1 / 17

Invisible Invariants: Underapproximating to Overapproximate

Invisible Invariants: Underapproximating to Overapproximate. Ken McMillan Cadence Research Labs. TexPoint fonts used in EMF: A A A A A. Invisible Invariants. Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001.)

starbuck
Download Presentation

Invisible Invariants: Underapproximating to Overapproximate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: AAAAA

  2. Invisible Invariants • Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001.) • Parameterized Verification with Automatically Computed Inductive Assertions , T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck. • (CAV 2001). • Liveness with Invisible Ranking, Yi Fang, Nir Piterman, A. Pnueli and L. Zuck. (VMCAI'04). • IIV: An Invisible Invariant Verifier, I.~Balaban, Y.~Fang, A.~Pnueli, and L.~D.~Zuck (CAV 2005)

  3. ... P1 P2 P3 PN Parameterized Systems • Suppose we have a parallel composition of N (finite state) processes, where N is unknown • Proofs require auxiliary constructs, parameterized on N • For safety, an inductive invariant • For liveness, say, a ranking • Pnueli, et al., 2001: derive these constructs for general N by abstracting from the mechanical proof of a particular N. • Surprising practical result: under-approximations can yield over-approximations at the fixed point. • Subtle implementation: proofs can be done entirely using finite-state model checking, without explicitly generating the auxiliary constructs (hence invisible invariants).

  4. 1. Compute the reachable states RN for fixed N (say, N=5) ● ● ●●● ●●● ● ● ● ●●● ● ●●● ● ● ●● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ●● ● ●●● ● ● ● ● ●● 2. Project onto a small subset of processes (say 2) ●● ● ● ●● ●● ●● ●● = {(s1,s2) | 9 (s1,s2,...) 2 RN} Recipe for an invariant

  5. ●●....... ● ●●....... ● ●● ....... ● ●● ....... ● 2. Project onto a small subset of processes (say 2) ●● ●● ● ● ●● ●● ●● 4. Test whether GN is an invariant for all N 8 N. GN) X GN Recipe for an invariant = {(s1,s2) | 9 (s1,s2,...) 2 RN} 3. Generalize from 2 to N, to get GN N N GN = Æi  j2 [1..N] (si,sj) ... ...

  6. Inductiveness is equivalent to validity of this formula: GNÆ T ) G’N Transition relation Checking inductiveness • This problem: 8 N. GN) X GN ... can be reduced to this problem: GM) X GM ... where M is a fixed number • Small model theorem: • If there is a countermodel with N>M, there is a countermodel with N=M • Suffices to check inductiveness for N·M Thus, both the invariant generation and invariant checking amount to finite-state model checking.

  7. N natural > 1 x1,...,xaboolean y1,...,yb [1..N] z1,...,zcarray [1..N] of boolean V = SMT example • Allow the following variables: • Some parameters i,j ranging over [1..N] • An R-atom is xi or zi[v] or v = w, where v,w, are integer vars/params • An R-assertion is a FO formula over R-atoms Example: 8 i,j: i  j ):(z1[i] Æ z1[j]) • Small model results: • M depends mainly on quantifier structure of GN and T • Example: if T has one universal and GN has two, then M = 2b+3

  8. Abstract domain for invisible invariants L is the formulas of the form 8 i,j2[1..N] , where is a QF formula over R-atoms. In other words, L is our class of generalizations Invisible invariants and AI • A logical language L provides an abstract domain • The semantics of L is given by the concretization function : L! 2S • Assuming L is finite and Æ-closed, we have an abstract function: (S) = Æ { 2L | S µ() } That is, (s) is the most we can say about set s in L

  9. For a set S of states of the N-process system, we have N(s) = {2 R-minterms | s ²9 i,j. } N = 8 i,j. Çs2 SN(s) Note computing N involves finitely many evaluations Abstraction function • The project-and-generalize operation computes the abstraction function • An R-minterm is a conjunctions of literals over R-atoms • Every R-atom occurs exactly once • Think of as a truth assignment to the R-atoms • Think of as a local state, for a pair of processes (i,j) Example: i  j Æ z1[i] Æ: z1[j]

  10. GN N N N N N N N N = ¶ ¶ fixpoint = RN GN GN SMT  N  if N >= M Invisible invariant construction • We construct the invariant guess by reachability and abstraction • Testing the invariant guess

  11. t#       t# t# t# = fixpoint        Invariant by AI • Abstract transformer # # is difficult to compute because of unbounded quantifier • Compute strongest inductive invariant in L For our particular L, this is called Indexed Predicate Abstraction

  12. t# t#N N  N  N  Under-approximation • Amir’s idea of generalizing finite instances suggests we can under-approximate the best abstract transformer # SMT implies that for N >= M, that # and #N are equivalent! • This has two consequences • For N >= M, we can compute # exactly by finite-state methods, without using a theorem prover. • For N < M, we might still reach a fixed point that is inductive for all N...

  13. lfp(#) t# t# t# A        if fp of # then =    N N N N N N N N N lfp(#N) B N N N N N N N if fp of #N then = N(lfp(N)) C N Three methods

  14. N natural > 1 x1,...,xaboolean y1,...,yb [1..N] z1,...,zcarray [1..N] of boolean p1,...,pdarray [1..N] of 1..N V = Pointers! Shape analysis • Allow the following variables: • Add a reachability predicate reap(i,j) Example: 8 i: reap(y1,i) ) z1[i] • Allows abstraction of linked lists • Small model results possible for limited cases • But if not, can apply theorem prover to test invariance

  15. py reay reay px reax reax reax reax null ... N might allow just N concrete nodes for each summary node Canonical shape graphs • Plans A, B or C can be used for any abstract domain L • We only need to define the finite concretization N • For example, N might generate only concrete heaps to size N • Each canonical graph corresponds to a logical formula [YRSW2003] • We can test inductiveness using a theorem prover

  16. t#  ‘ A ’   Use model-generating prover to compute samples violating ’ N N N   ‘ B N N These methods require the theorem prover to be called just once to test the fixpoint. Of course, the test may fail. Use SAT solver to compute bounded samples violating ’ Compute all bounded concrete heaps (symbolically?) then abstract C N ... Invisible shape graphs?

  17. Conclusion • Invisible invariants suggest a general approach to abstract interpretation based on two ideas: • Under-approximations can yield over-approximations at the fixed point • This is a bit mysterious, but observationally true • Computing the fixed point with under-approximations can use more light-weight methods • For example, BDD-based model checking instead of a theorem prover • To verify fixed point, need either an SMT or a theorem prover (but just once!) Invisible invariants give a less reliable but much less expensive way to compute the least fixed point for a given abstract domain.

More Related