Forward Analysis of Depth-Bounded Processes. Thomas Wies, Damien Zufferey, Tom Henzinger. In FoSSaCS'10.

Presentation transcript:

Forward Analysis of Depth-Bounded Processes
Thomas Wies, Damien Zufferey, Tom Henzinger
In FoSSaCS'10

Motivation
Verify concurrent systems with:
- synchronization via message passing
- unbounded dynamic process creation (name generation)
- dynamic communication topology (name mobility)
Examples: Actors [G. Agha 1986] in languages such as Scala and Erlang; distributed (mobile) systems; ...

A Publish/Subscribe Service in Scala
(`*` denotes a nondeterministic choice; `cats.choose` picks an arbitrary element of the set.)

    import scala.actors._

    sealed abstract class Category
    case object Cat1 extends Category
    ...
    case object CatN extends Category

    case object List
    case class Categories(cats: Set[Category])
    ...

    class Server extends Actor {
      // enl maps each category to the set of subscribers enlisted to it
      def loop(enl: Map[Category, Set[Actor]]) {
        val cats = Set(Cat1, ..., CatN)
        react {
          case List => {
            reply(Categories(cats))
            react {
              case Subscribe(c) => loop(enl + (c -> (enl(c) + sender)))
            }
          }
          case Unsubscribe(c) => loop(enl + (c -> (enl(c) - sender)))
          case Publish => {
            reply(Who)
            react {
              case Credential =>
                if (*) {                       // credential accepted
                  reply(Categories(cats))
                  react {
                    case Content(c) =>
                      enl(c).foreach(_ ! Content(c))   // forward to every enlisted subscriber
                      loop(enl)
                  }
                } else {
                  reply(Deny)
                  loop(enl)
                }
            }
          }
        }
      }
      // initially no subscriber is enlisted to any category
      override def act() = loop(Map[Category, Set[Actor]]().withDefaultValue(Set()))
    }

    class Subscriber(server: Actor) extends Actor {
      def loop(cat: Category): Unit = {
        if (*) {                               // keep receiving
          react {
            case Content(c) =>
              if (c != cat) error("...")       // received content of a category not subscribed to
              ...
          }
        } else {                               // leave the service
          server ! Unsubscribe(cat)
          exit('normal)
        }
      }
      override def act(): Unit = {
        server ! List
        react {
          case Categories(cats) =>
            val cat = cats.choose
            loop(cat)
        }
      }
    }

    class Publisher(server: Actor) extends Actor {
      override def act(): Unit = {
        server ! Publish
        react {
          case Who =>
            reply(Credential)
            react {
              case Categories(cats) =>
                val c = cats.choose
                reply(Content(c))
                if (*) act() else exit('normal)
              case Deny => exit('badCredential)
            }
        }
      }
    }

A Publish/Subscribe Service in Scala (configuration diagrams)
[Figure: a Server, two Subscribers and a Publisher; edges labelled server, enl(Cat1) and enl(Cat2); first a Subscribe(Cat1) message with its sender edge, then Content(Cat1) messages in the Subscribers' mailboxes with sender edges to the Publisher.]
Infinite state system: the number of Subscriber and Publisher processes and the number of messages in mailboxes can grow unboundedly.

Semantics
Interleaving of local transitions of processes. Processes have:
- an associated name
- finitely many control states
- finitely many parameters (denoting names of other processes)
- an associated mailbox (unbounded but unordered)

Semantics
Interleaving of local transitions of processes. In each local transition a process may:
- change its control state
- change the value of one of its parameters
- receive a message from its mailbox (blocking)
- send a message to a process it knows
- create a new process

Semantics
Global configurations are graphs:
- nodes model processes (node labels are control states) and messages (node labels are message kinds)
- edges model mailboxes, process parameters and message data

Semantics (more formally): Actors [Agha 1986], π-calculus [Milner, Parrow, Walker 1992], Dynamic I/O automata [Attie, Lynch 2001], ...

Verification of Safety Properties
[Figure: a Server and a Subscriber linked by server and enl(Cat1) edges, with a Content(Cat1) message and its sender edge.]
Shape invariants:
- "The server link of a Subscriber always points to a Server"
- "Subscribers only receive content they are enlisted to"
- "No process ever reaches a local error state"

Turing Completeness
[Figure: encoding of a two-counter machine; a state machine process linked to two chains of counter cells C connected by next edges, one chain per counter.]
Are there any interesting fragments with decidable verification problems?

Depth-Bounded Systems (DBS) [Meyer 2008]
Definition: A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable configurations.
The actual definition is in terms of π-calculus processes.

Depth-Bounded Systems (DBS)
[Figure: the publish/subscribe configuration with a Server, two Subscribers, a Publisher, enl(Cat1)/enl(Cat2) links and Content(Cat1) messages with sender edges.] The maximal length of any simple path is 5.

What is Decidable for DBS?
DBSs are well-structured transition systems [Meyer 2008] ⇒ termination is decidable.
What about reachability? Reset nets are DBSs [Meyer, Gorrieri 2009] ⇒ reachability is undecidable for reset nets [Dufourd et al. 1998] and thus for DBSs.

The Covering Problem
Given a transition system and a bad configuration, decide whether there is a reachable configuration that "covers" the bad one. [Figure: init and bad configurations.]

The Covering Problem
Application: verify absence of bad patterns, e.g. "Subscribers only receive content they are enlisted to". [Figure: bad pattern, a Subscriber enlisted to Cat1 (enl(Cat1) edge from the Server) whose mailbox contains a Content(Cat2) message with a sender edge.]
The covering problem is decidable for DBSs.

Well-Quasi-Orderings
Definition: A relation ≤ ⊆ S × S is a well-quasi-ordering iff
- ≤ is a quasi-ordering (reflexive and transitive)
- for any infinite sequence s1, s2, ... there are i < j such that s_i ≤ s_j
Examples: identity relation on a finite set; order on the natural numbers; multiset extension of a well-quasi-ordering (Higman's lemma)

Well-Structured Transition Systems (WSTS) [Finkel 1987]
Definition: A WSTS is a tuple (S, init, →, ≤) where
- (S, init, →) is a transition system
- ≤ is a well-quasi-ordering on S
- ≤ is compatible with the transition relation →: for all s, t, s' ∈ S with s → s' and s ≤ t there exists t' ∈ S with t → t' and s' ≤ t'
Examples: Petri nets, lossy channel systems

Upward and Downward-Closures
↑X = {y ∈ S | ∃x ∈ X. x ≤ y}, and dually ↓X = {y ∈ S | ∃x ∈ X. y ≤ x}. [Figure: X ≤ Y, with ↑X and ↑Y.]

Backward Algorithm for the Covering Problem of WSTS
[Figure: the iterated predecessor sets bad, ↑bad, pre(↑bad), ..., pre^k(↑bad), and init.]

Depth-Bounded Systems as WSTS
Depth-bounded systems form WSTS for their reachable configurations and the quasi-ordering induced by subgraph isomorphism.
Next we show that this ordering is a well-quasi-ordering on the reachable configurations.
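As an added example (not the paper's code), the covering check of the two preceding slides on small configuration graphs: a bad pattern is covered iff it embeds into a configuration as a labelled subgraph, the ordering induced by subgraph isomorphism. Node and edge labels (Server, Subscriber, enl(Cat1), mailbox, sender, ...) are constructed after the slides' diagrams.

```python
"""Covering check on configuration graphs (added example, not the paper's code).

Configurations are labelled undirected graphs: node labels are control states
("Server", "Subscriber") or message kinds ("Content(Cat2)"); edge labels are
parameter names ("server", "enl(Cat1)"), "mailbox" and "sender".  The names are
constructed after the slides' diagrams.  A configuration covers a bad pattern
iff the pattern is isomorphic to a subgraph of it, node and edge labels included.
"""

def build(node_labels, edges):
    """node_labels: {node: label}; edges: [(u, v, label)], undirected, multi-labelled."""
    adj = {n: {} for n in node_labels}
    for u, v, lab in edges:
        adj[u].setdefault(v, set()).add(lab)
        adj[v].setdefault(u, set()).add(lab)
    return node_labels, adj

def embeds(pattern, config):
    """True iff pattern is a labelled subgraph of config (subgraph isomorphism).

    Backtracking search for an injective node map that preserves node labels and
    sends every pattern edge to a config edge carrying at least the same labels;
    extra config edges are allowed, since covering is not induced-subgraph."""
    p_lab, p_adj = pattern
    c_lab, c_adj = config
    order = sorted(p_lab)  # pattern nodes are assigned in this fixed order

    def extend(i, m):
        if i == len(order):
            return True
        p = order[i]
        used = set(m.values())
        for c in c_lab:
            if c in used or c_lab[c] != p_lab[p]:
                continue
            # every already-mapped pattern neighbour q must be a config
            # neighbour of c with all of the pattern's edge labels present
            if all(m[q] in c_adj[c] and labs <= c_adj[c][m[q]]
                   for q, labs in p_adj[p].items() if q in m):
                m[p] = c
                if extend(i + 1, m):
                    return True
                del m[p]
        return False

    return extend(0, {})

# Bad pattern from the slide: a Subscriber enlisted to Cat1 whose mailbox holds
# a Content(Cat2) message (constructed encoding).
BAD = build({"srv": "Server", "sub": "Subscriber", "msg": "Content(Cat2)"},
            [("sub", "srv", "server"), ("srv", "sub", "enl(Cat1)"),
             ("sub", "msg", "mailbox")])

# Constructed configuration in which a Content(Cat2) message sent by the
# Publisher sits in a Cat1 subscriber's mailbox: it covers BAD.
UNSAFE = build({"S": "Server", "A": "Subscriber", "P": "Publisher", "M": "Content(Cat2)"},
               [("A", "S", "server"), ("S", "A", "enl(Cat1)"), ("P", "S", "server"),
                ("A", "M", "mailbox"), ("M", "P", "sender")])

# Constructed configuration where each subscriber holds only content it is
# enlisted to: BAD does not embed.
SAFE = build({"S": "Server", "A": "Subscriber", "B": "Subscriber", "P": "Publisher",
              "M1": "Content(Cat1)", "M2": "Content(Cat2)"},
             [("A", "S", "server"), ("S", "A", "enl(Cat1)"), ("B", "S", "server"),
              ("S", "B", "enl(Cat2)"), ("P", "S", "server"), ("A", "M1", "mailbox"),
              ("M1", "P", "sender"), ("B", "M2", "mailbox"), ("M2", "P", "sender")])
```

`embeds(BAD, UNSAFE)` is True and `embeds(BAD, SAFE)` is False; the search is exponential in the pattern size, which is fine for the small fixed bad patterns the covering problem asks about.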

Closure of a Tree
Add edges according to the transitive closure of the edge relation. Every (undirected) graph is contained in the closure of some tree.

Tree-Depth of a Graph
Definition: The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contains G.
[Figure: a graph on vertices v1, ..., v5 and a tree whose closure contains it; the height is 2, so the tree-depth is 2.]

Tree-Depth and Depth-Bounded Systems
Proposition: A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.
⇒ the reachable configurations of a depth-bounded system have bounded tree-depth.
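As an added example (not the paper's code), both quantities of the definition and the proposition computed on one configuration graph constructed after the publish/subscribe slide (a Server, two Subscribers, a Publisher and one Content message per Subscriber mailbox): the longest simple path by exhaustive search, and the tree-depth by the standard recursion, which is equivalent to the minimal height (in vertices) of a tree whose closure contains the graph.

```python
"""Depth bound of a configuration graph (added example, not the paper's code).

Edge labels play no role for path length or tree-depth, so the constructed
configuration is a plain undirected graph.
"""
from functools import lru_cache

def build(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def longest_simple_path(adj):
    """Length in edges of the longest simple path (exhaustive DFS; small graphs)."""
    best = 0

    def dfs(v, seen, length):
        nonlocal best
        best = max(best, length)
        for w in adj[v]:
            if w not in seen:
                dfs(w, seen | {w}, length + 1)

    for v in adj:
        dfs(v, {v}, 0)
    return best

def components(adj, vs):
    """Connected components (as frozensets) of the subgraph induced by vs."""
    left, comps = set(vs), []
    while left:
        comp, stack = set(), [left.pop()]
        while stack:
            v = stack.pop()
            comp.add(v)
            stack.extend(w for w in adj[v] if w in vs and w not in comp)
        left -= comp
        comps.append(frozenset(comp))
    return comps

def tree_depth(adj):
    """td(G) by the standard recursion: a single vertex has td 1, a disconnected
    graph the maximum td of its components, otherwise td(G) = 1 + min_v td(G - v)."""
    @lru_cache(maxsize=None)
    def td(vs):
        if not vs:
            return 0
        if len(vs) == 1:
            return 1
        comps = components(adj, vs)
        if len(comps) > 1:
            return max(td(c) for c in comps)
        return 1 + min(td(vs - {v}) for v in vs)

    return td(frozenset(adj))

def depth_bound_consistent(adj):
    """The proposition on one graph: with tree-depth d, the longest simple path
    has at most 2**d - 1 vertices, and d is at most that path's vertex count."""
    d, n = tree_depth(adj), longest_simple_path(adj) + 1
    return d <= n <= 2 ** d - 1

# Constructed configuration: Server, Subscribers Sub1/Sub2, Publisher Pub,
# Content messages Msg1 (in Sub1's mailbox) and Msg2 (in Sub2's mailbox).
CONFIG = build([("Sub1", "Server"), ("Sub2", "Server"), ("Pub", "Server"),
                ("Sub1", "Msg1"), ("Msg1", "Pub"), ("Sub2", "Msg2"), ("Msg2", "Pub")])
```

For CONFIG the longest simple path has length 5 and the tree-depth is 4; both routines are exponential and meant for configurations of a few dozen nodes at most.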

Tree Encodings of Depth-Bounded Graphs
Take a minimal tree whose closure contains the graph G. Label each node v in the tree by the subgraph of G induced by the nodes on the path to v. The number of labels used in the encoding is finite.
[Figure: G on vertices v1, ..., v5 and its encoding tree(G).]

Homeomorphic Tree Embedding ≼
We can show for all graphs G1, G2: tree(G1) ≼ tree(G2) implies that G1 is below G2 in the ordering induced by subgraph isomorphism.

Kruskal's Tree Theorem
Theorem [Kruskal 1960]: Homeomorphic tree embedding is a well-quasi-ordering on finite trees labelled by a WQO set.
Theorem [Laver 1971]: Homeomorphic tree embedding is a better-quasi-ordering on countable trees labelled by a BQO set.
⇒ subgraph isomorphisms induce a better-quasi-ordering on the reachable configurations of a depth-bounded system.

Backward Algorithm for the Covering Problem of WSTS
[Figure: bad, ↑bad, pre(↑bad), ..., pre^k(↑bad), init.]
Requirements: ≤ is decidable; pre is effectively computable.

Backward Analysis of DBSs
- The WSTS of a depth-bounded system is defined w.r.t. the forward-reachable configurations.
- Reachability is undecidable, so pre is not computable for the induced WSTS.
- Only option: if the bound of the system is k, define the WSTS w.r.t. the set of all graphs of depth at most k.
⇒ Termination of a backward analysis can only be ensured if the bound of the system is known a priori. The standard algorithm is not a decision procedure for the covering problem of DBS.

Backward Analysis is Impractical
[Figure: a Server and a Subscriber with a Subscribe(Cat1) message and its sender edge.]
Backward analysis has to guess the sender (and other parameters) of sent messages ⇒ explosion in the nondeterminism.
This is similar to the aliasing problem for backward analysis of programs with pointers.

Is there a forward analysis that decides the covering problem?

Forward Analysis of a WSTS
[Figure: the iterated successor sets init, ↓init, ↓post(↓init), ..., ↓post^k(↓init), and bad.]
We need "limits" of all downward-closed sets for termination.

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]
X is a wqo set and Y is an ADL for X with denotation γ: for every z ∈ Y, γ(z) is a downward-closed subset of X.

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]
Every downward-closed subset of X is generated by a finite subset E of Y ∪ X. [Figure: E = E1 ∪ E2, with E1 ⊆ Y and E2 ⊆ X.]

Expand, Enlarge, and Check
Theorem [Geeraerts, Raskin, Van Begin 2006]: There exists an algorithm that decides the covering problem for WSTS with effective ADL.
[Figure: increasing chains X1 ⊆ X2 ⊆ ... ⊆ X and Y1 ⊆ Y2 ⊆ ... ⊆ Y.]
Next: an ADL for depth-bounded systems.

Loop Acceleration à la Karp-Miller
[Figure: a Server configuration; a loop σ creates a Subscriber; the limit configuration marks the Subscriber with +.]
Idea for loop acceleration: record which parts of a configuration can be duplicated.

Limit Configurations
[Figure: a limit configuration L with a Server, a Subscriber marked + and a nested Content marked +, together with some of its unfoldings.]
Denotation: γ(L) is the downward-closure of all unfoldings of L.

An ADL for Depth-Bounded Systems
[Figure: limit configuration with a Server and a Subscriber marked +.]
Theorem: Limit configurations form an ADL for depth-bounded graphs.
Corollary: The EEC algorithm decides the covering problem for depth-bounded systems.

Canonical Adequate Domain of Limits
A directed set for a qo (X, ≤) is a nonempty subset of X closed under upper bounds.
Theorem [Finkel, Goubault-Larrecq 2009]: The downward-closed directed subsets of a wqo set X form an ADL for X.
[Figure: directed subsets D1, ..., D5 of X.]

Hedge Automata
A hedge automaton (Q, Σ, Q_f, Δ) with Q = {p, q, r, s}, Σ = {a, b, c}, Q_f = {p} and
Δ = { a(ε) → s, b(ε) → r, c(s r* s) → q, a(q+) → p }.
[Figure: a run of the automaton on a hedge over a, b, c; the leaves labelled a and b are assigned s and r, each c-node with children s r* s is assigned q, and the root a-node with children q+ is assigned p.]

Proof Sketch
To prove: for every directed downward-closed set, there exists a limit configuration with ...
Look at the tree encodings and construct a hedge automaton such that ...
From ... construct the limit configuration.
[Figure: a directed downward-closed set and its tree encodings.]

Further Related Work
- Meyer, Gorrieri 2009: depth-bounded systems and place/transition nets
- Finkel, Goubault-Larrecq 2009: Karp-Miller-style forward analysis of WSTSs with ADLs
- Ganty, Raskin, Van Begin 2006: forward analysis of WSTSs without ADLs
- Dam 1993; Amadio, Meyssonnier 2002: decidable fragments of the π-calculus
- Sangiorgi 1996; Busi et al. 2003; Ostrovský 2005: type systems for the π-calculus
- Bauer (Kreiker), Wilhelm 2007: shape analysis for depth-bounded systems

Conclusions
- many real-life examples of message passing systems are depth-bounded
- many interesting safety properties are expressible in terms of covering
- our main result: the covering problem is decidable for depth-bounded systems
- our ADL suggests a whole spectrum of forward analyses for depth-bounded systems