Predicate Abstraction

Predicate Abstraction

Abstract state space exploration

• Method:

(1) start in the abstract initial state

(2) use to compute reachable states (invariants)

Ai


• Approximation 1: all reachable states are monomials.

• Where

10

ji

x

0

Ax

11

( )l

Ai i j

i

x x

Least upper bound on lattice

L length of longest chains


• Approximation 2 : strongest invariant of by allowing approximation to be boolean expressions on B1 … Bl and applying only on canonical monomials ( B1 … Bl ) representing a single state

AiAi

cm

20

jj

x

0

Ax where

1 { ( ) | , 1.. }A c

i i c jx m m x j p


• Canonical monomial : the set of atoms of M0

---- the set 2l over B1 … Bl

• Note:

– Boolean expressions on B1 … Bl = arbitrary elements of Qk

cm

1 2 1 2( ) ( ) ( )A c A c A c c

i i im m m m

Complexity of 1 and 2

• Complexity of computation:– The number of necessary proofs– Successor of expA K=2*p*l*1

• 2: B.1 – B.2• P: number of transitions• L: number of predicates• 1: enabledness

Complexity of 1 and 2

• Computation of 1 :

– Needs maximally l*k proofs

• Computation of 2:

– Worst case 2l * k proofs (all successors computed)

Computation of 2

• Much better in practice– Some j leave I unchanged (or transform I

independently) – Only a small subset of all abstract states is

reachable 1… I need not be independent not all 2l

canonical monomials represent a non-empty set of concrete states

– Dependency predicate : consider only non-spurious abstract states

Improvements of the computed invariants

• Use backwards analysis:

00

kjy

0 ky

1 1

[ ]( )p

j j i jiy y pre y

where

Improvements of the computed invariants

• Approximations yj – are arbitrary predicates of the concrete property latti

ce and not necessarily boolean combinations of 1

… I

• Abstract backwards analysis– Would require a lower approximation of

[ ]( )i jpre y

Construction of the abstract state graph

• Computation of a successor: require several proofs– Only a small abstract state (few thousand)

can be explored– Additional cost of storing transitions is almost

negligible

Advantages of storing the abs. state graph

• Use model checker to verify any temporal logic formula on atomic proposition on B1 … Bl without existential quantifier over executions

• Precise global control flow graph– Especially if guards of the program are boolea

n combination over I

– Stronger structure invariants than for initial control structure used to improve backwards analysis

Refinement of the abstract state graph

• Add more predicates to 1… I: deduced form– The so far constructed transition relation– See later: abstraction refinement (done in an

incremental way)

Given expA and Bnew

• Not all implications in (3) have to be checked

• Only the new ones and those which could not be proved valid during the computation of the successors of expA

When to add

• If the abstract state space exploration by using does not allow to verify some property

• Construct more precise abstraction by adding new predicates

Ai

Implementation Overview

• Invariant checker tool impliments:– 1)backwards computation of inductive invaria

nts (true in initial state and preserved by transitions)

– 2) generation of structural invariants (preserved by system structure)

– 3) abstract state graph generation (added)

Integration with PVS

• All implications (3) submitted to PVS

• Proof strategy combining decision procedures, rewriting and boolean simplification using BDDs is systematically applied

Abstract state

• Is a tuple (ctrl, ) where:

• ctrl ---- is a concrete control configuration

• ---- is a valuation of a set of boolean vars B1 … Bl

cm

cm

Dependency predicate

• Given {1… I} an upper approximation of a dependency predicate is computed and used to generate successors

• Exact computation if {1… I} can be divided using syntactical independency into a set of small sets of potentially dependent predicates

Auxiliary invariants

• Generated using initial control structure where

• Qk control configuration of a system consisting of several parallel components are considered reachable

Abstract state graph

• The invariant is a conjunction of – Already known invariants in the system relevant for

the transition under study is used to smaller successors by replacing (3) by

weaker ones

– Only implication compatible with dependency predicate and not already computed are generated

(3.1) (exp ) [ ( ) / ]Ai j ig ass x x

Reachability algorithm (Defs)

• For simplicity: shown for systems without explicit control locations

– Based on QA and over B1 … Bl ,can be implemented with BDDs

• Abstract invariant : by analysis of dependencies between 1… I

Ai

AD


• Concrete invariant : generated using the facilities of the tool

• Constraints Ctau[i](B1 … Bl, B’1 … B’l ): for each i by static analysis

– E.g. which predicates j are not touched => B’j = Bj


• Abstract predicate Aguard[i]=’(gi): generated for each i

1… I are chosen such that Aguard[i] is exactly the guard of i

• AReach: the so far computed set of reachable states (invariant at the end)


• Atau[i]: at each stage an upper approximation of

• To_explore: auxiliary variable representing the set of states for which we have to compute the successors

Ai

Reachability algorithm

' [ ];A AD D Ctau i

Initializations:AInit:= ’(init);For all i: Atau[i]:= AReach := AInit;To_explore := AInit;

Iteration:While To_explore != false

choose m in To_explore; To_explore:= To_explore m;if m=> Aguard[i] thenSEE NEXT PAGEATau[i]:= ATau[i] ( ) To_explore := To_explore (succ AReach);AReach := AReach succ;

[ / ']m succ B B

j

j

1

if Atau[i] m B'

if Atau[i] m B'

: if post[ ]( ( )) '

if post[ ]( ( )) '

else

j

j

l

j i jj

j i j

B

B

succ B m

B m

true

Choice of the Predicates i

• Use guards in the transitions the system:– Allows to construct successors only via transit

ions enabled in all represented concrete states

– Replaces enabledness checks (3.0) by boolean tests.

• To prove that is an invariant– One can also try to use for the definition of t

he abstract state space

Choice of the Predicates i

• Split each predicate into its set of literals (atomic pred.)– E.g. use 1 = (out =in) and Choice of the Predi

cates 2= (out= tail(in)) instead of 1 v 2

• Alternating bit protocol example: verified that:□(out =in V out= tail(in) )

• List of already received messages Out is a prefix of the list of messages sent so far In

Alternating bit protocol verification

• Verified correctness :□(out =in V out= tail(in) )– Already received message Out is prefix of me

ssages sent so far : In

• Using implemented backward computation:– The computation of the appropriate inductive i

nvariant does not terminate– The computation of structual invariants does n

ot generate interesting results


• Using the two predicates as 1 and 2:

– Deterministic graph is generated– 34 decidable implications– 5 abstract states– 68s


• Obtaining more precise approximation: 3= message (message_channel) = head(In)– Internal predicate– Last sent message is the head of In -- same

graph but all states satisfy either In=Out or out=tail(In)

• Use abstract state graph to generate stronger structural invariants – Apply strengthening backward computation-

(6) proved

Bounded retransmission protocol

• Extension of ABP:– Message pockets are sent, retransmitted

bounded by max per message.

• Full parameterized version of BRP:– Pockets can be of any size– Max can be any positive number– Proven so far by hand– Large amount of user interaction

Protocol description

Sendingclient

sender

ack

mess

receiverReceiving

client


• Sender: receive message pocket from client

• Delivers confirmation to client– OK ----- all messages are transmitted– Not_OK -----transmission has been aborted– DON’T_KNOW ----last message not acknowle

dged


• Receiver: acknowledge each received message

• Delivers indication to the receiving client– First –1st message received– OK –last message received– Incomplete --- for any intermediate messages– NOT_OK ---transmission aborted


• Timers T1,T2:

– T1 ---message has been lost

– T2 ---transmission ahs been aborted

Correctness

• Verification: As for ABP– 19 predicates from guards Abstract state

graph: 475 states, 685 transitions, 3 hours

Documents

Predicate Abstraction