170 likes | 316 Vues
Invisible Invariants: Underapproximating to Overapproximate. Ken McMillan Cadence Research Labs. TexPoint fonts used in EMF: A A A A A. Invisible Invariants. Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001.)
E N D
Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: AAAAA
Invisible Invariants • Automatic Deductive Verification with Invisible Invariants, A. Pnueli, S. Ruah, and L. Zuck (TACAS 2001.) • Parameterized Verification with Automatically Computed Inductive Assertions , T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck. • (CAV 2001). • Liveness with Invisible Ranking, Yi Fang, Nir Piterman, A. Pnueli and L. Zuck. (VMCAI'04). • IIV: An Invisible Invariant Verifier, I.~Balaban, Y.~Fang, A.~Pnueli, and L.~D.~Zuck (CAV 2005)
... P1 P2 P3 PN Parameterized Systems • Suppose we have a parallel composition of N (finite state) processes, where N is unknown • Proofs require auxiliary constructs, parameterized on N • For safety, an inductive invariant • For liveness, say, a ranking • Pnueli, et al., 2001: derive these constructs for general N by abstracting from the mechanical proof of a particular N. • Surprising practical result: under-approximations can yield over-approximations at the fixed point. • Subtle implementation: proofs can be done entirely using finite-state model checking, without explicitly generating the auxiliary constructs (hence invisible invariants).
1. Compute the reachable states RN for fixed N (say, N=5) ● ● ●●● ●●● ● ● ● ●●● ● ●●● ● ● ●● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ●● ● ●●● ● ● ● ● ●● 2. Project onto a small subset of processes (say 2) ●● ● ● ●● ●● ●● ●● = {(s1,s2) | 9 (s1,s2,...) 2 RN} Recipe for an invariant
●●....... ● ●●....... ● ●● ....... ● ●● ....... ● 2. Project onto a small subset of processes (say 2) ●● ●● ● ● ●● ●● ●● 4. Test whether GN is an invariant for all N 8 N. GN) X GN Recipe for an invariant = {(s1,s2) | 9 (s1,s2,...) 2 RN} 3. Generalize from 2 to N, to get GN N N GN = Æi j2 [1..N] (si,sj) ... ...
Inductiveness is equivalent to validity of this formula: GNÆ T ) G’N Transition relation Checking inductiveness • This problem: 8 N. GN) X GN ... can be reduced to this problem: GM) X GM ... where M is a fixed number • Small model theorem: • If there is a countermodel with N>M, there is a countermodel with N=M • Suffices to check inductiveness for N·M Thus, both the invariant generation and invariant checking amount to finite-state model checking.
N natural > 1 x1,...,xaboolean y1,...,yb [1..N] z1,...,zcarray [1..N] of boolean V = SMT example • Allow the following variables: • Some parameters i,j ranging over [1..N] • An R-atom is xi or zi[v] or v = w, where v,w, are integer vars/params • An R-assertion is a FO formula over R-atoms Example: 8 i,j: i j ):(z1[i] Æ z1[j]) • Small model results: • M depends mainly on quantifier structure of GN and T • Example: if T has one universal and GN has two, then M = 2b+3
Abstract domain for invisible invariants L is the formulas of the form 8 i,j2[1..N] , where is a QF formula over R-atoms. In other words, L is our class of generalizations Invisible invariants and AI • A logical language L provides an abstract domain • The semantics of L is given by the concretization function : L! 2S • Assuming L is finite and Æ-closed, we have an abstract function: (S) = Æ { 2L | S µ() } That is, (s) is the most we can say about set s in L
For a set S of states of the N-process system, we have N(s) = {2 R-minterms | s ²9 i,j. } N = 8 i,j. Çs2 SN(s) Note computing N involves finitely many evaluations Abstraction function • The project-and-generalize operation computes the abstraction function • An R-minterm is a conjunctions of literals over R-atoms • Every R-atom occurs exactly once • Think of as a truth assignment to the R-atoms • Think of as a local state, for a pair of processes (i,j) Example: i j Æ z1[i] Æ: z1[j]
GN N N N N N N N N = ¶ ¶ fixpoint = RN GN GN SMT N if N >= M Invisible invariant construction • We construct the invariant guess by reachability and abstraction • Testing the invariant guess
t# t# t# t# = fixpoint Invariant by AI • Abstract transformer # # is difficult to compute because of unbounded quantifier • Compute strongest inductive invariant in L For our particular L, this is called Indexed Predicate Abstraction
t# t#N N N N Under-approximation • Amir’s idea of generalizing finite instances suggests we can under-approximate the best abstract transformer # SMT implies that for N >= M, that # and #N are equivalent! • This has two consequences • For N >= M, we can compute # exactly by finite-state methods, without using a theorem prover. • For N < M, we might still reach a fixed point that is inductive for all N...
lfp(#) t# t# t# A if fp of # then = N N N N N N N N N lfp(#N) B N N N N N N N if fp of #N then = N(lfp(N)) C N Three methods
N natural > 1 x1,...,xaboolean y1,...,yb [1..N] z1,...,zcarray [1..N] of boolean p1,...,pdarray [1..N] of 1..N V = Pointers! Shape analysis • Allow the following variables: • Add a reachability predicate reap(i,j) Example: 8 i: reap(y1,i) ) z1[i] • Allows abstraction of linked lists • Small model results possible for limited cases • But if not, can apply theorem prover to test invariance
py reay reay px reax reax reax reax null ... N might allow just N concrete nodes for each summary node Canonical shape graphs • Plans A, B or C can be used for any abstract domain L • We only need to define the finite concretization N • For example, N might generate only concrete heaps to size N • Each canonical graph corresponds to a logical formula [YRSW2003] • We can test inductiveness using a theorem prover
t# ‘ A ’ Use model-generating prover to compute samples violating ’ N N N ‘ B N N These methods require the theorem prover to be called just once to test the fixpoint. Of course, the test may fail. Use SAT solver to compute bounded samples violating ’ Compute all bounded concrete heaps (symbolically?) then abstract C N ... Invisible shape graphs?
Conclusion • Invisible invariants suggest a general approach to abstract interpretation based on two ideas: • Under-approximations can yield over-approximations at the fixed point • This is a bit mysterious, but observationally true • Computing the fixed point with under-approximations can use more light-weight methods • For example, BDD-based model checking instead of a theorem prover • To verify fixed point, need either an SMT or a theorem prover (but just once!) Invisible invariants give a less reliable but much less expensive way to compute the least fixed point for a given abstract domain.