3-Valued Abstraction and 3-Valued Model-Checking
Abstraction
- Abstraction: an effective technique to combat the state explosion problem
  - approximate sets of concrete states by an abstract state
  - approximate sets of concrete transitions by an abstract transition
- Using 2-valued logic (over-approximation)
  - False variables represent the "unknown" value
  - True transitions represent possible behaviour
- Example: r(s0,1) = T ⇒ r(s0) = T, but p(s0,1) = F ⇒ ?
[Figure: concrete model with states s0 (p, ¬q, r), s1 (¬p, ¬q, r), s2 (p, q, ¬r); the abstract model merges s0 and s1 into s0,1, labelled only r because p differs between them, and keeps s2 (p, q, ¬r)]
Abstraction, Cont'd
- Using 2-valued logic
  - False variables represent the "unknown" value
  - True transitions represent possible behaviour
- What transfers from the abstract state s0,1 to the concrete state s0:
  - AX(r ∨ p)(s0,1) = T ⇒ AX(r ∨ p)(s0) = T
  - AX r(s0,1) = F ⇒ ?
  - EX(r ∧ p)(s0,1) = F ⇒ EX(r ∧ p)(s0) = F
  - EX r(s0,1) = T ⇒ ?
[Figure: the same concrete model (s0, s1, s2) and its 2-valued abstraction (s0,1 and s2) as on the previous slide]
Abstraction, Cont'd
- Soundness:
  - only with respect to True universal properties
    - for existential properties, use under-approximation
  - for False properties:
    - play the counterexample on the concrete model to determine whether it is spurious
    - use counterexample-based abstraction refinement
3-valued abstraction
- Goals:
  - reason about mixed (universal and existential) properties
  - not have to tell which counterexamples are spurious
  - not have an increase in state space when compared to 2-valued abstraction
  - use the counterexample for abstraction refinement
- Outline:
  - 3-valued logic, properties, model-checking
  - 3-valued abstractions
  - abstraction refinement
Logic: 3-valued Kleene logic
- Logic order: F ⊑ M ⊑ T
- Properties:
  - A ∧ B = min(A, B)
  - A ∨ B = max(A, B)
  - ¬T = F, ¬F = T, ¬M = M
- Preserves:
  - commutativity, associativity, idempotence, De Morgan laws
- Does not preserve:
  - law of excluded middle: A ∨ ¬A = T (top)
  - law of non-contradiction: A ∧ ¬A = F (bottom)
[Figure: the logic order drawn as a chain, T above M above F]
Note
- 3-valued logic forms a lattice
  - ordering ⊑: less than or equal
  - meet operation ⊓: min
  - join operation ⊔: max
  - negation ¬: horizontal symmetry of the chain T, M, F
- This is an example of a quasi-boolean algebra
- Equality and identity are different!
  - a ⇔ b is an operator of the logic whose result is itself a logic value (it is M when a = b = M)
  - a = b is identity of the two values
Logic, Cont'd
- Information order: M ⊑ T and M ⊑ F, with T and F incomparable
  - M contains the least amount of information
  - T, F contain the maximum amount of information
  - if one refines M, it can change to T or to F, or stay at M
Overview of MV Model Checking
[Figure: a SW/HW artifact goes through model extraction to a model of the system (an MV-model); the correctness properties are translated into temporal logic (MV-logic); both are input to the MV-model checker, which returns a yes/no answer to "Correct? How correct?"]
Multi-valued state machines: χKripke structures
- Extension of conventional state machines (Kripke structures)
  - variables take any value from the logic (T, F, M)
  - transitions between states take any value from the logic
    - False transitions are not shown (by convention)
- Example:
[Figure: three states labelled (pressed = T, request = F), (pressed = T, request = F) and (pressed = M, request = T); the transitions between them carry the values T, T and M]
Formally,
- Kripke structures extended for the MV case:
  - M = ⟨L, S, A, s0, I, R⟩
  - L is a quasi-boolean algebra (ℒ, ⊑, ⊓, ⊔, ¬), where (ℒ, ⊑) is a lattice
  - S is a (finite) set of states, each with a unique name
  - A is a set of atomic propositions
  - s0 is a unique initial state (s0 ∈ S)
  - I: S × A → ℒ is the interpretation function that assigns a logic value to each atomic proposition in each state
  - R: S × S → ℒ is the function that assigns a logic value to each transition between states
3-valued CTL
- Multi-valued extension of CTL
  - same syntax as CTL
  - plus constants from the logic (T, M, F)
- Semantics:
  - replace existential quantification by disjunction and universal quantification by conjunction, so for all states s:
    - (EX φ)(s) = ∨_{t∈S} (R(s, t) ∧ φ(t))
  - other operators are defined as in CTL:
    - (AX φ)(s) = (¬EX(¬φ))(s)
    - (EG φ)(s) = φ(s) ∧ (EX EG φ)(s)
    - (AG φ)(s) = (¬EF(¬φ))(s)
- Examples (on the pressed/request machine):
  - AG(request → AX pressed) ≟
  - AG(pressed ∨ request) ≟
[Figure: the pressed/request χKripke structure from the previous slides]
Model-Checking, Cont'd
- Can a classically True property evaluate to M?
- Answer: yes
  - AG(pressed ∨ ¬pressed) = M
  - comes from the failure of the law of excluded middle: in the state where pressed = M, pressed ∨ ¬pressed = M ∨ M = M
- Some terminology:
  - Compositional semantics
    - evaluate each CTL operator, compose according to the lattice rules
  - Thorough semantics [Bruns & Godefroid 00]
    - a property evaluates to M iff there exists a refinement where it evaluates to T and a refinement where it evaluates to F
    - expensive to evaluate
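The compositional semantics above, implemented as an explicit-state checker. This is an added example, not code from the slides or from any tool they mention: the Kleene logic is encoded as F < M < T with ∧ = min, ∨ = max and ¬ mirroring the order; EX is the disjunction over R(s, t) ∧ φ(t), AX is its dual, and EG/AG/EF/AF are computed as fixpoints, which terminate because the lattice of state-to-value maps is finite. The pressed/request machine uses the labels shown on the earlier slides; its state names s0, s1, s2 and the transition endpoints s0 → s1 (T), s1 → s2 (T), s2 → s0 (M) are assumptions made here, since the slides show only the transition values.

```python
"""Explicit-state compositional model checker for 3-valued (Kleene) chi-CTL."""

# Kleene logic as integers: logic order F < M < T, meet = min, join = max,
# negation mirrors the order (so neg(M) == M, which is why excluded middle fails).
F, M, T = 0, 1, 2
NAME = {F: "F", M: "M", T: "T"}

def neg(a):
    return 2 - a

class XKripke:
    """chi-Kripke structure: labels and transitions take values from {F, M, T}."""
    def __init__(self, states, labels, trans):
        self.states = list(states)
        self.labels = labels   # (state, atom) -> value
        self.trans = trans     # (s, t) -> value; pairs not listed are F (not drawn)

    def R(self, s, t):
        return self.trans.get((s, t), F)

def ex(m, x):
    """(EX phi)(s) = OR_t (R(s,t) AND phi(t)), with OR = max and AND = min."""
    return {s: max(min(m.R(s, t), x[t]) for t in m.states) for s in m.states}

def ax(m, x):
    """(AX phi)(s) = NOT EX NOT phi = AND_t (NOT R(s,t) OR phi(t))."""
    return {s: min(max(neg(m.R(s, t)), x[t]) for t in m.states) for s in m.states}

def check(m, phi):
    """Evaluate phi (nested tuples) compositionally; returns {state: value}.
    Shapes: ("const", v), ("atom", p), ("not", f), ("and", f, g), ("or", f, g),
    ("EX"|"AX"|"EG"|"AG"|"EF"|"AF", f)."""
    op = phi[0]
    if op == "const":
        return {s: phi[1] for s in m.states}
    if op == "atom":
        return {s: m.labels[(s, phi[1])] for s in m.states}
    if op == "not":
        return {s: neg(v) for s, v in check(m, phi[1]).items()}
    if op in ("and", "or"):
        a, b = check(m, phi[1]), check(m, phi[2])
        combine = min if op == "and" else max
        return {s: combine(a[s], b[s]) for s in m.states}
    if op == "EX":
        return ex(m, check(m, phi[1]))
    if op == "AX":
        return ax(m, check(m, phi[1]))
    if op in ("EG", "AG", "EF", "AF"):
        # EG f = gfp X. f AND EX X;  AG f = gfp X. f AND AX X  (AG = NOT EF NOT)
        # EF f = lfp X. f OR  EX X;  AF f = lfp X. f OR  AX X
        body = check(m, phi[1])
        step = ex if op[0] == "E" else ax
        combine, start = (min, T) if op[1] == "G" else (max, F)
        cur = {s: start for s in m.states}
        while True:
            stepped = step(m, cur)
            nxt = {s: combine(body[s], stepped[s]) for s in m.states}
            if nxt == cur:        # finite lattice: the iteration stabilises
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op}")

def implies(f, g):
    return ("or", ("not", f), g)

def pressed_request_machine():
    """The slides' pressed/request chi-Kripke structure. Labels follow the slides;
    the state names and transition endpoints are an assumption of this example."""
    labels = {("s0", "pressed"): T, ("s0", "request"): F,
              ("s1", "pressed"): T, ("s1", "request"): F,
              ("s2", "pressed"): M, ("s2", "request"): T}
    trans = {("s0", "s1"): T, ("s1", "s2"): T, ("s2", "s0"): M}
    return XKripke(["s0", "s1", "s2"], labels, trans)

def evaluate(phi, state="s0"):
    """Value of phi in a state (default: the initial state) of the machine above."""
    return check(pressed_request_machine(), phi)[state]

if __name__ == "__main__":
    pressed, request = ("atom", "pressed"), ("atom", "request")
    # A classical tautology is not a 3-valued one: M OR NOT M == M in s2.
    print("AG(pressed OR NOT pressed) =", NAME[evaluate(("AG", ("or", pressed, ("not", pressed))))])
    print("AG(request -> AX pressed)  =", NAME[evaluate(("AG", implies(request, ("AX", pressed))))])
    print("EG pressed                 =", NAME[evaluate(("EG", pressed))])
```

In the initial state AG(pressed ∨ ¬pressed) comes out M, the excluded-middle effect described above, while AG(request → AX pressed) is T. EG pressed is M because the only infinite path cycles through the state where pressed = M and through the M-valued transition, so neither a definite witness nor a definite refutation exists.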
Symbolic MV model-checking
- Similar idea to classical model-checking
  - recursively go through the structure of the χCTL property
  - encode sets of states symbolically
  - encode the transition relation symbolically
- Data structures
  - direct approach: MDDs
    - the number of terminal nodes and the branching factor equal the number of values in the logic
    - example: x ∧ y in 3-valued logic
  - can use a BDD vector …
  - or mixed approaches (MBTDDs, MTBDDs)
[Figure: MDD for x ∧ y; the root node tests x, each of its three branches tests y, and the terminals are T, M, F]
Reduction to Classical
- [Bruns & Godefroid 99]. Assumption: the transition relation is classical
  - move negation to the level of atomic propositions
  - create a positive (x+, standing for x) and a negative (x−, standing for ¬x) version of every atomic proposition
  - let x = M:
  - Positive cut:
    - set x+ and x− to True
    - Pos. answer = check property
  - Negative cut:
    - set x+ and x− to False
    - Neg. answer = check property
- If Neg. answer = Pos. answer (True or False)
  - return this as the answer
- Else
  - return Maybe
Example
- Model: s0 (p = T, q = M, z = F), s1 (p = T, q = F, z = M), s2 (p = T, q = F, z = F)
- Positive cut: in s0 set q+ = T and q− = T; in s1 set z+ = T and z− = T; atoms with a classical value keep it
  - [[p ∧ ¬q ∨ z]](s0) = T
- Negative cut: in s0 set q+ = F and q− = F; in s1 set z+ = F and z− = F
  - [[p ∧ ¬q ∨ z]](s0) = F
- Therefore, the answer is M

Example, Cont'd
- Positive cut: [[EX(p ∧ ¬q ∨ z)]](s0) = T
- Negative cut: [[EX(p ∧ ¬q ∨ z)]](s0) = T
- Therefore, the answer is T
[Figure: the three-state model next to its positive and negative cuts]
Reduction to Classical (Take Two)
- [Gurfinkel & Chechik 2003]
- Assumptions: states can be 3-valued, and the transition relation can be 3-valued
- Reduction steps:
  - for True and Maybe, construct a cut formula equivalent to [[φ]](s) ⊒ j
    - logic: from mv-CTL to a restricted mv-logic with two-valued answers
    - model: unchanged
  - transform each cut into a classical model-checking problem
    - logic: from the restricted mv-logic to classical CTL
    - model: from the χKripke structure to a classical Kripke structure
Propositional Logic
- Compositional evaluation:
  - [[p ∧ ¬q ∨ z]](s0) = [[T ∧ ¬M ∨ F]](s0) = [[T ∧ M ∨ F]](s0) = [[M]](s0) = M
[Figure: model with states s0 (p = T, q = M, z = F), s1 (p = T, q = F, z = M), s2 (p = T, q = F, z = F); the transitions carry the values M, M, T, T]
Propositional Logic – the cut
- The cut [[p ∧ ¬q ∨ z]](s0) ⊒ T is a two-valued question; because ⊓ and ⊔ are min and max on a chain, ⊒ j distributes over ∧ and ∨:
  - [[(p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T)]](s0) = [[T ∧ F ∨ F]](s0) = [[F ∨ F]](s0) = F
- Likewise for the cut at M, [[p ∧ ¬q ∨ z]](s0) ⊒ M:
  - [[(p ⊒ M) ∧ (¬q ⊒ M) ∨ (z ⊒ M)]](s0) = [[T ∧ T ∨ F]](s0) = T
Combining Results
- [[p ∧ ¬q ∨ z]](s0) ⋣ T
- [[p ∧ ¬q ∨ z]](s0) ⊒ M
- Therefore, [[p ∧ ¬q ∨ z]](s0) = M
Propositional Logic – final step
- Legend (for the cut value j):
  - p+ represents p ⊒ j
  - p− represents ¬p ⊒ j
- [[(p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T)]](s0) = [[p+ ∧ q− ∨ z+]](s0) = [[T ∧ F ∨ F]](s0) = [[F]](s0)
[Figure: the classical Kripke structure of the cut, whose states are labelled with p+, q−, z+ instead of p, q, z]
Existential Temporal Logic – final step
- [[EX⊒T((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))]](s0) = [[EX⊒T(p+ ∧ q− ∨ z+)]](s0) = [[EX(p+ ∧ q− ∨ z+)]](s0)
- The last formula is classical CTL over the classical Kripke structure that keeps exactly the transitions with R(s, t) ⊒ T
Universal Temporal Logic – the cut
- Dealing with negation:
  - in 3-valued logic, ¬b ⊒ T iff ¬(b ⊒ M)
  - since ¬b ⊒ T iff b = F
- Derivation of the cut for AX:
  [[AX(p ∧ ¬q ∨ z)]](s0) ⊒ T
  = (∧_{t∈S} (R(s0, t) ⇒ [[p ∧ ¬q ∨ z]](t))) ⊒ T
  = (∧_{t∈S} (¬R(s0, t) ∨ [[p ∧ ¬q ∨ z]](t))) ⊒ T
  = ∧_{t∈S} ((¬R(s0, t) ⊒ T) ∨ ([[p ∧ ¬q ∨ z]](t) ⊒ T))
  = ∧_{t∈S} (¬(R(s0, t) ⊒ M) ∨ ([[p ∧ ¬q ∨ z]](t) ⊒ T))
  = ∧_{t∈S} ((R(s0, t) ⊒ M) ⇒ ([[p ∧ ¬q ∨ z]](t) ⊒ T))
  = [[AX⊒M((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))]](s0)
[Figure: the three-state model, and the chain T, M, F]
Universal Temporal Logic – final step
- [[AX⊒M((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))]](s0) = [[AX⊒M(p+ ∧ q− ∨ z+)]](s0) = [[AX(p+ ∧ q− ∨ z+)]](s0)
- The last formula is classical CTL over the classical Kripke structure that keeps exactly the transitions with R(s, t) ⊒ M
Handling Mixed Modalities
- The first reduction step does not change
  - [[AX EX p]](s0) ⊒ T is transformed into [[AX⊒M EX⊒T (p ⊒ T)]](s0)
- Problem with the second step
  - need a Kripke structure with two types of transitions
    - ⊒ M for the universal modality
    - ⊒ T for the existential modality
- Solution
  - treat the transition labels as actions
  - convert the resulting Labeled Transition System into a Kripke structure
- Disadvantage
  - introduces a new variable
  - the size of the state space doubles
Summary of the Reduction
- The multi-valued model-checking problem is reduced to several classical problems
  - one classical problem for True and one for Maybe
  - the size of the formula does not change
    - atomic literals are changed to "plus" and "minus" versions
    - other parts remain unchanged
  - for the universal and existential fragments
    - the state space of the resulting Kripke structure is similar to the original
  - for formulas with both universal and existential modalities
    - the state space of the resulting Kripke structure is double the original
  - formulas with fixpoint operators are handled similarly
    - (see Gurfinkel & Chechik, CONCUR 03)
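Both reductions, written out as an added example; this is not the slides' code and not the checker from either paper. nnf pushes negation down to the atoms. cut_model builds the classical model for the cut [[φ]](s) ⊒ j: literals p+ (p ⊒ j) and p− (¬p ⊒ j), existential modalities over transitions ⊒ j, universal modalities over transitions ⊒ dual(j) with dual(T) = M and dual(M) = T, which is what the derivation on the Universal Temporal Logic slide gives; check_by_cuts returns T if the ⊒ T cut holds, else M if the ⊒ M cut holds, else F. Instead of the LTS-to-Kripke conversion that doubles the state space, the classical checker here simply carries two successor maps, which a purpose-built checker can afford; the fixpoint operators are handled by the same cut, as CONCUR 03 does. check_bruns_godefroid is the earlier positive/negative-cut reduction and requires a classical transition relation. The states and labels are the ones on the example slides; the state names, the transition values and the self-loops are assumptions made for this example.

```python
"""Reduce 3-valued chi-CTL model checking to classical model checking via cuts."""

F, M, T = 0, 1, 2
DUAL = {T: M, M: T}   # NOT b >= T  iff  NOT (b >= M): negation swaps the two cuts

def neg(a):
    return 2 - a

def nnf(phi, negate=False):
    """Push negation down to the atoms (first step of both reductions).
    Literals become ("lit", p, "+") for p and ("lit", p, "-") for NOT p."""
    op = phi[0]
    if op == "atom":
        return ("lit", phi[1], "-" if negate else "+")
    if op == "not":
        return nnf(phi[1], not negate)
    if op in ("and", "or"):
        op2 = {"and": "or", "or": "and"}[op] if negate else op
        return (op2, nnf(phi[1], negate), nnf(phi[2], negate))
    dual = {"EX": "AX", "AX": "EX", "EG": "AF", "AF": "EG", "EF": "AG", "AG": "EF"}
    return (dual[op] if negate else op, nnf(phi[1], negate))

def classical(states, lit, succ_e, succ_a, phi):
    """Classical CTL (negation-normal form) over a Kripke structure with two successor
    maps: succ_e serves the existential modalities, succ_a the universal ones."""
    op = phi[0]
    if op == "lit":
        return {s: lit[(s, phi[1], phi[2])] for s in states}
    if op in ("and", "or"):
        a = classical(states, lit, succ_e, succ_a, phi[1])
        b = classical(states, lit, succ_e, succ_a, phi[2])
        return {s: (a[s] and b[s]) if op == "and" else (a[s] or b[s]) for s in states}
    x = classical(states, lit, succ_e, succ_a, phi[1])
    ex = lambda cur: {s: any(cur[t] for t in succ_e[s]) for s in states}
    ax = lambda cur: {s: all(cur[t] for t in succ_a[s]) for s in states}
    if op in ("EX", "AX"):
        return ex(x) if op == "EX" else ax(x)
    step = ex if op[0] == "E" else ax
    cur = {s: op[1] == "G" for s in states}        # gfp for EG/AG, lfp for EF/AF
    while True:
        stepped = step(cur)
        nxt = {s: (x[s] and stepped[s]) if op[1] == "G" else (x[s] or stepped[s])
               for s in states}
        if nxt == cur:
            return cur
        cur = nxt

def cut_model(states, labels, trans, j):
    """Classical model for the cut [[.]] >= j (second step of Gurfinkel & Chechik 03):
    p+ holds where I(s,p) >= j, p- where NOT I(s,p) >= j; EX follows transitions >= j,
    AX follows transitions >= DUAL[j]."""
    lit = {}
    for (s, p), v in labels.items():
        lit[(s, p, "+")] = v >= j
        lit[(s, p, "-")] = neg(v) >= j
    succ_e = {s: [t for t in states if trans.get((s, t), F) >= j] for s in states}
    succ_a = {s: [t for t in states if trans.get((s, t), F) >= DUAL[j]] for s in states}
    return lit, succ_e, succ_a

def check_by_cuts(states, labels, trans, phi, s):
    """[[phi]](s) from two classical runs: T if the >=T cut holds, else M if the >=M
    cut holds, else F."""
    psi = nnf(phi)
    for j in (T, M):
        if classical(states, *cut_model(states, labels, trans, j), psi)[s]:
            return j
    return F

def check_bruns_godefroid(states, labels, trans, phi, s):
    """Bruns & Godefroid 99, for a classical transition relation: every atom valued M
    gets p+ = p- = True (positive cut) or False (negative cut); agreement is the answer."""
    assert all(v in (F, T) for v in trans.values()), "transition relation must be classical"
    psi = nnf(phi)
    succ = {u: [t for t in states if trans.get((u, t), F) == T] for u in states}
    answers = []
    for fill in (True, False):
        lit = {}
        for (u, p), v in labels.items():
            lit[(u, p, "+")] = fill if v == M else v == T
            lit[(u, p, "-")] = fill if v == M else v == F
        answers.append(classical(states, lit, succ, succ, psi)[s])
    if answers[0] == answers[1]:
        return T if answers[0] else F
    return M

# States and labels from the slides; transition values are an assumption of this example.
STATES = ["s0", "s1", "s2"]
LABELS = {("s0", "p"): T, ("s0", "q"): M, ("s0", "z"): F,
          ("s1", "p"): T, ("s1", "q"): F, ("s1", "z"): M,
          ("s2", "p"): T, ("s2", "q"): F, ("s2", "z"): F}
TRANS_MV = {("s0", "s1"): M, ("s0", "s2"): T, ("s1", "s1"): M, ("s1", "s2"): T, ("s2", "s2"): T}
TRANS_CLASSICAL = {("s0", "s1"): T, ("s1", "s2"): T, ("s2", "s2"): T}
PHI = ("or", ("and", ("atom", "p"), ("not", ("atom", "q"))), ("atom", "z"))   # p AND NOT q OR z

def by_cuts(phi, s="s0"):
    return check_by_cuts(STATES, LABELS, TRANS_MV, phi, s)

def by_bg(phi, s="s0"):
    return check_bruns_godefroid(STATES, LABELS, TRANS_CLASSICAL, phi, s)

if __name__ == "__main__":
    print("cuts: [[p AND NOT q OR z]](s0) =", by_cuts(PHI))                   # M, as on the slides
    print("cuts: [[AX NOT z]](s0)         =", by_cuts(("AX", ("not", ("atom", "z")))))
    print("B&G:  [[EX(p AND NOT q OR z)]](s0) =", by_bg(("EX", PHI)))       # T, as on the slides
```

The AX ¬z case is the one that exercises the dual threshold: on this model the ⊒ T cut must follow the M-valued transition s0 → s1 (where ¬z is only M) and so fails, while the ⊒ M cut follows only s0 → s2 and succeeds, giving M. Using transitions ⊒ T for the universal modality in the ⊒ T cut would instead wrongly report T.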
Abstraction
[Figure: the concrete state space S is mapped onto the abstract state space S' by the abstraction function α: S → S']
Abstraction
- Using 3-valued logic
  - introduce a new special value Maybe to stand for "unknown"
  - Formally, for an abstract state a with concretization γ(a):
    - [[v]](a) = T iff ∀s ∈ γ(a). [[v]](s) = T
    - [[v]](a) = F iff ∀s ∈ γ(a). [[v]](s) = F
    - [[v]](a) = M iff ∃s ∈ γ(a). [[v]](s) = T and ∃t ∈ γ(a). [[v]](t) = F
  - Examples:
    - r(s0,1) = T ⇒ r(s0) = T
    - p(s0,1) = M
[Figure: concrete states s0 (p, ¬q, r), s1 (¬p, ¬q, r), s2 (p, q, ¬r); 3-valued abstract states s0,1 (p = M, q = F, r = T) and s2 (p = T, q = T, r = F)]
Refresher: Over- and Under-approximations
- M' is an over-approximation of M, or M' simulates M, if
  - R^∃∃ [Dams 97]: (t, t1) ∈ R' iff ∃s ∈ γ(t) s.t. ∃s1 ∈ γ(t1) and (s, s1) ∈ R
- M' is an under-approximation of M, or M simulates M', if
  - R^∀∃ [Dams 97]: (t, t1) ∈ R' iff ∀s ∈ γ(t) ∃s1 ∈ γ(t1) s.t. (s, s1) ∈ R
Existential Abstraction (Over-Approximation)
[Figure: concrete transitions and the abstract transitions induced by R^∃∃, starting from the initial states I]

Universal Abstraction (Under-Approximation)
[Figure: concrete transitions and the abstract transitions induced by R^∀∃, starting from the initial states I]
3-Valued Transition Relation
- Let R'(s, t) = T if (s, t) ∈ R^∀∃
  - [Dams 97]: (t, t1) ∈ R^∀∃ iff ∀s ∈ γ(t) ∃s1 ∈ γ(t1) s.t. (s, s1) ∈ R
- Let R'(s, t) = F if (s, t) ∉ R^∃∃
  - [Dams 97]: (t, t1) ∈ R^∃∃ iff ∃s ∈ γ(t) s.t. ∃s1 ∈ γ(t1) and (s, s1) ∈ R
- Else R'(s, t) = M
3-valued abstraction
[Figure: the abstract model starting from the initial states I, with transitions labelled T where every concrete state has a matching successor and M where only some do]
Abstraction, Cont'd
- Using 3-valued logic
  - introduce a new special value Maybe to stand for "unknown"
  - AX r(s0,1) = M
  - EX r(s0,1) = T
[Figure: 3-valued abstract model with s0,1 (p = M, q = F, r = T) and s2 (p = T, q = T, r = F); the transitions carry the values T and M]
Model Checking 3-Valued Abstract Models
- Let φ be an arbitrary property (i.e., expressed in LTL, CTL, mu-calculus) and M' a 3-valued abstraction of M
- Preservation Theorem: M' ⊨ φ ⇔ M ⊨ φ whenever φ evaluates to T or F on M'
  - no guarantee is given about a "Maybe" answer
  - a False counterexample cannot be spurious
    - no need for simulation on the concrete model!
  - a Maybe counterexample requires refinement
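The label and transition rules above applied to the slides' three-state example, as an added example (not code from the slides). abstract() builds γ from α, labels each abstract state T, F or M by the ∀/∃ rules, and labels each abstract transition T if it is in R^∀∃, F if it is not in R^∃∃ and M otherwise; preserved() checks the preservation theorem for one formula by comparing the 3-valued answer on each abstract state with the classical answers on the concrete states it stands for. The concrete labels are the ones on the slides; the state names, the abstraction α (merging s0 and s1 into s0,1) and the concrete transitions s0 → s1, s1 → s0, s1 → s2, s2 → s2 are assumptions chosen so that the abstract model matches the slides, with AX r(s0,1) = M and EX r(s0,1) = T.

```python
"""3-valued abstraction of a classical Kripke structure, as on the slides."""

F, M, T = 0, 1, 2
NAME = {F: "F", M: "M", T: "T"}

def neg(a):
    return 2 - a

def abstract(concrete_states, labels, R, alpha):
    """Build the 3-valued abstract model induced by alpha: S -> S'.
    Labels: [[v]](a) = T if every s in gamma(a) has v, F if none has it, else M.
    Transitions (Dams 97, as on the 3-Valued Transition Relation slide):
      T if (a,b) in R^(forall-exists): every s in gamma(a) has a successor in gamma(b),
      F if (a,b) not in R^(exists-exists): no s in gamma(a) has a successor in gamma(b),
      M otherwise."""
    gamma = {}
    for s in concrete_states:
        gamma.setdefault(alpha[s], []).append(s)
    abs_states = list(gamma)
    atoms = sorted({p for (_, p) in labels})
    abs_labels = {}
    for a in abs_states:
        for p in atoms:
            vals = {labels[(s, p)] for s in gamma[a]}
            abs_labels[(a, p)] = T if vals == {True} else F if vals == {False} else M
    abs_trans = {}
    for a in abs_states:
        for b in abs_states:
            forall_exists = all(any((s, t) in R for t in gamma[b]) for s in gamma[a])
            exists_exists = any((s, t) in R for s in gamma[a] for t in gamma[b])
            abs_trans[(a, b)] = T if forall_exists else M if exists_exists else F
    return abs_states, abs_labels, abs_trans, gamma

def ex3(states, trans, x):
    """3-valued EX: OR_t (R(s,t) AND x(t)), with OR = max and AND = min."""
    return {s: max(min(trans.get((s, t), F), x[t]) for t in states) for s in states}

def ax3(states, trans, x):
    """3-valued AX: AND_t (NOT R(s,t) OR x(t))."""
    return {s: min(max(neg(trans.get((s, t), F)), x[t]) for t in states) for s in states}

def ex2(states, R, x):
    """Classical EX on the concrete model."""
    return {s: any((s, t) in R and x[t] for t in states) for s in states}

def ax2(states, R, x):
    """Classical AX on the concrete model."""
    return {s: all(x[t] for t in states if (s, t) in R) for s in states}

def preserved(gamma, abstract_vals, concrete_vals):
    """Preservation check: a definite (T or F) abstract answer must hold for every
    concrete state in gamma(a); a Maybe answer promises nothing."""
    for a, v in abstract_vals.items():
        if v == T and not all(concrete_vals[s] for s in gamma[a]):
            return False
        if v == F and any(concrete_vals[s] for s in gamma[a]):
            return False
    return True

# Concrete model from the slides: s0 (p, NOT q, r), s1 (NOT p, NOT q, r), s2 (p, q, NOT r).
# The transitions, the state names and alpha are an assumption made for this example.
CONCRETE = ["s0", "s1", "s2"]
LABELS = {("s0", "p"): True, ("s0", "q"): False, ("s0", "r"): True,
          ("s1", "p"): False, ("s1", "q"): False, ("s1", "r"): True,
          ("s2", "p"): True, ("s2", "q"): True, ("s2", "r"): False}
R = {("s0", "s1"), ("s1", "s0"), ("s1", "s2"), ("s2", "s2")}
ALPHA = {"s0": "s01", "s1": "s01", "s2": "s2"}   # merge s0 and s1 into s0,1

def slide_example():
    """Abstract the slide model and evaluate AX r and EX r on both levels.
    Returns (abstract labels, abstract transitions, {formula: (abstract, concrete)})."""
    abs_states, abs_labels, abs_trans, gamma = abstract(CONCRETE, LABELS, R, ALPHA)
    r_abs = {a: abs_labels[(a, "r")] for a in abs_states}
    r_con = {s: LABELS[(s, "r")] for s in CONCRETE}
    results = {"AX r": (ax3(abs_states, abs_trans, r_abs), ax2(CONCRETE, R, r_con)),
               "EX r": (ex3(abs_states, abs_trans, r_abs), ex2(CONCRETE, R, r_con))}
    assert all(preserved(gamma, a, c) for a, c in results.values())
    return abs_labels, abs_trans, results

if __name__ == "__main__":
    abs_labels, abs_trans, results = slide_example()
    print({k: NAME[v] for k, v in abs_labels.items()})
    print({k: NAME[v] for k, v in abs_trans.items()})
    for name, (abs_vals, _) in results.items():
        print(name, {a: NAME[v] for a, v in abs_vals.items()})   # AX r(s01) = M, EX r(s01) = T
```

The abstract transition s0,1 → s2 comes out M because only s1 has a successor in γ(s2), and that single M-valued transition is what turns AX r(s0,1) into M: on the concrete side AX r holds in s0 but not in s1, so no definite abstract answer is possible, whereas AX r(s2) = F is definite and does hold of s2.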
3-Valued Abstraction-Refinement Loop
[Figure: (M, φ) → Abstract with α → (M', φ) → Model Check; Pass → No Bug; Fail → Bug; Maybe → Check Counterexample → Refine to α' → back to Abstract]
No spurious counterexamples, but the abstraction can be too coarse
[Figure: from the initial states I, a T transition and an M transition lead towards the bad states; the abstract state reached by the M transition is a failure state f whose concretization mixes deadend states with bad states]
Refinement
[Figure: refinement replaces the abstraction α by a finer abstraction α']
Other use of 3-valued logic: partial models
- Algebra:
  - use the three-valued algebra (Kleene)
  - the intermediate value represents incomplete information or uncertainty
  - a partial model is a compact representation of all its possible refinements
  - if a property is True/False on the partial model, it is True/False on every refined one
  - initial theory developed by Bruns & Godefroid, CAV 99
- Application: most models are incomplete!
  - allows verification before the specification is completed
[Figure: partial model with s0 (p = T, q = F, r = T), s1 (p = M, q = M, r = F), s2 (p = T, q = M, r = T); the transitions carry the values M, T, T]
Summary
- Abstraction
  - effective tool for combating state explosion
  - over-approximation: sound for True universal properties; otherwise check whether the counterexample is feasible and then refine
  - under-approximation: the same for existential properties
- 3-Valued Abstraction
  - specified in 3-valued Kleene logic
  - allows reasoning about mixed-quantifier properties
  - no need to check whether a counterexample is spurious
  - the counterexample is used for refinement
- 3-Valued Model-Checking
  - reduces to two runs of a classical model-checker
  - or can be done directly, say, using MDDs
Next topic:
- Software model-checking
  - (and software model-checking with 3-valued logic)