# Symbolic Model Checking without BDDs

##### Presentation Transcript

1. Symbolic Model Checking without BDDs • Armin Biere, Alessandro Cimatti, Edmund Clarke, Yunshan Zhu • Presented by Manikantan & Prakash Prabhu

2. Outline • Introduction • Example • Semantics • Translation • Determining the bound • Experimental results & conclusion

3. Introduction • Model checking (MC): automatic; the specification is a temporal-logic formula, the system is an FSM (how many states?) • Symbolic MC with BDDs: BDD size blow-up, and the right variable ordering is needed • Propositional decision procedures (SAT): work on Boolean expressions, not on canonical forms • No potential space explosion from the representation (unlike BDDs) • Davis/Putnam procedure (the implementation used)

4. Introduction • Bounded Model Checking (BMC) • Based on SAT: a counterexample of length k exists iff the constructed propositional formula is satisfiable • BMC for LTL is reduced to SAT in polynomial time • BMC advantages • Counterexamples are found fast and have minimal length • Less space, no manual variable ordering (vs. BDDs)

5. Example • 3-bit shift register (x[0], x[1], x[2]) • T(x, x'): (x'[0] = x[1]) ∧ (x'[1] = x[2]) ∧ (x'[2] = 1); note that the top bit is refilled with 1, so the register can never drain to 000 • "Eventually the register will be empty": AF(x = 0) • AF(x = 0) ≡ ¬EG(x ≠ 0) • Restrict the search to paths with k+1 states (k = 2) • [Figure: states x0, x1, x2 with back-loops L0, L1, L2 from x2]

6. Example • fm = I(x0) ∧ T(x0, x1) ∧ T(x1, x2) • T(x0, x1) = (x1[0] = x0[1]) ∧ (x1[1] = x0[2]) ∧ (x1[2] = 1) • T(x1, x2) = (x2[0] = x1[1]) ∧ (x2[1] = x1[2]) ∧ (x2[2] = 1) • "Any path with three states that is a witness for G(x ≠ 0) must contain a loop": add L_i = T(x2, x_i) for i = 0, 1, 2 • Constraint imposed by the formula at every state (S_i defined as x_i ≠ 0): (x_i[0] = 1) ∨ (x_i[1] = 1) ∨ (x_i[2] = 1) • Final propositional formula: fm ∧ (L_0 ∨ L_1 ∨ L_2) ∧ (S_0 ∧ S_1 ∧ S_2) • A satisfying assignment is a counterexample of length 2

7. Semantics • ACTL*: the CTL* formulas in negative normal form (NNF) that contain only the path quantifier A • ECTL*: likewise, with only E • Only the X, F, G, U operators are considered • LTL: no path quantifiers are allowed • The paper concentrates on LTL model checking (BMC for LTL can be extended to handle ACTL* and ECTL*)

8. Semantics • Definition 1: A Kripke structure is a tuple M = (S, I, T, L) with a finite set of states S, the set of initial states I ⊆ S, a transition relation between states T ⊆ S × S, and the labeling of the states L: S → P(A) with atomic propositions A • Boolean encoding of states (a vector of state variables) • Each state has a successor state (T is total) • A path is p = (s0, s1, ...); p(i) = s_i and p^i = (s_i, s_{i+1}, ...) is the suffix starting at i

9. Semantics • Definition 2 (Semantics): Let M be a Kripke structure, p a path in M and f an LTL formula. Then p |= f (f is valid along p) is defined as:

10. Semantics – Validity • Definition 3: An LTL formula f is universally valid in a Kripke structure M (in symbols M |= Af) iff p |= f for all paths p in M with p(0) ∈ I. An LTL formula f is existentially valid in a Kripke structure M (in symbols M |= Ef) iff there exists a path p in M with p |= f and p(0) ∈ I • The paper considers the existential model checking problem: a witness for Ef is a counterexample for A¬f

11. Semantics – Basic Idea of BMC • Consider only a finite prefix of a path (bounded by k) and look for a possible counterexample • A finite prefix may represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states • If there is no back loop, nothing can be said about the infinite behaviour • Example: Gp – even if p holds from s0 to sk, nothing can be concluded if there is no back loop from sk to one of s0, ..., sk

12. Semantics • Definition 4: For l ≤ k we call a path p a (k,l)-loop if (p(k), p(l)) ∈ T (written p(k) → p(l)) and p = u·v^ω with u = (p(0), ..., p(l-1)) and v = (p(l), ..., p(k)). We call p simply a k-loop if there is an l ∈ ℕ with l ≤ k for which p is a (k,l)-loop

13. Semantics • Definition 5 (Bounded Semantics for a Loop): Let k ∈ ℕ and p be a k-loop. Then an LTL formula f is valid along the path p with bound k (in symbols p |=_k f) iff p |= f • Definition 6 (Bounded Semantics without a Loop): Let k ∈ ℕ and p be a path that is not a k-loop. Then an LTL formula f is valid along the path p with bound k (in symbols p |=_k f) iff p |=^0_k f, where:

14. Semantics

15. Semantics • Lemma 7: Let h be an LTL formula and p a path. Then p |=_k h implies p |= h • Lemma 8: Let f be an LTL formula and M a Kripke structure. If M |= Ef then there exists k ∈ ℕ with M |=_k Ef • Theorem 9: Let f be an LTL formula and M a Kripke structure. Then M |= Ef iff there exists k ∈ ℕ with M |=_k Ef

16. Translation • Given a Kripke structure M, an LTL formula f and a bound k: • Construct a propositional formula [[M, f]]_k that represents the constraints on s0, ..., sk (variables denoting a finite sequence of states on a path p) such that [[M, f]]_k is satisfiable iff there is a path p of M with p |=_k f • Size: polynomial in |f|, quadratic in k, linear in the size of the propositional representations of T, I and of p ∈ A • Definition 10 (Unfolding the Transition Relation): For a Kripke structure M and k ∈ ℕ, [[M]]_k := I(s0) ∧ ∧_{i=0}^{k-1} T(s_i, s_{i+1})

17. Translation • Depending on whether the path is a k-loop or not, there are two different translations of the temporal formula f • Translation if the path is not a k-loop: [[·]]^i_k • Translation if the path is a k-loop: _l[[·]]^i_k • Example: h = p U q on a path that is not a k-loop

18. Translation • Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula f and k, i ∈ ℕ with i ≤ k: • Definition 12 (Successor in a Loop): Let k, l, i ∈ ℕ with l, i ≤ k. Define the successor succ(i) of i in a (k,l)-loop as succ(i) := i+1 for i < k and succ(i) := l for i = k

19. Translation • Definition 13 (Translation of an LTL formula for a Loop): Let f be an LTL formula and k, l, i ∈ ℕ with l, i ≤ k:

20. Translation • Definition 14 (Loop Condition): For k, l ∈ ℕ, let _lL_k := T(s_k, s_l) and L_k := ∨_{l=0}^{k} _lL_k • Definition 15 (General Translation): Let f be an LTL formula, M a Kripke structure and k ∈ ℕ • Theorem 16: [[M, f]]_k is satisfiable iff M |=_k Ef • Corollary 17: M |= A¬f iff [[M, f]]_k is unsatisfiable for all k ∈ ℕ

21. Determining the Bound • To check whether M |= Ef, the procedure checks M |=_k Ef for k = 0, 1, 2, ... • If M |=_k Ef, the procedure has proved M |= Ef and produces a witness of length k • If M ⊭ Ef, the value of k has to be incremented indefinitely and the procedure does not terminate (unless an upper bound on k is known)
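The translation of slides 6 and 16–20 and the iterative procedure of slide 21, worked through on the 3-bit shift register as an added example in Python. This is not code from the paper or from the authors' BMC tool: the SAT solver is replaced by brute-force enumeration of all assignments to x_0..x_k (an assumption that only works for tiny bounds), the initial-state predicate `initial_any` (I(x) = true) is assumed because the slides do not specify I, and `initial_single_one` (x_0 = 100) is a constructed alternative that forces the bound to grow before a (k,l)-loop witness for G(x ≠ 0) appears.

```python
"""Bounded model checking of the 3-bit shift register from the slides.

The SAT solver is replaced by brute-force enumeration of every assignment
to the state variables x_0 .. x_k, adequate only for a handful of bits."""
from itertools import product

N_BITS = 3


def transition(x, xn):
    """T(x, x') := (x'[0] = x[1]) and (x'[1] = x[2]) and (x'[2] = 1).

    The register from slide 5: bits shift towards index 0 and the top bit is
    refilled with 1, so the register can never drain to 000."""
    return xn[0] == x[1] and xn[1] == x[2] and xn[2] == 1


def initial_any(x):
    """I(x) := true, every state is initial (an assumption of this example)."""
    return True


def initial_single_one(x):
    """I(x) := (x = 100), a constructed alternative initial-state predicate."""
    return x == (1, 0, 0)


def nonzero(x):
    """S_i from slide 6, x_i != 0: (x_i[0] = 1) or (x_i[1] = 1) or (x_i[2] = 1)."""
    return any(x)


def bmc_formula(states, initial):
    """Evaluate [[M, G(x != 0)]]_k under one assignment of x_0 .. x_k.

    fm  := I(x_0) and T(x_0, x_1) and ... and T(x_{k-1}, x_k)   (Definition 10)
    L_l := T(x_k, x_l)                                          (Definition 14)
    S_i := x_i != 0
    formula := fm and (L_0 or ... or L_k) and (S_0 and ... and S_k)

    For G the no-loop translation is false, so only the loop case remains.
    Returns the smallest l for which L_l holds, or None if the assignment
    is not a model of the formula."""
    k = len(states) - 1
    fm = initial(states[0]) and all(
        transition(states[i], states[i + 1]) for i in range(k))
    if not fm or not all(nonzero(x) for x in states):
        return None
    for l in range(k + 1):
        if transition(states[k], states[l]):
            return l
    return None


def bmc_witness(k, initial):
    """Search all 2^(3(k+1)) assignments for a model of [[M, G(x != 0)]]_k.

    Returns (states, l): a (k, l)-loop x_0 .. x_k -> x_l along which x != 0
    holds everywhere, i.e. a counterexample to AF(x = 0); or None."""
    for bits in product((0, 1), repeat=N_BITS * (k + 1)):
        states = tuple(bits[i:i + N_BITS] for i in range(0, len(bits), N_BITS))
        l = bmc_formula(states, initial)
        if l is not None:
            return states, l
    return None


def find_bound(initial, max_k=8):
    """The procedure of slide 21: try k = 0, 1, 2, ... until a witness appears.

    Returns (k, states, l). Without a known upper bound the loop would never
    terminate when no witness exists, so it gives up (None) past max_k."""
    for k in range(max_k + 1):
        found = bmc_witness(k, initial)
        if found is not None:
            states, l = found
            return k, states, l
    return None


def is_k_loop(states, l):
    """Independent check of Definition 4: x_0 .. x_k with x_k -> x_l is a (k,l)-loop."""
    k = len(states) - 1
    return (0 <= l <= k
            and all(transition(states[i], states[i + 1]) for i in range(k))
            and transition(states[k], states[l]))


if __name__ == "__main__":
    print("k=2, every state initial:", bmc_witness(2, initial_any))
    print("first k with a witness from 100:", find_bound(initial_single_one))
```

With every state initial, the k = 0 check already succeeds (the state 111 with its self-loop), which is why the slides fix k = 2 only for illustration. From x_0 = 100 the bounds k = 0, 1, 2 are all unsatisfiable and the first witness is the 4-state path 100, 001, 011, 111 with a self-loop at 111 (k = 3, l = 3); at larger k the same cyclic witness would be found again, and for a property with no witness the loop in `find_bound` only stops because of `max_k`.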

22. Determining the Bound – ECTL • ECTL ⊂ ECTL*: each temporal operator is preceded by one E • Theorem 18: Given an ECTL formula f and a Kripke structure M, let |M| be the number of states in M; then M |= Ef iff there exists k ≤ |M| with M |=_k Ef • Definition 19 (Diameter): Given a Kripke structure M, the diameter of M is the minimal number d ∈ ℕ with the following property: for every sequence of states s0, ..., s_{d+1} with (s_i, s_{i+1}) ∈ T for i ≤ d, there exists a sequence of states t0, ..., t_l with l ≤ d such that t0 = s0, t_l = s_{d+1} and (t_j, t_{j+1}) ∈ T for j < l. In other words, if a state v is reachable from a state u, then v is reachable from u via a path of length d or less.

23. Determining the Bound – ECTL • Theorem 20: Given an ECTL formula f := EFp and a Kripke structure M with diameter d, M |= EFp iff there exists k ≤ d with M |=_k EFp • Theorem 21: Given a Kripke structure M, its diameter d is the minimal number that satisfies the following formula:

24. Determining the Bound – ECTL • Definition 22 (Recurrence Diameter): Given a Kripke structure M, its recurrence diameter is the minimal number d ∈ ℕ with the following property: for every sequence of states s0, ..., s_{d+1} with (s_i, s_{i+1}) ∈ T for i ≤ d, there exists j ≤ d such that s_{d+1} = s_j • Theorem 23: Given an ECTL formula f and a Kripke structure M with recurrence diameter d, M |= Ef iff there exists k ≤ d with M |=_k Ef

25. Determining the Bound – ECTL • Theorem 24: Given any Kripke structure M, its recurrence diameter d is the minimal number that satisfies the following formula:
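Definitions 19 and 22 made concrete as an added Python example, computed on the 8-state graph of the shift register from slide 5 and on a constructed 3-state clique. This is not the paper's method: the slides characterise both numbers by propositional formulas (Theorems 21 and 24), whereas the code below walks the explicit state graph with BFS and DFS, which is only feasible for tiny models. The adjacency maps `SHIFT_REGISTER` and `CLIQUE3` are constructed here.

```python
"""Diameter and recurrence diameter of a Kripke structure by explicit search.

Definition 19 (diameter): the longest shortest path between reachable pairs.
Definition 22 (recurrence diameter): the longest loop-free path."""
from collections import deque
from itertools import product


def shift_successor(x):
    """The register's only successor under T(x, x'): x' = (x[1], x[2], 1)."""
    return (x[1], x[2], 1)


# T as an adjacency map over all 2^3 states of the slide-5 register.
# The register is deterministic, so every state has exactly one successor.
SHIFT_REGISTER = {x: [shift_successor(x)] for x in product((0, 1), repeat=3)}

# Constructed 3-state clique: every state reaches every other in one step,
# so the diameter is small while loop-free paths can still visit all states.
CLIQUE3 = {s: [t for t in "abc" if t != s] for s in "abc"}


def diameter(edges):
    """Definition 19: the smallest d such that whenever v is reachable from u,
    it is reachable by a path of at most d transitions, i.e. the largest
    shortest-path distance over all reachable pairs (BFS from every u)."""
    d = 0
    for u in edges:
        dist = {u: 0}
        queue = deque([u])
        while queue:
            s = queue.popleft()
            for t in edges[s]:
                if t not in dist:
                    dist[t] = dist[s] + 1
                    queue.append(t)
        d = max(d, max(dist.values()))
    return d


def recurrence_diameter(edges):
    """Definition 22: the smallest d such that every path of d + 1 transitions
    revisits a state, i.e. the number of transitions on the longest loop-free
    path. Exhaustive DFS: exponential in general, fine for a few states."""
    longest = 0

    def extend(s, visited, length):
        nonlocal longest
        longest = max(longest, length)
        for t in edges[s]:
            if t not in visited:
                extend(t, visited | {t}, length + 1)

    for u in edges:
        extend(u, {u}, 0)
    return longest


if __name__ == "__main__":
    print("shift register: diameter =", diameter(SHIFT_REGISTER),
          "recurrence diameter =", recurrence_diameter(SHIFT_REGISTER))
    print("3-clique: diameter =", diameter(CLIQUE3),
          "recurrence diameter =", recurrence_diameter(CLIQUE3))
```

For the shift register both numbers are 3 (000 → 001 → 011 → 111 is both the longest shortest path and the longest loop-free path), so by Theorem 23 any ECTL witness exists at some k ≤ 3. The clique shows the two bounds drifting apart: its diameter is 1 but its recurrence diameter is 2, and in larger strongly connected graphs the recurrence diameter can be exponentially larger than the diameter, which is why the slides give the tighter Theorem 20 for EFp and the conclusion calls for better techniques to determine the diameter.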

26. Determining the Bound – LTL • LTL model checking is known to be PSPACE-complete • Bounded LTL model checking (for a fixed bound k) can be reduced to propositional satisfiability and is therefore in NP • Theorem 25: Given an LTL formula f and a Kripke structure M, let |M| be the number of states in M; then M |= Ef iff there exists k ≤ |M| × 2^|f| with M |=_k Ef

27. Determining the Bound – LTL • Definition 26 (Loop Diameter): We say a Kripke structure M is lasso-shaped if every path p starting from an initial state is of the form u_p v_p^ω, where u_p and v_p are finite sequences of length less than or equal to u and v, respectively. We define the loop diameter of M as (u, v) • Theorem 27: Given an LTL formula f and a lasso-shaped Kripke structure M with loop diameter (u, v), M |= Ef iff there exists k ≤ u + v with M |=_k Ef

28. Experimental Results • BMC: a model checker based on bounded model checking • Its input language is a subset of the SMV language • It takes a circuit description, a property to be proven, and a user-supplied time bound k • It then generates the propositional formula • The propositional formula can be solved with SAT tools such as SATO

29. Experimental Results • Experiments on: • A sequential (shift-and-add) multiplier • A barrel shifter • An asynchronous circuit for distributed mutual exclusion • For buggy designs (e.g. those without fairness constraints while testing for liveness), counterexamples are obtained easily

30. Conclusion • BMC is a first step in applying SAT procedures to symbolic model checking • New techniques are needed to determine the diameter of a system • Recent work • http://www.inf.ethz.ch/personal/biere/papers/papers.html • http://sra.itc.it/people/cimatti/publist.html