Symbolic model checking with SAT/SMT Fu Song

Fixpoint Computation The fixpoint formulation for EG p: nu Z. p ∧ EXZ (greatest fixpoint) Z0(v) = True Zk(v) = p(v) ∧ Ǝv' [ R(v, v') ∧ Zk-1(v)], for all k>0 Stop when Zk = Zk−1

Counterexample and Witness Witness: an execution path that demonstrates satisfaction of the property φ by model M EF p: s0s1…sn with p(sn) EG p: s0s1…sns0 with p(si) for 0<=i<=n Counterexample: an execution path that demonstrates violation of the property φ by model M AG p: s0s1…sn with ! p(sn) AF p: s0s1…sns0 with ! p(si) for 0<=i<=n

until si+1 equals to some sj with 0<=j<=i Witness Computation The fixpoint formulation for EG p: nu Z. p ∧ EXZ (greatest fixpoint) Z0(v) = True Zk(v) = p(v) ∧ Ǝv' [ R(v, v') ∧ Zk-1(v)], for all k>0 Stop when Zk = Zk−1 Fact: Z0>=Z1>=…>= Zk−1 =Zk If S0 cap Zk = \emptyset, then not hold Else, select one initial state s0 from Zk For each i>=0, choose si+1 such that si+1 in Zk and R(si,si+1) until si+1 equals to some sj with 0<=j<=i

Bounded model checking Given: A kripke structure M, an LTL property φ, and an integer bound k. Question: Is there an execution of M of length at most k that violates φ? We can write this: M |=k φ.

Semantics of LTL

Bounded semantics of LTL without a Loop K is bound i is the current position Pi is a path without any loops

Bounded semantics of LTL with (k,l)-loop pi= s0s1s2…slsl+1….skslsl+1…sk…

Bounded model checking Simple idea: “Unroll” description, use SAT/SMT to find a property violation. State description: I(s) – initial state R(s,t) – t is a successor of s P(s) – property of all states k-step violation of the property would satisfy: G p: I(s0)R(s0,s1)R(s1,s2)...R(sk-1,sk)P(sk) F p: I(s0)R(s0,s1)R(s1,s2)...R(sk-1,sk) P(s0) …,  P(sk) R(sk,s0)\/…\/R(sk,sk) Use SAT to check this for k = 0, 1, ... until it gets too big G p

Example A three bit shift register: should be empty (all bits set to zero) after three consecutive shifts (F x= 0). R(x,x’)= (x’[0] = x[1])∧(x’[1] = x[2])∧(x’[2] = 1) k=2: I(x0)R(x0,x1)R(x1,x2), I(x0)= True R(x0,x1): R(x1,x2): R(x2,xi): (loop) Check G x!= 0 xi!=0 xi[0]=1 or xi[1]=1 or xi[2]=1 This formula is satisfiable iff there is a counterexample of length 2 for the original formula F(x = 0). In our example we find a satisfying assignment for (1) by setting xi[ j] := 1 for all i, j = 0,1,2.

Bounded LTL model checking Unfolding the Transition Relation Translation of an LTL Formula without a Loop

Bounded LTL model checking Translation of an LTL Formula for a (k,l)-loop

Bounded LTL model checking Loop Condition General Translation

Verification with BMC

Verification with BMC Bounded model checking is a good way to search for counterexamples (up to some depth). How does one know that the k value is good enough? k=0,1,2,3,4,5,6…. If we find no bugs with k but increase the bound to k + 1, we might find a bug.

Verification with BMC For proving “always properties” Define “depth” of a state as the length of the shortest path from a start state to the state. Searching all k up to the maximum-depth state is sufficient to prove property P. If there are |V| Boolean state variables, there is a bound of 2|V| on this path length. The maximum depth is usually much less than this. This is impractically large in most cases. It’s not helpful for infinite-state systems (e.g., unbounded integers).

Liveness properties Reminder: Properties like “eventually P” are liveness properties. They don’t have finite-length counterexamples. But, for finite-state systems, there is a counterexample that is a single infinite path with a loop. The following says that there exists a loop where P is always false (a violation of “AF P”) I(s0)N(s0,s1)...N(si,si+1)P(si+1)...P(sk-1) N(sk-1,si)P(si)

Boundedness Trivial: the bound is |M| But it is still too larger in practice Diameter: the longest shortest path between two nodes resp. states, i.e., maximum distance If a bad state is reachable, then it is reachable in a shortest path from an initial state, <=diameter Computing diameters directly is quite hard, as hard as model checking (QBF) Reoccurrence diameter: the length of the longest simple path in, >= diameter simple path:  a path which contains no repeated

Example A fully connected graph with n nodes Diameter ？ Reoccurrence diameter ？ 1, 7

Complexity of BMC Original translation O(k|M|+k2|φ|) Automata based translation (Buchi Automata) O(k|M|2|φ|) Fixpoint based translation O(k|M|+|φ|) Diameter: exponential of the number of variables SAT solver is also exponential time BMC is doubly-exponential time But: LTL model checking is singly-exponential time 1, 7

Fixpoint based translation loop selector variables l0,…,lk At most one is true 1, 7

Fixpoint based translation 1, 7

SAT-based MC vs. BDD-based MC LTL and ACTL Do not canonical form Shortest counterexample Efficient SAT solvers exist Diameter is small in many cases BDD CTL and mu-calculus Canonical representation Variable ordering sensitive Often tool larger Cannot handle more than a couple of hundred latches 1, 7