All content in this area was uploaded by Dominik Klumpp on Jan 17, 2024

Content may be subject to copyright.

Verifying Parameterized Programs: Ghost State

Φ ≡ for all thread IDs i ∈ {1, …, n}, it holds that φ(V_global, V_local[i], ℓ_i)

Problem: incomplete (not every correct program has an invariant of this form)

Solution: ghost state

▶ add fresh "ghost" variables to the program

▶ updated, but not used by the computation

▶ used in the invariant

Types of ghost variables:

▶ tailored to program and property: ✗ difficult to synthesize

▶ history variables: ✗ undecidable reasoning

▶ local state of (boundedly many) other threads: ✗ incomplete

5

Verifying Parameterized Programs: Example

Traces of parameterized program P = (T, V_locals, V_globals), where the thread template T executes x:=x+1 followed by x:=x-1 (the listed traces are prefixes of interleavings of n copies of T):

Traces(P) = ⋃_{n∈ℕ} Traces(P(n))

= { x:=x+1 x:=x-1,

x:=x+1 x:=x+1 x:=x-1,

x:=x+1 x:=x+1 x:=x-1 x:=x+1 x:=x-1,

x:=x+1 x:=x+1 x:=x+1 x:=x-1 x:=x+1 x:=x-1 x:=x-1,

… }

⇝ no thread-modular proof exists without ghost state

6

Commutativity

Many statements commute: execution order does not matter

x:=x+1 x:=x-1 ∼ x:=x-1 x:=x+1

⇒ equivalence between program traces [1]

Key Property

If one trace is correct, all equivalent traces are also correct.

Reduction: one representative trace for each equivalence class

▶ Correctness of the reduction ⇒ correctness of the program

[1] Mazurkiewicz. Trace Theory. 1987

7

Commutativity Simpliﬁes Proofs of Parameterized Programs

Reduction of parameterized program P = (T, V_locals, V_globals):

red(P) = { x:=x+1 x:=x-1,

x:=x+1 x:=x-1 x:=x+1,

x:=x+1 x:=x-1 x:=x+1 x:=x-1 x:=x+1,

x:=x+1 x:=x-1 x:=x+1 x:=x-1 x:=x+1 x:=x+1 x:=x-1,

… }

= ⋃_{n∈ℕ} Traces(T[1]; …; T[n])

⇝ simple invariant for the reduced program:

for all thread IDs i, it holds that (ℓ_i = ℓ⊖ → x ≥ 0) ∧ (ℓ_i = ℓ⊕ → x ≥ 1)

8
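
The following is an added worked example for the commutativity and reduction slides above; it is not code from the slides or from the authors' tool. It takes the thread template T as read off the traces (x:=x+1 then x:=x-1), treats the trace set as prefix-closed, and chooses one concrete preference order, "lower thread ID first", so that the representative of each Mazurkiewicz class is the lexicographically least equivalent word. Commutativity of statements is checked by sampling (exact for +1/-1, not a proof in general). It shows that equivalent traces end in the same state (the Key Property), that the reduction of P(3) has 27 representatives instead of 271 traces, and that the per-thread candidate invariant from the reduced-program slide is not inductive for the original P(2): thread 1 may decrement after thread 2 has incremented, which the reduction excludes because that interleaving is normalized to "t1 inc, t1 dec, t2 inc". How the paper encodes the reduction into the thread template (sleep sets, as the evaluation table suggests) is not reproduced here; the final location of a thread is treated like ℓ⊖, which is an assumption.

```python
"""Commutativity-based reduction of the inc/dec parameterized program (added example).

Thread template T, read off the slides (locations l_minus / l_plus):
    l_minus: x := x + 1   -> l_plus
    l_plus:  x := x - 1   -> end (treated like l_minus; assumption)
P(n) runs n copies of T on the shared variable x, initially 0.
Assumptions: prefix-closed trace sets; preference order = thread ID.
"""
from itertools import product

TEMPLATE = ("inc", "dec")                      # statements of T in program order
SEMANTICS = {"inc": lambda x: x + 1, "dec": lambda x: x - 1}
L_MINUS, L_PLUS, L_END = 0, 1, 2               # control locations of one thread

def independent(a, b, sample=range(-3, 4)):
    """Statements commute if both orders agree on every sampled state.
    Exact for +1/-1; in general commutativity must be proved, not sampled."""
    return all(SEMANTICS[a](SEMANTICS[b](x)) == SEMANTICS[b](SEMANTICS[a](x))
               for x in sample)

def independent_events(e, f):
    """Events are (thread_id, stmt); events of one thread keep program order."""
    return e[0] != f[0] and independent(e[1], f[1])

def traces(n):
    """Prefix-closed trace set of P(n): all interleavings of n copies of T."""
    result = set()
    def extend(prefix, pcs):
        result.add(prefix)
        for i, pc in enumerate(pcs):
            if pc < len(TEMPLATE):
                extend(prefix + ((i + 1, TEMPLATE[pc]),),
                       pcs[:i] + (pc + 1,) + pcs[i + 1:])
    extend((), (L_MINUS,) * n)
    return result

def representative(trace):
    """Lexicographic normal form of the Mazurkiewicz class of `trace`: greedily
    emit the smallest (by thread ID) event with no pending dependent predecessor."""
    remaining = list(enumerate(trace))          # (position in trace, event)
    out = []
    while remaining:
        ready = [(pos, ev) for pos, ev in remaining
                 if all(independent_events(prev, ev)
                        for p, prev in remaining if p < pos)]
        pos, ev = min(ready, key=lambda pe: (pe[1][0], pe[0]))
        remaining.remove((pos, ev))
        out.append(ev)
    return tuple(out)

def reduction(n):
    """red(P(n)): one representative per equivalence class."""
    return {representative(t) for t in traces(n)}

def final_state(trace, n):
    """Run a trace from x = 0; return (x, control location of every thread)."""
    x, pcs = 0, [L_MINUS] * n
    for tid, stmt in trace:
        x = SEMANTICS[stmt](x)
        pcs[tid - 1] += 1
    return x, tuple(pcs)

def safe(trace, n):
    """Property x >= 0 on the final state; prefix closure covers every reachable state."""
    return final_state(trace, n)[0] >= 0

def key_property_holds(n):
    """Equivalent traces end in the same state, so checking representatives suffices."""
    return all(final_state(t, n) == final_state(representative(t), n)
               for t in traces(n))

def phi_slide8(x, pc):
    """Per-thread assertion of the candidate invariant: (l_minus -> x >= 0) and (l_plus -> x >= 1)."""
    return x >= 1 if pc == L_PLUS else x >= 0

def ashcroft_counterexample(n, phi, xs=range(-2, 4)):
    """Is 'for all threads i: phi(x, loc_i)' inductive for the ORIGINAL P(n)?
    Returns (state, event, successor) that leaves the invariant, or None (x bounded to xs)."""
    for x, pcs in product(xs, product((L_MINUS, L_PLUS, L_END), repeat=n)):
        if not all(phi(x, pc) for pc in pcs):
            continue
        for i, pc in enumerate(pcs):
            if pc < len(TEMPLATE):
                x2 = SEMANTICS[TEMPLATE[pc]](x)
                pcs2 = pcs[:i] + (pc + 1,) + pcs[i + 1:]
                if not all(phi(x2, q) for q in pcs2):
                    return (x, pcs), (i + 1, TEMPLATE[pc]), (x2, pcs2)
    return None

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"P({n}): {len(traces(n))} traces -> {len(reduction(n))} representatives,"
              f" reduction safe: {all(safe(t, n) for t in reduction(n))}")
    print("slide-8 invariant not inductive for original P(2):",
          ashcroft_counterexample(2, phi_slide8))
```

The state returned by ashcroft_counterexample, x = 1 with both threads at ℓ⊕, is not reachable, but the thread-modular invariant cannot exclude it because φ speaks about one thread's location at a time; that is the incompleteness the ghost-state slide refers to. Under the thread-ID reduction no thread steps after a higher-numbered thread has stepped, so the offending transition is simply not part of red(P).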

Evaluation

Proof of concept: apply thread-modular verification at many levels [2] to reduced programs

▶ translation to constrained Horn clauses (CHC)

Evaluation: 19 benchmarks (custom & from the literature), all of them correct programs

Results:

▶ original programs: 4× proven, 11× no proof exists, 4× timeout

▶ reduced programs: 14× proven, 0× no proof exists, 5× timeout

[2] Hoenicke, Majumdar and Podelski. Thread modularity at many levels. POPL 2017

10

Contributions

Extension of commutativity-based reductions to parameterized programs

1. Encoding of reductions through program transformation of the thread template

2. Large class of reductions through pairwise preference orders

3. Characterization of ghost state simplification using Ashcroft invariants

4. Application in thread-modular verification at many levels: translation to CHC

5. Symmetry-breaking CHC translation for efficiency

11

Future Work

▶ Ashcroft invariants must encode the reduction

  ▶ insufficient expressiveness: does this also hold for other kinds of proofs?

  ▶ practical challenge for the CHC solver: separate the reduction from the data?

▶ Abstract and stratified commutativity for parameterized programs

▶ General theory of reductions over infinite alphabets

13

Evaluation Results

Status: sat = proof found, unsat = no proof exists, TO = timeout (no CPU time reported). The counts on the Evaluation slide are those of the "no reduction" and "explicit-sleep" columns.

                                 no reduction          symbolic-sleep        explicit-sleep
Program                     k    status   CPU (s)      status   CPU (s)      status   CPU (s)
add-sub-nondet              2    unsat       20.5      sat       416.0      sat        74.5
add-sub-positive-nondet     2    unsat       51.1      sat      1590.0      sat       144.0
bluetooth                   2    unsat        6.5      TO           –       sat       532.5
equalsum-ghost              2    TO            –       TO           –       TO           –
inc-bdec                    2    unsat        5.8      sat        76.3      sat        51.3
inc-dec-eq0-locked-assert   2    sat         59.6      TO           –       sat       726.0
inc-dec-eq0-locked          2    unsat      110.0      TO           –       TO           –
inc-dec-eq0                 2    unsat        8.9      sat       112.0      sat        24.7
inc-dec-geq0                2    unsat        4.3      sat         5.8      sat         5.7
line-queue                  2    TO            –       TO           –       TO           –
lock                        1    sat          4.0      sat         4.6      sat         4.7
mutex-3                     2    unsat        5.2      sat         5.3      sat         4.5
mutex-4                     2    unsat        3.5      sat         5.6      sat         4.3
mutex-5                     2    unsat        4.5      sat         5.3      sat         4.0
mutex-unbounded             2    unsat        4.5      sat         6.6      sat         4.2
notify-listeners            1    TO            –       TO           –       sat       379.0
numbered-array              2    sat          4.0      sat         5.8      sat         5.4
thread-pooling              2    TO            –       TO           –       TO           –
ticket                      2    sat        332.0      TO           –       TO           –

14