Witness and Counterexample Li Tan Oct. 15, 2002.


1 Witness and Counterexample Li Tan tanli@saul.cis.upenn.edu Oct. 15, 2002

2 Witness and Counterexample: Informal Definition
What is a witness for M ⊨ f?
1. A witness W should be a subsystem of M. W should be small: M is a witness of f, but it is useless.
2. W ⊨ f.
3. Any property held by a system T should also be held by the system T' of which T is a subsystem. To show M ⊨ f, it is enough to show the relation between M and W.
4. Viability:
   1. Completeness w.r.t. a logic: each formula in the logic should have a well-defined witness if it is satisfied by the model.
   2. Simple and efficient: the witness should be verified and analyzed efficiently.
   3. Effectiveness: there exists an effective algorithm for generating the witness.

3 Witness and Counterexample: Informal Definition
Counterexample is just the dual of witness.
1. C is a counterexample for M ⊨ f iff C is a witness of M ⊨ ¬f.
2. A counterexample always exists if
   1. the logic is complete under negation, i.e., f ∈ L ⇒ ¬f ∈ L, and
   2. the definition of witness is complete in L.
3. The mechanisms for generating witnesses and counterexamples are the same.
   1. For historical reasons, many model checkers like SMV and SPIN only use the notion of counterexample.
   2. Our reference to witness/counterexample will be chosen depending on the context.

4 Witness and Counterexample: Why we need them?
1. Counterexample can be used for
   1. Debugging the design.
   2. Counterexample-based abstraction refinement.
      1. The abstraction is conservative: it may cause false alarms.
      2. A counterexample is generated after checking the abstract system; if it is
         1. a real trace, then the model checker terminates with "no";
         2. not a real trace, then refine the abstraction (add more predicates etc.) and redo the model checking.
2. Witness can be used for
   1. Enabling efficient checking of the correctness: verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model.
   2. Generating tests: any system containing the witness should possess the property.

5 Witness and Counterexample: Formal Definition
The informal definition is ambiguous:
What is the context of the definition? ⇒ Fix a logic.
What is a "subsystem"? ⇒ Define a preordering ⊑ on transition systems.
Definition [Natural Preorder of a Logic] Let L be a temporal logic. ⊑ on transition systems is a natural preordering of L iff, for every f ∈ L, if T ⊨ f and T ⊑ T', then T' ⊨ f.
Definition [Witness and Counterexample] Let ⊑ be a natural preordering for the logic L (¬L). C is a witness (or counterexample) for M ⊨ f in L if C ⊨ f (C ⊨ ¬f) and C ⊑ M.
Our mission: fix L, then find ⊑.

6 Witness and Counterexample: Kripke Structure and CTL*
Definition [Kripke Structure] A transition system will be modeled as a Kripke structure K = ⟨S, s0, →, A, V⟩ where
S is the set of states,
s0 ∈ S is the starting state,
→ ⊆ S × S is the transition relation,
A is the set of atomic propositions, and
V : A → 2^S is the evaluation of the atomic propositions.

7 Witness and Counterexample: CTL* Syntax
Formulae in Computation Tree Logic (CTL*) are syntactically constructed by
S ::= a | ¬a | S ∧ S | S ∨ S | A P | E P
P ::= S | P ∧ P | P ∨ P | X P | P U P | P R P
S is a state formula and P is a path formula. A (for all paths) and E (there exists a path) are the path quantifiers. U and R are the "until" and "release" operators. X is the "next time" operator. A CTL* formula is a state formula. Sometimes we write G P (always holds) for false R P, and F P (eventually holds) for true U P.

8 Witness and Counterexample: Semantics of path formulae

9 Witness and Counterexample: Semantics of state formulae
1. s ⊨_T a if s ∈ V(a).
2. s ⊨_T ¬a if s ∉ V(a).
3. s ⊨ A P if every path from s satisfies P.
4. s ⊨ E P if there exists a path from s that satisfies P.

10 Witness and Counterexample: LTL, CTL, and ACTL*
1. Linear Temporal Logic (LTL) is the sublogic of CTL* which contains no path quantifier.
   1. Semantically, the LTL formula f = the CTL* formula Af.
   2. Intuitively, LTL checks all possible paths simultaneously.
2. CTL is the sublogic of CTL* in which each temporal operator (X, U, R) must be immediately preceded by a path quantifier (A, E).
3. ACTL* is the sublogic of CTL* in which the only path quantifier permitted is A.

11 Witness and Counterexample: An example
1. Does T satisfy the LTL formula F(G ¬y)?
2. Does T satisfy the ACTL formula AF(¬y ∧ AX ¬x)?
[Figure: transition system T with states s0, s1, s2 over the atomic propositions x, y]

12 Witness and Counterexample: Counterexample in LTL
Customizing the definition of counterexample:
1. Fix the logic: LTL.
2. Fix the preordering relation ⊑: language inclusion.
Definition Let f be an LTL formula. A path is a linear counterexample for the model-checking problem M ⊨ f if it satisfies ¬f and it belongs to L(M).
Is the definition complete? If M ⊭ f, then we can always find a path in L(M) as a counterexample. Why?

13 Witness and Counterexample: LTL model checking via Büchi tree automaton
A generalized Büchi tree automaton is a tuple ⟨Q, q0, →, l, 𝓕⟩ where
1. Q is the set of states, with q0 as the starting state;
2. → ⊆ Q × Q is the transition relation;
3. l : Q → {a, ¬a, ∧, ∨, <>, []} is the labeling;
4. 𝓕 ⊆ 2^Q is the Büchi acceptance condition.

14 Witness and Counterexample: An example
[Figure: a BTA with states q0 to q5 labelled from {<>, ∧, ∨, y} and acceptance condition 𝓕 = {{q0, q2, q3, q5}}, beside the transition system T with states s0, s1, s2 over x, y]

15 Witness and Counterexample: Acceptance Condition of BTA
1. A run R of B on T is a maximal tree with (s0, q0) as the root such that
   1. if (s, q) ∈ R and l(q) = ∧ (∨), then (s, q') is a child of (s, q) in R for every (some) child q' of q;
   2. if (s, q) ∈ R, l(q) = [] (<>), and q' is a child of q, then (s', q') is a child of (s, q) in R for every (some) successor s' of s.
2. R is a successful run if
   1. each leaf (s, l) is successful (i.e., s ∈ V(l)), and
   2. every infinite path in R visits some node in F infinitely often, for every F ∈ 𝓕.
3. B accepts T if there is a successful run of B on T.

16 Witness and Counterexample: Büchi automaton as the temporal specification
G_{T,B} = ⟨S × Q, →, L⟩ is the product graph of B and T if
1. its nodes are the pairs in S × Q;
2. if q → q' and
   1. l(q) ∈ {∨, ∧}, then (s, q) → (s, q');
   2. l(q) = <> ([]), then (s, q) → (s', q') for some (all) s → s';
3. L((s, q)) = ∨ for l(q) ∈ {∨, <>}, and L((s, q)) = ∧ otherwise.

17 Witness and Counterexample: Büchi automaton-based model checking
1. A successful run corresponds to a successful subgraph of G_{T,B}.
   1. G' is a subgraph of G_{T,B} iff each node (s, q) keeps some (all) of its children when L((s, q)) = ∨ (L((s, q)) = ∧).
   2. A subgraph is successful if
      1. all the leaves are true, and
      2. every (non-trivial) strongly connected component covers some node in F, for every F ∈ 𝓕.
2. Searching for a successful subgraph:
   1. Mark all the leaves true/false depending on the labeling, then propagate the values.
   2. For the nodes in a strongly connected component (SCC), mark the nodes true/false depending on the coverage of the SCC on F, then propagate the values.
   3. Eventually all the nodes will be marked true/false.

18 Witness and Counterexample: An example
[Figure: the BTA (states q0 to q5, 𝓕 = {{q0, q2, q3, q5}}) and transition system T (states s0, s1, s2) of slide 14]

19 Witness and Counterexample
[Figure: product graph G_{T,B}. Nodes and labels: (s0,q0) ∧, (s0,q1) ∨, (s0,q2) ∨ marked true, (s0,q3) ∨, (s0,q4) ∧, (s1,q0) ∧, (s1,q1) ∨, (s1,q2) ∨, (s1,q3) ∧, (s1,q4) ∨, (s2,q0) ∧, (s2,q1) ∨, (s2,q2) ∨ marked false, (s2,q3) ∧, (s2,q4) ∨]

20 Witness and Counterexample
[Figure: the product graph G_{T,B} of slide 19, same node listing]

21 Witness and Counterexample: Translate an LTL formula to a "never claim" BTA
Construct the BTA for ¬f by:

22 Witness and Counterexample: Translate an LTL formula (cont.)
2. For each subformula P1 U P2, there is an F ∈ 𝓕 such that F = {q | ¬(P1 U P2 ∈ q ∧ X(P1 U P2) ∈ q) or P2 ∈ q}.
Basically, F won't contain any node of a loop on which P1 U P2 keeps reproducing itself ⇒ P2 will eventually be satisfied.

23 Witness and Counterexample: Translate F(G ¬y)
¬A(F(G ¬y)) = E(G(F y))
[Figure: BTA for E(G(F y)) with states q0 to q5 labelled from {<>, ∧, ∨, y} and 𝓕 = {{q0, q3, q5}}. Tableau nodes: E(G(F y)), E(XG(F y), F y), E(XG(F y), y), E(XG(F y), XF y), E(XG(F y))]

24 Witness and Counterexample: Step 1: find a successful subgraph
[Figure: successful subgraph of G_{T,B} with nodes (s0,q0) ∧, (s0,q1) ∨, (s0,q4) ∧, (s1,q1) ∨, (s1,q3) ∧, (s1,q2) ∨, (s2,q0) ∧, (s2,q1) ∨, (s2,q4) ∨ and a leaf marked true]

25 Witness and Counterexample: Step 2: Get the skeleton
Recursively remove branches (s, q) → (s', q') such that (s, q) is a leaf and l(q') ∉ {<>, []}.
[Figure: skeleton with nodes (s0,q0) ∧, (s0,q1) ∨, (s0,q4) ∧, (s1,q1) ∨, (s1,q3) ∧, (s1,q2) ∨, (s2,q0) ∧, (s2,q1) ∨, (s2,q4) ∨]

26 Witness and Counterexample: Step 3: Unroll the skeleton and get a path
(s0, q0) (s0, q1) (s0, q4) {(s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)}^ω
projected onto states: s0 s0 s0 {s1 s1 s1 s2 s2 s2}^ω

27 Witness and Counterexample: Step 4: Eliminate the redundancy
Remove (s', q') from ...(s, q)(s', q')... if l(q) ∉ {<>, []}.
(s0, q0) (s0, q1) (s0, q4) {(s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)}^ω
→ (s0, q0) {(s1, q1) (s2, q0)}^ω
→ s0 {s1 s2}^ω

28 Witness and Counterexample: Is there a witness/counterexample for CTL*?
Any two Kripke structures which are not bisimilar are distinguishable by a CTL* formula [Mil71].
⇒ Let ⊑ be a natural order for CTL*; then T1 ⊑ T2 iff T1 bisimulates T2.
⇒ The witness (counterexample) for any T ⊨ f must also bisimulate T. Since bisimilarity on Kripke structures is basically isomorphism of graphs,
⇒ the witness and counterexample are trivial in CTL*.

29 Witness and Counterexample: Counterexample for ACTL*
Simulation preordering is a natural preordering for ECTL* ⇒ witnesses for ECTL* and counterexamples for ACTL* are well-defined.
Most desirable safety and fairness properties can be expressed in ACTL*.
Definition [Simulation Preordering ⊑sim] ⊑sim is a simulation preordering on T iff for every s ⊑sim s1 and s → s', there exists s1 → s'1 such that s' ⊑sim s'1.
T1 ⊑sim T2 if s1_0 ⊑sim s2_0, where s1_0 and s2_0 are the starting states of T1 and T2.

30 Witness and Counterexample: Tree-like Counterexample for ACTL*
Let f be an ACTL* formula and M ⊨ ¬f. Then there exists a tree-like Kripke structure C ⊑sim M such that C ⊨ ¬f [CJLV02].
C is a tree-like Kripke structure if
its (strongly connected) component graph is a tree, and
the only strongly connected components permitted in C are cycles.

31 Witness and Counterexample: An example
[Figure: T (states s0, s1, s2 over x, y) with the question T ⊨ ¬AF(¬y ∧ AX ¬x)?, and a tree-like structure (states s'0, s'1, s'2, s'3 over x, y) with the question ⊨ ¬AF(¬y ∧ AX ¬x)?, related by ⊑sim]

32 Witness and Counterexample: Generating a Tree-like Counterexample for M ⊨ f
... similar to generating a linear counterexample for LTL!
1. Construct a BTA B for ¬f.
2. Find a successful subgraph in G_{M,B}.
3. Get the proof skeleton by cutting out any node (s', q') such that (s', q') is the only child of its father (s, q) and l(q) ∈ {∧, ∨}.
4. Eliminate the redundancy and project the skeleton onto states.

33 Witness and Counterexample
If we know that
[Figure: the tree-like structure with states s'0, s'1, s'2, s'3 over x, y]
is a tree-like counterexample for
[Figure: T with states s0, s1, s2 over x, y] ⊨ AF(¬y ∧ AX ¬x)

34 Witness and Counterexample
... and want to prove
[Figure: T with states s0, s1, s2 over x, y] ⊨ ¬AF(¬y ∧ AX ¬x)

35 Witness and Counterexample
We only need to show
[Figure: the tree-like structure (s'0, s'1, s'2, s'3)] ⊑sim [Figure: T (s0, s1, s2)]
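The check that slides 33 to 35 reduce the problem to, that the tree-like counterexample C is simulated by the model M, as an added example that is not part of the talk: it computes the greatest simulation relation of slide 29's definition as a fixpoint over constructed Kripke structures M, C and D (all names and transitions are constructed), assuming that related states must carry equal labels.

```python
# Added example (not from the talk): checking C ⊑sim M for a candidate
# tree-like counterexample C. A Kripke structure is a tuple
# (states, initial state, successor map, label map); the structures below
# are constructed for illustration, not the ones on the slides.
# Assumption: related states carry equal labels, so that the atomic state
# formulas a and ¬a are preserved along the simulation (ACTL* needs this;
# the slide's definition spells out only the transition condition).

def greatest_simulation(c, m):
    """Largest relation R such that s R t implies label(s) == label(t)
    and every s -> s2 is matched by some t -> t2 with s2 R t2.
    Computed as a greatest fixpoint: start from all label-compatible
    pairs and delete pairs that violate the transfer condition."""
    c_states, _, c_next, c_lab = c
    m_states, _, m_next, m_lab = m
    rel = {(s, t) for s in c_states for t in m_states if c_lab[s] == m_lab[t]}
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            for s2 in c_next.get(s, ()):
                if not any((s2, t2) in rel for t2 in m_next.get(t, ())):
                    rel.discard((s, t))
                    changed = True
                    break
    return rel

def simulated_by(c, m):
    """C ⊑sim M iff the two initial states are related (slide 29)."""
    return (c[1], m[1]) in greatest_simulation(c, m)

# Constructed model M: three states over the propositions x, y.
M = ({"s0", "s1", "s2"}, "s0",
     {"s0": {"s1", "s2"}, "s1": {"s2"}, "s2": {"s1"}},
     {"s0": frozenset("xy"), "s1": frozenset("y"), "s2": frozenset()})

# Constructed tree-like C: a branch to a leaf plus a two-state cycle,
# so its component graph is a tree whose only SCC is a cycle (slide 30).
C = ({"c0", "c1", "c2", "c3"}, "c0",
     {"c0": {"c1", "c3"}, "c1": {"c2"}, "c2": {"c1"}},
     {"c0": frozenset("xy"), "c1": frozenset("y"),
      "c2": frozenset(), "c3": frozenset()})

# Constructed D: from its y-state it moves to an {x, y} state, which no
# successor of M's y-state can match, so D is not a valid counterexample.
D = ({"c0", "c1", "c5"}, "c0",
     {"c0": {"c1"}, "c1": {"c5"}},
     {"c0": frozenset("xy"), "c1": frozenset("y"), "c5": frozenset("xy")})

if __name__ == "__main__":
    print(simulated_by(C, M), simulated_by(D, M))  # True False
```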

