theory-aided model checking of concurrent transition systems guy katz, clark barrett, david harel...
DESCRIPTION
The Difficulties Automation 1.Partition the system into modules 2.Choose “good” module properties 3.Prove module properties 4.Prove global property A very difficult problem! 3TRANSCRIPT
![Page 1: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/1.jpg)
Theory-Aided Model Checking of Concurrent Transition Systems
Guy Katz, Clark Barrett, David Harel
New York UniversityWeizmann Institute of Science
![Page 2: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/2.jpg)
2
Compositional VerificationA divide and conquer verification approach
No need to explore all composite states
𝑃 𝜑⊨
𝜑1⊨𝜑2⊨𝜑3⊨
![Page 3: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/3.jpg)
3
The DifficultiesAutomation
1. Partition the system into modules2. Choose “good” module properties3. Prove module properties4. Prove global property
A very difficult problem!
![Page 4: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/4.jpg)
4
Our ApproachTrade generality for effectiveness
◦ Do well on specific classes of programs
We present a fully automatic, compositional approach◦ Handle concurrent programs written in the RWB
model◦ Based on SMT solving
![Page 5: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/5.jpg)
5
Transition
Systems
An SMT-Driven Process
SMTSolver
Arithmetic Arrays
Input program
SAT (unsafe)or
UNSAT (safe)
Assertion:
Transition
Systems
![Page 6: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/6.jpg)
6
A Theory of Transition SystemsDecision procedure: state space traversal
Look for known patterns in the input◦ Generate lemmas for other theory solvers
Lemmas allow other theories to aid in the verification◦ Prune the search space◦ Can significantly reduce verification time
![Page 7: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/7.jpg)
7
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
![Page 8: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/8.jpg)
8
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
![Page 9: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/9.jpg)
9
Request / Wait / Block (RWB)RWB programs have events and threads
Threads synchronize and declare1. Requested events 2. Waited-for events 3. Blocked events
Trigger an event that is requested and not blocked
Inform threads that requested / waited-for the event
![Page 10: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/10.jpg)
10
B-s
Block
Wait
Request
Threads
The Execution Cycle
![Page 11: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/11.jpg)
11
requested and not blocked at rightmost states◦ Precisely every 6 steps
Toy Example
𝑅=0 ,10
0 ,1
0
0 ,1
𝑅=0 ,10
Trace: Trace: Trace: Trace: Trace: Trace: Trace:
![Page 12: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/12.jpg)
12
Why RWB?RWB idioms are common
◦ Publish / Subscribe systems◦ Supervisory control◦ Live Sequence Charts (LSCs)◦ Behavioral Programming
The strict synchronization mechanism facilitates reasoning about individual threads
Makes finding module properties easier
![Page 13: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/13.jpg)
13
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
![Page 14: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/14.jpg)
14
The Transition System (TS) Solver Input:
◦ Formulas describing RWB threads◦ An assertion that the program is unsafe
A deadlock state is reachable Safety reducible to deadlock freedom
Output:◦ SAT if the property is violated (+ counter-example)◦ UNSAT if the property holds
![Page 15: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/15.jpg)
15
Basic Decision Procedure𝑞0
𝑞1𝑞3
𝑞2
¬𝑠𝑎𝑓𝑒(𝑠)
¬𝑠𝑎𝑓𝑒 (𝑠 )
¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞0)
¬𝑠𝑎𝑓𝑒 (𝑠 )
¬𝑠𝑎𝑓𝑒 (𝑠 )⊥
START
DECIDE DECIDE
DECIDE
UNSAT
𝑞0
𝑞1
𝑞2
𝑞3
¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞1)¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞2)
SATTheory-valid lemmas:
![Page 16: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/16.jpg)
16
Pattern MatchingDuring state space traversal, TS looks for
thread patterns◦ Structural properties of threads◦ Checked on each thread separately (compositionally)
When a pattern applies, lemmas are generated◦ From the languages of other theory solvers◦ The SMT core handles the interfaces
Other solvers can then curtail the search space
![Page 17: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/17.jpg)
17
Property: never
7 composite states
Pattern Matching: Example
𝑅=0 ,10
0 ,1
0
0 ,1
𝑅=0 ,10
𝐵=0 ,1
1
![Page 18: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/18.jpg)
18
𝑅=0 ,10
0 ,1Looped thread:
Step index determines state
Recognizing looped threads:Every state has successor
Also looped
Looped Threads
0
0 ,1
𝑅=0 ,10
![Page 19: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/19.jpg)
19
𝑝1 𝑝2𝑅=0 ,10
0 ,1
𝑝2 𝑞10
0 ,1
𝑞2 𝑞3𝑅=0 ,10
Where can be triggered?◦ Only where it is not blocked
Generate the lemma:
Generating Lemmas
𝑞3
![Page 20: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/20.jpg)
This part of the lemma:
indicates that state is reachable
The SMT core asserts it to the arithmetic solver
If no such exists, return UNSAT ◦ State is unreachable
Otherwise continue from state ◦ Skip intermediate states
Generating Lemmas (cnt’d)
![Page 21: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/21.jpg)
Matchers implemented as C++ classes
Take the input transition systems, answer yes/no◦ If pattern holds, invoked every time a new state is visited◦ Get to generate lemmas
Internally, very flexible ◦ Compute strongly connected components◦ Check when events are always blocked / never requested◦ Threads are small, so this is cheap
Restriction: don’t construct the composite state graph!
Implementing Pattern Matchers
![Page 22: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/22.jpg)
The technique is useful only when a pattern applies
Can a few stored patterns apply to many programs?◦ Examples in next sections
Adding patterns is amortized over future applications
Portfolio approach: quickly recognize that no pattern matches
Limitations
![Page 23: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/23.jpg)
23
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
![Page 24: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/24.jpg)
24
Shared Arrays in RWBLocally, threads can use any construct
◦ Arrays, lists, etc
Inter-thread shared arrays – only through RWB
![Page 25: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/25.jpg)
25
Example: A Shared Bit
Read by simultaneously requesting ◦ The “wrong” value will be blocked
Can generalize to arbitrary shared arrays
𝑠1
𝑠0
𝐵=𝑟𝑒𝑎𝑑(0)
𝑤𝑟𝑖𝑡𝑒 (0)𝑤𝑟𝑖𝑡𝑒 (1)
𝐵=𝑟𝑒𝑎𝑑(1)
![Page 26: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/26.jpg)
26
Leveraging Shared ArraysRecognize shared arrays in the input threads
◦ Extract arity, read / write events, initial value, etc◦ Sometimes it is used unintentionally
Check if violations occur only in certain configurations◦ Sometimes certain configurations are the violation
During state traversal, generate lemmas when a shared memory cell becomes fixed◦ Write events always blocked / never requested
The array theory solver can then curtail the search
![Page 27: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/27.jpg)
27
Example: Tic Tac ToeGoal: complete a row, column or diagonal
If no mistakes are made, game always ends in a draw
XX
O
X
X
O
X
X
O O
X
X
O O X
X
O X
O O X
X X
O X
O O X
X X
O X
O O X
![Page 28: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/28.jpg)
28
Implementing Tic Tac ToeProgram plays , player plays
◦ Goal: never lose
Board modeled as a shared array with 3-valued elements
Rule threads, strategy threads◦ Blocking used to prevent multiple writes to each
cell
![Page 29: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/29.jpg)
29
Verifying Tic Tac ToeProgrammer: I’ve covered all cases in which
wins by taking the upper row. Let’s test that!
A state is bad if has the upper row◦ A certain configuration of the array
Generate lemma:
![Page 30: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/30.jpg)
30
ExampleBoard:
DECIDE: DECIDE: DECIDE: DECIDE:
◦ Array theory solver raises a conflict◦ Backtrack, without exploring successor states
¬safe state (q1 )⇒𝑏𝑜𝑎𝑟𝑑 [4 ]=𝑋
¬safe state (q4 )⇒𝑏𝑜𝑎𝑟𝑑 [1 ]=𝑂¬safe state (q3 )⇒𝑏𝑜𝑎𝑟𝑑 [0 ]=𝑋¬safe state (q2 )⇒𝑏𝑜𝑎𝑟𝑑 [8 ]=𝑂
![Page 31: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/31.jpg)
31
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
![Page 32: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/32.jpg)
32
Periodic ProgramsSingle processor scheduling problems
Each task has ◦ period ◦ execution time ◦ priority (static/dynamic)
Programs have nice arithmetic properties
![Page 33: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/33.jpg)
Periodic Programs in RWBA task that needs to be scheduled requests
an event
Priorities expressed by blocking less urgent tasks
Pattern matcher checks this on individual threads
Then generates arithmetic lemmas about time instances when a violation can occur
![Page 34: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/34.jpg)
34
ExampleTS Theory Arithmetic
Theory𝑥
𝑥=143…,
𝑥=513…,
UNSAT, property holds
![Page 35: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/35.jpg)
35
AgendaRWB Transition Systems
A Theory of Transition Systems
Programs with Shared Arrays
Periodic Programs
Experimental Results
![Page 36: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/36.jpg)
36
Experimental ResultsBenchmarks: periodic programs and program
with shared arraysAverage speedup:
1 9 17 25 33 41 49 57 65 73 81 89 971051000
10000
100000
1000000
10000000
100000000CVC4BPMC
Number of Solved Instances
Tim
e (s
econ
ds)
![Page 37: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/37.jpg)
37
1 2 3 4 5 6 7 8 9 101000
10000
100000
1000000
10000000CVC4BPMC
Number of Solved Instances
Tim
e (s
econ
ds)
Experimental Results (cnt’d)Larger example: a web-serverAverage speedup:
![Page 38: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/38.jpg)
38
ConclusionAutomatic compositional verification of RWB
programs
Added a theory of transition systems to CVC4
Traverse state space and look for patterns◦ When a pattern is found, generate lemmas◦ Other theories can then curtail the search space
Examples:◦ Programs with shared arrays◦ Periodic programs
![Page 39: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/39.jpg)
39
Future WorkSupport additional models beyond RWB
Add more patterns
Improve the portfolio approach
![Page 40: Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science](https://reader036.vdocuments.mx/reader036/viewer/2022062413/5a4d1b117f8b9ab05998fe19/html5/thumbnails/40.jpg)
40
Questions
Thank You!