verification of concurrent systems
play

Verification of Concurrent Systems Ahmed Bouajjani LIAFA, - PowerPoint PPT Presentation

Dec 10, 2023 •128 likes •1.26k views

Verification of Concurrent Systems Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7 MOVEP12, CIRM, December 2012 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 1 / 42 Concurrent Programs Parallel

  1. Key lemma Lemma The pre and pre ∗ images of upward closed set are upward closed 1 Let S be an upward closed set. 2 Assume pre ( S ) is not upward closed. 3 Let c 1 ∈ pre ( S ), and let c 2 ∈ U such that c 1 � c 2 and c 2 �∈ pre ( S ) 4 Let c ′ 1 ∈ S such that c 1 − → c ′ 1 5 Monotonicity ⇒ there is a c ′ 2 such that c 2 − → c ′ 2 and c ′ 1 � c ′ 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 12 / 42

  2. Key lemma Lemma The pre and pre ∗ images of upward closed set are upward closed 1 Let S be an upward closed set. 2 Assume pre ( S ) is not upward closed. 3 Let c 1 ∈ pre ( S ), and let c 2 ∈ U such that c 1 � c 2 and c 2 �∈ pre ( S ) 4 Let c ′ 1 ∈ S such that c 1 − → c ′ 1 5 Monotonicity ⇒ there is a c ′ 2 such that c 2 − → c ′ 2 and c ′ 1 � c ′ 2 6 S is upward closed ⇒ c ′ 2 ∈ S A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 12 / 42

  3. Key lemma Lemma The pre and pre ∗ images of upward closed set are upward closed 1 Let S be an upward closed set. 2 Assume pre ( S ) is not upward closed. 3 Let c 1 ∈ pre ( S ), and let c 2 ∈ U such that c 1 � c 2 and c 2 �∈ pre ( S ) 4 Let c ′ 1 ∈ S such that c 1 − → c ′ 1 5 Monotonicity ⇒ there is a c ′ 2 such that c 2 − → c ′ 2 and c ′ 1 � c ′ 2 6 S is upward closed ⇒ c ′ 2 ∈ S 7 ⇒ c 2 ∈ pre ( S ), contradiction. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 12 / 42

  4. Key lemma Lemma The pre and pre ∗ images of upward closed set are upward closed 1 Let S be an upward closed set. 2 Assume pre ( S ) is not upward closed. 3 Let c 1 ∈ pre ( S ), and let c 2 ∈ U such that c 1 � c 2 and c 2 �∈ pre ( S ) 4 Let c ′ 1 ∈ S such that c 1 − → c ′ 1 5 Monotonicity ⇒ there is a c ′ 2 such that c 2 − → c ′ 2 and c ′ 1 � c ′ 2 6 S is upward closed ⇒ c ′ 2 ∈ S 7 ⇒ c 2 ∈ pre ( S ), contradiction. 8 For pre ∗ : the union of upward closed sets is upward closed. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 12 / 42

  5. Backward Reachability Analysis Consider the increasing sequence X 0 ⊆ X 1 ⊆ X 2 . . . defined by: X 0 = Min ( S ) X i +1 = X i ∪ Min ( pre ( X i )) Termination: There is a index i ≥ 0 such that X i +1 = X i The set pre ∗ ( S ) is upward closed ⇒ has a finite minor Wait until a minor is collected A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 13 / 42

  6. Backward Reachability Analysis Consider the increasing sequence X 0 ⊆ X 1 ⊆ X 2 . . . defined by: X 0 = Min ( S ) X i +1 = X i ∪ Min ( pre ( X i )) Termination: There is a index i ≥ 0 such that X i +1 = X i The set pre ∗ ( S ) is upward closed ⇒ has a finite minor Wait until a minor is collected How long shall we wait? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 13 / 42

  7. Backward Reachability Analysis Consider the increasing sequence X 0 ⊆ X 1 ⊆ X 2 . . . defined by: X 0 = Min ( S ) X i +1 = X i ∪ Min ( pre ( X i )) Termination: There is a index i ≥ 0 such that X i +1 = X i The set pre ∗ ( S ) is upward closed ⇒ has a finite minor Wait until a minor is collected How long shall we wait? Possibly very very long: Non primitive recursive in general A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 13 / 42

  8. The case of VASS Usual ≤ order over N is a WQO (Dickson lemma) Product of WQO’s is a WQO. ⇒ ≤ generalized to N n is a WQO. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 14 / 42

  9. The case of VASS Usual ≤ order over N is a WQO (Dickson lemma) Product of WQO’s is a WQO. ⇒ ≤ generalized to N n is a WQO. Upward-closed sets = finite disjunctions of � n i =1 l i ≤ c i , where l i ∈ N Computation of the Pre: ◮ op = “ c j := c j + 1” : ( � i � = j l i ≤ c i ) ∧ ( max ( l j − 1 , 0) ≤ c j ) ◮ op = “ c j > 0 / c j − 1”: ( � i � = j l i ≤ c i ) ∧ ( l j + 1 ≤ c j ) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 14 / 42

  10. The case of VASS Usual ≤ order over N is a WQO (Dickson lemma) Product of WQO’s is a WQO. ⇒ ≤ generalized to N n is a WQO. Upward-closed sets = finite disjunctions of � n i =1 l i ≤ c i , where l i ∈ N Computation of the Pre: ◮ op = “ c j := c j + 1” : ( � i � = j l i ≤ c i ) ∧ ( max ( l j − 1 , 0) ≤ c j ) ◮ op = “ c j > 0 / c j − 1”: ( � i � = j l i ≤ c i ) ∧ ( l j + 1 ≤ c j ) No test to zero, only guards of the form c > 0 ⇒ Monotonicity ⇒ Coverability is decidable. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 14 / 42

  11. The case of Lossy Fifo Channel Systems Subword relation over a finite alphabet is a WQO (Higman’s lemma) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 15 / 42

  12. The case of Lossy Fifo Channel Systems Subword relation over a finite alphabet is a WQO (Higman’s lemma) Upward-closed sets = finite unions of Σ ∗ a 1 Σ ∗ a 2 · · · a m Σ ∗ Computation of the Pre: ◮ Send: Left concatenation + Upward closure ◮ Receive: Right derivation A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 15 / 42

  13. The case of Lossy Fifo Channel Systems Subword relation over a finite alphabet is a WQO (Higman’s lemma) Upward-closed sets = finite unions of Σ ∗ a 1 Σ ∗ a 2 · · · a m Σ ∗ Computation of the Pre: ◮ Send: Left concatenation + Upward closure ◮ Receive: Right derivation Lossyness ⇒ Monotonicity ⇒ Coverability is decidable. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 15 / 42

  14. Concurrent Programs with Procedures Procedural program → Pushdown System (finite control + stack) Concurrent program → Concurrent PDS’s (Multistack systems) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 16 / 42

  15. Concurrent Programs with Procedures Procedural program → Pushdown System (finite control + stack) Concurrent program → Concurrent PDS’s (Multistack systems) Two stacks can simulate a Turing tape. Concurrent programs with 2 threads are Turing powerful. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 16 / 42

  16. Concurrent Programs with Procedures Procedural program → Pushdown System (finite control + stack) Concurrent program → Concurrent PDS’s (Multistack systems) Two stacks can simulate a Turing tape. Concurrent programs with 2 threads are Turing powerful. ⇒ Restrictions ◮ Classes of programs with particular features ◮ Particular kind of behaviors (under-approximate analysis for bug detection) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 16 / 42

  17. Asynchronous Programs Synchronous calls Usual procedure calls Asynchronous calls ◮ Calls are stored and dispatched later by the scheduler ◮ They can be executed in any order Event-driven programming (requests, responses) Useful model: distributed systems, web servers, embedded systems A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 17 / 42

  18. Formal Models: Multiset Pushdown Systems A task is a sequential (pushdown) process with dynamic task creation Created tasks are stored in an unordered buffer (multiset) Tasks run until completion If the stack is empty, a task in moved from the multiset to the stack A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 18 / 42

  19. Difficulties Unbounded buffer of tasks The buffer is a multiset ⇒ can be encoded as counters Need to combine somehow PDS with VASS Stack ⇒ not Well Structured How to get rid of the stack ? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 19 / 42

  20. State Reachability of Multiset PDS Theorem The control state reachability problem for MPDS is EXPSPACE-complete. Reduction to/from the coverability problem for Petri. First decidability proof by K. Sen and M. Viswanathan, 2006 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 20 / 42

  21. Semi-linear Sets Linear set over N n is a set of the form { � u + k 1 � v 1 + · · · + k m � v m : k 1 , . . . , k m ∈ N } v m ∈ N n where � u , � v 1 , . . . , � Semi-linear set = finite union of linear sets. Examples: ◮ { (0 , 0) + k (1 , 1) : k ≥ 0 } ≡ x 1 = x 2 ◮ { (0 , 0) + k (1 , 2) : k ≥ 0 } ≡ 2 x 1 = x 2 ◮ { (0 , 3) + k (1 , 1) : k ≥ 0 } ≡ x 1 + 3 = x 2 ◮ { (0 , 3) + k 1 (0 , 1) + k 2 (1 , 1) : k ≥ 0 } ≡ x 1 + 3 ≤ x 2 ◮ { (0 , 0 , 0) + k 1 (1 , 0 , 1) + k 2 (0 , 1 , 1) : k 1 , k 2 ≥ 0 } ≡ x 1 + x 2 = x 3 ◮ { (0 , 0 , 3) + k 1 (1 , 0 , 2) + k 2 (0 , 1 , 1) : k 1 , k 2 ≥ 0 } ≡ 2 x 1 + x 2 + 3 = x 3 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 21 / 42

  22. Semi-linear Sets Linear set over N n is a set of the form { � u + k 1 � v 1 + · · · + k m � v m : k 1 , . . . , k m ∈ N } v m ∈ N n where � u , � v 1 , . . . , � Semi-linear set = finite union of linear sets. Examples: ◮ { (0 , 0) + k (1 , 1) : k ≥ 0 } ≡ x 1 = x 2 ◮ { (0 , 0) + k (1 , 2) : k ≥ 0 } ≡ 2 x 1 = x 2 ◮ { (0 , 3) + k (1 , 1) : k ≥ 0 } ≡ x 1 + 3 = x 2 ◮ { (0 , 3) + k 1 (0 , 1) + k 2 (1 , 1) : k ≥ 0 } ≡ x 1 + 3 ≤ x 2 ◮ { (0 , 0 , 0) + k 1 (1 , 0 , 1) + k 2 (0 , 1 , 1) : k 1 , k 2 ≥ 0 } ≡ x 1 + x 2 = x 3 ◮ { (0 , 0 , 3) + k 1 (1 , 0 , 2) + k 2 (0 , 1 , 1) : k 1 , k 2 ≥ 0 } ≡ 2 x 1 + x 2 + 3 = x 3 Theorem [Ginsburg, Spanier, 1966] A set is semi-linear iff it is definable in Presburger arithmetics. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 21 / 42

  23. Parikh’s image Let Σ = { a 1 , . . . , a n } . Given a word w ∈ Σ ∗ , the Parikh image of w is: φ ( w ) = (# a 1 ( w ) , . . . , # a n ( w )) ∈ N n Given a language L ⊆ Σ ∗ , φ ( L ) = { φ ( w ) : w ∈ L } Examples: ◮ L 1 = { a n b n : n ≥ 0 } , φ ( L 1 ) = { ( x 1 , x 2 ) : x 1 = x 2 } ◮ L 2 = { a n b n c n : n ≥ 0 } , φ ( L 2 ) = { ( x 1 , x 2 , x 3 ) : x 1 = x 2 ∧ x 2 = x 3 } ◮ L 3 = ( ab ) ∗ = { ( ab ) n : n ≥ 0 } , φ ( L 3 ) = { ( x 1 , x 2 ) : x 1 = x 2 } A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 22 / 42

  24. Semi-linear sets, CFL’s, and RL’s Parikh’s Theorem (1966) For every Context-Free Language L, φ ( L ) is a semi-linear set. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 23 / 42

  25. Semi-linear sets, CFL’s, and RL’s Parikh’s Theorem (1966) For every Context-Free Language L, φ ( L ) is a semi-linear set. Proposition For every semi-linear set S, there exists a Regular Language L such that φ ( L ) = S. Corollary For every Context-Free Language L, there exists a Regular language L ′ such that φ ( L ) = φ ( L ′ ) . A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 23 / 42

  26. From Multiset PDS to VASS PDS computation with tasks creation q 0 γ 0 q 1 γ 1 q 2 Pending tasks Multiset A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  27. From Multiset PDS to VASS PDS computation with tasks creation q 0 γ 0 q 1 γ 1 q 2 Pending tasks Multiset A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  28. From Multiset PDS to VASS PDS computation with tasks creation q 0 γ 0 q 1 γ 1 q 2 M 1 Pending tasks Multiset A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  29. From Multiset PDS to VASS PDS computation with tasks creation q 0 γ 0 q 1 γ 1 q 2 M 1 Pending tasks Multiset A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  30. From Multiset PDS to VASS PDS computation with tasks creation q 0 γ 0 q 1 γ 1 q 2 M 1 M 2 Pending tasks Multiset A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  31. From Multiset PDS to VASS q 0 γ 0 q 1 γ 1 q 2 M 1 M 2 L 1 = Set of sequences of created tasks L 1 ⇒ ∗ q 1 , ǫ q 0 , γ 0 = L 1 is a Context-Free Language M 1 is the Parikh image of L 1 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  32. From Multiset PDS to VASS q 0 γ 0 q 1 γ 1 q 2 M 1 M 2 Parikh’s Theorem: M i is definable by a finite state automaton S i A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  33. From Multiset PDS to VASS q 0 γ 0 q 1 γ 1 q 2 M 1 M 2 Parikh’s Theorem: M i is definable by a finite state automaton S i Construction of a VASS: Simulation of S i + task consumption rules A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 24 / 42

  34. Message-Passing Programs with Procedures Undecidable even for unbounded FIFO channels Restrictions on ◮ Interaction between recursion and communication (e.g., communication with empty stack) ◮ Kind of channels (e.g., lossy, unordered) ◮ Topology of the network Decidable classes [La Torre et al. TACAS’08], [Atig et al., CONCUR’08], ... A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 25 / 42

  35. Concurrent Programs: Under-approximate analysis Parallel threads (with/without procedure calls) Shared memory Interleaving semantics (sequential consistency) Model = Concurrent Pushdown Systems (Multistack systems) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 26 / 42

  36. Concurrent Programs: Under-approximate analysis Parallel threads (with/without procedure calls) Shared memory Interleaving semantics (sequential consistency) Model = Concurrent Pushdown Systems (Multistack systems) Undecidability / Complexity ⇒ Consider only some schedules Aim: detect bugs A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 26 / 42

  37. Concurrent Programs: Under-approximate analysis Parallel threads (with/without procedure calls) Shared memory Interleaving semantics (sequential consistency) Model = Concurrent Pushdown Systems (Multistack systems) Undecidability / Complexity ⇒ Consider only some schedules Aim: detect bugs What is a good concept for restricting the set of behaviors ? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 26 / 42

  38. Context-Bounded Analysis [Qadeer, Rehof, 2005] The number of context switches in a computation is bounded w 0 w 1 w 1 w 2 q 0 q 1 q 2 q 3 Thread 1: u 0 u 1 u 1 q 1 q 2 q 3 Thread 2: Context 1 Context 2 Context 3 Context 4 Suitable for finding bugs in concurrent programs. Concurrency bugs show up after a small number of context switches. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 27 / 42

  39. Context-Bounded Analysis [Qadeer, Rehof, 2005] The number of context switches in a computation is bounded w 0 w 1 w 1 w 2 q 0 q 1 q 2 q 3 Thread 1: u 0 u 1 u 1 q 1 q 2 q 3 Thread 2: Context 1 Context 2 Context 3 Context 4 Suitable for finding bugs in concurrent programs. Concurrency bugs show up after a small number of context switches. Infinite-state space: Unbounded sequential computations Decidability ? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 27 / 42

  40. Basic case: Pushdown system Pushdown system = ( Q , Γ , ∆) Configuration: ( q , w ) where q ∈ Q is a control state, w ∈ Γ is the stack content. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 28 / 42

  41. Basic case: Pushdown system Pushdown system = ( Q , Γ , ∆) Configuration: ( q , w ) where q ∈ Q is a control state, w ∈ Γ is the stack content. Symbolic representation: A finite state automaton. Computation of the predecessors/successors: For every regular set of configurations C, the pre ∗ ( C ) and post ∗ ( C ) are regular and effectively constructible. [B¨ uchi 62], ..., [B., Esparza, Maler, 97], ... Reachability: Polynomial algorithms. Can be generalized to model checking. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 28 / 42

  42. Context-Bounded Analysis: Decidability Consider a multi-stack systems with n stacks Configuration: ( q , w 1 , . . . , w n ), where q is a control state, w i ∈ Γ i are stack contents. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 29 / 42

  43. Context-Bounded Analysis: Decidability Consider a multi-stack systems with n stacks Configuration: ( q , w 1 , . . . , w n ), where q is a control state, w i ∈ Γ i are stack contents. Symbolic representation: clusters ( q , A 1 , . . . , A n ), q a control state, A i are FSA over Γ i Given a cluster C , compute a set of clusters characterizing K - pre ∗ ( C ) (resp. K - post ∗ ( C )) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 29 / 42

  44. Context-Bounded Analysis: Decidability Consider a multi-stack systems with n stacks Configuration: ( q , w 1 , . . . , w n ), where q is a control state, w i ∈ Γ i are stack contents. Symbolic representation: clusters ( q , A 1 , . . . , A n ), q a control state, A i are FSA over Γ i Given a cluster C , compute a set of clusters characterizing K - pre ∗ ( C ) (resp. K - post ∗ ( C )) Generalize the pre ∗ / post ∗ constructions for PDS A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 29 / 42

  45. Context-Bounded Analysis: Decidability Consider a multi-stack systems with n stacks Configuration: ( q , w 1 , . . . , w n ), where q is a control state, w i ∈ Γ i are stack contents. Symbolic representation: clusters ( q , A 1 , . . . , A n ), q a control state, A i are FSA over Γ i Given a cluster C , compute a set of clusters characterizing K - pre ∗ ( C ) (resp. K - post ∗ ( C )) Generalize the pre ∗ / post ∗ constructions for PDS Enumerate sequences of the form q 0 i 0 q 1 i 1 q 2 i 2 . . . i K q K i K +1 , where q j ’s are states, and i j ∈ { 1 , . . . , n } are threads identities. Let X K +1 = C . Compute: for j = K back to 0 ◮ A ′ j +1 = pre ∗ i j +1 ( X j +1 [ i j +1 ]) ∩ q j Γ ∗ i ◮ X j = ( q j , A j +1 , . . . , A ′ j +1 , . . . , A j +1 ) 1 n A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 29 / 42

  46. Sequentialization under Context Bounding Question: Is it possible to reduce CBA of a Concurrent Program to the Reachability Analysis of a Sequential Program ? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 30 / 42

  47. Sequentialization under Context Bounding Question: Is it possible to reduce CBA of a Concurrent Program to the Reachability Analysis of a Sequential Program ? Yes: Use compositional reasoning ! [Lal, Reps, 2008] A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 30 / 42

  48. Sequentialization under Context Bounding: Basic Idea Consider a Program with 2 threads T 1 and T 2 , and global variables X Consider the problem: Can the program reach the state ( q 1 , q 2 ) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 31 / 42

  49. Sequentialization under Context Bounding: Basic Idea Consider a Program with 2 threads T 1 and T 2 , and global variables X Consider the problem: Can the program reach the state ( q 1 , q 2 ) Round Robin thread scheduling. K = number of rounds A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 31 / 42

  50. Sequentialization under Context Bounding: Basic Idea Consider a Program with 2 threads T 1 and T 2 , and global variables X Consider the problem: Can the program reach the state ( q 1 , q 2 ) Round Robin thread scheduling. K = number of rounds Guess an interface of each thread: ◮ I i = ( I i 1 , . . . I i K ), the global states when T i starts/is resumed ◮ O i = ( O i 1 , . . . O i K ), the global states when T i terminates/is interrupted A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 31 / 42

  51. Sequentialization under Context Bounding: Basic Idea Consider a Program with 2 threads T 1 and T 2 , and global variables X Consider the problem: Can the program reach the state ( q 1 , q 2 ) Round Robin thread scheduling. K = number of rounds Guess an interface of each thread: ◮ I i = ( I i 1 , . . . I i K ), the global states when T i starts/is resumed ◮ O i = ( O i 1 , . . . O i K ), the global states when T i terminates/is interrupted Check that T 1 can reach q 1 by a computation that fulfills its interface A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 31 / 42

  52. Sequentialization under Context Bounding: Basic Idea Consider a Program with 2 threads T 1 and T 2 , and global variables X Consider the problem: Can the program reach the state ( q 1 , q 2 ) Round Robin thread scheduling. K = number of rounds Guess an interface of each thread: ◮ I i = ( I i 1 , . . . I i K ), the global states when T i starts/is resumed ◮ O i = ( O i 1 , . . . O i K ), the global states when T i terminates/is interrupted Check that T 1 can reach q 1 by a computation that fulfills its interface Check that T 2 can reach q 2 by a computation that fulfills its interface A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 31 / 42

  53. Sequentialization under Context Bounding: Basic Idea Consider a Program with 2 threads T 1 and T 2 , and global variables X Consider the problem: Can the program reach the state ( q 1 , q 2 ) Round Robin thread scheduling. K = number of rounds Guess an interface of each thread: ◮ I i = ( I i 1 , . . . I i K ), the global states when T i starts/is resumed ◮ O i = ( O i 1 , . . . O i K ), the global states when T i terminates/is interrupted Check that T 1 can reach q 1 by a computation that fulfills its interface Check that T 2 can reach q 2 by a computation that fulfills its interface Check that the interfaces are composable ◮ O 1 j = I 2 j for every j ∈ { 1 , . . . , K } ◮ O 2 j = I 1 j +1 for every j ∈ { 1 , . . . , K − 1 } A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 31 / 42

  54. Sequentialization: Code-to-code translation Given a concurrent program P , construct a sequential program P s such that ( q 1 , q 2 ) is reachable under K -CB in P iff q win in reachable in P s . A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 32 / 42

  55. Sequentialization: Code-to-code translation Given a concurrent program P , construct a sequential program P s such that ( q 1 , q 2 ) is reachable under K -CB in P iff q win in reachable in P s . Create 2 K copies of the global variables X j and X ′ j , for j ∈ { 1 , . . . , K } Simulation of T 1 . At each round j ∈ { 1 , . . . , K } do: Assign ∗ to all variables of X j (guesses the input I 1 j ) 1 Copies X j in X ′ j , and runs by using X ′ j as global variables 2 Choses nondeterministically the next context-switch point 3 Moves to round j + 1 (locals are not modified) and go to 1 (using new 4 copies of globals X j +1 and X ′ j +1 ). Whenever T 1 reaches q 1 , start simulating T 2 . 5 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 32 / 42

  56. Sequentialization: Code-to-code translation Given a concurrent program P , construct a sequential program P s such that ( q 1 , q 2 ) is reachable under K -CB in P iff q win in reachable in P s . Create 2 K copies of the global variables X j and X ′ j , for j ∈ { 1 , . . . , K } Simulation of T 1 . At each round j ∈ { 1 , . . . , K } do: Assign ∗ to all variables of X j (guesses the input I 1 j ) 1 Copies X j in X ′ j , and runs by using X ′ j as global variables 2 Choses nondeterministically the next context-switch point 3 Moves to round j + 1 (locals are not modified) and go to 1 (using new 4 copies of globals X j +1 and X ′ j +1 ). Whenever T 1 reaches q 1 , start simulating T 2 . 5 Simulation of T 2 . At each round j do: Starts from the content of X ′ j that was produced by T 1 in its j -th round 1 Runs by using X ′ j as global variables 2 Choses nondeterministically the next context-switch point 3 Checks that X ′ j = X j +1 (composability check), and move to round j + 1 4 If q 2 is reachable at round K , then go to state q win 5 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 32 / 42

  57. Dynamic Creation of Threads ? [Atig, B., Qadeer, 09] Problem Bounding the number of context switches ⇒ bounding the number of threads. ⇒ Inadequate bounding concept for the dynamic case. Each created thread must have a chance to be executed A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 33 / 42

  58. Dynamic Creation of Threads ? [Atig, B., Qadeer, 09] Problem Bounding the number of context switches ⇒ bounding the number of threads. ⇒ Inadequate bounding concept for the dynamic case. Each created thread must have a chance to be executed New definition Give to each thread a context switch budget ⇒ The number of context switches is bounded for each thread ⇒ The global number of context switches in a run is unbounded NB: Generalization of Asynchronous Programs A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 33 / 42

  59. Case 1: Dynamic Networks of Finite-State Processes Decidable ? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 34 / 42

  60. Case 1: Dynamic Networks of Finite-State Processes Decidable ? Theorem The K-bounded state reachability problem is EXPSPACE-complete. Reduction to/from the coverability problem for Petri. A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 34 / 42

  61. Reduction to coverability in PN For every global store q ∈ Q , associate a place q . For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 1 , . . . , K } of the active thread, associate a place ( γ ,b,Act). For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 0 , . . . , K } of a pending thread, associate a place ( γ ,b,Pen). A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 35 / 42

  62. Reduction to coverability in PN For every global store q ∈ Q , associate a place q . For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 1 , . . . , K } of the active thread, associate a place ( γ ,b,Act). For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 0 , . . . , K } of a pending thread, associate a place ( γ ,b,Pen). q ( γ ,b,Act) → q ′ γ ′ = ⇒ Rule of the form: q γ − ( γ ′ ,b,Act) q ′ A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 35 / 42

  63. Reduction to coverability in PN For every global store q ∈ Q , associate a place q . For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 1 , . . . , K } of the active thread, associate a place ( γ ,b,Act). For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 0 , . . . , K } of a pending thread, associate a place ( γ ,b,Pen). q ( γ ,b,Act) → q ′ γ ′ ⊲ γ ′′ = ⇒ Rule of the form: q γ − ( γ ′′ ,K,Pen) ( γ ′ ,b,Act) q ′ A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 35 / 42

  64. Reduction to coverability in PN For every global store q ∈ Q , associate a place q . For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 1 , . . . , K } of the active thread, associate a place ( γ ,b,Act). For every stack configuration γ ∈ Γ ∪ { ǫ } and budget b ∈ { 0 , . . . , K } of a pending thread, associate a place ( γ ,b,Pen). ( γ ,b,Act) ( γ ′ ,b’,Pen) Context switch (with b’ > 0) = ⇒ ( γ ′ ,b’,Act) ( γ ,b-1,Pen) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 35 / 42

  65. Case 2: Dynamic Networks of Pushdown Systems Decidable ? A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 36 / 42

  66. Case 2: Dynamic Networks of Pushdown Systems Decidable ? Difficulty: ◮ Unbounded number of pending local contexts ◮ Can not use the same construction as for the case of finite state threads. (This would need an unbounded number of places.) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 36 / 42

  67. Case 2: Dynamic Networks of Pushdown Systems Decidable ? Difficulty: ◮ Unbounded number of pending local contexts ◮ Can not use the same construction as for the case of finite state threads. (This would need an unbounded number of places.) Theorem The K-bounded state reachability problem is in 2EXPSPACE. Exponential reduction to the coverability problem in PN A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 36 / 42

  68. Making visible the interactions w 1 w 1 w 2 w 2 w 3 γ Thread: γ 1 γ 2 γ 3 Phase 1 Phase 2 Phase 3 Envir. : q q 1 q 2 q ′ q ′ q ′ 1 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 37 / 42

  69. Making visible the interactions w 1 w 1 w 2 w 2 w 3 γ Thread: γ 1 γ 2 γ 3 Phase 1 Phase 2 Phase 3 Envir. : q q 1 q 2 q ′ q ′ q ′ 1 2 Construct a labeled pushdown automaton which: ◮ Guesses the effect of the environment on the states w 1 w 1 w 2 w 2 w 3 γ Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 37 / 42

  70. Making visible the interactions w 1 w 1 w 2 w 2 w 3 γ Thread: γ 1 γ 2 γ 3 Phase 1 Phase 2 Phase 3 Envir. : q q 1 q 2 q ′ q ′ q ′ 1 2 Construct a labeled pushdown automaton which: ◮ Guesses the effect of the environment on the states w 1 w 1 w 2 w 2 w 3 γ ( q 1 , q ′ 1 ) ( q 2 , q ′ 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 37 / 42

  71. Making visible the interactions w 1 w 1 w 2 w 2 w 3 γ Thread: γ 1 γ 2 γ 3 Phase 1 Phase 2 Phase 3 Envir. : q q 1 q 2 q ′ q ′ q ′ 1 2 Construct a labeled pushdown automaton which: ◮ Makes visible (as transition labels) the created threads w 1 w 1 w 2 w 2 w 3 γ ( q 1 , q ′ 1 ) ( q 2 , q ′ 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 37 / 42

  72. Making visible the interactions w 1 w 1 w 2 w 2 w 3 γ Thread: γ 1 γ 2 γ 3 Phase 1 Phase 2 Phase 3 Envir. : q q 1 q 2 q ′ q ′ q ′ 1 2 Construct a labeled pushdown automaton which: ◮ Makes visible (as transition labels) the created threads . . . γ 1 . . . w 1 w 1 . . . γ 2 . . . w 2 w 2 . . . γ 3 . . . w 3 γ ( q 1 , q ′ 1 ) ( q 2 , q ′ 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 37 / 42

  73. Constructing a regular interface . . . γ 1 . . . . . . γ 2 . . . . . . γ 3 . . . γ ( q 1 , q ′ ( q 2 , q ′ 1 ) 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 38 / 42

  74. Constructing a regular interface . . . γ 1 . . . . . . γ 2 . . . . . . γ 3 . . . γ ( q 1 , q ′ ( q 2 , q ′ 1 ) 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 The set of traces L characterizes the interaction between the thread and its environment ( L is a CFL) A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 38 / 42

  75. Constructing a regular interface . . . γ 1 . . . . . . γ 2 . . . . . . γ 3 . . . γ ( q 1 , q ′ ( q 2 , q ′ 1 ) 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 The set of traces L characterizes the interaction between the thread and its environment ( L is a CFL) Observations: For the state reachability problem Order of events is important Some created threads may never be scheduled A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 38 / 42

  76. Constructing a regular interface . . . γ 1 . . . . . . γ 2 . . . . . . γ 3 . . . γ ( q 1 , q ′ ( q 2 , q ′ 1 ) 2 ) Pushdown: q q 1 q 2 q ′ q ′ q ′ 1 2 The set of traces L characterizes the interaction between the thread and its environment ( L is a CFL) Observations: For the state reachability problem Order of events is important Some created threads may never be scheduled ⇒ Replace L by its downward closure w.r.t. the sub-word relation L ↓ A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 38 / 42

  77. Constructing a regular interface (cont.) The interactions of a thread with its environment can be characterized by the downward closure L ↓ of the context-free language L L ↓ is regular and effectively constructible ([Courcelle, 1991]) The size of an automaton for L ↓ can be exponential in the PDA defining L A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 39 / 42

Recommend

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS OUTLINE OF THIS LECTURE How to ensure software quality? Classical program logic Separation logic The next challenge: concurrent

1.36k views • 108 slides
Modeling and Verification of Real-time/Hybrid/Cyber-Physical Systems via Concurrent Co-inductive

Modeling and Verification of Real-time/Hybrid/Cyber-Physical Systems via Concurrent Co-inductive

Motivation Background Contribution Summary Modeling and Verification of Real-time/Hybrid/Cyber-Physical Systems via Concurrent Co-inductive Constraint Logic Programming Neda Saeedloei Department of Computer Science University of Texas at

929 views • 77 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Towards Verification of Systems of Asynchronous Concurrent Processes Marek Rychl Department

Towards Verification of Systems of Asynchronous Concurrent Processes Marek Rychl Department

Towards Verification of Systems of Asynchronous Concurrent Processes Marek Rychl Department of Information Systems, Faculty of Information Technology, Brno University of Technology Outline Introduction Distributed information

191 views • 17 slides
Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science

Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science

Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213 1 Temporal Logic Model Checking Specification Language: A propositional temporal

710 views • 41 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (<100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Probabilistic Modelling and Verification of Introduction Biological Systems Biological Systems

Probabilistic Modelling and Verification of Introduction Biological Systems Biological Systems

Probabilistic Modelling and Verification of Biological Systems Paolo Milazzo Outline Probabilistic Modelling and Verification of Introduction Biological Systems Biological Systems as Concurrent Systems Examples of Models Discussion on

840 views • 34 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) Local State Space Construction for Compositional

1.12k views • 50 slides
Modeling Concurrent Systems Hao Zheng Department of Computer Science and Engineering University

Modeling Concurrent Systems Hao Zheng Department of Computer Science and Engineering University

Modeling Concurrent Systems Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456 Hao Zheng (CSE, USF) Comp Sys Verification 1 /

1.33k views • 74 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled?

1.39k views • 83 slides
Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U

Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U

Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U Paris Diderot Paris 7 Locali Workshop, Beijing, November 2013 A. Bouajjani (U Paris Diderot UP7) Verification of Concurrent Programs Beijing,

924 views • 50 slides
Session-Based Compositional Verification on Actor-based Concurrent Systems Session Types for ABS

Session-Based Compositional Verification on Actor-based Concurrent Systems Session Types for ABS

Session-Based Compositional Verification on Actor-based Concurrent Systems Session Types for ABS Eduard Kamburjan, Crystal Chang Din, Tzu-Chun Chen 20. Oktober 2015 | TU Darmstadt | Eduard Kamburjan, Crystal Chang Din, Tzu-Chun Chen | 1

357 views • 34 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled? How are concurrent systems analyzed? What tools are available for modeling and

1.13k views • 85 slides
Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R.

Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R.

Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R. Apt, Frank S. de Boer, Ernst-R udiger Olderog. Series: Texts in Computer Science. Springer. 3rd ed. 2nd Printing. ISBN: 978-1-84882-744-8. Te

1.23k views • 112 slides
Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd Millstein Jens Palsberg Concurrent Data Structures class ConcurrentHashmap<K, V> { // data structure V get(K k) { ... } void put(K k, V v)

512 views • 36 slides
Lecture 2: Verification of Concurrent Programs Part 2: Under Approximate Analysis Ahmed

Lecture 2: Verification of Concurrent Programs Part 2: Under Approximate Analysis Ahmed

Lecture 2: Verification of Concurrent Programs Part 2: Under Approximate Analysis Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7 VTSA, MPI-Saarbr ucken, September 2012 A. Bouajjani (LIAFA, UP7) Lecture 2: Concurrent Programs

654 views • 47 slides
Lecture 1: Verification of Concurrent Programs Part 1: Decidability and Complexity Results Ahmed

Lecture 1: Verification of Concurrent Programs Part 1: Decidability and Complexity Results Ahmed

Lecture 1: Verification of Concurrent Programs Part 1: Decidability and Complexity Results Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7 VTSA, MPI-Saarbr ucken, September 2012 A. Bouajjani (LIAFA, UP7) Lecture 1: Concurrent

651 views • 61 slides
Viktor Vafeiadis Software Analysis & Verification Full functional verification

Viktor Vafeiadis Software Analysis & Verification Full functional verification

Viktor Vafeiadis Software Analysis & Verification Full functional verification Compilers , concurrent programs , theorem provers Program equivalence / Compositional reasoning Compositional compiler verification

266 views • 3 slides
Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Why formal verification? Therac-25 radiotherapy Ariane-5 launch Mars climate orbiter accidents (1985-1987) failure

1.16k views • 115 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Parametric Verification of Concurrent Programs under the TSO Weak Memory Model Ahmed Bouajjani

Parametric Verification of Concurrent Programs under the TSO Weak Memory Model Ahmed Bouajjani

Parametric Verification of Concurrent Programs under the TSO Weak Memory Model Ahmed Bouajjani Paris Diderot University Based on joint work with Parosh A. Abdulla Mohamed Faouzi Atig T. Phong Ngo Uppsala University Sebastian

897 views • 77 slides
CS510 Concurrent Systems Why the Grass May Not Be Greener

CS510 Concurrent Systems Why the Grass May Not Be Greener

CS510 Concurrent Systems Why the Grass May Not Be Greener on the Other Side: A Comparison of Locking and TransacConal Memory Why Do Concurrent

391 views • 17 slides

More recommend