Counterexample-Guided Control

A major hurdle in the algorithmic veri cation and control of systems is the need to nd suitable abstract models, which omit enough details to overcome the state-explosion problem, but retain enough details to exhibit satisfaction or controllability with respect to the speci cation. The paradigm of counterexample-guided abstraction re nement suggests a fully automatic way of nding suitable abstract models: one starts with a coarse abstraction, attempts to verify or control the abstract model, and if this attempt fails and the abstract counterexample does not correspond to a concrete counterexample, then one uses the spurious counterexample to guide the re nement of the abstract model. We present a scheme for counterexample-guided re nement with the following properties. First, our scheme is the rst such method for control. The main diÆculty here is that in control, unlike in veri cation, counterexamples are strategies in a game between system and controller. Second, our scheme can be implemented symbolically and is therefore applicable to in nite-state systems. Third, in the case that the controller has no choices, our scheme subsumes the known algorithms for counterexample-guided veri cation. In particular, we present a symbolic algorithm that employs counterexample-guided abstraction re nement in a uniform way to check satisfaction as well as controllability for all linear-time speci cations (LTL or Buchi automata). Our algorithm is game-based and can be applied in all situations where games provide an adequate model, such as supervisory control, hardware and program synthesis and modular veri cation.