Results 1 
9 of
9
Scopebounded Multistack Pushdown Systems: FixedPoint, Sequentialization, and TreeWidth
, 2012
"... We present a novel fixedpoint algorithm to solve reachability of multistack pushdown systems restricted to runs of boundedscope. The followed approach is compositional, in the sense that the runs of the system are summarized by boundedsize interfaces. Moreover, it is suitable for a direct implem ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
(Show Context)
We present a novel fixedpoint algorithm to solve reachability of multistack pushdown systems restricted to runs of boundedscope. The followed approach is compositional, in the sense that the runs of the system are summarized by boundedsize interfaces. Moreover, it is suitable for a direct implementation and can be exploited to prove two new results. We give a sequentialization for this class of systems, i.e., for each such multistack pushdown system we construct an equivalent singlestack pushdown system that faithfully simulates the behaviour of each thread. We prove that the behaviour graphs (multiply nested words) for these systems have bounded threewidth, and thus a number of decidability results can be derived from Courcelle’s theorem.
Natural Proofs for Asynchronous Programs using AlmostSynchronous Reductions
"... We consider the problem of provably verifying that an asynchronous messagepassing system satisfies its local assertions. We present a novel reduction scheme for asynchronous eventdriven programs that finds almostsynchronous invariants — invariants consisting of global states where message buf ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
We consider the problem of provably verifying that an asynchronous messagepassing system satisfies its local assertions. We present a novel reduction scheme for asynchronous eventdriven programs that finds almostsynchronous invariants — invariants consisting of global states where message buffers are close to empty. The reduction finds almostsynchronous invariants and simultaneously argues that they cover all local states. We show that asynchronous programs often have almostsynchronous invariants and that we can exploit this to build natural proofs that they are correct. We implement our reduction strategy, which is sound and complete, and show that it is more effective in proving programs correct as well as more efficient in finding bugs in several programs, compared to current search strategies which almost always diverge. The high point of our experiments is that our technique can prove the Windows Phone USB Driver written in P [9] correct for the responsiveness property, which was hitherto not provable using stateoftheart modelcheckers.
Finding nonterminating executions in distributed asynchronous programs
, 2012
"... Abstract. Programming distributed and reactive asynchronous systems is complex due to the lack of synchronization between concurrently executing tasks, and arbitrary delay of messagebased communication. As even simple programming mistakes have the capability to introduce divergent behavior, a key l ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Programming distributed and reactive asynchronous systems is complex due to the lack of synchronization between concurrently executing tasks, and arbitrary delay of messagebased communication. As even simple programming mistakes have the capability to introduce divergent behavior, a key liveness property is eventual quiescence: for any finite number of external stimuli (e.g., clientgenerated events), only a finite number of internal messages are ever created. In this work we propose a practical threestep reductionbased approach for detecting divergent executions in asynchronous programs. As a first step, we give a codetocode translation reducing divergence of an asynchronous program P to completed statereachability—i.e., reachability to a given state with no pending asynchronous tasks—of a polynomiallysized asynchronous program P ′. In the second step, we give a codetocode translation underapproximating completed statereachability of P ′ by statereachability of a polynomiallysized recursive sequential program P ′ ′ (K), for the given analysis parameter K ∈ N. Following Emmi et al. [8]’s delaybounding approach, P ′ ′ (K) encodes a subset of P ′ ’s, and thus of P ’s, behaviors by limiting scheduling nondeterminism. As K is increased, more possibly divergent behaviors of P are considered, and in the limit as K approaches infinity, our reduction is complete for programs with finite data domains. As the final step we give the resulting statereachability query to an offtheshelf SMTbased sequential program verification tool. We demonstrate the feasibility of our approach by implementing a prototype analysis tool called Alive, which detects divergent executions in several handcoded variations of textbook distributed algorithms. As far as we are aware, our easytoimplement prototype is the first tool which automatically detects divergence for distributed and reactive asynchronous programs. 1
An SMTbased approach to coverability analysis
 In CAV 2014
, 2014
"... Abstract. Model checkers based on Petri net coverability have been used successfully in recent years to verify safety properties of concurrent sharedmemory or asynchronous messagepassing software. We revisit a constraint approach to coverability based on classical Petri net analysis techniques. We ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Model checkers based on Petri net coverability have been used successfully in recent years to verify safety properties of concurrent sharedmemory or asynchronous messagepassing software. We revisit a constraint approach to coverability based on classical Petri net analysis techniques. We show how to utilize an SMT solver to implement the constraint approach, and additionally, to generate an inductive invariant from a safety proof. We empirically evaluate our procedure on a large set of existing Petri net benchmarks. Even though our technique is incomplete, it can quickly discharge most of the safe instances. Additionally, the inductive invariants computed are usually orders of magnitude smaller than those produced by existing solvers. 1
Compatibility Checking for Asynchronously Communicating Software
"... Abstract. Compatibility is a crucial problem that is encountered while constructing new software by reusing and composing existing components. A set of software components is called compatible if their composition preserves certain properties, such as deadlock freedom. However, checking compatibil ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Compatibility is a crucial problem that is encountered while constructing new software by reusing and composing existing components. A set of software components is called compatible if their composition preserves certain properties, such as deadlock freedom. However, checking compatibility for systems communicating asynchronously is an undecidable problem, and asynchronous communication is a common interaction mechanism used in building software systems. A typical approach in analyzing such systems is to bound the state space. In this paper, we take a different approach and do not impose any bounds on the number of participants or the sizes of the message buffers. Instead, we present a sufficient condition for checking compatibility of a set of asynchronously communicating components. Our approach relies on the synchronizability property which identifies systems for which interaction behavior remains the same when asynchronous communication is replaced with synchronous communication. Using the synchronizability property, we can check the compatibility of systems with unbounded message buffers by analyzing only a finite part of their behavior. We have implemented a prototype tool to automate our approach and we have applied it to many examples. 1
Parameterized Verification of Communicating Automata under Context Bounds
 In RP’14, LNCS 8762
, 2014
"... Abstract. We study the verification problem for parameterized communicating automata (PCA), in which processes synchronize via message passing. A given PCA can be run on any topology of bounded degree (such as pipelines, rings, or ranked trees), and communication may take place between any two proc ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We study the verification problem for parameterized communicating automata (PCA), in which processes synchronize via message passing. A given PCA can be run on any topology of bounded degree (such as pipelines, rings, or ranked trees), and communication may take place between any two processes that are adjacent in the topology. Parameterized verification asks if there is a topology from a given topology class that allows for an accepting run of the given PCA. In general, this problem is undecidable even for synchronous communication and simple pipeline topologies. We therefore consider contextbounded verification, which restricts the behavior of each single process. For several variants of context bounds, we show that parameterized verification over pipelines, rings, and ranked trees is decidable. More precisely, it is PSPACEcomplete for pipelines and rings, and EXPTIMEcomplete for ranked trees. Our approach is automatatheoretic. We build a finite (tree, respectively) automaton that identifies those topologies that allow for an accepting run of the given PCA. The verification problem then reduces to checking nonemptiness of that automaton. 1
ProjectTeams Convecs Stability of Asynchronously Communicating Systems
, 2014
"... ha l0 ..."
(Show Context)
Author manuscript, published in "FACS 2013, Nanchang: China (2013)" Compatibility Checking for Asynchronously Communicating Software
, 2013
"... Abstract. Compatibility is a crucial problem that is encountered while constructing new software by reusing and composing existing components. A set of software components is called compatible if their composition preserves certain properties, such as deadlock freedom. However, checking compatibilit ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. Compatibility is a crucial problem that is encountered while constructing new software by reusing and composing existing components. A set of software components is called compatible if their composition preserves certain properties, such as deadlock freedom. However, checking compatibility for systems communicating asynchronously is an undecidable problem, and asynchronous communication is a common interaction mechanism used in building software systems. A typical approach in analyzing such systems is to bound the state space. In this paper, we take a different approach and do not impose any bounds on the number of participants or the sizes of the message buffers. Instead, we present a sufficient condition for checking compatibility of a set of asynchronously communicating components. Our approach relies on the synchronizability property which identifies systems for which interaction behavior remains the same when asynchronous communication is replaced with synchronous communication. Using the synchronizability property, we can check the compatibility of systems with unbounded message buffers by analyzing only a finite part of their behavior. We have implemented a prototype tool to automate our approach and we have applied it to many examples. 1