Causality-based Model Checking
Authors
Abstract
[Figure 1: Data structures for causality-based model checking. Trace Tableau = concrete trace unwinding + abstract looping trace tableau; automatic procedure to find proofs in the form of a looping trace tableau.]

the property of interest. The exploration algorithm proceeds by picking some forest leaf and employing an applicable trace transformer, producing a number of further nodes. The exploration stops when all forest leaves are found to be contradictory. The most involved data structure, the abstract trace tableau, contains, besides the concrete trace unwinding, an abstract looping trace tableau, which may have covering edges between tableau nodes. A covering condition is an extension of subgraph isomorphism to concurrent traces: a concurrent trace which is a subgraph of another trace represents a situation that was encountered earlier in the analysis. This tableau is also allowed to contain causal loops, i.e. infinite repetitions of a sequence of trace productions, which together imply the impossibility of a computation satisfying them. The abstract trace tableau is used to track the premises of already applied proof rules and thus simplifies coverings.

3 Two Examples

We illustrate the framework with two examples taken from [4] and [5]: one for the analysis of a safety property (reachability), and another for the analysis of a liveness property (termination).

Safety. Consider the synchronized system shown in the top part of Figure 2: the example was introduced by Esparza and Heljanko in [2] to illustrate the exponential succinctness of Petri net unfoldings. There are n+1 processes, and we want to check whether the global transition c is executable. Note that the state space of this system is exponential in n: the system contains 3 · 2^(n−1) reachable states. Thus, approaches based on state space exploration will suffer from the state space explosion problem.

The authors of [2] show that the Petri net unfolding of the example system contains 2 · n + 3 places, i.e., a linear-size unfolding can succinctly represent the exponential state space. We use the same example to demonstrate that the trace unwinding of the example system never exceeds n+6 nodes, but a constant-size unwinding of just 7 nodes also suffices, which we show in the bottom part of Figure 2. Node 1, the root of the unwinding, captures all system traces where c is executed. One of its preconditions is that the first process should be at location r2; but the initial condition says that the system is at location r1: a contradiction. Thus, a transition that goes from r1 to r2 is necessary,

B. Finkbeiner & A. Kupriyanov
Similar sources
Symbolic Causality Checking Using Bounded Model Checking
In precursory work we have developed causality checking, a fault localization method for concurrent system models relying on the Halpern and Pearl counterfactual model of causation that identifies ordered occurrences of system events as being causal for the violation of non-reachability properties. Our first implementation of causality checking relies on explicit-state model checking. In this p...

Towards Symbolic Causality Checking using SAT-Solving
With the increasing size and complexity of modern safety critical embedded systems, the need for automated analysis methods is growing as well. Causality Checking is an automated technique for formal causality analysis of system models. In this paper we report on work in progress towards a Symbolic Causality Checking approach. The proposed approach is based on bounded model checking using SAT ...

Causality Checking of Safety-Critical Software and Systems
The complexity of modern safety-critical systems is steadily increasing due to the amount of functionality that is implemented in those systems. In order to be able to assess the correctness and safety of these systems in a comprehensive manner, automated or, at least, computer-aided techniques are needed. Model checking, a formal verification technique, provides an automated algorithmic analysis...

Causality Checking for Complex System Models
We present an approach for the algorithmic computation of causalities in system models that we refer to as causality checking. We base our notion of causality on counterfactual reasoning, in particular using the structural equation model approach by Halpern and Pearl that we recently have extended to reason about computational models. In this paper we present a search-based on-the-fly approach ...

Towards Causality Checking for Complex System Models
With the increasing growth of the size and complexity of modern safety-critical systems, the demand for model based engineering methods that both help in architecting such systems and to assess their safety and correctness becomes increasingly obvious. Causality checking is an automated method for formal causality analysis of system models and system execution traces. In this paper we report on w...

Generating Diagnoses for Probabilistic Model Checking Using Causality
One of the major advantages of model checking over other formal methods of verification is its ability to generate an error trace when the specification is falsified in the model. We call this trace a counterexample. In probabilistic model checking (PMC), counterexample generation has a quantitative aspect. The counterexample is a set of paths in which a path formula holds, and their accumulate...