ENHANCING STATE SPACE REDUCTION METHODS FOR MODEL CHECKING

ZHANG SHAOJIE
(BEng., Northeastern University (China), 2007)

A THESIS SUBMITTED FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
NUS GRADUATE SCHOOL FOR INTEGRATIVE SCIENCES AND ENGINEERING
NATIONAL UNIVERSITY OF SINGAPORE
2013

Declaration

I hereby declare that the thesis is my original work and it has been written by me in its entirety. I have duly acknowledged all the sources of information which have been used in the thesis. This thesis has also not been submitted for any degree in any university previously.

Zhang Shaojie, 23 Jan 2013

Acknowledgements

I would like to express my gratitude to all those who gave me the possibility to complete this thesis.

First and foremost, I would like to express my deep and sincere gratitude to my supervisor Dr Dong Jin Song for his patient guidance, enduring supervision and constant encouragement. He has also been a kind and effective advisor, allowing me a great amount of freedom while being actively involved in my research and nudging me in the right directions. I have been privileged to have him as my supervisor, who always puts students' supervision and welfare as top priority.

Furthermore, I would like to thank my thesis advisory committee, Dr P S Thiagarajan and Dr Sun Jun, for their participation and constructive comments on my research. I have special thanks to Dr Sun Jun for introducing me to the beauty and horror of symmetry. His wide knowledge and logical way of thinking have been of great value to me.

My sincere thanks also go to my mentor Dr Liu Yang for numerous helpful pieces of advice, inspiring discussions and constant technical support. I gratefully acknowledge the support, friendship and help of everyone in the PAT group, which leaves a wonderful memory of my PhD life.

Last but not least, I would like to thank my parents for giving me unconditional love, and my friends for helping me get where I am today. A special thank you to my mother Li Jingzhu, who always believes that I am the best and supports every single decision I have made in my life, and to my husband, Sun Chengnian, who listened to my research stories over and over and over. His patience, willingness and trust enabled me to complete this work.

Contents

List of Tables
List of Figures
List of Algorithms
1 Introduction and Overview
  1.1 Motivation & Goals
    1.1.1 The Need for Formal Methods
    1.1.2 Model Checking & State Explosion Problem
    1.1.3 Summary of This Thesis
  1.2 Thesis Outline and Overview
  1.3 Acknowledgment of Published Work
2 Preliminaries
  2.1 Labeled Transition Systems
  2.2 State/Event Linear Temporal Logic
  2.3 The PAT Verification System
  2.4 Symmetry Reduction
    2.4.1 Preliminary Concepts
    2.4.2 Model Checking with Symmetry Reduction
  2.5 Partial Order Reduction
    2.5.1 Ample Set Partial Order Reduction
    2.5.2 Dynamic Partial Order Reduction
3 On Combining State Space Reductions with Global Fairness Assumption
  3.1 Self Stabilizing Population Protocols
  3.2 Model Checking with Fairness
    3.2.1 Fairness and Global Fairness
    3.2.2 Model Checking with Fairness
    3.2.3 Algorithm for Model Checking with Global Fairness
  3.3 Symmetry Reduction with Global Fairness
  3.4 Partial Order Reduction with Global Fairness
  3.5 Implementation and Evaluation
  3.6 Related Work
4 Verifying Linearizability via Optimized Refinement Checking
  4.1 Linearizability
  4.2 Linearizability as Refinement
    4.2.1 Linearizability without Linearization Points
    4.2.2 Linearizability with Linearization Points
  4.3 Verification of Linearizability
    4.3.1 A Linearizability Checking Algorithm
    4.3.2 Optimization 1: Symmetry Reduction
    4.3.3 Optimization 2: Partial Order Reduction
    4.3.4 Combining Symmetry Reduction and Partial Order Reduction
  4.4 Experimental Results
  4.5 Related Work
5 PAT Experience on Linearizability Checking
  5.1 Modeling Language
  5.2 Model Checking of Linearizability of Scalable Nonzero Indicators
    5.2.1 The SNZI Algorithms
    5.2.2 Specification and Implementation Models
    5.2.3 Experimental Results
  5.3 Model Checking of Linearizability of a Lazy Concurrent List-based Set
    5.3.1 The List-based Set Algorithm
    5.3.2 Specification and Implementation Models
    5.3.3 Experimental Results
6 Constraint-based Automatic Symmetry Detection for Model Checking
  6.1 Motivating Examples
  6.2 Preliminaries
    6.2.1 Intermediate Language: Linear Process Specification
    6.2.2 Constraint Satisfaction Problem
  6.3 Automatic Symmetry Detection Approach
    6.3.1 Step 1: Conversion
    6.3.2 Step 2: Symmetry Detection
    6.3.3 Step 3: Optimization
  6.4 Case Study
    6.4.1 Performance Improvement
    6.4.2 Symmetry Reduction
  6.5 Related Work
7 Conclusion & Outlook
  7.1 Summary
  7.2 Future Challenges
Bibliography
A Cartesian Function
B Transformation of Concurrent Models

Summary

Model checking is an automatic technique that aims to establish the correctness of finite state systems. In the last three decades, it has established itself as a widely used and effective verification technique for both hardware and software. Despite its success, the applicability of model checking is often limited by the notorious state space explosion problem: often a system is too large to check within the affordable time and memory. A variety of approaches have emerged over the years to ameliorate this problem, including partial order reduction, symmetry reduction, symbolic model checking, compositional verification and predicate abstraction. However, basic reduction techniques generally do not take into account the more sophisticated techniques associated with model checking. When two particular techniques are combined, special care has to be taken over the potential incompatibility between them. In this thesis, we improve the application of symmetry reduction and partial order reduction in three distinct contexts.

First, we study the problem in the context of model checking liveness properties under a global fairness assumption. Global fairness requires that if some process step becomes enabled infinitely often in a context, then it will be executed infinitely often in this context. It often plays a vital role in designing self-stabilizing population protocols. We prove that, unlike weak/strong fairness, symmetry reduction and global fairness can be integrated without extra effort. We develop the combined algorithm based on Tarjan's strongly connected component algorithm and demonstrate its usability by verifying a number of recently proposed population protocols. Further, we examine the combination of partial order reduction and global fairness. We show that partial order reduction is not property preserving under global fairness.

Second, we investigate the problem in the context of checking linearizability. Linearizability is an important correctness requirement for concurrent data structures. Verifying linearizability amounts to verifying a refinement relationship between a concurrent implementation and its sequential specification. We develop and apply symmetry reduction, dynamic partial order reduction and, more importantly, a combination of both, which has never before been explored in the refinement checking setting, to achieve maximum reduction. The efficiency and scalability are demonstrated on a set of concurrent data structure algorithms. We also describe our experience with modeling and checking linearizability of two advanced, complex concurrent data structure algorithms (scalable nonzero indicators and a concurrent list-based set).

Third, a fundamental yet often overlooked step for a successful application of symmetry reduction is to obtain correct and sufficient knowledge of the symmetries that can be exploited during model checking. We present an automatic approach to detecting symmetry relations for general concurrent models. We show how a concurrent model can be viewed as a constraint satisfaction problem, and present an algorithm capable of detecting all the symmetries arising from the constraint satisfaction problem which induce automorphisms of the model. Unlike previous approaches, our method can automatically detect both process and data symmetries, as demonstrated on a number of systems.

Key words: Model Checking, Symmetry Reduction, Partial Order Reduction, Fairness, Linearizability, Symmetry Detection
Appendix A: Cartesian Function

Let P1, P2, ..., Pk be the processes of the concurrent data structure algorithm; αi denotes the action executed by process Pi.

Algorithm A.0.1: Algorithm for calculating Cartesian vectors on L_im

Procedure ϕ(s)
    for all s -αi-> s' ∈ T_im do
        add αi and s' to CV[i]
    end for
    extendable := {1, ..., n}
    for all i ∈ {1, ..., n} such that lastAction(CV[i]) is visible do
        extendable := extendable - {i}
    end for
    for all i, j ∈ extendable such that i ≠ j ∧ lastAction(CV[i]) is dependent on lastAction(CV[j]) do
        extendable := extendable - {i, j}
    end for
    while extendable ≠ ∅ do
        pick any i ∈ extendable
        s := lastState(CV[i])
        (αi, s') := nextTrans(s, i)
        if ∃ j ≠ i : αi is dependent on some action in CV[j] (other than the last) then
            extendable := extendable - {i}
        else
            for all j ≠ i such that αi is dependent on lastAction(CV[j]) do
                extendable := extendable - {i, j}
            end for
            if s' ∈ CV[i] ∧ i ∈ extendable then
                mark CV[i] as infinite
                extendable := extendable - {i}
            end if
            if αi is visible ∧ i ∈ extendable then
                extendable := extendable - {i}
            end if
            add αi and s' to CV[i]
        end if
    end while
    return CV

Helper function: nextTrans(s, i) = (αi, s') such that s -αi-> s' ∈ T_im

Appendix B: Transformation of Concurrent Models

In this appendix, we show a straightforward principle for modeling concurrent programs by means of nondeterministic sequential programs. Here we consider a simple concurrent specification model, which is nevertheless general enough to cover three different types of systems with respect to execution patterns, i.e., sequential, parallel and distributed systems. Sequential systems execute one transition at a time, possibly nondeterministically; parallel systems may execute multiple actions in parallel and communicate between different processes through shared variables; distributed systems may also execute actions in parallel but employ a handshaking mechanism (such as shared actions) for interprocess communication.

Figure B.1 lists the syntax of our language. Omitted rules are identical to those in Figure 6.2. The language includes two familiar elementary data types, integer and boolean (composite data types, like arrays, are excluded for ease of presentation). A system description consists of a set of global variable declarations, a set of process definitions and one initialization rule. Component processes of a parallel system are composed by the ||| symbol, which denotes that the processes run concurrently without barrier synchronization; those of a distributed system are composed by the || symbol, which denotes that the processes run concurrently with synchronization on common events. A component process is defined to be a sequential program with an optional list of parameters. It is composed of a sequence of statements. Each statement may be an event-labeled statement composed of sub-statements which are executed atomically, a signal of process termination (Skip), an if-else conditional choice, a while-loop, or nondeterministically executed statements separated by the choice symbol.

    ⟨program⟩ ::= ⟨vardecl⟩* ⟨prodecl⟩* ⟨init⟩
    ⟨vardecl⟩ ::= var g
    ⟨prodecl⟩ ::= proc ⟨pid⟩(⟨param-list, ','⟩) { ⟨vardecl⟩* ⟨estmts⟩ }
    ⟨estmts⟩  ::= { ⟨estmt-list, ';'⟩ }
    ⟨estmt⟩   ::= ⟨eid⟩{ ⟨stmt-list, ';'⟩ }
               |  Skip
               |  if(⟨guard⟩){⟨estmts⟩} else{⟨estmts⟩}
               |  while(⟨guard⟩){⟨estmts⟩}
               |  ⟨estmt⟩ ⟨estmt⟩            (nondeterministic choice)
    ⟨proref⟩  ::= ⟨pid⟩(⟨args⟩)
               |  ⟨proref⟩ || ⟨proref⟩
               |  ⟨proref⟩ ||| ⟨proref⟩
    ⟨init⟩    ::= init ⟨proref⟩

Figure B.1: Syntax of the concurrent language

The translation function T is defined to translate each statement, recursively, into one or more statements of a sequential program, separated by the choice symbol. The preparatory step of the transformation is to introduce a new integer variable state for each component process to model its control points. Each atomic statement is labeled with a distinct value of state, written in the form "k :". For a list of statements, say S, let first(S) be the value of state of the first statement in S and last(S) the value of state of its last statement, and let T(S)(c) denote the transformation of S, where c is the value of state of the successor of the last statement in S. A component process can then be transformed by induction as follows:

• T(k : Skip)(c) := [state = k] → {state := c}

• T(k : ⟨eid⟩{S})(c) := [state = k] ⟨eid⟩ → {S; state := c}

• T(⟨estmt1, estmt2, ..., estmtn⟩)(c) :=
      T(⟨estmt1⟩)(first(⟨estmt2, ..., estmtn⟩))
      T(⟨estmt2⟩)(first(⟨estmt3, ..., estmtn⟩))
      ...
      T(⟨estmtn⟩)(c)

• T(k : if(⟨guard⟩){⟨estmts1⟩} else{⟨estmts2⟩})(c) :=
      [state = k ∧ guard = T] → {state := first(⟨estmts1⟩)}
      [state = k ∧ guard = F] → {state := first(⟨estmts2⟩)}
      T(⟨estmts1⟩)(c)
      T(⟨estmts2⟩)(c)

• T(k : while(⟨guard⟩){⟨estmts⟩})(c) :=
      [state = k ∧ guard = T] → {state := first(⟨estmts⟩)}
      [state = k ∧ guard = F] → {state := c}
      T(⟨estmts⟩)(k)

Now we can transform a component process P that consists of a sequence of statement lists S1, S2, ..., Sn as follows:

    T(P) := T(S1)(c1)  T(S2)(c2)  ...  T(Sn)(cn)

Let us now consider the transformation of the concurrent composition of two processes, P1 ||| P2:

    T(P1 ||| P2) := T(P1)  T(P2)

The transformation of the other concurrent composition, P1 || P2, is slightly more complicated, because P1 and P2 perform lock-step synchronization on common events. For any pair of statements in P1 and P2 labeled with a common event e, written (k1 : e{S1})(c1) and (k2 : e{S2})(c2), their transformation results in a single statement:

    [state1 = k1 ∧ state2 = k2] e → {S1; S2; state1 := c1; state2 := c2}

Other statements are transformed in the same way as for P1 ||| P2. It is straightforward to write the resulting sequential program in the format of a linear process specification.

Complexity Analysis. For a component process, the transformation takes one atomic statement at a time and translates it into one statement of the sequential program. For the interleaving/parallel composition of processes, the resulting program has, in the worst case, at most the total number of atomic statements of all the processes, and the number of parameters is linear in the number of processes. Thus, the size of the object under analysis is linear in the number of processes, rather than exponential in it, as the generated state space would be.
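The following Python program is an added worked example of Procedure ϕ(s) from Algorithm A.0.1 in Appendix A; it is not code from the thesis or from the PAT tool. It fixes the notions the algorithm leaves abstract, and all of these are assumptions of the example: a global state is a tuple of per-process control points (data values are abstracted away), each process is a list of actions carrying read and write sets, two actions are dependent when one writes a variable the other reads or writes, an action is visible when it touches a variable in an observed set, a process with no enabled transition from s is treated as not extendable, a terminated process drops out of the extendable set, and "pick any i" always takes the smallest index. The two sample programs and the observed set are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple

State = Tuple[int, ...]  # one control point per process; data is abstracted away


@dataclass(frozen=True)
class Action:
    name: str
    reads: FrozenSet[str]
    writes: FrozenSet[str]
    next_pc: int  # control point of the process after this action


@dataclass
class CartesianVector:
    """CV[i]: the actions process i executes from s and the states they reach."""
    actions: List[Action] = field(default_factory=list)
    states: List[State] = field(default_factory=list)
    infinite: bool = False


def dependent(a: Action, b: Action) -> bool:
    """Assumed dependency relation: one action writes a variable the other touches."""
    return bool(a.writes & (b.reads | b.writes)) or bool(b.writes & a.reads)


def cartesian_vectors(programs, s: State, observed) -> List[CartesianVector]:
    """Procedure phi(s) of Algorithm A.0.1 over the assumed program model."""
    n = len(programs)

    def next_trans(state: State, i: int) -> Optional[Tuple[Action, State]]:
        pc = state[i]
        if pc >= len(programs[i]):          # process i has terminated
            return None
        a = programs[i][pc]
        return a, state[:i] + (a.next_pc,) + state[i + 1:]

    def visible(a: Action) -> bool:
        return bool((a.reads | a.writes) & observed)

    cv = [CartesianVector() for _ in range(n)]
    # Seed every vector with the single transition of its process from s.
    for i in range(n):
        t = next_trans(s, i)
        if t is not None:
            cv[i].actions.append(t[0])
            cv[i].states.append(t[1])
    # Assumption: a process with no transition from s is not extendable.
    extendable = {i for i in range(n) if cv[i].actions}
    # A vector whose last action is visible stops here.
    for i in list(extendable):
        if visible(cv[i].actions[-1]):
            extendable.discard(i)
    # Two vectors whose last actions are dependent both stop here.
    for i, j in combinations(sorted(extendable), 2):
        if dependent(cv[i].actions[-1], cv[j].actions[-1]):
            extendable -= {i, j}
    while extendable:
        i = min(extendable)                 # "pick any": the smallest index
        t = next_trans(cv[i].states[-1], i)
        if t is None:
            extendable.discard(i)
            continue
        a, s2 = t
        # Dependent on a non-last action of another vector: do not extend at all.
        if any(dependent(a, b) for j in range(n) if j != i for b in cv[j].actions[:-1]):
            extendable.discard(i)
            continue
        # Dependent on the last action of another vector: both stop after this step.
        for j in range(n):
            if j != i and cv[j].actions and dependent(a, cv[j].actions[-1]):
                extendable -= {i, j}
        if s2 in cv[i].states and i in extendable:   # process i cycles on its own
            cv[i].infinite = True
            extendable.discard(i)
        if visible(a) and i in extendable:
            extendable.discard(i)
        cv[i].actions.append(a)
        cv[i].states.append(s2)
    return cv


def vector_names(cv: List[CartesianVector]) -> List[List[str]]:
    return [[a.name for a in v.actions] for v in cv]


def act(name, reads, writes, next_pc) -> Action:
    return Action(name, frozenset(reads), frozenset(writes), next_pc)


# Constructed sample: P0 does local work then publishes x; P1 does local work
# then copies x into the observed variable `out`. Only `out` is visible.
SAMPLE_PROGRAMS = [
    [act("A0", {"a"}, {"a"}, 1), act("A1", set(), {"x"}, 2)],
    [act("B0", {"b"}, {"b"}, 1), act("B1", {"x"}, {"out"}, 2)],
]
OBSERVED = frozenset({"out"})
# Constructed sample: a single process that loops on a local variable.
LOOP_PROGRAM = [[act("C0", {"c"}, {"c"}, 0)]]

if __name__ == "__main__":
    for v in cartesian_vectors(SAMPLE_PROGRAMS, (0, 0), OBSERVED):
        print([a.name for a in v.actions], "infinite" if v.infinite else "")
```

On SAMPLE_PROGRAMS from state (0, 0), P0's vector runs to completion because nothing it does conflicts with P1's vector, while P1's second action B1 reads x, which is written by the last action of P0's vector, so both vectors are closed at that point. On LOOP_PROGRAM the second step returns to a state already in CV[0], and the vector is marked infinite.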
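The following Python program is an added worked example of the transformation T of Appendix B, including the ||| and || compositions; it is not code from the thesis or from PAT. Its assumptions: statements are tuples of the forms listed in the comments, the control points k are assigned in pre-order starting from 0, the value END = -1 stands for the control point after a process's last statement, the choice between the guarded statements of the sequential program is represented by listing them, and for || composition the common events are the event labels that occur in both processes. The two processes P1_STMTS and P2_STMTS are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count
from typing import List, Optional

# Statement forms of the Figure B.1 language (plain sub-statements are strings):
#   ("skip",)
#   ("event", eid, [sub-statements])
#   ("if", guard, [stmts], [stmts])
#   ("while", guard, [stmts])
END = -1  # assumed value of `state` once a process has executed its last statement


def label(stmts, ctr):
    """Give every atomic statement a distinct control point k (pre-order), as 'k :' does."""
    out = []
    for st in stmts:
        k = next(ctr)
        if st[0] == "skip":
            out.append(("skip", k))
        elif st[0] == "event":
            out.append(("event", k, st[1], list(st[2])))
        elif st[0] == "if":
            out.append(("if", k, st[1], label(st[2], ctr), label(st[3], ctr)))
        elif st[0] == "while":
            out.append(("while", k, st[1], label(st[2], ctr)))
        else:
            raise ValueError("unknown statement " + str(st[0]))
    return out


def first(stmts):
    """first(S): control point of the first statement of the list."""
    return stmts[0][1]


@dataclass
class Command:
    """One guarded statement  [guard] event -> {body; state updates}  of the sequential program."""
    guard: str
    event: Optional[str]
    body: List[str]
    updates: List[str]  # assignments to state variables, kept apart for || synchronisation

    def render(self) -> str:
        ev = f" {self.event}" if self.event else ""
        return f"[{self.guard}]{ev} -> {{{'; '.join(self.body + self.updates)}}}"


def translate(stmts, c, sv: str) -> List[Command]:
    """T(S)(c) for a labelled statement list S whose successor control point is c."""
    cmds: List[Command] = []
    for idx, st in enumerate(stmts):
        rest = stmts[idx + 1:]
        nxt = first(rest) if rest else c     # sequence rule: successor of this statement
        kind, k = st[0], st[1]
        here = f"{sv} == {k}"
        if kind == "skip":
            cmds.append(Command(here, None, [], [f"{sv} := {nxt}"]))
        elif kind == "event":
            cmds.append(Command(here, st[2], st[3], [f"{sv} := {nxt}"]))
        elif kind == "if":
            _, _, g, s1, s2 = st
            cmds.append(Command(f"{here} and ({g})", None, [], [f"{sv} := {first(s1)}"]))
            cmds.append(Command(f"{here} and not ({g})", None, [], [f"{sv} := {first(s2)}"]))
            cmds += translate(s1, nxt, sv) + translate(s2, nxt, sv)
        elif kind == "while":
            _, _, g, body = st
            cmds.append(Command(f"{here} and ({g})", None, [], [f"{sv} := {first(body)}"]))
            cmds.append(Command(f"{here} and not ({g})", None, [], [f"{sv} := {nxt}"]))
            cmds += translate(body, k, sv)   # the loop body returns to the loop head k
    return cmds


def translate_process(stmts, sv: str) -> List[Command]:
    """T(P): label the process, then translate it with END as the final successor."""
    return translate(label(stmts, count()), END, sv)


def interleave(p1: List[Command], p2: List[Command]) -> List[Command]:
    """T(P1 ||| P2): both programs side by side, no synchronisation."""
    return p1 + p2


def parallel(p1: List[Command], p2: List[Command]) -> List[Command]:
    """T(P1 || P2): statements on a common event merge into one lock-step statement."""
    common = {c.event for c in p1 if c.event} & {c.event for c in p2 if c.event}
    out = [c for c in p1 + p2 if c.event not in common]
    for a in p1:
        for b in p2:
            if a.event in common and a.event == b.event:
                out.append(Command(f"{a.guard} and {b.guard}", a.event,
                                   a.body + b.body, a.updates + b.updates))
    return out


# Constructed sample processes: P1 sets x and then offers `sync`;
# P2 repeatedly takes `sync` while y < 2.
P1_STMTS = [("event", "a", ["x := 1"]), ("event", "sync", ["y := x"])]
P2_STMTS = [("while", "y < 2", [("event", "sync", ["y := y + 1"])])]

if __name__ == "__main__":
    for cmd in parallel(translate_process(P1_STMTS, "state1"),
                        translate_process(P2_STMTS, "state2")):
        print(cmd.render())
```

For P1 || P2 the two `sync` statements collapse into a single guarded statement whose guard conjoins both state tests and whose body runs S1, then S2, then both state updates, exactly as the rule in Appendix B prescribes; the remaining statements pass through unchanged. The program size grows with the number of atomic statements, not with the number of reachable global states, which is the point of the complexity remark above.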