Bjrn Wachter Bernd Westphal

1
The Spotlight Principle

• Björn Wachter Bernd Westphal
• Universität des Saarlandes CvO-Universität
  Oldenburg

2
Outlook

• Idea
• Systems Consisting of Interlinked Processes
• Studied 3 Abstraction Methods CA, EA, DTR
• Structure
• Motivating Example
• EA/DTR as Instances of Spotlight Principle
  
• Expressiveness (Main Result)
  
• Combination EA DTR (Very Briefly)
• Conclusion

3
Car Platooningsort of ad-hoc network

• Interlinked processes
• Joint maneuvers change lane, platoon merge
  
• Verify maneuvers

highway
4
Car Platooningas transition
system
Unboundedly many cars Each car infinite-state

• Local State
• control location ldr
• arithm. data d1
• links

state labeled graph
fl
fl
(ldr,d1)
(flw,d4)
(flw,d3)
(flw,d2)
fl
fl
ld
(ldr,d5)
(flw,d6)
(flw,d7)
fl
ld
ld
5
Predicates

• Building blocks of complex properties
• Atomic Properties of Processes
• valpc,ldr u is a leader
• refg global link g to u
• Atomic Properties of Pairs of Processes
• reffl u follows v

6
Temporal Properties

• Reason about temporal evolution
• Safety cars never enter bad state
• Liveness eventually enter good state

7
Outlook

• Idea
• Systems Consisting of Interlinked Processes
• Studied 3 Abstraction Methods CA, EA, DTR
• Structure
• Motivating Example
• Spotlight Principle
• Expressiveness
• Combination EA DTR
• Conclusion

8
The Spotlight Principle

• Keep important processes precise
• Less information about other processes

Shadow
Spotlight
9
The Important Processes

• Important processes come from Property
• Case 1
• Case 2
• Case 3

(flw,d4)
(flw,d4)
(flw,d4)
global link
(flw,d4)
(flw,d4)
(flw,d4)
global link
(flw,d4)
(flw,d4)
(flw,d4)

global link
10
The Important Processes

• Important processes come from Property
• Case 1
• Case 2
• Case 3

Shadow
(flw,d4)
(flw,d4)
(flw,d4)
Cases fall Together to
tractable number under abstraction
global link
(flw,d4)
(flw,d4)
Shadow
(flw,d4)
global link
Shadow
(flw,d4)
(flw,d4)
(flw,d4)

global link
11
The Important Processes

• Each quantification variable
• introduces a global link
• Global Link like Pointer in Heap
• However global link remains fixed

12
The Spotlight Principle (cont)

• Keep Process precise for which we have to show
  properties

Shadow
Spotlight
(ldr,d4)
(flw,d4)
(flw,d4)
(flw,d4)
global link
global link
(flw,d4)
(flw,d4)
13
The Spotlight Principle (cont)

• Idea
• Be Precise Where It is Needed Most
• Spotlight Principle used successfully by
• different abstraction methods
• Data Type Reduction
• Environment Abstraction
• Canonical Abstraction

14
The Spotlight Principle DTR

• Hardware Verification
• Tomasulo Scheduler McMillan
• Verification of UML models
• Damm/Westphal
• Support Unbounded of Process
• Support for Links
• Radical Form of Spotlight Principle

15
The Spotlight Principle DTR

• Keep spotlight concrete
• Collapse the rest and forget everything
• abstract proc. spotlight proc. 1

Shadow
Shadow
Spotlight
Spotlight
(ldr,d4)
(flw,d4)
(flw,d4)
(flw,d4)
(flw,d4)
global link
global link
global link
global link
(flw,d4)
?
(flw,d4)
16
Restrictions of DTR

• No information about Shadow
• Can lead to Spurious Counterexamples where
  Shadows Interfere with Spotlight
• No Abstraction of Spotlight Processes
• no support for unbounded local data

17
Environment AbstractionClarke, Veith, Talupur
VMCAI06

• Mutual exclusion protocols
• Bakery algorithm, Szymanski
• Unbounded number of processes
• with counter variables
• Counters Abstracted with Interpredicates
• inequalities between counter variables
• appearing in guards

18
Environment Abstraction

• Control states pc in a,b
• Counter variable v
• Interpredicate le(u)g.v lt u.v

u.pc a g.v lt u.v
g
a,3
a,1
b,2
u.pc a !g.v lt u.v
u.pc b !g.v lt u.v
a
EA
a,4
b,1
a,1
u.pc b g.v lt u.v
19
Environment Abstraction

• Control states pc in a,b
• Counter variable v
• Interpredicate le(u)g.v lt u.v

u.pc a g.v lt u.v
g
a,3
a,1
b,2
u.pc a !g.v lt u.v
u.pc b !g.v lt u.v
a
EA
a,4
b,1
a,1
u.pc b g.v lt u.v
20
Environment Abstraction

• Control states pc in a,b
• Counter variable v
• Interpredicate le(u)g.v lt u.v

u.pc a g.v lt u.v
g
a,3
a,1
b,2
u.pc a !g.v lt u.v
u.pc b !g.v lt u.v
a
EA
a,4
b,1
a,1
u.pc b g.v lt u.v
21
Environment Abstraction

• Control states pc in a,b
• Counter variable v
• Interpredicate le(u)g.v lt u.v

u.pc a g.v lt u.v
g
a,3
a,1
b,2
u.pc a !g.v lt u.v
u.pc b !g.v lt u.v
a
EA
a,4
b,1
a,1
u.pc b g.v lt u.v
22
Environment Abstraction

• Control states pc in a,b
• Counter variable v
• Interpredicate le(u)g.v lt u.v

u.pc a g.v lt u.v
g
a,3
a,1
b,2
u.pc a !g.v lt u.v
u.pc b !g.v lt u.v
a
EA
a,4
b,1
a,1
23
Restrictions of EA

• No support for links
• Always exactly 1 spotlight process
• restricts the kind of properties one can
  show
• two-process safety
• Platooning 3-Process SAFETY!!
• one-process liveness

24
Canonical AbstractionSagiv,Reps,Wilhelm

• Originally analysis of heap-manipulating
  programs
• Spotlights Pointer Variables

x
n
n
n
n
n
shadow
shadow
head
25
Canonical AbstractionSagiv,Reps,Wilhelm

• supports links
• Can preserve information about shadow

x
shadow
n
n
n
n
n
shadow
head
x
y
x
head
Reachable from head Not pointed to by head
Reachable from x head Not pointed to by x or
head
26
Outlook

• Idea
• Systems Consisting of Interlinked Processes
• Studied 3 Abstraction Methods CA, EA, DTR
• Structure
• Motivating Example
• Spotlight Principle
• Expressiveness (MAIN RESULT)
• Combination EA DTR
• Conclusion

27
Abstraction Methods

• Want finite transition systems (FTS)
• Look at different Abstraction Methods
• Methods are like recipes

Abstraction Method
Ingredients
FTS
28
Finitary Abstraction

29
Main Result Expressiveness

• Compared Methods that Support
• Unbounded of Proc.
• Canonical Abstraction (CA)
• Data Type Reduction (DTR)
• Environment Abstraction (EA)
• Result
• Canonical Abstraction most general
• What does that mean ?? .

30
Contribution Expressiveness
Ingredients Special Predicates Interpredicates,
finite control
Ingredients Predicates
Translate
Environment Abstraction
Canonical Abstraction
Abstraction function
Abstraction function
equivalent
Abstract Transition System
Abstract Transition System
bisimulation
() indistinguishable by properties
31
Contribution Expressiveness
Ingredients Property
Ingredients Predicates
Translate
Data Type Reduction
Canonical Abstraction
Abstraction function
Abstraction function
equivalent
Abstract Transition System
Abstract Transition System
bisimulation
32
Outlook

• Idea
• Systems Consisting of Interlinked Processes
• Studied 3 Abstraction Methods CA, EA, DTR
• Structure
• Motivating Example
• Spotlight Principle
• Expressiveness
• Combination EA DTR
• Conclusion

33
ContributionEA DTR
More about that in the paper Only shortly
invariants in shadow
EA DTR links integers/reals
links more properties
Data Type Red (DTR) links - integers/reals

• Environment Abs (EA)
• integers/reals
• Links

34
Conclusion Future Work

• The Gist
• EA, DTR expressible by CA
• Idea of Spotlights
• Future
• Liveness for Platooning
• Other Ad-hoc Networks?
• Compare more abstractions

35
Canonical Abstraction Sagiv/Reps/Wilhelm

• unary abstraction preds induce equiv. classes
• get best safe information for remaining preds
• Example predicates is_ldr/1, refg/1, refh/1,
  fl/2

state (simplified)
4 classes
abs. state (ld missing)
g
110
000
flw
ldr
110
000
1.
flw
flw
000
000
h
100
001
ldr
flw
001
100
36
Canonical Abstraction Sagiv/Reps/Wilhelm

• unary abstraction preds induce equiv. classes
• get best safe information for remaining preds
• Example predicates is_ldr/1, refg/1, refh/1,
  fl/2
• fl(001,100)1, fl(110,100) 0, fl(000,100)
  0,1

abs. state
state (simplified)
4 classes
g
110
000
flw
ldr
110
000
2.
1.
flw
flw
000
000
h
100
001
ldr
flw
001
100