CS 267: Automated Verification Lecture 17: Infinite State Model Checking,
advertisement
CS 267: Automated Verification
Lecture 17: Infinite State Model Checking,
Arithmetic Constraints, Action Language Verifier
Instructor: Tevfik Bultan
Model Checking View
• Every reactive system is represented as a transition
system:
– S : The set of states
– I S : The set of initial states
– R S S : The transition relation
Model Checking View
• Properties of reactive systems are expressed in temporal
logics
• Invariant(p) : is true in a state if property p is true in every
state reachable from that state
– Also known as AG
• Eventually(p) : is true in a state if property p is true at some
state on every execution path from that state
– Also known as AF
Model Checking
Given a program and a temporal property p:
• Either show that all the initial states satisfy the temporal
property p
– set of initial states truth set of p
• Or find an initial state which does not satisfy the property p
– a state set of initial states truth set of p
Temporal Properties Fixpoints
backwardImage
of p
Backward
fixpoint
Initial
states
initial states that
violate Invariant(p)
Invariant(p)
Forward
fixpoint
• • •
p
states that can reach p
i.e., states that violate Invariant(p)
• • •
Initial
states
p
reachable states
that violate p
forward image
of initial states
reachable states
of the system
Symbolic Model Checking
• Represent sets of states and the transition relation as
Boolean logic formulas
• Forward and backward fixpoints can be computed by
iteratively manipulating these formulas
– Forward, backward image: Existential variable
elimination
– Conjunction (intersection), disjunction (union) and
negation (set difference), and equivalence check
• Use an efficient data structure for manipulation of Boolean
logic formulas
– BDDs
Symbolic Model Checking
• What do you need to compute fixpoints?
Symbolic
Symbolic
Symbolic
Boolean
Symbolic
Conjunction(Symbolic,Symbolic)
Disjunction(Symbolic,Symbolic)
Negation(Symbolic)
EquivalenceCheck(Symbolic,Symbolic)
Precondition(Symbolic)
• Precondition (i.e., EX) computation is handled by:
– variable renaming, followed by conjunction, followed by
existential variable elimination
• BDDs support all these operations!
Infinite State Model Checking
• Use a symbolic representation that is capable of
representing infinite sets and supports the following
functionality:
Symbolic
Symbolic
Symbolic
Boolean
Symbolic
Conjunction(Symbolic,Symbolic)
Disjunction(Symbolic,Symbolic)
Negation(Symbolic)
EquivalenceCheck(Symbolic,Symbolic)
Precondition(Symbolic)
• Compute fixpoints using the infinite state symbolic
representation
– Warning: Fixpoints are not guaranteed to converge!
Constraint-Based Verification
• Can we use linear arithmetic constraints as a symbolic
representation?
– Required functionality
• Disjunction, conjunction, negation, equivalence
checking, existential variable elimination
• Advantages:
– Arithmetic constraints can represent infinite sets
– Heuristics based on arithmetic constraints can be used
to accelerate fixpoint computations
• Widening, loop-closures
Linear Arithmetic Constraints
• Can be used to represent sets of valuations of unbounded
integers
• Linear integer arithmetic formulas can be stored as a set of
polyhedra
F = Ú Ù ckl
k
l
where each ckl is a linear equality or inequality constraint
and each
Ù ckl
l
is a polyhedron
Linear Arithmetic Constraints
• Disjunction complexity: linear
• Conjunction complexity: quadratic
• Negation complexity: can be exponential
– Because of the disjunctive representation
• Equivalence checking complexity: can be exponential
– Uses existential variable elimination
• Image computation complexity: can be exponential
– Uses existential variable elimination
– Existential variable elimination can be done by extending
Fourier-Motzkin variable elimination to integers
What About Using BDDs for Encoding Arithmetic
Constraints?
• Arithmetic constraints on bounded integer variables can be
represented using BDDs
• Use a binary encoding
– represent integer x as x0x1x2... xk
– where x0, x1, x2, ... , xk are binary variables
• You have to be careful about the variable ordering!
Arithmetic Constraints on Bounded Integer Variables
• BDDs and constraint representations are both applicable
• Which one is better?
smv: SMV
smv+co: SMV with William Chan’s
interleaved variable ordering
omc: My model checker based on Omega
Library
AG(!(pc1=cs && pc2=cs))
Intel Pentium PC (500MHz,
128MByte main memory)
AG(cinchair>=cleave &&
bavail>=bbusy>=bdone
&& cinchair<=bavail &&
bbusy<=cinchair && cleave<=bdone)
AG(produced-consumed=
size-available
&& 0<=available<=size)
Arithmetic Constraints vs. BDDs
• Constraint based verification can be more efficient than
BDDs for integers with large domains
• BDD-based verification is more robust
• Constraint based approach does not scale well when there
are boolean or enumerated variables in the specification
• Constraint based verification can be used to automatically
verify infinite state systems
– cannot be done using BDDs
• Price of infinity
– CTL model checking becomes undecidable
Which Symbolic Representation to Use?
BDDs
• canonical and efficient
representation for Boolean logic
formulas
• can only encode finite sets
x y {(T,T), (T,F), (F,T)}
F
x
a > 0 b = a+1
T
y
F
T
F
Linear Arithmetic Constraints
• can encode infinite sets
• two representations
– polyhedral representation
– automata representation
• mapping booleans to integers is
not an efficient encoding
T
{(1,2), (2,3), (3,4),...}
Is There a Better Way?
• Each symbolic representation has its own deficiencies
• BDD’s cannot represent infinite sets
• Linear arithmetic constraint representations are expensive
to manipulate
– Mapping boolean variables to integers does not scale
– Eliminating boolean variables by partitioning the statespace does not scale
Composite Model Checking
• Each variable type is mapped to a symbolic representation
type
– Map boolean and enumerated types to BDD
representation
– Map integer type to arithmetic constraint representation
• Conjunctively partition atomic actions based on the
symbolic representation type
• Use a disjunctive representation to combine symbolic
representations
• Sets of states and transitions are represented using this
disjunctive representation
• Set operations and image computations are performed on
this disjunctive representation
Composite Model Checking
[Bultan, Gerber, League ISSTA 98, TOSEM 00]
• Map each variable type to a symbolic representation
– Map boolean and enumerated types to BDD
representation
– Map integer type to a linear arithmetic constraint
representation
• Use a disjunctive representation to combine different
symbolic representations: composite representation
• Each disjunct is a conjunction of formulas represented by
different symbolic representations
– we call each disjunct a composite atom
Composite Representation
composite atom
P=
Úp Ùp
n
i1
i =1
symbolic
rep. 1
i2
Ù ... Ù pi t
symbolic
rep. 2
symbolic
rep. t
Example:
x: integer, y: boolean
x>0 and x´x-1
arithmetic constraint
representation
and y´ or
BDD
x<=0 and x´x and y´y
arithmetic constraint
representation
BDD
Composite Symbolic Library
[Yavuz-Kahveci, Tuncer, Bultan TACAS01], [Yavuz-Kahveci, Bultan FroCos 02, STTT 03]
• Uses a common interface for each symbolic representation
• Easy to extend with new symbolic representations
• Enables polymorphic verification
• Multiple symbolic representations:
– As a BDD library we use Colorado University Decision
Diagram Package (CUDD) [Somenzi et al]
– As an integer constraint manipulator we use Omega
Library [Pugh et al]
Composite Symbolic Library Class Diagram
Symbolic
+intersect()
+union()
+complement()
+isSatisfiable()
+isSubset()
+pre()
+post()
BoolSym
–representation: BDD
+intersect()
+union()
•
•
•
CompSym
IntSym
–representation: list
of comAtom
–representation: Polyhedra
+intersect()
+ union()
•
•
•
CUDD Library
compAtom
–atom: *Symbolic
+intersect()
+union()
•
•
•
OMEGA Library
Pre and Post-condition Computation
Variables:
x: integer, y: boolean
Transition relation:
R: x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
Set of states:
s: x=2 and !y or x=0 and !y
Compute post(s,R)
Pre and Post-condition Distribute
R: x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
s: x=2 and !y or x=0 and y
post(s,R) = post(x=2 , x>0 and x´x-1) post(!y , y´)
x=1
y
post(x=2 , x<=0 and x´x) post (!y , y´y)
false
!y
post(x=0 , x>0 and x´x-1) post(y , y´)
false
y
post (x=0 , x<=0 and x´x) post (y, y´y )
x=0
y
= x=1 and y or x=0 and y
Polymorphic Verifier
Symbolic TranSys::check(Node *f) {
•
•
•
Symbolic s = check(f.left)
case EX:
s.pre(transRelation)
case EF:
do
sold = s
s.pre(transRelation)
s.union(sold)
while not sold.isEqual(s)
•
•
•
}
Action
Language Verifier
is polymorphic
It becomes a BDD based model
checker when there or no integer variables
Fixpoints May Not Converge
• Integer variables can increase without a bound
– state space is infinite
• Model checking is undecidable for systems with unbounded
integer variables
• We use conservative approximations
Conservative Approximations
• Compute a lower ( p ) or an upper ( p+ ) approximation to
the truth set of the property ( p )
• Action Language Verifier can give three answers:
I
p
p
I
1) “The property is satisfied”
sates which
violate the
property
p
3) “I don’t know”
I
2) “The property is false and here is a counter-example”
p
p+
p
p
Conservative Approximations
• Truncated fixpoint computations
– To compute a lower bound for a least-fixpoint
computation
– Stop after a fixed number of iterations
• Widening
– To compute an upper bound for the least-fixpoint
computation
– We use a generalization of the polyhedra widening
operator by [Cousot and Halbwachs POPL’77]
Widening
• Widening operation with composite representation:
– Given two composite atoms c1 and c2 in consecutive
fixpoint iterates, assume that
c1 = b1 i1
c2 = b2 i2
where b1 = b2 and i1 i2
Assume that i1 is a single polyhedron and i2 is also a
single polyhedron
We find pairs of composite atoms which satisfy this criteria
Widening
• Assuming that i1 and i2 are conjunctions of atomic
constraints (i.e., polyhedra), then
i1 i2 is defined as: all the constraints in i1 which are also
satisfied by i2
Example:
i1 = 0count count2
i2 = 0count count3
i1 i2 = 0count
This constraint is not
satisfied by i so we drop it
2
• Replace i2 with i1 i2 in c2
• This generates an upper approximation for the least fixpoint
computation
Composite Symbolic Library with Automata Encoding
Symbolic
+union()
+isSatisfiable()
+isSubset()
+forwardImage()
IntBoolSymAuto
IntSymAuto
–representation:
automaton
–representation:
automaton
+union()
+union()
•
•
•
•
•
•
MONA
BoolSym
–representation:
BDD
IntSym
–representation:
list of Polyhedra
+union()
+union()
•
•
•
•
•
•
CUDD Library
CompSym
–representation:
list of comAtom
+ union()
•
•
•
OMEGA Library
compAtom
–atom: *Symbolic
Automata Representation for Arithmetic Constraints
[Bartzis, Bultan CIAA’02, IJFCS ’02]
• Given an atomic linear arithmetic constraint in one of the
following two forms
v
åa × x = c
i =1
i
i
v
åa × x < c
i =1
i
i
we construct an FA which accepts all the solutions to the
given constraint
• By combining such automata one can handle full
Presburger arithmetic
Basic Construction
• We first construct a basic state machine which
– Reads one bit of each variable at each step, starting
from the least significant bits
– and executes bitwise binary addition and stores the carry
in each step in its state
0
0
/
0
Example
x + 2y
010
+ 2 001
1
0
/
1
0
v
O(å | a |)
i =1
1
1
/
1
0
0
/
1
10 0
Number of states:
0
1
/
0
i
0
1
/
1
1
0
/
0
1
0
1
/
0
1
1
/
0
0
0
/
0
1
0
/
1
1
1
/
1
2
Automaton Construction
• Equality With 0
– All transitions writing 1 go to a sink state
– State labeled 0 is the only accepting state
– For disequations (), state labeled 0 is the only rejecting
state
• Inequality (<0)
– States with negative carries are accepting
– No sink state
• Non-zero Constant Term c
– Same as before, but now -c is the initial state
– If there is no such state, create one (and possibly some
intermediate states which can increase the size by |c|)
Conjunction and Disjunction
• Conjunction and disjunction is handled by generating the
product automaton
001
0,1,1
01
0,1
Automaton for x-y<1
1
0
1
0
1
0
-1
0
1
0
1
00
0,1
11
0,1
Automaton
for 2x-y>0
00
0,1
0
01
0,1
-1
0
1
0
1
1
0
01
0,1
-2
01
1,1
Automaton for x-y<1
2x-y>0
01
0,1
-1,-1
-1,0
1
0
0
0
1
0
011
1,0,1
0,-1
1
1
0
1
001
0,1,1
0
0
0
0
1
0
1
0
-2,-1
01
1,1
-2,0
0
1
-2,1
1
1
1
0
1
0
Other Extensions
• Existential quantification (necessary for pre and post)
– Project the quantified variables away
– The resulting FA is non-deterministic
• Determinization may result in exponential blowup of
the FA size but we do not observe this in practice
– For universal quantification use negation
• Constraints on all integers
– Use 2’s complement arithmetic
– The basic construction is the same
– In the worst case the size doubles
Experiments
• We implemented these algorithms using MONA [Klarlund et al]
• Integrated them to the Action Language Verifier
• We verified a large number of specification examples
• We compared our representation against
– the polyhedral representation used in the Omega library
– the automata representation used in LASH
• we also integrated LASH to the Composite Symbolic
Library using a wrapper around it
problem instance
li g
ht
co
nt
in
ro
se
l
rti
on
so
rt
si
s1
si
s3
pc
pc 5
10
rw
3
rw 2
64
ba
r
ba ber
r m
ba ber prb mp 1
er -2
m
p3
ba
ke
ba ry
k 2
ba ery -1
k e 3ry 1
41
ti c
ke
ti c t2
k -1
ti c et3
k e -1
co
t
he 4-1
c o re
he nc
re enc 3
e4
time (seconds)
Experimental results
Construction time
1000
100
10
Omega
1
Our construction
based on MONA
LASH
0.1
0.01
problem instance
li g
ht
co
nt
in
ro
se
l
rti
on
so
rt
si
s1
si
s3
pc
pc 5
10
rw
3
rw 2
64
ba
r
ba ber
r m
ba ber prb mp 1
er -2
m
p3
ba
ke
ba ry
k 2
ba ery -1
k e 3ry 1
41
ti c
ke
ti c t2
k -1
ti c et3
k e -1
co
t
he 4-1
c o re
he nc
re enc 3
e4
time (seconds)
Experimental results
Verification time
1000
100
10
Omega
1
Our construction
based on MONA
LASH
0.1
0.01
problem instance
in
rt i
l
rt
ro
s3
s1
so
nt
on
ht
co
se
l ig
si
si
3
rw 2
64
rw
pc
pc 5
10
r
ba be r
r m
ba be r p-1
rb mp
e r -2
m
p3
ba
ke
ba ry
k 2
ba e ry -1
ke 3ry 1
41
ti c
ke
ti c t 2
k -1
ti c et 3
ke -1
t4
co
-1
he
co re
he nc
re enc 3
e4
ba
memory (Mbytes)
Experimental results
Memory comsumption
100
10
Omega
1
Our construction
based on MONA
LASH
0.1
0.01
Action Language Tool Set
Action Language
Specification
Action Language
Parser
Composite Symbolic Library
Action Language
Verifier
Verified
Counter example
Omega
Library
Presburger
Arithmetic
Manipulator
CUDD
Package
BDD
Manipulator
MONA
Automata
Manipulator
Action Language
[Bultan, ICSE 00], [Bultan, Yavuz-Kahveci, ASE 01]
• A state based language
– Actions correspond to state changes
• States correspond to valuations of variables
– boolean
– enumerated
– integer (possibly unbounded)
– heap variables (i.e., pointers)
• Parameterized constants
– specifications are verified for every possible value of the
constant
Action Language
• Transition relation is defined using actions
– Atomic actions: Predicates on current and next state
variables
– Action composition:
• asynchronous (|) or synchronous (&)
• Modular
– Modules can have submodules
– A module is defined as asynchronous and/or
synchronous compositions of its actions and
submodules
Actions in Action Language
• Atomic actions: Predicates on current and next state
variables
– Current state variables: reading, nr, busy
– Next state variables: reading’, nr’, busy’
– Logical operators: not (!) and (&&) or (||)
– Equality: = (for all variable types)
– Linear arithmetic: <, >, >=, <=, +, * (by a
constant)
• An atomic action:
!reading and !busy and nr’=nr+1 and reading’
Readers-Writers Example
module main()
integer nr;
boolean busy;
restrict: nr>=0;
initial: nr=0 and !busy;
module Reader()
boolean reading;
initial: !reading;
rEnter: !reading and !busy and
nr’=nr+1 and reading’;
rExit: reading and !reading’ and nr’=nr-1;
Reader: rEnter | rExit;
endmodule
module Writer()
boolean writing;
initial: !writing;
wEnter: !writing and nr=0 and !busy and
busy’ and writing’;
wExit: writing and !writing’ and !busy’;
Writer: wEnter | wExit;
endmodule
main: Reader() | Reader() | Writer() | Writer();
spec: invariant(busy => nr=0)
endmodule
Readers Writers Example: A Closer Look
module main()
integer nr;
boolean busy;
restrict: nr>=0;
initial: nr=0 and !busy;
S : Cartesian product of
variable domains defines
the set of states
I : Predicates defining
the initial states
module Reader()
boolean reading;
R : Atomic actions of the
Reader
initial: !reading;
rEnter: !reading and !busy and
nr’=nr+1 and reading’;
rExit: reading and !reading’ and nr’=nr-1;
Reader: rEnter | rExit;
R : Transition relation of Reader defined
endmodule
as asynchronous composition of its atomic
actions
module Writer()
...
endmodule
main: Reader() | Reader() | Writer() | Writer();
spec: invariant(busy => nr=0)
endmodule
R : Transition relation of main defined as asynchronous composition of two Reader and
two Writer processes
Asynchronous Composition
• Asynchronous composition is equivalent to disjunction if
composed actions have the same next state variables
a1: i > 0 and i’ = i + 1;
a2: i <= 0 and i’ = i – 1;
a3: a1 | a2
is equivalent to
a3: (i > 0 and i’ = i + 1)
or (i <= 0 and i’ = i – 1);
Asynchronous Composition
• Asynchronous composition preserves values of variables
which are not explicitly updated
a1 : i > j and i’ = j;
a2 : i <= j and j’ = i;
a3 : a1 | a2;
is equivalent to
a3 : (i > j and i’ = j) and j’ = j
or (i <= j and j’ = i) and i’ = i
Synchronous Composition
• Synchronous composition is equivalent to conjunction if two
actions do not disable each other
a1: i’ = i + 1;
a2: j’ = j + 1;
a3: a1 & a2;
is equivalent to
a3: i’ = i + 1 and j’ = j + 1;
Synchronous Composition
• A disabled action does not block synchronous composition
a1: i < max and i’ = i + 1;
a2: j < max and j’ = j + 1;
a3: a1 & a2;
is equivalent to
a3: (i < max and i’ = i + 1 or i >= max & i’ = i)
and (j < max & j’ = j + 1 or j >= max & j’ = j);
Arbitrary Number of Threads
• Counting abstraction
– Create an integer variable for each local state of a
thread
– Each variable will count the number of threads in a
particular state
• Local states of the threads have to be finite
– Specify only the thread behavior that relates to the
correctness of the controller
– Shared variables of the controller can be unbounded
• Counting abstraction can be automated
Readers-Writers After Counting Abstraction
Parameterized constants introduced by
the counting abstractions
module main()
integer nr;
boolean busy;
parameterized integer numReader, numWriter;
restrict: nr>=0 and numReader>=0 and numWriter>=0;
Variables introduced by the counting
initial: nr=0 and !busy;
abstractions
module Reader()
integer readingF, readingT;
initial: readingF=numReader and readingT=0;
rEnter: readingF>0 and !busy and
nr’=nr+1 and readingF’=readingF-1 and
readingT’=readingT+1;
rExit: readingT>0 and nr’=nr-1 readingT’=readingT-1
and readingF’=readingF+1;
Reader: rEnter | rExit;
endmodule
module Writer()
...
endmodule
main: Reader() | Writer();
spec: invariant([busy => nr=0])
endmodule
Verification of Readers-Writers Controller
Integers
Booleans
Cons. Time
(secs.)
Ver. Time
(secs.)
Memory
(Mbytes)
RW-4
1
5
0.04
0.01
6.6
RW-8
1
9
0.08
0.01
7
RW-16
1
17
0.19
0.02
8
RW-32
1
33
0.53
0.03
10.8
RW-64
1
65
1.71
0.06
20.6
RW-P
7
1
0.05
0.01
9.1
SUN ULTRA 10 (768 Mbyte main memory)
Example: Airport Ground Traffic Control
A simplified model of Seattle Tacoma International Airport from [Zhong 97]
Action Language Specification
module main()
integer numRW16R, numRW16L, numC3, ...;
initial: numRW16R=0 and numRW16L=0 and ...;
module Airplane()
enumerated pc {arFlow, touchDown, parked, depFlow,
taxiTo16LC3, ..., taxiFr16LB2, ..., takeoff};
initial: pc=arFlow or pc=parked;
reqLand: pc=arFlow and numRW16R=0 and pc’=touchDown
and numRW16R’=numRW16R+1;
exitRW3: pc =touchDown and numC3=0 and
numC3’=numC3+1 and numRW16R’=numRW16R-1 and
pc’=taxiTo16LC3;
...
Airplane: reqLand | exitRW3 | ...;
endmodule
main: AirPlane() | Airplane() | Airplane() | ....;
spec: AG(numRW16R1 and numRW16L 1)
spec: AG(numC3 1)
spec: AG((numRW16L=0 and numC3+numC4+...+numC8>0) =>
AX(numRW16L=0))
endmodule
Airport Ground Traffic Control
• Action Language specification
– Has 13 integer variables
– Has 6 Boolean variables per airplane process to keep
the local state of each airplane
– 20 actions per airplane
A: Arriving Airplane
D: Departing Airplane
P: Arbitrary number of threads
Experiments
Processes Construction(sec)
Verify-P1(sec)
Verify-P2(sec)
Verify-P3(sec)
2
0.81
0.42
0.28
0.69
4
1.50
0.78
0.50
1.13
8
3.03
1.53
0.99
2.22
16
6.86
3.02
2.03
5.07
2A,PD
1.02
0.64
0.43
0.83
4A,PD
1.94
1.19
0.81
1.39
8A,PD
3.95
2.28
1.54
2.59
16A,PD
8.74
4.6
3.15
5.35
PA,2D
1.67
1.31
0.88
3.94
PA,4D
3.15
2.42
1.71
5.09
PA,8D
6.40
4.64
3.32
7.35
PA,16D
13.66
9.21
7.02
12.01
PA,PD
2.65
0.99
0.57
0.43
Heap Type
[Yavuz-Kahveci, Bultan SAS 02]
• Heap type in Action Language
heap {next} top;
• Heap type represents dynamically allocated storage
top’=new;
• We need to add a symbolic representation for the heap
type to the Composite Symbolic Library
numItems > 2 => top.next != null
Concurrent Stack
module main()
heap {next} top, add, get, newTop; boolean mutex; integer numItems;
initial: top=null and mutex and numItems=0;
module push()
enumerated pc {l1, l2, l3, l4};
initial: pc=l1 and add=null;
push1: pc=l1 and mutex and !mutex’ and add’=new and pc’=l2;
push2: pc=l2 and numItems=0 and top’=add and numItems’=1 and pc’=l3;
push3: pc=l3 and top’.next =null and mutex’ and pc’=l1;
push4: pc=l2 and numItems!=0 and add’.next=top and pc’=l4;
push5: pc=l4 and top’=add and numItems’=numItems+1 and
mutex’ and pc’=l1;
push: push1 | push2 | push3 | push4 | push5;
endmodule
module pop()
...
endmodule
main: pop() | pop() | push() | push() ;
spec:AG(mutex =>(numItems=0 <=> top=null))
spec: AG(mutex => (numItems>2 => top->next!=null))
endmodule
Shape Graphs
• Shape graphs represent the states of the heap
heap variables add and top
point to node n1
add
top
next
n1
n2
next
add.next is node n2
top.next is also node n2
add.next.next is null
• Each node in the shape graph represents a dynamically
allocated memory location
• Heap variables point to nodes of the shape graph
• The edges between the nodes show the locations pointed
by the fields of the nodes
Composite Symbolic Library: Further Extended
Symbolic
+union()
+isSatisfiable()
+isSubset()
+forwardImage()
BoolSym
–representation:
BDD
+union()
HeapSym
IntSym
–representation:
list of ShapeGraph
–representation:
list of Polyhedra
+union()
+union()
•
•
•
•
•
•
CUDD Library
ShapeGraph
–atom: *Symbolic
•
•
•
CompSym
–representation:
list of comAtom
+ union()
•
•
•
OMEGA Library
compAtom
–atom: *Symbolic
Forward Fixpoint
arithmetic constraint
representation
BDD
pc=l1 mutex
numItems=2
A set of shape graphs
add
top
pc=l2 mutex
numItems=2
add
top
pc=l4 mutex
numItems=2
add
top
pc=l1 mutex
numItems=3
add
top
Post-condition Computation: Example
set of
states
pc=l4 mutex
numItems=2
add
top
transition
relation
pc=l4 and mutex’
pc’=l1
pc=l1 mutex
numItems’=numItems+1
numItems=3
add
top’=add
top
Again: Fixpoints Do Not Converge
• We have two reasons for non-termination
– integer variables can increase without a bound
– the number of nodes in the shape graphs can increase
without a bound
• As I mentioned earlier, we use widening on integer
variables to achieve convergence
• For heap variables we use the summarization operation
Summarization
• The nodes that form a chain are mapped to a summary
node
• No heap variable points to any concrete node that is
mapped to a summary node
• Each concrete node mapped to a summary node is only
pointed by a concrete node which is also mapped to the
same summary node
• During summarization, we also introduce an integer
variable which counts the number of concrete nodes
mapped to a summary node
Summarization Example
pc=l1 mutex
numItems=3
add
top
summarized nodes
After summarization, it becomes:
add
top
pc=l1 mutex
numItems=3 summarycount=2
a new integer variable
representing the number
of concrete nodes encoded
by the summary node
summary node
Simplification
pc=l1 mutex
numItems=3
summaryCount=2
add
top
pc=l1 mutex
numItems=4
(numItems=4
add
top
summaryCount=3
=
pc=l1 mutex
summaryCount=3
numItems=3
summarycount=2)
add
top
Simplification On the Integer Part
(numItems=4
pc=l1 mutex
summaryCount=3
add
top
numItems=3
summaryCount=2)
=
pc=l1 mutex
numItems=summaryCount+1
3 numItems
numItems 4
add
top
Then We Use Integer Widening
pc=l1 mutex
numItems=summaryCount+1
add
top
3 numItems
numItems 4
pc=l1 mutex
numItems=summaryCount+1
add
top
3 numItems
numItems 5
=
pc=l1 mutex
numItems=summaryCount+1
Now, fixpoint converges
3 numItems
add
top
Verified Properties
Specification
Verified Invariants
Stack
top=null numItems=0
topnull numItems0
numItems=2 top.nextnull
Single Lock Queue
head=null numItems=0
headnull numItems0
(head=tail head null) numItems=1
headtail numItems0
Two Lock Queue
numItems>1 headtail
numItems>2 head.nexttail
Experimental Results
Verification times in secs
Number of
Threads
Queue
Queue
Stack
Stack
IC
2Lock
Queue
HC
2Lock
Queue
IC
HC
IC
HC
1P-1C
10.19
12.95
4.57
5.21
60.5
58.13
2P-2C
15.74
21.64
6.73
8.24
88.26
122.47
4P-4C
31.55
46.5
12.71
15.11
1P-PC
12.85
13.62
5.61
5.73
PP-1C
18.24
19.43
6.48
6.82
HC : heap control
IC : integer control
Verifying Linked Lists with Multiple Fields
• Pattern-based summarization
– User provides a graph grammar rule to describe the
summarization pattern
L x = next x y, prev y x, L y
• Represent any maximal sub-graph that matches the pattern
with a summary node
– no node in the sub-graph pointed by a heap variable
Summarization Pattern Examples
L x x.n = y, L y
L x x.n = y, y.p = x, L y
n
n
...
n
n
...
p
d
n
p
n
L x x.n = y, x.d = z, L y
n
n
d
p
...
n
d
