Automata-Based Analysis of Recursive Concurrent Programs Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany 2nd Tutorial of SPP RS3: Reliably Secure Software Systems Schloss Buchenau, September 3-6, 2012
Introduction � Optimal Analysis: � Complete analysis of well-specified abstract model � Threads & recursive procedures � Locks & monitors � Regular model checking �������������������������������������������������������������������������������������������� ���!"� �
Lock-join-sensitive Analysis Main: 0 P: output (x) 0 2 1 acquire l acquire l 2 1 3 x := secret spawn P 3 2 4 release l output (x) 4 5 3 release l x := 0 5 6 6 4 join 7 Power of different analyses: output (x) � Pure lock sets: 3 � Analysis sensitive to thread creation, e.g., [BMOT05], [LMO07]: 1,2 9 � Lock-sensitive analysis [LMO08], [LMOW09]: 1,2,3,4 � Lock-join-sensitive analysis [GLMOSW11]: 1,2,3,4,5, 6 Of course, also treat branching, loops, recursion !
Reachability Analysis of Programs with Procedures and Thread Creation Theorem [Ramalingam] Reachability is undecidable in programs with two threads, synchronous communication, and procedures. Proof: Reduction of intersection problem (L 1 ∩ L 2 ≠ ∅ ) of contextfree languages L 1 ,L 2 . ⇒ ⇒ ⇒ ⇒ abstract from synchronous communication (for now). �������������������������������������������������������������������������������������������� ���!"�
A Model of Recursive Programs with Thread-creation: DPNs: Dynamic Pushdown-Networks A dynamic pushdown-network (DPN) over finite set of actions Act � consists of: P, a finite set of control symbols � Γ, a finite set of stack symbols � ∆ , a finite set of rules of the following form � a γ → ≤ p pw [ with w 2 ] 1 1 1 a ⊳ γ → [ with = 1 and = 1] p pw p w w w 1 1 2 2 1 2 (with p , p 1 , p 2 ∈ P, γ ∈� Γ , w 1 , w 2 ∈ Γ * , a ∈ Act). DPNs can model recursive programs with thread-creation primitives � using finite abstractions of (thread-local) global variables and local variables of procedures. �������������������������������������������������������������������������������������������� ���!"� #
Execution-Semantics of DPNs on Word-Shaped Configurations A Configuration of a DPN is a word in (P Γ *) + : ⋯ * ∈ ∈Γ > (with , , 0) p w p w p w p P w k 1 1 2 2 k k i i ... an infinite state space The transition relation of a DPN: ( ) a a γ → ∈∆ γ → : p p w u p v u p w v 1 1 1 1 ( ) ⊳ a a γ → ∈∆ : γ → p p w p w u p v u p w p w v 1 1 2 2 2 2 1 1 �������������������������������������������������������������������������������������������� ���!"� $
Example Consider the following DPN with a single rule ⊳ a γ → γγ γ p p q Transitions: γ p γ γγ q p γ γ γγγ q q p γ γ γ γγγγ q q q p γ γ γ γ γγγγγ q q q q p ⋮ �������������������������������������������������������������������������������������������� ���!"� %
Recursive Programs with Thread Creation Entry point, e q , Procedures of Q P: Q: 0 4 A C Recursive 1 5 procedure calls spawn Q call P call Q 2 6 B D Basic 3 3 7 actions Spawn commands Return point, x q , of Q + finite-state abstraction of (thread-local) global and local variables
Modelling Programs with DPNs à la [Esparza/Knoop, FOSSACS’99] abstraction of current abstraction of local state control point global state u ) � � ( # ( ) ( ) e , → ' ', , if , , ', ' ∈ g l u g l v g l g l A for basic edge e: A v u e , → , , g l u g l e l v for call edge e: call P init P v for return point of ret , → g l r g r P P each procedure u ⊳ e , → , , g l u g l v g l e for spawn edge e: spawn P init init P v
Spawns are Fundamentally Different P: Q: 0 4 A C 1 5 spawn Q call P call Q 2 6 B D 3 7 P induces trace language: L = ∪ { A n ⋅ ( B m ⊗ (C i ⋅ D j ) | n ≥ m ≥ 0, i ≥ j ≥ 0 } Cannot characterize L by constraint system with „ ⋅ “ and „ ⊗ “. Trace languages of DPNs differ from those of PA processes. [Bouajjani, MO, Touili: CONCUR 2005]
Basic Results on Reachability Analysis of DPNs [Bouajjani, MO, Touili, CONCUR 2005] Definition * w = ∃ ∈ ∈ → pre [ ]( ) : { | , : * } L C c d C w L c d * w = ∃ ∈ ∈ → post [ ]( ) : { | , : * } L C d c C w L c d Forward-Reachability 1) post*[Act*](C) is in general non-regular for regular C. 2) post*[Act*](C) is effectively context-free for context-free C (in polyn. time). 3) Membership in post*[L](C) is in general undecidable for regular L. Backward-Reachability 1) pre*[A*](C) is effectively regular for regular C and A ⊆ Act (in polyn. time). 2) Membership in pre*[L](C) is in general undecidable for regular L. Single Steps 1) pre * [A](C) and post*[A](C) are effectively regular for regular C and A ⊆ Act (in polyn. time).
Example: Backward Reachability Analysis for DPNs Consider again DPN with the rule ⊳ a γ → γγ γ p p q and the infinite set of states + ( ) + Bad = γ γ γ = ( ) q q p L A Analysis problem: can Bad be reached from p γ ? �������������������������������������������������������������������������������������������� ���!"� "&
Example: Backward Reachability Analysis for DPNs ⊳ a 1. Step : Saturate automaton for Bad with the DPN rule: γ → γγ γ p p q Generalization of [Bouajjani/Esparza/Maler, CONCUR`97] γ γ p p p γ γ γ γ q q q a γ → γ γγ up v uq p v Resulting automaton A pre* represents pre*(Bad) ! 2. Step : Check, whether p γ is accepted by A pre* or not Result : Bad is reachable from p γ , as A pre* accepts p γ !
Some Applications of pre*-Computations with unrestricted L (i.e. L = Act*) Reachability of regular sets of configurations Set Bad of configurations is reachable from initial configuration p 0 γ 0 iff p 0 γ 0 ∈ pre*[Act*](Bad) used in JMoped of Schwoon/Esparza Bounded model checking By iterated pre*-computations alternating with single steps corresponding to synchronizations/communications Bit-vector data-flow analysis problems à la [Esparza/Knoop, FOSSACS’99] Variable x is live at program point u iff ( ) ( ) ∈ ∩ *[ *] *[ *] *[ ]( ) e pre Act At pre NonDef pre Use Conf Main u x x �������������������������������������������������������������������������������������������� ���!"� "
Exploiting a Tree-Shaped View of Configurations CDPNs: Constrained Dynamic Pushdown-Networks Idea: Add (regular, stable) pre-conditions over current control symbols of children threads to DPN rules. A constrained dynamic pushdown-network (CDPN) consists of: P, a finite set of control symbols � Γ, a finite set of stack symbols � ∆ , a finite set of rules of the following form � a φ γ → φ ⊆ : where * p p w P 1 1 ⊳ a φ γ → φ ⊆ : where * p p w p w P 1 1 2 2 (with p , p 1 , p 2 ∈ P, γ ∈� Γ , w 1 , w 2 ∈ Γ * , a ∈ Act) �������������������������������������������������������������������������������������������� ���!"� "#
Recommend
More recommend