Abstraction for Falsification
Thomas Ball, Microsoft Research, Redmond, US
Orna Kupferman, Hebrew University, Jerusalem, Israel
Greta Yorsh, Tel Aviv University, Israel
CAV'05

Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification
– properties of the abstract system hold for the corresponding concrete system
– abstraction function α: C → A
– for all a ∈ A: if a ⊨ P then for all c ∈ C with α(c) = a, c ⊨ P

Abstraction for Falsification
• Sound abstraction for falsification
– errors of the abstract system exist in the corresponding concrete system
– abstraction function α: C → A
– for all a ∈ A: if a ⊭ P then there exists c ∈ C with α(c) = a and c ⊭ P
– (compare verification: for all c ∈ C with α(c) = a, c ⊨ P)

Motivation
• An abstraction that is sound for falsification need not be sound for verification.
• Existing frameworks for abstraction for verification
– Modal Transition Systems (MTS)
– MTS, PKS, KMTS are equivalent in expressive power [Godefroid, Jagadeesan – VMCAI'03]
– can be too restrictive for falsification

Main Results
• New framework for abstraction
– Ternary Modal Transition System (TMTS)
– TMTS is stronger than MTS
– Semantics of the μ-calculus for TMTS
• Weak reachability
– TMTS with parameterized transitions gives a tighter underapproximation
– TMTS with assume-guarantee transitions for complete reasoning

Modal Transition Systems (concrete vs. abstract)
• MAY(a,a') (existential abstraction): there exist c, c' with c → c', α(c) = a and α(c') = a'. Overapproximation.
• MUST+(a,a'): for all c with α(c) = a there exists c' with α(c') = a' and c → c'. Total; underapproximation; must+ implies may.
• MUST–(a,a') [T. Ball – FMCO'04]: for all c' with α(c') = a' there exists c with α(c) = a and c → c'. Onto; underapproximation; must– implies may.
• must+ and must– are incomparable
• TMTS is strictly more expressive than MTS

MTS
• may and must+ transitions
• precision preorder is logically characterized by PML: φ ::= p | AX φ | ¬φ | φ ∧ φ
TMTS
• may, must+ and must– transitions
• precision preorder is logically characterized by full-PML: φ ::= p | AX φ | AY φ | ¬φ | φ ∧ φ
• full-PML is strictly more expressive than PML [Pinter, Wolper – PODC'84] [Kupferman, Pnueli – LICS'95]

TMTS: what does it buy us?
• Verifying specifications with past operators
• Reasoning about specifications in the falsification setting
– must+ for verification and must– for falsification
• Tighter weak reachability in the abstract system
– combine must+ and must– along the path

Semantics of the μ-calculus for TMTS
• α: C → A
• (C, c1) ⊨ φ
• [(A, a1) ⊨ φ] – the value of the μ-calculus formula φ in state a1 of TMTS A
• [(A, a) ⊨ φ] = T – for all concrete states c with α(c) = a, (C, c) ⊨ φ
• [(A, a) ⊨ φ] = T∃ – there exists a concrete state c with α(c) = a and (C, c) ⊨ φ
• [(A, a) ⊨ φ] = F – for all concrete states c with α(c) = a, (C, c) ⊭ φ
• [(A, a) ⊨ φ] = F∃ – there exists a concrete state c with α(c) = a and (C, c) ⊭ φ
• [(A, a) ⊨ φ] = M – there exist concrete states c and c' such that α(c) = α(c') = a, (C, c) ⊨ φ and (C, c') ⊭ φ
• [(A, a) ⊨ φ] = ⊥
[Figure: the information lattice and the truth lattice over the six values T, T∃, F, F∃, M, ⊥; diagrams not recoverable from the extracted text]

Semantics of the μ-calculus for TMTS: cases
• [(A, a) ⊨ φ1 ∧ φ2]
• [(A, a) ⊨ EX φ]
• [(A, a) ⊨ μZ.φ(Z)]

6-valued semantics of φ1 ∧ φ2
[(A, a) ⊨ φ1 ∧ φ2] = [(A, a) ⊨ φ1] # [(A, a) ⊨ φ2]
[Figure: truth table of the 6-valued operation #; not recoverable from the extracted text]

Semantics of EX
[(A, a) ⊨ EX φ] =
– F if for all a', if may(a,a') then [(A, a') ⊨ φ] = F
– T if there exists a' s.t. must+(a,a') and [(A, a') ⊨ φ] = T
– T∃ if there exists a' s.t. must–(a,a') and [(A, a') ⊨ φ] is T or T∃
– ⊥ otherwise
If [(A, a) ⊨ EX φ] = T∃ then there exists c with α(c) = a and c ⊨ EX φ:
• [(A, a) ⊨ EX φ] = T∃
• there exists a' s.t. must–(a,a') and [(A, a') ⊨ φ] = T∃
• there exists c' such that α(c') = a' and c' ⊨ φ
• for all c' with α(c') = a' there is c with α(c) = a such that c → c'
• hence c ⊨ EX φ

Semantics of μ
• The semantics of the PML operators is monotonic
– the least fixpoint operator can be computed by iteration from F in the usual way:
– [(A, a) ⊨ μZ.φ(Z)] = [(A, a) ⊨ φ*(F)]

Semantics of the μ-calculus for TMTS: precision
• The 6-valued semantics is at least as precise as the standard 3-valued semantics of the μ-calculus for MTS
• [(A, a) ⊨ φ] = ⊥
– 3-valued abstraction refinement of must+ transitions [Shoham, Grumberg – CAV'03]; adapt for must–
• Hypermust transitions
– [Larsen, Xinxin – LICS'90] [Shoham, Grumberg – CAV'04]
– adapt for must–
– MTS with hypermust+ is incomparable with TMTS
[Figure: EX(x>6) evaluated under x := x – 3 over concrete states 6, 7, 8, 9, 10, … with must and may transitions; not recoverable from the extracted text]

Weak Reachability
• a' (error state) is weakly reachable from a (initial state) if there exist c, c' with α(c) = a, α(c') = a' and c →* c'
• Related to testing

Example
Predicates: x<6, x>7. Abstract values TF = (x < 6), FT = (x > 7), FF = (x = 6) ∨ (x = 7).
L0: if x<6 then
L1:   x := x + 3
L2: if x > 7 then
L3:   x := x – 3
L4:
Abstract states: L0: TF, FT, FF; L1: TF; after L1 (x := x + 3): L2: TF (must–), L2: FF (must–), L3: FT (may); after L3 (x := x – 3): L4: TF (may), L4: FT (must–), L4: FF (must–). Concrete witness: x = 5.

Underapproximation of Weak Reachability
• if [must+]*(a,a') then a' is weakly reachable from a
• Arbitrary combinations of must+ and must– transitions do not preserve weak reachability
• Find a tighter underapproximation of weak reachability
[Figure: the example above annotated with concrete values x = 2, x = 5, x = 6, x = 9, asking whether must– followed by must+ preserves weak reachability]

Observations
• a3 is weakly reachable from a1 if there exists a2 such that must–(a1,a2) and must+(a2,a3)
• The onto nature of must– is preserved by [must–]*
• The total nature of must+ is preserved by [must+]* [T. Ball – FMCO'04]

Underapproximation [T. Ball – FMCO'04]
If there exist a1, a2, a3 such that [must–]*(a1,a2) and [must+]*(a2,a3), then a3 is weakly reachable from a1.

Parameterized Transitions
• In the example, a may transition need be neither MUST+ (total from a? NO) nor MUST– (onto a'? NO).
• MUST+(θ): must+(θ)(a,a') iff for all c with α(c) = a and c ⊨ θ there exists c' with α(c') = a' and c → c' (total from a ∧ θ)
• MUST–(θ): must–(θ)(a,a') iff for all c' with α(c') = a' and c' ⊨ θ there exists c with α(c) = a and c → c' (onto a' ∧ θ)
• if θ is TRUE then must+(θ) is must+ and must–(θ) is must–

Observation
• a3 is weakly reachable from a1 if there exists a2 such that
– must–(θ1)(a1,a2)
– must+(θ2)(a2,a3)
– θ1 ∧ θ2 is satisfiable in a2
• Strongest parameters θ1 and θ2

Strongest Parameters
• MUST+(WP(s,a')): if must+(θ)(a,a') for statement s then a ∧ θ ⇒ WP(s,a')
• MUST–(SP(s,a)): if must–(θ)(a,a') for statement s then a' ∧ θ ⇒ SP(s,a)
• Generated automatically as part of the construction of the TMTS

Example (continued)
SP(x := x + 3, x < 6) = x < 9, so L1: TF → L3: FT becomes must–(x < 9).
WP(x := x – 3, x < 6) = x < 9, so L3: FT → L4: TF becomes must+(x < 9).

Tighter Underapproximation
If there exist a1, …, a5 s.t. [must–]*(a1,a2), must–(θ1)(a2,a3), must+(θ2)(a3,a4), [must+]*(a4,a5), and θ1 ∧ θ2 is satisfiable in a3, then a5 is weakly reachable from a1.

Complete Reasoning
• a' is reachable by a certain sequence of abstract transitions from a if and only if a' is weakly reachable from a
• Assume-guarantee transitions – another type of parameterized transitions: <θ> must+ <θ'>

Assume-Guarantee Transitions
• <θ> MUST+ <θ'>: <θ>must+<θ'>(a,a') iff for all c with α(c) = a and c ⊨ θ there exists c' with α(c') = a', c' ⊨ θ' and c → c'
• <θ> MUST– <θ'>: <θ>must–<θ'>(a,a') iff for all c' with α(c') = a' and c' ⊨ θ' there exists c with α(c) = a, c ⊨ θ and c → c'
• Which θ and θ' predicates do we need?

The idea…
• θ1 = a1; θ2 = SP(s1, θ1); <θ1>must–<θ2>(a1,a2)
• θ3 = SP(s2, θ2); <θ2>must–<θ3>(a2,a3)
• θ5 = a5; θ4 = WP(s4, θ5); <θ4>must+<θ5>(a4,a5)
• θ3' = WP(s3, θ4); <θ3'>must+<θ4>(a3,a4)
• θ3 ∧ θ3' is satisfiable

Assume-guarantee transitions
• Complete reasoning about weak reachability
– a' is reachable by a certain sequence of assume-guarantee transitions from a if and only if a' is weakly reachable from a
– Finding the right parameters ~ computing loop invariants

Weak Reachability: Summary
• Previous work [T. Ball – FMCO'04]: [must–]* [must+]*
• Parameterized transitions: [must–]* must–(θ1) must+(θ2) [must+]*
• Assume-guarantee transitions – complete reasoning

Applications
• Falsification of properties in CTL, LTL
• Abstraction-guided test generation
– a tighter underapproximation of weakly reachable states improves coverage of the generated tests
– example: QuickSort's partition function

Summary
• Ternary Modal Transition System (TMTS)
– onto and total must transitions
– full-PML logically characterizes the precision preorder on TMTS
• 6-valued semantics of the μ-calculus for TMTS
• Tighter underapproximation of weak reachability with parameterized transitions
– completeness result using assume-guarantee transitions
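The weak-reachability example from the slides (predicates x<6 and x>7, the four-line program, SP(x:=x+3, x<6) = x<9 and WP(x:=x–3, x<6) = x<9) worked through in Python as an added example; this is not code from the paper. It computes may, must+, must– and the parameterized must+(θ)/must–(θ) transitions by enumeration over a constructed bounded sample of x, and checks the observation that must–(θ1) followed by must+(θ2) with θ1 ∧ θ2 satisfiable witnesses weak reachability. The test at L2 is modelled as its own step, so the slides' target "L3: FT" appears here as the abstract state (L2, FT).

```python
# Added example (not from the paper): may / must+ / must- transitions of the
# TMTS for the slides' program under the predicates x<6 and x>7, plus the
# parameterized must+(theta) / must-(theta) transitions.
SAMPLE = range(-50, 100)   # constructed finite sample of x to quantify over

def succ(loc, x):
    """Concrete successors of (loc, x) for the program on the slides."""
    return {"L0": [("L1", x)] if x < 6 else [("L2", x)],
            "L1": [("L2", x + 3)],
            "L2": [("L3", x)] if x > 7 else [("L4", x)],
            "L3": [("L4", x - 3)],
            "L4": []}[loc]

def pred(loc, x):
    """Concrete predecessors of (loc, x); the inverse of succ."""
    return {"L0": [],
            "L1": [("L0", x)] if x < 6 else [],
            "L2": ([("L0", x)] if x >= 6 else []) + [("L1", x - 3)],
            "L3": [("L2", x)] if x > 7 else [],
            "L4": ([("L2", x)] if x <= 7 else []) + [("L3", x + 3)]}[loc]

def alpha(loc, x):
    """Predicate abstraction: (location, x<6, x>7) written as TF / FT / FF."""
    return (loc, "TF" if x < 6 else "FT" if x > 7 else "FF")

def gamma(a):
    """Sampled concrete states represented by abstract state a."""
    return [(a[0], x) for x in SAMPLE if alpha(a[0], x) == a]

def may(a1, a2):
    return any(alpha(*d) == a2 for c in gamma(a1) for d in succ(*c))

def must_plus(a1, a2, theta=lambda x: True):
    """Total: every c in a1 satisfying theta has some successor in a2."""
    return all(any(alpha(*d) == a2 for d in succ(*c))
               for c in gamma(a1) if theta(c[1]))

def must_minus(a1, a2, theta=lambda x: True):
    """Onto: every c' in a2 satisfying theta has some predecessor in a1."""
    return all(any(alpha(*p) == a1 for p in pred(*c))
               for c in gamma(a2) if theta(c[1]))

def weakly_reachable_obs(a1, a2, a3, theta1, theta2):
    """The slides' observation: a3 is weakly reachable from a1 if
    must-(theta1)(a1,a2), must+(theta2)(a2,a3) and theta1 /\ theta2 is
    satisfiable in a2 (satisfiability checked here over the sample)."""
    sat = any(theta1(x) and theta2(x) for _, x in gamma(a2))
    return sat and must_minus(a1, a2, theta1) and must_plus(a2, a3, theta2)
```

Without the parameter, neither must+ nor must– relates (L1, TF) to (L2, FT) or (L3, FT) to (L4, TF); with θ = x < 9 both become must transitions, and the chain (L2, FT) → (L3, FT) → (L4, TF) is then witnessed (concretely by x = 8).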

Posted: 1/31/2012
Pages: 52