Date post: | 18-Jan-2018 |
Toward Unbounded Model Checking for Region Automata Fang Yu, Bow-Yaw Wang
Institute of Information Science, Academia Sinica, Taiwan
Introduction
Symbolic model checking with Binary Decision Diagrams (BDDs)
• BDD-based model checkers: sequential circuits, protocols, …
• System and specification
• BDDs may grow exponentially
SAT-based Model Checking
Bounded Model Checking, Biere et al. [BCCFZ99]: Boolean formula satisfiability
Unrolling n steps: I(B0) ∧ (B0 → B1) ∧ (B1 → B2) ∧ … ∧ (Bn-1 → Bn)
Pros:
• Powerful SAT solvers developed, many heuristic approaches
• Capable of hundreds of thousands of variables and millions of clauses
A powerful support for verifying large systems!
Motivation
SAT-based model checking from discrete systems to real-time systems
Challenges:
• From infinite to boolean: the region graph [YWH04] gives a simple and precise transition relation, so BMC runs efficiently
• Large reachability diameter: a correctness guarantee is infeasible
• From bounded to unbounded: induction, Sheeran et al. (2000), for discrete systems
Tool: xBMC
Real-Time System
Discrete variables plus dense-time clocks: clocks range over the real domain, increase at a uniform rate, and can be reset
Timed Automata
Alur et al. (1990). A timed automaton is a tuple <D, X, A, E, I>:
• D: a set of discrete variables
• X: a set of clocks
• A: a set of actions; each action is a series of discrete variable assignments
• E: a set of edges; each edge is associated with a guard condition, an action, and a set of clocks to reset
• I: an initial condition
Timed Automata
State <s, ν>: a discrete interpretation s: D → N together with a clock interpretation ν: X → R≥0
Transitions:
• Time elapse: <s, ν> → <s, ν'>, where ν' advances every clock by the same positive real
• Edge fire: <s, ν> →e <s', ν'>, where the guard of e holds in <s, ν>, s' is s updated by the action of e, and ν' is ν with the reset clocks of e set to 0
Region Automata
Alur et al. (1990): equivalence class [ν] of clock interpretations with the same integral parts and the same fractional ordering
Region graph
• State: <s, [ν]>
• Transition, time elapse: <s, [ν]> → <s, succ([ν])>
• Transition, edge fire: <s, [ν]> →e <s', [ν']>
Region Encoding
For each clock X with ceiling Cx, an integer Xd in 0..Mx (Mx = 2Cx + 1):
• Xd is even: a point
• Xd is odd: an open interval
• Xd is Mx: X > Cx
Example, Cx = 3: Xd = 0 1 2 3 4 5 6 7 (Mx) ↔ [0,0] (0,1) [1,1] (1,2) [2,2] (2,3) [3,3] (3,∞)
Example: Xd = 3, Yd = 5, Zd = 4, Xf < Yf
Each odd pair (two clocks in open intervals) carries a fraction relation, e.g. Xf > Yf, Xf > Zf, Yf > Zf

Successor Relation Encoding
• Xd is even, Yd is odd or My: Xd' = Xd + 1, Yd' = Yd, Xf' < Yf'
• Xd is even, Yd is even: Xd' = Xd++, Yd' = Yd++, Xf' = Yf'
• Xd is odd, Yd is odd, and Xf < Yf: Xd' = Xd, Yd' = Yd++
Two-clock system: succ_xy as above
Multi-clock system: succ is the pair conjunction of succ_xy over all clock pairs, plus a stuttering condition [YWH2004]
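As an added illustration (not code from the slides or from xBMC), the following Python encodes a clock valuation into the (Xd, fraction-order) region representation above and computes succ([ν]) for any number of clocks, generalising the three two-clock rules; the clock names and ceilings are constructed for the example.

```python
from fractions import Fraction
from math import floor

# Constructed example (not from the slides): clock ceilings Cx = 3, Cy = 5, Cz = 3.
CEILINGS = {"x": 3, "y": 5, "z": 3}

def encode_region(valuation, ceilings):
    """Region of a clock valuation {clock: value} in the slides' encoding.
    d[c] = 2k   : clock c sits exactly on the integer point k
    d[c] = 2k+1 : clock c lies in the open interval (k, k+1)
    d[c] = 2C+1 : clock c exceeds its ceiling C (the value the slides call Mx)
    frac_order  : clocks in open intervals, grouped by equal fractional part, ascending."""
    d, fracs = {}, {}
    for c, v in valuation.items():
        v, cap = Fraction(v), ceilings[c]
        if v > cap:
            d[c] = 2 * cap + 1
            continue
        k = floor(v)
        d[c] = 2 * k if v == k else 2 * k + 1
        if v != k:
            fracs.setdefault(v - k, []).append(c)
    frac_order = [sorted(fracs[f]) for f in sorted(fracs)]
    return d, frac_order

def time_successor(d, frac_order, ceilings):
    """succ([v]): the region reached next by letting time elapse."""
    d = dict(d)
    points = [c for c in d if d[c] % 2 == 0]          # Mx = 2C+1 is odd, so never a point
    if points:
        # Rule "Xd is even": point clocks move into the following open interval with the
        # smallest fraction (Xf' < Yf'); point clocks moving together tie (Xf' = Yf').
        # A point clock at its ceiling (2C) becomes Mx = 2C+1 and carries no fraction.
        entering = sorted(c for c in points if d[c] < 2 * ceilings[c])
        for c in points:
            d[c] += 1
        return d, ([entering] if entering else []) + [list(g) for g in frac_order]
    if not frac_order:
        return d, []                                   # all clocks beyond ceiling: stable region
    # Rule "Xd odd, Yd odd, Xf < Yf": the clocks with the largest fraction reach the next integer
    *rest, top = frac_order
    for c in top:
        d[c] += 1
    return d, [list(g) for g in rest]

def same_region(v1, v2, ceilings):
    """Two valuations are region-equivalent iff they encode identically."""
    return encode_region(v1, ceilings) == encode_region(v2, ceilings)
```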
Transition
One-step condition T = T0 ∨ ∨e Te:
• Time elapse T0: s' = s and [ν'] = succ([ν])
• Edge fire Te: the guard, action and resets of edge e
Reachability Analysis
BoundedFwdReach(I, R, →, MaxBound)
  var i: 0..MaxBound;
  begin
    i := 0; F := I(B0);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F ∧ R(Bi))) return reachable;
      F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1);
      i := i + 1;
  end.
Results of each step are added until termination
Theorem
Given a TA having n regions, BoundedFwdReach() is sound and complete when MaxBound ≥ n.
The number of regions is prohibitively high to reach!
• This is the worst case of reachability diameters
• A better option is the number of steps of the longest shortest path
→ Loop-free termination
Loop-Free Reachability Analysis
LFFwdReach(I, R, →, MaxBound)
  var i: 0..MaxBound;
  begin
    i := 0; F := I(B0);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F ∧ R(Bi))) return reachable;
      F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1) ∧ (∧j<i+1 Bj ≠ Bi+1);
      if (not SAT(F)) return unreachable by loop-free;
      i := i + 1;
  end.
Loop-free restrictions are added to enforce searching distinct states
1. A loop-free path is a shortest path
2. Completeness is preserved
Solve the problem?
• The tightest bound may still be too high to reach!
• Can we prove correctness without considering the diameter?
Construct an induction proof!
Simple Induction
Prove P always holds by an induction proof:
• Prove that P(0) is true (basis)
• Prove that for all k, P(k) implies P(k+1) (inductive step)
Formal verification:
• P holds in the initial states
• P is maintained by the transition relation
Constraints:
• I(B0) ∧ ¬P(B0) is unsatisfiable
• For all k, P(Bk) ∧ (Bk → Bk+1) ∧ ¬P(Bk+1) is unsatisfiable
• Sound
• When it succeeds, induction is able to handle larger models
• However, in many cases, simple induction is infeasible
Windowed Induction
An induction proof (window size N):
• Prove that for 0 ≤ k ≤ N, P(k) is true
• Prove that for all k, (P(k) ∧ … ∧ P(k+N)) implies P(k+N+1)
Formal verification:
• P holds in all paths of length N starting from an initial state
• For an arbitrary path of length N+1, if P holds in its N+1 states, then it holds in state N+2 too
Constraints:
• I(B0) ∧ (B0 → B1) ∧ … ∧ (BN-1 → BN) ∧ ¬(P(B0) ∧ … ∧ P(BN)) is unsatisfiable
• For all k, P(Bk) ∧ (Bk → Bk+1) ∧ P(Bk+1) ∧ (Bk+1 → Bk+2) ∧ … ∧ P(BN+k) ∧ (BN+k → BN+k+1) ∧ ¬P(BN+k+1) is unsatisfiable
Inductive Reachability Analysis
Given I, R, → (risk condition R; invariant property ¬R)
Reachability: I(B0) ∧ (B0 → B1) ∧ (B1 → B2) ∧ …, asking R(B0)? R(B1)? R(B2)? …
• If satisfiable, the risk state is reachable; else the basis is constructed and we go on
Induction: ¬R(B0) ∧ (B0 → B1) ∧ ¬R(B1) ∧ (B1 → B2) ∧ ¬R(B2) ∧ (B2 → B3) ∧ …, asking R(B1)? R(B2)? R(B3)? …
• If unsatisfiable, the risk state is unreachable; else we go on
Inductive Reachability Analysis
IndFwdReach(I, R, →)
  var i: 0..N;
  begin
    i := 0; F := I(B0);
    loop forever
      if (not SAT((F \ I) ∧ R(Bi))) return unreachable by induction;
      if (SAT(F ∧ R(Bi))) return reachable;
      F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1) ∧ (∧j<i+1 Bj ≠ Bi+1);
      if (not SAT(F)) return unreachable by loop-free;
      i := i + 1;
  end.
The negation of the risk condition is inserted to:
1. Retain previous efforts
2. Build the constraint of the inductive step
F \ I: remove the clauses of the initial condition from F
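An added explicit-state rendering of IndFwdReach (example code, not xBMC's): every SAT() query is answered by enumerating loop-free paths, the list `from_init` stands for F and `anywhere` for F \ I; the MaxBound argument and the small transition system are assumptions of the example, constructed so that each of the three verdicts can be exercised.

```python
def extend_loop_free(paths, trans):
    """F := F ∧ (Bi → Bi+1) ∧ ∧_{j<=i} (Bj ≠ Bi+1): one more transition, revisits discarded."""
    return [p + (t,) for p in paths for t in trans.get(p[-1], ()) if t not in p]

def ind_fwd_reach(states, init, trans, risk, max_bound):
    """Return (verdict, step) for the risk predicate on the finite system (states, init, trans).
    `from_init` plays F (paths from an initial state); `anywhere` plays F \\ I (the same
    loop-free, risk-avoiding constraints, but starting from any state)."""
    from_init = [(s,) for s in init]          # F := I(B0)
    anywhere = [(s,) for s in states]         # F \ I: initial-condition clauses dropped
    for i in range(max_bound + 1):
        # not SAT((F \ I) ∧ R(Bi)): no loop-free path of i risk-free states can end in risk
        if not any(risk(p[-1]) for p in anywhere):
            return "unreachable by induction", i
        # SAT(F ∧ R(Bi)): a genuine path from an initial state reaches a risk state
        if any(risk(p[-1]) for p in from_init):
            return "reachable", i
        # F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1) ∧ loop-free constraints
        from_init = extend_loop_free([p for p in from_init if not risk(p[-1])], trans)
        anywhere = extend_loop_free([p for p in anywhere if not risk(p[-1])], trans)
        if not from_init:                     # not SAT(F)
            return "unreachable by loop-free", i
    return "unreachable within bound", max_bound

# Constructed system: a 4-state ring reachable from state 0, an unreachable 2-state ring {4, 5},
# and an unreachable chain 10 -> 11 -> ... -> 15 whose loop-free paths are longer than the ring's.
STATES = list(range(6)) + list(range(10, 16))
TRANS = {0: [1], 1: [2], 2: [3], 3: [0], 4: [5], 5: [4],
         10: [11], 11: [12], 12: [13], 13: [14], 14: [15], 15: [15]}
```

With risk = {5}, the induction step closes at i = 2 (no risk-free state leads into 4); with risk = {15}, induction keeps failing along the chain, but all loop-free paths from 0 are exhausted at i = 3.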
Implementation
• Standard bit encoding
• A circuit representation
• xBMC makes use of zChaff
• xBMC 2.0 supports real-time systems
• xBMC 1.0 supports discrete systems, and has been used to verify program security (DSN2004)
Experiments
A simplified client model of CorSSO [JSS04]
• P: the id of the chosen policy
• A: a bounded integer recording the number of collected authentications
• X, Y: local clocks
Safety property: for every client i, Access[i] implies that the chosen policy k ≠ 0 has P[i] = k and A[i] > THk
A bug was inserted by mistyping TH2 to TH1 in transition 3. The number of clients is then increased.
Locations: Authentication, Access. Edges:
• P := {1,2}; A := 0; reset {X,Y}
• P ≠ 0 ∧ X > TA ∧ A < MxA → A := A+1; reset {X}
• Y < TE ∧ ((P=1 ∧ A>TH1) ∨ (P=2 ∧ A>TH2)) → P := 0
Time Performance (sec)

# of processes | Correctness Guarantee: RED 5.0 | xBMC 2 | Bug Hunting: RED 5.0 | xBMC 2
3  | 2.71     | 0.03   | 2.64     | 28.6
5  | 89.25    | 0.26   | 85.23    | 97.54
7  | 1076.37  | 0.59   | 990.16   | 268.71
9  | 7169.19  | 4.94   | 6545.04  | 722.81
11 | 33201.08 | 12.38  | 30722.57 | 746.34
12 | T/O      | 17.81  | T/O      | O/M
20 | N/A      | 185.45 | N/A      | O/M
25 | N/A      | 484.78 | N/A      | O/M

T/O: time out (>60000s), O/M: out of memory, N/A: not available. TA=1, TE=10, TH1=2, TH2=3. P1.7 GHz, 256M, Linux
• Induction proofs with window size 3 are constructed
• All bugs are found at the 12th step
• RED run against default values (sec)
Related Works
General zones/polyhedra: Seshia and Bryant (CAV'03)
• Unbounded, fully symbolic model checking
• Quantified separation logic to quantified Boolean formula
• Tool: TMV (CUDD); no SAT-based model checker available
Discretization of region automata: Penczek, Wozna and Zbrzezny (FTRTFT'02)
• Reachability analysis
• Divide a time unit into 2n segments
• Tool: BBMC
Compared to BBMC (Fischer's Mutual Exclusion, A=1, B=2)

# of P | BBMC-RG # of variables | # of clauses | BBMC-ARG # of variables | # of clauses | xBMC 2 # of variables | # of clauses
2  | 5,434   | 15,197    | 5,533   | 15,102    | 4,502   | 13,770
5  | 37,488  | 110,471   | 30,851  | 90,079    | 22,577  | 77,948
10 | 171,229 | 513,965   | 126,801 | 379,470   | 83,652  | 300,176
15 | 358,999 | 1,081,790 | 311,501 | 942,085   | 182,842 | 645,297
20 | 824,374 | 2,493,481 | 556,987 | 1,686,384 | 321,347 | 1,150,023

• BBMC's data directly copied from [WPZ03] "Checking reachability properties for timed automata via SAT."
• BBMC-ARG: forward projection is applied
• BBMC found the witness at the 12th iteration
• xBMC 2 found the witness at the 15th iteration
Conclusion
We try to migrate the success of discrete-system verification to timing behavior analysis:
• Bounded model checking techniques
• Induction algorithms
• Discretization of region automata
Therefore, we get the best of both worlds: a correctness proof, and the ability to handle large real-time systems
Primitive experiments show some promise in correctness guarantee as well as bug hunting

Limitation and Future Work
Using the region graph
• Pros: simple and precise transition relation; BMC is efficient; tight induction step
• Cons: a minor step might imply a deeper diameter
Correctness might be proved by induction, but once induction fails or bugs exist at a deep depth, what can we do?
Future work:
• Invariant strengthening [MRS03]
• Interpolation [McMillan03]
• Abstraction
• Case study