Tree-Like Counterexamples in Model Checking. Edmund Clarke, Somesh Jha, Yuan Lu, Helmut Veith. Presented by: Hagit Cohen, April 2006.
Outline • Introduction and linear counterexamples. • Tree-like Kripke structures. • Tree-like counterexamples for ACTL. • Tree-like counterexamples for AΩ. • Applications.
Counterexamples - motivation • A tool for detecting bugs. • Major importance in verification of large systems. • Automatic generation. • Abstraction refinement methodology for model checking.
What are counterexamples? • Given a property φ claimed to hold for each element of a given set S, φ can be disproved by exhibiting a single element s ∈ S such that φ does not hold for s. (Figure: the set S with φ claimed for all of it, and one element s refuting it.)
What are counterexamples? (cont.) • Existential properties cannot be disproved by counterexamples. • For temporal logics, counterexamples are therefore expected for the universal fragments.
Universal logics • A logic L is universal if the simulation theorem holds for L: for every formula ψ of L, if K ≽ C (K simulates C) and K ⊨ ψ, then C ⊨ ψ. • Example: ACTL is universal. (Figure: ACTL(*) is contained in AΩ.)
Linear counterexamples • Simple non-branching structures. • Finite or infinite paths. • The only kind of counterexample most model checkers produce. • Example: a counterexample for AF¬x is an infinite path on which x holds in every state.
Linear counterexamples (cont.) • Insufficient for ACTL: only the properties in ACTL ∩ LTL have linear counterexamples. • AFAXp – a counterexample has to show that there exists an infinite path π such that from every state of π a state satisfying ¬p is reachable in one step (a model of EGEX¬p). ⇒ Branching by definition. • Recognizing the ACTL formulas that do have linear counterexamples is PSPACE-hard.
From Linear to Tree-Like • Desired attributes of a counterexample class: • Completeness • Intelligibility • Effectiveness • Viability
Counterexamples for ACTL • K ⊭ φ, C – a counterexample. • What do we expect of C? • C violates φ: C ⊭ φ, or equivalently C ⊨ ¬φ, where ¬φ is an ECTL formula; C is a witness of ¬φ.
Counterexamples for ACTL (cont.) • What do we expect of C? • The violation on C “explains” the violation on K, via the relation K ≽ C. • C is viable: we demand that C is tree-like.
Tree-like graphs and Kripke structures • A graph is tree-like if: • all its SCCs (strongly connected components) are cycles, and • the component graph (one vertex per SCC) is a directed tree. • A Kripke structure K = (S, R, L, {sinit}) is tree-like if the graph (S, R) is a finite tree-like graph whose root is the initial state sinit of K.
Tree-like Kripke structure – example (figure: a tree-like structure on the states S1–S7).
Tree-like CE for ACTL - Example • φ = AG¬x ⋁ AF¬y • A counterexample for φ shows existence of: • A finite path leading to a state satisfying x. AND • An infinite path along which y is always true.
Tree-like CE for ACTL - Example (cont.) • A counterexample for the ACTL formula φ = AG¬x ⋁ AF¬y is a model of the ECTL formula φ’ = EFx ⋀ EGy. (Figure: one branch leads to a state labelled x; the other is a loop whose states are all labelled y.)
Duality of ACTL and ECTL • Counterexamples for ACTL are closely related to finite models for ECTL. • ECTL has the tree-like model property. • φ – an ACTL formula; ¬φ – an ECTL formula. • By the duality of ACTL and ECTL, a tree-like model of ¬φ is a possible counterexample for φ (one among all possible counterexamples over all Kripke structures), and the tree-like model property of ECTL guarantees that such a model exists.
Weakness of ACTL(*) • Weakness of the path formulas. • Example: there is no ACTL formula expressing the property “φ holds at all even time points” (time line 1, 2, 3, 4, 5, 6, …).
Monotonicity of linear time operators • Example: φ = Fp. • Suppose π ⊨ Fp. • For every σ such that π ⊆p σ (every position where p holds on π also satisfies p on σ), σ ⊨ Fp. • This results from the monotonicity of the operator F.
From ACTL(*) to AΩ • AΩ – an extension of ACTL by ω-regular linear time operators. • More expressive power. • Retains the monotonicity of the linear time operators.
LTL operators as patterns • View LTL operators as patterns on the time line. • Can be observed on paths. • Example: Fφ describes the following path patterns: M1, ⊥M1, ⊥ ⊥ M1, ⊥ ⊥ ⊥ M1, … M1- marker - the position where φ holds. ⊥ - “don’t care”.
LTL operators as regular expressions • F: (⊥)* M1 • X: ⊥ M1 • G: (M1)ω • U: (M1)* M2
Temporal operators as regular expressions – formal definition • A temporal operator O with n input formulas is defined as a set of words over the alphabet Σ = P({M1, …, Mn}). • Abbreviations: • ⊥ for ∅ (the empty set: no marker required). • M1 for the singleton {M1}.
Temporal operators as regular expressions – terminology • If O is defined by an ω-regular expression, we say that O is a Büchi operator (also: regular, computable).
Semantics of regular temporal operators • Let • O – a regular temporal operator. • π = s0, s1, … a path in a Kripke structure K. • φ1, …, φn – formulas. • Then K,π ⊨ O(φ1, …, φn) iff there exists a pattern o ∈ O such that for all positions i < |o| and for all Mk ∈ o(i), it holds that K,πi ⊨ φk.
Regular temporal operators – example 1 • Define a new operator Oeven(φ): φ holds at all even time points (time line 1, 2, 3, 4, 5, 6, …). • An ω-regular expression for Oeven: (⊥ M1)ω.
Regular temporal operators – example 1 (cont.) • When does K,π ⊨ Oeven(φ1) hold? • The marker M1 denotes that φ1 holds. • There is a single possible pattern o ∈ O: o = ⊥ M1 ⊥ M1 ⊥ M1 ⊥ M1 … • For a path π with K,π ⊨ Oeven(φ1): at every even time point i we have πi ⊨ φ1, since M1 ∈ o(i). ⇒ φ1 holds at all even time points.
Regular temporal operators – example 1 (cont.) • What about the odd time points i? • πi ⊨ φ1 is allowed. • πi ⊭ φ1 is allowed as well (⊥ is “don't care”). • This is the monotonicity of Oeven: adding positions where φ1 holds never breaks satisfaction.
Regular temporal operators – example 2 • Define a new operator Omax4gap(φ): there should be no more than four time units between two occurrences of φ. • An ω-regular expression for Omax4gap: (M1 | ⊥M1 | ⊥⊥M1 | ⊥⊥⊥M1 | ⊥⊥⊥⊥M1)ω
Regular temporal operators – example 2 (cont.) • When does K,π ⊨ Omax4gap(φ1) hold? • The marker M1 denotes that φ1 holds. • There are infinitely many possible patterns o ∈ O, each built from the five building blocks. • Any path π with more than four time units between two occurrences of φ1 matches none of the patterns, and thus does not satisfy O(φ1).
Preservation of monotonicity • A marker can only require that a sub-formula holds; there is no way to require the negation of a sub-formula as a marker. • Therefore all operators defined this way are monotonic.
Monotonicity – formal definition • Given a path π and a formula φ, φπ denotes the set of positions of π where φ holds. • For a sequence of formulas φ1, …, φn we define π ⊆φ1,…,φn σ iff φiπ ⊆ φiσ for all i = 1, …, n. • Lemma (Monotonicity): If K,π ⊨ O(φ1, …, φn) and π ⊆φ1,…,φn σ, then K,σ ⊨ O(φ1, …, φn).
Monotonicity and counterexamples • By contraposition: if K,σ ⊭ O(φ1, …, φn) and π ⊆φ1,…,φn σ, then K,π ⊭ O(φ1, …, φn). • The refutation of O(φ1, …, φn) on a path does not depend on the satisfied sub-formulas, but only on the violated sub-formulas.
Monotonicity and counterexamples (cont.) • Example: if K,π ⊭ Oeven φ, then K,π ⊨ Oeven φ can be disproved by finding an even position j such that K,πj ⊭ φ. • In general: disprove O(φ1, …, φn) by identifying all violations of φ1, …, φn on π. (Figure: the counterexample for O(φ1, …, φn) is assembled from counterexamples for φ1, …, φn.)
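To make the pattern semantics and the monotonicity lemma concrete, here is an added Python example; it is not code from the slides or from the paper. It assumes: a path is a lasso prefix·loopω of label sets; φ1, …, φn are atomic propositions; positions are numbered from 0 as on the semantics slide (so the pattern (⊥M1)ω of Oeven marks positions 1, 3, 5, …, which are the even time points 2, 4, 6, … of the slides' time line starting at 1); and each operator is given as a deterministic Büchi automaton for its monotonic hull O', in which a transition labelled σ fires on any read symbol a ⊇ σ. The names HullAutomaton, satisfies and strengthen are mine.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Sequence, Set, Tuple

Markers = FrozenSet[str]
BOT: Markers = frozenset()          # ⊥ ("don't care"): requires no marker
M1: Markers = frozenset({"M1"})


@dataclass
class HullAutomaton:
    """Deterministic Büchi automaton for the monotonic hull O' of an operator O.
    A transition labelled σ fires on a read symbol a iff σ ⊆ a (the σ -> σ'
    replacement of the slides). Transitions are tried in list order, so the
    most specific σ must come first. A symbol with no firing transition means
    no pattern of O can be continued: the path violates the operator."""
    start: int
    delta: Dict[int, List[Tuple[Markers, int]]]
    accepting: FrozenSet[int]

    def step(self, q: int, a: Markers) -> Optional[int]:
        for sigma, q_next in self.delta.get(q, []):
            if sigma <= a:
                return q_next
        return None


# F: (⊥)* M1 -- wait for M1, then anything; accepting only once M1 was seen
F_OP = HullAutomaton(0, {0: [(M1, 1), (BOT, 0)], 1: [(BOT, 1)]}, frozenset({1}))
# G: (M1)ω
G_OP = HullAutomaton(0, {0: [(M1, 0)]}, frozenset({0}))
# Oeven: (⊥ M1)ω -- M1 required at positions 1, 3, 5, ... (counting from 0)
EVEN_OP = HullAutomaton(0, {0: [(BOT, 1)], 1: [(M1, 0)]}, frozenset({0, 1}))
# Omax4gap: (M1 | ⊥M1 | ⊥⊥M1 | ⊥⊥⊥M1 | ⊥⊥⊥⊥M1)ω -- state c counts the ⊥ symbols
# since the last M1; a fifth ⊥ in a row has no transition
MAX4GAP_OP = HullAutomaton(
    0, {c: [(M1, 0)] + ([(BOT, c + 1)] if c < 4 else []) for c in range(5)},
    frozenset(range(5)))


def symbol(labels: Set[str], formulas: Sequence[str]) -> Markers:
    """Marker set of one position: Mk iff φk holds there. (φk are atomic
    propositions, so 'holds' means 'is in the state's label set'. The proof
    sketch uses the dual word, Mk iff φk is violated, for the complement
    automaton; here we match O itself.)"""
    return frozenset(f"M{k + 1}" for k, phi in enumerate(formulas) if phi in labels)


def satisfies(op: HullAutomaton, prefix: Sequence[Set[str]], loop: Sequence[Set[str]],
              formulas: Sequence[str]) -> Tuple[bool, Optional[int]]:
    """Decide K,π ⊨ O(φ1..φn) for the lasso π = prefix · loopω.
    Returns (True, None) when satisfied; (False, i) when position i is the first
    one whose marker set no pattern can absorb (the violation is visible in a
    finite prefix); (False, None) when every step is possible but no accepting
    state recurs (e.g. F when φ never holds)."""
    if not loop:
        raise ValueError("a lasso needs a non-empty loop")
    q = op.start
    for i, labels in enumerate(prefix):
        q = op.step(q, symbol(labels, formulas))
        if q is None:
            return False, i
    # the run on loopω is ultimately periodic: stop when (state, loop position) repeats
    seen: Dict[Tuple[int, int], int] = {}
    run: List[int] = []
    pos = 0
    while (q, pos) not in seen:
        seen[(q, pos)] = len(run)
        run.append(q)
        q = op.step(q, symbol(loop[pos], formulas))
        if q is None:
            return False, len(prefix) + len(run) - 1
        pos = (pos + 1) % len(loop)
    recurring = set(run[seen[(q, pos)]:])       # states visited infinitely often
    return bool(recurring & op.accepting), None


def strengthen(labels_seq: Sequence[Set[str]], prop: str, positions: Iterable[int]) -> List[Set[str]]:
    """Build σ from π by adding prop at the given positions, so that π ⊆prop σ;
    the monotonicity lemma says satisfaction of any operator must survive this."""
    extra = set(positions)
    return [set(l) | ({prop} if i in extra else set()) for i, l in enumerate(labels_seq)]
```

On the violated Oeven path below, satisfies reports position 1 (the slide's even time point 2), which is exactly the single violated sub-formula occurrence a counterexample needs to exhibit.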
The logic AΩ Given: • Ω – a set of regular temporal operators. • AP – a set of atomic propositions. AΩ consists of the following formulas: • Every p ∈ AP is in AΩ. • For each p ∈ AP, ¬p is in AΩ. • If O ∈ Ω is an n-ary operator and φ1, …, φn ∈ AΩ, then AO(φ1, …, φn) ∈ AΩ.
The logic AΩ (cont.) • If φ1, φ2 are in AΩ, then φ1⋀φ2 ∈ AΩ and φ1⋁φ2 ∈ AΩ. • If φ1,φ2… ∈ AΩ, then ⋀i≥1φi ∈ AΩ.
Semantics of AΩ • When does K,s ⊨ φ hold? • If φ is an atomic proposition then K,s ⊨ φ iff φ ∈ L(s). • K,s ⊨ ¬φ iff K,s ⊭ φ. • K,s ⊨ AO(φ1, …, φn) iff for all paths π starting at s it holds that K,π ⊨ O(φ1, …, φn).
Semantics of AΩ (cont.) • K,s ⊨ φ1 ⋁ φ2 iff K,s ⊨ φ1 or K,s ⊨ φ2. • K,s ⊨ φ1 ⋀ φ2 iff K,s ⊨ φ1 and K,s ⊨ φ2. • K,s ⊨ ⋀i≥1 φi iff K,s ⊨ φi for all i ≥ 1.
The logic AΩ (cont.) • AΩ is universal. • ACTL and ACTL* can be defined as subsets of AΩ with finite conjunction. • Any proof of the tree-like counterexample property for AΩ is therefore also valid for ACTL(*). • EΩ is defined similarly by replacing: • A ⇒ E • ⋀i≥1 φi ⇒ ⋁i≥1 φi
Counterexample theorem • Let Ω be a set of temporal Büchi operators. Then AΩ has tree-like counterexamples. • Furthermore, the tree-like counterexamples are effectively computable. • Corollary: EΩ has the tree-like model property.
Constructing counterexamples • Lemma: Let O be a Büchi operator, K a Kripke structure, and s0 a state such that K,s0 ⊭ AO(Ψ1, …, Ψk). Then there exists a path σ = s0, … such that: • K,σ ⊭ O(Ψ1, …, Ψk). • σ is a lasso: a finite prefix s0, …, sN followed by the loop sN, …, sN+M repeated forever, i.e. σ = s0, …, sN−1, (sN, …, sN+M)ω.
Proof sketch for the lemma • The idea: construct a Büchi automaton for the patterns of ¬O (the patterns that violate O), and use an accepting run of the automaton to obtain a path σ with the required property.
Proof sketch for the lemma (cont.) • O – a set of patterns over the alphabet Σk = P({M1, …, Mk}). • The patterns for ¬O cannot be obtained as the set-theoretic complement of O. Example: the pattern (⊥)*M1 of the operator F. Its complement contains the pattern M1M1, although a path on which the constraint M1M1 holds satisfies F.
Proof sketch for the lemma (cont.) • Therefore the complement has to be taken of the set O', the “monotonic hull” of O. • Denoting: • R – the regular expression for O. • R' – the regular expression for O'. • σ' – the set of all symbols of the alphabet that are supersets of the symbol σ ∈ Σk. • R' is obtained from R by replacing every occurrence of a symbol σ by σ'.
Proof sketch for the lemma (cont.) • What is O' = L(R')? If a pattern o is in O, then all patterns obtained from o by adding zero or more additional markers are in O'. • ⇒ ¬O' (the complement of O') is the set of all patterns that violate the operator. • Due to monotonicity, in the context of AΩ the operators O and O' are identical.
Proof sketch for the lemma (cont.) • Let A be the Büchi automaton accepting ¬O', and π a path such that K,π ⊭ O(Ψ1, …, Ψk). • Construct a word sπ that is accepted by A: sπ(i) = {Mj : K,πi ⊭ Ψj} for all i ≥ 0. • Let q be an accepting state of A that appears infinitely often in an accepting run of A on sπ, at the indices a1 < a2 < …, and consider the corresponding states of K: π(a1), π(a2), …
Proof sketch for the lemma (cont.) • K has a finite number of states. ⇒ There are two indices J < J' such that π(aJ) = π(aJ'). • Choosing the minimal such J < J', the path σ given by the prefix π(0), …, π(aJ−1) followed by the loop (π(aJ), …, π(aJ'−1))ω matches a word accepted by A (the run returns to q at π(aJ) = π(aJ') with every repetition). • ⇒ σ is a path as stated by the lemma.
The tree-like property of the path σ = s0, …, sN−1, (sN, …, sN+M)ω • If all the states are different, then σ describes a simple tree-like substructure of K containing the path s0, …, sN, leading into the loop sN, …, sN+M. • Otherwise, a tree-like structure is obtained by unraveling the path using the indexed Kripke structure.
The indexed Kripke structure – Kω • K = (S, I, R, L) ⇒ Kω = (Sω, Iω, Rω, Lω): • Sω = S × ℕ • Iω = I × ℕ • (s1i, s2j) ∈ Rω ⇔ (s1, s2) ∈ R • Lω(si) = L(s) • For a path π = s0, s1, s2, … of K: unravel(C, π) = s0C, s1C+1, s2C+2, … (every state receives a fresh index).
The algorithm CEX • Given K, s0, φ such that K,s0 ⊭ φ, CEX(K, s0, φ) computes a tree-like counterexample for K,s0 ⊨ φ. • The tree-like counterexample is constructed as a substructure of Kω (the index of the states is given by a global counter C, initialized to 0). • Assumptions: • K,s0 ⊭ φ. • A model checking procedure for AΩ is available.
Algorithm CEX – output format • A description, constructed of: • Path descriptors <s0, …, sn> • Loop descriptors <s0, …, sn, s0> or <s0, …, sn>ω • Example (figure: a tree-like structure on S1–S6): <s1,s2> <s1,s5,s6> <s6,s6> <s2,s3,s4>ω
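As an added Python example (not the slides' or the paper's code), the following implements the tree-like check from the definition slide, the unraveling of a lasso path through Kω, and the CEX descriptor format, so the three can be tried on the structure of the output-format example. It assumes states are hashable values, a Kripke structure is given as (states, edges, init), and a lasso is given as (prefix, loop) with σ = prefix·loopω. The component graph is treated as a simple graph (one edge between two SCCs however many state-level edges connect them) and a single state without a self-loop is taken as a trivial cycle; the function names are mine.

```python
from typing import Dict, FrozenSet, Hashable, List, Set, Tuple

State = Hashable
Edge = Tuple[State, State]


def successors(states: List[State], edges: List[Edge]) -> Dict[State, Set[State]]:
    """Adjacency map of the graph (S, R); rejects edges on unknown states."""
    succ: Dict[State, Set[State]] = {s: set() for s in states}
    for a, b in edges:
        if a not in succ or b not in succ:
            raise ValueError(f"edge {(a, b)} mentions a state not in S")
        succ[a].add(b)
    return succ


def sccs(states: List[State], succ: Dict[State, Set[State]]) -> List[FrozenSet[State]]:
    """Strongly connected components (Tarjan's algorithm, recursive)."""
    index: Dict[State, int] = {}
    low: Dict[State, int] = {}
    stack: List[State] = []
    on_stack: Set[State] = set()
    comps: List[FrozenSet[State]] = []

    def visit(v: State) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of a component
            comp: Set[State] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for s in states:
        if s not in index:
            visit(s)
    return comps


def is_tree_like(states: List[State], edges: List[Edge], init: State) -> bool:
    """Definition from the slides: every SCC is a cycle and the component graph
    is a directed tree whose root is the component of the initial state."""
    succ = successors(states, edges)
    comps = sccs(states, succ)
    comp_of = {s: c for c in comps for s in c}
    for c in comps:
        if len(c) == 1:
            (v,) = c
            if v not in succ[v]:
                continue                       # trivial SCC: one state, no self-loop
        # strongly connected + exactly one successor inside the SCC for every
        # state = a simple cycle (a self-loop is a cycle of length 1)
        if any(len(succ[s] & c) != 1 for s in c):
            return False
    parents: Dict[FrozenSet[State], Set[FrozenSet[State]]] = {c: set() for c in comps}
    for a, b in edges:
        if comp_of[a] != comp_of[b]:
            parents[comp_of[b]].add(comp_of[a])
    root = comp_of[init]
    # directed tree: the root has no parent and every other component exactly one
    # (the component graph is acyclic, so this also makes every component reachable)
    return not parents[root] and all(len(parents[c]) == 1 for c in comps if c != root)


def induced_substructure(prefix: List[State], loop: List[State]):
    """States and edges of K actually traversed by σ = prefix·loopω."""
    path = prefix + loop
    states = list(dict.fromkeys(path))                     # distinct, first-visit order
    edges = {(path[i], path[i + 1]) for i in range(len(path) - 1)}
    edges.add((path[-1], loop[0]))                         # closing edge of the loop
    return states, sorted(edges)


def unravel(prefix: List[State], loop: List[State], C: int = 0):
    """Unravel σ = prefix·loopω in Kω: position i becomes (σi, C+i). All states are
    now distinct, so the result is a simple path into a simple cycle: tree-like."""
    if not loop:
        raise ValueError("a lasso needs a non-empty loop")
    path = prefix + loop
    states = [(s, C + i) for i, s in enumerate(path)]
    edges = [(states[i], states[i + 1]) for i in range(len(states) - 1)]
    edges.append((states[-1], states[len(prefix)]))        # back edge closing the loop
    return states, edges


def descriptors(prefix: List[State], loop: List[State]) -> List[str]:
    """CEX output format: a path descriptor <s0,...,sN> (when there is a prefix)
    followed by the loop descriptor <sN,...,sN+M>ω, the two sharing the state sN."""
    out: List[str] = []
    if prefix:
        out.append("<" + ",".join(map(str, prefix + loop[:1])) + ">")
    out.append("<" + ",".join(map(str, loop)) + ">ω")
    return out
```

The path a, b, c, (a, c)ω revisits a, so the part of K it traverses has an SCC {a, b, c} in which a has two successors; that substructure is not tree-like, while its unraveling in Kω is.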