Verification of Dynamic Message Passing Systems Thomas Wies AVACS Spring School 2010 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A AAA A

Motivation Verify concurrent systems with synchronization via message passing unbounded dynamic process creation dynamic communication topology

A Publish/Subscribe Service in Scala sealed abstract class Category case object Cat1 extends Category... case object CatN extends Category case object List case class Categories(cats: Set[Category])... class Server extends Actor { def loop(enl: Map[Category,Set[Actor]]){ val cats = Set(Cat1,...,CatN) react { case List => { reply(Categories(cats)) react { case Subscribe(c) => loop(enl + c -> (enl(c) + sender)) } case Unsubscribe(c) => loop(enl(c) + c -> (enl(c) - sender)) case Publish => { reply(Who) react { case Credential => if (*) { reply(Categories(cats)) react { case Content(c) => enl(c).forall( _ ! Content(c)) loop(enl) } } else { reply(Deny) loop(enl) } override def act() = loop({_ => EmptySet}) } class Subscriber(server: Actor) extends Actor { def loop(cat: Category): Unit = { if (*) { react { case Content(c) => if (c != cat) error("...")... } } else { server ! Unsubscribe(cat) exit('normal) } override def act(): Unit = { server ! List react { case Categories(cats) => val cat = cats.choose loop(cat) } class Publisher(server: Actor) extends Actor { override def act(): Unit = { server ! Publish react { case Who => reply(Credential) react { case Categories(cats) => val c = cats.choose reply(Content(c)) if (*) act() else exit('normal) case Deny => exit('badCredential) }

A Publish/Subscribe Service in Scala Server Subscriber Publisher server enl(Cat1) Subscriber server enl(Cat2) Subscribe(Cat1) sender

A Publish/Subscribe Service in Scala Server Subscriber Publisher server enl(Cat1) Subscriber server enl(Cat2) Subscribe(Cat1) sender enl(Cat1)

A Publish/Subscribe Service in Scala Server Subscriber Publisher server enl(Cat1) Subscriber server enl(Cat1) server enl(Cat2) Content(Cat1) sender

A Publish/Subscribe Service in Scala Server Subscriber Publisher server enl(Cat1) Subscriber server enl(Cat1) server enl(Cat2) Content(Cat1) sender Content(Cat1) sender Infinite state system number of Subscriber and Publisher processes and number of messages in mailboxes can grow unboundedly Infinite state system number of Subscriber and Publisher processes and number of messages in mailboxes can grow unboundedly

Semantics Interleaving of local transitions of processes. Processes have an associated name finitely many control states finitely many parameters (denoting names of other processes) an associated mailbox (unbounded but unordered)

Semantics Interleaving of local transitions of processes. In each local transition a process may change its control state change the value of one of its parameters receive a message from its mailbox (blocking) send a message to a process it knows create a new process

Semantics Global configurations are graphs nodes model –processes (node labels are control state) –messages (node labels are message kinds) edges model –mailboxes –process parameters –message data

Semantics More formal DCS [Bauer, Schaefer, Toben, Westphal 2006] Dynamic I/O automata [Attie, Lynch 2001] ¼-calculus [Milner, Parrow, Walker 1992] Actors [Agha 1986] …

Server Subscriber server enl(Cat1) Content(Cat1) sender “The server link of a Subscriber always points to a Server” “Subscribers only receive content they are enlisted to” “No process ever reaches a local error state” Verification of Safety Properties Shape Invariants

Overview Part I – Decidability Part II – Abstraction

Turing Completeness State machine C counter 1 C next C CC counter 2 Encoding of a two counter machine Are there any interesting fragments with decidable verification problems? Are there any interesting fragments with decidable verification problems?

Depth-Bounded Systems (DBS) [Meyer 2008] Definition A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable configurations. Definition A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable configurations. The actual definition is in terms of ¼-calculus processes.

Depth-Bounded Systems (DBS) Server Subscriber Publisher server enl(Cat1) Subscriber server enl(Cat1) server enl(Cat2) Content(Cat1) sender Content(Cat1) sender maximal length of any simple path is 5

What is Decidable for DBS? DBSs are well-structured transition systems [Meyer 2008].  Termination is decidable What about reachability? Reset nets are DBSs [Meyer, Gorrieri 2009].  Reachability is undecidable for reset nets [Dufourd et al.1998] and thus for DBSs

The Covering Problem init bad Given a transition system and a bad configuration decide whether there is a reachable configuration that “covers” the bad one.

Server Subscriber server enl(Cat1) Content(Cat2) sender Application: verify absence of bad patterns “Subscribers only receive content they are enlisted to” The Covering Problem The covering problem is decidable for DBSs [Wies, Zufferey, Henzinger FoSSaCS’10] The covering problem is decidable for DBSs [Wies, Zufferey, Henzinger FoSSaCS’10]

Well-Quasi-Orderings Definition A relation · µ S £ S is a well-quasi-ordering iff · is a quasi-ordering (reflexive and transitive) for any infinite sequence s 1, s 2, … there are i < j such that s i · s j Definition A relation · µ S £ S is a well-quasi-ordering iff · is a quasi-ordering (reflexive and transitive) for any infinite sequence s 1, s 2, … there are i < j such that s i · s j Examples identity relation on a finite set order on the natural numbers multiset extension of a well-quasi-ordering (Higman’s lemma)

Well-Structured Transition Systems (WSTS) [Finkel 1987] Definition A WSTS is a tuple (S, init, !, · ) where (S, init, ! ) is a transition system · is a well-quasi-ordering on S · is compatible with the transition relation ! : for all s, t, s’ 2 S with s ! s’ and s · t there exists t’ 2 S with t ! t’ and s’ · t’ Definition A WSTS is a tuple (S, init, !, · ) where (S, init, ! ) is a transition system · is a well-quasi-ordering on S · is compatible with the transition relation ! : for all s, t, s’ 2 S with s ! s’ and s · t there exists t’ 2 S with t ! t’ and s’ · t’ Examples Petri nets lossy channel systems ss’ tt’

Upward and Downward-Closures "X"X X · Y · "Y"Y " X = {y 2 S | 9 x 2 X. x · y}

Backward Algorithm for the Covering Problem of WSTS bad " bad pre( " bad) … pre k ( " bad) init

Backward Algorithm for the Covering Problem of WSTS bad " bad pre( " bad) … pre k ( " bad) init …

Depth-Bounded Systems as WSTS Depth-bounded systems form WSTS for their reachable configurations and the quasi-ordering “ “ induced by subgraph isomorphism Next we show that “ “ is a well-quasi-ordering on the reachable configurations

Closure of a Tree Add edges according to transitive closure of the edge relation Every (undirected) graph is contained in the closure of some tree.

Tree-Depth of a Graph Definition The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contain G. Definition The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contain G. v1v1 v2v2 v4v4 v3v3 v5v5 v1v1 v2v2 v4v4 v3v3 v5v5 height is 2 tree depth is 2

Tree-Depth and Depth-Bounded Systems Proposition A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths. Proposition A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.  the reachable configurations of a depth-bounded system have bounded tree-depth.

Tree Encodings of Depth-Bounded Graphs v1v1 v2v2 v4v4 v3v3 v5v5 v1v1 v2v2 v4v4 v3v3 v5v5 G tree(G) Number of labels used in the encoding is finite.

Homeomorphic Tree Embedding ¹ tree(G 1 ) ¹ tree(G 2 ) implies G 1 G 2 We can show for all graphs G 1, G 2 :

Kruskal’s Tree Theorem Theorem [Kruskal 1960] Homeomorphic tree embedding is a well-quasi- ordering on finite labeled trees. Theorem [Kruskal 1960] Homeomorphic tree embedding is a well-quasi- ordering on finite labeled trees.  subgraph isomorphisms induce a better-quasi- ordering on the reachable configurations of a depth- bounded system. Theorem [Laver 1971] Homeomorphic tree embedding is a better-quasi- ordering on finite labeled trees. Theorem [Laver 1971] Homeomorphic tree embedding is a better-quasi- ordering on finite labeled trees.

Backward Algorithm for the Covering Problem of WSTS bad " bad pre( " bad) … pre k ( " bad) init Requirements · is decidable pre is effectively computable Requirements · is decidable pre is effectively computable

Backward Analysis of DBSs WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations reachability is undecidable so pre is not computable for the induced WSTS only option: if bound of the system is k, define WSTS wrt. the set of all graphs of depth at most k  termination of a backward analysis can only be ensured if the bound of the system is known a priori. Standard algorithm is not a decision procedure for the covering problem of DBS.

Backward Analysis is Impractical Server Subscriber server Subscribe(Cat1) sender Backward analysis has to guess sender (and other parameters) of sent messages  explosion in the nondeterminism

Backward Analysis is Impractical Server Subscriber server Subscribe(Cat1) sender Backward analysis has to guess sender (and other parameters) of sent messages  explosion in the nondeterminism This is similar to the aliasing problem for backward analysis of programs with pointers ?

Is there a forward analysis that decides the covering problem?

Forward Analysis of a WSTS init # init # post( # init) … # post k ( # init) bad

Forward Analysis of a WSTS init # init # post( # init) … # post k ( # init) bad We need “limits” of all downward-closed sets for termination.

Server Loop Acceleration à la Karp-Miller Server Subscriber Server ¾¾ + limit configuration Idea for loop acceleration Record which parts of a configuration can be duplicated.

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006] XY D wqo set ADL for X ° For every z 2 Y, °(z) is a downward-closed subset of X

X D wqo set ADL for X ° Y Every downward-closed subset of X is generated by a finite subset E of Y [ X E1E1 E2E2 E = E 1 [ E 2 Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]

Expand, Enlarge, and Check Theorem [Geeraerts, Raskin, Van Begin 2006] There exists an algorithm that decides the covering problem for WSTS with effective ADL. Theorem [Geeraerts, Raskin, Van Begin 2006] There exists an algorithm that decides the covering problem for WSTS with effective ADL. X1X1 Y1Y1 X2X2 Y2Y2 X2X2 Y2Y2 … µ X µ Y µ … µ µ µ µ µ Next: an ADL for depth-bounded systems

Server Loop Acceleration à la Karp-Miller Server Subscriber Server ¾¾ + limit configuration Idea for loop acceleration Record which parts of a configuration can be duplicated.

Content Server Limit Configurations Server Subscriber + + Content Server Subscriber Content ° … Denotation °(L) is downward-closure of all unfoldings of L

An ADL for Depth-Bounded Systems Server Subscriber + Theorem Limit configurations form an ADL for depth- bounded graphs. Theorem Limit configurations form an ADL for depth- bounded graphs. Corollary The EEC algorithm decides the covering problem for depth- bounded systems. Corollary The EEC algorithm decides the covering problem for depth- bounded systems.

Theorem [Finkel, Goubault-Larrecq 2009] The downward-closed directed subsets of a wqo set X form an ADL for X. Theorem [Finkel, Goubault-Larrecq 2009] The downward-closed directed subsets of a wqo set X form an ADL for X. Canonical Adequate Domain of Limits X A directed set for qo (X, · ) is a nonempty subset of X closed under upper bounds · · X D D1D1 D2D2 D3D3 D4D4 D5D5

= (Q,§,Q f,¢) Q = {p,q,r,s} § = {a,b,c} Q f = {p} ¢ = {a(²) → s b(²) → r c(sr * s) → q a(q + ) → p} Hedge Automata a cc a a a ab s s s s r qq p

To proof: For every directed downward-closed set, there exists a limit configuration with Proof Sketch Look at the tree encodings and construct a hedge automaton such that From construct the limit configuration.

Proof Sketch … … directed dc set

Further Related Work Meyer, Gorrieri 2009 – depth-bounded systems and place/transition nets Finkel, Goubault-Larreqc 2009 – Karp-Miller-style forward analysis of WSTSs with ADLs Ganty, Raskin, Van Begin 2006 – Forward analysis of WSTSs without ADLs Dam 1993, Amadio, Meyssonnier 2002 – decidable fragments of the ¼-calculus Sangiorgi 1996, Busi et al. 2003, Ostrovský 2005 – type systems for the ¼-calculus Bauer, Wilhelm 2007 – shape analysis for depth-bounded systems

Part II – Abstraction

Leader Election in a Ring

Safety property Goal: verify property for all rings  no longer a depth-bounded system

Leader Election in a Ring Safe inductive invariant 6 Challenges quantified invariants reasoning in complex theories Challenges quantified invariants reasoning in complex theories

Symbolic Analysis use of formulas to represent sets of states –simplicity abstract domain µ concrete domain abstraction ' logical entailment –soundness by construction use of automated reasoning procedures –automation (construction of abstract trans. graphs) –separation of concerns (black-boxing) –get leverage from automated reasoning community use of abstraction refinement –more automation (construction of abstract domain) –efficiency (targeted precision)

Existing tools: SLAM, BLAST, ARMC, MAGIC, SLAB, … Predicate Abstraction P 1 ´ x · 0 P 2 ´ y>0 … P1ÆP2Æ…P1ÆP2Æ… reachable states error states state space

: P 1, : P 2, : P 3 P 1, : P 2, : P 3 P 1, : P 2, P 3 P 1, P 2, : P 3 3-valued Shape Analysis [Sagiv, Reps, Wilhelm POPL’99] Partition state graphs according to a finite set of predicates on nodes. x next y null next P 1 (v) ´ next * (x,v) P 2 (v) ´ x = v P 3 (v) ´ null = v Abstract state graphs induce finite partitioning of the state space

Predicate abstraction use state predicates to finitely partition the transition graph. (3-valued) shape analysis use node predicates to finitely partition the state graphs to obtain state predicates that finitely partition the transition graph. In a Nutshell…

Shape Analysis = 2 Predicate Abstraction In a Nutshell… But the analogy only goes so far…

Symbolic Shape Analysis Credo apply not only idea but also the techniques of predicate abstraction in the context of shape analysis and take advantage of all the benefits Credo apply not only idea but also the techniques of predicate abstraction in the context of shape analysis and take advantage of all the benefits

Overview Boolean Heaps –generalizes predicate abstraction (infers universally quantified invariants) –uses key idea of 3-valued shape analysis (predicates on nodes in the state graphs) –enables use of automated reasoning procedures to construct abstract transition graph

Overview Boolean Heaps Counterexample-Guided Focus –novel CEGAR algorithm –enables use of automated reasoning procedures to automatically construct abstract domain automatically adapt precision of abstract transformer

Boolean Heaps [Podelski, Wies SAS’05] Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition graphs according to a finite set of predicates

Use idea of [Sagiv, Reps, Wilhelm 2002]: Partition graphs according to a finite set of predicates. Boolean Heaps Abstract state Abstract domain disjunctions of abstract states

Abstr. transformer for loop Most Precise Abstract Transformer

Abstr. transformer for loop Inductive invariant for Verification succeeds! Most Precise Abstract Transformer

reachable states error states Precision-Efficiency Tradeoff Number of abstract states is doubly-exponential in number of predicates Most precise abstract transformer is impractical expensive to construct keeps track of irrelevant information Solution: apply additional abstraction Most precise abstract transformer is impractical expensive to construct keeps track of irrelevant information Solution: apply additional abstraction

Cartesian Abstraction x y S S x £ S y SxSx SySy..., [Cousot, Cousot PPCA’95], [Ball, Podelski, Rajamani TACAS’01],… for abstracting sets of vectors

Cartesian Abstraction abstract states are sets of bit-vectors Cartesian abstraction applies abstr. transformer w/ Cartesian abstraction is efficiently implementable: –check entailments between QF formulas –number of entailment checks polynomial in number of predicates precise enough for many practical examples not precise enough for many practical examples

Inductive invariant for Verification succeeds! Inductive invariant for Verification fails! Abstract Transformer with Cartesian Abstraction 37 07,

Overview Boolean Heaps Counterexample-Guided Focus

Focus Common recipe in shape analysis –start from coarse but efficient abstract transformer –adapt precision to each individual program statement and individual data structures (partial concretization / materialization / focus) Problem Fine-tuning precision uniformly makes analysis again too precise (i.e., often inefficient) Exciting research direction Parameterized focus that adapts abstract transformer to the individual verification tasks e.g. [Manevich et al., 2004, 2007, 2009]

Fine-Tuned Focus Idea: take this direction to its logical extreme Fine-tune focus to the individual steps of the analysis of the individual verification task

reachable states error states Fine-Tuned Focus Instead of fixed uniform precision…

error states reachable states Fine-Tuned Focus …adapt precision locally and lazily.

Counterexample-Guided Focus [Podelski, Wies POPL’10] Idea: take this direction to its logical extreme Fine-tune focus to the individual steps of the analysis of the individual verification task This fine-tuning must be automated. We use counterexamples for this purpose.

analysis of abstract program produces spurious counterexamples spuriousness results from imprecise abstract transformer construct fine-tuned focus operator that locally adapts precision of abstract transformer –locally refine the abstract domain of the pre-image of the abstract transformer –locally refine the pre-image itself by splitting disjuncts below and above the universal quantifier –both refinements are guided by the spurious counterexample Counterexample-Guided Focus [Podelski, Wies POPL’10]

x y S S x £ S y SxSx SySy Loss of Precision under Cartesian abstraction splitting is guided by counterexamples

Effect of Counterexample-Guided Focus Inductive invariant for Verification succeeds! 37 Inductive invariant for Verification fails! 07

Nested Lazy CEGAR Loop outer loop refines abstract domain by inferring new predicates inner loop fine-tunes abstract transformer using counterexample-guided focus Progress theorem: every spurious counterexample is eventually eliminated

Bohne Implementation of Symbolic Shape Analysis (doubly-linked) lists lists with iterators sorted lists skip lists search trees trees w/ parent pointers threaded trees first root Verified data structure implementations: No manual adaptation of abstract domain / abstract transformer required.

Bohne Implementation of Symbolic Shape Analysis absence of runtime errors shape invariants -acyclic -sharing-free -doubly-linked -parent-linked -threaded -sorted … partial correctness first root Verified properties: No manual adaptation of abstract domain / abstract transformer required. We are currently extending the implementation to message passing systems.

Further Related Work Shape analysis three-valued shape analysis [Sagiv, Reps, Wilhelm 2002] –decision procedures in TVLA [Yorsh et al. 2004, …, Lev-Ami et al. 2006] –parameterized focus for concurrent programs [Manevich et al., 2004, 2007, 2009] … Predicate abstraction CE-guided refinement of abstract transformers [Das, Dill 2002] nested refinement for predicate abstraction [Ball et al. 2004] indexed predicate abstraction [Lahiri, Bryant 2004] lazy abstraction [Henzinger et al. 2002] lazy shape analysis [Beyer et al. 2006] Interpolants quantified Craig interpolants [McMillan 2008, Kovács, Voronkov 2009] abstractions from proofs [Henzinger et al. 2004] Template-based techniques [Gulwani et al. 2008, Srivastava, Gulwani 2009]