3-Valued Abstraction and 3-Valued Model-Checking - PowerPoint PPT Presentation

1
3-Valued Abstraction and 3-Valued Model-Checking
2
Abstraction
  • Abstraction
    • an effective technique to combat the state explosion problem
    • approximate sets of concrete states by an abstract state
    • approximate sets of concrete transitions by an abstract transition
  • Using 2-valued logic (over-approximation)
    • False variables represent unknown value
    • True transitions represent possible behaviour
    • r(s0,1) = T ⇒ r(s0) = T;   p(s0,1) = F ⇒ ?

[Figure: concrete states s0, s1, s2 labelled with p, q, r, and the abstract model in which s0 and s1 collapse into the abstract state s0,1 (labelled r) while s2 stays s2]
3
Abstraction, Contd
  • Using 2-valued logic
    • False variables represent unknown value
    • True transitions represent possible behaviour
    • AX (r ∨ p)(s0,1) = T ⇒ AX (r ∨ p)(s0) = T
    • AX r(s0,1) = F ⇒ ?
    • EX (¬r ∧ ¬p)(s0,1) = F ⇒ EX (¬r ∧ ¬p)(s0) = F
    • EX r(s0,1) = T ⇒ ?

[Figure: the same concrete model (s0, s1, s2 over p, q, r) and its abstraction with states s0,1 and s2]
4
Abstraction, Contd
  • Soundness
    • Only with respect to True universal properties
    • For existential properties use under-approximation
  • For False properties
    • play the counter-example to determine whether it is spurious
    • Use counter-example-based abstraction refinement

5
3-valued abstraction
  • Goals
    • Reason about mixed properties
    • Not have to tell which counterexamples are spurious
    • Not have an increase in statespace, when compared to 2-valued
    • Use counterexample for abstraction refinement
  • Outline
    • 3-valued logic, properties, models, model-checking
    • 3-valued abstractions
    • Abstraction refinement

6
Logic: 3-valued Kleene logic
  • Logic order
  • Properties
    • F ⊑ M, M ⊑ T
    • A ∧ B = min(A, B)
    • A ∨ B = max(A, B)
    • ¬T = F, ¬F = T, ¬M = M
  • Preserves
    • Commutativity, associativity, idempotence, De Morgan laws
  • Does not preserve
    • Law of excluded middle: A ∨ ¬A = T (top)
    • Law of non-contradiction: A ∧ ¬A = F (bottom)

7
Note
  • 3-valued logic forms a lattice
    • Ordering ⊑: less than or equal
    • Meet operation ⊓: min
    • Join operation ⊔: max
    • Negation: horizontal symmetry
  • This is an example of a quasi-boolean algebra
  • Equality and Identity are different!
  • a ? b
  • a b

8
Logic
  • Information order
    • M contains the least amount of information
    • T, F: maximum amount of information
    • If one refines M it can change to T or F or stay at M

9
Overview of Model Checking / Overview of MV-Model Checking

[Figure: two pipelines side by side. Classical: a SW/HW artifact goes through model extraction to a model of the system, correctness properties are translated into temporal logic, and the model checker returns a Yes/No answer to "Correct?". Multi-valued: the same pipeline with an MV-logic, an MV-model checker and an MV-logic answer to "How correct?"]
10
Multi-valued state machines (χKripke structures)
  • Extension of conventional state machines (Kripke structures)
    • variables take any value from the logic (T, F, M)
    • transitions between states take any value from the logic
    • False transitions are not shown (by convention)
  • Example

11
Formally,
  • Kripke structures extended for the MV case
  • M = ⟨L, S, A, s0, I, R⟩
    • L is a quasi-boolean algebra (L, ⊑, ⊓, ⊔, ¬), where (L, ⊑) is a lattice
    • S is a (finite) set of states, each with a unique name
    • A is a set of atomic propositions
    • s0 is a unique initial state (s0 ∈ S)
    • I: S × A → L is the interpretation function that assigns a logic value to each atomic proposition
    • R: S × S → L is the function that assigns a logic value to each transition between states

12
3-valued CTL
  • multi-valued extension of CTL
    • same syntax as CTL
    • plus constants from the logic (T, M, F)
  • semantics
    • replace existential quantification by disjunction, universal quantification by conjunction, so
      (EX φ)(s) = ⋁_{t∈S} ( R(s,t) ⊓ φ(t) )
      in place of the classical "∃t ∈ S s.t. ( R(s,t) ∧ φ(t) )"
    • other operators are defined as in CTL

For all states s:
  (AX φ)(s) = (¬EX(¬φ))(s)
  (EG φ)(s) = φ(s) ⊓ (EX EG φ)(s)
  (AG φ)(s) = (¬EF(¬φ))(s)
Examples: AG (request → AX pressed) = ?   AG (pressed ∨ request) = ?
13
Model-Checking, Contd
  • Can a True property evaluate to M?
  • Answer
    • Yes
    • AG (pressed ∨ ¬pressed) = M
    • Comes from the law of excluded middle
  • Some terminology
    • Compositional semantics
      • Evaluate each CTL operator, compose according to lattice rules
    • Thorough semantics [Bruns & Godefroid 00]
      • Property evaluates to M iff there exists a refinement where it evaluates to T and a refinement where it evaluates to F.
      • to evaluate

14
Symbolic mv model-checking
  • Similar idea to classical model-checking
    • recursively go through the structure of the χCTL property
    • encode sets of states symbolically
    • encode the transition relation symbolically
  • Data structures
    • direct approach: MDDs
      • the number of terminal nodes and the branching factor equal the number of values in the logic
      • Example: x ? y in 3-valued logic
    • can use a BDD vector
    • or mixed approaches (MBTDDs, MTBDDs)

15
Reduction to Classical
  • [Bruns & Godefroid 99]. Assumption: the transition relation is classical
  • Move negation to the level of atomic propositions
  • Create a positive and a negative version of every atomic proposition
  • Let x = M.
    • Positive cut
      • Set x and ¬x to True
      • PosAnswer = check property
    • Negative cut
      • Set x and ¬x to False
      • NegAnswer = check property
    • If NegAnswer = PosAnswer (True or False)
      • Return this as the answer
    • Else
      • Return Maybe

16
Example
[Figure: the model (s0: p=T, q=M, z=F; s1: p=T, q=F, z=M; s2: p=T, q=F, z=F) beside its positive cut, in which each Maybe atom gets a positive and a negative version that are both True (s0: p=T, q+=T, q-=T, z=F; s1: p=T, q=F, z+=T, z-=T; s2: p=T, q=F, z=F)]
Positive Cut
(p ∧ ¬q ∨ z)(s0) = T
17
Example
[Figure: the model beside its negative cut, in which both versions are False (s0: p=T, q+=F, q-=F, z=F; s1: p=T, q=F, z+=F, z-=F; s2: p=T, q=F, z=F)]
Negative Cut
(p ∧ ¬q ∨ z)(s0) = F. Therefore, the answer is M
18
Example
[Figure: the model beside its positive cut, as above]
Positive Cut
EX (p ∧ ¬q ∨ z)(s0) = T
19
Example
[Figure: the model beside its negative cut, as above]
Negative Cut
EX (p ∧ ¬q ∨ z)(s0) = T. Therefore, the answer is T
20
Reduction to Classical (Take Two)
  • [Gurfinkel & Chechik 2003]
  • Assumptions
    • States can be 3-valued, the transition relation can be three-valued
  • Reduction steps
    • for True and Maybe, construct a cut formula equivalent to φ(s) ⊒ j
      • logic: from mv CTL to a restricted mv-logic with two-valued answers
      • model: unchanged
    • transform each cut to a classical model-checking problem
      • logic: from the restricted mv-logic to classical CTL
      • model: from χKripke structure to classical Kripke structure

21
Propositional Logic
  • (p ∧ ¬q ∨ z)(s0) = M, since at s0 we have p = T, q = M, z = F:
    • T ∧ ¬M ∨ F
    • T ∧ M ∨ F
    • M ∨ F
    • M

22
Propositional Logic: the cut
  • (p ∧ ¬q ∨ z)(s0) ⊒ T
    ≡ ((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(s0)
    • T ∧ F ∨ F
    • F ∨ F
    • F
  • (p ∧ ¬q ∨ z)(s0) ⊒ M
    • T
23
Combining Results
(p ∧ ¬q ∨ z)(s0) ⊒ T is F
(p ∧ ¬q ∨ z)(s0) ⊒ M is T
Therefore, (p ∧ ¬q ∨ z)(s0) = M
24
Propositional Logic: final step
[Figure: the classical Kripke structure obtained from the cut; its three states are labelled with the literals p z-, p q-, and p q- z-]
Legend: p (the positive literal) represents p ⊒ j; p- (the negative literal) represents ¬p ⊒ j
((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(s0)
  • (p ∧ q- ∨ z)(s0)
  • T ∧ F ∨ F
  • F

25
Existential Temporal Logic: the cut
  • EX (p ∧ ¬q ∨ z)(s0) ⊒ T
  • ⋁_{t∈S} ( R(s0,t) ⊓ (p ∧ ¬q ∨ z)(t) ) ⊒ T
  • ∃t ∈ S. (R(s0,t) ⊒ T) ∧ ((p ∧ ¬q ∨ z)(t) ⊒ T)
  • ∃t ∈ S. (R(s0,t) ⊒ T) ∧ ((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(t)
  • EX_{⊒T} ((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(s0)

26
Existential Temporal Logic: final step
[Figure: the χKripke structure with states (p=T, q=F, z=M), (p=T, q=M, z=F) and (p=T, q=F, z=F) and transitions labelled T or M, next to the classical Kripke structure that keeps only the transitions with value ⊒ T and relabels the states p z-, p q-, p q- z-]
  • EX_{⊒T} ((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(s0)
  • EX_{⊒T} (p ∧ q- ∨ z)(s0)
  • EX (p ∧ q- ∨ z)(s0)

27
Universal Temporal Logic: the cut
  • Dealing with negation
    • In 3-valued logic: ¬b ⊒ T iff ¬(b ⊒ M)
    • since ¬b ⊒ T iff b = F
  • AX (p ∧ ¬q ∨ z)(s0) ⊒ T
    • ⋀_{t∈S} ( ¬R(s0,t) ⊔ (p ∧ ¬q ∨ z)(t) ) ⊒ T
    • ∀t ∈ S. ( ¬R(s0,t) ⊔ (p ∧ ¬q ∨ z)(t) ) ⊒ T
    • ∀t ∈ S. (¬R(s0,t) ⊒ T) ∨ ((p ∧ ¬q ∨ z)(t) ⊒ T)
    • ∀t ∈ S. ¬(R(s0,t) ⊒ M) ∨ ((p ∧ ¬q ∨ z)(t) ⊒ T)
    • ∀t ∈ S. (R(s0,t) ⊒ M) → ((p ∧ ¬q ∨ z)(t) ⊒ T)
    • AX_{⊒M} ((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(s0)

28
Universal Temporal Logic: final step
[Figure: the same χKripke structure (states (p=T, q=F, z=M), (p=T, q=M, z=F), (p=T, q=F, z=F); transitions labelled T or M) next to the classical Kripke structure that keeps every transition with value ⊒ M and relabels the states p z-, p q-, p q- z-]
  • AX_{⊒M} ((p ⊒ T) ∧ (¬q ⊒ T) ∨ (z ⊒ T))(s0)
  • AX_{⊒M} (p ∧ q- ∨ z)(s0)
  • AX (p ∧ q- ∨ z)(s0)

29
Handling Mixed Modalities
  • The first reduction step does not change
    • AX EX p(s0) ⊒ T is transformed into AX_{⊒M} EX_{⊒T} (p ⊒ T)(s0)
  • Problem with the second step
    • need a Kripke structure with two types of transitions
      • ⊒ M for the universal modality
      • ⊒ T for the existential modality
  • Solution
    • treat transition labels as actions
    • convert the resulting Labeled Transition System into a Kripke structure
  • Disadvantage
    • introduces a new variable
    • size of the statespace doubles

30
Summary of the Reduction
  • Multi-valued model-checking problem is reduced to several classical problems
    • one classical problem for True and one for Maybe
  • size of the formula does not change
    • atomic literals are changed to plus and minus versions
    • other parts remain unchanged
  • for universal and existential fragments
    • statespace of the resulting Kripke structure is similar to the original
  • for formulas with both universal and existential modalities
    • statespace of the resulting Kripke structure is double the original
  • formulas with fixpoint operators are handled similarly
    • (see Gurfinkel, Chechik, CONCUR03)
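
As an added, runnable illustration of the compositional semantics on slide 12 and of the two-cut reduction on slides 20 to 30 (example code written for this transcript, not the authors' implementation): the χKripke structure reuses the three states of the running example, but its transition values are an assumption, and `cut` evaluates the first reduction step (the two-valued question f(s) ⊒ j) directly, without the second step's relabelling of the model.

```python
# Kleene's 3-valued logic encoded so that F < M < T: meet = min, join = max,
# negation = horizontal symmetry of the lattice.
F, M, T = 0, 1, 2
meet, join, neg = min, max, lambda a: T - a

# Constructed chi-Kripke structure: the three states of the slides' example.
# The transition values are an assumption; undrawn transitions are False.
MODEL = {
    "S": ["s0", "s1", "s2"],
    "I": {"s0": {"p": T, "q": M, "z": F},
          "s1": {"p": T, "q": F, "z": M},
          "s2": {"p": T, "q": F, "z": F}},
    "R": {("s0", "s1"): T, ("s0", "s2"): M, ("s1", "s2"): T, ("s2", "s2"): T},
}

def R(m, s, t):
    return m["R"].get((s, t), F)

def ev(f, s, m=MODEL):
    """Compositional 3-valued CTL (EX/AX fragment): quantifiers become join/meet."""
    op = f[0]
    if op == "atom": return m["I"][s][f[1]]
    if op == "not":  return neg(ev(f[1], s, m))
    if op == "and":  return meet(ev(f[1], s, m), ev(f[2], s, m))
    if op == "or":   return join(ev(f[1], s, m), ev(f[2], s, m))
    if op == "EX":   return max(meet(R(m, s, t), ev(f[1], t, m)) for t in m["S"])
    if op == "AX":   return min(join(neg(R(m, s, t)), ev(f[1], t, m)) for t in m["S"])
    raise ValueError(op)

# (not b) >= T iff not (b >= M), and (not b) >= M iff not (b >= T): negation swaps
# the cut between T and M, which is why AX keeps transitions at the dual threshold.
DUAL = {T: M, M: T}

def cut(f, s, j, m=MODEL):
    """Two-valued check of 'f(s) >= j' for j in {T, M}: the cut formula of the reduction."""
    op = f[0]
    if op == "atom": return m["I"][s][f[1]] >= j
    if op == "not":  return not cut(f[1], s, DUAL[j], m)
    if op == "and":  return cut(f[1], s, j, m) and cut(f[2], s, j, m)
    if op == "or":   return cut(f[1], s, j, m) or cut(f[2], s, j, m)
    if op == "EX":   return any(R(m, s, t) >= j and cut(f[1], t, j, m) for t in m["S"])
    if op == "AX":   return all(R(m, s, t) < DUAL[j] or cut(f[1], t, j, m) for t in m["S"])
    raise ValueError(op)

def reduced(f, s, m=MODEL):
    """Two classical runs (cut at T, then at M) combined into the 3-valued answer."""
    return T if cut(f, s, T, m) else M if cut(f, s, M, m) else F

# The slides' running example: (p and not q) or z.
PHI = ("or", ("and", ("atom", "p"), ("not", ("atom", "q"))), ("atom", "z"))
```

On this model `ev` and `reduced` agree on every state and formula, and they return M for the running example at s0, as the slides compute by hand.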

31
Abstraction
[Figure: concrete state space S mapped onto the abstract state space Ŝ]
Abstraction function α: S → Ŝ
32
Abstraction
  • Using 3-valued logic
    • introduce a new special value Maybe to stand for unknown
  • Formally (writing γ(a) for the set of concrete states that α maps to a)
    • v̂(a) = T iff ∀s ∈ γ(a). v(s) = T
    • v̂(a) = F iff ∀s ∈ γ(a). v(s) = F
    • v̂(a) = M iff ∃s ∈ γ(a). v(s) = T and ∃t ∈ γ(a). v(t) = F
  • Examples
    • r(s0,1) = T ⇒ r(s0) = T;   p(s0,1) = M

[Figure: concrete states s0, s1, s2 over p, q, r and their 3-valued abstraction: s0,1 labelled p=M, q=F, r=T and s2 labelled p=T, q=T, r=F]
33
Refresher: Over- and Under-approximations
  • M̂ is an over-approximation of M, or M̂ simulates M, if
    • R^{∃∃} [Dams97]: (t, t1) ∈ R̂ iff ∃s ∈ γ(t) s.t. ∃s1 ∈ γ(t1) and (s, s1) ∈ R
  • M̂ is an under-approximation of M, or M simulates M̂, if
    • R^{∀∃} [Dams97]: (t, t1) ∈ R̂ iff ∀s ∈ γ(t) ∃s1 ∈ γ(t1) s.t. (s, s1) ∈ R

34
Existential Abstraction (Over-Approximation)
[Figure: a concrete transition system and its existential abstraction (diagram not recoverable)]
35
Universal Abstraction (Under-Approximation)
[Figure: a concrete transition system and its universal abstraction (diagram not recoverable)]
36
3-Val Transition Relation
  • Let R̂(s,t) = T if (s,t) ∈ R^{∀∃}
    • R^{∀∃} [Dams97]: (t, t1) ∈ R̂ iff ∀s ∈ γ(t) ∃s1 ∈ γ(t1) s.t. (s, s1) ∈ R
  • Let R̂(s,t) = F if (s,t) ∉ R^{∃∃}
    • R^{∃∃} [Dams97]: (t, t1) ∈ R̂ iff ∃s ∈ γ(t) s.t. ∃s1 ∈ γ(t1) and (s, s1) ∈ R
  • Else R̂(s,t) = M

37
3-valued abstraction
[Figure: the 3-valued abstraction of the concrete model; abstract transitions carry the values T or M (the diagram itself is not recoverable)]
38
Abstraction
  • Using 3-valued logic
    • introduce a new special value Maybe to stand for unknown
    • AX r(s0,1) = M
    • EX r(s0,1) = T

[Figure: the concrete model (s0, s1, s2 over p, q, r) and its 3-valued abstraction with states s0,1 (labelled r) and s2]
39
Model Checking 3-Val abstract Models
  • Let f be an arbitrary property (i.e., expressed in LTL, CTL, mu-calculus) and M̂ a 3-val abstraction of M
  • Preservation Theorem
    • M̂ ⊨ f ⇒ M ⊨ f
    • No guarantee is given about a Maybe answer
  • A False counterexample cannot be spurious
    • No need for simulation!
  • A Maybe counterexample requires refinement
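
Added example (not from the slides) putting slides 32 to 39 together: from a concrete Kripke structure and an abstraction function α it computes the 3-valued abstract valuation (slide 32) and the 3-valued transition relation from Dams' R^{∀∃} and R^{∃∃} (slide 36), then evaluates EX r and AX r on the result. The concrete states are the slides' s0, s1, s2; the transitions between them are an assumption.

```python
# Kleene values (F < M < T); a classical Kripke structure uses only F and T.
F, M, T = 0, 1, 2

# Constructed concrete model: the slides' states s0, s1, s2 over p, q, r with boolean
# valuations matching the slide figures; the transitions are an assumption.
CONCRETE = {
    "S": ["s0", "s1", "s2"],
    "I": {"s0": {"p": False, "q": False, "r": True},
          "s1": {"p": True,  "q": False, "r": True},
          "s2": {"p": True,  "q": True,  "r": False}},
    "R": {("s0", "s1"), ("s1", "s0"), ("s1", "s2"), ("s2", "s2")},
}
# Abstraction function alpha: s0 and s1 collapse into the abstract state "s01".
ALPHA = {"s0": "s01", "s1": "s01", "s2": "s2"}

def gamma(a):
    """Concretisation: the concrete states that alpha maps to the abstract state a."""
    return [s for s, t in ALPHA.items() if t == a]

def abstract_value(a, prop, m=CONCRETE):
    """T if prop holds in every concrete state of a, F if in none, M if mixed."""
    vals = {m["I"][s][prop] for s in gamma(a)}
    return T if vals == {True} else F if vals == {False} else M

def abstract_transition(a, b, m=CONCRETE):
    """T if (a, b) is in R^{forall-exists} (under-approximation), F if it is not even
    in R^{exists-exists} (over-approximation), M otherwise (Dams97, as on the slides)."""
    hits = [any((s, s1) in m["R"] for s1 in gamma(b)) for s in gamma(a)]
    return T if all(hits) else M if any(hits) else F

def abstract(m=CONCRETE):
    """Build the 3-valued abstract chi-Kripke structure of m under ALPHA."""
    states = sorted(set(ALPHA.values()))
    props = list(m["I"][m["S"][0]])
    return {"S": states,
            "I": {a: {x: abstract_value(a, x, m) for x in props} for a in states},
            "R": {(a, b): abstract_transition(a, b, m) for a in states for b in states}}

def as_mv(m):
    """View a boolean Kripke structure as a chi-Kripke structure with values in {F, T}."""
    return {"S": m["S"],
            "I": {s: {x: T if v else F for x, v in m["I"][s].items()} for s in m["S"]},
            "R": {(s, t): T if (s, t) in m["R"] else F for s in m["S"] for t in m["S"]}}

# EX/AX for an atomic proposition on a chi-Kripke structure (join/meet over successors).
def ex(m, s, prop):
    return max(min(m["R"][(s, t)], m["I"][t][prop]) for t in m["S"])

def ax(m, s, prop):
    return min(max(T - m["R"][(s, t)], m["I"][t][prop]) for t in m["S"])
```

On this input the abstraction yields AX r(s0,1) = M and EX r(s0,1) = T, the values quoted on slide 38, and the two concrete states behind s0,1 disagree on AX r, which is exactly what the Maybe records.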

40
3-Val Abstraction-Refinement Loop
[Figure: flowchart. Abstract: (M, f) becomes (M̂, f, α); Model Check; Pass → No Bug; Fail → Bug; a Maybe result (?) → Check Counterexample; Spurious → Refine, then back to Abstract]
41
No spurious counterexamples, but the abstraction can be too coarse
[Figure: an abstract model whose transitions are labelled T, M, M]
42
Refinement
[Figure: refinement of the abstraction (labels not recoverable)]
43
Other use of 3-valued logic
  • Algebra
    • use three-valued algebra (Kleene)
    • intermediate value represents incomplete information or uncertainty
    • compact representation for all possible refinements of this model
    • if a property is True/False on the partial model, it is True/False on a refined one
    • initial theory developed by Bruns & Godefroid, CAV99
  • Application
    • Most models are incomplete!
    • Allows verification before the specification is completed

44
Summary
  • Abstraction
    • Effective tool for combating state explosion
    • Over-approximation: sound for true universal properties, otherwise check if the counterexample is feasible and then refine
    • Under-approximation: same for existential properties
  • 3-Valued Abstraction
    • Specified in 3-val Kleene logic
    • Allows reasoning about mixed-quantifier properties
    • No need to check if the counter-example is spurious
    • Counterexample used for refinement
  • 3-Val Model-Checking
    • Reduces to two runs of a classical model-checker
    • Or can be done directly, say, using MDDs

45
Next topic
  • Software model-checking
  • (and software model-checking with 3-valued logic)