1. SS 2017 Software Verification SMT Solving, Partial Order Methods
Prof. Dr. Holger Schlingloff 1,2
Dr. Esteban Pavese 1
(1) Institut für Informatik der Humboldt Universität
(2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS

2. Recap Why are parallel programs error-prone? Typical concurrency bugs?
Synchronization mechanisms in Java?
Parallelism concept language?
Difference of the SOS-semantics with and without || ?
What does SMT stand for?

3. SMT
Satisfiability modulo theories: Checking the satisfiability of a formula, where certain functions/relations are interpreted according to a particular mathematical theory
Theory: set of axioms / consequences
Theory of linear orders, natural numbers, reals, rings, fields, ...
E.g., is (x+y=2) satisfiable?
E.g., is (an+bn=cn  n>2) satisfiable?
Slides partly borrowed from Cesare Tinelli,

4. SMT
Satisfiability of quantifier-free formulas is decidable for many theories of interest in model checking
Equality with “Uninterpreted Function Symbols”
Linear Arithmetic (Real and Integer)
Arrays (i.e., updatable maps)
Finite sets and multisets
Inductive data types (enumerations, lists, trees, )
. . .
Thanks to advances in SAT and in decision procedures, this can be done very efficiently by current SMT solvers
SMT solvers differ from traditional theorem provers by having built-in theories, and using specialized methods to reason about them

5. Model Checking by SMT
SMT-based model checking techniques blur the line between traditional model checking and deductive verification
Different approaches, e.g.,
predicate abstraction,
bounded model checking,
backward reachability,
temporal induction, ...

6. Example: Parametric Resettable Counter

7. Encoding the Transition Relation

8. Inductive Reasoning

9. Example Binomial Coefficient
Vars x = (a, b, c, n, k, , , sc)
Initialization I[x]:
(a=nb=0c=1=1=1(sc=1sc=2))
Transition relation T[x,x’]:
a’=ite(=3sc=1, a-1, a)
b’=ite(=2sc=2, b+1, b)
c’=ite(=2sc=1, c*a, ite (=4sc=2, c/b, c))
n’=n  k’=k  (sc’=1  sc’=2)
’=ite( =1sc=1, ite(a≠n-k, 2, 4), ite( =2sc=1, 3, ite(=3sc=1, 1, )))
’=ite(=1sc=2, ite(b≠k, 2, 5), ite(=2sc=2, 3, ite(=3sc=2, ite(a+b≤n, 4, 3), ite(=4sc=2, 1, ))))
a=n; b=0; c=1;
:{
1: while (a ≠ n-k) {
2: c=c*a;
3: a--;
} 4: ||
1: while (b ≠ k) {
2: b++;
3: await (a+b ≤ n);
4: c=c/b;
} 5: }

10. Invariant for Binomial Coefficient
Vars x = (a,b,c,n,k,,,sc)
sc “scheduler”, values in {1,2}
Invariant:
Let P(i, j)=(c=(n*n-1*...*(n-i+1) / 1*2*...*j))
({1,2,4} {1,2,5} P(n-a, b))
(=3  {1,2,5} P(n-a+1, b))
({1,2,4} {3,4}P(n-a, b-1))
(=3  {3,4}P(n-a+1, b-1))
(=4  a=n-k)  (=5  b=k)
Property to be proven:
( =4  =5  P(k,k))
follows directly from the invariant
a=n; b=0; c=1;
:{
1: while (a!=n-k) {
2: c=c*a;
3: a--;
} 4: ||
1: while (b!=k) {
2: b++;
3: await (a+b ≤ n);
4: c=c/b;
} 5: }

11. How to Come Up with an Invariant?
In principle undecidable
In practice, much progress has been done
Annual workshops on invariant generation (WING)
Keywords: weakest preconditions and strongest postconditions of statements
Dijkstra’s wp-calculus:
wp(skip, ) = 
wp(x=t, ) = [x:=t]
wp({1; 2}, ) = wp(1, wp(2, ))
wp(if (b) 1 else 2, ) = ((b  wp(1, ))  (¬b  wp(2, )))
wp(while (b) , ) = ?

12. ! This is a non-constructive definition ! Existence??? Examples
wp(while (b) , ) = z (z)  z((b(z))  z’ (z’<z  wp(, (z’)))  z((¬b(z))  ) where  is a loop variant and < a wfo, z new var.
! This is a non-constructive definition ! Existence???
Examples
wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10
wp({x=2*x; x=x-3}, x>7) = wp(x=2*x, wp(x=x-3, x>7)) = wp(x=2*x, x>10) = x>5
wp(if(a<b) a=b, a>=b) = ((a<b  wp(a=b, a>=b)  (a>=b  wp(skip, a>=b)) =((a<b  b>=b)  (a>=b  a>=b)) = T
wp(while (i>0) i--, i==0) = i>=0

13. Break!

14. Partial Order Reduction
The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.
To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.
For software model checking, all interleaving paths are analyzed (depth-first search)
This can be very many (“state explosion problem“)
But it may not be necessary:
a=0; b=0; {a=a*a; a=a-5; || b=2*b+3; b=1-b;}
Only one possible result, even with different interleavings! However, not always:
a=0; {a*=a*a; a=a-5; || a=2*a+3; a=1-a;}

15. The ordering between “independent” transitions is largely meaningless
Consider n transitions that can be executed concurrently.
In this case, there are n! different orderings and 2n different states (one for each subset of the transitions)
If the specification does not distinguish between these sequences, it is beneficial to consider only one with n+1 states.
Basic question: When are concurrent transitions independent?
Slides & pictures thanks to Ed Clarke,

16. The partial order reduction is aimed at reducing the size of the state space that needs to be searched
It exploits the commutativity of concurrently executed transitions, which result in the same state
The method consists of constructing a reduced state graph. The full state graph, which may be too big to fit in memory, is never constructed
The behaviors of the reduced graph are a subset of the behaviors of the full state graph
The justification of the reduction method shows that the behaviors that are not present do not add any information

17. There are various versions of the partial-order method:
stubborn set method (Valmari 1990)
ample set method (Peled 1993)
persistent set method (Godefroid 1994)
Consider two transitions to be independent only if
whenever they are both enabled, they cannot disable one another, and
the execution of both results in a unique state regardless of the order in which they are executed

18. DFS search with ample sets
Goal is to reduce the number of states considered in model checking, while preserving the correctness of the property
Will assume that a reduced state graph is first generated explicitly using depth-first search
The model checking algorithm is then applied to the resulting state graph, which has fewer states and edges
This speeds up the construction of the graph and uses less memory, thus resulting in a more efficient model checking algorithm
From any given state, do not consider the set of all enabled transitions but an ample set, which is some sort of “minimal set of independent transitions”
The calculation of ample(s) needs to satisfy three goals:
When ample(s) is used instead of enabled(s), enough behaviors must be retained so DFS gives correct results
Using ample(s) instead of enabled(s) should result in a significantly smaller state graph
The overhead in calculating ample(s) must be reasonably small.

19. Pairs of transitions belonging to the same process are dependent
Pairs of transitions that share a variable, which is changed by at least one of them, are dependent
Pairs of transitions belonging to the same process are dependent
Consider the following program:
a=0; b=0; {1: a++; 2: await ()... || 1: b++; 2: b--}
1 and all  transitions are always enabled
1 1 and 1 1 lead to the same state
Hence 1 and 1 are independent
Problem
The states reached after 1 and 1 may have other successors, which may not be explored if either is eliminated (e.g., 2: await (b=0)...)

20. Conditions on ample sets
(C0) ample(s) is empty only if enabled(s) is empty
(C1) If a transition  depends on some transition in ample(s), then  cannot be executed without some transition in the ample set occuring first
Consider again the following program:
a=0; b=0; {1: a++; 2: await (b=0) a++ || 1: b++; 2: b--}
after a=0; b=0; enabled ={1, 1}, ample ={1}
ample ={1} is not a valid choice, since 2 is disabled by 1 (i.e., 2 can be invoked before 1 is executed)

21. Preservation of LTL properties?
Problem: the checked property might be sensitive to the ordering of independent transitions
Solution
disallow next-operator
define “invisible” transitions : a transition is invisible when its execution from any state does not change the value of the propositions
(C2) If enabled(s) ≠ ample(s), each transition in the ample set must be invisible

22. Eventualities? Problem: satisfaction of eventualities might be lost
Solution
similar to the normal LTL eventualities rule
(C3) A cycle is not allowed if it contains a state in which some transition is enabled, but is never included in ample(s) for any state s on the cycle
Correctness of partial order method
For any model M and next-free LTL-formula φ, it holds that M ⊨ φ iff M‘ ⊨ φ, where M‘ is the reduced state graph
If φ does not hold im M, a counterexample in M‘ is produced

23. Experimental Results
Since the set ample(s) is not unique, heuristics can be used to construct it
Construction of ample(s) should be fast in order not to spoil the speed-up
On models with a lot of concurrency, partial order methods can exponentially improve the model checking process
However, they do not combine well with symbolic (BDD based) methods