Presentation is loading. Please wait.

Presentation is loading. Please wait.

3-Valued Abstraction and 3-Valued Model-Checking.

Published byMorris Collins Modified over 9 years ago

Similar presentations

Presentation on theme: "3-Valued Abstraction and 3-Valued Model-Checking."— Presentation transcript:

1 3-Valued Abstraction and 3-Valued Model-Checking

2 2 Abstraction Ü Abstraction:  an effective technique to combat state explosion problem  approximate sets of concrete states by an abstract state  approximate sets of concrete transitions by an abstract transition Ü Using 2-valued logic (over-approximation)  False variables represent “unknown” value  True transitions represent possible behaviour r (s 0,1 )=T ⇒ r (s 0 )=T p (s 0,1 )=F ⇒ ? p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 r pq¬rpq¬r s 0,1 s2s2

3 3 Abstraction, Cont’d Ü Using 2-valued logic  False variables represent “unknown” value  True transitions represent possible behaviour AX (r  p)(s 0,1 )=T ⇒ AX (r  p)(s 0 )=T AX r (s 0,1 )=F ⇒ ? EX (  r   p)(s 0,1 )=F ⇒ EX (  r   p)(s 0 )=F EX r(s 0,1 )=T ⇒ ? p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 r pq¬rpq¬r s 0,1 s2s2

4 4 Abstraction, Cont’d Ü Soundness:  Only with respect to True universal properties  For existential properties – use under-approximation  For False properties:  play counter-example to determine whether spurious  Use counter-example-based abstraction refinement

5 5 3-valued abstraction Ü Goals:  Reason about mixed properties  Not have to tell which counterexamples are spurious  Not have an increase in statespace, when compared to 2- valued  Use counterexample for abstraction refinement Ü Outline:  3-valued logic, properties, models, model-checking  3-valued abstractions  Abstraction refinement

6 6 Logic: 3-valued Kleene logic Logic order Ü Properties:  F ⊑ M, M ⊑ T  A  B = min (A, B)  A  B = max (A, B)   T = F,  F = T,  M = M Ü Preserves:  Commutativity, associativity, idempotence, De Morgan laws Ü Does not preserve  Law of excluded middle: A  A= T (top)  Law of non-contradiction: A  A=  (bottom) T F M

7 7 Note Ü 3-valued logic forms a lattice  Ordering ⊑ : less than or equal  Meet operation ⊓ : min  Join operation ⊔ : max  Negation : horizontal symmetry Ü This is an example of a quasi-boolean algebra Ü Equality and Identity are different!  a  b  a = b T F M

8 8 Logic Ü Information order  M contains least amount of information  T, F – maximum amount of information  If one refines M – it can change to T or F or stay at M TF M

9 9 Overview of MV-Model CheckingOverview of Model Checking Yes/No Answer Yes/No Answer SW/HW artifact SW/HW artifact Correctness properties Correctness properties Temporal logic Temporal logic Model of System Model of System Model Extraction Model Extraction Translation Model Checker Model Checker Correct? MV-Logic Answer MV-Logic Answer MV-Model Checker MV-Model Checker How correct?

10 10 Multi-valued state machines: Xkripke structures Ü Extension of conventional state machines (Kripke structures)  variables take any value from the logic ( T, F, M )  transitions between states take any value from the logic  False transitions are not shown (by convention) Ü Example: pressed = T request = F pressed = T request = F pressed = M request = T T TM T

11 11 Formally, Ü Kripke structures extended for MV case  M =  L is a quasi-boolean algebra (ℒ, ⊑, ⊓,⊔,  ), where ( ℒ, ⊑ ) is a lattice  S is a (finite) set of states, each with a unique name  A is a set of atomic propositions  s 0 is a unique initial state ( s 0  S )  I: S  A  ℒ is the interpretation function that assigns a logic value to each atomic proposition  R: S  S  ℒ is the function that assigns a logic value to each transition between states

12 12 3-valued CTL Ü multi-valued extension of CTL  same syntax as CTL  plus constants from the logic ( T, M, F ) Ü semantics:  replace existential quantification by disjunction, universal quantification by conjunction, so (EX  ) (s) =  t  S s.t. ( R(s,t)   (t) )  t  S ( R(s,t)   (t) ) For all states s, (AX  ) (s) = (  EX(   )) (s) (EG  ) (s) =  (s)  (EX EG  ) (s) (AG  ) (s) = (  EF(   )) (s) Examples: AG (request -> AX pressed) ≟ AG (pressed \/ request) ≟  other operators are defined as in CTL: T F M pressed = T request = F pressed = T request = F pressed = M request = T T TM T

13 13 Model-Checking Cont’d Ü Can a True property evaluate to M? Ü Answer:  Yes  AG (pressed \/  pressed) = M  Comes from law of excluded middle Ü Some terminology:  Compositional semantics  Evaluate each CTL operator, compose according to lattice rules  Thorough semantics [Bruns&Godefroid 00]  Property evaluates to M iff exists a refinement where it evaluates to T and a refinement where it evaluates to F.  $$ to evaluate

14 14 Symbolic mv model-checking Ü Similar idea to classical model-checking  recursively go through the structure of XCTL property  encode sets of states symbolically  encode transition relation symbolically Ü Data structures  direct approach: MDDs  the number of terminal nodes and branching factor equal to number of values in logic  Example: x  y in 3-valued logic x yy FMT F F F M M M T TT  can use BDD vector …  or mixed approaches (MBTDDs, MTBDDs)

15 15 Reduction to Classical Ü [Bruns&Godefroid’99]. Assumption: transition relation is classical  Move negation to level of atomic propositions  Create a positive and negative version of every atomic proposition  Let x = M.  Positive cut:  Set x and and  x to True  PosAnswer = check property  Negative cut:  Set x and and  x to False  NegAnswer = check property Ü If NegAnswer = PosAnswer (True or False)  Return this as answer Ü Else  Return Maybe

16 16 Example p = T q = F z- =T z+=T p = T q = F z = F p = T q+ = T q- = T z = F Model Positive Cut [[p ∧¬q ∨z ]](s 0 ) = T p = T q = F z = M p = T q = F z = F p = T q = M z = F

17 17 Example p = T q = F z- = F z = F p = T q = F z = F p = T q+ = F q- = F z = F Model Negative Cut p = T q = F z = M p = T q = F z = F p = T q = M z = F [[p ∧¬q ∨z ]](s 0 ) = F Therefore, the answer is M

18 18 Example p = T q = F z- =T z+= T p = T q = F z = F p = T q+ = T q- = T z = F Model Positive Cut p = T q = F z = M p = T q = F z = F p = T q = M z = F [[EX (p ∧¬q ∨z )]](s 0 ) = T

19 19 Example p = T q = F z- = F z = F p = T q = F z = F p = T q+ = F q- = F z = F Model Negative Cut p = T q = F z = M p = T q = F z = F p = T q = M z = F [[EX (p ∧¬q ∨z )]](s 0 ) = T Therefore, the answer is T

20 20 Reduction to Classical (Take Two) Ü [Gurfinkel&Chechik 2003] Ü Assumptions:  States can be 3-valued, transition relation can be three- valued Ü Reduction steps  for True and Maybe, construct a cut formula equivalent to [[ ϕ ]](s)⊒j  logic: from mv CTL to restricted mv-logic with two-valued answers  model: unchanged  transform each cut to a classical model-checking problem  logic: from restricted mv-logic to classical CTL  model: from ΧKripke structure to classical Kripke structure

21 21 Propositional Logic [[p ∧¬q ∨z ]](s 0 ) = M [[T ∧¬M ∨F ]](s 0 ) [[T ∧M ∨F ]](s 0 ) [[M ∨F ]](s 0 ) [[M ]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T

22 22 Propositional Logic – the cut [[T ∧F ∨F ]](s 0 ) [[F ∨ F ]](s 0 ) F ‖p ∧¬q ∨z ‖(s 0 ) ⊒ M [[p ∧¬q ∨z ]](s 0 ) ⊒ T [[ ]](s 0 )(p ⊒ T)(¬q ⊒ T)(z ⊒ T)∧∨ T p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T

23 23 Combining Results [[p ∧¬q ∨z ]](s 0 ) ⋣ T [[p ∧¬q ∨z ]](s 0 ) ⊒ M Therefore, [[p ∧¬q ∨z ]](s 0 ) = M T M F  p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T

24 24 Propositional Logic – final step [[p + ∧q - ∨z + ]](s 0 ) [[T∧F ∨F]](s 0 ) [[F]](s 0 ) [[(p ⊒ T) ∧(¬q ⊒ T) ∨(z ⊒ T)]](s 0 ) Legend p + represents p ⊒ j p - represents ¬p ⊒ j p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T p+z-p+z- p+q-z-p+q-z- p+q-p+q-

25 25 Existential Temporal Logic – the cut [[ EX ( p ∧¬q ∨z )]](s 0 ) ⊒ T ∨ t∈S R(s 0,t) ∧[[p ∧¬q ∨z ]](t) ⊒ T ∨ t∈S (R(s 0,t) ⊒ T) ∧([[p ∧¬q ∨z ]](t) ⊒ T) ∨ t∈S (R(s 0,t) ⊒ T) ∧[[(p ⊒T)∧(¬q ⊒T)∨(z ⊒T)]](t) [[ EX ⊒ T (( p ⊒T)∧(¬q ⊒T)∨(z ⊒T))]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F

26 26 Existential Temporal Logic – final step [[EX ⊒T ( p + ∧q - ∨z + )]](s 0 ) [[ EX( p + ∧q - ∨z + )]](s 0 ) [[EX ⊒T ((p ⊒T)∧(¬q ⊒T)∨(z ⊒T))]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T p + z - p + q - z - p + q -

27 27 Universal Temporal Logic – the cut [[AX(p ∧¬q ∨z )]](s 0 ) ⊒ T ∧ t∈S R(s 0,t) ⇒[[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S ¬R(s 0,t) ∨ [[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S ¬R(s 0,t) ⊒ T ∨ [[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S ¬(R(s 0,t) ⊒ M) ∨ [[p ∧¬q ∨z ]](t) ⊒ T ∧ t∈S (R(s 0,t) ⊒ M) ⇒ [[p ∧¬q ∨z ]](t) ⊒ T [[AX ⊒ M (( p ⊒T) ∧(¬q ⊒T) ∨(z ⊒T))]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T Dealing with negation  In 3-valued logic  ¬b ⊒ T iff ¬(b ⊒ M)  since ¬b ⊒ T iff b = F T M F

28 28 Universal Temporal Logic – final step [[AX ⊒ M (( p ⊒T)∧(¬q ⊒T)∨(z ⊒T))]](s 0 ) [[AX ⊒ M (p + ∧q - ∨z + )]](s 0 ) [[AX(p + ∧q - ∨z + )]](s 0 ) p = T q = F z = M p = T q = F z = F p = T q = M z = F M M T T T p + z - p + q - z - p + q -

29 29 Handling Mixed Modalities Ü The first reduction step does not change  [[AX EXp]](s 0 )⊒T is transformed into [[AX ⊒M EX ⊒T (p⊒T)]](s 0 ) Ü Problem with the second step  need a Kripke structure with two types of transitions  ⊒M for universal modality  ⊒T for existential modality Ü Solution  treat transitions labels as actions  convert the resulting Labeled Transition System into a Kripke structure Ü Disadvantage  introduces a new variable  size of the statespace doubles

30 30 Summary of the Reduction Ü Multi-valued model-checking problem is reduced to several classical problems  one classical problem for True and one for Maybe  size of the formula does not change  atomic literals are changed to “plus” and “minus” versions  other parts remain unchanged  for universal and existential fragments  statespace of resulting Kripke structure is similar to the original  for formulas with both universal and existential modalities  statespace of the resulting Kripke structure is double of the original  formulas with fixpoint operators are handled similarly  (see Gurfinkel, Chechik, CONCUR’03)

31 31 Abstraction  Abstraction Function  : S ! S’ S S’

32 32 Abstraction Ü Using 3-valued logic  introduce new special value Maybe to stand for “unknown”  Formally:  [[v]] (a) = T iff  s   (a) [[v]](s) = T  [[v]] (a) = F iff  s   (a) [[v]](s) = F  [[v]] (a) = M iff  s   (a) [[v]](s) = T and  t   (a) [[v]](t) = F  Examples:  r (s 0,1 )=T ⇒ r (s 0 )=Tp (s 0,1 )=M p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 s 0,1 s2s2 p=M q=F r=T p=T q=T r=F T F M

33 33 Refresher: Over- and Under-approximations Ü M’ is an over-approximation of M, or M’ simulates M if  R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t 1 ) and (s, s 1 )  R Ü M’ is an under-approximation of M, or M simulates M’ if  R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t’) and (s, s 1 )  R

34 34 Existential Abstraction (Over-Approximation) I I

35 35 Universal Abstraction (Under-Approximation) I I

36 36 3-Val Transition Relation Ü Let R(s,t) = T if R(s,t)  R   R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t’) and (s, s 1 )  R  Let R(s,t) = F if R(s,t) ∉ R   R  [Dams’97]: (t, t 1 )  R’ iff  s   (t) s.t.  s 1   (t 1 ) and (s, s 1 )  R Ü Else R(s,t) = M

37 37 3-valued abstraction I I M T T M M M M M M T

38 38 T F M Abstraction Ü Using 3-valued logic  introduce new special value Maybe to stand for “unknown” AX r (s 0,1 )=M EX r (s 0,1 )=T p¬qrp¬qr pq¬rpq¬r ¬p¬qr¬p¬qr s0s0 s1s1 s2s2 r pq¬rpq¬r s 0,1 s2s2 T M T p=M q=F r=T p=T q=T r=F

39 39 Model Checking 3-Val abstract Models Ü Preservation Theorem M’ ⊨ φ ⇔ M ⊨ φ False counterexample cannot be spurious No need for simulation! Maybe counterexample requires refinement No guarantee is given about a “Maybe” answer Let φ be an arbitrary property (i.e., expressed in LTL, CTL, mu-calculus) and M’ is a 3-val abstraction of M

40 40 3-Val Abstraction-Refinement Loop Check Counterexample Refine Model CheckAbstract M’, φ M, φ,  No Bug Pass Fail Bug Spurious ’’

41 41 No spurious counterexamples, but abstraction can be too coarse I I Deadend states Bad States Failure State f T MM

42 42 Refinement ’’ ’’ ’’ ’’ ’’ Refinement :  ’ ’’ ’’

43 43 Other use of 3-valued logic Ü Algebra:  use three-valued algebra (Kleene)  intermediate value represents incomplete information or uncertainty T F M  compact representation for all possible refinements of this model  if a property is True/False on the partial model, it is True/False on a refined one  initial theory developed by Bruns & Godefroid, CAV’99 p= T q= F r= T p= M q= M r= F p= T q= M r= T s0s0 s2s2 s1s1 T T M M T Application: Most models are incomplete! Allows verification before specification is completed

44 44 Summary Ü Abstraction  Effective tool for combating state explosion  Over-approximation – sound for true universal properties, otherwise – check if counterexample is feasible and then refine  Under-approximation – same for existential properties Ü 3-Valued Abstraction  Specified in 3-val Kleene logic  Allows reasoning about mixed-quantifier properties  No need to check if counter-example is spurious  Counterexample used for refinement Ü 3-Val Model-Checking  Reduces to two runs of classical model-checker  Or can be done directly, say, using MDDs

45 45 Next topic: Ü Software model-checking  (and software model-checking with 3-valued logic)

Download ppt "3-Valued Abstraction and 3-Valued Model-Checking."

Similar presentations

1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.

1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Possibilistic and probabilistic abstraction-based model checking Michael Huth Computing Imperial College London, United Kingdom.

Possibilistic and probabilistic abstraction-based model checking Michael Huth Computing Imperial College London, United Kingdom.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Using 3-Valued Models in Abstraction-based Model Checking Seminar in Formal Verification Spring 2006 Presented by Alik Zamansky.

Using 3-Valued Models in Abstraction-based Model Checking Seminar in Formal Verification Spring 2006 Presented by Alik Zamansky.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
The Theory of NP-Completeness

The Theory of NP-Completeness
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.

Similar presentations

Ads by Google