Abstract interpretation of temporal logic: abstract model checking revisited

John Gallagher (1,2), Gourinath Banda (1), Pierre Ganty (2)
(1) Roskilde University; (2) IMDEA Software, Madrid

DANSAS 2010, Odense
Example 1: Temporal properties of a water level controller [Halbwachs et al. 94]

[Figure: hybrid automaton with locations l0, l1, l2, l3; initially w := 0.
 l0: invariant w < 10, rates ẇ = 1, ẋ = 1; on w = 10 reset x := 0 and go to l1.
 l1: invariant x < 2, rates ẋ = 1, ẇ = 1; on x = 2 go to l2.
 l2: invariant w > 5, rates ẋ = 1, ẇ = −2; on w = 5 reset x := 0 and go to l3.
 l3: invariant x < 2, rates ẋ = 1, ẇ = −2; on x = 2 go to l0.]
• Safety property: AG(0 ≤ w ∧ w ≤ 12). (w always stays between 0 and 12.)
• Existential property: EF(w = 10). (w can reach the value 10.)
• Eventual safety (nested CTL property): AF(AG(1 ≤ w ∧ w ≤ 12)). (Eventually, w remains between 1 and 12.)
Example 2: Properties of a task scheduler [Halbwachs et al. 94]
• AG(k2 > 0 → AF(k2 = 0)). (A waiting high-priority task is eventually scheduled.)
• EF(k2 = 1). (A high-priority task can arise.)
• AG(k2 ≤ 1). (No more than one high-priority task can be waiting.)
The model checking framework
• Express system as a transition system (Kripke structure).
• Evaluate temporal properties over the structure.
• Given a property φ, [[φ]] denotes the states at which φ
holds.
• Model checking algorithms are essentially algorithms for
evaluating [[φ]]. The algorithms terminate if the structure is
finite.
Model checking infinite-state transition systems
(Kripke models)
• The original approach [Clarke, Grumberg & Long, 1992].
• Define a finite partition of the infinite set of states.
• The partition induces a finite abstract transition system which
over-approximates the concrete transition relation.
• Model checking in such an abstract transition system is
sound only for universal properties (or for refutation of
existential properties).
The need for over- and under-approximations in abstract transition systems

Let s1 be some abstract state (a set of concrete states).

[Figure: EX(s1): over-approximation. AX(s1): under-approximation.]
One approach: Dual (Modal/Mixed) Transition
Systems
• In order to handle both universal and existential properties,
various authors suggest creating two abstract transition
systems.
• e.g. [Larsen & Thomsen 1988], [Dams, Gerth & Grumberg
1997], [Godefroid, Huth & Jagadeesan 2001]
• One (may-transitions) for proving existential properties, the
other (must-transitions) for universal properties.
• ⇒ a modified model checking algorithm and extra
correctness proofs
Abstract interpretation approach: Concrete Semantics

Semantics of the µ-calculus (more general than CTL, LTL, etc.):

$$
\begin{array}{lcl}
[\![Z]\!]_\mu\sigma & = & \sigma(Z) \\
[\![p]\!]_\mu\sigma & = & states(p) \\
[\![\neg p]\!]_\mu\sigma & = & states(\neg p) \\
[\![\varphi_1 \vee \varphi_2]\!]_\mu\sigma & = & [\![\varphi_1]\!]_\mu\sigma \cup [\![\varphi_2]\!]_\mu\sigma \\
[\![\varphi_1 \wedge \varphi_2]\!]_\mu\sigma & = & [\![\varphi_1]\!]_\mu\sigma \cap [\![\varphi_2]\!]_\mu\sigma \\
[\![EX\,\varphi]\!]_\mu\sigma & = & pre([\![\varphi]\!]_\mu\sigma) \\
[\![AX\,\varphi]\!]_\mu\sigma & = & \widetilde{pre}([\![\varphi]\!]_\mu\sigma) \\
[\![\mu Z.\varphi]\!]_\mu\sigma & = & lfp(F) \quad \text{where } F(S') = [\![\varphi]\!]_\mu\sigma[Z/S'] \\
[\![\nu Z.\varphi]\!]_\mu\sigma & = & gfp(F) \quad \text{where } F(S') = [\![\varphi]\!]_\mu\sigma[Z/S']
\end{array}
$$

pre and p̃re functions

A Kripke structure $K = \langle S, \Delta, I, L, P\rangle$. Functions $pre : 2^S \to 2^S$, $\widetilde{pre} : 2^S \to 2^S$, $states : P \to 2^S$ as follows.

[Figure: pre(S) and p̃re(S) illustrated for a set of states S.]

• $states(p) = \{s \in S \mid p \in L(s)\}$ returns the set of states where $p \in P$ holds.
Galois connection

• Let S be the set of concrete states.
• Let A be the set of abstract states.
• $\langle 2^S, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle 2^A, \subseteq\rangle$ is a Galois connection between the complete lattices $\langle 2^S, \subseteq\rangle$ and $\langle 2^A, \subseteq\rangle$.
• $\alpha : 2^S \to 2^A$ and $\gamma : 2^A \to 2^S$ are adjoint functions.
• $\alpha(X) \subseteq Y \equiv X \subseteq \gamma(Y)$.
Abstract pre, p̃re and states functions

The functions pre, p̃re are monotonic.

Given a Galois connection $\langle 2^S, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle 2^A, \subseteq\rangle$ and a Kripke structure, define

$$
\begin{array}{lcl}
apre & = & \alpha \circ pre \circ \gamma \\
\widetilde{apre} & = & \alpha \circ \widetilde{pre} \circ \gamma \\
astates & = & \alpha \circ states
\end{array}
$$

These are optimal for a given Galois connection. We can also take any upper approximation.
Abstract Semantics of the µ-calculus

The abstract µ-calculus semantic function $[\![\cdot]\!]^a_\mu : Mu \to (V \to 2^A) \to 2^A$ is defined as follows.

$$
\begin{array}{lcl}
[\![Z]\!]^a_\mu\sigma & = & \sigma(Z) \\
[\![p]\!]^a_\mu\sigma & = & astates(p) \\
[\![\neg p]\!]^a_\mu\sigma & = & astates(\neg p) \\
[\![\varphi_1 \vee \varphi_2]\!]^a_\mu\sigma & = & [\![\varphi_1]\!]^a_\mu\sigma \cup [\![\varphi_2]\!]^a_\mu\sigma \\
[\![\varphi_1 \wedge \varphi_2]\!]^a_\mu\sigma & = & [\![\varphi_1]\!]^a_\mu\sigma \cap [\![\varphi_2]\!]^a_\mu\sigma \\
[\![EX\,\varphi]\!]^a_\mu\sigma & = & apre([\![\varphi]\!]^a_\mu\sigma) \\
[\![AX\,\varphi]\!]^a_\mu\sigma & = & \widetilde{apre}([\![\varphi]\!]^a_\mu\sigma) \\
[\![\mu Z.\varphi]\!]^a_\mu\sigma & = & lfp(F_a) \quad \text{where } F_a(A') = [\![\varphi]\!]^a_\mu\sigma[Z/A'] \\
[\![\nu Z.\varphi]\!]^a_\mu\sigma & = & gfp(F_a) \quad \text{where } F_a(A') = [\![\varphi]\!]^a_\mu\sigma[Z/A']
\end{array}
$$
Soundness of abstraction for model checking

[Figure: $[\![\varphi]\!]_\mu \subseteq \gamma([\![\varphi]\!]^a_\mu)$; the concrete denotation lies inside the concretisation of the abstract one.]

All this is completely standard abstract interpretation. An abstract model checking procedure follows directly (with proofs by refutation).
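As an added worked example (not code from the slides or from the authors' system), the following Python evaluates µ-calculus formulas over a small constructed Kripke structure, first with the concrete operations (pre(X) is taken in the standard way as the states with some successor in X, p̃re(X) as the states whose every successor lies in X) and then with apre = α∘pre∘γ, ãpre = α∘p̃re∘γ and astates = α∘states induced by a partition of the states. It checks the soundness inclusion [[φ]] ⊆ γ([[φ]]ᵃ) and carries out a proof by refutation: to establish AF high at state 0 it evaluates the negation EG ¬high abstractly, which is inconclusive for a coarse partition and succeeds for a finer one. The Kripke structure, the labelling, the partitions and the formulas are all constructed for this example.

```python
"""Mu-calculus model checking over a finite Kripke structure, concretely and
through a partition-based Galois connection (constructed example)."""

# Constructed Kripke structure K = <S, Delta, I, L, P>: six "water level" states,
# a deterministic fill-up relation, and the proposition "high" at levels 4 and 5.
S = frozenset(range(6))
DELTA = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 5)})
LABEL = {s: frozenset({"high"}) if s >= 4 else frozenset() for s in S}


def pre(X):
    """Standard definition: states with at least one successor in X."""
    return frozenset(s for s, t in DELTA if t in X)


def pre_tilde(X):
    """Standard definition: states all of whose successors lie in X (= ¬pre¬)."""
    return S - pre(S - X)


def concrete_states(p, negated):
    """states(p), or states(¬p) when negated."""
    return frozenset(s for s in S if (p in LABEL[s]) != negated)


def evaluate(f, sem, env=None):
    """[[f]] sigma.  `sem` supplies top and the states/pre/pre_tilde operations,
    so the same clauses yield the concrete and the abstract semantics."""
    env = env or {}
    op = f[0]
    if op == "var":
        return env[f[1]]
    if op in ("p", "not"):
        return sem["states"](f[1], op == "not")
    if op == "or":
        return evaluate(f[1], sem, env) | evaluate(f[2], sem, env)
    if op == "and":
        return evaluate(f[1], sem, env) & evaluate(f[2], sem, env)
    if op == "EX":
        return sem["pre"](evaluate(f[1], sem, env))
    if op == "AX":
        return sem["pre_tilde"](evaluate(f[1], sem, env))
    if op in ("mu", "nu"):
        z, body = f[1], f[2]
        cur = frozenset() if op == "mu" else sem["top"]
        while True:  # Kleene iteration; terminates because the lattice is finite
            nxt = evaluate(body, sem, {**env, z: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


CONCRETE = {"top": S, "states": concrete_states, "pre": pre, "pre_tilde": pre_tilde}


def partition_abstraction(blocks):
    """Galois connection <2^S,⊆> <-> <2^A,⊆> induced by a partition of S:
    alpha(X) = blocks meeting X, gamma(V) = union of the blocks in V, and the
    optimal abstract operations apre = alpha∘pre∘gamma, etc."""
    A = frozenset(range(len(blocks)))

    def alpha(X):
        return frozenset(i for i, b in enumerate(blocks) if b & X)

    def gamma(V):
        return frozenset().union(*(blocks[i] for i in V))

    sem = {
        "top": A,
        "states": lambda p, neg: alpha(concrete_states(p, neg)),
        "pre": lambda V: alpha(pre(gamma(V))),
        "pre_tilde": lambda V: alpha(pre_tilde(gamma(V))),
    }
    return alpha, gamma, sem


def sound(formula, blocks):
    """Soundness: [[phi]] ⊆ gamma([[phi]]^a) for a closed formula phi."""
    _, gamma, sem = partition_abstraction(blocks)
    return evaluate(formula, CONCRETE) <= gamma(evaluate(formula, sem))


def prove_by_refutation(negated_formula, s0, blocks):
    """Prove s0 |= phi by refuting ¬phi abstractly: if alpha({s0}) misses
    [[¬phi]]^a then, by soundness, s0 ∉ [[¬phi]].  True = proved,
    None = the abstraction is too coarse to decide."""
    alpha, _, sem = partition_abstraction(blocks)
    return True if not (alpha(frozenset({s0})) & evaluate(negated_formula, sem)) else None


# Constructed formulas: AF high = mu Z. high ∨ AX Z, its negation EG ¬high, and EF high.
HIGH, NOT_HIGH = ("p", "high"), ("not", "high")
AF_HIGH = ("mu", "Z", ("or", HIGH, ("AX", ("var", "Z"))))
EG_NOT_HIGH = ("nu", "Z", ("and", NOT_HIGH, ("EX", ("var", "Z"))))
EF_HIGH = ("mu", "Z", ("or", HIGH, ("EX", ("var", "Z"))))

# Two constructed partitions of S: a coarse one and a refinement of it.
COARSE = [frozenset({0, 1}), frozenset({2, 3}), frozenset({4, 5})]
FINE = [frozenset({i}) for i in range(4)] + [frozenset({4, 5})]

if __name__ == "__main__":
    print("concrete EG ¬high:", set(evaluate(EG_NOT_HIGH, CONCRETE)))
    print("AF high at 0, coarse partition:", prove_by_refutation(EG_NOT_HIGH, 0, COARSE))
    print("AF high at 0, fine partition:", prove_by_refutation(EG_NOT_HIGH, 0, FINE))
```

With the coarse partition the block {0,1} survives the greatest-fixpoint iteration for EG ¬high, so nothing can be concluded about state 0; with the finer partition the abstract denotation is empty, and soundness then yields AF high at every state. The over-approximation is visible even for a single EX step: concretely EX high holds at {3,4,5}, while the coarse abstraction returns the blocks {2,3} and {4,5}.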
A Constraint based abstract domain

• Transition systems in which the transitions can be represented as a finite set of transition rules of the form $\bar{x}_1 \xrightarrow{c(\bar{x}_1, \bar{x}_2)} \bar{x}_2$.
• The concrete state space is a (possibly infinite) set of n-tuples $C \subseteq \mathbb{R}^n$.
• The abstract state space is a finite partition of the reachable states of C (computed automatically).
• Each region in the partition $\{d_1, \ldots, d_n\}$ is represented by a linear constraint. Constraint $c_{d_i}$ represents $d_i$.
Abstract operations expressed using constraint operations

$$
\begin{array}{lcl}
pre(c'(\bar{y})) & = & \bigvee \{\, proj_{\bar{x}}(c'(\bar{y}) \wedge c(\bar{x}, \bar{y})) \mid \bar{x} \xrightarrow{c(\bar{x}, \bar{y})} \bar{y} \in T \,\} \\
\widetilde{pre}(c'(\bar{y})) & = & \neg(pre(\neg c'(\bar{y}))) \\
states(p) & = & p \\
\alpha(c) & = & \{\, d \in A \mid SAT(c_d \wedge c) \,\} \\
\gamma(V) & = & \bigvee \{\, c_d \mid d \in V \,\}
\end{array}
$$

• SAT can be implemented by an SMT solver. We use Yices (http://yices.csl.sri.com/) interfaced to Prolog.
• proj can be implemented by a linear constraint solver. We use the Parma Polyhedra Library.
• $(\alpha \circ pre \circ \gamma)$ and $(\alpha \circ \widetilde{pre} \circ \gamma)$ can be directly implemented with no loss of precision. Some optimisations on the composed functions can be performed (see the LPAR paper).
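An added, deliberately small instance of this constraint-based domain, written for this page rather than taken from the authors' Prolog/Yices/PPL implementation: states are integer water levels in a bounded universe, constraints are finite unions of closed intervals, and transition rules are a guard on x plus an affine update y = x + k, so that the projection proj_x(c'(y) ∧ c(x,y)) becomes a shift of c' conjoined with the guard. pre, p̃re, α and γ are computed symbolically with exactly the conjunction, complement, disjunction and satisfiability operations of the equations above, and the adjunction α(c) ⊆ V ≡ c ⊆ γ(V) is checked through a SAT call on c ∧ ¬γ(V). The universe bound [0, 12], the two rules and the three regions are constructed assumptions.

```python
"""One-dimensional constraint-based abstract domain (constructed toy).  A
constraint c(w) is a finite union of closed integer intervals, kept normalised
as a sorted list of disjoint, non-adjacent (lo, hi) pairs."""

WMIN, WMAX = 0, 12                       # constructed bounded universe of levels w

# Constructed transition rules x --c(x,y)--> y with c(x,y) ≡ guard(x) ∧ y = x + k:
# fill by 1 while w ≤ 9, drain by 2 once w ≥ 10.
RULES = [((0, 9), +1), ((10, 12), -2)]

# Constructed partition into regions d0, d1, d2, each given by its constraint c_d.
REGIONS = [[(0, 4)], [(5, 9)], [(10, 12)]]


def normalize(ivs):
    """Sort, drop empty intervals and merge overlapping or adjacent ones."""
    out = []
    for lo, hi in sorted(iv for iv in ivs if iv[0] <= iv[1]):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def conj(c1, c2):
    """c1 ∧ c2: pairwise intersection of intervals."""
    return normalize([(max(a, c), min(b, d)) for a, b in c1 for c, d in c2])


def neg(c):
    """¬c, taken relative to the bounded universe [WMIN, WMAX]."""
    out, cur = [], WMIN
    for lo, hi in normalize(c):
        if lo > cur:
            out.append((cur, lo - 1))
        cur = hi + 1
    if cur <= WMAX:
        out.append((cur, WMAX))
    return out


def sat(c):
    """SAT(c): a normalised interval constraint is satisfiable iff non-empty."""
    return bool(normalize(c))


def pre(c_prime):
    """pre(c'(y)) = ⋁ { proj_x(c'(y) ∧ c(x,y)) | x --c(x,y)--> y ∈ T }.
    For c(x,y) ≡ guard(x) ∧ y = x + k the projection onto x is the shift of
    c' by -k, conjoined with the guard."""
    out = []
    for (glo, ghi), k in RULES:
        shifted = [(lo - k, hi - k) for lo, hi in c_prime]
        out += conj(shifted, [(glo, ghi)])
    return normalize(out)


def pre_tilde(c):
    """p̃re(c) = ¬ pre(¬ c)."""
    return neg(pre(neg(c)))


def alpha(c):
    """α(c) = { d ∈ A | SAT(c_d ∧ c) }."""
    return frozenset(i for i, cd in enumerate(REGIONS) if sat(conj(cd, c)))


def gamma(V):
    """γ(V) = ⋁ { c_d | d ∈ V }."""
    return normalize([iv for i in sorted(V) for iv in REGIONS[i]])


def apre(V):
    """α ∘ pre ∘ γ computed directly on constraints."""
    return alpha(pre(gamma(V)))


def apre_tilde(V):
    """α ∘ p̃re ∘ γ computed directly on constraints."""
    return alpha(pre_tilde(gamma(V)))


def galois_holds(c, V):
    """α(c) ⊆ V  ≡  c ⊆ γ(V); the right-hand side is decided by a SAT check
    on c ∧ ¬γ(V), as a constraint-based implementation would do it."""
    return (alpha(c) <= V) == (not sat(conj(c, neg(gamma(V)))))


if __name__ == "__main__":
    print("pre(10 ≤ w ≤ 12)  =", pre([(10, 12)]))
    print("p̃re(10 ≤ w ≤ 12) =", pre_tilde([(10, 12)]))
    print("apre({d2})        =", sorted(apre(frozenset({2}))))
```

Because the toy system is deterministic, pre and p̃re agree on this input; the two differ as soon as a rule set allows several successors from one state, which is where p̃re's complement-based definition earns its keep.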
Some Experiments

System         Property                                  A    Δ    secs.
Water Monitor  AF(W ≥ 10)                                5    4    0.02
               AG(0 ≤ W ∧ W ≤ 12)                        5    4    0.01
               AF(AG(1 ≤ W ∧ W ≤ 12))                    5    4    0.02
               AG(W = 10 → AF(W < 10 ∨ W > 10))         10    4    0.05
               AG(AG(AG(AG(AG(0 ≤ W ∧ W ≤ 12)))))        5    4    0.02
               EF(W = 10)                               10    4    0.01
               EU(W < 12, AU(W < 12, W ≥ 12))            7    4    0.04
Task Sched.    EF(K2 = 1)                               18   12    0.53
               AG(K2 > 0 → AF(K2 = 0))                  18   12    0.30
               AG(K2 ≤ 1)                               18   12    0.04
The story so far ...
• Direct abstraction framework, yielding over-approximation
of temporal logic semantics
• Galois connections not tied to any particular kind of
abstraction (e.g. partitions)
• No need for (dual) abstract transition systems
• For constraint-based domains, direct implementation using
constraint solvers and satisfiability checkers.
Modalities in program analysis
Possibly vs. definitely.
Describe values that possibly arise.
Describe values that definitely arise.
The two are related: definitely(P) ⇔ ¬ possibly(¬ P).
Over- and Under-approximations

Suppose that there is a Galois connection from $2^Q$ to some abstract domain A, written $\langle 2^Q, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle A, \sqsubseteq\rangle$.

Then there is a dual Galois connection $\langle 2^Q, \supseteq\rangle \underset{\tilde\alpha}{\overset{\tilde\gamma}{\leftrightarrows}} \langle A, \sqsupseteq\rangle$, where $\tilde\alpha = \sim \circ \alpha \circ \neg$ and $\tilde\gamma = \neg \circ \gamma \circ \sim$. (This assumes that there is a complement operator $\sim$ on the abstract domain.)

These Galois connections give over- and under-approximations (w.r.t. ⊆ in $2^Q$) respectively.
(See P. Cousot, SARA 2000.)
Application to µ-calculus abstraction

Plugging in the dual Galois connections
• $\langle 2^Q, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle 2^A, \subseteq\rangle$ and
• $\langle 2^Q, \supseteq\rangle \underset{\tilde\alpha}{\overset{\tilde\gamma}{\leftrightarrows}} \langle 2^A, \supseteq\rangle$,
we can derive dual abstractions of the µ-calculus as shown above, yielding over- and under-approximations respectively.

Let us call these abstractions $[\![\cdot]\!]^{poss}$ and $[\![\cdot]\!]^{nec}$ respectively (following Godefroid et al.).
Another approach: derivation of $[\![\cdot]\!]^{nec}$ from $[\![\cdot]\!]^{poss}$

As noted earlier, definitely(P) ⇔ ¬ possibly(¬P).

Thus, starting with our previous abstract semantics $[\![\cdot]\!]^a$ (which we now call $[\![\cdot]\!]^{poss}$), we could define $[\![\varphi]\!]^{nec} = \neg[\![\neg\varphi]\!]^{poss}$.

Then, for example,

$$
\begin{array}{lcl}
[\![EX\,\varphi]\!]^{nec} & = & \neg[\![\neg EX\,\varphi]\!]^{poss} \\
 & = & \neg[\![AX\,\neg\varphi]\!]^{poss} \\
 & = & \neg\,\widetilde{apre}\,[\![\neg\varphi]\!]^{poss} \\
 & = & \neg\,\alpha\,\widetilde{pre}\,\gamma\,[\![\neg\varphi]\!]^{poss} \\
 & = & \neg\,\alpha\,\widetilde{pre}\,\gamma\,\neg\neg[\![\neg\varphi]\!]^{poss} \\
 & = & \neg\,\alpha\,\neg\,pre\,\neg\,\gamma\,\neg\neg[\![\neg\varphi]\!]^{poss} \\
 & = & \bar\alpha\,pre\,\bar\gamma\,[\![\varphi]\!]^{nec}
\end{array}
$$
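The following added Python (not the authors' code) makes the two preceding slides concrete on a partition of a constructed six-state transition system. It builds α, γ and their duals α̃ = ∼∘α∘¬, γ̃ = ¬∘γ∘∼ with set complement playing the role of ∼ on 2^A, checks both adjunction laws exhaustively (⊆ on both sides for the original connection, ⊇ on both sides for the dual one), and compares the "possibly" abstraction α pre γ of EX with the "definitely" abstraction α̃ pre γ̃, confirming γ(α̃ pre γ̃ V) ⊆ pre(γ V) ⊆ γ(α pre γ V) for every abstract set V as well as the identity [[EX φ]]^nec = ∼[[AX ¬φ]]^poss from the derivation above. The transition system and the partition are constructed for this example.

```python
"""Dual Galois connections on a partition: 'possibly' (over-approximating) and
'definitely' (under-approximating) abstractions of pre (constructed example)."""
from itertools import combinations

# Constructed transition system T over Q = {0,...,5} and a partition of Q into
# abstract states A = {0, 1, 2}; neither comes from the slides.
Q = frozenset(range(6))
T = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 5)})
BLOCKS = [frozenset({0, 1}), frozenset({2, 3}), frozenset({4, 5})]
A = frozenset(range(len(BLOCKS)))


def neg(X):
    """¬ : complement in 2^Q."""
    return Q - X


def comp(V):
    """∼ : complement in the abstract domain 2^A."""
    return A - V


def pre(X):
    """States with some successor in X."""
    return frozenset(s for s, t in T if t in X)


def pre_tilde(X):
    """p̃re = ¬ ∘ pre ∘ ¬ : states whose every successor lies in X."""
    return neg(pre(neg(X)))


def alpha(X):
    """Blocks that meet X."""
    return frozenset(i for i, b in enumerate(BLOCKS) if b & X)


def gamma(V):
    """Union of the blocks in V."""
    return frozenset().union(*(BLOCKS[i] for i in V))


def alpha_tilde(X):
    """α̃ = ∼ ∘ α ∘ ¬ : blocks lying entirely inside X."""
    return comp(alpha(neg(X)))


def gamma_tilde(V):
    """γ̃ = ¬ ∘ γ ∘ ∼."""
    return neg(gamma(comp(V)))


def poss_pre(V):
    """[[EX ·]]^poss = α pre γ : blocks that MAY have a successor in γ(V)."""
    return alpha(pre(gamma(V)))


def nec_pre(V):
    """[[EX ·]]^nec = α̃ pre γ̃ : blocks every state of which DEFINITELY has one."""
    return alpha_tilde(pre(gamma_tilde(V)))


def subsets(U):
    U = sorted(U)
    return [frozenset(c) for r in range(len(U) + 1) for c in combinations(U, r)]


def is_galois(a, g, le_c, le_a):
    """Adjunction law a(X) ≤_A Y iff X ≤_C g(Y), checked over all X ⊆ Q, Y ⊆ A."""
    return all(le_a(a(X), Y) == le_c(X, g(Y)) for X in subsets(Q) for Y in subsets(A))


def check_duality():
    """Original connection: ⊆ on both sides.  Dual connection: ⊇ on both sides."""
    sub, sup = (lambda x, y: x <= y), (lambda x, y: x >= y)
    return is_galois(alpha, gamma, sub, sub), is_galois(alpha_tilde, gamma_tilde, sup, sup)


def check_sandwich():
    """γ(nec_pre V) ⊆ pre(γ V) ⊆ γ(poss_pre V): under- and over-approximation."""
    return all(gamma(nec_pre(V)) <= pre(gamma(V)) <= gamma(poss_pre(V)) for V in subsets(A))


def check_nec_from_poss():
    """definitely(P) ⇔ ¬possibly(¬P): nec_pre = ∼ ∘ (α p̃re γ) ∘ ∼,
    i.e. [[EX φ]]^nec = ∼[[AX ¬φ]]^poss."""
    return all(nec_pre(V) == comp(alpha(pre_tilde(gamma(comp(V))))) for V in subsets(A))


def example_gap(V=frozenset({2})):
    """A set V = {block {4,5}} on which the two approximations differ."""
    return nec_pre(V), poss_pre(V)


if __name__ == "__main__":
    print("adjunction laws (original, dual):", check_duality())
    print("nec ⊆ concrete ⊆ poss for all V:", check_sandwich())
    print("nec_pre({d2}), poss_pre({d2}):", [sorted(s) for s in example_gap()])
```

For V = {block {4,5}}, pre(γ V) = {3,4,5}; the block {2,3} only partly lies inside it, so it is reported by poss_pre (it may step into V) but not by nec_pre (not every state of it does), which is exactly the gap between the may and must views that the following slides turn into two transition relations.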
From dual abstraction to dual transition systems

Suppose we have a partition-based abstraction A and dual Galois connections
• $\langle 2^Q, \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle 2^A, \subseteq\rangle$ and
• $\langle 2^Q, \supseteq\rangle \underset{\tilde\alpha}{\overset{\tilde\gamma}{\leftrightarrows}} \langle 2^A, \supseteq\rangle$.

Define two transition relations on A, called $T_{may}$ and $T_{must}$. These are respectively over- and under-approximations of the concrete transition relation T.

$$
\begin{array}{lcl}
pre[T_{may}] & = & \alpha\, pre[T]\, \gamma \\
pre[T_{must}] & = & \tilde\alpha\, pre[T]\, \tilde\gamma
\end{array}
$$

Then it also follows that

$$
\begin{array}{lcl}
\widetilde{pre}[T_{may}] & = & \tilde\alpha\, \widetilde{pre}[T]\, \tilde\gamma \\
\widetilde{pre}[T_{must}] & = & \alpha\, \widetilde{pre}[T]\, \gamma
\end{array}
$$
From dual abstraction to dual transition systems: II

Using these four equations we can rewrite our original abstract semantics in terms of abstract transition systems. Note that both $T_{may}$ and $T_{must}$ are needed to compute an over-approximation.

$$
\begin{array}{lcl}
[\![Z]\!]^{poss}_\mu\sigma & = & \sigma(Z) \\
[\![p]\!]^{poss}_\mu\sigma & = & astates(p) \\
[\![\neg p]\!]^{poss}_\mu\sigma & = & astates(\neg p) \\
[\![\varphi_1 \vee \varphi_2]\!]^{poss}_\mu\sigma & = & [\![\varphi_1]\!]^{poss}_\mu\sigma \cup [\![\varphi_2]\!]^{poss}_\mu\sigma \\
[\![\varphi_1 \wedge \varphi_2]\!]^{poss}_\mu\sigma & = & [\![\varphi_1]\!]^{poss}_\mu\sigma \cap [\![\varphi_2]\!]^{poss}_\mu\sigma \\
[\![EX\,\varphi]\!]^{poss}_\mu\sigma & = & pre[T_{may}]([\![\varphi]\!]^{poss}_\mu\sigma) \\
[\![AX\,\varphi]\!]^{poss}_\mu\sigma & = & \widetilde{pre}[T_{must}]([\![\varphi]\!]^{poss}_\mu\sigma) \\
[\![\mu Z.\varphi]\!]^{poss}_\mu\sigma & = & lfp(F_a) \quad \text{where } F_a(A') = [\![\varphi]\!]^{poss}_\mu\sigma[Z/A'] \\
[\![\nu Z.\varphi]\!]^{poss}_\mu\sigma & = & gfp(F_a) \quad \text{where } F_a(A') = [\![\varphi]\!]^{poss}_\mu\sigma[Z/A']
\end{array}
$$
Summary and wider perspectives
• Abstract transition systems, while intuitive, can introduce
unnecessary complications and provide restricted forms of
abstraction.
• Abstract interpretation provides a general framework in
which over- and under-approximations (possible vs.
necessary analyses) are dual.
• Insights from abstract model checking can throw light on classical static analyses, such as
  • type inference (calculation of the states that cannot possibly reach a type error), and other runtime guarantees;
  • analysis of liveness properties vs. analysis of safety properties.