
computed using the PVS theorem prover by verifying, for each index i, whether $\phi_i$ or $\neg\phi_i$ is a postcondition of it. It is called predicate abstraction because the abstract states have only Boolean variables, and an abstract transition system is formalised as a predicate over these Boolean variables, which captures non-determinism. The abstract state graph is defined in terms of a Galois connection. This approach was used to verify a bounded retransmission protocol developed by Philips. This protocol is an extension of the alternating bit protocol in which, instead of single messages, message packets are transmitted and the number of possible retransmissions per message is bounded by some upper bound.

2.1.6 Other forms of abstraction

Melham [74] identified the following basic abstraction techniques for hardware specification:

• Structural abstractions: these involve suppression of internal structural details, providing an externally observable view of the implementation. These kinds of abstractions are very useful in modelling circuit components. For example, a simple inverter can be modelled by a not function at the gate level, or can be modelled using CMOS transistors; an example of the latter can be found in [74]. The impact of structural abstractions on our work is significant, and will become evident when we discuss our work in Chapter 5 and Chapter 6 of this thesis.

• Data abstractions: these change the representation of data between models. We will show examples of data abstraction in STE, via X's and symbolic indexing, later in Chapter 3.

• Behavioural abstractions: these suppress behaviours between models, e.g. by hiding certain modes of operation. This kind of abstraction becomes useful in many complex designs, where one would typically hide a non-interesting mode of operation of a device in order to check properties of other, more relevant parts.

• Temporal abstractions: these change the time scale between the models; for example, the rise times and the setup and hold times of a rising-edge latch can be abstracted away and the latch modelled as a unit-delay device. In our work, we have used this abstraction for latches and flip-flops. We will also see later that combinational elements are modelled with zero delay, again a temporal abstraction of the real behaviour of the combinational element.

2.2 Abstraction in model checking

2.2.1 Homomorphism based abstraction

Clarke, Grumberg and Long [37] present a collection of abstraction techniques that can be used for model checking. They use homomorphisms as a central tool to compute abstractions of program models directly from the text of the program, without ever having to examine the unabstracted model.

Programs are modelled as transition systems; the logic for specifying properties and model checking is the propositional temporal logic CTL∗. Instead of finding out whether or not a given CTL∗ formula is satisfied by a given program model, the solution relies on finding out whether the same CTL∗ formula is satisfied by an abstraction of the given program model. The abstraction method is based on the idea of homomorphisms.

We will commonly refer to the original program model as the concrete model and the abstraction of the program model as the abstract model. A state of a program is defined by an assignment of values from a given domain to the program variables occurring in the program.

If we denote the set of all program states in the concrete model by $C$, then a concrete model, denoted by $M_C$, is defined by a triple

$$M_C = (C, I_C, R_C)$$

where $C$ is the set of all concrete states, $I_C$ is the set of initial states, and $R_C \subseteq C \times C$ is the transition relation.

To perform an abstraction we need to define the notion of an abstract state. An abstract state is an assignment of abstract values to program variables. This of course assumes that we have a domain of abstract values from which we can make such assignments. If we denote the set of all abstract states by $A$, then an abstract program model is given by a triple

$$M_A = (A, I_A, R_A)$$

where $A$ is the set of all abstract states, $I_A$ is the set of initial abstract states, and $R_A \subseteq A \times A$ is the abstract transition relation. Homomorphisms are used to relate the concrete and abstract models: a homomorphism $H$ maps each concrete state $c$ to an abstract state $H(c)$. The concrete model $M_C$ is abstracted by the abstract model $M_A$ when the following conditions are met:

$$I_A(a) \equiv \exists c.\,(H(c) = a \wedge I_C(c))$$

$$R_A(a_1, a_2) \equiv \exists c_1 \exists c_2.\,(H(c_1) = a_1) \wedge (H(c_2) = a_2) \wedge R_C(c_1, c_2)$$

Homomorphisms as shown above are referred to as exact homomorphisms, and the abstraction they lead to ($M_A$) is known as the canonical or exact abstraction of $M_C$.

Computing this canonical abstraction is expensive, since it requires computing a relation over abstract states that involves existential quantification over concrete states. The authors propose to work around this problem by pushing the existential quantifiers inside the conjuncts, thereby yielding an approximation of the canonical abstraction. Approximation, however, only allows one to check for weak preservation of properties: one can check only a subset of CTL∗, namely ∀CTL∗. A canonical abstraction allows one to check for stronger preservation of properties, namely the full CTL∗.

Homomorphisms induce equivalence relations on the set of concrete program states: if two states map to the same abstract state then they are in the same equivalence class. The approximate abstraction can be exact if the homomorphisms that relate the concrete and abstract model induce an equivalence relation that is congruent with respect to the operations used in the program.

The method of Clarke et al. has several contributions. First, they advocate attacking the syntax of the program directly to compute the abstractions. Second, they show that not every kind of property can be verified against the abstract model, and they present results that show which fragment of CTL is preserved by which kind of abstraction. Moreover, in the second half of their paper [37] they also provide other useful abstractions, such as single-bit and product abstractions, congruence modulo n abstraction and symbolic abstractions.

Clarke et al. were not the first to use homomorphisms in performing abstractions. Kurshan [67] also used homomorphisms to relate the concrete and abstract models. He phrased the correctness criterion as an ω-language containment problem rather than as model checking using a temporal logic. In his framework both the transition system and the properties to be verified are modelled as automata, and verification is done by checking containment of the language of the system in the language of the property.

In Kurshan's approach the user specifies the homomorphisms, and they are used to ensure that the relation between the concrete and the abstract model is sound. The user-supplied homomorphisms are checked automatically by exploring the state space of the concrete model. This form of automation also points out an important deficiency: what if the original model is too big to explore tractably? In this respect the approach of Clarke et al. is superior, since it can handle relatively large models because it does not rely on constructing the original concrete state space of the model.

2.2.2 Counterexample based abstraction refinement

In more recent work, Clarke et al. [36] propose an extension of [37]. In [37], once the abstract transition relation has been constructed, a traditional model checker is invoked to determine whether a given property expressed in ∀CTL∗ is satisfied by the abstract model. If the answer is yes, then the concrete model also satisfies the property; if the answer is no, then the model checker generates a counterexample. Since the abstract model is approximate, it can have more behaviours than the concrete one, and therefore the counterexample generated may not be a correct one. In [36], the authors propose an automatic technique for refining abstractions using the information from the spurious counterexamples. The key idea of the abstraction refinement is to obtain the coarsest refinement that eliminates the counterexample; the coarsest abstraction gives the smallest abstract model. The resulting abstract model is used to verify the property, and if spurious counterexamples are not ruled out, the refinement process continues. The authors note that the problem of finding the coarsest abstraction is NP-hard, so they devise heuristics to compute refinements in polynomial time. The result is a methodology that is complete for the fragment ∀CTL∗. The computation of the initial abstraction and the refinement steps is entirely automatic, and the algorithms used are all symbolic. Another advantage of this approach is that the abstraction refinement is of much finer granularity and is guaranteed to eliminate spurious counterexamples while keeping the model small.
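As an added illustration (not code from this thesis or from [36]/[37]), the following Python builds the abstract model from the two defining equations of Section 2.2.1 for a constructed two-variable concrete model, model checks the ∀CTL∗ property AG(x ≠ 2) on it, and replays the abstract counterexample on the concrete model to decide whether it is spurious, which is the check that drives the refinement loop described above. The model, the property and the two homomorphisms H_drop_y and H_refined are all assumptions made for this example.

```python
from itertools import product

# Constructed concrete model M_C = (C, I_C, R_C) over x in {0,1,2} and y in {0,1}:
# x advances only while y == 1, y never changes, initially x = 0 and y = 0, so AG(x != 2) holds.
C = list(product(range(3), range(2)))
I_C = {(0, 0)}
R_C = {((x, y), ((x + 1) % 3 if y == 1 else x, y)) for (x, y) in C}

def H_drop_y(c):    # hypothetical homomorphism that abstracts away y
    return (c[0],)
def H_refined(c):   # refinement that keeps y as well (the identity on this small model)
    return c

def exact_abstraction(C, I_C, R_C, H):
    """M_A = (A, I_A, R_A) from the two defining equations (images of I_C and R_C under H)."""
    A = {H(c) for c in C}
    I_A = {H(c) for c in I_C}
    R_A = {(H(c1), H(c2)) for (c1, c2) in R_C}
    return A, I_A, R_A

def find_path_to(I, R, bad):
    """BFS counterexample search: a path from I to a state satisfying bad, else None."""
    frontier = [(s, [s]) for s in sorted(I)]
    seen = set(I)
    while frontier:
        s, path = frontier.pop(0)
        if bad(s):
            return path
        for (s1, s2) in sorted(R):
            if s1 == s and s2 not in seen:
                seen.add(s2)
                frontier.append((s2, path + [s2]))
    return None

def is_spurious(abs_path, I_C, R_C, H):
    """Replay the abstract path on M_C: spurious iff no concrete path maps onto it under H."""
    cur = {c for c in I_C if H(c) == abs_path[0]}
    for a in abs_path[1:]:
        cur = {c2 for (c1, c2) in R_C if c1 in cur and H(c2) == a}
        if not cur:
            return True
    return False

def check(H):
    """Model check AG(x != 2) on the abstract model and validate any counterexample."""
    _, I_A, R_A = exact_abstraction(C, I_C, R_C, H)
    path = find_path_to(I_A, R_A, lambda a: a[0] == 2)
    if path is None:
        return "holds", None
    return ("spurious" if is_spurious(path, I_C, R_C, H) else "real"), path
```

With H_drop_y the abstract model admits the path (0,), (1,), (2,) because the y = 1 states feed R_A, but no concrete path from (0, 0) maps onto it, so the counterexample is spurious; refining to H_refined eliminates it and the property is verified.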
