Evidence-Based Verification Evidence-Based Model Checking Li Tan, Rance Cleaveland Presented by Arnab Ray Computer Science Department Stony Brook July 2002
Evidence-Based Verification Outline 1. Motivations. 2. Checker-independent evidence for model checking. 3. Post-model-checking analyses based on the evidence. 1. Efficiently certifying model-checking Result. 2. Generating diagnostic information. 3. Evaluating the quality of model-checking process. 4. A prototype on the Concurrency Workbench (CWB- NC).
Evidence-Based Verification Model Checking Model Checking: whether or not a transition system satisfies a temporal property. Model checker works as a decision procedure for the problem. "Yes/No" may not satisfy users. Why does my design go wrong? Could my design satisfy property trivially? Can I trust the verification result?
Evidence-Based Verification Problems with Traditional Diagnostic Generation Diagnosis is about understanding the result, A diagnostic routine may, Perform its own reasoning, or, Reuse the proof already computed by a checker. Diagnostic routine is tightly geared to the structure of checkers. Implementation requires the understanding of checkers. Migrating a diag. routine onto another checker often requires major changes on both diag. routine and checker. Proof used for one diagnostic schema may not be used for a different schema. No additional checking on model-checking result.
Evidence-Based Verification Evidence-Based Model Checking Checker 1Checker n Verifier Diagnostic Schema 1 Invalid Proof Checker 2 Diagnostic Schema 2 Diagnostic Schema m … … Portable Proof of Correctness Let the result carry its own proof
Evidence-Based Verification The General Framework Defining an abstract proof structures(APS) as checker- independent evidence. APS encodes the proof structures of different checkers in a standard form. APS carries the evidence to justify the result. Extracting APS from existing checkers. Utilizing APS to perform diagnoses. Certifying verification result. Generating diagnostic information. Evaluating the quality of verification process.
Evidence-Based Verification Searching for APS APS should be extracted from existing checkers. The extraction should not affect the complexities of checkers. The consistency of APS should be verified efficiently. The complexities of certifying APS should not exceed the complexities of checkers producing it. APS should be abstract enough to save the space APS should be rich enough for supporting a variety of diagnoses.
Evidence-Based Verification Introducing APS by case study
Evidence-Based Verification Boolean Equation System=System + Temporal Property E= +T:
Evidence-Based Verification Boolean Equation System=System + Temporal Property E= +T:
Evidence-Based Verification Equation System: Semantics [ E ]: H X ! H X is a function on environments
Evidence-Based Verification
Boolean (Fixpoint) Equation System Syntax, H={ {0, 1},< } is the Boolean lattice H. 2 2 X can be viewed as a set. E is closed if X 2 X i also appears as a left side variable. [ E ]( 1 )=[ E ]( 2 ) for any 1, 2 2 H X. Denote [ E ] for [ E ]( ) [ E ](X) assigns X a Boolean value.
Evidence-Based Verification Model Checking via BES BES E = Kripke structure T+ Property E is closed. A variable X in BES stands for $ h s, ’ i $. [ E ](X)=1 iff s ² T . Many checkers (implicitly) construct BESs. For -calculus checker, BES=T+ -calculus. For automaton-based checker, BES= parity automaton. E can be constructed on-the-fly.
Evidence-Based Verification Evaluating Equation System: an Example
Evidence-Based Verification Support Set
Evidence-Based Verification Support Set (Continue) By (a) and (b), support set implies a fixpoint solution for E. By (c), support set respects the definition of least/or greatest fixpoints. If r=1, no bad loop on. If r=0, no good loop on. Theorem 1 [TanCle02] Let = be a support set for E, then [ E ](X)=r.
Evidence-Based Verification Extracting Support Set The extraction is, practical. Support sets can be extracted from a wide range of existing checkers, Boolean-Graph algorithm [And92], Linear Alternation- Free algorithms[CleSte91], On-the-fly algorithms for full -calculus LAFP [LRS98] and SLP [TanCle02b], Automaton-based model checkers([BhaCle96a] and [KVW00]). efficient. The overhead doesn't exceed the original complexities of these checkers. simply. It only need have dependency relations recorded.
Evidence-Based Verification Application I: Certifying model-checking results Checking (a) and (b) can be done in linear time. Checking (c) can be reduced to even- loop problem (a nlogn problem[KKV01]). Model checking is a NP Å co-NP problem [EmeJutSis93]. The cost of certifying results < The cost of model checking.
Evidence-Based Verification Application II: model-checking game Semantics: decide [ E ](X 0 ) for E Two players: I (asserting [ E ](X 0 )=0) and II (asserting [ E ](X 0 )=1) A play is a sequence =X p0 X p1 such that X p0 =X 0 and if, ( pi X pi = ÇX ’ ) 2 E, then II chooses X pi+1 2 X ' ( pi X pi = ÆX ’ ) 2 E, then I chooses X pi+1 2 X ’ II wins iff, It's I's turn but I has no choice ( X '= ; ), or, The shallowest variable being visited infinitely often by is a -variable.
Evidence-Based Verification MC Game as a Diagnostic Routine MC game is a fair game. ([ E ])(X 0 )=1 ) II has a winning strategy. ([ E ])(X 0 )=0 ) I has a winning strategy. Two physical players: computer and user. When the model-checking result is, Yes ) The computer plays as II while the user as I. No ) The computer plays as I while the user as II. The user is always a loser if the MC result is correct and the computer uses the right strategy.
Evidence-Based Verification Constructing Winning Strategy for Computer Given h r, X 0, i as a support set for E The computer will keep the play =X p0 X p1 proceeding within support set: If r=1 and pi X pi = ÇX ’, then the computer (as II) chooses X pi+1 2 ( (X pi ) Å X '). If r=0 and pi X pi = ÆX ’, then the computer (as I) chooses X pi+1 2 ( (X pi ) Å X '). The strategy is feasible: (X pi ) is defined whenever X pi is the computer’s turn. The strategy is a winning strategy for the computer.
Evidence-Based Verification Evaluating Equation System: an Example
Evidence-Based Verification Application III: Evaluate the quality of MC A positive result may hide the problem T may pass AG(a ) AF b) trivially because a never occurs in T. Is there the status of a state (Minicoverage [CKV01]) or a subformula (Vacuity [KV99]) irrelevant to the result? Coverage problem of support set. Has support set covered all the states and properties?
Evidence-Based Verification Furture Work I: A Client-Server Model for Verification Server: checkers. There are many formulations for the input Support sets help standardize the output. Client: user interface, diagnostic generation, and evidence-verifier. Design Systems and Properties Abstract Proof Structures
Evidence-Based Verification Future Work II: Proof-Carrying Code Mobile code [Nec97] carries its own proof attesting to its safeness. Currently compilers are modified to produce the proof for a predefined set of safety rules. Integrate support-set-ready model checkers with compilers. Certifying compiler enjoy the richness of temporal logics.
Evidence-Based Verification A Prototype on CWB-NC
Evidence-Based Verification Conclusion C heckers produce abstract proof structures as evidence. APS is independent of checker. Extracting APS won't affect the complexities of checkers. APS justifies the correctness of result. APs attests to the quality of verification. A wide range of diagnostic information can be built on this evidence. APSs are defined for Model checking, Equiv. checking, and Preordering Checking.