ALV | LASH | FAST | $k$ | TREX |
| :--- | :---: | :---: | :---: | :---: | :---: |
| RTP (bounded) | T | T | T | 1 | T |
| Lamport (bounded) | T | T | T | 1 | T |
| Dekker (bounded) | T | T | T | 1 | T |
| ticket 2 | T | T | T | 1 | T |
| kanban | $\uparrow$ | T | T | 1 | T |
| multipoll | $\uparrow$ | T | T | 1 | $\uparrow$ |
| prod/cons (2) | $\uparrow$ | T | T | 1 | - |
| ttp | $\uparrow$ | T | T | 1 | - |
| prod/cons (N) | $\uparrow$ | $\uparrow$ | T | 2 | - |
| lift control, N | $\uparrow$ | $\uparrow$ | T | 2 | T |
| train | $\uparrow$ | $\uparrow$ | T | 2 | T |
| csm, N | $\uparrow$ | $\uparrow$ | T | 2 | $\uparrow$ |
| consistency | $\uparrow$ | $\uparrow$ | T | 3 | - |
| swimming pool | $\uparrow$ | $\uparrow$ | T | 4 | $\uparrow$ |
| pncsa | $\uparrow$ | $\uparrow$ | $\uparrow$ | $?$ | $\uparrow$ |
| incdec | $\uparrow$ | $\uparrow$ | $\uparrow$ | $?$ | $\uparrow$ |
| bigjava | $\uparrow$ | $\uparrow$ | $\uparrow$ | $?$ | $\uparrow$ |

T : success within 20 minutes
$\uparrow$ : no success within 20 minutes
k: circuit length for FAST
-: not an input of TREX

## Outline

(1) Introduction
(2) Counter systems
(3) Circuit acceleration
(1) Circuit selection
(5) The tool FASt
(0) Applications
( Conclusion

## Verification of TTP by FAST



## Verification of TTP by FAsT

## 1 error [TACAS'04]

16 transitions, 9 variables, complex guards

- automatic verification
- Pentium 4 2.4 GHz, 1 Gbyte RAM : 940 sec. and 73 Mbytes .

Other tools:

- Alv does not terminate
- LaSh terminates when good circuits are provided
- TTP does not fit TREX input model.

2 errors [TACAS'04]
20 transitions, 18 variables, even more complex guards

- standard acceleration does not work
- convex acceleration + overapproximation.


## Verification of TTP by FAsT

## 1 error [TACAS'04]

16 transitions, 9 variables, complex guards

- automatic verification
- Pentium 4 2.4 GHz, 1 Gbyte RAM : 940 sec. and 73 Mbytes.

Other tools:

- Alv does not terminate
- LaSh terminates when good circuits are provided
- TTP does not fit TREX input model.

$$
2 \text { errors [TACAS'04] }
$$

20 transitions, 18 variables, even more complex guards

- standard acceleration does not work
- convex acceleration + overapproximation.


## The CES protocol - presentation

- Supported by Philips
- multimedia streaming
- ensures reliable communications over lossy channels

Jonathan Billington and Lin Liu [Billington-Liu 2002]

- Colored Petri net modeling of the CES,
- infinite system, counters and queues of parameterized length
- (complex) proofs of many properties of the CES (ex: size of the reachability set w.r.t. the buffer lengths)


## The CES protocol - verification with FAST

## Modeling issues

FAST does not handle queues.

- queues simulated by counters,
- correctness of the simulation is expressed as a reachability property of the counter system, and it is checked by FAST automatically.


## Results

Properties proved in [Billington-Liu 2002] are checked easily.

## Verification of pointer systems (work in progress)

## Manual management of memory ressources (language C)

- memory heap $=$ collection of memory cells
- a cell contains: data or address
- addresses $\in\{$ valid, invalid, NULL\}
- primitives: new, free, successor

Common errors

- memory violation
- memory leak

Work supported by EDF (2002-2004), and by RNTL AVÉRILES (2005-2008)

## Pointer systems

## Programs:

- only one successor (lists, no trees)
- no data, only pointers

```
List reverse (List x ) \{
    List y,t;
    y =NULL;
    while ( \(x\) !=NULL) \{
        \(\mathrm{t}=\mathrm{y}\);
        \(\mathrm{y}=\mathrm{x}\);
        \(\mathrm{x}=\mathrm{x}->\mathrm{n}\);
        \(\mathrm{y}->\mathrm{n}=\mathrm{t}\);
        \(\mathrm{t}=\) NULL;
    \}
    return y ;
\}
```



## Modeling the memory heap

## Concrete configurations

Memory graphs

- nodes $=$ memory cells
- edges $=$ "pointed by"
- labels $=$ set of pointer variables pointing the cell
- $\perp=$ invalid addresses



## Symbolic representation [AVIS'04]

memory graph (shape) + counters + constraint

- canonical form of shapes
- finite number of shapes



## FAST and pointers

Verification of pointer systems [AVIS'06]

- Encode infinite sets of memory graphs by Presburger sets
- bisimulation between the pointer system and a counter system
- verification by FAST

A prototype is in progress (with A. Sangnier and É. Lozes)

- Works well for $\approx 10$ small standard examples
- Both qualitative and quantitative properties
- Allows to check programs with counters + pointers


## Outline

(1) Introduction
(2) Counter systems
(3) Circuit acceleration
(1) Circuit selection
(5) the tool FAST
(0) Applications

- Conclusion


## Our methodology

 Vérification

## Our methodology



## Our methodology



## Our methodology



## Results

1. Generic methodology [ATVA'05]

- unified acceleration framework
- power and limits (flattable systems)
- maximal circuit selection
- generic optimizations (reductions)

2. Instantiation to counter systems

- two acceleration algorithms
- [Finkel-Leroux 2002]
- [TACAS'04]
- a reduction fit to counters [Finkel-Leroux 2002]
- The tool Fast


## Results

3. Many experimentations

- Counter systems
- 40 infinite systems [CAV'03]
- TTP [TACAS'04]
- Counters + queues
- CES (in my PhD thesis, work with Laure Petrucci)
- Stop and Wait Protocol [Billington-Gallasch-Petrucci 2005]
- Pointer systems
- translation into counter systems [AVIS'06, AVIS'04]
- prototype, works on 10 standard examples (work with Étienne Lozes and Arnaud Sangnier)


## Lessons and limits of the tool

Theoretical limitations (finite monoid, Presburger logic)

- not the main issue for protocols
- would be different for programs
(2) Number of transitions


## Lessons and limits of the tool

Theoretical limitations (finite monoid, Presburger logic)

- not the main issue for protocols
- would be different for programs

Practical limitations:
(1) Number of variables

- main point $=$ complexity of relationship among variables
- no more than 100 variables
(2) Number of transitions
- difficulty to find large circuits
- currently: circuits of length 4 with 20 variables


## Lessons and limits of the tool

Theoretical limitations (finite monoid, Presburger logic)

- not the main issue for protocols
- would be different for programs

Practical limitations:
(1) Number of variables

- main point $=$ complexity of relationship among variables
- Petri net with 50 variables is OK
- TTP2 with 20 variables is not
- no more than 100 variables
(2) Number of transitions
- difficulty to find large circuits
- currently: circuits of length 4 with 20 variables


## Lessons and limits of the tool

Theoretical limitations (finite monoid, Presburger logic)

- not the main issue for protocols
- would be different for programs

Practical limitations:
(1) Number of variables

- main point $=$ complexity of relationship among variables
- Petri net with 50 variables is OK
- TTP2 with 20 variables is not
- no more than 100 variables
(2) Number of transitions
- difficulty to find large circuits
- currently: circuits of length 4 with 20 variables


## FASt Extended Release

A new version FASTER is released [CAV'06]

- A new architecture
- Reachability set computation engine
- Generic Presburger Interface
- Presburger packages (Lash, Mona, omega)
- A new Presburger package

■ Cache computation [Couvreur 2004]
■ (not yet optimized)

- New features in analysis
- Circuit selection,
- Convex acceleration


## Perspectives

- Improve circuit detection: partial orders, system transformation
- Scale-up our methods: abstract-refine and checks methods
- Timed counter systems? (TPN, TA + counters, ...)

