Toward Unbounded Model Checking for Region Automata Fang Yu, Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan.

1 Toward Unbounded Model Checking for Region Automata Fang Yu, Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan

2 Introduction
Symbolic model checking with Binary Decision Diagrams (BDDs): a BDD-based model checker takes the system (sequential circuits, protocols, …) and its specification as BDDs. BDDs may grow exponentially.

3 SAT-based Model Checking
Bounded Model Checking, Biere et al. [BCCFZ99]: Boolean formula satisfiability, n steps.
Pros:
- Powerful SAT solvers have been developed.
- Many heuristic approaches.
- Hundreds of thousands of variables and millions of clauses are feasible.
A powerful support for verifying large systems!

4 Motivation
SAT-based model checking: from discrete systems to real-time systems.
Challenges:
- From infinite to Boolean: the region graph [YWH04] gives a simple and precise transition relation, so BMC is efficient; but the reachability diameter is large, so a correctness guarantee is infeasible.
- From bounded to unbounded: induction, Sheeran et al. (2000), for discrete systems; xBMC.

5 Real-Time System
Discrete variables plus dense-time clocks:
- real domain
- increase at a uniform rate
- reset
[Figure: values of clocks X and Y over time 0, 1, 2, …]

6 Timed Automata (Alur et al., 1990)
A timed automaton consists of:
- D: a set of discrete variables
- X: a set of clocks
- A: a set of actions; each action is a series of discrete-variable assignments
- E: a set of edges; each edge is associated with a guard condition, an action and a set of reset clocks
- I: an initial condition

7 Timed Automata
State: a discrete interpretation and a clock interpretation.
Transition: time elapse (by a positive real) or edge fire.

8 Region Automata (Alur et al., 1990)
Equivalence class [ν]: clock valuations with the same integral parts and the same fractional ordering.
Region graph: states are regions; transitions between regions.
[Figure: regions of two clocks x and y]

9 Region Encoding
Each clock X with ceiling Cx is encoded by an integer Xd (in the figure Cx = 3, Xd ranges over 0..7 and Mx = 7):
- Xd is even: a point (Xd = 0, 2, 4, 6 stand for [0,0], [1,1], [2,2], [3,3])
- Xd is odd: an open interval (Xd = 1, 3, 5 stand for (0,1), (1,2), (2,3))
- Xd is Mx: X > Cx (Xd = 7 stands for (3,∞))
Each pair of clocks with odd encodings carries a fraction relation.
[Figure: three clocks X, Y, Z; one valuation encoded as Xd=3, Yd=5, Zd=4, Xf<Yf; another with fraction relation Xf>Yf, Xf>Zf, Yf>Zf]

10 Successor Relation Encoding
Two-clock system (time elapse):
- Xd is even, Yd is odd or My: Xd'=Xd+1, Yd'=Yd, Xf'<Yf'
- Xd is even, Yd is even: Xd'=Xd++, Yd'=Yd++, Xf'=Yf'
- Xd is odd, Yd is odd, and Xf<Yf: Xd'=Xd, Yd'=Yd++
Multi-clock system: pair conjunction and stuttering condition [YWH2004].

11 Transition
Time elapse; edge fire; one-step condition.
[Figure: a one-step transition in the region graph]
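The region encoding of slide 9 and the time-elapse successor rules of slides 10 and 11, written out for an arbitrary number of clocks, as an added example (this is not code from the slides or from xBMC). The names Region, encode_region, time_successor and reset, the formula M = 2C+1 for the "beyond the ceiling" code (consistent with the figure, where Cx = 3 and Mx = 7), and the sample valuations are assumptions of this example.

```python
# Added example, not from the slides or xBMC.  Encoding per clock with
# ceiling C: even code 2k means "value == k", odd code 2k+1 means
# "value in (k, k+1)", and the largest code M = 2C+1 means "value > C".
from dataclasses import dataclass
from math import floor


@dataclass
class Region:
    """Integer code per clock plus the ordering of fractional parts.

    frac_order lists, from smallest to largest fraction, the sets of clocks
    whose code is odd and below M (only those have a fraction that matters);
    clocks in the same set have equal fractions.
    """
    code: dict
    frac_order: tuple


def encode_region(values, ceilings):
    """Map a concrete clock valuation to its region (slide 9)."""
    code, fracs = {}, {}
    for name, v in values.items():
        c = ceilings[name]
        if v > c:
            code[name] = 2 * c + 1            # beyond the ceiling: M
        elif v == floor(v):
            code[name] = 2 * int(v)           # a point [k,k]
        else:
            code[name] = 2 * floor(v) + 1     # an open interval (k,k+1)
            fracs[name] = v - floor(v)
    # group clocks with equal fractions, ordered by fraction
    order = []
    for name, f in sorted(fracs.items(), key=lambda kv: kv[1]):
        if order and f == order[-1][0]:
            order[-1] = (f, order[-1][1] | {name})
        else:
            order.append((f, frozenset({name})))
    return Region(code, tuple(s for _, s in order))


def time_successor(r, ceilings):
    """Region entered by letting time elapse (slides 10 and 11).

    Slide 10's two-clock rules generalise as: if some clocks sit on an
    integer point they all move into the next open interval and share the
    smallest fraction (Xf' < Yf'); otherwise the clocks with the largest
    fraction reach the next integer point.  A region with every clock
    beyond its ceiling stutters.
    """
    code, order = dict(r.code), list(r.frac_order)
    points = [n for n, c in code.items() if c % 2 == 0]
    if points:
        for n in points:
            code[n] += 1                      # Xd even -> Xd+1 (odd)
        fresh = frozenset(n for n in points if code[n] < 2 * ceilings[n] + 1)
        if fresh:                             # clocks now above C drop out
            order.insert(0, fresh)
    elif order:
        for n in order[-1]:
            code[n] += 1                      # largest fraction hits an integer
        order.pop()
    return Region(code, tuple(order))


def reset(r, clocks):
    """Edge fire with a reset set: the reset clocks go back to [0,0]."""
    code = dict(r.code)
    for n in clocks:
        code[n] = 0
    gone = frozenset(clocks)
    return Region(code, tuple(s - gone for s in r.frac_order if s - gone))


if __name__ == "__main__":
    C = {"x": 3, "y": 3, "z": 3}
    # constructed valuation matching slide 9: Xd=3, Yd=5, Zd=4, Xf<Yf
    r = encode_region({"x": 1.5, "y": 2.7, "z": 2.0}, C)
    print(r)
    print(time_successor(r, C))
```

The successor of the slide-9 region moves z off its point into (2,3) with the smallest fraction; a second elapse lets y, which holds the largest fraction, reach the point [3,3]; a third elapse pushes y above its ceiling, after which its fraction is no longer tracked.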

12 Reachability Analysis
BoundedFwdReach(I, R, →, MaxBound)
  var i: 0..MaxBound;
  begin
    i := 0; F := I(B_0);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F ∧ R(B_i))) return reachable;
      F := F ∧ ¬R(B_i) ∧ (B_i → B_{i+1});
      i := i + 1;
  end.
The results of each step are added to F until termination.

13 Theorem
Given a TA having n regions, BoundedFwdReach() is sound and complete when MaxBound ≥ n.
The number of regions is prohibitively high to reach! It is the worst case of the reachability diameter. A better bound is the number of steps of the longest shortest path: loop-free termination.

14 Loop-Free Reachability Analysis
LFFwdReach(I, R, →, MaxBound)
  var i: 0..MaxBound;
  begin
    i := 0; F := I(B_0);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F ∧ R(B_i))) return reachable;
      F := F ∧ ¬R(B_i) ∧ (B_i → B_{i+1}) ∧ (∧_{j<i+1} B_j ≠ B_{i+1});
      if (not SAT(F)) return unreachable by loop-free;
      i := i + 1;
  end.
Loop-free restrictions are added to force the search through distinct states:
1. A loop-free path is a shortest path.
2. Completeness is preserved.

15 Solve the problem?
The tightest bound may still be too high to reach! Can we prove correctness without considering the diameter? Construct an induction proof!

16 Simple Induction
Prove that P always holds. An induction proof:
- Prove that P(0) is true (basis).
- Prove that for all k, P(k) implies P(k+1) (inductive step).
Formal verification:
- P holds in the initial states.
- P is maintained by the transition relation.
Constraints:
- I(B_0) ∧ ¬P(B_0) is unsatisfiable.
- For all k, P(B_k) ∧ (B_k → B_{k+1}) ∧ ¬P(B_{k+1}) is unsatisfiable.
Sound. When it succeeds, induction is able to handle larger models. However, in many cases simple induction is infeasible.

17 Windowed Induction
An induction proof (window size N):
- Prove that P(k) is true for 0 ≤ k ≤ N.
- Prove that for all k, (P(k) ∧ … ∧ P(k+N)) implies P(k+N+1).
Formal verification:
- P holds on all paths of length N starting from an initial state.
- For an arbitrary path of length N+1, if P holds in its N+1 states, then it holds in state N+2 too.
Constraints:
- I(B_0) ∧ ((B_0 → B_1) ∧ … ∧ (B_{N-1} → B_N)) ∧ ¬(P(B_0) ∧ … ∧ P(B_N)) is unsatisfiable.
- For all k, P(B_k) ∧ (B_k → B_{k+1}) ∧ P(B_{k+1}) ∧ (B_{k+1} → B_{k+2}) ∧ … ∧ P(B_{N+k}) ∧ (B_{N+k} → B_{N+k+1}) ∧ ¬P(B_{N+k+1}) is unsatisfiable.

18 Inductive Reachability Analysis
Given I, R, → (invariant property: ¬R).
Reachability: check I(B_0) ∧ R(B_0)?; then I(B_0) ∧ ¬R(B_0) ∧ (B_0 → B_1) ∧ R(B_1)?; then … ∧ ¬R(B_1) ∧ (B_1 → B_2) ∧ R(B_2)?; … If satisfiable, the risk state is reachable; otherwise the basis is constructed and we go on.
Induction: check ¬R(B_0) ∧ (B_0 → B_1) ∧ R(B_1)?; then ¬R(B_0) ∧ (B_0 → B_1) ∧ ¬R(B_1) ∧ (B_1 → B_2) ∧ R(B_2)?; then … ∧ (B_2 → B_3) ∧ R(B_3)?; … If unsatisfiable, the risk state is unreachable; otherwise go on.
[Figure: the two sequences of SAT queries over states S0, S1, S2, …]

19 Inductive Reachability Analysis
IndFwdReach(I, R, →)
  var i: 0..N;
  begin
    i := 0; F := I(B_0);
    loop forever
      if (not SAT((F \ I) ∧ R(B_i))) return unreachable by induction;
      if (SAT(F ∧ R(B_i))) return reachable;
      F := F ∧ ¬R(B_i) ∧ (B_i → B_{i+1}) ∧ (∧_{j<i+1} B_j ≠ B_{i+1});
      if (not SAT(F)) return unreachable by loop-free;
      i := i + 1;
  end.
The negation of the risk condition is inserted into F, which
1. retains the previous efforts, and
2. builds the constraint of the inductive step.
F \ I removes the clauses of the initial condition from F.
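The loops of slides 12, 14 and 19 run over an explicit finite transition system, as an added example (not code from the slides or from xBMC). xBMC hands F to a SAT solver; here SAT(F ∧ …) is decided by enumerating the loop-free paths that F admits, which is only feasible for toy systems but makes all three termination verdicts visible. The function name ind_fwd_reach, the universe parameter that plays the role of F \ I, and the three sample systems are constructed for this example.

```python
# Added example, not from the slides or xBMC: IndFwdReach (slide 19)
# with the MaxBound guard of slides 12 and 14, over explicit states.


def ind_fwd_reach(init, universe, step, risk, max_bound):
    """Inductive loop-free forward reachability.

    F is kept as the list of loop-free paths (s_0, ..., s_i) with s_0 in
    `init` and risk false on s_0 .. s_(i-1).  The inductive-step formula
    F \\ I is the same list with s_0 drawn from `universe` instead.
    Returns (verdict, i).
    """
    def sat_risk(paths):
        # SAT(F ∧ R(B_i)): some admitted path ends in a risk state
        return any(risk(p[-1]) for p in paths)

    def extend(paths):
        # F := F ∧ ¬R(B_i) ∧ (B_i → B_{i+1}) ∧ (∧_{j<=i} B_j ≠ B_{i+1})
        return [p + (t,)
                for p in paths if not risk(p[-1])
                for t in step(p[-1]) if t not in p]

    reach = [(s,) for s in init]        # F = I(B_0)
    ind = [(s,) for s in universe]      # F \ I
    i = 0
    while True:
        if i == max_bound:
            return "unreachable within MaxBound", i
        if not sat_risk(ind):           # no length-i path from anywhere reaches risk
            return "unreachable by induction", i
        if sat_risk(reach):
            return "reachable", i
        reach, ind = extend(reach), extend(ind)
        if not reach:                   # not SAT(F): every path from I closed a loop
            return "unreachable by loop-free", i
        i += 1


# Constructed sample systems (all names and values invented here).
def counter_step(s):
    """Mod-4 counter: states 0..3 cycle; 4..7 are junk states never entered."""
    return [(s + 1) % 4] if s < 4 else [s]


def buggy_counter_step(s):
    """Same counter with a bug: from 3 it overflows into the risk state 4."""
    return [s + 1] if s < 4 else [s]


def chain_step(s):
    """The 4-cycle plus an unreachable chain 10 -> 11 -> ... -> 21 (risk)."""
    return [(s + 1) % 4] if s < 4 else [min(s + 1, 21)]


COUNTER_STATES = range(8)
CHAIN_STATES = list(range(4)) + list(range(10, 22))


if __name__ == "__main__":
    print(ind_fwd_reach({0}, COUNTER_STATES, counter_step, lambda s: s >= 4, 10))
    print(ind_fwd_reach({0}, COUNTER_STATES, buggy_counter_step, lambda s: s >= 4, 10))
    print(ind_fwd_reach({0}, CHAIN_STATES, chain_step, lambda s: s == 21, 10))
    print(ind_fwd_reach({0}, CHAIN_STATES, chain_step, lambda s: s == 21, 2))
```

The correct counter is proved safe by induction after one step, because no non-risk state has a risk successor. The chain system defeats induction (the unreachable chain keeps supplying ever longer risk-ending paths) but terminates by the loop-free check once every path from the initial state has closed its 4-cycle; with MaxBound = 2 the search gives up before either proof is found. The buggy counter reports the risk state reachable at step 4.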

20 Implementation
- Standard bit encoding
- A circuit representation
xBMC:
- Makes use of zChaff
- xBMC 2.0 supports real-time systems
- xBMC 1.0 supports discrete systems, and has been used to verify program security (DSN2004)

21 Experiments
A simplified client model of CorSSO [JSS04]:
- P: the id of the chosen policy
- A: a bounded integer recording the number of collected authentications
- X, Y: local clocks
Safety property: for every client i, Access[i] implies that for some k ≠ 0, P[i] = k and A[i] > TH_k.
Experiments:
- A bug was inserted by mistyping TH_2 as TH_1 in transition 3.
- Increase the number of clients.
[Figure: the client automaton with locations Authentication and Access and four numbered edges; edge labels include "P := {1,2}; A := 0; reset {X,Y}", "P ≠ 0 ∧ X > TA ∧ A < Mx: A := A+1; reset {X}", a guard on Y and "(P=1 ∧ A>TH_1) ∨ (P=2 ∧ A>TH_2)", and "P := 0"]

22 Time Performance (seconds)
                  Correctness Guarantee        Bug Hunting
# of processes    RED 5.0      xBMC 2          RED 5.0      xBMC 2
 3                   2.71        0.03             2.64       28.6
 5                  89.25        0.26            85.23       97.54
 7                1076.37        0.59           990.16      268.71
 9                7169.19        4.94          6545.04      722.81
11               33201.08       12.38         30722.57      746.34
12                    T/O       17.81              T/O        O/M
20                    N/A      185.45              N/A        O/M
25                    N/A      484.78              N/A        O/M
T/O: time out (>60000 s); O/M: out of memory; N/A: not available.
TA=1, TE=10, TH_1=2, TH_2=3. P1.7 GHz, 256M, Linux. Induction proofs with window size 3 are constructed. All bugs are found at the 12th step. RED run with default values.

23 Related Works
General zones/polyhedra: Seshia and Bryant (CAV'03)
- Unbounded, fully symbolic model checking
- Quantified separation logic to quantified Boolean formula
- Tool: TMV (CUDD)
- No SAT-based model checker available
Discretization of region automata: Penczek, Wozna and Zbrzezny (FTRTFT'02)
- Reachability analysis
- Divide a time unit into 2n segments
- Tool: BBMC

24 Compared to BBMC (Fischer's Mutual Exclusion, A=1, B=2)
         BBMC-RG                  BBMC-ARG                 xBMC 2
# of P   # variables  # clauses   # variables  # clauses   # variables  # clauses
 2           5,434      15,197        5,533      15,102        4,502      13,770
 5          37,488     110,471       30,851      90,079       22,577      77,948
10         171,229     513,965      126,801     379,470       83,652     300,176
15         358,999   1,081,790      311,501     942,085      182,842     645,297
20         824,374   2,493,481      556,987   1,686,384      321,347   1,150,023
BBMC's data are copied directly from [WPZ03] "Checking reachability properties for timed automata via SAT." BBMC-ARG: forward projection is applied. BBMC found the witness at the 12th iteration; xBMC 2 found the witness at the 15th iteration.

25 Conclusion
We try to migrate the success of discrete-system verification to timing behavior analysis:
- Bounded model checking techniques
- Induction algorithms
- Discretization of region automata
Therefore, we get the best of both worlds:
- We get a correctness proof
- We get the ability to handle large real-time systems
Preliminary experiments show some promise in correctness guarantee as well as bug hunting.

26 Limitation and Future Work
Using the region graph:
- Pros: simple and precise transition relation; BMC is efficient; tight induction step
- Cons: a minor step might imply a deeper diameter
Correctness might be proved by induction. But once induction fails or bugs exist at a deep depth, what can we do?
Future work:
- Invariant strengthening [MRS03]
- Interpolation [McMillan03]
- Abstraction
- Case study
