1 / 67

Abstraction in Model Checking

Abstraction in Model Checking. Nishant Sinha. Model Checking. Given a: Finite transition system M A temporal property p The model checking problem: Does M satisfy p ?. Model Checking (safety). I. Too many states to handle !. MUST ABSTRACT!!. = bad state. Abstraction.

ryann
Télécharger la présentation

Abstraction in Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abstraction in Model Checking Nishant Sinha

  2. Model Checking • Given a: • Finite transition system M • A temporal property p • The model checking problem: • Does Msatisfy p?

  3. Model Checking (safety) I Too many states to handle ! MUST ABSTRACT!! = bad state

  4. Abstraction • Eliminate details irrelevant to the property • Obtain simple finite models sufficient to verify the property • E.g., Infinite state ! Finite state approximation • Disadvantage • Loss of Precision: False positives/negatives

  5. h h h h h Data Abstraction S S’ Abstraction Function h : S ! S’

  6. Even Odd Neg Zero Pos Data Abstraction Example • Abstraction proceeds component-wise, where variables are components …, -2, 0, 2, 4, … x:int …, -3, -1, 1, 3, … …, -3, -2, -1 y:int 0 1, 2, 3, …

  7. Data Abstraction Example • Partition concrete variables into visible(V) and invisible(I) variables. The abstract model consists of V variables. I variables are existentially quantified out. The abstraction function maps each state to its projection over V.

  8. Data Abstraction Example x1 x2 x3 x4 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 x1 x2 h 0 0 Group concrete states with identical visible part to a single abstract state.

  9. int (n<0) : NEG (n==0): ZERO (n>0) : POS Signs Signs x = ZERO; if (Signs.eq(x,ZERO)) x = Signs.add(x,POS); NEG ZERO POS Data Type Abstraction Code Abstract Data domain int x = 0; if (x == 0) x = x + 1;

  10. How do we Abstract Behaviors? • Abstract domain A • Abstract concrete values to those in A • Then compute transitions in the abstract domain • Over-approximations: Add extra behaviors • Under-approximations: Remove actual behaviors

  11. Formalism: Kripke Structures • M = (S,s0,!,L) on AP • S: Set of States • s0: Initial State • !: Transition Relation • L: S ! 2AP, Labeling on States p p !p p,q

  12. Simulations on Kripke Structures M = (S, s0, !, L) M’ = (S’, s’0, !’, L’) Definition: R  S  S’is a simulation relation between M and M’ iff M’ simulates M (M ¹ M’) iff (s0, t0)2 R • (s,s’)  R implies • L(s) = L’(s’) • for all t s.t. s  t , exists t’ s.t. s’ ’ t’ and (t,t’)  R. Intuitively, every transition in M can be matched by some transition in M’

  13. Guarantees from Abstraction • Strong Preservation: • M’ ² P iff M ² P • Weak Preservation: • M’ ² P ) M ² P • Simulation preserves ACTL* properties • If M ¹ M’ then M’ ²AG p)M ² AG p

  14. Overview • Formalizing Abstraction/Refinement • Homomorphic Abstractions • Abstract Interpretation Theory • Guarantees from Abstractions – Safe • Automated Abstraction Refinement - CEGAR • Applications • Hardware – e.g., Hom. Abstraction • Software – e.g., Predicate Abstraction

  15. Building an Abstraction • Computing Abstract Domain • Computing Abstract Transitions

  16. Homomorphisms • Clarke et. al.- ’94, ’00 • Concrete States S, Abstract states S’ • Abstraction function (Homomorphism) • h: S ! S’ • Induces a partition on S equal to size of S’

  17. Existential/Universal Abstractions • Existential • Make a transition from an abstract state if at least one corresponding concrete state has the transition. • Abstract model M’ simulates concrete model M • Universal • Make a transition from an abstract state if all the corresponding concrete states have the transition.

  18. h Existential Abstraction (Over-approximation) I S I S’

  19. h Universal Abstraction (Under-Approximation) I S I S’

  20. Guarantees from Exist. Abstraction Let φbe a ACTL* property M’ existentially abstracts M, so M ¹ M’ M’ • Preservation Theorem M’⊨φM ⊨ φ M Converse does not hold M’⊭φM⊭φ M’ ⊭ φ : counterexample may be spurious

  21. Deadend states I I f Bad States Failure State Why spurious counterexample?

  22. Refinement • Problem: Deadend and Bad States are in the same abstract state. • Solution: Refine abstraction function. • The sets of Deadend and Bad states should be separated into different abstract states.

  23. Refinement h’ Refinement : h’

  24. Abstract Interpretation • Cousot et. al. ‘77 • Framework for approximating fixpoint computations • Galois Connections • Concrete: S, Abstract: S’ • Abstract S. F(S) = S as S’. F’(S’) = S’ • Homomorphisms are a particular case • Widening/Narrowing

  25. Galois Connections  • S – concrete, S’– abstract • S’ must be a complete lattice • : 2S→ S’- abstraction function • : S’ → 2S - concretization function • Properties of  and : • ((A)) · A, for A in S’ • ((X)) ⊇ X, for X µS • The above properties mean that  and  are Galois-connected S S’ 

  26. Abs. Interpretation: Example • int -> {even, odd, T} • (even) = {..,-2,0,2,4..} • (odd) = {..,-3,-1,1,3..} • (T) = int • Predicate abstraction is an instance

  27. Computing Abstract Transition Relation  R R’ Existential Abstraction • R[Dams’97]: (t, t1)  R’ iff  s (t) and  s1  (t1) s.t. (s, s1)  R • This ensures that • M’ simulates M • Preservation Theorem applies • Similarly, Universal Abstraction R89 S S’ 

  28. Other kinds of Abstraction • Cone of Influence • Slicing

  29. Automated Abstraction/Refinement • Good abstractions are hard to obtain • Automate both Abstraction and Refinement processes • Counterexample-Guided AR (CEGAR) • Build an abstract model M’ • Model check property P, M’ ² P? • If M’ ² P, then M ² P by Preservation Theorem • Otherwise, check if Counterexample (CE) is spurious • Refine abstract state space using CE analysis results • Repeat

  30. Counterexample-Guided Abstraction-Refinement (CEGAR) Build New Abstract Model Model Check M M’ Pass No Bug Fail Check Counterexample Obtain Refinement Cue Real CE Spurious CE Bug

  31. Use of Abstractions in Hardware and Software Verification

  32. Applications • Hardware Verification: • Thousands of Latches • Abstract using homomorphisms • SAT-based methods (Clarke et. al.) • Software Verification: • Integer variables, Undecidability • Predicate Abstraction • SLAM • MAGIC, BLAST • All these approaches are automated (CEGAR)

  33. Verifying Hardware: Abstraction • A number of approaches • Localization (Kurshan et. Al.) • SAT-based (’02) • … • We consider a homomorphism-based approach inside CEGAR framework

  34. Counterexample-Guided Abstraction-Refinement (CEGAR) Build New Abstract Model Model Check M M’ Pass No Bug Fail Check Counterexample Obtain Refinement Cue Real CE Spurious CE Bug

  35. Abstraction Function • Partition variables into visible(V) and invisible(I) variables. The abstract model consists of V variables. I variables are made inputs (existentially quantified). The abstraction function maps each state to its projection over V.

  36. Abstraction Function Example x1 x2 x3 x4 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 x1 x2 h 0 0 Group concrete states with identical visible part to a single abstract state.

  37. h Abstract Model Computation • Existential Abstraction: I I

  38. Obtaining Exist. Abstraction Symbolically • Concrete Model : (S, I, R, L) • Abstract Model: (S’,I’,R’,L’) • h: S ! S’ • S’ = {s’ j9s 2 S. h(s)=s’} • I’ = {s’ j9s 2 S. I(s) Æ h(s)=s’} • R’ = {(s1’,s2’) j 9s1,s2. R(s1,s2) Æ h(s1)=s1’ Æ h(s2)=s2’}

  39. Checking the Counterexample • Model check the abstract model • Yes or a Counterexample CE • Counterexample : (c1, …,cm) • Each ci is an assignment to V. • Simulate the counterexample on the concrete model.

  40. Checking the Counterexample • Concrete traces corresponding to the counterexample: (Initial State) (Unrolled Transition Relation) (Restriction of V to Counterexample) • Refine if CE is spurious

  41. Deadend states I I f Bad States Failure State Spurious counterexample?

  42. h’ Refinement h’ h’ h’ h’ h’ h’ Refinement (h’): Make Invisible variables Visible

  43. Frontier P Visible Invisible Inputs Refinement methods… Localization (R. Kurshan, 80’s)

  44. Refinement methods… Abstraction/refinement with conflict analysis • Simulate counterexample on concrete model with SAT • If the instance is unsatisfiable, analyze conflict • Make visible one of the variables in the clauses that lead to the conflict (Chauhan, Clarke, Kukula, Sapra, Veith, Wang, FMCAD 2002)

  45. Deadend States f Failure State Refinement as Separation

  46. Refinement as Separation Deadend States Bad States

  47. 1 0 0 1 0 0 1 0 0 1 0 0 1 1 1 0 1 0 1 1 Refinement as Separation v1 v2 v3 v4 v5 v6 v7 Refinement : Find subset U of I that separates between all pairs of deadend and bad states. Make them visible. Keep U small ! d1 0 1 0 0 1 0 1 I b1 V b2

  48. 0 1 0 1 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 1 0 1 0 1 Refinement as Separation v1 v2 v3 v4 v5 v6 v7 Refinement : Find subset U of I that separates between all pairs of deadend and bad states. Make them visible. Keep U small ! d1 I b1 V b2

  49. Refinement as Separation The state separation problem Input: Sets D, B Output: Minimal U subset of I s.t.:  d D,  b B, u U. d(u)  b(u) The refinement h’ is obtained by adding Uto V.

  50. Two separation methods • ILP-based separation • Minimal separating set. • Computationally expensive. • Decision Tree Learning based separation. • Not optimal. • Polynomial.

More Related