CAV Talk

Download Report

Transcript CAV Talk 

Counter-Example Based Predicate
Discovery in Predicate Abstraction
Satyaki Das and David L. Dill
Computer Systems Lab
Stanford University
[email protected]
[email protected]
1
Outline
 Motivation
 Predicate Abstraction
 Predicate Discovery
 Application to AODV
 Conclusion
2
Motivation
Easy verification of infinite state systems
3
Simple Mutual Exclusion Protocol
 A trivial example to illustrate concepts
 Clients communicate with server via asynchronous
messages

Three kinds of messages:
– REQUEST
– GRANT
– RELEASE
 Infinite state


4
Unbounded message queue
Any number of clients
Protocol Steps
cs[i]=false
Client Variables
REQUEST(i)
granted=false
cs:array of boolean
granted:=true
current:=i
Server Variables
granted:boolean;
current:integer;
Queue Variables
GRANT(i)
cs[i]:=true
cs[i]:=false
RELEASE(i)
Q.type:array of enum;
Q.node:array of integer;
granted:=false
5
Verification Condition
For distinct nodes, a and b prove that,
cs[a] /\ cs[b] )
6
Outline
 Motivation
 Predicate Abstraction
 Predicate Discovery
 Application to AODV
 Conclusion
7
Abstraction
 A finite set of predicates defines the abstraction
 Abstraction is conservative
Predicates:
bit1: cs[a]
bit2: cs[b]
[00]
Abstract
Concrete
a
g
cs = lx. false
Q.type = lx. EMPTY
granted = false
cs = lx. false
Q.type = lx. EMPTY
granted = true
8
Abstraction (contd)
 Abstract transition relation is conservative


Abstract next states must contain all concrete successors
And possibly more states
Predicates:
bit1: cs[a]
bit2: cs[b]
t
RA
s
Abstract
g
g
Example
Let s=[10] and t=[11]
Concrete
g(s) contains a state where a GRANT(b)
message is in queue
x
y
RC
9
So we have abstract transition from s to t!
Abstract Counter-Example
 If model checking fails an abstract counter-example
produced
 Concrete transitions are present for each pair of
consecutive abstract states

But concrete counter-example may not be present!
Real Trace
Spurious
Abstract
g
g
g
Concrete
y’
x
10
y’’
z
Tool Block Diagram
Property
System
Proved!!!
Model
Checker
Abstraction
Module
Abstract
counter-example
Predicates
BDD
CVC
Predicate
Generator
Trace
Checker
CVC
11
Concrete
counter-example
History of Predicate Abstraction
And many more…
Graf and Saidi
CAV 97
Colon and Uribe
CAV 98
Shankar and Saidi
CAV 99
Das,Dill and Park
CAV 99
Flanagan et al
POPL 2002
Saidi and Lessens
ENTCS 97
SLAM
Software Model Checking
Ball, Rajamani et al
2000-present
Invariant Generation
12
InVeSt
CAV 98
Das and Dill
LICS 2001
Bensalem et al
TACAS 01
Henzinger et al
POPL 02
Tiwari et al
TACAS 01
Outline
 Motivation
 Predicate Abstraction
 Predicate Discovery
 Application to AODV
 Conclusion
13
Predicate Discovery Example
 Rejoin action after the first iteration
 Current predicates are:



xxx
“a in critical section” cs[a]
“b in critical section” cs[b]
“At least one GRANT message” $x. Q.type[x] = GRANT
init
Send GRANT
000
Rec GRANT
Rec GRANT
001
111
011
Predicates:
Is abstract trace spurious?
14
bit1: cs[a]
bit2: cs[b]
bit3: $x. Q.type[x] = GRANT
Predicate Discovery Example (contd)
init
xxx
Send GRANT
000
Rec GRANT
001
Rec GRANT
011
111
Minimal spurious trace found!
Predicates:
bit1: cs[a]
bit2: cs[b]
bit3: $x. Q.type[x] = GRANT
15
Predicate Discovery Example (contd)
Rec GRANT
000
001
011
 cs[a]
 cs[b]
Q.type[m1] = GRANT
Q.type[m2] = GRANT
Q.node[m2] = b
m1  m2
These are the candidate predicates!
16
Predicates:
bit1: cs[a]
bit2: cs[b]
bit3: $x. Q.type[x] = GRANT
Predicate Discovery Example (contd)
Send GRANT
000
001
011
 cs[a]
 cs[b]
Predicates:
Q.type[m1] = GRANT
Q.type[m2] = GRANT
bit1: cs[a]
bit2: cs[b]
bit3: $x. Q.type[x] = GRANT
Q.node[m2] = b
m1  m2
Predicate added:
$ m1,m2. Q.type[m1]=GRANT /\ Q.type[m2]=GRANT /\ m1  m2
17
Predicate Discovery Algorithm
Step 1. Check if abstract counter-example is spurious
Step 2. If not spurious, concrete error trace has been found.
Otherwise find a minimal spurious trace
Step 3. Solve non-spurious tail to find candidate predicates
that characterize the second state of the minimal
spurious trace
Step 4. Find a minimal set from these predicates to
construct new predicates
18
Outline
 Motivation
 Predicate Abstraction
 Predicate Discovery
 Application to AODV
 Conclusion
19
AODV Example
 Ad-hoc On-demand Distance Vector (AODV) routing
protocol.



Nodes can dynamically enter or leave the system.
Routes are maintained so that the nodes can communicate.
Important that routing table does not have loops.
 The method automatically proves the loop-freeness
of a simplified version of the protocol.

Protocol was simplified by not modeling timeouts
 Protocol highlights:



20
Routes are found by broadcasting request to neighbors
Sequence number tracks route age
Hop count tracks number of hops to destination
AODV Example
c
b
Message Queue
a
 Proof obligation: If a’s next hop in route to c is b then either
a’s sequence number is lower than that of b or the sequence
numbers of a and b are the same but the hop count of a is
higher than that of b
 Find predicates about messages present in the queue
 20 predicates were found in 14 iterations before the proof was
successfully completed
21
Outline
 Motivation
 Predicate Abstraction
 Predicate Discovery
 Application to AODV
 Conclusion
22
Conclusion
 Weakest pre-condition based abstraction
refinement is useful
 Future Work:



23
Easily usable concrete error traces would aid debugging
Better quantifier support would be nice
Integration with other predicate generation schemes
End
24
Predicate Discovery (contd)
 Generalize abstract transition relation to test for
spurious counter-example trace.
 Let counter-example trace be: s1, s2, … sM
 Concrete counter-example exists if,
RC(x1,x2) /\ RC(x2,x3) /\ … /\ RC(xM-1,xM)
/\ a(x1)=s1 /\ a(x2)=s2 /\ … /\ a(xM)=sM
is satisfiable for some concrete states x1, x2, … xM
 Notice that checking for spuriousness turns into a
validity check that we use CVC to carry out!
25
Predicate Discovery (contd)
 Remove first state if the remainder is spurious
 Repeat till removing first state makes the remainder
a real trace
 Do similar shortening at end of trace
Real Trace!
s2
s3
Real Trace!
26
s4
s5
Predicate Discovery (contd)
 Solve for conditions that must hold for the partial
trace corresponding to s2, s3, s4, s5.
 The conditions on the concrete state x2 can be
derived by finding a satisfying assignment for:
a(x2)=s2 /\ a(x3)=s3 /\ a(x4)=s4 /\ a(x5)=s5
/\ RC(x2,x3) /\ RC(x3,x4) /\ RC(x4,x5)
 Let the solution be the conjunction of predicates,
s1x2), s2x2), …, sL(x2)
 These are our candidate predicates!
27
Predicate Discovery (contd)
 For the candidate predicates it must be the case,
s1(x2) /\ s2(x2) … /\ sL(x2)
/\ RC(x1,x2) /\ a(x1)=s1
Is unsatisfiable for all x1 and x2.
 Find a minimal subset of predicates (say s1 and s2
in this case) such that,
s1(x2) /\ s2(x2)
/\ RC(x1,x2) /\ a(x1)=s1
Is still unsatisfiable.
 Use s1 and s2 as predicates to refine the abstraction
28
Related Work
 Predicate Abstraction



Graf and Saidi in CAV 1997
Colon and Uribe in CAV 1998
Flanagan and Qadeer in POPL 2002
 Counter-example guided refinement







29
Alur et al in CAV 95
Bensalem et al in CAV 98
Lakhnech et al in TACAS 2001
Tiwari et al in TACAS 2001
Clark, Grumberg et al CAV 2000
SLAM Project at MSR (POPL 2002)
BLAST project at Berkeley (POPL 2002)
Implementation
 Binary Decision Diagrams (BDD) are used to
represent abstract system and for model checking
 Cooperating Validity Checker (CVC) is used to
check satisfiability


CVC is a decision procedure for quantifier free first order
logic
Supported types in CVC include booleans, rationals, stores
(unbounded arrays) and records
 Quantifier support

30
Heuristics were used for quantifier instantiation
Verification Scheme
Concrete System
Safety Property
Property Verified!
Abstract and
Model Check
Abstract Counter-example
Initial Predicates
New predicates
Check Counter-example
and Discover Predicates
Concrete
Counter-example
31
Predicate Discovery Intuition
 A spurious trace is an abstract trace with no
concrete counterpart

Real trace is one which has a concrete counterpart
 Predicates are added to remove spurious traces
x’2
x1
x2
x3
New Predicate
Spurious counter-example is avoided in refined abstraction!
32
Protocol Description
Ruleset (msg):
Ruleset (cell,msg):
“Send REQUEST”
 cs[cell] /\ Q.type[msg]=EMPTY 
Q.type[msg]:=REQUEST;
Q.node[msg]:=cell
“Receive REQUEST”
 granted /\ Q.type[msg]=REQUEST 
Q.type[msg] := GRANT;
granted := true;
current := Q.node[msg]
“Receive GRANT”
 cs[cell] /\ Q.type[msg]=GRANT
/\ Q.node[msg]=cell 
Q.type[msg]:=EMPTY;
cs[cell]:=true
“Receive RELEASE”
granted /\ Q.type[msg]=RELEASE
/\ Q.node[msg]=current 
Q.type[msg] := EMPTY;
granted := false
“Send RELEASE”
cs[cell] /\ Q.type[msg]=EMPTY 
Q.type[msg] := RELEASE;
Q.node[msg] := cell;
cs[cell] := false
Server Rules
Client Rules
Rule
true 
Q.type := lx. EMPTY;
cs := lx. false;
granted := false
Initialization Rule
33