Verification of Dynamic Message Passing Systems

Thomas Wies

AVACS Spring School 2010

Motivation

Verify concurrent systems with• synchronization via message passing• unbounded dynamic process creation• dynamic communication topology

A Publish/Subscribe Service in Scalasealed abstract class Categorycase object Cat1 extends Category...case object CatN extends Categorycase object Listcase class Categories(cats: Set[Category])...class Server extends Actor { def loop(enl: Map[Category,Set[Actor]]){ val cats = Set(Cat1,...,CatN) react { case List => { reply(Categories(cats)) react { case Subscribe(c) => loop(enl + c -> (enl(c) + sender)) } } case Unsubscribe(c) => loop(enl(c) + c -> (enl(c) - sender)) case Publish => { reply(Who) react { case Credential => if (*) { reply(Categories(cats)) react { case Content(c) => enl(c).forall( _ ! Content(c)) loop(enl) } } else { reply(Deny) loop(enl) } } } } } override def act() = loop({_ => EmptySet})}

class Subscriber(server: Actor) extends Actor { def loop(cat: Category): Unit = { if (*) { react { case Content(c) => if (c != cat) error("...") ... } } else { server ! Unsubscribe(cat) exit('normal) } }

override def act(): Unit = { server ! List react { case Categories(cats) => val cat = cats.choose loop(cat) } }}

class Publisher(server: Actor) extends Actor { override def act(): Unit = { server ! Publish react { case Who => reply(Credential) react { case Categories(cats) => val c = cats.choose reply(Content(c)) if (*) act() else exit('normal) case Deny => exit('badCredential) } } }}

A Publish/Subscribe Service in Scala

Server

Subscriber

Subscriber

Publisher

Publisher

server

server

enl(Cat1)

Subscriber

server

server

server

enl(Cat2) Subscribe(Cat1)

sender

A Publish/Subscribe Service in Scala

Server

Subscriber

Subscriber

Publisher

Publisher

server

server

enl(Cat1)

Subscriber

server

server

server

enl(Cat2)

Subscribe(Cat1)

senderenl(Cat1)

A Publish/Subscribe Service in Scala

Server

Subscriber

Subscriber

Publisher

Publisher

server

server

enl(Cat1)

Subscriber

server

enl(Cat1)

server

server

enl(Cat2)

Content(Cat1)sender

A Publish/Subscribe Service in Scala

Server

Subscriber

Subscriber

Publisher

Publisher

server

server

enl(Cat1)

Subscriber

server

enl(Cat1)

server

server

enl(Cat2)

Content(Cat1)

sender

Content(Cat1) Content(Cat1)sendersender

Infinite state system• number of Subscriber and Publisher processes and• number of messages in mailboxes can grow unboundedly

Semantics

Interleaving of local transitions of processes.

Processes have• an associated name• finitely many control states• finitely many parameters

(denoting names of other processes)

• an associated mailbox (unbounded but unordered)

Semantics

Interleaving of local transitions of processes.

In each local transition a process may• change its control state• change the value of one of its parameters• receive a message from its mailbox (blocking)• send a message to a process it knows• create a new process

Semantics

Global configurations are graphs• nodes model

– processes (node labels are control state)– messages (node labels are message kinds)

• edges model– mailboxes– process parameters– message data

Semantics

More formal• DCS [Bauer, Schaefer, Toben, Westphal 2006]

• Dynamic I/O automata [Attie, Lynch 2001]

• ¼-calculus [Milner, Parrow, Walker 1992]

• Actors [Agha 1986]

• …

Server

Subscriber

server

enl(Cat1)

Content(Cat1)sender

“The server link of a Subscriber always points to a Server”

“Subscribers only receive content they are enlisted to”

“No process ever reaches a local error state”

Verification of Safety Properties

Shape Invariants

Overview

Part I – Decidability

Part II – Abstraction

Turing Completeness

Statemachine

Ccounter1 C

nextC

next

C Cnext

counter2

Encoding of a two counter machine

Are there any interesting fragments with decidable verification problems?

Depth-Bounded Systems (DBS)[Meyer 2008]

DefinitionA system is depth-bounded iffthere exists a constant that bounds the lengthof all simple paths in all reachable configurations.

The actual definition is in terms of ¼-calculus processes.

Depth-Bounded Systems (DBS)

Server

Subscriber

Subscriber

Publisher

Publisher

server

server

enl(Cat1)

Subscriber

server

enl(Cat1)

server

server

enl(Cat2)

Content(Cat1)

sender

Content(Cat1)sender

maximal length of any simple path is 5

What is Decidable for DBS?

DBSs are well-structured transition systems [Meyer 2008].

Termination is decidable

What about reachability?

Reset nets are DBSs [Meyer, Gorrieri 2009].

Reachability is undecidable for reset nets [Dufourd et al.1998] and thus for DBSs

The Covering Problem

init bad

Given a transition system and a bad configuration

decide whether there is a reachable configuration that “covers” the bad one.

Server

Subscriber

server

enl(Cat1)

Content(Cat2)sender

Application: verify absence of bad patterns

“Subscribers only receive content they are enlisted to”

The Covering Problem

The covering problem is decidable for DBSs[Wies, Zufferey, Henzinger FoSSaCS’10]

Well-Quasi-Orderings

DefinitionA relation · µ S £ S is a well-quasi-ordering iff• · is a quasi-ordering (reflexive and transitive)• for any infinite sequence s1, s2, … there are

i < j such that si · sj

Examples• identity relation on a finite set• order on the natural numbers• multiset extension of a well-quasi-ordering

(Higman’s lemma)

Well-Structured Transition Systems (WSTS) [Finkel 1987]

DefinitionA WSTS is a tuple (S, init, !, ·) where• (S, init, !) is a transition system• · is a well-quasi-ordering on S• · is compatible with the transition relation !:

for all s, t, s’ 2 S with s ! s’ and s · t there exists t’ 2 S with t ! t’ and s’ · t’

Examples• Petri nets• lossy channel systems

s s’

t t’

Upward and Downward-Closures

"X

X

·

Y

·

"Y

"X = {y 2 S | 9 x 2 X. x · y}

Backward Algorithm for the Covering Problem of WSTS

bad

"badpre("bad)

…prek("bad)

init

Backward Algorithm for the Covering Problem of WSTS

bad

"badpre("bad)

…prek("bad)

init

…

Depth-Bounded Systems as WSTS

Depth-bounded systems form WSTS for• their reachable configurations • and the quasi-ordering “ “ induced by

subgraph isomorphism

Next we show that “ “ is a well-quasi-ordering on the reachable configurations

Closure of a Tree

Add edges according to transitive closure of the edge relation

Every (undirected) graph is contained in the closure of some tree.

Tree-Depth of a Graph

DefinitionThe tree-depth td(G) of a graph G is the minimal height of all trees whose closure contain G.

v1

v2

v4

v3v5

v1

v2

v4

v3

v5

height is 2tree depth is 2

Tree-Depth and Depth-Bounded Systems

PropositionA set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.

the reachable configurations of a depth-bounded system have bounded tree-depth.

Tree Encodings of Depth-Bounded Graphs

v1

v2

v4

v3v5

v1

v2

v4

v3

v5

G tree(G)

Number of labels used in the encoding is finite.

Homeomorphic Tree Embedding

¹

tree(G1) ¹ tree(G2) implies G1 G2

We can show for all graphs G1, G2:

Kruskal’s Tree Theorem

Theorem [Kruskal 1960]Homeomorphic tree embedding is a well-quasi-ordering on finite labeled trees.

subgraph isomorphisms induce a better-quasi-ordering on the reachable configurations of a depth-bounded system.

Theorem [Laver 1971]Homeomorphic tree embedding is a better-quasi-ordering on finite labeled trees.

Backward Algorithm for the Covering Problem of WSTS

bad

"badpre("bad)

…prek("bad)

initRequirements• · is decidable• pre is effectively computable

Backward Analysis of DBSs

• WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations

• reachability is undecidable so pre is not computable for the induced WSTS

• only option: if bound of the system is k, define WSTS wrt. the set of all graphs of depth at most k

termination of a backward analysis can only be ensured if the bound of the system is known a priori.

Standard algorithm is not a decision procedure for the covering problem of DBS.

Backward Analysis is Impractical

Server

Subscriber

server

Subscribe(Cat1)

sender

Backward analysis has to guess sender (and other parameters) of sent messages

explosion in the nondeterminism

Backward Analysis is Impractical

Server

Subscriber

server

Subscribe(Cat1)

sender

Backward analysis has to guess sender (and other parameters) of sent messages

explosion in the nondeterminism

This is similar to the aliasing problem for backward analysis of programs with pointers

?

Is there a forward analysis that decides the covering problem?

Forward Analysis of a WSTS

init

#init #post(#init)… #postk(#init)

bad

Forward Analysis of a WSTS

init

#init #post(#init)… #postk(#init)

bad

We need “limits” of all downward-closed sets for termination.

Server

Loop Acceleration à la Karp-Miller

Server

Subscriber SubscriberSubscriber

Server

¾ ¾

+

limit configuration

Idea for loop accelerationRecord which parts of a configuration can be duplicated.

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]

X YD

wqo set ADL for X

°

For every z 2 Y, °(z) is a downward-closed subset of X

X D

wqo set ADL for X

° Y

Every downward-closed subset of X is generated by a finite subset E of Y [ X

E1

E2

E = E1 [ E2

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]

Expand, Enlarge, and Check

Theorem [Geeraerts, Raskin, Van Begin 2006]

There exists an algorithm that decides the covering problem for WSTS with effective ADL.

X1

Y1

X2

Y2

X2

Y2

… µ X

µ Y

µ

…µ

µ

µ

µ

µ

Next: an ADL for depth-bounded systems

Server

Loop Acceleration à la Karp-Miller

Server

Subscriber SubscriberSubscriber

Server

¾ ¾

+

limit configuration

Idea for loop accelerationRecord which parts of a configuration can be duplicated.

Content

Server

Limit Configurations

Server

Subscriber Subscriber

Subscriber+

+Content

ContentContent

Server

Subscriber

Content

°

…

Denotation °(L) is downward-closure of all unfoldings of L

An ADL for Depth-Bounded Systems

Server

Subscriber+

TheoremLimit configurations form an ADL for depth-bounded graphs.

CorollaryThe EEC algorithm decides the covering problem for depth-bounded systems.

Theorem [Finkel, Goubault-Larrecq 2009]

The downward-closed directed subsets of a wqo set X form an ADL for X.

Canonical Adequate Domain of Limits

X

A directed set for qo (X, ·) is• a nonempty subset of X• closed under upper bounds

·· X

D

D1

D2

D3

D4

D5

= (Q,§,Qf,¢)Q = {p,q,r,s}§ = {a,b,c}Qf = {p}¢ = {a(²) → s b(²) → r c(sr*s) → q a(q+) → p}

Hedge Automata

A a

c c

a a a ab

s s s sr

q q

p

To proof: For every directed downward-closed set , there exists a limit configuration with D

Proof Sketch

LD = °(L)

tree(D)Look at the tree encodings and construct a hedge automaton such that

From construct the limit configuration .

AD

D = #tree¡ 1(L (AD ))

AD L

Proof Sketch

…

…

directed dc set

Further Related WorkMeyer, Gorrieri 2009 –

depth-bounded systems and place/transition nets

Finkel, Goubault-Larreqc 2009 – Karp-Miller-style forward analysis of WSTSs with ADLs

Ganty, Raskin, Van Begin 2006 –Forward analysis of WSTSs without ADLs

Dam 1993, Amadio, Meyssonnier 2002 –decidable fragments of the ¼-calculus

Sangiorgi 1996, Busi et al. 2003, Ostrovský 2005 –type systems for the ¼-calculus

Bauer, Wilhelm 2007 –shape analysis for depth-bounded systems

Part II – Abstraction

Leader Election in a Ring

9

4

2 6

3

Leader Election in a Ring

9

4

2 6

3

2 6

9

4 3

Leader Election in a Ring

9

4

2 6

32

6

9

4

3

Leader Election in a Ring

9

4

2 6

3

9

Safety property

Goal: verify property for all rings no longer a depth-bounded system

8xy: x;y 2 Ring^Leader(x) ^Leader(y) ! x = y

Leader Election in a Ring

9

4

2 6

3

Safe inductive invariant

8x: x 2 Ring $ left¤(max;x)8x: x 2 Ring ! id(x) · id(max)8xy: x;y 2 Ring^id(x) = bu®er(y) !

(¸z1 z2: left(z1) = z2 ^z1 6= max)¤(x;y)8xy: x;y 2 Ring ! Leader(x) ^Leader(y) ! x = y

6

max

Challenges• quantified invariants• reasoning in complex theories

Symbolic Analysis• use of formulas to represent sets of states

– simplicity• abstract domain µ concrete domain• abstraction ' logical entailment

– soundness by construction• use of automated reasoning procedures

– automation (construction of abstract trans. graphs)– separation of concerns (black-boxing)– get leverage from automated reasoning community

• use of abstraction refinement– more automation (construction of abstract domain)– efficiency (targeted precision)

Existing tools: SLAM, BLAST, ARMC, MAGIC, SLAB, …

Predicate Abstraction

P1 ´ x·0 P2 ´ y>0 …

P1ÆP2Æ…

reachable states

err

or

stat

es

state space

:P1, :P2, :P

3

P1, :P2, :P3

P1, :P2, P3

P1, P2, :P3

3-valued Shape Analysis [Sagiv, Reps, Wilhelm POPL’99]

Partition state graphs according to a finite set of predicates on nodes.

xnext next next next

y

null

next nextnext

P1(v) ´ next*(x,v) P2(v) ´ x = v P3(v) ´ null = v

Abstract state graphs induce finite partitioning of the state space

Predicate abstraction

use state predicates to finitely partition the transition graph.

(3-valued) shape analysis

use node predicates to finitely partition the state graphs toobtain state predicates thatfinitely partition the transition graph.

In a Nutshell…

Shape Analysis = 2Predicate Abstraction

In a Nutshell…

But the analogy only goes so far…

Symbolic Shape Analysis

Credo

• apply not only idea but also the techniques of predicate abstraction in the context of shape analysis

• and take advantage of all the benefits

Overview

• Boolean Heaps– generalizes predicate abstraction

(infers universally quantified invariants)– uses key idea of 3-valued shape analysis

(predicates on nodes in the state graphs)– enables use of automated reasoning procedures to

construct abstract transition graph

Overview

• Boolean Heaps

• Counterexample-Guided Focus– novel CEGAR algorithm– enables use of automated reasoning procedures to

• automatically construct abstract domain• automatically adapt precision of abstract transformer

Boolean Heaps [Podelski, Wies SAS’05]

Use idea of [Sagiv, Reps, Wilhelm 2002]:Partition graphs according to a finite set of predicates.

0

7

3

Use idea of [Sagiv, Reps, Wilhelm 2002]:Partition graphs according to a finite set of predicates.

Boolean Heaps

Abstract state

0

7

3

5Abstract domaindisjunctions of abstract states

Abstr. transformer for loop

Most Precise Abstract Transformer

Abstr. transformer for loopInductive invariant for

Verification succeeds!

Most Precise Abstract Transformer

reachable states

error states

Precision-Efficiency TradeoffNumber of abstract states is doubly-exponential innumber of predicates

Most precise abstract transformer is impractical• expensive to construct• keeps track of irrelevant information

Solution: apply additional abstraction

Cartesian Abstraction

x

y

S

Sx £ Sy

Sx

Sy

..., [Cousot, Cousot PPCA’95], [Ball, Podelski, Rajamani TACAS’01],…

for abstracting sets of vectors

Cartesian Abstraction

• abstract states are sets of bit-vectors• Cartesian abstraction applies• abstr. transformer w/ Cartesian abstraction is

efficiently implementable:– check entailments between QF formulas– number of entailment checks polynomial in number of

predicates

• precise enough for many practical examples• not precise enough for many practical examples

Inductive invariant for

Verification succeeds!

Inductive invariant for

Verification fails!

Abstract Transformer with Cartesian Abstraction

3 7

0 7

,

Overview

• Boolean Heaps

• Counterexample-Guided Focus

FocusCommon recipe in shape analysis

– start from coarse but efficient abstract transformer– adapt precision to each individual program statement

and individual data structures(partial concretization / materialization / focus)

ProblemFine-tuning precision uniformly makes analysis again too precise (i.e., often inefficient)

Exciting research directionParameterized focus that adapts abstract transformer to the individual verification tasks e.g. [Manevich et al., 2004, 2007, 2009]

Fine-Tuned Focus

Idea: take this direction to its logical extreme

Fine-tune focus to the individual steps of the analysis of the individual verification task

reachable states

error states

Fine-Tuned FocusInstead of fixed uniform precision…

error states

reachable states

Fine-Tuned Focus…adapt precision locally and lazily.

Counterexample-Guided Focus[Podelski, Wies POPL’10]

Idea: take this direction to its logical extreme

Fine-tune focus to the individual steps of the analysis of the individual verification task

This fine-tuning must be automated.

We use counterexamples for this purpose.

• analysis of abstract program produces spurious counterexamples

• spuriousness results from imprecise abstract transformer

• construct fine-tuned focus operator that locally adapts precision of abstract transformer– locally refine the abstract domain of the pre-image of

the abstract transformer– locally refine the pre-image itself by splitting disjuncts

below and above the universal quantifier– both refinements are guided by the spurious

counterexample

Counterexample-Guided Focus[Podelski, Wies POPL’10]

x

y

S

Sx £ Sy

Sx

Sy

Loss of Precision under Cartesian abstraction

splitting is guidedby counterexamples

Effect of Counterexample-Guided Focus

Inductive invariant for

Verification succeeds!

3 7

Inductive invariant for

Verification fails!

0 7

Nested Lazy CEGAR Loop

• outer loop refines abstract domain by inferring new predicates

• inner loop fine-tunes abstract transformer using counterexample-guided focus

Progress theorem: every spurious counterexample is eventually eliminated

Bohne Implementation of Symbolic Shape Analysis

• (doubly-linked) lists• lists with iterators• sorted lists• skip lists• search trees• trees w/ parent pointers• threaded trees

6

3 9

1 5

4

first

rootVerified data structure implementations:

No manual adaptation of abstract domain / abstract transformer required.

Bohne Implementation of Symbolic Shape Analysis

• absence of runtime errors• shape invariants

- acyclic- sharing-free- doubly-linked- parent-linked- threaded- sorted …

• partial correctness

6

3 9

1 5

4

first

rootVerified properties:

No manual adaptation of abstract domain / abstract transformer required.

We are currently extending the implementation to message passing systems.

Further Related WorkShape analysis• three-valued shape analysis [Sagiv, Reps, Wilhelm 2002]

– decision procedures in TVLA [Yorsh et al. 2004, …, Lev-Ami et al. 2006]– parameterized focus for concurrent programs [Manevich et al., 2004, 2007, 2009]

• …

Predicate abstraction• CE-guided refinement of abstract transformers [Das, Dill 2002]

• nested refinement for predicate abstraction [Ball et al. 2004]

• indexed predicate abstraction [Lahiri, Bryant 2004]

• lazy abstraction [Henzinger et al. 2002]

• lazy shape analysis [Beyer et al. 2006]

Interpolants• quantified Craig interpolants [McMillan 2008, Kovács, Voronkov 2009]

• abstractions from proofs [Henzinger et al. 2004]

Template-based techniques [Gulwani et al. 2008, Srivastava, Gulwani 2009]