Combining Model-Checking and Abstract Interpretation - PowerPoint PPT Presentation
SLIDE 1  Parallel Combination of Abstract Interpretation and Model-Based Automatic Analysis of Software

Patrick COUSOT, École Normale Supérieure, DMI, rue d'Ulm, Paris cedex, France, cousot@dmi.ens.fr, http://www.ens.fr/~cousot
Radhia COUSOT, CNRS, École Polytechnique, LIX, Palaiseau cedex, France, rcousot@lix.polytechnique.fr, http://lix.polytechnique.fr/~radhia

AAS, Paris, January

Combining Model-Checking and Abstract Interpretation: Why?
  • Model-checking:
      • finite state space;
      • sound and complete property verification.
  • Abstract interpretation:
      • infinite state space;
      • sound but incomplete property determination.

Combining Model-Checking and Abstract Interpretation: How?
  • Abstract symbolic methods:
      • use symbolic representations of properties (BDDs, convex polyhedra);
      • one can make approximations (e.g. widenings);
      • approximate properties of an exact model.
  • Model abstraction:
      • the finite model is an abstraction of the system;
      • exact properties of an approximate model.
  • In this paper: parallel combination of model-checking and abstract interpretation.
      • Model-checking:
          • exact symbolic representation of properties;
          • the model is an exact representation of the system;
          • exact properties of an exact model.
      • Abstract interpretation:
          • preliminary/parallel analysis of the model by abstract interpretation;
          • limit the state search space;
          • exact properties of an exact submodel.

P. Cousot, R. Cousot, AAS, Jan.
SLIDE 2  Example: Maximum Delay Problem

  • Find the maximum delay to reach a final state starting from some initial state [Halbwachs; Campos et al.].

Maximum Delay Algorithm (maximum):

    procedure maximum(I, F):
      R := S; n := 0; R' := S \ F;
      while R' ≠ R ∧ R' ∩ I ≠ ∅ do
        R := R'; n := n + 1;
        R' := pre_t(R') ∩ (S \ F)
      od;
      return (if R = R' then ∞ else n)

  • Halbwachs, N. Delays analysis in synchronous programs. In CAV, LNCS.
  • Campos, S., Clarke, E., Marrero, W. and Minea, M. Verus: A tool for quantitative analysis of finite-state real-time systems. In Proc. ACM SIGPLAN Workshop on Languages, Compilers and Tools for Real-Time Systems, La Jolla, Calif., jun.

Execution trace of the maximum algorithm: it is useless to explore the states which are not
  • descendants of the initial states;
  • ascendants of the initial states.

Maximum Delay Algorithm (maximum') with state search space restriction:

    procedure maximum'(I, F):
      R := S; n := 0; R' := U^0 \ F;
      while R' ≠ R ∧ R' ∩ I ≠ ∅ do
        R := R'; n := n + 1;
        R' := pre_t(R') ∩ (U^n \ F)
      od;
      return (if R = R' then ∞ else n)

  where, for all $n \ge 0$: $U^n \supseteq U \triangleq \mathrm{post}_t(I) \cap \mathrm{pre}_t(F)$.
SLIDE 3  Execution trace of the maximum' algorithm

  • Any upper approximations $U^0 \supseteq U^1 \supseteq \dots \supseteq U^n \supseteq \dots$ of $U$ can be used.
  • In the worst case $U^n = S$ (all states), hence maximum' = maximum.

Analysis of the model by abstract interpretation
  • We can compute $U^0 \supseteq U^1 \supseteq \dots \supseteq U^n \supseteq \dots \supseteq U \triangleq \mathrm{post}_t(I) \cap \mathrm{pre}_t(F)$ by abstract interpretation.
  • The abstract interpretation can be done in parallel with the model-checking at almost no supplementary cost.
  • The abstract interpretation results are used on the fly for $U^n$, as they become available, to restrict the state search space.
  • Several restriction operators have been proposed for symbolic model-checking with BDDs / convex polyhedra [Halbwachs, N. and Raymond, P. On the use of approximations in symbolic model checking. Tech. rep. SPECTRE L, jan., VERIMAG laboratory, Grenoble, France].

Upper approximation $D$ of $\mathrm{post}_t(I) = \mathrm{lfp}\,\lambda X.\, I \cup \mathrm{post}_t(X)$ by abstract interpretation
  • Consider an abstract domain $\langle L, \sqsubseteq \rangle$ approximating sets of states $\langle \wp(S), \subseteq \rangle$; define a correspondence $(\alpha, \gamma)$ between $\langle \wp(S), \subseteq \rangle$ and $\langle L, \sqsubseteq \rangle$ which is a Galois connection: $\forall P \in \wp(S), \forall Q \in L:\ \alpha(P) \sqsubseteq Q \iff P \subseteq \gamma(Q)$.
  • The abstract value $P^\sharp$ is the approximation of $P \in \wp(S)$: $P \subseteq \gamma(P^\sharp)$.
  • Define an abstract post-image transformer $F^\sharp \in L \mapsto L$: $\forall Q \in L:\ \alpha(I \cup \mathrm{post}_t(\gamma(Q))) \sqsubseteq F^\sharp(Q)$.
  • Define a widening operator $\nabla \in L \times L \mapsto L$:
      • it is an upper approximation: $\forall x, y \in L:\ x \sqsubseteq x \nabla y$ and $y \sqsubseteq x \nabla y$;
      • it enforces finite convergence of $F^\sharp$ upward iterates: for all increasing chains $x^0 \sqsubseteq x^1 \sqsubseteq \dots \sqsubseteq x^i \sqsubseteq \dots$, the increasing chain defined by $y^0 = x^0$, $y^{i+1} = y^i \nabla x^{i+1}$ is not strictly increasing.
  • The upward forward iteration sequence with widening
      $\hat F^{\sharp\,0} \triangleq \bot$;
      $\hat F^{\sharp\,i+1} \triangleq \hat F^{\sharp\,i}$ if $F^\sharp(\hat F^{\sharp\,i}) \sqsubseteq \hat F^{\sharp\,i}$;
      $\hat F^{\sharp\,i+1} \triangleq \hat F^{\sharp\,i} \nabla F^\sharp(\hat F^{\sharp\,i})$ otherwise;
    is ultimately stationary; its limit $\hat F^\sharp$ is a sound upper approximation of $\mathrm{post}_t(I)$ in that $\mathrm{post}_t(I) \subseteq \gamma(\mathrm{lfp}^{\sqsubseteq} F^\sharp) \subseteq \gamma(\hat F^\sharp)$.
  • Cousot, P. and Cousot, R. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL, Los Angeles.
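The maximum-delay algorithm of slide 2 and its restricted variant, as an added example that is not part of the slides: both run on a small constructed transition system, and $U$ is computed here exactly by reachability (the slides obtain an upper approximation of it by abstract interpretation; any superset of the exact $U$ works the same way).

```python
# Added example (not from the slides): maximum-delay algorithm and its variant
# restricted by an upper approximation U of post_t(I) ∩ pre_t(F), on a
# constructed transition system. U is computed exactly here by reachability.
INFINITE = float("inf")

def pre(t, X):
    """pre_t(X): states having at least one successor in X."""
    return {s for (s, s2) in t if s2 in X}

def post_closure(t, X):
    """States reachable from X (descendants of X, X included)."""
    R = set(X)
    while True:
        R2 = R | {s2 for (s, s2) in t if s in R}
        if R2 == R:
            return R
        R = R2

def pre_closure(t, X):
    """States from which X is reachable (ascendants of X, X included)."""
    R = set(X)
    while True:
        R2 = R | pre(t, R)
        if R2 == R:
            return R
        R = R2

def restriction(t, I, F):
    """The exact U = post_t*(I) ∩ pre_t*(F); any superset of it is also valid."""
    return post_closure(t, I) & pre_closure(t, F)

def maximum(S, t, I, F, U=None):
    """Maximum number of steps from I to F (∞ if some run from I never reaches F).
    Returns (delay, states visited); U = S gives the unrestricted algorithm."""
    if U is None:
        U = S
    n, R, R2 = 0, set(S), U - F
    visited = len(R2)                 # bookkeeping only: size of the search
    while R2 != R and R2 & I:
        R, n = R2, n + 1
        R2 = pre(t, R2) & (U - F)     # one backward step, kept inside U \ F
        visited += len(R2)
    return (INFINITE if R2 == R else n), visited

# Constructed sample system: 0 -> 1 -> 2 -> 3 -> 4 with shortcut 0 -> 4,
# state 5 (a loop unreachable from 0) and state 7 (reaches 4, unreachable from 0).
S = {0, 1, 2, 3, 4, 5, 7}
T = {(0, 1), (1, 2), (2, 3), (3, 4), (0, 4), (5, 5), (7, 4)}
I, F = {0}, {4}
```

Both versions return delay 4; the restricted one visits 10 states instead of 16, and adding a non-final loop reachable from 0 (for instance the transition 2 -> 2) makes both return ∞.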
SLIDE 4

  • Define a narrowing operator $\triangle \in L \times L \mapsto L$ such that:
      • it is an upper approximation: $\forall x, y \in L:\ x \sqsubseteq y \implies x \sqsubseteq x \triangle y \sqsubseteq y$;
      • it enforces finite convergence of $F^\sharp$ downward iterates: for all decreasing chains $x^0 \sqsupseteq x^1 \sqsupseteq \dots$, the decreasing chain defined by $y^0 = x^0$, $y^{i+1} = y^i \triangle x^{i+1}$ is not strictly decreasing.
  • The downward forward iteration sequence with narrowing
      $\check F^{\sharp\,0} \triangleq \hat F^\sharp$;
      $\check F^{\sharp\,i+1} \triangleq \check F^{\sharp\,i}$ if $F^\sharp(\check F^{\sharp\,i}) = \check F^{\sharp\,i}$;
      $\check F^{\sharp\,i+1} \triangleq \check F^{\sharp\,i} \triangle F^\sharp(\check F^{\sharp\,i})$ otherwise;
    is ultimately stationary; its limit $\check F^\sharp$ is a better sound upper approximation of $\mathrm{post}_t(I)$ in that $\mathrm{post}_t(I) \subseteq \gamma(\mathrm{lfp}^{\sqsubseteq} F^\sharp) \subseteq \gamma(\check F^\sharp) \subseteq \gamma(\hat F^\sharp)$.

Abstract interpretation design
  • The design of the abstract algebra $\langle L, \sqsubseteq, \sqcup, \sqcap, \nabla, \triangle, f^\sharp_1, \dots, f^\sharp_n \rangle$ and of the transformer $F^\sharp$ (usually composed out of the primitives $f^\sharp_1, \dots, f^\sharp_n$) are problem dependent.
  • Natural choices in the model-checking context are:
      • BDDs (discrete systems) [Mauborgne];
      • convex polyhedra (hybrid systems) [Cousot and Halbwachs], for which widening operators have been defined.
  • Mauborgne, L. Abstract interpretation using TDGs. In SAS, sep., LNCS.
  • Cousot, P. and Halbwachs, N. Automatic discovery of linear restraints among variables of a program. In POPL, Tucson.

Upper approximation $A$ of $\mathrm{pre}_t(F) = \mathrm{lfp}\,\lambda X.\, F \cup \mathrm{pre}_t(X)$ by abstract interpretation
  • Use the same abstract algebra $\langle L, \sqsubseteq, \sqcup, \sqcap, \nabla, \triangle, f^\sharp_1, \dots, f^\sharp_n \rangle$.
  • Define an abstract pre-image transformer $B^\sharp \in L \mapsto L$: $\forall Q \in L:\ \alpha(F \cup \mathrm{pre}_t(\gamma(Q))) \sqsubseteq B^\sharp(Q)$.
  • First use an upward backward iteration sequence with widening, finitely converging to $\hat B^\sharp$.
  • Improve by a downward iteration sequence with narrowing, finitely converging to $\check B^\sharp$, such that $\mathrm{pre}_t(F) = \mathrm{lfp}\,\lambda X.\, F \cup \mathrm{pre}_t(X) \subseteq \gamma(\mathrm{lfp}^{\sqsubseteq} B^\sharp) \subseteq \gamma(\check B^\sharp) \subseteq \gamma(\hat B^\sharp)$.

Sequence of upper approximations $U^0 \supseteq U^1 \supseteq \dots \supseteq U^n \supseteq \dots$ of $U = \mathrm{post}_t(I) \cap \mathrm{pre}_t(F)$ by abstract interpretation
  • $U^0 = S$ (all states);
  • $U^1$ is the concretization of the limit of the upward forward iteration sequence with widening for $F^\sharp$;
  • $U^2$ is the concretization of the limit of the corresponding downward forward iteration sequence with narrowing for $F^\sharp$ starting from $U^1$;
  • Cousot, P. and Cousot, R. Systematic design of program analysis frameworks. In POPL, San Antonio.
  • Cousot, P. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique de programmes. Ph.D. thesis, Université scientifique et médicale de Grenoble.
  • Cousot, P. and Cousot, R. Abstract interpretation and application to logic programs. J. Logic Prog. (The editor of JLP has mistakenly published the unreadable galley proof. For a correct version of this paper see http://www.ens.fr/~cousot.)
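The upward iteration with widening and the downward iteration with narrowing from slides 3 and 4, as an added example that is not part of the slides: the abstract domain is intervals, and the analysed system is a constructed one-counter system with $I = \{x = 0\}$ and the single transition $x < 10 \to x := x + 1$, so that $\mathrm{post}_t(I) = \{0, \dots, 10\}$.

```python
# Added example (not from the slides): upward iteration with widening, then
# downward iteration with narrowing, on the interval domain, for a constructed
# one-counter system: I = {x = 0}, transition  x < 10 -> x := x + 1.
INF = float("inf")
BOT = None                           # bottom of the interval lattice

def join(a, b):                      # a ⊔ b
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def leq(a, b):                       # a ⊑ b
    return a is BOT or (b is not BOT and b[0] <= a[0] and a[1] <= b[1])

def widen(a, b):                     # a ∇ b: a bound that still grows jumps to infinity
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (a[0] if a[0] <= b[0] else -INF, a[1] if a[1] >= b[1] else INF)

def narrow(a, b):                    # a Δ b for b ⊑ a: refine only the infinite bounds of a
    if a is BOT or b is BOT:
        return BOT
    return (b[0] if a[0] == -INF else a[0], b[1] if a[1] == INF else a[1])

def post_sharp(x):                   # abstract post-image of  x < 10 -> x := x + 1
    if x is BOT or x[0] >= 10:
        return BOT
    return (x[0] + 1, min(x[1], 9) + 1)

ALPHA_I = (0, 0)                     # α(I) for I = {x = 0}

def F_sharp(x):                      # F♯(X) = α(I) ⊔ post♯(X)
    return join(ALPHA_I, post_sharp(x))

def upward_with_widening(f=F_sharp):
    x = BOT                          # F̂♯⁰ = ⊥
    while not leq(f(x), x):          # stationary once F♯(F̂♯ⁱ) ⊑ F̂♯ⁱ
        x = widen(x, f(x))
    return x                         # limit F̂♯: (0, inf)

def downward_with_narrowing(start, f=F_sharp):
    x = start                        # F̌♯⁰ = F̂♯
    while narrow(x, f(x)) != x:      # stationary once the narrowed iterate repeats
        x = narrow(x, f(x))
    return x                         # limit F̌♯: (0, 10), exactly post_t(I)
```

The widening loses the upper bound after two steps (the limit is $[0, +\infty)$), and the narrowing recovers it from one more application of $F^\sharp$.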
SLIDE 5

  • $U^{n+1}$ is the concretization of the limit of the upward backward iteration sequence with widening for $\lambda X.\, U^n \sqcap B^\sharp(X)$;
  • $U^{n+2}$ is the concretization of the limit of the corresponding downward backward iteration sequence with narrowing for $\lambda X.\, U^n \sqcap B^\sharp(X)$ starting from $U^{n+1}$;
  • $U^{n+3}$ is the concretization of the limit of the upward forward iteration sequence with widening for $\lambda X.\, U^{n+2} \sqcap F^\sharp(X)$;
  • $U^{n+4}$ is the concretization of the limit of the corresponding downward forward iteration sequence with narrowing for $\lambda X.\, U^{n+2} \sqcap F^\sharp(X)$ starting from $U^{n+3}$.

Correctness
  • The sequence $U^0 \supseteq U^1 \supseteq U^2 \supseteq \dots \supseteq U^n \supseteq U^{n+1} \supseteq U^{n+2} \supseteq U^{n+3} \supseteq \dots$ is a descending chain: the restriction is more and more precise as the model-checking goes on.
  • All elements $U^k$ in the sequence are sound: $U^k \supseteq \mathrm{post}_t(I) \cap \mathrm{pre}_t(F)$.
  • Stop the abstract interpretation computation with a narrowing, or when the parallel model-checking terminates.

Problematic termination
  • The abstract interpretation always terminates.
  • The abstract interpretation is approximate, so the state-space restriction may not be finite.
  • The parallel combination of abstract interpretation and model-checking is incomplete since it may not terminate.
  • In case of nontermination, the information gathered by abstract interpretation is reusable for verification by
      • abstract symbolic methods,
      • model abstraction,
    which are also incomplete but guarantee termination.

Conclusion
  • We have proposed a method for the parallel combination of model analysis by abstract interpretation and verification by model-checking, where the verification
      • makes no approximation on states and transitions;
      • explores a hopefully finite subgraph.
  • Semi-algorithm, since there is no guarantee that the explored subgraph will be finite:
      • classical model-checking would have failed anyway;
      • case by case experimentation is needed.
  • The method should be used before resorting to model-checking of a more abstract model, the information gathered about the exact model being reusable.