View
220
Download
0
Tags:
Embed Size (px)
Citation preview
O MN O+ DTECHNIQUESH L CE H+ GAME-BASEDFOR CL KY I N G
Adam Bakewell& Dan GhicaUniversity ofBirmingham
on-the-fly techniques for compositional model checking
1. What are game models (&why)?
2. On-the-fly techniques
3. CEGAR techniques
4. Results and prospects
GAMODELSE
game models
Compositional: handle open code, components, unknown user behaviours
Encode exact behaviour: get all errors
Hide internal activity: only record actions in interface (environment + result)
e.g. interface
b:boolean,n:natk
,
user:command -> command|-M : command
Component ‘M’ is a command that canCall ‘user’ and read or write ‘b’ and ‘n’(with different results each time)
game models
• 1up - Player O: the user/context• 2up - Player P: the program• Move: place (.call | :=v | .ret | .v)• Play: valid sequence of alternating
moves• Model: all plays
e.g. model
e.g. model
e.g. code: hashing
|-boolean table[2*k];
for(i := 2*k - 1; i > 0; table[--i] := false);
command hashword (x:natk) {nat2*k h := 0;for (i := 3; i > 0; i--) h := h + !x;b := table[h];table[h] := true
}
user (hashword (n))
Model building
• Model has regular language representation– for languages excluding recursion, 2nd+-
order functions, infinite integers, heap
e.g. regular model
.call,{table:=[false,…,false]}user.call, (
user-arg.call,n.call, n.x, n.call, n.y, n.call, n.z,{h=(x+y+z)%tablesize}b:=table[h], b.ret,{table[h]:=true}user-arg.ret, )*
user.ret,.ret
e.g. hash regular model
.call, {table:=[false,…,false,┴]} user.call,
(user-arg.call, n.call, n.x, n.call, n.y,n.call,n.z, b:=table[x+y+z], b.ret, user-arg.ret,{if x+y+z < tablesize-1} )*
(user.ret, .ret)+(user-arg.call, n.call, n.x, n.call, n.y,n.call,n.z,
exception.┴ {if x+y+z=tablesize-1} )
game based checking v1
• Build automaton model of each atom (large-constant time)
• Compose sub-models to make composite models. Composing is: automaton projection; intersection; hide matched moves
(order sub-model size squared time)• Check finished model
[Ghica, 2004]
O N + T TECHNIQUES E + F L Y
top-down composition
• Bottom-up composition is always bad
• Top-down can be made bad or good:
• Build model of M(N) according to language semantics:– Start in M model– When it calls its argument build transitions
from N model, etc
lazy composition
• Want checker result, not the model– Make transitions as demanded by checker– Do not store them– Only store set of visited states– Exploring large models is more space-
feasible and time-similar– Stop checking at first error
symbolic models
-replace automaton (state & transition graph) with a function to generate the transitions from a given state
-combine with laziness, produce the transitions as consumed by the checker:now transition function generates ith transition
put it all together:
MAGE
e.g. lazy hash check…
TECEGARHNIQUES
data approximation
• Replace types of identifier occurrence models with approximations
• Redefine operator models to accept approx inputs and produce approx results
• Check & certify: counterexample trace is valid iff it does no nondeterministic branching– n.d. info extends game model by cst factor
on-demand refinement
• Refine model by refining identifier approxes; everything else will work
• Refine only contributors to counterexample– Need hidden (non-game) info
• Iteration guaranteed to terminate
• Stay lazy!– cf. eager tool Game Checker [2006]
P L A N RESULTS
hash e.g. check times
0.001
0.01
0.1
1
10
100
1000
10000
2 4 8 16 32 64 80 96 112 128 256
table size
tim
e (
seco
nd
s)
BLAST2.4
MAGE
MAGE
timeout (45min)
spaceout0.75GB
(CEGAR)
benefits
• The symbolic, lazy, on-demand, approximate, validation, and refinement tricks work well with the compositional models.
• They make verification feasible for many problems involving unfeasibly large unapproximated models
penalties
• Truly compositional modelling still incurs a small inherent time disadvantage
• Laziness not guaranteed to get best (shortest) counterexample
• Refinement approximation-pruning is conservative
plans and hopes
• Modelling a real language, C• Game-based predicate abstraction
• Exploiting compositionality• Prune more• Integrate with heap verification
come to GaLoP!