Counter-Example Based Predicate Discovery in Predicate Abstraction
Satyaki Das and David L. Dill
Computer Systems Lab
Stanford University
Outline
Motivation
Predicate Abstraction
Predicate Discovery
Application to AODV
Conclusion
Motivation
Easy verification of infinite state systems
Simple Mutual Exclusion Protocol
A trivial example to illustrate concepts
Clients communicate with the server via asynchronous messages
Three kinds of messages:
– REQUEST
– GRANT
– RELEASE
Infinite state:
– Unbounded message queue
– Any number of clients
Protocol Steps
Figure (protocol state machines): a client with cs[i]=false sends REQUEST(i); the server, with granted=false, answers with GRANT(i) and sets granted:=true, current:=i; the client then sets cs[i]:=true. The client leaves by sending RELEASE(i) and setting cs[i]:=false, whereupon the server sets granted:=false.
Client Variables: cs: array of boolean
Server Variables: granted: boolean; current: integer;
Queue Variables: Q.type: array of enum; Q.node: array of integer;
Verification Condition
For distinct nodes a and b, prove that
cs[a] /\ cs[b] )
Outline
Motivation
Predicate Abstraction
Predicate Discovery
Application to AODV
Conclusion
Abstraction
A finite set of predicates defines the abstraction
Abstraction is conservative
Figure (Concrete vs. Abstract): with predicates bit1: cs[a], bit2: cs[b], the concrete states cs = x. false, Q.type = x. EMPTY, granted = true and cs = x. false, Q.type = x. EMPTY, granted = false both map to the abstract state [00].
Abstraction (contd)
Abstract transition relation is conservative
Abstract next states must contain all concrete successors
And possibly more states
Figure (Abstract vs. Concrete): the abstract transition RA from s to t drawn above the concrete transition RC from x to y.
Example
Let s=[10] and t=[11]
(s) contains a state where a GRANT(b) message is in queue
So we have abstract transition from s to t!
Predicates: bit1: cs[a], bit2: cs[b]
Abstract Counter-Example
If model checking fails, an abstract counter-example is produced
Concrete transitions are present for each pair of consecutive abstract states
But a concrete counter-example may not be present!
Figure (Abstract vs. Concrete): a Real Trace next to a Spurious Trace, with the concrete states x, y’, z, y’’ drawn under the abstract states.
Tool Block Diagram
Figure (block diagram): the Abstraction Module (CVC, BDD) takes the System, Predicates and Property and feeds the Model Checker, which either reports Proved!!! or hands an abstract counter-example to the Trace Checker (CVC); the Trace Checker reports a concrete counter-example or passes the trace on to the Predicate Generator.
History of Predicate Abstraction
Graf and Saidi, CAV 97
Colon and Uribe, CAV 98
Shankar and Saidi, CAV 99
Das, Dill and Park, CAV 99
Saidi and Lessens, ENTCS 97
Das and Dill, LICS 2001
Software Model Checking: SLAM, Ball, Rajamani et al, 2000-present; Henzinger et al, POPL 02; Flanagan et al, POPL 2002
Invariant Generation: InVeSt, CAV 98; Bensalem et al, TACAS 01; Tiwari et al, TACAS 01
And many more…
Outline
Motivation
Predicate Abstraction
Predicate Discovery
Application to AODV
Conclusion
Predicate Discovery Example
Rejoin action after the first iteration
Current predicates are:
“a in critical section”: cs[a]
“b in critical section”: cs[b]
“At least one GRANT message”: x. Q.type[x] = GRANT
Figure: abstract trace xxx --init--> 000 --Send GRANT--> 001 --Rec GRANT--> 011 --Rec GRANT--> 111
Is abstract trace spurious?
Predicates: bit1: cs[a], bit2: cs[b], bit3: x. Q.type[x] = GRANT
Predicate Discovery Example (contd)
Figure: abstract trace xxx --init--> 000 --Send GRANT--> 001 --Rec GRANT--> 011 --Rec GRANT--> 111
Minimal spurious trace found!
Predicates: bit1: cs[a], bit2: cs[b], bit3: x. Q.type[x] = GRANT
Predicate Discovery Example (contd)
Figure: the transition 001 --Rec GRANT--> 011 of the trace (000 shown as the preceding state), annotated with the conditions on the concrete state behind 001: cs[a], cs[b], Q.type[m1] = GRANT, Q.type[m2] = GRANT, Q.node[m2] = b, m1 m2
These are the candidate predicates!
Predicates: bit1: cs[a], bit2: cs[b], bit3: x. Q.type[x] = GRANT
Predicate Discovery Example (contd)
Figure: the transition 000 --Send GRANT--> 001 of the trace (011 shown as the following state), annotated with the same candidate predicates on the concrete state behind 001: cs[a], cs[b], Q.type[m1] = GRANT, Q.type[m2] = GRANT, Q.node[m2] = b, m1 m2
Predicate added: m1,m2. Q.type[m1]=GRANT /\ Q.type[m2]=GRANT /\ m1 m2
Predicates: bit1: cs[a], bit2: cs[b], bit3: x. Q.type[x] = GRANT
Predicate Discovery Algorithm
Step 1. Check if abstract counter-example is spurious
Step 2. If not spurious, concrete error trace has been found. Otherwise find a minimal spurious trace
Step 3. Solve non-spurious tail to find candidate predicates that characterize the second state of the minimal spurious trace
Step 4. Find a minimal set from these predicates to construct new predicates
Outline
Motivation
Predicate Abstraction
Predicate Discovery
Application to AODV
Conclusion
AODV Example
Ad-hoc On-demand Distance Vector (AODV) routing protocol. Nodes can dynamically enter or leave the system. Routes are maintained so that the nodes can communicate. It is important that the routing table does not have loops.
The method automatically proves the loop-freeness of a simplified version of the protocol. The protocol was simplified by not modeling timeouts.
Protocol highlights:
– Routes are found by broadcasting a request to neighbors
– Sequence number tracks route age
– Hop count tracks number of hops to destination
AODV Example
Proof obligation: If a’s next hop in route to c is b then either a’s sequence number is lower than that of b or the sequence numbers of a and b are the same but the hop count of a is higher than that of b
Find predicates about messages present in the queue
20 predicates were found in 14 iterations before the proof was successfully completed
Figure: nodes a, b, c with the Message Queue between them.
Outline
Motivation
Predicate Abstraction
Predicate Discovery
Application to AODV
Conclusion
Conclusion
Weakest pre-condition based abstraction refinement is useful
Future Work:
– Easily usable concrete error traces would aid debugging
– Better quantifier support would be nice
– Integration with other predicate generation schemes
End
Predicate Discovery (contd)
Generalize abstract transition relation to test for spurious counter-example trace.
Let counter-example trace be: s1, s2, … sM
Concrete counter-example exists if, RC(x1,x2) /\ RC(x2,x3) /\ … /\ RC(xM-1,xM)
/\ (x1)=s1 /\ (x2)=s2 /\ … /\ (xM)=sM
is satisfiable for some concrete states x1, x2, … xM
Notice that checking for spuriousness turns into a validity check that we use CVC to carry out!
Predicate Discovery (contd)
Figure: the trace with states s2, s3, s4, s5 highlighted; the remainder after each shortening step is marked Real Trace!
Remove first state if the remainder is spurious
Repeat till removing first state makes the remainder a real trace
Do similar shortening at end of trace
Predicate Discovery (contd)
Solve for conditions that must hold for the partial trace corresponding to s2, s3, s4, s5.
The conditions on the concrete state x2 can be derived by finding a satisfying assignment for:
(x2)=s2 /\ (x3)=s3 /\ (x4)=s4 /\ (x5)=s5
/\ RC(x2,x3) /\ RC(x3,x4) /\ RC(x4,x5)
Let the solution be the conjunction of predicates 1(x2), 2(x2), …, L(x2)
These are our candidate predicates!
Predicate Discovery (contd)
For the candidate predicates it must be the case that
1(x2) /\ 2(x2) … /\ L(x2)
/\ RC(x1,x2) /\ (x1)=s1
is unsatisfiable for all x1 and x2.
Find a minimal subset of predicates (say 1 and 2 in this case) such that
1(x2) /\ 2(x2)
/\ RC(x1,x2) /\ (x1)=s1
is still unsatisfiable.
Use 1 and 2 as predicates to refine the abstraction
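As an added example (not code from the deck or from the authors' tool), the spuriousness check and minimal-spurious-trace search of the slides above, run on the mutual-exclusion example of the Predicate Discovery Example slides. A finite instance of the protocol (assumed bounds: clients a and b, a three-slot queue) replaces the CVC satisfiability queries with explicit enumeration of the concrete transition relation RC; guards follow the Protocol Steps slide (cs[i]=false before REQUEST, granted=false before GRANT), and the search works for any abstract trace over the deck's three predicates, not only the one on the slides.

```python
from itertools import product
# Finite instance of the deck's mutual-exclusion protocol (assumed bounds: clients a=0, b=1
# and a three-slot queue) so that RC is enumerated here instead of queried through CVC.
CLIENTS, SLOTS = (0, 1), (0, 1, 2)
EMPTY, REQUEST, GRANT, RELEASE = "E", "Q", "G", "R"

def universe():
    """Every concrete state (cs, granted, current, Q.type, Q.node), reachable or not."""
    return product(product((0, 1), repeat=2), (0, 1), CLIENTS,
                   product((EMPTY, REQUEST, GRANT, RELEASE), repeat=3),
                   product(CLIENTS, repeat=3))

def successors(s):
    """Concrete successors of s; guards as on the Protocol Steps slide."""
    cs, g, cur, qt, qn = s
    def upd(cs=cs, g=g, cur=cur, qt=qt, qn=qn): return (cs, g, cur, qt, qn)
    def put(t, i, v): return t[:i] + (v,) + t[i + 1:]
    for c, m in product(CLIENTS, SLOTS):
        if not cs[c] and qt[m] == EMPTY:                  # Send REQUEST(c)
            yield upd(qt=put(qt, m, REQUEST), qn=put(qn, m, c))
        if not cs[c] and qt[m] == GRANT and qn[m] == c:   # Receive GRANT(c)
            yield upd(cs=put(cs, c, 1), qt=put(qt, m, EMPTY))
        if cs[c] and qt[m] == EMPTY:                      # Send RELEASE(c)
            yield upd(cs=put(cs, c, 0), qt=put(qt, m, RELEASE), qn=put(qn, m, c))
    for m in SLOTS:
        if not g and qt[m] == REQUEST:                    # Receive REQUEST, reply GRANT
            yield upd(g=1, cur=qn[m], qt=put(qt, m, GRANT))
        if g and qt[m] == RELEASE and qn[m] == cur:       # Receive RELEASE
            yield upd(g=0, qt=put(qt, m, EMPTY))

def alpha(s):
    """Abstraction: bit1 = cs[a], bit2 = cs[b], bit3 = 'some GRANT in the queue'."""
    cs, _, _, qt, _ = s
    return f"{cs[0]}{cs[1]}{int(GRANT in qt)}"

def concrete_starts(trace):
    """Concrete x1 with alpha(x1) = s1 from which abstract trace s1..sM is realisable:
    RC(xi, xi+1) and alpha(xi) = si for every i, solved backwards over the universe."""
    good = {x for x in universe() if alpha(x) == trace[-1]}
    for si in reversed(trace[:-1]):
        good = {x for x in universe()
                if alpha(x) == si and any(y in good for y in successors(x))}
    return good

def is_spurious(trace): return not concrete_starts(trace)

def minimal_spurious(trace):
    """Drop states at the front, then at the back, while the remainder stays spurious."""
    while len(trace) > 2 and is_spurious(trace[1:]): trace = trace[1:]
    while len(trace) > 2 and is_spurious(trace[:-1]): trace = trace[:-1]
    return trace
```

For the trace 000, 001, 011, 111 this yields the minimal spurious trace 000, 001, 011, and every concrete state returned by concrete_starts for the real tail 001, 011 holds two GRANT messages, which is the condition the deck turns into its new predicate.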
Related Work
Predicate Abstraction: Graf and Saidi in CAV 1997; Colon and Uribe in CAV 1998; Flanagan and Qadeer in POPL 2002
Counter-example guided refinement: Alur et al in CAV 95; Bensalem et al in CAV 98; Lakhnech et al in TACAS 2001; Tiwari et al in TACAS 2001; Clarke, Grumberg et al in CAV 2000; SLAM Project at MSR (POPL 2002); BLAST project at Berkeley (POPL 2002)
Implementation
Binary Decision Diagrams (BDD) are used to represent the abstract system and for model checking
Cooperating Validity Checker (CVC) is used to check satisfiability
– CVC is a decision procedure for quantifier free first order logic
– Supported types in CVC include booleans, rationals, stores (unbounded arrays) and records
Quantifier support: heuristics were used for quantifier instantiation
Verification Scheme
Figure (verification loop): the Concrete System, Safety Property and Initial Predicates enter “Abstract and Model Check”, which either reports Property Verified! or passes an Abstract Counter-example to “Check Counter-example and Discover Predicates”; that step yields either a Concrete Counter-example or New predicates that are fed back to “Abstract and Model Check”.
Predicate Discovery Intuition
A spurious trace is an abstract trace with no concrete counterpart
Real trace is one which has a concrete counterpart
Predicates are added to remove spurious traces
Figure: concrete transitions x1 to x2 and x’2 to x3 under the abstract trace; the New Predicate splits the abstract state containing x2 and x’2.
Spurious counter-example is avoided in refined abstraction!
Protocol Description
Client Rules, Ruleset (cell, msg):
“Send REQUEST”: cs[cell] /\ Q.type[msg]=EMPTY
    Q.type[msg] := REQUEST; Q.node[msg] := cell
“Receive GRANT”: cs[cell] /\ Q.type[msg]=GRANT /\ Q.node[msg]=cell
    Q.type[msg] := EMPTY; cs[cell] := true
“Send RELEASE”: cs[cell] /\ Q.type[msg]=EMPTY
    Q.type[msg] := RELEASE; Q.node[msg] := cell; cs[cell] := false
Server Rules, Ruleset (msg):
“Receive REQUEST”: granted /\ Q.type[msg]=REQUEST
    Q.type[msg] := GRANT; granted := true; current := Q.node[msg]
“Receive RELEASE”: granted /\ Q.type[msg]=RELEASE /\ Q.node[msg]=current
    Q.type[msg] := EMPTY; granted := false
Initialization Rule: true
    Q.type := x. EMPTY; cs := x. false; granted := false