Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Philosophy

Document 17865261

advertisement 
>> Francesco Logozzo: So good evening. Thank you for coming to the talk this afternoon. So it’s an
honor for me to introduce Francesco Ranzato. It’s a wonderful name. First name Francesco is me. And
he’s professor at the University of Padova which is one of the oldest universities in the world. It’s the
one in which [indiscernible] was professor so in a way you are connected directly to [indiscernible]. You
can say like that. He is an expert of abstract interpretation and his work was, is mainly in domain
[indiscernible] interpretation refining abstract domains and the notion of completeness which he used
together with Roberto and paper by [indiscernible] interpretation to prove that state based model
checking is inherently incomplete. And today he is going to talk us how to simplify abstractions. Thank
you.
>> Francesco Ranzato: Thank you Francesco. So I will give a talk on what we call correctness kernel of
abstraction interpretation. And this is a joint work of some years ago together with Roberto. And there
will be some links with the presentation gave by Roberto two days ago.
So first what is an abstraction refinement? So we already have seen in the talk by Roberto some
example of refinement so it’s usable in static analysis and verification and for example the CEGAR
paradigm so the CounterExample-Guided Abstraction Refinement is an example, an instance of
abstraction refinement.
What are the magic things for solve, doing abstraction refinement? So we need to identify when and
how to refine some abstraction. For example an abstract domain. And then what is the goal of refining
is to remove some [indiscernible] or some [indiscernible] traces in model, abstract model checking.
On the other hand, what is abstract simplification and the other way around? So a little less known
there are less example. One example if I remember well we have seen in the presentation by Roberto,
the principles here is that we need to identify when and how to simplify an abstraction. And the goal is
then, at least in my view, is to keep the same approximate behavior of the abstract model.
So let’s look at an example in abstract model checking. So we have a finite state model. So we have
state. We have transition between state and this gives rise to a concrete model K. This graph for
example. What is an abstraction? Here it’s a state abstraction so some states are blurred in an abstract
state and so we actually handle a partition of the state’s base. And what is the abstract model? So we
need to define what is the transition between abstract state. And so we have the substantial transition
between set of state, between blocks or the partition. And so this is the abstract model.
So what is the problem of having an abstract model? The problem is that we have spurious paths. So
for example the blue one is an abstract path which is first because there is not real concrete path that
can be abstracted in that abstract path. So with the simplification here, simplification consists at least
one way of simplifying this abstraction, this state partition is merging blocks. So joining blocks together.
So here we have a simplified abstract model. So where the upper block has been joined with the lower
block 2, 3 and 4, 5. So now we have a new block. Here again we have the spurious abstract factor as
before. This situation is depicted here. And here the observation is that on the simplified model we
have a not spurious path, so a real abstract path let’s say, and I call these not spurious abstract path
example let’s say, because counter example actually can be also called, counter example can be viewed
as a spurious abstract path. And on the source model, source abstract model, let’s say A, we have two
corresponding abstract path that are not spurious. So this is the first one and this is the second one.
Okay?
The observation here is that the simplification of A, A prime preserve the same examples. So what does
it mean? That if I have a spurious path in the simplified model A prime, then we are able to find a
corresponding path in the source abstract model A such that the abstraction of that abstract path is
spurious and the abstraction of that abstract path in A is the spurious abstract path in A prime.
We can read this property also in the following way. So for any abstract path by prime in the simplified
abstract model if we have this property so any abstraction of the path in A, any path in A that is
abstracted in ∏ prime is not spurious. Then ∏ prime is not spurious. So that’s a property that can be
read as the fact that A prime, the simplification of prime, maintains the same example of A.
>>: What is alpha then?
>> Francesco Ranzato: Alpha simply is the way of, so for example, here, here, this path and this path are
both attracted to the same path because when we map this block in the corresponding block because
this is a simplification. So this block can be simplified and yet attracted to a corresponding block in A
prime. Then we have a corresponding path. And the path is the same. The abstraction of this is one.
>>: [indiscernible]
>> Francesco Ranzato: Yeah. Okay, so for that example of simplification we join these two blocks. So 6
and 7 becomes a unit block. Here again we have the preservation of examples. So let’s look at an
example where we do not preserve example. If we try to merge these two blocks in a single block, then
we use this property. Why? Because here we introduce this path so we have a self loop into this block.
And this is spurious of course. And we do not have a corresponding spurious path in the [indiscernible]
for model A. And so this is an example of the simplification which is not good. Simplification that does
not keep the same example of the source at [indiscernible].
Okay. So here we have the spurious abstract path. This block that stays there forever. While here we
do not have a corresponding abstract path. Because when we move from one, from this block to this
one, we cannot stay there or going back to one.
So the goal here is to give a good definition of this, let’s say informal notion. So try to distill the model,
the formal model for [indiscernible] this kind of simplification. This has the good simplification in this
approach.
Let’s look at an example in more general abstract interpretation. So let us consider if it is a variable.
Let’s consider it as a function, as operation of the + 1 operation. So we perform X + 1, X++. Let us
consider a couple of let’s say toy abstractions. So sign for example, sign-like abstractions. So here we
have the property of being negative of 0, positive of 0 or 0. And then a simplification of this abstraction
just to the property of being positive of 0. So of course this is a simplification of this. If it is a good
simplification, abstraction simplification, of this one with respect to this property let’s say.
So the observation is the following. That if we consider how to, how the increment operation,
increment by one operation is modeled in the abstraction A1, the behavior is the following. So when we
have 0 then the only thing that we can say is that the output is abstracted by positive of 0. Negative of 0
is abstracted to the top because we have the possibility of jumping from 0 to 1, while minus 1 is, minus 2
goes to minus 1, and minus 1 goes to 0. And so the only thing that we can say is top. Positive of course
is positive. While top is top.
On the other hand for A2 of course we have positive of 0 is positive of 0, top is top. But the observation
here is that these two of the function actually encode the same function. What does it mean? It means
that when we project these two abstract functioning, the concrete domain, so we see these two of the
function as complete function. And we interpret this abstract function as concrete function. Then they
boil down to the same function.
For example, if we take the 0 element, view as a concrete element, then we abstract this element in A2
as positive of 0. ++ is positive of zero. And then we go to the concrete. So we concretize this element.
Then we get the positive of zero. And that, okay. What is the observation here? The observation is that
this behavior in A1 can be safely omitted because the same behavior can be retrieved from the behavior
in A2, which is simulated by the abstract function on positive of 0. So in a sense, in a sense, these two
elements, 0 and the negative of 0, are not relevant for the approximation of the increment operation in
A1.
>>: [indiscernible]
>> Francesco Ranzato: For example …
>>: Oh I see it’s because you, it’s because the less than or equal to 0 [indiscernible].
>> Francesco Ranzato: Yeah. Yeah.
>>: If it were less than 0 then, yeah.
>> Francesco Ranzato: Okay. Okay. Look at further example. If you take this set of negative of 0
elements, then in A1 you abstracted these sets of course in negative of 0. Then you do the
[indiscernible]. You get X less than or equal to 1 and so the only thing that you can say is top. On the
other hand, the same [indiscernible] is in A2. And so in A2 you jump directly to top. Top stays on top.
And so the result is the same. Okay. So here again the objective, the goal, is to give a model in order to
identify the fact that A2 is a good simplification of A1 with respect to increment operation.
So this problem, so this goal, is achieved through formalization abstract interpretation. So in general
abstract interpretation, the ingredients are always the same so approximation is formalized through
partial orders. We have a concrete domain where the partial order means [indiscernible]
approximation. We have an abstraction which is formalized through Galois connection. For example we
have an alpha. We have a gamma. Concrete objects. So the consequence of the Galois connection of
[indiscernible] is that concrete objects have best correct approximation. And here is the point. And a
concrete function as a best correct approximation in some abstract domain. Because the abstract
domain is formalized through [indiscernible] connection. And that correct approximation is denoted.
This is important for the rest of the talk through this notation. So fA means the best way of
approximating behavior f in the abstraction A.
So now we assume to have an abstraction A, an abstraction B, the corresponding Galois connection. We
have a concrete semantic function f on the concrete domain. And then we define this relation. We say
that abstraction in A and abstraction in B are in some sense equivalent when the following equality
holds. What is this equality? So here we have the best correct abstraction of f here. Here we have the
best correct abstraction of f and B. And here we project these two function in A and B in the concrete.
So here we put the alpha in A, here the gamma in A, here the alpha in B, here the gamma in B. So these
two guys are two concrete function and we require equality between these two concrete function. And
we say that A and B are the same for approximating the function f when this equality holds. Okay? So
this is the central concept of this approach.
So, look, the question now is the following. We define the correctness kernel of the fraction A for the
function f as the most abstract domain. Let’s call it B such that [indiscernible]. So the point is that here
we define B as the most abstract domain. So they [indiscernible] that we throw away as much
information is possible from A preserving the same behavior, the same approximate behavior for the
function. And…
>>: [indiscernible]
>> Francesco Ranzato: Of course B is an abstraction of A. Of course. And the point is try to answer the
question. First if this domain exists and second how to compute how to characterize the data set.
>>: [indiscernible]
>> Francesco Ranzato: Ah, yes, yes, yes, yes, yes.
>>: [indiscernible]
>> Francesco Ranzato: It exists as one. It cannot be too different.
>>: [indiscernible]
>> Francesco Ranzato: See here, actually when I write most of the domain actually more technical in
ways that we have [indiscernible].
>>: And this is the case if the concrete domain is a concrete [indiscernible]?
>> Francesco Ranzato: Yes.
>>: But just through your example with the [indiscernible]
>> Francesco Ranzato: Maybe it’s enough to consider [indiscernible].
>>: [indiscernible]
>> Francesco Ranzato: Okay. So technically the question is solving this problem. And the solution is not
discussed in detail here but just, I give the result, so the result is that when the function f, more precisely
the function f when we consider it where first abstractor [indiscernible] put in A is continuous.
Continuous means it’s got continuous, so it preserves a [indiscernible]. Then this correctness kernel
actually exists and we are also able to give a characterization. And that characterization is quite
interesting because, so what are the element of A which are really necessary for approximating the
behavior f, the function f.
So the results say that we need to consider all the points of A which are images of the best correct
approximation of A. Plus, plus for any of them, so for any Y which is in the image of fA, we need to
[indiscernible]. So here is the [indiscernible] so we need to consider the most abstract element in A, the
most abstract X in A such that the best correct approximation on X provides Y. So we can see that. The
image and then for any element of the image, the greatest [indiscernible] or the most abstract of the
element whose output is that image. And so any other element in A which is not in this, so technically
the [indiscernible] which is not here can be thrown away.
Technically, the proof of this result is not easy and relies on the completeness of abstract interpretation.
And you can see this fact in [indiscernible] that this function is continuous. Which is the [indiscernible] is
that also Roberto mentioned today several if I remember well.
>>: I don’t see [indiscernible].
>> Francesco Ranzato: I, because technically, technically these rely on some completion.
>>: [indiscernible]
>> Francesco Ranzato: [indiscernible]
>>: [indiscernible]
>> Francesco Ranzato: [indiscernible] because you need to prove first that this domain is good in the
sense that the approximation of the function f over the domain is the same. And second, and that’s the
hardest part, you need to prove that this is the most abstract among this class of domains. And since
the proof, of course the kind of universal proof for all domains is the least of this domain. We need
some tool in order to prove this and the tool is quite surprising. Let’s say that we were able to find the
tool in that this problem can be abusive, can be abusive to the problem of completing an abstract
interpretation. That’s it.
So, let’s look at this result actually works so let’s go back to the examples. Here we have A and we want
to prove that these two elements are not used for approximating the increment operation. So what is
the answer? The answer is just the collection of the guys here. So the top and the positive of 0. Then
for any guy here, so for top we need to consider the greatest of the element in A such that the image of
the abstract increment is at the top. What is the greatest? There are two of them. This one and this
one and the greatest is here. And so this can be throw away.
For the positive of 0 then we have two because 0++ is positive of 0 and the same is for positive of 0. 0 is
below this one and so can be throw away. We just keep the greatest. More in general the marks.
Actually it is not guaranteed that there is one so the least upper bond but if there are more than one we
take the maximum one. And so in this case the kernel, the correctness kernel, actually is A2. And so the
model actually seems to work.
Abstract model checking. So let that apply this result in abstract model checking so we have the
concrete model. We have, so how to cast abstract model checking as abstract interpretations. So the
usual trick is to view this partition as an abstraction. How to view these as an abstraction? So is an
abstraction a set of states? So when we have a set of states we call the set of states through the blocks
of that partition. And is an abstraction. Quite easy.
What is here the operation? The operation of course is the set of transition in the model, so what is the
best correct approximation of this operation if for this abstraction is of course the abstract transition
and the abstract transition is the transition which is called the existential abstraction of the transition.
So if block B goes to block C when there is some X and B, some Y and C such that there is a transition
from X to Y.
More technically here the concrete function of the predecessor function, the successor function on set
of state. Partition is an abstraction of set of states and so here the question is what is the correctness
kernel of the partition P? View it as an abstraction of this concrete domain for these two concrete
functions. Predecessor and successor.
So, here again the example that we have seen at beginning. So here we have these two blocks that are
merged in a unique block. Here the blue one and the green one, 6 and 7 are joined in the unique block 6
and 7. So is this the correctness kernel? This is yes. Because the result here is that in the correctness
kernel and the correctness kernel here actually does exist because the predecessor and the successor
function are continuous of course. [indiscernible] and so anything from technical point of view actually
works smooth. And so here the correct realization is that in the correctness kernel of the partition P for
the predecessor and the successor, two blocks are merged together when these hold. And so this says
that B1 and B2 have exactly the same predecessor, abstract predecessor, and the same abstract
successor.
And so look. This 1 and this 1. What is the set of after predecessor? 1. What is here? 1. Here. 6, 7, 6,
7. And so that’s the same. The point here is that the property of correctness kernel for and after model,
for and after kernel construction, actually satisfied the regional goal that I mention at the beginning. So
correctness kernels do not add the spurious paths. So when we add the spurious paths in the
correctness kernel then actually there exists a spurious path in the regional domain such that the
corresponding spurious path so, such that the abstraction of that corresponding spurious path is the
spurious path in this [indiscernible].
We call this particular correctness kernel we call Example-Guided Abstraction Simplification for the
reason that I mention before because here we simplified abstraction and instead of being guided by
counterexample, actually we are guided, let’s say we are guided by example. So example mean not
spurious abstract path.
So why is this useful? So we found an application that seems interesting. So in CEGAR, in the CEGAR
loop a counterexample guide of fraction refinement, the three basic steps to follow are the following.
So first the model checker provides as an answer an abstract path that is a counterexample. So we have
a trace of blocks of the partition of the model. Then the CEGAR loop determines if this abstract path is
spurious or not. Is it spurious or not? If that abstract path is spurious then the methodology and
according to the methodology we need to identify the block which is the reason, the cause of the
spuriousness of this abstract block. And then when we have identified that block Bk, let’s call it Bk, then
we need to find that block. So we need to split that block in order to separate the state that provoke
the spuriousness of that abstract path. So the methodology actually call the states inside that block Bk,
that call bad state, dead-end states, and there is a method for splitting, for separating bad and the deadend states.
So let’s look at example. So here we have a spurious abstract path 1. This block 6 of course this is
spurious. This is called a dead-end state. This is Bk. So this block is the reason why this path is spurious.
This is called the dead-end state because it is reached from the initial block but we cannot move from
that state. And this is called the bad state because it’s the state that provides the transition which is the
fake transition. Why this state is called an irrelevant state? Because actually is there in the block but it’s
not the reason of spuriousness of the abstract path.
So CEGAR, so actually the real problem is to find the least way of refining that block. But this problem
cannot be solved in an efficient way. Actually it is NP-hard. And so there is heuristics. Heuristics means
that dead-end states are separated from bad and irrelevant states. So irrelevant states are joined
together with bad states. But this strategy, this heuristics which is refined heuristics in CEGAR actually in
some cases, in some cases does not work well. What does it mean? So here if we put the irrelevant
state 4 together with a bad state 3 so the situation is the following. So from this model we refine to this
model. Here again we have an abstract path which is spurious.
So look to these block 3, 4, 6 so we have an abstract path. And here again we have a spuriousness. 3 is
the bad. 4 is the dead-end. So we refine again. So we separate…
>>: [indiscernible]
>> Francesco Ranzato: Yes. 4 can be joined together with 3 or 5.
>>: [indiscernible]
>> Francesco Ranzato: Yeah. This is the standard heuristic of CEGAR. Is not true?
>>: [indiscernible]. You split the state to distinguish the path that is spurious. So you split the 3, 4 state.
Right?
>> Francesco Ranzato: No. The point is that the irrelevant state 4…
>>: [indiscernible] I’m just saying traditional CEGAR takes [indiscernible] splits 3, 4. Because it looks like
there is a spurious path because you can go through 2 to 3, 4 and 3, 4, 6. Right? So how I do that is go
back to 6 [indiscernible].
>> Francesco Ranzato: The question is good because why 4 is joined to 3 because [indiscernible]. We
try to join 4 with 5 so the solution is here. The refinement is the 4 way. Then we are done. And we are
done because here we do not have any more and is spurious abstract path. And so actually this is the
point. I want to avoid this situation because here we need [indiscernible] refinement. While here we
stop.
>>: [indiscernible] In these pictures which are [indiscernible] just samples it looks like you’re sort of
creating abstract states where you have lost transitions. Like all the edges, like once you prove 4 and 5
it’s nice because all the edges out of 4 and 5 [indiscernible] in the same place. [indiscernible] lost
transition.
>> Francesco Ranzato: Maybe it’s related. So let’s look at the solution. So why we are able, so how we
are able to distinguish these refinement strategies from these refinement strategies. So the problem is
that sometime these heuristics lead to some refinement which are not effective let’s say. So the
observation here is that the state 4 can be viewed as a dead irrelevant state. Instead of viewing 4 as a
generic irrelevant state, actually is dead irrelevant in what sense. The sense that we can join 4 to 5 and
this does not affect the set of paths, of abstract paths that go through 5. Why? Because if we do the, if
we consider the predecessor of 5 is 2. The successor of 5 is 7. But if we join 5 with 4 the set of
predecessors, successor are the same. That observation. And so I think that it is reasonable to join 5, 4
with 5, for this reason.
So when this happens, so when we are able to find that some irrelevant state actually is more than
irrelevant, so it is dead irrelevant, then the reasonable strategy is joining that set of dead irrelevant
states with dead-end states.
>>: I just don’t understand the word dead-end. Why do you call 5 dead-end because it still goes
somewhere? A dead-end usually is like you go into an alley and there is no way out except the way you
came in. Why do you call it a dead-end?
>> Francesco Ranzato: It’s dead-end because here the abstract, the abstract path is blocked at 6 and so
for the abstract path, this block at 6, so this transition is not considered.
>>: Oh because 5 doesn’t go there. [indiscernible]
>> Francesco Ranzato: Yeah.
>>: Okay.
>> Francesco Ranzato: So, the new let’s say refinement strategy is if you find that an irrelevant state is
dead-irrelevant in this sense and I have, I will make more precise this definition, then you can join that
irrelevant state with dead-end state. And this, the benefit of this that you do not introduce new
spurious paths.
So what is more precisely a dead-irrelevant state? A state which is irrelevant is dead-irrelevant when
you join with dead and the predecessor and the successor does not change. And so the predecessor of
dead with s and the predecessor with dead without s are the same. And the same for their successor.
Of course there is a dual notion of dead-irrelevant state where here we consider them bad state instead
of dead-end states. And of course still there are some states that are not dead-irrelevant. Neither
dead-irrelevant and this is the case or they are both bad and dead-irrelevant. So these states are called
fully irrelevant or really irrelevant let’s say. Really irrelevant. And so here this is dead-end irrelevant
and so is joined here and so here we do not add spurious path. And so we are done. We are done.
To conclude, so this can be viewed as a contribution in looking for some usefulness of simplifying
abstraction, both in static analysis and model checking, so generally in the generic frame of abstract
interpretation.
And as future work I see two interesting points. First to investigate more in detail the relationship
between the integration of these strategies in the CEGAR loop and to find new context where the ideas
of this approach can be useful in some sense. That’s it.
[applause]
>>: Are there questions?
>>: I have a crazy question. During your talk you talked about abstract compilation [indiscernible] and
then you specialize with respect to domains to get a cheaper domain somehow relating to this
[discernible] evaluation.
>> Francesco Ranzato: I don’t know but I think that this can fall in [indiscernible].
>>: Okay.
>> Francesco Ranzato: Could be a context different from the two that I consider here where this can be
related in some way.
>>: Thank you.
>> Francesco Ranzato: Okay.
[applause]
Related documents
The Great Gatsby: Chapter 8 Name: Study Guide & Vocabulary
The Great Gatsby: Chapter 8 Name: Study Guide & Vocabulary
NC DPI Update School Spotlight 9-17-15 F:
NC DPI Update School Spotlight 9-17-15 F:
Event ID: Event Started: Please stand by for real time captions.
Event ID: Event Started: Please stand by for real time captions.
Russell Pryba Perceiving Meanings: The Cultural Embodiment of Aesthetic Value Presents:
Russell Pryba Perceiving Meanings: The Cultural Embodiment of Aesthetic Value Presents:
Chapter Preparation Guide #3 Chapter 5
Chapter Preparation Guide #3 Chapter 5
Public Finance
Public Finance
e-books for learning and reference: behavioral patterns and design
e-books for learning and reference: behavioral patterns and design
Download
advertisement