Changeset 58
- Timestamp:
- Mar 9, 2012, 5:16:33 PM (13 years ago)
- Location:
- papers/FDL2012
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
papers/FDL2012/abstraction_refinement.tex
r57 r58 1 1 2 We suppose that our concrete model is a composition of several components and each component has been previously verified. Hence, we have a set of verified properties for each component of the concrete model. The main idea of this technique is that we would like to make use of these properties to generate a better abstract model. Properties of the components that appear to be related to the global property to be verified, $\phi$ are selected to generate the abstract model $\widehat{M}_i$. This method is particularly interesting as it gives a possibility to converge quicker to an abstract model that is sufficient to satisfy the global property $\phi$.3 2 4 3 \subsection{Properties of good refinement} … … 8 7 %\medskip 9 8 10 \begin{ property}9 \begin{definition} An efficient \emph{refinement} verified the following properties: 11 10 \begin{enumerate} 12 11 \item The new refinment is an over-approximation of the concrete model: $\widehat{M}_{i+1} \sqsubseteq \widehat{M}$. … … 16 15 $\widehat{M_{i+1}}$. 17 16 \end{enumerate} 18 \end{ property}17 \end{definition} 19 18 20 19 Moreover, the refinement steps should be easy to compute and ensure a fast … … 26 25 \TODO{discussion sur comment garantir les points 1/2/3 et le reste du bon 27 26 rafinement} 28 \subsection{ The Counterexample}29 30 \TODO{Mettre la def avant }27 \subsection{Refinment by negation of the counterexample} 28 29 \TODO{Mettre la def avant ?} 31 30 \TODO{Rafinement par négation du contre-exemple} 32 31 The counterexample at a refinement step $i$, $\sigma$ is a path in the … … 50 49 \end{definition} 51 50 51 2. Negation of states in an AKS 52 53 a) An (abstract) configuration in a state of the AKS represents a (convex ?) set of states of the concrete component. 54 55 b) The negation of an configuration may be represented by a set of abstract configurations 56 57 c) building the AKS of a spurious counter-example may lead to a blow-up of the number of states of the AKS 58 59 52 60 %\bigskip 53 61 … … 150 158 151 159 152 \subsection{Initial abstraction generation} 153 154 In the initial abstraction generation, all primary variables have to be represented. Therefore the first element(s) in the list where the primary variables are present will be used to generate the initial abstraction, $\widehat{M}_0$ and we will verify the satisfiability of the global property $\phi$ on this abstract model. If the model-checking failed and the counterexample given is found to be spurious, we will then proceed with the refinement process. 155 156 157 158 \subsection{Abstraction refinement} 160 161 162 163 \subsection{Filtering properties} 159 164 160 165 The refinement process from $\widehat{M}_i$ to $\widehat{M}_{i+1}$ can be seperated into 2 steps: -
papers/FDL2012/framework.tex
r57 r58 1 The model-checking technique we propose is based on the Counterexample-guided Abstraction Refinement (CEGAR) methodology \cite{clarke00cegar}. We take into account the structure of the system as a set of synchronous components, each of which has been previously verified and a set of CTL properties is attached to each component. This set refers to the specification of the component. We would like to verify whether a concrete model, $M$ presumedly huge sized composed of several components, satisfies a global property $\Phi$. Due to state space combinatorial explosion phenomenon that occurs when verifying huge and complex systems, an abstraction or approximation of the concrete model has to be done in order to be able to verify the system with model-checking techniques. Instead of building the product of the concrete components, we replace each concrete component by an abstraction of its behavior derived from a subset of the CTL properties it satisfies. Each abstract component represents an over-approximation of the set of behaviors of its related concrete component \cite{braunstein07ctl_abstraction}. 1 The model-checking technique we propose is based on the Counterexample-guided 2 Abstraction Refinement (CEGAR) methodology \cite{clarke00cegar}. The overall 3 descritpion of our methodology is shown in figure \ref{cegar}. 4 We take into account the structure of the system as a set of synchronous components, 5 each of which has been previously verified and a set of CTL properties is attached to each component. This set refers to the specification of the component. We would like to verify whether a concrete model, $M$ presumedly huge sized composed of several components, satisfies a global property $\Phi$. Due to state space combinatorial explosion phenomenon that occurs when verifying huge and complex systems, an abstraction or approximation of the concrete model has to be done in order to be able to verify the system with model-checking techniques. Instead of building the product of the concrete components, we replace each concrete component by an abstraction of its behavior derived from a subset of the CTL properties it satisfies. Each abstract component represents an over-approximation of the set of behaviors of its related concrete component \cite{braunstein07ctl_abstraction}. 2 6 3 \subsection{Overall Description of our methodology}7 %\subsection{Overall Description of our methodology} 4 8 In CEGAR loop methodology, in order to verify a global property $\Phi$ on a 5 9 concrete model $M$, an abstraction of the concrete model $\widehat{M}$ is 6 10 generated and tested in the model-checker. As the abstract model is an 7 11 over-approximation of the concrete model and we have restrained our 8 verification to ACTL properties only ,if $\Phi$ holds on the the abstract model then we are certain that it holds in the concrete model as well.12 verification to ACTL properties only. As shown in \cite{clarke94model} if $\Phi$ holds on the the abstract model then we are certain that it holds in the concrete model as well. 9 13 However, if $\Phi$ doesn't hold in the abstract model then we can't conclude anything regarding the concrete model until the counterexample, 10 $\sigma$ given by the model-checker has been analyzed. \remark{Cecile}{cite 11 Grumberg ovver-approx et ACTL poperties} 14 $\sigma$ given by the model-checker has been analyzed. 15 16 In the case where model-checking failed, the counterexample given by the 17 model-checker has to be analysed. We use a SAT solver to check whether the counterexample is spurious or not. When a counterexample is proved to be spurious, we proceed to the refinement phase. 18 \TODO{ref du papier sur le spurious + petite explication sur SAT et 19 déroulement} 12 20 %\bigskip 13 21 %\begin{definition} … … 16 24 %\end{definition} 17 25 18 \begin{definition}19 Given $\widehat{M} = (\widehat{AP}, \widehat{S}, \widehat{S}_0, \widehat{L}, \widehat{R}, \widehat{F})$ an abstract model of a concrete model, $M$ and $\Phi$, a global property to be verified on $M$, the model-checking result can be interpreted as follows:20 21 \begin{itemize}22 \item{$\widehat{M} \vDash \Phi \Rightarrow M \vDash \Phi$ : verification completed }23 \item{$\widehat{M} \nvDash \Phi$ and $\exists \sigma$ : counterexample analysis required in order to determine whether $M \nvDash \Phi$ or $\widehat{M}$ is too coarse. }24 \end{itemize}25 \end{definition}26 %\begin{definition} 27 %Given $\widehat{M} = (\widehat{AP}, \widehat{S}, \widehat{S}_0, \widehat{L}, \widehat{R}, \widehat{F})$ an abstract model of a concrete model, $M$ and $\Phi$, a global property to be verified on $M$, the model-checking result can be interpreted as follows: 28 % 29 %\begin{itemize} 30 %\item{$\widehat{M} \vDash \Phi \Rightarrow M \vDash \Phi$ : verification completed } 31 %\item{$\widehat{M} \nvDash \Phi$ and $\exists \sigma$ : counterexample analysis required in order to determine whether $M \nvDash \Phi$ or $\widehat{M}$ is too coarse. } 32 %\end{itemize} 33 %\end{definition} 26 34 27 35 %\bigskip 28 We can conclude that the property $\Phi$ doesn't hold in the concrete model $M$ if the counterexample path is possible in M. Otherwise the abstract model at step $i : \widehat{M}_i$, has to be refined if $\widehat{M}_i \nvDash \Phi$ and the counterexample obtained during model-checking was proven to be \emph{spurious}.36 %We can conclude that the property $\Phi$ doesn't hold in the concrete model $M$ if the counterexample path is possible in M. Otherwise the abstract model at step $i : \widehat{M}_i$, has to be refined if $\widehat{M}_i \nvDash \Phi$ and the counterexample obtained during model-checking was proven to be \emph{spurious}. 29 37 30 38 \begin{figure}[h!] … … 36 44 \end{figure} 37 45 46 \subsection{Concrete system definition} 38 47 As mention earlier, in our verification methodology, we have a concrete model which consists of several components and each component comes with its specification or more precisely, properties that hold in the component. Given a global property $\Phi$, the property to be verified by the composition of the concrete components model, an abstract model is generated by selecting some of the properties of the components which are relevant to $\varphi$. 39 48 40 In the case where model-checking failed, the counterexample given by the model-checker \cite{ucberkeley96vis} has to be analysed. We use a SATSolver to check whether the counterexample is spurious or not. When a counterexample is proved to be spurious, we proceed to the refinement phase.41 \TODO{ref du papier sur le spurious + petite explication sur SAT et42 déroulement}43 \subsection{Concrete system definition}44 49 45 50 The concrete system is a synchronous compositon of components, each of which … … 57 62 \end{definition} 58 63 59 \emph{States} (or configurations) of the circuit correspond to boolean configurations of all the sequential elements. From now on, let $C = \langle I, O, R, \delta, \lambda, \mathbf{R}_0 \rangle$ be a sequential circuit.64 \emph{States} (or configurations) of the circuit correspond to boolean configurations of all the sequential elements. 60 65 61 66 \begin{definition} … … 64 69 $M = C_1 \parallel C_2 \parallel \ldots \parallel C_n$,where each $C_i$ is a 65 70 Moore machine with a specification associated $\varphi_i = \{\varphi_i^1 \ldots 66 \varphi_i^k\}$ Each $\varphi_i^j$ beinga CTL$\setminus$X formula whose71 \varphi_i^k\}$ Each $\varphi_i^j$ is a CTL$\setminus$X formula whose 67 72 propositions $AP$ belongs to $\{I_i\cup O_i\cup R_i\}$ . 68 73 \end{definition} … … 71 76 72 77 Our abstraction consists in reducing the size of the representation model by 73 freeing some its variables. The point is to determine the good set of variable78 freeing some of its variables. The point is to determine the good set of variable 74 79 to be freed and when to free them. We take advantage of the CTL specification 75 80 of each component: a CTL property may be seen as a partial view of the tree of 76 81 behaviors of its variables. All the variables not specified by the property 77 82 can be freed. We introduced the Abstract Kripke Structure (AKS for short) which exactly 78 specifies when the variable of the prperty can be fr reed.83 specifies when the variable of the prperty can be freed. 79 84 The abstraction of a component is represented by an AKS, 80 85 derived from a subset of the CTL properties the component satisfies. … … 89 94 90 95 %Assume that we have an abstract Kripke structure (AKS) representing the abstract model $\widehat{M}$ of the concrete model of the system M with regard to the property to be verified, $\Phi$. The abstraction method is based on the work described in \cite{ braunstein07ctl_abstraction}. 91 The AKS associated with a CTL property $\varphi$ whose set of atomic propositions is $AP$ is a 6-tuple, \\ $\widehat{C} =(\widehat{AP}, \widehat{S}, \widehat{S}_0, \widehat{L}, \widehat{R}, \widehat{F})$ which is defined as follows:92 96 93 97 \begin{definition} 94 An abstract Kripke structure,\\ $\widehat{C} =(\widehat{AP}, \widehat{S}, \widehat{S}_0, \widehat{L}, \widehat{R}, \widehat{F})$ is a 6-tuple consisting of : 98 Give a CTL$\setminus$X property $\varphi$ whose set of atomic propositions is 99 $\widehat{AP}$, An \emph{Abstract Kripke Structure}, \\ $AKS(\varphi) =(AP, \widehat{S}, \widehat{S}_0, \widehat{L}, \widehat{R}, \widehat{F})$ is a 6-tuple consisting of : 95 100 96 101 \begin{itemize} 97 \item { $ \widehat{AP}$ : a finite set of atomic propositions}102 \item { $AP$ : The finite set of atomic propositions of property $\varphi$ } 98 103 \item { $\widehat{S}$ : a finite set of states} 99 104 \item { $\widehat{S}_0 \subseteq \widehat{S}$ : a set of initial states} … … 119 124 %\bigskip 120 125 121 \begin{definition} 126 \begin{definition} An \emph{Abstract model} $\widehat{M}$is obtained by 127 synchronous composition of components abstractions. 122 128 Let $C_j$ be a component of the concrete model $M$ and $\varphi_{j}^k$ is a CTL formula describing a satisfied property of component $C_j$. Let $AKS (\varphi_{C_j^k})$ the AKS generated from $\varphi_j^k$. We have $\forall j \in [1,n]$ and $\forall k \in [1,m]$: 123 129 … … 140 146 141 147 142 \subsection{Characterization of AKS} 143 TODO : PEUT ETRE A VENTILER DANS DIFFERENTES PARTIES ?? 148 %\subsection{Characterization of AKS} 144 149 145 \begin{definition}146 A state $s$ is an abstract state if one its variable $p$ is {\it unknown}. It150 In an abstract kripke structure a state where a variable $p$ is {\it unknown} 151 can simulate all states in which $p$ is either true or false. It 147 152 is concise representation of the set of more concrete states in which $p$ 148 is either true or false. 149 \end{definition} 153 is either true or false. A state $s$ is said to be an \emph{abstract state} 154 if one its variable $p$ is {\it unknown}. 150 155 151 \begin{definition} 152 The {\emph concretization} of an abstract $s$ with respect to the variable $p$ 156 %\begin{definition} 157 %A state $s$ is an {\emph abstract state} if one its variable $p$ is {\it unknown}. 158 %\end{definition} 159 160 \begin{definition}[] 161 The \emph {concretization} of an abstract state $s$ with respect to the variable $p$ 153 162 ({\it unknown} in that state), assigns either true or false to $p$. 154 163 155 The {\emphabstraction} of a state $s$ with respect to the variable $p$164 The \emph {abstraction} of a state $s$ with respect to the variable $p$ 156 165 (either true or false in that state), assigns {\it unknown} to $p$. 157 166 \end{definition} 158 167 159 168 \begin{property} 160 Let A1 and A2 two AKSsuch that A2 is obtained by concretizing one abstract variable of A1 (resp A1 is obtained by abstracting one variable in A2). Then A1 simulates A2.169 Let A1 and A2 two abstractions such that A2 is obtained by concretizing one abstract variable of A1 (resp A1 is obtained by abstracting one variable in A2). Then A1 simulates A2. 161 170 \end{property} 162 171 \begin{proof} … … 166 175 \end{proof} 167 176 168 169 2. Negation of states in an AKS 177 \TODO{Name the simulation/concretization relation} 170 178 171 a) An (abstract) configuration in a state of the AKS represents a (convex ?) set of states of the concrete component. 179 \subsection{Initial abstraction} 180 We suppose that our concrete model is a composition of several components and 181 each component has been previously verified. Hence, we have a set of verified 182 properties for each component of the concrete model. The main idea of this 183 technique is that we would like to make use of these properties to generate a 184 better abstract model. Properties of the components that appear to be related 185 to the global property to be verified, $\Phi$ are selected to generate the 186 abstract model $\widehat{M}_i$. This method is particularly interesting as it 187 gives a possibility to converge quicker to an abstract model that is 188 sufficient to satisfy the global property $\Phi$. 189 In the following, we will name primary variables the set of variable that 190 appears in the global property. 172 191 173 b) The negation of an configuration may be represented by a set of abstract configurations 174 175 c) building the AKS of a spurious counter-example may lead to a blow-up of the number of states of the AKS 192 In the initial abstraction generation, all primary variables have to be 193 represented. Therefore the properties in the specification of each component 194 where the primary variables are present will be used to generate the initial 195 abstraction, $\widehat{M}_0$ and we will verify the satisfiability of the 196 global property $\Phi$ on this abstract model. If the model-checking failed and the counterexample given is found to be spurious, we will then proceed with the refinement process. 176 197 177 198 -
papers/FDL2012/myBib.bib
r57 r58 262 262 } 263 263 264 @ARTICLE{clarke94model, 265 author = {E.M.~Clarke and O.~Grumberg and D.E.~Long}, 266 title = {{Model Checking and Abstraction}}, 267 journal = {ACM Transactions on Programming Languages and Systems}, 268 year = {1994}, 269 volume = {16}, 270 pages = {1512--1542}, 271 number = {5}, 272 address = {New York, NY, USA}, 273 doi = {http://doi.acm.org/10.1145/186025.186051}, 274 issn = {0164-0925}, 275 keywords = {model cheking, abstraction, CTL, preservation}, 276 publisher = {ACM Press} 277 } 264 278 265 279 @inproceedings{pwk2009-date,
Note: See TracChangeset
for help on using the changeset viewer.