1 Completeness and Complexity of Bounded Model Checking
2 Symbolic model checking Model checking can be very efficient for synchronous systems, such as synchronous hardware circuits. Represented as a symbolic transition system. Can be exponentially smaller than an explicit transition system such as a Kripke structure.
3 Symbolic transition system A set of (propositional) atoms AP v 1,....,v n Another copy AP’ of the variables v 1 ’,...,v n ’ Initial state predicate I over AP For each atom in AP’, a transition function over AP.
4 AP = {v 0,v 1,v 2 }, AP’ = {v’ 0,v’ 1,v’ 2 } I: : v 0 Æ : v 1 Æ : v 2 R: v 0 ’ = : v 0 v 1 ’ = v 0 © v 1 v 2 ’ = (v 0 Æ v 1 ) © v 2 ` Example
5 Given a property p : (e.g. “G (signal_a = signal_b)”) Is there a state reachable within k cycles, which satisfies p ?... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p Bounded Model Checking
6 The reachable states in k steps are captured by: The property p fails in one of the cycles 1.. k : Bounded Model Checking
7 The safety property p is valid up to cycle k iff k is unsatisfiable:... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p Bounded Model Checking
8 Example: a two bit counter Property: G ( l r ) For k · 2, k is unsatisfiable. For k ¸ 3 k is satisfiable Initial state: I : : l Æ : r Transition: R : l ’ $ ( l © r ) Æ r ’ $ : r Bounded Model Checking
9 LTL model checking Given M, , construct a Buchi automaton B LTL model checking: is : M £ B empty? Emptiness checking: is there a path to a loop with an accepting state ? s0s0
10 “Unroll” k times Find a path to a loop that satisfies, in at least one of its states, one of F states. …that is, one of the states in the loop satisfies s0s0 Generating the BMC formula (Based on the Vardi-Wolper algorithm)
11 s0s0 The BMC formula Initial state: k transitions: Closing a cycle with an accepting state: sksk slsl One of the states in the loop Satisfies one of F states Closing the loop Transitions of M and of B :
12 Example Same 2 bit counter as before and k =2. Property: GF ( l Æ r ). First: represent the Buchi automaton of the negated property as a transition system I: : v R: v’ = ( : l Ç : r) 0 1 : l Ç: r FG( : l Ç : r) Two states. We will represent them with 1 variable v. Simplification of: : v Æ ( : l Ç : r) Ç v Æ ( : l Ç : r)
13 Example (cont’d) Last part, exapmle for l = 1: s 1 = s 2 F = {v}
14 Bounded Model Checking k = 0 BMC(M, ,k) yes k++ k ¸ ?k ¸ ? no
15 How big should k be? For every model M and LTL property there exists k s.t. M ² k ! M ² We call the minimal such k the Completeness Threshold ( CT ) Clearly if M ² then CT = 0 Conclusion: computing CT is at least as hard as model checking
16 The Completeness Threshold Computing CT is as hard as model checking The value of CT depends on the model M and the property . First strategy: find over-approximations to CT based on graph theoretic properties of M
17 Diameter d(M) = longest shortest path between any two reachable states. Recurrence Diameter rd(M) = longest loop-free path between any two reachable states. d(M) = 2 rd(M) = 3 Initialized Diameter d I (M) Initialized Recurrence Diameter rd I (M) Basic notions…
18 The Completeness Threshold Theorem: for Gp properties CT · d(M) s0s0 pp Arbitrary path Theorem: for Fp properties CT · rd(M)+1 s0s0 pp pp pp pp pp Theorem: for an LTL property CT · ?
19 Generating the BMC formula (Based on the Vardi-Wolper algorithm) Buchi automata B: h S,S 0, ,F,L i Let inf(W) be the set of states visited infinite no. of times by a run W B accepts W iff there exists f 2 F s.t. inf(W) Å f ;
20 Completeness Threshold for LTL It cannot be longer than rd I ( )+1 It cannot be longer than d I ( ) + d( ) Result: min(rd I ( )+1, d I ( ) + d( )) s0s0
21 Completeness Threshold for LTL It cannot be longer than d I ( ) + d( ): a path to the accepting state + a path back to the accepting state. s0s0 · d I ( Ã ) · d( Ã )
22 CT: examples d I ( ) + d( ) = 6 rd I ( ) + 1= 4 d I ( ) + d( ) = 2 rd I ( ) + 1= 4 s0s0 s0s0
23 Computing CT (diameter) Computing d ( ) symbolically with QBF: find minimal k s.t. for all i, j, if j is reachable from i, it is reachable in k or less steps. k-long path s 0 -- s k Complexity: 2-exp k+1-long path s 0 -- s k+1
24 Computing CT (diameter) Computing d( ) explicitly: Generate the graph Find shortest paths (O| | 2 ) (BFS from each node) Find longest among all shortest paths O(| | 2 ) exp 2 in the size of the representation of Why is there a complexity gap (2-exp Vs. exp 2 )? QBF tries in the worst case all paths between every two states. Unlike Floyd-Warshall, QBF does not use transitivity information like:
25 Computing CT (recurrence diameter) Finding the longest loop-free path in a graph is NP- complete in the size of the graph. The graph can be exponential in the number of variables. Conclusion: in practice computing the recurrence diameter is 2-exp in the no. of variables. Computing rd(y) symbolically with SAT. Find largest k that satisfies:
26 Complexity of BMC CT · (min(rd I ( )+1, d I ( ) + d( ))) Computing CT is 2exp. The value of CT can be exponential in the # of state variables. BMC SAT formula grows linearly with k, which can be as high as CT. Conclusion: standard SAT based BMC is worst-case 2-exp
27 The complexity GAP SAT-based BMC is 2-exp LTL model checking is exponential in | | and linear in | M | (to be accurate, it is ‘Pspace-complete’ in | |) So why use BMC ?
28 The complexity GAP So why use BMC ? Finding bugs when k is small In many cases rd(y) and d(y) are not exponential and are even rather small. SAT, in practice, is very efficient.
29 Closing the complexity gap Why is there a complexity gap ? LTL-MC with 2-dfs : dfs1 dfs2 Every state is visited not more than twice
30 The Double-DFS algorithm DFS1(s) { push(s,Stack1); hash(s,Table1); for each t 2 Succ (s) {if t Table1 then DFS1(t);} if s 2 F then DFS2(s); pop(Stack1); } DFS2(s) { push(s,Stack2); hash( s,Table2) ; for each t 2 Succ (s) do { if t is on Stack1 { output(“bad cycle:”); output( Stack1,Stack2,t); exit; } else if t Table2 then DFS2(t) } pop( Stack2); } Upon finding a bad cycle, Stack1, Stack2, t, determines a counterexample: a bad cycle reached from an init state.
31 Closing the complexity gap 2-dfs Each state is visited not more than twice SAT Each state can potentially be visited an exponential no. of times, because all paths are explored.
32 Closing the complexity gap (for Gp) Force a static order, following a forward traversal Each time a state i is fully evaluated (assigned): Prevent the search from revisiting it through deeper paths e.g. If ( x i Æ : y i ) is a visited state, then for i < j · CT add the following state clause: ( : x j Ç y j ) When backtracking from state i, prevent the search from revisiting it in step i (add ( : x i Ç y i )). If : p i holds stop and return “Counterexample found”
33 Work in progress Challenges: Formally prove that the restricted version is 1-exp. Remove requirement of static order, and stay 1-exp. Extend to full LTL How to combine logic minimization and template clauses Implementation & experiments
34 Closing the complexity gap Restricted SAT-BMC for LTL (/symbolic 2-dfs) Force a static order, following a forward traversal Each time a state i is fully evaluated (assigned): Prevent the search from revisiting it through deeper paths, e.g. If ( x i Æ : y i ) is a visited state, then for i < j · CT add the following state clause: ( : x j Ç y j ). We denote this clause by Sc i j When backtracking, from state i, prevent the search from revisiting it in step i (add ( : x i Ç y i )). Let last-accepting[i] = index of the last accepting state · i If a conflict arises in step j due to a state-clause SC i j s.t. i · last-accepting[j-1] and SC i i is satisfied, Return (“counterexample found”)
35 Closing the complexity gap Is restricted SAT better or worse than BMC ? Bad news: We gave up the main power of SAT: dynamic splitting heuristics. We may generate an exponential no. of added constraints Good news Single exp. instead of double exp. No need to compute CT. (Instead of pre-computing CT we can maintain a list of states and add their negation ‘when needed’).
36 Closing the complexity gap Is restricted SAT better or worse than explicit LTL- Model-Checking ? Not clear ! Unlike DFS, SAT has heuristics for progressing. SAT has pruning ability of sets of states
37 Comparing the algorithms… 2-dfs LTL MCRestricted-SAT BMC SAT - BMC TimeEXPEXP 2 2-EXP Memory*EXPEXP 2 EXP GuidanceNoneRestrictedFull PruningStatesSets of states * Assuming the SAT solver restricts the size of its added clauses
38 Proving properties So far we saw how to refute properties. Now we consider an algorithm for proving them. Sometimes it even works.
39 Proof by induction Let = Gp Suppose that we prove that Initially p holds. Every state that satisfies p, all its successors also satisfy p. By induction, we can argue that M ² .
40 This rarely works... even when indeed M ² . Why ? Because of unreachable states. ppp :p:p M
41 A better method: k-induction Check that all states reachable from an initial state in k steps satisfy . With Bounded Model Checking Check that if holds on a k -long path, then all states reachable in the k +1-th step also satisfy . We can still do better...
42 k-induction For which k we can prove correctness in the following model ? ppp :p:p M pp
43 k-induction For which k we can prove correctness in the following model ? ppp :p:p M
44 The problem: cycles We will change the criterion: Prove that each loop-free path of length k that satisfies , also satisfies in the next step. Will it prove the following model ? ppp :p:p M
45 k-induction It is common to have very long chains of unreachable states. ppp :p:p M pp... n
46 k-induction Consider the system: init(x) = 0; init(y) = 0; init(cnt) = 0; x’ = x y’ = y cnt’ = cnt + 1. where cnt is an n-bit variable (x=1,y=1,cnt) is unreachable for any value of cnt. What is the length of the chain of unreachable states ?