THETA: a Framework for Abstraction Refinement-Based Model Checking (PowerPoint presentation)



SLIDE 1

1 THETA: a Framework for Abstraction Refinement-Based Model Checking

Budapest University of Technology and Economics Department of Measurement and Information Systems

THETA: a Framework for Abstraction Refinement-Based Model Checking

Tamás Tóth1, Ákos Hajdu1,2, András Vörös1,2, Zoltán Micskei1, István Majzik1

1Budapest University of Technology and Economics

Department of Measurement and Information Systems

2MTA-BME Lendület Cyber-Physical Systems Research Group

FMCAD 2017, Vienna, Austria, 05.10.2017.

SLIDE 2

Introduction

  • Motivation: a framework for
      • Abstraction refinement-based algorithms
      • Easy development, evaluation and combination
      • Supporting various formalisms
      • Applicable where systems have different aspects (e.g. CPS)
  • Our solution: Theta
      • Open source: github.com/FTSRG/theta

SLIDE 3

Theta – Characteristics

  • Generic: various kinds of formal models
  • Modular: reusable and combinable modules
  • Configurable: different algorithms and strategies

SLIDE 4

Generic – Formalisms

  • Symbolic transition systems
      • Low level formalism
      • Based on SMT formulas
  • Control flow automata
      • Programs as graphs
      • Edges annotated with statements
  • Timed automata
      • Clock variables
      • Operations over clocks
  • Support for new formalisms
      • Reusable components, e.g. expressions

Figure: one example model per formalism
  • Symbolic transition system: I := x = 0 ∧ y = 0, T := x' = y + 1 ∧ y' = 2 * y
  • Control flow automaton: edges x := 0, [x ≥ 5], [x < 5], x := x + 1
  • Timed automaton: t := 0, t > 3, t ≤ 3

SLIDE 5

Generic – Language frontends

  • Symbolic transition systems [FORTE’16]
      • AIGER format
      • Intermediate language for PLCs
  • Control flow automata [VPT’17]
      • Subset of C
      • Size reduction techniques
  • Timed automata [FORMATS’17]
      • UPPAAL XTA

Example C input (figure):

    #include <assert.h>

    extern int nondet_int();

    int main() {
        int a = nondet_int();
        int b = nondet_int();
        int c;
        while (a != 0) {   /* Euclid's algorithm: b becomes gcd(a, b) */
            c = a;
            a = b % a;
            b = c;
        }
        assert(b != 0);    /* violated when both inputs are 0 */
    }

SLIDE 6

Modular – Architecture

Architecture (figure):

  • Formalisms and language front-ends
      • Transition systems (front-ends: AIGER, PLC)
      • Control flow automata (front-end: C programs)
      • Timed automata (front-end: UPPAAL XTA)
  • Verification back-end
      • SMT solver interface
      • Abstract domain
      • Interpreter: init func., transfer func., action func.
      • Abstraction refinement loop: abstractor, refiner, ART

SLIDE 7

Modular – Extensibility

  • New algorithms: the extension points highlighted in the architecture figure are the abstract domain, the abstractor and the refiner

SLIDE 8

Modular – Extensibility

  • New formalisms: the architecture figure marks the slots for additional formalisms and language front-ends with "?", with the abstract domain as the highlighted back-end component

SLIDE 9

Configurable – Parameters

78 configs for control flow automata, 52 configs for transition systems, 15 configs for timed automata

Abstract domain

  • Predicate
  • Explicit value
  • Zone
  • Location
  • Composition

Refinement strategy

  • Binary interp. forw.
  • Binary interp. backw.
  • Sequence interp.
  • Unsat core

Search strategy

  • BFS
  • DFS
  • Dist. to error
  • Random

Initial precision

  • Empty
  • Property-based

Precision granularity

  • Global
  • Local

Predicate split

  • Atoms
  • Conjuncts
  • Whole
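The explicit-value domain, BFS search and empty initial precision listed above, applied to the GCD program from the "Language frontends" slide, as an added example (constructed for this page, not Theta's code): a toy CEGAR loop over the program's control flow automaton. The abstractor explores explicit-value abstract states, tracking only the variables in the current precision and recording the ART as parent pointers; the refiner replays each abstract error path concretely, enumerating the nondet_int() inputs from a small bounded range (INPUT_RANGE, an assumption of the example, so "safe" means safe for those inputs only, not for all C ints). It checks the slide's assertion assert(b != 0), which yields the concrete counterexample a = 0, b = 0 without any refinement, and a hypothetical second property assert(a == 0) at the loop exit, which needs two refinements (precision {} → {a, b} → {a, b, c}) before the abstraction is precise enough. The location names, the second property and the refinement strategy (adding every variable on the spurious path, simpler than the interpolation-based strategies above) are assumptions of the example.

```python
from collections import deque

# Constructed example (not Theta's code): toy explicit-value CEGAR over the CFA of
# the slides' GCD program. Inputs are enumerated from INPUT_RANGE ("safe" = safe
# for those inputs only); non-negative values keep Python's % equal to C's %.
INPUT_RANGE = range(0, 4)

# Edge statements: ("havoc", v) for v := nondet_int(); ("assign", v, f, reads)
# for v := f(valuation), reads = variables f uses; ("assume", p, reads) for a
# guard [p] that must hold to take the edge.
def build_gcd_cfa(error_guard, error_reads):
    """CFA of the GCD program; the error edge is taken at the loop exit when
    the negated assertion error_guard holds (location names are assumed)."""
    edges = [
        ("L0", ("havoc", "a"), "L1"),
        ("L1", ("havoc", "b"), "L2"),                                  # loop head
        ("L2", ("assume", lambda s: s["a"] != 0, ("a",)), "L3"),
        ("L3", ("assign", "c", lambda s: s["a"], ("a",)), "L4"),
        ("L4", ("assign", "a", lambda s: s["b"] % s["a"], ("a", "b")), "L5"),
        ("L5", ("assign", "b", lambda s: s["c"], ("c",)), "L2"),
        ("L2", ("assume", lambda s: s["a"] == 0, ("a",)), "L6"),       # loop exit
        ("L6", ("assume", error_guard, error_reads), "ERR"),
    ]
    return "L0", "ERR", edges

def stmt_vars(stmt):
    """Variables a statement mentions; the refiner adds them to the precision."""
    if stmt[0] == "havoc":
        return {stmt[1]}
    return {stmt[1], *stmt[3]} if stmt[0] == "assign" else set(stmt[2])

def abstract_post(val, stmt, prec):
    """Explicit-value successors of partial valuation val (absent = unknown)
    under stmt; only variables in the precision prec are tracked."""
    if stmt[0] == "havoc":
        v = stmt[1]
        rest = {k: x for k, x in val.items() if k != v}
        return [{**rest, v: x} for x in INPUT_RANGE] if v in prec else [rest]
    if stmt[0] == "assign":
        _, v, f, reads = stmt
        rest = {k: x for k, x in val.items() if k != v}
        if v in prec and all(r in val for r in reads):
            return [{**rest, v: f(val)}]
        return [rest]          # untracked, or depends on an unknown: forget v
    _, p, reads = stmt         # assume: drop the state only if the guard is known false
    return [] if all(r in val for r in reads) and not p(val) else [val]

def abstractor(cfa, prec):
    """BFS over abstract states (ART as parent pointers); returns an abstract error path or None."""
    init, err, edges = cfa
    key = lambda loc, val: (loc, tuple(sorted(val.items())))
    parent = {key(init, {}): None}
    queue = deque([(init, {})])
    while queue:
        loc, val = queue.popleft()
        if loc == err:                     # walk the ART back to the root
            path, k = [], key(loc, val)
            while parent[k] is not None:
                k, edge = parent[k]
                path.append(edge)
            return path[::-1]
        for edge in (e for e in edges if e[0] == loc):
            for nval in abstract_post(val, edge[1], prec):
                nk = key(edge[2], nval)
                if nk not in parent:       # new abstract state: extend the ART
                    parent[nk] = (key(loc, val), edge)
                    queue.append((edge[2], nval))
    return None

def refiner(path):
    """Replay the abstract error path concretely; first feasible input tuple, or None if spurious."""
    states = [({}, ())]                    # (concrete valuation, inputs so far)
    for _, stmt, _ in path:
        nxt = []
        for val, inputs in states:
            if stmt[0] == "havoc":
                nxt += [({**val, stmt[1]: x}, inputs + (x,)) for x in INPUT_RANGE]
            elif stmt[0] == "assign":
                nxt.append(({**val, stmt[1]: stmt[2](val)}, inputs))
            elif stmt[1](val):
                nxt.append((val, inputs))
        states = nxt
        if not states:
            return None
    return states[0][1]

def cegar(cfa):
    """CEGAR with empty initial precision: ("unsafe", inputs, n) or ("safe", precision, n)."""
    prec, n = frozenset(), 0
    while True:
        path = abstractor(cfa, prec)
        if path is None:
            return ("safe", prec, n)
        inputs = refiner(path)
        if inputs is not None:
            return ("unsafe", inputs, n)
        prec, n = prec.union(*[stmt_vars(s) for _, s, _ in path]), n + 1
```

Calling `cegar(build_gcd_cfa(lambda s: s["b"] == 0, ("b",)))` checks the slide's assertion and returns `("unsafe", (0, 0), 0)`; `cegar(build_gcd_cfa(lambda s: s["a"] != 0, ("a",)))` checks the hypothetical exit property and returns `("safe", frozenset({"a", "b", "c"}), 2)`. The first abstract error path for the second property (a := nondet, b := nondet, [a == 0], [a != 0]) is spurious because no enumerated input survives both guards, which is exactly the situation the refiner has to detect before the loop can make progress.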

SLIDE 10

Configurable – Use Cases

  • Developing and evaluating new algorithms
      • Extending predicate abstraction with explicit values [FORTE’16]
      • Lazy reachability checking of timed automata [FORMATS’17]
  • Diverse results support configurability

Figure: comparison of execution time in case of different analysis configurations on various models, for three benchmark sets: HWMCC & PLC [MiniSym’17], SV-COMP [VPT’17], UPPAAL [FORMATS’17]

SLIDE 11

Conclusions

  • Theta: model checking framework
      • Generic, modular, configurable
      • Various formalisms and frontends
      • Abstraction refinement algorithms
  • Current and future work
      • Extend the C frontend (LLVM)
      • Experiment with novel algorithms
      • Increase input models in experiments
      • Automatic configuration selection

→ github.com/FTSRG/theta

SLIDE 12

References

  • [FORTE’16] A Configurable CEGAR Framework with Interpolation-based Refinements. Hajdu, Á.; Tóth, T.; Vörös, A.; and Majzik, I. In Formal Techniques for Distributed Objects, Components and Systems, vol. 9688 of LNCS, pages 158–174. Springer, 2016.
  • [MiniSym’17] Exploratory Analysis of the Performance of a Configurable CEGAR Framework. Hajdu, Á.; and Micskei, Z. In Proceedings of the 24th PhD Mini-Symposium, pages 34–37. Budapest University of Technology and Economics, Department of Measurement and Information Systems, 2017.
  • [VPT’17] Towards Evaluating Size Reduction Techniques for Software Model Checking. Sallai, Gy.; Hajdu, Á.; Tóth, T.; and Micskei, Z. In Proceedings of the Fifth International Workshop on Verification and Program Transformation, vol. 253 of EPTCS, pages 75–91. Open Publishing Association, 2017.
  • [FORMATS’17] Lazy Reachability Checking for Timed Automata using Interpolants. Tóth, T.; and Majzik, I. In Formal Modelling and Analysis of Timed Systems, vol. 10419 of LNCS, pages 264–280. Springer, 2017.