

  1. Abstract Interpretation of CTL Properties Caterina Urban, Samuel Ueltschi, Peter Müller

  2. Computation Tree Logic
  Branching-time logic. Syntax: φ ::= p | … | AX φ | EX φ | A(φ U φ) | E(φ U φ) | AG φ | EG φ | …
  Examples on a tree with coloured nodes: A(true U black), E(blue U black)
  Goal: Automatically check CTL properties of programs
  ‐ Infer sufficient preconditions
  ‐ Handle existential properties

  3. Example
  CTL specification: A( true U x = 0 )
  Program:
    while ( rand() ) {
      x := 1
      y := y + 1
      x := 0
    }
    while ( true ) { }
  Inferred precondition: x = 0

  4. Maximal Trace Semantics
  Contains all finite and infinite traces of a program. Program points of the example:
    1: while ( rand() ) {
         x := 1
    2:   y := y + 1
    3:   x := 0
    4: }
    5: while ( true ) { }
  Example traces (sequence of program points, with the state at each step):
  ‐ 1, 5, 5, 5, 5, 5, … with x=0, y=0 at every step (the first loop exits immediately)
  ‐ 1, 2, 3, 4, 1, 5, … with x=0, y=0 → x=1, y=0 → x=1, y=1 → x=0, y=1 → x=0, y=1 → … (one iteration, then exit)
  ‐ 1, 5, 5, 5, 5, 5, … with x=2, y=3 at every step
  ‐ 1, 2, 3, 4, 1, 5, … with x=2, y=3 → x=1, y=3 → x=1, y=4 → x=0, y=4 → x=0, y=4 → …

  5. Program Semantics for CTL
  For a given CTL formula φ and a set of program traces, define a partial function from states to ordinals.
  A program satisfies a CTL formula φ for all traces starting from an initial state σ if and only if σ belongs to the domain of that function.
  If defined for an until-formula φ1 U φ2, the function yields the number of steps until φ2 holds (ranking function).
  Example, at program point 1 of the program above:
  ‐ A( true U x = 0 ): σ is mapped to 0 if σ(x)=0, and the function is undefined otherwise
  ‐ E( true U x = 0 ): σ is mapped to 0 if σ(x)=0, and to 3 otherwise

  6. Piecewise-defined Ranking Functions
  Program semantics for CTL: Σ ⇀ O (partial functions from states to ordinals)
  Abstract semantics: piecewise-defined ranking functions
  Earlier work by Caterina Urban and Antoine Miné [SAS’13, SAS’14, ESOP’14]

  7. Abstract Domain: Decision Trees
  Piecewise-defined functions are represented as decision trees: inner nodes test constraints on the variables (here x ≥ 4, then x ≥ 2), leaves hold the pieces of the function.
  f(x) = 4 if x ≥ 4; 7 − x if x ≥ 2 (and x < 4); undefined otherwise

  8. Static Analysis
  Map each program point to a function over-approximating the concrete semantics
  Analysis is performed backward for each constituent formula
  Example: A( true U x = 0 ) on the program above (points 1 to 5), with each point annotated by a decision tree over x

  9. Static Analysis
  A( true U x = 0 ), analysed backward along the loop: the function at point 3 is 1 and at point 2 is 2 (steps until x = 0); at point 1 the loop entry contributes 3, while the loop exit (point 5, where x never changes) is undefined.
  For universal formulas, merge preserves undefinedness: point 1 is therefore defined (with value 0) only where x = 0, which is the inferred precondition.
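The concrete semantics of slide 5 and the backward values of slides 8 and 9, as an added example that is not part of the slides or of the FuncTion analyzer: the ranking functions of A(true U x = 0) and E(true U x = 0) are computed by least-fixpoint iteration over the transition system of the slide 3 program. It assumes the variable y can be dropped (the property mentions only x) and restricts x to {0, 1, 2} so that the state space is finite.

```python
from itertools import product

# Program points and the tracked variable x (assumption: y is dropped, the property only mentions x).
POINTS = range(1, 6)
XS = (0, 1, 2)
STATES = [(pc, x) for pc, x in product(POINTS, XS)]

def successors(state):
    """Transition relation of the slide 3 program, state = (program point, x):
    1: while (rand()) { x := 1  2: y := y + 1  3: x := 0  4: }  5: while (true) {}"""
    pc, x = state
    return {1: [(2, 1), (5, x)],   # loop test: enter the body (x := 1) or exit
            2: [(3, x)],           # y := y + 1 (y is not tracked)
            3: [(4, 0)],           # x := 0
            4: [(1, x)],           # back to the loop head
            5: [(5, x)]}[pc]       # while (true) {} stutters forever

def until(phi1, phi2, universal):
    """Least fixpoint of the ranking-function semantics of A(phi1 U phi2)
    (universal=True) or E(phi1 U phi2) (universal=False): a partial function
    state -> ordinal giving the number of steps until phi2 holds."""
    rank = {s: 0 for s in STATES if phi2(s)}      # phi2 holds now: 0 steps
    changed = True
    while changed:
        changed = False
        for s in STATES:
            if s in rank or not phi1(s):
                continue
            succ = successors(s)
            vals = [rank[t] for t in succ if t in rank]
            if universal and len(vals) == len(succ):
                rank[s] = 1 + max(vals)   # every successor defined: merge keeps undefinedness
                changed = True
            elif not universal and vals:
                rank[s] = 1 + min(vals)   # some successor defined: merge keeps definedness
                changed = True
    return rank

def precondition(rank, pc=1):
    """Sufficient precondition at a program point: the x values in the domain."""
    return {x for (p, x) in rank if p == pc}

x_is_zero = lambda s: s[1] == 0
always = lambda s: True

def a_until_x0():
    return until(always, x_is_zero, universal=True)

def e_until_x0():
    return until(always, x_is_zero, universal=False)

if __name__ == "__main__":
    print("A(true U x = 0):", sorted(a_until_x0().items()))
    print("E(true U x = 0):", sorted(e_until_x0().items()))
    print("precondition at point 1:", precondition(a_until_x0()))
```

At point 1 the universal formula is defined only for x = 0, while the existential one assigns 3 steps to x ≠ 0, matching the values stated on slide 5.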

  10. Conditional Statements
  A( true U y = 1 ) on
    1: if ( x >= 2 ) {
    2:   y := 1
       } else {
         y := 0
       }
  At point 1 the decision tree tests x ≥ 2: the then-branch (x ≥ 2) yields 2 steps to y = 1; the else-branch (x < 2), where y := 0 never reaches y = 1, is undefined (NIL).

  11. Conditional Statements
  A( true U y = 1 ) on the same program with the condition `if ( x >= 2 && x%2 == 0 )`.
  The decision tree at point 1 tests x ≥ 2 and then x%2 = 0: the then-branch holds where both constraints are true, the else-branch where x < 2 ∨ x%2 = 1, and its leaves are undefined (NIL).
  For universal formulas, merge preserves undefinedness.

  12. Conditional Statements
  E( true U y = 1 ) on the same program with the condition `if ( x >= 2 || x%2 == 0 )`. Unsound! The decision tree handles the disjunctive condition the same way as the conjunctive one on the previous slide.
  For existential formulas, merge preserves definedness.

  13. Conditional Statements
  E( true U y = 1 ) on the same program, `if ( x >= 2 || x%2 == 0 )`, sound version: the else-branch is constrained by the negation of the disjunction, x < 2 ∧ x%2 = 1, and its leaves are undefined (NIL); everything else takes the then-branch value.
  For existential formulas, merge preserves definedness.

  14. Soundness
  A program satisfies a CTL formula φ for all traces starting from an initial state σ if σ belongs to the domain of the concretization of the abstract semantics for φ. Unlike the concrete characterization on slide 5, this is an implication only: the analysis yields a sufficient precondition.

  15. Evaluation
  Implementation in the FuncTion static analyzer
  ‐ C-like input language
  ‐ Available at https://github.com/caterinaurban/function
  Evaluated on test cases and benchmarks from the literature and the SV-COMP competition
  Abstract domains
  ‐ Polyhedra for constraints
  ‐ Affine functions and ordinals for leaves of decision trees

  16. Experimental Results

  17. Summary
  Theory for analyzing CTL properties with abstract interpretation
  Automatic inference of sufficient preconditions
  Implementation in the FuncTion static analyzer: https://github.com/caterinaurban/function
  Future work: extension to LTL
