Predicate Abstraction for Dense Real-Time Systems (PowerPoint presentation)


  1. Predicate Abstraction for Dense Real-Time Systems
  Oliver Möller (1), Harald Rueß (2), Maria Sorea (2)
  (1) BRICS, Århus, Denmark, omoeller@brics.dk
  (2) SRI International, Menlo Park, California, USA, {ruess,sorea}@csl.sri.com
  Oliver Möller, 7 April 2002: Predicate Abstraction for Dense Real-Time Systems

  2. Outline
  1 Framework: timed systems; propositional µ-calculus
  2 Predicate abstraction of timed systems
  3 Restricted delay steps
  4 Completeness of the refinement algorithm
  5 Small example

  3. Timed Systems
  Timing constraints $\Gamma$, propositional symbols $A$.
  A timed system is $S = \langle L, P, C, \to, l_0, I \rangle$.
  [Figure: timed automaton with locations $l_0$, $l_1$, $l_2$; edge labels $x := 0$, $y \le 1$, $y > x$, $y := 0$, $x > y$]
  Semantics as a transition system $M = \langle L \times V_C, P, \Rightarrow, (l_0, \nu_0) \rangle$, with the non-zenoness assumption: if a trace is infinite, the sum over all its delays is $\infty$.

  4. Clock Regions
  Given: $S$, $C$, $\tilde c$. Goal: a finite partition of the infinite state space.
  Clock region: $X_C \subseteq V_C$ such that for all $\chi \in \mathit{Constr}(c)$ and for any two $\nu, \nu' \in X_C$ it is the case that $\nu \models \chi$ if and only if $\nu' \models \chi$. Two valuations in the same region are written $\nu_1 \equiv_S \nu_2$.

  5. Propositional Next-Free µ-Calculus
  Syntax: $\varphi ::= p \mid \forall(\varphi_1 U \varphi_2) \mid \exists(\varphi_1 U \varphi_2) \mid Z \mid \mu Z.\varphi \mid \neg\varphi \mid \varphi \wedge \varphi \mid \mathit{tt}$
  Semantics: $[\![\varphi]\!]^M_\vartheta$ ... the set of states for which $\varphi$ holds.
  Intuitively, an existential (strong) until formula $\exists(\varphi_1 U \varphi_2)$ holds in a state $s$ iff $\varphi_1$ holds on some path from $s$ until $\varphi_2$ holds.
  $[\![\exists(\varphi_1 U \varphi_2)]\!]^M_\vartheta \stackrel{\text{def}}{=} \{ s_0 \in S \mid \text{there exists a path } \tau = (s_0 \Rightarrow s_1 \Rightarrow \ldots) \text{ s.t. } s_i \in [\![\varphi_2]\!]^M_\vartheta \text{ for some } i \ge 0, \text{ and for all } 0 \le j < i,\ s_j \in [\![\varphi_1]\!]^M_\vartheta \}$

  6. Model Checking
  Given: $M$, $\varphi$. Model checking problem: $l_0 \in [\![\varphi]\!]^M$? $\to$ Yes/No.
  Finite quotient for timed systems: region construction.
  Our approach: successive refinements of finite approximations.

  7. Abstract Interpretation: Galois Connections
  Concrete system $(Q, \sqsubseteq)$, abstract system $(Q_A, \sqsubseteq_A)$.
  $\alpha : Q \to Q_A$ is the abstraction, mapping $P \mapsto \alpha(P)$; $\gamma : Q_A \to Q$ is the concretization, mapping $P_A \mapsto \gamma(P_A)$.
  Essence: connection of two lattice structures.
  Problems: stability and self-loops.

  8. Predicate Abstraction of Timed Systems
  Abstraction predicate with respect to a given clock set $C$: a formula whose set of free variables lies in $C$.
  Set of abstraction predicates $\Psi = \{\psi_0, \ldots, \psi_{n-1}\}$.
  Abstraction function $\alpha : V_C \to \mathbb{B}^n$, with $\alpha(\nu)(i) := \psi_i\,\nu$.
  Concretization function $\gamma : \mathbb{B}^n \to \wp(V_C)$, with $\gamma(b) := \{\nu \in V_C \mid \bigwedge_{i=0}^{n-1} \psi_i\,\nu \equiv b(i)\}$.

  9. Over-/Under-Approximation
  Given: $M$, $\Psi$.
  Over-approximation of $M$: $M^+_\Psi = \langle S_A, P, \Rightarrow^+, s^A_0 \rangle$
  Under-approximation of $M$: $M^-_\Psi = \langle S_A, P, \Rightarrow^-, s^A_0 \rangle$
  where $S_A := L \times \mathbb{B}^n$ and
  $(l, b) \Rightarrow^+ (l', b')$ iff $\exists \nu \in \gamma(b).\ \exists \nu' \in \gamma(b').\ (l, \nu) \Rightarrow (l', \nu')$
  $(l, b) \Rightarrow^- (l', b')$ iff $\forall \nu \in \gamma(b).\ \exists \nu' \in \gamma(b').\ (l, \nu) \Rightarrow (l', \nu')$
  $s^A_0 := (l_0, b_0)$, where $b_0(i) = 1$ if $\psi_i\,\nu_0$ and $0$ otherwise.
  Note that $\Rightarrow^- \subseteq \Rightarrow^+$.

  10. Over-/Under-Approximation – Example
  $\Psi = \{\psi\}$, where $\psi \equiv x > y$.
  [Figure: abstract states $(l_i, \psi)$ and $(l_i, \neg\psi)$ for $i = 0, 1, 2$; panel a: over-approximation, panel b: under-approximation]

  11. Example for Abstraction
  [Figure: locations $l_0$ and $l_1$ with an edge $l_0 \to l_1$; constraints shown: $x = 1$, $x \le 1$]
  We want to verify: $\varphi = \forall(\mathit{tt}\ U\ \mathit{at}_{l_1})$
  Abstraction predicates: $\{x = 0,\ x < 1,\ x = 1\}$
  Assume the following sequence in the concrete trace (delays annotated on the arrows):
  $(l_0, x = 0) \Rightarrow^{1/2} (l_0, x = 1/2) \Rightarrow^{1/4} (l_0, x = 3/4) \Rightarrow^{1/4} (l_0, x = 1) \Rightarrow^{\mathit{true}} (l_1, x = 1)$
  Abstraction yields (only a fragment is illustrated) the abstract states $(l_0, \psi_0\,\psi_1\,\psi_2)$, $(l_0, \neg\psi_0\,\psi_1\,\neg\psi_2)$, $(l_0, \neg\psi_0\,\neg\psi_1\,\psi_2)$.
  Problem: spurious self-loop.

  12. Modified Semantics: Restricted Delay Step
  Given: $S$, $C$, $\tilde c$.
  A delay step $(l, \nu) \xrightarrow{\delta} (l, \nu + \delta)$ is a restricted delay step iff
  $\exists x \in C.\ \exists k \in \{0, \ldots, c\}.\ \nu(x) = k \vee (\nu(x) < k \wedge \nu(x) + \delta \ge k)$
  Restricted transition relation: $\Rightarrow_R \subseteq (L, V_C) \times (L, V_C)$
  The second delay step in the previous trace is disallowed:
  $(l_0, x = 0) \Rightarrow (l_0, x = 1/2) \not\Rightarrow (l_0, x = 3/4) \Rightarrow (l_0, x = 1) \Rightarrow (l_1, x = 1)$
  Theorem: $[\![\varphi]\!]^{M_R}_\vartheta = [\![\varphi]\!]^M_\vartheta$
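As an added example (not code from the slides or from the authors' tools), the following Python script models the single-clock system of the "Example for Abstraction" slide with the predicates {x = 0, x < 1, x = 1}. It implements the abstraction function α and the membership test for γ(b) of slide 8, the restricted-delay test of this slide, and a witness-based search for ⇒+ delay edges of slide 9. It assumes the invariant x ≤ 1 at l0 and uses constructed sample valuations and delays; sampling finds witnesses for ⇒+ edges but is not a decision procedure, so absence of an edge is only shown for the sampled points (for this system it also follows from the definition, since a restricted delay from 0 < x < 1 must reach x ≥ 1). Running it classifies the three delays of the slide's trace and shows the spurious self-loop on (l0, ¬ψ0 ψ1 ¬ψ2) with ordinary delay steps and its disappearance under restricted delay steps.

```python
from fractions import Fraction

# Added example (not from the slides): one clock x, location l0 with the
# assumed invariant x <= 1, and the abstraction predicates of slide 11.
C_MAX = 1  # largest constant c in the constraints, so k ranges over {0, ..., 1}

# Abstraction predicates psi_0, psi_1, psi_2 over the single clock valuation x
PREDICATES = [
    lambda x: x == 0,  # psi_0 : x = 0
    lambda x: x < 1,   # psi_1 : x < 1
    lambda x: x == 1,  # psi_2 : x = 1
]

def alpha(x):
    """alpha : V_C -> B^n ; bit i is the truth value of psi_i at valuation x."""
    return tuple(int(p(x)) for p in PREDICATES)

def in_gamma(x, b):
    """x lies in gamma(b) iff every psi_i agrees with bit b(i), i.e. alpha(x) == b."""
    return alpha(x) == b

def invariant_l0(x):
    """Location invariant of l0 (assumed from the slide's figure): x <= 1."""
    return x <= 1

def is_restricted_delay(x, delta):
    """Restricted delay step: the (only) clock sits on an integer k <= c,
    or the delay crosses such a k: x < k and x + delta >= k."""
    return any(x == k or (x < k and x + delta >= k) for k in range(C_MAX + 1))

def delay_successors(x, deltas, restricted):
    """Concrete delay successors of x in l0 for the sampled delays,
    under the ordinary or the restricted delay semantics."""
    succ = []
    for d in deltas:
        if d <= 0 or not invariant_l0(x + d):
            continue  # delays must be positive and keep the invariant
        if restricted and not is_restricted_delay(x, d):
            continue  # step disallowed under =>_R
        succ.append(x + d)
    return succ

def abstract_delay_edges(samples, deltas, restricted):
    """Witness-based edges (b, b') of =>+ on delay steps in l0:
    (l0, b) =>+ (l0, b') iff some sampled x in gamma(b) has a successor in gamma(b').
    Sampling finds witnesses for edges; it cannot prove an edge absent in general."""
    edges = set()
    for x in samples:
        for y in delay_successors(x, deltas, restricted):
            edges.add((alpha(x), alpha(y)))
    return edges

# Constructed sample valuations 0, 1/8, ..., 1 and sample delays 1/8, ..., 1
SAMPLES = [Fraction(k, 8) for k in range(0, 9)]
DELTAS = [Fraction(k, 8) for k in range(1, 9)]

def classify_trace(trace):
    """For a trace given as [(x, delta), ...], report which delay steps are restricted."""
    return [is_restricted_delay(x, d) for x, d in trace]

def has_self_loop_on_interior(restricted):
    """Is there a =>+ self-loop on (l0, ¬psi0 psi1 ¬psi2), i.e. on 0 < x < 1 ?"""
    b = (0, 1, 0)
    return (b, b) in abstract_delay_edges(SAMPLES, DELTAS, restricted)

if __name__ == "__main__":
    # The three delay steps of the slide's trace: x = 0 -> 1/2 -> 3/4 -> 1
    slide_trace = [(Fraction(0), Fraction(1, 2)),
                   (Fraction(1, 2), Fraction(1, 4)),
                   (Fraction(3, 4), Fraction(1, 4))]
    print("restricted steps:", classify_trace(slide_trace))                # [True, False, True]
    print("self-loop, ordinary delays:", has_self_loop_on_interior(False))  # True
    print("self-loop, restricted delays:", has_self_loop_on_interior(True)) # False
```

The second step (x = 1/2, δ = 1/4) is the one the slide strikes out: the clock is not on an integer and 1/2 + 1/4 does not reach k = 1. Under the restricted semantics every delay starting inside 0 < x < 1 must reach x = 1, so the abstract state (l0, ¬ψ0 ψ1 ¬ψ2) can no longer loop to itself.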

  13. Predicate Abstracted Semantics
  $[\![\mathit{tt}]\!]^{M^\sigma}_{\Psi,\vartheta} := S_A$
  $[\![p]\!]^{M^\sigma}_{\Psi,\vartheta} := \{(l, b) \in S_A \mid p \in P(l)\}$
  $[\![\varphi_1 \wedge \varphi_2]\!]^{M^\sigma}_{\Psi,\vartheta} := [\![\varphi_1]\!]^{M^\sigma}_{\Psi,\vartheta} \cap [\![\varphi_2]\!]^{M^\sigma}_{\Psi,\vartheta}$
  $[\![\neg\varphi]\!]^{M^\sigma}_{\Psi,\vartheta} := S_A \setminus [\![\varphi]\!]^{M^{\bar\sigma}}_{\Psi,\vartheta}$
  $[\![\exists(\varphi_1 U \varphi_2)]\!]^{M^\sigma}_{\Psi,\vartheta} := \{ s_0 \in S_A \mid \text{there exists a path } \tau = (s_0 \Rightarrow^\sigma s_1 \Rightarrow^\sigma s_2 \ldots) \text{ s.t. } s_i \in [\![\varphi_2]\!]^{M^\sigma}_{\Psi,\vartheta} \text{ for some } i \ge 0, \text{ and for all } 0 \le j < i,\ s_j \in [\![\varphi_1]\!]^{M^\sigma}_{\Psi,\vartheta} \}$
  $[\![\forall(\varphi_1 U \varphi_2)]\!]^{M^\sigma}_{\Psi,\vartheta} := \{ s_0 \in S_A \mid \text{for every path } \tau = (s_0 \Rightarrow^{\bar\sigma} s_1 \Rightarrow^{\bar\sigma} \ldots) \text{ there exists } i \ge 0 \text{ s.t. } s_i \in [\![\varphi_2]\!]^{M^\sigma}_{\Psi,\vartheta}, \text{ and for all } 0 \le j < i,\ s_j \in [\![\varphi_1]\!]^{M^\sigma}_{\Psi,\vartheta} \}$
  $[\![Z]\!]^{M^\sigma}_{\Psi,\vartheta} := \vartheta(Z)$
  $[\![\mu Z.\varphi]\!]^{M^\sigma}_{\Psi,\vartheta} := \bigcap \{ S' \subseteq S_A \mid [\![\varphi]\!]^{M^\sigma}_{\Psi,\vartheta[Z := S']} \subseteq S' \}$

  14. Soundness & Completeness
  Given: $M = \langle S_C, P, \Rightarrow, s^C_0 \rangle$ a transition system, $\Psi$ a set of predicates, $M^-_\Psi$, $M^+_\Psi$ the under-/over-approximations.
  Theorem: $\gamma([\![\varphi]\!]^{M^-_\Psi}) \subseteq [\![\varphi]\!]^M \subseteq \gamma([\![\varphi]\!]^{M^+_\Psi})$

  15. Soundness & Completeness (continued)
  Same setting: $M = \langle S_C, P, \Rightarrow, s^C_0 \rangle$, predicates $\Psi$, approximations $M^-_\Psi$, $M^+_\Psi$, and $\gamma([\![\varphi]\!]^{M^-_\Psi}) \subseteq [\![\varphi]\!]^M \subseteq \gamma([\![\varphi]\!]^{M^+_\Psi})$.
  Theorem: $(\forall \psi \in \Psi.\ \psi\nu_1 \Leftrightarrow \psi\nu_2) \Rightarrow \nu_1 \equiv_S \nu_2$

  16. Soundness & Completeness (continued)
  Same setting: $M = \langle S_C, P, \Rightarrow, s^C_0 \rangle$, predicates $\Psi$, approximations $M^-_\Psi$, $M^+_\Psi$, and $\gamma([\![\varphi]\!]^{M^-_\Psi}) \subseteq [\![\varphi]\!]^M \subseteq \gamma([\![\varphi]\!]^{M^+_\Psi})$.
  Theorem: If $(\forall \psi \in \Psi.\ \psi\nu_1 \Leftrightarrow \psi\nu_2) \Rightarrow \nu_1 \equiv_S \nu_2$, then $[\![\varphi]\!]^{M^-_\Psi}_\vartheta = [\![\varphi]\!]^{M^+_\Psi}_\vartheta$.

  17. Refinement of the Abstraction
  Basis: the "exact" abstract transition system can be computed, but this is not practicable.
  Instead: successive approximation of the abstract transition relation, driven by counterexamples.
  Given: $M$, $\Psi$, $\varphi$.
  Algorithm for computing $M^+_\psi$ stepwise (with $\psi \subseteq \Psi$) such that $M \models \varphi$ iff $M^+_\psi \models \varphi$.

  18. Example (Refinement)
  $\varphi := \neg\exists(\mathit{tt}\ U\ \mathit{at}_{l_2})$
  $\Psi := \{x = 0,\ y = 0,\ x \le 1,\ x \ge 1,\ y \le 1,\ y \ge 1,\ x > y,\ x < y\}$
  I. $\psi_0 \equiv x = 0$
  [Figure: abstract states $(l_i, \psi_0)$ and $(l_i, \neg\psi_0)$ for $i = 0, 1, 2$]
  $M^+_{\{x = 0\}} \models \varphi$? NO. Abstract counterexample:
  $\tau = ((l_0, \psi_0) \Rightarrow^+ (l_1, \psi_0) \Rightarrow^+ (l_1, \neg\psi_0) \Rightarrow^+ (l_2, \neg\psi_0))$

  19. Example – Continuation I.
  $\tau = (\underbrace{(l_0, \psi_0)}_{s_0} \Rightarrow^+ \underbrace{(l_1, \psi_0)}_{s_1} \Rightarrow^+ \underbrace{(l_1, \neg\psi_0)}_{s_2} \Rightarrow^+ \underbrace{(l_2, \neg\psi_0)}_{s_3})$
  Is there a corresponding counterexample on the concrete transition system?
  $\exists \tau_c = (y_0 \Rightarrow y_1 \Rightarrow y_2 \Rightarrow y_3)$ s.t. $y_0 \in \gamma(s_0)$, $y_1 \in \gamma(s_1)$, $y_2 \in \gamma(s_2)$, $y_3 \in \gamma(s_3)$, $y_0 = s^c_0$
  $F := \exists y_0, y_1, y_2, y_3 \in S_C.\ y_0 \in \gamma(s_0) \wedge y_1 \in \gamma(s_1) \wedge y_2 \in \gamma(s_2) \wedge y_3 \in \gamma(s_3) \wedge y_1 \Rightarrow y_2 \wedge y_2 \Rightarrow y_3 \wedge y_0 = s^c_0$
  Is $F$ valid?

  20. Example – Continuation II.
  Here $F$ is unsatisfiable!
  $y_0 \in (l_0, x = y = 0) \in \gamma(s_0)$
  $\Downarrow$
  $y_1 \in (l_1, x = 0 \wedge 0 \le y \le 1) \in \gamma(s_1)$
  $\Downarrow$
  $y_2 \in (l_1, x > 0 \wedge y > x) \in \gamma(s_2)$
  $\not\Downarrow$
  $y_3 \in (l_1, x > 0 \wedge y \ge 0) = \gamma(s_3)$
