PAGES: 52 POSTED ON: 1/31/2012
Abstraction for Falsification
Thomas Ball, Microsoft Research, Redmond, US
Orna Kupferman, Hebrew University, Jerusalem, Israel
Greta Yorsh, Tel Aviv University, Israel
CAV'05

Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification
– properties of abstract system hold for corresponding concrete system
– :CA
– if abstract state a satisfies property P then all concrete states represented by a satisfy P
– a A if a P then c C . (c)=a c P

Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification
– errors of the abstract system exist in corresponding concrete system
– :CA
– a A if a P then c C . (c)=a c P
– c C . (c)=a c P

Motivation
• An abstraction that is sound for falsification need not be sound for verification.
• Existing frameworks for abstraction for verification
– Modal Transition System (MTS)
– MTS, PKS, KMTS: equivalent in expressive power [Godefroid, Jagadeesan – VMCAI'03]
– can be too restrictive for falsification

Main Results
• New framework for abstraction
– Ternary Modal Transition System (TMTS)
– TMTS is stronger than MTS
– Semantics of μ-calculus for TMTS
• Weak reachability
– TMTS with parameterized transitions gives tighter underapproximation
– TMTS with assume-guarantee transitions for complete reasoning

Modal Transition Systems
(diagram: concrete states c, c' on the left, abstract states a, a' on the right)
• MAY(a,a') (existential abstraction): c, c' . c c' (c) = a (c') = a' – overapproximation
• MUST+(a,a'): c. (c) = a c' . (c') = a' c must c' – total – underapproximation
• MUST–(a,a') [T. Ball – FMCO'04]: c'. (c') = a' c. (c) = a c must c' – onto – underapproximation
• must+ and must– are incomparable
• TMTS strictly more expressive than MTS

MTS
• may and must+ transitions
• precision preorder is logically characterized by PML
 ::= p | AX | |

TMTS
• may, must+ and must– transitions
• precision preorder is logically characterized by full-PML
 ::= p | AX | AY | |
• full-PML is strictly more expressive than PML [Pinter, Wolper – PODC'84] [Kupferman, Pnueli – LICS'95]

TMTS: what does it buy us?
• Verifying specifications with past operators
• Reasoning about specifications in falsification setting
– must+ for verification and must– for falsification
• Tighter weak reachability in abstract system
– combine must+ and must– along the path

Semantics of μ-calculus for TMTS
• :CA
• (C, c1)
• [ (A, a1) ] – the value of the μ-calculus formula in state a1 of TMTS A

Semantics of μ-calculus for TMTS
• [ (A, a) ] = T – for all concrete states c with (c) = a, (C, c)
• [ (A, a) ] = T – there exists a concrete state c with (c) = a and (C, c)
• [ (A, a) ] = F – for all concrete states c with (c) = a, (C, c)
• [ (A, a) ] = F – there exists a concrete state c with (c) = a and (C, c)
• [ (A, a) ] = M – there exist concrete states c and c' such that (c) = (c') = a and (C, c) and (C, c')
• [ (A, a) ] =
(diagram: Information Lattice and Truth Lattice over the six values T, T, F, F, M and the sixth value)

Semantics of μ-calculus for TMTS
• [ (A, a) 1 2 ]
• [ (A, a) EX ]
• [ (A, a) ]

6-valued Semantics of 1 2
• [ (A, a) 1 2 ] = [ (A, a) 1 ] # [ (A, a) 2 ]
(table: 6×6 truth table of the # operator over F, F, M, T, T and the sixth value, built up over several animation steps)

Semantics of EX
[ (A, a) EX ] =
– F if for all a', if may(a,a') then [(A, a') ] = F
– T if exists a' s.t. must+(a,a') and [(A,a') ] = T
– T if exists a' s.t. must–(a,a') and [(A,a') ] T
– otherwise
• if [ (A, a) EX ] = T then there exists c with (c) = a and c EX
• [ (A, a) EX ] = T
• exists a' s.t. must–(a,a') and [(A,a') ] = T
• exists c' such that (c')=a' and c'
• for all c' with (c')=a' there is c with (c)=a such that c c'
• c EX
(diagram: a with EX = T, must– edge to a' with = T, witnesses c and c')

Semantics of μ
• The semantics of PML operators is monotonic
– Least fixpoint operator can be computed by iterations from F in the usual way:
– [(A,a) Z . (Z) ] = [ (A, a) *(F) ]

Semantics of μ-calculus for TMTS
• The 6-valued semantics is at least as precise as the standard 3-valued semantics of μ-calculus for MTS
• [(A,a) ] =
– 3-valued abstraction refinement of must+ transitions [Shoham, Grumberg – CAV'03]
– adapt for must–
• Hypermust transitions
– [Larsen, Xinxin – LICS'90] [Shoham, Grumberg – CAV'04]
– adapt for must–
– MTS with hypermust+ is incomparable with TMTS
(diagram: example with statement x:=x–3, property EX(x>6), predicate x > 6, concrete values 6, 7, 8, 9, 10 and x=7, showing must, may and the value =?)

Weak Reachability
(diagram: initial state a with concrete c, error state a' with concrete c')
• a' is weakly-reachable from a
• c, c' . (c)=a (c')=a' c * c'
• Related to testing

Example
Predicates: x<6, x>7; (x=6)(x=7) is (x < 6) (x > 7)
L0: if x<6 then
L1: x := x + 3
L2: if x > 7 then
L3: x := x – 3
L4:
(diagram: abstract states per location labelled TF, FT, FF; from L1 the edges are must–, must–, may; from L3 the edges are may, must–, must–; later builds annotate concrete values x=5, x=6, x=2, x=9 and a "– must + ?" edge)

Underapproximation of Weak Reachability
• if [must+]*(a,a') then a' is weakly reachable from a
• Arbitrary combinations of must+ and must– transitions do not preserve weak reachability
• Find a tighter underapproximation of weak-reachability

Observations
• a3 is weakly reachable from a1 if there exists a2 such that must–(a1,a2) and must+(a2,a3)
• Onto nature of must– is preserved by [must–]*
• Total nature of must+ is preserved by [must+]*
[T. Ball – FMCO'04]
(diagram: a1 must– a2 must+ a3)

Underapproximation
If there exists a1, a2, a3 such that [must–]*(a1,a2) and [must+]*(a2,a3) then a3 is weakly-reachable from a1
[T. Ball – FMCO'04]
(diagram: a1 [must–]* a2 [must+]* a3)

Parameterized Transitions
(diagram: MUST+ ? (total from a?) NO; MUST– ? (onto a'?) NO; MAY)
• MUST+(): must+() c. (c) = a c c' . (c') = a' c c' – total from a
• MUST–(): must–() c'. (c') = a' c' c. (c) = a c c' – onto a'
• if is TRUE then must+() is must+ and must–() is must–

Observation
• a3 is weakly reachable from a1 if there exists a2 such that
– must–(1)(a1,a2)
– must+(2)(a2,a3)
– 1 2 a2 is satisfiable
• Strongest parameters 1 and 2
(diagram: a1 must–(1) a2 must+(2) a3)

Strongest Parameters
• MUST+( WP(s,a') ): c. (c) = a c c' . (c') = a' c c'
– if must+() then a ( WP(s,a'))
• MUST–( SP(s,a) ): c'. (c') = a' c' c. (c) = a c c'
– if must–() then a' ( SP(s,a))
• Generated automatically as part of the construction of TMTS

Example
Predicates: x<6, x>7; (x=6)(x=7) is (x < 6) (x > 7)
L0: if x<6 then
L1: x := x + 3
L2: if x > 7 then
L3: x := x – 3
L4:
• SP(x:=x+3, x<6) = x < 9
• WP(x:=x-3, x<6) = x < 9
(diagram: the L1 edge to FT becomes must–(x<9) and the L3 edge to TF becomes must+(x<9); the other edges stay must–, must–, may and may, must–, must–)

Tighter Underapproximation
If there exists a1,...,a5 s.t.
– [must–]*(a1,a2)
– must–(1)(a2,a3)
– must+(2)(a3,a4)
– [must+]*(a4,a5)
– 1 2 a3 is satisfiable
then a5 is weakly-reachable from a1
(diagram: a1 [must–]* a2 must–(1) a3 must+(2) a4 [must+]* a5)

Complete Reasoning
– a' is reachable by a certain sequence of abstract transitions from a
– a' is weakly-reachable from a
• Assume-guarantee transitions
– another type of parameterized transitions: <> must+ <'>

Assume-Guarantee Transitions
• < > MUST+ < '>: <>must+<'> c. (c) = a c c' . (c') = a' c' ' c c'
• < > MUST– < '>: c'. (c') = a' c' ' <>must–<'> c . (c) = a c c c'
• Which and ' predicates do we need?

The idea...
(diagram: a1 –s1– a2 –s2– a3 –s3– a4 –s4– a5)
• a1 <1>must– <2> a2: 1 = a1, 2 = SP(s1, 1)
• a2 <2>must– <3> a3: 3 = SP(s2, 2)
• a3 <3>must+ <4> a4: 3a = WP(s3, 4)
• a4 <4>must+ <5> a5: 4 = WP(s4, 5), 5 = a5
• 3 3 is satisfiable

Assume-guarantee transitions
• Complete Reasoning about Weak Reachability
– a' is reachable by a certain sequence of assume-guarantee transitions from a
– a' is weakly-reachable from a
• Finding right parameters ~ computing loop invariants

Weak Reachability: Summary
• Previous work [T. Ball – FMCO'04]: [must–]* [must+]*
• Parameterized transitions: [must–]* must–(1) must+(2) [must+]*
• Assume-guarantee transitions – complete reasoning

Applications
• Falsification of properties in CTL, LTL
• Abstraction-guided test generation
– tighter underapproximation of weakly-reachable states improves coverage of the generated tests
– example of QuickSort's partition function

Summary
• Ternary Modal Transition System (TMTS)
– onto and total must transitions
– full-PML logically characterizes precision preorder on TMTS
• 6-valued semantics of μ-calculus for TMTS
• Tighten underapproximation of weak reachability with parameterized transitions
– completeness result using assume-guarantee transitions
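The following is an added worked example, not code from the slides or the authors: it builds the deck's predicate abstraction (x<6, x>7) of the statements x := x + 3 and x := x – 3, computes may, must+ (total) and must– (onto) transitions using the standard definitions, and then checks the parameterized must–(SP(s,a)) / must+(WP(s,a')) step of the "Tighter Underapproximation" rule. It assumes statements are bijections on the integers (so the inverse is x – k) and checks universal quantifiers over a constructed bounded sample of concrete states.

```python
# Added example (not from the slides). Assumptions: statements are total
# bijections x := x + k on Z; "for all concrete states" is checked over
# a constructed finite sample DOMAIN; abstract state = truth assignment.
DOMAIN = range(-40, 40)

# Predicates from the slides: x<6 and x>7. TF = (x<6, not x>7) etc.
PREDS = (lambda x: x < 6, lambda x: x > 7)
TF, FT, FF = (True, False), (False, True), (False, False)

def gamma(a, c):
    """Is concrete state c represented by abstract state a?"""
    return all(p(c) == v for p, v in zip(PREDS, a))

class Assign:
    """x := x + k, with forward step f and inverse g."""
    def __init__(self, k): self.k = k
    def f(self, x): return x + self.k
    def g(self, x): return x - self.k
    def sp(self, pred):  # strongest postcondition: SP(x:=x+k, P) = P(x-k)
        return lambda x: pred(self.g(x))
    def wp(self, pred):  # weakest precondition: WP(x:=x+k, P) = P(x+k)
        return lambda x: pred(self.f(x))

TRUE = lambda x: True

def may(a, a2, s):
    """Existential abstraction: some c in gamma(a) steps into gamma(a2)."""
    return any(gamma(a, c) and gamma(a2, s.f(c)) for c in DOMAIN)

def must_plus(a, a2, s, theta=TRUE):
    """Total from a (and theta): every such c steps into gamma(a2)."""
    return all(gamma(a2, s.f(c)) for c in DOMAIN if gamma(a, c) and theta(c))

def must_minus(a, a2, s, theta=TRUE):
    """Onto a2 (and theta): every such c' has a predecessor in gamma(a)."""
    return all(gamma(a, s.g(c2)) for c2 in DOMAIN if gamma(a2, c2) and theta(c2))

def tight_underapprox(a1, s1, a2, s2, a3):
    """Middle segment of the slides' rule: must-(th1)(a1,a2), must+(th2)(a2,a3)
    with th1 = SP(s1,a1), th2 = WP(s2,a3), and th1 & th2 & a2 satisfiable.
    Returns a concrete witness for a2, or None if the rule does not apply."""
    th1 = s1.sp(lambda x: gamma(a1, x))
    th2 = s2.wp(lambda x: gamma(a3, x))
    if not (must_minus(a1, a2, s1, th1) and must_plus(a2, a3, s2, th2)):
        return None
    return next((x for x in DOMAIN if gamma(a2, x) and th1(x) and th2(x)), None)
```

With the deck's program, the unparameterized must–(TF,FT) for x:=x+3 and must+(FT,TF) for x:=x–3 both fail, while the SP/WP-parameterized versions succeed with witness x=8, matching the slides' x<9 parameters.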