Loading in 5 sec....

Model Checking of Systems Employing Commutative FunctionsPowerPoint Presentation

Model Checking of Systems Employing Commutative Functions

- By
**zaza** - Follow User

- 95 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Model Checking of Systems Employing Commutative Functions' - zaza

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Model Checking of Systems Employing Commutative Functions

This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific

A.Prasad Sistla, Min Zhou, Xiaodong Wang

presented by Min Zhou

University of Illinois at Chicago

Outline code by making compilers aggressively system specific

- Transition Diagram(TD) and Symbolic State Graph
- Predicate Template and bisimulation ~0
- Extended Predicate Template and bisimulation ~k
- Experiment Results
- Conclusion

We only consider such TDs who only have assignments: code by making compilers aggressively system specific

x:=c

c is a constant

x:=y

y is another variable

x:=φ(x)

φ is a unary function;

each such φ in a TD is commutative with each other:

φ1 φ2 = φ2φ1

Transition Diagram(TD)a≤y y++

1

a:=x,x++

0

b:=x,x++

2

b≤y x:=0,y:=0

Variables:a,b,x,y

Symbolic State Graph code by making compilers aggressively system specific

- Sym_Reach(G, u) = (S0,R0, L0)

s.lc

s.val

s.exp

location

- variables expressions
- s.exp(x): the composition of functions that were applied to x since last time a constant was assigned

- variables values
- s.val(x): the latest constant assigned to variable x

How to construct Symbolic State Graph code by making compilers aggressively system specific

TD

x:=c

x:=φ(x)

x:=y

s1.exp(x)=φ(s0.exp(x))

s1.exp(x)=x

s1.exp(x)=s0.exp(y)[x/y]

q1

q1

q1

s1

s1

s1

s0

q0

q0

s0

s0

q0

s1.val(x)=s0.val(x)

s1.val(x)=c

s1.val(x)=s0.val(y)

Symbolic States code by making compilers aggressively system specific

- act_state(s) = (s.lc, h) where h(x) = s.exp(x){s.val(x)}

Symbolic

States

actual

states

a code by making compilers aggressively system specific y y++

1

1,(0,0,0,0)

(a,b,x+1,y)

s1

0,(0,0,0,0)

(a,b,x,y)

a:=x,x++

0

b:=x,x++

s0

s2

2

0,(0,0,0,0)

(a,b,x+1,y+1)

b y x:=0,y:=0

s3

2,(0,0,0,0)

(a,b,x+1,y)

Symbolic State Graphval

TD:

lc

exp

Our Goal code by making compilers aggressively system specific

- Define a bisimulation relation over symbolic states
- For every location q, define a predicate template ptemplates(q)
- s ~0 t require they are equivalent w.r.t ptemplates(s.lc)

p code by making compilers aggressively system specific

f

Predicate Templatevar(p) X*

predicate, derived from guards and correctness formula

… code by making compilers aggressively system specific

…

x:=y

x:=c

p(x)

p(x)

q1

q1

q

q

qi

qi

What should be in ptemplates(q)- (AP,fid) U (guard(q), fid)Є ptemplates(q)

x:= φ1(x)

…

x:=φ2(x)

(P, fid) Є ptemplates(q)

p(x)

q1

q

qi

x:=φ(x)

(P,f(x) = y) Є ptemplates(q)

（P, f(x)=) Є ptemplates(q)

p code by making compilers aggressively system specific0: x y

p1: a y

p2: b y

Formula: (x y)

Ptemplates(1)={

(p0, fid),

(p1, fid),

(p1, a x),

(p2, b x)}

a y y++

1

a:=x,x++

0

b:=x,x++

2

b y x:=0,y:=0

ExampleInstantiate predicate templates in states: code by making compilers aggressively system specific

(p(xi), xi yi) [s] = p [(s.exp (yi) /xi ) { xi/ yi }], where yi

Eg:

Define ~0as follows: for any two states s and t, s ~0 t iff

s.lc = t.lc, s.val = t.val

(p, f) Є ptemplates(s.lc), (p, f)[s] (p, f)[t]

Bisimulation ~0- p: x1 < c
- s.exp(x1): x1+1
- s.exp(x2): x2+2

- (p,x1 x2 ) [s] =
- (s.exp (x2) < c){ x1/x2 } =
- (x1+2 < c)

- an implicit universal quantifier over the free variables

Proof idea: code by making compilers aggressively system specific

assume s0 ~0t0 (p,fid) Є ptemplates(q1)

In this case, (p,fid) Є ptemplates(q0)

so we have (p,fid)[s0] (p,fid)[t0]

x:=φ(x)

s1.exp(x)=φ(s0.exp(x))

q1

q0

s1.val(x)=s0.val(x)

s1

t1

s0

t0

Theorem 1 ~0is a bi-simulation on the symbolic state graph Sym_Reach(G, u).Now We show code by making compilers aggressively system specific

(p,fid)[s1] (p,fid)[t1]

(p,fid)[s0] (p,fid)[t0]

x P[s0.exp(x)] P[t0.exp(x)]

x P[s0.exp(φ (x))] P[t0.exp(φ (x))]

x P[φ (s0.exp(x))] P[φ (t0.exp(x))]

x P[s1.exp(x)] P[t1.exp(x)]

x:=φ(x)

s1.exp(x)=φ(s0.exp(x))

q1

q0

s1.val(x)=s0.val(x)

s1

t1

s0

t0

Theorem 1 ~0is a bi-simulation on the symbolic state graph Sym_Reach(G, u).By commutation

… code by making compilers aggressively system specific

…

…

P(x)

P(x)

P(x)

si

ti

qi

s

q

t

Extension of Bisimulation ~0- If (p,f) Є ptemplates(q), we require (p,f)[s] (p,f) [t] even in above case.
- Not necessary. Only need when this path is feasible for these two states

TD:

X

X

… code by making compilers aggressively system specific

P(x)

qi

q

…

P(x)

ti

t

ti-k

Bisimulation ~k- Only in this case, we require (p,f)[s] (p,f) [t]

…

P(x)

si

s

si-k

feasible, length = k

~ code by making compilers aggressively system specifick

- In ~k , we require a conditional equivalence
- Lemma ~k+1 ~k,
- but ~k+1 need more computation

q code by making compilers aggressively system specific2

x2=0

x1++

x1 20

x1++, x2++

q0

q1

q4

x1=0

x2 ++

q3

x2 20

Example of a TD for which ~0 ~1any two states of the form

(q1,(0,0), (x1 + c 0, x2 + c’ 0))

are bisimular w.r.t ~1

taken from T.Bultan 1999 code by making compilers aggressively system specific

Experiment Resultstaken from T.Bultan 1999 code by making compilers aggressively system specific

Circular QueueSliding Window code by making compilers aggressively system specific

Conclusion and future work code by making compilers aggressively system specific

- Defined a non decreasing chain of bisimulation
- Can be used in a class of infinite systems
- ~k can be checked on-the-fly
- Need investigate how to combine with static analysis

Download Presentation

Connecting to Server..