Algorithms for Software Model Checking: Predicate Abstraction vs
Using 3-Valued Models in Abstraction-based Model Checking
description
Transcript of Using 3-Valued Models in Abstraction-based Model Checking
Using 3-Valued Models in Abstraction-based Model Checking
Seminar in Formal Verification
Spring 2006
Presented by Alik Zamansky
References
On the Expressiveness of 3-Valued Models Patrice Godefroid and Radha Jagadeesan, 2003
Abstraction-based Model Checking using Modal Transition Systems Patrice Godefroid, Michael Huth, and Radha
Jagadeesan, 2001
Abstraction-based Model Checking (reminder)
Extract an abstract model A out of a program C Automatically, by a static analysis of the code
Analyze the model using model-checking techniques Check whether A satisfies some property φ
Transfer the result to the original program C
Can be complete, but is generally unsound Reports spurious errors
3-Valued Models: Motivation
3-valued models introduce some elements of uncertainty E.g. “unknown” truth value or uncertain transactions
between states They can be used in model checking to guarantee
both completeness and soundness A formula evaluating to true or false on an abstract
model holds (does not hold) on the concrete system If the result is “unknown”, a more complete (i.e. less
abstract) model is required
Outline
3-valued modeling formalisms PKS, MTS and KMTS Equal expressiveness
Translation from PKS to MTS Translation from MTS to KMTS
Summary and conclusions of paper 1 Relational abstraction and implementations
Predicate abstraction Predicate-Cartesian abstraction Summary and conclusions of paper 2
Partial Kripke Structures (PKS)
A Kripke structure whose atomic prepositions can have a third truth value ┴ (“unknown”)
A standard Kripke structure is a special case of PKS Formally, a tuple (S, P, →, L)
S : a set of states P : a set of atomic prepositions → S x S : a transition relation on S L : S x P → { true, , false} : associates a truth value
with each atomic preposition in P for each state in S
Partial Kripke Structures (cont’d)
p q : true if p = true and q = true false if p = false or q = false otherwise
p : true if p = false false if p = true if p =
p q = (p q)
Propositional Modal Logic (PML)
Propositional logic extended with the modal operator AX (“for all immediate successors”)
Syntax: φ ::== p I φ I φ1φ2 I AXφ
Semantics for 3-valued PML: [(M,s)φ] [(M,s)p] = L(s,p)
[(M,s)φ] = comp([(M,s)φ])
[(M,s)φ1φ2] = [(M,s)φ1] and [(M,s)φ2]
[(M,s)AXφ] = ss’ [(M,s’)φ]
Modal Transition Systems (MTS)
MTS is a tuple (S, Σ, →must , →may) S : a set of states Σ : a set of action symbols →must, →may S x Σ x S : transition relations →must →may (must-transitions are also may-transitions)
MTS therefore: Is a Labeled Transition System (LTS) with two types of
transitions instead of one Reasoning about the existence of transitions can be
viewed as reasoning with a 3-valued logic
MTS – Example
A specification of a slot machine must-transitions: fixed behavior may-transitions: uncertain behavior
inactive
winning
active
reset
must
winCoin
must
winAnotherCoin may
acceptCoin must
loseCoin may
PMLAct (3-valued PML for MTS)
Syntax: φ ::== tt I φ I φ1φ2 I (α)φ (for some αΣ)
Semantics: [(M,s)φ] [(M,s)tt] = true
[(M,s)φ] = comp([(M,s)φ])
[(M,s)φ1φ2] = [(M,s)φ1] and [(M,s)φ2]
[(M,s)(α)φ] = true if (s, α, s’) →may : [(M,s’)φ] = true
false if (s, α, s’) →must : [(M,s’)φ] = false
otherwise
Kripke Modal Transition Systems
KMTS combines features of both PKS and MTS Is a tuple: (S, P, →must , →may , L)
S : a set of states P : a set of atomic prepositions →must, →may S x S : transition relations (→must →may) L : S x P → { true, , false} : associates a truth value
with each atomic preposition in P for each state in S KMTS generalizes PKS
PKS is a KMTS where →must = →may
3-valued PML for KMTS
Syntax: same as for the 3-valued PML Semantics: [(M,s)φ]
[(M,s)p] = L(s,p)
[(M,s)φ] = comp([(M,s)φ])
[(M,s)φ1φ2] = [(M,s)φ1] and [(M,s)φ2]
[(M,s)AXφ] = true if s’: (s, s’) →may [(M,s’)φ] = true
false if s’: (s, s’) →must [(M,s’)φ] = false
otherwise
Translation from PKS to MTS
For a PKS M = (S, P, →, L) we define an equivalent MTS M’ = (S’, Σ, →must , →may): S’ = S U {snew } Σ = P U {x} →must = {(s, p, snew ) I L(s,p) = true} U {(s, x, s’) | ss’ }
→may = {(s, p, snew ) I L(s,p) {true,}} U {(s, x, s’) | ss’ }
Translation complexity: Input PKS is of the size O(I→I + ISI·IPI) Output MTS: O(I→mustI + I→mayI) = O(I→I + ISI·IPI) I.e., linear in the size of the input
Translation from PML to PMLAct
φ: a PML formula defined on PKS M
T(φ): an equivalent PMLAct formula on MTS M’ defined by applying recursively the following rules: For all p P, T(p) = (p)tt = (p)tt T(φ) = T(φ) T(φ1φ2) = T(φ1) T(φ2) T(AXφ) = (x)T(φ) (x Σ )
Theorem: [(M,s)φ] = [(M’,s)T(φ)]
PKS to MTS – Example
s0
s1
s2
p = false q = true
p = true q =
p = true q = true
M
[(M,s0) AXq ] = [(M’,s0) (x)(q)tt ] = [(M,s0) AXAXq ] = [(M’,s0) (x)(x)(q)tt ] = true
M’
s0
s1
s2
snew
q
must
x
must
x
must
x must
p must
q may
p must
q must
x must
Translation from MTS to KMTS
For a MTS M = (S, Σ, →must , →may) we define an equivalent KMTS M’ = (S’, P, →must’ , →may’, L): S’ = S Σ P = Σ →must’ = {((s,α),(s’,α’)) I (s, α’, s’) →must } →may’ = {((s,α),(s’,α’)) I (s, α’, s’) →may } (s,α) S’: p P:
L((s,α),p) = true if p = α L((s,α),p) = false otherwise
Translation complexity is linear The number of states is ISI·IΣI – linear for fixed Σ
Translation from PMLAct to PML
φ: a PMLAct formula defined on MTS M T(φ): an equivalent PML formula on KMTS M’
defined by applying recursively the following rules: T(tt) = true T(φ) = T(φ) T(φ1φ2) = T(φ1) T(φ2) T((α)φ) = AX((α) T(φ)) (i.e. AX(αT(φ)) )
Theorem: [(M,s)φ] = [(M’,(s,α))T(φ)] for any α Σ
MTS to KMTS – Example
standing
walking
running
SU
SD
SUSD
SU SU
M
SU – Speed up, SD – Slow down – a must-transition ; – a may-transition
M’
standing,SD
walking,SD
running,SD
running,SU
walking,SU
standing,SU
SU = true SD = false
SU = true SD = false
SU = false SD = true
SU = false SD = true
SU = true SD = false
SU = false SD = true
MTS to KMTS – Example (cont’d)
Q1: [(M,standing) (SD)tt ] = ? false (can be written as (SD)tt )
Q2: how to ask this in PML on KMST? [(M’,(standing,SD)) (AX(SD false)) ] = ? [(M’,(standing,SU)) (AX(SD false)) ] = ?
Q3: [(M,running) (SU)tt ] = – why? Q4: [(M,walking) (SD)(SU)tt ] = ?
[(M’,(walking,SU)) AX(SD AX(SU true)] = [(M’,(walking,SD)) AX(SD AX(SU true)] = true
Summary and Conclusions – I
Translation from KMTS to PKS also exists The construction is somewhat more complicated
The three 3-valued models are equally expressive Yet, both PKS and MTS are useful: state vs behavior
This result holds not only for PML, but also for PML with fixpoint operators, i.e. the -calculus And therefore, it holds for LTL, CTL and CTL*
All translations require only linear time Thus, 3-valued model checking for any temporal logic
and any 3-valued formalism takes the same time
Simulation – reminder
Consider a program C represented by LTS LTS is a tuple K = (ΣK,Act,→); ΣK is a set of states, Act
is a set of action symbols and → is a transition relation Suppose that A is an abstract LTS generated from C A is usually constructed so that the initial states of A
and C are related by a simulation Simulation (definition):
A relation ρ ΣCΣA is a simulation iff for any c ρ a and c →α c’ there is some a’ΣA such that a →α a’ and c’ ρ a’. c ρ a means (c,a) ρ , and c →α c’ stands for (c,α,c’) →
Simulation – example
Note: C and A are LTSs, not MTSs as in the similar example shown earlier, there are no may-transition here!
standing’ moving
SU
SD
SU
SD
C: A:
ρ = {(standing, standing’), (walking, moving), (running, moving) }
standing
walking
running
SU
SD
SUSD
Refinement
MTS can be defined as a pair K = (Kmust, Kmay): Kmust = (ΣK,Act,→must) and Kmay = (ΣK,Act,→may) are two
LTSs such that →must →may Refinement: An MTS A1 is a refinement of an MTS
A2 if there exists a relation ρ ΣA1ΣA2
such that:
ρ is a simulation from A1may to A2
may
ρ is a simulation from A2must to A1
must
We write A1A2 that means: A1 is a refinement of A2
A2 is an abstraction of A1
Relational Abstraction
A tool to specify an abstract MTS, given: An MTS A1 = (A1
must, A1may)
A set of abstract states ΣA2
A total relation ρ ΣA1ΣA2
We define A2 = (ΣA2 , Act, →must , →may):
a2 →αmust a’2 iff for all a1ΣA1
with a1 ρ a2 there exists a’1ΣA1
such that a’1 ρ a’2 and a1 →αmust a’1
a2 →αmay a’2 iff there exists a1ΣA1
and a’1ΣA1 such that a1 ρ
a2 , a’1 ρ a’2 , and a1 →αmay a’1
Lemma: A2 is an MTS and an abstraction of A1
Relational Abstraction – Example
A1 is an LTS (i.e., an MTS with A1may = A1
must): Its infinite state space is given by all possible valuations
of three integer variables x, y, z Any state c is of the form {x=i, y=j, z=k} Transitions in A1 are those induced by x := z
I.e., there is a transition from c to c’ = {x=k, y=j, z=k }
A fragment of A1:
{1,2,3} {3,2,3}x := z
x := z
{0,2,3} x := z …
Rel. Abstraction – Example (cont)
Consider the following three predicates: φ1 = odd(x) , φ2 = (y > 0) , φ3 = (z < 0)
Induce an equivalence relation on the states of A1
States are equivalent if they agree on all 3 predicates
Let ΣA2 contain all equivalence classes of states of A1
States of A2 are boolean formulae built from the φi ’s.
A fragment of A2: may
(φ1φ2φ3)(φ1φ2φ3)(φ1φ2φ3)
(φ1φ2φ3)must
may
Predicate Abstraction
Collapses an infinite-state LTS into a finite-state MTS By choosing finitely many quantifier-free formulae of
first-order logic Φ = {φ1 , φ2 , … , φn }
Abstract states: Are build out of monomials over predicates Are represented by binary vectors of length n Given a binary vector b{0,1}n, <b,Φ> is a monomial
whose i-th conjunct is φi if bi =1, and φi otherwise
Predicate Abstraction – definition
Given an LTS S and Φ = {φ1 , φ2 , … , φn }
We want to build a finite-state abstract MTS BΦ
In order to use the relational abstraction, we need a total relation ρ and a set of abstract states ΣBΦ
We use the following definition: ρ = ρb Σs {0,1}n, where s ρb b iff s <b,Φ>
ΣBΦ = { b {0,1}n I s ρb b for some sΣs } (which makes ρb total)
post() and pre() operators
Let us present definitions useful for implementing may- and must-successors of a predicate abstraction Defined for a predicate η on a set Σs of states, for a
label α Act
postα(η) = { s’ Σs I sΣs : s η , s →α s’ }
A set of states to which there exists a transition α from states where η is true
preα(η) = { s Σs I s’Σs : s →α s’ implies s’ η }
A set of states from which all α transitions lead to states where η is true
Implementing successors
Let ψ be is a boolean combination of {φ1 ,φ2 , … ,φn }
may-successors of ψ: next(ψ)b
may = { b’ΣBΦ : post(ψ) <b’,Φ> is satisfiable }
post(ψ) <b’,Φ> means states that can be reached from ψ
must-successors of ψ: next(ψ)b
must = { b’ΣBΦ : ψ pre(<b’,Φ>) is unsatisfiable }
ψ pre(<b’,Φ>) means states where ψ is true and from which we can reach states where <b’,Φ> is not true
Soundness and Completeness
Theorem: b →may b’ in BΦ iff b’ next(<b,Φ>)b
may
b →must b’ in BΦ iff b’ next(<b,Φ>)bmust
Reminder: a2 →α
may a’2 iff there exists a1ΣA1 and a’1ΣA1
such that a1 ρ a2 , a’1 ρ a’2 and a1 →αmay a’1
a2 →αmust a’2 iff for all a1ΣA1
with a1 ρ a2 there
exists a’1ΣA1 such that a’1 ρ a’2 and a1 →α
must
a’1
Completeness is relative to the theorem prover
may
must
a2 a’2
a’2a2
a’1
a’1
Computational Cost
In the paper it is shown that both next(ψ)bmay and
next(ψ)bmust can be computed using BDDs
Since there are 2n boolean vectors b’, we should make 2n calls to the theorem prover for a single ψ
We have n predicates and, therefore, 2n boolean combinations ψ of {φ1 ,φ2 , … ,φn }
Thus, computing all may transitions (i.e. next(ψ)bmay
for all ψ’s) takes 22n calls to the theorem prover
Same is for all must transitions in BΦ
Predicate Abstraction is not Incremental
Example (revisited): φ1 = odd(x), φ2 = (y>0), φ3 = (z<0) Suppose that we have Φ = {φ2 , φ3 } first
BΦ has four states, each with a must-transition to itself
Now we add φ1 to Φ There is no must-transition from φ1 φ2 φ3 in BΦ The information about y is lost
No transition that guarantees there is no change in y However, there is a must-transition from φ1 φ2 φ3 to the
disjunction (φ1 φ2 φ3 ) (φ1 φ2 φ3 ) Computing transitions to such states is too expensive
22n possible states for n predicates
Predicate-Cartesian Abstraction (1)
Motivation: Predicate abstraction is not incremental Adding a new predicate may not yield a refinement
The idea: Replace sets of tuples by a tuple of sets E.g., replace {<0, 1>, <1, 1>} by {<,1>} ( – a wildcard)
Formally: Given Φ = {φ1 ,φ2 , … ,φn } and a “tri-vector” c {0,1,}n
<c,Φ> is a monomial whose i-th conjunct is φi if ci =1, φi if ci =0, and true otherwise
Predicate-Cartesian Abstraction (2)
The formal definition of ρ and ΣCΦ :
ρ = ρc ρb Σs {0,1,}n
b ρc c iff i {1..n } : [ci ≠ ci = bi ]
ΣCΦ = { c {0,1,}n I b ρc c for some bΣBΦ
}
This makes ρc total
The symbol means “don’t care”
s ( ρc ρb ) c iff s <c,Φ>
Easy to show, by construction
Example (revisited)
Our example: φ1 = odd(x), φ2 = (y>0), φ3 = (z<0)
s = (5, 2, 3) , s Σs
s ρb b for b = (110)
Recall: b ρc c iff i {1..n } : [ci ≠ ci = bi ]
ρc = {(110, 110), (110, 10), (110, 10), (110, 11), (110, 0), (110, 1), (110, 1), (110, ), … }
ρc ρb = { (s, 110), (s, 10), (s, 10), (s, 11), (s, 0), (s, 1), (s, 1), (s, ), … }
Example (cont’d)
BΦ (a fragment)
010
110
maymay
may
may 110
010
10 maymay
may
may
must
must
must
may
may
CΦ (a fragment)
Example (cont’d)
Why s ( ρc ρb ) c iff s <c,Φ> ?
For example: (s,10) ρc ρb iff s φ1 true φ3
(s,10) ρc ρb s ρb b for b = 100 or 110 either
s φ1 φ2 φ3 or s φ1 φ2 φ 3 s φ1 true
φ3
Incremental Refinement
Theorem: If Φ = {φ1 ,φ2 , … , φn } and Ψ = Φ { φn+1 , φn+2 , … , φn+m }
Then the MTS CΨ is a refinement of the MTS CΦ
The refinement relation ρ is given by: ρ ΣCΨ
ΣCΦ = { (c’,c) | c is a prefix of c’ }
Intuitively, newly-added predicates replace “don’t care”s.
This is not the case for predicate abstraction
Implementing successors
Similar to the case with the predicate abstraction Let ψ be is a boolean combination of {φ1 ,φ2 , … ,φn } may-successors of ψ:
next(ψ)cmay = { c’ΣCΦ
: post(ψ) <c’,Φ> is satisfiable }
must-successors of ψ: next(ψ)c
must = { c’ΣBΦ : ψ pre(<c’,Φ>) is unsatisfiable }
Both next(ψ)cmay and next(ψ)c
must can be computed using Ternary Decision Diagrams (TDDs) TDDs are like BDDs, but with 3 values (children)
Soundness, Completeness and Cost
Theorem: c →may c’ in CΦ iff c’ next(<c,Φ>)c
may
c →must c’ in CΦ iff c’ next(<c,Φ>)cmust
Completeness is relative to the theorem prover Computational cost:
We have n predicates and, therefore, 3n ternary combinations ψ of {φ1 ,φ2 , … ,φn }
For each ψ it takes 3n calls to the theorem prover Thus, computing next(ψ)c
may and next(ψ)cmust for all ψ’s
takes 32n calls to the theorem prover (each)
Summary and Conclusions – II
We showed a framework for automatic program abstraction based on MTSs Can be used for model-checking any formula of the
modal -calculus Both soundness and completeness are guaranteed
Predicate Cartesian abstraction allows incremental refinement, unlike the predicate abstraction Though it does not have a significant cost overhead
3-valued model checking on MTSs can be reduced to two traditional model checking problems on LTSs
Thank you!