Variability Abstraction and Refinement for Game-Based Lifted Model Checking of Full CTL
One of the most promising approaches to fighting the configuration space explosion problem in lifted model checking is variability abstraction. In this work, we define a novel game-based approach for variability-specific abstraction and refinement for lifted model checking of the full CTL, interpreted over 3-valued semantics. We propose a direct algorithm for solving a 3-valued (abstract) lifted model checking game. In case the result of model checking an abstract variability model is indefinite, we suggest a new notion of refinement, which eliminates indefinite results. This provides an iterative, incremental variability-specific abstraction and refinement framework, where refinement is applied only where indefinite results exist and definite results from previous iterations are reused. The practicality of this approach is demonstrated on several variability models.
Evaluating Model Testing and Model Checking for Finding Requirements Violations in Simulink Models
Matlab/Simulink is a development and simulation language that is widely used
by the Cyber-Physical System (CPS) industry to model dynamical systems. There
are two mainstream approaches to verify CPS Simulink models: model testing that
attempts to identify failures in models by executing them for a number of
sampled test inputs, and model checking that attempts to exhaustively check the
correctness of models against some given formal properties. In this paper, we
present an industrial Simulink model benchmark, provide a categorization of
different model types in the benchmark, describe the recurring logical patterns
in the model requirements, and discuss the results of applying model checking
and model testing approaches to identify requirements violations in the
benchmarked models. Based on the results, we discuss the strengths and
weaknesses of model testing and model checking. Our results further suggest
that model checking and model testing are complementary and by combining them,
we can significantly enhance the capabilities of each of these approaches
individually. We conclude by providing guidelines as to how the two approaches
can be best applied together.
Comment: 10 pages + 2 page references
Model Checking CTL is Almost Always Inherently Sequential
The model checking problem for CTL is known to be P-complete (Clarke, Emerson, and Sistla (1986), see Schnoebelen (2002)). We consider fragments of CTL obtained by restricting the use of temporal modalities or the use of negations, restrictions already studied for LTL by Sistla and Clarke (1985) and Markey (2004). For all these fragments, except for the trivial case without any temporal operator, we systematically prove model checking to be either inherently sequential (P-complete) or very efficiently parallelizable (LOGCFL-complete). For most fragments, however, model checking for CTL is already P-complete. Hence our results indicate that in most applications, approaching CTL model checking by parallelism will not result in the desired speed-up. We also completely determine the complexity of the model checking problem for all fragments of the extensions ECTL, CTL+, and ECTL+.
Model Checking CTL is Almost Always Inherently Sequential
The model checking problem for CTL is known to be P-complete (Clarke,
Emerson, and Sistla (1986), see Schnoebelen (2002)). We consider fragments of
CTL obtained by restricting the use of temporal modalities or the use of
negations---restrictions already studied for LTL by Sistla and Clarke (1985)
and Markey (2004). For all these fragments, except for the trivial case without
any temporal operator, we systematically prove model checking to be either
inherently sequential (P-complete) or very efficiently parallelizable
(LOGCFL-complete). For most fragments, however, model checking for CTL is
already P-complete. Hence our results indicate that, in cases where the
combined complexity is of relevance, approaching CTL model checking by
parallelism cannot be expected to result in any significant speedup. We also
completely determine the complexity of the model checking problem for all
fragments of the extensions ECTL, CTL+, and ECTL+.
Analysis of partial Software Model Checking results
Static code analysis tools have shown significant progress in the last decade. One formulation of the problem to be solved is to discover whether a property is necessarily satisfied by a given system under analysis or whether, on the contrary, there are executions of that system that violate the desired property. This statement of the problem is known as Software Model Checking, and it is undecidable in the general case. Software Model Checking tools usually seek to reach a position where they can produce an affirmative result, confirming that the property is satisfied, or a negative one, which usually includes a counterexample that violates the property in question. However, in many cases the tools are forced to produce a third result, indicating that the property could not be proved but no counterexample could be generated either. Beyond the theoretical limits mentioned, in practice the problem turns out to be intractable for a large number of relevant instances because it consumes a great deal of resources and time, even in cases where a solution would eventually be reached. In these cases the vast majority of tools tell the user only that the verification attempt did not reach a conclusive result, with no further clarification. This work focuses on providing the user with additional information in such verification attempts. With that goal in mind, we propose different ways of presenting and interpreting the information that can be extracted in these cases, taking into account the different possible degrees of familiarity the user may have with the underlying verification techniques.
In particular, we focus on a broad family of verification techniques and present several views of the progress made by the tool before the verification attempt was interrupted, accompanied by their corresponding formal characterization. Additionally, we adapt the notion of coverage, more frequently used in testing, to the family of techniques analyzed. In both cases we provide algorithms that automatically generate both the proposed views and under-approximations of the coverage metric. The proposed techniques are evaluated on widely used benchmark instances, both to determine their practicality in terms of the execution time required and to analyze the interpretability of the generated results. The experiments carried out confirm that it is feasible to extract information from inconclusive results and to interpret those results, revealing non-trivial information.
Static analysis tools have shown significant progress in the past decade. The problem these tools tackle can be formulated as deciding whether a property always holds for a specific system-under-verification or, on the contrary, a certain execution in fact violates the desired safety property. Such a problem definition is known as Software Model Checking and is, in the general case, undecidable. Software Model Checkers usually attempt to either prove the property holds or, when it does not, to produce a counterexample that constitutes a violation. However, in many cases, tools produce neither and instead they are forced to produce a third kind of result, indicating the attempt failed to produce a conclusive result, i.e. the property could not be proved but a counterexample was not found either. Taking the undecidability results aside, in practice the problem remains intractable for a large number of industrial instances due to the immense resources required to solve them, even when a conclusive result would, at last, be produced.
In all of these cases most tools would indicate, without any further clarification, that the resource limits were reached and the result was inconclusive. This work aims to provide users with additional information in these cases. With that goal, we propose a number of approaches to presenting and interpreting the information that can be extracted from an inconclusive verification attempt. Moreover, we take into account the different possible degrees of expertise that a user could have with the underlying verification techniques and attempt to make our output understandable to all users. Concretely, we focus on a broad family of verification techniques and present a number of views of the progress achieved during verification. We provide, in each case, a formal characterization. Furthermore, we adapt the notion of coverage, more commonly used in testing, to the family of verification techniques discussed. In both cases, we present algorithms to automatically compute both the views and the coverage metric proposed without requiring additional user input. The ideas proposed are evaluated on standard benchmark instances, both to assess the practicality in terms of performance and also to determine the understandability of the results generated. Our experiments confirm that it is possible to extract information from inconclusive verification results and gather non-trivial insights from the results.
Affiliation: Castaño, Rodrigo. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales; Argentina
Progress in Certifying Hardware Model Checking Results
We present a formal framework to certify k-induction-based model checking results. The key idea is the notion of a k-witness circuit, which simulates the given circuit and has a simple inductive invariant serving as proof certificate. Our approach allows proofs to be checked by an independent proof checker by reducing the certification problem to pure SAT checks and checking a simple QBF with one quantifier alternation. We also present Certifaiger, the resulting certification toolkit, and evaluate it on instances from the hardware model checking competition. Our experiments show the practical use of our certification method.
Peer reviewed
Model-checking Quantitative Alternating-time Temporal Logic on One-counter Game Models
We consider quantitative extensions of the alternating-time temporal logics
ATL/ATLs called quantitative alternating-time temporal logics (QATL/QATLs) in
which the value of a counter can be compared to constants using equality,
inequality and modulo constraints. We interpret these logics in one-counter
game models which are infinite duration games played on finite control graphs
where each transition can increase or decrease the value of an unbounded
counter. That is, the state space of these games is, in general, infinite. We
consider the model-checking problem of the logics QATL and QATLs on one-counter
game models with VASS semantics for which we develop algorithms and provide
matching lower bounds. Our algorithms are based on reductions of the
model-checking problems to model-checking games. This approach makes it quite
simple for us to deal with extensions of the logical languages as well as the
infinite state spaces. The framework generalizes on one hand qualitative
problems such as ATL/ATLs model-checking of finite-state systems,
model-checking of the branching-time temporal logics CTL and CTLs on
one-counter processes and the realizability problem of LTL specifications. On
the other hand the model-checking problem for QATL/QATLs generalizes
quantitative problems such as the fixed-initial credit problem for energy games
(in the case of QATL) and energy parity games (in the case of QATLs). Our
results are positive as we show that the generalizations are not too costly
with respect to complexity. As a byproduct we obtain new results on the
complexity of model-checking CTLs in one-counter processes and show that
deciding the winner in one-counter games with LTL objectives is
2ExpSpace-complete.
Comment: 22 pages, 12 figures
Safety Model Checking with Complementary Approximations
Formal verification techniques such as model checking are becoming popular
in hardware design. SAT-based model checking techniques such as IC3/PDR have
gained significant success in the hardware industry. In this paper, we present a
new framework for SAT-based safety model checking, named Complementary
Approximate Reachability (CAR). CAR is based on standard reachability analysis,
but instead of maintaining a single sequence of reachable-state sets, CAR
maintains two sequences of over- and under-approximate reachable-state sets,
checking safety and unsafety at the same time. To construct the two sequences,
CAR uses standard Boolean-reasoning algorithms, based on satisfiability
solving, one to find a satisfying cube of a satisfiable Boolean formula, and
one to provide a minimal unsatisfiable core of an unsatisfiable Boolean
formula. We applied CAR to 548 hardware model-checking instances, and compared
its performance with IC3/PDR. Our results show that CAR is able to solve 42
instances that cannot be solved by IC3/PDR. When evaluated against a portfolio
that includes IC3/PDR and other approaches, CAR is able to solve 21 instances
that the other approaches cannot solve. We conclude that CAR should be
considered as a valuable member of any algorithmic portfolio for safety model
checking.