>> Francesco Logozzo: So good evening. Thank you for coming to the talk this afternoon. So it’s an honor for me to introduce Francesco Ranzato. It’s a wonderful name. First name Francesco is me. And he’s professor at the University of Padova which is one of the oldest universities in the world. It’s the one in which [indiscernible] was professor so in a way you are connected directly to [indiscernible]. You can say like that. He is an expert of abstract interpretation and his work was, is mainly in domain [indiscernible] interpretation refining abstract domains and the notion of completeness which he used together with Roberto and paper by [indiscernible] interpretation to prove that state based model checking is inherently incomplete. And today he is going to talk us how to simplify abstractions. Thank you. >> Francesco Ranzato: Thank you Francesco. So I will give a talk on what we call correctness kernel of abstraction interpretation. And this is a joint work of some years ago together with Roberto. And there will be some links with the presentation gave by Roberto two days ago. So first what is an abstraction refinement? So we already have seen in the talk by Roberto some example of refinement so it’s usable in static analysis and verification and for example the CEGAR paradigm so the CounterExample-Guided Abstraction Refinement is an example, an instance of abstraction refinement. What are the magic things for solve, doing abstraction refinement? So we need to identify when and how to refine some abstraction. For example an abstract domain. And then what is the goal of refining is to remove some [indiscernible] or some [indiscernible] traces in model, abstract model checking. On the other hand, what is abstract simplification and the other way around? So a little less known there are less example. One example if I remember well we have seen in the presentation by Roberto, the principles here is that we need to identify when and how to simplify an abstraction. And the goal is then, at least in my view, is to keep the same approximate behavior of the abstract model. So let’s look at an example in abstract model checking. So we have a finite state model. So we have state. We have transition between state and this gives rise to a concrete model K. This graph for example. What is an abstraction? Here it’s a state abstraction so some states are blurred in an abstract state and so we actually handle a partition of the state’s base. And what is the abstract model? So we need to define what is the transition between abstract state. And so we have the substantial transition between set of state, between blocks or the partition. And so this is the abstract model. So what is the problem of having an abstract model? The problem is that we have spurious paths. So for example the blue one is an abstract path which is first because there is not real concrete path that can be abstracted in that abstract path. So with the simplification here, simplification consists at least one way of simplifying this abstraction, this state partition is merging blocks. So joining blocks together. So here we have a simplified abstract model. So where the upper block has been joined with the lower block 2, 3 and 4, 5. So now we have a new block. Here again we have the spurious abstract factor as before. This situation is depicted here. And here the observation is that on the simplified model we have a not spurious path, so a real abstract path let’s say, and I call these not spurious abstract path example let’s say, because counter example actually can be also called, counter example can be viewed as a spurious abstract path. And on the source model, source abstract model, let’s say A, we have two corresponding abstract path that are not spurious. So this is the first one and this is the second one. Okay? The observation here is that the simplification of A, A prime preserve the same examples. So what does it mean? That if I have a spurious path in the simplified model A prime, then we are able to find a corresponding path in the source abstract model A such that the abstraction of that abstract path is spurious and the abstraction of that abstract path in A is the spurious abstract path in A prime. We can read this property also in the following way. So for any abstract path by prime in the simplified abstract model if we have this property so any abstraction of the path in A, any path in A that is abstracted in ∏ prime is not spurious. Then ∏ prime is not spurious. So that’s a property that can be read as the fact that A prime, the simplification of prime, maintains the same example of A. >>: What is alpha then? >> Francesco Ranzato: Alpha simply is the way of, so for example, here, here, this path and this path are both attracted to the same path because when we map this block in the corresponding block because this is a simplification. So this block can be simplified and yet attracted to a corresponding block in A prime. Then we have a corresponding path. And the path is the same. The abstraction of this is one. >>: [indiscernible] >> Francesco Ranzato: Yeah. Okay, so for that example of simplification we join these two blocks. So 6 and 7 becomes a unit block. Here again we have the preservation of examples. So let’s look at an example where we do not preserve example. If we try to merge these two blocks in a single block, then we use this property. Why? Because here we introduce this path so we have a self loop into this block. And this is spurious of course. And we do not have a corresponding spurious path in the [indiscernible] for model A. And so this is an example of the simplification which is not good. Simplification that does not keep the same example of the source at [indiscernible]. Okay. So here we have the spurious abstract path. This block that stays there forever. While here we do not have a corresponding abstract path. Because when we move from one, from this block to this one, we cannot stay there or going back to one. So the goal here is to give a good definition of this, let’s say informal notion. So try to distill the model, the formal model for [indiscernible] this kind of simplification. This has the good simplification in this approach. Let’s look at an example in more general abstract interpretation. So let us consider if it is a variable. Let’s consider it as a function, as operation of the + 1 operation. So we perform X + 1, X++. Let us consider a couple of let’s say toy abstractions. So sign for example, sign-like abstractions. So here we have the property of being negative of 0, positive of 0 or 0. And then a simplification of this abstraction just to the property of being positive of 0. So of course this is a simplification of this. If it is a good simplification, abstraction simplification, of this one with respect to this property let’s say. So the observation is the following. That if we consider how to, how the increment operation, increment by one operation is modeled in the abstraction A1, the behavior is the following. So when we have 0 then the only thing that we can say is that the output is abstracted by positive of 0. Negative of 0 is abstracted to the top because we have the possibility of jumping from 0 to 1, while minus 1 is, minus 2 goes to minus 1, and minus 1 goes to 0. And so the only thing that we can say is top. Positive of course is positive. While top is top. On the other hand for A2 of course we have positive of 0 is positive of 0, top is top. But the observation here is that these two of the function actually encode the same function. What does it mean? It means that when we project these two abstract functioning, the concrete domain, so we see these two of the function as complete function. And we interpret this abstract function as concrete function. Then they boil down to the same function. For example, if we take the 0 element, view as a concrete element, then we abstract this element in A2 as positive of 0. ++ is positive of zero. And then we go to the concrete. So we concretize this element. Then we get the positive of zero. And that, okay. What is the observation here? The observation is that this behavior in A1 can be safely omitted because the same behavior can be retrieved from the behavior in A2, which is simulated by the abstract function on positive of 0. So in a sense, in a sense, these two elements, 0 and the negative of 0, are not relevant for the approximation of the increment operation in A1. >>: [indiscernible] >> Francesco Ranzato: For example … >>: Oh I see it’s because you, it’s because the less than or equal to 0 [indiscernible]. >> Francesco Ranzato: Yeah. Yeah. >>: If it were less than 0 then, yeah. >> Francesco Ranzato: Okay. Okay. Look at further example. If you take this set of negative of 0 elements, then in A1 you abstracted these sets of course in negative of 0. Then you do the [indiscernible]. You get X less than or equal to 1 and so the only thing that you can say is top. On the other hand, the same [indiscernible] is in A2. And so in A2 you jump directly to top. Top stays on top. And so the result is the same. Okay. So here again the objective, the goal, is to give a model in order to identify the fact that A2 is a good simplification of A1 with respect to increment operation. So this problem, so this goal, is achieved through formalization abstract interpretation. So in general abstract interpretation, the ingredients are always the same so approximation is formalized through partial orders. We have a concrete domain where the partial order means [indiscernible] approximation. We have an abstraction which is formalized through Galois connection. For example we have an alpha. We have a gamma. Concrete objects. So the consequence of the Galois connection of [indiscernible] is that concrete objects have best correct approximation. And here is the point. And a concrete function as a best correct approximation in some abstract domain. Because the abstract domain is formalized through [indiscernible] connection. And that correct approximation is denoted. This is important for the rest of the talk through this notation. So fA means the best way of approximating behavior f in the abstraction A. So now we assume to have an abstraction A, an abstraction B, the corresponding Galois connection. We have a concrete semantic function f on the concrete domain. And then we define this relation. We say that abstraction in A and abstraction in B are in some sense equivalent when the following equality holds. What is this equality? So here we have the best correct abstraction of f here. Here we have the best correct abstraction of f and B. And here we project these two function in A and B in the concrete. So here we put the alpha in A, here the gamma in A, here the alpha in B, here the gamma in B. So these two guys are two concrete function and we require equality between these two concrete function. And we say that A and B are the same for approximating the function f when this equality holds. Okay? So this is the central concept of this approach. So, look, the question now is the following. We define the correctness kernel of the fraction A for the function f as the most abstract domain. Let’s call it B such that [indiscernible]. So the point is that here we define B as the most abstract domain. So they [indiscernible] that we throw away as much information is possible from A preserving the same behavior, the same approximate behavior for the function. And… >>: [indiscernible] >> Francesco Ranzato: Of course B is an abstraction of A. Of course. And the point is try to answer the question. First if this domain exists and second how to compute how to characterize the data set. >>: [indiscernible] >> Francesco Ranzato: Ah, yes, yes, yes, yes, yes. >>: [indiscernible] >> Francesco Ranzato: It exists as one. It cannot be too different. >>: [indiscernible] >> Francesco Ranzato: See here, actually when I write most of the domain actually more technical in ways that we have [indiscernible]. >>: And this is the case if the concrete domain is a concrete [indiscernible]? >> Francesco Ranzato: Yes. >>: But just through your example with the [indiscernible] >> Francesco Ranzato: Maybe it’s enough to consider [indiscernible]. >>: [indiscernible] >> Francesco Ranzato: Okay. So technically the question is solving this problem. And the solution is not discussed in detail here but just, I give the result, so the result is that when the function f, more precisely the function f when we consider it where first abstractor [indiscernible] put in A is continuous. Continuous means it’s got continuous, so it preserves a [indiscernible]. Then this correctness kernel actually exists and we are also able to give a characterization. And that characterization is quite interesting because, so what are the element of A which are really necessary for approximating the behavior f, the function f. So the results say that we need to consider all the points of A which are images of the best correct approximation of A. Plus, plus for any of them, so for any Y which is in the image of fA, we need to [indiscernible]. So here is the [indiscernible] so we need to consider the most abstract element in A, the most abstract X in A such that the best correct approximation on X provides Y. So we can see that. The image and then for any element of the image, the greatest [indiscernible] or the most abstract of the element whose output is that image. And so any other element in A which is not in this, so technically the [indiscernible] which is not here can be thrown away. Technically, the proof of this result is not easy and relies on the completeness of abstract interpretation. And you can see this fact in [indiscernible] that this function is continuous. Which is the [indiscernible] is that also Roberto mentioned today several if I remember well. >>: I don’t see [indiscernible]. >> Francesco Ranzato: I, because technically, technically these rely on some completion. >>: [indiscernible] >> Francesco Ranzato: [indiscernible] >>: [indiscernible] >> Francesco Ranzato: [indiscernible] because you need to prove first that this domain is good in the sense that the approximation of the function f over the domain is the same. And second, and that’s the hardest part, you need to prove that this is the most abstract among this class of domains. And since the proof, of course the kind of universal proof for all domains is the least of this domain. We need some tool in order to prove this and the tool is quite surprising. Let’s say that we were able to find the tool in that this problem can be abusive, can be abusive to the problem of completing an abstract interpretation. That’s it. So, let’s look at this result actually works so let’s go back to the examples. Here we have A and we want to prove that these two elements are not used for approximating the increment operation. So what is the answer? The answer is just the collection of the guys here. So the top and the positive of 0. Then for any guy here, so for top we need to consider the greatest of the element in A such that the image of the abstract increment is at the top. What is the greatest? There are two of them. This one and this one and the greatest is here. And so this can be throw away. For the positive of 0 then we have two because 0++ is positive of 0 and the same is for positive of 0. 0 is below this one and so can be throw away. We just keep the greatest. More in general the marks. Actually it is not guaranteed that there is one so the least upper bond but if there are more than one we take the maximum one. And so in this case the kernel, the correctness kernel, actually is A2. And so the model actually seems to work. Abstract model checking. So let that apply this result in abstract model checking so we have the concrete model. We have, so how to cast abstract model checking as abstract interpretations. So the usual trick is to view this partition as an abstraction. How to view these as an abstraction? So is an abstraction a set of states? So when we have a set of states we call the set of states through the blocks of that partition. And is an abstraction. Quite easy. What is here the operation? The operation of course is the set of transition in the model, so what is the best correct approximation of this operation if for this abstraction is of course the abstract transition and the abstract transition is the transition which is called the existential abstraction of the transition. So if block B goes to block C when there is some X and B, some Y and C such that there is a transition from X to Y. More technically here the concrete function of the predecessor function, the successor function on set of state. Partition is an abstraction of set of states and so here the question is what is the correctness kernel of the partition P? View it as an abstraction of this concrete domain for these two concrete functions. Predecessor and successor. So, here again the example that we have seen at beginning. So here we have these two blocks that are merged in a unique block. Here the blue one and the green one, 6 and 7 are joined in the unique block 6 and 7. So is this the correctness kernel? This is yes. Because the result here is that in the correctness kernel and the correctness kernel here actually does exist because the predecessor and the successor function are continuous of course. [indiscernible] and so anything from technical point of view actually works smooth. And so here the correct realization is that in the correctness kernel of the partition P for the predecessor and the successor, two blocks are merged together when these hold. And so this says that B1 and B2 have exactly the same predecessor, abstract predecessor, and the same abstract successor. And so look. This 1 and this 1. What is the set of after predecessor? 1. What is here? 1. Here. 6, 7, 6, 7. And so that’s the same. The point here is that the property of correctness kernel for and after model, for and after kernel construction, actually satisfied the regional goal that I mention at the beginning. So correctness kernels do not add the spurious paths. So when we add the spurious paths in the correctness kernel then actually there exists a spurious path in the regional domain such that the corresponding spurious path so, such that the abstraction of that corresponding spurious path is the spurious path in this [indiscernible]. We call this particular correctness kernel we call Example-Guided Abstraction Simplification for the reason that I mention before because here we simplified abstraction and instead of being guided by counterexample, actually we are guided, let’s say we are guided by example. So example mean not spurious abstract path. So why is this useful? So we found an application that seems interesting. So in CEGAR, in the CEGAR loop a counterexample guide of fraction refinement, the three basic steps to follow are the following. So first the model checker provides as an answer an abstract path that is a counterexample. So we have a trace of blocks of the partition of the model. Then the CEGAR loop determines if this abstract path is spurious or not. Is it spurious or not? If that abstract path is spurious then the methodology and according to the methodology we need to identify the block which is the reason, the cause of the spuriousness of this abstract block. And then when we have identified that block Bk, let’s call it Bk, then we need to find that block. So we need to split that block in order to separate the state that provoke the spuriousness of that abstract path. So the methodology actually call the states inside that block Bk, that call bad state, dead-end states, and there is a method for splitting, for separating bad and the deadend states. So let’s look at example. So here we have a spurious abstract path 1. This block 6 of course this is spurious. This is called a dead-end state. This is Bk. So this block is the reason why this path is spurious. This is called the dead-end state because it is reached from the initial block but we cannot move from that state. And this is called the bad state because it’s the state that provides the transition which is the fake transition. Why this state is called an irrelevant state? Because actually is there in the block but it’s not the reason of spuriousness of the abstract path. So CEGAR, so actually the real problem is to find the least way of refining that block. But this problem cannot be solved in an efficient way. Actually it is NP-hard. And so there is heuristics. Heuristics means that dead-end states are separated from bad and irrelevant states. So irrelevant states are joined together with bad states. But this strategy, this heuristics which is refined heuristics in CEGAR actually in some cases, in some cases does not work well. What does it mean? So here if we put the irrelevant state 4 together with a bad state 3 so the situation is the following. So from this model we refine to this model. Here again we have an abstract path which is spurious. So look to these block 3, 4, 6 so we have an abstract path. And here again we have a spuriousness. 3 is the bad. 4 is the dead-end. So we refine again. So we separate… >>: [indiscernible] >> Francesco Ranzato: Yes. 4 can be joined together with 3 or 5. >>: [indiscernible] >> Francesco Ranzato: Yeah. This is the standard heuristic of CEGAR. Is not true? >>: [indiscernible]. You split the state to distinguish the path that is spurious. So you split the 3, 4 state. Right? >> Francesco Ranzato: No. The point is that the irrelevant state 4… >>: [indiscernible] I’m just saying traditional CEGAR takes [indiscernible] splits 3, 4. Because it looks like there is a spurious path because you can go through 2 to 3, 4 and 3, 4, 6. Right? So how I do that is go back to 6 [indiscernible]. >> Francesco Ranzato: The question is good because why 4 is joined to 3 because [indiscernible]. We try to join 4 with 5 so the solution is here. The refinement is the 4 way. Then we are done. And we are done because here we do not have any more and is spurious abstract path. And so actually this is the point. I want to avoid this situation because here we need [indiscernible] refinement. While here we stop. >>: [indiscernible] In these pictures which are [indiscernible] just samples it looks like you’re sort of creating abstract states where you have lost transitions. Like all the edges, like once you prove 4 and 5 it’s nice because all the edges out of 4 and 5 [indiscernible] in the same place. [indiscernible] lost transition. >> Francesco Ranzato: Maybe it’s related. So let’s look at the solution. So why we are able, so how we are able to distinguish these refinement strategies from these refinement strategies. So the problem is that sometime these heuristics lead to some refinement which are not effective let’s say. So the observation here is that the state 4 can be viewed as a dead irrelevant state. Instead of viewing 4 as a generic irrelevant state, actually is dead irrelevant in what sense. The sense that we can join 4 to 5 and this does not affect the set of paths, of abstract paths that go through 5. Why? Because if we do the, if we consider the predecessor of 5 is 2. The successor of 5 is 7. But if we join 5 with 4 the set of predecessors, successor are the same. That observation. And so I think that it is reasonable to join 5, 4 with 5, for this reason. So when this happens, so when we are able to find that some irrelevant state actually is more than irrelevant, so it is dead irrelevant, then the reasonable strategy is joining that set of dead irrelevant states with dead-end states. >>: I just don’t understand the word dead-end. Why do you call 5 dead-end because it still goes somewhere? A dead-end usually is like you go into an alley and there is no way out except the way you came in. Why do you call it a dead-end? >> Francesco Ranzato: It’s dead-end because here the abstract, the abstract path is blocked at 6 and so for the abstract path, this block at 6, so this transition is not considered. >>: Oh because 5 doesn’t go there. [indiscernible] >> Francesco Ranzato: Yeah. >>: Okay. >> Francesco Ranzato: So, the new let’s say refinement strategy is if you find that an irrelevant state is dead-irrelevant in this sense and I have, I will make more precise this definition, then you can join that irrelevant state with dead-end state. And this, the benefit of this that you do not introduce new spurious paths. So what is more precisely a dead-irrelevant state? A state which is irrelevant is dead-irrelevant when you join with dead and the predecessor and the successor does not change. And so the predecessor of dead with s and the predecessor with dead without s are the same. And the same for their successor. Of course there is a dual notion of dead-irrelevant state where here we consider them bad state instead of dead-end states. And of course still there are some states that are not dead-irrelevant. Neither dead-irrelevant and this is the case or they are both bad and dead-irrelevant. So these states are called fully irrelevant or really irrelevant let’s say. Really irrelevant. And so here this is dead-end irrelevant and so is joined here and so here we do not add spurious path. And so we are done. We are done. To conclude, so this can be viewed as a contribution in looking for some usefulness of simplifying abstraction, both in static analysis and model checking, so generally in the generic frame of abstract interpretation. And as future work I see two interesting points. First to investigate more in detail the relationship between the integration of these strategies in the CEGAR loop and to find new context where the ideas of this approach can be useful in some sense. That’s it. [applause] >>: Are there questions? >>: I have a crazy question. During your talk you talked about abstract compilation [indiscernible] and then you specialize with respect to domains to get a cheaper domain somehow relating to this [discernible] evaluation. >> Francesco Ranzato: I don’t know but I think that this can fall in [indiscernible]. >>: Okay. >> Francesco Ranzato: Could be a context different from the two that I consider here where this can be related in some way. >>: Thank you. >> Francesco Ranzato: Okay. [applause]