-
Verifying Parameterized Networks Specified by Vertex-Replacement Graph Grammars
Authors:
Radu Iosif,
Arnaud Sangnier,
Neven Villani
Abstract:
We consider the parametric reachability problem (PRP) for families of networks described by vertex-replacement (VR) graph grammars, where network nodes run replicas of finite-state processes that communicate via binary handshaking. We show that the PRP problem for VR grammars can be effectively reduced to the PRP problem for hyperedge-replacement (HR) grammars at the cost of introducing extra edges for routing messages. This transformation is motivated by the existence of several parametric verification techniques for families of networks specified by HR grammars, or similar inductive formalisms. Our reduction enables applying the verification techniques for HR systems to systems with dense architectures, such as user-specified cliques and multi-partite graphs.
Submitted 2 May, 2025;
originally announced May 2025.
-
Counting Abstraction for the Verification of Structured Parameterized Networks
Authors:
Marius Bozga,
Radu Iosif,
Arnaud Sangnier,
Neven Villani
Abstract:
We consider the verification of parameterized networks of replicated processes whose architecture is described by hyperedge-replacement graph grammars. Due to the undecidability of verification problems such as reachability or coverability of a given configuration, in which we count the number of replicas in each local state, we develop two orthogonal verification techniques. We present a counting abstraction able to produce, from a graph grammar describing a parameterized system, a finite set of Petri nets that over-approximate the behaviors of the original system. The counting abstraction is implemented in a prototype tool, evaluated on a non-trivial set of test cases. Moreover, we identify a decidable fragment, for which the coverability problem is in 2EXPTIME and PSPACE-hard.
Submitted 21 February, 2025;
originally announced February 2025.
-
Regular Grammars for Sets of Graphs of Tree-Width 2
Authors:
Marius Bozga,
Radu Iosif,
Florian Zuleger
Abstract:
Regular word grammars are restricted context-free grammars that define all the recognizable languages of words. This paper generalizes regular grammars from words to certain classes of graphs, by defining regular grammars for unordered unranked trees and graphs of tree-width 2 at most. The qualifier "regular" is justified because these grammars define precisely the recognizable (equivalently, CMSO-definable) sets of the respective graph classes. The proof of equivalence between regular and recognizable sets of graphs relies on the effective construction of a recognizer algebra of size doubly-exponential in the size of the grammar. This sets a 2EXPTIME upper bound on the (EXPTIME-hard) problem of inclusion of a context-free language in a regular language, for graphs of tree-width 2 at most. A further syntactic restriction of regular grammars suffices to capture precisely the MSO-definable sets of graphs of tree-width 2 at most, i.e., the sets defined by CMSO formulae without cardinality constraints. Moreover, we show that MSO-definability coincides with recognizability by algebras having an aperiodic parallel composition semigroup, for each class of graphs defined by a bound on the tree-width.
Submitted 14 June, 2025; v1 submitted 2 August, 2024;
originally announced August 2024.
-
Tree-Verifiable Graph Grammars
Authors:
Mark Chimes,
Radu Iosif,
Florian Zuleger
Abstract:
Hyperedge-Replacement grammars (HR) have been introduced by Courcelle in order to extend the notion of context-free sets from words and trees to graphs of bounded tree-width. While for words and trees the syntactic restrictions that guarantee that the associated languages of words resp. trees are regular - and hence, MSO-definable - are known, the situation is far more complicated for graphs. Here, Courcelle proposed the notion of regular graph grammars, a syntactic restriction of HR grammars that guarantees the definability of the associated languages of graphs in Counting Monadic Second Order Logic (CMSO). However, these grammars are not complete in the sense that not every CMSO-definable set of graphs of bounded tree-width can be generated by a regular graph grammar. In this paper, we introduce a new syntactic restriction of HR grammars, called tree-verifiable graph grammars, and a new notion of bounded tree-width, called embeddable bounded tree-width, where the latter restricts the trees of a tree-decomposition to be a subgraph of the analyzed graph. The main property of tree-verifiable graph grammars is that their associated languages are CMSO-definable and that they have bounded embeddable tree-width. We show further that they strictly generalize the regular graph grammars of Courcelle. Finally, we establish a completeness result, showing that every language of graphs that is CMSO-definable and of bounded embeddable tree-width can be generated by a tree-verifiable graph grammar.
Submitted 28 February, 2024; v1 submitted 26 February, 2024;
originally announced February 2024.
-
Effective MSO-Definability for Tree-width Bounded Models of an Inductive Separation Logic of Relations
Authors:
Lucas Bueri,
Radu Iosif,
Florian Zuleger
Abstract:
A class of graph languages is definable in Monadic Second-Order logic (MSO) if and only if it consists of sets of models of MSO formulæ. If, moreover, there is a computable bound on the tree-widths of the graphs in each such set, the satisfiability and entailment problems are decidable, by Courcelle's Theorem. This motivates the comparison of other graph logics to MSO. In this paper, we consider the MSO definability of a Separation Logic of Relations (SLR) that describes simple hyper-graphs, in which each sequence of vertices is attached to at most one edge with a given label. Our logic SLR uses inductive predicates whose recursive definitions consist of existentially quantified separated conjunctions of relation and predicate atoms. The main contribution of this paper is an expressive fragment of SLR that describes bounded tree-width sets of graphs which can, moreover, be effectively translated into MSO.
Submitted 25 February, 2024;
originally announced February 2024.
-
The Treewidth Boundedness Problem for an Inductive Separation Logic of Relations
Authors:
Marius Bozga,
Lucas Bueri,
Radu Iosif,
Florian Zuleger
Abstract:
The treewidth boundedness problem for a logic asks for the existence of an upper bound on the treewidth of the models of a given formula in that logic. This problem is found to be undecidable for first order logic. We consider a generalization of Separation Logic over relational signatures, interpreted over standard relational structures, and describe an algorithm for the treewidth boundedness problem in the context of this logic.
Submitted 17 May, 2024; v1 submitted 14 October, 2023;
originally announced October 2023.
-
Characterizations of Monadic Second Order Definable Context-Free Sets of Graphs
Authors:
Radu Iosif,
Florian Zuleger
Abstract:
We give a characterization of the sets of graphs that are both definable in Counting Monadic Second Order Logic (CMSO) and context-free, i.e., least solutions of Hyperedge-Replacement (HR) grammars introduced by Courcelle and Engelfriet. We prove the equivalence of these sets with: (a) recognizable sets (in the algebra of graphs with HR-operations) of bounded tree-width; we refine this condition further and show equivalence with recognizability in a finitely generated subalgebra of the HR-algebra of graphs; (b) parsable sets, for which there is an MSO-definable transduction from graphs to a set of derivation trees labelled by HR operations, such that the set of graphs is the image of the set of derivation trees under the canonical evaluation of the HR operations; (c) images of recognizable unranked sets of trees under an MSO-definable transduction, whose inverse is also MSO-definable. We rely on a novel connection between two seminal results, a logical characterization of context-free graph languages in terms of tree to graph MSO-definable transductions, by Courcelle and Engelfriet and a proof that an optimal-width tree decomposition of a graph can be built by an MSO-definable transduction, by Bojanczyk and Pilipczuk.
Submitted 6 June, 2024; v1 submitted 7 October, 2023;
originally announced October 2023.
-
Expressiveness Results for an Inductive Logic of Separated Relations
Authors:
Radu Iosif,
Florian Zuleger
Abstract:
In this paper we study a Separation Logic of Relations (SLR) and compare its expressiveness to (Monadic) Second Order Logic (M)SO. SLR is based on the well-known Symbolic Heap fragment of Separation Logic, whose formulae are composed of points-to assertions and inductively defined predicates, with the separating conjunction as the only logical connective. SLR generalizes the Symbolic Heap fragment by supporting general relational atoms, instead of only points-to assertions. In this paper, we restrict ourselves to finite relational structures, and hence only consider Weak (M)SO, where quantification ranges over finite sets. Our main results are that SLR and MSO are incomparable on structures of unbounded treewidth, while SLR can be embedded in SO in general. Furthermore, MSO becomes a strict subset of SLR, when the treewidth of the models is bounded by a parameter and all vertices attached to some hyperedge belong to the interpretation of a fixed unary relation symbol. We also discuss the problem of identifying a fragment of SLR that is equivalent to MSO over models of bounded treewidth.
Submitted 5 July, 2023;
originally announced July 2023.
-
On the Expressiveness of a Logic of Separated Relations
Authors:
Radu Iosif,
Florian Zuleger
Abstract:
We compare the model-theoretic expressiveness of the existential fragment of Separation Logic over unrestricted relational signatures (SLR) -- with only separating conjunction as logical connective and higher-order inductive definitions, traditionally known as the symbolic heap fragment -- with the expressiveness of (Monadic) Second Order Logic ((M)SO). While SLR and MSO are incomparable on structures of unbounded treewidth, it turns out that SLR can be embedded in SO, in general, and that MSO becomes a strict subset of SLR, when the treewidth of the models is bounded by a parameter given as input. We also discuss the problem of defining a fragment of SLR that is equivalent to MSO over models of bounded treewidth. Such a fragment would then become the most general Separation Logic with a decidable entailment problem, a key ingredient of practical verification methods for self-adapting (reconfigurable) component-based and distributed systems.
Submitted 2 August, 2022;
originally announced August 2022.
-
On an Invariance Problem for Parameterized Concurrent Systems
Authors:
Marius Bozga,
Lucas Bueri,
Radu Iosif
Abstract:
We consider concurrent systems consisting of replicated finite-state processes that synchronize via joint interactions in a network with user-defined topology. The system is specified using a resource logic with a multiplicative connective and inductively defined predicates, reminiscent of Separation Logic. The problem we consider is whether a given formula in this logic defines an invariant, namely whether any model of the formula, following an arbitrary firing sequence of interactions, is transformed into another model of the same formula. This property, called \emph{havoc invariance}, is quintessential in proving the correctness of reconfiguration programs that change the structure of the network at runtime. We show that the havoc invariance problem is many-one reducible to the entailment problem $φ\models ψ$, asking if any model of $φ$ is also a model of $ψ$. Although, in general, havoc invariance is found to be undecidable, this reduction allows us to prove that havoc invariance is in 2EXP, for a general fragment of the logic, with a 2EXP entailment problem.
Submitted 26 April, 2022;
originally announced April 2022.
-
Decision Problems in a Logic for Reasoning about Reconfigurable Distributed Systems
Authors:
Marius Bozga,
Lucas Bueri,
Radu Iosif
Abstract:
We consider a logic used to describe sets of configurations of distributed systems, whose network topologies can be changed at runtime, by reconfiguration programs. The logic uses inductive definitions to describe networks with an unbounded number of components and interactions, written using a multiplicative conjunction, reminiscent of Bunched Implications and Separation Logic. We study the complexity of the satisfiability and entailment problems for the configuration logic under consideration. Additionally, we consider robustness properties, such as tightness (are all interactions entirely connected to components?) and degree boundedness (is every component involved in a bounded number of interactions?), the latter being an ingredient for decidability of entailments.
Submitted 26 April, 2022; v1 submitted 19 February, 2022;
originally announced February 2022.
-
Verification of Component-based Systems with Recursive Architectures
Authors:
Marius Bozga,
Radu Iosif,
Joseph Sifakis
Abstract:
We study a sound verification method for parametric component-based systems. The method uses a resource logic, a new formal specification language for distributed systems consisting of a finite yet unbounded number of components. The logic allows the description of architecture configurations coordinating instances of a finite number of types of components, by means of inductive definitions similar to the ones used to describe algebraic data types or recursive data structures. For parametric systems specified in this logic, we show that decision problems such as reaching deadlock or violating critical section are undecidable, in general. Despite this negative result, we provide for these decision problems practical semi-algorithms relying on the automatic synthesis of structural invariants allowing the proof of general safety properties. The invariants are defined using the WSkS fragment of the monadic second order logic, known to be decidable by a classical automata-logic connection, thus reducing a verification problem to checking satisfiability of a WSkS formula.
Submitted 15 December, 2021;
originally announced December 2021.
-
Reasoning about Reconfigurations of Distributed Systems
Authors:
Emma Ahrens,
Marius Bozga,
Radu Iosif,
Joost-Pieter Katoen
Abstract:
This paper presents a Hoare-style calculus for formal reasoning about reconfiguration programs of distributed systems. Such programs create and delete components and/or interactions (connectors) while the system components change state according to their internal behaviour. Our proof calculus uses a resource logic, in the spirit of Separation Logic, to give local specifications of reconfiguration actions. Moreover, distributed systems with an unbounded number of components are described using inductively defined predicates. The correctness of reconfiguration programs relies on havoc invariants, which are assertions about the ongoing interactions in a part of the system that is not affected by the structural change caused by the reconfiguration. We present a proof system for such invariants in an assume/rely-guarantee style. We illustrate the feasibility of our approach by proving the correctness of real-life distributed systems with reconfigurable (self-adjustable) tree architectures.
Submitted 16 March, 2022; v1 submitted 12 July, 2021;
originally announced July 2021.
-
Unifying Decidable Entailments in Separation Logic with Inductive Definitions
Authors:
Mnacho Echenim,
Radu Iosif,
Nicolas Peltier
Abstract:
The entailment problem $\varphi \models ψ$ in Separation Logic \cite{IshtiaqOHearn01,Reynolds02}, between separated conjunctions of equational ($x \iseq y$ and $x \not\iseq y$), spatial ($x \mapsto (y_1,\ldots,y_\rank)$) and predicate ($p(x_1,\ldots,x_n)$) atoms, interpreted by a finite set of inductive rules, is undecidable in general. Certain restrictions on the set of inductive definitions lead to decidable classes of entailment problems. Currently, there are two such decidable classes, based on two restrictions, called \emph{establishment} \cite{IosifRogalewiczSimacek13,KatelaanMathejaZuleger19,PZ20} and \emph{restrictedness} \cite{EIP21a}, respectively. Both classes are shown to be in \twoexptime\ by the independent proofs from \cite{PZ20} and \cite{EIP21a}, respectively, and a many-one reduction of established to restricted entailment problems has been given \cite{EIP21a}. In this paper, we strictly generalize the restricted class, by distinguishing the conditions that apply only to the left- ($\varphi$) and the right- ($ψ$) hand side of entailments, respectively. We provide a many-one reduction of this generalized class, called \emph{safe}, to the established class. Together with the reduction of established to restricted entailment problems, this new reduction closes the loop and shows that the three classes of entailment problems (respectively established, restricted and safe) form a single, unified, \twoexptime-complete class.
Submitted 15 February, 2021; v1 submitted 28 December, 2020;
originally announced December 2020.
-
Verifying Safety Properties of Inductively Defined Parameterized Systems
Authors:
Marius Bozga,
Radu Iosif
Abstract:
We introduce a term algebra as a new formal specification language for the coordinating architectures of distributed systems consisting of a finite yet unbounded number of components. The language allows one to describe infinite sets of systems whose coordination between components shares the same pattern, using inductive definitions similar to the ones used to describe algebraic data types or recursive data structures. Further, we give a verification method for the parametric systems described in this language, relying on the automatic synthesis of structural invariants that enable proving general safety properties (mutual exclusion, absence of deadlocks). The invariants are defined using the WSkS fragment of the monadic second order logic, known to be decidable by a classical automata-logic connection. This reduces the safety verification problem to checking satisfiability of a WSkS formula.
Submitted 14 October, 2020; v1 submitted 10 August, 2020;
originally announced August 2020.
-
Decidable Entailments in Separation Logic with Inductive Definitions: Beyond Established Systems
Authors:
Mnacho Echenim,
Radu Iosif,
Nicolas Peltier
Abstract:
We define a class of Separation Logic formulae whose entailment problem (given formulae $φ, ψ_1, \ldots, ψ_n$, is every model of $φ$ a model of some $ψ_i$?) is 2EXPTIME-complete. The formulae in this class are existentially quantified separating conjunctions involving predicate atoms, interpreted by the least sets of store-heap structures that satisfy a set of inductive rules, which is also part of the input to the entailment problem. Previous work considers established sets of rules, meaning that every existentially quantified variable in a rule must eventually be bound to an allocated location, i.e. from the domain of the heap. In particular, this guarantees that each structure has treewidth bounded by the size of the largest rule in the set. In contrast, here we show that establishment, although sufficient for decidability (alongside two other natural conditions), is not necessary, by providing a condition, called equational restrictedness, which applies syntactically to (dis-)equalities. The entailment problem is more general in this case, because equationally restricted rules define richer classes of structures, of unbounded treewidth. In this paper we show that (1) every established set of rules can be converted into an equationally restricted one and (2) the entailment problem is 2EXPTIME-complete in the latter case, thus matching the complexity of entailments for established sets of rules.
Submitted 11 October, 2020; v1 submitted 1 July, 2020;
originally announced July 2020.
-
Entailment Checking in Separation Logic with Inductive Definitions is 2-EXPTIME hard
Authors:
Mnacho Echenim,
Radu Iosif,
Nicolas Peltier
Abstract:
The entailment between separation logic formulae with inductive predicates, also known as symbolic heaps, has been shown to be decidable for a large class of inductive definitions. Recently, a 2-EXPTIME algorithm was proposed and an EXPTIME-hard bound was established; however no precise lower bound is known. In this paper, we show that deciding entailment between predicate atoms is 2-EXPTIME-hard. The proof is based on a reduction from the membership problem for exponential-space bounded alternating Turing machines.
Submitted 16 April, 2020;
originally announced April 2020.
-
Structural Invariants for the Verification of Systems with Parameterized Architectures
Authors:
Marius Bozga,
Javier Esparza,
Radu Iosif,
Joseph Sifakis,
Christoph Welzel
Abstract:
We consider parameterized concurrent systems consisting of a finite but unknown number of components, obtained by replicating a given set of finite state automata. Components communicate by executing atomic interactions whose participants update their states simultaneously. We introduce an interaction logic to specify both the type of interactions (e.g. rendez-vous, broadcast) and the topology of the system (e.g. pipeline, ring). The logic can be easily embedded in monadic second order logic of finitely many successors, and is therefore decidable.
Proving safety properties of such a parameterized system, like deadlock freedom or mutual exclusion, requires inferring an inductive invariant that contains all reachable states of all system instances, and no unsafe state. We present a method to automatically synthesize inductive invariants directly from the formula describing the interactions, without costly fixed point iterations. We experimentally prove that this invariant is strong enough to verify safety properties of a large number of systems including textbook examples (dining philosophers, synchronization schemes), classical mutual exclusion algorithms, cache-coherence protocols and self-stabilization algorithms, for an arbitrary number of components.
Submitted 7 September, 2021; v1 submitted 18 February, 2020;
originally announced February 2020.
-
Local Reasoning about Parametric and Reconfigurable Component-based Systems
Authors:
Marius Bozga,
Radu Iosif,
Joseph Sifakis
Abstract:
We introduce a logical framework for the specification and verification of component-based systems, in which finitely many component instances are active, but the bound on their number is not known. Besides specifying and verifying parametric systems, we consider the aspect of dynamic reconfiguration, in which components can migrate at runtime on a physical map, whose shape and size may change. We describe such parametric and reconfigurable architectures using resource logics, close in spirit to Separation Logic, used to reason about dynamic pointer structures. These logics support the principle of local reasoning, which is the key for writing modular specifications and building scalable verification algorithms, that deal with large industrial-size systems.
Submitted 19 August, 2019;
originally announced August 2019.
-
Structural Invariants for Parametric Verification of Systems with Almost Linear Architectures
Authors:
Marius Bozga,
Radu Iosif,
Joseph Sifakis
Abstract:
We consider concurrent systems consisting of a finite but unknown number of components, that are replicated instances of a given set of finite state automata. The components communicate by executing interactions which are simultaneous atomic state changes of a set of components. We specify both the type of interactions (e.g.\ rendez-vous, broadcast) and the topology (i.e.\ architecture) of the sys…
▽ More
We consider concurrent systems consisting of a finite but unknown number of components, that are replicated instances of a given set of finite state automata. The components communicate by executing interactions which are simultaneous atomic state changes of a set of components. We specify both the type of interactions (e.g.\ rendez-vous, broadcast) and the topology (i.e.\ architecture) of the system (e.g.\ pipeline, ring) via a decidable interaction logic, which is embedded in the classical weak sequential calculus of one successor (WS1S). Proving correctness of such system for safety properties, such as deadlock freedom or mutual exclusion, requires the inference of an inductive invariant that subsumes the set of reachable states and avoids the unsafe states. Our method synthesizes such invariants directly from the formula describing the interactions, without costly fixed point iterations. We applied our technique to the verification of several textbook examples, such as dining philosophers, mutual exclusion protocols and concurrent systems with preemption and priorities.
Submitted 7 February, 2019;
originally announced February 2019.
-
First Order Alternation
Authors:
Radu Iosif,
Xiao Xu
Abstract:
We introduce first order alternating automata, a generalization of boolean alternating automata, in which transition rules are described by multisorted first order formulae, with states and internal variables given by uninterpreted predicate terms. The model is closed under union, intersection and complement, and its emptiness problem is undecidable, even for the simplest data theory of equality. To cope with this limitation, we develop an abstraction refinement semi-algorithm based on lazy annotation of the symbolic execution paths with interpolants, obtained by applying (i) quantifier elimination with witness term generation and (ii) Lyndon interpolation in the quantifier-free data theory with uninterpreted predicate symbols. This provides a method for checking inclusion of timed and finite-memory register automata, and emptiness of quantified predicate automata, previously used in the verification of parameterized concurrent programs, composed of replicated threads, with a shared-memory communication model.
Submitted 19 November, 2018; v1 submitted 6 November, 2018;
originally announced November 2018.
-
Checking Deadlock-Freedom of Parametric Component-Based Systems
Authors:
Marius Bozga,
Radu Iosif,
Joseph Sifakis
Abstract:
We propose an automated method for computing inductive invariants applied to check deadlock-freedom for parametric component-based systems. The method generalizes the approach for computing structural trap invariants from bounded to parametric systems with general architectures. It symbolically extracts trap invariants from a monadic interaction formula characterizing the system architecture. The paper presents the theoretical foundations of the method including new results for the first order monadic logic and proves its soundness. It also provides preliminary illustrations on examples.
Submitted 15 February, 2019; v1 submitted 25 May, 2018;
originally announced May 2018.
-
The Complexity of Prenex Separation Logic with One Selector
Authors:
Mnacho Echenim,
Radu Iosif,
Nicolas Peltier
Abstract:
We first show that infinite satisfiability can be reduced to finite satisfiability for all prenex formulas of Separation Logic with $k\geq1$ selector fields ($\mathsf{SL}^k$). Second, we show that this entails the decidability of the finite and infinite satisfiability problem for the class of prenex formulas of $\mathsf{SL}^1$, by reduction to the first-order theory of one unary function symbol and unary predicate symbols. We also prove that the complexity is not elementary, by reduction from the first-order theory of one unary function symbol. Finally, we prove that the Bernays-Schönfinkel-Ramsey fragment of prenex $\mathsf{SL}^1$ formulae with quantifier prefix in the language $\exists^*\forall^*$ is PSPACE-complete. The definition of a complete (hierarchical) classification of the complexity of prenex $\mathsf{SL}^1$, according to the quantifier alternation depth, is left as an open problem.
Submitted 30 April, 2018; v1 submitted 10 April, 2018;
originally announced April 2018.
-
On the Expressive Completeness of Bernays-Schönfinkel-Ramsey Separation Logic
Authors:
Mnacho Echenim,
Radu Iosif,
Nicolas Peltier
Abstract:
This paper investigates the satisfiability problem for Separation Logic, with unrestricted nesting of separating conjunctions and implications, for prenex formulae with quantifier prefix in the language $\exists^*\forall^*$, in the cases where the universe of possible locations is either countably infinite or finite. In analogy with first-order logic with uninterpreted predicates and equality, we call this fragment Bernays-Schönfinkel-Ramsey Separation Logic [BSR(SLk)]. We show that, unlike in first-order logic, the (in)finite satisfiability problem is undecidable for BSR(SLk) and we define two non-trivial subsets thereof, that are decidable for finite and infinite satisfiability, respectively, by controlling the occurrences of universally quantified variables within the scope of separating implications, as well as the polarity of the occurrences of the latter. The decidability results are obtained by a controlled elimination of separating connectives, described as (i) an effective translation of a prenex form Separation Logic formula into a combination of a small number of test formulae, using only first-order connectives, followed by (ii) a translation of the latter into an equisatisfiable first-order formula.
Submitted 16 February, 2018; v1 submitted 1 February, 2018;
originally announced February 2018.
-
Complete Cyclic Proof Systems for Inductive Entailments
Authors:
Radu Iosif,
Cristina Serban
Abstract:
In this paper we develop cyclic proof systems for the problem of inclusion between the least sets of models of mutually recursive predicates, when the ground constraints in the inductive definitions belong to the quantifier-free fragments of (i) First Order Logic with the canonical Herbrand interpretation and (ii) Separation Logic, respectively. Inspired by classical automata-theoretic techniques of proving language inclusion between tree automata, we give a small set of inference rules, that are proved to be sound and complete, under certain semantic restrictions, involving the set of constraints in the inductive system. Moreover, we investigate the decidability and computational complexity of these restrictions for all the logical fragments considered and provide a proof search semi-algorithm that becomes a decision procedure for the entailment problem, for those systems that fulfill the restrictions.
Submitted 30 April, 2018; v1 submitted 8 July, 2017;
originally announced July 2017.
-
The Impact of Alternation
Authors:
Radu Iosif,
Xiao Xu
Abstract:
Alternating automata have been widely used to model and verify systems that handle data from finite domains, such as communication protocols or hardware. The main advantage of the alternating model of computation is that complementation is possible in linear time, which makes it possible to concisely encode trace inclusion problems that occur often in verification. In this paper we consider alternating automata over infinite alphabets, whose transition rules are formulae in a combined theory of booleans and some infinite data domain, that relate past and current values of the data variables. The data theory is not fixed, but rather it is a parameter of the class. We show that union, intersection and complementation are possible in linear time in this model and, though the emptiness problem is undecidable, we provide two efficient semi-algorithms, inspired by two state-of-the-art abstraction refinement model checking methods: lazy predicate abstraction [HJMS02] and the Impact semi-algorithm [mcmillan06]. We have implemented both methods and report the results of an experimental comparison.
Submitted 16 August, 2017; v1 submitted 16 May, 2017;
originally announced May 2017.
-
Reasoning in the Bernays-Schoenfinkel-Ramsey Fragment of Separation Logic
Authors:
Andrew Reynolds,
Radu Iosif,
Cristina Serban
Abstract:
Separation Logic (SL) is a well-known assertion language used in Hoare-style modular proof systems for programs with dynamically allocated data structures. In this paper we investigate the fragment of first-order SL restricted to the Bernays-Schoenfinkel-Ramsey quantifier prefix $\exists^*\forall^*$, where the quantified variables range over the set of memory locations. When this set is uninterpreted (has no associated theory) the fragment is PSPACE-complete, which matches the complexity of the quantifier-free fragment. However, SL becomes undecidable when the quantifier prefix belongs to $\exists^*\forall^*\exists^*$ instead, or when the memory locations are interpreted as integers with linear arithmetic constraints, thus setting a sharp boundary for decidability within SL. We have implemented a decision procedure for the decidable fragment of $\exists^*\forall^*$SL as a specialized solver inside a DPLL($T$) architecture, within the CVC4 SMT solver. The evaluation of our implementation was carried out using two sets of verification conditions, produced by (i) unfolding inductive predicates, and (ii) a weakest precondition-based verification condition generator. Experimental data shows that automated quantifier instantiation has little overhead, compared to manual model-based instantiation.
Submitted 23 November, 2016; v1 submitted 15 October, 2016;
originally announced October 2016.
-
How hard is it to verify flat affine counter systems with the finite monoid property?
Authors:
Radu Iosif,
Arnaud Sangnier
Abstract:
We study several decision problems for counter systems with guards defined by convex polyhedra and updates defined by affine transformations. In general, the reachability problem is undecidable for such systems. Decidability can be achieved by imposing two restrictions: (i) the control structure of the counter system is flat, meaning that nested loops are forbidden, and (ii) the set of matrix powers is finite, for any affine update matrix in the system. We provide tight complexity bounds for several decision problems of such systems, by proving that reachability and model checking for Past Linear Temporal Logic are complete for the second level of the polynomial hierarchy $\Sigma^P_2$, while model checking for First Order Logic is PSPACE-complete.
Submitted 19 May, 2016;
originally announced May 2016.
-
A Decision Procedure for Separation Logic in SMT
Authors:
Andrew Reynolds,
Radu Iosif,
Tim King
Abstract:
This paper presents a complete decision procedure for the entire quantifier-free fragment of Separation Logic (SL) interpreted over heaplets with data elements ranging over a parametric multi-sorted (possibly infinite) domain. The algorithm uses a combination of theories and is used as a specialized solver inside a DPLL($T$) architecture. A prototype was implemented within the CVC4 SMT solver. Preliminary evaluation suggests the possibility of using this procedure as a building block of a more elaborate theorem prover for SL with inductive predicates, or as the back-end of a bounded model checker for programs with low-level pointer and data manipulations.
Submitted 19 May, 2016; v1 submitted 22 March, 2016;
originally announced March 2016.
-
Decidable Horn Systems with Difference Constraints Arithmetic
Authors:
Radu Iosif
Abstract:
This paper tackles the problem of the existence of solutions for recursive systems of Horn clauses with second-order variables interpreted as integer relations, and harnessed by quantifier-free difference bounds arithmetic. We start by proving the decidability of the problem "does the system have a solution?" for a simple class of Horn systems with one second-order variable and one non-linear recursive rule. The proof relies on a construction of a tree automaton recognizing all cycles in the weighted graph corresponding to every unfolding tree of the Horn system. We constrain the tree to recognize only cycles of negative weight by adding a Presburger formula that harnesses the number of times each rule is fired, and reduce our problem to the universality of a Presburger-constrained tree automaton. We studied the complexity of this problem and found it to be in NEXPTIME with an EXPTIME-hard lower bound. Second, we drop the univariate restriction and consider multivariate second-order Horn systems with a structural restriction, called flatness. This more general class of Horn systems is found to be decidable, within the same complexity bounds. Finally, we encode the reachability problem for Alternating Branching Vector Addition Systems (ABVASS) using Horn systems and prove that, for flat ABVASS, this problem is in co-NEXPTIME.
Submitted 14 February, 2016; v1 submitted 1 March, 2015;
originally announced March 2015.
-
Abstraction Refinement for Trace Inclusion of Infinite State Systems
Authors:
Radu Iosif,
Adam Rogalewicz,
Tomas Vojnar
Abstract:
A data automaton is a finite automaton equipped with variables (counters or registers) ranging over infinite data domains. A trace of a data automaton is an alternating sequence of alphabet symbols and values taken by the counters during an execution of the automaton. The problem addressed in this paper is the inclusion between the sets of traces (data languages) recognized by such automata. Since the problem is undecidable in general, we give a semi-algorithm based on abstraction refinement, which is proved to be sound and complete, but whose termination is not guaranteed. We have implemented our technique in a prototype tool and show promising results on several non-trivial examples.
Submitted 21 October, 2015; v1 submitted 19 October, 2014;
originally announced October 2014.
-
Interprocedural Reachability for Flat Integer Programs
Authors:
Pierre Ganty,
Radu Iosif
Abstract:
We study programs with integer data, procedure calls and arbitrary call graphs. We show that, whenever the guards and updates are given by octagonal relations, the reachability problem along control flow paths within some language $w_1^* \ldots w_d^*$ over program statements is decidable in NEXPTIME. To achieve this upper bound, we combine a program transformation into the same class of programs but without procedures, with an NP-completeness result for the reachability problem of procedure-less programs. Besides the program, the expression $w_1^* \ldots w_d^*$ is also mapped onto an expression of a similar form but this time over the transformed program statements. Several arguments involving context-free grammars and their generative process enable us to give tight bounds on the size of the resulting expression. The currently existing gap between NP-hard and NEXPTIME can be closed to NP-complete when a certain parameter of the analysis is assumed to be constant.
Submitted 11 June, 2015; v1 submitted 13 May, 2014;
originally announced May 2014.
-
Deciding Entailments in Inductive Separation Logic with Tree Automata
Authors:
Radu Iosif,
Adam Rogalewicz,
Tomas Vojnar
Abstract:
Separation Logic (SL) with inductive definitions is a natural formalism for specifying complex recursive data structures, used in compositional verification of programs manipulating such structures. The key ingredient of any automated verification procedure based on SL is the decidability of the entailment problem. In this work, we reduce the entailment problem for a non-trivial subset of SL describing trees (and beyond) to the language inclusion of tree automata (TA). Our reduction provides tight complexity bounds for the problem and shows that entailment in our fragment is EXPTIME-complete. For practical purposes, we leverage recent advances in automata theory, such as inclusion checking for non-deterministic TA avoiding explicit determinization. We implemented our method and present promising preliminary experimental results.
Submitted 11 February, 2014; v1 submitted 10 February, 2014;
originally announced February 2014.
-
The Complexity of Reachability Problems for Flat Counter Machines with Periodic Loops
Authors:
Marius Bozga,
Radu Iosif,
Filip Konecny
Abstract:
This paper proves the NP-completeness of the reachability problem for the class of flat counter machines with difference bounds and, more generally, octagonal relations, labeling the transitions on the loops. The proof is based on the fact that the sequence of powers $\{R^i\}_{i=1}^\infty$ of such relations can be encoded as a periodic sequence of matrices, and that both the prefix and the period of this sequence are $2^{\mathcal{O}(\mathit{bin}(R))}$ in the size of the binary encoding $\mathit{bin}(R)$ of a relation $R$. This result makes it possible to characterize the complexity of the reachability problem for one of the most studied classes of counter machines [cav10, comon-jurski98], and has a potential impact for other problems in program verification.
Submitted 14 February, 2016; v1 submitted 16 July, 2013;
originally announced July 2013.
-
Deciding Conditional Termination
Authors:
Radu Iosif,
Filip Konecny,
Marius Bozga
Abstract:
We address the problem of conditional termination, which is that of defining the set of initial configurations from which a given program always terminates. First we define the dual set, of initial configurations from which a non-terminating execution exists, as the greatest fixpoint of the function that maps a set of states into its pre-image with respect to the transition relation. This definition makes it possible to compute the weakest non-termination precondition if at least one of the following holds: (i) the transition relation is deterministic, (ii) the descending Kleene sequence overapproximating the greatest fixpoint converges in finitely many steps, or (iii) the transition relation is well founded. We show that this is the case for two classes of relations, namely octagonal and finite monoid affine relations. Moreover, since the closed forms of these relations can be defined in Presburger arithmetic, we obtain the decidability of the termination problem for such loops.
Submitted 20 August, 2014; v1 submitted 12 February, 2013;
originally announced February 2013.
-
The Tree Width of Separation Logic with Recursive Definitions
Authors:
Radu Iosif,
Adam Rogalewicz,
Jiri Simacek
Abstract:
Separation Logic is a widely used formalism for describing dynamically allocated linked data structures, such as lists, trees, etc. The decidability status of various fragments of the logic constitutes a long standing open problem. Current results report on techniques to decide satisfiability and validity of entailments for Separation Logic(s) over lists (possibly with data). In this paper we establish a more general decidability result. We prove that any Separation Logic formula using rather general recursively defined predicates is decidable for satisfiability, and moreover, entailments between such formulae are decidable for validity. These predicates are general enough to define (doubly-) linked lists, trees, and structures more general than trees, such as trees whose leaves are chained in a list. The decidability proofs are by reduction to decidability of Monadic Second Order Logic on graphs with bounded tree width.
Submitted 30 March, 2013; v1 submitted 22 January, 2013;
originally announced January 2013.
-
Underapproximation of Procedure Summaries for Integer Programs
Authors:
Pierre Ganty,
Radu Iosif,
Filip Konecny
Abstract:
We show how to underapproximate the procedure summaries of recursive programs over the integers using off-the-shelf analyzers for non-recursive programs. The novelty of our approach is that the non-recursive program we compute may capture unboundedly many behaviors of the original recursive program for which stack usage cannot be bounded. Moreover, we identify a class of recursive programs on which our method terminates and returns the precise summary relations without underapproximation. Doing so, we generalize a similar result for non-recursive programs to the recursive case. Finally, we present experimental results of an implementation of our method applied on a number of examples.
Submitted 24 October, 2016; v1 submitted 16 October, 2012;
originally announced October 2012.