Quantitative Abstraction Refinement
Pavol Černý
IST Austria
joint work with Thomas Henzinger,
Arjun Radhakrishna
Haifa, Israel
November 2012
Quantitative analysis of programs
Quantitative requirements:
• Resource consumption (energy usage)
• Worst-case execution time, timeliness of response
Application domains:
• (Embedded) software
• (Partial-)program synthesis
Quantitative analysis:
Application to partial-program synthesis
Partial program:
  int buf[4]
  while (true) {
    buf = getBuffer();
    i = 0;
    while (i<4) {
      dr = setTransf(buf,i);
      write(device,dr);
      i++;
    }
  }
Spec: Mutual exclusion on device.
1st correct solution: “Lock inside the loop”
  int buf[4]
  while (true) {
    buf = getBuffer();
    i = 0;
    while (i<4) {
      dr = setTransf(buf,i);
      lock(lock);
      write(device,dr);
      unlock(lock);
      i++;
    }
  }
2nd correct solution: “Lock outside the loop”
  int buf[4]
  while (true) {
    buf = getBuffer();
    i = 0;
    lock(lock);
    while (i<4) {
      dr = setTransf(buf,i);
      write(device,dr);
      i++;
    }
    unlock(lock);
  }
Example: Cache behavior for worst-case execution time
  a,b,c,i,v:int; input v;
  if (v==1)
    for (i=0;i<16;i++) read(a);
  else if (v==2)
    for (i=0;i<16;i++)
      if (i mod 2 = 0) read(b);
  else
    for (i=0;i<16;i++)
      if (i mod 4 = 0) read(c);
• A cache hit costs less than a cache miss
• The abstraction has a cache of limited size
• No cache → worst-case execution for (v==1)
• Cache contains the address of a → worst-case execution for (v==2)
• Cache contains the address of b → worst-case execution for all other values of v
Abstraction
Boolean case:
Safety
What if the abstract system is too coarse?
Answer: Abstraction refinement
Questions for this talk
Question: How do we perform abstraction with respect to
quantitative objectives?
Question: How do we perform abstraction refinement with
respect to quantitative objectives?
Based on: C., Henzinger, Radhakrishna
Quantitative abstraction refinement
POPL 2013
Outline
• Quantitative Abstractions
– State-based abstractions
• Abstract state = set of states + numbers
– Segment-based abstractions
• Abstract state = set of segments + numbers
• Abstraction refinement
Model of systems
Weighted transition systems $(Q, \Sigma, \Delta, \delta, q_0)$, where
  $\Delta \subseteq Q \times Q$ is the transition relation and
  $\delta : \Delta \to \mathbb{R}$ assigns a weight to every transition.
A trace is a sequence $q_0 q_1 q_2 \ldots$ with $(q_i, q_{i+1}) \in \Delta$ for every $i$.
$\delta$ is extended to traces: $\delta(q_0 q_1 q_2 \ldots) = r_0 r_1 \ldots$ where $\delta(q_i, q_{i+1}) = r_i$.
[Figure: the example weighted transition system used throughout the talk; its edge weights are 10, 3, 2 and 1]
Properties
A quantitative property $f$ maps a system $S$ to a real number and is given by two functions:
  $f_1$ evaluates a trace: $f_1 : \mathbb{R}^\omega \to \mathbb{R}$
  $f_2$ summarizes the values $f_1$ of all traces: $f_2 : 2^{\mathbb{R}} \to \mathbb{R}$
  $f(S) = f_2(\{\, f_1(r) \mid \exists\, \text{trace} : \delta(\text{trace}) = r \,\})$

Limit-average objective:
  $f_1(r_0 r_1 \ldots) = \liminf_{i \to \infty} \frac{1}{i} \sum_{k=0}^{i-1} r_k$
  $f_2(U) = \sup U$
  For the example system: $f(S) = 3$

Discounted-sum objective:
  $f_1(r) = \sum_{k=0}^{\infty} \lambda^k r_k$
  $f_2(U) = \sup U$

Safety objective:
  $f_1(r) = \sup_i r_i$
  $f_2(U) = \sup U$
  [Figure: the example system relabelled with weights 0 and 1 for the safety objective]

Properties: we consider properties that admit memoryless extremal traces.
Abstraction for quantitative (accumulative) properties
• Given a quantitative property $f$, construct $\alpha$ and $f_\alpha$ such that, for all $S$ and for all equivalence relations $\equiv$,
  $f_\alpha(\alpha(S, \equiv)) \geq f(S)$
  where $\alpha(S, \equiv)$ is a WTS whose set of states is given by the equivalence classes of $\equiv$.
[Figure: the example system and its abstraction under an equivalence relation ≡]
ExistsMax abstraction
Existential abstraction: an abstract edge exists if some corresponding concrete edge exists;
weight of abstract edge = max of corresponding concrete edges.
[Figure: the example system and its ExistsMax abstraction]
Lim-avg objective f:
  f(S) = 3
  f_em(S_em) = 10
Refinement of ExistsMax
[Figure: the ExistsMax abstraction after splitting one abstract state]
Lim-avg objective f:
  f(S) = 3
  f_em(S_em) = 16/3
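The limit-average objective and the ExistsMax abstraction and its refinement, as an added Python example that is not code from the talk or the authors' tool. The weighted transition system is a constructed one, not the slide's; f(S) is computed with Karp's characterisation of the maximum mean cycle, and the abstraction is built exactly as the slide defines it (blocks of a partition, max weight per abstract edge), so the three values show both soundness (f_em ≥ f) and monotonicity under refinement:

```python
from fractions import Fraction

# Constructed example WTS (not the slide's): transition (q, q') -> weight. State 0 is initial and
# leads into the cycle 1 -> 2 -> 3 -> 4 -> 1, whose mean weight is (3 + 1 + 1 + 1) / 4 = 3/2.
S_EDGES = {(0, 1): 10, (1, 2): 3, (2, 3): 1, (3, 4): 1, (4, 1): 1}
S_STATES = [0, 1, 2, 3, 4]

def lim_avg_value(edges, states, init):
    """f(S) for the limit-average objective: the largest mean weight of a cycle reachable from
    init. Computed with Karp's characterisation in its maximising form,
    max over v of min over k of (D_n(v) - D_k(v)) / (n - k), where D_k(v) is the maximum
    weight of a walk of exactly k transitions from init to v (None stands for -infinity)."""
    n = len(states)
    D = [{v: None for v in states} for _ in range(n + 1)]
    D[0][init] = Fraction(0)
    for k in range(1, n + 1):
        for (u, v), w in edges.items():
            if D[k - 1][u] is not None and (D[k][v] is None or D[k - 1][u] + w > D[k][v]):
                D[k][v] = D[k - 1][u] + w
    best = None
    for v in states:
        if D[n][v] is None:          # no walk of length n ends here: v is on no reachable cycle
            continue
        ratio = min((D[n][v] - D[k][v]) / (n - k) for k in range(n) if D[k][v] is not None)
        best = ratio if best is None or ratio > best else best
    return best                      # None if no cycle is reachable from init

def exists_max(edges, partition):
    """ExistsMax abstraction: one abstract state per block of the partition, an abstract
    transition wherever some concrete transition connects the blocks, weighted by the
    maximum over those concrete transitions. Returns (abstract edges, abstract states, block map)."""
    block_of = {q: i for i, block in enumerate(partition) for q in block}
    abs_edges = {}
    for (u, v), w in edges.items():
        key = (block_of[u], block_of[v])
        abs_edges[key] = max(w, abs_edges.get(key, w))
    return abs_edges, list(range(len(partition))), block_of

def abstract_lim_avg(edges, partition, init=0):
    """f_em(alpha_em(S, ≡)) for the partition induced by the equivalence relation ≡."""
    abs_edges, abs_states, block_of = exists_max(edges, partition)
    return lim_avg_value(abs_edges, abs_states, block_of[init])

if __name__ == "__main__":
    concrete = lim_avg_value(S_EDGES, S_STATES, 0)              # 3/2
    coarse = abstract_lim_avg(S_EDGES, [[0, 1], [2, 3, 4]])      # 10: the weight-10 edge became a self-loop
    refined = abstract_lim_avg(S_EDGES, [[0], [1], [2, 3, 4]])   # 2: soundness and monotonicity, 10 >= 2 >= 3/2
    print(concrete, coarse, refined)
```

The coarse partition merges the initial state with the cycle entry, so the weight-10 entry edge turns into an abstract self-loop; splitting that block off is the refinement step and brings the bound down to 2.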
PathBound Abstraction
Idea: For more precision, keep facts about paths, not states.
Boolean case: segment-based abstraction [Cousot, Cousot 12; Podelski, Rybalchenko 04]
Each abstract state records:
  val = max value of an internal edge
  maxp = the longest internal simple path
  minp = the shortest internal simple path
  loop/noloop – is there an internal loop
[Figure: the PathBound abstraction of the example system]
PathBound Abstraction: example
[Figure: the example system split into two abstract states]
Lim-avg objective f: f(S) = 3
Abstract state 1: val = 10, maxp = 2, minp = 2, noloop
Abstract state 2: val = 1, maxp = 4, minp = 3, noloop
f_pb(S_pb) = (10*2 + 3 + 1*3 + 3) / (1 + 2 + 3 + 1) = 29/7 ≈ 4.1
Monotonicity of Refinement
• If $\equiv'$ is a refinement of $\equiv$, it is desirable that:
  $f_\alpha(\alpha(S, \equiv)) \geq f_\alpha(\alpha(S, \equiv'))$
Monotonicity enables anytime verification:
• the analysis can be stopped at any time and return a sound approximation
• the approximation gets better if the analysis is given more time
Characteristics of abstractions
• ExistsMax is an overapproximation:
  $f_{em}(\alpha_{em}(S, \equiv)) \geq f(S)$
  where f is LimAvg, DiscSum, Safety, Liveness, etc.
• ExistsMax is monotonic:
  If $\equiv'$ is a refinement of $\equiv$, then $f_{em}(\alpha_{em}(S, \equiv)) \geq f_{em}(\alpha_{em}(S, \equiv'))$
• PathBound is an overapproximation
• PathBound is not monotonic
Characteristics of abstractions
• PathBound is not monotonic: counterexample
[Figure: concrete system S, a cycle whose 6 edge weights sum to 48, and two PathBound abstractions of it, the second refining the first]
Lim-avg objective f: f(S) = 48/6 = 8
Abstract system (coarse): f_pb(S_pb) = (10*4 + 4 + 4) / (4 + 1 + 1) = 8
Abstract system (refined): f_pb(S_pb) = (10*3 + 10*3 + 10 + 4 + 4) / (3 + 3 + 1 + 1 + 1) = 78/9 > 8
Proposed solution: introduce a hierarchical abstraction so as not to lose the previous estimates.
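The PathBound abstract state (val, maxp, minp, loop/noloop) and the cycle bound from the PathBound example above, and the two values of the non-monotonicity counterexample, as an added Python example that is not code from the talk. The concrete system is a constructed one chosen so that its two blocks yield exactly the slide's tuples; "internal path" is read here as a simple path from an entry state of the block to an exit state, which is an assumption:

```python
from fractions import Fraction
from itertools import product
# Constructed concrete WTS (not the slide's). Block A = {a1,a2,a3}: one internal path of two
# weight-10 edges. Block B = {b1..b5}: long path b1-b2-b3-b4-b5 (weights 1) plus shortcut
# b2->b4 (weight 0). The edges A->B and B->A weigh 3. By hand, f(S) = 4 (cycle via the shortcut).
S_EDGES = {("a1", "a2"): 10, ("a2", "a3"): 10, ("a3", "b1"): 3, ("b1", "b2"): 1, ("b2", "b3"): 1,
           ("b3", "b4"): 1, ("b4", "b5"): 1, ("b2", "b4"): 0, ("b5", "a1"): 3}

def path_bound_state(edges, block):
    """PathBound abstract state (val, maxp, minp, loop) of one block. Assumed here: an internal
    path runs from an entry state (target of an incoming edge) to an exit state (source of an
    outgoing edge); a revisited state during the simple-path search means an internal loop."""
    block = set(block)
    internal = {(u, v): w for (u, v), w in edges.items() if u in block and v in block}
    entries = {v for (u, v) in edges if u not in block and v in block}
    exits = {u for (u, v) in edges if u in block and v not in block}
    lengths, loop = [], False
    def dfs(q, seen, length):
        nonlocal loop
        if q in exits:
            lengths.append(length)
        for (u, v) in internal:
            if u == q and v in seen:
                loop = True
            elif u == q:
                dfs(v, seen | {v}, length + 1)

    for e in entries:
        dfs(e, {e}, 0)
    return (max(internal.values(), default=0), max(lengths, default=0), min(lengths, default=0), loop)

def path_bound_lim_avg(abs_states, cycle_weights):
    """Lim-avg bound of one abstract cycle (abs_states in cycle order, cycle_weights the abstract
    edges between them): the extremal trace stays between minp and maxp steps in each abstract
    state paying at most val per step, so take the best ratio over all such length choices.
    This reproduces the slide's (10*2 + 3 + 1*3 + 3) / (1 + 2 + 3 + 1)."""
    best = Fraction(0)
    for lens in product(*[range(minp, maxp + 1) for (_, maxp, minp, _) in abs_states]):
        num = sum(val * n for (val, _, _, _), n in zip(abs_states, lens)) + sum(cycle_weights)
        best = max(best, Fraction(num, sum(lens) + len(cycle_weights)))
    # an abstract state with an internal loop lets a trace stay there forever at up to val per step
    return max([best] + [Fraction(val) for (val, _, _, loop) in abs_states if loop])

def slide_counterexample():
    """PathBound values from the non-monotonicity slide, abstract states read off its formulas:
    the refined abstraction gives the larger (worse) bound."""
    coarse = path_bound_lim_avg([(10, 4, 4, False), (0, 0, 0, False)], [4, 4])
    refined = path_bound_lim_avg([(10, 3, 3, False), (10, 3, 3, False), (0, 0, 0, False)], [10, 4, 4])
    return coarse, refined
```

For the constructed system `path_bound_state` yields (10, 2, 2, noloop) and (1, 4, 3, noloop), and the cycle through both with the two weight-3 edges is bounded by 29/7, above the hand-computed concrete value 4.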
Hierarchical segment-based abstraction [Cousot, Cousot 2012]
• suitable for software with hierarchical structure – nested loops, function calls
[Figure: a tree of segment nodes with "All traces" at the root and children init, Loop1, Loop2, Loop3]
Concatenated segments of the children nodes cover the segments in the parent node.
Hierarchical Segment-Based Abstraction
Example program:
  while (true) {
    j := 0;
    while (j<10) {
      if B then costlyOp;
      B := not B; j++
    };
    while (j<20) {
      cheapOp;
      j++
    }
  }
Costs: costlyOp – 10; everything else – 0
Overall cost: (5*10/79)
[Figure: control-flow graph of the program, with edges labelled [true], j:=0, [j<10], [j>=10], [B], [not B], costlyOp, B:=not B, j++, [j<20], cheapOp]
HPathBound
Control-flow graph nodes A to J (reconstructed from the slide): A -[true]-> B -j:=0-> C; C -[j<10]-> D; C -[j>=10]-> H; D -[B]-> E; D -[not B]-> F; E -costlyOp-> F; F -B:=not B-> G; G -j++-> C; H -[j<20]-> I; H -[j>=20]-> A; I -cheapOp-> J; J -j++-> H.
Segment tree, each node labelled <avg,maxp,minp,hasInfPath>:
  All traces <10/5,_,4,T>
    ABC <0,2,2,F>
    Loop1 <10/5,_,0,T>
      CDEFGC, CDFGC <10/5,5,4,F>
    CH <0,1,1,F>
    Loop2 <0,_,0,T>
      HIJH <0,2,2,F>
    HA <0,1,1,F>
Outline
• Quantitative Abstractions
– State-based abstractions
• Abstract state = set of states + numbers
– Segment-based abstractions
• Abstract state = set of segments + numbers
• Abstraction refinement
Abstraction Refinement for ExistsMax
Input: Abstract system S_em, concrete system S
Output: Refined system X, or a counterexample tecx
  ecx ← findMaxCtrex(S_em)
  (handle, loop) ← findLoop(ecx)
  (R0, X) ← reachHandle(handle, S)
  if (R0 = ∅)
    return X
  else
    loopPath ← unwind(loop, m)
    (b, tecx, X) ← splitQuant(S_em, loopPath, R0)
    if b then return tecx
    else return X endif
[Figure: a lasso-shaped abstract counterexample, split into a "handle" and a "loop"]
• Does "handle" correspond to a real path?
• Does "loop" correspond to a concrete loop with the same cost?
Abstraction Refinement for ExistsMax
[Figure: the "handle" of the abstract counterexample checked against the concrete system]
• Does "handle" correspond to a real path?
Abstraction Refinement for ExistsMax
[Figure: the "loop" of the abstract counterexample unrolled against the concrete system]
• Does "loop" correspond to a concrete loop with the same cost?
• The loop needs to be unrolled 1 + min |l_j| times, where |l_j| is the size of an abstract state in the loop
Abstraction Refinement for ExistsMax
Input: Abstract system S_em, concrete system S
Output: Refined system X, or a counterexample tecx
  ecx ← findMaxCtrex(S_em)
  (handle, loop) ← findLoop(ecx)
  (R0, X) ← reachHandle(handle, S)
  if (R0 = ∅)
    return X
  else
    loopPath ← unwind(loop, m)
    (b, tecx, X) ← splitQuant(S_em, loopPath, R0)
    if b then return tecx
    else return X endif
• Classical CEGAR has two heuristics: the choice of counterexample and the choice of refinement
• Quantitative refinement: take the extremal counterexample, and split where the difference between the abstract and the concrete transition is largest
[Figure: the "handle" and "loop" of the counterexample in the abstract system]
Hierarchical Segment Abstraction Refinement
Segment tree of the example program, nodes labelled <avg,maxp,minp,hasInfPath>:
  All traces <10/5,_,4,T>
    ABC <0,2,2,F>
    Loop1 <10/5,_,0,T>
      CDEFGC, CDFGC <10/5,5,4,F>
    CH <0,1,1,F>
    Loop2 <0,_,0,T>
      HIJH <0,2,2,F>
    HA <0,1,1,F>
Counterexample: a trace (CDEFG)^ω
Remove it by:
• adding B – prevents every iteration from going through costlyOp
• adding loop bounds – forces the trace to leave Loop1
Hierarchical Segment Abstraction Refinement: after adding B
  All traces <10/9,_,4,T>
    ABC <0,2,2,F>
    Loop1 <10/9,_,0,T>
      CDEFGC <10/5,5,5,F>
      CDFGC <0,4,4,F>
    CH <0,1,1,F>
    Loop2 <0,_,0,T>
      HIJH <0,2,2,F>
    HA <0,1,1,F>
Counterexample: a trace (CDEFG)^ω
Removed by adding B – every iteration can no longer go through costlyOp, since the two segments of Loop1 now alternate
Hierarchical Segment Abstraction Refinement
  All traces <10/5,_,4,T>
    ABC <0,2,2,F>
    Loop1 <10/5,_,0,T>
      CDEFGC, CDFGC <10/5,5,4,F>
    CH <0,1,1,F>
    Loop2 <0,_,0,T>
      HIJH <0,2,2,F>
    HA <0,1,1,F>
Counterexample: a trace (CDEFG)^ω
Remove it by:
• adding loop bounds – forcing the trace to leave Loop1
Hierarchical Segment Abstraction Refinement: after adding loop bounds (j' = j+1)
  All traces <100/54,_,4,T>
    ABC <0,2,2,F>
    Loop1 <10/5,50,40,T>
      CDEFGC, CDFGC <10/5,5,4,F>
    CH <0,1,1,F>
    Loop2 <0,_,0,T>
      HIJH <0,2,2,F>
    HA <0,1,1,F>
Counterexample: a trace (CDEFG)^ω
Removed by adding loop bounds – forcing the trace to leave Loop1
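The two refinements above (tracking B, or bounding Loop1 by tracking its counter j) as an added Python example, not code from the talk or the authors' tool. It encodes the slides' example program as a guarded control-flow graph with the node names of the HPathBound figure, builds the abstract transition relation by brute force over the finite concrete domain, and checks whether the abstract lasso (CDEFG)^ω still exists; it does not compute the <avg,maxp,minp,hasInfPath> tuples:

```python
from itertools import product

# Constructed encoding of the slides' example program as a guarded CFG over concrete states (j, B):
# (src, dst, guard, update), node names as on the slides; costlyOp is the edge E -> F.
CFG = [
    ("A", "B", lambda j, b: True,    lambda j, b: (j, b)),
    ("B", "C", lambda j, b: True,    lambda j, b: (0, b)),        # j := 0
    ("C", "D", lambda j, b: j < 10,  lambda j, b: (j, b)),
    ("C", "H", lambda j, b: j >= 10, lambda j, b: (j, b)),
    ("D", "E", lambda j, b: b,       lambda j, b: (j, b)),
    ("D", "F", lambda j, b: not b,   lambda j, b: (j, b)),
    ("E", "F", lambda j, b: True,    lambda j, b: (j, b)),        # costlyOp
    ("F", "G", lambda j, b: True,    lambda j, b: (j, not b)),    # B := not B
    ("G", "C", lambda j, b: True,    lambda j, b: (j + 1, b)),    # j++
    ("H", "I", lambda j, b: j < 20,  lambda j, b: (j, b)),
    ("H", "A", lambda j, b: j >= 20, lambda j, b: (j, b)),
    ("I", "J", lambda j, b: True,    lambda j, b: (j, b)),        # cheapOp
    ("J", "H", lambda j, b: True,    lambda j, b: (j + 1, b)),    # j++
]
# What a refinement may track: the predicate B, or the loop counter j itself (the loop bound).
OBSERVATIONS = {"B": lambda j, b: b, "j": lambda j, b: j}

def abstract_transitions(tracked):
    """Abstract transition relation, computed by brute force over the finite concrete domain
    j in 0..20, B in {T, F}: an abstract state is (node, values of the tracked observations),
    and an abstract edge exists iff some concrete state in its source can take the CFG edge."""
    obs = lambda j, b: tuple(OBSERVATIONS[name](j, b) for name in tracked)
    trans = set()
    for (u, v, guard, update), j, b in product(CFG, range(21), (True, False)):
        if guard(j, b):
            trans.add(((u, obs(j, b)), (v, obs(*update(j, b)))))
    return trans

def repeatable_forever(tracked, segment="CDEFGC"):
    """Greatest fixpoint: the abstract states at segment[0] from which the segment can be
    repeated forever. Non-empty means the lasso (segment)^omega survives in the abstraction."""
    trans = abstract_transitions(tracked)

    def post(states):  # abstract successors after running the whole segment once
        for u, v in zip(segment, segment[1:]):
            states = {t for (s, t) in trans if s in states and s[0] == u and t[0] == v}
        return states

    X = {s for (s, _) in trans if s[0] == segment[0]}
    while True:
        Y = {x for x in X if post({x}) & X}
        if Y == X:
            return X
        X = Y
```

With nothing tracked the lasso survives at node C; tracking B makes the segment flip B so it cannot run twice in a row, and tracking j makes every run of the segment increase j until the guard [j<10] closes Loop1.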
Experimental results
Example: Worst-case execution time analysis
  a,b,c,i,v:int; input v;
  if (v==1)
    for (i=0;i<16;i++) read(a);
  else if (v==2)
    for (i=0;i<16;i++)
      if (i mod 2 = 0) read(b);
  else
    for (i=0;i<16;i++)
      if (i mod 4 = 0) read(c);
step | tracked | lim-avg value | analysis time
0    | (none)  | 14.14         | 1240
1    | i       |  6.50         | 2102
2    | a       |  4.87         | 2675
3    | b       |  4.75         | 3275
4    | c       |  1.27         | 3864
5    | v       |  1.03         | 4631
Worst-case execution time analysis
Example: Binary search
  while(true) {
    input(s);
    l = 0; r = N - 1;
    do {
      m = (l + r) / 2;   /* parentheses added; the slide reads l + r / 2 */
      if(s > a[m])
        l = m + 1;
      else
        r = m - 1;
    } while(l <= r && a[m] != s);
  }
step | tracked      | lim-avg value | analysis time
0    | (none)       | 15.77         | 908
1    | m            | 11.15         | 1130
2    | r            |  8.23         | 1369
3    | l            |  5.0          | 1707
4    | s            |  3.76         | 1895
5    | a[(N - 1)/2] |  3.0          | 2211
6    | a[(N - 3)/4] |  2.97         | 2527
7    | a[(3N - 1)/4]|  2.85         | 3071
ExistsMax vs PathBound
Example: Karp’s algorithm for finding the min-mean cycle.
  #define SIZE 4   /* assumed value; SIZE, the index variables and the accumulators are undeclared on the slide */
  unsigned int graph[SIZE][SIZE];
  unsigned int D[SIZE + 1][SIZE];
  int main() {
    int k, v, u;
    unsigned int vNum, vDen, currNum, currDen;
    initialize(D);   /* as on the slide: initialize is not shown */
    D[0][0] = 0;
    /* D[k][u]: best weight of a walk with exactly k edges ending in u */
    for(k = 1; k <= SIZE; k++) {
      for(v = 0; v < SIZE; v++) {
        for(u = 0; u < SIZE; u++) {
          if(D[k][u] < D[k - 1][v] + graph[u][v])
            D[k][u] = D[k - 1][v] + graph[u][v];
        }
      }
    }
    /* Karp's ratio: over all v, extremum over k of (D[SIZE][v] - D[k][v]) / (SIZE - k),
       kept as a numerator/denominator pair to avoid division */
    vNum = 0; vDen = 1;
    for(v = 0; v < SIZE; v++) {
      currNum = 1000000000;
      currDen = 1;
      for(k = 0; k < SIZE; k++) {
        if((D[SIZE][v] - D[k][v]) * currDen < (SIZE - k) * currNum) {
          currNum = D[SIZE][v] - D[k][v];
          currDen = SIZE - k;
        }
      }
      if(currNum * vDen > currDen * vNum) {
        vNum = currNum; vDen = currDen;
      }
    }
  }
Partition size | ExistsMax lim-avg value | PathBound lim-avg value
2              | 25                      | 24.99
3              | 25                      | 23.82
5              | 25                      | 17.31
9              | 25                      | 4.43
Conclusion
• Contributions
– Framework for abstractions for quantitative (accumulative)
properties
– State-based and segment-based abstractions
– Counterexample-guided abstraction algorithm
– Hierarchical segment-based abstraction and refinement
• Future work
– Quantitative reasoning for CEGAR in Boolean systems
– Application to partial-program synthesis