Abstract

Formal methods combining abstract interpretation and model checking have been considered for automated analysis of software. A first category concerns symbolic methods, where properties of the system are approximated using abstract domains; in this case one considers approximated representations of sets of states. A second category concerns abstract model checking, where the semantics of an infinite transition system is abstracted to get a finite approximation on which temporal logic or μ-calculus model checking can be directly applied; in this other case one considers approximated representations of sets of transitions. The objective of this paper is to develop a third, complementary possibility of interaction between abstract interpretation and model checking based software analysis methods. Here no approximation is made on sets of states or sets of transitions. Instead one performs an analysis of the system by abstract interpretation, and this information is used to restrict the space of states and transitions which need to be explored during the verification process. The computational overhead of computing an abstract interpretation of the model to be checked can be avoided by doing the computation in parallel with the model checking and using intermediate abstract interpretation results as they become available.

AAS: First ACM SIGPLAN Workshop on Automatic Analysis of Software, Paris, France, January.

Introduction

In the design and development of software using model-based automatic analysis, such as model checking or state space exploration, one is confronted with high complexity for very large systems and with undecidability as soon as one has to consider infinite sets of states. Consequently, all properties of all systems cannot be automatically verified in finite or reasonable time; some form of approximation has to be considered. For example, syntax-driven proof techniques ultimately rely on some form of assistance from the user. Although one can prove very precise assertions with an interactive automatic theorem prover, the technique is necessarily approximate in the sense that the output of the theorem prover may not be understandable by the user and/or the user's answers may mislead the theorem prover into dead ends. Model checking (Clarke et al.) places no restriction on verifiable properties (CTL, μ-calculus and the like) but considers only quasi finite-state systems. Program analysis by abstract interpretation (Cousot and Cousot; Cousot) places no restriction on systems (programming languages, which can be imperative, functional, logic, object-oriented, parallel) but places restrictions on verifiable properties, since abstract properties are necessarily approximate. Both model checking and abstract interpretation have benefited from mutual cross-fertilization: in particular, model checking can now consider infinite-state systems, whereas in abstract interpretation it is common to consider properties significantly more complex than safety/invariance (see e.g. Dams et al.; Fernandez; Halbwachs; Steffen).

We would like to consider here abstract model-based automatic analysis, that is, the model-based automatic analysis methods which are related to abstract interpretation, and suggest further possible interactions.

First, symbolic verification (Burch et al.; Henzinger et al.; Daws et al.) makes use of a compact symbolic formula representation of the characteristic function of sets of states. For example, the symbolic formula can be encoded by BDDs (Akers; Bryant) or by affine inequality relations (Cousot and Halbwachs). Such abstract domains are of very common use when abstract interpretation is applied to program static analysis. Some symbolic abstract domains satisfy the ascending chain condition (Karr), and this directly guarantees the finite convergence of the analysis. However, most symbolic domains are very large or infinite, so that if one does not want to abandon the formal verification for lack of space or time, some form of widening (Cousot and Cousot) must ultimately be used to enforce rapid convergence of the analysis algorithms. Examples of widenings are given by Halbwachs for affine inequality relations and by Mauborgne for BDDs. In this case one does not consider a faithful symbolic description of the software properties but instead an approximation of sets of states. The corresponding loss of information may be without consequences for the verification (Henzinger and Ho; Jackson); otherwise the verification fails.

In a second form of reduction by abstraction, one considers exact properties of an approximate semantics. More precisely, one does not consider a faithful description of the software runtime behavior but instead an approximation of this semantic behavior. Once again, abstract interpretation has been used to obtain such sound approximations. Here the main idea, for model checking or state exploration of infinite or very large finite transition systems, is to use an abstract, conservative, finite transition system on which existing algorithms designed for finite automata are directly applicable. In this context, conservative means upper approximation for safety properties and lower approximation for liveness properties. This semi-verification idea was first introduced by Clarke et al. and progressively refined to cope with wider classes of temporal logic (Kelb; Dams et al.; Cleaveland et al.) or μ-calculus formulae (Graf and Loiseaux; Loiseaux et al.; Cridlig). Partial-order approaches can be understood in this way, the loss of information being in this case without consequences on completeness (Valmari).

We would like here to suggest a new, third possible interaction between abstract interpretation and model-based automatic analysis of infinite systems (Cousot). It is based on the remark that although the transition system is infinite, all behaviors considered in practice may be finite, e.g. when there is a termination requirement or, more generally, a liveness requirement excluding infinite behaviors. In this case abstract interpretation may be used on the infinite-state system to eliminate the impossible, potentially infinite, behaviors. In the favorable case, this preliminary analysis by abstract interpretation may be used to restrict the states which must be explored to a finite number. Even in the case of finite but very large state spaces, the method can be useful to reduce the part of the state graph which needs to be explored for verification, in parallel with this verification, that is, at almost no cost in time.

Combining Abstract Interpretation and Model Checking

The general idea is to improve the efficiency of symbolic model checking algorithms for verifying concurrent systems by using properties of the system that can be automatically inferred by abstract interpretation.

Figure: A finite transition system (state/transition diagram, labels I, F, t; the drawing itself is not recoverable from the page).
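The following Python program is an added worked example and is not code from the paper. It carries out the third approach on a constructed transition system: a forward interval analysis with widening and narrowing computes an invariant of an infinite-state loop, and a backward explicit-state search from the error states is then pruned to the states satisfying that invariant. Without the invariant the backward search descends through the unguarded lower side of x forever (the example stops it with a budget); with it, the explored set is finite and the verdict is exact, even though the interval domain learns nothing about y. The program, its guards, the error states and the budget are assumptions of the example, and it implements only the preliminary-analysis variant, not the parallel one mentioned in the abstract.

```python
"""Added example: a forward interval analysis (abstract interpretation with
widening/narrowing) whose invariant restricts a backward explicit-state
reachability check on an infinite-state transition system.
Constructed toy system; not code from the paper."""
from collections import deque
from math import inf

# Constructed transition system over states (pc, x, y), x and y unbounded ints:
#   pc1: if x < 5 then x := x + 1; y := y + 1 or y := y - 1 (nondeterministic)
#   pc1: if x >= 5 then goto pc2
PC_LOOP, PC_EXIT = 1, 2
INIT = (PC_LOOP, 0, 0)          # the single initial state (assumption)

def predecessors(s):
    """Exact inverse of the concrete transition relation.  The loop guard
    bounds x from above only, so (pc1, x, y) has predecessors for every
    x <= 5: walking backwards through pc1 descends x without end."""
    pc, x, y = s
    preds = []
    if pc == PC_LOOP and x - 1 < 5:
        preds += [(PC_LOOP, x - 1, y - 1), (PC_LOOP, x - 1, y + 1)]
    if pc == PC_EXIT and x >= 5:
        preds.append((PC_LOOP, x, y))
    return preds

# Abstract domain: a pair of intervals (for x and y) per program point, or BOT.
BOT = None

def join(a, b):
    if a is BOT: return b
    if b is BOT: return a
    return tuple((min(l1, l2), max(h1, h2)) for (l1, h1), (l2, h2) in zip(a, b))

def widen(old, new):
    """Interval widening: a bound that is still moving jumps to infinity,
    which forces the ascending iteration to converge."""
    if old is BOT: return new
    return tuple((l1 if l2 >= l1 else -inf, h1 if h2 <= h1 else inf)
                 for (l1, h1), (l2, h2) in zip(old, new))

def narrow(old, new):
    """Interval narrowing: only infinite bounds may be improved."""
    return tuple((l2 if l1 == -inf else l1, h2 if h1 == inf else h1)
                 for (l1, h1), (l2, h2) in zip(old, new))

def loop_body(a):
    """Abstract post of 'x < 5; x := x + 1; y := y +/- 1'."""
    if a is BOT: return BOT
    (xl, xh), (yl, yh) = a
    xh = min(xh, 4)                       # guard x < 5
    return BOT if xl > xh else ((xl + 1, xh + 1), (yl - 1, yh + 1))

def exit_edge(a):
    """Abstract post of the guard 'x >= 5' leading to pc2."""
    if a is BOT: return BOT
    (xl, xh), (yl, yh) = a
    xl = max(xl, 5)
    return BOT if xl > xh else ((xl, xh), (yl, yh))

def interval_analysis(max_iter=100):
    """Forward abstract interpretation; returns an invariant per program point."""
    init, head = ((0, 0), (0, 0)), BOT
    for _ in range(max_iter):             # ascending iteration with widening
        new = widen(head, join(init, loop_body(head)))
        if new == head: break
        head = new
    for _ in range(max_iter):             # descending iteration with narrowing
        new = narrow(head, join(init, loop_body(head)))
        if new == head: break
        head = new
    return {PC_LOOP: head, PC_EXIT: exit_edge(head)}

def in_invariant(s, inv):
    a = inv.get(s[0], BOT)
    return a is not BOT and all(l <= v <= h for v, (l, h) in zip(s[1:], a))

def error_reachable(error_states, invariant=None, budget=5000):
    """Backward explicit-state search from the error states towards INIT.
    Returns (verdict, states explored); verdict is None when `budget` states
    were explored without a decision.  When `invariant` is given, predecessors
    outside it are dropped: they are not forward-reachable from INIT, so they
    cannot lie on any counterexample, and the search space becomes finite."""
    keep = lambda s: invariant is None or in_invariant(s, invariant)
    seen = {s for s in error_states if keep(s)}
    work = deque(seen)
    while work:
        s = work.popleft()
        if s == INIT:
            return True, len(seen)
        for p in predecessors(s):
            if p in seen or not keep(p):
                continue
            if len(seen) >= budget:
                return None, len(seen)
            seen.add(p)
            work.append(p)
    return False, len(seen)

if __name__ == "__main__":
    inv = interval_analysis()             # pc1: x in [0, 5], y unbounded
    print("invariant:", inv)
    print("unrestricted search:", error_reachable([(PC_EXIT, 5, 7)]))
    print("restricted search:  ", error_reachable([(PC_EXIT, 5, 7)], inv))
    print("reachable error:    ", error_reachable([(PC_EXIT, 5, 5)], inv))
```

The pruning is sound because the abstract invariant over-approximates the forward-reachable states: a state outside it is unreachable from INIT, so discarding it cannot lose a counterexample. On this system the invariant x in [0, 5] alone cuts the backward search from an unbounded one to 22 states for the unreachable error state (pc2, 5, 7), while the reachable error state (pc2, 5, 5) is still correctly reported. The same check fails on a restricted invariant only if the abstraction is unsound, which is why the widening is applied to the whole ascending sequence and the narrowing only tightens infinite bounds.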
References

[1] Patrick Cousot et al. Abstract interpretation. CSUR, 1996.
[2] Edmund M. Clarke et al. Symbolic Model Checking: 10^20 States and Beyond. Inf. Comput., 1990.
[3] Sheldon B. Akers et al. Binary Decision Diagrams. IEEE Transactions on Computers, 1978.
[4] Edmund M. Clarke et al. Verus: a tool for quantitative analysis of finite-state real-time systems. 1995.
[5] Joseph Sifakis et al. Property preserving abstractions for the verification of concurrent systems. Formal Methods Syst. Des., 1995.
[6] Rance Cleaveland et al. Optimality in Abstractions of Model Checking. SAS, 1995.
[7] Patrick Cousot et al. Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation. PLILP, 1992.
[8] Thomas A. Henzinger et al. Symbolic Model Checking for Real-Time Systems. Inf. Comput., 1994.
[9] Daniel Jackson et al. Abstract Model Checking of Infinite Specifications. FME, 1994.
[10] P. Cousot. Thèse d'État ès sciences mathématiques: Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique de programmes (in French; iterative methods for the construction and approximation of fixpoints of monotone operators on a lattice, semantic analysis of programs). 1978.
[11] Nicolas Halbwachs et al. Automatic discovery of linear restraints among variables of a program. POPL, 1978.
[12] Nicolas Halbwachs et al. Minimal State Graph Generation. Sci. Comput. Program., 1992.
[13] Nicolas Halbwachs et al. Verification of Linear Hybrid Systems by Means of Convex Approximations. SAS, 1994.
[14] François Bourdoncle et al. Abstract debugging of higher-order imperative languages. PLDI '93, 1993.
[15] Robert K. Brayton et al. Implicit state enumeration of finite state machines using BDD's. 1990 IEEE International Conference on Computer-Aided Design, Digest of Technical Papers, 1990.
[16] Nicolas Halbwachs et al. Delay Analysis in Synchronous Programs. CAV, 1993.
[17] Randal E. Bryant et al. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, 1986.
[18] Laurent Mauborgne et al. Abstract Interpretation Using TDGs. SAS, 1994.
[19] T. Henzinger et al. Algorithmic Analysis of Nonlinear Hybrid Systems. CAV, 1998.
[20] Patrick Cousot et al. Systematic design of program analysis frameworks. POPL, 1979.
[21] Régis Cridlig et al. Semantic analysis of shared-memory concurrent languages using abstract model-checking. PEPM '95, 1995.
[22] Patrick Cousot et al. Abstract Interpretation Frameworks. J. Log. Comput., 1992.
[23] Antti Valmari et al. On-the-Fly Verification with Stubborn Sets. CAV, 1993.
[24] Stavros Tripakis et al. The Tool KRONOS. Hybrid Systems, 1996.
[25] Nicolas Halbwachs. About Synchronous Programming and Abstract Interpretation. SAS, 1994.
[26] Jean-Claude Fernandez et al. Abstract Interpretation and Verification of Reactive Systems. WSA, 1993.
[27] Claire Loiseaux et al. A Tool for Symbolic Program Verification and Abstraction. CAV, 1993.
[28] Olivier Coudert et al. Verification of Synchronous Sequential Machines Based on Symbolic Execution. Automatic Verification Methods for Finite State Systems, 1989.
[29] E. Clarke et al. Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM, 1993.
[30] Patrick Cousot et al. Abstract Interpretation and Application to Logic Programs. J. Log. Program., 1992.
[31] Orna Grumberg et al. Abstract interpretation of reactive systems: abstractions preserving .. 1994.
[32] Régis Cridlig et al. Semantic analysis of concurrent ML by abstract model-checking. INFINITY, 1996.
[33] Olivier Coudert et al. Verifying Temporal Properties of Sequential Machines without Building Their State Diagrams. CAV, 1990.
[34] Bernhard Steffen. Data flow analysis as model checking. 1990.