Detecting Spurious Counterexamples Efficiently in Abstract Model Checking

Abstraction is one of the most important strategies for dealing with the state space explosion problem in model checking. In the abstract model, the state space is largely reduced, however, a counterexample found in such a model may not be a real counterexample in the concrete model. Accordingly, the abstract model needs to be further refined. How to check whether or not a reported counterexample is spurious is a key problem in the abstraction-refinement loop. In this paper, a formal definition for spurious path is given. Based on it, efficient algorithms for detecting spurious counterexamples are proposed.

💡 Research Summary

The paper addresses a fundamental bottleneck in counterexample‑guided abstraction‑refinement (CEGAR): determining whether a counterexample produced by an abstract model is spurious, i.e., does not correspond to any concrete execution. The authors first formalize the notion of a “failure state” within a counterexample. Given an abstraction function h : S → Ŝ that maps concrete states S to abstract states Ŝ, each abstract state ŝ has a concrete pre‑image h⁻¹(ŝ). For a counterexample Π̂ = ⟨ŝ₀, ŝ₁, …, ŝₙ⟩, they define two families of concrete state sets: Inⁿ(ŝᵢ) (states in h⁻¹(ŝᵢ) reachable from h⁻¹(ŝᵢ₋₁) within n steps) and Outⁿ(ŝᵢ) (states in h⁻¹(ŝᵢ) that can reach h⁻¹(ŝᵢ₊₁) within n steps). The unions In̂(ŝᵢ)=⋃ₙ Inⁿ(ŝᵢ) and Out̂(ŝᵢ)=⋃ₙ Outⁿ(ŝᵢ) capture all concrete states that can be entered from the predecessor and exit to the successor, respectively. An abstract state ŝᵢ is a failure state iff In̂(ŝᵢ)∩Out̂(ŝᵢ)=∅. Consequently, a counterexample is spurious if it contains at least one failure state.

The classic SplitPath algorithm checks spuriousness by iteratively intersecting reachable concrete state sets along the whole prefix of the counterexample. For infinite counterexamples, it must unwind loops a polynomial number of times, leading to high overhead. The authors propose a new family of algorithms that rely only on the immediate predecessor and successor of each abstract state, eliminating the need for full prefix recomputation.

Algorithm CheckSpurious‑I processes the counterexample’s Complete Finite Prefix (CFP). For each position i, it computes In̂(ŝᵢ) and Out̂(ŝᵢ) and tests whether their intersection is empty. The first i where the intersection is empty yields the first failure state; if none exist, the counterexample is real. Because only local information is required, the algorithm works for both finite and infinite counterexamples without repeated loop unwinding, achieving linear time O(n) in the length of the CFP.

Algorithm CheckSpurious‑II observes that several failure states may appear in a single counterexample. Refining the “heaviest” failure state—i.e., the one that participates in the most concrete paths—can reduce the total number of refinement iterations. The weight of an abstract state ŝ is defined as w(ŝ)=E_in(ŝ)·E_out(ŝ), where E_in counts edges entering h⁻¹(ŝ) from outside and E_out counts edges leaving h⁻¹(ŝ) to outside. The algorithm sorts the states in the counterexample by decreasing weight and then applies the same local failure test. By targeting the most influential failure state first, the overall CEGAR loop converges faster.

Algorithms CheckSpurious‑III and CheckSpurious‑IV exploit the locality of the failure test for parallel execution. Each processor independently checks a subset of indices i; if any processor discovers a failure state, a shared flag aborts all other workers and the failure state is reported. If no processor finds a failure, the counterexample is real. This design scales naturally on multicore or cluster architectures, offering near‑linear speedup.

The paper also provides a detailed example (traffic‑light controller) illustrating how abstraction can introduce an infinite spurious loop that SplitPath would need to unwind many times, while the new algorithms detect the failure after examining only the loop’s entry and exit states.

In terms of complexity, CheckSpurious‑I runs in O(n) time and O(1) additional space per state, dramatically improving over SplitPath’s O(n·k) where k is the number of unwindings. CheckSpurious‑II adds a sorting step O(n log n) but reduces the number of refinement cycles. The parallel versions achieve theoretical speedup proportional to the number of processors, limited only by synchronization overhead.

Overall, the contribution is threefold: (1) a rigorous formal definition of spurious counterexamples via failure states; (2) efficient sequential algorithms that avoid costly loop unwinding and prioritize the most impactful refinements; (3) parallel algorithms that make spurious‑counterexample detection scalable. The proposed methods are compatible with existing SAT‑based model checkers and can be integrated into CEGAR frameworks to accelerate verification of large hardware and software systems.