Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 ›...
Transcript of Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 ›...
![Page 1: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/1.jpg)
Introduction to Software Verification
Orna Grumberg
Lectures Materialwinter 2017-18
![Page 2: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/2.jpg)
Lecture 13
16.1.18
![Page 3: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/3.jpg)
3
Other solutions to the state-explosion problem
Small models replace the full, concrete model:
• Abstraction• Compositional verification• Partial order reduction• Symmetry
![Page 4: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/4.jpg)
4
Abstraction preserving ACTL/ACTL*
We use Existential Abstraction in which the abstract model is an over-approximation of the concrete model:
– The abstract model has more behaviors– But no concrete behavior is lost
• Every ACTL/ACTL* property true in the abstract model is also true in the concrete model
![Page 5: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/5.jpg)
5
Existential Abstraction
M
Mh
Given an abstraction function h : S Sh, the concrete states are grouped and mapped into abstract states :
h h h
M Mh
![Page 6: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/6.jpg)
6
How to define an abstract model:
Given M and , choose• Sh - a set of abstract states
• AP – a set of atomic propositions that label concrete and abstract states
• h : S Sh - a mapping from S on Sh that satisfies:
h(s) = h(t) only if L(s)=L(t)
• h is called appropriate w.r.t. AP
![Page 7: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/7.jpg)
7
The abstract modelMh = (Sh, Ih, Rh, Lh)
• sh Ih sI : h(s) = sh
• (sh,th) Rh s,t [ h(s) = sh h(t) = th (s,t)R ]
• Lh(sh) = L(s) for some s where h(s) = sh
This is an exact abstraction
![Page 8: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/8.jpg)
8
An approximated abstraction(an approximation )
• sh Ih sI : h(s) = sh
• (sh,th) Rh s,t [ h(s) = sh h(t) = th (s,t)R ]
• Lh is as before
Notation: Mr – reduced (exact) Mh - approximated
![Page 9: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/9.jpg)
9
Depending on h and the size of M, Mh (I.e. Ih, Rh ) can be built using:
BDDs or
SAT solver or
Theorem prover (SMT)
We later demonstrate such constructions for
specific types of abstractions
![Page 10: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/10.jpg)
10
Predicate Abstraction
• Given a program over variables V• Predicate Pi is a first-order atomic
formula over VExamples: x+y < z2 , x=5
• Choose: AP = { P1,…,Pk } that includes– the atomic formulas in the property and– conditions in if, while statements of the
program
![Page 11: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/11.jpg)
Predicate Abstraction - Example
while (x1) {……if (y=2) { …. }……
}
=AFG(x>y)
AP={x>y,x1,y=2}11
![Page 12: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/12.jpg)
12
• Labeling of concrete states:
L(s) = { Pi | s |= Pi }
Predicate Abstraction
![Page 13: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/13.jpg)
13
Example (concrete model)Program over natural variables x, yS = N x NAP = { P1, P2, P3 } where
P1 = x≤1 , P2 = x>y , P3 = y=2AP = { x≤1 , x>y , y=2 }
L((0,0)) = L((1,1)) = L(0,1)) = { P1 }L((0,2)) = L((1,2)) = { P1, P3 }L((2,3)) =
![Page 14: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/14.jpg)
14
Abstract model - Definition
• Abstract states are defined over Boolean variables { B1,...,Bk }:Sh { 0,1 }k
• h(s) = sh for all 1jk : [ s |= Pj sh |= Bj ]
• Lh(sh) = { Pj | sh |= Bj }
• Is h appropriate for AP?
![Page 15: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/15.jpg)
15
Example (concrete model)Program over natural variables x, yS = N x NAP = { P1, P2, P3 } where
P1 = x≤1 , P2 = x>y , P3 = y=2AP = { x≤1 , x>y , y=2 }
L((0,0)) = L((1,1)) = L(0,1)) = { P1 }L((0,2)) = L((1,2)) = { P1, P3 }L((2,3)) =
![Page 16: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/16.jpg)
16
Sh { 0,1 }3
h((0,0)) = h((1,1)) = h(0,1)) = (1,0,0)h((0,2)) = h((1,2)) = (1,0,1)No concrete state is mapped to (1,1,1)
Lh((1,0,0)) = { P1 }Lh((1,0,1)) = { P1, P3 }
The concrete state and its abstract state are labeled identically
Example – (abstract model)AP={P1=(x≤1),P2=(x>y),P3=(y=2)}
![Page 17: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/17.jpg)
17
Computing Rh (same example)
(sh,th) Rh s,t [ h(s) = sh h(t) = th (s,t)R ]
![Page 18: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/18.jpg)
18
Program with one statement: x := x+1
( (b1,b2,b3) , (b’1,b’2,b’3) ) Rh
xyx’y’ [ P1(x,y) b1 P2(x,y) b2 P3(x,y) b3 x’=x+1 y’=y P1( x’,y’ ) b’1 P2( x’,y’ ) b’2 P3( x’,y’ ) b’3 ]
Computing Rh (same example)
sh th
h(s)=sh
h(t)=th
R(s,t)
s t
![Page 19: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/19.jpg)
19
Depending on h and the size of M, Mh (I.e. Ih, Rh ) can be built using:
BDDs, if S is finite and not too big
SAT solver, if S is finite and possibly big
Theorem prover (SMT), S might be infinite
![Page 20: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/20.jpg)
20
Logic preservation Theorem
Theorem If is an ACTL/ACTL* specification over AP, then
Mh |= M |=
However, the reverse may not be valid.
![Page 21: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/21.jpg)
21
Traffic Light Example
red
green
yellow
M
Property: =AG AF ¬ (state=red)
Abstraction function h maps green, yellow togo.
red
go
Mh
Mh |= M |=
![Page 22: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/22.jpg)
22
Traffic Light Example (Cont)
If the abstract model invalidates a specification, the actual model may still satisfy the specification.
Property: =AG AF (state=red)
M |= but Mh |
red
green
yellow
red
go
M Mh Spurious Counterexample:
red,go,go, ...
![Page 23: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/23.jpg)
23
CounterExample-Guided Abstraction-Refinement
(CEGAR)
![Page 24: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/24.jpg)
24
The CEGAR Methodology
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |
model check
Mh
generate initialabstraction
M and
refinement:generate new abstraction
This spurious
Mh
![Page 25: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/25.jpg)
25
Generating the Initial Abstraction
If we use predicate abstraction then predicates are extracted from the program’s control flow and the checked property
If we use localization reduction then the un-abstracted variables are those appearing in the predicates above
![Page 26: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/26.jpg)
Predicate Abstraction - Example
while (true) {if (reset == 1) { x=y=0; }else if (x<y) { x=x+1; }else if (x==y && !(y==2)) { y=y+1; }else if (x==y) { x=y=0; }
}=AF(x==y)
AP={reset==1, x<y, x==y, y==2}26
![Page 27: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/27.jpg)
27
Model Check The Abstract Model
Given the abstract model Mh
If Mh | , then the model checker generates a counterexample trace (Th)
Most current model checkers generate paths or loops
Question : is Th spurious?
![Page 28: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/28.jpg)
28
Counterexamples• For AGp it is a path to a state satisfying p• For AFp it is a infinite path represented by a
path+loop, where all states satisfy p
On the other hand• For EFp we need to return the whole computation
tree (the whole model)
• For AX(AGpAGq) we need to return a computation tree demonstrating EX(EFp EFq)
![Page 29: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/29.jpg)
29
Path Counterexample
Assume that we have four abstract states{1,2,3} {4,5,6} {7,8,9} {10,11,12}
Abstract counterexample Th= , , ,
therefore, M | Th is not spurious,
![Page 30: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/30.jpg)
30
Spurious Path Counterexample
Th is spurious
failure stateThe concrete states mapped to the failure state are partitioned into 3 sets
dead-end bad irrelevantyes no nono yes no
statesreachableout edges
![Page 31: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/31.jpg)
31
Refining The Abstraction
Goal : refine h so that the dead-end states and bad states do not belong to the same abstract state.
For this example, two possible solutions.
![Page 32: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/32.jpg)
32
Refining the abstraction
• Refinement separates dead-end states from bad states, thus, eliminating the spurious transition from Si-1 to Si
• This can be done, for instance, by adding a new predicate to the abstract model and building a new, refined abstract model
![Page 33: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/33.jpg)
33
Completeness of CEGAR
If M is finite Our methodology refines the abstraction
until either the property is proved or a real counterexample is found
Theorem Given a finite model M and an ACTL* specification whose counterexample is either path or loop, our algorithm will find a model Ma such that
Ma |= M |=
![Page 34: Introduction to Software Verificationi-cav.org › cavlinks › wp-content › uploads › 2019 › 07 › 16-1-2018-lecture-13.pdfIntroduction to Software Verification Orna Grumberg](https://reader034.fdocuments.us/reader034/viewer/2022042323/5f0e27837e708231d43ddec7/html5/thumbnails/34.jpg)
34
Conclusion
We presented a framework for Counterexample Guided Abstraction Refinement (CEGAR) that
Automatically constructs an initial abstraction, based on the checked property and the system
If the abstract system contains a spurious counterexample then the abstraction is automatically refined in order to eliminate the counterexample