Using 3-Valued Models in Abstraction-based Model Checking

Using 3-Valued Models in Abstraction-based Model Checking

Seminar in Formal Verification

Spring 2006

Presented by Alik Zamansky

References

On the Expressiveness of 3-Valued Models Patrice Godefroid and Radha Jagadeesan, 2003

Abstraction-based Model Checking using Modal Transition Systems Patrice Godefroid, Michael Huth, and Radha

Jagadeesan, 2001

Abstraction-based Model Checking (reminder)

Extract an abstract model A out of a program C Automatically, by a static analysis of the code

Analyze the model using model-checking techniques Check whether A satisfies some property φ

Transfer the result to the original program C

Can be complete, but is generally unsound Reports spurious errors

3-Valued Models: Motivation

3-valued models introduce some elements of uncertainty E.g. “unknown” truth value or uncertain transactions

between states They can be used in model checking to guarantee

both completeness and soundness A formula evaluating to true or false on an abstract

model holds (does not hold) on the concrete system If the result is “unknown”, a more complete (i.e. less

abstract) model is required

Outline

3-valued modeling formalisms PKS, MTS and KMTS Equal expressiveness

Translation from PKS to MTS Translation from MTS to KMTS

Summary and conclusions of paper 1 Relational abstraction and implementations

Predicate abstraction Predicate-Cartesian abstraction Summary and conclusions of paper 2

Partial Kripke Structures (PKS)

A Kripke structure whose atomic prepositions can have a third truth value ┴ (“unknown”)

A standard Kripke structure is a special case of PKS Formally, a tuple (S, P, →, L)

S : a set of states P : a set of atomic prepositions → S x S : a transition relation on S L : S x P → { true, , false} : associates a truth value

with each atomic preposition in P for each state in S

Partial Kripke Structures (cont’d)

p q : true if p = true and q = true false if p = false or q = false otherwise

p : true if p = false false if p = true if p =

p q = (p q)

Propositional Modal Logic (PML)

Propositional logic extended with the modal operator AX (“for all immediate successors”)

Syntax: φ ::== p I φ I φ1φ2 I AXφ

Semantics for 3-valued PML: [(M,s)φ] [(M,s)p] = L(s,p)

[(M,s)φ] = comp([(M,s)φ])

[(M,s)φ1φ2] = [(M,s)φ1] and [(M,s)φ2]

[(M,s)AXφ] = ss’ [(M,s’)φ]

Modal Transition Systems (MTS)

MTS is a tuple (S, Σ, →must , →may) S : a set of states Σ : a set of action symbols →must, →may S x Σ x S : transition relations →must →may (must-transitions are also may-transitions)

MTS therefore: Is a Labeled Transition System (LTS) with two types of

transitions instead of one Reasoning about the existence of transitions can be

viewed as reasoning with a 3-valued logic

MTS – Example

A specification of a slot machine must-transitions: fixed behavior may-transitions: uncertain behavior

inactive

winning

active

reset

must

winCoin

must

winAnotherCoin may

acceptCoin must

loseCoin may

PMLAct (3-valued PML for MTS)

Syntax: φ ::== tt I φ I φ1φ2 I (α)φ (for some αΣ)

Semantics: [(M,s)φ] [(M,s)tt] = true

[(M,s)φ] = comp([(M,s)φ])

[(M,s)φ1φ2] = [(M,s)φ1] and [(M,s)φ2]

[(M,s)(α)φ] = true if (s, α, s’) →may : [(M,s’)φ] = true

false if (s, α, s’) →must : [(M,s’)φ] = false

otherwise

Kripke Modal Transition Systems

KMTS combines features of both PKS and MTS Is a tuple: (S, P, →must , →may , L)

S : a set of states P : a set of atomic prepositions →must, →may S x S : transition relations (→must →may) L : S x P → { true, , false} : associates a truth value

with each atomic preposition in P for each state in S KMTS generalizes PKS

PKS is a KMTS where →must = →may

3-valued PML for KMTS

Syntax: same as for the 3-valued PML Semantics: [(M,s)φ]

[(M,s)p] = L(s,p)

[(M,s)φ] = comp([(M,s)φ])

[(M,s)φ1φ2] = [(M,s)φ1] and [(M,s)φ2]

[(M,s)AXφ] = true if s’: (s, s’) →may [(M,s’)φ] = true

false if s’: (s, s’) →must [(M,s’)φ] = false

otherwise

Translation from PKS to MTS

For a PKS M = (S, P, →, L) we define an equivalent MTS M’ = (S’, Σ, →must , →may): S’ = S U {snew } Σ = P U {x} →must = {(s, p, snew ) I L(s,p) = true} U {(s, x, s’) | ss’ }

→may = {(s, p, snew ) I L(s,p) {true,}} U {(s, x, s’) | ss’ }

Translation complexity: Input PKS is of the size O(I→I + ISI·IPI) Output MTS: O(I→mustI + I→mayI) = O(I→I + ISI·IPI) I.e., linear in the size of the input

Translation from PML to PMLAct

φ: a PML formula defined on PKS M

T(φ): an equivalent PMLAct formula on MTS M’ defined by applying recursively the following rules: For all p P, T(p) = (p)tt = (p)tt T(φ) = T(φ) T(φ1φ2) = T(φ1) T(φ2) T(AXφ) = (x)T(φ) (x Σ )

Theorem: [(M,s)φ] = [(M’,s)T(φ)]

PKS to MTS – Example

s0

s1

s2

p = false q = true

p = true q =

p = true q = true

M

[(M,s0) AXq ] = [(M’,s0) (x)(q)tt ] = [(M,s0) AXAXq ] = [(M’,s0) (x)(x)(q)tt ] = true

M’

s0

s1

s2

snew

q

must

x

must

x

must

x must

p must

q may

p must

q must

x must

Translation from MTS to KMTS

For a MTS M = (S, Σ, →must , →may) we define an equivalent KMTS M’ = (S’, P, →must’ , →may’, L): S’ = S Σ P = Σ →must’ = {((s,α),(s’,α’)) I (s, α’, s’) →must } →may’ = {((s,α),(s’,α’)) I (s, α’, s’) →may } (s,α) S’: p P:

L((s,α),p) = true if p = α L((s,α),p) = false otherwise

Translation complexity is linear The number of states is ISI·IΣI – linear for fixed Σ

Translation from PMLAct to PML

φ: a PMLAct formula defined on MTS M T(φ): an equivalent PML formula on KMTS M’

defined by applying recursively the following rules: T(tt) = true T(φ) = T(φ) T(φ1φ2) = T(φ1) T(φ2) T((α)φ) = AX((α) T(φ)) (i.e. AX(αT(φ)) )

Theorem: [(M,s)φ] = [(M’,(s,α))T(φ)] for any α Σ

MTS to KMTS – Example

standing

walking

running

SU

SD

SUSD

SU SU

M

SU – Speed up, SD – Slow down – a must-transition ; – a may-transition

M’

standing,SD

walking,SD

running,SD

running,SU

walking,SU

standing,SU

SU = true SD = false

SU = true SD = false

SU = false SD = true

SU = false SD = true

SU = true SD = false

SU = false SD = true

MTS to KMTS – Example (cont’d)

Q1: [(M,standing) (SD)tt ] = ? false (can be written as (SD)tt )

Q2: how to ask this in PML on KMST? [(M’,(standing,SD)) (AX(SD false)) ] = ? [(M’,(standing,SU)) (AX(SD false)) ] = ?

Q3: [(M,running) (SU)tt ] = – why? Q4: [(M,walking) (SD)(SU)tt ] = ?

[(M’,(walking,SU)) AX(SD AX(SU true)] = [(M’,(walking,SD)) AX(SD AX(SU true)] = true

Summary and Conclusions – I

Translation from KMTS to PKS also exists The construction is somewhat more complicated

The three 3-valued models are equally expressive Yet, both PKS and MTS are useful: state vs behavior

This result holds not only for PML, but also for PML with fixpoint operators, i.e. the -calculus And therefore, it holds for LTL, CTL and CTL*

All translations require only linear time Thus, 3-valued model checking for any temporal logic

and any 3-valued formalism takes the same time

Simulation – reminder

Consider a program C represented by LTS LTS is a tuple K = (ΣK,Act,→); ΣK is a set of states, Act

is a set of action symbols and → is a transition relation Suppose that A is an abstract LTS generated from C A is usually constructed so that the initial states of A

and C are related by a simulation Simulation (definition):

A relation ρ ΣCΣA is a simulation iff for any c ρ a and c →α c’ there is some a’ΣA such that a →α a’ and c’ ρ a’. c ρ a means (c,a) ρ , and c →α c’ stands for (c,α,c’) →

Simulation – example

Note: C and A are LTSs, not MTSs as in the similar example shown earlier, there are no may-transition here!

standing’ moving

SU

SD

SU

SD

C: A:

ρ = {(standing, standing’), (walking, moving), (running, moving) }

standing

walking

running

SU

SD

SUSD

Refinement

MTS can be defined as a pair K = (Kmust, Kmay): Kmust = (ΣK,Act,→must) and Kmay = (ΣK,Act,→may) are two

LTSs such that →must →may Refinement: An MTS A1 is a refinement of an MTS

A2 if there exists a relation ρ ΣA1ΣA2

such that:

ρ is a simulation from A1may to A2

may

ρ is a simulation from A2must to A1

must

We write A1A2 that means: A1 is a refinement of A2

A2 is an abstraction of A1

Relational Abstraction

A tool to specify an abstract MTS, given: An MTS A1 = (A1

must, A1may)

A set of abstract states ΣA2

A total relation ρ ΣA1ΣA2

We define A2 = (ΣA2 , Act, →must , →may):

a2 →αmust a’2 iff for all a1ΣA1

with a1 ρ a2 there exists a’1ΣA1

such that a’1 ρ a’2 and a1 →αmust a’1

a2 →αmay a’2 iff there exists a1ΣA1

and a’1ΣA1 such that a1 ρ

a2 , a’1 ρ a’2 , and a1 →αmay a’1

Lemma: A2 is an MTS and an abstraction of A1

Relational Abstraction – Example

A1 is an LTS (i.e., an MTS with A1may = A1

must): Its infinite state space is given by all possible valuations

of three integer variables x, y, z Any state c is of the form {x=i, y=j, z=k} Transitions in A1 are those induced by x := z

I.e., there is a transition from c to c’ = {x=k, y=j, z=k }

A fragment of A1:

{1,2,3} {3,2,3}x := z

x := z

{0,2,3} x := z …

Rel. Abstraction – Example (cont)

Consider the following three predicates: φ1 = odd(x) , φ2 = (y > 0) , φ3 = (z < 0)

Induce an equivalence relation on the states of A1

States are equivalent if they agree on all 3 predicates

Let ΣA2 contain all equivalence classes of states of A1

States of A2 are boolean formulae built from the φi ’s.

A fragment of A2: may

(φ1φ2φ3)(φ1φ2φ3)(φ1φ2φ3)

(φ1φ2φ3)must

may

Predicate Abstraction

Collapses an infinite-state LTS into a finite-state MTS By choosing finitely many quantifier-free formulae of

first-order logic Φ = {φ1 , φ2 , … , φn }

Abstract states: Are build out of monomials over predicates Are represented by binary vectors of length n Given a binary vector b{0,1}n, <b,Φ> is a monomial

whose i-th conjunct is φi if bi =1, and φi otherwise

Predicate Abstraction – definition

Given an LTS S and Φ = {φ1 , φ2 , … , φn }

We want to build a finite-state abstract MTS BΦ

In order to use the relational abstraction, we need a total relation ρ and a set of abstract states ΣBΦ

We use the following definition: ρ = ρb Σs {0,1}n, where s ρb b iff s <b,Φ>

ΣBΦ = { b {0,1}n I s ρb b for some sΣs } (which makes ρb total)

post() and pre() operators

Let us present definitions useful for implementing may- and must-successors of a predicate abstraction Defined for a predicate η on a set Σs of states, for a

label α Act

postα(η) = { s’ Σs I sΣs : s η , s →α s’ }

A set of states to which there exists a transition α from states where η is true

preα(η) = { s Σs I s’Σs : s →α s’ implies s’ η }

A set of states from which all α transitions lead to states where η is true

Implementing successors

Let ψ be is a boolean combination of {φ1 ,φ2 , … ,φn }

may-successors of ψ: next(ψ)b

may = { b’ΣBΦ : post(ψ) <b’,Φ> is satisfiable }

post(ψ) <b’,Φ> means states that can be reached from ψ

must-successors of ψ: next(ψ)b

must = { b’ΣBΦ : ψ pre(<b’,Φ>) is unsatisfiable }

ψ pre(<b’,Φ>) means states where ψ is true and from which we can reach states where <b’,Φ> is not true

Soundness and Completeness

Theorem: b →may b’ in BΦ iff b’ next(<b,Φ>)b

may

b →must b’ in BΦ iff b’ next(<b,Φ>)bmust

Reminder: a2 →α

may a’2 iff there exists a1ΣA1 and a’1ΣA1

such that a1 ρ a2 , a’1 ρ a’2 and a1 →αmay a’1

a2 →αmust a’2 iff for all a1ΣA1

with a1 ρ a2 there

exists a’1ΣA1 such that a’1 ρ a’2 and a1 →α

must

a’1

Completeness is relative to the theorem prover

may

must

a2 a’2

a’2a2

a’1

a’1

Computational Cost

In the paper it is shown that both next(ψ)bmay and

next(ψ)bmust can be computed using BDDs

Since there are 2n boolean vectors b’, we should make 2n calls to the theorem prover for a single ψ

We have n predicates and, therefore, 2n boolean combinations ψ of {φ1 ,φ2 , … ,φn }

Thus, computing all may transitions (i.e. next(ψ)bmay

for all ψ’s) takes 22n calls to the theorem prover

Same is for all must transitions in BΦ

Predicate Abstraction is not Incremental

Example (revisited): φ1 = odd(x), φ2 = (y>0), φ3 = (z<0) Suppose that we have Φ = {φ2 , φ3 } first

BΦ has four states, each with a must-transition to itself

Now we add φ1 to Φ There is no must-transition from φ1 φ2 φ3 in BΦ The information about y is lost

No transition that guarantees there is no change in y However, there is a must-transition from φ1 φ2 φ3 to the

disjunction (φ1 φ2 φ3 ) (φ1 φ2 φ3 ) Computing transitions to such states is too expensive

22n possible states for n predicates

Predicate-Cartesian Abstraction (1)

Motivation: Predicate abstraction is not incremental Adding a new predicate may not yield a refinement

The idea: Replace sets of tuples by a tuple of sets E.g., replace {<0, 1>, <1, 1>} by {<,1>} ( – a wildcard)

Formally: Given Φ = {φ1 ,φ2 , … ,φn } and a “tri-vector” c {0,1,}n

<c,Φ> is a monomial whose i-th conjunct is φi if ci =1, φi if ci =0, and true otherwise

Predicate-Cartesian Abstraction (2)

The formal definition of ρ and ΣCΦ :

ρ = ρc ρb Σs {0,1,}n

b ρc c iff i {1..n } : [ci ≠ ci = bi ]

ΣCΦ = { c {0,1,}n I b ρc c for some bΣBΦ

}

This makes ρc total

The symbol means “don’t care”

s ( ρc ρb ) c iff s <c,Φ>

Easy to show, by construction

Example (revisited)

Our example: φ1 = odd(x), φ2 = (y>0), φ3 = (z<0)

s = (5, 2, 3) , s Σs

s ρb b for b = (110)

Recall: b ρc c iff i {1..n } : [ci ≠ ci = bi ]

ρc = {(110, 110), (110, 10), (110, 10), (110, 11), (110, 0), (110, 1), (110, 1), (110, ), … }

ρc ρb = { (s, 110), (s, 10), (s, 10), (s, 11), (s, 0), (s, 1), (s, 1), (s, ), … }

Example (cont’d)

BΦ (a fragment)

010

110

maymay

may

may 110

010

10 maymay

may

may

must

must

must

may

may

CΦ (a fragment)

Example (cont’d)

Why s ( ρc ρb ) c iff s <c,Φ> ?

For example: (s,10) ρc ρb iff s φ1 true φ3

(s,10) ρc ρb s ρb b for b = 100 or 110 either

s φ1 φ2 φ3 or s φ1 φ2 φ 3 s φ1 true

φ3

Incremental Refinement

Theorem: If Φ = {φ1 ,φ2 , … , φn } and Ψ = Φ { φn+1 , φn+2 , … , φn+m }

Then the MTS CΨ is a refinement of the MTS CΦ

The refinement relation ρ is given by: ρ ΣCΨ

ΣCΦ = { (c’,c) | c is a prefix of c’ }

Intuitively, newly-added predicates replace “don’t care”s.

This is not the case for predicate abstraction

Implementing successors

Similar to the case with the predicate abstraction Let ψ be is a boolean combination of {φ1 ,φ2 , … ,φn } may-successors of ψ:

next(ψ)cmay = { c’ΣCΦ

: post(ψ) <c’,Φ> is satisfiable }

must-successors of ψ: next(ψ)c

must = { c’ΣBΦ : ψ pre(<c’,Φ>) is unsatisfiable }

Both next(ψ)cmay and next(ψ)c

must can be computed using Ternary Decision Diagrams (TDDs) TDDs are like BDDs, but with 3 values (children)

Soundness, Completeness and Cost

Theorem: c →may c’ in CΦ iff c’ next(<c,Φ>)c

may

c →must c’ in CΦ iff c’ next(<c,Φ>)cmust

Completeness is relative to the theorem prover Computational cost:

We have n predicates and, therefore, 3n ternary combinations ψ of {φ1 ,φ2 , … ,φn }

For each ψ it takes 3n calls to the theorem prover Thus, computing next(ψ)c

may and next(ψ)cmust for all ψ’s

takes 32n calls to the theorem prover (each)

Summary and Conclusions – II

We showed a framework for automatic program abstraction based on MTSs Can be used for model-checking any formula of the

modal -calculus Both soundness and completeness are guaranteed

Predicate Cartesian abstraction allows incremental refinement, unlike the predicate abstraction Though it does not have a significant cost overhead

3-valued model checking on MTSs can be reduced to two traditional model checking problems on LTSs

Thank you!