Evidence-Based Verification

Evidence-Based Model Checking

Li Tan, Rance Cleaveland

Presented by Arnab Ray

Computer Science DepartmentStony Brook

July 2002

Evidence-Based Verification

Outline

1. Motivations.2. Checker-independent evidence for model

checking.3. Post-model-checking analyses based on the

evidence.1. Efficiently certifying model-checking Result.2. Generating diagnostic information.3. Evaluating the quality of model-checking process.

4. A prototype on the Concurrency Workbench (CWB-NC).

Evidence-Based Verification

Model Checking Model Checking: whether or not a

transition system satisfies a temporal property.

Model checker works as a decision procedure for the problem.

"Yes/No" may not satisfy users. Why does my design go wrong? Could my design satisfy property

trivially? Can I trust the verification result?

Evidence-Based Verification

Problems with Traditional Diagnostic Generation

Diagnosis is about understanding the result, A diagnostic routine may,

Perform its own reasoning, or, Reuse the proof already computed by a checker.

Diagnostic routine is tightly geared to the structure of checkers.

Implementation requires the understanding of checkers.

Migrating a diag. routine onto another checker often requires major changes on both diag. routine and checker.

Proof used for one diagnostic schema may not be used for a different schema.

No additional checking on model-checking result.

Evidence-Based Verification

Evidence-Based Model Checking

Checker 1 Checker n

Verifier

Diagnostic Schema 1

Invalid Proof

Checker 2

Diagnostic Schema 2

Diagnostic Schema m

…

…

Portable Proof of Correctness

Let the result carry its own proof

Evidence-Based Verification

The General Framework Defining an abstract proof structures(APS) as

checker-independent evidence. APS encodes the proof structures of different

checkers in a standard form. APS carries the evidence to justify the result.

Extracting APS from existing checkers. Utilizing APS to perform diagnoses.

Certifying verification result. Generating diagnostic information.

Evaluating the quality of verification process.

Evidence-Based Verification

Searching for APS APS should be extracted from existing

checkers. The extraction should not affect the

complexities of checkers. The consistency of APS should be verified

efficiently. The complexities of certifying APS should

not exceed the complexities of checkers producing it.

APS should be abstract enough to save the space

APS should be rich enough for supporting a variety of diagnoses.

Evidence-Based Verification

Introducing APS by case study

Evidence-Based Verification

Boolean Equation System=System + Temporal Property

E=+T:

Evidence-Based Verification

Boolean Equation System=System + Temporal Property

E=+T:

Evidence-Based Verification

Equation System: Semantics

[E]: HX !HX is a function on environments

Evidence-Based Verification

Evidence-Based Verification

Boolean (Fixpoint) Equation System

Syntax,

H={ {0, 1},< } is the Boolean lattice H. 2 2X can be viewed as a set. E is closed if X 2 Xi also appears as a left

side variable. [E](1)=[E](2) for any 1, 2 2 HX. Denote [E] for [E]() [E](X) assigns X a Boolean value.

Evidence-Based Verification

Model Checking via BES BES E= Kripke structure T+ Property

E is closed. A variable X in BES stands for $h s, ’ i$.

[E](X)=1 iff s ²T . Many checkers (implicitly) construct

BESs. For -calculus checker,

BES=T+-calculus. For automaton-based checker, BES=

parity automaton. E can be constructed on-the-fly.

Evidence-Based Verification

Evaluating Equation System: an Example

Evidence-Based Verification

Support Set

Evidence-Based Verification

Support Set (Continue) By (a) and (b), support set implies a

fixpoint solution for E. By (c), support set respects the

definition of least/or greatest fixpoints.

If r=1, no bad loop on . If r=0, no good loop on .

Theorem 1 [TanCle02]Let =<r, X, > be a support set for

E, then [E](X)=r.

Evidence-Based Verification

Extracting Support SetThe extraction is, practical. Support sets can be extracted

from a wide range of existing checkers, Boolean-Graph algorithm [And92], Linear

Alternation-Free algorithms[CleSte91], On-the-fly algorithms for full -calculus LAFP [LRS98] and SLP [TanCle02b], Automaton-based model checkers([BhaCle96a] and [KVW00]).

efficient. The overhead doesn't exceed the original complexities of these checkers.

simply. It only need have dependency relations recorded.

Evidence-Based Verification

Application I: Certifying model-checking results

Checking (a) and (b) can be done in linear time.

Checking (c) can be reduced to even-loop problem (a nlogn problem[KKV01]).

Model checking is a NP Å co-NP problem [EmeJutSis93].

The cost of certifying results < The cost of model checking.

Evidence-Based Verification

Application II: model-checking game

Semantics: decide [E](X0) for E Two players: I (asserting [E](X0)=0) and

II (asserting [E](X0)=1) A play is a sequence =Xp0 Xp1 …such

that Xp0=X0 and if, (pi Xpi=ÇX ’) 2 E, then II chooses Xpi+1 2 X' (pi Xpi=ÆX ’) 2 E, then I chooses Xpi+1 2 X ’

II wins iff, It's I's turn but I has no choice (X '=;), or, The shallowest variable being visited

infinitely often by is a -variable.

Evidence-Based Verification

MC Game as a Diagnostic Routine MC game is a fair game.

([E])(X0)=1 ) II has a winning strategy. ([E])(X0)=0 ) I has a winning strategy.

Two physical players: computer and user. When the model-checking result is,

Yes ) The computer plays as II while the user as I.

No ) The computer plays as I while the user as II.

The user is always a loser if the MC result is correct and the computer uses the right strategy.

Evidence-Based Verification

Constructing Winning Strategy for Computer

Given h r, X0, i as a support set for E The computer will keep the play =Xp0

Xp1 … proceeding within support set: If r=1 and pi Xpi=ÇX ’, then the computer

(as II) chooses Xpi+1 2 ((Xpi) Å X '). If r=0 and pi Xpi=ÆX ’, then the computer

(as I) chooses Xpi+1 2 ((Xpi) Å X ').

The strategy is feasible: (Xpi) is defined whenever Xpi is the computer’s turn.

The strategy is a winning strategy for the computer.

Evidence-Based Verification

Evaluating Equation System: an Example

Evidence-Based Verification

Application III:Evaluate the quality of MC

A positive result may hide the problem

T may pass AG(a ) AF b) trivially because a never occurs in T.

Is there the status of a state (Minicoverage [CKV01]) or a subformula (Vacuity [KV99]) irrelevant to the result?

Coverage problem of support set. Has support set covered all the states

and properties?

Evidence-Based Verification

Furture Work I:A Client-Server Model for Verification

Server: checkers. There are many formulations for the input Support sets help standardize the output.

Client: user interface, diagnostic generation, and evidence-verifier.

Design Systems and Properties

Abstract Proof Structures

Evidence-Based Verification

Future Work II:Proof-Carrying Code

Mobile code [Nec97] carries its own proof attesting to its safeness.

Currently compilers are modified to produce the proof for a predefined set of safety rules.

Integrate support-set-ready model checkers with compilers.

Certifying compiler enjoy the richness of temporal logics.

Evidence-Based Verification

A Prototype on CWB-NC

Evidence-Based Verification

ConclusionCheckers produce abstract proof structures as

evidence. APS is independent of checker. Extracting APS won't affect the

complexities of checkers. APS justifies the correctness of result. APs attests to the quality of verification. A wide range of diagnostic information can

be built on this evidence. APSs are defined for Model checking,

Equiv. checking, and Preordering Checking.