evidence-based verification evidence-based model checking li tan, rance cleaveland presented by...
Post on 20-Dec-2015
213 views
TRANSCRIPT
Evidence-Based Verification
Evidence-Based Model Checking
Li Tan, Rance Cleaveland
Presented by Arnab Ray
Computer Science DepartmentStony Brook
July 2002
Evidence-Based Verification
Outline
1. Motivations.2. Checker-independent evidence for model
checking.3. Post-model-checking analyses based on the
evidence.1. Efficiently certifying model-checking Result.2. Generating diagnostic information.3. Evaluating the quality of model-checking process.
4. A prototype on the Concurrency Workbench (CWB-NC).
Evidence-Based Verification
Model Checking Model Checking: whether or not a
transition system satisfies a temporal property.
Model checker works as a decision procedure for the problem.
"Yes/No" may not satisfy users. Why does my design go wrong? Could my design satisfy property
trivially? Can I trust the verification result?
Evidence-Based Verification
Problems with Traditional Diagnostic Generation
Diagnosis is about understanding the result, A diagnostic routine may,
Perform its own reasoning, or, Reuse the proof already computed by a checker.
Diagnostic routine is tightly geared to the structure of checkers.
Implementation requires the understanding of checkers.
Migrating a diag. routine onto another checker often requires major changes on both diag. routine and checker.
Proof used for one diagnostic schema may not be used for a different schema.
No additional checking on model-checking result.
Evidence-Based Verification
Evidence-Based Model Checking
Checker 1 Checker n
Verifier
Diagnostic Schema 1
Invalid Proof
Checker 2
Diagnostic Schema 2
Diagnostic Schema m
…
…
Portable Proof of Correctness
Let the result carry its own proof
Evidence-Based Verification
The General Framework Defining an abstract proof structures(APS) as
checker-independent evidence. APS encodes the proof structures of different
checkers in a standard form. APS carries the evidence to justify the result.
Extracting APS from existing checkers. Utilizing APS to perform diagnoses.
Certifying verification result. Generating diagnostic information.
Evaluating the quality of verification process.
Evidence-Based Verification
Searching for APS APS should be extracted from existing
checkers. The extraction should not affect the
complexities of checkers. The consistency of APS should be verified
efficiently. The complexities of certifying APS should
not exceed the complexities of checkers producing it.
APS should be abstract enough to save the space
APS should be rich enough for supporting a variety of diagnoses.
Evidence-Based Verification
Boolean (Fixpoint) Equation System
Syntax,
H={ {0, 1},< } is the Boolean lattice H. 2 2X can be viewed as a set. E is closed if X 2 Xi also appears as a left
side variable. [E](1)=[E](2) for any 1, 2 2 HX. Denote [E] for [E]() [E](X) assigns X a Boolean value.
Evidence-Based Verification
Model Checking via BES BES E= Kripke structure T+ Property
E is closed. A variable X in BES stands for $h s, ’ i$.
[E](X)=1 iff s ²T . Many checkers (implicitly) construct
BESs. For -calculus checker,
BES=T+-calculus. For automaton-based checker, BES=
parity automaton. E can be constructed on-the-fly.
Evidence-Based Verification
Support Set (Continue) By (a) and (b), support set implies a
fixpoint solution for E. By (c), support set respects the
definition of least/or greatest fixpoints.
If r=1, no bad loop on . If r=0, no good loop on .
Theorem 1 [TanCle02]Let =<r, X, > be a support set for
E, then [E](X)=r.
Evidence-Based Verification
Extracting Support SetThe extraction is, practical. Support sets can be extracted
from a wide range of existing checkers, Boolean-Graph algorithm [And92], Linear
Alternation-Free algorithms[CleSte91], On-the-fly algorithms for full -calculus LAFP [LRS98] and SLP [TanCle02b], Automaton-based model checkers([BhaCle96a] and [KVW00]).
efficient. The overhead doesn't exceed the original complexities of these checkers.
simply. It only need have dependency relations recorded.
Evidence-Based Verification
Application I: Certifying model-checking results
Checking (a) and (b) can be done in linear time.
Checking (c) can be reduced to even-loop problem (a nlogn problem[KKV01]).
Model checking is a NP Å co-NP problem [EmeJutSis93].
The cost of certifying results < The cost of model checking.
Evidence-Based Verification
Application II: model-checking game
Semantics: decide [E](X0) for E Two players: I (asserting [E](X0)=0) and
II (asserting [E](X0)=1) A play is a sequence =Xp0 Xp1 …such
that Xp0=X0 and if, (pi Xpi=ÇX ’) 2 E, then II chooses Xpi+1 2 X' (pi Xpi=ÆX ’) 2 E, then I chooses Xpi+1 2 X ’
II wins iff, It's I's turn but I has no choice (X '=;), or, The shallowest variable being visited
infinitely often by is a -variable.
Evidence-Based Verification
MC Game as a Diagnostic Routine MC game is a fair game.
([E])(X0)=1 ) II has a winning strategy. ([E])(X0)=0 ) I has a winning strategy.
Two physical players: computer and user. When the model-checking result is,
Yes ) The computer plays as II while the user as I.
No ) The computer plays as I while the user as II.
The user is always a loser if the MC result is correct and the computer uses the right strategy.
Evidence-Based Verification
Constructing Winning Strategy for Computer
Given h r, X0, i as a support set for E The computer will keep the play =Xp0
Xp1 … proceeding within support set: If r=1 and pi Xpi=ÇX ’, then the computer
(as II) chooses Xpi+1 2 ((Xpi) Å X '). If r=0 and pi Xpi=ÆX ’, then the computer
(as I) chooses Xpi+1 2 ((Xpi) Å X ').
The strategy is feasible: (Xpi) is defined whenever Xpi is the computer’s turn.
The strategy is a winning strategy for the computer.
Evidence-Based Verification
Application III:Evaluate the quality of MC
A positive result may hide the problem
T may pass AG(a ) AF b) trivially because a never occurs in T.
Is there the status of a state (Minicoverage [CKV01]) or a subformula (Vacuity [KV99]) irrelevant to the result?
Coverage problem of support set. Has support set covered all the states
and properties?
Evidence-Based Verification
Furture Work I:A Client-Server Model for Verification
Server: checkers. There are many formulations for the input Support sets help standardize the output.
Client: user interface, diagnostic generation, and evidence-verifier.
Design Systems and Properties
Abstract Proof Structures
Evidence-Based Verification
Future Work II:Proof-Carrying Code
Mobile code [Nec97] carries its own proof attesting to its safeness.
Currently compilers are modified to produce the proof for a predefined set of safety rules.
Integrate support-set-ready model checkers with compilers.
Certifying compiler enjoy the richness of temporal logics.
Evidence-Based Verification
ConclusionCheckers produce abstract proof structures as
evidence. APS is independent of checker. Extracting APS won't affect the
complexities of checkers. APS justifies the correctness of result. APs attests to the quality of verification. A wide range of diagnostic information can
be built on this evidence. APSs are defined for Model checking,
Equiv. checking, and Preordering Checking.