Abstraction for Falsification


Thomas Ball      Microsoft Research, Redmond, US

Orna Kupferman   Hebrew University, Jerusalem, Israel

Greta Yorsh      Tel Aviv University, Israel



CAV'05
Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification
  – properties of abstract system hold for corresponding concrete system
  – α : C → A
  – ∀a ∈ A, if a ⊨ P then ∀c ∈ C . α(c) = a ⇒ c ⊨ P

Abstraction for Falsification
• Sound abstraction for falsification
  – errors of the abstract system exist in corresponding concrete system
  – α : C → A
  – ∀a ∈ A, if a ⊨ P then ∃c ∈ C . α(c) = a ∧ c ⊨ P
Motivation
• An abstraction that is sound for falsification need not be sound for verification.
• Existing frameworks for abstraction for verification
  – Modal Transition System (MTS)
  – MTS, PKS, KMTS – equivalent in expressive power [Godefroid, Jagadeesan – VMCAI'03]
  – can be too restrictive for falsification

Main Results
• New framework for abstraction
  – Ternary Modal Transition System (TMTS)
  – TMTS is stronger than MTS
  – Semantics of μ-calculus for TMTS
• Weak reachability
  – TMTS with parameterized transitions gives tighter underapproximation
  – TMTS with assume-guarantee transitions for complete reasoning
Modal Transition Systems
Concrete system C, abstract system A, abstraction α : C → A

• MAY(a, a')   (existential abstraction)
  ∃c, c' . c → c' ∧ α(c) = a ∧ α(c') = a'
  overapproximation

• MUST+(a, a')
  ∀c . α(c) = a ⇒ ∃c' . α(c') = a' ∧ c → c'
  total; underapproximation
  must+ ⊆ may

• MUST–(a, a')   [T. Ball – FMCO'04]
  ∀c' . α(c') = a' ⇒ ∃c . α(c) = a ∧ c → c'
  onto; underapproximation
  must– ⊆ may

• must+ and must– are incomparable
TMTS strictly more expressive than MTS

MTS
• may and must+ transitions
• precision preorder is logically characterized by PML
  φ ::= p | AX φ | φ ∧ φ | ¬φ

TMTS
• may, must+ and must– transitions
• precision preorder is logically characterized by full-PML
  φ ::= p | AX φ | AY φ | φ ∧ φ | ¬φ

• full-PML is strictly more expressive than PML
  [Pinter, Wolper – PODC'84] [Kupferman, Pnueli – LICS'95]
TMTS: what does it buy us?

• Verifying specifications with past operators

• Reasoning about specifications in falsification setting
  – must+ for verification and must– for falsification

• Tighter weak reachability in abstract system
  – combine must+ and must– along the path
Semantics of μ-calculus for TMTS

• α : C → A
• (C, c1) ⊨ φ
• [ (A, a1) ⊨ φ ] – the value of the μ-calculus formula φ in state a1 of TMTS A

• [ (A, a) ⊨ φ ] = T
   – for all concrete states c with α(c) = a, (C, c) ⊨ φ
• [ (A, a) ⊨ φ ] = ∃T
   – there exists a concrete state c with α(c) = a and (C, c) ⊨ φ
• [ (A, a) ⊨ φ ] = F
   – for all concrete states c with α(c) = a, (C, c) ⊭ φ
• [ (A, a) ⊨ φ ] = ∃F
   – there exists a concrete state c with α(c) = a and (C, c) ⊭ φ
• [ (A, a) ⊨ φ ] = M
   – there exist concrete states c and c' such that α(c) = α(c') = a and (C, c) ⊨ φ and (C, c') ⊭ φ
• [ (A, a) ⊨ φ ] = ⊥
   – no information
[Figure: the two lattices over the six values. Information lattice: T, F and M carry the most information; ∃T lies below T and M, ∃F below F and M; ⊥ is the bottom. Truth lattice: T at the top, then ∃T, M, ∃F, and F at the bottom.]
Semantics of μ-calculus for TMTS

• [ (A, a) ⊨ φ1 ∧ φ2 ]
• [ (A, a) ⊨ EX φ ]
• [ (A, a) ⊨ μZ . φ(Z) ]
6-valued Semantics of φ1 ∧ φ2
[ (A, a) ⊨ φ1 ∧ φ2 ] = [ (A, a) ⊨ φ1 ] # [ (A, a) ⊨ φ2 ]

   #  |  F   ∃F   M   ∃T   T   ⊥
  ----+---------------------------
   F  |  F   F    F   F    F   F
  ∃F  |  F   ∃F   ∃F  ∃F   ∃F  ∃F
   M  |  F   ∃F   ∃F  ∃F   M   ∃F
  ∃T  |  F   ∃F   ∃F  ⊥    ∃T  ⊥
   T  |  F   ∃F   M   ∃T   T   ⊥
   ⊥  |  F   ∃F   ∃F  ⊥    ⊥   ⊥
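The table above follows from the definitions of the six values rather than having to be read off the slide. The Python below is an added example, not code from the slides or the paper: it reads each value as the set of truth-value "shapes" it allows over the concrete states of an abstract state, enumerates every population of concrete states consistent with a pair of values, and picks the most precise value that is sound for all of them, which reproduces the slide's table (the names ∃T, ∃F and ⊥ for the exists-true, exists-false and no-information values are this example's; # is the slide's operator).

```python
from itertools import product

# Added example (not from the paper). A "shape" is the set of truth values
# phi takes over the concrete states mapped to an abstract state a; each of
# the six information values is the set of shapes it allows:
#   T / F  : every concrete state satisfies / falsifies phi
#   M      : some satisfy and some falsify (mixed)
#   ∃T/∃F  : at least one concrete state satisfies / falsifies phi
#   ⊥      : no information
ALL_T, ALL_F, MIXED = frozenset({True}), frozenset({False}), frozenset({True, False})
VALUES = {
    "T": {ALL_T}, "F": {ALL_F}, "M": {MIXED},
    "∃T": {ALL_T, MIXED}, "∃F": {ALL_F, MIXED},
    "⊥": {ALL_T, ALL_F, MIXED},
}
ORDER = ["F", "∃F", "M", "∃T", "T", "⊥"]   # row/column order used on the slide


def abstract(shapes):
    """Most informative value whose concretization covers every observed shape."""
    fits = [v for v in ORDER if shapes <= VALUES[v]]
    return min(fits, key=lambda v: len(VALUES[v]))


# A population is the set of (phi1, phi2) truth pairs realized by the concrete
# states of a; duplicates do not matter, so every nonempty subset of the four
# possible pairs is a distinct population.
PAIRS = list(product([True, False], repeat=2))
POPULATIONS = [frozenset(p for i, p in enumerate(PAIRS) if mask >> i & 1)
               for mask in range(1, 1 << len(PAIRS))]


def meet(v1, v2):
    """6-valued conjunction (# on the slide): the most precise value that is
    sound for every population whose phi1-shape is allowed by v1 and whose
    phi2-shape is allowed by v2."""
    observed = set()
    for pop in POPULATIONS:
        shape1 = frozenset(b1 for b1, _ in pop)
        shape2 = frozenset(b2 for _, b2 in pop)
        if shape1 in VALUES[v1] and shape2 in VALUES[v2]:
            observed.add(frozenset(b1 and b2 for b1, b2 in pop))
    return abstract(observed)


def conjunction_table():
    """Rows: value of phi1, columns: value of phi2, both in ORDER."""
    return {r: [meet(r, c) for c in ORDER] for r in ORDER}


if __name__ == "__main__":
    print(" #  " + " ".join(f"{c:>2}" for c in ORDER))
    for r, row in conjunction_table().items():
        print(f"{r:>2}  " + " ".join(f"{v:>2}" for v in row))
```

Note that ∃T # ∃T is ⊥, not ∃T: the state witnessing φ1 and the state witnessing φ2 may differ, so nothing is known about the conjunction.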
Semantics of EX

[ (A, a) ⊨ EX φ ] =
  F     if for all a', may(a, a') implies [ (A, a') ⊨ φ ] = F
  T     if there exists a' s.t. must+(a, a') and [ (A, a') ⊨ φ ] = T
  ∃T    if there exists a' s.t. must–(a, a') and [ (A, a') ⊨ φ ] is T or ∃T
  ⊥     otherwise

if [ (A, a) ⊨ EX φ ] = ∃T
then there exists c with α(c) = a and c ⊨ EX φ
•   [ (A, a) ⊨ EX φ ] = ∃T
•   exists a' s.t. must–(a, a') and [ (A, a') ⊨ φ ] = ∃T
•   exists c' such that α(c') = a' and c' ⊨ φ
•   for all c' with α(c') = a' there is c with α(c) = a such that c → c'

[Figure: concrete states c → c' with α(c) = a and α(c') = a'; the abstract transition a → a' is must–; EX φ = ∃T at a and φ = ∃T at a'.]
Semantics of μ
• The semantics of PML operators is monotonic
  – Least fixpoint operator can be computed by iterations from F in the usual way:
  – [ (A, a) ⊨ μZ . φ(Z) ] = [ (A, a) ⊨ φ*(F) ]
Semantics of μ-calculus for TMTS
• The 6-valued semantics is at least as precise as the standard 3-valued semantics of μ-calculus for MTS

• [ (A, a) ⊨ φ ] = ⊥
  – 3-valued abstraction refinement of must+ transitions [Shoham, Grumberg – CAV'03]; adapt for must–

• Hypermust transitions
  – [Larsen, Xinxin – LICS'90] [Shoham, Grumberg – CAV'04]
  – adapt for must–
  – MTS with hypermust+ is incomparable with TMTS

[Figure: concrete states x = 7, 8, 9, 10, ... under the statement x := x – 3, abstract state over the predicate x > 6, and EX(x > 6) evaluated against the must– and may transitions.]
Weak Reachability

[Figure: initial concrete state c with α(c) = a; error concrete state c' with α(c') = a'.]

• a' is weakly-reachable from a
• ∃c, c' . α(c) = a ∧ α(c') = a' ∧ c →* c'
• Related to testing
Example
Predicates: (x < 6), (x > 7)

L0: if x<6 then
L1:     x := x + 3
L2:     if x > 7 then
L3:         x := x – 3
L4:

Abstract states by the valuation of (x<6, x>7); the FF column is (x=6)∨(x=7):
    x<6        x>7        (x=6)∨(x=7)
    L1: TF     L0: FT     L0: FF
    L2: TF     L3: FT     L2: FF
    L4: TF     L4: FT     L4: FF

[Figure: abstract transitions. From L1: TF under x := x + 3: must– to L2: TF, may to L3: FT, must– to L2: FF. From L3: FT under x := x – 3: may to L4: TF, must– to L4: FT, must– to L4: FF. Concrete witness x = 5 at L1.]
Underapproximation of Weak Reachability
• if [must+]*(a, a') then a' is weakly reachable from a

• Arbitrary combinations of must+ and must– transitions do not preserve weak reachability

• Find a tighter underapproximation of weak reachability
Example
Predicates: (x < 6), (x > 7)

[Figure: the abstract transition diagram of the previous Example slide, annotated with concrete values x = 6 and x = 2 at the top row and x = 5 and x = 9 at the middle row, and with the question "must+ ?" on the transitions leaving L1: TF: x = 2 goes to L2: TF while x = 5 goes to L3: FT, so neither transition is total.]
Observations
• a3 is weakly reachable from a1 if there exists a2 such that
  must–(a1, a2) and must+(a2, a3)

• Onto nature of must– is preserved by [must–]*

• Total nature of must+ is preserved by [must+]*

[Figure: a1 → a2 via must–, a2 → a3 via must+]
[T.Ball – FMCO'04]
Underapproximation
If there exists a1, a2, a3 such that
  [must–]*(a1, a2) and
  [must+]*(a2, a3)
then a3 is weakly-reachable from a1

[Figure: a1 → a2 via [must–]*, a2 → a3 via [must+]*]
[T.Ball – FMCO'04]
Parameterized Transitions

• For a may transition a → a':
  MUST+ ?   (total from a?)   NO
  MUST– ?   (onto a'?)        NO

• MUST+(θ)(a, a')
  ∀c . α(c) = a ∧ c ⊨ θ ⇒ ∃c' . α(c') = a' ∧ c → c'
  total from θ

• MUST–(θ)(a, a')
  ∀c' . α(c') = a' ∧ c' ⊨ θ ⇒ ∃c . α(c) = a ∧ c → c'
  onto θ

• if θ is TRUE then must+(θ) is must+ and must–(θ) is must–
Observation
• a3 is weakly reachable from a1 if there exists a2 such that
  – must–(θ1)(a1, a2)
  – must+(θ2)(a2, a3)
  – θ1 ∧ θ2 ∧ a2 is satisfiable
• Strongest parameters θ1 and θ2

[Figure: a1 → a2 via must–(θ1), a2 → a3 via must+(θ2)]
Strongest Parameters

• MUST+(WP(s, a'))(a, a'), for the statement s from a to a'
  ∀c . α(c) = a ∧ c ⊨ WP(s, a') ⇒ ∃c' . α(c') = a' ∧ c → c'
  – if must+(θ)(a, a') then a ⇒ (θ ⇒ WP(s, a'))

• MUST–(SP(s, a))(a, a')
  ∀c' . α(c') = a' ∧ c' ⊨ SP(s, a) ⇒ ∃c . α(c) = a ∧ c → c'
  – if must–(θ)(a, a') then a' ⇒ (θ ⇒ SP(s, a))

Generated automatically as part of the construction of TMTS
Example
Predicates: (x < 6), (x > 7)

SP(x:=x+3, x<6) = x < 9      must–(x < 9) from L1: TF to L3: FT
WP(x:=x-3, x<6) = x < 9      must+(x < 9) from L3: FT to L4: TF

[Figure: the abstract transition diagram of the Example slide; the two may transitions L1: TF → L3: FT and L3: FT → L4: TF are now labelled must–(x<9) and must+(x<9).]
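The parameterized-transition argument on the slides can be checked mechanically on the example program. The Python below is an added example rather than code from the paper: over a finite range of x (an assumption, -40..40) it computes may, must+, must– and their parameterized versions for the two assignments, derives θ1 = SP(x:=x+3, x<6) and θ2 = WP(x:=x–3, x<6) as sets, and confirms that L4: TF is weakly reachable from L1: TF through L3: FT only once the parameters are used, agreeing with a brute-force concrete check.

```python
# Added example (not from the paper): the slide's program over predicates x<6, x>7,
#   L0: if x<6 then  L1: x := x+3  L2: if x>7 then  L3: x := x-3  L4:
# Assumption: x ranges over the finite domain -40..40, wide enough that the
# transitions discussed here are not distorted by the boundary.
X = range(-40, 41)

# Abstract states as predicates on x: valuation of (x<6, x>7).
TF = lambda x: x < 6             # x<6 true, x>7 false
FT = lambda x: x > 7             # x<6 false, x>7 true
FF = lambda x: 6 <= x <= 7       # both false, i.e. (x=6) or (x=7)

plus3 = lambda x: x + 3          # x := x + 3  (L1 -> L2; the test x>7 then selects FT)
minus3 = lambda x: x - 3         # x := x - 3  (L3 -> L4)
TRUE = lambda x: True
member = lambda states: (lambda c: c in states)   # predicate from a set of values


def may(s, a, a2):
    """Existential abstraction: some c in a steps into a2."""
    return any(a(c) and a2(s(c)) for c in X)


def must_plus(s, a, a2, theta=TRUE):
    """must+(theta): total from a and theta; every such c has a successor in a2."""
    return all(a2(s(c)) for c in X if a(c) and theta(c))


def must_minus(s, a, a2, theta=TRUE):
    """must-(theta): onto a2 and theta; every such c' has a predecessor in a."""
    return all(any(a(c) and s(c) == c2 for c in X)
               for c2 in X if a2(c2) and theta(c2))


def sp(s, theta):
    """Strongest postcondition of s from theta, as a set of concrete values."""
    return {s(c) for c in X if theta(c)}


def wp(s, theta):
    """Weakest precondition of s for theta, as a set of concrete values."""
    return {c for c in X if theta(s(c))}


def param_weakly_reachable(s1, a1, a2, s2, a3):
    """The Observation slide with the strongest parameters theta1 = SP(s1, a1)
    and theta2 = WP(s2, a3): a3 is weakly reachable from a1 through a2 when
    must-(theta1)(a1,a2), must+(theta2)(a2,a3) and theta1 & theta2 & a2 is satisfiable."""
    theta1, theta2 = member(sp(s1, a1)), member(wp(s2, a3))
    satisfiable = any(a2(c) and theta1(c) and theta2(c) for c in X)
    return must_minus(s1, a1, a2, theta1) and must_plus(s2, a2, a3, theta2) and satisfiable


def concretely_reachable(s1, a1, a2, s2, a3):
    """Ground truth: a concrete path c -> s1(c) -> s2(s1(c)) through a1, a2, a3."""
    return any(a1(c) and a2(s1(c)) and a3(s2(s1(c))) for c in X)


if __name__ == "__main__":
    print("L1:TF -> L3:FT  may / must+ / must-:", may(plus3, TF, FT),
          must_plus(plus3, TF, FT), must_minus(plus3, TF, FT))
    print("SP(x:=x+3, x<6) is x <", max(sp(plus3, TF)) + 1,
          "  WP(x:=x-3, x<6) is x <", max(wp(minus3, TF)) + 1)
    print("L4:TF weakly reachable from L1:TF via L3:FT:",
          param_weakly_reachable(plus3, TF, FT, minus3, TF))
```

The negative case L1: TF → L2: FF → L4: FT shows why the satisfiability conjunct is needed: must–(θ1) and must+(θ2) both hold there (the latter vacuously), but θ1 ∧ θ2 ∧ a2 is empty and no concrete path exists.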
Tighter Underapproximation
If there exists a1, ..., a5 s.t.
  [must–]*(a1, a2)
  must–(θ1)(a2, a3)
  must+(θ2)(a3, a4)
  [must+]*(a4, a5)
  θ1 ∧ θ2 ∧ a3 is satisfiable
then a5 is weakly-reachable from a1

[Figure: a1 → a2 via [must–]*, a2 → a3 via must–(θ1), a3 → a4 via must+(θ2), a4 → a5 via [must+]*]
Complete Reasoning

• a' is reachable by a certain sequence of abstract transitions from a
  if and only if a' is weakly-reachable from a

• Assume-guarantee transitions
  – another type of parameterized transitions: <θ> must+ <θ'>
Assume-Guarantee Transitions

• <θ> MUST+ <θ'>(a, a')
  ∀c . α(c) = a ∧ c ⊨ θ ⇒ ∃c' . α(c') = a' ∧ c' ⊨ θ' ∧ c → c'

• <θ> MUST– <θ'>(a, a')
  ∀c' . α(c') = a' ∧ c' ⊨ θ' ⇒ ∃c . α(c) = a ∧ c ⊨ θ ∧ c → c'

Which θ and θ' predicates do we need?
The idea...
A path a1 →s1 a2 →s2 a3 →s3 a4 →s4 a5 with assume-guarantee transitions:
  s1: <θ1> must– <θ2>          θ1 = a1
  s2: <θ2> must– <θ3>          θ2 = SP(s1, θ1) ∧ a2
  s3: <θ3'> must+ <θ4>         θ3 = SP(s2, θ2) ∧ a3
  s4: <θ4> must+ <θ5>          θ3' = WP(s3, θ4) ∧ a3
                               θ4 = WP(s4, θ5) ∧ a4
                               θ5 = a5
  θ3 ∧ θ3' is satisfiable
Assume-guarantee transitions
• Complete Reasoning about Weak Reachability
  – a' is reachable by a certain sequence of assume-guarantee transitions from a
  – a' is weakly-reachable from a
• Finding the right parameters ~ computing loop invariants
Weak Reachability: Summary
• Previous work [T.Ball – FMCO'04]:
    [must–]* [must+]*

• Parameterized transitions:
    [must–]* must–(θ1) must+(θ2) [must+]*

• Assume-guarantee transitions
  – complete reasoning
Applications
• Falsification of properties in CTL, LTL

• Abstraction-guided test generation
  – tighter underapproximation of weakly-reachable states improves coverage of the generated tests
  – example of QuickSort's partition function

Summary
• Ternary Modal Transition System (TMTS)
  – onto and total must transitions
  – full-PML logically characterizes the precision preorder on TMTS
• 6-valued semantics of μ-calculus for TMTS
• Tighter underapproximation of weak reachability with parameterized transitions
  – completeness result using assume-guarantee transitions

				