Abstraction, Verification & Refinement


1 Abstraction, Verification & Refinement
Samik Basu, Dept. of Computer Science, ISU

2 What is Model Checking?
Model checking (design level):
  Generate a model M describing the behavior; essentially a graph.
  Identify the desired property (φ).
  Automatically verify M ⊨ φ by graph traversal.

3 Model Checking Source Code
Why? Difficult: programs are more complex than design-level models (variables, conditionals, recursion).

4 Acknowledgement
Abstraction-based techniques: Blast (Berkeley), Slam (MS), CEGAR (CMU), FocusCheck (SBU, ISU).

5 Safety Property
Bad things never happen. Typical "bad" things: particular valuations of variables.

6 Question
Is there a path in the program that leads to satisfaction of Bad? If so, that path is a counter-example.

7 Example
The line labels 1 to 5 are referenced by the reachability trees below.

  Example () {
    1: do {
         lock();
         old = new;
         q = q->next;
    2:   if (q != NULL) {
    3:     q->data = new;
           unlock();
           new++;
         }
    4: } while (new != old);
    5: unlock();
       return;
  }

[Figure: two-state lock/unlock automaton. The Bad thing is a call to unlock() when the lock is not held; lock() and unlock() must strictly alternate.]

8 What is a Program-Graph?
A state is a valuation of the program counter (pc) and all program variables; a transition is one execution step of the Example program above. For instance:

  State:      pc = 3, lock held,      old = 5, new = 5, q = 0x133a
  Transition: 3: unlock(); new++;  4:
  State:      pc = 4, lock released,  old = 5, new = 6, q = 0x133a

9 What is infinite about programs?
Program state = control location (finite) + variable values (infinite).
Question: prove that for all possible values of the variables, the program behaves correctly.

10 Abstraction: Over-approximation
Remove details and partition the states; the graph over the partitions, M', is finite and manageable. M' contains all the behavior of M and more, so

  M' ⊨ φ ⇒ M ⊨ φ, where φ = ¬Bad

11 Data Abstraction
  x:int → {Even, Odd}:       Even = {…, -2, 0, 2, 4, …}, Odd = {…, -3, -1, 1, 3, …}
  y:int → {Neg, Zero, Pos}:  Neg = {…, -3, -2, -1}, Zero = {0}, Pos = {1, 2, 3, …}

12 Abstract Program
Abstracting the data domain = abstracting the program behavior.

  Concrete code:
    int x = 0;
    if (x == 0)
      x = x + 1;

  Abstract data domain Signs = {NEG, ZERO, POS}:
    (n < 0)  : NEG
    (n == 0) : ZERO
    (n > 0)  : POS

  Abstract code:
    Signs x = ZERO;
    if (x == ZERO)
      x = x + POS;

(Speaker notes) We transform the code so that it operates on the abstract domain. The concrete type int is replaced by the abstract type Signs, the concrete constants 0 and 1 are replaced by the abstract constants ZERO and POS, and the primitive operations on ints are replaced by calls to methods that implement the abstract operations on abstract values: the equality operator becomes a call to Signs.eq and + becomes Signs.add. So how do we apply this abstraction technique to the DEOS example? We have to decide which variables to abstract and which abstractions to use, and then effectively transform the system to encode the abstractions.
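The Signs domain of slide 12, written out as an added example (not the slides' code): alpha is the abstraction function, and Signs.add / Signs.eq return the set of every result the concrete operation could produce, which is exactly what makes the abstraction an over-approximation. The soundness check, the sample values and the second program (x = 1, y = 1, if (x == y) ... else BAD) are this example's own constructions; the second program shows the spurious counter-example of slide 14 in miniature, since two POS values may or may not be equal.

```python
"""Signs abstract domain (added example; not code from the slides)."""
from itertools import product
from typing import FrozenSet, Set

NEG, ZERO, POS = "NEG", "ZERO", "POS"
SIGNS = (NEG, ZERO, POS)


def alpha(n: int) -> str:
    """Abstraction function: concrete int -> abstract sign (slide 12's table)."""
    return NEG if n < 0 else ZERO if n == 0 else POS


# Abstract addition (the slide's Signs.add): every sign the concrete sum may have.
ADD = {
    (NEG, NEG): {NEG}, (NEG, ZERO): {NEG}, (NEG, POS): {NEG, ZERO, POS},
    (ZERO, NEG): {NEG}, (ZERO, ZERO): {ZERO}, (ZERO, POS): {POS},
    (POS, NEG): {NEG, ZERO, POS}, (POS, ZERO): {POS}, (POS, POS): {POS},
}


def add(a: str, b: str) -> FrozenSet[str]:
    return frozenset(ADD[(a, b)])


def eq(a: str, b: str) -> FrozenSet[bool]:
    """Abstract equality (the slide's Signs.eq). Different signs are never
    equal; two zeros always are; two positives (or two negatives) may or may
    not be, so both outcomes have to be kept."""
    if a != b:
        return frozenset({False})
    return frozenset({True}) if a == ZERO else frozenset({True, False})


# Constructed representative concrete values per sign, used to check soundness.
SAMPLES = {NEG: (-7, -1), ZERO: (0,), POS: (1, 9)}


def add_is_sound() -> bool:
    """Soundness of the abstract operator: alpha(x + y) must be one of the
    results of add(alpha(x), alpha(y)) for every pair of sample values."""
    return all(alpha(x + y) in add(alpha(x), alpha(y))
               for sa, sb in product(SIGNS, SIGNS)
               for x in SAMPLES[sa] for y in SAMPLES[sb])


def run_slide_program() -> Set[str]:
    """Abstract execution of   int x = 0; if (x == 0) x = x + 1;
    following every outcome the abstract operators allow."""
    x = alpha(0)
    results: Set[str] = set()
    for taken in eq(x, ZERO):
        results |= add(x, alpha(1)) if taken else {x}
    return results


def else_branch_reachable_abstractly() -> bool:
    """Constructed program   int x = 1, y = 1; if (x == y) ... else BAD;
    Concretely BAD is unreachable, but both variables abstract to POS and
    eq(POS, POS) keeps False, so the abstraction reports a path to BAD:
    a spurious counter-example."""
    return False in eq(alpha(1), alpha(1))
```

The point of add_is_sound is the direction of the implication on slide 10: the abstract result may contain more signs than any concrete run produces (POS + NEG yields all three), but it must never miss one, otherwise a proof on the abstract program would say nothing about the concrete one.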

13 Abstraction leads to Over-approximation
[Figure: the abstraction function h maps the concrete model M (with initial state I) onto the abstract model M'.]

14 Abstraction leads to Over-approximation
M' > M, so M' ⊨ φ implies M ⊨ φ: no false positives, i.e. a proof of safety on the abstract model is a proof of safety on the program.
Problem: spurious counter-examples. A path to Bad in M' need not correspond to any path in M.
[Figure: M, h, I, M' as on the previous slide.]

15 Predicate Abstraction
Look at the characteristics of the data, NOT its exact valuation: predicates over the relationships between variables and constants.

16-17 Spurious Counter-Example
[Figure: a path to Bad in the abstract model M' whose abstract states are not connected by any concrete path of M under h; labels h, I, M'.]

18 Break it up and Start over
[Figure: the abstract state on the spurious path is split so that the concrete states which reach Bad are separated from those which do not, and the abstract-check-refine loop starts over; labels M, h, I, M'.]

19 Summary
Abstract → Model check → Refine if needed → loop back.
Blast, Slam (on the control-flow graph, CFG); FocusCheck (on pushdown systems, PDS).

20-25 Build-and-Search Reachability Tree
Predicates: LOCK

The reachability tree is built on the fly from line 1 of the Example program with the lock not held. Each node is labelled pc : predicate valuation (¬LOCK = lock not held) and each edge with the statements executed. Following the first branch at every choice point:

  1 : ¬LOCK
    --lock(); old = new; q = q->next-->  2 : LOCK
    --[q != NULL]-->                     3 : LOCK
    --q->data = new; unlock(); new++-->  4 : ¬LOCK
    --[new == old]-->                    5 : ¬LOCK
    --unlock()-->                        unlock() with ¬LOCK: Bad state reached

26-27 Analyze Counterexample
Predicates: LOCK

Abstract counter-example:
  1 : ¬LOCK  --lock(); old = new; q = q->next-->  2 : LOCK  --[q != NULL]-->  3 : LOCK
  --q->data = new; unlock(); new++-->  4 : ¬LOCK  --[new == old]-->  5 : ¬LOCK  --unlock()-->  Bad

Keep only the statements that touch new and old:  old = new; ... new++; ... [new == old].
This is inconsistent: after old = new followed by new++, new == old cannot hold, so the guard [new == old] can never be taken on this path. The counter-example is spurious, and the predicate that exposes the inconsistency, new == old, is added to the abstraction.

28-33 Repeat Build-and-Search
Predicates: LOCK, new==old

  1 : ¬LOCK
    --lock(); old = new; q = q->next-->  2 : LOCK, new==old
    --[q != NULL]-->                     3 : LOCK, new==old
    --q->data = new; unlock(); new++-->  4 : ¬LOCK, ¬(new==old)
      --[new == old]-->   infeasible (contradicts ¬(new==old)): branch pruned
      --[new != old]-->   1 : ¬LOCK, ¬(new==old)   covered by the node 1 : ¬LOCK already explored
  2 : LOCK, new==old
    --[q == NULL]-->                     4 : LOCK, new==old
    --[new == old]-->                    5 : LOCK, new==old
    --unlock()-->                        lock released while held: not Bad

SAFE: every abstract path is either pruned or ends without reaching Bad, and since M' over-approximates the program, the program is safe.
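The build / search / analyze / refine loop of slides 19 to 33, run on the Example program, as an added worked example in Python. This is not the slides' code and not BLAST's or SLAM's: the control-flow graph, the hand-written abstract post operators for the Example's handful of statements, the coverage check and the refinement step (which simply adds the slides' predicate new==old once the replay shows the path is inconsistent) are all this example's own simplifications of what a real tool does with a theorem prover. They are enough to reproduce both runs: with LOCK alone the search reaches unlock() at line 5 with ¬LOCK and the replay finds [new == old] inconsistent; with LOCK and new==old the search ends SAFE.

```python
"""CEGAR on the lock/unlock Example (added example; not the slides' code)."""
from typing import Dict, List, Optional, Set, Tuple

LOCK, EQ = "LOCK", "new==old"          # the two predicates used in the slides
Valuation = Dict[str, Optional[bool]]  # predicate -> True / False / None (unknown)

# Control-flow graph of the Example program: pc -> [(statements, next pc)].
# Edge order matters: the search is depth-first and takes the first edge
# first, which reproduces the reachability tree of the slides. pc 0 = exit.
CFG = {
    1: [(["lock()", "old = new", "q = q->next"], 2)],
    2: [(["[q != NULL]"], 3), (["[q == NULL]"], 4)],
    3: [(["q->data = new", "unlock()", "new++"], 4)],
    4: [(["[new == old]"], 5), (["[new != old]"], 1)],
    5: [(["unlock()", "return"], 0)],
}


class LockMisuse(Exception):
    """The Bad thing: lock() and unlock() did not alternate."""


def post(val: Valuation, stmt: str, tracked: Set[str]) -> Optional[Valuation]:
    """Abstract post-image of one statement: the new valuation, or None if the
    statement is infeasible in this abstract state. LOCK is the property's own
    predicate and is always tracked; `tracked` decides whether new==old is."""
    v = dict(val)
    if stmt in ("lock()", "unlock()"):
        want = stmt == "unlock()"          # unlock() needs the lock held, lock() needs it free
        if v[LOCK] is not want:
            raise LockMisuse(f"{stmt} with LOCK = {v[LOCK]}")
        v[LOCK] = not want
    elif stmt == "old = new" and EQ in tracked:
        v[EQ] = True
    elif stmt == "new++" and EQ in tracked:
        v[EQ] = False if v[EQ] is True else None   # equal -> unequal, otherwise unknown
    elif stmt in ("[new == old]", "[new != old]"):
        want = stmt == "[new == old]"
        if v[EQ] is (not want):
            return None                            # guard contradicts the state
        if EQ in tracked:
            v[EQ] = want
    # q = q->next, q->data = new, [q ...] and return touch no tracked predicate
    return v


def search(tracked: Set[str]) -> Tuple[str, List[str]]:
    """Depth-first build-and-search of the abstract reachability tree.
    Returns ("SAFE", []) or ("UNSAFE", statements of the abstract counterexample)."""
    explored: List[Tuple[int, Valuation]] = []

    def covered(pc: int, val: Valuation) -> bool:  # subsumed by an explored node?
        return any(p == pc and all(w[k] is None or w[k] == val[k] for k in val)
                   for p, w in explored)

    def dfs(pc: int, val: Valuation, path: List[str]) -> Optional[List[str]]:
        if covered(pc, val):
            return None
        explored.append((pc, val))
        for stmts, nxt in CFG.get(pc, []):
            cur, trace = val, list(path)
            for s in stmts:
                trace.append(s)
                try:
                    cur = post(cur, s, tracked)
                except LockMisuse:
                    return trace                   # abstract path to Bad
                if cur is None:
                    break                          # infeasible edge: prune it
            else:
                found = dfs(nxt, cur, trace)
                if found:
                    return found
        return None

    ce = dfs(1, {LOCK: False, EQ: None}, [])
    return ("UNSAFE", ce) if ce else ("SAFE", [])


def replay(path: List[str], tracked: Set[str]) -> Optional[str]:
    """Analyze a counterexample by replaying it with more predicates: returns the
    first statement that becomes infeasible (the path is spurious), or None if
    the path still reaches the bad state (the bug is real)."""
    val: Valuation = {LOCK: False, EQ: None}
    for s in path:
        try:
            val = post(val, s, tracked)
        except LockMisuse:
            return None
        if val is None:
            return s
    raise ValueError("counterexample does not end in a bad state")


def cegar(initial: Set[str], candidates: Set[str]) -> List[Tuple[str, object]]:
    """Abstract / model-check / refine loop. Refinement is simplified: a spurious
    counterexample makes us add the candidate predicates (the slides' new==old);
    real tools derive them from the failed path, e.g. by interpolation."""
    tracked, rounds = set(initial), []
    while True:
        verdict, path = search(tracked)
        if verdict == "SAFE":
            rounds.append(("SAFE", sorted(tracked)))
            return rounds
        bad = replay(path, candidates)
        if bad is None or not candidates - tracked:
            rounds.append(("UNSAFE", path))
            return rounds
        rounds.append((f"SPURIOUS at {bad}", sorted(tracked)))
        tracked |= candidates
```

Calling cegar({LOCK}, {LOCK, EQ}) yields two rounds: the first reports the abstract counterexample of slides 26-27 as spurious at [new == old], the second reports SAFE with both predicates tracked. The covered() check is what makes the second run terminate: the node 1 : ¬LOCK, ¬(new==old) produced by the back edge is subsumed by the already-explored node 1 : ¬LOCK, exactly as in slide 33.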

