## Better under-approximation of programs by hiding of variables (2006)

Venue: Proc. 7th VMCAI (2006)

Citations: 2 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ball06betterunder-approximation,
  author    = {Thomas Ball and Orna Kupferman},
  title     = {Better under-approximation of programs by hiding of variables},
  booktitle = {Proc. 7th VMCAI (2006)},
  year      = {2006},
  pages     = {314--328},
  publisher = {Springer-Verlag}
}
```


### Abstract

Abstraction frameworks use under-approximating transitions in order to prove existential properties of concrete systems. Under-approximating transitions refer to the concrete states that correspond to a particular abstract state in a universal manner. For example, there is a must transition from abstract state a to abstract state a′ only if all the concrete states in a have successors in a′. The universal nature of under-approximating transitions makes them closed under transitivity. Consequently, reachability queries about the concrete system, which have applications in falsification and testing, can be answered by reasoning about its abstraction. On the negative side, the universal nature of under-approximating transitions makes them dependent on all the variables of the program. The abstraction, on the other hand, often hides some of the variables. Since the universal quantification in must transitions ranges over all variables, this often prevents the abstraction from associating a must transition with statements that refer to hidden variables. We introduce and study partitioned-must transitions. The idea is to partition the program variables into relevant and irrelevant ones, and to restrict the universal quantification inside must transitions to the relevant variables. Usual must transitions are a special case of partitioned-must transitions in which all variables are relevant. Partitioned-must transitions exist in many realistic settings in which usual must transitions do not exist. As we show, they retain the advantages of must transitions: they are closed under transitivity, their calculation can be automated, and the three-valued semantics induced by usual must transitions is refined to a multi-valued semantics that takes into account the set of relevant variables.
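As an added illustration of the abstract's central distinction (this is not code from the paper or its authors), the following Python models a constructed two-variable program: `x` is the variable the abstraction tracks, `h` is hidden, and the single statement `if h == 1: x = 1` refers to the hidden variable, which is exactly the situation in which a usual must transition fails. The formalization of a partitioned-must transition used here (universal quantification over valuations of the relevant variables, existential over the hidden ones) is my reading of the abstract and is an assumption, not the paper's verbatim definition; the program, the abstract states `x0`/`x1`, and the function names `step`, `gamma`, `must`, `pmust` are all mine.

```python
from itertools import product

# Constructed toy program (not from the paper): two Boolean-valued variables.
# x is tracked by the abstraction, h is hidden. The single statement
#     if h == 1: x = 1
# refers to the hidden variable h, which is what blocks a usual must transition.
VARS = ("x", "h")
DOMAIN = (0, 1)
CONCRETE = list(product(DOMAIN, repeat=len(VARS)))   # all (x, h) valuations


def step(state):
    """Deterministic successor of a concrete state under `if h == 1: x = 1`."""
    x, h = state
    return (1, h) if h == 1 else (x, h)


TRANS = {c: {step(c)} for c in CONCRETE}   # concrete transition relation


def gamma(a):
    """Concretization of abstract state a in {'x0', 'x1'} (predicate x == 1)."""
    return {c for c in CONCRETE if c[0] == (1 if a == "x1" else 0)}


def must(a, a2):
    """Usual must transition: every concrete state of a has a successor in a2."""
    return all(TRANS[c] & gamma(a2) for c in gamma(a))


def restrict(state, relevant):
    """Project a concrete valuation onto the relevant variables."""
    return tuple(v for name, v in zip(VARS, state) if name in relevant)


def pmust(a, a2, relevant):
    """Partitioned-must transition w.r.t. `relevant` (assumed formalization of the
    abstract, not the paper's verbatim definition): for every valuation of the
    relevant variables that occurs in gamma(a), some concrete state of a carrying
    that valuation has a successor in gamma(a2). The universal quantifier ranges
    over the relevant variables only; the hidden ones are chosen existentially."""
    classes = {}
    for c in gamma(a):
        classes.setdefault(restrict(c, relevant), set()).add(c)
    return all(any(TRANS[c] & gamma(a2) for c in cls) for cls in classes.values())


def all_variables_relevant_is_must():
    """Check of the special case stated in the abstract: with every variable
    relevant, partitioned-must coincides with must on all abstract state pairs."""
    states = ("x0", "x1")
    return all(pmust(a, a2, set(VARS)) == must(a, a2) for a in states for a2 in states)


if __name__ == "__main__":
    print("must     x0 -> x1:", must("x0", "x1"))               # False: states with h == 0 stay in x0
    print("pmust{x} x0 -> x1:", pmust("x0", "x1", {"x"}))       # True: for x == 0, choose h == 1
    print("pmust{V} x0 -> x1:", pmust("x0", "x1", set(VARS)))   # False: identical to must
    print("pmust_V == must everywhere:", all_variables_relevant_is_must())
```

The run shows the abstract's claim on this toy: `x0 -> x1` is not a must transition because the concrete states with `h == 0` never change `x`, yet it is a partitioned-must transition once `h` is declared irrelevant, and declaring every variable relevant collapses `pmust` back to `must`.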

### Citations

- 1902 | Cousot, Cousot (1977). Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints.
  Citation context: "...and the three-valued semantics induced by usual must transitions is refined to a multi-valued semantics that takes into account the set of relevant variables. 1 Introduction. Abstraction frameworks [CC77] generally use over-approximation to check safety properties. If a safety property holds in the abstract (over-approximate) system then it holds in the concrete system that it abstracts. However, if t..."

- 252 | Vardi, Wolper (1994). Reasoning about infinite computations.

- 130 | Larsen, Thomsen (1988). A modal process logic.
  Citation context: "...on. This allows us to prove that if a safety property does not hold in the abstract system then it does not hold in the concrete system. Our investigations are based on modal transition systems (MTS) [LT88], which combine both over-approximation and under-approximation. Traditional MTSs have two types of transitions: may (over-approximating transitions) and must (under-approximating transitions). A must t..."

- 76 | Kurshan (1994). Computer Aided Verification of Coordinating Processes.

- 75 | Bruns, Godefroid (2000). Generalized model checking: Reasoning about partial state spaces. In: CONCUR'00.
  Citation context: "...sfy θ. Likewise, [a |= θ] = F only if all the concrete states in γ(a) do not satisfy θ. Sometimes neither case holds, or our reasoning is not sufficiently strong to infer that one of the cases holds [BG00], in which case the value of θ in a is unknown, denoted [a |= θ] = ⊥. Since must transitions under-approximate the transitions of the concrete system, they are used in the three-valued semantics for pr..."

- 55 | Ball (2004). A theory of predicate-complete test coverage and generation. Microsoft Research.
  Citation context: "...MTSs with hyper-must transitions [LX90,SG04] does not help in this setting either (and is orthogonal to the contribution we describe here). Such cases motivated the introduction of must⁻ transitions [Bal04]. A must⁻ transition from a to a′ implies that for all concrete states c′ that correspond to a′ there is a concrete predecessor state c that corresponds to a. In the above example, there is a must..."

- 50 | Larsen, Xinxin (1990). Equation solving using modal transition systems.

- 32 | Godefroid, Jagadeesan (2002). Automatic abstraction using generalized model checking.
  Citation context: "...i-valued semantics. Since abstraction hides information, the truth value of temporal-logic formulas with respect to states of an MTS may not be definite. According to the three-valued semantics for MTS [GJ02], the value of a formula θ in abstract state a is T, denoted [a |= θ] = T, only if all the concrete states in γ(a) satisfy θ. Likewise, [a |= θ] = F only if all the concrete states in γ(a) do not sat..."

- 25 | Shoham, Grumberg (2004). Monotonic Abstraction-Refinement for CTL.

- 24 | Shoham, Grumberg (2003). A game-based framework for CTL counter-examples and 3-valued abstraction-refinement.
  Citation context: "...he usual three-valued semantics to µ-calculus [BG04]. Note that in the special case of CTL and CTL⋆ formulas, this amounts to letting existential path formulas range over pmust⁺_X and pmust⁻_X paths [SG03]. 6 Choosing the Relevant Variables. In this section we discuss the choice of the relevant variables. We first show that some of our previous results can be simplified in case the abstraction refers on..."

- 20 | Ball, Kupferman, et al. (2005). Abstraction for falsification.
  Citation context: "...rom the three-valued semantics. Also, when X = ∅, we have that [c]_X = D^V. Accordingly, the values T_∅ and F_∅ coincide with the existential T_∃ and F_∃ values from the six-valued semantics studied in [BKY05]. Finally, it is interesting to note that the semantics is monotonic, in the sense that if [a |= θ] ⊒ T_X and X′ ⊆ X, then [a |= θ] ⊒ T_X′. Thus, our semantics is a natural refinement of the existenti..."

- 9 | Kupferman, Lampert (2006). On the construction of fine automata for safety properties.
  Citation context: "...ns of the MTS, the less under-approximating the abstraction is, the more we are likely to detect errors. When ψ is a safety property, A¬ψ can be replaced by an automaton accepting finite bad prefixes [KL06], and detection can be reduced to weak reachability in the product. In the general case, we have to find a concrete state that is reachable from itself. The latter cannot be reduced to two weak reacha..."

- 5 | Dijkstra (1976). A Discipline of Programming.
  Citation context: "...rogram, and thus it is also associated with a statement. For a statement s and a predicate e over V, the weakest precondition WP(s, e) and the strongest postcondition SP(s, e) are defined as follows [Dij76]: the execution of s from every state that satisfies WP(s, e) results in a state that satisfies e, and WP(s, e) is the weakest predicate for which the above holds; the execution of s from a state ..."

- 4 | Bruns, Godefroid (2004). Model checking with 3-valued temporal logics.
  Citation context: "...ixed-point operators, the closure of partitioned-must transitions under transitivity guarantees we can iterate the local ∃ ❢ and ∃ ❢ modalities, as in the usual three-valued semantics to µ-calculus [BG04]. Note that in the special case of CTL and CTL⋆ formulas, this amounts to letting existential path formulas range over pmust⁺_X and pmust⁻_X paths [SG03]. 6 Choosing the Relevant Variables. In this se..."