CEGAR:Counterexample-Guided Abstraction Refinement

Size: px

Start display at page:

Download "CEGAR:Counterexample-Guided Abstraction Refinement"

Allison Shepherd
5 years ago
Views:

1 CEGAR: Counterexample-guided Abstraction Refinement Sayan Mitra ECE/CS 584: Embedded System Verification November 13, 2012

2 Outline Finite State Systems: Abstraction Refinement CEGAR Validation Refinment based on counterexample analysis Cegar for Hybrid Systems

3 Preliminaries Finite state system (FSS) T Q - finite set of states Σ - transition labels q init - initial state Q Σ Q - transition function

4 Abstraction Definition Let T 1 and T 2 be two FSSs. T 2 is an abstraction of T 1 if there exists a function α : Q 1 Q 2 such that α(q1 init ) = q2 init and for a every q 1 1 q 2, α(q 1 ) a 2 α(q 2 ). Notation: T 1 T 2. Given an equivalence relation Q 1 Q 1, define an abstraction T 2 = T 1 / of T 1 as follows: Example Q 2 = Q 1 / a q 2 2 q 2 if there exists q 1 q 2 and q 1 q 2 such that a q 1 1 q 1.

5 Abstraction Why do we want/need to abstract?

6 Abstraction Why do we want/need to abstract? To obtain simpler systems Does an abstraction preserve all properties?

7 Abstraction Why do we want/need to abstract? To obtain simpler systems Does an abstraction preserve all properties? No. It preserves certain properties. Example: If the abstraction is safe, then the original system is safe. Can an abstraction always prove the safety of a safe system?

8 Abstraction Why do we want/need to abstract? To obtain simpler systems Does an abstraction preserve all properties? No. It preserves certain properties. Example: If the abstraction is safe, then the original system is safe. Can an abstraction always prove the safety of a safe system? No. It might not be the right abstraction. How do we search for a right abstraction?

9 Abstraction Why do we want/need to abstract? To obtain simpler systems Does an abstraction preserve all properties? No. It preserves certain properties. Example: If the abstraction is safe, then the original system is safe. Can an abstraction always prove the safety of a safe system? No. It might not be the right abstraction. How do we search for a right abstraction? Refinement!

10 Refinement Definition Let T 1 be a FSS and T 2 its abstraction. A refinement of T 2 is an FSS T 3 such that T 1 T 3 T 2. Example

11 Refinement Definition Let T 1 be a FSS and T 2 its abstraction. A refinement of T 2 is an FSS T 3 such that T 1 T 3 T 2. Example How do we refine? One approach - CEGAR

12 Counter-example guided abstraction refinement Reachability problem: Given a state q f, is it reachable from the initial state of T 1? Construct an abstraction T 2. Model check T 2 : Is α(q f ) is reachable from the initial state of T 2? Answer no T 1 is safe. Answer yes don t know. If yes, returns a path in T 2 which reaches α(q 2 ) - abstract counter-example. Check if the abstract counter-example has a corresponding concrete counter-example - validation If yes, you have found a counter-example, and can conclude that the system is unsafe. Otherwise, abstract counter-example is spurious. Use it to refine the abstraction.

13 CEGAR loop

14 Validation σ = q 1 Definition a 1 2 q 2 a 2 2 q 3 a 3 a k q k+1 : counter-example in T 2. a Validation: Does there exist σ = q 1 a 1 2 q 2 a 2 2 q 3 a 3 k qk+1 in T 1 such that q 1 = q1 init, q k+1 = q f and α(q i ) = q i for all i?

15 Validation σ = q 1 Definition a 1 2 q 2 a 2 2 q 3 a 3 a k q k+1 : counter-example in T 2. a Validation: Does there exist σ = q 1 a 1 2 q 2 a 2 2 q 3 a 3 k qk+1 in T 1 such that q 1 = q1 init, q k+1 = q f and α(q i ) = q i for all i? Validation procedure For 1 i k + 1, compute Reach i : set of all states which can mimic q i a i a k q k+1 and reach q f. Reach k+1 = {q f }. Reach i = α 1 (q i ) Pre(Reach i+1, a i ) for 1 i k. Proposition Concrete σ exists iff Reach 0.

16 Refinement using the counterexample analysis Let j be the largest integer such that Reach j =, i.e., first set in the backward computation which becomes empty. Post(α 1 (q j )) Reach j+1 =. Split q j+1 into two states, such that one contains Post(α 1 (q j )) and the other contains Reach j+1. This is the new abstraction T 3.

17 Related Work CEGAR used in software verification Clarke et. al Microsoft research: SLAM, boolean programs Abstraction mechanisms: Predicate abstraction

18 Review of CEGAR algorithm

19 Hybrid system H = (Loc, q 0, edges, Cont, Cont 0, flow, invariant, guard, reset): Loc - finite set of locations, l 0 Loc - initial location, edges Loc Loc, Cont = R n - set of continuous states, Cont 0 Cont - initial continuous states, flow : Loc Cont (R + Cont), invariant : Loc 2 Cont, guard : edges 2 Cont, and reset : edges 2 Cont Cont.

20 Example: thermostat Loc = {off, on}, l 0 = off, edges = {(off, on), (on, off )}, Cont = R, Cont 0 = {20}, flow(off, x, t) = xe 0.1t and flow(on, x, t) =, invariant(off ) = {x x 18} and invariant(on) =, guard(off, on) = {x x < 19} and guard(on, off ) =, and reset(off, on) = reset(on, off ) = {(x, x) x R}.

21 Semantics of a Hybrid Automaton [[H]] = (Q, Σ, q init, ): Q = Loc Cont, Σ = Actions {τ}, q init = {q 0 } Cont 0. (l, x) a (l, x ): Discrete transitions: a Actions, Continuous transitions: a = τ.

22 Semantics of HA Discrete transitions (l 1, x 1 ) a (l 2, x 2 ) iff edge = (l 1, a, l 2 ): x 1 guard(edge), and (x 1, x 2 ) reset(edge).

23 Semantics of HA Continuous transitions (l 1, x 1 ) τ (l 2, x 2 ) iff l 1 = l 2, t such that flow(l 1, x 1 )(t) = x 2, and for all t [0, t], flow(l 1, x 1 )(t ) invariant(l 1 ).

24 Discrete abstraction Definition Let H 1 and H 2 be two HSs. H 2 is an abstraction of H 1 if there exists a function α : Q 1 Q 2 such that α(q1 init ) = q2 init and for a every q 1 1 q 2, α(q 1 ) a 2 α(q 2 ).

25 Discrete abstraction Definition Let H 1 and H 2 be two HSs. H 2 is an abstraction of H 1 if there exists a function α : Q 1 Q 2 such that α(q1 init ) = q2 init and for a every q 1 1 q 2, α(q 1 ) a 2 α(q 2 ). Finite partition of the state space Construct the transitions - time transitions and discrete transitions

26 Challenges Defining the partition - by linear constraints, polynomial constraints, ellipsoids etc.

27 Challenges Defining the partition - by linear constraints, polynomial constraints, ellipsoids etc. Computing discrete transitions - computing weakest preconditions, intersections. P a P iff Pre(P, a) P.

28 Challenges Defining the partition - by linear constraints, polynomial constraints, ellipsoids etc. Computing discrete transitions - computing weakest preconditions, intersections. P a P iff Pre(P, a) P. Computing time transitions - computing time predecessors, intersections. Depends on the continuous dynamics P τ P iff t Pre(P, t) P.

29 Challenges Defining the partition - by linear constraints, polynomial constraints, ellipsoids etc. Computing discrete transitions - computing weakest preconditions, intersections. P a P iff Pre(P, a) P. Computing time transitions - computing time predecessors, intersections. Depends on the continuous dynamics P τ P iff t Pre(P, t) P. Often can only compute an approximation of t Pre(P, t). But still an abstraction!

30 CEGAR loop

31 Validation σ = q 1 a 1 2 q 2 a 2 2 q 3 Validation procedure a 3 a k q k+1 : counter-example in T 2. For 1 i k + 1, compute Reach i : set of all states which can mimic q i a i a k q k+1 and reach q f. Reach k+1 = {q f } inv(q f ). Reach i = α 1 (q i ) Pre(Reach i+1, a i ) for 1 i k.

32 Validation σ = q 1 a 1 2 q 2 a 2 2 q 3 Validation procedure a 3 a k q k+1 : counter-example in T 2. For 1 i k + 1, compute Reach i : set of all states which can mimic q i a i a k q k+1 and reach q f. Reach k+1 = {q f } inv(q f ). Reach i = α 1 (q i ) Pre(Reach i+1, a i ) for 1 i k. Cannot compute Reach i exactly. What do we do?

33 Validation σ = q 1 a 1 2 q 2 a 2 2 q 3 Validation procedure a 3 a k q k+1 : counter-example in T 2. For 1 i k + 1, compute Reach i : set of all states which can mimic q i a i a k q k+1 and reach q f. Reach k+1 = {q f } inv(q f ). Reach i = α 1 (q i ) Pre(Reach i+1, a i ) for 1 i k. Cannot compute Reach i exactly. What do we do? If validation fails, i.e., Reach k = for some k, continue to the refinement step. Otherwise, use better Pre computation. (After sometime, give up!) If Reach 0, cannot conclude anything. But can only conjecture that the design is probably not good.

34 Refinement Let k be the largest integer such that Reach k =, i.e., first set in the backward computation which becomes empty. Post(α 1 (q i )) Reach k+1 =. Split q k+1 into two states, such that one contains Post(α 1 (q i )) and the other contains Reach k+1. This is the new abstraction T 3. Add some constraint that splits the two sets of states. Alur et. al - find separating predicates for polyhedra.

35 Some remarks Need not terminate, unlike for the finite state case. Even upon termination due to validation of a counter-example, cannot conclude that the system is erroneous (due to overapproximations). In general, computing abstractions is expensive.

36 Hybrid Automata based CEGAR Main concept Abstract a hybrid automaton by another simpler hybrid automaton.

37 Hybrid Automata based CEGAR Main concept Abstract a hybrid automaton by another simpler hybrid automaton. Constructing abstractions may be easier, example, approximating a linear system by a rectangular system. Need different refinement methods. Hybrid Automata based CEGAR for rectangular hybrid automata - complete for the initialized fragment.

38 Abstraction α Loc : Loc 1 Loc 2. α edges : edges 1 edges 2. α Var : R Var 1 R Var 2.

39 Abstraction Example: α Loc : Loc 1 Loc 2. α edges : edges 1 edges 2. α Var : R Var 1 R Var 2. x 1, x 2, x 3 - variables in H 1. z 1, z 2 - variables in H 2. α Var (z 1 ) = x 1 + 3x 2 α Var (z 2 ) = x 1 x 3

40 CEGAR for rectangular hybrid automata Abstract a rectangular hybrid automata by another hybrid automata. Example

41 CEGAR for rectangular hybrid automata Abstract a rectangular hybrid automata by another hybrid automata. Example Focus on scaling/omitting variable abstractions. Refinement in rectangular hybrid automaton by adding or scaling variables. Completeness Can compute reach exactly. When the variable abstraction function corresponds to scaling/omitting variables, and the rectangular hybrid automaton is initialized rectangular, the CEGAR loop terminates always with the right answer. Abstracts initialized RHA to initialized RHA. IRHA have finite bisimilation (when converted to multirate automata).

42 Summary CEGAR for discrete systems. CEGAR for hybrid systems. Discrete abstractions Alur et. al - TACAS 2003 Clarke et. al - TACAS 2003 Hybrid abstractions Larsen et. al - FORMATS 2007, Prabhakar et. al - VMCAI CEGAR for stability Duggirala & Mitra ICCPS 2011, HSCC 2012

Lecture 6: Reachability Analysis of Timed and Hybrid Automata

University of Illinois at Urbana-Champaign Lecture 6: Reachability Analysis of Timed and Hybrid Automata Sayan Mitra Special Classes of Hybrid Automata Timed Automata ß Rectangular Initialized HA Rectangular