Infinite-State Backward Exploration of Boolean Broadcast Programs* [1/28]
Peizun Liu and Thomas Wahl, Northeastern University, Boston, USA
FMCAD 2014, Lausanne, Switzerland, October 24, 2014
* This work is supported by NSF grant no. 1253331.

Outline [2/28]
Introduction, Classical BWS, Our Approach, Experiments, Summary
Problem Description [3/28]
Assertion checking for non-recursive, unbounded-thread Boolean broadcast programs:

    decl s := 0;        // shared
    main () {
      decl l := 0;      // local
      1:  s := 0;
      2:  goto 3,7;
      3:  assume(s);
      4:  l := 1;
      5:  wait;
      6:  goto 7;
      7:  assume (!s);
      8:  broadcast;
      9:  s := !s;
      10: assert (!l);  ➠
    }
Problem Description [4/28]
Definition
Given: a program state (s, ℓ), with shared component s and local component ℓ.
Task: check if there exists a reachable global state of the form

    ( s | ℓ_1, ℓ_2, ℓ_3, ℓ_4, ..., ℓ )
      shared | local

i.e. a global state whose shared component is s and in which some thread is in local state ℓ.
Motivation [5/28]
◮ Boolean broadcast programs result from concurrent C programs via predicate abstraction [Donaldson et al., 2012]
◮ Predicate abstraction used widely in verification: SLAM, BLAST, SATABS (concurrent), etc.

C program:

    int x = 1;
    int main () {
      int y = 0;
      x = 0;
      if(x)
        y = 1;
      x = !x;
      assert (!y);
      return 0;
    }

Boolean program:

    decl s := 0;
    main () {
      decl l := 0;
      1: s := 0;
      2: goto 3,6;
      3: assume(s);
      4: l := 1;
      5: goto 7;
      6: assume (!s);
      7: s := !s;
      8: assert (!l);
    }
Motivation: Classical Solutions [6/28]
Reachability of (s, ℓ) ⇒ coverability problem
◮ Karp-Miller Procedure [Karp & Miller, 1969]
◮ Backward Search [Abdulla et al., 1996]
Limitations
◮ Karp-Miller procedure cannot deal with broadcasts
◮ Both operate on transition systems ⇒ need to first convert concurrent BP to Petri net
Motivation: State Space Blow-Up [7/28]
Boolean Program to Petri Net: Program from Slide 5
[Figure: Petri net with shared places s_0 ... s_9 and local places l_0 ... l_37; |T| = 84]
Motivation: State Space Blow-Up [7/28]
Boolean Program to Petri Net: one benchmark BP: |V_S| = 5, |V_L| = 2, LOC = 60
[Figure: Petri net with shared places s_0 ... s_128 and local places l_0 ... l_213; |T| = 8064]
Our Approach [8/28]
Boolean broadcast program backward search ... based on Abdulla's Backward Search. But:
◮ operates directly on the Boolean program
◮ instead of statically building the transition system, constructs it on-the-fly
Result: dramatic reduction of state explosion
Backward Search [Abdulla et al., 1996] [10/28]
WQOS and cover relation
BWS operates over a well quasi-ordered system (WQOS). In our case the WQO is the covers relation:

    $(s, \bar\ell_1, \ldots, \bar\ell_{\bar n}) \succeq (s, \ell_1, \ldots, \ell_n)$
    whenever multiset $\{\bar\ell_1, \ldots, \bar\ell_{\bar n}\} \supseteq$ multiset $\{\ell_1, \ldots, \ell_n\}$.

Backward Search [Abdulla et al., 1996] [11/28]
[Figure, labels: $p$; $\exists\, \bar w \succeq w$; $\mathrm{Pre}(w)$; $\mathrm{CovPre}(w) = \min \mathrm{Pre}(w)$]
State Representation [13/28]
Store states in counter-abstracted form:

    $\tau = \langle s, \{(\ell_1, n_1), \ldots, (\ell_k, n_k)\} \rangle$

◮ ℓ_1, ..., ℓ_k are the distinct local states occurring in τ
◮ n_i = number of threads in local state ℓ_i in τ (n_i > 0!)
Cover Predecessor Computation [14/28]

    $\mathrm{CovPre}(w) = \min \{ p : \exists\, \bar w \succeq w : p \to \bar w \}$

Two challenges:
1. given w, need to explore expanded elements $\bar w \succeq w$ ⇒ how many threads to be added?
2. given $\bar w$, need to compute the predecessor $p \to \bar w$. We do not have →, only the program B! ⇒ how to execute B backwards?

Cover Predecessor Computation [15/28]
Two challenges
1. need to expand w to $\bar w$
2. need to execute B backwards from $\bar w$
The solutions
1. adding a single thread to w is sufficient (see paper for details)
2. execute B backwards via WP and CFG (see paper for details)
Our Algorithm: Standard Predecessors [16/28]

    $\tau' = \langle s', \{(\ell'_1, n'_1), \ldots, (\ell'_k, n'_k)\} \rangle$

Standard predecessors: for each local state ℓ'_i among the local states ℓ'_1, ℓ'_2, ..., ℓ'_{i-1}, ℓ'_i, ℓ'_{i+1}, ..., ℓ'_k of τ', and for each CFG edge e s.t. target(e) = ℓ'_i.pc, switch on e.stmt:
    case sequential statement: ...
    case thread creation statement: ...
    case broadcast statement: ...
[Figure: the resulting predecessors τ_0, τ_1, τ_2, τ_3, ..., τ_n of τ']

Our Algorithm: Standard Predecessors [17/28]

    $\tau' = \langle s', \{(\ell'_1, n'_1), \ldots, (\ell'_k, n'_k)\} \rangle$

Sequential statements (e.g. assignments)
◮ compute the predecessors using $\mathrm{WP}_{e.\mathrm{stmt}}$: for each (s, ℓ) s.t. $\mathrm{WP}_{e.\mathrm{stmt}}(s, \ell, s', \ell'_i)$, compute the predecessors of τ' w.r.t. (s, ℓ)
Our Algorithm: Standard Predecessors [18/28]

    $\tau' = \langle s', \{\ldots, (\ell'_i, n_i), \ldots, (\ell'_j, n_j), \ldots\} \rangle$

Thread creation statement

    10: start_thread 20;
    11: ...              ➦
    ...
    20: ...              ➦
    ...

τ' has a predecessor iff there exist ℓ'_i, ℓ'_j in τ' s.t.

    ℓ'_i.pc = 11 ∧ ℓ'_j.pc = 20 ∧ ∀ v ∈ V_L : ℓ'_j.v = ℓ'_i.v

Predecessor:

    $\tau = \langle s', \{\ldots, (\ell'_i, n_i - 1), \ldots, (\ell'_j, n_j - 1), \ldots, (\ell_k, n_k + 1), \ldots\} \rangle$

where ℓ_k.pc = 10 ∧ ∀ v ∈ V_L : ℓ_k.v = ℓ'_i.v
Our Algorithm: Standard Predecessors [19/28]

    $\tau' = \langle s', \{\ldots, (\ell'_i, n_i), \ldots, (\ell'_j, n_j), \ldots, (\ell'_k, n_k)\} \rangle$

Broadcast statement
First find ℓ'_i.pc = 31, ℓ'_j.pc = 21, ℓ'_k.pc = 11:

    10: wait;
    11: ...              ➦
    ...
    20: wait;
    21: ...              ➦
    ...
    30: broadcast;
    31: ...              ➠
    ...
Our Algorithm: Standard Predecessors [20/28]
Broadcast statement

    Current State                        Predecessor could be ...
    10: wait;                            10: wait;        ➥
    11: ...          ➦                   11: ...
    ...                                  ...
    20: wait;                            20: wait;        ➥
    21: ...          ➦                   21: ...
    ...              ←── broadcast ──    ...
    30: broadcast;                       30: broadcast;   ➠
    31: ...          ➠                   31: ...
    ...                                  ...

The four build-up frames of this slide place the ➥ markers of the predecessor at lines (10, 20), (11, 20), (10, 21) and (11, 21) in turn: the broadcasting thread is at 30 in every predecessor, while each thread that is past a wait in the current state may have been at the wait (and released by the broadcast) or already past it.
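The thread-creation rule (slide 18) and the broadcast rule (slides 19-20) carried out on counter-abstracted states, as added example code that is not the authors' implementation. It assumes local states are (pc, local_vars) tuples, that the wait locations and their successors are supplied as a map such as {10: 11, 20: 21}, and the slides' semantics that a broadcast releases every waiting thread.

```python
from collections import Counter
from itertools import product

# Counter-abstracted state tau = (s, {local_state: count}) as on slide 13;
# a local state is a (pc, local_vars) tuple and every count is > 0.
def make_state(s, counts):
    return (s, Counter({loc: n for loc, n in counts.items() if n > 0}))

def thread_creation_pre(tau_prime, pc_start, pc_next, pc_target):
    """Predecessors across 'pc_start: start_thread pc_target;' (slide 18):
    a creator at pc_next and a child at pc_target with equal local vars
    collapse into one thread at pc_start (assumes pc_next != pc_target)."""
    s, cnt = tau_prime
    preds = []
    for (pc_i, v_i) in list(cnt):
        if pc_i == pc_next and cnt[(pc_target, v_i)] > 0:
            c = Counter(cnt)
            c[(pc_next, v_i)] -= 1
            c[(pc_target, v_i)] -= 1
            c[(pc_start, v_i)] += 1
            preds.append(make_state(s, c))
    return preds

def broadcast_pre(tau_prime, pc_bcast, pc_after, waits):
    """Predecessors across 'pc_bcast: broadcast;' (slides 19-20); waits maps
    each wait pc to its successor pc, e.g. {10: 11, 20: 21}."""
    s, cnt = tau_prime
    # Assumed semantics: a broadcast releases every waiting thread, so tau' cannot hold one.
    if any(pc in waits for (pc, _) in cnt):
        return []
    released = {after: pc for pc, after in waits.items()}
    preds = []
    for (pc_b, v_b) in list(cnt):
        if pc_b != pc_after:
            continue
        base = Counter(cnt)            # move the broadcaster back to pc_bcast
        base[(pc_after, v_b)] -= 1
        base[(pc_bcast, v_b)] += 1
        # Every thread just past a wait either sat at the wait (released by
        # this broadcast) or had already passed it: enumerate m of n each.
        post = [(loc, n) for loc, n in base.items() if loc[0] in released]
        for choice in product(*(range(n + 1) for _, n in post)):
            c = Counter(base)
            for (loc, n), m in zip(post, choice):
                c[loc] -= m
                c[(released[loc[0]], loc[1])] += m
            preds.append(make_state(s, c))
    return preds
```

For the state of slide 19 (one thread each at 11, 21 and 31) broadcast_pre returns exactly the four predecessors the slide's frames enumerate.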