Slides

Download Report

Transcript Slides 

Theory-Aided Model Checking of
Concurrent Transition Systems
Guy Katz, Clark Barrett, David Harel
Weizmann Institute
of Science
New York University
Compositional Verification
ο‚—
A divide and conquer verification approach
𝑃1
ο‚—
𝑃𝑃2
𝑃3
⊨
πœ‘
⊨
πœ‘1
⊨
πœ‘2
⊨
πœ‘3
No need to explore all composite states
2
The Difficulties
ο‚—
Automation
1.
2.
3.
4.
ο‚—
Partition the system into modules
Choose β€œgood” module properties
Prove module properties
Prove global property
A very difficult problem!
3
Our Approach
ο‚—
Trade generality for effectiveness
β—¦ Do well on specific classes of programs
ο‚—
We present a fully automatic, compositional approach
β—¦ Handle concurrent programs written in the RWB model
β—¦ Based on SMT solving
4
An SMT-Driven Process
Input program 𝑠
SAT (unsafe)
or
UNSAT (safe)
SMT
Solver
Assertion: ¬π‘ π‘Žπ‘“𝑒(𝑠)
Arithmetic
Transition
Systems
Arrays
5
A Theory of Transition Systems
ο‚—
Decision procedure: state space traversal
ο‚—
Look for known patterns in the input
β—¦ Generate lemmas for other theory solvers
ο‚—
Lemmas allow other theories to aid in the verification
β—¦ Prune the search space
β—¦ Can significantly reduce verification time
6
Agenda
ο‚—
RWB Transition Systems
ο‚—
A Theory of Transition Systems
ο‚—
Programs with Shared Arrays
ο‚—
Periodic Programs
ο‚—
Experimental Results
7
Agenda
ο‚—
RWB Transition Systems
ο‚—
A Theory of Transition Systems
ο‚—
Programs with Shared Arrays
ο‚—
Periodic Programs
ο‚—
Experimental Results
8
Request / Wait / Block (RWB)
ο‚—
RWB programs have events and threads
ο‚—
Threads synchronize and declare
1. Requested events
2. Waited-for events
3. Blocked events
ο‚—
Trigger an event that is requested and not blocked
ο‚—
Inform threads that requested / waited-for the event
9
The Execution Cycle
Wait
B-s
Threads
Request
Block
10
Toy Example
ο‚—
ο‚—
𝐿 = (05 β‹… (0 + 1))πœ”
1 requested and not blocked at rightmost states
β—¦ Precisely every 6 steps
0, 1
𝑅=0
𝐡=1
0
Trace: 00000(0
00
0
000
0000
00000
+ 1)
𝑅 = 0, 1
0, 1
𝑅=0
𝐡=1
0
𝑅=0
𝐡=1
0
𝑅 = 0, 1
11
Why RWB?
ο‚—
RWB idioms are common
β—¦
β—¦
β—¦
β—¦
Publish / Subscribe systems
Supervisory control
Live Sequence Charts (LSCs)
Behavioral Programming
ο‚—
The strict synchronization mechanism facilitates
reasoning about individual threads
ο‚—
Makes finding module properties easier
12
Agenda
ο‚—
RWB Transition Systems
ο‚—
A Theory of Transition Systems
ο‚—
Programs with Shared Arrays
ο‚—
Periodic Programs
ο‚—
Experimental Results
13
The Transition System (TS) Solver
ο‚—
Input:
β—¦ Formulas describing RWB threads
β—¦ An assertion that the program is unsafe
ο‚– A deadlock state is reachable
ο‚– Safety reducible to deadlock freedom
ο‚—
Output:
β—¦ SAT if the property is violated (+ counter-example)
β—¦ UNSAT if the property holds
14
Basic Decision Procedure
¬π‘ π‘Žπ‘“𝑒(𝑠)
π‘ž0
START
π‘ž3
¬π‘ π‘Žπ‘“𝑒 𝑠
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’(π‘ž0 )
π‘ž1
DECIDE
¬π‘ π‘Žπ‘“𝑒 𝑠
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’(π‘ž0 )
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’ π‘ž1
DECIDE
π‘ž2
¬π‘ π‘Žπ‘“𝑒 𝑠
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’(π‘ž3 )
Theory-valid lemmas:
¬π‘‘π‘’π‘Žπ‘‘π‘™π‘œπ‘π‘˜(π‘ž0 )
SAT
DECIDE
UNSAT
¬π‘ π‘Žπ‘“𝑒 𝑠
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’(π‘ž0 )
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’ π‘ž1
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’(π‘ž2 )
¬π‘‘π‘’π‘Žπ‘‘π‘™π‘œπ‘π‘˜(π‘ž1 )
¬π‘‘π‘’π‘Žπ‘‘π‘™π‘œπ‘π‘˜(π‘ž2 )
βŠ₯
15
Pattern Matching
ο‚—
During state space traversal, TS looks for thread patterns
β—¦ Structural properties of threads
β—¦ Checked on each thread separately (compositionally)
ο‚—
When a pattern applies, lemmas are generated
β—¦ From the languages of other theory solvers
β—¦ The SMT core handles the interfaces
ο‚—
Other solvers can then curtail the search space
16
Pattern Matching: Example
ο‚—
𝐿 = (05 β‹… (0 + 1))πœ”
ο‚—
Property: never 1
ο‚—
7 composite states
0, 1
𝑅=0
𝐡=1
0
𝑅 = 0, 1
0, 1
𝑅=0
𝐡=1
0
𝑅=0
𝐡=1
0
𝑅 = 0, 1
1
𝐡 = 0, 1
17
Looped Threads
ο‚—
Looped thread:
Step index determines state
ο‚—
Recognizing looped threads:
Every state has 1 successor
ο‚—
Also looped
0, 1
𝑅=0
𝐡=1
0
𝑅 = 0, 1
0, 1
𝑅=0
𝐡=1
0
𝑅=0
𝐡=1
0
𝑅 = 0, 1
18
Generating Lemmas
ο‚—
Where can 1 be triggered?
β—¦ Only where it is not blocked
ο‚—
Generate the lemma:
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’ βŒ©π‘1 , π‘ž1 βŒͺ ⟺
¬π‘ π‘Žπ‘“𝑒_π‘ π‘‘π‘Žπ‘‘π‘’ βŒ©π‘2 , π‘ž3 βŒͺ ∧
βˆƒπ‘‘ ∈ β„•. 𝑑 ≑ 1 π‘šπ‘œπ‘‘ 2 ∧ 𝑑 ≑ 2(π‘šπ‘œπ‘‘ 3)
0, 1
0, 1
𝑝1
𝑅=0
𝐡=1
0
𝑝𝑝22
π‘ž1
𝑅 = 0, 1
𝑅=0
𝐡=1
0
π‘ž2
𝑅=0
𝐡=1
0
π‘ž3
𝑅 = 0, 1
19
Generating Lemmas (cnt’d)
ο‚—
This part of the lemma:
βˆƒπ‘‘ ∈ β„•. 𝑑 ≑ 1 π‘šπ‘œπ‘‘ 2 ∧ 𝑑 ≑ 2 π‘šπ‘œπ‘‘ 3
indicates that state βŒ©π‘2 , π‘ž3 βŒͺ is reachable
ο‚—
The SMT core asserts it to the arithmetic solver
ο‚—
If no such 𝑑 exists, return UNSAT
β—¦ State βŒ©π‘2 , π‘ž3 βŒͺ is unreachable
ο‚—
Otherwise continue from state βŒ©π‘2 , π‘ž3 βŒͺ
β—¦ Skip intermediate states
Implementing Pattern Matchers
ο‚—
Matchers implemented as C++ classes
ο‚—
Take the input transition systems, answer yes/no
β—¦ If pattern holds, invoked every time a new state is visited
β—¦ Get to generate lemmas
ο‚—
Internally, very flexible
β—¦ Compute strongly connected components
β—¦ Check when events are always blocked / never requested
β—¦ Threads are small, so this is cheap
ο‚—
Restriction: don’t construct the composite state graph!
Limitations
ο‚—
The technique is useful only when a pattern applies
ο‚—
Can a few stored patterns apply to many programs?
β—¦ Examples in next sections
ο‚—
Adding patterns is amortized over future applications
ο‚—
Portfolio approach: quickly recognize that no pattern
matches
Agenda
ο‚—
RWB Transition Systems
ο‚—
A Theory of Transition Systems
ο‚—
Programs with Shared Arrays
ο‚—
Periodic Programs
ο‚—
Experimental Results
23
Shared Arrays in RWB
ο‚—
Locally, threads can use any construct
β—¦ Arrays, lists, etc
ο‚—
Inter-thread shared arrays – only through RWB
24
Example: A Shared Bit
𝐡 = π‘Ÿπ‘’π‘Žπ‘‘(1)
𝑠0
π‘€π‘Ÿπ‘–π‘‘π‘’(1)
π‘€π‘Ÿπ‘–π‘‘π‘’(0)
𝑠1
𝐡 = π‘Ÿπ‘’π‘Žπ‘‘(0)
ο‚—
Read by simultaneously requesting π‘Ÿπ‘’π‘Žπ‘‘ 0 , π‘Ÿπ‘’π‘Žπ‘‘(1)
β—¦ The β€œwrong” value will be blocked
ο‚—
Can generalize to arbitrary shared arrays
25
Leveraging Shared Arrays
ο‚—
Recognize shared arrays in the input threads
β—¦ Extract arity, read / write events, initial value, etc
β—¦ Sometimes it is used unintentionally
ο‚—
Check if violations occur only in certain configurations
β—¦ Sometimes certain configurations are the violation
ο‚—
During state traversal, generate lemmas when a shared
memory cell becomes fixed
β—¦ Write events always blocked / never requested
ο‚—
The array theory solver can then curtail the search
26
Example: Tic Tac Toe
ο‚—
Goal: complete a row, column or diagonal
X
ο‚—
X
X
O
X
O
O
If no mistakes are made, game always ends in a draw
27
Implementing Tic Tac Toe
ο‚—
Program plays 𝑂, player plays 𝑋
β—¦ Goal: never lose
ο‚—
Board modeled as a shared array with 3-valued
elements
ο‚—
Rule threads, strategy threads
β—¦ Blocking used to prevent multiple writes to each cell
28
Verifying Tic Tac Toe
ο‚—
Programmer: I’ve covered all cases in which 𝑋 wins by taking
the upper row. Let’s test that!
ο‚—
A state is bad if 𝑋 has the upper row
β—¦ A certain configuration of the array
ο‚—
Generate lemma:
¬π‘ π‘Žπ‘“𝑒 𝑠 β‡’ π‘π‘œπ‘Žπ‘Ÿπ‘‘ 0 = π‘π‘œπ‘Žπ‘Ÿπ‘‘ 1 = π‘π‘œπ‘Žπ‘Ÿπ‘‘ 2 = 𝑋
29
Example
ο‚—
Board:
𝑋
ο‚—
ο‚—
ο‚—
ο‚—
𝑋
𝑂
DECIDE: 𝑋 1,1
DECIDE: 𝑂 2,2
DECIDE: 𝑋(0,0)
DECIDE: 𝑂 0,1
𝑋
𝑋
𝑂
¬safe_state q1 β‡’ π‘π‘œπ‘Žπ‘Ÿπ‘‘ 4 = 𝑋
¬safe_state q2 β‡’ π‘π‘œπ‘Žπ‘Ÿπ‘‘ 8 = 𝑂
¬safe_state q3 β‡’ π‘π‘œπ‘Žπ‘Ÿπ‘‘ 0 = 𝑋
¬safe_state q4 β‡’ π‘π‘œπ‘Žπ‘Ÿπ‘‘ 1 = 𝑂
β—¦ Array theory solver raises a conflict
β—¦ Backtrack, without exploring successor states
30
Agenda
ο‚—
RWB Transition Systems
ο‚—
A Theory of Transition Systems
ο‚—
Programs with Shared Arrays
ο‚—
Periodic Programs
ο‚—
Experimental Results
31
Periodic Programs
ο‚—
Single processor scheduling problems
ο‚—
Each task has
β—¦ period 𝑃
β—¦ execution time 𝐢
β—¦ priority (static/dynamic)
ο‚—
Programs have nice arithmetic properties
32
Periodic Programs in RWB
ο‚—
A task that needs to be scheduled requests an event
ο‚—
Priorities expressed by blocking less urgent tasks
ο‚—
Pattern matcher checks this on individual threads
ο‚—
Then generates arithmetic lemmas about time instances
when a violation can occur
Example
TS Theory
π‘₯ π‘šπ‘œπ‘‘ 5 β‰₯ 3
π‘₯ π‘šπ‘œπ‘‘ 6 β‰₯ 3
π‘₯ π‘šπ‘œπ‘‘ 11 == 0
Arithmetic Theory
π‘₯
π‘₯ = 143
…, π‘₯ β‰  143
π‘₯ = 513
…, π‘₯ β‰  513
UNSAT, property holds
34
Agenda
ο‚—
RWB Transition Systems
ο‚—
A Theory of Transition Systems
ο‚—
Programs with Shared Arrays
ο‚—
Periodic Programs
ο‚—
Experimental Results
35
Experimental Results
ο‚—
Benchmarks: periodic programs and program with
shared arrays
Average speedup: 63%
100000
CVC4
BPMC
10000
Time (seconds)
ο‚—
1000
100
10
1
1
11
21
31
41
51
61
71
81
91 101 111
Number of Solved Instances
36
Experimental Results (cnt’d)
ο‚—
Larger example: a web-server
Average speedup: 16%
10000
CVC4
Time (seconds)
ο‚—
1000
BPMC
100
10
1
1
2
3
4
5
6
7
8
9
10
Number of Solved Instances
37
Conclusion
ο‚—
Automatic compositional verification of RWB programs
ο‚—
Added a theory of transition systems to CVC4
ο‚—
Traverse state space and look for patterns
β—¦ When a pattern is found, generate lemmas
β—¦ Other theories can then curtail the search space
ο‚—
Examples:
β—¦ Programs with shared arrays
β—¦ Periodic programs
38
Future Work
ο‚—
Support additional models beyond RWB
ο‚—
Add more patterns
ο‚—
Improve the portfolio approach
39
Thank You!
Questions
40