On Symmetries and Spotlights – Verifying Parameterised Systems

Timm, Nils; Wehrheim, Heike

doi:10.1007/978-3-642-16901-4_35

Cited by 8 publications

(7 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some approaches avoid it by syntactically disallowing such predicates, e.g. [19], whose authors don't discuss, however, the reasons for (or, indeed, the consequences of) doing so. In other work, "algorithmic circumstances" may make the treatment of such predicates unnecessary.…”

Section: Related Work and Conclusionmentioning

confidence: 99%

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs

Donaldson

Kaiser

Kroening

et al. 2011

Computer Aided Verification

View full text Add to dashboard Cite

Predicate abstraction is a key enabling technology for applying finitestate model checkers to programs written in mainstream languages. It has been used very successfully for debugging sequential system-level C code. Although model checking was originally designed for analyzing concurrent systems, there is little evidence of fruitful applications of predicate abstraction to shared-variable concurrent software. The goal of this paper is to close this gap. We have developed a symmetry-aware predicate abstraction strategy: it takes into account the replicated structure of C programs that consist of many threads executing the same procedure, and generates a Boolean program template whose multithreaded execution soundly overapproximates the concurrent C program. State explosion during model checking parallel instantiations of this template can now be absorbed by exploiting symmetry. We have implemented our method in the SATABS predicate abstraction framework, and demonstrate its superior performance over alternative approaches on a large range of synchronization programs. IntroductionConcurrent software model checking is one of the most challenging problems facing the verification community today. Not only does software generally suffer from data state explosion. Concurrent software in particular is susceptible to state explosion due to the need to track arbitrary thread interleavings, whose number grows exponentially with the number of executing threads.Predicate abstraction [1] was introduced as a way of dealing with data state explosion: the program state is approximated via the values of a finite number of predicates over the program variables. Predicate abstraction turns C programs into finite-state Boolean programs [2], which can be model checked. Since insufficiently many predicates can cause spurious verification results, predicate abstraction is typically embedded into a counterexample-guided abstraction refinement (CEGAR) framework [3]. The feasibility of the overall approach has been convincingly demonstrated for sequential software by the success of the SLAM project at Microsoft, which was able to discover numerous control-dominated errors in low-level operating system code [4].The majority of concurrent software is written using mainstream APIs such as POSIX threads (pthreads) in C/C++, or using a combination of language and library support, such as the Thread class, Runnable interface and synchronized construct in Java. Typically, multiple threads are spawned -up front or dynamically, in response to varying system load levels -to execute a given procedure in parallel, communicating via shared global variables. For such shared-variable concurrent programs, predicate abstraction success stories similar to that of SLAM are few and far between. The bottleneck is the exponential dependence of the generated state space on the number of running threads, which, if not addressed, permits exhaustive exploration of such programs only for trivial thread counts. The key to obtaining scalability is to exploit the symm...

show abstract

Section: Related Work and Conclusionmentioning

confidence: 99%

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs

Donaldson

Kaiser

Kroening

et al. 2011

Computer Aided Verification

View full text Add to dashboard Cite

show abstract

“…We verified a number of multiple-resource allocation systems that satisfied the properties (t) as well as systems that violated the properties (f ). Moreover, we compared the performance of verification with the classical spotlight approach (which has proven to be successful for fixed-sized systems [5] and simple parameterised systems [7]) and with our extended shade clustering approach. An excerpt of the results is shown below.…”

Section: Resultsmentioning

confidence: 99%

“…In [7] we showed that for a KS K corresponding to an instantiation Sys n1,...,nk of a class-wise symmetric system, all classsensitive permutations σ are symmetries, and we proved that for each CTL formula ψ(pid 1 1 , ..., pid 1 d1 , . .…”

Section: Exploiting Symmetrymentioning

confidence: 97%

“…In certain cases, this allows to map the infinite state spaces of parameterised systems to finite abstractions that can be verified. In [7] we showed that spotlight abstraction can be combined with symmetry reduction in order to construct three-valued abstractions for the verification of class-wise symmetric parameterised systems -consisting of an unbounded number of processes that can be divided into a finite number of classes of homogeneous processes. The basic idea is that an unbounded number of homogenous processes in the shade can be summarised by a single approximative component as well.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Spotlight Abstraction with Shade Clustering -- Automatic Verification of Parameterised Systems

Timm

2014

2014 Theoretical Aspects of Software Engineering Conference

Self Cite

View full text Add to dashboard Cite

Parameterised verification is concerned with checking global properties of systems composed of an arbitrary number of processes. An approach to this undecidable problem is combining symmetry arguments with spotlight abstraction. This allows to construct small models of systems on which the properties can be checked. Spotlight abstraction partitions the systems processes into a spotlight and a shade. Shade processes are summarised into a single approximative component and the loss of information is modelled by a third truth value unknown. Thus, a verification run may also return unknown, which does not allow to draw any conclusions whether the property holds or not.Here we introduce an extension of spotlight abstraction called shade clustering, which allows to divide the shade into multiple approximative components and thus to preserve more definite information under abstraction. Finding suitable clusters is not straightforward. Moreover, an inadequate clustering can lead to an unnecessary explosion of the abstract state space. Therefore, we present an automatic abstraction refinement framework for verifying parameterised systems. Based on abstract counterexamples, refinement is iteratively performed by either adding new predicates, shifting processes from the shade to the spotlight, or building appropriate shade clusters. Experimental results show that our shade clustering-based approach can significantly speed up parameterised verification.

show abstract

“…Some approaches disallow such predicates, e.g. [28], whose authors do not discuss, however, the reasons for (or consequences of) doing so. Another approach nondeterministically resets global variables that may be affected by an operation [6], taking away the mixed flavour from certain predicates.…”

Section: Related Workmentioning

confidence: 99%

Counterexample-guided abstraction refinement for symmetric concurrent programs

Donaldson

Kaiser

Kroening

et al. 2012

Form Methods Syst Des

View full text Add to dashboard Cite

Predicate abstraction and counterexample-guided abstraction refinement (CE-GAR) have enabled finite-state model checking of software written in mainstream programming languages. This combination of techniques has been successful in analysing systemlevel sequential C code. In contrast, there is little evidence of fruitful applications of CE-GAR to shared-variable concurrent software. We attribute this gap to the lack of abstraction strategies that permit a scalable analysis of the resulting multi-threaded Boolean programs. The goal of this paper is to close this gap. We have developed a symmetry-aware CEGAR technique: it takes into account the replicated structure of programs that consist of many threads executing the same procedure, and generates a Boolean program template whose multi-threaded execution soundly overapproximates the original concurrent program. State explosion during model checking parallel instantiations of this template can now be absorbed by exploiting symmetry. We have implemented our method in a tool, SYMMPA, and Supported by EPSRC projects EP/G026254/1 and EP/G051100/1 and ERC project 280053. 26Form Methods Syst Des (2012) 41:25-44 demonstrate its superior performance over alternative approaches on a range of synchronisation programs.

show abstract

On Symmetries and Spotlights – Verifying Parameterised Systems

Cited by 8 publications

References 16 publications

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs

Spotlight Abstraction with Shade Clustering -- Automatic Verification of Parameterised Systems

Counterexample-guided abstraction refinement for symmetric concurrent programs

Contact Info

Product

Resources

About