Content uploaded by Dominik Klumpp on Mar 04, 2023

Algorithmic Verification of Reductions

Iteratively construct a Floyd/Hoare-style proof of the program.

Complex proofs are needed to cover all interleavings:
▶ qualitatively: quantified / nonlinear / ... assertions are needed
▶ quantitatively: many distinct proof assertions are needed
⇝ a reduction may have a simpler proof

Proof checking is exponential when showing that the proof covers all interleavings
⇝ compactly represent reductions


Reductions

Reduction: one representative trace for each equivalence class

$$\mathit{red}_I^{\preceq}(P)$$

▶ $P$: the program to be verified
▶ $I$: the commutativity relation; it defines the equivalence classes
▶ $\preceq$: the preference order [1]; it selects the representative of each equivalence class

[1] Farzan, Klumpp and Podelski. Sound sequentialization for concurrent program verification. PLDI 2022


Contributions

1. Framework for safe abstract commutativity relations
   ▶ safe by construction
   ▶ abstraction driven by the proof
2. Stratified commutativity proof rule: combine commutativity relations
   ▶ applicable in many settings
   ▶ subsumes the individual commutativity relations
3. Variation of stratified commutativity amenable to algorithmic verification
   ▶ decision algorithm based on partial order reduction


Commutativity

Statements $st_1$ and $st_2$ commute iff neither statement writes a variable accessed by the other ("disjoint" variable accesses). This holds for all programs and with respect to all properties.

Formally: $\mathit{read}(st_1) \cap \mathit{write}(st_2) = \mathit{write}(st_1) \cap \mathit{read}(st_2) = \mathit{write}(st_1) \cap \mathit{write}(st_2) = \emptyset$

Abstraction: abstract irrelevant details, preserve relevant details.


Safe Commutativity

Let $\Pi$ be a proof (a set of Hoare triples).

$$\frac{\mathit{red}_I^{\preceq}(P) \subseteq L(\Pi) \qquad I \text{ safe wrt. } \Pi}{P \text{ is correct}}$$

▶ commutativity $I_C$ based on (concrete) semantics: safe wrt. all proofs $\Pi$
▶ How to get safe commutativity for a particular proof $\Pi$?

[Figure: the traces proven correct by $\Pi$; the traces in $L(\Pi)$ are only equivalent to correct traces]


Instance: Projection to the Proof

Idea: If variable $x$ does not occur in the proof, ignore $x$ when determining commutativity.

Abstraction:
▶ reads of irrelevant variables ⇝ nondeterministic values
▶ assignments to irrelevant variables ⇝ nondeterministic assignment (havoc)

Example

Let $\Pi = \{\top\}\ y := x + x\ \{y = 1\}$. Then
  $\alpha_\Pi(y := x + x)$: "assign some nondet. even value to $y$"
  $\alpha_\Pi(x := 0)$: "assign some nondet. value to $x$"
Now $\alpha_\Pi(y := x + x)$ commutes with $\alpha_\Pi(x := 0)$.
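The abstraction on this slide, worked through in code. This is an added example, not the authors' code or tool: statements carry syntactic read/write sets, the proof Π is given as a list of (precondition, statement, postcondition) strings, and α_Π keeps only the reads of variables that occur in Π while turning assignments to other variables into havocs. The check is purely syntactic, so the "even" refinement the slide mentions is not tracked; the second proof PI_WITH_X is constructed to show that the extra commutativity disappears as soon as the proof mentions x.

```python
"""Projection to the proof, as on the 'Instance: Projection to the Proof' slide.
Added example, not the authors' code. Assumption: the abstraction is checked
syntactically on read/write sets, so the 'even' refinement is not tracked."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

IDENT = re.compile(r"[A-Za-z_]\w*")
KEYWORDS = {"true", "false"}  # logical constants, not program variables


@dataclass(frozen=True)
class Stmt:
    text: str
    read: FrozenSet[str]
    write: FrozenSet[str]


def proof_variables(pi: Iterable[Tuple[str, str, str]]) -> FrozenSet[str]:
    """Variables occurring in any pre- or postcondition of the proof Pi."""
    found = set()
    for pre, _stmt, post in pi:
        for formula in (pre, post):
            found.update(v for v in IDENT.findall(formula) if v not in KEYWORDS)
    return frozenset(found)


def project_to_proof(st: Stmt, proof_vars: FrozenSet[str]) -> Stmt:
    """alpha_Pi(st): a read of an irrelevant variable yields a nondeterministic
    value, so it leaves the read set; an assignment to an irrelevant variable
    becomes a havoc, which still writes the variable."""
    if st.write - proof_vars:
        text = "havoc " + ", ".join(sorted(st.write - proof_vars))
    elif st.read - proof_vars:
        text = "assign some nondet. value to " + ", ".join(sorted(st.write))
    else:
        text = st.text
    return Stmt(text, st.read & proof_vars, st.write)


def commute(s: Stmt, t: Stmt) -> bool:
    """The Commutativity slide's rule:
    read(s)∩write(t) = write(s)∩read(t) = write(s)∩write(t) = ∅."""
    return not (s.read & t.write or s.write & t.read or s.write & t.write)


def commute_under_proof(s: Stmt, t: Stmt, pi) -> bool:
    """Commutativity of the abstracted statements alpha_Pi(s) and alpha_Pi(t)."""
    vars_pi = proof_variables(pi)
    return commute(project_to_proof(s, vars_pi), project_to_proof(t, vars_pi))


# The slide's example, encoded as constructed data.
Y_ASSIGN = Stmt("y := x + x", frozenset({"x"}), frozenset({"y"}))
X_ZERO = Stmt("x := 0", frozenset(), frozenset({"x"}))
PI = [("true", "y := x + x", "y == 1")]           # Pi = {T} y := x + x {y = 1}
PI_WITH_X = [("x == 0", "y := x + x", "y == 0")]  # constructed: a proof that mentions x

if __name__ == "__main__":
    vars_pi = proof_variables(PI)
    print("concrete:", commute(Y_ASSIGN, X_ZERO))  # False: x is written by one, read by the other
    print("abstracted:", project_to_proof(Y_ASSIGN, vars_pi).text, "|",
          project_to_proof(X_ZERO, vars_pi).text)
    print("under Pi:", commute_under_proof(Y_ASSIGN, X_ZERO, PI))  # True
    print("under a proof mentioning x:", commute_under_proof(Y_ASSIGN, X_ZERO, PI_WITH_X))  # False
```

The write set is deliberately left intact by `project_to_proof`: a havoc is still a write, which is what makes two havocs of the same variable fail the syntactic check and is one way the slide's "may lose commutativity" limitation shows up.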


Instance: Projection to the Proof

Proposition: Projection to the proof is safe (it satisfies abstraction and preservation).

Empirical observation: Projection to the proof significantly improves verification, especially for light-weight properties (e.g. memory safety).

Advantages:
▶ often allows additional commutativity
▶ abstraction easy to compute

Limitations:
▶ theoretically: may lose commutativity
▶ practically: introduces quantifiers

Generally: abstract commutativity ⊉ concrete commutativity
Solution: combine abstract with concrete commutativity


Stratified Commutativity Relations

Idea: Sequentially combine commutativity relations.

[Figure: $\tau_1 \sim_{I_\alpha} \tau_2 \sim_{I_C} \tau_3$, where step (1) is abstract and step (2) is concrete; $\tau_3$ proven correct ⇒]

Combination through a new proof rule:

$$\frac{P \subseteq \mathit{cl}_{I_n}(\dots \mathit{cl}_{I_1}(\Pi) \dots) \qquad I_1, \dots, I_n \text{ safe wrt. } \Pi \qquad I_1 \Supset \dots \Supset I_n}{P \text{ is correct}}$$

where $\mathit{cl}_I(X)$ is the set of traces equivalent (under $I$) to some trace in $X$, and $I \Supset I'$ reads "$I$ is more abstract than $I'$".
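One executable model of the objects on the Reductions, Commutativity, Safe Commutativity and Stratified Commutativity slides. This is an added example, not the authors' code or the tool behind the slides. Everything concrete in it is constructed: a two-thread program (thread 1: `a: x := x + 1; b: y := x + x`, thread 2: `c: x := x + 2; d: x := x + 3`), a proof that only mentions `y`, a hand-written table recording that increments of `x` commute under concrete semantics, and a set `PROVEN` standing in for the traces Π proves directly. With these inputs the script computes the reduction red_I^⪯(P) under each relation (lexicographic order on statement names plays the preference order ⪯), and then shows that neither cl_{I_C} nor cl_{I_α} alone covers all interleavings from `PROVEN` while the stratified closure cl_{I_C}(cl_{I_α}(Π)) does, and that applying the relations in the opposite order does not.

```python
"""Reductions, closures and the stratified proof rule on a toy program.
Added example, not the authors' code: the program, the proof's variable set
{y}, the semantically-commuting pairs and the 'proven' trace set are constructed."""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

Trace = Tuple[str, ...]
Commutes = Callable[[str, str], bool]

# Constructed program with two threads of straight-line code:
#   thread 1:  a: x := x + 1    b: y := x + x
#   thread 2:  c: x := x + 2    d: x := x + 3
STMTS: Dict[str, dict] = {
    "a": dict(thread=1, read={"x"}, write={"x"}),
    "b": dict(thread=1, read={"x"}, write={"y"}),
    "c": dict(thread=2, read={"x"}, write={"x"}),
    "d": dict(thread=2, read={"x"}, write={"x"}),
}
THREADS: List[Tuple[str, ...]] = [("a", "b"), ("c", "d")]
# Constructed table for the concrete relation I_C: increments of the same
# variable commute semantically although the syntactic rule rejects them.
SEMANTIC_COMMUTING = {frozenset(p) for p in (("a", "c"), ("a", "d"), ("c", "d"))}


def interleavings(threads: Sequence[Tuple[str, ...]]) -> Set[Trace]:
    """All traces of P: interleavings that respect each thread's program order."""
    if not any(threads):
        return {()}
    traces: Set[Trace] = set()
    for i, t in enumerate(threads):
        if t:
            rest = list(threads)
            rest[i] = t[1:]
            traces |= {(t[0],) + tr for tr in interleavings(rest)}
    return traces


def disjoint_accesses(s: str, t: str, proof_vars: Optional[FrozenSet[str]] = None) -> bool:
    """The Commutativity slide's rule. With proof_vars given, reads of variables
    outside the proof are dropped first (projection to the proof)."""
    r1, w1 = STMTS[s]["read"], STMTS[s]["write"]
    r2, w2 = STMTS[t]["read"], STMTS[t]["write"]
    if proof_vars is not None:
        r1, r2 = r1 & proof_vars, r2 & proof_vars
    return not (r1 & w2 or w1 & r2 or w1 & w2)


def different_threads(s: str, t: str) -> bool:
    return STMTS[s]["thread"] != STMTS[t]["thread"]  # program order is never reordered


def concrete_commutes(s: str, t: str) -> bool:
    """I_C: commutativity based on concrete semantics."""
    return different_threads(s, t) and (
        disjoint_accesses(s, t) or frozenset((s, t)) in SEMANTIC_COMMUTING)


def projected_commutes(proof_vars: FrozenSet[str]) -> Commutes:
    """I_alpha: projection to the proof, checked syntactically on the abstracted
    statements. A havoc still writes x, so the increment pairs are lost here
    (the 'may lose commutativity' limitation)."""
    return lambda s, t: different_threads(s, t) and disjoint_accesses(s, t, proof_vars)


def closure(traces: Set[Trace], commutes: Commutes) -> Set[Trace]:
    """cl_I(X): traces equivalent to some trace in X, i.e. reachable by
    repeatedly swapping adjacent commuting statements."""
    seen, queue = set(traces), deque(traces)
    while queue:
        tr = queue.popleft()
        for i in range(len(tr) - 1):
            if commutes(tr[i], tr[i + 1]):
                swapped = tr[:i] + (tr[i + 1], tr[i]) + tr[i + 2:]
                if swapped not in seen:
                    seen.add(swapped)
                    queue.append(swapped)
    return seen


def reduction(traces: Set[Trace], commutes: Commutes) -> Set[Trace]:
    """red_I^⪯(P): one representative per equivalence class; lexicographic order
    on statement names stands in for the preference order ⪯."""
    remaining, representatives = set(traces), set()
    while remaining:
        cls = closure({min(remaining)}, commutes) & traces
        representatives.add(min(cls))
        remaining -= cls
    return representatives


def stratified_closure(proven: Set[Trace], relations: Sequence[Commutes]) -> Set[Trace]:
    """cl_{I_n}(... cl_{I_1}(Pi) ...): relations are applied innermost first,
    i.e. from the most abstract I_1 to the most concrete I_n."""
    covered = set(proven)
    for commutes in relations:
        covered = closure(covered, commutes)
    return covered


P = interleavings(THREADS)
I_C = concrete_commutes
I_ALPHA = projected_commutes(frozenset({"y"}))  # the proof only talks about y
PROVEN: Set[Trace] = {("a", "b", "c", "d")}     # constructed: the trace Pi proves directly

if __name__ == "__main__":
    print(len(P), "interleavings; red_{I_C} =", sorted(reduction(P, I_C)),
          "; red_{I_alpha} =", sorted(reduction(P, I_ALPHA)))
    for name, rels in (("I_C", [I_C]), ("I_alpha", [I_ALPHA]), ("stratified", [I_ALPHA, I_C])):
        print(f"{name}: covers {len(stratified_closure(PROVEN, rels) & P)} of {len(P)} traces")
```

The order of the relations matters exactly as the side condition I_1 ⋑ … ⋑ I_n says: the abstract relation must be applied innermost. Here cl_{I_α}({abcd}) reaches three traces, cl_{I_C} of those reaches all six, whereas cl_{I_C}({abcd}) on its own is just {abcd} and a subsequent cl_{I_α} stays at three.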

Summary

In algorithmic verification, commutativity-based reductions can simplify proofs and allow efficient proof checking.

Commutativity relations: determine the notion of equivalence
▶ automatically computed and safe wrt. a proof
▶ e.g. derived from safe abstractions
▶ may have incomparable strengths and weaknesses

Stratified commutativity: combination of multiple commutativity relations
▶ new proof rule for the sound combination of commutativity relations
▶ decidable variant of the proof rule (analogous to the single-relation case)

Questions?
