Abstraction and Refinement in Static Model-Checking
Kaninda Musumbu, LaBRI (UMR 5800 du CNRS), Université Bordeaux 1, France, 351 cours de la Libération, F-33405 Talence Cedex; e-mail: [email protected]
Abstract — Abstract interpretation is a general methodology for building static analyses of programs. It was introduced by P. and R. Cousot in [3]. We present, in this paper, an application of a generic abstract interpretation to the domain of model checking. Dynamic checkers are usually easier to use, because the concepts are established and widely known, but they are usually limited to systems whose state space is finite. Moreover, certain faults cannot be detected dynamically, even by keeping track of the history of the state space; indeed, the classical problem of finding the right test cases is far from trivial and further limits the abilities of dynamic checkers. Static checkers have the advantage that they work at a more abstract level than dynamic checkers and can verify system properties for all inputs. The problem is that it is hard to guarantee that a violation of a modelled property corresponds to a fault in the concrete system. We propose an approach in which we generate counterexamples dynamically using abstract interpretation techniques.

Keywords: static analysis, model-checking, abstract interpretation, refinement

I. INTRODUCTION
Since the number of states of a model grows exponentially with the number of variables and components of the system, model checking becomes hard to carry out automatically. To make it feasible, the size of these models must be reduced so as to reach reasonable time and memory requirements. Reduction techniques seek to suppress the harmful effects of this combinatorial explosion. When the behaviour graphs comprise several millions or billions of states and transitions, the physical limits of memory are quickly reached, and one must resort to compression techniques for behaviour graphs, the best known being based on BDDs (Binary Decision Diagrams). During enumeration, deciding whether a reached state has already been met requires traversing the explored part of the graph. This subgraph, which keeps growing, must be held in main memory; its limits are quickly exceeded and paging algorithms suffer a considerable drop in performance. Abstraction methods make it possible to eliminate the proliferation of states that differ from one another only by details that are unimportant with respect to the properties to be checked. It is essential that the reduced model preserve enough information to produce the same results as the original model, and that it preserve the properties one wishes to check. These two requirements must be considered carefully when an abstract model is generated from a concrete one. Designing a "good" reduction method consists in producing a reduction relation satisfying three criteria: a large reduction ratio, a relation of strong preservation, and an easy derivation of the reduction relation from the description of the system, the ideal being the construction of the reduced graph directly from the description.
The way in which the details of the abstraction are selected for the checking can be automatic or manual. The manual technique relies on abstract interpretations selected by the user. The abstractions considered generally preserve the properties in a weak way, which means that they are only preserved from the abstract model to the concrete model: if one can guarantee that a property holds, the same cannot be said of its negation. Abstract interpretation is a methodology aiming at defining, analysing and justifying techniques of approximate computation of properties of systems [3], whatever semantics is used. It consists in carrying out the analysis not in the concrete domain but in an abstract domain (simplified and limited) which preserves the properties sought; the major disadvantage is that the results are in general less precise and that one has to accommodate approximations of the properties. In this paper, we present an abstraction technique called predicate abstraction with refinement, which trades the generality of the analysis for minimality, so that a violation of a property detected on an abstract path has a strong probability of existing on a path of the concrete model. The analysis is made at the global state space level: a traversal algorithm (similar to the one used to build the state space) is used to check for deadlock, livelock or divergent states. Example paths starting from the initial state and leading to a deadlock, livelock or divergent state can be extracted. To this end, we collect during the search for these special states the intermediate state sets reached before them. Verification is based on bisimulation minimisations and comparisons.

II. GENERALITIES
Small example: the rule of signs. The abstract multiplication ∼× on Sgn = {−, +} is given by the table

    ∼×  |  −    +
    ----+---------
     −  |  +    −
     +  |  −    +

such that the following diagram commutes (α : Int → Sgn is the abstraction, γ : Sgn → P(Int) the concretisation):

    Int × Int  ----×---->  Int
        |                   |
      α × α                 α
        v                   v
    Sgn × Sgn  ---∼×--->  Sgn

Consistency (soundness): ∀x, y ∈ Int : x × y ∈ γ(α(x) ∼× α(y)).

A. Definition
Abstract interpretation is a general methodology for the automatic analysis of the run-time properties of systems. The problem is that an exact analysis may be very expensive: even when the properties of interest are decidable, deciding them may be NP-complete (and in general they are undecidable). The idea is to find a decidable approximation which is sound and computable.
B. Mathematical theory of Abstract Interpretation
Often, abstract interpretation refers to the concept of Galois connection: a 4-tuple (C, A, α, γ) where C and A are complete lattices and γ : A → C and α : C → A are monotone functions such that ∀b ∈ A : α(γ(b)) = b (a Galois insertion; a general Galois connection only requires α(γ(b)) ≤ b) and ∀c ∈ C : γ(α(c)) ≥ c. Such a connection is what makes the approach workable, since it is impossible in practice to generate and analyse all possible execution traces of a given program.
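The rule of signs of the small example and the Galois connection conditions α(γ(b)) = b and γ(α(c)) ≥ c, as an added example written for this page (not the paper's code). It assumes the abstract domain P({−, 0, +}) rather than the two-element Sgn of the diagram, so that the domain has a bottom (the empty set) and a top, and it replaces Int by a finite window of integers wherever a set of integers has to be enumerated. An abstract addition is included to show an operator that is sound but loses precision, and a deliberately wrong abstract subtraction to show the consistency check failing.

```python
"""Rule of signs as an abstract interpretation.  Added example, not the
paper's code.  Assumption: the abstract domain is the powerset of the signs
{'-', '0', '+'} (so that it has a bottom and a top and (P(Int), P(Sgn),
alpha, gamma) is a Galois connection), and Int is replaced by a finite
window of integers wherever a set of integers has to be enumerated."""
from itertools import combinations, product

SIGNS = frozenset("-0+")
BOT, TOP = frozenset(), SIGNS

def sign(x):
    return "-" if x < 0 else "+" if x > 0 else "0"

def alpha(xs):
    """alpha : P(Int) -> P(Sgn), the set of signs occurring in xs."""
    return frozenset(sign(x) for x in xs)

def gamma(a, window=range(-50, 51)):
    """gamma : P(Sgn) -> P(Int), every integer whose sign is allowed by a."""
    return {x for x in window if sign(x) in a}

# The rule of signs: (-)x(-) = +, (-)x(+) = -, (+)x(-) = -, (+)x(+) = +,
# and anything times 0 is 0.
RULE = {("-", "-"): "+", ("-", "+"): "-", ("+", "-"): "-", ("+", "+"): "+"}

def sign_mul(s, t):
    return "0" if "0" in (s, t) else RULE[(s, t)]

def abs_mul(a, b):
    """~x : the rule of signs lifted to sets of signs (abstract multiplication)."""
    return frozenset(sign_mul(s, t) for s, t in product(a, b))

def abs_add(a, b):
    """~+ : abstract addition; (-) + (+) may have any sign, so precision is lost."""
    out = set()
    for s, t in product(a, b):
        if s == "0" or t == "0":
            out.add(t if s == "0" else s)
        elif s == t:
            out.add(s)
        else:
            out |= SIGNS
    return frozenset(out)

def consistent(abs_op, conc_op, window=range(-20, 21)):
    """Soundness condition: for all x, y in Int, conc_op(x, y) is an element of
    gamma(abs_op(alpha({x}), alpha({y}))); checked for x, y in the window
    (membership is tested on the sign, so the product may leave the window)."""
    return all(sign(conc_op(x, y)) in abs_op(alpha({x}), alpha({y}))
               for x, y in product(window, repeat=2))

def galois_connection(window=range(-20, 21)):
    """alpha(gamma(b)) = b for every abstract value b (Galois insertion) and
    gamma(alpha(c)) contains c for sample concrete sets c."""
    abstract_values = [frozenset(c) for k in range(4)
                       for c in combinations(SIGNS, k)]
    insertion = all(alpha(gamma(b, window)) == b for b in abstract_values)
    samples = [set(), {0}, {-3, 7}, set(range(-5, 5)), {10, 20}]
    extensive = all(c <= gamma(alpha(c), window) for c in samples)
    return insertion and extensive

if __name__ == "__main__":
    print(abs_mul(frozenset("-"), frozenset("-+")))        # {'-', '+'}
    print(abs_add(frozenset("-"), frozenset("+")))         # TOP: precision lost
    print(consistent(abs_mul, lambda x, y: x * y))         # sound
    print(consistent(lambda a, b: a, lambda x, y: x - y))  # "x - y has the sign of x": unsound
    print(galois_connection())
```

The consistency check is exactly the diagram's condition written for singletons: the concrete operation applied to x and y must land in the concretisation of the abstract operation applied to their abstractions. The unsound subtraction is caught on the first pair where the sign of x − y differs from that of x, which is the kind of error an abstract operator written by hand is prone to.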
C. Motivation
Abstract interpretation is based on three fundamental ideas: an abstract domain, abstract operators and fixpoint computation.

The abstract domain and the abstract operators are used to execute a program on abstract values. The fixpoint computation drives the process on abstract values (it defines, in a certain way, the semantics of the program). The objective is to obtain information on the execution and on the results of the program, provided that the abstract domain and the operators satisfy certain constraints.
D. Semantics
Its definition has two viewpoints:
• Theoretical: associates a meaning with the objects handled by the programs.
• Practical (operational): associates with a program a semantic function (automata). A transition

      <P, e> −t→ <P′, e′>   with  P = t.P′  and  e′ = t(e)

  where t is the transition relation. Note: t[P](e) denotes the computation; if the computation ends in <ε, e_n> (no statement left), the results of the program are the values of the variables in the last state e_n.
• Denotational: t : (D → D) → (D → D),

      t = λf.λx.( if p(x) then x else f(h(x)) fi )

  where p is a predicate and h any function. Example, the F91 function of McCarthy:

      t = λf.λx.( if x > 100 then x − 10 else f(f(x + 11)) fi )
1) Abstract domain: Any program P handles data belonging to a domain D_s, called the standard domain. Abstract interpretation consists in choosing an abstraction D_abs of the data.

First approach. Let θ = {x_1 ← t_1, ..., x_n ← t_n} be a state (substitution); β approximates θ iff β = {x_1 ← prop(t_1), ..., x_n ← prop(t_n)}, where prop(t) is the property of the value t. This defines the concrete (collecting) semantics, which is most often not computable. Construction process: P can be considered as a partial function P : D_s^m → D_s^n, n, m ≥ 0. Example, the McCarthy function:

    F(x) = if x > 100 then x − 10 else F(F(x + 11))

    #include <stdio.h>

    int F91(int x)
    {
        int f;
        if (x > 100)
            f = x - 10;
        else
            f = F91(F91(x + 11));
        return f;
    }

    int main(void)
    {
        int x;
        if (scanf("%d", &x) != 1)
            return 1;
        printf("value of F91 of %d = %d\n", x, F91(x));
        return 0;
    }

Note: nothing in this definition shows that F terminates for every x ∈ Z (it does, but the proof is not immediate). The idea is to replace Z by its power set P(Z). We get the following definition:

    F(X) = {x − 10 : x > 100 ∧ x ∈ X ⊆ Z} ∪ F(F({x + 11 : x ≤ 100 ∧ x ∈ X ⊆ Z}))

It is easy to show that a set C with F(C) = C satisfies the condition ∀x ∈ C ∃y ∈ C : y = f(x). Note: the calculation of such a function is too expensive even for simple values, and the definition of the operations on such a domain is too complex.

Second approach. Choose a "good" system of representation of the properties: β = {x_1 ← α(prop(t_1)), ..., x_n ← α(prop(t_n))}, with a judicious approximation of each element of P(Z) by an interval [min..max]:

    D_abs = {[s..t] : s, t ∈ Z ∪ {−∞, +∞}}

We define an order on D_abs, noted ⊆ : [s..t] ⊆ [s′..t′] iff s ≥ s′ and t ≤ t′.

a) Lemma: (D_abs, ⊆) is a lattice whose least element is [] (the empty interval) and whose greatest element is [−∞..+∞]. The abstraction and concretisation functions

    α : C → A,  α(c) = [min(c)..max(c)]
    γ : A → C,  γ([s..t]) = {s, s + 1, ..., t − 1, t}

satisfy the coherence constraints ∀c ∈ C : γ(α(c)) ⊇ c and ∀a ∈ A : α(γ(a)) = a.

b) Remarks:
• An abstract equivalent of a program carries out the same standard operations as the original, except that the domains are different.
• For real Pascal, C or Java programs, the rewriting work would be too tedious. In practice one defines abstract operators, and the abstract interpreter uses them to compute on the abstract data by interpreting the program to be analysed.
• Each operator or function of the language must have an abstract equivalent. The quality required is their consistency (coherence) with respect to the corresponding concrete operator. For performance, one also requires efficiency and convergence, to guarantee termination and an acceptable computing time.

Abstract version of the F91 function on D_a (= D_abs):

    F_a([s..t]) = [max(91, s − 10) .. t − 10] ∪ F_a(F_a([s + 11 .. min(t + 11, 111)]))

where, for I_i, I_j ∈ D_a with I_i = [s..t] and I_j = [s′..t′], I_i ∪ I_j = lub(I_i, I_j) = [min(s, s′) .. max(t, t′)], and an interval whose lower bound exceeds its upper bound is [].

The abstract calculus:

    F_a([−∞..+∞]) = [91..+∞] ∪ F_a(F_a([−∞..111]))
    F_a([−∞..111]) = [91..101] ∪ F_a(F_a([−∞..111]))

Note: the set of functions D_a → D_a can be provided with the order f ≤ g iff ∀I ∈ D_a : f(I) ⊆ g(I). The fixpoint calculus is useful at the time of recursive calls, to ensure termination by proceeding by successive approximations.

c) Complete lattice: (D, ≤) is
• a lattice iff every pair of elements has a least upper bound and a greatest lower bound in D (in particular ∃⊥ ∈ D and ∃⊤ ∈ D);
• complete iff
  – ∀X ⊆ D ∃U ∈ D : U = lub(X), and
  – ∀X ⊆ D ∃L ∈ D : L = glb(X).
It is obvious that (D_a, ⊆) satisfies these conditions.

d) Monotonicity and continuity: Let A be a complete lattice with a partial order ≤ and T : A → A a transformation.
• T is monotone iff ∀x, y ∈ A : x ≤ y ⇒ T(x) ≤ T(y);
• T is continuous iff for every chain X ⊆ A : T(lub(X)) = lub(T(X)).
The transformation we consider is a functional from a set of functions into itself, T : (D_a → D_a) → (D_a → D_a):

    (T F_a)([s..t]) = [max(91, s − 10) .. t − 10] ∪ F_a(F_a([s + 11 .. min(t + 11, 111)]))

e) Lemma: T is monotone and continuous:
• ∀I_i, I_j ∈ D_a : I_i ≤ I_j ⇒ f(I_i) ≤ f(I_j)
• ∀I_0 ⊆ I_1 ⊆ ... ⊆ I_n ⊆ ... : f(∪_{i=0..∞} I_i) = ∪_{i=0..∞} f(I_i)

Theorem: Let f([s..t]) be the concrete function; the approximation of f([s..t]) is obtained by computing the fixpoint of T.
• If the constraints on the domain and the operators are satisfied, then any fixpoint of T is a correct approximation of the function f.
• The least fixpoint of T exists and constitutes the best approximation of f.
• The least fixpoint of T coincides with the limit of the increasing sequence of approximations f_0 ≤ f_1 ≤ f_2 ≤ ... ≤ f_n ≤ ... such that f_0(I) = ⊥ for all I ∈ D_a and f_{k+1} = T(f_k) for all k ≥ 0.
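The interval lattice, the abstract F91 function F_a and the ascending sequence f_0 = ⊥, f_{k+1} = T(f_k) of the theorem above, together with the interval widening ▽ defined in the next subsection, as an added example written for this page (not the paper's code). Assumptions: an interval is a (lo, hi) pair with float infinities and the empty interval is None; the fixpoint is computed by a local iteration that re-evaluates each call site until T(f_k) ⊑ f_k; and, when enabled, widening is applied to the argument of nested calls against the innermost call in progress, which is how the call F_a([−∞..111]) gets replaced by F_a([−∞..+∞]) in the paper's example. The countdown function is a second, constructed example of an iteration that does not terminate without widening.

```python
"""Interval domain, abstract McCarthy F91 and fixpoint iteration with an
optional widening.  Added example written for this page, not the paper's
code.  Assumptions: an interval [s..t] is a (lo, hi) pair with float
infinities, the empty interval (bottom) is None, and recursive abstract
functions are solved by a local iteration in which every call site starts
at bottom and is re-evaluated until T(f_k) is included in f_k."""
from math import inf

BOT = None                                  # the empty interval []

def join(a, b):
    """lub: [s..t] ∪ [s'..t'] = [min(s, s') .. max(t, t')]."""
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def leq(a, b):
    """a ⊑ b: interval inclusion, with [] below everything."""
    return a is BOT or (b is not BOT and b[0] <= a[0] and a[1] <= b[1])

def meet(a, lo=-inf, hi=inf):
    """a ∩ [lo..hi], used to model a branch condition."""
    if a is BOT:
        return BOT
    s, t = max(a[0], lo), min(a[1], hi)
    return (s, t) if s <= t else BOT

def shift(a, k):
    """[s..t] + k."""
    return BOT if a is BOT else (a[0] + k, a[1] + k)

def widen(old, new):
    """[l, u] ▽ [l', u']: a bound that is still moving jumps to its infinity."""
    if old is BOT:
        return new
    if new is BOT:
        return old
    return (-inf if new[0] < old[0] else old[0], inf if new[1] > old[1] else old[1])

def f91_body(fa, I):
    """(T F_a)([s..t]) = [max(91,s-10) .. t-10] ∪ F_a(F_a([s+11 .. min(t+11,111)]));
    `fa` is the handle for the recursive call, supplied by the solver."""
    gt100 = shift(meet(I, lo=101), -10)     # branch x > 100 : x - 10
    le100 = shift(meet(I, hi=100), 11)      # branch x <= 100: F(F(x + 11))
    return join(gt100, fa(fa(le100)))

def countdown_body(fa, I):
    """K(x) = x if x > 0 else K(x - 1) (constructed): the abstract arguments
    form an infinite descending chain that only widening cuts short."""
    return join(meet(I, lo=1), fa(shift(meet(I, hi=0), -1)))

def solve(body, arg, use_widening=False, max_steps=300):
    """Least fixpoint for the call body(arg): f_0 = ⊥, f_{k+1} = T(f_k) until
    stable.  With use_widening the argument of a nested call is widened
    against the innermost call in progress (F_a([-∞..111]) becomes
    F_a([-∞..+∞])).  Returns (result, number of body evaluations)."""
    approx, done, stack, steps = {}, {}, [], 0
    reads = set()                           # in-progress approximations read

    def fa(I):
        nonlocal steps, reads
        if I is BOT:
            return BOT
        if use_widening and stack:
            I = widen(stack[-1], I)
        if I in done:
            return done[I]
        if I in approx:                     # recursive call: current approximation
            reads.add(I)
            return approx[I]
        stack.append(I)
        approx[I] = BOT
        outer, reads = reads, set()
        while True:
            steps += 1
            if steps > max_steps:
                raise RuntimeError("fixpoint iteration does not converge")
            new = body(fa, I)
            if leq(new, approx[I]):         # T(f_k) ⊑ f_k: stable
                break
            approx[I] = join(approx[I], new)
        result = approx.pop(I)
        stack.pop()
        reads.discard(I)
        if not reads:                       # independent of unfinished calls: memoise
            done[I] = result
        reads |= outer
        return result

    return fa(arg), steps

def diverges(body, arg, **kw):
    """True when the iteration exceeds the step limit."""
    try:
        solve(body, arg, **kw)
        return False
    except RuntimeError:                    # RecursionError is a RuntimeError too
        return True

if __name__ == "__main__":
    print(solve(f91_body, (-inf, inf)))                      # result [91..+∞]
    print(solve(f91_body, (-inf, inf), use_widening=True))   # same result, 2 steps
    print(solve(f91_body, (0, 0)), solve(f91_body, (0, 0), use_widening=True))
```

On [−∞..+∞] both runs reach [91..+∞], which is the exact image of F91, but widening converges in two evaluations of the body instead of going through the chain [91..101], [102..111], [92..101], ... On the precise input [0..0] the plain iteration returns [91..91] while the widened one returns [91..+∞]: sound, but this is the loss of precision the text warns about. The countdown function shows the other side of the trade: without widening the iteration follows the chain of arguments [−1..−1], [−2..−2], ... and never stabilises, with widening it stops at [−∞..0] and returns ⊥, the correct abstract result for a call that never terminates.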
2) Fixpoint approach: The fixpoint approach is based on the monotonicity (continuity) of the transformation of the set of tuples representing the pre- and post-conditions of every predicate. In the case of an infinite abstract domain, termination of the algorithm is not guaranteed; this is the case when infinitely many different recursive calls are made. One can restrict oneself to finite abstract domains, which in some cases turns out to be awkward or unacceptable. A possible solution is to replace an infinite sequence of approximations by a finite number of approximate values.

3) Widening/narrowing approach: Suppose the abstract semantics of the program is given by a function f_P : D_abs → D_abs. The analysis proceeds as follows:
1) Widening: computation of the limit of the sequence X defined by

      x_0 = ⊥
      x_{i+1} = x_i                if f_P(x_i) ⊑ x_i
              = x_i ▽ f_P(x_i)     otherwise

2) Narrowing, to improve the result obtained by the widening: computation of the limit of the sequence Y defined by

      y_0 = ⊔X   (the limit of the widening sequence)
      y_{i+1} = y_i                if f_P(y_i) = y_i
              = y_i △ f_P(y_i)     otherwise

a) Properties:
Widening ▽ : L × L → L:
  ∀X, Y ∈ L : X ⊑ X ▽ Y and Y ⊑ X ▽ Y, i.e. X ⊔ Y ⊑ X ▽ Y;
  ⊥ ▽ X = X ▽ ⊥ = X;
  for every increasing sequence x_0 ⊑ x_1 ⊑ ..., the sequence y_0 = x_0, y_{i+1} = y_i ▽ x_{i+1} is stationary after finitely many steps (this is what guarantees termination).
Narrowing △ : L × L → L:
  ∀X, Y ∈ L : Y ⊑ X ⇒ Y ⊑ X △ Y ⊑ X.

b) Widening applied to intervals:

      [l, u] ▽ [l′, u′] = [ if l′ < l then −∞ else l ,  if u′ > u then +∞ else u ]

Example: instead of making the recursive call with F_a([−∞..111]), one makes it with F_a([−∞..+∞]). A loss of precision is introduced, but this speeds up the computation of the fixpoint.

III. REFINEMENT

a) Motivation:
The abstract interpretation framework establishes a methodology, based on rigorous semantics, for constructing abstractions that over-approximate the behaviour of the program, so that every behaviour of the program is covered by a corresponding abstract execution. Thus, the abstract behaviour can be exhaustively checked for an invariant in temporal logic. Counterexample-guided refinement consists in approximating the set of states that lie on a path from an initial state to a bad state, and refining this set successively by forward or backward passes. This process is repeated until a fixpoint is reached. If the resulting set of states is empty, the property is proven. Otherwise, the method does not guarantee that the counterexample trace is genuine.
A. Preliminaries

Definition 3.1 (Cousot 77 [3]): Let S = (Q, Q_init, Σ, →) be a system representing the semantics of the program. The system S_A = (Q_A, Q_A^init, Σ, →_A) is an abstraction of S iff there exists a Galois connection α : P(Q) → P(Q_A), γ : P(Q_A) → P(Q) such that
• Q_init ⊆ γ(Q_A^init)
• ∀t ∈ Σ, ∀Q_A^i ⊆ Q_A : post[t →](γ(Q_A^i)) ⊆ γ(post[t →_A](Q_A^i))

Definition 3.2 (predicate abstraction, Graf & Saïdi 97):
a) Abstract state: Let Prog = (V, T = {t_1, ..., t_n}, Init) and φ_1, ..., φ_k be predicates over the variables of Prog. We define an abstraction S_A = (Q_A, Q_A^init, Σ, →_A) as follows:
• Q_A = B^k, the set of valuations of k boolean variables; any subset of Q_A can be represented by a boolean expression over the variables B_1, ..., B_k;
• S_A has the form Prog_A = (V_A, T_A = {t_A1, ..., t_An}, Init_A).
b) Abstract transition: an abstract transition t_A must satisfy the condition of the definition of an abstract program: for every transition t, post[t_A](P_B), where t_A is the abstract transition corresponding to t, has to represent all concrete states q′ which are successors by t of the concrete states q represented by P_B. We must show

      post[t](γ(P_B)) ⊆ γ(post[t_A](P_B)),

i.e. post[t](γ(P_B)) ⇒ γ(P′_B) with P′_B = post[t_A](P_B).

B. Algorithmic checking of refining
This model checking needs methodological and correctness conditions:

1) Methodological conditions:
• new actions and variables are introduced by the refinement;
• the variables of the refined system and of the abstract system must be linked by a "gluing" invariant.

2) Correctness conditions:
• simulation of the refined system by the abstract one;
• no cycle among the new actions;
• no new deadlock.

Fig. 1. Simulation with old actions
Fig. 2. Simulation with new actions

The check is an iterative computation of the simulation of the refined system TS′ by the abstract system TS (cf. Figures 1 and 2, where transition a is replaced by t). The algorithm terminates when the fixpoint is reached.

Theorem 3.2: Let TS′ refine TS, written ⊢ TS′ ⊆ TS (trace inclusion).
• If P is a property satisfied by TS and TS′ refines TS, then TS′ ⊨ P:

      TS ⊨ P,  ⊢ TS′ ⊆ TS
      ---------------------
             TS′ ⊨ P

• If P is a property satisfied by TS, TS′ refines TS and P′ is a reformulation of P over TS′, then TS′ ⊨ P′:

      TS ⊨ P,  ⊢ TS′ ⊆ TS
      ---------------------
             TS′ ⊨ P′

Definition 3.3: Let K, K′ be two systems (concrete and abstract respectively). We call false counterexample, or false negative, a universal property that is false in K′ but true in K. We say that the counterexample exhibited in K′ cannot be reproduced in K.
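Predicate abstraction (Definition 3.2), the abstract transitions satisfying post[t](γ(P_B)) ⊆ γ(post[t_A](P_B)), the false negatives of Definition 3.3 and the counterexample-guided refinement loop of the pseudo-algorithm that follows, as an added example written for this page (not the paper's code). The concrete program (two bounded integer variables x, y with transitions `inc` and `stay`), the bad-state predicates, the candidate predicates and the refinement heuristic (add the next candidate predicate) are all assumptions made for illustration; a real implementation would derive new predicates from the spurious path with a theorem prover, as the summary below describes.

```python
"""Predicate abstraction and counterexample-guided refinement over a small
constructed transition system.  Added example, not the paper's code.
Assumptions: concrete states are (x, y) pairs kept inside a finite box so
that post[t] can be enumerated; the program, the candidate predicates and
the refinement heuristic (take the next candidate) are chosen for
illustration only."""
from itertools import product

# Concrete system S = (Q, Q_init, Sigma, ->), constructed for the example.
BOUND = 6
Q = {(x, y) for x in range(BOUND) for y in range(BOUND)}
Q_INIT = {(0, 0)}
SIGMA = {                                # name -> (guard, update)
    "inc":  (lambda s: s[0] < 3,  lambda s: (s[0] + 1, s[1] + 1)),
    "stay": (lambda s: s[0] >= 3, lambda s: s),
}

def post(t, states):
    """post[t](S): concrete successors by t of the states in S (inside the box)."""
    guard, update = SIGMA[t]
    return {update(s) for s in states if guard(s) and update(s) in Q}

# Predicate abstraction: alpha maps a state to the valuation of
# phi_1..phi_k, i.e. an element of Q_A = B^k; gamma is its preimage.
def alpha(s, preds):
    return tuple(bool(p(s)) for p in preds)

def gamma(b, preds):
    return {s for s in Q if alpha(s, preds) == b}

def abstract_system(preds):
    """Q_A_init = alpha(Q_init) and, for each t, the abstract transition t_A
    obtained by existential abstraction of post[t] on every block gamma(b)."""
    q_a_init = {alpha(s, preds) for s in Q_INIT}
    trans = {(b, t): {alpha(s, preds) for s in post(t, gamma(b, preds))}
             for b in product((False, True), repeat=len(preds)) for t in SIGMA}
    return q_a_init, trans

def transition_sound(preds):
    """Condition of Definition 3.2: post[t](gamma(P_B)) ⊆ gamma(post[t_A](P_B))."""
    _, trans = abstract_system(preds)
    return all(post(t, gamma(b, preds))
               <= set().union(*(gamma(b2, preds) for b2 in succ))
               for (b, t), succ in trans.items())

def abstract_counterexample(preds, bad):
    """Breadth-first search in S_A for a path from Q_A_init to an abstract
    state whose concretisation meets Bad.  Returns [(b0, None), (b1, t1), ...]
    or None when no reachable abstract state is bad (property proven)."""
    q_a_init, trans = abstract_system(preds)
    queue, seen = [[(b, None)] for b in q_a_init], set(q_a_init)
    while queue:
        path = queue.pop(0)
        b = path[-1][0]
        if any(bad(s) for s in gamma(b, preds)):
            return path
        for t in SIGMA:
            for b2 in trans[(b, t)]:
                if b2 not in seen:
                    seen.add(b2)
                    queue.append(path + [(b2, t)])
    return None

def concretise(path, preds, bad):
    """Forward pass: replay the abstract path on sets of concrete states.
    An empty result means the counterexample is a false negative."""
    states = Q_INIT & gamma(path[0][0], preds)
    for b, t in path[1:]:
        states = post(t, states) & gamma(b, preds)
    return {s for s in states if bad(s)}

def cegar(bad, candidates):
    """Pseudo-algorithm of Section III: abstract, model-check, test the
    counterexample on the concrete system, refine, repeat."""
    preds, candidates = [], list(candidates)
    while True:
        path = abstract_counterexample(preds, bad)
        if path is None:
            return "safe", len(preds)                  # specification correct
        if concretise(path, preds, bad):
            return "unsafe", [t for _, t in path[1:]]  # genuine counterexample
        if not candidates:
            return "unknown", len(preds)
        preds.append(candidates.pop(0))                # refine the abstraction

CANDIDATES = [lambda s: s[0] >= 3,      # x >= 3
              lambda s: s[1] <= s[0],   # y <= x
              lambda s: s[0] >= 1,      # x >= 1
              lambda s: s[0] >= 2]      # x >= 2

if __name__ == "__main__":
    print(cegar(lambda s: s[1] > s[0], CANDIDATES))              # ('safe', 2)
    print(cegar(lambda s: s[0] >= 3 and s[1] >= 3, CANDIDATES))  # ('unsafe', ['inc', 'inc', 'inc'])
```

For the property "y > x is unreachable", the abstraction with no predicate and the one with only x ≥ 3 both produce an abstract initial state that meets Bad; replaying it on the concrete system gives the empty set, so both counterexamples are false negatives in the sense of Definition 3.3, and adding y ≤ x makes every reachable abstract state safe. For the property "x ≥ 3 ∧ y ≥ 3 is unreachable", which is false, the abstract path of one `inc` step from x < 3 to x ≥ 3 is spurious (the concrete system needs three steps and the abstraction collapses x = 0, 1, 2); only after x ≥ 1 and x ≥ 2 are added does the abstract path concretise to (0,0) → (1,1) → (2,2) → (3,3), a genuine trace.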
a) Corollary: If K′ is too small, a false negative is very likely to appear; if K′ is too large, the check is not feasible. Refinement guided by counterexamples is thus a natural approach to this problem, using an adaptive algorithm which gradually builds the abstraction function by analysing the false negatives:

b) Pseudo-algorithm:
1. Initialisation: generate a first abstraction function.
2. Model checking: check the abstract model.
   If the check succeeds, the specification is correct and the algorithm terminates.
   Otherwise, generate a counterexample from the abstract model and verify whether it is a false negative:
   if the counterexample can be reproduced on the concrete system, it is genuine and the algorithm terminates;
   else refine the abstraction function so that this false negative is avoided, and go to step 2.

IV. SUMMARY
It is thus a question of starting by computing an approximation of a path which leads from an initial state to a bad state. Then a refinement, forward or backward, is carried out, and this process is repeated until a fixpoint is met. If the resulting set of states is empty, the property is proven, since no bad state is reachable; otherwise nothing guarantees the validity of the counterexample, which may be distorted by the coarse approximation. Heuristics are employed to determine the subset of states reachable from the initial states. If a concrete path matching the counterexample is found, it is a genuine error which can be reported as a bug; otherwise it is a false alarm (a false negative in the sense of Definition 3.3).

Predicate abstraction: program checking by abstraction over closed predicates is a technique of program verification by abstract interpretation where the abstract domain is composed of the set of guards relating to the states and the transitions of the system. This domain can be generated automatically and checked by a theorem prover. Since the set of predicates is always finite, it can be encoded by a vector of Booleans, which makes it possible to use the model checker for the fixpoint computations. If the domain is very large, one can use a chaotic iteration and a widening, if necessary, to speed up convergence. Termination and reachability are decidable in this case. The one limitation of this verification technique by predicate abstraction is that the refinement processes, which essentially consist in computing the weakest invariant, are extremely slow. This obliges the users to supply at least the atomic predicates necessary for the proof, so that this human intervention must be repeated for different programs even if they are very similar.

Fig. 3. Example of predicate abstraction
Fig. 4. Abstraction too coarse

V. CONCLUSION AND FUTURE WORK
It has been shown that static checkers can cover a large number of potential faults, but their automatic usage is still far from realistic. However, as a verification step prior to testing or code review, static checkers can already enhance the software development process today. Several techniques, like AltaRica, B or CSP2B, were proposed to specify and check reactive systems using hierarchical development by refinement. In this case, the system design is realised gradually by enriching the design at each step of the specification, from a very abstract view of the system down to its implementation. For us, a system implements (refines) another system if all the execution traces of the more detailed system are also traces of the more abstract one (modulo the introduction of details during refinement). The checking of the system will thus use refinement to model the initial system more precisely whenever the model checker provides an erroneous result as a consequence of a coarse approximation at the time of abstraction.

Fig. 5. Example of refinement

REFERENCES

[1] André Arnold, Gérald Point, Alain Griffault, Antoine Rauzy: The AltaRica formalism for describing concurrent systems. Fundamenta Informaticae, vol. 40, issue 2-3, IOS Press, Nov. 1999.
[2] Edmund Clarke: Counterexample-guided abstraction refinement. In 10th International Symposium on Temporal Representation and Reasoning and 4th International Conference on Temporal Logic (TIME 2003), 2003.
[3] P. Cousot, R. Cousot: Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. POPL 1977, ACM SIGACT-SIGPLAN, pp. 238-252.
[4] T. Kanamori, T. Kawamura: Analysing success patterns of logic programs by abstract hybrid interpretation. Technical report, ICOT, 1987.
[5] B. Le Charlier, K. Musumbu, P. Van Hentenryck: A generic abstract interpretation algorithm and its complexity analysis. In Proc. ICLP 91, June 1991.
[6] D. Knuth: Semantics of context-free languages. Math. Systems Theory 2 (1968), pp. 127-145.
    5th ICLP-SLP 88; tutorial No
[7] T. Henzinger, R. Jhala, R. Majumdar, G. Sutre: Lazy abstraction. Technical report, University of California and LaBRI, 2002.
[8] David Déharbe: Interprétation abstraite: introduction et applications à l'analyse statique et la vérification de modèles. Technical report, LORIA, 2002.
[9] T. Ball, A. Podelski, S. Rajamani