Counterexample-guided Abstraction Refinement for the Analysis of ...

More documents

Recommendations

Info

Proposition 2. The equivalence ̂Q constructed above is the smallest equivalencecontained in Θ.Example: We consider again the abstract error trace J which can be obtainedby firing transitions “Cross Location” and “Error”. However, this error trace hasno real runs that correspond to it, which can be seen by computing the set Hof runs corresponding to prefixes of J . Here, the set H 0 consists of the initialhypergraph and the set H 1 contains one graph G 1 . The next rule “Error” cannotbe applied to G 1 in such a way that the corresponding diagram commutes andtherefore the set H 2 is empty.Fig. 4 shows the left-hand side of rule “Error”, G 1 ∈ H 1 and graph(m 1 ), thegraph corresponding to the marking reached after one step. One notices thatno appropriate morphism η can be found unless the nodes w 1 and w 2 in G 1are merged. Therefore we have Q w ′1= {w 1 ,w 2 }, Q w ′2= {w 2 } and the smallestequivalence relation ̂Q relates the nodes w 1 and w 2 and no other nodes. Notefor instance that w 2 must be contained in Q w ′1since both are attached to theunary edge labelled UP.left-hand side of rule ”Error”L 2UPFw ′ 1 w ′ 2η”real graph” G 1 graph(m 1 ) (graph generated by m 1 )UPL F Lv 1 w 1 w 2 v 2ξw 1,2UPLLv 1,2ϕFFig. 4. Hypergraphs G 1 ∈ H 1, L 2 and graph(m 1) from the firewall example.4.3 Elimination of Spurious RunsThe general idea for destroying spurious runs is to avoid the merging of nodesfrom the same equivalence class of ̂Q. For this reason we assign colours to thenodes of the graphs contained in H and disallow the merging of nodes correspondingto nodes with the same colour. For reasons that will become clearbelow a node may have several colours, i.e., a node v is associated to a set cols(v)of colours.For each G ∈ H k we and each morphism ξ k : G → graph(m k ) we considerthe corresponding relation Q G,ξk . Then we assign colours to nodes in such away that there exists at least one pair v 1 ,v 2 of nodes such that v 1 Q G,ξk v 2 andcols(v 1 ) ∩ cols(v 2 ) ≠ ∅. There are several ways to do this and all of them willhelp to eliminate the counterexample. In our implementation we choose a colorfor each set of nodes Q v and assign it to all nodes contained in Q v .In order to catch “bad” mergings as early as possible, these colours have tobe distributed to the remaining graphs contained in H. Let us recall here that
according to Definition 3 for each real run J r = (G 0 ⇒ r1 G 1 ... ⇒ rk G k ) fromH we have injective partial morphisms ν i : G i → G i+1 for i = 0,...,k−1. Usingthese partial morphisms we assign the colours of G k to the remaining graphs G icontained in H. We start from G k and proceed as follows: if a node v ∈ G i+1 hasa colour then we also assign this colour to the node ν −1 (v) if such a node exists.In this way a node may obtain several colours, due to the branching structureof the runs contained in H. We denote by cols(v) the set of colours of the nodev ∈ V Gj where G j ∈ H j .We are now ready to give the algorithm for computing the refined overapproximation.Algorithm 10 (Refined approximated unfolding)Input: A gts G, a set H of runs corresponding to prefixes of the counterexampleand a function cols assigning sets of colours to the nodes of the graphs in H.Output: The refined over-approximation C ′ G .We start constructing the new over-approximation C G ′ with the initial graphG 0 . Unfolding steps will be performed as described in Algorithm 7.For a folding step we disallow the merging of nodes corresponding to nodes inH having the same colour. More specifically, consider the over-approximation C G ′ ,which is currently being constructed. Now for each run J r = G 0 ⇛ r1 ... ⇛ rl G lin H where l < k check the following:We consider all abstract runs J = graph(m 0 ) ⇛ r1 ... ⇛ rl graph(m l ) of thecurrent Petri graph C G′ for which J r ≪ J and all edge-bijective morphismsξ:G i → graph(m i ) for i = 0,...,l. Whenever there are two nodes v 1 ,v 2 in G iwith cols(v 1 ) ∩ cols(v 2 ) ≠ ∅ and ξ(v 1 ) = ξ(v 2 ), we have erroneously merged twonodes in the approximation which should not have been merged. Consequentlythis folding step is undone.Previously rejected folding steps are recorded and are not any more consideredby the algorithm.In this way we will eliminate not only the spurious run but several more runswhich are characterized below (see Proposition 5).Example: Fig. 5 depicts the hypergraph obtained for the firewall example afterthe abstraction refinement procedure. As one can see, the “critical nodes” of thehypergraph, namely the nodes w 1 and w 2 , are now separated.4.4 CorrectnessIn the following we will show that Algorithm 10 terminates and that the refinedover-approximation is correct and more exact then the previous one.Let C G be an over-approximation with a spurious run J and let C G ′ be thecorresponding refined over-approximation. In [3] it is shown that the algorithmconstructing the over-approximating Petri graph terminates. We modified thealgorithm by forbidding some of the folding steps and hence we have to reprovetermination for the new version of the algorithm.
Page 1 and 2: Counterexample-guided Abstraction R
Page 3 and 4: (edge-injective) whenever it is bij
Page 5 and 6: Definition 4 (Petri net). Let ∆ b
Page 7 and 8: Cross FirewallErrorErrorF SP 2LCros
Page 9: 4.2 Relations on Nodes for Refining
Page 13 and 14: 5 Implementation and Experimental R
Page 15: References1. P.A. Abdulla, B. Jonss

Counterexample-guided Abstraction Refinement for the Analysis of ...

Create successful ePaper yourself

Delete template?

Save as template?