Presentation is loading. Please wait.

Presentation is loading. Please wait.

אימות אוטומטי Intertwined Forward-Backward Reachability Analysis Using Interpolants Work by: Yakir Vizel, Orna Grumberg and Sharon Shoham (TACAS 2013)

Published byWillis Webster Modified over 6 years ago

Similar presentations

Presentation on theme: "אימות אוטומטי Intertwined Forward-Backward Reachability Analysis Using Interpolants Work by: Yakir Vizel, Orna Grumberg and Sharon Shoham (TACAS 2013)"— Presentation transcript:

1 אימות אוטומטי Intertwined Forward-Backward Reachability Analysis Using Interpolants Work by: Yakir Vizel, Orna Grumberg and Sharon Shoham (TACAS 2013)

2 Notations System is modeled as (V,INIT,T), where:
V is a finite set of variables INIT  2V is the set of initial states T  2V2V is the set of transitions A safety property of the form AGP p is a propositional formula over V Notions we will use during the talk. Our system is modeled as a tupple where V is a finite set of variables that induces a set of states. INIT, initial states and T the transition relation. We deal with safety properties of the form AGp since we know that all other kinds of LTL properties can be reduced to AGp.

3 Interpolants Given an inconsistent pair (A,B) of propositional formulas Then, there exist a formula I such that: A  I I ∧ B is unsatisfiable I is over the common variables of A and B I = Itp(A,B)

4 Interpolation in the context of model checking
Given the following BMC formula k B A I

5 Interpolation in the context of model checking
I is over V1 A I I over-approximates the set S1 I  B  false States in I cannot reach a bug in k-1 steps

6 Interpolation-Sequence
The same BMC formula partitioned in a different manner: A2 A3 Ak Ak+1 A1 I1 I2 I3 Ik-1 Ik 6 6 6

7 Interpolation-Sequence
Ij – over-approximation of the set of states reachable in j steps Ik  Ak+1  false the states in Ik do not violate p

8 Forward Reachability Analysis
Does AGp hold? Fn=Img(Fn-1,T) F2=Img(F1,T) F1=Img(INIT,T) Bad=¬P INIT How do we do that? How do we determine if our safety property hold? We have a set of states that we call “bad states” this set is simply defined by the negation of P. We compute the states that are reachable in the system. As it usually described, our system has a set of initial states, and a transition relation describing how the system moves from one state to the other. So we start from the initial state, and then by applying one step we get the set F_1. This is done with an Image operator. I will refer to the set F_1 as the states reachable in the first time frame. We then apply another step and get F_2 which is the states reachable in the second time frames and so on. The i-th time frame, states reachable in i steps. The computation stops either when a fixpoint is reached or either when the states computed intersect with the bad states. F_i is the set of reachable states at the i-th time frame (explain that we use the term time frame to indicate the number of TRs applied) Usually, doing the exact Image and PreImage operations is expansive so usually an approximated Image operator is used.

9 Approximated Forward Reachability
F(V) – a set of states For the unsatisfiable formula F(V) ∧T(V,V’) ∧¬P(V’), define: A = F(V) ∧T(V,V’) B = ¬P(V’) Approximated forward reachability: ApxImg(F,T) = Itp(A, B)

10 Backward Reachability Analysis
Does AGp hold? Bn=PreImg(Bn-1,T) B2=PreImg(B1,T) B1=PreImg(¬P,T) Bad=¬P INIT We can also do the analysis in a "backward" manner. What does it mean? Instead of starting from the initial states we start from the bad states. Then instead of going forward with the TR we go backwards. We define a PreImage operator and compute predecessors of the states. This is also done till a fixpoint is found or untill the initial states are intersected.

11 Duality In a SAT Query INIT(V) ∧T(V,V’) ∧¬P(V’)
Do we reach the bad states? and making one step forwards Starting from the initial states INIT(V) ∧T(V,V’) ∧¬P(V’) We tend to read it "Forwards" From left to right

12 Duality In a SAT Query INIT(V) ∧T(V,V’) ∧¬P(V’)
and making one step backwards Starting from the bad states Do we reach the initial states? INIT(V) ∧T(V,V’) ∧¬P(V’) We tend to read it "Forwards" From left to right We can also read it "Backwards" From right to left Does the pre-image of the bad states intersect the initial states This observation is the motivation for this work.

13 Approximated Backward Reachability
B(V) – a set of states For the unsatisfiable formula INIT(V) ∧T(V,V’) ∧ B(V’), define: A = T(V,V’) ∧ B(V’) B = INIT(V) Approximated backward reachability: ApxPreImg(B,T) = Itp(A, B)

14 Dual Approximated Reachability (DAR)
Compute two sequences of reachable states Forward Sequence: <F0,F1,…,Fn> Backward Sequence: <B0,B1,…,Bn> Sequences are over-approximations For the forward sequence: Fi(V)  T(V,V’)  Fi+1(V’) Fi(V)  P(V) For the backward sequence Bi+1(V)  T(V,V’)  Bi(V’) Bi(V)  INIT(V) Formally, DAR computes these two sequences. What makes DAR unique is the way these sequences are computed

15 Dual Approximated Reachability (DAR)
Two main phases during the computation Local Strengthening No unrolling Global Strengthening Limited unrolling In case the Local Strengthening fails DAR uses two main phases to compute the Forward Sequence and Backward Sequence. The first is called Local Strengthing. It is called “Local” since during this phase no unrolling of the TR is used. The other phase is called Global Strengthening. Global Strengthening is used when the Local phase fails. In the GS phase, unrolling is applied gradually. We will see this in a few moments.

16 Dual Approximated Reachability
Check the formula: INIT(V) ∧ T(V,V’) ∧ ¬P(V’) B0=¬P F0=INIT Lets assume that the initial states do not intersect the bad states and therefore there are no trivial CEXs. So the next thing to do is to check for a CEX of length 1. This is done with the following SAT query. From the unsatisfiability of this query two things can be derived: If SAT then CEX is found

17 Dual Approximated Reachability
UNSAT: INIT(V) ∧ T(V,V’) ∧ ¬P(V’) A B A B B1 F1 B0=¬P F0=INIT Lets assume that the initial states do not intersect the bad states and therefore there are no trivial CEXs. So the next thing to do is to check for a CEX of length 1. This is done with the following SAT query. From the unsatisfiability of this query two things can be derived:

18 Local Strengthening - Intuition
What if F1 and B1 intersect each other? There may be a counterexample B1 F1 B0=¬P F0=INIT There may be a CEX. But it may also be due to the over-approximation.

19 Local Strengthening - Intuition
What if F1 and B1 intersect each other? F1(V) ∧ T(V,V’) ∧ B0(V’) F0(V) ∧ T(V,V’) ∧ B1(V’) B1 F1 B0=¬P F0=INIT

20 Local Strengthening - Intuition
B A B F1(V) ∧ T(V,V’) ∧ B0(V’) Compute forward and backward interpolants F2 is the forward interpolant Backward interpolant strengthens the already existing B1 F2 B1 F1 B1 B0=¬P F0=INIT

21 Local Strengthening - Intuition
B A B F0(V) ∧ T(V,V’) ∧ B1(V’) Must be UnSAT Compute forward and backward interpolants B2 is the backward interpolant F’1 is strengthening the already existing F1 F2 B2 F1 F1 B1 B0=¬P F0=INIT

22 Local Strengthening Assume: F[n]=<F0,F1,…,Fn> and B[n]=<B0,B1,…,Bn> Fi over-approximates states reachable from INIT in i steps Bj over-approximates states that can reach p in j steps.  Fi  Bj over-approximates states that appear in the i-th step of a counterexample of length i+j (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> over-approximate all CEXs of length n+1 Fi  Bj over-approximate states that appear in the i-th step of a counterexample of length i+j

23 Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> At each iteration: Check (locally) if no CEX of length n+1 exists For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) If UNSAT: no CEX of length n+1

24 Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) Check: For every 1in-1: Fi(V)Bn-i+1(V)T(V,V’)Fi+1(V’)Bn-i(V’) INIT(V) T(V,V’)F1(V’)Bn(V’) Fn(V)B1(V)T(V,V’)p(V’)

25 Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) Check: For every 1in-1: Fi(V)  T(V,V’)  Bn-i(V’) F0(V)  T(V,V’)  Bn(V’) Fn(V)  T(V,V’)  B0(V’)

26 Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) Check: For every 0in: Fi(V)  T(V,V’)  Bn-i(V’) If for some i Fi(V)T(V,V’)Bn-i(V’) UNSAT: apply local strengthening and extract (F[n],B[n])

27 Local Strengthening Assume: Fi(V)T(V,V’)Bn-i(V’) unsat for some i
Extraction: If Fn(V)T(V,V’)B0(V’) unsat: obtain Fn+1 If F0(V)T(V,V’)Bn(V’) unsat: obtain Bn+1 If Fi(V)T(V,V’)Bn-i(V’) unsat for some i then not necessarily true Need to strengthen F[n] and B[n]

28 Fi(V)T(V,V’)Bn-i(V’)
Local Strengthening Fi(V)T(V,V’)Bn-i(V’) Find forward interpolant and strengthen Fi+1: Fi+1=Fi+1  Itp(A,B) Find backward interpolant and strengthen Bn-i+1: Bn-i+1=Bn-i+1  Itp(A,B) B A A B

29 Fi(V)T(V,V’)Bn-i(V’)
Local Strengthening Fi(V)T(V,V’)Bn-i(V’) Fi+1=Fi+1  Itp(A,B): Fi+1  Bn-i After stengthening: Fi+1(V)T(V,V’)Bn-(i+1)(V’) is unsat Strengthen Fi+2 similarly Dually, Bn-i+1  Fi: Fi-1(V)T(V,V’)Bn-i+1(V’) is unsat Strengthen Bn-i+2 similarly

30 Iterative Local Strengthening
Given i s.t. Fi(V)T(V,V’)Bj(V’) unsat: Function IterativeLS(F[n],B[n],i,j) while i<n do Fi+1 = Fi+1  Itp(Fi(V)T(V,V’),Bn-i(V’)) i=i+1 end while Fn+1=Itp(Fn(V)T(V,V’),B0(V’)) while j<n do Bj+1 = Bj+1  Itp(T(V,V’)Bj(V’),Fn-j (V)) j=j+1 Bn+1=Itp(T(V,V’)Bn(V’),F0(V))

31 Local Strengthening Fails
F1(V) ∧ T(V,V’) ∧ B2(V’) F0(V) ∧ T(V,V’) ∧ B3(V’) F2(V) ∧ T(V,V’) ∧ B1(V’) F3(V) ∧ T(V,V’) ∧ ¬P(V’) B3 B2 F3 F2 B1 F1 B0=¬P F0=INIT All checks are independent. Therefore they can be executed in parallel. It is enough that only one check is UnSAT to apply Local Strengthening.

32 Global Strengthening Apply unrolling gradually
Start from the initial states Try to reach the backward sequence using an increasing number of T’s

33 Global Strengthening F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧T(V’’’,V’’’’)∧¬P(V’’’’) F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ B2(V’’) F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’) B3 B2 B1 B0=¬P F0=INIT

34 Interpolantion-Sequence
Given a sequence <A1,…,An> such that its conjunction is unsatisfiable Then, there exist an interpolation sequence <I0,…,In> such that: I0 = TRUE, In=FALSE Ii ∧ Ai+1  Ii+1 is unsatisfiable Ii is over the common variables of A1,…,Ai and Ai+1,…,An

35 F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’)
Global Strengthening A1 A2 A3 A4 I1 I2 I3 T F F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’)

36 F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’)
Global Strengthening F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’) Formula is unsatisfiable Extract an interpolation-sequence: I1, I2, I3 Ij over-approximates states reachable in j steps Use Ij to strengthen Fj Example: F3’ = F3 ∧ I3 F3 ∧ B1 is unsatisfiable Re-Apply Local Strengthening F3(V) ∧ T(V,V’) ∧ ¬P(V’) is unsatisfiable

37 Global Strengthening If a CEX exists – Full unrolling
Otherwise, gradually unroll the model Try to reach the Backward sequence When the backward sequence is not reachable Extract interpolation sequence Strengthen forward sequence Reapply Local Strengthening

38 Global Strengthening of (F[n],B[n])
Function GlobalStrengthen(F[n],B[n]) for i=2 to n+1 do if INITT T.. T Bn-i+1 == UNSAT then I=GetInterpolationSeq() for j=1 to min{i,n} do Fj=Fj  Ij end for IterativeLS(F[n],B[n],i-1,n-i+1) end if return CEX

39 Summary Interpolation-based model checking algorithm
Uses both Forwards and Backwards traversals Two main phases during the computation Local Strengthening No unrolling Global Strengthening Limited unrolling In case the Local Strengthening fails Mostly local – No unrolling When unrolling is used, it is restricted

Download ppt "אימות אוטומטי Intertwined Forward-Backward Reachability Analysis Using Interpolants Work by: Yakir Vizel, Orna Grumberg and Sharon Shoham (TACAS 2013)"

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Yakir Vizel 1,2 and Orna Grumberg 1 1.Computer Science Department, The Technion, Haifa, Israel. 2.Architecture, System Level and Validation Solutions,

Yakir Vizel 1,2 and Orna Grumberg 1 1.Computer Science Department, The Technion, Haifa, Israel. 2.Architecture, System Level and Validation Solutions,
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
CLASSICAL PLANNING What is planning ?  Planning is an AI approach to control  It is deliberation about actions  Key ideas  We have a model of the.

CLASSICAL PLANNING What is planning ?  Planning is an AI approach to control  It is deliberation about actions  Key ideas  We have a model of the.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Hidden Markov Models (1)  Brief review of discrete time finite Markov Chain  Hidden Markov Model  Examples of HMM in Bioinformatics  Estimations Basic.

Hidden Markov Models (1)  Brief review of discrete time finite Markov Chain  Hidden Markov Model  Examples of HMM in Bioinformatics  Estimations Basic.
Aaron Bradley University of Colorado, Boulder

Aaron Bradley University of Colorado, Boulder
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.

Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google