causality-based verification of multi-threaded programs€¦ · multi-threaded programs andrey...
TRANSCRIPT
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causality-Based Verification of Multi-threaded Programs
Andrey Kupriyanov and Bernd Finkbeiner
Saarland UniversityReactive Systems Group
August 28, 2013
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Causality
The relation between two events (the cause and the effect), where thesecond event is understood as a (necessary) consequence of the first.
In this talk
I Capturing causality by concurrent traces and their transformations
I Verification of concurrent programs based on causality
I How causality-based verification can bring exponential savings forsome classes of multi-threaded programs
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Causality
The relation between two events (the cause and the effect), where thesecond event is understood as a (necessary) consequence of the first.
In this talk
I Capturing causality by concurrent traces and their transformations
I Verification of concurrent programs based on causality
I How causality-based verification can bring exponential savings forsome classes of multi-threaded programs
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Verification of Safety Properties
System S |= G safe ?
Different flavors:
I Synchronized product of finite automata
I Communicating processes
I Multi-threaded programs
ComplexityThe problem is PSPACE-complete
Problem complexity is robust
I varying communication models (global/binary/shared vars)
I different sizes of the alphabet
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Verification of Safety Properties for Concurrent Systems
S = P1 ‖ P2 ‖ . . . ‖ PN |= G safe ?
Different flavors:
I Synchronized product of finite automata
I Communicating processes
I Multi-threaded programs
ComplexityThe problem is PSPACE-complete
Problem complexity is robust
I varying communication models (global/binary/shared vars)
I different sizes of the alphabet
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Verification of Safety Properties for Concurrent Systems
S = P1 ‖ P2 ‖ . . . ‖ PN |= G safe ?
Different flavors:
I Synchronized product of finite automata
I Communicating processes
I Multi-threaded programs
ComplexityThe problem is PSPACE-complete
Problem complexity is robust
I varying communication models (global/binary/shared vars)
I different sizes of the alphabet
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Verification of Safety Properties for Concurrent Systems
S = P1 ‖ P2 ‖ . . . ‖ PN |= G safe ?
Different flavors:
I Synchronized product of finite automata
I Communicating processes
I Multi-threaded programs
ComplexityThe problem is PSPACE-complete
Problem complexity is robust
I varying communication models (global/binary/shared vars)
I different sizes of the alphabet
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Introduction
Verification of Safety Properties for Concurrent Systems
S = P1 ‖ P2 ‖ . . . ‖ PN |= G safe ?
Different flavors:
I Synchronized product of finite automata
I Communicating processes
I Multi-threaded programs
ComplexityThe problem is PSPACE-complete
Problem complexity is robust
I varying communication models (global/binary/shared vars)
I different sizes of the alphabet
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Motivation
I Unless P = PSPACE , there is no scalable algorithm for thegeneral-case concurrent verification problem
I It is easy to manually prove/disprove the correctness of manyconcurrent programs
⇒ Investigate:
I Efficient (polynomial) proof techniques
I Classes of efficiently verifiable concurrent programs
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Motivation
I Unless P = PSPACE , there is no scalable algorithm for thegeneral-case concurrent verification problem
I It is easy to manually prove/disprove the correctness of manyconcurrent programs
⇒ Investigate:
I Efficient (polynomial) proof techniques
I Classes of efficiently verifiable concurrent programs
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Multi-threaded Programs with Locks
Syntax Semantics
acquire li li = 0 ∧ l ′i = 1 ∧ pc ′ = pc + 1
release li l′i = 0 ∧ pc ′ = pc + 1
if (ϕ) goto j (ϕ∧ pc ′ = j) ∨ (¬ϕ∧ pc ′ = pc + 1)
1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
A Polynomial Proof 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
i
a1
a2
pc1 ∈ [2, 3, 4]
pc2 ∈ [2, 4]
i
a2
a3
pc2 ∈ [2, 4]
pc3 ∈ [2, 3]
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplit
i r5
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplitNecessaryAction (l ′ = 1 l = 0)
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
NecessaryAction (pc ′2 = 1 pc2 = 4)Cover
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
A Polynomial Proof 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
i
a1
a2
pc1 ∈ [2, 3, 4]
pc2 ∈ [2, 4]
i
a2
a3
pc2 ∈ [2, 4]
pc3 ∈ [2, 3]
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplit
i r5
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplitNecessaryAction (l ′ = 1 l = 0)
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
NecessaryAction (pc ′2 = 1 pc2 = 4)Cover
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
A Polynomial Proof 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
i
a1
a2
pc1 ∈ [2, 3, 4]
pc2 ∈ [2, 4]
i
a2
a3
pc2 ∈ [2, 4]
pc3 ∈ [2, 3]
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplit
i r5
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplitNecessaryAction (l ′ = 1 l = 0)
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
NecessaryAction (pc ′2 = 1 pc2 = 4)Cover
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
A Polynomial Proof 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
i
a1
a2
pc1 ∈ [2, 3, 4]
pc2 ∈ [2, 4]
i
a2
a3
pc2 ∈ [2, 4]
pc3 ∈ [2, 3]
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplit
i r5
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplitNecessaryAction (l ′ = 1 l = 0)
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
NecessaryAction (pc ′2 = 1 pc2 = 4)Cover
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
A Polynomial Proof 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
i
a1
a2
pc1 ∈ [2, 3, 4]
pc2 ∈ [2, 4]
i
a2
a3
pc2 ∈ [2, 4]
pc3 ∈ [2, 3]
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplit
i r5
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplitNecessaryAction (l ′ = 1 l = 0)
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
NecessaryAction (pc ′2 = 1 pc2 = 4)
Cover
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
A Polynomial Proof 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
i
a1
a2
pc1 ∈ [2, 3, 4]
pc2 ∈ [2, 4]
i
a2
a3
pc2 ∈ [2, 4]
pc3 ∈ [2, 3]
i
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplit
i r5
a1
a3
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]
OrderSplitNecessaryAction (l ′ = 1 l = 0)
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
i
a1
a3
r5
a2
pc1 ∈ [2, 3, 4]
pc3 ∈ [2, 3]pc2 ∈ [2, 4]
NecessaryAction (pc ′2 = 1 pc2 = 4)Cover
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Object
StateA tuple of state components s = 〈p1, p2, . . . , pN〉 ∈ |P1|×|P2|×. . .×|PN |
State Inclusions = 〈p1, . . . , pN〉 ⊆ s ′ = 〈p′1, . . . , p′N〉 iff ∀i . pi ⊆ p′i
Trace (implicitely defined, for forward search)
For a state s, an equivalence class of all traces, ending in s:
s1, t1, . . . , sk , tk , sss ≡ s ′1, t′1, . . . , s ′m, t′m, sss
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Object
StateA tuple of state components s = 〈p1, p2, . . . , pN〉 ∈ |P1|×|P2|×. . .×|PN |
State Inclusions = 〈p1, . . . , pN〉 ⊆ s ′ = 〈p′1, . . . , p′N〉 iff ∀i . pi ⊆ p′i
Trace (implicitely defined, for forward search)
For a state s, an equivalence class of all traces, ending in s:
s1, t1, . . . , sk , tk , sss ≡ s ′1, t′1, . . . , s ′m, t′m, sss
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Object
StateA tuple of state components s = 〈p1, p2, . . . , pN〉 ∈ |P1|×|P2|×. . .×|PN |
State Inclusions = 〈p1, . . . , pN〉 ⊆ s ′ = 〈p′1, . . . , p′N〉 iff ∀i . pi ⊆ p′i
Trace (implicitely defined, for forward search)
For a state s, an equivalence class of all traces, ending in s:
s1, t1, . . . , sk , tk , sss ≡ s ′1, t′1, . . . , s ′m, t′m, sss
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Object
Concurrent TraceA labeled, directed, acyclic graph A = 〈N,E , ν, η〉:
I 〈N,E〉 is a graph with actions N and edges EI ν : N → Φ(V ∪ V ′)I η : E → Φ(V ∪ V ′)
labelings of actions/edges with transition predicates
Trace InclusionA = 〈N,E , ν, η〉 ⊆λ A′ = 〈N ′,E ′, ν′, η′〉 iff
I ∃ λ = 〈λN : N ′ → N, λE : E ′ → E〉.I for all n′ ∈ N ′ . ν(λN (n′)) =⇒ ν′(n′).I for all e′ ∈ E ′ . η(λE (e′)) =⇒ η′(e′).
x ′ = 0y ′ = 0
x + + y + +x > 1y > 1
x > 1
y > 1
x ′ = 0y ′ = 0
x + +
y + +
x > 1y > 1
x > 1
y > 1
x ′ = 0y ′ = 0
x > 1y > 1
⊆⊆⊆
⊆⊆ ⊆
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Object
Concurrent TraceA labeled, directed, acyclic graph A = 〈N,E , ν, η〉:
I 〈N,E〉 is a graph with actions N and edges EI ν : N → Φ(V ∪ V ′)I η : E → Φ(V ∪ V ′)
labelings of actions/edges with transition predicates
Trace InclusionA = 〈N,E , ν, η〉 ⊆λ A′ = 〈N ′,E ′, ν′, η′〉 iff
I ∃ λ = 〈λN : N ′ → N, λE : E ′ → E〉.I for all n′ ∈ N ′ . ν(λN (n′)) =⇒ ν′(n′).I for all e′ ∈ E ′ . η(λE (e′)) =⇒ η′(e′).
x ′ = 0y ′ = 0
x + + y + +x > 1y > 1
x > 1
y > 1
x ′ = 0y ′ = 0
x + +
y + +
x > 1y > 1
x > 1
y > 1
x ′ = 0y ′ = 0
x > 1y > 1
⊆⊆⊆
⊆⊆ ⊆
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Object
Concurrent TraceA labeled, directed, acyclic graph A = 〈N,E , ν, η〉:
I 〈N,E〉 is a graph with actions N and edges EI ν : N → Φ(V ∪ V ′)I η : E → Φ(V ∪ V ′)
labelings of actions/edges with transition predicates
Trace InclusionA = 〈N,E , ν, η〉 ⊆λ A′ = 〈N ′,E ′, ν′, η′〉 iff
I ∃ λ = 〈λN : N ′ → N, λE : E ′ → E〉.I for all n′ ∈ N ′ . ν(λN (n′)) =⇒ ν′(n′).I for all e′ ∈ E ′ . η(λE (e′)) =⇒ η′(e′).
x ′ = 0y ′ = 0
x + + y + +x > 1y > 1
x > 1
y > 1
x ′ = 0y ′ = 0
x + +
y + +
x > 1y > 1
x > 1
y > 1
x ′ = 0y ′ = 0
x > 1y > 1
⊆⊆⊆⊆⊆ ⊆
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
State Transition
For a state s: {t1, . . . , tn}, where s ti
−→ s ′i are transitions, enabled in s.
Seen as Trace Transformations
s1, t1, . . . , sss
s1, t1, . . . , s, t1, s ′1s
′1s′1 . . .. . .. . . s1, t1, . . . , s, t
n, s ′ns′ns′n
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
State Transition
For a state s: {t1, . . . , tn}, where s ti
−→ s ′i are transitions, enabled in s.
Seen as Trace Transformations
s1, t1, . . . , sss
s1, t1, . . . , s, t1, s ′1s
′1s′1 . . .. . .. . . s1, t1, . . . , s, t
n, s ′ns′ns′n
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a{φ′} b{¬φ}
R
a{φ′} b{¬φ}
x{φ ∧ ¬φ′}
Necessary Actionφ
¬φ
a
b
x
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a{φ′} b{¬φ}
Rfirst
a{φ′} b{¬φ}
x{φ ∧ ¬φ′}{φ ∧ φ′}
Necessary Actionφ
¬φ
a
b
x
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a{φ′} b{¬φ}
Rlast
a{φ′} b{¬φ}
x{φ ∧ ¬φ′} {¬φ∧¬φ′}
Necessary Actionφ
¬φ
a
b
x
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a
b
R1
a b
Order Split
R2
b a
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a{φ}
R1
a{φ ∧ ψ}
Action Split
R2
a{φ ∧ ¬ψ}
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a b{φ}
x{ψ}
R
a b{φ}
x{ψ ∧ φ}
Action Restriction
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Proof Rules
Causal Transitionτ : {τ1, . . . , τn} where τi : (L
ri−→ Ri ), are trace productions sharing thesame left-hand side L. τ is sound if the following holds:
∀A . A ⊆m L =⇒ L(A) ⊆⋃τi∈τ
L(τmi (A)
)
L
a b{φ}
x y{ψ}
R
a b{φ}
x y{ψ ∧ φ}
Edge Restriction
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Verification as a Search Problem: States vs Traces
beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do
take some q from Qif IsError(q) then
return unsafeelse
Q := Q ∪ Successors(q)
return safe
Search Object: State Concurrent Trace
InitialAbstraction(S): I I −→ E
IsError(q): q ∩ E 6= ∅ Linearizable(q)
Successors(q): StateTransition(q) CausalTransition(q)
FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q
?
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Verification as a Search Problem: States vs Traces
beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do
take some q from Qif IsError(q) then
return unsafeelse
Q := Q ∪ Successors(q)
return safe
Search Object: State Concurrent Trace
InitialAbstraction(S): I I −→ E
IsError(q): q ∩ E 6= ∅ Linearizable(q)
Successors(q): StateTransition(q) CausalTransition(q)
FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q
?
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Verification as a Search Problem: States vs Traces
beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do
take some q from Qif IsError(q) then
return unsafeelse
Q := Q ∪ Successors(q)
return safe
Search Object: State Concurrent Trace
InitialAbstraction(S): I I −→ E
IsError(q): q ∩ E 6= ∅ Linearizable(q)
Successors(q): StateTransition(q) CausalTransition(q)
FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q
?
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Verification as a Search Problem: States vs Traces
beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do
take some q from Qif IsError(q) then
return unsafeelse
Q := Q ∪ Successors(q)
return safe
Search Object: State Concurrent Trace
InitialAbstraction(S): I I −→ E
IsError(q): q ∩ E 6= ∅ Linearizable(q)
Successors(q): StateTransition(q) CausalTransition(q)
FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q
?
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Verification as a Search Problem: States vs Traces
beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do
take some q from Qif IsError(q) then
return unsafeelse
Q := Q ∪ Successors(q)
return safe
Search Object: State Concurrent Trace
InitialAbstraction(S): I I −→ E
IsError(q): q ∩ E 6= ∅ Linearizable(q)
Successors(q): StateTransition(q) CausalTransition(q)
FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q
?
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Verification as a Search Problem: States vs Traces
beginset Q ←− InitialAbstraction(S)while not FixedPoint(Q) do
take some q from Qif IsError(q) then
return unsafeelse
Q := Q ∪ Successors(q)
return safe
Search Object: State Concurrent Trace
InitialAbstraction(S): I I −→ E
IsError(q): q ∩ E 6= ∅ Linearizable(q)
Successors(q): StateTransition(q) CausalTransition(q)
FixedPoint(Q): ∀q ∈ Q .Succesors(q) ⊆ Q
?
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Looking Closer into State Fixed-point...
State Fixed-point
∀q ∈ Q .Succesors(q) ⊆ Q
Seen as Trace Fixed-point
sss
s, t1, s1s1s1
s, t2, s2s2s2
s, t1, s1, t3, s3s3s3
s, t1, s1, t4, s4s4s4
s, t1, s1, t3, s3, t5, s5s5s5
s, t1, s1, t4, s4, t6, s6s6s6
s, t1, s1, t4, s4, t7, s7s7s7
Trace Fixed-point
There is no finite trace between I and E .
Alternatively: any trace between I and E should have infinite length!
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Looking Closer into State Fixed-point...
State Fixed-point
∀q ∈ Q .Succesors(q) ⊆ Q
Seen as Trace Fixed-point
sss
s, t1, s1s1s1
s, t2, s2s2s2
s, t1, s1, t3, s3s3s3
s, t1, s1, t4, s4s4s4
s, t1, s1, t3, s3, t5, s5s5s5
s, t1, s1, t4, s4, t6, s6s6s6
s, t1, s1, t4, s4, t7, s7s7s7
Trace Fixed-point
There is no finite trace between I and E .
Alternatively: any trace between I and E should have infinite length!
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Looking Closer into State Fixed-point...
State Fixed-point
∀q ∈ Q .Succesors(q) ⊆ Q
Seen as Trace Fixed-point
sss
s, t1, s1s1s1
s, t2, s2s2s2
s, t1, s1, t3, s3s3s3
s, t1, s1, t4, s4s4s4
s, t1, s1, t3, s3, t5, s5s5s5
s, t1, s1, t4, s4, t6, s6s6s6
s, t1, s1, t4, s4, t7, s7s7s7
Trace Fixed-point
There is no finite trace between I and E .
Alternatively: any trace between I and E should have infinite length!
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
pc1 = 2pc2 = 2
ie
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i pc1 = 1 ∧ pc′1 = 2
l = 0 ∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1
pc1 = 2pc2 = 2
epc1 = 2
pc2 = 2
a1
a2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4
5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1
a1
a2
pc1 = 2pc2 = 2
epc1 = 2
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1
a1
a2
pc1 = 2pc2 = 2
e
pc1 = 2
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 4 ∧ pc ′1 = 5l ′ = 0
pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1
a1
a2
pc1 = 2pc2 = 2
e
pc1 = 2
pc2 = 2
r1
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc2 = 2 ∧ pc ′2 = 3l ′ = 0
ir2
pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1
pc1 = 2
a1
a2
pc1 = 2pc2 = 2
e
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings 1
2
3
4
5
a1 : ack l1
a4 : ack l2
r4 : rel l2
r1 : rel l1
1
2
3
4
5
a2 : ack l1
r2 : rel l1
a5 : ack l1
r5 : rel l1
1
2
3
4
5
a3 : ack l1
a6 : ack l3
r3 : rel l1
r6 : rel l3
1
2
3
4 5
6
⊥⊥⊥7
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc2 = 2 ∧pc ′2 = 3l ′ = 0
ir2
pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1
pc1 = 2
a1
a2
pc1 = 2pc2 = 2
e
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings
Theorem (Soundness of Trace Unwinding)
If there exists a correct causal trace unwinding for P, where everycausal path is either contradictory or unbounded, then P is safe.
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings
Theorem (Soundness of Trace Unwinding)
If there exists a correct causal trace unwinding for P, where everycausal path is either contradictory or unbounded, then P is safe.
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Unwindings
Theorem (Soundness of Trace Unwinding)
If there exists a correct causal trace unwinding for P, where everycausal path is either contradictory or unbounded, then P is safe.
⇓
Trace Tableau = Trace Unwinding+ abstract labels + covering relation
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
pc1 = 2pc2 = 2
ie
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i pc1 = 1 ∧ pc′1 = 2
l = 0 ∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1
pc1 = 2pc2 = 2
epc1 = 2
pc2 = 2
a1
a2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4
5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1
a1
a2
pc1 = 2pc2 = 2
epc1 = 2
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧ l ′ = 1
a1
a2
pc1 = 2pc2 = 2
e
pc1 = 2
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 4 ∧ pc ′1 = 5l ′ = 0
pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1
a1
a2
pc1 = 2pc2 = 2
e
pc1 = 2
pc2 = 2
r1
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc2 = 2 ∧ pc ′2 = 3l ′ = 0
pc1 = 2pc2 = 2
ei
r2
pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1
pc1 = 2
a1
a2
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
1
2
3
4 5
6
⊥⊥⊥7
abstract
concrete
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 2pc2 = 2
e
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc1 = 1 ∧ pc ′1 = 2l = 0 ∧ l ′ = 1
a1pc1 = 2pc2 = 2
epc1 = 2
pc ′1 = 1pc ′2 = 1pc ′3 = 1
i
pc2 = 2 ∧pc ′2 = 3l ′ = 0
pc1 = 2pc2 = 2
ei
r2
pc1 = 1 ∧ pc ′1 = 2l = 0∧ l ′ = 1
pc2 = 1 ∧ pc ′2 = 2l = 0 ∧l ′ = 1
pc1 = 2
a1
a2
pc2 = 2
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causal Trace Tableaux
Theorem (Soundness)
If there exists a correct and complete causal trace tableau for a parallelprogram P, then P is safe.
Theorem (Completeness)
If a parallel program P with finite-state quotient is safe, then thereexists a correct and complete causal trace tableau for P.
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causality-based Verification: Conclusion
We propose to shift emphasis from state space exploration tocausality-based proof search:
+ We capture causality by concurrent traces and their transformations
+ More powerful proof object allows to better exhibit causalrelationships
+ More powerful proof rules lead to substantially shorter proofs
-
Causality-BasedVerification ofMulti-threaded
Programs
Andrey Kupriyanovand Bernd Finkbeiner
Introduction
Motivation
Programs with Locks
Concurrent Proofs
Proof Object
Proof Rules
Verification Algorithm
States vs Traces
Trace Unwindings
Trace Tableaux
Conclusion
Causality-based Verification: Conclusion
We propose to shift emphasis from state space exploration tocausality-based proof search:
+ We capture causality by concurrent traces and their transformations
+ More powerful proof object allows to better exhibit causalrelationships
+ More powerful proof rules lead to substantially shorter proofs
Reduces the complexity from exponential to polynomial for theimportant class of multi-threaded programs.
IntroductionMotivationPrograms with Locks
Concurrent ProofsProof ObjectProof Rules
Verification AlgorithmStates vs TracesTrace UnwindingsTrace Tableaux
Conclusion