Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.

Published byAllen Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software."— Presentation transcript:

1 Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software Laboratory KAIST

2 Contents Introduction First glance at Bounded Model Checking –Bounded Model Checking – Safety –Bounded Model Checking – Liveness Linear Temporal Logic Semantics in BMC Translation LTL into Propositional Formula Determining the Bound Further Study Bounded Model Checking - Daniel Choi@pswlab, KAIST2/30

3 Introduction(1/3) Model Checking without SAT-Solver –Symbolic model checking Binary Decision Diagrams(BDDs) are often become too large Selecting right variable ordering is very important for obtaining small BDDs –Often time consuming or needs manual intervention –Sometimes, no space efficient variable ordering exists –Explicit model checking Generate states explicitly State explosion problem Bounded Model Checking - Daniel Choi@pswlab, KAIST3/30

4 Bad ordering Variable ordering of BDDs –BDD of (a 1 ∧ b 1 ) ∨ (a 2 ∧ b 2 ) Good ordering Introduction(2/3) Bounded Model Checking - Daniel Choi@pswlab, KAIST4/30 a1a1 a2a2 a2a2 b1b1 b1b1 b2b2 01 a1a1 a2a2 b1b1 b2b2 01

5 Introduction(3/3) Model Checking with SAT-solver –SAT procedures also operate on Boolean formulas –Does not suffer from the potential space explosion of BDDs –Very efficient implementations exist e.g. MiniSAT, zChaff, … Bounded Model Checking - Daniel Choi@pswlab, KAIST5/30

6 First Glance at BMC Bounded Model Checking - Daniel Choi@pswlab, KAIST6/30 Given a property p : ( e.g. “ signal_a = signal_b”) Is there a state reachable in k cycles, which satisfies  p ?... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p Counter example Trace

7 Bounded Model Checking - Safety Bounded Model Checking - Daniel Choi@pswlab, KAIST7/30 The reachable states in k steps are captured by: The property p fails in one of the k steps

8 Bounded Model Checking - Safety Bounded Model Checking - Daniel Choi@pswlab, KAIST8/30 The safety property p is valid up to step k iff  k  is unsatisfiable:... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p

9 Bounded Model Checking - Safety Bounded Model Checking - Daniel Choi@pswlab, KAIST9/30 Example: a two bit counter Property: G (  l   r ). 00 01 10 11 For k = 2,  k  is unsatisfiable. For k = 3  k  is satisfiable Initial state:I :  l ^  r Transition:R : l ’ = ( l  r ) ^ r ’ =  r

10 Bounded Model Checking - Liveness Bounded Model Checking - Daniel Choi@pswlab, KAIST10/30 There is no counterexample of length k to the Liveness property F p iff  k  is unsatisfiable: Loop Constraint... s0s0 s1s1 s2s2 s k-1 sksk :p:p :p:p pp :p:p :p:p =

11 LTL Semantics in BMC – Key Idea Consider only a finite prefix of a path (bounded by k) and look for possible counterexample Finite prefix may represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states. If no back loop, can’t say anything about infinite behavior Bounded Model Checking - Daniel Choi@pswlab, KAIST11/30... s0s0 s1s1 s2s2 s k-1 sksk :p:p :p:p pp :p:p :p:p = ???

12 LTL Semantics in BMC Definition 1 : A Kripke structure is a tuple M = (S,I,T,L) with a finite set of states S, the set of initial states I  S, a transition relation between states T  S X S and the labeling of the states L: S  P(A) with atomic propositions A Boolean encoding of state ( vector of state variables ) Each state has a successor state  (s 0,s 1,,…)  (i) = s i and  i = (s i,s i+1,…) Bounded Model Checking - Daniel Choi@pswlab, KAIST12/30 s0s0 s1s1 s2s2 s k-1 sksk...

13 LTL Semantics Definition 2 (Semantics of LTL) : Let M be a Kripke structure,  be a path in M and f be an LTL formula. Then  ⊨ f ( f is valid along p) is defined as Bounded Model Checking - Daniel Choi@pswlab, KAIST13/30

14 LTL Semantics in BMC Definition 3 (Validity): –An LTL formula f is universally valid in a Kripke structure M ( in symbols M ⊨ Af ) iff  ⊨ f for all paths  in M with  (0)  I. –An LTL formula f is existentially valid in a Kripke structure M ( in symbols M ⊨ Ef ) iff there exists a path  in M with  ⊨ f and  (0)  I We consider existential model checking problem –Searching for a counterexample for existential model checking problem Bounded Model Checking - Daniel Choi@pswlab, KAIST14/30

15 LTL Semantics in BMC However, we are considering bounded sequence … Definition 4 : For l  k we call a path  a (k,l)-loop if  (k)   (l) and  =u.v  with u = (  (0),….,  (l-1)) and v=(  (l),..,  (k)). We call  simply a k-loop if there is an l  N with l Mk for which  is a (k,l)-loop Bounded Model Checking - Daniel Choi@pswlab, KAIST15/30

16 LTL Semantics in BMC Definition 5 (Bounded Semantics for a Loop). Let k ∈ N and π be a k-loop. Then an LTL formula f is valid along the path π with bound k (π ⊨ k f) iff π ⊨ f. Bounded Model Checking - Daniel Choi@pswlab, KAIST16/30

17 LTL Semantics in BMC Definition 6 (Bounded Semantics without a Loop). Let k ∈ N and let ∈ be a path that is not a k-loop. Then an LTL formula f is valid along the path π with bound k (π ⊨ k f ) iff π ⊨ 0 k f where Bounded Model Checking - Daniel Choi@pswlab, KAIST17/30

18 LTL Semantics in BMC Lemma 7 : Let h be an LTL formula and  be a path and  ⊨ k h   ⊨ h Lemma 8 : Let f be an LTL formula and M a Kripke structure. If M ⊨ Ef then there exists k ∈ N with M ⊨ k Ef Theorem 9 : Let f be an LTL formula, M a Kripke structure. Then M |= Ef iff there exists k ∈ N with M ⊨ k Ef Bounded Model Checking - Daniel Choi@pswlab, KAIST18/30

19 Translation LTL into Propositional Formula Given a Kripke structure M, LTL formula f, bound k –We need to construct a Propositional Formula [[ M,f ]] k which represents the constraints on s 0,….,s k such that [[ M,f ]] k is satisfiable iff f is valid along p –The size of [[ M,f ]] k is polynomial in the size of f –The size of [[ M,f ]] k is quadratic in k –The size of [[ M,f ]] k is linear in the size of the propositional formulas for R, I and the p ∈ A. Bounded Model Checking - Daniel Choi@pswlab, KAIST19/30

20 Translation LTL into Propositional Formula Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N, [[ M ]] k = I(s 0 )    T (s i, s i+1 ) Bounded Model Checking - Daniel Choi@pswlab, KAIST20/30 i=0 k-1

21 Example – 3bit shift register 3-bit misbehaving shift register (x[0],x[1],x[2]) T(x, x’): (x’[0]=x[1])  (x’[1]=x[2])  (x’[2]=1) “Eventually register will be empty” : AF( x=0 ) –AF( x=0 )  ¬EG( x != 0 ) Restrict search to path having k+1 states (k=2) Bounded Model Checking - Daniel Choi@pswlab, KAIST21/30 x 1 [0] x 1 [1] x 1 [2] x 0 [0] x 0 [1] x 0 [2] x0x0 x1x1 x2x2 x 2 [0] x 2 [1] x 2 [2]

22 Example – 3bit shift register f m = I(x 0 )  T(x 0,x 1 )  T(x 1,x 2 ) T(x 0,x 1 ) = T(x 1,x 2 ) = Property : ¬EG( x != 0 ) Bounded Model Checking - Daniel Choi@pswlab, KAIST22/30 (x 1 [0]  x 0 [1])  x 1 [1]  x 0 [2])  x 1 [2]=1) (x 2 [0]  x 1 [1])  x 2 [1]  x 1 [2])  x 2 [2]=1) x 1 [0] x 1 [1] x 1 [2] x 0 [0] x 0 [1] x 0 [2] x0x0 x1x1 x2x2 x 2 [0] x 2 [1] x 2 [2] L0L0 L1L1 L2L2 “Any path with three states that is a witness for G(x != 0 ) must contain a loop”

23 Translation LTL into Propositional Formula Bounded Model Checking - Daniel Choi@pswlab, KAIST23/30 Definition 10 ( Unfolding the Transition Relation ) For a Kripke structure M, k ∈ N, [[ M ]] k = I(s 0 )    T (s i, s i+1 ) In 3-bit shifter example, –f m = I(x 0 )  T(x 0,x 1 )  T(x 1,x 2 ) –I(x 0 ) = (x 0 [0]  0)  x 0 [1]  0)  x 0 [2]=0) (arbitrary) –T(x 0,x 1 ) = (x 1 [0]  x 0 [1])  x 1 [1]  x 0 [2])  x 1 [2]=1) –T(x 1,x 2 ) = (x 2 [0]  x 1 [1])  x 2 [1]  x 1 [2])  x 2 [2]=1) Constraint formula –(x i != 0 ) : ( x i [0] = 1) V ( x i [1] = 1 ) V ( x i [2] = 1 ) i=0 k-1

24 Translation LTL into Propositional Formula Depending on whether a path is a k-loop or not, two different translations exist for temporal formula f Translation if path not a k-loop : [[. ]] i k Translation if path is a k-loop : l [[. ]] i k Definition 12(Successor in a Loop) : Let k,l,i ∈ N, with l,i  k. Define the successor succ(i) in a (k,l)-loop as succ(i) = i+1 for i < k and succ(i) = l for i = k Bounded Model Checking - Daniel Choi@pswlab, KAIST24/30

25 Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula f and k, i ∈ N with i  k Bounded Model Checking - Daniel Choi@pswlab, KAIST25/30 Translation LTL into Propositional Formula

26 Definition 13 (Translation of an LTL formula for a Loop): Let f be an LTL formula, k,l,i e N with l,i  k Bounded Model Checking - Daniel Choi@pswlab, KAIST26/30

27 Translation LTL into Propositional Formula Definition 14 ( Loop Condition) : For k,l ∈ N, let l L k = T(s k, s l ), L k = V l=0 k L k Definition 15 ( General Translation ) : Let f be an LTL formula, M a Kripke structure and k ∈ N Theorem 16 :[[ M,f ]] k is satisfiable iff M ⊨ k Ef Corollary 17 : M ⊨ A ¬f iff [[ M,f ]] k is unsatisfiable for all k ∈ N Bounded Model Checking - Daniel Choi@pswlab, KAIST27/30 without loopwith loop

28 Determining the Bound Bounded Model Checking - Daniel Choi@pswlab, KAIST28/30

29 Further Study CBMC –Making the Most of BMC Counterexamples by Alex Groce, Daniel Koening. In BMC 2004 This paper introduces counterexample minimization Bounded Model Checking - Daniel Choi@pswlab, KAIST29/30

30 Reference Bounded and Unbounded Model Checking using SAT (Invited talk) By E. Clarke. In Satisfiability Solvers and Pr ogram Verification 2006. Symbolic Model Checking without BDDs By A. Biere, A. Cimatti, E. Clarke, Y. Zhu. In TACAS’99 Bounded Model Checking - Daniel Choi@pswlab, KAIST30/30

Download ppt "Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software."

Similar presentations

SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,

SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Similar presentations

Ads by Google