Witness and Counterexample
Li Tan, tanli@saul.cis.upenn.edu, Oct. 15, 2002
Informal Definition
Recall the model checking problem M ⊨ f.
• A witness W should be a subsystem of M s.t. W ⊨ f.
• W should be small: M is a witness of f, but it is useless.
• Viability: a witness should show the evidence why M ⊨ f. Any system of which W is a subsystem should satisfy f, so to show M ⊨ f it is enough to show the relation between M and W.
• Completeness: each formula in the target logic should have a well-defined witness if it is satisfied by the model.
• Simple and efficient: a witness should be verified and analyzed efficiently.
• Effectiveness: there exists an effective algorithm for generating the witness.
Informal Definition (cont.)
• A counterexample is just the dual of a witness.
• C is a counterexample for M ⊨ f iff C is a witness for M ⊨ ¬f.
• A counterexample always exists if
  • the logic is complete under negation, i.e., f ∈ L ⇒ ¬f ∈ L, and
  • the definition of witness is complete in L.
• The mechanisms for generating witnesses and counterexamples are the same.
• For historical reasons, many model checkers like SMV and SPIN only use the notion of counterexample.
• Our reference to witness/counterexample will be chosen depending on the context.
Why do we need them?
• A counterexample can be used for:
  • Debugging the design.
  • Counterexample-based abstraction refinement. The abstraction is conservative, so it may cause false alarms. A counterexample is generated after checking the abstract system; if it is a real trace, the model checker terminates with “no”; if it is not a real trace, refine the abstraction (add more predicates etc.) and redo the model checking.
• A witness can be used for:
  • Enabling efficient checking of the correctness of the result: verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model.
  • Generating tests: any system containing the witness should possess the property.
Formal Definition
The informal definition is ambiguous:
• What is the context of the definition? ⇒ Fix a logic.
• What is a “subsystem”? ⇒ Define a preorder ≼ on transition systems.
Definition [Natural Preorder of a Logic] Let L be a temporal logic. A preorder ≼_L on Kripke structures is natural for L if for every f ∈ L, T ⊨ f and T ≼_L T' imply T' ⊨ f.
Definition [Witness and Counterexample] Let ≼ be a natural preorder for the logic L (¬L). C is a witness (or counterexample) for M ⊨ f in L if
• C ⊨ f (C ⊨ ¬f), and
• C ≼ M.
Our mission: fix L, then find ≼.
Kripke Structure and CTL*
Definition [Kripke Structure] A transition system will be modeled as a Kripke structure K = ⟨S, s0, →, A, V⟩ where
• S is the set of states,
• s0 ∈ S is the starting state,
• → ⊆ S × S is the transition relation,
• A is the set of atomic propositions, and
• V: A → 2^S is the valuation of the atomic propositions.
CTL*: Syntax
Formulae of Computation Tree Logic (CTL*) are syntactically constructed by
S ::= a | ¬a | S ∧ S | S ∨ S | A P | E P
P ::= S | P ∧ P | P ∨ P | X P | P U P | P R P
• S is a state formula and P is a path formula.
• A (for all paths) and E (there exists a path) are the path quantifiers.
• U and R are the “until” and “release” operators.
• X is the “next time” operator.
• A CTL* formula is a state formula.
• Sometimes we write G P (always holds) for false R P, and F P (eventually holds) for true U P.
Semantics of path formulae
Semantics of state formulae
• s ⊨_T a if s ∈ V(a).
• s ⊨_T ¬a if s ∉ V(a).
• s ⊨ A P if every path from s satisfies P.
• s ⊨ E P if there exists a path from s that satisfies P.
LTL, CTL, and ACTL
• Linear Temporal Logic (LTL) is the sublogic of CTL* which contains no path quantifier.
• Semantically, the LTL formula f equals the CTL* formula Af.
• Intuitively, LTL checks all the possible paths simultaneously.
• CTL is the sublogic of CTL* in which each temporal operator (X, U, R) must be immediately preceded by a path quantifier.
• ACTL is the sublogic of CTL in which the only path quantifier permitted is A.
An example
[Figure: Kripke structure T with states s0 (labelled x, y), s1 (labelled y) and s2 (no label).]
• Does T satisfy the LTL formula F(G ¬y)?
• Does T satisfy the ACTL formula AF(¬y ∧ AX ¬x)?
Counterexample in LTL
Customizing the definition of counterexample:
• Fix the logic: LTL.
• Fix the preorder ≼: language inclusion.
Definition Let f be an LTL formula. A path is a linear counterexample for the model-checking problem M ⊨ f if it satisfies ¬f and belongs to L(M).
• Is the definition viable? A path of L(T) satisfying ¬f implies T ⊭ f; why?
• Is the definition complete? If M ⊭ f, then we can always find a path in L(M) as a counterexample; why?
LTL model checking via Büchi automata
A generalized Büchi automaton is a tuple ⟨Q, q0, →, l, 𝓕⟩ where
• Q is the set of states, with q0 as the starting state,
• → ⊆ Q × Q is the transition relation,
• l: Q → {a, ¬a, ∧, ∨, ◇, □} labels the states, and
• 𝓕 ⊆ 2^Q is the Büchi acceptance condition.
Büchi automaton as the temporal specification
• G_{T,B} = ⟨S, →, L⟩ is the product graph of B and T if
  • S = S_T × Q ∪ {true, false}, where S_T is the state set of T,
  • if q → q' and
    • l(q) ∈ {∨, ∧}, then ⟨s, q⟩ → ⟨s, q'⟩;
    • l(q) = ◇ (□), then ⟨s, q⟩ → ⟨s', q'⟩ for some (all) s → s';
    • l(q) = a (¬a), then ⟨s, q⟩ → true if s ∈ V(a) and ⟨s, q⟩ → false otherwise (the reverse for ¬a),
  • L(⟨s, q⟩) = ∨ for l(q) ∈ {∨, ◇} and L(⟨s, q⟩) = ∧ otherwise.
Büchi automaton-based model checking
• B accepts T if there is a successful run in G_{T,B}:
  • a run of G_{T,B} is a subgraph in which ⟨s, q⟩ keeps one (all) child(ren) if L(⟨s, q⟩) = ∨ (∧);
  • a run is successful if all the leaves are true, and every infinite path in the run visits some node of F infinitely often, for every acceptance set F ∈ 𝓕.
• Searching for a (un)successful run:
  • Mark all the leaves with true/false depending on the labeling, then propagate the values.
  • For the nodes in a strongly connected component, mark the nodes as true/false depending on the coverage of the SCC on 𝓕, then propagate the values.
  • Eventually, all the nodes will be marked true/false.
An example
[Figure: the Kripke structure T (s0 labelled x, y; s1 labelled y; s2) and the Büchi automaton with states q0 (∧), q1 (∨), q3, q4 (◇), q2, q5 and acceptance condition 𝓕 = {{q1, q2, q4}}.]
[Figure: product graph G_{T,B} with nodes (s0,q0), (s1,q0), (s2,q0), (s0,q1), (s1,q1), (s2,q1), (s0,q3), (s1,q3), (s2,q3), (s0,q4), (s1,q4), (s2,q4), (s0,q2), (s1,q2), (s2,q2) and the leaves true and false, each node labelled ∧ or ∨.]
Translating an LTL formula to a “never claim” BTA
Construct the BTA for ¬f by:
Translating an LTL formula (cont.)
2. For each subformula P1 U P2, there is an F ∈ 𝓕 such that F = {q | ( q ∧ X q) or P2 ∈ q}.
• Basically, F won't contain any node of a loop on which P1 U P2 keeps reproducing itself ⇒ P2 will eventually be satisfied.
Translating F(G ¬y)
[Figure: BTA with states q0 (∧), q1 (∨), q3, q4 (◇), q2 (y), q5 and acceptance condition 𝓕 = {{q1, q2, q4}}.]
• ¬A(F(G ¬y)) = E(G(F y)).
• Node labels of the expansion: E(G(F y)); E(XG(F y), F y); E(G(F y)) = E(XG(F y), y); E(XG(F y)); E(XG(F y), XF y).
Step 1: find a successful run
[Figure: the successful run, with nodes (s0,q0) ∧, (s2,q0) ∧, (s1,q1) ∨, (s0,q1) ∨, (s2,q1) ∨, (s2,q4) ∨, (s1,q3) ∧, (s0,q4) ∧, (s1,q2) ∨ and the leaf true.]
Step 2: get the skeleton
Remove branches (s, q) → (s', q') such that (s, q) is a leaf and l(q') ∉ {◇, □}.
[Figure: the skeleton, with nodes (s0,q0), (s2,q0), (s1,q1), (s0,q1), (s2,q1), (s2,q4), (s1,q3), (s0,q4), (s1,q2).]
Step 3: unroll the skeleton and get a path
(s0, q0) (s0, q1) (s0, q4) {(s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)}^ω, which projects onto the states s0 s0 s0 s1 s1 s1 s2 s2 s2 …
Step 4: eliminate the redundancy
Remove (s', q') from … (s, q) (s', q') … if l(q) ∉ {◇, □} or (s, q) is the head of the path.
(s0, q0) (s0, q1) (s0, q4) {(s1, q1) (s1, q3) (s1, q2) (s2, q0) (s2, q1) (s2, q4)}^ω
becomes (s0, q0) {(s1, q1) (s2, q0)}^ω, i.e. the path s0 {s1 s2}^ω.
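A check of the definition on the slides' own example, added here and not part of the original deck: the lasso s0 (s1 s2)^ω that Step 4 produces is confirmed to be a path of T and to satisfy ¬F(G ¬y), which is exactly what the linear-counterexample definition asks for. T's transitions (s0→s1, s1→s2, s2→s1) are assumed from the unrolled path because the figure did not survive extraction, and the tuple encoding of LTL formulae is ours.

```python
# Added example, not from the slides: decide whether a lasso path prefix.loop^w
# is a linear counterexample for M |= f as defined above, i.e. a path of M that
# satisfies not f. T's transitions are assumed (the figure did not survive).

T = {
    "init": "s0",
    "trans": {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s1"}},            # assumed
    "label": {"s0": {"x", "y"}, "s1": {"y"}, "s2": set()},
}

def is_path(M, prefix, loop):
    """Is prefix.loop^w a path of M (starts at s0, every step is a transition)?"""
    seq = prefix + loop
    return seq[0] == M["init"] and all(
        t in M["trans"][s] for s, t in zip(seq, seq[1:] + [loop[0]]))

def sat(M, prefix, loop, f):
    """Positions 0..n-1 of the lasso at which the LTL formula f holds."""
    seq, p = prefix + loop, len(prefix)
    n = len(seq)
    nxt = lambda i: i + 1 if i + 1 < n else p      # last position wraps into the loop
    every = set(range(n))
    sub = lambda g: sat(M, prefix, loop, g)
    op = f[0]
    if op == "true":  return every
    if op == "ap":    return {i for i in every if f[1] in M["label"][seq[i]]}
    if op == "not":   return every - sub(f[1])
    if op == "and":   return sub(f[1]) & sub(f[2])
    if op == "or":    return sub(f[1]) | sub(f[2])
    if op == "X":
        nxt_sat = sub(f[1]); return {i for i in every if nxt(i) in nxt_sat}
    if op == "U":     # least fixpoint: f[2] is reached along the path while f[1] holds
        left, hit = sub(f[1]), sub(f[2])
        while True:
            new = {i for i in left if nxt(i) in hit} - hit
            if not new:
                return hit
            hit |= new
    if op == "R":     return sub(("not", ("U", ("not", f[1]), ("not", f[2]))))
    if op == "F":     return sub(("U", ("true",), f[1]))                  # F P = true U P
    if op == "G":     return sub(("R", ("not", ("true",)), f[1]))         # G P = false R P
    raise ValueError(f"unknown operator {op!r}")

def is_linear_counterexample(M, prefix, loop, f):
    return is_path(M, prefix, loop) and 0 in sat(M, prefix, loop, ("not", f))

# The property from the example slide and the path produced by Step 4: s0 (s1 s2)^w
F_G_NOT_Y = ("F", ("G", ("not", ("ap", "y"))))
COUNTEREXAMPLE = (["s0"], ["s1", "s2"])
```

Calling `is_linear_counterexample(T, *COUNTEREXAMPLE, F_G_NOT_Y)` returns True; the same path is not a counterexample for G(F y), which T does satisfy.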
Is there a witness/counterexample for CTL*?
• Any two Kripke structures that are not bisimilar are distinguishable by a CTL* formula [Mil71].
• ⇒ Let ≼ be a natural preorder for CTL; then T1 ≼ T2 iff T1 bisimulates T2.
• ⇒ The witness (counterexample) for any T ⊨ f must also bisimulate T.
• Since bisimilarity on Kripke structures is basically isomorphism of graphs,
• ⇒ witness and counterexample are trivial in CTL*.
Counterexample for ACTL*
• The simulation preorder is a natural preorder for ECTL* ⇒ a counterexample for ACTL* is well-defined.
• Most of the desirable safety and fairness properties can be expressed in ACTL*.
Definition [Simulation Preorder ≼sim] ≼sim is a simulation preorder on T iff for every s ≼sim s1 and s → s', there exists s1 → s'1 such that s' ≼sim s'1. T1 ≼sim T2 if s10 ≼sim s20, where s10 and s20 are the starting states of T1 and T2.
Tree-like Counterexample for ACTL*
• Let f be an ACTL* formula and M ⊭ f. Then there exists a tree-like Kripke structure C ≼sim M such that C ⊭ f [CJLV02].
• C is a tree-like Kripke structure if
  • its (strongly-connected) component graph is a tree, and
  • the only strongly-connected components permitted in C are cycles.
An example
[Figure: a tree-like structure with states s'0, s'1, s'2, s'3 (labelled with subsets of {x, y}) that is ≼sim the example structure T with states s0 (x, y), s1 (y), s2. For each: ⊭ AF(¬y ∧ AX ¬x)?]
Generating a tree-like counterexample for M ⊭ f
… similar to generating a linear counterexample for LTL!
• Construct a BTA B for ¬f.
• Find a successful run in G_{M,B}.
• Get the skeleton of the run by cutting out any node (s', q') s.t. (s', q') is the only child of its father (s, q) and l(q) ∉ {∧, ∨}.
• Eliminate the redundancy and project the skeleton onto states.
If we know that C [Figure: the tree-like structure with states s'0, s'1, s'2, s'3] is a tree-like counterexample for M [Figure: T with states s0 (x, y), s1 (y), s2] ⊨ AF(¬y ∧ AX ¬x), and want to prove M ⊭ AF(¬y ∧ AX ¬x), we only need to show C ≼sim M.
[Figure: the simulation relation ≼sim between the states of the tree-like counterexample and the states of T.]
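The check that the last slide reduces the proof to, as an added example that is not part of the original deck: the largest simulation relation is computed by refining candidate state pairs until the definition of ≼sim holds, and C ≼sim M is read off the starting states. T's transitions are assumed as before (the figure did not survive extraction); agreement of atomic-proposition labels is added as the usual requirement, which the slide's definition leaves implicit; the lasso C and the variant with an extra back edge are constructed for illustration.

```python
# Added example, not from the slides: compute the largest simulation relation
# between two Kripke structures as a greatest fixpoint over candidate pairs,
# then decide C <=sim M from the starting states. Structures are dicts holding
# the start state, successor sets and atomic-proposition labels.
# T's transitions are assumed from the example slides (figure not recovered).

T = {
    "init": "s0",
    "trans": {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s1"}},           # assumed
    "label": {"s0": {"x", "y"}, "s1": {"y"}, "s2": set()},
}

# The linear counterexample s0 (s1 s2)^w from the LTL slides, written as a
# lasso-shaped Kripke structure whose states copy T's labels (constructed).
C_LASSO = {
    "init": "c0",
    "trans": {"c0": {"c1"}, "c1": {"c2"}, "c2": {"c1"}},
    "label": {"c0": {"x", "y"}, "c1": {"y"}, "c2": set()},
}

# Constructed variant with a back edge c2 -> c0 that T has no move to match.
C_BAD = {**C_LASSO, "trans": {"c0": {"c1"}, "c1": {"c2"}, "c2": {"c1", "c0"}}}


def simulation(C, M):
    """Largest relation R such that (c, m) in R implies labels agree (assumed
    here so that atomic propositions are preserved) and every c -> c' is
    matched by some m -> m' with (c', m') in R. Returned as a set of pairs."""
    rel = {(c, m) for c in C["trans"] for m in M["trans"]
           if C["label"][c] == M["label"][m]}
    changed = True
    while changed:                      # drop pairs until the definition holds
        changed = False
        for c, m in sorted(rel):
            matched = all(any((c2, m2) in rel for m2 in M["trans"][m])
                          for c2 in C["trans"][c])
            if not matched:
                rel.discard((c, m))
                changed = True
    return rel


def simulated_by(C, M):
    """C <=sim M: the starting states are related in the largest simulation."""
    return (C["init"], M["init"]) in simulation(C, M)
```

`simulated_by(C_LASSO, T)` is True, so the lasso is a subsystem of T in the ≼sim sense, while `simulated_by(C_BAD, T)` is False because s2 has no successor labelled {x, y} to match c2 → c0.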