Model Checking of Systems Employing Commutative Functions
A.Prasad Sistla, Min Zhou, Xiaodong Wang
presented by Min Zhou
University of Illinois at Chicago
This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific
Outline
– Transition Diagram (TD) and Symbolic State Graph
– Predicate Template and bisimulation ~0
– Extended Predicate Template and bisimulation ~k
– Experiment Results
– Conclusion
Transition Diagram (TD)
We only consider TDs whose only assignments are of the forms
– x := c, where c is a constant
– x := y, where y is another variable
– x := φ(x), where φ is a unary function, and all such φ in a TD commute with each other: φ1∘φ2 = φ2∘φ1
Example TD (figure): locations 0, 1, 2; variables a, b, x, y; transitions labelled a:=x, x++; b:=x, x++; a≤y, y++; b≤y, x:=0, y:=0.
Symbolic State Graph
Sym_Reach(G, u) = (S0, R0, L0). A symbolic state s has three components:
– s.lc: the location
– s.val: variables → values; s.val(x) is the latest constant assigned to variable x
– s.exp: variables → expressions; s.exp(x) is the composition of the functions applied to x since the last time a constant was assigned to it
How to construct the Symbolic State Graph
For an edge q0 → q1 of the TD taking symbolic state s0 to s1 (variables other than x keep their val and exp):
– x := c:      s1.exp(x) = x,                s1.val(x) = c
– x := y:      s1.exp(x) = s0.exp(y)[x/y],   s1.val(x) = s0.val(y)
– x := φ(x):   s1.exp(x) = φ(s0.exp(x)),     s1.val(x) = s0.val(x)
Symbolic states → actual states
act_state(s) = (s.lc, h), where h(x) = s.exp(x){s.val(x)}, i.e. the expression s.exp(x) evaluated at the constant s.val(x).
Symbolic State Graph (example)
TD: locations 0, 1, 2; variables a, b, x, y; transitions labelled a:=x, x++; b:=x, x++; a≤y, y++; b≤y, x:=0, y:=0.
Symbolic states reached, written (lc, val, exp) with variables in the order (a, b, x, y):
– s0: 0, (0,0,0,0), (a, b, x, y)
– s1: 1, (0,0,0,0), (a, b, x+1, y)
– s2: 2, (0,0,0,0), (a, b, x+1, y)
– s3: 0, (0,0,0,0), (a, b, x+1, y+1)
Our Goal
Define a bisimulation relation over symbolic states:
– for every location q, define a predicate template set ptemplates(q)
– s ~0 t requires that s and t are equivalent w.r.t. ptemplates(s.lc)
Predicate Template
A predicate template is a pair (p, f):
– p: a predicate, derived from the guards and the correctness formula
– f: var(p) → X*, a mapping of the variables of p to variables of the TD (fid denotes the identity mapping)
What should be in ptemplates(q)
– (AP, fid) ∪ (guard(q), fid) ∈ ptemplates(q): the atomic propositions of the correctness formula and the guard of q, each with the identity mapping
– templates propagate backwards along edges: let q have an edge to q1 (besides its other edges to locations qi, …) and let (p(x), f) ∈ ptemplates(q1); then
   – if the edge q → q1 is labelled x := φ(x):   (p, f) ∈ ptemplates(q)
   – if the edge q → q1 is labelled x := y:      (p, f') ∈ ptemplates(q), where f' agrees with f except f'(x) = y
   – if the edge q → q1 is labelled x := c:      (P, f(x) = ) ∈ ptemplates(q)
Example
– p0: x y
– p1: a ≤ y
– p2: b ≤ y
– Formula: (x y)
Ptemplates(1) = { (p0, fid), (p1, fid), (p1, a ↦ x), (p2, b ↦ x) }
TD (figure): locations 0, 1, 2; transitions labelled a:=x, x++; b:=x, x++; a≤y, y++; b≤y, x:=0, y:=0.
Bisimulation ~0
Instantiating a predicate template in a state:
– (p(x_i), x_i ↦ y_i)[s] = p[s.exp(y_i) / x_i]{x_i / y_i}, where y_i = f(x_i): substitute the expression of y_i for x_i, then rename y_i back to x_i
– Example: p: x1 < c, s.exp(x1) = x1+1, s.exp(x2) = x2+2. Then (p, x1 ↦ x2)[s] = (s.exp(x2) < c){x1/x2} = (x1+2 < c).
Define ~0 as follows: for any two states s and t, s ~0 t iff
– s.lc = t.lc and s.val = t.val, and
– for all (p, f) ∈ ptemplates(s.lc), (p, f)[s] ≡ (p, f)[t], with an implicit universal quantifier over the free variables.
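The construction of symbolic states and the ~0 check above, as an added worked example that is not the paper's or the authors' code. It assumes the commuting family is the affine maps x ↦ a·x + b over the integers (any two such maps with a shared fixed point commute; x+1 and 2x do not), that predicates are linear comparisons, and it uses constructed inputs: the slides' a:=x, x++ and y++ steps, and the x1 < c instantiation example with c = 10. Each instantiated formula is reduced to an integer-exact normal form so that the equivalence (p, f)[s] ≡ (p, f)[t] can be decided by comparison instead of by an SMT solver.

```python
"""Added example (not from the paper): symbolic states (lc, val, exp), the three
assignment rules, act_state, template instantiation (p, f)[s] and the ~0 check.
Assumptions: the commuting family is the affine maps x -> a*x + b over the
integers with a != 0, and predicates are linear comparisons."""
from dataclasses import dataclass
from math import gcd
from typing import Dict, List, Tuple, Union

Affine = Tuple[int, int]   # (a, b) stands for the map x -> a*x + b
IDENT: Affine = (1, 0)

def compose(f: Affine, g: Affine) -> Affine:
    """f∘g, i.e. x -> f(g(x))."""
    (a1, b1), (a2, b2) = f, g
    return (a1 * a2, a1 * b2 + b1)

def commutes(f: Affine, g: Affine) -> bool:
    """Theorem 1 relies on every pair of functions in the TD commuting; check it
    rather than assume it (x+1 and x+2 commute, x+1 and 2x do not)."""
    return compose(f, g) == compose(g, f)

@dataclass
class SymState:
    lc: str
    val: Dict[str, int]      # s.val(x): latest constant assigned to x
    exp: Dict[str, Affine]   # s.exp(x): functions applied to x since then, as a*x+b

def assign_const(s: SymState, x: str, c: int, lc: str) -> SymState:
    """x := c    ->  s1.exp(x) = x, s1.val(x) = c; other variables unchanged."""
    return SymState(lc, {**s.val, x: c}, {**s.exp, x: IDENT})

def assign_var(s: SymState, x: str, y: str, lc: str) -> SymState:
    """x := y    ->  s1.exp(x) = s0.exp(y)[x/y], s1.val(x) = s0.val(y)."""
    return SymState(lc, {**s.val, x: s.val[y]}, {**s.exp, x: s.exp[y]})

def apply_fn(s: SymState, x: str, f: Affine, lc: str) -> SymState:
    """x := f(x) ->  s1.exp(x) = f(s0.exp(x)), s1.val(x) = s0.val(x)."""
    return SymState(lc, dict(s.val), {**s.exp, x: compose(f, s.exp[x])})

def act_state(s: SymState) -> Tuple[str, Dict[str, int]]:
    """act_state(s) = (s.lc, h) with h(x) = s.exp(x){s.val(x)}."""
    return s.lc, {x: a * s.val[x] + b for x, (a, b) in s.exp.items()}

@dataclass
class Pred:
    """Linear predicate  sum(coef[v] * v)  op  const,  op in {"<=", "=="}."""
    coef: Dict[str, int]
    op: str
    const: int

def normal_form(p: Pred) -> Union[bool, tuple]:
    """Canonical form over the integers, so two instantiations compare equal
    exactly when they denote the same set (e.g. 2x <= 1 and x <= 0)."""
    coef = {v: c for v, c in p.coef.items() if c}
    if not coef:                                   # closed formula
        return 0 <= p.const if p.op == "<=" else p.const == 0
    g = 0
    for c in coef.values():
        g = gcd(g, abs(c))
    if p.op == "==":
        if p.const % g:                            # e.g. 2x == 1: unsatisfiable
            return False
        sign = 1 if coef[min(coef)] > 0 else -1
        return ("==", tuple(sorted((v, sign * c // g) for v, c in coef.items())),
                sign * p.const // g)
    return ("<=", tuple(sorted((v, c // g) for v, c in coef.items())), p.const // g)

Template = Tuple[Pred, Dict[str, str]]   # (p, f) with f: var(p) -> TD variables

def instantiate(p: Pred, f: Dict[str, str], s: SymState):
    """(p, f)[s] = p[s.exp(f(x_i)) / x_i]{x_i / f(x_i)}: substitute for each x_i
    the expression of its image variable, then rename back to x_i.
    Variables absent from f are mapped by the identity f_id."""
    coef, const = {}, p.const
    for v, c in p.coef.items():
        a, b = s.exp[f.get(v, v)]                  # s.exp(y) = a*y + b
        coef[v] = c * a                            # c*(a*v + b) = (c*a)*v + c*b
        const -= c * b
    return normal_form(Pred(coef, p.op, const))

def bisim0(s: SymState, t: SymState, ptemplates: Dict[str, List[Template]]) -> bool:
    """s ~0 t iff same location, same val, and every template of that location
    instantiates to equivalent formulas in s and t."""
    return (s.lc == t.lc and s.val == t.val and
            all(instantiate(p, f, s) == instantiate(p, f, t)
                for p, f in ptemplates[s.lc]))

def demo() -> dict:
    """Constructed inputs: the slides' a:=x, x++ and y++ steps, and p: x1 < 10."""
    inc = (1, 1)
    s0 = SymState("0", {v: 0 for v in "abxy"}, {v: IDENT for v in "abxy"})
    s1 = apply_fn(assign_var(s0, "a", "x", "1"), "x", inc, "1")   # a := x, x++
    s3 = apply_fn(s1, "y", inc, "0")                               # y++
    p = Pred({"x1": 1}, "<=", 9)               # x1 < 10 over the integers
    s = SymState("q", {"x1": 0, "x2": 0}, {"x1": (1, 1), "x2": (1, 2)})
    t = SymState("q", {"x1": 0, "x2": 0}, {"x1": (1, 5), "x2": (1, 2)})
    return {"s1_exp": s1.exp, "s1_act": act_state(s1), "s3_act": act_state(s3),
            "inst": instantiate(p, {"x1": "x2"}, s),           # x1 + 2 <= 9
            "bisim_mapped": bisim0(s, t, {"q": [(p, {"x1": "x2"})]}),
            "bisim_fid": bisim0(s, t, {"q": [(p, {})]})}

if __name__ == "__main__":
    print(demo())
```

With the template (p, x1 ↦ x2) the two states s and t are ~0 although their expressions for x1 differ, because only x2's expression is consulted; with (p, fid) they are not. Run commutes() over every pair of functions in a TD before relying on Theorem 1, since the proof step "by commutation" is exactly where a non-commuting family breaks the bisimulation.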
Theorem 1: ~0 is a bisimulation on the symbolic state graph Sym_Reach(G, u).
Proof idea: assume s0 ~0 t0, an edge q0 → q1 labelled x := φ(x) taking s0 to s1 and t0 to t1, and (p, fid) ∈ ptemplates(q1). In this case (p, fid) ∈ ptemplates(q0), so we have (p, fid)[s0] ≡ (p, fid)[t0]. We now show (p, fid)[s1] ≡ (p, fid)[t1]:
   ∀x. P[s0.exp(x)] ≡ P[t0.exp(x)]            (from s0 ~0 t0)
   ⇒ ∀x. P[s0.exp(φ(x))] ≡ P[t0.exp(φ(x))]    (instantiate x with φ(x))
   ⇒ ∀x. P[φ(s0.exp(x))] ≡ P[φ(t0.exp(x))]    (by commutation)
   ⇒ ∀x. P[s1.exp(x)] ≡ P[t1.exp(x)]          (since s1.exp(x) = φ(s0.exp(x)) and s1.val(x) = s0.val(x))
Extension of Bisimulation ~0
If (p, f) ∈ ptemplates(q), ~0 requires (p, f)[s] ≡ (p, f)[t] even in the case shown in the figure: the TD path q … qi leads to a location where P(x) is tested, but the corresponding paths s … and t … are marked X, i.e. infeasible from both states. This is not necessary: the equivalence is only needed when this path is feasible for these two states.
Bisimulation ~k
Only in the case shown in the figure do we require (p, f)[s] ≡ (p, f)[t]: the TD path q … qi reaches a location where P(x) is tested, and the corresponding paths s_{i-k} … s_i and t_{i-k} … t_i of length k are feasible. In ~k we thus require a conditional equivalence.
Lemma: ~k ⊆ ~k+1, but ~k+1 needs more computation.
Example of a TD for which ~0 ≠ ~1
Figure: locations q0, q1, q2, q3, q4; guards x2 = 0, x1 = 0, x1 20, x2 20; transitions labelled x1++, x2++; x2++; x1++.
Any two states of the form (q1, (0,0), (x1 + c, x2 + c')) with c, c' ≥ 0 are bisimilar w.r.t. ~1.
Experiment Results
Ticket algorithm
   Property                      t(s)   # of states
   □ ¬(pc1 = C1 ∧ pc2 = C2)      0      9
Producer/Consumer (taken from T. Bultan 1999)
   Instance       Property                           t(s)   # of states
   buffer = 30    (0 ≤ p1 + p2 − (c1 + c2) ≤ s)      0.01   31
   buffer = 100   (0 ≤ p1 + p2 − (c1 + c2) ≤ s)      0.09   101
Circular Queue (taken from T. Bultan 1999)
   Size of queue   Property                                t(s)   # of states
   10              (h ≤ s ∧ t ≤ s)                         0.24   121
                   (t ≥ h → p − c = t − h)                 0.12   121
                   (t < h → p − c = s − (h − t) + 1)       0.12   121
                   (0 ≤ p − c ≤ s)                         0.15   121
   30              (h ≤ s ∧ t ≤ s)                         16.4   961
                   (t ≥ h → p − c = t − h)                 2.8    961
                   (t < h → p − c = s − (h − t) + 1)       2.7    961
                   (0 ≤ p − c ≤ s)                         3.2    961
Sliding Window
   Sender window   Receiver window   t[s]     # of states   # of edges   Environment
   1               1                 0.016    47            164          duplicate, lost
   1               2                 0.203    447           1076         duplicate
   1               2                 0.296    509           1731         duplicate, lost
   2               1                 0.860    1167          3832         duplicate
   2               2                 11.515   4555          11272        duplicate
Conclusion and future work
– Defined a non-decreasing chain of bisimulations ~0 ⊆ ~1 ⊆ …
– Can be used on a class of infinite-state systems
– ~k can be checked on the fly
– Need to investigate how to combine with static analysis