From Model Checking to Proof Checking ... and Back

Kedar Namjoshi
Bell Labs
April 29, 2005
Abstraction ∘ Model Checking = Deductive Proof

[Overview diagram: a Certifying Model Checker links MODEL CHECKING (M ⊨ φ) to PROOF CHECKING (M ⊢ φ); Abstraction relates M to M̂ (M̂ ⊨ φ, M̂ ⊢ φ); the edges are labelled Abstraction, Proof Lifting and Completeness.]
I. From Model Checking to Proof Checking

We show how to build a "certifying" model checker, one that generates a proof to justify its result.

Why bother?
• Proofs generalize counterexample traces for failure
• A proof is an independently-checkable certificate for success (think PCC for temporal properties)
• A proof is a convenient data structure for interactive exploration and incremental model checking
CTL Basics

The CTL logic is built out of atomic propositions, boolean operators, and the temporal operators EX(φ) ("φ holds of some successor"), E(φ W ψ) ("φ unless ψ"), and E(φ U ψ) ("φ until ψ").

Some derived operators:
EF(φ) ("φ is reachable") = E(true U φ)
AX(φ) ("all successors satisfy φ") = ¬EX(¬φ)
AG(φ) ("φ is invariant") = ¬EF(¬φ)
CTL via fixpoints

The basic CTL operators can be defined as fixpoints of EX-formulas.
• EF(φ) = (min Z: φ ∨ EX(Z))
• E(φ W ψ) = (max Z: ψ ∨ (φ ∧ EX(Z)))

Fixpoint formulas can be re-worked into a structurally simple notation: alternating automata.
Simple Alternating Automata (SAA)

A SAA is just like an NFA, except that the transition function δ maps a state to a boolean formula over atomic propositions and EX.

E.g., EF(P) has a 3-state automaton, with initial state q0:
δ(q0) = q1 ∨ q2; δ(q1) = P; δ(q2) = EX(q0)

This is just the parse graph of (min Z: P ∨ EX(Z)). The (Büchi) acceptance set, F, is empty.
Theorem 0. Every CTL formula can be represented by an SAA of proportional size.
An Automaton-based proof system

To show that a program M with state set S and transition relation R satisfies an automaton property (Q, q̂, δ, F) we need, for each automaton state q:
• An invariance predicate, φq ⊆ S, and
• A partial rank function, ρq: S → N

Roughly speaking, the invariance assertions state that any (reachable) state of M satisfying q falls within the "safe" set φq. The rank function marks the "distance" to reaching a Büchi state; it is re-set when the distance is 0.
Conditions for a valid Proof

• Consistency: ρq is defined for every state in φq
• Initiality: Every initial state of M satisfies φq̂
• Safety and Progress: Based on δ(q)
  • l (a literal): φq(s) ⇒ l(s), for all s.
  • (∨j: qj): (similarly for ∧) φq(s) ⇒ (∃j: φqj(s) ∧ (ρqj(s) <q ρq(s)))
  • EX(r): (similarly for AX) φq(s) ⇒ (∃t: sRt: φr(t) ∧ (ρr(t) <q ρq(s)))

The relation a <q b = if q ∉ F then a < b else true.

Progress and safety have to be checked together because of the EX and ∨ operators.
Generating a Proof - I

Key: model check with automata instead of CTL
1. Turn the CTL specification into a simple automaton
2. Form an AND-OR product graph of the program M and automaton A
3. Check the canonical property: does Player I have a winning strategy?

WI = (max Z; min Y: tt ∨ (OR ∧ (F ⇒ EX(Z)) ∧ (¬F ⇒ EX(Y))) ∨ (AND ∧ (F ⇒ AX(Z)) ∧ (¬F ⇒ AX(Y))))
Generating a Proof - II

Now set:
1. the invariant φq to be {s: (s, q) ∈ WI}
2. the rank ρq(s) to the index of the earliest stage for Y where (s, q) is added, during the last Z iteration.

This works!

Theorem 1. The proof system is sound and (relatively) complete.
Generating Proofs - IV

Problem: we do not know before-hand whether the check succeeds or fails.

Immediate Solution: Generate proofs after normal model checking. (This requires two runs of the model checker.)

Better Solution? Exploit duality. If WI fails to hold of all initial states, then its dual, WII, holds of some initial state. So keep approximations for both Y and Z, and use whichever is appropriate at the end.
A Simple Example: 2-process, Atomic Bakery Protocol

var st1, st2: {N, W, C}   (* N = "Non-critical", W = "Waiting", C = "Critical" *)
var y1, y2: natural
initially (st1 = N) ∧ (y1 = 0) ∧ (st2 = N) ∧ (y2 = 0)

wait_1:    st1 = N ↪→ st1, y1 := W, y2 + 1
enter_1:   st1 = W ∧ (y2 = 0 ∨ y1 ≤ y2) ↪→ st1 := C
release_1: st1 = C ↪→ st1, y1 := N, 0
wait_2:    st2 = N ↪→ st2, y2 := W, y1 + 1
enter_2:   st2 = W ∧ (y1 = 0 ∨ y2 < y1) ↪→ st2 := C
release_2: st2 = C ↪→ st2, y2 := N, 0
The Abstracted Protocol

Abstraction: b1 = (y1 = 0); b2 = (y2 = 0); b3 = (y1 ≤ y2)

var st1, st2: {N, W, C}
var b1, b2, b3: boolean
initially (st1 = N) ∧ b1 ∧ (st2 = N) ∧ b2 ∧ b3

wait_1:    st1 = N ↪→ st1, b1, b2, b3 := W, false, b2, false
enter_1:   st1 = W ∧ (b2 ∨ b3) ↪→ st1, b1, b2, b3 := C, b1, b2, b3
release_1: st1 = C ↪→ st1, b1, b2, b3 := N, true, b2, true
wait_2:    st2 = N ↪→ st2, b1, b2, b3 := W, b1, false, true
enter_2:   st2 = W ∧ (b1 ∨ ¬b3) ↪→ st2, b1, b2, b3 := C, b1, b2, b3
release_2: st2 = C ↪→ st2, b1, b2, b3 := N, b1, true, b1
Abstract Proof

[Figure: reachable abstract state graph, states written as (st1 st2 b1 b2 b3):]
(N N tt tt tt)
(W N ff tt ff)
(N W tt ff tt)
(C N ff tt ff)
(W W ff ff tt)
(W W ff ff ff)
(N C tt ff tt)
(C W ff ff tt)
(W C ff ff ff)

For the mutual exclusion property φ = AG(¬(C1 ∧ C2)), the invariants are just the set of reachable states.
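As an added example (not part of the slides), the following Python code plays both roles described above: it model-checks the abstracted Bakery protocol by computing the reachable states, emits the proof (φq = reachable states, trivial ranks) for the SAA of AG(¬(C1 ∧ C2)), and then checks that proof independently against the consistency, initiality and safety/progress conditions of the automaton-based proof system. The encoding of δ as tuples and the names step, reachable, check_proof and generate_proof are this example's own choices.

```python
# Abstract state = (st1, st2, b1, b2, b3), with b1 = (y1 = 0), b2 = (y2 = 0),
# b3 = (y1 <= y2) as in the abstracted protocol on the slides.
INIT = {('N', 'N', True, True, True)}

def step(s):
    """Successors of abstract state s under the six guarded commands."""
    st1, st2, b1, b2, b3 = s
    t = set()
    if st1 == 'N':                    t.add(('W', st2, False, b2, False))  # wait_1
    if st1 == 'W' and (b2 or b3):     t.add(('C', st2, b1, b2, b3))        # enter_1
    if st1 == 'C':                    t.add(('N', st2, True, b2, True))    # release_1
    if st2 == 'N':                    t.add((st1, 'W', b1, False, True))   # wait_2
    if st2 == 'W' and (b1 or not b3): t.add((st1, 'C', b1, b2, b3))        # enter_2
    if st2 == 'C':                    t.add((st1, 'N', b1, True, b1))      # release_2
    return t

def reachable():
    """Model checker side: least fixpoint of the successor relation from INIT."""
    seen, work = set(INIT), list(INIT)
    while work:
        for t in step(work.pop()):
            if t not in seen: seen.add(t); work.append(t)
    return seen

# SAA for AG(not(C1 and C2)) = (max Z: lit and AX(Z)). As a greatest fixpoint,
# every automaton state is accepting (F = Q), so <_q never demands a rank decrease.
mutex = lambda s: not (s[0] == 'C' and s[1] == 'C')
DELTA = {'q0': ('and', ['q1', 'q2']), 'q1': ('lit', mutex), 'q2': ('AX', 'q0')}
F = {'q0', 'q1', 'q2'}

def check_proof(phi, rho, delta=DELTA, F=F, q_init='q0'):
    """Proof checker side: consistency, initiality, safety/progress per delta(q)."""
    less = lambda q, a, b: True if q in F else a < b              # a <_q b
    if (not all(s in rho[q] for q in phi for s in phi[q])          # consistency
            or not all(s in phi[q_init] for s in INIT)):           # initiality
        return False
    for q, (kind, arg) in delta.items():
        for s in phi[q]:                                           # safety + progress
            if kind == 'lit':
                ok = arg(s)
            elif kind in ('and', 'or'):
                hits = [r for r in arg if s in phi[r] and less(q, rho[r][s], rho[q][s])]
                ok = len(hits) == len(arg) if kind == 'and' else bool(hits)
            else:                                                  # 'EX' or 'AX'
                succ = step(s)
                hits = [t for t in succ if t in phi[arg] and less(q, rho[arg][t], rho[q][s])]
                ok = len(hits) == len(succ) if kind == 'AX' else bool(hits)
            if not ok: return False
    return True

def generate_proof():
    """Proof generation as on the slides: phi_q = reachable states, ranks all 0."""
    R = reachable()
    return {q: set(R) for q in DELTA}, {q: {s: 0 for s in R} for q in DELTA}
```

Dropping a reachable state from the invariants makes the AX(q0) condition fail at its predecessors, and adding a (C, C, ...) state makes the literal condition fail, so the checker rejects both a gap and an overclaim without re-running the model checker.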
Concretizing this Proof

Let ξ be a simulation relation from M to M̂. A proof (φ, ρ) on M̂ can be concretized to a proof (φ′, ρ′) on M by letting
φ′q(s) ≡ (∃t: sξt: φq(t)), and
ρ′q(s) = (min t: sξt ∧ φq(t): ρq(t))

So:
φ′q(st1, st2, y1, y2)
= (by definition) (∃b1, b2, b3: b1 ≡ (y1 = 0) ∧ b2 ≡ (y2 = 0) ∧ b3 = (y1 ≤ y2) ∧ φq(st1, st2, b1, b2, b3))
= (simplifying) φq(st1, st2, (y1 = 0), (y2 = 0), (y1 ≤ y2))
Summary: Proof Generation

• It is possible to design a model checker which generates an independently checkable proof of its results.
• This can be done quite easily: COSPAN modification (experimental) about 200 lines of C.
• Generated proofs have several applications ... and perhaps some as-yet-unknown ones!
II. Completeness of Verification via Abstraction
(joint work with Dennis Dams)

Given: Program M, property φ; to check M ⊨ φ
Construct Abstraction: a finite program M̂
Model Check: whether M̂ ⊨ φ

An Abstraction Framework specifies the precise relationship between M and M̂.

Soundness: for any M, φ: if M̂ ⊨ φ, then M ⊨ φ
Completeness: for any M, φ: if M ⊨ φ, there exists an abstraction M̂ such that M̂ ⊨ φ
Summary of New Results

For properties expressed in branching time temporal logics (e.g., CTL, CTL*, or the μ-calculus):

* Negative: Several well-studied abstraction frameworks are incomplete. Examples: bisimulation [Milner71], modal transition system refinement [Larsen-Thomsen88]. This holds even with enhancements such as fairness or stuttering.

* Positive: A simple extension of modal transition systems with new focus operations gives rise to a complete framework. This is intimately connected to the representation of properties by finite tree automata.
Completeness and "Small Model" Theorems

Small Model Theorem [Hossley-Rackoff 72, Emerson 85]: Any satisfiable property of the μ-calculus has a finite model.

Why doesn't this settle the question? ... because the small model need not abstract M.

[Figure: two transition systems, N and M, each containing a state labelled {Q}.]

Example: N is a small model for the property "there is a reachable Q-state". But N and M are unrelated by, say, simulation or modal refinement.
Modal Transition Systems [Larsen-Thomsen 1988]

A (Kripke) MTS is a transition system with
• two transition relations: may (over-approximate) and must (under-approximate) transitions, with must ⊆ may
• a 3-valued (true, false, ⊥) propositional valuation at states

For temporal logics, existential path modalities (e.g., EX) are interpreted over must-transitions; universal path modalities (e.g., AX) over may-transitions. The outcome of model checking is also 3-valued.
Abstraction with MTS's

If c ⊑ a then:
– ∀c′: c → c′ ⇒ (∃a′: a may→ a′ ∧ c′ ⊑ a′)
– ∀a′: a must→ a′ ⇒ (∃c′: c → c′ ∧ c′ ⊑ a′)

Program M
integer x;
L1: {x is even}
L2: if (*) then x := x + 2 else x := x + 4;
L3:

[Figure: abstract states {L2, even(x)}, {L3, even(x)} and {L3, div3(x)}, connected by a must transition and a may transition.]
Incompleteness

Program M
L0: initially even(x)
L1: while (x > 0) do x := x - 2 od;
L2: x := -1

[Figure: the state graph of M; L0 states for even values up to 2n, L1 states with sample values 20, 4, ..., and the L2 state with x = −1.]

Let φ = E(even(x) W (x < 0)).

Theorem 2. No finite MTS abstracts M and satisfies φ.

Proof by contradiction. The property holds for must-paths in M̂; so either (i) even(x) holds forever, or (ii) by finiteness, x is negative within a bounded number of steps. The must-abstraction enforces these properties at every initial state of M, a contradiction!
Consequences and Variations

(Bi-)simulation is a special case of MTS refinement. Hence,

Corollary 0. Abstraction with reverse simulation or bisimulation is incomplete for existential CTL properties.

With a slight modification to the example:

Theorem 3. Abstraction by MTS's with fairness or stuttering is also incomplete for existential CTL properties.

A more elaborate property shows that the same results can be obtained even if M has a single initial state.
State-of-the-art for Completeness

* Model Abstraction: abstract the model, preserve the property
– ACTL, ACTL*: fair simulation [Grumberg-Long 1994, Kupferman-Vardi 1997]
– μ-calculus: fair Focused Transition System abstraction

* Game Abstraction: abstract the model-checking game, preserve the winning condition.
– linear-time: fair simulation [Uribe 1999, Kesten-Pnueli 2000, Kesten-Pnueli-Vardi 2001]
– μ-calculus: fair alternating refinement + choice [Namjoshi 2003]
The Need for Focus Operations

Transition a must→ b exists only if every c: c ⊑ a has a transition to a state abstracted by b.

This forces any abstract MTS for our example to be infinite. E.g., L1: even(x) must↛ L2: (x < 0); so the source must be split; say to L1: (x < 0), L1: (x ≥ 0) ∧ even(x). But again L1: (x ≥ 0) ∧ even(x) must↛ (x < 0).

Can one somehow relax the must-transition definition? (Such a relaxation must preserve soundness.)
Alternating Automata

An alternating automaton for E(even(x) W (x < 0))

[Figure: alternating automaton with states q0, ..., q4, built from ∨, ∧ and EX moves over the literals (x < 0) and even(x); accepting states are marked OK.]

During model checking, each automaton state is associated with a set of program states.

Can an automaton be viewed as an abstract transition system?
Focus Steps

A focus step splits an abstract state into a set of more precise abstract states (case-splitting).

A Focused Transition System (FTS) is an MTS with focus and (dual) de-focus steps.

For our example:

[Figure: FTS with abstract states a0, ..., a4; a FOCUS step out of a0 with cases {even(x)} and {(x < 0)}, a MUST transition, and a DEFOCUS step.]
a0: L0, L1: even(x), L2: (x < 0)
a1: L2: (x < 0)
a2: L0, L1: even(x)
a3: L0, L1: even(x)
a4: L0, L1: even(x)

Note the similarity to the automaton — this is no accident.
Completeness via Automata

Theorem 4. For any M and any μ-calculus property φ, if M ⊨ φ, there is a finite FTS M̂ such that M̂ both abstracts M and satisfies φ.

The FTS M̂ may be obtained by: (i) converting φ to a finite alternating tree automaton Aφ, then (ii) converting Aφ to an FTS Âφ (roughly) as follows.

AX-move ⇒ may transition
EX-move ⇒ must transition
∨-move ⇒ focus transition
∧-move ⇒ de-focus transition
acceptance condition ⇒ fairness condition
Maximal Models

Notice that M̂ = Âφ is independent of M! Thus, Âφ is a maximal model for φ.

By results of [Emerson-Jutla 1991], this maximal model has size linear in the size of φ.

Maximal model results for ACTL, ACTL* [Grumberg-Long 1994, Kupferman-Vardi 1997] require exponential-size models.

Maximal models reduce model checking to simulation-checking.
Completeness: Summary

• May-Must abstraction does not guarantee the existence of finite abstractions for existential temporal properties.
• The key to obtaining completeness seems to be a notion of ε-state-splitting we call a focus step.
• FTS's are intimately connected to alternating tree automata. It turns out [Dams-Namjoshi, VMCAI 2005] that non-deterministic automata suffice. In effect: transition systems + fairness + choice
• FTS's also ensure more precision in must-abstractions. (cf. [de Alfaro-Godefroid-Jagadeesan, LICS 2004])
To sum up

Model Checking and Proof Checking are closely linked, with Abstraction as the "glue".
(Partial) Reference List

I. From Model Checking to Proof Checking
[Stevens-Stirling, TACAS 1998] Practical Model-Checking Using Games
[Namjoshi, CAV 2001] Certifying Model Checkers
[Peled-Zuck, SPIN 2001] From Model Checking to a Temporal Proof
[Peled-Pnueli-Zuck, FSTTCS 2001] From Falsification to Verification
[Clarke-Jha-Lu-Veith, LICS 2002] Tree-like Counterexamples in Model Checking
[Tan-Cleaveland, CAV 2002] Evidence-Based Model Checking
[Henzinger-Jhala-Majumdar-Necula-Sutre-Weimer, CAV 2002] Temporal-Safety Proofs for Systems Code
[Gurfinkel-Chechik, TACAS 2003] Proof-like counterexamples
[Namjoshi, VMCAI 2003] Lifting Temporal Proofs through Abstractions
[Namjoshi, CAV 2004] An Efficiently Checkable, Proof-Based Formulation of Vacuity in Model Checking

Reference List - II

II. ... and Back
[Uribe, Thesis 2000] Abstraction-Based Deductive-Algorithmic Verification of Reactive Systems
[Kesten-Pnueli, Inf. Comp. 2000] Verification by augmented finitary abstraction
[Namjoshi, CAV 2003] Branching-Time Abstraction
[Dams-Namjoshi, LICS 2004] The Existence of Finite Abstractions for Branching Time Model Checking
[Dams-Namjoshi, VMCAI 2005] Automata as Abstractions
... Additional Slides ...

FTS's and Disjunctive MTS's [Larsen-Xinxin 1990]

DMTS's were introduced to guarantee a solution to CCS equations of the form {Ci(X) = Ei}.

DMTS's split a must-transition into cases: instead of a must→ b, allow a must→ {B0, B1, ...} where the Bi are sets of abstract states.

Re-discovered in [Shoham-Grumberg 2004, de Alfaro-Godefroid-Jagadeesan 2004] for increasing the precision of abstractions.

FTS's are different in that one first splits a state, then constructs ordinary must transitions.