1 / 40

Predicate Abstraction

Predicate Abstraction. Abstract state space exploration. Method : (1) start in the abstract initial state (2) use to compute reachable states (invariants). Abstract state space exploration. Approximation  1 : all reachable states are monomials. Where.

naida
Download Presentation

Predicate Abstraction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicate Abstraction

  2. Abstract state space exploration • Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)

  3. Abstract state space exploration • Approximation 1: all reachable states are monomials. • Where

  4. Least upper bound on lattice L length of longest chains

  5. Abstract state space exploration • Approximation 2 : strongest invariant of by allowing approximation to be boolean expressions on B1 … Bland applying only on canonical monomials ( B1 … Bl ) representing a single state

  6. where

  7. Abstract state space exploration • Canonical monomial : the set ofatoms of M0 ---- the set 2lover B1 … Bl • Note: • Boolean expressions on B1 … Bl = arbitrary elements of Qk

  8. Complexity of 1 and 2 • Complexity of computation: • The number of necessary proofs • Successor of expA  K=2*p*l*1 • 2: B.1 – B.2 • P: number of transitions • L: number of predicates • 1: enabledness

  9. Complexity of 1 and 2 • Computation of 1 : • Needs maximally l*k proofs • Computation of 2: • Worst case 2l * k proofs (all successors computed)

  10. Computation of 2 • Much better in practice • Some j leave Iunchanged (or transform Iindependently) • Only a small subset of all abstract states is reachable • 1… I need not be independent not all 2l canonical monomials represent a non-empty set of concrete states • Dependency predicate : consider only non-spurious abstract states

  11. Improvements of the computed invariants • Use backwards analysis: where

  12. Improvements of the computed invariants • Approximations yj • are arbitrary predicates of the concrete property lattice and not necessarily boolean combinations of 1… I • Abstract backwards analysis • Would require a lower approximation of

  13. Construction of the abstract state graph • Computation of a successor: require several proofs • Only a small abstract state (few thousand) can be explored • Additional cost of storing transitions is almost negligible

  14. Advantages of storing the abs. state graph • Use model checker to verify any temporal logic formula on atomic proposition on B1 … Blwithout existential quantifier over executions • Precise global control flow graph • Especially if guards of the program are boolean combination over I • Stronger structure invariants than for initial control structure used to improve backwards analysis

  15. Refinement of the abstract state graph • Add more predicates to 1… I: deduced form • The so far constructed transition relation • See later: abstraction refinement (done in an incremental way)

  16. Given expA and Bnew • Not all implications in (3) have to be checked • Only the new ones and those which could not be proved valid during the computation of the successors of expA

  17. When to add • If the abstract state space exploration by using does not allow to verify some property • Construct more precise abstraction by adding new predicates

  18. Implementation Overview • Invariant checker tool impliments: • 1)backwards computation of inductive invariants (true in initial state and preserved by transitions) • 2) generation of structural invariants (preserved by system structure) • 3) abstract state graph generation (added)

  19. Integration with PVS • All implications (3) submitted to PVS • Proof strategy combining decision procedures, rewriting and boolean simplification using BDDs is systematically applied

  20. Abstract state • Is a tuple (ctrl, ) where: • ctrl ---- is a concrete control configuration • ---- is a valuation of a set of boolean vars B1 … Bl

  21. Dependency predicate • Given {1… I} an upper approximation of a dependency predicate is computed and used to generate successors • Exact computation if {1… I} can be divided using syntactical independency into a set of small sets of potentially dependent predicates

  22. Auxiliary invariants • Generated using initial control structure where • Qk control configuration of a system consisting of several parallel components are considered reachable

  23. Abstract state graph • The invariant is a conjunction of • Already known invariants in the system relevant for the transition under study •  is used to smaller successors by replacing (3) by weaker ones • Only implication compatible with dependency predicate and not already computed are generated

  24. Reachability algorithm (Defs) • For simplicity: shown for systems without explicit control locations • Based on QA and over B1 … Bl ,can be implemented with BDDs • Abstract invariant : by analysis of dependencies between 1… I

  25. Reachability algorithm (Defs) • Concrete invariant : generated using the facilities of the tool • Constraints Ctau[i](B1 … Bl, B’1 … B’l): for each i by static analysis • E.g. which predicates j are not touched => B’j = Bj

  26. Reachability algorithm (Defs) • Abstract predicate Aguard[i]=’(gi): generated for each i • 1… I are chosen such that Aguard[i] is exactly the guard of i • AReach: the so far computed set of reachable states (invariant at the end)

  27. Reachability algorithm (Defs) • Atau[i]: at each stage an upper approximation of • To_explore: auxiliary variable representing the set of states for which we have to compute the successors

  28. Reachability algorithm Initializations: AInit:= ’(init); For all i: Atau[i]:= AReach := AInit; To_explore := AInit; Iteration: While To_explore != false choose m in To_explore; To_explore:= To_explore m; if m=> Aguard[i] then SEE NEXT PAGE ATau[i]:= ATau[i]  ( ) To_explore := To_explore  (succ   AReach); AReach := AReach  succ;

  29. Choice of the Predicates i • Use guards in the transitions the system: • Allows to construct successors only via transitions enabled in all represented concrete states • Replaces enabledness checks (3.0) by boolean tests. • To prove that  is an invariant • One can also try to use  for the definition of the abstract state space

  30. Choice of the Predicates i • Split each predicate into its set of literals (atomic pred.) • E.g. use 1 = (out =in) and Choice of the Predicates 2= (out= tail(in)) instead of 1 v 2 • Alternating bit protocol example: verified that:□(out =in V out= tail(in)) • List of already received messages Out is a prefix of the list of messages sent so far In

  31. Alternating bit protocol verification • Verified correctness :□(out =in V out= tail(in)) • Already received message Out is prefix of messages sent so far : In • Using implemented backward computation: • The computation of the appropriate inductive invariant does not terminate • The computation of structual invariants does not generate interesting results

  32. Alternating bit protocol verification • Using the two predicates as 1 and 2: • Deterministic graph is generated • 34 decidable implications • 5 abstract states • 68s

  33. Alternating bit protocol verification • Obtaining more precise approximation: • 3= message (message_channel) = head(In) • Internal predicate • Last sent message is the head of In -- same graph but all states satisfy either In=Out or out=tail(In) • Use abstract state graph to generate stronger structural invariants • Apply strengthening backward computation- (6) proved

  34. Bounded retransmission protocol • Extension of ABP: • Message pockets are sent, retransmitted bounded by max per message. • Full parameterized version of BRP: • Pockets can be of any size • Max can be any positive number • Proven so far by hand • Large amount of user interaction

  35. Protocol description mess receiver Receiving client Sending client sender ack

  36. Protocol description • Sender: receive message pocket from client • Delivers confirmation to client • OK ----- all messages are transmitted • Not_OK -----transmission has been aborted • DON’T_KNOW ----last message not acknowledged

  37. Protocol description • Receiver: acknowledge each received message • Delivers indication to the receiving client • First –1st message received • OK –last message received • Incomplete --- for any intermediate messages • NOT_OK ---transmission aborted

  38. Protocol description • Timers T1,T2: • T1 ---message has been lost • T2 ---transmission ahs been aborted

  39. Correctness • Verification: As for ABP • 19 predicates from guards  Abstract state graph: 475 states, 685 transitions, 3 hours

More Related