Counterexample-guided Abstraction Refinement
(with Lazy Abstraction)
Hongping Tao, January 25
Outlines
Part 1. Counterexample-guided Abstraction Refinement
· 1.1 Introduction
· 1.2 Generate Abstraction
· 1.3 Model-check Abstraction
· 1.4 Refine Abstraction
Part 2. Lazy Abstraction
· 2.1 Concept and Principle
· 2.2 Algorithm Implementation
· 2.3 Model Checking with BLAST
Section 1.1: Introduction
Model Abstraction
· Reduce the state-space by merging states into equivalent abstract states.
· Avoid wasting state-space on uninteresting states.
Constraint: Ensure red occurs infinitely often in every path.
Example Spurious Counterexample
AG AF red
· For every state, for every path leading from that state, red must eventually be asserted.
<red, go, go, go, ……>
· This infinite trace invalidates the specification.
Abstract Model Refinement Overview
Section 1.2: Generate Abstraction
Generate Abstraction
· Partition formulas into formula clusters, $FC_i$.
· The equivalence class of an atomic formula $f$ is called the formula cluster, denoted by $[f]$.
· Partition states into equivalence classes.
· States are equivalent if they are indistinguishable w.r.t. their $FC_i$.
· Generate an abstraction function for each equivalence class.
$\mathrm{var}(f_1) \cap \mathrm{var}(f_2) \neq \emptyset$ implies that $[f_1] = [f_2]$.
Example Abstraction
Consider program P with three variables, $x, y \in \{0, 1, 2\}$ and $reset \in \{TRUE, FALSE\}$.
The set of atomic formulas is
$\{(reset = TRUE),\ (x = y),\ (x < y),\ (y = 2)\}.$
Example Abstraction (cont.1)
There are two formula clusters,
$FC_1 = \{(x = y), (x < y), (y = 2)\}$ and $FC_2 = \{(reset = TRUE)\}.$
There are five equivalence classes w.r.t. $FC_1$ (each class becomes one abstract value 0, 1, 2, 3, 4):
$EC_1 = \{(0,0), (1,1)\}$ (abstract value 0)
$EC_2 = \{(0,1)\}$ (abstract value 1)
$EC_3 = \{(0,2), (1,2)\}$ (abstract value 2)
$EC_4 = \{(1,0), (2,0), (2,1)\}$ (abstract value 3)
$EC_5 = \{(2,2)\}$ (abstract value 4)
Example Abstraction (cont.2)
Therefore, we define two abstraction functions,
$h_1 : \{0, 1, 2\}^2 \to \{0, 1, 2, 3, 4\}$ and $h_2 : \{TRUE, FALSE\} \to \{TRUE, FALSE\}$:
$h_1(0,0) = h_1(1,1) = 0,\quad h_1(0,1) = 1,\quad h_1(0,2) = h_1(1,2) = 2,$
$h_1(1,0) = h_1(2,0) = h_1(2,1) = 3,\quad h_1(2,2) = 4,$
$h_2(reset) = reset.$
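The following Python is added here and is not from the slides: it derives the two formula clusters and the abstraction function $h_1$ of this example mechanically. Formulas are clustered by shared variables, and concrete states with identical truth values for a cluster's formulas are merged into one abstract value, numbered 0, 1, ... in order of first appearance (so for the reset cluster the two classes are numbered 0 and 1 where the slide keeps TRUE/FALSE).

```python
from itertools import product

# Atomic formulas of the slides' example program P: a predicate over a (partial)
# state dictionary together with its variable set var(f).
ATOMS = {
    "reset=TRUE": (lambda s: s["reset"] is True, {"reset"}),
    "x=y":        (lambda s: s["x"] == s["y"],   {"x", "y"}),
    "x<y":        (lambda s: s["x"] < s["y"],    {"x", "y"}),
    "y=2":        (lambda s: s["y"] == 2,        {"y"}),
}
DOMAINS = {"x": [0, 1, 2], "y": [0, 1, 2], "reset": [True, False]}

def formula_clusters(atoms):
    """Merge formulas transitively while var(f1) ∩ var(f2) ≠ ∅ -> the clusters FC_i."""
    clusters = [({name}, set(vs)) for name, (_, vs) in atoms.items()]
    merged = True
    while merged:
        merged = False
        for i, (fs_i, vs_i) in enumerate(clusters):
            for j in range(i + 1, len(clusters)):
                fs_j, vs_j = clusters[j]
                if vs_i & vs_j:          # shared variable: same cluster
                    fs_i |= fs_j
                    vs_i |= vs_j
                    del clusters[j]
                    merged = True
                    break
            if merged:
                break
    return [(sorted(fs), sorted(vs)) for fs, vs in clusters]

def abstraction_function(atoms, cluster, domains):
    """h_i for one cluster: concrete value(s) -> abstract value. States with the same
    truth values for the cluster's formulas form one class, numbered 0, 1, ... in order."""
    names, variables = cluster
    h, class_of = {}, {}
    for values in product(*(domains[v] for v in variables)):
        state = dict(zip(variables, values))
        signature = tuple(atoms[n][0](state) for n in names)
        key = values if len(values) > 1 else values[0]   # (x, y) or a single value
        h[key] = class_of.setdefault(signature, len(class_of))
    return h

def equivalence_classes(h):
    """Invert h: abstract value -> sorted list of the concrete values it merges (EC_i)."""
    classes = {}
    for concrete, abstract in h.items():
        classes.setdefault(abstract, []).append(concrete)
    return {a: sorted(cs) for a, cs in classes.items()}
```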
Section 1.3: Model-check Abstraction
Abstract Kripke Structure
$\hat{M} = (\hat{S}, \hat{I}, \hat{R}, \hat{L})$
1. $\hat{S}$ is the abstract domain $\hat{D}$
2. $\hat{I}(\hat{d})$ iff $\exists d\,(h(d) = \hat{d} \wedge I(d))$
3. $\hat{R}(\hat{d}_1, \hat{d}_2)$ iff $\exists d_1 \exists d_2\,(h(d_1) = \hat{d}_1 \wedge h(d_2) = \hat{d}_2 \wedge R(d_1, d_2))$
4. $\hat{L}(\hat{d}) = \bigcup_{h(d) = \hat{d}} L(d)$
Spurious Counterexample
· A counterexample found in the abstracted design that is not present in the concrete design.
· Almost always one of two types: spurious paths and spurious loops.
· Detected by finding no valid matching counterexample in the original concrete design.
Spurious Path
$S_1 := h^{-1}(\hat{s}_1) \cap I.$
$S_i := \mathrm{Img}(S_{i-1}, R) \cap h^{-1}(\hat{s}_i), \quad 1 < i \le n.$
Spurious Path (cont.)
$D = \{1, \dots, 12\}$
$h : x \in D \to \lfloor (x - 1) / 3 \rfloor + 1$
counterexample: $\hat{T} = \langle \hat{1}, \hat{2}, \hat{3}, \hat{4} \rangle$
Legend: arrow: transition in the concrete design; small dot: non-reachable state.
Spurious Loops Counterexample
Section 1.4: Refine Abstraction
Refine the Abstraction
· Modify the equivalence classes to separate the spurious transition(s) from the abstracted state.
· Need to discover which state(s) in the abstracted state cause the spurious transition.
· Ideally, we want to obtain the coarsest refinement which eliminates the counterexample.
Refining Out a Spurious Path
Partition $h^{-1}(\hat{s}_i)$ into three subsets $S_{i,0}, S_{i,1}, S_{i,x}$:
$S_{3,0} = \{9\},\quad S_{3,1} = \{7\},\quad S_{3,x} = \{8\}.$
Refining Out a Spurious Path (cont.)
· In order to refine the abstraction $h$ such that the new model does not allow the spurious counterexample, we need a refined abstraction function which separates $S_{i,0}$ and $S_{i,1}$.
· Since $S_{i,1}$ is not empty, there is a spurious transition $\hat{s}_i \to \hat{s}_{i+1}$. This causes the spurious counterexample $\hat{T}$.
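The following Python is added here and is not from the slides or the cited paper: it implements the $S_i$ computation from the Spurious Path slide and the $S_{i,0}, S_{i,1}, S_{i,x}$ partition above on the 12-state example. The initial set and transition relation are constructed (the slides show them only as a figure) so that the abstract path <1, 2, 3, 4> fails at $i = 3$ with $S_{3,0} = \{9\}$, $S_{3,1} = \{7\}$, $S_{3,x} = \{8\}$, as on the slides.

```python
# Constructed 12-state concrete design for the slides' example: D = {1,...,12} and
# h(x) = floor((x-1)/3) + 1 merges {1,2,3}, {4,5,6}, {7,8,9}, {10,11,12} into 1..4.
# INIT (I) and TRANS (R) are assumptions chosen so that <1,2,3,4> is spurious at i = 3.
D = range(1, 13)
INIT = {1}                                                  # I
TRANS = {(1, 4), (1, 5), (4, 9), (5, 9), (7, 10), (9, 6)}   # R (constructed)

def h(x):
    """Abstraction function from the slides."""
    return (x - 1) // 3 + 1

def h_inv(abstract):
    """h^-1(s): the concrete states merged into one abstract state."""
    return {x for x in D if h(x) == abstract}

def img(states, R):
    """Img(S, R): successors of S under the transition relation R."""
    return {t for (s, t) in R if s in states}

def simulate(path, I, R):
    """Follow the abstract counterexample <s_1..s_n> in the concrete design:
    S_1 = h^-1(s_1) ∩ I,  S_i = Img(S_{i-1}, R) ∩ h^-1(s_i).  Returns [S_1..S_n]."""
    S = [h_inv(path[0]) & I]
    for abstract in path[1:]:
        S.append(img(S[-1], R) & h_inv(abstract))
    return S

def failure_index(S):
    """Largest i (1-based) with S_i non-empty, or None when every S_i is non-empty,
    i.e. the abstract counterexample has a concrete counterpart and is real."""
    for i, states in enumerate(S, start=1):
        if not states:
            return i - 1
    return None

def partition(S, path, i, R):
    """Split h^-1(s_i) at the failure index i into dead-end states S_{i,0} (reachable,
    no transition onward), bad states S_{i,1} (unreachable, but with a transition into
    h^-1(s_{i+1})) and irrelevant states S_{i,x}. A refinement must place S_{i,0} and
    S_{i,1} in different abstract states to remove the spurious transition s_i -> s_{i+1}."""
    current, nxt = h_inv(path[i - 1]), h_inv(path[i])   # path is 0-based
    dead_end = S[i - 1]
    bad = {s for s in current - dead_end if img({s}, R) & nxt}
    return dead_end, bad, current - dead_end - bad
```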
Section 2.1: Concept and Principle
Abstraction
state ↔ region
· A set of states is abstracted as a region, which is represented as a square.
Lazy Abstraction
To integrate and optimize the three phases of the abstract-check-refine loop. Two principles:
· On-the-fly Abstraction
· On-demand Refinement
BLAST
Berkeley Lazy Abstraction Software Verification Tool, developed at the University of California, Berkeley.
On-the-fly Abstraction
· Some abstracted regions may never be visited.
· Abstract a region only when it is needed in the next step of checking. The abstraction task is driven by the checking process.
On-demand Refinement
· Re-use the partial answer that has already been obtained.
· Refinement is applied starting from the pivot state.
· Pivot state: the earliest state at which the abstract counterexample fails to have a concrete counterpart.
Section 2.2: Algorithm Implementation
Implementation
How does lazy abstraction work on C programs?
Translate the program into a control flow automaton.
Verification process:
· Forward search: is an error state reachable?
· Backward counterexample analysis: is the error real or not?
Example C Program
Control Flow Automaton
· Variables: the local and global variables that the C function uses.
· Vertices: control locations of the C function.
· Labeled directed edges: a basic block of instructions, or an assume predicate.
Forward Search
· The algorithm constructs, in depth-first order, a search tree whose nodes correspond to vertices of the CFA.
· The labels of nodes are formulas, called reachable regions, which represent what is known about the state w.r.t. the predicate set.
· The reachable region of a node is computed from the reachable region of the parent node and the instructions on the corresponding edge.
· Forward search continues until it hits the Error region or safely finishes.
Forward Search (cont.)
Backward Counterexample Analysis
· Activated when the forward search hits an error node.
· Trace from the error node back to its predecessors, calculating the weakest preconditions that would lead to the error node (also called bad regions).
· Try to identify the first node in the search tree where the intersection of the bad region with the reachable region is empty (also called the pivot node).
Backward Counterexample Analysis (cont.)
Search with new Predicates
· If no pivot node is found before the root node is reached in the backward tracing, the trace path is a concrete counterexample.
· Otherwise, verification resumes with the forward search, adding new predicates for the abstraction.
· The reachable region of a node is covered if it resides in a safe reachable region of the same node. We can stop the forward search if the node is covered.
Search with new Predicates (cont.)
Section 2.3: Model Checking with BLAST
BLAST
· BLAST is a software model checker for C programs.
· The main goal of BLAST is to check safety properties of C code.
· The current release is 2.0, which does not support function pointers.
· http://embedded.eecs.berkeley.edu/blast/
BLAST
· pblast.opt is the BLAST executable.
· spec.opt is the specification instrumenter.
· Remember to keep Simplify in your PATH.
Model Checking with BLAST
The basic command to run:
>pblast.opt filename -main mainfunction -L ErrorLabel
Static Assertion Checking
>gcc -E -I path filename.c > filename.i
Notice: the path includes assert.h
Specification Language
>spec.opt filename.spc filename.c
>pblast.opt -pred instrumented.pred instrumented.c
References
· Counterexample-guided Abstraction Refinement: http://www.cs.technion.ac.il/users/orna/CAV00-automatic-abstraction.ps
· Lazy Abstraction: http://www.eecs.berkeley.edu/%7Etah/Publications/lazy_abstraction.html
· BLAST Documentation: http://embedded.eecs.berkeley.edu/blast/