Download
1 / 23
230 likes | 366 Views
Completeness and Complexity of Bounded Model Checking. k = 0. BMC( M , f , k ). k ++. yes. no. k ¸ ?. Bounded Model Checking. How big should k be?. For every model M and LTL property there exists k s.t. M ² k ! M ²
E N D
k = 0 BMC(M,f,k) k++ yes no k¸? Bounded Model Checking
How big shouldkbe? • For every model M and LTL property there exists k s.t. M²k!M² • We call the minimal such k the Completeness Threshold (CT) • Clearly ifM²thenCT = 0 • Conclusion: computingCTis at least as hard as model checking
The Completeness Threshold • Computing CT is as hard as model checking • The value of CT depends on the model M the property . • First strategy: find over-approximations to CT based on graph theoretic properties of M
Basic notions… • Diameterd(M)= longest shortest path between any two reachable states. • Recurrence Diameterrd(M)=longest loop-free path between any two reachable states. d(M) = 2 rd(M) = 3 • Initialized DiameterdI(M) • Initialized Recurrence Diameter rdI(M)
p s0 Arbitrary path p p p p p s0 The Completeness Threshold • Theorem: for p properties CT = d(M) • Theorem: for }p properties CT= rd(M)+1 • Theorem: for an LTL property CT = ?
LTL model checking • Given M,,construct a Buchi automatonB • LTL model checking: is : M £B empty? • Emptiness checking: is there a path to a loop with an accepting state ? s0
s0 Generating the BMC formula(Based on the Vardi-Wolper algorithm) • “Unroll” y k times • Find a path to a loop that satisfies, in at least one of its states, one of F states. • …that is, one of the states in the loop satisfies
Initial state: k transitions: Closing a cycle with an accepting state: Generating the BMC formula One of the states in the loop Satisfies one of F states Closing the loop s0 sl sk
s0 Completeness Threshold for LTL • It cannot be longer than rdI(y)+1 • It cannot be longer than dI(y) + d(y) • Result: min(rdI(y)+1, dI(y) + d(y))
s0 s0 CT: examples dI(y) + d(y) = 2 rdI(y) + 1= 4 dI(y) + d(y) = 6 rdI(y) + 1= 4
k+1-long path s0 --sk+1 k-long path s0 --sk+1 Computing CT (diameter) • Computing d(y)symbolically with QBF: find minimal k s.t. for all i,j, if j is reachable from i, it is reachable in k or less steps. • Complexity: 2-exp
Computing CT (diameter) • Computing d(y) explicitly: • Generate the graph y • Find shortest paths (O|y|3) (‘Floyd-Warshall’ algorithm) • Find longest among all shortest paths • O(|y|3) exp3 in the size of the representation of y • Why is there a complexity gap (2-exp Vs. exp3)? • QBF tries in the worst case all paths between every two states. • Unlike Floyd-Warshall, QBF does not use transitivity information like:
Computing CT (recurrence diameter) • Finding the longest loop-free path in a graph is NP- complete in the size of the graph. • The graph can be exponential in the number of variables. • Conclusion: in practice computing the recurrence diameter is 2-exp in the no. of variables. • Computing rd(y) symbolically with SAT. Find largest k that satisfies:
Complexity of BMC CT· (min(rdI(y)+1, dI(y) + d(y))) • Computing CTis 2exp. • The value of CTcan be exponential in the # of state variables. • BMC SAT formula grows linearly with k, which can be as high as CT. Conclusion: standard SAT based BMC is worst-case 2-exp
The complexity GAP • SAT based BMC is 2-exp • LTL model checking is exponential in |f| and linear in |M| (to be accurate, it is ‘Pspace-complete’ in |f|) • So why use BMC ? • Finding bugs when kis small • In many cases rd(y) and d(y)are not exponential and are even rather small. • SAT, in practice, is very efficient.
Closing the complexity gap • Why is there a complexity gap ? • LTL-MC with 2-dfs : dfs1 dfs2 • Every state is visited not more than twice
DFS1(s) { push(s,Stack1); hash(s,Table1); for each t 2 Succ(s) {if t Ï Table1 then DFS1(t);} if s 2 F then DFS2(s); pop(Stack1); } DFS2(s) { push(s,Stack2); hash( s,Table2) ; for each t2 Succ(s) do { if tis onStack1{ output(“bad cycle:”); output( Stack1,Stack2,t); exit; } else if t Ï Table2 then DFS2(t) } pop( Stack2); } The Double-DFS algorithm Upon finding a bad cycle, Stack1, Stack2, t, determines a counterexample: a bad cycle reached from an init state.
Closing the complexity gap • 2-dfs • Each state is visited not more than twice • SAT • Each state can potentially be visited an exponential no. of times, because all paths are explored.
Closing the complexity gap (for p) • Force a static order, following a forward traversal • Each time a state i is fully evaluated (assigned): • Prevent the search from revisiting it through deeper paths e.g. If (xiÆ:yi) is a visited state, then for i < j· CT add the following state clause: (:xjÇyj) • When backtracking from state i, prevent the search from revisiting it in step i(add (:xiÇyi)). • If :pi holds stop and return “Counterexample found”
Closing the complexity gap • Is restricted SAT better or worse than BMC ? • Bad news: • We gave up the main power of SAT: dynamic splitting heuristics. • We may generate an exponential no. of added constraints • Good news • Single exp. instead of double exp. • No need to compute CT. (Instead of pre-computing CT we can maintain a list of states and add their negation ‘when needed’).
Closing the complexity gap • Is restricted SAT better or worse than explicit LTL-MC ? • Not clear ! • Unlike dfs, SAT has heuristics for progressing. • SAT has pruning ability of sets of states
Comparing the algorithms… * Assuming the SAT solver restricts the size of its added clauses
