This paper discusses the concept of invisible invariants and how they can be used in automatic deductive verification. It explores the generation and checking of these invariants for parameterized systems, and highlights the practical results and implementation challenges. The paper also introduces an abstract domain for representing invisible invariants and discusses the abstraction function. Additionally, it presents the construction of the invariant guess using reachability and abstraction, and explores underapproximation techniques. The paper concludes by discussing the implications of using underapproximation in the context of invisible invariants.
Invisible Invariants: Underapproximating to Overapproximate
Ken McMillan, Cadence Research Labs
Invisible Invariants
• Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001).
• Parameterized Verification with Automatically Computed Inductive Assertions, T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck (CAV 2001).
• Liveness with Invisible Ranking, Yi Fang, Nir Piterman, A. Pnueli and L. Zuck (VMCAI'04).
• IIV: An Invisible Invariant Verifier, I. Balaban, Y. Fang, A. Pnueli, and L. D. Zuck (CAV 2005).
Parameterized Systems
[Figure: processes P1, P2, P3, ..., PN composed in parallel]
• Suppose we have a parallel composition of N (finite-state) processes, where N is unknown
• Proofs require auxiliary constructs, parameterized on N
  • For safety, an inductive invariant
  • For liveness, say, a ranking
• Pnueli et al., 2001: derive these constructs for general N by abstracting from the mechanical proof of a particular N.
• Surprising practical result: under-approximations can yield over-approximations at the fixed point.
• Subtle implementation: proofs can be done entirely using finite-state model checking, without explicitly generating the auxiliary constructs (hence invisible invariants).
Recipe for an invariant
[Figure: the reachable states of an N=5 instance, and their projection onto two processes]
1. Compute the reachable states $R_N$ for fixed N (say, N=5)
2. Project onto a small subset of processes (say 2): $\psi = \{(s_1,s_2) \mid \exists (s_1,s_2,\ldots) \in R_N\}$
3. Generalize from 2 to N, to get $G_N$: $G_N = \bigwedge_{i \neq j \in [1..N]} \psi(s_i,s_j)$
4. Test whether $G_N$ is an invariant for all N: $\forall N.\ G_N \Rightarrow \mathbf{X}\, G_N$
Checking inductiveness
• Inductiveness is equivalent to validity of this formula: $G_N \wedge T \Rightarrow G'_N$, where T is the transition relation
• This problem: $\forall N.\ G_N \Rightarrow \mathbf{X}\, G_N$ ... can be reduced to this problem: $G_M \Rightarrow \mathbf{X}\, G_M$ ... where M is a fixed number
• Small model theorem:
  • If there is a countermodel with N > M, there is a countermodel with N = M
  • Suffices to check inductiveness for $N \leq M$
Thus, both the invariant generation and invariant checking amount to finite-state model checking.
SMT example
• Allow the following variables:
  V = (N : natural > 1; $x_1,\ldots,x_a$ : boolean; $y_1,\ldots,y_b$ : [1..N]; $z_1,\ldots,z_c$ : array [1..N] of boolean)
• Some parameters i, j ranging over [1..N]
• An R-atom is $x_i$ or $z_i[v]$ or $v = w$, where v, w are integer vars/params
• An R-assertion is a FO formula over R-atoms. Example: $\forall i,j:\ i \neq j \Rightarrow \neg(z_1[i] \wedge z_1[j])$
• Small model results:
  • M depends mainly on quantifier structure of $G_N$ and T
  • Example: if T has one universal and $G_N$ has two, then M = 2b+3
Invisible invariants and AI
• A logical language L provides an abstract domain
• The semantics of L is given by the concretization function $\gamma : L \to 2^S$
• Assuming L is finite and $\wedge$-closed, we have an abstraction function: $\alpha(S) = \bigwedge \{\varphi \in L \mid S \subseteq \gamma(\varphi)\}$
  That is, $\alpha(S)$ is the most we can say about set S in L
Abstract domain for invisible invariants
• L is the formulas of the form $\forall i,j \in [1..N].\ \varphi$, where $\varphi$ is a QF formula over R-atoms. In other words, L is our class of generalizations
Abstraction function
• The project-and-generalize operation computes the abstraction function
• An R-minterm is a conjunction of literals over R-atoms
  • Every R-atom occurs exactly once
  • Think of $\varphi$ as a truth assignment to the R-atoms
  • Think of $\varphi$ as a local state, for a pair of processes (i,j)
  Example: $i \neq j \wedge z_1[i] \wedge \neg z_1[j]$
• For a set S of states of the N-process system, we have
  $\alpha_N(s) = \{\varphi \in \text{R-minterms} \mid s \models \exists i,j.\ \varphi\}$
  $\alpha_N(S) = \forall i,j.\ \bigvee_{s \in S} \alpha_N(s)$ (a set of minterms is read as their disjunction)
• Note computing $\alpha_N$ involves finitely many evaluations
Invisible invariant construction
• We construct the invariant guess by reachability and abstraction
  [Figure: iterate the concrete transformer $\tau_N$ to the fixpoint $R_N$, then abstract: $G_N = \alpha_N(R_N)$]
• Testing the invariant guess
  [Figure: check inductiveness of $G_N$ by the small model theorem (SMT), which covers all N if $N \geq M$]
Invariant by AI
• Abstract transformer $\tau^\#$
  [Figure: $\tau^\#$ applied repeatedly until a fixpoint is reached]
• $\tau^\#$ is difficult to compute because of unbounded quantifier
• Compute strongest inductive invariant in L
• For our particular L, this is called Indexed Predicate Abstraction
Under-approximation
• Amir's idea of generalizing finite instances suggests we can under-approximate the best abstract transformer $\tau^\#$ by $\tau^\#_N$
  [Figure: $\tau^\#_N$ obtained from the N-process instance via $\gamma_N$, $\tau_N$ and $\alpha_N$]
• SMT implies that for $N \geq M$, $\tau^\#$ and $\tau^\#_N$ are equivalent!
• This has two consequences
  • For $N \geq M$, we can compute $\tau^\#$ exactly by finite-state methods, without using a theorem prover.
  • For N < M, we might still reach a fixed point that is inductive for all N...
Three methods
• A: iterate $\tau^\#$ to its least fixpoint $\mathrm{lfp}(\tau^\#)$
• B: iterate $\tau^\#_N$ to $\mathrm{lfp}(\tau^\#_N)$; if the result is a fixpoint of $\tau^\#$, then it equals $\mathrm{lfp}(\tau^\#)$
• C: compute $\alpha_N(\mathrm{lfp}(\tau_N))$, the abstraction of the concrete reachable states of the N-process instance; if the result is a fixpoint of $\tau^\#_N$, then it equals $\mathrm{lfp}(\tau^\#_N)$
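The recipe (steps 1 to 4), the abstraction function $\alpha_N$ and method C above, carried out on a constructed lock-based mutual exclusion protocol. This is an added example, not code from the talk or from IIV; the protocol, the names `project`, `holds` and `inductive`, and the choice of N=3 for the guess are assumptions made here.

```python
from itertools import product
IDLE, WAIT, CRIT = 0, 1, 2   # per-process location; the lock is the global boolean

def initial(n):
    return (False, (IDLE,) * n)            # lock free, every process idle

def successors(state):
    """Interleaved steps of the constructed mutex: one process moves per step."""
    lock, locs = state
    for i, loc in enumerate(locs):
        if loc == IDLE:                    # request the critical section
            yield (lock, locs[:i] + (WAIT,) + locs[i + 1:])
        elif loc == WAIT and not lock:     # enter only while the lock is free
            yield (True, locs[:i] + (CRIT,) + locs[i + 1:])
        elif loc == CRIT:                  # leave and release the lock
            yield (False, locs[:i] + (IDLE,) + locs[i + 1:])

def reachable(n):
    """Step 1: R_N, the concrete reachable states of the N-process instance."""
    seen, todo = {initial(n)}, [initial(n)]
    while todo:
        for t in successors(todo.pop()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen

def project(states):
    """Step 2 (alpha_N): local states (lock, loc_i, loc_j), i != j; each is an R-minterm."""
    psi = set()
    for lock, locs in states:
        for i, j in product(range(len(locs)), repeat=2):
            if i != j:
                psi.add((lock, locs[i], locs[j]))
    return psi

def holds(psi, state):
    """Step 3: G_N(s) = AND over all i != j of psi(lock, s_i, s_j)."""
    return project({state}) <= psi

def inductive(psi, n):
    """Step 4 at one fixed N: init => G_N, and G_N and T => G_N' over every G_N state."""
    if not holds(psi, initial(n)):
        return False
    for lock, locs in product((False, True), product((IDLE, WAIT, CRIT), repeat=n)):
        s = (lock, locs)
        if holds(psi, s) and not all(holds(psi, t) for t in successors(s)):
            return False
    return True

PSI = project(reachable(3))   # invariant guess generalized from the N=3 instance
```

The guess from N=3 admits lock=1 states with no process in CRIT (unreachable, but pairwise indistinguishable from reachable ones) and is still inductive at N=4 and N=5, while the guess from N=2 fails the step-4 test at N=3 because it never saw a pair of non-critical processes while the lock is held.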
Shape analysis
• Allow the following variables (pointers!):
  V = (N : natural > 1; $x_1,\ldots,x_a$ : boolean; $y_1,\ldots,y_b$ : [1..N]; $z_1,\ldots,z_c$ : array [1..N] of boolean; $p_1,\ldots,p_d$ : array [1..N] of 1..N)
• Add a reachability predicate reach(i,j). Example: $\forall i:\ \mathrm{reach}(y_1,i) \Rightarrow z_1[i]$
• Allows abstraction of linked lists
• Small model results possible for limited cases
• But if not, can apply theorem prover to test invariance
Canonical shape graphs
[Figure: a canonical shape graph with pointer variables $p_x$, $p_y$, reach edges and summary nodes ending in null; $\gamma_N$ might allow just N concrete nodes for each summary node]
• Plans A, B or C can be used for any abstract domain L
• We only need to define the finite concretization $\gamma_N$
  • For example, $\gamma_N$ might generate only concrete heaps to size N
• Each canonical graph corresponds to a logical formula [YRSW2003]
• We can test inductiveness using a theorem prover
Invisible shape graphs?
• A: iterate $\tau^\#$; use a model-generating prover to compute samples violating $\varphi'$
• B: iterate $\tau^\#_N$; use a SAT solver to compute bounded samples violating $\varphi'$
• C: compute all bounded concrete heaps (symbolically?) then abstract with $\alpha_N$
These methods require the theorem prover to be called just once to test the fixpoint. Of course, the test may fail.
Conclusion
• Invisible invariants suggest a general approach to abstract interpretation based on two ideas:
  • Under-approximations can yield over-approximations at the fixed point
    • This is a bit mysterious, but observationally true
  • Computing the fixed point with under-approximations can use more light-weight methods
    • For example, BDD-based model checking instead of a theorem prover
    • To verify the fixed point, need either an SMT or a theorem prover (but just once!)
• Invisible invariants give a less reliable but much less expensive way to compute the least fixed point for a given abstract domain.