Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compositional Verification part II Dimitra Giannakopoulou and Corina Păsăreanu CMU / NASA Ames Research Center.

Published byMark Greene Modified over 9 years ago

Similar presentations

Presentation on theme: "Compositional Verification part II Dimitra Giannakopoulou and Corina Păsăreanu CMU / NASA Ames Research Center."— Presentation transcript:

1 Compositional Verification part II Dimitra Giannakopoulou and Corina Păsăreanu CMU / NASA Ames Research Center

2 recap from part I Compositional Verification Assume-guarantee reasoning Weakest assumption Learning framework for reasoning about 2 components

3 compositional verification M2M2 M1M1 A satisfies P? Check P on entire system: too many states! Use the natural decomposition of the system into its components to break-up the verification task Check components in isolation: Does M 1 satisfy P? –Typically a component is designed to satisfy its requirements in specific contexts / environments Assume-guarantee reasoning: –Introduces assumption A representing M 1 ’s “context” Does system made up of M 1 and M 2 satisfy property P?

4 assume-guarantee reasoning Simplest assume-guarantee rule – A SYM “discharge” the assumption 1.  A  M 1  P  2.  true  M 2  A  3.  true  M 1 || M 2  P  How do we come up with the assumption A? (usually a difficult manual process) Solution: synthesize A automatically Reason about triples:  A  M  P  The formula is true if whenever M is part of a system that satisfies A, then the system must also guarantee P M2M2 M1M1 A satisfies P?

5 the weakest assumption Given component M, property P, and the interface of M with its environment, generate the weakest environment assumption WA such that:  WA  M  P  holds Weakest means that for all environments E:  true  M || E  P  IFF  true  E  WA 

6 assumption generation [ASE’02] STEP 1: composition, hiding, minimization property true! (all environments) STEP 2: backward propagation of error along  transitions property false! (all environments) STEP 3: property extraction (subset construction & completion) assumption

7 learning for assume-guarantee reasoning Use an off-the-shelf learning algorithm to build appropriate assumption for rule A SYM Process is iterative Assumptions are generated by querying the system, and are gradually refined Queries are answered by model checking Refinement is based on counterexamples obtained by model checking Termination is guaranteed 1.  A  M 1  P  2.  true  M 2  A  3.  true  M 1 || M 2  P 

8  true  M 2  A i  learning assumptions Use L* to generate candidate assumptions  A = (  M 1   P)   M 2 L* query: string s true false  s  M 1  P  conjecture: A i  A i  M 1  P   c  A  M 1  P  true false + cex c true false false + cex c P holds in M 1 || M 2 P violated in M1 || M2 1.  A  M 1  P  2.  true  M 2  A  3.  true  M 1 || M 2  P  string c  A Model Checking Guaranteed to terminate Reaches weakest assumption or terminates earlier true

9 part II compositional verification assume-guarantee reasoning weakest assumption learning framework for reasoning about 2 components extensions: reasoning about n > 2 components symmetric and circular assume-guarantee rules alphabet refinement reasoning about code

10 extension to n components To check if M 1 || M 2 || … || M n satisfies P –decompose it into M 1 and M’ 2 = M 2 || … || M n –apply learning framework recursively for 2 nd premise of rule –A plays the role of the property At each recursive invocation for M j and M’ j = M j+1 || … || M n –use learning to compute A j such that  A i  M j  A j-1  is true  true  M j+1 || … || M n  A j  is true 1.  A  M 1  P  2.  true  M 2 || … || M n  A  3.  true  M 1 || M 2 … || M n  P 

11 example Model derived from Mars Exploration Rover (MER) Resource Arbiter –Local management of resource contention between resource consumers (e.g. science instruments, communication systems) –Consists of k user threads and one server thread (arbiter) Checked mutual exclusion between resources –E.g. driving while capturing a camera image are mutually incompatible Compositional verification scaled to >5 users vs. monolithic verification ran out of memory [SPIN’06] ARB U5U5 U4U4 Request, Cancel U3U3 U2U2 U1U1 Grant, Deny Rescind Resource Arbiter

12 recursive invocation Compute A 1 … A 5 s.t.  A 1  U 1  P   true  U 2 || U 3 || U 4 || U 5 || ARB  A 1   A 2  U 2  A 1   true  U 3 || U 4 || U 5 || ARB  A 2   A 3  U 3  A 2   true  U 4 || U 5 || ARB  A 2   A 4  U 4  A 3   true  U 5 || ARB  A 4   A 5  U 5  A 4   true  ARB  A 5  Result:  true  U 1 ||.. || U 5 || ARB  P  U1U1 U2U2 P A2A2 A1A1 ARB A1A1 U3U3 U4U4 A2A2 A4A4 A3A3 A3A3 U5U5 A5A5 A4A4 A5A5

13 AnalysisMemoryState SpaceTime t model t compile t run Assumption Size Monolithic544 MB3.9e+060.02s 0.8s 33.7sN/A Recursive2.6 MB10020.03s 1.1s 0.03s6.. 12 analysis results Analysisqueriesoracle1oracle2t SPIN +t Learn Mem Learn t LTSA Mem LTSA Recursive48844815646.3s1743K42.8s20400K LTSA tool Analysis Assumption generation

14 symmetric rules: motivation ack,out,send ack send out ack send A4:A4: ack send out, send A2:A2: ack send A1:A1: ack in A1:A1: ack in ack A2:A2: send M 1 = Input, M 2 = Output, P = Order M 1 = Output, M 2 = Input, P = Order Order err in out in Output send ack out Input in ack send

15 symmetric rules Assumptions for both components at the same time –Early termination; smaller assumptions Example symmetric rule – S YM coA i = complement of A i, for i=1,2 Requirements for alphabets: –  P   M 1   M 2 ;  A i  (  M 1   M 2 )   P, for i =1,2 The rule is sound and complete Completeness needed to guarantee termination Straightforward extension to n components 1.  A 1  M 1  P  2.  A 2  M 2  P  3. L(coA 1 || coA 2 )  L(P)  true  M 1 || M 2  P  Ensure that any common trace ruled out by both assumptions satisfies P.

16 learning framework for rule S YM L*  A 1  M 1  P  L*  A 2  M 2  P  A1A1 A2A2 false L(coA 1 || coA 2 )  L(P) counterex. analysis true false P holds in M 1 ||M 2 P violated in M 1 ||M 2 add counterex. remove counterex. remove counterex. true

17 circular rule Rule C IRC – from [Grumberg&Long – Concur’91] Similar to rule A SYM applied recursively to 3 components –First and last component coincide –Hence learning framework similar Straightforward extension to n components 1.  A 1  M 1  P  2.  A 2  M 2  A 1  3.  true  M 1  A 2   true  M 1 || M 2  P 

18 assumption alphabet refinement Rule A SYM –Assumption alphabet was fixed during learning –  A = (  M 1   P)   M 2 [SPIN ’ 06]: A subset alphabet –May be sufficient to prove the desired property –May lead to smaller assumption How do we compute a good subset of the assumption alphabet? Solution – iterative alphabet refinement –Start with small alphabet –Add actions as necessary –Discovered by analysis of counterexamples obtained from model checking M1M1 M2M2 P

19 learning with alphabet refinement 1. Initialize Σ to subset of alphabet  A = (  M 1   P)   M 2 2. If learning with Σ returns true, return true and go to 4. (END) 3. If learning returns false (with counterexample c), perform extended counterexample analysis on c. If c is real, return false and go to 4. (END) If c is spurious, add more actions from  A to Σ and go to 2. 4. END

20 extended counterexample analysis  A = (  M 1   P)   M 2 Σ   A is the current alphabet  c  Σ  M 1  P   c  A  M 1  P  Refiner: compare c  A and t  A Add actions to Σ and restart learning  true  M 2  A i  L* query conjecture: A i false c  A false + cex c  A i  M 1  P  true c  A false + cex t false true P holds P violated  s  M 1  P 

21 alphabet refinement Order err in out in Output send ack out Input in ack send  true  Output  A i  false with c =  send, out   = { out } c  Σ =  out   c  Σ  Input  P  false with counterex. t =  out   A = { send, out, ack } c  A =  send, out   c  A  Input  P  true compare  out  with  send, out  add “send” to 

22 characteristics Initialization of Σ –Empty set or property alphabet  P   A Refiner –Compares t  A and c  A –Heuristics: AllDiff adds all actions in the symmetric difference of the trace alphabets Forward scans traces in parallel forward adding first action that differs Backward symmetric to previous Termination –Refinement produces at least one new action and the interface is finite Generalization to n components –Through recursive invocation See also learning with optimal alphabet refinement –Developed independently by Chaki & Strichman 07

23 implementation & experiments Implementation in the LTSA tool –Learning using rules A SYM, S YM and C IRC –Supports reasoning about two and n components –Alphabet refinement for all the rules Experiments –Compare effectiveness of different rules –Measure effect of alphabet refinement –Measure scalability as compared to non-compositional verification Extensions for –SPIN –JavaPathFinder http://javapathfinder.sourceforge.net

24 case studies Model of Ames K9 Rover Executive –Executes flexible plans for autonomy –Consists of main Executive thread and ExecCondChecker thread for monitoring state conditions –Checked for specific shared variable: if the Executive reads its value, the ExecCondChecker should not read it before the Executive clears it Model of JPL MER Resource Arbiter –Local management of resource contention between resource consumers (e.g. science instruments, communication systems) –Consists of k user threads and one server thread (arbiter) –Checked mutual exclusion between resources K9 Rover MER Rover

25 results Rule A SYM more effective than rules S YM and C IRC Recursive version of ASYM the most effective –When reasoning about more than two components Alphabet refinement improves learning based assume guarantee verification significantly Backward refinement slightly better than other refinement heuristics Learning based assume guarantee reasoning –Can incur significant time penalties –Not always better than non-compositional (monolithic) verification –Sometimes, significantly better in terms of memory

26 Case|A|MemTime|A|MemTimeMemTime MER 2408.6521.9061.231.601.040.04 MER 3501240.06--83.544.764.050.111 MER 4273101.59--109.6113.6814.291.46 MER 520078.10--1219.0335.2314.2427.73 MER 616284.95--1447.0991.82--600 K9 Rover112.651.8242.372.536.270.015 analysis data |A| = assumption size Mem = memory (MB) Time (seconds) -- = reached time (30min) or memory limit (1GB) A SYM A SYM + refinement Monolithic

27 design/code level analysis Does M 1 || M 2 satisfy P? Model check; build assumption A Does C 1 || C 2 satisfy P? Model check; use assumption A [ICSE’2004] – good results but may not scale TEST! M1M1 C1C1 M2M2 C2C2 Design Code PA AP

28 compositional verification for C C 1 ||C 2 |=P spurious C 1 ||C 2 |= P true false counterexample analysis learning framework predicate abstraction M1M1 C1C1 predicate abstraction M2M2 refine Check composition of software C components C 1 ||C 2 |= P C2C2 refine spurious

29 compositional verification for C (details) learning  A 1  M 1  P  learning  A 2  M 2  P  A1A1 A2A2 false  true  M 2  A 1   true  M 1  A 2  OR counterexample analysis true false C 1 ||C 2 |=P weaken A 1 strengthen A 1 strengthen A 2 M1M1 predicate abstraction C1C1 predicate abstraction C2C2 weaken A 2 strengthen M 1 strengthen M 2 M2M2 false M1M1 M2M2

30 end of part 1I please ask LOTS of questions!

Download ppt "Compositional Verification part II Dimitra Giannakopoulou and Corina Păsăreanu CMU / NASA Ames Research Center."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Design by Contract.

Design by Contract.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
1 Constraint Satisfaction Problems A Quick Overview (based on AIMA book slides)

1 Constraint Satisfaction Problems A Quick Overview (based on AIMA book slides)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.

Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Similar presentations

Ads by Google