completeness and complexity of bounded model checking
Skip this Video
Download Presentation
Completeness and Complexity of Bounded Model Checking

Loading in 2 Seconds...

play fullscreen
1 / 23

Completeness and Complexity of Bounded Model Checking - PowerPoint PPT Presentation

  • Uploaded on

Completeness and Complexity of Bounded Model Checking. k = 0. BMC( M , f , k ). k ++. yes. no. k ¸ ?. Bounded Model Checking. How big should k be?. For every model M and LTL property  there exists k s.t. M ² k  ! M ² 

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Completeness and Complexity of Bounded Model Checking' - chancellor-vance

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
bounded model checking
k = 0






Bounded Model Checking
how big should k be
How big shouldkbe?
  • For every model M and LTL property there exists k s.t.


  • We call the minimal such k the Completeness Threshold (CT)
  • Clearly ifM²thenCT = 0
  • Conclusion: computingCTis at least as hard as model checking
the completeness threshold
The Completeness Threshold
  • Computing CT is as hard as model checking
  • The value of CT depends on the model M the property  .
  • First strategy: find over-approximations to CT based on graph theoretic properties of M
basic notions
Basic notions…
  • Diameterd(M)= longest shortest path between any two reachable states.
  • Recurrence Diameterrd(M)=longest loop-free path between any two reachable states.

d(M) = 2

rd(M) = 3

  • Initialized DiameterdI(M)
  • Initialized Recurrence Diameter rdI(M)
the completeness threshold1


Arbitrary path







The Completeness Threshold
  • Theorem: for p properties CT = d(M)
  • Theorem: for }p properties CT= rd(M)+1
  • Theorem: for an LTL property CT = ?
ltl model checking
LTL model checking
  • Given M,,construct a Buchi automatonB
  • LTL model checking: is : M £B empty?
  • Emptiness checking: is there a path to a loop with an accepting state ?


generating the bmc formula based on the vardi wolper algorithm
s0Generating the BMC formula(Based on the Vardi-Wolper algorithm)
  • “Unroll” y k times
  • Find a path to a loop that satisfies, in at least one of its states, one of F states.
  • …that is, one of the states in the loop satisfies
generating the bmc formula
Initial state:

k transitions:

Closing a cycle with

an accepting state:

Generating the BMC formula

One of the states in the loop

Satisfies one of F states

Closing the loop




completeness threshold for ltl
s0Completeness Threshold for LTL
  • It cannot be longer than rdI(y)+1
  • It cannot be longer than dI(y) + d(y)
  • Result: min(rdI(y)+1, dI(y) + d(y))
ct examples


CT: examples

dI(y) + d(y) = 2

rdI(y) + 1= 4

dI(y) + d(y) = 6

rdI(y) + 1= 4

computing ct diameter
k+1-long path s0 --sk+1

k-long path s0 --sk+1

Computing CT (diameter)
  • Computing d(y)symbolically with QBF: find minimal k s.t. for all i,j, if j is reachable from i, it is reachable in k or less steps.
  • Complexity: 2-exp
computing ct diameter1
Computing CT (diameter)
  • Computing d(y) explicitly:
    • Generate the graph y
    • Find shortest paths (O|y|3) (‘Floyd-Warshall’ algorithm)
    • Find longest among all shortest paths
    • O(|y|3) exp3 in the size of the representation of y
  • Why is there a complexity gap (2-exp Vs. exp3)?
    • QBF tries in the worst case all paths between every two states.
    • Unlike Floyd-Warshall, QBF does not use transitivity information like:
computing ct recurrence diameter
Computing CT (recurrence diameter)
  • Finding the longest loop-free path in a graph is NP- complete in the size of the graph.
  • The graph can be exponential in the number of variables.
  • Conclusion: in practice computing the recurrence diameter is 2-exp in the no. of variables.
  • Computing rd(y) symbolically with SAT. Find largest k that satisfies:
complexity of bmc
Complexity of BMC

CT· (min(rdI(y)+1, dI(y) + d(y)))

  • Computing CTis 2exp.
  • The value of CTcan be exponential in the # of state variables.
  • BMC SAT formula grows linearly with k, which can be as high as CT.

Conclusion: standard SAT based BMC is worst-case 2-exp

the complexity gap
The complexity GAP
  • SAT based BMC is 2-exp
  • LTL model checking is exponential in |f| and linear in |M| (to be accurate, it is ‘Pspace-complete’ in |f|)
  • So why use BMC ?
  • Finding bugs when kis small
  • In many cases rd(y) and d(y)are not exponential and are even rather small.
  • SAT, in practice, is very efficient.
closing the complexity gap
Closing the complexity gap
  • Why is there a complexity gap ?
  • LTL-MC with 2-dfs :



  • Every state is visited not more than twice
the double dfs algorithm
DFS1(s) {



for each t 2 Succ­(s)

{if t Ï Table1 then DFS1(t);}

if s 2 F­ then DFS2(s);



DFS2(s) {


hash( s,Table2) ;

for each t2 Succ­(s) do {

if tis onStack1{

output(“bad cycle:”);

output( Stack1,Stack2,t);

exit; }

else if t Ï Table2 then DFS2(t)


pop( Stack2); }

The Double-DFS algorithm

Upon finding a bad cycle, Stack1, Stack2, t, determines a counterexample:

a bad cycle reached from an init state.

closing the complexity gap1
Closing the complexity gap
  • 2-dfs
    • Each state is visited not more than twice
  • SAT
    • Each state can potentially be visited an exponential no. of times, because all paths are explored.
closing the complexity gap for p
Closing the complexity gap (for p)
  • Force a static order, following a forward traversal
  • Each time a state i is fully evaluated (assigned):
    • Prevent the search from revisiting it through deeper paths e.g. If (xiÆ:yi) is a visited state, then for i < j· CT add the following state clause: (:xjÇyj)
    • When backtracking from state i, prevent the search from revisiting it in step i(add (:xiÇyi)).
    • If :pi holds stop and return “Counterexample found”
closing the complexity gap2
Closing the complexity gap
  • Is restricted SAT better or worse than BMC ?
  • Bad news:
    • We gave up the main power of SAT: dynamic splitting heuristics.
    • We may generate an exponential no. of added constraints
  • Good news
    • Single exp. instead of double exp.
    • No need to compute CT. (Instead of pre-computing CT we can maintain a list of states and add their negation ‘when needed’).
closing the complexity gap3
Closing the complexity gap
  • Is restricted SAT better or worse than explicit LTL-MC ?
  • Not clear !
    • Unlike dfs, SAT has heuristics for progressing.
    • SAT has pruning ability of sets of states
comparing the algorithms
Comparing the algorithms…

* Assuming the SAT solver restricts the size of its added clauses