## A game-based framework for CTL counterexamples and 3-valued abstraction-refinement (2003)


### Publication details

Venue: Computer Aided Verification (CAV), LNCS 2725

Citations: 24 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Shoham03agame-based,
  author    = {Sharon Shoham and Orna Grumberg},
  title     = {A game-based framework for CTL counterexamples and 3-valued abstraction-refinement},
  booktitle = {Computer Aided Verification (CAV), LNCS 2725},
  year      = {2003},
  pages     = {275--287},
  publisher = {Springer}
}
```


### Abstract

This work exploits and extends the game-based framework of CTL model checking for counterexample and incremental abstraction-refinement. We define a game-based CTL model checking for abstract models over the 3-valued semantics, which can be used for verification as well as refutation. The model checking may end with an indefinite result, in which case we suggest a new notion of refinement, which eliminates indefinite results of the model checking. This provides an iterative abstraction-refinement framework. It is enhanced by an incremental algorithm, where refinement is applied only where indefinite results exist and definite results from prior iterations are used within the model checking algorithm. We also define the notion of annotated counterexamples, which are sufficient and minimal counterexamples for full CTL. We present an algorithm that uses the game board of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula.

### Citations

2601 | Model Checking
- Clarke, Grumberg, et al.
- 2000
Citation context: ...model checking for counterexample and incremental abstraction-refinement. The first goal of this work is to suggest a game-based new model checking algorithm for the branching-time temporal logic CTL [11] in the context of abstraction. Model checking is a successful approach for verifying whether a system model M satisfies a specification ϕ, written as a temporal logic formula. Yet, concrete (regular)...

1983 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation context: ...d in the framework of Abstract Interpretation [24, 11]. Let M_C = (S_C, S_{0C}, →, L_C) be a (concrete) KS. Let (S_A, ⊑) be a poset of abstract states and (γ : S_A → 2^{S_C}, α : 2^{S_C} → S_A) a Galois connection [10, 24] from (2^{S_C}, ⊆) to (S_A, ⊑). γ is the concretization function that maps each abstract state s to the set of concrete states that it represents. α is the abstraction function that maps each set of concre...

837 | Design and synthesis of synchronization skeletons using branching-time temporal logic
- Clarke, Emerson
- 1982

658 | Model checking and abstraction
- Clarke, Grumberg, et al.
- 1992
Citation context: ...predicates from a specification and iteratively compute the predicates required for the abstraction relative to the specification. All these works use the general framework of existential abstraction [14] and are thus suitable for verifying universal properties only (without existential quantifiers). Unlike them, [45] shows how boolean abstractions can be constructed simply, efficiently and precisely ...

652 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
Citation context: ...This is an indication that our abstraction cannot determine the value of the checked property in the concrete model and therefore needs to be refined. The traditional abstraction-refinement framework [19, 6] is designed for 2-valued abstractions, where false may be a false-alarm, thus refinement is aimed at eliminating false results. As such, it is usually based on a counterexample analysis. Unlike this ...

639 | Construction of abstract state graphs with PVS
- Graf, Saïdi
Citation context: ...partial coloring algorithm, presented in Definition 3.6. Note that for many abstractions, checking if a node is a sub-node of another is simple. For example, in the framework of predicate abstraction [23, 45, 40, 20], this means that the abstract states "agree" on all the predicates that exist before the refinement. When the abstraction is based on invisible variables [12], this means that the abstract states "ag...

477 | Lazy abstraction
- Henzinger, Jhala, et al.
Citation context: ...tation, thus it is more general. It also has the advantage of being most suitable for using results from previous iterations, resulting in an incremental algorithm. Incremental Abstraction-Refinement [26] introduces the concept of lazy abstraction to integrate and optimize the three phases of the abstract-check-refine loop within the abstraction-refinement framework. Lazy abstraction continuously buil...

313 | An automata-theoretic approach to branching-time model checking
- Kupferman, Vardi, et al.
Citation context: ...rithm. Yet, it is then not clear how to guide the refinement, in case it is needed. The game-based approach to model checking, used in this work, is closely related to the Automata-theoretic approach [18], as described in [22]. Thus, our work can also be described in this framework, using alternating automata. Organization. The rest of the paper is organized as follows. In Section 2 we give some backg...

255 | Abstract interpretation of reactive systems
- Dams, Gerth, et al.
- 1997
Citation context: ... sets of concrete states. In order to be conservative w.r.t. CTL, two types of transitions are required: may-transitions which represent possible transitions in the concrete model, and must-transitions [33, 16] which represent definite transitions in the concrete model. May and must transitions correspond to over and under approximations, and are needed in order to preserve formulae of the form AXψ and EXψ,...

244 | Checking that finite state concurrent programs satisfy their linear specification
- Lichtenstein, Pnueli

144 | A modal process logic
- Larsen, Thomsen
- 1988
Citation context: ...tt (ff) ⇔ ∃loise (∀belard) has a winning strategy for the game starting at (s, ϕ1) ⇔ (s, ϕ1) is colored by T (F). 2.2 Abstraction. Abstract models preserving CTL need to have two transition relations [20, 11]. This is achieved by using Kripke Modal Transition Systems [17, 13]. Definition 2. A Kripke Modal Transition System (KMTS) is a tuple M = (S, S_0, →_must, →_may, L), where S is a finite set of stat...

141 | Property preserving abstractions for the verification of concurrent systems
- Loiseaux, Graf, et al.
- 1995
Citation context: ... one of p and ¬p is in L(s). We consider abstractions that collapse sets of concrete states into single abstract states. Such abstractions can be described in the framework of Abstract Interpretation [24, 11]. Let M_C = (S_C, S_{0C}, →, L_C) be a (concrete) KS. Let (S_A, ⊑) be a poset of abstract states and (γ : S_A → 2^{S_C}, α : 2^{S_C} → S_A) a Galois connection [10, 24] from (2^{S_C}, ⊆) to (S_A, ⊑). γ is the concreti...

137 | Experience with predicate abstraction
- Das, Dill, et al.
- 1999

104 | Model Checking Partial State Spaces with 3-Valued Temporal Logics
- Bruns, Godefroid
- 1999
Citation context: ... be combined with any of these abstractions. 3-Valued Logic. Unlike the traditional (2-valued) abstraction, that preserves only truth of a formula from the abstract model to the concrete one, recently [6, 7, 20, 21, 28, 22] it was shown how automatic abstraction can be performed to verify modal µ-calculus formulae, based on a 3-valued semantics, such that both truth and falseness are preserved. The key to make this poss...

97 | Modal Transition Systems: A Foundation for Three-Valued Program Analysis
- Huth, Jagadeesan, et al.
- 2001
Citation context: ...ing at (s, ϕ1) ⇔ (s, ϕ1) is colored by T (F). 2.2 Abstraction. Abstract models preserving CTL need to have two transition relations [20, 11]. This is achieved by using Kripke Modal Transition Systems [17, 13]. Definition 2. A Kripke Modal Transition System (KMTS) is a tuple M = (S, S_0, →_must, →_may, L), where S is a finite set of states, S_0 ⊆ S is a set of initial states, →_must ⊆ S × S and →_may ⊆ S ...

95 | Modal and Temporal Properties of Processes
- Stirling
- 2001
Citation context: ... of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula. 1 Introduction. This work exploits and extends the game-based framework [31] of CTL model checking for counterexample and incremental abstraction-refinement. The first goal of this work is to suggest a game-based new model checking algorithm for the branching-time temporal lo...

88 | Abstract and model check while you prove
- Saïdi, Shankar
- 1999
Citation context: ...s more general than the invisible variables abstraction since it exploits logical relationships among variables. Their technique is similar to predicate abstraction (also called boolean abstractions) [23, 17, 44, 40, 45]. In predicate abstraction, abstract models are constructed by using boolean variables to represent concrete predicates. More specifically, [23] describes a method for the automatic construction of an...

83 | Local model checking games
- Stirling
- 1995
Citation context: ... Related Work. Games and Automata. Our work uses a characterization of the CTL model checking problem in terms of two-player games. The game-based approach to model checking was introduced by Stirling [46] as a way of combining the algorithmic approach to model checking and the proof system approach. [47, 32, 31] present model checking algorithms based on games for various temporal logics, including CT...

79 | Generalized Model Checking: Reasoning about Partial State Spaces
- Bruns, Godefroid
- 2000
Citation context: ... be combined with any of these abstractions. 3-Valued Logic. Unlike the traditional (2-valued) abstraction, that preserves only truth of a formula from the abstract model to the concrete one, recently [6, 7, 20, 21, 28, 22] it was shown how automatic abstraction can be performed to verify modal µ-calculus formulae, based on a 3-valued semantics, such that both truth and falseness are preserved. The key to make this poss...

76 | Temporal-safety proofs for systems code
- Henzinger, Jhala, et al.
- 2002
Citation context: ...uniform abstract model whose predicates change from state to state. They present an algorithm for model checking safety properties using lazy abstraction. The idea of lazy abstraction is also used in [25]. Our incremental algorithm generalizes the idea of lazy abstraction to model checking of CTL properties, where any abstraction that is described within the framework of abstract interpretation can...

73 | Modal specifications
- Larsen
- 1989
Citation context: ...roperties that are true, false and unknown of the concrete system. Different formalisms of abstract models suitable for the 3-valued semantics are proposed in the literature: Modal Transition Systems [33, 34], Partial Kripke Structures [6, 7], and Kripke Modal Transition Systems [28, 21]. It is shown in [22] that they have the same expressiveness and that their model checking problem can be reduced to two...

70 | Automated abstraction refinement for model checking large state spaces using SAT based conflict analysis
- Chauhan, Clarke, et al.
- 2002
Citation context: ...ulted in an indefinite answer. When the result is ⊥, there is no reason to assume either one of the definite answers tt or ff. Thus, we would like to base the refinement not on a counterexample as in [19, 6, 2, 8, 4], but on the point(s) that are responsible for the uncertainty. The goal of the refinement is to discard these points, in the hope of getting a definite result on the refined abstraction. Let M_C = (S_C...

70 | Abstraction-based model checking using modal transition systems
- Godefroid, Huth, et al.
- 2001
Citation context: ... be combined with any of these abstractions. 3-Valued Logic. Unlike the traditional (2-valued) abstraction, that preserves only truth of a formula from the abstract model to the concrete one, recently [6, 7, 20, 21, 28, 22] it was shown how automatic abstraction can be performed to verify modal µ-calculus formulae, based on a 3-valued semantics, such that both truth and falseness are preserved. The key to make this poss...

65 | Syntactic program transformations for automatic abstraction
- Namjoshi, Kurshan
- 2000
Citation context: ...s more general than the invisible variables abstraction since it exploits logical relationships among variables. Their technique is similar to predicate abstraction (also called boolean abstractions) [23, 17, 44, 40, 45]. In predicate abstraction, abstract models are constructed by using boolean variables to represent concrete predicates. More specifically, [23] describes a method for the automatic construction of an...

58 | An iterative approach to language containment
- Balarin, Sangiovanni-Vincentelli
- 1993
Citation context: ...s refined to eliminate the possibility of this counterexample in the next iteration. The reduction (abstraction) used in their work is based on invisible variables. A similar approach is described in [2]. Other researchers [3, 12, 8] have also addressed localization reduction based on invisible variables. [3] presents algorithmic improvements to the localization reduction. They present a symbolic alg...

54 | Efficient generation of counterexamples and witnesses in symbolic model checking
- McMillan, Grumberg, et al.
- 1995
Citation context: ... existing model checking tools return as a counterexample either a finite path (for refuting formulae of the form AGp) or a finite path followed by a cycle (for refuting formulae of the form AFp) [5, 7]. Recently, this approach has been extended to provide counterexamples for all formulae of the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counter...

53 | Efficient generation of counterexamples and witnesses in symbolic model checking (32nd Design Automation Conference, DAC'95)
- Clarke, Grumberg, et al.
- 2005

51 | Tree-like counterexamples in model checking
- Clarke, Jha, et al.
- 2002
Citation context: ...y a cycle (for refuting formulae of the form AFp) [5, 7]. Recently, this approach has been extended to provide counterexamples for all formulae of the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counterexample has the form of a tree. Other works also extract information from model checking [29, 12, 25, 32]. Yet, it is presented in the form of ...

44 | SAT based abstraction-refinement using ILP and machine learning techniques
- Clarke, Gupta, et al.
- 2002
Citation context: ...ulted in an indefinite answer. When the result is ⊥, there is no reason to assume either one of the definite answers tt or ff. Thus, we would like to base the refinement not on a counterexample as in [19, 6, 2, 8, 4], but on the point(s) that are responsible for the uncertainty. The goal of the refinement is to discard these points, in the hope of getting a definite result on the refined abstraction. Let M_C = (S_C...

41 | Model checking guided abstraction and analysis
- Saïdi
- 2000
Citation context: ...s more general than the invisible variables abstraction since it exploits logical relationships among variables. Their technique is similar to predicate abstraction (also called boolean abstractions) [23, 17, 44, 40, 45]. In predicate abstraction, abstract models are constructed by using boolean variables to represent concrete predicates. More specifically, [23] describes a method for the automatic construction of an...

38 | Certifying model checkers
- Namjoshi
- 2001
Citation context: ...f the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counterexample has the form of a tree. Other works also extract information from model checking [29, 12, 25, 32]. Yet, it is presented in the form of a temporal proof, rather than a part of the model. In this work we provide counterexamples for full CTL. As for ACTL, counterexamples are part of the model. Howev...

34 | Evidence-based model checking
- Tan, Cleaveland
- 2002
Citation context: ...f the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counterexample has the form of a tree. Other works also extract information from model checking [29, 12, 25, 32]. Yet, it is presented in the form of a temporal proof, rather than a part of the model. In this work we provide counterexamples for full CTL. As for ACTL, counterexamples are part of the model. Howev...

33 | Automatic abstraction using generalized model checking
- Godefroid, Jagadeesan
- 2002
Citation context: ...ing at (s, ϕ1) ⇔ (s, ϕ1) is colored by T (F). 2.2 Abstraction. Abstract models preserving CTL need to have two transition relations [20, 11]. This is achieved by using Kripke Modal Transition Systems [17, 13]. Definition 2. A Kripke Modal Transition System (KMTS) is a tuple M = (S, S_0, →_must, →_may, L), where S is a finite set of states, S_0 ⊆ S is a set of initial states, →_must ⊆ S × S and →_may ⊆ S ...

32 | On the Expressiveness of 3-Valued Models
- Godefroid, Jagadeesan
- 2003
Citation context: ...-valued semantics defines a formula ϕ to be either true or false in an abstract model. True is guaranteed to hold for the concrete model as well, whereas false may be spurious. The 3-valued semantics [14] introduces a new truth value: the value of a formula on an abstract model may be indefinite, which gives no information on its value on the concrete model. On the other hand, both satisfaction and fa...

29 | Automatic abstraction techniques for propositional µ-calculus model checking
- Pardo, Hachtel
- 1997
Citation context: ...ious branching time temporal logics. In [21] the tearing paradigm is presented as a way to obtain lower and upper approximations of the system. Yet, their technique is restricted to ACTL or ECTL. In [27, 28] the full propositional mu-calculus is considered. In their abstraction, the concrete and abstract systems share the same state space. The simplification is based on taking supersets and subsets of a ...

28 | Using branching time logic to synthesize synchronization skeletons
- Emerson, Clarke
- 1982

27 | Abstract interpretation of reactive systems
- Dams, Gerth, Grumberg
- 1997
Citation context: ...tt (ff) ⇔ ∃loise (∀belard) has a winning strategy for the game starting at (s, ϕ1) ⇔ (s, ϕ1) is colored by T (F). 2.2 Abstraction. Abstract models preserving CTL need to have two transition relations [20, 11]. This is achieved by using Kripke Modal Transition Systems [17, 13]. Definition 2. A Kripke Modal Transition System (KMTS) is a tuple M = (S, S_0, →_must, →_may, L), where S is a finite set of stat...

25 | Implementing a multi-valued symbolic model checker
- Chechik, Devereux, et al.

25 | Chek: A Multi-Valued Model-Checker
- Chechik, Devereux, et al.
- 2002

24 | Tearing Based Automatic Abstraction for CTL Model Checking
- Lee, Pardo, et al.
Citation context: ...ion-refinement. – A sufficient and minimal counterexample for full CTL. Related Work. Other researchers have suggested abstraction-refinement mechanisms for various branching time temporal logics. In [21] the tearing paradigm is presented as a way to obtain lower and upper approximations of the system. Yet, their technique is restricted to ACTL or ECTL. In [27, 28] the full propositional mu-calculus ...

23 | Local parallel model checking for the alternation-free µ-calculus
- Bollig, Leucker, et al.
- 2002
Citation context: ...C) in G_{M×ϕ}, i.e. an SCC with one edge at least, contains exactly one witness and is classified as an AU, AV, EU, or EV SCC, based on its witness. Coloring Algorithm. The following Coloring Algorithm [3] labels each node in G_{M×ϕ} by T or F, depending on whether ∃loise or ∀belard has a winning strategy. G_{M×ϕ} is partitioned into its Maximal Strongly Connected Components (MSCCs), denoted Q_i's, and an or...

21 | Incremental CTL Model Checking Using BDD Subsetting
- Pardo, Hachtel
- 1998
Citation context: ...ious branching time temporal logics. In [21] the tearing paradigm is presented as a way to obtain lower and upper approximations of the system. Yet, their technique is restricted to ACTL or ECTL. In [27, 28] the full propositional mu-calculus is considered. In their abstraction, the concrete and abstract systems share the same state space. The simplification is based on taking supersets and subsets of a ...

19 | Stepwise CTL model checking of state/event systems
- Lind-Nielsen, Andersen
- 1999
Citation context: ... their abstraction, the concrete and abstract systems share the same state space. The simplification is based on taking supersets and subsets of a given set with a more compact BDD representation. In [23] full CTL is handled. However, the verified system has to be described as a cartesian product of machines. The initial abstraction considers only machines that directly influence the formula and in ea...

17 | Symbolic localization reduction with reconstruction layering and backtracking
- Barner, Geist, et al.
- 2002
Citation context: ...ulted in an indefinite answer. When the result is ⊥, there is no reason to assume either one of the definite answers tt or ff. Thus, we would like to base the refinement not on a counterexample as in [19, 6, 2, 8, 4], but on the point(s) that are responsible for the uncertainty. The goal of the refinement is to discard these points, in the hope of getting a definite result on the refined abstraction. Let M_C = (S_C...

17 | Proof-like counter-examples
- Chechik, Gurfinkel
- 2003
Citation context: ...ation gained during the run of a model checker. However, we use it to present a counterexample, which is an extended sub-model, rather than a deductive proof. In this sense, our approach is closer to [13, 24]. [13] introduces tree-like counterexamples, which are a general form of ACTL counterexamples (and in fact suitable for a universal fragment of an extended branching time logic based on ω-regular temp...

16 | Local model checking and protocol analysis
- Du, Smolka, et al.
- 1999
Citation context: ...iness of 1SWABA from [4] and show that it can be used to determine a winning strategy for the winner of the game. Thus, our work can also be described in this framework, using alternating automata. [19] also presents a local model checking algorithm for the alternation-free modal µ-calculus that is similar to the algorithm that results from the game-based or the automata-theoretic approach. These mo...

14 | Automata-Theoretic Verification of Coordinating Processes
- Kurshan
- 1993
Citation context: ...This is an indication that our abstraction cannot determine the value of the checked property in the concrete model and therefore needs to be refined. The traditional abstraction-refinement framework [19, 6] is designed for 2-valued abstractions, where false may be a false-alarm, thus refinement is aimed at eliminating false results. As such, it is usually based on a counterexample analysis. Unlike this ...

13 | From model checking to a temporal proof
- Peled, Zuck
- 2001
Citation context: ...f the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counterexample has the form of a tree. Other works also extract information from model checking [29, 12, 25, 32]. Yet, it is presented in the form of a temporal proof, rather than a part of the model. In this work we provide counterexamples for full CTL. As for ACTL, counterexamples are part of the model. Howev...

13 | Verification by approximate forward and backward reachability
- Govindaraju, Dill
- 1998

11 | Specification and verification of concurrent systems
- Queille, Sifakis
- 1981