Model Checking of Systems Employing Commutative Functions - PowerPoint PPT Presentation

Learn more at: https://www.cs.uic.edu
Transcript and Presenter's Notes

1
Model Checking of Systems Employing Commutative Functions
  • A.Prasad Sistla, Min Zhou, Xiaodong Wang
  • presented by Min Zhou
  • University of Illinois at Chicago

2
Outline
  • Transition Diagram (TD) and Symbolic State Graph
  • Predicate Template and bisimulation ≡_0
  • Extended Predicate Template and bisimulation ≡_k
  • Experiment Results
  • Conclusion

3
Transition Diagram (TD)
  • We only consider TDs whose transitions carry assignments of three forms:
  • x := c, where c is a constant
  • x := y, where y is another variable
  • x := f(x), where f is a unary function
  • every pair of such functions f1, f2 occurring in a TD commutes with each other: f1 ∘ f2 = f2 ∘ f1

(Figure: an example TD with locations 0, 1 and 2 over the variables a, b, x, y; its edges are labelled with assignments of the three forms above.)
4
Symbolic State Graph
  • Sym_Reach(G, u) = (S0, R0, L0)
  • A symbolic state s has three components:
  • s.lc: the location
  • s.val: variables → values; s.val(x) is the latest constant assigned to variable x
  • s.exp: variables → expressions; s.exp(x) is the composition of the functions that were applied to x since the last time a constant was assigned to x
5
How to construct Symbolic State Graph
(Figure: construction of the symbolic state graph from the TD.)
6
Symbolic States
  • act_state(s) = (s.lc, h), where h(x) = s.exp(x)(s.val(x)), i.e. the composed functions applied to the latest constant
(Figure: several symbolic states and the actual states they map to.)
7
Symbolic State Graph
(Figure: the symbolic state graph beside the TD, with the lc, val and exp components of each state shown.)
8
Our Goal
  • Define a bisimulation relation over symbolic states
  • For every location q, define a set of predicate templates ptemplates(q)
  • s ≡_0 t requires that s and t are equivalent w.r.t. ptemplates(s.lc)

9
Predicate Template
  • A predicate template is a pair (p, f): p is a predicate derived from the guards and the correctness formula, with var(p) ⊆ X ∪ Y, where X is the set of TD variables and Y (the auxiliary variables yi used below) is disjoint from X; f is a substitution on the variables of p, and fid denotes the identity substitution
10
What should be in ptemplates(q)
  • (AP, fid) ∪ (guard(q), fid) ⊆ ptemplates(q), where AP are the atomic predicates of the correctness formula
  • Templates are also propagated backwards along edges: if q has an edge x := f(x) to a successor qi and (P, fid) ∈ ptemplates(qi) for a predicate P over x, then a template (P, f(x) …) ∈ ptemplates(q) whose substitution component records f applied to x
(Figure: location q with outgoing edges x := f1(x), x := f2(x) to successors q1 … qi, and the templates propagated back into ptemplates(q).)
11
Example
  • p0: x ? y
  • p1: a ? y
  • p2: b ? y
  • Formula: ??(x ? y)
  • ptemplates(1) = { (p0, fid), (p1, fid), (p1, a → x), (p2, b → x) }

12
Bisimulation ≡_0
  • Instantiate predicate templates in states:
  • (p(xi), xi → yi)_s = p[s.exp(yi)/xi][xi/yi], where yi ∈ Y
  • Example: p is x1 < c, s.exp(x1) = x1 + 1, s.exp(x2) = x2 + 2
  • (p, x1 → x2)_s = (s.exp(x2) < c)[x1/x2] = (x1 + 2 < c)
  • Define ≡_0 as follows: for any two states s and t, s ≡_0 t iff
  • s.lc = t.lc, s.val = t.val, and
  • ∀(p, f) ∈ ptemplates(s.lc): (p, f)_s ⇔ (p, f)_t
  • with an implicit universal quantifier over the free variables
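As an added example (not the authors' tool or any code from the talk), the Python below implements the symbolic-state components of slides 4 and 6 (lc, val, exp, the three transition forms, act_state) and the template instantiation and ≡_0 check of slide 12. It assumes the TD's unary functions are integer increments x := x + k, which commute with each other, so the composition s.exp(x) reduces to one offset; the location names, the predicate encoding (var + offset op rhs) and the sample states are constructed for the example.

```python
"""Symbolic states, template instantiation and the bisimulation ≡_0 (added
example, not the authors' tool).  Assumption: the unary functions of the TD
are integer increments x := x + k, which commute with each other, so the
composition s.exp(x) of the functions applied to x since the last constant
assignment is described by a single offset."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple, Union

Val = Dict[str, int]   # s.val: latest constant assigned to each variable
Exp = Dict[str, int]   # s.exp: offset composed onto that constant since then


@dataclass(frozen=True)
class SymState:
    lc: str                           # s.lc: current location
    val: Tuple[Tuple[str, int], ...]  # s.val, stored sorted so states hash/compare
    exp: Tuple[Tuple[str, int], ...]  # s.exp, same representation

    @staticmethod
    def make(lc: str, val: Val, exp: Exp) -> "SymState":
        return SymState(lc, tuple(sorted(val.items())), tuple(sorted(exp.items())))

    def vals(self) -> Val:
        return dict(self.val)

    def exps(self) -> Exp:
        return dict(self.exp)


def step(s: SymState, dst: str, kind: str, x: str, arg: Union[int, str]) -> SymState:
    """Apply one TD edge s.lc -> dst of one of the three allowed forms."""
    val, exp = s.vals(), s.exps()
    if kind == "const":           # x := c   (restarts the composition for x)
        val[x], exp[x] = int(arg), 0
    elif kind == "copy":          # x := y   (x inherits y's constant and composition)
        val[x], exp[x] = val[str(arg)], exp[str(arg)]
    elif kind == "fun":           # x := x + k   (composes one more increment onto x)
        exp[x] += int(arg)
    else:
        raise ValueError(f"unknown transition kind {kind!r}")
    return SymState.make(dst, val, exp)


def act_state(s: SymState) -> Tuple[str, Val]:
    """act_state(s) = (s.lc, h) with h(x) = s.exp(x)(s.val(x))."""
    val, exp = s.vals(), s.exps()
    return s.lc, {x: val[x] + exp[x] for x in val}


@dataclass(frozen=True)
class Pred:
    """Atomic predicate  var + offset  op  rhs;  rhs is an int or a parameter name."""
    var: str
    offset: int
    op: str
    rhs: Union[int, str]

    def __str__(self) -> str:
        return f"{self.var} + {self.offset} {self.op} {self.rhs}"


# A template (p, f): f renames p's variable xi to some yi; the empty dict is fid.
Template = Tuple[Pred, Dict[str, str]]


def instantiate(p: Pred, f: Dict[str, str], s: SymState) -> Pred:
    """(p(xi), xi -> yi)_s = p[s.exp(yi)/xi][xi/yi].

    Here s.exp(yi) is 'yi + n', so substituting it for xi and renaming yi back
    to xi leaves p's variable in place and adds n to its offset."""
    yi = f.get(p.var, p.var)
    return replace(p, offset=p.offset + s.exps()[yi])


def equiv0(s: SymState, t: SymState, ptemplates: Dict[str, List[Template]]) -> bool:
    """s ≡_0 t iff s.lc = t.lc, s.val = t.val and every template of the location
    instantiates to equivalent formulas in s and t.  Instantiated predicates are
    in a canonical form (one variable, one offset), so syntactic equality is
    exactly equivalence under the implicit universal quantifier over the free
    variables: x + a < c and x + b < c agree for every x and c only if a = b."""
    if s.lc != t.lc or s.val != t.val:
        return False
    return all(instantiate(p, f, s) == instantiate(p, f, t)
               for p, f in ptemplates.get(s.lc, []))


if __name__ == "__main__":
    # Constructed data following slide 12: p is x1 < c, s.exp(x1) = x1+1, s.exp(x2) = x2+2.
    p = Pred("x1", 0, "<", "c")
    s = SymState.make("q", {"x1": 0, "x2": 0, "x3": 0}, {"x1": 1, "x2": 2, "x3": 0})
    print("(p, x1 -> x2)_s =", instantiate(p, {"x1": "x2"}, s))
    templates = {"q": [(p, {}), (p, {"x1": "x2"})]}
    # t differs from s only in x3, which no template at q mentions: s ≡_0 t although
    # act_state(s) != act_state(t); u differs in x1, which p constrains: not ≡_0.
    t = step(s, "q", "fun", "x3", 7)
    u = step(s, "q", "fun", "x1", 1)
    print("s ≡_0 t:", equiv0(s, t, templates), " s ≡_0 u:", equiv0(s, u, templates))
```

The point the main block makes is the one the bisimulation is for: s and t have different actual states, yet no template at their location can tell them apart, so ≡_0 merges them in the quotient, while a difference in a variable that a template constrains keeps the states separate.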

13
Theorem 1: ≡_0 is a bisimulation on the symbolic state graph Sym_Reach(G, u).
  • Proof idea
  • Assume s0 ≡_0 t0 at location q0, and let the transition q0 → q1 labelled x := f(x) lead to s1 and t1 respectively; take (p, fid) ∈ ptemplates(q1)
  • In this case, (p, fid) ∈ ptemplates(q0) as well
  • so we have (p, fid)_s0 ⇔ (p, fid)_t0

14
Theorem 1 (continued)
  • Now we show (p, fid)_s1 ⇔ (p, fid)_t1:
  • (p, fid)_s0 ⇔ (p, fid)_t0
  • ⇒ ∀x: P(s0.exp(x)) ⇔ P(t0.exp(x))
  • ⇒ ∀x: P(s0.exp(f(x))) ⇔ P(t0.exp(f(x)))
  • ⇒ ∀x: P(f(s0.exp(x))) ⇔ P(f(t0.exp(x)))   (by commutation)
  • ⇒ ∀x: P(s1.exp(x)) ⇔ P(t1.exp(x))
15
Extension of Bisimulation ≡_0
  • If (p, f) ∈ ptemplates(q), we require (p, f)_s ⇔ (p, f)_t even in the case shown in the figure
  • Not necessary: the requirement is only needed when this path is feasible for these two states
(Figure: TD fragment in which the paths marked X are infeasible for the two states compared.)
16
Bisimulation ≡_k
(Figure: states s, s_{i-k} and s_i, with a feasible path of length k leading to a state where the predicate P(x) is checked.)
  • Only in this case do we require (p, f)_s ⇔ (p, f)_t

17
≡_k
  • In ≡_k, we require a conditional equivalence
  • Lemma: ≡_k ⊆ ≡_{k+1}
  • but ≡_{k+1} needs more computation

18
Example of a TD for which ≡_0 ≠ ≡_1
  • any two states of the form (q1, (0, 0), (x1 c ? 0, x2 c ? 0)) are bisimilar w.r.t. ≡_1

19
Experiment Results
20
Circular Queue
21
Sliding Window
22
Conclusion and future work
  • Defined a non-decreasing chain of bisimulations ≡_0 ⊆ ≡_1 ⊆ …
  • Can be used for a class of infinite-state systems
  • ≡_k can be checked on-the-fly
  • Need to investigate how to combine it with static analysis