O MN O+ DTECHNIQUESH L CE H+ GAME-BASEDFOR CL KY I N G

Adam Bakewell& Dan GhicaUniversity ofBirmingham

on-the-fly techniques for compositional model checking

1. What are game models (&why)?

2. On-the-fly techniques

3. CEGAR techniques

4. Results and prospects

GAMODELSE

game models

Compositional: handle open code, components, unknown user behaviours

Encode exact behaviour: get all errors

Hide internal activity: only record actions in interface (environment + result)

e.g. interface

b:boolean,n:natk

,

user:command -> command|-M : command

Component ‘M’ is a command that canCall ‘user’ and read or write ‘b’ and ‘n’(with different results each time)

game models

• 1up - Player O: the user/context• 2up - Player P: the program• Move: place (.call | :=v | .ret | .v)• Play: valid sequence of alternating

moves• Model: all plays

e.g. model

e.g. model

e.g. code: hashing

|-boolean table[2*k];

for(i := 2*k - 1; i > 0; table[--i] := false);

command hashword (x:natk) {nat2*k h := 0;for (i := 3; i > 0; i--) h := h + !x;b := table[h];table[h] := true

}

user (hashword (n))

Model building

• Model has regular language representation– for languages excluding recursion, 2nd+-

order functions, infinite integers, heap

e.g. regular model

.call,{table:=[false,…,false]}user.call, (

user-arg.call,n.call, n.x, n.call, n.y, n.call, n.z,{h=(x+y+z)%tablesize}b:=table[h], b.ret,{table[h]:=true}user-arg.ret, )*

user.ret,.ret

e.g. hash regular model

.call, {table:=[false,…,false,┴]} user.call,

(user-arg.call, n.call, n.x, n.call, n.y,n.call,n.z, b:=table[x+y+z], b.ret, user-arg.ret,{if x+y+z < tablesize-1} )*

(user.ret, .ret)+(user-arg.call, n.call, n.x, n.call, n.y,n.call,n.z,

exception.┴ {if x+y+z=tablesize-1} )

game based checking v1

• Build automaton model of each atom (large-constant time)

• Compose sub-models to make composite models. Composing is: automaton projection; intersection; hide matched moves

(order sub-model size squared time)• Check finished model

[Ghica, 2004]

O N + T TECHNIQUES E + F L Y

top-down composition

• Bottom-up composition is always bad

• Top-down can be made bad or good:

• Build model of M(N) according to language semantics:– Start in M model– When it calls its argument build transitions

from N model, etc

lazy composition

• Want checker result, not the model– Make transitions as demanded by checker– Do not store them– Only store set of visited states– Exploring large models is more space-

feasible and time-similar– Stop checking at first error

symbolic models

-replace automaton (state & transition graph) with a function to generate the transitions from a given state

-combine with laziness, produce the transitions as consumed by the checker:now transition function generates ith transition

put it all together:

MAGE

e.g. lazy hash check…

TECEGARHNIQUES

data approximation

• Replace types of identifier occurrence models with approximations

• Redefine operator models to accept approx inputs and produce approx results

• Check & certify: counterexample trace is valid iff it does no nondeterministic branching– n.d. info extends game model by cst factor

on-demand refinement

• Refine model by refining identifier approxes; everything else will work

• Refine only contributors to counterexample– Need hidden (non-game) info

• Iteration guaranteed to terminate

• Stay lazy!– cf. eager tool Game Checker [2006]

P L A N RESULTS

hash e.g. check times

0.001

0.01

0.1

1

10

100

1000

10000

2 4 8 16 32 64 80 96 112 128 256

table size

tim

e (

seco

nd

s)

BLAST2.4

MAGE

MAGE

timeout (45min)

spaceout0.75GB

(CEGAR)

benefits

• The symbolic, lazy, on-demand, approximate, validation, and refinement tricks work well with the compositional models.

• They make verification feasible for many problems involving unfeasibly large unapproximated models

penalties

• Truly compositional modelling still incurs a small inherent time disadvantage

• Laziness not guaranteed to get best (shortest) counterexample

• Refinement approximation-pruning is conservative

plans and hopes

• Modelling a real language, C• Game-based predicate abstraction

• Exploiting compositionality• Prune more• Integrate with heap verification

come to GaLoP!