reasoning about nondeterminism in software
play

Reasoning about nondeterminism in software IBM Programming - PowerPoint PPT Presentation

Jan 08, 2023 •287 likes •1.57k views

Reasoning about nondeterminism in software IBM Programming Languages Day 2012 Eric Koskinen Research Scientist and Principal Investigator New York University ejk@cims.nyu.edu Monday, June 25, 12 Prove temporal properties of real programs

  1. */ err = nondet(); // bind(fd, addr->ai_addr, addr->ai_addrlen); if (err < 0) PostgreSQL StreamServer { /* ereport(LOG, */ /* (errcode_for_socket_access(), */ /* /\* translator: %s is IPv4, IPv6, or Unix *\/ */ int StreamServerPort( int family, ...) /* errmsg("could not bind %s socket: %m", */ /* familyDesc), */ /* (IS_AF_UNIX(addr_ai_family)) ? */ Proving this statically is challenging. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, remove socket file \"%s\" and retry.", */ /* (int) portNumber, sock_path) : */ Reason about termination. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, wait a few seconds and retry.", */ /* (int) portNumber))); */ Reason about reachability. closesocket(fd); continue; } #ifdef HAVE_UNIX_SOCKETS if (addr_ai_family == AF_UNIX) { � � if (nondet() != STATUS_OK) { closesocket(fd); break; } } #endif /* * Select appropriate accept-queue length limit. PG_SOMAXCONN is * only intended to provide a clamp on the request on platforms * where an overly large request provokes a kernel error (are * there any?). */ maxconn = MaxBackends * 2; if (maxconn > PG_SOMAXCONN) maxconn = PG_SOMAXCONN; err = listen(fd, maxconn); if (err < 0) { timeout Previous technique closesocket(fd); continue; } ListenSocket_OF_listen_index = fd; ( G ¬ error ) ⇒ F ( added>0 ∧ F ret=OK ) added++; } //freeaddrinfo_all(hint.ai_family, addrs); Monday, June 25, 12

  2. */ err = nondet(); // bind(fd, addr->ai_addr, addr->ai_addrlen); if (err < 0) PostgreSQL StreamServer { /* ereport(LOG, */ /* (errcode_for_socket_access(), */ /* /\* translator: %s is IPv4, IPv6, or Unix *\/ */ int StreamServerPort( int family, ...) /* errmsg("could not bind %s socket: %m", */ /* familyDesc), */ /* (IS_AF_UNIX(addr_ai_family)) ? */ Proving this statically is challenging. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, remove socket file \"%s\" and retry.", */ /* (int) portNumber, sock_path) : */ Reason about termination. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, wait a few seconds and retry.", */ /* (int) portNumber))); */ Reason about reachability. closesocket(fd); continue; } #ifdef HAVE_UNIX_SOCKETS if (addr_ai_family == AF_UNIX) { � � if (nondet() != STATUS_OK) { closesocket(fd); break; Our work } } #endif /* * Select appropriate accept-queue length limit. PG_SOMAXCONN is * only intended to provide a clamp on the request on platforms * where an overly large request provokes a kernel error (are * there any?). */ maxconn = MaxBackends * 2; if (maxconn > PG_SOMAXCONN) maxconn = PG_SOMAXCONN; err = listen(fd, maxconn); if (err < 0) { timeout Previous technique closesocket(fd); continue; } ListenSocket_OF_listen_index = fd; ( G ¬ error ) ⇒ F ( added>0 ∧ F ret=OK ) added++; } //freeaddrinfo_all(hint.ai_family, addrs); Monday, June 25, 12

  3. */ err = nondet(); // bind(fd, addr->ai_addr, addr->ai_addrlen); if (err < 0) PostgreSQL StreamServer { /* ereport(LOG, */ /* (errcode_for_socket_access(), */ /* /\* translator: %s is IPv4, IPv6, or Unix *\/ */ int StreamServerPort( int family, ...) /* errmsg("could not bind %s socket: %m", */ /* familyDesc), */ /* (IS_AF_UNIX(addr_ai_family)) ? */ Proving this statically is challenging. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, remove socket file \"%s\" and retry.", */ /* (int) portNumber, sock_path) : */ Reason about termination. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, wait a few seconds and retry.", */ /* (int) portNumber))); */ Reason about reachability. closesocket(fd); continue; } #ifdef HAVE_UNIX_SOCKETS if (addr_ai_family == AF_UNIX) { � � if (nondet() != STATUS_OK) { closesocket(fd); ✔ break; Our work } } #endif /* * Select appropriate accept-queue length limit. PG_SOMAXCONN is * only intended to provide a clamp on the request on platforms * where an overly large request provokes a kernel error (are * there any?). */ maxconn = MaxBackends * 2; if (maxconn > PG_SOMAXCONN) maxconn = PG_SOMAXCONN; err = listen(fd, maxconn); if (err < 0) { timeout Previous technique closesocket(fd); continue; } ListenSocket_OF_listen_index = fd; ( G ¬ error ) ⇒ F ( added>0 ∧ F ret=OK ) added++; } //freeaddrinfo_all(hint.ai_family, addrs); Monday, June 25, 12

  4. */ err = nondet(); // bind(fd, addr->ai_addr, addr->ai_addrlen); if (err < 0) PostgreSQL StreamServer { /* ereport(LOG, */ /* (errcode_for_socket_access(), */ /* /\* translator: %s is IPv4, IPv6, or Unix *\/ */ int StreamServerPort( int family, ...) /* errmsg("could not bind %s socket: %m", */ /* familyDesc), */ /* (IS_AF_UNIX(addr_ai_family)) ? */ Proving this statically is challenging. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, remove socket file \"%s\" and retry.", */ /* (int) portNumber, sock_path) : */ Reason about termination. /* errhint("Is another postmaster already running on port %d?" */ /* " If not, wait a few seconds and retry.", */ /* (int) portNumber))); */ Reason about reachability. closesocket(fd); continue; } #ifdef HAVE_UNIX_SOCKETS if (addr_ai_family == AF_UNIX) { � � if (nondet() != STATUS_OK) 9.56 s { closesocket(fd); ✔ break; Our work } } #endif /* * Select appropriate accept-queue length limit. PG_SOMAXCONN is * only intended to provide a clamp on the request on platforms * where an overly large request provokes a kernel error (are * there any?). */ maxconn = MaxBackends * 2; if (maxconn > PG_SOMAXCONN) maxconn = PG_SOMAXCONN; err = listen(fd, maxconn); if (err < 0) { timeout Previous technique closesocket(fd); continue; } ListenSocket_OF_listen_index = fd; ( G ¬ error ) ⇒ F ( added>0 ∧ F ret=OK ) added++; } //freeaddrinfo_all(hint.ai_family, addrs); Monday, June 25, 12

  5. Previous work CAV’11 Reduction P ⊢ φ ∀ CTL program analysis task (symbolic MC, AI) using Frontiers Monday, June 25, 12

  6. Previous work These tools are good at finding the “right” abstraction CAV’11 Reduction P ⊢ φ ∀ CTL program analysis task (symbolic MC, AI) using Frontiers Monday, June 25, 12

  7. Previous work These tools are good at finding the “right” abstraction POPL’11 CAV’11 Trace-based Reduction properties (eg. LTL) P ⊢ φ P ⊢ φ ∀ CTL LTL program synth decision analysis task predicates (symbolic MC, AI) using Frontiers Monday, June 25, 12

  8. Previous work prove trace-based with These tools are good iterated state-based at finding the “right” techniques abstraction POPL’11 CAV’11 Trace-based Reduction properties (eg. LTL) P ⊢ φ P ⊢ φ ∀ CTL LTL program synth decision analysis task predicates (symbolic MC, AI) using Frontiers Monday, June 25, 12

  9. Previous work Traditional Program Property Time(s) Example from Sec. 2 AFAGp 2.32 Example from Fig. 8 of [15] AG(p ⇒ AFq) 209.64 Toy acq/rel AG(p ⇒ AFq) 103.48 Toy lin. arith. 1 p ⇒ AFq 126.86 Toy lin. arith. 2 p ⇒ AFq timeout PostgreSQL strsrv AG(p ⇒ AFAGq) timeout PostgreSQL strsrv+bug AG(p ⇒ AFAGq) 87.31 PostgreSQL pgarch AFAGp 31.50 PostgreSQL dropbuf AGp timeout PostgreSQL dropbuf AG(p ⇒ AFq) 53.99 Apache child AG(p ⇒ AGAFq) timeout Apache child accept liveness AG(p ⇒ (AFa ∨ AFb)) 685.34 Windows frag. 1 AG(p ⇒ AFq) 901.81 Windows frag. 2 AFAGp 16.47 Windows frag. 2+bug AFAGp 26.15 Windows frag. 3 AFAGp 4.21 Windows frag. 4 AG(p ⇒ AFq) timeout Windows frag. 4 (AFp) ∨ (AFq) 1,223.96 Windows frag. 5 AG(p ⇒ AFq) timeout Windows frag. 6 AFAGp 149.41 Windows frag. 6+bug AFAGp 6.06 Windows frag. 7 AGAFp timeout Windows frag. 8 FGp timeout Monday, June 25, 12

  10. Previous work Traditional Our Approach Program Property Time(s) Time(s) Example from Sec. 2 AFAGp 2.32 1.98 Example from Fig. 8 of [15] AG(p ⇒ AFq) 209.64 27.94 Toy acq/rel AG(p ⇒ AFq) 103.48 14.18 Toy lin. arith. 1 p ⇒ AFq 126.86 34.51 Toy lin. arith. 2 p ⇒ AFq timeout 6.74 PostgreSQL strsrv AG(p ⇒ AFAGq) timeout 9.56 PostgreSQL strsrv+bug AG(p ⇒ AFAGq) 87.31 47.16 PostgreSQL pgarch AFAGp 31.50 15.20 PostgreSQL dropbuf AGp timeout 1.14 PostgreSQL dropbuf AG(p ⇒ AFq) 53.99 27.54 Apache child AG(p ⇒ AGAFq) timeout 197.41 Apache child accept liveness AG(p ⇒ (AFa ∨ AFb)) 685.34 684.24 Windows frag. 1 AG(p ⇒ AFq) 901.81 539.00 Windows frag. 2 AFAGp 16.47 52.10 Windows frag. 2+bug AFAGp 26.15 30.37 Windows frag. 3 AFAGp 4.21 15.75 Windows frag. 4 AG(p ⇒ AFq) timeout 1,114.18 Windows frag. 4 (AFp) ∨ (AFq) 1,223.96 100.68 Windows frag. 5 AG(p ⇒ AFq) timeout timeout Windows frag. 6 AFAGp 149.41 59.56 Windows frag. 6+bug AFAGp 6.06 22.12 Windows frag. 7 AGAFp timeout 55.77 Windows frag. 8 FGp timeout 5.24 Monday, June 25, 12

  11. Previous work Traditional Our Approach Program Property Time(s) Time(s) Example from Sec. 2 AFAGp 2.32 1.98 Example from Fig. 8 of [15] AG(p ⇒ AFq) 209.64 27.94 Toy acq/rel AG(p ⇒ AFq) 103.48 14.18 Toy lin. arith. 1 p ⇒ AFq 126.86 34.51 Toy lin. arith. 2 p ⇒ AFq timeout 6.74 PostgreSQL strsrv AG(p ⇒ AFAGq) timeout 9.56 PostgreSQL strsrv+bug AG(p ⇒ AFAGq) 87.31 47.16 PostgreSQL pgarch AFAGp 31.50 15.20 PostgreSQL dropbuf AGp timeout 1.14 PostgreSQL dropbuf AG(p ⇒ AFq) 53.99 27.54 Apache child AG(p ⇒ AGAFq) timeout 197.41 Apache child accept liveness AG(p ⇒ (AFa ∨ AFb)) 685.34 684.24 Windows frag. 1 AG(p ⇒ AFq) 901.81 539.00 Windows frag. 2 AFAGp 16.47 52.10 Windows frag. 2+bug AFAGp 26.15 30.37 Windows frag. 3 AFAGp 4.21 15.75 Windows frag. 4 AG(p ⇒ AFq) timeout 1,114.18 Windows frag. 4 (AFp) ∨ (AFq) 1,223.96 100.68 Windows frag. 5 AG(p ⇒ AFq) timeout timeout Windows frag. 6 AFAGp 149.41 59.56 Windows frag. 6+bug AFAGp 6.06 22.12 Windows frag. 7 AGAFp timeout 55.77 Windows frag. 8 FGp timeout 5.24 Monday, June 25, 12

  12. Previous work Traditional Our Approach Program Property Time(s) Time(s) Example from Sec. 2 AFAGp 2.32 1.98 Example from Fig. 8 of [15] AG(p ⇒ AFq) 209.64 27.94 Toy acq/rel AG(p ⇒ AFq) 103.48 14.18 Toy lin. arith. 1 p ⇒ AFq 126.86 34.51 Toy lin. arith. 2 p ⇒ AFq timeout 6.74 PostgreSQL strsrv AG(p ⇒ AFAGq) timeout 9.56 PostgreSQL strsrv+bug AG(p ⇒ AFAGq) 87.31 47.16 PostgreSQL pgarch AFAGp 31.50 15.20 PostgreSQL dropbuf AGp timeout 1.14 PostgreSQL dropbuf AG(p ⇒ AFq) 53.99 27.54 Apache child AG(p ⇒ AGAFq) timeout 197.41 Apache child accept liveness AG(p ⇒ (AFa ∨ AFb)) 685.34 684.24 Windows frag. 1 AG(p ⇒ AFq) 901.81 539.00 Windows frag. 2 AFAGp 16.47 52.10 Windows frag. 2+bug AFAGp 26.15 30.37 Windows frag. 3 AFAGp 4.21 15.75 Windows frag. 4 AG(p ⇒ AFq) timeout 1,114.18 Windows frag. 4 (AFp) ∨ (AFq) 1,223.96 100.68 Windows frag. 5 AG(p ⇒ AFq) timeout timeout Windows frag. 6 AFAGp 149.41 59.56 Windows frag. 6+bug AFAGp 6.06 22.12 Windows frag. 7 AGAFp timeout 55.77 POPL’11, CAV’11 Windows frag. 8 FGp timeout 5.24 Monday, June 25, 12

  13. Previous work Traditional Our Approach Program Property Time(s) Time(s) Example from Sec. 2 AFAGp 2.32 1.98 Example from Fig. 8 of [15] AG(p ⇒ AFq) 209.64 27.94 Toy acq/rel AG(p ⇒ AFq) 103.48 14.18 Toy lin. arith. 1 p ⇒ AFq 126.86 34.51 Toy lin. arith. 2 p ⇒ AFq timeout 6.74 PostgreSQL strsrv AG(p ⇒ AFAGq) timeout 9.56 PostgreSQL strsrv+bug AG(p ⇒ AFAGq) 87.31 47.16 PostgreSQL pgarch AFAGp 31.50 15.20 PostgreSQL dropbuf AGp timeout 1.14 PostgreSQL dropbuf AG(p ⇒ AFq) 53.99 27.54 Apache child AG(p ⇒ AGAFq) timeout 197.41 Apache child accept liveness AG(p ⇒ (AFa ∨ AFb)) 685.34 684.24 Windows frag. 1 AG(p ⇒ AFq) 901.81 539.00 Windows frag. 2 AFAGp 16.47 52.10 timeout Windows frag. 2+bug AFAGp 26.15 30.37 Windows frag. 3 AFAGp 4.21 15.75 Windows frag. 4 AG(p ⇒ AFq) timeout 1,114.18 Windows frag. 4 (AFp) ∨ (AFq) 1,223.96 100.68 Windows frag. 5 AG(p ⇒ AFq) timeout timeout Windows frag. 6 AFAGp 149.41 59.56 Windows frag. 6+bug AFAGp 6.06 22.12 Windows frag. 7 AGAFp timeout 55.77 POPL’11, CAV’11 Windows frag. 8 FGp timeout 5.24 Monday, June 25, 12

  14. Previous work all “A” properties Traditional Our Approach Program Property Time(s) Time(s) Example from Sec. 2 AFAGp 2.32 1.98 Example from Fig. 8 of [15] AG(p ⇒ AFq) 209.64 27.94 Toy acq/rel AG(p ⇒ AFq) 103.48 14.18 Toy lin. arith. 1 p ⇒ AFq 126.86 34.51 Toy lin. arith. 2 p ⇒ AFq timeout 6.74 PostgreSQL strsrv AG(p ⇒ AFAGq) timeout 9.56 PostgreSQL strsrv+bug AG(p ⇒ AFAGq) 87.31 47.16 PostgreSQL pgarch AFAGp 31.50 15.20 PostgreSQL dropbuf AGp timeout 1.14 PostgreSQL dropbuf AG(p ⇒ AFq) 53.99 27.54 Apache child AG(p ⇒ AGAFq) timeout 197.41 Apache child accept liveness AG(p ⇒ (AFa ∨ AFb)) 685.34 684.24 Windows frag. 1 AG(p ⇒ AFq) 901.81 539.00 Windows frag. 2 AFAGp 16.47 52.10 Windows frag. 2+bug AFAGp 26.15 30.37 Windows frag. 3 AFAGp 4.21 15.75 Windows frag. 4 AG(p ⇒ AFq) timeout 1,114.18 Windows frag. 4 (AFp) ∨ (AFq) 1,223.96 100.68 Windows frag. 5 AG(p ⇒ AFq) timeout timeout Windows frag. 6 AFAGp 149.41 59.56 Windows frag. 6+bug AFAGp 6.06 22.12 Windows frag. 7 AGAFp timeout 55.77 Windows frag. 8 FGp timeout 5.24 Monday, June 25, 12

  15. all “A” properties AF p Across all paths, eventually reach p AG p Across all paths, p always holds Monday, June 25, 12

  16. all “A” properties AF p Across all paths, eventually reach p Extend beyond the universal fragment, include existential properties . . . AG p Across all paths, p always holds Monday, June 25, 12

  17. The behavior of software is often nondeterministic Initial states if (read(&buf)) { computeA(); read() else { computeB(); } ≤ 0 >0 Monday, June 25, 12

  18. Modern software systems have elaborate control-flow. Initial states Monday, June 25, 12

  19. ... and infinite state spaces! Initial states . . . . . . . . . Monday, June 25, 12

  20. Many important properties involve the branching behaviors of a program Initial states . . . Example: does there exist a way to reach a red state? EF red Monday, June 25, 12

  21. Many important properties involve the branching behaviors of a program Initial states . . . Example: are you assured you will always reach a state from which point you can always be in a green state? AF (EG green) Monday, June 25, 12

  22. Many important properties involve the branching behaviors of a program Initial states . . . Example: are you assured you will always reach a state from which point you can always be in a green state? AF (EG green) Monday, June 25, 12

  23. branching Branching properties can be found in many temporal logics. CTL Computation Tree Logic [Clarke 1986] AFp Across all paths, eventually reach p EFp There is a path that eventually reaches p AGp Across all paths, p always holds EGp There is a path along which p always holds Monday, June 25, 12

  24. branching Branching properties can be found in many temporal logics. CTL Computation Tree Logic [Clarke 1986] AFp Across all paths, eventually reach p EFp There is a path that eventually reaches p AGp Across all paths, p always holds EGp There is a path along which p always holds Monday, June 25, 12

  25. branching existential and universal • Planning Is there a position I can move to such that escape is possible? At any point system could terminate and when it does p holds. Monday, June 25, 12

  26. branching existential and universal • Planning Is there a position I can move to such that escape is possible? At any point system could terminate and when it does p holds. • Games Are there choices that I can make (“exists”) such that I will always outwit every move (“universal”) my opponent makes? Monday, June 25, 12

  27. branching existential and universal • Planning Is there a position I can move to such that escape is possible? At any point system could terminate and when it does p holds. • Games Are there choices that I can make (“exists”) such that I will always outwit every move (“universal”) my opponent makes? • Security Can the system eventually repair itself after an intrusion? Is is possible that, no matter what inputs an attacker enters, the system can escape being compromised. Monday, June 25, 12

  28. branching existential and universal Can be treated similarly Can be treated similarly Monday, June 25, 12

  29. AG and EG (reachability) Initial states AG yellow . . . . . . . . . Monday, June 25, 12

  30. AG and EG (reachability) Initial states AG yellow . . . . . . . . . Monday, June 25, 12

  31. AG and EG (reachability) Initial states AG yellow . . . . . . . . . Monday, June 25, 12

  32. AG and EG (reachability) Initial states AG yellow . . . . . . . . . Monday, June 25, 12

  33. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Monday, June 25, 12

  34. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Monday, June 25, 12

  35. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Monday, June 25, 12

  36. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Monday, June 25, 12

  37. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Monday, June 25, 12

  38. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Looks like AG yellow Monday, June 25, 12

  39. AG and EG (reachability) Initial states EG yellow . . . . . . . . . Side Condition : Looks like AG yellow Recurrent set? Monday, June 25, 12

  40. AF and EF (termination) Initial states AF green Monday, June 25, 12

  41. AF and EF (termination) Initial states AF green Monday, June 25, 12

  42. AF and EF (termination) Initial states EF red Monday, June 25, 12

  43. AF and EF (termination) Initial states EF red Monday, June 25, 12

  44. AF and EF (termination) Initial states EF red Looks like AF red Monday, June 25, 12

  45. AF and EF (termination) Initial states EF red Side Condition : Looks like AF red Recurrent set? Monday, June 25, 12

  46. Treat universal and existential fragments similarly . . . Monday, June 25, 12

  47. Treat universal and existential fragments similarly . . . EF green X . . . . . . C F . . . C ≡ { s | color ( s ) = yellow } F ≡ { s | color ( s ) = green } Monday, June 25, 12

  48. Treat universal and existential fragments similarly . . . EF green X . . . . . . C “Chute” F . . . C ≡ { s | color ( s ) = yellow } F ≡ { s | color ( s ) = green } Monday, June 25, 12

  49. Treat universal and existential fragments similarly . . . EF green X . . . . . . C “Chute” F “Frontier” . . . C ≡ { s | color ( s ) = yellow } F ≡ { s | color ( s ) = green } Monday, June 25, 12

  50. Treat universal and existential fragments similarly . . . EF green X . . . . . . C “Chute” F “Frontier” . . . C ≡ { s | color ( s ) = yellow } For AF p , chute is simply S F ≡ { s | color ( s ) = green } Monday, June 25, 12

  51. Treat universal and existential fragments similarly . . . Characterization for CTL . . . EF green X . . . . . . C “Chute” F “Frontier” . . . C ≡ { s | color ( s ) = yellow } For AF p , chute is simply S F ≡ { s | color ( s ) = green } Monday, June 25, 12

  52. Treat universal and existential fragments similarly . . . X ` Φ Monday, June 25, 12

  53. Treat universal and existential fragments similarly . . . X ` Φ Set of states Monday, June 25, 12

  54. Treat universal and existential fragments similarly . . . Property X ` Φ Set of states Monday, June 25, 12

  55. Treat universal and existential fragments similarly . . . Property X ` Φ Set of states Standard CTL semantics Monday, June 25, 12

  56. Treat universal and existential fragments similarly . . . Property X ` Φ Set of states I ` Φ ( ) 8 s 2 I. s ✏ Φ Standard CTL semantics Monday, June 25, 12

  57. Treat universal and existential fragments similarly . . . X ` Φ Monday, June 25, 12

  58. Treat universal and existential fragments similarly . . . X ` Φ Monday, June 25, 12

  59. Treat universal and existential fragments similarly . . . X ` Φ Monday, June 25, 12

  60. Treat universal and existential fragments similarly . . . X ` Φ Monday, June 25, 12

  61. Treat universal and existential fragments similarly . . . X ` Φ Decompose temporal operators: Similar to CTL* Monday, June 25, 12

  62. Treat universal and existential fragments similarly . . . X ` Φ X, C , F � γ Second kind of judgement Decompose temporal operators: Similar to CTL* Monday, June 25, 12

  63. Treat universal and existential fragments similarly . . . X ` Φ X, C , F � γ Monday, June 25, 12

  64. Treat universal and existential fragments similarly . . . Side Condition : X ` Φ Recurrent set? X, C , F � γ Monday, June 25, 12

  65. Treat universal and existential fragments similarly . . . X ` Φ X, C , F � γ W alk Monday, June 25, 12

  66. Treat universal and existential fragments similarly . . . X ` Φ Termination X, C , F � γ W alk Monday, June 25, 12

  67. Treat universal and existential fragments similarly . . . X ` Φ Termination X, C , F � γ } well-founded W alk Monday, June 25, 12

  68. Treat universal and existential fragments similarly . . . X ` Φ X, C , F � γ W alk Monday, June 25, 12

  69. Treat universal and existential fragments similarly . . . X ` Φ Safety X, C , F � γ W alk Monday, June 25, 12

  70. Treat universal and existential fragments similarly . . . X ` Φ Soundness and Completeness Proof System CTL semantics I ` Φ ( ) 8 s 2 I. s ✏ Φ Monday, June 25, 12

  71. Treat universal and existential fragments similarly . . . X ` Φ X, C , F � γ • Sets-of-states rather than singleton states • Works well for infinite state spaces • Partition rather than enumerate states • Symbolic representations/overapproximations • We believe it will work well in practice ... Monday, June 25, 12

  72. Side Condition : Recurrent set? Monday, June 25, 12

  73. Side Condition : Recurrent set? C F X ✘ Monday, June 25, 12

  74. Side Condition : Recurrent set? In practice , C F 1. Guess an invariant I for chute C X ✘ (using, e.g., Octagon) 2. Check that I is recurrent set (using an SMT solver) Monday, June 25, 12

  75. x = 0 EF (AF (EG x )) x := 0 x := 1 Monday, June 25, 12

  76. x = 0 EF (AF (EG x )) x := 0 x := 1 Monday, June 25, 12

  77. x = 0 EF (AF (EG x )) x := 0 x := 1 x Monday, June 25, 12

  78. x = 0 EF (AF (EG x )) x := 0 x := 1 x EG x Monday, June 25, 12

  79. x = 0 EF (AF (EG x )) x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  80. x = 0 EF AF EG x EF AF EG x EF (AF (EG x )) x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  81. x = 0 EF AF EG x EF AF EG x x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  82. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  83. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  84. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  85. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  86. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  87. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  88. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x x := 1 x EG x Monday, June 25, 12

  89. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x • (Finite) derivation despite infinite state spaces • Partition rather than enumerate states x := 1 • Symbolic representations/overapproximations x EG x • We believe it will work well in practice ... Monday, June 25, 12

  90. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x How do we discover Frontiers and Chutes? x := 1 x EG x Monday, June 25, 12

  91. F 1 pc = 4 x = 0 ≡ EF AF EG x C 1 pc = 0 ⇒ ρ 1 ∧ pc = 2 ⇒ ρ 2 ≡ F 2 pc = 6 ≡ C 2 pc = 2 ⇒ ¬ ρ 2 ≡ EF AF EG x F 3 ≡ true x := 0 AF EG x • (Finite) derivation despite infinite state spaces How do we discover Frontiers and Chutes? • Partition rather than enumerate states x := 1 • Symbolic representations/overapproximations x EG x • We believe it will work well in practice ... Monday, June 25, 12

  92. Automation How do we discover frontiers ? (see our work in CAV 2011) Monday, June 25, 12

  93. Automation How do we discover chutes ? EF red Initial states . . . Monday, June 25, 12

Recommend

CSE507 Computer-Aided Reasoning for Software Program Synthesis

CSE507 Computer-Aided Reasoning for Software Program Synthesis

CSE507 Computer-Aided Reasoning for Software Program Synthesis courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today Last lecture Angelic nondeterminism and execution Today Program synthesis:

645 views • 15 slides
Nondeterministic Finite Automata Nondeterminism Subset Construction 1 Nondeterminism A

Nondeterministic Finite Automata Nondeterminism Subset Construction 1 Nondeterminism A

Nondeterministic Finite Automata Nondeterminism Subset Construction 1 Nondeterminism A nondeterministic finite automaton has the ability to be in several states at once. Transitions from a state on an input symbol can be to any set

737 views • 37 slides
BU CS 332 Theory of Computation Lecture 3: Reading: Nondeterminism Sipser Ch 1.1 1.2

BU CS 332 Theory of Computation Lecture 3: Reading: Nondeterminism Sipser Ch 1.1 1.2

BU CS 332 Theory of Computation Lecture 3: Reading: Nondeterminism Sipser Ch 1.1 1.2 Equivalence of NFAs and DFAs More on closure properties Mark Bun January 29, 2020 Non Nondeterminism 1 0,1 0 0 0 1 1 A

525 views • 23 slides
Type Safe Nondeterminism A Formal Semantics of Java Threads Andreas Lochbihler University of

Type Safe Nondeterminism A Formal Semantics of Java Threads Andreas Lochbihler University of

Type Safe Nondeterminism A Formal Semantics of Java Threads Andreas Lochbihler University of Passau Germany 01/13/2008 Funded by DFG grant Sn11/10-1 Andreas Lochbihler Type Safe Nondeterminism FOOL 08 1 / 17 Overview Motivation 1

750 views • 46 slides
Revisiting: Algebraic laws for nondeterminism and concurrency Matthew Hennessy Milner-Symposium,

Revisiting: Algebraic laws for nondeterminism and concurrency Matthew Hennessy Milner-Symposium,

Revisiting: Algebraic laws for nondeterminism and concurrency Matthew Hennessy Milner-Symposium, Edinburgh April 2012 1/29 History of a paper Algebraic laws for nondeterminism and concurrency, JACM 1985 Matthew Hennessy and Robin Milner

953 views • 61 slides
Tabled CLP for Reasoning over Stream Data Joaqun Arias 1 , 2 1 IMDEA Software Institute, 2

Tabled CLP for Reasoning over Stream Data Joaqun Arias 1 , 2 1 IMDEA Software Institute, 2

October 18, 2016 Tabled CLP for Reasoning over Stream Data Joaqun Arias 1 , 2 1 IMDEA Software Institute, 2 Technical University of Madrid madrid institute for advanced studies in software development technologies www.software.imdea.org Goal:

401 views • 25 slides
CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based Systems ! syntax and semantics ! shallow and deep reasoning ! validity and satisfiability ! forward and backward ! logic languages chaining ! alternative

616 views • 23 slides
Reasoning about the Security of Open Architecture Software Systems Walt Scacchi and Thomas

Reasoning about the Security of Open Architecture Software Systems Walt Scacchi and Thomas

Reasoning about the Security of Open Architecture Software Systems Walt Scacchi and Thomas Alspaugh Institute for Software Research University of California, Irvine Irvine, CA 92697-3455 USA 14 December 2012 1 Overview Cyber security

887 views • 46 slides
Nondeterminism (Deterministic) FA required for every state q and every symbol of the alphabet

Nondeterminism (Deterministic) FA required for every state q and every symbol of the alphabet

[Section 4.1] Nondeterminism (Deterministic) FA required for every state q and every symbol of the alphabet to have exactly one arrow out of q labeled . What happens when we drop this requirement ? L = { w {a,b} * | w contains abba as a

464 views • 22 slides
Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based reasoning COMPSCI 276, Fall 2014 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Why/What/How

700 views • 45 slides
Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning , (observations to a theory) followed by causal reasoning (theory to predictions). Diagnosis Given symptoms, evidential reasoning leads to hypotheses about

243 views • 8 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
CSE 331 Software Design and Implementation Lecture 2 Formal Reasoning Leah Perlmutter / Summer

CSE 331 Software Design and Implementation Lecture 2 Formal Reasoning Leah Perlmutter / Summer

CSE 331 Software Design and Implementation Lecture 2 Formal Reasoning Leah Perlmutter / Summer 2018 Announcements First section tomorrow! Homework 0 due today (Wednesday) at 10 pm Heads up: no late days for this one! Quiz 1 due

556 views • 53 slides
SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

OUTLINE SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING + Backward Reasoning Weaker vs. Stronger statements Version control VERSION CONTROL CSE 331 Summer 2018 slides borrowed and

763 views • 11 slides
Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211

Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211

Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211 Cognitive Psychology, Guest lecture CMU Qatar November 28, 2018 1 / 15 What is reasoning? Reasoning is the process of drawing conclusions from

911 views • 59 slides
Reasoning Analytically About Password-Cracking Software Enze Alex Liu, Amanda Nakanishi,

Reasoning Analytically About Password-Cracking Software Enze Alex Liu, Amanda Nakanishi,

Reasoning Analytically About Password-Cracking Software Enze Alex Liu, Amanda Nakanishi, Maximilian Golla, David Cash, and Blase Ur November 26, 2019 | PasswordsCon | Stockholm, Sweden People Choose Weak Passwords Johnny14! 2 November 26,

2.25k views • 49 slides
Semantic Web Services-based Reasoning in the Design of Software Product Lines J. Jeffrey Rusk

Semantic Web Services-based Reasoning in the Design of Software Product Lines J. Jeffrey Rusk

Semantic Web Services-based Reasoning in the Design of Software Product Lines J. Jeffrey Rusk and Dragan Gasevic Athabasca University Canada Research Goal To evaluate the suitability of the Web Service Modeling Ontology (WSMO) in the

578 views • 22 slides
Why Formal q Reasoning Informally q Hoare Logic q Weaker and Stronger Statements Reasoning q

Why Formal q Reasoning Informally q Hoare Logic q Weaker and Stronger Statements Reasoning q

CSE 331 Announcements Software Design and Implementation First section tomorrow! Homework 0 due today (Wednesday) at 10 pm Heads up: no late days for this one! Lecture 2 Quiz 1 due tomorrow (Thursday) at 10 pm Homework 1 due

166 views • 14 slides
A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan

A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan

A Denotational Semantics for Low-Level Probabilistic Programs with Nondeterminism Di Wang 1 Jan Hoffmann 1 Thomas Reps 2,3 1 Carnegie Mellon University 2 University of Wisconsin 3 GrammaTech, Inc. Probabilistic Programs Draw random data from

914 views • 72 slides
MA/CSSE 474 Theory of Computation Nondeterminism NFSMs Your Questions? Previous class

MA/CSSE 474 Theory of Computation Nondeterminism NFSMs Your Questions? Previous class

3/13/2018 MA/CSSE 474 Theory of Computation Nondeterminism NFSMs Your Questions? Previous class days' HW1 solutions material HW3 or HW4 problems Reading Assignments Anything else 1 3/13/2018 MORE DFSM EXAMPLES

281 views • 15 slides
Co-nondeterminism in compositions: A kernelization lower bound for a Ramsey-type problem Stefan

Co-nondeterminism in compositions: A kernelization lower bound for a Ramsey-type problem Stefan

Co-nondeterminism in compositions: A kernelization lower bound for a Ramsey-type problem Stefan Kratsch September 03, WorKer 2011, Vienna 1 Introduction Ramsey(k) Input: A graph G and an integer k . Parameter: k . Question: Does G contain an

395 views • 25 slides
Rule formats for bounded nondeterminism in structural operational semantics lvaro

Rule formats for bounded nondeterminism in structural operational semantics lvaro

Rule formats for bounded nondeterminism in structural operational semantics lvaro Garca-Prez Luca Aceto Anna Inglfsdttir Reykjavk University Lyngby, January 8th, 2016 1 / 11 Motivation 2 / 11 Structural operational semantics

383 views • 21 slides
Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan Resources Exam Methods Motivations Automated Reasoning Automated reasoning mechanising the reasoning process. reasoning :

159 views • 14 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides

More recommend