Counterexample-guided abstraction refinement

Last updated February 13, 2024

Counterexample-guided abstraction refinement (CEGAR) is a technique for symbolic model checking.^[1]^[2] It is also applied in modal logic tableau calculi algorithms to optimise their efficiency.^[3]

In computer-aided verification and analysis of programs, models of computation often consist of states. Models for even small programs, however, may have an enormous number of states. This is identified as the state explosion problem.^[4] CEGAR addresses this problem with two stages — abstraction, which simplifies a model by grouping states, and refinement, which increases the precision of the abstraction to better approximate the original model.

If a desired property for a program is not satisfied in the abstract model, a counterexample is generated. The CEGAR process then checks whether the counterexample is spurious, i.e., if the counterexample also applies to the under-abstraction but not the actual program. If this is the case, it concludes that the counterexample is attributed to inadequate precision of the abstraction. Otherwise, the process finds a bug in the program. Refinement is performed when a counterexample is found to be spurious.^[5] The iterative procedure terminates either if a bug is found or when the abstraction has been refined to the extent that it is equivalent to the original model.

Program verification

Abstraction

To reason about the correctness of a program, particularly those involving the concept of time for concurrency, state transition models are used. In particular, finite-state models can be used along with temporal logic in automatic verification.^[6] The concept of abstraction is thus founded upon a mapping between two Kripke structures. Specifically, programs can be described with control flow automata (CFA).^[7]

Define a Kripke structure $M$ as $\langle S,s_{0},R,L\rangle$ , where

$S$ is a finite set of states,
$s_{0}$ is an initial state in $S$ ,
$R$ is a total transition relation, and
$L$ is a function that labels each state with a set of propositional names that hold therein.

An abstraction of $M$ is defined by $\langle S_{\alpha },s_{0}^{\alpha },R_{\alpha },L_{\alpha }\rangle$ where $\alpha$ is an abstraction mapping that maps every state in $S$ to a state in $S_{\alpha }$ .^[5]

To preserve the critical properties of the model, the abstraction mapping maps the initial state in the original model $s_{0}$ to its counterpart $s_{0}^{\alpha }$ in the abstract model. The abstraction mapping also guarantees that the transition relations between two states are preserved.

Model Checking

In each iteration, model checking is performed for the abstract model. Bounded model checking, for instance, generates a propositional formula that is then checked for Boolean satisfiability by a SAT solver.^[5]

When counterexamples are found, they are examined to determine if they are spurious examples, i.e., they are unauthentic ones that emerge from the under-abstraction of the model. A non-spurious counterexample reflects the incorrectness of the program, which may be sufficient to terminate the program verification process and conclude that the program is incorrect. The main objective of the refinement process handle spurious counterexamples. It eliminates them by increasing the granularity of the abstraction.

The refinement process ensures that the dead-end states and the bad states do not belong to the same abstract state. A dead-end state is a reachable one with no outgoing transition whereas a bad-state is one with transitions causing the counterexample.^[2]

Tableau calculi

Since modal logic is often interpreted with Kripke semantics, where a Kripke frame resembles the structure of state transition systems concerned in program verification, the CEGAR technique is also implemented for automated theorem proving.^[3]

Related Research Articles

In computer science, abstract interpretation is a theory of sound approximation of the semantics of computer programs, based on monotonic functions over ordered sets, especially lattices. It can be viewed as a partial execution of a computer program which gains information about its semantics without performing all the calculations.

In programming language theory and proof theory, the Curry–Howard correspondence is the direct relationship between computer programs and mathematical proofs.

In computer science, model checking or property checking is a method for checking whether a finite-state model of a system meets a given specification. This is typically associated with hardware or software systems, where the specification contains liveness requirements as well as safety requirements.

In logic, temporal logic is any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time. It is sometimes also used to refer to tense logic, a modal logic-based system of temporal logic introduced by Arthur Prior in the late 1950s, with important contributions by Hans Kamp. It has been further developed by computer scientists, notably Amir Pnueli, and logicians.

In theoretical computer science a bisimulation is a binary relation between state transition systems, associating systems that behave in the same way in that one system simulates the other and vice versa.

Kripke semantics is a formal semantics for non-classical logic systems created in the late 1950s and early 1960s by Saul Kripke and André Joyal. It was first conceived for modal logics, and later adapted to intuitionistic logic and other non-classical systems. The development of Kripke semantics was a breakthrough in the theory of non-classical logics, because the model theory of such logics was almost non-existent before Kripke.

Bunched logic is a variety of substructural logic proposed by Peter O'Hearn and David Pym. Bunched logic provides primitives for reasoning about resource composition, which aid in the compositional analysis of computer and other systems. It has category-theoretic and truth-functional semantics, which can be understood in terms of an abstract concept of resource, and a proof theory in which the contexts Γ in an entailment judgement Γ ⊢ A are tree-like structures (bunches) rather than lists or (multi)sets as in most proof calculi. Bunched logic has an associated type theory, and its first application was in providing a way to control the aliasing and other forms of interference in imperative programs. The logic has seen further applications in program verification, where it is the basis of the assertion language of separation logic, and in systems modelling, where it provides a way to decompose the resources used by components of a system.

In proof theory, the semantic tableau is a decision procedure for sentential and related logics, and a proof procedure for formulae of first-order logic. An analytic tableau is a tree structure computed for a logical formula, having at each node a subformula of the original formula to be proved or refuted. Computation constructs this tree and uses it to prove or refute the whole formula. The tableau method can also determine the satisfiability of finite sets of formulas of various logics. It is the most popular proof procedure for modal logics.

A Kripke structure is a variation of the transition system, originally proposed by Saul Kripke, used in model checking to represent the behavior of a system. It consists of a graph whose nodes represent the reachable states of the system and whose edges represent state transitions, together with a labelling function which maps each node to a set of properties that hold in the corresponding state. Temporal logics are traditionally interpreted in terms of Kripke structures.

In computer science, partial order reduction is a technique for reducing the size of the state-space to be searched by a model checking or automated planning and scheduling algorithm. It exploits the commutativity of concurrently executed transitions that result in the same state when executed in different orders.

In theoretical computer science, the modal μ-calculus is an extension of propositional modal logic by adding the least fixed point operator μ and the greatest fixed point operator ν, thus a fixed-point logic.

In computer science, the International Conference on Computer-Aided Verification (CAV) is an annual academic conference on the theory and practice of computer-aided formal analysis of software and hardware systems, broadly known as formal methods. Among the important results originally published in CAV are techniques in model checking, such as Counterexample-Guided Abstraction Refinement (CEGAR) and partial order reduction. It is often ranked among the top conferences in computer science.

In computer science and in mathematics, abstraction model checking is for systems where an actual representation is too complex in developing the model alone. So, the design undergoes a kind of translation to scaled down "abstract" version.

In theoretical computer science, a transition system is a concept used in the study of computation. It is used to describe the potential behavior of discrete systems. It consists of states and transitions between states, which may be labeled with labels chosen from a set; the same label may appear on more than one transition. If the label set is a singleton, the system is essentially unlabeled, and a simpler definition that omits the labels is possible.

A multimodal logic is a modal logic that has more than one primitive modal operator. They find substantial applications in theoretical computer science.

The KeY tool is used in formal verification of Java programs. It accepts specifications written in the Java Modeling Language to Java source files. These are transformed into theorems of dynamic logic and then compared against program semantics that are likewise defined in terms of dynamic logic. KeY is significantly powerful in that it supports both interactive and fully automated correctness proofs. Failed proof attempts can be used for a more efficient debugging or verification-based testing. There have been several extensions to KeY in order to apply it to the verification of C programs or hybrid systems. KeY is jointly developed by Karlsruhe Institute of Technology, Germany; Technische Universität Darmstadt, Germany; and Chalmers University of Technology in Gothenburg, Sweden and is licensed under the GPL.

In computer science, Hennessy–Milner logic (HML) is a dynamic logic used to specify properties of a labeled transition system (LTS), a structure similar to an automaton. It was introduced in 1980 by Matthew Hennessy and Robin Milner in their paper "On observing nondeterminism and concurrency" (ICALP).

Helmut Veith was an Austrian computer scientist who worked on the areas of computer-aided verification, software engineering, computer security, and logic in computer science. He was a Professor of Informatics at the Vienna University of Technology, Austria.

In model checking, a branch of computer science, linear time properties are used to describe requirements of a model of a computer system. Example properties include "the vending machine does not dispense a drink until money has been entered" or "the computer program eventually terminates". Fairness properties can be used to rule out unrealistic paths of a model. For instance, in a model of two traffic lights, the liveness property "both traffic lights are green infinitely often" may only be true under the unconditional fairness constraint "each traffic light changes colour infinitely often".

Modal clausal form, also known as separated normal form by modal levels (SNF_ml) and Mints normal form, is a normal form for modal logic formulae.

References

↑ Clarke, Edmund; Grumberg, Orna; Jha, Shomesh; Lu, Yuan; Veith, Helmut (1 September 2003). "Counterexample-guided abstraction refinement for symbolic model checking". Journal of the ACM. 50 (5): 752–794. doi:10.1145/876638.876643.
1 2 Clarke, Edmund; Grumberg, Orna; Jha, Shomesh; Lu, Yuan; Veith, Helmut (2000). Counterexample-Guided Abstraction Refinement. International Conference on Computer Aided Verification CAV 2000: Computer Aided Verification. Lecture Notes in Computer Science. Vol. 1855. Berlin, Heidelberg: Springer. pp. 154–169. doi:10.1007/10722167_15. ISBN 978-3-540-45047-4.
1 2 Goré, Rajeev; Kikkert, Cormac (6 September 2021). CEGAR-Tableaux: Improved Modal Satisfiability via Modal Clause-Learning and SAT. Automated Reasoning with Analytic Tableaux and Related Methods: 30th International Conference, TABLEAUX 2021, Birmingham, UK. Lecture Notes in Computer Science. Vol. 12842. Cham: Springer. pp. 74–91. doi:10.1007/978-3-030-86059-2_5. ISBN 978-3-030-86059-2.
↑ Valmari, Antti (1998). The State Explosion Problem. Advanced Course on Petri Nets, ACPN 1996. Lecture Notes in Computer Science. Vol. 1491. Berlin, Heidelberg: Springer. pp. 429–528. doi:10.1007/978-3-642-35746-6_1. ISBN 978-3-540-49442-3 . Retrieved 27 December 2023.
1 2 3 Clarke, Edmund; Klieber, William; Nováček, Miloš; Zuliani, Paolo (2011). Model Checking and the State Explosion Problem. LASER Summer School on Software Engineering: LASER 2011. Lecture Notes in Computer Science. Vol. 7682. pp. 1–30. doi:10.1007/978-3-642-35746-6_1. ISBN 978-3-642-35746-6 . Retrieved 27 December 2023.
↑ Clarke, Edmund; Browne, Michael C.; Emerson, E. Allen; Sistla, A.P. "Using Temporal Logic for Automatic Verification of Finite State Systems". Logics and Models of Concurrent Systems. NATO ASI. Vol. 13. Berlin, Heidelberg: Springer. doi: 10.1007/978-3-642-82453-1_1 . ISBN 978-3-642-82453-1.
↑ Hajdu, Ákos; Micskei, Zoltán (11 November 2019). "Efficient Strategies for CEGAR-Based Model Checking". Journal of Automated Reasoning. Springer Nature. 64 (4): 1051–1091. doi: 10.1007/s10817-019-09535-x .

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Clarke, Edmund; Grumberg, Orna; Jha, Shomesh; Lu, Yuan; Veith, Helmut (1 September 2003). "Counterexample-guided abstraction refinement for symbolic model checking". Journal of the ACM. 50 (5): 752–794. doi:10.1145/876638.876643.

[CEGAR2000-2] 1 2 Clarke, Edmund; Grumberg, Orna; Jha, Shomesh; Lu, Yuan; Veith, Helmut (2000). Counterexample-Guided Abstraction Refinement. International Conference on Computer Aided Verification CAV 2000: Computer Aided Verification. Lecture Notes in Computer Science. Vol. 1855. Berlin, Heidelberg: Springer. pp. 154–169. doi:10.1007/10722167_15. ISBN 978-3-540-45047-4.

[CEGAR-Tableaux-3] 1 2 Goré, Rajeev; Kikkert, Cormac (6 September 2021). CEGAR-Tableaux: Improved Modal Satisfiability via Modal Clause-Learning and SAT. Automated Reasoning with Analytic Tableaux and Related Methods: 30th International Conference, TABLEAUX 2021, Birmingham, UK. Lecture Notes in Computer Science. Vol. 12842. Cham: Springer. pp. 74–91. doi:10.1007/978-3-030-86059-2_5. ISBN 978-3-030-86059-2.

[4] Valmari, Antti (1998). The State Explosion Problem. Advanced Course on Petri Nets, ACPN 1996. Lecture Notes in Computer Science. Vol. 1491. Berlin, Heidelberg: Springer. pp. 429–528. doi:10.1007/978-3-642-35746-6_1. ISBN 978-3-540-49442-3 . Retrieved 27 December 2023.

[model-checking-5] 1 2 3 Clarke, Edmund; Klieber, William; Nováček, Miloš; Zuliani, Paolo (2011). Model Checking and the State Explosion Problem. LASER Summer School on Software Engineering: LASER 2011. Lecture Notes in Computer Science. Vol. 7682. pp. 1–30. doi:10.1007/978-3-642-35746-6_1. ISBN 978-3-642-35746-6 . Retrieved 27 December 2023.

[6] Clarke, Edmund; Browne, Michael C.; Emerson, E. Allen; Sistla, A.P. "Using Temporal Logic for Automatic Verification of Finite State Systems". Logics and Models of Concurrent Systems. NATO ASI. Vol. 13. Berlin, Heidelberg: Springer. doi: 10.1007/978-3-642-82453-1_1 . ISBN 978-3-642-82453-1.

[7] Hajdu, Ákos; Micskei, Zoltán (11 November 2019). "Efficient Strategies for CEGAR-Based Model Checking". Journal of Automated Reasoning. Springer Nature. 64 (4): 1051–1091. doi: 10.1007/s10817-019-09535-x .

[1]

[2]

[3]

[4]

[5]

[6]

[7]