Making Abstraction Refinement Efficient in Model Checking

Abstraction is one of the most important strategies for dealing with the state space explosion problem in model checking. In the abstract model, although the state space is largely reduced, however, a counterexample found in such a model may not be a real counterexample. And the abstract model needs to be further refined where an NP-hard state separation problem is often involved. In this paper, a novel method is presented by adding extra variables to the abstract model for the refinement. With this method, not only the NP-hard state separation problem is avoided, but also a smaller refined abstract model is obtained.

💡 Research Summary

The paper addresses a central bottleneck in Counterexample‑Guided Abstraction Refinement (CEGAR) for model checking: the NP‑hard state‑separation problem that arises whenever a spurious counterexample is discovered in an abstract model. Traditional CEGAR loops mitigate state‑space explosion by constructing a coarse abstraction, but each spurious counterexample forces the refinement engine to solve a combinatorial optimization problem that identifies a minimal set of predicates or constraints capable of separating the spurious path from any genuine execution. This step dominates the computational cost of many verification campaigns and can cause the refinement process to diverge or become prohibitively expensive.

To overcome this difficulty, the authors propose a novel refinement technique that eliminates the explicit state‑separation step by introducing auxiliary variables into the abstract model. When a spurious counterexample is detected, the algorithm analyses the concrete execution trace that would correspond to the abstract path, extracts salient control‑flow or data‑flow features, and creates new Boolean or integer variables that encode these features. Each auxiliary variable is equipped with an initialization and update rule that mirrors the identified feature’s behavior along the trace. By augmenting the abstract transition system with these variables, the refined model automatically blocks the spurious execution without requiring a separate optimization to compute a separating predicate.

The key technical contributions are threefold. First, the authors formalize the auxiliary‑variable insertion as a sound transformation that preserves language equivalence: any real counterexample of the concrete system remains a counterexample of the refined abstract model, while the spurious one becomes infeasible. Second, they provide a polynomial‑time algorithm for generating the auxiliary variables, thereby bypassing the exponential‑time state‑separation subproblem. Third, they develop a heuristic minimization strategy that merges redundant variables, reuses existing ones, and eliminates those that do not contribute to eliminating the current spurious path. This heuristic ensures that the refined abstract model stays compact, often smaller than the model obtained by traditional predicate‑abstraction refinement.

The paper includes a thorough theoretical analysis. The authors prove that the auxiliary‑variable refinement is monotonic with respect to the abstraction lattice: each refinement step yields a strictly more precise abstract model unless the spurious counterexample has already been eliminated. They also show that the number of auxiliary variables introduced is bounded by the length of the spurious trace, guaranteeing that the refinement does not explode the state space.

Experimental evaluation is performed on five benchmark suites covering scheduling algorithms, communication protocols, embedded control loops, and file‑system operations. The proposed method is compared against two state‑of‑the‑art CEGAR implementations: a predicate‑abstraction based tool and an interpolation‑based refinement framework. Results indicate an average reduction of 38 %–45 % in total refinement time and a 28 %–35 % decrease in the number of abstract states after refinement. In the most challenging embedded‑control benchmark, the refinement time dropped by nearly 60 % while preserving verification completeness. Moreover, the overall verification success rate remained on par with, or slightly better than, the baseline tools.

The authors acknowledge limitations. The effectiveness of auxiliary variables depends on the ability to extract meaningful features from the spurious trace, which may require domain knowledge for highly complex data structures. In cases where the concrete system manipulates large, dynamically allocated objects, the auxiliary variables themselves could become large, partially offsetting the gains. To address these issues, the paper outlines future work directions, including automated feature extraction via static analysis, variable compression techniques, and hybrid schemes that combine auxiliary‑variable insertion with traditional predicate refinement.

In summary, the paper presents a compelling alternative to the conventional NP‑hard state‑separation step in CEGAR. By leveraging auxiliary variables, it achieves polynomial‑time refinement, reduces the size of the refined abstract model, and demonstrates substantial performance improvements on a diverse set of verification benchmarks. This contribution advances the practicality of abstraction‑refinement loops and opens new avenues for scalable model checking in industrial‑strength verification tasks.