Download presentation
Presentation is loading. Please wait.
Published byBruce Leonard Daniels Modified over 9 years ago
1
1 Automatic Non-interference Lemmas for Parameterized Model Checking Jesse Bingham, Intel DEG FMCAD 2008
2
2 Classic CMP Approach CMP approach [McMillan 99/01, Chou et al. 04, Krstic 05, Lv et al 07, Li 07, Talupur & Tuttle 08] human writes non-interference lemmas from counterexamples system is iteratively strengthened with lemmas until all lemmas and property hold
3
3 CMP requires human to write lemmas Umm, me no think possible in real system Human writes “non-interference lemma”:
4
4 What we do our approach removes lemma-writing burden of human’s shoulders start with “non-interference conjecture” False abstract strengthened system compute abstract reachability fixpoint iterate, with concretized fixpoint as new conjecture our contributions general theory based on abstract interpretation instantiation of theory for class of parameterized protocols using BDDs & prototype tool
5
5 Roadmap General Theory Symmetric Parameterized Protocols Case Studies/Final Thoughts
6
6 Theory concrete transition system (C,I,T) C is the set of (concrete) states I C are the initial states T C C is the transition relation Reach (C,I,T) denotes set of reachable states p C is called an invariant if Reach (C,I,T) p for C define post [T]( ) = {y | x.(x,y) T and x }
7
7 Strengthening For C, the strengthening of (C,I,T) by , is the transition system (C, I, T ( C)). We denote the strengthening by T # . Theorem. is an invariant of (C,I,T) if and only if is an invariant of T # . Strengthen with = blue states
8
8 Abstraction finite abstract domain A along with partial order ⊑, forming a lattice (A, ⊑ ) Think of ⊑ as subset ordering on represented sets galois connection ( , ) defines association between concrete states and abstract domain : 2 C A : A 2 C and are order preserving other technical properties
9
9 : Makes Abstract Posts for Strengthened Concrete Systems (1/2) ( ) : A A set of concrete states Abstract post (a.k.a abstract interpretation) of post[ T # ]
10
10 : Makes Abstract Posts for Strengthened Concrete Systems (2/2) Concrete States C Abstract Domain A a (a)(a) post [T# ] ( ( a )) ( post [T# ] ( ( a )) ( )(a ) ⊑ C C “best” post relative to ( , )
11
11 The Method Concrete States C Abstract Domain A Reach ( (Init), ( 0 )) Reach ( (Init), ( 1 )) 11 0 = False 22 Reach ( (Init), ( k )) = Reach ( (Init), ( k-1 )) … … kk (k)(k) ⊑ (property)
12
12 Roadmap General Theory Parameterized Protocols Case Studies/Final Thoughts
13
13 State variable types let Pid denote the process IDs four types of variables Bool e.g. global FSM state Pid Bool e.g. process FSM state, control arrays indexed by Pid Pid e.g. global process pointer Pid Pid e.g. pre-process process pointer
14
14 Transition relation syntax atoms w ( w : Bool ) x[p] ( x : Pid Bool and quantifed var p ) y=p ( y : Pid and quantifed var p ) z[p]=q ( z : Pid Pid and quant vars p & q ) plus any of the above with priming transition formula syntax: where 0 and 1 are (restricted) boolean combinations of atoms
15
15 Protocol Abstraction abstract domain is symmetric sets of views galois connection is straightfoward similar to [Lahiri & Bryant 04]’s for universally quantified predicate abstraction thanks to a small model theorem & symmetry, we can compute a best using BDDs
16
16 Views [Chou et al 04] Bool Pid Pid Bool 1 0123 Concrete state View ( m=2 ) 1 Bool Pid Pid Bool 3 0123 Concrete state View ( m=2 ) other a view only includes info regarding a small number m of processes; Pid vars take values from {0,…,m-1,other}
17
17 Small Model Theorem Bool Pid Pid Bool 1 0123 4 n (arbitrarily big) 0 … … 0 … 1 0123 4 m+L+1 (fixed & small!) … if and only if -abstract away this state in BDD
18
18 Putting It All Together i (set of views as BDD) Compute BDD for T ( i ) of size m+L+1 - quantify away all but first m processes (i)(i) i+1 = Reach ( (Init), ( i )) Computed using BDD techniques of [Pnueli et al 01]
19
19 Non-best small model theorem allows for best can cause BDD blow-up two orthogonal techniques allow for non-best , which typically yields smaller BDDs strengthen with subset of variables also reduces small model theorem bound by 1 only strengthen “guarded commands” that depend on abstracted state in the guards, or even fewer
20
20 Roadmap General Theory Symmetric Parameterized Protocols Case Studies/Final Thoughts
21
21 Prototype Tool built prototype tool using Intel’s forte formal verification system [Seger et al 05] protocols modeled in forte’s language reFLect user specifies “ingredients” number of concrete processes m=2 variables to constraint during strengthening transitions to strengthen dynamic BDD var ordering useful [Rudell 93]
22
22 Case Studies (1/3) GERMAN [German 00] “hello world” for parameterized verification just one Pid var; no Pid Pid vars control & data properties verified totally automatically with “best” GERMAN2004 more complex than GERMAN has Pid Pid vars (network) previously verified by [Lv et al 07], who needed human to add history vars we verified the control property with non-best
23
23 Case Studies (2/3) FLASH [Kuskin et al 94] “…if [a parameterized verification method] works on FLASH, then there is a good chance that it will also work on many real-world cache coherence protocols.” [Chou et al 04] first automatically verified by [Lv et al 07] we verified the control property using non-best
24
24 Case Studies (3/3) abstract reach iterations outter loop iterations
25
25 Final Thoughts presented a method that automatically computers non-interference lemmas general theory applied to symmetric protocols related to Invisible Invariants [Pnueli et al 01] BDDs aren’t necessarily bad for protocols especially parameterized model checking original work [McMillan 99/01] used SMV/BDDs automation: intellectually pleasing…but probably won’t scale
26
26 Foil graveyard…
27
27 Motivating Example … Want to prove invariance of something like:
28
28 Abstract Process other Abstracts behavior of processes {2,…,n} for arbitrary n Model Check:
29
29 Counterexample Analysis Umm, me no think possible in real system Human writes “non-interference lemma”:
30
30 Guard Strengthening Model Check: Strengthen with:
31
31 Order Preservation of Abstraction ()() ( ) ⊑ Concrete States C Abstract Domain A
32
32 Order Preservation of Concretization (a)(a) a a ⊑ (a)(a) Concrete States C Abstract Domain A
33
33 Proving Invariants with & (a different view from in the paper & talk) Concrete States C Abstract Domain A (i)(i) Reach ( (Init), ( i )) ( Reach ( (Init), ( i ))) = i+1 ii Abstracts T# i Abstracts Reach (I,T# i ) Theorem. i+1 i implies i is a (concrete) invariant
34
34 Proving Invariants with & Concrete States C Abstract Domain A Reach ( (Init), ( i )) ii ⊑ (i)(i) (i)(i) Abstracts Reach (I,T# i ) Abstracts T# i Theorem. Reach ( (Init), ( i )) ⊑ ( i ) implies i is an invariant Abstracts i
35
35 Weakening with & Concrete States C Abstract Domain A (i)(i) Reach ( (Init), ( i )) ( Reach ( (Init), ( i ))) = i+1 ii Abstracts T# i Abstracts Reach (I,T# i )
36
36 Abstract Post ap() Concrete States C Abstract Domain A a (a)(a) post( ( a )) (post( ( a ))) ap( a ) ⊑
37
37 : Makes Abstract Posts for Strengthened Concrete Systems Concrete States C Abstract Domain A ( ) : A A Abstract post image of T#
38
38 The Method (1/3) Concrete States C Abstract Domain A (i)(i) Reach ( (Init), ( i )) ii Abstracts T# i Abstracts Reach (I,T# i ) (i)(i) ⊑ | ( Reach ( (Init), ( i ))) = i+1
39
39 The Method start with 0 = False ; iteratively compute 1, 2, 3,… until a provable invariant is found this is the strongest provable invariant provable is relative to and if we use that is “best” then is the strongest invariant provable using
40
40 Protocol Abstraction abstract domain is symmetric sets of views galois connection is conceptually straightforward; similar to [Lahiri & Bryant 04] ( ) = { View (s) | s and is a view map } thanks to a small model theorem & symmetry, we can compute a best …
41
41 Small Model “cut-off” m+ L + 1 number of concrete processes in view number of existentially quantified vars in protocol transition relation can be done away With in certain circumstances
42
42 Views type in protocoltype in view Bool Pid BoolPid m Bool PidPid m other Pid PidPid m Pid m other m a small constant (typically 2) Pid m = {0,…,m-1} Pid other = Pid m {other} abstract domain is sets of views [Chou et al 04], which are assignments to protocol vars with different typing
43
43 Abstraction Bool Pid Pid Bool 2 0123 other 0 1 1 0 Concrete state s (with n=4 ) Set of views (s)
44
44 Views (2/2) Replace this slide!!! Pid vars have type {0,1,other} m = 2 “concrete” processes State of the form array[other] is abstracted away
45
45 Small Model Theorem … arbitrarily large n view ( m = 2 ) … m+ L + 1 above can do any “view transition” iff below can hence we -abstract these processes away
46
46 TODO…
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.