Download presentation

Presentation is loading. Please wait.

Published byJake Trujillo Modified over 2 years ago

1
Exploiting the Dual View in Verification Koen Lindström Claessen Chalmers University Gothenburg, Sweden

2
informal formal Verification w/ Theorem Proving System Under Verification Expected/Wanted Property formula S formula P S P? model ~ actual behavior of system model ~ allowed behavior of system is every actual behavior allowed? does (S&¬P) have a model? counter example correctness proof

3
Full Pure First-Order Logic (FOL) First-order logic Predicate/function symbols Equality Universal/existential quantification Not included Arithmetic Least fixpoints Induction

4
FOL Decidability formula (Assumptions & ¬ProofObligation) contradiction (proof) satisfiable (model) infinite domain finite domain ? counter example correctness proof FOL is semi- decidable a domain (a set); plus interpretations for function/predicate symbols

5
This Talk Present an alternative view Dual View Though experiment with initial success System correct Formula satisfiable Model ~ correctness witness System incorrect Formula unsatisfiable Proof ~ concrete bug trace

6
Example: Ball Game Balls outin same different Can the last ball be red? green? 50

7
Modelling the Ball Game (#red, #green) (n+2,m) (n+1,m) (n,m+2) (n+1,m) (n+1,m+1) (n,m+1) initial state: (50,50)

8
Modelling the Ball Game in FOL % initial state r(s 50 (0),s 50 (0)). % transitions r(s(s(N)),M) r(s(N),M). r(N,s(s(M))) r(s(N),M). r(s(N),s(M)) r(N,s(M)). % final state -r(s(0),0). r(n,m) provable iff. (n,m) reachable -r(0,s(0)).

9
The Model (final state: -r(0,s(0))) 0 = '1 r('1,'1) : TRUE r('1,'2) : FALSE r('2,'1) : TRUE r('2,'2) : FALSE s('1) = '2 s('2) = '1 This is an abstraction of the original system

10
Modelling the Ball Game in FOL % initial states i(N,0). i(N,M) i(N,s(s(M))). i(N,M) r(N,M). % transitions r(s(s(N)),M) r(s(N),M). r(N,s(s(M))) r(s(N),M). r(s(N),s(M)) r(N,s(M)). % final state -r(0,s(0)).

11
The Model 0 = '1 i('1,'1) : TRUE i('1,'2) : FALSE i('2,'1) : TRUE i('2,'2) : FALSE r('1,'1) : TRUE r('1,'2) : FALSE r('2,'1) : TRUE r('2,'2) : FALSE s('1) = '2 s('2) = '1 This is an abstraction of the original system, which has an infinite amount of states!

12
Summary Traditional view Proof ~ system correct Counter model ~ system incorrect Dual view Proof ~ system incorrect Model ~ system correct

13
Problem to FOL Mapping formula contradiction (proof) satisfiable (model) infinite domain finite domain ? Hard

14
Natural Mapping? Traditional Correctness ~ proof Needs induction/meta-reasoning Hard Incorrectness ~ bug trace Finding a model Hard conceptually easy conceptually hard

15
Natural Mapping Dual View Incorrectness ~ proof Finding bug trace is easy Proof is easy Correctness ~ model Correctness is hard Finding model is hard

16
informal formal Verification w/ Dual View System Under Verification Expected/Wanted Property formula S formula P M|=S&P? one intended model ~ all behaviors of system model ~ system satisfying the property counter proof model s reachable iff. r(s) provable ¬r(s bad )

17
Summary Dual View reachability ~ provability correctness ~ unreachability correctness ~ unprovability incorrectness ~ provability use model finder use theorem prover

18
Related Work Inductionless induction Traditional way of expressing puzzles in FOL Weidenbachs security protocols with SPASS finite-domain model finding

19
Process Calculus P ::= nilterminated process | f(e1,...,ek)call a process | P || Qparallell composition | P + Qchoice | e ! Psend | p ? Preceive synchronous + definitions

20
Example % server server = req ? rel ? server % clients clients = client || client || client client = req ! doit doit = rel ! client % top level top = server || clients

21
Translation into FOL Each process is a FOL term A set of processes is also a FOL term A reachability predicate r(P) Some general axioms about nil, ||, + Initial state axiom r(top) Property is written directly in FOL

22
Process Calculus P ::= nilterminated process | f(e1,...,ek)call a process | P || Qparallell composition | P + Qchoice | e ! Psend | p ? Preceive Syntactically, FOL terms already Special treatment

23
General Axioms (FOL) % parallel composition (P || Q) || R = P || (Q || R). P || Q = Q || P. P || nil = P. % choice r( (P + Q) || R ) r( P || R ). r( (P + Q) || R ) r( Q || R ).

24
Definition restriction Each receive construct needs to have its own definition

25
Example % server server = req ? rel ? server % clients clients = client || client || client client = req ! doit doit = rel ! client % top level top = server || clients

26
Example, fixed % server server = req ? waiting waiting = rel ? server % clients clients = client || client || client client = req ! doit doit = rel ! client % top level top = server || clients

27
Definition Translation f(x1,...,xk) = t f(X1,...,Xk) = t. f(x1,...,xk) = p ? t r( f(X1,...,Xk) || (p ! P) || Q ) r( t || P || Q ).

28
Example in FOL % server r( server || (req ! P) || Q ) r( waiting || P || Q ). r( waiting || (rel ! P) || Q ) r( server || P || Q ). % clients clients = client || client || client. client = req ! doit. doit = rel ! client. % top level top = server || clients.

29
Property % bad state -r( doit || doit || P ). Model with domain size 3 So, bad states are unreachable

30
Model? What is a model? A domain (a set) Interpretations for functions/predicates What does it mean? For each concrete state s, we can calculate M(r(s)) Overapproximation of reachability Bad state: M(r(s bad )) = FALSE Model is an abstraction

31
Example, infinite % server server = req ? waiting waiting = rel ? server % clients clients = client || clients client = req ! doit doit = rel ! client % top level top = server || clients

32
Process Calculus P ::= nilterminated process | f(e1,...,ek)call a process | P || Qparallell composition | P + Qchoice | e! send | p ? Preceive | new x. Pnew objects asynchronous

33
Example % server server = req(A) ? (ack(A)! || waiting(A)) waiting(A) = rel(A) ? server % clients clients = (new A. client(A)) || clients client(A) = req(A)! || doit(A) doit(A) = ack(A) ? (rel(A)! || client(A)) % top level top = server || clients

34
Example in FOL % server r( server || req(A)! || Q ) r( ack(A)! || waiting(A) || Q ). r( waiting(A) || rel(A)! || Q ) r( server || Q ). % clients r( clients || P ) r( client(new(P)) || clients || P ). client(A) = req(A)! || doit(A). r( doit(A) || rel(A)! || P ) r( rel(A)! || client(A) || P ). % top level top = server || clients.

35
Property % bad state -r( doit(A) || doit(B) || P ). Model with domain size 3

36
Conclusions Dual View Benefit Can work in practice (security protocols) Has tighter fit with actual problem Works for all computation! Disadvantages Careful axiomatizations Danger of infinite models FOL proving ~ computing

37
Other constructs Higher-order calculi Processes are just terms, like messages Channels Use the idea behind the new construct Unbounded queues Messages with sender and receiver Tag send construct with extra information

38
Paradox Finite-domain model finder Finds finite domain Finds interpretations Full pure first-order logic Constants, functions, predicates Quantifiers Equality (Untyped) Winner of CASC 2003,2004,2005,2006

39
FOL Decidability formula contradiction (proof) satisfiable (model) infinite domain finite domain ? Hard

40
Paradox Applications Satisfiability Proof wont go trhough Bad state is unreachable Model Math: group theory, algebra Counter example Abstraction Decision procedure For FOL with finite domains

41
Paradox Overview FOL problem ClausifierFlattener Instantiate SAT Solver n:=n+1 n:=1 no yes MiniSat (Sörensson, Eén)

42
FOL Clause Examples -p(X,Y) | -p(Y,Z) | p(X,Z) h(X,h(Y,Z)) = h(h(X,Y),Z) X = Y | -(f(X) = f(Y))

43
Connection with SAT-world Pick domain D Only size matters D = {1,2,3,..,n} Introduce SAT variables p(i,j) (for i, j in D) f(i,j)=k(for i, j, k in D) Re-express FOL clauses

44
Flattening: Definitions -p(X,Y) | -p(Y,Z) | p(X,Z) Already flattened h(X,h(Y,Z)) = h(h(X,Y),Z) -(h(Y,Z) = U) | -(h(X,Y) = V) | -(h(X,U) = W) | h(V,Z) = W X = Y | -(f(X) = f(Y)) X = Y | -(f(X) = V) | -(f(Y) = V)

45
Extra Axioms for Functions Result should be unique -(f(X,Y) = V) | -(f(X,Y) = W) | V = W Function should be total f(X,Y) = 1 | f(X,Y) = 2 |... | f(X,Y) = n Only for domain size n

46
Instantiation (n=3) X = Y | -(f(X) = V) | -(f(Y) = V) 1 = 1 | -(f(1) = 1) | -(f(1) = 1) 1 = 1 | -(f(1) = 2) | -(f(1) = 2) 1 = 1 | -(f(1) = 3) | -(f(1) = 3) 1 = 2 | -(f(1) = 1) | -(f(2) = 1) 1 = 2 | -(f(1) = 2) | -(f(2) = 2) 1 = 2 | -(f(1) = 3) | -(f(2) = 3) 1 = 3 | -(f(1) = 1) | -(f(3) = 1) 1 = 3 | -(f(1) = 2) | -(f(3) = 2) 1 = 3 | -(f(1) = 3) | -(f(3) = 3)...

47
Instantiation (n=3) X = Y | -(f(X) = V) | -(f(Y) = V) 1 = 1 | -(f(1) = 1) | -(f(1) = 1) 1 = 1 | -(f(1) = 2) | -(f(1) = 2) 1 = 1 | -(f(1) = 3) | -(f(1) = 3) 1 = 2 | -(f(1) = 1) | -(f(2) = 1) 1 = 2 | -(f(1) = 2) | -(f(2) = 2) 1 = 2 | -(f(1) = 3) | -(f(2) = 3) 1 = 3 | -(f(1) = 1) | -(f(3) = 1) 1 = 3 | -(f(1) = 2) | -(f(3) = 2) 1 = 3 | -(f(1) = 3) | -(f(3) = 3)...

48
Incremental SAT: Assumptions FOL problem ClausifierFlattener Instantiate SAT Solver n:=n+1 n:=1 no yes Under the assumption of totalness for size n

49
Complexity Instantiation Domain size n Number of variables per clause k O(n k ) Typically, 1 n 10 k ~ number of (distinct) subterms in clause

50
Splitting -(h(Y,Z) = U) | -(h(X,Y) = V) | -(h(X,U) = W) | h(V,Z) = W 6 variables: O(n 6 ) -(h(Y,Z) = U) | -(h(X,Y) = V) | s(X,Z,U,V) -(h(X,U) = W) | h(V,Z) = W | -s(X,Z,U,V) New predicate s 2 x 5 variables: O(n 5 )

51
Splitting Algorithm X V Z U W Y

52
X V Z U W Graph tree- decomposition

53
Other Techniques Cliques Pre-assign domain values Symmetry reduction All permutations are also a model Force a particular permutation Type inference Some types can have smaller domains Apply symmetry reduction for each type

54
General Results Good splitting is vital for feasibility Term-based splitting Variable splitting Symmetry reduction Makes SAT problem easier Type inference and domain reduction Makes some problems feasible

55
Typical Behavior Domain sizes 6,7,8 No problem Degree 5 Domains up to size 20

56
Using Paradox in the Dual View Increase possibility For finite models For small models For small representations of models Give freedom … To do as much as possible with as few domain elements as possible

57
Example: Unbounded Channels % queues cat(empty,Q) = Q & cat(Q,empty) = Q. cat(Q1,cat(Q2,Q3)) = cat(cat(Q1,Q2),Q3). % initial state r( stateA, empty, stateP, empty). % state transitions r( stateA, Q1, S2, cat(unit(a), Q2) ) r( stateB, cat(Q1, unit(b)), S2, Q2 ).... AB ?a !b PQ !a ……

58
A Possible Model … Must give one interpretation to cat, empty, unit So, only one abstraction is used for both queues! This makes the model more complicated Larger domain Possibly infinite!

59
Trick 1: Copy Symbols & Axioms % queues cat1(empty1,Q) = Q & cat1(Q,empty1) = Q. cat1(Q1,cat1(Q2,Q3)) = cat1(cat1(Q1,Q2),Q3). cat2(empty2,Q) = Q & cat2(Q,empty2) = Q. cat2(Q1,cat2(Q2,Q3)) = cat2(cat2(Q1,Q2),Q3). % initial state r( stateA, empty1, stateP, empty2). % state transitions r( stateA, Q1, S2, cat2(unit2(a), Q2) ) r( stateB, cat1(Q1, unit1(b)), S2, Q2 )....

60
Copying Axioms? Feels silly Build into the model finder primitively

61
Example: Types % queues cat1(empty1,Q) = Q & cat1(Q,empty1) = Q. cat1(Q1,cat1(Q2,Q3)) = cat1(cat1(Q1,Q2),Q3). cat2(empty2,Q) = Q & cat2(Q,empty2) = Q. cat2(Q1,cat2(Q2,Q3)) = cat2(cat2(Q1,Q2),Q3). % initial state r( stateA, empty1, stateP, empty2). % state transitions r( stateA, Q1, S2, cat2(unit2(a), Q2) ) r( stateB, cat1(Q1, unit1(b)), S2, Q2 ).... : queue(mess1) : queue(mess2) : state2: state1 : mess2 : mess1

62
Untyped? Use same domain for each type Is not the real problem Using same domain size is If one concept needs extra room in model Then all concepts pay for that Instantiation is sensitive to domain size

63
Trick 2: Allow per-type domain size Who decides the types? Given by the user Inferred by the tool Who decides the domain sizes? Search? In what order? Trick 1 improves on trick 2 More types, more freedom

64
Multiple Domains FOL problem ClausifierFlattener Instantiate SAT Solver n i :=n i +1 n 1 :=1,n 2 :=1,n 3 :=1 no yes why? pick i Under the assumption of totalness for sizes n 1,n 2,n 3 MiniSat extension: conflict clause = subset of assumptions

65
Example: Arity-reduction % initial state r( stateA, stateP, stateX, stateV, empty12, empty13, empty14, empty21, empty23, empty24, empty31, empty32, empty34, empty41, empty42, empty43 ). % state transitions... Building this predicate table: n=1: 1^16 n=2: 2^16 n=3: 3^16

66
Trick 3: Introducing tupling Instead of writing p(X,Y,Z,A,B,C) p(tup1(X,Y,Z),tup2(A,B,C)) p(tup1(X,Y),tup2(Z,A),tup3(A,C)) p(tup1(X,A),tup2(Y,B),tup3(Z,C)) Types change: tup1 : (A,B) T Worst-case: |T| = |A| x |B| Better cases: |T| << |A| x |B| Information-coupling Automation… ?

67
Tricks Multiple interpretations Several similar symbols Copy axiomatization Multiple domain sizes Feedback from incremental SAT-solver Arity-reducing transformations Feasibility of building the model

68
Results Abstractions of finite systems Visualization Abstraction refinement Abstractions of infinite systems Works surprisingly often Techniques for reducing needed size Techniques for infinite finite security protocols communication protocols distributed systems puzzles

69
Conclusions Explore Dual View Interesting and intriguing Finite models Abstractions Push boundaries Unbounded queues: not many techniques known Tricks work also for other problems TPTP

70
Future Work Characterize when it works Techniques for making it work Infinite model finding Saturation techniques SMT Approximation models Using the models

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google