Liveness with Counter Abstraction
DESCRIPTION
Liveness with Counter Abstraction. Amir Pnueli, Jessie Xu and Lenore Zuck. The Problem: the Parameterized Verification Problem. Given a system and a property f, does S(N) satisfy f for every N? Lesson from Experience …
TRANSCRIPT
Liveness with Counter Abstraction
Amir Pnueli, Jessie Xu and Lenore Zuck
Liveness with Counter Abstraction
Pnueli, Xu, Zuck
The Problem
The Parameterized Verification Problem
Given a system and a property f,
does S(N) satisfy f for every N?
where
Lesson from Experience…
In order to verify a reactive system:
• If it is finite state – model check it
• If it is infinite – verify it deductively
But abstraction makes it all simpler!
Data Abstraction
Verifying that an infinite-state system S satisfies a property f using abstraction:
• abstract the system into a simpler finite-state system that admits more behaviors
• abstract the property to an abstract property
• model check the abstract system with respect to the abstract property
• conclude that the concrete system satisfies the concrete property
Counter Abstraction
Assumptions on the concrete system:
• the control variable of processes ranges over 0,…,L
• the shared variables are y_1,…,y_b
• there are no local variables
The variables of the counter abstracted system are K_0,…,K_L : {0,1,2} and Y_1,…,Y_b, where
• K_l = 0 if no process is in control location l
• K_l = 1 if there is exactly one process in control location l
• K_l = 2 if there are at least two processes in control location l
A Toy Example: Mutex
where
Fairness requirements:
Justice:
Compassion:
A Toy Example: Mutex
Safety property – mutual exclusion:
Liveness property – individual accessibility (true only with fairness):
where
A Toy Example: Mutex
A Toy Example: Mutex
Concrete safety property – mutual exclusion:
Abstract safety property – mutual exclusion:
Safety follows trivially!
Mutex after Counter Abstraction (graphical representation)
Abstracting the Justice Requirement
From the concrete justice requirement we can obtain the abstract requirement, since if a process is not in control location 2 it is either in control location 0 or 1.
Verifying Liveness in Mutex
Unfortunately, the abstract justice requirement doesn't discard any states, so any liveness property that is not valid for Mutex without justice cannot be proven in this abstract system.
Strengthening Justice Requirements
Conclusion: we need to derive more/stronger fairness requirements.
How? We provide 4 guidelines (in two slides…)
Strengthening Justice Requirements
If the concrete system contains the justice
then we can safely add the abstract justice
Why?
• suppose a state satisfies
• then there exists exactly one process, say i, in location
• the process i violates its justice requirement
• to fulfill it, it must exit location l sometime in the future
• when it exits l, must hold, since another process cannot enter location l (execute a transition) at the same step
Strengthening Justice Requirements
is a condition on shared variables
leads only to
emerges from
Strengthening Justice for Mutex
From the concrete justice and the concrete compassion we can conclude the concrete justice
Strengthening Justice for Mutex
Automatically obtained
Verifying Liveness using Counter Abstraction
Counter abstraction does not allow us to observe the behavior of an individual process; thus we cannot verify the liveness property of individual accessibility.
We can, however, verify the liveness property of communal accessibility (livelock freedom), which is abstracted to
Verifying Liveness
Model Checking [LP85]
• Extract from the state-transition graph the sub-graph of pending states. A pending state is any state which is reachable from a p-state by a q-free path.
• Show that the extracted sub-graph contains no infinite fair path: decompose the sub-graph into maximal SCCs and show that each of them violates some fairness requirement.
Verifying communal accessibility for Mutex
To establish we have to remove all states that are not on a q-free path reachable from a p-state.
Verifying communal accessibility for Mutex
Each maximal SCC (each node) violates the abstract justice. Hence communal accessibility holds!
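As an added illustration (not the authors' code), the three-location mutex from the slides under (0,1,2)-counter abstraction, with the abstract mutual-exclusion check and the [LP85] pending-states/SCC check for communal accessibility K_1>0 ⇒ ◇K_2>0. The concrete process program (0→1; 1→2 when the semaphore Y is 1, setting Y:=0; 2→0 setting Y:=1), the initial abstract state, and the exact forms of the two abstract justice requirements are assumptions, since the transcript does not reproduce the slide formulas; the check fails with only the weak justice and passes once the strengthened one derived from compassion is added.

```python
from typing import Callable, List, Set, Tuple
State = Tuple[int, int, int, int]            # (K0, K1, K2, Y): location counters + semaphore
def inc(k: int) -> Set[int]:                 # one more process enters location l
    return {min(k + 1, 2)}
def dec(k: int) -> Set[int]:                 # one process leaves location l;
    return {1, 2} if k == 2 else {0}         # '2' means ">= 2", so it may stay 2

def successors(s: State) -> Set[State]:
    """Abstract mutex moves (assumed program): 0->1; 1->2 if Y==1, Y:=0; 2->0, Y:=1."""
    k0, k1, k2, y = s
    out: Set[State] = set()
    if k0 > 0:
        out |= {(a, b, k2, y) for a in dec(k0) for b in inc(k1)}
    if k1 > 0 and y == 1:
        out |= {(k0, a, b, 0) for a in dec(k1) for b in inc(k2)}
    if k2 > 0:
        out |= {(a, k1, b, 1) for a in inc(k0) for b in dec(k2)}
    return out

def reach(start: Set[State], edges: Callable[[State], Set[State]]) -> Set[State]:
    seen, todo = set(start), list(start)     # plain DFS closure over `edges`
    while todo:
        for t in edges(todo.pop()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen
STATES = reach({(2, 0, 0, 1)}, successors)   # assumed initial state: N >= 2 idle processes, Y = 1

def mutual_exclusion() -> bool:              # abstract safety: K2 never reaches 2
    return all(s[2] < 2 for s in STATES)

# Abstract justice requirements: each must hold infinitely often on a fair run.
def J_EXIT_CRIT(s: State) -> bool:           # strengthened form of concrete "not at_2[i]"
    return s[2] != 1
def J_ACQUIRE(s: State) -> bool:             # assumed form derived from the compassion on 1->2
    return not (s[1] > 0 and s[3] == 1)

def communal_accessibility(justice: List[Callable[[State], bool]]) -> bool:
    """[LP85] check of K1>0 => <>K2>0 over the pending states (reachable from a p-state
    by a q-free path): holds iff every maximal SCC carrying an infinite path violates some J."""
    p, q = (lambda s: s[1] > 0), (lambda s: s[2] > 0)
    pending = reach({s for s in STATES if p(s) and not q(s)},
                    lambda s: {t for t in successors(s) if not q(t)})
    fwd = {s: reach(successors(s) & pending, lambda u: successors(u) & pending)
           for s in pending}                 # states reachable from s in >= 1 step
    for s in pending:
        if s not in fwd[s]:                  # s is on no cycle: no infinite path via s
            continue
        scc = {u for u in fwd[s] if s in fwd[u]}
        if not any(all(not J(u) for u in scc) for J in justice):
            return False                     # some SCC satisfies every J: a fair loop
    return True
```

The only cycle in the pending sub-graph is the self-loop on (K0,K1,K2,Y) = (2,2,0,1), where processes keep moving 0→1 forever; it satisfies the weak justice but violates the strengthened one, which is exactly why the slide needs stronger fairness.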
Counter Abstraction Save One
To prove individual accessibility:
• Counter abstract all the processes except one
• Model check that the abstract system composed with one concrete process satisfies the liveness property for the concrete process
Counter Abstraction Save One - Mutex
Graphical representation of Mutex under counter abstraction save one
Counter Abstraction Save One - Mutex
Considering the compassion requirement, and the fact that no state satisfies, we can remove all states satisfying
Counter Abstraction Save One - Mutex
Each maximal SCC (each node) violates the abstract justice. Hence individual accessibility holds!
Adding Compassion requirements
Consider program TERMINATE and the liveness property
The abstracted liveness property is
The counter abstraction of the program is
Adding Compassion requirements
From the concrete justice we obtain the abstract justice
The computation can stay forever in which violates the liveness property!
Adding Compassion requirements
Augment the system with two auxiliary variables and
For each transition
If set
Else set
Add to the concrete compassion
Counter abstract the augmented system
For every justice requirement include the abstract requirement
Verifying Liveness for TERMINATE
The transition graph for augmented TERMINATE
Abstract compassion obtained from abstract justice using
Hence the liveness property holds!
Success with Counter Abstraction
• Szymanski’s mutual exclusion algorithm
• The Bakery Algorithm (shared variables are unbounded)
• Probabilistic mutual exclusion protocol