Predicate Abstraction

Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)

Abstract state space exploration Approximation  1 : all reachable states are monomials. Where

Least upper bound on lattice L length of longest chains

Abstract state space exploration Approximation  2 : strongest invariant of by allowing approximation to be boolean expressions on B 1 … B l and applying only on canonical monomials ( B 1 … B l ) representing a single state

where

Abstract state space exploration Canonical monomial : the set of atoms of M the set 2 l over B 1 … B l Note: –Boolean expressions on B 1 … B l = arbitrary elements of Q k

Complexity of  1 and  2 Complexity of computation: –The number of necessary proofs –Successor of exp A  K=2*p*l*1 2: B.1 – B.2 P: number of transitions L: number of predicates 1: enabledness

Complexity of  1 and  2 Computation of  1 : –Needs maximally l*k proofs Computation of  2: –Worst case 2 l * k proofs (all successors computed)

Computation of  2 Much better in practice –Some  j leave  I unchanged (or transform  I independently) –Only a small subset of all abstract states is reachable –  1 …  I need not be independent  not all 2 l canonical monomials represent a non-empty set of concrete states –Dependency predicate : consider only non- spurious abstract states

Improvements of the computed invariants Use backwards analysis: where

Improvements of the computed invariants Approximations y j –are arbitrary predicates of the concrete property lattice and not necessarily boolean combinations of  1 …  I Abstract backwards analysis –Would require a lower approximation of

Construction of the abstract state graph Computation of a successor: require several proofs –Only a small abstract state (few thousand) can be explored –Additional cost of storing transitions is almost negligible

Advantages of storing the abs. state graph Use model checker to verify any temporal logic formula on atomic proposition on B 1 … B l without existential quantifier over executions Precise global control flow graph –Especially if guards of the program are boolean combination over  I –Stronger structure invariants than for initial control structure  used to improve backwards analysis

Refinement of the abstract state graph Add more predicates to  1 …  I : deduced form –The so far constructed transition relation –See later: abstraction refinement (done in an incremental way)

Given exp A and B new Not all implications in (3) have to be checked Only the new ones and those which could not be proved valid during the computation of the successors of exp A

When to add If the abstract state space exploration by using does not allow to verify some property Construct more precise abstraction by adding new predicates

Implementation Overview Invariant checker tool impliments: –1)backwards computation of inductive invariants (true in initial state and preserved by transitions) –2) generation of structural invariants (preserved by system structure) –3) abstract state graph generation (added)

Integration with PVS All implications (3) submitted to PVS Proof strategy combining decision procedures, rewriting and boolean simplification using BDDs is systematically applied

Abstract state Is a tuple (ctrl, ) where: ctrl ---- is a concrete control configuration ---- is a valuation of a set of boolean vars B 1 … B l

Dependency predicate Given {  1 …  I } an upper approximation of a dependency predicate is computed and used to generate successors Exact computation if {  1 …  I } can be divided using syntactical independency into a set of small sets of potentially dependent predicates

Auxiliary invariants Generated using initial control structure where Q k control configuration of a system consisting of several parallel components are considered reachable

Abstract state graph The invariant is a conjunction of –Already known invariants in the system relevant for the transition under study –  is used to smaller successors by replacing (3) by weaker ones –Only implication compatible with dependency predicate and not already computed are generated

Reachability algorithm (Defs) For simplicity : shown for systems without explicit control locations –Based on Q A and over B 1 … B l,can be implemented with BDDs Abstract invariant : by analysis of dependencies between  1 …  I

Reachability algorithm (Defs) Concrete invariant  : generated using the facilities of the tool Constraints Ctau[i](B 1 … B l, B’ 1 … B’ l ): for each  i by static analysis –E.g. which predicates  j are not touched => B’ j = B j

Reachability algorithm (Defs) Abstract predicate Aguard[i]=  ’(g i ): generated for each  i –  1 …  I are chosen such that Aguard[i] is exactly the guard of  i AReach: the so far computed set of reachable states (invariant at the end)

Reachability algorithm (Defs) Atau[i]: at each stage an upper approximation of To_explore: auxiliary variable representing the set of states for which we have to compute the successors

Reachability algorithm Initializations: AInit:=  ’(init); For all i: Atau[i]:= AReach := AInit; To_explore := AInit; Iteration: While To_explore != false choose m in To_explore; To_explore:= To_explore  m; if m=> Aguard[i] then SEE NEXT PAGE ATau[i]:= ATau[i]  ( ) To_explore := To_explore  (succ   AReach); AReach := AReach  succ;

Choice of the Predicates  i Use guards in the transitions the system: –Allows to construct successors only via transitions enabled in all represented concrete states –Replaces enabledness checks (3.0) by boolean tests. To prove that  is an invariant –One can also try to use  for the definition of the abstract state space

Choice of the Predicates  i Split each predicate into its set of literals (atomic pred.) –E.g. use  1 = (out =in) and Choice of the Predicates  2 = (out= tail(in)) instead of  1 v  2 Alternating bit protocol example: verified that:□(out =in V out= tail(in) ) List of already received messages Out is a prefix of the list of messages sent so far In

Alternating bit protocol verification Verified correctness :□(out =in V out= tail(in) ) –Already received message Out is prefix of messages sent so far : In Using implemented backward computation: –The computation of the appropriate inductive invariant does not terminate –The computation of structual invariants does not generate interesting results

Alternating bit protocol verification Using the two predicates as  1 and  2 : –Deterministic graph is generated –34 decidable implications –5 abstract states –68s

Alternating bit protocol verification Obtaining more precise approximation: –  3 = message (message_channel) = head(In) –Internal predicate –Last sent message is the head of In --  same graph but all states satisfy either In=Out or out=tail(In) Use abstract state graph to generate stronger structural invariants –Apply strengthening backward computation-  (6) proved

Bounded retransmission protocol Extension of ABP: –Message pockets are sent, retransmitted bounded by max per message. Full parameterized version of BRP: –Pockets can be of any size –Max can be any positive number –Proven so far by hand –Large amount of user interaction

Protocol description Sending client sender ack mess receiver Receiving client

Protocol description Sender: receive message pocket from client Delivers confirmation to client –OK all messages are transmitted –Not_OK -----transmission has been aborted –DON’T_KNOW ----last message not acknowledged

Protocol description Receiver: acknowledge each received message Delivers indication to the receiving client –First –1st message received –OK –last message received –Incomplete --- for any intermediate messages –NOT_OK ---transmission aborted

Protocol description Timers T 1,T 2 : –T 1 ---message has been lost –T 2 ---transmission ahs been aborted

Correctness Verification: As for ABP –19 predicates from guards  Abstract state graph: 475 states, 685 transitions, 3 hours