Evidence-Based Verification Li Tan Computer Science Department Stony Brook April 2002.

Outline
Part I: Evidence-based verification
  1. Motivations
  2. The general framework
  3. Applications
Part II: Evidence-based model checking
  1. Checker-independent evidence for model checking
  2. Extracting the evidence from existing model checkers
  3. Post-model-checking analyses based on the evidence
     a. Efficiently certifying model-checking results
     b. Constructing a winning strategy for the model-checking game
     c. Evaluating the quality of the model-checking process
  4. A prototype on the Concurrency Workbench (CWB-NC)

Verification
Automatic verification decides whether or not a transition system satisfies a property.
Successful applications (at Stony Brook alone): checking communication protocols, mechanical designs, medical devices, an anti-lock braking system, etc.
The verification algorithm (the checker) works as a decision procedure for the problem, but a bare "Yes/No" may not satisfy users:
- Why does my design go wrong?
- Could my design satisfy the property trivially?
- Can I trust the verification result?

Problems with Traditional Diagnostic Generation
Diagnosis is about understanding the result. A diagnostic routine may either perform its own reasoning or reuse the proof already computed by a checker.
- The diagnostic routine is tightly geared to the structure of the checker: implementing it requires understanding the checker, and migrating a diagnostic routine onto another checker often requires major changes to both the routine and the checker.
- The proof used for one diagnostic schema may not be usable for a different schema.
- There is no additional checking of the verification result itself.

[Figure: checkers 1..n each emit a portable proof of correctness; a verifier either accepts it or rejects it as an invalid proof, and diagnostic schemas 1..m consume it.] Let the result carry its own proof.

The General Framework
- Define Abstract Proof Structures (APS) as portable evidence: an APS encodes the proof structures of different checkers in a standard form and carries the evidence that justifies the result.
- Extract APSs from existing checkers.
- Use APSs to perform diagnoses: certifying the verification result, generating diagnostic information, and evaluating the quality of the verification process.

Requirements
- APSs can be extracted from existing checkers, and the extraction should not affect the complexity of the checkers.
- The consistency of an APS can be verified efficiently: the time and space complexity of certifying an APS should not exceed that of the checker producing it.
- A variety of diagnoses can be performed using APSs.
- APSs should be defined for the three major approaches to verification: model checking, equivalence checking, and preorder checking.

Evidence-Based Model Checking: a Sub-framework
Background of model checking: decide $T \models \phi$.
- $T$ is modeled as a Kripke structure $T = \langle S, s_I, \rightarrow, V \rangle$: $S$ is the set of states with the starting state $s_I \in S$; $\rightarrow \subseteq S \times S$ is the transition relation; $V : A \rightarrow 2^S$ is an evaluation for the atomic propositions $A$.
- $\phi$ is encoded in some temporal logic, e.g. the CTL formula $AG(a \Rightarrow AF\, b)$.
- The model-checking problem can be encoded as a Boolean equation system.

Fixpoint Equation System: Syntax
Given a set of variables $\mathcal{X}$ and a complete lattice $\langle H, < \rangle$, an equation system is a sequence $E = (\sigma_1 X_1 = f_1, \ldots, \sigma_n X_n = f_n)$ where
- $\sigma_i \in \{\mu, \nu\}$ is a (least, greatest) fixpoint operator;
- $f_i : H^{\mathcal{X}} \rightarrow H$ is monotonic;
- $\rho \in H^{\mathcal{X}}$ is an environment for $E$, and $\langle H^{\mathcal{X}}, \sqsubseteq \rangle$ (the pointwise order) is a complete lattice;
- $\rho[X/h]$ maps $X \in \mathcal{X}$ to $h \in H$ and agrees with $\rho$ elsewhere.
Denote by $E^{(k)}$ the tail of $E$ starting from the $k$-th equation.

Equation System: Semantics
$[\![E]\!] : H^{\mathcal{X}} \rightarrow H^{\mathcal{X}}$ is a function on environments.

Boolean (Fixpoint) Equation System
Syntax: $H = \langle \{0, 1\}, < \rangle$ is the Boolean lattice, so an environment $\rho \in 2^{\mathcal{X}}$ can be viewed as a set (the variables mapped to 1). Each right-hand side is a disjunction $\bigvee \mathcal{X}_i$ or a conjunction $\bigwedge \mathcal{X}_i$ of variables. $E$ is closed if every $X \in \mathcal{X}_i$ also appears as a left-hand-side variable.
For a closed $E$, $[\![E]\!](\rho_1) = [\![E]\!](\rho_2)$ for any $\rho_1, \rho_2 \in H^{\mathcal{X}}$, so we write $[\![E]\!]$ for $[\![E]\!](\rho)$; $[\![E]\!](X)$ assigns $X$ a Boolean value.

Model Checking via BES
BES $E$ = Kripke structure $T$ + property $\phi$; $E$ is closed.
- A variable $X$ in the BES stands for a pair $\langle s, \phi' \rangle$ of a state and a subformula, and $[\![E]\!](X) = 1$ iff $s \models_T \phi'$.
- Many checkers (implicitly) construct BESs: for a $\mu$-calculus checker, BES = $T$ + $\mu$-calculus formula; for an automaton-based checker, BES = parity automaton.
- $E$ can be constructed on-the-fly.
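As an added example (not code from Li Tan's slides or the CWB-NC prototype), the following Python builds a Kripke structure of the kind described on the Background slide, encodes $T \models AG(a \Rightarrow AF\, b)$ as a closed Boolean equation system in the $\sigma X = \bigvee\mathcal{X}' / \bigwedge\mathcal{X}'$ form used above, and solves it by nested fixpoint iteration with the outermost equation first, which is the semantics $[\![E]\!]$ of the preceding slides made concrete. The sample model, the variable-naming scheme (a variable $\langle s, \phi' \rangle$ is written as the subformula's letter followed by the state) and all function names are mine; the translation of AG into a $\nu$-equation and AF into a $\mu$-equation is the standard one and is not spelled out on the slides.

```python
# Added example, not code from the slides: encode T |= AG(a => AF b) as a
# closed Boolean equation system (BES) and solve it by nested fixpoint
# iteration. Function and variable names are my own.

# An equation is (sigma, name, op, operands): sigma in {"mu", "nu"} is the
# fixpoint operator, op in {"or", "and"} says whether the right-hand side is
# a disjunction or conjunction of the variables in operands. An empty "or"
# is the constant 0 and an empty "and" the constant 1. Equations are listed
# outermost (shallowest) first, as on the slides.

def eval_rhs(op, operands, env):
    """Evaluate a right-hand side under an environment env: var -> 0/1."""
    vals = [env[v] for v in operands]
    return int(any(vals)) if op == "or" else int(all(vals))


def solve_bes(eqs, i=0, env=None):
    """Return the environment [[E]] for a closed BES.

    Solves the tail E^(i) given values for the shallower variables in env.
    The value of X_i is the sigma_i-fixpoint of h -> f_i([[E^(i+1)]](env[X_i/h])),
    computed by Kleene iteration from the bottom (mu: 0) or top (nu: 1) of the
    Boolean lattice. Exponential in the nesting depth, but exact."""
    env = {} if env is None else env
    if i == len(eqs):
        return env
    sigma, x, op, operands = eqs[i]
    h = 0 if sigma == "mu" else 1
    while True:
        inner = solve_bes(eqs, i + 1, {**env, x: h})   # solve deeper equations under X_i = h
        h_next = eval_rhs(op, operands, inner)
        if h_next == h:                                 # fixpoint reached
            return inner
        h = h_next


def make_bes(states, succ, labels):
    """BES for T |= AG(a => AF b); the variable <s, phi'> is named phi'+state.

    G_s  (nu): AG(a => AF b) at s   = I_s and all G_t, t in succ(s)
    I_s  (nu): a => AF b at s       = 1 if a is false at s, else F_s
    F_s  (mu): AF b at s            = 1 if b holds at s, else N_s
    N_s  (mu): AX AF b at s         = all F_t, t in succ(s)   (no successors -> 1)
    """
    eqs = []
    for s in states:
        eqs.append(("nu", f"G{s}", "and", [f"I{s}"] + [f"G{t}" for t in succ[s]]))
    for s in states:
        eqs.append(("nu", f"I{s}", "and", []) if "a" not in labels[s]
                   else ("nu", f"I{s}", "or", [f"F{s}"]))
    for s in states:
        eqs.append(("mu", f"F{s}", "and", []) if "b" in labels[s]
                   else ("mu", f"F{s}", "or", [f"N{s}"]))
        eqs.append(("mu", f"N{s}", "and", [f"F{t}" for t in succ[s]]))
    return eqs


# Constructed sample Kripke structure T: states S, transitions ->, labelling V.
STATES = [0, 1, 2, 3]
SUCC = {0: [1, 2], 1: [3], 2: [2], 3: [3]}
LABELS = {0: set(), 1: {"a"}, 2: {"a"}, 3: {"b"}}


def model_check(states, succ, labels, init=0):
    """Return ([[E]](G_init), [[E]]): the first component is 1 iff init |=_T AG(a => AF b)."""
    solution = solve_bes(make_bes(states, succ, labels))
    return solution[f"G{init}"], solution


if __name__ == "__main__":
    verdict, sol = model_check(STATES, SUCC, LABELS)
    print("s0 |= AG(a => AF b):", verdict)   # 0: state 2 satisfies a and loops without reaching b
    print({v: sol[v] for v in sorted(sol) if v.startswith("F")})
```

On the constructed model the initial state fails the property because state 2 carries $a$ and loops forever without reaching $b$; redirecting that loop to state 3 makes the answer 1. A model in which $a$ never holds also yields 1, which is the trivially-true case that Application III below is concerned with.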

Evaluating an Equation System: an Example

Support Set

Support Set (continued)
- By (a) and (b), a support set implies a fixpoint solution for $E$.
- By (c), a support set respects the definition of least and greatest fixpoints: if $r = 1$ there is no bad loop (one whose shallowest variable is a $\mu$-variable) within it; if $r = 0$ there is no good loop (one whose shallowest variable is a $\nu$-variable) within it.
Theorem 1 [TanCle02]. Let $\Xi = \langle r, X_0, \xi \rangle$ be a support set for $E$; then $[\![E]\!](X_0) = r$.

Extracting Support Sets
The extraction is
- practical: support sets can be extracted from a wide range of existing checkers, namely the Boolean-graph algorithm [And92], the linear alternation-free algorithms [CleSte91], the on-the-fly algorithms for the full $\mu$-calculus LAFP [LRS98] and SLP [TanCle02b], and automaton-based model checkers ([BhaCle96a] and [KVW00]);
- efficient: the overhead does not exceed the original complexities of these checkers;
- simple: it only requires recording the dependency relations.

Application I: Certifying Model-Checking Results
- Checking (a) and (b) can be done in linear time.
- Checking (c) can be reduced to the even-loop problem (an $n \log n$ problem [KKV01]).
- Model checking is an NP $\cap$ co-NP problem [EmeJutSis93].
- The cost of certifying results < the cost of model checking.

Application II: the Model-Checking Game
Semantics: decide $[\![E]\!](X_0)$ for $E$.
Two players: I (asserting $[\![E]\!](X_0) = 0$) and II (asserting $[\![E]\!](X_0) = 1$).
A play is a sequence $\pi = X_{p_0} X_{p_1} \cdots$ such that $X_{p_0} = X_0$ and
- if $(\sigma_{p_i} X_{p_i} = \bigvee \mathcal{X}') \in E$, then II chooses $X_{p_{i+1}} \in \mathcal{X}'$;
- if $(\sigma_{p_i} X_{p_i} = \bigwedge \mathcal{X}') \in E$, then I chooses $X_{p_{i+1}} \in \mathcal{X}'$.
II wins $\pi$ iff
- it is I's turn but I has no choice ($\mathcal{X}' = \emptyset$), or
- the shallowest variable visited infinitely often by $\pi$ is a $\nu$-variable.

MC Game as a Diagnostic Routine
The MC game is a fair game:
- $[\![E]\!](X_0) = 1 \Rightarrow$ II has a winning strategy;
- $[\![E]\!](X_0) = 0 \Rightarrow$ I has a winning strategy.
Two physical players: the computer and the user. When the model-checking result is
- Yes $\Rightarrow$ the computer plays as II while the user plays as I;
- No $\Rightarrow$ the computer plays as I while the user plays as II.
The user always loses if the MC result is correct and the computer uses the right strategy.

Constructing the Winning Strategy for the Computer
Given $\langle r, X_0, \xi \rangle$ as a support set for $E$, the computer keeps the play $\pi = X_{p_0} X_{p_1} \cdots$ within the support set:
- if $r = 1$ and $\sigma_{p_i} X_{p_i} = \bigvee \mathcal{X}'$, then the computer (as II) chooses $X_{p_{i+1}} \in \xi(X_{p_i}) \cap \mathcal{X}'$;
- if $r = 0$ and $\sigma_{p_i} X_{p_i} = \bigwedge \mathcal{X}'$, then the computer (as I) chooses $X_{p_{i+1}} \in \xi(X_{p_i}) \cap \mathcal{X}'$.
The strategy is feasible: $\xi(X_{p_i})$ is defined whenever it is the computer's turn. The strategy is a winning strategy for the computer.
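Pulling the Support Set, Application I and Application II slides together, here is an added Python example (mine, not from the slides or the CWB-NC prototype) that certifies a candidate support set $\langle r, X_0, \xi \rangle$ for a small constructed BES and then uses the certified set as the computer's strategy in the game just described. The slide that defines conditions (a), (b) and (c) is not in this transcript, so the three checks are my reading of what the Support Set slide says they guarantee: local consistency of each $\xi(X)$ with its equation, closure of the domain, and the loop condition on the shallowest variable of every cycle. The loop check is the plain quadratic one rather than the $n \log n$ even-loop reduction cited on the certification slide, the support sets are written by hand rather than extracted from a checker, and the equation representation and all names are assumptions.

```python
# Added example, not code from the slides: certify a candidate support set
# for a Boolean equation system and turn it into the computer's strategy
# for the model-checking game. Representation and names are my own, and the
# checks (a)-(c) are my formulation of what the Support Set slide says a
# support set guarantees, since the defining slide is not in the transcript.

# Equation: (sigma, name, op, operands); lower index = shallower (outer).
# Constructed closed BES with [[E]](X0) = 1: X3 is the constant 1, X1 is
# the least solution of X1 = X3 or X1, and X0/X2 form a nu-cycle.
E = [
    ("nu", "X0", "and", ["X1", "X2"]),
    ("mu", "X1", "or",  ["X3", "X1"]),
    ("nu", "X2", "or",  ["X0"]),
    ("nu", "X3", "and", []),              # conjunction of nothing = 1
]

# Candidate support sets <r, X0, xi>: GOOD justifies X1 through X3; BAD lets
# X1 justify itself, a loop whose shallowest variable is a mu-variable.
GOOD = (1, "X0", {"X0": {"X1", "X2"}, "X1": {"X3"}, "X2": {"X0"}, "X3": set()})
BAD = (1, "X0", {"X0": {"X1", "X2"}, "X1": {"X1"}, "X2": {"X0"}, "X3": set()})


def certify(eqs, support):
    """Return (ok, reason). Checks, in the order of the certification slide:
    (a) each xi(X) is consistent with X's equation: for r=1 an or-variable
        names exactly one disjunct and an and-variable all conjuncts; for
        r=0 the roles swap (one conjunct, all disjuncts);
    (b) closure: X0 and everything named in some xi(X) lie in dom(xi);
    (c) loop condition on the graph X -> xi(X): the shallowest variable of
        every cycle is a nu-variable if r=1 (no bad mu-loop) and a
        mu-variable if r=0 (no good nu-loop). Plain O(n^2) check, not the
        n log n even-loop reduction cited on the slide."""
    r, x0, xi = support
    idx = {eq[1]: i for i, eq in enumerate(eqs)}
    by_name = {eq[1]: eq for eq in eqs}
    if x0 not in xi:
        return False, "(b) X0 is not in dom(xi)"
    for x, deps in xi.items():
        sigma, _, op, operands = by_name[x]
        picks_one = (op == "or") == (r == 1)   # node where the r-asserting player moves
        if picks_one and not (len(deps) == 1 and deps <= set(operands)):
            return False, f"(a) {x} must name exactly one operand"
        if not picks_one and deps != set(operands):
            return False, f"(a) {x} must name all of its operands"
        if not deps <= set(xi):
            return False, f"(b) {x} depends on a variable outside dom(xi)"
    bad = "mu" if r == 1 else "nu"
    for x in xi:
        # Does x lie on a cycle through variables no shallower than itself?
        seen, stack = set(), list(xi[x])
        while stack:
            y = stack.pop()
            if idx[y] < idx[x] or y in seen:
                continue
            if y == x:
                if by_name[x][0] == bad:
                    return False, f"(c) loop whose shallowest variable {x} is a {bad}-variable"
                break
            seen.add(y)
            stack.extend(xi[y])
    return True, "consistent support set"


def computer_move(eqs, support, x):
    """Computer's choice at x (the one variable xi(x) singles out), or None when it is the user's turn."""
    r, _, xi = support
    _, _, op, operands = next(eq for eq in eqs if eq[1] == x)
    if (op == "or") == (r == 1):
        (choice,) = xi[x] & set(operands)
        return choice
    return None


def play(eqs, support, user_policy):
    """Play from X0 against user_policy(x, operands) -> variable or None.
    II asserts 1 and moves at or-nodes, I asserts 0 and moves at and-nodes;
    the computer is II iff r = 1. Returns (winner, play): a mover with no
    choice loses, and a repeated variable closes a loop that is decided by
    its shallowest variable (nu -> II wins, mu -> I wins)."""
    r, x0, _ = support
    idx = {eq[1]: i for i, eq in enumerate(eqs)}
    by_name = {eq[1]: eq for eq in eqs}
    computer = "II" if r == 1 else "I"
    seq = [x0]
    while True:
        sigma, _, op, operands = by_name[seq[-1]]
        mover = "II" if op == "or" else "I"
        nxt = (computer_move(eqs, support, seq[-1]) if mover == computer
               else user_policy(seq[-1], operands))
        if nxt is None:
            return ("I" if mover == "II" else "II"), seq
        if nxt in seq:
            loop = seq[seq.index(nxt):]
            top = min(loop, key=idx.__getitem__)
            return ("II" if by_name[top][0] == "nu" else "I"), seq + [nxt]
        seq.append(nxt)


if __name__ == "__main__":
    print(certify(E, GOOD))
    print(certify(E, BAD))
    # The user (player I) steers into the X0/X2 cycle; its shallowest variable X0 is nu, so II wins.
    print(play(E, GOOD, lambda x, ops: ops[-1] if ops else None))
```

The BAD set passes (a) and (b), since X1 is genuinely one of its own disjuncts, and is rejected only by (c): a $\mu$-variable justifying itself is exactly the self-supporting loop that a least fixpoint forbids. With the GOOD set the computer never leaves $\xi$: whichever conjunct the user picks at X0, the play either gets stuck at X3 on the user's turn or closes the $\nu$-dominated X0/X2 cycle.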

Evaluating an Equation System: an Example

Application III: Evaluating the Quality of MC
A positive result may hide a problem: $T$ may pass $AG(a \Rightarrow AF\, b)$ trivially because $a$ never occurs in $T$.
- Is the status of a state (Minicoverage [CKV01]) or of a subformula (Vacuity [KV99]) irrelevant to the result?
- Coverage problem for support sets: has the support set covered all the states and subproperties?

A Prototype on CWB-NC

Conclusion
- Checkers produce abstract proof structures (APSs) as evidence.
- An APS is independent of the checker, and extracting it does not affect the checker's complexity.
- An APS justifies the correctness of the result and attests to the quality of the verification.
- A wide range of diagnostic information can be built on this evidence.
- APSs are defined for model checking, equivalence checking, and preorder checking.