Predicate abstraction for game semantics

1
(No Transcript)
2
game-based model checking

• key game model properties
• syntax-direct behaviour of any component
  specified in isolation
• truly compositional behaviour of component built
  from sub-models

• any component can be verified in isolation
• huge programs could be verified by isolating
  difficult parts

3
game-based p.a.

• game models cannot avoid state explosion
• - would benefit from predicate abstraction!
• predicate abstraction most naturally treated as a
  model mutation
• - would benefit from syntax-direct and
  compositional explanation

4
contributions

• a game semantics of p.a.
• a verification tool for a large subset of C
• a predicate annotation approach that exploits the
  syntax-direct property
• a CEGAR verification algorithm that exploits the
  syntax-direct property

5
programming language IAL

• C-like control structure
• if break continue goto assert
• block structure state
• nat x M N x M
• expressions
• x k M(N1,..,Nn) let f(x1,..,xn) M in N

6
battle of numbers

• bool goer 0
• nat pile 10 you()10 me()10
• f (if pile gt 0
• then goer 1 pile - you()9pile
• if pile gt 0
• then goer 0 pile - me()9pile)
• if pile 0 then winner goer

7
wrestle of numbers
bool goer 0 nat pile nat n you()10
n10 9 n assert(pile9 0) f (if pile gt 0
then nat n you()9 goer
1 pile - n assert(pile9 9
- n) if pile gt 0
then pile - 9 n goer 0) assert(goer
0)
8
stateful game model no p.a.

• model M v set of traces returning val v
• distinguish ab/normally terminating traces
• trace start state, moves, end state
• state map ids in environment to vals
• move val position (in typing)

9
stateful game models
you() m qyou,myou
(for all m)
you()9 d Sm9d qyou,myou
10
p.a. game model
model M e set of traces returning expr
e distinguish ab/normally terminating
traces trace start P-state, moves, end
P-state P-state set of (negated) P members move
expr position (in typing)
11
p.a. game models
you() y qyou,yyou
you()9 y9 qyou,yyou
n you()9 () qyou,yyou
if sat( )
y9/n
12
wrestle game model
goer1
()f1
qf1,qyou,nyou
()f1
goer0
qyou,0you,qf
goer0
qf1,()f1
()f

()f
qyou,1you,qf
goer0
13
wrestle p.a. model
()f1
qf1,qyou,nyou
()f1
qyou,yyou,qf
qf1,()f1
()f
()f
14
about this formulation

• simple
• stateful and p.a. variants similar
• control semantics orthogonal to state semantics
  (control ignored in this talk!)

• less compositional in spirit than some game
  semantics
• - environments are important
• - p.a. semantics difficult to handle otherwise

15
p.a. properties

• the p.a. model is decidable (finite-state)
• if p.a. model of M has no aborting traces then M
  is safe

16
syntactic predicate annotation

• we can trivially move predicate annotations from
  the model to the program
• this can be used to minimize the predicate state
  size

17
annotated wrestle
letp goer 0 in bool goer 0 letp
pile9 0 in nat pile nat n
you()10 n10 9 n assert(pile9
0) f (if pile gt 0 then nat
n you()9 goer 1
letp pile9 9 n in
pile - n
assert(pile9 9 - n)
if pile gt 0 then pile
- 9 n goer 0) assert(goer 0)
18
annotated p.a. model
pile9!0
pile99-n
goer1
qf1,qyou,nyou
()f1
qyou,yyou,qf
qf1,()f1
pile90
goer0
()f
goer0
19
game p.a. c.e.g.a.r.

• make each conditional a predicate
• as tightly scoped as possible
• model check
• safe gt safe
• unsafe gt
• check trace feasibility
• widen scope of some letp if infeasible

20
c.e.g.a.r. wrestle
bool goer 0 nat pile nat n you()10
n10 9 n letp pile9 0 in assert(pile9
0) f (if letp pile gt 0 in pile gt 0 then nat
n you()9 goer 1 pile -
n letp pile9 9 n in
assert(pile9 9 - n) if letp
pile gt 0 in pile gt 0 then pile -
9 n goer 0) letp goer 0 in assert(goer
0)
21
c.e.g.a.r. wrestle
bool goer 0 letp pile9 0 in nat pile
nat n you()10 n10 9 n
assert(pile9 0) f (if letp pile gt 0 in pile gt
0 then nat n you()9 goer 1
pile - n letp pile9 9 n
in assert(pile9 9 - n) if letp
pile gt 0 in pile gt 0 then pile -
9 n goer 0) letp goer 0 in assert(goer
0)
22
c.e.g.a.r. wrestle
bool goer 0 letp pile9 0 in nat pile
nat n you()10 n10 9 n
assert(pile9 0) letp goer 0 in f (if
letp pile gt 0 in pile gt 0 then nat n
you()9 goer 1 pile - n
letp pile9 9 n in
assert(pile9 9 - n) if letp
pile gt 0 in pile gt 0 then pile
- 9 n goer 0) assert(goer 0)
23
c.e.g.a.r. wrestle
bool goer 0 letp goer 0 in letp pile9
0 in nat pile nat n you()10
n10 9 n assert(pile9 0) f
(if letp pile gt 0 in pile gt 0 then nat n
you()9 goer 1 pile -
n letp pile9 9 n in
assert(pile9 9 - n) if letp
pile gt 0 in pile gt 0 then pile
- 9 n goer 0) assert(goer 0)
24
c.e.g.a.r. wrestle
letp goer 0 in bool goer 0 letp
pile9 0 in nat pile nat n
you()10 n10 9 n assert(pile9
0) f (if letp pile gt 0 in pile gt 0
then nat n you()9 goer 1
pile - n letp pile9 9
n in assert(pile9 9 - n) if
letp pile gt 0 in pile gt 0 then
pile - 9 n goer 0) assert(goer 0)
25
c.e.g.a.r. wrestle
letp goer 0 in bool goer 0 letp
pile9 0 in nat pile nat n
you()10 n10 9 n assert(pile9
0) f (if letp pile gt 0 in pile gt 0
then nat n you()9 goer 1
pile - n
letp pile9 9 n in assert(pile9 9 - n)
if letp pile gt 0 in pile gt 0
then pile - 9 n goer
0) assert(goer 0)
26
c.e.g.a.r. wrestle
letp goer 0 in bool goer 0 letp
pile9 0 in nat pile nat n
you()10 n10 9 n assert(pile9
0) f (if letp pile gt 0 in pile gt 0
then nat n you()9 goer 1
letp pile9 9 n in
pile - n
assert(pile9 9 - n) if
letp pile gt 0 in pile gt 0
then pile - 9 n goer 0)
assert(goer 0)
27
c.e.g.a.r. wrestle
letp goer 0 in bool goer 0 letp
pile9 0 in nat pile nat n
you()10 n10 9 n assert(pile9
0) f (if letp pile gt 0 in pile gt 0
then nat n you()9 goer 1
letp pile9 9 n in
pile - n
assert(pile9 9 - n)
if letp pile gt 0 in pile gt 0
then pile - 9 n goer 0)
assert(goer 0)