Witness and Counterexample

Li Tan (tanli@saul.cis.upenn), Oct. 15, 2002

Informal Definition

Recall the model checking problem $M \models f$.

- A witness W should be a subsystem of M such that $W \models f$.
  - W should be small.
  - M is a witness of f, but it is useless.
  - A witness should show the evidence why $M \models f$.
  - Any system of which W is a subsystem should satisfy f.
  - To show $M \models f$, it is enough to show the relation between M and W.
- Viability.
- Completeness.
  - Each formula in the target logic should have a well-defined witness if it is satisfied by the model.
- Simple and efficient.
  - A witness should be verifiable and analyzable efficiently.
- Effectiveness.
  - There exists an effective algorithm for generating the witness.

Informal Definition

- A counterexample is just the dual of a witness.
- C is a counterexample for $M \models f$ iff C is a witness for $M \models \neg f$.
- A counterexample always exists if
  - the logic is complete under negation, i.e., $f \in L \Rightarrow \neg f \in L$, and
  - the definition of witness is complete in L.
- The mechanisms for generating witnesses and counterexamples are the same.
- For historical reasons, many model checkers like SMV and SPIN only use the notion of counterexample.
- Our reference to witness/counterexample will be chosen depending on the context.

Why do we need them?

- Counterexamples can be used for
  - debugging the design;
  - counterexample-based abstraction refinement:
    - the abstraction is conservative, so it may cause false alarms;
    - a counterexample is generated after checking the abstract system; if it is
      - a real trace, then the model checker terminates with "no";
      - not a real trace, then refine the abstraction (add more predicates etc.) and redo the model checking.
- Witnesses can be used for
  - efficient checking of the correctness of the result:
    verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model;
  - generating tests: any system that contains the witness should possess the property.

Formal Definition

The informal definition is ambiguous:

- What is the context of the definition? => Fix a logic.
- What is a "subsystem"? => Define a preordering $\preceq$ on transition systems.

Definition [Natural Preorder of a Logic]

Let L be a temporal logic. A preordering $\preceq_L$ on Kripke structures is natural for L if for every $f \in L$: if $T \models f$ and $T \preceq_L T'$, then $T' \models f$.

Definition [Witness and Counterexample]

Let $\preceq$ be a natural preordering for the logic L (or for $\neg L$). C is a witness (or a counterexample) for $M \models f$, $f \in L$, if

- $C \models f$ (or $C \models \neg f$), and
- $C \preceq M$.

Our mission: fix L, then find $\preceq$.

Kripke Structure and CTL*

Definition [Kripke Structure]

A transition system is modeled as a Kripke structure $K = \langle S, s_0, \to, A, V \rangle$ where

- S is the set of states;
- $s_0 \in S$ is the starting state;
- $\to \subseteq S \times S$ is the transition relation;
- A is the set of atomic propositions;
- $V : A \to 2^S$ is the valuation of the atomic propositions.

CTL*: Syntax

Formulae of Computation Tree Logic (CTL*) are constructed by the grammar

$S ::= a \mid \neg a \mid S \wedge S \mid S \vee S \mid A\,P \mid E\,P$

$P ::= S \mid P \wedge P \mid P \vee P \mid X\,P \mid P\,U\,P \mid P\,R\,P$

- S is a state formula, and P is a path formula.
- A (for all paths) and E (there exists a path) are the path quantifiers.
- U and R are the "until" and "release" operators.
- X is the "next time" operator.
- A CTL* formula is a state formula.
- Sometimes we write $G\,P$ (always holds) for $false\,R\,P$, and $F\,P$ (eventually holds) for $true\,U\,P$.

Semantics of path formulae


Semantics of state formulae

- $s \models_T a$ if $s \in V(a)$
- $s \models_T \neg a$ if $s \notin V(a)$
- $s \models A\,P$ if $\pi \models P$ for every path $\pi$ from s.
- $s \models E\,P$ if there exists a path $\pi$ from s such that $\pi \models P$.

LTL, CTL, and ACTL

- Linear Temporal Logic (LTL) is the sublogic of CTL* that contains no path quantifier.
  - Semantically, the LTL formula f equals the CTL* formula $A\,f$.
  - Intuitively, LTL checks all possible paths simultaneously.
- CTL is the sublogic of CTL* in which each temporal operator (X, U, R) must be immediately preceded by a path quantifier.
- ACTL is the sublogic of CTL in which the only permitted path quantifier is A.

[Figure: Kripke structure T with states s1 (labelled x, y) and s2 (labelled y)]

An example:

- Does T satisfy the LTL formula $F(G\,\neg y)$?
- Does T satisfy the ACTL formula $AF(\neg y \wedge AX\,\neg x)$?

Counterexample in LTL

Customizing the definition of counterexample:

- Fix the logic: LTL.
- Fix the preordering relation $\preceq$: language inclusion ($\in$).

Definition

Let f be an LTL formula. A path $\pi$ is a linear counterexample for the model-checking problem $M \models f$ if $\pi \models \neg f$ and $\pi \in L(M)$.

- Is the definition viable?
  - $\pi \in L(T) \Rightarrow T \models \neg f$, why?
- Is the definition complete?
  - If $M \not\models f$, then we can always find a $\pi \in L(M)$ as a counterexample, why?
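The two conditions of this definition can be checked mechanically. The following is an added example, not code from the slides: a lasso-shaped path prefix·cycle^ω is tested for membership in L(M) (condition 1) and for $\pi \models \neg f$ (condition 2), with LTL formulae written as small tuples over the path-formula syntax of the CTL* slide and G, F as the abbreviations given there. The Kripke structure M, its labelling and the candidate paths are constructed for this example and are not the T of the slides' figure; evaluating U and R as fixpoints over the finite set of lasso positions is the implementation choice made here, not something the slides prescribe.

```python
"""Viability check for a linear LTL counterexample (added example, not the slides' code)."""
from typing import Dict, List, Set, Tuple

# Kripke structure K = <S, s0, ->, A, V> as (s0, successor map, V : A -> 2^S).
Kripke = Tuple[str, Dict[str, Set[str]], Dict[str, Set[str]]]
# Formulae: ("atom", a) | ("not", f) | ("and", f, g) | ("or", f, g) | ("X", f) | ("U", f, g) | ("R", f, g)
Formula = tuple
TRUE, FALSE = ("true",), ("false",)


def atom(a: str) -> Formula: return ("atom", a)
def G(p: Formula) -> Formula: return ("R", FALSE, p)   # G P = false R P (abbreviation from the syntax slide)
def F(p: Formula) -> Formula: return ("U", TRUE, p)    # F P = true U P


def is_path_of(m: Kripke, prefix: List[str], cycle: List[str]) -> bool:
    """Condition (1), pi in L(M): pi starts in s0 and every step, including the
    back edge that closes the cycle, is a transition of M."""
    s0, succ, _ = m
    if not cycle or (prefix + cycle)[0] != s0:
        return False
    states = prefix + cycle
    steps = list(zip(states, states[1:])) + [(cycle[-1], cycle[0])]
    return all(t in succ.get(s, set()) for s, t in steps)


def holds_at(m: Kripke, prefix: List[str], cycle: List[str], phi: Formula) -> Set[int]:
    """Positions i in 0 .. |prefix|+|cycle|-1 whose suffix of pi = prefix . cycle^w satisfies phi.
    Equal positions have identical suffixes, so U and R are the least / greatest fixpoints
    of their expansion laws over this finite set, with nxt wrapping back to the cycle start."""
    _, _, V = m
    states = prefix + cycle
    n, loop = len(states), len(prefix)
    positions = set(range(n))

    def nxt(i: int) -> int:
        return i + 1 if i + 1 < n else loop

    def rec(f: Formula) -> Set[int]:
        op = f[0]
        if op == "true":
            return set(positions)
        if op == "false":
            return set()
        if op == "atom":
            return {i for i in positions if states[i] in V.get(f[1], set())}
        if op == "not":
            return positions - rec(f[1])
        if op == "and":
            return rec(f[1]) & rec(f[2])
        if op == "or":
            return rec(f[1]) | rec(f[2])
        if op == "X":
            sub = rec(f[1])
            return {i for i in positions if nxt(i) in sub}
        if op == "U":  # P U Q = Q or (P and X(P U Q)): least fixpoint, start from the empty set
            p, q, cur = rec(f[1]), rec(f[2]), set()
            while True:
                new = q | {i for i in p if nxt(i) in cur}
                if new == cur:
                    return cur
                cur = new
        if op == "R":  # P R Q = Q and (P or X(P R Q)): greatest fixpoint, start from all positions
            p, q, cur = rec(f[1]), rec(f[2]), set(positions)
            while True:
                new = q & {i for i in positions if i in p or nxt(i) in cur}
                if new == cur:
                    return cur
                cur = new
        raise ValueError(f"unknown operator {op!r}")

    return rec(phi)


def is_linear_counterexample(m: Kripke, prefix: List[str], cycle: List[str], f: Formula) -> bool:
    """pi is a linear counterexample for M |= f iff pi in L(M) and pi |= not f."""
    return is_path_of(m, prefix, cycle) and 0 in holds_at(m, prefix, cycle, ("not", f))


# Constructed structure (an assumption, not the slides' T):
#   s0 -> s1 -> s2 -> {s0, s1, s3}, s3 -> s3;  x holds in s1, y holds in s1 and s2.
M: Kripke = (
    "s0",
    {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s0", "s1", "s3"}, "s3": {"s3"}},
    {"x": {"s1"}, "y": {"s1", "s2"}},
)
F_G_NOT_Y = F(G(("not", atom("y"))))  # the LTL property F(G not y) from the example slide

if __name__ == "__main__":
    # s0 (s1 s2)^w lies in L(M) and sees y infinitely often, so it violates F(G not y)
    print(is_linear_counterexample(M, ["s0"], ["s1", "s2"], F_G_NOT_Y))          # True
    # s0 s1 s2 (s3)^w is a path of M but satisfies F(G not y): not a counterexample
    print(is_linear_counterexample(M, ["s0", "s1", "s2"], ["s3"], F_G_NOT_Y))    # False
    # s0 (s2)^w is not a path of M at all (there is no transition s0 -> s2)
    print(is_linear_counterexample(M, ["s0"], ["s2"], F_G_NOT_Y))                # False
```

The first call answers the viability question above: the lasso is in L(M) and satisfies $\neg f$, so it certifies that M does not satisfy $F(G\,\neg y)$ without re-running the model checker on M.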

LTL model checking via Büchi automata

A generalized Büchi automaton is a tuple $\langle Q, q_0, \to, l, \mathcal{F} \rangle$ where

- Q is the set of states, with $q_0$ as the starting state;
- $\to \subseteq Q \times Q$ is the transition relation;
- $l : Q \to \{a, \neg a, \wedge, \vee, \Diamond, \Box\}$ labels the states;
- $\mathcal{F} \subseteq 2^Q$ is the Büchi acceptance condition.

Büchi automaton as the temporal specification

- $G_{T,B} = \langle S, \to, L \rangle$ is the product graph of B and T if
  - $S = S \times Q \cup \{true, false\}$;
  - if $q \to q'$ and
    - $l(q) \in \{\vee, \wedge\}$, then $\langle s, q \rangle \to \langle s, q' \rangle$;
    - $l(q) = \Diamond$ ($\Box$), then $\langle s, q \rangle \to \langle s', q' \rangle$ for some (all) $s \to s'$;
    - $l(q) = a$ ($\neg a$), then $\langle s, q \rangle \to (s \in a\,?)$ ($\neg(s \in a\,?)$), i.e. the truth value of a ($\neg a$) at s;
  - $L(\langle s, q \rangle) = \vee$ for $l(q) \in \{\vee, \Diamond\}$, and $L(\langle s, q \rangle) = \wedge$ otherwise.

Büchi automaton-based model checking

- B accepts T if there is a successful run in $G_{T,B}$.
  - A run of $G_{T,B}$ is a subgraph in which $\langle s, q \rangle$ keeps one (all) of its children if $L(\langle s, q \rangle) = \vee$ ($L(\langle s, q \rangle) = \wedge$).
  - A run is successful if
    - all the leaves are true, and
    - every infinite path in the run visits some node of F infinitely often, for every $F \in \mathcal{F}$.
- Searching for a (un)successful run:
  - Mark all the leaves true/false depending on their labelling, then propagate the values.
  - For the nodes in a strongly connected component, mark the nodes true/false depending on the coverage of the SCC on $\mathcal{F}$, then propagate the values.
  - Eventually, all the nodes will be marked true/false.

[Figure: product graph $G_{T,B}$ with nodes (s0,q0), (s2,q0), (s1,q1), (s0,q1), (s2,q1), (s2,q3), (s2,q4), (s1,q3), (s1,q4), (s0,q3), (s0,q4), (s1,q2), (s0,q2), (s2,q2), each labelled $\wedge$ or $\vee$, and the leaves true and false]


Translating an LTL formula (cont.)

2. For each $\varphi = P_1\,U\,P_2$, there is an $F \in \mathcal{F}$ such that $F = \{\, q \mid (q \wedge X\,q) \text{ or } P_2 \in q \,\}$.

- Basically, F won't contain any node of a loop on which $P_1\,U\,P_2$ reproduces itself $\Rightarrow$ $P_2$ will eventually be satisfied.

[Figure: Büchi automaton for $E(G(F\,y))$ with states q1 to q5, labelled with $\wedge$, $\vee$, $\Diamond$ and the atom y; acceptance condition $\mathcal{F} = \{\{q_1, q_2, q_4\}\}$]

Translate $F(G\,\neg y)$: $\neg A(F(G\,\neg y)) = E(G(F\,y))$.

Nodes of the tableau:

- $E(G(F\,y)) = E(XG(F\,y),\ F\,y)$
- $E(XG(F\,y),\ y)$
- $E(XG(F\,y),\ XF\,y)$
- $E(XG(F\,y))$

Step 1: find a successful run

[Figure: successful run in $G_{T,B}$ over the nodes (s0,q0), (s2,q0), (s1,q1), (s0,q1), (s2,q1), (s2,q4), (s1,q3), (s0,q4), (s1,q2), ending in the leaf true]

Step 2: Get the skeleton

Remove branches $(s, q) \to (s', q')$ such that $(s, q)$ is a leaf and $l(q') \notin \{\Diamond, \Box\}$.

[Figure: skeleton of the run over the nodes (s0,q0), (s2,q0), (s1,q1), (s0,q1), (s2,q1), (s2,q4), (s1,q3), (s0,q4), (s1,q2)]

Step 3: Unroll the skeleton and get a path

$(s_0,q_0)\,(s_0,q_1)\,(s_0,q_4)\,\{(s_1,q_1)\,(s_1,q_3)\,(s_1,q_2)\,(s_2,q_0)\,(s_2,q_1)\,(s_2,q_4)\}^\omega$

Projected to states: $s_0\,s_0\,s_0\,s_1\,s_1\,s_1\,s_2\,s_2\,s_2$

Step 4: Eliminate the redundancy

Remove $(s', q')$ from $\ldots (s, q)\,(s', q') \ldots$ if $l(q) \notin \{\Diamond, \Box\}$ or $(s, q)$ is the head of the path.

$(s_0,q_0)\,(s_0,q_1)\,(s_0,q_4)\,\{(s_1,q_1)\,(s_1,q_3)\,(s_1,q_2)\,(s_2,q_0)\,(s_2,q_1)\,(s_2,q_4)\}^\omega$

$(s_0,q_0)\,\{(s_1,q_1)\,(s_2,q_0)\}^\omega$

$s_0\,\{s_1\,s_2\}^\omega$
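As an added example that is not the author's code, the rule of Step 4 applied to the unrolled skeleton of Step 3, followed by the projection to states. The labelling l of the automaton states is an assumption: the slides' automaton figure is not legible here, so l is reconstructed to agree with the worked example (q2 and q4 are the $\Diamond$/$\Box$ nodes, q0, q1 and q3 are $\wedge$/$\vee$ nodes, in line with the product-graph labelling rule). Judging cycle nodes by their cyclic predecessor, and unrolling the first pass when it would be judged differently, is an implementation choice made here.

```python
"""Step 4 (redundancy elimination and projection), added example, not the author's code."""
from typing import Dict, List, Tuple

Node = Tuple[str, str]        # (state s of M, state q of the Buechi automaton)
KEEP_AFTER = {"<>", "[]"}     # a node survives only if its predecessor's l(q) is in this set


def eliminate_redundancy(prefix: List[Node], cycle: List[Node],
                         label: Dict[str, str]) -> Tuple[List[Node], List[Node]]:
    """Remove (s', q') from ...(s, q)(s', q')... if l(q) not in {<>, []} or (s, q) is the head.

    Prefix nodes are judged by their linear predecessor.  Cycle nodes are judged by their
    cyclic predecessor, which is the one they have on every pass after the first; if the
    first pass would be judged differently, it is unrolled into the prefix so that the
    result still denotes the same infinite path.
    """
    if not prefix or not cycle:
        raise ValueError("need a nonempty prefix (holding the head) and a nonempty cycle")
    path = prefix + cycle
    n, first = len(path), len(prefix)

    def keep(i: int, prev: int) -> bool:  # node i, judged by its predecessor at index prev
        return i == 0 or (prev != 0 and label[path[prev][1]] in KEEP_AFTER)

    new_prefix = [path[i] for i in range(first) if keep(i, i - 1)]
    later = [keep(i, i - 1 if i > first else n - 1) for i in range(first, n)]
    if keep(first, first - 1) != later[0]:
        new_prefix += [path[i] for i in range(first, n) if keep(i, i - 1)]
    new_cycle = [path[i] for i, k in zip(range(first, n), later) if k]
    return new_prefix, new_cycle


def project(nodes: List[Node]) -> List[str]:
    """Project product-graph nodes onto the states of M."""
    return [s for s, _ in nodes]


def counterexample_path(prefix: List[Node], cycle: List[Node],
                        label: Dict[str, str]) -> Tuple[List[str], List[str]]:
    p, c = eliminate_redundancy(prefix, cycle, label)
    return project(p), project(c)


def fmt(prefix: List[str], cycle: List[str]) -> str:
    return " ".join(prefix) + " {" + " ".join(cycle) + "}^w"


# Assumed labelling of the automaton states, chosen to agree with the slides' worked example.
LABEL = {"q0": "and", "q1": "or", "q2": "<>", "q3": "and", "q4": "<>"}
# The unrolled skeleton of Step 3.
SKELETON_PREFIX = [("s0", "q0"), ("s0", "q1"), ("s0", "q4")]
SKELETON_CYCLE = [("s1", "q1"), ("s1", "q3"), ("s1", "q2"),
                  ("s2", "q0"), ("s2", "q1"), ("s2", "q4")]

if __name__ == "__main__":
    print(fmt(*counterexample_path(SKELETON_PREFIX, SKELETON_CYCLE, LABEL)))  # s0 {s1 s2}^w
```

Only nodes reached through an X-node ($\Diamond$ or $\Box$) represent a real step of M; the $\wedge$/$\vee$ nodes merely expand the formula in place, which is why the projection collapses the three copies of each state into one.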

Is there a witness / counterexample for CTL*?

- Any two Kripke structures that are not bisimilar are distinguishable by a CTL* formula [Mil71].
- => Let $\preceq$ be a natural order for CTL; then $T_1 \preceq T_2$ iff $T_1$ bisimulates $T_2$.
- => The witness (counterexample) for any $T \models f$ must bisimulate T.
- Since bisimilarity on Kripke structures is basically isomorphism of graphs,
- => witnesses and counterexamples are trivial in CTL*.

Counterexample for ACTL*

- The simulation preordering is a natural preordering for ECTL* => counterexamples for ACTL* are well-defined.
- Most desirable safety and fairness properties can be expressed in ACTL*.

Definition [Simulation Preordering $\preceq_{sim}$]

$\preceq_{sim}$ is a simulation preordering on T iff for every $s \preceq_{sim} s_1$ and $s \to s'$, there exists $s_1 \to s'_1$ such that $s' \preceq_{sim} s'_1$.

$T_1 \preceq_{sim} T_2$ if $s_{10} \preceq_{sim} s_{20}$, where $s_{10}$ and $s_{20}$ are the starting states of $T_1$ and $T_2$.

Tree-like Counterexample for ACTL*

- Let f be an ACTL* formula and $M \models \neg f$; then there exists a tree-like Kripke structure $C \preceq_{sim} M$ such that $C \models \neg f$ [CJLV02].
- C is a tree-like Kripke structure if
  - its (strongly connected) component graph is a tree, and
  - the only strongly connected components permitted in C are cycles.
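Checking that a candidate C really is a tree-like structure simulated by M, as an added example that is not code from the slides. It computes the greatest simulation relation as a greatest fixpoint following the definition on the previous slide and tests both tree-likeness conditions; the structures M, C, D and E are constructed for the example and are not the slides' figures. The definition slide does not mention atomic propositions; the standard requirement that related states carry the same labels is assumed here, since without it C would say nothing about the propositions occurring in f.

```python
"""Simulation preorder and tree-likeness of Kripke structures (added example, not the slides' code)."""
from typing import Dict, FrozenSet, Set, Tuple


class Kripke:
    """K = <S, s0, ->, A, V>, with V stored per state: labels[s] = {a in A | s in V(a)}."""

    def __init__(self, s0: str, succ: Dict[str, Set[str]], labels: Dict[str, Set[str]]):
        self.s0 = s0
        self.succ = {s: set(ts) for s, ts in succ.items()}
        self.labels = {s: frozenset(labels.get(s, ())) for s in succ}


def simulation(c: Kripke, m: Kripke) -> Set[Tuple[str, str]]:
    """Greatest relation R such that (s, t) in R implies the labels agree (assumed here) and
    every move s -> s' is matched by some t -> t' with (s', t') in R (the slide's condition)."""
    rel = {(s, t) for s in c.succ for t in m.succ if c.labels[s] == m.labels[t]}
    changed = True
    while changed:  # drop pairs whose moves can no longer be matched, until nothing changes
        changed = False
        for s, t in list(rel):
            if any(not any((s2, t2) in rel for t2 in m.succ[t]) for s2 in c.succ[s]):
                rel.discard((s, t))
                changed = True
    return rel


def simulated_by(c: Kripke, m: Kripke) -> bool:
    """C <=sim M iff the starting states are related."""
    return (c.s0, m.s0) in simulation(c, m)


def reachable(k: Kripke, s: str) -> Set[str]:
    seen, stack = set(), [s]
    while stack:
        u = stack.pop()
        if u not in seen:
            seen.add(u)
            stack.extend(k.succ[u])
    return seen


def sccs(k: Kripke) -> Dict[str, FrozenSet[str]]:
    """Map each state to its strongly connected component (mutual reachability)."""
    reach = {s: reachable(k, s) for s in k.succ}
    return {s: frozenset(t for t in reach[s] if s in reach[t]) for s in k.succ}


def is_tree_like(k: Kripke) -> bool:
    """Tree-like: every nontrivial SCC is a simple cycle, and the component graph is a tree."""
    comp = sccs(k)
    components = set(comp.values())
    for scc in components:
        inside = {s: k.succ[s] & scc for s in scc}  # transitions staying within the component
        if any(inside.values()) and any(len(ts) != 1 for ts in inside.values()):
            return False  # strongly connected, but not a single cycle
    parents: Dict[FrozenSet[str], Set[FrozenSet[str]]] = {c: set() for c in components}
    for s, ts in k.succ.items():
        for t in ts:
            if comp[t] != comp[s]:
                parents[comp[t]].add(comp[s])
    root = comp[k.s0]
    return all(len(ps) == (0 if c == root else 1) for c, ps in parents.items())


# Constructed structures (assumptions, not the slides' T):
M = Kripke("s0", {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s0", "s1"}},
           {"s1": {"x", "y"}, "s2": {"y"}})
# C: a stem followed by a 2-cycle; tree-like, and simulated by M
C = Kripke("c0", {"c0": {"c1"}, "c1": {"c2"}, "c2": {"c1"}},
           {"c1": {"x", "y"}, "c2": {"y"}})
# D: not simulated by M (its self-loop on a {y}-state has no matching move in M)
D = Kripke("d0", {"d0": {"d1"}, "d1": {"d1"}}, {"d1": {"y"}})
# E: not tree-like, the component {e3} has two parent components
E = Kripke("e0", {"e0": {"e1", "e2"}, "e1": {"e3"}, "e2": {"e3"}, "e3": {"e3"}}, {})

if __name__ == "__main__":
    print(simulated_by(C, M), is_tree_like(C))  # True True
    print(simulated_by(D, M), is_tree_like(M))  # False False
```

The simulation check is the analogue of the membership test $\pi \in L(M)$ for linear counterexamples: once $C \preceq_{sim} M$ is established, checking $C \models \neg f$ on the small tree-like C certifies $M \models \neg f$ for any ACTL* formula f.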

[Figure: Kripke structure T with states s1 (labelled x, y) and s2 (labelled y), and a tree-like Kripke structure with states s'0, s'1, s'2, s'3 labelled with x and y, related to T by $\preceq_{sim}$]

An example: $\models \neg AF(\neg y \wedge AX\,\neg x)$? (asked for both structures in the figure)

Generating a Tree-like Counterexample for $M \models f$

... similar to generating a linear counterexample for LTL!

- Construct a BTA B for $\neg f$.
- Find a successful run in $G_{M,B}$.
- Get the skeleton of the run by cutting out any node $(s', q')$ such that $(s', q')$ is the only child of its father $(s, q)$ and $l(q) \notin \{\wedge, \vee\}$.
- Eliminate the redundancy and project the skeleton to states.

[Figure: the Kripke structure T and the tree-like structure from the previous example]

If we know ... $\models AF(\neg y \wedge AX\,\neg x)$?

... is a tree-like counterexample for ...
