Scope-bounded Multistack Pushdown Systems:

- fixed-point- sequentialization - tree-width

1

Salvatore La Torre Gennaro Parlato (U. Salerno, Italy) (U. Southampton, UK)

Multi-stack Pushdown Systems (MPS)

• n stacks sharing a finite control

– configurations: s, , , … ,

– transitions:• push one symbol onto stack i• pop one symbol from stack i• internal move: stacks stay unchanged, only control

location is altered

• problem: control-state reachability

1 2 n

Multi-stack Pushdown Systems (MPS)

• Interesting model for concurrency– allows accurate modeling of the control flow of

concurrent programs with shared memory and recursive procedure calls

• Too expressive– two stacks suffice to encode a Turing machine

• Several decidable restrictions in literature

bounded context-switch (round) runs

round 1

round 2 bouded

moves on stack 1

moves on stack 2

moves on stack 3

round 3

round 4

round 5

round 6

round 7

… … … …

bounded round reachability is decidable [Qadeer-Rehof, TACAS’05 ] (solution based on automata)

bounded round analysis (compositional)

moves on stack 1

moves on stack 2

moves on stack 3

computeinterface

for stack 1

computeinterface

for stack 2

computeinterface

for stack 3

computeinterface

for stack 1 + stack 2

computeinterface

for stack 1 + stack 2 + stack 3

- Sequentialization [Lal-Reps, CAV’08 ]- Interfaces & Getafix [La Torre-Madhusudan-Parlato, PLDI’09, CAV’10, FIT’12 ]

Tools based on compositional alg.Sequentialization (programming languages)

– Poirot+Corral (MSR) [Lahiri-Lal-Qadeer, POPL’11, CAV’12]

– Cseq (code-to-code translation for C prgms + Pthread) [Cseq+ESBMC. Fischer-Inverso-Parlato,

SV-COMP’13]

Model-Checkers for Boolean programs (abstracted device drivers)

– Getafix [La Torre – Madhusudan - Parlato, PLDI’09, CAV’10]

beyond bounded-round restriction: scope-bounded runsmoves on

stack 1moves on stack 2

moves on stack 3

… … …

Decidable reachability [La Torre-Napoli, CONCUR’11 ]• solution based on automata,• compositional ???

Fix a bound k.A run is k-scope if

for all push, pop. ( matching(push, pop)∧ (round(pop) – round(push) ≤ k ))pop

push

What is this talk about?

Compositional algorithm for bounded-scope reachability

can be implemented as a

– fixed-point (using interfaces)

– sequentialization (from multi to one stack)

Bounded-scope multiply nested words have bounded tree-width

– decidability of reachability, LTL, …, MSO

Compositional algorithm for bounded-scope reachability

• fixed-point• sequentialization

9

compositional algorithm (fixed point)

interfacestack 1

interfacestack 2

interfacestack 3

interfacestack 4

The compositional algorithm for bounded rounds won’t work• we don’t know a bound on # of needed rounds (semi-algorithm)

Our solution computes the cross product of interfaces in parallel

interface decomposition for k-scopeevery k-scope interface can be obtained as a concatenation of several k-round interfaces

simpleconcatenation

k-scope

k-round

k-scope

k-round

<- first round

last -> round

overlappingconcatenation

q

compositional algorithm (fixed point)

initial -> control

state

interfacestack 1

interfacestack 2

interfacestack 3

interfacestack 4

Init: insert an initial interface for stack 1 with at most k roundsRules: (Add) concatenate a feasible interface (with at most k rounds) to the stack interface with the lowest incomplete round

(Remove) if the first tracked round is complete then remove it Termination: one line left with the target control state at the end

target <- state

Always reaches a fixed point:

- configuration: O( k*n) control states ^ ^ | | #scope #stacks

Comparison with bounded-round restriction - bounded rounds requires only O( k ) control states - n cannot be eliminated from O (k n) (additional price to pay)

Sequentialization

13

Code-to-code translation as a plug-in for sequential verification tools

A convenient way to get new tools for conc. programs …

Sequ. tool

Concsequtranslation

Instrumentationfor the Sequ. tool

Concurrent Program

T1 T2 Tn

shared vars

…

Sequ.program

Concurrent Program

features of a good sequentialization

A direct simulation doesn’t lead to scalable solutions:

state: C1 X C2 X … X Cn X Shared

Simulation: at each step non-deterministically simulate one move of a thread

- data structures for the configurations (n stacks)

State space explosion !

Avoid cross product (compositional)• 1 stack for the simulation• 1 local state, fixed # of shared states

Conc. & Sequ. Programs are in the same class• i.e. no additional data structures to simulate parallelism• Example: concurrent Boolean programs Boolean (sequential) program

Parameterized: increasing the parameter • more behaviors are captured• at the expense of more computational resources

Explore as many behaviors as possible

related work (sequentialization)Up 2 context-switches (KISS) [Qadeer-Wu, PLDI’04]

bounded-round schedules & finite # of threads • Eager [Lal-Reps, CAV’08]• Lazy [La Torre-Madhusudan-Parlato, CAV’09]

bounded-round schedule & parameterized programs• Lazy [La Torre, Madhusudan-Parlato, CAV’10, FIT’12]

Delay-bounded schedules (thread creation) [Emmi-Qadeer-Rakamaric, POPL’11]

Bounded semantics

[Bouajjani-Emmi-Parlato, SAS’11]

from fixed point to sequentializationFixed-point algorithm Init: insert an initial interface for stack 1 with at most k roundsRules: (Add) Fill any hole with a feasible interface with at most k rounds

(Remove) If the first tracked line is complete then remove it Termination: one line left with the target control state at the end

SequentializationOur fixed point leads to a straightforward sequentialization (1stack+2kn shared vars)

Global variables: 2k copies of the shared variable to store tuple-interfaceAdditional functions: - INTERFACE( thread_id ); // non-deterministically build an interface for thread thread_id - Init() // implements Init - remove_first_round() //implements Remove rule - add_interface() //implements Add rule

Code-to-code translation:Init();while (true) { if (Remove) remove_first_round(); else add_interface(); if (termination) ERROR; }

bounded-scope runs =>

bounded tree-width of k-scope

multiply nested words

18

nested words

• A nested word NW graph captures the behavior of a run– The stack is compiled down into the nested word (nesting edges)

push push push int int pop int pop int push int pop pop

q1 q2 q3 q4 q5 q6 q7 q8 q9 q10 q11 q12 q13 q14

final

multiply nested words (MNW)

A MNW graph captures the behavior of an MPS run– Stacks are compiled down into the graph (nesting edges)– One nesting relation per stack

push1 push1 push1

push2 push2

pop1

pop2

pop1 int

push1

pop2

pop1 pop1

decidability for multistack systems [Madhusudan-Parlato, POPL’11]Several decidable restrictions of Multistack pushdown systemslead to bounded tree-width multiply nested wordsDecidability: Courcelle/Seese theorem

– bounded-contexts [Rehof - Qadeer, TACAS’05]– bounded-phases [La Torre – Madhusudan - Parlato, LICS’07]– ordered (Breveglieri – Cherubini – Citrini - Crespi Reghizzi, Int. J. Found. Comput. Sci.’95]– Parameterized pushdown automata with k-rounds

[La Torre - Madhusudan – Parlato, CAV’10]

– Delay bounded [Emmi – Qadeer – Rakamarik, POPL’11] – Bounded semantics [Bouajjani – Emmi - Parlato, SAS’11]

– Bounded-Scope [La Torre - Napoli, CONCUR’11] (More details in the “Verification of Infinite-State Systems” talk)

Conclusions

22

Conclusions & Future WorkBounded-scoped model-checkingCompositional algorithm

– Fixed point algorithm• can be encoded in Getafix [La Torre - Madhusudan - Parlato, PLDI’09]

– Sequentialization (under-approximation)• code-to-code translation (for C programs + Pthread library) • sequential tool can be used to analyze concurrent programs• empirical evaluation (can we find new bugs?)

[Multi-Pushdown Systems with Budget. Abdulla-Atig-Rezine-Stenman - ‘12]

bounded tree-width runs + MSO definable [MSO decidability of multi-pushdown systems via split-width. Cyriac - Gastin - Kumar, CONCUR’12]

– reachability/LTL Seese/Courcelle’s theorem (decidable) [A temporal logic for multi-threaded programs. La Torre - Napoli, IFIP TCS’12] [LTL model-checking for multithreaded programs under scope-bounding.

Atig, Bouajjani, Kumar, Saivasan – ATVA’12]