Quantitative Abstraction Refinement
Pavol Černý, IST Austria
joint work with Thomas Henzinger, Arjun Radhakrishna
Haifa, Israel November 2012
Quantitative analysis of programs

Quantitative requirements:
• Resource consumption (energy usage)
• Worst-case execution time, timeliness of response

Application domains:
• (Embedded) software
• (Partial-)program synthesis
Quantitative analysis: Application to partial-program synthesis

Spec: Mutual exclusion on device.

Partial program (the lock placement is left to the synthesizer):

    int buf[4];
    while (true) {
      buf = getBuffer();
      i = 0;
      while (i < 4) {
        dr = setTransf(buf, i);
        write(device, dr);
        i++;
      }
    }

1st correct solution: "Lock inside the loop"

    int buf[4];
    while (true) {
      buf = getBuffer();
      i = 0;
      while (i < 4) {
        dr = setTransf(buf, i);
        lock(lock);
        write(device, dr);
        unlock(lock);
        i++;
      }
    }

2nd correct solution: "Lock outside the loop"

    int buf[4];
    while (true) {
      buf = getBuffer();
      i = 0;
      lock(lock);
      while (i < 4) {
        dr = setTransf(buf, i);
        write(device, dr);
        i++;
      }
      unlock(lock);
    }

Both solutions satisfy the Boolean spec; choosing between them needs a quantitative objective (e.g. number of lock operations versus time the device is held).
Example: Cache behavior for worst-case execution time

    a, b, c, i, v : int;
    input v;
    if (v == 1)
      for (i = 0; i < 16; i++) read(a);
    else if (v == 2)
      for (i = 0; i < 16; i++) if (i mod 2 = 0) read(b);
    else
      for (i = 0; i < 16; i++) if (i mod 4 = 0) read(c);

• No cache: the worst-case execution is for v == 1 (16 reads of a)
• Cache already contains the address of a: the worst-case execution is for v == 2 (the 8 reads of b miss)
• Cache also contains the address of b: the worst-case execution is for all other values of v (the 4 reads of c miss)
• Cost model: cache hit < cache miss
• The abstraction keeps a cache of limited size
Abstraction

Boolean case: safety.
What if the abstract system is too coarse? Answer: abstraction refinement.

Questions for this talk:
• How do we perform abstraction with respect to quantitative objectives?
• How do we perform abstraction refinement with respect to quantitative objectives?

Based on: Černý, Henzinger, Radhakrishna. Quantitative abstraction refinement. POPL 2013.
Outline
• Quantitative abstractions
  – State-based abstractions: abstract state = set of states + numbers
  – Segment-based abstractions: abstract state = set of segments + numbers
• Abstraction refinement
Model of systems

Weighted transition systems (WTS): $S = (Q, \Sigma, \Delta, \delta, q_0)$, where $\Delta \subseteq Q \times Q$ and $\delta : \Delta \to \mathbb{R}$.

A trace is a sequence $q_0 q_1 q_2 \ldots$ with $(q_i, q_{i+1}) \in \Delta$ for all $i$.

$\delta$ extends to traces: $\delta(q_0 q_1 q_2 \ldots) = r_0 r_1 \ldots$, where $\delta(q_i, q_{i+1}) = r_i$.

[Figure: running example, a WTS whose edges carry the weights 3, 10, 2, 3, 1, 1, 1, 1, 1, 1, 1]
Properties

A quantitative property $f$ is a function from WTSs $S$ to $\mathbb{R}$, built from two parts:
• $f_1 : \mathbb{R}^\omega \to \mathbb{R}$ evaluates a trace;
• $f_2 : 2^{\mathbb{R}} \to \mathbb{R}$ summarizes the values $f_1$ of all traces;
• $f(S) = f_2(\{ f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \})$.

Limit-average objective:
• $f_1(r_0 r_1 \ldots) = \liminf_{i \to \infty} \frac{1}{i} \sum_{k=0}^{i-1} r_k$
• $f_2(U) = \sup U$
• On the running example: $f(S) = 3$.
Discounted-sum objective (for a discount factor $\lambda$):
• $f_1(r) = \sum_{k=0}^{\infty} \lambda^k r_k$
• $f_2(U) = \sup U$
• $f(S) = f_2(\{ f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \})$
Safety objective:
• $f_1(r) = \sup_i r_i$
• $f_2(U) = \sup U$
• $f(S) = f_2(\{ f_1(r) \mid \exists \text{trace}: \delta(\text{trace}) = r \})$
• With 0/1 weights, $f(S) = 1$ exactly when some weight-1 edge lies on a trace.

[Figure: a WTS whose edges carry the weights 0, 0, 0, 0, 1, 0, 1, 0, 0, 0]
Properties: we consider properties that admit memoryless extremal traces.
Abstraction for quantitative (accumulative) properties

Given a quantitative property $f$, construct an abstraction function $\alpha$ and an abstract property $f^\alpha$ such that, for all $S$ and for all equivalence relations $\equiv$ on states,

$$ f^\alpha(\alpha(S, \equiv)) \geq f(S), $$

where $\alpha(S, \equiv)$ is a WTS whose set of states is the set of equivalence classes of $\equiv$.
ExistsMax abstraction

Existential abstraction: the weight of an abstract edge = the max of the corresponding concrete edges.

On the running example, with the lim-avg objective $f$: $f(S) = 3$, but $f_{em}(S_{em}) = 10$.
Refinement of ExistsMax

After splitting one abstract state of the running example, with the lim-avg objective $f$: $f(S) = 3$, $f_{em}(S_{em}) = 16/3$.
PathBound abstraction

Idea: for more precision, keep facts about paths, not states.
Boolean case: segment-based abstraction [Cousot, Cousot 12; Podelski, Rybalchenko 04].

Each abstract state (a set of concrete states) is annotated with:
• val = the max value of an internal edge
• maxp = the longest internal simple path
• minp = the shortest internal simple path
• loop/noloop = whether there is an internal loop

On the running example the two abstract states are annotated
• val = 10, maxp = 2, minp = 2, noloop
• val = 1, maxp = 4, minp = 3, noloop
and joined by abstract edges of weight 3. With the lim-avg objective $f$: $f(S) = 3$, and
$f_{pb}(S_{pb}) = (10 \cdot 2 + 3 + 1 \cdot 3 + 3)/(1 + 2 + 3 + 1) = 29/7 \approx 4.1$
(the worst abstract cycle takes the longest path through the expensive state and the shortest path through the cheap one).
Monotonicity of refinement

If $\approx$ is a refinement of $\equiv$, it is desirable that

$$ f^\alpha(\alpha(S, \equiv)) \geq f^\alpha(\alpha(S, \approx)). $$

Monotonicity enables anytime verification: the analysis can be stopped at any time and return a sound approximation, and the approximation gets better if the analysis is given more time.
Characteristics of abstractions

• ExistsMax is an overapproximation: $f_{em}(\alpha_{em}(S, \equiv)) \geq f(S)$, where $f$ is LimAvg, DiscSum, Safety, Liveness, etc.
• ExistsMax is monotonic: if $\approx$ is a refinement of $\equiv$, then $f_{em}(\alpha_{em}(S, \equiv)) \geq f_{em}(\alpha_{em}(S, \approx))$.
• PathBound is an overapproximation.
• PathBound is not monotonic.
Characteristics of abstractions: PathBound is not monotonic (counterexample)

Concrete system S (edge weights 10 and 4), lim-avg objective $f$: $f(S) = 48/6 = 8$, i.e. the worst concrete cycle has four weight-10 edges and two weight-4 edges.

Abstract system 1: one abstract state contains the weight-10 edges (val = 10, maxp = 4) and the two weight-4 edges connect it to the rest:
$f_{pb}(S_{pb}) = (10 \cdot 4 + 4 + 4)/(4 + 1 + 1) = 8$.

Abstract system 2 (a refinement of abstract system 1): the large abstract state is split into two abstract states with maxp = 3 each, joined by a weight-10 abstract edge:
$f_{pb}(S_{pb}) = (10 \cdot 3 + 10 \cdot 3 + 10 + 4 + 4)/(3 + 3 + 1 + 1 + 1) = 78/9 > 8$.

The refinement admits an abstract path through the expensive states that is longer than any concrete one, so the bound got worse.

Proposed solution: introduce a hierarchical abstraction so as not to lose the previous estimates.
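The ExistsMax and PathBound constructions above, as an added example that is not part of the slides or of the authors' tool. It represents a WTS as a dict of weighted edges, evaluates the lim-avg objective by Karp's max-mean-cycle characterisation (the same algorithm that appears as a benchmark in the experiments later on), builds ExistsMax for a partition, and builds PathBound with the (val, maxp, minp, loop) facts per block. All names (`lim_avg`, `exists_max`, `path_bound_value`, `S`, `COARSE`, `FINER`, `FINEST`) are this example's own, and the concrete system and partitions are constructed here rather than taken from the slides' figures, so the numbers differ from the page: f(S) = 8; ExistsMax gives 10, 10 and 8 on the three partitions (refinement never makes it worse), while PathBound gives 8 on COARSE but 58/7 on its refinement FINER, the same non-monotonicity the slide shows with 78/9 > 8, and 8 again on FINEST.

```python
"""Lim-avg values of a WTS under the ExistsMax and PathBound abstractions.
Added example, not code from the slides or the authors' tool: the system S and
the partitions are constructed for illustration, so the numbers differ from
those on the page."""
from fractions import Fraction

def max_mean_cycle(nodes, unit_edges):
    """Max cost/length over cycles of unit-length edges (u, v, cost), by Karp's
    characterisation (max variant): D[k][v] = best k-edge walk ending in v,
    starting anywhere; result = max_v min_k (D[n][v] - D[k][v]) / (n - k)."""
    idx, n = {v: i for i, v in enumerate(nodes)}, len(nodes)
    D = [[Fraction(0)] * n] + [[None] * n for _ in range(n)]
    for k in range(1, n + 1):
        for u, v, c in unit_edges:
            if D[k - 1][idx[u]] is not None:
                cand = D[k - 1][idx[u]] + c
                if D[k][idx[v]] is None or cand > D[k][idx[v]]:
                    D[k][idx[v]] = cand
    best = None
    for v in range(n):
        if D[n][v] is not None:
            m = min((D[n][v] - D[k][v]) / (n - k) for k in range(n) if D[k][v] is not None)
            best = m if best is None or m > best else best
    return best

def max_ratio_cycle(edges):
    """Max sum(cost)/sum(length) over cycles, edges = (u, v, cost, length >= 1):
    each edge is split into `length` unit edges of cost/length, then Karp applies."""
    unit, nodes, fresh = [], [], 0
    for u, v, c, L in edges:
        chain = [u] + [("mid", fresh + i) for i in range(L - 1)] + [v]
        fresh += L - 1
        unit += [(a, b, Fraction(c, L)) for a, b in zip(chain, chain[1:])]
        nodes += chain
    return max_mean_cycle(list(dict.fromkeys(nodes)), unit)

def lim_avg(weights):
    """f(S) for the lim-avg objective: the maximum mean cycle of the WTS."""
    return max_ratio_cycle([(u, v, w, 1) for (u, v), w in weights.items()])

def exists_max(weights, partition):
    """ExistsMax: one abstract state per block; an abstract edge carries the max
    weight of the concrete edges it covers (internal edges become self-loops)."""
    block = {s: i for i, b in enumerate(partition) for s in b}
    abs_w = {}
    for (u, v), w in weights.items():
        abs_w[block[u], block[v]] = max(w, abs_w.get((block[u], block[v]), w))
    return abs_w

def _simple_paths(adj, src, dst, seen):
    """Lengths of all simple paths src -> dst over a block's internal edges."""
    if src == dst:
        yield 0
    for nxt in adj.get(src, ()):
        if nxt not in seen:
            for rest in _simple_paths(adj, nxt, dst, seen | {nxt}):
                yield rest + 1

def path_bound(weights, partition):
    """PathBound facts per block, (val, maxp, minp, loop), plus the abstract edges."""
    block = {s: i for i, b in enumerate(partition) for s in b}
    facts = []
    for i, b in enumerate(partition):
        adj, val = {}, 0
        for (u, v), w in weights.items():
            if block[u] == i and block[v] == i:
                adj.setdefault(u, []).append(v)
                val = max(val, w)  # val = max weight of an internal edge
        entries = {v for u, v in weights if block[v] == i and block[u] != i}
        exits = {u for u, v in weights if block[u] == i and block[v] != i}
        lens = [n for e in entries for x in exits for n in _simple_paths(adj, e, x, {e})] or [0]
        loop = any(n > 0 for s in b for n in _simple_paths(adj, s, s, set()))
        facts.append((val, max(lens), min(lens), loop))
    abs_w = {k: w for k, w in exists_max(weights, partition).items() if k[0] != k[1]}
    return facts, abs_w

def path_bound_value(weights, partition):
    """f_pb: a worst abstract cycle crosses block i on a path of length minp or
    maxp at cost val per step, and may stay forever in a block with a loop."""
    facts, abs_w = path_bound(weights, partition)
    edges = [(i, j, facts[i][0] * L + w, L + 1)
             for (i, j), w in abs_w.items() for L in {facts[i][1], facts[i][2]}]
    edges += [(i, i, val, 1) for i, (val, _, _, loop) in enumerate(facts) if loop]
    return max_ratio_cycle(edges)

# Constructed concrete system: two 4-edge branches of weight 10 from x to y,
# then y -> z -> x with weight 4; every cycle has lim-avg (40 + 8) / 6 = 8.
S = {("x", "p1"): 10, ("p1", "p2"): 10, ("p2", "p3"): 10, ("p3", "y"): 10,
     ("x", "q1"): 10, ("q1", "q2"): 10, ("q2", "q3"): 10, ("q3", "y"): 10,
     ("y", "z"): 4, ("z", "x"): 4}
COARSE = [{"x", "p1", "p2", "p3", "q1", "q2", "q3", "y"}, {"z"}]
FINER = [{"x", "p1", "p2", "q1", "q2", "q3"}, {"p3", "y"}, {"z"}]       # refines COARSE
FINEST = [{"x"}, {"p1", "q1"}, {"p2", "q2"}, {"p3", "q3"}, {"y"}, {"z"}]  # refines COARSE

def summary():
    """f(S) and both abstract values on the three partitions (exact Fractions)."""
    parts = (COARSE, FINER, FINEST)
    return {"f(S)": lim_avg(S),
            "ExistsMax": [lim_avg(exists_max(S, p)) for p in parts],
            "PathBound": [path_bound_value(S, p) for p in parts]}

if __name__ == "__main__":
    print(summary())
```

Running the module prints the summary; every value is an exact `Fraction`, so the comparison 58/7 > 8 is not a rounding artefact. The simple-path enumeration inside a block is exponential in the block size, which is fine for illustrating the definitions but not how a tool would compute maxp on real control-flow graphs.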
Hierarchical segment-based abstraction [Cousot, Cousot 2012]
• suitable for software with hierarchical structure: nested loops, function calls
• the abstraction is a tree of nodes, e.g. a root "All traces" with children init, Loop1, Loop2, Loop3
• the concatenated segments of the children nodes cover the segments of the parent node
Hierarchical segment-based abstraction: example program

    while (true) {
      j = 0;
      while (j < 10) {
        if B then costlyOp;
        B = not B;
        j++
      };
      while (j < 20) {
        cheapOp;
        j++
      }
    }

Cost: costlyOp = 10, everything else = 0.
Overall cost (lim-avg): 5 * 10 / 79, since each outer iteration runs costlyOp in 5 of the 10 inner iterations and takes 79 transitions in total.

Control-flow graph, with nodes labelled A..J and edges [true]; j = 0; [j < 10]; [B] / [not B]; costlyOp; B = not B; j++; [j >= 10]; [j < 20]; cheapOp; j++; [j >= 20].

HPathBound annotates each node of the hierarchy with <avg, maxp, minp, hasInfPath> (values as read from the slide):
• All traces: <10/5, _, 4, T>
  – segment ABC: <0, 2, 2, F>; Loop1: <10/5, _, 0, T>; segments CH and HA: <0, 1, 1, F>; Loop2: <0, _, 0, T>
  – Loop1 segments CDEFGC and CDFGC: <10/5, 5, 4, F>
  – Loop2 segment HIJH: <0, 2, 2, F>
Abstraction refinement for ExistsMax

Input: abstract system S_em, concrete system S.
Output: refined system X, or a counterexample t_ecx.

    ecx ← findMaxCtrex(S_em)
    (handle, loop) ← findLoop(ecx)
    (R0, X) ← reachHandle(handle, S)
    if R0 = ∅ then
      return X
    else
      loopPath ← unwind(loop, m)
      (b, t_ecx, X) ← splitQuant(S_em, loopPath, R0)
      if b then return t_ecx else return X
    endif

The extremal abstract counterexample is a lasso, a "handle" followed by a "loop", and two questions decide whether it is spurious:
• Does "handle" correspond to a real path? If the concrete states R0 reached along it are empty, the refined system X is returned.
• Does "loop" correspond to a concrete loop with the same cost? The loop needs to be unrolled $1 + \min_j |l_j|$ times, where $|l_j|$ is the size of an abstract state in the loop; splitQuant then either confirms the counterexample or refines.

[Figure: lasso-shaped abstract counterexample, handle followed by loop, with edge weights 2, 3, 1, 4, 5, 3, 3, 3, 2, 10]

Classical CEGAR involves two heuristics: the choice of counterexample and the choice of refinement.
Quantitative refinement: take the extremal counterexample, and split where the difference between the abstract and the concrete transition is largest.
Hierarchical segment abstraction refinement

Starting from the HPathBound annotations above (All traces: <10/5, _, 4, T>), the extremal counterexample is the trace (CDEFG)^ω: staying in Loop1 and running costlyOp on every iteration. Two ways to remove it:

• Adding the predicate B prevents every iteration from going through costlyOp. Loop1 now has the segments CDEFGC <10/5, 5, 5, F> and CDFGC <0, 4, 4, F>, which must alternate, and the annotations become Loop1 <10/9, _, 0, T> and All traces <10/9, _, 4, T>.

• Adding loop bounds (tracking the transition relation j' = j + 1) forces the trace out of Loop1. Loop1 becomes <10/5, 50, 40, T> and All traces <100/54, _, 4, T>.
Experimental results

Example: worst-case execution time analysis (the cache example from above)

    a, b, c, i, v : int;
    input v;
    if (v == 1)
      for (i = 0; i < 16; i++) read(a);
    else if (v == 2)
      for (i = 0; i < 16; i++) if (i mod 2 = 0) read(b);
    else
      for (i = 0; i < 16; i++) if (i mod 4 = 0) read(c);

    step  tracked  lim-avg value  analysis time
    0     -        14.14          1240
    1     i         6.50          2102
    2     a         4.87          2675
    3     b         4.75          3275
    4     c         1.27          3864
    5     v         1.03          4631
Example: binary search, worst-case execution time analysis

    while (true) {
      input(s);
      l = 0; r = N - 1;
      do {
        m = (l + r) / 2;
        if (s > a[m]) l = m + 1; else r = m - 1;
      } while (l <= r && a[m] != s);
    }

    step  tracked         lim-avg value  analysis time
    0     -               15.77          908
    1     m               11.15          1130
    2     r                8.23          1369
    3     l                5.0           1707
    4     s                3.76          1895
    5     a[(N - 1)/2]     3.0           2211
    6     a[(N - 3)/4]     2.97          2527
    7     a[(3N - 1)/4]    2.85          3071
ExistsMax vs PathBound (on the Karp's algorithm example below)

    partition size  ExistsMax lim-avg value  PathBound lim-avg value
    2               25                       24.99
    3               25                       23.82
    5               25                       17.31
    9               25                        4.43
Example: Karp's algorithm for finding the min-mean cycle (as written here the updates keep the larger value, so this variant computes the max-mean cycle). Declarations and an initialize that zero-fills D were not on the slide and are added so that the program compiles:

    #include <stdio.h>
    #include <string.h>

    #define SIZE 4

    unsigned int graph[SIZE][SIZE];
    unsigned int D[SIZE + 1][SIZE];

    /* Not shown on the slide; assumed to zero-fill the table. */
    static void initialize(unsigned int d[SIZE + 1][SIZE]) {
      memset(d, 0, sizeof(unsigned int) * (SIZE + 1) * SIZE);
    }

    int main(void) {
      unsigned int k, v, u, vNum, vDen, currNum, currDen;
      initialize(D);
      D[0][0] = 0;
      /* D[k][u] = best walk of exactly k edges ending in u */
      for (k = 1; k <= SIZE; k++) {
        for (v = 0; v < SIZE; v++) {
          for (u = 0; u < SIZE; u++) {
            if (D[k][u] < D[k - 1][v] + graph[u][v])
              D[k][u] = D[k - 1][v] + graph[u][v];
          }
        }
      }
      /* max over v of min over k of (D[SIZE][v] - D[k][v]) / (SIZE - k),
         kept as a fraction vNum/vDen to avoid division */
      vNum = 0; vDen = 1;
      for (v = 0; v < SIZE; v++) {
        currNum = 1000000000; currDen = 1;
        for (k = 0; k < SIZE; k++) {
          if ((D[SIZE][v] - D[k][v]) * currDen < (SIZE - k) * currNum) {
            currNum = D[SIZE][v] - D[k][v];
            currDen = SIZE - k;
          }
        }
        if (currNum * vDen > currDen * vNum) { vNum = currNum; vDen = currDen; }
      }
      printf("mean cycle value: %u/%u\n", vNum, vDen);
      return 0;
    }
Conclusion

Contributions:
• Framework for abstractions for quantitative (accumulative) properties
• State-based and segment-based abstractions
• Counterexample-guided abstraction refinement algorithm
• Hierarchical segment-based abstraction and refinement

Future work:
• Quantitative reasoning for CEGAR in Boolean systems
• Application to partial-program synthesis