180 likes | 275 Views
On bounded model checking, abstract interpretation, interpolants, and induction. K. Rustan M. Leino Microsoft Research, Redmond, WA, USA. IFIP WG 2.3, meeting 43 10 Sep 2004 Prato, Italy. State transition system. (I, T, R) where I —description of initial states T —total transition relation
E N D
On bounded model checking, abstract interpretation, interpolants, and induction K. Rustan M. Leino Microsoft Research, Redmond, WA, USA IFIP WG 2.3, meeting 4310 Sep 2004Prato, Italy
State transition system (I, T, R) where I —description of initial states T —total transition relation R —description of “good” states
Bounded model checking • Is ¬R reachable from I viaa finite number of T steps? • BMC(I,T,R,k) = ¬R is reachable from I via at most k T steps
Relations • Id(σ,σ’) = σ=σ’ • (R;S)(σ,σ’’) = ( σ’ • R(σ,σ’) S(σ’,σ’’)) • Rn = R;R;R;…;R • a predicate P can be used as a relation, with the meaning P(σ,σ’) = P(σ) σ=σ’ • R(σ’) = ( σ • R(σ,σ’)) • everywhere brackets on predicates: [P] = ( σ • P(σ)) n times
Checking reachability Reach(I,T,F,k) = { returns (n | 0≤n≤k • ¬[I;Tn ¬F]) } SAT( I(σ0) ( i | 0≤i<k • T(σi, σi+1)) ( i | 0≤i≤k • F(σi)) ) BMC(I,T,R,k) = Reach(I,T,¬R,k)
System diameter • The diameter of a system is the smallest number of steps that reaches all reachable states
Basic algorithm Main(I,T,R) =for k := 0 thru Diameter(I,T) doif Reach(I,T,¬R,k) thenreturn Errorendend;return Correct
Improved algorithm Main(I,T,R) = if SAT(I ¬R) then return Error end; for k := 1 thru Diameter(I,T) do {(n | 0≤n<k • [I;Tn R])} case Check(I,T,R,k) of Correct: return Correct Error: return Error DontKnow: skipendend;return Correct
Procedure Check Check(I,T,R,k) = {requires 1≤k (n | 0≤n<k • [I;Tn R]); ensures Error Reach(I,T,¬R,k); ensures Correct (n | 0≤n • [I;Tn R]); ensures DontKnow (n | 0≤n≤k • [I;Tn R]); } if Reach(I,T,¬R,k) thenreturn Error else … return DontKnow end
System invariant Check(I,T,R,k) = var J := I; if Reach(J,T,¬R,k) thenreturn Error else loop { [I J] (n | 0≤n≤k • [J;Tn R])} var J’ := …; { [J J’] [J;T J’] } if [J’ J] then { (n | 0≤n • [I;Tn R]) } return Correct elseif Reach(J’,T,¬R,k) then return DontKnow end; J := J’ end end
NextJ Check(I,T,R,k) = var J := I; if Reach(J,T,¬R,k) thenreturn Error else loop { [I J] (n | 0≤n≤k • [J;Tn R])} var J’ := NextJ(J,T,R,k); { [J J’] (n | 1≤n≤k • [J;Tn J’]) } if [J’ J] then { (n | 0≤n • [I;Tn R]) } return Correct elseif Reach(J’,T,¬R,k) then return DontKnow end; J := J’ end end
Goal: Implement NextJ { 1≤k(n | 0≤n≤k • [J;Tn R]) } J’ := NextJ(J,T,R,k) { [J J’] (n | 1≤n≤k • [J;Tn J’]) }
NextJ: Widen [Cousot/Cousot 1977] NextJ(J,T,R,k) = var J’ := J J;T ; { [J J’] [J;T J’] } return J’
Interpolants [Craig 1957] For any formulas A and B such that [A B], there exists an interpolant P such that • [A P] • [P B] • every free symbol in P is a free symbol in both A and B
NextJ: Interpolant [McMillan 2003] NextJ(J,T,R,k) = { (n | 0≤n≤k • [J;Tn R]) } letσ0,…,σk be fresh symbols; let A = J(σ0) T(σ0,σ1); let B = ( i | 1≤i<k • T(σi,σi+1)) ( i | 1≤i≤k • R(σi)); var P := Interpolant(A,B); { [J;T P[σ/σ1]] } return J P[σ/σ1]
NextJ: “Induction” [Sheeran/Singh/Stålmarck 2000] NextJ(J,T,R,k) = { (n | 0≤n≤k • [J;Tn R]) } { J;Tk = J;(R;T)k} var J’ := true;(R;T)k; { [J;Tk J’] } return J J’
Completeness • Widen • no completeness guarantee(so still needs diameter in main loop) • Interpolant • complete for boolean programs • “Induction” • complete for boolean programs, under the additional constraint that there are no repeated states
What would make a good NextJ? For J’ := NextJ(J,T,R,k): • [J J’] • (n | 1≤n≤k • • [J;Tn J’] • (m | 0≤m≤k-n • [J’;Tm R]) ) NextJ(J,T,R,k) = let n, P satisfy • 1 ≤ n ≤ k • [sp(Tn, J) P] • [P wp( (assert R; T)n-k, R)]; return J P