Kind-AI: When abstract interpretation and SMT-based model-checking - - PowerPoint PPT Presentation

Kind-AI: When abstract interpretation and SMT-based model-checking meet Pierre-Loïc Garoche – Onera – U. of Iowa joint work with T. Kashai and C. Tinelli 04/13/2012

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 1/53

CONTEXT: SAFETY PROPERTIES FOR CONTROLLER

Open/Closed system analysis Controller Implementation model Low level implementation Simulink + Proofs Model lustre + Spec C code + ACSL Spec

Control theorists Computer scientists

PVS 4 Lustre (RC & NASA) Kind (U.of Iowa) Stuff (ONERA & RCF) PVS 4 C (GT & NASA)

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 2/53

CONTEXT: SAFETY PROPERTIES FOR CONTROLLER

Open/Closed system analysis Controller Implementation model Low level implementation Simulink + Proofs Model lustre + Spec C code + ACSL Spec

Control theorists Computer scientists

PVS 4 Lustre (RC & NASA) Kind (U.of Iowa) Stuff (ONERA & RCF) PVS 4 C (GT & NASA)

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 3/53

MOTIVATION

Motivation:

◮ prove a safety property over a transition system ◮ interested in numerical invariants

Available elements/Application

◮ k-induction engine for the transition system ◮ numerical abstract domains, ie. APRON ◮ application to Lustre models analysis

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 4/53

NUMERICAL INVARIANTS

◮ Intervals ◮ Polyhedra ◮ Linear templates ◮ Linear expression under implication,

• eg. cond1 and cond2 =

⇒ linear expression

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 5/53

WHAT FOR ?

◮ Identify an over-approximation of reachable states

◮ prove target properties expressed as such invariants ◮ enrich the description of the system by make explicit the

implicit properties

◮ or address more complex user-defined properties by

considering only interesting states

◮ Constrains k-induction

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 6/53

ABSTRACT INTERPRETATION

◮ Ideal approach to compute numerical invariants ◮ But . . .

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 7/53

ABSTRACT INTERPRETATION

◮ Ideal approach to compute numerical invariants ◮ But . . .

◮ results and time to get them depend on

• 1. the abstraction used
• 2. and speed-up parameters (widening, narrowing)

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 8/53

ABSTRACT INTERPRETATION

◮ Ideal approach to compute numerical invariants ◮ But . . .

◮ results and time to get them depend on

• 1. the abstraction used
• 2. and speed-up parameters (widening, narrowing)

◮ (could be) painful to define Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 9/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

E, ⊑E Set of formulas ⊑E I

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 10/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

E, ⊑E Set of formulas ⊑E I gE(I)

gE

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 11/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

E, ⊑E Set of formulas ⊑E I gE(I)

gE gE

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 12/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

E, ⊑E Set of formulas ⊑E I gE(I) lfpI gE

gE gE

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 13/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

⊑A E, ⊑E Set of formulas A, ⊑A ⊑E I gE(I) lfpI gE

gE gE α

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 14/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

⊑A lfp gA gA (α(I)) α(I)gA

gA gA gA

E, ⊑E Set of formulas A, ⊑A ⊑E I gE(I) lfpI gE

gE gE α

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 15/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

⊑A lfp gA gA (α(I)) α(I)gA

gA gA gA

E, ⊑E Set of formulas A, ⊑A ⊑E I gE(I) lfpI gE

gE gE γ α

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 16/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

⊑A lfp gA gA (α(I)) α(I)gA

gA gA gA

E, ⊑E Set of formulas A, ⊑A ⊑E I gE(I) lfpI gE

gE gE γ α

x gE(x) γ (gA(α(x))) α(x) gA(α(x))

gE gA γ α

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 17/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

⊑A lfp gA gA (α(I)) α(I)gA

gA gA gA

E, ⊑E Set of formulas A, ⊑A ⊑E I gE(I) lfpI gE

gE gE γ α

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 18/53

ABSTRACT INTERPRETATION – THE USUAL PICTURE

⊑A lfp gA gA (α(I)) α(I)gA

gA gA gA

E, ⊑E Set of formulas A, ⊑A ⊑E I gE(I) lfpI gE

gE gE γ α

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 19/53

BASIC INGREDIENTS

◮ Initial semantics expressed as fixpoint of a function

gE : E → E over a lattice E, ⊑E. Easy for safety analysis: collecting semantics of a transition system (Σ, I, T) lfpI λX.X ∪ {x′|x ∈ X, x T x′}

◮ Abstract representation of semantics values, here set of

states: abstract domain A, ⊑A

◮ Relationship between original values and abstract ones, ie.

a Galois connexion α : E → A γ : A → E

◮ Sound abstract transformers to mimic the concrete

transitions in the abstract gA : A → A lfpα(I) gA

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 20/53

ABSTRACT DOMAINS

x y intervals x y congruences x y polyhedra x y

• ctagons

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 21/53

ABSTRACT TRANSFORMERS

Usually the transition relation T: Σ → Σ is defined using smaller operators

◮ control flow ops: branching statements, loops, function

calls, automaton transitions for FSM

◮ data flow ops: assigns of a variable, clock issues ◮ expression wise: depending on the available types,

boolean operators, arithmetics operators, bitwise

• perators, or more complex data operators (arrays, trees,

graphs, lists)

◮ memory wise: access to the value or the function of the

pointer address

◮ etc . . .

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 22/53

SOUND ABSTRACT TRANSFORMERS

◮ either the Galois connection is implementable. We can

define a best transformer for each opE.

• pAb(a1, ...an) = α (opE (γ(a1), . . . , γ(an)))

It is sound versus the Galois connection: ∀c1, . . . , cn ∈ E, a1, . . . an ∈ A ∀i ∈ [1, n], ci ⊑E γ(ai) = ⇒ opE(c1, . . . , cn) ⊑E γ

• pAb(a1, . . . , an)
• Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 23/53

SOUND ABSTRACT TRANSFORMERS

◮ either the Galois connection is implementable. We can

define a best transformer for each opE.

• pAb(a1, ...an) = α (opE (γ(a1), . . . , γ(an)))

It is sound versus the Galois connection: ∀c1, . . . , cn ∈ E, a1, . . . an ∈ A ∀i ∈ [1, n], ci ⊑E γ(ai) = ⇒ opE(c1, . . . , cn) ⊑E γ

• pAb(a1, . . . , an)
• ◮ or it is not: we have to produce some opA satisfying the

soundness condition. e.g. opA(a1, . . . , an) = ⊤A is sound.

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 24/53

WHAT DO WE HAVE ?

◮ A set of abstract domains provided by APRON

◮ environment with intervals x → [a, b], y → [c, d] ◮ linear relations among variables (loose/strict polyhedra,

• ctagons)

◮ associated concretization function γ mapping abstract

value to predicate of state variables in FOL: γ(a)[x]

◮ An axiomatisation of the system semantics (Σ, I, T)

expressed in FOL (targeting SMT) I[x] T[x, y]

◮ An abstraction function from states to abstract elements:

αQ : Σ → A

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 25/53

OBJECTIVE: AUTOMATIC ABSTRACT TRANSFORMERS

What do we want: generate automatically an abstract transformer for opE: A sound function opA : A → A based on

◮ the concretization function γ : A → E ◮ the concrete operator opE : E → E

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 26/53

FROM SYSTEM AXIOMATISAT. TO ABS. TRANSFORMERS

The abstract transformer gA maps an abstract state a to a bigger element describing more reachable states. Input: a ∈ A F[ x, y] := γ(a)[ x] ∧ T[ x, y] ∧ ¬γ(a)[ y] if F is unsatisfiable then return a else let v, u two states satisfying F[ x, y] return a ⊔A αQ( u)

T[x, y]

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 27/53

SOUNDNESS

⊑A E, ⊑E A, ⊑A a αγ ◦g◦γ(a)

gAb

⊑E γ(a) ⊔E [A

u]

[A

u]

γ(a)

gE γ αγ

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 28/53

SOUNDNESS

⊑A E, ⊑E A, ⊑A a αγ ◦g◦γ(a) αγ([A

u])

gAb

⊑E γ(a) ⊔E [A

u]

[A

u]

γ(a)

gE γ αγ αγ

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 29/53

SOUNDNESS

⊑A E, ⊑E A, ⊑A a αγ ◦g◦γ(a) αγ([A

u])

αQ( u)

gAb

⊑E γ(a) ⊔E [A

u]

[A

u]

γ(a)

gE γ αγ αQ αγ

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 30/53

SOUNDNESS

⊑A E, ⊑E A, ⊑A a αγ ◦g◦γ(a) αγ([A

u])

αQ( u) αQ( u) ⊔A a

gAb

⊑E γ(a) ⊔E [A

u]

[A

u]

γ(a)

gE γ αγ αQ αγ

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 31/53

SOUNDNESS

⊑A E, ⊑E A, ⊑A a αγ ◦g◦γ(a) αγ([A

u])

αQ( u) αQ( u) ⊔A a

gAb gA

⊑E γ(a) ⊔E [A

u]

[A

u]

γ(a)

gE γ αγ αQ αγ

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 32/53

THE INITIAL STATE ABSTRACTION

The fixpoint computation starts from an abstract of initial states. IA := ⊥ while (I[ x] ∧ ¬γ(IA)[ x] is satisfiable) do let v be a state satisfying I ∧ ¬γ(IA) IA := IA ⊔A αQ( v) return IA

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 33/53

KIND-AI

The tool takes a Lustre model and generates numerical invariants

◮ uses all domains of APRON ◮ uses Kind front-end to parse Lustre and obtain the

axiomatisation in SMT

◮ is parametric wrt the iteration strategies and widening

threasholds

◮ is integrated with Kind to generate invariants but can be

runned independantly

◮ open-source, written in OCaml

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 34/53

KIND-AI CONT’D

Kind-AI can be parametrized by

◮ packing primitives: (oct : x z) (poly : x y z) ◮ partitioning primitives: {expr1; expr2 : packs}

Provided models will be injected in all partitions they satisfy model | =L ¬expr1 ∧ expr2 = ⇒ model is injected in partitions ¬expr1 ∧ expr2. Could also handle partitions over (small) finite range: {x : ()} for x bounded.

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 35/53

EXAMPLE

1 node parallel_counters (a, b, c : bool ) returns (x, y : int ; obs : bool ) ; 2 var n1, n2 : int ; 3 l e t 4 n1 = 10000; n2 = 5000; 5 x = 0 −> i f (b or c) then 0 else 6 i f a and ( pre x) < n1 then ( pre x) + 1 else pre x ; 7 y = 0 −> i f c then 0 else 8 i f a and ( pre y) < n2 then ( pre y) + 1 else pre y ; 9

• bs = (x = n1 )

implies (y = n2 ) ; 10 t e l

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 36/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 37/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 38/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 39/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 40/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 41/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 42/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 43/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 44/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5 6

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 45/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5 6

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 46/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5 6 7

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 47/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5 6 7

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 48/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4 5 6 7

Widening Widening

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 49/53

EXAMPLE CONT’D

x y 5 10 500 5000 10 100 1000 10000

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 50/53

EARLY INVARIANTS

Using a multiproperty technique for induction, concretization is expressed as a conjunction of identified sub-formula: γ(a) = P1 ∧ . . . ∧ Pn At each iteration of the fixpoint computation, we identify stable subparts, ie. invariants. Example: x ∈ [a, b] is concretized to x ≥ a ∧ x ≤ b. For increasing values of x, x ≥ a can be produced before the fixpoint is reached.

Kahsai, Garoche, Tinelli and Whalen. Incremental verification with mode variable invariants in state machines Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 51/53

EXAMPLE CONT’D

x y 1 2 3 4 1 2

1 2 3 4

y ≥ 0 x ≥ 0 y < n2 ⇒ x ≤ y

At the fourth iteration, the following properties are proven:

◮ x ≥ 0

y ≥ 0 y < n2 = ⇒ x ≤ y

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 52/53

CONCLUSION

◮ A generic approach for synthetizing abstract interpreters

◮ needs the encoding of the transition systems in logic with

entailment

◮ and abstract domains that can be concretized to this logic

◮ Instanciation on Lustre models analysis

◮ APRON domains ◮ Kind k-induction Lustre axiomatization

◮ Generates a flow of (guarantied) invariants before reaching

the final fixed point.

Kind-AI: When abstract interpretation and SMT-based model-checking meet - P.L. Garoche - 04/13/2012 - 53/53