An algorithmic approach for checking closure properties of temporal logic specifications and ω-regular languages (original) (raw)
Related papers
Theoretical Computer Science, 1998
In concurrency theory, there are several examples where the interleaved model of concurrency can distinguish between execution sequences which are not significantly different. One such example is sequences that differ from each other by stuttering, ie, the number of times a state can adjacently repeat. Another example is executions that differ only by the ordering of independently executed events. Considering these sequences as different is semantically rather meaningless.
On the verification of sequential equivalence
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2003
The state-explosion problem limits formal verification on large sequential circuits partly because the sizes of binary decision diagrams (BDDs) sizes heavily depend on the number of variables dealt with. In the worst case, a BDD size grows exponentially with the number of variables. Thus, reducing this number can possibly increase the verification capacity. In particular, this paper shows how sequential equivalence checking can be done in the sum state space. Given two finite state machines 1 and 2 with numbers of state variables 1 and 2 , respectively, conventional formal methods verify equivalence by traversing the state space of the product machine with 1 + 2 registers. In contrast, this paper introduces a different possibility, based on partitioning the state space defined by a multiplexed machine, which can have merely max 1 2 + 1 registers. This substantial reduction in state variables potentially enables the verification of larger instances. Experimental results show the approach can verify benchmarks with up to 312 registers, including all of the control outputs of microprocessor 8085.
Theoretical Computer Science, 1990
A transformation of sequential specifications into concurrent specifications is defined. The sequential specification is in the form of a regular expression extended with a declaration of the actions that are independent and have the potential for concurrent execution. The concurrent specification is in the form of a product of regular expressions. It is proved that a concurrent specification resulting from the application of the transformation to a sequential specification modified by inserting special actions, called synchronization guards, is behaviorally equivalent to the original specification. The programming language representation of a sequential specification is exemplified in a Pascal-like language, Banach.
Coarser Equivalences for Causal Concurrency
2024
Trace theory (formulated by Mazurkiewicz in 1987) is a principled framework for de ning equivalence relations for concurrent program runs based on a commutativity relation over the set of atomic steps taken by individual program threads. Its simplicity, elegance, and algorithmic e ciency makes it useful in many di erent contexts including program veri cation and testing. It is well-understood that the larger the equivalence classes are, the more bene ts they would bring to the algorithms and applications that use them. In this paper, we study relaxations of trace equivalence with the goal of maintaining its algorithmic advantages. We rst prove that the largest appropriate relaxation of trace equivalence, an equivalence relation that preserves the order of steps taken by each thread and what write operation each read operation observes, does not yield e cient algorithms. Speci cally, we prove a linear space lower bound for the problem of checking, in a streaming setting, if two arbitrary steps of a concurrent program run are causally concurrent (i.e. they can be reordered in an equivalent run) or causally ordered (i.e. they always appear in the same order in all equivalent runs). The same problem can be decided in constant space for trace equivalence. Next, we propose a new commutativity-based notion of equivalence called grain equivalence that is strictly more relaxed than trace equivalence, and yet yields a constant space algorithm for the same problem. This notion of equivalence uses commutativity of grains, which are sequences of atomic steps, in addition to the standard commutativity from trace theory. We study the two distinct cases when the grains are contiguous subwords of the input program run and when they are not, formulate the precise de nition of causal concurrency in each case, and show that they can be decided in constant space, despite being strict relaxations of the notion of causal concurrency based on trace equivalence. CCS Concepts: • Theory of computation → Concurrency; Formal languages and automata theory; Program analysis; • Software and its engineering → Software veri cation and validation.
Model-Checking of Correctness Conditions for Concurrent Objects
Information and Computation, 2000
The notions of serializability, linearizability and sequential consistency are used in the speci cation of concurrent systems. We show that the model checking problem for each of these properties can be cast in terms of the containment of one regular language in another regular language shu ed using a semi-commutative alphabet. The three model checking problems are shown to be, respectively, in Pspace, in Expspace, and undecidable.
Necessary and Sufficient Conditions on Partial Orders for Modeling Concurrent Computations
Proceedings of the 2015 International Conference on Distributed Computing and Networking - ICDCN '15, 2015
Partial orders are used extensively for modeling and analyzing concurrent computations. In this paper, we define two properties of partially ordered sets: width-extensibility and interleaving-consistency, and show that a partial order can be a valid state based model: (1) of some synchronous concurrent computation iff it is width-extensible, and (2) of some asynchronous concurrent computation iff it is widthextensible and interleaving-consistent. We also show a duality between the event based and state based models of concurrent computations, and give algorithms to convert models between the two domains. When applied to the problem of checkpointing, our theory leads to a better understanding of some existing results and algorithms in the field. It also leads to efficient detection algorithms for predicates whose evaluation requires knowledge of states from all the processes in the system.
An Improvement in Formal Verification
Formal Description Techniques VII, 1995
Part Four Verification verification tool SPIN [H92]. Section 6 contains an evaluation of the performance of this implementation, and a comparison against both the classic search method and an existing dynarnic reduction method, ali implemented as part of the same verification system. Section 7 summarizes the results. 2. DEFINITIONS We consider any verification problem that can be formalized as a reachability analysis problem in a finite labeled transition system (LTS). This specifically includes the problems of proving safety, liveness, and linear time temporal logic properties for any finite state concurrent system. An LTS is defined as a triple {S,so ,T}, where Sis a finite set of states, s 0 is a distinguished initial state inS, and T is a finite set of transitions, with Tr;;;,(SxS). In a simple forrn, an LTS can be used to formalize the behavior of a single sequential process. It can also forrnalize the combined behavior of a finite number of interacting and asynchronously executing sequential processes. Each transition of the LTS then corresponds to the execution of a specific atomic statement within one of the processes, in accordance with a standard interleaving semantics of concurrency. The LTS can be represented by a graph with nodes corresponding to the states in S and directed edges corresponding to the transitions in T. A connected path through this graph then defines the effects of a possible execution in the underlying concurrent system. There will be at least one path through the graph for every possible way in which the execution of atomic process statements could be interleaved in time. Given a transition tE Tin an LTS, we will use the notation Label(t) to refer to the process statement that is represented by transition t, and we will use Pid(t) to refer to the sequential process that contains the statement Label(t). Without loss of generality, we assume that the mapping from transitions to process statements is unique. The reverse mapping will in general not beunique. Note that, in general, a compound process statement (such as a selection ora repetition structure) could correspond to .a series of transitions in the LTS. In the remainder of this section, therefore, the term 'statement' will always refer to a simple statement (i.e., not a compound), and can therefore be used interchangeably with the term 'transition.' The semantics of a statement a =Label(t) are defined by two functions Cond and Act, where Cond(a) is the subset of S where a is enabled (or 'executable' [H92]), and Act(a,s) is that state of S that is reached when a is executed in a given sE Cond(a). Normally, a statement in a sequential process is 'enabled' or 'executable' only if it is pointed to by the current program counter of the sequential process that contains that statement. In a concurrent system, however, we can detine additional constraints on the enabledness or executability of statements. A message send operation, for instance, can be defined to be enabled only if also the destination message buffer is non-full, and a message receive operation can be defined to be enabled when also the source message buffer is non-empty. Two statements a and bare defined tobe independent at state sE S, written as { a,b}E Ind(s), if and only if the following fi ve conditions are met: (1) SE Cond(a), i.e., statement a is enabled ins, (2) sE Cond(b), i.e., statement b is enabled ins, (3) Act(a,s) E Cond(b), i.e., the execution of a cannot disable b, (4) Act(b,s) E Cond(a), i.e., the execution of b cannot disable a, (5) Act(b,Act(a,s))=Act(a,Act(b,s)), i.e., the effect of executing a followed by b is indistinguishable from that of executing b followed by a. Note that two statements from the same sequential process, i.e., with Pid(a) =Pid(b), can not be independent. If the two statements are executed sequentially, they cannot be simultaneously
On the Equivalence-Checking Problem for Polysemantic Models of Sequential Programs
Труды Института Системного Программирования Ран, 2004
We introduce a new propositional model of computation for sequential computer programs. A distinctive feature of this model is that program runs and the results of computations are defined by means of two independent operational semantics. One of them can be regarded as an internal semantics that is used for routing runs in the control-flow graph of a program. The other one can be viewed as an observational semantics which is used for interpreting the results of a program execution. We show that some conventional models of sequential and recursive programs can be embedded into our model. We consider the equivalence-checking problem for the presented model and develop a uniform approach to the design of efficient equivalence-checking algorithms.
Verification of Temporal Properties of Concurrent Systems
DAIMI Report Series, 1993
This thesis is concerned with the verification of concurrent systems modelled by process algebras. It provides methods and techniques for reasoning about temporal properties as described by assertions from an expressive modal logic -- the modal µ-calculus. It describes a compositional approach to model checking, efficient local and global algorithms for model checking finite-state systems, a general local fixed-point finding algorithm, a proof system for model checking infinite-state systems, a categorical completeness result for an intuitionistic version of the modal µ-calculus, and finally it shows some novel applications of the logic for expressing behavioural relations.