Ranked Predicate Abstraction for Branching Time. Complete, Incremental, and Precise

Size: px

Start display at page:

Download "Ranked Predicate Abstraction for Branching Time. Complete, Incremental, and Precise"

Christopher Harvey
5 years ago
Views:

1 : Complete, Incremental, and Precise Harald Fecher 1 Michael Huth 2 1 Christian-Albrechts-University at Kiel, Germany 2 Imperial College London, United Kingdom Beijing, ATVA 2006

2 Main Issues Foundation for counter-example-guided abstraction refinement (CEGAR) for the full mu-calculus: Development of extended predicate abstraction: sound, precise, incremental, and complete

3 Introduction Branching time (multiple system observers; biological systems) Branching time logic: mu-calculus having least and greatest fixpoints Model checking not directly applicable on large or infinite systems Counter-example-guided abstraction refinement (CEGAR): initial abstraction; model check; spurious counterexample refinement; loop Abstraction technique: predicate abstraction (synthesized automatically using theorem prover)

4 Predicate abstraction Divide concrete state space by a set of predicates: abstract state is subset of predicates (related concrete are those satisfing the contained predicates and not satisfying the omitted). Mu-calculus needs over approximation (may-transition) and under approximation (must-transition). Must-hypertransition increase expressiveness.

5 Intro Ranking Model Statements Conclusion Predicate abstraction illustration p 0 p 1 p 1 p 1 = AX (νx.(p 0 EX (p 1 EX EX EX X )))

6 Intro Ranking Model Statements Conclusion Predicate abstraction illustration p 0 p 1 p 1 p 1 = AX (νx.(p 0 EX (p 1 EX EX EX X )))

7 Intro Ranking Model Statements Conclusion Predicate abstraction illustration p p 1 p 1 p 1 3 = AX (νx.(p 0 EX (p 1 EX EX EX X ))) = p0 0 p p 1 p + 1

8 Intro Ranking Model Statements Conclusion Current predicate abstraction insufficient Problem: least fixpoint formulas p 0 p 1 p 1 p 1 = AX (µx.(p 0 EX (p 1 EX EX EX X )))

9 Intro Ranking Model Statements Conclusion Current predicate abstraction insufficient Problem: least fixpoint formulas 1 p 0 0 p 1 p 1 p 1 = AX (µx.(p 0 EX (p 1 EX EX EX X ))) 2 3 = p0 0 p p 1 p + 1

10 Intro Ranking Model Statements Conclusion Current predicate abstraction insufficient Problem: least fixpoint formulas 1 p 0 0 p 1 p 1 p 1 = AX (µx.(p 0 EX (p 1 EX EX EX X ))) No other predicate abstraction does. 2 3 = p0 0 p p 1 p + 1

11 Intro Ranking Model Statements Conclusion Current predicate abstraction insufficient Problem: least fixpoint formulas 1 p 0 0 p 1 p 1 p 1 = AX (µx.(p 0 EX (p 1 EX EX EX X ))) No other predicate abstraction does. Solution: ranking functions 2 3 = p0 0 p p 1 p + 1

12 Ranked predicate abstraction Definition A ranked predicate abstraction ℵ of a state space S is a tuple (I, h ) where h : S I is a surjective function mapping concrete (S) to abstract (I ) states

13 Ranked predicate abstraction Definition A ranked predicate abstraction ℵ of a state space S is a tuple (I, h, ( k ) k K ) where h : S I is a surjective function mapping concrete (S) to abstract (I ) states for all k K, with K a (possible empty) index set, k (S ) (S ) is a pre-order with well-founded irreflexive version < k ;

14 Ranked predicate abstraction Definition A ranked predicate abstraction ℵ of a state space S is a tuple (I, h, J, ( k ) k K ) where h : S I is a surjective function mapping concrete (S) to abstract (I ) states J is a non-empty set of rank locations; [think J to be the subproperties] for all k K, with K a (possible empty) index set, k (S J) (S J) is a pre-order with well-founded irreflexive version < k ;

15 Ranked predicate abstraction Definition A ranked predicate abstraction ℵ of a state space S is a tuple (I, h, J, ( k ) k K ) where h : S I is a surjective function mapping concrete (S) to abstract (I ) states J is a non-empty set of rank locations; [think J to be the subproperties] for all k K, with K a (possible empty) index set, k (S J) (S J) is a pre-order with well-founded irreflexive version < k ; I + J + K is finite.

16 Hypermixed Kripke structures The abstract model has to be extended by Fairness constraints (Streett over transitions naturally occur) and May-hypertransition (conjunctively interpreted) for handling J.

17 Hypermixed Kripke structures The abstract model has to be extended by Fairness constraints (Streett over transitions naturally occur) and May-hypertransition (conjunctively interpreted) for handling J. Streett: Infinite 1-transitions infinite 2-transitions

18 Hypermixed Kripke structures The abstract model has to be extended by Fairness constraints (Streett over transitions naturally occur) and May-hypertransition (conjunctively interpreted) for handling J. refines Streett: Infinite 1-transitions infinite 2-transitions

19 Satisfaction Via Games: in EX : Verifier choose must hypertrans; Refuter choose element from target in AX : Refuter choose may hypertrans; Verifier choose element from target Verifier wins infinite plays: Non-acceptance at the model or acceptance at the property

20 Satisfaction example S 00 = AX (µx.(p 0 EX (p 1 EX EX EX X ))) AX : Player I chooses s10 2 or s2 20 EX -circle: Player I chooses must-transition to {s31 0 } she chooses must-transition to {s21 0 } she chooses must-transition to {s1 10, s0 20 } she chooses must-transition to s01 1, resp. to {s1 10, s1 20 } either p 0 is reached or non-acceptant model sequence

21 Soundness Winning conditions for satisfaction are Rabin conditions (since Streett RabinChain). Thus deciding satisfaction is in NP Theorem (Soundness) Suppose M 1 refines M 2 and φ is mu-calculus formula: M 2 = φ M 1 = φ

22 ℵ-abstraction game Player I tries to show that model M 1 is abstracted by model M 2 up to ranked predicate abstraction ℵ (is ℵ-abstracted by): Player II can additionally switch between states of M 1 that map to the same elements via the abstraction function h as long as no contradiction to the ranking functions of ℵ is produced. Player I controls the ranking positions J. Theorem If M 1 is ℵ-abstracted by M 2, then M 1 is abstracted by M 2.

23 Intro Ranking Model Statements Conclusion Precise abstraction 0,0 p ,1 3,2 4,3 5,4 p 1 p 1 p 1 1,2 2,3 3,4 2 3 J={g,b} and (s,j ) 0 (s,j) ω(s,j ) ω(s,j) where ω(s,j) is depicted with colors

24 Intro Ranking Model Statements Conclusion Precise abstraction State space: I J (K {0, 1, 2}) function indicates for k K if k remains equal, decrease, or increase 0,0 p ,1 3,2 4,3 5,4 p 1 p 1 p 1 1,2 2,3 3,4 2 3 J={g,b} and (s,j ) 0 (s,j) ω(s,j ) ω(s,j) where ω(s,j) is depicted with colors

25 Intro Ranking Model Statements Conclusion Precise abstraction State space: I J (K {0, 1, 2}) function indicates for k K if k remains equal, decrease, or increase 0,0 p ,1 3,2 4,3 5,4 p 1 p 1 p 1 1,2 2,3 3,4 2 3 J={g,b} and (s,j ) 0 (s,j) ω(s,j ) ω(s,j) where ω(s,j) is depicted with colors

26 Intro Ranking Model Statements Conclusion Precise abstraction State space: I J (K {0, 1, 2}) function indicates for k K if k remains equal, decrease, or increase 0,0 p ,1 3,2 4,3 5,4 p 1 p 1 p 1 1,2 2,3 3,4 2 3 J={g,b} and (s,j ) 0 (s,j) ω(s,j ) ω(s,j) where ω(s,j) is depicted with colors

27 Intro Ranking Model Statements Conclusion Precise abstraction State space: I J (K {0, 1, 2}) function indicates for k K if k remains equal, decrease, or increase 0,0 p ,1 3,2 4,3 5,4 p 1 p 1 p 1 1,2 2,3 3,4 2 3 J={g,b} and (s,j ) 0 (s,j) ω(s,j ) ω(s,j) where ω(s,j) is depicted with colors Streett fairness: at any k K, if the state function (third component) at k is infinitely often 1, then it is also infinitely often 2.

28 Preciseness Theorem (Precision) The defined abstraction M ℵ is finite and a precise ℵ-abstraction, i.e., M ℵ is a ℵ-abstraction of M and if M 2 is a ℵ-abstraction of M, then M 2 abstracts M ℵ.

29 Incremental Definition ℵ 1 is an extension of ℵ 2 if the partition is finer and only ranking functions are added. Theorem If ℵ 1 is an extension of ℵ 2, then M ℵ1 is abstracted by M ℵ2. Theorem (Confluence of extensions) For ℵ 1 and ℵ 2 there is constructible predicate abstraction being an extension of ℵ 1 and of ℵ 2.

30 Intro Ranking Model Statements Conclusion Non-trivial ranking positions J necessary for completeness There is no ranked predicate abstraction ℵ of p 0 p 1 p 1 p 1 such that its J is a singleton and its abstraction satisfies AX (µx.(p 0 EX (p 1 EX EX EX X ))). We already saw that it is possible with non-singleton J.

31 Completeness Let M Kripke structure and θ memoryless strategy for M = φ. Partition (function h θ ): states are equivalent if they satisfy same subformulas via θ and θ behaves same on -properties Ranking locations J: set of subproperties Ranking function ω θ,k : the least number of unfoldings necessary to guarantee that no further 2k + 1 value (level of fixpoint operator nesting; odd number always corresponds to least fixpoints) can be reached via θ by remaining below 2k + 2. Theorem (Completeness) For this constructed ranked predicate abstraction ℵ θ we have (M ℵθ, (h θ (s), q, g)) = φ whenever θ is winning for (s, q).

32 Conclusion Development of extended predicate abstraction that is sound, precise, incremental, and complete for the full mu-calculus (i.e. liveness properties are adequately handled). Good foundation for the automated synthesis of abstractions and counter-example-guided abstraction-refinement for branching time. Application: extension of existing tools like BLAST or SLAM.

3-Valued Abstraction-Refinement

3-Valued Abstraction-Refinement Sharon Shoham Academic College of Tel-Aviv Yaffo 1 Model Checking An efficient procedure that receives: A finite-state model describing a system A temporal logic formula