LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder...

LTL Software Model Checkingin CPAchecker

Thomas BunkLMU Munich, Germany

October 01, 2019

Thomas Bunk LMU Munich, Germany 1 / 20

LTL Software Model Checking [1]Program P LTL property ϕ

Transition System TS Büchi automaton A¬ϕ

Product automatonTS ⊗ A¬ϕ

Emptiness checkL(TS⊗A¬ϕ) ?= ∅

P � ϕ P 2 ϕτ is CEX

yes no

[1] M. Vardi, P. Wolper: An Automata-Theoretic Approach to Automatic Program Verification [LICS’86]Thomas Bunk LMU Munich, Germany 2 / 20

Büchi Automata in CPAchecker

1. Parsing of LTL properties

I Consider e.g.: [] (x -> F y U X "z > 0")

2. Transformation into Büchi automata using external Tools

3. Parsing and converting the result into automata from theCPAchecker-framework


Büchi Automata in CPAchecker

1. Parsing of LTL propertiesI Consider e.g.: [] (x -> F y U X "z > 0")

2. Transformation into Büchi automata using external Tools

3. Parsing and converting the result into automata from theCPAchecker-framework


Büchi Automata in CPAcheckerLTL properties already used in SV-Comp, e.g.:I Unreachability of Error Function:

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

I Termination:CHECK( init(main()), LTL(F end) )

Keep format for LTL software model checking, i.e.I CHECK ( init(<init_function>) , LTL(<property>) )

Example:I CHECK( init(main()), LTL([]("x>0" ==> <>("y==0"))) )

Execution with CPAchecker:I scripts/cpa.sh -ltl <path/program> -spec <path/specification>


LTL Software Model Checking [1]Program P LTL property ϕ

Transition System TS Büchi automaton A¬ϕ

Product automatonTS ⊗ A¬ϕ

Emptiness checkL(TS⊗A¬ϕ) ?= ∅

P � ϕ P 2 ϕτ is CEX

yes no

[1] M. Vardi, P. Wolper: An Automata-Theoretic Approach to Automatic Program Verification [LICS’86]Thomas Bunk LMU Munich, Germany 6 / 20

Example [1]

1 i n t x , y ;2 whi le ( t r u e ) {3 x := ∗ ;4 y := 1 ;5 whi le ( x > 0) {6 x−−;7 i f ( x <= 1) {8 y := 0 ;9 }

10 }11 }

Listing 1: Program P aspseudocode

l0

l1

l2

l3

x := ∗; y := 1

x > 0

x−−

x <= 1; y := 0 !(x <= 1)

!(x > 0)

Figure: CFA of program P

[1] D. Dietsch, M. Heizmann, V. Langenfeld, and A. Podelski:Fairness modulo theory: A new approach to LTL software model checking. [CAV’15]


Combining the CFA and LT property

1 i n t x , y ;2 whi le ( t r u e ) {3 x := ∗ ;4 y := 1 ;5 whi le ( x > 0) {6 x−−;7 i f ( x <= 1) {8 y := 0 ;9 }

10 }11 }

Listing 2: Program P

l0

l1

l2

l3

x := ∗; y := 1

x > 0

x−−

x <= 1; y := 0 !(x <= 1)

!(x > 0)

Figure: CFA of P

LTL property:ϕ = �(x > 0→ ♦(y = 0))

q0

q1

true

(x > 0) ∧ !(y == 0)

!(y == 0)

Figure: Büchi Automaton A¬ϕ


Büchi-programl0q0

l1q0

l2q0

l3q0

l0q1

l1q1

l2q1

l3q1

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

!(x <= 1)

true

x <= 1; y:=0

true

x−−

true

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

x <= 1; y:=0

!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

!(x > 0)

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


CPAchecker: Architecture

SourceCode

Spec

ResultsParser &CFA Builder

CEGARAlgorithm

CPAAlgorithm

DCACPA

LocationCPA

CallstackCPA

PredicateCPA

Func.Pt.CPA


Local infeasibilityl0q0

l1q0

l2q0

l3q0

l0q1

l1q1

l2q1

l3q1

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

!(x <= 1)

true

x <= 1; y:=0

true

x−−

true

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

x <= 1; y:=0

!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

!(x > 0)

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


Local infeasibilityl0q0

l1q0

l2q0

l3q0

l0q1

l1q1

l2q1

l3q1

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

!(x <= 1)

true

x <= 1; y:=0

true

x−−

true

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

x <= 1; y:=0

!(y == 0)!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

!(x > 0)

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


Infeasibility of a finite prefixl0q0

l1q0

l2q0

l3q0

l0q1

l1q1

l2q1

l3q1

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

!(x <= 1)

true

x <= 1; y:=0

true

x−−

true

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


Trace abstraction [1]

Goal:I Generalize infeasible error tracesI Exclude classes of infeasible traces

[1] M. Heizmann, J. Hoenicke, and A. Podelski: Software model checking for people who love automata. [CAV’13]Thomas Bunk LMU Munich, Germany 13 / 20

Example for Trace Abstraction

Approach:

1. take trace τ1

2. consider trace asautomaton A1

3. analyze correctness of A1

4. generalize automaton A1

p0

p1

perr

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

>

x > 0

⊥


Trace Abstraction – Interpolant Based Approach

Approach:

1. take trace τ1

2. consider trace asautomaton A1

3. analyze correctness of A1

4. generalize automaton A1I add transitionsI merge locations

p0

p1

perr

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

. . .

!(x > 0) ∧ !(y == 0)

. . .

. . .

. . .

. . .

>

x > 0

⊥


Trace Abstraction for Infeasible Prefixes

l0

l1

l2

l3

x := ∗; y := 1

x > 0

x−−

x <= 1; y := 0 !(x <= 1)

!(x > 0)

Figure: CFA of P

LTL property:ϕ = �(x > 0→ ♦(y = 0))

q0

q1

true

(x > 0) ∧ !(y == 0)

!(y == 0)

Figure: Büchi Automaton A¬ϕ

p0

p1

perr

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

. . .

!(x > 0) ∧ !(y == 0)

. . .

. . .

. . .

. . .

>

x > 0

⊥

Figure: Trace automaton A1


Buechi Program after Refinementl0q0p0

l1q0p0

l2q0p1

l3q0p0

l0q1perr

l1q1p1

l2q1p1

l3q1p0

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

!(x <= 1)

true

x <= 1; y:=0

true

x−−

true

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


Buechi Program after Refinementl0q0p0

>

l0q0perr⊥

l1q0p0

>

l1q0p1x > 0

l2q0p1 x > 0

l3q0p0>

l0q1perr ⊥

l1q1p1 x > 0

l2q1p1 x > 0

l3q1p0 >

!(x <= 1)

true

!(x > 0)

true

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

x <= 1; y:=0

true

x−−

true

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


ω-Infeasibilityl0q0p0

l0q0perr

l1q0p0

l1q0p1

l2q0p1

l3q0p0

l0q1perr

l1q1p1

l2q1p1

l3q1p0

!(x <= 1)

true

!(x > 0)

true

x:=∗; y:=1

true

!(x > 0)

true

x > 0

true

x <= 1; y:=0

true

x−−

true

!(x > 0)

!(y == 0)

x > 0

!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)


LTL Software Model CheckingProgram P LTL property ϕ

Control-flow automaton CFA Büchi automaton A¬ϕ

Büchi ProgramB:=CFA⊗A¬ϕ

τ exists ?

τ = τ1τω2

τ1τ2 ∈ L(B)

τ1τ2 feasible ?

τ terminating ?

P � ϕno

P 2 ϕτ is CEX

no

yesnoB:=B ∪ refineF (τ)

yesyesB:=B ∪ refineω(τ)


Outlook

I Implement Trace Abstraction algorithm for terminationarguments[1]

I Make use of Adjustable Block Encoding (ABE)

I ...

[1] M. Heizmann, J. Hoenicke, and A. Podelski: Termination analysis by learning terminating programs. [CAV’14]Thomas Bunk LMU Munich, Germany 19 / 20

Thank you for your attention!

LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder...

Documents

Transcript of LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder...