Abstract Interpretation of CTL Properties Caterina Urban, Samuel - - PowerPoint PPT Presentation

Abstract Interpretation of CTL Properties

Caterina Urban, Samuel Ueltschi, Peter Müller

Computation Tree Logic

• Branching-time logic
• Goal: Automatically check CTL properties of programs

‐ Infer sufficient preconditions ‐ Handle existential properties

2

A(true U black) E(blue U black)

 ::= p |  |  |  | AX  | EX  | A( U ) | E( U ) | AG  | EG 

Example

• CTL specification
• Inferred precondition

3

while( rand() ) { x := 1 y := y + 1 x := 0 } while( true ) { }

A( true U x = 0 ) x = 0

Maximal Trace Semantics

• Contains all finite and infinite traces of a program

4

while( rand() ) { x := 1 y := y + 1 x := 0 } while( true ) { } x=0, y=0 1 x=0, y=0 x=0, y=0 x=0, y=0 5 5 5 x=0, y=0 … 5 5 x=2, y=3 1 x=2, y=3 x=2, y=3 x=2, y=3 5 5 5 x=2, y=3 … 5 5 x=0, y=0 1 x=1, y=0 x=1, y=1 x=0, y=1 2 4 3 x=0, y=1 … 5 1 x=2, y=3 1 x=1, y=3 x=1, y=4 x=0, y=4 2 4 3 x=0, y=4 … 5 1 x := 0 y := y + 1 x := 1 1 2 3 4 5

Program Semantics for CTL

• For a given CTL formula  and a set
• f program traces, define a partial

function  from states to ordinals

• A program satisfies a CTL formula 

for all traces starting from an initial state  if and only if dom()

• If defined for an until-formula 1 U 2,

() yields the number of steps until 2 holds (ranking function)

5

A( true U x = 0 )

() = 0 if (x)=0 and undefined

• therwise

E( true U x = 0 )

x := 0 y := y + 1 x := 1 1 2 3 4 5 () = 0 if (x)=0 and 3 otherwise

Piecewise-defined Ranking Functions

Earlier work by Caterina Urban and Antoine Miné [SAS’13, SAS’14, ESOP’14]

6

Program Semantics for CTL Σ ⇀ Abstract semantics

x



Abstract Domain: Decision Trees

• Piecewise-defined functions are represented as decision trees

7

x 2 4 4

4 if x  4 f(x) = 7 – x if x  2 

• therwise

x  4 4 x  2  7 – x

Static Analysis

• Map each point to a function over-approximating concrete semantics
• Analysis is performed backward for each constituent formula

8

x := 0 y := y + 1 x := 1 1 2 3 4 5

A( true U x = 0 )

x x x

Static Analysis

For universal formulas, merge preserves undefinedness

9

x

A( true U x = 0 )

x x

x := 0 y := y + 1 x := 1 1 2 3 4 5

x x 1 x 2 x 3

Conditional Statements

10

if( x >= 2 ) { y := 1 } else { y := 0 }

A( true U y = 1 )

x 2 x 2

1 x  2 NIL  x < 2 NIL

x 2

x  2 2 

Conditional Statements

11

if( x >= 2 && x%2 == 0 ) { y := 1 } else { y := 0 }

A( true U y = 1 )

x 2 x 2

1 x  2  x%2 = 0 NIL 

x 2

true  NIL x < 2  x%2 = 1 NIL x  2 NIL true NIL

For universal formulas, merge preserves undefinedness

x  2  x%2 = 0 NIL x < 2  x%2 = 1 NIL x < 2 NIL true NIL

Conditional Statements

12

if( x >= 2 || x%2 == 0 ) { y := 1 } else { y := 0 }

E( true U y = 1 )

x 2 x 2

1  true 2 NIL

For existential formulas, merge preserves definedness

x 2

Unsound!

x  2  x%2 = 0 NIL x < 2  x%2 = 1 NIL false NIL x  2 NIL

Conditional Statements

13

if( x >= 2 || x%2 == 0 ) { y := 1 } else { y := 0 }

E( true U y = 1 )

x 2 x 2

1  x  2 2 NIL

For existential formulas, merge preserves definedness

x 2

Soundness

A program satisfies a CTL formula  for all traces starting from an initial state  if dom( (

) )

14

Evaluation

• Implementation in FuncTion static analyzer

‐ C-like input language ‐ Available at https://github.com/caterinaurban/function

• Evaluated on test cases and benchmarks from the literature and

SV-COMP competition

• Abstract domains

‐ Polyhedra for constraints ‐ Affine functions and ordinals for leaves of decision trees

15

Experimental Results

16

Summary

• Theory for analyzing CTL properties with abstract interpretation
• Automatic inference of sufficient preconditions
• Implementation in FuncTion static analyzer:

https://github.com/caterinaurban/function

• Future work: extension to LTL

17