Docteur De L’école Polytechnique En Informatique

operators To verify Aμ-formulas, we need to abstract the operators. For each p in Π, let π(p) be an element of P ] such that π(p) ⊆ γ(π(p)), and π(p) an element of P ] such that Σ\π(p) ⊆ γ(π(p)). For each subset I of P, we define the abstract controllable predecessor relation CPre]I ∈ P ] → P ] and the abstract uncontrollable predecessor relation UPre ] I ∈ P ] → P . These relations must satisfy, ∀X ⊆ Σ: α ◦ CPreI(X) v CPre]I ◦ α(X) α ◦ UPreI(X) v UPre]I ◦ α(X) To make the backward-forward combination, we need an abstract successor operator for forward analysis. This abstract successor relation post must satisfy: α ◦ post(X) v post ◦ α(X) Again, we define post∗ = λX.lfp λY.(X t post(Y )). One can easily check that: α ◦ post∗(σ) v post∗ ◦ α(σ) We consider the closed Aμ formulas φ generated by the grammar: φ ::= p | ¬p | φ1 ∨ φ2 | φ1 ∧ φ2 | 〈〈I〉〉 © φ1 | JIK© φ1 | μ ν x.(φ ∨ ∨ I∈℘(P)\{∅}(φI ∧ 〈〈I〉〉 © x) ∨ ∨ I′∈℘(P)\{∅}(φI′ ∧ JI ′K© x)). As before, the last term of the grammar can be rewritten exchanging ∨ and ∧ without modifying the expressivity of the logic. 2If α(π(p)) is computable, we can take π](p) = α(π(p)) CHAPTER 3. COMBINATION FOR COMPLEX PROPERTIES 30 As for the non-game case, we can now define, if φ is a formula, Ωφ ∈ P ] → P ] as follows: Ωp(S) = π(p) u S Ω¬p(S) = π(p) u S Ωφ1∧φ2(S) = gfpλX(S u Ωφ1(X) u Ωφ2(X)) Ωφ1∨φ2(S) = Ωφ1(S) t Ωφ2(S) Ω〈〈I〉〉©φ(S) = CPre ] I(Ωφ(post (S))) ΩJIK©φ(S) = UPre ] I(Ωφ(post (S))) Ωμ ν x.(φ∨ ∨ I(φI∧〈〈I〉〉©x)∨ ∨ I′ (φI′∧JI′K©x))(S) = L]lgfp( λX.(S t post(X)), λY.( Ωφ(post(S)) t ⊔] I(ΩφI (post ∗(S)) u CPre(Y )) t ⊔] I′(ΩφI′ (post ∗(S)) u UPre(Y )))) Theorem 3.2.2 For all formulas φ generated by the grammar above, and I ⊆ Q: α(I ∩ JφK) v α(I) u Ωφ(α(I)) Proof. The proof is essentially the same of the non-game case. All we need are the equalities I ∩UCPreI(Jφ1K) ⊆ UCPreI(post(I ∩ Jφ1K)) with UCPre = UPre or CPre, and the equivalence: Y ⊆ b(X)⇐⇒ Y ⊆ b(X ∩ post(Y )) with b = λX.(A ∪ ⋃ I(BI ∩ CPreI(X)) ∪ ⋃ I′(CI′ ∩ UPreI′(X))). These properties are quite easy to check. 3.3 A simple example We illustrate the combination with a very short and easy example. We will analyse the small non-deterministic program shown in Fig. 3.3. In this figure, x, n are integers, (random in [0,1]) returns a random integer in [0, 1], and (input in [0,1]) returns a integer in [0, 1] entered by the user (these commands behave in the same way in the transition relation). Control point (0) is the program entry, we differentiate it from control point (1), which is the while loop entry. With initial condition x=1 at control point (0), we will try to prove that the user cannot be sure to have x=0 at control point (9), that is, the initial condition satisfies νx.((¬A) ∧ (B ∨ ♦x) ∧ (C ∨ x)) with A meaning that x=0 at control point (9), C being the set of states at control point (2), and B being the set of states at other control points. CHAPTER 3. COMBINATION FOR COMPLEX PROPERTIES 31 (0) { x = 1 } (1) while (n>0) do { (2) if (random in [0,1]=0) then (3) x = x * n; (4) else (5) x = x * (n-1); (6) fi (7) n = n (input in [0,1]); (8) } (9) Figure 3.3: A short non-deterministic program. As we use an upper approximation, we take the negation of the proposition, that is (knowing that ¬B = C) : μx.(A∨(B∧♦X)∨(C∧ X)). So we must approximate lfp λx.(JAK ∪ (JBK ∩ pre(x)) ∪ (JCK ∩ p̃re(x))). We will use interval analysis [CC76], with the improvement of the results of local decreasing iterations [Gra92] for assignments in the backward analysis. We must abstract post(X), pre(X) and p̃re(X). Abstract operators may be described as systems of semantics equations [Cou78, Cou81]. The program is almost deterministic, and p̃re is very close to pre. The differences appear at control points (2) and (7), but we only need to express it at control point (2), with the equation: P2 = P3 u P5 (u being the intersection of abstract environments). The table of Fig. 3.4 gives the results with a single forward analysis (F (>)), a single backward analysis (B(>)), the intersection of both analyses (F (>) u B(>)), and the first iteration of combination (B(F (>))). The next iteration of the combination will lead to ∅ everywhere, which is of course the abstract fixpoint L. So L = ∅ (which is not equal to F (>) ∩ B(>)). As, for this kind of temporal property, L ∩ I = I ∩ B(>), we obtained the expected result. CHAPTER 3. COMBINATION FOR COMPLEX PROPERTIES 32 Lab. (var.) F (>) B(>) F (>) u B(>) B(F (>)) (0) x: [1] [−∞,+∞] [1] ∅ n: [−∞,+∞] [−∞,+∞] [−∞,+∞] ∅ (1) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [−∞,+∞] [−∞,+∞] [−∞,+∞] [−∞,+∞] (2) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [1,+∞] [−∞,+∞] [1,+∞] [1,+∞] (3) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [1,+∞] [−∞,+∞] [1,+∞] [1,+∞] (4) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [1,+∞] [−∞,+∞] [1,+∞] [1,+∞] (5) x: [0,+∞] [−∞,+∞] [0,+∞] [0,+∞] n: [1,+∞] [−∞,+∞] [1,+∞] [1,+∞] (6) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [1,+∞] [−∞,+∞] [1,+∞] [1,+∞] (7) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [1,+∞] [−∞,+∞] [1,+∞] [1,+∞] (8) x: [0,+∞] [−∞,+∞] [0,+∞] [0] n: [0,+∞] [−∞,+∞] [0,+∞] [0,+∞] (9) x: [0,+∞] [0] [0] [0] n: [−∞,+∞] [−∞,+∞] [−∞,+∞] [−∞,+∞] Figure 3.4: Result of the analysis of the program. CHAPTER 3. COMBINATION FOR COMPLEX PROPERTIES 33