PresentationPDF Available

Commutativity in Concurrent Program Verification

Authors:

Abstract

Commutativity-based reasoning has significant benefits for algorithmic verification of concurrent programs: Verifying only a reduction, i.e., a representative subset of interleavings, can simplify proofs, and allow for compact program representations that enable efficient proof checking. Reductions are defined by two key parameters: the notion of commutativity, and the choice of representatives. In this talk, I present our theoretical and practical results on how the choice of these parameters impacts the verification.
Commutativity in Concurrent Program Verification
Dominik Klumpp
klumpp@informatik.uni-freiburg.de
University of Freiburg
joint work with: Azadeh Farzan (University of Toronto)
Andreas Podelski (University of Freiburg)
Marcel Ebbinghaus (University of Freiburg)
AVM 2022
1
Example Program
{x=y=i=j= 0 }
w h i l e (i<n) {
x+= A[i];
i++;
}
w h i l e (j<n) {
y+= A[j];
j++;
}
{x=y}
2
Naïve Sequentialization
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
3
Naïve Sequentialization
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
3
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=lc=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=lc=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=lc=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=lc=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=lc=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Commutativity-Based Equivalence
Many statements commute: execution order does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
equivalence between program interleavings
Extension: proof-sensitive commutativity
Example: B[k]:=c commutes with B[l]:=d if proof guarantees k=lc=d
Typical Cases: aliasing, conditional updates (CAS), blocking statements (locks)
Key Property: Correct traces only equivalent to correct traces.
Reduction
One representative trace for each equivalence class
4
Naïve Sequentialization
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
5
Reduction I
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
5
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
qualitatively: need quantified / nonlinear / . . . assertions
quantitatively: need many distinct proof assertions
reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
qualitatively: need quantified / nonlinear / . . . assertions
quantitatively: need many distinct proof assertions
reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
qualitatively: need quantified / nonlinear / . . . assertions
quantitatively: need many distinct proof assertions
reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
qualitatively: need quantified / nonlinear / . . . assertions
quantitatively: need many distinct proof assertions
reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
qualitatively: need quantified / nonlinear / . . . assertions
quantitatively: need many distinct proof assertions
reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Algorithmic Verification of Reductions
Iteratively construct Floyd/Hoare-style proof of program
complex proofs to cover all interleavings
qualitatively: need quantified / nonlinear / . . . assertions
quantitatively: need many distinct proof assertions
reduction may have simpler proof
exponential proof checking to show that proof covers all interleavings
compactly represent reductions
[1] Ebbinghaus. Tight Integration of Partial Order Reduction into Trace Abstraction Refinement. BSc Thesis
[2] Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski. Ultimate GemCutter and the
Axes of Generalization - (Competition Contribution). TACAS 2022
6
Evaluation
Implemented in Ultimate GemCutter software model checker
Evaluated on SV-COMP’21 benchmarks and benchmarks of Weaver tool
200 400 600 800 1,000 1,200
10
100
4
900
CPU time (s)
Automizer GemCutter
200 400 600 800 1,000 1,200
1,000
200
8,000
Memory (MB)
analyzed 50 more programs using significantly less time (50 %), memory (27 %),
and refinement rounds (64 %)
7
Reductions
Reduction: One representative trace for each equivalence class
redI
(P)
program to be verified
commutativity relation I
defines equivalence classes
preference order
selects representatives for each equivalence class
8
Reductions
Reduction: One representative trace for each equivalence class
redI
(P)
program to be verified
commutativity relation I
defines equivalence classes
preference order
selects representatives for each equivalence class
8
Reductions
Reduction: One representative trace for each equivalence class
redI
(P)
program to be verified
commutativity relation I
defines equivalence classes
preference order
selects representatives for each equivalence class
8
Reductions
Reduction: One representative trace for each equivalence class
redI
(P)
program to be verified
commutativity relation I
defines equivalence classes
preference order
selects representatives for each equivalence class
8
Reductions
Reduction: One representative trace for each equivalence class
redI
(P)
program to be verified
commutativity relation I
defines equivalence classes
preference order
selects representatives for each equivalence class
8
Preference Orders
Selecting the right representatives
[3] Farzan, Klumpp and Podelski. Sound sequentialization for concurrent program verification. PLDI 2022
9
Reduction I
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
10
Reduction I
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
10
Reduction II
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
11
Reduction II
i<n
x+=A[i]
i++
x+=A[i]
i++
j<n y+=A[j]
j++
j<n
y+=A[j]
j>=n
j>=n
j>=n
i<nx+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
Counterexample:
τ=i<n x+=A[i] j<n y+=A[j] i++ j++ i>=n j>=n
x=
i
P
k=0
A[k]y=
j
P
k=0
A[k]injn
x=yi=jx=yjnx =yin
x=
i
P
k=0
A[k]iny= 0 j= 0 x=
n
P
k=0
A[k]y=
j
P
k=0
A[k]jn
11
Characterizing Reductions
Preference orders characterize choice of reduction
order interleavings from most preferred (smallest) to least preferred (greatest)
keep only most preferred representative per equivalence class
redI
(P) := {min[τ]I|τP}
independent of commutativity
same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
order interleavings from most preferred (smallest) to least preferred (greatest)
keep only most preferred representative per equivalence class
redI
(P) := {min[τ]I|τP}
independent of commutativity
same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
order interleavings from most preferred (smallest) to least preferred (greatest)
keep only most preferred representative per equivalence class
redI
(P) := {min[τ]I|τP}
independent of commutativity
same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
order interleavings from most preferred (smallest) to least preferred (greatest)
keep only most preferred representative per equivalence class
redI
(P) := {min[τ]I|τP}
independent of commutativity
same scheme of preference order applies to different programs
12
Characterizing Reductions
Preference orders characterize choice of reduction
order interleavings from most preferred (smallest) to least preferred (greatest)
keep only most preferred representative per equivalence class
redI
(P) := {min[τ]I|τP}
independent of commutativity
same scheme of preference order applies to different programs
12
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Positional Lexicographic Preference Orders
Algorithmic construction of reductions using techniques from partial order reduction:
finite representation as control flow graphs
constructed using variant of sleep set technique
no redundant interleavings: proofs not unnecessarily complex
compact representation
through weakly persistent membranes
linear-size representation in the best case
More on preference orders in Marcel’s talk
13
Commutativity Relations
at different abstraction levels
[work in progress; presented at Commute workshop @ PLDI’22]
14
Commutativity
Statements st1and st2commute
iff
neither statement writes a variable accessed by the other
(“disjoint” variable accesses)
for all programs and wrt. all properties
Formally: read(st1)write(st2) = write(st1)read(st2) = write(st1)write(st2) =
abstract irrelevant details preserve relevant details
15
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves exactly like st2st1)
for all programs and wrt. all properties
Formally: read(st1)write(st2) = write(st1)read(st2) = write(st1)write(st2) =
abstract irrelevant details preserve relevant details
15
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves exactly like st2st1)
for all programs and wrt. all properties
Formally: Jst1st2K=Jst2st1K
abstract irrelevant details preserve relevant details
15
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves exactly like st2st1)
for all programs and wrt. all properties
Formally: Jst1st2K=Jst2st1K
abstract irrelevant details preserve relevant details
16
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves similar enough to st2st1)
for a given program and property
Formally: Jst1st2K=Jst2st1K
abstract irrelevant details preserve relevant details
16
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves similar enough to st2st1)
for a given program and property
Formally: Jst1st2K=Jst2st1K
abstract irrelevant details preserve relevant details
16
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves similar enough to st2st1)
for a given program and property
Formally: Jst1st2K=Jst2st1K
abstract irrelevant details preserve relevant details
16
Commutativity
Statements st1and st2commute
iff
the order of execution does not matter
(st1st2behaves similar enough to st2st1)
for a given (partial) proof
Formally: Jst1st2K=Jst2st1K
abstract irrelevant details preserve relevant details
16
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
(P) L(Π)
Pis correct
commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
(P) L(Π)
Pis correct
commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
(P) L(Π) Isafe wrt. Π
Pis correct
commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
(P) L(Π) Isafe wrt. Π
Pis correct
commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
(P) L(Π) Isafe wrt. Π
Pis correct
commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Commutativity
Let Πbe a proof (a set of Hoare triples).
redI
(P) L(Π) Isafe wrt. Π
Pis correct
commutativity ICbased on (concrete) semantics: safe wrt. all proofs Π
How to get safe commutativity for a particular proof Π?
traces proven correct by Πtraces proven correct by Π
traces in L(Π)
only equivalent to
correct traces
17
Safe Abstraction
Let α:Stmt Stmt.
Iα:= {(st1, st2)|Jα(st1)α(st2)K=Jα(st2)α(st1)K}
Theorem (Safety)
If αsatisfies
abstraction: JstKJα(st)Kfor all st
preservation: {φ}α(st){ψ}is valid, for all {φ}st{ψ} Π
then Iαis safe wrt. Π.
18
Safe Abstraction
Let α:Stmt Stmt.
Iα:= {(st1, st2)|Jα(st1)α(st2)K=Jα(st2)α(st1)K}
Theorem (Safety)
If αsatisfies
abstraction: JstKJα(st)Kfor all st
preservation: {φ}α(st){ψ}is valid, for all {φ}st{ψ} Π
then Iαis safe wrt. Π.
18
Safe Abstraction
Let α:Stmt Stmt.
Iα:= {(st1, st2)|Jα(st1)α(st2)K=Jα(st2)α(st1)K}
Theorem (Safety)
If αsatisfies
abstraction: JstKJα(st)Kfor all st
preservation: {φ}α(st){ψ}is valid, for all {φ}st{ψ} Π
then Iαis safe wrt. Π.
18
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof Ignore xwhen determining commutativity
Abstraction:
reads of irrelevant variables nondeterministic values
assignment to irrelevant variables nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof Ignore xwhen determining commutativity
Abstraction:
reads of irrelevant variables nondeterministic values
assignment to irrelevant variables nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof Ignore xwhen determining commutativity
Abstraction:
reads of irrelevant variables nondeterministic values
assignment to irrelevant variables nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof Ignore xwhen determining commutativity
Abstraction:
reads of irrelevant variables nondeterministic values
assignment to irrelevant variables nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof Ignore xwhen determining commutativity
Abstraction:
reads of irrelevant variables nondeterministic values
assignment to irrelevant variables nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Idea: Variable xdoes not occur in the proof Ignore xwhen determining commutativity
Abstraction:
reads of irrelevant variables nondeterministic values
assignment to irrelevant variables nondeterministic assignment (havoc)
Example
Let Π = {⊤} y:=x+x {y= 1}. Then
αΠ(y:=x+x ) : “assign yto some even value (nondet.)”
αΠ(x:=0 ) : “do not change y
Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).
19
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Instance: Projection to the Proof
Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).
Advantages:
often allows additional commutativity
abstraction easy to compute
Limitations:
theoretically: may lose commutativity
practically: introduces quantifiers
Generally: abstract commutativity concrete commutativity
Solution: combine abstract with concrete commutativity
20
Combining Commutativity Relations
Observation: Union of safe commutativity relations may be unsafe!
Example:
precondition:
postcondition: z= 2
proof Π:{⊤} x:=1 {⊤} x==1;z:=1 {⊤} x==2;z:=2 {z= 2}
x:=1 x==1;z:=1 x==2;z:=2 ICx:=1 x==2;z:=2 x==1;z:=1
Iαx==2;z:=2 x:=1 x==1;z:=1
21
Combining Commutativity Relations
Observation: Union of safe commutativity relations may be unsafe!
Example:
precondition:
postcondition: z= 2
proof Π:{⊤} x:=1 {⊤} x==1;z:=1 {⊤} x==2;z:=2 {z= 2}
x:=1 x==1;z:=1 x==2;z:=2 ICx:=1 x==2;z:=2 x==1;z:=1
Iαx==2;z:=2 x:=1 x==1;z:=1
21
Combining Commutativity Relations
Observation: Union of safe commutativity relations may be unsafe!
Example:
precondition:
postcondition: z= 2
proof Π:{⊤} x:=1 {⊤} x==1;z:=1 {⊤} x==2;z:=2 {z= 2}
x:=1 x==1;z:=1 x==2;z:=2
ICx:=1 x==2;z:=2 x==1;z:=1
Iαx==2;z:=2 x:=1 x==1;z:=1
21
Combining Commutativity Relations
Observation: Union of safe commutativity relations may be unsafe!
Example:
precondition:
postcondition: z= 2
proof Π:{⊤} x:=1 {⊤} x==1;z:=1 {⊤} x==2;z:=2 {z= 2}
x:=1 x==1;z:=1 x==2;z:=2 ICx:=1 x==2;z:=2 x==1;z:=1
Iαx==2;z:=2 x:=1 x==1;z:=1
21
Combining Commutativity Relations
Observation: Union of safe commutativity relations may be unsafe!
Example:
precondition:
postcondition: z= 2
proof Π:{⊤} x:=1 {⊤} x==1;z:=1 {⊤} x==2;z:=2 {z= 2}
x:=1 x==1;z:=1 x==2;z:=2 ICx:=1 x==2;z:=2 x==1;z:=1
Iαx==2;z:=2 x:=1 x==1;z:=1
21
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1Iατ2ICτ3
(1) abstract (2) concrete
proven correct
Combination through new proof rule:
redIα,IC
(P) L(Π) Iαsafe wrt. Π
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1Iατ2ICτ3
(1) abstract (2) concrete
proven correct
Combination through new proof rule:
redIα,IC
(P) L(Π) Iαsafe wrt. Π
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1Iατ2ICτ3
(1) abstract (2) concrete
proven correct
Combination through new proof rule:
redIα,IC
(P) L(Π) Iαsafe wrt. Π
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1Iατ2ICτ3
(1) abstract (2) concrete
proven correct
Combination through new proof rule:
redI1,...,In
(P) L(Π) I1, . . . , Insafe wrt. ΠI1. . . In
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Combining Commutativity Relations
Idea: Sequentially combine commutativity relations
τ1Iατ2ICτ3
(1) abstract (2) concrete
proven correct
Combination through new proof rule:
redI1,...,In
(P) L(Π) I1, . . . , Insafe wrt. ΠI1. . . In
Pis correct
New partial order reduction algorithm for ncommutativity relations
“more abstract than”
22
Conclusion
23
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
influences both proof simplicity and proof check efficiency
trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
automatically computed and safe wrt. a proof
e.g. derived from safe abstractions
new proof rule and algorithm combine commutativity relations
Questions?
24
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
influences both proof simplicity and proof check efficiency
trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
automatically computed and safe wrt. a proof
e.g. derived from safe abstractions
new proof rule and algorithm combine commutativity relations
Questions?
24
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
influences both proof simplicity and proof check efficiency
trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
automatically computed and safe wrt. a proof
e.g. derived from safe abstractions
new proof rule and algorithm combine commutativity relations
Questions?
24
Summary
In algorithmic verification, commutativity-based reductions can simplify proofs and allow
efficient proof checking.
Preference Orders: Selection of representatives in reduction
influences both proof simplicity and proof check efficiency
trade-off between both aspects
Commutativity Relations: Determines notion of equivalence
automatically computed and safe wrt. a proof
e.g. derived from safe abstractions
new proof rule and algorithm combine commutativity relations
Questions?
24
ResearchGate has not been able to resolve any citations for this publication.
ResearchGate has not been able to resolve any references for this publication.