Improving the Precision of INCA by Preventing Spurious Cycles

Slides: 45
Provided by: Gri57

1
Improving the Precision of INCA by Preventing
Spurious Cycles
  • Stephen F. Siegel and George S. Avrunin
  • University of Massachusetts
  • Laboratory for Advanced Software Engineering
    Research

2
Approaches to Finite State Verification
  • Traditional Reachability
    • Enumerate all states
    • Precise, but State Explosion Problem
  • INCA approach
    • Formulate necessary conditions for the existence of a violation
    • Trade precision for tractability

3
How INCA Works
[Figure: INCA pipeline diagram. Labels: Query, Source, INCA Front End, FSAs, INCA Back End, Integer Linear Programming (ILP) Problem, CPLEX, answer; the front end and back end are grouped as INCA.]
4
Inequality Necessary Condition Analyzer
5
Simple Example
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges labelled a, b and c.]
6
Property for simple example
Requirement: On no execution is there a b preceded by an a.
(defquery no-a-before-b nofair
(omega-star-less (sequence (interval
initial t ends-with ((rend
t3t1.b)) require ((rend
t2t1.a))))))
7
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]
8
$x_2 + x_4 = x_1 + x_6$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]
9
$x_2 + x_4 = x_1 + x_6$, $x_5 + x_6 = x_4 + x_5$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]
10
$x_2 + x_4 = x_1 + x_6$, $x_6 = x_4$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]
11
Flow Equations
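$x_1 = 1$, $x_2 + x_4 = x_1 + x_6$, $x_3 + 1 = x_2 + x_3$, $x_6 = x_4$, $x_7 = 1$, $x_8 + 1 = x_7 + x_8$, $x_9 = 1$, $1 = x_9$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]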
12
Flow Equations
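$x_1 = 1$, $x_2 + x_4 = x_1 + x_6$, $x_3 + 1 = x_2 + x_3$, $x_6 = x_4$, $x_7 = 1$, $x_8 + 1 = x_7 + x_8$, $x_9 = 1$, $1 = x_9$
$x_8 = x_3 + x_4 + x_5$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]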
13
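Flow Equations
$x_1 = 1$, $x_2 + x_4 = x_1 + x_6$, $x_3 + 1 = x_2 + x_3$, $x_6 = x_4$, $x_7 = 1$, $x_8 + 1 = x_7 + x_8$, $x_9 = 1$, $1 = x_9$
Communication Equations
$x_8 = x_3 + x_4 + x_5$, $x_9 = x_2$, $x_7 = x_1 + x_6$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]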
14
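Flow Equations
$x_1 = 1$, $x_2 + x_4 = x_1 + x_6$, $x_3 + 1 = x_2 + x_3$, $x_6 = x_4$, $x_7 = 1$, $x_8 + 1 = x_7 + x_8$, $x_9 = 1$, $1 = x_9$
Communication Equations
$x_8 = x_3 + x_4 + x_5$, $x_9 = x_2$, $x_7 = x_1 + x_6$
Requirement Inequality
$x_8 \ge 1$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]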
15
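Flow Equations
$x_1 = 1$, $x_2 + x_4 = x_1 + x_6$, $x_3 + 1 = x_2 + x_3$, $x_6 = x_4$, $x_7 = 1$, $x_8 + 1 = x_7 + x_8$, $x_9 = 1$, $1 = x_9$
Communication Equations
$x_8 = x_3 + x_4 + x_5$, $x_9 = x_2$, $x_7 = x_1 + x_6$
Requirement Inequality
$x_8 \ge 1$
[Figure: task FSAs t1, t2 and t3 with numbered nodes and edges, edges labelled a, b and c.]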
16
Spurious Cycle
17
The Cycle Elimination Problem
  • Add constraints to the ILP system so that
    • (i) any solution with disconnected flow is eliminated, and
    • (ii) no connected solutions are eliminated.
  • Naïve solution: exponential number of constraints
  • Our solution: linear

18
Distinguishing Solutions
19
Distinguishing Solutions
20
Connected solution has spanning tree
21
Our Solution to Cycle Elimination Problem
  • Add to INCA-generated ILP Problem
    • For each node v: new variable $d_v$
    • For each edge e: new binary variable $s_e$

22
Given connected solution
Let $s_e = 1$ if e is in the spanning tree, 0 otherwise. Let $d_v$ = depth of v in the tree if v is in the solution, 0 otherwise.
[Figure: example graph with nodes and edges annotated with these values.]
23
Constraints
(i) For each edge e: if $x_e = 0$ then $s_e = 0$.
[Figure: example graph with nodes and edges annotated with values.]
24
Constraints
(i) For each edge e: if $x_e = 0$ then $s_e = 0$.
(ii) For each edge e = (u,v): if $s_e = 1$ then $d_v > d_u$.
[Figure: example graph with nodes and edges annotated with values.]
25
Constraints
(i) For each edge e: if $x_e = 0$ then $s_e = 0$.
(ii) For each edge e = (u,v): if $s_e = 1$ then $d_v > d_u$.
(iii) For each node v: if $\sum x_e > 0$ then for some e = (u,v), $s_e = 1$.
[Figure: example graph with nodes and edges annotated with values.]
26
Disconnected solution cannot satisfy constraints
(i) For each edge e: if $x_e = 0$ then $s_e = 0$.
(ii) For each edge e = (u,v): if $s_e = 1$ then $d_v > d_u$.
(iii) For each node v: if $\sum x_e > 0$ then for some e = (u,v), $s_e = 1$.
[Figure: nodes u and v and edge e.]
27
Expressing Constraints in ILP
Suppose $x, y \ge 0$. Problem: express "if $x = 0$ then $y = 0$" as a linear constraint. Impossible!
[Figure: plot with axes x and y.]
28
Expressing Constraints in ILP
Suppose $x, y \ge 0$. Problem: express "if $x = 0$ then $y = 0$" as a linear constraint. Impossible! (But $y \le xy$ works.)
[Figure: plot with axes x and y.]
29
If $x = 0$ then $y = 0$
Add restriction $0 \le y \le B$.
Then "if $x = 0$ then $y = 0$" is equivalent to $y \le Bx$.
[Figure: plot with axes x and y, with the bound B marked.]
30
Compromise
  • We must use bounds $0 \le x_e \le B$ for flow variables.
  • For experiments, B = 10,000.
  • Strictly speaking, INCA analysis is not
    conservative.

31
Preliminary Experiments
  • Can we solve a problem we could not solve before?
  • How does cost (CPLEX time) scale?
  • Compare cost to inconclusive case.
  • For problems we could already solve
  • Compare cost of using cycle-elimination with cost
    of not using it

32
Experiment 1: Scaled Simple
  • tasks: linear in n
  • nodes: linear in n
  • edges: quadratic in n
  • new variables: quadratic in n
  • new constraints: quadratic in n

33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
Conclusions
  • Technique eliminates solutions with spurious
    cycles, but not real solutions (except for those
    which exceed bound).
  • Number of new variables and constraints is linear in
    the number of nodes and edges.
  • ILP analysis time seems quite reasonable.

37
Future Work
  • Fully incorporate cycle-elimination into INCA.
  • Do extensive experimentation.
  • Work on the other major source of imprecision in
    INCA, the Order Problem:
    • solutions in which there is no global ordering of
      events which is consistent with the order implied
      by the flow in each task.

38
Expressing Constraint (i)
(i) For each edge e: if $x_e = 0$ then $s_e = 0$.
(i') For each edge e: $x_e \ge s_e$
39
Expressing Constraint (ii)
(ii) For each edge e = (u,v): if $s_e = 1$ then $d_v > d_u$.
BOUND: $0 \le d_v \le N$, N = number of nodes
(ii') $d_v \ge d_u + (N+1) s_e - N$
40
Expressing Constraint (iii)
(iii) For each node v: if $\sum x_e > 0$ then for some e = (u,v), $s_e = 1$.
BOUND: $0 \le x_e \le B$ (B = 10,000 for now)
[Figure: node v.]
41
Expressing Constraint (iii)
(iii) For each node v: if $\sum x_e > 0$ then for some e = (u,v), $s_e = 1$.
BOUND: $0 \le x_e \le B$ (B = 10,000 for now)
(iii') $B \cdot \mathrm{In}(v) \cdot \sum s_e \ge \sum x_e$
[Figure: node v.]
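
The linearized constraints from slides 38 to 41, checked by brute force on a small constructed graph (an added example, not code from the presentation or from INCA). It assumes In(v) is the in-degree of v, that the sums in (iii) range over edges entering v, and that the initial node is exempt from (iii); `cycle_free`, `NODES`, `EDGES`, `CONNECTED` and `SPURIOUS` are hypothetical names.

```python
from itertools import product

B = 10_000  # bound on flow variables, the value quoted on the slides

# Constructed graph: path 0 -> 1 -> 2 -> 3 plus a back edge 3 -> 2.
NODES = [0, 1, 2, 3]
EDGES = [(0, 1), (1, 2), (2, 3), (3, 2)]
CONNECTED = [1, 1, 2, 1]  # flow reaches the 2 <-> 3 cycle from node 0
SPURIOUS = [1, 0, 1, 1]   # flow on the cycle, but none on edge 1 -> 2


def cycle_free(nodes, edges, x, root):
    """Return a witness (s, depth) satisfying all three constraints, or None."""
    N = len(nodes)
    into = {v: [i for i, (_, w) in enumerate(edges) if w == v] for v in nodes}
    for s in product((0, 1), repeat=len(edges)):
        # (i) x_e >= s_e: a spanning-tree edge must carry flow.
        if any(x[i] < s[i] for i in range(len(edges))):
            continue
        # (iii) B * In(v) * sum(s_e) >= sum(x_e), over edges entering v.
        # Assumption: the root is exempt, its flow comes from the initial state.
        if any(B * len(into[v]) * sum(s[i] for i in into[v])
               < sum(x[i] for i in into[v])
               for v in nodes if v != root):
            continue
        # (ii) d_v >= d_u + (N+1)*s_e - N, with 0 <= d_v <= N.
        for d in product(range(N + 1), repeat=N):
            depth = dict(zip(nodes, d))
            if all(depth[v] >= depth[u] + (N + 1) * s[i] - N
                   for i, (u, v) in enumerate(edges)):
                return s, depth
    return None


if __name__ == "__main__":
    print("connected:", cycle_free(NODES, EDGES, CONNECTED, root=0))
    print("spurious: ", cycle_free(NODES, EDGES, SPURIOUS, root=0))
```

Both flow vectors satisfy flow conservation at nodes 2 and 3, so only the added constraints separate them: the spurious one forces both cycle edges into the tree, and then (ii) demands each node be deeper than the other.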
42
Chiron client architecture
[Figure: architecture diagram. Labels: Client Initializer, Application, Artist Manager, Client Protocol Manager, Wrapper, Artist(s), ADT, Dispatcher, Mapper.]
43
Chiron Notification Property
  • If Dispatcher receives event e1 from ADT Wrapper
    then it does not notify any artist of event e2
    until it has notified the appropriate artists of
    event e1.

44
Chiron Unregister Property
  • Artist a1 never unregisters for event e1 unless
    a1 is already registered for e1.