
5.5 Interpolation-based probabilistic bounded model checking

5.5.5 Generalized Craig interpolation for Stability analysis

5.5. INTERPOLATION-BASED PROBABILISTIC BOUNDED MODEL CHECKING

[Figure 5.9 (plot; only its labels survive extraction): vertical axis, probability from 0 to 1; horizontal axis, iteration step from 0 to 100; legend: LB, UB, computed by interpolant, computed by PBMC]

Figure 5.9: Probability of reaching fail once by using PBMC and once by using GCI.

We summarize the results obtained by our prototypical tool in Table 5.2, where different sizes of transition system were used during interpolating, namely j = 1, 2 and 3. We observe that the interpolant stabilizes in case of j ≥ 2, where it overapproximates the reachable states; i.e., C ∨ ¬E. Figure 5.9 represents two results: the upper (red) curve represents the upper bound on the step-unbounded probability to reach location fail, as computed by GCI. The numbers on the horizontal axis here refer to the iteration (the number of steps), while the vertical axis refers to the computed probabilities. The lower (blue) curve represents the lower bound on the probability to reach a fail state, as computed by PBMC.

One may observe that upper and lower bounds almost coincide after step k = 11.


least as the threshold point:

$$\mathrm{MinStable}(M,R) := \lim_{k\to\infty} \mathrm{MinReach}^{k}_{M,R}(\mathit{init}) \qquad (5.7)$$

and

$$\mathrm{MinReach}^{k}_{M,R}(\ell) = \begin{cases} 1 & \text{if } \ell \in R \\ 0 & \text{if } \ell \notin R \text{ and } k = 0 \\ \min_{t \in \mathit{Enabled}} \sum_{\ell' \in \mathit{Loc}} p(t) \cdot \mathrm{MinReach}^{k-1}_{M,R}(\ell') & \text{if } \ell \notin R \text{ and } k > 0 \end{cases} \qquad (5.8)$$

where Enabled refers to the transitions that have source ℓ and destination ℓ' and whose guards are satisfied.

• considering stabilization within R as a desired property allows us to establish the probability of stabilizing in the worst scenario, i.e. under an optimal opposing scheduler, namely whether MinReach(M,R) ≥ ϑ holds or not.

MinReach(M,R) ≥ ϑ can be addressed in terms of the complement of the maximum probability of avoiding the region too, i.e.

$$\mathrm{MinStable}(M,R) = 1 - \mathrm{MaxAvoid}(M,R) = 1 - \lim_{k\to\infty} \mathrm{MaxAvoid}^{k}_{M,R}(\mathit{init}) \qquad (5.9)$$

where

$$\mathrm{MaxAvoid}^{k}_{M,R}(\ell) = \begin{cases} 1 & \text{if } \ell \in R \\ 0 & \text{if } \ell \notin R \text{ and } k = 0 \\ \max_{t \in \mathit{Enabled}} \sum_{\ell' \in \mathit{Loc}} p(t) \cdot \mathrm{MaxAvoid}^{k-1}_{M,R}(\ell') & \text{if } \ell \notin R \text{ and } k > 0 \end{cases} \qquad (5.10)$$

Teige et al. [Tei12] used the last scheme, Scheme 5.9, to compute the minimum probability of staying in R in MDPs, where the encoding is done in terms of SSAT formulae.

Now, using generalized Craig interpolation together with Scheme 5.9 or Scheme 5.6 is straightforward, where the same procedure is applied, with the typical steps used in reachability in Subsection 5.6.
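The recursions of Schemes 5.8 and 5.10 carried out as value iteration, together with the limits of Schemes 5.7 and 5.9, as an added example that is neither the thesis' tool nor its action-planning model; the toy MDP, its location names and the eps/max_k stopping rule are constructed assumptions:

```python
# Added example (not the thesis' tool): value iteration for the step-bounded
# recursions of Scheme 5.8 (MinReach) and Scheme 5.10 (MaxAvoid) and the
# step-unbounded limits of Schemes 5.7 and 5.9, on a constructed finite MDP.
from typing import Dict, List, Set, Tuple

Dist = Dict[str, float]      # successor location -> probability p(t)
MDP = Dict[str, List[Dist]]  # location -> Enabled transitions (guards assumed true)

# Constructed toy MDP; not the action-planning model of the thesis.
EXAMPLE_MDP: MDP = {
    "init": [{"a": 0.5, "b": 0.5}, {"safe": 0.3, "fail": 0.7}],
    "a":    [{"fail": 0.8, "safe": 0.2}],
    "b":    [{"fail": 0.4, "init": 0.6}],
    "safe": [{"safe": 1.0}],
    "fail": [{"fail": 1.0}],
}

def step(mdp: MDP, region: Set[str], prev: Dict[str, float], choose) -> Dict[str, float]:
    """One unfolding of the k > 0 case: 1 inside R, otherwise the scheduler's
    min (Scheme 5.8) or max (Scheme 5.10) over Enabled of sum p(t) * prev(l')."""
    return {loc: 1.0 if loc in region else
            choose(sum(p * prev[succ] for succ, p in d.items()) for d in mdp[loc])
            for loc in mdp}

def bounded_values(mdp: MDP, region: Set[str], k: int, choose) -> Dict[str, float]:
    """MinReach^k (choose=min) or MaxAvoid^k (choose=max) for every location."""
    vals = {loc: (1.0 if loc in region else 0.0) for loc in mdp}  # the k = 0 case
    for _ in range(k):
        vals = step(mdp, region, vals, choose)
    return vals

def min_reach(mdp: MDP, region: Set[str], loc: str, k: int) -> float:
    return bounded_values(mdp, region, k, min)[loc]
def max_avoid(mdp: MDP, region: Set[str], loc: str, k: int) -> float:
    return bounded_values(mdp, region, k, max)[loc]

def limit(mdp: MDP, region: Set[str], loc: str, choose,
          eps: float = 1e-9, max_k: int = 10_000) -> Tuple[int, float]:
    """lim_{k->inf} of Schemes 5.7/5.9: the bounded values are non-decreasing in k
    (each iterate is a lower bound), so stop once a step moves every location < eps."""
    vals = bounded_values(mdp, region, 0, choose)
    for k in range(1, max_k + 1):
        nxt = step(mdp, region, vals, choose)
        if max(abs(nxt[l] - vals[l]) for l in mdp) < eps:
            return k, nxt[loc]
        vals = nxt
    raise RuntimeError("no fixed point within max_k steps")
def min_stable(mdp: MDP, region: Set[str], loc: str) -> float:
    """Scheme 5.9 as stated on the page: MinStable = 1 - lim_k MaxAvoid^k."""
    return 1.0 - limit(mdp, region, loc, max)[1]
```

On the toy model the minimizing scheduler settles on the direct transition out of init (value 0.7) after a handful of unfoldings, while the maximizing one keeps cycling through b and converges geometrically to 6/7.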

j | I1 | R1 | I2 | R2 | R
--|----|----|----|----|--
1 | true | false | true | false | false
2 | BD | ¬Cx7 ∧ ¬B ∧ ¬D | BD | ¬Cx7 ∧ ¬B ∧ ¬D | ¬Cx7 ∧ ¬B ∧ ¬D
3 | BD | ¬Cx7 ∧ ¬B ∧ ¬D | BD | ¬Cx7 ∧ ¬B ∧ ¬D | ¬Cx7 ∧ ¬B ∧ ¬D

Table 5.3: Results of the interpolation-based approach of Example 5.5, where j represents the number of the transitions considered by the interpolation to increase the preciseness, I represents the interpolant computed at the j-th step, and R represents an overapproximation of the possible reachable set of states in M.


Example 5.5: Action planning: stability problem

In this example, we consider the stability problem for the action planning example depicted in Figure 5.8. We want to verify by using GCI that the maximum probability of avoiding the region representing “fail state and x is less than or equal 7” is 0.8.

However, we use Scheme 5.6 to prove that the minimum probability of staying outside the region representing “fail state and x is less than or equal 7” is 0.8. This can be achieved by using GCI as follows:

• We have R0 := ¬C ∧ x ≤ 7. After that we compute I1 := BD as shown in the interpolation-based reachability procedure.

• Now, we compute R1 by considering R0 ∧ ¬I1.

• We continue as before until R reaches a fixed point, i.e. once it is entered, the system cannot leave it. Formally, it means that Rk+1 → Rk.

[Figure 5.10 (plot; only its labels survive extraction): vertical axis, probability from 0 to 1; horizontal axis, iteration step from 0 to 12; legend: LB, Exact, computed by interpolant]

Figure 5.10: Probability of avoiding fail ∧ x ≤ 7 by using GCI.

We summarize the results obtained by our prototypical tool in Table 5.3, where different sizes of transition system were used during interpolating, namely j = 1, 2 and 3. We observe that the interpolant stabilizes in case of j ≥ 2, where it overapproximates the reachable states. Figure 5.10 represents two results: the upper (green) line represents the upper bound on the step-unbounded probability to avoid the unwanted region. The numbers on the horizontal axis here refer to the iteration (the number of steps), while the vertical axis refers to the computed probabilities. The lower (blue) curve represents the lower bound on the probability to stay outside “fail state and x is less than or equal 7”, as computed by Scheme 5.6. One may observe that the lower bound and the exact value almost coincide after step k = 3.

To this end, one can encode region stability problems in SSMT formulae and probabilistic reachability problems as well, which reflects the main contributions of our approach to probabilistic unbounded model checking problems.

[Thesis overview diagram (only its labels survive extraction): input: timed and (probabilistic) hybrid models + arithmetic programs; safety property: invariants or contracts; outputs: safe / unsafe. Is the model probabilistic? YES: abstract the mode + eliminate the continuous behaviour; apply the resolution calculus for SSMT; use generalized Craig interpolation for SSMT (stochastic reachability, Chapter 5). NO: has the property a PQ form? YES: slice the model by applying transformation functions, using an admissible transformation, e.g. redirecting edges, or a semi-admissible transformation, e.g. removing edges (Chapter 3); then convert the model to a CFG, encode the problem in iSAT3, and use CEGAR + Craig interpolation, CDCL(T) + ICP and Craig interpolation (classical reachability, Chapter 4).]

6 Conclusion

But then of course you reach a point where you have to say, I’ve got to figure out how this book’s going to end. Otherwise, you’re going to write yourself into so many dead-ends.

(Anthony Doerr)

Contents

6.1 Achievements of this dissertation . . . 155
6.2 Outlook . . . 158
6.2.1 Applying transformation for models admitting system modes . . . 158
6.2.2 Extending iSAT3-CFG with interprocedural calls . . . 158
6.2.3 Computing loop summaries – maximum number of while-loop unwindings . . . 159
6.2.4 Integrating generalized Craig interpolation with DPLL-based SSMT solving . . . 159

In this chapter, we recap the main achievements and findings of this dissertation and sketch possible future tracks to take from here.

6.1 Achievements of this dissertation

In this thesis, we made three contributions to software model checking. Aside from presenting a consistent view of various related formal models that cover real, embedded and hybrid systems, the core achievements presented in this thesis lie in advancing model checking by using interpolation beyond decidable theories, covering stochastic and deterministic reachability analyses.

At first, we introduced a novel preprocessing and verification approach that deals with a wide scope of models ranging from programs, finite, timed and hybrid automata and even more system models as long as they induce computational transition systems. Given consistent transition systems and specifications with assumption-commitment form, one can apply the suggested transformations to eliminate some computational paths of these models – as required for reducing verification complexity – without changing the verification verdict. The idea is that all non-persistent traces trivially satisfy the specification, since the assumption is broken in the latter traces. Although its principle seems to be simple, it significantly optimises the verification time by up to a factor of ten as shown on Fischer’s protocol and WFAS’s models in Chapter 3. The first main contribution in that direction was introducing the concept of “an edge supporting a specification”, which generalizes the linear-time, trace-based satisfaction relation with respect to a single edge as a model element. Informally, an edge supports a specification if there exists a valid computation path of the model such that the edge is used and the specification is satisfied. Based on this, two transformation functions are proposed as valid instances and exploited within source-to-source transformations, which mark edges that do not support a specification as to be removed or redirected. Both transformation functions lead to simpler and often considerably smaller models in comparison to the original one. It is found that proving that the original model satisfies the assumption-commitment property can be assured by proving that only the commitment is satisfied in the resultant model in case of removing non-support edges. Likewise, verifying the assumption-commitment property in the original model can be performed by verifying the whole property in the resultant model after redirecting non-support edges.

Second, we built an unprecedented framework to handle subtle reachability problems in non-trivial embedded software, namely the rigorous detection of dead code. It is found that dead code has a bad impact in automotive and avionics domains since it affects the testability of embedded programs. Therefore several pertinent standards for embedded system development demand adequate handling of dead code during testing or even bar it altogether, like DO-178C [EH10], DO-278A [Che09], or ISO/IEC PDTR 24772 [TRn09].

In non-trivial embedded software like Simulink-Stateflow auto-generated programs, we expect industrial-scale programs with richer arithmetic operations including polynomials and transcendental functions combined with long chains of conditional and loop statements that affect the control flow of these programs. In such a situation, all verification approaches, e.g., SMT model checkers, abstract interpretation, static analysers and CEGAR, are inapt to address a solution for this problem individually since they lack the exactness or they are currently confined to linear and polynomial arithmetics only. However, the combination is beneficial if all are tightly integrated in a way such that each approach is used in its proper field.

For that purpose, CEGAR is employed in order to handle large arithmetic programs and avert the state space explosion problem due to its well-defined abstraction. In each iteration, either a refinement step is performed by adding necessary side-conditions to the desired model edges in case of a spurious counterexample, or a real counterexample violating the safety property is obtained at the level of program code. In order to economize the time consumption needed for back-and-forth translation between different tools, all steps are done within iSAT3. So the iSAT3 input language is extended to read control-flow graphs based on programs in order to use CEGAR as a frontend of our toolchain.

Moreover, verifying the abstraction is done by using interpolation-based model checking techniques. Furthermore, in this approach conflict-driven clause learning and interval constraint propagation are used to solve very large complex Boolean formulae, and capture the arithmetic reasoning over non-polynomial constraints respectively.

Craig interpolation with SAT-based as well as SMT-based bounded model checking is able to verify non-probabilistic safety properties by proving that certain target states or rather code fragments are unreachable, namely if the overapproximated set of all reachable states has an empty intersection with the set of unsafe states. Refinement in CEGAR is done by using (inductive) interpolants as in lazy abstraction, where refinement is accomplished by adding necessary predicates to edges as side-conditions with assumption-commitment form. The latter form can restrict the current and the next valuations of variables, as the iSAT3 input language supports that option. That is, we conjunct these side conditions and eke out the size of the abstraction model during verification.

In order to use our approach on real industrial problems, we built a special parser that converts SMI code provided by BTC-ES AG to iSAT3-CFG input language. SMI code is an intermediate language representation of the C language that consists of one unconstrained while-loop block with a list of assignments.

These SMI programs admit linear and non-linear assignments and conditions besides bit-wise operations, loops, and distinguishing cases as well. Also, for the purpose of real certification, IEEE 754 floating point arithmetic is extended from iSAT3 to iSAT3-CFG, where special values such as NaNs, +∞, −∞, −0, +0 and subnormal numbers are handled. This support enables us to precisely solve the cases where a weak satisfiability (candidate solution) often appears. After that, these programs are verified by using our approach with several options, where the verification results show the effectiveness of our approach.

The last but not least contribution is a generalization of Craig interpolation such that it deals with all SAT, SMT, SSAT and SSMT problems. It does not only go beyond probabilistic bounded state reachability problems, but also covers a richer fragment of arithmetic theories beyond Teige’s approach for probabilistic finite-state models like Markov decision processes. Namely, this approach addresses a solution for both unbounded reachability model checking and stability problems in probabilistic hybrid system models with discrete time steps. For this purpose, the generalized Craig interpolation for SSMT formulae was introduced. At the first point, a sound and relatively-complete resolution calculus for SSMT formulae called SSMT resolution was introduced. We augmented it – non-exclusively – with an extension of Pudlák-style symmetric rules for interpolant generation. This resolution misses completeness due to the interval constraint propagation used as arithmetic reasoner for non-linear constraints, where the latter are in general undecidable problems when non-linear constraints contain transcendental functions.

In order to utilize the generalized Craig interpolation in model checking, a probabilistic state reachability is introduced for probabilistic hybrid automata such that we get probabilistic (in)finite-state systems at the end, akin to SSAT’s approach; however, in our case, either finite-state abstraction or safe approximation must be used. We developed a symbolic verification procedure for probabilistic safety properties of probabilistic (in)finite-state systems obtained after abstraction or approximation.

Akin to symbolic methods for non-probabilistic systems, generalized Craig interpolation provides a technique for computing a symbolic overapproximation of the (backward) reachable state set of probabilistic systems. While Craig interpolation-based model checking for stochastic propositional satisfiability problems was able to verify safety properties of the shape “the probability of reaching the unsafe states is at most 1% in worst case”, many safety properties representing a richer fragment of arithmetic constraints are frequently unavoidable in probabilistic scenarios. Thereby, in this thesis, verifying safety properties of the shape “the probability that x is larger than or equal 3 is at most 1% in worst case”, where x is a real number representing continuous behaviour in hybrid models and appears