700 likes | 1.02k Views
Abstraction in Model Checking. Nishant Sinha. Model Checking. Given a: Finite transition system M A temporal property p The model checking problem: Does M satisfy p ?. Model Checking (safety). I. Too many states to handle !. MUST ABSTRACT!!. = bad state. Abstraction.
E N D
Abstraction in Model Checking Nishant Sinha
Model Checking • Given a: • Finite transition system M • A temporal property p • The model checking problem: • Does Msatisfy p?
Model Checking (safety) I Too many states to handle ! MUST ABSTRACT!! = bad state
Abstraction • Eliminate details irrelevant to the property • Obtain simple finite models sufficient to verify the property • E.g., Infinite state ! Finite state approximation • Disadvantage • Loss of Precision: False positives/negatives
h h h h h Data Abstraction S S’ Abstraction Function h : S ! S’
Even Odd Neg Zero Pos Data Abstraction Example • Abstraction proceeds component-wise, where variables are components …, -2, 0, 2, 4, … x:int …, -3, -1, 1, 3, … …, -3, -2, -1 y:int 0 1, 2, 3, …
Data Abstraction Example • Partition concrete variables into visible(V) and invisible(I) variables. The abstract model consists of V variables. I variables are existentially quantified out. The abstraction function maps each state to its projection over V.
Data Abstraction Example x1 x2 x3 x4 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 x1 x2 h 0 0 Group concrete states with identical visible part to a single abstract state.
int (n<0) : NEG (n==0): ZERO (n>0) : POS Signs Signs x = ZERO; if (Signs.eq(x,ZERO)) x = Signs.add(x,POS); NEG ZERO POS Data Type Abstraction Code Abstract Data domain int x = 0; if (x == 0) x = x + 1;
How do we Abstract Behaviors? • Abstract domain A • Abstract concrete values to those in A • Then compute transitions in the abstract domain • Over-approximations: Add extra behaviors • Under-approximations: Remove actual behaviors
Formalism: Kripke Structures • M = (S,s0,!,L) on AP • S: Set of States • s0: Initial State • !: Transition Relation • L: S ! 2AP, Labeling on States p p !p p,q
Simulations on Kripke Structures M = (S, s0, !, L) M’ = (S’, s’0, !’, L’) Definition: R S S’is a simulation relation between M and M’ iff M’ simulates M (M ¹ M’) iff (s0, t0)2 R • (s,s’) R implies • L(s) = L’(s’) • for all t s.t. s t , exists t’ s.t. s’ ’ t’ and (t,t’) R. Intuitively, every transition in M can be matched by some transition in M’
Guarantees from Abstraction • Strong Preservation: • M’ ² P iff M ² P • Weak Preservation: • M’ ² P ) M ² P • Simulation preserves ACTL* properties • If M ¹ M’ then M’ ²AG p)M ² AG p
Overview • Formalizing Abstraction/Refinement • Homomorphic Abstractions • Abstract Interpretation Theory • Guarantees from Abstractions – Safe • Automated Abstraction Refinement - CEGAR • Applications • Hardware – e.g., Hom. Abstraction • Software – e.g., Predicate Abstraction
Building an Abstraction • Computing Abstract Domain • Computing Abstract Transitions
Homomorphisms • Clarke et. al.- ’94, ’00 • Concrete States S, Abstract states S’ • Abstraction function (Homomorphism) • h: S ! S’ • Induces a partition on S equal to size of S’
Existential/Universal Abstractions • Existential • Make a transition from an abstract state if at least one corresponding concrete state has the transition. • Abstract model M’ simulates concrete model M • Universal • Make a transition from an abstract state if all the corresponding concrete states have the transition.
h Existential Abstraction (Over-approximation) I S I S’
h Universal Abstraction (Under-Approximation) I S I S’
Guarantees from Exist. Abstraction Let φbe a ACTL* property M’ existentially abstracts M, so M ¹ M’ M’ • Preservation Theorem M’⊨φM ⊨ φ M Converse does not hold M’⊭φM⊭φ M’ ⊭ φ : counterexample may be spurious
Deadend states I I f Bad States Failure State Why spurious counterexample?
Refinement • Problem: Deadend and Bad States are in the same abstract state. • Solution: Refine abstraction function. • The sets of Deadend and Bad states should be separated into different abstract states.
Refinement h’ Refinement : h’
Abstract Interpretation • Cousot et. al. ‘77 • Framework for approximating fixpoint computations • Galois Connections • Concrete: S, Abstract: S’ • Abstract S. F(S) = S as S’. F’(S’) = S’ • Homomorphisms are a particular case • Widening/Narrowing
Galois Connections • S – concrete, S’– abstract • S’ must be a complete lattice • : 2S→ S’- abstraction function • : S’ → 2S - concretization function • Properties of and : • ((A)) · A, for A in S’ • ((X)) ⊇ X, for X µS • The above properties mean that and are Galois-connected S S’
Abs. Interpretation: Example • int -> {even, odd, T} • (even) = {..,-2,0,2,4..} • (odd) = {..,-3,-1,1,3..} • (T) = int • Predicate abstraction is an instance
Computing Abstract Transition Relation R R’ Existential Abstraction • R[Dams’97]: (t, t1) R’ iff s (t) and s1 (t1) s.t. (s, s1) R • This ensures that • M’ simulates M • Preservation Theorem applies • Similarly, Universal Abstraction R89 S S’
Other kinds of Abstraction • Cone of Influence • Slicing
Automated Abstraction/Refinement • Good abstractions are hard to obtain • Automate both Abstraction and Refinement processes • Counterexample-Guided AR (CEGAR) • Build an abstract model M’ • Model check property P, M’ ² P? • If M’ ² P, then M ² P by Preservation Theorem • Otherwise, check if Counterexample (CE) is spurious • Refine abstract state space using CE analysis results • Repeat
Counterexample-Guided Abstraction-Refinement (CEGAR) Build New Abstract Model Model Check M M’ Pass No Bug Fail Check Counterexample Obtain Refinement Cue Real CE Spurious CE Bug
Applications • Hardware Verification: • Thousands of Latches • Abstract using homomorphisms • SAT-based methods (Clarke et. al.) • Software Verification: • Integer variables, Undecidability • Predicate Abstraction • SLAM • MAGIC, BLAST • All these approaches are automated (CEGAR)
Verifying Hardware: Abstraction • A number of approaches • Localization (Kurshan et. Al.) • SAT-based (’02) • … • We consider a homomorphism-based approach inside CEGAR framework
Counterexample-Guided Abstraction-Refinement (CEGAR) Build New Abstract Model Model Check M M’ Pass No Bug Fail Check Counterexample Obtain Refinement Cue Real CE Spurious CE Bug
Abstraction Function • Partition variables into visible(V) and invisible(I) variables. The abstract model consists of V variables. I variables are made inputs (existentially quantified). The abstraction function maps each state to its projection over V.
Abstraction Function Example x1 x2 x3 x4 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 x1 x2 h 0 0 Group concrete states with identical visible part to a single abstract state.
h Abstract Model Computation • Existential Abstraction: I I
Obtaining Exist. Abstraction Symbolically • Concrete Model : (S, I, R, L) • Abstract Model: (S’,I’,R’,L’) • h: S ! S’ • S’ = {s’ j9s 2 S. h(s)=s’} • I’ = {s’ j9s 2 S. I(s) Æ h(s)=s’} • R’ = {(s1’,s2’) j 9s1,s2. R(s1,s2) Æ h(s1)=s1’ Æ h(s2)=s2’}
Checking the Counterexample • Model check the abstract model • Yes or a Counterexample CE • Counterexample : (c1, …,cm) • Each ci is an assignment to V. • Simulate the counterexample on the concrete model.
Checking the Counterexample • Concrete traces corresponding to the counterexample: (Initial State) (Unrolled Transition Relation) (Restriction of V to Counterexample) • Refine if CE is spurious
Deadend states I I f Bad States Failure State Spurious counterexample?
h’ Refinement h’ h’ h’ h’ h’ h’ Refinement (h’): Make Invisible variables Visible
Frontier P Visible Invisible Inputs Refinement methods… Localization (R. Kurshan, 80’s)
Refinement methods… Abstraction/refinement with conflict analysis • Simulate counterexample on concrete model with SAT • If the instance is unsatisfiable, analyze conflict • Make visible one of the variables in the clauses that lead to the conflict (Chauhan, Clarke, Kukula, Sapra, Veith, Wang, FMCAD 2002)
Deadend States f Failure State Refinement as Separation
Refinement as Separation Deadend States Bad States
1 0 0 1 0 0 1 0 0 1 0 0 1 1 1 0 1 0 1 1 Refinement as Separation v1 v2 v3 v4 v5 v6 v7 Refinement : Find subset U of I that separates between all pairs of deadend and bad states. Make them visible. Keep U small ! d1 0 1 0 0 1 0 1 I b1 V b2
0 1 0 1 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 1 0 1 0 1 Refinement as Separation v1 v2 v3 v4 v5 v6 v7 Refinement : Find subset U of I that separates between all pairs of deadend and bad states. Make them visible. Keep U small ! d1 I b1 V b2
Refinement as Separation The state separation problem Input: Sets D, B Output: Minimal U subset of I s.t.: d D, b B, u U. d(u) b(u) The refinement h’ is obtained by adding Uto V.
Two separation methods • ILP-based separation • Minimal separating set. • Computationally expensive. • Decision Tree Learning based separation. • Not optimal. • Polynomial.