SS 2017 Software Verification SMT Solving, Partial Order Methods Prof. Dr. Holger Schlingloff 1,2 Dr. Esteban Pavese 1 (1) Institut für Informatik der Humboldt Universität (2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Recap Why are parallel programs error-prone? Typical concurrency bugs? Synchronization mechanisms in Java? Parallelism concept language? Difference of the SOS-semantics with and without || ? What does SMT stand for?

SMT Satisfiability modulo theories: Checking the satisfiability of a formula, where certain functions/relations are interpreted according to a particular mathematical theory Theory: set of axioms / consequences Theory of linear orders, natural numbers, reals, rings, fields, ... E.g., is (x+y=2) satisfiable? E.g., is (an+bn=cn  n>2) satisfiable? Slides partly borrowed from Cesare Tinelli, http://fm.csl.sri.com/SSFT11/Tinelli.pdf

SMT Satisfiability of quantifier-free formulas is decidable for many theories of interest in model checking Equality with “Uninterpreted Function Symbols” Linear Arithmetic (Real and Integer) Arrays (i.e., updatable maps) Finite sets and multisets Inductive data types (enumerations, lists, trees, . . . ) . . . Thanks to advances in SAT and in decision procedures, this can be done very efficiently by current SMT solvers SMT solvers differ from traditional theorem provers by having built-in theories, and using specialized methods to reason about them

Model Checking by SMT SMT-based model checking techniques blur the line between traditional model checking and deductive verification Different approaches, e.g., predicate abstraction, bounded model checking, backward reachability, temporal induction, ...

Example: Parametric Resettable Counter

Encoding the Transition Relation

Inductive Reasoning

Example Binomial Coefficient Vars x = (a, b, c, n, k, , , sc) Initialization I[x]: (a=nb=0c=1=1=1(sc=1sc=2)) Transition relation T[x,x’]: a’=ite(=3sc=1, a-1, a) b’=ite(=2sc=2, b+1, b) c’=ite(=2sc=1, c*a, ite (=4sc=2, c/b, c)) n’=n  k’=k  (sc’=1  sc’=2) ’=ite( =1sc=1, ite(a≠n-k, 2, 4), ite( =2sc=1, 3, ite(=3sc=1, 1, ))) ’=ite(=1sc=2, ite(b≠k, 2, 5), ite(=2sc=2, 3, ite(=3sc=2, ite(a+b≤n, 4, 3), ite(=4sc=2, 1, )))) a=n; b=0; c=1; :{ 1: while (a ≠ n-k) { 2: c=c*a; 3: a--; } 4: || 1: while (b ≠ k) { 2: b++; 3: await (a+b ≤ n); 4: c=c/b; } 5: }

Invariant for Binomial Coefficient Vars x = (a,b,c,n,k,,,sc) sc “scheduler”, values in {1,2} Invariant: Let P(i, j)=(c=(n*n-1*...*(n-i+1) / 1*2*...*j)) ({1,2,4} {1,2,5} P(n-a, b)) (=3  {1,2,5} P(n-a+1, b)) ({1,2,4} {3,4}P(n-a, b-1)) (=3  {3,4}P(n-a+1, b-1)) (=4  a=n-k)  (=5  b=k) Property to be proven: ( =4  =5  P(k,k)) follows directly from the invariant a=n; b=0; c=1; :{ 1: while (a!=n-k) { 2: c=c*a; 3: a--; } 4: || 1: while (b!=k) { 2: b++; 3: await (a+b ≤ n); 4: c=c/b; } 5: }

How to Come Up with an Invariant? In principle undecidable In practice, much progress has been done Annual workshops on invariant generation (WING) Keywords: weakest preconditions and strongest postconditions of statements Dijkstra’s wp-calculus: wp(skip, ) =  wp(x=t, ) = [x:=t] wp({1; 2}, ) = wp(1, wp(2, )) wp(if (b) 1 else 2, ) = ((b  wp(1, ))  (¬b  wp(2, ))) wp(while (b) , ) = ?

! This is a non-constructive definition ! Existence??? Examples wp(while (b) , ) = z (z)  z((b(z))  z’ (z’<z  wp(, (z’)))  z((¬b(z))  ) where  is a loop variant and < a wfo, z new var. ! This is a non-constructive definition ! Existence??? Examples wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10 wp({x=2*x; x=x-3}, x>7) = wp(x=2*x, wp(x=x-3, x>7)) = wp(x=2*x, x>10) = x>5 wp(if(a<b) a=b, a>=b) = ((a<b  wp(a=b, a>=b)  (a>=b  wp(skip, a>=b)) =((a<b  b>=b)  (a>=b  a>=b)) = T wp(while (i>0) i--, i==0) = i>=0

Break!

Partial Order Reduction The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily. To avoid discriminating against any particular ordering, the events are interleaved in all possible ways. For software model checking, all interleaving paths are analyzed (depth-first search) This can be very many (“state explosion problem“) But it may not be necessary: a=0; b=0; {a=a*a; a=a-5; || b=2*b+3; b=1-b;} Only one possible result, even with different interleavings! However, not always: a=0; {a*=a*a; a=a-5; || a=2*a+3; a=1-a;}

The ordering between “independent” transitions is largely meaningless Consider n transitions that can be executed concurrently. In this case, there are n! different orderings and 2n different states (one for each subset of the transitions) If the specification does not distinguish between these sequences, it is beneficial to consider only one with n+1 states. Basic question: When are concurrent transitions independent? Slides & pictures thanks to Ed Clarke, www.cs.cmu.edu/~emc/15817-f09/partialorder.pdf

The partial order reduction is aimed at reducing the size of the state space that needs to be searched It exploits the commutativity of concurrently executed transitions, which result in the same state The method consists of constructing a reduced state graph. The full state graph, which may be too big to fit in memory, is never constructed The behaviors of the reduced graph are a subset of the behaviors of the full state graph The justification of the reduction method shows that the behaviors that are not present do not add any information

There are various versions of the partial-order method: stubborn set method (Valmari 1990) ample set method (Peled 1993) persistent set method (Godefroid 1994) Consider two transitions to be independent only if whenever they are both enabled, they cannot disable one another, and the execution of both results in a unique state regardless of the order in which they are executed

DFS search with ample sets Goal is to reduce the number of states considered in model checking, while preserving the correctness of the property Will assume that a reduced state graph is first generated explicitly using depth-first search The model checking algorithm is then applied to the resulting state graph, which has fewer states and edges This speeds up the construction of the graph and uses less memory, thus resulting in a more efficient model checking algorithm From any given state, do not consider the set of all enabled transitions but an ample set, which is some sort of “minimal set of independent transitions” The calculation of ample(s) needs to satisfy three goals: When ample(s) is used instead of enabled(s), enough behaviors must be retained so DFS gives correct results Using ample(s) instead of enabled(s) should result in a significantly smaller state graph The overhead in calculating ample(s) must be reasonably small.

Pairs of transitions belonging to the same process are dependent Pairs of transitions that share a variable, which is changed by at least one of them, are dependent Pairs of transitions belonging to the same process are dependent Consider the following program: a=0; b=0; {1: a++; 2: await ()... || 1: b++; 2: b--} 1 and all  transitions are always enabled 1 1 and 1 1 lead to the same state Hence 1 and 1 are independent Problem The states reached after 1 and 1 may have other successors, which may not be explored if either is eliminated (e.g., 2: await (b=0)...)

Conditions on ample sets (C0) ample(s) is empty only if enabled(s) is empty (C1) If a transition  depends on some transition in ample(s), then  cannot be executed without some transition in the ample set occuring first Consider again the following program: a=0; b=0; {1: a++; 2: await (b=0) a++ || 1: b++; 2: b--} after a=0; b=0; enabled ={1, 1}, ample ={1} ample ={1} is not a valid choice, since 2 is disabled by 1 (i.e., 2 can be invoked before 1 is executed)

Preservation of LTL properties? Problem: the checked property might be sensitive to the ordering of independent transitions Solution disallow next-operator define “invisible” transitions : a transition is invisible when its execution from any state does not change the value of the propositions (C2) If enabled(s) ≠ ample(s), each transition in the ample set must be invisible

Eventualities? Problem: satisfaction of eventualities might be lost Solution similar to the normal LTL eventualities rule (C3) A cycle is not allowed if it contains a state in which some transition is enabled, but is never included in ample(s) for any state s on the cycle Correctness of partial order method For any model M and next-free LTL-formula φ, it holds that M ⊨ φ iff M‘ ⊨ φ, where M‘ is the reduced state graph If φ does not hold im M, a counterexample in M‘ is produced

Experimental Results Since the set ample(s) is not unique, heuristics can be used to construct it Construction of ample(s) should be fast in order not to spoil the speed-up On models with a lot of concurrency, partial order methods can exponentially improve the model checking process However, they do not combine well with symbolic (BDD based) methods