1111

Counter-Example Based Predicate Discovery in Predicate AbstractionCounter-Example Based Predicate Discovery in Predicate Abstraction

Satyaki Das and David L. Dill

Computer Systems Lab

Stanford University

satyakid@stanford.edu

dill@cs.stanford.edu

2222

OutlineOutline

Motivation

Predicate Abstraction

Predicate Discovery

Application to AODV

Conclusion

3333

MotivationMotivation

Easy verification of infinite state systems

4444

Simple Mutual Exclusion ProtocolSimple Mutual Exclusion Protocol

A trivial example to illustrate concepts

Clients communicate with server via asynchronous messages Three kinds of messages:

– REQUEST– GRANT– RELEASE

Infinite state Unbounded message queue Any number of clients

5555

Protocol StepsProtocol Steps

cs[i]=false

cs[i]:=true

cs[i]:=false

granted=false

granted:=truecurrent:=i

granted:=false

REQUEST(i)

GRANT(i)

RELEASE(i)

Client Variables

cs:array of boolean

Server Variables

granted:boolean;current:integer;

Queue Variables

Q.type:array of enum;Q.node:array of integer;

6666

Verification ConditionVerification Condition

For distinct nodes, a and b prove that,

cs[a] /\ cs[b] )

7777

OutlineOutline

Motivation

Predicate Abstraction

Predicate Discovery

Application to AODV

Conclusion

8888

AbstractionAbstraction

A finite set of predicates defines the abstraction

Abstraction is conservative

Concrete

Abstract

Predicates: bit1: cs[a] bit2: cs[b][00]

cs = x. false Q.type = x. EMPTY granted = true

cs = x. false Q.type = x. EMPTY granted = false

9999

Abstraction (contd)Abstraction (contd)

Abstract transition relation is conservative Abstract next states must contain all concrete successors And possibly more states

RA

Abstract

Concrete

RC

s

t

x y

Example

Let s=[10] and t=[11]

(s) contains a state where a GRANT(b)message is in queue

So we have abstract transition from s to t!

Predicates: bit1: cs[a] bit2: cs[b]

10101010

Abstract Counter-ExampleAbstract Counter-Example

If model checking fails an abstract counter-example produced

Concrete transitions are present for each pair of consecutive abstract states But concrete counter-example may not be present!

xy’

zy’’

Abstract

Concrete

Real TraceSpurious Trace

11111111

Tool Block DiagramTool Block Diagram

AbstractionModule

ModelChecker

CVC BDD

System

Predicates

Property

PredicateGenerator

TraceChecker

CVC

Proved!!!

Abstractcounter-example

Concretecounter-example

12121212

History of Predicate AbstractionHistory of Predicate Abstraction

Graf and SaidiCAV 97

Colon and UribeCAV 98

Shankar and SaidiCAV 99

Das,Dill and ParkCAV 99

Saidi and LessensENTCS 97

Das and DillLICS 2001

SLAMBall, Rajamani et al

2000-present

Henzinger et alPOPL 02

InVeStCAV 98

Bensalem et alTACAS 01

Tiwari et alTACAS 01

Invariant Generation

Software Model Checking

And many more…And many more…

Flanagan et alPOPL 2002

13131313

OutlineOutline

Motivation

Predicate Abstraction

Predicate Discovery

Application to AODV

Conclusion

14141414

Predicate Discovery ExamplePredicate Discovery Example

Rejoin action after the first iteration

Current predicates are: “a in critical section” cs[a] “b in critical section” cs[b] “At least one GRANT message” x. Q.type[x] = GRANT

xxx 000 001 011 111init

Send GRANT Rec GRANT Rec GRANT

Is abstract trace spurious?

Predicates:

bit1: cs[a]bit2: cs[b]bit3: x. Q.type[x] = GRANT

15151515

Predicate Discovery Example (contd)Predicate Discovery Example (contd)

xxx 000 001 111011Rec GRANTRec GRANTSend GRANTinit

Minimal spurious trace found!

Predicates:

bit1: cs[a]bit2: cs[b]bit3: x. Q.type[x] = GRANT

16161616

Predicate Discovery Example (contd)Predicate Discovery Example (contd)

001 011Rec GRANT

cs[a]

cs[b]

Q.type[m1] = GRANT

Q.type[m2] = GRANT

Q.node[m2] = b

m1 m2

These are the candidate predicates!

Predicates:

bit1: cs[a]bit2: cs[b]bit3: x. Q.type[x] = GRANT

000

17171717

Predicate Discovery Example (contd)Predicate Discovery Example (contd)

001000Send GRANT

cs[a]

cs[b]

Q.type[m1] = GRANT

Q.type[m2] = GRANT

Q.node[m2] = b

m1 m2

Predicate added: m1,m2. Q.type[m1]=GRANT /\ Q.type[m2]=GRANT /\ m1 m2

011

Predicates:

bit1: cs[a]bit2: cs[b]

bit3: x. Q.type[x] = GRANT

18181818

Predicate Discovery AlgorithmPredicate Discovery Algorithm

Step 1. Check if abstract counter-example is spurious

Step 2. If not spurious, concrete error trace has been found. Otherwise find a minimal spurious trace

Step 3. Solve non-spurious tail to find candidate predicates that characterize the second state of the minimal spurious trace

Step 4. Find a minimal set from these predicates to construct new predicates

19191919

OutlineOutline

Motivation

Predicate Abstraction

Predicate Discovery

Application to AODV

Conclusion

20202020

AODV ExampleAODV Example

Ad-hoc On-demand Distance Vector (AODV) routing protocol. Nodes can dynamically enter or leave the system. Routes are maintained so that the nodes can communicate. Important that routing table does not have loops.

The method automatically proves the loop-freeness of a simplified version of the protocol. Protocol was simplified by not modeling timeouts

Protocol highlights: Routes are found by broadcasting request to neighbors Sequence number tracks route age Hop count tracks number of hops to destination

21212121

AODV ExampleAODV Example

Proof obligation: If a’s next hop in route to c is b then either a’s sequence number is lower than that of b or the sequence numbers of a and b are the same but the hop count of a is higher than that of b

Find predicates about messages present in the queue

20 predicates were found in 14 iterations before the proof was successfully completed

a

b c

Message Queue

22222222

OutlineOutline

Motivation

Predicate Abstraction

Predicate Discovery

Application to AODV

Conclusion

23232323

ConclusionConclusion

Weakest pre-condition based abstraction refinement is useful

Future Work: Easily usable concrete error traces would aid debugging Better quantifier support would be nice Integration with other predicate generation schemes

24242424

EndEnd

25252525

Predicate Discovery (contd)Predicate Discovery (contd)

Generalize abstract transition relation to test for spurious counter-example trace.

Let counter-example trace be: s1, s2, … sM

Concrete counter-example exists if, RC(x1,x2) /\ RC(x2,x3) /\ … /\ RC(xM-1,xM)

/\ (x1)=s1 /\ (x2)=s2 /\ … /\ (xM)=sM

is satisfiable for some concrete states x1, x2, … xM

Notice that checking for spuriousness turns into a validity check that we use CVC to carry out!

26262626

Predicate Discovery (contd)Predicate Discovery (contd)

Real Trace!

Real Trace!

s2 s4s5s3

Remove first state if the remainder is spurious

Repeat till removing first state makes the remainder a real trace

Do similar shortening at end of trace

27272727

Predicate Discovery (contd)Predicate Discovery (contd)

Solve for conditions that must hold for the partial trace corresponding to s2, s3, s4, s5.

The conditions on the concrete state x2 can be derived by finding a satisfying assignment for:(x2)=s2 /\ (x3)=s3 /\ (x4)=s4 /\ (x5)=s5

/\ RC(x2,x3) /\ RC(x3,x4) /\ RC(x4,x5)

Let the solution be the conjunction of predicates, x2), x2), …, L(x2)

These are our candidate predicates!

28282828

Predicate Discovery (contd)Predicate Discovery (contd)

For the candidate predicates it must be the case,1(x2) /\ 2(x2) … /\ L(x2)

/\ RC(x1,x2) /\ (x1)=s1

Is unsatisfiable for all x1 and x2.

Find a minimal subset of predicates (say 1 and 2 in this case) such that,1(x2) /\ 2(x2)

/\ RC(x1,x2) /\ (x1)=s1

Is still unsatisfiable.

Use 1 and 2 as predicates to refine the abstraction

29292929

Related WorkRelated Work

Predicate Abstraction Graf and Saidi in CAV 1997 Colon and Uribe in CAV 1998 Flanagan and Qadeer in POPL 2002

Counter-example guided refinement Alur et al in CAV 95 Bensalem et al in CAV 98 Lakhnech et al in TACAS 2001 Tiwari et al in TACAS 2001 Clark, Grumberg et al CAV 2000 SLAM Project at MSR (POPL 2002) BLAST project at Berkeley (POPL 2002)

30303030

ImplementationImplementation

Binary Decision Diagrams (BDD) are used to represent abstract system and for model checking

Cooperating Validity Checker (CVC) is used to check satisfiability CVC is a decision procedure for quantifier free first order

logic Supported types in CVC include booleans, rationals, stores

(unbounded arrays) and records

Quantifier support Heuristics were used for quantifier instantiation

31313131

Verification SchemeVerification Scheme

Abstract andModel Check

Check Counter-exampleand Discover Predicates

Initial Predicates

Safety Property

Concrete System Property Verified!

Abstract Counter-example

ConcreteCounter-example

New predicates

32323232

Predicate Discovery IntuitionPredicate Discovery Intuition

A spurious trace is an abstract trace with no concrete counterpart Real trace is one which has a concrete counterpart

Predicates are added to remove spurious traces

New Predicate

Spurious counter-example is avoided in refined abstraction!

x1 x2

x’2x3

33333333

Protocol DescriptionProtocol Description

Ruleset (cell,msg):

“Send REQUEST”

cs[cell] /\ Q.type[msg]=EMPTY Q.type[msg]:=REQUEST;

Q.node[msg]:=cell

“Receive GRANT”

cs[cell] /\ Q.type[msg]=GRANT

/\ Q.node[msg]=cell Q.type[msg]:=EMPTY;

cs[cell]:=true

“Send RELEASE”

cs[cell] /\ Q.type[msg]=EMPTY Q.type[msg] := RELEASE;

Q.node[msg] := cell;

cs[cell] := false

Client Rules

Ruleset (msg):

“Receive REQUEST”

granted /\ Q.type[msg]=REQUEST Q.type[msg] := GRANT;

granted := true;

current := Q.node[msg]

“Receive RELEASE”

granted /\ Q.type[msg]=RELEASE

/\ Q.node[msg]=current Q.type[msg] := EMPTY;

granted := false

Server Rules

Rule

true Q.type := x. EMPTY; cs := x. false; granted := false

Initialization Rule