Presentation is loading. Please wait.

Presentation is loading. Please wait.

game-based model checking key game model properties: syntax-direct: behaviour of any component specified in isolation truly compositional: behaviour of.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "game-based model checking key game model properties: syntax-direct: behaviour of any component specified in isolation truly compositional: behaviour of."— Presentation transcript:

1

2 game-based model checking key game model properties: syntax-direct: behaviour of any component specified in isolation truly compositional: behaviour of component built from sub-models  any component can be verified in isolation  huge programs could be verified by isolating difficult parts

3 game-based p.a. game models cannot avoid state explosion - would benefit from predicate abstraction! predicate abstraction most naturally treated as a model mutation - would benefit from syntax-direct and compositional explanation

4 contributions a game semantics of p.a. a verification tool for a large subset of C a predicate annotation approach that exploits the syntax-direct property a CEGAR verification algorithm that exploits the syntax-direct property

5 programming language: IA L C-like control structure if | ; | break | continue | goto | assert block structure state {nat x := M; N} | x := M expressions x | k | M(N 1,..,N n ) | let f(x 1,..,x n ) = M in N

6 battle of numbers bool goer := 0; nat pile := 10 * you()%10 + me()%10; f (if pile > 0 then {goer := 1; pile -= you()%9%pile}; if pile > 0 then {goer := 0; pile -= me()%9%pile}); if pile = 0 then winner := goer

7 wrestle of numbers bool goer := 0; nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if pile > 0 then {nat n := you()%9; goer := 1; pile -= n; assert(pile%9 = 9 - n); if pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

8 stateful game model – no p.a. model: M v = set of traces returning val v distinguish ab/normally terminating traces trace: start state, moves, end state state: map ids in environment to vals move: val position (in typing) | ) ( |

9 you()%9 d =  m%9=d q you,m you stateful game models you() m = q you,m you (for all m) ( | ( | | ) | ) n := you()%9 () =  d  m%9=d q you,m you ( | | ) ndnd

10 p.a. game model model: M e = set of traces returning expr e distinguish ab/normally terminating traces trace: start P-state, moves, end P-state P-state: set of (negated) P members move: expr position (in typing) {||}

11 if sat ( & ) p.a. game models you()%9 y%9 = q you,y you you() y = q you,y you n := you()%9 () = q you,y you y%9/n {| {| {| |} |} |}

12 wrestle game model goer=0 goer=1 q you,0 you,q f q f1,q you,n you () f1 () f q f1,() f1 q you,1 you,q f … () f1

13 wrestle p.a. model pile%9=0 pile%9!=9-ngoer=0 pile>0 pile%9!=0 pile%9=9-n pile>0 goer=1 q you,y you,q f q f1,q you,n you pile%9=0 pile%9!=9-n pile=0 goer=0 () f1 () f pile%9=0 pile%9!=9-n pile=0 goer=0 q f1,() f1 () f1

14 about this formulation + simple + stateful and p.a. variants similar + control semantics orthogonal to state semantics (control ignored in this talk!) – less compositional in spirit than some game semantics - environments are important - p.a. semantics difficult to handle otherwise

15 p.a. properties the p.a. model is decidable (finite-state) if p.a. model of M has no aborting traces then M is safe

16 syntactic predicate annotation we can trivially move predicate annotations from the model to the program this can be used to minimize the predicate state size

17 annotated wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if pile > 0 then {nat n := you()%9; goer := 1; letp pile%9 = 9 – n in pile -= n; assert(pile%9 = 9 - n); if pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

18 annotated p.a. model pile%9=0goer=0 pile%9!=0 pile%9=9-ngoer=1 q you,y you,q f q f1,q you,n you () f q f1,() f1 () f1 goer=0

19 game p.a. c.e.g.a.r. make each conditional a predicate –as tightly scoped as possible model check –safe => safe –unsafe => check trace feasibility widen scope of some letp if infeasible

20 c.e.g.a.r. wrestle bool goer := 0; nat pile := {nat n = you()%10; n*10 + 9 – n}; letp pile%9 = 0 in assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); letp goer = 0 in assert(goer = 0)

21 c.e.g.a.r. wrestle bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); letp goer = 0 in assert(goer = 0)

22 c.e.g.a.r. wrestle bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); letp goer = 0 in f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

23 c.e.g.a.r. wrestle bool goer := 0; letp goer = 0 in letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

24 c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

25 c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; pile -= n; letp pile%9 = 9 – n in assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

26 c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; letp pile%9 = 9 – n in pile -= n; assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

27 c.e.g.a.r. wrestle letp goer = 0 in bool goer := 0; letp pile%9 = 0 in nat pile := {nat n = you()%10; n*10 + 9 – n}; assert(pile%9 = 0); f (if letp pile > 0 in pile > 0 then {nat n := you()%9; goer := 1; letp pile%9 = 9 – n in pile -= n; assert(pile%9 = 9 - n); if letp pile > 0 in pile > 0 then {pile -= 9 – n; goer := 0}}); assert(goer = 0)

Download ppt "game-based model checking key game model properties: syntax-direct: behaviour of any component specified in isolation truly compositional: behaviour of."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
IPAW'08 – Salt Lake City, Utah, June 2008 Data lineage model for Taverna workflows with lightweight annotation requirements Paolo Missier, Khalid Belhajjame,

IPAW'08 – Salt Lake City, Utah, June 2008 Data lineage model for Taverna workflows with lightweight annotation requirements Paolo Missier, Khalid Belhajjame,
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.

Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
0 PROGRAMMING IN HASKELL Chapter 10 - Declaring Types and Classes.

0 PROGRAMMING IN HASKELL Chapter 10 - Declaring Types and Classes.
1 A Description Logic with Concrete Domains CS848 presentation Presenter: Yongjuan Zou.

1 A Description Logic with Concrete Domains CS848 presentation Presenter: Yongjuan Zou.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Compiler Principle and Technology Prof. Dongming LU Mar. 28th, 2014.

Compiler Principle and Technology Prof. Dongming LU Mar. 28th, 2014.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
Chess Review May 8, 2003 Berkeley, CA Classes and Inheritance in Actor- Oriented Models Stephen Neuendorffer Edward Lee UC Berkeley.

Chess Review May 8, 2003 Berkeley, CA Classes and Inheritance in Actor- Oriented Models Stephen Neuendorffer Edward Lee UC Berkeley.
O M N O + D TECHNIQUES H L C E H + GAME-BASED FOR C L K Y I N G Adam Bakewell & Dan Ghica University of Birmingham.

O M N O + D TECHNIQUES H L C E H + GAME-BASED FOR C L K Y I N G Adam Bakewell & Dan Ghica University of Birmingham.

Similar presentations

Ads by Google