Temporal Logic Model Checking

ion reduces the state space by removing irrelevant features of a Kripke structure. Given a Kripke structure K, an abstraction is a Kripke structure K̂ such that K̂ is significantly smaller than K, and K̂ preserves a useful class of specifications for K. Consequently, the expensive task of model checking K can be reduced to the more feasible task of model checking K̂. We know from above that in order to preserve all CTL specifications, K and K̂ must be bisimilar. But bisimilarity, by its very definition, expresses that K and K̂ are behaviorally equivalent. Consequently, K̂ still models a lot of irrelevant behavior and will therefore be quite large in general. Temporal Logic Model Checking 551 A more practical approach is to employ the fact explained in Section 2 that simulation preserves ACTL! formulas, i.e., A * B and B |= φ imply A |= φ. Consequently, for an abstract system K̂ where K * K̂ holds, a successful run of the model checker over K̂ implies correctness over the original Kripke structure K, without model checking K. The converse implication, however, will not hold in general: an ACTL! property which is false in K̂ may still be true in K. In this case, the abstract counterexample obtained over K̂ cannot be reconstructed for the concrete Kripke structure K, and is called a spurious counterexample [10], or a false negative. An important instance of simulation-based abstraction is existential abstraction [11, 14] where the abstract states are essentially equivalence classes of concrete states; a transition between two abstract states holds if there was a transition between any two concrete member states in the corresponding equivalence classes. Formally, an abstraction function h is a surjection h : S → Ŝ where Ŝ is the set of abstract states. The surjection h induces an equivalence relation ≡ on the state space S where d ≡ e iff h(d) = h(e). The abstract Kripke structure K̂ = (Ŝ, Ŝ0, R̂, L̂,AP) derived from h is defined as follows:Kripke structure K̂ = (Ŝ, Ŝ0, R̂, L̂,AP) derived from h is defined as follows: Ŝ0 = {d̂ | ∃d ∈ S0 . h(d) = d̂} R̂ = {(d̂1, d̂2) | ∃d1, d2 ∈ S . h(d1) = d̂1 ∧ h(d2) = d̂2 ∧ R(d1, d2)}