
Liveness with Counter Abstraction

Liveness with Counter Abstraction. Amir Pnueli, Jessie Xu and Lenore Zuck. The Problem: the Parameterized Verification Problem. Given a system and a property f, does S(N) satisfy f for every N? Lesson from experience…





Presentation Transcript


  1. Liveness with Counter Abstraction. Amir Pnueli, Jessie Xu and Lenore Zuck

  2. The Problem: The Parameterized Verification Problem. Given a system and a property f, does S(N) satisfy f for every N?

  3. Lesson from Experience… In order to verify a reactive system: • if it is finite-state, model check it • if it is infinite-state, verify it deductively. But abstraction makes it all simpler!

  4. Data Abstraction. Verifying that an infinite-state system S satisfies a property f using abstraction: • abstract the system into a simpler finite-state system that admits more behaviors • abstract the property accordingly • model check the abstract system with respect to the abstract property • conclude that the concrete system satisfies the concrete property

  5. Counter Abstraction. Assumptions on the concrete system: • the control variable of each process ranges over 0,…,L • the shared variables are y1,…,yb • there are no local variables. The variables of the counter-abstracted system are • K_0,…,K_L : {0,1,2} • Y_1,…,Y_b, where K_l = 0 if no process is in control location l, K_l = 1 if there is exactly one process in control location l, and K_l = 2 if there are at least two processes in control location l


  7. A Toy Example: Mutex. Fairness requirements: Justice: Compassion:

  8. A Toy Example: Mutex. Safety property, mutual exclusion: Liveness property, individual accessibility: (true only with fairness)

  9. A Toy Example: Mutex

  10. A Toy Example: Mutex. Concrete safety property, mutual exclusion: Abstract safety property, mutual exclusion:

  11. Mutex after Counter Abstraction (graphical representation). Safety follows trivially!

  12. Abstracting the Justice Requirement. From the concrete justice requirement, since a process that is not in control location 2 is either in control location 0 or in control location 1, we can obtain the abstract requirement

  13. Verifying Liveness in Mutex. Unfortunately the abstract justice requirement doesn't discard any states, so any liveness property that is not valid for Mutex without justice cannot be proven in this abstract system

  14. Strengthening Justice Requirements. Conclusion: we need to derive more/stronger fairness requirements. How? We provide 4 guidelines (in two slides…)

  15. Strengthening Justice Requirements. If the concrete system contains the justice requirement then we can safely add the abstract justice requirement. Why?

  16. Strengthening Justice Requirements. If the concrete system contains the justice requirement then we can safely add the abstract justice requirement. Why? • suppose a state satisfies the abstract condition (exactly one process at location l) • then there exists exactly one process, say i, in location l • the process i violates its justice requirement • to fulfill it, it must exit location l sometime in the future • when it exits, the abstract condition (no process at l) must hold, since another process cannot enter location l (execute a transition) at the same step

  17. Strengthening Justice Requirements

  18. Strengthening Justice Requirements. Emerges from a transition whose guard is a condition on shared variables and leads only to

  19. Strengthening Justice for Mutex From the concrete justice and the concrete compassion we can conclude the concrete justice

  20. Strengthening Justice for Mutex Automatically obtained

  21. Verifying Liveness using Counter Abstraction. Counter abstraction does not allow us to observe the behavior of an individual process, thus we cannot verify the liveness property of individual accessibility. We can, however, verify the liveness property of communal accessibility (livelock freedom), which is abstracted to

  22. Verifying Liveness Model Checking [LP85]

  23. Verifying Liveness: Model Checking [LP85] • Extract from the state-transition graph the sub-graph of pending states • A pending state is any state which is reachable from a p-state by a q-free path • Show that the extracted sub-graph contains no infinite fair path • Decompose the sub-graph into maximal SCCs • Show that each of them violates some fairness requirement


  26. Verifying communal accessibility for Mutex. To establish the property we have to remove all states that are not on a q-free path reachable from a p-state

  27. Verifying communal accessibility for Mutex

  28. Verifying communal accessibility for Mutex • Each maximal SCC (each node) violates the abstract justice requirement • Hence communal accessibility holds!
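Added example, not from the slides or the paper: the counter abstraction of slide 5 and the [LP85] pending-states/SCC check of slides 23-28, run on a constructed three-location toy mutex (idle, trying, critical, one semaphore y). The program, the abstract state encoding and the two fairness sets WEAK and STRONG are assumptions; WEAK alone fails to prove communal accessibility (the situation of slide 13) and STRONG succeeds.

```python
# Constructed toy mutex (an assumption, not the paper's Mutex): locations 0 idle, 1 trying,
# 2 critical; one shared semaphore y. Rows: (from, to, guard on y, new y).
TRANS = [(0, 1, lambda y: True, lambda y: y),
         (1, 2, lambda y: y == 1, lambda y: 0),
         (2, 0, lambda y: True, lambda y: 1)]
INIT = (2, 0, 0, 1)   # abstract state (K_0, K_1, K_2, y): at least two idle processes, y = 1
def successors(s):
    K, y = list(s[:3]), s[3]
    out = set()
    for src, dst, guard, eff in TRANS:
        if K[src] == 0 or not guard(y):
            continue
        # one process moves src -> dst; K = 2 means ">= 2" so it may drop to 1 or stay 2, saturate at 2
        for ks in ((0,) if K[src] == 1 else (1, 2)):
            K2 = K[:]; K2[src] = ks; K2[dst] = min(2, K2[dst] + 1)
            out.add(tuple(K2) + (eff(y),))
    return out

def closure(start, keep=lambda t: True):   # states reachable from start through kept states
    seen, todo = set(start), list(start)
    while todo:
        for t in successors(todo.pop()):
            if keep(t) and t not in seen:
                seen.add(t); todo.append(t)
    return seen

def mutex_safe():   # abstract mutual exclusion: no reachable state has two processes at 2
    return all(s[2] != 2 for s in closure([INIT]))

def nontrivial_sccs(nodes):   # maximal SCCs of the subgraph that can carry an infinite path
    fwd = {u: closure([t for t in successors(u) if t in nodes], lambda t: t in nodes) for u in nodes}
    comps, done = [], set()
    for u in nodes:
        if u not in done:
            c = {v for v in nodes if v == u or (v in fwd[u] and u in fwd[v])}
            done |= c
            if len(c) > 1 or u in fwd[u]:
                comps.append(c)
    return comps

def communal_accessibility(justice):
    # LP85: pending states = reachable from a (p and not q)-state by a q-free path, with
    # p = some process trying (K_1 >= 1), q = some process critical (K_2 >= 1); the property
    # holds iff every nontrivial pending SCC violates some justice J, i.e. contains no J-state
    p, q = (lambda s: s[1] >= 1), (lambda s: s[2] >= 1)
    pend = closure([s for s in closure([INIT]) if p(s) and not q(s)], lambda t: not q(t))
    return all(any(not any(J(s) for s in c) for J in justice) for c in nontrivial_sccs(pend))

# WEAK: slide-16 justice, K_l = 1 cannot persist when the lone process at l has an always-enabled
# exit (locations 0 and 2). STRONG adds, as an assumption in the spirit of slides 15-19, that
# "K_1 >= 1 and y = 1" cannot persist: the only exit from location 1 needs y = 1 and falsifies it.
WEAK = [lambda s: s[0] != 1, lambda s: s[2] != 1]
STRONG = WEAK + [lambda s: not (s[1] >= 1 and s[3] == 1)]
```

Calling mutex_safe(), communal_accessibility(WEAK) and communal_accessibility(STRONG) returns True, False and True: safety holds in the abstraction, but liveness is provable only with the strengthened justice set.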

  29. Counter Abstraction Save One. To prove individual accessibility: • counter abstract all the processes except one • model check that the abstract system composed with one concrete process satisfies the liveness property for the concrete process

  30. Counter Abstraction Save One - Mutex. Graphical representation of Mutex under counter abstraction save one

  31. Counter Abstraction Save One - Mutex. Considering the compassion requirement and the fact that no state satisfies the abstract condition, we can remove all states satisfying it

  32. Counter Abstraction Save One - Mutex

  33. Counter Abstraction Save One - Mutex • Each maximal SCC (each node) violates the abstract justice requirement • Hence individual accessibility holds!

  34. Adding Compassion Requirements. Consider program TERMINATE and the liveness property. The counter abstraction of the program is: The abstracted liveness property is:

  35. Adding Compassion Requirements. The counter abstraction of the program is: The abstracted liveness property is: From the concrete justice requirement we obtain the abstract justice requirement. The computation can stay forever in a state which violates the liveness property!

  36. Adding Compassion Requirements

  37. Adding Compassion Requirements • Augment the system with two auxiliary variables

  38. Adding Compassion Requirements • Augment the system with two auxiliary variables • For each transition: if the condition holds, set the first variable; else set the second • Add the resulting requirement to the concrete compassion requirements • For every justice requirement, include the corresponding abstract requirement • Counter abstract the augmented system

  39. Verifying Liveness for TERMINATE. The transition graph for augmented TERMINATE. Abstract compassion: Abstract justice (obtained from the concrete justice using the auxiliary variables): Hence the liveness property holds!

  40. Success with Counter Abstraction • Szymanski's mutual exclusion algorithm • The Bakery Algorithm (shared variables are unbounded) • Probabilistic mutual exclusion protocol
