predicate abstraction

Predicate Abstraction

Abstract state space exploration

• Method:

(1) start in the abstract initial state

(2) use to compute reachable states (invariants)

Ai

Abstract state space exploration

• Approximation 1: all reachable states are monomials.

• Where

10

ji

x

0

Ax

11

( )l

Ai i j

i

x x

Least upper bound on lattice

L length of longest chains

Abstract state space exploration

• Approximation 2 : strongest invariant of by allowing approximation to be boolean expressions on B1 … Bl and applying only on canonical monomials ( B1 … Bl ) representing a single state

AiAi

cm

20

jj

x

0

Ax where

1 { ( ) | , 1.. }A c

i i c jx m m x j p

Abstract state space exploration

• Canonical monomial : the set of atoms of M0

---- the set 2l over B1 … Bl

• Note:

– Boolean expressions on B1 … Bl = arbitrary elements of Qk

cm

1 2 1 2( ) ( ) ( )A c A c A c c

i i im m m m

Complexity of 1 and 2

• Complexity of computation:– The number of necessary proofs– Successor of expA K=2*p*l*1

• 2: B.1 – B.2• P: number of transitions• L: number of predicates• 1: enabledness

Complexity of 1 and 2

• Computation of 1 :

– Needs maximally l*k proofs

• Computation of 2:

– Worst case 2l * k proofs (all successors computed)

Computation of 2

• Much better in practice– Some j leave I unchanged (or transform I

independently) – Only a small subset of all abstract states is

reachable 1… I need not be independent not all 2l

canonical monomials represent a non-empty set of concrete states

– Dependency predicate : consider only non-spurious abstract states

Improvements of the computed invariants

• Use backwards analysis:

00

kjy

0 ky

1 1

[ ]( )p

j j i jiy y pre y

where

Improvements of the computed invariants

• Approximations yj – are arbitrary predicates of the concrete property latti

ce and not necessarily boolean combinations of 1

… I

• Abstract backwards analysis– Would require a lower approximation of

[ ]( )i jpre y

Construction of the abstract state graph

• Computation of a successor: require several proofs– Only a small abstract state (few thousand)

can be explored– Additional cost of storing transitions is almost

negligible

Advantages of storing the abs. state graph

• Use model checker to verify any temporal logic formula on atomic proposition on B1 … Bl without existential quantifier over executions

• Precise global control flow graph– Especially if guards of the program are boolea

n combination over I

– Stronger structure invariants than for initial control structure used to improve backwards analysis

Refinement of the abstract state graph

• Add more predicates to 1… I: deduced form– The so far constructed transition relation– See later: abstraction refinement (done in an

incremental way)

Given expA and Bnew

• Not all implications in (3) have to be checked

• Only the new ones and those which could not be proved valid during the computation of the successors of expA

When to add

• If the abstract state space exploration by using does not allow to verify some property

• Construct more precise abstraction by adding new predicates

Ai

Implementation Overview

• Invariant checker tool impliments:– 1)backwards computation of inductive invaria

nts (true in initial state and preserved by transitions)

– 2) generation of structural invariants (preserved by system structure)

– 3) abstract state graph generation (added)

Integration with PVS

• All implications (3) submitted to PVS

• Proof strategy combining decision procedures, rewriting and boolean simplification using BDDs is systematically applied

Abstract state

• Is a tuple (ctrl, ) where:

• ctrl ---- is a concrete control configuration

• ---- is a valuation of a set of boolean vars B1 … Bl

cm

cm

Dependency predicate

• Given {1… I} an upper approximation of a dependency predicate is computed and used to generate successors

• Exact computation if {1… I} can be divided using syntactical independency into a set of small sets of potentially dependent predicates

Auxiliary invariants

• Generated using initial control structure where

• Qk control configuration of a system consisting of several parallel components are considered reachable

Abstract state graph

• The invariant is a conjunction of – Already known invariants in the system relevant for

the transition under study is used to smaller successors by replacing (3) by

weaker ones

– Only implication compatible with dependency predicate and not already computed are generated

(3.1) (exp ) [ ( ) / ]Ai j ig ass x x

Reachability algorithm (Defs)

• For simplicity: shown for systems without explicit control locations

– Based on QA and over B1 … Bl ,can be implemented with BDDs

• Abstract invariant : by analysis of dependencies between 1… I

Ai

AD

Reachability algorithm (Defs)

• Concrete invariant : generated using the facilities of the tool

• Constraints Ctau[i](B1 … Bl, B’1 … B’l ): for each i by static analysis

– E.g. which predicates j are not touched => B’j = Bj

Reachability algorithm (Defs)

• Abstract predicate Aguard[i]=’(gi): generated for each i

1… I are chosen such that Aguard[i] is exactly the guard of i

• AReach: the so far computed set of reachable states (invariant at the end)

Reachability algorithm (Defs)

• Atau[i]: at each stage an upper approximation of

• To_explore: auxiliary variable representing the set of states for which we have to compute the successors

Ai

Reachability algorithm

' [ ];A AD D Ctau i

Initializations:AInit:= ’(init);For all i: Atau[i]:= AReach := AInit;To_explore := AInit;

Iteration:While To_explore != false

choose m in To_explore; To_explore:= To_explore m;if m=> Aguard[i] thenSEE NEXT PAGEATau[i]:= ATau[i] ( ) To_explore := To_explore (succ AReach);AReach := AReach succ;

[ / ']m succ B B

j

j

1

if Atau[i] m B'

if Atau[i] m B'

: if post[ ]( ( )) '

if post[ ]( ( )) '

else

j

j

l

j i jj

j i j

B

B

succ B m

B m

true

Choice of the Predicates i

• Use guards in the transitions the system:– Allows to construct successors only via transit

ions enabled in all represented concrete states

– Replaces enabledness checks (3.0) by boolean tests.

• To prove that is an invariant– One can also try to use for the definition of t

he abstract state space

Choice of the Predicates i

• Split each predicate into its set of literals (atomic pred.)– E.g. use 1 = (out =in) and Choice of the Predi

cates 2= (out= tail(in)) instead of 1 v 2

• Alternating bit protocol example: verified that:□(out =in V out= tail(in) )

• List of already received messages Out is a prefix of the list of messages sent so far In

Alternating bit protocol verification

• Verified correctness :□(out =in V out= tail(in) )– Already received message Out is prefix of me

ssages sent so far : In

• Using implemented backward computation:– The computation of the appropriate inductive i

nvariant does not terminate– The computation of structual invariants does n

ot generate interesting results

Alternating bit protocol verification

• Using the two predicates as 1 and 2:

– Deterministic graph is generated– 34 decidable implications– 5 abstract states– 68s

Alternating bit protocol verification

• Obtaining more precise approximation: 3= message (message_channel) = head(In)– Internal predicate– Last sent message is the head of In -- same

graph but all states satisfy either In=Out or out=tail(In)

• Use abstract state graph to generate stronger structural invariants – Apply strengthening backward computation-

(6) proved

Bounded retransmission protocol

• Extension of ABP:– Message pockets are sent, retransmitted

bounded by max per message.

• Full parameterized version of BRP:– Pockets can be of any size– Max can be any positive number– Proven so far by hand– Large amount of user interaction

Protocol description

Sendingclient

sender

ack

mess

receiverReceiving

client

Protocol description

• Sender: receive message pocket from client

• Delivers confirmation to client– OK ----- all messages are transmitted– Not_OK -----transmission has been aborted– DON’T_KNOW ----last message not acknowle

dged

Protocol description

• Receiver: acknowledge each received message

• Delivers indication to the receiving client– First –1st message received– OK –last message received– Incomplete --- for any intermediate messages– NOT_OK ---transmission aborted

Protocol description

• Timers T1,T2:

– T1 ---message has been lost

– T2 ---transmission ahs been aborted

Correctness

• Verification: As for ABP– 19 predicates from guards Abstract state

graph: 475 states, 685 transitions, 3 hours