
Evidence-Based Verification



  1. Evidence-Based Verification. Li Tan, Computer Science Department, Stony Brook. Joint work with Rance Cleaveland. August 2002.

  2. Outline
  Part I. Evidence-based Verification.
  • Motivations.
  • The general framework.
  • Applications.
  Part II. Evidence-based Model Checking.
  • Introducing the support set as checker-independent evidence.
  • Extracting support sets from existing checkers.
  • Post-model-checking analysis based on support sets:
    • efficiently certifying the verification result;
    • generating diagnostic information;
    • evaluating the quality of the model-checking process.
  • Prototype work on the Concurrency Workbench (CWB-NC).

  3. Automatic Verification
  • A verification algorithm (checker) decides, fully automatically, whether or not a transition system satisfies a property.
  • A bare "Yes/No" may not satisfy users:
    • Why does my design go wrong [CGMZ95]?
    • Could my design satisfy the property trivially [KV99]?
    • Can I trust the verification result [Nam01]?

  4. Understanding the verification result
  To answer these questions, users may demand:
  • Diagnostic information. A diagnostic routine usually reuses the proof already computed by a checker, so
    • implementing it requires an understanding of the checker;
    • migrating a diagnostic routine to a different checker requires changes to both the routine and the checker;
    • the proof used for one diagnostic schema may not suit a different schema.
  • A measurement of how well a system has been checked. Currently we use a "trial and error" strategy to find unchecked subformulas.
  • Evidence supporting the verification result. Currently we lack a proof of correctness that is
    • independent of the checker, and
    • verifiable efficiently.

  5. Let the result carry its own certifiable and checker-independent proof.
  [Figure: Checker 1, Checker 2 … Checker n each hand a Portable Proof of Correctness to the Verifier, which rejects an Invalid Proof and otherwise feeds Diagnostic schema 1..k, Certification of result, and Evaluating verification process.]

  6. The general framework
  • Defining abstract proof structures (APS).
    • An APS encodes the proof structures of different checkers in a standard form.
    • An APS may serve as the certificate of correctness for the result.
    • An APS is rich enough to support a variety of analyses, yet abstract enough to save space.
    • An APS can be verified independently and efficiently.
  • Extracting the APS from existing checkers.
    • Extraction must NOT worsen the complexity of the checkers.
  • Using the support set to perform diagnoses:
    • certifying the verification result;
    • generating diagnostic information;
    • measuring the quality of the verification process.

  7. Part II. Evidence-based Model Checking: an introduction by case study

  8. Boolean Equation System = Temporal Property + Transition System

  9. Support Set

  10. Support Set

  11. Support Sets (continued)
  A support set reflects how a checker "reasons" about a model-checking problem.
  • By properties 1 and 2, a support set implies a fixpoint solution of the BES.
  • By property 3, a support set respects the semantics of the fixpoint operators in the BES.
  Theorem 1 [TanCle02]. There exists a support set G = <r, X, x> for E iff [E](X) = r, i.e. iff the solution of E gives X the value r.

  12. Support sets for other temporal logics
  • Boolean equation system (BES) = transition system + temporal property.
  • Model checkers explicitly or implicitly construct a BES.
  • A variable in the BES stands for a pair of a subformula and a state of the transition system.
  • A decorated support set <G, pT, pF>, where G = <r, X, x>, resolves the states and subformulas associated with the variables in G. In our example,
    • pT(X0) = s0 ……
    • pF(X0) = AG(a ⇒ AF b) ……

  13. Extracting Support Sets
  The extraction is
  • practical: support sets can be extracted from a wide range of existing checkers, including the Boolean-graph algorithm [And92], linear alternation-free algorithms [CleSte91], the on-the-fly algorithms for the full μ-calculus LAFP [LRS98] and SLP [TanCle02b], and automaton-based model checkers ([BhaCle96a] and [KVW00]);
  • efficient: the overhead does not change the original complexities of these checkers;
  • simple: we only need to record the immediate dependencies of variables.

  14. Application I: Certifying model-checking results
  • Checking properties (a) and (b) can be done in linear time.
  • Checking property (c) reduces to the even-loop problem, an O(n log ad) problem [KKV01].
  • Model checking is in NP ∩ co-NP [EmeJutSis93].
  • The cost of certifying a result < the cost of model checking.

  15. Application II: Generating Counterexamples
  • Reduce a support set to a linear support set.
    • A support set <r, X, x> is linear if |x(Xi)| ≤ 1 for every Xi defined by x.

  16. Application II: Generating Counterexamples (cont.)
  • A counterexample can be generated by
    • "projecting" the linear support set onto states, and
    • removing the redundant steps: <s, X'> should be removed if … <s, X>, <s, X'> … is not interleaved with a modal operator.

  17. Application III: Evaluating the quality of model checking
  • A positive result may hide a problem.
    • T may satisfy AG(c ⇒ AF b) trivially because c never occurs in T.
    • Is the status of some state (mini-coverage [CKV01]) or of some subformula (vacuity [KV99]) irrelevant to the result?
  • The coverage problem for support sets: has the support set covered all the states and subformulas?

  18. Evaluating the quality of the model-checking process (cont.)
  • The support set for s0 ⊨ AG(c ⇒ AF b) is as shown in the figure [figure not reproduced in the transcript].
  • AF b is not covered ⇒ AF b is not checked.

  19. Future Work I: A client-server model for model checking
  • Server: the checkers.
    • Input: the system and the properties, encoded in some temporal logic.
    • Output: the support set.
  • Client: user interface, diagnostic generation and evidence verifier.
  [Figure labels: Abstract Proof Structures; Design; Systems and Properties]

  20. Future Work II: Proof-Carrying Code
  • Mobile code [Nec97] carries its own proof attesting to its safety.
  • Currently compilers are modified to produce the proof for a predefined set of safety rules.
  • Integrate support-set-ready model checkers with compilers.
  • The certifying compiler then enjoys the richness of temporal logics.

  21. A Prototype on CWB-NC

  22. Conclusion
  Checkers produce abstract proof structures as evidence.
  • Extracting an APS does not affect the complexities of checkers.
  • An APS provides portable evidence justifying the verification result.
  • Applications of APSs:
    • efficiently certifying the verification result;
    • evaluating the quality of verification;
    • generating a wide range of diagnostic information.
  • APSs are defined for model checking, equivalence checking and preorder checking.

  23. A Prototype on CWB-NC

  24. Conclusion
  Checkers produce support sets as evidence.
  • A support set is independent of the checker.
  • Extracting support sets does not affect the complexities of checkers.
  • A support set justifies the correctness of the result.
  • A support set attests to the quality of verification.
  • A wide range of diagnostic information can be built on support sets:
    • linear counterexamples and witnesses;
    • synthesizing winning strategies for the model-checking game;
    • vacuity detection and coverage metrics.
