
BMCMT: Bounded Model Checking of TLA+ Specifications with SMT (PowerPoint presentation)



  1. BMCMT: Bounded Model Checking of TLA+ Specifications with SMT
     Jure Kukovec, Igor Konnov, Thanh Hai Tran
     Work in progress
     TLA+ Community Event, Oxford, UK, July 2018

  2. APALACHE: Abstraction-based Parameterized TLA+ Checker
     A.1 TLA+ patterns repository
     B.1 TLA+ decision procedures; B.2 TLA+ predicate abstraction; B.3 TLA+ abstraction refinement
     C.1 Techniques for parameterized fault-tolerant designs; C.2 Parameterized abstraction refinement; C.3 Multi-model TLA+ designs
     D.1 Verification of finite-state TLA+ designs; D.2 Verification of parameterized TLA+ designs; D.3 Integration with the TLA+ proof system
     Almost automated verification: using the user input in a sound way
     (Igor Konnov, slide 7 of 56)

  3. TLA+
     First-order logic with sets (ZFC)
     Temporal operators: [] (always), <> (eventually), ~> (leads-to); no Nexttime operator
     Syntax for operations on sets, functions, tuples, records
     TLA+ Proof System: TLAPS
     Explicit-state model checker: TLC

  4. What is hard about TLA+?
     Rich data: sets of sets, functions, records, tuples, sequences
     No types
     No imperative statements like assignments
     No standard control flow
     TLA+ is not a programming language

  5. In this talk:
     - a model checker like TLC, but symbolic
     - no abstractions
     - nothing parameterized

  6. Our short-term goal
     A symbolic model checker that works under the assumptions of TLC:
     - fixed and finite constants (parameters)
     - finite sets, function domains and co-domains
     - TLC restrictions on formula structure
     - as few language restrictions as possible
     Technically: quantifier-free formulas in SMT, obtained by unfolding quantified expressions, e.g. $\forall x \in S : P$ as $\bigwedge_{c \in S} P[c/x]$

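The unfolding step above, worked through as an added example (this is illustration code written for this page, not the talk's tool or BMCMT's encoding). Formulas are nested Python tuples; `unfold` rewrites every bounded quantifier whose domain is a known finite set into the conjunction (for $\forall$) or disjunction (for $\exists$) of the instantiated bodies, `smtlib` prints the quantifier-free result, and `evaluate` is a reference semantics used to confirm that unfolding preserves truth on constructed states. The constants are the ring from the module on the later slides; the formula is its `IsIndependent`. Assumptions of the example: only domains that evaluate to constant sets (here `Nodes` and the constant `Nb`) are enumerated, and status values are printed as bare SMT-LIB symbols that a real encoding would have to declare.

```python
"""Unfolding bounded quantifiers over finite sets into quantifier-free formulas.

Formula tuples (example's own representation):
  ("forall"|"exists", x, S, body)   bounded quantifier over the set S
  ("and"|"or", f1, f2, ...)  ("not", f)  ("ne", a, b)  ("gt", a, b)
  ("var", name)  ("const", value)  ("app", fname, arg)   i.e. fname[arg]
"""

# Constants of the module on the later slides: a ring (a triangle for N = 3).
N = 3
def pred(n):
    return n - 1 if n > 1 else N
def succ(n):
    return n + 1 if n < N else 1
CONSTS = {"Nodes": frozenset(range(1, N + 1)),
          "Nb": {n: frozenset({pred(n), succ(n)}) for n in range(1, N + 1)}}

# IsIndependent == \A u \in Nodes : \A v \in Nb[u] : status[u] # "winner" \/ status[v] # "winner"
IS_INDEPENDENT = (
    "forall", "u", ("var", "Nodes"),
    ("forall", "v", ("app", "Nb", ("var", "u")),
     ("or", ("ne", ("app", "status", ("var", "u")), ("const", "winner")),
            ("ne", ("app", "status", ("var", "v")), ("const", "winner")))))

def subst(f, x, c):
    """P[c/x]: replace the free variable x by the constant c."""
    tag = f[0]
    if tag == "var":
        return ("const", c) if f[1] == x else f
    if tag == "const":
        return f
    if tag == "app":
        return ("app", f[1], subst(f[2], x, c))
    if tag in ("forall", "exists"):
        _, y, dom, body = f
        # the domain lies outside the binder; the body only if y does not shadow x
        return (tag, y, subst(dom, x, c), body if y == x else subst(body, x, c))
    return (tag,) + tuple(subst(a, x, c) for a in f[1:])

def eval_set(dom, consts):
    """Evaluate a domain to a concrete finite set.  ASSUMPTION of this example:
    only constant sets and constant functions applied to constants are enumerable."""
    if dom[0] == "var" and dom[1] in consts:
        return frozenset(consts[dom[1]])
    if dom[0] == "app" and dom[1] in consts and dom[2][0] == "const":
        return frozenset(consts[dom[1]][dom[2][1]])
    raise ValueError(f"domain is not a known finite set: {dom!r}")

def unfold(f, consts):
    """\\A x \\in S : P  becomes  /\\ over c in S of P[c/x];  \\E becomes \\/ ."""
    tag = f[0]
    if tag in ("forall", "exists"):
        _, x, dom, body = f
        instances = [unfold(subst(body, x, c), consts) for c in sorted(eval_set(dom, consts))]
        return ("and" if tag == "forall" else "or",) + tuple(instances)
    if tag in ("and", "or", "not"):
        return (tag,) + tuple(unfold(a, consts) for a in f[1:])
    return f                      # atoms contain no quantifiers

def smtlib(f):
    """Print a quantifier-free formula as an SMT-LIB term."""
    tag = f[0]
    if tag in ("const", "var"):
        return str(f[1])
    if tag == "app":
        return f"({f[1]} {smtlib(f[2])})"
    if tag == "not":
        return f"(not {smtlib(f[1])})"
    if tag == "ne":
        return f"(not (= {smtlib(f[1])} {smtlib(f[2])}))"
    if tag == "gt":
        return f"(> {smtlib(f[1])} {smtlib(f[2])})"
    if tag in ("and", "or"):
        args = f[1:]
        if not args:              # empty domain: \A is TRUE, \E is FALSE
            return "true" if tag == "and" else "false"
        if len(args) == 1:
            return smtlib(args[0])
        return f"({tag} {' '.join(smtlib(a) for a in args)})"
    raise ValueError(f"{tag}: unfold quantifiers before printing")

def evaluate(f, state, consts, env=None):
    """Reference semantics on a concrete state (dict of function-valued variables)."""
    env = env or {}
    tag = f[0]
    if tag == "const":
        return f[1]
    if tag == "var":
        return env[f[1]] if f[1] in env else consts[f[1]]
    if tag == "app":
        fn = state[f[1]] if f[1] in state else consts[f[1]]
        return fn[evaluate(f[2], state, consts, env)]
    if tag in ("forall", "exists"):
        _, x, dom, body = f
        quant = all if tag == "forall" else any
        return quant(evaluate(body, state, consts, {**env, x: c})
                     for c in evaluate(dom, state, consts, env))
    if tag == "and":
        return all(evaluate(a, state, consts, env) for a in f[1:])
    if tag == "or":
        return any(evaluate(a, state, consts, env) for a in f[1:])
    if tag == "not":
        return not evaluate(f[1], state, consts, env)
    left, right = (evaluate(a, state, consts, env) for a in f[1:])
    return left != right if tag == "ne" else left > right

def count(f, tag):
    """Number of nodes carrying `tag`, to inspect the shape of an unfolded formula."""
    return (f[0] == tag) + sum(count(a, tag) for a in f[1:] if isinstance(a, tuple))

def agree(f, states, consts):
    """True iff f and unfold(f) have the same truth value in every given state."""
    g = unfold(f, consts)
    return all(evaluate(f, st, consts) == evaluate(g, st, consts) for st in states)
```

For the triangle, the two nested quantifiers of `IsIndependent` become a conjunction of three conjunctions with six `or` atoms in total; the inner domain `Nb[u]` only becomes enumerable after the outer substitution has turned it into `Nb[1]`, `Nb[2]`, `Nb[3]`. A domain that depends on a state variable, such as `msgs'[u]` in `IsWinner`, is rejected by `eval_set`: enumerating it needs the solver's view of the state, which is exactly what a symbolic checker has to encode and this example does not.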

  8. An example

  9. Maximal Independent Set
     (figure: an undirected graph on the nodes 1, 2, 3, 4)
     Classical distributed problem [Lynch, Ch. 4]
     N processes placed in the nodes of an undirected graph (V, E)
     Processes exchange messages in synchronous rounds
     Goal: find a maximal independent set $I \subseteq V$:
       (1) $(u, v) \in E \rightarrow u \notin I \lor v \notin I$ for $u, v \in V$
       (2) every larger set $I' \supset I$ violates (1)
     Example: I = {1, 3}


  11. LubyMIS: a randomized distributed algorithm [Lynch, p. 73]
      Every process cyclically executes three rounds: 1, 2, 3, 1, 2, 3, ...
      Round 1: a process i randomly picks a value val[i] in 1..N^4; if val[i] > val[k] for every neighbor k of i, then i sends "winner" to the neighbors of i
      Round 2: if a process i receives "winner", it becomes a "loser" and sends "loser" to the neighbors
      Round 3: a process i removes the losers from its neighbors; if i is a winner or a loser, it falls asleep


  15. module mis (the complete specification on one slide; Init, Round1, Round2, Round3 and their helper operators are shown separately on slides 16 to 19)

      ---------------------------- MODULE mis ----------------------------
      EXTENDS Integers, TLC

      N == 3
      N4 == 81                                   \* N^4
      Nodes == 1..N

      VARIABLES Nb, round, val, awake, rem_nbrs, status, msgs

      Pred(n) == IF n > 1 THEN n - 1 ELSE N
      Succ(n) == IF n < N THEN n + 1 ELSE 1

      Next ==
        /\ round' = 1 + (round % 3)
        /\ Round1 \/ Round2 \/ Round3
        /\ UNCHANGED <<Nb>>

      IsIndependent ==
        \A u \in Nodes : \A v \in Nb[u] :
          status[u] # "winner" \/ status[v] # "winner"

      Terminated == \A n \in Nodes : awake[n] = FALSE
      ====================================================================
      \* Modification History
      \* Last modified Mon Jul 16 19:35:37 CEST 2018 by igor
      \* Created Sun Jul 15 17:03:47 CEST 2018 by igor

  16. Declaration and initialization

      EXTENDS Integers

      N == 3
      N4 == 81
      Nodes == 1..N

      VARIABLES Nb, round, val, awake, rem_nbrs, status, msgs

      Pred(n) == IF n > 1 THEN n - 1 ELSE N
      Succ(n) == IF n < N THEN n + 1 ELSE 1

      Init ==
        /\ Nb = [n \in Nodes |-> {Pred(n), Succ(n)}]    (* a ring of size N *)
        /\ round = 1
        /\ val \in [Nodes -> 1..N4]
        /\ awake = [n \in Nodes |-> TRUE]
        /\ rem_nbrs = Nb
        /\ status = [n \in Nodes |-> "unknown"]
        /\ msgs = {}

  17. Round 1

      Senders(u) == {v \in Nodes : u \in rem_nbrs[v] /\ awake[v]}
      SentValues(u) == {val'[w] : w \in Senders(u)}
      IsWinner(u) == \A v \in msgs'[u] : val'[u] > v

      Round1 ==
        /\ round = 1
        /\ val' \in [Nodes -> 1..N4]    (* non-determinism instead of randomness *)
        /\ msgs' = [u \in Nodes |-> SentValues(u)]
        /\ status' = [n \in Nodes |->
                        IF awake[n] /\ IsWinner(n) THEN "winner" ELSE status[n]]
        /\ UNCHANGED <<rem_nbrs, awake>>

  18. Round 2

      SentWinners(u) ==
        IF \E w \in Senders(u) : awake[w] /\ status[w] = "winner"
        THEN {"winner"}
        ELSE {}
      IsLoser(u) == "winner" \in msgs'[u]

      Round2 ==
        /\ round = 2
        /\ msgs' = [u \in Nodes |-> SentWinners(u)]
        /\ status' = [n \in Nodes |->
                        IF awake[n] /\ IsLoser(n) THEN "loser" ELSE status[n]]
        /\ UNCHANGED <<rem_nbrs, awake, val>>

  19. Round 3

      SentLosers(u) == {w \in Senders(u) : awake[w] /\ status[w] = "loser"}

      Round3 ==
        /\ round = 3
        /\ msgs' = [u \in Nodes |-> SentLosers(u)]
        /\ awake' = [n \in Nodes |->
                       IF status[n] \in {"winner", "loser"} THEN FALSE ELSE TRUE]
        /\ rem_nbrs' = [u \in Nodes |-> rem_nbrs[u] \ msgs'[u]]
        /\ UNCHANGED <<status, val>>
