Expand, Enlarge, and Check for Branching Vector Addition Systems
Rupak Majumdar (MPI-SWS), Zilong Wang (MPI-SWS)
Branching Vector Addition Systems (BVAS)
• A generalization of vector addition systems (VAS)
• A very expressive concurrency model: spawn and wait, asynchronous programming
• Program safety reduces to the coverability problem for BVAS
Coverability Results (state of the art)
Theory
• VAS: EXPSPACE-complete [Lipton 76, Rackoff 78]. Nondeterministically guess a doubly exponential covering path.
• BVAS: 2EXPTIME-complete [Demri et al. 09]. Nondeterministically guess a doubly exponential covering tree.
Practice
• VAS: Backward reachability [Abdulla et al. 96]; Expand, Enlarge, and Check (EEC) [Geeraerts et al. 04], complexity unknown.
• BVAS: Backward reachability [2EXPTIME: Bozzelli & Ganty 11].
Coverability Results (this talk)
Theory
• VAS: EXPSPACE-complete [Lipton 76, Rackoff 78]. Nondeterministically guess a doubly exponential covering path.
• BVAS: 2EXPTIME-complete [Demri et al. 09]. Nondeterministically guess a doubly exponential covering tree.
Practice
• VAS: Backward reachability [Abdulla et al. 96]; EEC, shown here to be in EXPSPACE.
• BVAS: Backward reachability [2EXPTIME: Bozzelli & Ganty 11]; EEC, generalized to BVAS here and shown to be in 2EXPTIME.
Outline
• Recap of EEC for VAS
• Complexity analysis of EEC for VAS
• Generalization to EEC for BVAS
• Experimental results of EEC for BVAS
Vector Addition System (VAS)
VAS
• is the dimension of vectors
• is the initial vector
• is a finite set of unary rules
Derivation (figure): dim 2, initial vector (1, 2), unary rules (2, -1), (-1, -1), (1, -1)
(1, 2) + (2, -1) = (3, 1)
(3, 1) + (-1, -1) = (2, 0)
So (1, 2) derives (2, 0).
Coverability Problem
Given a VAS and a target , is there a covering derivation of in ?
is a covering (derivation) of if derives a vector such that
EEC for VAS
Truncated and Extended Derivations w.r.t. a bound
Normal | Truncated ( = 2) | Extended ( = 2)
Truncated: if a number > , truncate it to
Extended: if a number > , extend it to
EEC for VAS (flowchart)
For the current bound:
• Expand: is there a covering truncated derivation? Yes: Cover.
• Enlarge: is there a covering extended derivation? No: Uncover.
• Otherwise increase the bound and repeat.
Soundness and Completeness [Geeraerts et al. 04]
Complexity Analysis
EEC for VAS: how many iterations are required for termination?
Each check is a finite graph reachability problem; the size of the graph is
(flowchart as before: covering truncated derivation? Yes: Cover; covering extended derivation? No: Uncover; otherwise increase the bound.)
Definitions
Given a VAS and a vector , define
• input size : number of bits required to encode and in binary
• : the absolute value of the smallest negative integer in (i.e. the maximal decrease in one step of a derivation)
• : the greatest integer in
•
Lemmas
Lemma 1 [Rackoff 78, Demri et al. 09]: If there is a covering derivation of , there is one whose length is at most
Lemma 2: For all , if there is a covering extended derivation of , there is one whose length is at most
Theorem 1: EEC for VAS terminates in iterations
Pf: Let
We show:
1. If is coverable, there is a covering truncated derivation
2. If is uncoverable, there is no covering extended derivation
Proof of Claim 1 (if is coverable, there is a covering truncated derivation)
By Lemma 1, take a covering derivation of bounded length and distinguish two cases:
• No truncation in
• There is a truncation in
Proof of Claim 2 (if is uncoverable, there is no covering extended derivation)
By Lemma 2, any covering extended derivation can be assumed to have bounded length; distinguish two cases:
• No extension in
• There is an extension in
Theorem 2: EEC for VAS is in EXPSPACE
Pf:
• By Theorem 1, the number of iterations =
• Each iteration solves two finite graph reachability problems
• Each graph has at most or nodes, which is
• Finite graph reachability is in NLOGSPACE
Branching Vector Addition System (BVAS)
BVAS
• is the dimension of vectors
• is a finite set of axioms
• is a finite set of unary rules
• is a finite set of binary rules
Derivation (figure): dim 2; axioms (0, 1), (3, 2); unary rules (0, 2), (1, 0); binary rule (0, -4)
(0, 1) + (0, 2) = (0, 3)
(3, 2) + (1, 0) = (4, 2)
(0, 3) + (4, 2) + (0, -4) = (4, 1)
(4, 1) + (1, 0) = (5, 1)
So the BVAS derives (5, 1).
Coverability Problem
Given a BVAS and a target , is there a covering derivation of in ?
is a covering (derivation) of if derives a vector such that
EEC for BVAS (flowchart)
Same loop as for VAS, except that the derivations are trees:
• Expand: is there a covering truncated derivation tree? Yes: Cover.
• Enlarge: is there a covering extended derivation tree? No: Uncover.
• Otherwise increase the bound and repeat.
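The EEC loop just described (expand with truncated derivations, enlarge with extended derivations, check, then grow the bound), run on the two derivation examples from the VAS and BVAS slides. This is an added worked example, not code from the slides or from the authors' implementation. The slides do not fix the starting bound, the increment, or how the initial vector and axioms are handled; the choices below (start at bound 1, grow by one, normalize axioms like any other vector, represent the extension symbol by math.inf) are my assumptions, and the sample systems are reconstructed from the slide figures.

```python
"""Expand, Enlarge, and Check (EEC) for BVAS coverability.

Added worked example; not code from the slides or from the authors' tool.
A VAS is the special case with one axiom (the initial vector) and no
binary rules.  Assumptions the slides do not fix: the bound starts at 1
and grows by one per iteration, axioms are truncated/extended like every
other vector, and the extension symbol is represented by math.inf.
"""
import math
from dataclasses import dataclass, field

OMEGA = math.inf  # extended value: compares greater than every integer


@dataclass
class BVAS:
    dim: int
    axioms: list                                 # vectors derivable without premises
    unary: list                                  # v -> v + r
    binary: list = field(default_factory=list)   # (v, w) -> v + w + r


def _add(u, v):
    return tuple(a + b for a, b in zip(u, v))


def _normalize(v, bound, extend):
    """Truncate (extend=False) or extend (extend=True) v w.r.t. bound.
    None means a coordinate went negative: not a valid derivation step."""
    out = []
    for x in v:
        if x < 0:
            return None
        if x > bound:
            x = OMEGA if extend else bound
        out.append(x)
    return tuple(out)


def derivable(b, bound, extend):
    """Vectors derivable by truncated/extended derivation trees w.r.t. bound,
    as a least fixpoint.  At most (bound + 2) ** dim distinct vectors exist,
    so the computation always terminates."""
    seen = set()
    for a in b.axioms:
        v = _normalize(a, bound, extend)
        if v is not None:
            seen.add(v)
    work = list(seen)
    while work:
        v = work.pop()
        candidates = [_add(v, r) for r in b.unary]
        # Pair v with every vector derived so far (itself included); a partner
        # derived later is paired with v when that partner is popped.
        for r in b.binary:
            candidates += [_add(_add(v, w), r) for w in list(seen)]
        for c in candidates:
            c = _normalize(c, bound, extend)
            if c is not None and c not in seen:
                seen.add(c)
                work.append(c)
    return seen


def covers(v, target):
    return all(x >= t for x, t in zip(v, target))


def eec_coverability(b, target, max_bound=None):
    """Return ("Cover", k) or ("Uncover", k), k being the bound at which EEC
    decided.  Cover is sound because a truncated vector is <= the vector the
    same rules derive for real; Uncover is sound because an extended vector
    is >= it.  Termination is Theorem 1 (VAS) / Theorem 4 (BVAS) on the
    slides; max_bound is only a safety cap for experiments."""
    k = 1
    while max_bound is None or k <= max_bound:
        if any(covers(v, target) for v in derivable(b, k, extend=False)):
            return "Cover", k
        if not any(covers(v, target) for v in derivable(b, k, extend=True)):
            return "Uncover", k
        k += 1
    raise RuntimeError(f"undecided up to bound {max_bound}")


def evaluate_tree(tree):
    """Value of a derivation tree given as ("ax", v), ("un", r, sub) or
    ("bin", r, left, right); None if a coordinate goes negative."""
    kind = tree[0]
    if kind == "ax":
        v = tuple(tree[1])
    elif kind == "un":
        sub = evaluate_tree(tree[2])
        v = None if sub is None else _add(sub, tree[1])
    else:
        l, r = evaluate_tree(tree[2]), evaluate_tree(tree[3])
        v = None if l is None or r is None else _add(_add(l, r), tree[1])
    return None if v is None or min(v) < 0 else v


# Sample systems reconstructed from the two derivation figures on the slides.
VAS_EXAMPLE = BVAS(dim=2, axioms=[(1, 2)], unary=[(2, -1), (-1, -1)])
BVAS_EXAMPLE = BVAS(dim=2, axioms=[(0, 1), (3, 2)],
                    unary=[(0, 2), (1, 0)], binary=[(0, -4)])
SLIDE_TREE = ("un", (1, 0), ("bin", (0, -4),
                             ("un", (0, 2), ("ax", (0, 1))),
                             ("un", (1, 0), ("ax", (3, 2)))))

if __name__ == "__main__":
    print(evaluate_tree(SLIDE_TREE))               # (5, 1)
    print(eec_coverability(VAS_EXAMPLE, (2, 0)))   # ('Cover', 2)
    print(eec_coverability(VAS_EXAMPLE, (0, 3)))   # ('Uncover', 2)
    print(eec_coverability(BVAS_EXAMPLE, (5, 1)))  # ('Cover', 5)
```

Two things to notice when running it. First, the Cover answers are found by the truncated (under-approximating) side, so the bound at which EEC stops is roughly the largest coordinate the real covering derivation needs, which is why the BVAS example needs bound 5 to reach (5, 1). Second, the Uncover answer for target (0, 3) in the VAS example appears at bound 2 only because at bound 1 the initial vector's second coordinate is already extended to omega and spuriously covers the target; this is exactly the over-approximation the "Enlarge" side trades for termination, and the reason the slides need Lemma 2 to bound the length of covering extended derivations.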
Theorems about EEC for BVAS
Theorem 4: EEC for BVAS terminates in iterations
Theorem 5: EEC for BVAS is in 2EXPTIME
Implementation and Experimental Results
Single-wait Programs [Bouajjani & Emmi 12]
• A function can
1. call unboundedly many asynchronous functions running in parallel
2. wait till the first return value comes back
• State reachability reduces to BVAS coverability
DNS lookup

    dns_server(Name) {
      ...                                   // do something else
      do {
        post r0 <- lookup Name (fun ret -> Result = ret);
      } while (*);
      ...                                   // do something else
      ewait r0;
      assert(is_valid_ip(Result));
      ...                                   // do something else
    }

    lookup(Name) {                          // lookup() returns ip
      ...
      while (true) {
        allocate(Buf);
        post r1 <- server1 Name (fun ret -> Buf = ret);   // server1 returns err or ip
        post r1 <- server2 Name (fun ret -> Buf = ret);   // server2 returns err or ip
        ...                                 // do something else
        ewait r1;
        if (Buf == err) {
          free(Buf);
          continue;
        }
        return Buf;
      }
    }

Can this assertion fail?
• dns_server asynchronously makes unboundedly many lookups, then waits till the first return value that comes back.
• lookup asks two remote servers for an ip address and waits for the first return value.
Experimental Results (#urule / #brule: number of unary / binary rules)
#server    #dimension  #axiom  #urule  #brule  result   time
2          19          20      9153    6950    Uncover  31.25s
3          22          23      14832   11664   Uncover  79.16s
4          25          26      22640   18326   Uncover  151.46s
5          28          29      33070   27392   Uncover  279.56s
6          31          32      46638   39366   Uncover  463.71s
6 (buggy)  31          32      40077   32805   Cover    63.58s
Summary
Theory
• VAS: EXPSPACE-complete [Lipton 76, Rackoff 78]. Nondeterministically guess a doubly exponential covering path.
• BVAS: 2EXPTIME-complete [Demri et al. 09]. Nondeterministically guess a doubly exponential covering tree.
Practice
• VAS: Backward reachability [Abdulla et al. 96]; EEC [EXPSPACE].
• BVAS: Backward reachability [2EXPTIME: Bozzelli & Ganty 11]; EEC [2EXPTIME].