Trace Abstraction (Recap)
Andreas Podelski
University of Freiburg, Germany
Tuesday, December 15, 2011
Preliminaries: Programs

program = graph

    ℓ_0: if (x==0)
    ℓ_1:     y:=1
    ℓ_2: else
    ℓ_3:     y:=2
    ℓ_4:

    edges of the graph: ℓ_0 --x==0--> ℓ_1, ℓ_1 --y:=1--> ℓ_2, ℓ_0 --x!=0--> ℓ_3, ℓ_3 --y:=2--> ℓ_4

- nodes = control locations
- edges labeled by statements
- two special nodes: initial location ℓ_0, error location ℓ_err
- only two kinds of statements: update (e.g., y:=1, y:=2) and assume (e.g., x==0, x!=0)
Running Example: Program P

    ℓ_0: x:=0
    ℓ_1: y:=0
    ℓ_2: while(nondet) { x++ }
         assert x!=-1
         assert y!=-1

    program P as a graph: ℓ_0 --x:=0--> ℓ_1 --y:=0--> ℓ_2, ℓ_2 --x++--> ℓ_2, ℓ_2 --x==-1--> ℓ_err, ℓ_2 --y==-1--> ℓ_err
Trace = Word over an Alphabet

alphabet Σ = set of statements of program P

    Σ = { x:=0, y:=0, x++, x==-1, y==-1 }

examples:

    w_1 = y==-1 . x++ . x++ . x:=0 . x==-1
    w_2 = x:=0 . y:=0 . x++ . x++ . y==-1
Error Trace

error trace = word w along a path from ℓ_0 to ℓ_err in program P

    w_1 = x:=0 . y:=0 . y==-1
    w_2 = x:=0 . y:=0 . x++ . x++ . y==-1
Feasible Trace

feasible trace = word w formed by the letters of a possible execution path

    w_1 = x==-1 . x:=0                          feasible
    w_2 = x:=0 . x==-1                          not feasible
    w_3 = x>=0 . x-- . x-- . ... . x-- . x--    feasible      (finitely many x--)
    w_4 = x>=0 . x-- . x-- . x-- . x-- . ...    not feasible  (infinitely many x--)
Automata over Alphabet Σ of Statements

- automaton A_P defines the set of error traces (same graph as program P: initial state ℓ_0, final state ℓ_err, transitions ℓ_0 --x:=0--> ℓ_1 --y:=0--> ℓ_2, ℓ_2 --x++--> ℓ_2, ℓ_2 --x==-1--> ℓ_err, ℓ_2 --y==-1--> ℓ_err)
- note: the set of feasible traces cannot be defined by an automaton
Correctness of Program P

    (figure: Venn diagram of all traces Σ*, traces of P, error traces of P, feasible traces;
     P is correct when the error traces of P and the feasible traces are disjoint)

Incorrectness of Program P

    (figure: same Venn diagram; P is incorrect when some error trace of P is feasible)

Decomposition of Correctness Proof

    (figure: same Venn diagram, with the error traces of P covered by sets of infeasible traces)
program P
alphabet Σ = set of statements
automaton A_P = set of error traces for program P

Proof Rule

    A_P ⊆ A_1 ∪ ... ∪ A_n
    A_1, ..., A_n ⊆ Σ* \ FEASIBLE
    ⇒ program P is correct

"A_1, ..., A_n are a decomposition of a correctness proof for program P"
How?

How do we obtain a decomposition A_1, ..., A_n of a correctness proof for program P?

next:
1. specific algorithm à la CEGAR
2. generalization
Compute Decomposition of Correctness Proof à la CEGAR

    input: program P (initially n = 0)

    1. A_P ⊆ A_1 ∪ ... ∪ A_n ?
         yes → P is correct
         no  → take w such that w ∈ A_P \ (A_1 ∪ ... ∪ A_n)
    2. w ∈ Σ* \ FEASIBLE ?
         no  → P is incorrect
         yes → construct A_{n+1} such that w ∈ A_{n+1} and A_{n+1} ⊆ Σ* \ FEASIBLE; go to 1
next: generalization of counterexamples

given trace w such that
1. w ∈ A_P \ (A_1 ∪ ... ∪ A_n)   ("w is a counterexample")
2. w ∈ Σ* \ FEASIBLE             ("w is infeasible")

construct automaton A_{n+1} such that
1. w ∈ A_{n+1}
2. A_{n+1} ⊆ Σ* \ FEASIBLE
First Iteration of Algorithm for Example Program P

n = 0, i.e. A_1 ∪ ... ∪ A_n = ∅

take w_1 ∈ A_P \ (A_1 ∪ ... ∪ A_n):

    w_1 = x:=0 . y:=0 . y==-1

w_1 is not feasible
First Iteration of Algorithm for Example Program P

    w_1 = x:=0 . y:=0 . y==-1

construct automaton A_1 such that
1. w_1 ∈ A_1
2. A_1 ⊆ Σ* \ FEASIBLE

trivial solution: A_1 = { w_1 }

    q_0 --x:=0--> q_1 --y:=0--> q_2 --y==-1--> q_3

observe: statement x++ does not affect variable y,
therefore x:=0 . y:=0 . x++ . y==-1 is also infeasible

    add the self-loop q_2 --x++--> q_2 to A_1
Second Iteration of Algorithm for Example Program P

n = 1

take w_2 ∈ A_P \ A_1:

    w_2 = x:=0 . y:=0 . x==-1

construct automaton A_2 such that
1. w_2 ∈ A_2
2. A_2 ⊆ Σ* \ FEASIBLE

trivial solution: A_2 = { w_2 }

    q_0 --x:=0--> q_1 --y:=0--> q_2 --x==-1--> q_3
observe: a proof of infeasibility of w_2 = x:=0 . y:=0 . x==-1 is a correctness proof of the Hoare triple { true } w_2 { false }
Second Iteration of Algorithm for Example Program P

Hoare-triple proof of { true } w_2 { false }, written as annotations on the states of A_2:

    { true }   q_0
      x:=0
    { x ≥ 0 }  q_1
      y:=0
    { x ≥ 0 }  q_2
      x==-1
    { false }  q_3

observe: { x ≥ 0 } x++ { x ≥ 0 } is a valid Hoare triple

    add the self-loop q_2 --x++--> q_2 to A_2
A_1 and A_2 are a Decomposition of a Correctness Proof for Program P

    automaton A_1:  q_0 --x:=0--> q_1 --y:=0--> q_2, q_2 --x++--> q_2, q_2 --y==-1--> q_3
    automaton A_2:  q_0 --x:=0--> q_1 --y:=0--> q_2, q_2 --x++--> q_2, q_2 --x==-1--> q_3
    automaton A_P:  ℓ_0 --x:=0--> ℓ_1 --y:=0--> ℓ_2, ℓ_2 --x++--> ℓ_2, ℓ_2 --y==-1--> ℓ_err, ℓ_2 --x==-1--> ℓ_err

    A_1 ⊆ Σ* \ FEASIBLE
    A_2 ⊆ Σ* \ FEASIBLE
    A_P ⊆ A_1 ∪ A_2

Proof Rule

    A_P ⊆ A_1 ∪ ... ∪ A_n
    A_1, ..., A_n ⊆ Σ* \ FEASIBLE
    ⇒ program P is correct
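The two iterations above, as an added example that is not part of the original slides: A_P, A_1 and A_2 are encoded as deterministic automata over Σ, and the check A_P ⊆ A_1 ∪ ... ∪ A_n of the CEGAR loop is implemented by a product search that returns the counterexample trace of each iteration (w_1 for n = 0, w_2 for n = 1, none once A_1 and A_2 are both present). The tuple encoding and the function name `counterexample` are my own choices, not notation from the deck.

```python
from collections import deque

# Automaton = (initial state, set of final states, partial transition map); all deterministic.

# Program automaton A_P for the running example P: accepted words are error traces.
A_P = ("l0", {"lerr"}, {
    ("l0", "x:=0"): "l1", ("l1", "y:=0"): "l2", ("l2", "x++"): "l2",
    ("l2", "y==-1"): "lerr", ("l2", "x==-1"): "lerr"})

# Interpolant automaton A_1 (interpolants true, true, y>=0, false):
# the x++ self-loop at q2 is sound because x++ does not affect y.
A_1 = ("q0", {"q3"}, {
    ("q0", "x:=0"): "q1", ("q1", "y:=0"): "q2", ("q2", "x++"): "q2",
    ("q2", "y==-1"): "q3"})

# Interpolant automaton A_2 (interpolants true, x>=0, x>=0, false):
# the x++ self-loop at q2 is sound because {x>=0} x++ {x>=0} is valid.
A_2 = ("q0", {"q3"}, {
    ("q0", "x:=0"): "q1", ("q1", "y:=0"): "q2", ("q2", "x++"): "q2",
    ("q2", "x==-1"): "q3"})

def counterexample(program, proofs):
    """Decide A_P ⊆ A_1 ∪ ... ∪ A_n.

    Breadth-first search over the product of A_P with every A_i (an A_i that
    has no transition for a letter is tracked as None).  Returns a shortest
    word in A_P \\ (A_1 ∪ ... ∪ A_n), or None when the inclusion holds.  The
    visited set keeps the search finite despite the x++ loop."""
    start = (program[0],) + tuple(a[0] for a in proofs)
    queue, seen = deque([(start, ())]), {start}
    while queue:
        cfg, word = queue.popleft()
        p, others = cfg[0], cfg[1:]
        accepted = any(q in a[1] for q, a in zip(others, proofs))
        if p in program[1] and not accepted:
            return word            # error trace that no proof automaton covers
        for (src, st), dst in program[2].items():
            if src != p:
                continue
            nxt = (dst,) + tuple(None if q is None else a[2].get((q, st))
                                 for q, a in zip(others, proofs))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, word + (st,)))
    return None

if __name__ == "__main__":
    print("n=0:", counterexample(A_P, []))          # w_1 = x:=0 . y:=0 . y==-1
    print("n=1:", counterexample(A_P, [A_1]))       # w_2 = x:=0 . y:=0 . x==-1
    print("n=2:", counterexample(A_P, [A_1, A_2]))  # None: P is correct
```

Because the search runs over product configurations rather than over words, it terminates even though A_P accepts infinitely many error traces through the x++ loop.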
Interpolant Automaton A_I

Definition (Interpolant Automaton A_I)

    I = I_0, I_1, ..., I_n   sequence of state predicates ("interpolants")

    A_I = ⟨ Q_I, δ_I, Q_init_I, Q_fin_I ⟩

    Q_I = { q_0, ..., q_n }
    (q_i, st, q_j) ∈ δ_I   only if   { I_i } st { I_j }
    q_i ∈ Q_init_I         only if   I_i = true
    q_i ∈ Q_fin_I          only if   I_i = false

Theorem
An interpolant automaton A_I recognizes a subset of the infeasible traces:

    L(A_I) ⊆ Infeasible
CEGAR with Database of Interpolant Automata

    input: program P

    1. A_P ⊆ A_1 ∪ ... ∪ A_n ?
         yes → P is correct
         no  → take w such that w ∈ A_P \ (A_1 ∪ ... ∪ A_n)
    2. exists an interpolant automaton A in the database that accepts w ?
         no  → P is incorrect
         yes → A_{n+1} := A; go to 1