Debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005.

Presentation transcript:

debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005

2 logical modeling
subject → model → analysis → feedback
hard? accurate? guarantees? scalable?

3 styles of logical modeling
operational models (model checking)
›prescriptive (how to build a tree)
›temporal properties
›state machines
›natural for hardware
declarative models
›descriptive (what a tree looks like)
›partial descriptions
›topological properties
›structured data
›natural for software
alloy language
›first order relational logic + transitive closure
›encodes to SAT

4 example: file system
module FileSystem
sig Object { parent: lone Dir }
sig Dir extends Object { contents: set Object }
sig File extends Object {}
one sig Root extends Dir {}
fact DefineContents { contents = ~parent }
fact Partioning { File + Dir = Object }
pred WellFormed () {
  no Root.parent
  all o: Object | o in Root.*contents
}
assert Acyclic {
  WellFormed() => all o: Object | o !in o.^contents
}
check Acyclic for 5
--no counterexample

5 logical modeling
subject → model → analysis → feedback
hard? accurate? guarantees? scalable?

6 logical modeling: alloy
subject → model → analysis → feedback
hard? accurate? guarantees? scalable?
alloy: arbitrary FOL, OO-like syntax, structured data; sat solvers, symmetry breaking; sound, scope-complete

7 logical modeling: alloy
subject → model → analysis → feedback
hard? accurate? guarantees? scalable?
alloy: arbitrary FOL, OO-like syntax, structured data; sat solvers, symmetry breaking; sound, scope-complete
Did you write the model you think you wrote?

8 2 types of errors
underconstraint – allow erroneous behaviors
›easy to identify
›easy to locate
›harmless if missed - stronger result!
overconstraint – disallow important behaviors
›hard to identify
›hard to locate
›dangerous if missed - may mask errors!
extreme: no behaviors violate the property because no behaviors exist (simple liveness)
dangerous case: missing only the error-revealing behaviors

9 harmless underconstraint
module FileSystem
sig Object { parent: lone Dir }
sig Dir extends Object { contents: set Object }
sig File extends Object {}
one sig Root extends Dir {}
fact DefineContents { contents = ~parent }
--fact Partioning { File + Dir = Object }
pred WellFormed () {
  no Root.parent
  all o: Object | o in Root.*contents
}
assert Acyclic {
  WellFormed() => all o: Object | o !in o.^contents
}
check Acyclic for 5
--no counterexample

10 relevant underconstraint
module FileSystem
sig Object { parent: lone Dir }
sig Dir extends Object { contents: set Object }
sig File extends Object {}
one sig Root extends Dir {}
fact DefineContents { contents = ~parent }
fact Partioning { File + Dir = Object }
pred WellFormed () {
  no Root.parent
  --all o: Object | o in Root.*contents
}
assert Acyclic {
  WellFormed() => all o: Object | o !in o.^contents
}
check Acyclic for 5
--counterexample !

11 relevant underconstraint (counterexample diagram): atoms Root_0 and Dir_0 (the Acyclic witness); edges labelled parent and contents

12 2 types of errors
underconstraint – allow erroneous behaviors
›easy to identify
›easy to locate
›harmless if missed - stronger result!
overconstraint – disallow important behaviors
›hard to identify
›hard to locate
›dangerous if missed - may mask errors!
extreme: no behaviors violate the property because no behaviors exist (simple liveness)
dangerous case: missing only the error-revealing behaviors

13 overconstraint
module FileSystem
sig Object { parent: one Dir }   -- was: lone Dir }
sig Dir extends Object { contents: set Object }
sig File extends Object {}
one sig Root extends Dir {}
fact DefineContents { contents = ~parent }
fact Partioning { File + Dir = Object }
pred WellFormed () {
  no Root.parent
  --all o: Object | o in Root.*contents
}
assert Acyclic {
  WellFormed() => all o: Object | o !in o.^contents
}
check Acyclic for 5
--no counterexample !

14 what would help?
when solutions exist
›an example explains why
when no solutions exist
›a proof explains why

15 what would help?
when solutions exist
›an example explains why
when no solutions exist
›a proof explains why
problem with proofs
›long & hard (1,000s of resolutions)
›in terms of CNF clauses
solution
›just what was used in the proof
›do so in terms the user can understand (use the text of the model)

16 extracted unsat core
module FileSystem
sig Object { parent: one Dir }   -- was: lone Dir }
sig Dir extends Object { contents: set Object }
sig File extends Object {}
one sig Root extends Dir {}
fact DefineContents { contents = ~parent }
fact Partioning { File + Dir = Object }
pred WellFormed () {
  no Root.parent
  --all o: Object | o in Root.*contents
}
assert Acyclic {
  WellFormed() => all o: Object | o !in o.^contents
}
check Acyclic for 5
--no counterexample !

17 core extraction
extracted unsat core
›subset of model
›sufficient to rule out solutions
›changing rest of model leaves it unsat
›double checks user's intuition
guarantee: Altering non-core portions of an unsatisfiable model in a syntactically valid manner will leave the model unsatisfiable.

18–27 algorithm (one diagram, built up over slides 18–27)
user's view: constraint language, e.g. … (a - b) in b …
AST of user's model: nodes a, b, b, in, -
convert → CNF clauses: (b3) ∧ (b1 ∨ ~b2 ∨ b3) ∧ (b1 ∨ ~b3 ∨ b4) ∧ (~b1 ∨ b2) ∧ (b1 ∨ ~b3) ∧ (~b1 ∨ ~b2) ∧ …
analyze / solve: SAT solver → "unsatisfiable"
extract core: CNF core (a subset of the clauses)
map back → highlighted AST (the core shown on the user's model)
alter AST → altered AST, e.g. … (c - b) in b …
convert → CNF clauses: (b3) ∧ (b1 ∨ ~b2 ∨ b3) ∧ (b5 ∨ ~b6 ∨ b7) ∧ (~b1 ∨ b2) ∧ (b1 ∨ ~b3) ∧ (~b1 ∨ ~b2) ∧ … (a superset of the CNF core)
analyze: SAT solver

28 complications
shared subformulae
›important optimization
›may cause larger core
›can often be trimmed
core may not be minimal
›iterate to fixed point
›usually locally minimal
core is not unique
›a different (smaller) core could exist
requires node-by-node translation
›one CNF variable per node
›clauses for different nodes are independent
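Worked example of the algorithm on slides 18–27 and the complications on slide 28, added here and not the Alloy Analyzer's own code: a propositional, Tseitin-style translation with one CNF variable per node and a clause-to-constraint tag for map-back, a small DPLL solver, deletion-based core extraction, and a check of the slide-17 guarantee. The MODEL dictionary, its atom names and all helper names are constructed; the Alloy text used as keys is the slide-13 model reduced to propositions.

```python
# Added example (not the Alloy Analyzer's code); MODEL is a constructed sketch of slide 13.
from itertools import count
def translate(constraints):
    """Tseitin-style, one CNF variable per AST node; clauses are tagged with their constraint's text."""
    ids, atoms, tagged = count(1), {}, {}
    def lit(node, out):
        if node[0] == "var":
            return atoms.setdefault(node[1], next(ids))  # atoms shared; skipped ids are harmless
        if node[0] == "not":
            return -lit(node[1], out)
        a, b, v = lit(node[1], out), lit(node[2], out), next(ids)
        # a node's clauses mention only v and its children, so nodes are independent
        out += [[-v, a], [-v, b], [v, -a, -b]] if node[0] == "and" else [[-v, a, b], [v, -a], [v, -b]]
        return v
    for text, tree in constraints.items():
        tagged[text] = out = []
        out.append([lit(tree, out)])  # the constraint must hold: unit clause on its root node
    return tagged

def sat(clauses):
    """Minimal DPLL (unit propagation plus branching): True iff the CNF is satisfiable."""
    if not clauses or [] in clauses:
        return [] not in clauses  # no clauses left: satisfied; an empty clause: falsified
    unit = next((c for c in clauses if len(c) == 1), None)
    l = unit[0] if unit else clauses[0][0]
    assign = lambda x: [[y for y in c if y != -x] for c in clauses if x not in c]
    return sat(assign(l)) or (unit is None and sat(assign(-l)))

def extract_core(model):
    """Deletion-based core: drop each constraint whose removal keeps the CNF unsat. One pass is a
    fixed point (dropping clauses never hurts satisfiability); as on slide 28, minimal but not unique."""
    flat = lambda d: [c for cs in d.values() for c in cs]
    core = translate(model)
    assert not sat(flat(core)), "satisfiable: show an instance, there is no proof to explain"
    for text in list(core):
        trial = {t: cs for t, cs in core.items() if t != text}
        if not sat(flat(trial)):
            core = trial
    return sorted(core)  # the model text the user would see highlighted

V = lambda name: ("var", name)
MODEL = {"sig Object { parent: one Dir }": V("root_has_parent"),  # 'one' forces a parent ...
         "no Root.parent": ("not", V("root_has_parent")),        # ... WellFormed forbids one
         "all o: Object | o in Root.*contents": ("or", V("d0_reachable"), V("f0_reachable")),
         "fact DefineContents { contents = ~parent }": ("and", V("d0_reachable"), ("not", V("f0_own_parent")))}
def still_unsat_after_altering_non_core(model=MODEL):
    """Slide 17's guarantee: rewriting every constraint outside the core leaves the model unsat."""
    core = extract_core(model)
    altered = {t: tree if t in core else ("or", V("p"), V("q")) for t, tree in model.items()}
    return not sat([c for cs in translate(altered).values() for c in cs])
```

The core comes back as the two lines of model text that contradict each other, while the reachability and DefineContents constraints drop out exactly as a non-core portion should.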

29 case studies
logs of common errors
›'dumb bugs'
›all languages have them
›time consuming in practice
›core extraction often nails them
major case studies
›known, subtle bugs
›iolus - secure multi-casting: core extraction revealed the bug's location
›firewire - 'tree identify' protocol: core extraction helped narrow down the bug's location

30 key related work
vacuity testing by model checkers
›(Beer '01, Chockler '01, Kupferman '99, Vardi '03)
›modal logic in particular form
›focus on property not model
›cannot pinpoint model subsets
responsibility
›(Chockler)
›relative importance of subformulae
›analogous to the number of cores a formula is in
procedure call abstraction
›uses unsat core in refinement step

31 conclusions
contributions
›filled a hole in declarative modeling tools
›mapped proof contents to something meaningful
›proof of correctness
›case studies
Shlyakhter, Seater, Jackson, Sridharan, Taghdiri. Debugging Declarative Models Using Unsatisfiable Cores. Automated Software Engineering (ASE), (best paper award)