
Abstraction for Falsification


Thomas Ball (Microsoft Research, Redmond, US)
Orna Kupferman (Hebrew University, Jerusalem, Israel)
Greta Yorsh (Tel Aviv University, Israel)

CAV’05
Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification
  – properties of abstract system hold for
    corresponding concrete system
  – α : C → A
  – if abstract state a satisfies property P then all
    concrete states represented by a satisfy P
  – ∀a ∈ A, if a ⊨ P
            then ∀c ∈ C . α(c) = a ⇒ c ⊨ P
Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification
  – errors of the abstract system exist in
    corresponding concrete system
  – α : C → A
  – ∀a ∈ A, if a ⊭ P
            then ∃c ∈ C . α(c) = a ∧ c ⊭ P
Motivation
• An abstraction that is sound for
  falsification need not be sound for
  verification.
• Existing frameworks for abstraction for
  verification
  – Modal Transition System (MTS)
  – MTS, PKS, KMTS: equivalent in expressive
    power [Godefroid, Jagadeesan – VMCAI’03]
  – can be too restrictive for falsification
Main Results
• New framework for abstraction
  – Ternary Modal Transition System (TMTS)
  – TMTS is stronger than MTS
  – Semantics of μ-calculus for TMTS
• Weak reachability
  – TMTS with parameterized transitions gives
    tighter underapproximation
  – TMTS with assume-guarantee transitions for
    complete reasoning
Modal Transition Systems
(Figure: each abstract transition a → a’ drawn above the concrete transitions c → c’ it abstracts)
• MAY(a,a’) (existential abstraction): ∃c, c’ . c → c’ ∧ α(c) = a ∧ α(c’) = a’
  – overapproximation
• MUST+(a,a’): ∀c . α(c) = a ⇒ ∃c’ . α(c’) = a’ ∧ c → c’
  – total
  – underapproximation
  – must+ ⊆ may
• MUST–(a,a’) [T. Ball – FMCO’04]: ∀c’ . α(c’) = a’ ⇒ ∃c . α(c) = a ∧ c → c’
  – onto
  – underapproximation
  – must– ⊆ may
• must+ and must– are incomparable
TMTS strictly more expressive than MTS

MTS
• may and must+ transitions
• precision preorder is logically characterized by PML
  φ ::= p | AX φ | ¬φ | φ ∧ φ

TMTS
• may, must+ and must– transitions
• precision preorder is logically characterized by full-PML
  φ ::= p | AX φ | AY φ | ¬φ | φ ∧ φ

• full-PML is strictly more expressive than PML
  [Pinter, Wolper – PODC’84] [Kupferman, Pnueli – LICS’95]
      TMTS: what does it buy us?

• Verifying specifications with past operators

• Reasoning about specifications in
  falsification setting
  – must+ for verification and must- for falsification


• Tighter weak reachability in abstract system
  – combine must+ and must- along the path
Semantics of μ-calculus for TMTS
• α : C → A
• (C, c1) ⊨ φ
• [ (A, a1) ⊨ φ ] – the value of the μ-calculus formula φ
  in state a1 of TMTS A
• [ (A, a) ⊨ φ ] = T
  – for all concrete states c with α(c) = a, (C, c) ⊨ φ
• [ (A, a) ⊨ φ ] = ∃T
  – there exists a concrete state c with α(c) = a and (C, c) ⊨ φ
• [ (A, a) ⊨ φ ] = F
  – for all concrete states c with α(c) = a, (C, c) ⊭ φ
• [ (A, a) ⊨ φ ] = ∃F
  – there exists a concrete state c with α(c) = a and (C, c) ⊭ φ
• [ (A, a) ⊨ φ ] = M
  – there exist concrete states c and c’ such that
    α(c) = α(c’) = a and (C, c) ⊨ φ and (C, c’) ⊭ φ
• [ (A, a) ⊨ φ ] = ⊥
(Figure: the 3-valued information lattice and truth lattice over T, F, ⊥, followed by the 6-valued information lattice and truth lattice over T, ∃T, M, ∃F, F, ⊥)
Semantics of μ-calculus for TMTS

• [ (A, a) ⊨ φ1 ∧ φ2 ]
• [ (A, a) ⊨ EX φ ]
• [ (A, a) ⊨ μZ . φ(Z) ]

6-valued Semantics of φ1 ∧ φ2
[ (A, a) ⊨ φ1 ∧ φ2 ] = [ (A, a) ⊨ φ1 ] # [ (A, a) ⊨ φ2 ]

  #    F    ∃F   M    ∃T   T    ⊥
  F    F    F    F    F    F    F
  ∃F   F    ∃F   ∃F   ∃F   ∃F   ∃F
  M    F    ∃F   ∃F   ∃F   M    ∃F
  ∃T   F    ∃F   ∃F   ⊥    ∃T   ⊥
  T    F    ∃F   M    ∃T   T    ⊥
  ⊥    F    ∃F   ∃F   ⊥    ⊥    ⊥
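The table can be derived rather than memorised. The following Python is an added example, not code from the paper: it computes each entry of # by enumerating every nonempty set of concrete states consistent with the two operand values and summarising the exact value of φ1 ∧ φ2 over them; the names ET, EF and BOT stand for ∃T, ∃F and ⊥.

```python
from itertools import product

# The six values: T/F hold in all concrete states of a, M in some but not
# others, ET/EF (∃T/∃F) in at least one, BOT (⊥) carries no information.
T, F, M, ET, EF, BOT = "T", "F", "M", "ET", "EF", "BOT"

# Exact outcomes (T, F or M) that each six-valued value leaves possible.
ALLOWED = {T: {T}, F: {F}, M: {M}, ET: {T, M}, EF: {F, M}, BOT: {T, F, M}}

def exact(bits):
    """Precise value of a formula given its truth bit in every concrete state."""
    if all(bits):
        return T
    if not any(bits):
        return F
    return M

def summarize(outcomes):
    """Most informative six-valued value covering every possible exact outcome."""
    for v in (T, F, M, ET, EF):          # from most to least informative
        if outcomes <= ALLOWED[v]:
            return v
    return BOT

def meet(v1, v2):
    """Value of φ1∧φ2 at abstract state a when φ1 has value v1 and φ2 has v2.

    A concrete model is a nonempty set of (bit1, bit2) pairs, one per concrete
    state: bit1 is the truth of φ1 there and bit2 the truth of φ2. The result
    summarises φ1∧φ2 over all models consistent with v1 and v2, which is why
    ET # ET is BOT (the two witnesses may differ) and M # M is EF.
    """
    pairs = list(product((0, 1), repeat=2))
    outcomes = set()
    for mask in range(1, 1 << len(pairs)):           # every nonempty subset
        model = [p for i, p in enumerate(pairs) if mask >> i & 1]
        if exact([b1 for b1, _ in model]) not in ALLOWED[v1]:
            continue
        if exact([b2 for _, b2 in model]) not in ALLOWED[v2]:
            continue
        outcomes.add(exact([b1 & b2 for b1, b2 in model]))
    return summarize(outcomes)

ORDER = (F, EF, M, ET, T, BOT)             # row/column order of the slide

def table():
    """The full 6x6 table of # as a dict keyed by (row value, column value)."""
    return {(a, b): meet(a, b) for a in ORDER for b in ORDER}

if __name__ == "__main__":
    tab = table()
    print("  # " + " ".join(f"{c:>3}" for c in ORDER))
    for a in ORDER:
        print(f"{a:>3} " + " ".join(f"{tab[a, b]:>3}" for b in ORDER))
```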
Semantics of EX

[ (A, a) ⊨ EXφ ] =
  F    if for all a’, if may(a,a’) then [(A, a’) ⊨ φ] = F
  T    if exists a’ s.t. must+(a,a’) and [(A, a’) ⊨ φ] = T
  ∃T   if exists a’ s.t. must–(a,a’) and [(A, a’) ⊨ φ] is at least ∃T
  ⊥    otherwise

if [ (A, a) ⊨ EXφ ] = ∃T
then there exists c with α(c) = a and c ⊨ EXφ
•   [ (A, a) ⊨ EXφ ] = ∃T
•   exists a’ s.t. must–(a,a’) and [(A, a’) ⊨ φ] = ∃T
•   exists c’ such that α(c’) = a’ and c’ ⊨ φ
•   for all c’ with α(c’) = a’ there is c
    with α(c) = a such that c → c’
(Figure: concrete c ⊨ EXφ below abstract a with EXφ = ∃T; concrete c’ ⊨ φ below a’ with φ = ∃T; the abstract transition a → a’ is must–)
Semantics of μ
• The semantics of PML operators is
  monotonic
  – Least fixpoint operator can be computed by
    iterations from F in the usual way:
  – [(A, a) ⊨ μZ . φ(Z)] = [ (A, a) ⊨ φ*(F) ]
Semantics of μ-calculus for TMTS
• The 6-valued semantics is at least as precise as the
  standard 3-valued semantics of μ-calculus for MTS

• [(A, a) ⊨ φ] = ⊥
  – 3-valued abstraction refinement of must+ transitions
    [Shoham, Grumberg – CAV’03], adapt for must–
(Figure: refinement example over states x = 7, 8, 9, ... with statement x := x – 3, predicate x > 6, and the value of EX(x>6) under must– and may transitions)

• Hypermust transitions
  – [Larsen, Xinxin – LICS‘90] [Shoham, Grumberg – CAV’04]
  – adapt for must–
  – MTS with hypermust+ is incomparable with TMTS
Weak Reachability
(Figure: initial state c abstracted to a, error state c’ abstracted to a’, and a concrete path from c to c’)
• a’ is weakly-reachable from a
• ∃c, c’ . α(c) = a ∧ α(c’) = a’ ∧ c →* c’
• Related to testing
Example
Predicates: (x < 6) (x > 7)

L0: if x<6 then
L1:     x := x + 3
L2:     if x > 7 then
L3:         x := x – 3
L4:

Abstract states are labelled by the values of (x<6, x>7):
TF is x<6, FT is x>7, FF is (x=6)∨(x=7).

(Figure: abstract transition graph)
  L1: TF    L0: FT    L0: FF
  L2: TF    L3: FT    L2: FF
  L4: TF    L4: FT    L4: FF
  from L1:TF: must– to L2:TF, may to L3:FT, must– to L2:FF
  from L3:FT: may to L4:TF, must– to L4:FT, must– to L4:FF
(Figure repeated with the concrete value x=5 marked)
Underapproximation of Weak Reachability
• if [must+]*(a,a’)
  then a’ is weakly reachable from a

• Arbitrary combinations of must+ and must–
  transitions do not preserve weak reachability

• Find a tighter underapproximation of
  weak-reachability

Example
Predicates: (x < 6) (x > 7)
(Figure: the abstract graph of the example above with the edge L1:TF → L3:FT marked “must+ ?” and the concrete values x=6, x=2, x=5 and x=9 shown beside the states)
Observations
• a3 is weakly reachable from a1
  if there exists a2 such that
  must–(a1,a2) and must+(a2,a3)
• Onto nature of must–
  is preserved by [must–]*
• Total nature of must+
  is preserved by [must+]*
(Figure: a1 → a2 by must–, a2 → a3 by must+)
[T. Ball – FMCO’04]
Underapproximation
If there exists a1, a2, a3 such that
[must–]*(a1,a2) and
[must+]*(a2,a3)
then a3 is weakly-reachable
from a1
(Figure: a1 → a2 by [must–]*, a2 → a3 by [must+]*)
[T. Ball – FMCO’04]
Parameterized Transitions
(Figure: abstract states a and a’ joined by a MAY transition)
• MUST+ ? (total from a?)  NO
• MUST– ? (onto a’?)  NO
• MAY
Parameterized Transitions
• must+(φ): MUST+(φ)(a,a’): ∀c . α(c) = a ∧ c ⊨ φ ⇒ ∃c’ . α(c’) = a’ ∧ c → c’
  – total from φ
• must–(φ): MUST–(φ)(a,a’): ∀c’ . α(c’) = a’ ∧ c’ ⊨ φ ⇒ ∃c . α(c) = a ∧ c → c’
  – onto φ
• if φ is TRUE then must+(φ) is must+ and must–(φ) is must–
Observation
• a3 is weakly reachable from a1
  if there exists a2 such that
  – must–(φ1)(a1,a2)
  – must+(φ2)(a2,a3)
  – φ1 ∧ φ2 ∧ a2 is satisfiable
• Strongest parameters φ1 and φ2
(Figure: a1 → a2 by must–(φ1), a2 → a3 by must+(φ2))
Strongest Parameters
• MUST+(WP(s,a’)): ∀c . α(c) = a ∧ c ⊨ φ ⇒ ∃c’ . α(c’) = a’ ∧ c → c’
  – if must+(φ) then a ⇒ (φ ⇒ WP(s,a’))
• MUST–(SP(s,a)): ∀c’ . α(c’) = a’ ∧ c’ ⊨ φ ⇒ ∃c . α(c) = a ∧ c → c’
  – if must–(φ) then a’ ⇒ (φ ⇒ SP(s,a))
(Figure: statement s labels the transition from a to a’)
Generated automatically as part of the construction of TMTS
Example
Predicates: (x < 6) (x > 7)

L0: if x<6 then
L1:     x := x + 3
L2:     if x > 7 then
L3:         x := x – 3
L4:

SP(x:=x+3, x<6) = x < 9
WP(x:=x-3, x<6) = x < 9

(Figure: the abstract graph of the example; with SP(x:=x+3, x<6) = x<9 the may edge L1:TF → L3:FT becomes must–(x<9), and with WP(x:=x-3, x<6) = x<9 the may edge L3:FT → L4:TF becomes must+(x<9))
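An added example, not from the paper, that brute-forces the slide's program over a bounded integer domain (assumption: x in -50..49 suffices, with a slightly wider range only for predecessor search) to classify the abstract edges as may, must+ or must–, to check the parameterized transitions must–(x<9) and must+(x<9), and to find a concrete witness of weak reachability. Control locations follow the slide's program literally, so the edge the slide draws from L1:TF to L3:FT passes here through L2:FT.

```python
X = range(-50, 50)      # constructed concrete domain for x (assumption)
XW = range(-60, 60)     # wider range used only when searching predecessors

def step(c):
    """Deterministic concrete successor for the slide's program, None at L4."""
    pc, x = c
    if pc == 0:
        return (1, x) if x < 6 else (4, x)        # L0: if x<6 then
    if pc == 1:
        return (2, x + 3)                         # L1: x := x + 3
    if pc == 2:
        return (3, x) if x > 7 else (4, x)        # L2: if x > 7 then
    if pc == 3:
        return (4, x - 3)                         # L3: x := x - 3
    return None

def alpha(c):
    """Predicate abstraction: location plus the values of (x<6) and (x>7)."""
    pc, x = c
    return (pc, x < 6, x > 7)

def gamma(a, dom=X):
    """Concrete states of abstract state a within the bounded domain."""
    return [(a[0], x) for x in dom if alpha((a[0], x)) == a]

def may(a, a2):
    return any(step(c) is not None and alpha(step(c)) == a2 for c in gamma(a))

def must_plus(a, a2, phi=lambda x: True):
    """must+(phi): total from phi, every c in a with phi(c) steps into a2."""
    return all(step(c) is not None and alpha(step(c)) == a2
               for c in gamma(a) if phi(c[1]))

def must_minus(a, a2, phi=lambda x: True):
    """must-(phi): onto phi, every c' in a2 with phi(c') has a predecessor in a."""
    return all(any(step(c) == c2 for c in gamma(a, XW))
               for c2 in gamma(a2) if phi(c2[1]))

def label(a, a2):
    """Kinds of abstract transition from a to a2 (empty set: no transition)."""
    return {k for k, ok in (("may", may(a, a2)), ("must+", must_plus(a, a2)),
                            ("must-", must_minus(a, a2))) if ok}

def witness(path):
    """A concrete run following the abstract path, i.e. a weak-reachability
    witness from path[0] to path[-1], or None if the domain has none."""
    for c in gamma(path[0]):
        run = [c]
        for a in path[1:]:
            c = step(c)
            if c is None or alpha(c) != a:
                break
            run.append(c)
        else:
            return run
    return None

# Abstract states named as on the slide: (location, x<6, x>7).
L1TF, L2TF, L2FT = (1, True, False), (2, True, False), (2, False, True)
L2FF, L3FT, L4TF = (2, False, False), (3, False, True), (4, True, False)
```

Running label(L1TF, L2FT) gives only {"may"}, while must_minus(L1TF, L2FT, lambda x: x < 9) and must_plus(L3FT, L4TF, lambda x: x < 9) both hold, and witness([L1TF, L2FT, L3FT, L4TF]) returns the run starting at x=5.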
Tighter Underapproximation
If there exists a1,...,a5 s.t.
  [must–]*(a1,a2)
  must–(φ1)(a2,a3)
  must+(φ2)(a3,a4)
  [must+]*(a4,a5)
  φ1 ∧ φ2 ∧ a3 is satisfiable
then a5 is weakly-reachable
from a1
(Figure: a1 → a2 by [must–]*, a2 → a3 by must–(φ1), a3 → a4 by must+(φ2), a4 → a5 by [must+]*)
Complete Reasoning

  – a’ is reachable by a certain sequence of
    abstract transitions from a
  – a’ is weakly-reachable from a

• Assume-guarantee transitions
  – another type of parameterized transitions:
    <φ> must+ <φ’>
Assume-Guarantee Transitions
• <φ> MUST+ <φ’>(a,a’): ∀c . α(c) = a ∧ c ⊨ φ ⇒
    ∃c’ . α(c’) = a’ ∧ c’ ⊨ φ’ ∧ c → c’
• <φ> MUST– <φ’>(a,a’): ∀c’ . α(c’) = a’ ∧ c’ ⊨ φ’ ⇒
    ∃c . α(c) = a ∧ c ⊨ φ ∧ c → c’

Which φ and φ’ predicates do we need?
The idea...
(Figure: a1 →s1 a2 →s2 a3 →s3 a4 →s4 a5 with transitions <φ1>must–<φ2>, <φ2>must–<φ3>, <φ3’>must+<φ4>, <φ4>must+<φ5>)
  φ1 = a1
  φ2 = SP(s1, φ1) ∧ a2
  φ3 = SP(s2, φ2) ∧ a3
  φ3’ = WP(s3, φ4) ∧ a3
  φ4 = WP(s4, φ5) ∧ a4
  φ5 = a5
  φ3 ∧ φ3’ is satisfiable
Assume-guarantee transitions
• Complete Reasoning about
  Weak Reachability
  – a’ is reachable by a certain sequence of
    assume-guarantee transitions from a
  – a’ is weakly-reachable from a
• Finding right parameters ~ computing loop
  invariants
Weak Reachability: Summary
• Previous work [T. Ball – FMCO’04]:
  [must–]*  [must+]*

• Parameterized transitions
  [must–]*  must–(φ1) must+(φ2)  [must+]*

• Assume-guarantee transitions
  – complete reasoning
             Applications
• Falsification of properties in CTL, LTL

• Abstraction-guided test generation
  – tighter underapproximation of weakly-
    reachable states improves coverage of the
    generated tests
  – example of QuickSort’s partition function
Summary
• Ternary Modal Transition System (TMTS)
  – onto and total must transitions
  – full-PML logically characterizes the precision
    preorder on TMTS
• 6-valued semantics of μ-calculus for TMTS
• Tighten underapproximation of weak
  reachability with parameterized transitions
  – completeness result using assume-guarantee
    transitions
								