1 / 22

Model Checking of Systems Employing Commutative Functions

This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific. Model Checking of Systems Employing Commutative Functions. A.Prasad Sistla, Min Zhou, Xiaodong Wang presented by Min Zhou University of Illinois at Chicago. Outline.

zaza
Download Presentation

Model Checking of Systems Employing Commutative Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific Model Checking of Systems Employing Commutative Functions A.Prasad Sistla, Min Zhou, Xiaodong Wang presented by Min Zhou University of Illinois at Chicago

  2. Outline • Transition Diagram(TD) and Symbolic State Graph • Predicate Template and bisimulation ~0 • Extended Predicate Template and bisimulation ~k • Experiment Results • Conclusion

  3. We only consider such TDs who only have assignments: x:=c c is a constant x:=y y is another variable x:=φ(x) φ is a unary function; each such φ in a TD is commutative with each other: φ1 φ2 = φ2φ1 Transition Diagram(TD) a≤y y++ 1 a:=x,x++ 0 b:=x,x++ 2 b≤y x:=0,y:=0 Variables:a,b,x,y

  4. Symbolic State Graph • Sym_Reach(G, u) = (S0,R0, L0) s.lc s.val s.exp location • variables  expressions • s.exp(x): the composition of functions that were applied to x since last time a constant was assigned • variables  values • s.val(x): the latest constant assigned to variable x

  5. How to construct Symbolic State Graph TD x:=c x:=φ(x) x:=y s1.exp(x)=φ(s0.exp(x)) s1.exp(x)=x s1.exp(x)=s0.exp(y)[x/y] q1 q1 q1 s1 s1 s1 s0 q0 q0 s0 s0 q0 s1.val(x)=s0.val(x) s1.val(x)=c s1.val(x)=s0.val(y)

  6. Symbolic States • act_state(s) = (s.lc, h) where h(x) = s.exp(x){s.val(x)} Symbolic States actual states     

  7. a  y y++ 1 1,(0,0,0,0) (a,b,x+1,y) s1 0,(0,0,0,0) (a,b,x,y) a:=x,x++ 0 b:=x,x++ s0 s2 2 0,(0,0,0,0) (a,b,x+1,y+1) b  y x:=0,y:=0 s3 2,(0,0,0,0) (a,b,x+1,y) Symbolic State Graph val TD: lc exp

  8. Our Goal • Define a bisimulation relation over symbolic states • For every location q, define a predicate template ptemplates(q) • s ~0 t require they are equivalent w.r.t ptemplates(s.lc)

  9. p f Predicate Template var(p) X* predicate, derived from guards and correctness formula

  10. … x:=y x:=c p(x) p(x) q1 q1 q q qi qi What should be in ptemplates(q) • (AP,fid) U (guard(q), fid)Є ptemplates(q) x:= φ1(x) … x:=φ2(x) (P, fid) Є ptemplates(q) p(x) q1 q qi x:=φ(x) (P,f(x) = y) Є ptemplates(q) (P, f(x)=) Є ptemplates(q)

  11. p0: x  y p1: a  y p2: b  y Formula: (x  y) Ptemplates(1)={ (p0, fid), (p1, fid), (p1, a  x), (p2, b  x)} a  y y++ 1 a:=x,x++ 0 b:=x,x++ 2 b  y x:=0,y:=0 Example

  12. Instantiate predicate templates in states: (p(xi), xi yi) [s] = p [(s.exp (yi) /xi ) { xi/ yi }], where yi   Eg: Define ~0as follows: for any two states s and t, s ~0 t iff s.lc = t.lc, s.val = t.val (p, f) Є ptemplates(s.lc), (p, f)[s] (p, f)[t] Bisimulation ~0 • p: x1 < c • s.exp(x1): x1+1 • s.exp(x2): x2+2 • (p,x1  x2 ) [s] = • (s.exp (x2) < c){ x1/x2 } = • (x1+2 < c) • an implicit universal quantifier over the free variables

  13. Proof idea: assume s0 ~0t0 (p,fid) Є ptemplates(q1) In this case, (p,fid) Є ptemplates(q0) so we have (p,fid)[s0] (p,fid)[t0] x:=φ(x) s1.exp(x)=φ(s0.exp(x)) q1 q0 s1.val(x)=s0.val(x) s1 t1 s0 t0 Theorem 1 ~0is a bi-simulation on the symbolic state graph Sym_Reach(G, u).

  14. Now We show (p,fid)[s1] (p,fid)[t1] (p,fid)[s0] (p,fid)[t0]  x P[s0.exp(x)]  P[t0.exp(x)]  x P[s0.exp(φ (x))]  P[t0.exp(φ (x))] x P[φ (s0.exp(x))]  P[φ (t0.exp(x))]  x P[s1.exp(x)]  P[t1.exp(x)] x:=φ(x) s1.exp(x)=φ(s0.exp(x)) q1 q0 s1.val(x)=s0.val(x) s1 t1 s0 t0 Theorem 1 ~0is a bi-simulation on the symbolic state graph Sym_Reach(G, u). By commutation

  15. … … P(x) P(x) P(x) si ti qi s q t Extension of Bisimulation ~0 • If (p,f) Є ptemplates(q), we require (p,f)[s]  (p,f) [t] even in above case. • Not necessary. Only need when this path is feasible for these two states TD: X X

  16. P(x) qi q … P(x) ti t ti-k Bisimulation ~k • Only in this case, we require (p,f)[s]  (p,f) [t] … P(x) si s si-k feasible, length = k

  17. ~k • In ~k , we require a conditional equivalence • Lemma ~k+1  ~k, • but ~k+1 need more computation

  18. q2 x2=0  x1++ x1 20  x1++, x2++ q0 q1 q4 x1=0  x2 ++ q3 x2  20  Example of a TD for which ~0  ~1 any two states of the form (q1,(0,0), (x1 + c 0, x2 + c’ 0)) are bisimular w.r.t ~1

  19. taken from T.Bultan 1999 Experiment Results

  20. taken from T.Bultan 1999 Circular Queue

  21. Sliding Window

  22. Conclusion and future work • Defined a non decreasing chain of bisimulation • Can be used in a class of infinite systems • ~k can be checked on-the-fly • Need investigate how to combine with static analysis

More Related