Slide 1: Theory-Aided Model Checking of Concurrent Transition Systems
Guy Katz, Clark Barrett, David Harel
New York University
Weizmann Institute of Science
Slide 2: Compositional Verification
- A divide and conquer verification approach
- No need to explore all composite states
Slide 3: The Difficulties
- Automation:
  - Partition the system into modules
  - Choose "good" module properties
  - Prove module properties
  - Prove global property
- A very difficult problem!
Slide 4: Our Approach
- Trade generality for effectiveness: do well on specific classes of programs
- We present a fully automatic, compositional approach
- Handle concurrent programs written in the RWB model
- Based on SMT solving
Slide 5: Transition Systems: An SMT-Driven Process
[Figure: the input program and an assertion are fed to an SMT solver that combines the Arithmetic, Arrays and Transition Systems theory solvers; the answer is SAT (unsafe) or UNSAT (safe)]
Slide 6: A Theory of Transition Systems
- Decision procedure: state space traversal
- Look for known patterns in the input
- Generate lemmas for other theory solvers
  - Lemmas allow other theories to aid in the verification
  - Prune the search space
- Can significantly reduce verification time
Slide 7: Agenda
- RWB Transition Systems
- A Theory of Transition Systems
- Programs with Shared Arrays
- Periodic Programs
- Experimental Results
Slide 9: Request / Wait / Block (RWB)
- RWB programs have events and threads
- Threads synchronize and declare:
  - Requested events
  - Waited-for events
  - Blocked events
- Trigger an event that is requested and not blocked
- Inform threads that requested / waited-for the event
Slide 10: The Execution Cycle
[Figure: the execution cycle: the threads declare their Request / Wait / Block sets at each synchronization point]
Slide 11: Toy Example
[Figure: an animated trace of a toy example; the event is requested and not blocked at the rightmost states, and is triggered precisely every 6 steps]
Slide 12: Why RWB?
- RWB idioms are common:
  - Publish / Subscribe systems
  - Supervisory control
  - Live Sequence Charts (LSCs)
  - Behavioral Programming
- The strict synchronization mechanism facilitates reasoning about individual threads
  - Makes finding module properties easier
Slide 14: The Transition System (TS) Solver
- Input:
  - Formulas describing RWB threads
  - An assertion that the program is unsafe: a deadlock state is reachable
  - Safety reducible to deadlock freedom
- Output:
  - SAT if the property is violated (+ counter-example)
  - UNSAT if the property holds
Slide 15: Basic Decision Procedure
[Figure: the procedure starts, performs a sequence of Decide steps, and ends in UNSAT or SAT; theory-valid lemmas are emitted along the way]
Slide 16: Pattern Matching
- During state space traversal, TS looks for thread patterns
  - Structural properties of threads
  - Checked on each thread separately (compositionally)
- When a pattern applies, lemmas are generated
  - From the languages of other theory solvers
  - The SMT core handles the interfaces
- Other solvers can then curtail the search space
Slide 17: Pattern Matching: Example
- Property: never
- 7 composite states
[Figure: the example program and its 7 composite states]
Slide 18: Looped Threads
- Looped thread: step index determines state
- Recognizing looped threads: every state has successor
[Figure: a looped thread, with a second thread marked "also looped"]
Slide 19: Generating Lemmas
- Where can be triggered? Only where it is not blocked
- Generate the lemma:
Slide 20: Generating Lemmas (cont'd)
- This part of the lemma: indicates that state is reachable
- The SMT core asserts it to the arithmetic solver
- If no such exists, return UNSAT: state is unreachable
- Otherwise continue from state
  - Skip intermediate states
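The looped-thread pattern and the step-index lemma of the last three slides, as an added example (my own code, not the paper's CVC4 implementation). It assumes that a looped thread is one whose states form a single cycle with one successor each, that every thread in the input is looped, and that the lemma takes the form "event e can fire at global step i only if i mod L lies in a residue set"; the names cycle_order, trigger_lemma, next_trigger_step and the sample threads A and B are constructed here.

```python
# Added illustration of the looped-thread pattern (my code, not the paper's
# C++ matchers). Assumption: a thread is looped when every state has exactly
# one successor and the successors form one cycle, so at global step i it is
# in state i mod n; the lemma for the arithmetic solver is then a residue set.
from math import lcm

def cycle_order(succ):
    """succ: state -> list of successors. Returns the states in cycle order
    from the first state, or None if the thread is not looped."""
    if any(len(v) != 1 for v in succ.values()):
        return None
    order, s = [], next(iter(succ))
    while s not in order:
        order.append(s)
        s = succ[s][0]
    return order if s == order[0] and len(order) == len(succ) else None

def trigger_lemma(threads, event):
    """threads: list of (succ, requested_at, blocked_at), all looped.
    Returns (L, residues): event may be triggered at global step i only if
    i % L is in residues (some thread requests it, no thread blocks it)."""
    orders = [cycle_order(succ) for succ, _, _ in threads]
    assert all(o is not None for o in orders), "pattern does not apply"
    L = lcm(*(len(o) for o in orders))
    residues = []
    for i in range(L):
        states = [o[i % len(o)] for o in orders]
        req = any(event in t[1].get(s, ()) for t, s in zip(threads, states))
        blk = any(event in t[2].get(s, ()) for t, s in zip(threads, states))
        if req and not blk:
            residues.append(i)
    return L, residues

def next_trigger_step(threads, event, start=0):
    """First step i >= start allowed by the lemma, so the search can jump
    there and skip intermediate states; None means UNSAT (unreachable)."""
    L, residues = trigger_lemma(threads, event)
    if not residues:
        return None
    return min(i for i in range(start, start + L) if i % L in residues)

# Constructed sample: A cycles through 3 states, requesting "e" in a1 and "f"
# in a2; B cycles through 4 states, blocking "e" in b0, b1 and "f" everywhere.
A = ({"a0": ["a1"], "a1": ["a2"], "a2": ["a0"]},
     {"a1": {"e"}, "a2": {"f"}}, {})
B = ({"b0": ["b1"], "b1": ["b2"], "b2": ["b3"], "b3": ["b0"]},
     {}, {"b0": {"e", "f"}, "b1": {"e", "f"}, "b2": {"f"}, "b3": {"f"}})
```

With A and B the solver can skip straight from step 0 to step 7 for "e", while "f" yields an empty residue set and hence UNSAT.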
Slide 21: Implementing Pattern Matchers
- Matchers implemented as C++ classes
  - Take the input transition systems, answer yes/no
  - If the pattern holds, invoked every time a new state is visited
  - Get to generate lemmas
- Internally, very flexible
  - Compute strongly connected components
  - Check when events are always blocked / never requested
  - Threads are small, so this is cheap
- Restriction: don't construct the composite state graph!
Slide 22: Limitations
- The technique is useful only when a pattern applies
- Can a few stored patterns apply to many programs?
  - Examples in the next sections
- Adding patterns is amortized over future applications
- Portfolio approach: quickly recognize that no pattern matches
Slide 24: Shared Arrays in RWB
- Locally, threads can use any construct: arrays, lists, etc.
- Inter-thread shared arrays: only through RWB
Slide 25: Example: A Shared Bit
- Read by simultaneously requesting
- The "wrong" value will be blocked
- Can generalize to arbitrary shared arrays
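The Request / Wait / Block execution cycle of slide 9 together with the shared-bit idiom of this slide, as an added example (my own code, not the authors' tool). The generator-based encoding of threads, the event names read0 / read1 / write0 / write1, and the helpers run_rwb, shared_bit, reader and writer are assumptions made here; a deterministic event choice is used so the trace is reproducible.

```python
# Added illustration, not the paper's CVC4 code: a tiny Request/Wait/Block
# executor and the shared-bit idiom. Each thread is a generator that yields
# (requested, waited_for, blocked) per sync point and is sent the fired event.

def run_rwb(threads, max_steps=20):
    decls = [next(t, None) for t in threads]   # None = thread has finished
    trace = []
    for _ in range(max_steps):
        live = [d for d in decls if d is not None]
        requested = set().union(*(d[0] for d in live))
        blocked = set().union(*(d[2] for d in live))
        enabled = sorted(requested - blocked)  # requested and not blocked
        if not enabled:   # requests exist but all are blocked: deadlock
            return trace, "deadlock" if requested else "idle"
        event = enabled[0]                     # deterministic choice
        trace.append(event)
        for i, (t, d) in enumerate(zip(threads, decls)):
            if d is not None and (event in d[0] or event in d[1]):
                try:                           # inform requester / waiter
                    decls[i] = t.send(event)
                except StopIteration:
                    decls[i] = None
    return trace, "limit"

def shared_bit(value=0):
    """One bit held purely via RWB: waits for writes, blocks the wrong read."""
    while True:
        ev = yield (set(), {"write0", "write1"}, {f"read{1 - value}"})
        value = int(ev[-1])                    # "write0" / "write1"

def reader(out):
    """Reads by requesting both read events; whichever fires is the value."""
    ev = yield ({"read0", "read1"}, set(), set())
    out.append(int(ev[-1]))
    yield (set(), {"write1"}, set())           # wait until the writer ran
    ev = yield ({"read0", "read1"}, set(), set())
    out.append(int(ev[-1]))

def writer():
    yield ({"write1"}, set(), set())
def stubborn():
    yield ({"read1"}, set(), set())            # insists on reading a 1

def scenario_read_write_read():
    out = []
    trace, status = run_rwb([shared_bit(0), reader(out), writer()])
    return out, trace, status
def scenario_stuck():   # bit is 0, so read1 stays blocked: a deadlock state
    return run_rwb([shared_bit(0), stubborn()])
```

The second scenario is the kind of reachable deadlock state the TS solver of slide 14 reports as SAT, with the trace as the counter-example.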
Slide 26: Leveraging Shared Arrays
- Recognize shared arrays in the input threads
  - Extract arity, read / write events, initial value, etc.
  - Sometimes it is used unintentionally
- Check if violations occur only in certain configurations
  - Sometimes certain configurations are the violation
- During state traversal, generate lemmas when a shared memory cell becomes fixed
  - Write events always blocked / never requested
- The array theory solver can then curtail the search
Slide 27: Example: Tic Tac Toe
- Goal: complete a row, column or diagonal
- If no mistakes are made, the game always ends in a draw
[Figure: a sequence of tic-tac-toe boards showing the X and O moves]
Slide 28: Implementing Tic Tac Toe
- Program plays , player plays
- Goal: never lose
- Board modeled as a shared array with 3-valued elements
- Rule threads, strategy threads
- Blocking used to prevent multiple writes to each cell
Slide 29: Verifying Tic Tac Toe
- Programmer: "I've covered all cases in which wins by taking the upper row." Let's test that!
- A state is bad if has the upper row: a certain configuration of the array
- Generate lemma:
Slide 30: Example
- Board:
- Decide:
- Decide:
- Decide:
- Array theory solver raises a conflict
- Backtrack, without exploring successor states
Slide 32: Periodic Programs
- Single processor scheduling problems
- Each task has: period, execution time, priority (static/dynamic)
- Programs have nice arithmetic properties
Slide 33: Periodic Programs in RWB
- A task that needs to be scheduled requests an event
- Priorities expressed by blocking less urgent tasks
- Pattern matcher checks this on individual threads
- Then generates arithmetic lemmas about time instances when a violation can occur
Slide 34: Example
[Figure: two columns, TS Theory and Arithmetic Theory, exchanging a sequence of lemmas; final result: UNSAT, property holds]
Slide 36: Experimental Results
- Benchmarks: periodic programs and programs with shared arrays
- Average speedup:
Slide 37: Experimental Results (cont'd)
- Larger example: a web server
- Average speedup:
Slide 38: Conclusion
- Automatic compositional verification of RWB programs
- Added a theory of transition systems to CVC4
  - Traverse the state space and look for patterns
  - When a pattern is found, generate lemmas
  - Other theories can then curtail the search space
- Examples:
  - Programs with shared arrays
  - Periodic programs
Slide 39: Future Work
- Support additional models beyond RWB
- Add more patterns
- Improve the portfolio approach
Slide 40: Questions
Thank You!