Refined interfaces for compositional verification

Transcription

1 Refined interfces for compositionl verifiction Frédéric Lng INRI Rhône-lpes

2 Motivtion Enumertive verifiction of concurrent systems Prllel composition of synchronous processes Systemtic explortion of the stte/trnsition grph obtined by interleving nd synchroniztion ompositionl verifiction to pllite stte explosion Simple: reduce stte/trnsition grphs incrementlly Enhnced: use interfce constrints to void intermedite stte explosion This tlk is bout tool to build interfce constrints utomticlly 2

3 Stte/trnsition grphs Semntic model of ction-bsed processes, lso clled Lbelled Trnsition System (LTS) Trnsitions between sttes re lbelled by events Synchronizble/observble events Non-synchronizble/hidden event τ b c τ c P toolbox llows on-the-fly explortion of stte/trnsition grphs (OPEN/ESR) 3

4 Using interfce constrints big grph P cn be reduced using interfce constrints, represented s grph I nd set of lbels through which P nd I interct Projection opertor P I (Grf & Steffen, Krimm & Mounier) omputes the sub-grph of P rechble in P I I cn be reduced modulo sfety equivlence fter hiding ll lbels outside similr pproch exists for SP (heung & Krmer) Norml prllel composition insted of projection Requires tu elimintion nd determiniztion (expensive) in I to ensure context trnsprency 4

5 5 Exmple of projection {,, } =

6 The PROJETOR tool of P Softwre implementtion of projection (Krimm & Mounier 1997) OPEN/ESR grph P G grph (interfce) I Synchroniztion set PROJETOR G Grph P I 6

7 omputing the interfce constrints Solution 1: User-specified interfce The user provides n interfce correct interfce is hrd to guess ut correctness cn be checked fterwrds Solution 2: "Exct" interfce correct interfce is computed utomticlly from the environment Krimm & Mounier give n lgorithm bsed on n nlysis of the lgebric LOTOS-like expression describing the composition of processes The interfce I is process of the composition The synchroniztion set is derived utomticlly 7

8 Limittion 1 of K&M lgorithm The method to compute the synchroniztion set is specific to LOTOS prllel composition How cn we build exct interfces in expressions tht use different nd/or more generl opertors? 8

9 Limittion 2 of K&M lgorithm It is impossible to compute interfce constrints induced by combintion of (distnt) processes Sometimes, only such constrints llow reductions Exmple: in b c {, b, d} ( {c, d} ) b d d P 1 P 2 P 3 restricting P 3 w.r.t. either P 1 or P 2 yields no reduction: P 3 {, d} P 1 = P 3 {c, d} P 2 = P 3 Using n interfce obtined by combintion of P 1 nd P 2 (synchronized on b) would yield better reductions d c c d c 9

10 Limittion 3 of K&M lgorithm Interfces my be not precise enough when nondeterministic synchroniztion is involved Exmple: in b b Restricting P 2 w.r.t. P 1 yields no reduction: P 2 {} P 1 = P 2 However P 1 implies tht two successive b ctions cnnot be reched without n in between b, b b {, b} ( {} ) P 1 P 2 P 3 d 10

11 Refined interfces We propose new lgorithm which solves the limittions of K&M lgorithm The lgorithm works in three phses 1. Trnsltion of the composition of processes into generl model clled "synchroniztion networks" 2. Extrction of n "interfce network" from the network model 3. Genertion of the interfce grph corresponding to the interfce network 11

12 Phse 1: synchroniztion networks generl synchroniztion model Synchroniztion of processes P 1,..., P n described by set of synchroniztion vectors of the form where L i,1,..., L i,n L i ech L i,j is either lbel of P j or the specil symbol denoting inction of P j L i is the lbel used in the product grph s the result of the synchroniztion between the P j 's 12

13 Exmple 1 d b c d d ( c c c b ) {, b, d} {c, d} d P 1 P 2 P 3 cn be represented by the set of synchroniztion vectors,, b, b, b, c, c c d, d, d d 13

14 Exmple 2 b b b, b b {, b} ( {} ) d P 1 P 2 P 3 cn be represented by the set of synchroniztion vectors,, b, b, b b,, b b,, d d } nondeterministic synchroniztion on b for P 1 14

15 Phse 2: Interfce network extrction Extrction of network N' representing n bstrction of the environment of process to be constrined Inputs: The synchroniztion network N of system P 1,..., P n The index i of the process P i to be constrined The indices j 1,..., j m (user-given) of the constrining processes lgorithm: for ech vector v in N, crete in N' vector v[j 1 ],..., v[j m ] r where r = v[i] if v[i] (P i ctive in synchroniztion) r = τ otherwise 15

16 Exmple P1, P2, P3 synchronized by the vectors,, b, b, b b,, b b,, d d The interfce network of P2 induced by P1 is: b b b τ τ (This lst one cn be removed) 16

17 Phse 3: interfce grph genertion Generte the grph corresponding to N' (product of P j1,..., P jm ) Thnks to congruence, P j1,..., P jm cn be reduced modulo sfety equivlence beforehnd Prtil order reduction llows to void useless interlevings 17

18 Using the generted interfce The (possibly lrge) grph of P i cn be replced by (smller) grph of P i I where I is n interfce obtined by our lgorithm Forml proof provided in FORTE'2006 pper 18

19 Limittion 1 solved The lgorithm pplies on synchroniztion networks, generl model similr to ME nd F2 networks We implemented the trnsltion into networks for S, SP, LOTOS, mrl prllel composition E-LOTOS generlized prllel composition nd m mong n synchroniztion The trnsltion cn still be done for other opertors 19

20 Limittion 2 solved Interfce constrints induced by ny combintion of processes cn be computed Exmple: in b c d d ( c c c ) {, b, d} b {c, d} d d P 1 P 2 P 3 the interfce I of P 3 induced by P 1 nd P 2 is: c τ c d d c It yields reduction of P 3 s P 3 {, c, d} I = c 20

21 Limittion 3 solved Interfces re precise even in presence of nondeterministic synchroniztion, b b {, b} ( {} ) b b b d P 1 P 2 P 3 The interfce I of P 2 induced by P 1 is: b τ It yields reduction of P 2 s P 2 {, b} I = b 21

22 Implementtion in P lgorithm implemented in Exp.Open 2.0 (-interfce option) Exmple: odp.exp hide ll but WORK in pr EXPORT, IMPORT in pr WORK #2 in "object_1.bcg" "object_2.bcg" "object_3.bcg" "object_4.bcg" end pr "trder.bcg" end pr end hide 22

23 Implementtion in P exp.open -wektrce -interfce "5: 1 2 3" "odp.exp" genertor "trder_interfce.bcg" Genertes n interfce grph "trder_interfce.bcg" induced by the 1st ("object_1.bcg"), 2nd ("object_2.bcg"), nd 3rd ("object_3.bcg") grphs in "odp.exp" The interfce grph cn be used to constrin the 5th grph ("trder.bcg") Prtil order reduction (persistent set method) preserving observble trces is pplied 23

24 pplictions (1/3) Philips' HVi Home udio-video leder election Modeled in LOTOS by J. Romijn (Eindhoven) Lrgest process (404,477 sttes) ws: Reduced downto 365,923 sttes (182s, 46Mb) using interfce obtined by K&M lgorithm Reduced downto 645 sttes (11s, 8.5Mb) using refined interfce 24

25 pplictions (2/3) OP (Open istributed Processing) Trder Modeled in E-LOTOS by Grvel & Sighirenu (INRI) Uses m mong n synchroniztion to model the dynmicity of object exchnges Trder reduced from 1 M sttes without interfce downto 256 sttes using refined interfce 25

26 pplictions (3/3) che oherency Protocol Modeled in LOTOS by M. Zendri (ull) 5 gents ccessing remote directory concurrently No reduction using interfce obtined by K&M lgorithm Remote directory reduced from 1 M sttes downto 60 sttes using refined interfce irectory generted for configurtion with 7 gents (81 sttes) 26

27 Refined bstrction in SVL Refined interfce genertion nd projection cn be done esily within the SVL scripting lnguge New "refined bstrction" opertor clls EXP.OPEN nd PROJETOR utomticlly Exmple: "cche.bcg" = root lef strong reduction of ( (GENT_1 GENT_2 GENT_3) [GET_LINE_STTUS, PUT_LINE_STTUS] (refined bstrction GENT_1, GENT_2 using IR_STRT of IRETORY) ); 27

28 onclusions We provided new lgorithm to synthesize interfce constrints utomticlly The lgorithm solves the 3 limittions of K&M's lgorithm It does not depend on prticulr input lnguge It permits to tke into ccount constrints induced by combintion of distnt processes It permits finer nlysis of synchroniztion ptterns between processes, thus yielding better reductions The method is fully implemented in P It is esy to use thnks to the SVL scripting lnguge Experiments indicte possible reductions by severl orders of mgnitude 28