Counterexample-guided Abstraction Refinement for the Analysis of ...

More documents

Recommendations

Info

ased on a (partial order) technique that approximates gtss by Petri nets viaan unfolding construction [3]. More specifically, in this approach a finite overapproximationcalled Petri graph is constructed, which consists of a graph and aPetri net having the edges of the graph as places. The important property of theapproximation obtained in this way is that each graph reachable from the startgraph in the gts can be mapped, by merging some of its nodes, to a reachablemarking of the over-approximating Petri net. On the other hand there may besome markings reachable in the obtained Petri graph, which have no counterpartin the original gts. The sequence of events in the approximation leading to sucha graph is called a spurious run.In our case spurious runs are caused by the merging of graph nodes in theconstruction of the over-approximation. This is similar to the concept of summarynodes in shape analysis [16]. This paper describes how to construct a moreexact over-approximation by separating merged nodes for which these spuriousruns disappear. This procedure can be performed repeatedly for any number ofspurious runs.We believe that the technique of identifying the reason for the spurious runis independent of the abstraction mechanism used in this paper and could alsobe used in other frameworks dealing with approximations of graph structures.The techniques presented here are implemented as an extension of the toolAugur 1 . The experimental part of the paper compares this approach with analready existing abstraction refinement technique which reduces the number ofspurious examples by constructing an over-approximation which is exact up tosome pre-defined depth [5]. It is shown experimentally that counterexampleguidedabstraction refinement is faster and produces smaller Petri graphs.A long version of this paper is available as a technical report [11].2 Basic NotionsIn this section we describe the notions of hypergraph, gts, Petri net and Petrigraph and also show in an informal way how to construct over-approximatingPetri graphs.Definition 1 (hypergraphs and hypergraph morphisms). Let Λ be a setof labels where each label l ∈ Λ has an arity ar(l) ∈ N. A labelled hypergraphG is a tuple (V G ,E G ,c G ,l G ), where V G is a finite set of nodes, E G is a finiteset of edges, c G : E G → V ∗ G is a connection function and l G : E G → L is thelabeling function satisfying ar(l G (e)) = |c G (e)| for every e ∈ E G . The nodes arenot labelled.Let G and G ′ be two labelled hypergraphs. A hypergraph morphism (or simplymorphism) ϕ : G 1 → G 2 consists of a pair of total functions ϕ V : V G1 → V G2and ϕ E : E G1 → E G2 such that for every e ∈ E G1 it holds that l G1 (e) =l G2 (ϕ E (e)) and ϕ V (c G1 (e)) = c G2 (ϕ E (e)). A morphism is called edge-bijective1 Available from http://www.fmi.uni-stuttgart.de/szs/tools/augur/
(edge-injective) whenever it is bijective (injective) on edges. It is an isomorphismwhenever it is bijective on nodes and edges.Hypergraphs can be rewritten using rules of the following kind.Definition 2 (rewriting rule). A rewriting rule r is a triple (L,R,α), whereL and R are hypergraphs, called left-hand side and right-hand side respectivelyand α : V L → V R is an injective mapping, indicating how nodes are preserved.We demand that there are no isolated nodes in the left-hand side L and noisolated nodes in V R − α(V L ). Additionally E L must not be empty.The first condition says that we abstract from isolated nodes, whereas thesecond is a standard requirement for unfolding-based techniques, where everyrule must be consuming. Note furthermore that we do not consider rules thatpreserve edges of the left-hand side.For convenience we will in the following often assume that α is an inclusiondenoted by id, which can be enforced by renaming the nodes of the left or righthandside appropriately, and that the node and edge sets of L and R are disjointotherwise. That is, we demand that V L ⊆ V R and E L ∩ E R = ∅ which impliesthat the union L ∪ R is well-defined.Given a hypergraph, a rewriting rule and a match of the left-hand side, wecan apply this rule and replace the left-hand side by the right-hand side in thefollowing way. Additionally we define a partial morphism ν from the originalgraph to the rewritten graph, keeping track of preserved nodes and edges.Definition 3 (rewriting step). Let r = (L,R,id) be a rewriting rule. A matchof r in a hypergraph G is any morphism ϕ : L → G injective on edges. We canapply r to G according to the match ϕ and obtain a new graph H, written G ⇒ rH, which is defined as follows: V H = V G ⊎(V R −V L ), E H = (E G −ϕ(E L )) ⊎E Rand, defining ϕ:V R → V H by ϕ(v) = ϕ(v) if v ∈ V L and ϕ(v) = v otherwise, theconnection and labelling functions are given by c H (e) = c G (e), l H (e) = l G (e) ife ∈ E G − ϕ(E L ) and c H (e) = ϕ(c R (e)), l H (e) = l R (e) if e ∈ E R .We also define an injective partial morphism ν : G → H where ν V : V G → V Hand ν E : (E G − ϕ(E L )) → E H with ν(x) = x for every node or edge x.A graph transformation system (gts) G = (R,G 0 ) is a finite set of rulestogether with a start hypergraph (also called initial graph).Example: We illustrate the definitions of this chapter with an example describinga firewall system similar to the one introduced in [4]. This system contains an(arbitrarily large) set of processes running behind a firewall (safe processes) andone process in a public area (unsafe process). Any number of safe processes (SP)and connected locations (L) can be generated during runtime. The property toverify is that the unsafe process from the public area does not penetrate thefirewall. If this situation is detected, rule “Error” will be applied and an edgelabelled Error is created.Fig. 1 and Table 1 depict the initial graph and the rules of the firewall system.A double-headed arrow in a rule means that the rule can be applied in both
Page 1: Counterexample-guided Abstraction R
Page 5 and 6: Definition 4 (Petri net). Let ∆ b
Page 7 and 8: Cross FirewallErrorErrorF SP 2LCros
Page 9 and 10: 4.2 Relations on Nodes for Refining
Page 11 and 12: according to Definition 3 for each
Page 13 and 14: 5 Implementation and Experimental R
Page 15: References1. P.A. Abdulla, B. Jonss

Counterexample-guided Abstraction Refinement for the Analysis of ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?