
From Model Checking to Proof Checking ... and Back Kedar Namjoshi - PowerPoint PPT Presentation

  1. From Model Checking to Proof Checking ... and Back
  Kedar Namjoshi
  Bell Labs
  April 29, 2005

  2. Abstraction ∘ Model Checking = Deductive Proof
  Diagram: MODEL CHECKING on the left, PROOF CHECKING on the right; top row M ⊨ φ and M ⊢ φ for the program M, bottom row M̂ ⊨ φ and M̂ ⊢ φ for its finite abstraction M̂. Labelled edges: Abstraction (M ⊨ φ to M̂ ⊨ φ; Completeness is the question whether such an M̂ always exists), Certifying Model Checker (M̂ ⊨ φ to M̂ ⊢ φ), and Proof Lifting (M̂ ⊢ φ to M ⊢ φ).

  3. I. From Model Checking to Proof Checking
  We show how to build a “certifying” model checker, one that generates a proof to justify its result.
  Why bother?
  • Proofs generalize counterexample traces for failure
  • A proof is an independently-checkable certificate for success (think proof-carrying code, PCC, for temporal properties)
  • A proof is a convenient data structure for interactive exploration and incremental model checking

  4. CTL Basics
  The CTL logic is built out of atomic propositions, boolean operators, and the temporal operators EX(φ) (“φ holds of some successor”), E(φ W ψ) (“φ unless ψ”), and E(φ U ψ) (“φ until ψ”).
  Some derived operators:
  EF(φ) (“φ is reachable”) = E(true U φ)
  AX(φ) (“all successors satisfy φ”) = ¬EX(¬φ)
  AG(φ) (“φ is invariant”) = ¬EF(¬φ)

  5. CTL via fixpoints
  The basic CTL operators can be defined as fixpoints of EX-formulas.
  • EF(φ) = (min Z : φ ∨ EX(Z))
  • E(φ W ψ) = (max Z : ψ ∨ (φ ∧ EX(Z)))
  Fixpoint formulas can be re-worked into a structurally simple notation: alternating automata.

  6. Simple Alternating Automata (SAA)
  A SAA is just like an NFA, except that the transition function δ maps a state to a boolean formula over atomic propositions and EX.
  E.g., EF(P) has a 3-state automaton, with initial state q0:
  δ(q0) = q1 ∨ q2; δ(q1) = P; δ(q2) = EX(q0)
  This is just the parse graph of (min Z : P ∨ EX(Z)). The (Büchi) acceptance set, F, is empty.
  Theorem 0: Every CTL formula can be represented by an SAA of proportional size.

  7. An Automaton-based proof system
  To show that a program M with state set S and transition relation R satisfies an automaton property (Q, q̂, δ, F) we need, for each automaton state q:
  • An invariance predicate, φ_q ⊆ S, and
  • A partial rank function, ρ_q : S → N
  Roughly speaking, the invariance assertions state that any (reachable) state of M satisfying q falls within the “safe” set φ_q. The rank function marks the “distance” to reaching a Büchi state; it is re-set when the distance is 0.

  8. Conditions for a valid Proof
  • Consistency: ρ_q is defined for every state in φ_q
  • Initiality: Every initial state of M satisfies φ_q̂
  • Safety and Progress: based on δ(q)
    • l (a literal): φ_q(s) ⇒ l(s), for all s.
    • (∨ j : q_j) (similarly for ∧): φ_q(s) ⇒ (∃ j : φ_{q_j}(s) ∧ (ρ_{q_j}(s) <_q ρ_q(s)))
    • EX(r) (similarly for AX): φ_q(s) ⇒ (∃ t : s R t : φ_r(t) ∧ (ρ_r(t) <_q ρ_q(s)))
  The relation a <_q b = (if q ∉ F then a < b else true).
  Progress and safety have to be checked together because of the EX and ∨ operators: the same witness (the chosen disjunct, or the chosen successor t) has to establish both the invariant and the rank decrease.

  9. Generating a Proof-I
  Key: model check with automata instead of CTL
  1. Turn CTL specification into a simple automaton
  2. Form an AND-OR product graph of the program M and automaton A
  3. Check the canonical property: does Player I have a winning strategy?
  W_I = (max Z ; min Y : tt ∨ (OR ∧ (F ⇒ EX(Z)) ∧ (¬F ⇒ EX(Y))) ∨ (AND ∧ (F ⇒ AX(Z)) ∧ (¬F ⇒ AX(Y))))

  10. Generating a Proof-II
  Now set:
  1. the invariant φ_q to be {s : (s, q) ∈ W_I}
  2. the rank ρ_q(s) to the index of the earliest stage for Y where (s, q) is added, during the last Z iteration.
  This works!
  Theorem 1: The proof system is sound and (relatively) complete.

  11. Generating Proofs-IV
  Problem: we do not know before-hand whether the check succeeds or fails.
  Immediate Solution: Generate proofs after normal model checking. (This requires two runs of the model checker.)
  Better Solution? Exploit duality. If W_I fails to hold at some initial state, then its dual, W_II, holds at that initial state. So keep approximations for both Y and Z, and use whichever is appropriate at the end.

  12. A Simple Example
  2-process, Atomic Bakery Protocol
  var st1, st2 : {N, W, C}   (* N = “Non-critical”, W = “Waiting”, C = “Critical” *)
  var y1, y2 : natural
  initially (st1 = N) ∧ (y1 = 0) ∧ (st2 = N) ∧ (y2 = 0)
  wait1:    st1 = N                       ↪ st1, y1 := W, y2 + 1
  enter1:   st1 = W ∧ (y2 = 0 ∨ y1 ≤ y2)  ↪ st1 := C
  release1: st1 = C                       ↪ st1, y1 := N, 0
  wait2:    st2 = N                       ↪ st2, y2 := W, y1 + 1
  enter2:   st2 = W ∧ (y1 = 0 ∨ y2 < y1)  ↪ st2 := C
  release2: st2 = C                       ↪ st2, y2 := N, 0

  13. The Abstracted Protocol
  Abstraction: b1 = (y1 = 0); b2 = (y2 = 0); b3 = (y1 ≤ y2)
  var st1, st2 : {N, W, C}
  var b1, b2, b3 : boolean
  initially (st1 = N) ∧ b1 ∧ (st2 = N) ∧ b2 ∧ b3
  wait1:    st1 = N               ↪ st1, b1, b2, b3 := W, false, b2, false
  enter1:   st1 = W ∧ (b2 ∨ b3)   ↪ st1, b1, b2, b3 := C, b1, b2, b3
  release1: st1 = C               ↪ st1, b1, b2, b3 := N, true, b2, true
  wait2:    st2 = N               ↪ st2, b1, b2, b3 := W, b1, false, true
  enter2:   st2 = W ∧ (b1 ∨ ¬b3)  ↪ st2, b1, b2, b3 := C, b1, b2, b3
  release2: st2 = C               ↪ st2, b1, b2, b3 := N, b1, true, b1

  14. Abstract Proof
  Reachable abstract states, written (st1 st2 b1 b2 b3):
  (N N tt tt tt) (W N ff tt ff) (W W ff ff tt)
  (C N ff tt ff) (C W ff ff tt) (N W tt ff tt)
  (W W ff ff ff) (N C tt ff tt) (W C ff ff ff)
  For the mutual exclusion property φ = AG(¬(C1 ∧ C2)) (C_i abbreviates st_i = C), the invariants are just the set of reachable states.
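The proof generation of slides 7-10 and the abstract bakery proof of slides 13-14, as an added worked example in Python. This is illustration code written for this page, not the COSPAN modification mentioned in the talk: a generic certifying model checker computes W_I by the nested fixpoint of slide 9, reads (φ_q, ρ_q) off the Y stages as on slide 10, and a separate `check_proof` verifies the slide 8 conditions without trusting anything the checker did. The toy graph for EF(P), the string state names and the tuple encoding of bakery states are this example's own choices.

```python
def reachable(init, commands):
    """States reachable from init under guarded commands (guard, update); R: state -> successors."""
    R, todo = {}, list(init)
    while todo:
        s = todo.pop()
        if s in R:
            continue
        R[s] = {upd(s) for grd, upd in commands if grd(s)}
        todo.extend(R[s])
    return R

# SAA: delta[q] is ('lit', pred) | ('or', [q..]) | ('and', [q..]) | ('EX', q) | ('AX', q);
# F is the Buechi set: empty for a least fixpoint (EF), all states for a greatest one (AG).
def succ_positions(R, delta, s, q):
    """Successor positions of (s, q) in the AND-OR product graph."""
    kind, arg = delta[q]
    if kind in ('or', 'and'):
        return [(s, r) for r in arg]
    if kind in ('EX', 'AX'):
        return [(t, arg) for t in R[s]]
    return []

def model_check(R, delta, F):
    """W_I = (max Z ; min Y : tt v (OR ^ (F=>EX Z) ^ (~F=>EX Y)) v (AND ^ (F=>AX Z) ^ (~F=>AX Y))).
    Returns phi[q] = {s : (s,q) in W_I} and rho[q][s] = Y stage that added (s,q) in the last Z round."""
    positions = [(s, q) for s in R for q in delta]
    def wins(p, Y, Z):
        s, q = p
        kind, arg = delta[q]
        if kind == 'lit':
            return arg(s)
        target = Z if q in F else Y            # accepting states look at Z, others at Y
        pick = any if kind in ('or', 'EX') else all
        return pick(c in target for c in succ_positions(R, delta, s, q))
    Z = set(positions)
    while True:                                # max Z
        Y, rank, stage = set(), {}, 0
        while True:                            # min Y, recording the stage of each addition
            stage += 1
            new = {p for p in positions if p not in Y and wins(p, Y, Z)}
            if not new:
                break
            rank.update((p, stage) for p in new)
            Y |= new
        if Y == Z:
            break
        Z = Y
    phi = {q: {s for s in R if (s, q) in Z} for q in delta}
    rho = {q: {s: rank[(s, q)] for s in phi[q]} for q in delta}
    return phi, rho

def check_proof(R, init, delta, qhat, F, phi, rho):
    """Independent checker for the slide 8 conditions; it only reads the certificate (phi, rho)."""
    def less(q, a, b):                         # a <_q b
        return True if q in F else a < b
    if any(s not in rho[q] for q in delta for s in phi[q]):      # consistency
        return False
    if any(s not in phi[qhat] for s in init):                    # initiality
        return False
    for q, (kind, arg) in delta.items():                          # safety + progress
        for s in phi[q]:
            if kind == 'lit':
                ok = arg(s)
            else:
                pick = any if kind in ('or', 'EX') else all
                ok = pick(t in phi[r] and less(q, rho[r][t], rho[q][s])
                          for t, r in succ_positions(R, delta, s, q))
            if not ok:
                return False
    return True

# Example 1: EF(P) as the 3-state SAA of slide 6 (F empty) on an assumed toy graph; P holds only at 2.
R1 = {0: {1, 3}, 1: {2}, 2: {2}, 3: {3}}
EF_P = {'q0': ('or', ['q1', 'q2']), 'q1': ('lit', lambda s: s == 2), 'q2': ('EX', 'q0')}
phi1, rho1 = model_check(R1, EF_P, frozenset())

def tampered_ef_proof():
    """A forged certificate claiming that state 3 also reaches P is rejected by the checker."""
    phi = {q: set(v) for q, v in phi1.items()}
    rho = {q: dict(v) for q, v in rho1.items()}
    phi['q0'].add(3); rho['q0'][3] = 99
    return check_proof(R1, [0], EF_P, 'q0', frozenset(), phi, rho)

# Example 2: the abstracted bakery of slide 13; state = (st1, st2, b1, b2, b3).
N, W, C = 'N', 'W', 'C'
BAKERY_ABS = [
    (lambda s: s[0] == N, lambda s: (W, s[1], False, s[3], False)),               # wait1
    (lambda s: s[0] == W and (s[3] or s[4]), lambda s: (C,) + s[1:]),             # enter1
    (lambda s: s[0] == C, lambda s: (N, s[1], True, s[3], True)),                 # release1
    (lambda s: s[1] == N, lambda s: (s[0], W, s[2], False, True)),                # wait2
    (lambda s: s[1] == W and (s[2] or not s[4]), lambda s: (s[0], C) + s[2:]),    # enter2
    (lambda s: s[1] == C, lambda s: (s[0], N, s[2], True, s[2])),                 # release2
]
INIT_ABS = [(N, N, True, True, True)]
R2 = reachable(INIT_ABS, BAKERY_ABS)
# AG(p) = (max Z : p ^ AX(Z)): every automaton state is accepting.
AG_MUTEX = {'q0': ('and', ['q1', 'q2']),
            'q1': ('lit', lambda s: not (s[0] == C and s[1] == C)),
            'q2': ('AX', 'q0')}
phi2, rho2 = model_check(R2, AG_MUTEX, frozenset(AG_MUTEX))
```

The security point of the split is the size of the trusted part: `check_proof` is a few lines that only walk the certificate, while `model_check` may be as clever (or as buggy) as it likes. `phi2['q0']` comes out as exactly the nine reachable states listed above, and a certificate that claims more than the model supports, such as `tampered_ef_proof()`, is refused.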

  15. Concretizing this Proof
  Let ξ be a simulation relation from M to M̂. A proof (φ, ρ) on M̂ can be concretized to a proof (φ′, ρ′) on M by letting
  φ′_q(s) ≡ (∃ t : s ξ t : φ_q(t)), and
  ρ′_q(s) = (min t : s ξ t ∧ φ_q(t) : ρ_q(t))
  So:
  φ′_q(st1, st2, y1, y2)
  = (by definition) (∃ b1, b2, b3 : b1 ≡ (y1 = 0) ∧ b2 ≡ (y2 = 0) ∧ b3 ≡ (y1 ≤ y2) ∧ φ_q(st1, st2, b1, b2, b3))
  = (simplifying) φ_q(st1, st2, (y1 = 0), (y2 = 0), (y1 ≤ y2))
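The concretization above applied to the bakery proof, as an added Python example (written for this page, not from the talk). φ′ is obtained from the slide 14 invariant through the abstraction map, and the AG obligations (initiality, safety, inductiveness) are then checked on the concrete protocol of slide 12 for a window of ticket values; the bound and the tuple encoding are assumptions of this example, and since every rank of an AG proof is trivial only φ is lifted. A second function shows why the predicate b3 = (y1 ≤ y2) is in the abstraction: without it the lifted invariant stops being inductive.

```python
N, W, C = 'N', 'W', 'C'

# phi_q for the AG automaton state, copied from slide 14: (st1, st2, b1, b2, b3)
PHI_ABS = {
    (N, N, True, True, True), (W, N, False, True, False), (W, W, False, False, True),
    (C, N, False, True, False), (C, W, False, False, True), (N, W, True, False, True),
    (W, W, False, False, False), (N, C, True, False, True), (W, C, False, False, False),
}

def alpha(st1, st2, y1, y2):
    """The unique abstract t with s xi t: b1 = (y1 = 0), b2 = (y2 = 0), b3 = (y1 <= y2)."""
    return (st1, st2, y1 == 0, y2 == 0, y1 <= y2)

def phi_conc(s):
    """phi'_q(s) = (exists t : s xi t : phi_q(t)); xi is a function here, so this is
    phi_q(alpha(s)), the simplified form on slide 15."""
    return alpha(*s) in PHI_ABS

# Concrete guarded commands of slide 12; state = (st1, st2, y1, y2).
BAKERY = [
    (lambda s: s[0] == N, lambda s: (W, s[1], s[3] + 1, s[3])),                        # wait1
    (lambda s: s[0] == W and (s[3] == 0 or s[2] <= s[3]), lambda s: (C,) + s[1:]),     # enter1
    (lambda s: s[0] == C, lambda s: (N, s[1], 0, s[3])),                                # release1
    (lambda s: s[1] == N, lambda s: (s[0], W, s[2], s[2] + 1)),                         # wait2
    (lambda s: s[1] == W and (s[2] == 0 or s[3] < s[2]), lambda s: (s[0], C) + s[2:]),  # enter2
    (lambda s: s[1] == C, lambda s: (s[0], N, s[2], 0)),                                # release2
]
INIT = (N, N, 0, 0)

def concrete_window(bound):
    """All concrete states with both tickets <= bound (assumed window for the exhaustive check)."""
    return [(st1, st2, y1, y2) for st1 in (N, W, C) for st2 in (N, W, C)
            for y1 in range(bound + 1) for y2 in range(bound + 1)]

def check_lifted_invariant(bound):
    """AG obligations for phi' on the (infinite-state) concrete system, checked on the window:
    initiality, safety (phi' contains no (C, C) state) and inductiveness (every enabled
    command maps a phi' state to a phi' state). Successor tickets may exceed the bound;
    phi' is simply evaluated on them."""
    if not phi_conc(INIT):
        return False
    for s in concrete_window(bound):
        if not phi_conc(s):
            continue
        if s[0] == C and s[1] == C:
            return False
        if any(grd(s) and not phi_conc(upd(s)) for grd, upd in BAKERY):
            return False
    return True

def first_break_without_b3(bound):
    """Drop b3 from the abstraction: the projected predicate
    phi''(s) = (exists b3 : phi_q(st1, st2, y1 = 0, y2 = 0, b3)) is weaker and is no
    longer inductive. Returns the first concrete transition that leaves it, or None."""
    def phi_weak(s):
        st1, st2, y1, y2 = s
        return any((st1, st2, y1 == 0, y2 == 0, b3) in PHI_ABS for b3 in (False, True))
    for s in concrete_window(bound):
        if phi_weak(s):
            for grd, upd in BAKERY:
                if grd(s) and not phi_weak(upd(s)):
                    return s, upd(s)
    return None
```

`check_lifted_invariant` passes for any bound because the abstract transitions of slide 13 are exact images of the concrete ones, so φ′ is inductive on all of M, not only on its reachable part. `first_break_without_b3` finds the transition enter1 from (W, C, 1, 1) into the (C, C) state: with b3 present, (W, C, 1, 1) maps to (W C ff ff tt), which is not in the invariant, so that state is correctly excluded.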

  16. Summary: Proof Generation
  • It is possible to design a model checker which generates an independently checkable proof of its results.
  • This can be done quite easily: COSPAN modification (experimental) about 200 lines of C.
  • Generated proofs have several applications ... and perhaps some as-yet-unknown ones!

  17. Abstraction ∘ Model Checking = Deductive Proof
  Diagram: MODEL CHECKING on the left, PROOF CHECKING on the right; top row M ⊨ φ and M ⊢ φ for the program M, bottom row M̂ ⊨ φ and M̂ ⊢ φ for its finite abstraction M̂. Labelled edges: Abstraction (M ⊨ φ to M̂ ⊨ φ; Completeness is the question whether such an M̂ always exists), Certifying Model Checker (M̂ ⊨ φ to M̂ ⊢ φ), and Proof Lifting (M̂ ⊢ φ to M ⊢ φ).

  18. II. Completeness of Verification via Abstraction (joint work with Dennis Dams)
  Given: Program M, property φ; to check M ⊨ φ
  Construct Abstraction: a finite program M̂
  Model Check: whether M̂ ⊨ φ
  An Abstraction Framework specifies the precise relationship between M and M̂.
  Soundness: for any M, φ: if M̂ ⊨ φ, then M ⊨ φ
  Completeness: for any M, φ: if M ⊨ φ, there exists an abstraction M̂ such that M̂ ⊨ φ

  19. Summary of New Results
  For properties expressed in branching time temporal logics (e.g., CTL, CTL∗, or the μ-calculus):
  * Negative: Several well-studied abstraction frameworks are incomplete. Examples: bisimulation [Milner71], modal transition system refinement [Larsen-Thomsen88]. This holds even with enhancements such as fairness or stuttering.
  * Positive: A simple extension of modal transition systems with new focus operations gives rise to a complete framework. This is intimately connected to the representation of properties by finite tree automata.

  20. Completeness and “Small Model” Theorems
  Small Model Theorem [Hossley-Rackoff 72, Emerson 85]: Any satisfiable property of the μ-calculus has a finite model.
  Why doesn’t this settle the question? ... because the small model need not abstract M.
  Example (figure): two structures, N and M, each containing a {Q}-state. N is a small model for the property “there is a reachable Q-state”, but N and M are unrelated by, say, simulation or modal refinement.

  21. Modal Transition Systems [Larsen-Thomsen 1988]
  A (Kripke) MTS is a transition system with
  • two transition relations: may (over-approximate) and must (under-approximate) transitions, with must ⊆ may
  • a 3-valued (true, false, ⊥) propositional valuation at states
  For temporal logics, existential path modalities (e.g., EX) are interpreted over must-transitions; universal path modalities (e.g., AX) over may-transitions. The outcome of model checking is also 3-valued.

  22. Abstraction with MTS’s
  If c ⊑ a then:
  – ∀ c′ : c → c′ ⇒ (∃ a′ : a –may→ a′ ∧ c′ ⊑ a′)
  – ∀ a′ : a –must→ a′ ⇒ (∃ c′ : c → c′ ∧ c′ ⊑ a′)
  Program M:
    integer x;
    L1: {x is even}
    L2: if (*) then x := x+2 else x := x+4;
    L3:
  Figure: the abstract MTS has states {L2, even(x)}, {L3, even(x)} and {L3, div3(x)}; from {L2, even(x)} there is a must transition to {L3, even(x)} (both branches preserve evenness) and only a may transition to {L3, div3(x)} (for some even x neither x+2 nor x+4 is divisible by 3). Legend: may transition, must transition.
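Slides 21 and 22 as an added Python example (written for this page, not from the talk): a 3-valued model checker over may/must transitions, with EX decided on must-transitions and AX obtained as ¬EX¬ (slide 4), and the refinement relation ⊑ of slide 22 computed as a greatest fixpoint between the concrete program and its abstraction. The state names a0, a1, a2, the window of x values and the deliberately unsound variant `BAD` (which promises a must-transition into {L3, div3(x)}) are assumptions made here.

```python
BOT = None                      # 3-valued logic: True, False, BOT (unknown)

def k_not(v):
    return BOT if v is BOT else (not v)

def k_and(vs):
    vs = list(vs)
    if any(v is False for v in vs):
        return False
    return True if all(v is True for v in vs) else BOT

class MTS:
    """may/must transitions (must subset of may) and a partial valuation
    val[(state, atom)] in {True, False}; an absent entry means BOT."""
    def __init__(self, may, must, val):
        assert all(must[s] <= may[s] for s in may), "must must be a subset of may"
        self.may, self.must, self.val = may, must, val

    def check(self, f, s):
        """3-valued check of f = ('atom', p) | ('not', f) | ('and', f, ...) | ('EX', f) | ('AX', f)."""
        kind = f[0]
        if kind == 'atom':
            return self.val.get((s, f[1]), BOT)
        if kind == 'not':
            return k_not(self.check(f[1], s))
        if kind == 'and':
            return k_and(self.check(g, s) for g in f[1:])
        if kind == 'EX':
            # true needs a must-successor (under-approximation) satisfying f;
            # false needs every may-successor (over-approximation) to refute it
            if any(self.check(f[1], t) is True for t in self.must[s]):
                return True
            if all(self.check(f[1], t) is False for t in self.may[s]):
                return False
            return BOT
        if kind == 'AX':                          # AX f = not EX not f
            return k_not(self.check(('EX', ('not', f[1])), s))
        raise ValueError(kind)

def refinement(conc_R, conc_atoms, abs_mts):
    """Greatest relation c <= a of slide 22 between a concrete system (conc_R: state ->
    successors, conc_atoms: state -> set of true atoms) and abs_mts: start from all pairs
    consistent on the atoms, then drop pairs violating either transfer condition until stable."""
    atoms = {p for (_, p) in abs_mts.val}
    rel = {(c, a) for c in conc_R for a in abs_mts.may
           if all(abs_mts.val.get((a, p), BOT) in (BOT, p in conc_atoms(c)) for p in atoms)}
    while True:
        keep = {(c, a) for (c, a) in rel
                if all(any((c2, b) in rel for b in abs_mts.may[a]) for c2 in conc_R[c])
                and all(any((c2, b) in rel for c2 in conc_R[c]) for b in abs_mts.must[a])}
        if keep == rel:
            return rel
        rel = keep

def concrete(xmax):
    """The program of slide 22 at L2 (the if) and L3 (after it), for x in an assumed window."""
    R = {('L2', x): {('L3', x + 2), ('L3', x + 4)} for x in range(xmax + 1)}
    R.update({('L3', x): set() for x in range(xmax + 5)})
    return R

def conc_atoms(c):
    loc, x = c
    return {loc} | ({'even'} if x % 2 == 0 else set()) | ({'div3'} if x % 3 == 0 else set())

# Abstract MTS of slide 22: a0 = {L2, even(x)}, a1 = {L3, even(x)}, a2 = {L3, div3(x)}.
VAL = {('a0', 'L2'): True, ('a0', 'even'): True, ('a1', 'L3'): True,
       ('a1', 'even'): True, ('a2', 'L3'): True, ('a2', 'div3'): True}
ABS = MTS(may={'a0': {'a1', 'a2'}, 'a1': set(), 'a2': set()},
          must={'a0': {'a1'}, 'a1': set(), 'a2': set()}, val=VAL)
# Unsound variant (assumed here): it also promises a must-transition into {L3, div3(x)}.
BAD = MTS(may=ABS.may, must={'a0': {'a1', 'a2'}, 'a1': set(), 'a2': set()}, val=VAL)

def verdicts(mts):
    """Outcomes at a0 for four properties; BOT wherever the abstraction is too coarse."""
    return {name: mts.check(f, 'a0') for name, f in [
        ('AX L3', ('AX', ('atom', 'L3'))), ('EX even', ('EX', ('atom', 'even'))),
        ('AX even', ('AX', ('atom', 'even'))), ('EX div3', ('EX', ('atom', 'div3')))]}
```

On `ABS`, AX L3 and EX even come out true while AX even and EX div3 are ⊥, which is the 3-valued outcome slide 21 describes. `BAD` answers EX div3 with true, but `refinement` shows the price: the concrete states (L2, 0) and (L2, 6) no longer refine a0, because neither x+2 nor x+4 is divisible by 3 there, so the must-condition of slide 22 fails and the abstraction is not sound for the whole program.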

  23. Incompleteness
  Program M:
    L0: initially even(x)
    L1: while (x > 0) do x := x-2 od;
    L2: x := -1
  Figure: the state graph of M, with initial states x = 0, 2, 4, ..., 2n, ... at L0, each chain decreasing by 2 through L1 down to 0 and then to −1 at L2.
  Let φ = E(even(x) W (x < 0)).
  Theorem 2: No finite MTS abstracts M and satisfies φ.
  Proof by contradiction. The property holds for must-paths in M̂; so either (i) even(x) holds forever, or (ii) by finiteness, x is negative within a bounded number of steps. The must-abstraction enforces these properties at every initial state of M, a contradiction: from the initial state x = 2n the program has no infinite even path and needs n + 1 steps before x is negative, which exceeds any fixed bound.
