Dynamic Invariant Detection for Program Understanding and Reliability

MIT 2001-01


Progress Report: July 1, 2002‹December 31, 2002


Michael Ernst




Project Overview


The Program Analysis Group (PAG) of MIT is collaborating with Tadashi Araragi of NTT on problems raised by NTT's Erdös internet agent system.  The goal is to formally verify mobile agent systems in which agents may be widely separated and may move about a network, yet must communicate, coordinate, and negotiate in order to perform useful work.  Examples include internet marketplaces (in which directories of shops must be maintained), auctions (in which programs may be dynamically downloaded), and airline ticket reservation (in which multiple ticket agencies must have a consistent view of a database).  In each of these cases, it is crucial that the system perform correctly, yet it is difficult to understand and verify it.  PAG has provided several technologies that can increase confidence in such systems.



Progress Through December 2002


One of PAG's key contributions is a technique for automatically generating operational abstractions, which are formal mathematical descriptions of program operation.  They are syntactically identical to program specifications, but they describe what the program does (as opposed to what it is supposed to do), which makes them uniquely useful for many program analysis and understanding tasks.  A description of program behavior is required for most program understanding, maintenance, and verification tasks.  Specifications are rarely present, but operational abstractions can be automatically generated by PAG's Daikon system, which requires only a program and a test suite.


Between July and December 2002, we have made additional progress on the project's goals.  Infrastructure is now largely in place, though we have continued to support users, for instance by making 9 public releases of the Daikon tool during the period and by adding new functionality requested by users.  Our research has focused on two main areas of interest to NTT:  automated theorem-proving and detection of temporal properties.  The first is directly applicable to verification goals, and the second represents a domain of interest to for the Erdos system.


Because the final goal of this NTT-MIT project is program verification, PAG has continued to press forward on proofs of program correctness.  Our focus during this period of the grant has been on automating proofs.  (During this period of the grant, we switched from the LP to the Isabelle proof assistant, as we had planned in our last progress report.)  Generally speaking, there are two sorts of theorem proving tools:  automatic theorem provers and proof assistants.  The first variety, automatic theorem provers, are easy to use, but relatively weak.  No user interaction is permitted, and they have limited built-in ability to perform search, so they can handle proofs of only relatively simple properties.  This makes them useful in certain well-understood circumstances that can be tailored to their abilities, but they scale poorly to new situations.  The second variety, proof assistants, provide no more search capabilities, but they do present a user interface that permits users to specify each step of a proof.  The proof assistant checks the steps and performs low-level bookkeeping.  The tools are applicable to almost any situation that a human can imagine (and can structure a proof for).  The problem with such tools is their lack of automation:  humans must make all decisions about the proofs.  Since human expertise is the most expensive part of most systems, this approach does not scale.  Our goal is to provide the best of both worlds:  the automation of an automatic theorem prover and the power of a proof assistant.  We have made substantial steps toward this goal.  A proof assistant requires two types of input:  lemmas to be proved, and the tactics (such as case analysis, induction, deduction, or the like) that are used to prove them.  For a collection of small but realistic distributed algorithms, the Daikon tool has automatically proposed nearly all the necessary lemmas, and another tool that we have built has proposed nearly all the required tactics.  The result is a reduction of over 90% in the human effort required for theorem-proving.  The system has also led to a new, simpler proof for one of the algorithms.


Our other focus has been on detecting temporal properties (invariants), which are of particular interest to NTT and which are crucial in understanding and verifying distributed systems such as the Erdos distributed agent system.  As planned in our previous progress report, we have implemented a technique for detecting such properties.  In fact, we have devised and implemented three distinct techniques, each with its own strengths and weaknesses.  We briefly discuss them here.


The first technique determines which calling sequences are consistent with automatically generated program specifications (operational abstractions).  In particular, the Daikon tool generates an operational abstraction for each procedure in an interface.  Then we automatically perform logical analysis, using a specialized theorem-prover, to determine which preconditions are compatible with which postconditions.  When the properties are incompatible, then it is not permitted to call one routine immediately after the other.  Experiments show that this technique is more accurate than methods proposed by other researchers, and that it converges to a good answer more quickly and with a smaller test suite.


The second technique is a general-purpose dynamic detector of temporal invariants.  The invariants are built up out of the basic elements (exists, always, before, after) that make up temporal logics.  Dynamic instantiation prevents the need to know all events before processing starts, and optimizations permit retraction of events that are later determined not to be true.


The third technique is an optimized dynamic detector of temporal invariants that detects a smaller grammar of properties, but is able to operate on much larger traces.  It also incorporates certain universal and existential quantifiers.


We have run all three techniques on traces from Java libraries, from a commercial application, and from Erdos programs.  We have discovered problems with the libraries, have verified properties of the application test suites, and have recovered desired properties of the Erdos programs.  At present our greatest need from NTT is feedback about what extensions would be most useful, and additional Erdos programs to use in further experiments.



Research Plan for the Next Six Months


Having obtained good research results in our laboratory, we wish to disseminate and use these at NTT and elsewhere.  We plan to generalize the theorem-proving results to additional application domains and to automate the parts of proofs that still require some human interaction.  Our examinations of the proofs have indicated promising directions.  With respect to temporal invariant detection, we are pleased with our current results, but we wish our future efforts to be guided by industrial applications.  We are looking forward to receiving additional programs that will indicate either that we have been successful or the directions in which we should proceed next.  In their absence, we will continue with our experiments on Java libraries and commercial applications.