Quantitative Abstraction Refinement
Pavol Černý, IST Austria
Joint work with Thomas Henzinger, Arjun Radhakrishna
Haifa, Israel, November 2012
Quantitative analysis of programs
Quantitative requirements:
  – Resource consumption (energy usage)
  – Worst-case execution time, timeliness of response
Application domains:
  – (Embedded) software
  – (Partial-)program synthesis
Quantitative analysis: application to partial-program synthesis
Spec: mutual exclusion on device.

Input program (no synchronization):

    int buf[4]
    while (true) {
        buf = getBuffer();
        i = 0;
        while (i < 4) {
            dr = setTransf(buf, i);
            write(device, dr);
            i++;
        }
    }

1st correct solution, lock inside the loop:

    int buf[4]
    while (true) {
        buf = getBuffer();
        i = 0;
        while (i < 4) {
            dr = setTransf(buf, i);
            lock(lock);
            write(device, dr);
            unlock(lock);
            i++;
        }
    }

2nd correct solution, lock outside the loop:

    int buf[4]
    while (true) {
        buf = getBuffer();
        i = 0;
        lock(lock);
        while (i < 4) {
            dr = setTransf(buf, i);
            write(device, dr);
            i++;
        }
        unlock(lock);
    }
Example: cache behavior for worst-case execution time

    a, b, c, i, v : int;
    input v;
    if (v == 1)
        for (i = 0; i < 16; i++) read(a);
    else if (v == 2)
        for (i = 0; i < 16; i++) if (i mod 2 = 0) read(b);
    else
        for (i = 0; i < 16; i++) if (i mod 4 = 0) read(c);

A cache hit costs less than a miss; the abstraction has a cache of limited size.
  – No cache: worst-case execution is for v == 1
  – Cache contains the address of a: worst-case execution is for v == 2
  – Cache contains the address of b: worst-case execution is for all other values of v
Abstraction
Boolean case: safety.
What if the abstract system is too coarse? Answer: abstraction refinement.
Questions for this talk
Question: How do we perform abstraction with respect to quantitative objectives?
Question: How do we perform abstraction refinement with respect to quantitative objectives?
Based on: Černý, Henzinger, Radhakrishna. Quantitative abstraction refinement. POPL 2013.
Outline
Quantitative abstractions
  – State-based abstractions: abstract state = set of states + numbers
  – Segment-based abstractions: abstract state = set of segments + numbers
Abstraction refinement
Model of systems
Weighted transition systems (WTS): (Q, Σ, Δ, δ, q0), where Δ is a subset of Q × Q and δ is a function from Δ to R.
A trace is a sequence q0 q1 q2 … where each pair (q_i, q_{i+1}) is in Δ.
δ extended to traces: δ(q0 q1 q2 …) = r0 r1 … where δ(q_i, q_{i+1}) = r_i.
Properties
A quantitative property f is a function from S to R, given in two steps:
  f1 evaluates a trace;
  f2 summarizes the values f1 of all traces.
Limit-average objective: f1 evaluates a trace; f2 summarizes the values f1 of all traces. Example figure: f(S) = 3.
Discounted-sum objective: f1 evaluates a trace; f2 summarizes the values f1 of all traces.
Safety objective: f1 evaluates a trace; f2 summarizes the values f1 of all traces.
Properties considered: those that admit memoryless extremal traces.
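To make the two-step definition concrete, here is an added Python example (not from the talk) that evaluates the limit-average and discounted-sum objectives as f1 on lasso-shaped traces of a small constructed WTS, and takes f2 as the maximum over a given set of lassos, which suffices when the extremal traces are memoryless. The state names, weights and the discount factor are constructed for this example.

```python
from fractions import Fraction

# Constructed WTS: (q, q') -> weight, initial state "a". Not from the talk.
DELTA = {("a", "b"): 10, ("b", "a"): 1, ("b", "c"): 3, ("c", "c"): 0}

def weights(path):
    """delta extended to a finite path q0 q1 ... qn: the list r0 r1 ... r(n-1)."""
    return [DELTA[(p, q)] for p, q in zip(path, path[1:])]

def lim_avg(prefix, cycle):
    """f1 for the limit-average objective on the lasso prefix (cycle)^omega.
    The finite prefix does not affect the limit, so only the mean weight of
    one round of the cycle (including its closing edge) remains."""
    loop = weights(cycle + cycle[:1])
    return Fraction(sum(loop), len(loop))

def disc_sum(prefix, cycle, lam):
    """f1 for the discounted-sum objective with discount factor lam in (0, 1):
    sum over i of lam^i * r_i, using the closed form for the repeated cycle."""
    lam = Fraction(lam)
    head = weights(prefix + cycle[:1])          # edges before the cycle starts
    loop = weights(cycle + cycle[:1])           # one round of the cycle
    head_val = sum(lam ** i * r for i, r in enumerate(head))
    loop_val = sum(lam ** i * r for i, r in enumerate(loop))
    return head_val + lam ** len(head) * loop_val / (1 - lam ** len(loop))

def f2_max(f1, lassos):
    """f2: summarize the f1 values of all traces as their maximum (worst case).
    For properties with memoryless extremal traces the maximum is attained on
    a lasso, so it is enough to pass the candidate lassos."""
    return max(f1(prefix, cycle) for prefix, cycle in lassos)

# Candidate lassos from "a": (a b)^omega and a b (c)^omega. Constructed.
LASSOS = [([], ["a", "b"]), (["a", "b"], ["c"])]
```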
Abstraction for quantitative (accumulative) properties
Given a quantitative property f, construct an abstraction α and an abstract property f_α such that, for all systems S and for all equivalence relations ≡ on the states of S, the value of f_α on the abstract system over-approximates f(S), where the abstract system is a WTS whose set of states is given by the equivalence classes of ≡.
ExistsMax abstraction
Existential abstraction: the weight of an abstract edge = max of the corresponding concrete edges.
Example figure (lim-avg objective f): f(S) = 3, f_em(S_em) = 10.
Refinement of ExistsMax
Example figure (lim-avg objective f): f(S) = 3; after refinement, f_em(S_em) = 16/3.
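As an added example (not the talk's code), the following Python builds the ExistsMax abstraction of a constructed concrete WTS for a given partition and computes the lim-avg value of the concrete and abstract systems with the max-mean-cycle variant of Karp's algorithm, so the over-approximation and the effect of refining the partition can be observed. The system and the two partitions are constructed here and do not reproduce the slide's figure; states unreachable from q0 are ignored.

```python
from fractions import Fraction

# Constructed concrete WTS: a single cycle q0 -> q1 -> q2 -> q3 -> q0.
CONCRETE = {("q0", "q1"): 10, ("q1", "q2"): 1, ("q2", "q3"): 1, ("q3", "q0"): 0}
COARSE = {"q0": "X", "q1": "X", "q2": "X", "q3": "X"}     # one abstract state
REFINED = {"q0": "A", "q1": "B", "q2": "B", "q3": "B"}    # q0 split off

def exists_max(delta, cls):
    """ExistsMax: an abstract edge exists iff some concrete edge connects the
    two classes; its weight is the max over those concrete edges."""
    abstract = {}
    for (p, q), w in delta.items():
        key = (cls[p], cls[q])
        abstract[key] = max(w, abstract.get(key, w))
    return abstract

def max_lim_avg(delta, q0):
    """Worst-case limit-average of a WTS from q0: the maximum mean cycle
    reachable from q0 (Karp's algorithm with max in place of min)."""
    states = sorted({s for edge in delta for s in edge})
    n, NEG = len(states), float("-inf")
    # D[k][v] = largest weight of a walk of exactly k edges from q0 to v
    D = [{s: NEG for s in states} for _ in range(n + 1)]
    D[0][q0] = 0
    for k in range(1, n + 1):
        for (p, q), w in delta.items():
            if D[k - 1][p] != NEG:
                D[k][q] = max(D[k][q], D[k - 1][p] + w)
    best = None
    for v in states:
        if D[n][v] == NEG:          # no n-edge walk reaches v: skip it
            continue
        ratio = min(Fraction(D[n][v] - D[k][v], n - k)
                    for k in range(n) if D[k][v] != NEG)
        best = ratio if best is None else max(best, ratio)
    return best

def f_em(delta, cls, q0):
    """Lim-avg value of the ExistsMax abstraction of (delta, q0) under cls."""
    return max_lim_avg(exists_max(delta, cls), cls[q0])

if __name__ == "__main__":
    print(max_lim_avg(CONCRETE, "q0"))     # 3: the concrete value f(S)
    print(f_em(CONCRETE, COARSE, "q0"))    # 10: coarse over-approximation
    print(f_em(CONCRETE, REFINED, "q0"))   # 5: refinement tightens the bound
```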
PathBound abstraction
Idea: for more precision, keep facts about paths, not states. Boolean case: segment-based abstraction [Cousot, Cousot 12; Podelski, Rybalchenko 04].
Each abstract state records:
  val = max value of an internal edge
  maxp = the longest internal simple path
  minp = the shortest internal simple path
  loop/noloop: whether there is an internal loop
PathBound abstraction: example figure
First abstract state: val = 10, maxp = 2, minp = 2, noloop. Second abstract state: val = 1, maxp = 4, minp = 3, noloop.
Lim-avg objective f: f(S) = 3, f_pb(S_pb) = (10*2 + 3 + 1*3 + 3)/(2 + 1 + 3 + 1) = 29/7.
Monotonicity of refinement
If ≈ is a refinement of ≡, it is desirable that the abstraction under ≈ is at least as precise as the abstraction under ≡.
Monotonicity enables anytime verification: the analysis can be stopped at any time and return a sound approximation, and the approximation gets better if the analysis is given more time.
Characteristics of abstractions
ExistsMax is an overapproximation, where f is LimAvg, DiscSum, Safety, Liveness, etc.
ExistsMax is monotonic: if ≈ is a refinement of ≡, then the ExistsMax value under ≈ is at least as precise as under ≡.
PathBound is an overapproximation.
PathBound is not monotonic.
Characteristics of abstractions: PathBound is not monotonic
Counterexample (lim-avg objective f). Concrete system S: f(S) = 48/6 = 8. Abstract system: f_pb(S_pb) = (10*4 + 4 + 4)/(4 + 1 + 1) = 8. Refined abstract system: f_pb(S_pb) = (10*3 + 10*…)/(…) = 78/9 > 8.
Proposed solution: introduce a hierarchical abstraction so that the previous estimates are not lost.
Hierarchical segment-based abstraction
Hierarchical segment-based abstraction [Cousot, Cousot 2012] is suitable for software with hierarchical structure: nested loops, function calls.
Example tree: All traces → init, Loop1, Loop2, Loop3.
Concatenated segments of the children nodes cover the segments in the parent node.
Hierarchical segment-based abstraction: example program

    while (true) {
        j := 0;
        while (j < 10) {
            if B then costlyOp;
            B := not B;
            j++
        };
        while (j < 20) {
            cheapOp;
            j++
        }
    }

Control-flow graph edges: [true], j := 0, [j<10], [not B], [B], costlyOp, B := not B, j++, [j>=10], [j<20], cheapOp, j++, [j>=20].
Cost: costlyOp costs 10, everything else 0. Overall cost (lim-avg): (5*10)/79.
HPathBound on the example program
Control-flow graph nodes A B C D E F G H I J with edges: A -[true]-> B, B -j := 0-> C, C -[j<10]-> D, D -[B]-> E, D -[not B]-> F, E -costlyOp-> F, F -B := not B-> G, G -j++-> C, C -[j>=10]-> H, H -[j<20]-> I, I -cheapOp-> J, J -j++-> H, H -[j>=20]-> A.
Segment tree: All traces → ABC, Loop1, CH, Loop2, HA; Loop1 → CDEFGC, CDFGC; Loop2 → HIJH.
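Added example (not from the talk): the example program encoded as a cost-labelled control-flow graph with the node names A..J of the slide, executed from A until a (node, j, B) state repeats; the repeating cycle is cut at the loop heads A, C and H into the segments named above, and its mean cost per edge reproduces the (5*10)/79 figure. The initial value of B is not given on the slide and is assumed here; it does not change the result.

```python
from fractions import Fraction

# Control-flow graph of the example program, node -> edges, each edge being
# (label, guard(j, B), update(j, B), cost, target). costlyOp costs 10 and
# every other edge 0, as on the slide.
CFG = {
    "A": [("[true]",   lambda j, b: True,    lambda j, b: (j, b),      0, "B")],
    "B": [("j:=0",     lambda j, b: True,    lambda j, b: (0, b),      0, "C")],
    "C": [("[j<10]",   lambda j, b: j < 10,  lambda j, b: (j, b),      0, "D"),
          ("[j>=10]",  lambda j, b: j >= 10, lambda j, b: (j, b),      0, "H")],
    "D": [("[B]",      lambda j, b: b,       lambda j, b: (j, b),      0, "E"),
          ("[not B]",  lambda j, b: not b,   lambda j, b: (j, b),      0, "F")],
    "E": [("costlyOp", lambda j, b: True,    lambda j, b: (j, b),     10, "F")],
    "F": [("B:=not B", lambda j, b: True,    lambda j, b: (j, not b),  0, "G")],
    "G": [("j++",      lambda j, b: True,    lambda j, b: (j + 1, b),  0, "C")],
    "H": [("[j<20]",   lambda j, b: j < 20,  lambda j, b: (j, b),      0, "I"),
          ("[j>=20]",  lambda j, b: j >= 20, lambda j, b: (j, b),      0, "A")],
    "I": [("cheapOp",  lambda j, b: True,    lambda j, b: (j, b),      0, "J")],
    "J": [("j++",      lambda j, b: True,    lambda j, b: (j + 1, b),  0, "H")],
}

def run_cycle(j0=0, b0=True):
    """Execute the CFG from A until a (node, j, B) state repeats. The trace is
    a lasso; return the node sequence and edge costs of its repeating cycle.
    The initial value of B is an assumption (the slide does not give it)."""
    state, seen, nodes, costs = ("A", j0, b0), {}, [], []
    while state not in seen:
        seen[state] = len(costs)
        node, j, b = state
        _, _, update, cost, dst = next(e for e in CFG[node] if e[1](j, b))
        nodes.append(node)
        costs.append(cost)
        state = (dst, *update(j, b))
    k = seen[state]
    return nodes[k:] + [state[0]], costs[k:]

def lim_avg(costs):
    """Mean cost per edge of one round of the cycle."""
    return Fraction(sum(costs), len(costs))

def segments(nodes, costs, heads=("A", "C", "H")):
    """Cut a path at every visit of a loop head into (segment, cost) pairs,
    e.g. ("CDEFGC", 10) for a Loop1 iteration that executes costlyOp."""
    out, start = [], 0
    for i in range(1, len(nodes)):
        if nodes[i] in heads:
            out.append(("".join(nodes[start:i + 1]), sum(costs[start:i])))
            start = i
    return out
```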
Outline: abstraction refinement
Abstraction refinement for ExistsMax
An abstract counterexample consists of a handle followed by a loop.
Does the handle correspond to a real path?
Does the loop correspond to a concrete loop with the same cost?
Abstraction refinement for ExistsMax: does the loop correspond to a concrete loop with the same cost?
The loop needs to be unrolled 1 + min_j |l_j| times, where |l_j| is the size of an abstract state l_j in the loop.
Abstraction refinement for ExistsMax: heuristics
Classical CEGAR has two heuristics: the choice of counterexample and the choice of refinement.
Quantitative refinement: take the extremal counterexample; split where the difference between the abstract and the concrete transition is largest.
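One way to mechanise the handle check and the split heuristic, as an added Python example (not the talk's implementation): given a constructed concrete WTS, the current partition and an abstract counterexample (handle plus loop over abstract states), it checks whether the handle and one round of the loop are realisable concretely and returns the abstract state to split where abstract and concrete weights differ most. The split rule used (separate the states that attain the abstract edge weight) and the single loop round, rather than the full unrolling bound, are assumptions of this example.

```python
# Constructed concrete WTS; q1 -> q3 is a shortcut of weight 4. Not from the talk.
DELTA = {("q0", "q1"): 10, ("q1", "q2"): 1, ("q1", "q3"): 4,
         ("q2", "q3"): 1, ("q3", "q0"): 0}
CLS = {"q0": "A", "q1": "B", "q2": "B", "q3": "B"}   # current partition

def abstract_weight(delta, cls, a, b):
    """ExistsMax weight of the abstract edge a -> b (None if there is none)."""
    ws = [w for (p, q), w in delta.items() if cls[p] == a and cls[q] == b]
    return max(ws) if ws else None

def concretize(delta, cls, q0, classes):
    """Layer i = concrete states reachable from q0 along a path that visits
    exactly the abstract states classes[0..i]; an empty layer means the
    abstract path is spurious from that step on."""
    layers = [{q0} if cls[q0] == classes[0] else set()]
    for b in classes[1:]:
        layers.append({q for (p, q) in delta if p in layers[-1] and cls[q] == b})
    return layers

def handle_is_real(delta, cls, q0, handle):
    """First question of the talk: does the handle correspond to a real path?"""
    return all(concretize(delta, cls, q0, handle))

def choose_split(delta, cls, q0, handle, loop):
    """Pick the transition of the counterexample with the largest gap between
    its ExistsMax weight and the best weight actually available from the
    concretely reachable states (an unrealisable step counts as an infinite
    gap). Returns (class to split, states attaining the abstract weight)."""
    classes = handle + loop + loop[:1]          # handle, then one loop round
    layers = concretize(delta, cls, q0, classes)
    best = None
    for i, (a, b) in enumerate(zip(classes, classes[1:])):
        abs_w = abstract_weight(delta, cls, a, b)
        real = [w for (p, q), w in delta.items() if p in layers[i] and cls[q] == b]
        gap = abs_w - max(real) if real else float("inf")
        if best is None or gap > best[0]:
            attain = {p for (p, q), w in delta.items()
                      if cls[p] == a and cls[q] == b and w == abs_w}
            best = (gap, a, attain)
    return best[1], best[2]

def refine(cls, a, part, new_name):
    """Split class a: the states in part move to new_name, the rest stay in a."""
    return {p: (new_name if p in part else c) for p, c in cls.items()}
```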
Hierarchical segment abstraction refinement (example program above)
Segment tree: All traces → ABC, Loop1, CH, Loop2, HA; Loop1 → CDEFGC, CDFGC; Loop2 → HIJH.
Counterexample: the trace (CDEFG)^ω.
Remove it by:
  – adding the predicate B, which prevents every iteration from going through costlyOp;
  – adding loop bounds, which force the trace out of Loop1 (the j++ edge is tracked as the relation j' = j + 1).
Experimental results
Example: worst-case execution time analysis (the cache-behavior program from the introduction)
Table: step, tracked (i, a, b, c, v), lim-avg value, analysis time.
Example: binary search

    while (true) {
        input(s);
        l = 0; r = N - 1;
        do {
            m = (l + r) / 2;
            if (s > a[m]) l = m + 1; else r = m - 1;
        } while (l <= r && a[m] != s);
    }

Worst-case execution time analysis. Table: step, tracked (m, r, l, s, a[(N - 1)/2], a[(N - 3)/4], a[(3N - 1)/4]), lim-avg value, analysis time.
ExistsMax vs PathBound
Table: partition size, ExistsMax lim-avg value, PathBound lim-avg value.
Example: Karp's algorithm for finding the min-mean cycle.

    unsigned int graph[SIZE][SIZE];
    unsigned int D[SIZE + 1][SIZE];

    int main() {
        unsigned int k, v, u, vNum, vDen, currNum, currDen;
        initialize(D);
        D[0][0] = 0;
        /* D[k][u]: largest weight of a walk of exactly k edges ending in u */
        for (k = 1; k <= SIZE; k++) {
            for (v = 0; v < SIZE; v++) {
                for (u = 0; u < SIZE; u++) {
                    if (D[k][u] < D[k - 1][v] + graph[u][v])
                        D[k][u] = D[k - 1][v] + graph[u][v];
                }
            }
        }
        /* vNum/vDen: best cycle mean found so far, kept as a fraction */
        vNum = 0; vDen = 1;
        for (v = 0; v < SIZE; v++) {
            currNum = ELIDED_INITIAL_VALUE;   /* placeholder: the initial value is cut off on the slide */
            currDen = 1;
            for (k = 0; k < SIZE; k++) {
                if ((D[SIZE][v] - D[k][v]) * currDen < (SIZE - k) * currNum) {
                    currNum = D[SIZE][v] - D[k][v];
                    currDen = SIZE - k;
                }
            }
            if (currNum * vDen > currDen * vNum) {
                vNum = currNum;
                vDen = currDen;
            }
        }
    }
Conclusion
Contributions
  – Framework for abstractions for quantitative (accumulative) properties
  – State-based and segment-based abstractions
  – Counterexample-guided abstraction refinement algorithm
  – Hierarchical segment-based abstraction and refinement
Future work
  – Quantitative reasoning for CEGAR in Boolean systems
  – Application to partial-program synthesis