Refinement of LTL Formulas for Abstract Model Checking

María del Mar Gallardo, Pedro Merino, Ernesto Pimentel
Universidad de Málaga
{gallardo,pedro,ernesto}@lcc.uma.es

Index of the talk

- Abstract Model Checking
- Two dual methods for abstracting properties
- The Extended relation
- Dealing with Imprecision
- Dealing with Incompleteness
- Intermediate Precision
- Conclusions

Model Checking

A powerful method to verify complex software systems.

It differs from classic deductive methods in several aspects:

 • It is only applicable to small or medium size systems due to the state-explosion problem

 • It is a fully automatic method

The Process of Model Checking

Applying model checking consists of

Modelling: specify the system M using a modelling language.

Specification: state the properties f that the design must satisfy. It is common to use temporal logic.

Verification: use a model checking algorithm |= to check whether the design is a model of the property:

    M |= f

The State-Explosion Problem

What can we do if the tool cannot answer the question M |= f due to the state-explosion problem?

Symbolic Model Checking: uses Binary Decision Diagrams (BDDs) to represent transition systems.

Partial Order Reduction: techniques that exploit the independence of concurrently executed events.

Bit State Techniques: each system state is represented by a bit; this produces partial model checking.

Abstract Model Checking: obtain more reduced models using Abstract Interpretation.

Integrating Model Checking and Abstraction

If the tool can prove neither M |= f nor M ⊭ f due to the state-explosion problem:

1. Construct a reduced/abstract model M^α

2. Define an abstract satisfiability relation |=^α_c (usually denoted by |= in the literature)

3. Study the preservation results regarding universal (∀f) or existential (∃f) properties:

    M^α |= ∀f ⇒ M |= ∀f        M^α |= ∀f ⇐ M |= ∀f
    M^α |= ∃f ⇒ M |= ∃f        M^α |= ∃f ⇐ M |= ∃f

Abstract Model Checking

Two alternatives:

1. M^α over-approximates M: each concrete execution corresponds to an abstract one.

    M^α |= ∀f ⇒ M |= ∀f

2. M^α_∃ under-approximates M: each abstract execution corresponds to a concrete one.

    M^α_∃ |= ∃f ⇒ M |= ∃f

Abstract Model Checking: our proposal

What do we do when M^α ⊭ ∀f?

M^α may contain "spurious traces" that may lead to false results. In order to eliminate them, we may

1. Focus on the abstract model M^α and refine it into M^α_r (counter-example guided refinement / model-driven refinement): (Dams et al., 1997), (Clarke et al., 2000), (Giacobazzi et al., 2001).

    M^α_r |= ∀f

2. Focus on the property f, and use the model checking mechanism |= to automatically refine the model M^α.

    M^α ⊢ ∀f

Abstracting the model

Execution of concurrent programs may be defined by means of labelled transition systems such as M = (A, Σ, →, s0), where

1. A is the set of observable atomic actions

2. Σ is the set of states

3. → ⊆ Σ × A × Σ is a labelled transition relation. We write s −a→ s' for (s, a, s') ∈ →

4. s0 ∈ Σ is the initial state

O(M) = {x : x = s0 −a0→ ... is a full-trace} defines the trace semantics determined by the transition system M.

Abstract Interpretation of Transition Systems

Let M = (A, Σ, →, s0) and M^α = (A, Σ^α, →^α, s^α_0) be two labelled transition systems, and let

I^α = (Σ, (Σ^α, ≤^α), α) be an abstract interpretation of the set of states Σ, where

≤^α is a partial order

α : Σ → Σ^α is the abstraction function

Abstract Interpretation of Transition Systems

Definition. We say that M^α is I^α-correct wrt M iff ∀x ∈ O(M) there exists x^α ∈ O(M^α) such that α(x) ≤^α x^α.

Imprecision vs. Incompleteness

Example

Abstraction: α(s_i) = s^α and α(t) = t^α.

Concrete model M: traces s0 t, s0 s1 t, s0 s1 s2 ... t, ...

Abstract model M^α: states s^α and t^α

Spurious trace: s^α s^α s^α ... s^α ... (an abstract trace that never leaves s^α and corresponds to no concrete trace)

Our Temporal Logic

Given a set of propositions Prop, construct the set P = Prop ∪ ¬Prop, where ¬Prop = {¬p : p ∈ Prop}.

The set of LTL temporal formulas F is built inductively using
 - the elements of P
 - the standard Boolean operators (except ¬)
 - the temporal operators: next "○", always "□", eventually "◇", until "U"

(Weak) Kripke Structures

Given M = (A, Σ, →, s0) and τ : Σ → 2^P,

K = ⟨M, τ⟩ is a weak Kripke structure.

It is a Kripke structure when
    the Principle of Non-Contradiction holds, i.e. ∀s ∈ Σ, ∀p ∈ Prop: p ∉ τ(s) ∨ ¬p ∉ τ(s)
    the Principle of Excluded Middle holds, i.e. ∀s ∈ Σ, ∀p ∈ Prop: p ∈ τ(s) ∨ ¬p ∈ τ(s)

K defines an interpretation of both actions and atomic propositions.

Satisfiability Relation

Definition. Given K = ⟨M, τ⟩ a weak Kripke structure, x = t0 −a0→ t1 ..., p ∈ P, and f, g ∈ F (x^k denotes the suffix of x starting at t_k):

 x |=τ p        ⇔ p ∈ τ(t0)
 x |=τ f ∨ g    ⇔ x |=τ f or x |=τ g
 x |=τ f ∧ g    ⇔ x |=τ f and x |=τ g
 x |=τ f → g    ⇔ x |=τ f implies x |=τ g
 x |=τ ○f       ⇔ x^1 |=τ f
 x |=τ □f       ⇔ ∀k ≥ 0. x^k |=τ f
 x |=τ ◇f       ⇔ ∃k ≥ 0. x^k |=τ f
 x |=τ f U g    ⇔ ∃k ≥ 0. (x^k |=τ g and ∀j < k. x^j |=τ f)

1. Universal formulas: M |=τ ∀f iff ∀x ∈ O(M). x |=τ f.

2. Existential formulas: M |=τ ∃f iff ∃x ∈ O(M). x |=τ f.

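The trace semantics just defined, as an added example that is not part of the original slides: a small Python evaluator for F over traces of a weak Kripke structure, where a state's label is a set of literals that may contain neither or both of p and ¬p. Traces are stored as lassos (a finite prefix plus a loop repeated forever), which is the shape every trace of a finite transition system has. The tuple encoding of formulas, the names holds, sat_universal and sat_existential, and the sample traces (shaped like the running example s0 t, s0 s1 t, ...) are this example's own assumptions.

```python
# Added example (not from the slides): the LTL trace semantics of the
# Satisfiability Relation definition, evaluated over lasso-shaped traces
# of a weak Kripke structure.
#
# A state label is a frozenset of literals over P = Prop ∪ ¬Prop; a literal
# is spelled 'p' or '¬p'. Because the structure is only *weak*, a label may
# contain neither p nor ¬p (no excluded middle) or both (no non-contradiction).
#
# An infinite trace x = t0 t1 ... of a finite system is ultimately periodic,
# so it is stored as (prefix, loop): the states of prefix followed by the
# states of loop repeated forever.
#
# Formulas are nested tuples (F is negation-free; ¬ only occurs in literals):
#   ('lit', 'p') / ('lit', '¬p')
#   ('or', f, g)   ('and', f, g)   ('imp', f, g)
#   ('X', f) next   ('G', f) always   ('F', f) eventually   ('U', f, g) until

def state_at(trace, i):
    """Label of t_i, the i-th state of prefix · loop^ω."""
    prefix, loop = trace
    if i < len(prefix):
        return prefix[i]
    return loop[(i - len(prefix)) % len(loop)]

def suffix_positions(trace, i):
    """Positions k >= i whose suffixes x^k are pairwise distinct.
    Once k >= len(prefix), the suffix at k + len(loop) equals the suffix
    at k, so inspecting these positions decides □, ◇ and U exactly."""
    prefix, loop = trace
    return range(i, max(i, len(prefix)) + len(loop))

def holds(f, trace, i=0):
    """x^i |=τ f, clause by clause as in the definition (x^i = suffix at t_i)."""
    kind = f[0]
    if kind == 'lit':                                  # x |=τ p  ⇔ p ∈ τ(t0)
        return f[1] in state_at(trace, i)
    if kind == 'or':
        return holds(f[1], trace, i) or holds(f[2], trace, i)
    if kind == 'and':
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if kind == 'imp':
        return (not holds(f[1], trace, i)) or holds(f[2], trace, i)
    if kind == 'X':                                    # x |=τ ○f ⇔ x^1 |=τ f
        return holds(f[1], trace, i + 1)
    if kind == 'G':                                    # ∀k. x^k |=τ f
        return all(holds(f[1], trace, k) for k in suffix_positions(trace, i))
    if kind == 'F':                                    # ∃k. x^k |=τ f
        return any(holds(f[1], trace, k) for k in suffix_positions(trace, i))
    if kind == 'U':                    # ∃k. x^k |=τ g and ∀j<k. x^j |=τ f
        for k in suffix_positions(trace, i):
            if holds(f[2], trace, k):
                return True
            if not holds(f[1], trace, k):
                return False
        return False                   # f held at every position, g never
    raise ValueError(f"unknown formula {f!r}")

def sat_universal(traces, f):
    """M |=τ ∀f  ⇔  ∀x ∈ O(M). x |=τ f"""
    return all(holds(f, x) for x in traces)

def sat_existential(traces, f):
    """M |=τ ∃f  ⇔  ∃x ∈ O(M). x |=τ f"""
    return any(holds(f, x) for x in traces)

def lit(name):
    return ('lit', name)

# Constructed sample: three traces shaped like the running example of the
# slides, s0 t, s0 s1 t, s0 s1 s2 ... t, with s0: p,q,r; s_i: p,¬q,r; t: ¬p,¬q,r.
S0 = frozenset({'p', 'q', 'r'})
S1 = frozenset({'p', '¬q', 'r'})
T = frozenset({'¬p', '¬q', 'r'})
TRACES = [([S0], [T]), ([S0, S1], [T]), ([S0, S1, S1], [T])]

if __name__ == '__main__':
    print('M |= ∀□r       :', sat_universal(TRACES, ('G', lit('r'))))
    print('M |= ∀◇¬p      :', sat_universal(TRACES, ('F', lit('¬p'))))
    print('M |= ∀(p U ¬p) :', sat_universal(TRACES, ('U', lit('p'), lit('¬p'))))
    print('M |= ∃□p       :', sat_existential(TRACES, ('G', lit('p'))))
    # Weak labels: a state with neither p nor ¬p, and one with both.
    print('{r} |= p ∨ ¬p   :', holds(('or', lit('p'), lit('¬p')), ([], [frozenset({'r'})])))
    print('{p,¬p} |= p ∧ ¬p:', holds(('and', lit('p'), lit('¬p')), ([], [frozenset({'p', '¬p'})])))
```

The last two calls are the ones the "weak" in weak Kripke structure buys: with the label {r} neither p nor ¬p is satisfied, and with {p, ¬p} both are, so p ∨ ¬p can fail and p ∧ ¬p can hold on a trace. This is exactly the room in which the under- and over-approximating labellings of the following slides live.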
The Classic Method

Given the weak Kripke structures K = ⟨M, τ⟩ and K^α_c = ⟨M^α, τ^α_c⟩,

the classic way of defining τ^α_c(s^α) is

    τ^α_c(s^α) = ∩ {τ(s) | α(s) ≤^α s^α}        (Under_c)

Properties of Under_c

It is possible that p ∉ τ^α_c(s^α) and ¬p ∉ τ^α_c(s^α)

τ^α_c under-approximates τ: α(s) ≤^α s^α ⇒ τ(s) ⊇ τ^α_c(s^α)

τ^α_c is monotonically decreasing: s^α_1 ≤^α s^α_2, ∃s. α(s) ≤^α s^α_1 ⇒ τ^α_c(s^α_1) ⊇ τ^α_c(s^α_2)

The Classic Method: Preservation Results I

The extension to abstract traces preserves the satisfiability relation from the abstract to the concrete model:

    α(x) ≤^α x^α ⇒ (x^α |=^α_c f ⇒ x |= f)

Theorem. Given f ∈ F, M^α |=^α_c ∀f ⇒ M |= ∀f.

Example: The classic method

Concrete Kripke structure K: s0: p,q,r; s1, s2, ...: p,¬q,r; t: ¬p,¬q,r, with traces s0 t, s0 s1 t, s0 s1 s2 ... t, ...

Abstract Kripke structure K^α: s^α: p,r; t^α: ¬p,¬q,r

[Figure: the slide lists two temporal properties, one over r and one over p, verified with |=^α_c on M^α and transferred to M (M^α |=^α_c f ⇒ M |= f), and one temporal property over p with M^α ⊭^α_c f.]

The Over-Approximation Method

Given the weak Kripke structures K = ⟨M, τ⟩ and K^α = ⟨M^α, τ^α⟩, the dual way of defining τ^α(s^α) is

    τ^α(s^α) = ∪ {τ(s) | α(s) ≤^α s^α}        (Over)

Properties of Over

It is possible that p ∈ τ^α(s^α) and ¬p ∈ τ^α(s^α)

τ^α over-approximates τ: α(s) ≤^α s^α ⇒ τ(s) ⊆ τ^α(s^α)

τ^α is monotonically increasing: s^α_1 ≤^α s^α_2 ⇒ τ^α(s^α_1) ⊆ τ^α(s^α_2)

Over-Approximation: Preservation Results II

The extension to abstract traces preserves the satisfiability relation from the concrete to the abstract model:

    α(x) ≤^α x^α ⇒ (x |= f ⇒ x^α |=^α f)

Theorem. Given f ∈ F, M^α ⊭^α ∃f ⇒ M ⊭ ∃f.

Example: The over-approximation method

Concrete Kripke structure K: as in the previous example.

Abstract Kripke structure K^α: s^α: p,r,q,¬q; t^α: ¬p,¬q,r

[Figure: the slide lists two existential temporal properties, one over ¬r and one over ¬p, refuted on M^α and transferred to M (M^α ⊭^α f ⇒ M ⊭ f), and one temporal property over ¬q that holds under |=^α (the imprecise case).]

Relating the classic and the over-approximation methods

Definition. We say that p ∈ P is precise in the original structure K = ⟨M, τ⟩ iff ∀s ∈ Σ,

    p ∈ τ(s) ⇔ ¬p ∉ τ(s)          (Prec_p)

Proposition. Given p ∈ P and f ∈ F,
    (a) ∀s^α ∈ Σ^α. (¬p ∉ τ^α(s^α) ⇔ p ∈ τ^α_c(s^α))
    (b) ∀x^α ∈ O(M^α). (x^α ⊭^α ¬f ⇔ x^α |=^α_c f)

Relating the classic and the over-approximation methods

Proposition. Given f ∈ F,
    (a) M^α |=^α_c ∀f ⇒ M^α |=^α ∀f
    (b) M^α ⊭^α ∃f ⇒ M^α ⊭^α_c ∃f
    (c) M^α |=^α_c ∀f ⇔ M^α ⊭^α ∃¬f

Point (c) says that both methods may be used for proving or refuting a given property.

But, in practice, it is not always possible/efficient to construct/verify the negation normal form of a temporal formula. For instance, ¬(p U q).

The Extended Relation

Definition. Consider the sets P^α = {p^α : p ∈ P} and P̄ = P ∪ P^α. We construct the weak Kripke structure K^α_P̄ = ⟨M^α, τ^α_P̄⟩, where τ^α_P̄ : Σ^α → 2^P̄ is defined as:

    p ∈ τ^α_P̄(s^α) ⇔ ¬p ∉ τ^α(s^α) (⇔ p ∈ τ^α_c(s^α))
    p^α ∈ τ^α_P̄(s^α) ⇔ p ∈ τ^α(s^α)

The relation ⊢ denotes the satisfiability relation |=τ of the Satisfiability Relation definition taken with τ = τ^α_P̄.

x^α ⊢ p means that the abstract satisfaction of p does not involve loss of information.

x^α ⊢ p^α means that the abstract satisfaction of p "may" involve loss of information. x^α ⊢ p ⇒ x^α ⊢ p^α

The Extended Relation

Let F̄ denote the set of temporal formulas which can be constructed using the atomic propositions of P̄, and let f^α be f with every p replaced by p^α. Then

    x^α ⊢ f^α ⇔ x^α |=^α f
    x^α ⊢ f ⇔ x^α |=^α_c f

so ⊢ may be used to model both the classic relation |=^α_c and |=^α.

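The two dual labellings Under_c (The Classic Method) and Over (The Over-Approximation Method), the precision condition Prec_p and Proposition (a) of the slide relating the two methods, and the extended labelling τ^α_P̄ of The Extended Relation, as an added example that is not from the slides: it computes all of them for the running example abstraction α(s_i) = s^α, α(t) = t^α and checks Proposition (a) on it. It assumes ≤^α is equality on abstract states (so α(s) ≤^α s^α reads α(s) = s^α); the function names and the spelling 'p^α' for the abstract literal p^α are this example's own.

```python
# Added example (not from the slides): the two dual abstract labellings,
# Under_c and Over, the precision condition Prec_p and the extended labelling
# over P̄ = P ∪ P^α, computed for the running example abstraction
# α(s_i) = s^α, α(t) = t^α.
# Assumption: ≤α is equality on abstract states, so "α(s) ≤α s^α" is
# "α(s) == s^α". Literals are spelled 'p' / '¬p'; the abstract literal
# p^α of P^α is spelled 'p^α'. All names here are this example's own.

from functools import reduce

def neg(lit):
    """¬ as an involution on literals: neg('p') == '¬p', neg('¬p') == 'p'."""
    return lit[1:] if lit.startswith('¬') else '¬' + lit

def concretes(alpha, s_abs):
    """Concrete states s with α(s) ≤α s^α (here: α(s) == s^α)."""
    return [s for s, a in alpha.items() if a == s_abs]

def under_c(tau, alpha, s_abs):
    """Classic labelling:  τc(s^α) = ∩ { τ(s) | α(s) ≤α s^α }  (Under_c)."""
    labels = [tau[s] for s in concretes(alpha, s_abs)]
    return reduce(frozenset.intersection, labels) if labels else frozenset()

def over(tau, alpha, s_abs):
    """Dual labelling:  τ^α(s^α) = ∪ { τ(s) | α(s) ≤α s^α }  (Over)."""
    return frozenset().union(*(tau[s] for s in concretes(alpha, s_abs)))

def is_precise(tau, p):
    """Prec_p: p ∈ τ(s) ⇔ ¬p ∉ τ(s) for every concrete state s."""
    return all((p in tau[s]) == (neg(p) not in tau[s]) for s in tau)

def extended(tau, alpha, s_abs, props):
    """Extended labelling τ^α_P̄ over P̄ = P ∪ P^α, for every literal l of P
    (l ranges over both p and ¬p):
         l   ∈ τ^α_P̄(s^α) ⇔ ¬l ∉ τ^α(s^α)   (satisfying l loses no information)
         l^α ∈ τ^α_P̄(s^α) ⇔ l  ∈ τ^α(s^α)   (l "may" hold)"""
    ov = over(tau, alpha, s_abs)
    label = set()
    for p in props:
        for l in (p, neg(p)):
            if neg(l) not in ov:
                label.add(l)
            if l in ov:
                label.add(l + '^α')
    return frozenset(label)

def classify(tau, alpha, s_abs, p):
    """Incompleteness (Under_c says nothing about p) vs. imprecision
    (Over says both p and ¬p) at one abstract state."""
    uc, ov = under_c(tau, alpha, s_abs), over(tau, alpha, s_abs)
    return {'incomplete': p not in uc and neg(p) not in uc,
            'imprecise': p in ov and neg(p) in ov}

def proposition_a(tau, alpha, p):
    """Proposition (a) for a precise p: ¬p ∉ τ^α(s^α) ⇔ p ∈ τc(s^α), all s^α."""
    assert is_precise(tau, p), f'{p} is not precise in K'
    return all((neg(p) not in over(tau, alpha, s_abs)) == (p in under_c(tau, alpha, s_abs))
               for s_abs in set(alpha.values()))

# Constructed running example: s0: p,q,r; s1, s2: p,¬q,r; t: ¬p,¬q,r.
PROPS = ['p', 'q', 'r']
TAU = {'s0': frozenset({'p', 'q', 'r'}),
       's1': frozenset({'p', '¬q', 'r'}),
       's2': frozenset({'p', '¬q', 'r'}),
       't':  frozenset({'¬p', '¬q', 'r'})}
ALPHA = {'s0': 's^α', 's1': 's^α', 's2': 's^α', 't': 't^α'}

if __name__ == '__main__':
    for s_abs in ('s^α', 't^α'):
        print(s_abs, 'Under_c :', sorted(under_c(TAU, ALPHA, s_abs)))
        print(s_abs, 'Over    :', sorted(over(TAU, ALPHA, s_abs)))
        print(s_abs, 'Extended:', sorted(extended(TAU, ALPHA, s_abs, PROPS)))
    print('q at s^α:', classify(TAU, ALPHA, 's^α', 'q'))
    print('Proposition (a) holds for', [p for p in PROPS if proposition_a(TAU, ALPHA, p)])
```

On this input s^α gets Under_c = {p, r} (q is simply absent: incompleteness) and Over = {p, q, ¬q, r} (q and ¬q both present: imprecision), while the extended label {p, p^α, q^α, ¬q^α, r, r^α} records both facts at once: p and r are precise at s^α, and q "may" hold either way. t^α, with a single concrete state, gets the same label under every method.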
Dealing with Imprecision

Definition. We say that formula f ∈ F does not lose precision wrt O(M^α) iff ∀x^α ∈ O(M^α), if x^α |=^α f then x^α ⊭^α ¬f.

Proposition. Given f ∈ F, if M^α ⊢ ∀(f^α → f) then
    (a) M^α |=^α_c ∀f ⇔ M^α |=^α ∀f
    (b) M^α |=^α_c ∃f ⇔ M^α |=^α ∃f

Example: Dealing with imprecision

Concrete Kripke structure K: as before. Abstract Kripke structure K^α: s^α: p,r,q,¬q; t^α: ¬p,¬q,r

[Figure: the slide checks M^α ⊢ ∀(f^α → f) for the temporal property f over r, so that the classic verdict M^α |=^α_c f and the over-approximation verdict M^α |=^α f coincide for it.]

Dealing with Incompleteness

Proposition. Let f, g ∈ F.
    (a) M |= ∀g and M^α ⊢ ∀(g^α → f) ⇒ M |= ∀f
    (b) M ⊭ ∃g and M^α ⊢ ∀(f^α → g) ⇒ M ⊭ ∃f

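Worked chain for (a), added here and not taken from the slides; it only strings together Preservation Results II, the two clauses defining ⊢ and Preservation Results I, with x^α the abstract trace that I^α-correctness provides for each concrete x:

    M |= ∀g
    ⇒ ∀x ∈ O(M). x |= g                                  (definition of ∀)
    ⇒ ∀x ∈ O(M). x^α |=^α g   where α(x) ≤^α x^α         (Preservation Results II)
    ⇒ ∀x ∈ O(M). x^α ⊢ g^α                               (x^α ⊢ g^α ⇔ x^α |=^α g)
    ⇒ ∀x ∈ O(M). x^α ⊢ f                                 (hypothesis M^α ⊢ ∀(g^α → f))
    ⇒ ∀x ∈ O(M). x^α |=^α_c f                            (x^α ⊢ f ⇔ x^α |=^α_c f, f ∈ F)
    ⇒ ∀x ∈ O(M). x |= f                                  (Preservation Results I)
    ⇒ M |= ∀f

For (b) the same chain is applied to a single concrete trace x with x |= f: x^α ⊢ f^α, so the hypothesis M^α ⊢ ∀(f^α → g) gives x^α ⊢ g, hence x^α |=^α_c g and x |= g. Every concrete trace satisfying f therefore satisfies g, which is what carries the verdict on ∃g over to ∃f.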
Example: Dealing with incompleteness

[Figure: transition system with global variables Int x, proc; x = Min. Process P1 has states o1, o2 and transitions even(x)/proc = 1 and odd(x)/proc = 1. Process P2 has states s1, s2, s3 and transitions x != Max/proc = 2 followed by /x = x+1, and x != Min/proc = 2 followed by /x = x-1.]

Property: noprogress, a temporal formula over (proc == 1); the slide states M ⊭ noprogress.

[Figure: concrete model with states ⟨s1, o1, x=0, proc⟩, ⟨s1, o2, x=0, proc=1⟩, ⟨s2, o1, x=0, proc=2⟩, ⟨s2, o2, x=0, proc=1⟩, ⟨s1, o1, x=1, proc=2⟩, ⟨s1, o1, x=2, proc=2⟩, ... The question whether M ⊭ f, for the temporal property f over (x == Max), is left open on the concrete model.]

Abstract model: α(Min) = min, α(Max) = max, α(v) = middle for min < v < max.

[Figure: abstract model with states ⟨s1, o1, x=min, proc⟩, ⟨s1, o2, x=min, proc=1⟩, ⟨s2, o1, x=min, proc=2⟩, ⟨s1, o1, x=middle, proc=2⟩, ⟨s1, o2, x=middle, proc=1⟩, ⟨s1, o1, x=middle, proc=1⟩, ⟨s1, o2, x=max, proc=2⟩, ⟨s1, o2, x=max, proc=1⟩, linked by the transitions even(x)/proc = 1, odd(x)/proc = 1, x != Max/proc = 2 and /x = x+1.]

Conclusion: M ⊭ noprogress and M^α ⊢ ∀(f^α → noprogress), hence M ⊭ f, for the temporal property f over (x == Max) (the pattern of Proposition (b)).

Intermediate Precision

Relation ⊢ induces a partial order relation ⇒ over the set of formulas F̄ as

    f1 ⇒ f2 ⇔ ∀x^α ∈ O(M^α). x^α ⊢ f1 ⇒ x^α ⊢ f2

Clearly, it holds that for all f ∈ F, f ⇒ f^α.

We may construct an intermediate Kripke structure K_i = ⟨M^α, τ^α_i⟩ with

    ∀s^α ∈ Σ^α, τ^α_c(s^α) ⊆ τ^α_i(s^α) ⊆ τ^α(s^α)

Intermediate Precision

Consider the sets P^i = {p^i : p ∈ P} and P̄ = P ∪ P^α ∪ P^i. We construct the weak Kripke structure K^α_P̄ = ⟨M^α, τ^α_P̄⟩, where τ^α_P̄ : Σ^α → 2^P̄ is defined as:

    p ∈ τ^α_P̄(s^α) ⇔ p ∈ τ^α_c(s^α),
    p^i ∈ τ^α_P̄(s^α) ⇔ p ∈ τ^α_i(s^α),
    p^α ∈ τ^α_P̄(s^α) ⇔ p ∈ τ^α(s^α)

Now consider the extension of F̄:

    x^α ⊢ f^α ⇔ x^α |=^α f
    x^α ⊢ f^i ⇔ x^α |=^α_i f
    x^α ⊢ f ⇔ x^α |=^α_c f

∀f ∈ F, f ⇒ f^i ⇒ f^α

Methodological Guidelines: satisfaction-oriented method

Specify the desired property f ∈ F to be held over the model.

If M^α ⊢ ∀f, then M |= ∀f.

If M^α ⊬ ∀f, try ∀f^α.

If M^α ⊬ ∀f^α, the generous way of defining f^α makes an error on M very probable, except for spurious traces.

If M^α ⊢ ∀f^α, the model satisfies ∀f "from the abstract point of view", but this information may be too imprecise.

Methodological Guidelines: satisfaction-oriented method

The user may refine f with an intermediate formula f^i, verifying f ⇒ f^i ⇒ f^α.

If M^α ⊢ ∀f^i, then the user knows that property f holds on all traces of M up to the precision defined by f^i.

We could incrementally refine the formula until the desired precision is achieved.

The probability of obtaining a real error when M^α ⊬ ∀f^i decreases when the precision of f^i increases.

Conclusions

- Considering a unique correct abstract model M^α, we simultaneously achieve the preservation of the satisfaction of universal properties and the refutation of existential ones.
- The extended relation allows us to formalize the notion of precision of the abstract model with respect to the analysis of a given property.
- Using relation ⊢ allows us to implicitly refine the model. The model checking tool exclusively produces the part of M^α required to analyze the property.
- The approach is suitable for refining properties depending on the actual precision of the abstract model.
- We are currently extending our tool αSPIN to incorporate this capability: http://www.lcc.uma.es/~gisum/fmse/tools/

Slides SAS'2002

• 1. Refinement of LTL Formulas for Abstract Model Checking
María del Mar Gallardo, Pedro Merino, Ernesto Pimentel
Universidad de Málaga
{gallardo,pedro,ernesto}@lcc.uma.es

• 2. Index of the talk
- Abstract Model Checking
- Two dual methods for abstracting properties
- The Extended relation
- Dealing with Imprecision
- Dealing with Incompleteness
- Intermediate Precision
- Conclusions

• 3. Model Checking
A powerful method to verify complex software systems. It differs from classic deductive methods in several aspects:
- It is only applicable to small or medium size systems, due to the state-explosion problem.
- It is a fully automatic method.

• 4. The Process of Model Checking
Applying model checking consists of:
Modelling: specify the system M using a modelling language.
Specification: state the properties f that the design must satisfy. It is common to use temporal logic.
Verification: use a model checking algorithm |= to check whether the design is a model of the property: M |= f.

• 5. The State-Explosion Problem
What can we do if the tool cannot answer the question M |= f due to the state-explosion problem?
Symbolic Model Checking: uses Binary Decision Diagrams (BDDs) to represent transition systems.
Partial Order Reduction: techniques that exploit the independence of concurrently executed events.
Bit-State Techniques: each system state is represented by a bit; this produces partial (non-exhaustive) model checking.
Abstract Model Checking: obtain more reduced models using Abstract Interpretation.

• 6. Integrating Model Checking and Abstraction
If the tool can prove neither M |= f nor M ⊭ f due to the state-explosion problem:
1. Construct a reduced/abstract model M^α.
2. Define an abstract satisfiability relation |=^α_c (usually denoted simply by |= in the literature).
3. Study the preservation results regarding universal (∀f) or existential (∃f) properties:
   M^α |= ∀f ⇒ M |= ∀f
   M^α |= ∀f ⇐ M |= ∀f
   M^α |= ∃f ⇒ M |= ∃f
   M^α |= ∃f ⇐ M |= ∃f

• 7. Abstract Model Checking
Two alternatives:
1. M^α over-approximates M: each concrete execution corresponds to an abstract one.
   M^α |= ∀f ⇒ M |= ∀f
2. M^α_∃ under-approximates M: each abstract execution corresponds to a concrete one.
   M^α_∃ |= ∃f ⇒ M |= ∃f

• 8. Abstract Model Checking: our proposal
What do we do when M^α ⊭ ∀f?
M^α may contain "spurious traces", which may lead to false results. In order to eliminate them, we may:
1. Focus on the abstract model M^α and refine it into M^α_r (counter-example guided refinement / model-driven refinement): (Dams et al., 1997), (Clarke et al., 2000), (Giacobazzi et al., 2001).
   M^α_r |= ∀f
2. Focus on the property f, and use the model checking mechanism itself, through an extended satisfiability relation (written ⊩ below), to automatically refine the model M^α.
   M^α ⊩ ∀f

• 9. Abstracting the model
Execution of concurrent programs may be defined by means of labelled transition systems such as M = (A, Σ, →, s0), where
1. A is the set of observable atomic actions;
2. Σ is the set of states;
3. → ⊆ Σ × A × Σ is a labelled transition relation. We write s −a→ s' for (s, a, s') ∈ →;
4. s0 ∈ Σ is the initial state.
O(M) = {x : x = s0 −a0→ ... is a full trace} defines the trace semantics determined by the transition system M.

• 10. Abstract Interpretation of Transition Systems
Let M = (A, Σ, →, s0) and M^α = (A, Σ^α, →_α, s^α_0) be two labelled transition systems. Let I^α = (Σ, (Σ^α, ≤_α), α) be an abstract interpretation of the set of states Σ, where
≤_α is a partial order, and
α : Σ → Σ^α is the abstraction function.

• 11. Abstract Interpretation of Transition Systems
Definition. We say that M^α is I^α-correct wrt M iff ∀x ∈ O(M) there exists x^α ∈ O(M^α) such that α(x) ≤_α x^α.
Imprecision vs. Incompleteness

• 12. Example
[Figure: α(s_i) = s^α, α(t) = t^α. Concrete model M: the traces s0 t ..., s0 s1 t ..., s0 s1 s2 ... t ..., i.e. every concrete trace eventually reaches t. Abstract model M^α: s^α has a self-loop and an edge to t^α. Spurious trace: s^α s^α s^α ... s^α ..., which never reaches t^α.]

• 13. Our Temporal Logic
Given a set of propositions Prop, construct the set P = Prop ∪ ¬Prop, where ¬Prop = {¬p : p ∈ Prop}.
The set of LTL temporal formulas F is built inductively using
- the elements of P,
- the standard Boolean operators (except ¬),
- the temporal operators: next "○", always "□", eventually "◇", until "U".

• 14. (Weak) Kripke Structures
Given M = (A, Σ, →, s0) and τ : Σ → 2^P, K = ⟨M, τ⟩ is a weak Kripke structure.
It is a Kripke structure when
- the Principle of Non-Contradiction holds, i.e. ∀s ∈ Σ, ∀p ∈ Prop: p ∉ τ(s) ∨ ¬p ∉ τ(s), and
- the Principle of Excluded Middle holds, i.e. ∀s ∈ Σ, ∀p ∈ Prop: p ∈ τ(s) ∨ ¬p ∈ τ(s).
K defines an interpretation of both actions and atomic propositions.

• 15. Satisfiability Relation
Definition. Given K = ⟨M, τ⟩ a weak Kripke structure, x = t0 −a0→ t1 ..., p ∈ P, and f, g ∈ F (x^k denotes the suffix of x starting at t_k):
x |=_τ p ⇔ p ∈ τ(t0)
x |=_τ f ∨ g ⇔ x |=_τ f or x |=_τ g
x |=_τ f ∧ g ⇔ x |=_τ f and x |=_τ g
x |=_τ f → g ⇔ x |=_τ f implies x |=_τ g
x |=_τ ○f ⇔ x^1 |=_τ f
x |=_τ □f ⇔ ∀k ≥ 0. x^k |=_τ f
x |=_τ ◇f ⇔ ∃k ≥ 0. x^k |=_τ f
x |=_τ f U g ⇔ ∃k ≥ 0. (x^k |=_τ g and ∀j < k. x^j |=_τ f)
1. Universal formulas: M |=_τ ∀f iff ∀x ∈ O(M). x |=_τ f.
2. Existential formulas: M |=_τ ∃f iff ∃x ∈ O(M). x |=_τ f.

• 16. The Classic Method
Given the weak Kripke structures K = ⟨M, τ⟩ and K^α = ⟨M^α, τ^α_c⟩, the classic way of defining τ^α_c(s^α) is
τ^α_c(s^α) = ∩ {τ(s) | α(s) ≤_α s^α}   (Under_c)
Properties of Under_c:
- It is possible that p ∉ τ^α_c(s^α) and ¬p ∉ τ^α_c(s^α).
- τ^α_c under-approximates τ: α(s) ≤_α s^α ⇒ τ(s) ⊇ τ^α_c(s^α).
- τ^α_c is monotonically decreasing: s^α_1 ≤_α s^α_2 and ∃s. α(s) ≤_α s^α_1 ⇒ τ^α_c(s^α_1) ⊇ τ^α_c(s^α_2).

• 17. The Classic Method: Preservation Results I
The extension to abstract traces preserves the satisfiability relation from the abstract to the concrete model:
α(x) ≤_α x^α ⇒ (x^α |=^α_c f ⇒ x |= f)
Theorem. Given f ∈ F, M^α |=^α_c ∀f ⇒ M |= ∀f.

• 18. Example: The classic method
[Figure: concrete Kripke structure K with s0 labelled {p,q,r}, s1 and s2 labelled {p,¬q,r}, t labelled {¬p,¬q,r}, and the traces s0 t, s0 s1 t, s0 s1 s2 ... t. Abstract Kripke structure K^α with s^α labelled {p,r} and t^α labelled {¬p,¬q,r}. The slide lists three checks: M^α |=^α_c ... r ⇒ M |= ... r; M^α |=^α_c ... p ⇒ M |= ... p; M^α ⊭^α_c ... p (the temporal operators in these formulas did not survive extraction).]

• 19. The Over-Approximation Method
Given the weak Kripke structures K = ⟨M, τ⟩ and K^α = ⟨M^α, τ^α⟩, the dual way of defining τ^α(s^α) is
τ^α(s^α) = ∪ {τ(s) | α(s) ≤_α s^α}   (Over)
Properties of Over:
- It is possible that p ∈ τ^α(s^α) and ¬p ∈ τ^α(s^α).
- τ^α over-approximates τ: α(s) ≤_α s^α ⇒ τ(s) ⊆ τ^α(s^α).
- τ^α is monotonically increasing: s^α_1 ≤_α s^α_2 ⇒ τ^α(s^α_1) ⊆ τ^α(s^α_2).

• 20. Over-Approximation: Preservation Results II
The extension to abstract traces preserves the satisfiability relation from the concrete to the abstract model:
α(x) ≤_α x^α ⇒ (x |= f ⇒ x^α |=^α f)
Theorem. Given f ∈ F, M^α ⊭^α ∃f ⇒ M ⊭ ∃f.

• 21. Example: The over-approximation method
[Figure: the same concrete Kripke structure K as before; abstract Kripke structure K^α with s^α now labelled {p,r,q,¬q} (both q and ¬q, since Over takes the union) and t^α labelled {¬p,¬q,r}. The slide lists three checks: M^α ⊭^α ... ¬r ⇒ M ⊭ ... ¬r; M^α ⊭^α ... ¬p ⇒ M ⊭ ... ¬p; M^α |=^α ... ¬q (the temporal operators in these formulas did not survive extraction).]

• 22. Relating the classic and the over-approximation methods
Definition. We say that p ∈ P is precise in the original structure K = ⟨M, τ⟩ iff ∀s ∈ Σ: p ∈ τ(s) ⇔ ¬p ∉ τ(s).   (Prec_p)
Proposition. Given p ∈ P satisfying Prec_p and f ∈ F,
(a) ∀s^α ∈ Σ^α. (¬p ∉ τ^α(s^α) ⇔ p ∈ τ^α_c(s^α));
(b) ∀x^α ∈ O(M^α). (x^α ⊭^α ¬f ⇔ x^α |=^α_c f).

• 23. Relating the classic and the over-approximation methods
Proposition. Given f ∈ F,
(a) M^α |=^α_c ∀f ⇒ M^α |=^α ∀f;
(b) M^α |=^α_c ∃f ⇒ M^α |=^α ∃f;
(c) M^α |=^α_c ∀f ⇔ M^α ⊭^α ∃¬f.
Point (c) says that both methods may be used for proving or refuting a given property. But, in practice, it is not always possible/efficient to construct/verify the negation normal form of a temporal formula; for instance, ¬(p U q).

• 24. The Extended Relation
Definition. Consider the sets P^α = {p^α : p ∈ P} and 𝒫 = P ∪ P^α. We construct the weak Kripke structure K^α_𝒫 = ⟨M^α, τ^α_𝒫⟩, where τ^α_𝒫 : Σ^α → 2^𝒫 is defined as:
p ∈ τ^α_𝒫(s^α) ⇔ ¬p ∉ τ^α(s^α)   (⇔ p ∈ τ^α_c(s^α))
p^α ∈ τ^α_𝒫(s^α) ⇔ p ∈ τ^α(s^α)
We write ⊩ for the satisfiability relation |=_{τ^α_𝒫}.
x^α ⊩ p means that the abstract satisfaction of p does not involve loss of information.
x^α ⊩ p^α means that the abstract satisfaction of p "may" involve loss of information.
x^α ⊩ p ⇒ x^α ⊩ p^α

• 25. The Extended Relation
Let F̃ denote the set of temporal formulas which can be constructed using the atomic propositions of 𝒫 (for f ∈ F, f^α stands for f with every proposition p replaced by p^α).
x^α ⊩ f^α ⇔ x^α |=^α f
x^α ⊩ f ⇔ x^α |=^α_c f
Thus ⊩ may be used to model both the classic relation |=^α_c and |=^α.

• 26. Dealing with Imprecision
Definition. We say that formula f ∈ F does not lose precision wrt O(M^α) iff ∀x^α ∈ O(M^α), if x^α |=^α f then x^α ⊭^α ¬f.
Proposition. Given f ∈ F, if M^α ⊩ ∀(f^α → f) then
(a) M^α |=^α ∀f ⇔ M^α |=^α_c ∀f;
(b) M^α |=^α ∃f ⇔ M^α |=^α_c ∃f.

• 27. Example: Dealing with imprecision
[Figure: the same concrete Kripke structure K; abstract Kripke structure K^α with s^α labelled {p,r,q,¬q} and t^α labelled {¬p,¬q,r}. The slide shows M^α ⊩ ... (r^α → r), and from it both M^α |=^α_c ... r and M^α |=^α ... r (the temporal operators did not survive extraction).]

• 28. Dealing with Incompleteness
Proposition. Let f, g ∈ F.
(a) M |= ∀g and M^α ⊩ ∀(g^α → f) ⇒ M |= ∀f.
(b) M ⊭ ∃g and M^α ⊩ ∀(f^α → g) ⇒ M ⊭ ∃f.

• 29. Example: Dealing with incompleteness
Transition System. Global variables: int x, proc; x = Min.
Process P1 (locations o1, o2): o1 → o2 on even(x) / proc = 1; o2 → o1 on odd(x) / proc = 1.
Process P2 (locations s1, s2, s3): s1 → s2 on x != Max / proc = 2; s2 → s1 with / x = x + 1; s1 → s3 on x != Min / proc = 2; s3 → s1 with / x = x - 1.
noprogress = (proc == 1)
M ⊭ ... noprogress   (temporal operator lost in extraction)

• 30. Example: Dealing with incompleteness
[Figure: concrete model. States are tuples (P2 location, P1 location, x, proc), starting at (s1, o1, x=0, proc). Shown transitions: even(x)/proc=1 to (s1, o2, x=0, proc=1); x!=Max/proc=2 to (s2, o1, x=0, proc=2); from there /x=x+1 to (s1, o1, x=1, proc=2), and on to (s1, o1, x=2, proc=2) ... The question posed: M ⊭ ... (x == Max) ??? (temporal operator lost in extraction).]

• 31. Example: Dealing with incompleteness
[Figure: abstract model with α(Min) = min, α(Max) = max, α(v) = middle for Min < v < Max, i.e. abstract domain {min, middle, max}. Starting at (s1, o1, x=min, proc), the abstract transitions x!=Max/proc=2, even(x)/proc=1, odd(x)/proc=1 and /x=x+1 lead through (s1, o1, x=middle, proc=2), (s1, o2, x=middle, proc=1), ... to (s1, o2, x=max, proc=1); on middle both even(x) and odd(x) are enabled. The slide states M^α |=^α ... (x == Max) (temporal operator lost in extraction).]
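The abstraction just shown, as an added example that is not part of the slides: an explicit-state construction of the two-process counter system M and of its abstraction M^α over {min, middle, max}, followed by the check a practitioner wants before trusting any abstract verdict, namely that every concrete transition (c, c') has an abstract counterpart (α(c), α(c')). That simulation condition implies the I^α-correctness of slide 11 (every concrete trace has an abstract image). Min = 0 and Max = 4 are constructed bounds; the slides leave them symbolic. The transformer for middle is hand-written in the usual abstract-interpretation style (both parities possible, x+1 may stay in middle or reach max), which is also where the spurious "increment forever" behaviour comes from.

```python
"""Added example: concrete counter system, its {min, middle, max} abstraction,
and a soundness (simulation) check between the two."""
from collections import deque

MIN, MAX = 0, 4  # constructed bounds (assumption: Max >= Min + 2)

# State: (P2 location, P1 location, x, proc); proc is None before any write.
INIT = ("s1", "o1", MIN, None)

def concrete_successors(st):
    s, o, x, proc = st
    succ = []
    if o == "o1" and x % 2 == 0:          # P1: even(x) / proc = 1
        succ.append((s, "o2", x, 1))
    if o == "o2" and x % 2 == 1:          # P1: odd(x) / proc = 1
        succ.append((s, "o1", x, 1))
    if s == "s1" and x != MAX:            # P2: x != Max / proc = 2
        succ.append(("s2", o, x, 2))
    if s == "s1" and x != MIN:            # P2: x != Min / proc = 2
        succ.append(("s3", o, x, 2))
    if s == "s2":                         # P2: / x = x + 1
        succ.append(("s1", o, x + 1, proc))
    if s == "s3":                         # P2: / x = x - 1
        succ.append(("s1", o, x - 1, proc))
    return succ

def alpha_x(x):
    """alpha on the data: alpha(Min) = min, alpha(Max) = max, middle otherwise."""
    return "min" if x == MIN else "max" if x == MAX else "middle"

def alpha(st):
    s, o, x, proc = st
    return (s, o, alpha_x(x), proc)

# Abstract effect of x+1 / x-1: from middle the result may stay middle or hit a bound.
PLUS = {"min": ["middle"], "middle": ["middle", "max"]}
MINUS = {"max": ["middle"], "middle": ["min", "middle"]}

def abstract_successors(st):
    """Abstract transformer: guards on the exact value of x are decided when x is
    a bound (min/max are singletons) and taken both ways when x is middle."""
    s, o, a, proc = st
    exact = {"min": MIN, "max": MAX}
    may_even = a == "middle" or exact[a] % 2 == 0
    may_odd = a == "middle" or exact[a] % 2 == 1
    succ = []
    if o == "o1" and may_even:
        succ.append((s, "o2", a, 1))
    if o == "o2" and may_odd:
        succ.append((s, "o1", a, 1))
    if s == "s1" and a != "max":
        succ.append(("s2", o, a, 2))
    if s == "s1" and a != "min":
        succ.append(("s3", o, a, 2))
    if s == "s2":
        succ += [("s1", o, b, proc) for b in PLUS.get(a, [])]
    if s == "s3":
        succ += [("s1", o, b, proc) for b in MINUS.get(a, [])]
    return succ

def explore(init, successors):
    """Breadth-first exploration; returns (reachable states, transitions)."""
    seen, edges, todo = {init}, [], deque([init])
    while todo:
        st = todo.popleft()
        for nxt in successors(st):
            edges.append((st, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, edges

def unmatched_transitions():
    """Concrete transitions (c, c') with no abstract transition (alpha(c), alpha(c')).
    An empty result means M^alpha simulates M, so every concrete trace x has an
    abstract trace x^alpha with alpha(x) = x^alpha: M^alpha is I^alpha-correct."""
    _, c_edges = explore(INIT, concrete_successors)
    _, a_edges = explore(alpha(INIT), abstract_successors)
    a_set = set(a_edges)
    return [(c, d) for c, d in c_edges if (alpha(c), alpha(d)) not in a_set]

def state_counts():
    c_states, _ = explore(INIT, concrete_successors)
    a_states, _ = explore(alpha(INIT), abstract_successors)
    return len(c_states), len(a_states)

if __name__ == "__main__":
    print("unmatched concrete transitions:", unmatched_transitions())
    print("concrete vs abstract reachable states:", state_counts())
    loop_edge = (("s2", "o1", "middle", 2), ("s1", "o1", "middle", 2))
    print("abstract model can increment and stay in middle:",
          loop_edge in set(explore(alpha(INIT), abstract_successors)[1]))
```

Note that passing the transition-level check does not rule out spurious traces: the abstract edge s2 −x+1→ s1 with x staying middle is individually witnessed (by x = 1 → 2), yet the abstract path that takes it forever has no concrete counterpart, because concretely repeated increments reach Max. That is exactly the incompleteness the next slides address at the level of properties rather than of the model.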
• 32. Example: Dealing with incompleteness
M ⊭ ... noprogress
M^α ⊩ ... ((x == Max)^α → noprogress)
M ⊭ ... (x == Max)
(This is an instance of Proposition 28(b) with g = noprogress and f = (x == Max); the temporal operators in the three formulas did not survive extraction.)

• 33. Intermediate Precision
Relation ⊩ induces a preorder ⇒ (a partial order up to equivalence) over the set of formulas F̃:
f1 ⇒ f2 ⇔ ∀x^α ∈ O(M^α). x^α ⊩ f1 ⇒ x^α ⊩ f2
Clearly, it holds that for all f ∈ F, f ⇒ f^α.
We may construct an intermediate Kripke structure K_i = ⟨M^α, τ^α_i⟩ with
∀s^α ∈ Σ^α: τ^α_c(s^α) ⊆ τ^α_i(s^α) ⊆ τ^α(s^α).

• 34. Intermediate Precision
Consider the sets P^i = {p^i : p ∈ P} and 𝒫 = P ∪ P^α ∪ P^i. We construct the weak Kripke structure K^α_𝒫 = ⟨M^α, τ^α_𝒫⟩, where τ^α_𝒫 : Σ^α → 2^𝒫 is defined as:
p ∈ τ^α_𝒫(s^α) ⇔ p ∈ τ^α_c(s^α)
p^i ∈ τ^α_𝒫(s^α) ⇔ p ∈ τ^α_i(s^α)
p^α ∈ τ^α_𝒫(s^α) ⇔ p ∈ τ^α(s^α)
Now consider the extension of F̃:
x^α ⊩ f^α ⇔ x^α |=^α f
x^α ⊩ f^i ⇔ x^α |=^α_i f
x^α ⊩ f ⇔ x^α |=^α_c f
∀f ∈ F: f ⇒ f^i ⇒ f^α

• 35. Methodological Guidelines: satisfaction-oriented method
Specify the desired property f ∈ F to be held over the model.
If M^α ⊩ ∀f, then M |= ∀f.
If M^α ⊮ ∀f, try ∀f^α.
If M^α ⊮ ∀f^α, the generous way of defining f^α makes an error on M very probable, except for spurious traces.
If M^α ⊩ ∀f^α, the model satisfies ∀f "from the abstract point of view", but this information may be too imprecise.

• 36. Methodological Guidelines: satisfaction-oriented method
The user may refine f with an intermediate formula f^i, verifying f ⇒ f^i ⇒ f^α.
If M^α ⊩ ∀f^i, then the user knows that property f holds on all traces of M up to the precision defined by f^i.
We could incrementally refine the formula until the desired precision is achieved.
The probability of having found a real error when M^α ⊮ ∀f^i decreases as the precision of f^i increases.
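The two labellings of slides 16 and 19, the extended labelling of slide 24 and the satisfaction-oriented method of slides 35 and 36, as one added example that is not part of the slides: the p,q,r structure of slide 18 is constructed inline, Under_c and Over are computed by intersection and union over the α-preimage, the extended labelling makes p exact when ¬p is absent from Over and p^α (encoded here as the string "p^a") whenever p is in Over, and a small evaluator decides NNF LTL formulas on lasso-shaped abstract traces prefix·loop^ω. The list of abstract traces is hand-written (sa^n ta^ω plus the spurious sa^ω) and stands in for the model checker's enumeration, so `universal` is a bounded stand-in for M^α |= ∀f, not a proof.

```python
"""Added example: Under_c, Over and extended labellings, and LTL on lasso traces."""
from itertools import chain

# Constructed concrete weak Kripke structure (slide 18); "¬x" is the negative literal.
CONCRETE = {
    "s0": {"p", "q", "r"},
    "s1": {"p", "¬q", "r"},
    "s2": {"p", "¬q", "r"},
    "t":  {"¬p", "¬q", "r"},
}
ALPHA = {"s0": "sa", "s1": "sa", "s2": "sa", "t": "ta"}  # alpha(s_i) = sa, alpha(t) = ta

def neg(lit):
    """Complementary literal: p <-> ¬p."""
    return lit[1:] if lit.startswith("¬") else "¬" + lit

def preimage(a):
    """Concrete states abstracted to a (the order <=_alpha used here is equality)."""
    return [s for s, a_s in ALPHA.items() if a_s == a]

def under_c(a):
    """Classic labelling Under_c: intersection of the concrete labels."""
    return set.intersection(*(CONCRETE[s] for s in preimage(a)))

def over(a):
    """Over-approximating labelling Over: union of the concrete labels."""
    return set.union(*(CONCRETE[s] for s in preimage(a)))

def extended(a):
    """Extended labelling: p (no loss of information) iff ¬p not in Over(a);
    p^a ("may hold") iff p in Over(a)."""
    ov = over(a)
    lits = set(chain.from_iterable(CONCRETE.values()))
    lits |= {neg(l) for l in lits}
    return {l for l in lits if neg(l) not in ov} | {l + "^a" for l in ov}

# LTL in negation normal form as nested tuples.
def AP(n):     return ("ap", n)
def And(f, g): return ("and", f, g)
def Or(f, g):  return ("or", f, g)
def Imp(f, g): return ("imp", f, g)
def X(f):      return ("X", f)
def G(f):      return ("G", f)
def F(f):      return ("F", f)
def U(f, g):   return ("U", f, g)

def lift(f):
    """f^a: replace every atomic proposition p by its 'may' version p^a."""
    if f[0] == "ap":
        return AP(f[1] + "^a")
    return (f[0],) + tuple(lift(sub) for sub in f[1:])

def holds(f, label, prefix, loop, i=0):
    """Evaluate f at position i of the lasso trace prefix·loop^ω;
    label(state) is the set of literals true in that state."""
    n, horizon = len(prefix), len(prefix) + len(loop)
    state = lambda k: prefix[k] if k < n else loop[(k - n) % len(loop)]
    norm = lambda k: k if k < horizon else n + (k - n) % len(loop)
    ev = lambda g, k: holds(g, label, prefix, loop, norm(k))
    op = f[0]
    if op == "ap":
        return f[1] in label(state(i))
    if op == "and":
        return ev(f[1], i) and ev(f[2], i)
    if op == "or":
        return ev(f[1], i) or ev(f[2], i)
    if op == "imp":
        return (not ev(f[1], i)) or ev(f[2], i)
    if op == "X":
        return ev(f[1], i + 1)
    # `horizon` consecutive positions visit every future position of an
    # ultimately periodic trace at least once, in time order.
    future = range(i, i + horizon)
    if op == "G":
        return all(ev(f[1], k) for k in future)
    if op == "F":
        return any(ev(f[1], k) for k in future)
    if op == "U":
        for k in future:
            if ev(f[2], k):
                return True
            if not ev(f[1], k):
                return False
        return False
    raise ValueError(op)

# Abstract traces of M^alpha: sa^n ta^ω (images of concrete runs) and the spurious sa^ω.
ABSTRACT_TRACES = [([], ["sa"])] + [(["sa"] * n, ["ta"]) for n in range(1, 4)]

def universal(f, label):
    """Bounded stand-in for M^alpha |= ∀f over the listed abstract traces."""
    return all(holds(f, label, pre, loop) for pre, loop in ABSTRACT_TRACES)

def counterexamples(f, label):
    """Abstract traces violating f; a spurious trace shows up here like a real one."""
    return [(pre, loop) for pre, loop in ABSTRACT_TRACES if not holds(f, label, pre, loop)]

if __name__ == "__main__":
    print("Under_c(sa) =", under_c("sa"), " Over(sa) =", over("sa"))
    print("extended(sa) =", extended("sa"))
    print("G r, classic:", universal(G(AP("r")), under_c))
    print("F ¬p, classic:", universal(F(AP("¬p")), under_c), counterexamples(F(AP("¬p")), under_c))
    print("F (¬p)^a, extended:", universal(lift(F(AP("¬p"))), extended))
    print("G (r^a -> r), extended:", universal(G(Imp(AP("r^a"), AP("r"))), extended))
```

Running it walks through the guidelines: □r is proved already under ⊩ (the exact labelling), so it holds on M. ◇¬p fails under ⊩ and still fails for ◇(¬p)^α, which the method calls a very probable error "except for spurious traces"; here the only counterexample is the spurious sa^ω, so the verdict is imprecision of the model, not a bug. □(r^α → r) holds on every abstract trace, which is the hypothesis of Proposition 26 for r, and `lift` makes the f ⇒ f^α ordering of slide 33 checkable trace by trace.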
• 37. Conclusions
- Considering a unique correct abstract model M^α, we simultaneously achieve the preservation of the satisfaction of universal properties and the refutation of existential ones.
- The extended relation allows us to formalize the notion of precision of the abstract model with respect to the analysis of a given property.
- Using relation ⊩ allows us to implicitly refine the model: the model checking tool exclusively produces the part of M^α required to analyze the property.
- The approach is suitable for refining properties depending on the actual precision of the abstract model.
- We are currently extending our tool αspin to incorporate this capability. http://www.lcc.uma.es/~gisum/fmse/tools/