3-Valued Abstraction and 3-Valued Model-Checking.

Slides:



Advertisements
Similar presentations
1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.
Advertisements

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Possibilistic and probabilistic abstraction-based model checking Michael Huth Computing Imperial College London, United Kingdom.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Using 3-Valued Models in Abstraction-based Model Checking Seminar in Formal Verification Spring 2006 Presented by Alik Zamansky.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
The Theory of NP-Completeness
Witness and Counterexample Li Tan Oct. 15, 2002.
1 2-Valued and 3-Valued Abstraction- Refinement Frameworks for Model Checking Orna Grumberg Technion Haifa, Israel Tutorials at ATVA, 2009.
¹ -Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction.
ECE Synthesis & Verification - L211 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Verification Equivalence checking.
Review of the automata-theoretic approach to model-checking.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Witness and Counterexample Li Tan Oct. 15, 2002.
Proof by Deduction. Deductions and Formal Proofs A deduction is a sequence of logic statements, each of which is known or assumed to be true A formal.
Programming Language Semantics Denotational Semantics Chapter 5 Part III Based on a lecture by Martin Abadi.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
Propositional Calculus Math Foundations of Computer Science.
Copyright © Cengage Learning. All rights reserved.
Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.
CSC2108: Automated Verification or Everything you Wanted to Know about Model-Checking Ü Instructor: Marsha Chechik Ü
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
Advanced Topics in Propositional Logic Chapter 17 Language, Proof and Logic.
Data Abstractions for the Verification of Web Service Compositions Raman KazhamiakinMarco Pistore DIT, University.
1 Bisimulations as a Technique for State Space Reductions.
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
CS 267: Automated Verification Lecture 3: Fixpoints and Temporal Properties Instructor: Tevfik Bultan.
Theory and Applications
LDK R Logics for Data and Knowledge Representation Propositional Logic: Reasoning First version by Alessandro Agostini and Fausto Giunchiglia Second version.
A Logic of Partially Satisfied Constraints Nic Wilson Cork Constraint Computation Centre Computer Science, UCC.
Logical Agents Chapter 7. Outline Knowledge-based agents Logic in general Propositional (Boolean) logic Equivalence, validity, satisfiability.
Section 1.2: Propositional Equivalences In the process of reasoning, we often replace a known statement with an equivalent statement that more closely.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
How Model-Checking Can Help Model Exploration Marsha Chechik Dept of Computer Science University of Toronto Joint work with Arie Gurfinkel, Benet Devereux.
1 Reasoning with Infinite stable models Piero A. Bonatti presented by Axel Polleres (IJCAI 2001,
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Albert Gatt LIN3021 Formal Semantics Lecture 3. Aims This lecture is divided into two parts: 1. We make our first attempts at formalising the notion of.
Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.
Asymmetry and 3-Valued Symmetry Reduction Course Project of CSC 2108H, 2003 Ou Wei Yong Yuan Department of Computer Science, University of Toronto, 2004.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
Counterexample-Guided Abstraction Refinement By Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith Presented by Yunho Kim Provable Software.
Logical Agents. Outline Knowledge-based agents Logic in general - models and entailment Propositional (Boolean) logic Equivalence, validity, satisfiability.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Basic concepts of Model Checking
Logic.
Formal methods: Lecture
Propositional Calculus: Boolean Algebra and Simplification
Over-Approximating Boolean Programs with Unbounded Thread Creation
Formal Methods in software development
Computer Security: Art and Science, 2nd Edition
Predicates and Quantifiers
Introduction to verification
Formal Methods in software development
Formal Methods in software development
Presentation transcript:

3-Valued Abstraction and 3-Valued Model-Checking

2 Abstraction Ü Abstraction:  an effective technique to combat state explosion problem  approximate sets of concrete states by an abstract state  approximate sets of concrete transitions by an abstract transition Ü Using 2-valued logic (over-approximation)  False variables represent “unknown” value  True transitions represent possible behaviour r (s 0,1 )=T ⇒ r (s 0 )=T p (s 0,1 )=F ⇒ ? p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 r pq¬rpq¬r s 0,1 s2s2

3 Abstraction, Cont’d Ü Using 2-valued logic  False variables represent “unknown” value  True transitions represent possible behaviour AX (r  p)(s 0,1 )=T ⇒ AX (r  p)(s 0 )=T AX r (s 0,1 )=F ⇒ ? EX (  r   p)(s 0,1 )=F ⇒ EX (  r   p)(s 0 )=F EX r(s 0,1 )=T ⇒ ? p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 r pq¬rpq¬r s 0,1 s2s2

4 Abstraction, Cont’d Ü Soundness:  Only with respect to True universal properties  For existential properties – use under-approximation  For False properties:  play counter-example to determine whether spurious  Use counter-example-based abstraction refinement

5 3-valued abstraction Ü Goals:  Reason about mixed properties  Not have to tell which counterexamples are spurious  Not have an increase in statespace, when compared to 2- valued  Use counterexample for abstraction refinement Ü Outline:  3-valued logic, properties, models, model-checking  3-valued abstractions  Abstraction refinement

6 Logic: 3-valued Kleene logic Logic order Ü Properties:  F ⊑ M, M ⊑ T  A  B = min (A, B)  A  B = max (A, B)   T = F,  F = T,  M = M Ü Preserves:  Commutativity, associativity, idempotence, De Morgan laws Ü Does not preserve  Law of excluded middle: A  A= T (top)  Law of non-contradiction: A  A=  (bottom) T F M

7 Note Ü 3-valued logic forms a lattice  Ordering ⊑ : less than or equal  Meet operation ⊓ : min  Join operation ⊔ : max  Negation : horizontal symmetry Ü This is an example of a quasi-boolean algebra Ü Equality and Identity are different!  a  b  a = b T F M

8 Logic Ü Information order  M contains least amount of information  T, F – maximum amount of information  If one refines M – it can change to T or F or stay at M TF M

9 Overview of MV-Model CheckingOverview of Model Checking Yes/No Answer Yes/No Answer SW/HW artifact SW/HW artifact Correctness properties Correctness properties Temporal logic Temporal logic Model of System Model of System Model Extraction Model Extraction Translation Model Checker Model Checker Correct? MV-Logic Answer MV-Logic Answer MV-Model Checker MV-Model Checker How correct?

10 Multi-valued state machines: Xkripke structures Ü Extension of conventional state machines (Kripke structures)  variables take any value from the logic ( T, F, M )  transitions between states take any value from the logic  False transitions are not shown (by convention) Ü Example: pressed = T request = F pressed = T request = F pressed = M request = T T TM T

11 Formally, Ü Kripke structures extended for MV case  M =  L is a quasi-boolean algebra (ℒ, ⊑, ⊓,⊔,  ), where ( ℒ, ⊑ ) is a lattice  S is a (finite) set of states, each with a unique name  A is a set of atomic propositions  s 0 is a unique initial state ( s 0  S )  I: S  A  ℒ is the interpretation function that assigns a logic value to each atomic proposition  R: S  S  ℒ is the function that assigns a logic value to each transition between states

12 3-valued CTL Ü multi-valued extension of CTL  same syntax as CTL  plus constants from the logic ( T, M, F ) Ü semantics:  replace existential quantification by disjunction, universal quantification by conjunction, so (EX  ) (s) =  t  S s.t. ( R(s,t)   (t) )  t  S ( R(s,t)   (t) ) For all states s, (AX  ) (s) = (  EX(   )) (s) (EG  ) (s) =  (s)  (EX EG  ) (s) (AG  ) (s) = (  EF(   )) (s) Examples: AG (request -> AX pressed) ≟ AG (pressed \/ request) ≟  other operators are defined as in CTL: T F M pressed = T request = F pressed = T request = F pressed = M request = T T TM T

13 Model-Checking Cont’d Ü Can a True property evaluate to M? Ü Answer:  Yes  AG (pressed \/  pressed) = M  Comes from law of excluded middle Ü Some terminology:  Compositional semantics  Evaluate each CTL operator, compose according to lattice rules  Thorough semantics [Bruns&Godefroid 00]  Property evaluates to M iff exists a refinement where it evaluates to T and a refinement where it evaluates to F.  $$ to evaluate

14 Symbolic mv model-checking Ü Similar idea to classical model-checking  recursively go through the structure of XCTL property  encode sets of states symbolically  encode transition relation symbolically Ü Data structures  direct approach: MDDs  the number of terminal nodes and branching factor equal to number of values in logic  Example: x  y in 3-valued logic x yy FMT F F F M M M T TT  can use BDD vector …  or mixed approaches (MBTDDs, MTBDDs)

15 Reduction to Classical Ü [Bruns&Godefroid’99]. Assumption: transition relation is classical  Move negation to level of atomic propositions  Create a positive and negative version of every atomic proposition  Let x = M.  Positive cut:  Set x and and  x to True  PosAnswer = check property  Negative cut:  Set x and and  x to False  NegAnswer = check property Ü If NegAnswer = PosAnswer (True or False)  Return this as answer Ü Else  Return Maybe

16 Example p = T q = F z- =T z+=T p = T q = F z = F p = T q+ = T q- = T z = F Model Positive Cut [[p ∧¬q ∨z ]](s 0 ) = T p = T q = F z = M p = T q = F z = F p = T q = M z = F

17 Example p = T q = F z- = F z = F p = T q = F z = F p = T q+ = F q- = F z = F Model Negative Cut p = T q = F z = M p = T q = F z = F p = T q = M z = F [[p ∧¬q ∨z ]](s 0 ) = F Therefore, the answer is M

18 Example p = T q = F z- =T z+= T p = T q = F z = F p = T q+ = T q- = T z = F Model Positive Cut p = T q = F z = M p = T q = F z = F p = T q = M z = F [[EX (p ∧¬q ∨z )]](s 0 ) = T

19 Example p = T q = F z- = F z = F p = T q = F z = F p = T q+ = F q- = F z = F Model Negative Cut p = T q = F z = M p = T q = F z = F p = T q = M z = F [[EX (p ∧¬q ∨z )]](s 0 ) = T Therefore, the answer is T

20 Reduction to Classical (Take Two) Ü [Gurfinkel&Chechik 2003] Ü Assumptions:  States can be 3-valued, transition relation can be three- valued Ü Reduction steps  for True and Maybe, construct a cut formula equivalent to [[ ϕ ]](s)⊒j  logic: from mv CTL to restricted mv-logic with two-valued answers  model: unchanged  transform each cut to a classical model-checking problem  logic: from restricted mv-logic to classical CTL  model: from ΧKripke structure to classical Kripke structure

21 Propositional Logic [[p ∧¬q ∨z ]](s 0 ) = M [[T ∧¬M ∨F ]](s 0 ) [[T ∧M ∨F ]](s 0 ) [[M ∨F ]](s 0 ) [[M ]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T

22 Propositional Logic – the cut [[T ∧F ∨F ]](s 0 ) [[F ∨ F ]](s 0 ) F ‖p ∧¬q ∨z ‖(s 0 ) ⊒ M [[p ∧¬q ∨z ]](s 0 ) ⊒ T [[ ]](s 0 )(p ⊒ T)(¬q ⊒ T)(z ⊒ T)∧∨ T p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T

23 Combining Results [[p ∧¬q ∨z ]](s 0 ) ⋣ T [[p ∧¬q ∨z ]](s 0 ) ⊒ M Therefore, [[p ∧¬q ∨z ]](s 0 ) = M T M F  p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T

24 Propositional Logic – final step [[p + ∧q - ∨z + ]](s 0 ) [[T∧F ∨F]](s 0 ) [[F]](s 0 ) [[(p ⊒ T) ∧(¬q ⊒ T) ∨(z ⊒ T)]](s 0 ) Legend p + represents p ⊒ j p - represents ¬p ⊒ j p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T p+z-p+z- p+q-z-p+q-z- p+q-p+q-

25 Existential Temporal Logic – the cut [[ EX ( p ∧¬q ∨z )]](s 0 ) ⊒ T ∨ t∈S R(s 0,t) ∧[[p ∧¬q ∨z ]](t) ⊒ T ∨ t∈S (R(s 0,t) ⊒ T) ∧([[p ∧¬q ∨z ]](t) ⊒ T) ∨ t∈S (R(s 0,t) ⊒ T) ∧[[(p ⊒T)∧(¬q ⊒T)∨(z ⊒T)]](t) [[ EX ⊒ T (( p ⊒T)∧(¬q ⊒T)∨(z ⊒T))]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F

26 Existential Temporal Logic – final step [[EX ⊒T ( p + ∧q - ∨z + )]](s 0 ) [[ EX( p + ∧q - ∨z + )]](s 0 ) [[EX ⊒T ((p ⊒T)∧(¬q ⊒T)∨(z ⊒T))]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T p + z - p + q - z - p + q -

27 Universal Temporal Logic – the cut [[AX(p ∧¬q ∨z )]](s 0 ) ⊒ T ∧ t∈S R(s 0,t) ⇒[[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S ¬R(s 0,t) ∨ [[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S ¬R(s 0,t) ⊒ T ∨ [[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S ¬(R(s 0,t) ⊒ M) ∨ [[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S (R(s 0,t) ⊒ M) ⇒ [[p ∧¬q ∨z ]](t) ⊒ T [[AX ⊒ M (( p ⊒T) ∧(¬q ⊒T) ∨(z ⊒T))]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T Dealing with negation  In 3-valued logic  ¬b ⊒ T iff ¬(b ⊒ M)  since ¬b ⊒ T iff b = F T M F

28 Universal Temporal Logic – final step [[AX ⊒ M (( p ⊒T)∧(¬q ⊒T)∨(z ⊒T))]](s 0 ) [[AX ⊒ M (p + ∧q - ∨z + )]](s 0 ) [[AX(p + ∧q - ∨z + )]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T p + z - p + q - z - p + q -

29 Handling Mixed Modalities Ü The first reduction step does not change  [[AX EXp]](s 0 )⊒T is transformed into [[AX ⊒M EX ⊒T (p⊒T)]](s 0 ) Ü Problem with the second step  need a Kripke structure with two types of transitions  ⊒M for universal modality  ⊒T for existential modality Ü Solution  treat transitions labels as actions  convert the resulting Labeled Transition System into a Kripke structure Ü Disadvantage  introduces a new variable  size of the statespace doubles

30 Summary of the Reduction Ü Multi-valued model-checking problem is reduced to several classical problems  one classical problem for True and one for Maybe  size of the formula does not change  atomic literals are changed to “plus” and “minus” versions  other parts remain unchanged  for universal and existential fragments  statespace of resulting Kripke structure is similar to the original  for formulas with both universal and existential modalities  statespace of the resulting Kripke structure is double of the original  formulas with fixpoint operators are handled similarly  (see Gurfinkel, Chechik, CONCUR’03)

31 Abstraction  Abstraction Function  : S ! S’ S S’

32 Abstraction Ü Using 3-valued logic  introduce new special value Maybe to stand for “unknown”  Formally:  [[v]] (a) = T iff  s   (a) [[v]](s) = T  [[v]] (a) = F iff  s   (a) [[v]](s) = F  [[v]] (a) = M iff  s   (a) [[v]](s) = T and  t   (a) [[v]](t) = F  Examples:  r (s 0,1 )=T ⇒ r (s 0 )=Tp (s 0,1 )=M p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 s 0,1 s2s2 p=M q=F r=T p=T q=T r=F T F M

33 Refresher: Over- and Under-approximations Ü M’ is an over-approximation of M, or M’ simulates M if  R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t 1 ) and (s, s 1 )  R Ü M’ is an under-approximation of M, or M simulates M’ if  R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t’) and (s, s 1 )  R

34 Existential Abstraction (Over-Approximation) I I

35 Universal Abstraction (Under-Approximation) I I

36 3-Val Transition Relation Ü Let R(s,t) = T if R(s,t)  R   R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t’) and (s, s 1 )  R  Let R(s,t) = F if R(s,t) ∉ R   R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t 1 ) and (s, s 1 )  R Ü Else R(s,t) = M

37 3-valued abstraction I I M T T M M M M M M T

38 T F M Abstraction Ü Using 3-valued logic  introduce new special value Maybe to stand for “unknown” AX r (s 0,1 )=M EX r (s 0,1 )=T p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 r pq¬rpq¬r s 0,1 s2s2 T M T p=M q=F r=T p=T q=T r=F

39 Model Checking 3-Val abstract Models Ü Preservation Theorem M’ ⊨ φ ⇔ M ⊨ φ False counterexample cannot be spurious No need for simulation! Maybe counterexample requires refinement No guarantee is given about a “Maybe” answer Let φ be an arbitrary property (i.e., expressed in LTL, CTL, mu-calculus) and M’ is a 3-val abstraction of M

40 3-Val Abstraction-Refinement Loop Check Counterexample Refine Model CheckAbstract M’, φ M, φ,  No Bug Pass Fail Bug Spurious ’’

41 No spurious counterexamples, but abstraction can be too coarse I I Deadend states Bad States Failure State f T MM

42 Refinement ’’ ’’ ’’ ’’ ’’ Refinement :  ’ ’’ ’’

43 Other use of 3-valued logic Ü Algebra:  use three-valued algebra (Kleene)  intermediate value represents incomplete information or uncertainty T F M  compact representation for all possible refinements of this model  if a property is True/False on the partial model, it is True/False on a refined one  initial theory developed by Bruns & Godefroid, CAV’99 p= T q= F r= T p= M q= M r= F p= T q= M r= T s0s0 s2s2 s1s1 T T M M T Application: Most models are incomplete! Allows verification before specification is completed

44 Summary Ü Abstraction  Effective tool for combating state explosion  Over-approximation – sound for true universal properties, otherwise – check if counterexample is feasible and then refine  Under-approximation – same for existential properties Ü 3-Valued Abstraction  Specified in 3-val Kleene logic  Allows reasoning about mixed-quantifier properties  No need to check if counter-example is spurious  Counterexample used for refinement Ü 3-Val Model-Checking  Reduces to two runs of classical model-checker  Or can be done directly, say, using MDDs

45 Next topic: Ü Software model-checking  (and software model-checking with 3-valued logic)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.