Abstraction in Model Checking - PowerPoint PPT Presentation

1
Abstraction in Model Checking
  • Nishant Sinha

2
Model Checking
  • Given a
  • Finite transition system M
  • A temporal property p
  • The model checking problem
  • Does M satisfy p?

3
Model Checking (safety)
(Figure: the reachable state space explored from the initial states I towards a bad state.)
Too many states to handle! MUST ABSTRACT!!
4
Abstraction
  • Eliminate details irrelevant to the property
  • Obtain simple finite models sufficient to verify
    the property
  • E.g., Infinite state → Finite state approximation
  • Disadvantage
  • Loss of Precision: False positives/negatives

5
Data Abstraction
(Figure: concrete state space S mapped onto abstract state space S'.)
Abstraction Function h: S → S'
6
Data Abstraction Example
  • Abstraction proceeds component-wise, where
    variables are components

(Figure: x:int is abstracted to the classes {..., -2, 0, 2, 4, ...} and {..., -3, -1, 1, 3, ...};
y:int is abstracted to the classes {..., -3, -2, -1}, {0} and {1, 2, 3, ...}.)
7
Data Abstraction Example
  • Partition concrete variables into visible(V) and
    invisible(I) variables.
  • The abstract model consists of V variables. I
    variables are existentially quantified out.
  • The abstraction function maps each state to its
    projection over V.

8
Data Abstraction Example
(Figure: the concrete states over x1 x2 x3 x4 with values 0000, 0001, 0010, 0011
are mapped by h to the single abstract state x1 x2 = 00.)
Group concrete states with identical visible part
into a single abstract state.
9
Data Type Abstraction
  • Abstract Data domain
  • Code: int x = 0; if (x == 0) x = x … 1;  (the arithmetic operator was lost in the transcript)
10
How do we Abstract Behaviors?
  • Abstract domain A
  • Abstract concrete values to those in A
  • Then compute transitions in the abstract domain
  • Over-approximations: add extra behaviors
  • Under-approximations: remove actual behaviors

11
Formalism: Kripke Structures
  • M = (S, s0, →, L) over AP
  • S: Set of States
  • s0: Initial State
  • →: Transition Relation
  • L: S → 2^AP, Labeling on States

(Figure: a small Kripke structure with states labelled p, p, ¬p and {p, q}.)
12
Simulations on Kripke Structures
  • M = (S, s0, →, L)
  • M' = (S', s0', →', L')
  • Definition: R ⊆ S × S' is a simulation relation
    between M and M' iff (s, s') ∈ R implies
  • L(s) = L'(s')
  • for all t s.t. s → t, there exists t'
    s.t. s' →' t' and (t, t') ∈ R.
  • M' simulates M (M ≼ M') iff (s0, s0') ∈ R

Intuitively, every transition in M can be matched
by some transition in M'.
13
Guarantees from Abstraction
  • Strong Preservation
  • M' ⊨ P iff M ⊨ P
  • Weak Preservation
  • M' ⊨ P ⇒ M ⊨ P
  • Simulation preserves ACTL properties
  • If M ≼ M' then M' ⊨ AG p ⇒ M ⊨ AG p

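The simulation definition of slide 12 and the AG preservation claim above, worked through in code. This is an added example, not from the slides; the two Kripke structures (M and M', called M2 in the code) and all function names are constructed for illustration.

```python
# Constructed example, not from the slides: two Kripke structures over
# AP = {p, q} (state -> label set, explicit successor sets) and the greatest
# simulation relation between them, computed as a fixpoint that removes
# pairs violating the conditions of slide 12.
M = {"s0": {"p"}, "s1": {"p", "q"}, "s2": {"p"}}                # L
M_TRANS = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s0"}}             # ->
M2 = {"t0": {"p"}, "t1": {"p", "q"}}                             # L'
M2_TRANS = {"t0": {"t0", "t1"}, "t1": {"t0"}}                     # ->'

def greatest_simulation(L, T, L2, T2):
    """Start from all label-consistent pairs and drop (s, s') whenever some
    s -> t has no s' ->' t' with (t, t') still in R, until nothing changes."""
    R = {(s, s2) for s in L for s2 in L2 if L[s] == L2[s2]}
    changed = True
    while changed:
        changed = False
        for s, s2 in list(R):
            if any(all((t, t2) not in R for t2 in T2[s2]) for t in T[s]):
                R.discard((s, s2))
                changed = True
    return R

def simulates(L, T, init, L2, T2, init2):
    """M' simulates M (M <= M') iff the initial states are related."""
    return (init, init2) in greatest_simulation(L, T, L2, T2)

def ag_holds(L, T, init, atom):
    """AG atom on an explicit model: every reachable state carries the atom.
    With M <= M', M' |= AG p implies M |= AG p (slide 13); the converse fails."""
    seen, todo = set(), [init]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo.extend(T[s])
    return all(atom in L[s] for s in seen)
```

M' has the self-loop t0 -> t0 that M cannot match, so M' simulates M but not the other way round.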
14
Overview
  • Formalizing Abstraction/Refinement
  • Homomorphic Abstractions
  • Abstract Interpretation Theory
  • Guarantees from Abstractions: Safe
  • Automated Abstraction Refinement - CEGAR
  • Applications
  • Hardware e.g., Hom. Abstraction
  • Software e.g., Predicate Abstraction

15
Building an Abstraction
  • Computing Abstract Domain
  • Computing Abstract Transitions

16
Homomorphisms
  • Clarke et al. '94, '00
  • Concrete States S, Abstract states S'
  • Abstraction function (Homomorphism)
  • h: S → S'
  • Induces a partition on S with one block per state of S'

17
Existential/Universal Abstractions
  • Existential
  • Make a transition from an abstract state if at
    least one corresponding concrete state has the
    transition.
  • Abstract model M' simulates concrete model M
  • Universal
  • Make a transition from an abstract state if all
    the corresponding concrete states have the
    transition.

18
Existential Abstraction (Over-approximation)
(Figure: concrete model with initial states I over S and its existential abstraction with I' over S'.)
19
Universal Abstraction (Under-Approximation)
(Figure: concrete model with initial states I over S and its universal abstraction with I' over S'.)
20
Guarantees from Exist. Abstraction
  • Let f be an ACTL property
  • M' existentially abstracts M, so M ≼ M'
  • Preservation Theorem
  • M' ⊨ f ⇒ M ⊨ f
  • Converse does not hold
  • M' ⊭ f ⇏ M ⊭ f
  • M' ⊭ f: counterexample may be spurious

21
Guarantees from Univ. Abstraction
  • Let f be an existentially quantified property
    (i.e., expressed in ECTL) and M simulates M'
  • Preservation Theorem
  • M' ⊨ f ⇒ M ⊨ f
  • Converse does not hold
  • M' ⊭ f ⇏ M ⊭ f

22
Why spurious counterexample?
23
Refinement
  • Problem: Deadend and Bad States are in the same
    abstract state.
  • Solution: Refine the abstraction function.
  • The sets of Deadend and Bad states should be
    separated into different abstract states.

24
Refinement
(Figure: abstraction function h before refinement and the refined abstraction function h' after.)
25
Abstract Interpretation
  • Cousot et al. '77
  • Framework for approximating fixpoint computations
  • Galois Connections
  • Concrete S, Abstract S'
  • Abstract the fixpoint λS. F(S) = S as λS'. F'(S') = S'
  • Homomorphisms are a particular case
  • Widening/Narrowing

26
Galois Connections
(Figure: α maps the concrete lattice 2^S to the abstract lattice S', and γ maps back.)
  • S concrete, S' abstract
  • S' must be a complete lattice
  • α: 2^S → S' - abstraction function
  • γ: S' → 2^S - concretization function
  • Properties of α and γ
  • α(γ(A)) = A, for A in S'
  • γ(α(X)) ⊇ X, for X ⊆ S
  • The above properties mean that α and γ are
    Galois-connected
27
Abs. Interpretation Example
  • int → {even, odd, ⊤}
  • γ(even) = {.., -2, 0, 2, 4, ..}
  • γ(odd) = {.., -3, -1, 1, 3, ..}
  • γ(⊤) = int
  • Predicate abstraction is an instance

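The Galois connection properties of slide 26 checked on the parity domain of this slide, as an added example that is not from the slides. The function names (alpha, in_gamma, galois_checks, abstract_add) are assumptions, and because γ(⊤) = int is infinite, γ is sampled on a finite window of integers.

```python
# Constructed example, not from the slides: the parity domain of slide 27,
# {bot, even, odd, top}, with alpha over finite sets of ints and gamma given
# as a membership test, since gamma(top) = int is infinite.
LATTICE = ("bot", "even", "odd", "top")

def alpha(X):
    """Abstraction 2^int -> parity lattice: least element covering all of X."""
    parities = {"even" if x % 2 == 0 else "odd" for x in X}
    if not parities:
        return "bot"
    return parities.pop() if len(parities) == 1 else "top"

def in_gamma(a, x):
    """x in gamma(a): gamma(even) = {.., -2, 0, 2, ..}, gamma(odd) = {.., -3, -1, 1, ..},
    gamma(top) = int, gamma(bot) = {}."""
    return {"bot": False, "even": x % 2 == 0, "odd": x % 2 == 1, "top": True}[a]

def galois_checks(X, window=range(-6, 7)):
    """Slide 26: gamma(alpha(X)) is a superset of X, and alpha(gamma(A)) = A.
    The second check samples gamma(A) on `window`, which holds both parities."""
    extensive = all(in_gamma(alpha(X), x) for x in X)
    reductive = all(alpha([x for x in window if in_gamma(A, x)]) == A for A in LATTICE)
    return extensive, reductive

def abstract_add(a, delta, window=range(-6, 7)):
    """Best abstract transformer for x := x + delta, i.e. alpha(F(gamma(a))),
    again sampling gamma(a) on `window`: the 'transition computed in the
    abstract domain' of slide 10 for this domain."""
    return alpha([x + delta for x in window if in_gamma(a, x)])
```
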
28
Computing Abstract Transition Relation
(Figure: concrete relation R over S and abstract relation R' over S', related through α and γ.)
  • Existential Abstraction
  • R^∃∃ [Dams97]: (t, t1) ∈ R' iff
  • ∃ s ∈ γ(t) and ∃ s1 ∈ γ(t1) s.t. (s, s1) ∈ R
  • This ensures that
  • M' simulates M
  • Preservation Theorem applies
  • Similarly, Universal Abstraction R^∀∃
29
Other kinds of Abstraction
  • Cone of Influence
  • Slicing

30
Automated Abstraction/Refinement
  • Good abstractions are hard to obtain
  • Automate both Abstraction and Refinement
    processes
  • Counterexample-Guided AR (CEGAR)
  • Build an abstract model M'
  • Model check property P: M' ⊨ P?
  • If M' ⊨ P, then M ⊨ P by the Preservation Theorem
  • Otherwise, check if the Counterexample (CE) is
    spurious
  • Refine the abstract state space using the CE analysis
    results
  • Repeat

31
Counterexample-Guided Abstraction-Refinement
(CEGAR)
(Flowchart: Build New Abstract Model M' from M → Model Check.
Pass → No Bug.
Fail → Check Counterexample: Real CE → Bug; Spurious CE → Obtain Refinement Cue → Build New Abstract Model.)
32
Use of Abstractions in Hardware and Software
Verification
33
Applications
  • Hardware Verification
  • Thousands of Latches
  • Abstract using homomorphisms
  • SAT-based methods (Clarke et al.)
  • Software Verification
  • Integer variables, Undecidability
  • Predicate Abstraction
  • SLAM
  • MAGIC, BLAST
  • All these approaches are automated (CEGAR)

34
Verifying Hardware Abstraction
  • A number of approaches
  • Localization (Kurshan et al.)
  • SAT-based ('02)
  • We consider a homomorphism-based approach inside
    CEGAR framework

35
Counterexample-Guided Abstraction-Refinement
(CEGAR)
(Flowchart repeated from slide 31: Build New Abstract Model M' from M → Model Check; Pass → No Bug;
Fail → Check Counterexample: Real CE → Bug; Spurious CE → Obtain Refinement Cue → Build New Abstract Model.)
36
Abstraction Function
  • Partition variables into visible(V) and
    invisible(I) variables.
  • The abstract model consists of V variables. I
    variables are made inputs (existentially
    quantified).
  • The abstraction function maps each state to its
    projection over V.

37
Abstraction Function Example
(Figure: the concrete states over x1 x2 x3 x4 with values 0000, 0001, 0010, 0011
are mapped by h to the single abstract state x1 x2 = 00.)
Group concrete states with identical visible part
into a single abstract state.
38
Abstract Model Computation
  • Existential Abstraction

(Figure: the concrete model with initial states I and the abstract model with initial states I'.)
39
Obtaining Exist. Abstraction Symbolically
  • Concrete Model (S, I, R, L)
  • Abstract Model (S', I', R', L')
  • h: S → S'
  • S' = { s' | ∃ s ∈ S. h(s) = s' }
  • I' = { s' | ∃ s ∈ S. I(s) ∧ h(s) = s' }
  • R' = { (s1', s2') |
  • ∃ s1, s2. R(s1, s2) ∧ h(s1) = s1' ∧
    h(s2) = s2' }

40
Checking the Counterexample
  • Model check the abstract model
  • Yes or a Counterexample CE
  • Counterexample (c1, ..., cm)
  • Each ci is an assignment to V.
  • Simulate the counterexample on the concrete
    model.

41
Checking the Counterexample
  • Concrete traces corresponding to the
    counterexample (the parts of the formula, as labelled on the slide):
  • (Initial State)
  • (Unrolled Transition Relation)
  • (Restriction of V to Counterexample)
  • Refine if CE is spurious

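Slides 36 through 41 as one added example (not the slides' own or the CMU group's code): a constructed 4-bit model, projection onto the visible variables, the existential abstract model, and simulation of an abstract counterexample on the concrete model; the simulation also yields the deadend and bad states that the refinement slides below work with. All names (VARS, INIT, R, h, abstract_model, reachable_abstract, simulate_ce) are assumptions.

```python
# Constructed example, not from the slides: a 4-bit concrete model over
# x1..x4 (states are tuples in VARS order) with safety property AG !(x1 & x2).
VARS = ("x1", "x2", "x3", "x4")
INIT = {(0, 0, 0, 0)}
R = {                                   # concrete transition relation
    ((0, 0, 0, 0), (0, 1, 0, 0)),
    ((0, 1, 0, 0), (0, 0, 0, 0)),
    ((0, 0, 0, 1), (1, 1, 0, 1)),       # leaves a concretely unreachable state
}

def h(s, V):
    """Abstraction function (slide 36): project a state onto the visible vars V."""
    return tuple(s[VARS.index(v)] for v in V)

def abstract_model(V):
    """Existential abstraction (slide 39): I' and R' are the images of I and R under h."""
    return {h(s, V) for s in INIT}, {(h(s, V), h(t, V)) for s, t in R}

def reachable_abstract(V):
    """Abstract states reachable from I' (what the model checker explores)."""
    I_abs, R_abs = abstract_model(V)
    seen, todo = set(), list(I_abs)
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(b for (x, b) in R_abs if x == a)
    return seen

def simulate_ce(ce, V):
    """Simulate the abstract counterexample ce = (c1, ..., cm) on the concrete
    model (slides 40-41): `layer` holds the concrete states reachable along
    c1..ci. Returns None if the CE is real; otherwise (i, D, B) where step i
    cannot be concretized, D are the deadend states (slide 47) and B the bad
    states of c(i-1) that do have a transition into ci."""
    layer = {s for s in INIT if h(s, V) == ce[0]}
    for i in range(1, len(ce)):
        nxt = {t for s in layer for (u, t) in R if u == s and h(t, V) == ce[i]}
        if not nxt:
            bad = {s for (s, t) in R if h(s, V) == ce[i - 1] and h(t, V) == ce[i]}
            return i, layer, bad
        layer = nxt
    return None
```

With V = {x1, x2} the abstract model reaches (1, 1) only through the spurious edge contributed by state 0001; making x4 visible removes it.
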
42
Spurious counterexample?
43
Refinement
(Figure: the abstraction h is refined to h' by splitting abstract states.)
Refinement (h'): Make Invisible variables Visible

44
Refinement methods
Localization
(R. Kurshan, 80s)
45
Refinement methods
Abstraction/refinement with conflict analysis
(Chauhan, Clarke, Kukula, Sapra, Veith, Wang,
FMCAD 2002)
  • Simulate counterexample on concrete model with
    SAT
  • If the instance is unsatisfiable, analyze
    conflict
  • Make visible one of the variables in the clauses
    that lead to the conflict

46
Refinement as Separation
47
Refinement as Separation
(Figure: Deadend States and Bad States inside one abstract state.)
48
Refinement as Separation
(Table: a deadend state d1 and bad states b1, b2 over variables v1 .. v7, split into the
visible columns V and the invisible columns I; only the partial rows 0 1 0 1 and 0 1 0 are recoverable.)
  • Refinement: Find a subset U of I that separates
    all pairs of deadend and bad states. Make
    them visible.
  • Keep U small!

49
Refinement as Separation
(Table: the deadend state d1 and bad states b1, b2 over v1 .. v7 again, with the separating
invisible variables highlighted.)
  • Refinement: Find a subset U of I that separates
    all pairs of deadend and bad states. Make
    them visible.
  • Keep U small!

50
Refinement as Separation
  • The state separation problem
  • Input: Sets D, B
  • Output: Minimal U subset of I s.t.
  • ∀ d ∈ D, ∀ b ∈ B, ∃ u ∈ U. d(u) ≠ b(u)

The refinement h' is obtained by adding U to V.
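The state separation problem above and the two methods of the next slide, as an added example that is not the slides' own ILP or decision-tree code: exhaustive search by increasing size returns the minimal U (the optimum the ILP method computes), and a greedy heuristic stands in for the polynomial but non-optimal learning-based method. The invisible variables v3..v7 and the sets D and B are constructed.

```python
from itertools import combinations

# Constructed example, not the slides' table: deadend states D and bad states
# B as assignments to the invisible variables I (slides 48-50).
I = ("v3", "v4", "v5", "v6", "v7")
D = [{"v3": 0, "v4": 1, "v5": 0, "v6": 1, "v7": 0},
     {"v3": 0, "v4": 0, "v5": 1, "v6": 1, "v7": 1}]
B = [{"v3": 0, "v4": 1, "v5": 1, "v6": 1, "v7": 0},
     {"v3": 1, "v4": 0, "v5": 0, "v6": 1, "v7": 1}]

def separates(U, d, b):
    """Slide 50: there exists u in U with d(u) != b(u)."""
    return any(d[u] != b[u] for u in U)

def min_separating_set(I, D, B):
    """Smallest U subset of I separating every (d, b) pair, by exhaustive search
    over subsets of increasing size (exponential, like the ILP it stands in for)."""
    for k in range(len(I) + 1):
        for U in combinations(I, k):
            if all(separates(U, d, b) for d in D for b in B):
                return set(U)
    return None  # some d and b agree on all of I: no refinement over I separates them

def greedy_separating_set(I, D, B):
    """Polynomial but not optimal: repeatedly add the variable that separates the
    most still-unseparated pairs (a stand-in for the decision-tree method)."""
    pairs = [(d, b) for d in D for b in B]
    U = set()
    while pairs:
        best = max(I, key=lambda u: sum(d[u] != b[u] for d, b in pairs))
        if all(d[best] == b[best] for d, b in pairs):
            return None
        U.add(best)
        pairs = [(d, b) for d, b in pairs if d[best] == b[best]]
    return U
```

On this input the exhaustive search finds a separating set of size 2 while the greedy heuristic settles for size 3, which is the trade-off the next slide states.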
51
Two separation methods
  • ILP-based separation
  • Minimal separating set.
  • Computationally expensive.
  • Decision Tree Learning based separation.
  • Not optimal.
  • Polynomial.

52
More Details ..
  • SAT-based Abstraction Refinement Using ILP and
    Machine Learning, Edmund Clarke, Anubhav Gupta,
    James Kukula, Ofer Strichman. CAV02
  • Automated Abstraction Refinement for Model
    Checking Large State Spaces Using SAT Based
    Conflict Analysis, Pankaj Chauhan, Edmund M.
    Clarke, James H. Kukula, Samir Sapra, Helmut
    Veith, Dong Wang. FMCAD02

53
Software Predicate Abstraction
  • Graf, Saïdi '97
  • Abstraction using Galois Connections
  • Predicates define abstract states
  • Existential abstraction using theorem provers
  • Example
  • P = {p1, p2}, p1: x < 5, p2: y = 4
  • States: (p1, p2), (¬p1, p2)

54
Defining an Abstract Domain
  • Predicates on Variables
  • E.g., p1: x < 3
  • Do not abstract program location variables
  • Weakest Preconditions (WP)
  • WP(x = y + 1, p1) = (y + 1 < 3) = (y < 2)
  • WP(Y, x = e) = Y[e/x]
  • Predicate Discovery using WP

(Figure: the assignment x = y + 1 with precondition y < 2 and postcondition x < 3.)
55
CEGAR
  • Build Model
  • Using initial set of predicates P
  • Model Check
  • Generate reachable states explicitly/symbolically
  • Obtain CE
  • Check if CE is spurious
  • SAT-based
  • Refinement Cue
  • Find new predicates to add to P

56
Example
Example() {
1:  do {
      lock();
      old = new;
2:    if (...) {
3:      unlock();
        new++;
      }
4:  } while (new != old);
5:  unlock();
    return;
}
Q: Is Error Reachable?
lock() sets LOCK = 1, unlock() sets LOCK = 0
57
Example: CFG
(Figure: control-flow graph of the program above; the edge out of node 1 is labelled lock(); old = new.)
58
Example: CFG
(Figure: the same control-flow graph.)
Q: Is Error Reachable?
59
Step 1: Generate and Model Check Abstract space
(Figure: abstract reachability over the CFG. Node 1 is labelled LOCK = 0 with the outgoing edge
lock(); old = new; the branch unlock(); new++ leads to node 4, labelled LOCK = 0, which has the
loop edge new == old and the exit edge unlock().)
Set of predicates: {LOCK = 0, LOCK = 1}
60
Step 2: Analyze Counterexample
Q: When can ...
Fwd Reachable (Deadend) States at node n: R_n
(Figure: the CFG path to Err, annotated LOCK = 0.)
Formulate as a satisfiability problem for a logic
61
Step 2: Analyze Counterexample
(Figure: the counterexample path with edges lock(); old = new, unlock(); new++, new == old, unlock(),
and node annotations LOCK = 0 ∧ new = old and LOCK = 0.)
Formulate as a satisfiability problem for a logic
62
Step 2: Analyze Counterexample
(Figure: constraints along the counterexample path:
LOCK = 0 ∧ new1 = new
LOCK = 1 ∧ new1 = old
LOCK = 1 ∧ new + 1 = old
LOCK = 0 ∧ new = old
LOCK = 0)
Track the predicate new = old
63
Step 3: Resume Search
(Figure: the abstract search resumed; node 4 is labelled LOCK = 0 ∧ new = old, with the loop edge
new != old back to node 1.)
Set of predicates: {LOCK = 0, LOCK = 1, new = old}
64
Step 3: Resume Search
ERROR Unreachable
(Figure: abstract states at the CFG nodes: node 2: LOCK = 1 ∧ new = old; node 3: LOCK = 1 ∧ new = old;
node 4: LOCK = 0 ∧ new = old; nodes 5 and 1; a further node labelled LOCK = 0 ∧ new = old.)
Set of predicates: {LOCK = 0, LOCK = 1, new = old}
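The lock() example of slides 56 through 64, run as an added predicate-abstraction experiment (not SLAM's or the slides' own tool output): with the LOCK predicate alone the abstract model reaches ERROR (the spurious counterexample of step 2), and adding new = old makes ERROR unreachable (step 3). The finite domain for old and new, the nondeterministic branch, and the names step, error_reachable, P_LOCK and P_EQ are assumptions.

```python
from itertools import product

# Constructed finite model of the slide-56 program, not the slides' tool
# output. Assumptions: old and new range over 0..N-1 with wrap-around (keeps
# the state space finite) and the if (...) branch is nondeterministic.
N = 4
ERROR = "ERROR"

def step(s):
    """Concrete successors of (pc, lock, old, new). A lock() when already
    locked or an unlock() when unlocked goes to ERROR (the property)."""
    pc, lock, old, new = s
    if pc == 1:                       # lock(); old = new
        return [ERROR] if lock else [(2, 1, new, new)]
    if pc == 2:                       # if (...): either branch
        return [(3, lock, old, new), (4, lock, old, new)]
    if pc == 3:                       # unlock(); new++
        return [ERROR] if not lock else [(4, 0, old, (new + 1) % N)]
    if pc == 4:                       # while (new != old)
        return [(1, lock, old, new)] if new != old else [(5, lock, old, new)]
    return [ERROR] if not lock else []   # pc == 5: unlock(); return

CONCRETE = list(product(range(1, 6), (0, 1), range(N), range(N)))
INIT = [s for s in CONCRETE if s[0] == 1 and s[1] == 0]

# Predicates of slides 59 and 63: LOCK = 1 and new = old.
P_LOCK = lambda s: s[1] == 1
P_EQ = lambda s: s[3] == s[2]

def error_reachable(preds):
    """Predicate abstraction as existential abstraction (slide 39): h keeps the
    program location plus the truth value of each predicate, and an abstract
    edge (t, t1) exists iff some concrete s in gamma(t) steps to some s1 in
    gamma(t1). Then search the abstract model for ERROR."""
    h = lambda s: s if s == ERROR else (s[0],) + tuple(p(s) for p in preds)
    succ = {}
    for s in CONCRETE:
        for s1 in step(s):
            succ.setdefault(h(s), set()).add(h(s1))
    seen, todo = set(), [h(s) for s in INIT]
    while todo:
        t = todo.pop()
        if t == ERROR:
            return True
        if t not in seen:
            seen.add(t)
            todo.extend(succ.get(t, ()))
    return False
```

The spurious path is 1 → 2 → 4 → 1 with LOCK = 1 at node 4: the concrete state that takes the back edge there has new != old and is unreachable, which only the predicate new = old can express.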
65
CEGAR for Software Verification
  • (C programs) SLAM '00
  • Abstract C programs to Boolean programs (C2BP)
  • Symbolic Model Checker (Bebop), CE-analysis
    (Newton)
  • (C programs) BLAST
  • On-the-fly Predicate Abstraction
  • Lazy Abstraction
  • Proof-based CE analysis
  • (C programs) MAGIC
  • Handles concurrent message-passing programs
  • Two-level CEGAR
  • (Java programs) ESC/Java, Bandera, ...

66
Using SAT in Predicate Abstraction
  • Build Abstraction: All-SAT for computing abstract
    transitions
  • Model Check: BDD-based
  • Checking CE: BMC-like simulation of the CE
  • Refinement: Uses the proof of infeasibility of the CE
    from the SAT solver

67
Conclusion
  • Formal basis for Abstraction/Refinement
  • Homomorphic Abstractions
  • Abstract Interpretation
  • Safe Abstractions
  • Applications
  • Hardware e.g., Hom. Existential Abstraction
  • Software e.g., Predicate Abstraction

68
Acknowledgements
  • We thank the following sources for the slides
  • Model Checking Group, CMU
  • BLAST group, Berkeley
  • Bandera group, KSU