1 / 26

Evidence-Based Verification

Evidence-Based Verification. Li Tan Computer Science Department Stony Brook Joint work with Rance Cleaveland Nov. 2002. Outline. Part I. Evidence-based Verification. Motivations. The general framework. Applications. Part II. Evidence-based Model Checking.

cheche
Download Presentation

Evidence-Based Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Evidence-Based Verification Li Tan Computer Science Department Stony Brook Joint work with Rance Cleaveland Nov. 2002 Evidence-Based Verification

  2. Outline Part I. Evidence-based Verification. • Motivations. • The general framework. • Applications. Part II. Evidence-based Model Checking. • Introducing support set as checker-independent evidence. • Extracting support set from existing checkers. • Post-model-checking analysis based on support sets. • Efficiently certifying model-checking result. • Generating the diagnostic information. • Evaluating the quality of model-checking process. • Prototype work on the Concurrency Workbench (CWB-NC). Evidence-Based Verification

  3. Automatic Verification • Verification algorithm (checker) decides in a fully automatic fashion whether or not a transition system satisfies a property. • A simple "Yes/No" may not satisfy users. • Why does my design go wrong [CGMZ95]? • Could my design satisfy the property trivially [KV99]? • Can I trust the verification result [Nam01]? Evidence-Based Verification

  4. Understanding the verification result To answer these questions, users may demand, • Diagnostic information. A diag. routine usually reuse the proof already computed by a checker, • Implementation requires the understanding of checkers. • Migrating a diag. routine onto a different checker requires changes on both diag. routine and checker. • Proof used for one diagnostic schema may not be suitable for a different schema. • Measurement on how well a system has been checked. • Evidence to support verification result. Currently we lack of the proof of correctness which is, • Independent of the checker, and • Able to be verified efficiently. Evidence-Based Verification

  5. Invalid Proof Evidence-Based Verification Let the result carry its own certifiable and check-independent proof Diagnostic schema 1..k Certification of result Evaluating verification process … Verifier Portable Proof of Correctness … Checker 1 Checker 2 Checker n Evidence-Based Verification

  6. The general framework • Defining abstract proof structures (APS). • APS encodes the proof structures of different checkers in a standard form. • APS may be used as the certification for correctness of result. • APS is rich enough to support a variety of analyses, while still abstract enough to save the space. • APS can be verified independently and efficiently. • Extracting APS from existing checkers. • Extraction should NOT compromise the complexities of checkers. • Utilizing support set to perform diagnoses. • Certifying verification result. • Generating diagnostic information. • Measuring the quality of verification process Evidence-Based Verification

  7. b s2 a,b s1 T Part II. Evidence-based Model Checking:An introduction by case study s0 Evidence-Based Verification

  8. Boolean Equation System=Temporal Property+Transition System Evidence-Based Verification

  9. Support Set Evidence-Based Verification

  10. Support Set Evidence-Based Verification

  11. Boolean Equation System=Temporal Property+Transition System Evidence-Based Verification

  12. Support Sets (Continue) Support set reflects how a checker “reasons” model-checking problem. • By properties 1 and 2, support set implies a fixpoint solution for BES. • By property 3, support set respects the semantics of fixpoint operators in BES. Theorem 1 [TanCle02] There exists a support set G=<r, X,x> , [E](X)=r. Evidence-Based Verification

  13. Support sets for other temporal logics • Boolean equation system (BES)=transition system + temporal property. • Model checkers explicitly or implicitly construct BES . • Variables in support set stands for pairs of subformula and state in transition system. • Decorated support set <G, pT, pF>, where G=<r, X, x>, resolves subformulas and states associated with the variables in G. In our example, • pT(h s0, X0 i)= s0 …… • pF(h s0, X0i)= AF(: a Æ AG : b) …… Evidence-Based Verification

  14. Extracting Support Set The extraction is, • practical. Support sets can be extracted from a wide range of existing checkers, • Boolean-Graph algorithm [And92], Linear Alternation-Free algorithms[CleSte91], On-the-fly algorithms for full m-calculus LAFP [LRS98] and SLP [TanCle02b], Automaton-based model checkers([BhaCle96a] and [KVW00]). • efficient. The overhead doesn't affect the original complexities of these checkers. • simply. We only need to record the immediate dependency of variables. Evidence-Based Verification

  15. Application I: Certifying model-checking results • Checking (a) and (b) can be done in linear time. • Checking (c) can be reduced to even-loop problem (a O(n log ad) problem[KKV01]). • Model checking is a NP Å co-NP problem [EmeJutSis93]. • The cost of certifying results < The cost of model checking. Evidence-Based Verification

  16. hs0, X0i hs0, X2i hs0, X1i hs0, X3i hs1, X0i hs0, : bi hs1, X2i hs2, X1i hs2, X0i hs1, X1i hs1, : ai hs2, X2i hs2, X3i hs2, X4i hs1, X3i hs1, : bi Application II: Generating Tree-like Counterexample [CJLV02] Step 1: Presenting support set as a graph  X1=[-] X0  X1=[-] X0  X1=[-] X0  X4=[-] X3 Evidence-Based Verification

  17. Step 2: Labelling the graph • hsi, : ai has the label a (h si, : ai means si²:: a) • The label of hsi,Xji will be added to its parent h si, Xii ‘s label if Xi , Xj is not connected by a modal operator ([-] or <->). b hs0, X0i hs0, X2i b hs0, X1i hs0, X3i b a hs1, X0i b hs0, : bi hs1, X2i a hs2, X1i hs2, X0i hs1, X1i hs1, : ai a hs2, X2i hs2, X3i hs2, X4i hs1, X3i hs1, : bi b b Evidence-Based Verification

  18. Step 3: Obtaining a skeletion. Remove those edges which make “no progress” on transition system. • Remove h si, Xii!h si, Xji such that Xi and Xj is not connected by a modal operator. • Let h si, Xii have all the transitions of h si, Xii. b hs0, X0i a hs1, X0i hs2, X0i hs1, X3i b Evidence-Based Verification

  19. Generating Tree-like counterexample 4/4 • T’ is tree-like [CJLV02] • The component graph of T’ is a tree • Strongly connected components are cycles • T’ ²: AF(: a Æ AG : b) = EG(a Ç EF b) • T’ Á T s0 b b a s2 Á a,b s1 T T’ b Evidence-Based Verification

  20. Application III:Evaluate the quality of MC • A positive result may hide the problem • T may pass AG(c ) AF b) trivially because c never occurs in T. • Is there the status of a state (Minicoverage [CKV01]) or a subformula (Vacuity [KV99]) irrelevant to the result? • Coverage problem of support set. • Has support set covered all the states and properties? Evidence-Based Verification

  21. Furture Work I:A Client-Server Model for model checking • Server: checkers • Inputting system and properties encoded in some temporal logic. • Outputting support set. • Client: user interface, diagnostic generation, and evidence-verifier. Abstract Proof Structures Design Systems and Properties Evidence-Based Verification

  22. Future Work II:Proof-Carrying Code • Mobile code [Nec97] carries its own proof attesting to its safeness. • Currently compilers are modified to produce the proof for a predefined set of safety rules. • Integrate support-set-ready model checkers with compilers. • Certifying compiler enjoys the richness of temporal logics. Evidence-Based Verification

  23. A Prototype on CWB-NC Evidence-Based Verification

  24. Conclusion Checkers produce abstract proof structures as evidence. • Support set provides the portable evidence for justifying model-checking result. • Extracting support set won't affect the complexities of checkers. • Applications of support set. • Efficiently certifying the model-checking result. • Evaluating the quality of model-checking process. • Generating a wide range of diagnostic information. • APSs are defined for Model checking, Equiv. checking, and Preordering Checking. Evidence-Based Verification

  25. Related Work • Mateescu [Mat00] proposed Extended Boolean Graphies(EBG) as the evidence for boolean equation system. • The framework works only in alternation-free fragment of m-calculus. • Namjoshi [Nam01] proposed a deductive proof as the evidence for m-calculus model checking. • The proof need recode the ranking information. • Ranking information is not generally available for on-the-fly algorithm, and it costs more space to store this information. Evidence-Based Verification

  26. Future Work • Applying the framework to symbolic model checking. • Essentially support set associates with X a set of variable x(X) as its evidence. Sets can be efficiently encoded in OBDD. • Applying the framework to first-order logic model checking. • A client-server model for model-checking. • Model-checking server takes trans. System and property as input from client, and produces support sets as output. • Client generates a variety of diag. Info. from support set. • Generating proof-carrying code. • Support-set ready model checker can be integrated with the compiler. • The support set generated during support-set ready compiler will be translated to the proof for proof-carrying code. Evidence-Based Verification

More Related