Lecture Notes in Computer Science 6605
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board: David Hutchison, UK; Josef Kittler, UK; Alfred Kobsa, USA; John C. Mitchell, USA; Oscar Nierstrasz, Switzerland; Bernhard Steffen, Germany; Demetri Terzopoulos, USA; Gerhard Weikum, Germany; Takeo Kanade, USA; Jon M. Kleinberg, USA; Friedemann Mattern, Switzerland; Moni Naor, Israel; C. Pandu Rangan, India; Madhu Sudan, USA; Doug Tygar, USA

Advanced Research in Computing and Software Science
Subline of Lecture Notes in Computer Science
Subline Series Editors: Giorgio Ausiello, University of Rome ‘La Sapienza’, Italy; Vladimiro Sassone, University of Southampton, UK
Subline Advisory Board: Susanne Albers, University of Freiburg, Germany; Benjamin C. Pierce, University of Pennsylvania, USA; Bernhard Steffen, University of Dortmund, Germany; Madhu Sudan, Microsoft Research, Cambridge, MA, USA; Deng Xiaotie, City University of Hong Kong; Jeannette M. Wing, Carnegie Mellon University, Pittsburgh, PA, USA

Parosh Aziz Abdulla, K. Rustan M. Leino (Eds.)
Tools and Algorithms for the Construction and Analysis of Systems
17th International Conference, TACAS 2011
Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2011
Saarbrücken, Germany, March 26–April 3, 2011
Proceedings

Volume Editors
Parosh Aziz Abdulla, University of Uppsala, Dept. of Information Technology, 751 05 Uppsala, Sweden. E-mail: parosh@it.uu.se
K. Rustan M. Leino, Microsoft Research, Redmond, WA 98052, USA. E-mail: leino@microsoft.com

ISSN 0302-9743; e-ISSN 1611-3349
ISBN 978-3-642-19834-2; e-ISBN 978-3-642-19835-9
DOI 10.1007/978-3-642-19835-9
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2011922620
CR Subject Classification (1998): F.3, D.2, C.2, D.3, D.2.4, C.3
LNCS Sublibrary: SL – Theoretical Computer Science and General Issues

© Springer-Verlag Berlin Heidelberg 2011. This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India. Printed on acid-free paper. Springer is part of Springer Science+Business Media (www.springer.com)

Foreword

ETAPS 2011 was the 14th instance of
the European Joint Conferences on Theory and Practice of Software. ETAPS is an annual federated conference that was established in 1998 by combining a number of existing and new conferences. This year it comprised the usual five sister conferences (CC, ESOP, FASE, FOSSACS, TACAS), 16 satellite workshops (ACCAT, BYTECODE, COCV, DICE, FESCA, GaLoP, GT-VMT, HAS, IWIGP, LDTA, PLACES, QAPL, ROCKS, SVARM, TERMGRAPH, and WGT), one associated event (TOSCA), and seven invited lectures (excluding those specific to the satellite events).

The five main conferences received 463 submissions this year (including 26 tool demonstration papers), 130 of which were accepted (2 tool demos), giving an overall acceptance rate of 28%. Congratulations therefore to all the authors who made it to the final programme! I hope that most of the other authors will still have found a way of participating in this exciting event, and that you will all continue submitting to ETAPS and contributing to make of it the best conference on software science and engineering.

The events that comprise ETAPS address various aspects of the system development process, including specification, design, implementation, analysis and improvement. The languages, methodologies and tools which support these activities are all well within its scope. Different blends of theory and practice are represented, with an inclination towards theory with a practical motivation on the one hand and soundly based practice on the other. Many of the issues involved in software design apply to systems in general, including hardware systems, and the emphasis on software is not intended to be exclusive.

ETAPS is a confederation in which each event retains its own identity, with a separate Programme Committee and proceedings. Its format is open-ended, allowing it to grow and evolve as time goes by. Contributed talks and system demonstrations are in synchronised parallel sessions, with invited lectures in plenary sessions. Two of the invited lectures
are reserved for ‘unifying’ talks on topics of interest to the whole range of ETAPS attendees. The aim of cramming all this activity into a single one-week meeting is to create a strong magnet for academic and industrial researchers working on topics within its scope, giving them the opportunity to learn about research in related areas, and thereby to foster new and existing links between work in areas that were formerly addressed in separate meetings.

ETAPS 2011 was organised by the Universität des Saarlandes in cooperation with:
European Association for Theoretical Computer Science (EATCS)
European Association for Programming Languages and Systems (EAPLS)
European Association of Software Science and Technology (EASST)

It also had support from the following sponsors, which we gratefully thank: DFG Deutsche Forschungsgemeinschaft; AbsInt Angewandte Informatik GmbH; Microsoft Research; Robert Bosch GmbH; IDS Scheer AG / Software AG; T-Systems Enterprise Services GmbH; IBM Research; gwSaar Gesellschaft für Wirtschaftsförderung Saar mbH; Springer-Verlag GmbH; and Elsevier B.V.

The organising team comprised:
General Chair: Reinhard Wilhelm
Organising Committee: Bernd Finkbeiner, Holger Hermanns (chair), Reinhard Wilhelm, Stefanie Haupert-Betz, Christa Schäfer
Satellite Events: Bernd Finkbeiner
Website: Hernán Baró Graf

Overall planning for ETAPS conferences is the responsibility of its Steering Committee, whose current membership is: Vladimiro Sassone (Southampton, Chair), Parosh Abdulla (Uppsala), Gilles Barthe (IMDEA-Software), Lars Birkedal (Copenhagen), Michael O’Boyle (Edinburgh), Giuseppe Castagna (CNRS Paris), Marsha Chechik (Toronto), Sophia Drossopoulou (Imperial College London), Bernd Finkbeiner (Saarbrücken), Cormac Flanagan (Santa Cruz), Dimitra Giannakopoulou (CMU/NASA Ames), Andrew D. Gordon (MSR Cambridge), Rajiv Gupta (UC Riverside), Chris Hankin (Imperial College London), Holger Hermanns (Saarbrücken), Mike
Hinchey (Lero, the Irish Software Engineering Research Centre), Martin Hofmann (LMU Munich), Joost-Pieter Katoen (Aachen), Paul Klint (Amsterdam), Jens Knoop (Vienna), Barbara König (Duisburg), Shriram Krishnamurthi (Brown), Juan de Lara (Madrid), Kim Larsen (Aalborg), Rustan Leino (MSR Redmond), Gerald Luettgen (Bamberg), Rupak Majumdar (Los Angeles), Tiziana Margaria (Potsdam), Ugo Montanari (Pisa), Luke Ong (Oxford), Fernando Orejas (Barcelona), Catuscia Palamidessi (INRIA Paris), George Papadopoulos (Cyprus), David Rosenblum (UCL), Don Sannella (Edinburgh), João Saraiva (Minho), Helmut Seidl (TU Munich), Tarmo Uustalu (Tallinn), and Andrea Zisman (London).

I would like to express my sincere gratitude to all of these people and organisations, the Programme Committee Chairs and members of the ETAPS conferences, the organisers of the satellite events, the speakers themselves, the many reviewers, all the participants, and Springer for agreeing to publish the ETAPS proceedings in the ARCoSS subline. Finally, I would like to thank the Organising Chair of ETAPS 2011, Holger Hermanns and his Organising Committee, for arranging for us to have ETAPS in the most beautiful surroundings of Saarbrücken.

January 2011
Vladimiro Sassone, ETAPS SC Chair

Preface

This volume contains the proceedings of the 17th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2011). TACAS 2011 took place in Saarbrücken, Germany, March 28–31, 2011, as part of the 14th European Joint Conferences on Theory and Practice of Software (ETAPS 2011), whose aims, organization, and history are presented in the foreword of this volume by the ETAPS Steering Committee Chair, Vladimiro Sassone.

TACAS is a forum for researchers, developers, and users interested in rigorously based tools and algorithms for the construction and analysis of systems. The conference serves to bridge the gaps between different communities that share common
interests in tool development and its algorithmic foundations. The research areas covered by such communities include, but are not limited to, formal methods, software and hardware verification, static analysis, programming languages, software engineering, real-time systems, communications protocols, and biological systems. The TACAS forum provides a venue for such communities at which common problems, heuristics, algorithms, data structures, and methodologies can be discussed and explored. TACAS aims to support researchers in their quest to improve the usability, utility, flexibility, and efficiency of tools and algorithms for building systems. Tool descriptions and case studies with a conceptual message, as well as theoretical papers with clear relevance for tool construction, are all encouraged.

The specific topics covered by the conference include, but are not limited to, the following: specification and verification techniques for finite and infinite-state systems, software and hardware verification, theorem proving and model checking, system construction and transformation techniques, static and run-time analysis, abstraction techniques for modeling and validation, compositional and refinement-based methodologies, testing and test-case generation, analytical techniques for safety, security, or dependability, analytical techniques for real-time, hybrid, or stochastic systems, integration of formal methods and static analysis in high-level hardware design or software environments, tool environments and tool architectures, SAT and SMT solvers, and applications and case studies.

TACAS traditionally considers two types of papers: research papers and tool demonstration papers. Research papers are full-length papers that contain novel research on topics within the scope of the TACAS conference and have a clear relevance for tool construction. Tool demonstration papers are shorter papers that give an overview of a particular tool and its applications or evaluation. TACAS 2011
received a total of 112 submissions including 24 tool demonstration papers and accepted 32 papers, of which 10 papers were tool demonstration papers. Each submission was evaluated by at least three reviewers. After a six-week reviewing process, the program selection was carried out in a two-week electronic Program Committee meeting. We believe that the committee deliberations resulted in a strong technical program. One highlight is the quantity and quality of the tool papers submitted to the conference and accepted for presentation.

Gerard J. Holzmann, Jet Propulsion Laboratory, California Institute of Technology, USA, gave the unifying ETAPS 2011 invited talk on “Reliable Software Development: Analysis-Aware Design.” Andreas Podelski, University of Freiburg, Germany, gave the TACAS 2011 invited talk on “Transition Invariants and Transition Predicate Abstraction for Program Termination”. The abstracts of the talks are included in this volume.

As TACAS 2011 Program Committee Co-chairs, we would like to thank the authors of all submitted papers, the Program Committee members, and all the referees for their invaluable contribution in guaranteeing such a strong technical program. We also thank the EasyChair system for hosting the conference submission and program selection process and automating much of the proceedings generation process. We would like to express our appreciation to the ETAPS Steering Committee and especially its Chair, Vladimiro Sassone, as well as the Organizing Committee for their efforts in making ETAPS 2011 such a successful event.

January 2011
Parosh Aziz Abdulla, K. Rustan M. Leino

Conference Organization

Steering Committee
Ed Brinksma (ESI and University of Twente, The Netherlands)
Rance Cleaveland (University of Maryland and Fraunhofer USA Inc., USA)
Kim G. Larsen (Aalborg University, Denmark)
Bernhard Steffen (Technical University Dortmund, Germany)
Lenore Zuck (University of Illinois at Chicago, USA)

Program
Chairs
Parosh A. Abdulla (Uppsala University, Sweden)
K. Rustan M. Leino (Microsoft Research, USA)

Program Committee
Nikolaj Bjørner, Microsoft Research (USA)
Ahmed Bouajjani, LIAFA, University of Paris (France)
Patricia Bouyer-Decitre, LSV, CNRS and ENS Cachan (France)
Alessandro Cimatti, Istituto per la Ricerca Scientifica e Tecnologica (Italy)
Rance Cleaveland, University of Maryland and Fraunhofer USA Inc. (USA)
Thierry Coquand, Chalmers University (Sweden)
Giorgio Delzanno, Università di Genova (Italy)
Javier Esparza, Technische Universität München (Germany)
Orna Grumberg, Technion - Israel Institute of Technology (Israel)
Peter Habermehl, LIAFA, University Paris (France)
Reiner Hähnle, Chalmers University of Technology (Sweden)
Naoki Kobayashi, Tohoku University (Japan)
Kim G. Larsen, Aalborg University (Denmark)
Rupak Majumdar, Max Planck Institute for Software Systems (Germany)
Panagiotis Manolios, Northeastern University (USA)
Richard Mayr, University of Edinburgh (UK)
Doron Peled, Bar Ilan University (Israel)
Anna Philippou, University of Cyprus (Cyprus)

Model Repair for Probabilistic Systems (E. Bartocci et al.), p. 337

Example. The Kaminsky DNS attack makes clever use of cache poisoning, so that when a victim DNS server is asked to resolve URLs within a non-malicious domain, it replies with the IP address of a malicious web server. The proposed fix is to randomize the UDP port used in name-resolution requests. As such, an intruder can corrupt the cache of a DNS server with a falsified IP address for a URL only if it manages to guess a 16-bit source-port id, in addition to the 16-bit query id assigned to the name-resolution request. Our CTMC model for the Kaminsky attack [1] implements a victim DNS server that generates times_to_request_url queries to resolve one or more resource names within some domain. While the victim waits for a legitimate response to its query, the intruder tries with rate guess to provide a fake response that, if correctly matching the query id, will be
accepted by the victim, thus corrupting its cache. The only parameter the victim can control is the range of port-id values used by the proposed fix, which affects the rate at which correct guesses arrive at the victim. Other parameters that affect the rate of correct guesses, but are not controlled by the victim, are the popularity of the requested names and the rate at which other legitimate requests arrive at the victim. If the fix is disabled, the number of port ids is one, and experiments show that for guess ≥ 200 the attack probability is greater than 0.9 if times_to_request_url ≥ . By applying model repair on the controllable embedded DTMC, we determined the minimum required range of port ids such that P≤0.05[F cache_poisoned]. While the value of times_to_request_url determines the size of the state space, we observed that nonlinear optimization with Ipopt is not affected by state-space growth. This is not the case, however, for the parametric model-checking times given in Table (popularity = 3, guess = 150, other_legitimate_requests = 150). The model was successfully repaired for all values of times_to_request_url from to 10.

Example. According to the Zeroconf protocol for assigning IP addresses in a network, when a new host joins the network it randomly selects an IP address among K possible ones. With m hosts in the network, the collision probability is q = m/K. A new host asks the other hosts whether the randomly selected IP address is already used and waits for an answer. The probability that the new host does not get any answer is p, in which case it repeats the query. If after n tries there is still no answer, the host will erroneously consider the chosen address as valid. We used Max Profit model repair on the DTMC model of [7] to determine the collision probability q that optimizes the trade-off between (a) the expected number of tries until the algorithm terminates, and (b) the cost of changing q from its default value. The change applied to q is the only parameter used
in our Max Profit model; all other transition probabilities were maintained as constants as in the original model. For n = 3, p = 0.1, and initial q = 0.6, we determined the optimal q to be 0.5002, which reduced the expected number of steps to termination from 6.15 to 5.1.

Table. Model repair of the Kaminsky CTMC. Rows are in increasing order of times_to_request_url; cells left blank did not survive extraction (only the last first-column value, 10, is legible).

times_to_request_url | States | Transitions | CPU PARAM    | PORT_ID | P=? [F cache_poisoned]
                     |     10 |          13 | 0m0.390s     |         | 0.04498
                     |     60 |         118 | 0m0.430s     |      10 | 0.04593
                     |    215 |         561 | 0m0.490s     |      14 | 0.04943
                     |    567 |        1759 | 0m1.750s     |      19 | 0.04878
                     |   1237 |        4272 | 0m15.820s    |      24 | 0.04840
                     |   2350 |        8796 | 1m56.650s    |      28 | 0.0498
                     |   4085 |       16163 | 10m55.150s   |      33 | 0.0494
                     |   6625 |       27341 | 47m21.220s   |      38 | 0.0491
                     |  10182 |       43434 | 167m58.470s  |      42 | 0.0499
                  10 |  14992 |       65682 | 528m32.720s  |      47 | 0.0496

Related Work

Prior work has addressed a related version of the Model Repair problem in the nonprobabilistic setting. In [5], abductive reasoning is used to determine a suitable modification of a Kripke model that fails to satisfy a CTL formula. Addition and deletion of state transitions are considered, without taking into account the cost of the repair process. The problem of automatically revising untimed and real-time programs with respect to UNITY properties is investigated in [3], such that the revised program satisfies a previously failed property while preserving the other properties. A game-based approach to the problem of automatically fixing faults in a finite-state program is considered in [18]. The game consists of the product of a modified version of the program and an automaton representing an LTL specification, such that every winning finite-state strategy corresponds to a repair. In [23], the authors introduce an algorithm for solving the parametric real-time model-checking problem: given a real-time system and temporal formula, both of which may contain parameters, and a constraint over the parameters, does every allowed parameter assignment ensure that the real-time system satisfies the formula?
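Returning to the Kaminsky example above: the following is an added illustration, not the paper's code or its CTMC, of what "model repair on the controllable embedded DTMC" computes. It uses a deliberately simplified race model (while a query is outstanding, the legitimate reply and correctly matching fakes compete, and the port-id range divides the correct-guess rate; name popularity and other legitimate requests are omitted), builds the embedded DTMC, solves P=?[F cache_poisoned] by Gauss-Jordan elimination, and searches for the smallest port-id range that satisfies P≤0.05. The rates GUESS_OK and LEGIT, the state names and every number the code produces are constructed assumptions, not values from the table or from [1].

```python
# Added example (not code from the paper): a deliberately simplified race
# model of the Kaminsky attack, used to show what "model repair on the
# controllable embedded DTMC" computes.  The paper's CTMC [1] also models
# name popularity and other legitimate requests; those are omitted here.
from typing import Dict, Optional, Tuple

Dtmc = Dict[str, Dict[str, float]]

# Constructed rates (assumptions, not the paper's parameter values):
GUESS_OK = 2.0  # rate of fake replies with a correct query id when ports == 1
LEGIT = 1.0     # rate at which the legitimate reply reaches the victim


def kaminsky_embedded_dtmc(times_to_request_url: int, ports: int,
                           guess_ok: float = GUESS_OK,
                           legit: float = LEGIT) -> Dtmc:
    """Embedded DTMC of a race CTMC: while query i is outstanding, a correct
    fake arrives at rate guess_ok/ports (the fix divides the correct-guess
    rate by the size of the port-id range) and the legitimate reply at rate
    legit.  The embedded-DTMC branch probability is rate / (sum of rates).
    States: wait0..wait{K-1}, plus the absorbing 'poisoned' and 'done'."""
    correct = guess_ok / ports
    p_poison = correct / (correct + legit)
    dtmc: Dtmc = {}
    for i in range(times_to_request_url):
        nxt = f"wait{i + 1}" if i + 1 < times_to_request_url else "done"
        dtmc[f"wait{i}"] = {"poisoned": p_poison, nxt: 1.0 - p_poison}
    dtmc["poisoned"] = {"poisoned": 1.0}
    dtmc["done"] = {"done": 1.0}
    return dtmc


def reach_prob(dtmc: Dtmc, start: str, target: str) -> float:
    """P=?[F target] from `start`: solve (I - P_tt) x = P_t,target over the
    transient states t by Gauss-Jordan elimination (no numpy needed)."""
    if start == target:
        return 1.0
    absorbing = {s for s, succ in dtmc.items() if succ.get(s, 0.0) == 1.0}
    transient = [s for s in dtmc if s not in absorbing]
    idx = {s: k for k, s in enumerate(transient)}
    n = len(transient)
    a = [[0.0] * n for _ in range(n)]
    b = [0.0] * n
    for s in transient:
        r = idx[s]
        a[r][r] = 1.0
        for t, p in dtmc[s].items():
            if t in idx:
                a[r][idx[t]] -= p
            elif t == target:
                b[r] += p
    for c in range(n):  # partial pivoting, then eliminate column c everywhere
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[piv] = a[piv], a[c]
        b[c], b[piv] = b[piv], b[c]
        for r in range(n):
            if r != c and a[r][c] != 0.0:
                f = a[r][c] / a[c][c]
                for k in range(c, n):
                    a[r][k] -= f * a[c][k]
                b[r] -= f * b[c]
    if start not in idx:  # absorbing start state other than the target
        return 0.0
    return b[idx[start]] / a[idx[start]][idx[start]]


def repair_port_range(times_to_request_url: int, bound: float = 0.05,
                      max_ports: int = 2 ** 16) -> Optional[Tuple[int, float]]:
    """Model repair on the one controllable parameter: the smallest port-id
    range (the cheapest change from the default of 1) such that
    P<=bound [F poisoned].  The probability decreases monotonically with
    `ports`, so a binary search over [1, max_ports] finds the minimum."""
    def prob(ports: int) -> float:
        return reach_prob(kaminsky_embedded_dtmc(times_to_request_url, ports),
                          "wait0", "poisoned")
    lo, hi = 1, max_ports
    if prob(hi) > bound:
        return None  # no admissible repair within the allowed range
    while lo < hi:
        mid = (lo + hi) // 2
        if prob(mid) <= bound:
            hi = mid
        else:
            lo = mid + 1
    return lo, prob(lo)


if __name__ == "__main__":
    for k in (1, 5, 10):
        print(k, repair_port_range(k))
```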
In related work for probabilistic models, a Bayesian estimator based on runtime data is used in [10] to address the problem of model evolution, where model parameters may change over time. The authors of [21] consider parametric models for which they show that finding parameter values for a property to be satisfied is in general undecidable. In [8], a model checker together with a genetic algorithm drive the parameter-estimation process by reducing the distance between the desired behavior and the actual behavior. The work of [16] addresses the parameter-synthesis problem for parametric CTMCs and time-bounded properties. The problem is undecidable and the authors provide an approximation method that yields a solution in most cases.

Conclusions

We have defined, investigated, implemented, and benchmarked the Model Repair problem for probabilistic systems. Ultimately, we show how Model Repair can be seen as both a nontrivial extension of the parametric model-checking problem for probabilistic systems and a nontrivial generalization of the controller-synthesis problem for linear systems. In both cases, its solution requires one to solve a nonlinear optimization problem with a minimal-cost (or maximal-profit) objective function. The problem we considered is one of offline model repair. As future work, we would like to investigate the online version of the problem, where an online controller runs concurrently with the system in question, appropriately adjusting its parameters whenever a property violation is detected. Meeting this objective will likely require a better understanding of the similarities between the model repair and controller synthesis problems.

Acknowledgements. We thank the anonymous referees for their valuable comments. Research supported in part by NSF Grants CCF-0926190, CCF-1018459, CNS 0831298, CNS 0721665, ONR grant N00014-07-1-0928, and AFOSR Grant FA0550-09-1-0481. The research of Professor
Katsaros was conducted while on Sabbatical leave at Stony Brook University.

References

1. Alexiou, N., Deshpande, T., Basagiannis, S., Smolka, S.A., Katsaros, P.: Formal analysis of the Kaminsky DNS cache-poisoning attack using probabilistic model checking. In: Proceedings of the 12th IEEE International High Assurance Systems Engineering Symposium, pp. 94–103. IEEE Computer Society, Los Alamitos (2010)
2. Biegler, L.T., Zavala, V.M.: Large-scale nonlinear programming using IPOPT: An integrating framework for enterprise-wide dynamic optimization. Computers & Chemical Engineering 33(3), 575–582 (2009)
3. Bonakdarpour, B., Ebnenasir, A., Kulkarni, S.S.: Complexity results in revising UNITY programs. ACM Trans. Auton. Adapt. Syst. 4(1), 1–28 (2009)
4. Boyd, S., Vandenberghe, L.: Convex Optimization. Cambridge University Press, Cambridge (2004)
5. Buccafurri, F., Eiter, T., Gottlob, G., Leone, N.: Enhancing model checking in verification by AI techniques. Artif. Intell. 112(1-2), 57–104 (1999)
6. Clarke, E.M., Emerson, E.A., Sifakis, J.: Model checking: Algorithmic verification and debugging. Communications of the ACM 52(11), 74–84 (2009)
7. Daws, C.: Symbolic and parametric model checking of discrete-time Markov chains. In: Liu, Z., Araki, K. (eds.) ICTAC 2004. LNCS, vol. 3407, pp. 280–294. Springer, Heidelberg (2005)
8. Donaldson, R., Gilbert, D.: A model checking approach to the parameter estimation of biochemical pathways. In: Heiner, M., Uhrmacher, A.M. (eds.) CMSB 2008. LNCS (LNBI), vol. 5307, pp. 269–287. Springer, Heidelberg (2008)
9. Dong, Y., Sarna-Starosta, B., Ramakrishnan, C.R., Smolka, S.A.: Vacuity checking in the modal mu-calculus. In: Kirchner, H., Ringeissen, C. (eds.) AMAST 2002. LNCS, vol. 2422, pp. 147–162. Springer, Heidelberg (2002)
10. Epifani, I., Ghezzi, C., Mirandola, R., Tamburrelli, G.: Model evolution by runtime parameter adaptation. In: ICSE 2009: Proceedings of the 31st International Conference on Software Engineering, pp. 111–121. IEEE Computer Society Press, Washington, DC, USA (2009)
11. Giacalone, A., Chang Jou, C., Smolka, S.A.: Algebraic reasoning for probabilistic concurrent systems. In: Proc. of the IFIP TC2 Working Conference on Programming Concepts and Methods, pp. 443–458. North-Holland, Amsterdam (1990)
12. Granvilliers, L., Benhamou, F.: RealPaver: an interval solver using constraint satisfaction techniques. ACM Trans. Math. Softw. 32, 138–156 (2006)
13. Hahn, E., Hermanns, H., Zhang, L.: Probabilistic reachability for parametric Markov models. International Journal on Software Tools for Technology Transfer, 1–17 (April 2010)
14. Hahn, E.M.: Parametric Markov model analysis. Master’s thesis, Saarland University (2008)
15. Hahn, E.M., Hermanns, H., Wachter, B., Zhang, L.: PARAM: A model checker for parametric Markov models. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 660–664. Springer, Heidelberg (2010)
16. Han, T., Katoen, J.-P., Mereacre, A.: Approximate parameter synthesis for probabilistic time-bounded reachability. In: IEEE International Real-Time Systems Symposium, pp. 173–182 (2008)
17. Hansson, H., Jonsson, B.: A logic for reasoning about time and reliability. Formal Aspects of Computing 6, 102–111 (1994)
18. Jobstmann, B., Griesmayer, A., Bloem, R.: Program repair as a game. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 226–238. Springer, Heidelberg (2005)
19. Knuth, D., Yao, A.: The complexity of nonuniform random number generation. In: Algorithms and Complexity: New Directions and Recent Results. Academic Press, London (1976)
20. Kwiatkowska, M.Z., Norman, G., Parker, D.: Stochastic model checking. In: Bernardo, M., Hillston, J. (eds.) SFM 2007. LNCS, vol. 4486, pp. 220–270. Springer, Heidelberg (2007)
21. Lanotte, R., Maggiolo-Schettini, A., Troina, A.: Parametric probabilistic transition systems for system design and analysis. Formal Aspects of Computing 19(1), 93–109 (2007)
22. Sinha, S.M.: Duality in nonlinear programming. In: Mathematical Programming, pp. 423–430. Elsevier Science, Burlington (2006)
23. Zhang, D., Cleaveland, R.: Fast on-the-fly parametric real-time model checking. In: Proceedings of the 26th IEEE International Real-Time Systems Symposium, pp. 157–166. IEEE Computer Society, Los Alamitos (2005)

Boosting Lazy Abstraction for SystemC with Partial Order Reduction

Alessandro Cimatti, Iman Narasamdya, and Marco Roveri
Fondazione Bruno Kessler — Irst
{cimatti,narasamdya,roveri}@fbk.eu

Abstract. The SystemC language is a de-facto standard for the description of systems on chip. A promising technique, called ESST, has recently been proposed for the formal verification of SystemC designs. ESST combines Explicit state techniques to deal with the SystemC Scheduler, with Symbolic techniques, based on lazy abstraction, to deal with the Threads. Despite its relative effectiveness, this approach suffers from the potential explosion of thread interleavings. In this paper we propose the adoption of partial order reduction (POR) techniques to alleviate the problem. We extend ESST with two complementary POR techniques (persistent set, and sleep set), and we prove the soundness of the approach in the case of safety properties. The extension is only seemingly trivial: the POR, applied to the scheduler, must be proved not to interfere with the lazy abstraction of the threads. We implemented the techniques within the software model checker KRATOS, and we carried out an experimental evaluation on benchmarks taken from the SystemC distribution and from the literature. The results showed a significant improvement in terms of the number of visited abstract states and run times.

Introduction

SystemC is
widely used for the design of systems on chip. Executable models written in SystemC are amenable to high-speed simulation before synthesizing the RTL hardware description. Formal verification of SystemC designs can help to pinpoint errors, preventing their propagation down to the hardware, but can also help to reveal errors in the specifications. Despite its importance, however, formal verification of SystemC is a very hard challenge. Indeed, a SystemC design is a very complex entity. In addition to rich data, SystemC features a form of multi-threading, where scheduling is cooperative and carried out according to a specific set of rules [20], and the execution of threads is mutually exclusive.

A promising technique, called ESST [7], has recently been proposed for the verification of SystemC designs. ESST combines Explicit state techniques to deal with the SystemC Scheduler, with Symbolic techniques, based on lazy abstraction [2], to deal with the Threads. Despite its relative effectiveness, this technique requires the exploration of a large number of thread interleavings, many of which are redundant, with subsequent degradations in the run time performance and high memory consumption.

P.A. Abdulla and K.R.M. Leino (Eds.): TACAS 2011, LNCS 6605, pp. 341–356, 2011. © Springer-Verlag Berlin Heidelberg 2011

Partial-order reduction (POR) [11,18,22] is a well known model checking technique that tackles the state explosion problem by exploring only a representative subset of all possible schedules. In general, POR exploits the commutativity of concurrent transitions that result in the same state when they are executed in different orders. POR techniques have successfully been integrated in explicit-state software model checkers like SPIN [13] and VERISOFT [10], and also applied in symbolic model checking [15,23,1]. In this paper we boost ESST with two complementary POR techniques [11], persistent set and sleep set. The POR
techniques are used in the ESST algorithm to limit the expansion of the transitions in the explicit scheduler, while the nature of the symbolic search of the threads, based on lazy abstraction, remains unchanged. Notice that the application of POR in the ESST algorithm is only seemingly trivial, because POR could in principle interact negatively with the lazy abstraction used for the search within the threads. In fact, we prove that the pruning carried out by POR in the abstract space preserves the reachability in the concrete space, which yields the soundness of the approach in the case of safety properties.

We implemented these POR techniques within the KRATOS software model checker. KRATOS implements the ESST algorithm, and is at the core of the tool chain described in [7], which also includes a SystemC front-end derived from PINAPA [17]. We perform an experimental evaluation on the benchmark set used in [7], that includes problems from the SystemC distribution and from the literature. The results show that POR techniques can yield substantial improvements on the performance of the ESST algorithm in terms of the number of visited abstract states and run times.

This paper is structured as follows. In Sec. we briefly introduce SystemC and we briefly describe the ESST algorithm. In Sec. we show by means of an example the possible state explosion problem that may arise. In Sec. we show how to lift POR techniques to the ESST algorithm. In Sec. we review the related work. Finally, in Sec. we draw some conclusions and we outline future work.

Background

The SystemC language. SystemC is a C++ library that consists of (1) a core language that allows one to model a System-on-Chip (SoC) by specifying its components and architecture, and (2) a simulation kernel (or scheduler) that schedules and runs processes (or threads) of components. SoC components are modeled as SystemC modules that communicate through channels (that are bound to the ports specified in the modules). A module consists of one
or more threads that describe the parallel behavior of the SoC design. SystemC provides general-purpose events as a synchronization mechanism between threads. For example, a thread can suspend itself by waiting for an event or by waiting for some specified time. A thread can perform immediate notification of an event or delayed notification.

The SystemC scheduler is a cooperative non-preempting scheduler that runs at most one thread at a time. During a simulation, the status of a thread changes from sleeping, to runnable, and to running. A running thread will only give control back to the scheduler by suspending itself. The scheduler runs all runnable threads, one at a time, in a single delta cycle, while postponing the channel updates made by the threads. When there are no more runnable threads, the scheduler materializes the channel updates, and wakes up all sleeping threads that are sensitive to the updated channels. If, after this

Listing: the numgen module (the listing continues beyond this excerpt):

    SC_MODULE(numgen) {
      // template arguments restored: <int> follows from gen(), <bool> is
      // assumed for the clock port
      sc_out<int> o;      // output port
      sc_in<bool> ck;     // input port for clock

      // Reads input from environment
      void gen() {
        int x = read_input();
        o.write(x);
      }

      SC_CTOR(numgen) {
        // declare "gen" as a method thread
        SC_METHOD(gen);
        dont_initialize();
        sensitive
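The delta-cycle behaviour just described, as an added example that is neither the paper's code nor KRATOS: a small explicit model of the SystemC scheduler in which at most one thread runs at a time, sc_signal-style writes are postponed to the update phase, and threads sensitive to an updated channel are woken. The Signal and Kernel classes, the consumer thread and the input value 7 are constructed; gen mirrors numgen::gen with read_input() replaced by a constructed iterator, and immediate/delayed event notification and simulated time are left out. Running the two runnable threads of the second delta cycle in either order gives the consumer the same observations, which is the kind of commutativity the introduction says POR exploits.

```python
# Added example (not code from the paper or from KRATOS): an explicit model
# of the SystemC delta cycle -- at most one thread runs at a time, channel
# (sc_signal-style) writes are postponed to the update phase, and threads
# sensitive to an updated channel are woken.  Immediate/delayed event
# notification and simulated time are left out.
from typing import Callable, Dict, List, Tuple


class Signal:
    """sc_signal-like channel: write() only records a pending value; the
    kernel calls update() once no thread is runnable."""

    def __init__(self, kernel: "Kernel", name: str, init: int = 0) -> None:
        self.kernel, self.name = kernel, name
        self.current, self.pending = init, None

    def read(self) -> int:
        return self.current

    def write(self, value: int) -> None:
        self.pending = value
        self.kernel.request_update(self)

    def update(self) -> bool:
        changed = self.pending is not None and self.pending != self.current
        if self.pending is not None:
            self.current = self.pending
        self.pending = None
        return changed


class Kernel:
    """Cooperative, non-preempting scheduler over SC_METHOD-style threads."""

    def __init__(self, reverse: bool = False) -> None:
        self.threads: Dict[str, Tuple[Callable[[], None], List[Signal]]] = {}
        self.runnable: List[str] = []
        self.update_requests: List[Signal] = []
        self.trace: List[str] = []   # order in which threads were run
        self.reverse = reverse       # pick the other interleaving

    def method(self, name, body, sensitive, initialize=True):
        self.threads[name] = (body, sensitive)
        if initialize:               # dont_initialize() == initialize=False
            self.runnable.append(name)

    def request_update(self, sig: Signal) -> None:
        if sig not in self.update_requests:
            self.update_requests.append(sig)

    def run(self, max_deltas: int = 100) -> int:
        deltas = 0
        while (self.runnable or self.update_requests) and deltas < max_deltas:
            # evaluation phase: run every runnable thread, one at a time
            batch, self.runnable = self.runnable, []
            if self.reverse:
                batch.reverse()
            for name in batch:
                self.trace.append(name)
                self.threads[name][0]()
            # update phase: materialize the postponed channel writes
            changed = [s for s in self.update_requests if s.update()]
            self.update_requests = []
            # wake every sleeping thread sensitive to an updated channel
            for name, (_, sens) in self.threads.items():
                if any(s in changed for s in sens) and name not in self.runnable:
                    self.runnable.append(name)
            deltas += 1
        return deltas


def simulate(reverse: bool = False) -> Tuple[List[str], List[int], int]:
    """numgen-like producer plus a consumer, both sensitive to the clock.
    Returns (thread trace, values the consumer read, delta cycles run)."""
    k = Kernel(reverse)
    ck, o = Signal(k, "ck"), Signal(k, "o")
    inputs = iter([7])               # constructed environment input
    seen: List[int] = []

    def gen() -> None:               # like numgen::gen: o.write(x)
        o.write(next(inputs))

    def cons() -> None:              # reads o in the delta cycle it runs in
        seen.append(o.read())

    k.method("gen", gen, [ck], initialize=False)
    k.method("cons", cons, [ck, o], initialize=False)
    ck.write(1)                      # environment raises the clock
    deltas = k.run()
    return k.trace, seen, deltas
```

In both interleavings the consumer first reads the old value 0, because gen's write is only materialized when the delta cycle ends, and reads 7 in the next delta cycle after being woken by the updated signal.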