Post on 19-Dec-2015
Page 1
Abstractions
Page 2
Outline
Informal intuition
Why do we need abstraction?
What is an abstraction and what is not an abstraction
A framework for abstractions
Commonly used abstractions
Page 3
Limitations of model checking
Finite state technique
Cannot deal with general data: integers, lists, etc., unbounded message queues
Cannot deal with parameterized systems
Suffers from state explosion: concurrency, data domains
Page 4
Abstraction
Represent the program using a smaller model.
Pay attention to preserving the checked properties.
Do not affect the flow of control.
Page 5
Example
Use smaller data objects.
X := f(m)
Y := g(n)
if X*Y > 0 then … else …
X, Y never used again.
Page 6
How to abstract?
Assign values {-1, 0, 1} to X and Y, based on the following connection:
sgn(X) = 1 if X>0, 0 if X=0, and -1 if X<0.
sgn(X)*sgn(Y) = sgn(X*Y).
Change f and g to produce abstract values for X and Y.
Page 7
Abstraction vs. simplification
Not every simplified system is an abstraction
The key question is: if we prove or disprove a property of the simplified system, what have we learned about the original system?
Page 8
Example
False positive: Can the sender overwrite a value? True in the simplified system, false in the original.
False negative: Can the receiver deadlock? False in the simplified system, true in the original.
Figure: the original system (send, receive, a queue with its contents …) and the simplified system (send, receive, the queue abstracted to "empty" / "not empty").
Page 9
Precise abstractions
Accept neither false positives nor false negatives
Minimizations up to an equivalence
Elimination of unreachable states
Very restrictive!
Figure: a model whose states are all labelled a, and its minimization up to an equivalence.
Page 10
Precise abstractions
int i = 0
while i < 2 do i = i + 1
Replace integer type with enumerated type {0,1,2}
Requires a deductive step
With “on-the-fly” model construction, this abstraction is free – but may not terminate if you “miss”
Page 11
Over-approximations
Throw in more behaviors
Also called conservative approximations
Accept false positives but not false negatives
If the property is proved in the abstract system, it also holds in the concrete system
If the property fails in the abstract system, it may or may not fail in the concrete system
Page 12
Abstraction w.r.t. properties
A conservative approximation is always with respect to a set of properties
If your set of properties is closed under negation, you have a precise abstraction. Why?
Commonly used sets of properties: reachability, safety, ACTL
Page 13
Abstract LTL verification
Concrete correctness condition: L(ConcreteModel) ⊆ L(Spec)
Over-approximation: L(ConcreteModel) ⊆ L(AbstractModel)
Abstract correctness condition: L(AbstractModel) ⊆ L(Spec)
Implies the concrete correctness condition!
Page 14
What is a good abstraction?
We want an abstraction that is as compact as possible, but preserves the properties we are interested in
An abstraction that is “too loose” is not useful: too many false alarms
Page 15
Conservative analysis
Iterative process of model checking and abstraction refinement
Verification is now semi-decidable!
Figure: concrete model → abstract → abstract model → verify; pass → concrete model ok; fail → counterexample; counterexample fake → refine abstraction; counterexample real → fix model.
Page 16
Under-approximations
Is under-approximation a useful abstraction technique? Yes, but not as common
Testing: abstract the set of executions to the (equivalence class of) tested executions
Found a bug – it is real!
There is always one more bug…
Page 17
Abstract interpretation
A framework for abstraction: P. Cousot and R. Cousot (1977-2002)
NOT constructive: offers means of proving an abstraction, does not help finding an abstraction
Mathematically captured as Galois connections
Page 18
Galois connections
A and C are partially ordered sets
α is the abstraction function
γ is the concretization function
Always an over-approximation:
$(C, \sqsubseteq),\ (A, \sqsubseteq),\ \alpha : C \to A,\ \gamma : A \to C$
$\forall x \in C,\ y \in A:\ \alpha(x) \sqsubseteq y \iff x \sqsubseteq \gamma(y)$
$x \sqsubseteq \gamma(\alpha(x))$
Page 19
Classical example
Abstract sets of integers as intervals
C: sets of integers ordered by inclusion
A: intervals with integer boundaries [i1,i2] (i1≤i2) ordered by the “lies within” relation
α: set M ↦ [min(M), max(M)]
γ: [i1,i2] ↦ {i1, i1+1, …, i2}
Figure: in C, {1,4,5} is mapped by α to [1,5] in A; γ maps [1,5] back to {1,2,3,4,5} in C, and {1,4,5} ⊆ {1,2,3,4,5}.
Page 20
Fixpoint abstraction
In behavioral models, concrete and abstract domains are often sets of states
Most analysis algorithms involve fixpoint computation
We want to compute abstract fixpoints and make concrete conclusions
C and A are complete lattices; F is a monotonic function on C
Abstract fixpoint is an overapproximation: $\alpha(\mathrm{lfp}\,F) \sqsubseteq \mathrm{lfp}\,(\alpha \circ F \circ \gamma)$
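An added example (my own code, not from the slides) that builds the interval domain of the classical example as a Galois connection with the powerset of integers, checks the two Galois conditions exhaustively over a small universe, and then computes the abstract least fixpoint of the loop from the "Precise abstractions" slide (i = 0; while i < 2 do i = i + 1) with the transformer α∘F∘γ, confirming α(lfp F) ⊑ lfp(α∘F∘γ). The names alpha, gamma, within and lfp are my own for the slides' α, γ, "lies within" and lfp.

```python
from itertools import combinations

# Added example: the interval domain as a Galois connection with the powerset
# of integers, plus an abstract fixpoint for  i = 0; while i < 2 do i = i + 1.
# alpha/gamma/within/lfp are my names for the slides' alpha, gamma, "lies within", lfp.
BOTTOM = None  # the empty interval, least element of A

def alpha(m):
    """Abstraction: finite set M -> tightest interval [min(M), max(M)]."""
    return BOTTOM if not m else (min(m), max(m))

def gamma(iv):
    """Concretization: [i1, i2] -> {i1, i1+1, ..., i2}."""
    return frozenset() if iv is BOTTOM else frozenset(range(iv[0], iv[1] + 1))

def within(i, j):
    """Order on A: interval i lies within interval j."""
    return i is BOTTOM or (j is not BOTTOM and j[0] <= i[0] and i[1] <= j[1])

def galois_holds(universe):
    """Exhaustive check of  alpha(x) within y  <=>  x ⊆ gamma(y)  over a finite universe."""
    lo, hi = min(universe), max(universe)
    intervals = [BOTTOM] + [(a, b) for a in range(lo, hi + 1) for b in range(a, hi + 1)]
    subsets = [frozenset(c) for r in range(len(universe) + 1)
               for c in combinations(universe, r)]
    return all(within(alpha(x), y) == (x <= gamma(y))
               for x in subsets for y in intervals)

def f_concrete(s):
    """Collecting semantics of the loop on C: values of i after one more step."""
    return frozenset({0}) | frozenset(i + 1 for i in s if i < 2)

def f_abstract(iv):
    """Best abstract transformer alpha o F o gamma on A."""
    return alpha(f_concrete(gamma(iv)))

def lfp(f, bottom):
    """Kleene iteration from bottom; terminates because both domains here are finite."""
    x = bottom
    while f(x) != x:
        x = f(x)
    return x

def fixpoint_overapproximates():
    """Returns (lfp F, lfp of the abstract transformer, alpha(lfp F) within it)."""
    concrete = lfp(f_concrete, frozenset())
    abstract = lfp(f_abstract, BOTTOM)
    return concrete, abstract, within(alpha(concrete), abstract)
```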
Page 21
State-to-state abstraction
Partition concrete states into disjoint sets
Map sets of states to abstract states: α: s ↦ [s]
Initial abstract states: an abstract state is initial if it contains a concrete initial state
Abstract transition: s → t implies [s] → [t]
Page 22
Example
Map “yellow” and “red” to “stop”
Map “green” to “go”
Transitions: go → stop, stop → go, stop → stop
Figure: the concrete traffic light with states green (go), yellow (stop), red (stop), and the reduced model with states go and stop.
Page 23
What do we preserve?
Figure: the same concrete (go, stop, stop) and reduced (go, stop) models.
Every execution of the full model can be simulated by an execution of the reduced one.
Every LTL property that holds in the reduced model holds in the full one.
Page 24
Properties
Preserved: [](go -> O stop)
Not preserved: []<>go
Figure: the same concrete (go, stop, stop) and reduced (go, stop) models.
Page 25
Predicate abstraction
The concrete state space is partitioned according to a set of predicates.
Example: Is the right state reachable? Predicates: x<5, x==5
Figure: initial state x=0; loop transition with guard x<5 and update x=x+2; the state on the right is x==5.
Page 26
Predicate abstraction
Predicates define a partitioning of the state space
Add transitions according to the predicates
Property fails!
Figure: over the same program (x=0; guard x<5; x=x+2; target x==5), the abstract states are labelled by the values of (x<5, x==5): ff, ft, tf, tt.
Page 27
Predicate abstraction
Counterexample is fake!
Refine abstraction: add predicates
New predicate: x is even
Property is true!
Figure: abstract states labelled by the values of (x<5, x==5, x is even): fff, fft, ftf, ftt, tff, tft.
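An added example (my own code, not from the slides) of the predicate abstraction and refinement just shown: the program x = 0; while x < 5 do x = x + 2 is abstracted first with the predicates x<5 and x==5, where the abstract model reaches an x==5 state (the fake counterexample), and then with the added predicate "x is even", where it does not. The abstract transition relation is computed existentially from a constructed bounded range of concrete values (CONCRETE_RANGE); all function names are my own.

```python
from collections import deque

# Added example: predicate abstraction of  x = 0; while x < 5 do x = x + 2.
# CONCRETE_RANGE is a constructed bounded universe of values of x from which the
# abstract transitions are computed existentially; the names below are my own.
CONCRETE_RANGE = range(0, 32)

def step(x):
    """Concrete transition relation: the loop body fires only while the guard holds."""
    return [x + 2] if x < 5 else []

def abstract_state(x, preds):
    """[x]: the tuple of truth values of the predicates at x."""
    return tuple(p(x) for p in preds)

def abstract_model(preds):
    """Existential abstraction: [s] -> [t] whenever some concrete s -> t exists."""
    trans = {}
    for x in CONCRETE_RANGE:
        for y in step(x):
            trans.setdefault(abstract_state(x, preds), set()).add(abstract_state(y, preds))
    return abstract_state(0, preds), trans

def reachable(init, trans):
    """Plain breadth-first search over an explicit transition map."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in trans.get(s, ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def abstract_target_reachable(preds, target):
    """Model-check: can an abstract state with predicate number `target` true be reached?"""
    init, trans = abstract_model(preds)
    return any(s[target] for s in reachable(init, trans))

def concrete_target_reachable(value):
    """Ground truth used to classify an abstract counterexample as fake or real."""
    return value in reachable(0, {x: set(step(x)) for x in CONCRETE_RANGE})

# The predicates from the slides.
lt5 = lambda x: x < 5
eq5 = lambda x: x == 5
even = lambda x: x % 2 == 0
```

With [lt5, eq5] the abstract state (f, t) is reachable although no concrete run reaches x == 5, which is exactly the fake counterexample; adding even removes it.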
Page 28
Symmetry
A permutation is a one-one and onto function p: A -> A. For example, 1->3, 2->4, 3->1, 4->5, 5->2.
One can combine permutations, e.g.,
p1: 1->3, 2->1, 3->2
p2: 1->2, 2->1, 3->3
p1@p2: 1->3, 2->2, 3->1
A set of permutations with @ is called a symmetry group.
Page 29
Using symmetry in analysis
Want to find some symmetry group such that for each permutation p in it, R(s,t) if and only if R(p(s), p(t)) and L(p(s)) = L(s).
Let K(s) be all the states that can be permuted to s. This is a set of states such that each one can be permuted to the other.
Page 30
Figure: the full model. Each state is (Turn, location of process 0, location of process 1), with locations L, NC and CR; init marks the initial state.
Turn=0: (L0,L1), (L0,NC1), (NC0,L1), (CR0,NC1), (NC0,NC1), (CR0,L1)
Turn=1: (L0,CR1), (NC0,CR1), (L0,NC1), (NC0,NC1), (NC0,L1), (L0,L1)
Page 31
The quotient model
Figure: one state per orbit, all with Turn=0: (L0,L1), (L0,NC1), (NC0,L1), (CR0,NC1), (NC0,NC1), (CR0,L1); init marks the initial state.
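An added example (my own code, not from the slides) of the symmetry reduction just shown. The slides draw only the states of the two-process model, so the transition relation in successors is my own construction, chosen so that the states reachable from (Turn=0, L0, L1) are exactly the twelve drawn on the slide; the permutation p swaps the two processes, the check is R(s,t) iff R(p(s),p(t)) and L(p(s)) = L(s), and the quotient keeps one representative per orbit K(s), which gives the six Turn=0 states of the quotient model.

```python
# Added example: symmetry reduction of a two-process turn-based mutual exclusion
# model. successors() is my own construction reproducing the slide's twelve states;
# a state is (Turn, location of process 0, location of process 1), locations L/NC/CR.

def successors(s):
    """Constructed transition relation R."""
    t, a, b = s
    out = []
    if a == "L":
        out.append((t, "NC", b))              # process 0 starts competing
    if b == "L":
        out.append((t, a, "NC"))
    if a == "NC" and t == 0:
        out.append((t, "CR", b))              # enter CR only when it is your turn
    if b == "NC" and t == 1:
        out.append((t, a, "CR"))
    if a == "CR":
        out.append((1, "L", b))               # leaving CR hands the turn over
    if b == "CR":
        out.append((0, a, "L"))
    return out

def reachable(init):
    seen, todo = {init}, [init]
    while todo:
        for n in successors(todo.pop()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def swap(s):
    """The permutation p: exchange the two processes, and therefore the turn."""
    t, a, b = s
    return (1 - t, b, a)

def label(s):
    """Labelling L(s) that must satisfy L(p(s)) = L(s): number of processes in CR."""
    return sum(loc == "CR" for loc in s[1:])

def is_symmetry(states):
    """Check R(s,t) iff R(p(s),p(t)) and L(p(s)) = L(s) over the given states."""
    return all(label(swap(s)) == label(s)
               and {swap(n) for n in successors(s)} == set(successors(swap(s)))
               for s in states)

def quotient(states):
    """One representative per orbit K(s) = {s, p(s)}: the member with Turn = 0."""
    return {min(orbit, key=lambda s: s[0])
            for orbit in {frozenset({s, swap(s)}) for s in states}}
```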
Page 32
Partial order reduction
With independent transitions, you do not have to explore all transitions to prove a property