State-explosion is an inherent problem in model checking. Every model checking tool - no matter how optimized - will report or demonstrate one of the following for systems that push its limits: out of memory error, non-convergence, or inconclusive result. As the target systems of interest (hardware, software, or biological systems) grow in terms of complexity, and consequently in size, a great deal of manual effort is spent on verification engineering to produce usable results. We admit that this effort will always be needed. However, we also think that hybrid approaches should be employed to push the limits for automated verification.
Abstract interpretation framework CC77 provides a theoretical basis for sound verification of finite as well as infinite-state systems. Two major elements of this framework are abstraction and approximation. Abstraction defines a mapping between a concrete domain and an abstract domain (less precise) in a conservative way so that when a property is satisfied for an abstract state the property also holds for the concrete states that map to the abstract state. Approximation, on the other hand, works on values in the same domain and provides a lower or an upper bound. Abstraction is a way to deal with the state-explosion problem whereas approximation is a way to achieve convergence and hence potentially a conclusive result. When an infinite-state system is considered there are three basic approaches that can be employed: pure abstraction, pure approximation111Assuming the logic that describes the system is decidable., and a combination of abstraction and approximation.
The most popular abstraction technique is predicate abstraction GS97 , in which the abstract domain consists of a combination of valuations of Boolean variables that represent truth values of a fixed set of predicates on the variables from the concrete system. Since it is difficult to come up with the right set of predicates that would yield a precise analysis, predicate abstraction has been combined with the counter-example guided abstraction refinement (CEGAR) framework CGJ00 . Predicate abstraction requires computing a quantifier-free version of the transformed system and, hence, potentially involves an exponential number of queries to the underlying SMT solver.
A widely used approximation technique is widening. The widening operator takes two states belonging to the same domain and computes an over-approximation of the two. A key point of the widening operator is the guarantee for stabilizing an increasing chain after a finite number of steps. So one can apply the widening operator to the iterates of a non-converging fixpoint computation and achieve convergence, where the last iterate is an over-approximation of the actual fixpoint. In this paper we use an implementation of the widening operator for convex polyhedra CH78 that is used in the infinite-state model checker Action Language Verifier (ALV) YB09 . ALV uses fixpoint approximations to check whether a CTL property is satisfied by an infinite-state system BGP97 .
In Yav16 we introduced partial predicate abstraction that combines predicate abstraction with widening for infinite-state systems described in terms of Presburger arithmetic. In partial predicate abstraction only the variables that are involved in the predicates are abstracted and all other variables are preserved in their concrete domains. In this paper, we present a counter-example guided abstraction and approximation refinement (CEGAAR) technique to deal with cases where the initial set of predicates are not precise enough to provide a conclusive result. The novelty of the approach stems from the fact that it can identify whether an infeasible counter-example is generated due to imprecision of the abstraction or imprecision of the approximation. Once the type of imprecision is identified, it uses the appropriate refinement. To refine the abstraction, it computes a Craig interpolant Cra57 for the divergence point. To refine the approximation, it delays the widening for least fixpoint computations and increases the number of steps for greatest fixpoint computations. We implemented the combined approach by extending the Action Language Verifier (ALV) YB09 with the CEGAAR technique. Our experimental results show that approximation and abstraction refinement can be merged in an effective way.
The rest of the paper is organized as follows. We first present the basic definitions and key results of the two approaches, approximate fixpoint computations and predicate abstraction in the context of CTL model checking, in Section 2. Section 3 presents the partial predicate abstraction approach and demonstrates soundness of combining the two techniques. Section 4 presents the core algorithms for the CEGAAR technique. Section 5 presents the experimental results. Section 6 discusses related work and Section 7 concludes with directions for future work.
In this paper, we consider transition systems that are described in terms of boolean and unbounded integer variables.
An infinite-state transition system is described by a Kripke structure , where , , , and denote the state space, set of initial states, the transition relation, and the set of state variables, respectively. such that , , and .
Given a Kripke structure, and a set of states , the post-image operator, , computes the set of states that can be reached from the states in in one step:
Similarly, the pre-image operator, , computes the set of states that can reach the states in in one step:
Model Checking via Fixpoint Approximations.
Symbolic Computation-Tree Logic (CTL) model checking algorithms decide whether a given Kripke structure, , satisfies a given CTL correctness property, , by checking whether , where denotes the set of states that satisfy in . Most CTL operators have either least fixpoint (, ) or greatest fixpoint (, ) characterizations in terms of the pre-image operator.
|Variables||, , , , : integer|
|, : think, try, cs|
Symbolic CTL model checking for infinite-state systems may not converge. Consider the so-called ticket mutual exclusion model for two processes And91 given in Figure 1. Each process gets a ticket number before attempting to enter the critical section. There are two global integer variables, and , that show the next ticket value that will be available to obtain and the upper bound for tickets that are eligible to enter the critical section, respectively. Local variable represents the ticket value held by process . We added variable to model an update in the critical region. It turns out that checking for this model does not terminate.
One way is to compute an over or an under approximation to the fixpoint computations as proposed in BGP97 and check , i.e., check whether all initial states in satisfy an under-approximation (denoted by superscript ) of the correctness property or check , i.e., check whether no initial state satisfies an over-approximation of the negated correctness property. If so, the model checker certifies that the property is satisfied. Otherwise, no conclusions can be made without further analysis.
The key in approximating a fixpoint computation is the availability of over-approximating and under-approximating operators. So we give the basic definitions and a brief explanation here and refer the reader to CH78 ; BGP97 for technical details on the implementation of these operators for Presburger arithmetic.
Given a complete lattice , , is a widening operator iff
For all increasing chains in L, the increasing chain is not strictly increasing, i.e., stabilizes after a number of terms.
Given a complete lattice , , is a dual of the widening operator iff
For all decreasing chains in L, the decreasing chain is not strictly decreasing, i.e., stabilizes after a number of terms.
The approximation of individual temporal operators in a CTL formula is decided recursively based on the type of approximation to be achieved and whether the operator is preceded by a negation. The over-approximation can be computed using the widening operator for least fixpoint characterizations and terminating the fixpoint iteration after a finite number of steps for greatest fixpoint characterizations. The under-approximation can be computed using the dual of the widening operator for the greatest fixpoint characterizations and terminating the fixpoint iteration after a finite number of steps for the least fixpoint characterizations. Another heuristic that is used in approximate symbolic model checking is to compute an over-approximation (denoted by superscript) of the set of reachable states (), a least fixpoint characterization, and to restrict all the fixpoint computations within this set.
Given an infinite-state transition system and , and a temporal property , the conclusive results obtained using fixpoint approximations for the temporal operators and the approximate set of reachable states are sound, i.e., (see BGP97 for the proof).
So for the example model in Figure 1, an over-approximation to , the negation of the correctness property, is computed using the widening operator. Based on the implementation of the widening operator in YB09 , it turns out that the initial states do not intersect with and hence the model satisfies .
Abstract Model Checking and Predicate Abstraction.
Let denote a set of predicates over integer variables. Let denote a predicate in and denote the boolean variable that corresponds to . represents an ordered sequence (from index 1 to ) of predicates in . The set of variables that appear in is denoted by . Let denote the set of next state predicates obtained from by replacing variables in each predicate with their primed versions. Let denote the set of that corresponds to each . Let , where denotes the set of variables in the concrete model.
A concrete state is predicate abstracted using a mapping function via a set of predicates by introducing a predicate boolean variable that represents predicate and existentially quantifying the concrete variables that appear in the predicates:
Concretization of abstract states.
An abstract state is mapped back to all the concrete states it represents by replacing each predicate boolean variable with the corresponding predicate :
Abstraction function provides a safe approximation for states:
A concrete transition system can be conservatively approximated by an abstract transition system through a simulation relation or a surjective mapping function involving the respective state spaces:
(Existential Abstraction) Given transition systems and , approximates (denoted ) iff
where is a surjective function from to .
It is a known Loi95 fact that one can use a Galois connection to construct an approximate transition system. Basically, is used as the mapping function and is used to map properties of the approximate or abstracted system to the concrete system:
Given transition systems and
, assume that , the ACTL formula describes properties of , and forms a Galois connection. represents a transformation on that descends on the subformulas recursively and transforms every atomic atomic formula with (see CGL94 for details).
For example, let be , where and represent and , respectively, when the model in Figure 1 is predicate abstracted wrt to the set of predicates and the Galois connection defined as in Equations 1 and 2. Then, .
The preservation of ACTL properties when going from the approximate system to the concrete system is proved for existential abstraction in CGL94 . Here, we adapt it to an instantiation of existential abstraction using predicate abstraction as in CGT03 :
Assume , denotes an ACTL formula that describes a property of , denotes the transformation of the correctness property as in Definition 2.7, and forms a Galois connection and defines predicate abstraction and concretization as given in Equations 1 and 2, respectively. Then, implies .
Preservation of atomic properties:
If a state in satisfies an atomic abstract property , due to the correctness preserving
property of a Galois connection, also satisfies Niel99 . Due to soundness of the mapping between the states in to states in and monotonic property of and , any state in that gets mapped to , that is every state in also satisfies .
Preservation of ACTL Properties: Follows from Corollary 1 in CGL94 and using as the mapping function in CGL94 . ∎
3 Partial Predicate Abstraction
In Section 3.1, we introduce a symbolic abstraction operator for transitions and an over-approximating abstract post operator derived from it. The abstract post operator enables partial predicate abstraction of an infinite-state system. Section 3.2 elaborates on the proposed hybrid approach that combines predicate abstraction and fixpoint approximations to perform CTL model checking of infinite-state systems. It also demonstrates soundness of the hybrid approach, which follows from the soundness results of the individual approaches and the over-approximating nature of the proposed abstract post operator.
3.1 Computing A Partially Predicate Abstracted Transition System
We compute an abstraction of a given transition system via a set of predicates such that only the variables that appear in the predicates disappear, i.e., existentially quantified, and all the other variables are preserved in their concrete domains and in the exact semantics from the original system. As an example, using the set of predicates , we can partially abstract the model in Figure 1 in a way that is removed from the model, two new boolean variables (for ) and (for ) are introduced, and , , , , , and remain the same as in the original model.
A concrete transition is predicate abstracted using a mapping function via a set of current state predicates and a set of next state predicates by introducing a predicate boolean variable that represents predicate in the current state and a predicate boolean variable that represents predicate in the next state and existentially quantifying the current and next state concrete variables that appear in the current state and next state predicates:
where represents a consistency constraint that if all the abstracted variables that appear in a predicate remains the same in the next state then the corresponding boolean variable is kept the same in the next state:
Concretization of abstract transitions.
An abstract transition is mapped back to all the concrete transitions it represents by replacing each current state boolean variable with the corresponding current state predicate and each next state boolean variable with the corresponding next state predicate :
For instance, for the model in Figure 1 and predicate set , partial predicate abstraction of , , is computed as
It is important to note that the concrete semantics pertaining to the integer variables and and the enumerated variable are preserved in the partially abstract system.
Abstraction function represents a safe approximation for transitions:
defines a Galois connection (see the Appendix for the proof).
One can compute an over-approximation to the set of reachable states via an over-approximating abstract post operator that computes the abstract successor states:
provides an over-approximate post operator:
We need to show the following:
3.2 Combining Predicate Abstraction with Fixpoint Approximations
At the heart of the hybrid approach is a partially predicate abstracted transition system and we are ready to provide a formal definition:
Given a concrete infinite-state transition system and a set of predicates , where , the partially predicate abstracted transition system is defined as follows:
A partially predicate abstracted transition system defined via and functions is a conservative approximation of the concrete transition system.
Let the abstract transition system be defined as in Definition 3.1 with respect to the concrete transition system and the set of predicates . approximates : .
It is straightforward to see, i.e., by construction, that implies . To show implies , we need to show that implies , which follows from Lemma 3.2: and , and hence . ∎
Therefore, ACTL properties verified on also holds for :
Let the abstract transition system be defined as in Definition 3.1 with respect to the concrete transition system and the set of predicates . Given an ACTL property , .
Using fixpoint approximation techniques on an infinite-state partially predicate abstracted transition system in symbolic model checking of CTL properties BGP97 preserves the verified ACTL properties due to Lemma 2.1 and Lemma 3.4.
Restricting the state space of an abstract transition system with an over-approximation of the set of reachable states also preserves the verified ACTL properties:
Let the abstract transition system be defined as in Definition 3.1 with respect to the concrete transition system . Let . Given an ACTL property , .
As an example, using the proposed hybrid approach one can show that the concrete model, given in Figure 1 satisfies the correctness property by first generating a partially predicate abstracted model, , wrt the predicate set and performing approximate fixpoint computations to prove . Due to Theorem 3.1, if satisfies , it can be concluded that satisfies .
The main merit of the proposed approach is to combat the state explosion problem in the verification of problem instances for which predicate abstraction does not provide the necessary precision (even in the case of being embedded in a CEGAR loop) to achieve a conclusive result. In such cases approximate fixpoint computations may turn out to be more precise. The hybrid approach may provide both the necessary precision to achieve a conclusive result and an improved performance by predicate abstracting the variables that do not require fixpoint approximations.
4 Counter-Example Guided Abstraction and Approximation Refinement
In this section, we present a counter-example guided abstraction and approximation refinement technique for partial predicate abstraction (CEGAAR) in the context of CTL model checking. The individual techniques that are combined in partial predicate abstraction have their own specialized techniques for refinement. Counter-example guided abstraction refinement (CEGAR) CGJ00 has been shown to be an effective way for improving precision of predicate abstraction by inferring new predicates based on the divergence between the abstract counter-example path and the concrete paths. Approximation refinement, on the other hand, involves shrinking the solution set for over-approximations and expanding the solution set for under-approximations.
In partial predicate abstraction, a fundamental dilemma is whether to apply abstraction refinement or approximation refinement. Since model checking of infinite-state systems is undecidable and both CEGAR and approximation refinement techniques may not terminate and, hence, may fail to provide a conclusive result, whatever approach we follow in applying these alternative techniques may not terminate either.
In this paper, we choose to guide the refinement process using counter-examples. However, a novel aspect of our approach is its ability to recognize source of the imprecision. So, if the imprecision is due to approximation, it switches from abstraction refinement to approximation refinement. After entering the approximation refinement mode, it may switch back to abstraction refinement, end with a conclusive result, or may keep staying in the same mode. This process of possibly interleaved refinement continues until the property is verified, a real counter-example is reached, or no new predicates can be inferred.
Figure 2 shows the CEGAAR algorithm. It gets a concrete transition system, the concrete correctness property to be checked, and a set of seed predicates. It is important that any integer variable that appears in the property can be precisely abstracted using the seed predicates so that Theorem 3.1 can be applied in a sound way. This fact is specified in the precondition of the algorithm. The algorithm also uses some global settings: the widening seed and the over-approximation bound . The former parameter decides how early in least fixpoint computations widening can be applied, e.g., 0 means starting from the first iteration, and the latter parameter decides when to stop the greatest fixpoint computation. Stopping early results in a less precise approximation than stopping at a later stage. However, the overhead gets bigger as the stopping is delayed. The algorithm keeps local variables and that receive their initial values from the global variables and , respectively (lines 5-6).
The algorithm keeps a worklist, which is a list of set of predicates to be tried for partial predicate abstraction. A challenge in CEGAR is the blow-up in the number of predicates as new predicates get inferred. To deal with this problem, we have used a breadth-first search (BFS) strategy to explore the predicate choices that are stored in the worklist until a predicate set producing a conclusive result can be found. The work list is initialized to have one item, the seed set of predicates, before the main loop gets started (lines 7-8).
The algorithm runs a main loop starting from an initial state, where abstraction is the current refinement strategy (line 9). In abstraction refinement mode, the algorithm removes a predicate set from the work list to use as the current predicate set , resets approximation parameters to their default global values (lines 13-15), and computes an abstract version of the transition system via partial predicate abstraction with the current predicate set (line 19). Then (line 20) the algorithm computes the fixpoint for the negation of the property, which happens to be an ECTL222Fragment of CTL in which only existential versions of temporal operators appear. property. The fixpoint iterates are stored in a map (declared in line 20), which can be queried for the parts of the formula to get the relevant fixpoint iterates, which are stored in a list. As an example, we can access the fixpoint solution for subformula with expression. Indices start at 1 and both and represent the first iterate and both and represent the solution set.
If the fixpoint solution to the negation of the property does not have any states in common with the set of initial states, then the property is satisfied and the algorithm terminates (lines 22-23). Otherwise, the property is not satisfied in the abstract system. At this point, GenAbsWitness is called to find out if there is a divergence between the abstract witness path for the negation of the property and the concrete transition system. If there is a divergence due to abstraction (line 27), refinement mode will set to abstraction refinement (line 28) and a Craig Interpolant is computed (line 30) for the reachable concrete states that can never reach the divergence point, deadend states, and the concrete states that can, bad states CTV03 . We use the half-space interpolants algorithm presented in AM13 to compute a compact refinement predicate. We encode the constraint for the half-space interpolant using the Omega Library omega , the polyhedra library used in ALV. If the number of variables used in the encoding reaches the limit set by the Omega Library, we revert back to a mode where we collect all the predicates in the deadend states.
When a set of refinement predicates is discovered for a given spurious counter-example path, rather than extending the current predicate set with in one shot, it considers as many extensions of as by extending with a single predicate from at a time (lines 31-33) and adds all these predicate sets to the queue to be explored using BFS. In the context of partial predicate abstraction, this strategy has been more effective in generating conclusive results compared to adding all refinement predicates at once, which has caused blow-ups in time and/or memory leading to inconclusive results for our benchmarks.
If the divergence between the abstract witness path and the concrete transition system is due to approximation, refinement mode is switched to approximation refinement and approximation parameters are updated based on the depth of the abstract witness path up to the divergence point (lines 35-37). So in this mode, rather than updating the current predicate set, the same abstract transition system is used with updated approximation parameters. The process will continue until a conclusive result is obtained or a real witness to the negation of the property can be found, i.e. the divergence is due to neither the abstraction nor the approximation (lines 38-39).
4.1 Divergence Detection
Divergence detection requires generation of possible witnesses to the negation of the property, which happens to be an ECTL property. Figure 3 presents algorithm GenAbsWitness that starts from the abstract and concrete initial states and uses the solution sets for each subformula stored in to generate a witness path by adding abstract states to the list as the solution sets are traversed. It should be noted that the witness, representing a counter-example to ACTL, is a tree-like structure as defined in CJL02 . So algorithm GenAbsWitness traverses paths on this tree to check existence of a divergence. It calls algorithm GenAbsWitnessHelper, which additionally keeps track of previous states of the abstract and concrete states. When this algorithm is called the first time (line 4) in Figure 3, the previous abstract and the previous concrete states are passed as false in the parameter list as the current states, both in the abstract and in the concrete, represent the initial states. Since ECTL can be expressed with temporal operators EX, EU, EG, and logical operators , , and , we present divergence detection in Figures 7 - 11 for these operators excluding as negation is pushed inside and appears before atomic formula only. Before explaining divergence checking for each type of operator, we first explain divergence detection algorithm.
Figure 5 presents the algorithm Divergence for checking divergence between an abstract path starting at an abstract initial state and ending at abstract state and a parallel concrete path starting at the concrete initial path and ending at concrete state . The algorithm also gets as input the previous states of and as and , respectively. If both previous states are false (lines 4-5), divergence is not possible as and represent the abstract and concrete initial states, respectively, and due to partial predicate abstraction being an Existential Abstraction (see 2.6). However, for any state other than the initial state, divergence may occur if is not enabled for the same transition that is enabled for. In that case (line 6, holding true), the algorithm computes the Deadend states, which represent those reachable concrete states that do not have any transition to the concrete states that map to abstract state (line 8), and the Bad states, which represent those concrete states that map to abstract previous state and can transition to states that map to (line 9). If all the variables are predicate abstracted, the set of Bad states cannot be empty CTV03 . However, due to partial predicate abstraction and existence of fixpoint approximations for concrete integer variables, Bad can be empty as approximation may add transitions that correspond to multiple steps. An important detail is to record the reason for divergence. If the set of Bad states is empty, divergence is due to approximation (line 10), 333Note that an over-approximation is computed for the negation of the formula, which gets propagated to each temporal operator.. Otherwise, it is due to abstraction, in which case the Deadend and the Bad states are recorded as the conflicting states (line 13) to be passed to Craig Interpolation procedure as shown in Figure 2.