
Refinement of Trace Abstraction for Real-Time Programs
September 9, 2017

Franck Cassez (2), Peter G. Jensen (1, 2) and Kim G. Larsen (1), pgj@cs.aau.dk
(1) Department of Computer Science, Aalborg University
(2) Department of Computing, Macquarie University


2. Setting of Talk: Modelchecking

◮ Generic framework for timed systems
◮ Verification of reachability/safety properties
◮ Synthesis of reachable/safe parameter sets

3. Trace Abstraction Refinement: Overview

◮ Consider the system as two parts:
  ◮ a control-flow graph (CFG), and
  ◮ the "semantics": instructions as constraint systems.
◮ Check the system one (abstract) trace at a time.
◮ The CFG is our coarsest abstraction.
◮ Refine the CFG.

Conditions
◮ The system has to be in CFG/semantics form.
◮ We need methods for:
  ◮ encoding a trace as a constraint system (Enc),
  ◮ checking satisfiability of the constraint system (Z3),
  ◮ generalizing unsatisfiable traces, and
  ◮ refining the abstraction.

4. Real-Time Programs: Motivation

◮ Plethora of formalisms:
  ◮ Time(d) (Arc) Petri nets,
  ◮ Timed Automata,
  ◮ Hybrid Automata,
  ◮ Timed process algebras,
  ◮ ...
◮ Trace Abstraction Refinement originates from program verification.
◮ Decouple control flow and semantics.

5. Real-Time Programs: Example

[Figure: CFG with states ι, ℓ0, ℓ1, ℓ2 and edges i, t0, t1, t2, labelled as in the table.]

Edge | Guard            | Update      | Rate
i    | true             | x:=y:=z:=0  | dy/dt=1
t0   | true             | z:=0        | dy/dt=0
t1   | x==1             | x:=0        | dy/dt=0
t2   | x-y>=1 and z<1   | -           | dy/dt=0

Notice: because we are only concerned with reachability, invariants can be seen as guards.

6. Real-Time Programs: Preliminaries

Let $V$ be a set of real-valued variables.
◮ $\nu : V \to \mathbb{R}$ is a valuation; the set of valuations is $[V \to \mathbb{R}]$.
◮ $\beta(V)$ is a set of constraints on $V$; $\nu \models \varphi$ when $\varphi(\nu) = \mathit{True}$, for $\varphi \in \beta(V)$.
◮ $U(V)$ is the set of updates on the variables in $V$; $\mu \subseteq [V \to \mathbb{R}] \times [V \to \mathbb{R}]$ for $\mu \in U(V)$.
◮ $R(V) \subseteq \mathbb{Q}^V$ is the set of rates.
Let $I = \beta(V) \times U(V) \times R(V)$ denote the set of instructions.

7. Real-Time Programs: Semantics

Let $\nu : V \to \mathbb{R}$ and $\nu' : V \to \mathbb{R}$ be two valuations over the variables. For each pair $(\alpha, \delta) \in I \times \mathbb{R}_{\ge 0}$, with $\alpha = (\gamma_\alpha, \mu_\alpha, \rho_\alpha)$, we define the following transition relation:

$$\nu \xrightarrow{\alpha,\delta} \nu' \iff \begin{cases} 1.\ \nu \models \gamma_\alpha & \text{(guard is satisfied in } \nu\text{)}, \\ 2.\ \exists \nu'' \text{ s.t. } (\nu, \nu'') \in \mu_\alpha & \text{(discrete update), and} \\ 3.\ \nu' = \nu'' + \delta \times \rho_\alpha & \text{(continuous update).} \end{cases}$$

8. Real-Time Programs: Semantics (cont'd)

The semantics of $\alpha \in I$ is a mapping $[\![\alpha]\!]$ from a valuation to the set of valuations reachable from it in one $\alpha$-step, extended to sets of valuations as follows:

$$[\![\alpha]\!](\nu) = \{\nu' \mid \exists \delta \ge 0,\ \nu \xrightarrow{\alpha,\delta} \nu'\}, \qquad \nu \in [V \to \mathbb{R}],$$
$$[\![\alpha]\!](K) = \bigcup_{\nu \in K} [\![\alpha]\!](\nu), \qquad K \subseteq [V \to \mathbb{R}].$$

We inductively define the post operator $\mathit{Post}$ as follows:

$$\mathit{Post}(K, \epsilon) = K, \qquad \mathit{Post}(K, \alpha.w) = \mathit{Post}([\![\alpha]\!](K), w).$$

9. Real-Time Programs: Formal definition

A Real-Time Program is a pair $P = (A_P, [\![\cdot]\!])$ where
◮ $A_P = (Q, \iota, I, \Delta, F)$ is a finite automaton defining the control-flow graph (CFG):
  ◮ $Q$ is the set of states,
  ◮ $\iota \in Q$ is the initial state,
  ◮ $I$ is a set of labels (instructions),
  ◮ $\Delta \subseteq Q \times I \times Q$ is the transition relation, and
  ◮ $F$ is a set of accepting states;
◮ $[\![\cdot]\!]$ gives semantics to each instruction.

10. Traces: Feasibility

Timed word. A timed word (over alphabet $I$) is a finite sequence $\sigma = (\alpha_0, \delta_0).(\alpha_1, \delta_1).\cdots.(\alpha_n, \delta_n)$ such that for each $0 \le i \le n$, $\delta_i \in \mathbb{R}_{\ge 0}$ and $\alpha_i \in I$.

The timed word $\sigma$ is feasible if and only if there exists a set of valuations $\{\nu_0, \ldots, \nu_{n+1}\} \subseteq [V \to \mathbb{R}]$ such that

$$\nu_0 \xrightarrow{\alpha_0,\delta_0} \nu_1 \xrightarrow{\alpha_1,\delta_1} \nu_2 \cdots \nu_n \xrightarrow{\alpha_n,\delta_n} \nu_{n+1}.$$

11. Traces: Feasibility (cont'd)

Let $\mathit{Unt}(\sigma) = \alpha_0.\alpha_1.\cdots.\alpha_n$ be the untimed version of $\sigma$.

Lemma. An untimed word $w \in I^*$ is feasible iff $\mathit{Post}(\mathit{True}, w) \ne \mathit{False}$.

Checking feasibility. Assume $\mathit{Enc}(w) \in \beta(V^N)$ (a constraint over indexed copies of the variables, cf. the encoding on slide 13). Then $w$ is feasible iff there exists $\nu$ s.t. $\nu \models \mathit{Enc}(w)$.

12. Traces: Complexity

◮ If the trace can be encoded in a decidable theory, checking the trace is decidable.
◮ Linear Hybrid Automata traces can be encoded in Linear Real Arithmetic (LRA).
◮ Satisfiability of LRA is decidable; it is essentially linear programming.
◮ Even if the theory is not decidable, we can be lucky.
◮ Off-the-shelf solvers such as Z3.

13. Real-Time Programs: Example (cont'd)

For the program of slide 5 (edges i, t0, t1, t2 with the guards, updates and rates given there), the encoding of the untimed word $i.t_0.t_2$ is

$$\begin{aligned}
\mathit{Enc}(i.t_0.t_2) = {} & x_0 = y_0 = z_0 = \delta_0 \wedge \delta_0 \ge 0 \\
\wedge {} & x_1 = x_0 + \delta_1 \wedge y_1 = y_0 \wedge z_1 = \delta_1 \wedge \delta_1 \ge 0 \\
\wedge {} & x_1 - y_1 \ge 1 \wedge z_1 < 1 \wedge x_2 = x_1 + \delta_2 \wedge y_2 = y_1 \wedge z_2 = z_1 + \delta_2 \wedge \delta_2 \ge 0
\end{aligned}$$

Each instruction contributes its guard on the current copy of the variables, its update, and a delay $\delta_k \ge 0$ applied with the instruction's rates ($\dot x = \dot z = 1$ throughout, $\dot y = 1$ only after $i$). This word is infeasible: the guard of $t_2$ requires $x_1 - y_1 = \delta_1 \ge 1$ while $z_1 = \delta_1 < 1$.

14. Trace Abstraction Refinement: Overview (revisited)

Conditions
◮ The system has to be in CFG/semantics form. ✓
◮ We need methods for:
  ◮ encoding a trace as a constraint system (Enc), ✓
  ◮ checking satisfiability of the constraint system (Z3), ✓
  ◮ generalizing unsatisfiable traces, and
  ◮ refining the abstraction.

15. TAR: Algorithm

Trace Abstraction Refinement semi-algorithm for real-time programs:

Initially $R = \emptyset$.
Step 1: Is $L(A_P) \subseteq R$? If yes, stop: $\mathit{TL}(P) = \emptyset$. If no, let $w \in L(A_P) \setminus R$ and go to Step 2.
Step 2: Is $w$ feasible? If yes, stop: $\mathit{TL}(P) \ne \emptyset$ and $w$ is a witness. If no, go to Step 3.
Step 3: $R := R \cup L(\mathit{IA}(w))$, where $\mathit{IA}(w)$ accepts the infeasible words generalized from $w$ (slide 16); return to Step 1.

16. TAR: Generalization of Infeasibility

Consider an infeasible word $w$ over the program $(A_P, [\![\cdot]\!])$. Then we can
◮ encode $w$ as a conjunction of constraint systems $c = C_0 \wedge \cdots \wedge C_n$ where, for $0 \le m \le n$, $C_m$ is the encoding of the effect of instruction $i_m$,
◮ check feasibility using a solver, and
◮ construct Craig interpolants using an interpolating solver (such as Z3).

Craig interpolant. A Craig interpolant is a sequence of sufficient conditions for showing unsatisfiability of a constraint system.

17. TAR: Example

[Figure: program $A_2$ with states ι, 0, 1, 2 and edges i, t0, t1, t2, labelled as in the table.]

Edge | Guard | Update
i    | true  | x:=y:=k:=0
t0   | x ≥ 1 | —
t1   | true  | x:=0; k++
t2   | y < k | —

18. TAR: Example (cont'd)

Same program $A_2$ as on slide 17. Consider an infeasible word $w_n$, for $n > 1$, of the form $i.t_0.(t_1.t_0)^n.t_2$, encoded as

$$\begin{aligned}
c = {} & \big[x_0 = y_0 = k_0 = 0 \wedge \delta_0 \ge 0 \wedge x_1 = x_0 + \delta_0 \wedge y_1 = y_0 + \delta_0\big] \\
\wedge {} & \big[x_1 \ge 1 \wedge \delta_1 \ge 0 \wedge x_2 = x_1 + \delta_1 \wedge y_2 = y_1 + \delta_1\big] \\
\wedge {} & \big[x_3 = 0 \wedge k_1 = k_0 + 1 \wedge \delta_2 \ge 0 \wedge x_4 = x_3 + \delta_2 \wedge y_3 = y_2 + \delta_2\big] \\
\wedge {} & \big[x_4 \ge 1 \wedge \delta_3 \ge 0 \wedge x_5 = x_4 + \delta_3 \wedge y_4 = y_3 + \delta_3\big] \\
\wedge {} & \cdots \wedge \big[y_n < k_m\big]
\end{aligned}$$

(one bracket per instruction: $i$, $t_0$, $t_1$, $t_0$, ..., $t_2$; $x$ and $y$ advance with every delay, $k$ does not).
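The encodings on slides 13 and 18 can be mechanized. The Python script below is an added example, not the authors' tool or code from the page: it implements $\mathit{Enc}(w)$ for both programs on the page (the clock program of slide 5 and $A_2$ of slide 17) and decides feasibility of the resulting linear real arithmetic constraints by Fourier-Motzkin elimination, standing in for the Z3 call so that it runs without an SMT solver. Assumptions not stated on the slides: every variable is 0 before the first instruction (harmless, since $i$ resets everything), $k$ has rate 0 and `k++` means $k := k + 1$, and the names `encode`, `feasible`, `CLOCK_PROG` and `COUNTER_PROG` are mine.

```python
from fractions import Fraction
from itertools import product

# Linear expressions over the real-valued delays d0, d1, ...:
# a dict {name: coefficient} with the constant term under key "1".
def lin(const=0, **terms):
    return {"1": Fraction(const), **{v: Fraction(c) for v, c in terms.items()}}

def scale(e, k):
    return {v: Fraction(k) * c for v, c in e.items()}

def add(a, b):
    out = dict(a)
    for v, c in b.items():
        out[v] = out.get(v, Fraction(0)) + c
    return {v: c for v, c in out.items() if c != 0 or v == "1"}

def sub(a, b):
    return add(a, scale(b, -1))

# A constraint is (e, strict): e >= 0, or e > 0 when strict is set.
def ge(e, c): return [(add(e, lin(-c)), False)]                       # e >= c
def lt(e, c): return [(add(scale(e, -1), lin(c)), True)]              # e <  c
def eq(e, c): return ge(e, c) + [(add(scale(e, -1), lin(c)), False)]  # e == c

def encode(edges, variables, word):
    """Enc(w): unfold an untimed word into one constraint system over the delays.
    Each instruction follows the slide-6 relation: guard on the pre-valuation,
    discrete update, then nu' = nu'' + d_k * rate (rate defaults to 1, a clock)."""
    val = {v: lin(0) for v in variables}   # assumption: every variable starts at 0
    cs = []
    for k, name in enumerate(word):
        guard, update, rate = edges[name]
        cs += guard(val)                                       # 1. guard is satisfied
        val = update(val)                                      # 2. discrete update
        d = "d%d" % k
        cs += ge(lin(**{d: 1}), 0)                             #    delay d_k >= 0
        val = {v: add(val[v], lin(**{d: rate.get(v, 1)})) for v in val}  # 3. continuous update
    return cs

def feasible(cs):
    """Satisfiability in linear real arithmetic by Fourier-Motzkin elimination.
    Stands in for Z3: exact (strict bounds included) but exponential in the
    worst case, so only suitable for short traces."""
    for v in sorted({v for e, _ in cs for v in e if v != "1"}):
        lower = [c for c in cs if c[0].get(v, 0) > 0]   # bound v from below
        upper = [c for c in cs if c[0].get(v, 0) < 0]   # bound v from above
        cs = [c for c in cs if c[0].get(v, 0) == 0]
        for (le, ls), (ue, us) in product(lower, upper):
            # positive combination that cancels v; strictness is inherited
            cs.append((add(scale(le, -ue[v]), scale(ue, le[v])), ls or us))
    # only constants are left: every c >= 0 (or c > 0) must hold
    return all(e["1"] > 0 if strict else e["1"] >= 0 for e, strict in cs)

# Program of slide 5: x, z are clocks; y runs (rate 1) only after i.
CLOCK_PROG = {
    "i":  (lambda v: [], lambda v: {"x": lin(0), "y": lin(0), "z": lin(0)}, {"y": 1}),
    "t0": (lambda v: [], lambda v: {**v, "z": lin(0)}, {"y": 0}),
    "t1": (lambda v: eq(v["x"], 1), lambda v: {**v, "x": lin(0)}, {"y": 0}),
    "t2": (lambda v: ge(sub(v["x"], v["y"]), 1) + lt(v["z"], 1), lambda v: v, {"y": 0}),
}

# Program A_2 of slide 17: x, y are clocks; k is a counter (assumed rate 0, k++ on t1).
COUNTER_PROG = {
    "i":  (lambda v: [], lambda v: {"x": lin(0), "y": lin(0), "k": lin(0)}, {"k": 0}),
    "t0": (lambda v: ge(v["x"], 1), lambda v: v, {"k": 0}),
    "t1": (lambda v: [], lambda v: {**v, "x": lin(0), "k": add(v["k"], lin(1))}, {"k": 0}),
    "t2": (lambda v: lt(sub(v["y"], v["k"]), 0), lambda v: v, {"k": 0}),
}

def clock_word_feasible(word):
    return feasible(encode(CLOCK_PROG, ("x", "y", "z"), word))

def counter_word_feasible(n):
    """w_n = i . t0 . (t1 . t0)^n . t2 from slide 18."""
    word = ["i", "t0"] + ["t1", "t0"] * n + ["t2"]
    return feasible(encode(COUNTER_PROG, ("x", "y", "k"), word))

if __name__ == "__main__":
    print("i.t0.t2 feasible:", clock_word_feasible(["i", "t0", "t2"]))   # False
    print("i.t0.t1 feasible:", clock_word_feasible(["i", "t0", "t1"]))   # True
    for n in range(4):
        print("w_%d feasible: %s" % (n, counter_word_feasible(n)))      # all False
```

`encode` produces exactly the chain of guard, update and delay constraints shown on the slides, except that the indexed variable copies are kept as symbolic linear expressions in the delays rather than as separate unknowns, so the only unknowns the eliminator has to remove are $\delta_0, \ldots, \delta_n$. Checking each $w_n$ one at a time is the slide-15 loop without Step 3; the interpolants of slide 19 are what let one refinement cover every $n$.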

19. TAR: Example (cont'd)

Same program $A_2$ and word $w_n = i.t_0.(t_1.t_0)^n.t_2$, $n > 1$. If we give $c$ to Z3, we get the following interpolants (modulo indexes):
1. $I_0 = y \ge x \wedge k \le 0$,
2. $I_1 = y \ge 1 \wedge k \le 0$,
3. $I_2 = y \ge k + x$,
4. $I_3 = y \ge k + 1$,
5. $I_4 = y \ge k + x$,
6. $I_5 = y \ge k + 1$,
7. ...

Notice that for $n > 4$ we have $I_n = I_{n+2}$. The interpolants capture why every $w_n$ is infeasible: each $t_0$ lets at least one time unit elapse while $t_1$ adds one to $k$, so $y \ge k$ holds throughout and the guard $y < k$ of $t_2$ can never be satisfied. Because the sequence is periodic, a finite set of conditions covers $w_n$ for every $n$.
