CS 267: Automated Verification Lecture 17: Infinite State Model Checking, Arithmetic Constraints, Action Language Verifier Instructor: Tevfik Bultan

Model Checking View Every reactive system is represented as a transition system: – S : The set of states – I  S : The set of initial states – R  S  S : The transition relation

Model Checking View Properties of reactive systems are expressed in temporal logics Invariant(p) : is true in a state if property p is true in every state reachable from that state –Also known as AG Eventually(p) : is true in a state if property p is true at some state on every execution path from that state –Also known as AF

Model Checking Given a program and a temporal property p: Either show that all the initial states satisfy the temporal property p –set of initial states  truth set of p Or find an initial state which does not satisfy the property p –a state  set of initial states  truth set of  p

Invariant(p) pppp Initialstates initial states that violate Invariant(p) Backwardfixpoint Forwardfixpoint Initialstates states that can reach  p i.e., states that violate Invariant(p) reachable states of the system pppp backwardImage of  p of  p reachable states that violate p forward image of initial states Temporal Properties  Fixpoints

Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas Forward and backward fixpoints can be computed by iteratively manipulating these formulas –Forward, backward image: Existential variable elimination –Conjunction (intersection), disjunction (union) and negation (set difference), and equivalence check Use an efficient data structure for manipulation of Boolean logic formulas –BDDs

Symbolic Model Checking What do you need to compute fixpoints? Symbolic Conjunction(Symbolic,Symbolic) Symbolic Disjunction(Symbolic,Symbolic) Symbolic Negation(Symbolic) BooleanEquivalenceCheck(Symbolic,Symbolic) Symbolic Precondition(Symbolic) Precondition (i.e., EX) computation is handled by: –variable renaming, followed by conjunction, followed by existential variable elimination BDDs support all these operations!

Infinite State Model Checking Use a symbolic representation that is capable of representing infinite sets and supports the following functionality: Symbolic Conjunction(Symbolic,Symbolic) Symbolic Disjunction(Symbolic,Symbolic) Symbolic Negation(Symbolic) BooleanEquivalenceCheck(Symbolic,Symbolic) Symbolic Precondition(Symbolic) Compute fixpoints using the infinite state symbolic representation –Warning: Fixpoints are not guaranteed to converge!

Constraint-Based Verification Can we use linear arithmetic constraints as a symbolic representation? –Required functionality Disjunction, conjunction, negation, equivalence checking, existential variable elimination Advantages: –Arithmetic constraints can represent infinite sets –Heuristics based on arithmetic constraints can be used to accelerate fixpoint computations Widening, loop-closures

Linear Arithmetic Constraints Can be used to represent sets of valuations of unbounded integers Linear integer arithmetic formulas can be stored as a set of polyhedra c kl is a linear equality or inequality constraint and each where each c kl is a linear equality or inequality constraint and each is a polyhedron

Linear Arithmetic Constraints Disjunction complexity: linear Conjunction complexity: quadratic Negation complexity: can be exponential –Because of the disjunctive representation Equivalence checking complexity: can be exponential –Uses existential variable elimination Image computation complexity: can be exponential –Uses existential variable elimination –Existential variable elimination can be done by extending Fourier-Motzkin variable elimination to integers

What About Using BDDs for Encoding Arithmetic Constraints? Arithmetic constraints on bounded integer variables can be represented using BDDs Use a binary encoding –represent integer x as x 0 x 1 x 2... x k –where x 0, x 1, x 2,..., x k are binary variables You have to be careful about the variable ordering!

Arithmetic Constraints on Bounded Integer Variables BDDs and constraint representations are both applicable Which one is better?

smv: SMV smv+co: SMV with William Chan’s interleaved variable ordering omc: My model checker based on Omega Library Intel Pentium PC (500MHz, 128MByte main memory) AG(!(pc1=cs && pc2=cs))

AG(cinchair>=cleave && bavail>=bbusy>=bdone && cinchair<=bavail && bbusy<=cinchair && cleave<=bdone)

AG(produced-consumed= size-available && 0<=available<=size)

Arithmetic Constraints vs. BDDs Constraint based verification can be more efficient than BDDs for integers with large domains BDD-based verification is more robust Constraint based approach does not scale well when there are boolean or enumerated variables in the specification Constraint based verification can be used to automatically verify infinite state systems –cannot be done using BDDs Price of infinity –CTL model checking becomes undecidable

Which Symbolic Representation to Use? BDDs canonical and efficient representation for Boolean logic formulas can only encode finite sets Linear Arithmetic Constraints can encode infinite sets two representations –polyhedral representation –automata representation mapping booleans to integers is not an efficient encoding F F F T T x  y  {(T,T), (T,F), (F,T)} a > 0  b = a+1  {(1,2), (2,3), (3,4),...} T x y

Is There a Better Way? Each symbolic representation has its own deficiencies BDD’s cannot represent infinite sets Linear arithmetic constraint representations are expensive to manipulate –Mapping boolean variables to integers does not scale –Eliminating boolean variables by partitioning the state- space does not scale

Composite Model Checking Each variable type is mapped to a symbolic representation type –Map boolean and enumerated types to BDD representation –Map integer type to arithmetic constraint representation Conjunctively partition atomic actions based on the symbolic representation type Use a disjunctive representation to combine symbolic representations Sets of states and transitions are represented using this disjunctive representation Set operations and image computations are performed on this disjunctive representation

Composite Model Checking [Bultan, Gerber, League ISSTA 98, TOSEM 00] Map each variable type to a symbolic representation –Map boolean and enumerated types to BDD representation –Map integer type to a linear arithmetic constraint representation Use a disjunctive representation to combine different symbolic representations: composite representation Each disjunct is a conjunction of formulas represented by different symbolic representations –we call each disjunct a composite atom

Composite Representation symbolic rep. 1 symbolic rep. 2 symbolic rep. t composite atom Example: x: integer, y: boolean x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y arithmetic constraint representation BDD arithmetic constraint representation BDD

Composite Symbolic Library [Yavuz-Kahveci, Tuncer, Bultan TACAS01], [Yavuz-Kahveci, Bultan FroCos 02, STTT 03] Uses a common interface for each symbolic representation Easy to extend with new symbolic representations Enables polymorphic verification Multiple symbolic representations: –As a BDD library we use Colorado University Decision Diagram Package (CUDD) [Somenzi et al] –As an integer constraint manipulator we use Omega Library [Pugh et al]

Composite Symbolic Library Class Diagram CUDD LibraryOMEGA Library Symbolic +intersect() +union() +complement() +isSatisfiable() +isSubset() +pre() +post() CompSym –representation: list of comAtom +intersect() + union() BoolSym –representation: BDD +intersect() +union() IntSym –representation: Polyhedra +intersect() +union() compAtom –atom: *Symbolic

Pre and Post-condition Computation Variables: x: integer, y: boolean Transition relation: R: x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y Set of states: s: x=2 and !y or x=0 and !y Compute post(s,R)

Pre and Post-condition Distribute R: x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y s: x=2 and !y or x=0 and y post(s,R) = post( x=2, x>0 and x´  x-1 )  post( !y, y´ ) x=1 y  post( x=2, x<=0 and x´  x )  post ( !y, y´  y ) false !y  post( x=0, x>0 and x´  x-1 )  post( y, y´ ) false y  post ( x=0, x<=0 and x´  x )  post ( y, y´  y ) x=0 y = x=1 and y or x=0 and y

Polymorphic Verifier Symbolic TranSys::check(Node *f) { Symbolic s = check(f.left) case EX: s.pre(transRelation) case EF: do sold = s s.pre(transRelation) s.union(sold) while not sold.isEqual(s) }  Action Language Verifier is polymorphic  It becomes a BDD based model checker when there or no integer variables

Fixpoints May Not Converge Integer variables can increase without a bound –state space is infinite Model checking is undecidable for systems with unbounded integer variables We use conservative approximations

Conservative Approximations Compute a lower ( p  ) or an upper ( p + ) approximation to the truth set of the property ( p ) Action Language Verifier can give three answers: I p pppp 1) “The property is satisfied” I p 3) “I don’t know” 2) “The property is false and here is a counter-example” I p  p p p p sates which violate the property p+p+p+p+ pppp

Conservative Approximations Truncated fixpoint computations –To compute a lower bound for a least-fixpoint computation –Stop after a fixed number of iterations Widening –To compute an upper bound for the least-fixpoint computation –We use a generalization of the polyhedra widening operator by [Cousot and Halbwachs POPL’77]

Widening Widening operation with composite representation: –Given two composite atoms c 1 and c 2 in consecutive fixpoint iterates, assume that c 1 = b 1  i 1 c 2 = b 2  i 2 where b 1 = b 2 and i 1  i 2 Assume that i 1 is a single polyhedron and i 2 is also a single polyhedron We find pairs of composite atoms which satisfy this criteria

Widening Assuming that i 1 and i 2 are conjunctions of atomic constraints (i.e., polyhedra), then i 1  i 2 is defined as: all the constraints in i 1 which are also satisfied by i 2 Example: i 1 = 0  count  count  2 i 2 = 0  count  count  3 i 1  i 2 = 0  count Replace i 2 with i 1  i 2 in c 2 This generates an upper approximation for the least fixpoint computation This constraint is not satisfied by i 2 so we drop it

Composite Symbolic Library with Automata Encoding OMEGA Library Symbolic +union() +isSatisfiable() +isSubset() +forwardImage() CompSym –representation: list of comAtom + union() compAtom –atom: *Symbolic IntSymAuto –representation: automaton +union() IntSym –representation: list of Polyhedra +union() CUDD Library BoolSym –representation: BDD +union() MONA IntBoolSymAuto –representation: automaton +union()

Automata Representation for Arithmetic Constraints [Bartzis, Bultan CIAA’02, IJFCS ’02] Given an atomic linear arithmetic constraint in one of the following two forms we construct an FA which accepts all the solutions to the given constraint By combining such automata one can handle full Presburger arithmetic

Basic Construction We first construct a basic state machine which –Reads one bit of each variable at each step, starting from the least significant bits –and executes bitwise binary addition and stores the carry in each step in its state / /101/1 1 / / / 1 11/011/0 00/100/1 Example x + 2y  /001/0 1 0 / 0 Number of states:

Automaton Construction Equality With 0 –All transitions writing 1 go to a sink state –State labeled 0 is the only accepting state –For disequations (  ), state labeled 0 is the only rejecting state Inequality (<0) –States with negative carries are accepting –No sink state Non-zero Constant Term c –Same as before, but now -c is the initial state –If there is no such state, create one (and possibly some intermediate states which can increase the size by |c|)

Conjunction and Disjunction ,1, , ,1,1 Automaton for x-y< , , ,0,1 1 0, Automaton for 2x-y> , , , , , Automaton for x-y 0 -1,-1 0,-1 -2,-1 -1,0 -2,0-2,1 Conjunction and disjunction is handled by generating the product automaton

Other Extensions Existential quantification (necessary for pre and post) –Project the quantified variables away –The resulting FA is non-deterministic Determinization may result in exponential blowup of the FA size but we do not observe this in practice –For universal quantification use negation Constraints on all integers –Use 2’s complement arithmetic –The basic construction is the same –In the worst case the size doubles

Experiments We implemented these algorithms using MONA [Klarlund et al] Integrated them to the Action Language Verifier We verified a large number of specification examples We compared our representation against –the polyhedral representation used in the Omega library –the automata representation used in LASH we also integrated LASH to the Composite Symbolic Library using a wrapper around it

Experimental results

Action Language Tool Set Action Language Parser Verifier OmegaLibraryCUDDPackage MONA Composite Symbolic Library PresburgerArithmeticManipulatorBDDManipulatorAutomataManipulator Action Language Specification Verified Counter example

Action Language [Bultan, ICSE 00], [Bultan, Yavuz-Kahveci, ASE 01] A state based language –Actions correspond to state changes States correspond to valuations of variables –boolean –enumerated –integer (possibly unbounded) –heap variables (i.e., pointers) Parameterized constants –specifications are verified for every possible value of the constant

Action Language Transition relation is defined using actions –Atomic actions: Predicates on current and next state variables –Action composition: asynchronous (|) or synchronous (&) Modular –Modules can have submodules –A module is defined as asynchronous and/or synchronous compositions of its actions and submodules

Actions in Action Language Atomic actions: Predicates on current and next state variables –Current state variables: reading, nr, busy –Next state variables: reading’, nr’, busy’ –Logical operators: not (!) and (&&) or (||) –Equality: = (for all variable types) –Linear arithmetic:, >=, <=, +, * (by a constant) An atomic action: !reading and !busy and nr’=nr+1 and reading’

Readers-Writers Example module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module Reader() boolean reading; initial: !reading; rEnter: !reading and !busy and nr’=nr+1 and reading’; rExit: reading and !reading’ and nr’=nr-1; Reader: rEnter | rExit; endmodule module Writer() boolean writing; initial: !writing; wEnter: !writing and nr=0 and !busy and busy’ and writing’; wExit: writing and !writing’ and !busy’; Writer: wEnter | wExit; endmodule main: Reader() | Reader() | Writer() | Writer(); spec: invariant(busy => nr=0) endmodule

Readers Writers Example: A Closer Look module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module Reader() boolean reading; initial: !reading; rEnter: !reading and !busy and nr’=nr+1 and reading’; rExit: reading and !reading’ and nr’=nr-1; Reader: rEnter | rExit; endmodule module Writer()... endmodule main: Reader() | Reader() | Writer() | Writer(); spec: invariant(busy => nr=0) endmodule S : Cartesian product of variable domains defines variable domains defines the set of states the set of states I : Predicates defining the initial states the initial states R : Atomic actions of the Reader Reader R : Transition relation of Reader defined as asynchronous composition of its atomic actions R : Transition relation of main defined as asynchronous composition of two Reader and two Writer processes

Asynchronous Composition Asynchronous composition is equivalent to disjunction if composed actions have the same next state variables a1: i > 0 and i’ = i + 1; a2: i <= 0 and i’ = i – 1; a3: a1 | a2 is equivalent to a3: (i > 0 and i’ = i + 1) or (i <= 0 and i’ = i – 1);

Asynchronous Composition Asynchronous composition preserves values of variables which are not explicitly updated a1 : i > j and i’ = j; a2 : i <= j and j’ = i; a3 : a1 | a2; is equivalent to a3 : (i > j and i’ = j) and j’ = j or (i <= j and j’ = i) and i’ = i

Synchronous Composition Synchronous composition is equivalent to conjunction if two actions do not disable each other a1: i’ = i + 1; a2: j’ = j + 1; a3: a1 & a2; is equivalent to a3: i’ = i + 1 and j’ = j + 1;

Synchronous Composition A disabled action does not block synchronous composition a1: i < max and i’ = i + 1; a2: j < max and j’ = j + 1; a3: a1 & a2; is equivalent to a3: (i = max & i’ = i) and (j = max & j’ = j);

Arbitrary Number of Threads Counting abstraction –Create an integer variable for each local state of a thread –Each variable will count the number of threads in a particular state Local states of the threads have to be finite –Specify only the thread behavior that relates to the correctness of the controller –Shared variables of the controller can be unbounded Counting abstraction can be automated

Readers-Writers After Counting Abstraction module main() integer nr; boolean busy; parameterized integer numReader, numWriter; restrict: nr>=0 and numReader>=0 and numWriter>=0; initial: nr=0 and !busy; module Reader() integer readingF, readingT; initial: readingF=numReader and readingT=0; rEnter: readingF>0 and !busy and nr’=nr+1 and readingF’=readingF-1 and readingT’=readingT+1; rExit: readingT>0 and nr’=nr-1 readingT’=readingT-1 and readingF’=readingF+1; Reader: rEnter | rExit; endmodule module Writer()... endmodule main: Reader() | Writer(); spec: invariant([busy => nr=0]) endmodule Variables introduced by the counting abstractions Parameterized constants introduced by the counting abstractions

Verification of Readers-Writers Controller IntegersBooleansCons. Time (secs.) Ver. Time (secs.) Memory (Mbytes) RW RW RW RW RW RW-P SUN ULTRA 10 (768 Mbyte main memory)

A simplified model of Seattle Tacoma International Airport from [Zhong 97] Example: Airport Ground Traffic Control

Action Language Specification module main() integer numRW16R, numRW16L, numC3,...; initial: numRW16R=0 and numRW16L=0 and...; module Airplane() enumerated pc {arFlow, touchDown, parked, depFlow, taxiTo16LC3,..., taxiFr16LB2,..., takeoff}; initial: pc=arFlow or pc=parked; reqLand: pc=arFlow and numRW16R=0 and pc’=touchDown and numRW16R’=numRW16R+1; exitRW3: pc =touchDown and numC3=0 and numC3’=numC3+1 and numRW16R’=numRW16R-1 and pc’=taxiTo16LC3;... Airplane: reqLand | exitRW3 |...; endmodule main: AirPlane() | Airplane() | Airplane() |....; spec: AG(numRW16R  1 and numRW16L  1) spec: AG(numC3  1) spec: AG((numRW16L=0 and numC3+numC4+...+numC8>0) => AX(numRW16L=0)) endmodule

Airport Ground Traffic Control Action Language specification –Has 13 integer variables –Has 6 Boolean variables per airplane process to keep the local state of each airplane –20 actions per airplane

Experiments ProcessesConstruction(sec)Verify-P1(sec)Verify-P2(sec)Verify-P3(sec) A,PD A,PD A,PD A,PD PA,2D PA,4D PA,8D PA,16D PA,PD A: Arriving Airplane D: Departing Airplane P: Arbitrary number of threads

Heap Type [Yavuz-Kahveci, Bultan SAS 02] Heap type in Action Language heap {next} top; Heap type represents dynamically allocated storage top’=new; We need to add a symbolic representation for the heap type to the Composite Symbolic Library numItems > 2 => top.next != null

Concurrent Stack module main() heap {next} top, add, get, newTop; boolean mutex; integer numItems; initial: top=null and mutex and numItems=0; module push() enumerated pc {l1, l2, l3, l4}; initial: pc=l1 and add=null; push1: pc=l1 and mutex and !mutex’ and add’=new and pc’=l2; push2: pc=l2 and numItems=0 and top’=add and numItems’=1 and pc’=l3; push3: pc=l3 and top’.next =null and mutex’ and pc’=l1; push4: pc=l2 and numItems!=0 and add’.next=top and pc’=l4; push5: pc=l4 and top’=add and numItems’=numItems+1 and mutex’ and pc’=l1; push: push1 | push2 | push3 | push4 | push5; endmodule module pop()... endmodule main: pop() | pop() | push() | push() ; spec:AG(mutex =>(numItems=0 top=null)) spec: AG(mutex => (numItems>2 => top->next!=null)) endmodule

Shape Graphs Shape graphs represent the states of the heap Each node in the shape graph represents a dynamically allocated memory location Heap variables point to nodes of the shape graph The edges between the nodes show the locations pointed by the fields of the nodes add top next next n1n2 heap variables add and top point to node n1 add.next is node n2 top.next is also node n2 add.next.next is null

Composite Symbolic Library: Further Extended CUDD LibraryOMEGA Library Symbolic +union() +isSatisfiable() +isSubset() +forwardImage() CompSym –representation: list of comAtom + union() BoolSym –representation: BDD +union() compAtom –atom: *Symbolic HeapSym –representation: list of ShapeGraph +union() IntSym –representation: list of Polyhedra +union() ShapeGraph –atom: *Symbolic

Forward Fixpoint pc=l1  mutex numItems=2 add top   pc=l2   mutex  numItems=2 addtopBDD arithmetic constraint representation A set of shape graphs  pc=l4   mutex  numItems=2  addtop  pc=l1  mutex  numItems=3  addtop

Post-condition Computation: Example pc=l4   mutex  numItems=2  addtop pc=l4 and mutex’ pc’=l1 pc=l1  mutex numItems’=numItems+1  numItems=3 top’=add   addtop set of states transitionrelation

Again: Fixpoints Do Not Converge We have two reasons for non-termination –integer variables can increase without a bound –the number of nodes in the shape graphs can increase without a bound As I mentioned earlier, we use widening on integer variables to achieve convergence For heap variables we use the summarization operation

Summarization The nodes that form a chain are mapped to a summary node No heap variable points to any concrete node that is mapped to a summary node Each concrete node mapped to a summary node is only pointed by a concrete node which is also mapped to the same summary node During summarization, we also introduce an integer variable which counts the number of concrete nodes mapped to a summary node

Summarization Example pc=l1  mutex numItems=3 add top   pc=l1  mutex numItems=3  summarycount=2 add top  summary node a new integer variable representing the number of concrete nodes encoded by the summary node After summarization, it becomes: summarized nodes

Simplification pc=l1  mutex  numItems=3  summaryCount=2 addtop pc=l1  mutex add top   numItems=4  summaryCount=3  = pc=l1  mutex add top   (numItems=4  summaryCount=3  numItems=3  summarycount=2)

Simplification On the Integer Part pc=l1  mutex add top   (numItems=4  summaryCount=3  numItems=3  summaryCount=2) = pc=l1  mutex add top  numItems=summaryCount+1  3  numItems  numItems  4

Then We Use Integer Widening pc=l1  mutex add top  numItems=summaryCount+1  3  numItems  numItems  4 pc=l1  mutex add top  numItems=summaryCount+1  3  numItems  numItems  5  pc=l1  mutex add top  numItems=summaryCount+1  3  numItems = Now, fixpoint converges

Verified Properties SpecificationVerified Invariants Stack top=null  numItems=0 top  null  numItems  0 numItems=2  top.next  null Single Lock Queue head=null  numItems=0 head  null  numItems  0 (head=tail  head  null)  numItems=1 head  tail  numItems  0 Two Lock Queue numItems>1  head  tail numItems>2  head.next  tail

Experimental Results Number of Threads Queue HC Queue IC Stack HC Stack IC 2Lock Queue HC 2Lock Queue IC 1P-1C P-2C P-4C  1P-PC  PP-1C  HC : heap control IC : integer control Verification times in secs

Verifying Linked Lists with Multiple Fields Pattern-based summarization –User provides a graph grammar rule to describe the summarization pattern L x = next x y, prev y x, L y Represent any maximal sub-graph that matches the pattern with a summary node –no node in the sub-graph pointed by a heap variable

Summarization Pattern Examples... nnn L x  x.n = y, L y... nnn L x  x.n = y, y.p = x, L y ppp L x  x.n = y, x.d = z, L y... nnn d d d