Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel...
-
Upload
lorin-hodges -
Category
Documents
-
view
218 -
download
0
description
Transcript of Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel...
Theory-Aided Model Checking of Concurrent Transition Systems
Guy Katz, Clark Barrett, David Harel
New York UniversityWeizmann Institute of Science
2
Compositional VerificationA divide and conquer verification approach
No need to explore all composite states
𝑃 𝜑⊨
𝜑1⊨𝜑2⊨𝜑3⊨
3
The DifficultiesAutomation
1. Partition the system into modules2. Choose “good” module properties3. Prove module properties4. Prove global property
A very difficult problem!
4
Our ApproachTrade generality for effectiveness
◦ Do well on specific classes of programs
We present a fully automatic, compositional approach◦ Handle concurrent programs written in the RWB
model◦ Based on SMT solving
5
Transition
Systems
An SMT-Driven Process
SMTSolver
Arithmetic Arrays
Input program
SAT (unsafe)or
UNSAT (safe)
Assertion:
Transition
Systems
6
A Theory of Transition SystemsDecision procedure: state space traversal
Look for known patterns in the input◦ Generate lemmas for other theory solvers
Lemmas allow other theories to aid in the verification◦ Prune the search space◦ Can significantly reduce verification time
7
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
8
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
9
Request / Wait / Block (RWB)RWB programs have events and threads
Threads synchronize and declare1. Requested events 2. Waited-for events 3. Blocked events
Trigger an event that is requested and not blocked
Inform threads that requested / waited-for the event
10
B-s
Block
Wait
Request
Threads
The Execution Cycle
11
requested and not blocked at rightmost states◦ Precisely every 6 steps
Toy Example
𝑅=0 ,10
0 ,1
0
0 ,1
𝑅=0 ,10
Trace: Trace: Trace: Trace: Trace: Trace: Trace:
12
Why RWB?RWB idioms are common
◦ Publish / Subscribe systems◦ Supervisory control◦ Live Sequence Charts (LSCs)◦ Behavioral Programming
The strict synchronization mechanism facilitates reasoning about individual threads
Makes finding module properties easier
13
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
14
The Transition System (TS) Solver Input:
◦ Formulas describing RWB threads◦ An assertion that the program is unsafe
A deadlock state is reachable Safety reducible to deadlock freedom
Output:◦ SAT if the property is violated (+ counter-example)◦ UNSAT if the property holds
15
Basic Decision Procedure𝑞0
𝑞1𝑞3
𝑞2
¬𝑠𝑎𝑓𝑒(𝑠)
¬𝑠𝑎𝑓𝑒 (𝑠 )
¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞0)
¬𝑠𝑎𝑓𝑒 (𝑠 )
¬𝑠𝑎𝑓𝑒 (𝑠 )⊥
START
DECIDE DECIDE
DECIDE
UNSAT
𝑞0
𝑞1
𝑞2
𝑞3
¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞1)¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞2)
SATTheory-valid lemmas:
16
Pattern MatchingDuring state space traversal, TS looks for
thread patterns◦ Structural properties of threads◦ Checked on each thread separately (compositionally)
When a pattern applies, lemmas are generated◦ From the languages of other theory solvers◦ The SMT core handles the interfaces
Other solvers can then curtail the search space
17
Property: never
7 composite states
Pattern Matching: Example
𝑅=0 ,10
0 ,1
0
0 ,1
𝑅=0 ,10
𝐵=0 ,1
1
18
𝑅=0 ,10
0 ,1Looped thread:
Step index determines state
Recognizing looped threads:Every state has successor
Also looped
Looped Threads
0
0 ,1
𝑅=0 ,10
19
𝑝1 𝑝2𝑅=0 ,10
0 ,1
𝑝2 𝑞10
0 ,1
𝑞2 𝑞3𝑅=0 ,10
Where can be triggered?◦ Only where it is not blocked
Generate the lemma:
Generating Lemmas
𝑞3
This part of the lemma:
indicates that state is reachable
The SMT core asserts it to the arithmetic solver
If no such exists, return UNSAT ◦ State is unreachable
Otherwise continue from state ◦ Skip intermediate states
Generating Lemmas (cnt’d)
Matchers implemented as C++ classes
Take the input transition systems, answer yes/no◦ If pattern holds, invoked every time a new state is visited◦ Get to generate lemmas
Internally, very flexible ◦ Compute strongly connected components◦ Check when events are always blocked / never requested◦ Threads are small, so this is cheap
Restriction: don’t construct the composite state graph!
Implementing Pattern Matchers
The technique is useful only when a pattern applies
Can a few stored patterns apply to many programs?◦ Examples in next sections
Adding patterns is amortized over future applications
Portfolio approach: quickly recognize that no pattern matches
Limitations
23
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
24
Shared Arrays in RWBLocally, threads can use any construct
◦ Arrays, lists, etc
Inter-thread shared arrays – only through RWB
25
Example: A Shared Bit
Read by simultaneously requesting ◦ The “wrong” value will be blocked
Can generalize to arbitrary shared arrays
𝑠1
𝑠0
𝐵=𝑟𝑒𝑎𝑑(0)
𝑤𝑟𝑖𝑡𝑒 (0)𝑤𝑟𝑖𝑡𝑒 (1)
𝐵=𝑟𝑒𝑎𝑑(1)
26
Leveraging Shared ArraysRecognize shared arrays in the input threads
◦ Extract arity, read / write events, initial value, etc◦ Sometimes it is used unintentionally
Check if violations occur only in certain configurations◦ Sometimes certain configurations are the violation
During state traversal, generate lemmas when a shared memory cell becomes fixed◦ Write events always blocked / never requested
The array theory solver can then curtail the search
27
Example: Tic Tac ToeGoal: complete a row, column or diagonal
If no mistakes are made, game always ends in a draw
XX
O
X
X
O
X
X
O O
X
X
O O X
X
O X
O O X
X X
O X
O O X
X X
O X
O O X
28
Implementing Tic Tac ToeProgram plays , player plays
◦ Goal: never lose
Board modeled as a shared array with 3-valued elements
Rule threads, strategy threads◦ Blocking used to prevent multiple writes to each
cell
29
Verifying Tic Tac ToeProgrammer: I’ve covered all cases in which
wins by taking the upper row. Let’s test that!
A state is bad if has the upper row◦ A certain configuration of the array
Generate lemma:
30
ExampleBoard:
DECIDE: DECIDE: DECIDE: DECIDE:
◦ Array theory solver raises a conflict◦ Backtrack, without exploring successor states
¬safe state (q1 )⇒𝑏𝑜𝑎𝑟𝑑 [4 ]=𝑋
¬safe state (q4 )⇒𝑏𝑜𝑎𝑟𝑑 [1 ]=𝑂¬safe state (q3 )⇒𝑏𝑜𝑎𝑟𝑑 [0 ]=𝑋¬safe state (q2 )⇒𝑏𝑜𝑎𝑟𝑑 [8 ]=𝑂
31
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
32
Periodic ProgramsSingle processor scheduling problems
Each task has ◦ period ◦ execution time ◦ priority (static/dynamic)
Programs have nice arithmetic properties
Periodic Programs in RWBA task that needs to be scheduled requests
an event
Priorities expressed by blocking less urgent tasks
Pattern matcher checks this on individual threads
Then generates arithmetic lemmas about time instances when a violation can occur
34
ExampleTS Theory Arithmetic
Theory𝑥
𝑥=143…,
𝑥=513…,
UNSAT, property holds
35
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
36
Experimental ResultsBenchmarks: periodic programs and program
with shared arraysAverage speedup:
1 9 17 25 33 41 49 57 65 73 81 89 971051000
10000
100000
1000000
10000000
100000000CVC4BPMC
Number of Solved Instances
Tim
e (s
econ
ds)
37
1 2 3 4 5 6 7 8 9 101000
10000
100000
1000000
10000000CVC4BPMC
Number of Solved Instances
Tim
e (s
econ
ds)
Experimental Results (cnt’d)Larger example: a web-serverAverage speedup:
38
ConclusionAutomatic compositional verification of RWB
programs
Added a theory of transition systems to CVC4
Traverse state space and look for patterns◦ When a pattern is found, generate lemmas◦ Other theories can then curtail the search space
Examples:◦ Programs with shared arrays◦ Periodic programs
39
Future WorkSupport additional models beyond RWB
Add more patterns
Improve the portfolio approach
40
Questions
Thank You!