forward analysis of depth-bounded processes thomas wies damien zufferey tom henzinger in...
TRANSCRIPT
Forward Analysis of Depth-Bounded Processes
Thomas Wies Damien Zufferey Tom Henzinger
In FoSSaCS’10
Motivation
Verify concurrent systems with• synchronization via message passing• unbounded dynamic process creation (name generation)• dynamic communication topology (name mobility)
Examples• Actors [G. Agha 1986] in languages such as Scala, Erlang• Distributed (mobile) systems …
A Publish/Subscribe Service in Scalasealed abstract class Categorycase object Cat1 extends Category...case object CatN extends Categorycase object Listcase class Categories(cats: Set[Category])...class Server extends Actor { def loop(enl: Map[Category,Set[Actor]]){ val cats = Set(Cat1,...,CatN) react { case List => { reply(Categories(cats)) react { case Subscribe(c) => loop(enl + c -> (enl(c) + sender)) } } case Unsubscribe(c) => loop(enl(c) + c -> (enl(c) - sender)) case Publish => { reply(Who) react { case Credential => if (*) { reply(Categories(cats)) react { case Content(c) => enl(c).forall( _ ! Content(c)) loop(enl) } } else { reply(Deny) loop(enl) } } } } } override def act() = loop({_ => EmptySet})}
class Subscriber(server: Actor) extends Actor { def loop(cat: Category): Unit = { if (*) { react { case Content(c) => if (c != cat) error("...") ... } } else { server ! Unsubscribe(cat) exit('normal) } }
override def act(): Unit = { server ! List react { case Categories(cats) => val cat = cats.choose loop(cat) } }}
class Publisher(server: Actor) extends Actor { override def act(): Unit = { server ! Publish react { case Who => reply(Credential) react { case Categories(cats) => val c = cats.choose reply(Content(c)) if (*) act() else exit('normal) case Deny => exit('badCredential) } } }}
A Publish/Subscribe Service in Scala
Server
Subscriber
Subscriber
Publisher
Publisher
server
server
enl(Cat1)
Subscriber
server
server
server
enl(Cat2) Subscribe(Cat1)
sender
A Publish/Subscribe Service in Scala
Server
Subscriber
Subscriber
Publisher
Publisher
server
server
enl(Cat1)
Subscriber
server
server
server
enl(Cat2)
Subscribe(Cat1)
senderenl(Cat1)
A Publish/Subscribe Service in Scala
Server
Subscriber
Subscriber
Publisher
Publisher
server
server
enl(Cat1)
Subscriber
server
enl(Cat1)
server
server
enl(Cat2)
Content(Cat1)sender
A Publish/Subscribe Service in Scala
Server
Subscriber
Subscriber
Publisher
Publisher
server
server
enl(Cat1)
Subscriber
server
enl(Cat1)
server
server
enl(Cat2)
Content(Cat1)
sender
Content(Cat1) Content(Cat1)sendersender
Infinite state system• number of Subscriber and Publisher processes and• number of messages in mailboxes can grow unboundedly
Semantics
Interleaving of local transitions of processes.
Processes have• an associated name• finitely many control states• finitely many parameters
(denoting names of other processes)
• an associated mailbox (unbounded but unordered)
Semantics
Interleaving of local transitions of processes.
In each local transition a process may• change its control state• change the value of one of its parameters• receive a message from its mailbox (blocking)• send a message to a process it knows• create a new process
Semantics
Global configurations are graphs• nodes model
– processes (node labels are control state)– messages (node labels are message kinds)
• edges model– mailboxes– process parameters– message data
Semantics
More formal• Actors [Agha 1986]• ¼-calculus [Milner, Parrow, Walker 1992]• Dynamic I/O automata [Attie, Lynch 2001]
• …
Server
Subscriber
server
enl(Cat1)
Content(Cat1)sender
“The server link of a Subscriber always points to a Server”
“Subscribers only receive content they are enlisted to”
“No process ever reaches a local error state”
Verification of Safety Properties
Shape Invariants
Turing Completeness
Statemachine
Ccounter1 C
nextC
next
C Cnext
counter2
Encoding of a two counter machine
Are there any interesting fragments with decidable verification problems?
Depth-Bounded Systems (DBS)[Meyer 2008]
DefinitionA system is depth-bounded iffthere exists a constant that bounds the lengthof all simple paths in all reachable configurations.
The actual definition is in terms of ¼-calculus processes.
Depth-Bounded Systems (DBS)
Server
Subscriber
Subscriber
Publisher
Publisher
server
server
enl(Cat1)
Subscriber
server
enl(Cat1)
server
server
enl(Cat2)
Content(Cat1)
sender
Content(Cat1)sender
maximal length of any simple path is 5
What is Decidable for DBS?
DBSs are well-structured transition systems [Meyer 2008].
Termination is decidable
What about reachability?
Reset nets are DBSs [Meyer, Gorrieri 2009].
Reachability is undecidable for reset nets [Dufourd et al.1998] and thus for DBSs
The Covering Problem
init bad
Given a transition system and a bad configuration
decide whether there is a reachable configuration that “covers” the bad one.
Server
Subscriber
server
enl(Cat1)
Content(Cat2)sender
Application: verify absence of bad patterns
“Subscribers only receive content they are enlisted to”
The Covering Problem
The covering problem is decidable for DBSs
Well-Quasi-Orderings
DefinitionA relation · µ S £ S is a well-quasi-ordering iff• · is a quasi-ordering (reflexive and transitive)• for any infinite sequence s1, s2, … there are
i < j such that si · sj
Examples• identity relation on a finite set• order on the natural numbers• multiset extension of a well-quasi-ordering
(Higman’s lemma)
Well-Structured Transition Systems (WSTS) [Finkel 1987]
DefinitionA WSTS is a tuple (S, init, !, ·) where• (S, init, !) is a transition system• · is a well-quasi-ordering on S• · is compatible with the transition relation !:
for all s, t, s’ 2 S with s ! s’ and s · t there exists t’ 2 S with t ! t’ and s’ · t’
Examples• Petri nets• lossy channel systems
s s’
t t’
Upward and Downward-Closures
"X
X
·
Y
·
"Y
"X = {y 2 S | 9 x 2 X. x · y}
Backward Algorithm for the Covering Problem of WSTS
bad
"badpre("bad)
…prek("bad)
init
Backward Algorithm for the Covering Problem of WSTS
bad
"badpre("bad)
…prek("bad)
init
…
Depth-Bounded Systems as WSTS
Depth-bounded systems form WSTS for• their reachable configurations • and the quasi-ordering “ “ induced by
subgraph isomorphism
Next we show that “ “ is a well-quasi-ordering on the reachable configurations
Closure of a Tree
Add edges according to transitive closure of the edge relation
Every (undirected) graph is contained in the closure of some tree.
Tree-Depth of a Graph
DefinitionThe tree-depth td(G) of a graph G is the minimal height of all trees whose closure contain G.
v1
v2
v4
v3v5
v1
v2
v4
v3
v5
height is 2tree depth is 2
Tree-Depth and Depth-Bounded Systems
PropositionA set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.
the reachable configurations of a depth-bounded system have bounded tree-depth.
Tree Encodings of Depth-Bounded Graphs
v1
v2
v4
v3v5
v1
v2
v4
v3
v5
G tree(G)
Number of labels used in the encoding is finite.
Take a minimal tree whose closure contains the graph G.Label each node v in the tree by the subgraph of G induced by the nodes on the path to v.
Homeomorphic Tree Embedding
¹
tree(G1) ¹ tree(G2) implies G1 G2
We can show for all graphs G1, G2:
Kruskal’s Tree Theorem
Theorem [Kruskal 1960]Homeomorphic tree embedding is a well-quasi-ordering on finite trees labelled by a WQO set.
subgraph isomorphisms induce a better-quasi-ordering on the reachable configurations of a depth-bounded system.
Theorem [Laver 1971]Homeomorphic tree embedding is a better-quasi-ordering on countable trees labelled by a BQO set.
Backward Algorithm for the Covering Problem of WSTS
bad
"badpre("bad)
…prek("bad)
initRequirements• · is decidable• pre is effectively computable
Backward Analysis of DBSs
• WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations
• reachability is undecidable so pre is not computable for the induced WSTS
• only option: if bound of the system is k, define WSTS wrt. the set of all graphs of depth at most k
termination of a backward analysis can only be ensured if the bound of the system is known a priori.
Standard algorithm is not a decision procedure for the covering problem of DBS.
Backward Analysis is Impractical
Server
Subscriber
server
Subscribe(Cat1)
sender
Backward analysis has to guess sender (and other parameters) of sent messages
explosion in the nondeterminism
Backward Analysis is Impractical
Server
Subscriber
server
Subscribe(Cat1)
sender
Backward analysis has to guess sender (and other parameters) of sent messages
explosion in the nondeterminism
This is similar to the aliasing problem for backward analysis of programs with pointers
?
Is there a forward analysis that decides the covering problem?
Forward Analysis of a WSTS
init
#init #post(#init)… #postk(#init)
bad
Forward Analysis of a WSTS
init
#init #post(#init)… #postk(#init)
bad
We need “limits” of all downward-closed sets for termination.
Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]
X YD
wqo set ADL for X
°
For every z 2 Y, °(z) is a downward-closed subset of X
X D
wqo set ADL for X
° Y
Every downward-closed subset of X is generated by a finite subset E of Y [ X
E1
E2
E = E1 [ E2
Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]
Expand, Enlarge, and Check
Theorem [Geeraerts, Raskin, Van Begin 2006]
There exists an algorithm that decides the covering problem for WSTS with effective ADL.
X1
Y1
X2
Y2
X2
Y2
… µ X
µ Y
µ
…µ
µ
µ
µ
µ
Next: an ADL for depth-bounded systems
Server
Loop Acceleration à la Karp-Miller
Server
Subscriber SubscriberSubscriber
Server
¾ ¾
+
limit configuration
Idea for loop accelerationRecord which parts of a configuration can be duplicated.
Content
Server
Limit Configurations
Server
Subscriber Subscriber
Subscriber+
+Content
ContentContent
Server
Subscriber
Content
°
…
Denotation °(L) is downward-closure of all unfoldings of L
An ADL for Depth-Bounded Systems
Server
Subscriber+
TheoremLimit configurations form an ADL for depth-bounded graphs.
CorollaryThe EEC algorithm decides the covering problem for depth-bounded systems.
Theorem [Finkel, Goubault-Larrecq 2009]
The downward-closed directed subsets of a wqo set X form an ADL for X.
Canonical Adequate Domain of Limits
X
A directed set for qo (X, ·) is• a nonempty subset of X• closed under upper bounds
·· X
D
D1
D2
D3
D4
D5
= (Q,§,Qf,¢)Q = {p,q,r,s}§ = {a,b,c}Qf = {p}¢ = {a(²) → s b(²) → r c(sr*s) → q a(q+) → p}
Hedge Automata
A a
c c
a a a ab
s s s sr
q q
p
To proof: For every directed downward-closed set , there exists a limit configuration with D
Proof Sketch
LD = °(L)
tree(D)Look at the tree encodings and construct a hedge automaton such that
From construct the limit configuration .
AD
D = #tree¡ 1(L (AD ))
AD L
Proof Sketch
…
…
directed dc set
Further Related WorkMeyer, Gorrieri 2009 –
depth-bounded systems and place/transition nets
Finkel, Goubault-Larreqc 2009 – Karp-Miller-style forward analysis of WSTSs with ADLs
Ganty, Raskin, Van Begin 2006 –Forward analysis of WSTSs without ADLs
Dam 1993, Amadio, Meyssonnier 2002 –decidable fragments of the ¼-calculus
Sangiorgi 1996, Busi et al. 2003, Ostrovský 2005 –type systems for the ¼-calculus
Bauer (Kreiker), Wilhelm 2007 –shape analysis for depth-bounded systems
Conclusions
• many real-life examples of message passing systems are depth-bounded
• many interesting safety properties are expressible in terms of covering
• our main result: the covering problem is decidable for depth-bounded systems
• our ADL suggests a whole spectrum of forward analyses for depth-bounded systems