Verification of Dynamic Message Passing Systems
Thomas Wies
AVACS Spring School 2010
Motivation
Verify concurrent systems with
• synchronization via message passing
• unbounded dynamic process creation
• dynamic communication topology
A Publish/Subscribe Service in Scala

sealed abstract class Category
case object Cat1 extends Category
...
case object CatN extends Category

// messages exchanged between the actors (further message classes elided on the slide)
case object List
case class Categories(cats: Set[Category])
...

class Server extends Actor {
  // enl maps each category to the set of subscribers enlisted for it
  def loop(enl: Map[Category, Set[Actor]]) {
    val cats = Set(Cat1, ..., CatN)
    react {
      case List => {
        reply(Categories(cats))
        react {
          case Subscribe(c) => loop(enl + (c -> (enl(c) + sender)))
        }
      }
      case Unsubscribe(c) => loop(enl + (c -> (enl(c) - sender)))
      case Publish => {
        reply(Who)
        react {
          case Credential =>
            if (*) {                      // nondeterministic choice: credential accepted
              reply(Categories(cats))
              react {
                case Content(c) =>
                  enl(c).foreach(_ ! Content(c))   // forward to every enlisted subscriber
                  loop(enl)
              }
            } else {
              reply(Deny)
              loop(enl)
            }
        }
      }
    }
  }
  // initially no subscriber is enlisted for any category
  override def act() = loop(Map[Category, Set[Actor]]().withDefaultValue(Set()))
}

class Subscriber(server: Actor) extends Actor {
  def loop(cat: Category): Unit = {
    if (*) {                              // nondeterministic choice: keep listening
      react {
        case Content(c) =>
          if (c != cat) error("...")      // content of a category we never subscribed to
          ...
      }
    } else {
      server ! Unsubscribe(cat)
      exit('normal)
    }
  }

  override def act(): Unit = {
    server ! List
    react {
      case Categories(cats) =>
        val cat = cats.choose             // nondeterministic choice of a category
        server ! Subscribe(cat)
        loop(cat)
    }
  }
}

class Publisher(server: Actor) extends Actor {
  override def act(): Unit = {
    server ! Publish
    react {
      case Who =>
        reply(Credential)
        react {
          case Categories(cats) =>
            val c = cats.choose
            reply(Content(c))
            if (*) act() else exit('normal)
          case Deny => exit('badCredential)
        }
    }
  }
}
A Publish/Subscribe Service in Scala
[Diagram, built up over four slides: a configuration graph with one Server, three Subscribers and two Publishers. Every Subscriber and Publisher has a server edge to the Server; the Server's enl(Cat1) and enl(Cat2) edges point to the enlisted Subscribers; a Subscribe(Cat1) message and Content(Cat1) messages sit in mailboxes, each with a sender edge to the process that sent it.]
Infinite state system
• the number of Subscriber and Publisher processes and
• the number of messages in mailboxes can grow unboundedly
Semantics
Interleaving of local transitions of processes.
Processes have
• an associated name
• finitely many control states
• finitely many parameters (denoting names of other processes)
• an associated mailbox (unbounded but unordered)
Semantics
In each local transition a process may
• change its control state
• change the value of one of its parameters
• receive a message from its mailbox (blocking)
• send a message to a process it knows
• create a new process
Semantics
Global configurations are graphs
• nodes model
  – processes (node labels are control states)
  – messages (node labels are message kinds)
• edges model
  – mailboxes
  – process parameters
  – message data
Semantics
More formal models:
• DCS [Bauer, Schaefer, Toben, Westphal 2006]
• Dynamic I/O automata [Attie, Lynch 2001]
• π-calculus [Milner, Parrow, Walker 1992]
• Actors [Agha 1986]
• …
[Diagram: a Server and a Subscriber joined by a server edge and an enl(Cat1) edge; a Content(Cat1) message in the Subscriber's mailbox with a sender edge.]
“The server link of a Subscriber always points to a Server”
“Subscribers only receive content they are enlisted to”
“No process ever reaches a local error state”
Verification of Safety Properties
Shape Invariants
Overview
Part I – Decidability
Part II – Abstraction
Turing Completeness
[Diagram: encoding of a two counter machine; a state machine node is linked to counter1 and counter2, each counter being a chain of C nodes connected by next edges.]
Are there any interesting fragments with decidable verification problems?
Depth-Bounded Systems (DBS) [Meyer 2008]
Definition: A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable configurations.
The actual definition is in terms of π-calculus processes.
Depth-Bounded Systems (DBS)
[Diagram: the publish/subscribe configuration from before (Server, three Subscribers, two Publishers, server and enl edges, Content(Cat1) messages with sender edges); the maximal length of any simple path in it is 5.]
What is Decidable for DBS?
DBSs are well-structured transition systems [Meyer 2008].
Hence termination is decidable.
What about reachability?
Reset nets are DBSs [Meyer, Gorrieri 2009].
Reachability is undecidable for reset nets [Dufourd et al. 1998] and thus for DBSs.
The Covering Problem
[Diagram: an initial configuration init and a bad configuration bad.]
Given a transition system and a bad configuration, decide whether there is a reachable configuration that “covers” the bad one.
[Diagram of the bad pattern: a Subscriber with a server edge to the Server and an enl(Cat1) edge from it, holding a Content(Cat2) message with a sender edge.]
Application: verify absence of bad patterns
“Subscribers only receive content they are enlisted to”
The Covering Problem
The covering problem is decidable for DBSs [Wies, Zufferey, Henzinger FoSSaCS’10]
Well-Quasi-Orderings
Definition: A relation ≤ ⊆ S × S is a well-quasi-ordering iff
• ≤ is a quasi-ordering (reflexive and transitive)
• for any infinite sequence s1, s2, … there are i < j such that si ≤ sj
Examples
• identity relation on a finite set
• order on the natural numbers
• multiset extension of a well-quasi-ordering (Higman’s lemma)
Well-Structured Transition Systems (WSTS) [Finkel 1987]
Definition: A WSTS is a tuple (S, init, →, ≤) where
• (S, init, →) is a transition system
• ≤ is a well-quasi-ordering on S
• ≤ is compatible with the transition relation →: for all s, t, s’ ∈ S with s → s’ and s ≤ t there exists t’ ∈ S with t → t’ and s’ ≤ t’
Examples
• Petri nets
• lossy channel systems
[Diagram: the compatibility square, s → s’ above t → t’ with s ≤ t and s’ ≤ t’.]
Upward and Downward-Closures
[Diagram: a set X and its upward closure ↑X, a set Y and its upward closure ↑Y, drawn in the order ≤.]
↑X = {y ∈ S | ∃x ∈ X. x ≤ y}
Backward Algorithm for the Covering Problem of WSTS
[Diagram, built up over two slides: starting from bad, compute ↑bad, pre(↑bad), …, pre^k(↑bad) until the sequence of upward-closed sets stabilizes, and check whether init lies in it.]
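As an added illustration (not from the slides), the backward algorithm above run on the textbook WSTS, a Petri net. Markings are vectors in N^k ordered componentwise, which is a well-quasi-ordering by Dickson's lemma, so an upward-closed set is represented by its finite set of minimal elements and pre(↑m) is computed one transition at a time; both requirements of the algorithm, a decidable ≤ and an effectively computable pre, hold. The net, a lock-protected critical section for two processes, and its variant that forgets the lock are constructed for this example.

```python
# Added example: backward covering analysis of a Petri net (a WSTS).
# A transition is a pair (F, G): it consumes F and produces G, componentwise.

def covers(m, n):
    """m >= n componentwise, i.e. m lies in the upward closure of {n}."""
    return all(a >= b for a, b in zip(m, n))


def minimize(basis):
    """Keep only the minimal elements; they generate the same upward-closed set,
    and the canonical representation makes the fixpoint test an equality test."""
    basis = set(basis)
    return {m for m in basis if not any(n != m and covers(m, n) for n in basis)}


def pre_basis(m, transitions):
    """Minimal elements of pre(↑m). For a transition (F, G) the smallest marking
    that is enabled (>= F) and lands in ↑m after firing is F + max(0, m - G)."""
    return {tuple(f + max(0, a - g) for f, a, g in zip(F, m, G)) for F, G in transitions}


def backward_coverable(init, bad, transitions):
    """Iterate ↑bad, pre(↑bad), pre²(↑bad), ... until the basis is stable
    (guaranteed by the wqo), then test whether init is covered.
    Returns (coverable, final_basis)."""
    basis = {tuple(bad)}
    while True:
        new = minimize(basis | {p for m in basis for p in pre_basis(m, transitions)})
        if new == basis:
            return any(covers(tuple(init), m) for m in basis), basis
        basis = new


# Constructed net: places are (idle, crit, lock) with two processes and one lock.
ENTER = ((1, 0, 1), (0, 1, 0))   # idle + lock -> crit
LEAVE = ((0, 1, 0), (1, 0, 1))   # crit -> idle + lock
MUTEX = [ENTER, LEAVE]

# Same net with the lock check forgotten: enter no longer consumes the lock.
ENTER_UNLOCKED = ((1, 0, 0), (0, 1, 0))
BROKEN = [ENTER_UNLOCKED, LEAVE]

INIT = (2, 0, 1)   # two idle processes, lock free
BAD = (0, 2, 0)    # bad pattern: two processes in the critical section at once

if __name__ == "__main__":
    for name, net in (("mutex", MUTEX), ("broken", BROKEN)):
        coverable, basis = backward_coverable(INIT, BAD, net)
        print(name, "bad covered:", coverable, "basis:", sorted(basis))
```

For the correct net the final basis is {(0,2,0), (1,1,1), (2,0,2)} and the initial marking covers none of its elements, so the bad pattern is unreachable; in the broken net the basis contains (2,0,0), which (2,0,1) covers.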
Depth-Bounded Systems as WSTS
Depth-bounded systems form WSTS for
• their reachable configurations
• and the quasi-ordering induced by subgraph isomorphism
Next we show that this quasi-ordering is a well-quasi-ordering on the reachable configurations.
Closure of a Tree
Add edges according to transitive closure of the edge relation
Every (undirected) graph is contained in the closure of some tree.
Tree-Depth of a Graph
Definition: The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contains G.
[Diagram: a graph on v1, …, v5 and a tree of height 2 on the same nodes whose closure contains it; the tree depth is 2.]
Tree-Depth and Depth-Bounded Systems
Proposition: A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.
Hence the reachable configurations of a depth-bounded system have bounded tree-depth.
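To make the depth bound and the Proposition concrete, here is an added example (not part of the slides) that computes, for a single configuration graph, the length of its longest simple path (the quantity bounded in a depth-bounded system, as in the "maximal length of any simple path is 5" slide) and its tree-depth, and checks the two inequalities behind the Proposition. The configuration is constructed for the example: a Server, two Subscribers, a Publisher and one Content(Cat1) message. Tree-depth counts nodes on a root-to-leaf path, so a single node has tree-depth 1, matching the slide's "height is 2, tree depth is 2".

```python
from functools import lru_cache

# Constructed configuration (an assumption of this example, not a slide figure):
# Server S, Subscribers A and B, Publisher P, Content(Cat1) message M in A's mailbox.
# Edge kinds follow the slides: parameters (server, sender), enlistment (enl), mailbox.
CONFIG_EDGES = [
    ("A", "S", "server"), ("B", "S", "server"), ("P", "S", "server"),
    ("S", "A", "enl(Cat1)"), ("S", "B", "enl(Cat1)"),
    ("A", "M", "mailbox"), ("M", "P", "sender"),
]


def undirected(edges):
    """Adjacency sets of the underlying undirected simple graph; labels and
    directions play no role for simple-path length or tree-depth."""
    adj = {}
    for u, v, _label in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def longest_simple_path(adj):
    """Edges on the longest path without repeated nodes. A system is depth-bounded
    iff this value is bounded over all reachable configurations."""
    def extend(v, visited):
        return max((1 + extend(w, visited | {w}) for w in adj[v] if w not in visited),
                   default=0)
    return max(extend(v, frozenset([v])) for v in adj)


def components(nodes, adj):
    """Connected components of the subgraph induced by `nodes`."""
    remaining, comps = set(nodes), []
    while remaining:
        start = remaining.pop()
        comp, stack = {start}, [start]
        while stack:
            for w in adj[stack.pop()]:
                if w in remaining:
                    remaining.remove(w)
                    comp.add(w)
                    stack.append(w)
        comps.append(frozenset(comp))
    return comps


def tree_depth(adj):
    """td(G) via its recursive characterization: 0 for the empty graph, 1 for a
    single node, the maximum over components when G is disconnected, otherwise
    1 + min over the root v of td(G - v). Exponential, fine for small graphs."""
    @lru_cache(maxsize=None)
    def td(nodes):
        if not nodes:
            return 0
        comps = components(nodes, adj)
        if len(comps) > 1:
            return max(td(c) for c in comps)
        if len(nodes) == 1:
            return 1
        return 1 + min(td(nodes - {v}) for v in nodes)
    return td(frozenset(adj))


def depth_report(edges):
    """(longest simple path in edges, tree-depth), after checking the standard
    bounds behind the Proposition: a graph whose longest path has k nodes has
    td <= k (a DFS tree of height k has G in its closure), and a graph of
    tree-depth d has no path with more than 2**d - 1 nodes. So one quantity is
    bounded over a set of graphs iff the other is."""
    adj = undirected(edges)
    path_len, td = longest_simple_path(adj), tree_depth(adj)
    path_nodes = path_len + 1
    assert td <= path_nodes <= 2 ** td - 1
    return path_len, td


if __name__ == "__main__":
    print("longest simple path / tree-depth:", depth_report(CONFIG_EDGES))
```

For this configuration the longest simple path has 4 edges (B-S-A-M-P) and the tree-depth is 3: the 4-cycle S-A-M-P forces at least 3, and deleting S leaves a path and an isolated node, each of tree-depth at most 2.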
Tree Encodings of Depth-Bounded Graphs
[Diagram: a graph G on v1, …, v5 and its tree encoding tree(G).]
The number of labels used in the encoding is finite.
Homeomorphic Tree Embedding ≼
We can show for all graphs G1, G2:
tree(G1) ≼ tree(G2) implies that G1 is below G2 in the quasi-ordering induced by subgraph isomorphism.
Kruskal’s Tree Theorem
Theorem [Kruskal 1960]: Homeomorphic tree embedding is a well-quasi-ordering on finite labeled trees.
Theorem [Laver 1971]: Homeomorphic tree embedding is a better-quasi-ordering on finite labeled trees.
⇒ subgraph isomorphisms induce a better-quasi-ordering on the reachable configurations of a depth-bounded system.
Backward Algorithm for the Covering Problem of WSTS
[Diagram: ↑bad, pre(↑bad), …, pre^k(↑bad) and init, as before.]
Requirements
• ≤ is decidable
• pre is effectively computable
Backward Analysis of DBSs
• the WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations
• reachability is undecidable, so pre is not computable for the induced WSTS
• only option: if the bound of the system is k, define the WSTS wrt. the set of all graphs of depth at most k
⇒ termination of a backward analysis can only be ensured if the bound of the system is known a priori.
The standard algorithm is not a decision procedure for the covering problem of DBS.
Backward Analysis is Impractical
[Diagram, shown on two slides: a Server and a Subscriber joined by a server edge, and a Subscribe(Cat1) message whose sender edge the analysis has to guess.]
Backward analysis has to guess the sender (and other parameters) of sent messages
⇒ explosion in the nondeterminism
This is similar to the aliasing problem for backward analysis of programs with pointers.
Is there a forward analysis that decides the covering problem?
Forward Analysis of a WSTS
[Diagram, built up over two slides: starting from init, compute ↓init, ↓post(↓init), …, ↓post^k(↓init) and check whether bad is reached.]
We need “limits” of all downward-closed sets for termination.
Loop Acceleration à la Karp-Miller
[Diagram: a Server repeatedly takes a transition σ, creating a Subscriber each time; the limit configuration is the Server together with a Subscriber+ node standing for arbitrarily many Subscribers.]
Idea for loop acceleration: record which parts of a configuration can be duplicated.
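As an added example (not from the slides), the same acceleration idea in its original Karp-Miller setting, where a configuration is a vector of counters and the duplicable part is recorded with an ω coordinate, the counter analogue of the Subscriber+ node. The net is a constructed counter abstraction of the slide's loop: one server place and one subscriber place, with a spawn transition that keeps the server and adds a subscriber, and a leave transition that removes one.

```python
# Added example: Karp-Miller forward analysis with loop acceleration.
OMEGA = float("inf")   # "arbitrarily many", the limit of repeating a loop


def dominates(m, n):
    """m >= n componentwise (ω dominates every finite value)."""
    return all(a >= b for a, b in zip(m, n))


def fire(m, F, G):
    """Fire a transition consuming F and producing G; ω absorbs +/-."""
    return tuple(a - f + g for a, f, g in zip(m, F, G))


def accelerate(m, ancestors):
    """If m strictly dominates an ancestor on the current path, the loop between
    them can be repeated arbitrarily often, so every coordinate that grew is
    set to ω: the limit configuration of all unfoldings of that loop."""
    for a in ancestors:
        if m != a and dominates(m, a):
            m = tuple(OMEGA if x > y else x for x, y in zip(m, a))
    return m


def karp_miller(init, transitions):
    """Finite covering set of the reachable markings: every reachable marking is
    dominated by some returned node, and each node is a limit of reachable
    markings. Acceleration is what makes the exploration terminate."""
    init, nodes = tuple(init), set()
    stack = [(init, ())]                 # (marking, ancestors on its path)
    while stack:
        m, path = stack.pop()
        if m in nodes:                   # already explored: leaf of the tree
            continue
        nodes.add(m)
        for F, G in transitions:
            if dominates(m, F):          # transition enabled
                succ = accelerate(fire(m, F, G), path + (m,))
                stack.append((succ, path + (m,)))
    return nodes


def forward_coverable(init, bad, transitions):
    """bad is coverable iff some node of the covering set dominates it."""
    return any(dominates(n, tuple(bad)) for n in karp_miller(init, transitions))


# Constructed counter abstraction of the server/subscriber loop: places (server, subscriber).
SPAWN = ((1, 0), (1, 1))   # server -> server + subscriber
LEAVE = ((1, 1), (1, 0))   # server + subscriber -> server
NET = [SPAWN, LEAVE]
INIT = (1, 0)

if __name__ == "__main__":
    print("covering set:", karp_miller(INIT, NET))            # {(1, 0), (1, inf)}
    print("3 subscribers coverable:", forward_coverable(INIT, (1, 3), NET))
    print("2 servers coverable:", forward_coverable(INIT, (2, 0), NET))
```

The run produces the two nodes (1, 0) and (1, ω); the second is the counterpart of the "Server with Subscriber+" limit configuration, and it answers every covering question about subscriber counts without exploring them one by one.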
Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]
[Diagram: a wqo set X, an ADL Y for X, and the denotation γ from Y to downward-closed subsets of X.]
For every z ∈ Y, γ(z) is a downward-closed subset of X
Every downward-closed subset of X is generated by a finite subset E of Y ∪ X
[Diagram: a downward-closed subset of X generated by a finite set E = E1 ∪ E2.]
Expand, Enlarge, and Check
Theorem [Geeraerts, Raskin, Van Begin 2006]: There exists an algorithm that decides the covering problem for WSTS with effective ADL.
[Diagram: increasing chains of finite sets X1 ⊆ X2 ⊆ … ⊆ X and Y1 ⊆ Y2 ⊆ … ⊆ Y explored by the algorithm.]
Next: an ADL for depth-bounded systems
Limit Configurations
[Diagram: a limit configuration L, a Server with Subscriber+ and Content+ nodes, and its unfoldings: the Server with one, two, three, … Subscribers and Content messages.]
Denotation: γ(L) is the downward-closure of all unfoldings of L
An ADL for Depth-Bounded Systems
[Diagram: the limit configuration Server with Subscriber+.]
Theorem: Limit configurations form an ADL for depth-bounded graphs.
Corollary: The EEC algorithm decides the covering problem for depth-bounded systems.
Canonical Adequate Domain of Limits
Theorem [Finkel, Goubault-Larrecq 2009]: The downward-closed directed subsets of a wqo set X form an ADL for X.
A directed set for a qo (X, ≤) is
• a nonempty subset of X
• in which every two elements have an upper bound within the set
[Diagram: a wqo set X with directed downward-closed subsets D1, …, D5.]
Hedge Automata
A = (Q, Σ, Qf, Δ)
Q = {p, q, r, s}
Σ = {a, b, c}
Qf = {p}
Δ = {a(ε) → s, b(ε) → r, c(s r* s) → q, a(q+) → p}
[Diagram: a run of A on a tree with root a and two c children whose leaves are labeled a and b; the leaves are assigned states s and r, the c nodes state q, and the root the final state p.]
Proof Sketch
To prove: For every directed downward-closed set D there exists a limit configuration L with D = γ(L).
Look at the tree encodings tree(D) and construct a hedge automaton A_D such that D = ↓tree⁻¹(L(A_D)).
From A_D construct the limit configuration L.
[Diagram: a directed downward-closed set D, its tree encodings, the automaton A_D and the limit configuration L.]
Further Related Work
Meyer, Gorrieri 2009 – depth-bounded systems and place/transition nets
Finkel, Goubault-Larrecq 2009 – Karp-Miller-style forward analysis of WSTSs with ADLs
Ganty, Raskin, Van Begin 2006 – forward analysis of WSTSs without ADLs
Dam 1993, Amadio, Meyssonnier 2002 – decidable fragments of the π-calculus
Sangiorgi 1996, Busi et al. 2003, Ostrovský 2005 – type systems for the π-calculus
Bauer, Wilhelm 2007 – shape analysis for depth-bounded systems
Part II – Abstraction
Leader Election in a Ring
[Diagram, built up over four slides: a ring of processes with ids 9, 4, 2, 6, 3; the ids are passed around the ring until only 9, the maximum, remains.]
Safety property
∀x y. x, y ∈ Ring ∧ Leader(x) ∧ Leader(y) → x = y
Goal: verify the property for all rings ⇒ no longer a depth-bounded system
Leader Election in a Ring
[Diagram: the ring with ids 9, 4, 2, 6, 3; the node 6 and the pointer max are highlighted.]
Safe inductive invariant
∀x. x ∈ Ring ↔ left*(max, x)
∀x. x ∈ Ring → id(x) ≤ id(max)
∀x y. x, y ∈ Ring ∧ id(x) = buffer(y) → (λz1 z2. left(z1) = z2 ∧ z1 ≠ max)*(x, y)
∀x y. x, y ∈ Ring → Leader(x) ∧ Leader(y) → x = y
Challenges
• quantified invariants
• reasoning in complex theories
Symbolic Analysis
• use of formulas to represent sets of states
  – simplicity
• abstract domain ⊆ concrete domain
• abstraction ≃ logical entailment
  – soundness by construction
• use of automated reasoning procedures
  – automation (construction of abstract transition graphs)
  – separation of concerns (black-boxing)
  – get leverage from the automated reasoning community
• use of abstraction refinement
  – more automation (construction of the abstract domain)
  – efficiency (targeted precision)
Existing tools: SLAM, BLAST, ARMC, MAGIC, SLAB, …
Predicate Abstraction
P1 ≡ x ≤ 0   P2 ≡ y > 0   …
[Diagram: the state space partitioned by the predicates into blocks ¬P1, ¬P2, ¬P3 / P1, ¬P2, ¬P3 / P1, ¬P2, P3 / P1, P2, ¬P3 / …, with the reachable states and the error states marked; an abstract state is a conjunction P1 ∧ P2 ∧ ….]
3-valued Shape Analysis [Sagiv, Reps, Wilhelm POPL’99]
Partition state graphs according to a finite set of predicates on nodes.
[Diagram: a list pointed to by x, linked by next edges to null, with a second pointer y, and its abstract state graph.]
P1(v) ≡ next*(x, v)   P2(v) ≡ x = v   P3(v) ≡ null = v
Abstract state graphs induce a finite partitioning of the state space
Predicate abstraction: use state predicates to finitely partition the transition graph.
(3-valued) shape analysis: use node predicates to finitely partition the state graphs, to obtain state predicates that finitely partition the transition graph.
In a Nutshell…
Shape Analysis = 2Predicate Abstraction
But the analogy only goes so far…
Symbolic Shape Analysis
Credo
• apply not only the idea but also the techniques of predicate abstraction in the context of shape analysis
• and take advantage of all the benefits
Overview
• Boolean Heaps
  – generalizes predicate abstraction (infers universally quantified invariants)
  – uses the key idea of 3-valued shape analysis (predicates on nodes in the state graphs)
  – enables use of automated reasoning procedures to construct the abstract transition graph
• Counterexample-Guided Focus
  – novel CEGAR algorithm
  – enables use of automated reasoning procedures to
    • automatically construct the abstract domain
    • automatically adapt the precision of the abstract transformer
Boolean Heaps [Podelski, Wies SAS’05]
Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition graphs according to a finite set of predicates.
[Diagram, built up over two slides: a heap graph with nodes labeled 0, 7, 3, 5 and its abstract state.]
Abstract domain: disjunctions of abstract states
Most Precise Abstract Transformer
[Diagram, built up over two slides: the abstract transformer for the loop yields an inductive invariant for it; verification succeeds!]
[Diagram: reachable states and error states in the state space.]
Precision-Efficiency Tradeoff
The number of abstract states is doubly-exponential in the number of predicates
The most precise abstract transformer is impractical
• expensive to construct
• keeps track of irrelevant information
Solution: apply additional abstraction
Cartesian Abstraction
[Diagram: a set S of vectors over x and y and its over-approximation Sx × Sy by the projections Sx and Sy.]
…, [Cousot, Cousot PPCA’95], [Ball, Podelski, Rajamani TACAS’01], … for abstracting sets of vectors
• abstract states are sets of bit-vectors
• Cartesian abstraction applies
• the abstract transformer with Cartesian abstraction is efficiently implementable:
  – check entailments between QF formulas
  – number of entailment checks polynomial in the number of predicates
• precise enough for many practical examples
• not precise enough for many practical examples
Abstract Transformer with Cartesian Abstraction
[Diagram, two example loops (heap nodes 3, 7 and 0, 7): for the first, the Cartesian abstract transformer still yields an inductive invariant and verification succeeds; for the second it does not and verification fails.]
Overview
• Boolean Heaps
• Counterexample-Guided Focus
Focus
Common recipe in shape analysis
– start from a coarse but efficient abstract transformer
– adapt precision to each individual program statement and individual data structure (partial concretization / materialization / focus)
Problem: fine-tuning precision uniformly makes the analysis again too precise (i.e., often inefficient)
Exciting research direction: parameterized focus that adapts the abstract transformer to the individual verification tasks, e.g. [Manevich et al., 2004, 2007, 2009]
Fine-Tuned Focus
Idea: take this direction to its logical extreme
Fine-tune focus to the individual steps of the analysis of the individual verification task
[Diagram, built up over three slides: reachable states and error states; instead of fixed uniform precision… adapt precision locally and lazily.]
Counterexample-Guided Focus [Podelski, Wies POPL’10]
This fine-tuning must be automated. We use counterexamples for this purpose.
• analysis of the abstract program produces spurious counterexamples
• spuriousness results from an imprecise abstract transformer
• construct a fine-tuned focus operator that locally adapts the precision of the abstract transformer
  – locally refine the abstract domain of the pre-image of the abstract transformer
  – locally refine the pre-image itself by splitting disjuncts below and above the universal quantifier
  – both refinements are guided by the spurious counterexample
Counterexample-Guided Focus [Podelski, Wies POPL’10]
[Diagram: loss of precision under Cartesian abstraction, S versus Sx × Sy; the splitting of S into disjuncts is guided by counterexamples.]
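The precision loss of Cartesian abstraction and the disjunct splitting that focus uses to repair it, as an added example (not from the slides or from Bohne). An abstract state of a Boolean heap is a set of bit-vectors, one per heap node, over the node predicates; the example is constructed with three unnamed predicates and a set S in which two predicates are mutually exclusive, which is exactly the kind of correlation the product Sx × Sy forgets. `focus_on` picks the predicate to split on from a spurious vector, a simplified stand-in for the counterexample-guided choice the slides describe.

```python
from itertools import product

# Constructed abstract state: bit-vectors over predicates (P1, P2, P3) on heap nodes.
# P1 and P2 never hold together, P3 is unconstrained when P1 holds.
S = {(0, 1, 0), (1, 0, 0), (1, 0, 1)}


def cartesian(S):
    """Cartesian abstraction: replace a set of vectors by the product of its
    componentwise projections S_1 × ... × S_n. Each projection is computed
    independently, which is why it is cheap (one check per predicate)."""
    if not S:
        return set()
    n = len(next(iter(S)))
    projections = [{v[i] for v in S} for i in range(n)]
    return set(product(*projections))


def spurious(S):
    """Vectors the abstraction adds but S does not contain: the precision loss."""
    return cartesian(S) - S


def split_then_abstract(S, i):
    """Focus-style refinement: split the disjunct S on predicate i and abstract each
    part separately. The union of the two products is always contained in
    cartesian(S), so splitting can only gain precision."""
    parts = [{v for v in S if v[i] == b} for b in (0, 1)]
    return set().union(*(cartesian(p) for p in parts if p))


def focus_on(S, spurious_vector):
    """Counterexample-guided choice of where to split: the first predicate whose
    split removes the spurious vector from the abstraction, or None if no single
    split does (then a deeper refinement would be needed)."""
    for i in range(len(spurious_vector)):
        if spurious_vector not in split_then_abstract(S, i):
            return i
    return None


if __name__ == "__main__":
    print("cartesian(S) adds", sorted(spurious(S)))        # five spurious vectors
    i = focus_on(S, (1, 1, 1))
    print("split on predicate", i, "gives", sorted(split_then_abstract(S, i)))
```

Splitting on P1 recovers S exactly, because within each half the remaining predicates are uncorrelated; splitting on P3 still leaves two spurious vectors, which is why the choice of split matters and why the slides let the counterexample drive it.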
Effect of Counterexample-Guided Focus
[Diagram: the two example loops from the Cartesian-abstraction slide (heap nodes 3, 7 and 0, 7) with their inductive invariants; verification succeeds! / verification fails!]
Nested Lazy CEGAR Loop
• outer loop refines abstract domain by inferring new predicates
• inner loop fine-tunes abstract transformer using counterexample-guided focus
Progress theorem: every spurious counterexample is eventually eliminated
Bohne: Implementation of Symbolic Shape Analysis
Verified data structure implementations:
• (doubly-linked) lists
• lists with iterators
• sorted lists
• skip lists
• search trees
• trees w/ parent pointers
• threaded trees
[Diagram: a search tree with a root pointer and nodes 6, 3, 9, 1, 5, 4, and a first pointer.]
Verified properties:
• absence of runtime errors
• shape invariants: acyclic, sharing-free, doubly-linked, parent-linked, threaded, sorted, …
• partial correctness
No manual adaptation of abstract domain / abstract transformer required.
We are currently extending the implementation to message passing systems.
Further Related Work
Shape analysis
• three-valued shape analysis [Sagiv, Reps, Wilhelm 2002]
  – decision procedures in TVLA [Yorsh et al. 2004, …, Lev-Ami et al. 2006]
  – parameterized focus for concurrent programs [Manevich et al., 2004, 2007, 2009]
• …
Predicate abstraction
• CE-guided refinement of abstract transformers [Das, Dill 2002]
• nested refinement for predicate abstraction [Ball et al. 2004]
• indexed predicate abstraction [Lahiri, Bryant 2004]
• lazy abstraction [Henzinger et al. 2002]
• lazy shape analysis [Beyer et al. 2006]
Interpolants
• quantified Craig interpolants [McMillan 2008, Kovács, Voronkov 2009]
• abstractions from proofs [Henzinger et al. 2004]
Template-based techniques [Gulwani et al. 2008, Srivastava, Gulwani 2009]