Invisible Invariants: Underapproximating to Overapproximate
Ken McMillan, Cadence Research Labs
(Transcript of a PowerPoint presentation)
Invisible Invariants
• Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001).
• Parameterized Verification with Automatically Computed Inductive Assertions, T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck (CAV 2001).
• Liveness with Invisible Ranking, Yi Fang, Nir Piterman, A. Pnueli and L. Zuck (VMCAI'04).
• IIV: An Invisible Invariant Verifier, I. Balaban, Y. Fang, A. Pnueli, and L. D. Zuck (CAV 2005).
Parameterized Systems
• Suppose we have a parallel composition of N (finite state) processes, where N is unknown:
  P_1 || P_2 || P_3 || ... || P_N
• Proofs require auxiliary constructs, parameterized on N
  – For safety, an inductive invariant
  – For liveness, say, a ranking
• Pnueli et al., 2001: derive these constructs for general N by abstracting from the mechanical proof of a particular N.
  – Surprising practical result: under-approximations can yield over-approximations at the fixed point.
  – Subtle implementation: proofs can be done entirely using finite-state model checking, without explicitly generating the auxiliary constructs (hence "invisible" invariants).
Recipe for an invariant
1. Compute the reachable states R_N for fixed N (say, N=5).
   [Figure: the reachable state set R_N, each state a tuple of N local states.]
2. Project onto a small subset of processes (say 2). Writing the projection as P:
   P = {(s_1, s_2) | ∃ (s_1, s_2, ...) ∈ R_N}
3. Generalize from 2 to N, to get G_N:
   G_N = ∧_{i ≠ j ∈ [1..N]} P(s_i, s_j)
   [Figure: the projected pairs are instantiated for every pair of the N processes.]
4. Test whether G_N is an invariant for all N: ∀ N. G_N ⇒ X G_N
Checking inductiveness
• This problem: ∀ N. G_N ⇒ X G_N
  ... can be reduced to this problem: G_M ⇒ X G_M
  ... where M is a fixed number.
• Inductiveness is equivalent to validity of this formula:
  G_N ∧ T ⇒ G'_N   (T is the transition relation; G'_N is G_N evaluated in the next state)
• Small model theorem:
  – If there is a countermodel with N > M, there is a countermodel with N = M
  – Suffices to check inductiveness for N ≤ M
Thus, both the invariant generation and invariant checking amount to finite-state model checking.
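As an added, constructed illustration of steps 1 through 4 above (not code from the slides or from the IIV tool): a mutual-exclusion protocol of N processes sharing one lock bit, where the invariant guess is built by finite-state reachability, projection onto the shared variable and a pair of processes, and generalization, and inductiveness is then checked by enumerating every state of a fixed M-process instance. The protocol, the local state encoding and the choices N=5, M=3 are my assumptions.

```python
from itertools import product

# Constructed example: N processes with local state 0=idle, 1=waiting, 2=critical and one shared lock bit x.
IDLE, WAIT, CRIT = 0, 1, 2

def successors(state):
    """Transition relation T: one process steps at a time (interleaving)."""
    x, ls = state
    for i, s in enumerate(ls):
        if s == IDLE:                      # idle -> waiting, unconditionally
            yield (x, ls[:i] + (WAIT,) + ls[i + 1:])
        elif s == WAIT and not x:          # waiting -> critical, takes the lock
            yield (True, ls[:i] + (CRIT,) + ls[i + 1:])
        elif s == CRIT:                    # critical -> idle, releases the lock
            yield (False, ls[:i] + (IDLE,) + ls[i + 1:])

def reachable(n):
    """Step 1: R_N by finite-state worklist exploration from the all-idle initial state."""
    init = (False, (IDLE,) * n)
    seen, todo = {init}, [init]
    while todo:
        for nxt in successors(todo.pop()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def project(states):
    """Step 2: project onto the shared variable and a pair of processes i != j."""
    return {(x, ls[i], ls[j]) for x, ls in states
            for i in range(len(ls)) for j in range(len(ls)) if i != j}

def holds(pairs, state):
    """Step 3 read as a predicate: G_M(state) = AND over i != j of (x, s_i, s_j) in pairs."""
    return all(p in pairs for p in project({state}))

def inductive(pairs, m):
    """Step 4 for a fixed M: every M-process state satisfying G_M has only G_M successors."""
    for x in (False, True):
        for ls in product((IDLE, WAIT, CRIT), repeat=m):
            state = (x, ls)
            if holds(pairs, state) and not all(holds(pairs, s) for s in successors(state)):
                return False
    return True

def invisible_invariant(n, m):
    """Generalize from the N-process instance and test inductiveness on the M-process one."""
    return inductive(project(reachable(n)), m)
```

Generalizing from N=2 instead of N=5 yields a guess that fails the inductiveness check at M=3, because with only two processes the projection never sees a pair in which neither process holds the lock while it is taken; this is the "N < M" situation discussed later.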
SMT (small model theorem) example
• Allow the following variables:
  V = { N : natural > 1;
        x_1, ..., x_a : boolean;
        y_1, ..., y_b : [1..N];
        z_1, ..., z_c : array [1..N] of boolean }
• Some parameters i, j ranging over [1..N]
• An R-atom is x_i, or z_i[v], or v = w, where v, w are integer vars/params
• An R-assertion is a FO formula over R-atoms
  Example: ∀ i,j: i ≠ j ⇒ ¬(z_1[i] ∧ z_1[j])
• Small model results:
  – M depends mainly on quantifier structure of G_N and T
  – Example: if T has one universal and G_N has two, then M = 2b+3
Invisible invariants and AI
• A logical language L provides an abstract domain
• The semantics of L is given by the concretization function (call it γ): γ : L → 2^S
• Assuming L is finite and ∧-closed, we have an abstraction function (call it α):
  α(S) = ∧ { φ ∈ L | S ⊆ γ(φ) }
  That is, α(s) is the most we can say about set s in L.
Abstract domain for invisible invariants
L is the formulas of the form ∀ i,j ∈ [1..N]. φ, where φ is a QF formula over R-atoms.
In other words, L is our class of generalizations.
Abstraction function
• The project-and-generalize operation computes the abstraction function
• An R-minterm is a conjunction of literals over R-atoms
  – Every R-atom occurs exactly once
  – Think of it as a truth assignment to the R-atoms
  – Think of it as a local state, for a pair of processes (i,j)
  Example: i ≠ j ∧ z_1[i] ∧ ¬z_1[j]
• For a set S of states of the N-process system, we have (m ranging over R-minterms)
  α_N(S) = ∀ i,j. ∨_{s ∈ S} α_N(s)
  α_N(s) = { m ∈ R-minterms | s ⊨ ∃ i,j. m }
Note computing α_N involves finitely many evaluations.
Invisible invariant construction
• We construct the invariant guess by reachability and abstraction
  [Figure: iterate the concrete transformer of the N-process instance from its initial states until the fixpoint R_N is reached, then abstract: G_N = α_N(R_N).]
• Testing the invariant guess
  [Figure: check that G_N is preserved by the transformer of the N-process instance; by SMT this suffices if N ≥ M.]
Invariant by AI
• Abstract transformer t^#
  [Figure: iterate t^# in the abstract domain L until the fixpoint.]
• Compute strongest inductive invariant in L
  t^# is difficult to compute because of the unbounded quantifier.
  For our particular L, this is called Indexed Predicate Abstraction.
Under-approximation
• Amir's idea of generalizing finite instances suggests we can under-approximate the best abstract transformer t^#
  [Figure: t^#_N, the transformer computed on the N-process instance, under-approximates t^#.]
  SMT implies that for N ≥ M, t^# and t^#_N are equivalent!
• This has two consequences
  – For N ≥ M, we can compute t^# exactly by finite-state methods, without using a theorem prover.
  – For N < M, we might still reach a fixed point that is inductive for all N...
Three methods
[Figure: three plans for computing the least fixed point of t^#.]
A: compute lfp(t^#) directly.
B: compute lfp(t^#_N) using the finite-instance transformer; if the result is a fixpoint of t^#, then it equals the result of A.
C: compute α_N(lfp(t_N)), i.e. concrete reachability for N processes followed by abstraction; if the result is a fixpoint of t^#_N, then it equals the result of B.
Shape analysis
• Allow the following variables:
  V = { N : natural > 1;
        x_1, ..., x_a : boolean;
        y_1, ..., y_b : [1..N];
        z_1, ..., z_c : array [1..N] of boolean;
        p_1, ..., p_d : array [1..N] of 1..N }   (pointers!)
• Add a reachability predicate reap(i,j)
  Example: ∀ i: reap(y_1, i) ⇒ z_1[i]
• Small model results possible for limited cases
  – But if not, can apply theorem prover to test invariance
• Allows abstraction of linked lists
Canonical shape graphs
• Plans A, B or C can be used for any abstract domain L
  – We only need to define the finite concretization (call it γ_N)
  – For example, γ_N might generate only concrete heaps to size N
  [Figure: a canonical shape graph with pointer variables x and y, summary nodes labelled by the reachability predicates rea_x and rea_y, and null; γ_N might allow just N concrete nodes for each summary node.]
• Each canonical graph corresponds to a logical formula [YRSW2003]
  – We can test inductiveness using a theorem prover
Invisible shape graphs?
[Figure: plans A, B and C applied to the abstract transformer t^# on shape graphs; the fixpoint candidate is written φ here and φ' is its post-image.]
A: Use model-generating prover to compute samples violating φ'
B: Use SAT solver to compute bounded samples violating φ'
C: Compute all bounded concrete heaps (symbolically?) then abstract
These methods require the theorem prover to be called just once, to test the fixpoint.
Of course, the test may fail.
Conclusion
• Invisible invariants suggest a general approach to abstract interpretation based on two ideas:
  – Under-approximations can yield over-approximations at the fixed point
    • This is a bit mysterious, but observationally true
  – Computing the fixed point with under-approximations can use more light-weight methods
    • For example, BDD-based model checking instead of a theorem prover
    • To verify the fixed point, need either an SMT or a theorem prover (but just once!)
Invisible invariants give a less reliable but much less expensive way to compute the least fixed point for a given abstract domain.