Bounded Model Checking

Bounded Model CheckingA. Biere, A. Cimatti, E. Clarke, Y. Zhu,

Symbolic Model Checking without BDDs, TACAS’99

Presented by Daniel ChoiProvable Software Laboratory

KAIST

Bounded Model Checking - Daniel Choi@pswlab, KAIST

Contents• Introduction• First glance at Bounded Model Checking

– Bounded Model Checking – Safety– Bounded Model Checking – Liveness

• Linear Temporal Logic Semantics in BMC• Translation LTL into Propositional Formula• Determining the Bound• Further Study

2/30


Introduction(1/3)• Model Checking without SAT-Solver

– Symbolic model checking• Binary Decision Diagrams(BDDs) are often become

too large• Selecting right variable ordering is very important

for obtaining small BDDs– Often time consuming or needs manual intervention– Sometimes, no space efficient variable ordering exists

– Explicit model checking• Generate states explicitly

• State explosion problem3/30


Bad ordering

• Variable ordering of BDDs– BDD of (a1 ∧ b1) ∨ (a2 ∧ b2)

Good ordering

Introduction(2/3)

4/30

a1

a2

a2

b1 b1

b2

0 1

a1

a2

b1

b2

0 1


Introduction(3/3)• Model Checking with SAT-solver

– SAT procedures also operate on Boolean formu-las

– Does not suffer from the potential space explo-sion of BDDs

– Very efficient implementations existe.g. MiniSAT, zChaff, …

5/30


First Glance at BMC

6/30

Given a property p: (e.g. “signal_a = signal_b”)

Is there a state reachable in k cycles, which satis-fies p ?

. . .s0 s1 s2 sk-1 sk

p p p p p

Counter example Trace


Bounded Model Checking - Safety

7/30

The reachable states in k steps are captured by:

The property p fails in one of the k steps



8/30

The safety property p is valid up to step k iff W(k) is unsatisfiable:

. . .s0 s1 s2 sk-1 sk

p p p p p



9/30

Example: a two bit counter

Property: G (l r).

00

01 10

11

For k = 2, W(k) is unsatisfiable. For k = 3 W(k) is satisfiable

Initial state:I: l ^ rTransition: R: l’ = (l r) ^ r’ = r


Bounded Model Checking - Live-ness

10/30

There is no counterexample of length k to theLiveness property Fp iff W(k) is unsatisfiable:

Loop Con-straint

. . .s0 s1 s2 sk-1 sk

:p :p p:p :p

=


LTL Semantics in BMC – Key Idea• Consider only a finite prefix of a path (bounded

by k) and look for possible counterexample

• Finite prefix may represent an infinite path if there is a back loop from the last state of the pre-fix to any of the previous states.

• If no back loop, can’t say anything about infinite behavior

11/30

. . .s0 s1 s2 sk-1 sk

:p :p p:p :p

=

???


LTL Semantics in BMC• Definition 1 : A Kripke structure is a tuple M = (S,I,T,L) with a finite

set of states S, the set of initial states I S , a transition relation be-tween states T S X S and the labeling of the states L: S P(A) with atomic propositions A

• Boolean encoding of state ( vector of state variables )

• Each state has a successor state

• p = (s0,s1,,…) p(i) = si and pi = (si,si+1,…)

12/30

s0 s1 s2 sk-1 sk

. . .


LTL Semantics• Definition 2 (Semantics of LTL) : Let M be a Kripke

structure, p be a path in M and f be an LTL formula. Then p ⊨ f ( f is valid along p) is defined as

13/30


LTL Semantics in BMC• Definition 3 (Validity):

– An LTL formula f is universally valid in a Kripke structure M ( in symbols M ⊨ Af ) iff p ⊨ f for all paths p in M with p (0) I.

– An LTL formula f is existentially valid in a Kripke structure M ( in symbols M ⊨ Ef ) iff there exists a path p in M with p ⊨ f and p(0) I

• We consider existential model checking problem – Searching for a counterexample for existential model checking

problem

14/30


LTL Semantics in BMC• However, we are considering bounded sequence

…

• Definition 4 : For l k we call a path p a (k,l)-loop if p(k) p(l) and p =u.vw with u = (p(0),…., p(l-1)) and v=(p(l),.., p(k)). We call p simply a k-loop if there is an l N with l Mk for which p is a (k,l)-loop

15/30


LTL Semantics in BMC• Definition 5 (Bounded Semantics for a

Loop). Let k ∈ N and π be a k-loop. Then an LTL formula f

is valid along the path π with bound k (π ⊨k f) iff π ⊨ f.

16/30


LTL Semantics in BMC• Definition 6 (Bounded Semantics without a

Loop). Let k ∈ N and let ∈ be a path that is not a k-loop.

Then an LTL formula f is valid along the path π with bound k (π ⊨k f ) iff π ⊨0

k f where

17/30


LTL Semantics in BMC• Lemma 7 : Let h be an LTL formula and p be a path and

p ⊨k h p ⊨ h

• Lemma 8 : Let f be an LTL formula and M a Kripke struc-ture. If M ⊨ Ef then there exists k ∈ N with M ⊨k Ef

• Theorem 9 : Let f be an LTL formula, M a Kripke struc-ture. Then M |= Ef iff there exists k ∈ N with M ⊨k Ef

18/30


Translation LTL into Propositional For-mula

• Given a Kripke structure M, LTL formula f, bound k– We need to construct a Propositional Formula

[[ M,f ]]k which represents the constraints on s0,….,sk such that [[ M,f ]]k is satisfiable iff f is valid along p

– The size of [[ M,f ]]k is polynomial in the size of f

– The size of [[ M,f ]]k is quadratic in k

– The size of [[ M,f ]]k is linear in the size of the propositional formulas for R, I and the p ∈ A.

19/30



• Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N ,

[[ M ]]k = I(s0) T (si , si+1)

20/30

i=0

k-1


Example – 3bit shift register• 3-bit misbehaving shift register (x[0],x[1],x[2])• T(x, x’): (x’[0]=x[1]) (x’[1]=x[2]) (x’[2]=1) • “Eventually register will be empty” : AF( x=0 )

– AF( x=0 ) ¬EG( x != 0 ) • Restrict search to path having k+1 states (k=2)

21/30

x1[0]x1[1]x1[2]

x0[0]x0[1]x0[2]

x0 x1 x2

x2[0]x2[1]x2[2]


Example – 3bit shift register• fm = I(x0) T(x0,x1) T(x1,x2)• T(x0,x1) =• T(x1,x2) = • Property : ¬EG( x != 0 )

22/30

(x1[0] = x0[1]) (x1[1] = x0[2]) (x1[2]=1)(x2[0] = x1[1]) (x2[1] = x1[2]) (x2[2]=1)

x1[0]x1[1]x1[2]

x0[0]x0[1]x0[2]

x0 x1 x2

x2[0]x2[1]x2[2]

L0 L1L2

“Any path with three states that is a wit-ness for G(x != 0 ) must contain a loop”



23/30

• Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N ,

[[ M ]]k = I(s0) T (si , si+1)

• In 3-bit shifter example,– fm = I(x0) T(x0,x1) T(x1,x2)– I(x0) = (x0[0] = 0) (x0[1] = 0) (x0[2]=0) (arbitrary)– T(x0,x1) = (x1[0] = x0[1]) (x1[1] = x0[2]) (x1[2]=1)– T(x1,x2) = (x2[0] = x1[1]) (x2[1] = x1[2]) (x2[2]=1)

• Constraint formula– (xi != 0 ) : ( xi [0] = 1) V ( xi [1] = 1 ) V ( xi [2] = 1 )

i=0

k-1



• Depending on whether a path is a k-loop or not, two differ-ent translations exist for temporal formula f

• Translation if path not a k-loop : [[ . ]]i

k

• Translation if path is a k-loop : l[[ . ]]i

k

Definition 12(Successor in a Loop) : Let k,l,i ∈ N, with l,i k. Define the successor succ(i) in a (k,l)-loop as succ(i) = i+1 for i < k and succ(i) = l for i = k

24/30


• Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula f and k, i ∈ N with i k

25/30




• Definition 13 (Translation of an LTL formula for a Loop): Let f be an LTL formula, k,l,i e N with l,i k

26/30



• Definition 14 ( Loop Condition) : For k,l ∈ N , let lLk = T(sk,sl), Lk= Vl=0

k Lk

• Definition 15 ( General Translation ) : Let f be an LTL formula, M a Kripke structure and k ∈ N

• Theorem 16 :[[ M,f ]]k is satisfiable iff M ⊨k Ef• Corollary 17 : M ⊨ A ¬f iff [[ M,f ]]k is unsatisfiable for

all k ∈ N

27/30

without loop

with loop


Determining the Bound

28/30


Further Study• CBMC

– Making the Most of BMC Counterexamplesby Alex Groce, Daniel Koening. In BMC 2004

• This paper introduces counterexample minimization

29/30


Reference• Bounded and Unbounded Model Checking us-

ing SAT(Invited talk) By E. Clarke. In Satisfiability Solvers and Program Verification 2006.

• Symbolic Model Checking without BDDsBy A. Biere, A. Cimatti, E. Clarke, Y. Zhu. In TACAS’99

30/30

Documents

Bounded Model Checking