## Abstraction for falsification (2005)

Venue: In Proceedings of Computer Aided Verification (CAV 2005), volume 3576 of LNCS

Citations: 20 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ball05abstractionfor,
  author    = {Thomas Ball and Orna Kupferman and Greta Yorsh},
  title     = {Abstraction for falsification},
  booktitle = {In Proceedings of Computer Aided Verification (CAV 2005), volume 3576 of LNCS},
  year      = {2005},
  pages     = {67--81},
  publisher = {Springer}
}
```

### Abstract

Abstraction is traditionally used in the process of verification. There, an abstraction of a concrete system is sound if properties of the abstract system also hold in the concrete system. Specifically, if an abstract state a satisfies a property ψ, then all the concrete states that correspond to a satisfy ψ too. Since the ideal goal of proving a system correct involves many obstacles, the primary use of formal methods nowadays is falsification. There, as in testing, the goal is to detect errors, rather than to prove correctness. In the falsification setting, we can say that an abstraction is sound if errors of the abstract system exist also in the concrete system. Specifically, if an abstract state a violates a property ψ, then there exists a concrete state that corresponds to a and violates ψ too. An abstraction that is sound for falsification need not be sound for verification. This suggests that existing frameworks for abstraction for verification may be too restrictive when used for falsification, and that a new framework is needed in order to take advantage of the weaker definition of soundness in the falsification setting. We present such a framework, show that it is indeed stronger (than other abstraction frameworks designed for verification), demonstrate that it can be made even stronger by parameterizing its transitions by predicates, and describe how it can be used for falsification of branching-time and linear-time temporal properties, as well as for generating testing goals for a concrete system by reasoning about its abstraction.
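The two soundness notions contrasted in the abstract, as an added illustration that is not part of the paper or of this page: a constructed toy concrete state space, an abstraction function ρ, and two 3-valued abstract labelings (using the ⊥ ⊑ T, ⊥ ⊑ F ordering quoted in the citation contexts below) are checked against the verification and the falsification definition. State names, proposition names and both labelings are made up for the example.

```python
# Added illustration (not from the paper): two notions of abstraction soundness
# on a constructed toy state space.  Labels are 3-valued: ⊥ ⊑ T and ⊥ ⊑ F.
T, F, BOT = "T", "F", "⊥"

AP = ["safe", "locked"]                       # constructed atomic propositions
LC = {                                        # constructed concrete labeling LC(c, p)
    "c0": {"safe": True,  "locked": True},
    "c1": {"safe": True,  "locked": False},
    "c2": {"safe": False, "locked": False},
    "c3": {"safe": True,  "locked": True},
    "c4": {"safe": False, "locked": False},
    "c5": {"safe": False, "locked": True},
}
RHO = {"c0": "a0", "c1": "a0", "c2": "a1",    # constructed abstraction function ρ: C → A
       "c3": "a1", "c4": "a2", "c5": "a2"}

def concretization(a):
    """Concrete states that ρ maps to abstract state a."""
    return [c for c, ab in RHO.items() if ab == a]

def universal_labeling():
    """T/F only when every concrete state of a agrees on p, otherwise ⊥."""
    LA = {}
    for a in set(RHO.values()):
        for p in AP:
            vals = {LC[c][p] for c in concretization(a)}
            LA[a, p] = T if vals == {True} else F if vals == {False} else BOT
    return LA

def optimistic_labeling():
    """T as soon as one concrete state of a satisfies p; F only when none does."""
    return {(a, p): T if any(LC[c][p] for c in concretization(a)) else F
            for a in set(RHO.values()) for p in AP}

def sound_for_verification(LA):
    """LA(a, p) = T must imply that all concrete states of a satisfy p."""
    return all(LC[c][p] for (a, p), v in LA.items() if v == T
               for c in concretization(a))

def sound_for_falsification(LA):
    """LA(a, p) = F must imply that some concrete state of a violates p."""
    return all(any(not LC[c][p] for c in concretization(a))
               for (a, p), v in LA.items() if v == F)

def satisfies(c, a, LA):
    """c satisfies a iff LA(a, p) ⊑ LC(c, p) for every p (⊥ is below both T and F)."""
    return all(LA[a, p] == BOT or (LA[a, p] == T) == LC[c][p] for p in AP)

if __name__ == "__main__":
    for name, LA in (("universal", universal_labeling()), ("optimistic", optimistic_labeling())):
        print(name, "verification:", sound_for_verification(LA),
              "falsification:", sound_for_falsification(LA))
```

The universal labeling is sound in both senses, while the optimistic one reports a spurious T for (a0, locked) yet is still sound for falsification, which is exactly the gap the paper's framework is designed to exploit.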

### Citations

- (1983 citations) Cousot and Cousot, 1977. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints.
  Context: "...for generating testing goals for a concrete system by reasoning about its abstraction. 1 Introduction. Automated abstraction is a powerful technique for reasoning about systems. An abstraction framework [CC77] consists of a concrete system with (large, possibly infinite) state space C, an abstract system with (smaller, often finite) state space A, and an abstraction function ρ: C → A that relates concrete ..."

- (837 citations) Clarke and Emerson, 1982. Design and synthesis of synchronization skeletons using branching-time temporal logic.

- (745 citations) Kleene, 1952. Introduction to Metamathematics.
  Context: "...may(a, a′), must+(a, a′), and must−(a, a′) instead of a −may→A a′, a −must+→A a′, and a −must−→A a′, respectively. The elements of {T, F, ⊥} can be arranged in an "information lattice" [Kle87] in which ⊥ ⊑ T and ⊥ ⊑ F. We say that a concrete state c satisfies an abstract state a if for all p ∈ AP, we have LA(a, p) ⊑ LC(c, p) (equivalently, if LA(a, p) ≠ ⊥ then LC(c, p) = LA(a, p)). Let C..."

- (639 citations) Graf and Saïdi, 1997. Construction of abstract state graphs with PVS.
  Context: "...P that is based on Φ is a TMTS with state space 2^Φ, thus each state is associated with (and is labeled by) the set of predicates that hold in it. For a detailed description of predicate abstraction see [GS97]. Note that all the transitions of the concrete system in which only the variables that encode the program location are changed (all transitions associated with statements that are not assignments, c..."

- (313 citations) Kozen, 1983. Results on the propositional µ-calculus.
  Context: "...[must−]*(a, a′) only if a′ is onto reachable from a, and [must+]*(a, a′) only if a′ is total reachable from a [Bal04]. By extending PML by fixed-point operators, one gets the logic µ-calculus [Koz83], which subsumes the branching temporal logics CTL and CTL*. The 3-valued semantics of PML can be extended to the µ-calculus [BG04]. Note that in the special case of CTL and CTL* formulas, this amo..."

- (255 citations) Dams, Gerth, et al., 1997. Abstract interpretation of reactive systems.

- (250 citations) Queille and Sifakis, 1982. Specification and verification of concurrent systems in CESAR.

- (144 citations) Larsen and Thomsen, 1988. A modal process logic.
  Context: "...system to have). We develop a new abstraction framework to take advantage of the weaker definition of soundness in the falsification setting. Our framework is based on modal transition systems (MTS) [LT88]. Traditional MTS have two types of transitions: may (over-approximating transitions) and must (under-approximating transitions). The use of must transitions in the falsification setting was explored ..."

- (104 citations) Bruns and Godefroid, 1999. Model Checking Partial State Spaces with 3-Valued Temporal Logics.

- (70 citations) Godefroid, Huth, et al., 2001. Abstraction-based model checking using modal transition systems.

- (56 citations) Ball, 2005. A theory of predicate-complete test coverage and generation.
  Context: "...falsification setting was explored in [PDV01,GLST05], with different motivations. Our framework contains, in addition, a new type of transition, which can be viewed as the reverse version of must transitions [Bal04]. Accordingly, we refer to transitions of this type as must− transitions and refer to the traditional must transitions as must+ transitions. While a must+ transition from an abstract state a to an ..."

- (53 citations) Larsen and Xinxin, 1990. Equation solving using modal transition systems.

- (50 citations) Pasareanu, Dwyer, et al., 2001. Finding feasible counter-examples when model checking abstracted Java programs.

- (33 citations) Godefroid and Jagadeesan, 2002. Automatic abstraction using generalized model checking.
  Context: "...must+ transitions are logically characterized by a 3-valued modal logic with the AX and EX (for all suc..." Footnote 4: "Note that the falsification setting is different than the problem of generalized model checking [GJ02]. There, the existential quantifier ranges over all possible concrete systems and the problem is one of satisfiability (does there exist a concrete system with the same property as the abstract system..."

- (29 citations) Grumberg, Lerda, et al., 2005. Proof-guided underapproximation-widening for multi-process systems.

- (19 citations) Dams and Namjoshi, 2005. Automata as abstractions.
  Context: "...and refinement, and we believe that several other ideas in verification can be lifted to falsification in the same way. This includes generalized model checking [GJ02], making the framework complete [DN05], and its augmentation with hyper-transitions [LX90,SG04]. Another interesting direction is to use must− transitions in order to strengthen abstractions in the verification setting: the ability to mo..."

- (16 citations) Fraser, Kamhi, et al., 2000. Prioritized traversal: efficient reachability analysis for verification and falsification.

- (9 citations) Benthem, 1991. Language in action: categories, lambdas and dynamic logic.

- (9 citations) Kupferman and Vardi, 2001. Model checking of safety properties. Formal Methods.
  Context: "...the system is actually executed. The infeasible task of executing the system with respect to all inputs is replaced by checking a test suite consisting of a finite subset of inputs. It is very important to measure the exhaustiveness of the test suite, and indeed, there has bee..." Footnote 11: "When ψ is a safety property, A¬ψ is an automaton accepting finite bad prefixes [KV01], and weak reachability is sufficient."

- (5 citations) Dijkstra, 1976. A Discipline of Programming.
  Context: "...gram, and thus it is also associated with a statement. For a statement s and a predicate e over X, the weakest precondition WP(s, e) and the strongest postcondition SP(s, e) are defined as follows [Dij76]: the execution of s from every state that satisfies WP(s, e) results in a state that satisfies e, and WP(s, e) is the weakest predicate for which the above holds; the execution of s from a state ..."

- (4 citations) Bruns and Godefroid, 2004. Model checking with 3-valued temporal logics.
  Context: "...extending PML by fixed-point operators, one gets the logic µ-calculus [Koz83], which subsumes the branching temporal logics CTL and CTL*. The 3-valued semantics of PML can be extended to the µ-calculus [BG04]. Note that in the special case of CTL and CTL* formulas, this amounts to letting path formulas range over may and must+ paths [SG03]. The fact that the "onto" nature of must− transitions is retain..."

- (2 citations) Huth, Jagadeesan, et al., 2001. Model checking partial state spaces with 3-valued temporal logics. In: ESOP.