Causality-Based Verification of Multi-threaded Programs€¦ · Multi-threaded Programs Andrey...

Causality-BasedVerification ofMulti-threaded

Programs

Andrey Kupriyanovand Bernd Finkbeiner

Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules

Verification Algorithm

States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causality-Based Verification of Multi-threaded Programs

Andrey Kupriyanov and Bernd Finkbeiner

Saarland UniversityReactive Systems Group

August 28, 2013


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Introduction

Causality

The relation between two events (the cause and the effect), where thesecond event is understood as a (necessary) consequence of the first.

In this talk

I Capturing causality by concurrent traces and their transformations

I Verification of concurrent programs based on causality

I How causality-based verification can bring exponential savings forsome classes of multi-threaded programs


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Introduction

Verification of Safety Properties

System S |= G safe ?

Different flavors:

I Synchronized product of finite automata

I Communicating processes

I Multi-threaded programs

ComplexityThe problem is PSPACE-complete

Problem complexity is robust

I varying communication models (global/binary/shared vars)

I different sizes of the alphabet


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Introduction

Verification of Safety Properties for Concurrent Systems

S = P1 ‖ P2 ‖ . . . ‖ PN |= G safe ?

Different flavors:

I Synchronized product of finite automata

I Communicating processes

I Multi-threaded programs

ComplexityThe problem is PSPACE-complete

Problem complexity is robust

I varying communication models (global/binary/shared vars)

I different sizes of the alphabet


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Motivation

I Unless P = PSPACE , there is no scalable algorithm for thegeneral-case concurrent verification problem

I It is easy to manually prove/disprove the correctness of manyconcurrent programs

⇒ Investigate:

I Efficient (polynomial) proof techniques

I Classes of efficiently verifiable concurrent programs


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Multi-threaded Programs with Locks

Syntax Semantics

acquire li li = 0 ∧ l ′i = 1 ∧ pc ′ = pc + 1

release li l′i = 0 ∧ pc ′ = pc + 1

if (ϕ) goto j (ϕ∧ pc ′ = j) ∨ (¬ϕ∧ pc ′ = pc + 1)

1

2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

A Polynomial Proof 1

2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

i

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

i

a1

a2

pc1 ∈ [2, 3, 4]

pc2 ∈ [2, 4]

i

a2

a3

pc2 ∈ [2, 4]

pc3 ∈ [2, 3]

i

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

OrderSplit

i r5

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

OrderSplitNecessaryAction (l ′ = 1 l = 0)

i

a1

a3

r5

a2

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]pc2 ∈ [2, 4]

i

a1

a3

r5

a2

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]pc2 ∈ [2, 4]

NecessaryAction (pc ′2 = 1 pc2 = 4)Cover


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

i

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

i

a1

a2

pc1 ∈ [2, 3, 4]

pc2 ∈ [2, 4]

i

a2

a3

pc2 ∈ [2, 4]

pc3 ∈ [2, 3]

i

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

OrderSplit

i r5

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]


i

a1

a3

r5

a2

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]pc2 ∈ [2, 4]

i

a1

a3

r5

a2

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]pc2 ∈ [2, 4]

NecessaryAction (pc ′2 = 1 pc2 = 4)

Cover


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

i

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

i

a1

a2

pc1 ∈ [2, 3, 4]

pc2 ∈ [2, 4]

i

a2

a3

pc2 ∈ [2, 4]

pc3 ∈ [2, 3]

i

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]

OrderSplit

i r5

a1

a3

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]


i

a1

a3

r5

a2

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]pc2 ∈ [2, 4]

i

a1

a3

r5

a2

pc1 ∈ [2, 3, 4]

pc3 ∈ [2, 3]pc2 ∈ [2, 4]

NecessaryAction (pc ′2 = 1 pc2 = 4)Cover


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Object

StateA tuple of state components s = 〈p1, p2, . . . , pN〉 ∈ |P1|×|P2|×. . .×|PN |

State Inclusions = 〈p1, . . . , pN〉 ⊆ s ′ = 〈p′1, . . . , p′N〉 iff ∀i . pi ⊆ p′i

Trace (implicitely defined, for forward search)

For a state s, an equivalence class of all traces, ending in s:

s1, t1, . . . , sk , tk , sss ≡ s ′1, t′1, . . . , s ′m, t′m, sss


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Object

Concurrent TraceA labeled, directed, acyclic graph A = 〈N,E , ν, η〉:

I 〈N,E〉 is a graph with actions N and edges EI ν : N → Φ(V ∪ V ′)I η : E → Φ(V ∪ V ′)

labelings of actions/edges with transition predicates

Trace InclusionA = 〈N,E , ν, η〉 ⊆λ A′ = 〈N ′,E ′, ν′, η′〉 iff

I ∃ λ = 〈λN : N ′ → N, λE : E ′ → E〉.I for all n′ ∈ N ′ . ν(λN (n′)) =⇒ ν′(n′).I for all e′ ∈ E ′ . η(λE (e′)) =⇒ η′(e′).

x ′ = 0y ′ = 0

x + + y + +x > 1y > 1

x > 1

y > 1

x ′ = 0y ′ = 0

x + +

y + +

x > 1y > 1

x > 1

y > 1

x ′ = 0y ′ = 0

x > 1y > 1

⊆⊆⊆

⊆⊆ ⊆


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Object

Concurrent TraceA labeled, directed, acyclic graph A = 〈N,E , ν, η〉:

I 〈N,E〉 is a graph with actions N and edges EI ν : N → Φ(V ∪ V ′)I η : E → Φ(V ∪ V ′)

labelings of actions/edges with transition predicates

Trace InclusionA = 〈N,E , ν, η〉 ⊆λ A′ = 〈N ′,E ′, ν′, η′〉 iff

I ∃ λ = 〈λN : N ′ → N, λE : E ′ → E〉.I for all n′ ∈ N ′ . ν(λN (n′)) =⇒ ν′(n′).I for all e′ ∈ E ′ . η(λE (e′)) =⇒ η′(e′).

x ′ = 0y ′ = 0

x + + y + +x > 1y > 1

x > 1

y > 1

x ′ = 0y ′ = 0

x + +

y + +

x > 1y > 1

x > 1

y > 1

x ′ = 0y ′ = 0

x > 1y > 1

⊆⊆⊆⊆⊆ ⊆


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules

State Transition

For a state s: {t1, . . . , tn}, where s ti

−→ s ′i are transitions, enabled in s.

Seen as Trace Transformations

s1, t1, . . . , sss

s1, t1, . . . , s, t1, s ′1s

′1s′1 . . .. . .. . . s1, t1, . . . , s, t

n, s ′ns′ns′n


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules

Causal Transitionτ : {τ1, . . . , τn} where τi : (L

ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:

∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a{φ′} b{¬φ}

R

a{φ′} b{¬φ}

x{φ ∧ ¬φ′}

Necessary Actionφ

¬φ

a

b

x


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a{φ′} b{¬φ}

Rfirst

a{φ′} b{¬φ}

x{φ ∧ ¬φ′}{φ ∧ φ′}

Necessary Actionφ

¬φ

a

b

x


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a{φ′} b{¬φ}

Rlast

a{φ′} b{¬φ}

x{φ ∧ ¬φ′} {¬φ∧¬φ′}

Necessary Actionφ

¬φ

a

b

x


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a

b

R1

a b

Order Split

R2

b a


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a{φ}

R1

a{φ ∧ ψ}

Action Split

R2

a{φ ∧ ¬ψ}


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a b{φ}

x{ψ}

R

a b{φ}

x{ψ ∧ φ}

Action Restriction


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Proof Rules



∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ

L(τmi (A)

)

L

a b{φ}

x y{ψ}

R

a b{φ}

x y{ψ ∧ φ}

Edge Restriction


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Verification as a Search Problem: States vs Traces

beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do

take some q from Qif IsError(q) then

return unsafeelse

Q := Q ∪ Successors(q)

return safe

Search Object: State Concurrent Trace

InitialAbstraction(S): I I −→ E

IsError(q): q ∩ E 6= ∅ Linearizable(q)

Successors(q): StateTransition(q) CausalTransition(q)

FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q

?


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Looking Closer into State Fixed-point...

State Fixed-point

∀q ∈ Q .Succesors(q) ⊆ Q

Seen as Trace Fixed-point

sss

s, t1, s1s1s1

s, t2, s2s2s2

s, t1, s1, t3, s3s3s3

s, t1, s1, t4, s4s4s4

s, t1, s1, t3, s3, t5, s5s5s5

s, t1, s1, t4, s4, t6, s6s6s6

s, t1, s1, t4, s4, t7, s7s7s7

Trace Fixed-point

There is no finite trace between I and E .

Alternatively: any trace between I and E should have infinite length!


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causal Trace Unwindings 1

2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

pc1 = 2pc2 = 2

ie


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i pc1 = 1 ∧ pc′1 = 2

l = 0 ∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1

pc1 = 2pc2 = 2

epc1 = 2

pc2 = 2

a1

a2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4

5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1

a1

a2

pc1 = 2pc2 = 2

epc1 = 2

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1

a1

a2

pc1 = 2pc2 = 2

e

pc1 = 2

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 4 ∧ pc ′1 = 5l ′ = 0

pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1

a1

a2

pc1 = 2pc2 = 2

e

pc1 = 2

pc2 = 2

r1


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc2 = 2 ∧ pc ′2 = 3l ′ = 0

ir2

pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1

pc1 = 2

a1

a2

pc1 = 2pc2 = 2

e

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


2

3

4

5

a1 : ack l1

a4 : ack l2

r4 : rel l2

r1 : rel l1

1

2

3

4

5

a2 : ack l1

r2 : rel l1

a5 : ack l1

r5 : rel l1

1

2

3

4

5

a3 : ack l1

a6 : ack l3

r3 : rel l1

r6 : rel l3

1

2

3

4 5

6

⊥⊥⊥7

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc2 = 2 ∧pc ′2 = 3l ′ = 0

ir2

pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1

pc1 = 2

a1

a2

pc1 = 2pc2 = 2

e

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causal Trace Unwindings

Theorem (Soundness of Trace Unwinding)

If there exists a correct causal trace unwinding for P, where everycausal path is either contradictory or unbounded, then P is safe.


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causal Trace Unwindings

Theorem (Soundness of Trace Unwinding)

If there exists a correct causal trace unwinding for P, where everycausal path is either contradictory or unbounded, then P is safe.

⇓

Trace Tableau = Trace Unwinding+ abstract labels + covering relation


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causal Trace Tableaux

1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

pc1 = 2pc2 = 2

ie


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i pc1 = 1 ∧ pc′1 = 2

l = 0 ∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1

pc1 = 2pc2 = 2

epc1 = 2

pc2 = 2

a1

a2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4

5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1

a1

a2

pc1 = 2pc2 = 2

epc1 = 2

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1

a1

a2

pc1 = 2pc2 = 2

e

pc1 = 2

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 4 ∧ pc ′1 = 5l ′ = 0

pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1

a1

a2

pc1 = 2pc2 = 2

e

pc1 = 2

pc2 = 2

r1


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc2 = 2 ∧ pc ′2 = 3l ′ = 0

pc1 = 2pc2 = 2

ei

r2

pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1

pc1 = 2

a1

a2

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


1

2

3

4 5

6

⊥⊥⊥7

abstract

concrete

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 2pc2 = 2

e

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1

a1pc1 = 2pc2 = 2

epc1 = 2

pc ′1 = 1pc ′2 = 1pc ′3 = 1

i

pc2 = 2 ∧pc ′2 = 3l ′ = 0

pc1 = 2pc2 = 2

ei

r2

pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1

pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1

pc1 = 2

a1

a2

pc2 = 2


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion


Theorem (Soundness)

If there exists a correct and complete causal trace tableau for a parallelprogram P, then P is safe.

Theorem (Completeness)

If a parallel program P with finite-state quotient is safe, then thereexists a correct and complete causal trace tableau for P.


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causality-based Verification: Conclusion

We propose to shift emphasis from state space exploration tocausality-based proof search:

+ We capture causality by concurrent traces and their transformations

+ More powerful proof object allows to better exhibit causalrelationships

+ More powerful proof rules lead to substantially shorter proofs


Programs


Introduction

Motivation

Programs with Locks

Concurrent Proofs

Proof Object

Proof Rules


States vs Traces

Trace Unwindings

Trace Tableaux

Conclusion

Causality-based Verification: Conclusion

We propose to shift emphasis from state space exploration tocausality-based proof search:

+ We capture causality by concurrent traces and their transformations

+ More powerful proof object allows to better exhibit causalrelationships

+ More powerful proof rules lead to substantially shorter proofs

Reduces the complexity from exponential to polynomial for theimportant class of multi-threaded programs.

IntroductionMotivationPrograms with Locks

Concurrent ProofsProof ObjectProof Rules

Verification AlgorithmStates vs TracesTrace UnwindingsTrace Tableaux

Conclusion

Causality-Based Verification of Multi-threaded Programs€¦ · Multi-threaded Programs Andrey...

Documents

Transcript of Causality-Based Verification of Multi-threaded Programs€¦ · Multi-threaded Programs Andrey...