Trace Abstraction (Monday, December 14, 2011) – PowerPoint PPT Presentation



SLIDE 1

Trace Abstraction

Monday, December 14, 2011

SLIDE 2

Example – Our Model of a Verification Problem

Example program P:

  ℓ0: x:=0
  ℓ1: y:=0
  ℓ2: while(nondet) { x++ }
      assert x != -1
      assert y != -1

[Figure: control flow graph of P, with locations ℓ0, ℓ1, ℓ2, ℓerr and edges labelled x:=0, y:=0, x++, x==-1, y==-1]

SLIDE 4

Statements

Statement: a letter of our alphabet, with no further meaning. In our example
  Σ = { x:=0 , y:=0 , x++ , x==-1 , y==-1 }

Trace: a word over the alphabet of statements. Example:
  π = y==-1 . x++ . x++ . x:=0 . x==-1

[Figure: control flow graph of P, with locations ℓ0, ℓ1, ℓ2, ℓerr and edges labelled x:=0, y:=0, x++, x==-1, y==-1]

SLIDE 5

Error Traces

Control Automaton AP: an automaton over the set of statements; it encodes a verification problem.
  AP = (LOC, δ, {ℓinit}, {ℓerr})

Error Trace of P: a trace accepted by AP. In our example
  π = x:=0 . y:=0 . x++ . x==-1
is an error trace.

[Figure: control automaton AP over the locations ℓ0, ℓ1, ℓ2, ℓerr with edges labelled x:=0, y:=0, x++, x==-1, y==-1]

SLIDE 6

Set Theoretic View of Trace Abstraction

[Figure: nested regions: the set of all traces Σ∗; the traces respecting the control flow of P, L(AP); the error traces; the feasible traces. Traces placed in the diagram: x:=0 . x++ . y==-1 and x:=0 . y:=0 . x++ . x==-1]

SLIDE 15

Trace Abstraction

Definition (Trace Abstraction)

A trace abstraction is given by a tuple of automata (A1, . . . , An) such that each Ai recognizes a subset of infeasible traces, for i = 1, . . . , n. We say that the trace abstraction (A1, . . . , An) does not admit an error trace if AP ∩ Ā1 ∩ . . . ∩ Ān is empty, where Āi denotes the complement of Ai; equivalently, every trace accepted by AP is accepted by some Ai.

Theorem (Soundness)

L(AP ∩ Ā1 ∩ . . . ∩ Ān) = ∅ ⇒ P is correct

Theorem (Completeness)

If P is correct, there is a trace abstraction (A1, . . . , An) such that L(AP ∩ Ā1 ∩ . . . ∩ Ān) = ∅

SLIDE 18

Example – Exclude an Infeasible Trace

AP: [Figure: control automaton over ℓ0, ℓ1, ℓ2, ℓerr with edges labelled x:=0, y:=0, x++, x==-1, y==-1]

A1: [Figure: automaton with states q0, q1, q2, q3, q4 reading x:=0, y:=0, x++, x==-1 in turn, and a sink state qs for all other letters (. . .)]

AP ∩ Ā1 (product of AP with the complement of A1): [Figure: states ℓ0q0, ℓ1q1, ℓ2q2, ℓ2q3, ℓ2qs, ℓerrq4, ℓerrqs; edges labelled x:=0, y:=0, x++, x==-1, y==-1]

SLIDE 19

Control flow as finite automaton

Example program P:

  ℓ0: x:=0
  ℓ1: y:=0
  ℓ2: while(nondet) { x++ }
      assert x != -1
      assert y != -1

[Figure: control flow graph of P, with locations ℓ0, ℓ1, ℓ2, ℓerr and edges labelled x:=0, y:=0, x++, x==-1, y==-1]

SLIDE 20

Floyd-Hoare proof as finite automaton

Example program P with its Floyd-Hoare annotation:

  {⊤}
  ℓ0: x:=0
  {x ≥ 0}
  ℓ1: y:=0
  {x ≥ 0 ∧ y = 0}
  ℓ2: while(nondet) { x++ }
      assert x != -1
      assert y != -1

[Figure: control flow graph of P whose locations carry the predicates true, x ≥ 0, x ≥ 0 ∧ y = 0 and false, with edges labelled x:=0, y:=0, x++, x==-1, y==-1]

SLIDE 21

Floyd-Hoare proof as finite automaton

Example program P (ℓ0: x:=0; ℓ1: y:=0; ℓ2: while(nondet) { x++ }; assert x != -1; assert y != -1) and its control flow graph, with the locations carrying the predicates true, x ≥ 0, x ≥ 0 ∧ y = 0 and false and the edges labelled x:=0, y:=0, x++, x==-1, y==-1.

Observation: every transition is related to a Hoare triple! E.g. the transition ( · , y:=0 , · ) ∈ δ from the state labelled x ≥ 0 to the state labelled x ≥ 0 ∧ y = 0 corresponds to post( x ≥ 0 , y:=0 ) ⊆ x ≥ 0 ∧ y = 0.

SLIDE 23

Interpolant Automata

Given: a sequence of predicates I = I0, I1, . . . , In

Definition (Interpolant Automaton AI)

AI = (QI, δI, Qinit_I, Qfin_I) where
  QI = {q0, . . . , qn}
  (qi, st, qj) ∈ δI implies post(st, Ii) ⊆ Ij
  qi ∈ Qinit_I implies Ii = true
  qi ∈ Qfin_I implies Ii = false

Theorem

An interpolant automaton AI recognizes a subset of infeasible traces: L(AI) ⊆ Infeasible.

SLIDE 25

Example – Refinement Using Interpolant Automata

[Figure: set-theoretic view (the set of all traces Σ∗, the traces respecting the control flow of P L(AP), the error traces, the feasible traces) showing the infeasible error trace x:=0 . y:=0 . x++ . x==-1, with the region L(A1) added]

A1: [Figure: interpolant automaton with states q0, q1, q2 and transitions labelled x:=0, y:=0, x++, x==-1]

SLIDE 27

Example – Refinement Using Interpolant Automata

[Figure: the same set-theoretic view with L(A1) already drawn, now showing the infeasible error trace x:=0 . y:=0 . x++ . y==-1, with the region L(A2) added]

A2: [Figure: interpolant automaton with states q0, q1, q2 and transitions labelled x:=0, y:=0, x++, x==-1]

SLIDE 28

CEGAR for Trace Abstraction

[Flowchart; input: annotated program P; Āi denotes the complement of Ai]

  n := 0
  repeat:
    Is L(AP ∩ Ā1 ∩ . . . ∩ Ān) = ∅ ?
      yes: P is correct
      no:  return an error trace π such that π ∈ L(AP ∩ Ā1 ∩ . . . ∩ Ān)
    Is π ∈ INFEASIBLE ?
      no:  P is incorrect
      yes: return a trace automaton An+1 such that π ∈ L(An+1) and L(An+1) ⊆ INFEASIBLE,
           set n := n + 1 and repeat
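The loop of this slide run on the example program P of slides 2 to 5, as an added example (not code from the slides or from their authors): a small automata library over the statement alphabet Σ, the product with the complements Āi, a BFS emptiness check that returns a shortest error trace, and a feasibility check by concrete execution, which is sound here only because every trace of P starts with x:=0 . y:=0. The interpolant automata A1 and A2 are hand-built with assumed shapes (from the predicates true, x ≥ 0, false and true, y = 0, false) rather than computed from interpolants, and the names AP, A1, A2, cegar, feasible are this example's own.

```python
from collections import deque
from itertools import product as pairs

SIGMA = ("x:=0", "y:=0", "x++", "x==-1", "y==-1")   # alphabet of statements (slide 4)
# An automaton is (set of (src, statement, dst) triples, initial states, final states).
AP = ({("l0", "x:=0", "l1"), ("l1", "y:=0", "l2"), ("l2", "x++", "l2"),   # control flow graph of P
       ("l2", "x==-1", "lerr"), ("l2", "y==-1", "lerr")}, {"l0"}, {"lerr"})
# Hand-built interpolant automata (assumed shapes): A1 follows the predicates true,
# x>=0, false and A2 follows true, y=0, false; each accepts only infeasible traces.
A1 = ({("q0", "x:=0", "q1"), ("q1", "y:=0", "q1"), ("q1", "x++", "q1"),
       ("q1", "x==-1", "q2")}, {"q0"}, {"q2"})
A2 = ({("p0", "x:=0", "p0"), ("p0", "y:=0", "p1"), ("p1", "x++", "p1"),
       ("p1", "y==-1", "p2")}, {"p0"}, {"p2"})

def accepts(aut, word):   # plain NFA simulation
    trans, cur, fin = aut
    for st in word: cur = {d for (a, s, d) in trans if a in cur and s == st}
    return bool(cur & fin)
def complement(aut):   # deterministic input: complete it with the sink qs, swap final states
    trans, init, fin = aut
    states = {s for t in trans for s in (t[0], t[2])} | {"qs"}
    missing = {(s, st, "qs") for s in states for st in SIGMA
               if not any(a == s and b == st for (a, b, _) in trans)}
    return (trans | missing, init, states - fin)
def intersect(a, b):   # product automaton, synchronised on the statement letter
    trans = {((s1, s2), st, (d1, d2)) for (s1, st, d1) in a[0] for (s2, st2, d2) in b[0] if st == st2}
    return (trans, set(pairs(a[1], b[1])), set(pairs(a[2], b[2])))
def shortest_accepted(aut):   # BFS witness of non-emptiness; None means L(aut) is empty
    queue, seen = deque((s, ()) for s in aut[1]), set(aut[1])
    while queue:
        s, word = queue.popleft()
        if s in aut[2]: return word
        for (a, st, d) in sorted(aut[0]):   # sorted so the witness is deterministic
            if a == s and d not in seen: seen.add(d); queue.append((d, word + (st,)))
    return None
def feasible(trace):   # a concrete run decides it: every trace of P starts with x:=0 . y:=0
    env = {}
    for st in trace:
        if st.endswith(":=0"): env[st[0]] = 0
        elif st == "x++": env["x"] += 1
        elif env[st[0]] != -1: return False   # the assume statement v==-1 blocks
    return True
def cegar(ap, refinements):   # the loop of the CEGAR slide; An+1 is picked from refinements
    product, used = ap, []
    while True:
        pi = shortest_accepted(product)
        if pi is None: return "correct", tuple(used)
        if feasible(pi): return "incorrect", pi
        an = next(r for r in refinements if accepts(r, pi))   # ensures pi ∈ L(An+1)
        used.append(an); product = intersect(product, complement(an))
```

cegar(AP, [A1, A2]) returns ("correct", (A1, A2)): the first shortest error trace x:=0 . y:=0 . x==-1 is infeasible and excluded by A1, the next one x:=0 . y:=0 . y==-1 by A2, and the product AP ∩ Ā1 ∩ Ā2 is empty.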