Theory-Aided Model Checking of Concurrent Transition Systems

Guy Katz, Clark Barrett, David Harel

New York UniversityWeizmann Institute of Science

2

Compositional VerificationA divide and conquer verification approach

No need to explore all composite states

𝑃 𝜑⊨

𝜑1⊨𝜑2⊨𝜑3⊨

3

The DifficultiesAutomation

1. Partition the system into modules2. Choose “good” module properties3. Prove module properties4. Prove global property

A very difficult problem!

4

Our ApproachTrade generality for effectiveness

◦ Do well on specific classes of programs

We present a fully automatic, compositional approach◦ Handle concurrent programs written in the RWB

model◦ Based on SMT solving

5

Transition

Systems

An SMT-Driven Process

SMTSolver

Arithmetic Arrays

Input program

SAT (unsafe)or

UNSAT (safe)

Assertion:

Transition

Systems

6

A Theory of Transition SystemsDecision procedure: state space traversal

Look for known patterns in the input◦ Generate lemmas for other theory solvers

Lemmas allow other theories to aid in the verification◦ Prune the search space◦ Can significantly reduce verification time

7

AgendaRWB Transition Systems

A Theory of Transition Systems

Programs with Shared Arrays

Periodic Programs

Experimental Results

8

AgendaRWB Transition Systems

A Theory of Transition Systems

Programs with Shared Arrays

Periodic Programs

Experimental Results

9

Request / Wait / Block (RWB)RWB programs have events and threads

Threads synchronize and declare1. Requested events 2. Waited-for events 3. Blocked events

Trigger an event that is requested and not blocked

Inform threads that requested / waited-for the event

10

B-s

Block

Wait

Request

Threads

The Execution Cycle

11

requested and not blocked at rightmost states◦ Precisely every 6 steps

Toy Example

𝑅=0 ,10

0 ,1

0

0 ,1

𝑅=0 ,10

Trace: Trace: Trace: Trace: Trace: Trace: Trace:

12

Why RWB?RWB idioms are common

◦ Publish / Subscribe systems◦ Supervisory control◦ Live Sequence Charts (LSCs)◦ Behavioral Programming

The strict synchronization mechanism facilitates reasoning about individual threads

Makes finding module properties easier

13

AgendaRWB Transition Systems

A Theory of Transition Systems

Programs with Shared Arrays

Periodic Programs

Experimental Results

14

The Transition System (TS) Solver Input:

◦ Formulas describing RWB threads◦ An assertion that the program is unsafe

A deadlock state is reachable Safety reducible to deadlock freedom

Output:◦ SAT if the property is violated (+ counter-example)◦ UNSAT if the property holds

15

Basic Decision Procedure𝑞0

𝑞1𝑞3

𝑞2

¬𝑠𝑎𝑓𝑒(𝑠)

¬𝑠𝑎𝑓𝑒 (𝑠 )

¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞0)

¬𝑠𝑎𝑓𝑒 (𝑠 )

¬𝑠𝑎𝑓𝑒 (𝑠 )⊥

START

DECIDE DECIDE

DECIDE

UNSAT

𝑞0

𝑞1

𝑞2

𝑞3

¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞1)¬𝑑𝑒𝑎𝑑𝑙𝑜𝑐𝑘(𝑞2)

SATTheory-valid lemmas:

16

Pattern MatchingDuring state space traversal, TS looks for

thread patterns◦ Structural properties of threads◦ Checked on each thread separately (compositionally)

When a pattern applies, lemmas are generated◦ From the languages of other theory solvers◦ The SMT core handles the interfaces

Other solvers can then curtail the search space

17

Property: never

7 composite states

Pattern Matching: Example

𝑅=0 ,10

0 ,1

0

0 ,1

𝑅=0 ,10

𝐵=0 ,1

1

18

𝑅=0 ,10

0 ,1Looped thread:

Step index determines state

Recognizing looped threads:Every state has successor

Also looped

Looped Threads

0

0 ,1

𝑅=0 ,10

19

𝑝1 𝑝2𝑅=0 ,10

0 ,1

𝑝2 𝑞10

0 ,1

𝑞2 𝑞3𝑅=0 ,10

Where can be triggered?◦ Only where it is not blocked

Generate the lemma:

Generating Lemmas

𝑞3

This part of the lemma:

indicates that state is reachable

The SMT core asserts it to the arithmetic solver

If no such exists, return UNSAT ◦ State is unreachable

Otherwise continue from state ◦ Skip intermediate states

Generating Lemmas (cnt’d)

Matchers implemented as C++ classes

Take the input transition systems, answer yes/no◦ If pattern holds, invoked every time a new state is visited◦ Get to generate lemmas

Internally, very flexible ◦ Compute strongly connected components◦ Check when events are always blocked / never requested◦ Threads are small, so this is cheap

Restriction: don’t construct the composite state graph!

Implementing Pattern Matchers

The technique is useful only when a pattern applies

Can a few stored patterns apply to many programs?◦ Examples in next sections

Adding patterns is amortized over future applications

Portfolio approach: quickly recognize that no pattern matches

Limitations

23

AgendaRWB Transition Systems

A Theory of Transition Systems

Programs with Shared Arrays

Periodic Programs

Experimental Results

24

Shared Arrays in RWBLocally, threads can use any construct

◦ Arrays, lists, etc

Inter-thread shared arrays – only through RWB

25

Example: A Shared Bit

Read by simultaneously requesting ◦ The “wrong” value will be blocked

Can generalize to arbitrary shared arrays

𝑠1

𝑠0

𝐵=𝑟𝑒𝑎𝑑(0)

𝑤𝑟𝑖𝑡𝑒 (0)𝑤𝑟𝑖𝑡𝑒 (1)

𝐵=𝑟𝑒𝑎𝑑(1)

26

Leveraging Shared ArraysRecognize shared arrays in the input threads

◦ Extract arity, read / write events, initial value, etc◦ Sometimes it is used unintentionally

Check if violations occur only in certain configurations◦ Sometimes certain configurations are the violation

During state traversal, generate lemmas when a shared memory cell becomes fixed◦ Write events always blocked / never requested

The array theory solver can then curtail the search

27

Example: Tic Tac ToeGoal: complete a row, column or diagonal

If no mistakes are made, game always ends in a draw

XX

O

X

X

O

X

X

O O

X

X

O O X

X

O X

O O X

X X

O X

O O X

X X

O X

O O X

28

Implementing Tic Tac ToeProgram plays , player plays

◦ Goal: never lose

Board modeled as a shared array with 3-valued elements

Rule threads, strategy threads◦ Blocking used to prevent multiple writes to each

cell

29

Verifying Tic Tac ToeProgrammer: I’ve covered all cases in which

wins by taking the upper row. Let’s test that!

A state is bad if has the upper row◦ A certain configuration of the array

Generate lemma:

30

ExampleBoard:

DECIDE: DECIDE: DECIDE: DECIDE:

◦ Array theory solver raises a conflict◦ Backtrack, without exploring successor states

¬safe state (q1 )⇒𝑏𝑜𝑎𝑟𝑑 [4 ]=𝑋

¬safe state (q4 )⇒𝑏𝑜𝑎𝑟𝑑 [1 ]=𝑂¬safe state (q3 )⇒𝑏𝑜𝑎𝑟𝑑 [0 ]=𝑋¬safe state (q2 )⇒𝑏𝑜𝑎𝑟𝑑 [8 ]=𝑂

31

AgendaRWB Transition Systems

A Theory of Transition Systems

Programs with Shared Arrays

Periodic Programs

Experimental Results

32

Periodic ProgramsSingle processor scheduling problems

Each task has ◦ period ◦ execution time ◦ priority (static/dynamic)

Programs have nice arithmetic properties

Periodic Programs in RWBA task that needs to be scheduled requests

an event

Priorities expressed by blocking less urgent tasks

Pattern matcher checks this on individual threads

Then generates arithmetic lemmas about time instances when a violation can occur

34

ExampleTS Theory Arithmetic

Theory𝑥

𝑥=143…,

𝑥=513…,

UNSAT, property holds

35

AgendaRWB Transition Systems

A Theory of Transition Systems

Programs with Shared Arrays

Periodic Programs

Experimental Results

36

Experimental ResultsBenchmarks: periodic programs and program

with shared arraysAverage speedup:

1 9 17 25 33 41 49 57 65 73 81 89 971051000

10000

100000

1000000

10000000

100000000CVC4BPMC

Number of Solved Instances

Tim

e (s

econ

ds)

37

1 2 3 4 5 6 7 8 9 101000

10000

100000

1000000

10000000CVC4BPMC

Number of Solved Instances

Tim

e (s

econ

ds)

Experimental Results (cnt’d)Larger example: a web-serverAverage speedup:

38

ConclusionAutomatic compositional verification of RWB

programs

Added a theory of transition systems to CVC4

Traverse state space and look for patterns◦ When a pattern is found, generate lemmas◦ Other theories can then curtail the search space

Examples:◦ Programs with shared arrays◦ Periodic programs

39

Future WorkSupport additional models beyond RWB

Add more patterns

Improve the portfolio approach

40

Questions

Thank You!