1 / 41

410 likes | 420 Views

This paper discusses a symbolic approach using SAT enumeration for invariant checking and automatic predicate abstraction in term-level systems. The method generates and proves inductive invariants, handles a class of quantified predicates, and can augment with automated predicate discovery.

Download Presentation
## Symbolic Approaches for Invariant Checking and Automatic Predicate Abstraction

**An Image/Link below is provided (as is) to download presentation**
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.
Content is provided to you AS IS for your information and personal use only.
Download presentation by click this link.
While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

**Symbolic Approaches to Invariant Checking and Automatic**Predicate Abstraction Randal E. Bryant Carnegie Mellon University http://www.cs.cmu.edu/~bryant Contributions by graduate students: Sanjit Seshia, Shuvendu Lahiri**Outline**• Task • Prove safety properties of term-level systems • Method • Generate & prove inductive invariants by predicate abstraction • Features • Symbolic approach using SAT enumeration • Handles important class of quantified predicates • Augment with automated predicate discovery**Present**State Next State Inputs (Arbitrary) Verifying Safety Properties • State Machine Model • State encoded as Booleans, integers, and functions • Next state function expresses how updated on each step • Prove: System will never reach bad state Bad States Reachable States Reset States Reset**Reach Fixed-Point**Rn = Rn+1 = Reachable Impractical for Term-Level Models Many systems never reach fixed point Can keep adding elements to buffer Convergence test undecidable Rn • • • True Model Checking Bad States R2 R1 Reset States****I Inductive Invariant Checking Bad States • Key Properties of System that Make it Operate Correctly • Formulate as formula I • Prove Inductive • Holds initially I(s0) • Preserved by all state changes I(s) I((i, s)) Reachable States Reset States**Inductive Invariants**• Formulas I1, …, In • Ij(s0) holds for any initial state s0, for 1 jn • I1(s) I2(s) … In(s) Ij(s ) for any current state s and successor state s for 1 jn • Overall Correctness • Follows by induction on time • Restricted form of invariants • x1x2…xk (x1…xk) • (x1…xk) is a CLU formula without quantifiers • x1…xk are integer variables free in (x1…xk)**Restricted Invariants and Proofs**• Proving invariants inductive requires quantifiers |= (x1x2…xk (x1…xk)) y1y2…ym (y1…ym) |= x1x2…xk (x1…xk) y1y2…ym (y1…ym) • Universally Quantified Variables “Free” • Validity proves holds for all interpretations • Existentially Quantified Variables Make Problem Undecidable • Automatic instantiation of x1…xk with concrete terms • Sound but incomplete method • Reduce the quantified formula to a CLU formula • Can use the decision procedure for CLU**Constructing Invariants from Predicates**rob.head reg.tag(r) Recipe: Invariants r,t.reg.valid(r) reg.tag(r) = t (rob.head reg.tag(r) < rob.tail rob.dest(t) = r ) reg.valid(r) Result: Correctness reg.tag(r) = t rob.dest(t) = r**Automatic Predicate Abstraction**• Graf & Saïdi, CAV ‘97 • Idea • Given set of predicates P1(s), …, Pk(s) • Boolean formulas describing properties of system state • View as abstraction mapping: States {0,1}k • Defines abstract FSM over state set {0,1}k • Form of abstract interpretation • Do reachability analysis similar to symbolic model checking • Implementation • Early ones had weak inference capabilities • Call theorem prover or decision procedure to test each potential transition • Recent ones make better use of symbolic encodings**P1(s), …, Pk(s)**Abstraction Function Concretization Function s t s t Abstract State Space Abstraction Concretization Abstract States Abstract States Concrete States Concrete States**Abstract Transition**Concretize Abstract Concrete Transition s s t t Abstract State Machine • Transitions in abstract system mirror those in concrete Abstract System Concrete System**A**I Rn • • • R2 R1 Reset States Concretize C Concrete System Reset States Generating Concrete Invariant • Reach Fixed-Point on Abstract System • Termination guaranteed, since finite state • Equivalent to Computing Invariant for Concrete System • Strongest possible invariant that can be expressed by formula over these predicates Abstract System**Predicate Abstraction Example**• State Space • State variables: { x, y } • Initial State • { (2, 1) } • Next State Behavior • x x • y y • Verification Task • Prove all bad states unreachable Initial State Bad States**Precise Analysis**• Reachable States • { (2, 1), (2, 1) } Reachable States Bad States**cx:3**cx:y cy:0 L L G E E E G G L Predicates • Use 3-valued predicates in this example**cx:3**cx:y cy:0 L G G Abstract Initial State Reached Set #0 { LGG }**(Note loss of precision)**Concretize Concretize Concretize g g g s s s Step 1: Concretize Reached Set #0 Reached Set #0 { LGG } cx:3 cx:y cy:0 L G G**Concretize**Concretize Concretize g g g Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s Compute Possible Successor States x x y y**Concretize**Concretize Concretize Abstract Abstract Abstract g g g a a a Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s Abstract Newly Reached States cx:3 cx:y cy:0 L L L 0 0 0 Reached Set #1 { LLL, LGG }**(Note loss of precision)**Concretize Concretize Concretize g g g s s s Step 2: Concretize Reached Set #1 Reached Set #1 { LLL, LGG } cx:3 cx:y cy:0 L L L**Concretize**Concretize Concretize g g g Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s Compute Possible Successor States x x y y**cx:3**cx:y cy:0 Concretize Concretize Concretize Abstract Abstract Abstract g g g a a a G E Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s G G Abstract Newly Reached States Reached Set #2 { LLL, LGG, EGG, GGG }**Final Reached State Set**EGG LGG GGG LLL Bad States**Abstract Transition?**Concretize Concretize [P/B] [P/B] [P/B][/S] Predecessor Conventional Implementation of P.A. • Basis • Abstract state sets described as formulas over Boolean variables B = b1, …, bk • Current state given by formula (b1, …, bk) • Check whether candidate state (b1, …, bk) is successor Abstract System Intersect? Concrete System**Drawbacks of Conventional Implementation**Intersect? • Very Slow • Guess at possible next state • Construct term-level formula and test for satisfiability • Possibly 2k calls to decision procedure • Can Only Handle Proposition Predicates • Cannot construct quantified invariants [P/B] [P/B] [P/B][/S] Satisfiable? [P/B][/S]**All Abstract Transitions**(B, S, X) S, X How to reach abstract state B via concrete states S and X Symbolic Approach to P.A. • Lahiri, Bryant, Cook, CAV 2003 • Generate Quantified Formula Describing Next Abstract State Set • Current state given by formula (B) • Generate formula (B) describing all successors Abstract System**Symbolic Approach (cont.)**• Transform into Quantified Boolean Formula • Formula of form Next(B) = S, X(S, X, B) S, X: Integer and function variables B: Abstract state variables • Translate into Boolean formula of form A(A, B) A: Boolean variables encoding integer & function values • Key Property { B | (S, X, B) satisfiable } = { B | (A, B) satisfiable } • Solve using either SAT enumeration or BDD quantification**LGG**LLL Symbolic Formulation of Step 2 • Concretized State Set • Encode each 3-valued {L, E, G} predicate with 2 Boolean variables (l, g) • Represent state set as formula • (l1 g1 l2 g2l3 g3) (l1 g1 l2 g2l3 g3) l1: x < 3 l2: x < y g3: y > 0 g1: x > 3 g2: x > y l3: y < 0 Reached Set #1 { LLL, LGG }**Next-State Predicates**• Next State (x, y ) • Get predicates l1, l2, l3, g1, g2, g3 • Determine conditions under which predicates will hold in next state • Express in terms of current state (x, y)**l1**g3 l3 g1 (g2 g3 l1) l3 g3 (g1 g1) l2 g2 g1 l1 g2 l2 (g1 l1) Consistency Constraints • Eliminate impossible predicate combinations • In general, may need to introduce additional variables • To express more complex transitivity constraints**l1, l2, l3, g1, g2, g3**(g1 g1) (g1 l1) (g2 g3 l1) l2g2 g2l2 l3g3g3l3 [ (l1 g1 l2 g2l3 g3) (l1 g1 l2 g2l3 g3) ] Current State Consistency Constraints Symbolic Form • Formulation • Express compatible combinations of current-state & next-state variables • Quantify out current-state variables • Gives formula over next-state variables** (l1 g1 l2**g2l3 g3) Extracting Next-State Set • Run SAT checker over formula • Generate blocking clause for each newly generated state [ (l1 g1 l2 g2l3 g3) (l1 g1 l2 g2l3 g3) ] (g1 g1) (g1 l1) (g2 g3 l1) l2g2 g2l2 l3g3g3l3**Quantified Invariant Generation**(Lahiri & Bryant, VMCAI 2004) • User supplies predicates containing free variables • Generate globally quantified invariant • Example • Predicates p1: reg.valid(r) p2: rob.dest(t) = r p3: reg.tag(r) = t • Abstract state satisfying (p1p2p3) corresponds to concrete state satisfying r,t[reg.valid(r) reg.tag(r)=t rob.dest(t)=r] rather than r[reg.valid(r)] r,t[reg.tag(r)=t] r,t[rob.dest(t)=r]**Systems Verified with Predicate Abstraction**• Very general models • Unbounded processes, buffers, cache lines, … • Safety properties only**Automatic Predicate Discovery**• Strength of Predicate Abstraction • If give it right set of predicates, PA will put them together into invariant • Weakness • Gets nowhere without right set of predicates • Typical failure mode: Generate “true” as invariant • Challenges • Too many predicates will overwhelm PA engine • Our use of quantified invariants precludes counterexample-generated refinement techniques**Initial set of atomic predicates**from the invariant P WP-based new predicate generation from P Generate inductive invariant using predicate abstraction over P Yes, Done No Property proved? Iterative Generation of Predicates • Lahiri & Bryant, CAV ’04 • Generate new set of predicates if current predicates not sufficient**Case Study 1: N-Bakery**• N-Process mutual exclusion protocol [Lamport ’76] • Each process contains • An unbounded ticket • A counter with range [1…N] • Other Boolean state variables • Safety: Mutual exclusion property • Constructs inductive invariant in 3 iterations of WP-based predicate discovery • Iteration 1: # Predicates = 1, Time to construct inv = .81s • Does not imply mutual exclusion • Iteration 2: # Predicates = 18, Time = 55.8s • Does not imply mutual exclusion • Iteration 3: # Predicates = 33, Time = 471s • Implies mutual exclusion**Case Study 2: German’s Cache Protocol**• N-Client Directory based Cache Coherence Protocol [German, IBM] • Each client contains Boolean state variables • 3 single-entry channels to communicate with central process • Central “home” process contains • Directory : [1..N] {0,1} of clients sharing a line • Current client id [1…N] • Boolean variables • Safety: Mutual exclusion property • Constructs inductive invariant in 4 iterations of WP-based predicate discovery • Iteration 1: # Predicates = 4, Time (to construct inv) = 1.46 s • Iteration 2: # Predicates = 12, Time = 11.94 s • Iteration 3: # Predicates = 24, Time = 207 s • Iteration 4: # Predicates = 28, Time = 1266s • Implies mutual exclusion**Extension of German’s cache protocol**• Each client communicates with home with unbounded FIFO channels • Unbounded number of unbounded channels • Verification complexity goes up considerably • 2 manually provided predicates for FIFOs required • Predicates involved constant offsets • Time to construct inductive invariant = 3 hours**Predicate Abstraction Convergences**• Powerful method for generating & evaluating abstract model of system • Applicable to variety of systems with different modeling levels**Observations**• Predicate Abstraction • Combines features of theorem proving & model checking • Very general and powerful technique • Lots of ways to generalize • Making More Efficient • Symbolic formulation very general • SAT enumeration limits capacity to ~25 predicates • Making Easier to Use • Automatic predicate discovery • Limitation: Hard to find counterexamples

More Related