Witness and Counterexample Li Tan [email protected] Oct. 15, 2002.

Witness and Counterexample


Li [email protected]

Oct. 15, 2002


Informal DefinitionRecall the model checking problem M ² ,1. A witness W should be a subsystem of M s.t. W ² .

$W$ should be small. M is a witness of , but it is useless.

2. Witness should show the evidence why M ² . Any system of which $W$ is a subsystem should satisfy . To show $M ² $, it is enough to show The relation between

M and W.3. Viability.

1. Completeness. 1. Each formula in the targeting logic should have a well-defined

witness if it is satisfied by the model.2. Simple and Efficient.

1. Witness should be verified and analyzed efficiently.3. Effectiveness.

1. There exists an effective algorithm for generating the witness.


Informal Definition1. Counterexample is just the dual of

witness.1. C is an counterexample for M ² iff C is a

witness of M² : .2. An counterexample always exists if

1. The logic is complete under negation, i.e., 2 L ) : 2 L

1. The definition of witness is complete in L.

3. The mechanism for generating witness/counterexample are same.

1. For history reason, many model checker like SMV and SPIN only use the notion of counterexample.

2. Our reference to witness/counterexample will be chose depending on the context.


Why we need them?1. Counterexample can be used for,

1. Debugging the design.2. Counterexample-based abstract refinement.

1. The abstraction is conservative1. It may cause the false alarm.

2. A counterexample is generated after checking the abstract system, if it is,1. A real trace, then model checker terminates with “no”.2. Not a real trace, then refine the abstract ( add more

predicators etc), and re-do the model checking.

2. Witness can be used for,1. Enable efficiently checking the correctness.

1. Verifying result=Verifying the property on witness+prove that a witness is a subsystem of model.

2. Generating tests.1. Any system contains the witness should possess the

property.


Formal DefinitionInformal definition is ambiguous, What is a context of definition? => Fix a logic What is a “subsystem”? => Define a preordering Á on

Transition system.

Definition [Natural Preorder of Logic]Let L be a temporal logic, a preordering ÁL on Kripke

structures are a nature such that for every f 2 L, if T ² f and T ÁL T’, then T’ ² f.

Definition [Witness and Counterexample]Let Á be a natural preordering for the logic L (: L), C is a

witness(or, counterexample) for M² f s.t. in L if C ² (C ² : ) C Á M.

Our mission: fix L, then find Á.


Kripke Structure and CTL*Definition [Kripke Structure]Transition System will be modeled as Kripke

structure K=<S, s0, !, A, V> where, S is the set of states. s0 2 S is a starting state. ! µ S £ S is transition relation. A is the set of atomic proposition. V : A ! 2S is the evulation for atomic

proposition.


CTL*: Syntax Formulae in Computational Tree Logic (CTL*) are

syntactically constructed by, S::= a | : a| S Æ S |S Ç S | A P | E P P ::=S | P Æ P | P Ç P | X P | P U P | P R P S is a state formula, and P is a path formula. A (for all the paths), and E (exists a path) are

the path quantifier. U and R are the “until” and “release” operators. X is the “next time” operator. CTL* formula is a state formula. Sometimes, we write G P (always hold) for false

R P, and F P ( Eventually hold) for true U P


Semantics of path formulae


Semantics of state formulae

1. s ²T a if s 2 V(s)

2. s ²T : a if s V(s)

3. s ² A P if ² P for every path from s.

4. s ² E P if there exists a from s such that ² P


LTL, CTL, and ACTL1. Linear Temporal Logic (LTL) is sublogic of

CTL* which contains no path quantifier.1. Semantically LTL formula f = CTL* formula Af.2. Intuitively LTL check all the possible paths

simultaneously.

2. CTL is sublogic of CTL* such that each temporal operator (X, U, R) must be immediately preceded by a path quantifier.

3. ACTL is a sublogic of CTL in which only path quantifier permitted is A.


An example

1. Does T satisfy

LTL F(G : y)?2. Does T satisfy

ACTL AF(: y Æ AX : X)?

x, y

y

s0

s2

s1


Counterexample in LTL

Customizing the definition of counterexample,1. Fix the logic: LTL2. Fix the preordering relation Á: language

inclusion 2DefinitionLet f be a LTL formula, a path is a linear

counterexample for model-checking problem M ² f if ² : f and 2 L(M).

Is the definition viable? 2 L(T) => T ² : f, why?

Is the definition complete? If M ² f, then we can always find a 2 L(M) as a

counterexample, why?


LTL model checking via Büchi automaton

A generalized Büchi automaton is a tuple <Q, q0, !,l, F> where,

1. Q is the set of states with q0 as the starting state.

2. ! µ Q £ Q is the transition relation.3. l: Q ! {a,: a, Æ, Ç, <>, []}4. F µ 2Q is Büchi acceptance

condition.


Büchi automaton as the temporal specification

1. GT, B={S, !, L} is the product graph for B and T if,

1. S= S £ Q U {true, false}2. If q ! q’ and

1. l(q) 2 {Ç, Æ}, <s, q> ! <s, q’>.2. l(q) = <> ([]), <s, q> ! <s’, q’> for some

(all) s ! s’.3. l(q) = a (: a), <s, q> ! (s 2 a ?)( :(s 2 a ?))

3. L(<s, q>)=Ç for l(q) 2 {Ç, <>} and L(<s, q>)=Æ otherwise.


Büchi automaton-based model checking

1. B accepts T if there is a successful run in GT, B,1. A run of GT, B is a subgraph such that <s, q> keeps

one (all) child(ren) if L(q)=Ç (L(q)=Æ).2. A run is successful if,

1. All the leaf are true, and2. Any infinite path in a run visits some nodes in F infinitely

often, for every F 2 F.

2. Searching for a (un)successful run,1. Mark all the leaves with true/false depending on the

labeling, then propagate the values.2. For the nodes in a strong connected component,

marking the nodes as true/false depending on the coverage of SCC on F, then propagate the values.

3. Eventually, all the nodes will be marked as true/false.


An example

<>

<>Æ

Ç

y

q0

q1

q2

q3 q4

q5

Æ

F={{q1, q2, q4}}

x, y

y

s0

s2

s1


s0, q2

\or

true

s1, q0

Æs0,q0

Æ

s0, q1

Ç

s0, q3

Çs0, q4

Æ

s1, q1

Ç

s1, q3

Æs1, q4

Ç

s1, q2

Ç

s2,q0

Æ

s2, q1

Ç

s2, q3

Æs2, q4

Ç

false

s2, q2

Ç


s0, q2

\or

true

s1, q0

Æs0,q0

Æ

s0, q1

Ç

s0, q3

Çs0, q4

Æ

s1, q1

Ç

s1, q3

Æs1, q4

Ç

s1, q2

Ç

s2,q0

Æ

s2, q1

Ç

s2, q3

Æs2, q4

Ç

false

s2, q2

Ç


Translate a LTL to a “never claim” BTA

Construct BTA for :f by,


Translate a LTL (cont.)

2. For each =P1 U P2, there is a F 2 F such that F={q| ( q Æ X q) or P2 2 q}

Basically F won’t contain any nodes of a loop on which P1 U P2 will produce itself. ) \cP_2 will eventually be satisfied.


Translate F( G : y)

: A (F (G : y))=E(G(F y))

<>

<>Æ

Ç

y

q0

q1

q2

q3 q4

q5

Æ

F={{q1, q2, q4}}

E(G(F y)) =

E(G(F y))

E(XG(F y), F y )

E(XG(F y), y)

E(XG(F y), XF y )E(XG(F y))


Step 1: find a successful run

true

s0,q0

Æ

s0, q1

Ç

s0, q4

Æ

s1, q1

Ç

s1, q3

Æ

s1, q2

Ç

s2,q0

Æ

s2, q1

Ç

s2, q4

Ç


Step 2: Get the skeletonRemove branches like (s, q) ! (s’, q’) such that (s, q) is

a leaf and l(q’) {<>, []}

s0,q0

Æ

s0, q1

Ç

s0, q4

Æ

s1, q1

Ç

s1, q3

Æ

s1, q2

Ç

s2,q0

Æ

s2, q1

Ç

s2, q4

Ç


Step 3: Unroll the skeleton and get a path.

(s0, q0) (s0, q1) (s0, q4) {(s1,q1)(s1, q3)(s1, q2)(s2, q0)(s2, q1)(s2, q4)}

S0

S0

S0

S1

S1

S1

S2

S2

S2


Step 4: Eliminate the redundancy

Remove (s’, q’) from ……(s, q)(s’, q’) …… if l(q) {<>, []} or (s, q) is the head of the path.

(s0, q0) (s0, q1) (s0, q4) {(s1,q1)(s1, q3)(s1, q2)(s2, q0)(s2, q1)(s2, q4)}

(s0, q0) {(s1,q1) (s2, q0) }

S0 { S1 S2 }


Is there a witness /counterexamples for CTL*

Any Kripke structure which are not bi- similar are distinguishable by a CTL* formula [Mil71].

=> Let Á be a nature order for CTL, then T1 Á T2 iff T1 bisimulates T2.

=> The witness(counterexample) for any $T² f$ must bisimulate T.

Since bisimularity on KS is similar to is isomorphism in graphics.

=> The witness and counterexample is trivial in CTL*


Is there a witness /counterexamples for CTL*?

Any Kripke structure which are not bi- similar are distinguishable by a CTL* formula [Mil71].

=> Let Á be a nature order for CTL, then T1 Á T2 iff T1 bisimulates T2.

=> The witness(counterexample) for any T² f must also bisimulate T.

Since bisimularity on KS is basically the isomorphism in graphics.

=> The witness and counterexample is trivial in CTL*


Counterexample for ACTL* Simulation preordering is a nature

preordering for ECTL* => Counterexample for ACTL* is a well-defined. Most of desirable safeness and fairness

properties can be expressed in ACTL*

Definition [Simulation Preordering Ásim]

Ásim is a simulation preordering on T iff for every s Ásim s1 and s ! s’, there exists a s1 ! s’1 such that s’ Ásim s’1

T1 Ásim T2 if s10 Ásim s2

0, where s10 and s2

0 are the starting states of T1 and T2


Tree-like Counterexample for ACTL*

Let f be a ACTL* formula and M ² : f, then there exists a tree-like Kripke structure C ÁsimM such that C ² : f [CJLV02].

C is a tree-like Kripke structure if, Its (strongly-connected) component

graph is a tree Only strongly-connected

components permitted in C are circles.


An example

² : AF(: y Æ AX : X)?

x, y

y

s0

s2

s1

y

y

s’0

s’2

s’1 x

s’3² : AF(: y Æ AX : X)?

Ási

m


Generating Tree-like Counterxample for M² f

…Similar to generate a linear counterexample for LTL!

1. Constructing a BTA B for : f.2. Find a successful run in GM, B.3. Get the skeleton of the run by

cutting out any node (s’, q’) s.t. (s’, q’) is the only child of its father (s, q) and l(q) {Æ, Ç}.

4. Eliminate the redundancy and project the skeleton to states.


If we’ve know,

² AF(: y Æ AX : X)?

x, y

y

s0

s2

s1

y

y

s’0

s’2

s’1 x

s’3

is a tree-like counterexample for


… and want to prove,

² : AF(: y Æ AX : X)

x, y

y

s0

s2

s1 y


We only need to show,

x, y

y

s0

s2

s1 y

y

y

s’0

s’2

s’1 x

s’3

Ásim

Date post:	21-Dec-2015
Category:	Documents
View:	217 times
Download:	0 times

Witness and Counterexample Li Tan [email protected] Oct. 15, 2002.

Documents