invariants for finite instances and beyond
play

INVARIANTS FOR FINITE INSTANCES AND BEYOND October, 21 st 2013 - PowerPoint PPT Presentation

Sep 01, 2022 •187 likes •948 views

INVARIANTS FOR FINITE INSTANCES AND BEYOND October, 21 st 2013 Sylvain Conchon, Amit Goel, Sava Kristi c, Alain Mebsout , Fatiha Za di LRI, Universit e Paris-Sud Strategic CAD Labs, Intel Corporation Challenge How to prove safety of

  1. INVARIANTS FOR FINITE INSTANCES AND BEYOND October, 21 st 2013 Sylvain Conchon, Amit Goel, Sava Kristi´ c, Alain Mebsout , Fatiha Za¨ ıdi LRI, Universit´ e Paris-Sud Strategic CAD Labs, Intel Corporation

  2. Challenge How to prove safety of industrial size protocols like FLASH for an arbitrary number of processes ? 2

  3. Challenge How to prove safety of industrial size protocols like FLASH for an arbitrary number of processes ? ◮ automatically 2

  4. The FLASH protocol Stanford FLASH multiprocessor architecture (1994) ◮ Cache-coherence shared memory ◮ High-performance message passing ◮ Industrial size: 67 million states for 4 processes (28,000 states for German) 3

  5. The FLASH protocol Stanford FLASH multiprocessor architecture (1994) ◮ Cache-coherence shared memory ◮ High-performance message passing ◮ Industrial size: 67 million states for 4 processes (28,000 states for German) Who proved the protocol? ◮ Park and Dill, 1996, PVS proof ◮ Das, Dill and Park, 1999, by predicate abstraction ◮ McMillan, 2001, by compositional model checking ◮ Chou, Mannava, Park, 2004, CMP method inspired by McMillan’s work ◮ Talapur and Tuttle, 2008, message-flows extension of CMP None of these proofs are purely automatic 3

  6. Solutions ◮ Model checking of parameterized systems ◮ Decidable fragment ◮ Cubicle implements backward reachability 4

  7. Solutions ◮ Model checking of parameterized systems ◮ Decidable fragment ◮ Cubicle implements backward reachability Does it work ? 4

  8. Some benchmarks Cubicle CMurphi Szymanski at 0.30s 8.04s (8) 5m12s (10) 2h50m (12) German Baukus 7.03s 0.74s (4) 19m35s (8) 4h49m (10) German.CTC 3m23s 1.83s (4) 43m46s (8) 12h35m (10) German pfs 3m58s 0.99s (4) 22m56s (8) 5h30m (10) Chandra-Toueg 2h01m 5.68s (4) 2m58s (5) 1h36m (6) 5

  9. Some benchmarks Cubicle CMurphi Szymanski at 0.30s 8.04s (8) 5m12s (10) 2h50m (12) German Baukus 7.03s 0.74s (4) 19m35s (8) 4h49m (10) German.CTC 3m23s 1.83s (4) 43m46s (8) 12h35m (10) German pfs 3m58s 0.99s (4) 22m56s (8) 5h30m (10) Chandra-Toueg 2h01m 5.68s (4) 2m58s (5) 1h36m (6) Szymanski na T.O. 0.88s (4) 8m25s (6) 7h08m (8) Flash nodata O.M. 4.86s (3) 3m33s (4) 2h46m (5) Flash O.M. 1m27s (3) 2h15m (4) O.M. (5) O.M. > 20 GB T.O. > 20 h 5

  10. How to scale ? ◮ Reduce the state space to explore ◮ Invariants for parameterized case ◮ Interesting behaviors often observable on small instances 6

  11. Invariants inference Problem: Invariants often harder to prove than original property 7

  12. Invariants inference Problem: Invariants often harder to prove than original property Idea: use finite instances to infer invariants for parametrized case ◮ Insert and check on the fly in backward reachability loop ◮ Backtrack if necessary BRAB: B ackward R eachability with A pproximations and B acktracking 7

  13. Backward reachability algorithm I U 8

  14. Backward reachability algorithm I Q V U 8

  15. Backward reachability algorithm I Q V U 8

  16. Backward reachability algorithm I Q V U 8

  17. Backward reachability algorithm I Q V U 8

  18. Backward reachability algorithm I Q V U 8

  19. Backward reachability algorithm I Q V U 8

  20. Backward reachability algorithm I Q V U 8

  21. Backward reachability algorithm I V U 8

  22. BRAB: intuition I U 9

  23. BRAB: intuition I 2 U 9

  24. BRAB: intuition I 2 2 U 9

  25. BRAB: intuition I 2 2 Q V U 9

  26. BRAB: intuition I 2 2 ϕ Q V U 9

  27. BRAB: intuition I 2 2 candidate Q V U 9

  28. BRAB: intuition I 2 2 Q V U 9

  29. BRAB: intuition I 2 2 Q Q V V U 9

  30. BRAB: intuition I 2 2 ϕ Q Q V V U 9

  31. BRAB: intuition I 2 2 Q Q V V U 9

  32. BRAB: intuition I Q 2 2 V U 9

  33. BRAB: intuition I Q 2 2 V U 9

  34. BRAB: intuition I Q 2 2 V U 9

  35. BRAB: intuition I Q 2 2 V U 9

  36. BRAB: intuition I 2 2 U 9

  37. BRAB: intuition I 2 2 Q V U 9

  38. BRAB: intuition I 2 2 Q V U 9

  39. BRAB: intuition I 2 2 Q V U 9

  40. BRAB: intuition I 2 2 Q V U 9

  41. BRAB: intuition I 2 2 V U 9

  42. Framework ◮ Symbolic framework for parameterized systems ◮ States : formulas in a decidable fragment of FOL ◮ Pre-image effectively computable ◮ Post-image effectively computable for a finite instance 10

  43. Framework ◮ Symbolic framework for parameterized systems ◮ States : formulas in a decidable fragment of FOL ◮ Pre-image effectively computable ◮ Post-image effectively computable for a finite instance In Cubicle → array-based transition systems 10

  44. Example: German -ish cache coherence protocol Client i : E Cache [ i ] ∈ { E , S , I } Exg := true Exg := false Directory: Shr [ i ] := false Cmd ∈ { rs , re , ǫ } Shr [ i ] := true S Exg := true Exg := false Shr [ i ] := true Shr [ i ] := false Ptr ∈ proc Shr [ i ] ∈ { true , false } Exg ∈ { true , false } I ∀ i. Cache [ i ] = I ∧ ¬ Shr [ i ] ∧ ¬ Exg ∧ Cmd = ǫ Initial states: ∃ i, j. i � = j ∧ Cache [ i ] = E ∧ Cache [ j ] � = I ? Unsafe states: (cubes) 11

  45. Example: German -ish cache coherence protocol Client i : E Cache [ i ] ∈ { E , S , I } Exg := true Exg := false Directory: Shr [ i ] := false Cmd ∈ { rs , re , ǫ } Shr [ i ] := true S Exg := false Exg := true Shr [ i ] := true Shr [ i ] := false Ptr ∈ proc Shr [ i ] ∈ { true , false } Exg ∈ { true , false } I t 5 : ∃ i. Ptr = i ∧ Cmd = rs ∧ ¬ Exg ∧ Cmd ′ = ǫ ∧ Shr ′ [ i ] ∧ Cache ′ [ i ] = S 11

  46. BRAB algorithm T : transitions I : inital states U : unsafe states (cubes) BRAB (): B := ∅ ; Kind (U) := Orig; From (U) := U; M := FWD ( d max , k ) ; while BWDA() = unsafe do if Kind ( F ) = Orig then return unsafe B := B ∪ { From ( F ) } ; return safe 12

  47. BRAB algorithm T : transitions I : inital states U : unsafe states (cubes) BWD (): V := ∅ ; push( Q , U ) ; while not empty( Q ) do ϕ := pop( Q ); if ϕ ∧ I sat then return unsafe if ¬ ( ϕ | = � ψ ∈ V ψ ) then V := V ∪ { ϕ } ; push( Q , pre T ( ϕ )); return safe 13

  48. BRAB algorithm T : transitions I : inital states U : unsafe states (cubes) BWDA (): V := ∅ ; push( Q , U ) ; while not empty( Q ) do ϕ := pop( Q ); if ϕ ∧ I sat then return unsafe if ¬ ( ϕ | = � ψ ∈ V ψ ) then V := V ∪ { ϕ } ; push( Q , Approx T ( ϕ ) ); return safe 13

  49. BRAB algorithm T : transitions I : inital states U : unsafe states (cubes) Approx T ( ϕ ): foreach ψ in candidates ( ϕ ) do if ψ �∈ B ∧ M � � ψ then Kind ( ψ ) := Appr ; . . . return ψ . . . return pre T ( ϕ ) 14

  50. Example: BRAB on German -ish ¬ Exg Cmd = ǫ ∀ i. Cache [ i ] = I ¬ Shr [ i ] t 2 ( #2 ) t 1 ( #1 ) t 2 ( #1 ) t 1 ( #2 ) t 6 ( #2 ) t 6 ( #1 ) t 5 ( #2 ) t 5 ( #1 ) t 1 ( #2 ) t 2 ( #1 ) t 1 ( #1 ) t 2 ( #2 ) t 2 ( #2 ) t 2 ( #1 ) t 1 ( #1 ) ∃ i � = j. Cache [ i ] = E Cache [ j ] � = I 15

  51. Example: BRAB on German -ish ¬ Exg Cmd = ǫ Cache [ #1 ] = I Cache [ #2 ] = I ¬ Shr [ #1 ] t 2 ( #2 ) ¬ Shr [ #2 ] t 1 ( #1 ) t 2 ( #1 ) t 1 ( #2 ) t 6 ( #2 ) t 6 ( #1 ) t 5 ( #2 ) t 5 ( #1 ) t 1 ( #2 ) t 2 ( #1 ) t 1 ( #1 ) t 2 ( #2 ) t 2 ( #2 ) t 2 ( #1 ) t 1 ( #1 ) ∃ i � = j. Cache [ i ] = E Cache [ j ] � = I 15

  52. Example: BRAB on German -ish ¬ Exg Cmd = ǫ Cache [ #1 ] = I Cache [ #2 ] = I ¬ Shr [ #1 ] t 2 ( #2 ) ¬ Shr [ #2 ] t 1 ( #1 ) t 2 ( #1 ) t 1 ( #2 ) ¬ Exg ¬ Exg ¬ Exg ¬ Exg Cmd = re Cmd = re Cmd = rs Cmd = rs Ptr = #2 Ptr = #1 Ptr = #2 Ptr = #1 Cache [ #1 ] = I Cache [ #1 ] = I Cache [ #1 ] = I Cache [ #1 ] = I Cache [ #2 ] = I Cache [ #2 ] = I Cache [ #2 ] = I Cache [ #2 ] = I ¬ Shr [ #1 ] ¬ Shr [ #1 ] ¬ Shr [ #1 ] ¬ Shr [ #1 ] ¬ Shr [ #2 ] ¬ Shr [ #2 ] ¬ Shr [ #2 ] ¬ Shr [ #2 ] t 6 ( #2 ) t 6 ( #1 ) t 5 ( #2 ) t 5 ( #1 ) Exg Exg ¬ Exg Cmd = ǫ Cmd = ǫ Cmd = ǫ Ptr = #2 Ptr = #1 Ptr = #2 . . . Cache [ #1 ] = I Cache [ #1 ] = E Cache [ #1 ] = I Cache [ #2 ] = E Cache [ #2 ] = I Cache [ #2 ] = S ¬ Shr [ #1 ] ¬ Shr [ #1 ] Shr [ #1 ] Shr [ #2 ] ¬ Shr [ #2 ] Shr [ #2 ] t 1 ( #2 ) t 2 ( #1 ) t 1 ( #1 ) t 2 ( #2 ) t 1 ( #1 ) t 2 ( #2 ) t 2 ( #1 ) Exg Cmd = rs Ptr = #2 ∃ i � = j. Cache [ i ] = E Cache [ #1 ] = E Cache [ j ] � = I Cache [ #2 ] = I Shr [ #1 ] ¬ Shr [ #2 ] 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Drinfeld Modules, Hasse Invariants and Factoring Polynomials over Finite Fields Anand Kumar

Drinfeld Modules, Hasse Invariants and Factoring Polynomials over Finite Fields Anand Kumar

Drinfeld Modules, Hasse Invariants and Factoring Polynomials over Finite Fields Anand Kumar Narayanan Laboratoire dinformatique de Paris 6 GTBAC Telecom Paristech 8 March 2018 Polynomial Factorization over Finite Fields Decompose a given

493 views • 34 slides
COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A

COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A

COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A class invariant is definition of Class Invariant some property that is always true of all instances of the class in question. i.e., some statement,

1.34k views • 96 slides
On some numerical invariants of finite groups Jan Krempa Institute of Mathematics, University of

On some numerical invariants of finite groups Jan Krempa Institute of Mathematics, University of

On some numerical invariants of finite groups Jan Krempa Institute of Mathematics, University of Warsaw ul. Banacha 2, 02-097 Warszawa, Poland jkrempa@mimuw.edu.pl ( with Agnieszka Stocka) References [1] P.R. Jones, Basis properties for

419 views • 21 slides
Perverse Sheaves, Finite Maps, and Numerical Invariants AMS Special Session on Singularities

Perverse Sheaves, Finite Maps, and Numerical Invariants AMS Special Session on Singularities

Introduction Deforming Hypersurfaces Rational Homology Manifolds Trivial, Non-Trivial Example Future Directions Perverse Sheaves, Finite Maps, and Numerical Invariants AMS Special Session on Singularities Northeastern University Brian

859 views • 70 slides
Cohomological invariants of finite Coxeter groups J er ome Ducoat Universit e Grenoble 1

Cohomological invariants of finite Coxeter groups J er ome Ducoat Universit e Grenoble 1

Cohomological invariants of finite Coxeter groups J er ome Ducoat Universit e Grenoble 1 Ramification in Algebra and Geometry at Emory J er ome Ducoat (Universit e Grenoble 1) May 18, 2011 1 / 8 Introduction Let k 0 be a

436 views • 17 slides
Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these S1 sid sname

Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these S1 sid sname

R1 sid bid day Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these S1 sid sname rating age instances of the 22 dustin 7 45.0 SQL: Queries, Constraints, Triggers Sailors and Reserves relations in our 31

415 views • 7 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these sid sname rating

Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these sid sname rating

sid bid day R1 Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these sid sname rating age S1 SQL: Queries, Programming, instances of the 22 dustin 7 45.0 Sailors and Triggers Reserves relations 31 lubber

400 views • 7 slides
Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff, David R. White and John A. Clark. The 13th CREST Open Workshop Thursday 12 May 2011 Outline Invariants Using GP to find Invariants Identifying

417 views • 38 slides
GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a rational representation of a reductive group is finitely generated by the results of Hilbert, Nagata and Haboush. However, the proof is not

482 views • 3 slides
Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Introduction Generic critical value sets Integer invariants mod2 invariants Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference Legacy of Vladimir Arnold Fields Institute, Toronto 25 November

1.37k views • 84 slides
Loop invariants <precondition: n>0> int i = 0; while (i < n){ i = i+1; We want to

Loop invariants <precondition: n>0> int i = 0; while (i < n){ i = i+1; We want to

4/23/16 Loop invariants as a way of reasoning about the state of your program Loop invariants <precondition: n>0> int i = 0; while (i < n){ i = i+1; We want to prove: } i==n right after the loop <post condition: i==n>

80 views • 7 slides
Ontology Visualization What is the graph widget? Allows visual editing of instances and

Ontology Visualization What is the graph widget? Allows visual editing of instances and

9 th International Protg Conference Jennifer Vendetti, Stanford University Ontology Visualization What is the graph widget? Allows visual editing of instances and relationships between instances Alternative to Protege Forms for

539 views • 31 slides
Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington

Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington

Cheeger-Gromov L 2 -invariants of 3-manifolds Geunho Lim Indiana University Bloomington limg@iu.edu L 2 -invariants Topological Definition of L 2 -invariants, (2) (M, ) M is a closed (4k-1)-manifold. : 1 ( M) G is

805 views • 3 slides
Recognizing object instances 3. Recognizing object instances Kristen Grauman UT-Austin Image

Recognizing object instances 3. Recognizing object instances Kristen Grauman UT-Austin Image

2/2/2016 Plan for today 1. Basics in feature extraction: filtering 2. Invariant local features Recognizing object instances 3. Recognizing object instances Kristen Grauman UT-Austin Image Formation Basics in feature extraction

1.02k views • 37 slides
Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants and ADTs Validation Data Refinement Administrivia Software System Design and Implementation Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Data Invariants

1.07k views • 68 slides
Real-time Model Checking Timed Temporal Logics Nicolas M ARKEY Lav. Sp ecification

Real-time Model Checking Timed Temporal Logics Nicolas M ARKEY Lav. Sp ecification

Real-time Model Checking Timed Temporal Logics Nicolas M ARKEY Lav. Sp ecification & V erification CNRS & ENS Cachan France March 3, 2010 (Quantitative) Model checking system: property: Always ( safe )

1.28k views • 102 slides
Introduction to SMT Albert Oliveras Technical University of Catalonia 8th International

Introduction to SMT Albert Oliveras Technical University of Catalonia 8th International

Introduction to SMT Albert Oliveras Technical University of Catalonia 8th International SAT/SMT/AR Summer School 2019 Lisbon, Portugal July 3rd, 2019 Introduction to SMT p. 1 Overview of the talk Motivation SMT Theories of Interest

1.39k views • 105 slides
Leonardo de Moura and Nikolaj Bjrner Microsoft Research Verification/Analysis tools need some

Leonardo de Moura and Nikolaj Bjrner Microsoft Research Verification/Analysis tools need some

Leonardo de Moura and Nikolaj Bjrner Microsoft Research Verification/Analysis tools need some form of Symbolic Reasoning Verification/Analysis tools need some form of Symbolic Reasoning Many Flavors: SAT Solvers SMT Solvers First-order

1.19k views • 55 slides
EuroPython 2020 c e d o Real Time Machine Learning with Python Alejandro Saucedo |

EuroPython 2020 c e d o Real Time Machine Learning with Python Alejandro Saucedo |

@ A x S a u EuroPython 2020 c e d o Real Time Machine Learning with Python Alejandro Saucedo | as@seldon.io Twitter: @AxSaucedo @ my name is Alejandro A Hello, x S a u c e d o Engineering Director Seldon Technologies

500 views • 32 slides
Testing Deep Neural Networks Xiaowei Huang, University of Liverpool Outline Safety Problem of AI

Testing Deep Neural Networks Xiaowei Huang, University of Liverpool Outline Safety Problem of AI

Testing Deep Neural Networks Xiaowei Huang, University of Liverpool Outline Safety Problem of AI Verification (brief) Testing Conclusions and Future Works Human-Level Intelligence Robotics and Autonomous Systems Deep neural networks all

1.5k views • 63 slides
CS137: Today Electronic Design Automation Specification/Implementation Abstraction

CS137: Today Electronic Design Automation Specification/Implementation Abstraction

CS137: Today Electronic Design Automation Specification/Implementation Abstraction Functions Correctness Condition Day 15: February 13, 2006 Verification Processor Verification Self-Consistency 1 2 CALTECH CS137

334 views • 7 slides
Valeria Bertacco Advanced Computer Architecture Laboratory University of Michigan, Ann Arbor

Valeria Bertacco Advanced Computer Architecture Laboratory University of Michigan, Ann Arbor

DACOTA: Post-silicon validation of the memory subsystem in multi-core designs Andrew DeOrio Ilya Wagner Valeria Bertacco Advanced Computer Architecture Laboratory University of Michigan, Ann Arbor HPCA 2009 Multi-core Designs Many simple

538 views • 22 slides
UC UCb b 1 2 methods a b c 3 4 & Tools b c 3 4 UPPAAL Model 2 DISC Summer

UC UCb b 1 2 methods a b c 3 4 & Tools b c 3 4 UPPAAL Model 2 DISC Summer

UCb Validation & Verification Timed Automata Construction of UPPAAL models & Controller Program Plant Model Checking Discrete Continuous Using UPPAALx : x {1,2,3,4} sensors Task Task Task Task Model actuators of tasks

486 views • 11 slides

More recommend