Victor Roussanaly,Ocan Sankur,Nicolas Markey

DOI: https://doi.org/10.48550/arXiv.1905.07365

2019-05-17

Formal Languages and Automata Theory

Abstract:We present abstraction-refinement algorithms for model checking safety properties of timed automata. The abstraction domain we consider abstracts away zones by restricting the set of clock constraints that can be used to define them, while the refinement procedure computes the set of constraints that must be taken into consideration in the abstraction so as to exclude a given spurious counterexample. We implement this idea in two ways: an enumerative algorithm where a lazy abstraction approach is adopted, meaning that possibly different abstract domains are assigned to each exploration node; and a symbolic algorithm where the abstract transition system is encoded with Boolean formulas.

Fei He,He Zhu,William N. N. Hung,Xiaoyu Song,Ming Gu

DOI: https://doi.org/10.1109/tase.2010.27

2010-01-01

Abstract:Model checking suffers from the state explosion problem. Compositional abstraction and abstraction refinement have been investigated in many areas to address this problem. This paper considers the compositional model checking for timed systems. We present an automated approach which combines compositional abstraction and counter-example guided abstraction refinement (CEGAR). The proposed approach exploits the semantics of a timed automaton to procure its over-approximative abstraction. Any safety property which holds on the abstraction is guaranteed to hold on the concrete model. In the case of a spurious counter-example, our proposed approach refines and strengthens the abstraction in a component-wise method. We implemented our method with the model checking tool Uppaal. Experimental results show promising improvements.

Jingyi Wang,Jun Sun,Shengchao Qin,Cyrille Jegourel

DOI: https://doi.org/10.1109/tse.2018.2886898

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:Precisely modeling complex systems like cyber-physical systems is challenging, which often renders model-based system verification techniques like model checking infeasible. To overcome this challenge, we propose a method called LAR to automatically ‘verify’ such complex systems through a combination of learning, abstraction and refinement from a set of system log traces. We assume that log traces and sampling frequency are adequate to capture ‘enough’ behaviour of the system. Given a safety property and the concrete system log traces as input, LAR automatically learns and refines system models, and produces two kinds of outputs. One is a counterexample with a bounded probability of being spurious. The other is a probabilistic model based on which the given property is ‘verified’. The model can be viewed as a proof obligation, i.e., the property is verified if the model is correct. It can also be used for subsequent system analysis activities like runtime monitoring or model-based testing. Our method has been implemented as a self-contained software toolkit. The evaluation on multiple benchmark systems as well as a real-world water treatment system shows promising results.

Edmund M. Clarke,Ansgar Fehnker,Zhi Han,Bruce H. Krogh,Joël Ouaknine,Olaf Stursberg,Michael Theobald

DOI: https://doi.org/10.1142/S012905410300190X

2003-01-01

Abstract:Hybrid dynamic systems include both continuous and discrete state variables. Properties of hybrid systems, which have an infinite state space, can often be verified using ordinary model checking together with a finite-state abstraction. Model checking can be inconclusive, however, in which case the abstraction must be refined. This paper presents a new procedure to perform this refinement operation for abstractions of hybrid systems. Following an approach originally developed for finite-state systems [11, 25], the refinement procedure constructs a new abstraction that eliminates a counterexample generated by the model checker. For hybrid systems, analysis of the counterexample requires the computation of sets of reachable states in the continuous state space. We show how such reachability computations with varying degrees of complexity can be used to refine hybrid system abstractions efficiently. Examples illustrate our counterexample-guided refinement procedure. Experimental results for a prototype implementation indicate significant advantages over existing methods.

Fei He,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1093/comjnl/bxm085

2007-01-01

The Computer Journal

Abstract:Model checking has been considered as a promising approach to establish the correctness of systems. Counterexample-guided abstraction refinement is a key strategy for model checking in verification of large-scale systems. State separation problem poses the main hurdle during the refinement. We present two fast heuristics to solve this problem. We prove the effectiveness of our heuristics by both theoretical analysis and experimental results. Experimental results show the promising performance of our approach.

E Clarke,A Fehnker,Z Han,B Krogh,O Stursberg,M Theobald

DOI: https://doi.org/10.1007/3-540-36577-X_14

2003-01-01

Abstract:Hybrid dynamic systems include both continuous and discrete state variables. Properties of hybrid systems, which have an infinite state space, can often be verified using ordinary model checking together with a finite-state abstraction. Model checking can be inconclusive, however, in which case the abstraction must be refined. This paper presents a new procedure to perform this refinement operation for abstractions of infinite-state systems, in particular of hybrid systems. Following an approach originally developed for finite-state systems [1,2], the refinement procedure constructs a new abstraction that eliminates a counterexample generated by the model checker. For hybrid systems, analysis. of the counterexample requires the computation of sets of reachable states in the continuous state space. We show how such reachability computations with varying degrees of complexity can be used to refine hybrid system abstractions efficiently.. A detailed example illustrates our counterexample-guided refinement procedure. Experimental results for a prototype implementation of the procedure indicate its advantages over existing methods.

Zhenyu Chen,Conghua Zhou,Decheng Ding

DOI: https://doi.org/10.1109/HLDVT.2005.1568832

2005-01-01

Abstract:Model checking has emerged as a promising and powerful approach to analyze Petri nets automatically, but a main challenge is the state explosion problem. To obtain an efficient state space, we implement a series of formalisms based on Petri nets to achieve automatically predicate abstraction and refinement via new predicate discovery. However, the complicated predicates would slow down the abstraction refinement process. Novel Feature of our approach is minimizing the support of predicates, via diagnosing the failure reasons of transitions and projecting places on predicates to eliminate the dumb variables. In addition, a demonstrative example shows that our techniques could work efficiently on Petri nets.

Gerd Behrmann,Patricia Bouyer,Kim G. Larsen,Radek Pelánek

DOI: https://doi.org/10.1007/s10009-005-0190-0

2005-01-01

International Journal on Software Tools for Technology Transfer

Abstract:Timed automata have an infinite semantics. For verification purposes, one usually uses zone-based abstractions w.r.t. the maximal constants to which clocks of the timed automaton are compared. We show that by distinguishing maximal lower and upper bounds, significantly coarser abstractions can be obtained. We show soundness and completeness of the new abstractions w.r.t. reachability and demonstrate how information about lower and upper bounds can be used to optimise the algorithm for bringing a difference bound matrix into normal form. Finally, we experimentally demonstrate that the new techniques dramatically increase the scalability of the real-time model checker UPPAAL.

Cong Tian,Zhenhua Duan

DOI: https://doi.org/10.1109/icse.2013.6606566

2013-05-01

Abstract:Abstraction is one of the most important strategies for dealing with the state space explosion problem in model checking. With an abstract model, the state space is largely reduced, however, a counterexample found in such a model that does not satisfy the desired property may not exist in the concrete model. Therefore, how to check whether a reported counterexample is spurious is a key problem in the abstraction-refinement loop. Particularly, there are often thousands of millions of states in systems of industrial scale, how to check spurious counterexamples in these systems practically is a significant problem. In this paper, by re-analyzing spurious counterexamples, a new formal definition of spurious path is given. Based on it, efficient algorithms for detecting spurious counterexamples are presented. By the new algorithms, when dealing with infinite counterex-amples, the finite prefix to be analyzed will be polynomially shorter than the one dealt by the existing algorithm. Moreover, in practical terms, the new algorithms can naturally be parallelized that makes multi-core processors contributes more in spurious counterexample checking. In addition, by the new algorithms, the state resulting in a spurious path (false state) that is hidden shallower will be reported earlier. Hence, as long as a false state is detected, lots of iterations for detecting all the false states will be avoided. Experimental results show that the new algorithms perform well along with the growth of system scale.

Cong Tian,Zhao Duan,Zhenhua Duan

DOI: https://doi.org/10.1145/3183440.3194955

2018-01-01

Abstract:Model checking is an automatic approach in enhancing correctness of systems. However, when it is applied to discover flaws in software systems, most of the respective verification tools lack scalability due to the state-space explosion problem. Abstraction technique is useful in reducing the state space of systems. It maps a concrete set of states to a smaller set of states that is actually an approximation of the system with respect to the property of interest. Predicate abstraction [3] is one of the most often used methods for attaining a finite abstract model from a concrete program which is often even an infinite state system. With predicate abstraction, a finite set of predicates, which determines the precision of the abstraction, is selected to keep track of certain facts about the program variables. The model obtained via predicate abstraction is an over-approximation of the original program. Thus, spurious paths may exist when an insufficient set of predicates are considered.

Jan Onderka

2024-08-27

Abstract:We present a novel algorithmic framework for Three-valued Abstraction Refinement, which extends Counterexample-guided Abstraction Refinement with the ability to verify all properties of mu-calculus including recovery (the ability of the system to always return to a certain state). The framework performs refinement on abstract system inputs rather than abstract states, avoiding problems of previous frameworks. We formalise input-based refinement by introducing the concept of generating automata, and prove that our framework is sound, monotone, and complete. We evaluate the usefulness of the framework on its implementation in our free and open-source formal verification tool.

Logic in Computer Science

Johan Bengtsson,Wang Yi

DOI: https://doi.org/10.1007/978-3-540-27755-2_3

2004-01-01

Abstract:This chapter is to provide a tutorial and pointers to results and related work on timed automata with a focus on semantical and algorithmic aspects of verification tools. We present the concrete and abstract semantics of timed automata (based on transition rules, regions and zones), decision problems, and algorithms for verification. A detailed description on DBM (Difference Bound Matrices) is included, which is the central data structure behind several verification tools for timed systems. As an example, we give a brief introduction to the tool UPPAAL.

Shuhao Li,Sandie Balaguer,Alexandre David,Kim G. Larsen,Brian Nielsen,Saulius Pusinskas

DOI: https://doi.org/10.1007/s10703-010-0103-z

2010-01-01

Formal Methods in System Design

Abstract:This article proposes two approaches to tool-supported automatic verification of dense real-time systems against scenario-based requirements, where a system is modeled as a network of timed automata (TAs) or as a set of driving live sequence charts (LSCs), and a requirement is specified as a separate monitored LSC chart.We make timed extensions to a kernel subset of the LSC language and define a trace-based semantics. By translating a monitored LSC chart to a behavior-equivalent observer TA and then non-intrusively composing this observer with the original TA-modeled real-time system, the problems of scenario-based verification reduce to computation tree logic (CTL) real-time model checking problems. When the real-time system is modeled as a set of driving LSC charts, we translate these driving charts and the monitored chart into a behavior-equivalent network of TAs by using a "one-TA-per-instance line" approach, and then reduce the problems of scenario-based verification also to CTL real-time model checking problems. We show how we exploit the expressivity of the TA formalism and the CTL query language of the real-time model checker Uppaal to accomplish these tasks. The proposed two approaches are implemented in the Uppaal tool and built as a tool chain, respectively. We carry out a number of experiments with both verification approaches, and the results indicate that these methods are viable, computationally feasible, and the tools are effective.

Li,XiaoYu Song,Ming Gu,XiangYu Luo

DOI: https://doi.org/10.1007/s11432-010-4150-2

2010-01-01

Abstract:The paper presents a new approach to computing the abstract state and a maximum weight heuristic method for finding the shortest counter-example in verification of imperative programs. The strategy is incorporated in a verification system based on the counterexample-guided abstraction refinement method. The proposed method slashes both the size of the abstract state space and the number of invokes of a decision procedure. A number of benchmarks are employed to evaluate the effectiveness of the approach.

Stefan Leue,Wei Wei

DOI: https://doi.org/10.1007/11537328_8

2005-01-01

Abstract:In precursory work we suggested an abstraction-based highly scalable semi-test for the boundedness of Communicating Finite State Machine (CFSM) based modelling and programming languages. We illustrated its application to Promela and UML-RT models. The test is sound with respect to determining boundedness, but may return inconclusive ”counterexamples” when boundedness cannot be established. In this paper we turn to the question how to effectively determine the spuriousness of these counterexamples, and how to refine the abstraction based on the analysis. We employ methods from program analysis and illustrate the application of our refinement method to a number of Promela examples.

Fei He,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1145/1228784.1228878

2007-01-01

Abstract:Verification of complex system-on-a-chip (SoC) designs becomes a critical problem in practice. We consider using model checking to verify the correctness of such systems. We study the state separation problem in the framework of counterexample-guided abstraction refinement. We present two fast heuristics to solve this problem. To the best of our knowledge, our work is the first study on the effectiveness of greedy heuristics for this problem. In comparison with the latest work using the decision tree learning (DTL) solver, the proposed method performs about three orders of magnitude faster and the size of the separation set is 70% smaller on average.

Li Li,Ming Gu,Xiaoyu Song,Jianmin Wang

DOI: https://doi.org/10.1109/TASE.2008.18

2008-01-01

Abstract:The paper presents a new approach to computing the abstract state and a maximum weight heuristic method for finding the shortest counter-example in verification of imperative programs. The strategy is incorporated in a verification system based on the counterexample-guided abstraction refinement method. The proposed method slashes both the size of the abstract state space and the number of invokes of a decision procedure. A number of benchmarks are employed to evaluate the effectiveness of the approach.

Cong Tian,Zhenhua Duan,Zhao Duan

DOI: https://doi.org/10.1109/tse.2014.2357442

IF: 7.4

2014-01-01

IEEE Transactions on Software Engineering

Abstract:Counter-example guided abstraction refinement (CEGAR) is widely used in software model checking. With an abstract model, the state space is largely reduced, however, a counterexample found in such a model that does not satisfy the desired property may not exist in the concrete model. Therefore, how to check whether a reported counterexample is spurious is a key problem in the abstraction-refinement loop. Next, in the case that a spurious counterexample is found, the abstract model needs to be further refined where an NP-hard state separation problem is often involved. Thus, how to refine the abstract model efficiently has attracted a great attention in the past years. In this paper, by re-analyzing spurious counterexamples, a new formal definition of spurious paths is given. Based on it, efficient algorithms for detecting spurious counterexamples are presented. By the new algorithms, when dealing with infinite counterexamples, the finite prefix to be analyzed will be polynomially shorter than the one dealt with by the existing algorithms. Moreover, in practical terms, the new algorithms can naturally be parallelized that enables multi-core processors contributes more in spurious counterexample checking. In addition, a novel refining approach by adding extra Boolean variables to the abstract model is presented. With this approach, not only the NP-hard state separation problem can be avoided, but also a smaller refined abstract model can be obtained. Experimental results show that the new algorithms perform well in practice.

Tobias Amnell,Alexandre David,Elena Fersman,M. Oliver Moller,Paul Petterson,Wang Yi

2001-01-01

Abstract:We present a real-time extension of UML statecharts to enable modelling and verification of real-timed constraints. For clarity, we shall consider a reasonable subset of the rich UML statechart model and extend it with real-time constructs (clocks, timed guards, invariants and real-time tasks). We have developed a a rule-based formal semantics for the obtained formalism, called hierarchical timed automata (HTA). To use the existing tool UPPAAL for formal verification, HTA are translated to enriched timed automata model. We report on an XML based implementation of the translation from HTA to a network of timed automata and present an example to illustrate our technique and report run-time data for the formal verification part. We also report on a prototype implementation of the code synthesis for the legOS platform.

Lianyi Zhang,Qingdi Meng,Guiming Luo

DOI: https://doi.org/10.1109/compsac.2014.28

2014-01-01

Abstract:Compositional verification of invariants is a technique for alleviating the state explosion problem in component-based verification. The efficiency of these methods depends on abstraction, which leads to verification incompleteness. In this paper, we present a unified framework that combines compositional abstraction and counterexample-guided abstraction refinement (CEGAR) to address this incompleteness problem. We propose two refinement approaches: invariant strengthening and state partitioning. In the case of a spurious counterexample, our proposed invariant strengthening approach refines the abstraction by eliminating the infeasible states. The state partitioning approach exploits the semantics of component based systems and obtains a more precise system. Any safety property that holds on the abstraction is guaranteed to hold on the model refined by the state partitioning approach. The examples and experiments in this paper show that our verification method can achieve conclusive results in the verification of safety properties with deadlock freedom in component-based systems.