Posted on 29-Jan-2016


Model Checking of Systems Employing Commutative Functions

A.Prasad Sistla, Min Zhou, Xiaodong Wang

presented by Min Zhou

University of Illinois at Chicago

This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific

Outline

– Transition Diagram (TD) and Symbolic State Graph
– Predicate Template and bisimulation ~0
– Extended Predicate Template and bisimulation ~k
– Experiment Results
– Conclusion

Transition Diagram (TD)

We only consider TDs whose assignments are all of the following forms:
– x := c, where c is a constant
– x := y, where y is another variable
– x := φ(x), where φ is a unary function; all such φ in one TD commute with each other: φ1 φ2 = φ2 φ1

[Figure: example TD with locations 0, 1, 2; edge labels a:=x,x++ ; b:=x,x++ ; a≤y: y++ ; b≤y: x:=0,y:=0. Variables: a, b, x, y]

Symbolic State Graph

Sym_Reach(G, u) = (S0, R0, L0)

A symbolic state s has three components:
– s.lc: the location
– s.val: variables → values; s.val(x) is the latest constant assigned to variable x
– s.exp: variables → expressions; s.exp(x) is the composition of the functions that were applied to x since the last time a constant was assigned to it

How to construct the Symbolic State Graph

For an edge q0 → q1 of the TD and a symbolic state s0 at q0, the successor s1 at q1 is determined by the assignment on the edge (all other variables keep their val and exp):
– x := c:     s1.exp(x) = x,               s1.val(x) = c
– x := y:     s1.exp(x) = s0.exp(y)[x/y],  s1.val(x) = s0.val(y)
– x := φ(x):  s1.exp(x) = φ(s0.exp(x)),    s1.val(x) = s0.val(x)

Symbolic states and actual states

act_state(s) = (s.lc, h), where h(x) = s.exp(x){s.val(x)}, i.e. the expression s.exp(x) evaluated at the constant s.val(x). act_state maps each symbolic state to the actual state it represents.

Symbolic State Graph of the example TD

Symbolic states, written as (lc, val(a,b,x,y), exp(a,b,x,y)):
– s0 = (0, (0,0,0,0), (a, b, x, y))
– s1 = (1, (0,0,0,0), (a, b, x+1, y))
– s2 = (2, (0,0,0,0), (a, b, x+1, y))
– s3 = (0, (0,0,0,0), (a, b, x+1, y+1))

[Figure: the example TD (locations 0, 1, 2; edges a:=x,x++ ; b:=x,x++ ; a≤y: y++ ; b≤y: x:=0,y:=0) next to its symbolic state graph over s0, s1, s2, s3]
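As an added example (not code from the paper or its tool), the three construction rules and act_state above in Python. Because the functions commute, exp(x) can be stored as a multiset of function names rather than an ordered composition; the functions inc/dec and the extra y++ step are constructed for illustration.

```python
from collections import Counter

# Added example (not the paper's tool): symbolic states of a TD whose unary
# functions commute.  Because phi1(phi2(v)) == phi2(phi1(v)), s.exp(x) can be
# stored as a multiset of function names instead of an ordered composition.
PHI = {"inc": lambda v: v + 1, "dec": lambda v: v - 1}  # constructed; they commute

class SymState:
    def __init__(self, lc, val, exp=None):
        self.lc = lc                      # s.lc: control location
        self.val = dict(val)              # s.val(x): latest constant assigned to x
        self.exp = {x: Counter(exp[x]) if exp else Counter() for x in val}  # s.exp(x)

    def assign_const(self, lc, x, c):     # x := c      -> exp(x) = x, val(x) = c
        s = SymState(lc, self.val, self.exp)
        s.val[x], s.exp[x] = c, Counter()
        return s

    def assign_var(self, lc, x, y):       # x := y      -> exp(x) = exp(y)[x/y], val(x) = val(y)
        s = SymState(lc, self.val, self.exp)
        s.val[x], s.exp[x] = self.val[y], Counter(self.exp[y])
        return s

    def apply(self, lc, x, phi):          # x := phi(x) -> exp(x) = phi(exp(x)), val(x) unchanged
        s = SymState(lc, self.val, self.exp)
        s.exp[x][phi] += 1
        return s

    def exp_str(self, x):
        """Render exp(x) as nested applications, e.g. inc(inc(x))."""
        term = x
        for name, n in sorted(self.exp[x].items()):
            term = f"{name}(" * n + term + ")" * n
        return term

    def act_state(self):
        """act_state(s) = (s.lc, h) with h(x) = s.exp(x){s.val(x)}."""
        h = {}
        for x, c in self.val.items():
            for name in self.exp[x].elements():   # each function, with multiplicity
                c = PHI[name](c)
            h[x] = c
        return (self.lc, h)

def example_path():
    s0 = SymState(0, {"a": 0, "b": 0, "x": 0, "y": 0})   # location 0, all constants 0
    s1 = s0.assign_var(1, "a", "x").apply(1, "x", "inc")  # edge 0 -> 1 of the slides' TD: a:=x, x++
    s3 = s1.apply(0, "y", "inc")                          # constructed: y++ back at location 0
    return s0, s1, s3
```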

Our Goal

Define a bisimulation relation over symbolic states:
– for every location q, define a set of predicate templates ptemplates(q);
– s ~0 t requires that s and t are equivalent w.r.t. ptemplates(s.lc).

Predicate Template

A predicate template is a pair (p, f):
– p: a predicate, derived from the guards and the correctness formula
– f: var(p) → X*, a mapping of the variables of p

What should be in ptemplates(q)?

– (AP, fid) ∪ (guard(q), fid) ∈ ptemplates(q)
– [Figure: path q → qi → … → q1 with predicate p(x) at q1, edges labelled x:=φ2(x) and x:=y] (P, fid) ∈ ptemplates(q)
– [Figure: path q → qi → … → q1 with predicate p(x) at q1, edges labelled x:=φ(x) and x:=c] (P, f(x) = y) ∈ ptemplates(q)
– [Figure: path q → qi → … → q1 with predicate p(x) at q1, edge labelled x:=φ1(x)] …(P, f(x) = ) ∈ ptemplates(q)

Example

Predicates:
– p0: x y
– p1: a ≤ y
– p2: b ≤ y
Formula: (x y)

Ptemplates(1) = {
– (p0, fid),
– (p1, fid),
– (p1, a → x),
– (p2, b → x) }

[Figure: the example TD (locations 0, 1, 2; edges a:=x,x++ ; b:=x,x++ ; a≤y: y++ ; b≤y: x:=0,y:=0)]

Bisimulation ~0

Instantiating a predicate template in a state:
– (p(xi), xi → yi)[s] = p[(s.exp(yi)/xi){xi/yi}], where yi …
  (substitute s.exp(yi) for xi in p, then rename yi back to xi)

E.g. with p: x1 < c, s.exp(x1) = x1+1 and s.exp(x2) = x2+2:
  (p, x1 → x2)[s] = (s.exp(x2) < c){x1/x2} = (x1+2 < c)

Define ~0 as follows: for any two states s and t, s ~0 t iff
– s.lc = t.lc and s.val = t.val, and
– for every (p, f) ∈ ptemplates(s.lc), (p, f)[s] ≡ (p, f)[t], with an implicit universal quantifier over the free variables.
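An added example (not the paper's code) that carries the instantiation above through in Python and checks the ~0 conditions. It assumes, as in the slides' examples, that every φ is ++ (so exp(x) = x + k) and that predicates are linear, and it fixes the constant c of the example to 7 so the result can be computed.

```python
# Added example (not the paper's code): instantiating predicate templates and
# checking the ~0 conditions.  Assumes, as in the slides' examples, that the
# only function is ++, so s.exp(x) = x + k[x], and that each predicate p is
# linear: (coef, const, rel) meaning sum(coef[v]*v) + const REL 0.
class Sym:
    def __init__(self, lc, val, k):
        self.lc, self.val, self.k = lc, dict(val), dict(k)  # k[x]: offset in exp(x)

def instantiate(p, f, s):
    """(p, f)[s] = p[(s.exp(f(xi)) / xi){xi / f(xi)}].  Substituting xi := f(xi)+k
    and then renaming f(xi) back to xi keeps the coefficients and shifts the
    constant by coef[xi] * k[f(xi)]; variables outside f map to themselves (fid)."""
    coef, const, rel = p
    shift = sum(c * s.k[f.get(v, v)] for v, c in coef.items())
    return (dict(coef), const + shift, rel)

def equivalent(p, q):
    """p and q agree for all values of the free variables (universal quantifier)."""
    (cp, kp, rp), (cq, kq, rq) = p, q
    if any(cp.values()) or any(cq.values()):      # open predicates: same linear form
        return cp == cq and kp == kq and rp == rq
    truth = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0}
    return truth[rp](kp) == truth[rq](kq)         # closed predicates: same truth value

def bisim0(s, t, ptemplates):
    """s ~0 t iff same location, same val, and every template of ptemplates[s.lc]
    instantiates to equivalent predicates in s and t."""
    return (s.lc == t.lc and s.val == t.val and
            all(equivalent(instantiate(p, f, s), instantiate(p, f, t))
                for p, f in ptemplates[s.lc]))

def show(p):
    coef, const, rel = p
    terms = " + ".join(f"{c}*{v}" if c != 1 else v for v, c in coef.items() if c)
    return f"{terms or 0} + {const} {rel} 0"

# The slides' example with the constant c fixed to 7 (constructed): p is x1 < 7,
# f maps x1 -> x2, s.exp(x1) = x1+1 and s.exp(x2) = x2+2.
P = ({"x1": 1}, -7, "<")
F = {"x1": "x2"}
S = Sym(1, {"x1": 0, "x2": 0}, {"x1": 1, "x2": 2})

def slide_example():
    return instantiate(P, F, S)           # x1 + (-5) < 0, i.e. x1 + 2 < 7
```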

Theorem 1. ~0 is a bisimulation on the symbolic state graph Sym_Reach(G, u).

Proof idea: assume s0 ~0 t0 at location q0, an edge q0 → q1 labelled x := φ(x) with successors s1 of s0 and t1 of t0, and (p, fid) ∈ ptemplates(q1). In this case (p, fid) ∈ ptemplates(q0), so we have (p, fid)[s0] ≡ (p, fid)[t0]. Recall that s1.exp(x) = φ(s0.exp(x)) and s1.val(x) = s0.val(x) (and likewise for t1).

We now show (p, fid)[s1] ≡ (p, fid)[t1]:

  (p, fid)[s0] ≡ (p, fid)[t0]
  ∀x. P[s0.exp(x)] ≡ P[t0.exp(x)]
  ∀x. P[s0.exp(φ(x))] ≡ P[t0.exp(φ(x))]     (instantiating the quantifier at φ(x))
  ∀x. P[φ(s0.exp(x))] ≡ P[φ(t0.exp(x))]     (by commutation)
  ∀x. P[s1.exp(x)] ≡ P[t1.exp(x)]           (since s1.exp(x) = φ(s0.exp(x)))
  (p, fid)[s1] ≡ (p, fid)[t1]

Extension of Bisimulation ~0

If (p, f) ∈ ptemplates(q), ~0 requires (p, f)[s] ≡ (p, f)[t] even in the case shown below, where the path from q to the location at which P(x) is evaluated is not feasible from s or from t. This is not necessary: the equivalence is only needed when this path is feasible for these two states.

[Figure: TD path q → qi → … → P(x), and the corresponding symbolic paths s → si → … → P(x) and t → ti → … → P(x), both marked infeasible (X)]

Bisimulation ~k

Only in the case shown below, where the path of length k leading from s (through si … si-k) towards the location at which P(x) is evaluated is feasible, and likewise for t (through ti … ti-k), do we require (p, f)[s] ≡ (p, f)[t].

[Figure: TD path q → qi → … → P(x); symbolic paths s → si → … → si-k → … → P(x) and t → ti → … → ti-k → … → P(x), feasible, length = k; s ~k t]

In ~k we therefore require a conditional equivalence.

Lemma: ~k+1 contains ~k, but ~k+1 needs more computation.

Example of a TD for which ~0 and ~1 differ

Any two states of the form (q1, (0,0), (x1 + c 0, x2 + c' 0)) are bisimilar w.r.t. ~1.

[Figure: TD with locations q0, q1, q2, q3, q4; edge labels x2=0, x1=0, x1 20, x2 20, x1++, x2++, x1++]

Experiment Results

Ticket algorithm
  Property            t(s)   # of states
  ((pc1=C1pc2=c2))    0      9

Producer-Consumer (taken from T. Bultan 1999)
  Problem instance   Property                 t(s)   # of states
  buffer = 30        (0p1+p2-(c1+c2)c2) s)   0.01   31
  buffer = 100       (0p1+p2-(c1+c2)c2) s)   0.09   101

Circular Queue (taken from T. Bultan 1999)
  Size of queue   Property                         t(s)   # of states
  10              (h s t s)                        0.24   121
  10              (t h p - c = t - h)              0.12   121
  10              (t h p - c = s - (h - t) + 1)    0.12   121
  10              (0 p - c s)                      0.15   121
  30              (h s t s)                        16.4   961
  30              (t h p - c = t - h)              2.8    961
  30              (t h p - c = s - (h - t) + 1)    2.7    961
  30              (0 p - c s)                      3.2    961

Sliding Window
  Sender window   Receiver window   t[s]     # of states   # of edges   Environment
  1               1                 0.016    47            164          duplicate, lost
  1               2                 0.203    447           1076         duplicate
  1               2                 0.296    509           1731         duplicate, lost
  2               1                 0.860    1167          3832         duplicate
  2               2                 11.515   4555          11272        duplicate

Conclusion and future work

– Defined a non-decreasing chain of bisimulations
– Can be used for a class of infinite-state systems
– ~k can be checked on-the-fly
– Need to investigate how to combine this with static analysis