
## A game-based framework for CTL counterexamples and 3-valued abstraction-refinement (2003)

### Download Links

- [www.cs.technion.ac.il]
- DBLP

### Other Repositories/Bibliography

Venue: In Computer Aided Verification (CAV), LNCS 2725

Citations: 26 (6 self)

### Citations

References cited by this paper, each with the citing passage from the paper's text (the count is the cited work's own citation count).

- Model Checking. Clarke, Grumberg, et al., 1999. Cited by 3193.
  Context: ...model checking for counterexample and incremental abstraction-refinement. The first goal of this work is to suggest a game-based new model checking algorithm for the branching-time temporal logic CTL [11] in the context of abstraction. Model checking is a successful approach for verifying whether a system model M satisfies a specification ϕ, written as a temporal logic formula. Yet, concrete (regular)...

- Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. Cousot, Cousot, 1977. Cited by 2289.
  Context: ...d in the framework of Abstract Interpretation [24, 11]. Let MC = (SC, S0C, →, LC) be a (concrete) KS. Let (SA, ⊑) be a poset of abstract states and (γ : SA → 2^SC, α : 2^SC → SA) a Galois connection [10, 24] from (2^SC, ⊆) to (SA, ⊑). γ is the concretization function that maps each abstract state to the set of concrete states that it represents. α is the abstraction function that maps each set of concre...

- Design and synthesis of synchronization skeletons using branching time temporal logic. Clarke, Emerson, 1982. Cited by 1009.

- Counterexample-guided abstraction refinement. Clarke, Grumberg, et al., 2000. Cited by 835.
  Context: ...This is an indication that our abstraction cannot determine the value of the checked property in the concrete model and therefore needs to be refined. The traditional abstraction-refinement framework [19, 6] is designed for 2-valued abstractions, where false may be a false-alarm, thus refinement is aimed at eliminating false results. As such, it is usually based on a counterexample analysis. Unlike this ...

- Model checking and abstraction. Clarke, Grumberg, et al., 1994. Cited by 737.
  Context: ...predicates from a specification and iteratively compute the predicates required for the abstraction relative to the specification. All these works use the general framework of existential abstraction [14] and are thus suitable for verifying universal properties only (without existential quantifiers). Unlike them, [45] shows how boolean abstractions can be constructed simply, efficiently and precisely ...

- Construction of abstract state graphs with PVS. Graf, Saïdi, 1997. Cited by 736.
  Context: ...partial coloring algorithm, presented in Definition 3.6. Note that for many abstractions, checking if a node is a sub-node of another is simple. For example, in the framework of predicate abstraction [23, 45, 40, 20], this means that the abstract states "agree" on all the predicates that exist before the refinement. When the abstraction is based on invisible variables [12], this means that the abstract states "ag...

- Lazy abstraction. Henzinger, Jhala, et al., 2002. Cited by 531.
  Context: ...tation, thus it is more general. It also has the advantage of being most suitable for using results from previous iterations, resulting in an incremental algorithm. Incremental Abstraction-Refinement [26] introduces the concept of lazy abstraction to integrate and optimize the three phases of the abstract-check-refine loop within the abstraction-refinement framework. Lazy abstraction continuously buil...

- An automata-theoretic approach to branching-time model checking. Bernholtz, Vardi, et al., 1994. Cited by 353.
  Context: ...rithm. Yet, it is then not clear how to guide the refinement, in case it is needed. The game-based approach to model checking, used in this work, is closely related to the Automata-theoretic approach [18], as described in [22]. Thus, our work can also be described in this framework, using alternating automata. Organization. The rest of the paper is organized as follows. In Section 2 we give some backg...

- Abstract interpretation of reactive systems. Dams, Gerth, et al., 1997. Cited by 274.
  Context: ... sets of concrete states. In order to be conservative w.r.t. CTL, two types of transitions are required: may-transitions which represent possible transitions in the concrete model, and must-transitions [33, 16] which represent definite transitions in the concrete model. May and must transitions correspond to over and under approximations, and are needed in order to preserve formulae of the form AXψ and EXψ,...

- Checking that Finite State Concurrent Programs Satisfy their Linear Specification. Lichtenstein, Pnueli, 1985. Cited by 259.

- A Modal Process Logic. Larsen, 1988. Cited by 190.
  Context: ...tt (ff) ⇔ ∃loise (∀belard) has a winning strategy for the game starting at (s, ϕ1) ⇔ (s, ϕ1) is colored by T (F). 2.2 Abstraction. Abstract models preserving CTL need to have two transition relations [20, 11]. This is achieved by using Kripke Modal Transition Systems [17, 13]. Definition 2. A Kripke Modal Transition System (KMTS) is a tuple M = (S, S0, must→, may→, L), where S is a finite set of stat...

- Property preserving abstractions for the verification of concurrent systems. Loiseaux, Graf, et al., Formal Methods in System Design, 1995. Cited by 151.
  Context: ... one of p and ¬p is in L(s). We consider abstractions that collapse sets of concrete states into single abstract states. Such abstractions can be described in the framework of Abstract Interpretation [24, 11]. Let MC = (SC, S0C, →, LC) be a (concrete) KS. Let (SA, ⊑) be a poset of abstract states and (γ : SA → 2^SC, α : 2^SC → SA) a Galois connection [10, 24] from (2^SC, ⊆) to (SA, ⊑). γ is the concreti...

- Experience with predicate abstraction. Das, Dill, et al., 1999. Cited by 142.

- Modal and Temporal Properties of Processes. Stirling, 2001. Cited by 121.
  Context: ... of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula. 1 Introduction. This work exploits and extends the game-based framework [31] of CTL model checking for counterexample and incremental abstraction-refinement. The first goal of this work is to suggest a game-based new model checking algorithm for the branching-time temporal lo...

- Model checking partial state spaces with 3-valued temporal logics. Bruns, Godefroid, 1999. Cited by 119.
  Context: ... be combined with any of these abstractions. 3-Valued Logic. Unlike the traditional (2-valued) abstraction, that preserves only truth of a formula from the abstract model to the concrete one, recently [6, 7, 20, 21, 28, 22] it was shown how automatic abstraction can be performed to verify modal µ-calculus formulae, based on a 3-valued semantics, such that both truth and falseness are preserved. The key to make this poss...

- Modal transition systems: A foundation for three-valued program analysis. Huth, Jagadeesan, et al., 2001. Cited by 115.
  Context: ...ing at (s, ϕ1) ⇔ (s, ϕ1) is colored by T (F). 2.2 Abstraction. Abstract models preserving CTL need to have two transition relations [20, 11]. This is achieved by using Kripke Modal Transition Systems [17, 13]. Definition 2. A Kripke Modal Transition System (KMTS) is a tuple M = (S, S0, must→, may→, L), where S is a finite set of states, S0 ⊆ S is a set of initial states, must→ ⊆ S × S and may→ ⊆ S ...

- Local model checking games. Stirling, 1995. Cited by 94.
  Context: ... Related Work. Games and Automata. Our work uses a characterization of the CTL model checking problem in terms of two-player games. The game-based approach to model checking was introduced by Stirling [46] as a way of combining the algorithmic approach to model checking and the proof system approach. [47, 32, 31] present model checking algorithms based on games for various temporal logics, including CT...

- Abstract and Model Check while you Prove. Saïdi, Shankar, 1999. Cited by 88.
  Context: ...s more general than the invisible variables abstraction since it exploits logical relationships among variables. Their technique is similar to predicate abstraction (also called boolean abstractions) [23, 17, 44, 40, 45]. In predicate abstraction, abstract models are constructed by using boolean variables to represent concrete predicates. More specifically, [23] describes a method for the automatic construction of an...

- Modal specifications. Larsen, 1989. Cited by 87.
  Context: ...roperties that are true, false and unknown of the concrete system. Different formalisms of abstract models suitable for the 3-valued semantics are proposed in the literature: Modal Transition Systems [33, 34], Partial Kripke Structures [6, 7], and Kripke Modal Transition Systems [28, 21]. It is shown in [22] that they have the same expressiveness and that their model checking problem can be reduced to two...

- Generalized model checking: Reasoning about partial state spaces. Bruns, Godefroid, 2000. Cited by 85.
  Context: same passage as for "Model checking partial state spaces with 3-valued temporal logics" above (citation [6, 7, 20, 21, 28, 22]).

- Temporal-safety proofs for systems code. Henzinger, Jhala, et al., 2002. Cited by 85.
  Context: ...uniform abstract model whose predicates change from state to state. They present an algorithm for model checking safety properties using lazy abstraction. The idea of lazy abstraction is also used in [25]. Our incremental algorithm generalizes the idea of Lazy abstraction to model checking of CTL properties, where any abstraction that is described within the framework of abstract interpretation can...

- Automated abstraction refinement for model checking large state spaces using SAT based conflict analysis. Chauhan, Clarke, et al., 2002. Cited by 81.
  Context: ...ulted in an indefinite answer. When the result is ⊥, there is no reason to assume either one of the definite answers tt or ff. Thus, we would like to base the refinement not on a counterexample as in [19, 6, 2, 8, 4], but on the point(s) that are responsible for the uncertainty. The goal of the refinement is to discard these points, in the hope of getting a definite result on the refined abstraction. Let MC = (SC...

- Abstraction-based model checking using modal transition systems. Godefroid, Huth, et al., 2001. Cited by 76.
  Context: same passage as for "Model checking partial state spaces with 3-valued temporal logics" above (citation [6, 7, 20, 21, 28, 22]).

- Syntactic program transformations for automatic abstraction. Namjoshi, Kurshan, 2000. Cited by 73.
  Context: same passage as for "Abstract and Model Check while you Prove" above (citation [23, 17, 44, 40, 45]).

- Efficient Generation of Counterexamples and Witnesses in Symbolic Model Checking. Clarke, Grumberg, et al., 1994. Cited by 69.

- Tree-like counterexamples in model checking. Clarke, Jha, et al. Cited by 61.
  Context: ...y a cycle (for refuting formulae of the form AF p) [5, 7]. Recently, this approach has been extended to provide counterexamples for all formulae of the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counterexample has the form of a tree. Other works also extract information from model checking [29, 12, 25, 32]. Yet, it is presented in the form of ...

- An iterative approach to language containment. Balarin, Sangiovanni-Vincentelli, 1993. Cited by 60.
  Context: ...s refined to eliminate the possibility of this counterexample in the next iteration. The reduction (abstraction) used in their work is based on invisible variables. A similar approach is described in [2]. Other researchers [3, 12, 8] have also addressed localization reduction based on invisible variables. [3] presents algorithmic improvements to the localization reduction. They present a symbolic alg...

- Efficient generation of counterexamples and witnesses in symbolic model checking. McMillan, Grumberg, et al., 1995. Cited by 52.
  Context: ... existing model checking tools return as a counterexample either a finite path (for refuting formulae of the form AGp) or a finite path followed by a cycle (for refuting formulae of the form AF p) [5, 7]. Recently, this approach has been extended to provide counterexamples for all formulae of the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counter...

- SAT based abstraction-refinement using ILP and machine learning techniques. Clarke, Gupta, et al., 2002. Cited by 48.
  Context: same passage as for "Automated abstraction refinement for model checking large state spaces using SAT based conflict analysis" above (citation [19, 6, 2, 8, 4]).

- Certifying Model Checkers. Namjoshi. Cited by 45.
  Context: ...f the universal branching-time temporal logic ACTL [9]. In this case the part of the model given as the counterexample has the form of a tree. Other works also extract information from model checking [29, 12, 25, 32]. Yet, it is presented in the form of a temporal proof, rather than a part of the model. In this work we provide counterexamples for full CTL. As for ACTL, counterexamples are part of the model. Howev...

- Model checking guided abstraction and analysis. Saïdi, 2000. Cited by 44.
  Context: same passage as for "Abstract and Model Check while you Prove" above (citation [23, 17, 44, 40, 45]).

- Evidence-based model checking. Tan, Cleaveland, 2002. Cited by 38.
  Context: same passage as for "Certifying Model Checkers" above (citation [29, 12, 25, 32]).

- Automatic abstraction using generalized model checking. Godefroid, Jagadeesan. Cited by 36.
  Context: same passage as for "Modal transition systems: A foundation for three-valued program analysis" above (citation [17, 13]).

- On the expressiveness of 3-valued models. Godefroid, Jagadeesan, 2003. Cited by 34.
  Context: ...-valued semantics defines a formula ϕ to be either true or false in an abstract model. True is guaranteed to hold for the concrete model as well, whereas false may be spurious. The 3-valued semantics [14] introduces a new truth value: the value of a formula on an abstract model may be indefinite, which gives no information on its value on the concrete model. On the other hand, both satisfaction and fa...

- Automatic abstraction techniques for propositional µ-calculus model checking. Pardo, Hachtel, 1997. Cited by 31.
  Context: ...ious branching time temporal logics. In [21] the tearing paradigm is presented as a way to obtain lower and upper approximations of the system. Yet, their technique is restricted to ACTL or ECTL. In [27, 28] the full propositional mu-calculus is considered. In their abstraction, the concrete and abstract systems share the same state space. The simplification is based on taking supersets and subsets of a ...

- Using branching time logic to synthesize synchronization skeletons. Emerson, Clarke, 1982. Cited by 31.

- Tearing based automatic abstraction for CTL model checking. Lee, Pardo, et al., 1996. Cited by 29.
  Context: ...ion-refinement. – A sufficient and minimal counterexample for full CTL. Related Work. Other researchers have suggested abstraction-refinement mechanisms for various branching time temporal logics. In [21] the tearing paradigm is presented as a way to obtain lower and upper approximations of the system. Yet, their technique is restricted to ACTL or ECTL. In [27, 28] the full propositional mu-calculus ...

- Abstract interpretation of reactive systems. Dams, Gerth, Grumberg, 1997. Cited by 27.
  Context: same passage as for "A Modal Process Logic" above (citation [20, 11]).

- Stepwise CTL model checking of state/event systems. Lind-Nielsen, Andersen, 1999. Cited by 26.
  Context: ... their abstraction, the concrete and abstract systems share the same state space. The simplification is based on taking supersets and subsets of a given set with a more compact BDD representation. In [23] full CTL is handled. However, the verified system has to be described as a cartesian product of machines. The initial abstraction considers only machines that directly influence the formula and in ea...

- Implementing a multi-valued symbolic model checker. Chechik, Devereux, et al. Cited by 26.

- χ-check: A multi-valued model-checker. Chechik, Gurfinkel, et al., 2002. Cited by 25.

- Incremental CTL model checking using BDD subsetting. Pardo, Hachtel, 1998. Cited by 24.
  Context: same passage as for "Automatic abstraction techniques for propositional µ-calculus model checking" above (citation [27, 28]).

- Local parallel model checking for the alternation-free mu-calculus. Bollig, Leucker, et al., 2002. Cited by 23.
  Context: ...C) in GM×ϕ, i.e. an SCC with one edge at least, contains exactly one witness and is classified as an AU, AV, EU, or EV SCC, based on its witness. Coloring Algorithm. The following Coloring Algorithm [3] labels each node in GM×ϕ by T or F, depending on whether ∃loise or ∀belard has a winning strategy. GM×ϕ is partitioned into its Maximal Strongly Connected Components (MSCCs), denoted Qi's, and an or...

- Symbolic localization reduction with reconstruction layering and backtracking. Barner, Geist, et al., 2002. Cited by 18.
  Context: same passage as for "Automated abstraction refinement for model checking large state spaces using SAT based conflict analysis" above (citation [19, 6, 2, 8, 4]).

- Local Model Checking and Protocol Analysis. Du, Smolka, et al., 1999. Cited by 18.
  Context: ...iness of 1SWABA from [4] and show that it can be used to determine a winning strategy for the winner of the game. Thus, our work can also be described in this framework, using alternating automata. [19] also presents a local model checking algorithm for the alternation-free modal µ-calculus that is similar to the algorithm that results from the game-based or the automata-theoretic approach. These mo...

- Proof-Like Counter-Examples. Gurfinkel, Chechik, 2003. Cited by 18.
  Context: ...ation gained during the run of a model checker. However, we use it to present a counterexample, which is an extended sub-model, rather than a deductive proof. In this sense, our approach is closer to [13, 24]. [13] introduces tree-like counterexamples, which are a general form of ACTL counterexamples (and in fact suitable for a universal fragment of an extended branching time logic based on ω-regular temp...

- Verification by approximate forward and backward reachability. Govindaraju, Dill, 1998. Cited by 16.

- Specification and verification of concurrent systems. Queille, Sifakis, 1982. Cited by 16.

- Computer-Aided Verification of Coordinating Processes. Kurshan, 1994. Cited by 15.
  Context: same passage as for "Counterexample-guided abstraction refinement" above (citation [19, 6]).

- From model checking to a temporal proof. Peled, Zuck, 2001. Cited by 12.
  Context: same passage as for "Certifying Model Checkers" above (citation [29, 12, 25, 32]).

- Generating Counterexamples for Multi-Valued Model Checking. Gurfinkel, Chechik, 2003. Cited by 10.

- Model-Checking Modal Transition Systems Using Kripke Structures. Huth, 2002. Cited by 8.
  Context: ...ormalism, 3-valued model checking has the same time and space complexity both in the size of the formula and the model as traditional 2-valued model checking. Such results were introduced in [20] and [27] for modal µ-calculus. In our work we use Kripke Modal Transition Systems [28, 21] and solve the model checking problem directly, without reducing it to traditional model checking. The direct solution...

- Abstraction-based model checking using modal transition systems. Godefroid, Huth, Jagadeesan. Cited by 7.
  Context: ... represented by the origin abstract state: sa must→ s'a only if ∀sc ∈ γ(sa) ∃s'c ∈ γ(s'a) s.t. sc → s'c. Other constructions of abstract models, based on Galois connections, can be found in [11, 15]. The relation H ∈ SC × SA, which is defined by (sc, sa) ∈ H iff sc ∈ γ(sa), then forms a mixed simulation [11, 13] from MC to the resulting abstract model MA. [17] defines the 3-valued semantics of C...

- Model checking games for the alternation free mu-calculus and alternating automata. Leucker, 1999. Cited by 7.
  Context: ... not clear how to guide the refinement, in case it is needed. The game-based approach to model checking, used in this work, is closely related to the Automata-theoretic approach [18], as described in [22]. Thus, our work can also be described in this framework, using alternating automata. Organization. The rest of the paper is organized as follows. In Section 2 we give some background for game-based C...

- Model Checking with Formula-Dependent Abstract Models. Asteroth, Aßmann. Cited by 6.
  Context: ...cribed as a cartesian product of machines. The initial abstraction considers only machines that directly influence the formula and in each iteration the cone of influence is extended in a BFS manner. [1] handles ACTL and full CTL. Their abstraction collapses all states that satisfy the same subformulae of ϕ into an abstract state. Thus, computing the abstract model is at least as hard as model checki...

- Model Checking Games for CTL. Lange, Stirling, 2000. Cited by 6.
  Context: ...n terms of two-player games. The game-based approach to model checking was introduced by Stirling [46] as a way of combining the algorithmic approach to model checking and the proof system approach. [47, 32, 31] present model checking algorithms based on games for various temporal logics, including CTL and the alternation-free µ-calculus. The model checking problem is described as a game between a refuter, ∀...

- Framework for CTL Counterexamples and 3-Valued Abstraction-Refinement. Henzinger, Jhala, et al., 2002. Cited by 2.

- From falsification to verification. 2001. Cited by 1.

- A game based approach to CTL model checking. Lange, 2000. Cited by 1.