Reasoning about nondeterminism in software
IBM Programming Languages Day 2012 Eric Koskinen Research Scientist and Principal Investigator New York University
ejk@cims.nyu.edu
Monday, June 25, 12
Prove temporal properties of real programs
PostgreSQL StreamServer: int StreamServerPort(int family, ...)

```c
/*
 * StreamServerPort -- open a "listening" port to accept connections.
 *
 * Successfully opened sockets are added to the ListenSocket[] array,
 * at the first position that isn't -1.
 *
 * RETURNS: STATUS_OK or STATUS_ERROR
 */
int StreamServerPort(int family, char *hostName, unsigned short portNumber,
                     char *unixSocketName, int ListenSocket[], int MaxListen)
void body()
{
    /* Initialize hint structure */
#ifdef HAVE_UNIX_SOCKETS
    if (family == AF_UNIX)
    {
        /* Lock_AF_UNIX will also fill in sock_path. */
        /* if (Lock_AF_UNIX(portNumber, unixSocketName) != STATUS_OK) */
        /*     return STATUS_ERROR; */
        service = sock_path;
    }
    else
#endif /* HAVE_UNIX_SOCKETS */
    {
        snprintf(1, sizeof(1), "%d", portNumber);
        service = 1;
    }

    ret = getaddrinfo_all(hostName, service, &hint, &addrs);
    if (ret || !addrs)
    {
        /* ereport(LOG, */
        /*     (errmsg("could not translate host name \"%s\", service \"%s\" to address: %s", */
        /*             hostName, service, gai_strerror(ret)))); */
        /* ereport(LOG, */
        /*     (errmsg("could not translate service \"%s\" to address: %s", */
```
```c
         */
        err = nondet(); // bind(fd, addr->ai_addr, addr->ai_addrlen);
        if (err < 0)
        {
            /* ereport(LOG, */
            /*     (errcode_for_socket_access(), */
            /*      /\* translator: %s is IPv4, IPv6, or Unix *\/ */
            /*      errmsg("could not bind %s socket: %m", familyDesc), */
            /*      (IS_AF_UNIX(addr_ai_family)) ? */
            /*          errhint("Is another postmaster already running on port %d?" */
            /*                  " If not, remove socket file \"%s\" and retry.", */
            /*                  (int) portNumber, sock_path) : */
            /*          errhint("Is another postmaster already running on port %d?" */
            /*                  " If not, wait a few seconds and retry.", */
            /*                  (int) portNumber))); */
            closesocket(fd);
            continue;
        }

#ifdef HAVE_UNIX_SOCKETS
        if (addr_ai_family == AF_UNIX)
        {
            /* (lines cropped on the slide) */
            {
                closesocket(fd);
                break;
            }
        }
#endif

        /*
         * Select appropriate accept-queue length limit. PG_SOMAXCONN is
         * only intended to provide a clamp on the request on platforms
         * where an overly large request provokes a kernel error (are
         * there any?).
         */
        maxconn = MaxBackends * 2;
        if (maxconn > PG_SOMAXCONN)
            maxconn = PG_SOMAXCONN;

        err = listen(fd, maxconn);
        if (err < 0)
        {
            closesocket(fd);
            continue;
        }
        ListenSocket_OF_listen_index = fd;
        added++;
    }
    //freeaddrinfo_all(hint.ai_family, addrs);
```
Property to prove: (G ¬error) ⇒ F (added>0 ∧ F ret=OK)
Proving this statically is challenging: it requires reasoning about termination and reasoning about reachability.

Previous technique: timeout. Our work: 9.56 s.
P ⊢ φ, for φ in ∀CTL (CAV'11): reduction to a program analysis task (symbolic MC, AI) using Frontiers. These tools are good at finding the "right" abstraction.

P ⊢ φ, for φ in LTL (POPL'11): trace-based properties (e.g. LTL); synthesize decision predicates; prove trace-based properties with iterated state-based techniques.
Results ("Traditional" is the POPL'11 / CAV'11 technique; all properties are "A" properties):

Program                        Property              Traditional Time(s)   Our Approach Time(s)
Example from Sec. 2            AFAGp                 2.32                  1.98
Example from Fig. 8 of [15]    AG(p⇒AFq)             209.64                27.94
Toy acq/rel                    AG(p⇒AFq)             103.48                14.18
Toy lin. arith. 1              p⇒AFq                 126.86                34.51
Toy lin. arith. 2              p⇒AFq                 timeout               6.74
PostgreSQL strsrv              AG(p⇒AFAGq)           timeout               9.56
PostgreSQL strsrv+bug          AG(p⇒AFAGq)           87.31                 47.16
PostgreSQL pgarch              AFAGp                 31.50                 15.20
PostgreSQL dropbuf             AGp                   timeout               1.14
PostgreSQL dropbuf             AG(p⇒AFq)             53.99                 27.54
Apache child                   AG(p⇒AGAFq)           timeout               197.41
Apache child accept liveness   AG(p⇒(AFa ∨ AFb))     685.34                684.24
Windows frag. 1                AG(p⇒AFq)             901.81                539.00
Windows frag. 2                AFAGp                 16.47                 52.10
Windows frag. 2+bug            AFAGp                 26.15                 30.37
Windows frag. 3                AFAGp                 4.21                  15.75
Windows frag. 4                AG(p⇒AFq)             timeout               1,114.18
Windows frag. 4                (AFp) ∨ (AFq)         1,223.96              100.68
Windows frag. 5                AG(p⇒AFq)             timeout               timeout
Windows frag. 6                AFAGp                 149.41                59.56
Windows frag. 6+bug            AFAGp                 6.06                  22.12
Windows frag. 7                AGAFp                 timeout               55.77
Windows frag. 8                FGp                   timeout               5.24
All "A" properties:
  AFp   Across all paths, eventually reach p
  AGp   Across all paths, p always holds
[State-space figure: initial states branching on the outcome of a nondeterministic read; edges labelled read() > 0 and read() ≤ 0]

  if (read(&buf)) { computeA(); } else { computeB(); }

Example: does there exist a way to reach a red state?  EF red

Example: are you assured you will always reach a state from which point you can always be in a green state?  AF (EG green)
Branching properties can be found in many temporal logics. Computation Tree Logic [Clarke 1986]:
  AFp   Across all paths, eventually reach p
  EFp   There is a path that eventually reaches p
  AGp   Across all paths, p always holds
  EGp   There is a path along which p always holds
Is there a position I can move to such that escape is possible? At any point the system could terminate, and when it does p holds.

Are there choices that I can make ("exists") such that I will always outwit every move ("universal") my opponent makes?

Can the system eventually repair itself after an intrusion? Is it possible that, no matter what inputs an attacker enters, the system can escape being compromised?

Both kinds of question can be treated similarly.
[State-space figures: exploring outward from the initial states]

Looks like AG yellow. Side condition: recurrent set?

Looks like AF red. Side condition: recurrent set?
Treat universal and existential fragments similarly. Example: EF green, with
  F ≡ {s | color(s) = green}    ("Frontier")
  C ≡ {s | color(s) = yellow}   ("Chute")
For AFp, the chute is simply S. Characterization for CTL . . .
Treat universal and existential fragments similarly. The judgement X ⊢ Φ (X: a set of states; Φ: a property) has the standard CTL semantics.

Similar to CTL*, decompose the temporal operators into a second kind of judgement, X, C, F ⊢ γ, a "Walk". Side condition: recurrent set? Termination: well-founded. Safety.

CTL semantics vs. proof system: soundness and completeness.
Side condition: recurrent set? In practice: using, e.g., Octagon; using an SMT solver.
Example program (x := 1 . . . x = 0 . . . x := 0) with the nested property EF AF EG x, decomposed into EG x, AF EG x and EF AF EG x, using the frontiers and chutes
  F1 ≡ pc = 4
  C1 ≡ pc = 0 ⇒ ρ1 ∧ pc = 2 ⇒ ρ2
  F2 ≡ pc = 6
  C2 ≡ pc = 2 ⇒ ¬ρ2
  F3 ≡ true
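The x := 1 / x := 0 example above, checked directly with the standard CTL fixpoint semantics over a small finite model. This is an added example, not the talk's proof system or tool: where the talk reasons with frontiers and chutes over the program, this evaluates EG x, AF EG x and EF AF EG x by fixpoint iteration on an explicit state space, so the difference between the universal and existential operators can be seen state by state. The program counters, transitions and the decision predicates ρ1/ρ2 are my reconstruction of the slide's program and are labelled as constructed in the code.

```python
# Explicit-state CTL checking over a small nondeterministic program.
# Added example, not the proof system or tool from the talk: it evaluates the
# standard CTL fixpoint semantics over a constructed finite Kripke structure
# modelled on the talk's x := 1 / x := 0 example.  The program counters,
# transitions and decision predicates rho1/rho2 below are my reconstruction.
from typing import Callable, Dict, FrozenSet, Set, Tuple

State = Tuple[int, int]  # (pc, x)

# Constructed transition relation; rho1/rho2 are nondeterministic choices:
#   pc 0: if rho1 goto 2 else goto 1      pc 1: while (true) {}   (x stays 0)
#   pc 2: if rho2 goto 4 else goto 3      pc 3: goto 7
#   pc 4: x := 1; goto 5                  pc 5: goto 6
#   pc 6: stay at 6, or goto 7            pc 7: x := 0; goto 8
#   pc 8: goto 0
SUCC: Dict[State, Set[State]] = {
    (0, 0): {(1, 0), (2, 0)},
    (1, 0): {(1, 0)},
    (2, 0): {(3, 0), (4, 0)},
    (3, 0): {(7, 0)},
    (4, 0): {(5, 1)},
    (5, 1): {(6, 1)},
    (6, 1): {(6, 1), (7, 0)},
    (7, 0): {(8, 0)},
    (8, 0): {(0, 0)},
}
STATES: FrozenSet[State] = frozenset(SUCC)
INIT: State = (0, 0)

# Atomic propositions; "x" on the slide holds when the variable x equals 1.
ATOMS: Dict[str, Callable[[State], bool]] = {"x": lambda s: s[1] == 1}


def ex(z: Set[State]) -> Set[State]:
    """EX z: some successor lies in z."""
    return {s for s in STATES if SUCC[s] & z}


def ax(z: Set[State]) -> Set[State]:
    """AX z: every successor lies in z (the relation is total, so no deadlock)."""
    return {s for s in STATES if SUCC[s] <= z}


def fixpoint(f: Callable[[Set[State]], Set[State]], start: Set[State]) -> Set[State]:
    """Kleene iteration: least fixpoint from the empty set, greatest from STATES."""
    z = set(start)
    while True:
        nz = f(z)
        if nz == z:
            return z
        z = nz


def sat(phi) -> Set[State]:
    """States satisfying a CTL formula written as nested tuples,
    e.g. ("EF", ("AF", ("EG", ("atom", "x"))))."""
    op = phi[0]
    if op == "atom":
        return {s for s in STATES if ATOMS[phi[1]](s)}
    if op == "not":
        return set(STATES - sat(phi[1]))
    if op == "and":
        return sat(phi[1]) & sat(phi[2])
    p = sat(phi[1])
    if op == "EF":  # lfp Z. p or EX Z : some path eventually reaches p
        return fixpoint(lambda z: p | ex(z), set())
    if op == "AF":  # lfp Z. p or AX Z : every path eventually reaches p
        return fixpoint(lambda z: p | ax(z), set())
    if op == "EG":  # gfp Z. p and EX Z : some path stays in p forever
        return fixpoint(lambda z: p & ex(z), STATES)
    if op == "AG":  # gfp Z. p and AX Z : every path stays in p forever
        return fixpoint(lambda z: p & ax(z), STATES)
    raise ValueError(f"unknown operator {op}")


def holds(phi) -> bool:
    """Does the formula hold in the initial state?"""
    return INIT in sat(phi)


EG_X = ("EG", ("atom", "x"))
AF_EG_X = ("AF", EG_X)
EF_AF_EG_X = ("EF", AF_EG_X)

if __name__ == "__main__":
    for name, f in [("EG x", EG_X), ("AF EG x", AF_EG_X), ("EF AF EG x", EF_AF_EG_X)]:
        print(f"{name:11} at {INIT}: {holds(f)}  sat = {sorted(sat(f))}")
```

In this model AF EG x fails at the initial state because the ¬ρ1 branch loops forever with x = 0, while EF AF EG x holds because the ρ1, ρ2 branch reaches pc 4, from which every path reaches the pc 6 loop where x stays 1.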
How do we discover frontiers? (See our work in CAV 2011.)

How do we discover chutes? [State-space figures:] explore from the initial states; when a counterexample is found, remove this behavior; what remains is a recurrent set.

Rule for EF red (as drawn on the slide): from (X, C, F) is rcr, F ⊢ red, and the walk relation W_{C,F} restricted to X being well-founded (w.f.), conclude X, C, F ⊢ F red, and hence X ⊢ EF red.
Iterated refinement algorithm:

```
Prove(P, Φ):
  let Φ' = Φ where "E" is replaced with "A"
  in loop
    match (P ⊢∀ Φ) with
    | Fail χ in EG or EF → eliminate χ
    | Fail χ in AG or AF → return Fail
    | Succeed → if the C's are recurrent then return Succeed else return Fail
```
Refinement: eliminate χ. Counterexamples χ for the x := 1 / x := 0 example and the predicate that eliminates each:
  assume(x=0); 0: assume(¬ρ1); 1: loop                                  (pc=0 ⇒ ρ1)
  assume(x=0); 0: assume(ρ1); ρ2 = *; 2: assume(¬ρ2); 3,7,8,0: loop     (pc=0 ⇒ ρ2)
  assume(x=0); 0,2,4: assume(ρ1, ρ2); 4,5,6: assume(x=1); 7,8,0,2: assume(x=0)   (pc=2 ⇒ ¬ρ2)
Recurrent set.
(SLAM or BLAST): work in progress . . .

End of talk :-)