Loading in 5 sec....

Model Checking of Systems Employing Commutative FunctionsPowerPoint Presentation

Model Checking of Systems Employing Commutative Functions

Download Presentation

Model Checking of Systems Employing Commutative Functions

Loading in 2 Seconds...

- 89 Views
- Uploaded on
- Presentation posted in: General

Model Checking of Systems Employing Commutative Functions

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific

Model Checking of Systems Employing Commutative Functions

A.Prasad Sistla, Min Zhou, Xiaodong Wang

presented by Min Zhou

University of Illinois at Chicago

- Transition Diagram(TD) and Symbolic State Graph
- Predicate Template and bisimulation ~0
- Extended Predicate Template and bisimulation ~k
- Experiment Results
- Conclusion

We only consider such TDs who only have assignments:

x:=c

c is a constant

x:=y

y is another variable

x:=φ(x)

φ is a unary function;

each such φ in a TD is commutative with each other:

φ1 φ2 = φ2φ1

a≤y y++

1

a:=x,x++

0

b:=x,x++

2

b≤y x:=0,y:=0

Variables:a,b,x,y

- Sym_Reach(G, u) = (S0,R0, L0)

s.lc

s.val

s.exp

location

- variables expressions
- s.exp(x): the composition of functions that were applied to x since last time a constant was assigned

- variables values
- s.val(x): the latest constant assigned to variable x

TD

x:=c

x:=φ(x)

x:=y

s1.exp(x)=φ(s0.exp(x))

s1.exp(x)=x

s1.exp(x)=s0.exp(y)[x/y]

q1

q1

q1

s1

s1

s1

s0

q0

q0

s0

s0

q0

s1.val(x)=s0.val(x)

s1.val(x)=c

s1.val(x)=s0.val(y)

- act_state(s) = (s.lc, h) where h(x) = s.exp(x){s.val(x)}

Symbolic

States

actual

states

a y y++

1

1,(0,0,0,0)

(a,b,x+1,y)

s1

0,(0,0,0,0)

(a,b,x,y)

a:=x,x++

0

b:=x,x++

s0

s2

2

0,(0,0,0,0)

(a,b,x+1,y+1)

b y x:=0,y:=0

s3

2,(0,0,0,0)

(a,b,x+1,y)

val

TD:

lc

exp

- Define a bisimulation relation over symbolic states
- For every location q, define a predicate template ptemplates(q)
- s ~0 t require they are equivalent w.r.t ptemplates(s.lc)

p

f

var(p) X*

predicate, derived from guards and correctness formula

…

…

x:=y

x:=c

p(x)

p(x)

q1

q1

q

q

qi

qi

- (AP,fid) U (guard(q), fid)Є ptemplates(q)

x:= φ1(x)

…

x:=φ2(x)

(P, fid) Є ptemplates(q)

p(x)

q1

q

qi

x:=φ(x)

(P,f(x) = y) Є ptemplates(q)

（P, f(x)=) Є ptemplates(q)

p0: x y

p1: a y

p2: b y

Formula: (x y)

Ptemplates(1)={

(p0, fid),

(p1, fid),

(p1, a x),

(p2, b x)}

a y y++

1

a:=x,x++

0

b:=x,x++

2

b y x:=0,y:=0

Instantiate predicate templates in states:

(p(xi), xi yi) [s] = p [(s.exp (yi) /xi ) { xi/ yi }], where yi

Eg:

Define ~0as follows: for any two states s and t, s ~0 t iff

s.lc = t.lc, s.val = t.val

(p, f) Є ptemplates(s.lc), (p, f)[s] (p, f)[t]

- p: x1 < c
- s.exp(x1): x1+1
- s.exp(x2): x2+2

- (p,x1 x2 ) [s] =
- (s.exp (x2) < c){ x1/x2 } =
- (x1+2 < c)

- an implicit universal quantifier over the free variables

Proof idea:

assume s0 ~0t0 (p,fid) Є ptemplates(q1)

In this case, (p,fid) Є ptemplates(q0)

so we have (p,fid)[s0] (p,fid)[t0]

x:=φ(x)

s1.exp(x)=φ(s0.exp(x))

q1

q0

s1.val(x)=s0.val(x)

s1

t1

s0

t0

Now We show

(p,fid)[s1] (p,fid)[t1]

(p,fid)[s0] (p,fid)[t0]

x P[s0.exp(x)] P[t0.exp(x)]

x P[s0.exp(φ (x))] P[t0.exp(φ (x))]

x P[φ (s0.exp(x))] P[φ (t0.exp(x))]

x P[s1.exp(x)] P[t1.exp(x)]

x:=φ(x)

s1.exp(x)=φ(s0.exp(x))

q1

q0

s1.val(x)=s0.val(x)

s1

t1

s0

t0

By commutation

…

…

…

P(x)

P(x)

P(x)

si

ti

qi

s

q

t

- If (p,f) Є ptemplates(q), we require (p,f)[s] (p,f) [t] even in above case.
- Not necessary. Only need when this path is feasible for these two states

TD:

X

X

…

P(x)

qi

q

…

P(x)

ti

t

ti-k

- Only in this case, we require (p,f)[s] (p,f) [t]

…

P(x)

si

s

si-k

feasible, length = k

- In ~k , we require a conditional equivalence
- Lemma ~k+1 ~k,
- but ~k+1 need more computation

q2

x2=0

x1++

x1 20

x1++, x2++

q0

q1

q4

x1=0

x2 ++

q3

x2 20

any two states of the form

(q1,(0,0), (x1 + c 0, x2 + c’ 0))

are bisimular w.r.t ~1

taken from T.Bultan 1999

taken from T.Bultan 1999

- Defined a non decreasing chain of bisimulation
- Can be used in a class of infinite systems
- ~k can be checked on-the-fly
- Need investigate how to combine with static analysis