1 / 41

Carnegie Mellon University

Symbolic Approaches to Invariant Checking and Automatic Predicate Abstraction. Randal E. Bryant. Carnegie Mellon University. http://www.cs.cmu.edu/~bryant. Contributions by graduate students: Sanjit Seshia, Shuvendu Lahiri. Outline. Task Prove safety properties of term-level systems

Download Presentation

Carnegie Mellon University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Symbolic Approaches to Invariant Checking and Automatic Predicate Abstraction Randal E. Bryant Carnegie Mellon University http://www.cs.cmu.edu/~bryant Contributions by graduate students: Sanjit Seshia, Shuvendu Lahiri

  2. Outline • Task • Prove safety properties of term-level systems • Method • Generate & prove inductive invariants by predicate abstraction • Features • Symbolic approach using SAT enumeration • Handles important class of quantified predicates • Augment with automated predicate discovery

  3. Present State Next State  Inputs (Arbitrary) Verifying Safety Properties • State Machine Model • State encoded as Booleans, integers, and functions • Next state function expresses how updated on each step • Prove: System will never reach bad state Bad States Reachable States Reset States Reset

  4. Reach Fixed-Point Rn = Rn+1 = Reachable Impractical for Term-Level Models Many systems never reach fixed point Can keep adding elements to buffer Convergence test undecidable  Rn • • • True Model Checking Bad States R2 R1 Reset States

  5. I Inductive Invariant Checking Bad States • Key Properties of System that Make it Operate Correctly • Formulate as formula I • Prove Inductive • Holds initially I(s0) • Preserved by all state changes I(s)  I((i, s)) Reachable States Reset States

  6. Inductive Invariants • Formulas I1, …, In • Ij(s0) holds for any initial state s0, for 1 jn • I1(s)  I2(s)  … In(s)  Ij(s ) for any current state s and successor state s for 1 jn • Overall Correctness • Follows by induction on time • Restricted form of invariants • x1x2…xk (x1…xk) • (x1…xk) is a CLU formula without quantifiers • x1…xk are integer variables free in (x1…xk)

  7. Restricted Invariants and Proofs • Proving invariants inductive requires quantifiers |= (x1x2…xk (x1…xk))  y1y2…ym (y1…ym) |= x1x2…xk (x1…xk)  y1y2…ym (y1…ym) • Universally Quantified Variables “Free” • Validity proves holds for all interpretations • Existentially Quantified Variables Make Problem Undecidable • Automatic instantiation of x1…xk with concrete terms • Sound but incomplete method • Reduce the quantified formula to a CLU formula • Can use the decision procedure for CLU

  8. Constructing Invariants from Predicates rob.head  reg.tag(r) Recipe: Invariants r,t.reg.valid(r)  reg.tag(r) = t  (rob.head  reg.tag(r) < rob.tail rob.dest(t) = r ) reg.valid(r) Result: Correctness reg.tag(r) = t rob.dest(t) = r

  9. Automatic Predicate Abstraction • Graf & Saïdi, CAV ‘97 • Idea • Given set of predicates P1(s), …, Pk(s) • Boolean formulas describing properties of system state • View as abstraction mapping: States {0,1}k • Defines abstract FSM over state set {0,1}k • Form of abstract interpretation • Do reachability analysis similar to symbolic model checking • Implementation • Early ones had weak inference capabilities • Call theorem prover or decision procedure to test each potential transition • Recent ones make better use of symbolic encodings

  10. P1(s), …, Pk(s) Abstraction Function  Concretization Function  s t s t Abstract State Space Abstraction Concretization Abstract States Abstract States Concrete States Concrete States

  11. Abstract Transition Concretize  Abstract  Concrete Transition s s t t Abstract State Machine • Transitions in abstract system mirror those in concrete Abstract System Concrete System

  12. A I Rn • • • R2 R1 Reset States Concretize  C Concrete System Reset States Generating Concrete Invariant • Reach Fixed-Point on Abstract System • Termination guaranteed, since finite state • Equivalent to Computing Invariant for Concrete System • Strongest possible invariant that can be expressed by formula over these predicates Abstract System

  13. Predicate Abstraction Example • State Space • State variables: { x, y } • Initial State • { (2, 1) } • Next State Behavior • x x • y y • Verification Task • Prove all bad states unreachable Initial State Bad States

  14. Precise Analysis • Reachable States • { (2, 1), (2, 1) } Reachable States Bad States

  15. cx:3 cx:y cy:0 L L G E E E G G L Predicates • Use 3-valued predicates in this example

  16. cx:3 cx:y cy:0 L G G Abstract Initial State Reached Set #0 { LGG }

  17. (Note loss of precision) Concretize Concretize Concretize g g g s s s Step 1: Concretize Reached Set #0 Reached Set #0 { LGG } cx:3 cx:y cy:0 L G G

  18. Concretize Concretize Concretize g g g Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s Compute Possible Successor States x x y y

  19. Concretize Concretize Concretize Abstract Abstract Abstract g g g a a a Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s Abstract Newly Reached States cx:3 cx:y cy:0 L L L 0 0 0 Reached Set #1 { LLL, LGG }

  20. (Note loss of precision) Concretize Concretize Concretize g g g s s s Step 2: Concretize Reached Set #1 Reached Set #1 { LLL, LGG } cx:3 cx:y cy:0 L L L

  21. Concretize Concretize Concretize g g g Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s Compute Possible Successor States x x y y

  22. cx:3 cx:y cy:0 Concretize Concretize Concretize Abstract Abstract Abstract g g g a a a G E Concrete Transition Concrete Transition Concrete Transition ¢ ¢ ¢ s s s s s s G G Abstract Newly Reached States Reached Set #2 { LLL, LGG, EGG, GGG }

  23. Final Reached State Set EGG LGG GGG LLL Bad States

  24. Abstract Transition? Concretize  Concretize  [P/B] [P/B] [P/B][/S] Predecessor Conventional Implementation of P.A. • Basis • Abstract state sets described as formulas over Boolean variables B = b1, …, bk • Current state given by formula (b1, …, bk) • Check whether candidate state (b1, …, bk) is successor   Abstract System Intersect? Concrete System

  25. Drawbacks of Conventional Implementation Intersect? • Very Slow • Guess at possible next state • Construct term-level formula and test for satisfiability • Possibly 2k calls to decision procedure • Can Only Handle Proposition Predicates • Cannot construct quantified invariants [P/B] [P/B]  [P/B][/S] Satisfiable? [P/B][/S]

  26. All Abstract Transitions (B, S, X) S, X How to reach abstract state B via concrete states S and X Symbolic Approach to P.A. • Lahiri, Bryant, Cook, CAV 2003 • Generate Quantified Formula Describing Next Abstract State Set • Current state given by formula (B) • Generate formula (B) describing all successors   Abstract System

  27. Symbolic Approach (cont.) • Transform into Quantified Boolean Formula • Formula of form Next(B) =  S, X(S, X, B) S, X: Integer and function variables B: Abstract state variables • Translate into Boolean formula of form  A(A, B) A: Boolean variables encoding integer & function values • Key Property { B | (S, X, B) satisfiable } = { B | (A, B) satisfiable } • Solve using either SAT enumeration or BDD quantification

  28. LGG LLL Symbolic Formulation of Step 2 • Concretized State Set • Encode each 3-valued {L, E, G} predicate with 2 Boolean variables (l, g) • Represent state set as formula • (l1 g1 l2 g2l3 g3)  (l1 g1 l2 g2l3 g3) l1: x < 3 l2: x < y g3: y > 0 g1: x > 3 g2: x > y l3: y < 0 Reached Set #1 { LLL, LGG }

  29. Next-State Predicates • Next State (x, y ) • Get predicates l1, l2, l3, g1, g2, g3 • Determine conditions under which predicates will hold in next state • Express in terms of current state (x, y)

  30. l1 g3  l3 g1 (g2 g3 l1) l3 g3 (g1 g1) l2  g2 g1 l1 g2  l2 (g1 l1) Consistency Constraints • Eliminate impossible predicate combinations • In general, may need to introduce additional variables • To express more complex transitivity constraints

  31. l1, l2, l3, g1, g2, g3 (g1 g1) (g1 l1) (g2 g3 l1) l2g2 g2l2 l3g3g3l3 [ (l1 g1 l2 g2l3 g3)  (l1 g1 l2 g2l3 g3) ] Current State Consistency Constraints Symbolic Form • Formulation • Express compatible combinations of current-state & next-state variables • Quantify out current-state variables • Gives formula over next-state variables

  32.  (l1 g1 l2 g2l3 g3) Extracting Next-State Set • Run SAT checker over formula • Generate blocking clause for each newly generated state [ (l1 g1 l2 g2l3 g3)  (l1 g1 l2 g2l3 g3) ] (g1 g1) (g1 l1) (g2 g3 l1) l2g2 g2l2 l3g3g3l3

  33. Quantified Invariant Generation (Lahiri & Bryant, VMCAI 2004) • User supplies predicates containing free variables • Generate globally quantified invariant • Example • Predicates p1: reg.valid(r) p2: rob.dest(t) = r p3: reg.tag(r) = t • Abstract state satisfying (p1p2p3) corresponds to concrete state satisfying r,t[reg.valid(r) reg.tag(r)=t  rob.dest(t)=r] rather than r[reg.valid(r)] r,t[reg.tag(r)=t] r,t[rob.dest(t)=r]

  34. Systems Verified with Predicate Abstraction • Very general models • Unbounded processes, buffers, cache lines, … • Safety properties only

  35. Automatic Predicate Discovery • Strength of Predicate Abstraction • If give it right set of predicates, PA will put them together into invariant • Weakness • Gets nowhere without right set of predicates • Typical failure mode: Generate “true” as invariant • Challenges • Too many predicates will overwhelm PA engine • Our use of quantified invariants precludes counterexample-generated refinement techniques

  36. Initial set of atomic predicates from the invariant  P WP-based new predicate generation from P Generate inductive invariant using predicate abstraction over P Yes, Done No Property proved? Iterative Generation of Predicates • Lahiri & Bryant, CAV ’04 • Generate new set of predicates if current predicates not sufficient

  37. Case Study 1: N-Bakery • N-Process mutual exclusion protocol [Lamport ’76] • Each process contains • An unbounded ticket • A counter with range [1…N] • Other Boolean state variables • Safety: Mutual exclusion property • Constructs inductive invariant in 3 iterations of WP-based predicate discovery • Iteration 1: # Predicates = 1, Time to construct inv = .81s • Does not imply mutual exclusion • Iteration 2: # Predicates = 18, Time = 55.8s • Does not imply mutual exclusion • Iteration 3: # Predicates = 33, Time = 471s • Implies mutual exclusion

  38. Case Study 2: German’s Cache Protocol • N-Client Directory based Cache Coherence Protocol [German, IBM] • Each client contains Boolean state variables • 3 single-entry channels to communicate with central process • Central “home” process contains • Directory : [1..N]  {0,1} of clients sharing a line • Current client id [1…N] • Boolean variables • Safety: Mutual exclusion property • Constructs inductive invariant in 4 iterations of WP-based predicate discovery • Iteration 1: # Predicates = 4, Time (to construct inv) = 1.46 s • Iteration 2: # Predicates = 12, Time = 11.94 s • Iteration 3: # Predicates = 24, Time = 207 s • Iteration 4: # Predicates = 28, Time = 1266s • Implies mutual exclusion

  39. Extension of German’s cache protocol • Each client communicates with home with unbounded FIFO channels • Unbounded number of unbounded channels • Verification complexity goes up considerably • 2 manually provided predicates for FIFOs required • Predicates involved constant offsets • Time to construct inductive invariant = 3 hours

  40. Predicate Abstraction Convergences • Powerful method for generating & evaluating abstract model of system • Applicable to variety of systems with different modeling levels

  41. Observations • Predicate Abstraction • Combines features of theorem proving & model checking • Very general and powerful technique • Lots of ways to generalize • Making More Efficient • Symbolic formulation very general • SAT enumeration limits capacity to ~25 predicates • Making Easier to Use • Automatic predicate discovery • Limitation: Hard to find counterexamples

More Related