Download - Scope-bounded Multistack Pushdown Systems: - f ixed- p oint - s equentialization - tree-width
Scope-bounded Multistack Pushdown Systems:
- fixed-point- sequentialization - tree-width
1
Salvatore La Torre Gennaro Parlato (U. Salerno, Italy) (U. Southampton, UK)
Multi-stack Pushdown Systems (MPS)
• n stacks sharing a finite control
– configurations: s, , , … ,
– transitions:• push one symbol onto stack i• pop one symbol from stack i• internal move: stacks stay unchanged, only control
location is altered
• problem: control-state reachability
1 2 n
Multi-stack Pushdown Systems (MPS)
• Interesting model for concurrency– allows accurate modeling of the control flow of
concurrent programs with shared memory and recursive procedure calls
• Too expressive– two stacks suffice to encode a Turing machine
• Several decidable restrictions in literature
bounded context-switch (round) runs
round 1
round 2 bouded
moves on stack 1
moves on stack 2
moves on stack 3
round 3
round 4
round 5
round 6
round 7
… … … …
bounded round reachability is decidable [Qadeer-Rehof, TACAS’05 ] (solution based on automata)
bounded round analysis (compositional)
moves on stack 1
moves on stack 2
moves on stack 3
computeinterface
for stack 1
computeinterface
for stack 2
computeinterface
for stack 3
computeinterface
for stack 1 + stack 2
computeinterface
for stack 1 + stack 2 + stack 3
- Sequentialization [Lal-Reps, CAV’08 ]- Interfaces & Getafix [La Torre-Madhusudan-Parlato, PLDI’09, CAV’10, FIT’12 ]
Tools based on compositional alg.Sequentialization (programming languages)
– Poirot+Corral (MSR) [Lahiri-Lal-Qadeer, POPL’11, CAV’12]
– Cseq (code-to-code translation for C prgms + Pthread) [Cseq+ESBMC. Fischer-Inverso-Parlato,
SV-COMP’13]
Model-Checkers for Boolean programs (abstracted device drivers)
– Getafix [La Torre – Madhusudan - Parlato, PLDI’09, CAV’10]
beyond bounded-round restriction: scope-bounded runsmoves on
stack 1moves on stack 2
moves on stack 3
… … …
Decidable reachability [La Torre-Napoli, CONCUR’11 ]• solution based on automata,• compositional ???
Fix a bound k.A run is k-scope if
for all push, pop. ( matching(push, pop)∧ (round(pop) – round(push) ≤ k ))pop
push
What is this talk about?
Compositional algorithm for bounded-scope reachability
can be implemented as a
– fixed-point (using interfaces)
– sequentialization (from multi to one stack)
Bounded-scope multiply nested words have bounded tree-width
– decidability of reachability, LTL, …, MSO
Compositional algorithm for bounded-scope reachability
• fixed-point• sequentialization
9
compositional algorithm (fixed point)
interfacestack 1
interfacestack 2
interfacestack 3
interfacestack 4
The compositional algorithm for bounded rounds won’t work• we don’t know a bound on # of needed rounds (semi-algorithm)
Our solution computes the cross product of interfaces in parallel
interface decomposition for k-scopeevery k-scope interface can be obtained as a concatenation of several k-round interfaces
simpleconcatenation
k-scope
k-round
k-scope
k-round
<- first round
last -> round
overlappingconcatenation
q
compositional algorithm (fixed point)
initial -> control
state
interfacestack 1
interfacestack 2
interfacestack 3
interfacestack 4
Init: insert an initial interface for stack 1 with at most k roundsRules: (Add) concatenate a feasible interface (with at most k rounds) to the stack interface with the lowest incomplete round
(Remove) if the first tracked round is complete then remove it Termination: one line left with the target control state at the end
target <- state
Always reaches a fixed point:
- configuration: O( k*n) control states ^ ^ | | #scope #stacks
Comparison with bounded-round restriction - bounded rounds requires only O( k ) control states - n cannot be eliminated from O (k n) (additional price to pay)
Sequentialization
13
Code-to-code translation as a plug-in for sequential verification tools
A convenient way to get new tools for conc. programs …
Sequ. tool
Concsequtranslation
Instrumentationfor the Sequ. tool
Concurrent Program
T1 T2 Tn
shared vars
…
Sequ.program
Concurrent Program
features of a good sequentialization
A direct simulation doesn’t lead to scalable solutions:
state: C1 X C2 X … X Cn X Shared
Simulation: at each step non-deterministically simulate one move of a thread
- data structures for the configurations (n stacks)
State space explosion !
Avoid cross product (compositional)• 1 stack for the simulation• 1 local state, fixed # of shared states
Conc. & Sequ. Programs are in the same class• i.e. no additional data structures to simulate parallelism• Example: concurrent Boolean programs Boolean (sequential) program
Parameterized: increasing the parameter • more behaviors are captured• at the expense of more computational resources
Explore as many behaviors as possible
related work (sequentialization)Up 2 context-switches (KISS) [Qadeer-Wu, PLDI’04]
bounded-round schedules & finite # of threads • Eager [Lal-Reps, CAV’08]• Lazy [La Torre-Madhusudan-Parlato, CAV’09]
bounded-round schedule & parameterized programs• Lazy [La Torre, Madhusudan-Parlato, CAV’10, FIT’12]
Delay-bounded schedules (thread creation) [Emmi-Qadeer-Rakamaric, POPL’11]
Bounded semantics
[Bouajjani-Emmi-Parlato, SAS’11]
from fixed point to sequentializationFixed-point algorithm Init: insert an initial interface for stack 1 with at most k roundsRules: (Add) Fill any hole with a feasible interface with at most k rounds
(Remove) If the first tracked line is complete then remove it Termination: one line left with the target control state at the end
SequentializationOur fixed point leads to a straightforward sequentialization (1stack+2kn shared vars)
Global variables: 2k copies of the shared variable to store tuple-interfaceAdditional functions: - INTERFACE( thread_id ); // non-deterministically build an interface for thread thread_id - Init() // implements Init - remove_first_round() //implements Remove rule - add_interface() //implements Add rule
Code-to-code translation:Init();while (true) { if (Remove) remove_first_round(); else add_interface(); if (termination) ERROR; }
bounded-scope runs =>
bounded tree-width of k-scope
multiply nested words
18
nested words
• A nested word NW graph captures the behavior of a run– The stack is compiled down into the nested word (nesting edges)
push push push int int pop int pop int push int pop pop
q1 q2 q3 q4 q5 q6 q7 q8 q9 q10 q11 q12 q13 q14
final
multiply nested words (MNW)
A MNW graph captures the behavior of an MPS run– Stacks are compiled down into the graph (nesting edges)– One nesting relation per stack
push1 push1 push1
push2 push2
pop1
pop2
pop1 int
push1
pop2
pop1 pop1
decidability for multistack systems [Madhusudan-Parlato, POPL’11]Several decidable restrictions of Multistack pushdown systemslead to bounded tree-width multiply nested wordsDecidability: Courcelle/Seese theorem
– bounded-contexts [Rehof - Qadeer, TACAS’05]– bounded-phases [La Torre – Madhusudan - Parlato, LICS’07]– ordered (Breveglieri – Cherubini – Citrini - Crespi Reghizzi, Int. J. Found. Comput. Sci.’95]– Parameterized pushdown automata with k-rounds
[La Torre - Madhusudan – Parlato, CAV’10]
– Delay bounded [Emmi – Qadeer – Rakamarik, POPL’11] – Bounded semantics [Bouajjani – Emmi - Parlato, SAS’11]
– Bounded-Scope [La Torre - Napoli, CONCUR’11] (More details in the “Verification of Infinite-State Systems” talk)
Conclusions
22
Conclusions & Future WorkBounded-scoped model-checkingCompositional algorithm
– Fixed point algorithm• can be encoded in Getafix [La Torre - Madhusudan - Parlato, PLDI’09]
– Sequentialization (under-approximation)• code-to-code translation (for C programs + Pthread library) • sequential tool can be used to analyze concurrent programs• empirical evaluation (can we find new bugs?)
[Multi-Pushdown Systems with Budget. Abdulla-Atig-Rezine-Stenman - ‘12]
bounded tree-width runs + MSO definable [MSO decidability of multi-pushdown systems via split-width. Cyriac - Gastin - Kumar, CONCUR’12]
– reachability/LTL Seese/Courcelle’s theorem (decidable) [A temporal logic for multi-threaded programs. La Torre - Napoli, IFIP TCS’12] [LTL model-checking for multithreaded programs under scope-bounding.
Atig, Bouajjani, Kumar, Saivasan – ATVA’12]