Part III: Abstraction Refinement Javier Esparza Technische Universität München Javier Esparza Part III: Abstraction Refinement
Example 1 ( X ≤ 0 ) ( X > 0 ) 2 3 The problem: X := − X ( Y > 0 ) Is the error label reachable? ( Y ≤ 0 ) 4 Y := − Y The approach: Upgrade a BDD checker with 5 abstraction refinement ( X + Y ≤ 0 ) ( X + Y > 0 ) ok error Javier Esparza Part III: Abstraction Refinement
Example 1 ( true ) ( true ) 2 3 skip ( true ) Model-check the abstract program: ( true ) 4 Is the error label reachable considering only control flow? skip 5 ( true ) ( true ) ok error Javier Esparza Part III: Abstraction Refinement
Example 1 ( true ) ( true ) 2 3 skip ( true ) Model-check the abstract program: ( true ) 4 Is the error label reachable considering only control flow? skip Yes! 5 ( true ) ( true ) ok error Javier Esparza Part III: Abstraction Refinement
Example 1 ( X ≤ 0 ) The concrete instructions 2 are inserted again. ( Y ≤ 0 ) 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
Example 1 ( X ≤ 0 ) The concrete instructions 2 are inserted again. Analysis of the trace ( Y ≤ 0 ) Is it real or spurious? 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
Example 1 { true } ( X ≤ 0 ) The concrete instructions 2 { X ≤ 0 } are inserted again. Analysis of the trace ( Y ≤ 0 ) Is it real or spurious? 5 { X + Y ≤ 0 } Spurious! ⇒ Hoare proof ( X + Y > 0 ) error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } ( X ≤ 0 ) ( X > 0 ) ( X ≤ 0 ) 2 3 X := − X ( Y > 0 ) 2 { X ≤ 0 } ( Y ≤ 0 ) 4 l 2 = ( X ≤ 0 ) ( Y ≤ 0 ) l 5 = ( X + Y ≤ 0 ) Y := − Y 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) ( X + Y ≤ 0 ) ( X + Y > 0 ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } ( X ≤ 0 ) ( true ) ( X ≤ 0 ) 2 3 skip ( true ) 2 { X ≤ 0 } ( Y ≤ 0 ) 4 l 2 = ( X ≤ 0 ) ( Y ≤ 0 ) l 5 = ( X + Y ≤ 0 ) skip 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) ( true ) ( X + Y > 0 ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } ( X ≤ 0 ) ( true ) ( X ≤ 0 ) 2 3 skip ( true ) 2 { X ≤ 0 } ( Y ≤ 0 ) 4 l 2 = ( X ≤ 0 ) ( Y ≤ 0 ) l 5 = ( X + Y ≤ 0 ) skip 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) ( true ) ( l 5 = false ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } ( X ≤ 0 ) ( true ) ( X ≤ 0 ) 2 3 skip ( true ) 2 { X ≤ 0 } if ( l 2 ) 4 l 2 = ( X ≤ 0 ) l 5 := true ( Y ≤ 0 ) else l 5 = ( X + Y ≤ 0 ) l 5 :=? skip 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) ( true ) ( l 5 = false ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( true ) ( X ≤ 0 ) 2 3 skip ( true ) 2 { X ≤ 0 } if ( l 2 ) 4 l 2 = ( X ≤ 0 ) l 5 := true ( Y ≤ 0 ) else l 5 = ( X + Y ≤ 0 ) l 5 :=? skip 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) ( true ) ( l 5 = false ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( true ) ( X ≤ 0 ) 2 3 skip ( true ) 2 { X ≤ 0 } if ( l 2 ) 4 l 2 = ( X ≤ 0 ) l 5 := true ( Y ≤ 0 ) else l 5 = ( X + Y ≤ 0 ) l 5 :=? skip 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) skip ( l 5 = false ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( true ) ( X ≤ 0 ) 2 3 skip ( true ) 2 { X ≤ 0 } if ( l 2 ) 4 l 2 = ( X ≤ 0 ) l 5 := true ( Y ≤ 0 ) else l 5 = ( X + Y ≤ 0 ) l 5 :=? skip 5 { X + Y ≤ 0 } 5 ( X + Y > 0 ) skip ( l 5 = false ) error { false } ok error Javier Esparza Part III: Abstraction Refinement
Example 1 ( X ≤ 0 ) 2 The concrete instructions are inserted again. ( Y > 0 ) 4 Y := − Y 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
Example 1 ( X ≤ 0 ) 2 The concrete instructions are inserted again. ( Y > 0 ) Analysis of the trace 4 Is it real or spurious? Y := − Y 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
Example 1 { true } ( X ≤ 0 ) 2 { X ≤ 0 } The concrete instructions are inserted again. ( Y > 0 ) Analysis of the trace 4 { X − Y ≤ 0 } Is it real or spurious? Y := − Y Spurious! ⇒ Hoare-like proof 5 { X + Y ≤ 0 } ( X + Y > 0 ) error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( X > 0 ) ( X ≤ 0 ) 2 3 2 { X ≤ 0 } X := − X ( Y > 0 ) ( Y > 0 ) l 2 ↔ ( X ≤ 0 ) if ( l 2 ) 4 l 5 := true l 4 ↔ ( X − Y ≤ 0 ) 4 { X − Y ≤ 0 } else l 5 :=? l 5 ↔ ( X + Y ≤ 0 ) Y := − Y Y := − Y 5 { X + Y ≤ 0 } 5 ( X + Y ≤ 0 ) ( l 5 = false ) ( X + Y > 0 ) ok error error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( X > 0 ) ( X ≤ 0 ) 2 3 2 { X ≤ 0 } if ( l 2 ) l 4 := true X := − X else l 4 :=? ( Y > 0 ) l 2 ↔ ( X ≤ 0 ) if ( l 2 ) 4 l 5 := true l 4 ↔ ( X − Y ≤ 0 ) 4 { X − Y ≤ 0 } else l 5 :=? l 5 ↔ ( X + Y ≤ 0 ) l 5 := l 4 Y := − Y 5 { X + Y ≤ 0 } 5 ( X + Y ≤ 0 ) ( l 5 = false ) ( X + Y > 0 ) ok error error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( true ) ( X ≤ 0 ) 2 3 2 { X ≤ 0 } if ( l 2 ) l 4 := true l 4 :=? else l 4 :=? ( Y > 0 ) l 2 ↔ ( X ≤ 0 ) if ( l 2 ) 4 l 5 := true l 4 ↔ ( X − Y ≤ 0 ) 4 { X − Y ≤ 0 } else l 5 :=? l 5 ↔ ( X + Y ≤ 0 ) l 5 := l 4 Y := − Y 5 { X + Y ≤ 0 } 5 skip ( l 5 = false ) ( X + Y > 0 ) ok error error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( true ) ( X ≤ 0 ) 2 3 2 { X ≤ 0 } if ( l 2 ) l 4 := true skip else l 4 :=? ( Y > 0 ) l 2 ↔ ( X ≤ 0 ) if ( l 2 ) 4 l 5 := true l 4 ↔ ( X − Y ≤ 0 ) 4 { X − Y ≤ 0 } else l 5 :=? l 5 ↔ ( X + Y ≤ 0 ) l 5 := l 4 Y := − Y 5 { X + Y ≤ 0 } 5 ( true ) ( l 5 = false ) ( X + Y > 0 ) ok error error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 1 { true } l 2 := true ( true ) ( X ≤ 0 ) 2 3 2 { X ≤ 0 } if ( l 2 ) l 4 := true l 4 :=? else l 4 :=? ( Y > 0 ) l 2 ↔ ( X ≤ 0 ) if ( l 2 ) 4 l 5 := true l 4 ↔ ( X − Y ≤ 0 ) 4 { X − Y ≤ 0 } else l 5 :=? l 5 ↔ ( X + Y ≤ 0 ) l 5 := l 4 Y := − Y 5 { X + Y ≤ 0 } 5 ( l 5 = true ) ( l 5 = false ) ( X + Y > 0 ) ok error error { false } Javier Esparza Part III: Abstraction Refinement
Example 1 ( X > 0 ) 2 The concrete instructions are inserted again. X := − X 4 Y := − Y 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
Example 1 ( X > 0 ) 2 The concrete instructions are inserted again. X := − X Analysis of the trace 4 Is it real or spurious? Y := − Y 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
Example 1 ( X > 0 ) 2 The concrete instructions are inserted again. X := − X Analysis of the trace 4 Is it real or spurious? Y := − Y Real! ⇒ Report it to the user! 5 ( X + Y > 0 ) error Javier Esparza Part III: Abstraction Refinement
A Spurious Trace is an Unsatisfiable Formula. 1 X := C 2 D := C + 1 3 Y := D 4 ( Y � = X + 1 ) error Javier Esparza Part III: Abstraction Refinement
A Spurious Trace is an Unsatisfiable Formula. 1 1 X := C ( X 2 = C 1 ) ∧ ( C 2 = C 1 ) ∧ ( D 2 = D 1 ) ∧ ( Y 2 = Y 1 ) 2 2 D := C + 1 ( D 3 = C 2 + 1 ) ∧ ( C 3 = C 2 ) ∧ ( X 3 = X 2 ) ∧ ( Y 3 = Y 2 ) 3 3 Y := D ( Y 4 = D 3 ) ∧ ( C 4 = C 3 ) ∧ ( D 4 = D 3 ) ∧ ( X 4 = X 3 ) 4 4 ( Y � = X + 1 ) ( Y 4 � = X 4 + 1 ) ∧ ( C error = C 4 ) ∧ ( D error = D 4 ) ∧ ( X error = X 4 ) ∧ ( Y error = Y 4 ) error error Javier Esparza Part III: Abstraction Refinement
What is a Hoare-Proof of Spuriousness? 1 { true } X := C 2 { C = X } D := C + 1 3 { D = X + 1 } Y := D 4 { Y = X + 1 } ( Y � = X + 1 ) error { false } Javier Esparza Part III: Abstraction Refinement
What is a Hoare-Proof of Spuriousness? 1 { true } 1 { true } X := C ( X 2 = C 1 ) ∧ ( C 2 = C 1 ) ∧ ( D 2 = D 1 ) ∧ ( Y 2 = Y 1 ) 2 { C = X } 2 { C 2 = X 2 } D := C + 1 ( D 3 = C 2 + 1 ) ∧ ( C 3 = C 2 ) ∧ ( X 3 = X 2 ) ∧ ( Y 3 = Y 2 ) 3 { D = X + 1 } 3 { D 3 = X 3 + 1 } Y := D ( Y 4 = D 3 ) ∧ ( C 4 = C 3 ) ∧ ( D 4 = D 3 ) ∧ ( X 4 = X 3 ) 4 { Y = X + 1 } 4 { Y 4 = X 4 + 1 } ( Y � = X + 1 ) ( Y 4 � = X 4 + 1 ) ∧ ( C error = C 4 ) ∧ ( D error = D 4 ) ∧ ( X error = X 4 ) ∧ ( Y error = Y 4 ) error { false } error { false } Javier Esparza Part III: Abstraction Refinement
What is a Hoare Proof of Spuriousness? Observations A blue predicate {· · · } is implied by the conjunction of the instructions above . Javier Esparza Part III: Abstraction Refinement
What is a Hoare Proof of Spuriousness? Observations A blue predicate {· · · } is implied by the conjunction of the instructions above . A blue predicate is unsatisfiable together with the conjunction of the instructions below . Javier Esparza Part III: Abstraction Refinement
Recommend
More recommend
