Content uploaded by Dominik Klumpp
Author content
All content in this area was uploaded by Dominik Klumpp on Oct 01, 2022
Content may be subject to copyright.
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] ∼y+=A[j] x+=A[i]
⇒equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=l∨c=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] ∼y+=A[j] x+=A[i]
⇒equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=l∨c=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] ∼y+=A[j] x+=A[i]
⇒equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=l∨c=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] ∼y+=A[j] x+=A[i]
⇒equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=l∨c=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] ∼y+=A[j] x+=A[i]
⇒equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=l∨c=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] ∼y+=A[j] x+=A[i]
⇒equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=l∨c=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
▶qualitatively: need quantified / nonlinear / . . . assertions
▶quantitatively: need many distinct proof assertions
⇝reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
⇝compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
▶qualitatively: need quantified / nonlinear / . . . assertions
▶quantitatively: need many distinct proof assertions
⇝reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
⇝compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
▶qualitatively: need quantified / nonlinear / . . . assertions
▶quantitatively: need many distinct proof assertions
⇝reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
⇝compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
▶qualitatively: need quantified / nonlinear / . . . assertions
▶quantitatively: need many distinct proof assertions
⇝reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
⇝compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
▶qualitatively: need quantified / nonlinear / . . . assertions
▶quantitatively: need many distinct proof assertions
⇝reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
⇝compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
▶qualitatively: need quantified / nonlinear / . . . assertions
▶quantitatively: need many distinct proof assertions
⇝reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
⇝compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Evaluation
Implemented in Ultimate GemCutter software model checker
Evaluated on SV-COMP’21 benchmarks and benchmarks of Weaver tool
200 400 600 800 1,000 1,200
10
100
4
900
CPU time (s)
Automizer GemCutter
200 400 600 800 1,000 1,200
1,000
200
8,000
Memory (MB)
analyzed 50 more programs using significantly less time (≈50 %), memory (≈27 %),
and refinement rounds (≈64 %)
7
Characterizing Reductions
Preference orders characterize choice of reduction
▶order interleavings from most preferred (smallest) to least preferred (greatest)
▶keep only most preferred representative per equivalence class
redI
⪯(P) := {min⪯[τ]∼I|τ∈P}
▶independent of commutativity
▶same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
▶order interleavings from most preferred (smallest) to least preferred (greatest)
▶keep only most preferred representative per equivalence class
redI
⪯(P) := {min⪯[τ]∼I|τ∈P}
▶independent of commutativity
▶same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
▶order interleavings from most preferred (smallest) to least preferred (greatest)
▶keep only most preferred representative per equivalence class
redI
⪯(P) := {min⪯[τ]∼I|τ∈P}
▶independent of commutativity
▶same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
▶order interleavings from most preferred (smallest) to least preferred (greatest)
▶keep only most preferred representative per equivalence class
redI
⪯(P) := {min⪯[τ]∼I|τ∈P}
▶independent of commutativity
▶same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
▶order interleavings from most preferred (smallest) to least preferred (greatest)
▶keep only most preferred representative per equivalence class
redI
⪯(P) := {min⪯[τ]∼I|τ∈P}
▶independent of commutativity
▶same scheme of preference order applies to different programs
12
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
▶finite representation as control flow graphs
constructed using variant of sleep set technique
▶no redundant interleavings: proofs not unnecessarily complex
▶compact representation
through weakly persistent membranes
▶linear-size representation in the best case
→More on preference orders in Marcel’s talk
13
Commutativity
Statements st1and st2commute
iff
neither statement writes a variable accessed by the other
(“disjoint” variable accesses)
for all programs and wrt. all properties
Formally: read(st1)∩write(st2) = write(st1)∩read(st2) = write(st1)∩write(st2) = ∅
abstract irrelevant details preserve relevant details
15
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
⪯(P)⊆ L(Π)
Pis correct
▶commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
▶How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
⪯(P)⊆ L(Π)
Pis correct
▶commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
▶How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
⪯(P)⊆ L(Π) Isafe wrt. Π
Pis correct
▶commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
▶How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
⪯(P)⊆ L(Π) Isafe wrt. Π
Pis correct
▶commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
▶How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
⪯(P)⊆ L(Π) Isafe wrt. Π
Pis correct
▶commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
▶How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
⪯(P)⊆ L(Π) Isafe wrt. Π
Pis correct
▶commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
▶How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity
Abstraction:
▶reads of irrelevant variables ⇝nondeterministic values
▶assignment to irrelevant variables ⇝nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y”
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity
Abstraction:
▶reads of irrelevant variables ⇝nondeterministic values
▶assignment to irrelevant variables ⇝nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y”
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity
Abstraction:
▶reads of irrelevant variables ⇝nondeterministic values
▶assignment to irrelevant variables ⇝nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y”
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity
Abstraction:
▶reads of irrelevant variables ⇝nondeterministic values
▶assignment to irrelevant variables ⇝nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y”
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity
Abstraction:
▶reads of irrelevant variables ⇝nondeterministic values
▶assignment to irrelevant variables ⇝nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y”
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity
Abstraction:
▶reads of irrelevant variables ⇝nondeterministic values
▶assignment to irrelevant variables ⇝nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y”
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
▶often allows additional commutativity
▶abstraction easy to compute
Limitations:
▶theoretically: may lose commutativity
▶practically: introduces quantifiers
Generally: abstract commutativity ⊉concrete commutativity
Solution: combine abstract with concrete commutativity
20
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1∼Iατ2∼ICτ3
(1) abstract (2) concrete
proven correct
⇒
Combination through new proof rule:
redIα,IC
⪯(P)⊆ L(Π) Iαsafe wrt. Π
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1∼Iατ2∼ICτ3
(1) abstract (2) concrete
proven correct
⇒
Combination through new proof rule:
redIα,IC
⪯(P)⊆ L(Π) Iαsafe wrt. Π
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1∼Iατ2∼ICτ3
(1) abstract (2) concrete
proven correct
⇒
Combination through new proof rule:
redIα,IC
⪯(P)⊆ L(Π) Iαsafe wrt. Π
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1∼Iατ2∼ICτ3
(1) abstract (2) concrete
proven correct
⇒
Combination through new proof rule:
redI1,...,In
⪯(P)⊆ L(Π) I1, . . . , Insafe wrt. ΠI1⋑. . . ⋑In
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1∼Iατ2∼ICτ3
(1) abstract (2) concrete
proven correct
⇒
Combination through new proof rule:
redI1,...,In
⪯(P)⊆ L(Π) I1, . . . , Insafe wrt. ΠI1⋑. . . ⋑In
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
▶influences both proof simplicity and proof check efficiency
▶trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
▶automatically computed and safe wrt. a proof
▶e.g. derived from safe abstractions
▶new proof rule and algorithm combine commutativity relations
Questions?
24
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
▶influences both proof simplicity and proof check efficiency
▶trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
▶automatically computed and safe wrt. a proof
▶e.g. derived from safe abstractions
▶new proof rule and algorithm combine commutativity relations
Questions?
24
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
▶influences both proof simplicity and proof check efficiency
▶trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
▶automatically computed and safe wrt. a proof
▶e.g. derived from safe abstractions
▶new proof rule and algorithm combine commutativity relations
Questions?
24
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
▶influences both proof simplicity and proof check efficiency
▶trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
▶automatically computed and safe wrt. a proof
▶e.g. derived from safe abstractions
▶new proof rule and algorithm combine commutativity relations
Questions?
24