Model checking of systems employing commutative functions
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

Model Checking of Systems Employing Commutative Functions PowerPoint PPT Presentation


  • 80 Views
  • Uploaded on
  • Presentation posted in: General

This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific. Model Checking of Systems Employing Commutative Functions. A.Prasad Sistla, Min Zhou, Xiaodong Wang presented by Min Zhou University of Illinois at Chicago. Outline.

Download Presentation

Model Checking of Systems Employing Commutative Functions

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Model checking of systems employing commutative functions

This talk is about how you can find lots of bugs in real code by making compilers aggressively system specific

Model Checking of Systems Employing Commutative Functions

A.Prasad Sistla, Min Zhou, Xiaodong Wang

presented by Min Zhou

University of Illinois at Chicago


Outline

Outline

  • Transition Diagram(TD) and Symbolic State Graph

  • Predicate Template and bisimulation ~0

  • Extended Predicate Template and bisimulation ~k

  • Experiment Results

  • Conclusion


Transition diagram td

We only consider such TDs who only have assignments:

x:=c

c is a constant

x:=y

y is another variable

x:=φ(x)

φ is a unary function;

each such φ in a TD is commutative with each other:

φ1 φ2 = φ2φ1

Transition Diagram(TD)

a≤y y++

1

a:=x,x++

0

b:=x,x++

2

b≤y x:=0,y:=0

Variables:a,b,x,y


Symbolic state graph

Symbolic State Graph

  • Sym_Reach(G, u) = (S0,R0, L0)

s.lc

s.val

s.exp

location

  • variables  expressions

  • s.exp(x): the composition of functions that were applied to x since last time a constant was assigned

  • variables  values

  • s.val(x): the latest constant assigned to variable x


How to construct symbolic state graph

How to construct Symbolic State Graph

TD

x:=c

x:=φ(x)

x:=y

s1.exp(x)=φ(s0.exp(x))

s1.exp(x)=x

s1.exp(x)=s0.exp(y)[x/y]

q1

q1

q1

s1

s1

s1

s0

q0

q0

s0

s0

q0

s1.val(x)=s0.val(x)

s1.val(x)=c

s1.val(x)=s0.val(y)


Symbolic states

Symbolic States

  • act_state(s) = (s.lc, h) where h(x) = s.exp(x){s.val(x)}

Symbolic

States

actual

states


Symbolic state graph1

a  y y++

1

1,(0,0,0,0)

(a,b,x+1,y)

s1

0,(0,0,0,0)

(a,b,x,y)

a:=x,x++

0

b:=x,x++

s0

s2

2

0,(0,0,0,0)

(a,b,x+1,y+1)

b  y x:=0,y:=0

s3

2,(0,0,0,0)

(a,b,x+1,y)

Symbolic State Graph

val

TD:

lc

exp


Our goal

Our Goal

  • Define a bisimulation relation over symbolic states

  • For every location q, define a predicate template ptemplates(q)

  • s ~0 t require they are equivalent w.r.t ptemplates(s.lc)


Predicate template

p

f

Predicate Template

var(p) X*

predicate, derived from guards and correctness formula


What should be in ptemplates q

x:=y

x:=c

p(x)

p(x)

q1

q1

q

q

qi

qi

What should be in ptemplates(q)

  • (AP,fid) U (guard(q), fid)Є ptemplates(q)

x:= φ1(x)

x:=φ2(x)

(P, fid) Є ptemplates(q)

p(x)

q1

q

qi

x:=φ(x)

(P,f(x) = y) Є ptemplates(q)

(P, f(x)=) Є ptemplates(q)


Example

p0: x  y

p1: a  y

p2: b  y

Formula: (x  y)

Ptemplates(1)={

(p0, fid),

(p1, fid),

(p1, a  x),

(p2, b  x)}

a  y y++

1

a:=x,x++

0

b:=x,x++

2

b  y x:=0,y:=0

Example


Bisimulation 0

Instantiate predicate templates in states:

(p(xi), xi yi) [s] = p [(s.exp (yi) /xi ) { xi/ yi }], where yi  

Eg:

Define ~0as follows: for any two states s and t, s ~0 t iff

s.lc = t.lc, s.val = t.val

(p, f) Є ptemplates(s.lc), (p, f)[s] (p, f)[t]

Bisimulation ~0

  • p: x1 < c

  • s.exp(x1): x1+1

  • s.exp(x2): x2+2

  • (p,x1  x2 ) [s] =

  • (s.exp (x2) < c){ x1/x2 } =

  • (x1+2 < c)

  • an implicit universal quantifier over the free variables


Theorem 1 0 is a bi simulation on the symbolic state graph sym reach g u

Proof idea:

assume s0 ~0t0 (p,fid) Є ptemplates(q1)

In this case, (p,fid) Є ptemplates(q0)

so we have (p,fid)[s0] (p,fid)[t0]

x:=φ(x)

s1.exp(x)=φ(s0.exp(x))

q1

q0

s1.val(x)=s0.val(x)

s1

t1

s0

t0

Theorem 1 ~0is a bi-simulation on the symbolic state graph Sym_Reach(G, u).


Theorem 1 0 is a bi simulation on the symbolic state graph sym reach g u1

Now We show

(p,fid)[s1] (p,fid)[t1]

(p,fid)[s0] (p,fid)[t0] 

x P[s0.exp(x)]  P[t0.exp(x)] 

x P[s0.exp(φ (x))]  P[t0.exp(φ (x))]

x P[φ (s0.exp(x))]  P[φ (t0.exp(x))] 

x P[s1.exp(x)]  P[t1.exp(x)]

x:=φ(x)

s1.exp(x)=φ(s0.exp(x))

q1

q0

s1.val(x)=s0.val(x)

s1

t1

s0

t0

Theorem 1 ~0is a bi-simulation on the symbolic state graph Sym_Reach(G, u).

By commutation


Extension of bisimulation 0

P(x)

P(x)

P(x)

si

ti

qi

s

q

t

Extension of Bisimulation ~0

  • If (p,f) Є ptemplates(q), we require (p,f)[s]  (p,f) [t] even in above case.

  • Not necessary. Only need when this path is feasible for these two states

TD:

X

X


Bisimulation k

P(x)

qi

q

P(x)

ti

t

ti-k

Bisimulation ~k

  • Only in this case, we require (p,f)[s]  (p,f) [t]

P(x)

si

s

si-k

feasible, length = k


Model checking of systems employing commutative functions

~k

  • In ~k , we require a conditional equivalence

  • Lemma ~k+1  ~k,

  • but ~k+1 need more computation


Example of a td for which 0 1

q2

x2=0 

x1++

x1 20 

x1++, x2++

q0

q1

q4

x1=0 

x2 ++

q3

x2  20 

Example of a TD for which ~0  ~1

any two states of the form

(q1,(0,0), (x1 + c 0, x2 + c’ 0))

are bisimular w.r.t ~1


Experiment results

taken from T.Bultan 1999

Experiment Results


Circular queue

taken from T.Bultan 1999

Circular Queue


Sliding window

Sliding Window


Conclusion and future work

Conclusion and future work

  • Defined a non decreasing chain of bisimulation

  • Can be used in a class of infinite systems

  • ~k can be checked on-the-fly

  • Need investigate how to combine with static analysis


  • Login