3 questions to test your understanding
What is a spurious counterexample in the CEGAR framework?
Abstraction over-approximates the concrete system: it includes all real behaviors but may also include behaviors that are not actually possible. A spurious counterexample is a trace that exists in the abstract model but cannot be replayed in the concrete system because the abstraction lost a critical distinction. For example, if the abstraction merges two variable values that the program keeps separate, it might exhibit a path that the real program can never take. CEGAR refines the abstraction to separate these merged values.
CEGAR always terminates.
Answer: False
CEGAR is not guaranteed to terminate in general. Each refinement step eliminates the current spurious counterexample, but the number of refinements needed could be unbounded (though in practice it is usually small). For finite-state systems with finite abstractions, termination is guaranteed because there are finitely many possible refinements. For infinite-state systems or when using predicate abstraction, the set of possible predicates is infinite and termination depends on the specific system and property. Many practical CEGAR implementations terminate quickly, but theoretical guarantees are limited.
Explain the three main steps of a CEGAR iteration and what happens at each step.
The elegance of CEGAR is that refinement is targeted: the spurious counterexample tells you exactly what the abstraction got wrong. In predicate abstraction, refinement adds new predicates that distinguish the states the counterexample conflated. This means the abstraction grows only as much as needed — it starts maximally coarse and gets refined only where counterexamples demand it, keeping the abstract model as small as possible.