
Slide 1: Invisible Invariants: Underapproximating to Overapproximate
Ken McMillan, Cadence Research Labs

Slide 2: Invisible Invariants
- Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001).
- Parameterized Verification with Automatically Computed Inductive Assertions, T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck (CAV 2001).
- Liveness with Invisible Ranking, Y. Fang, N. Piterman, A. Pnueli, and L. Zuck (VMCAI 2004).
- IIV: An Invisible Invariant Verifier, I. Balaban, Y. Fang, A. Pnueli, and L. D. Zuck (CAV 2005).

Slide 3: Parameterized Systems
Suppose we have a parallel composition of N (finite state) processes, where N is unknown: $P_1 \parallel P_2 \parallel P_3 \parallel \ldots \parallel P_N$.
Proofs require auxiliary constructs, parameterized on N:
- for safety, an inductive invariant;
- for liveness, say, a ranking.
Pnueli et al., 2001: derive these constructs for general N by abstracting from the mechanical proof of a particular N.
- Surprising practical result: under-approximations can yield over-approximations at the fixed point.
- Subtle implementation: proofs can be done entirely using finite-state model checking, without explicitly generating the auxiliary constructs (hence "invisible" invariants).

Slide 4: Recipe for an invariant
1. Compute the reachable states $R_N$ for fixed N (say, N = 5).
2. Project onto a small subset of processes (say 2): $\psi = \{(s_1, s_2) \mid \exists (s_1, s_2, \ldots) \in R_N\}$.

Slide 5: Recipe for an invariant (continued)
3. Generalize from 2 to N, to get $G_N = \bigwedge_{i \ne j \in [1..N]} \psi(s_i, s_j)$.
4. Test whether $G_N$ is an invariant for all N: $\forall N.\ G_N \Rightarrow \mathbf{X}\, G_N$ (where $\mathbf{X}$ is the next-state operator).

Slide 6: Checking inductiveness
This problem: $\forall N.\ G_N \Rightarrow \mathbf{X}\, G_N$ can be reduced to this problem: $G_M \Rightarrow \mathbf{X}\, G_M$, where M is a fixed number.
Inductiveness is equivalent to validity of this formula: $G_N \wedge T \Rightarrow G'_N$, where T is the transition relation.
Small model theorem:
- If there is a countermodel with N > M, there is a countermodel with N = M.
- Suffices to check inductiveness for N ≤ M.
Thus, both the invariant generation and the invariant checking amount to finite-state model checking.

Slide 7: SMT (small model theorem) example
Allow the following variables V:
- N: natural > 1
- $x_1, \ldots, x_a$: boolean
- $y_1, \ldots, y_b$: [1..N]
- $z_1, \ldots, z_c$: array [1..N] of boolean
Some parameters i, j ranging over [1..N].
An R-atom is $x_i$ or $z_i[v]$ or $v = w$, where v, w are integer vars/params.
An R-assertion is a first-order formula over R-atoms.
Example: $\forall i, j:\ i \ne j \Rightarrow \neg (z_1[i] \wedge z_1[j])$
Small model results:
- M depends mainly on the quantifier structure of $G_N$ and T.
- Example: if T has one universal and $G_N$ has two, then M = 2b + 3.

Slide 8: Invisible invariants and AI (abstract interpretation)
A logical language L provides an abstract domain.
The semantics of L is given by the concretization function $\gamma : L \to 2^S$.
Assuming L is finite and ∧-closed, we have an abstraction function: $\alpha(S) = \bigwedge \{ \phi \in L \mid S \subseteq \gamma(\phi) \}$. That is, $\alpha(S)$ is the most we can say about the set S in L.
Abstract domain for invisible invariants: L is the formulas of the form $\forall i, j \in [1..N].\ \phi$, where $\phi$ is a quantifier-free formula over R-atoms. In other words, L is our class of generalizations.

Slide 9: Abstraction function
The project-and-generalize operation computes the abstraction function.
An R-minterm is a conjunction of literals over R-atoms:
- every R-atom occurs exactly once;
- think of it as a truth assignment to the R-atoms;
- think of it as a local state, for a pair of processes (i, j).
Example: $i \ne j \wedge z_1[i] \wedge \neg z_1[j]$
For a set S of states of the N-process system, we have $\alpha_N(S) = \forall i, j.\ \bigvee_{s \in S} \alpha_N(s)$, where $\alpha_N(s) = \{ \phi \in \text{R-minterms} \mid s \models \exists i, j.\ \phi \}$ (the set of minterms read as their disjunction).
Note that computing $\alpha_N$ involves finitely many evaluations.

Slide 10: Invisible invariant construction
We construct the invariant guess by reachability and abstraction (figure: iterate the concrete transformer $\tau_N$ from the initial states until the fixpoint $R_N$ is reached, then apply $\alpha_N$ to obtain $G_N$).
Testing the invariant guess (figure: $G_N$ is checked against $\tau_N$; by the small model theorem (SMT), the check suffices if N ≥ M).

Slide 11: Invariant by AI
Abstract transformer: $\tau^\# = \alpha \circ \tau \circ \gamma$ (figure: iterate $\tau^\#$ from the abstraction of the initial states to its fixpoint).
Compute the strongest inductive invariant in L.
$\tau^\#$ is difficult to compute because of the unbounded quantifier.
For our particular L, this is called Indexed Predicate Abstraction.

Slide 12: Under-approximation
Amir's idea of generalizing finite instances suggests we can under-approximate the best abstract transformer $\tau^\# = \alpha \circ \tau \circ \gamma$ by its finite instance $\tau^\#_N = \alpha_N \circ \tau_N \circ \gamma_N$.
The small model theorem (SMT) implies that for N ≥ M, $\tau^\#$ and $\tau^\#_N$ are equivalent!
This has two consequences:
- For N ≥ M, we can compute $\tau^\#$ exactly by finite-state methods, without using a theorem prover.
- For N < M, we might still reach a fixed point that is inductive for all N...

Slide 13: Three methods
- A: $\mathrm{lfp}(\tau^\#)$, iterating $\tau^\# = \alpha \circ \tau \circ \gamma$.
- B: $\mathrm{lfp}(\tau^\#_N)$, iterating $\tau^\#_N = \alpha_N \circ \tau_N \circ \gamma_N$.
- C: $\alpha_N(\mathrm{lfp}(\tau_N))$, iterating the concrete $\tau_N$ to the fixpoint and abstracting once.
(figure: the result of C equals that of B if it is a fixpoint of $\tau^\#_N$; the result of B equals that of A if it is a fixpoint of $\tau^\#$.)
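The recipe of slides 4 to 6 and methods B and C of slides 12 and 13, worked through on a toy protocol. This is an added example, not code from the slides or from the IIV tool: the lock-based mutual-exclusion protocol, its state encoding and all function names are constructed here. The protocol uses only an x-type boolean and a z-type array from slide 7, so the R-atoms of a process pair are x, z[i], z[j] (with i ≠ j), and projecting onto pairs is exactly the α_N of slide 9 for this protocol. The small-model bound M is not computed; the example checks inductiveness at sizes 2 to 4, and which M the theorem gives for this transition relation is left as an assumption.

```python
from collections import deque
from itertools import product

# Constructed toy protocol: N processes competing for one lock.
#   x    - global boolean "the lock is held"                 (an x-type variable)
#   z[i] - per-process boolean "i is in its critical section" (a z-type array)
# A state is (x, z) with z a tuple of N booleans. One process i moves per step:
#   enter: if not x then x := True,  z[i] := True
#   leave: if z[i]  then x := False, z[i] := False

def initial(n):
    return (False, tuple([False] * n))

def successors(state):
    """All one-step successors of a state (the concrete transformer tau_N on one state)."""
    x, z = state
    for i in range(len(z)):
        if not x:                       # enter
            z2 = list(z)
            z2[i] = True
            yield (True, tuple(z2))
        if z[i]:                        # leave
            z2 = list(z)
            z2[i] = False
            yield (False, tuple(z2))

def reachable(n):
    """Step 1: explicit-state reachability, R_N = lfp(tau_N) for a fixed N."""
    init = initial(n)
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def project(states):
    """Step 2 / alpha_N: the R-minterms over x, z[i], z[j] (i != j) that some state
    in the set satisfies, i.e. psi = {(x, z[i], z[j]) | some state in the set}."""
    psi = set()
    for x, z in states:
        for i in range(len(z)):
            for j in range(len(z)):
                if i != j:
                    psi.add((x, z[i], z[j]))
    return frozenset(psi)

def generalize(psi):
    """Step 3: G_N = forall i != j . psi(x, z[i], z[j]), as a predicate on a state of any size."""
    def g(state):
        x, z = state
        n = len(z)
        return all((x, z[i], z[j]) in psi for i in range(n) for j in range(n) if i != j)
    return g

def all_states(n):
    """gamma_N: every concrete state of the N-process instance (2^(N+1) of them)."""
    for x in (False, True):
        for z in product((False, True), repeat=n):
            yield (x, z)

def inductive(g, n):
    """Step 4 at a fixed size n: G and T imply G', i.e. every successor of a G-state is a G-state."""
    for s in all_states(n):
        if g(s):
            for t in successors(s):
                if not g(t):
                    return False
    return True

def method_c(n):
    """Method C of slide 13: alpha_N(lfp(tau_N)), reach first and abstract once."""
    return project(reachable(n))

def method_b(n):
    """Method B of slide 13: lfp of the under-approximate abstract transformer
    tau#_N = alpha_N . tau_N . gamma_N, iterated from alpha_N(initial state)."""
    psi = project({initial(n)})
    while True:
        g = generalize(psi)
        post = {t for s in all_states(n) if g(s) for t in successors(s)}  # tau_N(gamma_N(psi))
        new = psi | project(post)                                          # join with alpha_N(...)
        if new == psi:
            return psi
        psi = new

if __name__ == "__main__":
    psi = method_c(3)                                 # sample at N = 3
    g = generalize(psi)
    print(sorted(psi))                                # the 4 minterms of the guess
    print(method_b(3) == psi)                         # methods B and C agree here
    print(all(inductive(g, n) for n in (2, 3, 4)))   # the guess is inductive at these sizes
    g2 = generalize(method_c(2))                      # sampling at N = 2 is too small:
    print(inductive(g2, 2), inductive(g2, 3))         # passes at N = 2, fails at N = 3
```

Sampling at N = 3 yields the four minterms (x, z[i], z[j]) in {(F,F,F), (T,T,F), (T,F,T), (T,F,F)}, i.e. "the lock is free and nobody is critical, or the lock is held and at most one process is critical", and the guess is inductive at every size tried. Sampling at N = 2 never sees the minterm (T,F,F) (a third process holding the lock), so the generalized guess is too strong: it is inductive at N = 2 but a third process breaks it. That is the point of the bound M on slide 6: the size at which inductiveness is checked has to be large enough, and an under-sized sample yields a guess that fails the test rather than an unsound proof.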

Slide 14: Shape analysis
Allow the following variables V:
- N: natural > 1
- $x_1, \ldots, x_a$: boolean
- $y_1, \ldots, y_b$: [1..N]
- $z_1, \ldots, z_c$: array [1..N] of boolean
- $p_1, \ldots, p_d$: array [1..N] of 1..N (pointers! allows abstraction of linked lists)
Add a reachability predicate $\mathit{rea}_p(i, j)$.
Example: $\forall i:\ \mathit{rea}_p(y_1, i) \Rightarrow z_1[i]$
Small model results are possible for limited cases.
- But if not, one can apply a theorem prover to test invariance.

Slide 15: Canonical shape graphs
Plans A, B or C can be used for any abstract domain L:
- we only need to define the finite concretization $\gamma_N$;
- for example, $\gamma_N$ might generate only concrete heaps up to size N.
(figure: a canonical shape graph with pointer variables $p_x$, $p_y$, the reachability predicates $\mathit{rea}_x$, $\mathit{rea}_y$, summary nodes, and null.)
$\gamma_N$ might allow just N concrete nodes for each summary node.
Each canonical graph corresponds to a logical formula [YRSW2003]:
- we can test inductiveness using a theorem prover.

Slide 16: Invisible shape graphs?
- A (figure: $\tau^\# = \alpha \circ \tau \circ \gamma$ applied to $\phi$, giving $\phi'$): use a model-generating prover to compute samples violating $\phi'$.
- B (figure: the finite instance $\tau_N$): use a SAT solver to compute bounded samples violating $\phi'$.
- C: compute all bounded concrete heaps (symbolically?), then abstract.
These methods require the theorem prover to be called just once, to test the fixpoint. Of course, the test may fail.

Slide 17: Conclusion
Invisible invariants suggest a general approach to abstract interpretation based on two ideas:
- Under-approximations can yield over-approximations at the fixed point. This is a bit mysterious, but observationally true.
- Computing the fixed point with under-approximations can use more lightweight methods, for example BDD-based model checking instead of a theorem prover.
To verify the fixed point, we need either the small model theorem or a theorem prover (but just once!).
Invisible invariants give a less reliable but much less expensive way to compute the least fixed point for a given abstract domain.

