SlideShare a Scribd company logo

Slides SAS'2002

Maria Del Mar Gallardo, profile picture
Maria Del Mar Gallardo

The document discusses abstract model checking techniques for verifying temporal logic properties on abstract models derived from concrete models using abstraction. It presents two dual methods - the classic method and over-approximation method - for defining satisfiability relations on abstract models and analyzes their properties and relationships. The document also proposes techniques for dealing with imprecision and incompleteness that can arise from working with abstract models.

1 of 37
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Refinement of LTL Formulas for Abstract Model Checking Mar´ del Mar Gallardo, Pedro Merino, Ernesto Pimentel ıa Universidad de M´laga a {gallardo,pedro,ernesto}@lcc.uma.es
Index of the talk - Abstract Model Checking - Two dual methods for abstracting properties - The Extended relation - Dealing with Imprecision - Dealing with Incompleteness - Intermediate Precision - Conclusions 1
Model Checking A powerful method to verify complex software systems. It differs from classic deductive methods in several aspects: • It is only applicable to small or medium size systems due to the state-explosion problem • It is a fully automatic method 2
The Process of Model Checking Applying model checking consists of Modelling Specify the system M using a Modelling Language Specification State the properties f that the design must satisfy. It is common to use Temporal Logic Verification Use a model checking algorithm |= to check whether the design is a model of the property. M |= f 3
The State-Explosion Problem What can we do if the tool cannot answer the question M |= f due to the state-explosion problem? Symbolic Model Checking uses Binary Decision Diagrams (BDDs) to represent transition systems Partial Order Reduction Techniques that exploit the indepen- dence of concurrently executed events Bit State Techniques Each system state is represented by a bit. Produce the Partial Model Checking Abstract Model Checking Obtain more reduced models using Abstract Interpretation 4
Integrating Model Checking and Abstraction If the tool cannot prove neither M |= f nor M |= f due to the state-explosion problem 1. Construct a reduced/abstract model M α 2. Define an abstract satisfiability relation |=α c (usually denoted by |= in the literature) 3. Study the preservation results regarding universal (∀f ) or existential (∃f ) properties M α |= ∀f ⇒ M |= ∀f M α |= ∀f ⇐ M |= ∀f M α |= ∃f ⇒ M |= ∃f M α |= ∃f ⇐ M |= ∃f 5
Abstract Model Checking Two alternatives: 1. M α over-approximates M Each concrete execution corresponds to an abstract one. M α |= ∀f ⇒ M |= ∀f α 2. M∃ under-approximates M Each abstract execution corresponds to a concrete one. α M∃ |= ∃f ⇒ M |= ∃f 6
Abstract Model Checking: our proposal What do we do when M α |= ∀f ?? M α may contain “spurious traces”, that may lead to obtaining false results. In order to eliminate them, we may 1. Focuss on the abstract model, M α, and refine it Mr (a α counter-example guided refinement/model-driven refinement). (Dams et al.,1997), (Clarke et al.,2000), (Giacobazzi et al.,2001) α Mr |= ∀f 2. Focuss on the property f , and use the model checking mechanism |= to automatically refine the model M α. Mα ∀f 7
Abstracting the model Execution of concurrent programs may be defined by means of − labeled transition systems such as M = (A, Σ, −→, s0), where 1. A is the set of observable atomic actions 2. Σ is the set of states − 3. −→⊆ Σ × A × Σ is a labelled transition relation. We write a − s −→ s for (s, a, s ) ∈−→ 4. s0 ∈ Σ is the initial state 0 a O(M ) = {x : x = s0 −→ . . . is a full − trace } defines the trace semantics determined by the transition system M 8
Abstract Interpretation of Transition Systems − − Let M = (A, Σ, −→, s0) and M α = (A, Σα, −→α, sα) be two la- 0 beled transitions system. Iα = (Σ, (Σα, ≤α), α) be an abstract interpretation of the set of states Σ, where ≤α is a partial order α : Σ → Σα is the abstraction function 9
Abstract Interpretation of Transition Systems Definition. We say that M α is Iα−correct wrt M , iff ∀x ∈ O(M ) there exists xα ∈ O(M α) such that α(x) ≤α xα. Imprecision vs. Incompleteness 10
Example ň α(si) = sα tα sα α(t) = tα ʼn Concrete Model M s0 t s0 s1 t s0 s1 s2 .... t ...... Abstract Model Mα sα tα Spurious trace sα sα sα .... sα ....
Our Temporal Logic Given a set of propositions P rop, construct the set P = P rop ∪ ¬P rop, where ¬P rop = {¬p : p ∈ P rop} The set of LTL temporal formulas F is built inductively using - the elements of P - the standard Boolean operators (except ¬) - the temporal operators: next “ ” always “2” eventually “3” until “U” 12
(Weak) Kripke Structures − Given M = (A, Σ, −→, s0) and τ : Σ → 2P K = M, τ is a weak Kripke structure It is Kripke structure when the Principle of Non-Contradiction holds, i. e. ∀s ∈ Σ, ∀p ∈ P rop p ∈ τ (s) ∨ ¬p ∈ τ (s) the Principle of Excluded Middle holds, i. e. ∀s ∈ Σ, ∀p ∈ P rop p ∈ τ (s) ∨ ¬p ∈ τ (s) K defines an interpretation of both actions and atomic proposi- tions. 13
Satisfiability Relation Definition. Given K = M, τ a weak Kripke structure, a0 x = t0 −→ t1 . . . , p ∈ P, and f, g ∈ F x |=τ p ⇐⇒ p ∈ τ (t0) x |=τ f ∨ g ⇐⇒ x |=τ f or x |=τ g x |=τ f ∧ g ⇐⇒ x |=τ f and x |=τ g x |=τ f → g ⇐⇒ x |=τ f implies x |=τ g x |=τ f ⇐⇒ x1 |=τ f x |=τ 2f ⇐⇒ ∀k.xk |=τ f x |=τ 3f ⇐⇒ ∃k ≥ 0.xk |=τ f x |=τ f U g ⇐⇒ ∃k ≥ 0.(xk |=τ g and ∀j < k.(xj |=τ f )) 1. Universal formulas: M |=τ ∀f iff ∀x ∈ O(M ).x |=τ f . 2. Existential formulas: M |=τ ∃f iff ∃x ∈ O(M ).x |=τ f . 14
The classic Method Given the weak Kripke structures K = M, τ and Kα = M α, τc α The classic way of defining τc (sα) is α τc (sα) = α {τ (s)|α(s) ≤α sα} (U nderc) Properties of U nderc It is possible that p ∈ τc (sα), ¬p ∈ τc (sα) α α α τc under − approximates τ : α(s) ≤α sα ⇒ τ (s) ⊇ τc (sα) α τc is monotonic decreasing : sα ≤α sα, ∃s.α(s) ≤α sα ⇒ τc (sα) ⊇ τc (sα α 1 2 1 α 1 α 2 15
The Classic Method: Preservation Results I The extension to abstract traces preserves the satisfiability rela- tion from the abstract to the concrete model α(x) ≤α xα ⇒ (xα |=α f ⇒ x |= f ) c Theorem. Given f ∈ F , if M α |=α ∀f ⇒ M |= ∀f c 16
Example: The classic method Concrete Kripke structure K Abstract Kripke str. K α p,q,r ¬p, ¬q,r sα tα s0 t p,r ¬p, ¬q,r p,q,r p, ¬q,r ¬p, ¬q,r Mα α c r⇒M r s0 s1 t Mα α c p⇒M p p,q,r p, ¬q,r p, ¬q,r ¬p, ¬q,r s0 s1 s2 .... t Mα ŋc p α ......
The Over-Approximation Method Given the weak Kripke structures K = M, τ and Kα = M α, τ α The dual way of defining τ α(sα) is τ α(sα) = {τ (s)|α(s) ≤α sα} (Over) Properties of Over It is possible that p ∈ τ α(sα), ¬p ∈ τ α(sα) τ α over − approximates τ : α(s) ≤α sα ⇒ τ (s) ⊆ τ α(sα) τ α is monotonic increasing : sα ≤α sα ⇒ τ α(sα) ⊆ τ α(sα) 1 2 1 2 19
Over-Approximation: Preservation Results II The extension to abstract traces preserves the satisfiability rela- tion from the concrete to the abstract model α(x) ≤α xα ⇒ (x |= f ⇒ xα |=α f ) Theorem. Given f ∈ F , M α |=α ∃f ⇒ M |= ∃f 20
Example: The over-approximation method Concrete Kripke structure K Abstract Kripke str. K α p,q,r ¬p, ¬q,r sα tα s0 t p,r,q, ¬q ¬p, ¬q,r p,q,r p, ¬q,r ¬p, ¬q,r M α ŋα ¬ r ⇒ M ŋ ¬ r s0 s1 t M α ŋα ¬ p ⇒ Mŋ ¬p p,q,r p, ¬q,r p, ¬q,r ¬p, ¬q,r s0 s1 s2 .... t Mα α ¬q ......
Relating the classic and the over-approximation methods Definition. We say that p ∈ P is precise in the original structure K = M, τ iff ∀s ∈ Σ, p ∈ τ (s) ⇔ ¬p ∈ τ (s) (P recp) Proposition. Given p ∈ P and f ∈ F , (a) ∀sα ∈ Σα.(¬p ∈ τ α(sα) ⇔ p ∈ τc (sα)) α (b) ∀xα ∈ O(M α).(xα |=α ¬f ⇔ xα |=α f ) c 22
Relating the classic and the over-approximation methods Proposition. Given f ∈ F , (a) M α |=α ∀f ⇒ M α |=α ∀f c (b) M α |=α ∃f ⇒ M α |=α ∃f c (c) M α |=α ∀f ⇔ M α |=α ∃¬f c Point (c) says that both methods may be used for proving or refuting a given property. But, in practice, it is not always possible/efficient to construct/verify the negation normal form of a temporal formula. For instance, ¬(pU q). 23
The Extended Relation Definition. Consider the sets P α = {pα : p ∈ P} and P = P ∪P α. We construct the weak Kripke structure Kα = M α, τ α , where P τ α : Σα → P is defined as: p ∈ τ α(sα) ⇔ ¬p ∈ τ α(sα)(⇔ p ∈ τc (sα)) α pα ∈ τ α(sα) ⇔ p ∈ τ α(sα) The relation denotes the satisfiability relation |= τ α. xα p means that the abstract satisfaction of p does not involve loss of information xα pα means that the abstract satisfaction of p “may” involve loss of information. xα p ⇒ xα pα 24
The Extended Relation Let F denote the set of temporal formulas which can be con- structed using the atomic propositions of P. xα f α ⇔ xα |=α f xα f ⇔ xα |=α f c may be used to model both the classic relation |=α and |=α c 25
Dealing with Imprecision Definition. We say that formula f ∈ F does not lose precision wrt O(M α) iff ∀xα ∈ O(M α), if xα |=α f then xα |=α ¬f . Proposition. Given f ∈ F , if M α ∀(f α → f ) then (a) M α |=α ∀f ⇔ M α |=α ∀f c (b) M α |=α ∃f ⇔ M α |=α ∃f c 26
Example: Dealing with imprecision Concrete Kripke structure K Abstract Kripke str. K α p,q,r ¬p, ¬q,r sα tα s0 t p,r,q, ¬q ¬p, ¬q,r p,q,r p, ¬q,r ¬p, ¬q,r Mα (r α r) s0 s1 t Mα α c r Mα α r p,q,r p, ¬q,r p, ¬q,r ¬p, ¬q,r s0 s1 s2 .... t ......
Dealing with Incompleteness Proposition. Let f, g ∈ F . (a) M |= ∀g and M α ∀(g α → f ) ⇒ M |= ∀f (b) M |= ∃g and M α ∀(f α → g) ⇒ M |= ∃f 27
Example: Dealing with incompleteness Transition System Global variables Int x, proc; x = Min; Process P2 Process P1 even(x)/proc =1 s2 x!=Max/proc =2 o1 o2 /x = x+1 s1 /x = x-1 odd(x)/proc =1 x!=Min/proc =2 s3 noprogress = (proc == 1) Mŋ noprogress
Example: Dealing with incompleteness Concrete Model s1, o1,x=0,proc even(x)/proc =1 x!=Max/proc =2 s1, o2,x=0,proc=1 s2, o1,x=0,proc=2 even(x)/proc =1 /x = x+1 .... s2, o2,x=0,proc=1 s1, o1,x=1,proc=2 x!=Max/proc =2 .... s1, o1,x=2,proc=2 Mŋ (x == Max) ??? ....
Example: Dealing with incompleteness Abstract Model s1, o1,x=min,proc α(Min) = min x!=Max/proc =2 α(Max) = max even(x)/proc =1 α(v) = middle (min v max) s2, o1,x=min,proc=2 ň s1, o2,x=min,proc=1 even(x)/proc =1 /x = x+1 min middle max s1, o2,x=min,proc=1 s1, o1,x=middle,proc=2 even(x)/proc =1 odd(x)/proc =1 ʼn s1, o2, x=middle,proc=1 x!=Max/proc =2 s1, o1, x=middle,proc=1 /x = x+1 s1, o2, x=max,proc=2 even(x)/proc =1 even(x)/proc =1 odd(x)/proc =1 s1, o2, x=max,proc=1 s1, o2, x=max,proc=1 Mα α (x == Max) odd(x)/proc =1
Example: Dealing with incompleteness Mŋ noprogress Mα ( (x == Max)α noprogress) Mŋ (x == Max)
Intermediate Precision Relation induces a partial order relation ⇒ over the set of formulas F as f1 ⇒ f2 ⇔ ∀xα ∈ O(M α).xα f1 ⇒ xα f2 Clearly, it holds that for all f ∈ F , f ⇒ f α We may construct an intermediate Kripke structure Ki = M α, τiα , ∀sα ∈ Σα, τc (sα) ⊆ τiα(sα) ⊆ τ α(sα) α 28
Intermediate Precision Consider the sets P i = {pi : p ∈ P} and P = P ∪ P α ∪ P i. We construct the weak Kripke structure Kα = M α, τ α , where τ α : P Σ α → P is defined as: p ∈ τ α(sα) ⇔ p ∈ τc (sα), α pi ∈ τ α(sα) ⇔ p ∈ τiα(sα) pα ∈ τ α(sα) ⇔ p ∈ τ α(sα) Now consider the extension of F xα f α ⇔ xα |=α f xα f i ⇔ xα |=α f i xα f ⇔x α |=α f c ∀f ∈ F , f ⇒ f i ⇒ f α 29
Methodological Guidelines: satisfaction-oriented method Specify the desired property f ∈ F to be held over the model If M α ∀f , then M |= ∀f If M α ∀f , try ∀f α. If M α ∀f α, the generous way of defining f α makes an error on M very probable, except for spurious traces. If M α ∀f α, the model satisfies ∀f , “from the abstract point of view”,but this information may be too imprecise. 30
Methodological Guidelines: satisfaction-oriented method The user may refine f with an intermediate formula f i, verifying f ⇒ f i ⇒ f α. If M α ∀f i, then the user knows that property f holds on all traces of M until the precision defined by f i. We could incrementally refine the formula until the desired pre- cision is achieved. The probability of obtaining a real error when M α ∀f i decreases when the precision of f i increases. 31
Conclusions - Considering a unique correct abstract model M α, we simulta- neously achieve the preservation of the satisfaction of universal properties and the refutation of existential ones. - The extended relation allows us to formalize the notion of pre- cision of the abstract model with respect to the analysis of a given property. - Using relation allows us to implicitly refine the model. The model checking tool exclusively produces the part of M α required to analyze the property. - The approach is suitable for refining properties depending on the actual precision of the abstract model. - We are currently extending our tool αspin to incorporate this capability. http://www.lcc.uma.es/~gisum/fmse/tools/ 32

More Related Content

PDF
Deformation 1
anashalim
 
PDF
Functional analysis in mechanics 2e
Springer
 
PDF
Functional analysis in mechanics
Springer
 
DOC
The Estimations Based on the Kolmogorov Complexity and ...
butest
 
PDF
project report(1)
Conor Bradley
 
PDF
Steven Duplij, "Developing new supermanifolds by revitalizing old ideas"
Steven Duplij (Stepan Douplii)
 
PDF
PRML Reading Chapter 11 - Sampling Method
Ha Phuong
 
PDF
Lesson 16: Inverse Trigonometric Functions
Matthew Leingang
 
Deformation 1
anashalim
 
Functional analysis in mechanics 2e
Springer
 
Functional analysis in mechanics
Springer
 
The Estimations Based on the Kolmogorov Complexity and ...
butest
 
project report(1)
Conor Bradley
 
Steven Duplij, "Developing new supermanifolds by revitalizing old ideas"
Steven Duplij (Stepan Douplii)
 
PRML Reading Chapter 11 - Sampling Method
Ha Phuong
 
Lesson 16: Inverse Trigonometric Functions
Matthew Leingang
 

What's hot (20)

PDF
Richard Everitt's slides
Christian Robert
 
PDF
Nature-Inspired Metaheuristic Algorithms for Optimization and Computational I...
Xin-She Yang
 
PDF
Tensor Decomposition and its Applications
Keisuke OTAKI
 
PDF
Markov Chain Monte Carlo Methods
Francesco Casalegno
 
PDF
Lesson 12: Linear Approximation
Matthew Leingang
 
PDF
Jere Koskela slides
Christian Robert
 
PDF
Introduction to MCMC methods
Christian Robert
 
PDF
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
The Statistical and Applied Mathematical Sciences Institute
 
PDF
Application of analytic function
Dr. Nirav Vyas
 
PDF
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
The Statistical and Applied Mathematical Sciences Institute
 
PDF
Integration in the complex plane
Amit Amola
 
PDF
Brief Introduction About Topological Interference Management (TIM)
Pei-Che Chang
 
PDF
QMC Program: Trends and Advances in Monte Carlo Sampling Algorithms Workshop,...
The Statistical and Applied Mathematical Sciences Institute
 
PDF
Dag in mmhc
KyusonLim
 
PDF
Estimation of the score vector and observed information matrix in intractable...
Pierre Jacob
 
PDF
Poster for Bayesian Statistics in the Big Data Era conference
Christian Robert
 
PDF
Estimation of the score vector and observed information matrix in intractable...
Pierre Jacob
 
PDF
RSS discussion of Girolami and Calderhead, October 13, 2010
Christian Robert
 
PDF
Numerical analysis convexity, concavity
SHAMJITH KM
 
PDF
NC time seminar
Tapio Salminen
 
Richard Everitt's slides
Christian Robert
 
Nature-Inspired Metaheuristic Algorithms for Optimization and Computational I...
Xin-She Yang
 
Tensor Decomposition and its Applications
Keisuke OTAKI
 
Markov Chain Monte Carlo Methods
Francesco Casalegno
 
Lesson 12: Linear Approximation
Matthew Leingang
 
Jere Koskela slides
Christian Robert
 
Introduction to MCMC methods
Christian Robert
 
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
The Statistical and Applied Mathematical Sciences Institute
 
Application of analytic function
Dr. Nirav Vyas
 
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
The Statistical and Applied Mathematical Sciences Institute
 
Integration in the complex plane
Amit Amola
 
Brief Introduction About Topological Interference Management (TIM)
Pei-Che Chang
 
QMC Program: Trends and Advances in Monte Carlo Sampling Algorithms Workshop,...
The Statistical and Applied Mathematical Sciences Institute
 
Dag in mmhc
KyusonLim
 
Estimation of the score vector and observed information matrix in intractable...
Pierre Jacob
 
Poster for Bayesian Statistics in the Big Data Era conference
Christian Robert
 
Estimation of the score vector and observed information matrix in intractable...
Pierre Jacob
 
RSS discussion of Girolami and Calderhead, October 13, 2010
Christian Robert
 
Numerical analysis convexity, concavity
SHAMJITH KM
 
NC time seminar
Tapio Salminen
 
Ad

Similar to Slides SAS'2002 (20)

PDF
Bag of Pursuits and Neural Gas for Improved Sparse Codin
Karlos Svoboda
 
PDF
Hastings 1970
Julyan Arbel
 
PDF
Linear models for classification
Sung Yub Kim
 
PDF
Stratified sampling and resampling for approximate Bayesian computation
Umberto Picchini
 
PDF
Quantum fields on the de sitter spacetime - Ion Cotaescu
SEENET-MTP
 
PDF
Andrei rusu-2013-amaa-workshop
Andries Rusu
 
PPTX
Monte Carlo Berkeley.pptx
HaibinSu2
 
PDF
R exam (B) given in Paris-Dauphine, Licence Mido, Jan. 11, 2013
Christian Robert
 
PDF
Application of the Monte-Carlo Method to Nonlinear Stochastic Optimization wi...
SSA KPI
 
PPT
Input analysis
Bhavik A Shah
 
PDF
Germany2003 gamg
M Reza Rahmati
 
PDF
Ch7
pammikavitha1978
 
PDF
Accelerated approximate Bayesian computation with applications to protein fol...
Umberto Picchini
 
PDF
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
Iosif Itkin
 
PDF
Mit2 092 f09_lec15
Rahman Hakim
 
PDF
QMC: Transition Workshop - Importance Sampling the Union of Rare Events with ...
The Statistical and Applied Mathematical Sciences Institute
 
PDF
Modeling the dynamics of molecular concentration during the diffusion procedure
International Journal of Engineering Inventions www.ijeijournal.com
 
PDF
Natural and Clamped Cubic Splines
Mark Brandao
 
PDF
Simulated annealing for MMR-Path
Francisco Pérez
 
PDF
Approximate Bayesian Computation with Quasi-Likelihoods
Stefano Cabras
 
Bag of Pursuits and Neural Gas for Improved Sparse Codin
Karlos Svoboda
 
Hastings 1970
Julyan Arbel
 
Linear models for classification
Sung Yub Kim
 
Stratified sampling and resampling for approximate Bayesian computation
Umberto Picchini
 
Quantum fields on the de sitter spacetime - Ion Cotaescu
SEENET-MTP
 
Andrei rusu-2013-amaa-workshop
Andries Rusu
 
Monte Carlo Berkeley.pptx
HaibinSu2
 
R exam (B) given in Paris-Dauphine, Licence Mido, Jan. 11, 2013
Christian Robert
 
Application of the Monte-Carlo Method to Nonlinear Stochastic Optimization wi...
SSA KPI
 
Input analysis
Bhavik A Shah
 
Germany2003 gamg
M Reza Rahmati
 
Ch7
pammikavitha1978
 
Accelerated approximate Bayesian computation with applications to protein fol...
Umberto Picchini
 
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
Iosif Itkin
 
Mit2 092 f09_lec15
Rahman Hakim
 
QMC: Transition Workshop - Importance Sampling the Union of Rare Events with ...
The Statistical and Applied Mathematical Sciences Institute
 
Modeling the dynamics of molecular concentration during the diffusion procedure
International Journal of Engineering Inventions www.ijeijournal.com
 
Natural and Clamped Cubic Splines
Mark Brandao
 
Simulated annealing for MMR-Path
Francisco Pérez
 
Approximate Bayesian Computation with Quasi-Likelihoods
Stefano Cabras
 
Ad

Slides SAS'2002

  • 1. Refinement of LTL Formulas for Abstract Model Checking Mar´ del Mar Gallardo, Pedro Merino, Ernesto Pimentel ıa Universidad de M´laga a {gallardo,pedro,ernesto}@lcc.uma.es
  • 2. Index of the talk - Abstract Model Checking - Two dual methods for abstracting properties - The Extended relation - Dealing with Imprecision - Dealing with Incompleteness - Intermediate Precision - Conclusions 1
  • 3. Model Checking A powerful method to verify complex software systems. It differs from classic deductive methods in several aspects: • It is only applicable to small or medium size systems due to the state-explosion problem • It is a fully automatic method 2
  • 4. The Process of Model Checking Applying model checking consists of Modelling Specify the system M using a Modelling Language Specification State the properties f that the design must satisfy. It is common to use Temporal Logic Verification Use a model checking algorithm |= to check whether the design is a model of the property. M |= f 3
  • 5. The State-Explosion Problem What can we do if the tool cannot answer the question M |= f due to the state-explosion problem? Symbolic Model Checking uses Binary Decision Diagrams (BDDs) to represent transition systems Partial Order Reduction Techniques that exploit the indepen- dence of concurrently executed events Bit State Techniques Each system state is represented by a bit. Produce the Partial Model Checking Abstract Model Checking Obtain more reduced models using Abstract Interpretation 4
  • 6. Integrating Model Checking and Abstraction If the tool cannot prove neither M |= f nor M |= f due to the state-explosion problem 1. Construct a reduced/abstract model M α 2. Define an abstract satisfiability relation |=α c (usually denoted by |= in the literature) 3. Study the preservation results regarding universal (∀f ) or existential (∃f ) properties M α |= ∀f ⇒ M |= ∀f M α |= ∀f ⇐ M |= ∀f M α |= ∃f ⇒ M |= ∃f M α |= ∃f ⇐ M |= ∃f 5
  • 7. Abstract Model Checking Two alternatives: 1. M α over-approximates M Each concrete execution corresponds to an abstract one. M α |= ∀f ⇒ M |= ∀f α 2. M∃ under-approximates M Each abstract execution corresponds to a concrete one. α M∃ |= ∃f ⇒ M |= ∃f 6
  • 8. Abstract Model Checking: our proposal What do we do when M α |= ∀f ?? M α may contain “spurious traces”, that may lead to obtaining false results. In order to eliminate them, we may 1. Focuss on the abstract model, M α, and refine it Mr (a α counter-example guided refinement/model-driven refinement). (Dams et al.,1997), (Clarke et al.,2000), (Giacobazzi et al.,2001) α Mr |= ∀f 2. Focuss on the property f , and use the model checking mechanism |= to automatically refine the model M α. Mα ∀f 7
  • 9. Abstracting the model Execution of concurrent programs may be defined by means of − labeled transition systems such as M = (A, Σ, −→, s0), where 1. A is the set of observable atomic actions 2. Σ is the set of states − 3. −→⊆ Σ × A × Σ is a labelled transition relation. We write a − s −→ s for (s, a, s ) ∈−→ 4. s0 ∈ Σ is the initial state 0 a O(M ) = {x : x = s0 −→ . . . is a full − trace } defines the trace semantics determined by the transition system M 8
  • 10. Abstract Interpretation of Transition Systems − − Let M = (A, Σ, −→, s0) and M α = (A, Σα, −→α, sα) be two la- 0 beled transitions system. Iα = (Σ, (Σα, ≤α), α) be an abstract interpretation of the set of states Σ, where ≤α is a partial order α : Σ → Σα is the abstraction function 9
  • 11. Abstract Interpretation of Transition Systems Definition. We say that M α is Iα−correct wrt M , iff ∀x ∈ O(M ) there exists xα ∈ O(M α) such that α(x) ≤α xα. Imprecision vs. Incompleteness 10
  • 12. Example ň α(si) = sα tα sα α(t) = tα ʼn Concrete Model M s0 t s0 s1 t s0 s1 s2 .... t ...... Abstract Model Mα sα tα Spurious trace sα sα sα .... sα ....
  • 13. Our Temporal Logic Given a set of propositions P rop, construct the set P = P rop ∪ ¬P rop, where ¬P rop = {¬p : p ∈ P rop} The set of LTL temporal formulas F is built inductively using - the elements of P - the standard Boolean operators (except ¬) - the temporal operators: next “ ” always “2” eventually “3” until “U” 12
  • 14. (Weak) Kripke Structures − Given M = (A, Σ, −→, s0) and τ : Σ → 2P K = M, τ is a weak Kripke structure It is Kripke structure when the Principle of Non-Contradiction holds, i. e. ∀s ∈ Σ, ∀p ∈ P rop p ∈ τ (s) ∨ ¬p ∈ τ (s) the Principle of Excluded Middle holds, i. e. ∀s ∈ Σ, ∀p ∈ P rop p ∈ τ (s) ∨ ¬p ∈ τ (s) K defines an interpretation of both actions and atomic proposi- tions. 13
  • 15. Satisfiability Relation Definition. Given K = M, τ a weak Kripke structure, a0 x = t0 −→ t1 . . . , p ∈ P, and f, g ∈ F x |=τ p ⇐⇒ p ∈ τ (t0) x |=τ f ∨ g ⇐⇒ x |=τ f or x |=τ g x |=τ f ∧ g ⇐⇒ x |=τ f and x |=τ g x |=τ f → g ⇐⇒ x |=τ f implies x |=τ g x |=τ f ⇐⇒ x1 |=τ f x |=τ 2f ⇐⇒ ∀k.xk |=τ f x |=τ 3f ⇐⇒ ∃k ≥ 0.xk |=τ f x |=τ f U g ⇐⇒ ∃k ≥ 0.(xk |=τ g and ∀j < k.(xj |=τ f )) 1. Universal formulas: M |=τ ∀f iff ∀x ∈ O(M ).x |=τ f . 2. Existential formulas: M |=τ ∃f iff ∃x ∈ O(M ).x |=τ f . 14
  • 16. The classic Method Given the weak Kripke structures K = M, τ and Kα = M α, τc α The classic way of defining τc (sα) is α τc (sα) = α {τ (s)|α(s) ≤α sα} (U nderc) Properties of U nderc It is possible that p ∈ τc (sα), ¬p ∈ τc (sα) α α α τc under − approximates τ : α(s) ≤α sα ⇒ τ (s) ⊇ τc (sα) α τc is monotonic decreasing : sα ≤α sα, ∃s.α(s) ≤α sα ⇒ τc (sα) ⊇ τc (sα α 1 2 1 α 1 α 2 15
  • 17. The Classic Method: Preservation Results I The extension to abstract traces preserves the satisfiability rela- tion from the abstract to the concrete model α(x) ≤α xα ⇒ (xα |=α f ⇒ x |= f ) c Theorem. Given f ∈ F , if M α |=α ∀f ⇒ M |= ∀f c 16
  • 18. Example: The classic method Concrete Kripke structure K Abstract Kripke str. K α p,q,r ¬p, ¬q,r sα tα s0 t p,r ¬p, ¬q,r p,q,r p, ¬q,r ¬p, ¬q,r Mα α c r⇒M r s0 s1 t Mα α c p⇒M p p,q,r p, ¬q,r p, ¬q,r ¬p, ¬q,r s0 s1 s2 .... t Mα ŋc p α ......
  • 19. The Over-Approximation Method Given the weak Kripke structures K = M, τ and Kα = M α, τ α The dual way of defining τ α(sα) is τ α(sα) = {τ (s)|α(s) ≤α sα} (Over) Properties of Over It is possible that p ∈ τ α(sα), ¬p ∈ τ α(sα) τ α over − approximates τ : α(s) ≤α sα ⇒ τ (s) ⊆ τ α(sα) τ α is monotonic increasing : sα ≤α sα ⇒ τ α(sα) ⊆ τ α(sα) 1 2 1 2 19
  • 20. Over-Approximation: Preservation Results II The extension to abstract traces preserves the satisfiability rela- tion from the concrete to the abstract model α(x) ≤α xα ⇒ (x |= f ⇒ xα |=α f ) Theorem. Given f ∈ F , M α |=α ∃f ⇒ M |= ∃f 20
  • 21. Example: The over-approximation method Concrete Kripke structure K Abstract Kripke str. K α p,q,r ¬p, ¬q,r sα tα s0 t p,r,q, ¬q ¬p, ¬q,r p,q,r p, ¬q,r ¬p, ¬q,r M α ŋα ¬ r ⇒ M ŋ ¬ r s0 s1 t M α ŋα ¬ p ⇒ Mŋ ¬p p,q,r p, ¬q,r p, ¬q,r ¬p, ¬q,r s0 s1 s2 .... t Mα α ¬q ......
  • 22. Relating the classic and the over-approximation methods Definition. We say that p ∈ P is precise in the original structure K = M, τ iff ∀s ∈ Σ, p ∈ τ (s) ⇔ ¬p ∈ τ (s) (P recp) Proposition. Given p ∈ P and f ∈ F , (a) ∀sα ∈ Σα.(¬p ∈ τ α(sα) ⇔ p ∈ τc (sα)) α (b) ∀xα ∈ O(M α).(xα |=α ¬f ⇔ xα |=α f ) c 22
  • 23. Relating the classic and the over-approximation methods Proposition. Given f ∈ F , (a) M α |=α ∀f ⇒ M α |=α ∀f c (b) M α |=α ∃f ⇒ M α |=α ∃f c (c) M α |=α ∀f ⇔ M α |=α ∃¬f c Point (c) says that both methods may be used for proving or refuting a given property. But, in practice, it is not always possible/efficient to construct/verify the negation normal form of a temporal formula. For instance, ¬(pU q). 23
  • 24. The Extended Relation Definition. Consider the sets P α = {pα : p ∈ P} and P = P ∪P α. We construct the weak Kripke structure Kα = M α, τ α , where P τ α : Σα → P is defined as: p ∈ τ α(sα) ⇔ ¬p ∈ τ α(sα)(⇔ p ∈ τc (sα)) α pα ∈ τ α(sα) ⇔ p ∈ τ α(sα) The relation denotes the satisfiability relation |= τ α. xα p means that the abstract satisfaction of p does not involve loss of information xα pα means that the abstract satisfaction of p “may” involve loss of information. xα p ⇒ xα pα 24
  • 25. The Extended Relation Let F denote the set of temporal formulas which can be con- structed using the atomic propositions of P. xα f α ⇔ xα |=α f xα f ⇔ xα |=α f c may be used to model both the classic relation |=α and |=α c 25
  • 26. Dealing with Imprecision Definition. We say that formula f ∈ F does not lose precision wrt O(M α) iff ∀xα ∈ O(M α), if xα |=α f then xα |=α ¬f . Proposition. Given f ∈ F , if M α ∀(f α → f ) then (a) M α |=α ∀f ⇔ M α |=α ∀f c (b) M α |=α ∃f ⇔ M α |=α ∃f c 26
  • 27. Example: Dealing with imprecision Concrete Kripke structure K Abstract Kripke str. K α p,q,r ¬p, ¬q,r sα tα s0 t p,r,q, ¬q ¬p, ¬q,r p,q,r p, ¬q,r ¬p, ¬q,r Mα (r α r) s0 s1 t Mα α c r Mα α r p,q,r p, ¬q,r p, ¬q,r ¬p, ¬q,r s0 s1 s2 .... t ......
  • 28. Dealing with Incompleteness Proposition. Let f, g ∈ F . (a) M |= ∀g and M α ∀(g α → f ) ⇒ M |= ∀f (b) M |= ∃g and M α ∀(f α → g) ⇒ M |= ∃f 27
  • 29. Example: Dealing with incompleteness Transition System Global variables Int x, proc; x = Min; Process P2 Process P1 even(x)/proc =1 s2 x!=Max/proc =2 o1 o2 /x = x+1 s1 /x = x-1 odd(x)/proc =1 x!=Min/proc =2 s3 noprogress = (proc == 1) Mŋ noprogress
  • 30. Example: Dealing with incompleteness Concrete Model s1, o1,x=0,proc even(x)/proc =1 x!=Max/proc =2 s1, o2,x=0,proc=1 s2, o1,x=0,proc=2 even(x)/proc =1 /x = x+1 .... s2, o2,x=0,proc=1 s1, o1,x=1,proc=2 x!=Max/proc =2 .... s1, o1,x=2,proc=2 Mŋ (x == Max) ??? ....
  • 31. Example: Dealing with incompleteness Abstract Model s1, o1,x=min,proc α(Min) = min x!=Max/proc =2 α(Max) = max even(x)/proc =1 α(v) = middle (min v max) s2, o1,x=min,proc=2 ň s1, o2,x=min,proc=1 even(x)/proc =1 /x = x+1 min middle max s1, o2,x=min,proc=1 s1, o1,x=middle,proc=2 even(x)/proc =1 odd(x)/proc =1 ʼn s1, o2, x=middle,proc=1 x!=Max/proc =2 s1, o1, x=middle,proc=1 /x = x+1 s1, o2, x=max,proc=2 even(x)/proc =1 even(x)/proc =1 odd(x)/proc =1 s1, o2, x=max,proc=1 s1, o2, x=max,proc=1 Mα α (x == Max) odd(x)/proc =1
  • 32. Example: Dealing with incompleteness Mŋ noprogress Mα ( (x == Max)α noprogress) Mŋ (x == Max)
  • 33. Intermediate Precision Relation induces a partial order relation ⇒ over the set of formulas F as f1 ⇒ f2 ⇔ ∀xα ∈ O(M α).xα f1 ⇒ xα f2 Clearly, it holds that for all f ∈ F , f ⇒ f α We may construct an intermediate Kripke structure Ki = M α, τiα , ∀sα ∈ Σα, τc (sα) ⊆ τiα(sα) ⊆ τ α(sα) α 28
  • 34. Intermediate Precision Consider the sets P i = {pi : p ∈ P} and P = P ∪ P α ∪ P i. We construct the weak Kripke structure Kα = M α, τ α , where τ α : P Σ α → P is defined as: p ∈ τ α(sα) ⇔ p ∈ τc (sα), α pi ∈ τ α(sα) ⇔ p ∈ τiα(sα) pα ∈ τ α(sα) ⇔ p ∈ τ α(sα) Now consider the extension of F xα f α ⇔ xα |=α f xα f i ⇔ xα |=α f i xα f ⇔x α |=α f c ∀f ∈ F , f ⇒ f i ⇒ f α 29
  • 35. Methodological Guidelines: satisfaction-oriented method Specify the desired property f ∈ F to be held over the model If M α ∀f , then M |= ∀f If M α ∀f , try ∀f α. If M α ∀f α, the generous way of defining f α makes an error on M very probable, except for spurious traces. If M α ∀f α, the model satisfies ∀f , “from the abstract point of view”,but this information may be too imprecise. 30
  • 36. Methodological Guidelines: satisfaction-oriented method The user may refine f with an intermediate formula f i, verifying f ⇒ f i ⇒ f α. If M α ∀f i, then the user knows that property f holds on all traces of M until the precision defined by f i. We could incrementally refine the formula until the desired pre- cision is achieved. The probability of obtaining a real error when M α ∀f i decreases when the precision of f i increases. 31
  • 37. Conclusions - Considering a unique correct abstract model M α, we simulta- neously achieve the preservation of the satisfaction of universal properties and the refutation of existential ones. - The extended relation allows us to formalize the notion of pre- cision of the abstract model with respect to the analysis of a given property. - Using relation allows us to implicitly refine the model. The model checking tool exclusively produces the part of M α required to analyze the property. - The approach is suitable for refining properties depending on the actual precision of the abstract model. - We are currently extending our tool αspin to incorporate this capability. http://www.lcc.uma.es/~gisum/fmse/tools/ 32