<latexit sha1_base64="P4jUJHo6g1yopyZBD74hiv3LdI=">AIZHicjVRb9NIFD6kXEKW6l4QEhoCBalIa4JYJqVcTSF14QRaIFqanQ2D5xRpnYZjxpG6L8Cn7d/oH9EfvEmWPnRgy7juw5/ubMd75zif1Uq8w2m39fqKxcvHT5SvVq7Y9r12/cvLV6+yhLBibAwyDRifnsywy1ivHQKqvxc2pQ9n2Nn/zevtv/dIomU0n80Q5TPOnLKFYdFUhL0JfVyve2j5GKR1b1vqUqsAOD41o7TkI8zqy0WO8orfd8PcAH2826ULGySuoTsfHV2xSjtsVz63fyNeuM9t+/OxiPx38uMxgMmUD6ySkKo6KuFUln76tHVHqnhGqnOdUJRotU/mok7OfqXZLqHbLqSKDGJeJ0ruOqSw/r5xpiJqkMNWMhOW0Skha5STBUMZzeTmKVl0GAaZWxRGX6fzXdQqNPMubgmGEXIgydGeGuqoXqDeH7paiM4bWHNqa8Z5vFikJacWGV9/yGtNWkMq/dJQYZbt9FYgjNMJZO0Yhwvz9+XWerPR5EsG15hrENxHSrlTa0IYQEAhAHxBisGRrkJDR7xg8aEJK2AmMCDNkKd5HGEONzg7IC8lDEtqjZ0RvxwUa07vjzPh0QFE03YZOCnhc+IRkdxjNVxdfzPn+KsaIuZ3GIa1+wdkn1EKX0P86N/H8v+dcTpYUvuRcFOlMGXFZBgsZdWjV9G5Jv3sOyRPJCumUISsgTBOaIy6GoTWvq8u8y3W7Idk/S4Xd6oH3zj+xGeCaVp9ZjIUzeU9YE15rhLqdCal96yI7mrv8op4x50yhJ3Rvu0zBhzqOMyGsLXrH3K9gj1OmVFNdV8gnj+l28Xo8BYJ3cIFdMCKpFm7f5767majRvfyLaT+cVjPjPFz9keJ70IAW2f1p5IwrH5Bnh+5FBX3OVdHq5n6Zz2lxWZ7R0/VYsJ3MacgonoB97lfM/RAcyXkgc7jpzKvfWMoI4ZS7O2SdlnuC8Iw8M54ZzTmNWK/intf5H6JoR9NOxJ0dwgPKuUkdmuXsVM9nmnKlU45mp3WY/OeQJ6oLQtyd6SB7vtaLyvO6WZ7dfM4Rzum5B4/o7dFvlEw8c0SyJUlZyioM+yZFrfMTuSJTeM5mpgbuW+f9/GVbNo62G97zxvMP2+uv3xRfvSrcg4ewQfPyAl7DWziAQwgq/6Ilc2Vp1f+qV6rlXv5K6VC8WZNVi4qvd/AB3w9Tw=</latexit> CEGAR Predicate Abstraction 3 COMP 1 5 9 3 Algorithmic Verification CEGAR and Predicate Abstraction Dr. Liam O’Connor CSE, UNSW (for now) Term 1 2020 1
CEGAR Predicate Abstraction Model Checking with Abstractions Abstractions typically have a smaller state space, so it is advantageous to try to model check with abstractions rather than a concrete model. We need: To know that properties that hold for our abstractions hold for our model — true for all ϕ ∈ ACTL. To know that when our properties don’t hold for our abstractions, they don’t hold for our model — not true in general! We need to pick the abstraction based on the properties we care about, and if necessary change our abstraction on the fly based on the results we see. 2
CEGAR Predicate Abstraction Model Checking with Abstractions green yellow red red ¬ red Consider the following ACTL formulae: AG (red ⇒ AX ¬ red) AG (red ⇒ AX AX red) AG (red ⇒ AX AX AX red) We know that if A ⊑ C then ( A | = ϕ ) ⇒ ( C | = ϕ ) for ϕ ∈ ACTL, but what about if A �| = ϕ ? 3
CEGAR Predicate Abstraction Counterexamples Note If A �| = ϕ for some ϕ ∈ ACTL, then there exists a run that serves as a counterexample to the formula ϕ . If A �| = ϕ , that tells us either that C �| = ϕ or that our abstraction is not precise enough — the counterexample will be spurious . Our approach: To check if our counterexample is spurious, convert it to a concrete run ∈ C. 4
CEGAR Predicate Abstraction Abstract to Concrete Run Let α be our abstraction mapping Q C → Q A and our run be q 0 q 1 q 2 . . . . We apply the mapping in reverse, α − 1 , and try to find a concrete run starting from our initial state I C according to transition relation δ C : I C ∩ α − 1 ( q 0 ) = S 0 δ C ( S 0 ) ∩ α − 1 ( q 1 ) S 1 = δ C ( S 1 ) ∩ α − 1 ( q 2 ) = etc.. S 2 If there is such a run (i.e. no S i = ∅ ), the run is not spurious. Example AG (red ⇒ AX AX red) C 1 C 2 C 3 Counterexample: A 1 A 2 A 2 α − 1 ( A 1 A 2 A 2 ) = { C 1 }{ C 2 , C 3 }{ C 2 , C 3 } There is a run δ C δ C − → C 2 − → C 3 C 1 A 1 A 2 ∴ Not spurious . 5
CEGAR Predicate Abstraction Spurious Counterexamples C 1 C 2 C 3 A 1 A 2 AG (red ⇒ AX AX AX red) Counterexample: A 1 A 2 A 2 A 2 I C ∩ α − 1 ( A 1 ) = = { C 1 } ∩ { C 1 } = { C 1 } S 0 δ C ( S 0 ) ∩ α − 1 ( A 2 ) S 1 = = { C 2 } ∩ { C 2 , C 3 } = { C 2 } δ C ( S 1 ) ∩ α − 1 ( A 2 ) { C 3 } ∩ { C 2 , C 3 } { C 3 } S 2 = = = δ C ( S 2 ) ∩ α − 1 ( A 2 ) S 3 = = { C 1 } ∩ { C 2 , C 3 } = ∅ There is no concrete run — this counterexample is spurious. Our abstraction is too imprecise. 6
CEGAR Predicate Abstraction Abstraction Refinement Definition An abstraction mapping α generates an equivalence relation on states ≡ α where q ≡ α q ′ ⇔ α ( q ) = α ( q ′ ). Consider two abstractions α : Q C → Q A and α ′ : Q C → Q B . We say that α ′ refines α iff ≡ α ′ ⊆ ≡ α . Similarly, we say α ′ strictly refines α iff ≡ α ′ � ≡ α Informal Notion We previously considered abstractions as grouping together concrete states into equivalence classes. We can refine abstractions by splitting those equivalence classes. 7
CEGAR Predicate Abstraction Abstraction Refinement We have a spurious counterexample q 1 q 2 q 3 . . . . Which classes should we split up in our new abstraction? Counterexample Guidance For each q i in our counterexample, the class of concrete states it is abstracting is α − 1 ( q i ). We will split this class into two sets: Those that follow directly from the previous state: 1 α − 1 ( q i ) ∩ δ C ( S i − 1 ) Those that don’t: α − 1 ( q i ) \ δ C ( S i − 1 ) 2 The resulting classes will form the new, refined abstraction of our model. If both of these sets are non-empty, we split the state q i into two states, one for each set. 8
CEGAR Predicate Abstraction Example C 1 C 2 C 3 A 1 A 2 AG (red ⇒ AX AX AX red) Counterexample: A 1 A 2 A 2 A 2 I C ∩ α − 1 ( A 1 ) = = { C 1 } ∩ { C 1 } = { C 1 } S 0 δ C ( S 0 ) ∩ α − 1 ( A 2 ) S 1 = = { C 2 } ∩ { C 2 , C 3 } = { C 2 } δ C ( S 1 ) ∩ α − 1 ( A 2 ) { C 3 } ∩ { C 2 , C 3 } { C 3 } S 2 = = = δ C ( S 2 ) ∩ α − 1 ( A 2 ) S 3 = = { C 1 } ∩ { C 2 , C 3 } = ∅ α − 1 ( A 2 ) = { C 2 , C 3 } . We have to split this into those that follow from S 0 ( { C 2 } ) and those that don’t ( { C 3 } ). 9
CEGAR Predicate Abstraction After Splitting We split A 2 into A ′ 2 and A ′ 3 C 1 C 2 C 3 A ′ A ′ A ′ 1 2 3 We now have an abstraction that does not exhibit our spurious counterexample, but the state space has increased. In fact, it’s impossible to refine this further, why? 10
CEGAR Predicate Abstraction CEGAR This technique gives us an approach called Counterexample Guided Abstraction Refinement (CEGAR). We have a starting abstraction α 0 and an ACTL formula ϕ : Yes α k | = ϕ ? α k | = ϕ k := 0 k := k + 1 No , get counterexample a α k := Split( α k − 1 ) Yes No Is a spurious? α k �| = ϕ 11
CEGAR Predicate Abstraction C Programs Objective : Prove that our assertion is never violated. ℓ 2 int main() { 1 int i = 0, n = 0; 2 while (i < n) { ℓ 3 3 i++; 4 ℓ 4 } 5 if (i < n) ℓ 6 6 assert(false); 7 ℓ 7 } 8 ℓ 8 Need to check reachability, but can we simplify the state space first? 12
CEGAR Predicate Abstraction Predicate Abstraction Predicate Abstraction A predicate abstraction of a program is a version of the program with the same control flow graph, where all variables are replaced with boolean overapproximations. Booleans can be true, false, or * (nondeterministically true or false). 13
CEGAR Predicate Abstraction Basic PA To start with, let’s try using i < n as our only predicate: int main() { int main() { 1 1 int i = 0, n = 0; int b = false; 2 2 while (i < n) { while (b) { 3 3 i++; b = b?*:false; 4 4 } } 5 5 if (i < n) if (b) 6 6 assert(false); assert(false); 7 7 } } 8 8 we want our boolean program to be an abstraction. Requirement If a location is not reachable in the abstraction, it is not reachable in the concrete program. 14
CEGAR Predicate Abstraction Harder PA Now let’s try using i < 2 and n >= 3 as our only predicates: int main() { int main() { 1 1 int i = 0, n = 0; int b1 = true, b2 = false; 2 2 while (i < n) { while (??) { 3 3 i++; b1 = b1?*:false; 4 4 } } 5 5 if (i < n) if (??) 6 6 assert(false); assert(false); 7 7 } } 8 8 What do we use for the ?? It must overapproximate i < n . 15
CEGAR Predicate Abstraction Abstract Condition n i < 2 i < n 5 4 3 n >= 3 2 1 i 0 1 2 3 4 5 The only overapproximation is ¬ ( i < 2 ∧ n ≥ 3) i.e. !(b1 && b2) 16
CEGAR Predicate Abstraction Harder PA int main() { int main() { 1 1 int i = 0, n = 0; int b1 = true, b2 = false; 2 2 while (i < n) { while (!(b1 && b2)){ 3 3 i++; b1 = b1?*:false; 4 4 } } 5 5 if (i < n) if (!(b1 && b2)) 6 6 assert(false); assert(false); 7 7 } } 8 8 17
CEGAR Predicate Abstraction No Predicates The abstraction with no predicates has all states reachable: int main() { int main() { 1 1 int i = 0, n = 0; ;; 2 2 while (i < n) { while (*){ 3 3 i++; ;; 4 4 } } 5 5 if (i < n) if (*) 6 6 assert(false); assert(false); 7 7 } } 8 8 How do we find out what predicates to add? Use CEGAR! Example (Abstract Counterexample) Lines 3 → 6 → 7.Looking at the concrete program, this path would require i >= n (to move from line 3 to 6) and i < n (to move from line 6 to 7). Both can’t be true simultaneously. This path is spurious. 18
Recommend
More recommend
