CounterExample-Guided Abstraction Refinement

(1)

CounterExample-Guided Abstraction Refinement

(CEGAR)

Martin Fr¨anzle^a

(with many slides c S. Ratschan^b)

a Carl von Ossietzky Universit ¨at, Oldenburg, Germany

b Czech Academy of Sciences, Prague, Czech Rep.

02917: CEGAR for HS – p.1/32

(2)

The problem

• Abstraction is a powerful method for verifying systems

• maps complex system (e.g., infinite state) to simpler system (e.g., finite Kripke structure)

• simpler model may be amenable to automatic state-exploratory verification

• but finding the right abstraction is hard

• may be too coarse verification fails

• may be too fine state-space exploration impossible

• may even be too fine in some places and too coarse in others

(3)

The problem

02917: CEGAR for HS – p.2/32

(4)

The problem

(5)

The problem

02917: CEGAR for HS – p.2/32

(6)

The problem

(7)

The problem

02917: CEGAR for HS – p.2/32

(8)

The problem

(9)

The idea

In manual verification, we often add information on demand:

• Upon a failing proof, we analyze the reasons and

• add preconditions as necessary.

Can we do the same within abstraction-based model checking?

• Upon a failing proof, let the model-checker analyze the reasons and

• refine the abstraction as necessary.

02917: CEGAR for HS – p.3/32

(10)

The idea

In manual verification, we often add information on demand:

• Upon a failing proof, we analyze the reasons and

• add preconditions as necessary.

Can we do the same within abstraction-based model checking?

• Upon a failing proof, let the model-checker analyze the reasons and

• refine the abstraction as necessary.

(11)

Abstraction Refinement

Idea:

• conservatively approximate the hybrid system by a finite Kripke structure (the abstraction)

• if abstraction safe, done

• while abstraction not safe, refine it

• counter-example based: refine to remove a given spurious counter-example (Clarke et al. 03, Alur et al. 03)

02917: CEGAR for HS – p.4/32

(12)

Abstraction Refinement

Idea:

(13)

Abstraction Refinement

Idea:

02917: CEGAR for HS – p.4/32

(14)

Abstraction Refinement

Idea:

(15)

Abstraction Refinement

Idea:

02917: CEGAR for HS – p.4/32

(16)

Basic CEGAR

(17)

Spurious counterexample

Def: Let A C be an homomorphic abstraction wrt. abstraction

function h_{. Let} φ _{be an} ∀CTL formula and π = (c₁, c₂ . . .) _{be an} anchored path of C witnessing violation of φ _on C_.

Then π _{is called} a counterexample for φ _on C_. Furthermore, h(π) = (h(c₁), h(c₂), . . .) then is an anchored path

of A which violates φ, i.e. a counterexample on A. We do then call h(π) _the abstract counterexample corresponding to π _and we call π _the concrete counterexample corresponding to h(π)_.

Def: If π_A is a counterexample on the abstraction A C _{which has} no corresponding concrete counterexample on C then we call π_A _a spurious counterexample.

02917: CEGAR for HS – p.6/32

(18)

Spurious counterexample

Then π _{is called} a counterexample for φ _on C_.

Furthermore, h(π) = (h(c₁), h(c₂), . . .) then is an anchored path of A which violates φ, i.e. a counterexample on A. We do then call h(π) _the abstract counterexample corresponding to π _and we call π _the concrete counterexample corresponding to h(π)_.

(19)

Spurious counterexample

Then π _{is called} a counterexample for φ _on C_.

Furthermore, h(π) = (h(c₁), h(c₂), . . .) then is an anchored path of A which violates φ, i.e. a counterexample on A. We do then call h(π) _the abstract counterexample corresponding to π _and we call π _the concrete counterexample corresponding to h(π)_.

02917: CEGAR for HS – p.6/32

(20)

Abstraction Refinement

Def: If C ≺ A⁰ ≺ A _then A _and A⁰ _{are called} abstraction of C _and A⁰ is called an abstraction refinement of A_.

Idea: Whenever there is a spurious counterexample in A, identify an abstraction refinement A⁰ that lacks that particular spurious

counterexample.

(21)

Abstraction Refinement

Def: If C ≺ A⁰ ≺ A _then A _and A⁰ _{are called} abstraction of C _and A⁰ is called an abstraction refinement of A_.

Idea: Whenever there is a spurious counterexample in A, identify an abstraction refinement A⁰ that lacks that particular spurious

counterexample.

02917: CEGAR for HS – p.7/32

(22)

CEGAR algorithm (simple version: invariants)

To verify C |= AGp _do

1. build finite Kripke structure A C_, 2. model-check A |= AGp_,

3. if this holds then report C |= AGp _{and stop,}

4. otherwise validate the counterexample on C, i.e., find a corresponding concrete counterexample,

5. if a corresponding concrete counterexample exists then report C 6|= AGp _{and stop,}

6. otherwise use the spurious counterexample to refine A _and restart from 2.

(23)

The crucial ingredients of CEGAR

• Model checking,

• validation/concretization of counterexample,

• guided refinement of abstraction.

02917: CEGAR for HS – p.9/32

(24)

Validation of counterexample

Given: A C and an abstract counterexample φ = (a₁, a₂, . . . , a_n) on A_.

Alg: Provided we can effectively manipulate pre-images of the abstraction morphism h, proceed as follows:

1. Compute S₁ := h⁻¹(a₁) ∩ I_C_{, where} I_C is the set of initial states of C_,

2. For i = 2 _to n_{, compute} S_i := h⁻¹(a_i) ∩ Post(S_i−1)_. Abort as soon as some S_i _becomes ∅^.

In this case, the counterexample has been shown to be spurious.

3. In case of proper termination of the loop, the counterexample is real.

N.B. Assumes that h⁻¹(a_i), Post(S_i), and their intersections are computable (in the sense of an effective emptiness test)!

(25)

Validation of counterexample

Alg: Provided we can effectively manipulate pre-images of the abstraction morphism h, proceed as follows:

1. Compute S₁ := h⁻¹(a₁) ∩ I_C_{, where} I_C is the set of initial states of C_,

2. For i = 2 _to n_{, compute} S_i := h⁻¹(a_i) ∩ Post(S_i−1)_. Abort as soon as some S_i _becomes ∅^.

In this case, the counterexample has been shown to be spurious.

3. In case of proper termination of the loop, the counterexample is real.

N.B. Assumes that h⁻¹(a_i), Post(S_i), and their intersections are computable (in the sense of an effective emptiness test)!

02917: CEGAR for HS – p.10/32

(26)

State splitting

Idea: For a set C_i = h⁻¹(ai) of concrete states represented by an abstract state a_i occurring in the spurious counterexample, split it into

C_i ∩ Post(h⁻¹(a_i−1)) and C_i \ Post(h⁻¹(a_i−1)), provided both non-empty (or into C₁ ∩ I_C and C₁ \ I_C in case i = 1).

Approach: Replace a_i by two states a⁺_i and a⁻_i representing C_i ∩ Post(h⁻¹(a_i−1)) and C_i \ Post(h⁻¹(a_i−1)), resp.

Technique: Replace the Kripke structure A = (V, E, L, I) by A⁰ = (V⁰, E⁰, L⁰, I⁰) with

• V⁰ = V \ {a_i} ∪ {a⁺_i , a⁻_i }, where the latter are 6∈ V,

• E⁰ = E ∩ (V⁰ × V⁰) ∪ {(a⁺_i , a⁻_i ),(a⁻_i , a⁺_i )} ∪ {(a, a⁺_i ) | (a, a_i) ∈ E}∪ {(a, a⁻_i ) | (a, a_i) ∈ E, a 6= a_i−1} ∪ {(a⁺_i , a),(a⁻_i , a) | (a_i, a) ∈ E}

• L⁰(v) =

L(v) if v ∈ V,

L(a_i) if v ∈ {a⁺_i , a⁻_i },

• I⁰ =

I if C_i ∩ I_C = ∅,

I \ {a_i} ∪ {a⁺_i } otherwise.

(27)

State splitting

• L⁰(v) =

L(v) if v ∈ V,

L(a_i) if v ∈ {a⁺_i , a⁻_i },

• I⁰ =

I if C_i ∩ I_C = ∅,

I \ {a_i} ∪ {a⁺_i } otherwise.

02917: CEGAR for HS – p.11/32

(28)

State splitting

• L⁰(v) =

L(v) if v ∈ V,

L(a ) if v ∈ {a⁺, a⁻},

(29)

Resulting morphism

h⁰(c) =







a⁺_i _if c ∈ C_i ∩ Post(h⁻¹(a_i−1)), a⁻_i _if c ∈ C_i \ Post(h⁻¹(a_i−1)), h(c) otherwise.

02917: CEGAR for HS – p.12/32

(30)

Refining E

⁰

: transition pruning

Observation: Pre- and post-images of h⁰⁻¹(a⁺_i ) _or h⁰⁻¹(a⁻_i ) _{may well} have empty intersections with sets that the pre- or post-set of h⁰⁻¹(a_i) did intersect with.

In such cases, E⁰ contains spurious edges.

Solution: Remove such edges by pruning E⁰ _to

E⁰⁰ = {(s, t) ∈ E⁰ | Post(h⁰⁻¹(s)) ∩ h⁰⁻¹(t) 6= ∅}

(31)

Refining E

⁰

: transition pruning

Observation: Pre- and post-images of h⁰⁻¹(a⁺_i ) _or h⁰⁻¹(a⁻_i ) _{may well} have empty intersections with sets that the pre- or post-set of h⁰⁻¹(a_i) did intersect with.

In such cases, E⁰ contains spurious edges.

Solution: Remove such edges by pruning E⁰ _to

E⁰⁰ = {(s, t) ∈ E⁰ | Post(h⁰⁻¹(s)) ∩ h⁰⁻¹(t) 6= ∅}

02917: CEGAR for HS – p.13/32

(32)

CEGAR algorithm (simple version: invariants)

6. otherwise use the spurious counterexample to split states in A_, 7. perform transition pruning on the resulting refinement A⁰_,

Concrete version is just an example, variants of split/prune rules abound.

(33)

CEGAR algorithm (simple version: invariants)

6. otherwise use the spurious counterexample to split states in A_, 7. perform transition pruning on the resulting refinement A⁰_,

8. goto 2.

Concrete version is just an example, variants of split/prune rules abound.

02917: CEGAR for HS – p.14/32

(34)

Application to hybrid systems

• Above procedure is effective if h⁻¹(a_i)_, Post(S_i), and their intersections are computable (in the sense of an effective emptiness test).

• This is in general not true for hybrid systems.

⇒ Need to embed an appropriate form of approximation of the above sets into CEGAR.

(35)

CEGAR on hybrid states

Conservative approximation of state sets

02917: CEGAR for HS – p.16/32

(36)

Application to hybrid systems

• “Naive” CEGAR procedure is effective if h⁻¹(a_i)_, Post(S_i)_{, and} their intersections are computable (in the sense of an effective emptiness test).

• In general not true for hybrid systems, thus embed an appropriate form of approximation of the above sets into CEGAR.

• Main difficulty is computation of successor states: explicit (jumps) and implicit transitions (flows, defined by ODE)

• Multiple shapes of overapproximation can be used

• various effective representations of subsets of Rⁿ^:

rectangular boxes, zonotopes, polyhedra, ellipsoids, . . ._,

• multiple techniques for conservatively approximating hybrid transitions (jumps & flows)

(37)

Computing successors

• CEGAR algorithm applies different approximations of successor computation in sequence,

• proceeds from coarse to fine, investing more computational effort to increase precision only when necessary,

• hope is that crucial deductions (absence of counterexamples, non-concretizability of a certain counter-example) can often be obtained on coarse abstractions,

• CEGAR needs to compute different relative successors Succ(X, Y) = Post(X) ∩ Y_{, where} X, Y ∈ P (Rⁿ).

• Can approximate these by any operation SUCC : P (Rⁿ) × P (Rⁿ) → P (Rⁿ) _with

1. Overapproximation: SUCC(X, Y) ⊇ Post(X) ∩ Y_, 2. Reasonability: SUCC(X, Y) ⊆ Y_.

02917: CEGAR for HS – p.18/32

(38)

Validation of counterexample

Alg: For a sequence of successively tighter overapproximations (SUCC_i)_i=1,...,k, proceed as follows:

1. Start with i = 1, i.e., the coarsest approximation.

2. Compute Sⁱ₁ := overapprox_i(h⁻¹(a₁) ∩ I_C)_{, where} I_C _{is the} set of initial states of C_,

3. For j = 2 _to n_{, compute} Sⁱ_j := SUCC_i(Sⁱ_j−1, h⁻¹(a_i)) Abort as soon as some Sⁱ_j _becomes ∅^.

In this case, the counterexample is spurious.

4. In case of proper termination of the inner loop, restart at 1.

with i := i + 1, i.e., the next finer approximation, if i < k_.

(39)

HSolver

Overapproximation via Constraint-based Reasoning

Stefan Ratschan, Czech Academy of Sciences Shikun She, MPII, Saarbr¨ucken

02917: CEGAR for HS – p.20/32

(40)

Starting Point: Interval Grid Method

Stursberg/Kowalewski et. al., one-mode case:

• put transitions between all neighboring hyperrectangles (boxes), mark all as initial/unsafe

• remove impossible transitions/marks (interval arithmetic check on boundaries/boxes)

Result: finite abstraction

(41)

Starting Point: Interval Grid Method

02917: CEGAR for HS – p.21/32

(42)

Starting Point: Interval Grid Method

x˙ ∈ [−5, −1]

(43)

Starting Point: Interval Grid Method

x˙ ∈ [−5, 1]

02917: CEGAR for HS – p.21/32

(44)

Starting Point: Interval Grid Method

x˙ ∈ [−5, 1]

(45)

Interval arithmetic

Is a method for calculating an interval covering the possible values of a real operator if its arguments range over intervals:

[a, A] +^◦ [b, B] = [a + b, A + B]

[a, A] ^◦· [b, B] = [min{ab, aB, Ab, AB}, max{ab, aB, Ab, AB}]

min◦ ([a, A], [b, B]) = [min{a, b}, min{A, B}]

sin◦ ([a, A]) =

"

min{sin x | x ∈ [a, A]},

max{sin x | x ∈ [a, A]}

#

f◦ ([a, A], [b, B], . . .) =

"

min{f(~x) | ~x ∈ [a, A] × [b, B] × . . .},

max{f(~x) | ~x ∈ [a, A] × [b, B] × . . .}

# Theorem: For each term t with free variables ~v_:

{t(~v 7→ ~x) | ~x ∈ [a, A]×[b, B]×. . .} ⊆ t^◦ (v₁ 7→ [a, A], v₂ 7→ [b, B], . . .)

02917: CEGAR for HS – p.22/32

(46)

Interval arithmetic

Is a method for calculating an interval covering the possible values of a real operator if its arguments range over intervals:

[a, A] +^◦ [b, B] = [a + b, A + B]

[a, A] ^◦· [b, B] = [min{ab, aB, Ab, AB}, max{ab, aB, Ab, AB}]

min◦ ([a, A], [b, B]) = [min{a, b}, min{A, B}]

sin◦ ([a, A]) =

"

min{sin x | x ∈ [a, A]},

max{sin x | x ∈ [a, A]}

#

f◦ ([a, A], [b, B], . . .) =

"

min{f(~x) | ~x ∈ [a, A] × [b, B] × . . .},

max{f(~x) | ~x ∈ [a, A] × [b, B] × . . .}

#

(47)

Is the approximation tight?

1. In the limit: yes!

t(~v 7→ ~x) = t^◦ (v₁ 7→ [x₁, x₁], v₂ 7→ [x₂, x₂], . . .) t(~v 7→ ~x) = lim

ε→0

t◦ (v₁ 7→ [x₁ − ε, x₁ + ε], v₂ 7→ [x₂ − ε, x₂ + ε], . . .) provided t is uniformly continuous.

2. In general: No! If a < A _then

x − x(x 7→ [a, A]) = [a, A] − [a, A]^◦ = [a − A, A − a] 6= [0, 0]

Dependency problem of interval arithmetic:

Tight bounds only if each variable occurs at most once!

02917: CEGAR for HS – p.23/32

(48)

Is the approximation tight?

1. In the limit: yes!

t(~v 7→ ~x) = t^◦ (v₁ 7→ [x₁, x₁], v₂ 7→ [x₂, x₂], . . .) t(~v 7→ ~x) = lim

ε→0

t◦ (v₁ 7→ [x₁ − ε, x₁ + ε], v₂ 7→ [x₂ − ε, x₂ + ε], . . .)

provided t is uniformly continuous.

2. In general: No! If a < A _then

x − x(x 7→ [a, A]) = [a, A] − [a, A]^◦ = [a − A, A − a] 6= [0, 0]

Dependency problem of interval arithmetic:

(49)

Interval Grid Method II

Check safety on resulting finite abstraction if safe: finished, otherwise: refine grid;

continue until success

More modes: separate grid for each mode Jumps: also check using interval arithmetic

02917: CEGAR for HS – p.24/32

(50)

Interval Grid Method II

continue until success More modes: separate grid for each mode

Jumps: also check using interval arithmetic

(51)

Interval Grid Method II

02917: CEGAR for HS – p.24/32

(52)

Interval Grid Method II

(53)

Discussion

Advantages:

• can deal with constants that are only known up to intervals

• interval tests cheap (e.g., compare to explicit computation of continuous reach sets, or full decision procedures)

Disadvantages:

• may require a very fine grid to provide an affirmative answer (curse of dimensionality)

• ignores the continuous behavior within the grid elements Let’s remove them!

02917: CEGAR for HS – p.25/32

(54)

Discussion

Advantages:

Disadvantages:

(55)

Discussion

Advantages:

Disadvantages:

02917: CEGAR for HS – p.25/32

(56)

Discussion

Advantages:

Disadvantages:

(57)

Discussion

Advantages:

Disadvantages:

02917: CEGAR for HS – p.25/32

(58)

Discussion

Advantages:

Disadvantages:

(59)

Discussion

Advantages:

Disadvantages:

02917: CEGAR for HS – p.25/32

(60)

Discussion

Advantages:

Disadvantages:

(61)

Removing Disadvantages

reflect more information in abstraction without creating more boxes by splitting

Observation: we do not need to include information on unreachable state space, remove such parts from boxes

Method: form constraints that hold on reachable parts of state space, remove non-solutions by constraint solver

02917: CEGAR for HS – p.26/32

(62)

Removing Disadvantages

(63)

Removing Disadvantages

02917: CEGAR for HS – p.26/32

(64)

Removing Disadvantages

(65)

Removing Disadvantages

02917: CEGAR for HS – p.26/32

(66)

Reach Set Pruning

A point in a box B can be reachable

• from the initial set via a flow in B

• from a jump via a flow in B

• from a neighboring box via a flow in B

Init

B

formulate corresponding constraints, remove all points from box that do not fulfill one of these constraints

(67)

Reach Set Pruning

A point in a box B can be reachable

• from the initial set via a flow in B

• from a jump via a flow in B

• from a neighboring box via a flow in B

Init

B

formulate corresponding constraints, remove all points from box that do not fulfill one of these constraints

02917: CEGAR for HS – p.27/32

(68)

Constraints in Specification

We specify system using constraints:

• Flow(s,~x,~x)^˙ _(e.g., s = off → x^˙ = x sin(x) + 1 . . . ₎

• _˙purely syntactic!

• even implicit and algebraic!

• Jump(s,~x, s⁰,~x⁰) _(e.g.,

(s = off ∧ x ≥ 10) → (s⁰ = on ∧ x⁰ = 0))

• Init(s,~x)

(69)

Reachability Constraints

Lemma (n-dimensional mean value theorem): For a box B_, mode s, if a point (y₁, . . . , y_n) ∈ B is reachable from a point (x₁, . . . , x_n) ∈ B via a flow in B _then

∃t ∈ R≥0

^

1≤i≤n

∃a₁, . . . , a_k, a˙₁, . . . , a˙_k[(a₁, . . . , a_k) ∈ B ∧

Flow(s, (a₁, . . . , a_k), (a˙₁, . . . , a˙_k)) ∧ y_i = x_i + a˙_i · t]

xi

yi

ta ^time

0 t

Denote this constraint by flow_B(s,~x,~y)_.

02917: CEGAR for HS – p.29/32

(70)

Reachability Constraints

Lemma: For a box B ⊆ R^k^{, mode} s_{, if} ~y ∈ B is reachable from the initial set via a flow in B _then

∃~x ∈ B [Init(s,~x) ∧ flow_B(s,~x,~y)]

Lemma: For a box B ⊆ R^k^{, mode} s_, ~y ∈ B_, (s,~y) is reachable from a jump from a box B^∗ _{and mode} s^∗ via a flow in B _then

∃~x^∗∈B^∗∃~x ∈ B [Jump(s^∗,~x^∗, s,~x) ∧ flow_B(s,~x, ~y)]

(71)

Reachability Constraints

Lemma: For a box B ⊆ R^k^{, mode} s_{, if} ~y ∈ B is reachable from the initial set via a flow in B _then

∃~x ∈ B [Init(s,~x) ∧ flow_B(s,~x,~y)]

Lemma: For a box B ⊆ R^k^{, mode} s_, ~y ∈ B_, (s,~y) is reachable from a jump from a box B^∗ _{and mode} s^∗ via a flow in B _then

∃~x^∗∈B^∗∃~x ∈ B [Jump(s^∗,~x^∗, s,~x) ∧ flow_B(s,~x, ~y)]

02917: CEGAR for HS – p.30/32

(72)

Reachability Constraints

Lemma: For a box B ⊆ R^k^{, mode} s_{, if} ~y ∈ B is reachable from a neighboring box over a face F _of B and a flow in B _then

∃~x ∈ F [incoming_F(s,~x) ∧ flow_B(s,~x,~y)] , where incoming(s,~x) is of the form

∃x^˙₁, . . . , x˙_k[Flow(s,~x, (x˙₁, . . . , x˙_k)) ∧ x˙_j r 0]

where r ∈ {≤, ≥}_, j ∈ {1, . . . , k} depends on the face F

B

F

~ y

(73)

Using Constraints

After substituting definitions, getting rid of quantifiers, interval

constraint propagation algorithms can remove parts from boxes not fulfilling such constraints.

• correct handling of rounding errors

• almost negligible time

• result not necessarily tight (but tight for flow_B(s,~x,~y) _{in linear} case)

http://rsolver.sourceforge.net

02917: CEGAR for HS – p.32/32

(74)

Using Constraints

(75)

Using Constraints

02917: CEGAR for HS – p.32/32

(76)

Using Constraints

(77)

Using Constraints

02917: CEGAR for HS – p.32/32

(78)

Using Constraints

• result not necessarily tight (but tight for flow (s,~x,~y) _{in linear}