Veri fi cation of Erlang-style Concurrency Emanuele DOsualdo , - - PowerPoint PPT Presentation

Verification of Erlang-style Concurrency

Emanuele D’Osualdo, Jonathan Kochems and Luke Ong

Department of Computer Science University of Oxford

11 September 2012

The goal

1

Automatic Verification

The goal

1

• f

Automatic Verification

The goal

1

• f

Automatic Verification Properties

The goal

1

• f
• f

Automatic Verification Properties

The goal

1

• f
• f

Automatic Verification Properties Concurrent Systems

The goal

1

• f
• f

Automatic Verification Properties Concurrent Systems based on Message Passing

The goal

1

• f
• f

Automatic Verification Properties Concurrent Systems based on the Actor Model

The goal

1

• f
• f

Automatic Verification Properties Erlang programs

functional sequential fragment dynamic process creation asynchronous message passing

The goal

1

• f
• f

Effective Sound Approximation Properties Erlang programs

functional sequential fragment dynamic process creation asynchronous message passing

The goal

1

• f
• f

Effective Sound Approximation Reachability Erlang programs

functional sequential fragment dynamic process creation asynchronous message passing

Example: Erathostene’s sieve

2

Running Example: a concurrent version of Erathostene’s sieve Inspired by: Rob Pike. Concurrency and message passing in Newsqueak. Google Tech Talks, 2007.

Example: Erathostene’s sieve

3

1 ❝♦✉♥t❡r✭◆✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❋r♦♠✦④❛♥s✱ ◆⑥✱

4

❝♦✉♥t❡r✭◆✰✶✮

5

❡♥❞✳

❝♦✉♥t❡r✭◆✮ ❝❧✐❡♥t

Example: Erathostene’s sieve

3

1 ❝♦✉♥t❡r✭◆✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❋r♦♠✦④❛♥s✱ ◆⑥✱

4

❝♦✉♥t❡r✭◆✰✶✮

5

❡♥❞✳

❝♦✉♥t❡r✭◆✮ ❝❧✐❡♥t poke

Example: Erathostene’s sieve

3

1 ❝♦✉♥t❡r✭◆✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❋r♦♠✦④❛♥s✱ ◆⑥✱

4

❝♦✉♥t❡r✭◆✰✶✮

5

❡♥❞✳

❝♦✉♥t❡r✭◆✮ ❝❧✐❡♥t poke

Example: Erathostene’s sieve

3

1 ❝♦✉♥t❡r✭◆✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❋r♦♠✦④❛♥s✱ ◆⑥✱

4

❝♦✉♥t❡r✭◆✰✶✮

5

❡♥❞✳

❝♦✉♥t❡r✭◆✮ ❝❧✐❡♥t poke poke

Example: Erathostene’s sieve

3

1 ❝♦✉♥t❡r✭◆✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❋r♦♠✦④❛♥s✱ ◆⑥✱

4

❝♦✉♥t❡r✭◆✰✶✮

5

❡♥❞✳

❝♦✉♥t❡r✭◆✮ ❝❧✐❡♥t poke poke

Example: Erathostene’s sieve

3

1 ❝♦✉♥t❡r✭◆✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❋r♦♠✦④❛♥s✱ ◆⑥✱

4

❝♦✉♥t❡r✭◆✰✶✮

5

❡♥❞✳

❝♦✉♥t❡r✭◆✰✶✮ ❝❧✐❡♥t poke N

Example: Erathostene’s sieve

4

1 ♠❛✐♥✭✮ → 2

▼ ❂ s❡❧❢✭✮✱

3

❈ ❂ s♣❛✇♥✭❝♦✉♥t❡r✱❬✷❪✮✱

4

s♣❛✇♥✭s✐❡✈❡✱ ❬❈✱▼❪✮✳

❝♦✉♥t❡r✭✷✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙ ❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✷✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙ ❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✷✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙

poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✷✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙

poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙

2

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙

2

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙

prime 2

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❈✱▼✮

❙

2

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 s✐❡✈❡✭■♥✱ ❖✉t✮ → 2

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

3

r❡❝❡✐✈❡ ④❛♥s✱❳⑥ →

4

❖✉t✦④♣r✐♠❡✱❳⑥✱

5

❋ ❂ s♣❛✇♥✭❢✉♥✭✮→

6

❢✐❧t❡r✭❞✐✈❴❜②✭❳✮✱ ■♥✮

7

❡♥❞✮✱

8

s✐❡✈❡✭❋✱❖✉t✮

9

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✸✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 3

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 3

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 3

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✶✱▼✮

❙

2 3

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✹✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✺✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 4

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✺✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 poke

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✻✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 5

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✻✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 5

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✻✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 5

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✻✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✷✱▼✮

❙

2 3 5

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Example: Erathostene’s sieve

4

1 ❢✐❧t❡r✭❚❡st✱ ■♥✮ → 2

r❡❝❡✐✈❡ ④♣♦❦❡✱ ❋r♦♠⑥ →

3

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❋r♦♠✮

4

❡♥❞✳

5 6 ❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮ → 7

■♥✦④♣♦❦❡✱ s❡❧❢✭✮⑥✱

8

r❡❝❡✐✈❡ ④❛♥s✱❨⑥ →

9

❝❛s❡ ❚❡st✭❨✮ ♦❢

10

❢❛❧s❡ →

11

❖✉t✦④❛♥s✱❨⑥✱

12

❢✐❧t❡r✭❚❡st✱ ■♥✮❀

13

tr✉❡ →

14

❢✐❧t❡r✭❚❡st✱ ■♥✱ ❖✉t✮

15

❡♥❞

16

❡♥❞✳

❝♦✉♥t❡r✭✻✮

❈

♠❛✐♥

▼ ❢✐❧t❡r✭❞✐✈❴❜②✭✷✮✳✳ ❋✶ ❢✐❧t❡r✭❞✐✈❴❜②✭✸✮✳✳ ❋✷

s✐❡✈❡✭❋✸✱▼✮

❙

2 3 5

❢✐❧t❡r✭❞✐✈❴❜②✭✺✮✳✳ ❋✸

Erlang

5

Erlang: Pure functional sequential fragment Call-by-value Dynamically typed Higher Order Process creation: s♣❛✇♥ / s❡❧❢ Message passing: r❡❝❡✐✈❡ / send P ✦ ▼s❣ Send is asynchronous, receive is blocking Jim Larson. Erlang for concurrent programming. Communications of the ACM, 2009.

Related Work

6

Bug-finding tools:

Related Work

6

Bug-finding tools: Dialyzer (Lindahl&Sagonas) based on control-flow-analysis, success types and detection of wrong use of built-ins

Related Work

6

Bug-finding tools: Dialyzer (Lindahl&Sagonas) based on control-flow-analysis, success types and detection of wrong use of built-ins QuickCheck (Arts et al.) / PropEr (Sagonas’ group) property-based testing

Related Work

6

Bug-finding tools: Dialyzer (Lindahl&Sagonas) based on control-flow-analysis, success types and detection of wrong use of built-ins QuickCheck (Arts et al.) / PropEr (Sagonas’ group) property-based testing

Related Work

7

Verification tools:

Related Work

7

Verification tools: McErlang (Fredlund&Svensson) instrumented custom runtime which exhaustively explores (on-the-fly) all the execution paths. Parametrised by user-provided abstractions

Related Work

7

Verification tools: McErlang (Fredlund&Svensson) instrumented custom runtime which exhaustively explores (on-the-fly) all the execution paths. Parametrised by user-provided abstractions Termination and soundness depend entirely on user params

Related Work

7

Verification tools: McErlang (Fredlund&Svensson) instrumented custom runtime which exhaustively explores (on-the-fly) all the execution paths. Parametrised by user-provided abstractions Termination and soundness depend entirely on user params Abstract Model Checking (Huch) reduction of the operational semantics to a sound finite transition system via user-provided data-abstractions

Related Work

7

Verification tools: McErlang (Fredlund&Svensson) instrumented custom runtime which exhaustively explores (on-the-fly) all the execution paths. Parametrised by user-provided abstractions Termination and soundness depend entirely on user params Abstract Model Checking (Huch) reduction of the operational semantics to a sound finite transition system via user-provided data-abstractions Applies to a very restricted fragment of Erlang

Erlang

8

Goals: SAFETY PRECISION

Erlang

8

Goals: SAFETY PRECISION

Prove safety

Erlang

8

Goals: SAFETY PRECISION

Prove safety Infinite state abstract model

Erlang

8

Goals: SAFETY PRECISION

Prove safety Infinite state abstract model Must abstract to be automatic!

Why is it difficult to verify?

9

Sources of infinity in the state space: recursive function definitions higher order infinite domains of values message space is infinite unbounded dynamic processes creation mailboxes have unbounded capacity

Why is it difficult to verify?

9

Sources of infinity in the state space: recursive function definitions CFA-like abs higher order CFA-like abs infinite domains of values CFA-like abs message space is infinite unbounded dynamic processes creation mailboxes have unbounded capacity

Why is it difficult to verify?

9

Sources of infinity in the state space: recursive function definitions CFA-like abs higher order CFA-like abs infinite domains of values CFA-like abs message space is infinite CFA-like abs unbounded dynamic processes creation CFA-like abs mailboxes have unbounded capacity CFA-like abs Using methodology from Van Horn & Might. Abstracting Abstract Machines. ICFP, 2010.

Why is it difficult to verify?

9

Sources of infinity in the state space: recursive function definitions CFA-like abs higher order CFA-like abs infinite domains of values CFA-like abs message space is infinite finite abs unbounded dynamic processes creation counter abs mailboxes have unbounded capacity counter abs

Actor Communicating Systems

10

We define an abstract model: finite set of control states q finite set of messages ♠ finite set of pid-classes ι finite set of rules:

• Seq. red.

ι: q

τ

− − − − → q′ Send ι: q

ι′!♠

− − − − − → q′ Receive ι: q

?♠

− − − − − → q′ Spawn ι: q

νι′.q′

− − − − − − − → q′′

Actor Communicating Systems

10

We define an abstract model: finite set of control states q finite set of messages ♠ finite set of pid-classes ι finite set of rules:

• Seq. red.

ι: q

τ

− − − − → q′ Send ι: q

ι′!♠

− − − − − → q′ Receive ι: q

?♠

− − − − − → q′ Spawn ι: q

νι′.q′

− − − − − − − → q′′ They are equivalent to Vector Addition Systems (VAS)

Erlang and ACS mailboxes

11

Erlang

◗ → r❡❝❡✐✈❡ ❛ → ❆❀ ❜ → ❇❀ ❝ → ❈ ❡♥❞✳

◗ ③, ❜, ❛, ❛ ❇ ③, ❛, ❛ ◗ ❛ ❆ ◗ ❜ ❇ ◗ ❝ ❈ ◗ ❛ ❜ ❝ ③ ❇ ❛ ❜ ❝ ③ ❆ ❛ ❜ ❝ ③

Erlang and ACS mailboxes

11

Erlang

◗ → r❡❝❡✐✈❡ ❛ → ❆❀ ❜ → ❇❀ ❝ → ❈ ❡♥❞✳

◗ ③, ❜, ❛, ❛ ❇ ③, ❛, ❛ ◗ ❛ ❆ ◗ ❜ ❇ ◗ ❝ ❈ ◗ ❛ ❜ ❝ ③ ❇ ❛ ❜ ❝ ③ ❆ ❛ ❜ ❝ ③ Finite State control + FIFFO queue is Turing Powerful

Erlang and ACS mailboxes

11

Erlang

◗ → r❡❝❡✐✈❡ ❛ → ❆❀ ❜ → ❇❀ ❝ → ❈ ❡♥❞✳

◗ ③, ❜, ❛, ❛ ❇ ③, ❛, ❛ ACS ι: ◗

?❛

− − − − − → ❆ ι: ◗

?❜

− − − − − → ❇ ι: ◗

?❝

− − − − − → ❈ ◗ ❛ ❜ ❝ ③ ❇ ❛ ❜ ❝ ③ ❆ ❛ ❜ ❝ ③

Erlang and ACS mailboxes

11

Erlang

◗ → r❡❝❡✐✈❡ ❛ → ❆❀ ❜ → ❇❀ ❝ → ❈ ❡♥❞✳

◗ ③, ❜, ❛, ❛ ❇ ③, ❛, ❛ ACS ι: ◗

?❛

− − − − − → ❆ ι: ◗

?❜

− − − − − → ❇ ι: ◗

?❝

− − − − − → ❈ ◗ ❛ ❜ ❝ ③ 2 1 1 ❇ ❛ ❜ ❝ ③ 2 1 ❆ ❛ ❜ ❝ ③ 1 1 1

Erlang and ACS mailboxes

11

Erlang

◗ → r❡❝❡✐✈❡ ❛ → ❆❀ ❜ → ❇❀ ❝ → ❈ ❡♥❞✳

◗ ③, ❜, ❛, ❛ ❇ ③, ❛, ❛ ACS ι: ◗

?❛

− − − − − → ❆ ι: ◗

?❜

− − − − − → ❇ ι: ◗

?❝

− − − − − → ❈ ◗ ❛ ❜ ❝ ③ 2 1 1 ❇ ❛ ❜ ❝ ③ 2 1 ❆ ❛ ❜ ❝ ③ 1 1 1 ACS mailboxes over-approximate Erlang ones

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

• 1

+1

• Seq. reduction

ι1: q0

τ

− − − − → q1

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

• 1

+1 +1

Send ι1: q0

ι0 ! m1

− − − − − − − → q1

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

• 1

+1

• 1

Receive ι1: q0

?m1

− − − − − → q1

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

• 1

+1 +1

Spawn ι1: q0

νι0.q0

− − − − − − → q1

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

Interesting properties: Mutual Exclusion v(ι1, q1) < 2

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

Interesting properties: Absence of error v(ι1, q1) = 0

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

Interesting properties: Bound on mailbox

• 0≤i≤k v(ι1, mi) ≤ B

Underlying VAS

12

ι0 . . . . . . control states mailbox ι1 . . . . . . ιp . . . . . . pid-classes . . . . . . q0 m0 q1 m1 qn−1 mk−1 qn mk

Interesting properties: Coverability queries (Expspace-complete)

Verification pathway

13

Our method:

1 (Core) Erlang code as source 2 A k-CFA-like analysis abstracts the control-flow 3 The analysis produces an ACS which soundly approximates the

program

4 Model-check the ACS with VAS coverability engine (BFC)

The analysis is parametric and can be tuned for accuracy.

In the paper

14

What’s in the paper: A fully formal description of the parametric analysis Formal definition of ACS generation, with polynomial bounds

• n size of the model

Formal proofs of soundness and termination A tool with some benchmarks (available as virtual machine and web-interface)

Soter

15

ACS BFC model

Coverab. Query Elang module +prop. annot. Core Elang module erlc

Analysis Data Abs Msg Abs

bfc

Gen.

SAFE UNSAFE (ERROR)

Mailbox Abs Context Abs Simpl Phase 3 Phase 1 Phase 2

❤tt♣✿✴✴♠❥♦❧♥✐r✳❝s✳♦①✳❛❝✳✉❦✴s♦t❡r✴

Future Work

16

Planned work includes support for full Erlang improve precision wrt:

• process identities
• stack behaviour

find ways to handle open systems

Thanks!

❤tt♣✿✴✴♠❥♦❧♥✐r✳❝s✳♦①✳❛❝✳✉❦✴s♦t❡r✴