Transition Predicate Abstraction and Fair Termination - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Transition Predicate Abstraction and Fair Termination
  • Andreas Podelski
  • Andrey Rybalchenko

Max-Planck-Institut für Informatik Saarbrücken, Germany
Tobias Stamm
2
In this lesson
  • What is this all about?
  • Safety and liveness
  • What is FAIRNESS?
  • Some formal definitions about enabledness, languages, justice and compassion
  • Big example
  • Building a complete graph of a simple program
  • Is the program fair?

3
Program -> Finite State Machine
Every program can be transformed into a finite state machine. The program locations become the states, and the pre- and post-conditions become the transitions.
Example program of the slide:
x := 1; x := x + 1; if x > 2 then x := 10 else x := 20
The slide's figure shows its state machine with locations l0, l1, l2, l3, l4. The states l1 and l2 are annotated with x = 1 and x = 2; the transitions are labelled x = 1 ∧ x' = 2 (l1 to l2), then either the branch x > 2 ∧ x' = x followed by x > 2 ∧ x' = 10, or the branch x ≤ 2 ∧ x' = x followed by x ≤ 2 ∧ x' = 20 into l4.
4
Predicate Abstraction
Predicate abstraction is used for checking properties of programs. As a program has a lot of properties, we try to reduce this set to an abstraction. Then we try to check the program against these abstract definitions and see how far we get. If we find an error, it is necessary to check the occurrence of the error in the non-abstracted program too. This is solved by "counterexample-driven abstraction refinement". This works very well for safety properties (for those who don't know the word: it's some kind of assertion).
5
Transition Predicate Abstraction
In "simple" predicate abstraction it is very difficult (actually, it's impossible) to implement automated liveness checking (for example: will this program terminate?). Transition predicate abstraction goes one step further. We don't look at the states; we look at the relations between the states, the transitions. The main idea: what are the possible sequences of transitions? As there are a lot of transitions and therefore a lot of transition predicates, we will abstract them. We will see how to transform a program P into a transition-predicate-abstracted program.
6
What is Enabledness?
The enabledness of a transition is the set of states on which the transition is enabled.
In other words: all the states where transitions with that name start.
7
Reminder: Languages
Let Lv be the language defined by the automaton Av. Two sets of letters matter:
  • all letters that appear in some word of Lv
  • all letters that appear in every word of Lv
The slide's figure shows an automaton with states v0 and v over the letters a, b, c, d; for it the first set is {a, b, c, d} and the second is {c}.
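The two letter sets of slide 7 are easy to compute for a finite automaton, and they are what the fairness marking later consults. Below is an added example that is not from the slides or the paper: a small nondeterministic automaton over finite words, constructed here so that its answer matches the slide's figure ({a, b, c, d} and {c}), with the two sets computed by reachability. The state names, edges and the finite-word reading of "language" are assumptions.

```python
"""Added example: the letter sets of slide 7 for a constructed automaton."""
from collections import deque

# Constructed automaton Av: (source, letter, target); initial state v0, accepting state v.
EDGES = [("v0", "a", "v1"), ("v0", "b", "v1"), ("v1", "c", "v"), ("v", "d", "v")]
INITIAL, ACCEPTING = "v0", {"v"}

def reachable(edges, start, forward=True):
    """States reachable from start following the edges forwards (or backwards)."""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for src, _, dst in edges:
            nxt = dst if forward and src == s else src if not forward and dst == s else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def letters_in_some_word(edges=EDGES):
    """Letters on edges that lie on at least one accepting run:
    the source is reachable from the initial state, the target reaches an accepting state."""
    fwd = reachable(edges, INITIAL)
    back = set().union(*(reachable(edges, f, forward=False) for f in ACCEPTING))
    return {a for src, a, dst in edges if src in fwd and dst in back}

def letters_in_every_word(edges=EDGES):
    """Letters that cannot be avoided: removing every edge carrying the letter
    leaves no accepting state reachable, so the language without it is empty."""
    return {a for a in letters_in_some_word(edges)
            if not ACCEPTING & reachable([e for e in edges if e[1] != a], INITIAL)}

if __name__ == "__main__":
    print("some word:", sorted(letters_in_some_word()))    # a, b, c, d
    print("every word:", sorted(letters_in_every_word()))  # c
```

Restricting the "every word" set to letters that occur in some word keeps the result sensible when the language is empty: nothing is reported rather than every letter vacuously.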
8
What is JUSTICE?
(We do not consider politics here)
Simpler question: What is NOT justice? Walking along a path, always having the ability to say where to go, but never getting the chance to speak.
(Figure: a node v on a path, with a green transition that is enabled at v but never taken.)
The node v is not just to the green transition: just(v, green) = false
9
What is COMPASSION?
Simpler question: What is NOT compassion? In all possible paths, at a certain point having the ability to say where to go, but never getting the chance to speak.
(Figure: a node v on every path, with a green transition that is enabled there but never taken.)
The node v is not compassionate to the green transition: comp(v, green) = false
10
What is FAIRNESS?
Just fairness means being just to everyone. Compassionate fairness means being compassionate to everyone.
What are just or compassionate transitions? These are details and not a proper restriction. Let's assume all transitions of a program are just and compassionate. See the paper for more details.
11
The Program P
Definition: x := 1, y := 1
  while x = 1 do y := y + 1
  while y > 0 do y := y - 1
The locations of this process are l0, l1, l2, l3. A second process with locations m0 and m1 has the single transition x := 0.
12
Control-flow of P
13
Abstraction
We have too many predicates in our original program. Let's reduce this number.
The abstraction function maps a binary relation T over states to the smallest abstract transition containing the relation T. Example: y' = y - 1 becomes y' ≤ y - 1.
14
How to get from P to the abstract program?
put the node labelled ID into queue Q
while Q not empty do
    u := dequeue(Q)
    foreach transition t
        A := abstract(T(u) ∘ t)
        if A empty -> continue with next t
        if there already exists a node w with the same label as A -> v := w
        else v := new node labelled by A; enqueue(Q, v)
        end if
        (u, v) := new edge labelled by t
    end foreach
end while
15
The abstract program (the graph on this slide is not part of the transcript)
16
When does a program terminate fairly?
A program P justly/compassionately terminates if every non-root node v of the abstract-transition program that is marked 'fair' is labelled by a well-founded abstract transition Tv. Proof: see the paper. So we only have to check the non-well-founded states of the abstract program. If any of them is just/compassionate, we have a problem.
A non-well-founded state in the abstract program looks like this: a node X reached from the root, with a self-loop tx and an outgoing transition ty. As we don't know the beginning of state X, ty could wait forever.
17
Does P terminate fairly?
The only non-well-founded state is T1. So the question is: Is T1 fair?
No! T1 is not just to t4. Hence the non-well-foundedness of T1 is irrelevant to the just termination of P. Ergo: P terminates fairly.
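The construction of slide 14 and the check of slides 16 and 17 can be run end to end on the program P of slide 11. The following is an added example and not the authors' code. Its assumptions: process 2 is the single transition x := 0 and, because nothing ever sets x back to 1, its guard is taken to be x = 1 instead of tracking m0/m1; y is enumerated over a bounded range 0..YMAX only so that relational composition and abstraction can be computed by brute force; the predicate set, the transition names t1..t5 (our numbering, so the transition the slide calls t4 is t5 here), the ranking-function test for well-foundedness and the self-loop reading of justice are ours.

```python
"""Added example: slide 14's worklist on the program P of slide 11, then the
fair-termination check of slides 16/17. Assumptions (ours, not the slides'):
process 2 is modelled as the guarded transition t5 (x = 1 -> x := 0), y is
enumerated over 0..YMAX for brute-force composition and abstraction, and the
predicates, transition names and ranking-function test are chosen by us."""
from collections import deque
from itertools import product

YMAX = 6
STATES = [(l, x, y) for l in (0, 1, 2) for x in (0, 1) for y in range(YMAX + 1)]
TRANSITIONS = ["t1", "t2", "t3", "t4", "t5"]

def step(t, s):
    """Successor of state s = (l, x, y) under transition t, or None if t is disabled."""
    l, x, y = s
    if t == "t1" and l == 0 and x == 1 and y < YMAX:  # l0: while x = 1 do y := y + 1
        return (0, x, y + 1)
    if t == "t2" and l == 0 and x != 1:               # leave the first loop
        return (1, x, y)
    if t == "t3" and l == 1 and y > 0:                # l1: while y > 0 do y := y - 1
        return (1, x, y - 1)
    if t == "t4" and l == 1 and y == 0:               # leave the second loop
        return (2, x, y)
    if t == "t5" and x == 1:                          # process 2: x := 0
        return (l, 0, y)
    return None

def concrete(t):
    """Transition t as a set of (pre, post) pairs over the bounded domain."""
    return {(s, step(t, s)) for s in STATES if step(t, s) is not None}

# Transition predicates over a pair (s, p) of pre- and post-state; an abstract
# transition is a conjunction of them (a frozenset of names).
PREDICATES = {
    "l=0": lambda s, p: s[0] == 0, "l=1": lambda s, p: s[0] == 1, "l=2": lambda s, p: s[0] == 2,
    "x=0": lambda s, p: s[1] == 0, "x=1": lambda s, p: s[1] == 1, "y>=0": lambda s, p: s[2] >= 0,
    "l'=l": lambda s, p: p[0] == s[0], "l'>l": lambda s, p: p[0] > s[0],
    "x'=x": lambda s, p: p[1] == s[1], "x'<x": lambda s, p: p[1] < s[1],
    "y'=y": lambda s, p: p[2] == s[2],
    "y'>=y+1": lambda s, p: p[2] >= s[2] + 1, "y'<=y-1": lambda s, p: p[2] <= s[2] - 1,
}

def abstract(rel):
    """Slide 13: smallest abstract transition containing rel = every predicate rel implies."""
    return frozenset(n for n, holds in PREDICATES.items() if all(holds(s, p) for s, p in rel))

def concretize(label):
    """All pairs of the bounded domain that satisfy every predicate of the label."""
    return {(s, p) for s, p in product(STATES, STATES) if all(PREDICATES[n](s, p) for n in label)}

def compose(rel1, rel2):
    """Relational composition: a step of rel1 followed by a step of rel2."""
    succ = {}
    for s, p in rel2:
        succ.setdefault(s, set()).add(p)
    return {(s, q) for s, p in rel1 for q in succ.get(p, ())}

def build_abstract_program():
    """Slide 14: nodes are abstract transitions, edges are labelled by program transitions."""
    root = abstract({(s, s) for s in STATES})        # the root node is labelled by ID
    nodes = {root: concretize(root)}                 # label -> the relation T(u) it denotes
    edges, queue = [], deque([root])
    while queue:
        u = queue.popleft()
        for t in TRANSITIONS:
            rel = compose(nodes[u], concrete(t))
            if not rel:                              # A empty: continue with next t
                continue
            v = abstract(rel)
            if v not in nodes:                       # no node with this label yet
                nodes[v] = concretize(v)
                queue.append(v)
            edges.append((u, t, v))
    return root, nodes, edges

def well_founded(label):
    """Ranking-function test (ours): l is bounded above and x, y below, so a variable
    that strictly moves on every step of the relation cannot do so forever."""
    return "l'>l" in label or "x'<x" in label or {"y>=0", "y'<=y-1"} <= label

def unjust_to(v, nodes, edges):
    """Slide 8 applied to the self-loop at v: transitions enabled on every state the
    loop can reach (the post-states of T(v)) but never taken by the loop."""
    taken = {t for u, t, w in edges if u == v and w == v}
    reached = {p for _, p in nodes[v]}
    return [t for t in TRANSITIONS
            if t not in taken and all(step(t, s) is not None for s in reached)]

def check_fair_termination():
    """Slide 16: every non-root node that is not well-founded must be unfair."""
    root, nodes, edges = build_abstract_program()
    suspects = [v for v in nodes if v != root and not well_founded(v)]
    verdict = {v: unjust_to(v, nodes, edges) for v in suspects}
    return len(nodes), suspects, verdict, all(verdict.values())

if __name__ == "__main__":
    count, suspects, verdict, fair = check_fair_termination()
    print(f"{count} abstract nodes, {len(suspects)} not well-founded")
    for v, ts in verdict.items():
        print("  ", " ∧ ".join(sorted(v)), "is unjust to", ts)
    print("P terminates fairly:", fair)
```

Run stand-alone, the script builds 16 abstract nodes; the only non-well-founded one is the loop at l0 (label l=0 ∧ x=1 ∧ x'=x ∧ y'≥y+1), on which t5 is permanently enabled yet never taken, so that node is unjust and the program terminates fairly, mirroring slide 17. The bounded range of y is purely a computational device: the conjunctions produced over it are the same as over the naturals for this predicate set, and well-foundedness is decided from the label, not from the finite enumeration.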
18
Nice. But...
... what happens if there are some non-well-founded states which are marked as fair?
This is explicitly described in the last chapter of the paper on page 143: "The logical next step is to investigate counterexample-driven abstraction refinement."
In other words: see Software-Engineering-Seminar '06. Terminated.