1

Completeness and Complexity of Bounded Model Checking

Ed Clarke

Daniel Kroening

Joel Ouaknine

Carnegie Mellon University, Pittsburgh, USA

Ofer Strichman

Technion, Haifa, Israel

2

Overview

Bounded Model Checking of LTL: the (traditional) syntactic translation scheme

The semantic translation scheme The Completeness Threshold problem A solution to the Completeness Threshold problem The complexity of Bounded Model Checking (2exp) The complexity gap and how it can be closed

3

Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)

Model checking: is M a model of (M ² )?

Bounded Model Checking (BMC): is there a counterexample to M ² up to a given depth k ?

BMC is widely accepted as a complementary to Model-Checking.

4

Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)

BMC can be performed with SAT (no need to detect fixpoints).

SAT formulation of BMC: Keep k copies of each variable

Check if [M]k Æ[:]k is satisfiable, where:

[M]k represents all traces of M up to length k

[:]k represents all traces of length up to k that satisfy :

[:]k = (… formulation in next few slides)

5

Generating []k is based on expansion formulas for LTL (Manna & Pnueli):

BMC (syntactic) translation(Biere, Cimatti, Clarke, Zhu, 1999)

6

BMC (syntactic) translation(Biere, Cimatti, Clarke, Zhu, 1999)

The no-loop case (finite traces)

Expansion rule BMC translation

Base case:

k

7

BMC (syntactic) translation(Biere, Cimatti, Clarke, Zhu, 1999)

The loop case (infinite traces)

Expansion rule BMC translation

Base case:

l

s(i) = i + 1 if i < k, and l otherwise

k=

8

LTL model checking(Vardi-Wolper)

Given M,, construct a Buchi automaton B

LTL model checking: is : M £ B empty?

Emptiness checking: is there a path to a loop with an accepting state ?

s0

9

“Unroll” k times Find a witness to Gtrue with the fairness constraint

s0

A semantic BMC translation(Based on Vardi-Wolper)

(Was mentioned by [De-Moura, Rushby, Sorea, 2002] in the context of infinite systems)

10

Advantages of the semantic translation

Syntactic Translation Semantic Translation

Size of formula O(k ¢ |M| + k2 ¢||) O (k ¢ |M| + k ¢||)

Optimizations w.r.t. LTL formulas

None Efficient Buchi construction from LTL

Computing CT Only for Gp and Fp Full LTL

11

Advantages of the semantic translation

Syntactic Translation Semantic Translation

Size of formula O(k ¢ |M| + k2 ¢||) O (k ¢ |M| + k ¢||)

Optimizations w.r.t. LTL formulas

None Efficient Buchi construction from LTL

Computing CT Only for Gp and Fp Full LTL

13

Bounded Model Checking

k = 0

BMC(M,,k)

yes

k++

k ¸ ?no

14

How big should k be?

For every model M and LTL property there exists k s.t.

We call the minimal such k the Completeness Threshold (CT)

Clearly if M ² then CT = 0

Conclusion: computing CT is at least as hard as model checking

15

The Completeness Threshold

Computing CT is as hard as model checking

The value of CT depends on the model M, the property and the translation scheme.

Strategy: find over-approximations to CT based on graph theoretic properties of M

16

Diameter d(M) = longest shortest path between any two reachable states.

Recurrence Diameter rd(M) = longest loop-free path between any two reachable states.

d(M) = 2

rd(M) = 3

Initialized Diameter dI(M) Initialized Recurrence Diameter rdI(M)

Basic notions…

17

The Completeness Threshold

Theorem: for Gp properties CT = dI(M)

(Biere, Cimatti, Clarke, Zhu, 1999) s0

p

Arbitrary path

Theorem: for Fp properties CT= rdI(M)+1

(Kroening, Strichman, 2003)s0

ppppp

Theorem: for an LTL property CT = ?

18

Advantages of the semantic translation

Syntactic Translation Semantic Translation

Size of formula O(k ¢ |M| + k2 ¢||) O (k ¢ |M| + k ¢||)

Optimizations w.r.t. LTL formulas

None Efficient Buchi construction from LTL

Computing CT Only for Gp and Fp Full LTL

19

Completeness threshold for LTL

It cannot be longer than rdI()+1 It cannot be longer than dI() + d() Result: min(rdI()+1, dI() + d())

s0

20

CT: examples

dI() + d() = 6rdI() + 1= 4

dI() + d() = 2rdI() + 1= 4 s0

s0

26

Complexity of BMC

CT · (min(rdI()+1, dI() + d()))

The value of CT can be exponential in the # of state variables.

BMC SAT formula grows linearly with k

Conclusion: standard SAT based BMC is worst-case 2-exp

27

The complexity GAP

SAT based BMC is 2-exp in the # state variables. LTL model checking is 1-exp in the # state variables.

So why use BMC ?

Finding bugs when k is small

In many cases rd(y) and d(y) are not exponential and are even rather

small.

SAT, in practice, is very efficient.

28

Closing the complexity gap

Why is there a complexity gap ? LTL-MC with 2-dfs :

dfs1

dfs2

Every state is visited not more than twice

29

Closing the complexity gap

2-dfs Each state is visited not more than twice

SAT Each state can potentially be visited an exponential no. of times,

because all paths are explored.

30

Closing the complexity gap (for Gp)

Force a static order, following a forward traversal

Each time a state i is fully evaluated (assigned):

Prevent the search from revisiting it through deeper paths (by adding conflict clauses)

When backtracking from state i, prevent the search from revisiting it in step i

If :pi holds stop and return “Counterexample found”

33

Closing the complexity gap

Is ‘1-exp SAT’ better or worse than BMC ? Bad news:

We gave up the main power of SAT: dynamic splitting heuristics. We may generate an exponential no. of added constraints

Good news Single exp. instead of double exp. No need to compute CT. (Instead of pre-computing CT we can

maintain a list of states and add their negation ‘when needed’).

34

Closing the complexity gap

Is restricted SAT better or worse than explicit LTL-MC ? Not clear !

Unlike dfs, SAT has heuristics for progressing. SAT has pruning ability of sets of states

35

Comparing the algorithms…

2-dfs LTL MC Restricted-SAT BMC

SAT - BMC

Time EXP EXP2 2-EXP

Memory* EXP EXP2 EXP

Guidance None Restricted Full

Pruning States Sets of states Sets of states

* Assuming the SAT solver restricts the size of its added clauses