Generation of Minimum Tree-Like Witnesses for Existential CTL

Abstract

An advantage of model checking is its ability to generate witnesses or counterexamples. Approaches exist to generate small or minimum witnesses for simple unnested formulas, but no existing method guarantees minimality for general nested ones. Here, we give a definition of witness size, use edge-valued decision diagrams to recursively compute the minimum witness size for each subformula, and describe a general approach to build minimum tree-like witnesses for existential CTL. Experimental results show that for some models, our approach is able to generate minimum witnesses while the traditional approach is not.

1 Introduction

Model checking is an automated technique to rigorously establish the correctness of a system by exploring its computation graph, explicitly or symbolically. Instead of merely answering “yes” or “no”, model checkers may be able to return a witness or counterexample to verify satisfaction or violation of a specification. Since witnesses and counterexamples provide important debugging information and may be inspected by engineers, smaller ones are always preferable.

Computation Tree Logic (CTL) is widely used to express temporal properties due to its simple yet expressive semantics. Although much work has been published on witness or counterexample generation [8, 11, 14], to the best of our knowledge, no existing method guarantees their minimality for a general CTL formula with nested temporal quantifiers. Clarke et al. [7] showed that the general form of a counterexample to a universal CTL formula is tree-like; of course, for CTL, counterexample generation for a universal formula can be converted to witness generation for an existential formula, thus we choose to limit our discussion to witness generation for the existential fragment of CTL. The use of backward exploration to verify \({\mathbf {\mathsf{{EX}}}}\), \({\mathbf {\mathsf{{EF}}}}\), and \({\mathbf {\mathsf{{EU}}}}\) properties inherently guarantees minimality of their linear witnesses, while a minimum lasso-shaped \({\mathbf {\mathsf{{EG}}}}\) witness can be generated by computing transitive closures, for example using the saturation algorithm [17]. However, these approaches do not extend to general tree-like witnesses, i.e., local minimality does not imply global minimality.

By recursively computing local fixpoints, the saturation algorithm [3] has clear advantages over traditional symbolic breadth-first approaches for state-space generation. It has also been applied to the computation of minimum \({\mathbf {\mathsf{{EF}}}}\) [4] and \({\mathbf {\mathsf{{EG}}}}\) [17] witnesses. Here, we extend these ideas into a global approach to build minimum witnesses for arbitrary existential CTL formulas.

Our paper is organized as follows. Section 2 summarizes background on CTL, decision diagrams, and symbolic CTL model checking. Section 3 defines the witness size and formalizes the computation of its minimum. Section 4 proposes saturation-based algorithms to symbolically encode minimum witness sizes for each existential temporal operator, needed to obtain an overall minimum witness size. Section 5 describes how to generate a witness from the computed witness size functions. Section 6 presents experimental results, Sect. 7 comments on our definition of witness size, and Sect. 8 concludes and outlines future work.

2 Background

We denote sets using calligraphic letters (e.g., \(\mathcal {A}\), \(\mathcal {B}\), \(\mathcal {C}\)), except for the booleans \(\mathbb {B}= \{0,1\}\), the natural numbers \(\mathbb {N}= \{0,1,2...\}\), and \(\mathbb {N}_{\infty }= \mathbb {N}\cup \{\infty \}\).

2.1 Kripke Structures, CTL, and Witnesses

A Kripke structure is a tuple \((\mathcal {S},\mathcal {S}_{init},\mathcal {N}, \mathcal {A},\mathcal {L})\), where \(\mathcal {S}\) is the state space, \(\mathcal {S}_{init} \subseteq \mathcal {S}\) are the initial states, \(\mathcal {N}\!:\!\mathcal {S}\!\rightarrow \! 2^{\mathcal {S}}\) is the next-state function, \(\mathcal {A}\) is a set of atomic propositions, and \(\mathcal {L}:\mathcal {S}\rightarrow 2^{\mathcal {A}}\) is a labeling that gives the atomic propositions holding in each state (subject to \( true \in \mathcal {A}\) holding in every state).

We assume \(\mathcal {S}\) to be the product \(\mathcal {S}_{1} \times \cdots \times \mathcal {S}_{L}\) of L finite state spaces, i.e., each global state \(\mathbf {i}\in \mathcal {S}\) is a tuple \((i_1,...,i_L)\), where \(i_k \in \mathcal {S}_k\) is the local state for the \(k^{\mathrm {th}}\) submodel. We also assume \(\mathcal {N}\) to be disjunctively partitioned according to a set \(\mathcal {E}\) of asynchronous events, i.e., \(\mathcal {N}= \bigcup _{e \in \mathcal {E}} \mathcal {N}_e\) and, for each \(e \in \mathcal {E}\), \(\mathcal {N}_e\!:\!\mathcal {S}\!\rightarrow \! 2^{\mathcal {S}}\). \(\mathcal {N}_e(\mathbf {i})\) contains the states that can be nondeterministically reached in one step when event e occurs in state \(\mathbf {i}\). Correspondingly, we let \(\mathcal {N}^{-1}_e\) denote the previous-state function, i.e., \(\mathcal {N}_e^{-1}(\mathbf {j}) = \{\mathbf {i}: \mathbf {j}\in \mathcal {N}_e(\mathbf {i})\}\), the set of states that can reach \(\mathbf {j}\) in one step through the occurrence of event e, and we let \(\mathcal {N}^{-1} = \bigcup _{e \in \mathcal {E}} \mathcal {N}_e^{-1}\).

Let \(\mathcal {P}(\mathbf {i})\) be the set of paths starting at \(\mathbf {i}\in \mathcal {S}\), i.e., finite sequences \((\mathbf {i}_0,\mathbf {i}_1,...,\mathbf {i}_n)\) for \(n \ge 0\), or infinite sequences \((\mathbf {i}_0,\mathbf {i}_1,...)\), where \(\mathbf {i}_0 = \mathbf {i}\) and \(\mathbf {i}_m \in \mathcal {N}(\mathbf {i}_{m-1})\) for all applicable m. Let \(\mathcal {C}(\mathbf {i}) \subseteq \mathcal {P}(\mathbf {i})\) be the set of cycles starting at \(\mathbf {i}\), i.e., finite paths \((\mathbf {i}_0,\mathbf {i}_1,...,\mathbf {i}_n)\) with \(n > 0\) and \(\mathbf {i}_0 = \mathbf {i}_n = \mathbf {i}\).

We consider ECTL, the existential fragment of the temporal logic CTL [6], where formulas have syntax (\(\phi \) and \(\rho \) are formulas, a is an atomic proposition):

$$ \phi \,\,{:}{:}\!= a \,|\, \lnot a \,|\, \phi \wedge \rho \,|\, \phi \vee \rho \,|\, {\mathbf {\mathsf{{EX}}}}\phi \,|\, {\mathbf {\mathsf{{E}}}}\phi {\mathbf {\mathsf{{U}}}}\rho \,|\, {\mathbf {\mathsf{{EG}}}}\phi , $$

and the conditions for state \(\mathbf {i}\) to satisfy formula \(\phi \), written \(\mathbf {i}\models \phi \), are as follows:

(formula \({\mathbf {\mathsf{{EF}}}}\phi \) is just a shorthand for \({\mathbf {\mathsf{{E}}}} true {\mathbf {\mathsf{{U}}}}\phi \), so we do not discuss it separately).

Since the state space \(\mathcal {S}\) is finite, all infinite paths contain a cycle. Thus, path \((\mathbf {i}_0,\mathbf {i}_1,...)\) demonstrating \(\mathbf {i}\, \models \, {\mathbf {\mathsf{{EG}}}}\phi \) must have a finite prefix \((\mathbf {i}_0,...,\mathbf {i}_m,...,\mathbf {i}_n)\), for some \(m \ge 0\) and \(n > m\), where \(\mathbf {i}_m = \mathbf {i}_n\), that is, it is a “lasso” formed by merging (on state \(\mathbf {i}_m\)) a possibly empty “handle” \((\mathbf {i}_0,...,\mathbf {i}_m)\) and a “cycle” \((\mathbf {i}_m,...,\mathbf {i}_n)\).

We focus on witness generation, i.e., the computation of “tree-like” subgraphs demonstrating how a state satisfies an ECTL formula. This also serves to generate counterexamples for ACTL, the universal fragment of CTL, since a counterexample to \({\mathbf {\mathsf{{AX}}}}\phi \), \({\mathbf {\mathsf{{AG}}}}\phi \), or \({\mathbf {\mathsf{{A}}}}[\phi {\mathbf {\mathsf{{U}}}}\rho ]\) is a witness to \({\mathbf {\mathsf{{EX}}}}(\lnot \phi )\), \({\mathbf {\mathsf{{EF}}}}(\lnot \phi )\), or \({\mathbf {\mathsf{{E}}}}[\lnot \rho {\mathbf {\mathsf{{U}}}}(\lnot \phi \wedge \lnot \rho )] \vee {\mathbf {\mathsf{{EG}}}}(\lnot \rho )\), respectively (where the negation \(\lnot \) can be “pushed down” to atomic propositions), i.e., the negation of an ACTL formula is an ECTL formula.

2.2 Decision Diagrams

We encode sets and relations symbolically with (ordered) multiway decision diagrams (MDDs) [10]. An L-level MDD over \(\mathcal {S}= \mathcal {S}_1 \times \cdots \times \mathcal {S}_L\) is an acyclic directed edge-labeled level graph with terminal nodes 0 and 1, at level 0, while each nonterminal node p is at some level \(p. lvl = k \in \{1,...,L\}\), and, for \(i_k \in \mathcal {S}_k\), has an outgoing edge labeled with \(i_k\) and pointing to a child \(p[i_k]\) at level \(p[i_k]. lvl < k\).

MDD node p at level k encodes function \(f_p : \mathcal {S}\rightarrow \mathbb {B}\), recursively defined by \(f_p(i_1,...,i_L) = f_{p[i_k]}(i_1,...,i_L)\), with base case \(f_p(i_1,...,i_L) = p\) when \(k = 0\). Interpreting \(f_p\) as an indicator function, p encodes set \(\mathcal {X}_p = \{\mathbf {i}: f_p(\mathbf {i}) = 1\} \subseteq \mathcal {S}\). To encode relations over \(\mathcal {S}\), we use 2L-level MDDs over \((\mathcal {S}_1 \times \mathcal {S}_1) \times \cdots \times (\mathcal {S}_L \times \mathcal {S}_L)\), where the first set in each pair corresponds to a “from”, or “unprimed”, local state and the second set corresponds to a “to”, or “primed”, local state.

We use instead (ordered) additive edge-valued MDDs, (EV\(^+\)MDDs) [4] to encode partial integer-valued functions. An EV\(^+\)MDD is an acyclic directed edge-labeled and edge-valued level graph with terminal node \(\varOmega \), at level 0, while each nonterminal node p is at some level \(p. lvl = k \in \{1,...,L\}\), and, for \(i_k \in \mathcal {S}_k\), has an outgoing edge with label \(i_k\), pointing to a child \(p[i_k].c\) at a level \(p[i_k].c. lvl < k\), and value \(p[i_k].v \in \mathbb {N}_{\infty }\). We write \(p[i_k] = \langle {p[i_k].v}, {p[i_k].c}\rangle \).

EV\(^+\)MDD node p at level k encodes function \(f_p: \mathcal {S}\rightarrow \mathbb {N}_{\infty }\) recursively defined by \(f_p(i_1,...,i_L) = p[i_k].v + f_{p[i_k].c}(i_1,...,i_L)\), with base case \(f_{\varOmega }(i_1,...,i_L) = 0\).

For efficiency, we restrict ourselves to canonical forms of decision diagrams, where each function that can be encoded by a given class of decision diagrams has a unique representation in that class. All such forms forbid duplicate nodes: if \(p. lvl = q. lvl = k > 0\) and \(\forall i_k \in \mathcal {S}_k, p[i_k] = q[i_k]\), then \(p = q\). For ease of exposition, we only consider the quasi-reduced form in this paper, achieved by forbidding skipped levels: all roots (nodes without parent nodes) are at level L and, if \(p. lvl = k\), then all p’s children are at level \(k-1\). For EV\(^+\)MDDs, in addition, we require normalized nodes: each nonterminal node must have at least one edge with value 0 and all edges with value \(\infty \) must point to \(\varOmega \). This means that the minimum value of the function encoded by any node is 0, but we can encode any partial function \(g : \mathcal {S}\rightarrow \mathbb {N}_{\infty }\) with a “root edge” \(\langle {\sigma }, {p}\rangle \), where \(\sigma \) is the minimum value assumed by g, while p at level L satisfies \(f_p = g - \sigma \).

However, our algorithms are actually implemented using the more efficient fully-identity-reduced form for 2L-level MDDs and EV\(^+\)MDDs (indicated MDD2 and EV\(^+\)MDD2 in our algorithms, respectively) [5]. This form allows us to exploit independence of events from local states: given \(e \in \mathcal {E}\), let \( Top (e) = k\) if e affects or depends on the \(k^{\mathrm {th}}\) local state but not the \(l^{\mathrm {th}}\) one, for any \(l > k\). In the following, we then define \(\mathcal {N}_k = \bigcup _{e : Top (e) = k} \mathcal {N}_e\).

Procedure \( Min \) in Fig. 1 shows the classic recursive manipulation of decision diagrams. Given functions \(f, g: \mathcal {S}\rightarrow \mathbb {N}_{\infty }\), let \( Min _{f,g}: \mathcal {S}\rightarrow \mathbb {N}_{\infty }\) be their element-wise minimum: for \(\mathbf {i}\in \mathcal {S}\), \( Min _{f,g}(\mathbf {i}) = \min \{f(\mathbf {i}), g(\mathbf {i})\}\). Given two EV\(^+\)MDDs \( \langle {\alpha }, {p}\rangle \) and \( \langle {\beta }, {q}\rangle \) encoding f and g, procedure \( Min \) returns the EV\(^+\)MDD encoding \( Min _{f, g}\). As the EV\(^+\)MDDs are quasi-reduced, \(p. lvl \!=\! q. lvl \) unless \(\alpha \!=\! \infty \) or \(\beta \!=\! \infty \).

Procedure \( Normalize \) (line 8) normalizes a node u by subtracting the minimum edge value \(\mu \) from all its edge values, so that at least one is 0, stores the normalized u in the unique table (if not already there), and returns \(\langle {\mu }, {u}\rangle \).

Throughout this paper, procedures \( XxxGet \) (line 4) or \( XxxPut \) (line 10) are queries to or insertions into compute tables (or “caches”), commonly used in decision diagrams operations to avoid re-computation. The structure of the hash key and returned value may of course depend on the specific operation \( Xxx \).

Fig. 1.

Algorithm to compute the element-wise minimum of two functions.

2.3 Symbolic CTL Algorithms

McMillan proposed symbolic CTL model checking based on binary decision diagrams (BDDs) [12]. Given the BDDs encoding the set of states satisfying \(\phi \) and \(\rho \), algorithms to compute the BDD encoding the set of states satisfying \({\mathbf {\mathsf{{EX}}}}\phi \), \({\mathbf {\mathsf{{E}}}}\phi {\mathbf {\mathsf{{U}}}}\rho \), and \({\mathbf {\mathsf{{EG}}}}\phi \) suffice, since all CTL formulas can be expressed using these three CTL operators, plus the standard logical operations of negation, conjunction, and disjunction. Using MDDs instead of BDDs is a relatively obvious extension.

Clarke et al. [8] proposed the first symbolic approach to CTL witness generation. Considering first unnested CTL formulas, a witness for \({\mathbf {\mathsf{{EX}}}}a\) can be generated by one image computation, and is by definition minimum since all witnesses have size two. Using a symbolic breadth-first search, witness generation for \({\mathbf {\mathsf{{E}}}}a {\mathbf {\mathsf{{U}}}}b\) also guarantees minimality, while minimality is more difficult to satisfy for \({\mathbf {\mathsf{{EG}}}}a\), where a witness is a path from an initial state to a cycle, such that all states along that path and on the cycle satisfy a. In other words, a state \(\mathbf {i}\) satisfying \({\mathbf {\mathsf{{EG}}}}a\) must have a successor also satisfying \({\mathbf {\mathsf{{EG}}}}a\); thus, we can incrementally build a path of states satisfying \({\mathbf {\mathsf{{EG}}}}a\), which must finally lead to a state already on the path, closing the cycle and resulting in a witness. A witness generation algorithm for (weakly fair) \({\mathbf {\mathsf{{EG}}}}\) was proposed in [8] based on this idea. Since \(\mathbf {i}\) might have multiple successors satisfying \({\mathbf {\mathsf{{EG}}}}a\), the algorithm is nondeterministic and the size of the witness depends on the state chosen at each step. While the algorithm uses a symbolic encoding, the approach is largely explicit, as it follows a single specific path. Decision diagrams help by efficiently encoding all states satisfying \({\mathbf {\mathsf{{EG}}}}\), but offer no help at all when deciding which of the states in \(\mathcal {N}(\mathbf {i})\) satisfying \({\mathbf {\mathsf{{EG}}}}\) should be chosen next, to continue the path from \(\mathbf {i}\).

Witness generation for arbitrarily nested CTL formulas is much harder. Of course, we cannot exhibit witnesses for universal formulas, only counterexamples, thus the presence of both existential and universal (non-negated) quantifiers in a CTL formula \(\phi \) means that we can neither provide a witness (in case \(\phi \) holds) nor a counterexample (in case \(\phi \) does not hold). The most general approach to date is by Clarke et al. [7] for general (nested) ACTL formulas, which proposed algorithms to generate tree-like counterexamples, or witnesses for general (nested) ECTL formulas. However, their work did not address minimality.

3 Defining the Minimum Witness Size

We focus on the generation of minimum witnesses for general (nested) ECTL formulas. As discussed by Clarke et al. [7], these witnesses are finite tree-like Kripke structures and complete for ECTL. To discuss their size, we unfold these witnesses, i.e., the same state may appear multiple times and each appearance contributes to the count defining the size of the witness. For example, consider the (portion of a) Kripke structure shown in Fig. 2(a), satisfying formula \({\mathbf {\mathsf{{E}}}}({\mathbf {\mathsf{{EG}}}}a) {\mathbf {\mathsf{{U}}}}b\) (state are identified by numbers and the atomic propositions holding in each state are listed close to it). An unfolded tree-like witness for this formula is shown in Fig. 2(b), where state 5’s self-loop is repeated three times, once for each of the states 1, 2, and 3, since we need to show that each of them satisfies \({\mathbf {\mathsf{{EG}}}}a\) (for clarity, a cycle is represented as a linear path along which the first and the last states are the same; dashed nodes represent the states closing cycles). Another way to think of this witness is that the first states of paths \([\![{1,5,\overline{5}}]\!]\), \([\![{2,5,\overline{5}}]\!]\), and \([\![{3,5,\overline{5}}]\!]\), each satisfying the inner formula \(\phi ' = {\mathbf {\mathsf{{EG}}}}a\), are “glued” onto the first three states of path \([\![{1,2,3,4}]\!]\), satisfying the outermost formula \({\mathbf {\mathsf{{E}}}}\phi ' {\mathbf {\mathsf{{U}}}}\phi ''\), as is the first (and only) state of path \([\![{4}]\!]\), satisfying the (atomic) inner formula \(\phi '' = b\). We write \(\overline{5}\) for the last state of the \({\mathbf {\mathsf{{EG}}}}\) witnesses to stress that state 5 does not need to have its witness repeated, since it is just closing the cycle. We define the size of a witness as the number of nodes in the resulting tree-like graph. Thus, a witness for a is path \([\![{1}]\!]\), of size 1, a witness for \({\mathbf {\mathsf{{EX}}}}a\) is path \([\![{1,2}]\!]\), of size 2, a witness for \({\mathbf {\mathsf{{E}}}}a {\mathbf {\mathsf{{U}}}}b\) is path \([\![{1, 2, 3, 4}]\!]\), of size 4, and a witness to \({\mathbf {\mathsf{{E}}}}({\mathbf {\mathsf{{EG}}}}a) {\mathbf {\mathsf{{U}}}}b\) is the three-like graph \([\![{[\![{1,5,\overline{5}}]\!], [\![{2,5,\overline{5}}]\!], [\![{3,5,\overline{5}}]\!], 4}]\!]\), of size 10. For conjunction, we need additional path notation: a witness for \({\mathbf {\mathsf{{EX}}}}a \wedge {\mathbf {\mathsf{{E}}}}a {\mathbf {\mathsf{{U}}}}b\) is a tree-like graph \([\![{[\![{1,5}]\!] \Diamond [\![{1, 2, 3, 4}]\!]}]\!]\), of size 5, where the separator \(\Diamond \) indicates that the tree-like graphs to its left and its right are to be merged on their root.

Fig. 2.

A Kripke structure satisfying \({\mathbf {\mathsf{{E}}}}({\mathbf {\mathsf{{EG}}}}a) {\mathbf {\mathsf{{U}}}}b\) and its tree-like witness.

We recursively define function \({\pi }_{\phi }: \mathcal {S}\rightarrow \mathbb {N}_{\infty }\) describing the minimum witness size for an ECTL formula \(\phi \) starting from a state \(\mathbf {i}\in \mathcal {S}\) as follows:

where \(\mathcal {C}(\mathbf {i})\) is the set of cycles starting at \(\mathbf {i}\), and \(\chi _{\phi }(\mathbf {i})\) is the minimum witness size among cycles satisfying \({\mathbf {\mathsf{{EG}}}}\phi \) and starting at \(\mathbf {i}\). In the sum for \(\chi _{\phi }(\mathbf {i})\), we exclude \({\pi }_{\phi }(\mathbf {i}_0)\) and add 1 because state \(\mathbf {i}= \mathbf {i}_0 = \mathbf {i}_n\) starting and ending the cycle appears twice, but we should not count the witness for \(\mathbf {i}\,\models \, \phi \) twice.

4 Computing the Minimum Witness Size

The first and most complex step to generate a minimum tree-like witness for an arbitrary ECTL formula \({\phi ^*}\) is to build: (1) for each subformula \(\phi \) of \({\phi ^*}\), starting from the innermost atomic propositions, an EV\(^+\)MDD encoding the size \({\pi }_{\phi }(\mathbf {i})\) of a minimum witness for \(\phi \) starting from each state \(\mathbf {i}\), and (2) for each subformula \({\mathbf {\mathsf{{EG}}}}\phi \) of \({\phi ^*}\), an EV\(^+\)MDD2 encoding the size, \(TC_{\phi }(\mathbf {i},\mathbf {j})\), of a minimum witness for a path of states satisfying \(\phi \) from each state \(\mathbf {i}\) to each state \(\mathbf {j}\).

We present algorithms to compute the minimum witness size for \({\mathbf {\mathsf{{EU}}}}\) and \({\mathbf {\mathsf{{EG}}}}\), while we omit the simpler ones for logical operators, \({\mathbf {\mathsf{{EX}}}}\), and atomic propositions.

4.1 Computing the Minimum Witness Size for \({\mathbf {\mathsf{{EU}}}}\) Formulas

In [15], we introduced a “constrained” variant of saturation that restricts exploration to states satisfying a given property. Instead of applying “after-the-fact” intersections, this approach employs a “check-and-fire” policy, firing an event only when the next states to be obtained satisfy the given property, through an on-the-fly check. Now, we further extend this idea to take into account the sizes of subwitnesses demonstrating the satisfaction of subformulas.

Fig. 3.

Algorithm to compute the minimum witness size for \({\mathbf {\mathsf{{EU}}}}\) formulas.

\( EUSat \) in Fig. 3 is the top-level procedure to compute \({\pi }_{{\mathbf {\mathsf{{E}}}}\phi {\mathbf {\mathsf{{U}}}}\rho }\), given \(\langle {\alpha _{\rho }}, {p_{\rho }}\rangle \) encoding \({\pi }_{\rho }\) and \(\langle {\beta _{\phi }}, {q_{\phi }}\rangle \) encoding \({\pi }_{\phi }\) (both obtained by computing the minimum witness size function of subformulas). \( ConsSat \) computes a fixpoint for the subfunction encoded by \(\langle {\alpha }, {p}\rangle \), under constraint \(\langle {\beta }, {q}\rangle \), w.r.t. events affecting variables up to p’s level. \( ConsRelProdSat \) first recursively computes the \(\langle {\beta }, {q}\rangle \)-constrained relational product of \(\langle {\alpha }, {p}\rangle \) and r (specifically, it serves as a constrained version of the pre-image operation since we use the previous-state function), then it saturates the resulting node to ensure that it reaches a local fixpoint.

When exploring the pre-image of state \(\mathbf {i}\), we compute, for each predecessor \(\mathbf {j}\in \mathcal {N}(\mathbf {i})\), the sum of \({\pi }_{\rho }(\mathbf {j})\) and the value currently associated to \(\mathbf {i}\) (line 3 in \( ConsRelProdSat \)), and use it to reduce the value associated to \(\mathbf {j}\), if smaller (line 12 in \( ConsSat \) and line 8 in \( ConsRelProdSat \)). Upon reaching a fixpoint, we have the size of the minimum tree-like \({\mathbf {\mathsf{{E}}}}\phi {\mathbf {\mathsf{{U}}}}\rho \) witness for each state \(\mathbf {i}\) (\(\infty \) if ).

The hash-key for the cache entries of \( ConsSat \) and \( ConsRelProdSat \) consists of two nodes, p and q, plus the value \(\beta \) attached to the edge for q, representing the constraint. Storing the difference \(\alpha - \beta \), as done for \( Min \), would be incorrect because saturation computes local fixpoints and thus may fire an event multiple times in one call, and \(\alpha \) just serves as an offset to all the values in the final function, while, for each individual state, it does not affect whether the new value obtained from one firing is smaller than the currently associated value. In other words, if it is known that \( ConsSat (\langle {0}, {p}\rangle ,\langle {\beta }, {q}\rangle ) = \langle {\gamma }, {u}\rangle \), then we can conclude that \( ConsSat (\langle {\alpha }, {p}\rangle ,\langle {\beta }, {q}\rangle ) = \langle {\alpha +\gamma }, {u}\rangle \), for any \(\alpha > 0\).

4.2 Computing the Minimum Witness Size for \({\mathbf {\mathsf{{EG}}}}\) Formulas

A witness of \({\mathbf {\mathsf{{EG}}}}p\) is a lasso-shaped infinite path consisting of a finite prefix leading to a cycle [1]. Thus, two steps are needed to compute a minimum tree-like witness for \({\mathbf {\mathsf{{EG}}}}\phi \): (1) identify all states in cycles of states satisfying \(\phi \), and their minimum witness size; (2) starting from these states, explore the model backward to find all states satisfying \({\mathbf {\mathsf{{EG}}}}p\), and their minimum witness size. This second step is essentially an \({\mathbf {\mathsf{{EU}}}}\) computation, thus we focus on the first step.

Given a graph, the transitive closure (TC) describes the reachability between any pair of nodes. Computing TCs was deemed infeasible for large models [13], but recent attempts using saturation to compute TCs symbolically have been successful [16, 17]. We generalize this approach so that, for \({\mathbf {\mathsf{{EG}}}}\phi \), the size of a minimum \(\phi \) witness for each state in a \(\phi \) cycle contributes to the cycle size.

We compute function \(TC_{\phi }: \mathcal {S}\times \mathcal {S}\rightarrow \mathbb {N}_{\infty }\) s.t. \(TC_{\phi }(\mathbf {i}, \mathbf {j})\) is the minimum size of any path \(\mathbf {i}, \mathbf {i}_1, \cdots , \mathbf {j}\), computed as \({\pi }_{\phi }(\mathbf {i}_1) + \cdots + {\pi }_{\phi }(\mathbf {j})\), or \(\infty \) if no such path exists. We do not include \({\pi }_{\phi }(\mathbf {i})\) because we compute \(TC_{\phi }\) to obtain the minimum witness size of cycles, \(\chi _{\phi }(\mathbf {i}) = TC_{\phi }(\mathbf {i}, \mathbf {i}) + 1\), and \({\pi }_{\phi }(\mathbf {i})\) should not be added twice.

The procedure to compute \(TC_{\phi }\) is analogous to a symbolic implementation of Dijkstra’s algorithm in a weighted graph. We initialize the function

$$\begin{aligned} \lambda _{\phi }(\mathbf {i}_1, \mathbf {i}_2) = \left\{ \begin{array}{l @{~~} l} {\pi }_{\phi }(\mathbf {i}_2) &{} \text{ if } \mathbf {i}_2 \in \mathcal {N}(\mathbf {i}_1)\text{, } \mathbf {i}_1 \, \models \, \phi \text{, } \text{ and } \mathbf {i}_2 \, \models \, \phi \\ \infty &{} \text{ otherwise } \end{array} \right. \end{aligned}$$

and repeat the following computation until reaching a fixpoint:

$$\begin{aligned} \lambda _{\phi }(\mathbf {i}_1, \mathbf {i}_2) = \min \{\lambda _{\phi }(\mathbf {i}_1, \mathbf {i}_2), \min \{\lambda _{\phi }(\mathbf {i}_1, \mathbf {i}) + {\pi }_{\phi }(\mathbf {i}_2) : \forall \mathbf {i}\in \mathcal {N}^{-1}(\mathbf {i}_2)\}\} . \end{aligned}$$

Fig. 4.

Algorithm to compute the minimum witness size for \({\mathbf {\mathsf{{EG}}}}\) formulas.

This iteration never increases the value of \(\lambda _{\phi }\), thus it terminates, and when it does the resulting fixpoint is \(TC_{\phi }\). Procedures \( TCSat \) and \( TCRelProdSat \) in Fig. 4 are similar to \( ConsSat \) and \( ConsRelProdSat \) in Fig. 3, except that they apply saturation to an EV\(^+\)MDD2. \( TCMin \) (line 14 in \( TCSat \), line 11 in \( TCRelProdSat \)) is an implementation of \( Min \) over pairs of states: for each \(\mathbf {i}, \mathbf {j}\in \mathcal {S}\), \( TCMin _{f,g}(\mathbf {i}, \mathbf {j}) = \min \{ f(\mathbf {i}, \mathbf {j}), g(\mathbf {i}, \mathbf {j}) \}\).

Finally, we compute \({\pi }_{{\mathbf {\mathsf{{EG}}}}\phi }\) with procedure EGSat, where \(\langle {\beta _{\phi }}, {q_{\phi }}\rangle \) encodes \({\pi }_{\phi }\). \( BuildLambda \) (line 1) builds an EV\(^+\)MDD2 encoding function \(\lambda _{\phi }\), to initialize the computation of \(TC_{\phi }\). \( ExtractCycles \) (line 2) returns an EV+MDD encoding \(\chi _{\phi }(\mathbf {i})\) by extracting elements \(TC_{\phi }(\mathbf {i}, \mathbf {i})\) from \(TC_{\phi }\), for \(\mathbf {i}\in \mathcal {S}\), and adding 1 to them.

5 Generating a Minimum Tree-Like Witness

Recall that, if function f is encoded as an EV\(^+\)MDD, one can retrieve \( MinVal (f)\), the minimum value of f, in constant time (as the value labeling the edge pointing to the root node) and \( MinState (f)\), a state achieving that minimum value, in time proportional to the number of levels L (follow a path of 0-valued edges from the root to \(\varOmega \)). Evaluating \(f(\mathbf {i})\) for a given state \(\mathbf {i}\) also requires just L steps.

To obtain a minimum overall witness recursively, we start from an initial state \({\mathbf {i}^*}\) with a minimum witness for \({\phi ^*}\). This state can be found by building an EV\(^+\)MDD encoding the function \(f_{init} : \mathcal {S}\rightarrow \{0,\infty \}\) evaluating to 0 iff \(\mathbf {i}\in \mathcal {S}_{init}\), and then the EV\(^+\)MDD encoding \({\pi }_{{\phi ^*}\wedge init }\), the elementwise maximum of \(f_{init}\) and \({\pi }_{{\phi ^*}}\) (i.e., the restriction of the minimum witness size for \({\phi ^*}\) to the initial states). If \( MinVal ({\pi }_{{\phi ^*}\wedge init }) = \infty \), no initial state satisfies \({\phi ^*}\), thus no witness exists. Otherwise, there is a minimum witness of size \( MinVal ({\pi }_{{\phi ^*}\wedge init })\) starting from an initial state \({\mathbf {i}^*}= MinState ({\pi }_{{\phi ^*}\wedge init })\), and the call \( MinWit ({\mathbf {i}^*},{\phi ^*},{\pi }_{{\phi ^*}}({\mathbf {i}^*}))\) (see Fig. 5) will recursively generate one such minimum witness.

Fig. 5.

Algorithm to generate a minimum tree-like witness.

6 Experimental Results

We implemented both our EV\(^+\)MDD-based approach to generate minimum tree-like witnesses (MinWit) and the traditional MDD-aided BFS approach [7] to generate (not necessarily minimum) tree-like witnesses (Wit) in our model checker SMART [2]. Then we ran them on a benchmark suite consisting of nine Petri net models from the 2017 Model Checking Contest (https://mcc.lip6.fr/2017/). All models have one or more scaling parameters affecting the number of states and state-to-state transitions, thus the model size and complexity. To generate tree-like witnesses, we define an ECTL formula that the model satisfies (the specific formula is listed in the results presented in Table 1). The datasets we utilized are available in the figshare repository [9].

Table 1. Performance comparison of MinWit and Wit.

For MinWit, we run each model instance with a timeout of one hour, and report the runtime, the peak memory consumption, and the size of the minimum witness. For Wit, we run each instance 100 times and report the total runtime, the peak memory consumption, and the minimum, average and maximum size among the all the generated witnesses. The minimum witness size is in bold when Wit did not manage to generate a minimum witness in any of the 100 runs. Obviously, the choice of \(R = 100\) runs is arbitrary: the larger R is, the more likely Wit is to generate smaller witnesses, possibly a minimum one, but, on the other hand, the overall time Wit spends for witness generation is roughly proportional to R. Fundamentally, however, we have no easy way to know if the smallest witness generated by Wit is a minimum one, regardless of how large R is, while MinWit guarantees minimality.

A few observations are in order. First, it is not surprising that MinWit is sometimes orders of magnitude slower and requires more memory than Wit. Building EV\(^+\)MDDs or EV\(^+\)MDD2s encoding both states and size information is much more expensive than the image computations on MDDs used to just run the model checking phase, as Wit does. However, this is offset by a minimality guarantee. Interestingly, there are cases where MinWit completes with a runtime and memory consumption comparable to a single run of Wit (e.g., Kanban) or even faster (e.g., SmallOS). We give credit to the saturation algorithm for its efficient locality-exploiting exploration.

Second, for models where small, simple witnesses exist, Wit may be able to generate a minimum witness. Since the backward exploration guarantees the local minimality of subwitnesses for \({\mathbf {\mathsf{{EX}}}}\), \({\mathbf {\mathsf{{EF}}}}\) and \({\mathbf {\mathsf{{EU}}}}\) segments, such greedy strategy may result in a global minimum witness, determined by the structure of the model. But this occurrence cannot be guaranteed, regardless of whether we use 100 runs or 10,000 runs, so that, even when Wit happens to generate a minimum witness, users do not know that this is indeed the case.

Third, for models where only large, complex witnesses exist, generating a minimum witness is almost impossible for Wit, while the witness from MinWit can be only 40% as large as the smallest one generated by Wit (e.g., CircularTrain with \(N=24\)). Additionally, Wit’s greedy strategy may trap itself into a local optimum. For example, the ECTL formula used for model MAPK does not contain \({\mathbf {\mathsf{{EG}}}}\), and the minimum, average, and maximum witness sizes generated by Wit are equal, implying that Wit is unaware of other possibilities when it chooses branching states. Adopting a probabilistic non-optimal strategy like simulated annealing may alleviate this problem, but it still would not provide guarantees and would likely require many more runs.

The main limitation of MinWit is that, since computing the minimum witness size function is computationally intensive, long runtimes and large amounts of memory are required as the model complexity scales up. However, engineers usually debug models with small scaling parameters first, perhaps running model checking tools overnight, thus, the resource requirement of MinWit may often be acceptable in practice. In real-world applications, we believe that MinWit and Wit can complement each other. Wit generates a large number of witnesses in a short time, but if all the witnesses are complex, MinWit can be run to find a smaller, easier-to-inspect one. Conversely, if MinWit fails to generate a minimum witness due to time or memory limitation, Wit can be run to obtain not-necessarily-minimum ones by running it repeatedly, as many times as one can afford. The best approach, given enough resources and in the presence of critical deadlines, may well be to run both methods in parallel, so that we can be sure to have a minimum witness if MinWit completes, but we have at least some witnesses from Wit, if MinWit fails to complete in time.

7 A Comment About Our Definition of Witness Size

In Sect. 3, we defined the witness size as “the number of appearances of states in the unfolded tree-like witness”. An alternative definition could have been “the number of distinct states in the unfolded tree-like witness”. However, a state may appear multiple times for different purposes in a witness. For example, the witness for \({\mathbf {\mathsf{{EF}}}}(a \wedge {\mathbf {\mathsf{{EG}}}}b)\) in Fig. 6 contains state 2 twice, one in \([\![{3,2,\overline{3}}]\!]\) to verify for the \({\mathbf {\mathsf{{EG}}}}\) fragment, the other in \([\![{1,2,3}]\!]\) to verify the \({\mathbf {\mathsf{{EF}}}}\) fragment. Considering each appearance separately makes each subpath independently verifiable, while merging states that appear multiple times and counting only distinct states loses this information. Admittedly, our definition of witness size also enables our approach to obtain minimum witnesses, while we do not know a practical algorithm that can derive minimum witnesses according to a definition of size where common paths and states appearing multiple times are counted without repetition. Of course, after obtaining a minimum witness according to our definition, we could attempt to merge shared portions among subpaths that demonstrate the same property, but doing so would not generally result in minimum witnesses according to this alternative view of witness size.

Fig. 6.

A witness for \({\mathbf {\mathsf{{EF}}}}(a \wedge {\mathbf {\mathsf{{EG}}}}b)\).

8 Conclusions

We presented a definition of witness size and an approach to compute minimum tree-like witnesses for ECTL formulas, based on edge-valued decision diagrams to capture a global view of witness size. Experimental results demonstrate that our approach is able to generate minimum witnesses (with a guarantee that it is doing so) for some models, while the traditional approach is not. While the runtime and memory requirements of our approach tend to be higher, sometimes they are comparable to that of the traditional approach.

There are several directions for future work to improve this approach itself or extend its applicability. One interesting possibility is to selectively employ our approach or the traditional approach for different subformulas; this would not guarantee witness minimality, but could generate smaller witness than with the traditional approach alone, while being faster than using our approach alone. Especially for \({\mathbf {\mathsf{{EG}}}}\) formulas, the traditional approach has no global view about the size of witnesses it generates, while, for formulas where the minimum witness size from each state varies widely, the EV\(^+\)MDDs and EV\(^+\)MDD2s built by our method tend to be large and costly to compute. Thus, heuristics that consider both the structure of the model and of the formula are needed.

Finally, our approach could be further extended by generalizing the concept of “size” to “weight”. Specifically, by assigning a weight to each state, engineers could convey their preference to model checkers, which would then tend to generate witnesses containing the desired states and subpaths, instead of just counting the number of states in the witness. The algorithmic difference in doing so would be negligible, the only additional cost could be a potential growth in the size of the corresponding EV\(^+\)MDDs and EV\(^+\)MDD2s, as the functions being encoded might have less sharing of nodes.

Data Availability Statement and Acknowledgments

The datasets we utilized are available in the figshare repository [9]. This work was supported in part by the National Science Foundation under grant ACI-1642397.