403 research outputs found
Distributed graph-based state space generation
LTSMIN provides a framework in which state space generation can be distributed easily over many cores on a single compute node, as well as over multiple compute nodes. The tool works on the basis of a vector representation of the states; the individual cores are assigned the task of computing all successors of states that are sent to them. In this paper we show how this framework can be applied in the case where states are essentially graphs interpreted up to isomorphism, such as the ones we have been studying for GROOVE. This involves developing a suitable vector representation for a canonical form of those graphs. The canonical forms are computed using a third tool called BLISS. We combined the three tools to form a system for distributed state space generation based on graph grammars. We show that the time performance of the resulting system scales well (i.e., close to linear) with the number of cores. We also report surprising statistics on the memory\ud
consumption, which imply that the vector representation used to store graphs in LTSMIN is more compact than the representation used in GROOVE
Verification of Shared-Reading Synchronisers
Synchronisation classes are an important building block for shared memory
concurrent programs. Thus to reason about such programs, it is important to be
able to verify the implementation of these synchronisation classes, considering
atomic operations as the synchronisation primitives on which the
implementations are built. For synchronisation classes controlling exclusive
access to a shared resource, such as locks, a technique has been proposed to
reason about their behaviour. This paper proposes a technique to verify
implementations of both exclusive access and shared-reading synchronisers. We
use permission-based Separation Logic to describe the behaviour of the main
atomic operations, and the basis for our technique is formed by a specification
for class AtomicInteger, which is commonly used to implement synchronisation
classes in java.util.concurrent. To demonstrate the applicability of our
approach, we mechanically verify the implementation of various synchronisation
classes like Semaphore, CountDownLatch and Lock.Comment: In Proceedings MeTRiD 2018, arXiv:1806.0933
Verifying Parallel Loops with Separation Logic
This paper proposes a technique to specify and verify whether a loop can be
parallelised. Our approach can be used as an additional step in a parallelising
compiler to verify user annotations about loop dependences. Essentially, our
technique requires each loop iteration to be specified with the locations it
will read and write. From the loop iteration specifications, the loop
(in)dependences can be derived. Moreover, the loop iteration specifications
also reveal where synchronisation is needed in the parallelised program. The
loop iteration specifications can be verified using permission-based separation
logic.Comment: In Proceedings PLACES 2014, arXiv:1406.331
Future-based Static Analysis of Message Passing Programs
Message passing is widely used in industry to develop programs consisting of
several distributed communicating components. Developing functionally correct
message passing software is very challenging due to the concurrent nature of
message exchanges. Nonetheless, many safety-critical applications rely on the
message passing paradigm, including air traffic control systems and emergency
services, which makes proving their correctness crucial. We focus on the
modular verification of MPI programs by statically verifying concrete Java
code. We use separation logic to reason about local correctness and define
abstractions of the communication protocol in the process algebra used by
mCRL2. We call these abstractions futures as they predict how components will
interact during program execution. We establish a provable link between futures
and program code and analyse the abstract futures via model checking to prove
global correctness. Finally, we verify a leader election protocol to
demonstrate our approach.Comment: In Proceedings PLACES 2016, arXiv:1606.0540
Distributed Branching Bisimulation Minimization by Inductive Signatures
We present a new distributed algorithm for state space minimization modulo
branching bisimulation. Like its predecessor it uses signatures for refinement,
but the refinement process and the signatures have been optimized to exploit
the fact that the input graph contains no tau-loops.
The optimization in the refinement process is meant to reduce both the number
of iterations needed and the memory requirements. In the former case we cannot
prove that there is an improvement, but our experiments show that in many cases
the number of iterations is smaller. In the latter case, we can prove that the
worst case memory use of the new algorithm is linear in the size of the state
space, whereas the old algorithm has a quadratic upper bound.
The paper includes a proof of correctness of the new algorithm and the
results of a number of experiments that compare the performance of the old and
the new algorithms
Bridging the Gap between Enumerative and Symbolic Model Checkers
We present a method to perform symbolic state space generation for languages with existing enumerative state generators. The method is largely independent from the chosen modelling language. We validated this on three different types of languages and tools: state-based languages (PROMELA), action-based process algebras (muCRL, mCRL2), and discrete abstractions of ODEs (Maple).\ud
Only little information about the combinatorial structure of the\ud
underlying model checking problem need to be provided. The key enabling data structure is the "PINS" dependency matrix. Moreover, it can be provided gradually (more precise information yield better results).\ud
\ud
Second, in addition to symbolic reachability, the same PINS matrix contains enough information to enable new optimizations in state space generation (transition caching), again independent from the chosen modelling language. We have also based existing optimizations, like (recursive) state collapsing, on top of PINS and hint at how to support partial order reduction techniques.\ud
\ud
Third, PINS allows interfacing of existing state generators to, e.g., distributed reachability tools. Thus, besides the stated novelties, the method we propose also significantly reduces the complexity of building modular yet still efficient model checking tools.\ud
\ud
Our experiments show that we can match or even outperform existing tools by reusing their own state generators, which we have linked into an implementation of our ideas
Lifting infinite normal form definitions from term rewriting to term graph rewriting
Infinite normal forms are a way of giving semantics to non-terminating rewrite systems. The notion is a generalization of the Boehm tree in the lambda calculus. It was first introduced in [AB97] to provide semantics for a lambda calculus on terms with letrec. In that paper infinite normal forms were defined directly on the graph rewrit e system. In [Blo01] the framework was improved by defining the infinite normal form of a term graph using the infinite normal form on terms. This approach of lifting the definition makes the non-confluence problems introduced into term graph rewriting by substitution rules much easier to deal with. In this paper, we give a simplified presentation of the latter approach
Witnessing the elimination of magic wands
This paper discusses static verification of programs that have been specified using separation logic with magic wands. Magic wands are used to specify incomplete resources in separation logic, i.e., if missing resources are provided, a magic wand allows one to exchange these for the completed resources. One of the applications of the magic wand operator is to describe loop invariants for algorithms that traverse a data structure, such as the imperative version of the tree delete problem (Challenge 3 from the VerifyThis@FM2012 Program Verification Competition), which is the motivating example for our work.\ud
\ud
Most separation logic based static verification tools do not provide support for magic wands, possibly because validity of formulas containing the magic wand is, by itself, undecidable. To avoid this problem, in our approach the program annotator has to provide a witness for the magic wand, thus circumventing undecidability due to the use of magic wands. A witness is an object that encodes both instructions for the permission exchange that is specified by the magic wand and the extra resources needed during that exchange. We show how this witness information is used to encode a specification with magic wands as a specification without magic wands. Concretely, this approach is used in the VerCors tool set: annotated Java programs are encoded as Chalice programs. Chalice then further translates the program to BoogiePL, where appropriate proof obligations are generated. Besides our encoding of magic wands, we also discuss the encoding of other aspects of annotated Java programs into Chalice, and in particular, the encoding of abstract predicates with permission parameters. We illustrate our approach on the tree delete algorithm, and on the verification of an iterator of a linked list
Witnessing the elimination of magic wands
This paper discusses the use and verification of magic wands. Magic wands are used to specify incomplete resources in separation logic, i.e., if missing resources are provided, a magic wand allows one to exchange these for the completed resources. We show how the magic wand operator is suitable to describe loop invariants for algorithms that traverse a data structure, such as the imperative version of the tree delete problem (Challenge 3 from the VerifyThis@FM2012 Program Verification Competition). Most separation-logic-based verification tools do not provide support for magic wands, possibly because validity of formulas containing the magic wand is, by itself, undecidable. To avoid this problem, in our approach the program annotator has to provide a witness for the magic wand, thus circumventing undecidability due to the use of magic wands. We show how this witness information is used to encode a specification with magic wands as a specification without magic wands. Concretely this approach is used in the VerCors tool set: annotated Java programs are encoded as Chalice programs. Chalice then further translates the program to BoogiePL, where appropriate proof obligations are generated. Besides our encoding of magic wands, we also discuss the encoding of other aspects of annotated Java programs into Chalice, and in particular, the encoding of abstract predicates with permission parameters. We illustrate our approach on the tree delete algorithm, and on the verification of an iterator of a linked list
- …