
    Light-Weight SMT-based Model Checking

    Abstract. Recently, the notion of an array-based system has been introduced as an abstraction of infinite state systems (such as mutual exclusion protocols or sorting programs) which allows for model checking of invariant (safety) and recurrence (liveness) properties by Satisfiability Modulo Theories (SMT) techniques. Unfortunately, the use of quantified first-order formulae to describe sets of states makes fix-point checking extremely expensive. In this paper, we show how invariant properties for a sub-class of array-based systems can be model-checked by a backward reachability algorithm where the length of quantifier prefixes is efficiently controlled by suitable heuristics. We also present various refinements of the reachability algorithm that allow it to be easily implemented in a client-server architecture, where a “light-weight” algorithm is the client generating proof obligations for safety and fix-point checks and an SMT solver plays the role of the server discharging the proof obligations. We also report on some encouraging preliminary experiments with a prototype implementation of our approach.

    Automatic Choreography Repair

    Choreography analysis is a crucial problem in concurrent and distributed system development. A choreography specifies the desired ordering of message exchanges among the components of a system. The realizability of a choreography amounts to determining the existence of components whose communication behavior conforms to the given choreography. Recently, the choreography realizability problem has been proved to be decidable. In this paper, we investigate the repairability of un-realizable choreographies, where the goal is to identify a set of changes to a given un-realizable choreography that will make it realizable. We present a technique for automatically repairing un-realizable choreographies and provide formal guarantees of correctness and termination. We show the viability of our technique by applying it successfully to several small but representative unrealizable choreographies from the domain of Singularity OS contracts and Web services.

    Compatibility Checking for Asynchronously Communicating Software

    Compatibility is a crucial problem that is encountered while constructing new software by reusing and composing existing components. A set of software components is called compatible if their composition preserves certain properties, such as deadlock freedom. However, checking compatibility for systems communicating asynchronously is an undecidable problem, and asynchronous communication is a common interaction mechanism used in building software systems. A typical approach in analyzing such systems is to bound the state space. In this paper, we take a different approach and do not impose any bounds on the number of participants or the sizes of the message buffers. Instead, we present a sufficient condition for checking compatibility of a set of asynchronously communicating components. Our approach relies on the synchronizability property, which identifies systems for which interaction behavior remains the same when asynchronous communication is replaced with synchronous communication. Using the synchronizability property, we can check the compatibility of systems with unbounded message buffers by analyzing only a finite part of their behavior. We have implemented a prototype tool to automate our approach and we have applied it to many examples.

    Parallel mapping and circuit partitioning heuristics based on mean field annealing

    Ankara: Department of Computer Engineering and Information Science and the Institute of Engineering and Science of Bilkent University, 1992. Thesis (Master's) -- Bilkent University, 1992. Includes bibliographical references. The Mean Field Annealing (MFA) algorithm, recently proposed for solving combinatorial optimization problems, combines the characteristics of neural networks and simulated annealing. In this thesis, MFA is formulated for the mapping problem and the circuit partitioning problem. Efficient implementation schemes, which decrease the complexity of the proposed algorithms by asymptotical factors, are also given. Performances of the proposed MFA algorithms are evaluated in comparison with two well-known heuristics: simulated annealing and Kernighan-Lin. Results of the experiments indicate that MFA can be used as an alternative heuristic for the mapping problem and the circuit partitioning problem. Inherent parallelism of the MFA is exploited by designing efficient parallel algorithms for the proposed MFA heuristics. Parallel MFA algorithms proposed for solving the circuit partitioning problem are implemented on an iPSC/2 hypercube multicomputer. Experimental results show that the proposed heuristics can be efficiently parallelized, which is crucial for algorithms that solve such computationally hard problems. Bultan, Tevfik. M.S.

    Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis

    The safety of infinite state systems can be checked by a backward reachability procedure. For certain classes of systems, it is possible to prove the termination of the procedure and hence conclude the decidability of the safety problem. Although backward reachability is property-directed, it can unnecessarily explore (large) portions of the state space of a system which are not required to verify the safety property under consideration. To avoid this, invariants can be used to dramatically prune the search space. The problem, however, is to guess such appropriate invariants. In this paper, we present a fully declarative and symbolic approach to the mechanization of backward reachability of infinite state systems manipulating arrays by Satisfiability Modulo Theories solving. Theories are used to specify the topology and the data manipulated by the system. We identify sufficient conditions on the theories to ensure the termination of backward reachability and we show the completeness of a method for invariant synthesis (obtained as the dual of backward reachability), again under suitable hypotheses on the theories. We also present a pragmatic approach to interleave invariant synthesis and backward reachability so that a fix-point for the set of backward reachable states is more easily obtained. Finally, we discuss heuristics that allow us to derive an implementation of the techniques in the model checker MCMT, showing remarkable speed-ups on a significant set of safety problems extracted from a variety of sources. Comment: Accepted for publication in Logical Methods in Computer Science.

    Land Use Effects on Climate: Current State, Recent Progress, and Emerging Topics

    As demand for food and fiber, but also for negative emissions, brings most of the Earth’s land surface under management, we aim to consolidate the scientific progress of recent years on the climatic effects of global land use change, including land management, and related land cover changes (LULCC).

    Contracting the Facebook API

    In recent years, there has been an explosive growth in the popularity of online social networks such as Facebook. In a new twist, third party developers are now able to create their own web applications which plug into Facebook and work with Facebook's "social" data, enabling the entire Facebook user base of more than 400 million active users to use such applications. These client applications can contain subtle errors that can be hard to debug if they misuse the Facebook API. In this paper we present an experience report on applying Microsoft's new code contract system for the .NET framework to the Facebook API. We wrote contracts for several classes in the Facebook API wrapper which allows Microsoft .NET developers to implement Facebook applications. We evaluated the usefulness of these contracts during implementation of a new Facebook application. Our experience indicates that having code contracts provides a better and quicker software development experience. Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330

    Land-use change emissions based on high-resolution activity data substantially lower than previously estimated

    Land-use and land-cover changes (LULCCs) contributed around one third to the cumulative, anthropogenic CO2 emissions from 1850 to 2019. Despite its great importance, estimates of the net CO2 fluxes from LULCC (ELUC) have high uncertainties compared to other components of the global carbon cycle. One major source of uncertainty is rooted in the underlying LULCC forcing data. In this study, we implemented a new high-resolution LULCC dataset (HILDA+) in a bookkeeping model (BLUE) and compared the results to estimates from simulations based on LUH2, which is the LULCC dataset most commonly used in global carbon cycle models. Compared to LUH2-based estimates, results based on HILDA+ show lower total ELUC (global mean difference 1960–2019: 541 TgC yr⁻¹, 65%) and large spatial and temporal differences in component fluxes (e.g. CO2 fluxes from deforestation). In general, the congruence of component fluxes is higher in the mid-latitudes compared to tropical and subtropical regions, which is to some degree explained by the different implementations of shifting cultivation in the underlying LULCC datasets. However, little agreement is reached on the trend of the last decade between ELUC estimates based on the two LULCC reconstructions. Globally and in many regions, ELUC estimates based on HILDA+ have decreasing trends, whereas estimates based on LUH2 indicate an increase. Furthermore, we analyzed the effect of different resolutions on ELUC estimates. By comparing estimates from simulations at 0.01° and 0.25° resolution, we find that component fluxes of estimates based on the coarser resolution tend to be larger compared to estimates based on the finer resolution, both in terms of sources and sinks (global mean difference 1960–2019: 36 TgC yr⁻¹, 96%). The reason for these differences is successive transitions: these are not adequately represented at coarser resolution, which has the effect that, despite capturing the same extent of transition areas, overall less area remains pristine at the coarser resolution compared to the finer resolution.

    Symbolic Model Checking of Infinite State Programs Using Presburger Arithmetic

    Model checking is a powerful technique for analyzing large, finite-state systems. In an infinite transition system, however, many basic properties are undecidable. In this paper we present a new symbolic model checker which conservatively evaluates safety and liveness properties on infinite-state programs. We use Presburger formulas to symbolically encode a program's transition system, as well as its model-checking computations. All fixpoint calculations are executed symbolically, and their convergence is guaranteed by using approximation techniques. We demonstrate the promise of this technology on some well-known infinite-state concurrency problems. (Also cross-referenced as UMIACS-TR-96-66.)

    Compositional Verification by Model Checking for Counter-Examples

    Many concurrent systems are required to maintain certain safety and liveness properties. One emerging method of achieving confidence in such systems is to statically verify them using "model checking". In this approach an abstract, finite-state model of the system is constructed; then an automatic check is made to ensure that the requirements are satisfied by the model. In practice, however, this method is limited by the "state space explosion problem". We have developed a compositional method that directly addresses this problem in the context of multi-tasking programs. Our solution depends on three key space-saving ingredients: (1) checking for counter-examples, which leads to simpler search algorithms; (2) automatic extraction of interfaces, which allows a refinement of the finite model -- even before its communicating partners have been compiled; and (3) using propositional "strengthening assertions" for the sole purpose of reducing state space. In this paper we present our compositional approach, and describe the software tools that support it. (Also cross-referenced as UMIACS-TR-95-98.)