Refining and Compressing Abstract Model Checking

  • Published on
    06-Jul-2016

  • View
    221

  • Download
    0

Embed Size (px)

Transcript

<ul><li><p>Electronic Notes in Theoretical Computer Science 48 (2001)URL: http://www.elsevier.nl/locate/entcs/volume48.html pp. 1 18</p><p>Refining and Compressing Abstract ModelChecking 1</p><p>Agostino Dovier 2 Roberto Giacobazzi 3</p><p>Dipartimento di InformaticaUniversita` di VeronaStrada Le Grazie 1537134 Verona (Italy)</p><p>Elisa Quintarelli 4</p><p>Dipartimento di Elettronica e InformazionePolitecnico di Milano</p><p>Piazza Leonardo da Vinci 3220133 Milano (Italy)</p><p>Abstract</p><p>For verifying systems involving a wide number or even an innite number of states,standard model checking needs approximating techniques to be tractable. Abstractinterpretation oers an appropriate framework to approximate models of reactivesystems in order to obtain simpler models, where properties of interest can beeectively checked. In this work we study the impact of domain renements inabstract interpretation based model checking. We consider the universal fragmentof the branching time temporal logic CTL* and we characterize the structure oftemporal formulae that are veried in new abstract models obtained by rening anabstract domain by means of reduced product and disjunctive completion, or bysimplifying the domain by their inverse operations of complementation and leastdisjunctive bases.</p><p>1 Introduction</p><p>Model checking has emerged as a successful approach for automated veri-cation of complex reactive systems where properties are typically expressed</p><p>1 The work is partially supported by MURST project: Certificazione automatica di pro-grammi mediante interpretazione astratta.2 Email:dovier@sci.univr.it3 Email:giaco@sci.univr.it4 Email:quintare@elet.polimi.it</p><p>c2001 Published by Elsevier Science B. V.</p></li><li><p>Dovier, Giacobazzi and Quintarelli</p><p>using temporal logic [11,18] (for instance, to establish the validity of securityproperties of protocols). However, it is well known that verifying a temporallogic formula against a model, in particular nding all the system states thatverify the formula, is in general a hard problem. Recall that in the case of -nite states this problem is decidable both for CTL* and for the simpler case ofCTL. The complexity of this problem is PSPACE complete for CTL* [11] andlinear running time for CTL [1]. Model checking is usually applied to programsthat consist of several concurrent processes; the number of states represent-ing the whole program behaviour may grow exponentially in the number ofsuch processes. This problem (known as state explosion problem) and thehuge complexity for verifying temporal formulae against a model, especiallyfor CTL*, are limiting factors that have to be tackled for any practical use ofthis technique.</p><p>Abstract interpretation is a general theory for approximating the semanticsof discrete dynamic systems [4]. This theory oers an appropriate frameworkto approximate the model of a reactive system in order to obtain a simplerabstract model, over which the properties of interest can be checked for satis-faction. The idea here is that of verifying temporal properties in an abstractmodel which is systematically derived from the concrete semantics of the sys-tem we want to analyze, e.g., by abstracting the information contained inits states. Since the pioneering work on model checking and abstraction byClarke et al. [2], a number of works have applied this idea to reduce thephenomenon of state explosion (e.g. [9]). However, Abstract Interpretationtheory oers a number of methodologies that have not been applied yet inthe eld of abstract model checking. Many authors recognized in the possibil-ity of modifying abstract models by modifying abstractions a great potentialfor improving abstract model checking in precision and reducing complexity(e.g., Section 9 in [9]), but few applications of these techniques are known inabstract model checking. On the contrary, this practice is quite common instatic program analysis by abstract interpretation. A number of operationshave been studied, both in theory and in practice, to compose, decompose,rene and compress abstract domains and analyses (see [12,14] for a survey),providing advanced algebraic methodologies and techniques for tuning analy-ses in accuracy and costs.</p><p>In this work we study the impact of standard domain renement opera-tions in abstract model checking. The problem is that when a chosen abstractdomain turns out to provide a too rough abstract model for verifying a giventemporal property of interest, this model can be rened by rening the cor-responding abstract domain. Conversely, any operation acting on domainswhich is devoted to their simplication (decomposition or compression) canplay the dual role of reducing the complexity of the verication of temporalformulae, provided that the formulae of interest are veried in both abstractand concrete models. In both these situations, the key problem is to studythe structure of temporal formulae which are preserved or lost by changing</p><p>2</p></li><li><p>Dovier, Giacobazzi and Quintarelli</p><p>the abstract domain by means of domain renement or simplication, and inparticular the structure of those formulae that are veried in the new modeland which were not veried in the former. We consider the universal frag-ment of the branching time temporal logic CTL [11] and we characterize thestructure of temporal formulae that are veried in a new abstract model ob-tained either by rening an abstract domain by means of standard operationsfor domain transformation introduced in [6] (reduced product and disjunctivecompletion) or by simplifying the domain by means of their inverse operations(complementation for domain decomposition [3] or least disjunctive bases fordomain compression [15]). In particular we prove that relevant properties ofsystems can be checked compositionally by decomposing the abstract modelsby domain complementation and that disjunctive information is in some casesredundant in abstract model checking of our CTL* fragment. This may pro-vide sensible simplication algorithms for improving abstract model checkingin complexity yet maintaining accuracy. We will describe an example of theapplication of our methods to demonstrate the practical impact of domainrenement operations in abstract model checking.</p><p>2 Preliminaries</p><p>Temporal Logic appears appropriate for describing the time-varying behaviourof reactive systems, e.g. universal properties (properties that have to holdalong all executions of a program) and existential properties (properties thathave to hold along some executions), as well as safety properties (nothing badmay happen) and liveness properties (something good has to happen) [18,19].</p><p>2.1 Temporal Logic and Model Checking</p><p>In this paper we consider the fragment known as CTL* of the branchingtime temporal logic CTL* [2,11]: the formulae we deal with are the formulaeof CTL* that do not use existential quantiers. Of course, all the resultsapply to the universal fragment of the weaker language CTL, as well. InCTL* universal properties are expressed through the path quantier (forall futures) that quanties over (innite) execution sequences. The temporaloperators G (Generally, always), F (Finally, sometime), X (neXt time), andU (Until) express properties of a single execution sequence. Precisely, givena set Prop of propositions, the set Lit of literals is dened as Lit = Prop{q | q Prop} {true, false}. State formulae and Path formulae areinductively dened by the following grammar, where p Lit:</p><p>state formulae: ::= p | | | path formulae: ::= | | | G | F | X | U(, )</p><p>A transition system is a pair , R consisting of a set of states and a3</p></li><li><p>Dovier, Giacobazzi and Quintarelli</p><p>transition relation R .A Kripke structure is a tuple K = , R, I, where , R is a transitionsystem, I is the set of initial states, and : Lit () is theinterpretation function such that p = {s | s |= p}. For CTL thenotion of satisfaction of a state formula by a state s (s |= ) is as usualin modal logic [9]. If K = , R, I, is a Kripke structure, we say thatK |= if and only if s I : s |= . Given a temporal formula thesatisability problem for is that of nding if there is a Kripke structureK such that K |= . In the case of CTL* (hence of CTL) this problemis decidable [11]. For verication purposes, we are interested in the (global)model checking problem (MCP): given K = , R, I, and a formula ,check if K |= .</p><p>2.2 Abstract Interpretation</p><p>We assume basic notions of lattice theory [10]. The tuple C,,,,,denotes a complete lattice C, with ordering , lub , glb , greatest element(top) , and least element (bottom) (i.e. C is a poset (C,) such that anysubset X of C has a least upper bound X and a greatest lower bound X).The downward closure of S C is dened as S def= {x C | y S. x y}. x is a shorthand for {x}, while the upward closure is dually dened.We consider here Galois insertion/connection based abstract interpretation[5]. If A and C are posets, and : C mA and : A mC are monotonefunctions such that x C. x ((x)) and x A. ((x)) x, then thequadruple (,C,A, ) is called a Galois Connection (GC for short) betweenC and A. The concrete and abstract domains, C and A, are assumed tobe complete lattices and are related by abstraction and concretization mapsforming a GC (,C,A, ). If in addition a A. ((a)) = a, then we call(,C,A, ) a Galois Insertion (GI) of A in C. When (,C,A, ) is a GIthen each value of the abstract domain A is useful in representing C, becauseall the elements of A represent distinct members of C, being 1-1. AnyGC may be lifted to a GI identifying in an equivalence class those values ofthe abstract domain with the same concretization. This process is known asreduction of the abstract domain. Any abstract domain A in a GI (,C,A, )is isomorphic to a subset of the concrete domain C which is a Moore-familyof C, i.e. X =M(X) def= {S | S X} where = M(X). It turnsout that in general an abstract domain A corresponds to a complete meet() subsemilattice of C, but, in general, it does not correspond to a completesublattice of C, since the lub induced by A in C namely ((Y )) mightbe dierent from that in C (i.e. Y ). Indeed, the two lub s coincide whenever((C)) is a complete sublattice of C, which holds i is additive. In this casewe say that A is disjunctive. The lattice of all Moore families of C, also calledthe lattice of abstract interpretations of C [6], is denoted LC ,,,unionsq, C, {},with C being the bottom abstract domain (most concrete abstraction) and</p><p>4</p></li><li><p>Dovier, Giacobazzi and Quintarelli</p><p>{} being the top abstract domain (most abstract abstraction) of C. In thiscase A B i B A as Moore families of C.</p><p>3 Abstract Model Checking</p><p>We abstract the transition systems with simpler (in any case nite) transitionsystems, following the lines of Abstract Interpretation. Work in this directioncan be found in [2,9,8]. A (concrete) Kripke structure K = , R, I, isabstracted by a Kripke structure K = A,R, I, , where: (, (), A, ) is a GI, A is the set of abstract states, I = {(s) | s I}, and R is dened as follows: for all a, b A,</p><p>R(a, b) i b {(Y )</p><p>Y min{Y R((a), Y )</p><p>} }</p><p>where R def={(X,Y )</p><p>xXyYR(x, y)}.</p><p>Observe that each abstract value represents a set of concrete values.</p><p>We say that p Lit is satised in an abstract state a whenever it is satisedin all concrete states described by a: p def= {a A | (a) p }.</p><p>wait,n n=0 n++</p><p>n+30</p><p>n0</p><p>act1,n act2,n</p><p>wait,-wait,+wait,0</p><p>act1,+ act2,-</p><p>Fig. 1. The concrete and abstract Kripke structures C and A</p><p>The concrete transition system C of Fig. 1 represents a process that per-forms the actions wait, act1, and act2, whose interleaving is regulated byinspecting the value of a variable n ranging in Z. The set of states is theinnite set of pairs = {wait, act1, act2} Z, and I = {wait}Z. Note thatthe labeled Kripke structure C represents an innite transition system whosetransitions are not labeled. Consider in a compact way the approximatingKripke structure A in Fig. 1 given by A = {wait, act1, act2} {,, 0,+,Z}and I = {(wait, 0), (wait,), (wait,+)}. In this way, we retain the basicactions of the concrete domain and we abstract the innite part relating tointeger numbers by using the domain Sign (see Fig. 2). In all the gures wedraw only the accessible states from the initial ones in Kripke structures.</p><p>Let K = , R, I, be a Kripke structure. A path in K is an innitesequence = s0, s1, of states in such that s0 I and for every i N,</p><p>5</p></li><li><p>Dovier, Giacobazzi and Quintarelli</p><p>od</p><p>Z</p><p>ev</p><p>+</p><p>+0</p><p>Z</p><p>= 0</p><p>+</p><p>Z</p><p> 0</p><p> 0 +</p><p>0 0+= 0</p><p>Z</p><p>Fig. 2. The domains Parity, Nneg, Sign, and Sign.</p><p>R(si, si+1); i denotes si. We denote the set of paths of K by:</p><p>K = { | 0 I (n N)(n R(n, n+1))}.Definition 3.1 Given two Kripke structures A = A,RA, IA, A andB = B,RB, IB, B, we say that A is more precise than B (denoted asA $ B) if CTL*. B |= A |= .</p><p>IfA $ B and B $ A, then we writeA B. A rst key result on the impactof abstraction on the class of formulae satised by a model was proved in [9].This result, that holds in particular for CTL*, justies the intuitiveobservation that by abstracting a model we loose precision.</p><p>Definition 3.2 Let C = , R, I, and A = A,R, I, be theconcrete and Abstract Kripke structures obtained by using a GI (, (), A, ).We say that A is an abstraction of C.Theorem 3.3 ([9]) Let C = , R, I, and A = A,R, I, be aconcrete and an Abstract Kripke structures. Then C $ A.</p><p>It is well-known that GIs compose, namely if (1, C,A1, 1), (2, A1, A2, 2)are GIs then (21, C,A2, 12) is a GI. The same holds for abstraction ofKripke structures.</p><p>Theorem 3.4 Let A, B, C be Kripke structures such that B is an abstractionof A and C is an abstraction of B, then C is an abstraction of A and A $ C.</p><p>4 Refining abstract models</p><p>In this section we consider the two basic operations of domain renementintroduced in [6]: reduced product and disjunctive completion. A domainrenement (see [14]) is any operation R : LnC LC such that for all domainsXi LC , i = 1, . . . , n, R(X1, . . . , Xn) Xi. It is immediate by Theorems 3.3and 3.4 that if R(A1, . . . ,An) is the Kripke structure obtained by rening thedomains in Ai, then R(A1, . . . ,An) $ Ai.</p><p>4.1 Reduced product model checking</p><p>The reduced product operation is basically obtained starting from the cardinalproduct; the set of pairs is then reduced to obtain a Galois insertion. Recall</p><p>6</p></li><li><p>Dovier, Giacobazzi and Quintarelli</p><p>that given a collection of domains {Ai}i, all abstracting a given domainC by Galois insertions (i, C,Ai, i)i, then (, C, P, ) is the reducedproduct of Ais, denoted P = iAi if P is isomorphic to the subset ofC: M(i i(i(C))) [6,7]. This operation corresponds to the glb operation in the lattice of abstract interpretations LC .</p><p>Suppose that a system C has been abstracted in n dierent ways, by us-ing abstract interpretation. We assume that Ai = Ai, RAi , IAi , Ai is anabstract Kripke structure, for each i {1, . . . , n}. The following denitionformalizes the Kripke structure that can be obtained by combining the ab-stract state spaces Ai by reduced product. A transition from a to b is allowedin the produc...</p></li></ul>