Testing reactive systems with data: enumerative methods and constraint solving

ion, i.e. ha(a(d)) = a(hd(d)), so that two actions a(x) and b(y) cannot be mapped to the same abstract action. However, applying abstractions directly on a system’s specification S rather than on its LTS leads to a loss of precision. Let S be the abstract interpretation of S, and let M and M be their underlying LTSs. It is well known that M is only an overapproximation of α(M), with α(M) denoting the abstraction of M on the level of LTSs here (cf. Clarke et al., 1994). In particular, we will still have trace inclusion up to α: M ⊆α α(M) ⊆α M. 7.3.2 Abstraction of eALTL formulae The abstraction of eALTL formulae is based on the notions of contracting and precise abstractions as introduced by Kesten and Pnueli (2000). In a contracting abstraction, a property φ holds for a trace π if and only if the property φ holds for all concrete traces π with π = α(π). Note that for soundness of abstract model checking, we need contracting abstractions. This does, however, not imply that all properties that hold for the original system, must also hold in the abstract system (see Figure 7.4, ellipse vs. the hatched square). In precise abstractions, this cannot happen. Definition 7.10 (Contracting and Precise Abstraction). Let φ be a property over an alphabet Λ. Its abstraction φ is contracting if and only if: ∀π ∈ Λ : α(π) |= φ ⇒ π |= φ. precise if and only if: ∀π ∈ Λ : α(π) |= φ ⇔ π |= φ. In the following, we will define an abstraction of eALTL formulae that is guaranteed to be contracting. We will first consider action formulae. For the standard boolean operations, as well as for > and ⊥, abstractions are straight forward. The difficult part are those formulae, where statements are made whether an action label belongs to a particular set of labels or not. We abstract those as follows: In the positive case, we preserve the name of the action under consideration, since we only abstract data here. For parameters, we check whether all concrete data values for the abstract one fulfill the original data property expr(x). For the abstraction of the negation of such a set formula, we require either the action name to be different or none of the concrete data values for the abstracted parameters to fulfill the expression. This is not exactly the inverse of the abstracted positive set formula, but we want to achieve a contracting abstraction as shown in Figure 7.4. Doing so is safer w.r.t. counterexamples found for the abstract system, since the abstract system does not fulfill more properties than the original one. Definition 7.11 (Abstraction of Action Formulae). Action formulae as defined in Definition 7.2 are abstracted as follows: 7.3 Abstracting eALTL 155 α(>) := > (7.6) α(⊥) := ⊥ (7.7) α({a(x) | expr(x)}) := {a(x) | ∀x : hd(x) = x → expr(x))} (7.8) α(¬{a(x) | expr(x)}) := ∨