Bounded Model Checking (PowerPoint presentation by Julien Schmaltz)


SLIDE 1

Bounded Model Checking

Julien Schmaltz

Institute for Computing and Information Sciences Radboud University Nijmegen The Netherlands julien@cs.ru.nl

April 15, 2009

  • J. Schmaltz

Bounded Model Checking

SLIDE 2

Agenda: coming lectures ...

√ Part I: Linear Time
√ Part II: Branching Time
√ Part III: Comparison
√ Part IV: Binary Decision Diagrams and Symbolic Model Checking
√ Part V: The SAL tool
Part VI: SAT and Bounded Model Checking
Part VII: k-induction, SMT, and disjunctive invariants

SLIDE 3

Agenda for today

Part I: SAT
Part II: BMC
  semantics
  translation to SAT
  completeness

SLIDE 4

Part I: Propositional SAT solvers

SLIDE 5

1 Principles
2 Backtracking, Resolution and DPLL
    Backtracking
    Resolution
    DPLL basic algorithm
    Summary

SLIDE 6

Principles: DPLL-style SAT solvers

(slides from McMillan's tutorial at CAV 2003)

DPLL = Davis-Putnam-Logemann-Loveland (early 60's)
CHAFF, GRASP, BERKMIN, ...
Objective: check satisfiability of a CNF formula
  literal: p or ¬p
  clause: disjunction of literals
  CNF: conjunction of clauses

Method
  Branch: make arbitrary decisions
  Propagate: build the implication graph
  Use conflicts to guide inference steps

SLIDE 7

The implication graph

Unit Propagation (UP) or Boolean Constraint Propagation (BCP)
Consider the CNF formula: (¬a ∨ b) ∧ (¬a ∨ c ∨ d)

[implication graph: decisions a and ¬c; a implies b through the first clause, and a together with ¬c implies d through the second clause]

Assignment: a ∧ b ∧ ¬c ∧ d

SLIDE 8

Resolution

    a ∨ ¬b ∨ c        ¬a ∨ ¬b ∨ d
    -------------------------------
              ¬b ∨ c ∨ d

Resolution is used to solve conflicts
The implication graph is used to guide resolution

SLIDE 9

Conflict clauses (1)

Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
[implication graph: decisions a and ¬c; b implied by the first clause, d implied by the second clause]

Implication of the decisions with the first 2 clauses: a ∧ b ∧ ¬c ∧ d, and then a conflict with the last clause

SLIDE 10

Conflict clauses (1)

Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
[implication graph: decisions a and ¬c; implied b and d; conflict on the last clause; resolvent ¬b ∨ c]

Assignment a ∧ b ∧ ¬c ∧ d. Resolve the last clause (¬b ∨ ¬d) with the second one (¬b ∨ c ∨ d) on d first: the resolvent ¬b ∨ c is in conflict with the assignment

SLIDE 11

Conflict clauses (1)

Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
[implication graph: decisions a and ¬c; resolvents ¬b ∨ c and then ¬a ∨ c, each in conflict with the assignment]

Assignment a ∧ b ∧ ¬c ∧ d. Resolution continued: resolving ¬b ∨ c with the first clause (¬a ∨ b) on b gives ¬a ∨ c, again in conflict with the assignment. This clause only mentions decision literals, so it rules out the pair of decisions a, ¬c: the solver backtracks and the new decision has to start with ¬a or with c.

SLIDE 12

Conflict Clauses (2)

Generated by resolution
Implied by the existing clauses
In conflict with the current assignment
Safely added to the clause set

Heuristics/Implementations
  when to stop resolution
  which clauses should be used for resolution

SLIDE 13

Basic SAT algorithm

[flowchart, reconstructed as steps]
1. CS = { } (no literal assigned yet)
2. Deduce (BCP)
3. Conflict? If yes: derive a conflict clause and backtrack; if the derived clause is the empty clause, answer UNSAT, otherwise go to 2
4. No conflict: all variables decided? If yes: answer SAT
5. Otherwise Branch: add a literal to CS and go to 2
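The algorithm of slides 7 to 13, as an added worked example that is not part of the slides or of the solvers they cite: a small Python DPLL solver with BCP, an implication graph (every implied literal keeps the clause that forced it as its reason) and conflict-clause learning by resolution, run on the clause set of slides 9 to 11. Replaying the decisions a and ¬c reproduces the slides' steps: the conflict on ¬b ∨ ¬d is resolved with the second clause into ¬b ∨ c, then with the first clause into ¬a ∨ c, which is added to the clause set; the search then backtracks and finds a model. The DIMACS-style integer literals, the `decisions` replay parameter and the rule of resolving until only decision literals remain are choices of this example, not of the slides.

```python
"""DPLL with unit propagation (BCP), an implication graph and resolution-based
conflict-clause learning. Literals are DIMACS-style non-zero ints (1 = a,
-1 = not a); a clause is a tuple of literals, a formula a list of clauses."""
from typing import Dict, List, Optional, Tuple

Clause = Tuple[int, ...]

# Constructed input: the clause set of the conflict-clause slides,
# (not a or b) and (not b or c or d) and (not b or not d), with a=1 .. d=4.
SLIDE_CNF: List[Clause] = [(-1, 2), (-2, 3, 4), (-2, -4)]


def unit_propagate(clauses: List[Clause], assignment: Dict[int, bool],
                   reason: Dict[int, Clause], trail: List[int]) -> Optional[Clause]:
    """BCP: assign every literal forced by a unit clause, recording that clause
    as the literal's reason (an edge of the implication graph) and the variable
    on the trail. Returns the falsified clause on conflict, else None."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    unassigned.append(lit)
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not unassigned:
                return clause                     # every literal false: conflict
            if len(unassigned) == 1:              # unit clause: force the literal
                lit = unassigned[0]
                assignment[abs(lit)] = lit > 0
                reason[abs(lit)] = clause
                trail.append(abs(lit))
                changed = True
    return None


def resolve(c1: Clause, c2: Clause, var: int) -> Clause:
    """Resolution rule: from (x or A) and (not x or B) derive (A or B)."""
    return tuple(sorted({lit for lit in c1 + c2 if abs(lit) != var}, key=abs))


def learn(conflict: Clause, reason: Dict[int, Clause], trail: List[int]) -> Clause:
    """Resolve the conflicting clause with the reasons of its implied literals,
    most recently implied first, until only decision literals remain. The result
    is implied by the clause set and false under the current assignment."""
    clause = conflict
    while True:
        implied = [v for v in reversed(trail)
                   if v in reason and any(abs(lit) == v for lit in clause)]
        if not implied:
            return clause
        clause = resolve(clause, reason[implied[0]], implied[0])


def solve(clauses: List[Clause], decisions: Tuple[int, ...] = ()
          ) -> Tuple[Optional[Dict[int, bool]], List[Clause]]:
    """Branch / propagate / backtrack search that learns a conflict clause on
    every conflict. `decisions` are literals asserted first, so the slides'
    branch (a, not c) can be replayed. Returns (model or None, learned clauses);
    learning the empty clause is a proof of unsatisfiability."""
    clauses = [tuple(c) for c in clauses]
    variables = sorted({abs(lit) for c in clauses for lit in c})
    learned: List[Clause] = []

    def search(assignment, reason, trail) -> Optional[Dict[int, bool]]:
        assignment, reason, trail = dict(assignment), dict(reason), list(trail)
        conflict = unit_propagate(clauses + learned, assignment, reason, trail)
        if conflict is not None:
            new = learn(conflict, reason, trail)
            if new not in learned:
                learned.append(new)
            return None                           # backtrack
        free = [v for v in variables if v not in assignment]
        if not free:
            return assignment                     # all decided without conflict: SAT
        for value in (True, False):               # branch: an arbitrary decision
            branch = dict(assignment)
            branch[free[0]] = value
            model = search(branch, reason, trail + [free[0]])
            if model is not None:
                return model
        return None

    if decisions:                                 # replay the requested decisions first
        model = search({abs(d): d > 0 for d in decisions}, {}, [abs(d) for d in decisions])
        if model is not None:
            return model, learned
    return search({}, {}, []), learned


def satisfies(clauses: List[Clause], model: Dict[int, bool]) -> bool:
    """Check a model against every clause."""
    return all(any(model[abs(lit)] == (lit > 0) for lit in c) for c in clauses)
```

Calling `solve(SLIDE_CNF, decisions=(1, -3))` learns exactly `(-1, 3)`, i.e. ¬a ∨ c, before the fallback search finds the model a, b, c, ¬d; an unsatisfiable input such as `[(1,), (-1,)]` ends with the empty clause in the learned set, which is the UNSAT exit of the flowchart.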

SLIDE 14

Summary (1)

SAT is an NP-hard problem
Efficient implementations today / clever heuristics:
  which literals to consider (decisions)
  ordering of propagation (BCP)
  cache-aware implementations
  pre-processing
  learning
  restarts
  ...
Every NP problem can be reduced to SAT in polynomial time
General solver + tuning can be effective

SLIDE 15

Summary (2)

Industrial applications (PowerPC and Intel's Pentium 4)
SAT-based methods are very good for small-depth bugs in large systems
Automated test generation
SAT on problems with hundreds of thousands of clauses
SAT competition

SLIDE 16

Part II: Model Checking

SLIDE 17

3 Running Example: Mutual Exclusion
    Pseudo-code
    Kripke model
4 Definitions and notations
5 Model Checking and Bounded MC

SLIDE 18

A simple mutual exclusion (SMUTE)

Consider 2 processes competing for a shared resource

process A
  forever
    A.pc = 0
    wait for B.pc = 0
    A.pc = 1
    access resource
  end forever
end process

process B
  forever
    B.pc = 0
    wait for A.pc = 0
    B.pc = 1
    access resource
  end forever
end process

SLIDE 19

Kripke Structure for SMUTE

[state graph over (A.pc, B.pc): nodes 11, 01, 00, 10]

State space: S = {0, 1}²
State vector: s ∈ S = {0, 1}²
Transition relation: T ⊆ S²
An (initialized) path: 00, 01, 00, 10, 00, 01, ...
SMUTE is safe: never do the 2 processes access the resource simultaneously (G¬(A.pc = 1 ∧ B.pc = 1))

SLIDE 20

Kripke Structure for unsafe SMUTE

[state graph over (A.pc, B.pc): nodes 01, 00, 10, 11]

Path: 00, 01, 11 is a counter-example to safety
G¬(A.pc = 1 ∧ B.pc = 1) is false
F(A.pc = 1 ∧ B.pc = 1) is true

SLIDE 21

Kripke Structures

A Kripke structure M is a quadruple M = ⟨S, I, T, L⟩
  S is a set of states, and I ⊆ S a set of initial states
  T ⊆ S × S is the transition relation
  L is the labeling function, L(s) = atomic propositions true in s

A path π is an infinite sequence of states s0, s1, s2, ...
πⁱ = (si, si+1, ...) denotes the suffix starting at position i
$M \models f$ means that M satisfies f (later restricted to LTL)

SLIDE 22

Limitations of Model Checking: why bounded?

Model checking suffers from state-space explosion
Initial motivation for BMC: leverage advances in SAT solving
Idea: restrict the search to counter-examples of some length k

SLIDE 23

Part III: From BMC to SAT

SLIDE 24

6 Principles
7 Semantics
8 Translation to SAT
9 Completeness

SLIDE 25

Basic Idea

LTL formulas are defined over all paths
  finding counter-examples = does a contradicting trace exist?
  for instance, a counter-example to Gp? = a witness for F¬p?
  for convenience we use path quantifiers: $M \models Af \equiv M \models \neg(E\neg f)$
  from now on, we only look at the existential problem ($M \models Ef$)
Finite paths may represent infinite behaviors
  paths with loops

SLIDE 26

Two cases for a bounded path

Idea: finite paths may say something about infinite behaviors

[figure: path s_i ... s_k without a back loop]
Path without a back loop: finite behavior up to s_k

[figure: path s_i ... s_l ... s_k with a back edge from s_k to s_l]
Path with a back loop: infinite behavior

Definition ((k,l)-loop). For l ≤ k we call a path π a (k,l)-loop if T(π(k), π(l)) and π = u · v^ω with u = (π(0), ..., π(l − 1)) and v = (π(l), ..., π(k)). We call π a k-loop if there exists l with 0 ≤ l ≤ k for which π is a (k,l)-loop.

SLIDE 27

Bounded path and witnesses

Can a path with no loop be a witness for Gp? Justify.

Can a path with no loop be a witness of Fp? Justify.

SLIDE 28

Witnesses for Gp: example

Let us consider the following k-loop:
[figure: s_i ... s_l ... s_k, every state labeled p, back edge from s_k to s_l]
Thus, it is a witness for Gp

Let us consider the following path:
[figure: s_i ... s_k, every state labeled p, no back edge]
This cannot be a witness for Gp, as there might be states after s_k that do not satisfy p.

SLIDE 29

Witnesses for Fp: example

Let us consider the following path:
[figure: s_i ... s_k with no back edge; one state labeled p, the others ¬p]
Thus, it is a witness for Fp

SLIDE 30

Bounded semantics for a loop

Prefix with loops, thus infinite behaviors are preserved
All the information about the infinite behavior is contained in the bounded prefix
[figure: (k,l)-loop s_i ... s_l ... s_k, every state labeled p]

Maintain the original LTL semantics
Definition. Let k ≥ 0 and π be a k-loop. Then an LTL formula f is valid along the path π with bound k (in symbols $\pi \models_k f$) iff $\pi \models f$.

SLIDE 31

Bounded semantics without a loop: Ff

Infinite behaviors unknown
Unbounded semantics: f holds on some suffix of π
  $\pi \models Ff$ iff $\pi^i \models f$ for some $i \ge 0$
Bounded semantics: f holds before position k
  $\pi \models^i_k Ff$ iff $\exists j,\ i \le j \le k.\ \pi \models^j_k f$
where $\pi \models^i_k f$ reads "f holds in state $s_i$ of path π of length k"

SLIDE 32

Bounded semantics without a loop: Gf

Infinite behaviors unknown
Unbounded semantics: f holds in all suffixes
  $\pi \models Gf$ iff $\pi^i \models f$ for all $i \ge 0$
Bounded semantics: Gf is always false!
  f might not hold after k
Consequence: the duality between G and F ($\neg Ff \equiv G\neg f$) no longer holds in BMC!

SLIDE 33

Bounded semantics without a loop

Let k ≥ 0 and π be a path that is not a k-loop. Then an LTL formula f is valid along π with bound k (in symbols $\pi \models_k f$) iff $\pi \models^0_k f$, where:

  $\pi \models^i_k p$            iff $p \in L(\pi(i))$
  $\pi \models^i_k \neg p$       iff $p \notin L(\pi(i))$
  $\pi \models^i_k f \wedge g$   iff $\pi \models^i_k f$ and $\pi \models^i_k g$
  $\pi \models^i_k f \vee g$     iff $\pi \models^i_k f$ or $\pi \models^i_k g$
  $\pi \models^i_k Gf$           is always false
  $\pi \models^i_k Ff$           iff $\exists j,\ i \le j \le k.\ \pi \models^j_k f$
  $\pi \models^i_k Xf$           iff $i < k$ and $\pi \models^{i+1}_k f$
  $\pi \models^i_k f\,U\,g$      iff $\exists j,\ i \le j \le k.\ \pi \models^j_k g$ and $\forall n,\ i \le n < j.\ \pi \models^n_k f$
  $\pi \models^i_k f\,R\,g$      iff $\exists j,\ i \le j \le k.\ \pi \models^j_k f$ and $\forall n,\ i \le n \le j.\ \pi \models^n_k g$

(In the R case g must hold up to and including the position j at which f releases it.)

SLIDE 34

Bounded and unbounded semantics are equivalent

Consider the existential model checking problem ($M \models Ef$)
It can be reduced to an equivalent bounded model checking problem
Theorem. Let f be an LTL formula and M be a Kripke structure. Then: $M \models Ef$ iff $\exists k \ge 0$ with $M \models_k Ef$

SLIDE 35

Bounded and unbounded semantics: Lemma 1

If f is valid on a bounded path, then it is valid on the unbounded path
Proof: easy, only based on the definition of the bounded semantics (exercise)
Theorem. Let f be an LTL formula and π a path; then $\pi \models_k f \Rightarrow \pi \models f$

SLIDE 36

Bounded and unbounded semantics: Lemma 2

If Ef holds in the unbounded semantics, then there is a bounded path along which f is valid
Proof: easy. Note: $M \models Ef \equiv \exists \pi : \pi \models f$ (exercise)
Theorem. Let f be an LTL formula and M be a Kripke structure. Then, $M \models Ef \Rightarrow \exists k \ge 0$ with $M \models_k Ef$

SLIDE 37

Bounded semantics: Summary

We have given a bounded semantics for the existential model checking problem
We have shown that this semantics is equivalent to the unbounded one for a sufficiently large bound
Coming next: translation from BMC to SAT

SLIDE 38

Introduction

Reducing BMC to SAT enables the use of efficient SAT solvers to perform model checking
The goal of the game:
  Take an LTL formula f, a Kripke structure M and a bound k
  Build a propositional formula $[[M, f]]_k$ "equivalent" to f
  Formula $[[M, f]]_k$ is SAT iff M has a path of length k along which f is valid
This formula has two parts:
  Unfolding the transition relation up to depth k (all valid paths of length k)
  Constraining the paths to be witnesses for formula f; the latter considers the loop and the no-loop cases

SLIDE 39

Unfolding the transition relation

Formula $[[M]]_k$ represents the k-unfolding of the transition relation T
It represents all valid paths of length k
A valid path:
  First state is initial
  All successors are obtained using T
Definition. For a Kripke structure M and k ≥ 0:
  $[[M]]_k := I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})$

SLIDE 40

Unfolding the transition relation: Example

Example: show the unfolding for the mutual exclusion example

SLIDE 41

Translation: second component

The second component restricts the paths to be witnesses for formula f
The translation of an LTL formula f depends on the shape of the paths:
  Paths with no loop
  Paths with a loop

SLIDE 42

Loop condition and successor in a loop

Loop condition: simply check if there is a transition from state $s_k$ to a previous state
Loop successor: increment by 1, except for the last state
Definition (Loop condition). The loop condition $L_k$ is true iff there exists a back loop from state $s_k$ to a previous state or to itself: $L_k := \bigvee_{l=0}^{k} T(s_k, s_l)$
Definition (Successor in a loop). Let k, l, i be such that $0 \le i, l \le k$. Define the successor succ(i) of i in a (k,l)-loop as succ(i) := i + 1 for i < k and succ(i) := l for i = k.

SLIDE 43

Loop condition: Example

Example: put here the loop conditions for SMUTE

SLIDE 44

Translation for a loop

Given: an LTL formula f and (k,l)-loop paths π
Recursive translation over the subterms of f and the states in π
Introduce intermediate formulae of the form $_l[[\cdot]]^i_k$
  l: start of the loop; k: the bound; i: current position

Translation rule for Gf: $_l[[Gf]]^i_k := {}_l[[f]]^i_k \wedge {}_l[[Gf]]^{succ(i)}_k$

Translation rule for Ff: $_l[[Ff]]^i_k := {}_l[[f]]^i_k \vee {}_l[[Ff]]^{succ(i)}_k$

Since succ cycles back from k to l, these recursions are read as their finite unfolding over the positions min(i, l), ..., k: $_l[[Gf]]^i_k = \bigwedge_{j=\min(i,l)}^{k} {}_l[[f]]^j_k$ and $_l[[Ff]]^i_k = \bigvee_{j=\min(i,l)}^{k} {}_l[[f]]^j_k$

SLIDE 45

Translation for a loop: Example

Example: show the translation for SMUTE and a loop

SLIDE 46

Translation without a loop

Special case of the translation for a loop
Extend the paths and consider all properties beyond k false (base case: $[[f]]^{k+1}_k$ is false)
Inductive case: for all i ≤ k

Translation rule for Gf: $[[Gf]]^i_k := [[f]]^i_k \wedge [[Gf]]^{i+1}_k$

Translation rule for Ff: $[[Ff]]^i_k := [[f]]^i_k \vee [[Ff]]^{i+1}_k$

SLIDE 47

Translation to SAT: Example

Example: show the translation for SMUTE and Gp

SLIDE 48

Translation to SAT: Soundness and completeness

General translation rule:
  $[[M, f]]_k := [[M]]_k \wedge \Big( \big(\neg L_k \wedge [[f]]^0_k\big) \vee \bigvee_{l=0}^{k} \big( T(s_k, s_l) \wedge {}_l[[f]]^0_k \big) \Big)$

The translation scheme is sound and complete w.r.t. the bounded semantics
Theorem. $[[M, f]]_k$ is satisfiable iff $M \models_k Ef$.

SLIDE 49

Translation to SAT: Final example

Example: show counter-example generation for Gp on the faulty SMUTE (recall the previous parts of the example)
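The examples requested on slides 40, 43, 45, 47 and 49 (unfolding, loop condition, translation and counter-example generation for SMUTE), worked through as an added Python example that is not part of the slides. The safe transition relation is read off the pseudo-code of slide 18; the unsafe variant is an assumption of this example that only has to admit the path 00, 01, 11 of slide 20. Propositional formulas are nested tuples, and the SAT back end is a brute-force enumeration standing in for a real solver so that the example runs offline; the G and F cases use the finite unfoldings of the recursive translation rules, and the no-loop G case is false as on slide 32.

```python
"""Bounded model checking of SMUTE by translation to a propositional formula:
[[M,f]]_k := [[M]]_k and ((not L_k and [[f]]^0_k) or OR_l (T(s_k,s_l) and _l[[f]]^0_k)).
Propositional formulas are nested tuples; the SAT back end is a brute-force
enumeration (an assumption that keeps the example self-contained)."""
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple

State = Tuple[int, int]                                   # (A.pc, B.pc)
INIT: State = (0, 0)
# Safe SMUTE, read off the pseudo-code: a process enters (pc = 1) only while
# the other one is at pc = 0, and returns to pc = 0 afterwards.
SAFE_T: FrozenSet[Tuple[State, State]] = frozenset({
    ((0, 0), (0, 1)), ((0, 0), (1, 0)), ((0, 1), (0, 0)), ((1, 0), (0, 0))})
# Unsafe variant (assumed; the slides only show the path 00, 01, 11): a process
# may also enter while the other one holds the resource.
UNSAFE_T = SAFE_T | {((0, 1), (1, 1)), ((1, 0), (1, 1)), ((1, 1), (0, 0))}

# LTL in negation normal form: ('p', 'A') means A.pc = 1; 'not' only on atoms.
MUTEX = ('G', ('or', ('not', ('p', 'A')), ('not', ('p', 'B'))))  # G not(A and B)
VIOLATION = ('F', ('and', ('p', 'A'), ('p', 'B')))                # F(A and B)

TRUE, FALSE = ('and',), ('or',)


def ev(formula, model: Dict[str, bool]) -> bool:
    """Evaluate a propositional formula under a variable assignment."""
    op = formula[0]
    if op == 'var':
        return model[formula[1]]
    if op == 'not':
        return not ev(formula[1], model)
    if op == 'and':
        return all(ev(g, model) for g in formula[1:])
    return any(ev(g, model) for g in formula[1:])           # 'or'


def state_is(i: int, s: State):
    """Encoding of s_i = s over the propositional variables A_i, B_i."""
    a, b = ('var', f'A{i}'), ('var', f'B{i}')
    return ('and', a if s[0] else ('not', a), b if s[1] else ('not', b))


def trans(T, i: int, j: int):
    """T(s_i, s_j): the disjunction over all transitions of M."""
    return ('or', *[('and', state_is(i, s), state_is(j, t)) for s, t in sorted(T)])


def unfold(T, k: int):
    """[[M]]_k := I(s_0) and T(s_0,s_1) and ... and T(s_{k-1},s_k)."""
    return ('and', state_is(0, INIT), *[trans(T, i, i + 1) for i in range(k)])


def translate(ltl, i: int, k: int, l: Optional[int] = None):
    """[[f]]^i_k when l is None (no loop), _l[[f]]^i_k on a (k,l)-loop. G and F
    are the finite unfoldings of the recursive rules: on a loop they range over
    positions min(i,l)..k; without a loop Gf is false and Ff ranges over i..k."""
    op = ltl[0]
    if op == 'p':
        return ('var', f'{ltl[1]}{i}')
    if op == 'not':
        return ('not', translate(ltl[1], i, k, l))
    if op in ('and', 'or'):
        return (op, *[translate(g, i, k, l) for g in ltl[1:]])
    if op == 'X':
        if l is None:
            return translate(ltl[1], i + 1, k) if i < k else FALSE
        return translate(ltl[1], i + 1 if i < k else l, k, l)    # succ(i)
    if op == 'G':
        if l is None:
            return FALSE
        return ('and', *[translate(ltl[1], j, k, l) for j in range(min(i, l), k + 1)])
    if op == 'F':
        lo = i if l is None else min(i, l)
        return ('or', *[translate(ltl[1], j, k, l) for j in range(lo, k + 1)])
    raise ValueError(op)


def bmc(T, ltl, k: int) -> Optional[List[State]]:
    """Build [[M,f]]_k and look for a satisfying assignment; return the witness
    path s_0..s_k, or None when the formula is unsatisfiable."""
    back = [trans(T, k, l) for l in range(k + 1)]              # T(s_k, s_l)
    no_loop = ('and', ('not', ('or', *back)), translate(ltl, 0, k))
    loop = ('or', *[('and', back[l], translate(ltl, 0, k, l)) for l in range(k + 1)])
    formula = ('and', unfold(T, k), ('or', no_loop, loop))
    names = [f'{n}{i}' for i in range(k + 1) for n in 'AB']
    for bits in product((False, True), repeat=len(names)):   # brute-force SAT
        model = dict(zip(names, bits))
        if ev(formula, model):
            return [(int(model[f'A{i}']), int(model[f'B{i}'])) for i in range(k + 1)]
    return None


def first_witness(T, ltl, max_k: int) -> Optional[Tuple[int, List[State]]]:
    """The usual BMC loop: increase k until a witness is found (or give up)."""
    for k in range(max_k + 1):
        path = bmc(T, ltl, k)
        if path is not None:
            return k, path
    return None
```

`first_witness(UNSAFE_T, VIOLATION, 5)` finds the counter-example 00, 01, 11 at k = 2 and nothing shorter, while on the safe model no bound produces a witness. `bmc(SAFE_T, MUTEX, 1)` shows why a G witness needs a loop: at k = 0 the only back edge would be T(00, 00), which does not exist, so the formula is unsatisfiable; at k = 1 the path 00, 01 with the back edge T(01, 00) satisfies the loop disjunct.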

SLIDE 50

Completeness

Typical application of BMC = increment k until a counter-example is found
If a witness exists ($M \models_k Ef$ for some k) this procedure terminates
But if there is no witness (no k with $M \models_k Ef$) then it does not terminate
Incomplete BMC is good for "bug hunting"
Complete BMC is needed to prove "bug-less"
  Compositional proofs: the whole proof is broken by one flawed proof (one missed counter-example)
In the next slides: one technique for completeness
  Completeness threshold

SLIDE 51

Completeness threshold

For every finite system M and property p, there exists a number CT such that the absence of errors up to CT proves p for M.
  for instance: the longest "shortest" path from an initial state to any reachable state
We call CT the completeness threshold of M w.r.t. p (and the translation scheme)

SLIDE 52

Completeness threshold: Reachability diameter (1)

Consider Gp formulae
Completeness threshold = minimal number of steps needed to reach all states
We call it the "reachability diameter" of M
Left part of the implication: every state that can be reached in n steps ...
Right part: ... can also be reached in t ≤ i steps
Definition:
  $rd(M) := \min\{\, i \mid \forall s_0, \ldots, s_n.\ \exists s'_0, \ldots, s'_t,\ t \le i.\ I(s_0) \wedge \bigwedge_{j=0}^{n-1} T(s_j, s_{j+1}) \Rightarrow I(s'_0) \wedge \bigwedge_{j=0}^{t-1} T(s'_j, s'_{j+1}) \wedge s'_t = s_n \,\}$

SLIDE 53

Completeness threshold: Reachability diameter (2)

How big should n be?
Simple answer (worst case): the size of the state space, $n = 2^{|V|}$, where V is the set of variables defining M
Better option:
  Take n = i + 1
  Check whether every state reachable in i + 1 steps can also be reached in at most i steps
  $rd(M) := \min\{\, i \mid \forall s_0, \ldots, s_{i+1}.\ \exists s'_0, \ldots, s'_i.\ I(s_0) \wedge \bigwedge_{j=0}^{i} T(s_j, s_{j+1}) \Rightarrow I(s'_0) \wedge \bigwedge_{j=0}^{i-1} T(s'_j, s'_{j+1}) \wedge \bigvee_{j=0}^{i} s'_j = s_{i+1} \,\}$

SLIDE 54

Example: show rd for Gp of SMUTE

SLIDE 55

Completeness threshold: Recurrence diameter for reachability

The previous formula involves an alternation of quantifiers (∀x.∃y)
Hard to compute on realistic problems
Over-approximation of rd(M), noted rdr(M): compute the longest loop-free path
  over-approximation because every shortest path is also a loop-free path
  $rdr(M) := \max\{\, i \mid \exists s_0, \ldots, s_i.\ I(s_0) \wedge \bigwedge_{j=0}^{i-1} T(s_j, s_{j+1}) \wedge \bigwedge_{j=0}^{i-1} \bigwedge_{k=j+1}^{i} s_j \ne s_k \,\}$

SLIDE 56

Example: show rdr for Gp of SMUTE
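The examples requested on slides 54 and 56 (rd and rdr for Gp on SMUTE), as an added Python example that is not part of the slides. It computes both thresholds explicitly on the state graph (breadth-first search for rd, a longest loop-free path search for rdr) and shows why stopping the BMC loop of slide 50 before the threshold is unsound: on the unsafe SMUTE no counter-example exists up to k = 1, yet rd = 2 and the counter-example sits exactly at the threshold. On SMUTE itself the two thresholds coincide, so a constructed chain model with a shortcut edge is added to show rdr strictly over-approximating rd. The unsafe transition relation and the chain model are assumptions of this example.

```python
"""Completeness thresholds for Gp properties: the reachability diameter rd(M),
the least i such that every reachable state is reachable in at most i steps,
and its over-approximation rdr(M), the length of the longest loop-free
initialized path. Both are computed explicitly on small models."""
from collections import deque
from typing import Dict, FrozenSet, Hashable, Iterable, Set, Tuple

Edge = Tuple[Hashable, Hashable]

# SMUTE transition relations over (A.pc, B.pc); the unsafe variant is assumed
# from the counter-example path 00, 01, 11 shown on the slides.
SAFE_T: FrozenSet[Edge] = frozenset({
    ((0, 0), (0, 1)), ((0, 0), (1, 0)), ((0, 1), (0, 0)), ((1, 0), (0, 0))})
UNSAFE_T: FrozenSet[Edge] = SAFE_T | {((0, 1), (1, 1)), ((1, 0), (1, 1)), ((1, 1), (0, 0))}
INIT = [(0, 0)]
BAD = {(1, 1)}                      # both processes access the resource
# Constructed chain with a shortcut 0 -> 3: every state is reachable within 2
# steps, but 0 -> 1 -> 2 -> 3 is a loop-free path of length 3.
CHAIN_T: FrozenSet[Edge] = frozenset({(0, 1), (1, 2), (2, 3), (0, 3), (3, 3)})


def successors(T: Iterable[Edge]) -> Dict[Hashable, Set[Hashable]]:
    succ: Dict[Hashable, Set[Hashable]] = {}
    for s, t in T:
        succ.setdefault(s, set()).add(t)
    return succ


def bfs_distances(T: Iterable[Edge], init: Iterable[Hashable]) -> Dict[Hashable, int]:
    """Length of a shortest initialized path to every reachable state."""
    succ = successors(T)
    dist = {s: 0 for s in init}
    queue = deque(dist)
    while queue:
        s = queue.popleft()
        for t in succ.get(s, ()):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return dist


def reachability_diameter(T: Iterable[Edge], init: Iterable[Hashable]) -> int:
    """rd(M): the longest shortest path, i.e. the unfolding depth after which
    no new state can appear."""
    return max(bfs_distances(T, init).values())


def recurrence_diameter(T: Iterable[Edge], init: Iterable[Hashable]) -> int:
    """rdr(M): longest initialized path with pairwise distinct states, found by
    depth-first search over simple paths (exponential in general; on real
    models rdr is obtained from the SAT encoding of the slide instead)."""
    succ = successors(T)

    def longest(s: Hashable, seen: frozenset) -> int:
        return max((1 + longest(t, seen | {t}) for t in succ.get(s, ())
                    if t not in seen), default=0)

    return max(longest(s, frozenset([s])) for s in init)


def violation_within(T: Iterable[Edge], init, bad: Set[Hashable], k: int) -> bool:
    """Explicit-state counterpart of BMC for G(not bad) with bound k: True iff
    a bad state lies on an initialized path of length at most k."""
    return any(d <= k for s, d in bfs_distances(T, init).items() if s in bad)


def prove_safety(T: Iterable[Edge], init, bad: Set[Hashable]) -> bool:
    """Complete BMC for G(not bad): run the bounded checks for k = 0..rd(M).
    Absence of a counter-example up to the threshold proves the property."""
    threshold = reachability_diameter(T, init)
    return not any(violation_within(T, init, bad, k) for k in range(threshold + 1))
```

For the safe SMUTE rd = rdr = 1 (01 and 10 are one step from 00, and any longer path repeats 00), so two unsatisfiable BMC instances, k = 0 and k = 1, already prove G¬(A.pc = 1 ∧ B.pc = 1). For the unsafe variant rd = rdr = 2, and `violation_within` is false for k ≤ 1 and true at k = 2. On the chain model rd = 2 but rdr = 3, the gap the slide attributes to shortest paths being only a subset of the loop-free paths.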