11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University

22 Outline Motivation Predicate Abstraction Predicate Discovery Application to AODV Conclusion

33 Motivation Easy verification of infinite state systems

44 Simple Mutual Exclusion Protocol A trivial example to illustrate concepts Clients communicate with server via asynchronous messages Three kinds of messages: –REQUEST –GRANT –RELEASE Infinite state Unbounded message queue Any number of clients

55 Protocol Steps cs[i]=false cs[i]:=true cs[i]:=false granted=false granted:=true current:=i granted:=false REQUEST(i) GRANT(i) RELEASE(i) Client Variables cs:array of boolean Server Variables granted:boolean; current:integer; Queue Variables Q.type:array of enum; Q.node:array of integer;

66 Verification Condition For distinct nodes, a and b prove that,  cs[a] /\ cs[b] )

77 Outline Motivation Predicate Abstraction Predicate Discovery Application to AODV Conclusion

88 Abstraction A finite set of predicates defines the abstraction Abstraction is conservative Concrete Abstract   Predicates: bit 1 : cs[a] bit 2 : cs[b] [00] cs = x. false Q.type = x. EMPTY granted = true cs = x. false Q.type = x. EMPTY granted = false

99 Abstraction (contd) Abstract transition relation is conservative Abstract next states must contain all concrete successors And possibly more states RARA Abstract Concrete RCRC s t x y   Example Let s=[10] and t=[11]  (s) contains a state where a GRANT(b) message is in queue So we have abstract transition from s to t! Predicates: bit 1 : cs[a] bit 2 : cs[b]

1010 Abstract Counter-Example If model checking fails an abstract counter-example produced Concrete transitions are present for each pair of consecutive abstract states But concrete counter-example may not be present! x y’ z y’’    Abstract Concrete Real Trace Spurious Trace

1111 Tool Block Diagram Abstraction Module Model Checker CVC BDD System Predicates Property Predicate Generator Trace Checker CVC Proved!!! Abstract counter-example Concrete counter-example

1212 History of Predicate Abstraction Graf and Saidi CAV 97 Colon and Uribe CAV 98 Shankar and Saidi CAV 99 Das,Dill and Park CAV 99 Saidi and Lessens ENTCS 97 Das and Dill LICS 2001 SLAM Ball, Rajamani et al 2000-present Henzinger et al POPL 02 InVeSt CAV 98 Bensalem et al TACAS 01 Tiwari et al TACAS 01 Invariant Generation Software Model Checking And many more… Flanagan et al POPL 2002

1313 Outline Motivation Predicate Abstraction Predicate Discovery Application to AODV Conclusion

1414 Predicate Discovery Example Rejoin action after the first iteration Current predicates are: “a in critical section” cs[a] “b in critical section” cs[b] “At least one GRANT message”  x. Q.type[x] = GRANT xxx init Send GRANT Rec GRANT Is abstract trace spurious? Predicates: bit 1 : cs[a] bit 2 : cs[b] bit 3 :  x. Q.type[x] = GRANT

1515 Predicate Discovery Example (contd) xxx Rec GRANT Send GRANT init Minimal spurious trace found! Predicates: bit 1 : cs[a] bit 2 : cs[b] bit 3 :  x. Q.type[x] = GRANT

1616 Predicate Discovery Example (contd) Rec GRANT  cs[a]  cs[b] Q.type[m 1 ] = GRANT Q.type[m 2 ] = GRANT Q.node[m 2 ] = b m 1  m 2 These are the candidate predicates! Predicates: bit 1 : cs[a] bit 2 : cs[b] bit 3 :  x. Q.type[x] = GRANT 000

1717 Predicate Discovery Example (contd) Send GRANT  cs[a]  cs[b] Q.type[m 1 ] = GRANT Q.type[m 2 ] = GRANT Q.node[m 2 ] = b m 1  m 2 Predicate added:  m 1,m 2. Q.type[m 1 ]=GRANT /\ Q.type[m 2 ]=GRANT /\ m 1  m Predicates: bit 1 : cs[a] bit 2 : cs[b] bit 3 :  x. Q.type[x] = GRANT

1818 Predicate Discovery Algorithm Step 1. Check if abstract counter-example is spurious Step 2. If not spurious, concrete error trace has been found. Otherwise find a minimal spurious trace Step 3. Solve non-spurious tail to find candidate predicates that characterize the second state of the minimal spurious trace Step 4. Find a minimal set from these predicates to construct new predicates

1919 Outline Motivation Predicate Abstraction Predicate Discovery Application to AODV Conclusion

2020 AODV Example Ad-hoc On-demand Distance Vector (AODV) routing protocol. Nodes can dynamically enter or leave the system. Routes are maintained so that the nodes can communicate. Important that routing table does not have loops. The method automatically proves the loop-freeness of a simplified version of the protocol. Protocol was simplified by not modeling timeouts Protocol highlights: Routes are found by broadcasting request to neighbors Sequence number tracks route age Hop count tracks number of hops to destination

2121 AODV Example Proof obligation: If a’s next hop in route to c is b then either a’s sequence number is lower than that of b or the sequence numbers of a and b are the same but the hop count of a is higher than that of b Find predicates about messages present in the queue 20 predicates were found in 14 iterations before the proof was successfully completed a b c Message Queue

2222 Outline Motivation Predicate Abstraction Predicate Discovery Application to AODV Conclusion

2323 Weakest pre-condition based abstraction refinement is useful Future Work: Easily usable concrete error traces would aid debugging Better quantifier support would be nice Integration with other predicate generation schemes

2424 End

2525 Predicate Discovery (contd) Generalize abstract transition relation to test for spurious counter-example trace. Let counter-example trace be: s 1, s 2, … s M Concrete counter-example exists if, R C (x 1,x 2 ) /\ R C (x 2,x 3 ) /\ … /\ R C (x M-1,x M ) /\  (x 1 )=s 1 /\  (x 2 )=s 2 /\ … /\  (x M )=s M is satisfiable for some concrete states x 1, x 2, … x M Notice that checking for spuriousness turns into a validity check that we use CVC to carry out!

2626 Predicate Discovery (contd) Real Trace! s2s2 s4s4 s5s5 s3s3 Remove first state if the remainder is spurious Repeat till removing first state makes the remainder a real trace Do similar shortening at end of trace

2727 Predicate Discovery (contd) Solve for conditions that must hold for the partial trace corresponding to s 2, s 3, s 4, s 5. The conditions on the concrete state x 2 can be derived by finding a satisfying assignment for:  (x 2 )=s 2 /\  (x 3 )=s 3 /\  (x 4 )=s 4 /\  (x 5 )=s 5 /\ R C (x 2,x 3 ) /\ R C (x 3,x 4 ) /\ R C (x 4,x 5 ) Let the solution be the conjunction of predicates,    x 2 ),    x 2 ), …,  L (x 2 ) These are our candidate predicates!

2828 Predicate Discovery (contd) For the candidate predicates it must be the case,  1 (x 2 ) /\  2 (x 2 ) … /\  L (x 2 ) /\ R C (x 1,x 2 ) /\  (x 1 )=s 1 Is unsatisfiable for all x 1 and x 2. Find a minimal subset of predicates (say  1 and  2 in this case) such that,  1 (x 2 ) /\  2 (x 2 ) /\ R C (x 1,x 2 ) /\  (x 1 )=s 1 Is still unsatisfiable. Use  1 and  2 as predicates to refine the abstraction

2929 Related Work Predicate Abstraction Graf and Saidi in CAV 1997 Colon and Uribe in CAV 1998 Flanagan and Qadeer in POPL 2002 Counter-example guided refinement Alur et al in CAV 95 Bensalem et al in CAV 98 Lakhnech et al in TACAS 2001 Tiwari et al in TACAS 2001 Clark, Grumberg et al CAV 2000 SLAM Project at MSR (POPL 2002) BLAST project at Berkeley (POPL 2002)

3030 Implementation Binary Decision Diagrams (BDD) are used to represent abstract system and for model checking Cooperating Validity Checker (CVC) is used to check satisfiability CVC is a decision procedure for quantifier free first order logic Supported types in CVC include booleans, rationals, stores (unbounded arrays) and records Quantifier support Heuristics were used for quantifier instantiation

3131 Verification Scheme Abstract and Model Check Check Counter-example and Discover Predicates Initial Predicates Safety Property Concrete SystemProperty Verified! Abstract Counter-example Concrete Counter-example New predicates

3232 Predicate Discovery Intuition A spurious trace is an abstract trace with no concrete counterpart Real trace is one which has a concrete counterpart Predicates are added to remove spurious traces New Predicate Spurious counter-example is avoided in refined abstraction! x1x1 x2x2 x’ 2 x3x3

3333 Protocol Description Ruleset (cell,msg): “Send REQUEST”  cs[cell] /\ Q.type[msg]=EMPTY  Q.type[msg]:=REQUEST; Q.node[msg]:=cell “Receive GRANT”  cs[cell] /\ Q.type[msg]=GRANT /\ Q.node[msg]=cell  Q.type[msg]:=EMPTY; cs[cell]:=true “Send RELEASE” cs[cell] /\ Q.type[msg]=EMPTY  Q.type[msg] := RELEASE; Q.node[msg] := cell; cs[cell] := false Client Rules Ruleset (msg): “Receive REQUEST”  granted /\ Q.type[msg]=REQUEST  Q.type[msg] := GRANT; granted := true; current := Q.node[msg] “Receive RELEASE” granted /\ Q.type[msg]=RELEASE /\ Q.node[msg]=current  Q.type[msg] := EMPTY; granted := false Server Rules Rule true  Q.type := x. EMPTY; cs := x. false; granted := false Initialization Rule