Changeset 79 for papers/FDL2012/ordering_filter_properties.tex

Timestamp:

Mar 30, 2012, 5:02:20 PM (12 years ago)

Author:

cecile

Message:

correction counter-example and its negation representation

File:

• papers/FDL2012/ordering_filter_properties.tex (modified) (7 diffs)

papers/FDL2012/ordering_filter_properties.tex

@@ -1 @@
-We take advantage of the specification of verified components to build more
-accurate abstractions. The key is how to select the part of the
-specification relevant enough to prove the global property. We propose an
+ We propose an
 heuristic to order the properties  depending on the structure
 of each component.
@@ -10 +8 @@
 %\bigskip
 
-The ordering of the properties will be based on the variable dependency graph
+The ordering of the properties is based on the variable dependency graph
 where the roots are primary variables.
 The variables in the model are weighted according to their dependency level
-\emph{vis-Ã -vis} primary variables and the properties will be weighted according to the sum of the weights
+\emph{vis-Ã -vis} primary variables and the properties is weighted according to the sum of the weights
 of the variables present in it. We want to select the properties specifying 
 behaviors that may have an impact on the global property. We observed that 
 the more closer a variable is from the primary
-variable the more it affects the primary variable. Hence, a property will
+variable the more it affects the primary variable. Hence, a property 
 have higher priority according to the number of primary or close to primary variables it
 contains.
 Moreover, a global property often specifies the behavior at the interface of
-components. Typically, a global property will ensure that a message sent is
-always acknowledge or the good target get the message. This kind of behavior
+components. Typically, a global property ensures that a message sent is
+always acknowledged or the good target gets the message. This kind of behavior
 relates the input-output behaviors of components. 
 We have decided to allocate an extra weight for variables which are present at the interface of a component 
-whereas variables which do not interfere with a primary variable will be weighted 0. 
+whereas variables which do not interfere with a primary variable are weighted 0. 
 Here is how we proceed:
 \begin{enumerate}
-\item Build the dependency graph for all primary variables.
+\item Build the structural dependency graph for all primary variables.
 \item Compute the depth of all variables (DFS or BFS)
-in all dependency graph.
+in all dependency graphs.
 Note that a variable may belong to more than one dependency graph, in that case
 we consider the minimum depth.
-\item Give a weight to each variables (see algorithm  \ref{algo:weight}).
+\item Give a weight to each variable (see algorithm  \ref{algo:weight}).
 \item Compute the weight of properties for each component.
 \end{enumerate}
@@ -131 +129 @@
 
 
-Each verified properties available pertinence will be evaluated by adding the weights of all the variables in it.
+Each properties  pertinence is evaluated by adding the weights of all the variables in it.
 It is definitely not an exact pertinence calculation of properties but provides a good indicator 
 of their possible impact on the global property.
-After this pre-processing phase, we will have a list of properties $L_\phi$
-ordered according to their pertinence in comparison to the global property.
+After this pre-processing phase, we  have a list of properties $L_\phi$
+ordered according to their pertinence with regards to the global property.
 
 
@@ -143 +141 @@
 The refinement step consists of adding new AKS of properties selected according to
 their pertinence. This refinement respects items 1 and 2 of definition
-\ref{def:goodrefinement}. The first item comes form AKS definition.
-<<<<<<< .mine
+\ref{def:goodrefinement}. The first item comes from AKS definition and the
+composition property \ref{prop:concrete_compose}.
 Adding a new AKS in the abstraction leads to an abstraction where more behaviors
 are characterized. Hence there is more constrains behavior and more concretize
 states.
 
-\remark{Cécile}{Mettre definition, property and proof ?????}
 
 Unfortunately, this refinement does not ensure that the spurious counterexample
 is evicted.
-As we would like to ensure the elimination of the counterexample previously found,
-we filter out properties that don't have an impact on the counterexample $\sigma$ thus won't eliminate it. 
+As we would like to ensure the elimination of the counter-example previously found,
+we filter out properties that do not have an impact on the counterexample
+$\sigma$ thus will not eliminate it. 
 In order to reach this objective, a Abstract Kripke structure of the counterexample $\sigma$, $K(\sigma)$
 is generated. $K(\sigma)$ is a succession of states corresponding to the counterexample path which dissatisfies 
-the global property $\Phi$ as show in figure \ref{AKSNegCex}. We add a last
-state $s_t$ where all variable are free({\it unknown}). The tree starting from this
+the global property $\Phi$ as show in figure \ref{AKSNegCex}. In case where
+the counter-example exibits a bounded path, we add a last
+state $s_T$ where all variable are free({\it unknown}). The tree starting from this
 state represents all the possible future of the counterexample.
 
@@ -184 +183 @@
 \item $S_{\sigma} = \{s_{i}|s_i\in \sigma\}\cup\{s_T\}$
 \item $S_{0\sigma} = \{s_{0}\}$
-\item $L_{\sigma} = \widehat{L}_i$
+\item $L_{\sigma} = \check{L}_i$
 \item $R_{\sigma} =  \{(s_{k}, s_{k+1})|(s_{k}\rightarrow s_{k+1})\in
 \sigma\}\cup\{(s_{n-1},s_T)\}$ 
@@ -243 +242 @@
 property holds then the property will not discriminate the counterexample.
 Hence this property is not a good candidate for refinement.
-Therefore all properties that are satisfied won't be chosen to be integrated in the next step of refinement. At this stage, we already have a list of potential properties that will definitely eliminate the current counterexample $\sigma$ and might converge the abstract model towards a model sufficient to verify the global property $\Phi$.
-
-\begin{property}{Counterexample evicted}
+Therefore all properties that are satisfied are chosen to be
+integrated in the next step of refinement. At this stage, we already have a
+list of potential properties that definitely eliminates the current counterexample $\sigma$ and might converge the abstract model towards a model sufficient to verify the global property $\Phi$.
+
+\begin{property}{Counterexample eviction}
 \begin{enumerate}
 \item If {\textbf{$K(\sigma) \vDash \varphi  \Rightarrow AKS(\varphi) $ will
@@ -254 +255 @@
 \end{property}
 \begin{proof}
-By construction, $AKS(\varphi)$ simulates all model that verify 
-$\varphi$. Thus the tree describes by $K(\sigma)$ exists in $AKS(\varphi)$,
-$\sigma$ is still a possible path in $AKS(\varphi)$.\\
-Conversely $K(\sigma_i)$, where $\varphi$ does not hold, is not simulated by
+\begin{enumerate}
+\item By construction, $AKS(\varphi)$ simulates all models that verify 
+$\varphi$. Thus the tree described by $K(\sigma)$ is simulated by $AKS(\varphi)$,
+it implies that $\sigma$ is still a possible path in $AKS(\varphi)$.
+\item $K(\sigma)$, where $\varphi$ does not hold, is not simulated by
 $AKS(\varphi)$, thus $\sigma$ is not a possible path in $AKS(\varphi)$
 otherwise $AKS(\varphi)\not\models \varphi$ that is not feasible due to AKS
-definition.
-
+definition and the composition with $M_i$ with $AKS(\varphi)$ will eleiminate
+$\sigma$.
+\end{enumerate}
 \end{proof}
 
 The property at the top of the list (not yet selected and excluding the properties
 which are satisfied by $K(\sigma)$) is selected to be integrated in the generation of $\widehat{M}_{i+1}$.
-We ensure that our refinement respect the definition \ref{def:goodrefinement}.
-Moreover, the time needed to build an AKS can be neglected and building the
+We ensure that our refinement respects the definition \ref{def:goodrefinement}.
+Moreover, the time needed to build an AKS is neglectible and building the
 next abstraction is just a parallel composition with the previous one. Thus the refinement
  we propose is not time consuming.