A FOL Fragment for Safety Checking in Infinite State Systems

Supratik Chakraborty and Abhisekh Sankaran

Introduction

! Given a state-transition system, thesafety checking problem involvesfinding whether a certainsafety property is true in all reachable states of the system.

! This can be translated to the problem of reachability of a state violating the safety property in the system.

! We look at reachability in infinite state systems. This is known to be undecidable in general.

! However we try to answer the reachability question by using a combination of inductive reasoning and bounded model checking in a semi-decision procedure.

InductionSolve

ifnotSat(¬P(s))then returnTrue;

ifSat(I(s)∧ ¬P(s)) thenreturn counterexamples;

else k :=1;

whileTrue do ifnotSat(!i=k

i=1(P(si)∧ T(si,s_i+1))∧

!

1≤i<j≤k+1(si "=s_j)∧ ¬P(sk+1))then returnTrue;

ifSat(I(s1)∧!i=k

i=1(P(si)∧ T(si,s_i+1))∧

!

1≤i<j≤k+1(s_i "=s_j)∧ ¬P(s_k+1))then return counterexamples;

else

k := k + 1;

end

InductionSolve (Contd..)

! Let

IS1(k) =!i=k

i=1(P(si)∧ T(si,s_i+1))∧ ¬P(sk+1).

IS2(k) =I(s₁)∧!i=k

i=1(P(s_i)∧ T(s_i,s_i+1))∧ ¬P(s_k+1).

! Non-termination of InductionSolve can be due to (a) non-termination of SAT solver or (b) unbounded increase ofk.

! Halting problem can be expressed as a reachability problem where we can decide the satisfiability ofIS1(k) andIS2(k).

! We hence try to identify classes ofP,T andI for which we can decideIS1(k)andIS2(k).

An Example

s

a b c

d e

f g

h i

a c

d f g

h i

b e s

! T(s,s^")≡ ∃x,y,z(E(x,y)∧ ¬E(y,z)∧ ¬E^"(x,y)∧E^"(y,z))

P(s) =∀x,y,z¬(E(x,y)∧E(y,z)). Then IS1(1) =P(s)∧ T(s,s^")∧ ¬P(s^")is true.

! The following sub-graphs (having 3 nodes) also satisfy

T(s,s^"). Further no matter how you extend them (by

adding nodes) the resulting graphs still satisfyT(s,s^").

d e

b

d e

b

d e

b f

h g

f h d e g

b

An Example (Contd..)

! The following sub-graphs (having 0 and 3 nodes resp.) also satisfyP(s)and¬P(s^"). Extending them,P(s)and

P(s^")still hold true.

d e

i

d e

i f

g

h

! Putting the above sub-graphs together the following subgraphs having atmost 3 + 0 + 3 = 6 nodes satisfy IS1(1).

d e

i

b

d e

i

b

A General Procedure for Deciding IS1(k ) and IS 2(k )

! SupposeT(s,s^")has the following property.

11

T(s ,s’ )

22

T(s ,s’ )

|s | <= B₁^’ _T

|s | <= B_{1 T}

11 T(s,s’)

s s’

1 s₁₁² s

s s’₁

s’₂ s’

! SupposeP(s)(and likewise¬P(s),I(s)and¬I(s)) have the following property.

s ,P(s )_{1 1}

s,P(s) s ,P(s )_{2 2}

A General Procedure for Deciding IS1(k ) and IS 2(k )

! Then ifIS1(1)has a model, we can construct a bounded (sub)model of sizeB=BT +BP+B¬P.

11

T(s ,s’ )

22

T(s ,s’ )

s ,P(s )_{11 11} s’ ,!P(s’ 11 11

s1

s ,P(s )2 2

s’₁

2 2

s’ ,!P(s’ ) T(s,s’)

s, P(s) (C) s’,!P(s’)

! We can do likewise forIS1(k)andIS2(k)for anyk.

! Then for each formula, if it has a model, it has a model of bounded sizeB. Enumerate all models of size uptoB. If

youfind a model, you are done, else you know there

cannot exist a model.

The Extensible Bounded Submodel Property (EBS)

A formulaϕ(x)overΣis said to satisfy theExtensible

Bounded Submodelproperty with respect toσ⊆Σ(denoted asϕ(x)∈EBS_Σ(σ)) if there exists a cardinalBϕ,σ such that for everyΣ−structureMhaving universeAwith|A| ≥ Bϕ,σ and for everya∈A^|x|, ifM |=ϕ(a)then there existsA₁⊆Asuch that

1. a∈A^|x|₁ 2. |A₁| ≤ Bϕ,σ

3. For allA₂such thatA₁⊆A₂⊆A, ifM₂^" is the substructure ofM generated byA₂, then there exists aΣ−structureM₂ such thatM₂|σ =M₂^"|σ andM₂|=ϕ(a).

The EBS property pictorially

TO BE RETAINED A₁

A₂ A

M

CAN BE CHANGED

|A | <= B₁

Its easy to see that forσ₁⊆σ₂⊆Σ,EBS_Σ(σ2)⊆EBS_Σ(σ1).

Some Examples

! Bernays-Sch¨onfinkel (∃^∗∀^∗(..))is inEBS_Σ(Σ). For a sentenceϕ,B_ϕ,Σ= No. of existential quantifiers inϕ.

! In the example shown earlier, the sentence is

∃x₁,x₂,x₃,y₁,y₂,y₃∀z₁,z₂,z₃

(E(x₁,x₂)∧ ¬E(x₂,x₃)∧ ¬(E(z₁,z₂)∧E(z₂,z₃))∧

¬E^"(x1,x₂)∧E^"(x2,x₃)∧E^"(y1,y₂)∧E^"(y2,y₃))

and hence has bound of 6.

! L¨owenheim class (monadic FO)∈EBS_Σ(Σ).B_ϕ,Σ=k.2^m (k = Rank ofϕ,m=|Σ|).

! Ifφ=∀x∃yP(x,y),thenφ∈EBS_Σ(∅).

EBS and other classes of FO

! EBS"→bounded submodel property.

Considerϕ=∀x∃yP(x,y). The infinite chain is a model but there is no bounded submodel of it satisfyingϕ. Yet ϕ∈EBS_Σ(∅)as seen earlier.

! EBS"=finite satisfiability

Letϕ1express there exists exactly one element andϕ2

express an infinite chain. Then Finitely sat In EBS Eg formula

Yes Yes ϕ₁

Yes No ϕ₁∨ϕ₂

No Yes ϕ₁∧ϕ₂(=False)

No No ϕ₂

Closure properties of EBS

Letϕ_i(xi)∈EBS_Σi(σi)for someσ_i ⊆Σi. Let condition

C = (Σ1∩Σ2=σ₁∩σ₂). LetZ(ϕi)denote free variables ofϕ_i. 1. ∧-Closure: Letϕ(x) =ϕ₁(x1)∧ϕ₂(x2),Σ = Σ1∪Σ2. IfC

holds, thenϕ(x)∈EBS_Σ(σ1∪σ₂)⊆ EBSwith Bϕ,σ1∪σ2 =Bϕ1,σ1 +Bϕ2,σ2.

2. ∨-Closure: Letϕ(x) =ϕ1(x1)∨ϕ2(x2),Σ =Σ1∪Σ2. Then ϕ(x)∈EBS_Σ(σ)with

σ = ((Σ1−Σ2)∪σ₂)"

((Σ2−Σ1)∪σ₁),Bϕ,σ =

max{Bϕ₁,σ₁,Bϕ₂,σ₂}+max(|Z(ϕ1)\Z(ϕ2)|,|Z(ϕ2)\Z(ϕ1)|).

3. ¬-(Non)Closure: EBS is not closed under negation.

4. ∃−Closure: Letϕ(x) =∃zϕ₁(x1)wherez ∈Z(ϕ1). Then ϕ(x)∈EBS_Σ1(σ1)⊆ EBSwithBϕ,σ =Bϕ1,σ1.

A Syntactic Subclass of EBS - Some Terminology

Considerϕ(x)in prenex normal form with all its variables named uniquely. Let

! V(ϕ)= set of all free variables#

the leftmost∃quantified variables ofϕ.

! AV(ϕ)= set of all∀quantified variables ofϕand

! EV(ϕ)= set of all∃quantified variables ofϕexcept the leftmost ones.

A Syntactic Subclass of EBS - Some Terminology (Contd..)

A predicatePis called

! freeif each argument of every instance ofPinϕis inV(ϕ).

! universal if no argument of any instance ofP is from EV(ϕ)and atleast one argument of some instance ofPis fromAV(ϕ).

! existential if atleast one argument of some instance ofP is fromEV(ϕ).

! mixed if, for somei, thei^th argument of one instance ofP is fromAV(ϕ)while thei^thargument of another instance of P is fromEV(ϕ).

A Syntactic Subclass of EBS - Some Terminology (Contd..)

! Thefree support set (fss)of an instance ofPinϕis the set of all variables inV(ϕ)appearing as arguments in that instance ofP. Theaggregated free support set (afss) of predicatePis the union of the free support sets of all instances ofP inϕ.

! Theuniversal support set (uss)of an instance ofPinϕis the set of all variables ofAV(ϕ)appearing as arguments in that instance ofP. Theaggregated universal support set (auss)ofPis the union of the universal support sets of all instances ofP inϕ.

A Syntactic Subclass of EBS - Some Terminology (Contd..)

! Theexistential support set (ess)of an instance ofP inϕis the set of all variables ofEV(ϕ)appearing as arguments in that instance ofP. Theaggregated existential support set (aess)ofPis the union of the existential support sets of all instances ofP inϕ.

! Two instances of predicatePinϕ(x)are said to be distinguishablewith respect to variablev if there is an integerisuch thatv occurs as thei^thargument of one instance but not as thei^th argument of the other instance.

An Example

Considerϕgiven as below.

ϕ(u,x) = ∃w∀y∃z P(x,z)∧(P(y,z)∨ ¬P(u,w))∧(Q(y)∨

¬Q(x)∨S(u))∨(R(y,x)∧R(u,y))∧(T(y,z)∧T(z,w))

! V(ϕ) ={u,x,w},AV(ϕ) ={y},EV(ϕ) ={z}.

! P is existential,Q,R are universal,Sis free,T is mixed.

! ForP,fssoffirst instance is{x},ussis{}andess is{z}.

ForP,afss={x,u,w},auss={y}andaess={z}.

! Variabley distinguishes the two instances ofQ.

A Syntactic Subclass of EBS - Definition

Letϕ(x)be a FOL formula in prenex normal form with uniquely named variables and signatureΣ. Formulaϕ(x)is said to have Existentially Distinguishable and Unmixed Predicateswith respect toσ⊆Σ(denotedϕ(x)∈EDUP_Σ(σ)) if:

1. Every predicate inσis nullary, unary, free or universal.

2. There is no equality.

3. Every predicateP ∈Σwith arity≥2 satisfies the following:

! Pis not mixed inϕ(x).

! LetP¹andP²be two syntactically distinct instances ofP.

LetE_U^σbe the union of aggregated existential support sets of unary predicates inσ, andE1,2be the union of existential support sets ofP¹andP². ThenP¹andP²are either distinguishable with respect to every variable inE1,2or with respect to some variable inE1,2\E_U^σ.

An Example

Consider the same example as before.

ϕ(u,x) = ∃w∀y∃z P(x,z)∧(P(y,z)∨ ¬P(u,w))∧(Q(y)∨

¬Q(x)∨S(u))∨(R(y,x)∧R(u,y))∧(T(y,z)∧T(z,w)).

! ϕ /∈EDUP_Σ(σ)for anyσ asT is mixed.

! ϕ /∈EDUP_Σ(σ)also since the second argument of thefirst twoP instances is same i.e.z.

! Suppose the last clause is dropped and the second argument of thefirstP instance is changed tou. Then if P ∈/σ, ϕ∈EDUP_Σ(σ)else not.

Some Results on EDUP

Lemma

Letϕ(x)be a formula in prenex normal form with signatureΣin which (a) every predicate of arity≥2inΣappears exactly once and (b)there is no equality predicate. Then there existsσ ⊆Σ such thatϕ(x)∈EDUP_Σ(σ).

LetBSbe the Bernay’s Sch¨onfinkel class andLbe the L¨owenheim class of FO formulae overΣ.

Lemma

(BS∪L)⊆EDUP_Σ(Σ).

Some Results on EDUP (Contd..)

Lemma

If L"⊆BS, then(L∪BS)!EDUP_Σ(Σ).

Theorem

Letϕ(x)∈EDUP_Σ(σ). Let m and k be the number of constants and unary predicates, resp. inΣ. Let l be the number of

existential instances of predicates of arity≥2inϕ(x). Then ϕ(x)∈EBS_Σ(σ)withBϕ,σ =m+|V(ϕ(x))|+|EV(ϕ(x)| ·2^k+l.

Conclusion

! We looked at a semantic property called EBS to give us a semi-decision procedure for the reachability problem in infinite state systems.

! We studied the EBS class with regards to its relation with other classes, deciding the membership in the EBS class and its closure properties.

! We then looked at a syntactic subclass of EBS called EDUP which is defined by placing restrictions on the way quantified variables appear as the arguments of predicates and looked at some results concerning this class.

! The EDUP class generalises two well known classes namely Bernays Sch¨onfinkel and L¨owenheim and is a decidable class.

! We intend to get explore more syntactic subclasses of EBS.