Counterexample-Guided Abstraction Refinement
Edmund Clarke
Orna Grumberg Somesh Jha
Helmut Veith
Yuan Lu
Seminal Papers in Verification (Reading Group)
June 2012
O. Rezine ()
Verification Reading Group
1 / 33
Motivations:
Apply model checking to industrial problems.
Main challenge: State explosion.
How to tackle that:
I
Use BDD (1020 states), Symmetry Reductions, POR, . . .
I
Abstraction Techniques.
O. Rezine ()
Verification Reading Group
2 / 33
Abstraction Techniques:
Idea: Remove details, simplify components that are irrelevant.
Concrete model ∼ Abstract model.
The abstract model is smaller ⇒ Easier to verify.
It comes with an information loss:
Over-approximation comes with False negatives.
Under-approximation comes with False positives.
O. Rezine ()
Verification Reading Group
3 / 33
CounterExample Guided Abstraction Refinement:
Integrates:
Symbolic model checking.
Over-approximation abstraction.
⇒ It comes with false negatives.
Fully automatic, including abstraction refinement.
O. Rezine ()
Verification Reading Group
4 / 33
CEGAR general scheme
Model extraction: Initial abstraction.
Model-Check the Abstract Model.
If no bug is found:
I
The concrete Model is safe.
If a counterexample is found: Is it a concrete one?
I
Yes. ”Happy” end.
I
No. Refine the abstraction and model-check again.
O. Rezine ()
Verification Reading Group
5 / 33
Summary:
We talked so far about:
Motivations behind CEGAR.
General scheme of the approach.
Now we will talk about:
Abstraction validity.
Initial (abstract) model extraction.
Algorithms used to:
I
I
Check validity of the counterexample.
Refine the abstraction.
Later we will present extensions and use of CEGAR approach.
O. Rezine ()
Verification Reading Group
6 / 33
Existential abstraction definition:
Formally, a program P can be modeled as a Kripke structure (S, I, R, L)
where:
S is the set of states.
I ∈ S is the set of initial states.
R ∈ S × S is the transition relation.
L : S 7→ 2Atoms(P) is the state labeling function.
Atoms(P) being the set of atomic propositions of the the program P.
O. Rezine ()
Verification Reading Group
7 / 33
Existential abstraction definition:
b that induces an equivalence
An abstraction is a surjection h : D 7→ D
relation:
d ≡ e iff h(d) = h(e)
b bI , R,
b b
The corresponding abstract Kripke tructure (S,
L) is:
b
S = h(S).
bI (d)
b iff ∃d ∈ I such that h(d) = db
b db1 , db2 ) iff ∃d1 , d2 ∈ S such that
R(
(h(d1 ) = db1 ∧ h(d2 ) = db2 ∧ R(d1 , d2 ))
b
b =S
L(d)
b L(d)
h(d)=d
This is called the Existential Abstraction.
O. Rezine ()
Verification Reading Group
8 / 33
Abstraction Validity:
An atomic formula f respects an abstraction h iff:
∀d1 , d2 ∈ D we have: d1 ≡ d2 ⇒ (d1 |= f ⇔ d2 |= f )
b is consistent iff:
For an abstract state db we say that b
L(d)
V
∀d ∈ D such that h(d) = db we have: d |= f ∈bL(d)
b f
O. Rezine ()
Verification Reading Group
9 / 33
Abstraction Validity:
ACTL∗ is the fragment of CTL∗ that:
Contains only A as path operator (no E ).
The only negations it contains concerns the atomic propositions.
Exmaple: A F p.
Theorem
Let h be an abstraction and ϕ be an ACTL∗ specification where the
atomic subformulas respect h. then the following holds:
b
b is consistent for all abstract state db in M.
b
L(d)
b |= ϕ ⇒ M |= ϕ
M
O. Rezine ()
Verification Reading Group
10 / 33
CEGAR general scheme
Model extraction: Initial abstraction.
Model-Check the Abstract Model.
If no bug is found:
I
The concrete Model is safe.
If a counterexample is found: Is it a concrete one?
I
Yes. ”Happy” end.
I
No. Refine the abstraction and model-check again.
O. Rezine ()
Verification Reading Group
11 / 33
Example:
We will model a program P using transition blocks associated to its
variables.
1
3
5
7
init ( x ) := 0;
next ( x ) := case
reset = TRUE : 0;
x<y
: x +1;
x=y
: 0;
else
: x;
esac ;
O. Rezine ()
9
11
13
init ( y ) := 1;
next ( y ) := case
reset = TRUE
( x = y ) && !( y =2)
x=y
else
esac ;
Verification Reading Group
:
:
:
:
0;
x +1;
0;
y;
12 / 33
Model Extraction:
We construct the initial abstraction such that:
V
∀d1 , d2 such that d1 ≡ d2 we have ∀f ∈Atoms(P) d1 |= f ⇔ d2 |= f
How to:
Define formula clusters FCi of formulas dealing with the same variable
set.
Define the corresponding variable clusters VCi .
For each variable cluster, define an abstraction whose abstract states
are consistent with the cluster formulas.
Cross-product all the cluster abstractions to obtain The abstraction.
O. Rezine ()
Verification Reading Group
13 / 33
Example:
We will model a program P using transition blocks associated to its
variables.
1
3
5
7
init ( x ) := 0;
next ( x ) := case
reset = TRUE : 0;
x<y
: x +1;
x=y
: 0;
else
: x;
esac ;
O. Rezine ()
9
11
13
init ( y ) := 1;
next ( y ) := case
reset = TRUE
( x = y ) && !( y =2)
x=y
else
esac ;
Verification Reading Group
:
:
:
:
0;
x +1;
0;
y;
14 / 33
Model Extraction:
Atoms(P) = {(reset=TRUE), (x=y), (x<y), (y=2)} = FC1 ∪ FC2 .
VC1 = {reset}, VC2 ={x,y}.
FC1 equivalence classes:
{0}
{1}
{}
{reset}
{(0, 0), (1, 1)}
{(0, 1)}
FC2 equivalence classes: {(0, 2), (1, 2)}
{(1, 0), (2, 0), (2, 1)}
{(2, 2)}
O. Rezine ()
Verification Reading Group
{(x
{(x
{(x
{}
{(x
= y )}
< y ), }
< y ), (y = 2)}
= y ), (y = 2)}
15 / 33
Model Extraction: Concrete State Space
X, reset=FALSE
0
1
X, reset=TRUE
2
0
1
2
0
Y
1
start
2
O. Rezine ()
Verification Reading Group
16 / 33
Model Extraction: Concrete Transition Relation
X, reset=FALSE
0
1
X, reset=TRUE
2
0
1
2
0
Y
1
start
2
O. Rezine ()
Verification Reading Group
17 / 33
Model Extraction: Abstract State Space
X, reset=FALSE
0
1
X, reset=TRUE
2
0
1
2
0
Y
1
start
2
O. Rezine ()
Verification Reading Group
18 / 33
Model Extraction: Abstract Transition Relation
X, reset=FALSE
0
1
X, reset=TRUE
2
0
1
2
0
Y
1
start
2
O. Rezine ()
Verification Reading Group
19 / 33
CEGAR general scheme
Model extraction: Initial abstraction.
Model-Check the Abstract Model.
If no bug is found:
I
The concrete Model is safe.
If a counterexample is found: Is it a concrete one?
I
Yes. ”Happy” end.
I
No. Refine the abstraction and model-check again.
O. Rezine ()
Verification Reading Group
20 / 33
Checking finite counterexample:
b = hsb1 , . . . , sbn i.
Counterexample T
Concrete traces are given by:
Vn
Vn−1
Counterexample-Guided
Refinement
{ hs1 , . . . , sn i | Abstraction
i=1 h(si ) = sbi ∧ I (s1 ) ∧
i=1 R(si , si+1 ) }
773
FIG. 6. An abstract counterexample.
si ∈ Si . O.
ByRezine
the()definition of h −1
(!
T ), sReading
Img(si , R) and si+1 ∈ h −1 ("
s21i+1
).
Verification
Group
/ 33
i+1 ∈
Checking finite counterexample:
SplitPATH: Symbolic algorithm to compute concrete paths:
S := h−1 (sb1 ) ∩ I
j := 1
while ( S 6= ∅ and j < n ) {
j := j + 1;
Sprev := S
S := Img (S, R) ∩ h−1 (b
sj )
}
if S 6= ∅ then output counterexample // –> Happy end.
else output j,Sprev // –> Move to the refinement step.
O. Rezine ()
Verification Reading Group
22 / 33
Checking infinite counterexample:
ω
b = hsb1 , . . . , sbi ihsd
Counterexample T
i+1 , . . . , sbn i .
Example:
FIG. 7. SplitPATH checks if an abstract path is spurious.
hsb1 ihsb2 , sb3 iω
Unwinding:
IG. 8. we
A loop
For one abstractFloop
get:counterexample, and its unwinding.
Many concrete loops with different sizes.
s!n . Since this case is more complicated than the path counterexamples, we first
start
points.some of the typical situations occur.
presentDifferent
an example
in which
s2 , s!3 "ω as shown in Figure 8. In orExample 4.12. We consider a loop !!
s1 "!!
der to findO. out
corresponds
to concrete loops, we unwind23 /the
Rezineif()the abstract loop
Verification
Reading Group
33
Checking infinite counterexample:
Also, the unwinding become eventually periodic.
Question: How many unwindings are necessary to check the abstract loop?
Theorem
The following are equivalent:
b corresponds to a concrete counterexample.
T
bunwind ) is not empty.
h−1 (T
path
Where:
ω
b = hsb1 , . . . , sbi ihsd
T
i+1 , . . . , sbn i
min
bunwind = hsb1 , . . . , sbi ihsd
T
i+1 , . . . , sbn i
min = mini+1≤j≤n |h−1 (b
sj )|
bunwind
We can use SplitPATH to check T
O. Rezine ()
Verification Reading Group
24 / 33
CEGAR general scheme
Model extraction: Initial abstraction.
Model-Check the Abstract Model.
If no bug is found:
I
The concrete Model is safe.
If a counterexample is found: Is it a concrete one?
I
Yes. ”Happy” end.
I
No. Refine the abstraction and model-check again.
O. Rezine ()
Verification Reading Group
25 / 33
Abstraction Refinement:
We consider here only finite path counterexample.
Let’s recall SplitPATH algorithm:
S := h−1 (sb1 ) ∩ I
j := 1
while ( S 6= ∅ and j < n ) {
j := j + 1;
Sprev := S
S := Img (S, R) ∩ h−1 (b
sj )
}
if S 6= ∅ then output counterexample // –> Happy end.
else output j,Sprev // –> Move to the refinement step.
O. Rezine ()
Verification Reading Group
26 / 33
Abstraction Refinement:
There exist i, such that Si ⊂ h−1 (b
si ), Img (Si , R) ∩ h−1 (sd
i+1 ) = ∅ andSi
−1
reachable from h (sb1 ) ∩ I
We partition h−1 (b
si ) into three subsets:
Si,0 = Si
0
Si,1 = {s ∈ h−1 (b
si )|∃s 0 ∈ h−1 (sd
i+1 ).R(s, s )}
Counterexample-Guided
Refinement
Si,x = h−1 (b
si )\(SAbstraction
i,0 ∪ Si,1 )
O. Rezine ()
FIG. 6. An abstract counterexample.
Verification Reading Group
773
27 / 33
Abstraction Refinement:
Abstraction defined by h−1 (b
s ) = E1 × . . . Em , m being the number of
variable clusters.
We need to separate Si,o and Si,1 by refining our abstraction, i.e. refining
the equivalence classes ≡j , 1 ≤ j ≤ m.
Objective: Maintain the smallest possible abstraction.
Theorem
The problem of finding the coarsest refinement is NP-hard.
When Si,x = ∅, the problem can be solved in polynomial time.
O. Rezine ()
Verification Reading Group
28 / 33
Abstraction Refinement:
Abstraction refining algorithm:
for j := 1 to m {
≡0j := ≡j
for every a, b ∈ Ej {
if proj(Si,0 , j, a) 6= proj(Si,0 , j, b)
then ≡0j := ≡0j \{(a, b)}
}
}
Where proj(Si,0 , j, a) 6= proj(Si,0 , j, b) means that:
∃(d1 , . . . , dj , dj+1 , . . . , dm ) such that:
(d1 , . . . , dj , a, dj+1 , . . . , dm ) ∈ Si,0
(d1 , . . . , dj , b, dj+1 , . . . , dm ) ∈
/ Si,0
O. Rezine ()
Verification Reading Group
29 / 33
Abstraction Refinement:
Abstraction refining algorithm:
for j := 1 to m {
≡0j := ≡j
for every a, b ∈ Ej {
if proj(Si,0 , j, a) 6= proj(Si,0 , j, b)
then ≡0j := ≡0j \{(a, b)}
}
}
Lemma
When Si,x = ∅ the relation ≡0j computed by PolyRefine is an equivalence
relation which refines ≡j and separates Si.0 and Si,1 . Furthermore, the
equivalence relation ≡0j is the coarsest refinement of ≡j
O. Rezine ()
Verification Reading Group
30 / 33
Abstraction Refinement:
Theorem
Given a model M and an ACTL∗ specification ϕ whose counterexample is
b such that
either path or loop, CEGAR will find a model M
b
M |= ϕ ⇔ M |= ϕ
O. Rezine ()
Verification Reading Group
31 / 33
Extensions and tools:
CEGAR has been implemented in many tools such as Blast, Moped ..
It has been also enriched with:
Use of SAT Solvers instead of OBDD.
Use of Inerpolants in order to refine the abstraction.
Has been also applied for infinite state systems . . .
O. Rezine ()
Verification Reading Group
32 / 33
Thanks for your attention.
O. Rezine ()
Verification Reading Group
33 / 33