Concrete Model Checking with Abstract Matching and Refin...(PPT-33)文档文档.pptVIP

* API = application program interface * Green - yellow is no necessarily a must transition Refinement x=10 x0 - x--; * Refinement x=10 x0 - x--; * Equiv relation: trans, refl, symm Quotient system is the minimized (or reduced) system with respect to bisimulation Usually, ~ is the “largest”; the quotient defines the “coarsest partition” – not really nencessary here; Not the coarsest partition will emerge (because of extra predicates) * -predicates = quantifier free formulas over a first order logic May: a1 -may a2 iff there exists concrete s1 s.t. a(s1)=a1 and there exists concrete s2 s.t. a(s2)=a2, s.t. s1 - s2 Must: a1 -must a2 iff for all concrete s1 s.t. a(s1)=a1, there exists concrete s2 s.t. a(s2)=a2 and s1 - s2 * Not really fair to compare Applications Property verification for the Bakery mutual exclusion protocol Search order matters 5 iterations for breadth first search order 4 iterations for depth first search order Error detection in RAX (Remote Agent Executive) Component extracted from an embedded spacecraft-control application Deadlocked in space Error found faster than over-approximation based analysis Test input generation for Java container classes using JPF Abstract matching but no refinement Explore method call sequences Match states between calls to avoid generation of redundant tests Better testing coverage as compared to other methods * ? Willem Visser 2002 Related Work Refinement of under-approximations For SAT based bounded model checking – Grumberg et al. [POPL’05] May and must abstractions Branching time properties – Godefroid et al [Concur’01] “Hyper” must transitions for monotonicity – Shoham and Grumberg [TACAS’04] Dams and Namjoshi, de Alfaro et al [LICS’04], Ball et al [CAV’05] Our previous work – choice free search [TACAS’01] Model driven software verification Use abstraction mappings during concrete model checking – Holzmann and Joshi [SPIN’04] Over-approximation based predicate abstraction * ? Willem Visser 2002 Conclusions Mo