1 / 30

Bounded Model Checking

Bounded Model Checking. A. Biere , A. Cimatti , E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software Laboratory KAIST. Contents. Introduction First glance at Bounded Model Checking Bounded Model Checking – Safety

eldon
Download Presentation

Bounded Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software Laboratory KAIST

  2. Contents • Introduction • First glance at Bounded Model Checking • Bounded Model Checking – Safety • Bounded Model Checking – Liveness • Linear Temporal Logic Semantics in BMC • Translation LTL into Propositional Formula • Determining the Bound • Further Study Bounded Model Checking - Daniel Choi@pswlab, KAIST

  3. Introduction(1/3) • Model Checking without SAT-Solver • Symbolic model checking • Binary Decision Diagrams(BDDs) are often become too large • Selecting right variable ordering is very important for obtaining small BDDs • Often time consuming or needs manual intervention • Sometimes, no space efficient variable ordering exists • Explicit model checking • Generate states explicitly • State explosion problem Bounded Model Checking - Daniel Choi@pswlab, KAIST

  4. Introduction(2/3) • Variable ordering of BDDs • BDD of (a1∧ b1) ∨ (a2∧ b2) Bad ordering Good ordering a1 a1 b1 a2 a2 a2 b1 b1 b2 b2 0 1 0 1 Bounded Model Checking - Daniel Choi@pswlab, KAIST

  5. Introduction(3/3) • Model Checking with SAT-solver • SAT procedures also operate on Boolean formulas • Does not suffer from the potential space explosion of BDDs • Very efficient implementations existe.g. MiniSAT, zChaff, … Bounded Model Checking - Daniel Choi@pswlab, KAIST

  6. First Glance at BMC Given a propertyp: (e.g. “signal_a = signal_b”) Is there a state reachable inkcycles, which satisfiesp? p p p p p . . . s0 s1 s2 sk-1 sk Counter example Trace Bounded Model Checking - Daniel Choi@pswlab, KAIST

  7. Bounded Model Checking - Safety The reachable states in k steps are captured by: The property p fails in one of the ksteps Bounded Model Checking - Daniel Choi@pswlab, KAIST

  8. Bounded Model Checking - Safety The safety propertypis valid up to stepk iffW(k)is unsatisfiable: p p p p p . . . s0 s1 s2 sk-1 sk Bounded Model Checking - Daniel Choi@pswlab, KAIST

  9. 11 00 10 01 Bounded Model Checking - Safety Example: a two bit counter Initial state:I:  l^ r Transition:R: l’ = (lr) ^r’ = r Property:G(l  r). Fork = 2, W(k)is unsatisfiable. Fork = 3 W(k)is satisfiable Bounded Model Checking - Daniel Choi@pswlab, KAIST

  10. Bounded Model Checking - Liveness There is no counterexample of lengthkto the Liveness propertyFpiffW(k)is unsatisfiable: Loop Constraint = p :p :p :p :p . . . s0 s1 s2 sk-1 sk Bounded Model Checking - Daniel Choi@pswlab, KAIST

  11. LTL Semantics in BMC – Key Idea • Consider only a finite prefixof a path (bounded by k) and look for possible counterexample • Finite prefix may represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states. • If no back loop, can’t say anything about infinite behavior = p :p :p :p :p . . . ??? s0 s1 s2 sk-1 sk Bounded Model Checking - Daniel Choi@pswlab, KAIST

  12. LTL Semantics in BMC • Definition 1 : A Kripke structure is a tuple M = (S,I,T,L) with a finite set of states S, the set of initial states I S , a transition relation between states TS X S and the labeling of the states L: S P(A) with atomic propositions A • Boolean encoding of state ( vector of state variables ) • Each state has a successor state • p = (s0,s1,,…) p(i) = siand pi = (si,si+1,…) . . . s0 s1 s2 sk-1 sk Bounded Model Checking - Daniel Choi@pswlab, KAIST

  13. LTL Semantics • Definition 2(Semantics of LTL) : Let M be a Kripke structure, p be a path in M and f be an LTL formula. Then p⊨ f ( f is valid along p) is defined as Bounded Model Checking - Daniel Choi@pswlab, KAIST

  14. LTL Semantics in BMC • Definition 3 (Validity): • An LTL formula f is universally valid in a Kripke structure M ( in symbols M ⊨ Af ) iffp⊨ f for all paths p in M with p (0)  I. • An LTL formula f is existentially valid in a Kripke structure M ( in symbols M ⊨Ef ) iff there exists a path p in M with p⊨ f and p(0)  I • We consider existential model checking problem • Searching for a counterexample for existential model checking problem Bounded Model Checking - Daniel Choi@pswlab, KAIST

  15. LTL Semantics in BMC • However, we are considering bounded sequence … • Definition 4 : For l  k we call a path p a (k,l)-loop if p(k) p(l) and p =u.vw with u = (p(0),…., p(l-1)) and v=(p(l),.., p(k)). We call p simply a k-loop if there is an l  N with l Mk for which p is a (k,l)-loop Bounded Model Checking - Daniel Choi@pswlab, KAIST

  16. LTL Semantics in BMC • Definition 5 (Bounded Semantics for a Loop). Let k ∈ N and π be a k-loop. Then an LTL formula f is valid along the path π with bound k (π ⊨k f) iffπ⊨ f. Bounded Model Checking - Daniel Choi@pswlab, KAIST

  17. LTL Semantics in BMC • Definition 6 (Bounded Semantics without a Loop). Let k ∈ N and let ∈ be a path that is not a k-loop. Then an LTL formula f is valid along the path π with bound k (π ⊨k f ) iffπ ⊨0k f where Bounded Model Checking - Daniel Choi@pswlab, KAIST

  18. LTL Semantics in BMC • Lemma 7 : Let h be an LTL formula and p be a path and p⊨k h p⊨ h • Lemma 8 : Let f be an LTL formula and M a Kripke structure. If M ⊨Ef then there exists k ∈ N with M ⊨k Ef • Theorem 9 : Let f be an LTL formula, M a Kripke structure. Then M |= Efiff there exists k ∈ N with M ⊨k Ef Bounded Model Checking - Daniel Choi@pswlab, KAIST

  19. Translation LTL into Propositional Formula • Given a Kripke structure M, LTL formula f, bound k • We need to construct a Propositional Formula[[ M,f ]]k which represents the constraints on s0,….,sksuch that [[ M,f ]]kis satisfiableiff f is valid along p • The size of [[ M,f ]]k is polynomial in the size of f • The size of [[ M,f ]]k is quadratic in k • The size of [[ M,f ]]k is linear in the size of the propositional formulas for R, I and the p ∈ A. Bounded Model Checking - Daniel Choi@pswlab, KAIST

  20. Translation LTL into Propositional Formula • Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N , [[ M ]]k = I(s0) T (si, si+1) k-1 i=0 Bounded Model Checking - Daniel Choi@pswlab, KAIST

  21. Example – 3bit shift register • 3-bit misbehaving shift register (x[0],x[1],x[2]) • T(x, x’): (x’[0]=x[1])  (x’[1]=x[2])  (x’[2]=1) • “Eventually register will be empty” : AF( x=0 ) • AF( x=0 ) ¬EG( x != 0 ) • Restrict search to path having k+1 states (k=2) x0 x1 x2 Bounded Model Checking - Daniel Choi@pswlab, KAIST

  22. Example – 3bit shift register • fm = I(x0) T(x0,x1) T(x1,x2) • T(x0,x1) = • T(x1,x2) = • Property : ¬EG( x != 0 ) (x1[0] = x0[1])  (x1[1] = x0[2])  (x1[2]=1) (x2[0] = x1[1])  (x2[1] = x1[2])  (x2[2]=1) “Any path with three states that is a witness for G(x != 0 ) must contain a loop” L2 L0 L1 x0 x1 x2 Bounded Model Checking - Daniel Choi@pswlab, KAIST

  23. Translation LTL into Propositional Formula • Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N , [[ M ]]k = I(s0) T (si, si+1) • In 3-bit shifter example, • fm = I(x0) T(x0,x1) T(x1,x2) • I(x0) = (x0[0] = 0)  (x0[1] = 0)  (x0[2]=0) (arbitrary) • T(x0,x1) = (x1[0] = x0[1])  (x1[1] = x0[2])  (x1[2]=1) • T(x1,x2) = (x2[0] = x1[1])  (x2[1] = x1[2])  (x2[2]=1) • Constraint formula • (xi != 0 ) : ( xi [0] = 1) V ( xi [1] = 1 ) V ( xi [2] = 1 ) k-1 i=0 Bounded Model Checking - Daniel Choi@pswlab, KAIST

  24. Translation LTL into Propositional Formula • Depending on whether a path is a k-loop or not, two different translations exist for temporal formula f • Translation if path not a k-loop : [[ . ]]ik • Translation if path is a k-loop : l[[ . ]]ik Definition 12(Successor in a Loop) : Let k,l,i∈ N, with l,i k. Define the successor succ(i) in a (k,l)-loop as succ(i) = i+1 for i < k and succ(i) = l for i = k Bounded Model Checking - Daniel Choi@pswlab, KAIST

  25. Translation LTL into Propositional Formula • Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula f and k, i∈ N with i k Bounded Model Checking - Daniel Choi@pswlab, KAIST

  26. Translation LTL into Propositional Formula • Definition 13 (Translation of an LTL formula for a Loop): Let f be an LTL formula, k,l,i e N with l,i k Bounded Model Checking - Daniel Choi@pswlab, KAIST

  27. Translation LTL into Propositional Formula • Definition 14 ( Loop Condition) : For k,l∈ N , let lLk= T(sk,sl), Lk= Vl=0k Lk • Definition 15 ( General Translation ) : Let f be an LTL formula, M a Kripke structure and k ∈ N • Theorem 16 :[[ M,f ]]k is satisfiableiff M ⊨kEf • Corollary 17 : M ⊨A¬f iff [[ M,f ]]k is unsatisfiable for all k ∈ N without loop with loop Bounded Model Checking - Daniel Choi@pswlab, KAIST

  28. Determining the Bound Bounded Model Checking - Daniel Choi@pswlab, KAIST

  29. Further Study • CBMC • Making the Most of BMC Counterexamplesby Alex Groce, Daniel Koening. In BMC 2004 • This paper introduces counterexample minimization Bounded Model Checking - Daniel Choi@pswlab, KAIST

  30. Reference • Bounded and Unbounded Model Checking using SAT(Invited talk) By E. Clarke. In Satisfiability Solvers and Program Verification 2006. • Symbolic Model Checking without BDDsBy A. Biere, A. Cimatti, E. Clarke, Y. Zhu. In TACAS’99 Bounded Model Checking - Daniel Choi@pswlab, KAIST

More Related