Publication


Featured research published by Arie Gurfinkel.


ACM Transactions on Software Engineering and Methodology | 2003

Multi-valued symbolic model-checking

Marsha Chechik; Benet Devereux; Steve M. Easterbrook; Arie Gurfinkel

This article introduces the concept of multi-valued model-checking and describes a multi-valued symbolic model-checker, ΧChek. Multi-valued model-checking is a generalization of classical model-checking, useful for analyzing models that contain uncertainty (lack of essential information) or inconsistency (contradictory information, often occurring when information is gathered from multiple sources). Multi-valued logics support the explicit modeling of uncertainty and disagreement by providing additional truth values in the logic. This article provides a theoretical basis for multi-valued model-checking and discusses some of its applications. A companion article [Chechik et al. 2002b] describes implementation issues in detail. The model-checker works for any member of a large class of multi-valued logics. Our modeling language is based on a generalization of Kripke structures, where both atomic propositions and transitions between states may take any of the truth values of a given multi-valued logic. Properties are expressed in ΧCTL, our multi-valued extension of the temporal logic CTL. We define the class of logics, present the theory of multi-valued sets and multi-valued relations used in our model-checking algorithm, and define the multi-valued extensions of CTL and Kripke structures. We explore the relationship between ΧCTL and CTL, and provide a symbolic model-checking algorithm for ΧCTL. We also address the use of fairness in multi-valued model-checking. Finally, we discuss some applications of the multi-valued model-checking approach.


International Conference on Concurrency Theory | 2003

Multi-valued Model Checking via Classical Model Checking

Arie Gurfinkel; Marsha Chechik

Multi-valued model-checking is an extension of classical model-checking to reasoning about systems with uncertain information, which are common during early design stages. The additional values of the logic are used to capture the degree of uncertainty. In this paper, we show that the multi-valued μ-calculus model-checking problem is reducible to several classical model-checking problems. The reduction allows one to reuse existing model-checking tools and algorithms to solve multi-valued model-checking problems. This paper generalizes, extends and corrects previous work in this area, done in the context of 3-valued models, symbolic model-checking, and De Morgan algebras.


International Workshop on Model Checking Software | 2001

Model-checking infinite state-space systems with fine-grained abstractions using SPIN

Marsha Chechik; Benet Devereux; Arie Gurfinkel

In analyzing infinite-state systems, it is often useful to define multiple-valued predicates. Such predicates can determine the (finite) levels of desirability of the current system state and transitions between them. We can capture multiple-valued predicates as elements of a logic defined over finite total orders (FTOs). In this paper we extend automata-theoretic LTL model-checking to reasoning about a class of multiple-valued logics. We also show that model-checking over FTOs is reducible to classical model-checking, and thus can be implemented in SPIN.


Tools and Algorithms for Construction and Analysis of Systems | 2004

How Vacuous Is Vacuous

Arie Gurfinkel; Marsha Chechik

Model-checking gained wide popularity for analyzing software and hardware systems. However, even when the desired property holds, the property or the model may still require fixing. For example, a property ϕ: “on all paths, a request is followed by an acknowledgment”, may hold because no requests have been generated. Vacuity detection has been proposed to address the above problem. This technique is able to determine that the above property ϕ is satisfied vacuously in systems where requests are never sent. Recent work in this area enabled the computation of interesting witnesses for the satisfaction of properties (in our case, those that satisfy ϕ and contain a request) and vacuity detection with respect to subformulas with single and multiple subformula occurrences.


Computer Aided Verification | 2006

YASM: a software model-checker for verification and refutation

Arie Gurfinkel; Ou Wei; Marsha Chechik

This paper presents Yasm: a (yet another) software model-checker based on the Counter-Example Guided Abstraction Refinement (CEGAR) [6] framework. A number of well-engineered software model-checkers are available, e.g., Slam [1] and Blast [12]. Why build another one?

Traditional software model-checkers build over-approximating abstractions of the programs they analyze and typically bias their analysis towards proving that a (safety) property of interest holds (verification). On the other hand, since model-checkers are widely known for their bug-finding abilities, they are often used for refutation. In this case, the above approach seems unreasonable: why introduce spurious behaviour and make it more difficult to find a real bug? For such circumstances, one would just want to prove that the property is false (refutation). No witness for that is required.


Tools and Algorithms for Construction and Analysis of Systems | 2006

Why waste a perfectly good abstraction

Arie Gurfinkel; Marsha Chechik

Software model-checking based on the CEGAR framework can be made more precise by separating non-determinism from the lack of information due to abstraction. The two can be modeled individually using four-valued Belnap logic. In addition, this logic allows reasoning about negations effectively and thus enables checking of full CTL. In this paper, we present Yasm – a new symbolic software model-checker. Preliminary experience with Yasm shows that our implementation can effectively construct and analyze Belnap models without a substantial overhead when compared to its classical counterparts.


IEEE Transactions on Software Engineering | 2003

Temporal logic query checking: a tool for model exploration

Arie Gurfinkel; Marsha Chechik; Benet Devereux

Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol ?₁, known as a placeholder. Given a Kripke structure and a propositional formula φ, we say that φ satisfies the query if replacing the placeholder by φ results in a temporal logic formula satisfied by the Kripke structure. A solution to a temporal logic query on a Kripke structure is the set of all propositional formulas that satisfy the query. Query checking helps discover temporal properties of a system and, as such, is a useful tool for model exploration. In this paper, we show that query checking is applicable to a variety of model exploration tasks, ranging from invariant computation to test case generation. We illustrate these using a Cruise Control System. Additionally, we show that query checking is an instance of a multi-valued model checking of Chechik et al. This approach enables us to build an implementation of a temporal logic query checker, TLQSolver, on top of our existing multi-valued model checker ΧChek. It also allows us to decide a large class of queries and introduce witnesses for temporal logic queries, an essential notion for effective model exploration.


Formal Methods in Computer Aided Design | 2004

Extending Extended Vacuity

Arie Gurfinkel; Marsha Chechik

There has been a growing interest in detecting whether a logic specification holds in the system vacuously. For example, a specification “every request is eventually followed by an acknowledgment” holds vacuously on those systems that never generate requests. In a recent paper, Armoni et al. have argued against previous definitions of vacuity, defined as sensitivity with respect to syntactic perturbation. They suggested that vacuity should be robust, i.e., insensitive to trivial changes in the logic and in the model, and is better described as sensitivity with respect to semantic perturbation, represented by universal propositional quantification. In this paper, we extend the above suggestion by giving a formal definition of robust vacuity that allows us to define and detect vacuous satisfaction and vacuous failure for arbitrary CTL* properties, even with respect to multiple occurrences of subformulas. We discuss complexity of our approaches and study the relationship between vacuity and abstraction.


Foundations of Software Engineering | 2002

Model exploration with temporal logic query checking

Arie Gurfinkel; Benet Devereux; Marsha Chechik

A temporal logic query is a temporal logic formula with placeholders. Given a model, a solution to a query is a set of assignments of propositional formulas to placeholders, such that replacing the placeholders with any of these assignments results in a temporal logic formula that holds in the model. Query checking, first introduced by William Chan [Chan 2000], is an automated technique for finding solutions to temporal logic queries. It allows discovery of the temporal properties of the system and as such may be a useful tool for model exploration and reverse engineering. This paper describes an implementation of a temporal logic query checker. It then suggests some applications of this tool, ranging from invariant computation to test case generation, and illustrates them using a Cruise Control System.


Computer Aided Verification | 2002

ΧChek: A Multi-valued Model-Checker

Marsha Chechik; Arie Gurfinkel; Benet Devereux

ΧChek is a multi-valued symbolic model-checker [CDE01a, CDEG01]. It is a generalization of an existing symbolic model-checking algorithm to an algorithm for a multi-valued extension of CTL (ΧCTL). Given a system and a ΧCTL property, ΧChek returns the degree to which the system satisfies the property. By multi-valued logic we mean a logic whose values form a finite quasi-boolean distributive lattice. The meet and join operations of the lattice are interpreted as the logical “and” and “or”, respectively. The negation is given by a lattice dual-automorphism with period 2, ensuring the preservation of involution of negation (¬¬a = a) and De Morgan laws. For example, a 3-valued logic of abstraction (3), consisting of values true (T), maybe (M), and false (F), is given in Figure 1(a), where the negation operator is defined as: ¬T = F, ¬F = T, and ¬M = M.

Collaboration

Top co-authors of Arie Gurfinkel:

Ou Wei, University of Toronto
David Lie, University of Toronto
Kelvin Ku, University of Toronto