Changeset 93
- Timestamp:
- Apr 10, 2012, 4:30:02 PM (13 years ago)
- Location:
- papers/FDL2012
- Files:
-
- 6 edited
Legend:
- Unmodified
- Added
- Removed
-
papers/FDL2012/FDL2012.tex
r92 r93 33 33 34 34 35 \title{ An efficient refinement strategy exploiting component s'properties in a CEGAR process}35 \title{ An efficient refinement strategy exploiting component properties in a CEGAR process} 36 36 % \name{Syed Hussein S. ALWI, C\'{e}cile BRAUNSTEIN and Emmanuelle ENCRENAZ} 37 37 % \thanks{This work was supported by...}} … … 96 96 complete specification of every components of the concrete model. Futhermore, 97 97 it may be possible that none of the properties available is capable of 98 eliminating the counterexample which is probably due to an uncomplete98 eliminating the counterexample which is probably due to an incomplete 99 99 specification or a counterexample that should be eliminated by the product of 100 100 local properties. In this case, other refinement techniques such as the … … 102 102 good set of local properties to be integreted simultaneously, should be considered. 103 103 We are currently investigating other complementary techniques to overcome these particular cases. 104 A complementary approach consists in oimproving the specification of the104 A complementary approach consists in improving the specification of the 105 105 model~: at the component level, or for groups of components. The work of 106 106 Kroening \cite{pwk2009-date} could help us in this direction. -
papers/FDL2012/abstraction_refinement.tex
r92 r93 24 24 25 25 Refinements based on the concretization of selected abstract variables in 26 $\widehat{M}_i$ ensure item 2. Concretization can be performed either in27 modifying the AKS of $\widehat{M}_i$ ,by changing some abstract value to28 concrete ones , butthis approach is rude : in order to ensure item 1,29 concretization needs to be consistent with the sequences of values in the concrete system. The difficulty resides in defining the proper abstract variable to concretize, at which precise instant, and with which Boolean value.26 $\widehat{M}_i$ ensure item 2. Concretization can be performed by 27 modifying the AKS of $\widehat{M}_i$ by changing some abstract value to 28 concrete ones. However, this approach is rude : in order to ensure item 1, 29 the concretization needs to be consistent with the sequences of values in the concrete system. The difficulty resides in defining the proper abstract variable to concretize, at which precise instant, and with which Boolean value. 30 30 %Another way to concretize some variables at selected instants is to compose 31 31 %(by a synchronous product) the AKS of $\widehat{M}_i$ with a new AKS, provided this latest represents over-approximations of the set of behaviors of $M$. By construction, this product satisfies items 1 and 2. We now have to compute an AKS eliminating the spurious counterexample, being easily computable and ensuring a quick convergence of the CEGAR loop. … … 96 96 \end{itemize} 97 97 \end{definition} 98 The labeling function fo$s_i'$ represents (concrete) configuration of state $s_i$ and state $\bar{s_i}$ represents all98 The labeling function of $s_i'$ represents (concrete) configuration of state $s_i$ and state $\bar{s_i}$ represents all 99 99 configurations {\it but} the one of $s_i$. This last set may not be representable by 100 100 the labeling function defined in def \ref{def-aks}. State labeling is treated … … 114 114 and assigns to each of them a label of $k$ variables $\{v_0, \ldots, 115 115 v_{k-1}\}$ defined such that : $\widehat{L}(\bar{s_i^j}) = \{\forall l \in [0..k-1], 116 v_l = \neg {L}_{i}(s_i)[v_l], \forall l \in [j+1..k-1], v_l = \top\}$. each116 v_l = \neg {L}_{i}(s_i)[v_l], \forall l \in [j+1..k-1], v_l = \top\}$. Each 117 117 state $\bar{s_i^j}$ is connected to the same predecessor and successor states 118 118 as state $\bar{s_i}$. -
papers/FDL2012/exp_results.tex
r92 r93 121 121 122 122 123 In Table \ref{TabVerif}, we compare the execution time and the number of refin ment123 In Table \ref{TabVerif}, we compare the execution time and the number of refinement 124 124 between our technique (Prop. Select.), \emph{incremental\_ctl\_verification} 125 125 (Incremental) and the standard model checking (Standard MC) computed using the … … 128 128 $\phi_1$ is the type $AF((p=1)*AF(q=1))$ and $\phi_2$ is actually a stronger 129 129 version of the same formula with $AG(AF((p=1)*AF(q=1)))$. We have a total of 130 26 verifed components properties to be selected in VCI-PI plat eform.130 26 verifed components properties to be selected in VCI-PI platform. 131 131 In comparison to $\phi_2$, we can see that, a better set of properties available will result in a better abstraction and less refinement iterations. 132 132 -
papers/FDL2012/framework.tex
r92 r93 15 15 %generated and tested in the model-checker. As the abstract model is an 16 16 %over-approximation of the concrete model and the global property $\Phi$ is in the ACTL fragment, 17 As show in \cite{clarke94model} for over-approximation abstraction, if $\Phi$18 holds on thethe abstract model then it holds in the concrete model as well.17 As shown in \cite{clarke94model} for over-approximation abstraction, if $\Phi$ 18 holds in the abstract model then it holds in the concrete model as well. 19 19 However, if $\Phi$ does not hold in the abstract model then one cannot conclude anything regarding the concrete model until the counterexample has been analyzed. 20 20 The test of spurious counter-example is then translated into a … … 60 60 %\topsep -0.5em 61 61 \itemsep -0.3em 62 \item $I$ is a finite set of Boolean input ssignals.63 \item $O$ is a finite set of Boolean output ssignals.62 \item $I$ is a finite set of Boolean input signals. 63 \item $O$ is a finite set of Boolean output signals. 64 64 \item $R$ is a finite set of Boolean sequential elements (registers). 65 65 \item $\delta : 2^I \times 2^R \rightarrow 2^R$ is the transition function. … … 76 76 $M = C_1 \parallel C_2 \parallel \ldots \parallel C_n$,where each $C_i$ is a 77 77 Moore machine with a specification associated $\varphi_i = \{\varphi_i^1 \ldots 78 \varphi_i^k\}$ Each $\varphi_i^j$ is a CTL$\setminus$X formula whose78 \varphi_i^k\}$. Each $\varphi_i^j$ is a CTL$\setminus$X formula whose 79 79 propositions $AP$ belong to $\{I_i\cup O_i\cup R_i\}$ . 80 80 \end{definition} … … 126 126 127 127 \vspace*{-2mm} 128 We denote by $\widehat{L}(s)$ the configuration of atomic propositions in state $s$ and by $\widehat{L}(s)[p]$the projection of configuration $\widehat{L}(s)$ according to atomic proposition $p$.128 We denote by $\widehat{L}(s)$, the configuration of atomic propositions in state $s$, and by $\widehat{L}(s)[p]$, the projection of configuration $\widehat{L}(s)$ according to atomic proposition $p$. 129 129 130 130 … … 155 155 %\subsection{Characterization of AKS} 156 156 157 In an AKS a state where a variable $p$ is {\it unknown}157 In an AKS, a state where a variable $p$ is {\it unknown} 158 158 can simulate all states in which $p$ is either true or false. It 159 159 is a concise representation of the set of more concrete states in which $p$ 160 160 is either true or false. A state $s$ is said to be an \emph{abstract state} 161 if one its variable $p$ is {\it unknown}.161 if one of its variable $p$ is {\it unknown}. 162 162 163 163 %\begin{definition} -
papers/FDL2012/introduction.tex
r92 r93 7 7 and programmers as it may delay getting a new product to the market or cause 8 8 failure of some critical devices that are already in use. System verification 9 using formal methods such as model checking guarantee a high level of quality in terms of safety and reliability while reducing financial risk.9 using formal methods such as model checking guarantees a high level of quality in terms of safety and reliability while reducing financial risk. 10 10 11 11 … … 25 25 26 26 27 Xie and Browne have proposed a method for software verification based on composition of several components \cite{XieBrowne03composition_soft}. Their main objective is developing components that could be reused with certitude that their behaviors will always respect their specification when associated in a proper composition. Therefore, temporal properties of the software are specified, verified and packaged with the component for possible reuse. The implementation of this approach on software ha vebeen succesful and the application of the assume-guarantee reasoning has considerably reduced the model checking complexity. A comprehensive approach to model-check component-based systems with abstraction refinement technique that uses verified properties as abstractions has been presented in \cite{LiSunXieSong08compAbsRef}.27 Xie and Browne have proposed a method for software verification based on composition of several components \cite{XieBrowne03composition_soft}. Their main objective is developing components that could be reused with certitude that their behaviors will always respect their specification when associated in a proper composition. Therefore, temporal properties of the software are specified, verified and packaged with the component for possible reuse. The implementation of this approach on software has been succesful and the application of the assume-guarantee reasoning has considerably reduced the model checking complexity. A comprehensive approach to model-check component-based systems with abstraction refinement technique that uses verified properties as abstractions has been presented in \cite{LiSunXieSong08compAbsRef}. 28 28 29 29 … … 34 34 35 35 36 Recently, a CEGAR based technique that combines precise and approximated methods within one abstraction-refinement loop was proposed for software verification \cite{Sharygina_al12PreciseApprox}. This technique uses predicate abstraction and provides a strategy that interleaves approximated ab traction which is fast to compute and precise abstraction which is slow. The result shows a good compromise between the number of refinement iterations and verification time.36 Recently, a CEGAR based technique that combines precise and approximated methods within one abstraction-refinement loop was proposed for software verification \cite{Sharygina_al12PreciseApprox}. This technique uses predicate abstraction and provides a strategy that interleaves approximated abstraction which is fast to compute and precise abstraction which is slow. The result shows a good compromise between the number of refinement iterations and verification time. 37 37 38 38 … … 42 42 In 2007, a method to build abstractions of components into AKS (Abstract 43 43 Kripke Structure), based on the set of the properties (CTL) each component 44 verifies \cite{braunstein07ctl_abstraction}. The method is actually a44 verifies was presented in \cite{braunstein07ctl_abstraction}. The method is actually a 45 45 tentative to associate compositional and abstraction-refinement verification 46 46 techniques. The generations of AKS from CTL formula have been successfully -
papers/FDL2012/ordering_filter_properties.tex
r92 r93 15 15 %behaviors that may have an impact on the global property. 16 16 We observed that 17 the closer a variable is fromthe primary17 the closer a variable is to the primary 18 18 variable, the higher influence it has on it. 19 19 %Hence, a property
Note: See TracChangeset
for help on using the changeset viewer.