Title: Model-Checking Frameworks: Outline
1 Model-Checking Frameworks: Outline
- Theory (Part 1)
  - Notion of abstraction
  - Aside: over- and under-approximation, simulation, bisimulation
  - Counterexample-based abstraction refinement
- Abstraction and abstraction refinement in program analysis (Part 2)
  - Kinds of abstraction: data, predicate
  - Building abstractions
  - Aside: weakest precondition
  - Counterexample-based abstraction refinement
2 Outline, cont'd
- 3-valued abstraction and abstraction refinement (Part 3)
  - 3-valued logic
  - Theory of 3-valued abstractions combining over- and under-approximation
  - 3-valued model checking
  - Building 3-valued abstractions
  - Counterexample-based abstraction refinement
3 Acknowledgements
- The following materials have been used in the preparation of this lecture:
  - Edmund Clarke: SAT-based abstraction/refinement in model checking, a course lecture at CMU
  - Corina Pasareanu: conference presentations at TACAS01 and ICSE01
  - John Hatcliff: course materials from Specification and Verification in Reactive Systems
- Many thanks for providing this material!
4 Model Checking
- Given
  - a finite transition system M = (S, s0, R, L)
  - a temporal property f
- The model checking problem: does M satisfy f?
  - M ⊨ f ?
5 Model Checking (safety)
Add reachable states until reaching a fixed point.
(Figure: reachable states are explored step by step; one state is marked as the bad state.)
6 Model Checking (safety)
Too many states to handle!
(Figure: state space with the bad state marked.)
7 Abstraction
(Figure: concrete state space S mapped onto abstract state space S'.)
Abstraction function α: S → S'
8 Abstraction Function: A Simple Example
- Partition variables into visible (V) and invisible (I) variables.
- The abstract model consists of the V variables; the I variables are made inputs.
- The abstraction function maps each state to its projection over V.
9 Abstraction Function Example
Concrete states (x1 x2 x3 x4):
  0 0 0 0
  0 0 0 1
  0 0 1 0
  0 0 1 1
Abstract state (x1 x2), via α:
  0 0
Group concrete states with identical visible part into a single abstract state.
10 Computing Abstractions
(Figure: α maps S to S', γ maps S' back to S.)
- S: concrete state space
- S': abstract state space
- α: S → S', abstraction function
- γ: S' → S, concretization function
- Properties of α and γ:
  - α(γ(A)) = A, for A in S'
  - γ(α(C)) ⊇ C, for C in S
- The above properties mean that α and γ are Galois-connected.
11 Aside: simulations
- M = (s0, S, R, L)
- M' = (t0, S', R', L')
- Definition: ρ is a simulation between M and M' if
  - (s0, t0) ∈ ρ
  - ∀ (t, t1) ∈ R', ∃ (s, s1) ∈ R s.t. (s, t) ∈ ρ and (s1, t1) ∈ ρ
- Intuitively, every transition in M corresponds to some transition in M'
12 Aside: bisimulation
- M = (s0, S, R, L)
- M' = (t0, S', R', L')
- Definition: ρ is a bisimulation between M and M' if
  - ρ is a simulation between M and M', and
  - ρ is a simulation between M' and M
13 Computing Existential Transition Relation
- R^∃ [Dams97]: (t, t1) ∈ R' iff ∃ s ∈ γ(t) s.t. ∃ s1 ∈ γ(t1) and (s, s1) ∈ R
- This ensures that M' is the over-approximation of M, or M' simulates M.
14 Abstract Kripke Structure
- Abstract interpretation of atomic propositions
  - I'(a, p) is true iff for all s in γ(a), I(s, p) is true
  - I'(a, p) is false iff for all s in γ(a), I(s, p) is false
- Abstract transition relation (2 choices)
  - Over-approximation (existential): make a transition from an abstract state if at least one corresponding concrete state has the transition.
  - Under-approximation (universal): make a transition from an abstract state if all the corresponding concrete states have the transition.
15 Existential Abstraction (Over-Approximation)
(Figure: existential abstraction of a concrete transition system.)
16 Preservation via Over-Approximation
- Let f be a universal temporal formula (ACTL, LTL)
- Let K' be an over-approximating abstraction of K
- Preservation theorem
  - K' ⊨ f implies K ⊨ f
- Converse does not hold
  - K' ⊭ f does not imply K ⊭ f !!!
  - K' may have extra behaviors
17 Computing Transition Relation
- R^∀ [Dams97]: (t, t1) ∈ R' iff ∀ s ∈ γ(t) ∃ s1 ∈ γ(t1) and (s, s1) ∈ R
- This ensures that M' is the under-approximation of M, or M simulates M'.
18 Universal Abstraction (Under-Approximation)
(Figure: universal abstraction of a concrete transition system.)
19 Preservation via Under-Approximation
- Let f be an existential temporal formula (ECTL)
- Let K' be an under-approximating abstraction of K
- Preservation theorem
  - K' ⊨ f implies K ⊨ f
- Converse does not hold
  - K' ⊭ f does not imply K ⊭ f !!!
  - K' may miss some behaviors
20 Which abstraction to use?
Property type          Expected result   Abstraction to use
Universal (ACTL, LTL)  True              Over-approximation
Universal (ACTL, LTL)  False             Under-approximation
Existential (ECTL)     True              Under-approximation
Existential (ECTL)     False             Over-approximation
But what about mixed properties?!
21 Our specific problem
- Let f be a universally-quantified property (i.e., expressed in LTL or ACTL) and let M' simulate M
- Preservation theorem
  - M' ⊨ f ⇒ M ⊨ f
- Converse does not hold
  - M' ⊭ f ⇏ M ⊭ f
  - The counterexample may be spurious
22 Checking the Counterexample
- Counterexample (c1, ..., cm)
  - Each ci is an assignment to V.
- Simulate the counterexample on the concrete model.
23 Checking the Counterexample
Concrete traces corresponding to the counterexample are constrained by:
- the initial state (s0 in our case)
- the unrolled transition relation
- the restriction of V to the counterexample
24 Abstraction-Refinement Loop
(Figure, read as a flow:)
- Abstract: from (M, f) build (M', f, α)
- Model check (M', f)
  - Pass: no bug
  - Fail: check the counterexample
    - Real: bug
    - Spurious: refine α and go back to Abstract
25 Refinement methods
Localization (R. Kurshan, 80s)
26 Refinement methods
Abstraction/refinement with conflict analysis (Chauhan, Clarke, Kukula, Sapra, Veith, Wang, FMCAD 2002)
- Simulate the counterexample on the concrete model with SAT
- If the instance is unsatisfiable, analyze the conflict
- Make visible one of the variables in the clauses that lead to the conflict
27 Why spurious counterexample?
28 Refinement
- Problem: deadend and bad states are in the same abstract state.
- Solution: refine the abstraction function.
  - The sets of deadend and bad states should be separated into different abstract states.
29 Refinement
(Figure: refinement of the abstraction function.)
30 Refinement
(Figure.)
31 Refinement
(Figure.)
32 Refinement as Separation
(Figure: deadend state d1 and bad states b1, b2, shown as assignments to the visible variables V and the invisible variables I.)
- Refinement: find a subset U of I that separates all pairs of deadend and bad states, and make those variables visible.
- Keep U small!
34 Refinement as Separation
- The state separation problem
  - Input: sets D, B
  - Output: minimal U ⊆ I s.t. ∀ d ∈ D, ∀ b ∈ B, ∃ u ∈ U. d(u) ≠ b(u)
- The refinement α' is obtained by adding U to V.
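The loop from slides 13 through 34 (existential abstraction by projection onto V, model checking a safety property on the abstract model, simulating the abstract counterexample on the concrete model to obtain the deadend and bad states, and refining by separating them) carried through on a constructed three-variable system. This is an added example, not code from the lecture or from the sources it acknowledges; the state space, transition relation and the brute-force separation routine are assumptions made for illustration.

```python
from itertools import combinations
# Constructed toy system (not from the slides): states (x1, x2, x3); V, I = visible/invisible indices
STATES = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
INIT = {(0, 1, 0)}
R = {((0, 1, 0), (0, 1, 1)), ((0, 1, 1), (0, 1, 0)),   # reachable loop, x1 stays 0
     ((0, 0, 0), (1, 0, 0)), ((0, 0, 1), (1, 0, 1))}   # unreachable states that set x1
def BAD(s): return s[0] == 1                 # safety property: x1 never becomes 1
def alpha(s, V): return tuple(s[i] for i in sorted(V))   # projection onto V
def gamma(t, V): return {s for s in STATES if alpha(s, V) == t}  # concretization
def existential_abstraction(V):   # over-approximation (Dams97): keep a transition
    init = {alpha(s, V) for s in INIT}   # if at least one concrete state has it
    return init, {(alpha(s, V), alpha(s1, V)) for (s, s1) in R}

def find_abstract_counterexample(V):   # BFS to an abstract state that may be bad
    init, trans = existential_abstraction(V)
    paths, seen = [[t] for t in init], set(init)
    while paths:
        path = paths.pop(0)
        if any(BAD(s) for s in gamma(path[-1], V)):
            return path
        for (t, t1) in trans:
            if t == path[-1] and t1 not in seen:
                seen.add(t1); paths.append(path + [t1])
    return None          # abstract model satisfies the property, so M does too

def simulate_counterexample(path, V):   # unroll R along the abstract path
    cur = INIT & gamma(path[0], V)
    for k in range(1, len(path)):
        nxt = {s1 for (s, s1) in R if s in cur and s1 in gamma(path[k], V)}
        if not nxt:      # spurious: cur holds the deadend states; the bad states
            bad = {s for (s, s1) in R           # share their abstract state but
                   if s in gamma(path[k - 1], V) and s1 in gamma(path[k], V)}
            return cur, bad                     # can take the next abstract step
        cur = nxt
    return None          # real counterexample

def separate(D, B, I):   # smallest U within I on which every (d, b) pair differs
    for size in range(len(I) + 1):
        for U in combinations(sorted(I), size):
            if all(any(d[u] != b[u] for u in U) for d in D for b in B):
                return set(U)

def cegar(V, I):
    while True:
        path = find_abstract_counterexample(V)
        if path is None: return "no bug", V
        result = simulate_counterexample(path, V)
        if result is None: return "real bug", V
        U = separate(*result, I)   # refinement: make separating variables visible
        V, I = V | U, I - U
```

With only x1 visible the abstract model reports a path to x1 = 1 that the concrete model cannot follow; making x2 visible separates the deadend state from the two bad states and the refined model passes.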
35 Two separation methods
- ILP-based separation
  - Minimal separating set.
  - Computationally expensive.
- Decision-tree-learning-based separation
  - Not optimal.
  - Polynomial.
- We will not talk about these in class.