1 / 44

Using 3-Valued Models in Abstraction-based Model Checking

Using 3-Valued Models in Abstraction-based Model Checking. Seminar in Formal Verification Spring 2006 Presented by Alik Zamansky. References. On the Expressiveness of 3-Valued Models Patrice Godefroid and Radha Jagadeesan, 2003 Abstraction-based Model Checking using Modal Transition Systems

domani
Télécharger la présentation

Using 3-Valued Models in Abstraction-based Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using 3-Valued Models in Abstraction-based Model Checking Seminar in Formal Verification Spring 2006 Presented by Alik Zamansky

  2. References • On the Expressiveness of 3-Valued Models • Patrice Godefroid and Radha Jagadeesan, 2003 • Abstraction-based Model Checking using Modal Transition Systems • Patrice Godefroid, Michael Huth, and Radha Jagadeesan, 2001

  3. Abstraction-based Model Checking (reminder) • Extract an abstract model A out of a program C • Automatically, by a static analysis of the code • Analyze the model using model-checking techniques • Check whether A satisfies some property φ • Transfer the result to the original program C • Can be complete, but is generally unsound • Reports spurious errors

  4. 3-Valued Models: Motivation • 3-valued models introduce some elements of uncertainty • E.g. “unknown” truth value or uncertain transactions between states • They can be used in model checking to guarantee both completeness and soundness • A formula evaluating to true or false on an abstract model holds (does not hold) on the concrete system • If the result is “unknown”, a more complete (i.e. less abstract) model is required

  5. Outline • 3-valued modeling formalisms • PKS, MTS and KMTS • Equal expressiveness • Translation from PKS to MTS • Translation from MTS to KMTS • Summary and conclusions of paper 1 • Relational abstraction and implementations • Predicate abstraction • Predicate-Cartesian abstraction • Summary and conclusions of paper 2

  6. Partial Kripke Structures (PKS) • A Kripke structure whose atomic prepositions can have a third truth value┴(“unknown”) • A standard Kripke structure is a special case of PKS • Formally, a tuple (S, P, →, L) • S : a set of states • P : a set of atomic prepositions • → S x S : a transition relation on S • L : Sx P → { true, , false} : associates a truth value with each atomic preposition in P for each state in S

  7. Partial Kripke Structures (cont’d) • pq : • true if p = trueandq = true • false if p = falseorq = false • otherwise • p : • true if p = false • false if p = true •  if p =  • pq = (pq)

  8. Propositional Modal Logic (PML) • Propositional logic extended with the modal operator AX (“for all immediate successors”) • Syntax: φ::== p IφIφ1φ2I AXφ • Semantics for 3-valued PML: [(M,s)φ] • [(M,s)p] = L(s,p) • [(M,s)φ] = comp([(M,s)φ]) • [(M,s)φ1φ2] = [(M,s)φ1] and[(M,s)φ2] • [(M,s)AXφ] = ss’[(M,s’)φ]

  9. Modal Transition Systems (MTS) • MTS is a tuple (S, Σ, →must , →may) • S : a set of states • Σ : a set of action symbols • →must,→may  S x Σ x S : transition relations • →must →may (must-transitions are also may-transitions) • MTS therefore: • Is a Labeled Transition System (LTS) with two types of transitions instead of one • Reasoning about the existence of transitions can be viewed as reasoning with a 3-valued logic

  10. inactive winAnotherCoin may reset must loseCoin may acceptCoin must winning winCoin must active MTS – Example • A specification of a slot machine • must-transitions: fixed behavior • may-transitions: uncertain behavior

  11. PMLAct (3-valued PML for MTS) • Syntax: φ ::== ttIφIφ1φ2I (α)φ(for some αΣ) • Semantics: [(M,s)φ] • [(M,s)tt] = true • [(M,s)φ] = comp([(M,s)φ]) • [(M,s)φ1φ2] = [(M,s)φ1] and[(M,s)φ2] • [(M,s)(α)φ] = • true if (s, α, s’)  →may: [(M,s’)φ] = true • falseif (s, α, s’)  →must: [(M,s’)φ] = false •  otherwise

  12. Kripke Modal Transition Systems • KMTS combines features of both PKS and MTS • Is a tuple: (S, P, →must , →may , L) • S : a set of states • P : a set of atomic prepositions • →must,→may  S x S : transition relations (→must →may) • L : Sx P → { true, , false} : associates a truth value with each atomic preposition in P for each state in S • KMTS generalizes PKS • PKS is a KMTS where →must=→may

  13. 3-valued PML for KMTS • Syntax: same as for the 3-valued PML • Semantics: [(M,s)φ] • [(M,s)p] = L(s,p) • [(M,s)φ] = comp([(M,s)φ]) • [(M,s)φ1φ2] = [(M,s)φ1] and[(M,s)φ2] • [(M,s)AXφ] = • true if s’: (s, s’)  →may[(M,s’)φ] = true • falseif s’: (s, s’)  →must[(M,s’)φ] = false •  otherwise

  14. Translation from PKS to MTS • For a PKS M = (S, P, →, L) we define an equivalent MTS M’ = (S’, Σ, →must , →may): • S’ = S U{snew } • Σ= P U {x} • →must= {(s, p, snew ) I L(s,p) = true} U {(s, x, s’) | ss’ } • →may= {(s, p, snew ) I L(s,p){true,}} U {(s, x, s’) | ss’ } • Translation complexity: • Input PKS is of the size O(I→I + ISI·IPI) • Output MTS: O(I→mustI + I→mayI) = O(I→I + ISI·IPI) • I.e., linear in the size of the input

  15. Translation from PML to PMLAct • φ: a PML formula defined on PKS M • T(φ): an equivalent PMLAct formula on MTS M’ defined by applying recursively the following rules: • For all pP, T(p) = (p)tt = (p)tt • T(φ) = T(φ) • T(φ1φ2) = T(φ1)  T(φ2) • T(AXφ) = (x)T(φ) (x Σ) • Theorem: [(M,s)φ] = [(M’,s)T(φ)]

  16. x must M M’ p = true q =  p must q may p = falseq = true s1 s2 s0 s1 s2 s0 q must x must snew p = trueq = true q must p must x must x must PKS to MTS – Example • [(M,s0) AXq] = [(M’,s0) (x)(q)tt] = • [(M,s0) AXAXq] = [(M’,s0) (x)(x)(q)tt] = true

  17. Translation from MTS to KMTS • For a MTS M = (S, Σ, →must , →may) we define an equivalent KMTS M’ = (S’, P, →must’, →may’, L): • S’ = S Σ • P = Σ • →must’= {((s,α),(s’,α’)) I (s, α’, s’)  →must} • →may’= {((s,α),(s’,α’)) I (s, α’, s’)  →may} • (s,α)  S’: p  P: • L((s,α),p) = true if p = α • L((s,α),p) = false otherwise • Translation complexity is linear • The number of statesis ISI·IΣI – linear for fixed Σ

  18. Translation from PMLAct to PML • φ: a PMLAct formula defined on MTS M • T(φ): an equivalent PML formula on KMTS M’ defined by applying recursively the following rules: • T(tt) = true • T(φ) = T(φ) • T(φ1φ2) = T(φ1)  T(φ2) • T((α)φ) = AX((α)  T(φ)) (i.e. AX(αT(φ))) • Theorem: [(M,s)φ] = [(M’,(s,α))T(φ)]for any αΣ

  19. SU = true SD = false M’ M standing SU = true SD = false SU = false SD = true standing,SD walking,SD running,SD running,SU walking,SU standing,SU walking SU running SD SD SU SU SU SU = true SD = false SU = false SD = true SU = false SD = true MTS to KMTS – Example • SU – Speed up, SD – Slow down •  – a must-transition ;  – a may-transition

  20. MTS to KMTS – Example (cont’d) • Q1: [(M,standing) (SD)tt ] = ? • false (can be written as (SD)tt) • Q2: how to ask this in PML on KMST? • [(M’,(standing,SD))  (AX(SD  false)) ] = ? • [(M’,(standing,SU))  (AX(SD  false)) ] = ? • Q3: [(M,running) (SU)tt ] = – why? • Q4: [(M,walking) (SD)(SU)tt ] = ? • [(M’,(walking,SU)) AX(SD AX(SU  true)] = • [(M’,(walking,SD))  AX(SD AX(SU  true)] = true

  21. Summary and Conclusions – I • Translation from KMTS to PKS also exists • The construction is somewhat more complicated • The three 3-valued models are equally expressive • Yet, both PKS and MTS are useful: state vs behavior • This result holds not only for PML, but also for PML with fixpoint operators, i.e. the -calculus • And therefore, it holds for LTL, CTL and CTL* • All translations require only linear time • Thus, 3-valued model checking for any temporal logic and any 3-valued formalism takes the same time

  22. Simulation – reminder • Consider a program C represented by LTS • LTS is a tuple K = (ΣK,Act,→); ΣK is a set of states, Act is a set of action symbols and → is a transition relation • Suppose that A is an abstract LTS generated from C • A is usually constructed so that the initial states of A and C are related by a simulation • Simulation (definition): • A relation ρΣCΣAis a simulation iff for any cρa and c→αc’ there is some a’ΣA such that a→αa’ and c’ρa’. • cρa means (c,a)  ρ, and c→αc’ stands for (c,α,c’)  →

  23. standing SU walking SU SU SD running SU SD standing’ moving SD SD Simulation – example • Note: C and A are LTSs, not MTSs as in the similar example shown earlier, there are no may-transition here! C: A: • ρ = {(standing, standing’), (walking, moving), (running, moving) }

  24. Refinement • MTS can be defined as a pair K = (Kmust, Kmay): • Kmust = (ΣK,Act,→must) and Kmay = (ΣK,Act,→may) are two LTSs such that →must →may • Refinement: An MTS A1 is a refinement of an MTS A2 if there exists a relation ρΣA1ΣA2such that: • ρ is a simulation from A1may to A2may • ρ is a simulation from A2must to A1must • We write A1A2 that means: • A1 is a refinement of A2 • A2 is anabstraction of A1

  25. Relational Abstraction • A tool to specify an abstract MTS, given: • An MTS A1 = (A1must, A1may) • A set of abstract states ΣA2 • A total relation ρΣA1ΣA2 • We define A2 = (ΣA2, Act, →must, →may): • a2→αmusta’2 iff for alla1ΣA1 with a1ρa2 there exists a’1ΣA1such that a’1ρa’2 and a1→αmusta’1 • a2→αmaya’2 iff there existsa1ΣA1 and a’1ΣA1 such that a1ρa2 , a’1ρa’2 , and a1→αmaya’1 • Lemma: A2 is an MTS and an abstraction of A1

  26. x := z {1,2,3} {3,2,3} x := z … x := z {0,2,3} Relational Abstraction – Example • A1 is an LTS (i.e., an MTS with A1may = A1must): • Its infinite state space is given by all possible valuations of three integer variables x, y, z • Any state c is of the form {x=i, y=j, z=k} • Transitions in A1 are those induced by x := z • I.e., there is a transition from c to c’ = {x=k, y=j, z=k} • A fragment of A1:

  27. may must may (φ1φ2φ3) (φ1φ2φ3)(φ1φ2φ3) (φ1φ2φ3) Rel. Abstraction – Example (cont) • Consider the following three predicates: • φ1 = odd(x) , φ2 = (y > 0) , φ3 = (z < 0) • Induce an equivalence relation on the states of A1 • States are equivalent if they agree on all 3 predicates • Let ΣA2 contain all equivalence classes of states of A1 • States of A2 are boolean formulae built from the φi ’s. • A fragment of A2:

  28. Predicate Abstraction • Collapses an infinite-state LTS into a finite-state MTS • By choosing finitely many quantifier-free formulae of first-order logic Φ = {φ1 , φ2 , … , φn} • Abstract states: • Are build out of monomials over predicates • Are represented by binary vectors of length n • Given a binary vector b{0,1}n, <b,Φ> is a monomial whose i-th conjunct is φi if bi=1, and φi otherwise

  29. Predicate Abstraction – definition • Given an LTS S and Φ = {φ1 , φ2 , … , φn} • We want to build a finite-state abstract MTS BΦ • In order to use the relational abstraction, we need a total relation ρand a set of abstract states ΣBΦ • We use the following definition: • ρ=ρbΣs {0,1}n, where sρb biffs <b,Φ> • ΣBΦ = {b  {0,1}n I sρbbfor some sΣs} (which makes ρb total)

  30. post() and pre() operators • Let us present definitions useful for implementing may- and must-successors of a predicate abstraction • Defined for a predicate η on a set Σsof states, for a label αAct • postα(η) = {s’ΣsI sΣs: s  η , s→αs’} • A set of states to which there exists a transition α from states where η is true • preα(η) = {sΣsI s’Σs: s→αs’implies s’  η} • A set of states from which allα transitions lead to states where η is true

  31. Implementing successors • Let ψ be is a boolean combination of {φ1 ,φ2 , … ,φn} • may-successors of ψ: • next(ψ)bmay = {b’ΣBΦ: post(ψ)  <b’,Φ>is satisfiable} • post(ψ)<b’,Φ> means states that can be reached from ψ • must-successors of ψ: • next(ψ)bmust = {b’ΣBΦ: ψpre(<b’,Φ>)is unsatisfiable} • ψ pre(<b’,Φ>)means states where ψ is true and from which we can reach states where <b’,Φ> is not true

  32. a’1 may a2 a’2 a’1 must a’2 a2 Soundness and Completeness • Theorem: • b→mayb’in BΦ iff b’ next(<b,Φ>)bmay • b→mustb’in BΦ iff b’ next(<b,Φ>)bmust • Reminder: • a2→αmaya’2 iff there existsa1ΣA1 and a’1ΣA1 such that a1ρ a2 , a’1ρ a’2 and a1→αmaya’1 • a2→αmusta’2 iff for alla1ΣA1 with a1ρ a2 there exists a’1ΣA1such that a’1ρ a’2 and a1→αmusta’1 • Completeness is relative to the theorem prover

  33. Computational Cost • In the paper it is shown that both next(ψ)bmay and next(ψ)bmust can be computed using BDDs • Since there are 2n boolean vectors b’, we should make 2n calls to the theorem prover for a single ψ • We have n predicates and, therefore, 2n boolean combinations ψ of {φ1 ,φ2 , …,φn} • Thus, computing all may transitions (i.e. next(ψ)bmay for all ψ’s) takes 22n calls to the theorem prover • Same is for all must transitions in BΦ

  34. Predicate Abstraction is not Incremental • Example (revisited): φ1 =odd(x), φ2 =(y>0), φ3 =(z<0) • Suppose that we have Φ = {φ2 , φ3} first • BΦ has four states, each with a must-transition to itself • Now we add φ1 to Φ • There is no must-transition from φ1 φ2 φ3in BΦ • The information about y is lost • No transition that guarantees there is no change in y • However, there is a must-transition from φ1 φ2 φ3to the disjunction (φ1 φ2 φ3)  (φ1 φ2 φ3) • Computing transitions to such states is too expensive • 22n possible states for n predicates

  35. Predicate-Cartesian Abstraction (1) • Motivation: • Predicate abstraction is not incremental • Adding a new predicate may not yield a refinement • The idea: • Replace sets of tuples by a tuple of sets • E.g., replace {<0,1>,<1,1>} by {<,1>} ( – a wildcard) • Formally: • Given Φ = {φ1 ,φ2 ,…,φn} and a “tri-vector” c {0,1,}n • <c,Φ> is a monomial whose i-th conjunct is φi if ci=1, φiif ci=0, and trueotherwise

  36. Predicate-Cartesian Abstraction (2) • The formal definition of ρ and ΣCΦ: • ρ= ρcρbΣs {0,1,}n • bρcc iffi{1..n}: [ci ≠  ci = bi ] • ΣCΦ = {c  {0,1,}n I bρccfor some bΣBΦ} • This makes ρc total • The symbol  means “don’t care” • s (ρcρb) c iffs<c,Φ> • Easy to show, by construction

  37. Example (revisited) • Our example: φ1 =odd(x), φ2 =(y>0), φ3 =(z<0) • s = (5, 2, 3) , s Σs •  s ρbbfor b = (110) • Recall:bρcc iffi{1..n}: [ci ≠  ci = bi ] • ρc= {(110, 110), (110, 10), (110, 10), (110, 11), (110, 0), (110, 1), (110, 1), (110, ), …} •  ρcρb= {(s, 110), (s, 10), (s, 10), (s, 11), (s, 0), (s, 1), (s, 1), (s, ), …}

  38. 10 010 110 110 010 may may may must may may must may may must may may may Example (cont’d) BΦ(a fragment) CΦ(a fragment)

  39. Example (cont’d) • Why s (ρcρb) c iffs<c,Φ> ? • For example: (s,10) ρcρb iff sφ1 trueφ3 • (s,10) ρcρbsρbb for b = 100 or 110  either sφ1 φ2 φ3 or sφ1 φ2 φ3 sφ1 true φ3

  40. Incremental Refinement • Theorem: • If Φ = {φ1 ,φ2 ,…, φn} and Ψ = Φ{φn+1 , φn+2 ,…, φn+m } • Then the MTS CΨis a refinement of the MTS CΦ • The refinement relation ρ is given by: • ρ ΣCΨ ΣCΦ= {(c’,c) | c is a prefix of c’} • Intuitively, newly-added predicates replace “don’t care”s. • This is not the case for predicate abstraction

  41. Implementing successors • Similar to the case with the predicate abstraction • Let ψ be is a boolean combination of {φ1 ,φ2 , … ,φn} • may-successors of ψ: • next(ψ)cmay = {c’ΣCΦ: post(ψ)  <c’,Φ>is satisfiable} • must-successors of ψ: • next(ψ)cmust = {c’ΣBΦ: ψpre(<c’,Φ>)is unsatisfiable} • Both next(ψ)cmay and next(ψ)cmust can be computed using Ternary Decision Diagrams (TDDs) • TDDs are like BDDs, but with 3 values (children)

  42. Soundness, Completeness and Cost • Theorem: • c→mayc’in CΦ iff c’ next(<c,Φ>)cmay • c→mustc’in CΦ iff c’ next(<c,Φ>)cmust • Completeness is relative to the theorem prover • Computational cost: • We have n predicates and, therefore, 3n ternary combinations ψ of {φ1 ,φ2 , …,φn} • For each ψ it takes 3n calls to the theorem prover • Thus, computing next(ψ)cmay and next(ψ)cmust for all ψ’s takes 32n calls to the theorem prover (each)

  43. Summary and Conclusions – II • We showed a framework for automatic program abstraction based on MTSs • Can be used for model-checking any formula of the modal -calculus • Both soundness and completeness are guaranteed • Predicate Cartesian abstraction allows incremental refinement, unlike the predicate abstraction • Though it does not have a significant cost overhead • 3-valued model checking on MTSs can be reduced to two traditional model checking problems on LTSs

  44. Thank you!

More Related