Model checking and abstraction to the aid of parameterized systems (a survey)

Abstract

Parameterized systems are systems that involve numerous instantiations of the same finite-state module, and depend on a parameter which defines their size. Examples of parameterized systems include sensor systems, telecommunication protocols, bus protocols, cache coherence protocols, and many other protocols that underly current state-of-the-art systems. Formal verification of parameterized systems is known to be undecidable (Inform. Process. Lett. 22 (6)) and thus cannot be automated. Recent research has shown that it is often the case that a combination of methodologies allows to reduce the problem of verification of a parameterized system into the problem of verification of a finite-state system, that can be automatically verified.

This paper describes several recent methodologies, based on model checking and abstraction. We start with the method of invisible auxiliary assertions that combines a small-model theorem with heuristics to automatically generate auxiliary constructs used in proofs of correctness of parameterized systems. We also describe the method of counter abstraction that offers simple liveness proofs for many parameterized systems, and discuss novel methodologies of using counter abstraction to automatically verify that probabilistic parameterized system satisfy their temporal specifications with probability 1.

Introduction

The main challenge of verification is undoubtedly automatic verification of very large systems. Parameterized systems are systems that consist of potentially numerous instantiations of “simple” modules, where the size of each module is the parameter of the system. Examples include sensor systems, cache coherence protocols, bus protocols (e.g., PCI), and telecommunication protocols. Typically of such systems, the programs of the individual processes (modules) are given by the process id. With the growing emphasis on embedded systems, we expect a growing interest in parameterized systems.

Verifying that a parameterized system satisfies some specification entails proving that every instantiation of the system satisfies the specification. In particular, it is necessary to show that no matter how many individual processes participate in the system, it satisfies its specification.

In this work we focus on specifications that are expressible by linear time temporal logic (LTL), to which we refer as “temporal properties”. There are two families of properties one usually wishes to verify, safety and liveness. Roughly speaking, safety properties state that a bad state never happens. For example, the safety property of mutual exclusion algorithms is that no two processes are ever at their critical section at the same time. Liveness properties guarantee that something good eventually happens. For example, the liveness property of mutual exclusion algorithms is that every process that is trying to access its critical section, eventually succeeds. Usually, liveness properties can only be proven under appropriate fairness requirements. Roughly speaking, fairness requirements capture a reasonable behavior of processes related to their eventual progress. For example, fairness will guarantee that a process in the critical section eventually leaves it.

When considering a parameterized system, both safety and liveness have to be established for every instantiation of the system. Thus, one must establish that, for every set of processes, the system that consists of the composition of these processes satisfies both safety and liveness properties. A highly desirable objective is to develop methods for the uniform verification of parameterized systems, that is, to produce a single proof that all instances of the system satisfy their specifications. There are two main approaches for verification of temporal properties. The first is using deductive methods where proofs are constructed incrementally and manually until the desired property is proved. While proofs that are obtained deductively can be checked by theorem provers, they usually require considerable amount of time and expertise to construct. The second approach for verification of temporal properties is enumeration, or model checking [2], [3]. There, the prover models the system to be verified as a finite-state transition system and proves that the system satisfies its specification. While model checking is fully automatic and has had numerous successes, a system to be model-checked has to be finite-state (and, practically speaking, rather small).

Obviously, for the purpose of uniform verification of parameterized systems (naive application of) model checking is ruled out since it can verify only a single instance at a time. However, to be applicable, methods of uniform verification should have a high degree of automation, which rules out extensively interactive deductive verification.

In this paper, we explore two families of methods that allow fully automated uniform verification of parameterized systems. One family, called the method of auxiliary constructs, automates the user-supplied interactive steps in deductive verification. The other, counter abstraction, abstracts the parameterized system and its specifications, so that its verification is reduced to simple model checking. The premise underlying both approaches is that the “infiniteness” of such systems is restricted to the number of processes, since each process is usually finite-state. Manual verification of such systems is usually accomplished using few proof rules. The method of auxiliary constructs exploits the inherent symmetry of a system to derive inductive assertions about it. Counter abstraction uses the relative small size of the individual modules to construct a finite-state abstraction. We also demonstrate how the methods can be extended to deal with probabilistic parameterized systems.

In the rest of the introduction we include (in Section 1.1) an example of a simple parameterized system which will be used throughout the paper. Section 1.2 is an overview of related work on parameterized systems. Section 1.3 describes the methodologies we introduce and their relations to existing work. Section 1.4 describes the organization of the paper.

For an example of a parameterized system consider the program MUXSEM in Fig. 1, which is a mutual exclusion protocol using semaphores. The processes are indexed 1,…,N, where N is the system's parameter. Thus, for every N>1, an instantiation of MUXSEM consists of processes P[1],…,P[N].

The semaphore instructions “request x” and “release x” appearing in the program stand, respectively, for

$$\text{〈}\text{when}\text{x=1}\text{do}\text{x≔0〉}\text{and}\text{x≔1.}$$

A process in location 0 (the “idle” state) may stay there indefinitely or move on to location 1 (the “trying” state), where it remains until it gains access to the (single) semaphore x. It then enters location 2 (the “critical” section), upon exit from it, releases the semaphore in location 3 (the “exit” state), and goes back to its idle state.

The (safety) mutual exclusion property of MUXSEM is that no two processes are ever simultaneously at their critical sections. Expressed in LTL, this property is

$$\text{∀N>1:}\text{∀i,j:1⩽i≠j⩽N→□¬(at}{}_{\mathrm{-}}\text{ℓ}{}_2\text{[i]∧at}{}_{\mathrm{-}}\text{ℓ}{}_2\text{[j]),}$$

where “at₋ℓ_ℓ[j]” stands for “the program counter of process j is ℓ,” and □ is the temporal operator “always”.

The liveness property of MUXSEM states that every process that wishes to gain access to its critical section eventually succeeds; it is expressed by the LTL formula

$$\text{∀N>1:}\text{∀i:1⩽i⩽N→□(at}{}_{\mathrm{-}}\text{ℓ}{}_1\text{[i]→◊at}{}_{\mathrm{-}}\text{ℓ}{}_2\text{[i]),}$$

where ◊ is the temporal operator “eventually”. The fairness properties of MUXSEM are that no process stays forever in location 1 if the semaphore is available infinitely many times, and that no process stays forever in locations 2 or 3. (Note, however, that there is no fairness property associated with location 0: processes may stay idle forever.)

The problem of uniform verification of parameterized systems is, in general, undecidable [1]. There are two possible remedies to the undecidability: either we should look for restricted families of parameterized systems for which the problem becomes decidable, or devise methods which are sound but, necessarily incomplete, and hope that the system of interest will yield to one of these methods.

Among the representatives of the first approach we can count the work of German and Sistla [4] which assumes a parameterized system where processes communicate synchronously, and shows how to verify single-index properties. Similarly, Emerson and Namjoshi [5] proved a PSPACE complete algorithm for verification of synchronously communicating processes. Many of these methods fail when we move to asynchronous systems where processes communicate by shared variables. Perhaps the most advanced of this approach is the paper [6], which considers a general parameterized system allowing several different classes of processes. However, this work provides separate algorithms for the cases that the guards are either all disjunctive or all conjunctive. A protocol such as the Cache Coherence protocol we handle in [7], which contains some disjunctive and some conjunctive guards, cannot be handled by the methods of [6].

The sound but incomplete methods include methods based on explicit induction [8], network invariants, which can be viewed as implicit induction [9], [10], [11], [12], methods that can be viewed as abstraction and approximation of network invariants [13], [14], [15], [16], [17], and other methods that can be viewed as based on abstraction [18]. Most of these methods require the user to provide auxiliary constructs, such as a network invariant or an abstraction mapping. Other attempts to verify parameterized protocols such as Burn's protocol [19] and Szymanski's algorithm [20], [21], [22] relied on abstraction functions or lemmas provided by the user. The work in [23] deals with the verification of safety properties of parameterized networks by abstracting the behavior of the system. PVS [24] is used to discharge the generated verification conditions.

Among the automatic incomplete approaches, we should mention the methods relying on “regular model-checking” [25], [26], [27], [28], where a class of systems which include our bounded-data systems as a special case is analyzed representing linear configurations of processes as a word in a regular language. Unfortunately, many of the systems analyzed by this method cause the analysis procedure to diverge and special acceleration procedures have to be applied which, again, requires user ingenuity and intervention.

The works in [29], [30], [31], [32] study symmetry reduction in order to deal with state explosion. The work in [18] detects symmetries by inspection of the system description.

When applying deductive proof rules to verification, the main burden on the user is to supply auxiliary assertions, that are often shown to be inductive. For example, verification of safety properties is often accomplished by means of a strengthening invariant, which is then shown to be inductive over the system (i.e., to hold in every reachable state) and to imply the desired safety property. The method of invisible auxiliary constructs automatically generates such auxiliary assertions for parameterized systems, so that the verification conditions, once the generated assertions are “plugged” into them, can be model checked.

The method consists of two parts: The first exploits the symmetry of the parameterized system and, given a set of reachable states (e.g., “all reachable states”, or “all states where process number 1 is trying to enter the critical section”), “guesses” a universally quantified assertion that over-approximates the given set. The second part is a “small model” theorem, that establishes when assertions over parameterized systems can be model checked on small instantiations (whose size depends on the parameterized system itself and on the assertion generated) to derive their validity over any instantiation.

Put together, for some deductive proof rules, the method of invisible auxiliary constructs automatically generates assertions that traditionally are supplied by the user, and the resulting verification conditions can be model checked, so that the proof rules are applied without user intervention. As a matter of fact, the method has “invisible” in its name since the user need never see the generated auxiliary assertions.

We describe the method and demonstrate its utility in applying deductive proof rules that establish both safety and liveness properties.

The method of invisible auxiliary constructs was introduced in [7] (under the name invisible invariants) for the automatic proofs of safety properties of parameterized systems, developed further in [33] for a larger family of systems, and in [34], [35] for automatic proofs of liveness properties. The method has been successfully applied to verification of safety properties of numerous protocols, including the Illinois Cache Coherence protocol, 3-stage Pipeline, and a Cache Coherence protocol developed for the ASCII Blue, as well as to the verification of liveness properties of numerous mutual exclusion algorithms. The idea of the invisible invariant method came from McMillan's work on compositional model-checking (e.g., [36]), which combines automatic abstraction with finite-instantiation due to symmetry.

While the method of auxiliary constructs can be used to prove both safety and liveness properties of parameterized systems, its application is at times far from trivial. In addition, the systems that are covered by the method are “bounded data”, which means that the data structures used are assumed to be of a certain type. The method of counter abstraction is somewhat simpler, and, when applicable, trivial to apply. Its shortcomings is that it is only suitable for system in a unstructured, or clique, architecture, and that the number of individual local states of each process should be rather small. The latter restriction can be overcome by some manual (deductive) intervention in the method, while the former is inherent to the method. For the types of systems counter abstraction can handle, it offers extremely elegant and simple uniform verification.

Counter abstraction is an application of finitary abstraction, which calls for an abstraction of the parameterized system into a finite-state system, and an abstraction of the property to be verified so that it refers to the abstract system. The abstraction is such that if the abstract system satisfies the abstract property, one can safely conclude that the concrete system satisfies the concrete property. A general theory of finitary abstraction which abstracts a system together with the property to be proven is presented in [16], and can be applied to the verification of arbitrary LTL properties, including liveness properties.

Roughly speaking, a concrete state is counter abstracted by counting the number of processes in each local state, truncating the count at 2. The idea of using this abstraction is not new. It had been studied by numerous works whose goal was to prove safety properties of parameterized systems, see, e.g., [37]. In fact, checking a safety property of a counter abstracted system reduces to reachability of a finite graph.

Proving liveness properties of counter abstracted system is, however, harder, since one has to take into account the fairness properties, that rule out some infinitary pathologically bad behaviors of a system. Thus, while a liveness property may not hold over the system if fairness properties are ignored (which is often the case since we allow the idle transition from every state), it may hold under fairness assumptions. Applying the algorithm of [16] for deriving abstract fairness properties of parameterized systems results often in the trivial T (true), which does not allow for verification of liveness properties. This is because the fairness properties often refer to a single process and counter abstraction gives no tools to track down a single process. To overcome this difficulty, we compiled, for many types of common concrete fairness properties, (counter) abstract fairness properties that can be derived from them. Armed with these abstract fairness properties, we can prove concrete liveness properties whose abstraction is non-trivial.

The same problems we face with abstracting fairness properties haunt us when we try to abstract individual liveness properties. To overcome these difficulties, we “counter abstract but one”—that is, counter abstract a system with all but the process whose liveness we want to establish. Proving individual liveness then reduces to proving that the composition of the abstract system (of all but the concrete process) with the concrete process satisfies the individual liveness property of the concrete system. This all can of course be model checked.

The method can be applied with no extensions to parameterized systems in which every process has only finitely many local states and the global variables range over finite domains. It can also be extended to deal with systems in which individual processes may have infinitely many local states. The necessary extension is that we identify some state assertions and then allocate (bounded) counters that count the number of processes whose local states satisfy these assertions.

We describe how parameterized systems and their properties are counter abstracted, and show how various liveness properties can be proven over the abstract systems.

Counter abstraction was first studied in [38]. The work which obtains results close to ours is [39] and previous articles describing the parameterized systems abstracted and explored (PAX) system. There, the problem of verification of parameterized systems is addressed, with emphasis on liveness properties. One of the differences between the two approaches is that [39] is based on the method of predicate abstraction [40]. As a result, the structure of the abstraction varies from case to case and the computation of the added fairness requirements depends on a marking algorithm which has to be re-applied for each case separately, searching for appropriate well-founded ranking. In comparison, counter abstraction offer a uniform abstraction approach, which provides a standard recipe for the additional compassion (strong fairness) and justice (weak fairness) requirements, that, according to [39], cannot be automatically lifted from the concrete to the abstract systems.

Another relative advantage of our method is its extended ability to deal with parameterized systems whose individual processes are not necessarily finite-state.

Probabilistic elements have been introduced into concurrent systems in the early 1980s to provide solutions (with high probability) to problems that do not have deterministic solutions. Among the pioneers of probabilistic protocols were [41], [42]. One of the most challenging problems in the study of probabilistic protocols has been their formal verification. While methodologies for proving safety (invariance) properties still hold for probabilistic protocols, formal verification of their liveness properties has been, and still is, a challenge. The main difficulty stems from the two types of non-determinism that occur in such programs: Their asynchronous execution, that assumes a potentially adversarial (though somewhat fair) scheduler, and the non-determinism associated with the probabilistic actions, that assumes an even-handed coin-tosser.

Since many of the probabilistic protocols that have been proposed and studied (e.g., [41], [42], [43]) are parameterized, a naturally arising question is whether we can combine automatic verification tools of parameterized systems with those of probabilistic ones. In [44], [17], [45] we studied automatic verification of probabilistic parameterized systems. The approach we took in [44], [17] is based on user-supplied network invariants. The approach in [45], which we describe here, combines the previously described abstraction methods with some treatment of the probabilistic elements of the system.

To our knowledge, with the exception of [45], there are no works that have attempted a uniform approach to the automatic verification of probabilistic parameterized systems. The PRISM probabilistic model checker [46], based on Markov chains and processes, allows the user to verify that a property holds with arbitrary probability, and not just probability 1. However, PRISM does not support the uniform verification of parameterized systems, but rather the verification of individual system instantiations.

In Section 2 we describe our formal model. We introduce fair bounded discrete systems—fair transition systems with bounded data types and somewhat restricted transition relation. We also elaborate on the types of properties that are of interest to us. The topic of Section 3 is the method of auxiliary constructs. We start by describing PROGEN, a heuristics to generate auxiliary assertions. We then describe the method of invisible invariants, that uses PROGEN to obtain automatic verification of safety properties of parameterized systems, and the method of invisible ranking, that uses PROGEN to obtain automatic verification of liveness properties of parameterized systems. The topic of Section 4 is the method of counter abstraction. We first describe how a parameterized system is abstracted into a finite-state on, ignoring fairness requirements. We then show how to counter abstract the justice requirements, and how to prove group liveness (live-lock freedom) and individual liveness properties of the original parameterized systems using the counter abstracted systems. In Section 5, we turn our attention to parameterized probabilistic systems. We describe an almost automatic method to prove liveness properties of such systems, based on transforming the system into a computationally equivalent system in which probability is replaced by non-determinism. The transformed system can then be verified using either invisible ranking or counter abstraction. We conclude in Section 6.