Infinite-State Backward Exploration of Boolean Broadcast Programs - PowerPoint PPT Presentation



SLIDE 1 (1/28)

Infinite-State Backward Exploration of Boolean Broadcast Programs∗

Peizun Liu and Thomas Wahl Northeastern University, Boston, USA

FMCAD 2014 Lausanne, Switzerland

October 24, 2014

∗This work is supported by NSF grant no. 1253331.

SLIDE 2 (2/28)

Outline

Introduction · Classical BWS · Our Approach · Experiments · Summary

SLIDE 3 (3/28)

Problem Description

Assertion checking for non-recursive, unbounded-thread Boolean broadcast programs

    decl s := 0;          // shared
    main() {
      decl l := 0;        // local
      1:  s := 0;
      2:  goto 3,7;
      3:  assume(s);
      4:  l := 1;
      5:  wait;
      6:  goto 7;
      7:  assume(!s);
      8:  broadcast;
      9:  s := !s;
    ➠ 10: assert(!l);
    }

SLIDE 4 (4/28)

Problem Description

Definition

Given: a program state (s, ℓ), with shared component s and local component ℓ

Task: check whether there exists a reachable global state of the form (s, ℓ1, ℓ2, ℓ3, ℓ4, …, ℓ, …), i.e. with shared part s and some thread whose local part is ℓ

[Figure: a global state drawn as the shared component s followed by the local components ℓ1 ℓ2 ℓ3 ℓ4 … ℓ …, labelled "shared" and "local"]

SLIDE 5 (5/28)

Motivation

◮ Boolean broadcast programs result from concurrent C programs via predicate abstraction [Donaldson et al., 2012]

◮ Predicate abstraction is used widely in verification: SLAM, BLAST, SATABS (concurrent), etc.

C program:

    int x = 1;
    int main() {
      int y = 0;
      x = 0;
      if (x) y = 1;
      x = !x;
      assert(!y);
      return 0;
    }

Boolean program (predicates s ≙ x, l ≙ y):

    decl s := 0;
    main() {
      decl l := 0;
      1: s := 0;
      2: goto 3,6;
      3: assume(s);
      4: l := 1;
      5: goto 7;
      6: assume(!s);
      7: s := !s;
      8: assert(!l);
    }

SLIDE 6 (6/28)

Motivation: Classical Solutions

Reachability of (s, ℓ) ⇒ coverability problem

◮ Karp-Miller procedure [Karp & Miller, 1969]
◮ Backward search [Abdulla et al., 1996]

Limitations

◮ The Karp-Miller procedure cannot deal with broadcasts
◮ Both operate on transition systems ⇒ need to first convert the concurrent BP to a Petri net

SLIDE 7 (7/28)

Motivation: State Space Blow-Up

Boolean Program to Petri Net: program from Slide 5

[Petri net figure: shared places s0 … s9 and local places l0 … l37]

|T| = 84

SLIDE 8 (7/28)

Motivation: State Space Blow-Up

Boolean Program to Petri Net: one benchmark BP with |VS| = 5, |VL| = 2, LOC = 60

[Petri net figure: shared places s0 … s128 and local places l0 … l213]

|T| = 8064

SLIDE 9 (8/28)

Our Approach

Boolean broadcast program backward search … based on Abdulla's Backward Search. But:

◮ operates directly on the Boolean program
◮ instead of statically building the transition system, constructs it on-the-fly

Result: dramatic reduction of state explosion

SLIDE 10 (9/28)

Outline

Introduction · Classical BWS · Our Approach · Experiments · Summary

SLIDE 11 (10/28)

Backward Search [Abdulla et al., 1996]

WQOS and cover relation

BWS operates over a well quasi-ordered system (WQOS). In our case the WQO is the covers relation ⪰:

    (s, ℓ̄1, …, ℓ̄n̄) ⪰ (s, ℓ1, …, ℓn)

whenever multiset{ℓ̄1, …, ℓ̄n̄} ⊇ multiset{ℓ1, …, ℓn}.

SLIDE 12 (11/28)

Backward Search [Abdulla et al., 1996]

[Figure: p → w̄ ⪰ w]

p ∈ Pre(w) iff ∃ w̄ ⪰ w : p → w̄

CovPre(w) = min Pre(w)

SLIDE 13 (12/28)

Outline

Introduction · Classical BWS · Our Approach · Experiments · Summary

SLIDE 14 (13/28)

State Representation

Store states in counter-abstracted form: τ = ⟨s, {(ℓ1, n1), …, (ℓk, nk)}⟩

◮ ℓ1, …, ℓk are the distinct local states occurring in τ
◮ ni = number of threads in local state ℓi in τ (ni > 0 !)
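As an added example (not code from the slides or the authors' tool): the counter-abstracted state of this slide, the covers relation of Slide 11 on such states, and the minimisation CovPre(w) = min Pre(w) of Slide 12, in Python. Local states are assumed to be (pc, local-valuation) tuples; the sample states A, B, C are constructed.

```python
from collections import Counter

# Counter-abstracted state tau = <s, {(l1, n1), ..., (lk, nk)}>: a shared state
# plus a Counter mapping each distinct local state to the number of threads in
# it.  A local state is assumed to be a (pc, locals) tuple.  Counter only keeps
# positive counts, so the invariant ni > 0 holds by construction.
def make_state(shared, thread_locals):
    return (shared, Counter(thread_locals))

def covers(big, small):
    """big covers small: same shared state, and the multiset of local states of
    big includes that of small (the well quasi-order of Slide 11)."""
    s_big, c_big = big
    s_small, c_small = small
    return s_big == s_small and all(c_big[l] >= n for l, n in c_small.items())

def minimize(states):
    """min w.r.t. covers: drop every state that covers another state in the
    list (Slide 12, CovPre = min Pre); equal states are kept only once."""
    minimal = []
    for i, t in enumerate(states):
        dominated = any(
            covers(t, u) and (not covers(u, t) or j < i)
            for j, u in enumerate(states) if j != i)
        if not dominated:
            minimal.append(t)
    return minimal

# Constructed sample: local state = (pc, value of l) for the program of Slide 3.
A = make_state(0, [(10, 1)])            # one thread at the assertion with l = 1
B = make_state(0, [(10, 1), (7, 0)])    # A plus a thread at pc 7: B covers A
C = make_state(1, [(10, 1)])            # different shared state: incomparable

if __name__ == "__main__":
    print(covers(B, A), covers(A, B), covers(C, A))   # True False False
    print(minimize([A, B, C]))                       # [A, C]
```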

SLIDE 15 (14/28)

Cover Predecessor Computation

CovPre(w) = min{p : ∃ w̄ ⪰ w : p → w̄}

Two challenges:

1. given w, need to explore expanded elements w̄ ⪰ w ⇒ how many threads have to be added?
2. given w̄, need to compute a predecessor p → w̄; we do not have →, only the program B! ⇒ how to execute B backwards?

SLIDE 16 (15/28)

Cover Predecessor Computation

Two challenges

1. need to expand w to w̄
2. need to execute B backwards from w̄

The solutions

1. adding a single thread to w is sufficient¹
2. execute B backwards via WP and the CFG

¹ see paper for details

SLIDE 17 (16/28)

Our Algorithm: Standard Predecessors

τ′ = ⟨s′, {(ℓ′1, n′1), …, (ℓ′k, n′k)}⟩

Standard predecessors

[Figure: the local states ℓ′1, ℓ′2, …, ℓ′i−1, ℓ′i, ℓ′i+1, …, ℓ′k of τ′; from the selected ℓ′i the predecessors τ0, τ1, τ2, τ3, …, τn are derived]

    for each local state ℓ′i of τ′:
      for each CFG edge e s.t. target(e) = ℓ′i.pc:
        switch e.stmt:
          case sequential statement: …
          case thread creation statement: …
          case broadcast statement: …

SLIDE 18 (17/28)

Our Algorithm: Standard Predecessors

τ′ = ⟨s′, {(ℓ′1, n′1), …, (ℓ′k, n′k)}⟩

Sequential statements (e.g. assignments)

◮ compute the predecessors using WP_{e.stmt}:

    for each (s, ℓ) s.t. WP_{e.stmt}(s, ℓ, s′, ℓ′i):
      compute the predecessors of τ′ w.r.t. (s, ℓ)

SLIDE 19 (18/28)

Our Algorithm: Standard Predecessors

τ′ = ⟨s′, {…, (ℓ′i, ni), …, (ℓ′j, nj), …}⟩

Thread creation statement

      10: start_thread 20;
    ➦ 11: …
      …
      20: …
      …

τ′ has a predecessor iff there exist ℓ′i, ℓ′j in τ′ s.t.

    ℓ′i.pc = 11 ∧ ℓ′j.pc = 20 ∧ ∀v ∈ VL : ℓ′j.v = ℓ′i.v

Predecessor: τ = ⟨s′, {…, (ℓ′i, ni − 1), …, (ℓ′j, nj − 1), …, (ℓk, nk + 1), …}⟩

where ℓk.pc = 10 ∧ ∀v ∈ VL : ℓk.v = ℓ′i.v
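The thread-creation rule above, as an added Python example (not the authors' code) on the counter-abstracted states of Slide 14. The labels 10, 11, 20 and the (pc, locals) encoding of a local state are assumptions taken from this slide; the sample τ′ is constructed.

```python
from collections import Counter

def start_thread_predecessors(tau, stmt_pc, next_pc, new_pc):
    """Predecessors of tau' = <s', counts> w.r.t. the CFG edge of the statement
    'stmt_pc: start_thread new_pc;' whose fall-through successor is next_pc
    (this slide: stmt_pc = 10, next_pc = 11, new_pc = 20).
    A local state is assumed to be a (pc, locals) tuple."""
    s, counts = tau
    preds = []
    for (pc_i, v_i), n_i in counts.items():          # creator thread, now at 11
        if pc_i != next_pc:
            continue
        for (pc_j, v_j), n_j in counts.items():      # created thread, now at 20
            # the new thread started with a copy of the creator's locals
            if pc_j != new_pc or v_j != v_i:
                continue
            pred = Counter(counts)
            pred[(pc_i, v_i)] -= 1                   # (l'_i, n_i - 1)
            pred[(pc_j, v_j)] -= 1                   # (l'_j, n_j - 1)
            pred[(stmt_pc, v_i)] += 1                # (l_k, n_k + 1), l_k.pc = 10
            preds.append((s, +pred))                 # unary + drops zero counts
    return preds

# Constructed tau': shared s' = 1; one thread at 11 with l = 0, one at 20 with
# l = 0 (locals match), and one at 20 with l = 1 (locals do not match).
TAU = (1, Counter({(11, (0,)): 1, (20, (0,)): 1, (20, (1,)): 1}))

if __name__ == "__main__":
    for p in start_thread_predecessors(TAU, 10, 11, 20):
        print(p)   # (1, Counter({(10, (0,)): 1, (20, (1,)): 1}))
```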

SLIDE 20 (19/28)

Our Algorithm: Standard Predecessors

τ′ = ⟨s′, {…, (ℓ′i, ni), …, (ℓ′j, nj), …, (ℓ′k, nk)}⟩

Broadcast statement

First find ℓ′i.pc = 31, ℓ′j.pc = 21, ℓ′k.pc = 11

      10: wait;
    ➦ 11: …
      …
      20: wait;
    ➦ 21: …
      …
      30: broadcast;
    ➠ 31: …
      …

SLIDE 21 (20/28)

Our Algorithm: Standard Predecessors

Broadcast statement

Current state (➦ marks the two past-wait threads, ➠ the broadcaster):

      10: wait;
    ➦ 11: …
      …
      20: wait;
    ➦ 21: …
      …
      30: broadcast;
    ➠ 31: …
      …

Predecessor (←— broadcast) could be any of the following; ➥ marks where each past-wait thread was before the broadcast and ➠ the broadcaster at 30:

    (a) both still waiting:            ➥ 10: wait;   ➥ 20: wait;   ➠ 30: broadcast;
    (b) first already past its wait:   ➥ 11: …       ➥ 20: wait;   ➠ 30: broadcast;
    (c) second already past its wait:  ➥ 10: wait;   ➥ 21: …       ➠ 30: broadcast;
    (d) both already past their waits: ➥ 11: …       ➥ 21: …       ➠ 30: broadcast;

SLIDE 25 (21/28)

Our Algorithm: Standard Predecessors

τ′ = ⟨s′, {…, (ℓ′i, ni), …, (ℓ′j, nj), …, (ℓ′k, nk)}⟩

Broadcast statement

First find ℓ′i.pc = 31, ℓ′j.pc = 21, ℓ′k.pc = 11

      10: wait;
    ➦ 11: …
      …
      20: wait;
    ➦ 21: …
      …
      30: broadcast;
    ➠ 31: …
      …

Predecessors: each subset of the past-wait threads gives rise to a different predecessor
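The broadcast rule, as an added Python example (not the authors' code) on counter-abstracted states. It generalises the four single-thread cases shown on the previous slides to counted local states: for a past-wait local state holding n threads, any m ∈ {0, …, n} of them may have been waiting, so the predecessors are the product of these choices. The labels 10/11, 20/21, 30/31 and the (pc, locals) encoding are assumptions; the sample τ′ is constructed.

```python
from collections import Counter
from itertools import product

def broadcast_predecessors(tau, bcast_edge, wait_edges):
    """Predecessors of tau' = <s', counts> w.r.t. 'b: broadcast;', where
    bcast_edge = (b, pc after b) and wait_edges maps each wait pc to the pc
    after it (this slide: bcast_edge = (30, 31), wait_edges = {10: 11, 20: 21}).
    A local state is assumed to be a (pc, locals) tuple."""
    s, counts = tau
    b_pc, b_next = bcast_edge
    past_wait = {nxt: w for w, nxt in wait_edges.items()}    # 11 -> 10, 21 -> 20
    preds = []
    for (pc_i, v_i), n_i in counts.items():                  # broadcaster, now at 31
        if pc_i != b_next:
            continue
        base = Counter(counts)
        base[(pc_i, v_i)] -= 1
        base[(b_pc, v_i)] += 1                               # step it back to 30
        # every past-wait local state: each of its n threads may or may not have
        # been waiting, so choose any m in 0..n of them to move back to the wait
        movable = [(l, n) for l, n in base.items() if l[0] in past_wait and n > 0]
        for choice in product(*[range(n + 1) for _, n in movable]):
            pred = Counter(base)
            for (l, _), m in zip(movable, choice):
                pred[l] -= m
                pred[(past_wait[l[0]], l[1])] += m           # m threads back at wait
            preds.append((s, +pred))                         # unary + drops zeros
    return preds

# Constructed tau' of Slide 20: s' = 0, one thread each at 31, 21 and 11; the
# program has no local variables, so locals = ().
TAU = (0, Counter({(31, ()): 1, (21, ()): 1, (11, ()): 1}))

if __name__ == "__main__":
    for p in broadcast_predecessors(TAU, (30, 31), {10: 11, 20: 21}):
        print(sorted(p[1]))   # four predecessors, one per subset of {11, 21}
```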

SLIDE 26 (22/28)

Our Algorithm: Expanded Predecessors

τ′ = ⟨s′, {(ℓ′1, n′1), …, (ℓ′k, n′k)}⟩

Expanded predecessors

    for each (s, ℓ) s.t. ∃ m′ ∈ {ℓ′1, …, ℓ′k} :
          e := (ℓ.pc, m′.pc) ∈ CFG
        ∧ e.stmt may modify the shared state
        ∧ WP_{e.stmt}(s, ℓ, s′, m′):
      compute the predecessors of τ′ w.r.t. (s, ℓ)

SLIDE 27 (23/28)

Outline

Introduction · Classical BWS · Our Approach · Experiments · Summary

SLIDE 28 (24/28)

Experiments: Benchmark Sample

    ID/Program      C Program               Boolean Program                 Safe?
                    SV   LV   LOC   Bc?     |VS|   |VL|   Its.   Mod.Sh.
    01/INC-L         2    1    46    •        3      1      2      7.5       •
    02/INC-C †       1    3    57    •        4      4                       •
    03/PRNSIMP-L     2    4    63    •        2      3      2      7.7       •
    04/PRNSIMP-C †   1    5    95    •        5      2                       •
    05/BS-LOOP †     6   24          •        7      1                       •
    06/PTHREAD †     5   85          •        7      5   17.1                •
    07/MAXOPT-L      3    4    69    •        1      1      2      3.1       •
    08/MAXOPT-C †    2    6    86    •        2      2                       •
    09/STACK-L       4    2    79    •        1      3      3      3.8       •
    10/STACK-C       3    3    89    •        3      1      2      6.4       •
    11/BSD-AK        1    7    90    •        3      1     15     11.7       •
    12/BSD-RA †      2   21    87    •        3     19   12.3                •
    13/NETBSD        1   28   152    •        3      1     30     10.1       •
    14/SOLARIS       1   56   122    •        5      1     14     10.9       •
    15/BOOP          5    2    89    •        5      2      4     11.4       •
    …                …    …     …    …        …      …      …       …        …

† Row has fewer values than columns in the extraction; its values are given in extraction order and the empty cells could not be recovered.

SLIDE 29 (25/28)

Experimental Results

[Plot: x-axis: number k of benchmarks analyzed successfully (1 … 30); y-axis: time t to analyze k benchmarks (sec., log scale 10⁻¹ … 10³); series: UCOB, MCOV, MCOV/GKM, BOOM-KM]

SLIDE 30 (26/28)

Outline

Introduction · Classical BWS · Our Approach · Experiments · Summary

SLIDE 31 (27/28)

Summary

Our approach

◮ avoids the static transition system construction
◮ operates on-the-fly: what you see is what you pay
◮ can result in dramatic savings

SLIDE 32 (28/28)

Thank You

References

◮ A. Donaldson, A. Kaiser, D. Kroening, M. Tautschnig, and T. Wahl, "Counterexample-guided abstraction refinement for symmetric concurrent programs," Form. Method. Syst. Des., 2012.
◮ R. M. Karp and R. E. Miller, "Parallel program schemata," J. Comput. Syst. Sci., 1969.
◮ P. Abdulla, K. Cerans, B. Jonsson, and Y. Tsay, "General decidability theorems for infinite-state systems," in LICS, 1996.
◮ A. Kaiser, D. Kroening, and T. Wahl, "Efficient coverability analysis by proof minimization," in CONCUR, 2012.