## Easier and More Informative Vacuity Checks

Citations: 7 (1 self)

### BibTeX

```bibtex
@MISC{Chockler_easierand,
  author = {Hana Chockler and Ofer Strichman},
  title  = {Easier and More Informative Vacuity Checks},
  year   = {}
}
```

### Abstract

In formal verification, we verify that a system is correct with respect to a specification. Cases like antecedent failure can make a successful pass of the verification procedure meaningless. Vacuity detection can signal such "meaningless" passes of the specification, and indeed vacuity checks are now a standard component in many commercial model checkers. We address two dimensions of vacuity: the computational effort and the information that is given to the user. As for the first dimension, we present several preliminary vacuity checks that can be done without the design itself, which implies that some information can be found with a significantly smaller effort. As for the second dimension, we present algorithms for deriving three types of information that are not provided by standard vacuity checks, assuming M ⊨ ϕ for a model M and property ϕ: a) behaviors that are possibly missing from M (or wrongly restricted by the environment); b) the largest subset of occurrences of literals in ϕ that can be replaced with false simultaneously without falsifying ϕ in M; and finally c) the degree of responsibility of each occurrence of a literal in ϕ to its satisfaction in the model M, which can be seen as a fine-grain form of vacuity. The complexity of each of these problems is proven. Overall this extra information can lead to tighter specifications and more guidance for finding errors.

### Citations

1109 | Temporal and Modal Logic - Emerson - 1998
Citation context: "... theorems and lemmas appear in the full version of this article [CS07]. 2 Definitions We assume that specifications are given by LTL formulas and the verified systems are modeled by Kripke structures [Eme90]. It is shown in [VW94] that given an LTL formula ϕ, we can construct a nondeterministic Büchi automaton B_ϕ over the alphabet 2^AP such that B_ϕ accepts exactly all the words that satisfy ϕ. Formally, ..."

682 | Approximation algorithms for combinatorial problems - Johnson - 1974
Citation context: "... of M is polynomial (because of model checking), the resulting overall complexity is O(|M|^2 · 2^{|ϕ|}). The minimum-hitting set problem can also be approximated within 1 + ln |U| by a polynomial algorithm [Joh74], which leads to an approximation algorithm for solving MAX-VACUOUS-SET. 5 Vacuity Extended to Responsibility Responsibility was formally defined in [CH04] based on the definition of causality by Halp..."

335 | On a decision method in restricted second order arithmetic - Büchi - 1962

252 | Reasoning about infinite computations - Vardi, Wolper - 1994
Citation context: "... ear in the full version of this article [CS07]. 2 Definitions We assume that specifications are given by LTL formulas and the verified systems are modeled by Kripke structures [Eme90]. It is shown in [VW94] that given an LTL formula ϕ, we can construct a nondeterministic Büchi automaton B_ϕ over the alphabet 2^AP such that B_ϕ accepts exactly all the words that satisfy ϕ. Formally, L(B_ϕ) = {τ ∈ (2^AP)^ω ..."

240 | Specification and verification of concurrent systems in CESAR - Queille, Sifakis - 1982
Citation context: "... f vacuity. The complexity of each of these problems is proven. Overall this extra information can lead to tighter specifications and more guidance for finding errors. 1 Introduction In model checking [QS81], we verify the correctness of a finite-state system with respect to a desired behavior by checking whether a labeled state-transition graph that models the system satisfies a specification of this be..."

188 | The complexity of optimization problems - Krentel - 1986

121 | Causes and Explanations: A Structural-Model Approach. Part I: Causes - Halpern, Pearl - 2001
Citation context: "... we discuss the relationship between vacuity and responsibility. Responsibility is a notion that was introduced in [CH04]. It is a quantitative measure of causality as defined by Halpern and Pearl in [HP01]. Informally, responsibility measures how much a value of a variable affects the truth value of a Boolean formula. Using responsibility for refining the notion of vacuity is done similarly to the way..."

92 | Fixed-parameter tractability and completeness II: on completeness for W[1]. Theor - Downey, Fellows - 1995
Citation context: "... er than the size of the system, the hardness result might not mean that the problem is infeasible. The complexity of MAX-VACUOUS-LIT is more accurately described using parameterized complexity theory [DF95]. In parameterized complexity, there are two parameters that describe the size of the input, and the complexity of the problem depends on each one of these parameters differently. The parameterized co..."

62 | Vacuity detection in temporal model checking - Kupferman, Vardi
Citation context: "... ample to support the result. Hence, it is more natural to worry about vacuous satisfaction in the event of a positive result. This is also the case that we focus on in this paper. Kupferman and Vardi [KV03] suggested looking at occurrences of subformulas, which gives different information than the original definition. For example, given the formula ϕ : p ∧ X(q ∨ p) and a model M which satisfies it, it i..."

54 | Efficient generation of counterexamples and witnesses in symbolic model checking - McMillan, Grumberg, et al. - 1995
Citation context: "... e system. Thus, together with a negative answer, the model checker returns some erroneous execution of the system. These counterexamples can be essential in detecting subtle errors in complex designs [CGMZ95]. On the other hand, when the answer to the correctness query is positive, most model-checking tools terminate with no further information to the user. Since a positive answer means that the system is..."

43 | Formally Verifying a Microprocessor using a Simulation Methodology - Derek, Bryant - 1994
Citation context: "... in the specification. Probably the most common method for systematically searching for such errors is vacuity detection [BBER01, PS02, KV03, CG04b, CG04a, Kup06], where cases like antecedent failure [BB94] make parts of the specification irrelevant to its satisfaction. For example, the specification ϕ = G(req → F grant) ("every request is eventually followed by a grant") is vacuously satisfied in a sys..."

31 | Efficient Detection of Vacuity - Beer, Ben-David, et al. - 2001
Citation context: "... rrect with respect to the specification, this at first seems like a reasonable policy. Beer et al. raised the issue of suspecting the system of containing an error even if the model checking succeeds [BBER01]. The main justification of such suspicions are possible errors in the modeling of the system and a possible incompleteness in the specification. Probably the most common method for systematically sea..."

30 | Responsibility and blame: a structural-model approach - Chockler, Halpern - 2003
Citation context: "... fications). We also present an iterative algorithm for finding this set. In Section 5 we discuss the relationship between vacuity and responsibility. Responsibility is a notion that was introduced in [CH04]. It is a quantitative measure of causality as defined by Halpern and Pearl in [HP01]. Informally, responsibility measures how much a value of a variable affects the truth value of a Boolean formula...."

22 | Vacuum cleaning CTL formulae - Purandare, Somenzi

19 | How vacuous is vacuous - Gurfinkel, Chechik - 2004
Citation context: "... as is intractable for LTL as well. Chechik and Gurfinkel proved that checking vacuity with respect to all occurrences of literals in ϕ is equivalent to checking all occurrences of general subformulas [CG04b], and is computationally cheaper (as literals are a subset of all subformulas). Hence, unless otherwise stated in this paper, we concentrate on vacuity with respect to occurrences of literals. Continu..."

17 | Extending extended vacuity - Gurfinkel, Chechik - 2004
Citation context: "... are the subject of this and the next sections. We now focus on the problem of detecting vacuous satisfaction with respect to several literal occurrences, which was first defined by Chechik et al. in [CG04a]. Definition 4.1 (MAX-VACUOUS) Given a temporal logic formula ϕ and a Kripke structure M that satisfies ϕ, let MAX-VACUOUS(ϕ, M) be the maximal number of literal occurrences in lit-occur(ϕ) that can ..."

15 | Sanity checks in formal verification - Kupferman - 2006

8 | An efficiently checkable, proof-based formulation of vacuity in model checking - Namjoshi - 2004

4 | What causes a system to satisfy a specification? CoRR cs.LO/0312036 - Chockler, Halpern, et al. - 2003
Citation context: "... lity measures how much a value of a variable affects the truth value of a Boolean formula. Using responsibility for refining the notion of vacuity is done similarly to the way it is done in coverage [CHK03]. For example, in the specification ϕ = G(a ∨ b ∨ c) and a system M as above, none of the literals is directly (or counterfactually) responsible for the value of ϕ in M. However, replacing a with false re..."

1 | Easier and More Informative Vacuity Checks (Full version) - Chockler, Strichman
Citation context: "... de in Section 6 by reporting the results of applying some of the techniques presented in this paper to a real design. Full proofs of all theorems and lemmas appear in the full version of this article [CS07]. 2 Definitions We assume that specifications are given by LTL formulas and the verified systems are modeled by Kripke structures [Eme90]. It is shown in [VW94] that given an LTL formula ϕ, we can con..."

1 | Efficient Büchi automata from LTL formulae - Somenzi, Bloem - 2000
Citation context: "... and a set of environment restrictions. Building the Büchi automaton corresponding to the conjunction of all of them turned out to be too time-consuming in our experimental setting (we used the Wring [SB00] script, which builds Büchi automata from LTL formulas). We therefore broke the set of properties to three subsets, thus sacrificing the quality of the checks. Here we bring the results with the first..."