1 / 101

Infinite State Model Checking with Presburger Arithmetic Constraints

Infinite State Model Checking with Presburger Arithmetic Constraints. Tevfik Bultan Department of Computer Science University of California, Santa Barbara. Joint Work with My Students. Action Language Verifier Tuba Yavuz-Kahveci (PhD 2004) Constantinos Bartzis (PhD 2004)

johana
Download Presentation

Infinite State Model Checking with Presburger Arithmetic Constraints

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Infinite State Model Checking with Presburger Arithmetic Constraints Tevfik Bultan Department of Computer Science University of California, Santa Barbara

  2. Joint Work with My Students • Action Language Verifier • Tuba Yavuz-Kahveci (PhD 2004) • Constantinos Bartzis (PhD 2004) • Design for verification • Aysu Betin-Can (PhD 2005)

  3. Infinite State Model Checking? • Model checking started as a finite state verification technique • Advantages of finite state systems: • Exhaustive state enumeration is possible for finite state systems • Disadvantages of infinite state systems: • Verification problems that are computable for finite state systems are uncomputable for infinite state systems

  4. Why Care About Infinity? • Computer systems do not have infinite memory or infinite time • So why care about infinity? • Infinity is an abstraction • Abstraction is at the core of computer science • Computers are built with layers of abstractions • Abstraction is necessary for design • Abstraction is necessary for analysis

  5. Why Care About Infinity? • Reason 1: • Enables us to check a specification with respect to an arbitrarily large number of components or memory • For example, arbitrary number of threads • Reason 2: • Rather than developing verification techniques that rely on the bound of the state space to terminate • Enables us to develop infinite state verification techniques that terminate independent of the bound • A technique which is guaranteed to terminate is not helpful if it runs out of memory

  6. An Example • A simple example that demonstrates limitations of (finite state) model checkers • Property P can be verified with an infinite state model checker that uses standard backward fixpoint computations • Fixpoint computation for some properties • for example, AG(State1  x 6) may not converge but we can use conservative approximations x’=x+1 State0 State1 x’=x+1 Initial: x=0  State0 P: AG(State1  x is odd) P: AG(State1  ( . x =2+1))

  7. Outline • Model checking with arithmetic constraints • Conservative approximations • Automata representation for arithmetic constraints • Composite representation • Action Language Verifier (ALV) • Checking synchronization in concurrent programs with ALV

  8. Symbolic Model Checking[McMillan et al. LICS 1990] • Represent sets of states and the transition relation as Boolean logic formulas • Forward and backward fixpoints can be computed by iteratively manipulating these formulas • Forward, backward image: Existential variable elimination • Conjunction (intersection), disjunction (union) and negation (set difference), and equivalence check • Use an efficient data structure for manipulation of Boolean logic formulas • BDDs

  9. Symbolic Model Checking • What do you need to compute fixpoints? Symbolic Conjunction(Symbolic,Symbolic) Symbolic Disjunction(Symbolic,Symbolic) Symbolic Negation(Symbolic) Boolean EquivalenceCheck(Symbolic,Symbolic) Symbolic Precondition(Symbolic) • Precondition (i.e., EX) computation is handled by: • variable renaming, followed by conjunction, followed by existential variable elimination • Infinite state model checking: Use a symbolic representation that is capable of representing infinite sets and supports the above functionality

  10. Linear Arithmetic Constraints • Linear arithmetic formulas can represent (infinite) sets of valuations of unbounded integers • Linear integer arithmetic formulas on can be stored as a set of polyhedra where each is a linear equality or inequality constraint and each is a polyhedron xi integer variable, ai coefficient, c constant

  11. A Linear Arithmetic Constraint Manipulator • Omega Library [Pugh et al.] • A tool for manipulating Presburger arithmetic formulas: First order theory of integers without multiplication • Equality and inequality constraints are not enough • Divisibility constraints are also needed • which means:is divisible by

  12. Integers are Complicated y x – 5  2y 2y  x – 1 x 3y 3y  x + 7 3 29 x dark shadow real shadow

  13. Presburger Arithmetic Model Checking[Bultan et al. CAV’97, TOPLAS’99] • Use linear arithmetic constraints as a symbolic representation • Use a Presburger arithmetic manipulator as the symbolic engine (Omega library) • Compute fixpoints to verify or falsify CTL properties • Use conservative approximations to achieve convergence

  14. What About Using BDDs for Encoding Arithmetic Constraints? • Arithmetic constraints on boundedinteger variables can be represented using BDDs • Use a binary encoding • represent integer x as x0x1x2... xk • where x0, x1, x2, ... , xk are binary variables • You have to be careful about the variable ordering! • BDDs and constraint representations are both applicable • Which one is better?

  15. Arithmetic Constraints vs. BDDs[Bultan TACAS’00]

  16. Arithmetic Constraints vs. BDDs

  17. Arithmetic Constraints vs. BDDs • Constraint based verification can be more efficient than BDDs for integers with large domains • Constraint based verification can be used to automatically verify infinite state systems • cannot be done using BDDs • However, BDD-based verification is more robust and the arithmetic constraint representation has two problems: • Problem 1: Constraint based verification does not scale well when there are boolean or enumerated variables in the specification • Problem 2: Price of infinity • CTL model checking becomes undecidable for infinite domains

  18. Outline • Model checking with arithmetic constraints • Conservative approximations • Automata representation for arithmetic constraints • Composite representation • Action Language Verifier (ALV) • Checking synchronization in concurrent programs with ALV

  19. Conservative Approximations • Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p )

  20. Conservative Approximations • Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p ) • There are three possible outcomes: p p I 1) “The property is satisfied”

  21. Conservative Approximations • Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p ) • There are three possible outcomes: I p p p I p 1) “The property is satisfied” 3) “I don’t know” sates which violate the property I p p+  p 2) “The property is false and here is a counter-example”

  22. Conservative Approximations • Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p ) • There are three possible outcomes: I p p p I p 1) “The property is satisfied” 3) “I don’t know” sates which violate the property I p p+  p 2) “The property is false and here is a counter-example”

  23. Conservative Approximations • Truncated fixpoint computations • To compute a lower bound for a least-fixpoint computation • Stop after a fixed number of iterations • Widening • To compute an upper bound for the least-fixpoint computation • We use a generalization of the polyhedra widening operator by [Cousot and Halbwachs POPL’78]

  24. Polyhedra Widening y x  y y  5 1  y x x  4 Ai:x  y  x  4  y  5  1  y

  25. Polyhedra Widening x  y y x  y y  5 y  5 1  y 1  y x x  5 x  4 Ai:x  y  x  4  y  5  1  y Ai+1: x  y  x  5  y  5  1  y

  26. Polyhedra Widening y x  y y  5 1  y x x  5 x  4 Ai:x  y  x  4  y  5  1  y Ai+1: x  y  x  5  y  5  1  y AiAi+1: x  y  y  5  1  y

  27. Polyhedra Widening x  y y x  y y  5 y  5 1  y 1  y x x  5 x  4 Ai:x  y  x  4  y  5  1  y Ai+1: x  y  x  5  y  5  1  y AiAi+1: x  y  y  5  1  y • Ai Ai+1 is defined as: • all the constraints in Ai • that are also satisfied by Ai+1

  28. Outline • Model checking with arithmetic constraints • Conservative approximations • Automata representation for arithmetic constraints • Composite representation • Action Language Verifier (ALV) • Checking synchronization in concurrent programs with ALV

  29. Automata Representation for Arithmetic Constraints [Bartzis, Bultan CIAA’02, IJFCS ’02] • Given an atomic linear arithmetic constraint in one of the following two forms we can construct an FA which accepts all the solutions to the given constraint • By combining such automata one can handle full Presburger arithmetic

  30. Basic Construction 0 1 2 • We first construct a basic state machine which • Reads one bit of each variable at each step, starting from the least significant bits • and executes bitwise binary addition and stores the carry in each step in its state In my figures alphabet symbols are written vertically! 0 1 0 0 / / 0 1 0 1 / 1 1 0 / 0 0 1 1 1 / / 0 1 Example x + 2y 1 1 / 1 0 1 / 0 1 1 / 0 010 + 2  001 0 0 / 1 0 1 0 0 / / 0 1 1 0 0 Number of states:

  31. Automaton Construction • Equality With 0 • All transitions writing 1 go to a sink state • State labeled 0 is the only accepting state • For disequations (), state labeled 0 is the only rejecting state • Inequality (<0) • States with negative carries are accepting • No sink state • Non-zero Constant Term c • Same as before, but now -c is the initial state • If there is no such state, create one (and possibly some intermediate states which can increase the size by |c|)

  32. Conjunction and Disjunction 0 0 1 0,1,1 0 1 0,1 1 0 Automaton for x-y<1 1 0 1 0 -1 0 1 0 1 0 0 1 0,1,1 0 0 0,1 0 0 0,1 0,-1 0 0 1 1 1 0 1 1 1 0,1 0 1 Automaton for x-y<1  2x-y>0 1 0 0 1 0,1 Automaton for 2x-y>0 0 1 0,1 0 1 0,1 -1,-1 -1,0 -1 0 0 1 0 0 0 0 0 1 0 1 0 1 0 0 1 1,1 0 1 1,1 1 0 0 1 1 1,0,1 -2,-1 -2,0 -2,1 -2 0 1 1 0 1 1 • Conjunction and disjunction is handled by generating the product automaton

  33. Other Extensions • Existential quantification (necessary for pre and post) • Project the quantified variables away • The resulting FA is non-deterministic • Determinization may result in exponential blowup of the FA size but we do not observe this in practice • For universal quantification use negation • Constraints on all integers • Use 2’s complement arithmetic • The basic construction is the same • In the worst case the size doubles

  34. Experiments • We implemented these algorithms using MONA [Klarlund et al] • We integrated them to our infinite state model checker • We compared our automata representation against • the polyhedral representation used in the Omega library • the automata representation used in LASH [Boigelot and Wolper] • we also integrated LASH to our model checker by writing a wrapper around it

  35. Experimental results

  36. Experimental results

  37. Experimental results

  38. Efficient Pre- and Post-condition Computations [Bartzis, Bultan CAV’03] • Pre and post condition computations can cause an exponential blow-up in the size of the automaton in the worst case • We do not observe this blow-up in the experiments • We proved that for a common class of systems this blow up does not occur

  39. Assumptions About the Transition Relation • We assume that the transition relation of the input system is a disjunction of formulas in the following form guard(R)  update(R) where • guard(R) is a Presburger formula on current state variables and • update(R) is of the form xi’=f(x1, …, xv)   xj’= xj • In asynchronous concurrent systems the transition relation is usually in the above form ji

  40. Three Classes of Updates • xi’ = c • xi’ = xi + c • xi’ = j=1aj· xj + c We proved that • Computation of pre is polynomial for all 3 cases • Computation of post is polynomial for 2 and for 3, whenever ai is odd. v

  41. Other Results Related to Automata Encoding[Bartzis, Bultan TACAS’03, STTT] • We developed efficient BDD construction algorithms and proved bounds for the sizes of the BDDs for bounded linear arithmetic constraints • Given a linear arithmetic formula that contains n atomic constraints on v bounded integer variables represented with b-bits, the size of the BDD is: • These results explain why all three versions of SMV (NuSMV, CMU SMV and Cadence SMV) are inefficient in handling linear arithmetic constraints • In SMV the BDD size could be exponential in b

  42. Other Results Related to Automata Encoding[CAV’04] • We defined a widening operator for the automata representation of arithmetic constraints • The widening operator looks for similar states in two consecutive iterations (Ai and Ai+1) and creates an equivalence relation • then it merges the states in the same equivalence class • We can prove that for some cases this widening operator computes the exact fixpoint • for example for updates of the form x’=x+c

  43. Example • The sequence y=x, y=x  y=x+1, y=x  y=x+1  y=x+2, … does not converge • However we know that a fixpoint exists (yx) and is representable as an arithmetic constraint module incr_1 integer y; parameterized integer x; initial: y=x; incr_1: y'=y+1; spec: AG(y>=x) endmodule

  44. Widening • Instead of computing a sequence A1, A2, … where Ai+1=Aipost(Ai) compute A’1, A’2, … where A’i+1=A’i(A’ipost(A’i)) • By definition AB  AB • The goal is to find a widening operator  such that: • The sequence A’1, A’2, … converges • It converges fast • The computed fixpoint is as close as possible to the exact set of reachable states

  45. Widening Arithmetic Automata • Given automata A and A’ we want to compute AA’ • We say that states k and k’ are equivalent (kk’) if either • k and k’ can be reached from either initial state with the same string (unless k or k’ is a sink state) • or, the languages accepted from k and k’ are equal • or, for some state k’’, kk’’ and k’k’’ • The states of AA’ are the equivalence classes of 

  46. Example 0 1 0,1 X X y=x 1 0 0,1 0 0 1 0 1 1 3 0 1 0,1 0 y=x y=x+1 1 0 0,1 0 X 0,1 1 1 X X 0 3 0 1 2 1 0 2 0 1 0,1 3 1 0

  47. Example 0 1 0,1 0 1 0,1 X X 1 0 0,1 0 X 0,1 1 X X 1 0 0,1 0 1 0 3 0 1 1 0 2 0 1 0,1 1 0 0 X 0,1 1 0 X X = 1 0 0 1 0,1 0,1 2 3 0 1

  48. Example 0 0, X 1 1 0 X X 1 0 0 1 0,1 0 2 0 0 1 2 0 1 1 1 3 2 4 0 X 0,1 0 X 1 1 0 1 0 X X 0 0 2 1 0 1 0,1 0 3 4 0 1 2 0 1 3 1 0 1 0 1 4 X 0

  49. Example 0 X 0,1 0 0, X 1 1 0 X X 1 0 X X X 1 1 0 0 0 2 1 0 0 1 0,1 0 1 0,1 0 1 2 0 3 4 0 1 0 1 0 1 1 0 1 0 1 X 0 0 X 0,1 X 1 0,0 = 1 0 Represents: yx 0,2 1,3 0 1

  50. Outline • Model checking with arithmetic constraints • Conservative approximations • Automata representation for arithmetic constraints • Composite representation • Action Language Verifier (ALV) • Checking synchronization in concurrent programs with ALV

More Related