Quantitative Abstraction Refinement
Pavol Černý, IST Austria
joint work with Thomas Henzinger, Arjun Radhakrishna
Haifa, Israel, November 2012
Quantitative analysis of programs

Quantitative requirements:
• Resource consumption (energy usage)
• Worst-case execution time, timeliness of response

Application domains:
• (Embedded) software
• (Partial-)program synthesis
Quantitative analysis: Application to partial-program synthesis

Spec: Mutual exclusion on device.

Partial program:

int buf[4];
while (true) {
  buf = getBuffer();
  i = 0;
  while (i < 4) {
    dr = setTransf(buf, i);
    write(device, dr);
    i++;
  }
}

1st correct solution: "Lock inside the loop"

int buf[4];
while (true) {
  buf = getBuffer();
  i = 0;
  while (i < 4) {
    dr = setTransf(buf, i);
    lock(lock);
    write(device, dr);
    unlock(lock);
    i++;
  }
}

2nd correct solution: "Lock outside the loop"

int buf[4];
while (true) {
  buf = getBuffer();
  i = 0;
  lock(lock);
  while (i < 4) {
    dr = setTransf(buf, i);
    write(device, dr);
    i++;
  }
  unlock(lock);
}
Example: Cache behavior for worst-case execution time

a, b, c, i, v: int; input v;
if (v == 1)
  for (i = 0; i < 16; i++) read(a);
else if (v == 2)
  for (i = 0; i < 16; i++) if (i mod 2 = 0) read(b);
else
  for (i = 0; i < 16; i++) if (i mod 4 = 0) read(c);

• No cache: worst-case execution for (v == 1)
• Cache contains address of a: worst-case execution for (v == 2)
• Cache contains address of b: worst-case execution for all other values of v
• Cost of a cache hit < cost of a cache miss
• The abstraction has a cache of limited size
Abstraction

Boolean case: Safety.
What if the abstract system is too coarse? Answer: Abstraction refinement.

Questions for this talk:
Question: How do we perform abstraction with respect to quantitative objectives?
Question: How do we perform abstraction refinement with respect to quantitative objectives?

Based on: Černý, Henzinger, Radhakrishna. Quantitative abstraction refinement. POPL 2013.

Outline
• Quantitative Abstractions
  – State-based abstractions: abstract state = set of states + numbers
  – Segment-based abstractions: abstract state = set of segments + numbers
• Abstraction refinement
Model of systems

Weighted transition systems (WTS) $(Q, \Sigma, \Delta, \delta, q_0)$,
where $\Delta \subseteq Q \times Q$ and $\delta$ is a function from $\Delta$ to $\mathbb{R}$.

A trace is a sequence $q_0 q_1 q_2 \ldots$ where each $(q_i, q_{i+1}) \in \Delta$.
$\delta$ is extended to traces: $\delta(q_0 q_1 q_2 \ldots) = r_0 r_1 \ldots$, where $\delta(q_i, q_{i+1}) = r_i$.

[Figure: example weighted transition system with edge weights 3, 10, 2, 3, 1, 1, 1, 1, 1, 1, 1]
Properties

A quantitative property $f$: a function from systems $S$ to $\mathbb{R}$.
$f_1$ evaluates a trace: $f_1 : \mathbb{R}^\omega \to \mathbb{R}$.
$f_2$ summarizes the values $f_1$ of all traces: $f_2 : 2^{\mathbb{R}} \to \mathbb{R}$.
$f(S) = f_2(\{\, f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \,\})$

Limit-average objective:
$f_1(r_0 r_1 \ldots) = \liminf_{i \to \infty} \frac{1}{i} \sum_{k=1}^{i-1} r_k$
$f_2(U) = \sup U$
On the example system (edge weights 3, 10, 2, 3, 1, 1, 1, 1, 1, 1, 1): $f(S) = 3$.
Discounted-sum objective:
$f_1 : \mathbb{R}^\omega \to \mathbb{R}$, $f_1(r) = \sum_{k=0}^{\infty} \lambda^k r_k$
$f_2 : 2^{\mathbb{R}} \to \mathbb{R}$, $f_2(U) = \sup U$
$f(S) = f_2(\{\, f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \,\})$
Safety objective:
$f_1 : \mathbb{R}^\omega \to \mathbb{R}$, $f_1(r) = \sup_i r_i$
$f_2 : 2^{\mathbb{R}} \to \mathbb{R}$, $f_2(U) = \sup U$
$f(S) = f_2(\{\, f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \,\})$

[Figure: example system for the safety objective; edge weights 0, 0, 0, 0, 1, 0, 10, 0, 0]
Same example, with the discounted-sum evaluation of a trace:
$f_1(r) = \sum_{k=1}^{\infty} \lambda^k \cdot r_k$, $f_2(U) = \sup U$,
$f(S) = f_2(\{\, f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \,\})$
Properties: we consider properties that admit memoryless extremal traces.
(Recap: $f(S) = f_2(\{\, f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \,\})$ with $f_1 : \mathbb{R}^\omega \to \mathbb{R}$ and $f_2 : 2^{\mathbb{R}} \to \mathbb{R}$, on the example system with edge weights 3, 10, 2, 3, 1, 1, 1, 1, 1, 1, 1.)
Abstraction for quantitative (accumulative) properties

• Given a quantitative property $f$, construct $\alpha$ and $f^\alpha$ such that
    $f^\alpha(\alpha(S, \equiv)) \geq f(S)$
  for all systems $S$ and for all equivalence relations $\equiv$,
  where $\alpha(S, \equiv)$ is a WTS whose set of states is given by the equivalence classes of $\equiv$.

[Figure: the example system (edge weights 3, 10, 2, 3, 1, 1, 1, 1, 1, 1, 1) partitioned by $\equiv$]
ExistsMax abstraction

Existential abstraction: weight of an abstract edge = max of the corresponding concrete edges.

[Figure: the example system and its ExistsMax abstraction, abstract edge weights 3, 3, 10, 1]
Lim-avg objective $f$: $f(S) = 3$, but $f_{em}(S_{em}) = 10$.
Refinement of ExistsMax

[Figure: the example system and a refined ExistsMax abstraction, abstract edge weights 3, 3, 10, 2, 1]
Lim-avg objective $f$: $f(S) = 3$, $f_{em}(S_{em}) = 16/3$.
PathBound abstraction

Idea: For more precision, keep facts about paths, not states.
Boolean case: segment-based abstraction [Cousot, Cousot 12; Podelski, Rybalchenko 04].

Facts kept for each abstract state:
  val = max value of an internal edge
  maxp = the longest internal simple path
  minp = the shortest internal simple path
  loop/noloop = is there an internal loop

[Figure: the example system split into two abstract states joined by abstract edges of weight 3 and 3]
Abstract state 1: val = 10, maxp = 2, minp = 2, noloop
Abstract state 2: val = 1, maxp = 4, minp = 3, noloop

Lim-avg objective $f$: $f(S) = 3$
$f_{pb}(S_{pb}) = (10 \cdot 2 + 3 + 1 \cdot 3 + 3) / (1 + 2 + 3 + 1) = 29/7 \approx 4.1$
Monotonicity of refinement

• If $\equiv'$ is a refinement of $\equiv$, it is desirable that:
    $f^\alpha(\alpha(S, \equiv)) \geq f^\alpha(\alpha(S, \equiv'))$

[Figure: the example system under a coarser and a finer partition]

Monotonicity enables anytime verification: the analysis can be stopped at any time and return a sound approximation, and the approximation gets better if the analysis is given more time.
Characteristics of abstractions

ExistsMax is an overapproximation:
    $f_{em}(\alpha_{em}(S, \equiv)) \geq f(S)$
  where $f$ is LimAvg, DiscSum, Safety, Liveness, etc.

ExistsMax is monotonic: if $\equiv'$ is a refinement of $\equiv$, then
    $f_{em}(\alpha_{em}(S, \equiv)) \geq f_{em}(\alpha_{em}(S, \equiv'))$

PathBound is an overapproximation.
PathBound is not monotonic.
Characteristics of abstractions: PathBound is not monotonic (counterexample)

[Figure: concrete system $S$ with edge weights 10, 10, 10, 10, 10, 10, 10, 10, 4, 4]
Lim-avg objective $f$: $f(S) = 48/6 = 8$.

Coarse abstract system:
$f_{pb}(S_{pb}) = (10 \cdot 4 + 4 + 4) / (4 + 1 + 1) = 8$

Finer abstract system:
$f_{pb}(S_{pb}) = (10 \cdot 3 + 10 \cdot 3 + 10 + 4 + 4) / (3 + 3 + 1 + 1 + 1) = 78/9 > 8$

Proposed solution: introduce a hierarchical abstraction so as not to lose the previous estimates.
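The following Python is an added example (mine, not code from the talk or the paper) that makes the PathBound arithmetic above mechanical. It evaluates an abstract cycle of PathBound states from the facts each state keeps (val, minp, maxp, loop): the lim-avg bound is the maximum, over the admissible internal path lengths, of (sum of abstract edge weights + sum of val·length) over (number of abstract edges + sum of lengths). That rule is my reading of the slide's (10·2 + 3 + 1·3 + 3)/(1 + 2 + 3 + 1) and is stated as an assumption, as is the split of the counterexample into two and then three abstract states; the names PathBoundState, cycle_value and the helper functions are mine. It reproduces 29/7 for the PathBound slide and 8 versus 78/9 for the non-monotonicity counterexample.

```python
from fractions import Fraction
from itertools import product
from typing import NamedTuple


class PathBoundState(NamedTuple):
    """Facts kept for one PathBound abstract state (as listed on the slide)."""
    val: int     # max weight of an internal edge
    minp: int    # edges on the shortest internal simple path
    maxp: int    # edges on the longest internal simple path
    loop: bool   # loop/noloop: is there an internal cycle?


def cycle_value(states, external):
    """Lim-avg bound for concrete traces that follow the abstract cycle
    states[0] -external[0]-> states[1] -external[1]-> ... -> states[0].

    Inside abstract state i the concrete path has some length L_i with
    minp_i <= L_i <= maxp_i and weight at most val_i * L_i, so the bound is
        max over L of (sum(external) + sum(val_i*L_i)) / (len(external) + sum(L_i)).
    The ratio is monotone in each L_i, so only the endpoints need checking
    (assumed evaluation rule, reconstructed from the slide arithmetic).  A
    state with an internal loop can also be stayed in forever, so its val
    is a candidate on its own.
    """
    assert len(states) == len(external) >= 1
    best = None
    for lens in product(*[(s.minp, s.maxp) for s in states]):
        num = sum(external) + sum(s.val * L for s, L in zip(states, lens))
        den = len(external) + sum(lens)
        cand = Fraction(num, den)
        best = cand if best is None else max(best, cand)
    for s in states:
        if s.loop:
            best = max(best, Fraction(s.val))
    return best


def pathbound_slide():
    """The two abstract states of the PathBound slide, <10,2,2,noloop> and
    <1,4,3,noloop>, joined by abstract edges of weight 3 and 3."""
    return cycle_value([PathBoundState(val=10, minp=2, maxp=2, loop=False),
                        PathBoundState(val=1, minp=3, maxp=4, loop=False)],
                       external=[3, 3])


def non_monotonic_counterexample():
    """Coarse and refined abstraction of the counterexample slide (the
    concrete system has f(S) = 8).  A state with minp = maxp = 0 is a
    singleton abstract state with no internal edge.  Returns (coarse, fine)."""
    coarse = cycle_value([PathBoundState(val=10, minp=4, maxp=4, loop=False),
                          PathBoundState(val=0, minp=0, maxp=0, loop=False)],
                         external=[4, 4])
    fine = cycle_value([PathBoundState(val=10, minp=3, maxp=3, loop=False),
                        PathBoundState(val=10, minp=3, maxp=3, loop=False),
                        PathBoundState(val=0, minp=0, maxp=0, loop=False)],
                       external=[10, 4, 4])
    return coarse, fine


if __name__ == "__main__":
    print("PathBound slide:", pathbound_slide())        # 29/7
    coarse, fine = non_monotonic_counterexample()
    print("coarse:", coarse, "fine:", fine)             # 8 and 78/9
    assert fine > coarse  # refining the partition made the bound worse
```

Because the bound is a ratio, each abstract state is pushed to its longest path when its val exceeds the running average and to its shortest path otherwise, which is exactly why the refined abstraction, with two high-val states whose connecting edge is unknown, reports a worse bound than the coarse one.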
Hierarchical segment-based abstraction [Cousot, Cousot 2012]
• suitable for software with hierarchical structure: nested loops, function calls

[Figure: hierarchy tree with root "All traces" and children init, Loop1, Loop2, Loop3]
Concatenated segments of the child nodes cover the segments of the parent node.
Hierarchical segment-based abstraction: example program

while (true) {
  j = 0;
  while (j < 10) { if B then costlyOp; B = not B; j++ };
  while (j < 20) { cheapOp; j++ }
}

Costs: costlyOp = 10, everything else = 0.
Overall cost (lim-avg of the concrete program): 5 * 10 / 79.

Control-flow graph, nodes A..J (guards in brackets, statements in parentheses):
A -[true]-> B -(j = 0)-> C
C -[j < 10]-> D,  C -[j >= 10]-> H
D -[B]-> E -(costlyOp)-> F,  D -[not B]-> F
F -(B = not B)-> G -(j++)-> C
H -[j < 20]-> I -(cheapOp)-> J -(j++)-> H
H -[j >= 20]-> A

HPathBound: hierarchy of segments, each node carrying facts <avg, maxp, minp, hasInfPath>

All traces                    <10/5, _, 4, T>
  ABC                         <0, 2, 2, F>
  Loop1                       <10/5, _, 0, T>
    CDEFGC, CDFGC             <10/5, 5, 4, F>
  CH                          <0, 1, 1, F>
  Loop2                       <0, _, 0, T>
    HIJH                      <0, 2, 2, F>
  HA                          <0, 1, 1, F>
Outline
• Quantitative Abstractions
  – State-based abstractions: abstract state = set of states + numbers
  – Segment-based abstractions: abstract state = set of segments + numbers
• Abstraction refinement
Abstraction refinement for ExistsMax

Input: abstract system S_em, concrete system S
Output: refined system X, or a counterexample tecx

ecx ← findMaxCtrex(S_em)
(handle, loop) ← findLoop(ecx)
(R0, X) ← reachHandle(handle, S)
if (R0 = ∅)
  return X
else
  loopPath ← unwind(loop, m)
  (b, tecx, X) ← splitQuant(S_em, loopPath, R0)
  if b then return tecx else return X endif

[Figure: the abstract counterexample ecx as a lasso, a "handle" followed by a "loop"]
Does "handle" correspond to a real path?
Does "loop" correspond to a concrete loop with the same cost?
The loop needs to be unrolled $1 + \min |l_j|$ times, where $l_j$ is the size of an abstract state in the loop.
Abstraction refinement for ExistsMax (continued; same algorithm and lasso figure as above)

Classical CEGAR: two heuristics:
  choice of counterexample
  choice of refinement

Quantitative refinement:
  extremal counterexample
  split where the difference between abstract and concrete transition is largest
Hierarchical segment abstraction refinement

(HPathBound facts as above: All traces <10/5, _, 4, T>; ABC <0, 2, 2, F>; Loop1 <10/5, _, 0, T> with segments CDEFGC, CDFGC <10/5, 5, 4, F>; CH <0, 1, 1, F>; Loop2 <0, _, 0, T> with segment HIJH <0, 2, 2, F>; HA <0, 1, 1, F>.)

Counterexample: a trace (CDEFG)^ω
Remove it by:
• adding B: prevents every iteration from going through costlyOp
• adding loop bounds: forces the trace out of Loop1
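As an added example (mine, not code from the talk or the POPL 2013 paper), the Python below encodes the j/B program from these slides as a weighted transition system, computes the limit-average value $f(S)$ exactly with Karp's algorithm run for the maximum mean cycle (sufficient because extremal traces are memoryless), and builds the ExistsMax abstraction for a chain of partitions. It therefore also illustrates the earlier slides on the lim-avg objective, ExistsMax, overapproximation and monotonicity of refinement. Tracking only the CFG node yields 10/5 = 2, the value of the spurious trace (CDEFG)^ω; adding the predicate B yields 10/9; adding the counter j as well yields the concrete 50/79. The state encoding (node, j, B), the placement of the cost on the edge leaving E, and the function names program_wts, lim_avg, exists_max and refinement_chain are my assumptions.

```python
from fractions import Fraction

COSTLY = 10  # cost of executing costlyOp; every other edge costs 0


def program_wts():
    """Concrete WTS of the example program, explored from its initial state.
    A concrete state is (node, j, B) with CFG nodes A..J as on the slide:
    A -[true]-> B -(j=0)-> C -[j<10]-> D -[B]-> E -(costlyOp)-> F -(B=not B)-> G -(j++)-> C,
    D -[not B]-> F,  C -[j>=10]-> H -[j<20]-> I -(cheapOp)-> J -(j++)-> H,  H -[j>=20]-> A.
    Returns (initial state, list of (src, dst, weight)).  Assumed encoding."""
    def successor(state):
        node, j, b = state
        if node == 'A': return ('B', j, b)
        if node == 'B': return ('C', 0, b)
        if node == 'C': return ('D', j, b) if j < 10 else ('H', j, b)
        if node == 'D': return ('E', j, b) if b else ('F', j, b)
        if node == 'E': return ('F', j, b)          # the costlyOp edge
        if node == 'F': return ('G', j, not b)
        if node == 'G': return ('C', j + 1, b)
        if node == 'H': return ('I', j, b) if j < 20 else ('A', j, b)
        if node == 'I': return ('J', j, b)
        return ('H', j + 1, b)                      # node J

    init = ('A', 0, False)
    edges, seen, s = [], {init}, init
    while True:  # deterministic program: follow the single run until a state repeats
        t = successor(s)
        edges.append((s, t, COSTLY if s[0] == 'E' else 0))
        if t in seen:
            return init, edges
        seen.add(t)
        s = t


def lim_avg(init, edges):
    """f(S) for the limit-average objective with f2 = sup: the maximum
    mean-weight cycle reachable from init, computed exactly with Karp's
    algorithm adapted to the maximum (the talk's benchmark runs it for the
    minimum).  D[k][v] = max weight of a walk of exactly k edges from init
    to v; None stands for -infinity (no such walk)."""
    states = sorted({s for u, v, _ in edges for s in (u, v)}, key=repr)
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    D = [[None] * n for _ in range(n + 1)]
    D[0][idx[init]] = 0
    for k in range(1, n + 1):
        for u, v, w in edges:
            du = D[k - 1][idx[u]]
            if du is None:
                continue
            if D[k][idx[v]] is None or du + w > D[k][idx[v]]:
                D[k][idx[v]] = du + w
    best = None
    for v in range(n):
        if D[n][v] is None:
            continue
        ratio = min(Fraction(D[n][v] - D[k][v], n - k)
                    for k in range(n) if D[k][v] is not None)
        if best is None or ratio > best:
            best = ratio
    return best


def exists_max(init, edges, h):
    """ExistsMax abstraction for the partition induced by h: one abstract
    state per class h(q); the abstract edge (h(u), h(v)) exists when some
    concrete edge u -> v exists and carries the max of those weights."""
    weight = {}
    for u, v, w in edges:
        key = (h(u), h(v))
        weight[key] = max(w, weight.get(key, w))
    return h(init), [(a, b, w) for (a, b), w in weight.items()]


def refinement_chain():
    """Lim-avg values along a chain of refinements: CFG node only,
    node + B, and the concrete system (node + B + j)."""
    init, edges = program_wts()
    by_node = lim_avg(*exists_max(init, edges, lambda s: s[0]))
    by_node_b = lim_avg(*exists_max(init, edges, lambda s: (s[0], s[2])))
    concrete = lim_avg(init, edges)
    return by_node, by_node_b, concrete


if __name__ == "__main__":
    coarse, mid, exact = refinement_chain()
    print("nodes only     :", coarse)  # 2 = 10/5: (CDEFG)^w is feasible in the abstraction
    print("nodes + B      :", mid)     # 10/9: costlyOp at most every other iteration
    print("concrete (+ j) :", exact)   # 50/79, the overall cost stated on the slide
    assert coarse >= mid >= exact      # overapproximation and monotonicity of ExistsMax
```

The three values decrease along the chain, which is the monotonicity property of ExistsMax stated earlier, and each stays above the concrete 50/79, which is the overapproximation property; the first refinement step (adding B) is the one that removes the abstract counterexample (CDEFG)^ω, because in the abstraction that tracks B the costlyOp edge can only be taken every other iteration.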
Hierarchical segment abstraction refinement: after adding B

HPathBound facts <avg, maxp, minp, hasInfPath>:

All traces                    <10/9, _, 4, T>
  ABC                         <0, 2, 2, F>
  Loop1                       <10/9, _, 0, T>
    CDEFGC                    <10/5, 5, 5, F>
    CDFGC                     <0, 4, 4, F>
  CH                          <0, 1, 1, F>
  Loop2                       <0, _, 0, T>
    HIJH                      <0, 2, 2, F>
  HA                          <0, 1, 1, F>

Counterexample: a trace (CDEFG)^ω
Removed by adding B: prevents every iteration from going through costlyOp.
Hierarchical segment abstraction refinement: adding loop bounds

(HPathBound facts as before refinement: All traces <10/5, _, 4, T>; ABC <0, 2, 2, F>; Loop1 <10/5, _, 0, T> with segments CDEFGC, CDFGC <10/5, 5, 4, F>; CH <0, 1, 1, F>; Loop2 <0, _, 0, T> with segment HIJH <0, 2, 2, F>; HA <0, 1, 1, F>.)

Counterexample: a trace (CDEFG)^ω
Remove it by adding loop bounds: forces the trace out of Loop1.
Hierarchical segment abstraction refinement: after adding loop bounds (tracking j' = j + 1)

HPathBound facts <avg, maxp, minp, hasInfPath>:

All traces                    <100/54, _, 4, T>
  ABC                         <0, 2, 2, F>
  Loop1                       <10/5, 50, 40, T>
    CDEFGC, CDFGC             <10/5, 5, 4, F>
  CH                          <0, 1, 1, F>
  Loop2                       <0, _, 0, T>
    HIJH                      <0, 2, 2, F>
  HA                          <0, 1, 1, F>

Counterexample: a trace (CDEFG)^ω
Removed by adding loop bounds: forces the trace out of Loop1.
Experimental results

Example: Worst-case execution time analysis (the cache example)

a, b, c, i, v: int; input v;
if (v == 1) for (i = 0; i < 16; i++) read(a);
else if (v == 2) for (i = 0; i < 16; i++) if (i mod 2 = 0) read(b);
else for (i = 0; i < 16; i++) if (i mod 4 = 0) read(c);

step  tracked  lim-avg value  analysis time
0     -        14.14          1240
1     i        6.50           2102
2     a        4.87           2675
3     b        4.75           3275
4     c        1.27           3864
5     v        1.03           4631
Example: Binary search

while (true) {
  input(s);
  l = 0; r = N - 1;
  do {
    m = (l + r) / 2;
    if (s > a[m]) l = m + 1; else r = m - 1;
  } while (l <= r && a[m] != s);
}

Worst-case execution time analysis

step  tracked         lim-avg value  analysis time
0     -               15.77          908
1     m               11.15          1130
2     r               8.23           1369
3     l               5.0            1707
4     s               3.76           1895
5     a[(N - 1)/2]    3.0            2211
6     a[(N - 3)/4]    2.97           2527
7     a[(3N - 1)/4]   2.85           3071
ExistsMax vs PathBound

Partition size  ExistsMax lim-avg value  PathBound lim-avg value
2               25                       24.99
3               25                       23.82
5               25                       17.31
9               25                       4.43
Example: Karp's algorithm for finding the min-mean cycle.

unsigned int graph[SIZE][SIZE];
unsigned int D[SIZE + 1][SIZE];

int main() {
  int k, v, u;                                    /* declarations not on the slide */
  unsigned int vNum, vDen, currNum, currDen;
  initialize(D);                                  /* not shown on the slide */
  D[0][0] = 0;
  /* D[k][u]: extremal weight of a walk with exactly k edges ending in u */
  for (k = 1; k <= SIZE; k++) {
    for (v = 0; v < SIZE; v++) {
      for (u = 0; u < SIZE; u++) {
        if (D[k][u] < D[k - 1][v] + graph[u][v])
          D[k][u] = D[k - 1][v] + graph[u][v];
      }
    }
  }
  /* Karp's ratio: for each v, min over k of (D[SIZE][v] - D[k][v]) / (SIZE - k),
     then the maximum over v; fractions are kept as numerator/denominator pairs */
  vNum = 0; vDen = 1;
  for (v = 0; v < SIZE; v++) {
    currNum = 1000000000; currDen = 1;
    for (k = 0; k < SIZE; k++) {
      if ((D[SIZE][v] - D[k][v]) * currDen < (SIZE - k) * currNum) {
        currNum = D[SIZE][v] - D[k][v];
        currDen = SIZE - k;
      }
    }
    if (currNum * vDen > currDen * vNum) {
      vNum = currNum;
      vDen = currDen;
    }
  }
}
Conclusion

• Contributions
  – Framework for abstractions for quantitative (accumulative) properties
  – State-based and segment-based abstractions
  – Counterexample-guided abstraction algorithm
  – Hierarchical segment-based abstraction and refinement
• Future work
  – Quantitative reasoning for CEGAR in Boolean systems
  – Application to partial-program synthesis