prev

next

out of 18

Published on

06-Jul-2016View

220Download

0

Transcript

Electronic Notes in Theoretical Computer Science 48 (2001)URL: http://www.elsevier.nl/locate/entcs/volume48.html pp. 1 18

Refining and Compressing Abstract ModelChecking 1

Agostino Dovier 2 Roberto Giacobazzi 3

Dipartimento di InformaticaUniversita` di VeronaStrada Le Grazie 1537134 Verona (Italy)

Elisa Quintarelli 4

Dipartimento di Elettronica e InformazionePolitecnico di Milano

Piazza Leonardo da Vinci 3220133 Milano (Italy)

Abstract

For verifying systems involving a wide number or even an innite number of states,standard model checking needs approximating techniques to be tractable. Abstractinterpretation oers an appropriate framework to approximate models of reactivesystems in order to obtain simpler models, where properties of interest can beeectively checked. In this work we study the impact of domain renements inabstract interpretation based model checking. We consider the universal fragmentof the branching time temporal logic CTL* and we characterize the structure oftemporal formulae that are veried in new abstract models obtained by rening anabstract domain by means of reduced product and disjunctive completion, or bysimplifying the domain by their inverse operations of complementation and leastdisjunctive bases.

1 Introduction

Model checking has emerged as a successful approach for automated veri-cation of complex reactive systems where properties are typically expressed

1 The work is partially supported by MURST project: Certificazione automatica di pro-grammi mediante interpretazione astratta.2 Email:dovier@sci.univr.it3 Email:giaco@sci.univr.it4 Email:quintare@elet.polimi.it

c2001 Published by Elsevier Science B. V.

Dovier, Giacobazzi and Quintarelli

using temporal logic [11,18] (for instance, to establish the validity of securityproperties of protocols). However, it is well known that verifying a temporallogic formula against a model, in particular nding all the system states thatverify the formula, is in general a hard problem. Recall that in the case of -nite states this problem is decidable both for CTL* and for the simpler case ofCTL. The complexity of this problem is PSPACE complete for CTL* [11] andlinear running time for CTL [1]. Model checking is usually applied to programsthat consist of several concurrent processes; the number of states represent-ing the whole program behaviour may grow exponentially in the number ofsuch processes. This problem (known as state explosion problem) and thehuge complexity for verifying temporal formulae against a model, especiallyfor CTL*, are limiting factors that have to be tackled for any practical use ofthis technique.

Abstract interpretation is a general theory for approximating the semanticsof discrete dynamic systems [4]. This theory oers an appropriate frameworkto approximate the model of a reactive system in order to obtain a simplerabstract model, over which the properties of interest can be checked for satis-faction. The idea here is that of verifying temporal properties in an abstractmodel which is systematically derived from the concrete semantics of the sys-tem we want to analyze, e.g., by abstracting the information contained inits states. Since the pioneering work on model checking and abstraction byClarke et al. [2], a number of works have applied this idea to reduce thephenomenon of state explosion (e.g. [9]). However, Abstract Interpretationtheory oers a number of methodologies that have not been applied yet inthe eld of abstract model checking. Many authors recognized in the possibil-ity of modifying abstract models by modifying abstractions a great potentialfor improving abstract model checking in precision and reducing complexity(e.g., Section 9 in [9]), but few applications of these techniques are known inabstract model checking. On the contrary, this practice is quite common instatic program analysis by abstract interpretation. A number of operationshave been studied, both in theory and in practice, to compose, decompose,rene and compress abstract domains and analyses (see [12,14] for a survey),providing advanced algebraic methodologies and techniques for tuning analy-ses in accuracy and costs.

In this work we study the impact of standard domain renement opera-tions in abstract model checking. The problem is that when a chosen abstractdomain turns out to provide a too rough abstract model for verifying a giventemporal property of interest, this model can be rened by rening the cor-responding abstract domain. Conversely, any operation acting on domainswhich is devoted to their simplication (decomposition or compression) canplay the dual role of reducing the complexity of the verication of temporalformulae, provided that the formulae of interest are veried in both abstractand concrete models. In both these situations, the key problem is to studythe structure of temporal formulae which are preserved or lost by changing

2

Dovier, Giacobazzi and Quintarelli

the abstract domain by means of domain renement or simplication, and inparticular the structure of those formulae that are veried in the new modeland which were not veried in the former. We consider the universal frag-ment of the branching time temporal logic CTL [11] and we characterize thestructure of temporal formulae that are veried in a new abstract model ob-tained either by rening an abstract domain by means of standard operationsfor domain transformation introduced in [6] (reduced product and disjunctivecompletion) or by simplifying the domain by means of their inverse operations(complementation for domain decomposition [3] or least disjunctive bases fordomain compression [15]). In particular we prove that relevant properties ofsystems can be checked compositionally by decomposing the abstract modelsby domain complementation and that disjunctive information is in some casesredundant in abstract model checking of our CTL* fragment. This may pro-vide sensible simplication algorithms for improving abstract model checkingin complexity yet maintaining accuracy. We will describe an example of theapplication of our methods to demonstrate the practical impact of domainrenement operations in abstract model checking.

2 Preliminaries

Temporal Logic appears appropriate for describing the time-varying behaviourof reactive systems, e.g. universal properties (properties that have to holdalong all executions of a program) and existential properties (properties thathave to hold along some executions), as well as safety properties (nothing badmay happen) and liveness properties (something good has to happen) [18,19].

2.1 Temporal Logic and Model Checking

In this paper we consider the fragment known as CTL* of the branchingtime temporal logic CTL* [2,11]: the formulae we deal with are the formulaeof CTL* that do not use existential quantiers. Of course, all the resultsapply to the universal fragment of the weaker language CTL, as well. InCTL* universal properties are expressed through the path quantier (forall futures) that quanties over (innite) execution sequences. The temporaloperators G (Generally, always), F (Finally, sometime), X (neXt time), andU (Until) express properties of a single execution sequence. Precisely, givena set Prop of propositions, the set Lit of literals is dened as Lit = Prop{q | q Prop} {true, false}. State formulae and Path formulae areinductively dened by the following grammar, where p Lit:

state formulae: ::= p | | | path formulae: ::= | | | G | F | X | U(, )

A transition system is a pair , R consisting of a set of states and a3

Dovier, Giacobazzi and Quintarelli

transition relation R .A Kripke structure is a tuple K = , R, I, where , R is a transitionsystem, I is the set of initial states, and : Lit () is theinterpretation function such that p = {s | s |= p}. For CTL thenotion of satisfaction of a state formula by a state s (s |= ) is as usualin modal logic [9]. If K = , R, I, is a Kripke structure, we say thatK |= if and only if s I : s |= . Given a temporal formula thesatisability problem for is that of nding if there is a Kripke structureK such that K |= . In the case of CTL* (hence of CTL) this problemis decidable [11]. For verication purposes, we are interested in the (global)model checking problem (MCP): given K = , R, I, and a formula ,check if K |= .

2.2 Abstract Interpretation

We assume basic notions of lattice theory [10]. The tuple C,,,,,denotes a complete lattice C, with ordering , lub , glb , greatest element(top) , and least element (bottom) (i.e. C is a poset (C,) such that anysubset X of C has a least upper bound X and a greatest lower bound X).The downward closure of S C is dened as S def= {x C | y S. x y}. x is a shorthand for {x}, while the upward closure is dually dened.We consider here Galois insertion/connection based abstract interpretation[5]. If A and C are posets, and : C mA and : A mC are monotonefunctions such that x C. x ((x)) and x A. ((x)) x, then thequadruple (,C,A, ) is called a Galois Connection (GC for short) betweenC and A. The concrete and abstract domains, C and A, are assumed tobe complete lattices and are related by abstraction and concretization mapsforming a GC (,C,A, ). If in addition a A. ((a)) = a, then we call(,C,A, ) a Galois Insertion (GI) of A in C. When (,C,A, ) is a GIthen each value of the abstract domain A is useful in representing C, becauseall the elements of A represent distinct members of C, being 1-1. AnyGC may be lifted to a GI identifying in an equivalence class those values ofthe abstract domain with the same concretization. This process is known asreduction of the abstract domain. Any abstract domain A in a GI (,C,A, )is isomorphic to a subset of the concrete domain C which is a Moore-familyof C, i.e. X =M(X) def= {S | S X} where = M(X). It turnsout that in general an abstract domain A corresponds to a complete meet() subsemilattice of C, but, in general, it does not correspond to a completesublattice of C, since the lub induced by A in C namely ((Y )) mightbe dierent from that in C (i.e. Y ). Indeed, the two lub s coincide whenever((C)) is a complete sublattice of C, which holds i is additive. In this casewe say that A is disjunctive. The lattice of all Moore families of C, also calledthe lattice of abstract interpretations of C [6], is denoted LC ,,,unionsq, C, {},with C being the bottom abstract domain (most concrete abstraction) and

4

Dovier, Giacobazzi and Quintarelli

{} being the top abstract domain (most abstract abstraction) of C. In thiscase A B i B A as Moore families of C.

3 Abstract Model Checking

We abstract the transition systems with simpler (in any case nite) transitionsystems, following the lines of Abstract Interpretation. Work in this directioncan be found in [2,9,8]. A (concrete) Kripke structure K = , R, I, isabstracted by a Kripke structure K = A,R, I, , where: (, (), A, ) is a GI, A is the set of abstract states, I = {(s) | s I}, and R is dened as follows: for all a, b A,

R(a, b) i b {(Y )

Y min{Y R((a), Y )

} }

where R def={(X,Y )

xXyYR(x, y)}.

Observe that each abstract value represents a set of concrete values.

We say that p Lit is satised in an abstract state a whenever it is satisedin all concrete states described by a: p def= {a A | (a) p }.

wait,n n=0 n++

n+30

n0

act1,n act2,n

wait,-wait,+wait,0

act1,+ act2,-

Fig. 1. The concrete and abstract Kripke structures C and A

The concrete transition system C of Fig. 1 represents a process that per-forms the actions wait, act1, and act2, whose interleaving is regulated byinspecting the value of a variable n ranging in Z. The set of states is theinnite set of pairs = {wait, act1, act2} Z, and I = {wait}Z. Note thatthe labeled Kripke structure C represents an innite transition system whosetransitions are not labeled. Consider in a compact way the approximatingKripke structure A in Fig. 1 given by A = {wait, act1, act2} {,, 0,+,Z}and I = {(wait, 0), (wait,), (wait,+)}. In this way, we retain the basicactions of the concrete domain and we abstract the innite part relating tointeger numbers by using the domain Sign (see Fig. 2). In all the gures wedraw only the accessible states from the initial ones in Kripke structures.

Let K = , R, I, be a Kripke structure. A path in K is an innitesequence = s0, s1, of states in such that s0 I and for every i N,

5

Dovier, Giacobazzi and Quintarelli

od

Z

ev

+

+0

Z

= 0

+

Z

0

0 +

0 0+= 0

Z

Fig. 2. The domains Parity, Nneg, Sign, and Sign.

R(si, si+1); i denotes si. We denote the set of paths of K by:

K = { | 0 I (n N)(n R(n, n+1))}.Definition 3.1 Given two Kripke structures A = A,RA, IA, A andB = B,RB, IB, B, we say that A is more precise than B (denoted asA $ B) if CTL*. B |= A |= .

IfA $ B and B $ A, then we writeA B. A rst key result on the impactof abstraction on the class of formulae satised by a model was proved in [9].This result, that holds in particular for CTL*, justies the intuitiveobservation that by abstracting a model we loose precision.

Definition 3.2 Let C = , R, I, and A = A,R, I, be theconcrete and Abstract Kripke structures obtained by using a GI (, (), A, ).We say that A is an abstraction of C.Theorem 3.3 ([9]) Let C = , R, I, and A = A,R, I, be aconcrete and an Abstract Kripke structures. Then C $ A.

It is well-known that GIs compose, namely if (1, C,A1, 1), (2, A1, A2, 2)are GIs then (21, C,A2, 12) is a GI. The same holds for abstraction ofKripke structures.

Theorem 3.4 Let A, B, C be Kripke structures such that B is an abstractionof A and C is an abstraction of B, then C is an abstraction of A and A $ C.

4 Refining abstract models

In this section we consider the two basic operations of domain renementintroduced in [6]: reduced product and disjunctive completion. A domainrenement (see [14]) is any operation R : LnC LC such that for all domainsXi LC , i = 1, . . . , n, R(X1, . . . , Xn) Xi. It is immediate by Theorems 3.3and 3.4 that if R(A1, . . . ,An) is the Kripke structure obtained by rening thedomains in Ai, then R(A1, . . . ,An) $ Ai.

4.1 Reduced product model checking

The reduced product operation is basically obtained starting from the cardinalproduct; the set of pairs is then reduced to obtain a Galois insertion. Recall

6

Dovier, Giacobazzi and Quintarelli

that given a collection of domains {Ai}i, all abstracting a given domainC by Galois insertions (i, C,Ai, i)i, then (, C, P, ) is the reducedproduct of Ais, denoted P = iAi if P is isomorphic to the subset ofC: M(i i(i(C))) [6,7]. This operation corresponds to the glb operation in the lattice of abstract interpretations LC .

Suppose that a system C has been abstracted in n dierent ways, by us-ing abstract interpretation. We assume that Ai = Ai, RAi , IAi , Ai is anabstract Kripke structure, for each i {1, . . . , n}. The following denitionformalizes the Kripke structure that can be obtained by combining the ab-stract state spaces Ai by reduced product. A transition from a to b is allowedin the product structure if a and b are obtained by the meet of states allowinga transition in each component.

Definition 4.1 Let = {1, . . . , n} and i , Ai = Ai, RAi , IAi , Aiare abstractions of a Kripke structure C = , R, I, . The ProductKripke Structure is iAi = (iAi, R,iIAi , ), where R(a, b)i (i )((ai, bi Ai)(RAi(ai, bi) i((a)) ai i((b)) bi)).a p i (a) p .

The following result species that the reduced product of domains Ai pro-vides a more precise abstract model A, where the conjunction of formulaewhich can be satised in some Ai, can be veried.Theorem 4.2 Let = {1, . . . , n}. Suppose that C = , R, I, is aKripke Structure, i ,Ai = Ai, RAi , IAi , Ai are abstractions ofC, and A = iAi, R, I, is the Product Kripke Structure. Ifi : Ai |= i, then A |=

ii.

Proof. By contradiction, suppose that (i )(Ai |= i) but A &|=ni=1i,

i.e. (j )(A &|= j). By induction on the structure of the formula j:(i) j = p, p Lit. A &|= p (i I)(i &|= p) (i) & p . For

denition of Product Kripke structure i = i1 ij in (i) =(i1 ij in) j(ij) j(ij) & p ij & p Aj . Acontradiction.

(ii) j = Xp. A &|= j (i I)(s A)(R(i, s) s &|= p). For def-inition of Product Kripke structure j such that (ij IAj)(sj Aj)(RAj(ij, sj) j((s)) sj). For denition of GC and ReducedProduct (s) j(j((s))). (s) & p because s &|= p j(j((s))) & p j((s)) & p Aj by denition of Aj .sj &|= p because sj j((s)). Thus, we obtain a contradiction.

(iii) j = 1 2, j = 1 2, j = 1 2, j = 1 2, j = X orj = U(1, 2), the proof is the same as the previous cases.

(iv) j = G. A &|= j (t A)((n N)(tn &|= )): n = 0 : (i I)(i &|= ) (ij IAj)(ij &|= ) (the proof is the sameas the rst case). We obtain a contradiction.

7

Dovier, Giacobazzi and Quintarelli

, = 0, od

, od +, od , ev +, ev 0, ev= 0,

, , od +, , ev

Z, Z

Fig. 3. The abstract domain Sign Parity. n > 0 : (t A)((n N)(tn &|= )) R(tn1, tn) tn &|= (j A)(s1, s2 Aj)(R(s1, s2)s2 &|= ) (the proof is the same as thesecond case). We obtain a contradiction.

(v) j = . A &|= j (t A)(t &|= ). The argument is the sameas the previous cases: we nd a trace in the Kripke structure Aj whichdoes not satisfy , a contradiction.

Example 4.3 Consider the concrete Kripke structure C depicted in Fig. 4.It represents a process that performs the action:

act1, if the value of a variable n is greater than zero, act2, if the value of the variable n is less than zero.

The value of the variable is modied by the process after the appropriate actionis taken. The set of states is the innite set of pairs = {wait, act1, act2} Z \ {0}, and I = {wait} Z \ {0}. A possible approximation is the abstractKripke Structure A1 whose set of abstract states is A1 = {wait, act1, act2} {,,+,Z}, and the set of initial states is I = {(wait,), (wait,+)}. An-other approximation is the abstract Kripke Structure A2 whose set of ab-stract states is A2 = {wait, act1, act2} {, ev, od,Z}, and the set of initialstates is I = {(wait, ev), (wait, od)}. The reduced product Sign Parityis represented in Fig. 3 and provides the abstract Kripke structure in Fig. 4,where only maximal nodes, corresponding to states with maximal value inthe product domain, are depicted (the label ? reported in the gure meansact1 act2). In this case it is easy to verify that A1 |= G(n 0Xn > 0),A2 |= G(even(n) XXodd(n)) and A |= G((n 0 Xn > 0) (even(n)XXodd(n))) where A is the Product Kripke structure with do-main Sign Parity.

4.2 Disjunctive model checking

Disjunctive completion was originally introduced to model multiple branchesin static program analysis [6,17]. The idea is that a domain is disjunctive ifno loss of precision is accumulated by approximating the join operation (e.g.

8

Dovier, Giacobazzi and Quintarelli

wait,n

n--n++

act2,nact1,n

wait,-wait,+ wait,ev

act2,+ act1,- act1,ev act2,ev act1,od act2,od

wait,odn>0 n

Dovier, Giacobazzi and Quintarelli

the complexity of temporal models and thus the verication of temporal for-mulae of interest. A domain simplication is any operation S : LnC LCsuch that for all domains Xi LC , i = 1, . . . , n, Xi S(X1, . . . , Xn) [14].It is immediate by Theorems 3.3 and 3.4 that if S(A1, . . . ,An) is the Kripkestructure obtained by simplifying the domains Ai, then Ai $ S(A1, . . . ,An).A simplication is a compression if it returns the most abstract domain (whenit exists) from which the original domain can be fully reconstructed back bya corresponding renement: S : LC LC is a compressor for a renementR : LC LC if S(R(X)) = S(X) and R(S(X)) = R(X) [14].

5.1 Complementing model checking

Complementation is important for domain decomposition, in fact it simpliesverication problems for complex domains, by decomposing them into sim-pler problems. Domain complementation is the inverse operation of reducedproduct, and corresponds to nd, for any domains A B, the most abstractdomain X such that X B = A, i.e. it is the compressor of the domain re-nement X. X B. The problem of domain decomposition has been solvedin [3] providing a systematic method for decomposing abstract domains intosimpler factors. Recall that if C is a complete lattice, then x C is meet-irreducible if for any y, z C, if x = y z then x = y or x = z. The set ofmeet-irreducibles of C is denoted by MI(C). We say that C is generated byMI(C) if C = M(MI(C)). The following result provides a characterizationof domain complementation in terms of meet-irreducible elements.

Theorem 5.1 ([13]) Let C be a complete lattice generated by MI(C), andlet (A, C,A, A) and (D, C,D, D) be such that A D. Then

A D =M(MI(A) \D).

By applying complementation on the state space of a Kripke structure weobtain a simpler abstract structure which in general does not satisfy sometemporal formulae of interest. We study under which conditions on the for-mulae we obtain a less precise abstract model by decomposing the abstractstate space of a transition system.

The following result characterizes the predicates which are not preservedby complementing abstract Kripke structures. By a straightforward inductionit is easy to characterize the structure of arbitrary temporal formulae that arenot preserved by complementing abstract structures (see the example below).

Theorem 5.2 Let C = , R, I, and A = A,RA, IA, A be a con-crete and an abstract Kripke structure. Let p Lit. A = A B,R, I, &|= p i

(s IA)(s |= p (x s M(MI(A) \B))(x &|= p) (x s)(x &|= p)).10

Dovier, Giacobazzi and Quintarelli

Proof. Let A : ()mA, A : A m(), A : () mA B, A :

A B m() be the abstraction and concretization functions. Let s IA bean initial state such that s |= p (x sM(MI(A) \B))(x &|= p) (x s)(x &|= p)), this means that s & MI(A) \ B. Let S be {s A | s sM(MI(A) \B)}. A(A(s)) S A(A(s)) &|= p the abstractionof the initial state s in A does not satisfy p, and therefore A &|= p. Example 5.3 Consider the concrete Kripke structure C in Fig. 5, with ={wait, act} N, and an approximated structure A with space states A ={wait, act}Sign. We observe that the variables cannot take negative valuesand thus it is possible to abstract A in a new structure which does not containstrictly negative information. Note that Sign {Z,0,} = Nneg inFig. 2. Nneg induces an abstract structure N which abstracts A, i.e. A $ N .It is now easy to verify that A |= (n = 0 n > 0) (i.e. i I , i |= (n =0 n > 0)) instead, N &|= (n = 0 n > 0) because the value 0 is abstracted in0+.

wait,n

n 0

act,n

wait,0 wait,0+wait, +

act, +

wait, +

act, +

n=0n++

n++

Fig. 5. Kripke structures C, A, and N

5.2 Compressing model checking

The relevance of compression with respect to disjunction relies upon Theo-rem 4.5 above. In this case it is natural to state the following question: Isit possible to minimize the disjunctive information in domains in such a waythe abstract model be minimal with respect to this information? In the follow-ing we consider the notion of least disjunctive bases introduced in [15]. Thisoperation is well dened in most applications of abstract interpretation andreturns the most abstract domain which induces, by disjunctive completion,a given disjunctive domain.

Definition 5.4 Given a complete lattice C, X LC is disjunctively optimiz-able if C(unionsq{A LC | C(A) = C(X)}) = C(X).If a domain A LC is disjunctively optimizable then its least disjunctivebases exists and it is denoted by C(A) [15]. This is the case when C is acompletely distributive lattice generated by its join irreducible elements, inparticular when C = (). In particular, let C = , R, I, be a Kripkestructure, then ()(A) =M(JI(()(A))) for any A L() [15].

The following result characterizes precisely those predicates which are notpreserved in the abstract Kripke structures obtained by the least disjunctivebases.

11

Dovier, Giacobazzi and Quintarelli

Theorem 5.5 Let C = , R, I, and A = A,RA, IA, A be aconcrete and an abstract Kripke structure. Let p Lit.(A) = (A), R(A), I(A), (A) &|= p i

(s IA)(s |= p (x s M(JI(A)))(x &|= p) (x s)(x &|= p)).

Proof. Let A : ()mA, A : A m(), (A) : () m(A), (A) :

(A) m() be the abstraction and concretization functions. Let s IA bean initial state such that s |= p(x sM(JI(A)))(x &|= p)(x s)(x &|=p)), this means that s & JI(A). Let S be {s A | s s M(JI(A))}.(A)(A(s)) S (A)(A(s)) &|= p the abstraction of the initial states in (A) does not satisfy p (A) &|= p. As before, those formulae which are not satised in the least disjunctive basesstructure can be characterized by a straightforward inductive argument fromthe predicates not preserved as given in Theorem 5.5.

Example 5.6 Consider the concrete Kripke structure C in Fig. 6. The set ofstates is the innite set of pairs = {wait, act}Z, and I = {wait}{0, &= 0}.Actually, in C it is not important the integer value of n but the comparisonof its value with zero. Consider an approximating Kripke structure A withdomain A = {wait, act} Sign and a further abstraction B with domainB = {wait, act} Sign. Note that the abstract Kripke structure B does notverify all the properties that hold in A. For example, if = G(n &= 0Xn &=0), A |= while B &|= because the value &= 0 is abstracted in Z.

wait,n

n 0

act,n

wait,0

n++ act, Zact, = 0

wait,0n=0n++

wait, = 0 wait, Z

Fig. 6. Kripke structures C, A, and B

6 An example

In this section we consider an example of the application of our methods todemonstrate the practical impact of domain renement operations in abstractmodel checking.

The example is drawn from [2]: a concurrent algorithm for sorting an arrayof n cells containing integer numbers. Avoiding implementation details, thesorting algorithm works as follows: the n cells are numbered consecutivelyfrom right to left. The sort proceeds in cycles. During each cycle, exactly halfthe cells (either all of the odd-numbered cells or all of the even-numbered cells)will be compared with their right neighbour cell. If the value of a cell to besorted is less than its right neighbours value then the two values are swapped

12

Dovier, Giacobazzi and Quintarelli

(for more details on the program see [2], where it is assumed that array cellscontain only two values, zero and one). In Fig. 7 we show how the algorithmintuitively works when applied to an array of eight cells. The nodes with anentering arrow are the active nodes (i.e. the nodes that control the sort inthe current cycle of execution of the program). Note that if in a cycle theodd-position nodes are active, during the next cycle the even-position nodesbecome active, and vice versa. The algorithm sorts the array in linear time.

0 32 3 4

3 43 42 1 0 4

2 3 0 31 4 4 4

441

3 40 43

3 440 42 1 3

1 4

second cycle

third cycle

fifth cycle

first cycle

fourth cycle

2

Fig. 7. An execution of the linear sorting array algorithm

This sorting algorithm can be formalized by using a Kripke structure overwhich it is possible to verify a temporal property that implies that the arrayis eventually sorted.

For example, in Fig. 8 we represent the Kripke structure for sorting twointeger numbers in ascending order (here, as usual, entering arrows denoteinitial states). The system consists of two concurrent processes that cycle(mutually exclusively) through an innite sequence of active (A) and non-active (NA) conditions. Each process swaps its cell with the right neighbourcell only if it is active and the values of the two cells are not in the right order.We want to verify that along every execution the following property holds:eventually, the value of the rst cell is less than or equal to the value of thesecond cell.

x>y

x

Dovier, Giacobazzi and Quintarelli

?

?

?

?

?

?

?

?

Z

[m,c) [c,+m][m,+m]

?

?

?

?

?

?

?

?

Z

[m,d) [d,+m][m,+m]

D

D

D

D

D

D

D

D

D

D

D

D

D

z

z

z

z

z

z

z

z

z

z

z

z

z

?

?

?

?

?

?

?

j

j

j

j

j

j

j

j

j

j

T

T

T

T

T

T

T

T

T

T

t

t

t

t

t

t

J

J

J

J

J

J

Z

[c,d]

[m,c] [d,+m]

[c,m)[m,d]

[m,+m]

Fig. 9. Abstract domains Intc, Intd, and Intc Intd

between two nodes are depicted in Fig. 8: observe that in each state only oneprocess is active.

In order to abstract the Kripke structure in Fig. 8 with an abstract Kripkestructure Ac = c, Rc, Ic, 2c (see Fig. 10) we introduce an abstract domain,which is dened by providing abstractions of the components that form theconcrete domain. We choose to leave the components {NA,A} the same.Formally, this means that we take an abstract domain containing elementsNA and A whose concretizations are {NA} and {A}, respectively. To abstractthe integer values to be sorted, we can compute a partitioning with respectto a parameter c (as in [2]). Given c Z we dene a GI (, (Z), Intc, )between (Z) and the abstract domain Intc in Fig. 9 (m N is a constantplaying the role of maxint). The abstraction function is dened as follows:S (Z), (S) = [m, c) i x S x < c; (S) = [c,+m] i x S x c;(S) = [m,+m] otherwise.

Fig. 10. Abstract Kripke structure Ac for linear sorting array program

The set c of abstract states is now dened as follows: = {NA,A,}2 Int2c . Its top element is ,,Z,Z, while the approximation relation $ isthe extension of the orderings on each of the four components. It is im-portant to note that the approximation order on the integer components(the Intc domain in Fig. 9) does not correspond to the obvious order rela-tion () used by the algorithm to sort the integer values (i.e. [m, c) [c,+m] but [m, c) &$ [c,+m]). The set of abstract initial states is: Ic ={A,NA, i1, i2, NA,A, i1, i2 | i1, i2 {[m, c), [c,+m]}}. The abstracttransition relations and the abstract interpretation of the concrete predicate are computed accordingly to the denitions stated in Section 3.It is easy to check that along every path of the abstract Kripke structure thereis a continuation of the path that reaches only sorted states, i.e. if there isa value to be sorted that is less than c then it comes before the other value.

14

Dovier, Giacobazzi and Quintarelli

The temporal formula corresponding to the property is:

c F G (x1 < c x2 c)

where x1 and x2 are the two values to be sorted. c is tautologically equivalentto:

FG((x1 < c x2 < c) x2 c)Note that if the cells to be sorted by the linear sorting array algorithm are nthen the number of abstract states is 2n+1, while the number of concrete statesis innite or 2rn, considering a range r of integer number (e.g. r . 2maxint).In order to rene the abstract sorting algorithm, it is possible to abstractthe original Kripke structure by using two dierent abstract states spaces, i.e.by partitioning the integer numbers with respect to two dierent parameters(namely c and d). Consider for example the two domains Intc and Intd inFig. 9 and suppose, without loss of generality, that c < d. By means ofreduced product operation, we obtain the domain Intc Intd (see Fig. 9)which allow us to compute a more precise abstraction on integer values. InFig. 11 it is reported a portion of the Product Kripke structure we obtainby taking into account the new domain Intc Intd, and in particular bycombining the state spaces c = {NA,A,}2 Int2c and d = {NA,A,}2 Int2d of two dierent abstract Kripke structures by means of reduced product(Ad = {NA,A,}2 Int2d, Rd, Id, 2d is obtained in the same way as Ac). Weillustrate the case where the two values to be sorted may not be in the rightorder by partitioning the integer numbers with the parameter c, while theyare in the correct order if we partition the numbers by using d. This modelsatises the temporal formula c d = FG((x1 < c x2 < c) x2 c) FG((x1 < d x2 < d) x2 d), according to Theorem 4.2. Moreover,it satises the formula cd = FG((x1 < c x2 < c) (x1 < c c x2 d) (x1 < c x2 > d) (c x1 < d x2 > d) x2 > d), stating that the twovalues are ordered also with respect to the new partition of Z.

Fig. 11. A part of the Product Kripke structure Ac Ad

Therefore, by using renement operations, such as reduced product, it ispossible to systematically rene abstract models, which approximate a givenreactive system, and consequently obtain a new abstract reactive system thatautomatically veries a combination (e.g the conjunction for the reduced prod-uct operation) of the formulae of interest. We conclude the subsection bygiving some remarks on the complexity of the model checking problem thatwe have taken into account.

15

Dovier, Giacobazzi and Quintarelli

The algorithm for determining whether a CTL formula is true in thestates of a Kripke structure S,R, P runs in timeO(length() (| S | + | R |)),where length() is the number of subformulae of (see [2]). Thus, sincec is a CTL formula and thus, the problem of checking it on the modelAc = c, Rc, Ic, 2c, has a linear complexity, more precisely the algorithm runsin time proportional to length(c)(| c | + | Rc |) . 22(222+222) = 422+2.Checking d on Ad is the same problem.In general, the length of a CTL formula which species that n integer valuesare eventually sorted, partitioning Z into k intervals, is length() . kn. Thesize of the abstract Kripke structure for this particular conguration of theproblem is | | + | R |. 2kn + 2kn (the n integers to be sorted may assumek abstract values and in the linear sorting algorithm the even-cells or theodd-cells are alternatively considered. Moreover, each abstract state has anoutgoing edge).

We have also demonstrated that by combining two dierent abstractions K1and K2 of a given Kripke structure K, such that K1 |= 1 and K2 |= 2, weautomatically obtain a new abstract Kripke structure K1 K2 which veries1 2 (we do not have to check it!). Since K1 K2 is more precise than K1andK2 we are interested in checking the satisfaction of new temporal formulaeon its states. The size of K1 K2 is less than or equal to | K1 | | K2 |, be-cause of the reduction of abstract values with the same concretization (see [6])(typically, the number is strictly lower: in the case of Fig. 9 we have 8 statesinstead of 25).

For the sorting problem we want to assure that the integers are eventuallyin the correct order with respect to the partition induced by the reducedproduct domain. In our example, we have to check on the model Ac Adthe satisfaction of the CTL formula cd = FG((x1 < c x2 < c) (x1 d) (c x1 < d c x2 < d) x2 > d).In this case the model checking problem can be solved in time proportional tolength(cd) (| c | + | Rc |) (| d | + | Rd |).To sum up, consider an abstract domain c1 cj , j > 1, that is thereduced product of j domains each of them partitions Z in 2 intervals. On theabstract Kripke structure with state space c1 cj we can check thesatisfaction of the CTL formula c1cj in time proportional to 4 (j +1)2n,where n is the number of cells to sort. Moreover, the Theorem 4.2 assuresthat the Kripke structure satises the formula c1 cj . If we wantto rene again the partition of the integer numbers we compute the abstractstate space c1 cj cj+1 of a new Product Kripke structure, whichautomatically satises the formula c1 cj cj+1 . The complexityof the model checking problem for the formula c1cjcj+1 increases with aratio proportional to (1+ 1

j)2n and thus, at each step of the systematic rening

process it is possible to check the satisfaction of a more rened formula witha small increment of the complexity.

16

Dovier, Giacobazzi and Quintarelli

Abs. Domain c1 c1 c2 c1 cj c1 cj+1Formula c1 c1 c2 . . . c1 cj c1 cj+1Complexity 4 22n 0 0 0Formula c1 c1c2 c1cj c1cjcj+1Ratio 4 22n (3

2)2n ( j

j1)2n (1 + 1

j)2n

7 Future works

On the side of domain operations we plan to study the impact of Cousotsreduced cardinal power operation [6] and Heyting completion [16] for con-structing relational abstract model checking. This operation, which does notadmit a corresponding compressor, should upgrade domains, and thereforeKripke structures, with implicational information. On the side of TemporalLogic, we plan to generalize our results to arbitrary Temporal Logics. Thiscan be achieved by considering more general -calculus, as in [8]. All theseresults should lead to the denition of a transformer of temporal formulae as-sociated with each abstract domain transformer, and appropriate algorithmsfor simplifying or rening abstract model checking.

References

[1] Clarke, E. M., E. A. Emerson and A. P. Sistla, Automatic verification of finite-state concurrent system using temporal logic specification, ACM Transaction onProgramming Languages and Systems 8 (1986), pp. 244263.

[2] Clarke, E. M., O. Grumberg and D. E. Long, Model checking and abstraction,ACM Transaction on Programming Languages and Systems 16 (1994),pp. 15121542.

[3] Cortesi, A., G. File, R. Giacobazzi, C. Palamidessi and F. Ranzato,Complementation in Abstract Interpretation, toplas 19 (1997), pp. 747.

[4] Cousot, P., Abstract Interpretation, ACM Computing Surveys 28 (1996),pp. 324328.

[5] Cousot, P. and R. Cousot, Abstract interpretation: A unified lattice model forstatic analysis of programs by construction or approximation of fixpoints, in:Conference Record of the 4th ACM Symposioum on Principles of ProgrammingLanguages (POPL 77 ) (1977), pp. 238252.

[6] Cousot, P. and R. Cousot, Systematic design of program analysis frameworks, in:Conference Record of the 6th ACM Symposioum on Principles of ProgrammingLanguages (POPL 79 ) (1979), pp. 269282.

17

Dovier, Giacobazzi and Quintarelli

[7] Cousot, P. and R. Cousot, Inductive definitions, semantics and abstractinterpretation, in: Conference Record of the 19th ACM Symposioum onPrinciples of Programming Languages (POPL 92 ) (1992), pp. 8394.

[8] Cousot, P. and R. Cousot, Temporal abstract interpretation, in: ConferenceRecord of the ACM Symposioum on Principles of Programming Languages(POPL 2000 ) (2000), pp. 1225.

[9] Dams, D., R. Gerth and O. Grumberg, Abstract interpretation of reactivesystems, ACM Transaction on Programming Languages and Systems 19 (1997),pp. 253291.

[10] Davey, B. A. and H. A. Priestley, Introduction to Lattices and Order,Cambridge University Press, Cambridge, U.K., 1990.

[11] Emerson, E. A., Temporal and modal logic, in: J. van Leeuwen, editor, Handbookof Theoretical Computer Science, B: Formal Models and Semantics, Elsevier,Amsterdam and The MIT Press, Cambridge, Mass., 1990 pp. 9971071.

[12] File, G., R. Giacobazzi and F. Ranzato, A unifying view of abstract domaindesign, ACM Computing Surveys 28 (1996), pp. 333336.

[13] File, G. and F. Ranzato, Complementation of abstract domains made easy, in:M. Maher, editor, Proceedings of the 1996 Joint International Conference andSymposium on Logic Programming (JICSLP 96 ) (1996), pp. 348362.

[14] Giacobazzi, R. and F. Ranzato, Refining and compressing abstract domains, in:P. Degano, R. Gorrieri and A. Marchetti-Spaccamela, editors, Proceedings ofthe 24th International Colloqium on Automata, Languages and Programming(ICALP 97 ), Lecture Notes in Computer Science 1256 (1997), pp. 771781.

[15] Giacobazzi, R. and F. Ranzato, Optimal domains for disjunctive abstractinterpretation, Science of Computing Programming 32 (1998), pp. 177210.

[16] Giacobazzi, R. and F. Scozzari, A logical model for relational abstract domains,ACM Transaction on Programming Languages and Systems 20 (1998),pp. 10671109.

[17] Jensen, T., Disjunctive strictness analysis, in: Proceedings of the 7th IEEESymposium on Logic in Computer Science (LICS 92 ) (1992), pp. 174185.

[18] Manna, Z. and A. Pnueli, The Temporal Logic of Reactive and ConcurrentSystems, Springer-Verlag, Berlin, 1992.

[19] Muller-Olm, M., D. Schmidt and B. Steen, Model-checking. A tutorialintroduction, in: G. File, editor, Proceedings of the International Static AnalysisSymposium (SAS 99 ), Lecture Notes in Computer Science 1694 (1999), pp.330354.

18