1 / 30

Symbolic Model Checking without BDDs

Symbolic Model Checking without BDDs. Armin Biere Alessandro Cimatti Edmund Clarke Yunshan Zhu Presented by Manikantan & Prakash Prabhu. Outline. Introduction Example Semantics Translation Determining the bound Exp. Results & Conclusion. Introduction. Model Checking (MC)

patrice
Download Presentation

Symbolic Model Checking without BDDs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Symbolic Model Checking without BDDs Armin BiereAlessandro CimattiEdmund Clarke Yunshan Zhu Presented by Manikantan & Prakash Prabhu

  2. Outline • Introduction • Example • Semantics • Translation • Determining the bound • Exp. Results & Conclusion

  3. Introduction • Model Checking (MC) • Automatic, Spec – temporal logic, system – FSM ( # states ? ) • Symbolic MC, BDDs ( Size, Right Ordering ) • Propositional Decision Procedures • Boolean Expressions, but not on canonical forms • No potential state space explosion • Davis/Putnam Procedure (Implementation)

  4. Introduction • Bounded Model Checking (BMC) • Based on SAT •  Counterexample of length k  Propositional Formula is satisifiable • BMC for LTL reduced to SAT in poly time • BMC – Advantages • CounterExamples – found fast , minimal length • Less space , No manual ordering ( vs BDD )

  5. Example • 3-bit shift register (x[0],x[1],x[2]) • T(x,x’): (x’[0]=x[1])  (x’[1]=x[2])  (x’[2]=1) • “Eventually register will be empty” : AF( x=0 ) • AF( x=0 )  ¬EG( x != 0 ) • Restrict search to path having k+1 states (k=2) L2 L0 L1 x0 x1 x2

  6. Example • fm = I(x0) T(x0,x1) T(x1,x2) • T(x0,x1) = ? • T(x1,x2) = ? • “Any path with three states that is a witness for G(x != 0 ) must contain a loop” addT(x2,xi ) • Constraint imposed by the formula ( Si defined as xi != 0 ) : ( xi [0] = 1) V ( xi [1] = 1 ) V ( xi [2] = 1 ) • Final Propositional Formula • fm V Li V Si Counterexample of length 2 2 2 i=0 i=0

  7. Semantics • ACTL* :  CTL* that are in Negative Normal Form (NNF) & contain only ‘A’ s • ECTL* • Consider only X , F , G, U operators • LTL : No path quantifiers are allowed • Paper concentrates on LTL model checking ( BMC for LTL can be extended handle ACTL* & ECTL* )

  8. Semantics • Definition 1 : A Kripke structure is a tuple M = (S,I,T,L) with a finite set of states S, the set of initial states I S , a transition relation between states TS X S and the labeling of the states L: S P(A) with atomic propositions A • Boolean encoding of state ( vector of state variables ) • Each state has a successor state • p = (s0,s1,,…) p(i) = si and pi = (si,si+1,…)

  9. Semantics • Definition 2(Semantics) : Let M be a Kripke structure, p be a path in M and f be an LTL formula. Then p|= f ( f is valid along p) is defined as :

  10. Semantics - Validity • Definition 3: An LTL formula is universally valid in a Kripke structure M ( in symbols M |= Af ) iff p |= f for all paths p in M with p (0) e I . An LTL formula f is existentially valid in a Kripke structure M ( in symbols M |= Ef ) iff there exists a path p in M with p |= f and p(0) e I • Paper considers existential model checking problem ( Search for a counterexample for EMCP )

  11. Semantics - Basic Idea of BMC • Consider only a finite prefixof a path ( bounded by k) and look for possible counterexample • Finite Prefix may represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states. • If no back loop, cant say anything abt infinite behavior • Example : Gp – Even if p holds from s0 to sk , can’t conclude anything if there is no back loop from sk to s0

  12. Semantics • Definition 4 : For l  k we call a path p a (k,l)-loop if p(k) p(l) and p =u.vw with u = (p(0),…., p(l-1)) and v=(p(l),.., p(k)). We call p simply a k-loop if there is a l e N with l <= k for which p is a (k,l)-loop

  13. Semantics • Definition 5 (Bounded Semantics for a Loop) : Let k e N and p be a k-loop. Then an LTL formula is valid along the path p with bound k ( in symbols p |=k f ) iff p |= f. • Definition 6 (Bounded Semantics without a Loop) : Let k e N and p be a path that is not a k-loop. Then an LTL formula is valid along the path p with bound k ( in symbols p |=k f ) iff p | f where:

  14. Semantics

  15. Semantics • Lemma 7 : Let h be an LTL formula and p be a path and p |=k h p |= h • Lemma 8 : Let f be an LTL formula f and M a Kripke structure. If M |= Ef then there exists k e N with M |=k Ef • Theorem 9 : Let f be an LTL formula , M a Kripke structure. Then M |= Ef iff there exists k e N with M |=k Ef

  16. Translation • Given a Kripke structure M, LTL formula f, bound k : • We need to construct a Propostional Formula[[ M,f ]]k which represents the constraints on s0,….,sk ( variables denoting a finite sequence of states on a path p ) such that [[ M,f ]]kis satisfiable iff f is valid along p • Size poly(f) , quadratic(k), linear(size(prop(T,I,p e A)) • Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k e N , [[ M ]]k = I(s0)   T (si , si+1) k-1 i=0

  17. Translation • Depending on whether a path is a k-loop or not, two different translations for temporal formula f. • Translation if path not a k-loop : [[ . ]]ik • Translation if path is a k-loop : l[[ . ]]ik • Example : h = p U q on a non-k-loop-path

  18. Translation • Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula f and k, i e N with i k • Defn 12(Successor in a Loop) : Let k,l,i e N, with l,i  k. Define the successor succ(i) in a (k,l)-loop as succ(i) = i+1 for i < k and succ(i) = l for i = k

  19. Translation • Definition 13 (Translation of an LTL formula for a Loop): Let f be an LTL formula, k,l,i e N with l,i  k

  20. Translation • Definition 14 ( Loop Condition) : For k,l e N , let lLk = T(sk,sl), Lk= Vl=0k Lk • Definition 15 ( General Translation ) : Let f be an LTL formula, M a Kripke structure and k e N • Theorem 16 :[[ M,f ]]k is satisfiable iff M |=kEf • Corollary 17 : M |= A¬f iff [[ M,f ]]k is unsatisfiable for all k e N

  21. Determining the Bound • To check whether M |= E f , the procedure checks M |=k E f for k = 0,1, 2… • If M |=kE f , then the procedure proves that M |= E f and produces a witness of length k. • If M |= E f , we have to increment the value of k indefinitely, and the procedure does not terminate

  22. Determining the Bound - ECTL • ECTL  ECTL* with each temporal operator preceded by one ‘E’ • Theorem 18 : Given an ECTL formula f and a Kripke structure M. Let |M| be the number of states in M, then M |= E f iff there exists k  |M| with M |= kE f • Definition 19 (Diameter). Given a Kripke structure M, the diameter of M is the minimal number d e IN with the following property. For every sequence of states s0.. sd+1with (si ,si+1 ) e T for i  d, there exists a sequence of states t0…tl where l  d such that t0 = s0 , tl = sd+1 and (tj,tj+1 ) e T for j  l. In other words, if a state v is reachable from a state u, then v is reachable from u via a path of length d or less.

  23. Determining the Bound - ECTL • Theorem 20: Given an ECTL formula f := EFp and a Kripke structure M with diameter d, M |= EFp iff there exists k  d with M |= k EFp. • Theorem 21: Given a Kripke structure M, its diameter d is the minimal number that satisfies the following formula:

  24. Determining the Bound - ECTL • Definition 22 (Recurrence Diameter) : Given a Kripke structure M, its recurrence diameter is the minimal number d e IN with the following property. For every sequence of states s0..sd+1 with (si , si+1) e T for i  d, there exists j  d such that sd+1 = sj . • Theorem 23 :Given an ECTL formula f and a Kripke structure M with recurrence diameter d, M |= E f iff there exists k  d with M |= k E f

  25. Determining the Bound - ECTL • Theorem 24: Given any Kripke structure M, its recurrence diameter d is the minimal number that satisfies the following formula:

  26. Determining the Bound - LTL • LTL model checking is known to be PSPACE complete • LTL model checking can be reduced to propositional satisfiability and thus it is in NP • Theorem 25. Given an LTL formula f and a Kripke structure M, let |M| be the number of states in M, then M |= E f iff there exists k  |M| X 2 | f | with M |= k E f .

  27. Determining the Bound - LTL • Definition 26 (Loop Diameter): We say a Kripke structure M is lasso shaped if every path p starting from an initial state is of the form up vwp , where up and vp are finite sequences of length less or equal to u and v, respectively. We define the loop diameter of M as (u,v). • Theorem 27: Given an LTL formula f and a lasso shaped Kripke structure M, let the loop diameter of M be (u,v), then M |= E f iff there exists k  u+ v with M |= k E f .

  28. Experimental Results • BMC • Model Checker based on bounded model checking. • Input language is a subset of the SMV language • It takes in a circuit description, a property to be proven, and a user supplied time bound k. • It then generates the propositional formula. • propositional formula can be solved using TOOLS like SATO

  29. Experimental Results • Experiments on : • Sequential multiplier, shift & add multiplier • Barrel shifter • Asynchronous circuit for distributed mutual exclusion • For buggy designs , ( eg those w/o fairness constraints while testing for liveness ) , counterexample obtained easily

  30. Conclusion • BMC is the first step in applying SAT procedures to symbolic model checking • New techniques needed to determine the diameter of a system • Recent Work • http://www.inf.ethz.ch/personal/biere/papers/papers.html • http://sra.itc.it/people/cimatti/publist.html

More Related