On-the-fly techniques for compositional game-based model checking, Adam Bakewell & Dan Ghica
Posted on 19-Dec-2015
ON-THE-FLY TECHNIQUES FOR COMPOSITIONAL GAME-BASED MODEL CHECKING
Adam Bakewell & Dan Ghica, University of Birmingham
on-the-fly techniques for compositional model checking
1. What are game models (& why)?
2. On-the-fly techniques
3. CEGAR techniques
4. Results and prospects
GAME MODELS
game models
Compositional: handle open code, components, unknown user behaviours
Encode exact behaviour: get all errors
Hide internal activity: only record actions in interface (environment + result)
e.g. interface
b : boolean, n : nat_k, user : command -> command |- M : command
Component 'M' is a command that can call 'user' and read or write 'b' and 'n' (with different results each time)
game models
• 1up - Player O: the user/context
• 2up - Player P: the program
• Move: place (.call | :=v | .ret | .v)
• Play: valid sequence of alternating moves
• Model: all plays
e.g. model
e.g. code: hashing
|- boolean table[2*k];
   for (i := 2*k - 1; i > 0; table[--i] := false);
   command hashword (x : nat_k) {
     nat_{2*k} h := 0;
     for (i := 3; i > 0; i--) h := h + !x;
     b := table[h];
     table[h] := true
   }
   user (hashword (n))
Model building
• Model has regular language representation
  – for languages excluding recursion, 2nd+-order functions, infinite integers, heap
e.g. regular model
.call, {table:=[false,…,false]} user.call,
( user-arg.call, n.call, n.x, n.call, n.y, n.call, n.z, {h=(x+y+z)%tablesize} b:=table[h], b.ret, {table[h]:=true} user-arg.ret )*
user.ret, .ret
e.g. hash regular model
.call, {table:=[false,…,false,┴]} user.call,
( user-arg.call, n.call, n.x, n.call, n.y, n.call, n.z, b:=table[x+y+z], b.ret, user-arg.ret, {if x+y+z < tablesize-1} )*
( (user.ret, .ret) + (user-arg.call, n.call, n.x, n.call, n.y, n.call, n.z, exception.┴ {if x+y+z = tablesize-1}) )
game based checking v1
• Build automaton model of each atom (large-constant time)
• Compose sub-models to make composite models. Composing is: automaton projection; intersection; hide matched moves (order sub-model size squared time)
• Check finished model
[Ghica, 2004]
ON-THE-FLY TECHNIQUES
top-down composition
• Bottom-up composition is always bad
• Top-down can be made bad or good:
• Build model of M(N) according to language semantics:
  – Start in M model
  – When it calls its argument, build transitions from N model, etc.
lazy composition
• Want checker result, not the model
  – Make transitions as demanded by checker
  – Do not store them
  – Only store set of visited states
  – Exploring large models is more space-feasible and time-similar
  – Stop checking at first error
symbolic models
- replace automaton (state & transition graph) with a function to generate the transitions from a given state
- combine with laziness, produce the transitions as consumed by the checker: now the transition function generates the i-th transition
put it all together:
MAGE
e.g. lazy hash check…
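As an added example (not the authors' MAGE tool nor code from the slides), the following Python treats the hashing component above as a symbolic, lazily explored game model: Player O supplies the three reads of n, Player P looks up the table, transitions are generated on demand, only the visited-state set is stored, and the check stops at the first play reaching the exception. It assumes nat_m ranges over 0..m-1 and wraps mod m (as slide 10's "% tablesize" suggests), and includes a hardened initialisation for contrast.

```python
# Added example (not the authors' MAGE code): lazy, symbolic exploration of the
# game model for the slides' hashing component. Move names follow the slides;
# the state encoding and checker are my own; nat_m is assumed to wrap mod m.
def init_table(k, fixed=False):
    """Mirror the slide's loop: for(i := 2*k-1; i > 0; table[--i] := false);
    It writes indices 2*k-2 .. 0, so table[2*k-1] stays uninitialised (None = ┴).
    fixed=True is the hardened form in which every cell is initialised."""
    if fixed:
        return [False] * (2 * k)
    table = [None] * (2 * k)
    i = 2 * k - 1
    while i > 0:
        i -= 1
        table[i] = False
    return table

def transitions(state, k):
    """Symbolic model: generate moves from a state on demand instead of storing an
    automaton. State = (phase, table, reads). Player O (the user) chooses each value
    read from n (the slides' n.x, n.y, n.z); P then reads and writes table[h]."""
    phase, table, reads = state
    if phase == "user":                        # O may call the argument again, or return
        yield "user.ret", ("done", table, ())
        yield "user-arg.call", ("reading", table, ())
    elif phase == "reading":
        if len(reads) < 3:                     # three reads of n : nat_k
            for v in range(k):
                yield f"n.{v}", ("reading", table, reads + (v,))
        else:
            h = sum(reads) % (2 * k)           # h : nat_{2k} wraps at the table size
            if table[h] is None:               # read of the ┴ cell: the exception move
                yield "exception", ("error", table, reads)
            else:
                new = tuple(True if j == h else c for j, c in enumerate(table))
                yield f"b:=table[{h}]", ("user", new, ())

def lazy_check(k, fixed=False):
    """On-the-fly check: transitions are consumed as produced and never stored; only
    the set of visited states is kept; stop at the first reachable error state.
    Returns (counterexample play or None, number of states visited)."""
    start = ("user", tuple(init_table(k, fixed)), ())
    seen, stack = {start}, [(start, ())]
    while stack:
        state, play = stack.pop()
        if state[0] == "error":
            return play, len(seen)
        for move, nxt in transitions(state, k):
            if nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, play + (move,)))
    return None, len(seen)
```

The counterexample play is the sequence of O and P moves leading to the uninitialised cell; with the hardened initialisation no error state is reachable and the whole (small) model is visited.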
CEGAR TECHNIQUES
data approximation
• Replace types of identifier occurrence models with approximations
• Redefine operator models to accept approx inputs and produce approx results
• Check & certify: counterexample trace is valid iff it does no nondeterministic branching
  – n.d. info extends game model by a constant factor
on-demand refinement
• Refine model by refining identifier approximations; everything else will work
• Refine only contributors to counterexample
  – Need hidden (non-game) info
• Iteration guaranteed to terminate
• Stay lazy!
  – cf. eager tool Game Checker [2006]
RESULTS & PLANS
hash e.g. check times
[Figure: checking time in seconds (log scale, 0.001 to 10000) against table size (2, 4, 8, 16, 32, 64, 80, 96, 112, 128, 256) for BLAST 2.4, MAGE and MAGE (CEGAR); timeout 45 min, spaceout 0.75 GB]
benefits
• The symbolic, lazy, on-demand, approximate, validation, and refinement tricks work well with the compositional models.
• They make verification feasible for many problems whose unapproximated models are infeasibly large
penalties
• Truly compositional modelling still incurs a small inherent time disadvantage
• Laziness not guaranteed to get best (shortest) counterexample
• Refinement approximation-pruning is conservative
plans and hopes
• Modelling a real language, C
• Game-based predicate abstraction
• Exploiting compositionality
• Prune more
• Integrate with heap verification
come to GaLoP!