
Abstraction for Falsification






Presentation Transcript


  1. Abstraction for Falsification. Thomas Ball (Microsoft Research, Redmond, US), Orna Kupferman (Hebrew University, Jerusalem, Israel), Greta Yorsh (Tel Aviv University, Israel). CAV'05

  2. Abstraction for Verification • Goal: prove properties • Sound abstraction for verification • properties of abstract system hold for corresponding concrete system • α : C → A • if abstract state a satisfies property P then all concrete states represented by a satisfy P

  3. Abstraction for Verification • Goal: prove properties • Sound abstraction for verification • properties of abstract system hold for corresponding concrete system • α : C → A • ∀a ∈ A. if a ⊨ P then ∀c ∈ C. α(c) = a ⇒ c ⊨ P

  4. Abstraction for Verification (→ Falsification) • Goal: prove properties (→ detect errors) • Sound abstraction for verification • properties of abstract system hold for corresponding concrete system • α : C → A • ∀a ∈ A. if a ⊨ P then ∀c ∈ C. α(c) = a ⇒ c ⊨ P

  5. Abstraction for Verification (→ Falsification) • Goal: prove properties (→ detect errors) • Sound abstraction for verification (→ falsification) • errors of the abstract system exist in corresponding concrete system • α : C → A • ∀a ∈ A. if a ⊨ P then ∀c ∈ C. α(c) = a ⇒ c ⊨ P

  6. Abstraction for Verification (→ Falsification) • Goal: prove properties (→ detect errors) • Sound abstraction for verification (→ falsification) • errors of the abstract system exist in corresponding concrete system • α : C → A • verification: ∀a ∈ A. if a ⊨ P then ∀c ∈ C. α(c) = a ⇒ c ⊨ P • falsification: ∀a ∈ A. if a ⊭ P then ∃c ∈ C. α(c) = a ∧ c ⊭ P

  7. Motivation • An abstraction that is sound for falsification need not be sound for verification. • Existing frameworks for abstraction for verification • Modal Transition System (MTS) • MTS, PKS, KMTS are equivalent in expressive power [Godefroid, Jagadeesan – VMCAI'03] • can be too restrictive for falsification

  8. Main Results • New framework for abstraction • Ternary Modal Transition System (TMTS) • TMTS is stronger than MTS • Semantics of μ-calculus for TMTS • Weak reachability • TMTS with parameterized transitions gives tighter underapproximation • TMTS with assume-guarantee transitions for complete reasoning

  9. Modal Transition Systems (concrete → abstract via α) • MAY(a,a') ⇔ ∃c, c'. c → c' ∧ α(c) = a ∧ α(c') = a' (existential abstraction; overapproximation) • MUST+(a,a') ⇔ ∀c. α(c) = a ⇒ ∃c'. α(c') = a' ∧ c → c' (total from a; underapproximation) • MUST–(a,a') ⇔ ∀c'. α(c') = a' ⇒ ∃c. α(c) = a ∧ c → c' (onto a'; underapproximation) [T. Ball – FMCO'04] • must ⊆ may • must+ and must– are incomparable

  10. TMTS strictly more expressive than MTS • MTS • may and must+ transitions • precision preorder is logically characterized by PML: φ ::= p | AX φ | ¬φ | φ ∧ φ • TMTS • may, must+ and must– transitions • precision preorder is logically characterized by full-PML: φ ::= p | AX φ | AY φ | ¬φ | φ ∧ φ • full-PML is strictly more expressive than PML [Pinter, Wolper – PODC'84] [Kupferman, Pnueli – LICS'95]

  11. TMTS: what does it buy us? • Verifying specifications with past operators • Reasoning about specifications in falsification setting • must+ for verification and must– for falsification • Tighter weak reachability in abstract system • combine must+ and must– along the path

  12. Semantics of μ-calculus for TMTS • α : C → A • (C, c1) ⊨ φ • [(A, a1) ⊨ φ]: the value of the μ-calculus formula φ in state a1 of TMTS A

  13. Semantics of μ-calculus for TMTS • [(A, a) ⊨ φ] = T (universal): for all concrete states c with α(c) = a, (C, c) ⊨ φ • [(A, a) ⊨ φ] = T (existential): there exists a concrete state c with α(c) = a and (C, c) ⊨ φ • [(A, a) ⊨ φ] = F (universal): for all concrete states c with α(c) = a, (C, c) ⊭ φ • [(A, a) ⊨ φ] = F (existential): there exists a concrete state c with α(c) = a and (C, c) ⊭ φ • [(A, a) ⊨ φ] = M: there exist concrete states c and c' such that α(c) = α(c') = a and (C, c) ⊨ φ and (C, c') ⊭ φ • [(A, a) ⊨ φ] = ⊥ (otherwise)

  14. Information Lattice and Truth Lattice for the 3-valued case (values T, F, ⊥) [lattice diagrams]

  15. Information Lattice and Truth Lattice for the 6-valued case (values T, F, M, ⊥ and the existential T and F) [lattice diagrams]

  16. Semantics of μ-calculus for TMTS • [(A, a) ⊨ φ1 ∧ φ2] • [(A, a) ⊨ EX φ] • [(A, a) ⊨ μZ. φ(Z)]

  17. [(A, a) ⊨ φ1 ∧ φ2] = [(A, a) ⊨ φ1] # [(A, a) ⊨ φ2], where # is the 6-valued semantics of φ1 ∧ φ2 given by the table [table]

  18.–20. 6-valued semantics of φ1 ∧ φ2 [table, built up over several slides]

  21. Information Lattice and Truth Lattice for the 6-valued case (repeat of slide 15) [lattice diagrams]

  22.–23. 6-valued semantics of φ1 ∧ φ2 [table, continued]

  24. Semantics of EX: [(A, a) ⊨ EX φ] = • F if for all a', if may(a,a') then [(A, a') ⊨ φ] = F • T if exists a' s.t. must+(a,a') and [(A, a') ⊨ φ] = T • T (existential) if exists a' s.t. must–(a,a') and [(A, a') ⊨ φ] … T • ⊥ otherwise

  25. EX φ = T (existential) [diagram: a with must– transition to a'; concrete c → c' with c' ⊨ φ] • if [(A, a) ⊨ EX φ] = T (existential) then there exists c with α(c) = a and c ⊨ EX φ • [(A, a) ⊨ EX φ] = T (existential) • exists a' s.t. must–(a,a') and [(A, a') ⊨ φ] = T (existential) • exists c' such that α(c') = a' and c' ⊨ φ • for all c' with α(c') = a' there is c with α(c) = a such that c → c' • so c ⊨ EX φ

  26. Semantics of μ • The semantics of PML operators is monotonic • Least fixpoint operator can be computed by iterations from F in the usual way: • [(A, a) ⊨ μZ. φ(Z)] = [(A, a) ⊨ φ*(F)]

  27. Semantics of μ-calculus for TMTS • The 6-valued semantics is at least as precise as the standard 3-valued semantics of μ-calculus for MTS • [(A, a) ⊨ φ] = … • 3-valued abstraction refinement of must+ transitions [Shoham, Grumberg – CAV'03]: adapt for must– • Hypermust transitions [Larsen, Xinxin – LICS'90] [Shoham, Grumberg – CAV'04]: adapt for must– • MTS with hypermust+ is incomparable with TMTS [figure: concrete states x = 7 and x = 10 under x := x – 3; abstract state x > 6 (values 7, 8, 9, ...) reached by a must– and a may transition; labels EX(x>6) = ?, EX(x>6) = T, EX(x>6) F, EX(x>6) T]

  28. Semantics of μ-calculus for TMTS (same text as slide 27, without the figure)

  29. Weak Reachability [diagram: abstract states a, a' over concrete states c, c'] • a' is weakly-reachable from a • ∃c, c'. α(c) = a ∧ α(c') = a' ∧ c →* c' • initial state, error trace, error state • Related to testing

  30. Example. Program: L0: if x<6 then L1: x := x + 3; L2: if x > 7 then L3: x := x – 3; L4: (end). Predicates: (x < 6), (x > 7); an abstract state Lk: vw records the values of (x<6) and (x>7) at location Lk, so FF means (x=6) ∨ (x=7). Abstract states and transitions [diagram]: L0: FT, L0: FF; L1: TF → L2: TF (must–), L1: TF → L2: FF (must–), L1: TF → L3: FT (may); L3: FT → L4: TF (may), L3: FT → L4: FT (must–), L3: FT → L4: FF (must–)

  31. Example (as slide 30), with the concrete initial value x = 5 shown

  32. Underapproximation of Weak Reachability • if [must+]*(a,a') then a' is weakly reachable from a • Arbitrary combinations of must+ and must– transitions do not preserve weak reachability • Find a tighter underapproximation of weak reachability

  33. Example (as slide 30), annotated with the concrete values x = 2, x = 6, x = 9, x = 5 and with the questions "must–?" and "must+?" on the two may transitions

  34. Underapproximation of Weak Reachability (repeat of slide 32)

  35. Observations [diagram: a1 → a2 (must–), a2 → a3 (must+)] • a3 is weakly reachable from a1 if there exists a2 such that must–(a1,a2) and must+(a2,a3) • Onto nature of must– is preserved by [must–]* • Total nature of must+ is preserved by [must+]* [T. Ball – FMCO'04]

  36. Underapproximation [diagram: a1 → a2 ([must–]*), a2 → a3 ([must+]*)] • If there exist a1, a2, a3 such that [must–]*(a1,a2) and [must+]*(a2,a3) then a3 is weakly-reachable from a1 [T. Ball – FMCO'04]

  37. Example (repeat of slide 30)

  38. Parameterized Transitions [diagram: a → a' (MAY)] • MUST+? (total from a?) NO • MUST–? (onto a'?) NO

  39. Parameterized Transitions • MUST+(φ)(a,a') ⇔ ∀c. α(c) = a ∧ c ⊨ φ ⇒ ∃c'. α(c') = a' ∧ c → c' (total from a ∧ φ) • MUST–(φ)(a,a') ⇔ ∀c'. α(c') = a' ∧ c' ⊨ φ ⇒ ∃c. α(c) = a ∧ c → c' (onto a' ∧ φ) [diagram: a → a' (must+(φ)), a → a' (must–(φ))] • if φ is TRUE then must+(φ) is must+ and must–(φ) is must–

  40. Observation [diagram: a1 → a2 (must–(φ1)), a2 → a3 (must+(φ2))] • a3 is weakly reachable from a1 if there exists a2 such that • must–(φ1)(a1,a2) • must+(φ2)(a2,a3) • φ1 ∧ φ2 ∧ a2 is satisfiable

  41. Observation (as slide 40) • Strongest parameters φ1 and φ2

  42. Strongest Parameters (a → a' by statement s) • MUST–(SP(s,a))(a,a'): ∀c'. α(c') = a' ∧ c' ⊨ SP(s,a) ⇒ ∃c. α(c) = a ∧ c → c' • if must–(φ)(a,a') then a' ⊨ (φ ⇒ SP(s,a)) • MUST+(WP(s,a'))(a,a'): ∀c. α(c) = a ∧ c ⊨ WP(s,a') ⇒ ∃c'. α(c') = a' ∧ c → c' • if must+(φ)(a,a') then a ⊨ (φ ⇒ WP(s,a')) • Generated automatically as part of the construction of TMTS

  43. Example (as slide 30), with the strongest parameters SP(x:=x+3, x<6) = x < 9 and WP(x:=x–3, x<6) = x < 9

  44. Example (as slide 30), with the two may transitions replaced by parameterized transitions: L1: TF → L3: FT becomes must–(x < 9) and L3: FT → L4: TF becomes must+(x < 9), using SP(x:=x+3, x<6) = x < 9 and WP(x:=x–3, x<6) = x < 9

  45. Tighter Underapproximation [diagram: path a1, a2, a3, a4, a5 with edges [must–]*, must–(φ1), must+(φ2), [must+]*] • If there exist a1, ..., a5 s.t. [must–]*(a1,a2), must–(φ1)(a2,a3), must+(φ2)(a3,a4), [must+]*(a4,a5), and φ1 ∧ φ2 ∧ a3 is satisfiable, then a5 is weakly-reachable from a1

  46. Complete Reasoning • a' is reachable by a certain sequence of abstract transitions from a ⇔ a' is weakly-reachable from a • Assume-guarantee transitions • another type of parameterized transitions: <φ> must+ <φ'>

  47. < > MUST–<  ’ > a   c’. (c’) = a’  c’   ’  c . (c) = a  c    c  c’ <>must–<‘ > a’   ’ Assume-Guarantee Transitions   < > MUST+ <  ’> a  c. (c) = a  c    c’ . (c’) = a’  c’   ’  c  c’ <>must+<‘ > a’   ’ Which  and ’ predicates do we need?

  48. The idea... [diagram: a1 → a2 (s1), a2 → a3 (s2), a3 → a4 (s3), a4 → a5 (s4)] • forward: φ1 = a1, φ2 = SP(s1, φ1) ∧ a2, φ3 = SP(s2, φ2) ∧ a3, giving <φ1>must–<φ2> and <φ2>must–<φ3> • backward: ψ5 = a5, ψ4 = WP(s4, ψ5) ∧ a4, ψ3 = WP(s3, ψ4) ∧ a3, giving <ψ3>must+<ψ4> and <ψ4>must+<ψ5> • φ3 ∧ ψ3 is satisfiable

  49. Assume-guarantee transitions • Complete Reasoning about Weak Reachability • a' is reachable by a certain sequence of assume-guarantee transitions from a ⇔ a' is weakly-reachable from a • Finding right parameters ~ computing loop invariants
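The following Python script is an added worked example (not code from the paper or its authors) that runs the slides' example program through the definitions above: the may / must+ / must– kinds of slide 9, the parameterized must–(φ) / must+(φ) of slide 39, the strongest parameters SP / WP of slide 42, and the forward-SP / backward-WP assume-guarantee chain of slides 48–49 that decides weak reachability and extracts a concrete error trace. It assumes a constructed bounded domain for x so that SP, WP and "φ is satisfiable" can be checked by enumeration rather than with a theorem prover; all function names are this example's own.

```python
# Added example, not the paper's own code.  Abstract states are written as on
# the slides: (location, x<6, x>7), e.g. (2, False, True) is "L2: FT".
# Predicates and parameters are Python sets of concrete states over a
# constructed bounded domain, so "satisfiable" means "non-empty".

DOMAIN = range(-5, 30)        # constructed; no step of the program leaves it

# Program:  L0: if x<6 then  L1: x := x+3   L2: if x>7 then  L3: x := x-3   L4:
# A concrete state is (location, x); step(c) lists its successors (at most one).
def step(c):
    loc, x = c
    if loc == 0:
        return [(1, x)] if x < 6 else [(2, x)]
    if loc == 1:
        return [(2, x + 3)]
    if loc == 2:
        return [(3, x)] if x > 7 else [(4, x)]
    if loc == 3:
        return [(4, x - 3)]
    return []                 # L4 is the final location

CONC = [(loc, x) for loc in range(5) for x in DOMAIN]
TRUE = frozenset(CONC)        # the parameter TRUE of slide 39

def alpha(c):
    """Abstraction over the predicates (x<6), (x>7)."""
    loc, x = c
    return (loc, x < 6, x > 7)

def gamma(a, phi=TRUE):
    """Concrete states of abstract state a that also satisfy parameter phi."""
    return frozenset(c for c in CONC if alpha(c) == a and c in phi)

def may(a, a2):
    """Existential abstraction: some state of a steps into a2."""
    return any(alpha(d) == a2 for c in gamma(a) for d in step(c))

def must_plus(a, a2, phi=TRUE, guar=TRUE):
    """<phi> must+ <guar> (slide 47): every state of (a and phi) has a successor
    in (a2 and guar).  guar=TRUE is must+(phi) of slide 39; both TRUE is the
    plain must+ of slide 9 (total from a)."""
    src, tgt = gamma(a, phi), gamma(a2, guar)
    return bool(src) and all(any(d in tgt for d in step(c)) for c in src)

def must_minus(a, a2, phi=TRUE, assume=TRUE):
    """<assume> must- <phi> (slide 47): every state of (a2 and phi) has a
    predecessor in (a and assume).  assume=TRUE is must-(phi) of slide 39;
    both TRUE is the plain must- of slide 9 (onto a2)."""
    tgt = gamma(a2, phi)
    image = {d for c in gamma(a, assume) for d in step(c)}
    return bool(tgt) and tgt <= image

def sp(phi):
    """Strongest postcondition: the image of the state set phi."""
    return frozenset(d for c in phi for d in step(c))

def wp(phi):
    """Weakest precondition: states whose (existing) successors all lie in phi."""
    return frozenset(c for c in CONC if step(c) and all(d in phi for d in step(c)))

def weakly_reachable(path, k):
    """Assume-guarantee check of slide 48 along abstract path a1..an meeting at
    index k: the forward SP chain phi_i justifies <phi_i> must- <phi_i+1>, the
    backward WP chain psi_j justifies <psi_j> must+ <psi_j+1>, and a_n is
    weakly reachable from a_1 iff phi_k and psi_k is satisfiable.
    Returns a concrete witness trace or None (spurious abstract path)."""
    n = len(path)
    phi = [gamma(path[0])]
    for i in range(1, k + 1):
        phi.append(gamma(path[i], sp(phi[-1])))
        assert not phi[-1] or must_minus(path[i - 1], path[i], phi[-1], phi[-2])
    psi = {n - 1: gamma(path[n - 1])}
    for j in range(n - 2, k - 1, -1):
        psi[j] = gamma(path[j], wp(psi[j + 1]))
        assert not psi[j] or must_plus(path[j], path[j + 1], psi[j], psi[j + 1])
    meet = phi[k] & psi[k]
    if not meet:
        return None
    trace = [min(meet)]
    for i in range(k, 0, -1):     # walk back along the must- chain
        trace.insert(0, next(c for c in phi[i - 1] if trace[0] in step(c)))
    for j in range(k, n - 1):     # walk forward along the must+ chain
        trace.append(next(d for d in step(trace[-1]) if d in psi[j + 1]))
    return trace

L0_TF, L1_TF, L2_FT = (0, True, False), (1, True, False), (2, False, True)
L3_FT, L4_TF, L4_FT = (3, False, True), (4, True, False), (4, False, True)
X_LT_9 = frozenset(c for c in CONC if c[1] < 9)   # the parameter x < 9 of slide 44

def edge_kinds(a, a2, phi=TRUE):
    """(may, must+, must-, must+(phi), must-(phi)) for one abstract edge."""
    return (may(a, a2), must_plus(a, a2), must_minus(a, a2),
            must_plus(a, a2, phi), must_minus(a, a2, phi))

def strongest_parameters():
    """Slides 42-43: SP(x:=x+3, x<6) restricted to L2:FT and WP(x:=x-3, x<6)
    restricted to L3:FT, as sets of x values (both come out as x = 8)."""
    return ({x for _, x in gamma(L2_FT, sp(gamma(L1_TF)))},
            {x for _, x in gamma(L3_FT, wp(gamma(L4_TF)))})

if __name__ == "__main__":
    print(edge_kinds(L1_TF, L2_FT, X_LT_9), edge_kinds(L3_FT, L4_TF, X_LT_9))
    print(strongest_parameters())
    print(weakly_reachable([L0_TF, L1_TF, L2_FT, L3_FT, L4_TF], 2))  # the x = 5 trace
    print(weakly_reachable([L0_TF, L1_TF, L2_FT, L3_FT, L4_FT], 2))  # spurious: None
```

The two may edges of slide 30 come out as neither must+ nor must–, but L1:TF → L2:FT is must–(x<9) and L3:FT → L4:TF is must+(x<9), as on slide 44; the assume-guarantee chain then meets at L2:FT with x = 8 and recovers the concrete trace that starts from x = 5 (slide 31). The second path ends in L4:FT: every edge on it is a may transition, yet the chains do not meet, so the abstract error trace is spurious, which is exactly the distinction weak reachability draws.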

  50. Weak Reachability: Summary • Previous work [T. Ball – FMCO'04]: [must–]* [must+]* • Parameterized transitions: [must–]* must–(φ1) must+(φ2) [must+]* • Assume-guarantee transitions: complete reasoning
