Witness and Counterexample

Li Tan

tanli@saul.cis.upenn.edu

Oct. 15, 2002

Witness and Counterexample

Informal Definition

Recall the model checking problem $M \models f$.

  • A witness $W$ should be a subsystem of $M$ such that $W \models f$.
    • $W$ should be small.
      • $M$ itself is a witness of $f$, but a useless one.
  • A witness should show the evidence for why $M \models f$.
    • Any system of which $W$ is a subsystem should satisfy $f$.
    • To show $M \models f$, it is then enough to show the relation between $M$ and $W$ (that $W$ is a subsystem of $M$).
  • Viability.
    • Completeness.
      • Each formula of the target logic should have a well-defined witness whenever the model satisfies it.
    • Simplicity and efficiency.
      • A witness should be verifiable and analyzable efficiently.
    • Effectiveness.
      • There should be an effective algorithm for generating the witness.

Informal Definition (cont.)
  • A counterexample is just the dual of a witness.
    • $C$ is a counterexample for $M \models \phi$ iff $C$ is a witness of $M \models \neg\phi$.
    • A counterexample always exists if
      • the logic is closed under negation, i.e. $\phi \in L \Rightarrow \neg\phi \in L$, and
      • the definition of witness is complete for $L$.
    • The mechanisms for generating witnesses and counterexamples are the same.
      • For historical reasons, many model checkers, such as SMV and SPIN, only use the notion of counterexample.
      • We will speak of a witness or of a counterexample depending on the context.

Why do we need them?
  • A counterexample can be used for:
    • Debugging the design.
    • Counterexample-guided abstraction refinement.
      • The abstraction is conservative, so it may raise false alarms.
      • A counterexample is generated after checking the abstract system. If it is
        • a real trace of the concrete system, the model checker terminates with "no";
        • not a real trace (spurious), refine the abstraction (add more predicates, etc.) and re-run the model checker.
  • A witness can be used for:
    • Checking the correctness of the result efficiently.
      • Verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model.
    • Generating tests.
      • Any system that contains the witness possesses the property.

Formal Definition

The informal definition is ambiguous:

  • What is the context of the definition? => Fix a logic.
  • What is a "subsystem"? => Define a preorder $\preceq$ on transition systems.

Definition [Natural Preorder of a Logic]

Let $L$ be a temporal logic. A preorder $\preceq_L$ on Kripke structures is natural for $L$ if for every $f \in L$, $T \models f$ and $T \preceq_L T'$ imply $T' \models f$.

Definition [Witness and Counterexample]

Let $\preceq$ be a natural preorder for the logic $L$ (respectively for $\neg L$, the negations of the $L$-formulae). $C$ is a witness (respectively a counterexample) for $M \models \phi$ in $L$ if

    • $C \models \phi$ (respectively $C \models \neg\phi$), and
    • $C \preceq M$.

Naturalness is what makes $C$ evidence: from $C \models \phi$ and $C \preceq M$ it follows that $M \models \phi$.

Our mission: fix $L$, then find $\preceq$.

Kripke Structure and CTL*

Definition [Kripke Structure]

A transition system is modeled as a Kripke structure $K = \langle S, s_0, \to, A, V \rangle$ where

  • $S$ is the set of states,
  • $s_0 \in S$ is the starting state,
  • $\to \subseteq S \times S$ is the transition relation,
  • $A$ is the set of atomic propositions,
  • $V : A \to 2^S$ is the valuation of the atomic propositions ($V(a)$ is the set of states in which $a$ holds).

CTL*: Syntax

Formulae of CTL* (the full branching-time extension of Computation Tree Logic) are built by

$S ::= a \mid \neg a \mid S \wedge S \mid S \vee S \mid A\,P \mid E\,P$

$P ::= S \mid P \wedge P \mid P \vee P \mid X\,P \mid P\,U\,P \mid P\,R\,P$

  • $S$ is a state formula and $P$ is a path formula.
  • $A$ (for all paths) and $E$ (there exists a path) are the path quantifiers.
  • $U$ and $R$ are the "until" and "release" operators.
  • $X$ is the "next time" operator.
  • A CTL* formula is a state formula.
  • Negation appears only in front of atomic propositions (negation normal form); $\neg$ of a compound formula is obtained by pushing it inwards, using $A$/$E$, $\wedge$/$\vee$ and $U$/$R$ as duals.
  • We sometimes write $G\,P$ ("always") for $\text{false}\,R\,P$, and $F\,P$ ("eventually") for $\text{true}\,U\,P$.

Semantics of path formulae

Semantics of state formulae
  • $s \models_T a$ if $s \in V(a)$
  • $s \models_T \neg a$ if $s \notin V(a)$
  • $s \models_T A\,P$ if $\pi \models_T P$ for every path $\pi$ of $T$ starting from $s$
  • $s \models_T E\,P$ if there exists a path $\pi$ of $T$ starting from $s$ such that $\pi \models_T P$
  • $T \models f$ if $s_0 \models_T f$ for the starting state $s_0$ of $T$

LTL, CTL, and ACTL
  • Linear Temporal Logic (LTL) is the sublogic of CTL* whose formulae contain no path quantifier.
    • Semantically, the LTL formula $f$ means the CTL* formula $A\,f$.
    • Intuitively, LTL checks all possible paths simultaneously.
  • CTL is the sublogic of CTL* in which each temporal operator ($X$, $U$, $R$) is immediately preceded by a path quantifier.
  • ACTL is the sublogic of CTL in which the only path quantifier permitted is $A$ (since negation is restricted to atomic propositions, no $E$ can be introduced through $\neg$).

An example

[Figure: a Kripke structure $T$ with three states: $s_0$ labelled $x, y$; $s_1$ labelled $y$; $s_2$ with no label. The transitions are not preserved in the transcript; the counterexample derived later, $s_0\,(s_1\,s_2)^\omega$, uses $s_0 \to s_1$, $s_1 \to s_2$ and $s_2 \to s_1$.]

  • Does $T$ satisfy the LTL formula $F(G\,\neg y)$?
  • Does $T$ satisfy the ACTL formula $AF(\neg y \wedge AX\,\neg x)$?

Counterexample in LTL

Customizing the definition of counterexample:

  • Fix the logic: LTL.
  • Fix the preorder $\preceq$: language inclusion, i.e. a path $\pi$ is below $M$ when $\pi \in L(M)$ (equivalently $\{\pi\} \subseteq L(M)$), where $L(M)$ is the set of infinite paths of $M$ from its starting state.

Definition

Let $f$ be an LTL formula. A path $\pi$ is a linear counterexample for the model-checking problem $M \models f$ if $\pi \models \neg f$ and $\pi \in L(M)$.

  • Is the definition viable?
    • $\pi \in L(T)$ and $\pi \models \neg f$ $\Rightarrow$ $T \not\models f$. Why? $T \models f$ means $T \models A\,f$, i.e. every path of $T$ satisfies $f$, and $\pi$ is a path of $T$ that does not.
  • Is the definition complete?
    • If $M \not\models f$, then we can always find a $\pi \in L(M)$ as a counterexample. Why? $M \not\models A\,f$ means some path $\pi$ of $M$ fails $f$, and for a single path failing $f$ is the same as satisfying $\neg f$.

LTL model checking via Büchi automaton

A generalized Büchi automaton (in the tableau form used here, a BTA) is a tuple $\langle Q, q_0, \to, l, \mathcal{F} \rangle$ where

  • $Q$ is the set of states, with $q_0 \in Q$ the starting state,
  • $\to \subseteq Q \times Q$ is the transition relation,
  • $l : Q \to \{a, \neg a, \wedge, \vee, \Diamond, \Box\}$ labels each state with a literal, a Boolean connective or a modality ($\Diamond$: some successor of the model state, $\Box$: all successors),
  • $\mathcal{F} \subseteq 2^Q$ is the generalized Büchi acceptance condition.

Büchi automaton as the temporal specification
  • $G_{T,B} = \langle \mathcal{S}, \to, L \rangle$ is the product graph of $B$ and $T$ if
    • $\mathcal{S} = S \times Q \cup \{\text{true}, \text{false}\}$,
    • for every $q \to q'$:
      • if $l(q) \in \{\vee, \wedge\}$: $\langle s, q \rangle \to \langle s, q' \rangle$ (the model does not move),
      • if $l(q) \in \{\Diamond, \Box\}$: $\langle s, q \rangle \to \langle s', q' \rangle$ for each $s \to s'$ (a run keeps one such child for $\Diamond$ and all of them for $\Box$),
      • if $l(q) = a$ (respectively $\neg a$): $\langle s, q \rangle \to \text{true}$ if $s \in V(a)$ (respectively $s \notin V(a)$), and $\langle s, q \rangle \to \text{false}$ otherwise;
    • $L(\langle s, q \rangle) = \vee$ if $l(q) \in \{\vee, \Diamond\}$, and $L(\langle s, q \rangle) = \wedge$ otherwise.

Büchi automaton-based model checking
  • $B$ accepts $T$ if there is a successful run in $G_{T,B}$.
    • A run of $G_{T,B}$ is a subgraph containing $\langle s_0, q_0 \rangle$ in which $\langle s, q \rangle$ keeps one child if $L(\langle s, q \rangle) = \vee$ and all children if $L(\langle s, q \rangle) = \wedge$.
    • A run is successful if
      • all its leaves are true, and
      • every infinite path in the run visits some node of $F$ infinitely often, for every $F \in \mathcal{F}$.
    • Since $B$ is built for $\neg f$ (a "never claim"), a successful run is a counterexample to $T \models f$.
  • Searching for a (un)successful run:
    • Mark all leaves true/false according to their labelling, then propagate the values upwards through the $\wedge$/$\vee$ nodes.
    • For the nodes of a strongly connected component, mark them true/false depending on whether the SCC covers $\mathcal{F}$ (intersects every $F \in \mathcal{F}$), then propagate the values.
    • Eventually, every node is marked true or false.

An example

[Figure: the Kripke structure $T$ ($s_0$: $x, y$; $s_1$: $y$; $s_2$: no label) beside the BTA $B$ with states $q_0, \dots, q_5$, whose labels come from $\{\wedge, \vee, \Diamond, y\}$; the transcript does not preserve which label and which transitions belong to which $q_i$. Acceptance condition: $\mathcal{F} = \{\{q_1, q_2, q_4\}\}$.]

[Figure: the product graph $G_{T,B}$ for this example. Its nodes are $\langle s_i, q_j \rangle$ for $i \in \{0, 1, 2\}$ and $j \in \{0, \dots, 4\}$, each labelled $\wedge$ or $\vee$ by $L$, plus the leaves true and false; the edges and the per-node labels are not reliably preserved in the transcript.]


Translate an LTL formula to a "never claim" BTA

Construct the BTA for $\neg f$ by:

[Step 1 of the construction is not preserved in the transcript.]

2. For each $\phi = P_1\,U\,P_2$, there is an $F \in \mathcal{F}$ such that $F = \{\, q \mid (\phi \notin q \wedge X\phi \notin q) \text{ or } P_2 \in q \,\}$.

  • Basically, $F$ contains no node of a loop on which $P_1\,U\,P_2$ keeps reproducing itself $\Rightarrow$ $P_2$ will eventually be satisfied on every accepted path.

Translate $F(G\,\neg y)$
  • $\neg A(F(G\,\neg y)) = E(G(F\,y))$

[Figure: the BTA for $E(G(F\,y))$ with states $q_0, \dots, q_5$ labelled from $\{\wedge, \vee, \Diamond, y\}$ and $\mathcal{F} = \{\{q_1, q_2, q_4\}\}$; the per-state labels and edges are not preserved in the transcript.]

The tableau unfolds the formula node by node (using $G\,P = P \wedge XG\,P$ and $F\,P = P \vee XF\,P$):

  • $E(G(F\,y))$ unfolds ($\wedge$) to $E(XG(F\,y),\ F\,y)$
  • $E(XG(F\,y),\ F\,y)$ splits ($\vee$) into $E(XG(F\,y),\ y)$ and $E(XG(F\,y),\ XF\,y)$
  • $E(XG(F\,y),\ y)$ splits ($\wedge$) into the literal $y$ and $E(XG(F\,y))$
  • $E(XG(F\,y))$ and $E(XG(F\,y),\ XF\,y)$ are $\Diamond$ nodes: they move to a successor state of the model and strip the leading $X$s

Step 1: find a successful run

[Figure: a successful run in $G_{T,B}$, consisting of the nodes $\langle s_0, q_0 \rangle$, $\langle s_2, q_0 \rangle$, $\langle s_1, q_1 \rangle$, $\langle s_0, q_1 \rangle$, $\langle s_2, q_1 \rangle$, $\langle s_2, q_4 \rangle$, $\langle s_1, q_3 \rangle$, $\langle s_0, q_4 \rangle$, $\langle s_1, q_2 \rangle$ and the leaf true.]

Step 2: get the skeleton

Remove branches $\langle s, q \rangle \to \langle s', q' \rangle$ such that $\langle s', q' \rangle$ is a leaf and $l(q') \notin \{\Diamond, \Box\}$ (the propositional side branches that only check a literal and do not advance the model).

[Figure: the run of Step 1 with the leaf true removed; the remaining nodes are $\langle s_0, q_0 \rangle$, $\langle s_2, q_0 \rangle$, $\langle s_1, q_1 \rangle$, $\langle s_0, q_1 \rangle$, $\langle s_2, q_1 \rangle$, $\langle s_2, q_4 \rangle$, $\langle s_1, q_3 \rangle$, $\langle s_0, q_4 \rangle$, $\langle s_1, q_2 \rangle$.]

Step 3: unroll the skeleton and get a path

$\langle s_0, q_0 \rangle\, \langle s_0, q_1 \rangle\, \langle s_0, q_4 \rangle\, \big( \langle s_1, q_1 \rangle\, \langle s_1, q_3 \rangle\, \langle s_1, q_2 \rangle\, \langle s_2, q_0 \rangle\, \langle s_2, q_1 \rangle\, \langle s_2, q_4 \rangle \big)^\omega$

Projected to model states: $s_0\, s_0\, s_0\, (s_1\, s_1\, s_1\, s_2\, s_2\, s_2)^\omega$

Step 4: eliminate the redundancy

Remove $\langle s', q' \rangle$ from $\ldots \langle s, q \rangle\, \langle s', q' \rangle \ldots$ if $l(q) \notin \{\Diamond, \Box\}$ or $\langle s, q \rangle$ is the head of the path (only the steps taken at $\Diamond$/$\Box$ nodes advance the model; the other steps repeat the same model state).

$\langle s_0, q_0 \rangle\, \langle s_0, q_1 \rangle\, \langle s_0, q_4 \rangle\, \big( \langle s_1, q_1 \rangle\, \langle s_1, q_3 \rangle\, \langle s_1, q_2 \rangle\, \langle s_2, q_0 \rangle\, \langle s_2, q_1 \rangle\, \langle s_2, q_4 \rangle \big)^\omega$

becomes

$\langle s_0, q_0 \rangle\, \big( \langle s_1, q_1 \rangle\, \langle s_2, q_0 \rangle \big)^\omega$

Projected to model states: $s_0\, (s_1\, s_2)^\omega$, a linear counterexample to $T \models F(G\,\neg y)$: $y$ holds in $s_1$, which is visited infinitely often.
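The four steps above, as an added example (not code from the slides or from any model checker). It swaps the slides' tableau automaton and run marking for the common alternative, a state-labelled Büchi automaton for the never claim $G(F\,y)$ and a nested depth-first search for an accepting lasso in the product, and then projects the lasso onto model states as in Step 4. The transitions of $T$ ($s_0 \to s_1$, $s_1 \to s_2$, $s_2 \to s_1$, $s_2 \to s_0$), the automaton and the second structure `T_OK` are assumptions, since the transcript does not preserve them. The two checking functions at the end are the two halves from the "Why do we need them?" slide: verify the property on the witness, and prove that the witness is a subsystem (here: a path) of the model.

```python
"""Linear LTL counterexample via a never-claim automaton and nested DFS.

Added example, not code from the slides.  It swaps the slides' tableau
automaton (BTA) and run marking for a state-labelled Buchi automaton plus
a nested depth-first search for an accepting lasso, then projects the
lasso onto model states as in Step 4.  ASSUMED (not in the transcript):
the transitions of T, T_OK, and the automaton for G(F y) = not F(G not y).
"""
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple


class Kripke(NamedTuple):
    init: str
    trans: Dict[str, List[str]]        # s -> successors, explored in list order
    label: Dict[str, FrozenSet[str]]   # s -> atomic propositions true in s


class Buchi(NamedTuple):
    init: str
    delta: Callable[[str, FrozenSet[str]], Set[str]]  # (q, letter) -> next states
    accepting: Set[str]


# The slides' T: s0 |= x,y ; s1 |= y ; s2 |= nothing.  Transitions ASSUMED.
T = Kripke(init="s0",
           trans={"s0": ["s1"], "s1": ["s2"], "s2": ["s1", "s0"]},
           label={"s0": frozenset({"x", "y"}), "s1": frozenset({"y"}), "s2": frozenset()})
# A constructed structure that does satisfy F(G not y): y only in the initial state.
T_OK = Kripke(init="t0", trans={"t0": ["t1"], "t1": ["t1"]},
              label={"t0": frozenset({"y"}), "t1": frozenset()})


def gf_y_step(q: str, letter: FrozenSet[str]) -> Set[str]:
    """Never claim G(F y): q_seen is entered exactly on letters containing y, so a
    run is accepting (q_seen infinitely often) iff y holds infinitely often."""
    return {"q_seen"} if "y" in letter else {"q_wait"}


NEVER_CLAIM = Buchi(init="q_wait", delta=gf_y_step, accepting={"q_seen"})
Node = Tuple[str, str]
Lasso = Tuple[List[Node], List[Node]]


def find_accepting_lasso(K: Kripke, B: Buchi) -> Optional[Lasso]:
    """Nested DFS on the product; node (s, q) = automaton in q after reading
    label(s).  Returns (prefix, cycle) with the cycle through an accepting
    node, or None if the never claim has no accepting run, i.e. K |= f."""
    def succ(n: Node) -> List[Node]:
        s, q = n
        return [(s2, q2) for s2 in K.trans[s] for q2 in sorted(B.delta(q, K.label[s2]))]

    seen_outer: Set[Node] = set()
    seen_inner: Set[Node] = set()
    path: List[Node] = []

    def inner(seed: Node, n: Node, cyc: List[Node]) -> bool:
        cyc.append(n)                      # second search: a way back to seed?
        for m in succ(n):
            if m == seed:
                return True
            if m not in seen_inner:
                seen_inner.add(m)
                if inner(seed, m, cyc):
                    return True
        cyc.pop()
        return False

    def outer(n: Node) -> Optional[Lasso]:
        seen_outer.add(n)                  # first search; accepting nodes in post-order
        path.append(n)
        for m in succ(n):
            if m not in seen_outer:
                found = outer(m)
                if found:
                    return found
        if n[1] in B.accepting:
            cyc: List[Node] = []
            if inner(n, n, cyc):
                return path[:-1], cyc
        path.pop()
        return None

    for q in sorted(B.delta(B.init, K.label[K.init])):
        found = outer((K.init, q))
        if found:
            return found
    return None


def linear_counterexample(K: Kripke, B: Buchi) -> Optional[Tuple[List[str], List[str]]]:
    """Step 4: project the product lasso onto model states."""
    found = find_accepting_lasso(K, B)
    if found is None:
        return None
    return [s for s, _ in found[0]], [s for s, _ in found[1]]


def is_path_of(K: Kripke, prefix: List[str], cycle: List[str]) -> bool:
    """Subsystem half of the check: prefix (cycle)^omega must be a path of K."""
    seq = prefix + cycle
    if not cycle or seq[0] != K.init:
        return False
    return all(b in K.trans[a] for a, b in zip(seq, seq[1:])) and cycle[0] in K.trans[seq[-1]]


def cycle_satisfies_gf(K: Kripke, cycle: List[str], prop: str) -> bool:
    """Property half for f = F(G not prop): the lasso satisfies G(F prop) iff
    prop holds in some state of the cycle."""
    return any(prop in K.label[s] for s in cycle)


if __name__ == "__main__":
    cex = linear_counterexample(T, NEVER_CLAIM)
    print(cex)  # (['s0'], ['s1', 's2']): s0 (s1 s2)^omega, as on the slides
    print(is_path_of(T, *cex), cycle_satisfies_gf(T, cex[1], "y"))  # True True
    print(linear_counterexample(T_OK, NEVER_CLAIM))  # None: T_OK |= F(G not y)
```

Successors are explored in the order they are listed, which is what makes the search return $s_0\,(s_1\,s_2)^\omega$ rather than the equally valid $s_0\,(s_1\,s_2\,s_0)^\omega$; the two checkers accept either, because they only require a real path of $T$ whose cycle contains a $y$-state.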

Is there a witness/counterexample for CTL*?
  • Any two Kripke structures that are not bisimilar are distinguishable by a CTL* formula [Mil71].
  • => Let $\preceq$ be a natural preorder for CTL*. Since CTL* is closed under negation, $T_1 \preceq T_2$ forces $T_1$ and $T_2$ to satisfy exactly the same CTL* formulae, so $T_1 \preceq T_2$ iff $T_1$ and $T_2$ are bisimilar.
  • => The witness (counterexample) for any $T \models f$ must be bisimilar to $T$.
  • Bisimilarity on Kripke structures is essentially graph isomorphism (up to the bisimulation quotient), so such a witness is as big as $T$ itself.
  • => Witnesses and counterexamples are trivial in CTL*.

Counterexample for ACTL*
  • The simulation preorder is a natural preorder for ECTL*, and $\neg f$ is an ECTL* formula whenever $f$ is an ACTL* formula => counterexamples for ACTL* are well defined.
    • Most desirable safety and fairness properties can be expressed in ACTL*.

Definition [Simulation Preorder $\preceq_{sim}$]

$\preceq_{sim}$ is a simulation preorder on $T$ iff for every $s \preceq_{sim} s_1$ and every $s \to s'$, there exists $s_1 \to s_1'$ such that $s' \preceq_{sim} s_1'$ (with related states agreeing on the atomic propositions, so that literals are preserved).

$T_1 \preceq_{sim} T_2$ if $s_{10} \preceq_{sim} s_{20}$, where $s_{10}$ and $s_{20}$ are the starting states of $T_1$ and $T_2$.

Tree-like Counterexample for ACTL*
  • Let $f$ be an ACTL* formula with $M \models \neg f$ (i.e. $M \not\models f$). Then there exists a tree-like Kripke structure $C \preceq_{sim} M$ such that $C \models \neg f$ [CJLV02].
  • $C$ is a tree-like Kripke structure if
    • its (strongly connected) component graph is a tree, and
    • the only strongly connected components permitted in $C$ are simple cycles.

An example

[Figure: the Kripke structure $M$ from the earlier example ($s_0$: $x, y$; $s_1$: $y$; $s_2$: no label) on the left and, on the right, a tree-like Kripke structure $C$ with states $s'_0, s'_1, s'_2, s'_3$ labelled from $\{x, y\}$; the transcript does not preserve the transitions or which label belongs to which $s'_i$.]

  • $M \models \neg AF(\neg y \wedge AX\,\neg x)$?
  • $C \preceq_{sim} M$
  • $C \models \neg AF(\neg y \wedge AX\,\neg x)$?

Generating a Tree-like Counterexample for $M \models f$

... similar to generating a linear counterexample for LTL!

  • Construct a BTA $B$ for $\neg f$.
  • Find a successful run in $G_{M,B}$.
  • Get the skeleton of the run by cutting out any node $\langle s', q' \rangle$ such that $\langle s', q' \rangle$ is the only child of its father $\langle s, q \rangle$ and $l(q) \notin \{\wedge, \vee\}$.
  • Eliminate the redundancy and project the skeleton to model states.

If we know that

[Figure: the tree-like structure $C$ ($s'_0, s'_1, s'_2, s'_3$, labels from $\{x, y\}$) beside the model $M$ ($s_0$: $x, y$; $s_1$: $y$; $s_2$: no label).]

$C$ is a tree-like counterexample for $M \models AF(\neg y \wedge AX\,\neg x)$,

... and want to prove

$M \models \neg AF(\neg y \wedge AX\,\neg x)$,

we only need to show

$C \preceq_{sim} M$

(together with $C \models \neg AF(\neg y \wedge AX\,\neg x)$, which is checked on the small structure $C$ rather than on $M$).
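The check the last three slides describe, as an added example (not code from the slides or from [CJLV02]): the simulation preorder is computed as a greatest fixpoint, the tree-like shape is checked with Tarjan's SCC algorithm, and $\neg AF(\neg y \wedge AX\,\neg x)$ is checked on the single lasso of $C$. The transcript does not preserve the figure, so the transitions of $M$ (the same assumption as in the LTL example: $s_0 \to s_1$, $s_1 \to s_2$, $s_2 \to s_1$, $s_2 \to s_0$) and the concrete $C$ are constructed here; its states `c0`..`c3` stand for the slides' $s'_0 \ldots s'_3$.

```python
"""Checking a tree-like ACTL* counterexample C for M |= AF(not y and AX not x).

Added example, not code from the slides or from [CJLV02].  Verifying the
result = checking the property on C + proving C is a subsystem of M; here
"subsystem" is the simulation preorder (a greatest fixpoint), the tree-like
shape is checked with Tarjan's SCC algorithm, and the property on C's lasso.
ASSUMED (the transcript does not preserve the figure): M's transitions and
the concrete C, whose states c0..c3 stand for the slides' s'0..s'3.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class Kripke(NamedTuple):
    init: str
    trans: Dict[str, List[str]]       # s -> successors
    label: Dict[str, FrozenSet[str]]  # s -> atomic propositions true in s


M = Kripke(init="s0",
           trans={"s0": ["s1"], "s1": ["s2"], "s2": ["s1", "s0"]},
           label={"s0": frozenset({"x", "y"}), "s1": frozenset({"y"}), "s2": frozenset()})

# Along c0 (c1 c2 c3)^omega, y holds in c0, c1, c3 and c2 has a successor
# where x holds, so (not y and AX not x) is never reached: C |= not f.
C = Kripke(init="c0",
           trans={"c0": ["c1"], "c1": ["c2"], "c2": ["c3"], "c3": ["c1"]},
           label={"c0": frozenset({"x", "y"}), "c1": frozenset({"y"}),
                  "c2": frozenset(), "c3": frozenset({"x", "y"})})


def largest_simulation(A: Kripke, B: Kripke) -> Set[Tuple[str, str]]:
    """Greatest fixpoint: start from all label-agreeing pairs and drop (a, b)
    whenever some a -> a' has no b -> b' with (a', b') still related."""
    rel = {(a, b) for a in A.trans for b in B.trans if A.label[a] == B.label[b]}
    changed = True
    while changed:
        changed = False
        for a, b in sorted(rel):
            if any(not any((a2, b2) in rel for b2 in B.trans[b]) for a2 in A.trans[a]):
                rel.discard((a, b))
                changed = True
    return rel


def simulates(A: Kripke, B: Kripke) -> bool:
    """A <=sim B: the starting state of A is simulated by the starting state of B."""
    return (A.init, B.init) in largest_simulation(A, B)


def sccs(K: Kripke) -> List[FrozenSet[str]]:
    """Tarjan's algorithm over the states reachable from K.init."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    out: List[FrozenSet[str]] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in K.trans[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of an SCC: pop it off
            comp = stack[stack.index(v):]
            del stack[stack.index(v):]
            out.append(frozenset(comp))

    visit(K.init)
    return out


def is_tree_like(K: Kripke) -> bool:
    """Every SCC is a simple cycle (each member has exactly one successor inside
    its component) and the component graph is a tree (every component except
    the initial one has exactly one parent component)."""
    comps = sccs(K)
    comp_of = {v: c for c in comps for v in c}
    for c in comps:
        for v in c:
            inside = [w for w in K.trans[v] if w in c]
            if len(inside) > 1 or (len(c) > 1 and len(inside) != 1):
                return False
    parents: Dict[FrozenSet[str], Set[FrozenSet[str]]] = {c: set() for c in comps}
    for v, c in comp_of.items():
        for w in K.trans[v]:
            if comp_of[w] != c:
                parents[comp_of[w]].add(c)
    root = comp_of[K.init]
    return not parents[root] and all(len(parents[c]) == 1 for c in comps if c != root)


def refutes_af_on_lasso(K: Kripke, states: List[str]) -> bool:
    """Property half, specialised to f = AF(not y and AX not x): on a lasso,
    not f = G(y or EX x) holds iff every state has y or a successor with x."""
    return all("y" in K.label[s] or any("x" in K.label[w] for w in K.trans[s]) for s in states)


def is_tree_like_counterexample(C: Kripke, M: Kripke) -> bool:
    return is_tree_like(C) and simulates(C, M) and refutes_af_on_lasso(C, list(C.trans))


if __name__ == "__main__":
    print(is_tree_like_counterexample(C, M))  # True
    print(is_tree_like(M), simulates(M, C))   # False False: M is neither tree-like nor below C
```

The direction of the preorder matters: `simulates(C, M)` holds, but `simulates(M, C)` fails because $s_2$ has two successors while $c_2$ has one, which is exactly why $M$ itself (one SCC with a branching state) is a valid but useless counterexample and $C$ is the tree-like one.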