CEGAR is a verification technique that iteratively builds just enough abstraction to prove a property or find a real bug. It starts with a coarse abstract model of the system, model-checks the property, and if a counterexample is found, checks whether it corresponds to a real execution in the concrete system. If it does, a real bug has been found. If the counterexample is spurious (an artifact of abstraction), the abstraction is refined to eliminate it, and the process repeats. CEGAR automates the construction of abstractions, solving the key problem of how abstract to make a model — let the counterexamples guide you.
The state explosion problem limits model checking to relatively small models. Abstraction — replacing the concrete system with a smaller abstract model — is the standard remedy, but choosing the right abstraction is difficult. Too coarse and the abstract model has spurious behaviors; too fine and the model is nearly as large as the concrete system. CEGAR (Counterexample-Guided Abstraction Refinement), introduced by Clarke, Grumberg, Jha, Lu, and Veith in 2000, automates this choice by letting failed verification attempts guide the abstraction.
The CEGAR loop has three phases. First, abstract and verify: construct an abstract model that over-approximates the concrete system (every concrete behavior has a corresponding abstract behavior, but not vice versa) and model-check the desired property on the abstract model. If the property holds on the abstract model, it holds on the concrete system — the over-approximation guarantees this. If no counterexample is found, verification succeeds. Second, if a counterexample IS found, check feasibility: simulate the abstract counterexample trace on the concrete system to determine whether it corresponds to a real execution. If it does, a genuine bug has been found, and the concrete counterexample is reported to the user.
Third, if the counterexample is spurious — it exists in the abstract model but not in the concrete system — the abstraction must be refined. The key insight is that the spurious counterexample reveals exactly where the abstraction is too coarse: at some point in the trace, the abstract model conflates states that the concrete system distinguishes. The refinement step analyzes the counterexample to identify this failure point and adds new distinctions to the abstraction (new predicates in predicate abstraction, new variable partitions in other schemes). The refined abstract model eliminates the spurious counterexample while remaining as coarse as possible elsewhere, and the loop repeats.
Predicate abstraction is the most common instantiation of CEGAR for software. The abstract state space is defined by a set of Boolean predicates over program variables (e.g., x > 0, i < n, p != null). Each abstract state is a truth assignment to these predicates, representing all concrete states consistent with those truth values. Refinement adds new predicates — identified from the spurious counterexample — that make finer distinctions. Tools like SLAM (used at Microsoft for Windows driver verification), BLAST, and CPAchecker implement this approach and have verified millions of lines of real C code.
CEGAR's power is that it avoids the "abstraction design" problem entirely. The user provides only the concrete system and the property; the tool discovers the right abstraction automatically. In practice, CEGAR often converges in a handful of iterations, with the final abstract model containing only the distinctions relevant to the property being checked. This property-driven abstraction is why CEGAR has become a standard technique not just in model checking but across verification: it has been applied to hardware verification, program analysis, and even synthesis problems.
No topics depend on this one yet.