Forward Analysis of Depth-Bounded Processes
Thomas Wies, Damien Zufferey, Tom Henzinger
In FoSSaCS’10
Motivation
• Verify concurrent systems with
  • synchronization via message passing
  • unbounded dynamic process creation (name generation)
  • dynamic communication topology (name mobility)
• Examples
  • Actors [G. Agha 1986] in languages such as Scala, Erlang
  • Distributed (mobile) systems
  • …
A Publish/Subscribe Service in Scala

```scala
// Slide pseudocode: `*` denotes a nondeterministic Boolean choice and
// `cats.choose` a nondeterministic pick of an element. Subscribe, Unsubscribe,
// Publish, Who, Credential, Deny and Content are the remaining message types.
sealed abstract class Category
case object Cat1 extends Category
...
case object CatN extends Category
case object List
case class Categories(cats: Set[Category])
...

class Server extends Actor {
  // enl maps each category to the set of subscribers enlisted for it
  def loop(enl: Map[Category, Set[Actor]]) {
    val cats = Set(Cat1, ..., CatN)
    react {
      case List => {
        reply(Categories(cats))
        react {
          case Subscribe(c) => loop(enl + (c -> (enl(c) + sender)))
        }
      }
      case Unsubscribe(c) => loop(enl + (c -> (enl(c) - sender)))
      case Publish => {
        reply(Who)
        react {
          case Credential =>
            if (*) {
              reply(Categories(cats))
              react {
                case Content(c) =>
                  enl(c).foreach(_ ! Content(c)) // forward to every enlisted subscriber
                  loop(enl)
              }
            } else {
              reply(Deny)
              loop(enl)
            }
        }
      }
    }
  }
  // initially no category has any subscriber
  override def act() = loop(Map[Category, Set[Actor]]().withDefaultValue(Set()))
}

class Subscriber(server: Actor) extends Actor {
  def loop(cat: Category): Unit = {
    if (*) {
      react {
        case Content(c) =>
          if (c != cat) error("...") // content of a category we are not enlisted to
          ...
      }
    } else {
      server ! Unsubscribe(cat)
      exit('normal)
    }
  }
  override def act(): Unit = {
    server ! List
    react {
      case Categories(cats) =>
        val cat = cats.choose
        server ! Subscribe(cat) // assumed: elided on the slide, required by the Server's protocol
        loop(cat)
    }
  }
}

class Publisher(server: Actor) extends Actor {
  override def act(): Unit = {
    server ! Publish
    react {
      case Who =>
        reply(Credential)
        react {
          case Categories(cats) =>
            val c = cats.choose
            reply(Content(c))
            if (*) act() else exit('normal)
          case Deny => exit('badCredential)
        }
    }
  }
}
```
A Publish/Subscribe Service in Scala
Figure: configuration graphs of the service. Each Subscriber and Publisher has a server link to the Server, and the Server has enl(Cat1) and enl(Cat2) links to the Subscribers enlisted for those categories. A Subscribe(Cat1) message with a sender link to a Subscriber arrives at the Server, after which the Server holds a second enl(Cat1) link; a Content(Cat1) message sent by a Publisher (sender link) is then forwarded as Content(Cat1) messages to the Subscribers enlisted for Cat1.
• Infinite state system
  • number of Subscriber and Publisher processes and
  • number of messages in mailboxes can grow unboundedly
Semantics
Interleaving of local transitions of processes.
Processes have
• an associated name
• finitely many control states
• finitely many parameters (denoting names of other processes)
• an associated mailbox (unbounded but unordered)
In each local transition a process may
• change its control state
• change the value of one of its parameters
• receive a message from its mailbox (blocking)
• send a message to a process it knows
• create a new process
Global configurations are graphs
• nodes model
  • processes (node labels are control states)
  • messages (node labels are message kinds)
• edges model
  • mailboxes
  • process parameters
  • message data
Semantics, more formally
• Actors [Agha 1986]
• π-calculus [Milner, Parrow, Walker 1992]
• Dynamic I/O automata [Attie, Lynch 2001]
• …
Verification of Safety Properties
Figure: a Subscriber with a server link to the Server, the Server with an enl(Cat1) link back to the Subscriber, and a Content(Cat1) message with its sender link.
Shape invariants:
• “The server link of a Subscriber always points to a Server”
• “Subscribers only receive content they are enlisted to”
• “No process ever reaches a local error state”
Turing Completeness
Figure: encoding of a two-counter machine as a configuration; a state-machine process holds next links to two chains of counter cells C (counter1 and counter2), each cell linked to the next.
Are there any interesting fragments with decidable verification problems?
Depth-Bounded Systems (DBS) [Meyer 2008]
Definition: A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable configurations.
The actual definition is in terms of π-calculus processes.
Depth-Bounded Systems (DBS)
Figure: a configuration of the publish/subscribe service (Server, three Subscribers with server links, two Publishers, and two Content(Cat1) messages with their sender links); the maximal length of any simple path in it is 5.
What is Decidable for DBS?
DBSs are well-structured transition systems [Meyer 2008], so termination is decidable.
What about reachability?
• Reset nets are DBSs [Meyer, Gorrieri 2009].
• Reachability is undecidable for reset nets [Dufourd et al. 1998] and thus for DBSs.
The Covering Problem
Given a transition system (with initial configuration init) and a bad configuration bad, decide whether there is a reachable configuration that “covers” the bad one.
Application: verify absence of bad patterns. Figure: the bad pattern for “Subscribers only receive content they are enlisted to” is a Subscriber with a server link to a Server that holds an enl(Cat1) link to it, while a Content(Cat2) message (with its sender link) is in the Subscriber's mailbox.
The covering problem is decidable for DBSs.
Well-Quasi-Orderings
• Definition
  • A relation ≤ ⊆ S × S is a well-quasi-ordering iff
    • ≤ is a quasi-ordering (reflexive and transitive)
    • for any infinite sequence s1, s2, … there are i < j such that si ≤ sj
• Examples
  • identity relation on a finite set
  • order on the natural numbers
  • multiset extension of a well-quasi-ordering (Higman’s lemma)
Well-Structured Transition Systems (WSTS) [Finkel 1987]
• Definition
  • A WSTS is a tuple (S, init, →, ≤) where
    • (S, init, →) is a transition system
    • ≤ is a well-quasi-ordering on S
    • ≤ is compatible with the transition relation →: for all s, t, s’ ∈ S with s → s’ and s ≤ t there exists t’ ∈ S with t → t’ and s’ ≤ t’
• Examples
  • Petri nets
  • lossy channel systems
Upward and Downward Closures
↑X = {y ∈ S | ∃x ∈ X. x ≤ y} is the upward closure of X; dually, ↓X = {y ∈ S | ∃x ∈ X. y ≤ x} is its downward closure.
Backward Algorithm for the Covering Problem of WSTS
Figure: starting from ↑bad, iterate pre(↑bad), …, pre^k(↑bad) until the sequence of upward-closed sets stabilizes, and check whether init lies in the result.
Depth-Bounded Systems as WSTS
• Depth-bounded systems form WSTS for
  • their reachable configurations
  • and the quasi-ordering induced by subgraph isomorphism
Next we show that the subgraph-isomorphism ordering is a well-quasi-ordering on the reachable configurations.
Closure of a Tree
Add edges according to the transitive closure of the edge relation. Every (undirected) graph is contained in the closure of some tree.
Tree-Depth of a Graph
Definition: The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contains G.
Figure: a graph on v1, …, v5 and a tree of height 2 whose closure contains it; the tree-depth of the graph is 2.
Tree-Depth and Depth-Bounded Systems
Proposition: A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.
Hence the reachable configurations of a depth-bounded system have bounded tree-depth.
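As an added example (not code from the paper), the following Python computes both quantities the proposition relates, the longest simple path and the tree-depth td(G), for one configuration graph. The graph is a constructed stand-in for a publish/subscribe configuration, and tree-depth is computed by its standard recursive characterisation rather than by searching for a covering tree directly.

```python
from functools import lru_cache

# Constructed (illustrative) configuration graph in the style of the slides: a
# Server with server links from three Subscribers and two Publishers, plus two
# Content(Cat1) messages in subscriber mailboxes with sender links (undirected).
CONFIG = {"Server": {"Sub1", "Sub2", "Sub3", "Pub1", "Pub2"},
          "Sub1": {"Server", "Msg1"}, "Sub2": {"Server", "Msg2"}, "Sub3": {"Server"},
          "Pub1": {"Server", "Msg1"}, "Pub2": {"Server", "Msg2"},
          "Msg1": {"Sub1", "Pub1"}, "Msg2": {"Sub2", "Pub2"}}

def longest_simple_path(adj):
    """Edges on the longest simple path (exhaustive DFS; fine for small graphs)."""
    best = 0
    def dfs(v, seen, length):
        nonlocal best
        best = max(best, length)
        for w in adj[v]:
            if w not in seen:
                dfs(w, seen | {w}, length + 1)
    for v in adj:
        dfs(v, {v}, 0)
    return best

def components(adj, nodes):
    """Connected components of the subgraph induced by `nodes`."""
    nodes, comps = set(nodes), []
    while nodes:
        comp, frontier = set(), {nodes.pop()}
        while frontier:
            comp |= frontier
            frontier = {w for v in frontier for w in adj[v] if w in nodes} - comp
        nodes -= comp
        comps.append(frozenset(comp))
    return comps

def tree_depth(adj):
    """td(G): 1 for one vertex, max over components if disconnected, otherwise
    1 + min over v of td(G - v) (v becomes the root of the covering tree)."""
    @lru_cache(maxsize=None)
    def td(nodes):
        if len(nodes) == 1:
            return 1
        comps = components(adj, nodes)
        if len(comps) > 1:
            return max(td(c) for c in comps)
        return 1 + min(td(nodes - {v}) for v in nodes)
    return td(frozenset(adj))
```

For CONFIG the longest simple path has 6 edges and the tree-depth is 3 (the Server is the root of a minimum-height covering tree); depth-boundedness is a property of all reachable configurations, which this code does not explore.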
Tree Encodings of Depth-Bounded Graphs
Figure: the graph G on v1, …, v5 and its tree encoding tree(G).
Take a minimal tree whose closure contains the graph G. Label each node v in the tree by the subgraph of G induced by the nodes on the path to v. The number of labels used in the encoding is finite.
Homeomorphic Tree Embedding ≼
We can show for all graphs G1, G2: tree(G1) ≼ tree(G2) implies that G1 is a subgraph of G2 (up to isomorphism).
Kruskal’s Tree Theorem
Theorem [Kruskal 1960]: Homeomorphic tree embedding is a well-quasi-ordering on finite trees labelled by a WQO set.
Theorem [Laver 1971]: Homeomorphic tree embedding is a better-quasi-ordering on countable trees labelled by a BQO set.
Hence subgraph isomorphism induces a better-quasi-ordering on the reachable configurations of a depth-bounded system.
Backward Algorithm for the Covering Problem of WSTS
• Requirements
  • ≤ is decidable
  • pre is effectively computable
Backward Analysis of DBSs
• the WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations
• reachability is undecidable, so pre is not computable for the induced WSTS
• only option: if the bound of the system is k, define the WSTS wrt. the set of all graphs of depth at most k
• termination of a backward analysis can then only be ensured if the bound of the system is known a priori
The standard algorithm is not a decision procedure for the covering problem of DBS.
Backward Analysis is Impractical
Backward analysis has to guess the sender (and other parameters) of sent messages, which leads to an explosion in the nondeterminism.
Figure: stepping backwards over the sending of a Subscribe(Cat1) message to the Server, the sender link of the message (a Subscriber with a server link to the Server) has to be guessed.
This is similar to the aliasing problem for backward analysis of programs with pointers.
Is there a forward analysis that decides the covering problem?
Forward Analysis of a WSTS
Figure: starting from ↓init, iterate post(↓init), …, post^k(↓init) and check whether bad is covered.
We need “limits” of all downward-closed sets for termination.
Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]
Figure: a wqo set X and an ADL Y for X, related by the denotation γ.
• For every z ∈ Y, γ(z) is a downward-closed subset of X
• Every downward-closed subset D of X is generated by a finite subset E of Y ∪ X (in the figure, E = E1 ∪ E2)
Expand, Enlarge, and Check
Theorem [Geeraerts, Raskin, Van Begin 2006]: There exists an algorithm that decides the covering problem for WSTS with an effective ADL.
Figure: the algorithm works on growing finite subsets X1 ⊆ X2 ⊆ … ⊆ X and Y1 ⊆ Y2 ⊆ … ⊆ Y.
Next: an ADL for depth-bounded systems
Loop Acceleration à la Karp-Miller
Figure: a sequence of configurations in which the Server gains one Subscriber per iteration is summarized by a limit configuration in which the Subscriber is marked +.
Idea for loop acceleration: record which parts of a configuration can be duplicated.
Limit Configurations
Figure: a limit configuration L (a Server with a Subscriber marked +, whose mailbox holds a Content message marked +) and some of its unfoldings (a Server with one or more Subscribers, each holding one or more Content messages).
Denotation: γ(L) is the downward closure of all unfoldings of L.
An ADL for Depth-Bounded Systems
Theorem: Limit configurations form an ADL for depth-bounded graphs.
Corollary: The EEC algorithm decides the covering problem for depth-bounded systems.
Canonical Adequate Domain of Limits
Theorem [Finkel, Goubault-Larrecq 2009]: The downward-closed directed subsets of a wqo set X form an ADL for X.
• A directed set for a qo (X, ≤) is
  • a nonempty subset of X
  • closed under upper bounds (any two of its elements have an upper bound in the set)
Figure: a wqo set X with directed subsets D1, …, D5.
Hedge Automata
A = (Q, Σ, Q_f, Δ)
Q = {p, q, r, s}
Σ = {a, b, c}
Q_f = {p}
Δ = {a(ε) → s, b(ε) → r, c(s r* s) → q, a(q+) → p}
Figure: a run of A on the tree a(c(a, b, a), c(a, a)): the leaves take states s r s and s s, both c nodes take state q, and the root takes the final state p.
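As an added example (not from the paper), the following Python runs the slide's hedge automaton bottom-up on a tree: each rule is a label, a regular expression over the sequence of child states, and a resulting state. The tree SLIDE_TREE is read off the slide's picture; the tuple encoding of trees and the regex-based matching are this example's own choices.

```python
import re

# Hedge automaton A = (Q, Σ, Q_f, Δ) from the slide. Rules are written as
# (label, regular expression over the children's states, resulting state);
# states are single letters, so a sequence of child states is just a string.
RULES = [("a", "", "s"),        # a(ε) → s
         ("b", "", "r"),        # b(ε) → r
         ("c", "sr*s", "q"),    # c(s r* s) → q
         ("a", "q+", "p")]      # a(q+) → p
FINAL = {"p"}

def run(tree, rules=RULES):
    """Bottom-up run; returns the set of states the root can take.
    A tree is (label, [children]); a leaf has an empty child list."""
    label, children = tree
    child_states = [run(child, rules) for child in children]
    # the automaton may be nondeterministic, so enumerate every word of child
    # states; a child with no state (empty set) leaves no word at all
    words = [""]
    for states in child_states:
        words = [w + st for w in words for st in sorted(states)]
    return {target for lab, pattern, target in rules
            if lab == label and any(re.fullmatch(pattern, w) for w in words)}

def accepts(tree, rules=RULES, final=FINAL):
    return bool(run(tree, rules) & final)

def leaf(label):
    return (label, [])

# The tree drawn on the slide: a( c(a, b, a), c(a, a) ). Bottom-up, the leaves
# get s r s and s s, both c nodes get q, and the root a(q q) gets p.
SLIDE_TREE = ("a", [("c", [leaf("a"), leaf("b"), leaf("a")]),
                    ("c", [leaf("a"), leaf("a")])])
```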
Proof Sketch
To prove: for every directed downward-closed set there exists a limit configuration with the required denotation.
Look at the tree encodings of the set and construct a hedge automaton from them; from the automaton, construct the limit configuration.
Further Related Work
• Meyer, Gorrieri 2009 – depth-bounded systems and place/transition nets
• Finkel, Goubault-Larrecq 2009 – Karp-Miller-style forward analysis of WSTSs with ADLs
• Ganty, Raskin, Van Begin 2006 – forward analysis of WSTSs without ADLs
• Dam 1993; Amadio, Meyssonnier 2002 – decidable fragments of the π-calculus
• Sangiorgi 1996; Busi et al. 2003; Ostrovský 2005 – type systems for the π-calculus
• Bauer (Kreiker), Wilhelm 2007 – shape analysis for depth-bounded systems
Conclusions
• many real-life examples of message passing systems are depth-bounded
• many interesting safety properties are expressible in terms of covering
• our main result: the covering problem is decidable for depth-bounded systems
• our ADL suggests a whole spectrum of forward analyses for depth-bounded systems