Revising UNITY Programs: Possibilities and Limitations - PowerPoint PPT Presentation
1
Revising UNITY Programs: Possibilities and Limitations
Ali Ebnenasir, Sandeep S. Kulkarni, Borzoo Bonakdarpour
  • Software Engineering and Network Systems Laboratory (SENS)

2
Motivation
Question: Is it possible to revise the program such that it satisfies the
failed property automatically?
3
Motivation (cont.)
[Figure: an incomplete specification and the requirements feed the designer, who produces the program]
Question: Is it possible to add a newly discovered property to the program
automatically?
4
Motivation (cont.)
  • Automatic Program Revision
    • Comprehensive redesign: the designer redesigns the program from scratch.
    • Local redesign: the designer removes the undesired behaviors from the set
      of program computations.
      • Provides reusability of previous efforts made for synthesizing existing
        programs.
      • Has the potential to preserve efficiency.
      • In some cases, lies in lower classes of complexity.

5
Motivation (cont.)
  • UNITY programs and properties
    • A simple and general computational model
    • Provides a logic and a proof system for specifying, designing, and
      verifying programs.
  • Goal: Locally redesign UNITY programs to incrementally add UNITY properties.

6
Outline
  • Preliminary Concepts
  • Programs
  • UNITY Safety and Liveness Properties
  • Adding Multiple UNITY Safety Properties
  • Adding a Single Leads-to Property
  • Adding Two Leads-to Properties
  • Open Problems
  • Related Work
  • Conclusion

7
Preliminary Concepts
  • A program $p$ is a triple $p = \langle S_p, I_p, \delta_p \rangle$, i.e., a
    finite state space, a set of initial states, and a set of program transitions.
  • A state predicate is any subset of $S_p$.
  • A computation $\sigma = \langle s_0, s_1, \ldots \rangle$ is a state sequence
    such that
    • $s_0 \in I_p$
    • $\forall i > 0: (s_{i-1}, s_i) \in \delta_p$
    • if $\sigma$ terminates in state $s_f$ then there does not exist $s$ such
      that $(s_f, s) \in \delta_p$.

8
Preliminary Concepts (cont.)
  • UNITY Properties
    • Safety
      • $P$ unless $Q$
      • stable($P$)
      • invariant($P$)
    • Liveness
      • $P$ leads-to $Q$

[Figure: two state sequences labelled with $P$ and $Q$, illustrating $P$ unless $Q$ and $P$ leads-to $Q$]
9
Preliminary Concepts (cont.)
  • A specification is a conjunction of a set of UNITY properties:
    $spec = L_1 \wedge L_2 \wedge \cdots \wedge L_n$
  • A computation $\sigma$ satisfies $spec$ iff $\forall i\,(0 < i \le n):
    \sigma$ satisfies $L_i$
  • A program $p$ satisfies $spec$ iff all computations of $p$
    • are infinite
    • satisfy $spec$.

10
Problem Statement
[Figure: Program $p = \langle S_p, I_p, \delta_p \rangle$ and UNITY specification $spec_n$ are the inputs of the Synthesis Algorithm, whose output is Program $p' = \langle S_{p'}, I_{p'}, \delta_{p'} \rangle$]
  • Formulation of the problem
    • $p'$ satisfies the existing UNITY specification $spec_e$
    • $S_{p'} = S_p$
    • $I_{p'} = I_p$
    • $\delta_{p'} \subseteq \delta_p$
    • All computations of $p'$
      • are infinite
      • satisfy $spec_n$.

11
Adding Single Leads-to Property ($R \mapsto T$)
Case 1: Deadlock states
Remove transitions $(s_1, s_2)$ if $s_2 \in R$ and $T$ is not reachable from $s_2$.
[Figure: state space $S_p$ with initial state $s_0 \in I_p$, a transition from $s_1$ to $s_2$, and the regions $R$ and $T$]
12
Adding Single Leads-to Property ($R \mapsto T$)
Case 2: Cycles
Remove cycles reachable from $R$ without reaching $T$.
[Figure: state space $S_p$ with $I_p$, $R$, $T$ and states $s_0$ to $s_4$, where the states reachable from $R$ form a cycle that never enters $T$]
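The two cases on slides 11 and 12, as an added worked example in Python (not code from the slides or from the authors): a program is a dict from each state to its successor set, and the two steps are this example's own formulation of the cases, namely a fixpoint that marks $R$-states that can never reach $T$ (and anything left without a successor) as bad, followed by keeping only transitions that strictly decrease the distance to $T$ on the states reachable from $R$.

```python
from collections import deque
INF = float("inf")

def dist_to(states, trans, target):
    """Shortest distance from every state to `target` (INF if unreachable)."""
    rev = {s: set() for s in states}
    for s in states:
        for t in trans[s]:
            rev[t].add(s)
    dist = {s: (0 if s in target else INF) for s in states}
    todo = deque(target)
    while todo:
        s = todo.popleft()
        for u in rev[s]:
            if dist[u] == INF:
                dist[u] = dist[s] + 1
                todo.append(u)
    return dist

def add_leads_to(states, init, trans, R, T):
    """Subset of trans under which all computations are infinite and satisfy
    R leads-to T, or None if an initial state cannot avoid a violation."""
    bad = set()
    while True:  # Case 1 (deadlocks): an R-state that cannot reach T is bad, and so
        # is any state left without successors once transitions into bad states go.
        cur = {s: set(trans[s]) - bad for s in states}
        rank = dist_to(states, cur, T)
        more = {s for s in states if s not in bad
                and (not cur[s] or (s in R and rank[s] == INF))}
        if not more:
            break
        bad |= more
    if bad & init:
        return None
    # Case 2 (cycles): from states reachable from R without passing through T,
    # keep only transitions that strictly decrease the distance to T.
    seen, todo = set(R), deque(R)
    while todo:
        s = todo.popleft()
        for t in (cur[s] if s not in T else ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    for s in seen - T:
        if rank[s] < INF:
            cur[s] = {t for t in cur[s] if rank[t] < rank[s]}
    return cur

# Constructed program (not from the slides): s2 is a deadlocked R-state, s1 <-> s3 a cycle.
PROGRAM = {"s0": {"s1"}, "s1": {"s2", "s3"}, "s2": set(), "s3": {"s1", "s4"}, "s4": {"s4"}}
```

With `init = {"s0"}`, `R = {"s1", "s2"}`, `T = {"s4"}` the revision drops `(s1, s2)` and the back edge `(s3, s1)`; asking instead for `T = {"s2"}` returns `None`, since `s2` deadlocks and the only initial state is then forced into a violation.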
13
Soundness and Completeness
  • Theorem 1: The algorithm for adding multiple UNITY safety properties along
    with a leads-to property is sound and complete.
  • Fixability
  • Theorem 2: The algorithm for adding multiple UNITY safety properties along
    with a leads-to property is in P.

14
Adding Two Leads-to Properties
  • Adding two leads-to properties one after another

[Figure: state space $S_p$ with $I_p$, the regions $P$, $Q$, $R$, $T$ and states $s_0$ to $s_9$]
15
Adding Two Leads-to Properties (cont.)
  • Adding two leads-to properties simultaneously
    • NP-complete in the size of the input program.
    • Reduction from the 3SAT problem.
  • Instance: Given are a set of Boolean variables $x_1, \ldots, x_n$ and a
    propositional formula of the form $Y = (y_1 \wedge y_2 \wedge \cdots \wedge y_m)$,
    where each $y_i$ is a disjunction of exactly three literals
    (e.g., $x_1 \vee \neg x_2 \vee x_3$).
  • Question: Does there exist a truth assignment such that the formula is
    satisfiable?

16
Reduction
  • States of the instance
    • $I_p = \{c_j \mid 1 \le j \le M\}$
    • $S_p = \{P_i, a_i, Q_i, R_i, b_i, T_i \mid 1 \le i \le n\} \cup \{c_j \mid 1 \le j \le M\}$
    • $P = \{P_i \mid 1 \le i \le n\}$
    • $Q = \{Q_i \mid 1 \le i \le n\}$
    • $R = \{R_i \mid 1 \le i \le n\}$
    • $T = \{T_i \mid 1 \le i \le n\}$

[Figure: each clause $y_j$ maps to the state $c_j$]
  • Transitions of the instance
    • If $x_i$ is a literal in $y_j$, we include $(c_j, P_i)$
    • If $\neg x_i$ is a literal in $y_j$, we include $(c_j, R_i)$

[Figure: each variable $x_i$ maps to a gadget over the states $P_i, a_i, Q_i, R_i, b_i, T_i$]
  • $spec_n$ of the instance
    • $(P \mapsto Q) \wedge (R \mapsto T)$

17
Open Problems
  • Adding two ensures properties
    • $P$ ensures $Q$
18
Other Results
  • Adding time-bounded liveness properties to real-time programs
  • Adding masking fault-tolerance to real-time programs

19
Related Work
  • Synthesis from specification
    • E. A. Emerson, E. Clarke. Using branching time temporal logic to
      synthesize synchronization skeletons.
    • Z. Manna, P. Wolper. Synthesis of communicating processes from temporal
      logic specifications.
  • Transforming fault-intolerant programs into fault-tolerant
    • Sandeep S. Kulkarni, A. Arora. Automating the addition of fault-tolerance.
    • Sandeep S. Kulkarni, A. Ebnenasir. Enhancing the fault-tolerance of
      nonmasking programs.
    • Sandeep S. Kulkarni, A. Ebnenasir. Automatic synthesis of multitolerance.

20
Conclusion
  • Synthesis method for adding a leads-to property along with multiple UNITY
    safety properties that
    • Provides reusability of previous synthesis efforts
    • Has the potential to preserve efficiency
    • Lies in lower classes of complexity
    • Shows fixability of a program with respect to a UNITY property
  • Adding two leads-to properties simultaneously is NP-complete.
  • Open problems

21
  • Thank You!

22
Preliminary Concepts (cont.)
  • UNITY Properties
  • Safety properties
    • A computation $\sigma = \langle s_0, s_1, \ldots \rangle$ satisfies
      $P$ unless $Q$ iff
      $\forall i \ge 0: (s_i \in (P \wedge \neg Q)) \Rightarrow (s_{i+1} \in (P \vee Q))$.
    • A computation $\sigma$ satisfies stable($P$) iff $\sigma$ satisfies
      ($P$ unless false).
    • A computation $\sigma = \langle s_0, s_1, \ldots \rangle$ satisfies
      invariant($P$) iff $s_0 \in P$ and $\sigma$ satisfies stable($P$).
  • Liveness properties
    • A computation $\sigma = \langle s_0, s_1, \ldots \rangle$ satisfies
      $P$ leads-to $Q$ (denoted $P \mapsto Q$) iff
      $\forall i \ge 0: (s_i \in P) \Rightarrow (\exists j \ge i: s_j \in Q)$
  • Safety and Liveness Properties
    • A computation $\sigma = \langle s_0, s_1, \ldots \rangle$ satisfies
      $P$ ensures $Q$ iff ($P \mapsto Q$) and ($P$ unless $Q$)

23
Adding Multiple Safety Properties
  • UNITY safety properties can be specified in terms of a set $B$ of bad
    transitions that must not occur in any computation.
  • Example

[Figure: a transition from a state in $P$ to a state in $\neg P$, which violates stable($P$)]
  • In order to add UNITY safety properties specified by $B$, all we need to do is
    • $\delta_{p'} = \delta_p - \{(s_0, s_1) \mid (s_0, s_1) \in B\}$
  • What if we want to add multiple safety properties along with a liveness
    property?
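An added example in Python, not code from the slides or the authors: the set $B$ of bad transitions for $P$ unless $Q$ (and hence for stable and invariant, following the definitions on slide 22) computed over a constructed program, the one-step removal $\delta_{p'} = \delta_p - B$, and a deadlock check that shows why the closing question about liveness matters, since dropping transitions can leave a reachable state with no successor.

```python
from collections import deque

def reachable(init, trans):
    """States that occur in some computation started from init."""
    seen, todo = set(init), deque(init)
    while todo:
        s = todo.popleft()
        for t in trans[s] - seen:
            seen.add(t)
            todo.append(t)
    return seen

def bad_transitions(init, trans, P, Q):
    """The set B for `P unless Q`: reachable steps that leave P without entering Q."""
    return {(s, t) for s in reachable(init, trans) for t in trans[s]
            if s in P and s not in Q and t not in P and t not in Q}

def satisfies_unless(init, trans, P, Q):
    return not bad_transitions(init, trans, P, Q)

def satisfies_stable(init, trans, P):
    return satisfies_unless(init, trans, P, set())  # stable(P) is P unless false

def satisfies_invariant(init, trans, P):
    return init <= P and satisfies_stable(init, trans, P)

def add_safety(trans, B):
    """delta' = delta minus B: the slide's one-step addition of safety properties."""
    return {s: {t for t in succ if (s, t) not in B} for s, succ in trans.items()}

def has_deadlock(init, trans):
    """True if some reachable state has no outgoing transition (a finite computation)."""
    return any(not trans[s] for s in reachable(init, trans))

# Constructed program (not from the slides): the step s2 -> s3 leaves P = {s1, s2}.
TRANS = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s1", "s3"}, "s3": {"s3"}}
INIT, P = {"s0"}, {"s1", "s2"}

def demo():
    """Compute B for stable(P), remove it, then re-check stable(P) and deadlock freedom."""
    B = bad_transitions(INIT, TRANS, P, set())
    revised = add_safety(TRANS, B)
    return B, satisfies_stable(INIT, revised, P), has_deadlock(INIT, revised)
```

Here `B = {("s2", "s3")}` and the revised program still has an infinite computation through `s1 <-> s2`; had `s3` been the only successor of `s2`, the same removal would have left `s2` deadlocked, which is exactly the situation the leads-to algorithm on the following slides has to handle.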

24
Adding Single Leads-to Property ($R \mapsto T$)
Step 3: Remove deadlock states.
Step 4: Re-rank all the states and start over until $T$ is reachable from all
the states in $R$.
[Figure: state space $S_p$ with $I_p$, $s_0$, the regions $R$ and $T$ and states $s_2$, $s_3$, $s_4$; the attempt ends in "Failure!"]
25
Reduction (3SAT ? Adding two leads-to)
  • $S_{p'} = S_p$
  • $I_{p'} = I_p$
  • $\delta_{p'} \subseteq \delta_p$
  • $p$ satisfies $spec_n$
  • $Y = (x_1 \vee \neg x_2 \vee x_3) \wedge (x_1 \vee x_2 \vee \neg x_4)$, where
  • $x_1$ = true, $x_2$ = false, $x_3$ = false, $x_4$ = false

[Figure: the instance built for $Y$, with states $P_i$, $R_i$, $a_i$, $b_i$, $Q_i$, $T_i$ for $i = 1, \ldots, 4$]
26
Reduction (Adding two leads-to ? 3SAT)
  • Truth assignments
    • If $P_i$ is reachable from $c_j$ then $x_i$ is assigned true.
    • Otherwise, $x_i$ is assigned false.
  • The above assignment satisfies all disjunctions.
  • The value of each variable is uniquely true or false.

[Figure: the clause state $c_j$ for $y_j$ and the states of variable $x_i$, including $Q_i$]
27
Example