Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction Part I – introduced the framework of abstract interpretation and discusses practical instances, such as predicate abstraction Part II –will discuss heuristic aspects of abstraction, i.e., how do we find useful abstractions in an automated way? Will locate methods on three axes...

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Axis 1 Embedding abstractions (E) –Encode the state in an abstract space, e.g., Predicate abstraction Polyhedral abstractions Weakening abstractions (W) –Throw away information about the system without re-encoding the state, e.g., Localization Interpolation Some methods combine these types

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Axis 2 A priori bias (A) –Abstraction represents a general bias and is not property-specific, e.g., Polyhedral abstraction Van Eicks's method Invisible invariants Property-specific abstractions (P) –Abstraction is tailored to verification of a specific property, e.g., Predicate abstraction Localization

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Axis 3 Cartesian lattice (C) –Invariants are conjunctions of literals, e.g., Polyhedral abstraction Van Eick's method Predicate abstraction Boolean lattice (B) –Invariants are Boolean combinations of atoms, e.g., Localization Predicate abstraction Boolean case more expressive but may explode!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Property-specific abstraction We must abstract from a system just the information relevant to proving a given property. –In the end this must take the form of an inductive invariant But how do we decide what information is "relevant"?

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. The refinement loop All methods are based on the following principle: The refutation relevance principle (RRP): Facts used to refute a class of potential models are considered relevant. This leads to a refinement loop, in which facts used to refute classes of counterexamples are added to the abstraction

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Outline Applications of the RRP: –SAT solvers –Localization abstraction –Interpolant-based methods –Predicate abstraction

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. DPLL-style SAT solvers Objective: –Check satisfiability of a CNF formula literal: v or : v clause: disjunction of literals CNF: conjunction of clauses Approach: –Branch: make arbitrary decisions –Propagate implication graph –Conflicts (search failures) guide inference steps –Inferred clauses guide search SATO,GRASP,CHAFF,BERKMIN Very effective at narrowing to relevant facts

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Model refutation in SAT Heuristics in the SAT solver are based on the RRP. –Class of models = partial assignment –Relevant facts: clauses The SAT solver raises the "relevance" measure of a variable used in the refutation of a partial assignment –increaing the chance that a clause containing that variable is used –key is the interaction between model search and deduction

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Basic SAT algorithm A = empty clause? y UNSAT conflict? Deduce conflict clause and backtrack y n is A total? y SAT Branch: add some literal to A

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Resolution a Ç b Ç c a Ç c Ç d b Ç c Ç d When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conflict Clauses ( a Ç b) Æ ( b Ç c Ç d) Æ ( b Ç d) a c Decisions b Assignment: a Æ b Æ c Æ d d Conflict! ( b Ç c ) resolve Conflict! ( a Ç c) resolve Conflict!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Decision heuristics Conflict clause is a refutation of a partial assignment. –Solvers increase the "relevance" score of variables used in this refutation (e.g., the VSIDS heuristic) –Variables with higher score are decided first –Thus the solver is biased toward using facts that refuted earlier solution attempts. Decision heuristics are thus an instance of the RRP –Solvers are quite effective in ignoring irrelevant clauses -- many abstraction methods are based on this fact.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization abstraction Abstract by removing system components not relevant to a given property. system property localization Think of system components as constraints and localization as removing constraints. A weaking abstraction (WPB) Kurshan

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Components as constraints Transition system described by a set of constraints a b cp g g = a b p = g c c' = p Model: T = { g = a b, p = g c, c' = p }

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization abstraction Property: G (c X c) a b cp g Model: T = { g = a b, p = g c, c' = p } # free variable Localization does not recode the state. It just weakens the transition relation.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization, cont T # may refer to fewer state variables than T –reduction in the state explosion problem Key issue: how to choose constraints in T # –apply the RRP

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CEGAR loop Model check abstraction T # Choose initial T # Can extend Cex from T # to T? Add constraints to T # true, done Cex yes, Cex no Kurshan

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CEGAR, cont CEGAR is an instance of RRP, where: –class of models = partial trace i.e., trace of subset of variables, or an abstract cex –relevant facts: system components

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Formalizing CEGAR Straightforward in terms of Bounded Model Checking [BCCZ99] New notation: let Q denote Q with t primes added to each symbol variable v with t primes represents value of v at time t thus, Q is Q shifted t time units into the future

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Unfolding Unfold the model k times: Unf k (T) = T T... T a b cp g a b cp g a b cp g... I F Use SAT solver to check satisfiability of I Æ Unf k (T) Æ F A satisfying assignment is a k-step cex If unsat, refutes a class of models -- all traces of length k

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstract counterexamples Abstract TR subset of concrete TR: T # µ T Abstract variables: V # = support(T # ) Abstract counterxample truth assignment to: V #k = { v | v in V #, t in 0..k } where k is the number of steps.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstract counterexamples, cont. Let A # be a solution to (I Æ Unf k (T # ) Æ F ) + V #k A # can be computed using a model checker Note that A # defines a class of models –all models consistent with A #

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Concretization Think of A # as a minterm over V #k A concretization A of A # is a model of A # Æ I Æ Unf k (T) Æ F (A is a counterexample consistent with A # ) If a concretization exists we are done, else we must refine the abstraction. –Note that existence of a concretization is a SAT problem. CGJLV 2000

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction refinement Refinement = adding constraints to T # sufficient to refute A #. An extension is E µ T such that this is unsat: A # Æ I Æ Unf k (T # [ E) Æ F By RRP, constraints in E are relevant: –They refute the class of models defined by A #. How to find E? –Many complex heuristsics used for this... –Recall that a SAT solver can produce a resolution- based refutation in the UNSAT case....

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based refinement Recall, a concretization satisfies this: A # Æ I Æ Unf k (T) Æ F If UNSAT, we obtain refutation proof P –proof that A # cannot be concretized Let E be set of constraints used in proof P: E = { c T | some c occurs in P } A # cannot be extended to a Cex for E –P is the proof of this. Thus, add E to T # and continue... [CCKSVW02]

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. In other words... The refutation of the formula: A # Æ I Æ Unf k (T) Æ F gives us a sufficient set of constraints to refute the class of models defined by A #. We rely on the SAT solver's ability to focus on relevant facts (using the RRP) to produce a small E.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CCKSVW approach (FMCAD02) Find the shortest prefix of Cex A # that cannot be extended. That is, A # Æ I Æ Unf k (T) Æ F is feasible for all k < i, but not for k=i. s0s0 s1s1 s2s2 s i-1 sisi... OK NO!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CCKSVW approach cont. Let P be a refutation of A # Æ I Æ Unf k (T) Æ F Let E be set of constraints used in proof P only on state s i-1: E = { c T | c occurs in P } s0s0 s1s1 s2s2 s i-1 sisi... OK NO! add constraints used here

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Optimal abstractions? Greedily remove constraints as long as all the abstract counterexamples are still refuted. –Will produce a local minimum Optimal abstraction (Gupta et al) –Samples: failed attempts to concretize A # –Each sample falsifies a subset of constraints –Find a minimal cover But note, these methods are expensive, and may not make model checking faster.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Weakness of Cex-based approach The CEGAR approach refutes fairly small model classes. Arbitrarily chosen abstract Cex may be refutable for many reasons not related to property. –Thus, may add irrelevant constraints. –To remedy, may try to generalize abstract Cex's to represent a larger class of models (e.g., GKM- HFV,TACAS03). Alternative: don't use counterexamples

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based abstraction Also based on RRP: –class of models = all models of length k –relevant facts: transition constraints By refuting larger classes of models, we hope to converge faster, and include fewer irrelevant constraints.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based abstraction BMC at depth k Cex? done No Cex? Use refutation to choose abstraction MC abstraction done True? False? Increase k [MA03]

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. BMC phase Use SAT solver to check satisfiability of I Æ Unf k (T) Æ F If unsatisfiable: property has no Cex of length k produce a refutation proof P

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction phase Let T # be set of constraints used in proof P: T # = { c T | some c occurs in P } T # admits no counterexample of length k –P is a refutation of I Æ Unf k (T # ) Æ F Model check property on T # –property true for T # implies true for T –else Cex of length k' > k –restart for k = k' Note, "refinement" here is just increasing k

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Algorithm BMC T at depth k Cex? done No Cex? Refutation P induces abstraction T # Model check T # done True? Cex of depth k'? let k = k' Notice: MC counterexample is thrown away!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Termination Depth k increases at each iteration Eventually k > d, diameter of T # If k > d, no counterexample is possible In practice, termination uses occurs when k d/2 Usually, diameter T # << diameter of T

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Weakness of proof-based abs BMC must refute all counterexamples of length k, while in Cex-based, BMC must refute only one (partial) counterexample. In practice, PBA converges in fewer iterations that CEGAR, but is sometimes slower because refuting all cex's can be slow. Various compromises between the two are possible.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Also note... CEGAR relies heavily on the model checker –Uses model checker as decision heuristic for SAT solver. –Note the interaction between model search and refutation. PBA only uses model checker to provide the unfolding depth –Relies more heavily on RRP loop inside SAT solver.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. RRP trade-off Abstraction methods that refute more general classes of models converge in fewer iterations. Refuting more general classes can be more expensive. Practical tools need to balance these considerations.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolants as abstractions Abstraction is extracting sufficient information from a system to prove a given property. This notion is in some sense closely related to Craig's interpolation lemma.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation Lemma If A B = false, there exists an interpolant A' for (A,B) such that: A A' A' B = false A' refers only to common variables of A,B Example: –A = p q, B = q r, A' = q Interpolants from proofs –given a resolution refutation of A B, A' can be derived in linear time. (Craig,57) (Pudlak,Krajicek,97)

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolants from proofs An interpolant for (A,B) derived from a refutation... –is in some sense an abstraction of A relative to B –captures the information about A that the prover used to refute B This can give us a very general method for extracting information about a system to prove a given property. –with many possible applications in model checking

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Applications Propositional case –Finite-state model checking using a SAT solver –Very robust method for hardware verification First-order case –Infinite-state model checking using a FO prover. –Verify, for example, parameterized protocols Predicate abstraction –Discover useful predicates for predicate abstraction –Computation of the abstract transition relation Here will consider just the propositional case...

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolant-based image A property-specific weakening abstraction –Use interpolants to compute a weakened image operator (abstract transformer) –Strong enough to refute a class of models Applying the RRP: –class of models = continuations of length k –relevant fact: any next-state property

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. k-adequate image operator Abstract transformer T # is k-adequate (w.r.t.) F, when –if P cannot reach F, T # (P) cannot reach F within k steps Intuition: want T # to avoid adding states that can reach a bad state

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation-based image Idea -- use unfolding to enforce k-adequacy A = P T B = T T T F P F TTTTTTT AB t=0 t=k Let T # (P) = A', where A' is an interpolant for (A,B)... T # is a k-adequate abstract transformer!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Huh? sup(A') µ sup(A) Å sup(B) –sup(A') = V 0 (A' is a state predicate) A A' –T(P) T # (P) (T # is sound) A' B = false – T # (P) cannot reach F in k steps P F CCCCCCC AB t=0 t=k A'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Intuition A' tells is everything the prover deduced about the image of P in proving it can't reach F in k steps. Hence, A' is in some sense an abstraction of the image relative to the property. P F CCCCCCC AB t=0 t=k A'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Refinement Model checking with T # may fail –T # may add a state that reaches F in k+1 steps Refinement is just increasing k –Increasing k refutes a larger class of models

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Termination In the finite-state case: Since k increases at every refinement, eventually k > d, the diameter, in which case T # is adequate (adds no bad states) hence we terminate. Notes: –don't need to know when k > d in order to terminate –often termination occurs with k << d

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolants Interpolant for (A,B) provides an abstraction of A that refutes B. –Exploits provers ability to focus on relevant facts. Provides an image weakening abstraction –Strong enough to refute continuations of length k –Embodies the RRP: facts that refute classes of models are considered relevant.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Predicate abstraction Encode the state of a system by the truth values of a finite set of predicates P Two aspects of abstraction refinement in predicate abstraction: –Selection of predicates in P –Weakening of the abstract transition relation or transformer

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Predicate selection Static heuristics –Choose predicates occurring in branch conditions –Apply weakest precondition to these predicates Not very property-specific –Can use localization to remove irrelevent preds But this could involve unfoldings with 100's of preds We can apply the RRP directly to predicate selection

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Predicate refinement The RRP for predicate selection: –Class of models = program path –Relevant facts: predicates A decision procedure is used to refute program paths. Predicates in the refutation are considered relevant. –Example: "lazy abstraction" in BLAST [HJMS02]

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Example do { lock(); old = new; if (*) { unlock(); new++; } } while (new != old); unlock(); Let P = {LOCK=0} LOCK = 0 LOCK 0 LOCK = 0 ERR! lock(); old = new; [T] unlock(); new++; [T] [old = new] unlock(); T LOCK 1 = 1 old 1 =new 0 T LOCK 2 = 0, new 1 =new 0 +1 old 1 =new 1 LOCK 2 = 0

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Example, cont old 1 =new 1 0=1 new 1 =new 0 +1 old 1 =new 0 new 1 =old 1 +1 old=new new=old+1 LOCK 1 = 1 old 1 =new 0 LOCK 2 = 0, new 1 =new 0 +1 old 1 =new 1 LOCK 2 = 0 Path facts...Refute the path...Extract preds Principle: facts used to refute class of models are relevant.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Check with new preds LOCK = 0 LOCK 0, old=new LOCK = 0, old new FALSE! lock(); old = new; [T] unlock(); new++; [T] [old = new] unlock();

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Bad example Refutation predicates not always adequate to rule out a path, however... x:=ctr; ctr := ctr+1; y := ctr; ctr:=*; m:=*; [x=m] [y m+1] x 1 = ctr 0 ctr 1 = ctr 0 +1 y 1 = ctr 1 x 1 = m 1 y 1 m 1 +1 Refutation preds: x=m x=ctr m=ctr ctr=m+1 y=ctr y=m+1

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Bad example, cont Check with new preds... x:=ctr; ctr := ctr+1; [x=m] [y m+1] T x=ctr ctr=m+1 x=m, x ctr y=ctr y=ctr,x=m y=ctr,x=m,y m+1,ctr m+1 Refutation preds: x=m x=ctr m=ctr ctr=m+1 y=ctr y=m+1 y := ctr; ctr:=*; m:=*;

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. What went wrong? Prover did not prove facts about particular states –Rather, predicates in proof span states –Thus we missed the needed predicate y=x+1 How do we know what was proved about a given state in refuting the trace? –Jhala: This is precisely an interpolant!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Predicates from interpolants Compute interpolant at each path cut x:=ctr; ctr := ctr+1; y := ctr; ctr:=*; m:=*; [x=m] [y m+1] x 1 = ctr 0 ctr 1 = ctr 0 +1 y 1 = ctr 1 x 1 = m 1 y 1 m 1 +1 x 1 = ctr 0 x 1 +1 = ctr 1 x 1 +1 = y 1 m 1 +1 = y 1 each interpolant implies the next Extract preds from interpolants

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Predicates from interpolants Guaranteed to rule out program path Assign predicates to particular locations –fewer preds per state -> less state explosion Provides a way to apply the RRP to predicate selection –tells us which facts (state predicates) are relevant to refuting a class of models (program path)

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstract transition relations In PA, the abstract transition relation can be very expensive to compute. abstract states concrete states T T#T# a a We can represent T # symbolically... T # = a -1 ± T ± a

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Symbolic transition relation Let V = {v p | p P }, and W be concrete symbs Represent R ± S like this: (R ± S)(V,V') = R(V,U) S(U,V)...where U is a set of fresh symbols The abstraction relation is: a(W,V) = Æ p P (v p p) The symbolic abstract transition relation: T # = a -1 ± T ± a... implictly projected onto V V'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. What's the problem? Projecting T # onto the abstract state is expensive –Best known solution is to enumerate the minterms over V V' and test for consistency with T #. –This can be made more efficient by translating T # to a satisfiability-equivalent Boolean formula and using incremental SAT. [LBC03] –The alternative is to apply a weaking abstraction to that abstract transition relation. Weakened relation may easier to compute but still prove property...

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Transition relation weakening A priori bias –Boolean programs abstraction (SLAM) abstracts transition relation –Cartesian image abstraction (BLAST) abstracts the image compution Both methods lose correlation between predicates at next time –In effect, can only infer conjunctions of predicates –Avoid enumerating the next states These weakenings are surprisingly effective, but sometimes fail on trivial problems.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Bad Example a[x] := y; y := y + 1; [a[z] y-1] [z=x] Predicates: x=z a[z] = y a[z] = y-1 T T T x=z Cartesian Boolean T x=z a[z] = y x=z a[z] = y - 1 a[z] = y - 1 F Array properties almost always require disjunctions!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. The Das/Dill approach TR weakening for predicate abstraction Applies the RRP in this sense: –Model class = abstract trace i.e., a sequence of predicate assignments –Relevant fact: clause in the abstract TR allows to introduce disjunctions

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Example a[x] := y; y := y + 1; [a[z] y-1] x z, a[z] y, a[z] y-1 [z=x] x=z, a[z] y, a[z] = y-1 x z, a[z] = y, a[z] y-1 x=z, a[z] y, a[z] y-1 x=z, a[z] = y, a[z] = y-1 Initially, abstract TR is just "true"... this transition is inconsistent with T #

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Refining the TR Inconsistent transition a minterm over V [ V' Greedily drop literals as long as it remains inconsistent with T #... x z, a[z] y, a[z] y-1, x'=z', a'[z'] y', a'[z'] = y'-1 x'=z', a'[z'] y' Complement is a TR clause implied by T # x'=z' a'[z'] = y'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. TR refinement, cont The new TR clause is implied by T #, but inconsistent with the abstract trace –i.e, it as a fact that refutes a class of models, and thus is relevant by the RRP By iterating this process, we can guarantee to converge to a weakened abstract TR that proves the property, if T # proves the property. –else we must add predicates

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Summary Abstraction is extracting information from a system relevant to proving a property We can distinguish abstraction stragies as... –A priori vs property-specific –Embedding vs weaking Property specific techniques are based on the refutaion relevance principle. –Distinguished primarily by the class of models that is refuted

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Summary, cont. SAT solvers (PW) –class of models = partial assignment Localization (PW) –class of models = partial trace --> "CEGAR" –class of models = trace of length k --> "PBA" Predicate abstraction –selection: class = program path (PE) –transition relation weakening: A priori: Boolean progs, Cartesian image (AW) Das/Dill: class of models = abstract trace (PW)

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Summary, cont All the property specific techniques are based on the RRP. This provides a tight coupling between model search and deduction –Model search provides model classes to be refuted –Deduction provides relevance information that guides model search Applying this principle allows us to automatically extract relevant information from systems in many applications.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Similar presentations

Presentation on theme: "Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Similar presentations

Presentation on theme: "Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs."— Presentation transcript:

Similar presentations

About project

Feedback