Dynamic Reductions for Model Checking Concurrent Software Alfons - - PowerPoint PPT Presentation

SLIDE 1

Introduction Transactions Dynamic Experiments Conclusion

Dynamic Reductions for Model Checking Concurrent Software

Alfons Laarman

alfons@laarman.com Henning G¨ unther , Ana Sokolova and Georg Weissenbacher Formal Methods in Systems Engineering Vienna University of Technology

March 21, 2017

Alfons Laarman (TU Wien) 1/14

SLIDE 2

Introduction Transactions Dynamic Experiments Conclusion

Reductions

Model Checking of Concurrent Software

1 Explosion of interleavings 2 Partial-order reduction vs Lipton reduction 3 Symbolic is a challenge 4 Global commutativity is needed, but a severe bottleneck Alfons Laarman (TU Wien) 2/14

SLIDE 3

Introduction Transactions Dynamic Experiments Conclusion

Reductions

Model Checking of Concurrent Software

1 Explosion of interleavings 2 Partial-order reduction vs Lipton reduction 3 Symbolic is a challenge 4 Global commutativity is needed, but a severe bottleneck

a = 1; b = 2;

• x

= 1; x += 2; x += 3;

Alfons Laarman (TU Wien) 2/14

SLIDE 4

Introduction Transactions Dynamic Experiments Conclusion

Reductions

Model Checking of Concurrent Software

1 Explosion of interleavings 2 Partial-order reduction vs Lipton reduction 3 Symbolic is a challenge 4 Global commutativity is needed, but a severe bottleneck

x = 1; a = 1; b = 2;

• x

= 1; x += 2; x += 3;

Alfons Laarman (TU Wien) 2/14

SLIDE 5

Introduction Transactions Dynamic Experiments Conclusion

Lipton vs Partial-Order Reduction (POR)

l1 l2 l3 la lb lc a=0; b=2; x=1; y=2;

Alfons Laarman (TU Wien) 3/14

SLIDE 6

Introduction Transactions Dynamic Experiments Conclusion

Lipton vs Partial-Order Reduction (POR)

l1 l2 l3 la lb lc a=0; b=2; x=1; y=2; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2;

Alfons Laarman (TU Wien) 3/14

SLIDE 7

Introduction Transactions Dynamic Experiments Conclusion

Lipton vs Partial-Order Reduction (POR)

l1 l2 l3 la lb lc a=0; b=2; x=1; y=2; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; a=0; x=1; b=2; y=2;

Alfons Laarman (TU Wien) 3/14

SLIDE 8

Introduction Transactions Dynamic Experiments Conclusion

Lipton vs Partial-Order Reduction (POR)

l1 l2 l3 la lb lc a=0; b=2; x=1; y=2; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; a=0; x=1; b=2; y=2; a,b=0,2; x,y=1,2; a,b=0,2; x,y=1,2;

Alfons Laarman (TU Wien) 3/14

SLIDE 9

Introduction Transactions Dynamic Experiments Conclusion

Transactions in databases

lock A lock B lock C UPDATE unlock C unlock B unlock A

Alfons Laarman (TU Wien) 4/14

SLIDE 10

Introduction Transactions Dynamic Experiments Conclusion

Transactions in databases

lock A lock B lock C UPDATE unlock C unlock B unlock A internal

Alfons Laarman (TU Wien) 4/14

SLIDE 11

Introduction Transactions Dynamic Experiments Conclusion

Transactions in databases

lock A lock B lock C UPDATE unlock C unlock B unlock A internal pre-phase commit post-phase

Alfons Laarman (TU Wien) 4/14

SLIDE 12

Introduction Transactions Dynamic Experiments Conclusion

Commutativity

Action α right commutes with β, iff α can always be delayed after β:

α β

• β

α Alfons Laarman (TU Wien) 5/14

SLIDE 13

Introduction Transactions Dynamic Experiments Conclusion

Commutativity

Action α right commutes with β, iff α can always be delayed after β:

α β

• β

α

Definition (Right commutativity (

→

⊲ ⊳))

σ1 α

→

⊲ ⊳ β iff σ2 σ3

α

→

β

→ ∀σ1,σ2,σ3 : σ1 σ4 σ3

α

→

β

→ σ2

α

→

β

→ ⇒ ∃σ4 :

Alfons Laarman (TU Wien) 5/14

SLIDE 14

Introduction Transactions Dynamic Experiments Conclusion

Commutativity

Action α right commutes with β, iff α can always be delayed after β:

α β

• β

α

Definition (Right commutativity (

→

⊲ ⊳))

σ1 α

→

⊲ ⊳ β iff σ2 σ3

α

→

β

→ ∀σ1,σ2,σ3 : σ1 σ4 σ3

α

→

β

→ σ2

α

→

β

→ ⇒ ∃σ4 :

Example An action both-commutes with all actions that access a disjoint set of variables. A lock(/unlock) right(/right)-commutes with other lock and unlock

• perations.

Alfons Laarman (TU Wien) 5/14

SLIDE 15

Introduction Transactions Dynamic Experiments Conclusion

Commutativity

Action α right commutes with β, iff α can always be delayed after β:

α β

• β

α

Definition (Right commutativity (

→

⊲ ⊳))

σ1 α

→

⊲ ⊳ β iff σ2 σ3

α

→

β

→ ∀σ1,σ2,σ3 : σ1 σ4 σ3

α

→

β

→ σ2

α

→

β

→ ⇒ ∃σ4 :

Example An action both-commutes with all actions that access a disjoint set of variables. A lock(/unlock) right(/right)-commutes with other lock and unlock

• perations.

Definition (Right-Movability) The action α of thread i is a right-mover, iff for all j i: α →i

→

⊲ ⊳→j

Alfons Laarman (TU Wien) 5/14

SLIDE 16

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

Alfons Laarman (TU Wien) 6/14

SLIDE 17

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

• a, x, b, c = 1, 2, 3, 4;

Alfons Laarman (TU Wien) 6/14

SLIDE 18

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Lipton Reduction A statement α1;...;αn of thread i can be reduced to α1 ◦ ··· ◦ αn, if for some 1 ≤ k < n, and all j i:

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

3

∀σ ∃σ′ : σ

α2

→i ◦···◦

αn

→i σ′ (statements after α1 do not block) Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

• a, x, b, c = 1, 2, 3, 4;

Alfons Laarman (TU Wien) 6/14

SLIDE 19

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Lipton Reduction A statement α1;...;αn of thread i can be reduced to α1 ◦ ··· ◦ αn, if for some 1 ≤ k < n, and all j i:

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

3

∀σ ∃σ′ : σ

α2

→i ◦···◦

αn

→i σ′ (statements after α1 do not block) Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

• a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

Alfons Laarman (TU Wien) 6/14

SLIDE 20

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Lipton Reduction A statement α1;...;αn of thread i can be reduced to α1 ◦ ··· ◦ αn, if for some 1 ≤ k < n, and all j i:

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

3

∀σ ∃σ′ : σ

α2

→i ◦···◦

αn

→i σ′ (statements after α1 do not block) Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

• a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4 x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

Alfons Laarman (TU Wien) 6/14

SLIDE 21

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Lipton Reduction A statement α1;...;αn of thread i can be reduced to α1 ◦ ··· ◦ αn, if for some 1 ≤ k < n, and all j i:

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

3

∀σ ∃σ′ : σ

α2

→i ◦···◦

αn

→i σ′ (statements after α1 do not block) Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

• a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4 x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4 x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

Alfons Laarman (TU Wien) 6/14

SLIDE 22

Introduction Transactions Dynamic Experiments Conclusion

Lipton Reduction

[Lipton ’77, Lamport et al. ’89] Lipton Reduction A statement α1;...;αn of thread i can be reduced to α1 ◦ ··· ◦ αn, if for some 1 ≤ k < n, and all j i:

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

3

∀σ ∃σ′ : σ

α2

→i ◦···◦

αn

→i σ′ (statements after α1 do not block) Example (A statement sequence, where x is the only global variable) a = 1; x = 2; b = 3; c = 4;

• a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4 x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4 x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4 x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Alfons Laarman (TU Wien) 6/14

SLIDE 23

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2;

Alfons Laarman (TU Wien) 7/14

SLIDE 24

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; x,y=1,2;

Alfons Laarman (TU Wien) 7/14

SLIDE 25

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; x,y=1,2;

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

Alfons Laarman (TU Wien) 7/14

SLIDE 26

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; x=y; a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; x,y=1,2;

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

Alfons Laarman (TU Wien) 7/14

SLIDE 27

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; x=y;

×

a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; x,y=1,2;

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

Alfons Laarman (TU Wien) 7/14

SLIDE 28

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; x=y;

×

a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; x,y=1,2; x=y;

×

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers)

Alfons Laarman (TU Wien) 7/14

SLIDE 29

Introduction Transactions Dynamic Experiments Conclusion

Movability is too strong a condition

1 2 3 a b c a=0; b=2; x=1; y=2; x=y;

×

a=0; x=1; b=2; x=1; a=0; y=2; b=2; y=2; x=1; a=0; b=2; y=2; x,y=1,2; x=y;

×

1

α1,...,αk−1

→

⊲ ⊳→j (pre-phase statements (before αk) are right movers)

2

αk+1,...,αn

←

⊲ ⊳→j (post-phase statements (after αk) are left movers) Monotonicity is key!

Alfons Laarman (TU Wien) 7/14

SLIDE 30

Introduction Transactions Dynamic Experiments Conclusion

Example

int *data = NULL; void worker thread(int tid) { if (data == NULL) { int *tmp = read from disk(1024); W: if (!CAS(&data, NULL, tmp)) free(tmp); } for (int i = 0; i < 512; i++) R: process(data[i + tid * 512]); } int main () { pthread create(worker thread, 0); // T1 pthread create(worker thread, 1); // T2 }

Alfons Laarman (TU Wien) 8/14

SLIDE 31

Introduction Transactions Dynamic Experiments Conclusion

Example

int *data = NULL; void worker thread(int tid) { if (data == NULL) { int *tmp = read from disk(1024); W: if (!CAS(&data, NULL, tmp)) free(tmp); } for (int i = 0; i < 512; i++) R: process(data[i + tid * 512]); } int main () { pthread create(worker thread, 0); // T1 pthread create(worker thread, 1); // T2 }

Example Other dynamic conditions Pointers / array indices that don’t change value. Atomic Compare-And-Swap (CAS) operations to permanently grab resources.

Alfons Laarman (TU Wien) 8/14

SLIDE 32

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a b c x=1; y=2;

Alfons Laarman (TU Wien) 9/14

SLIDE 33

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar bl br cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2;

Alfons Laarman (TU Wien) 9/14

SLIDE 34

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2;

Alfons Laarman (TU Wien) 9/14

SLIDE 35

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2; (0,a) (1,a) (0,al) (1,al) (1,ar) x = y ; pc1=0 x=y; pc10

Alfons Laarman (TU Wien) 9/14

SLIDE 36

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2; (0,a) (1,a) (0,al) (1,al) (1,ar) x = y ; pc1=0 x=y; pc10

• Alfons Laarman (TU Wien)

9/14

SLIDE 37

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2; (0,a) (1,a) (0,al) (1,al) (1,ar) x = y ; pc1=0 x=y; pc10

• {2}

Alfons Laarman (TU Wien) 9/14

SLIDE 38

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2; (0,a) (1,a) (0,al) (1,al) (1,ar) x = y ; pc1=0 x=y; pc10

• {2}

Definition (Dynamic both-moving conditions) A state predicate cα is a dynamic both-moving condition for an action α, if for all j i:

1

(cα

• α

→i) ⊲ ⊳ (cα

• →j)

2

cα is never disabled

Alfons Laarman (TU Wien) 9/14

SLIDE 39

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2; (0,a) (1,a) (0,al) (1,al) (1,ar) x = y ; pc1=0 x=y; pc10

• {2}

Definition (Dynamic both-moving conditions) A state predicate cα is a dynamic both-moving condition for an action α, if for all j i:

1

(cα

• α

→i) ⊲ ⊳ (cα

• →j)

2

cα is never disabled

Example (Heuristics for other dynamic conditions) int T[10] = {E,E,22,35,46,25,E,E,91,E}; int find-or-put(int v) { int hash = v / 10; for (int i = 0; i < 10; i++) { int index = (i + hash) % 10; if (CAS(&T[index], E, v)) { return INSERTED; } else if (T[index] == v) return FOUND; } return TABLE_FULL; } int main() { pthread_create(find-or-put, 25); pthread_create(find-or-put, 42); }

Alfons Laarman (TU Wien) 9/14

SLIDE 40

Introduction Transactions Dynamic Experiments Conclusion

Instrumentation with dynamic reduction

1 2 3 a=0; b=2; x=y; a al ar cl cr cl cr pc1 0 pc1 = 0 x=1; x=1; y=2; y=2; (0,a) (1,a) (0,al) (1,al) (1,ar) x = y ; pc1=0 x=y; pc10

• {2}

Definition (Dynamic both-moving conditions) A state predicate cα is a dynamic both-moving condition for an action α, if for all j i:

1

(cα

• α

→i) ⊲ ⊳ (cα

• →j)

2

cα is never disabled

Example (Heuristics for other dynamic conditions) int T[10] = {E,E,22,35,46,25,E,E,91,E}; int find-or-put(int v) { int hash = v / 10; for (int i = 0; i < 10; i++) { int index = (i + hash) % 10; if (CAS(&T[index], E, v)) { return INSERTED; } else if (T[index] == v) return FOUND; } return TABLE_FULL; } int main() { pthread_create(find-or-put, 25); pthread_create(find-or-put, 42); } cα := T[index] != E

Alfons Laarman (TU Wien) 9/14

SLIDE 41

Introduction Transactions Dynamic Experiments Conclusion

Movability up to bisimulation

Definition (Right-commutativity up to bisimulation (

→

⊲ ⊳X)) The transition relation

α

→i right-commutes with

β

→j up to X, notation

α

→i

→

⊲ ⊳X

β

→j, iff:

σ1 σ2 σ3

β

→j

α

→i ∀σ1,σ2,σ3 : σ1 σ2 σ3

β

→j

α

→i ⇒ ∃σ′

3,σ4 :

σ4

β

→j σ′

3 α

→

i

X

Definition (Right-movability up to bisimulation) The action α of thread i is a right-mover up to X, iff for all j i:

α

→i

→

⊲ ⊳X→j

Alfons Laarman (TU Wien) 10/14

SLIDE 42

Introduction Transactions Dynamic Experiments Conclusion

Transaction Reduction

[Flanagan, Qadeer SoftMC’03] Theorem (Reduction) Let (→,S) be a transition system. For all i,j i, let S = Ri ⊎ Li ⊎ Ni such that Li

• →i
• Ri = ∅

post does not reach pre

1

→i

• Ri

→

⊲ ⊳ →j →i into pre right commutes with →j

2

Li

• →i

←

⊲ ⊳ →j →i from post left commutes with →j

3

∀σ ∈ Li : ∃σ′ ∈ Ni : σ →∗

i σ′

post phases terminate Let ֒ →i

ji Nj

• →i (i can only transition when all j are in an external

state). Suppose σ →∗ σ′, σ ∈ N and σ′ ∈ N, then there is an σ′′ ∈ N s.t. σ ֒ →∗ σ′′.

Alfons Laarman (TU Wien) 11/14

SLIDE 43

Introduction Transactions Dynamic Experiments Conclusion

Dynamic Transaction Reduction

[G¨ unther, Laarman, Sokolova, Weissenbacher VMCAI’17] Theorem (Reduction) Let (→,S) be a transition system. For all i,j i, let S = Ri ⊎ Li ⊎ Ni such that For each thread i, there exists a thread bisimulation relation i, and: Li

• →i
• Ri = ∅

post does not reach pre

1

→i

• Ri

→

⊲ ⊳ {j} →j →i into pre right commutes with →j

2

Li

• →i

←

⊲ ⊳ {i,j} →j →i from post left commutes with →j

3

∀σ ∈ Li : ∃σ′ ∈ Ni : σ →∗

i σ′

post phases terminate

4

i ⊆ L2

j ∪ R2 j ∪ N2 j

(i entails j-phase-equality) Let ֒ →i

ji Nj

• →i (i can only transition when all j are in an external

state). Let i Ni

• (֒

→i

• Ni)∗ ֒

→i

• Ni (block steps skip internal states)

Suppose σ →∗ σ′, σ ∈ N and σ′ ∈ N, then there is an σ′′ ∈ N s.t. σ ∗ σ′′.

Alfons Laarman (TU Wien) 11/14

SLIDE 44

Introduction Transactions Dynamic Experiments Conclusion

Complete instrumentation

Gi (Vi ,δi ) V′

i ,δ′ in G′ i (pictured)

∀(la,α,lb ) ∈ δi :

lN

a

lR

b

lL

b

cα

• α

¬cα

• α

∀(la,α,lb ) ∈ δi :

lR′

a

lR

b

lL

b

c

α

• α

¬ c

α

• α

∀la ∈ Vi :

lR

a

lR′

a

true

∀la ∈ Vi \ LFSi :

lL

a

lL′

a

lN

a

c ( l

a

) ¬c(la) with c(la)

• (la,α,lb)∈δi cα

∀(la,α,lb ) ∈ δi ,la ∈ Vi \ LFSi :

lL′

a

lL

b

α

∀la ∈ LFSi :

lL

a

lN

a

true Alfons Laarman (TU Wien) 12/14

SLIDE 45

Introduction Transactions Dynamic Experiments Conclusion

Complete instrumentation

Gi (Vi ,δi ) V′

i ,δ′ in G′ i (pictured)

∀(la,α,lb ) ∈ δi :

lN

a

lR

b

lL

b

cα

• α

¬cα

• α

∀(la,α,lb ) ∈ δi :

lR′

a

lR

b

lL

b

c

α

• α

¬ c

α

• α

∀la ∈ Vi :

lR

a

lR′

a

true

∀la ∈ Vi \ LFSi :

lL

a

lL′

a

lN

a

c ( l

a

) ¬c(la) with c(la)

• (la,α,lb)∈δi cα

∀(la,α,lb ) ∈ δi ,la ∈ Vi \ LFSi :

lL′

a

lL

b

α

∀la ∈ LFSi :

lL

a

lN

a

true

l2 l1 α β lN

2

lN

1

lL

2

lL

1

lL′

2

lL′

1

lR

2

lR

1

lR′

2

lR′

1

cα

• α

¬cα

• α

c

α

• α

¬cα

• α

cβ

• β

¬cβ

• β

c

β

• β

¬ cβ

• β

true true c(l2) ¬c(l2) α β true

Alfons Laarman (TU Wien) 12/14

SLIDE 46

Introduction Transactions Dynamic Experiments Conclusion

VVT

Vienna Verification Tool [G¨ unther, Laarman, Weissenbacher SVCOMP’16]

http://vvt.forsyte.at/ (open source)

Alfons Laarman (TU Wien) 13/14

SLIDE 47

Introduction Transactions Dynamic Experiments Conclusion

VVT

Vienna Verification Tool [G¨ unther, Laarman, Weissenbacher SVCOMP’16]

http://vvt.forsyte.at/ (open source) BMC with all dynamic reductions (BMC-dyn in the graphs); BMC with only static reductions (BMC-phase); IC3 with all dynamic reductions (IC3-dyn); and IC3 with only static reductions (IC3-phase).

Alfons Laarman (TU Wien) 13/14

SLIDE 48

Introduction Transactions Dynamic Experiments Conclusion

VVT

Vienna Verification Tool [G¨ unther, Laarman, Weissenbacher SVCOMP’16]

http://vvt.forsyte.at/ (open source) BMC with all dynamic reductions (BMC-dyn in the graphs); BMC with only static reductions (BMC-phase); IC3 with all dynamic reductions (IC3-dyn); and IC3 with only static reductions (IC3-phase).

1 2 3 4 5 6 7 8 500 1500 2500 3500 #Threads Time(s)

• BMC−dyn

BMC−phase IC3−dyn IC3−phase 1 2 3 4 5 6 7 8 500 1500 2500 3500 #Threads Time(s)

• BMC−dyn

BMC−phase IC3−dyn IC3−phase

Lazy initialization Dynamic locking

Alfons Laarman (TU Wien) 13/14

SLIDE 49

Introduction Transactions Dynamic Experiments Conclusion

VVT

Vienna Verification Tool [G¨ unther, Laarman, Weissenbacher SVCOMP’16]

http://vvt.forsyte.at/ (open source) BMC with all dynamic reductions (BMC-dyn in the graphs); BMC with only static reductions (BMC-phase); IC3 with all dynamic reductions (IC3-dyn); and IC3 with only static reductions (IC3-phase).

1 2 3 4 5 6 7 8 500 1500 2500 3500 #Threads Time(s)

• BMC−dyn

BMC−phase IC3−dyn IC3−phase 1 2 3 4 5 6 7 8 500 1500 2500 3500 #Threads Time(s)

• BMC−dyn

BMC−phase IC3−dyn IC3−phase

Lazy initialization Dynamic locking

1 2 3 4 5 500 1500 2500 3500 #Threads Time(s)

• BMC−dyn

BMC−phase IC3−dyn IC3−phase 1 2 3 4 5 6 7 #Threads

• BMC−dyn

BMC−phase IC3−dyn IC3−phase 1 2 3 4 5 6 7 8 9 #Threads

• BMC−dyn

BMC−phase IC3−dyn IC3−phase

Hash table reads/writes Hash table reads Hash table writes

Alfons Laarman (TU Wien) 13/14

SLIDE 50

Introduction Transactions Dynamic Experiments Conclusion

Conclusions

Contributions Dynamic movers as in stubborn set POR “Straight-forward” instrumentation and encoding Dynamic mover conditions are suitable for symbolic model checking

Alfons Laarman (TU Wien) 14/14

SLIDE 51

Introduction Transactions Dynamic Experiments Conclusion

Conclusions

Contributions Dynamic movers as in stubborn set POR “Straight-forward” instrumentation and encoding Dynamic mover conditions are suitable for symbolic model checking Open Questions Is a weaker reduction theorem possible? How do transactions compare to POR?

Alfons Laarman (TU Wien) 14/14