144 research outputs found
Finite-State Abstractions for Probabilistic Computation Tree Logic
Probabilistic Computation Tree Logic (PCTL) is the established temporal
logic for probabilistic verification of discrete-time Markov chains. Probabilistic
model checking is a technique that verifies or refutes whether a property
specified in this logic holds in a Markov chain. But Markov chains are often
infinite or too large for this technique to apply. A standard solution to
this problem is to convert the Markov chain to an abstract model and to
model check that abstract model. The problem this thesis therefore studies
is whether or when such finite abstractions of Markov chains for model
checking PCTL exist.
This thesis makes the following contributions. We identify a sizeable fragment
of PCTL for which 3-valued Markov chains can serve as finite abstractions;
this fragment is maximal for those abstractions and subsumes many
practically relevant specifications including, e.g., reachability. We also develop
game-theoretic foundations for the semantics of PCTL over Markov
chains by capturing the standard PCTL semantics via a two-player games.
These games, finally, inspire a notion of p-automata, which accept entire
Markov chains. We show that p-automata subsume PCTL and Markov
chains; that their languages of Markov chains have pleasant closure properties;
and that the complexity of deciding acceptance matches that of probabilistic
model checking for p-automata representing PCTL formulae. In addition,
we offer a simulation between p-automata that under-approximates
language containment. These results then allow us to show that p-automata
comprise a solution to the problem studied in this thesis
Rich Counter-Examples for Temporal-Epistemic Logic Model Checking
Model checking verifies that a model of a system satisfies a given property,
and otherwise produces a counter-example explaining the violation. The verified
properties are formally expressed in temporal logics. Some temporal logics,
such as CTL, are branching: they allow to express facts about the whole
computation tree of the model, rather than on each single linear computation.
This branching aspect is even more critical when dealing with multi-modal
logics, i.e. logics expressing facts about systems with several transition
relations. A prominent example is CTLK, a logic that reasons about temporal and
epistemic properties of multi-agent systems. In general, model checkers produce
linear counter-examples for failed properties, composed of a single computation
path of the model. But some branching properties are only poorly and partially
explained by a linear counter-example.
This paper proposes richer counter-example structures called tree-like
annotated counter-examples (TLACEs), for properties in Action-Restricted CTL
(ARCTL), an extension of CTL quantifying paths restricted in terms of actions
labeling transitions of the model. These counter-examples have a branching
structure that supports more complete description of property violations.
Elements of these counter-examples are annotated with parts of the property to
give a better understanding of their structure. Visualization and browsing of
these richer counter-examples become a critical issue, as the number of
branches and states can grow exponentially for deeply-nested properties.
This paper formally defines the structure of TLACEs, characterizes adequate
counter-examples w.r.t. models and failed properties, and gives a generation
algorithm for ARCTL properties. It also illustrates the approach with examples
in CTLK, using a reduction of CTLK to ARCTL. The proposed approach has been
implemented, first by extending the NuSMV model checker to generate and export
branching counter-examples, secondly by providing an interactive graphical
interface to visualize and browse them.Comment: In Proceedings IWIGP 2012, arXiv:1202.422
Counterexample Generation in Probabilistic Model Checking
Providing evidence for the refutation of a property is an essential, if not the most important, feature of model checking. This paper considers algorithms for counterexample generation for probabilistic CTL formulae in discrete-time Markov chains. Finding the strongest evidence (i.e., the most probable path) violating a (bounded) until-formula is shown to be reducible to a single-source (hop-constrained) shortest path problem. Counterexamples of smallest size that deviate most from the required probability bound can be obtained by applying (small amendments to) k-shortest (hop-constrained) paths algorithms. These results can be extended to Markov chains with rewards, to LTL model checking, and are useful for Markov decision processes. Experimental results show that typically the size of a counterexample is excessive. To obtain much more compact representations, we present a simple algorithm to generate (minimal) regular expressions that can act as counterexamples. The feasibility of our approach is illustrated by means of two communication protocols: leader election in an anonymous ring network and the Crowds protocol
Evidence for Fixpoint Logic
For many modal logics, dedicated model checkers offer diagnostics (e.g., counterexamples) that help the user understand the result provided by the solver. Fixpoint logic offers a unifying framework in which such problems can be expressed and solved, but a drawback of this framework is that it lacks comprehensive diagnostics generation. We extend the framework with a notion of evidence, which can be specialized to obtain diagnostics for various model checking problems, behavioural equivalence and refinement checking problems. We demonstrate this by showing how our notion of evidence can be used to obtain diagnostics for the problem of deciding stuttering bisimilarity. Moreover, we show that our notion generalizes the existing notions of counterexample and witness for LTL and ACTL* model checking
Predicate Abstraction with Under-approximation Refinement
We propose an abstraction-based model checking method which relies on
refinement of an under-approximation of the feasible behaviors of the system
under analysis. The method preserves errors to safety properties, since all
analyzed behaviors are feasible by definition. The method does not require an
abstract transition relation to be generated, but instead executes the concrete
transitions while storing abstract versions of the concrete states, as
specified by a set of abstraction predicates. For each explored transition the
method checks, with the help of a theorem prover, whether there is any loss of
precision introduced by abstraction. The results of these checks are used to
decide termination or to refine the abstraction by generating new abstraction
predicates. If the (possibly infinite) concrete system under analysis has a
finite bisimulation quotient, then the method is guaranteed to eventually
explore an equivalent finite bisimilar structure. We illustrate the application
of the approach for checking concurrent programs.Comment: 22 pages, 3 figures, accepted for publication in Logical Methods in
Computer Science journal (special issue CAV 2005
Counterexamples Revisited: Principles, Algorithms, Applications
Abstract. Algorithmic counterexample generation is a central feature of model checking which sets the method apart from other approaches such as theorem proving. The practical value of counterexamples to the verification engineer is evident, and for many years, counterexam-ple generation algorithms have been employed in model checking sys-tems, even though they had not been subject to an adequate fundamen-tal investigation. Recent advances in model checking technology such as counterexample-guided abstraction refinement have put strong em-phasis on counterexamples, and have lead to renewed interest both in fundamental and pragmatic aspects of counterexample generation. In this paper, we survey several key contributions to the subject includ-ing symbolic algorithms, results about the graph-theoretic structure of counterexamples, and applications to automated abstraction as well as software verification. Irrefutability is not a virtue of a theory (as people often think) but a vice
Integrating Topological Proofs with Model Checking to Instrument Iterative Design
System development is not a linear, one-shot process. It proceeds through refinements and revisions. To support assurance that the system satisfies its requirements, it is desirable that continuous verification can be performed after each refinement or revision step. To achieve practical adoption, formal verification must accommodate continuous verification efficiently and effectively. Model checking provides developers with information useful to improve their models only when a property is not satisfied, i.e., when a counterexample is returned. However, it is desirable to have some useful information also when a property is instead satisfied. To address this problem we propose TOrPEDO, an approach that supports verification in two complementary forms: model checking and proofs. While model checking is typically used to pinpoint model behaviors that violate requirements, proofs can instead explain why requirements are satisfied. In our work, we introduce a specific notion of proof, called Topological Proof. A topological proof produces a slice of the original model that justifies the property satisfaction. Because models can be incomplete, TOrPEDO supports reasoning on requirements satisfaction, violation, and possible satisfaction (in the case where satisfaction depends on unknown parts of the model). Evaluation is performed by checking how topological proofs support software development on 12 modeling scenarios and 15 different properties obtained from 3 examples from literature. Results show that: (i) topological proofs are ≈60% smaller than the original models; (ii) after a revision, in ≈78% of cases, the property can be re-verified by relying on a simple syntactic check
- …