Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software Laboratory KAIST

Contents Introduction First glance at Bounded Model Checking –Bounded Model Checking – Safety –Bounded Model Checking – Liveness Linear Temporal Logic Semantics in BMC Translation LTL into Propositional Formula Determining the Bound Further Study Bounded Model Checking - Daniel KAIST2/30

Introduction(1/3) Model Checking without SAT-Solver –Symbolic model checking Binary Decision Diagrams(BDDs) are often become too large Selecting right variable ordering is very important for obtaining small BDDs –Often time consuming or needs manual intervention –Sometimes, no space efficient variable ordering exists –Explicit model checking Generate states explicitly State explosion problem Bounded Model Checking - Daniel KAIST3/30

Bad ordering Variable ordering of BDDs –BDD of (a 1 ∧ b 1 ) ∨ (a 2 ∧ b 2 ) Good ordering Introduction(2/3) Bounded Model Checking - Daniel KAIST4/30 a1a1 a2a2 a2a2 b1b1 b1b1 b2b2 01 a1a1 a2a2 b1b1 b2b2 01

Introduction(3/3) Model Checking with SAT-solver –SAT procedures also operate on Boolean formulas –Does not suffer from the potential space explosion of BDDs –Very efficient implementations exist e.g. MiniSAT, zChaff, … Bounded Model Checking - Daniel KAIST5/30

First Glance at BMC Bounded Model Checking - Daniel KAIST6/30 Given a property p : ( e.g. “ signal_a = signal_b”) Is there a state reachable in k cycles, which satisfies  p ?... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p Counter example Trace

Bounded Model Checking - Safety Bounded Model Checking - Daniel KAIST7/30 The reachable states in k steps are captured by: The property p fails in one of the k steps

Bounded Model Checking - Safety Bounded Model Checking - Daniel KAIST8/30 The safety property p is valid up to step k iff  k  is unsatisfiable:... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p

Bounded Model Checking - Safety Bounded Model Checking - Daniel KAIST9/30 Example: a two bit counter Property: G (  l   r ) For k = 2,  k  is unsatisfiable. For k = 3  k  is satisfiable Initial state:I :  l ^  r Transition:R : l ’ = ( l  r ) ^ r ’ =  r

Bounded Model Checking - Liveness Bounded Model Checking - Daniel KAIST10/30 There is no counterexample of length k to the Liveness property F p iff  k  is unsatisfiable: Loop Constraint... s0s0 s1s1 s2s2 s k-1 sksk :p:p :p:p pp :p:p :p:p =

LTL Semantics in BMC – Key Idea Consider only a finite prefix of a path (bounded by k) and look for possible counterexample Finite prefix may represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states. If no back loop, can’t say anything about infinite behavior Bounded Model Checking - Daniel KAIST11/30... s0s0 s1s1 s2s2 s k-1 sksk :p:p :p:p pp :p:p :p:p = ???

LTL Semantics in BMC Definition 1 : A Kripke structure is a tuple M = (S,I,T,L) with a finite set of states S, the set of initial states I  S, a transition relation between states T  S X S and the labeling of the states L: S  P(A) with atomic propositions A Boolean encoding of state ( vector of state variables ) Each state has a successor state  (s 0,s 1,,…)  (i) = s i and  i = (s i,s i+1,…) Bounded Model Checking - Daniel KAIST12/30 s0s0 s1s1 s2s2 s k-1 sksk...

LTL Semantics Definition 2 (Semantics of LTL) : Let M be a Kripke structure,  be a path in M and f be an LTL formula. Then  ⊨ f ( f is valid along p) is defined as Bounded Model Checking - Daniel KAIST13/30

LTL Semantics in BMC Definition 3 (Validity): –An LTL formula f is universally valid in a Kripke structure M ( in symbols M ⊨ Af ) iff  ⊨ f for all paths  in M with  (0)  I. –An LTL formula f is existentially valid in a Kripke structure M ( in symbols M ⊨ Ef ) iff there exists a path  in M with  ⊨ f and  (0)  I We consider existential model checking problem –Searching for a counterexample for existential model checking problem Bounded Model Checking - Daniel KAIST14/30

LTL Semantics in BMC However, we are considering bounded sequence … Definition 4 : For l  k we call a path  a (k,l)-loop if  (k)   (l) and  =u.v  with u = (  (0),….,  (l-1)) and v=(  (l),..,  (k)). We call  simply a k-loop if there is an l  N with l Mk for which  is a (k,l)-loop Bounded Model Checking - Daniel KAIST15/30

LTL Semantics in BMC Definition 5 (Bounded Semantics for a Loop). Let k ∈ N and π be a k-loop. Then an LTL formula f is valid along the path π with bound k (π ⊨ k f) iff π ⊨ f. Bounded Model Checking - Daniel KAIST16/30

LTL Semantics in BMC Definition 6 (Bounded Semantics without a Loop). Let k ∈ N and let ∈ be a path that is not a k-loop. Then an LTL formula f is valid along the path π with bound k (π ⊨ k f ) iff π ⊨ 0 k f where Bounded Model Checking - Daniel KAIST17/30

LTL Semantics in BMC Lemma 7 : Let h be an LTL formula and  be a path and  ⊨ k h   ⊨ h Lemma 8 : Let f be an LTL formula and M a Kripke structure. If M ⊨ Ef then there exists k ∈ N with M ⊨ k Ef Theorem 9 : Let f be an LTL formula, M a Kripke structure. Then M |= Ef iff there exists k ∈ N with M ⊨ k Ef Bounded Model Checking - Daniel KAIST18/30

Translation LTL into Propositional Formula Given a Kripke structure M, LTL formula f, bound k –We need to construct a Propositional Formula [[ M,f ]] k which represents the constraints on s 0,….,s k such that [[ M,f ]] k is satisfiable iff f is valid along p –The size of [[ M,f ]] k is polynomial in the size of f –The size of [[ M,f ]] k is quadratic in k –The size of [[ M,f ]] k is linear in the size of the propositional formulas for R, I and the p ∈ A. Bounded Model Checking - Daniel KAIST19/30

Translation LTL into Propositional Formula Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N, [[ M ]] k = I(s 0 )    T (s i, s i+1 ) Bounded Model Checking - Daniel KAIST20/30 i=0 k-1

Example – 3bit shift register 3-bit misbehaving shift register (x[0],x[1],x[2]) T(x, x’): (x’[0]=x[1])  (x’[1]=x[2])  (x’[2]=1) “Eventually register will be empty” : AF( x=0 ) –AF( x=0 )  ¬EG( x != 0 ) Restrict search to path having k+1 states (k=2) Bounded Model Checking - Daniel KAIST21/30 x 1 [0] x 1 [1] x 1 [2] x 0 [0] x 0 [1] x 0 [2] x0x0 x1x1 x2x2 x 2 [0] x 2 [1] x 2 [2]

Example – 3bit shift register f m = I(x 0 )  T(x 0,x 1 )  T(x 1,x 2 ) T(x 0,x 1 ) = T(x 1,x 2 ) = Property : ¬EG( x != 0 ) Bounded Model Checking - Daniel KAIST22/30 (x 1 [0]  x 0 [1])  x 1 [1]  x 0 [2])  x 1 [2]=1) (x 2 [0]  x 1 [1])  x 2 [1]  x 1 [2])  x 2 [2]=1) x 1 [0] x 1 [1] x 1 [2] x 0 [0] x 0 [1] x 0 [2] x0x0 x1x1 x2x2 x 2 [0] x 2 [1] x 2 [2] L0L0 L1L1 L2L2 “Any path with three states that is a witness for G(x != 0 ) must contain a loop”

Translation LTL into Propositional Formula Bounded Model Checking - Daniel KAIST23/30 Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N, [[ M ]] k = I(s 0 )    T (s i, s i+1 ) In 3-bit shifter example, –f m = I(x 0 )  T(x 0,x 1 )  T(x 1,x 2 ) –I(x 0 ) = (x 0 [0]  0)  x 0 [1]  0)  x 0 [2]=0) (arbitrary) –T(x 0,x 1 ) = (x 1 [0]  x 0 [1])  x 1 [1]  x 0 [2])  x 1 [2]=1) –T(x 1,x 2 ) = (x 2 [0]  x 1 [1])  x 2 [1]  x 1 [2])  x 2 [2]=1) Constraint formula –(x i != 0 ) : ( x i [0] = 1) V ( x i [1] = 1 ) V ( x i [2] = 1 ) i=0 k-1

Translation LTL into Propositional Formula Depending on whether a path is a k-loop or not, two different translations exist for temporal formula f Translation if path not a k-loop : [[. ]] i k Translation if path is a k-loop : l [[. ]] i k Definition 12(Successor in a Loop) : Let k,l,i ∈ N, with l,i  k. Define the successor succ(i) in a (k,l)-loop as succ(i) = i+1 for i < k and succ(i) = l for i = k Bounded Model Checking - Daniel KAIST24/30

Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula f and k, i ∈ N with i  k Bounded Model Checking - Daniel KAIST25/30 Translation LTL into Propositional Formula

Definition 13 (Translation of an LTL formula for a Loop): Let f be an LTL formula, k,l,i e N with l,i  k Bounded Model Checking - Daniel KAIST26/30

Translation LTL into Propositional Formula Definition 14 ( Loop Condition) : For k,l ∈ N, let l L k = T(s k, s l ), L k = V l=0 k L k Definition 15 ( General Translation ) : Let f be an LTL formula, M a Kripke structure and k ∈ N Theorem 16 :[[ M,f ]] k is satisfiable iff M ⊨ k Ef Corollary 17 : M ⊨ A ¬f iff [[ M,f ]] k is unsatisfiable for all k ∈ N Bounded Model Checking - Daniel KAIST27/30 without loopwith loop

Determining the Bound Bounded Model Checking - Daniel KAIST28/30

Further Study CBMC –Making the Most of BMC Counterexamples by Alex Groce, Daniel Koening. In BMC 2004 This paper introduces counterexample minimization Bounded Model Checking - Daniel KAIST29/30

Reference Bounded and Unbounded Model Checking using SAT (Invited talk) By E. Clarke. In Satisfiability Solvers and Pr ogram Verification Symbolic Model Checking without BDDs By A. Biere, A. Cimatti, E. Clarke, Y. Zhu. In TACAS’99 Bounded Model Checking - Daniel KAIST30/30