Verifying Concurrent Message-Passing C Programs with Recursive Calls

Transcription

1 Verifying Concurrent Messge-Pssing C Progrms with Recursive Clls Sgr Chki Edmund Clrke Crnegie Mellon University Pittsburgh USA Nichols Kidd Thoms Reps University of Wisconsin Mdison USA Tyssir Touili LIAFA CNRS & University of Pris 7 Pris Frnce Abstrct We consider the model-checking problem for C progrms with (1) dt rnging over very lrge domins (2) (recursive) procedure clls nd (3) concurrent prllel components tht communicte vi synchronizing ctions. We model such progrms using communicting pushdown systems nd reduce the rechbility problem for this model to deciding the emptiness of the intersection of two context-free lnguges L 1 nd L 2. We tckle this undecidble problem using CounterExmple Guided Abstrction Refinement (CEGAR) scheme bsed on (1) computing over-pproximtions A 1 nd A 2 of L 1 nd L 2 (2) checking if the intersection of A 1 nd A 2 is non-empty nd if the non-empty intersection represents n infesible trce (3) refining these over-pproximtions A 1 nd A 2. Furthermore we present new fully utomtic predictebstrction refinement techniques to obtin communicting pushdown systems from C source code. We hve implemented our techniques in the model-checker MAGIC. We report our experimentl results on some non-trivil benchmrks. 1. Introduction Anlysis of concurrent softwre represents mjor chllenge in the model-checking community. Indeed concurrent progrms include vrious complex fetures such s: (1) the mnipultion of dt rnging over unbounded domins such s integers nd rels (or very lrge domins such s 32-bit ints nd flots) (2) the presence of recursive procedure clls which cn led to n unbounded number of clls (3) concurrency nd the existence of synchroniztion sttements. Unfortuntely checking whether given control point is rechble is undecidble even if the progrm includes only recursive procedures nd synchronistion sttements [Rm00]. Consequently ny method for solving the rechbility problem for these systems is incomplete nd ll we cn hope for is either n pproxi- This reserch ws sponsored by the Office of Nvl Reserch (ONR) nd the Nvl Reserch Lbortory (NRL) under contrct no. N The views nd conclusions contined in this document re those of the uthors nd should not be interpreted s representing the officil policies either expressed or implied of ONR NRL the U.S. Government or ny other entity. [copyright notice will pper here] mte technique or semi-decision procedure whose termintion is not gurnteed. During the lst few yers severl uthors hve ddressed this issue. Pushown systems hve been proposed s n dequte formlism to describe pure sequentil recursive progrms [EK99 ES01]. This llows to represent the potentilly infinite configurtions of recursive progrms in symbolic mnner using regulr lnguges [BEM97 FWW97]. Recently compositions of pushown systems clled communicting pushown systems hve been used to model concurrent recursive progrms [BET03 BET03b]. However in these cses ll dt were ssumed to hve smll finite domin. On the other hnd bstrct-interprettion techniques [CC77] hve been used to del with dt rnging over unbounded (or very lrge) domins. More recently utomted predicte-bstrction techniques [GS97] hve been proposed to del with this issue. The ide of predicte bstrction is to bstrct the infinite dt domin into finite one defined by given set of predictes. The precision of the bstrction nd the model-checking lgorithm depend on the number nd the form of the predictes becuse the size of the model increses with the number of predictes. The centrl problem in predicte bstrction is then the discovery of smll set of predictes sufficient to prove the desired property. To do so CounterExmple Guided Abstction Refinement (CEGAR) techniques [Kur94 CGJ + 00] hve been used to find such smll set. The ide is to (1) strt with n empty set of predictes (2) perform the verifiction procedure on the obtined model. If the property is stisfied by the model we conclude tht it is lso stisfied by the rel progrm becuse the progrm hs fewer behviors thn the model. Otherwise we obtin counterexmple. (3) If the counterexmple corresponds to n execution of the progrm we conclude tht the progrm does not stisfy the property. (4) Otherwise we compute new set of predictes tht eliminte future explortion of the spurious trce nd go bck to step (2). This schem hs been successfully pplied to hndle both pure non-concurrent (sequentil) recursive progrms in the tool SLAM [BR01] nd concurrent nonrecursive progrms in the tools BLAST [HJMS02] nd MAGIC [CCG + 03]. In this work we go one step further nd combine CEGAR predicte-bstrction techniques with pushdown-system modeling to hndle concurrency recursion nd very lrge dt domins t the sme time. Our pproch consists of using communicting pushdown systems (CPDSs) to model concurrent progrms. To do this we (1) define CEGAR predicte-bstrction techniques to obtin successively more precise CPDSs from the C source code of prllel progrm nd (2) define model-checking lgorithms for CPDSs. The min contributions of this pper re: 1. Defining new utomtic CEGAR predicte-bstrction techniques tht cn crete CPDS from the C source code of concurrent (recursive) C progrm tht mnipultes vribles tht /7/19

2 rnge over very lrge domins nd tht cn refine CPDS bstrctions to eliminte given counterexmple. Our techniques re defined component-wise which mkes them compositionl nd sclble to lrge progrms. 2. Defining new model-checking techniques for CPDSs. We restrict ourselves in this work to solving rechbility queries. We reduce the rechbility problem for CPDSs to the undecidble problem of checking the emptiness of the intersection of two context-free lnguges L 1 nd L 2. To tckle this problem we pply second CEGAR scheme tht consists of (1) computing over-pproximtions A 1 nd A 2 of L 1 nd L 2. (2) If A 1 A 2 = we conclude tht L 1 L 2 =. (3) Otherwise we check whether the intersection A 1 A 2 is spurious. In this cse we refine the over-pproximtions A 1 nd A 2 nd return to step (2). This semi-decision procedure is gurnteed to terminte if the intersection L 1 L 2 is not empty. 3. Implementing our technique in the model-checker MAGIC nd crrying out number of non-trivil experiments. Our implementtion ws ble to hndle non-trivil exmple ( Bluetooth driver in Windows NT) tht could not be hndled with the previous version of MAGIC. Moreover the implementtion provides improved performnce for non-recursive exmples tht the previous version of MAGIC ws ble to hndle only vi inlining. This shows tht our technique represents n dvnce for recursive s well s non-recursive concurrent progrms. One of the novel fetures of this work is tht it pplies the CEGAR scheme t two levels: (1) t the predicte-bstrction level to del with unbounded domin vribles nd (2) t the modelchecking level to solve rechbility queries in CPDSs: the CPDS model checker uses second CEGAR scheme in its semi-decision procedure for testing emptiness of the intersection of two contextfree lnguges. As fr s we know this is the first time tht CEGAR is used in the model-checker itself. Indeed it is usully used to compute successively more precise bstrctions of system. Relted Work. In [BET03 BET03b] the rechbility problem for CPDSs hs lso been reduced to computing over-pproximtions of context-free lnguges. However no CEGAR techniques were presented there. More precisely those works compute overpproximtions A 1 nd A 2 of two given context-free lnguges L 1 nd L 2 nd if A 1 A 2 = one concludes tht L 1 L 2 =. However with the pproch of [BET03 BET03b] no conclusion cn be mde utomticlly if A 1 A 2. In prticulr using [BET03 BET03b] one cn never conclude tht L 1 L 2. In contrst our CEGAR-bsed semi-decision procedure is gurnteed to terminte in this cse with the correct nswer. CEGAR-bsed predicte-bstrction techniques re used in severl C-progrms model-checking tools such s SLAM [BR01] BLAST [HJMS02] ZING [QRR04] nd KISS [QW04]. However s mentioned previously SLAM cnnot del with concurrency BLAST cnnot hndle recursion nd KISS cnnot discover errors tht pper fter number of interlevings between the prllel components greter thn three. ZING is n extension of SLAM to concurrent progrms. SLAM nd ZING re bsed on procedure summriztion; hence ZING might not terminte in cses where our technique will. Indeed in the concurrent cse one needs to keep trck of the clling stck which cn be unbounded in the presence of recursive clls. The contents of the stck re explicitely represented in ZING. In contrst in our frmework they re symboliclly represented with regulr lnguges becuse we use pushdown system modeling. On the other hnd SLAM nd ZING use predicte-bstrction techniques to extrct Boolen progrm from C progrm with recursion. Schwoon [Sch02] hs implemented in his pushdown-systems-nlysis tool MOPED trnsltion from Boolen progrms to pushdown systems. However MOPED cnnot hndle concurrent progrms. Our CPDS predicte-bstrctionrefinement techniques re done component-wise nd mount to performing successive sequentil PDS predicte-bstrctions nd refinements. One cn rgue tht these successive steps cn be done using SLAM nd then MOPED. However in this pper we propose predicte-bstrction techniques tht produce directly nd more efficently pushdown system from C source code of sequentil component without going through Boolen progrm. We give in Section 3.4 more detils bout the difference between our predicte-bstrction techniques nd the ones used in SLAM nd ZING. Reders who re lredy fmilir with those techniques nd who wish to skip our pproch to trnslting C code to PDSs should concentrte on Sections 2 4 nd 6 which focus on the concurrency-relted spects of our work. Finlly the new techniques presented in [KIG05 QR05] lso use multiple pushdown systems to model concurrent recursive progrms. However [KIG05] is restricted to progrms tht communicte vi finite number of locks nd ssumes certin nesting condition on the locks. As for [QR05] it uses shred-vribles for communiction between threds wheres we use synchronizing ctions (these two models cn simulte ech other). The technique presented in [QR05] sidesteps the undecidbility of rechbility of multiple pushdown systems by putting bound k on the number of interlevings between the different threds wheres we hndle this undecidble problem by computing bstrctions of context-free lnguges (without bounding the number of interlevings between the different threds). In certin cses our technique cn be more powerful thn the one presented in [QR05]. Indeed if the trget configurtions re rechble our technique is gurnteed to terminte with the correct nswer. The sme cn be sid of the technique of [QR05] if we pply it by incrementing utomticlly the bound k until the trget configurtions re found to be rechble. However in certin circumstnces (when we find A 1 A 2 = ) we cn infer tht the trget configurtions re not rechble wheres the technique of [QR05] cn never estblish such property. Finlly the technique of [QR05] hs not been implemented nd no utomtic techniques to trnslte C code to pushdown systems re provided there. In contrst our method hs been implemented nd pplied to severl non-trivil exmples. This effort is reported in Section 6. The reminder of the pper is orgnized s follows: In Section 2 we define the CPDS model. Section 3 describes the wy we generte CPDS from C progrm using predicte bstrction. In Section 4 we give our semi-decision procedure for model-checking CPDS. Section 5 presents our predicte-bstrction refinement techniques. Section 6 reports our experimentl results. 2. Preliminry definitions A pushdown system (PDS) is four-tuple P = (Q Act Γ ) where P is finite set of sttes Act is finite set of ctions Γ is finite stck lphbet nd is finite set of trnsition rules of the form p γ p w where p p P Act γ Γ nd w Γ. We ssume without loss of generlity tht ll the rules of re such tht w 2. This is not restrictive becuse ny PDS cn be trnsformed into PDS of this form [Sch02]. Moreover s we will see in the next subsection the trnsition rules obtined from progrms re lwys of this form. A configurtion of P is pir p w where p P is stte nd w Γ is the content of the stck. A set C of configurtions is regulr if for every p P the lnguge {w Γ p w C} is regulr. For every Act we define trnsition reltion between the configurtions of P s follows: q γ q w then q γv q wv for every v Γ /7/19

3 For 1 n Act the reltion 1 n is defined in the obvious wy. Let C be set of configurtions. P ost (C) is the set of successors of C defined s follows: P ost (C) = {c c C 1 n Act c 1 n c } A communicting pushdown system (CPDS) [BET03b] is tuple CP = (P 1... P n) of pushdown systems over the sme set of ctions Act such tht Act = Lb {} where Lb is the set of synchroniztion ctions nd represents internl ctions. is such tht for every Lb = =. As we will see lter we need this to reduce the rechbility problem for CPDSs to checking the emptiness of the intersection of two context-free lnguges. A globl configurtion of CP is tuple g = (c 1... c n) of configurtions of P 1... P n. The reltion is extended to globl configurtions s follows: (c 1... c n) (c 1... c n) if there is n index 1 i n such tht c i c i nd c j = c j for every j i; (c 1... c n) (c 1... c n) if there re two distinct indices i j such tht c i c i c j c j nd c k = c k for every i k j. Given set G of globl configurtions we define the successors of G P ost (G) s before. 3. Component-wise Predicte Abstrction We model concurrent recursive progrms using CPDSs. In this section we show how to use predicte bstrction to extrct CPDS from prllel progrm. Suppose tht we re given n concurrent recursive C components. We extrct PDS from ech recursive component. The prllel composition of these components is then represented by the CPDS corresponding to the tuple of these PDSs. In wht follows we show how to extrct PDS from sequentil component using predicte bstrction. To do this we extend the pproch originlly used in MAGIC [CCG + 03] which utomticlly extrcts finitestte utomton from C code to extrct PDS. Without loss of generlity we ssume tht there re only six kinds of sttements in progrms: ssignments procedure clls if-then-else brnches gotos synchroniztion sttements nd returns. In MAGIC we use the CIL tool [NMW + 01] to trnsform rbitrry C progrms into the bove formt. Ech PDS is defined in terms of current set of seed predictes. Initilly the set of seed predictes is empty. The predicte set is ugmented using our refinement techniques (see Section 5). Ech predicte represents set of ssignments of the vribles of the progrm. Let p be predicte over the sets of vribles X nd Y where X (resp. Y ) is set of locl (resp. globl) vribles. Then p loc (resp. p glob ) is the projection of p over the locl vribles X (resp. globl vribles Y ). For exmple let p = (x > 0 & y < 8) be predicte tht represents the set of vlues {x > 0 y < 8}. If x is locl vrible nd y is globl one; p loc denotes the predicte (x > 0); nd p glob the predicte (y < 8). We extend these nottions to sets of predictes in the obvious mnner. We first describe how given set of seed predictes we generte lrger set of predictes useful to compute n bstrction of the progrm (this process is clled predicte inference) nd then describe how to use this new set of predictes to obtin PDS from sequentil C component. As explined bove the CPDS tht corresponds to prllel progrm is the tuple of ll the PDSs of its different sequentil components. 3.1 Predicte inference The wekest precondition of set of predictes p is defined s follows. Let s be n ssignment of the form v = e. Then the wekest precondition of p with respect to s (denoted by W s(p)) is obtined from p by replcing every occurrence of v in p by e. Assignments through pointers i.e. sttements of the form p = e re hndled by the pproch of Morris [Mor82]. Let C be set of seed predictes. In MAGIC we require tht the seed set C is lwys subset of the conditions in the progrm s if sttements 1. To crete PDS tht is n bstrction of sequentil component reltive to the predictes in seed set C we repetedly compute wekest preconditions. Tht is for every control point n we compute set of predictes P[C] n s follows: Initilly P[C] n = for every point n. We repet the following until for every n P[C] n is no longer modified. Let s n be the sttement tht corresponds to control point n: 1. if s n is n ssignment tht hs n s successor then dd W sn`p[c]n to P[C]n. 2. if s n is n if sttement nd n is its then or else successor then dd P[C] n to P[C] n. Moreover if c is the corresponding condition of s n such tht c C then dd c to P[C] n. 3. if s n is goto or synchronistion sttement tht hs n s successor then dd P[C] n to P[C] n. 4. if s n is cll to procedure π where s n hs n s successor nd if e π is the initil control point of procedure π then dd P[C] loc n nd P[C]glob e π to P[C] n. Note tht this procedure might not terminte in the presence of loops nd recursive procedure clls. In this cse we impose termintion by bounding the number of predictes in P[C] n for every control point n. Let us explin the intuition behind the items bove. P[C] n is ment to be the set of predictes needed to chrcterize the vlues of the vribles when point n is ctive (with respect to the predictes in C). Let s n be n ssignment tht hs n s successor. The first item dds W sn`p[c]n to P[C]n. This is becuse if ϕ is true t n then W sn (ϕ) is true t n. Thus if we know tht ϕ holds t n then to void loss of precision we need to know tht W sn (ϕ) holds t n. Now consider the fourth item (the others re esy to understnd). Let π be the procedure tht contins control point n. Becuse procedure π is clled t n the globl vribles hve the sme in P[C] n. Moreover when the procedure π termintes nd control goes bck to point n in procedure π the vlues of the locl vribles of the procedure π in n re the sme s those t point n (since these vlues did not chnge during the cll to π). This is why vlues t n nd e π. This motivtes the inclusion of P[C] glob e π we dd P[C] loc n to P[C]n. Note tht in our procedure we reson in bckwrd mnner to compute the P[C] n s. An equivlent pproch would hve been to use forwrd resoning. In this cse we would need to compute strongest postconditions insted of wekest preconditions. Finlly let P[C] = P[C] n where the union is tken over ll the control points n of the sequentil component be the set of ll the generted predictes. 3.2 Predicte vlution Recll tht our gol is to compute PDS bstrction of sequentil component. As described in the next section the sttes of this PDS correspond to the different vlutions of the globl predictes nd symbol of its stck will be pir tht consists of control point 1 A query q t given point p cn be emulted by introducing n if sttement t p whose brnch condition is q /7/19

4 n nd vlution of the locl predictes t point n. We ssocite with ech loction n two sets of formuls V[C] glob n nd V[C] loc n respectively clled globl nd locl vlutions s follows: For x in {glob loc} V[C] x n is the set of formuls {(p x 1 = v 1) (p x k x = v kx ) P[C] x n = {p x 1... p x k x } v i {trueflse} i = 1... k x}. Moreover if P[C] x n = then V[C] x n = {empty}. Let V be vlution of the form (p 1 = v 1) (p k = v k ). We denote by Γ(V ) its corresponding predicte p 1 p k where p i = p i if v i = true nd p i = p i if v i = flse. Moreover we let Γ(empty) = {true}. 3.3 Creting PDS tht corresponds to sequentil component We re now redy to describe how to crete PDS tht corresponds to sequentil component. Let C be given set of seed predictes. We ssign to sequentil (possibly recursive) component the PDS P = (Q Act Γ ) defined s follows. Q is the set of vlutions where the union is tken over ll the control points n of the sequentil component. Act contins the ction s well s the other synchroniztion ctions of the progrm. Γ is the set of ll pirs (n v) where n is control point of the sequentil component nd v is tht correspond to the globl vribles i.e. Q = V[C] glob n vlution in V[C] loc n tht corresponds to set of vlutions of the locl vribles t loction n. To define the rules of we need one more notion. Consider goto sttement from point to. Intuitively we would like to represent this sttement with rules of the form glob ( loc) glob ( loc ) where glob V[C] glob glob V[C] glob loc V[C] loc loc V[C] loc nd the formuls `Γ(glob) Γ(glob ) nd `Γ(loc) Γ(loc ) re stisfible. This mens tht if the progrm is t point nd its vribles stisfy the globl nd locl vlutions glob nd loc then fter performing the goto sttement it goes to point nd its vribles cn stisfy ll the vlutions glob V[C] glob nd loc V[C] loc such tht `Γ(glob) Γ(glob ) nd `Γ(loc) Γ(loc ) re stisfible. This condition ensures tht the PDS we re creting hs more behviors thn the concrete progrm. However determining whether (p 1 p 2) is stisfible is in generl undecidble when p 1 nd p 2 re first-order formuls over the integers. To sidestep this problem we use sound vlidity checker [Nel80] tht lwys termintes nd nswers TRUE FALSE or UN- KOWN to the question whether given formul (p 1 p 2) is vlid. We use A(p 1 p 2) to denote tht the nswer provided by the vlidity checker to the question Is (p 1 p 2) vlid? is FALSE or UNKOWN. Then to ensure tht the PDS we re creting is sfe bstrction we dd the PDS-trnsition bove if A(p 1 p 2) holds. We re now redy to define the set of rules s follows: Let s be sttement nd be its corresponding control point: If s is goto sttement it is represented by rules of the form: glob ( loc) glob ( loc ) where is the unique successor of glob V[C] glob glob V[C] glob loc V[C] loc loc V[C] loc A`Γ(glob) Γ(glob ) nd A`Γ(loc) Γ(loc ). If s is synchronizing sttement lbeled with ction it is represented by rules of the form: glob ( loc) glob ( loc ) where is the unique successor of glob V[C] glob glob V[C] glob loc V[C] loc loc V[C] loc A`Γ(glob) Γ(glob ) nd A`Γ(loc) Γ(loc ). If s is n ssignment then it is trnslted into set of rules of the form glob ( loc) glob ( loc ). where is the unique successor of glob V[C] glob glob V[C] glob loc V[C] loc loc V[C] loc A W s`γ(glob ) Γ(glob) nd A W s`γ(loc ) Γ(loc). In other words glob nd glob (loc nd loc ) re vlutions tht correspond to the vlues of the globl (locl) vribles before nd fter the ssignment. For exmple if we hve P[C] n1 = {(y = 7) (x > 2)} nd P[C] n2 = {(y = 7) (x > 1)} where y is globl vrible nd x is locl one; if s is the ssignment x := x + 3; then we hve the following rule where T stnds for true: `(y = 7) = T n `(x 1 > 2) = T `(y = 7) = T n `(x 2 > 1) = T. If s is n if sttement it is represented by rules of the form: glob ( loc) glob ( loc ). where is the control point of the corresponding then (resp. else) sttement if glob nd loc stisfy the if condition (resp. do not stisfy the if condition); nd where glob V[C] glob glob V[C] glob loc V[C] loc loc V[C] loc A`Γ(glob) Γ(glob ) nd A`Γ(loc) Γ(loc ). If s is cll to procedure π then it is represented by rules of the form: glob ( loc) glob (e π loc ) ( loc ) where is the unique successor of e π is the initil control point of the procedure π glob V[C] glob loc V[C] loc glob V[C] glob e π loc V[C] loc e π loc V[C] loc A`Γ(glob) Γ(glob ) nd A`Γ(loc) Γ(loc ). We need to hve A`Γ(loc) Γ(loc ) becuse the role of loc is to sve the vlues of the locl vribles of the cller procedure. Finlly return sttement is trnslted into rules of the following form where glob V[C] glob nd loc V[C] loc : glob ( loc) glob ε REMARK 3.1. Note tht the predicte bstrction techniques described bove re sound only for progrms in which there re no ssignments through pointers tht cn hold ddresses of locl vribles of cllers. It would not be difficult to extend these techniques with n interprocedurl modifiction-nlysis lgorithm [CK88] to detect nd ccount for such cses. NOTE 3.1. Observe tht ll the internl ctions re represented by. This is needed to reduce the rechbility problem for CPDSs to computing bstrctions of pth lnguges for pushdown systems s will be discussed in Section Comprision with the predicte-bstrction technique of SLAM As mentioned in Sectio the SLAM tool uses predictebstrction techniques to extrct Boolen progrm from C source code. Then one cn use Schwoon s trnsltion [Sch02] to obtin /7/19

5 PDS from Boolen progrm. Compred with the techniques used in SLAM the techniques described in Section 3.3 exhibit two min differences: 1. Our trnsltion is more efficient becuse it produces directly in one step PDS from C code without going through n intermedite Boolen progrm. 2. Techniclly the pproch described in Section 3.3 is different from SLAM s pproch. In our method we close given set of seed predictes C by computing wekest preconditions long the different possible pths of the progrm nd thus obtin lrger set of predictes tht we use to compute the bstrct model. In contrst SLAM uses the seed set of predictes C s is without computing its closure by wekest precondition. Insted it computes lrgest disjunctions of predictes in C tht imply the wekest preconditions. Consequently the bstrct model we obtin is more precise thn SLAM s becuse it uses more predictes. 3.5 Exmple Consider the following two sequentil components D 1 nd D 2 running in prllel where is synchroniztion ction: D 1: min() { n 0: int x=10; : proc(); : return;} void proc(){ n 3: if (x < 10) n 4: {;} n 5: else {proc();} n 6: return;} D 2: min(){ m 0: ; m 1: return;} Cse #1: The set of seed predictes C is empty: Let us model first the component D 1 by PDS P 1. There re no locl vribles so the stck lphbet is the set of the control points. Moreover becuse the set of seed predictes C is empty let p be the unique stte of P 1 (p corresponds to the vlution empty). P 1 contins the following rules: r 1 : p n 0 p ; r 2 : p p n 3 ; r 3 : p p ɛ ; r 4 : p n 3 p n 4 ; r 5 : p n 3 p n 5 ; r 6 : p n 4 p n 6 ; r 7 : p n 5 p n 3n 6 ; r 8 : p n 6 p ɛ. Similrly we represent the second component by PDS P 2 tht hs unique stte q nd the following rules: r 1 : q m 0 q m 1 ; nd r 2 : q m 1 q ɛ. Cse #2: We hve C = {(x < 10)}: We model the component D 1 by the following PDS P 1. We hve: P n1 = P n3 = P n5 = {x < 10} nd P n = for the other points (while computing P n0 we find the predicte 10 < 10. Becuse we ignore predictes tht re trivilly true or flse we keep P n0 = ). The sttes of P 1 re: p 1 : (x < 10) = flse p 2 : (x < 10) = true nd p 3 : empty. P 1 contins the following rules: p 3 n 0 p 1 ; p 1 p 1 n 3 ; p 3 p 3 ɛ ; p 2 n 3 p 3 n 4 ; p 1 n 3 p 1 n 5 ; p 3 n 4 p 3 n 6 ; p 1 n 5 p 1 n 3n 6 ; p 3 n 6 p 3 ɛ. 4. Rechbility Anlysis of CPDSs Suppose tht the progrm consists of n sequentil components. In MAGIC we usully sk the following query: Suppose tht the system strts from configurtion where ech component i is t its initil control point n i 0 for i = 1... n; cn one component rech n error point? We show in this section how to tckle the rechbility nlysis of these systems. In the reminder of this pper we restrict ourselves to systems tht consist of two prllel sequentil components. The technique cn be extended in strightforwrd mnner to the generl cse (see [BET03b] for more detils); the implementtion reported in Section 6 supports n rbitrry number of components. We reduce the rechbility problem for CPDSs to deciding the emptiness question for the intersection of two context-free lnguges s follows: Let (P 1 P 2) be CPDS nd let C 1 C 2 nd C 1 C 2 be two sets of globl configurtions of the system. Becuse ll the internl ctions re represented by (which is neutrl element for conctention) C 1 C 2 is rechble from C 1 C 2 if nd only if there exists t lest one sequence of synchroniztion ctions tht simultneously leds P 1 from configurtion in C 1 to configurtion in C 1 nd P 2 from configurtion in C 2 to configurtion in C 2. This holds iff L(C 1 C 1) L(C 2 C 2) where L(C i C i) is the context-free lnguge consisting of ll the sequences of ctions (or equivlently of synchroniztion ctions becuse the internl ctions re represented by ) tht led P i from C i to C i. Becuse deciding the emptiness of two context-free lnguges is undecidble we propose semi-decision procedure tht in cse of termintion nswers exctly whether the intersection is empty or not. Moreover if L(C 1 C 1) L(C 2 C 2) the semi-decision procedure is gurnteed to terminte nd return sequence in the intersection. The semi-decision procedure is bsed on CounterExmple Guided Abstrction Refinement (CEGAR) scheme s follows: 1. Abstrction: We compute n over-pproximtion A i of the pth lnguge L(C i C i). 2. Verifiction: We check if A 1 A 2 = nd if so we conclude tht L(C 1 C 1) L(C 2 C 2) = i.e. tht C 1 C 2 is unrechble from C 1 C 2. Otherwise we compute the counterexmple I = A 1 A Counterexmple Vlidtion: We check whether I contins sequence x tht is in L(C 1 C 1) L(C 2 C 2). In this cse I is not spurious nd we conclude tht L(C 1 C 1) L(C 2 C 2) i.e. tht C 1 C 2 is rechble from C 1 C 2. Otherwise we proceed to the next step. 4. Refinement: If I is spurious we refine the over-pproximtions A 1 nd A 2 i.e. we compute other over-pproximtions A 1 nd A 2 such tht L(C i C i) A i A i. We then continue from step 2. In the reminder of this section we discuss these steps in detil. We fix two sets of globl configurtions C 1 C 2 nd C 1 C 2. For the ske of simplicity we denote L(C 1 C 1) by L 1 nd L(C 2 C 2) by L Computing over-pproximtions of pth lnguges To compute over-pproximtions of pushdown-system pth lnguges our technique is bsed on the pproch presented in [BET03b]. We summrize this pproch in wht follows. Consider n bstrct lttice (D ) ssocited with n idempotent semiring (D 0 1) such tht = is n ssocitive commuttive nd idempotent ( = ) opertion; is n ssocitive opertion; 0 = ; 0 nd 1 re neutrl elements for /7/19

6 nd respectively; 0 is n nnihiltor for ( 0 = 0 = 0); nd distributes over. Finlly is such tht x x. D is relted to the concrete domi Lb s follows: It contins n element v for every letter Lb It is ssocited with n bstrction function α : 2 Lb D nd concretiztion function γ : D 2 Lb defined s follows: α(l) = M v 1 v n 1 n L nd γ(x) = { 1 n Lb v 1 v n x} It is esy to see tht for every lnguge L Lb ; α(l) D nd γ`α(l) L. In other words γ`α(l) is n overpproximtion of L tht is finitely represented in the bstrct domin D by the element α(l). Intuitively the bstrct opertions nd correspond to conctention nd union respectively; nd correspond to inclusion nd intersection respectively; nd the bstrct elements 0 nd 1 correspond to the empty lnguge nd {ɛ} respectively. Therefore to compute the over-pproximtions γ`α(l i) we need to compute its representtive α(l i) in the bstrct domin D. Let finite-chin bstrction be n bstrction such tht D does not contin n infinite scending chin nd let h be the mximl height of chin in D. Then we hve: THEOREM 4.1. [BET03b RSJ03] Let P = (Q Act Γ ) be PDS nd C C be two regulr sets of configurtions of P nd let α be finite-chin bstrction defined on the bstrct domin D. Then α`l(c C ) cn be effectively computed in D in O(h Q 2 ) time. There re two different lgorithms tht provide the bsis of this theorem one described in [BET03 BET03b] nd one described in [RSJ03 RSJM]. The ltter hs been implemented in tool clled WPDS++ [KRML]. We use this tool to compute bstrctions of pth lnguges. To check the emptiness of the intersection of the overpproximtions γ`α(l 1) nd γ`α(l 2) it suffices to check whether α(l 1) α(l 2) =. Indeed using the fct tht α( ) = nd γ( ) = we cn show tht L 1 L 2 Lb α(l 1) α(l 2) = γ`α(l 1) γ`α(l 2) = 4.2 Defining refinble finite-chin bstrctions To be ble to pply our CEGAR scheme we need to define refinble finite-chin bstrctions i.e. series (α i) i 1 such tht α i is more precise thn α j if i > j; i.e. for every lnguge L Lb if i > j then L γ i`αi(l) γ j`αj(l) For this we define the i th -prefix bstrction s follows: Let W i be the set of words of Lb of length less thn or equl to i. The bstrct lttice D i is equl to 2 W i ; for every Lb v = ; = ; = ; U V = {(uv) i u U v V } where (w) i is the prefix of w of length i; 0 = ; 1 = {ɛ}; =. Let α i nd γ i be the bstrction nd the concretiztion functions ssocited with this domin. It is esy to see tht α i(l) is the set of words of L of length less thn i union the set of prefixes of length i of L i.e. α i(l) = {w w < i nd w L or w = i nd v Lb s.t. wv L}. Therefore γ i`αi(l) = {w α i(l) w < i} {wv w α i(l) w = i v Lb }. Observe tht it is possible to decide whether α i(l 1) α i(l 2) = becuse for every L Lb α i(l) is finite set of words. It is esy to see tht if i > j then α i is more precise thn α j. Indeed we hve L γ i`αi(l) γ j`αj(l). We hve thus defined series of refinble finite-chin bstrctions α 1 α 2 α REMARK 4.1. The i th -prefix bstrction is only one bstrction tht cn be used to instntite the frmework. Others re possible such s the i th -suffix or the i th -subword bstrctions (defined in n nlogous wy). 4.3 Checking whether the counterexmple is spurious It remins to check whether I = γ i`αi`l1) γ i`αi(l 2) contins n element x such tht x L 1 L 2. This mounts to deciding whether I L 1 L 2 =. Unfortuntely this problem is undecidble becuse I is regulr lnguge (becuse for L Lb γ i`αi(l) is regulr). To sidestep this problem we check insted whether L 1 nd L 2 hve common word of length t most i. This mounts to checking whether `αi(l 1) L 1 `αi(l 2) L 2 = This is decidble becuse α i(l) is finite set. 4.4 The semi-decision procedure Summrizing the previous discussion we obtin the following semi-decision procedure: 1. Initilly i = 1; 2. Compute the common words of length less thn i nd the common prefixes of length i of L(C 1 C 1) nd L(C 2 C 2): I = α i`l(c1 C 1) α i`l(c2 C 2). 3. If I = conclude tht L(C 1 C 1) L(C 2 C 2) = nd tht C 1 C 2 is unrechble from C 1 C 2. Otherwise determine whether or not I is spurious: Check whether I L(C 1 C 1) L(C 2 C 2). If this holds conclude tht L(C 1 C 1) nd L(C 2 C 2) hve common word of length less thn or equl to i nd therefore tht L(C 1 C 1) L(C 2 C 2) nd C 1 C 2 is rechble from C 1 C Otherwise increment i nd proceed from step 2. It is esy to see tht: THEOREM 4.2. If L(C 1 C 1) L(C 2 C 2) then the bove semi-decision procedure termintes with the exct solution. Proof: Let x L(C 1 C 1) L(C 2 C 2) nd let k be the length of x. Then x α k`l(c1 C 1) α k`l(c2 C 2). REMARK 4.2. It follows from Theorem 4.1 tht t ech step i computing α i(l) necessittes O(2 Lb i Q 2 ) time since there re t most Lb i words of length i nd therefore t most 2 Lb i elements in D i. This is the worst cse complexity of our lgorithm. However in prctice our tool behves well s described in Section /7/19

7 4.5 Exmple Let P 1 be the PDS hving the following rules: r 1 : p n 0 p ; r 2 : p p n 0 ; r 3 : b b p p ɛ ; r 4 : p n 0 p ɛ. And let P 2 be the PDS hving the following rules: r 1 : q m 0 q m 1 ; r 2 b : q m 1 q m 2 ; r 3 : q m 2 q m 0m 3 ; r 4 b : q m 3 q ɛ ; nd r 5 : d q m 0 q ɛ. It is esy to see tht in P 1 L 1 = L` p n 0 p ɛ = { k bb k k 0}; nd tht in P 2 L 2 = L` q m 0 q ɛ = {(b) k db k k 0} nd therefore tht L 1 L 2 =. We use this strightforwrd exmple to illustrte our pproch: α 1(L 1) α 1(L 2) = {} ; / L 1 therefore we refine the bstrction nd go to α 2; α 2(L 1) α 2(L 2) = {b} ; b / L 2 therefore we refine the bstrction nd go to α 3; α 3(L 1) α 3(L 2) =. Therefore we infer tht L 1 L 2 =. 5. Component-wise Refinement The construction of the CPDS model from the C progrm involves predicte bstrction. It is prmetrized by set of predictes. The min issue in predicte bstrction is to find smll set of predictes tht llows to prove property of interest. In our cse the property in question is whether the system cn rech n error from the initil configurtion where component i (where e.g. i = 1 2) is in glob i 0 (n i 0 loc i 0) such tht n i 0 is the initil control point of the component i nd glob i 0 loc i 0 re initil vlutions of the globl nd locl vribles respectively. Similrly n error is configurtion where t lest one component i is in configurtion of the form glob (n i e loc) where n i e correponds to n error point nd glob nd loc re rbitrry vlutions of the vribles. MAGIC finds this miniml set of predictes by pplying CEGAR pproch s follows: We strt with model involving n empty set of seed predictes nd perform the model-checking step described in Section 4. If the model checker nswers tht the error stte is unrechble in the CPDS model we re sure tht this is lso the cse for the concrete progrm becuse the progrm hs fewer behviors thn the model. Otherwise if the model checker finds tht the CPDS cn rech n error stte by performing sequence of synchroniztion ctions 1 n ( 1 n I L(C 1 C 1) L(C 2 C 2)) we need to verify whether this behvior corresponds to ny rel executions of the progrm (in which cse we hve shown tht the progrm is not correct) or whether the erroneous-looking behvior hs been introduced by bstrction. If this is the cse we need to refine the CPDS model. More precisely the model checker returns two sequences of rules r rm 1 1 nd r rm 2 2 such tht the CPDS (P 1 P 2) reches the error stte if P i performs the sequence r1 i... rm i i (in this cse 1 n is the sequence of synchroniztion ctions corresponding to these sequences of rules). We sy tht the sequence r1 i... rm i i is counterexmple for component i. To check whether this counterexmple is spurious we need to check whether component i cn perform the sequence of sttements tht correspond to the sequence of rules r1 i... rm i i. If either component fils to perform its corresponding sequence we refine its corresponding PDS to eliminte the spurious sequence of rules. Observe tht ll these steps re done component-wise which mkes the technique compositionl nd sclble to lrge progrms. In this section we first show how to check whether sequence of rules returned by the model checker is spurious. We show then how to dd new seed predictes to crete more precise CPDS model tht elimintes spurious trce. 5.1 Counterexmple vlidtion We present in this subsection n lgorithm tht tkes s input counterexmple given by sequence of rules r 1... r n of PDS tht models sequentil component nd nswers whether it is spurious. Let s 1... s n be the sequence of sttements tht correspond to r 1... r n. Intuitively the lgorithm simultes the different steps to determine whether the concrete component could possibly perform them. The lgorithm strts from the initil point n 0 nd the vlutions glob 0 nd loc 0 of the vribles. Then it pplies successively the different sttements s i i = 1... n updtes the vlues of the vribles nd checks whether the if-thenelse conditions re stisfied in this sequence of instructions. More precisely the lgorithm works s follows: Initilly ϕ = glob 0 loc 0 For i = 1 to n do if s i is n ssignment compute the strongest postcondition of ϕ with respect to s i. For exmple if s i is the ssignment x := x + 5 nd ϕ is the vlution (1 < x < 4) = true; the updted vlution ϕ is (6 < x < 9) = true. if s i is n if sttement with condition c then if s i+1 corresponds to its then successor ϕ := ϕ c. Otherwise if s i+1 corresponds to its else successor ϕ := ϕ c. If ϕ is stisfible then the progrm cn execute the sequence of sttements nd the counterexmple is vlid; otherwise the counterexmple is spurious. 5.2 Eliminting the counterexmple If the counterexmple is spurious for component i we need to refine the PDS model P i corresponding to this component by dding new seed predictes. The predictes tht we dd re subsets of the set of conditions of the if-then-else brnches of the progrm. Intuitively it works s follows: In most cses the counterexmple is spurious becuse in the bstrct model we hve not modeled n if condition with sufficient precision nd we hve llowed both of its brnches to be followed (t some moment during n bstrct execution) wheres in ny concrete execution run only one brnch cn be followed; the counterexmple corresponds to trce tht tkes the wrong brnch. So to eliminte this trce we need to dd the condition c of this if sttement s seed predicte. More precisely let X = {c 1... c k } be the set of conditions of the if sttements of the progrm nd let C be the current set of seed predictes i.e. such tht P i is computed s described in Section 3 using the set of predictes P[C]. We proceed s follows: 1. i := 1 2. if c i C then increment i nd go to step 2 3. C := C {c i} 4. Crete the PDS P i tht corresponds to the predictes P[C ] s described in Section 3.3. If the new model elimintes the counterexmple then let the new seed set be C := C. Otherwise increment i nd go to step 2. If none of the predictes c 1... c k succeeds in eliminting the counterexmple we try to dd two predictes t ech step. If we try ll the possibilities nd the counterexmple is still not eliminted we try to dd three predictes t ech step etc. 5.3 Exmple Let us consider the prllel progrm given in Section 3.5. Consider this query: Cn D 2 rech the point m 1 if the system strts /7/19

8 from (n 0 m 0)? Obviously this is not the cse becuse the second component cn go to m 1 only if it synchronizes with D 1 using the ction wheres the first component cn never perform becuse t n 3 we do not hve x < 10. If we model the concurrent progrm using no seed predictes i.e. if we consider the model (P 1 P 2) described in Section 3.5 the model checker nswers tht (n 6 m 1) is rechble with the following sequences: r 1r 2r 4r 6 for P 1 nd r 1 for P 2. Using our method we cn check tht r 1r 2r 4r 6 is spurious becuse ϕ = (x = 10) (x < 10) is not stisfible. Therefore we refine PDS P 1. If we consider C = (x < 10) we obtin the PDS P 1 described in Section 3.5. Then it is esy to see tht in the CPDS (P 1 P 2) P 2 cnnot rech m Experimentl Results We implemented the method described in the pper in ComFoRT [CISW05] model checker built on top of MAGIC [CCG + 03] nd experimented with set of non-trivil benchmrks. Our implementtion supports two kinds of bstrctions described in Section 4.2: the i th -prefix nd the i th -suffix bstrctions. 6.1 Appliction to concurrent recursive progrms: Windows NT Bluetooth driver We pplied our technique to nontrivil recursive concurrent progrm tht could not be hndled with the originl (non-recursive) version of MAGIC: Windows NT Bluetooth driver. Our tool found bug in this progrm (tht ws reported in [QW04]). The bug could be detected with the i th -prefix s well s the i th -suffix bstrctions. Our experiments were performed on Linux SMP P Ghz mchine with 2 GB memory. The results re summrized in Figure 1. Abstrction Execution time(seconds) Memory used (MB) i th -prefix i th -suffix Figure 1. Results for the Bluetooth driver Note tht the suffix bstrction is more efficient in this cse. This is due to the fct tht in this exmple there re less possible bckwrd pths from the erroneous configurtions thn forwrd pths from the initil configurtions. We describe in wht follows the progrm (the source code cn be found in [QW04]) its corresponding CPDS model nd we show how to pply our technique to find the error. The driver consists of certin number of processes running in prllel: process STOP-D process COUNTER process STOPPING-FLAG process STOPPING-EVENT nd n rbitrry number of processes REQUEST (one per ech request for the driver). The role of the process COUNTER is to count the number of requests tht the driver receives. This number is set to 1 initilly is incremented when the driver receives new request nd is decremented when request exits the driver. The process STOP-D my issue request to stop the driver t ny time. It then hs to wit until ll the other requests hve finished their work before stopping the driver. The process STOPPING-FLAG hs two control points: F- S-F (FALSE-STOP-FLAG) nd T-S-F (TRUE-STOP-FLAG) depending on whether the process STOP-D is trying to stop the driver or not. It is initilly in stte F-S-F nd moves to stte T-S-F if it receives messge from STOP-D. No new thred cn enter the driver if this process is in T-S-F. The process STOPPING-EVENT lso hs two control points: F-S-E (FALSE-STOP-EVENT) nd T-S-E (TRUE-STOP-EVENT). It enters stte T-S-E if the driver stops i.e. when the number of running REQUESTs reches 0. Finlly when new REQUEST enters the driver it hs to increment the number stored in COUNTER perform the work sked by the request nd then decrement the number stored in COUNTER before exiting the driver. This is done by two functions: Increment nd Decrement. Ech of these processes cn be modeled by PDS s described below (ll the techniques described here were utomticlly performed by our tool). The process COUNTER: It hs no globl vribles so let p 0 be its unique stte. The number of threds is represented in stck. The stck lphbet is {0 1}. Initilly the stck contins the word 10 mening tht the number of requests is zero. It cn then contin ny word i 0. The number of 1 s in the stck corresponds to the number of running requests minus 1. The increment nd decrement opertions re invoked by incr nd decr messges from the REQUEST processes. COUNTER is represented by the following PDS rules: p 0 1 p incr 0 11 nd p 0 0 p incr These rules increment the counter. p 0 1 p decr 0 ɛ. This rule decrements the counter. p 0 1 p not zero 0 1 nd p 0 0 p is zero 0 0. These rules test whether the counter is 0. The process STOPPING-FLAG: let p 1 be its unique stte. It hs no globl vribles so p 1 F-S-F stop p 1 T-S-F : The process receives stop request from STOP-D. p 1 T-S-F p stop 1 T-S-F : The process communictes with REQUEST process vi stop messge. p 1 F-S-F p non stop 1 F-S-F : It sends non-stop request to the incoming REQUESTs. The process STOPPING-EVENT: As with the two previous processes this process hs lso no globl vribles so let p 2 be its unique stte. p 2 F-S-E p stop driver 2 T-S-E nd p 2 T-S-E p is stopped 2 T-S-E : The process uses the messges is-stopped nd stop-driver to indicte tht the driver is stopped. p 2 F-S-E non stopped p 2 F-S-E : It sends nonstopped messge to indicte tht the driver is still running. The process STOP-D: Agin this process hs no globl vribles so let p 3 be its unique stte. p 3 n 0 stop p 3 e Decrement : STOP-D sends stop request to STOPPING-FLAG nd clls Decrement. p 3 is stopped p 3 RELEASE. If the driver is stopped the llocted resources re relesed. This process hs copy of the function Decrement tht will be described below. The process REQUEST: This process hs globl vrible g tht cn be 0 1 or -1. It is set initilly to 1. Let g 0 g 1 nd g 1 be the globl sttes of the PDS tht correspond to the cses where g is equl to 0 1 nd -1 respectively. The process REQUEST does the following: 1. It strts by clling function Increment. This function will set g to -1 if the STOPPING-FLAG is set to TRUE otherwise it will increment the counter nd set g to /7/19

9 2. If Increment returns 0 REQUEST performs the work it hs to do nd then sserts tht STOPPING-EVENT is in stte F-S-E (i.e. tht the driver is still running). 3. Afterwrds it clls function Decrement tht decrements the counter. If this counter hs reched 0 it sends messge to inform STOPPING-EVENT tht the driver is stopped becuse there re no more requests running. The process REQUEST cn be modeled by the following PDS rules where x {1 0 1}: g x e g x e Inc n. First Increment is clled; g 0 n g 0 n W ork. If Increment returns 0 REQUEST performs some work. g 0 n W ork g 0 n End W ork. The work ends. g 0 n End W ork non stopped g 0 e Decrement. After the work is finished we hve to mke sure tht the driver is still running i.e. tht STOPPING-EVENT is in F-S-E. g 0 n End W ork is stopped g 0 ABORT. If this is not the cse we hve reched n error nd the progrm ABORTs. g x n g x e Decrement. After Decrement is clled. The function Increment is represented s follows: g x e Inc g stop 1 ɛ. If STOPPING-FLAG is in T-S-F the function returns -1; g x e Inc g non stop x n. Otherwise it increments the counter nd returns: g x n g incr 0 ɛ The function Decrement is represented s follows where g {g x p 3} (this function is shred by REQUEST nd STOP-D): g e Decrement dec g n. The counter is decremented. g n g not zero ɛ. If it hs not reched 0 the function termintes; g n g is zero n. Otherwise it communictes with STOPPING-EVENT using messge stop-driver: g n g stop driver ɛ The erroneous trce: The error rises even if we hve only one running request i.e. if we hve the processes STOP-D COUNTER STOPPING-FLAG STOPPING-EVENT nd n instnce of REQUEST running in prllel. We show tht the progrm cn rech the bd point ABORT. A configurtion will be represented by 5-tuple ( ) where nd 5 represent the configurtions of the processes STOP-D COUNTER STOPPING-FLAG STOPPING-EVENT nd RE- QUEST respectively. The initil configurtion is p 0 10 p 1 F-S-F p 2 F-S-E p 3 n 0 g 1 e With ction this configurtion cn move to: p 0 10 p 1 F-S-F p 2 F-S-E p 3 n 0 g 1 e Inc n nd then by exchnging non-stop messge between REQUEST nd STOPPING-FLAG to: p 0 10 p 1 F-S-F p 2 F-S-E p 3 n 0 g 1 n n Now STOP-D cn send stop request to STOPPING-FLAG: p 0 10 p 1 T-S-F p 2 F-S-E p 3 e Decrement g 1 n n The counter is decremented: p 0 0 p 1 T-S-F p 2 F-S-E p 3 n g 1 n n The counter is tested s to whether it is 0 by exchnging the messge is-zero: p 0 0 p 1 T-S-F p 2 F-S-E p 3 n g 1 n n Therefore Decrements confirms tht the driver is stopped by sending the messge stop-driver: p 0 0 p 1 T-S-F p 2 T-S-E p 3 g 1 n n Now the resources re relesed: p 0 0 p 1 T-S-F p 2 T-S-E p 3 RELEASE g 1 n n At this point the REQUEST t point n decides to resume its execution nd it increments the counter: p 0 10 p 1 T-S-F p 2 T-S-E p 3 RELEASE g 0 n Now the request executes its work: p 0 10 p 1 T-S-F p 2 T-S-E p 3 RELEASE g 0 n W ork The work finishes: p 0 10 p 1 T-S-F p 2 T-S-E p 3 RELEASE g 0 n End W ork Now REQUEST relises tht the driver ws stopped by communicting with STOPPING-EVENT using the messge isstoppednd it borts! p 0 10 p 1 T-S-F p 2 T-S-E p 3 RELEASE g 0 ABORT It is esy to see tht this trce will be found by our technique when using prefixes of length 8 (α 8) becuse it contins 8 synchronistion ctions. The sme cn be chieved using the suffix bstrction. 6.2 Appliction to non-recursive exmples We lso pplied our implementtion to severl exmples without recursion to which MAGIC hd lredy been pplied. The previous version of MAGIC hndles non-recursive procedure clls by in-line expnsion. The gol of these experiments ws to determine whether the method described in the pper would improve MAGIC s performnce. Indeed inlining produces huge finite-stte models. Consider for exmple procedure hving k control points nd m clls to procedure hving n control points. This system cn be modeled using finite utomton with O(k + mn) sttes or PDS tht hs only O(k + n) sttes. As described next our results re encourging nd we believe tht they cn be improved even further vi more efficient implementtion. This shows tht in ddition to its utility in the verifiction of concurrent recursive progrms our technique represents n dvnce for recursive s well s non-recursive concurrent progrms. The experiments were crried out on dul-athlon-xp mchine with 3 GB of RAM running RedHt 9.0. We used the i th - prefix bstrction for those experiments. The results re summrized in Figure 2. The columns re explined below the tble. Ech row corresponds to different benchmrk. More precisely the srvr series is single OpenSSL server (1444 lines of code); the clnt series is single OpenSSL client (1386 lines of code); ssl series is server nd client tht execute concurrently (2830 lines of code). Ech element of series corresponds to different property being verified on the sme source code. The ucos benchmrk (6263 lines /7/19