Changeset 79
- Timestamp:
- Mar 30, 2012, 5:02:20 PM (13 years ago)
- Location:
- papers/FDL2012
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
papers/FDL2012/abstraction_refinement.tex
r76 r79 30 30 31 31 The counterexample at a refinement step $i$, $\sigma$, is a path in the 32 abstract model $\widehat{M}_i$ which dissatisfies $\Phi$. In the counterexample given by the model-checker, the variable configuration in each state is boolean. 32 abstract model $\widehat{M}_i$ which dissatisfies $\Phi$. In the 33 counterexample given by the model-checker, the variable configuration in each 34 state is boolean. We name $\check{L_i}$ this new labeling. 33 35 The spurious counterexample $\sigma$ is defined such that : 34 36 \begin{definition} 35 37 Let $\sigma$ be a \emph{counter-example} in $\widehat{M}_i =\langle \widehat{AP}_i, \widehat{S}_i, \widehat{S}_{0i}, 36 \widehat{L}_i, \widehat{R}_i, \widehat{F}_i \rangle$ of length $|\sigma| = n$: $ \sigma = s_{0} \rightarrow s_{1} \ldots38 \widehat{L}_i, \widehat{R}_i, \widehat{F}_i \rangle$ of length $|\sigma| = n$: $ \sigma = s_{0} \rightarrow s_{1} \ldots 37 39 \rightarrow s_{n}$ with $(s_{k}, s_{k+1}) \in \widehat{R}_i$ $\forall k \in [0..n-1]$. 38 40 \begin{itemize} 39 41 \item All its variables are concrete: $\forall s_i$ and $\forall p\in 40 \widehat{AP}_i$, $p$ is either true or false 42 \widehat{AP}_i$, $p$ is either true or false according to $\check{L_i}$. 41 43 (not {\it unknown}), and $s_0 $ is an initial state of the concrete system: $s_0 \in \mathbf{R}_0$ 42 44 \item $\sigma$ is a counterexample in $\widehat{M}_i$: $s_0\not\models \Phi$. … … 45 47 \end{itemize} 46 48 \end{definition} 47 49 In the following we denote by 48 50 The construction of the AKS representing all executions except the one described by the spurious counter-example is done in two steps. 49 51 \subsubsection{step 1 : Build the structure of the AKS.} 50 Let us denote $AKS(\overline{\sigma})$ this AKS. $AKS(\overline{\sigma}) = \langle \widehat{AP}_{\overline{\sigma}}, \widehat{S}_{\overline{\sigma}}, \widehat{S}_{0{\overline{\sigma}}}, 51 \widehat{L}_{\overline{\sigma}}, \widehat{R}_{\overline{\sigma}}, \widehat{F}_{\overline{\sigma}} \rangle$. 52 53 \begin{definition} 54 Let $\sigma$ be a counter-example of length $|\sigma| = n$, the \emph{ AKS of the 55 counter-example negation} $AKS(\overline{\sigma}) = \langle \widehat{AP}_{\overline{\sigma}}, \widehat{S}_{\overline{\sigma}}, \widehat{S}_{0{\overline{\sigma}}}, 56 \widehat{L}_{\overline{\sigma}}, \widehat{R}_{\overline{\sigma}}, 57 \widehat{F}_{\overline{\sigma}} \rangle$ is such that : 52 58 \begin{itemize} 53 \item The set of atomic propositions coincides with the one of $\sigma$ : $AP_{\overline{\sigma}} = {AP}_i$ 54 \item Build a state $s_T$, and for each state $s_i$ in $\sigma$, build two states $s'_i$ and $s"_i$. $s_T \in S_{\overline{\sigma}}$ and forall $i$ in $[0..n-1]$ : $s'_i \in S_{\overline{\sigma}}$ and $s"_i \in S_{\overline{\sigma}}.$ 55 \item State labeling : $s'_i$ represents the (concrete) configuration of state $s_i$ and state $s"_i$ represents all configurations but the one of $s_i$. This last set may not be representable by the labeling function defined in def \ref{def-aks}. State labeling is treated in the second step. 56 \item States $s'_0$ and $s"_0$ are initial states. 57 \item Transitions : Forall $i$ in $[1..n-1]$, connect $s'_i$ and $s"_i$ to their predecessor state $s'_{i-1}$: $(s'_{i-1},s'_i) \in R_{\overline{\sigma}}$ and $(s'_{i-1},s"_i) \in R_{\overline{\sigma}}$ and connect all $s"$ states as predecessor of the $s_T$ state : $(s"_i,s_T) \in R_{\overline{\sigma}}$. 58 \item \TODO{FAIRNESS} 59 \item $AP_{\overline{\sigma}} = {AP}_i$: 60 The set of atomic propositions coincides with the one of $\sigma$ 61 \item $\widehat{S}_{\overline{\sigma}}$: $\{s_T\} \cup \{s_{i}'|\forall i`in 62 [0..n-2] \vee s_i\in 63 \sigma\}\cup \{\bar{s_{i}}|\forall i in [0..n-1] \vee s_i\in \sigma\}$ 64 \item $\widehat{L}_{\overline{\sigma}}$ is such that $s_i'$ represents the 65 (concrete) configuration of state $s_i$ and state $\bar{s_i}$ represents all 66 configurations but the one of $s_i$. This last set may not be representable by 67 the labeling function defined in def \ref{def-aks}. State labeling is treated 68 in the second step. $s_t$ is a state where all atomic propositions are {\it unknown}. 69 70 \item $\widehat{S}_{0{\overline{\sigma}}} = \{ s_0',\bar{s_0}\}$ 71 \item $\widehat{R}_{\overline{\sigma}} = \{(\bar{s_i},s_T), \forall i\in 72 [0..n-1]\} \cup \{(s_i',\bar{s_{i+1}}), \forall i\in[0..n-2]\} \cup 73 \{(s_i',s_{i+1}',\forall i\in[0..n-3]\}$ 74 75 \item $\widehat{F}_{\overline{\sigma}} = \emptyset$ 59 76 \end{itemize} 77 \end{definition} 60 78 The size of this structure is linear with the size of the counter-example, however it is not a strict AKS since the representation of the set of configurations in states $s"$ may lead to a union of labels. 61 79 -
papers/FDL2012/framework.tex
r77 r79 108 108 We denote by $\widehat{L}(s)$ the configuration of atomic propositions in state $s$ and by $\widehat{L}(s)[p]$ the projection of configuration $\widehat{L}(s)$ according to atomic proposition $p$. 109 109 110 110 111 As the abstract model $\widehat{M}$ is generated from the conjunction of verified properties of the components in the concrete model $M$, it can be seen as the composition of the AKS of each property. 111 112 The AKS composition has been defined in \cite{braunstein_phd07}; it extends … … 114 115 %\bigskip 115 116 116 \begin{definition} An \emph{Abstract model} $\widehat{M}$ is obtained by117 \begin{definition} An \emph{Abstract model} $\widehat{M}$ is obtained by 117 118 synchronous composition of components abstractions. Let $n$ be the number of components in the model and $m$ be the number of selected verified properties of a component; 118 119 let $C_j$ be a component of the concrete model $M$ and $\varphi_{j}^k$ is a CTL formula describing a satisfied property of component $C_j$. Let $AKS (\varphi_{C_j^k})$ the AKS generated from $\varphi_j^k$. We have $\forall j \in [1,n]$ and $\forall k \in [1,m]$: … … 149 150 \end{definition} 150 151 151 \begin{property} 152 Let $A_i$ and $A_j$ two abstractions such that $A_j$ is obtained by concretizing one abstract variable of $A_i$ (resp $A_i$ is obtained by abstracting one variable in $A_j$). Then $A_i$ simulates $A_j$, denoted by $A_j \sqsubseteq A_i$. 152 \begin{property}[Concretization] 153 Let $A_i$ and $A_j$ two abstractions such that $A_j$ is obtained by 154 concretizing one abstract variable of $A_i$ (resp $A_i$ is obtained by 155 abstracting one variable in $A_j$). Then $A_i$ simulates $A_j$, denoted by 156 $A_i \sqsubseteq A_j$. 153 157 \end{property} 154 158 \begin{proof} … … 158 162 \end{proof} 159 163 160 \TODO{Name the simulation/concretization relation} 164 \begin{property}[Compostion and Concretization] 165 \label{prop:concrete_compose} 166 Let $\widehat{M_i}$ be an abstract model of $M$ and $\varphi_j^k$ be a property 167 of a component $C_j$ of M, $\widehat{M}_{i+1} = \widehat{M_i}\parallel 168 AKS(\varphi_j^k) $ is simulated by $ \widehat{M_i}$, $\widehat{M_i} 169 \sqsubseteq \widehat{M}_{i+1}$. 170 \end{property} 171 172 \begin{proof} 173 By the property of the parallel composition, we have directly $\widehat{M_i} 174 \sqsubseteq \widehat{M}_{i} \parallel AKS(\varphi_j^k$. 175 \end{proof} 161 176 162 177 \subsection{Initial abstraction} -
papers/FDL2012/ordering_filter_properties.tex
r69 r79 1 We take advantage of the specification of verified components to build more 2 accurate abstractions. The key is how to select the part of the 3 specification relevant enough to prove the global property. We propose an 1 We propose an 4 2 heuristic to order the properties depending on the structure 5 3 of each component. … … 10 8 %\bigskip 11 9 12 The ordering of the properties will bebased on the variable dependency graph10 The ordering of the properties is based on the variable dependency graph 13 11 where the roots are primary variables. 14 12 The variables in the model are weighted according to their dependency level 15 \emph{vis-à -vis} primary variables and the properties will beweighted according to the sum of the weights13 \emph{vis-à -vis} primary variables and the properties is weighted according to the sum of the weights 16 14 of the variables present in it. We want to select the properties specifying 17 15 behaviors that may have an impact on the global property. We observed that 18 16 the more closer a variable is from the primary 19 variable the more it affects the primary variable. Hence, a property will17 variable the more it affects the primary variable. Hence, a property 20 18 have higher priority according to the number of primary or close to primary variables it 21 19 contains. 22 20 Moreover, a global property often specifies the behavior at the interface of 23 components. Typically, a global property will ensurethat a message sent is24 always acknowledge or the good target getthe message. This kind of behavior21 components. Typically, a global property ensures that a message sent is 22 always acknowledged or the good target gets the message. This kind of behavior 25 23 relates the input-output behaviors of components. 26 24 We have decided to allocate an extra weight for variables which are present at the interface of a component 27 whereas variables which do not interfere with a primary variable will be weighted 0.25 whereas variables which do not interfere with a primary variable are weighted 0. 28 26 Here is how we proceed: 29 27 \begin{enumerate} 30 \item Build the dependency graph for all primary variables.28 \item Build the structural dependency graph for all primary variables. 31 29 \item Compute the depth of all variables (DFS or BFS) 32 in all dependency graph .30 in all dependency graphs. 33 31 Note that a variable may belong to more than one dependency graph, in that case 34 32 we consider the minimum depth. 35 \item Give a weight to each variable s(see algorithm \ref{algo:weight}).33 \item Give a weight to each variable (see algorithm \ref{algo:weight}). 36 34 \item Compute the weight of properties for each component. 37 35 \end{enumerate} … … 131 129 132 130 133 Each verified properties available pertinence will beevaluated by adding the weights of all the variables in it.131 Each properties pertinence is evaluated by adding the weights of all the variables in it. 134 132 It is definitely not an exact pertinence calculation of properties but provides a good indicator 135 133 of their possible impact on the global property. 136 After this pre-processing phase, we willhave a list of properties $L_\phi$137 ordered according to their pertinence in comparisonto the global property.134 After this pre-processing phase, we have a list of properties $L_\phi$ 135 ordered according to their pertinence with regards to the global property. 138 136 139 137 … … 143 141 The refinement step consists of adding new AKS of properties selected according to 144 142 their pertinence. This refinement respects items 1 and 2 of definition 145 \ref{def:goodrefinement}. The first item comes f orm AKS definition.146 <<<<<<< .mine 143 \ref{def:goodrefinement}. The first item comes from AKS definition and the 144 composition property \ref{prop:concrete_compose}. 147 145 Adding a new AKS in the abstraction leads to an abstraction where more behaviors 148 146 are characterized. Hence there is more constrains behavior and more concretize 149 147 states. 150 148 151 \remark{Cécile}{Mettre definition, property and proof ?????}152 149 153 150 Unfortunately, this refinement does not ensure that the spurious counterexample 154 151 is evicted. 155 As we would like to ensure the elimination of the counterexample previously found, 156 we filter out properties that don't have an impact on the counterexample $\sigma$ thus won't eliminate it. 152 As we would like to ensure the elimination of the counter-example previously found, 153 we filter out properties that do not have an impact on the counterexample 154 $\sigma$ thus will not eliminate it. 157 155 In order to reach this objective, a Abstract Kripke structure of the counterexample $\sigma$, $K(\sigma)$ 158 156 is generated. $K(\sigma)$ is a succession of states corresponding to the counterexample path which dissatisfies 159 the global property $\Phi$ as show in figure \ref{AKSNegCex}. We add a last 160 state $s_t$ where all variable are free({\it unknown}). The tree starting from this 157 the global property $\Phi$ as show in figure \ref{AKSNegCex}. In case where 158 the counter-example exibits a bounded path, we add a last 159 state $s_T$ where all variable are free({\it unknown}). The tree starting from this 161 160 state represents all the possible future of the counterexample. 162 161 … … 184 183 \item $S_{\sigma} = \{s_{i}|s_i\in \sigma\}\cup\{s_T\}$ 185 184 \item $S_{0\sigma} = \{s_{0}\}$ 186 \item $L_{\sigma} = \ widehat{L}_i$185 \item $L_{\sigma} = \check{L}_i$ 187 186 \item $R_{\sigma} = \{(s_{k}, s_{k+1})|(s_{k}\rightarrow s_{k+1})\in 188 187 \sigma\}\cup\{(s_{n-1},s_T)\}$ … … 243 242 property holds then the property will not discriminate the counterexample. 244 243 Hence this property is not a good candidate for refinement. 245 Therefore all properties that are satisfied won't be chosen to be integrated in the next step of refinement. At this stage, we already have a list of potential properties that will definitely eliminate the current counterexample $\sigma$ and might converge the abstract model towards a model sufficient to verify the global property $\Phi$. 246 247 \begin{property}{Counterexample evicted} 244 Therefore all properties that are satisfied are chosen to be 245 integrated in the next step of refinement. At this stage, we already have a 246 list of potential properties that definitely eliminates the current counterexample $\sigma$ and might converge the abstract model towards a model sufficient to verify the global property $\Phi$. 247 248 \begin{property}{Counterexample eviction} 248 249 \begin{enumerate} 249 250 \item If {\textbf{$K(\sigma) \vDash \varphi \Rightarrow AKS(\varphi) $ will … … 254 255 \end{property} 255 256 \begin{proof} 256 By construction, $AKS(\varphi)$ simulates all model that verify 257 $\varphi$. Thus the tree describes by $K(\sigma)$ exists in $AKS(\varphi)$, 258 $\sigma$ is still a possible path in $AKS(\varphi)$.\\ 259 Conversely $K(\sigma_i)$, where $\varphi$ does not hold, is not simulated by 257 \begin{enumerate} 258 \item By construction, $AKS(\varphi)$ simulates all models that verify 259 $\varphi$. Thus the tree described by $K(\sigma)$ is simulated by $AKS(\varphi)$, 260 it implies that $\sigma$ is still a possible path in $AKS(\varphi)$. 261 \item $K(\sigma)$, where $\varphi$ does not hold, is not simulated by 260 262 $AKS(\varphi)$, thus $\sigma$ is not a possible path in $AKS(\varphi)$ 261 263 otherwise $AKS(\varphi)\not\models \varphi$ that is not feasible due to AKS 262 definition. 263 264 definition and the composition with $M_i$ with $AKS(\varphi)$ will eleiminate 265 $\sigma$. 266 \end{enumerate} 264 267 \end{proof} 265 268 266 269 The property at the top of the list (not yet selected and excluding the properties 267 270 which are satisfied by $K(\sigma)$) is selected to be integrated in the generation of $\widehat{M}_{i+1}$. 268 We ensure that our refinement respect the definition \ref{def:goodrefinement}.269 Moreover, the time needed to build an AKS can be neglectedand building the271 We ensure that our refinement respects the definition \ref{def:goodrefinement}. 272 Moreover, the time needed to build an AKS is neglectible and building the 270 273 next abstraction is just a parallel composition with the previous one. Thus the refinement 271 274 we propose is not time consuming.
Note: See TracChangeset
for help on using the changeset viewer.