On bounded model checking, abstract interpretation, interpolants, and induction - PowerPoint PPT Presentation
1 / 18
Title:
On bounded model checking, abstract interpretation, interpolants, and induction
Description:
On bounded model checking, abstract interpretation, interpolants, and induction. K. Rustan M. Leino. Microsoft Research, Redmond, WA, USA ... 'Induction' ... – PowerPoint PPT presentation
Number of Views:303
Avg rating:3.0/5.0
Title: On bounded model checking, abstract interpretation, interpolants, and induction
1
On bounded model checking, abstract
interpretation, interpolants, and induction
- K. Rustan M. Leino
- Microsoft Research, Redmond, WA, USA
IFIP WG 2.3, meeting 4310 Sep 2004Prato, Italy
2
State transition system
- (I, T, R)
- where
- I description of initial states
- T total transition relation
- R description of good states
3
Bounded model checking
- Is R reachable from I viaa finite number of T
steps? - BMC(I,T,R,k) R is reachable from I via at
most k T steps
4
Relations
- Id(s,s) ss
- (RS)(s,s) (? s R(s,s) ? S(s,s))
- Rn RRRR
- a predicate P can be used as a relation, with the
meaning P(s,s) P(s) ? ss - R(s) (? s R(s,s))
- everywhere brackets on predicates P (? s
P(s))
n times
5
Checking reachability
- Reach(I,T,F,k)
- returns (?n 0nk ITn ? F)
- SAT( I(s0) ? (? i 0iltk T(si, si1)) ? (?
i 0ik F(si)) ) - BMC(I,T,R,k) Reach(I,T,R,k)
6
System diameter
- The diameter of a system is the smallest number
of steps that reaches all reachable states
7
Basic algorithm
- Main(I,T,R) for k 0 thru Diameter(I,T)
do if Reach(I,T,R,k) then return
Error endendreturn Correct
8
Improved algorithm
- Main(I,T,R)
- if SAT(I ? R) then return Error end
- for k 1 thru Diameter(I,T) do
- (?n 0nltk ITn ? R)
- case Check(I,T,R,k) of Correct return
Correct Error return Error DontKnow skip en
dendreturn Correct
9
Procedure Check
- Check(I,T,R,k)
- requires 1k ? (?n 0nltk ITn ? R)
- ensures Error ? Reach(I,T,R,k)
- ensures Correct ? (?n 0n ITn ? R)
- ensures DontKnow ? (?n 0nk ITn ? R)
- if Reach(I,T,R,k) then return Error
- else
- return DontKnow
- end
10
System invariant
- Check(I,T,R,k)
- var J I
- if Reach(J,T,R,k) then return Error
- else
- loop
- I ? J ? (?n 0nk JTn ? R)
- var J
- J ? J ? JT ? J
- if J ? J then
- (?n 0n ITn ? R)
- return Correct
- else if Reach(J,T,R,k) then
- return DontKnow
- end
- J J
- end
- end
11
NextJ
- Check(I,T,R,k)
- var J I
- if Reach(J,T,R,k) then return Error
- else
- loop
- I ? J ? (?n 0nk JTn ? R)
- var J NextJ(J,T,R,k)
- J ? J ? (?n 1nk JTn ? J)
- if J ? J then
- (?n 0n ITn ? R)
- return Correct
- else if Reach(J,T,R,k) then
- return DontKnow
- end
- J J
- end
- end
12
Goal Implement NextJ
- 1k ?(?n 0nk JTn ? R)
- J NextJ(J,T,R,k)
- J ? J ?
- (?n 1nk JTn ? J)
13
NextJ Widen Cousot/Cousot 1977
- NextJ(J,T,R,k)
- var J J ? JT
- J ? J ? JT ? J
- return J
14
Interpolants Craig 1957
- For any formulas A and B such that A ? B,
- there exists an interpolant P such that
- A ? P
- P ? B
- every free symbol in P is a free symbol in both A
and B
15
NextJ Interpolant McMillan 2003
- NextJ(J,T,R,k)
- (?n 0nk JTn ? R)
- let s0,,sk be fresh symbols
- let A J(s0) ? T(s0,s1)
- let B (? i 1iltk T(si,si1)) ?
- (? i 1ik R(si))
- var P Interpolant(A,B)
- JT ? Ps/s1
- return J ? Ps/s1
16
NextJ Induction Sheeran/Singh/Stålmarck 2000
- NextJ(J,T,R,k)
- (?n 0nk JTn ? R)
- JTk J(RT)k
- var J true(RT)k
- JTk ? J
- return J ? J
17
Completeness
- Widen
- no completeness guarantee(so still needs
diameter in main loop) - Interpolant
- complete for boolean programs
- Induction
- complete for boolean programs, under the
additional constraint that there are no repeated
states
18
What would make a good NextJ?
- For J NextJ(J,T,R,k)
- J ? J
- (?n 1nk
- JTn ? J
- (?m 0mk-n JTm ? R)
- )
- NextJ(J,T,R,k)
- let n, P satisfy
- 1 n k
- sp(Tn, J) ? P
- P ? wp( (assert R T)n-k, R)
- return J ? P
Recommended
CrystalGraphics Presentations
