counterexample-guided abstraction refinement

Counterexample-Guided Abstraction Refinement

By Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith

Presented by Yunho KimProvable Software Lab, KAIST

Contents

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 2/30

• Introduction

• Notations

• The abstraction-refinement framework–Generating the initial abstraction–Model checking the abstract model–Refining the abstraction

• Experimental results and conclusion

• The state explosion problem is a major difficulty in applying model checking to large systems

• Abstraction technique reduces a set of equivalent states to one abstract state

• Model checking an abstract model has less time and memory requirements than doing a concrete model

Introduction(1/3)

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 3/30

• Can model checking an abstract model guarantee the correctness of the concrete model?

• Existential abstraction guarantee the following with a given specification Á

• However, existential abstraction may generate spurious counterexamples

Introduction(2/3)

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 4/30

cM j= Á ) M j= Á

cM 2 Á ; M 2 Á

Introduction(3/3)

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 5/30

• Overview of counterexample-guided abstraction refinement

Building new abstract model

Modelchecking

Abstraction refinement

Spuri-ous?

Concrete model MSpec φ

Spurious Coun-terexample

φ false +

counterexam-ple

φ true

φ

Today’s focus:

cMAbstract model

Contents

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 6/30

• Introduction

• Notations

• The abstraction-refinement framework–Generating the initial abstraction–Model checking the abstract model–Refining the abstraction

• Conclusion

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 7/30

• A program P has a finite set of variables V = {v1, ,vn} , where each variable vi has an associated finite domain Dvi

• The set of all possible states for program P is Dv1 £ £ Dvn denoted by D

• Example– A example program EP has a set of variables V = {v1, v2}– v1 has domain Dv1 = {0, 1} and v2 has Dv2 = {0, 1, 2}– The set of all possible states for for EP is {0, 1} £ {0, 1,

2} • (0, 0), (0, 1), (0, 2), (1, 0), (1, 1), (1, 2)

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 8/30

• Expressions are built from variables in V, con-stants in Dvi, and function symbol – E.g. v1 + 3

• Atomic formulas are constructed from expres-sions and relation symbols– E.g. v1 + 3 < 5

• Predicates are composed of atomic formulas using :, Æ, Ç – E.g. (v1 + 3 < 5) Ç :(v2 + 4 > 7)

• Given predicate p, Atoms(p) is the set of atomic formulas occurring in it.– E.g Atoms(p) = {v1 + 3 < 5, v2 + 4 > 7}

where p is (v1 + 3 < 5) Ç :(v2 + 4 > 7)

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 9/30

• Let p be a predicate containing variables from V, and d = (d1, , dn) 2 D

• Then, d ² p when the predicate obtained by replac-ing each vi by the constant di evaluates true

• Example– A given predicate p is (v1 + 3 < 5) Ç :(v2 + 4 > 7) where

v1 has domain Dv1 = {0, 1, 2} and v2 has Dv2 = {0, 1, 2, 3, 4}

– (0, 1) ² p , (2, 4) 2 p

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 10/30

• Each variable vi has an associated transition block– A program P consists of variables and their transition

blocks• Transition block defines both the initial value and

the transition relation for the variable vi

• Bi, transition block for vi • Ii µ Dvi • Each condition is a predicate• is an expression• Semantics of case is that find

the least j such that is true and assign the value of the ex-pression to vi in the next state

• Atoms(Bi) = 15 j 5 k Atoms( )• Atoms(P) = Atoms(Á) [

Atoms(Bi)

C ji

A ji

C ji

A ji

C ji

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 11/30

• Transition block example.• A program P has a V = {x, y} and Dx = Dy = {0, 1,

2}

• Atoms(P) = Atoms(Bx) [ Atoms(By) = {x < y, x = y} [ {x = y, y = 2} = {x < y, x = y, y = 2}

0,0x, y 0,1 1,21,1 0,2 2,2

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 12/30

• Each program P corresponds to a labeled Kripke structure M = (S, I, R, L)– S = D, is a set of states– I µ S, is a set of initial states– R µ S £ S is a transition relation– L : S ! 2Atoms(P) , L(d) = {f 2 Atoms(P) | d ² f}– L maps a state to a set of predicates whose elements

evaluate true in the state

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 13/30

• Example• P has a V = {x, y} and Dx = Dy = {0, 1, 2}• Atoms(P) = {x < y, x = y, y = 2}

• M = (S, I, R, L)– S = D = {0, 1, 2} £ {0, 1, 2}– I = {(0, 1)}– R = {((0,1),(1,1)),((1,1),(0,2)),((0,2),(1,2)),((1,2),(2,2)),((2,2),

(0,0)),((0,0),(0,1))}– L(0,1)=L(0,2)=L(1,2)={x<y}, L(1,1)=L(0,0)={x=y},

L(2,2)={x=y, y=2}– I describe only reachable states from initial state.

{x=y}

x, y

{x<y}

{x<y}

{x=y}

{x<y}

{x=y,

y=2}

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 14/30

• An abstract function h is a onto function from con-crete domain D to abstract domain

• The abstract Kripke structure is de-fined as follows– is the abstract domain – iff where – iff

where –

bDh : D ! bD

cM = (bS; bI ; bR; bL)bS bDbd 2 bI

9d19d2(h(d1) = bd1 ^h(d2) = bd2 ^(d1;d2) 2 R)9d(h(d) = bd^d 2 I )

( bd1; bd2) 2 bR

bL(bd) = Sh(d)=bd L(d)

bd2 bD ^d 2 D

bd1; bd2 2 bD ^d1;d2 2 D

Notations

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 15/30

• Example• M = (S, I, R, L)

– S = D = {0, 1, 2} £ {0, 1, 2}– I = {(0, 1)}– R = {((0,1),(1,1)),((1,1),(0,2)),((0,2),(1,2)),((1,2),(2,2)),((2,2),

(0,0)),((0,0),(0,1))}– L(0,1)=L(0,2)=L(1,2)={x<y}, L(1,1)=L(0,0)={x=y},

L(2,2)={x=y, y=2}– I describe only reachable states from initial state.

• Abstraction function h– h(0,0)=h(1,1)=0, h(0,1)=1, h(0,2)=h(1,2)=2, h(1,0)=h(2,0)=h(2,1)=3, h(2,2)=4

• – = {0, 1, 2, 3, 4}– = {1}– = {(1,0),(0,2),(2,2),(2,4),(4,0),(0,1)}–

1{x<y}

0{x=y}

2{x<y}

4{x=y,

y=2}

cM = (bS; bI ; bR; bL)bSbIbR

bL(0) = fx = yg; bL(1) = bL(2) = fx < yg;bL(3) = fg; bL(4) = fx = y;y = 2g

Contents

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 16/30

• Introduction

• Notations

• The abstraction-refinement framework–Generating the initial abstraction–Model checking the abstract model–Refining the abstraction

• Conclusion

Overview

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 17/30

• Overview of counterexample-guided abstraction refinement

Building new abstract model

Modelchecking

Abstraction refinement

Spuri-ous?

Concrete model MSpec φ

Spurious Coun-terexample

φ false +

counterexam-ple

φ true

φ

Today’s focus:

cMAbstract model

Initial Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 18/30

• Initial abstraction is based on formula cluster

• Given an atomic formula f, let var(f) be the set of variables appearing in f– E.g var(x=y) = {x, y}– Generally, for any syntactic entity X, var(X) is the set of

variables appearing in X

• Formula cluster is a equivalence class of an atomic formula f denoted by [f]– – For any two formulas from the formula cluster, they share

at least one variable.f1 ´ I f 2 i f f var(f 1) \ var(f 2) 6= ;

Initial Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 19/30

• The formula cluster induces a variable cluster– iff vi and vj appear in atomic formulas in the

same formula cluster – The equivalence classes of are variables clusters

• Example– FC1 = {v1 > 3, v1 = v2}, FC2 = {v3 < 4, v3 + v4 = v5}

VC1 = {v1, v2}, VC2 = {v3, v4, v5}

vi ´ V vj

´ V

Initial Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 20/30

• Let {FC1, , FCm} be the set of formula clusters and {VC1, , VCm} be the corresponding variables clusters

• Construct initial abstraction h = (h1, , hm)– Initial abstraction is based on formula clusters– For each hi, set DVCi

= v 2 VCi Dv

• For each VCi = {vi1, , vik

}, hi is defined on DVCi

• Two values are in the same equivalence class if they cannot be distinguished by atomic formulas in the FCi

hi (di ;¢¢¢;dk) = hi (e1;¢¢¢;ek) i f f8f 2 F Ci ;(d1;¢¢¢;dk) j= f , (e1;¢¢¢;ek) j= f

Initial Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 21/30

• Example• P has a V = {x, y} and Dx = Dy = {0, 1, 2}• Atoms(P) = {x < y, x = y, y = 2}• FC1 = {x < y, x = y, y = 2}, VC1 = {x, y}

• Abstraction function h0 = {(0,0),(1,1)}, FC1 evaluates {F, T, F} 1 = {(0,1)}, FC1 evaluates {T, F, F}2 = {(0,2),(1,2)}, FC1 evaluates {T, F, T}3 = {(1,0), (2,0), (2,1)}, FC1 evaluates {F, F, F}4 = {(2,2)}, FC1 evaluates {F, T, T}

Initial Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 22/30

• Example• M = (S, I, R, L)

– S = D = {0, 1, 2} £ {0, 1, 2}– I = {(0, 1)}– R = {((0,1),(1,1)),((1,1),(0,2)),((0,2),(1,2)),((1,2),(2,2)),((2,2),

(0,0)),((0,0),(0,1))}– L(0,1)=L(0,2)=L(1,2)={x<y}, L(1,1)=L(0,0)={x=y},

L(2,2)={x=y, y=2}– I describe only reachable states from initial state.

• Abstraction function h– h(0,0)=h(1,1)=0, h(0,1)=1, h(0,2)=h(1,2)=2, h(1,0)=h(2,0)=h(2,1)=3, h(2,2)=4

• – = {0, 1, 2, 3, 4}– = {1}– = {(1,0),(0,2),(2,2),(2,4),(4,0),(0,1)}–

{x<y}

{x=y,x<y}

{x<y}

{x=y,

y=2}

cM = (bS; bI ; bR; bL)bSbIbR

bL(0) = fx = yg; bL(1) = bL(2) = fx < yg;bL(3) = fg; bL(4) = fx = y;y = 2g

Model Checking

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 23/30

• If the abstract model satisfies the given require-ments, then the original model also satisfies the given requirements.

• We focus on the checking whether the counterex-ample is spurious or not.

Model Checking

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 24/30

• Counterexample is a path from to

• The concrete paths from are given by the follow-ing expression– Starting state s1 should be an element of the set of initial states– There is a relation from s1 to s2, s2 to s3, , sn-1 to sn– Each state si should be abstracted to

• The algorithm to compute– Let – where R is transition

relation in M• Img(Si-1, R) = {s’ | s 2 Si-1 Æ (s, s’) 2 R}

– If Sn ; then the counterexample is real

bT =< bs1;¢¢¢;csn > bs1 csn

bT

h¡ 1( bT) = f< s1;¢¢¢;sn > j V ni=1 h(si ) = bsi ^I (s1) ^V n¡ 1

i=1 R(si ;si+1)gf

bsi

h¡ 1( bT)S1 = h¡ 1( bs1) \ I

f or 1< i · n;Si := I mg(Si ¡ 1;R) \ h¡ 1(bsi )

bT

Model Checking

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 25/30

• Example• A program p has a variable v and Dv = {1, 12} • The abstract function is defined as follows

• The abstract domain

• In this model, is spruious?

h : D ! bDh(x) = b(x ¡ 1)=3c+1

bD = fb1;b2;b3;b4g

bT =< b1;b2;b3;b4>

3

1

2

3

4

5

6

7

8

9

10

11

12

b1 b2 b3 b4

Model Checking

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 26/30

• S1 = {1,2,3}• S2 = {4,5,6}• S3 = {9}• S4 = ;

• In this model, is spurious!

3

1

2

3

4

5

6

7

8

9

10

11

12

b1 b2 b3 b4

bT =< b1;b2;b3;b4>

Refining the Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 27/30

• If concrete model does not admit the counterex-ample

, then we refine the abstraction func-tion h so that new model does not allow

• Since is spurious, there exists a such that and Si is reachable

from with 1 < i · n– Si is reachable, however, there is no transition from Si to

bT =< bs1;¢¢¢;csn >

bT =< bs1;¢¢¢;csn > Si µ h¡ 1(bsi )

h¡ 1( bs1) \ II mg(Si ;R) \ h¡ 1( dsi+1) = ;

h¡ 1( dsi+1) = ;

bT

Refining the Abstraction

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 28/30

• So we partition into three subsets Si,0, Si,1, Si,x – Si,0 = Si

• Reachable but dead states– Si,1 =

• Not reachable but has next transition– Si,x=

• New abstraction function h’ should not allow one abstract state to contain both Si,0 and Si,1

h¡ 1(bsi )

f s 2 h¡ 1(bsi )j9s02 h¡ 1( dsi+1):(s;s0) 2 R)g

h¡ 1(bsi )n(Si ;0 [ Si ;1)Si,x

Si,1

Si,0

h¡ 1(bsi )h¡ 1( dsi ¡ 1) h¡ 1( dsi+1)

Experimental Results

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 29/30

• Comparison between cone of influence and CE-GAR– #var: # of symbolic variables– #prop: # of verification properties

– #COI and #ABS denote the number of abstracted sym-bolic variables in each abstraction

– |TR|: # of BDD nodes for transition relation– |MC|: # of additional BDD nodes used during verification

References

Counterexample-Guided Abstraction Refinement, Yunho Kim, Provable Software Lab, KAIST 30/30

• Counterexample-Guided Abstraction Refinementby Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veithin Computer-Aided Verification, volume 1855 of LNCS, pages 154-169, Springer Verlag, 2000