Liveness with Counter Abstraction
Amir Pnueli, Jessie Xu and Lenore Zuck
The Parameterized Verification Problem
Given a system S(N) and a property f, does S(N) satisfy f for every N?
where
Lesson from Experience…
In order to verify a reactive system:
• If it is finite state – model check it
• If it is infinite – verify it deductively
But abstraction makes it all simpler!
Data Abstraction
Verifying that an infinite-state system S satisfies a property f using abstraction:
• abstract the system into a simpler finite-state system that admits more behaviors
• abstract the property to an abstract property
• model check the abstract system with respect to the abstract property
• conclude that the concrete system satisfies the concrete property
Counter Abstraction
Assumptions on the concrete system:
• the control variable of the processes ranges over 0,…
• the shared variables are y_1,…,y_b
• there are no local variables
The variables of the counter abstracted system are K_0,…,K_L : {0,1,2} and Y_1,…,Y_b, where
• K_l = 0 if no process is in control location l
• K_l = 1 if there is exactly one process in control location l
• K_l = 2 if there are at least two processes in control location l
A Toy Example: Mutex
where
Fairness requirements:
Justice:
Compassion:
A Toy Example: Mutex
Safety property – mutual exclusion:
Liveness property – individual accessibility (true only with fairness):
where
A Toy Example: Mutex
Concrete safety property – mutual exclusion:
Abstract safety property – mutual exclusion:
Mutex after Counter Abstraction (graphical representation)
Safety follows trivially!
Abstracting Justice requirements
From the concrete justice requirement we can obtain the abstract requirement, since if a process is not in control location 2 it is either in control location 0 or 1.
Verifying Liveness in Mutex
Unfortunately, the abstract justice requirement doesn't discard any states, so any liveness property that is not valid for Mutex without justice cannot be proven in this abstract system.
Strengthening Justice Requirements
Conclusion: we need to derive more/stronger fairness requirements.
How? We provide 4 guidelines (in two slides…)
Strengthening Justice Requirements
If the concrete system contains the justice
then we can safely add the abstract justice
Why?
• suppose a state satisfies
• then there exists exactly one process, say i, in location l
• the process i violates its justice requirement
• to fulfill it, it must exit location l sometime in the future
• when it exits, the abstract condition must hold, since another process cannot enter location l (execute a transition) at the same step
Strengthening Justice Requirements
is a condition on shared variables
leads only to
Emerges from
Strengthening Justice for Mutex
From the concrete justice and the concrete compassion we can conclude the concrete justice
Strengthening Justice for Mutex
Automatically obtained
Verifying Liveness using Counter Abstraction
Counter abstraction does not allow us to observe the behavior of an individual process, thus we cannot verify the liveness property of individual accessibility. We can, however, verify the liveness property of communal accessibility (livelock freedom), which is abstracted to
Verifying Liveness
Model Checking [LP85]
• Extract from the state-transition graph the sub-graph of pending states. A pending state is any state which is reachable from a p-state by a q-free path.
• Show that the extracted sub-graph contains no infinite fair path:
  • Decompose the sub-graph into maximal SCCs
  • Show that each of them violates some fairness requirement
Verifying communal accessibility for Mutex
To establish it we have to remove all states that are not on a q-free path reachable from a p-state.
Verifying communal accessibility for Mutex
Each maximal SCC (each node) violates the abstract justice. Hence communal accessibility holds!
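The LP85 procedure (pending sub-graph, maximal SCCs, a fairness violation per SCC) run on the communal accessibility check for Mutex, as an added Python example that is not code from the paper; the three-location Mutex, its abstract transition rules, the initial state and the two abstract justice requirements J_ENTER/J_EXIT are constructed assumptions. Dropping J_ENTER makes the check fail, which is the "true only with fairness" point from the Mutex slides.

```python
# Constructed counter abstraction of a 3-location Mutex (not the paper's own
# model): each process cycles 0 (idle) -> 1 (trying) -> 2 (critical) -> 0
# under a binary semaphore y.  Abstract state = (K0, K1, K2, Y), K_l in
# {0,1,2}: 0 = no process at l, 1 = exactly one process, 2 = at least two.

def dec(k):   # a process leaves l: "at least two" may stay 2 or drop to 1
    return [0] if k == 1 else [1, 2]
def inc(k):   # a process enters l
    return min(k + 1, 2)

def successors(s):
    k0, k1, k2, y = s
    out = set()
    if k0 >= 1:               # 0 -> 1: start trying
        out |= {(a, inc(k1), k2, y) for a in dec(k0)}
    if k1 >= 1 and y == 1:    # 1 -> 2: enter the critical section, take y
        out |= {(k0, a, inc(k2), 0) for a in dec(k1)}
    if k2 >= 1:               # 2 -> 0: leave the critical section, release y
        out |= {(inc(k0), k1, a, 1) for a in dec(k2)}
    return out

def reach(src, ok):
    # States reachable from `src` by a non-empty path through `ok` states.
    seen, todo = set(), [src]
    while todo:
        for t in successors(todo.pop()):
            if ok(t) and t not in seen:
                seen.add(t); todo.append(t)
    return seen

def pending(states, p, q):
    # Pending states: reachable from a p-state along a q-free path.
    seeds = {s for s in states if p(s) and not q(s)}
    return seeds.union(*(reach(s, lambda t: not q(t)) for s in seeds))

def nontrivial_sccs(nodes):
    # Maximal SCCs that contain a cycle; only these admit an infinite path.
    fwd = {v: reach(v, lambda t: t in nodes) for v in nodes}
    comps = []
    for v in nodes:
        if v in fwd[v] and not any(v in c for c in comps):
            comps.append({w for w in fwd[v] if v in fwd[w]})
    return comps

def responds(states, p, q, justice):
    # p => eventually q holds iff every non-trivial pending SCC violates some
    # justice J (no state of the SCC satisfies J, so a run trapped there is unfair).
    return all(any(not any(j(s) for s in c) for j in justice)
               for c in nontrivial_sccs(pending(states, p, q)))

# Assumed abstract justice: an enabled 1->2 (resp. 2->0) move is eventually
# taken, so its enabling condition is false infinitely often.
J_ENTER = lambda s: not (s[1] >= 1 and s[3] == 1)
J_EXIT = lambda s: not (s[2] >= 1)
AT_1 = lambda s: s[1] >= 1   # some process is trying
AT_2 = lambda s: s[2] >= 1   # some process is in the critical section

def communal_accessibility(justice=(J_ENTER, J_EXIT)):
    init = (2, 0, 0, 1)       # many idle processes, semaphore free
    return responds(reach(init, lambda t: True) | {init}, AT_1, AT_2, justice)
```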
Counter Abstraction Save One
To prove individual accessibility:
• Counter abstract all the processes except one
• Model check that the abstract system composed with one concrete process satisfies the liveness property for the concrete process
Counter Abstraction Save One – Mutex
Graphical representation of Mutex under counter abstraction save one
Counter Abstraction Save One – Mutex
Considering the compassion requirement and the fact that no state satisfies the condition it refers to, we can remove all states satisfying that condition.
Counter Abstraction Save One – Mutex
Each maximal SCC (each node) violates the abstract justice. Hence individual accessibility holds!
Adding Compassion requirements
Consider program TERMINATE and the liveness property
The abstracted liveness property is
The counter abstraction of the program is
Adding Compassion requirements
From the concrete justice we obtain the abstract justice.
The abstract computation can stay forever in one state, which violates the liveness property!
Adding Compassion requirements
• Augment the system with two auxiliary variables
• For each transition:
  If set
  Else set
• Add to the concrete compassion
• Counter abstract the augmented system
• For every justice requirement include the abstract requirement
Verifying Liveness for TERMINATE
The transition graph for augmented TERMINATE
Abstract compassion obtained from abstract justice using
Hence the liveness property holds!
Success with Counter Abstraction
• Szymanski's mutual exclusion algorithm
• The Bakery Algorithm (shared variables are unbounded)
• Probabilistic mutual exclusion protocol