Generalized Strong Preservation by Abstract Interpretation

Standard abstract model checking relies on abstract Kripke structures which approximate concrete models by gluing together indistinguishable states, namely by a partition of the concrete state space. Strong preservation for a specification language L encodes the equivalence of concrete and abstract model checking of formulas in L. We show how abstract interpretation can be used to design abstract models that are more general than abstract Kripke structures. Accordingly, strong preservation is generalized to abstract interpretation-based models and precisely related to the concept of completeness in abstract interpretation. The problem of minimally refining an abstract model in order to make it strongly preserving for some language L can be formulated as a minimal domain refinement in abstract interpretation in order to get completeness w.r.t. the logical/temporal operators of L. It turns out that this refined strongly preserving abstract model always exists and can be characterized as a greatest fixed point. As a consequence, some well-known behavioural equivalences, like bisimulation, simulation and stuttering, and their corresponding partition refinement algorithms can be elegantly characterized in abstract interpretation as completeness properties and refinements

Enhancing Test Coverage by Back-tracing Model-checker Counterexamples

AbstractThe automatic detection of unreachable coverage goals and generation of tests for "corner-case" scenarios is crucial to make testing and simulation based verification more effective. In this paper we address the problem of coverability analysis and test case generation in modular and component based systems. We propose a technique that, given an uncovered branch in a component, either establishes that the branch cannot be covered or produces a test case at the system level which covers the branch. The technique is based on the use of counterexamples returned by model checkers, and exploits compositionality to cope with large state spaces typical of real applications

Generalizing the Paige-Tarjan Algorithm by Abstract Interpretation

The Paige and Tarjan algorithm (PT) for computing the coarsest refinement of a state partition which is a bisimulation on some Kripke structure is well known. It is also well known in model checking that bisimulation is equivalent to strong preservation of CTL, or, equivalently, of Hennessy-Milner logic. Drawing on these observations, we analyze the basic steps of the PT algorithm from an abstract interpretation perspective, which allows us to reason on strong preservation in the context of generic inductively defined (temporal) languages and of possibly non-partitioning abstract models specified by abstract interpretation. This leads us to design a generalized Paige-Tarjan algorithm, called GPT, for computing the minimal refinement of an abstract interpretation-based model that strongly preserves some given language. It turns out that PT is a straight instance of GPT on the domain of state partitions for the case of strong preservation of Hennessy-Milner logic. We provide a number of examples showing that GPT is of general use. We first show how a well-known efficient algorithm for computing stuttering equivalence can be viewed as a simple instance of GPT. We then instantiate GPT in order to design a new efficient algorithm for computing simulation equivalence that is competitive with the best available algorithms. Finally, we show how GPT allows to compute new strongly preserving abstract models by providing an efficient algorithm that computes the coarsest refinement of a given partition that strongly preserves the language generated by the reachability operator.Comment: Keywords: Abstract interpretation, abstract model checking, strong preservation, Paige-Tarjan algorithm, refinement algorith

Finite-State Abstractions for Probabilistic Computation Tree Logic

Probabilistic Computation Tree Logic (PCTL) is the established temporal logic for probabilistic verification of discrete-time Markov chains. Probabilistic model checking is a technique that verifies or refutes whether a property specified in this logic holds in a Markov chain. But Markov chains are often infinite or too large for this technique to apply. A standard solution to this problem is to convert the Markov chain to an abstract model and to model check that abstract model. The problem this thesis therefore studies is whether or when such finite abstractions of Markov chains for model checking PCTL exist. This thesis makes the following contributions. We identify a sizeable fragment of PCTL for which 3-valued Markov chains can serve as finite abstractions; this fragment is maximal for those abstractions and subsumes many practically relevant specifications including, e.g., reachability. We also develop game-theoretic foundations for the semantics of PCTL over Markov chains by capturing the standard PCTL semantics via a two-player games. These games, finally, inspire a notion of p-automata, which accept entire Markov chains. We show that p-automata subsume PCTL and Markov chains; that their languages of Markov chains have pleasant closure properties; and that the complexity of deciding acceptance matches that of probabilistic model checking for p-automata representing PCTL formulae. In addition, we offer a simulation between p-automata that under-approximates language containment. These results then allow us to show that p-automata comprise a solution to the problem studied in this thesis

Model Checking a Temporal Logic via Program Verification

openThe thesis explores the possibility of viewing Model Checking as an instance of program verification in order to allow for the reuse of the vast theory and toolset of Abstract Interpretation in the setting of Model Checking. Model Checking is a formal verification technique used to analyse the correctness of software systems, based on a representation of the system as a formal model, such as a finite-state machine or a transition system, and on a representation of the properties it must satisfy as temporal logic formulae. On the other hand, Abstract Interpretation is a program analysis method, based on the idea of extracting properties of programs by (over-)approximating their semantics over a so-called abstract domain, typically a complete lattice, whose elements represent program properties. The thesis focuses on ACTL, the universal fragment of the temporal logic CTL, which can describe properties of executions which are universally quantified. It shows how properties expressed in ACTL can be mapped into programs written in a suitable programming language, whose semantics consists of counterexamples to the validity of the formula. Then such a program is analysed by Abstract Interpretation over some abstract domain, exploiting the idea of local completeness as put forward in some recent work, combining lower- and under-approximations.The thesis explores the possibility of viewing Model Checking as an instance of program verification in order to allow for the reuse of the vast theory and toolset of Abstract Interpretation in the setting of Model Checking. Model Checking is a formal verification technique used to analyse the correctness of software systems, based on a representation of the system as a formal model, such as a finite-state machine or a transition system, and on a representation of the properties it must satisfy as temporal logic formulae. On the other hand, Abstract Interpretation is a program analysis method, based on the idea of extracting properties of programs by (over-)approximating their semantics over a so-called abstract domain, typically a complete lattice, whose elements represent program properties. The thesis focuses on ACTL, the universal fragment of the temporal logic CTL, which can describe properties of executions which are universally quantified. It shows how properties expressed in ACTL can be mapped into programs written in a suitable programming language, whose semantics consists of counterexamples to the validity of the formula. Then such a program is analysed by Abstract Interpretation over some abstract domain, exploiting the idea of local completeness as put forward in some recent work, combining lower- and under-approximations

Modular Verification of Biological Systems

Systems of interest in systems biology (such as metabolic pathways, signalling pathways and gene regulatory networks) often consist of a huge number of components interacting in different ways, thus exhibiting very complex behaviours. In biology, such behaviours are usually explored by means of simulation techniques applied to models defined on the basis of system observation and of hypotheses on its functioning. Model checking has also been recently applied to the analysis of biological systems. This analysis technique typically relies on a state space representation whose size, unfortunately, makes the analysis often intractable for realistic models. A method for trying to avoid the state space explosion problem is to consider a decomposition of the system, and to apply a modular verification technique. In particular, properties to be verified often concern only a small portion of the modelled system rather than the system as a whole. Hence, for each property it would be useful to be able to isolate a minimal fragment of the model that is necessary to verify such a property. In this thesis we introduce a modular verification technique in which the system of interest is described by means of an automata-based formalism, called sync-programs, that supports modular construction. Our modular verification technique is based on results of Grumberg et al.~and on their application to the theory of concurrent systems proposed by Attie and Emerson. In particular, we adapt Attie and Emerson's approach to deal with biological systems by allowing automata to synchronise by performing transitions simultaneously. Modular verification allows qualitative aspects of systems to be analysed with the guarantee that properties proved to hold in a suitable model fragment also hold in the whole model. The correctness of the verification technique is proved. The class of properties preserved is ACTL$^{-}$, the universal fragment of temporal logic CTL. The preservation holds only for positive answers and negative answers are not necessarily preserved. In order to verify properties we use the NuSMV model checker, which is a well-established and efficient instrument. We provide a formal translation of sync-programs to simpler automata, which can be given as input to NuSMV. We prove the correspondence of the verification problems. We show the application of our verification technique in some biological case studies. We compare the time required to verify the property on the whole model with the time needed to verify the same property by only considering those modules which are involved in the behaviour of the system related to the property. In order to handle modelling and verification of more realistic biological scenarios, we propose also a dynamic version of our formalism. It allows entities to be created dynamically, in particular by other already running entities, as it often happens in biological systems. Moreover, multiple copies of the same entities can be present at the same time in a system. We show a correspondence of our model with Petri Nets. This has a consequence that tools developed for Petri Nets could be used also for dynamic sync-programs. Modular verification allows properties expressed as DACTL- formulae (dynamic version of ACTL-) to be verified on a portion of the model. The results of analysis of the case study of the MAP kinase cascade activated by surface and internalised EGF receptors, which consists of 143 species and 80 reactions, suggest applicability and scalability of the approach. The results raise the prospect of rendering tractable problems that are currently intractable in the verification of biological systems. In addition, we expect that the techniques developed in the thesis could be applied with profit not only to models of biological systems, but more generally to models of concurrent systems

Practical Abstraction for Model Checking of Multi-Agent Systems

Model checking of multi-agent systems (MAS) is known to be hard, both theoretically and in practice. A smart abstraction of the state space may significantly reduce the model, and facilitate the verification. In this paper, we propose and study an intuitive agent-based abstraction scheme, based on the removal of variables in the representation of a MAS. This allows to do the reduction without generating the global model of the system. Moreover, the process is easy to understand and control even for domain experts with little knowledge of computer science. We formally prove the correctness of the approach, and evaluate the gains experimentally on models of a postal voting procedure

A state/event-based model-checking approach for the analysis of abstract system properties.

AbstractWe present the UMC framework for the formal analysis of concurrent systems specified by collections of UML state machines. The formal model of a system is given by a doubly labelled transition system, and the logic used to specify its properties is the state-based and event-based logic UCTL. UMC is an on-the-fly analysis framework which allows the user to interactively explore a UML model, to visualize abstract behavioural slices of it and to perform local model checking of UCTL formulae. An automotive scenario from the service-oriented computing (SOC) domain is used as case study to illustrate our approach