Enforcing Concurrent Temporal Behaviors
Doron Peled, Dept. of CS, University of Warwick

Verification of systems
Code, Design --> Modeling (translating) --> Some representation --> Verifying --> Counterexample --> Checking against the original code
• Failed: some feedback information.
• Passed: inform the developers!
Problems: the counterexample is given as a sequence of states/events, so:
• Concurrent information is lost.
• It is long and complicated. So where is the error among the 2,375 states in the sequence?
• If the system is concurrent/nondeterministic, the sequence may not actually happen when running the code under the same initial state and input.
Flowchart (figure, repeated over a series of slides while the counterexample is stepped through): the two-process mutual exclusion program used as the running example, one box per labelled statement, with the arrows transcribed as branches. Initially: turn=1.

P1:
0: START P1
1: c1:=1
12: true? yes --> 2; no --> 13: end
2: c1:=0
8: c2=0? yes --> 7; no --> 9
7: turn=2? no --> 8; yes --> 3
3: c1:=1
5: turn=2? yes --> 4: no-op, then back to 5; no --> 6
6: c1:=0 --> 8
9: critical-1
10: c1:=1
11: turn:=2 --> 12

P2 is symmetric: c1 and c2 are swapped, it tests turn=1 where P1 tests turn=2, and it sets turn:=1 where P1 sets turn:=2.

The same flowchart is then shown again while the execution is replayed a second time from the same initial state (turn=1).
Goals
• Guaranteeing the same execution.
• Minimal changes to the software.
• Preserving concurrency independence.
• Preserving the checked property.
• Applying the transformation to finite sequences as well as ultimately periodic ones.
First execution again:
(P1(0):start) (P2(0):start) [P1(1):c1:=1] [P2(1):c2:=1] <P2(12):true>yes <P1(12):true>yes [P2(2):c2:=0] <P2(8):c1=0?>no <P2(9):critical-2>
How to obtain the order?
• Define a dependency relation D ⊆ A × A: actions a and b are dependent if
  • a and b are in the same process, or
  • a and b use or define (update) the same variable.
• Impose the following ordering restriction on occurrences in the sequence: a_k --> b_l whenever
  • a_k occurs before b_l in the sequence, and
  • a and b are interdependent.
Causal constraints on the first execution:
(P1(0):start) (P2(0):start) [P1(1):c1:=1] [P2(1):c2:=1] <P2(12):true>yes <P1(12):true>yes [P2(2):c2:=0] <P2(8):c1=0?>no <P2(9):critical-2>
• Same process P1 (same program counter): its occurrences keep their order.
• More constraints: same process P2 (same program counter).
• Even more constraints: the mutual use of variable c1 in both processes (P1(1):c1:=1 and P2(8):c1=0?).
Need to add to the program:
• For each pair of processes p_i and p_j with some occurrences a_k --> b_l there is a variable V_ij.
• After a_k we perform Free_ij: V_ij := V_ij + 1
• Before b_l we perform Wait_ij: wait until V_ij > 0, then V_ij := V_ij - 1
• Count all the actions that need to be synchronized, and make the synchronization on the correct count.
In what sense did we preserve the concurrency?
• One way of looking at a concurrent execution is to observe all its linearizations into total orders.
• The given sequence is a linearization of some partial-order execution E.
• But when we transform the program, we add some actions.
• Informally: we obtain E'. When removing the additional actions, we obtain E.
• When removing the additional actions from lin(E'), we obtain lin(E).
Some notation
• Cl_D( ): the sequences obtained from a given sequence after commuting independent actions.
• Hide_B(S): the sequences obtained from the ones in S by omitting the events in B.
• Exec(P): the executions of program P.
• We add actions A' such that D' restricted to A × A equals D (the dependency between old actions is unaffected).
• If we transform the program into a program P', we obtain that Hide_{A' \ A}(Exec(P')) = Cl_D( ), the closure of the original sequence.
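The Wait/Free transformation and the Hide/Cl_D claim above, as an added example that is not code from the slides: it computes the cross-process constraints a_k --> b_l of the first execution, drops the ones already implied by program order and other constraints so that the n-th Free_ij on each counter pairs with the n-th Wait_ij (one way to get the "correct count"), then enumerates every order the instrumented program can still produce and checks that exactly the orders in the closure of the sequence survive. The event tuples, the two extra P1 events and all function names are constructed assumptions.

```python
from collections import Counter

# Constructed input: the first execution from the slides as (process, label, statement,
# variables used or defined); the last two events are a constructed continuation of P1.
SEQ = [("P1", 0, "start", set()), ("P2", 0, "start", set()),
       ("P1", 1, "c1:=1", {"c1"}), ("P2", 1, "c2:=1", {"c2"}),
       ("P2", 12, "true", set()), ("P1", 12, "true", set()),
       ("P2", 2, "c2:=0", {"c2"}), ("P2", 8, "c1=0?", {"c1"}),
       ("P2", 9, "critical-2", set()),
       ("P1", 2, "c1:=0", {"c1"}), ("P1", 8, "c2=0?", {"c2"})]

def dependent(a, b):  # D: same process, or a common variable used or defined
    return a[0] == b[0] or bool(a[3] & b[3])
def sync_pairs(seq):
    """Cross-process constraints a_k --> b_l not implied by others; only these need Free/Wait."""
    n = len(seq)
    before = [[k < l and dependent(seq[k], seq[l]) for l in range(n)] for k in range(n)]
    for m in range(n):  # transitive closure of the causal order (Warshall)
        for k in range(n):
            if before[k][m]:
                before[k] = [x or y for x, y in zip(before[k], before[m])]
    return [(k, l) for k in range(n) for l in range(n) if before[k][l] and seq[k][0] != seq[l][0]
            and not any(before[k][m] and before[m][l] for m in range(n))]
def instrument(seq):
    """Free_ij after a_k (V_ij := V_ij + 1); Wait_ij before b_l (wait V_ij > 0, V_ij := V_ij - 1)."""
    free, wait = {}, {}
    for k, l in sync_pairs(seq):
        v = seq[k][0] + seq[l][0]  # one counter V_ij per ordered pair of processes
        free.setdefault(k, []).append(v)
        wait.setdefault(l, []).append(v)
    return free, wait
def runs(seq, free, wait):
    """All global orders the (instrumented) program can produce, as lists of event indices."""
    procs = {p: [i for i, e in enumerate(seq) if e[0] == p] for p in sorted({e[0] for e in seq})}
    def step(pos, v, order):  # pos: next event of each process; v: the V_ij counters
        if len(order) == len(seq):
            yield order
        for p, idxs in procs.items():
            if pos[p] < len(idxs):
                i = idxs[pos[p]]
                need = Counter(wait.get(i, []))
                if all(v[x] >= c for x, c in need.items()):  # every Wait_ij before i satisfied?
                    yield from step({**pos, p: pos[p] + 1},
                                    v - need + Counter(free.get(i, [])), order + [i])
    yield from step({p: 0 for p in procs}, Counter(), [])

def equivalent(seq, order):  # order is in Cl_D(seq): every interdependent pair keeps its order
    pos, n = {i: t for t, i in enumerate(order)}, len(seq)
    return all(pos[k] < pos[l] for k in range(n) for l in range(k + 1, n) if dependent(seq[k], seq[l]))
```

Without the Free/Wait pairs the two processes have 462 interleavings; with them only the 165 that commute independent actions of the original sequence remain.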
Preserving a temporal property
• Suppose we selected a sequence because it satisfied (or failed) a property L (a language).
• Problem: when Cl_D( ) of that sequence contains both sequences that are in L and sequences that are not in L.
• How to solve this?
A solution
• Search a graph where each node is one of the equivalent executions, with the given sequence as the original node.
• An edge exists between two nodes if one is obtained from the other by one shuffle of actions.
• Whenever the shuffle does not preserve the property, insert another Wait/Free pair. Rename such a pair of events and make them interdependent (so other occurrences are unaffected).
• Cost: expensive (can be exponential in the number of processes).
• NP-complete: one may guess the interleaving of the path and the place of the bad commutation, then check it. Hardness follows from Hamiltonian Path.
Simpler approximation
• Assume the property is closed under stuttering.
• Check which actions can affect the propositions that appear in the property.
• Make these actions interdependent.
• Complexity: low, quadratic in the number of transitions.
Ultimately periodic sequences
• Test sequences for an unbounded length of time.
• Finite prefix v, finite recurring sequence w.
• Can take care of both parts v, w separately.
• One possibility: make an artificial synchronization between the end of v and the beginning of w.
• Another possibility: create a graph <P, E>, where P are the processes, and p_i --> p_j is in E if there are some events a_k --> b_l belonging to p_i, p_j, respectively.
There are three cases:
1. There is a single strongly connected component. In this case, in some linearizations, the (i+1)st iteration may start in some processes while the ith iteration still executes in others.
2. The graph includes all the processes, but in different components. Then there can be arbitrary overtaking between the iterations.
3. The graph does not include all the processes. In this case, it might be that the sequence was "unfair", and some additional actions and interactions occur. Then synchronization is advised.
Conclusions
• Given a counterexample, we may need to execute it on the checked code.
• The code needs to be transformed to enforce the execution when nondeterminism is present.
• More synchronization is needed for preserving temporal properties.
• Several cases arise for preserving ultimately periodic executions.