Intro Ranking Model Statements Conclusion
Ranked Predicate Abstraction for Branching Time: Complete, Incremental, and Precise
Harald Fecher (1), Michael Huth (2)
(1) Christian-Albrechts-University at Kiel, Germany
(2) Imperial College London, United Kingdom
Beijing, ATVA 2006
Fecher and Huth Ranked Predicate Abstraction for Branching Time
Main Issues
Foundation for counter-example-guided abstraction refinement (CEGAR) for the full mu-calculus: development of an extended predicate abstraction that is
sound,
precise,
incremental, and
complete.
Introduction
Branching time (multiple system observers; biological systems)
Branching time logic: mu-calculus, having least and greatest fixpoints
Model checking not directly applicable to large or infinite systems
Counter-example-guided abstraction refinement (CEGAR): initial abstraction; model check; spurious counterexample → refinement; loop
Abstraction technique: predicate abstraction (synthesized automatically using a theorem prover)
Predicate abstraction
Divide the concrete state space by a set of predicates: an abstract state is a subset of the predicates (the related concrete states are those satisfying the contained predicates and not satisfying the omitted ones).
The mu-calculus needs an over-approximation (may-transitions) and an under-approximation (must-transitions). Must-hypertransitions increase expressiveness.
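As an added illustration (not code from the slides or the authors), the following Python builds the may- and must-transitions of a predicate abstraction for a small constructed finite-state system and shows a must-hypertransition that exists where no single-target must-transition does. The concrete system, the predicates p0 and p1, and all function names are assumptions made for this example.

```python
# Added example: predicate abstraction with may-, must- and must-hypertransitions.

# Constructed concrete system: states 0..5 with their successor sets.
CONCRETE = {0: {1, 2}, 1: {3}, 2: {3, 4}, 3: {5}, 4: {5}, 5: {5}}
# Constructed predicates: name -> set of concrete states in which it holds.
PREDICATES = {"p0": {5}, "p1": {1, 3, 5}}

def abs_of(s, preds):
    """Abstraction function h: the abstract state of s is the set of predicates that
    hold in s; every omitted predicate is false in s."""
    return frozenset(name for name, holds in preds.items() if s in holds)

def predicate_abstraction(trans, preds):
    """Return (abstract states, may-transitions, must-transitions).
    may  a->b: SOME concrete state in a has a successor in b  (over-approximation)
    must a->b: EVERY concrete state in a has a successor in b (under-approximation)"""
    classes = {}                                   # abstract state -> concrete states
    for s in trans:
        classes.setdefault(abs_of(s, preds), set()).add(s)
    may, must = set(), set()
    for a, conc in classes.items():
        for b in classes:
            hits = [any(abs_of(t, preds) == b for t in trans[s]) for s in conc]
            if any(hits):
                may.add((a, b))
            if all(hits):
                must.add((a, b))
    return set(classes), may, must

def has_must_hyper(trans, preds, a, targets):
    """Must-hypertransition a -> targets: EVERY concrete state in a has a successor
    whose abstract state lies somewhere in the set `targets`."""
    conc = [s for s in trans if abs_of(s, preds) == a]
    return all(any(abs_of(t, preds) in targets for t in trans[s]) for s in conc)

NONE, P1, P01 = frozenset(), frozenset({"p1"}), frozenset({"p0", "p1"})
STATES, MAY, MUST = predicate_abstraction(CONCRETE, PREDICATES)
# NONE = {0, 2, 4} has no must-transition to any single abstract state (4 reaches
# only P01, while 0 and 2 do not reach P01), yet every member reaches P1 or P01:
HYPER = has_must_hyper(CONCRETE, PREDICATES, NONE, {P1, P01})
```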
Predicate abstraction illustration
[Figure: an infinite concrete system whose states are labelled with the predicates p0 and p1, and its predicate abstraction with abstract states p0−, p0+, p1−, p1+ and positions 0, 1, 2, 3, with may- and must-transitions drawn between them. The concrete states 0, 1, 2, 3 satisfy the property, and so does the abstraction.]
|= AX (νX .(p0 ∨̃ EX (p1 ∧̃ EX EX EX X)))
Current predicate abstraction insufficient
Problem: least fixpoint formulas
[Figure: the same concrete system and predicate abstraction as before. The concrete states 0, 1, 2, 3 satisfy the least-fixpoint property, but the abstraction does not.]
Concrete system: |= AX (µX .(p0 ∨̃ EX (p1 ∧̃ EX EX EX X)))
Predicate abstraction: ⊭ AX (µX .(p0 ∨̃ EX (p1 ∧̃ EX EX EX X)))
No other predicate abstraction does.
Solution: ranking functions
Ranked predicate abstraction
Definition
A ranked predicate abstraction ℵ of a state space S is a tuple (I, h, J, (≤k)k∈K) where
h : S → I is a surjective function mapping concrete (S) to abstract (I) states;
J is a non-empty set of rank locations [think of J as the subproperties];
for all k ∈ K, with K a (possibly empty) index set, ≤k ⊆ (S × J) × (S × J) is a pre-order with well-founded irreflexive version <k;
|I| + |J| + |K| is finite.
Hypermixed Kripke structures
The abstract model has to be extended by
fairness constraints (Streett conditions over transitions occur naturally) and
may-hypertransitions (conjunctively interpreted) for handling J.
Streett: infinitely many 1-transitions ⇒ infinitely many 2-transitions
Satisfaction
Via games:
in EX: the Verifier chooses a must-hypertransition; the Refuter chooses an element from its target
in AX: the Refuter chooses a may-hypertransition; the Verifier chooses an element from its target
The Verifier wins infinite plays on non-acceptance at the model or acceptance at the property
Satisfaction example
S⁰₀ |= AX (µX .(p0 ∨̃ EX (p1 ∧̃ EX EX EX X)))
AX: Player I chooses s²₁₀ or s²₂₀
EX-circle: Player I chooses the must-transition to {s⁰₃₁}; she chooses the must-transition to {s⁰₂₁}; she chooses the must-transition to {s¹₁₀, s⁰₂₀}; she chooses the must-transition to s¹₀₁, resp. to {s¹₁₀, s¹₂₀}
⇒ either p0 is reached or a non-acceptant model sequence
Soundness
Winning conditions for satisfaction are Rabin conditions (since Streett ⇒ Rabin chain). Thus deciding satisfaction is in NP.
Theorem (Soundness)
Suppose M1 refines M2 and φ is a mu-calculus formula:
M2 |= φ ⇒ M1 |= φ
ℵ-abstraction game
Player I tries to show that model M1 is abstracted by model M2 up to the ranked predicate abstraction ℵ (is ℵ-abstracted by). Player II can additionally switch between states of M1 that map to the same element via the abstraction function h, as long as no contradiction to the ranking functions of ℵ is produced. Player I controls the ranking positions J.
Theorem
If M1 is ℵ-abstracted by M2, then M1 is abstracted by M2.
Precise abstraction
State space: I × J × (K → {0, 1, 2}); the function indicates for each k ∈ K whether ≤k remains equal, decreases, or increases
[Figure: the concrete system with p0 and p1 labels, each state annotated with its ranks ω(s,g), ω(s,b): the p0 state carries 0,0; the p1 states carry 2,1; 3,2; 4,3; 5,4; the intermediate states carry 1,2; 2,3; 3,4. The abstract states 0, 1, 2, 3 are drawn beside it.]
J = {g, b} and (s′, j′) ≤0 (s, j) ⇔ ω(s′, j′) ≤ ω(s, j), where ω(s, j) is depicted with colors
Streett fairness: at any k ∈ K, if the state function (third component) at k is infinitely often 1, then it is also infinitely often 2.
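An added example, not from the slides or the authors' tooling, of the third state component and the Streett fairness constraint above: a constructed countdown system with one ranking function ω0(s, j) = s and a single rank location g, where the abstract self-loop on the non-p0 state only ever carries the "decrease" tag, so a lasso that stays on it forever is rejected by the fairness condition. The concrete system, h, and all helper names are assumptions made for this example.

```python
# Added example: rank-change tags on abstract transitions and the Streett check.
EQUAL, DECREASE, INCREASE = 0, 1, 2          # third state component: K -> {0, 1, 2}

# Constructed concrete system: countdown 3 -> 2 -> 1 -> 0, where 0 loops and p0 holds.
CONCRETE = {3: {2}, 2: {1}, 1: {0}, 0: {0}}
J = {"g"}                                    # one rank location (assumption; J may be larger)
OMEGAS = [lambda s, j: s]                    # K = {0}: ranking function omega_0(s, j) = s

def h(s):
    """Abstraction function S -> I: partition by the predicate p0 (true only at 0)."""
    return "p0" if s == 0 else "not_p0"

def rank_change(omega, src, dst):
    """Per ranking function: 0 if omega stays equal, 1 if it decreases, 2 if it increases."""
    before, after = omega(*src), omega(*dst)
    return DECREASE if after < before else INCREASE if after > before else EQUAL

def abstract_transitions(trans, h, J, omegas):
    """Abstract successor map (i, j) -> {(i', j', changes)}: the target state records,
    for every k, how omega_k moved along the concrete step that produced it.
    Rank locations are kept fixed here (j' = j) to keep the example small."""
    succ = {}
    for s, targets in trans.items():
        for j in J:
            for t in targets:
                changes = tuple(rank_change(w, (s, j), (t, j)) for w in omegas)
                succ.setdefault((h(s), j), set()).add((h(t), j, changes))
    return succ

def streett_accepts(cycle, num_k):
    """A lasso whose cycle is `cycle` is a fair infinite path iff, for every k,
    a 1 (decrease) occurring in the cycle is matched by a 2 (increase)."""
    for k in range(num_k):
        seen = {state[2][k] for state in cycle}
        if DECREASE in seen and INCREASE not in seen:
            return False
    return True

ABSTRACT = abstract_transitions(CONCRETE, h, J, OMEGAS)
# The abstraction has a may self-loop not_p0 -> not_p0, but it only ever carries
# the DECREASE tag, so looping on it forever violates the Streett constraint.
SPURIOUS_CYCLE = [("not_p0", "g", (DECREASE,))]
GENUINE_CYCLE = [("p0", "g", (EQUAL,))]       # 0 -> 0 keeps the rank equal
```

Because the spurious lasso is unfair, the abstract model cannot exhibit an infinite path that avoids p0, which is exactly what plain predicate abstraction lacks on least-fixpoint formulas.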
Preciseness
Theorem (Precision)
The defined abstraction Mℵ is finite and a precise ℵ-abstraction, i.e.,
Mℵ is an ℵ-abstraction of M and
if M2 is an ℵ-abstraction of M, then M2 abstracts Mℵ.
Incremental
Definition
ℵ1 is an extension of ℵ2 if the partition is finer and only ranking functions are added.
Theorem
If ℵ1 is an extension of ℵ2, then Mℵ1 is abstracted by Mℵ2.
Theorem (Confluence of extensions)
For ℵ1 and ℵ2 there is a constructible ranked predicate abstraction that is an extension of ℵ1 and of ℵ2.
Non-trivial ranking positions J necessary for completeness
There is no ranked predicate abstraction ℵ of
[Figure: the infinite concrete system with predicates p0 and p1 from the earlier slides.]
such that its J is a singleton and its abstraction satisfies AX (µX .(p0 ∨̃ EX (p1 ∧̃ EX EX EX X))).
We already saw that it is possible with non-singleton J.
Completeness
Let M be a Kripke structure and θ a memoryless strategy for M |= φ.
Partition (function hθ): states are equivalent if they satisfy the same subformulas via θ and θ behaves the same on ∨̃-properties
Ranking locations J: the set of subproperties
Ranking function ωθ,k: the least number of unfoldings necessary to guarantee that no further 2k + 1 value (level of fixpoint operator nesting; odd numbers always correspond to least fixpoints) can be reached via θ while remaining below 2k + 2.
Theorem (Completeness)
For this constructed ranked predicate abstraction ℵθ we have (Mℵθ, (hθ(s), q, g)) |= φ whenever θ is winning for (s, q).
Conclusion
Development of an extended predicate abstraction that is sound, precise, incremental, and complete for the full mu-calculus (i.e. liveness properties are adequately handled).
Good foundation for the automated synthesis of abstractions and counter-example-guided abstraction refinement for branching time.
Application: extension of existing tools like BLAST or SLAM.