Abstraction for Falsification

Post on 15-Jan-2016


Abstraction for Falsification

Thomas Ball

Orna Kupferman

Greta Yorsh

Microsoft Research, Redmond, US

Hebrew University, Jerusalem, Israel

Tel Aviv University, Israel

CAV’05

Abstraction for Verification

• Goal: prove properties

• Sound abstraction for verification
  – properties of the abstract system hold for the corresponding concrete system
  – : C A
  – if abstract state a satisfies property P then all concrete states represented by a satisfy P
  – a A if a P then c C . (c)=a c P

Abstraction for Falsification

• Goal: detect errors

• Sound abstraction for falsification
  – errors of the abstract system exist in the corresponding concrete system
  – : C A
  – a A if a P then c C . (c)=a c P

Motivation

• An abstraction that is sound for falsification need not be sound for verification.

• Existing frameworks for abstraction for verification
  – Modal Transition System (MTS)
  – MTS, PKS, KMTS – equivalent in expressive power [Godefroid, Jagadeesan – VMCAI’03]
  – can be too restrictive for falsification

Main Results

• New framework for abstraction
  – Ternary Modal Transition System (TMTS)
  – TMTS is stronger than MTS
  – Semantics of μ-calculus for TMTS

• Weak reachability
  – TMTS with parameterized transitions gives a tighter underapproximation
  – TMTS with assume-guarantee transitions for complete reasoning

Modal Transition Systems

• may transitions (overapproximation; existential abstraction)
  MAY(a,a’): c, c’ . c c’ (c) = a (c’) = a’

• must+ transitions (underapproximation; total from a)
  MUST+(a,a’): c. (c) = a c’ . (c’) = a’ c c’

• must– transitions (underapproximation; onto a’) [T. Ball – FMCO’04]
  MUST–(a,a’): c’. (c’) = a’ c. (c) = a c c’

• must+ and must– are incomparable

[Figure: concrete states c, c’ abstracted to a, a’; may, must+ and must– edges between a and a’]

TMTS strictly more expressive than MTS

• MTS
  – may and must+ transitions
  – precision preorder is logically characterized by PML
    ::= p | AX | |

• TMTS
  – may, must+ and must– transitions
  – precision preorder is logically characterized by full-PML
    ::= p | AX | AY | |

• full-PML is strictly more expressive than PML [Pinter, Wolper – PODC’84] [Kupferman, Pnueli – LICS’95]

TMTS: what does it buy us?

• Verifying specifications with past operators

• Reasoning about specifications in the falsification setting
  – must+ for verification and must– for falsification

• Tighter weak reachability in the abstract system
  – combine must+ and must– along the path

Semantics of μ-calculus for TMTS

: C A

• (C, c1)
• [ (A, a1) ] – the value of the μ-calculus formula in state a1 of TMTS A
• [ (A, a) ] = T – for all concrete states c with (c) = a, (C, c)
• [ (A, a) ] = T – there exists a concrete state c with (c) = a and (C, c)
• [ (A, a) ] = F – for all concrete states c with (c) = a, (C, c)
• [ (A, a) ] = F – there exists a concrete state c with (c) = a and (C, c)
• [ (A, a) ] = M – there exist concrete states c and c’ such that (c) = (c’) = a and (C, c) and (C, c’)
• [ (A, a) ] =

Semantics of μ-calculus for TMTS

[Figure: the information lattice and the truth lattice over the six values; only the labels T, F and M survived extraction]

Semantics of μ-calculus for TMTS

• [ (A, a) 1 2 ]
• [ (A, a) EX ]
• [ (A, a) ]

6-valued Semantics of 1 2

[ (A, a) 1 2 ] = [ (A, a) 1 ] # [ (A, a) 2 ]

[Table: the 6-valued truth table of the operator # with rows and columns indexed by the six values, built up over several animation steps; the value decorations did not survive extraction, so the table is not reproduced]

Semantics of EX

[ (A, a) EX ] =
  F  if for all a’, if may(a,a’) then [(A, a’) ] = F
  T  if there exists a’ s.t. must+(a,a’) and [(A,a’) ] = T
  T  if there exists a’ s.t. must–(a,a’) and [(A,a’) ] T
  otherwise

• [ (A, a) EX ] = T
• there exists a’ s.t. must–(a,a’) and [(A,a’) ] = T
• there exists c’ such that (c’)=a’ and c’
• for all c’ with (c’)=a’ there is c with (c)=a such that c c’
• if [ (A, a) EX ] = T then there exists c with (c) = a and c EX

[Figure: c in a, c’ in a’, must–(a,a’), [(A,a’) ] = T, hence [(A,a) EX ] = T]

Semantics of μ-calculus for TMTS

• The semantics of PML operators is monotonic
  – the least fixpoint operator can be computed by iteration from F in the usual way:
  – [(A,a) Z . (Z) ] = [ (A, a) *(F) ]

• The 6-valued semantics is at least as precise as the standard 3-valued semantics of μ-calculus for MTS

• [(A,a) ] =
  – 3-valued abstraction refinement of must+ transitions [Shoham, Grumberg – CAV’03]; adapt for must–

• Hypermust transitions
  – [Larsen, Xinxin – LICS‘90] [Shoham, Grumberg – CAV’04]
  – adapt for must–
  – MTS with hypermust+ is incomparable with TMTS

Semantics of μ-calculus for TMTS

EX(x>6) = ?

[Figure: an abstract state whose concrete states include x = 7 and x = 10, with a must– edge and a may edge under the statement x := x–3 into a state where x > 6 holds (concrete values 7, 8, 9, ...); candidate answers shown in the animation: EX(x>6) T, EX(x>6) F, EX(x>6) = T]


Weak Reachability

• a’ is weakly-reachable from a: c, c’ . (c)=a (c’)=a’ c * c’

[Figure: initial state a containing c, error state a’ containing c’, and the concrete error trace from c to c’]

• Related to testing

Example

Program:
  L0: if x<6 then
  L1:   x := x + 3
  L2: if x > 7 then
  L3:   x := x – 3
  L4:

Predicates: (x < 6) (x > 7)

Abstract states (program counter: values of x<6 and x>7):
  L1: TF   L0: FT   L0: FF
  L2: TF   L3: FT   L2: FF
  L4: FT   L4: FF   L4: TF

[Figure: the abstract transitions, labelled may, may, must–, must–, must–, must–; labels x<6, x>7, (x=6), (x=7)]

Example (animation step): x = 5

Underapproximation of Weak Reachability

• if [must+]*(a,a’) then a’ is weakly reachable from a

• Arbitrary combinations of must+ and must– transitions do not preserve weak reachability

• Find a tighter underapproximation of weak reachability

Example (animation step): must– ? must+ ? with concrete values x = 9, x = 6, x = 5, x = 2


Observations

• a3 is weakly reachable from a1 if there exists a2 such that must–(a1,a2) and must+(a2,a3)

• Onto nature of must– is preserved by [must–]*

• Total nature of must+ is preserved by [must+]*

[Figure: a1 –must–→ a2 –must+→ a3]   [T.Ball – FMCO’04]

Underapproximation

If there exist a1, a2, a3 such that [must–]*(a1,a2) and [must+]*(a2,a3) then a3 is weakly-reachable from a1

[Figure: a1 –[must–]*→ a2 –[must+]*→ a3]   [T.Ball – FMCO’04]


[Figure: a may transition from a to a’ that is neither total from a (MUST+? NO) nor onto a’ (MUST–? NO)]

Parameterized Transitions

• must+()(a,a’) – total from : c. (c) = a c c’ . (c’) = a’ c c’

• must–()(a,a’) – onto : c’. (c’) = a’ c’ c. (c) = a c c’

• if is TRUE then must+() is must+ and must–() is must–

Observation

• a3 is weakly reachable from a1 if there exists a2 such that
  – must–(1)(a1,a2)
  – must+(2)(a2,a3)
  – 1 2 a2 is satisfiable

• Strongest parameters 1 and 2

[Figure: a1 –must–(1)→ a2 –must+(2)→ a3, with 1 2 holding in a2]

Strongest Parameters

Generated automatically as part of the construction of the TMTS (s is the statement on the transition from a to a’)

• MUST+( WP(s,a’) ): c. (c) = a c c’ . (c’) = a’ c c’
  if must+() then a ( WP(s,a’))

• MUST–( SP(s,a) ): c’. (c’) = a’ c’ c. (c) = a c c’
  if must–() then a ( SP(s,a))

Example (continued)

SP(x:=x+3, x<6) = x < 9
WP(x:=x-3, x<6) = x < 9

Example (continued): parameterized transitions must–(x < 9) and must+(x < 9)

Tighter Underapproximation

If there exist a1,...,a5 s.t.
  [must–]*(a1,a2)
  must–(1)(a2,a3)
  must+(2)(a3,a4)
  [must+]*(a4,a5)
  1 2 a3 is satisfiable
then a5 is weakly-reachable from a1

[Figure: a1 –[must–]*→ a2 –must–(1)→ a3 –must+(2)→ a4 –[must+]*→ a5]

Complete Reasoning

  – a’ is reachable by a certain sequence of abstract transitions from a
  – a’ is weakly-reachable from a

• Assume-guarantee transitions – another type of parameterized transitions: <> must+ <’>
  <>must+<’>(a,a’): c. (c) = a c c’ . (c’) = a’ c’ ’ c c’

Assume-Guarantee Transitions

• Which and ’ predicates do we need?

• <>must–<’>(a,a’): c’. (c’) = a’ c’ ’ c . (c) = a c c c’

The idea...

[Figure: a1 –s1→ a2 –s2→ a3 –s3→ a4 –s4→ a5]

<1>must– <2>, <2>must– <3>:
  1 = a1
  2 = SP(s1, 1) a2
  3 = SP(s2, 2) a3

<3>must+ <4>, <4>must+ <5>:
  5 = a5
  4 = WP(s4,5) a4
  3 = WP(s3,4) a3

3 3 is satisfiable

Assume-guarantee transitions

• Complete reasoning about weak reachability
  – a’ is reachable by a certain sequence of assume-guarantee transitions from a
  – a’ is weakly-reachable from a

• Finding the right parameters ~ computing loop invariants

Weak Reachability: Summary

• Previous work [T.Ball – FMCO’04]: [must–]* [must+]*

• Parameterized transitions: [must–]* must–(1) must+(2) [must+]*

• Assume-guarantee transitions – complete reasoning
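To make the may / must+ / must– definitions, the parameterized transitions with strongest parameters, and the weak-reachability underapproximations of the preceding slides concrete, here is an added Python example (not code from the paper or its authors). It encodes the talk's five-line example program with the predicates (x < 6) and (x > 7), computes the abstract transition types by brute force over a constructed bounded integer range, and compares [must+]*, [must–]*[must+]* and the parameterized chain against true weak reachability. The bound XS, the helper names, and the computation of SP and WP as explicit state sets are assumptions of this example; it also checks the example's own data, e.g. that L4:TF is weakly reachable from L0:FT but is only found once parameterized transitions are used.

```python
"""Predicate abstraction of the talk's example program: may / must+ / must- transitions
computed by brute force, and the weak-reachability underapproximations from the slides.
Added illustration; not code from the paper or its authors."""
from itertools import product

# Program from the slides (pc = program counter):
#   L0: if x<6 then  L1: x := x+3
#   L2: if x>7 then  L3: x := x-3
#   L4: (end)
# Predicates: (x < 6), (x > 7).  Concrete state = (pc, x).  XS is a constructed bound
# that the program cannot leave, so enumerating it is exact for this program.
XS = range(-20, 40)

def step(c):
    """Concrete successors of c = (pc, x)."""
    pc, x = c
    if pc == "L0": return {("L1", x)} if x < 6 else {("L2", x)}
    if pc == "L1": return {("L2", x + 3)}
    if pc == "L2": return {("L3", x)} if x > 7 else {("L4", x)}
    if pc == "L3": return {("L4", x - 3)}
    return set()                                    # L4: no successors

def alpha(c):
    """Abstraction function: (pc, does x<6 hold?, does x>7 hold?)."""
    pc, x = c
    return (pc, x < 6, x > 7)

def name(a):
    return f"{a[0]}:{'T' if a[1] else 'F'}{'T' if a[2] else 'F'}"

# Concrete states reachable from the initial states (L0, x), their predecessors, and
# the abstract states with their concretizations GAMMA[a].
CONC, todo = set(), [("L0", x) for x in XS]
while todo:
    c = todo.pop()
    if c not in CONC:
        CONC.add(c); todo.extend(step(c))
PRED = {c: {p for p in CONC if c in step(p)} for c in CONC}
ABS = {alpha(c) for c in CONC}
GAMMA = {a: {c for c in CONC if alpha(c) == a} for a in ABS}
TRUE = lambda c: True

def may(a, b):
    """Existential abstraction: some c in a has a successor in b."""
    return any(step(c) & GAMMA[b] for c in GAMMA[a])

def must_plus(a, b, phi=TRUE):
    """Total (parameterized by phi): every c in a with phi(c) has a successor in b."""
    return all(step(c) & GAMMA[b] for c in GAMMA[a] if phi(c))

def must_minus(a, b, phi=TRUE):
    """Onto (parameterized by phi): every c' in b with phi(c') has a predecessor in a."""
    return all(PRED[c2] & GAMMA[a] for c2 in GAMMA[b] if phi(c2))

def weakly_reachable(a, b):
    """Ground truth: some c in a reaches some c' in b in zero or more concrete steps."""
    seen, todo = set(GAMMA[a]), list(GAMMA[a])
    while todo:
        for c2 in step(todo.pop()):
            if c2 not in seen:
                seen.add(c2); todo.append(c2)
    return bool(seen & GAMMA[b])

def closure(rel):
    """[rel]*: reflexive-transitive closure over abstract states, as a -> set of targets."""
    reach = {a: {a} | {b for b in ABS if rel(a, b)} for a in ABS}
    changed = True
    while changed:
        changed = False
        for a in ABS:
            new = set().union(*(reach[b] for b in reach[a]))
            if not new <= reach[a]:
                reach[a] |= new; changed = True
    return reach

MP_STAR, MM_STAR = closure(must_plus), closure(must_minus)

def under_plus_star(a, b):                 # [must+]*(a,b)   (previous work, FMCO'04)
    return b in MP_STAR[a]

def under_minus_star_plus_star(a, b):      # [must-]*(a,m) followed by [must+]*(m,b)
    return any(b in MP_STAR[m] for m in MM_STAR[a])

def under_parameterized(a, b):
    """Tighter chain: [must-]*(a,a2); must-(phi1)(a2,a3); must+(phi2)(a3,a4); [must+]*(a4,b),
    with the strongest parameters phi1 = SP(s,a2), phi2 = WP(s,a4) computed as state sets,
    and phi1 & phi2 & a3 required to be satisfiable (non-empty)."""
    for a2 in MM_STAR[a]:
        sp = {c2 for c in GAMMA[a2] for c2 in step(c)}            # SP: successors of a2
        for a3, a4 in product(ABS, repeat=2):
            if b not in MP_STAR[a4] or not (sp & GAMMA[a3]):
                continue
            wp = {c for c in GAMMA[a3] if step(c) & GAMMA[a4]}    # WP: states of a3 with a successor in a4
            if (sp & wp & GAMMA[a3] and must_minus(a2, a3, sp.__contains__)
                    and must_plus(a3, a4, wp.__contains__)):
                return True
    return False

if __name__ == "__main__":
    a, b = ("L0", False, True), ("L4", True, False)              # L0:FT and L4:TF
    print(f"{name(b)} weakly reachable from {name(a)}:", weakly_reachable(a, b))
    print("found by [must+]*:", under_plus_star(a, b))
    print("found by [must-]*[must+]*:", under_minus_star_plus_star(a, b))
    print("found with parameterized transitions:", under_parameterized(a, b))
```

Running the script reproduces the slide's labels: L1:TF to L2:FT is a may edge only, while L1:TF to L2:TF and L2:FF and L3:FT to L4:FF and L4:FT are must– edges; with the parameter x < 9 (the SP and WP values computed on the slides) the may edges L1:TF to L2:FT and L3:FT to L4:TF become must–(x<9) and must+(x<9). Because SP and WP are used as the parameters, the satisfiability check reduces to a non-empty intersection, which is exactly what "strongest parameters" means here.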

Applications

• Falsification of properties in CTL, LTL

• Abstraction-guided test generation
  – tighter underapproximation of weakly-reachable states improves coverage of the generated tests
  – example of QuickSort’s partition function

Summary

• Ternary Modal Transition System (TMTS)
  – onto and total must transitions
  – full-PML logically characterizes the precision preorder on TMTS

• 6-valued semantics of μ-calculus for TMTS

• Tighter underapproximation of weak reachability with parameterized transitions
  – completeness result using assume-guarantee transitions
