The partition refinement algorithm defined in Chapter 2 is defined over PDL programsα∈Π. However, it only uses the control flow graphG(α) to verifyα and not the specific PDL constructs. When we replaceG(α) byGd(δ), we can
therefore use the same definitions and proofs to define the algorithm on D-PDL. The second change we make in the algorithm is that we use a different way of splitting along a path. This definition makes the algorithm more efficient when it splits along a path that contains deterministic actions.
The last change is that the algorithm searches for the shortest abstract path from (I, ϕpre) to (F,¬ϕpost) instead of an arbitrary path. This enables us to give a proof that the algorithm terminates on incorrect programs.
The algorithm is given in Listing 5.1 on the next page together with refer- ences to the relevant definitions and proofs.
Refinements
When we know that an action is deterministic, we can remove more edges when we split along a transition labeled by that action. See Figure 5.3 on page 40 for an illustration of all the possible cases.
Definition 5.13 (Splitting along a transition). LetS = (g, ϕ) andT = (h, ψ) be two nodes in the abstract programAwith an edge fromS toT labeled with a∈ A. We obtain a new abstract program by splitting this transition as follows. First we refine the abstraction according to Definition 4.16 on page 28. Re- call that when χ∧ϕ is not satisfiable where χ = WPa(ψ), this results in an abstraction as shown in Figure 5.3c. When it is satisfiable it results in an abstraction as shown in Figure 5.3b.
When this refinement causedSto be split intoS− andS+andais a deter-
ministic action, we additionally do the following. We remove all outgoing edges fromS+except the edge toT labeled witha. An illustration is shown in Figure
Listing 5.1 The abstraction refinement algorithm on D-PDL
The algorithm
1. Initialize the abstraction A as the deterministic control flow graph of δ where each node is associated with the formula>.
2. Split (I,>) into (I, ϕpre) and (I,¬ϕpre). Split (F,>) into (F, ϕpost) and (F,¬ϕpost).
3. Repeat the following
(a) Find the shortest abstract path S0, . . . , Sn in A withS0 = (I, ϕpre) andSn= (F,¬ϕpost).
(b) If such a path does not exist, output thatδis correct. Else, continue. (c) Fori∈ {0, . . . , n}letρi be the path constraintρi ofS0, . . . , Si. Find
the smallest isuch thatρi is not satisfiable.
(d) If such an i does not exist, output that δ is incorrect. Continue otherwise.
(e) Change the abstractionAby splitting along the path S0, . . . , Si.
Explanation
1. Abstractions and the initial abstraction are defined analogously to Defini- tion 4.7 and 4.8 on page 24, where we use the deterministic control graph Gd(δ) in stead ofG(α).
2. In Definition 4.14 on page 26 it is defined how to split nodes.
3. In each iteration the abstractionAis changed, or the algorithm terminates.
(a) An abstraction is a finite directed graph. (b) The correctness is proved in Theorem 5.17.
(c) Path constraints are defined in Definition 4.12 on page 26. (d) The correctness is proved in Theorem 5.17.
(a) Original abstraction (b) When χ ∧ ϕ is satisfiable and a non- deterministic
(c) Whenχ∧ϕis unsatisfiable (d) Whenχ∧ϕis satisfiable andadeterministic
To prove the correctness of the algorithm, we want that abstractions are always overapproximations. The following Lemma shows that splitting along a transition using the new definition will result in an overapproximation.
Lemma 5.14. Let A and A0 be abstractions where A0 is obtained from A by splitting along a transition according to Definition 5.13. If Ais an overapprox- imation, thenA0 is an overapproximation.
Proof. Let the transition from S to T with label a be the transition that is being split. Splitting along this transition is defined by first splitting according to Definition 4.16, letBbe the resulting abstraction. By Lemma 4.17 on page 28 it follows that B is an overapproximation.
If S has not been split or ais non-deterministic, we have A0 = B and we are finished. Else,S has been split intoS− andS+ and we have thatA0equals
B where certain edges are removed. We will prove that these edges cannot be part of a satisfying trace.
LetS = (g, ϕ) and T = (h, ψ), by Definition 4.16 we haveS+ = (g, ϕ∧χ)
withχ= WPa(ψ) . Let (s, r) be a (part of a) trace that satisfies the transition from S+to T0= (h0, ψ0) with edge-labela0.
Sincesϕ∧χwe have by the definition of weakest preconditions that there exists atwith (s, t)∈ R(a) andtψ. By Lemma 5.10 on page 37 we have that the control flow graph Gd(δ) is deterministic. Since ais the edge label of the
edge fromg tohwith (s, r)∈ R(a) anda0 is the edge label of the edge fromg0 toh0 with (s, t)∈ R(a0), we have by Definition 5.6 of deterministic control flow graphs thata=a0 andh=h0.
Sinceais deterministic, we haver=t, sorψ. Sinceψandψ0 are part of a partition of the state space andrsatisfies both, we must haveψ=ψ0. Hence, T =T0.
The edge fromS+toT with labelais not removed when splitting along the
transition. Hence,A0 is an overapproximation.
We define splitting along a path in the same way as in Definition 4.18 on page 29, except that we use a different definition of splitting along a transition.
Definition 5.15 (Splitting along a path). Let S0, . . . , Sn be a path in the abstract program A with edge-labels a1, . . . , an. First we split A along the transition Sn−1, Sn with label an. If this split resulted in new states S+ and S−, and we haven >1, then we recursively split along the pathS0, . . . , Sn−1, S−
with edge labelsa1, . . . , an−1. Else we are finished.
Lemma 5.16. Let A and A0 be abstractions where A0 is obtained from A by splitting along a path according to Definition 5.13. IfAis an overapproximation, thenA0 is an overapproximation.
Proof. Splitting along a path is defined by repeatedly splitting along a transi- tion. The result follows from repeatedly applying Lemma 5.14.
Correctness
Proof. The proof is the same as Theorem 4.26 on page 31, except that we use Lemma 5.16 to prove that the abstractions used are always overapproxi- mations and we use Theorem 5.5 on page 35 for the equivalence between the denotational semantics and the structural operational semantics of deterministic propositional dynamic logic.