Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008."— Presentation transcript:

1 1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008

2 2 CTL* Allows any combination of temporal operators and path quantifiers More expressive than LTL or CTL ACTL / ACTL* The universal fragments of CTL/CTL* with only universal path quantifiers  -calculus: More expressive than CTL*

3 3 Model Checking An efficient procedure that receives:  A finite-state model M, describing a system  A temporal logic formula , describing a property It returns yes, M |=  no + Counterexample, otherwise Main Limitation: The state explosion problem

4 4 Possible solution Replacing the system model by a smaller one (less states and transitions) that still preserves properties of interest Modular verification Symmetry Abstraction

5 5 Definitions equivalence between models that strongly preserves CTL* (  -calculus): If M 1  M 2 then for every CTL* formula , M 1 |=   M 2 |=  preorder on models that weakly preserves ACTL*: If M 2  M 1 then for every ACTL* formula , M 2 |=   M 1 |= 

6 6 H={ (1,1’), (2,4’), (4,2’), (3,5’), (3,6’), (5,3’), (6,3’) } ab aa b b Equivalence of models M 1  M 2 M1M1 a bb ddc 1 4 3 6 2 5 a bb ccd 1’1’ 2’2’ 3’3’ 4’4’ 5’5’ 6’6’ M2M2

7 7 M1M1 M2M2 Preorder between models M 1  M 2 wait coin pepsicoke wait coin cokepepsi

8 8 Abstraction One of the most useful ways to fight the state explosion problem They should preserve properties of interest: properties that hold for the abstract model should hold for the concrete model Abstractions should be constructed directly from the program

9 9 Abstraction Removes or simplifies details Removes entire components that are irrelevant to the property under consideration, thus reducing # of states Manual abstraction requires great creativity.

10 10 Outline for abstraction Define an abstract model that preserves the checked property Consider different types of abstractions Automatically construct an abstract model Different constructions for different types Automatically refine it, if the abstraction is not detailed enough

11 11 We first define an abstract model M h based on a concrete (full) model M of the system Goal: constructing M h directly from the program text P M MhMh  Concrete model Abstract model Outline for abstraction (cont.)

12 12 Abstraction preserving ACTL/ACTL* We use Existential Abstraction in which the abstract model is an over-approximation of the concrete model: The abstract model has more behaviors But no concrete behavior is lost Every ACTL/ACTL* property true in the abstract model is also true in the concrete model

13 13 Existential Abstraction M MhMh Given an abstraction function h : S  S h, the concrete states are grouped and mapped into abstract states : hhh M ≤ M h

14 14 How to define an abstract model: Given M and , choose S h - a set of abstract states AP – a set of atomic propositions that label concrete and abstract states h : S  S h - a mapping from S on S h that satisfies: h(s) = t only if L(s)=L(t)

15 15 How to define an abstract model: The abstract model M h = ( S h, I h, R h, L h ) s h  I h   s  I : h(s) = s h (s h,t h )  R h   s,t [ h(s) = s h  h(t) = t h  (s,t)  R ] L h (s h ) = L(s) for some s where h(s) = s h This is an exact abstraction

16 16 An approximated abstraction (an approximation ) s h  I h   s  I : h(s) = s h (s h,t h )  R h   s,t [ h(s) = s h  h(t) = t h  (s,t)  R ] L h is as before Notation: M r – reduced (exact) M h - approximated

17 17 Logic preservation M h (exact or approximated) has less states but more behaviors: M h  M therefore: Theorem If  is an ACTL/ACTL* specification over AP, then M h |=   M |=  However, the reverse may not be valid

18 18 Abstraction example Program with one variable x over the integers Initially x may be either 0 or 1 At any step, x may non-deterministically either decrease or increase by 1

19 19 Abstraction example (cont.) Abstraction 1: S h1 = { a –, a 0, a + } a + if s(x)>0 h 1 (s) = a 0 if s(x)=0 a – if s(x)<0 Abstraction 2: S h2 = { a even, a odd } h 2 (s) = if even( |s(x)| ) then a even else a odd

20 20 The concrete model x=0x=1 x=-1 x=-2x=3 x=2 a even a odd Abstraction 2 a0a0 a+a+ a–a– Abstraction 1

21 21 Types of Abstraction  Localization reduction: each variable either keeps its concrete behavior or is fully abstracted (has free behavior) [Kurshan94]  Predicate abstraction: concrete states are grouped together according to the set of predicates they satisfy [GS97,SS99]  Data abstraction: the domain of each variable is abstracted into a small abstract domain [CGL94,LONG94]

22 22 Predicate abstraction Given a program over variables V Predicate P i is a first-order atomic formula over V Examples: x+y < z 2, x=5 Choose: AP = { P 1,…,P k } that includes the atomic formulas in the property  and conditions in if, while statements of the program Labeling of concrete states: L(s) = { P i | s |= P i }

23 23 Abstract model Abstract states are defined over Boolean variables { B 1,...,B k }: S h  { 0,1 } k h(s) = s h  for all 1  j  k : [ s |= P j  s h |= B j ] L h (s h ) = { P j | s h |= B j }

24 24 Example Program over natural variables x, y AP = { P 1, P 2, P 3 } where P 1 = x≤1, P 2 = x>y, P 3 = y=2 AP = { x≤1, x>y, y=2 } L((0,0)) = L((1,1)) = L(0,1)) = { P 1 } L((0,2)) = L((1,2)) = { P 1, P 3 } L((2,0)) = { P 2 }

25 25 Example (cont.) S h  { 0,1 } 3 h((0,0)) = h((1,1)) = h(0,1)) = (1,0,0) h((0,2)) = h((1,2)) = (1,0,1) h((2,0)) = (0,1,0) No concrete state is mapped to (1,1,1) L h ((1,0,0)) = { P 1 } L h ((1,0,1)) = { P 1, P 3 } The concrete state and its abstract state are labeled identically (s h,t h )  R h   s,t [ h(s) = s h  h(t) = t h  (s,t)  R ]

26 26 Computing R h (same example) Program with one statement: x := x+1 ( (b 1,b 2,b 3 ), (b’ 1,b’ 2,b’ 3 ) )  R h   xyx’y’ [ P 1 (x,y)  b 1  P 2 (x,y)  b 2  P 3 (x,y)  b 3  x’=x+1  y’=y  P 1 ( x’,y’ )  b’ 1  P 2 ( x’,y’ )  b’ 2  P 3 ( x’,y’ )  b’ 3 ]

27 27 Traffic Light Example red green yellow M Property:  = AG AF ¬ (state=red) Abstraction function h maps green, yellow to go. red go MhMh M h |=  M |=  

28 28 Traffic Light Example (Cont) If the abstract model invalidates a specification, the actual model may still satisfy the specification.  Property:  = AG AF (state=red)  M |=  but M h |=  red green yellow red go M MhMh  Spurious Counterexample :  red,go,go,... 

29 29 CounterExample-Guided Abstraction-Refinement (CEGAR)

30 30 The CEGAR Methodology T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious

31 31 Generating the Initial Abstraction  If we use predicate abstraction then predicates are extracted from the program’s control flow and the checked property  If we use localization reduction then the unabstracted variables are those appearing in the predicates above

32 32 Example init(x) := 0 next(x) := case : 0; : x + 1; : 0; else : x; esac; init(y) := 1; next(y) := case : 0;  ¬ : y + 1; : 0; else : y; esac; reset=TRUE x < yy=2x=y  = AF x=y AP = { reset=TRUE, x<y, x=y, y=2 }

33 33 Model Check The Abstract Model Given the abstract model M h  If M h |  , then the model checker generates a counterexample trace (T h )  Most current model checkers generate paths or loops  Question : is T h spurious?

34 34 Path Counterexample Assume that we have four abstract states {1,2,3}   {4,5,6}   {7,8,9}   {10,11,12}   Abstract counterexample T h = , , ,     therefore, M |=  T h is not spurious,

35 35 Spurious Path Counterexample T h is spurious failure state The concrete states mapped to the failure state are partitioned into 3 sets

36 36 Refining The Abstraction  Goal : refine h so that the dead-end states and bad states do not belong to the same abstract state.  For this example, two possible solutions.

37 37 Refining the abstraction Refinement separates dead-end states from bad states, thus, eliminating the spurious transition from S i-1 to S i

38 38 The CEGAR Methodology T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious

39 39 Conclusion We defined several types of abstractions We showed how to extract them from the concrete model or from the program text We presented the CEGAR framework for abstraction-refinement

40 40 THE END

Download ppt "1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008."

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.

1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google