Systematic design of abstract model checking
Author
Abstract
Abstract interpretation theory offers a number of methodologies that have not yet been applied in the field of abstract model checking. A number of authors have recognized that modifying abstract models by modifying the underlying abstractions has great potential for improving abstract model checking in precision and complexity (e.g. see Section 9 in [6]), but few applications of these techniques are known in abstract model checking. On the contrary, this practice is quite common in static program analysis by abstract interpretation. A number of operations have been studied both in theory and in practice to compose, decompose, refine and compress abstract domains and analyses (see [8, 9] for a survey), providing advanced algebraic methodologies and techniques for tuning analyses in accuracy and cost. This work is in progress and consists basically of two parts: (1) we study domain operations such as refinements and compressors for, respectively, systematically improving precision and reducing complexity in abstract model checking, and (2) we apply these operations to systematically derive optimal domains for abstract model checking.

Refining and compressing abstract model checking

In this work we study the impact of standard domain refinement operations in abstract model checking. The problem is that when a chosen abstract domain turns out to provide too rough an abstract model for verifying a given temporal property of interest, this model can be refined by refining the corresponding abstract domain. Conversely, any operation acting on domains which is devoted to their simplification (decomposition or compression) can play the dual rôle of reducing the complexity of the verification of temporal formulae, provided that the formulae of interest are verified in both the abstract and the concrete model.
In both these situations, the key problem is to study the structure of the temporal formulae which are preserved or lost when the abstract domain is changed by domain refinement or simplification, and in particular the structure of those formulae that are verified in the new model but were not verified in the former. We consider the universal fragment of the branching-time temporal logic CTL* [7] and we characterize the structure of the temporal formulae that are verified in a new abstract model obtained either by refining an abstract domain by means of the standard domain transformation operations introduced in [4], namely reduced product [4] and disjunctive completion [4], or by simplifying the domain by means of their inverse operations, namely complementation for domain decomposition [2] or least disjunctive bases for domain compression [10]. In particular we prove that relevant properties of systems can be checked compositionally by decomposing the abstract models by domain complementation, and that disjunctive information is in some cases redundant in abstract model checking of CTL*. This may provide sensible simplification algorithms for improving abstract model checking in complexity while maintaining accuracy.

Systematic design of abstract models

Correctness is a basic requirement of any approximation technique, and this holds also for abstract interpretation. In abstract model checking the notion of soundness is also required: suppose $C$ is a transition system representing the behaviour of a reactive system and $\varphi$ is a temporal logic formula which establishes a security property of the system. If we verify $\varphi$ in an abstract model $A$ derived from $C$, it must hold that $A \models \varphi$ implies $C \models \varphi$. Although soundness is the basic requirement for any abstract interpretation, completeness is instead an ideal and uncommon situation [11].
Completeness means that, relative to the semantic properties encoded by the abstract domains, no loss of information occurs. In this case, roughly speaking, the abstract semantics is able to take full advantage of the power of the underlying abstract domain. In abstract interpretation, completeness is meant as the natural strengthening of the notion of soundness, requiring that its reverse relation also hold. In the case of abstract model checking, by applying the results in [11], we provide a systematic methodology for deriving complete abstract models for verifying a temporal logic formula $\varphi$, namely the most abstract model $A$ such that $A \models \varphi$ iff $C \models \varphi$. Moreover, the same methodology allows us to find, for any given abstraction, the structure of the most precise temporal calculus $T$ ($T$ could be a subset of some well-known temporal logics, as in [5]) such that $\forall \varphi \in T.\ A \models \varphi \iff C \models \varphi$. All these methods are constructively driven by the specification (e.g. by a transition system) of the system we want to analyze, and contribute to the systematic derivation of "optimal" abstract domains for abstract model checking.
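The two ideas the abstract relies on, soundness of an abstract model for the universal fragment ($A \models \varphi$ implies $C \models \varphi$) and refinement of an abstract domain by a reduced product, can be made concrete on a toy transition system. The following Python program is an added illustration, not code from the paper: the three-variable system, the "safe" proposition and the two partitions are constructed here, and the abstraction is the standard existential abstraction (a block steps to another block if some member does; a block is labelled safe only if every member is). It checks the universal formula AG safe on the concrete model, on two coarse abstractions that each glue an unsafe state into a reachable block, and on their product, which is the coarsest refinement of both and is precise enough to verify the property while still abstracting away one variable.

```python
"""Constructed toy: existential abstraction of a Kripke structure and the
effect of refining the abstract domain by a reduced product of two
partitions.  Assumed example, not code from the paper."""
from collections import deque

X_MAX = 3  # the counter x ranges over 0..2

CONCRETE_INIT = (0, 0, 0)


def concrete_states():
    """All concrete states (x, y, z): x a counter, y a lock flag, z noise."""
    return [(x, y, z) for x in range(X_MAX) for y in (0, 1) for z in (0, 1)]


def concrete_succ(state):
    """Constructed transition relation: the counter advances only while the
    lock flag y is 0, the lock is taken only at x == 0, and z is free."""
    x, y, _ = state
    succ = set()
    for z2 in (0, 1):
        if y == 0:
            succ.add(((x + 1) % X_MAX, 0, z2))  # advance the counter
            if x == 0:
                succ.add((0, 1, z2))           # take the lock
        else:
            succ.add((x, 0, z2))               # release the lock
    return succ


def is_safe(state):
    """Atomic proposition 'safe': the lock is never held while x == 2."""
    x, y, _ = state
    return not (x == 2 and y == 1)


def ag(init, succ, holds):
    """Model-check AG holds by reachability: every state reachable from
    init must satisfy the proposition.  Works for concrete and abstract
    models alike, since both are just (init, successor, labelling)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        if not holds(s):
            return False
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return True


def abstract_model(alpha):
    """Abstract Kripke structure induced by the partition alpha.
    Transitions are existential (a -> a' iff some s in a steps to some s' in
    a') and a block satisfies 'safe' only if every concrete state in it does.
    This over-approximates behaviour and under-approximates labels, which is
    what makes A |= AG safe imply C |= AG safe."""
    trans, safe = {}, {}
    for s in concrete_states():
        a = alpha(s)
        trans.setdefault(a, set()).update(alpha(t) for t in concrete_succ(s))
        safe[a] = safe.get(a, True) and is_safe(s)
    return alpha(CONCRETE_INIT), trans, safe


def verify_concrete():
    return ag(CONCRETE_INIT, concrete_succ, is_safe)


def verify_abstract(alpha):
    init, trans, safe = abstract_model(alpha)
    return ag(init, lambda a: trans[a], lambda a: safe[a])


def reduced_product(alpha1, alpha2):
    """Refine two partitions into their coarsest common refinement: the
    block of a state is the pair of its blocks in the two domains."""
    return lambda s: (alpha1(s), alpha2(s))


def abstract_size(alpha):
    return len({alpha(s) for s in concrete_states()})


def sound(alpha):
    """Soundness check: an abstract 'verified' must be matched concretely."""
    return (not verify_abstract(alpha)) or verify_concrete()


if __name__ == "__main__":
    by_x = lambda s: s[0]   # domain observing only the counter
    by_y = lambda s: s[1]   # domain observing only the lock flag
    for name, alpha in [("x only", by_x), ("y only", by_y),
                        ("reduced product", reduced_product(by_x, by_y))]:
        print(f"{name:16s} states={abstract_size(alpha)} "
              f"AG safe verified={verify_abstract(alpha)}")
    print("concrete AG safe:", verify_concrete())
```

Running it shows the pattern the abstract describes: each single-variable domain yields a block (x = 2, or y = 1) that contains the unsafe state (2, 1, z) and is reachable, so the abstract check fails even though the concrete system is safe; the product of the two domains separates (2, 1) from the reachable blocks and verifies AG safe with six abstract states instead of twelve concrete ones. The `sound` helper makes the direction of the guarantee explicit: an abstraction may fail to prove a true property, but it never proves a false one.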
Similar sources
Automatic Verification by Abstract Interpretation
We discuss the use of abstract interpretation in the context of automatic program verification requiring precise abstractions. We compare entirely manual versus user-guided abstractions ranging from program-specific abstractions including predicate abstraction to the systematic design of abstract domains and iteration strategies. 1 Abstract Interpretation Theory Abstract interpretation theory [1,...
Systematic Construction of Abstractions for Model-Checking
This paper describes a framework, based on Abstract Interpretation, for creating abstractions for model-checking. Specifically, we study how to abstract models of calculus and systematically derive abstractions that are constructive, sound, and precise, and apply them to abstracting Kripke structures. The overall approach is based on the use of bilattices to represent partial and inconsistent i...
Strong Preservation of Temporal Fixpoint-Based Operators by Abstract Interpretation
Standard abstract model checking relies on abstract Kripke structures which approximate the concrete model by gluing together indistinguishable states. Strong preservation for a specification language L encodes the equivalence of concrete and abstract model checking of formulas in L. Abstract interpretation allows one to design abstract models which are more general than abstract Kripke structures....
Applications of Fuzzy Program Graph in Symbolic Checking of Fuzzy Flip-Flops
All practical digital circuits are usually a mixture of combinational and sequential logic. Flip-flops are essential to sequential logic; therefore fuzzy flip-flops are considered to be among the most essential topics of fuzzy digital circuits. The concept of fuzzy digital circuit is among the most interesting applications of fuzzy sets and logic due to the fact that if there has to be an ultimat...
Design Verification for Sequential Systems at Various Abstraction Levels
Abstraction and Refinement for Design Verification at Logic Level Abstraction refinement has recently emerged as an enabling technology for applying model checking techniques to large real-life designs. Previous techniques for abstraction refinement work on static abstractions, in that the abstract model produced by the abstraction algorithm is not modified by the downstream model checking. We propose ...
Publication date: 2000