reachability graphs
TRANSCRIPT
![Page 1: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/1.jpg)
Page 1
Reachability Graphs
Reading Assignment
• G. S. Avrunin, U. A. Buy, J. C. Corbett, L. K. Dillon and J. C. Wileden, "Automated Analysis of Concurrent Systems with the Constrained Expression Toolset," IEEE Transactions on Software Engineering, 17 (11), November 1991, pp. 1204-1222.
• M. B. Dwyer, L. A. Clarke, J. M. Cobleigh, G. Naumovich " Flow Analysis for Verifying Properties of Concurrent Software Systems," ACM Transactions on Software Engineering and Methodology, Vol. 13, No. 4, October 2004, pp. 359-430.
![Page 2: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/2.jpg)
Page 2
Analyzing Concurrent & Distributed Systems
• Dynamic analysis approaches • Monitor and replay • Coverage criteria • Specification-based evaluation
• FSAs and QREs • Temporal Logics
• Static analysis approaches
Static analysis approaches for concurrent & distributed systems
• Reachability graphs and reachability analysis • Petri nets and Petri net based analysis • CFGs and CFG based analysis
• Finite State Verification • Model checking • Flow equations • Dataflow analysis
![Page 3: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/3.jpg)
Page 3
Reachability Graph • models state space
• Each node represents a possible state in a distributed system • States represent the value of all the variables, including the program counter for each task
• If we only consider the value of the program counter for each task then each state is a vector where the ith element is the current program counter of the ith task • <pc1,i; pc2,j; …pcr,l> • Coarse-grained representation of a RG; doesn’t consider values of variables
Reachability Graph
• Typically, each edge represents progress in a single task • Multiple concurrent events may be possible, but allowing only single events captures all states and simplifies the graph structure (interleaved execution model)
• Only have multiple tasks progress when required by the semantics of the programming construct • E.g., rendezvous
• Only contains states that are potentially reachable from the start state
![Page 4: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/4.jpg)
Page 4
Reachability Graph Example
b1
e1
q
begin
T2.Q
end
b2
e2
q’
begin
Accept Q
end
task control flow graphs T1 T2
e1,e2
b1,b2
q,e2 e1,q’
q,q’
b1,q’ q,b2
Reachability graph
waiting for q? Need to distinguish before a rendezvous from after a rendezvous
Reachability Graph Example (clarified)
b1
e1
q
begin
T2.Q
end
b2
e2
q’
begin
Accept Q
end
task control flow graphs T1 T2
b1,b2
e1,e2
q,e2 e1, q’
r(q, q’)
b1,b_q’ b_q,b2
Reachability graph
b_q means that a task is blocked at q
r(q, q’) means that the rendezvous between q and q’ occurs
![Page 5: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/5.jpg)
Page 5
Alternative: Show both tasks blocked before a rendezvous
r(q, q’)
b1,b_q’ b_q,b2 b_q,b2 b1,b_q’
r(q, q’)
b_q, b_q’
Use a worklist to build the reachability graph
b1
e1
q
begin
T2.Q
end
b2
e2
q’
begin
Accept Q
end
task control flow graphs T1 T2
b1,b2
e1,e2
q,e2 e1, q’
r(q, q’)
b1,b_q’ b_q,b2
Reachability graph
Worklist: <b1,b2> <b_q,b2> <b1,b_q’>
<r(q,q’)> <e1,q’><q,e2> <e1,e2>
![Page 6: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/6.jpg)
Page 6
begin begin!
T2.Q !Accept Q!
T2.Q !Accept Q!
end end!
Infeasible synchronization
Infeasible synchronization??
begin begin!
T2.Q!
Accept Q!T2.Q!
end end!
T1! T2!
Infeasible synchronizations
precise up to symbolic execution
begin begin!
T2.Q ! Accept Q!
T2.Q ! Accept Q!
end end!
1
2
5
6
4
3
8
7
1,5
b_2, 5
r(3, 7)
1, b_6
2, b_7 b_3, 6
r(2, 6)
3,8 4,7
4,8
![Page 7: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/7.jpg)
Page 7
Another example
begin begin!
T2.Q!
Accept Q!T2.Q!
end end!
T1! T2!
1
2
5
4
6
8
7 3
synchronizations
1,6
b_2,6 1,b_7 3,6
2,8 3,7
R(2,7)
4,8 5,7
5,8
5,b_7
R(4,7)
3,b_7 5,6
b_4,6
b_4,8
3,8 b_4,7
Another example
begin begin!
T2.Q!
Accept Q!T2.Q!
end end!
T1! T2!
1
2
5
4
6
8
7 3
1,6
b_2,6 1,b_7 3,6
2,8 3,7
R(2,7)
4,8 5,7
5,8
5,b_7
R(4,7)
3,b_7 5,6
b_4,6
b_4,8
3,8 b_4,7
deadlock
![Page 8: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/8.jpg)
Page 8
Analysis of the reachability graph
• State based • Look at individual nodes
• E.g., deadlock • (sub)Path based
• Sequences of states
State based analysis
• Check some characteristic of each reachable state • E.g., deadlock, race conditions • E.g., can a reader be reading and a writer writing at the same time?
• To solve, examine each state in graph for the characteristic
![Page 9: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/9.jpg)
Page 9
State based analysis
1,5
b_2, 5
r(3, 7)
1, b_6
2, b_7 b_3, 6
r(2, 6)
3,8 4,7
4,8
<r,r>
<r,r>
<r,r>
<r,w>
Usually ref/def info represented via bit vectors for each node:
1 w 1 1 1 r
x c b a
Path based analysis
• Checking characteristics of sequences of events in the reachability graph • Examples:
• Must always write at least once before reading • Is it not possible to have a consumer consume before a
producer produces? • To solve, we examine all paths in the graph for the
sequence • Number of paths may be infinite • Can use dataflow state propagation to check path based
properties • Creates equivalence classes of nodes with respect to the
property being examined
![Page 10: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/10.jpg)
Page 10
Reachability graph based flow analysis
1,5
b_2, 5
r(3, 7)
1, b_6
2, b_7 b_3, 6
r(2, 6)
3,8 4,7
4,8
write
read read
Shared Resource Example for a Reactive System
• Provide access to a shared resource • Only one thread should
access the resource at a time
• CyclicBarrier • Found in
java.util.concurrency • Allows a set of threads
to all wait for each other to reach a common barrier point
![Page 11: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/11.jpg)
Page 11
Example Program with 2 threads
Reachability Graph
x, pc1, pc2
![Page 12: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/12.jpg)
Page 12
Reachability Graph
100
x, pc1, pc2
Reachability Graph
100
x, pc1, pc2
![Page 13: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/13.jpg)
Page 13
Reachability Graph
110
x, pc1, pc2
Reachability Graph
x, pc1, pc2
![Page 14: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/14.jpg)
Page 14
Checking Properties
1. Freedom from deadlock • Are there any nodes
without outgoing edges?
Checking Deadlock
x, pc1, pc2
![Page 15: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/15.jpg)
Page 15
Checking Properties
1. Freedom from deadlock • Are there any nodes without
outgoing edges? 2. Mutual exclusion
• Are there any nodes with both PCs on line 3?
Checking Mutual Exclusion
x, pc1, pc2
![Page 16: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/16.jpg)
Page 16
Checking Properties
1. Freedom from deadlock • Are there any nodes without outgoing edges?
2. Mutual exclusion • Are there any nodes with both PCs on line 3?
3. Liveness • The resource will eventually be used • Are there any reachable cycles in which the
resource is not used?
Checking Liveness
223 132
203 130
113 231
x, pc1, pc2
![Page 17: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/17.jpg)
Page 17
Checking Liveness
223 132
203 130
113 231
x, pc1, pc2
112 100
Checking Liveness
110
222
202
211
x, pc1, pc2
![Page 18: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/18.jpg)
Page 18
Checking Liveness
x, pc1, pc2
112
110
222
211
202
100
Reachability based analysis is inherently exponential
• Size of the reachability graph is exponential in the number of tasks • N nodes per task, T tasks worse case bound on the size of the graph: NT nodes in the reachability graph
• Data flow analysis is often quadratic in the size of the graph • (NT)2
![Page 19: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/19.jpg)
Page 19
Controlling Complexity of Reachability Analysis
• Don’t consider all interleavings of events, only consider “representative” interleavings • Valmari, Godefroid, Wolper, McDowell
• Use compositional techniques • Analyze reachable states of portions of the model and summarize
• Still have exponential worst-case upper bound
Additional Problems With Reachability Analysis
• Imprecision • Model may not capture all information about state • For example, may not model all variable values
• Aliasing may cause inclusion of events and states that are not actually possible
• Over-approximate executable paths • Can lead to the consideration of infeasible paths
![Page 20: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/20.jpg)
Page 20
Non-Conservative Techniques
• Non-conservative techniques may not find a problem even though one exists
• For reachability graphs, a common non-conservative technique is to bound the size of the graph • Limit depth of the graph (limit length of path from start state to
any node) • Limit number of loop iterations
• Non-conservative techniques may under-report errors • False negative
• Conservative techniques may over-report errors • False positive
Summary of Reachability Analysis
• Reachability analysis is intuitively appealing, but difficult to implement efficiently (sub- exponentially)
• Techniques exist to control state explosion, but they still carry an exponential upper bound • I.e., May be practical on some problems
• Looked at a CFG based reachability graph • Can also be constructed from Petri Net representations
![Page 21: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/21.jpg)
Page 21
Petri nets A Petri Net is a four-tuple, C=(P,T,I,O)
P = {p1, p2, ..., pn}, n ≥ 0 is a finite set of places
T = {t1, t2, ..., tm}, m ≥ 0 is a finite set of transitions
µ0 = {u01, u02, ..., u0n} the initial marking
I: T → P is the input function pi is an input place of a transition tj if pi ∈ I(tj)
O: T → P is the output function pi is an output place of a transition tj if pi ∈ O(tj)
M: P → integer is the number of tokens at place p
Petri Net
5 places, 1 transition
4 tokens
Input places
output places
![Page 22: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/22.jpg)
Page 22
Petri net firing rule
• A transition t is enabled if and only if ∀ pi ∈ I(t) , m(pi) › 0
• Firing an enabled transition t produces a new marking m’ • m’(pi) = m(pi)-1, ∀ pi ∈ I(t) • m’(pi) = m(pi)+1, ∀ pi ∈ O(t) • m’(pi) = m(pi) otherwise
Transition firing examples Can’t fire
![Page 23: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/23.jpg)
Page 23
Non-deterministic choice example
Synchronous task interaction • Initial marking has one token per task • Task interaction preserves the number of tokens per task
![Page 24: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/24.jpg)
Page 24
example with text_io: procedure main is
task T0; task T1 is
entry P; entry Q;
end T1; task T2;
begin NULL; end main;
task body T1 is package boolean_io is new text_io.enumeration_io(boolean); done: boolean; begin --(4)
loop --(5) select --(6)
accept P; --(7) or accept Q; --(8)
end select; boolean_io.get(done); exit when done;
end loop; -- (9) end T1; --(10)
task body T0 is begin --(1) T1.P; --(2) end T0; --(3)
task body T2 is begin --(11) T1.Q; --(12) end T2; --(13)
1 begin"
2 T1.P"
3 end"
4 begin"
5,6 select"
9"
7 accept P" 8 accept Q"
10 end"
11 begin"
12 T1.Q"
13 end"
CFG representation
1 begin"
2 T1.P"
3 end"
11 begin"
12 T1.Q"
13 end"
4 begin"
5,6 select"
9"
7 accept P" 8 accept Q"
10 end"
![Page 25: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/25.jpg)
Page 25
Petri net for example
rend Q!
begin! begin!begin!
P0!
P9!P4!
P7!
P10!P6!P5!P2!
P1!
P8!P3!
end!
loop!
end!
rend P
1 begin"
2 T1.P"
3 end"
11 begin"
12 T1.Q"
13 end"
4 begin"
5,6 select"
9"
7accept P"8accept Q"
10 end"
Reachability Analysis from a Petri net • The reachability graph, R = (N,E), for Petri net =
(P,T,I,O) • N = n1 , n2 , ..., nl , each ni corresponds to a Petri net
marking µi = {ui1, ui2, ..., uin} • E = {..., (nk, nr ) , ... } where there is a transition from pik
to pir and a series of markings that causes that transition to be taken
• reachability graph for a safe conservative Petri net with n places and k tokens can potentially have nk nodes • thus, reachability graphs for Petri nets are potentially
exponential in the number of tasks in the program.
![Page 26: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/26.jpg)
Page 26
Petri net reachability graph
< P0,P3,P8 >!
< P0,P3,P9 >!< P1,P3,P8 >!< P0,P4,P8 >!
rend Q!
begin! begin!begin!
rend P!
P0!
P9!P4!
P7!
P10!P6!P5!P2!
P1!
P8!P3!
end!
loop!
end!
Petri net reachability graph
< P0,P3,P8 >!
< P1,P3,P9 >!< P1,P4,P8 >!< P0,P4,P9 >!
< P0,P3,P9 >!< P1,P3,P8 >!< P0,P4,P8 >!
rend Q!
begin! begin!begin!
rend P!
P0!
P9!P4!
P7!
P10!P6!P5!P2!
P1!
P8!P3!
end!
loop!
end!
![Page 27: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/27.jpg)
Page 27
Petri net reachability graph
< P0,P3,P8 >!
< P1,P3,P9 >!< P1,P4,P8 >!< P0,P4,P9 >!
< P0,P3,P9 >!< P1,P3,P8 >!< P0,P4,P8 >!
< P0,P6,P10 >! < P2,P5,P8 >! < P1,P4,P9 >!
< P2,P5,P9 >!< P2,P4,P8 >!< P2,P7,P8 >!
< P1,P6,P10 >!< P0,P7,P10 >!
< P0,P4,P10 >!
< P2,P4,P9 >!< P2,P7,P9 >!< P1,P7,P10 > !< P1,P4,P10 >!
< P2,P7,P10 >!
< P1,P6,P10 >!< P2,P4,P10 >!
< P2,P5,P10 > !
rend Q!
begin! begin!begin!
rend P!
P0!
P9!P4!
P7!
P10!P6!P5!P2!
P1!
P8!P3!
end!
loop!
end!
Petri net reachability graph analysis • State properties
• checking some characteristic of each reachable state • examples: deadlock, critical races, multiple readers
• Path properties • Check for sequences of events
• Basically doesn’t matter if the reachability graph is derived from control flow graph or from Petri net models
![Page 28: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/28.jpg)
Page 28
deadlock detection
examine nodes with no out edges for deadlocks
< P0,P3,P8 >!
< P1,P3,P9 >!< P1,P4,P8 >!< P0,P4,P9 >!
< P0,P3,P9 >!< P1,P3,P8 >!< P0,P4,P8 >!
< P0,P6,P10 >! < P2,P5,P8 >! < P1,P4,P9 >!
< P2,P5,P9 >!< P2,P4,P8 >!< P2,P7,P8 >!
< P1,P6,P10 >!< P0,P7,P10 >!
< P0,P4,P10 >!
< P2,P4,P9 >!< P2,P7,P9 >!< P1,P7,P10 > !
< P2,P7,P10 >!
< P1,P6,P10 >!< P2,P4,P10 >!
< P2,P5,P10 > !
rend Q!
begin! begin!begin!
rend P!
P0!
P9!P4!
P7!
P10!P6!P5!P2!
P1!
P8!P3!
end!
loop!
end!
Problems with reachability analysis • complexity
• many reachability problems shown to be NP-complete • upper bound on graph size is
(average task size)(number of tasks) • commonly called the “state explosion problem” • 10 tasks, 10 states in each --> 10 billion states
• some contributors • consideration of all possible interleavings of events • nondeterminism
• reachability analysis still has the static analysis problems of imprecision • alias resolution • path infeasibility
![Page 29: Reachability Graphs](https://reader031.vdocuments.us/reader031/viewer/2022020700/61f4d7f45d885c2c112e44ac/html5/thumbnails/29.jpg)
Page 29
Benefits of Reachability Analysis • Can often be optimized to produce interesting results • E.g., SPIN, G. Holzmann, AT&T
• Works with a “simplified specification language,” Promela
• State Transition Model • Publicly available tool
• Don’t have to analyze the whole system • Can evaluate subsystems • Can evaluate specific configurations • Can evaluate high-level designs
• Better to find a problem earlier than later • For concurrent/distributed systems, provides some assurances