- 104 Views
- Uploaded on
- Presentation posted in: General

Completeness and Complexity of Bounded Model Checking

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Completeness and Complexity of Bounded Model Checking

k = 0

BMC(M,f,k)

k++

yes

no

k¸?

- For every model M and LTL property there exists k s.t.
M²k!M²

- We call the minimal such k the Completeness Threshold (CT)
- Clearly ifM²thenCT = 0
- Conclusion: computingCTis at least as hard as model checking

- Computing CT is as hard as model checking
- The value of CT depends on the model M the property .
- First strategy: find over-approximations to CT based on graph theoretic properties of M

- Diameterd(M)= longest shortest path between any two reachable states.
- Recurrence Diameterrd(M)=longest loop-free path between any two reachable states.

d(M) = 2

rd(M) = 3

- Initialized DiameterdI(M)
- Initialized Recurrence Diameter rdI(M)

p

s0

Arbitrary path

p

p

p

p

p

s0

- Theorem: for p properties CT = d(M)

- Theorem: for }p properties CT= rd(M)+1

- Theorem: for an LTL property CT = ?

- Given M,,construct a Buchi automatonB
- LTL model checking: is : M £B empty?
- Emptiness checking: is there a path to a loop with an accepting state ?

s0

s0

- “Unroll” y k times
- Find a path to a loop that satisfies, in at least one of its states, one of F states.
- …that is, one of the states in the loop satisfies

Initial state:

k transitions:

Closing a cycle with

an accepting state:

One of the states in the loop

Satisfies one of F states

Closing the loop

s0

sl

sk

s0

- It cannot be longer than rdI(y)+1
- It cannot be longer than dI(y) + d(y)
- Result: min(rdI(y)+1, dI(y) + d(y))

s0

s0

dI(y) + d(y) = 2

rdI(y) + 1= 4

dI(y) + d(y) = 6

rdI(y) + 1= 4

k+1-long path s0 --sk+1

k-long path s0 --sk+1

- Computing d(y)symbolically with QBF: find minimal k s.t. for all i,j, if j is reachable from i, it is reachable in k or less steps.

- Complexity: 2-exp

- Computing d(y) explicitly:
- Generate the graph y
- Find shortest paths (O|y|3) (‘Floyd-Warshall’ algorithm)
- Find longest among all shortest paths
- O(|y|3) exp3 in the size of the representation of y

- Why is there a complexity gap (2-exp Vs. exp3)?
- QBF tries in the worst case all paths between every two states.
- Unlike Floyd-Warshall, QBF does not use transitivity information like:

- Finding the longest loop-free path in a graph is NP- complete in the size of the graph.
- The graph can be exponential in the number of variables.
- Conclusion: in practice computing the recurrence diameter is 2-exp in the no. of variables.
- Computing rd(y) symbolically with SAT. Find largest k that satisfies:

CT· (min(rdI(y)+1, dI(y) + d(y)))

- Computing CTis 2exp.
- The value of CTcan be exponential in the # of state variables.
- BMC SAT formula grows linearly with k, which can be as high as CT.
Conclusion: standard SAT based BMC is worst-case 2-exp

- SAT based BMC is 2-exp
- LTL model checking is exponential in |f| and linear in |M| (to be accurate, it is ‘Pspace-complete’ in |f|)
- So why use BMC ?

- Finding bugs when kis small
- In many cases rd(y) and d(y)are not exponential and are even rather small.
- SAT, in practice, is very efficient.

- Why is there a complexity gap ?
- LTL-MC with 2-dfs :

dfs1

dfs2

- Every state is visited not more than twice

DFS1(s) {

push(s,Stack1);

hash(s,Table1);

for each t 2 Succ(s)

{if t Ï Table1 then DFS1(t);}

if s 2 F then DFS2(s);

pop(Stack1);

}

DFS2(s) {

push(s,Stack2);

hash( s,Table2) ;

for each t2 Succ(s) do {

if tis onStack1{

output(“bad cycle:”);

output( Stack1,Stack2,t);

exit; }

else if t Ï Table2 then DFS2(t)

}

pop( Stack2); }

Upon finding a bad cycle, Stack1, Stack2, t, determines a counterexample:

a bad cycle reached from an init state.

- 2-dfs
- Each state is visited not more than twice

- SAT
- Each state can potentially be visited an exponential no. of times, because all paths are explored.

- Force a static order, following a forward traversal
- Each time a state i is fully evaluated (assigned):
- Prevent the search from revisiting it through deeper paths e.g. If (xiÆ:yi) is a visited state, then for i < j· CT add the following state clause: (:xjÇyj)
- When backtracking from state i, prevent the search from revisiting it in step i(add (:xiÇyi)).
- If :pi holds stop and return “Counterexample found”

- Is restricted SAT better or worse than BMC ?
- Bad news:
- We gave up the main power of SAT: dynamic splitting heuristics.
- We may generate an exponential no. of added constraints

- Good news
- Single exp. instead of double exp.
- No need to compute CT. (Instead of pre-computing CT we can maintain a list of states and add their negation ‘when needed’).

- Is restricted SAT better or worse than explicit LTL-MC ?
- Not clear !
- Unlike dfs, SAT has heuristics for progressing.
- SAT has pruning ability of sets of states

* Assuming the SAT solver restricts the size of its added clauses