Witness and Counterexample

Li Tan

tanli@saul.cis.upenn.edu

Oct. 15, 2002

Informal Definition

Recall the model checking problem M ⊨ f.

• A witness W should be a subsystem of M such that W ⊨ f.
• W should be small.
  • M itself is a witness of f, but a useless one.
  • A witness should show the evidence for why M ⊨ f.
• Viability.
  • Any system of which W is a subsystem should satisfy f.
  • To show M ⊨ f, it is enough to show W ⊨ f and the relation between W and M.
• Completeness.
  • Each formula in the target logic should have a well-defined witness whenever the model satisfies it.
• Simple and efficient.
  • A witness should be verified and analyzed efficiently.
• Effectiveness.
  • There exists an effective algorithm for generating the witness.

Informal Definition

• A counterexample is just the dual of a witness.
  • C is a counterexample for M ⊨ f iff C is a witness for M ⊨ ¬f.
• A counterexample always exists if
  • the logic is closed under negation, i.e., f ∈ L ⇒ ¬f ∈ L, and
  • the definition of witness is complete in L.
• The mechanisms for generating witnesses and counterexamples are the same.
• For historical reasons, many model checkers such as SMV and SPIN only use the notion of counterexample.
• Our choice of the term witness or counterexample will depend on the context.

Why we need them?

• Counterexamples can be used for
  • debugging the design;
  • counterexample-based abstraction refinement:
    • the abstraction is conservative, so it may cause false alarms;
    • a counterexample is generated after checking the abstract system; if it is
      • a real trace, then the model checker terminates with "no";
      • not a real trace, then refine the abstraction (add more predicates, etc.) and redo the model checking.
• Witnesses can be used for
  • checking the correctness of the result efficiently:
    • verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model;
  • generating tests:
    • any system that contains the witness should possess the property.

Formal Definition

The informal definition is ambiguous:

• What is the context of the definition? ⇒ Fix a logic L.
• What is a "subsystem"? ⇒ Define a preorder ≼ on transition systems.

Definition [Natural Preorder of a Logic]

Let L be a temporal logic. A preorder ≼_L on Kripke structures is natural for L if for every f ∈ L, T ⊨ f and T ≼_L T' imply T' ⊨ f.

Definition [Witness and Counterexample]

Let ≼ be a natural preorder for the logic L (respectively, for ¬L = {¬f | f ∈ L}). C is a witness (respectively, a counterexample) for M ⊨ f in L if

• C ⊨ f (respectively, C ⊨ ¬f), and
• C ≼ M.

Our mission: fix L, then find ≼.

Kripke Structure and CTL*

Definition [Kripke Structure]

A transition system is modeled as a Kripke structure K = ⟨S, s0, →, A, V⟩ where

• S is the set of states,
• s0 ∈ S is the starting state,
• → ⊆ S × S is the transition relation,
• A is the set of atomic propositions, and
• V : A → 2^S is the valuation of the atomic propositions.

CTL*: Syntax

Formulae of Computation Tree Logic (CTL*) are constructed by

S ::= a | ¬a | S ∧ S | S ∨ S | A P | E P

P ::= S | P ∧ P | P ∨ P | X P | P U P | P R P

• S is a state formula and P is a path formula.
• A (for all paths) and E (there exists a path) are the path quantifiers.
• U and R are the "until" and "release" operators.
• X is the "next time" operator.
• A CTL* formula is a state formula.
• Sometimes we write G P ("always holds") for false R P, and F P ("eventually holds") for true U P.


Semantics of path formulae

Semantics of state formulae

• s ⊨_T a if s ∈ V(a)
• s ⊨_T ¬a if s ∉ V(a)
• s ⊨_T A P if π ⊨ P for every path π from s
• s ⊨_T E P if there exists a path π from s such that π ⊨ P

LTL, CTL, and ACTL

• Linear Temporal Logic (LTL) is the sublogic of CTL* that contains no path quantifiers.
  • Semantically, the LTL formula f means the CTL* formula A f.
  • Intuitively, LTL checks all possible paths simultaneously.
• CTL is the sublogic of CTL* in which each temporal operator (X, U, R) must be immediately preceded by a path quantifier.
• ACTL is the sublogic of CTL in which the only path quantifier permitted is A.

An example

[Figure: Kripke structure T with states s0 (labelled x, y), s1 (labelled y) and s2.]

• Does T satisfy the LTL formula F(G ¬y)?
• Does T satisfy the ACTL formula AF(¬y ∧ AX ¬x)?

Counterexample in LTL

Customizing the definition of counterexample:

• Fix the logic: LTL.
• Fix the preorder ≼: language inclusion, i.e., π ≼ M iff π ∈ L(M).

Definition

Let f be an LTL formula. A path π is a linear counterexample for the model-checking problem M ⊨ f if π ⊨ ¬f and π ∈ L(M).

• Is the definition viable?
  • π ∈ L(T) and π ⊨ ¬f ⇒ T ⊭ f. Why?
• Is the definition complete?
  • If M ⊭ f, then we can always find a π ∈ L(M) as a counterexample. Why?

LTL model checking via Büchi automata

A generalized Büchi automaton is a tuple ⟨Q, q0, →, l, 𝓕⟩ where

• Q is the set of states, with q0 as the starting state,
• → ⊆ Q × Q is the transition relation,
• l : Q → {a, ¬a, ∧, ∨, <>, []} labels each state with an atomic proposition, its negation, a Boolean connective, or a modality, and
• 𝓕 ⊆ 2^Q is the Büchi acceptance condition.

Büchi automaton as the temporal specification

• G_{T,B} = ⟨S', →, L⟩ is the product graph of B and T if
  • S' = S × Q ∪ {true, false};
  • if q → q' and
    • l(q) ∈ {∨, ∧}, then ⟨s, q⟩ → ⟨s, q'⟩;
    • l(q) = <> ([]), then ⟨s, q⟩ → ⟨s', q'⟩ for some (all) s → s';
  • if l(q) = a (¬a), then ⟨s, q⟩ → true if s ∈ V(a) (s ∉ V(a)), and ⟨s, q⟩ → false otherwise;
  • L(⟨s, q⟩) = ∨ if l(q) ∈ {∨, <>}, and L(⟨s, q⟩) = ∧ otherwise.

Büchi automaton-based model checking

• B accepts T if there is a successful run in G_{T,B}.
  • A run of G_{T,B} is a subgraph in which each node ⟨s, q⟩ keeps one child if L(⟨s, q⟩) = ∨ and all children if L(⟨s, q⟩) = ∧.
  • A run is successful if
    • all its leaves are true, and
    • every infinite path in the run visits some node of F infinitely often, for every F ∈ 𝓕.
• Searching for a (un)successful run:
  • mark all leaves true or false depending on their labeling, then propagate the values;
  • for the nodes of a strongly connected component, mark them true or false depending on whether the SCC covers every F ∈ 𝓕, then propagate the values;
  • eventually every node is marked true or false.

An example

[Figure: the Kripke structure T (s0: x, y; s1: y; s2) and the automaton B with states q0 to q5 labelled by ∧, ∨, <> and the atom y, with acceptance condition 𝓕 = {{q1, q2, q4}}.]

[Figure: the product graph G_{T,B} for this example, with nodes ⟨s_i, q_j⟩ for i = 0, 1, 2 and j = 0, ..., 4, each labelled ∧ or ∨, and the leaves true and false.]


Translate an LTL formula to a "never claim" BTA

Construct the BTA for ¬f by

2. For each ψ = P1 U P2, there is an F ∈ 𝓕 such that F = {q | q does not contain both ψ and Xψ, or P2 ∈ q}.

• Basically, F contains no node of a loop on which P1 U P2 keeps reproducing itself ⇒ P2 will eventually be satisfied.

[Figure: the automaton B for ¬F(G ¬y), with states q0 to q5 labelled by ∧, ∨, <> and y, and 𝓕 = {{q1, q2, q4}}.]

Translate F(G ¬y)

• ¬A(F(G ¬y)) = E(G(F y))
• Tableau expansion (each node is a set of obligations):
  E(G(F y)) = E(XG(F y), F y)
  E(XG(F y), F y) splits into E(XG(F y), y) and E(XG(F y), XF y)
  E(XG(F y)) returns to E(G(F y)) after one step

Step 1: find a successful run

[Figure: the successful run in G_{T,B}, consisting of the nodes ⟨s0, q0⟩, ⟨s2, q0⟩, ⟨s1, q1⟩, ⟨s0, q1⟩, ⟨s2, q1⟩, ⟨s2, q4⟩, ⟨s1, q3⟩, ⟨s0, q4⟩, ⟨s1, q2⟩ and the leaf true.]

Step 2: Get the skeleton

Remove branches ⟨s, q⟩ → ⟨s', q'⟩ such that ⟨s, q⟩ is a leaf and l(q') ∉ {<>, []}.

[Figure: the skeleton of the run, with the nodes ⟨s0, q0⟩, ⟨s2, q0⟩, ⟨s1, q1⟩, ⟨s0, q1⟩, ⟨s2, q1⟩, ⟨s2, q4⟩, ⟨s1, q3⟩, ⟨s0, q4⟩, ⟨s1, q2⟩ and the leaf true removed.]

Step 3: Unroll the skeleton and get a path.

(s0, q0) (s0, q1) (s0, q4) {(s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)}^ω

Projected onto the states of T: s0 s0 s0 {s1 s1 s1 s2 s2 s2}^ω

Step 4: Eliminate the redundancy

Remove (s', q') from … (s, q) (s', q') … if l(q) ∉ {<>, []} or (s, q) is the head of the path.

(s0, q0) (s0, q1) (s0, q4) {(s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)}^ω

⇒ (s0, q0) {(s1, q1) (s2, q0)}^ω

⇒ s0 {s1 s2}^ω
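The definition of a linear counterexample (π ∈ L(M) and π ⊨ ¬f) and the lasso s0 {s1 s2}^ω just extracted can both be checked mechanically. The Python below is an added example and is not part of the slides. The transitions of T in it are an assumption (the transcript gives only the state labels); they are chosen as s0 → s1, s1 → s2, s2 → s1 so that the extracted path exists in T. An LTL formula is evaluated on an ultimately periodic path by treating each position of the prefix and of the loop as a distinct point of the unrolled path, which is enough because every suffix of the path starts at one of those positions.

```python
# Added example, not part of the slides: checking that a lasso-shaped path is
# a linear counterexample, i.e. that it lies in L(T) and violates the LTL
# formula. The structure T is an ASSUMPTION: the transcript only shows the
# labels of s0 (x, y) and s1 (y); the transitions s0->s1, s1->s2, s2->s1 are
# chosen so that the path s0 (s1 s2)^w from Step 4 exists in T.
from functools import lru_cache

# Kripke structure K = <S, s0, ->, A, V>; V is stored per state for convenience.
T = {
    "init": "s0",
    "trans": {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s1"}},
    "label": {"s0": {"x", "y"}, "s1": {"y"}, "s2": set()},
}


class Lasso:
    """An ultimately periodic path prefix . loop^omega over the states of K."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("the loop part must be non-empty")
        self.prefix, self.loop = list(prefix), list(loop)
        self.size = len(self.prefix) + len(self.loop)   # distinct positions

    def state(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def succ(self, i):
        """Next position; the last loop position wraps to the first loop position."""
        return i + 1 if i + 1 < self.size else len(self.prefix)


def in_language(pi, K):
    """pi in L(K): starts in the initial state and every step is a transition of K."""
    if pi.state(0) != K["init"]:
        return False
    return all(pi.state(pi.succ(i)) in K["trans"][pi.state(i)] for i in range(pi.size))


# LTL formulas as nested tuples: ("ap", a), ("not", f), ("and", f, g), ("or", f, g),
# ("X", f), ("U", f, g), ("R", f, g), and the abbreviations ("F", f), ("G", f).
TRUE = ("true",)


def holds(formula, pi, labels):
    """pi |= formula, evaluated on the finite representation of the lasso."""

    @lru_cache(maxsize=None)
    def ev(f, i):
        op = f[0]
        if op == "true":
            return True
        if op == "ap":
            return f[1] in labels[pi.state(i)]
        if op == "not":
            return not ev(f[1], i)
        if op == "and":
            return ev(f[1], i) and ev(f[2], i)
        if op == "or":
            return ev(f[1], i) or ev(f[2], i)
        if op == "X":
            return ev(f[1], pi.succ(i))
        if op == "F":                     # F g == true U g
            return ev(("U", TRUE, f[1]), i)
        if op == "G":                     # G g == false R g == not F(not g)
            return not ev(("F", ("not", f[1])), i)
        if op == "R":                     # g R h == not (not g U not h)
            return not ev(("U", ("not", f[1]), ("not", f[2])), i)
        if op == "U":
            g, h = f[1], f[2]
            j = i
            # pi.size steps from i visit every position reachable from i at least once
            for _ in range(pi.size + 1):
                if ev(h, j):
                    return True
                if not ev(g, j):
                    return False
                j = pi.succ(j)
            return False
        raise ValueError(f"unknown operator {op!r}")

    return ev(formula, 0)


def is_linear_counterexample(pi, f, K):
    """Definition from the slide: pi |= not f and pi in L(K)."""
    return in_language(pi, K) and holds(("not", f), pi, K["label"])


# The property from the example: F(G not y).
F_G_NOT_Y = ("F", ("G", ("not", ("ap", "y"))))
# The path extracted in Step 4: s0 (s1 s2)^w, on which y holds infinitely often.
COUNTEREXAMPLE = Lasso(["s0"], ["s1", "s2"])
# s0^w also violates F(G not y), but it is not a path of T (no self-loop on s0),
# so it is not a counterexample for T |= F(G not y).
NOT_A_PATH = Lasso(["s0"], ["s0"])

if __name__ == "__main__":
    print(is_linear_counterexample(COUNTEREXAMPLE, F_G_NOT_Y, T))
    print(in_language(NOT_A_PATH, T), holds(("not", F_G_NOT_Y), NOT_A_PATH, T["label"]))
```

The two checks are exactly the two halves of the viability argument: `in_language` is the preorder (language inclusion) and `holds(("not", f), ...)` is C ⊨ ¬f. Dropping either one accepts paths such as s0^ω that violate the formula but are not paths of T at all.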

Is there a witness / counterexample for CTL*?

• Any two Kripke structures that are not bisimilar can be distinguished by a CTL* formula [Mil71].
• ⇒ If ≼ is a natural preorder for CTL*, then T1 ≼ T2 iff T1 and T2 are bisimilar.
• ⇒ A witness (counterexample) for any T ⊨ f must be bisimilar to T.
• Since bisimilarity of Kripke structures is essentially graph isomorphism, such a witness is no smaller than T itself.
• ⇒ Witnesses and counterexamples are trivial in CTL*.

Counterexample for ACTL*

• The simulation preorder is a natural preorder for ECTL* (the negation of an ACTL* formula is an ECTL* formula) ⇒ counterexamples for ACTL* are well defined.
• Most of the desirable safety and fairness properties can be expressed in ACTL*.

Definition [Simulation Preorder ≼sim]

≼sim is a simulation preorder on T iff for every s ≼sim s1 and every s → s', there exists s1 → s1' such that s' ≼sim s1'.

T1 ≼sim T2 if s10 ≼sim s20, where s10 and s20 are the starting states of T1 and T2.

Tree-like Counterexample for ACTL*

• Let f be an ACTL* formula with M ⊨ ¬f. Then there exists a tree-like Kripke structure C ≼sim M such that C ⊨ ¬f [CJLV02].
• C is a tree-like Kripke structure if
  • its graph of strongly connected components is a tree, and
  • the only strongly connected components permitted in C are simple cycles.
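The simulation preorder defined two slides above can be computed as a greatest fixpoint, and that is how the obligation C ≼sim M for a tree-like counterexample is discharged in practice. The Python below is an added example and is not part of the slides. Both structures in it are assumptions, since the figure is not legible in the transcript: M is taken as s0 (x, y) → s1 (y) → s2 (no label), with s2 → s1 and s2 → s0, and C is an unrolling of M with primed states. The relation computed is the usual label-preserving simulation (related states carry the same atomic propositions, in addition to the transfer condition on the slide). The block also checks that C is tree-like in the sense of the definition just given: every SCC is a single state or a simple cycle, and the SCC graph is a tree rooted at the initial state.

```python
# Added example, not part of the slides: the greatest simulation relation
# between two Kripke structures, computed as a fixpoint, plus a check that a
# candidate counterexample is tree-like. Both structures are ASSUMPTIONS: the
# slide figure is not legible, so M is taken as s0 (x,y) -> s1 (y) -> s2 ( ),
# s2 -> s1, s2 -> s0, and C as an unrolling of M with primed states. The
# relation is the usual label-preserving simulation: related states carry the
# same atomic propositions, in addition to the transfer condition on the slide.

M = {
    "init": "s0",
    "trans": {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s1", "s0"}},
    "label": {"s0": {"x", "y"}, "s1": {"y"}, "s2": set()},
}
# Tree-like: one trivial SCC {s'0} followed by one cycle s'1 -> s'2 -> s'3 -> s'1.
C = {
    "init": "s'0",
    "trans": {"s'0": {"s'1"}, "s'1": {"s'2"}, "s'2": {"s'3"}, "s'3": {"s'1"}},
    "label": {"s'0": {"x", "y"}, "s'1": {"y"}, "s'2": set(), "s'3": {"x", "y"}},
}


def greatest_simulation(A, B):
    """Largest R with (s, t) in R  =>  V(s) == V(t) and
    for every s -> s' in A there is t -> t' in B with (s', t') in R.
    Start from all label-compatible pairs and delete violating pairs until stable."""
    R = {(s, t) for s in A["trans"] for t in B["trans"] if A["label"][s] == B["label"][t]}
    changed = True
    while changed:
        changed = False
        for s, t in sorted(R):
            transfer = all(any((s2, t2) in R for t2 in B["trans"][t]) for s2 in A["trans"][s])
            if not transfer:
                R.discard((s, t))
                changed = True
    return R


def simulated_by(A, B):
    """A <=sim B: the initial state of A is simulated by the initial state of B."""
    return (A["init"], B["init"]) in greatest_simulation(A, B)


def reachable(K, s):
    """States reachable from s by one or more transitions."""
    seen, stack = set(), [s]
    while stack:
        for v in K["trans"][stack.pop()]:
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def is_tree_like(K):
    """Every SCC is a single state or a simple cycle, and the SCC graph is a tree
    rooted at the initial state (the definition quoted from [CJLV02] on the slide)."""
    reach = {s: reachable(K, s) for s in K["trans"]}
    # SCC of s: s plus every state that is mutually reachable with s.
    comp_of = {s: frozenset({s} | {t for t in reach[s] if s in reach[t]}) for s in K["trans"]}
    comps = set(comp_of.values())
    for comp in comps:
        if len(comp) > 1:  # non-trivial SCC: exactly one successor inside it per state
            if any(len(K["trans"][s] & comp) != 1 for s in comp):
                return False
    parents = {c: set() for c in comps}
    for s in K["trans"]:
        for t in K["trans"][s]:
            if comp_of[s] != comp_of[t]:
                parents[comp_of[t]].add(comp_of[s])
    root = comp_of[K["init"]]
    all_reached = (reach[K["init"]] | {K["init"]}) == set(K["trans"])
    return all_reached and all(len(parents[c]) == (0 if c == root else 1) for c in comps)


if __name__ == "__main__":
    print(sorted(greatest_simulation(C, M)))
    print(simulated_by(C, M), simulated_by(M, C))
    print(is_tree_like(C), is_tree_like(M))
```

The fixpoint deletes a pair as soon as one of its transitions cannot be matched, and only terminates when no further pair is deleted; what remains is the largest simulation, so membership of the pair of initial states decides C ≼sim M. The reverse direction M ≼sim C fails here because s2 in M has two successors with different labels while its only label-compatible partner s'2 has one, which is exactly why a simulation, and not a bisimulation, is the right preorder for ACTL*.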

An example

[Figure: on the left, the Kripke structure T (s0: x, y; s1: y; s2); on the right, a tree-like Kripke structure C with states s'0, s'1, s'2, s'3 labelled with subsets of {x, y}.]

• Does C ⊨ ¬AF(¬y ∧ AX ¬x)?
• Is C ≼sim T?
• Hence, does T ⊨ ¬AF(¬y ∧ AX ¬x)?

Generating a Tree-like Counterexample for M ⊨ f

… similar to generating a linear counterexample for LTL!

• Construct a BTA B for ¬f.
• Find a successful run in G_{M,B}.
• Get the skeleton of the run by cutting out any node (s', q') such that (s', q') is the only child of its parent (s, q) and l(q) ∉ {∧, ∨}.
• Eliminate the redundancy and project the skeleton onto the states.

[Figure: the tree-like structure C (states s'0, s'1, s'2, s'3) and the structure T (s0: x, y; s1: y; s2).]

If we know that C is a tree-like counterexample for T ⊨ AF(¬y ∧ AX ¬x), and want to prove T ⊨ ¬AF(¬y ∧ AX ¬x), we only need to show C ≼sim T.