Abstract Interpretation of CTL Properties Caterina Urban, Samuel Ueltschi, Peter Müller
Computation Tree Logic Branching-time logic ::= p | | | A(true U black) E(blue U black) AX | EX | A( U ) | E( U ) | AG | EG | Goal: Automatically check CTL properties of programs ‐ Infer sufficient preconditions ‐ Handle existential properties 2
Example CTL specification while ( rand() ) { A( true U x = 0 ) x := 1 y := y + 1 x := 0 Inferred precondition } while ( true ) { } x = 0 3
Maximal Trace Semantics Contains all finite and infinite traces of a program 1 5 5 5 5 5 1 x=0, y=0 x=0, y=0 x=0, y=0 x=0, y=0 x=0, y=0 … x := 1 1 2 3 4 1 5 while ( rand() ) { 2 x=0, y=0 x=1, y=0 x=1, y=1 x=0, y=1 x=0, y=1 … x := 1 y := y + 1 y := y + 1 x := 0 1 5 5 5 5 5 3 x=2, y=3 x=2, y=3 x=2, y=3 x=2, y=3 x=2, y=3 … } x := 0 while ( true ) { } 1 2 3 4 1 5 4 5 x=2, y=3 x=1, y=3 x=1, y=4 x=0, y=4 x=0, y=4 … 4
Program Semantics for CTL ( ) = 0 if (x)=0 and undefined otherwise For a given CTL formula and a set ( ) = 0 if (x)=0 of program traces, define a partial and 3 otherwise 1 function from states to ordinals x := 1 2 A program satisfies a CTL formula y := y + 1 for all traces starting from an initial 3 state if and only if dom( ) x := 0 4 5 If defined for an until-formula 1 U 2 , ( ) yields the number of steps until 2 holds (ranking function) A( true U x = 0 ) E( true U x = 0 ) 5
Piecewise-defined Ranking Functions Program Abstract Semantics semantics for CTL Σ ⇀ � x Earlier work by Caterina Urban and Antoine Miné [SAS’13, SAS’14, ESOP’14] 6
Abstract Domain: Decision Trees Piecewise-defined functions are represented as decision trees x 4 4 x 2 4 x 2 4 if x 4 7 – x 4 7 – x if x 2 f(x) = otherwise 7
Static Analysis Map each point to a function over-approximating concrete semantics Analysis is performed backward for each constituent formula A( true U x = 0 ) 1 x := 1 2 x y := y + 1 3 x := 0 4 5 x x 8
Static Analysis A( true U x = 0 ) x For universal formulas, merge 3 preserves 1 x undefinedness x := 1 x 2 2 y := y + 1 x 3 1 x := 0 x 4 5 x x 9
Conditional Statements A( true U y = 1 ) x 2 1 NIL if ( x >= 2 ) { 2 x 2 x y := 1 } else { x 2 y := 0 x < 2 } 2 NIL 2 x 10
Conditional Statements A( true U y = 1 ) x 2 x%2 = 0 x 2 1 NIL NIL if ( x >= 2 && x%2 == 0 ) { 2 x 2 x y := 1 } else { true y := 0 x < 2 x%2 = 1 true } NIL NIL NIL For universal formulas, merge 2 x preserves undefinedness 11
Conditional Statements E( true U y = 1 ) Unsound! x 2 x%2 = 0 true 1 NIL NIL if ( x >= 2 || x%2 == 0 ) { 2 x 2 x y := 1 } else { true y := 0 x < 2 x%2 = 1 x < 2 } 2 NIL NIL NIL For existential formulas, merge 2 x preserves definedness 12
Conditional Statements E( true U y = 1 ) x 2 x%2 = 0 x 2 1 NIL NIL if ( x >= 2 || x%2 == 0 ) { 2 x 2 x y := 1 } else { x 2 y := 0 x < 2 x%2 = 1 false } 2 NIL NIL NIL For existential formulas, merge 2 x preserves definedness 13
Soundness A program satisfies a CTL formula for all traces starting from an initial state if dom( ( ) ) 14
Evaluation Implementation in FuncTion static analyzer ‐ C-like input language ‐ Available at https://github.com/caterinaurban/function Evaluated on test cases and benchmarks from the literature and SV-COMP competition Abstract domains ‐ Polyhedra for constraints ‐ Affine functions and ordinals for leaves of decision trees 15
Experimental Results 16
Summary Theory for analyzing CTL properties with abstract interpretation Automatic inference of sufficient preconditions Implementation in FuncTion static analyzer: https://github.com/caterinaurban/function Future work: extension to LTL 17
Recommend
More recommend
![Abstract interpretation based Analysis [FPCA 95], Predicate Abstraction [Mannas festschrift](https://c.sambuz.com/842045/abstract-interpretation-s.jpg)
