Automating Modular Veri cation
暂无分享,去创建一个
module (9WP :(P &RP )). In a similar way, we compute the reachability predicate RQ for Q and construct the abstract module (9WQ:(Q&RQ)). To complete the veri cation process, we then use the following rule: (9WP :(P &RP )) k (9WQ:(Q&RQ)) j= 2' P kQ j= 2' (2) Since the systems P kQ and (P &RP ) k (Q&RQ) have the same reachable states, rule (2) is sound. As we shall see, unlike the simplistic rule (1), the improved rule (2) can often be successfully applied even when the setsWP andWQ include variables that contribute to ensure the invariant '. Yet the savings in checking the premise of rule (2) are just as great as those for checking the premise of the earlier rule (1), because the same sets of variables are erased. In other words, (9WP :(P &RP )) k (9WQ:(Q&RQ)) is a more accurate but no more detailed abstraction of P kQ than is (9WP :P )k (9WQ:Q). In our experiments we shall obtain dramatic results by applying rule (2) with the simple heuristics of erasing those variables that are not involved in the communication between P and Q. While reachability information is often used in algorithmic veri cation, the novelty of rule (2) consists in the use of such information for the modular construction of abstractions. The e ectiveness of a rule such as (1) or (2) is directly related to the number of variables that can be erased in a successful application of the rule. Rule (2) improves on rule (1) by using reachability information about the individual modules in the construction of the abstractions, which usually permits the erasure of more variables. It is possible to further improve on the rule (2) by using, in addition to reachability information, also information about the controllability of the individual modules with respect to the speci cation 2'. This improvement is based on the following observation. The predicate RP used in (2) de nes the reachable states of P when P is in a completely general environment. However, the module P may exhibit anomalous behaviors in a completely general environment; in particular, more states may be reachable under a completely general environment than under the speci c environment provided by Q. Of course, we do not want to compute the reachable states of P when P is composed with Q: doing so would require the exploration of the state space of the global system P kQ, which is exactly what our modular veri cation rules try to avoid. To study the module P under a suitable con ning environment, while still avoiding the exploration of the global state space, we consider the module P in the most general environment E that ensures the invariant '; that is, E is the least restrictive module such that P kE j= 2'. In practice, we need not construct E explicitly, but compute only the predicate DP that de nes the set of reachable states of P kE. Since E is more restrictive than the completely general environment, the predicate DP is stronger than RP , and the implication DP ! RP holds. The algorithm for computingDP follows from the standard game-theoretic algorithm for computing the set of states of the module P that are controllable with respect to the invariant '; it can be implemented symbolically or enumeratively, with a time complexity that is linear in the size of the state space of P [Bee80]. 4 This leads to the following modular veri cation rule: (IP ^ IQ)! (DP ^DQ) P k (9WQ:(Q&DQ)) j= 2DP Q k (9WP :(P &DP )) j= 2DQ P kQ j= 2' (3) where WP VP and WQ VQ. The soundness of this rule depends on an inductive argument, and it will be proved in detail in the paper. Essentially, the rst premise ensures that the modules P and Q are initially in states satisfying DP ^ DQ. The second premise shows that, as long as Q does not leave the set de ned by DQ, the module P will not leave the set de ned by DP ; the third premise is symmetrical. As the implications DP ! ' and DQ ! ' hold, the three premises lead to the conclusion. The rule is in fact closely related to inductive forms of assume-guarantee reasoning [Sta85, AL95, AH96, McM97]. The use of the stronger predicates DP and DQ in the second and third premises of the rule (3) potentially enables the erasure of more variables compared to the earlier rule (2). However, in rule (3) this erasure can take place only on one side of the parallel composition operator or, in the case of multi-module systems, for all modules but one. While automatic approaches to the construction of abstractions for model checking have been proposed, for example, in [Kur94, Dam96, GS97, CC99], these approaches do not exploit reachability and controllability information in a modular fashion. In particular, instead of the standard principle \ rst abstract, then model check the abstraction," our approach follows the more re ned principle \ rst model check the components, then use this information to abstract, then model check the compound abstraction." In this way, our modular veri cation rules are doubly geared towards automatic veri cation methods: state-space exploration is used both to compute the reachability and controllability predicates, and to check all temporal premises (those which contain the j= operator). It is worth pointing out that nontemporal premises would result in rules that are considerably less powerful. For example, suppressing variable erasures, the temporal premise (P &RP ) k (Q&RQ) j= 2' of rule (2) is weaker than the two nontemporal premises IP ^ IQ ! ' and ' ^RP ^ TP ^RQ ^ TQ ! '0 would be (here, '0 results from ' by replacing all variables with their primed versions). Similarly, the second premise of rule (3) is weaker than the two nontemporal premises IP ^ IQ ! DQ ^DP and DP ^ TP ^DQ ^ TQ ! D0 P would be. It is easy to nd examples where our temporal premises apply, but their nontemporal counterparts do not. The outline of the paper is as follows. After introducing preliminary de nitions in Section 2, we develop the technical details of the proposed modular veri cation rules in Section 3. The veri cation rules have been implemented on top of the Mocha model checker [AHM+98], using BDD-based xpoint algorithms for the computation of the reachability and controllability predicates. In Section 4 we discuss the implementation of the veri cation rules, and we describe the script language we devised in order to be able to experiment e ciently with 5 various modular veri cation techniques. In Section 5 we present experimental results for three examples: a demarcation protocol used to maintain the consistency between distributed databases [BGM92], a token-ring arbiter, and a sliding-window protocol for data communication [Hol91]. We conclude the paper with some insights gathered in the course of the experimentation with the proposed veri cation rules. 2 Modules Given a set V of typed variables with nite domain, a state s over V is an assignment for V that assigns to each x 2 V a value s[[x]]. We also denote by V0 = fx0 j x 2 Vg the set obtained by priming each variable in V. Given a predicate H over V, we denote by H 0 the predicate obtained by replacing in H every x 2 V with x0 2 V 0. Given a set A and an element x, we often write Anx for Anfxg, when this generates no confusion. A module P = (CP ; EP ; IP ; TP ) consists of the following components: 1. A ( nite) set CP of controlled variables, each with nite domain, consisting of the variables whose values can be accessed and modi ed by P . 2. A ( nite) set EP of external variables, each with nite domain, consisting of the variables whose values can be accessed, but not modi ed, by P . 3. A transition predicate TP over CP [ EP [ C0 P . 4. An initial predicate IP over CP . We denote by VP = CP [ EP the set of variables mentioned by the module. Given a state s over VP , we write s j= IP if IP is satis ed under the variable interpretation speci ed by s. Given two states s; s0 over VP , we write (s; s0) j= TP if predicate TP is satis ed by the interpretation that assigns to x 2 VP the value s[[x]], and to x0 2 V 0 P the value s0[[x]]. A module P is non-blocking if the predicate IP is satis able, i.e., if the module has at least one initial state, and if the assertion 8VP : 9C0 P : TP holds, so that every state has a successor. A trace of module P is a nite sequence of states s0; s1; s2; : : : sn 2 States(VP ), where n 0 and (sk; sk+1) j= TP for all 0 k < n; the trace is initial if s0 j= IP . Two modules P and Q are composable if CP \CQ = ;; in this case, their parallel composition P kQ is de ned as: P kQ = CP [ CQ; (EP [ EQ)n(CP [ CQ); IP ^ IQ; TP ^ TQ : Given a module P and a predicate H over VP , we denote by (P &H) = CP ; EP ; IP ^H;TP ^H the module like P , except that only transitions from states that satisfy H are allowed. Given a module P and a set W of variables, we let (9W:P ) = CPnW; EP nW; 9W : IP ; 9W;W 0 : TP be the module obtained by erasing the variables W in P . Note that the module (P &H) can be blocking even if module P is non-blocking. On the other hand, 6 the parallel composition of non-blocking modules is non-blocking, and a module obtained from a non-blocking module by erasing variables is also non-blocking. A state of a module P is reachable if it appears in some initial trace of P . We denote by Reach(P ) the predicate de ning the reachable states of P ; this predicate can be compute using standard state-space exploration techniques [CES83]. Given a module P and a predicate ', the relation P j= 2' holds i the implication Reach(P ) ! ' is valid. In this paper, we present modular techniques for verifying whether the relation P1 k kPn j= 2' holds, where P1, P2, : : : , Pn are composable modules, for n > 0, and where ' is de ned over the set of variables Sni=1 VPi . This veri cation problem is known as the invariant veri cation problem, and it is one of the most basic problems in formal veri cation. 3 Modular Rules for Invariant Veri cation In this section, we present three modular rules for the veri cation of invariants; the rules are presented in order of increasing sophistication, and
[1] Dennis Dams,et al. Abstract interpretation and partition refinement for model checking , 1996 .
[2] Kenneth L. McMillan,et al. A Compositional Rule for Hardware Design Refinement , 1997, CAV.
[3] P. Ramadge,et al. Supervisory control of a class of discrete event processes , 1987 .
[4] Eugene W. Stark,et al. A Proof Technique for Rely/Guarantee Properties , 1985, FSTTCS.
[5] Thomas A. Henzinger,et al. MOCHA: Modularity in Model Checking , 1998, CAV.
[6] BeeriCatriel. On the menbership problem for functional and multivalued dependencies in relational databases , 1980 .
[7] E. Clarke,et al. Automatic Veriication of Nite-state Concurrent Systems Using Temporal-logic Speciications. Acm , 1993 .
[8] Martin Peschke,et al. Design and Validation of Computer Protocols , 2003 .
[9] Hassen Saïdi,et al. Construction of Abstract State Graphs with PVS , 1997, CAV.
[10] Hector Garcia-Molina,et al. The Demarcation Protocol: A Technique for Maintaining Linear Arithmetic Constraints in Distributed Database Systems , 1992, EDBT.
[11] Thomas A. Henzinger,et al. Reactive Modules , 1996, Proceedings 11th Annual IEEE Symposium on Logic in Computer Science.