ProPed. Tool for Symbolic Verification of Probablistic Recursive Programs. University of Missouri Columbia, Missouri, USA

Size: px

Start display at page:

Download "ProPed. Tool for Symbolic Verification of Probablistic Recursive Programs. University of Missouri Columbia, Missouri, USA"

Audra Conley
6 years ago
Views:

ProPed Tool for Symbolic Verification of Probablistic Recursive Programs Rohit Chadha 1 Umang Mathur 2 Stefan Schwoon 3 1 Computer Science Department University of Missouri Columbia,

1 ProPed Tool for Symbolic Verification of Probablistic Recursive Programs Rohit Chadha 1 Umang Mathur 2 Stefan Schwoon 3 1 Computer Science Department University of Missouri Columbia, Missouri, USA 2 Department of Computer Science and Engineering Indian Institute of Tchnology - Bombay Mumbai 3 LSV, ENS Cachan France January 23, 2014 Rohit Chadha, Umang Mathur, Stefan Schwoon 1 of 17

2 ProPed: Symbolic Verification + Probablistic + Recursion Figure: Comparison with existing state-of-the-art tools Rohit Chadha, Umang Mathur, Stefan Schwoon 2 of 17

3 ProPed: Symbolic Verification + Probablistic + Recursion Figure: Comparison with existing state-of-the-art tools Moped: Recursion and symbolic program verification but no probability Rohit Chadha, Umang Mathur, Stefan Schwoon 2 of 17

4 ProPed: Symbolic Verification + Probablistic + Recursion Figure: Comparison with existing state-of-the-art tools Moped: Recursion and symbolic program verification but no probability PRISM: Symbolic program analysis and probability but no recursion Rohit Chadha, Umang Mathur, Stefan Schwoon 2 of 17

5 ProPed: Symbolic Verification + Probablistic + Recursion Figure: Comparison with existing state-of-the-art tools Moped: Recursion and symbolic program verification but no probability PRISM: Symbolic program analysis and probability but no recursion PReMo: Recursion and probability but explicit state model checking Rohit Chadha, Umang Mathur, Stefan Schwoon 2 of 17

6 ProPed: Symbolic Verification + Probablistic + Recursion Figure: Comparison with existing state-of-the-art tools Moped: Recursion and symbolic program verification but no probability PRISM: Symbolic program analysis and probability but no recursion PReMo: Recursion and probability but explicit state model checking ProPed = Moped PRISM PReMo Rohit Chadha, Umang Mathur, Stefan Schwoon 2 of 17

7 ProPed: Symbolic Verification + Probablistic + Recursion Figure: Comparison with existing state-of-the-art tools Moped: Recursion and symbolic program verification but no probability PRISM: Symbolic program analysis and probability but no recursion PReMo: Recursion and probability but explicit state model checking ProPed = Moped PRISM PReMo ProPed is a MTBDD-based tool that analyzes probabilistic recursive programs Rohit Chadha, Umang Mathur, Stefan Schwoon 2 of 17

8 Probabilistic Recursive Programs Analysis of Probabilistic Recursive Programs: Modeling the program Rohit Chadha, Umang Mathur, Stefan Schwoon 3 of 17

9 Probabilistic Recursive Programs Analysis of Probabilistic Recursive Programs: Modeling the program Reachability Analysis and Property Checking Rohit Chadha, Umang Mathur, Stefan Schwoon 3 of 17

10 Probabilistic Recursive Programs Analysis of Probabilistic Recursive Programs: Modeling the program Reachability Analysis and Property Checking Calculating Information Leakage Rohit Chadha, Umang Mathur, Stefan Schwoon 3 of 17

11 Example program procedure p; p0: if? then p1: call s; p2: if? then wp 0.2 -> call p; wp 0.8 -> skip; end if; else p3: call p; P4: return end if procedure s; s0: if? then return; end if; s1: call p; s2: return; procedure main ; m0: call s; m1: return; S = {p 0,..., p 4, s 0,..., s 2, m 0, m 1 }, initial state = m 0 Rohit Chadha, Umang Mathur, Stefan Schwoon 4 of 17

12 Example program procedure p; p0: if? then p1: call s; p2: if? then wp 0.2 -> call p; wp 0.8 -> skip; end if; else p3: call p; P4: return end if procedure s; s0: if? then return; end if; s1: call p; s2: return; procedure main ; m0: call s; m1: return; S = {p 0,..., p 4, s 0,..., s 2, m 0, m 1 }, initial state = m 0 m1 ε m0 s0 m1 p1 s2 m1 s0 p2 s2 m1 s1 m1 p0 s2 m1 p3 s2 m1 p0 p4 s2 m1 Rohit Chadha, Umang Mathur, Stefan Schwoon 4 of 17

13 Analysis of Recursive Programs is not Straightforward Potentially infinite state space! Rohit Chadha, Umang Mathur, Stefan Schwoon 5 of 17

14 Analysis of Recursive Programs is not Straightforward Potentially infinite state space! Simple unrolling/inlining is not applicable Rohit Chadha, Umang Mathur, Stefan Schwoon 5 of 17

15 Analysis of Recursive Programs is not Straightforward Potentially infinite state space! Simple unrolling/inlining is not applicable Cannot be analyzed by naively searching all reachable states Rohit Chadha, Umang Mathur, Stefan Schwoon 5 of 17

16 Analysis of Recursive Programs is not Straightforward Potentially infinite state space! Simple unrolling/inlining is not applicable Cannot be analyzed by naively searching all reachable states Some finite representation is required Rohit Chadha, Umang Mathur, Stefan Schwoon 5 of 17

17 Computation Model for Probabilistic Recursive Programs Control flow: Sequential (probabilistic) program Procedures Mutual procedure calls (possibly recursive) Rohit Chadha, Umang Mathur, Stefan Schwoon 6 of 17

18 Computation Model for Probabilistic Recursive Programs Control flow: Sequential (probabilistic) program Procedures Mutual procedure calls (possibly recursive) Data: Global Variables (finite memory) Local Variables in each procedure (one copy per call) Rohit Chadha, Umang Mathur, Stefan Schwoon 6 of 17

19 Pushdown Systems: Syntax and Semantics A pushdown system is a triple (P, Γ, δ), where P is a finite set of control locations (states) Γ is a finite stack alphabet δ (P Γ) (P Γ ) is a finite set of rules Rohit Chadha, Umang Mathur, Stefan Schwoon 7 of 17

20 Pushdown Systems: Syntax and Semantics A pushdown system is a triple (P, Γ, δ), where P is a finite set of control locations (states) Γ is a finite stack alphabet δ (P Γ) (P Γ ) is a finite set of rules A configuration is a pair pα, where p P and α Γ Semantics: A (possibly infinite) transition system with configurations as states and transitions given by If px qα δ, then pxβ qαβ for every β Γ Rohit Chadha, Umang Mathur, Stefan Schwoon 7 of 17

21 Pushdown Systems: Syntax and Semantics A pushdown system is a triple (P, Γ, δ), where P is a finite set of control locations (states) Γ is a finite stack alphabet δ (P Γ) (P Γ ) is a finite set of rules A configuration is a pair pα, where p P and α Γ Semantics: A (possibly infinite) transition system with configurations as states and transitions given by If px qα δ, then pxβ qαβ for every β Γ Normalization α 2 (each transition pushes atmost 2 symbols on the stack), termination only by empty stack. Rohit Chadha, Umang Mathur, Stefan Schwoon 7 of 17

22 Probabilistic Pushdown Systems: Syntax and Semantics A probabilistic pushdown system is a tuple P = (P, Γ, δ, P rob), where (P, Γ, δ) is a PDS P rob : δ (0, 1] such that for every pair px, we have P px qα P rob(px qα) = 1 px x qα to denote P rob(px qα) = x Rohit Chadha, Umang Mathur, Stefan Schwoon 8 of 17

23 Probabilistic Pushdown Systems: Syntax and Semantics A probabilistic pushdown system is a tuple P = (P, Γ, δ, P rob), where (P, Γ, δ) is a PDS P rob : δ (0, 1] such that for every pair px, we have P px qα P rob(px qα) = 1 px x qα to denote P rob(px qα) = x Semantics: A (possibly infinite) Markov chain with configurations as states and transition probabilities given by If px x qα δ, then pxβ x qαβ for every β Γ Rohit Chadha, Umang Mathur, Stefan Schwoon 8 of 17

24 From programs to pushdown systems State of a procedural program: (g, n, l, (n 1, l 1) (n k, l k )), where g is a valuation of the global variables, n is the value of the program counter, l is a valuation of local variables of the current active procedure, n i is a return address, and l i is a saved valuation of the local variables of a calling procedure Modeled as a configuration pxy 1 Y k where p = g X = (n, l) Y i = (n i, l i) Rohit Chadha, Umang Mathur, Stefan Schwoon 9 of 17

25 From programs to pushdown systems The following correspondence between a program and PDS holds: State p corresponds to valuations of global variables Γ corresponds to tuples of the form (program counter, local valuations) Configuration paw can be interpreted with globals in p, current procedure with local variables in A and suspended procedures in w Rule px qy corresponds to a sequential statement within a procedure Rule px qy Z corresponds to a call to some procedure Rule px qε corresponds to a return from some procedure Rohit Chadha, Umang Mathur, Stefan Schwoon 10 of 17

26 Probabilistic Verification Qualitative properties: Does a program property hold with probability 1? Rohit Chadha, Umang Mathur, Stefan Schwoon 11 of 17

27 Probabilistic Verification Qualitative properties: Does a program property hold with probability 1? Quantitative properties: What is the probability with which a certain property hold? Reachability of control states simple PCTL properties such as (l 1 l 2 l k ), where l i are labels in the program Rohit Chadha, Umang Mathur, Stefan Schwoon 11 of 17

28 Quantitative Verification: Formulating system of non-linear equations Define a variable [pxq] as the probability of starting at the configuration px and eventually reaching the configuration qε. Rohit Chadha, Umang Mathur, Stefan Schwoon 12 of 17

29 Quantitative Verification: Formulating system of non-linear equations Define a variable [pxq] as the probability of starting at the configuration px and eventually reaching the configuration qε. Theorem (J. Esparza, A. Kucĕra, R. Mayr) The [pxq]s are the least solution of the following system of equations: [pxq] = P px qε x x + P px ry x x.[ry q] + P px ry x x. P Z t P [ry t].[tzq] Rohit Chadha, Umang Mathur, Stefan Schwoon 12 of 17

30 Quantitative Verification: Formulating system of non-linear equations Define a variable [pxq] as the probability of starting at the configuration px and eventually reaching the configuration qε. Theorem (J. Esparza, A. Kucĕra, R. Mayr) The [pxq]s are the least solution of the following system of equations: [pxq] = P px qε x x + P px ry x x.[ry q] + P px ry x x. P Z t P [ry t].[tzq] The system is of the form x = P (x), and the sequence 0, P (0), P 2 (0) converges to the least solution. Rohit Chadha, Umang Mathur, Stefan Schwoon 12 of 17

31 Fixed-point Computation The variables [pxq] are just relations over the initial and final valuations of variables The statements of the program are also similar relations Stmt Stmt: x =!x x 0x2c x' 0x29 0x2b 0 1 Can be represented efficiently as MTBBDs (= BDDs + real values on the terminal nodes) Fixed point computation - Jacobi Iterative Method Use of CUDD library for MTBDD (ADD) manipulations. Rohit Chadha, Umang Mathur, Stefan Schwoon 13 of 17

32 Information Leakage Leakage measured in terms of min-entropy (G. Smith) For a given set of inputs S and outputs O, min-entropy leakage, L SO =, where log V (S O) V (S) S is a random variable on S and having distribution P S O is a random variable on O and having distribution P O V (S) = max s S P S[s] V (S O) = P o O P O[o].max s S P [s o] Computing the above metric is simply basic ADD manipulation! Rohit Chadha, Umang Mathur, Stefan Schwoon 14 of 17

33 Technical details about the tool Input language: Remopla with an additional pchoice construct define N 32 define DEFAULT_INT_BITS N unsigned int var1; bool g; module void f(unsigned int v, bool z){ } bool k; pchoice :: 0.2 -> label2: k = g && z; :: 0.8 -> var1 = var1 + v; choicep module void main(){ } var1 = 53; pchoice :: 0.3 -> label1: g = true; :: 0.7 -> f(var1,!g); choicep Figure: An input program for ProPed Parser and other libraries (CUDD, etc.,) : C Analysis (Fixed point computation) : C++ Rohit Chadha, Umang Mathur, Stefan Schwoon 15 of 17

34 More about MTBDDs main 0 0x x1942 0x193f 0x1940 0x1941 0x1938 0x193b 0x193e 0x1937 0x193a 0x193d 0x1935 0x1936 MTBDD = Multi Terminal Binary Decision Diagram Figure: An MTBDD CUDD : ADD (Algebraic Decision Diagram) interface Provides important Utilities: Cudd addtimes Cudd addplus Cudd addpermute Cudd addmatrixmultiply Cudd addcmpl, Cudd addxnor, Cudd addexistabstract, Cudd addmaxabstract, Rohit Chadha, Umang Mathur, Stefan Schwoon 16 of 17

35 Possible Improvements and Extensions Use faster iteration methods (Jacobi is too slow) such as Newton-Raphson iterations Repeated Reachability : Büchi Information leakage by energy characterization Rohit Chadha, Umang Mathur, Stefan Schwoon 17 of 17

Model checking pushdown systems

Model checking pushdown systems R. Ramanujam Institute of Mathematical Sciences, Chennai jam@imsc.res.in Update Meeting, IIT-Guwahati, 4 July 2006 p. 1 Sources of unboundedness Data manipulation: integers,