Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Completeness and Complexity of Bounded Model Checking Ed Clarke Daniel Kroening Joel Ouaknine Carnegie Mellon University, Pittsburgh, USA Ofer Strichman.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Completeness and Complexity of Bounded Model Checking Ed Clarke Daniel Kroening Joel Ouaknine Carnegie Mellon University, Pittsburgh, USA Ofer Strichman."— Presentation transcript:

1 1 Completeness and Complexity of Bounded Model Checking Ed Clarke Daniel Kroening Joel Ouaknine Carnegie Mellon University, Pittsburgh, USA Ofer Strichman Technion, Haifa, Israel

2 2 Overview  Bounded Model Checking of LTL: the (traditional) syntactic translation scheme  The semantic translation scheme  The Completeness Threshold problem  A solution to the Completeness Threshold problem  The complexity of Bounded Model Checking (2exp)  The complexity gap and how it can be closed

3 3 Bounded Model Checking ( Biere, Cimatti, Clarke, Zhu, 1999 )  Model checking: is M a model of  (M ²  )?  Bounded Model Checking (BMC): is there a counterexample to M ²  up to a given depth k ?  BMC is widely accepted as a complementary to Model- Checking.

4 4 Bounded Model Checking ( Biere, Cimatti, Clarke, Zhu, 1999 )  BMC can be performed with SAT (no need to detect fixpoints).  SAT formulation of BMC: Keep k copies of each variable Check if [ M ] k Æ [ :  ] k is satisfiable, where: [ M ] k represents all traces of M up to length k [ :  ] k represents all traces of length up to k that satisfy :  [ :  ] k = (… formulation in next few slides)

5 5 Generating [  ] k is based on expansion formulas for LTL (Manna & Pnueli): BMC (syntactic) translation ( Biere, Cimatti, Clarke, Zhu, 1999 )

6 6 The no-loop case (finite traces) Expansion rule BMC translation Base case: k

7 7 BMC (syntactic) translation ( Biere, Cimatti, Clarke, Zhu, 1999 ) The loop case (infinite traces) Expansion rule BMC translation Base case: l s( i ) = i + 1 if i < k, and l otherwise k =

8 8 LTL model checking (Vardi-Wolper)  Given M, , construct a Buchi automaton B   LTL model checking: is  : M £ B   empty?  Emptiness checking: is there a path to a loop with an accepting state ? s0s0

9 9  “Unroll”  k times  Find a witness to Gtrue with the fairness constraint s0s0 A semantic BMC translation (Based on Vardi-Wolper) (Was mentioned by [De-Moura, Rushby, Sorea, 2002] in the context of infinite systems)

10 10 Advantages of the semantic translation Syntactic TranslationSemantic Translation Size of formula O( k ¢ | M | + k 2 ¢ |  |)O ( k ¢ | M | + k ¢ |  |) Optimizations w.r.t. LTL formulas NoneEfficient Buchi construction from LTL Computing CTOnly for Gp and FpFull LTL

11 11 Advantages of the semantic translation Syntactic TranslationSemantic Translation Size of formula O( k ¢ | M | + k 2 ¢ |  |)O ( k ¢ | M | + k ¢ |  |) Optimizations w.r.t. LTL formulas NoneEfficient Buchi construction from LTL Computing CTOnly for Gp and FpFull LTL

12 12 The no-loop case (finite traces) For i  k: For i > k: BMC syntactic translation (Biere, Cimatti, Clarke, Zhu, 1999)

13 13 Bounded Model Checking k = 0 BMC(M, ,k) yes k++ k ¸ ?k ¸ ? no

14 14 How big should k be?  For every model M and LTL property  there exists k s.t.  We call the minimal such k the Completeness Threshold ( CT )  Clearly if M ²  then CT = 0  Conclusion: computing CT is at least as hard as model checking

15 15 The Completeness Threshold  Computing CT is as hard as model checking  The value of CT depends on the model M, the property  and the translation scheme.  Strategy: find over-approximations to CT based on graph theoretic properties of M

16 16  Diameter d(M) = longest shortest path between any two reachable states.  Recurrence Diameter rd(M) = longest loop-free path between any two reachable states. d(M) = 2 rd(M) = 3  Initialized Diameter d I (M)  Initialized Recurrence Diameter rd I (M) Basic notions…

17 17 The Completeness Threshold  Theorem: for Gp properties CT = d I (M) ( Biere, Cimatti, Clarke, Zhu, 1999 ) s0s0 pp Arbitrary path  Theorem: for Fp properties CT= rd I (M)+1 (Kroening, Strichman, 2003) s0s0 pp pp pp pp pp  Theorem: for an LTL property  CT = ?

18 18 Advantages of the semantic translation Syntactic TranslationSemantic Translation Size of formula O( k ¢ | M | + k 2 ¢ |  |)O ( k ¢ | M | + k ¢ |  |) Optimizations w.r.t. LTL formulas NoneEfficient Buchi construction from LTL Computing CTOnly for Gp and FpFull LTL

19 19 Completeness threshold for LTL  It cannot be longer than rd I (  )+1  It cannot be longer than d I (  ) + d(  )  Result: min(rd I (  )+1, d I (  ) + d(  )) s0s0

20 20 CT: examples d I (  ) + d(  ) = 6 rd I (  ) + 1= 4 d I (  ) + d(  ) = 2 rd I (  ) + 1= 4 s0s0 s0s0

21 21 Completeness Threshold for CTL  CTL is modular. It can be analyzed one temporal operator at a time. s0s0 p p EGEFp CT(EG) CT(EF)

22 22 Completeness Threshold for CTL A tight (?) bound on CT:

23 23 Computing CT (diameter)  Computing d(  ) symbolically with QBF: find minimal k s.t. for all i,j, if j is reachable from i, it is reachable in k or less steps. k-long path s 0 -- s k+1  Complexity: 2-exp k+1-long path s 0 -- s k+1

24 24 Computing CT (diameter)  Computing d(  ) explicitly: Generate the graph  Apply Floyd-Warshall (O|  | 3 ) to find shortest paths Find longest among all shortest paths  O(|  | 3 )  exp 3 in the size of the representation of   Why is there a complexity gap (2-exp Vs. exp 3 )? QBF tries in the worst case all paths between every two states. Unlike Floyd-Warshall, QBF does not use transitivity information like:

25 25 Computing CT (recurrence diameter)  Finding the longest loop-free path in a graph is NP- complete in the size of the graph.  The graph can be exponential in the number of variables.  Conclusion: in practice computing the recurrence diameter is 2-exp in the no. of variables.  Computing rd(y) symbolically with SAT. Find largest k that satisfies: With Sorting Networks: O(n log n)

26 26 Complexity of BMC CT · (min(rd I (  )+1, d I (  ) + d(  )))  The value of CT can be exponential in the # of state variables.  BMC SAT formula grows linearly with k Conclusion: standard SAT based BMC is worst-case 2-exp

27 27 The complexity GAP  SAT based BMC is 2-exp in the # state variables.  LTL model checking is 1-exp in the # state variables.  So why use BMC ? Finding bugs when k is small In many cases rd(y) and d(y) are not exponential and are even rather small. SAT, in practice, is very efficient.

28 28 Closing the complexity gap  Why is there a complexity gap ?  LTL-MC with 2-dfs : dfs1 dfs2  Every state is visited not more than twice

29 29 Closing the complexity gap  2-dfs Each state is visited not more than twice  SAT Each state can potentially be visited an exponential no. of times, because all paths are explored.

30 30 Closing the complexity gap (for G p)  Force a static order, following a forward traversal  Each time a state i is fully evaluated (assigned): Prevent the search from revisiting it through deeper paths (by adding conflict clauses) When backtracking from state i, prevent the search from revisiting it in step i If : p i holds stop and return “Counterexample found”

31 31 Work in progress  Challenges: Formally prove that the restricted version is 1-exp. Remove requirement of static order, and stay 1-exp. Extend to full LTL How to combine logic minimization and template clauses Implementation & experiments

32 32 Closing the complexity gap  Restricted SAT-BMC for LTL (/symbolic 2-dfs) Force a static order, following a forward traversal Each time a state i is fully evaluated (assigned): Prevent the search from revisiting it through deeper paths, e.g. If (x i Æ : y i ) is a visited state, then for i < j · CT add the following state clause: ( : x j Ç y j ). We denote this clause by Sc i j When backtracking, from state i, prevent the search from revisiting it in step i (add ( : x i Ç y i )). Let last-accepting[i] = index of the last accepting state · i If a conflict arises in step j due to a state-clause SC i j s.t. i · last-accepting[j-1] and SC i i is satisfied, Return (“counterexample found”)

33 33 Closing the complexity gap  Is ‘1-exp SAT’ better or worse than BMC ?  Bad news: We gave up the main power of SAT: dynamic splitting heuristics. We may generate an exponential no. of added constraints  Good news Single exp. instead of double exp. No need to compute CT. (Instead of pre-computing CT we can maintain a list of states and add their negation ‘when needed’).

34 34 Closing the complexity gap  Is restricted SAT better or worse than explicit LTL-MC ?  Not clear ! Unlike dfs, SAT has heuristics for progressing. SAT has pruning ability of sets of states

35 35 Comparing the algorithms… 2-dfs LTL MCRestricted-SAT BMC SAT - BMC TimeEXPEXP 2 2-EXP Memory*EXPEXP 2 EXP GuidanceNoneRestrictedFull PruningStatesSets of states * Assuming the SAT solver restricts the size of its added clauses

36 36 LTL-MC vs. restricted SAT BMC 2-dfs LTL MCRestricted-SAT BMC SAT - BMC TimeEXPEXP 2 2-EXP MemoryEXP P Shortest CE ‘from below’ Yes Requires CTNo Yes (2-EXP) GuidanceNoneRestrictedFull PruningStatesSets of states

37 37 LTL-MC vs. restricted SAT BMC 2-dfs LTL MCRestricted-SAT BMC SAT - BMC TimeEXPEXP 2 2-EXP MemoryEXP P Shortest CE ‘from below’ Yes Requires CTNo Yes (2-EXP) GuidanceNoneRestrictedFull PruningStatesSets of states

38 38 LTL-MC vs. restricted SAT BMC 2-dfs LTL MCRestricted-SAT BMC SAT - BMC TimeEXPEXP 2 2-EXP MemoryEXP P Shortest CE ‘from below’ Yes Requires CTNo Yes (2-EXP) GuidanceNoneRestrictedFull PruningStatesSets of states

39 39 lk The loop case (infinite traces) i+1 i < k li = k succ(i) = BMC syntactic translation (Biere, Cimatti, Clarke, Zhu, 1999)

40 40 A semantic translation (Based on the Vardi-Wolper algorithm)  Buchi automata B: h S,S 0, ,F,L i  Let inf(W) be the set of states visited infinite no. of times by a run W  B accepts W iff there exists f 2 F s.t. inf(W) Å f  ;

Download ppt "1 Completeness and Complexity of Bounded Model Checking Ed Clarke Daniel Kroening Joel Ouaknine Carnegie Mellon University, Pittsburgh, USA Ofer Strichman."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,

SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
CPSC 322, Lecture 9Slide 1 Search: Advanced Topics Computer Science cpsc322, Lecture 9 (Textbook Chpt 3.6) January, 23, 2009.

CPSC 322, Lecture 9Slide 1 Search: Advanced Topics Computer Science cpsc322, Lecture 9 (Textbook Chpt 3.6) January, 23, 2009.
Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Similar presentations

Ads by Google