Title: Li Tan
1 Witness and Counterexample
- Li Tan
- tanli_at_saul.cis.upenn.edu
- Oct. 15, 2002
2 Informal Definition
- What is a witness for M ⊨ f?
- A witness W should be a subsystem of M.
  - W should be small.
  - M is a witness of f, but it is useless.
- W ⊨ f.
  - Any property held by a system T should also be held by the system T' of which T is a subsystem.
  - To show M ⊨ f, it is enough to show the relation between M and W.
- Viability.
  - Completeness w.r.t. a logic.
    - Each formula in this logic should have a well-defined witness if it is satisfied by the model.
  - Simple and efficient.
    - A witness should be verified and analyzed efficiently.
  - Effectiveness.
    - There exists an effective algorithm for generating the witness.
3 Informal Definition
- A counterexample is just the dual of a witness.
  - C is a counterexample for M ⊨ f iff C is a witness of M ⊨ ¬f.
- A counterexample always exists if
  - the logic is complete under negation, i.e., f ∈ L ⇒ ¬f ∈ L, and
  - the definition of witness is complete in L.
- The mechanisms for generating witnesses and counterexamples are the same.
- For historical reasons, many model checkers like SMV and SPIN only use the notion of counterexample.
- Our reference to witness/counterexample will be chosen depending on the context.
4 Why do we need them?
- A counterexample can be used for:
  - Debugging the design.
  - Counterexample-based abstraction refinement.
    - The abstraction is conservative: it may cause false alarms.
    - A counterexample is generated after checking the abstract system; if it is
      - a real trace, then the model checker terminates with "no";
      - not a real trace, then refine the abstraction (add more predicates etc.) and redo the model checking.
- A witness can be used for:
  - Enabling efficient checking of the correctness.
    - Verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model.
  - Generating tests.
    - Any system that contains the witness should possess the property.
5 Formal Definition
- The informal definition is ambiguous:
  - What is the context of the definition? ⇒ Fix a logic.
  - What is a subsystem? ⇒ Define a preordering ≼ on transition systems.
- Definition (Natural Preorder of a Logic)
  - Let L be a temporal logic. ≼ on transition systems is a natural preordering of L iff, for every f ∈ L, if T ⊨ f and T ≼ T', then T' ⊨ f.
- Definition (Witness and Counterexample)
  - Let ≼ be a natural preordering for the logic L (resp. ¬L). C is a witness (resp. counterexample) for M ⊨ f in L if
    - C ⊨ f (resp. C ⊨ ¬f), and
    - C ≼ M.
- Our mission: fix L, then find ≼.
6 Kripke Structure and CTL*
- Definition (Kripke Structure)
  - A transition system will be modeled as a Kripke structure K = ⟨S, s0, →, A, V⟩ where
    - S is the set of states,
    - s0 ∈ S is the starting state,
    - → ⊆ S × S is the transition relation,
    - A is the set of atomic propositions, and
    - V: A → 2^S is the evaluation of the atomic propositions.
7 CTL* Syntax
- Formulae in Computational Tree Logic (CTL*) are syntactically constructed by
  - S ::= a | ¬a | S ∧ S | S ∨ S | A P | E P
  - P ::= S | P ∧ P | P ∨ P | X P | P U P | P R P
- S is a state formula, and P is a path formula.
- A (for all paths) and E (there exists a path) are the path quantifiers.
- U and R are the until and release operators.
- X is the next-time operator.
- A CTL* formula is a state formula.
- Sometimes we write G P (always holds) for false R P, and F P (eventually holds) for true U P.
8 Semantics of path formulae
9 Semantics of state formulae
- s ⊨_T a if s ∈ V(a)
- s ⊨_T ¬a if s ∉ V(a)
- s ⊨ A P if π ⊨ P for every path π from s
- s ⊨ E P if there exists a path π from s such that π ⊨ P
10 LTL, CTL, and ACTL
- Linear Temporal Logic (LTL) is the sublogic of CTL* which contains no path quantifier.
  - Semantically, the LTL formula f ≡ the CTL* formula Af.
  - Intuitively, LTL checks all the possible paths simultaneously.
- CTL is the sublogic of CTL* such that each temporal operator (X, U, R) must be immediately preceded by a path quantifier (A, E).
- ACTL is the sublogic of CTL in which the only path quantifier permitted is A.
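An explicit-state CTL model checker that implements the state-formula semantics above (each operator computed as a set of states, the E-operators as fixpoints, the A-operators by duality). This is an added example, not code from the talk; the Kripke structure is constructed for illustration and is not the figure T of the slides.

```python
# Constructed Kripke structure K = <S, s0, ->, A, V> (not the talk's figure):
# y holds on s0 and s2, x holds on s2 only; the transition relation is total.
SUCC = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s0", "s2"}}
V = {"x": {"s2"}, "y": {"s0", "s2"}}          # V: A -> 2^S
START = "s0"
S = frozenset(SUCC)

def pre(states):
    """States having at least one successor in `states` (the EX step)."""
    return {s for s in S if SUCC[s] & states}

def sat(f):
    """Set of states satisfying f. Formulas are nested tuples: ("true",),
    ("a", p), ("not", g), ("and", g, h), ("or", g, h), ("EX"|"AX", g),
    ("EU"|"AU", g, h), ("EG"|"AG"|"EF"|"AF", g)."""
    op = f[0]
    if op == "true": return set(S)
    if op == "a":    return set(V[f[1]])                    # s |= a iff s in V(a)
    if op == "not":  return S - sat(f[1])                   # s |= ~a iff s not in V(a)
    if op == "and":  return sat(f[1]) & sat(f[2])
    if op == "or":   return sat(f[1]) | sat(f[2])
    if op == "EX":   return pre(sat(f[1]))
    if op == "AX":   return S - pre(S - sat(f[1]))          # AX g = ~EX ~g
    if op == "EU":   # least fixpoint of  Z = h or (g and EX Z)
        g, z = sat(f[1]), sat(f[2])
        while True:
            n = z | (g & pre(z))
            if n == z: return z
            z = n
    if op == "EG":   # greatest fixpoint of  Z = g and EX Z  (total relation assumed)
        z = sat(f[1])
        while True:
            n = z & pre(z)
            if n == z: return z
            z = n
    if op == "EF":   return sat(("EU", ("true",), f[1]))    # F g = true U g
    if op == "AF":   return S - sat(("EG", ("not", f[1])))  # AF g = ~EG ~g
    if op == "AG":   return S - sat(("EF", ("not", f[1])))  # AG g = ~EF ~g
    if op == "AU":   # A[g U h] = ~(E[~h U (~g and ~h)] or EG ~h)
        ng, nh = ("not", f[1]), ("not", f[2])
        return S - (sat(("EU", nh, ("and", ng, nh))) | sat(("EG", nh)))
    raise ValueError(f"unknown operator {op}")

def holds(f):
    """K |= f iff the starting state satisfies f."""
    return START in sat(f)

# The ACTL question from the slides, asked of the constructed structure.
AF_Y_AND_AX_X = ("AF", ("and", ("a", "y"), ("AX", ("a", "x"))))
if __name__ == "__main__":
    print(holds(AF_Y_AND_AX_X))   # False: s1 is the only AX x state and lacks y
```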
11 An example
- (Figure: the transition system T; not recoverable from the text.)
- Does T satisfy the LTL formula F(G y)?
- Does T satisfy the ACTL formula AF(y ∧ AX x)?
12 Counterexample in LTL
- Customizing the definition of counterexample:
  - Fix the logic: LTL.
  - Fix the preordering relation ≼: language inclusion ⊆.
- Definition
  - Let f be an LTL formula. A path π is a linear counterexample for the model-checking problem M ⊨ f if π ⊨ ¬f and π ∈ L(M).
- Is the definition complete?
  - If M ⊭ f, then we can always find a π ∈ L(M) as a counterexample. Why?
13 LTL model checking via Büchi tree automaton
- A generalized Büchi tree automaton is a tuple ⟨Q, q0, →, l, F⟩ where
  - Q is the set of states with q0 as the starting state,
  - → ⊆ Q × Q is the transition relation,
  - l: Q → {a, ¬a, ∧, ∨, ⟨⟩, []} is the labeling, and
  - F ⊆ 2^Q is the Büchi acceptance condition.
14 An example
15 Acceptance Condition of BTA
- A run R of B on T is a maximal tree with (s0, q0) as the root such that
  - if (s, q) ∈ R and l(q) = ∧ (∨), then (s, q') is a child of (s, q) in R for every (some) child q' of q;
  - if (s, q) ∈ R, l(q) = [] (⟨⟩), and q' is a child of q, then (s', q') is a child of (s, q) in R for every (some) successor s' of s.
- R is a successful run if
  - each leaf (s, l) is successful (i.e., s ∈ V(l)), and
  - any infinite path in R visits some nodes in F infinitely often, for every F ∈ F.
- B accepts T if there is a successful run of B on T.
16 Büchi automaton as the temporal specification
- G_{T,B} = ⟨S', →, L⟩ is the product graph for B and T if
  - S' = S × Q;
  - if q → q' and
    - l(q) ∈ {∨, ∧}, then ⟨s, q⟩ → ⟨s, q'⟩;
    - l(q) = ⟨⟩ ([]), then ⟨s, q⟩ → ⟨s', q'⟩ for some (all) s → s';
  - L(⟨s, q⟩) = ∨ for l(q) ∈ {∨, ⟨⟩}, and L(⟨s, q⟩) = ∧ otherwise.
17 Büchi automaton-based model checking
- A successful run ≡ a successful subgraph in G_{T,B}.
  - G is a subgraph of G_{T,B} iff ⟨s, q⟩ keeps some (all) of its children if L(⟨s, q⟩) = ∨ (L(⟨s, q⟩) = ∧).
- A subgraph is successful if
  - all the leaves are true, and
  - any (non-trivial) strongly connected component covers some nodes in F, for every F ∈ F.
- Searching for a successful subgraph:
  - Mark all the leaves with true/false depending on the labeling, then propagate the values.
  - For the nodes in a strongly connected component (SCC), mark the nodes as true/false depending on the coverage of the SCC on F, then propagate the values.
  - Eventually, all the nodes will be marked as true/false.
18 An example
19-20 (Figure: the product graph G_{T,B} of the example with its marking propagated. Nodes and their labels L(⟨s, q⟩): ⟨s0,q0⟩ ∧, ⟨s1,q0⟩ ∧, ⟨s2,q0⟩ ∧, ⟨s0,q1⟩ ∨, ⟨s1,q1⟩ ∨, ⟨s2,q1⟩ ∨, ⟨s0,q2⟩ ∨, ⟨s1,q2⟩ ∨, ⟨s2,q2⟩ ∨, ⟨s0,q3⟩ ∨, ⟨s1,q3⟩ ∧, ⟨s2,q3⟩ ∧, ⟨s0,q4⟩ ∧, ⟨s1,q4⟩ ∨, ⟨s2,q4⟩ ∨; leaves marked true/false.)
21 Translate an LTL formula to a never-claim BTA
22 Translate an LTL formula (cont.)
- 2. For each P1 U P2, there is an F ∈ F such that F = {q | ¬(P1 U P2 ∈ q ∧ X(P1 U P2) ∈ q) or P2 ∈ q}.
  - Basically, F won't contain any node of a loop on which P1 U P2 reproduces itself, so P2 will eventually be satisfied.
23 Translate F(G y)
- (Figure: expansion of the never claim; node contents as extracted: E(G(F y)), E(XG(F y), F y), E(G(F y)), E(XG(F y), y), E(XG(F y)), E(XG(F y), XF y).)
24 Step 1: find a successful subgraph
- (Figure: the successful subgraph with nodes ⟨s0,q0⟩ ∧, ⟨s2,q0⟩ ∧, ⟨s0,q1⟩ ∨, ⟨s1,q1⟩ ∨, ⟨s2,q1⟩ ∨, ⟨s2,q4⟩ ∨, ⟨s1,q3⟩ ∧, ⟨s0,q4⟩ ∧, ⟨s1,q2⟩ ∨; marked true.)
25 Step 2: get the skeleton
- Recursively remove branches like (s, q) → (s, q') such that (s, q') is a leaf and l(q) ∉ {⟨⟩, []}.
- (Figure: the skeleton with nodes ⟨s0,q0⟩ ∧, ⟨s2,q0⟩ ∧, ⟨s0,q1⟩ ∨, ⟨s1,q1⟩ ∨, ⟨s2,q1⟩ ∨, ⟨s2,q4⟩ ∨, ⟨s1,q3⟩ ∧, ⟨s0,q4⟩ ∧, ⟨s1,q2⟩ ∨.)
26 Step 3: unroll the skeleton and get a path.
- (s0, q0) (s0, q1) (s0, q4) (s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)^ω
- Projected to states: s0 s0 s0 s1 s1 s1 s2 s2 s2^ω
27 Step 4: eliminate the redundancy
- Remove (s, q') from (s, q)(s, q') if l(q) ∉ {⟨⟩, []}.
- (s0, q0) (s0, q1) (s0, q4) (s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)^ω ⇒ (s0, q0) (s1, q1) (s2, q0)^ω
- Projected to states: s0 s1 s2^ω
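The linear-counterexample search of slides 12 and 16-27, worked on a Büchi word automaton rather than the tree automaton of the talk: the product of M with a never claim for ¬F(G y) is explored, an accepting node on a cycle is found, and the lasso is projected to states. This is an added example, not the talk's code; M and the automaton below are constructed for illustration and are not the slides' T.

```python
from collections import deque

# Constructed M (not the slides' figure): y holds on s0 and s2 but not s1.
LABEL = {"s0": {"y"}, "s1": set(), "s2": {"y"}}
TRANS = {"s0": ["s1"], "s1": ["s2"], "s2": ["s0", "s2"]}
START = "s0"

# Never claim for ¬F(G y) = G(F ¬y) as a deterministic Büchi word automaton:
# reading a y-free state moves to q1, reading a y-state moves to q0, so the
# accepting state q1 recurs infinitely often iff ¬y holds infinitely often.
ACCEPT = {"q1"}
def buchi_step(q, labels):
    return "q1" if "y" not in labels else "q0"

def product_succ(node):
    """Successors of <s, q> in the product: s -> s' in M, q -> q' on L(s)."""
    s, q = node
    q2 = buchi_step(q, LABEL[s])
    return [(s2, q2) for s2 in TRANS[s]]

def bfs(sources):
    """BFS over the product graph; returns parent pointers (sources -> None)."""
    parent = {n: None for n in sources}
    queue = deque(sources)
    while queue:
        n = queue.popleft()
        for m in product_succ(n):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return parent

def path_to(parent, node):
    """Reconstruct the BFS path ending at node (source first)."""
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]

def find_lasso():
    """(prefix, cycle) as lists of M-states with prefix·cycle^ω a path of M that
    violates F(G y), or None if M |= F(G y)."""
    reach = bfs([(START, "q0")])
    for node in reach:
        if node[1] not in ACCEPT:
            continue
        back = bfs(product_succ(node))          # is the accepting node on a cycle?
        if node in back:
            prefix = [s for s, _ in path_to(reach, node)[:-1]]
            cycle = [s for s, _ in [node] + path_to(back, node)[:-1]]
            return prefix, cycle
    return None
```

On this M the result is the lasso s0 s1 (s2 s0 s1)^ω, a real trace of M on which y fails infinitely often.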
28 Is there a witness/counterexample for CTL?
- Any two Kripke structures which are not bisimilar are distinguishable by a CTL formula [Mil71].
  - ⇒ Let ≼ be a natural order for CTL; then T1 ≼ T2 iff T1 bisimulates T2.
  - ⇒ The witness (counterexample) for any T ⊨ f must also bisimulate T.
- Since bisimilarity on Kripke structures is basically isomorphism of graphs,
  - ⇒ the witness and counterexample are trivial in CTL.
29 Counterexample for ACTL
- The simulation preordering is a natural preordering for ECTL ⇒ witnesses for ECTL and counterexamples for ACTL are well-defined.
- Most of the desirable safety and fairness properties can be expressed in ACTL.
- Definition (Simulation Preordering ≼sim)
  - ≼sim is a simulation preordering on T iff for every s ≼sim s1 and s → s', there exists an s1 → s1' such that s' ≼sim s1'.
  - T1 ≼sim T2 if s10 ≼sim s20, where s10 and s20 are the starting states of T1 and T2.
30 Tree-like Counterexample for ACTL
- Let f be an ACTL formula and M ⊭ f. Then there exists a tree-like Kripke structure C ≼sim M such that C ⊭ f [CJLV02].
- C is a tree-like Kripke structure if
  - its (strongly-connected) component graph is a tree, and
  - the only strongly-connected components permitted in C are cycles.
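The check that validates a tree-like counterexample against the definitions of slides 29 and 30: compute the greatest simulation relation between C and M as a fixpoint and test C ≼sim M on the starting states. This is an added example, not the talk's code; the structures are constructed for illustration, and the usual requirement that related states agree on atomic propositions is assumed.

```python
from collections import namedtuple

Kripke = namedtuple("Kripke", "start succ label")

# Constructed M (not the slides' figure): y holds on s0 and s2 but not s1.
M = Kripke("s0", {"s0": ["s1"], "s1": ["s2"], "s2": ["s0", "s2"]},
           {"s0": {"y"}, "s1": set(), "s2": {"y"}})
# Candidate tree-like counterexample to AF(AG y): a single cycle (its component
# graph is one node) on which a y-free state stays reachable forever.
C = Kripke("c0", {"c0": ["c1"], "c1": ["c2"], "c2": ["c0"]},
           {"c0": {"y"}, "c1": set(), "c2": {"y"}})
# A bogus candidate: its move c2 -> c1 cannot be matched by any move of M.
C_BAD = Kripke("c0", {"c0": ["c1"], "c1": ["c2"], "c2": ["c1"]}, C.label)

def greatest_simulation(T1, T2):
    """Largest R ⊆ S1×S2 such that (s, s1) ∈ R implies the labels agree and
    every s -> s' is matched by some s1 -> s1' with (s', s1') ∈ R."""
    rel = {(a, b) for a in T1.succ for b in T2.succ
           if T1.label[a] == T2.label[b]}
    changed = True
    while changed:                  # drop violating pairs until stable
        changed = False
        for a, b in list(rel):
            matched = all(any((a2, b2) in rel for b2 in T2.succ[b])
                          for a2 in T1.succ[a])
            if not matched:
                rel.discard((a, b))
                changed = True
    return rel

def simulated_by(T1, T2):
    """T1 ≼sim T2: the starting states are related by the greatest simulation."""
    return (T1.start, T2.start) in greatest_simulation(T1, T2)

if __name__ == "__main__":
    print(simulated_by(C, M), simulated_by(C_BAD, M), simulated_by(M, C))
```

The asymmetry (C ≼sim M but not M ≼sim C) is what distinguishes a simulation preorder from the bisimulation of slide 28.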
31 An example
- (Figure: C ≼sim M; does M ⊨ AF(y ∧ AX x)?)
32 Generating a Tree-like Counterexample for M ⊭ f
- Similar to generating a linear counterexample for LTL!
  - Construct a BTA B for ¬f.
  - Find a successful subgraph in G_{M,B}.
  - Get the proof skeleton by cutting out any node (s, q') s.t. (s, q') is the only child of its father (s, q) and l(q) ∉ {∧, ∨}.
  - Eliminate the redundancy and project the skeleton to states.
33 If we've known
- (figure) is a tree-like counterexample for (figure)
34 and want to prove
- (figure)
35 We only need to show
- (figure) ≼sim (figure)