Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic model checking with SAT/SMT

Published byWilfred Moore Modified over 6 years ago

Similar presentations

Presentation on theme: "Symbolic model checking with SAT/SMT"— Presentation transcript:

1 Symbolic model checking with SAT/SMT
Fu Song

2 Fixpoint Computation The fixpoint formulation for EG p:
nu Z. p ∧ EXZ (greatest fixpoint) Z0(v) = True Zk(v) = p(v) ∧ Ǝv' [ R(v, v') ∧ Zk-1(v)], for all k>0 Stop when Zk = Zk−1

3 Counterexample and Witness
Witness: an execution path that demonstrates satisfaction of the property φ by model M EF p: s0s1…sn with p(sn) EG p: s0s1…sns0 with p(si) for 0<=i<=n Counterexample: an execution path that demonstrates violation of the property φ by model M AG p: s0s1…sn with ! p(sn) AF p: s0s1…sns0 with ! p(si) for 0<=i<=n

4 until si+1 equals to some sj with 0<=j<=i
Witness Computation The fixpoint formulation for EG p: nu Z. p ∧ EXZ (greatest fixpoint) Z0(v) = True Zk(v) = p(v) ∧ Ǝv' [ R(v, v') ∧ Zk-1(v)], for all k>0 Stop when Zk = Zk−1 Fact: Z0>=Z1>=…>= Zk−1 =Zk If S0 cap Zk = \emptyset, then not hold Else, select one initial state s0 from Zk For each i>=0, choose si+1 such that si+1 in Zk and R(si,si+1) until si+1 equals to some sj with 0<=j<=i

5 Bounded model checking
Given: A kripke structure M, an LTL property φ, and an integer bound k. Question: Is there an execution of M of length at most k that violates φ? We can write this: M |=k φ.

6 Semantics of LTL

7 Bounded semantics of LTL without a Loop
K is bound i is the current position Pi is a path without any loops

8 Bounded semantics of LTL with (k,l)-loop
pi= s0s1s2…slsl+1….skslsl+1…sk…

9 Bounded model checking
Simple idea: “Unroll” description, use SAT/SMT to find a property violation. State description: I(s) – initial state R(s,t) – t is a successor of s P(s) – property of all states k-step violation of the property would satisfy: G p: I(s0)R(s0,s1)R(s1,s2)...R(sk-1,sk)P(sk) F p: I(s0)R(s0,s1)R(s1,s2)...R(sk-1,sk) P(s0) …,  P(sk) R(sk,s0)\/…\/R(sk,sk) Use SAT to check this for k = 0, 1, ... until it gets too big G p

10 Example A three bit shift register: should be empty (all bits set to zero) after three consecutive shifts (F x= 0). R(x,x’)= (x’[0] = x[1])∧(x’[1] = x[2])∧(x’[2] = 1) k=2: I(x0)R(x0,x1)R(x1,x2), I(x0)= True R(x0,x1): R(x1,x2): R(x2,xi): (loop) Check G x!= 0 xi!=0 xi[0]=1 or xi[1]=1 or xi[2]=1 This formula is satisfiable iff there is a counterexample of length 2 for the original formula F(x = 0). In our example we find a satisfying assignment for (1) by setting xi[ j] := 1 for all i, j = 0,1,2.

11 Bounded LTL model checking
Unfolding the Transition Relation Translation of an LTL Formula without a Loop

12 Bounded LTL model checking
Translation of an LTL Formula for a (k,l)-loop

13 Bounded LTL model checking
Loop Condition General Translation

14 Verification with BMC

15 Verification with BMC Bounded model checking is a good way to search for counterexamples (up to some depth). How does one know that the k value is good enough? k=0,1,2,3,4,5,6…. If we find no bugs with k but increase the bound to k + 1, we might find a bug.

16 Verification with BMC For proving “always properties”
Define “depth” of a state as the length of the shortest path from a start state to the state. Searching all k up to the maximum-depth state is sufficient to prove property P. If there are |V| Boolean state variables, there is a bound of 2|V| on this path length. The maximum depth is usually much less than this. This is impractically large in most cases. It’s not helpful for infinite-state systems (e.g., unbounded integers).

17 Liveness properties Reminder: Properties like “eventually P” are liveness properties. They don’t have finite-length counterexamples. But, for finite-state systems, there is a counterexample that is a single infinite path with a loop. The following says that there exists a loop where P is always false (a violation of “AF P”) I(s0)N(s0,s1)...N(si,si+1)P(si+1)...P(sk-1) N(sk-1,si)P(si)

18 Boundedness Trivial: the bound is |M|
But it is still too larger in practice Diameter: the longest shortest path between two nodes resp. states, i.e., maximum distance If a bad state is reachable, then it is reachable in a shortest path from an initial state, <=diameter Computing diameters directly is quite hard, as hard as model checking (QBF) Reoccurrence diameter: the length of the longest simple path in, >= diameter simple path:  a path which contains no repeated

19 Example A fully connected graph with n nodes Diameter ?
Reoccurrence diameter ? 1, 7

20 Complexity of BMC Original translation O(k|M|+k2|φ|)
Automata based translation (Buchi Automata) O(k|M|2|φ|) Fixpoint based translation O(k|M|+|φ|) Diameter: exponential of the number of variables SAT solver is also exponential time BMC is doubly-exponential time But: LTL model checking is singly-exponential time 1, 7

21 Fixpoint based translation
loop selector variables l0,…,lk At most one is true 1, 7

22 Fixpoint based translation
1, 7

23 SAT-based MC vs. BDD-based MC
LTL and ACTL Do not canonical form Shortest counterexample Efficient SAT solvers exist Diameter is small in many cases BDD CTL and mu-calculus Canonical representation Variable ordering sensitive Often tool larger Cannot handle more than a couple of hundred latches 1, 7

Download ppt "Symbolic model checking with SAT/SMT"

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,

SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Similar presentations

Ads by Google