Counterexample Generation for Markov Chains using SMT-based Bounded Model Checking (cid:63)

. Generation of counterexamples is a highly important task in the model checking process. In contrast to, e. g., digital circuits where counterexamples typically consist of a single path leading to a critical state of the system, in the probabilistic setting counterexamples may consist of a large number of paths. In order to be able to handle large systems and to use the capabilities of modern SAT-solvers, bounded model checking (BMC) for discrete-time Markov chains was established. In this paper we introduce the usage of SMT-solving over linear real arithmetic for the BMC procedure. SMT-solving, extending SAT with theories in this context on the one hand leads to a convenient way to express conditions on the probability of certain paths and on the other hand allows to handle Markov reward models. We use the former to ﬁnd paths with high probability ﬁrst. This leads to more compact counterexamples. We report on some experiments, which show promising results.


Introduction
The verification of formal systems has gained great importance both in research and industry.Model checking proves or refutes automatically (i.e. without user interaction) that a system exhibits a given set of properties (see, e. g., [1]).In many cases model checking also provides helpful diagnostic information; in case of a defective system a counterexample in form of a witnessing run is returned.The usage of symbolic representations like ordered binary decision diagrams (OBDDs) [2] assures the usability of model checking for many kinds of large systems.However, there are classes of practically relevant systems for which even these OBDD-based methods fail.To fill this gap, bounded model checking (BMC) was developed [3].Thereby the existence of a path of fixed length that refutes the property under consideration is formulated as a satisfiability (SAT) problem.
As the size of the corresponding formula is relatively small and as modern SATsolvers have strongly evolved over the last 15 years, it is not surprising that this approach is very successful.
To model real-life scenarios it is often necessary to cope with specific uncertainties using probabilities.For instance, properties can be formulated in probabilistic computation tree logic (PCTL) [4] for models called discrete-time Markov chains (DTMCs).The classical model checking approach for this setting is based on the solution of a linear equation system [4].However, it lacks the generation of counterexamples, since the solution of the equation system yields only the mere probabilities without further information.
To provide a user with such diagnostic information for probabilistic systems, there have been some recent developments during the last few years [5][6][7][8][9].Contrary to, e. g., LTL model checking for digital systems, counterexamples for a PCTL property may consist of a large number of paths to reach certain probability bounds.Various techniques have been proposed to obtain compact representations: incrementally adding the paths with the highest probability [6,8], reducing the strongly connected components of the underlying digraph of a DTMC [5,9], and using regular expressions to describe whole sets of counterexamples [6].All these techniques rely on an explicit representation of the state space.
Bounded model checking for probabilistic systems in the context of counterexample generation was introduced in [7], which represents the state space symbolically.This procedure can be used to refute probabilistic reachability problems.They can be formulated in PCTL [4] as P ≤p (a U b) with atomic propositions a and b.The meaning of this formula is that the probability to reach a b-state, passing only a-states, may be at most p.The refutation is shown by using a SAT-solver to find paths satisfying the property whose joint probability measure exceeds the bound p.The input of the solver are propositional formulae that are satisfied iff the assignment of the variables corresponds to a sequence of states of the DTMC that represents a path to a target state.This process is significantly accelerated by a loop-detection mechanism, which is used to handle sets of paths which differ only in the number of unfoldings of the same loops.
A drawback of the state-of-the-art BMC procedure for DTMCs is that paths are found in an arbitrary order while for the size of counterexamples it is often advantageous to start with paths of high probability.Moreover, it is desirable to use this procedure for Markov reward models (MRMs), which extend DTMCs by the possibility to model costs (or dually rewards) of operations.MRMs allow to verify properties like "The probability to finish the computation with costs larger than c is at most 10 −3 ." In this paper we therefore extend stochastic BMC in order to handle these problems.Instead of using a SAT-solver, we use the more powerful approach of SMT-solving.SMT stands for satisfiability modulo theories and is a generalization of SAT [10].It allows to express propositional formulae representing paths to target states together with conditions on the probability of such paths.Furthermore, real numbers that are allocated to the states by a cost-function can be added up and restrictions on the accumulated costs of paths can be imposed.We will also show how this counterexample generation can be combined with minimization techniques for Markov chains in order not only to speed up the counterexample generation but also to obtain more abstract counterexamples.
Organization of the paper.At first, we give a brief introduction to the foundations of DTMCs, counterexamples, Markov reward models, and bisimulation minimization.Section 3 then explains the concept of SMT-solving for this context.In Sect. 4 we describe the results of some experiments we did on well-known test cases.In Sect. 5 we draw a short conclusion and give an outlook to future work on this approach.

Foundations
In this section we take a brief look at the basics of discrete-time Markov chains, Markov reward models, and bisimulation minimization.

Stochastic Models
Definition 1.Let AP be a set of atomic propositions.A discrete-time Markov chain (DTMC) is a tuple M = (S, s I , P, L) such that S is a finite, non-empty set of states; s I ∈ S, the initial state; P : S × S → [0, 1], the matrix of the one-step transition probabilities; and L : S → 2 AP a labeling function that assigns each state the set of atomic propositions which hold in that state.
P has to be a stochastic matrix that satisfies s ∈S P (s, s ) = 1 for all s ∈ S. A (finite or infinite) path π is a (finite or infinite) sequence π = s 0 s 1 . . . of states such that P (s i , s i+1 ) > 0 for all i ≥ 0. A finite path π = s 0 s 1 . . .s n has length |π| = n; for infinite paths we set |π| = ∞.For i ≤ |π|, π i denotes the i th state of π, i. e., π i = s i .The i th prefix of a path π is denoted by π↑ i = s 0 s 1 . . .s i .The set of finite (infinite) paths starting in state s is called Path fin s (Path inf s ).In order to obtain a probability measure for sets of infinite paths we first need to define a probability space for DTMCs: Definition 2. Let M = (S, s I , P, L) be a DTMC and s ∈ S. We define a probability space Ψ s = (Path inf s , ∆ s , Pr s ) such that -∆ s is the smallest σ-algebra generated by Path inf s and the set of basic cylinders of the paths from Path fin s .Thereby, for a finite path π ∈ Path fin s , the basic cylinder over π is defined as -Pr s is the uniquely defined probability measure that satisfies the equation Pr s (∆(ss The properties we want to consider are formulated in PCTL [4] and are of the form P ≤p (a U b) with a, b ∈ AP.This means that the probability to walk along a path from the initial state to a state in which b holds, with all intermediate states satisfying a, is less than or equal to p.More formally: A path π satisfies Han and Katoen have shown that there is always a finite counterexample if P ≤p (a U b) is violated [11].
In order to be able to express properties like "The probability to reach a target state with costs larger than c is at most p", Markov chains have to be extended by so-called reward functions.Rewards can be used to model costs of certain operations, to count steps or to measure given gratifications.The variant of rewards we use here are state rewards.One could also assign reward values to transitions instead of states (so-called transition rewards).We restrict ourselves to state rewards; all techniques that are developed in this paper can also be applied to transition rewards.
Let π ∈ Path fin s be a finite path and R a reward function.The accumulated reward of π is given by R(π) = |π|−1 i=0 R(π i ).Note that the reward is granted when leaving a state.
We extend the PCTL-properties from above to Markov reward models.For a (possibly unbounded) interval I ⊆ R, a path π satisfies the property a U I b, written π a U I b, if there is 0 ≤ i ≤ |π| such that b ∈ L(π i ), R(π↑ i ) ∈ I, and a ∈ L(π j ) for all 0 ≤ j < i.A state s ∈ S satisfies P ≤p (a Our techniques can be extended in a straightforward way to I being the union of a finite set of intervals.Please note that the bounded until operator of PCTL is a special case of a reward condition. Our goal is to compute counterexamples to refute such reward properties using bounded model checking (BMC).

Bisimulation Minimization
For the generation of counterexamples we work with a symbolic representation of the DTMC and the reward function.Symbolic representations have the advantage that the size of the representation is not directly correlated with the size of the represented system.The representation can be smaller by orders of magnitude.By using algorithms whose running time only depends on the size of the representation, very large state spaces can be handled.
But even if the symbolic representation of a system is small, the number of paths that are needed for a counterexample can be very large.In order to reduce the number of paths, we first compute the smallest system that has the same behavior w. r. t. probabilities and rewards as the original one.This in general not only reduces the number of states, but also the number of paths, because all paths that stepwise consist of equivalent states are mapped onto a single path in the minimized system.
The methods for computing such minimal systems are based on bisimulation relations.A bisimulation groups states whose behavior is indistinguishable into equivalence classes [12]: Definition 5. Let M = (S, s I , P, L) be a DTMC and R : S → R a reward function for M .A partition P of S is a bisimulation if the following holds for all equivalence classes C of P and for all s, t ∈ S such that s and t are contained in the same block of P: , and P (s, C) = P (t, C), where P (s, C) = s ∈C P (s, s ).Two states s, t ∈ S are bisimilar (s ∼ t) if there exists a bisimulation P such that s and t are contained in the same block of P. The quotient can be considerably smaller than the original system.At the same time it still satisfies the same PCTL and reward properties.All analyses can therefore be carried out on the quotient system instead of the larger original Markov model.For symbolic algorithms to compute the bisimulation quotient of a DTMC or MRM, we refer the reader to, e. g., [13,14].

SMT-based Bounded Model Checking for Counterexample Generation
In this section we show how counterexamples can be computed using an SMTbased formulation of bounded model checking (BMC).BMC has already been applied in [7] for this purpose but in a purely propositional variant.The main drawback of the existing approach is that the propositional BMC formula only contains information about the mere existence of a path, but not about its probability measure.Hence there is no direct possibility to control the SAT-solver such that paths with high probability measure are preferred.
Here we propose the usage of a more powerful formulation than purely propositional logic.The satisfiability modulo theories (SMT) problem is a generalization of the propositional satisfiability (SAT) problem.It combines propositional logic with arithmetic reasoning.Using SMT we can create a formula that is only satisfied by paths with a certain minimal probability.This enables us to apply binary search to find paths first whose probability measures differ from the probability of the most probable path of the current unrolling depth by at most a constant ε > 0. Furthermore, this formulation allows us to compute counterexamples for Markov reward models.
Since often even counterexamples of minimal size are too large to be useful, we minimize the DTMC or MRM before determining a counterexample.The counterexample obtained for the minimized system is much more compact since all equivalent evidences of the original system are merged into a single path of the minimized system.Given a counterexample of the minimized system, it can easily be translated back to the original system -either resulting in an ordinary counterexample or in one representative evidence per equivalence class.
We first describe the SMT-based BMC formula and compare it to the SATbased approach of [7].Then we show how to handle Markov reward models with an arbitrary number of reward functions.Finally we demonstrate how minimization can be applied to make the counterexample generation more efficient.

SMT-based and SAT-based SBMC
Stochastic bounded model checking (SBMC) as proposed in [7] is based on the formulation as a (propositional) satisfiability problem that a path of a certain length exists which exhibits a given property.To handle formulae of the form P ≤p (a U b), states that satisfy either ¬a or b are made absorbing by removing all out-going edges.This reduces the problem to reaching a b-state.
After this preprocessing step, SBMC uses a SAT-solver to determine satisfying solutions for the BMC formula, which has the following structure: I(s 0 ) is a formula that is satisfied iff the assignment of s 0 corresponds to the initial state s I .Accordingly, T SAT (s i , s i+1 ) represents the transition from a state s i to a successor s i+1 , such that T SAT (s i , s i+1 ) is satisfied iff P (s i , s i+1 ) > 0, and L b (s k ) is the property which holds for s k iff b ∈ L(s k ).Each satisfying assignment of formula (1) corresponds to a path of length k that is an evidence for a U b.The authors of [7] describe how this formula can efficiently be constructed from a BDD-based representation of the Markov chain.First they construct an OBDD for the underlying directed graph by mapping positive probabilities in the MTBDD representation of the probability matrix to 1. Then they apply Tseitin-transformation [15] to the OBDDs to construct the different parts of the BMC formula.Fig. 1 gives a rough overview of the BMC procedure for a DTMC M = (S, s I , P, L) and a formula ϕ = P ≤p (a U b).
The probability measure of a path, however, is not considered within this formula.The probability measure has to be computed after the path has been found.Using an SMT-based formulation we can create a modified version of the BMC formula that allows us to put restrictions on the probability measure of evidences.We define an extended transition formula T SMT (s i , s i+1 , pi ) that is satisfied iff P (s i , s i+1 ) > 0 and the variable pi is assigned the logarithm of this probability.Following [6], the logarithm is used in order to turn the multiplication of the probabilities along a path into a summation.This leads to SMT formulae over linear real arithmetic that can be decided efficiently.This variant of the transition predicate can also be generated from an MTBDD representation of the matrix P (s, s ) of transition probabilities using Tseitin-transformation.In contrast to the propositional case, where 'true' and 'false' are used as atomic formulae for the terminal nodes, we use 'p = log v' for leaves with value v > 0 and 'false' for the leaf 0.
To let the solver find only evidences with a probability measure of at least p t ∈ [0, 1], we add the condition k−1 i=0 pi > log p t to the BMC formula: This formula is given to an SMT-solver.If the solver returns SAT, the satisfying assignment represents an evidence with a probability measure of at least p t .If we get UNSAT, there is no such path of the current length.
This enables us to do a binary search for evidences with a high probability measure in Path fin s I .In principle we could determine the most probable path of the current unrolling depth first, then the one with the second highest probability, and so on.For efficiency reasons we apply a different strategy: First, we look for paths which already exceed our probability threshold p.If this fails, we search for paths with a probability greater or equal to p / 2 .If we have found all existing paths with such a probability and the accumulated probability mass is still less than p, we start looking for paths with a probability greater or equal p / 4 , and so on.The value p t is decreased, until either all paths with length k have been found or the accumulated probability of the set of evidences is high enough.If the latter is not the case, we proceed to depth k + 1.
The optimizations for SBMC -exploiting loops and improvements of the clauses to exclude paths from the search space -, which are proposed in [7], work for SSBMC as well and without further modification.

Counterexamples for MRMs
With the proposed method, we are not only able to handle DTMCs, but to handle MRMs as well.To consider the reward structure of an MRM during the search for paths, we need to integrate the rewards into the transition relation.In the preprocessing step, which is needed to turn the PCTL-Until property P ≤p (a U I b) into a reachability property, we must not cut the transitions from all b-states.There must be the possibility to extend a path if its accumulated reward is not within I. Thus we cut the transitions only from states s with a ∈ L(s).
After that we extend the transition formula by a formula for the rewards in a similar way as we have done for the probabilities.For each time frame 0 ≤ i < k we introduce a variable ri such that the formula R(s i , ri ) is satisfied iff ri carries the value R(s i ).This formula can be created from an MTBDD representation of the reward function using Tseitin-transformation.The resulting SMT-formula, which takes rewards into account, has the following structure: R-SSBMC(k) := SSBMC(k) Since b-states are no longer absorbing when using this formula, we have to make sure that we do not find paths of which we have already found a proper prefix.This can be guaranteed by adding clauses to the formula that exclude all paths that were found in previous iterations.Using this technique it is possible to handle an arbitrary number of reward functions at the same time.We just add distinct variables for each reward function and build several reward sums which are checked against the corresponding intervals.

Bisimulation Minimization
We can use bisimulation minimization (cf.Sec.2.2) as a further preprocessing step after cutting unnecessary transitions, but before constructing a counterexample.Since in many cases the quotient system is considerably smaller than the original system, fewer paths are needed for a counterexample.
Every path in the bisimulation quotient represents a set of paths in the original system.To be more precise, let π, π ∈ Path fin (s) be two evidences in a DTMC M = (S, s I , P, L).They are equivalent if |π| = |π | and for all 0 ≤ i ≤ |π|: π i ∼ π i .All equivalent paths correspond to the same path in the quotient system, namely to the path The probability of π Q is the sum of the probabilities of the represented original paths that start in s I .Therefore in general fewer paths are needed in the quotient system for a counterexample.
Once a counterexample has been determined for the quotient DTMC, its paths can be translated back to the original system.The result is a tree that contains all evidences that are stepwise equivalent to the given path.Let us assume that ∼ is such a path in the quotient system.We set succ(s) = {s ∈ S | P (s, s ) > 0}.The root of the tree is the initial state s I that corresponds to C 0 on π Q .If s i is a node of the tree that corresponds to C i on π Q , its successor nodes in the tree are succ(s) ∩ C i+1 .They correspond to C i+1 .The probability measures of the resulting tree and of π Q coincide.
In the next section we show the effectiveness of SMT-based counterexample generation and of this optimization on a set of example benchmarks.

Experimental Results
We have implemented the SSBMC-tool in C ++ with the refinements we presented above, including the optimizations from [7].We used Yices [16] as the underlying SMT-solver.
Our benchmarks are instances of the following four case studies: (1) The contract signing protocol [17,18] (contract) provides a fair exchange of signatures between two parties A and B over a network.If B has obtained the signature of A, the protocol ensures that A will receive the signature of B as well.In our experiments we examine the violation of this property.
(2) The task of the crowds protocol [19] (crowds) is to provide a method for anonymous web browsing.The communication of a single user is hidden by routing it randomly within a group of similar users.The model contains corrupt group members who try to discern the source of a message.We explore the probability that these corrupt members succeed.
(3) The leader election protocol [20] (leader) consists of N processors in a synchronous ring.Every processor chooses a random number from {0, . . ., M }.The numbers are passed around the ring, the processor with the highest number becomes the leader if this number is unique.If this fails, a new round starts.We provide a certificate that the probability to eventually elect a leader exceeds a given bound.
(4) The self-stabilizing minimal spanning tree algorithm [21] (mst) computes a minimal spanning tree in a network with N nodes.Due to, e. g., communication failures the system may leave the state where a result has been computed, and recover after some time.For our experiments we explore the probability that the algorithm does not recover within a given number of k steps.This model is of particular interest to us, because it has a large number of paths, but only a few have a notable probability mass.Because SAT-based BMC does not find paths with high probability first, the hope is that the SMT approach finds much smaller counterexamples in less time.
We used the probabilistic model checker PRISM [22] to generate symbolic representations of these case studies.All experiments were run on a Dual Core AMD Opteron processor with 2.4 GHz per core and 4 GB of main memory.Any computation which took more than two hours ("-TO -") or needed more than 2 GB of memory ("-MO -") was aborted.
In order to compare the results we ran the same benchmarks under the same conditions also with the SBMC-tool from [7].

Counterexamples for DTMCs
In this section we present the results for the SSBMC procedure.The evaluation of bisimulation minimization and counterexamples for MRMs follows in subsequent sections.
Table 1 contains the results for counterexample generation for DTMCs using the SMT-and the SAT-approach.The first and the second column contain the names of the model and the probability threshold p.In the third column the maximal unrolling depth k max is listed.The blocks titled "SSBMC" and "SBMC" present the results for SMT-based approach and the SAT-based approach, respectively.The columns "#paths", "time", and "memory" contain the number of paths in the counterexample, the needed computation time in seconds, and the memory consumption in megabytes.
Both tools are able to solve a subset of the instances within the given limits.The SSBMC-tool was aborted due to the memory limit for one instance of the contract benchmark, most instances of the crowds benchmark, and some instances of the leader protocol.The reason is the high memory consumption of the SMT-solver Yices compared to the SAT-solver MiniSAT, which is used in SBMC.The contract and leader benchmarks exhibit the property that all evidences of the same length have the same probability.Therefore the number of paths coincide for both tools.The running time of SSBMC for these instances is slightly higher due to the modified binary search (cf.Sec.3.1) which increases the number of calls to the solver.The search strategy is also the reason why SSBMC may need slightly more evidences than SBMC, which is the case here for crowds02 07, where the probabilities of the different evidences differ only by a small amount.
Notable are the mst instances.They contain a large number of evidences with very different probabilities.SBMC is not able to compute a counterexample within the given time limit, while SSBMC returns less than 5000 paths in under 3 minutes.A more detailed look showed that SBMC had computed 633 729 paths for mst-14 before the timeout occurred.This is because the SMT-approach is able to compute the more probable evidences first, only few of which are needed for a counterexample.

Bisimulation
In Table 2 we evaluate the impact of bisimulation minimization on running time and memory consumption for SSBMC and SBMC.In Table 3 we show the results of bisimulation with subsequent back-translation of the abstract evidences.In the latter case, we converted the minimized paths completely, i. e., we obtained all original paths which were represented by an abstract path.The running time listed in Table 2 and Table 3 include the time for bisimulation minimization, counterexample generation, and, in Table 3, path conversion.Again, the block titled "SSBMC" ("SBMC") contains the result for the SMT-based (SAT-based) approach.
As we can see, bisimulation minimization causes in most cases a significant decrease in computation time and required memory of SSBMC and SBMC.This effect is somewhat alleviated when the paths are translated back to the original system, although not dramatically.Some instances of the contract and the crowds protocol which could not be solved by SSBMC within the given time and memory bounds become actually solvable, even with path conversion.
However, there is also an exception to this trend: The path conversion for the minimal spanning tree benchmark cannot be done within the given memory bounds.This is due to the fact that one abstract path in these benchmarks represents a great number of original paths, too many to convert them all.While the SMT-based approach without bisimulation minimization can pick the paths with the highest probability, leading to a small counterexample, this is not possible after bisimulation minimization.If we compute the most probable paths in the minimized system, they can correspond to huge numbers of paths in the original system each of which has only negligible probability.

Rewards
For the reward model checking we integrated rewards into the leader election protocol.A reward of 1 is granted whenever a new round starts, i. e., when each processor chooses a new ID.We want to analyze how high the probability measure is that at least three rounds are needed until a leader has been elected.For the experiments we restricted our search to a maximal path length of depth max .We computed all paths with the given property up to this length.The results are shown in Table 4.The first column contains the name of the model, the second the maximal depth depth max .The subsequent columns contain the accumulated probability measure p, the number of found paths, the computation time (in seconds) and the required memory (in megabytes).
Compared to the results in Section 4.1 we need more and longer paths to get a noteworthy probability measure.The computation time and the amount of consumed memory are higher accordingly.
We also integrated bisimulation minimization for Markov reward models with state rewards.In this case only an appropriate initial partition has to be provided for bisimulation computation.The results are shown in Table 5.For the leader benchmarks bisimulation minimization results in a enormous compression of the state space and a respective reduction of the number of evidences.Since the back-translation can be done efficiently and yields for the leader benchmark the same counterexample as the version without minimization, using bisimulation minimization as a preprocessing and back-translation as a postprocessing step reduces the overall computation time and memory consumption.

Conclusion
In our paper we showed how SMT and BMC can be combined to efficiently generate counterexamples for DTMCs.Our SSBMC method can handle systems which could not be handled with the previously presented SAT-based approach [7].With SSBMC it is also possible to analyze Markov reward models with an arbitrary number of reward functions.This enables us to refute reachability properties which impose restrictions on the accumulated reward of paths.Furthermore we presented bisimulation minimization as a preprocessing step for SSBMC.It reduces the number of evidences needed for a counterexample by merging equivalent paths.This way the counterexample generation is accelerated and the memory consumption is reduced.We are able to convert these minimized paths back to the original ones.As future work we will carry out a more detailed experimental evaluation of our methods on appropriate models.Furthermore, there are still many possible optimizations for our tool.So far, reward model checking and bisimulation minimization only work without the loop detection optimization from [7].These combinations have to be implemented.
We plan to optimize the search for paths with higher probabilities.We want to include the BDD-based method from [23], which applies Dijkstra's shortest path algorithm to compute the most probable evidences, into our tool as another preprocessing step.The advantage of this method is that it yields counterexamples of minimal size.Preliminary experiments have shown that this method is efficient as long as the number of paths is small.Since the BDD sizes grow with each path that has been found, memory consumption and running time grow accordingly.We want to combine this approach with the SMT-approach by using the BDDbased method as long as it is efficient and switch to the SMT-approach when the BDD-approach becomes too expensive.

Definition 4 .
A Markov reward model (MRM) is a pair (M, R) where M = (S, s I , P, L) is a DTMC and R : S → R a real-valued reward function.
The equivalence classes of bisimilarity and the coarsest bisimulation partition coincide.The equivalence class of a state s ∈ S w. r. t. a bisimulation P is denoted by [s] P .The classes of the bisimulation now become the states of a new DTMC.Definition 6.Let M = (S, s I , P, L) be a DTMC, R a reward function for M , and P be a bisimulation.The bisimulation quotient is the DTMC (P, C I , P , L ) with reward function R such that -For all C, C ∈ P: P (C, C ) = P (s, C ) for an arbitrary s ∈ C, -C I is the block that contains the initial state s I of M , -∀ C ∈ P : L (C) = L(s) for an arbitrary state s ∈ C, and -∀ C ∈ P : R (C) = R(s) for an arbitrary state s ∈ C.

Fig. 1 .
Fig. 1.Counterexample generation state s ∈ S satisfies the formula P ≤p (a U b) (written s P ≤p (a U b)) iff Pr s {π ∈ Path inf s |π a U b} ≤ p.Let us assume that such a formula P ≤p (a U b) is violated by a DTMC M .That means Pr s I {π ∈ Path inf s |π a U b} > p.In this case we want to compute a counterexample which certifies that the formula is indeed violated.Hence a counterexample is a set of paths that satisfy a U b and whose joint probability measure exceeds the bound p. Definition 3. Let M = (S, s I , P, L) be a discrete-time Markov chain for which the property ϕ = P ≤p (a U b) is violated in state s I .An evidence for ϕ is a finite path π ∈ Path fin s I such that π a U b, but no proper prefix of π satisfies this formula.A counterexample is a set C ⊆ Path fin s I of evidences such that Pr s I (C) > p.

Table 1 .
Counterexample generation for DTMCs using SMT-and SAT-based BMC

Table 2 .
Counterexample generation with bisimulation minimization

Table 3 .
Counterexample generation with bisimulation and path conversion

Table 4 .
Counterexample generation for MRMs using SMT-based BMC

Table 5 .
Counterexample generation for MRMs with bisimulation minimization