Counter-Example Based Predicate Discovery in Predicate Abstraction

# Counter-Example Based Predicate Discovery in Predicate Abstraction

## Counter-Example Based Predicate Discovery in Predicate Abstraction

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Satyaki Das and David L. Dill Computer Systems Lab Stanford University satyakid@stanford.edu dill@cs.stanford.edu Counter-Example Based Predicate Discovery in Predicate Abstraction

2. Outline • Motivation • Predicate Abstraction • Predicate Discovery • Application to AODV • Conclusion

3. Motivation Easy verification of infinite state systems

4. Simple Mutual Exclusion Protocol • A trivial example to illustrate concepts • Clients communicate with server via asynchronous messages • Three kinds of messages: • REQUEST • GRANT • RELEASE • Infinite state • Unbounded message queue • Any number of clients

5. Protocol Steps cs[i]=false Client Variables cs:array of boolean granted=false REQUEST(i) granted:=true current:=i Server Variables granted:boolean; current:integer; GRANT(i) cs[i]:=true Queue Variables Q.type:array of enum; Q.node:array of integer; cs[i]:=false RELEASE(i) granted:=false

6. Verification Condition For distinct nodes, a and b prove that, Ø ( cs[a] /\ cs[b] )

7. Outline • Motivation • Predicate Abstraction • Predicate Discovery • Application to AODV • Conclusion

8. Abstraction • A finite set of predicates defines the abstraction • Abstraction is conservative Predicates: bit1: cs[a] bit2: cs[b] [00] a Abstract cs = lx. false Q.type = lx. EMPTY granted = false Concrete g cs = lx. false Q.type = lx. EMPTY granted = true

9. Abstraction (contd) • Abstract transition relation is conservative • Abstract next states must contain all concrete successors • And possibly more states Predicates: bit1: cs[a] bit2: cs[b] t RA s Abstract Example Let s=[10] and t=[11] g(s) contains a state where a GRANT(b) message is in queue So we have abstract transition from s to t! g g Concrete x y RC

10. Abstract Counter-Example • If model checking fails an abstract counter-example produced • Concrete transitions are present for each pair of consecutive abstract states • But concrete counter-example may not be present! Real Trace Spurious Trace g g Abstract g Concrete y’ z x y’’

11. Tool Block Diagram Property System Proved!!! Model Checker Abstraction Module Abstract counter-example Predicates BDD CVC Predicate Generator Trace Checker Concrete counter-example CVC

12. History of Predicate Abstraction And many more… Graf and Saidi CAV 97 Colon and Uribe CAV 98 Shankar and Saidi CAV 99 Das,Dill and Park CAV 99 Das and Dill LICS 2001 Flanagan et al POPL 2002 Saidi and Lessens ENTCS 97 SLAM Ball, Rajamani et al 2000-present Henzinger et al POPL 02 Software Model Checking Bensalem et al TACAS 01 Tiwari et al TACAS 01 InVeSt CAV 98 Invariant Generation

13. Outline • Motivation • Predicate Abstraction • Predicate Discovery • Application to AODV • Conclusion

14. Predicate Discovery Example • Rejoin action after the first iteration • Current predicates are: • “a in critical section” cs[a] • “b in critical section” cs[b] • “At least one GRANT message” \$x. Q.type[x] = GRANT Send GRANT Rec GRANT Rec GRANT init 000 xxx 001 111 011 Predicates: bit1: cs[a] bit2: cs[b] bit3: \$x. Q.type[x] = GRANT Is abstract trace spurious?

15. Predicate Discovery Example (contd) Rec GRANT Rec GRANT init Send GRANT 001 111 011 xxx 000 Minimal spurious trace found! Predicates: bit1: cs[a] bit2: cs[b] bit3: \$x. Q.type[x] = GRANT

16. Predicate Discovery Example (contd) Rec GRANT 011 001 000 Ø cs[a] Ø cs[b] Q.type[m1] = GRANT Q.type[m2] = GRANT Q.node[m2] = b Predicates: bit1: cs[a] bit2: cs[b] bit3: \$x. Q.type[x] = GRANT m1¹ m2 These are the candidate predicates!

17. Predicate Discovery Example (contd) Send GRANT 011 001 000 Ø cs[a] Ø cs[b] Predicates: bit1: cs[a] bit2: cs[b] bit3: \$x. Q.type[x] = GRANT Q.type[m1] = GRANT Q.type[m2] = GRANT Q.node[m2] = b m1¹ m2 Predicate added: \$ m1,m2. Q.type[m1]=GRANT /\ Q.type[m2]=GRANT /\ m1¹ m2

18. Predicate Discovery Algorithm Step 1. Check if abstract counter-example is spurious Step 2. If not spurious, concrete error trace has been found. Otherwise find a minimal spurious trace Step 3. Solve non-spurious tail to find candidate predicates that characterize the second state of the minimal spurious trace Step 4. Find a minimal set from these predicates to construct new predicates

19. Outline • Motivation • Predicate Abstraction • Predicate Discovery • Application to AODV • Conclusion

20. AODV Example • Ad-hoc On-demand Distance Vector (AODV) routing protocol. • Nodes can dynamically enter or leave the system. • Routes are maintained so that the nodes can communicate. • Important that routing table does not have loops. • The method automatically proves the loop-freeness of a simplified version of the protocol. • Protocol was simplified by not modeling timeouts • Protocol highlights: • Routes are found by broadcasting request to neighbors • Sequence number tracks route age • Hop count tracks number of hops to destination

21. AODV Example c b Message Queue a • Proof obligation: If a’s next hop in route to c is b then either a’s sequence number is lower than that of b or the sequence numbers of a and b are the same but the hop count of a is higher than that of b • Find predicates about messages present in the queue • 20 predicates were found in 14 iterations before the proof was successfully completed

22. Outline • Motivation • Predicate Abstraction • Predicate Discovery • Application to AODV • Conclusion

23. Conclusion • Weakest pre-condition based abstraction refinement is useful • Future Work: • Easily usable concrete error traces would aid debugging • Better quantifier support would be nice • Integration with other predicate generation schemes

24. End

25. Predicate Discovery (contd) • Generalize abstract transition relation to test for spurious counter-example trace. • Let counter-example trace be: s1, s2, … sM • Concrete counter-example exists if, RC(x1,x2) /\ RC(x2,x3) /\ … /\ RC(xM-1,xM) /\ a(x1)=s1 /\ a(x2)=s2 /\ … /\ a(xM)=sM is satisfiable for some concrete states x1, x2, … xM • Notice that checking for spuriousness turns into a validity check that we use CVC to carry out!

26. Predicate Discovery (contd) • Remove first state if the remainder is spurious • Repeat till removing first state makes the remainder a real trace • Do similar shortening at end of trace Real Trace! s5 s2 s4 s3 Real Trace!

27. Predicate Discovery (contd) • Solve for conditions that must hold for the partial trace corresponding to s2, s3, s4, s5. • The conditions on the concrete state x2 can be derived by finding a satisfying assignment for: a(x2)=s2 /\ a(x3)=s3 /\ a(x4)=s4 /\ a(x5)=s5 /\ RC(x2,x3) /\ RC(x3,x4) /\ RC(x4,x5) • Let the solution be the conjunction of predicates, s1(x2), s2(x2), …, sL(x2) • These are our candidate predicates!

28. Predicate Discovery (contd) • For the candidate predicates it must be the case, s1(x2) /\ s2(x2) … /\ sL(x2) /\ RC(x1,x2) /\ a(x1)=s1 Is unsatisfiable for all x1 and x2. • Find a minimal subset of predicates (say s1 and s2 in this case) such that, s1(x2) /\ s2(x2) /\ RC(x1,x2) /\ a(x1)=s1 Is still unsatisfiable. • Use s1 and s2 as predicates to refine the abstraction

29. Related Work • Predicate Abstraction • Graf and Saidi in CAV 1997 • Colon and Uribe in CAV 1998 • Flanagan and Qadeer in POPL 2002 • Counter-example guided refinement • Alur et al in CAV 95 • Bensalem et al in CAV 98 • Lakhnech et al in TACAS 2001 • Tiwari et al in TACAS 2001 • Clark, Grumberg et al CAV 2000 • SLAM Project at MSR (POPL 2002) • BLAST project at Berkeley (POPL 2002)

30. Implementation • Binary Decision Diagrams (BDD) are used to represent abstract system and for model checking • Cooperating Validity Checker (CVC) is used to check satisfiability • CVC is a decision procedure for quantifier free first order logic • Supported types in CVC include booleans, rationals, stores (unbounded arrays) and records • Quantifier support • Heuristics were used for quantifier instantiation

31. Verification Scheme Concrete System Property Verified! Abstract and Model Check Safety Property Abstract Counter-example Initial Predicates Check Counter-example and Discover Predicates New predicates Concrete Counter-example

32. Predicate Discovery Intuition • A spurious trace is an abstract trace with no concrete counterpart • Real trace is one which has a concrete counterpart • Predicates are added to remove spurious traces x3 x’2 x1 x2 New Predicate Spurious counter-example is avoided in refined abstraction!

33. Ruleset (cell,msg): “Send REQUEST” Ø cs[cell] /\ Q.type[msg]=EMPTY  Q.type[msg]:=REQUEST; Q.node[msg]:=cell “Receive GRANT” Ø cs[cell] /\ Q.type[msg]=GRANT /\ Q.node[msg]=cell  Q.type[msg]:=EMPTY; cs[cell]:=true “Send RELEASE” cs[cell] /\ Q.type[msg]=EMPTY  Q.type[msg] := RELEASE; Q.node[msg] := cell; cs[cell] := false Client Rules Ruleset (msg): “Receive REQUEST” Ø granted /\ Q.type[msg]=REQUEST  Q.type[msg] := GRANT; granted := true; current := Q.node[msg] “Receive RELEASE” granted /\ Q.type[msg]=RELEASE /\ Q.node[msg]=current  Q.type[msg] := EMPTY; granted := false Server Rules Protocol Description Rule true  Q.type := lx. EMPTY; cs := lx. false; granted := false Initialization Rule