Counter-Example Based Predicate Discovery in Predicate Abstraction

1
Counter-Example Based Predicate Discovery in
Predicate Abstraction

• Satyaki Das and David L. Dill
• Computer Systems Lab
• Stanford University
• satyakid_at_stanford.edu
• dill_at_cs.stanford.edu

2
Outline

• Motivation
• Predicate Abstraction
• Predicate Discovery
• Application to AODV
• Conclusion

3
Motivation

• Easy verification of infinite state systems

4
Simple Mutual Exclusion Protocol

• A trivial example to illustrate concepts
• Clients communicate with server via asynchronous
  messages
• Three kinds of messages
• REQUEST
• GRANT
• RELEASE
• Infinite state
• Unbounded message queue
• Any number of clients

5
Protocol Steps
csifalse
Client Variables csarray of boolean
grantedfalse
REQUEST(i)
grantedtrue currenti
Server Variables grantedboolean currentinteger

GRANT(i)
csitrue
Queue Variables Q.typearray of
enum Q.nodearray of integer
csifalse
RELEASE(i)
grantedfalse
6
Verification Condition

• For distinct nodes, a and b prove that,
• Ø ( csa /\ csb )

7
Outline

• Motivation
• Predicate Abstraction
• Predicate Discovery
• Application to AODV
• Conclusion

8
Abstraction

• A finite set of predicates defines the
  abstraction
• Abstraction is conservative

Predicates bit1 csa bit2 csb
00
a
Abstract
cs lx. false Q.type lx. EMPTY
granted false
Concrete
g
cs lx. false Q.type lx. EMPTY
granted true
9
Abstraction (contd)

• Abstract transition relation is conservative
• Abstract next states must contain all concrete
  successors
• And possibly more states

Predicates bit1 csa bit2 csb
t
RA
s
Abstract
Example Let s10 and t11 g(s) contains a
state where a GRANT(b) message is in queue So we
have abstract transition from s to t!
g
g
Concrete
x
y
RC
10
Abstract Counter-Example

• If model checking fails an abstract
  counter-example produced
• Concrete transitions are present for each pair of
  consecutive abstract states
• But concrete counter-example may not be present!

Real Trace
Spurious Trace
g
g
Abstract
g
Concrete
y
z
x
y
11
Tool Block Diagram
Property
System
Proved!!!
Model Checker
Abstraction Module
Abstract counter-example
Predicates
CVC
BDD
Predicate Generator
Trace Checker
Concrete counter-example
CVC
12
History of Predicate Abstraction
And many more
Graf and Saidi CAV 97
Colon and Uribe CAV 98
Shankar and Saidi CAV 99
Das,Dill and Park CAV 99
Das and Dill LICS 2001
Flanagan et al POPL 2002
Saidi and Lessens ENTCS 97
SLAM Ball, Rajamani et al 2000-present
Henzinger et al POPL 02
Software Model Checking
Bensalem et al TACAS 01
Tiwari et al TACAS 01
InVeSt CAV 98
Invariant Generation
13
Outline

• Motivation
• Predicate Abstraction
• Predicate Discovery
• Application to AODV
• Conclusion

14
Predicate Discovery Example

• Rejoin action after the first iteration
• Current predicates are
• a in critical section csa
• b in critical section csb
• At least one GRANT message x. Q.typex
  GRANT

Send GRANT
Rec GRANT
Rec GRANT
init
000
xxx
001
111
011
Predicates bit1 csa bit2 csb bit3 x.
Q.typex GRANT
Is abstract trace spurious?
15
Predicate Discovery Example (contd)
Rec GRANT
Rec GRANT
Send GRANT
init
001
111
011
xxx
000
Minimal spurious trace found!
Predicates bit1 csa bit2 csb bit3 x.
Q.typex GRANT
16
Predicate Discovery Example (contd)
Rec GRANT
011
001
000
Ø csa
Ø csb
Q.typem1 GRANT
Q.typem2 GRANT
Q.nodem2 b
m1 ¹ m2
Predicates bit1 csa bit2 csb bit3 x.
Q.typex GRANT
These are the candidate predicates!
17
Predicate Discovery Example (contd)
Send GRANT
011
001
000
Ø csa
Ø csb
Predicates bit1 csa bit2 csb bit3 x.
Q.typex GRANT
Q.typem1 GRANT
Q.typem2 GRANT
Q.nodem2 b
m1 ¹ m2
Predicate added m1,m2.
Q.typem1GRANT /\ Q.typem2GRANT /\ m1 ¹ m2
18
Predicate Discovery Algorithm

• Step 1. Check if abstract counter-example is
  spurious
• Step 2. If not spurious, concrete error trace
  has been found.
• Otherwise find a minimal spurious
  trace
• Step 3. Solve non-spurious tail to find
  candidate predicates
• that characterize the second
  state of the minimal
• spurious trace
• Step 4. Find a minimal set from these
  predicates to
• construct new predicates

19
Outline

• Motivation
• Predicate Abstraction
• Predicate Discovery
• Application to AODV
• Conclusion

20
AODV Example

• Ad-hoc On-demand Distance Vector (AODV) routing
  protocol.
• Nodes can dynamically enter or leave the system.
• Routes are maintained so that the nodes can
  communicate.
• Important that routing table does not have loops.
• The method automatically proves the loop-freeness
  of a simplified version of the protocol.
• Protocol was simplified by not modeling timeouts
• Protocol highlights
• Routes are found by broadcasting request to
  neighbors
• Sequence number tracks route age
• Hop count tracks number of hops to destination

21
AODV Example
c
b
Message Queue
a

• Proof obligation If as next hop in route to c
  is b then either as sequence number is lower
  than that of b or the sequence numbers of a and b
  are the same but the hop count of a is higher
  than that of b
• Find predicates about messages present in the
  queue
• 20 predicates were found in 14 iterations before
  the proof was successfully completed

22
Outline

• Motivation
• Predicate Abstraction
• Predicate Discovery
• Application to AODV
• Conclusion

23
Conclusion

• Weakest pre-condition based abstraction
  refinement is useful
• Future Work
• Easily usable concrete error traces would aid
  debugging
• Better quantifier support would be nice
• Integration with other predicate generation
  schemes

24
End
25
Predicate Discovery (contd)

• Generalize abstract transition relation to test
  for spurious counter-example trace.
• Let counter-example trace be s1, s2, sM
• Concrete counter-example exists if,
• RC(x1,x2) /\ RC(x2,x3) /\ /\
  RC(xM-1,xM)
• /\ a(x1)s1 /\ a(x2)s2 /\ /\ a(xM)sM
• is satisfiable for some concrete states x1,
  x2, xM
• Notice that checking for spuriousness turns into
  a validity check that we use CVC to carry out!

26
Predicate Discovery (contd)

• Remove first state if the remainder is spurious
• Repeat till removing first state makes the
  remainder a real trace
• Do similar shortening at end of trace

Real Trace!
s5
s2
s4
s3
Real Trace!
27
Predicate Discovery (contd)

• Solve for conditions that must hold for the
  partial trace corresponding to s2, s3, s4, s5.
• The conditions on the concrete state x2 can be
  derived by finding a satisfying assignment for
• a(x2)s2 /\ a(x3)s3 /\ a(x4)s4 /\
  a(x5)s5
• /\ RC(x2,x3) /\ RC(x3,x4) /\ RC(x4,x5)
• Let the solution be the conjunction of
  predicates, s1(x2), s2(x2), , sL(x2)
• These are our candidate predicates!

28
Predicate Discovery (contd)

• For the candidate predicates it must be the case,
• s1(x2) /\ s2(x2) /\ sL(x2)
• /\ RC(x1,x2) /\ a(x1)s1
• Is unsatisfiable for all x1 and x2.
• Find a minimal subset of predicates (say s1 and
  s2 in this case) such that,
• s1(x2) /\ s2(x2)
• /\ RC(x1,x2) /\ a(x1)s1
• Is still unsatisfiable.
• Use s1 and s2 as predicates to refine the
  abstraction

29
Related Work

• Predicate Abstraction
• Graf and Saidi in CAV 1997
• Colon and Uribe in CAV 1998
• Flanagan and Qadeer in POPL 2002
• Counter-example guided refinement
• Alur et al in CAV 95
• Bensalem et al in CAV 98
• Lakhnech et al in TACAS 2001
• Tiwari et al in TACAS 2001
• Clark, Grumberg et al CAV 2000
• SLAM Project at MSR (POPL 2002)
• BLAST project at Berkeley (POPL 2002)

30
Implementation

• Binary Decision Diagrams (BDD) are used to
  represent abstract system and for model checking
• Cooperating Validity Checker (CVC) is used to
  check satisfiability
• CVC is a decision procedure for quantifier free
  first order logic
• Supported types in CVC include booleans,
  rationals, stores (unbounded arrays) and records
• Quantifier support
• Heuristics were used for quantifier instantiation

31
Verification Scheme
Concrete System
Property Verified!
Abstract and Model Check
Safety Property
Abstract Counter-example
Initial Predicates
Check Counter-example and Discover Predicates
New predicates
Concrete Counter-example
32
Predicate Discovery Intuition

• A spurious trace is an abstract trace with no
  concrete counterpart
• Real trace is one which has a concrete
  counterpart
• Predicates are added to remove spurious traces

x3
x2
x1
x2
New Predicate
Spurious counter-example is avoided in refined
abstraction!
33
Protocol Description

• Ruleset (msg)
• Receive REQUEST
• Ø granted /\ Q.typemsgREQUEST ?
• Q.typemsg GRANT
• granted true
• current Q.nodemsg
• Receive RELEASE
• granted /\ Q.typemsgRELEASE
• /\ Q.nodemsgcurrent ?
• Q.typemsg EMPTY
• granted false
• Server Rules

• Ruleset (cell,msg)
• Send REQUEST
• Ø cscell /\ Q.typemsgEMPTY ?
• Q.typemsgREQUEST
• Q.nodemsgcell
• Receive GRANT
• Ø cscell /\ Q.typemsgGRANT
• /\ Q.nodemsgcell ?
• Q.typemsgEMPTY
• cscelltrue
• Send RELEASE
• cscell /\ Q.typemsgEMPTY ?
• Q.typemsg RELEASE
• Q.nodemsg cell
• cscell false

Rule true ? Q.type lx. EMPTY
cs lx. false granted
false Initialization Rule