Presentation is loading. Please wait.

Presentation is loading. Please wait.

Debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005.

Published byAlice Singleton Modified over 8 years ago

Similar presentations

Presentation on theme: "Debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005."— Presentation transcript:

1 debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005

2 2 logical modeling subject model analysis feedback hard? accurate? guarantees? scalable?

3 3 styles of logical modeling operational models (model checking) ›prescriptive (how to build a tree) ›temporal properties ›state machines ›natural for hardware declarative models ›descriptive (what a tree looks like) ›partial descriptions ›topological properties ›structured data ›natural for software alloy language ›first order relational logic + transitive closure ›encodes to SAT

4 4 example: file system module FileSystem sig Object { parent: lone Dir } sig Dir extends Object { contents: set Object } sig File extends Object {} one sig Root extends Dir {} fact DefineContents { contents = ~parent } fact Partioning { File + Dir = Object } pred WellFormed () { no Root.parent all o: Object | o in Root.*contents } assert Acyclic { WellFormed() => all o: Object | o !in o.^contents } check Acyclic for 5 --no counterexample

5 5 logical modeling subject model analysis feedback hard? accurate? guarantees? scalable?

6 6 logical modeling: alloy subject model analysis feedback hard? accurate? guarantees? scalable? arbitrary FOL OO-like syntax structured data sat solvers symmetry breaking sound scope-complete

7 7 logical modeling: alloy subject model analysis feedback hard? accurate? guarantees? scalable? arbitrary FOL OO-like syntax structured data sat solvers symmetry breaking sound scope-complete Did you write the model you think you wrote?

8 8 2 types of errors underconstraint – allow erroneous behaviors ›easy to identify ›easy to locate ›harmless if missed - stronger result! overconstraint - disallow important behaviors ›hard to identify ›hard to locate ›dangerous if missed - may mask errors! extreme: no behaviors violate property because no behaviors exist (simple liveness) dangerous case: missing only error-revealing behaviors

9 9 harmless underconstraint module FileSystem sig Object { parent: lone Dir } sig Dir extends Object { contents: set Object } sig File extends Object {} one sig Root extends Dir {} fact DefineContents { contents = ~parent } fact Partioning { File + Dir = Object } pred WellFormed () { no Root.parent all o: Object | o in Root.*contents } assert Acyclic { WellFormed() => all o: Object | o !in o.^contents } check Acyclic for 5 --fact Partioning { File + Dir = Object } --no counterexample

10 10 relevant underconstraint module FileSystem sig Object { parent: lone Dir } sig Dir extends Object { contents: set Object } sig File extends Object {} one sig Root extends Dir {} fact DefineContents { contents = ~parent } fact Partioning { File + Dir = Object } pred WellFormed () { no Root.parent all o: Object | o in Root.*contents } assert Acyclic { WellFormed() => all o: Object | o !in o.^contents } check Acyclic for 5 --all o: Object | o in Root.*contents --counterexample !

11 11 relevant underconstraint Dir_0 (Acyclic) Root_0 Dir_0 (Acyclic) parent contents

12 12 2 types of errors underconstraint – allow erroneous behaviors ›easy to identify ›easy to locate ›harmless if missed - stronger result! overconstraint - disallow important behaviors ›hard to identify ›hard to locate ›dangerous if missed - may mask errors! extreme: no behaviors violate property because no behaviors exist (simple liveness) dangerous case: missing only error-revealing behaviors

13 13 overconstraint module FileSystem sig Object { parent: one Dir } sig Dir extends Object { contents: set Object } sig File extends Object {} one sig Root extends Dir {} fact DefineContents { contents = ~parent } fact Partioning { File + Dir = Object } pred WellFormed () { no Root.parent all o: Object | o in Root.*contents } assert Acyclic { WellFormed() => all o: Object | o !in o.^contents } check Acyclic for 5 --lone Dir } --no counterexample ! --all o: Object | o in Root.*contents

14 14 what would help? when solutions exist ›an example explains why when no solutions exist ›a proof explains why

15 15 what would help? when solutions exist ›an example explains why when no solutions exist ›a proof explains why problem with proofs ›long & hard (1,000's of resolutions) ›in terms of CNF clauses solution ›just what was was used in the proof ›do so in terms the user can understand (use the text of the model)

16 16 extracted unsat core module FileSystem sig Object { parent: one Dir } sig Dir extends Object { contents: set Object } sig File extends Object {} one sig Root extends Dir {} fact DefineContents { contents = ~parent } fact Partioning { File + Dir = Object } pred WellFormed () { no Root.parent all o: Object | o in Root.*contents } assert Acyclic { WellFormed() => all o: Object | o !in o.^contents } check Acyclic for 5 --lone Dir } --no counterexample ! --all o: Object | o in Root.*contents

17 17 core extraction extracted unsat core ›subset of model ›sufficient to rule out solutions ›changing rest of model leaves it unsat ›double checks user’s intuition guarantee: Altering non-core portions of an unsatisfiable model in a syntactically valid manner will leave the model unsatisfiable.

18 18 algorithm constr aint langua ge user’s view SAT solver … (a - b) in b …

19 19 algorithm constr aint langua ge user’s view SAT solver … (a - b) in b … a b b inin - AST of user’s model

20 20 algorithm constr aint langua ge CNF clauses user’s view SAT solver … (a - b) in b … a b b in - (b3)  (b1 V ~b2 V b3)  (b1 V ~b3 V b4)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  … convert AST of user’s model

21 21 algorithm constr aint langua ge CNF clauses SAT solver user’s view SAT solver … (a - b) in b … a b b inin - convert analyze AST of user’s model (b3)  (b1 V ~b2 V b3)  (b1 V ~b3 V b4)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

22 22 algorithm constr aint langua ge CNF clauses SAT solver user’s view SAT solver … (a - b) in b … a b b inin - convert analyze AST of user’s model solve “unsatisfiabl e” (b3)  (b1 V ~b2 V b3)  (b1 V ~b3 V b4)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

23 23 algorithm constr aint langua ge CNF clauses SAT solver CNF core user’s view core extraction SAT solver subset … (a - b) in b … a b b inin - convert analyze AST of user’s model solve extract core “unsatisfiabl e” (b3)  (b1 V ~b2 V b3)  (b1 V ~b3 V b4)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

24 24 algorithm constr aint langua ge CNF clauses SAT solver CNF core user’s view core extraction SAT solver subset … (a - b) in b … a b b inin - convert analyze map back AST of user’s model solve extract core “unsatisfiabl e” Highlighte d AST (b3)  (b1 V ~b2 V b3)  (b1 V ~b3 V b4)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

25 25 algorithm constr aint langua ge CNF clauses SAT solver CNF core user’s view core extraction SAT solver subset … (c - b) in b … c b b inin - convert analyze map back AST of user’s model solve extract core “unsatisfiabl e” alter AST Highlighte d AST Altered AST (b3)  (b1 V ~b2 V b3)  (b1 V ~b3 V b4)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

26 26 algorithm constr aint langua ge CNF clauses SAT solver CNF core CNF clauses user’s view core extraction SAT solver subset superset … (c - b) in b … c b b inin - convert analyze map back AST of user’s model solve extract core “unsatisfiabl e” alter AST Highlighte d AST Altered AST (b3)  (b1 V ~b2 V b3)  (b5 V ~b6 V b7)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

27 27 algorithm constr aint langua ge CNF clauses SAT solver CNF core CNF clauses SAT solver user’s view core extraction SAT solver subset superset … (c - b) in b … c b b inin - convert analyze map back AST of user’s model solve extract core “unsatisfiabl e” alter AST Highlighte d AST Altered AST (b3)  (b1 V ~b2 V b3)  (b5 V ~b6 V b7)  (~b1 V b2)  (b1 V ~b3)  (~b1 V ~b2)  …

28 28 complications shared subformulae ›important optimization ›may cause larger core ›can often be trimmed core may not be minimal ›iterate to fixed point ›usually locally minimal core is not unique ›could exist different (smaller) core requires node-by-node translation ›one CNF variable per node ›clauses for different nodes are independent

29 29 case studies logs of common errors ›‘dumb bugs’ ›all languages have them ›time consuming in practice ›core extraction often nails them major case studies ›known, subtle bugs ›iolus - secure multi-casting core extraction revealed bug’s location ›firewire - ‘tree identify’ protocol core extraction helped narrow down bug’s location

30 30 key related work vacuity testing by model checkers ›(Beer '01, Chockler '01, Kupferman '99, Vardi '03) ›modal logic in particular form ›focus on property not model ›cannot pinpoint model subsets responsibility ›(Chockler) ›relative important of subformulae ›analogous to number of cores a formula is in procedure call abstraction ›uses unsat core in refinement step

31 31 conclusions contributions ›filled a hole in declarative modeling tools ›mapped proof contents to something meaningful ›proof of correctness ›case studies Shlyakhter, Seater, Jackson, Sridharan, Taghdiri. Debugging Declarative Models Using Unsatisfiable Cores. Automated Software Engineering (ASE), 2003. (best paper award)

Download ppt "Debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005."

Similar presentations

Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
– Seminar in Software Engineering Cynthia Disenfeld

– Seminar in Software Engineering Cynthia Disenfeld
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.

CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008.

Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008.
Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.

Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.
11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.

Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

Similar presentations

Ads by Google