 
Kind-AI: When abstract interpretation and SMT-based model-checking meet
Pierre-Loïc Garoche – Onera – U. of Iowa
joint work with T. Kahsai and C. Tinelli
04/13/2012
Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 1/53
CONTEXT: SAFETY PROPERTIES FOR CONTROLLER
[Diagram: the controller verification chain. Control theorists work on the open/closed system as a Simulink model (analysis + proofs). Computer scientists work on the model of the controller in Lustre + Spec, checked with PVS 4 Lustre (RC & NASA) and Kind (U. of Iowa), and on the implementation model as C code, i.e. the low-level implementation + ACSL Spec, checked with PVS 4 C (GT & NASA); the "Stuff (ONERA & RCF)" box connects the two levels.]
MOTIVATION
Motivation:
◮ prove a safety property over a transition system
◮ interested in numerical invariants
Available elements / application:
◮ k-induction engine for the transition system
◮ numerical abstract domains, i.e. APRON
◮ application to the analysis of Lustre models
NUMERICAL INVARIANTS
◮ Intervals
◮ Polyhedra
◮ Linear templates
◮ Linear expressions under implication, e.g. cond_1 ∧ cond_2 ⇒ linear expression
WHAT FOR?
◮ Identify an over-approximation of the reachable states
◮ prove target properties expressed as such invariants
◮ enrich the description of the system by making its implicit properties explicit
◮ or address more complex user-defined properties by considering only the interesting states
◮ Constrain k-induction
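To make the last point concrete, here is an added example (not code from the slides or from Kind) of a k-induction check strengthened by a numerical invariant. The transition system, its property and the finite box of states that stands in for the SMT solver's universal quantification are all constructed for this illustration; the function names are hypothetical. The property x ≥ 0 is true on every reachable trace but is not k-inductive for any k on its own, and becomes 1-inductive once the interval invariant y ∈ [1, 1] is conjoined:

```python
from itertools import product

# Constructed two-variable transition system, in the style of a Lustre node:
#   init:  x = 0, y = 1
#   step:  x' = x + y, y' = y
# Property P: x >= 0. A state with y = -1 and x = k - 1 satisfies P for
# k steps and then violates it, so P alone is never k-inductive.

BOUND = 8  # hypothetical finite box standing in for SMT quantification

def init(s):
    x, y = s
    return x == 0 and y == 1

def step(s):
    x, y = s
    return (x + y, y)

def prop(s):
    x, _ = s
    return x >= 0

def all_states(bound=BOUND):
    """Explicit-state stand-in for the queries an SMT solver would answer."""
    rng = range(-bound, bound + 1)
    return [(x, y) for x, y in product(rng, rng)]

def trace(s0, k):
    """The k+1 states s0 -> s1 -> ... -> sk of a deterministic path."""
    states = [s0]
    for _ in range(k):
        states.append(step(states[-1]))
    return states

def k_induction(k, strengthen=lambda s: True, bound=BOUND):
    """Check P by k-induction, optionally strengthened by an invariant.

    Base case: every path of length k from an initial state satisfies P.
    Step case: every path whose first k states satisfy P (and the
               strengthening invariant) has a (k+1)-th state satisfying P.
    Returns ("proved", None) or a tagged counterexample path.
    """
    states = all_states(bound)
    for s0 in states:
        if init(s0):
            path = trace(s0, k)
            if not all(prop(s) for s in path):
                return ("base-cex", path)
    for s0 in states:
        path = trace(s0, k)
        prefix, last = path[:-1], path[-1]
        if all(prop(s) and strengthen(s) for s in prefix) and not prop(last):
            return ("step-cex", path)
    return ("proved", None)

# The invariant an interval abstract domain yields for this system: y in [1, 1].
def y_is_one(s):
    return s[1] == 1

def demo():
    """Outcome for k = 1..3 without the invariant, then k = 1 with it."""
    unstrengthened = {k: k_induction(k)[0] for k in (1, 2, 3)}
    strengthened = k_induction(1, strengthen=y_is_one)[0]
    return unstrengthened, strengthened
```

Without the invariant every k returns a step-case counterexample of the form described in the comment; with the invariant the step case closes at k = 1, which is exactly how an externally computed invariant constrains the k-induction engine.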
ABSTRACT INTERPRETATION
◮ Ideal approach to compute numerical invariants
◮ But . . .
◮ results, and the time needed to get them, depend on
  1. the abstraction used
  2. the speed-up parameters (widening, narrowing)
◮ (could be) painful to define
ABSTRACT INTERPRETATION – THE USUAL PICTURE
[Diagram built up over slides 10-19: on the left, the concrete lattice ⟨E, ⊑_E⟩ (a set of formulas) with I, g_E(I) and the ascending chain up to lfp_I g_E; on the right, the abstract lattice ⟨A, ⊑_A⟩ with α(I), g_A(α(I)) and lfp g_A. α maps E to A and γ maps A back to E. For an arbitrary x the picture shows the soundness condition g_E(x) ⊑_E γ(g_A(α(x))), so that γ(lfp g_A) over-approximates lfp_I g_E.]
BASIC INGREDIENTS
◮ Initial semantics expressed as the fixpoint of a function g_E : E → E over a lattice ⟨E, ⊑_E⟩. Easy for safety analysis: the collecting semantics of a transition system (Σ, I, →_T) is
  lfp_I λX. X ∪ {x' | x ∈ X, x →_T x'}
◮ Abstract representation of the semantic values, here sets of states: an abstract domain ⟨A, ⊑_A⟩
◮ Relationship between original values and abstract ones, i.e. a Galois connection α : E → A, γ : A → E
◮ Sound abstract transformers that mimic the concrete transitions in the abstract: g_A : A → A, and the abstract fixpoint lfp_{α(I)} g_A
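The four ingredients above, instantiated on the interval domain as an added example (not code from the slides, from APRON or from Kind-AI): α and γ form the Galois connection between finite sets of integers and intervals, g_A is the abstract counterpart of the collecting-semantics step, and the fixpoint is computed from α(I) by Kleene iteration with the standard interval widening. The transition system (init x = 0, y = 1; step x' = x + y, y' = y) and all names are constructed for the illustration:

```python
import math

# Constructed interval domain <A, ⊑_A>: an interval is a pair (lo, hi),
# BOT is the empty interval, and ±math.inf are the unbounded ends.
INF = math.inf
BOT = None

def alpha(values):
    """α: a finite set of integers -> the tightest interval containing it."""
    values = list(values)
    return BOT if not values else (min(values), max(values))

def gamma(itv):
    """γ as a predicate over a concrete value, in the style of γ(a)[x]."""
    if itv is BOT:
        return lambda v: False
    lo, hi = itv
    return lambda v: lo <= v <= hi

def leq(a, b):  # ⊑_A
    if a is BOT:
        return True
    if b is BOT:
        return False
    return b[0] <= a[0] and a[1] <= b[1]

def join(a, b):  # ⊔_A
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def galois_connection_holds(values, itv):
    """Defining property of the connection: α(S) ⊑_A a  <=>  S ⊆ γ(a)."""
    g = gamma(itv)
    return leq(alpha(values), itv) == all(g(v) for v in values)

def widen(old, new):
    """Standard interval widening: a bound that moved jumps to ±∞."""
    if old is BOT:
        return new
    if new is BOT:
        return old
    lo = old[0] if old[0] <= new[0] else -INF
    hi = old[1] if old[1] >= new[1] else INF
    return (lo, hi)

def add(a, b):
    """Hand-written sound transformer for + on intervals."""
    if a is BOT or b is BOT:
        return BOT
    return (a[0] + b[0], a[1] + b[1])

# Abstract environment: variable name -> interval, as in x ↦ [a, b].
def g_A(env):
    """Abstract post of one step joined with the current environment,
    the abstract counterpart of X ∪ {x' | x ∈ X, x →_T x'}."""
    post = {"x": add(env["x"], env["y"]), "y": env["y"]}
    return {v: join(env[v], post[v]) for v in env}

def lfp(g, start, widen_after=2, max_iter=50):
    """Kleene iteration from α(I); after a few exact iterations the
    widening is applied. Returns the post-fixpoint reached."""
    cur = start
    for i in range(max_iter):
        nxt = g(cur)
        if i >= widen_after:
            nxt = {v: widen(cur[v], nxt[v]) for v in cur}
        if all(leq(nxt[v], cur[v]) for v in cur):
            return cur
        cur = nxt
    raise RuntimeError("no fixpoint within max_iter")

def analyse():
    """lfp_{α(I)} g_A for the constructed system."""
    start = {"x": alpha({0}), "y": alpha({1})}  # α(I)
    return lfp(g_A, start)
```

The iteration goes x ∈ [0,0], [0,1], [0,2] and then widens to [0, +∞) while y stays at [1,1]; that is precisely the kind of invariant (x ≥ 0, y = 1) the k-induction engine can consume.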
ABSTRACT DOMAINS
[Figure: four abstract domains drawn in the (x, y) plane: intervals, congruences, polyhedra, octagons.]
ABSTRACT TRANSFORMERS
Usually the transition relation →_T : Σ → Σ is defined using smaller operators:
◮ control flow ops: branching statements, loops, function calls, automaton transitions for FSMs
◮ data flow ops: assignments to a variable, clock issues
◮ expression-wise: depending on the available types, boolean operators, arithmetic operators, bitwise operators, or more complex data operators (arrays, trees, graphs, lists)
◮ memory-wise: access to the value or the function at a pointer address
◮ etc.
SOUND ABSTRACT TRANSFORMERS
◮ either the Galois connection is implementable: we can define a best transformer for each op_E,
  op_A^b(a_1, …, a_n) = α(op_E(γ(a_1), …, γ(a_n)))
  It is sound with respect to the Galois connection:
  ∀ c_1, …, c_n ∈ E, a_1, …, a_n ∈ A.  (∀ i ∈ [1, n], c_i ⊑_E γ(a_i)) ⇒ op_E(c_1, …, c_n) ⊑_E γ(op_A^b(a_1, …, a_n))
◮ or it is not: we have to produce some op_A satisfying the soundness condition, e.g. op_A(a_1, …, a_n) = ⊤_A is sound.
WHAT DO WE HAVE?
◮ A set of abstract domains provided by APRON
  ◮ environments with intervals: x ↦ [a, b], y ↦ [c, d]
  ◮ linear relations among variables (loose/strict polyhedra, octagons)
  ◮ an associated concretization function γ mapping an abstract value to a predicate over the state variables in FOL: γ(a)[x]
◮ An axiomatisation of the system semantics (Σ, I, →_T) expressed in FOL (targeting SMT): I[x], T[x, y]
◮ An abstraction function from states to abstract elements: α_Q : Σ → A
OBJECTIVE: AUTOMATIC ABSTRACT TRANSFORMERS
What we want: generate automatically an abstract transformer for op_E, i.e. a sound function op_A : A → A, based on
◮ the concretization function γ : A → E
◮ the concrete operator op_E : E → E
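An added example (not the slides' or Kind-AI's own code) that serves both the soundness condition of the previous slide and this objective: a sound interval transformer is built for an arbitrary concrete operator op_E from nothing but γ and op_E, by repeatedly asking "is there a concrete tuple inside γ(a_1) × … × γ(a_n) whose image falls outside γ(candidate)?" and joining each model found into the candidate. The SMT query is emulated here by enumerating a finite box of integers (a hypothetical stand-in; Kind-AI's actual query encoding is not reproduced), and every name is constructed for the illustration:

```python
from itertools import product

# Constructed interval domain: (lo, hi) pairs, BOT for the empty interval.
BOUND = 6  # hypothetical finite box standing in for an SMT solver
BOT = None

def gamma(itv):
    """γ(a)[x]: the predicate 'x lies in a' (empty for ⊥)."""
    return (lambda v: False) if itv is BOT else (lambda v: itv[0] <= v <= itv[1])

def join(a, b):  # ⊔_A
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def find_model(op_E, args, candidate, bound=BOUND):
    """Stand-in for the SMT call: a tuple c with c_i ∈ γ(a_i) and
    op_E(c) ∉ γ(candidate), or None if no such tuple exists in the box."""
    preds = [gamma(a) for a in args]
    inside = gamma(candidate)
    rng = range(-bound, bound + 1)
    for c in product(rng, repeat=len(args)):
        if all(p(v) for p, v in zip(preds, c)) and not inside(op_E(*c)):
            return c
    return None

def synthesise(op_E, args):
    """op_A^b(a_1..a_n) = α(op_E(γ(a_1), ..., γ(a_n))), computed by
    counterexample-guided refinement: each model found is joined into
    the candidate (α({v}) = [v, v]) until the query is unsatisfiable."""
    candidate = BOT
    while True:
        c = find_model(op_E, args, candidate)
        if c is None:
            return candidate
        v = op_E(*c)
        candidate = join(candidate, (v, v))

def is_sound(op_E, op_A, args, bound=BOUND):
    """Soundness condition: every concrete image of arguments below
    γ(a_i) lies below γ(op_A(a_1..a_n))."""
    return find_model(op_E, args, op_A(*args), bound) is None

def mul(x, y):
    return x * y

def naive_mul(a, b):
    """A plausible-looking hand-written transformer that is NOT sound:
    it ignores sign changes inside the intervals."""
    return (a[0] * b[0], a[1] * b[1])

def top(*_):
    """⊤_A: trivially sound and useless, as the slide notes."""
    return (-float("inf"), float("inf"))

def demo():
    """Best transformer for * on [-2,1] x [1,2], and the soundness
    verdict on the naive and the ⊤ transformers for the same arguments."""
    args = ((-2, 1), (1, 2))
    return (synthesise(mul, args),
            is_sound(mul, naive_mul, args),
            is_sound(mul, top, args))
```

On [-2,1] × [1,2] the naive transformer returns [-2,2] and is rejected because (-2)·2 = -4 escapes it, ⊤ is accepted, and the synthesised transformer returns the tight [-4,2]; the synthesised function is itself sound by construction, since the loop only stops when no model remains.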