Veri cation-Modulo-Theory techniques · BMC, interpolation-based, k-induction, predicate...

transcript

Verification-Modulo-Theory techniquesBMC, interpolation-based, k-induction, predicate abstraction

and a new combination thereof

Stefano Tonetta

FBK-irst, Trento, Italy{tonettas}@fbk.eu

RichModels Workshop, Turin, 4 October 2011

S. Tonetta (FBK-irst) VMT techniques RichModels, 4 October 2011 1 / 28

Motivations I

VMT applied to support the development of embedded systems.

Industrial effort in model-based system engineering.

Validation and verification integrated in the development process.

Many languages used to describe requirements, system architectures,software and hardware components (UML, SysML, MARTE, CHESS,SystemC, Altarica, ...).

Formal approaches to validation and verification assign a formalsemantics to the design models.

Complexity of embedded systems:

Hundreds of functionsNetworked controlReal-time constraintsComplex execution model with mixture of real-time and event-basedtriggers

Motivations II

Transition systems are a generic formalism suitable to capture thepeculiarities of the different languages (a relational form is sometimesnecessary).

Symbolic representation allows compact and easy translations.

VMT reduces the verification to a (possibly infinite) series ofsatisfiability checks.

SMT is fundamental to increase the richness of the models.

Outline

1 Verification modulo theory

2 VMT techniques

3 VMT techniques with implicit predicate abstraction

4 Conclusions

Outline

2 VMT techniques

4 Conclusions

Symbolic transition systems

V : state variables.

V ′: next variables.

A symbolic transition system is a tuple S = 〈V , I ,T 〉 where:

I is a first order formula over V (called initial condition),T is a first order formula over V ∪ V ′ (called transition condition),

where the conditions are formulas of some decidable first-order logic.

Models are sequences π of assignments to V such that:

π0 |= I ,πi , π

′i+1 |= T , for all i , 0 ≤ i < |π|.

First-order transition systems

Refined definition.

Σ: first-order signature;

Σr ⊆ Σ signature of rigid symbols;

Σf = Σ \ Σr flexible symbols;

Σ′ = {s ′}s∈Σf: next symbols;

A first-order transition system is a tuple S = 〈Σ,Σr , I ,T 〉 where:

I is a Σ-formula,T is a Σ ∪ Σ′-formula.

T : a Σ-theory.

Models are sequences π of T -models with the same domain and sameinterpretation of the rigid symbols in Σr such that:

π0 |= I ,πi , π

′i+1 |= T , for all i , 0 ≤ i < |π|.

We keep the standard notation where V = Σf and Σr is omitted(assuming no functions, no parameters, ...).

First-order transition systems

Refined definition.

Σ: first-order signature;

Σr ⊆ Σ signature of rigid symbols;

Σf = Σ \ Σr flexible symbols;

Σ′ = {s ′}s∈Σf: next symbols;

A first-order transition system is a tuple S = 〈Σ,Σr , I ,T 〉 where:

I is a Σ-formula,T is a Σ ∪ Σ′-formula.

T : a Σ-theory.

Models are sequences π of T -models with the same domain and sameinterpretation of the rigid symbols in Σr such that:

π0 |= I ,πi , π

′i+1 |= T , for all i , 0 ≤ i < |π|.

We keep the standard notation where V = Σf and Σr is omitted(assuming no functions, no parameters, ...).

A hybrid system example

VARlocation : real;destination : real;timed : boolean;INITlocation≤destinationTRANS!timed →

(next(location)=location &next(destination)≥location)

TRANStimed →

(location=destination →next(location)=location)

TRANStimed →

Variables

TRANStimed →

Initial condition

TRANStimed →

Transition condition

Reachability modulo theory

Reachability

Given a transition system S , a theory T , and a formula φ, is there a finitesequence π of T -models such that:

π is a run of S ;

π|π| |= φ.

Language emptiness

Given a transition system S , a theory T , and a formula φ, is there aninfinite sequence π of T -models such that:

π is a run of S ;

πi |= φ for infinitely many i .

Undecidable.Sound but incomplete solution, no guarantee on termination.Focus on reachability, but the techniques can be easily adapted tofairness.

Reachability modulo theory

Reachability

Given a transition system S , a theory T , and a formula φ, is there a finitesequence π of T -models such that:

π is a run of S ;

π|π| |= φ.

Language emptiness

Given a transition system S , a theory T , and a formula φ, is there aninfinite sequence π of T -models such that:

π is a run of S ;

πi |= φ for infinitely many i .

Undecidable.Sound but incomplete solution, no guarantee on termination.Focus on reachability, but the techniques can be easily adapted tofairness.

Outline

2 VMT techniques

4 Conclusions

Symbolic model checking

VMT techniques are particular cases of Symbolic Model Checking(SMC)

SMC characteristics: manipulate formulas instead of states.

Typical operations are union, conjunction, sat, quantifier elimination.

VMT uses SMT:

SatisfiabilityIncrementalityModel extractionUnsat core extractionInterpolationQuantifier elimination / ALLSMT

Since quantifier elimination is expensive, many techniques are basedon sat only.

Determine if φ is reachable in k steps.

State variables replicated k + 1 times: V 0,V 1, . . . ,V k−1,V k .

Given ψ(V ), denote ψ[V i/V ] with ψi .

Given ψ(V ,V ′), denote ψ[V i/V ,V i+1/V ′] with ψi .

Encoding of an initial path reaching φ:

I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

Incremental approach:I 0 ∧ φ0

I 0 ∧ T 0 ∧ φ1

I 0 ∧ T 0 ∧ T 1 ∧ φ2

. . .I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

Interpolation-based model checking

If A ∧ B |= ⊥, the Craig interpolant of A ∧ B is a formula I such that|= A→ I , B ∧ I |= ⊥, and which contains only variables common toA and B.

Interpolation-based model checking:

1 I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

2 I 01 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

3 ... until fixpoint.

If sat with abstract initial states, k is increased.

1 I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk I1 interpolant over-approximating the reachable states

2 I 01 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

1 I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk2 I 0

1 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

I23 ... until fixpoint.

1 I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk2 I 0

1 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk I2

1 I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk2 I 0

1 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk

K-induction

K-induction proves that if a set of states is not reachable in k steps,then it is not reachable at all.

It consists of a base step (bounded reachability problem), and aninductive step.

Two ways:check if the initial states cannot reach new states in k + 1 stepscheck if the target set of states cannot be reached in k + 1 steps.

Solved by means of satisfiability.

kindfwk := I 0 ∧ T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧∧

0≤i<j≤kV i 6= V j

kindbwk,φ := T 0 ∧ T 1 ∧ . . . ∧ T k−1 ∧ φk ∧∧

0≤i<j≤kV i 6= V j

If, for all i ≤ k, BMCi ,φ is unsat and, either kindfwk+1 or kindbwk+1,φ

is unsat as well, then φ is not reachable in S .

Predicate abstraction

Existential abstraction

Iα(V ) := ∃V (I (V ) ∧ Hα(V , V ))

Tα(V , V ′) := ∃V∃V ′(T (V ,V ′) ∧Hα(V , V ) ∧ Hα(V ′, V ′))

Predicate abstraction: abstract state-space is described with a set ofpredicates P.

Each predicate is represented by an abstract variable (VP = {vP}P∈P).

Abstract relation:HP(V ,VP) :=

∧P∈P vP ↔ P(V )

Quantifier elimination with ALL-SMT.

CEGAR loop

Transitionsystem Abstraction Model Checking No violations

Simulation Real bugRefinement

Counter-example π

Spurious

Outline

2 VMT techniques

4 Conclusions

General idea

Key idea

Encode the abstract path in terms of concrete variables.

An abstract path encoding represents a sequence of disconnectedtransitions where every gap lays in the same abstract state.Equivalence induced by abstraction:

s, s |= EQα iff two concrete states correspond to the same abstract one.In the case of predicate abstraction:

EQP(V ,V ) := ∃V (∧P∈P

vP ↔ P(V ) ∧∧P∈P

vP ↔ P(V ))

≡∧P∈P

P(V )↔ P(V )

Abstract encodings

We use EQα to provide abstract versions of the formulas used forBMC and k-induction.

Abstract path:

PATHα,k :=∧

1≤h<k(T (Vh−1,V h) ∧ EQα(V h,Vh)) ∧ T (Vk−1,V k)

The encoding represents a sequence of disconnected transitions whereevery gap lays in the same abstract state.

Path encoding

Rational

Embed the definition of the abstraction in the encoding of BMC andk-induction.

Consider the BMC encoding of the abstract system:

Iα(V0) ∧ Tα(V0,V1) ∧ · · · ∧ Tα(Vk−1,Vk) ∧ φα(Vk)

If we substitute Iα, Tα, and φα with their definitions, we obtain:

∧ Hα(V 0, V0) ∧ T (V 0,V1) ∧ Hα(V1, V1) ∧ · · · ∧Hα(V k−1, Vk−1) ∧ T (V k−1,Vk) ∧ Hα(Vk , Vk) ∧ Hα(V k , Vk) ∧ φ(V k)

Note that the scope of abstract variables Vi is limited to two copiesof the abstraction relation.

Path encoding

Rational

Iα(V0) ∧ Tα(V0, V1) ∧ · · · ∧ Tα(Vk−1, Vk) ∧ φα(Vk)

Path encoding

Rational

Path encoding

Rational

Abstract system

- Iα(V ) := ∃V (I (V ) ∧ Hα(V , V ))- Tα(V , V ′) := ∃V∃V ′(T (V ,V ′) ∧ Hα(V , V ) ∧ Hα(V ′, V ′))- Fα(V ) := ∃V (F (V ) ∧ Hα(V , V ))- φα = ∃V (φ(V ) ∧ Hα(V , V ))

Path encoding

Rational

Abstract system

I (V0) ∧ Hα(V0, V0)

Path encoding

Rational

Abstract system

I (V0) ∧ Hα(V0, V0) ∧ Hα(V 0, V0) ∧ T (V 0,V1) ∧ Hα(V1, V1)

∧ · · · ∧Hα(V k−1, Vk−1) ∧ T (V k−1,Vk) ∧ Hα(Vk , Vk) ∧ Hα(V k , Vk) ∧ φ(V k)

Path encoding

Rational

Abstract system

I (V0) ∧ Hα(V0, V0) ∧ Hα(V 0, V0) ∧ T (V 0,V1) ∧ Hα(V1, V1) ∧ · · · ∧Hα(V k−1, Vk−1) ∧ T (V k−1,Vk) ∧ Hα(Vk , Vk)

∧ Hα(V k , Vk) ∧ φ(V k)

Path encoding

Rational

Abstract system

I (V0) ∧ Hα(V0, V0) ∧ Hα(V 0, V0) ∧ T (V 0,V1) ∧ Hα(V1, V1) ∧ · · · ∧Hα(V k−1, Vk−1) ∧ T (V k−1,Vk) ∧ Hα(Vk , Vk) ∧ Hα(V k , Vk) ∧ φ(V k)

Path encoding

Rational

I (V0) ∧ Hα(V0, V0) ∧ Hα(V 0, V0) ∧ T (V 0,V1) ∧ Hα(V1, V1) ∧ · · · ∧Hα(V k−1, Vk−1) ∧ T (V k−1,Vk) ∧ Hα(Vk , Vk) ∧ Hα(V k , Vk) ∧ φ(V k)

Path encoding

Rational

I (V0) ∧ EQα(V0,V 0) ∧ T (V 0,V1) ∧ Hα(V1, V1) ∧ · · · ∧Hα(V k−1, Vk−1) ∧ T (V k−1,Vk) ∧ EQα(Vk ,V k) ∧ φ(V k)

Abstract model checking

Abstract BMC:BMCα,k,φ := I (V0)∧EQα(V0,V 0)∧ PATHα,k ∧EQα(Vk ,V k)∧φ(Vk)

Abstract simple path:SIMPLEPATHα,k := PATHα,k ∧

∧0≤i<j≤k ¬EQα(Vi ,Vj)

Abstract forward simple path:

kindfwα,k := I (V0) ∧ EQα(V0,V 0) ∧ SIMPLEPATHα,k

Abstract backward simple path:

kindbwα,k,φ := SIMPLEPATHα,k ∧ EQα(Vk ,V k) ∧ φ(Vk)

If, for all i ≤ k, BMCα,i ,φ is unsat and, either kindfwα,k+1 or

kindbwα,k+1,φ is unsat as well, then φ is not reachable in S .

Abstraction refinement

Incremental abstraction: exploiting EQP∪P′ = EQP ∧ EQP′

Incremental concretization:

TEQ EQ

= = ==

Predicate discovery based on interpolation.

TEQ EQ

= = ==

TEQ EQ

= = ==

TEQ EQ

= = ==

TEQ EQ

= = ==

Outline

2 VMT techniques

4 Conclusions

Conclusions

In this talk: BMC, k-induction, interpolation, predicate abstractionand combination thereof.

At FBK, we work both on VMT engine and applications:

hybrid verification (Mover’s thesis),software verification (Kratos model checker),requirements validation and safety assessment for expressive logic.

Better to avoid quantifier elimination new VMT techniques.

Other SAT-based techniques not described: interpolation-sequenceand IC3.

Veri cation-Modulo-Theory techniques · BMC, interpolation-based, k-induction, predicate...

Documents