Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A
Invisible Invariants Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001.) Parameterized Verification with Automatically Computed Inductive Assertions, T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck. (CAV 2001). Liveness with Invisible Ranking, Yi Fang, Nir Piterman, A. Pnueli and L. Zuck. (VMCAI'04). IIV: An Invisible Invariant Verifier, I.~Balaban, Y.~Fang, A.~Pnueli, and L.~D.~Zuck (CAV 2005)
Parameterized Systems Suppose we have a parallel composition of N (finite state) processes, where N is unknown P1P1P1P1 P2P2P2P2 P3P3P3P3 PNPNPNPN... Proofs require auxiliary constructs, parameterized on N – –For safety, an inductive invariant – –For liveness, say, a ranking Pnueli, et al., 2001: derive these constructs for general N by abstracting from the mechanical proof of a particular N. – –Surprising practical result: under-approximations can yield over- approximations at the fixed point. – –Subtle implementation: proofs can be done entirely using finite-state model checking, without explicitly generating the auxiliary constructs (hence invisible invariants).
Recipe for an invariant 1. Compute the reachable states R N for fixed N (say, N=5) ● ● ● ● ● 2. Project onto a small subset of processes (say 2) processes (say 2) ● ● = {(s 1,s 2 ) | 9 (s 1,s 2,...) 2 R N }
Recipe for an invariant 3. Generalize from 2 to N, to get G N 2. Project onto a small subset of processes (say 2) processes (say 2) ● ● ● ● ● N = {(s 1,s 2 ) | 9 (s 1,s 2,...) 2 R N } N G N = Æ i j 2 [1..N] (s i,s j ) 4. Test whether G N is an invariant for all N 8 N. G N ) X G N
Checking inductiveness This problem: 8 N. G N ) X G N... can be reduced to this problem: G M ) X G M... where M is a fixed number Inductiveness is equivalent to validity of this formula: G N Æ T ) G’ N Transition relation Small model theorem: – –If there is a countermodel with N>M, there is a countermodel with N=M – –Suffices to check inductiveness for N · M Thus, both the invariant generation and invariant checking amount to finite-state model checking.
SMT example Allow the following variables: N natural > 1 x 1,...,x a boolean y 1,...,y b [1..N] z 1,...,z c array [1..N] of boolean V = Some parameters i,j ranging over [1..N] An R-atom is x i or z i [v] or v = w, where v,w, are integer vars/params An R-assertion is a FO formula over R-atoms Example: 8 i,j: i j ) : (z 1 [i] Æ z 1 [j]) Small model results: – –M depends mainly on quantifier structure of G N and T – –Example: if T has one universal and G N has two, then M = 2b+3
Invisible invariants and AI A logical language L provides an abstract domain The semantics of L is given by the concretization function : L ! 2 S Assuming L is finite and Æ -closed, we have an abstract function: S) = Æ { 2 L | S µ ( ) } That is, (s) is the most we can say about set s in L L is the formulas of the form 8 i,j 2 [1..N] , where is a QF formula over R-atoms. Abstract domain for invisible invariants In other words, L is our class of generalizations
Abstraction function The project-and-generalize operation computes the abstraction function An R-minterm is a conjunctions of literals over R-atoms – –Every R-atom occurs exactly once – –Think of as a truth assignment to the R-atoms – –Think of as a local state, for a pair of processes (i,j) Example: i j Æ z 1 [i] Æ : z 1 [j] For a set S of states of the N-process system, we have N = 8 i,j. Ç s 2 S N (s) N (s) = { 2 R-minterms | s ² 9 i,j. } Note computing N involves finitely many evaluations
Invisible invariant construction We construct the invariant guess by reachability and abstraction NNNN NNNN NNNN NNNN NNNN NNNN = fixpoint = R N Testing the invariant guess ¶ GNGNGNGN NNNN ¶ NNNN GNGNGNGN SMT if N >= M NNNN GNGNGNGN
Invariant by AI Abstract transformer # t#t#t#t# = fixpoint Compute strongest inductive invariant in L t#t#t#t# t#t#t#t# t#t#t#t# is difficult to compute because of unbounded quantifier because of unbounded quantifier For our particular L, this is called Indexed Predicate Abstraction
Under-approximation Amir’s idea of generalizing finite instances suggests we can under- approximate the best abstract transformer # t#t#t#t# NNNN NNNN NNNN t#Nt#Nt#Nt#N SMT implies that for N >= M, that # and # N are equivalent! This has two consequences – –For N >= M, we can compute # exactly by finite-state methods, without using a theorem prover. – –For N < M, we might still reach a fixed point that is inductive for all N...
Three methods t#t#t#t# t#t#t#t# t#t#t#t# A lfp( # ) NNNN NNNN NNNN NNNN NNNN NNNN NNNN C N (lfp( N )) NNNN NNNN NNNN NNNN B lfp( # N ) NNNN NNNN NNNN NNNN NNNN NNNN if fp of # N then = if fp of # then =
Shape analysis Allow the following variables: Add a reachability predicate rea p (i,j) Example: 8 i: rea p (y 1,i) ) z 1 [i] Small model results possible for limited cases – –But if not, can apply theorem prover to test invariance N natural > 1 x 1,...,x a boolean y 1,...,y b [1..N] z 1,...,z c array [1..N] of boolean p 1,...,p d array [1..N] of 1..N V = Pointers! Allows abstraction of linked lists
Canonical shape graphs Plans A, B or C can be used for any abstract domain L –We only need to define the finite concretization N –For example, N might generate only concrete heaps to size N pxpxpxpx rea x pypypypy rea y rea x rea y null... N might allow just N concrete nodes for each summary node Each canonical graph corresponds to a logical formula [YRSW2003] – –We can test inductiveness using a theorem prover
Invisible shape graphs? t#t#t#t#A ’ ‘‘‘‘ Use model-generating prover to compute samples violating ’ NNNN NNNN NNNN B ‘‘‘‘ Use SAT solver to compute bounded samples violating ’ NNNN NNNN NNNN C... Compute all bounded concrete heaps (symbolically?) then abstract These methods require the theorem prover to be called just once to test the fixpoint. Of course, the test may fail.
Conclusion Invisible invariants suggest a general approach to abstract interpretation based on two ideas: –Under-approximations can yield over-approximations at the fixed point This is a bit mysterious, but observationally true –Computing the fixed point with under-approximations can use more light- weight methods For example, BDD-based model checking instead of a theorem prover To verify fixed point, need either an SMT or a theorem prover (but just once!) Invisible invariants give a less reliable but much less expensive way to compute the least fixed point for a given abstract domain.