abstraction for falsification
Post on 15-Jan-2016
Abstraction for Falsification
Thomas Ball (Microsoft Research, Redmond, US)
Orna Kupferman (Hebrew University, Jerusalem, Israel)
Greta Yorsh (Tel Aviv University, Israel)
CAV’05
Abstraction for Verification
• Goal: prove properties
• Sound abstraction for verification – properties of the abstract system hold for the corresponding concrete system
  – if abstract state a satisfies property P then all concrete states represented by a satisfy P
  – : C A a A if a P then c C . (c)=a c P   [formula; quantifier and abstraction symbols lost in extraction]
Abstraction for Falsification
• Goal: detect errors
• Sound abstraction for falsification – errors of the abstract system exist in the corresponding concrete system
  – c C . (c)=a c P   [formula; quantifier and abstraction symbols lost in extraction]
Motivation
• An abstraction that is sound for falsification need not be sound for verification.
• Existing frameworks for abstraction for verification
  – Modal Transition Systems (MTS)
  – MTS, PKS and KMTS are equivalent in expressive power [Godefroid, Jagadeesan – VMCAI’03]
  – can be too restrictive for falsification
Main Results
• New framework for abstraction
  – Ternary Modal Transition System (TMTS)
  – TMTS is stronger than MTS
  – semantics of µ-calculus for TMTS
• Weak reachability
  – TMTS with parameterized transitions gives a tighter underapproximation
  – TMTS with assume-guarantee transitions for complete reasoning
Modal Transition Systems
• may transitions (existential abstraction) – overapproximation
  MAY(a,a’): c, c’ . c c’ (c) = a (c’) = a’   [quantifier and abstraction symbols lost in extraction]
• must+ transitions (total from a) – underapproximation
  MUST+(a,a’): c. (c) = a c’ . (c’) = a’ c c’
• must– transitions (onto a’) – underapproximation [T. Ball – FMCO’04]
  MUST–(a,a’): c’. (c’) = a’ c. (c) = a c c’
• must+ and must– are incomparable
[figure: concrete states c, c’ and abstract states a, a’; the total must+ edge, the onto must– edge and the may edge between a and a’]
TMTS strictly more expressive than MTS
• MTS: may and must+ transitions; the precision preorder is logically characterized by PML
  ::= p | AX | |   [PML grammar; some connective symbols lost in extraction]
• TMTS: may, must+ and must– transitions; the precision preorder is logically characterized by full-PML
  ::= p | AX | AY | |   [full-PML grammar; some connective symbols lost in extraction]
• full-PML is strictly more expressive than PML [Pinter, Wolper – PODC’84] [Kupferman, Pnueli – LICS’95]
TMTS: what does it buy us?
• Verifying specifications with past operators
• Reasoning about specifications in the falsification setting – must+ for verification and must– for falsification
• Tighter weak reachability in the abstract system – combine must+ and must– along the path
Semantics of µ-calculus for TMTS
• : C A – abstraction from the concrete system (C, c1) to the TMTS A   [symbols lost in extraction]
• [ (A, a1) ] – the value of the µ-calculus formula in state a1 of TMTS A; it is one of six values:
  – T: for all concrete states c with (c) = a, (C, c) satisfies the formula
  – T (existential): there exists a concrete state c with (c) = a and (C, c) satisfies the formula
  – F: for all concrete states c with (c) = a, (C, c) does not satisfy the formula
  – F (existential): there exists a concrete state c with (c) = a and (C, c) does not satisfy the formula
  – M: there exist concrete states c and c’ such that (c) = (c’) = a, (C, c) satisfies the formula and (C, c’) does not
  – a sixth value meaning that nothing is known (its symbol is lost in extraction)
Semantics of µ-calculus for TMTS
[figures: the Information Lattice and the Truth Lattice over the six values; only the labels T, F and M survived extraction]
Semantics of µ-calculus for TMTS
• [ (A, a) 1 2 ] = [ (A, a) 1 ] # [ (A, a) 2 ]   (conjunction of 1 and 2: the meet # of the two six-valued results; connective symbols lost in extraction)
• [ (A, a) EX ]
• [ (A, a) ]   (the remaining connective; its symbol is lost in extraction)
6-valued Semantics of 1 2
Table of the meet # (first row and first column: the six values; the symbols of the two existential values and of the unknown value, and some cells, are lost in extraction):
# F F M T T
F F F F F F F
F F F F F F F
M F F F F M F
T F F F T
T F F M T T
F F F
[figures: Information Lattice and Truth Lattice over the six values, shown again beside the table]
Semantics of EX
[ (A, a) EX ] =
  F – if for all a’, if may(a,a’) then [(A, a’) ] = F
  T – if there exists a’ s.t. must+(a,a’) and [(A, a’) ] = T
  T (existential) – if there exists a’ s.t. must–(a,a’) and [(A, a’) ] T   [relation symbol lost in extraction]
  unknown – otherwise
[figure: abstract state a (where EX = T, existential) joined by a must– edge to a’ (where = T); concrete c in a and c’ in a’]
• [ (A, a) EX ] = T (existential)
• there exists a’ s.t. must–(a,a’) and [(A, a’) ] = T
• so there exists c’ such that (c’)=a’ and c’ satisfies ; and, must– being onto, for all c’ with (c’)=a’ there is c with (c)=a such that c c’
• hence if [ (A, a) EX ] = T (existential) then there exists c with (c) = a and c satisfies EX
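The six-valued evaluation and the EX cases above, worked through on a small constructed system (an added example, not code from the slides or the paper). The value names ET, EF and UNKNOWN stand for the existential-true, existential-false and unknown values whose symbols did not survive extraction; the concrete system (x in 5..12, stepping x := x – 3 when x > 7 and x := x + 3 otherwise) and the predicates (x < 6), (x > 7) are this example's own choices. The must– case is applied whenever the successor's value guarantees some concrete state satisfying the formula (T, the existential T, or M), which goes slightly beyond the "= T" instance the slide writes out; it is sound by the same onto argument the slide gives, since each of those values provides the concrete witness c’.

```python
# Added example (not from the CAV'05 slides): six-valued values of a formula on
# an abstract state, derived from the concrete states it represents, plus the
# EX rule built from may / must+ / must- transitions of a TMTS.
T, ET, F, EF, M, UNKNOWN = 'T', 'ET', 'F', 'EF', 'M', 'UNKNOWN'   # value names are ours


def lift(concrete, holds):
    """Value of an atomic formula on an abstract state, given all of its concrete
    states and the concrete satisfaction relation holds(c)."""
    sat = [holds(c) for c in concrete]
    if all(sat):
        return T          # every represented concrete state satisfies the formula
    if not any(sat):
        return F          # no represented concrete state satisfies it
    return M              # mixed: some do, some do not


def from_sample(sample, holds):
    """Value justified by inspecting only some concrete states of the abstract
    state (what a test run sees): one satisfying state already yields ET."""
    sat = [holds(c) for c in sample]
    if not sat:
        return UNKNOWN
    if all(sat):
        return ET
    if not any(sat):
        return EF
    return M


# Constructed concrete system: x in 5..12, deterministic step, closed under step.
CONCRETE = range(5, 13)


def step(x):
    return x - 3 if x > 7 else x + 3


def alpha(x):
    """Predicate abstraction over (x<6), (x>7), written as on the slides: 'TF', 'FF', 'FT'."""
    return ('T' if x < 6 else 'F') + ('T' if x > 7 else 'F')


GAMMA = {}                                  # abstract state -> its concrete states
for x in CONCRETE:
    GAMMA.setdefault(alpha(x), set()).add(x)


def may(a, b):                              # existential abstraction
    return any(alpha(step(x)) == b for x in GAMMA[a])


def must_plus(a, b):                        # total: every c in a steps into b
    return all(alpha(step(x)) == b for x in GAMMA[a])


def must_minus(a, b):                       # onto: every c' in b has a predecessor in a
    return all(any(step(x) == y for x in GAMMA[a]) for y in GAMMA[b])


def ex(a, value):
    """[(A,a) EX phi] from the six-valued results value[b] of phi on successors b."""
    succ = [b for b in GAMMA if may(a, b)]
    if all(value[b] == F for b in succ):
        return F          # no may-successor can satisfy phi, so no concrete successor can
    if any(value[b] == T for b in succ if must_plus(a, b)):
        return T          # every c in a has a successor in b, and all of b satisfies phi
    if any(value[b] in (T, ET, M) for b in succ if must_minus(a, b)):
        return ET         # some c' in b satisfies phi; onto gives it a predecessor in a
    return UNKNOWN


def evaluate_ex(holds):
    """Six-valued EX(holds) for every abstract state of the constructed system."""
    value = {a: lift(GAMMA[a], holds) for a in GAMMA}
    return {a: ex(a, value) for a in GAMMA}


if __name__ == "__main__":
    print("EX(x>6):", evaluate_ex(lambda x: x > 6))   # {'TF': 'T', 'FF': 'T', 'FT': 'ET'}
    print("EX(x<6):", evaluate_ex(lambda x: x < 6))   # {'TF': 'F', 'FF': 'F', 'FT': 'ET'}
```

In this system must+ and must– are incomparable exactly as the slides claim: TF has a total (must+) edge into FT but is not onto it, while FT is onto FF (must–) but has no total edge at all. EX(x>6) in FT is genuinely mixed at the concrete level (8 steps to 5, 10 steps to 7), so ET is the most an abstract evaluation can soundly report; it is enough for falsification, because it certifies a concrete witness.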
Semantics of µ-calculus for TMTS (continued)
• The semantics of PML operators is monotonic
  – the least fixpoint operator can be computed by iteration from F in the usual way: [(A,a) Z . (Z) ] = [ (A, a) *(F) ]   [fixpoint symbols lost in extraction]
• The 6-valued semantics is at least as precise as the standard 3-valued semantics of µ-calculus for MTS
• [(A,a) ] = unknown – 3-valued abstraction refinement of must+ transitions [Shoham, Grumberg – CAV’03]; adapt for must–
• Hypermust transitions [Larsen, Xinxin – LICS’90] [Shoham, Grumberg – CAV’04] – adapt for must–; MTS with hypermust+ is incomparable with TMTS
Example: EX(x>6) = ?
[figure: abstract states labelled x > 6 whose concrete values are 7 8 9 ...; transition x := x – 3; edges labelled must– and may, with concrete values x = 7 and x = 10 marked; results shown: EX(x>6) T, EX(x>6) F, EX(x>6) = T]
Weak Reachability
• a’ is weakly-reachable from a: c, c’ . (c)=a (c’)=a’ c * c’   [quantifier and abstraction symbols lost in extraction]
[figure: initial state a with concrete c, error state a’ with concrete c’, and the error trace from c to c’]
• Related to testing
Example
L0: if x<6 then
L1: x := x + 3
L2: if x > 7 then
L3: x := x – 3
L4:
Predicates: (x < 6) (x > 7)
Abstract states (location and the values of x<6, x>7): L0: TF, L0: FT, L0: FF; L1: TF; L2: TF, L2: FF, L3: FT; L4: TF, L4: FF, L4: FT
• TF stands for x<6, FT for x>7, FF for x=6 or x=7
[figure: abstract transition graph over these states with edges labelled may and must–]
Example (continued)
[figure: the same program, predicates and abstract graph, with the concrete value x = 5 highlighted]
Underapproximation of Weak Reachability
• if [must+]*(a,a’) then a’ is weakly reachable from a
• Arbitrary combinations of must+ and must– transitions do not preserve weak reachability
• Goal: find a tighter underapproximation of weak reachability
Example (continued)
[figure: the same program, predicates and abstract graph; the edges are questioned “must– ? must+ ?”, with the concrete values x = 9, x = 6, x = 5, x = 2 highlighted]
Observations
• a3 is weakly reachable from a1 if there exists a2 such that must–(a1,a2) and must+(a2,a3)
• The onto nature of must– is preserved by [must–]*
• The total nature of must+ is preserved by [must+]*
[figure: a1 –must–→ a2 –must+→ a3]   [T. Ball – FMCO’04]
Underapproximation
If there exist a1, a2, a3 such that [must–]*(a1,a2) and [must+]*(a2,a3), then a3 is weakly-reachable from a1
[figure: a1 –[must–]*→ a2 –[must+]*→ a3]   [T. Ball – FMCO’04]
Example (continued)
[figure: the same program, predicates and abstract graph, shown again]
[figure: abstract states a, a’ joined only by a may edge: MUST+ ? (total from a?) – NO; MUST– ? (onto a’?) – NO; MAY]
Parameterized Transitions
• must+() – total from the parameter-part of a: MUST+()(a,a’): c. (c) = a c c’ . (c’) = a’ c c’   [parameter and quantifier symbols lost in extraction]
• must–() – onto the parameter-part of a’: MUST–()(a,a’): c’. (c’) = a’ c’ c. (c) = a c c’
• if the parameter is TRUE then must+() is must+ and must–() is must–
[figure: a –must+()→ a’ and a –must–()→ a’]
Observation
• a3 is weakly reachable from a1 if there exists a2 such that
  – must–(1)(a1,a2)
  – must+(2)(a2,a3)
  – 1 2 a2 is satisfiable   [parameter names 1, 2 and connectives lost in extraction]
• Strongest parameters 1 and 2
[figure: a1 –must–(1)→ a2 –must+(2)→ a3, with 1 2 marked at a2]
Strongest Parameters
Generated automatically as part of the construction of the TMTS
• MUST+( WP(s,a’) ): c. (c) = a c c’ . (c’) = a’ c c’ – if must+() then a ( WP(s,a’))   [parameter, quantifier and connective symbols lost in extraction]
• MUST–( SP(s,a) ): c’. (c’) = a’ c’ c. (c) = a c c’ – if must–() then a ( SP(s,a))
[figure: a –s→ a’ with the must+ edge labelled WP(s,a’) and the must– edge labelled SP(s,a)]
Example (continued)
[figure: the same program, predicates and abstract graph]
SP(x:=x+3, x<6) = x < 9
WP(x:=x-3, x<6) = x < 9
[figure: the abstract graph with edges now labelled must–(x < 9) and must+(x < 9)]
Tighter Underapproximation
If there exist a1,...,a5 s.t.
  [must–]*(a1,a2)
  must–(1)(a2,a3)
  must+(2)(a3,a4)
  [must+]*(a4,a5)
  1 2 a3 is satisfiable   [parameter names and connectives lost in extraction]
then a5 is weakly-reachable from a1
[figure: a1 –[must–]*→ a2 –must–(1)→ a3 –must+(2)→ a4 –[must+]*→ a5, with 1 2 marked at a3]
Complete Reasoning
• Complete reasoning means that the following two coincide:
  – a’ is reachable by a certain sequence of abstract transitions from a
  – a’ is weakly-reachable from a
• Assume-guarantee transitions – another type of parameterized transitions: <>must+<’>
Assume-Guarantee Transitions
• <>must+<’>(a,a’): c. (c) = a c c’ . (c’) = a’ c’ ’ c c’   [parameter and quantifier symbols lost in extraction]
• <>must–<’>(a,a’): c’. (c’) = a’ c’ ’ c . (c) = a c c c’
• Which and ’ predicates do we need?
[figure: a –<>must+<’>→ a’ and a –<>must–<’>→ a’]
The idea...
[figure: abstract path a1 –s1→ a2 –s2→ a3 –s3→ a4 –s4→ a5; the forward part uses <1>must–<2> and <2>must–<3>, the backward part uses <3>must+<4> and <4>must+<5>; the two parameters meet at a3, where 3 3 is satisfiable]
Forward, from a1:
  1 = a1
  2 = SP(s1, 1) a2
  3 = SP(s2, 2) a3
Backward, from a5:
  5 = a5
  4 = WP(s4, 5) a4
  3 = WP(s3, 4) a3
[parameter names and connectives lost in extraction]
Assume-guarantee transitions
• Complete reasoning about weak reachability: a’ is reachable by a certain sequence of assume-guarantee transitions from a if and only if a’ is weakly-reachable from a
• Finding the right parameters ~ computing loop invariants
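The three weak-reachability rules on the preceding slides, worked through on the slides' own five-line program (an added example, not code from the slides or the paper): the [must–]* [must+]* rule of the FMCO’04 slide, the parameterized must–(θ1) / must+(θ2) rule with its satisfiability side condition, and the assume-guarantee check, which carries SP forward from a1 and WP backward from a5 and asks whether the two parameters meet. Concrete states are (location, x); bounding x to [-10, 20] and collecting the reachable concrete states by enumeration are this example's assumptions, made so that SP, WP and the transition kinds can be computed by brute force. The abstract path chosen runs through both branches, L0:TF, L1:TF, L2:FT, L3:FT, L4:TF, which is where the plain rule fails and the parameters x < 9 from the SP/WP slide do their work.

```python
# Added example (not from the CAV'05 slides): predicate abstraction of the slide's
# program, the may / must+ / must- transitions of a TMTS, the plain
# [must-]*[must+]* rule, the parameterized rule, and the assume-guarantee check.
LO, HI = -10, 20                                  # assumed bound on x


def step(loc, x):
    """Concrete successors of (loc, x) under the slide's program."""
    if loc == 0: return [(1, x)] if x < 6 else [(2, x)]   # L0: if x<6 then
    if loc == 1: return [(2, x + 3)]                      # L1: x := x + 3
    if loc == 2: return [(3, x)] if x > 7 else [(4, x)]   # L2: if x > 7 then
    if loc == 3: return [(4, x - 3)]                      # L3: x := x - 3
    return []                                             # L4: exit


def reachable():
    """All concrete states reachable from L0 with x in [LO, HI]."""
    seen, work = set(), [(0, x) for x in range(LO, HI + 1)]
    while work:
        c = work.pop()
        if c not in seen:
            seen.add(c)
            work.extend(step(*c))
    return seen


C = reachable()
SUCC = {c: set(step(*c)) for c in C}              # concrete transition relation


def alpha(c):
    """Predicate abstraction over (x<6), (x>7): (1, 5) -> (1, 'TF')."""
    loc, x = c
    return (loc, ('T' if x < 6 else 'F') + ('T' if x > 7 else 'F'))


GAMMA = {}                                        # abstract state -> concrete states
for c in C:
    GAMMA.setdefault(alpha(c), set()).add(c)


def may(a, b):
    """Existential abstraction: some c in a steps to some c' in b."""
    return any(alpha(d) == b for c in GAMMA[a] for d in SUCC[c])


def must_plus(a, b, theta=lambda c: True):
    """must+(theta): total from the theta-part of a into b."""
    return all(any(alpha(d) == b for d in SUCC[c]) for c in GAMMA[a] if theta(c))


def must_minus(a, b, theta=lambda c: True):
    """must-(theta): onto the theta-part of b from a."""
    preds = {d for c in GAMMA[a] for d in SUCC[c]}
    return all(cp in preds for cp in GAMMA[b] if theta(cp))


def split_rule(path):
    """[must-]* then [must+]* along path: some split point k makes every edge
    before k a must- and every edge from k on a must+."""
    edges = list(zip(path, path[1:]))
    return any(all(must_minus(*e) for e in edges[:k]) and
               all(must_plus(*e) for e in edges[k:]) for k in range(len(edges) + 1))


def param_rule(path, m, theta1, theta2):
    """Tighter rule: must- edges, then must-(theta1) into path[m], must+(theta2)
    out of path[m], then must+ edges, and theta1 and theta2 and path[m] satisfiable."""
    edges = list(zip(path, path[1:]))
    return (all(must_minus(*e) for e in edges[:m - 1]) and
            must_minus(*edges[m - 1], theta1) and must_plus(*edges[m], theta2) and
            all(must_plus(*e) for e in edges[m + 1:]) and
            any(theta1(c) and theta2(c) for c in GAMMA[path[m]]))


def sp(states):                                   # strongest postcondition: the image
    return {d for c in states for d in SUCC[c]}


def wp(states):                                   # weakest precondition: all successors inside
    return {c for c in C if SUCC[c] and SUCC[c] <= states}


def ag_rule(path, m):
    """Assume-guarantee transitions: SP flows forward from path[0] through the
    must- part, WP flows backward from path[-1] through the must+ part, and the
    two parameters meet at path[m].  Returns the concrete witnesses there."""
    fwd = GAMMA[path[0]]
    for a in path[1:m + 1]:
        fwd = sp(fwd) & GAMMA[a]
    bwd = GAMMA[path[-1]]
    for a in reversed(path[m:-1]):
        bwd = wp(bwd) & GAMMA[a]
    return sorted(fwd & bwd)


PATH = [(0, 'TF'), (1, 'TF'), (2, 'FT'), (3, 'FT'), (4, 'TF')]   # through both branches
LT9 = lambda c: c[1] < 9          # SP(x:=x+3, x<6) = WP(x:=x-3, x<6) = x<9, as on the slide

if __name__ == "__main__":
    print("must+(L1:TF, L2:TF) =", must_plus((1, 'TF'), (2, 'TF')))   # False: x=5 goes to 8
    print("must-(L1:TF, L2:TF) =", must_minus((1, 'TF'), (2, 'TF')))  # True: onto
    print("[must-]*[must+]* certifies PATH:", split_rule(PATH))          # False
    print("parameterized rule certifies PATH[:4]:", param_rule(PATH[:4], 2, LT9, LT9))  # True
    print("assume-guarantee witnesses at L2:FT:", ag_rule(PATH, 2))       # [(2, 8)]
```

The plain rule cannot certify the path because the edge L1:TF → L2:FT is neither total (x = -10 lands in L2:TF) nor onto (x = 20 in L2:FT has no predecessor in L1:TF). The parameterized rule with θ1 = θ2 = x < 9 certifies the prefix up to L3:FT, matching the must–(x<9) and must+(x<9) edges on the slide, but stops there because L3:FT → L4:TF is not total. The assume-guarantee check threads the parameters through the whole path and finds the single concrete witness (2, 8), reached from the initial value x = 5 that the example slide highlights.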
Weak Reachability: Summary
• Previous work [T. Ball – FMCO’04]: [must–]* [must+]*
• Parameterized transitions: [must–]* must–(1) must+(2) [must+]*
• Assume-guarantee transitions – complete reasoning
Applications
• Falsification of properties in CTL, LTL
• Abstraction-guided test generation – a tighter underapproximation of the weakly-reachable states improves coverage of the generated tests
  – example: QuickSort’s partition function
Summary
• Ternary Modal Transition System (TMTS)
  – onto and total must transitions
  – full-PML logically characterizes the precision preorder on TMTS
• 6-valued semantics of µ-calculus for TMTS
• Tighter underapproximation of weak reachability with parameterized transitions
  – completeness result using assume-guarantee transitions