Predicate Abstraction - PowerPoint PPT Presentation

About This Presentation

Title:

Predicate Abstraction

Description:

Only a small subset of all abstract states is reachable ... Construct more precise abstraction by adding new predicates. Implementation Overview ... – PowerPoint PPT presentation

Number of Views:66

Avg rating:3.0/5.0

Slides: 41

Provided by: yao3

Learn more at: https://www3.cs.stonybrook.edu

Category:

more less

Transcript and Presenter's Notes

Title: Predicate Abstraction

1
Predicate Abstraction
2
Abstract state space exploration

Method
(1) start in the abstract initial state
(2) use to compute reachable states
(invariants)

3
Abstract state space exploration

Approximation ?1 all reachable states are
monomials.
Where

4
Least upper bound on lattice
L length of longest chains
5
Abstract state space exploration

Approximation ?2 strongest invariant of
by allowing approximation to be boolean
expressions on B1 Bl and applying only
on canonical monomials ( B1 Bl )
representing a single state

6
where
7
Abstract state space exploration

Canonical monomial the set of atoms of M0
---- the set 2l over B1 Bl
Note
Boolean expressions on B1 Bl arbitrary
elements of Qk

8
Complexity of ?1 and ?2

Complexity of computation
The number of necessary proofs
Successor of expA ? K2pl1
2 B.1 B.2
P number of transitions
L number of predicates
1 enabledness

9
Complexity of ?1 and ?2

Computation of ?1
Needs maximally lk proofs
Computation of ?2
Worst case 2l k proofs (all successors
computed)

10
Computation of ?2

Much better in practice
Some ?j leave ?I unchanged (or transform ?I
independently)
Only a small subset of all abstract states is
reachable
?1 ?I need not be independent ? not all 2l
canonical monomials represent a non-empty set of
concrete states
Dependency predicate consider only non-spurious
abstract states

11
Improvements of the computed invariants

Use backwards analysis

where
12
Improvements of the computed invariants

Approximations yj
are arbitrary predicates of the concrete property
lattice and not necessarily boolean combinations
of ?1 ?I
Abstract backwards analysis
Would require a lower approximation of

13
Construction of the abstract state graph

Computation of a successor require several
proofs
Only a small abstract state (few thousand) can be
explored
Additional cost of storing transitions is almost
negligible

14
Advantages of storing the abs. state graph

Use model checker to verify any temporal logic
formula on atomic proposition on B1 Bl without
existential quantifier over executions
Precise global control flow graph
Especially if guards of the program are boolean
combination over ?I
Stronger structure invariants than for initial
control structure ? used to improve backwards
analysis

15
Refinement of the abstract state graph

Add more predicates to ?1 ?I deduced form
The so far constructed transition relation
See later abstraction refinement (done in an
incremental way)

16
Given expA and Bnew

Not all implications in (3) have to be checked
Only the new ones and those which could not be
proved valid during the computation of the
successors of expA

17
When to add

If the abstract state space exploration by using
does not allow to verify some property
Construct more precise abstraction by adding new
predicates

18
Implementation Overview

Invariant checker tool impliments
1)backwards computation of inductive invariants
(true in initial state and preserved by
transitions)
2) generation of structural invariants (preserved
by system structure)
3) abstract state graph generation (added)

19
Integration with PVS

All implications (3) submitted to PVS
Proof strategy combining decision procedures,
rewriting and boolean simplification using BDDs
is systematically applied

20
Abstract state

Is a tuple (ctrl, ) where
ctrl ---- is a concrete control configuration
---- is a valuation of a set of boolean
vars B1 Bl

21
Dependency predicate

Given ?1 ?I an upper approximation of a
dependency predicate is computed and used to
generate successors
Exact computation if ?1 ?I can be divided
using syntactical independency into a set of
small sets of potentially dependent predicates

22
Auxiliary invariants

Generated using initial control structure where
Qk control configuration of a system consisting
of several parallel components are considered
reachable

23
Abstract state graph

The invariant is a conjunction of
Already known invariants in the system relevant
for the transition under study
? is used to smaller successors by replacing (3)
by weaker ones
Only implication compatible with dependency
predicate and not already computed are generated

24
Reachability algorithm (Defs)

For simplicity shown for systems without
explicit control locations
Based on QA and over B1 Bl ,can be
implemented with BDDs
Abstract invariant by analysis of
dependencies between ?1 ?I

25
Reachability algorithm (Defs)

Concrete invariant ? generated using the
facilities of the tool
Constraints Ctaui(B1 Bl, B1 Bl ) for
each ?i by static analysis
E.g. which predicates ?j are not touched gt Bj
Bj

26
Reachability algorithm (Defs)

Abstract predicate Aguardi?(gi) generated
for each ?i
?1 ?I are chosen such that Aguardi is exactly
the guard of ?i
AReach the so far computed set of reachable
states (invariant at the end)

27
Reachability algorithm (Defs)

Ataui at each stage an upper approximation of
To_explore auxiliary variable representing the
set of states for which we have to compute the
successors

28
Reachability algorithm
Initializations AInit ?(init) For all i
Ataui AReach AInit To_explore
AInit Iteration While To_explore !
false choose m in To_explore To_explore
To_explore ??m if mgt Aguardi then SEE NEXT
PAGE ATaui ATaui ? (
) To_explore To_explore ? (succ
? ? AReach) AReach AReach ? succ
29
(No Transcript)
30
Choice of the Predicates ?i

Use guards in the transitions the system
Allows to construct successors only via
transitions enabled in all represented concrete
states
Replaces enabledness checks (3.0) by boolean
tests.
To prove that ? is an invariant
One can also try to use ? for the definition of
the abstract state space

31
Choice of the Predicates ?i

Split each predicate into its set of literals
(atomic pred.)
E.g. use ?1 (out in) and Choice of the
Predicates ?2 (out tail(in)) instead of ?1 v ?2
Alternating bit protocol example verified
that?(out in V out tail(in) )
List of already received messages Out is a prefix
of the list of messages sent so far In

32
Alternating bit protocol verification

Verified correctness ?(out in V out tail(in) )
Already received message Out is prefix of
messages sent so far In
Using implemented backward computation
The computation of the appropriate inductive
invariant does not terminate
The computation of structual invariants does not
generate interesting results

33
Alternating bit protocol verification

Using the two predicates as ?1 and ?2
Deterministic graph is generated
34 decidable implications
5 abstract states
68s

34
Alternating bit protocol verification

Obtaining more precise approximation
?3 message (message_channel) head(In)
Internal predicate
Last sent message is the head of In --? same
graph but all states satisfy either InOut or
outtail(In)
Use abstract state graph to generate stronger
structural invariants
Apply strengthening backward computation-? (6)
proved

35
Bounded retransmission protocol