VIETNAM NATIONAL UNIVERSITY, HANOI UNIVERSITY OF ENGINEERING AND TECHNOLOGY BUI PHI DIEP AVOIDING STATE-SPACE EXPLOSION IN MODEL-CHECKER MASTER THESIS OF INFORMATION TECHNOLOGY Hanoi - 2014 TIEU LUAN MOI download : skknchat@gmail.com VIETNAM NATIONAL UNIVERSITY, HANOI UNIVERSITY OF ENGINEERING AND TECHNOLOGY BUI PHI DIEP AVOIDING STATE-SPACE EXPLOSION IN MODEL-CHECKER Major: Computer science Code: 60480101 MASTER THESIS OF INFORMATION TECHNOLOGY SUPERVISOR: Assoc Prof Nguyen Viet Ha Dr Mohamed Faouzi Atig Hanoi - 2014 TIEU LUAN MOI download : skknchat@gmail.com Declaration of Authorship I hereby declare that this submission is my own work and to the best of my knowledge it contains no materials previously published or written by another person, or substantial proportions of material which have been accepted for the award of any other degree or diploma at University of Engineering and Technology (UET/Coltech) or any other educational institution, except where due acknowledgement is made in the thesis Any contribution made to the research by others, with whom I have worked at UET/Coltech or elsewhere, is explicitly acknowledged in the thesis I also declare that the intellectual content of this thesis is the product of my own work, except to the extent that assistance from others in the project’s design and conception or in style, presentation and linguistic expression is acknowledged Signed: Date: i TIEU LUAN MOI download : skknchat@gmail.com ABSTRACT Model-checking is a well-known technique for the program verification problem (i.e., checking that the program satisfies a given property) However, Model-checking su↵ers the state-space explosion problem This is more visible in the the case of concurrent / parallel programs Therefore, developing new efficient techniques to address the statespace explosion problem (such as slicing) is a crucial and difficult challenge in Modelchecking In this thesis, we present a new slicing method for handling the standard state explosion problem Our slicing method consists of three steps: (1) creating an abstraction with respect to a subset of program variables, which leads to an over-approximation of the input program, (2) reconstructing a program with another subset of variables from a counterexample of abstracted program, and (3) refining the abstraction if the counterexample is a spurious one The process stops when either there are no more counterexamples remaining or there exists a counterexample after investigating all variables In the former case, the program is correct; in the latter case, the program contains an error We have implemented a prototype tool and run it successfully on standard benchmarks, together with several challenging examples The experimental results show the efficiency of our method ii TIEU LUAN MOI download : skknchat@gmail.com Acknowledgements First and foremost, I would like to express my deepest gratitude to my supervisor, Assoc.Prof Nguyen Viet Ha, for his patient guidance and continuous support throughout the years I would like to give my honest appreciation to my co-supervisor Dr Mohamed Faouzi Atig and Prof Parosh Aziz Abdulla for their great support They always appear when I need help, and respond to queries so helpfully and promptly The encouragement from my family, my friends in UET-VNUH and Uppsala University, and my girl friend, Diu Cap, is also very important for me When reading this thesis, if you find any mistakes, sending to me at diepbp@vnu.edu.vn is appreciated iii TIEU LUAN MOI download : skknchat@gmail.com Contents Declaration of Authorship i Acknowledgements iii Contents iv List of Figures vi List of Tables vii Introduction 1.1 Motivation 1.2 Related work 1.2.1 Program Slicing 1.2.2 Predicate Abstraction 1.3 Thesis structure 1 4 Slicing Sequential Programs 2.1 Program Syntax 2.2 Statements, Variables 2.3 Program Control-Flow Graph 2.4 Program Transition System 2.5 Variable Slicing for Sequential Programs 2.5.0.1 Creating an initial abstraction 2.5.1 Reconstructing Counterexample 2.5.2 Refining the abstraction 8 10 11 13 15 15 19 21 22 22 22 23 23 Slicing Concurrent Programs 3.1 Program Syntax 3.2 Statements 3.3 Program Control-Flow Graph 3.4 Variable Slicing for Concurrent Programs 3.4.1 Reconstructing the counterexample Experiment 27 4.1 Sequential Programs 27 4.2 Concurrent Programs 29 iv TIEU LUAN MOI download : skknchat@gmail.com Contents v Conclusions and Future Work 33 Bibliography 34 TIEU LUAN MOI download : skknchat@gmail.com List of Figures 1.1 1.2 1.3 Structure of SPIN Our method CEGAR framework 2.1 2.2 2.3 An example of program and its control flow graph An example of program abstraction, counterexample and program Refined abstraction 3.1 3.2 3.3 CFG of concurrent program and their abstraction 21 A concurrent counterexample 24 Simulating the concurrent counterexample 25 4.1 A program with its initial abstraction 28 11 reconstructed 18 20 vi TIEU LUAN MOI download : skknchat@gmail.com List of Tables 2.1 2.2 The syntax of program Conditions on state transitions hv1 , ⌦1 i !P hv2 , ⌦2 i for each vertex type 12 4.1 Experimental results of verifying concurrent programs in comparison with SPIN 30 Column Information 30 Experimental results of verifying concurrent programs in comparison with tools in SV-COMP 32 4.2 4.3 vii TIEU LUAN MOI download : skknchat@gmail.com Chapter Introduction In this chapter, we describe the motivation of our work, and it is important Initially, we start with the necessaries of program verification and Model-Checking Then we state the state explosion problem, which are unavoidable by applying Model-Checking Next, we summarize our solutions and results Finally, we describe related work and thesis’s structure 1.1 Motivation Software is everywhere The appearance of software is in diverse areas namely education, healthcare system, transportation Besides, the development of multicore architecture makes software to be designed in many cores It helps software run faster, but unfortunately software becomes larger and more complex Software developers now need more e↵ort to not only make software but also guarantee that it works correctly Errors in software are difficult to find and fix Therefore, we need efficient techniques, for example program verification and testing, to help us handle complex program errors Program verification is a technique that considers a program with given properties of interest It then concludes that whether the properties are satisfied in the program The considered properties of program can be valuations of variables at a program location, or no out of memory errors The result of program is either the properties are hold, which means all executions of program not violate the properties, or the properties are not hold because of a specific execution It is notable that program verification is undecidable There are no a program verification tool which can handle every type of program with every type of properties In practice, each program verification tool only focuses on a small types of program with a restricted set of properties TIEU LUAN MOI download : skknchat@gmail.com Chapter Slicing Concurrent Programs 3.1 22 Program Syntax The concurrent program P has a set of procedures P rocs(P ) Each procedure p P rocs(P ) corresponds to a thread There is a special procedure named init which is the place where the program starts The run id() is to execute the procedure named id It is notable that call procedure statement is di↵erent to traditional call-site, the called procedure runs in parallel with calling procedure Besides, there is another new kind of statement in the form of atomic {sseq}, called atomic statement, where sseq is the sequence of statement that we have already defined in Table 2.1 Any statements inside atomic statements not have transitions to statements of other procedures 3.2 Statements The term statement in concurrent programs consists of statements in sequential program in Table 2.1, call procedure statements run id() and atomic statements atomic{stmt} We denote the type of call statements: T ype(run id()) = Call and the type of atomic statements: T ype(atomic{stmt}) = Atomic Each procedure in concurrent programs consist of a set of statements Let Init : P rocs ! Stmt be the initial statement in a procedure, P roc : Stmt ! P rocs be the function that determines which procedure containing a statement Each statement possibly belongs to an atomic statement, so we define Atomic : Stmt ! {0, 1} to be the function check whether or not a statement placed in an atomic statement Atomic(v) = if v is in an atomic statement, and Atomic(v) = otherwise 3.3 Program Control-Flow Graph The control flow graph of a concurrent program consists of subgraphs GP = {G1 , , Gn }, where Gi ,  i  n is a subgraph modeling procedure i Similar to control flow graph of sequential program, the subgraph of a procedure p is a directed graph Gp = (Vp , Ep ) where Vp is a set of vertices and Ep ✓ Vp ⇥ Vp is a set of edges The set Vp contains one vertex for each statement in the procedure p and one vertex Exit, which indicates the procedure finishes its execution Besides, Vp also has one vertex Errp to indicate the failure of assert statement Edges in a procedures is defined by Succp : Vp ! Vp function and N extp function, which are identical to SuccP and N extP in the sequential program and we not describe them again here TIEU LUAN MOI download : skknchat@gmail.com Chapter Slicing Concurrent Programs 23 In the concurrent program, there exists edges between vertices of procedures From an arrival statement in a procedure, the execution possibly goes to any other destination statements of any other procedures if both the arrival statement and destination statement are not in atomic statements Formally, let SuccP : VP ! VP be the successor function, we define SuccP as follows: SuccP (vi ) = > > < {vj |vj Succp (vi ) [ (VP \Vp ) : Atomic(vj ) = 0} if Atomic(vi ) = \ T ype(vi ) 6= Call Succp (vi ) > > : {Init(id)} if Atomic(vi ) = \ T ype(vi ) 6= Call if T ype(vi ) = Call where p = P roc(vi ) and id is the name of procedure called by vi if T ype(vi ) = Call 3.4 Variable Slicing for Concurrent Programs To get started, let we define the context switch between two procedures Definition 10 (Interleaving) An interleaving itl in a counterexample Cex = h(l1 , ⌘1 ), , (ln , ⌘n )i of program P is pair of outgoing and incoming vertex: hvi , vi+1 i where vi , vi+1 V ertices(Cex) and P roc(vi ) 6= P roc(vi+1 ) Let Itls(Cex) be the set of interleavings in Cex The process of testing concurrent programs also contains three steps: (1) Creating an initial abstraction, (2) Reconstructing the counterexample, and (3) Refining the abstract The first step and last step are similar to the corresponding steps in the sequential program so we not mention them again We focus on the second step because constructing program in concurrent programs is di↵erent to sequential programs due to interleavings 3.4.1 Reconstructing the counterexample In general, we reconstruct the counterexample by finding the path between two continuous statements in the counterexample trace, which is similar to the method in the sequential case However, the di↵erence is that the constructed concurrent program has to run in the same order of procedures as in the counterexample Let we describe it in the following example: Example Let consider the counterexample Cex in the Figure 3.2, which is the counterexample of the program in the Figure 3.1 Dashed lines simulate the interleavings in the counterexample In particular, the order of vertices in the counterexample is x2 = *, x2 = x2 + 1, out2 , x2  3, assert(x2 == 2), err It is notable TIEU LUAN MOI download : skknchat@gmail.com Chapter Slicing Concurrent Programs x2 = 24 x2 = x2 + out2 x2