Enforcing Concurrent Temporal Behaviors
Doron Peled
Dept. of CS, University of Warwick
Verification of systems
Code or design -> modeling (translating) -> some representation -> verifying -> checking against the original code.
Failed: a counterexample is produced, giving some feedback information.
Passed: inform the developers!
Problems:
The counterexample is given as a sequence of states/events: the concurrency information is lost.
It is long and complicated. So where is the error among the 2,375 states in the sequence?
If the system is concurrent/nondeterministic, the sequence may not actually happen when running the code under the same initial state and input.
[Figure: flowcharts of the two processes P1 and P2 of the mutual-exclusion program, repeated on successive slides to animate the execution. The branch arrows are not recoverable from the transcript; the labelled statements of P1 are: 0: START P1; 1: c1:=1; 2: c1:=0; 3: c1:=1; 4: no-op; 5: turn=2?; 6: c1:=0; 7: turn=2?; 8: c2=0?; 9: critical-1; 10: c1:=1; 11: turn:=2; 12: true; 13: end. P2 is symmetric, with c2 in place of c1, c1 in place of c2, and turn=1 / turn:=1 in place of turn=2 / turn:=2. Initially: turn=1. The second animated run starts from the same initial state (turn=1).]
Goals
Guaranteeing the same execution.
Minimal changes to the software.
Preserving concurrency independence.
Preserving the checked property.
Applying the transformation to finite sequences as well as ultimately periodic ones.
First execution again: (P1(0):start) (P2(0):start) [P1(1):c1:=1] [P2(1):c2:=1] <P2(12):true> yes <P1(12):true> yes [P2(2):c2:=0] <P2(8):c1=0?> no <P2(9):critical-2>
How to obtain the order?
Define the dependency relation D ⊆ A×A: a and b are dependent if they are in the same process, or if a and b use or define (update) the same variable.
Impose the following restriction on the occurrences in the given sequence: whenever a_k occurs before b_l in the sequence and a and b are interdependent, a_k must again occur before b_l when the code is re-executed.
Causal constraints on the first execution: (P1(0):start) (P2(0):start) [P1(1):c1:=1] [P2(1):c2:=1] <P2(12):true> yes <P1(12):true> yes [P2(2):c2:=0] <P2(8):c1=0?> no <P2(9):critical-2>
Same process P1 (same program counter): P1(0) before P1(1) before P1(12).
More causal constraints, same process P2 (same program counter): P2(0) before P2(1) before P2(12) before P2(2) before P2(8) before P2(9).
Even more constraints, from the mutual use of variable c1 in both processes: P1(1):c1:=1 before P2(8):c1=0?.
Need to add to the program: for each pair of processes p_i and p_j with some occurrences a_k --> b_l there is a variable V_ij.
After a_k we perform Free_ij: V_ij := V_ij + 1
Before b_l we perform Wait_ij: wait until V_ij > 0, then V_ij := V_ij - 1
Count all actions that need to be synchronized. Make the synchronization on the correct count.
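The transformation above, worked through as an added example (this is illustration code written for this transcript, not code from the slides or from the author): it computes the dependency relation over a hand-transcribed copy of the first execution, derives the cross-process causal constraints a_k --> b_l, inserts Free_ij/Wait_ij operations on a counter V_ij per process pair, and then drives the instrumented processes with a toy scheduler that stands in for an arbitrary runtime. The Event type, the trace transcription, the second CROSSED trace and the scheduler are all constructed assumptions. Wait_ij is implemented as "wait until V_ij has reached the count of Free_ij operations up to a_k", which is how the "correct count" remark is read here; a plain decrementing counter would let two crossing constraints between the same pair of processes consume each other's Free.

```python
# Added example (not from the slides): enforce a recorded interleaving by
# inserting Free/Wait operations on a counter V_ij between each pair of
# interdependent events a_k (in P_i) and b_l (in P_j). Events, the trace
# transcription and the toy scheduler are constructed here for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    proc: str          # process name, e.g. "P1"
    label: int         # program-counter label from the flowchart
    text: str          # statement or test, e.g. "c1:=1"
    uses: frozenset    # variables read
    defs: frozenset    # variables written (defined)


def ev(proc, label, text, uses=(), defs=()):
    return Event(proc, label, text, frozenset(uses), frozenset(defs))


# The first execution from the slide, transcribed by hand (constructed input).
TRACE = [
    ev("P1", 0, "start"), ev("P2", 0, "start"),
    ev("P1", 1, "c1:=1", defs={"c1"}), ev("P2", 1, "c2:=1", defs={"c2"}),
    ev("P2", 12, "true"), ev("P1", 12, "true"), ev("P2", 2, "c2:=0", defs={"c2"}),
    ev("P2", 8, "c1=0?", uses={"c1"}), ev("P2", 9, "critical-2"),
]
# Constructed trace with two crossing constraints between the same processes.
CROSSED = [ev("P1", 1, "x:=1", defs={"x"}), ev("P1", 2, "y:=1", defs={"y"}),
           ev("P2", 1, "y=0?", uses={"y"}), ev("P2", 2, "x=0?", uses={"x"})]


def dependent(a, b):
    """Dependency D: same process, or both use/define the same variable."""
    return a.proc == b.proc or bool((a.uses | a.defs) & (b.uses | b.defs))


def cross_process_constraints(trace):
    """Positions (k, l), k < l, of interdependent a_k, b_l in different processes."""
    return [(k, l) for l, b in enumerate(trace) for k, a in enumerate(trace[:l])
            if a.proc != b.proc and dependent(a, b)]


def instrument(trace, enforce=True):
    """Per-process programs: Free_ij after a_k, Wait_ij before b_l (if enforce).
    Free_ij increments V_ij; Wait_ij waits until V_ij reaches the number of
    Free_ij operations up to a_k in P_i (the slide's 'correct count'), so two
    constraints between the same processes cannot consume each other's Free."""
    constraints = cross_process_constraints(trace) if enforce else []
    frees, waits_for = defaultdict(set), defaultdict(list)
    for k, l in constraints:
        frees[k].add(f"V_{trace[k].proc}_{trace[l].proc}")
        waits_for[l].append(k)
    programs, emitted, count_after = defaultdict(list), defaultdict(int), {}
    for i, e in enumerate(trace):
        prog = programs[e.proc]
        for k in waits_for[i]:
            v = f"V_{trace[k].proc}_{e.proc}"
            prog.append(("wait", (v, count_after[(k, v)])))
        prog.append(("event", e))
        for v in sorted(frees[i]):
            emitted[v] += 1
            count_after[(i, v)] = emitted[v]
            prog.append(("free", v))
    return dict(programs)


def run(programs, preference):
    """Toy scheduler standing in for an arbitrary runtime: always advance the
    first process in `preference` that is not blocked on a Wait."""
    counters, pcs, executed = defaultdict(int), {p: 0 for p in programs}, []
    while any(pcs[p] < len(programs[p]) for p in programs):
        for p in preference:
            if pcs[p] == len(programs[p]):
                continue
            kind, payload = programs[p][pcs[p]]
            if kind == "wait" and counters[payload[0]] < payload[1]:
                continue                      # blocked: try the next process
            if kind == "free":
                counters[payload] += 1
            elif kind == "event":
                executed.append(payload)
            pcs[p] += 1
            break
        else:
            raise RuntimeError("deadlock: every process is blocked on a Wait")
    return executed


def respects(executed, trace):
    """True iff every interdependent pair occurs in the order recorded in trace."""
    pos = {id(e): i for i, e in enumerate(executed)}   # identity: labels may repeat
    return all(pos[id(a)] < pos[id(b)] for l, b in enumerate(trace)
               for a in trace[:l] if dependent(a, b))
```

With a scheduler that favours P2, `run(instrument(TRACE, enforce=False), ["P2", "P1"])` executes c1=0? before c1:=1 and `respects` reports False; with the Free/Wait pair inserted, P2 blocks before c1=0? until P1 has performed c1:=1, and the dependent events come out in the recorded order whatever the scheduler prefers. Events of different processes that share no variable (both `start` and both `true`) carry no constraint and remain free to commute, which is the concurrency independence the goals ask to preserve.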
In what sense did we preserve the concurrency?
One way of looking at a concurrent execution is to observe all of its linearizations into total orders.
The given sequence is a linearization of some partial order execution E.
But when we transform the program, we add some actions.
Informally: we obtain E'. When removing the additional actions, we obtain E.
When removing the additional actions from lin(E') we obtain lin(E).
Some notation:
Cl_D(·): the sequences obtained from a given sequence after commuting independent actions.
Hide_B(S): the sequences obtained from the ones in S by omitting the events in B.
Exec(P): the executions of program P.
We add actions A' such that D' ∩ (A×A) = D (the dependency between old actions is unaffected).
If we transform the program into a program P', we obtain that Hide_{A' \ A}(Exec(P')) is exactly Cl_D(·) of the given sequence: the executions of P' with the added actions hidden are precisely the sequences equivalent to the given one.
Preserving a temporal property
Suppose we selected a sequence since it satisfied (or failed) a property L (a language).
Problem: when Cl_D(·) of the selected sequence contains both sequences in L and sequences not in L, an equivalent execution may give the opposite verdict.
How to solve this?
A solution: search a graph where each node is one of the equivalent executions, with the original sequence as the original node. An edge exists between two nodes if one is obtained from the other by one shuffle of actions. Whenever the shuffle does not preserve the property, insert another Wait/Free pair. Rename such a pair of events and make them interdependent (so other occurrences are unaffected).
Cost: expensive (can be exponential in the number of processes).
NP-complete: one may guess the interleaving of the path and the place of the bad commutation, then check it. Hardness from Hamiltonian Path.
Simpler approximation
Assume the property is closed under stuttering.
Check which actions can affect the propositions that appear in the property.
Make these actions interdependent.
Complexity: low, quadratic in the number of transitions.
Ultimately periodic sequences
Test sequences for an unbounded length of time.
Finite prefix v, finite recurring sequence w.
We can take care of the two parts v and w separately. One possibility: make an artificial synchronization between the end of v and the beginning of w. Another possibility: create a graph <P, E>, where P are the processes, and p_i --> p_j ∈ E if there are some events a_k --> b_l belonging to p_i and p_j, respectively.
[Figure: the prefix v followed by the recurring part w.]
There are three cases:
1. There is a single strongly connected component. In this case, in some linearizations, the (i+1)st iteration may start in some processes while the i-th iteration still executes in others.
2. The graph includes all the processes, in different components. Then there can be arbitrary overtaking between the iterations.
3. The graph does not include all the processes. In this case, it might be that the sequence was "unfair", and some additional actions and interactions occur. Then synchronization is advised.
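The process graph and its three cases, as an added example (illustration code written for this transcript, not code from the slides or from the author). It builds <P, E> from a constructed recurring part w, where each event is given as (process, set of variables touched) and p_i --> p_j is added to E when some event of p_i precedes an interdependent event of p_j within w, then classifies the graph by its strongly connected components. The recurring parts W_CYCLE and W_ONE_WAY and the plain reachability-based SCC routine are assumptions made here.

```python
# Added example (not from the slides): build the process graph <P, E> of the
# recurring part w of an ultimately periodic sequence and classify it into the
# three cases above. Events of w are constructed as (process, variables touched).


def process_graph(w):
    """Return (processes appearing in the graph, arcs). p_i -> p_j is an arc when
    some event of p_i precedes an event of p_j in w that shares a variable."""
    arcs = set()
    for l, (pj, vj) in enumerate(w):
        for pi, vi in w[:l]:
            if pi != pj and vi & vj:
                arcs.add((pi, pj))
    return {p for arc in arcs for p in arc}, arcs


def reachable(start, arcs):
    """Processes reachable from start by following arcs (start itself only via a cycle)."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        for a, b in arcs:
            if a == n and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def strongly_connected_components(nodes, arcs):
    """Partition nodes into classes of mutual reachability (sorted by smallest member)."""
    comps, assigned = [], set()
    for n in sorted(nodes):
        if n in assigned:
            continue
        comp = {n} | {m for m in reachable(n, arcs) if n in reachable(m, arcs)}
        comps.append(frozenset(comp))
        assigned |= comp
    return comps


def classify(processes, w):
    """1: a single SCC over all processes (iteration i+1 may start in some
    processes while iteration i still runs in others); 2: every process in the
    graph but in several components (arbitrary overtaking between iterations);
    3: some process absent from the graph (possibly an unfair sequence, so
    synchronization between iterations is advised)."""
    present, arcs = process_graph(w)
    if present != set(processes):
        return 3
    return 1 if len(strongly_connected_components(present, arcs)) == 1 else 2


# Constructed recurring parts for the two-process program above.
W_CYCLE = [("P1", {"c1"}), ("P2", {"c1"}), ("P2", {"turn"}), ("P1", {"turn"})]
W_ONE_WAY = [("P1", {"c1"}), ("P2", {"c1"})]
```

`classify(["P1", "P2"], W_CYCLE)` returns 1 because c1 and turn create arcs in both directions; `classify(["P1", "P2"], W_ONE_WAY)` returns 2 because only P1 --> P2 exists; and asking about a third process P3 that never touches a shared variable in w, `classify(["P1", "P2", "P3"], W_CYCLE)`, returns 3, the case where the slide advises adding synchronization. Choosing the variables each event touches is the same dependency judgement as in the Free/Wait construction, so the two tools operate on the same view of the trace.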
Conclusions
Given a counterexample, we may need to execute it on the checked code.
We need to transform the code to enforce the execution when nondeterminism is present.
More synchronization is needed for preserving temporal properties.
There are several cases for preserving ultimately periodic executions.