Learning to verify systems

Making high quality and reliable software systems remains a difficult problem. One approach to address this problem is automated verification which attempts to demonstrate algorithmically that a software system meets its specification. However, verification of software systems is not easy: such systems are often modeled using abstractions of infinite structures such as unbounded integers, infinite memory for allocation, unbounded space for call stack, unrestricted queue sizes and so on. It can be shown that for most classes of such systems, the verification problem is actually undecidable (there exists no algorithm which will always give the correct answer for arbitrary inputs). In spite of this negative theoretical result, techniques have been developed which are successful on some practical examples although they are not guaranteed to always work. This dissertation is in a similar spirit and develops a new paradigm for automated verification of large or infinite state systems. We observe that even if the state space of a system is infinite, for practical examples, the set of reachable states (or other fixpoints needed for verification) is often expressible in a simple representation. Based on this observation, we propose an entirely new approach to verification: the idea is to use techniques from computational learning theory to identify the reachable states (or other fixpoints) and then verify the property of interest. To use learning techniques, we solve key problems of either getting positive and negative examples for the fixpoint of interest or of answering membership and equivalence queries for this fixpoint. We show that learning-based verification is a powerful approach: as long as one has suitable algorithms which can learn the fixpoints needed and decision procedures for some common set-theoretic operations, one can guarantee that the verification procedure will either find a bug or prove that the system is correct. In particular, we have seen that for a large number of practical systems, the class of regular languages is rich enough to express these fixpoints, allowing us to automatically verify such systems using learning algorithms for regular sets. We show how the learning-based verification paradigm can be applied to a number of systems and for different kinds of specifications. First, we use learning to verify safety properties of finite state machines communicating over unbounded first-in-first-out channels. (Abstract shortened by UMI.)

[1]  Boris A. Trakhtenbrot,et al.  Finite automata : behavior and synthesis , 1973 .

[2]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[3]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[4]  Jean Berstel,et al.  Transductions and context-free languages , 1979, Teubner Studienbücher : Informatik.

[5]  Daniel Brand,et al.  On Communicating Finite-State Machines , 1983, JACM.

[6]  Chin-Laung Lei,et al.  Efficient Model Checking in Fragments of the Propositional Mu-Calculus (Extended Abstract) , 1986, LICS.

[7]  Pierre Wolper,et al.  An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report) , 1986, LICS.

[8]  Dana Angluin,et al.  Learning Regular Sets from Queries and Counterexamples , 1987, Inf. Comput..

[9]  Nicolas Halbwachs,et al.  Minimal Model Generation , 1990, CAV.

[10]  Gul A. Agha,et al.  ACTORS - a model of concurrent computation in distributed systems , 1985, MIT Press series in artificial intelligence.

[11]  Moshe Y. Vardi Verification of Concurrent Programs: The Automata-Theoretic Framework , 1991, Ann. Pure Appl. Log..

[12]  Michael J. C. Gordon,et al.  Introduction To The Hol System , 1991, 1991., International Workshop on the HOL Theorem Proving System and Its Applications.

[13]  David Lee,et al.  Online minimization of transition systems (extended abstract) , 1992, STOC '92.

[14]  Thomas A. Henzinger,et al.  Symbolic model checking for real-time systems , 1992, [1992] Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science.

[15]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[16]  Randal E. Bryant,et al.  Symbolic Boolean manipulation with ordered binary-decision diagrams , 1992, CSUR.

[17]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[18]  Thomas A. Henzinger,et al.  Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems , 1992, Hybrid Systems.

[19]  Ronald L. Rivest,et al.  Inference of finite automata using homing sequences , 1989, STOC '89.

[20]  Rajeev Alur,et al.  A Theory of Timed Automata , 1994, Theor. Comput. Sci..

[21]  Umesh V. Vazirani,et al.  An Introduction to Computational Learning Theory , 1994 .

[22]  Zohar Manna,et al.  Temporal Verification Diagrams , 1994, TACS.

[23]  R. Bryant Binary decision diagrams and beyond: enabling technologies for formal verification , 1995, Proceedings of IEEE International Conference on Computer Aided Design (ICCAD).

[24]  Pravin Varaiya,et al.  What's decidable about hybrid automata? , 1995, STOC '95.

[25]  Thomas A. Henzinger,et al.  The Algorithmic Analysis of Hybrid Systems , 1995, Theor. Comput. Sci..

[26]  Pierre Dupont,et al.  Incremental regular inference , 1996, ICGI.

[27]  Henny B. Sipma,et al.  Deductive Model Checking , 1996, CAV.

[28]  T. Henzinger The theory of hybrid automata , 1996, LICS 1996.

[29]  Laurent Fribourg,et al.  Reachability sets of parameterized rings as regular languages , 1997, INFINITY.

[30]  Patrice Godefroid,et al.  Automatic Synthesis of Specifications from the Dynamic Observation of Reactive Programs , 1997, TACAS.

[31]  J. Strother Moore,et al.  An Industrial Strength Theorem Prover for a Logic Based on Common Lisp , 1997, IEEE Trans. Software Eng..

[32]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[33]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[34]  R. Gerber,et al.  Automated symbolic analysis of reactive systems , 1998 .

[35]  William G. Griswold,et al.  Dynamically discovering likely program invariants to support program evolution , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[36]  Mihalis Yannakakis,et al.  Black Box Checking , 1999 .

[37]  Bruce H. Krogh,et al.  Verification of Polyhedral-Invariant Hybrid Automata Using Polygonal Flow Pipe Approximations , 1999, HSCC.

[38]  Lawrence C. Paulson Introduction to Isabelle , 1999 .

[39]  Giorgio Delzanno,et al.  Model Checking in CLP , 1999, TACAS.

[40]  Ahmed Bouajjani,et al.  Symbolic Reachability Analysis of FIFO-Channel Systems with Nonregular Sets of Configurations , 1999, Theor. Comput. Sci..

[41]  David L. Dill,et al.  Experience with Predicate Abstraction , 1999, CAV.

[42]  Thomas Genet,et al.  Rewriting for Cryptographic Protocol Verification , 2000, CADE.

[43]  Amir Pnueli,et al.  Liveness and Acceleration in Parameterized Verification , 2000, CAV.

[44]  Pierre Wolper,et al.  An automata-theoretic approach to branching-time model checking , 2000, JACM.

[45]  Marcus Nilsson,et al.  Transitive Closures of Regular Relations for Verifying Infinite-State Systems , 2000, TACAS.

[46]  Pravin Varaiya,et al.  Ellipsoidal Techniques for Reachability Analysis , 2000, HSCC.

[47]  J. Meseguer,et al.  Building Equational Proving Tools by Reflection in Rewriting Logic , 2000 .

[48]  Marcus Nilsson,et al.  Regular Model Checking , 2000, CAV.

[49]  Ahmed Bouajjani,et al.  TReX: A Tool for Reachability Analysis of Complex Systems , 2001, CAV.

[50]  Rajesh Parekh,et al.  DFA Learning from Simple Examples , 2001 .

[51]  Philippe Schnoebelen,et al.  Well-structured transition systems everywhere! , 2001, Theor. Comput. Sci..

[52]  Yassine Lakhnech,et al.  Iterating transducers , 2001, J. Log. Algebraic Methods Program..

[53]  Stefan Leue,et al.  Protocol verification with heuristic search , 2001 .

[54]  Tayssir Touili Regular Model Checking using Widening Techniques , 2001, Electron. Notes Theor. Comput. Sci..

[55]  Alex Groce,et al.  Adaptive Model Checking , 2002, Log. J. IGPL.

[56]  Narciso Martí-Oliet,et al.  Maude: specification and programming in rewriting logic , 2002, Theor. Comput. Sci..

[57]  Paul E. McKenney,et al.  READ-COPY UPDATE: USING EXECUTION HISTORY TO SOLVE CONCURRENCY PROBLEMS , 2002 .

[58]  D. Dill,et al.  Counter-Example Based Predicate Discovery in Predicate Abstraction , 2002, FMCAD.

[59]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[60]  Andrei Voronkov,et al.  BRAIN : Backward Reachability Analysis with Integers , 2002, AMAST.

[61]  Marco Pistore,et al.  Nusmv version 2: an opensource tool for symbolic model checking , 2002, CAV 2002.

[62]  Laure Petrucci,et al.  FAST: Fast Acceleration of Symbolikc Transition Systems , 2003, CAV.

[63]  José Meseguer,et al.  The Maude LTL Model Checker and Its Implementation , 2003, SPIN.

[64]  Alain Finkel,et al.  Well-abstracted transition systems: application to FIFO automata , 2003, Inf. Comput..

[65]  Stefan Biffl,et al.  Software Reviews: The State of the Practice , 2003, IEEE Softw..

[66]  Paul E. McKenney,et al.  Using Read-Copy-Update Techniques for System V IPC in the Linux 2.5 Kernel , 2003, USENIX Annual Technical Conference, FREENIX Track.

[67]  David Monniaux Abstracting cryptographic protocols with tree automata , 2003, Sci. Comput. Program..

[68]  Gerard J. Holzmann,et al.  The SPIN Model Checker , 2003 .

[69]  Parosh Aziz Abdulla,et al.  Algorithmic Improvements in Regular Model Checking , 2003, CAV.

[70]  Pierre Wolper,et al.  Iterating Transducers in the Large (Extended Abstract) , 2003, CAV.

[71]  Tevfik Bultan,et al.  Widening Arithmetic Automata , 2004, CAV.

[72]  Alex Groce,et al.  Modular verification of software components in C , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[73]  Tomás Vojnar,et al.  Regular Model Checking Using Inference of Regular Languages , 2004, INFINITY.

[74]  José Meseguer,et al.  Symbolic Reachability Analysis Using Narrowing and its Application to Verification of Cryptographic Protocols , 2004, WRLA.

[75]  Toshinori Takai,et al.  A Verification Technique Using Term Rewriting Systems and Abstract Interpretation , 2004, RTA.

[76]  Rajeev Alur,et al.  Visibly pushdown languages , 2004, STOC '04.

[77]  Grégoire Sutre,et al.  On Flatness for 2-Dimensional Vector Addition Systems with States , 2004, CONCUR.

[78]  Mahesh Viswanathan,et al.  Learning to Verify Safety Properties , 2004, ICFEM.

[79]  Mahesh Viswanathan,et al.  Actively Learning to Verify Safety for FIFO Automata , 2004, FSTTCS.

[80]  Grigore Rosu,et al.  An Overview of the Runtime Verification Tool Java PathExplorer , 2004, Formal Methods Syst. Des..

[81]  Jonathan Walpole,et al.  Exploiting deferred destruction: an analysis of read-copy-update techniques in operating system kernels , 2004 .

[82]  Mahesh Viswanathan,et al.  Using Language Inference to Verify Omega-Regular Properties , 2005, TACAS.

[83]  José Meseguer,et al.  Natural Narrowing for General Term Rewriting Systems , 2004, RTA.

[84]  Thomas W. Reps,et al.  Abstraction Refinement via Inductive Learning , 2005, CAV.

[85]  José Meseguer,et al.  Complete symbolic reachability analysis using back-and-forth narrowing , 2005, Theor. Comput. Sci..

[86]  Mahesh Viswanathan,et al.  Learning to verify branching time properties , 2005, ASE '05.

[87]  Grégoire Sutre,et al.  Flat Counter Automata Almost Everywhere! , 2005, ATVA.

[88]  Rajeev Alur,et al.  Symbolic Compositional Verification by Learning Assumptions , 2005, CAV.

[89]  Sagar Chaki,et al.  Automated Assume-Guarantee Reasoning for Simulation Conformance , 2005, CAV.

[90]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching Time Temporal Logic , 2008, 25 Years of Model Checking.