INF9140 INF9140 Paper Presentation Paper Presentation Biere et - - PowerPoint PPT Presentation

▶

Apr 25, 2023 410 likes •632 views

INF9140 INF9140 Paper Presentation Paper Presentation Biere et al. 2003 B Bounded Model Checking d d M d l Ch ki B Y M A R T I N F . J O H A N S E N Model Checking Model the design as a finite state machine. M d l th d i

SLIDE 1

INF9140 Paper Presentation INF9140 – Paper Presentation Biere et al. 2003 – B d d M d l Ch ki Bounded Model Checking

B Y M A R T I N F . J O H A N S E N

SLIDE 2

Model Checking

M d l th d i fi it t t hi

 Model the design as a finite state machine.  Write the specification as temporal logic.  Safety properties

 What should not happen.  A counterexample: something bad happens.

 Liveness properties

 What should eventually happen.  A counter example: something good never happens.

SLIDE 3

Bounded Model Checking (BMC) g ( )

Th b i id f BMC i t h f t

 The basic idea of BMC is to search for a counter

example in executions whose length is bounded by some integer k some integer k.

 Thus, does not show the absence of errors.

E i t h h th t BMC l

 Experiments have shown that BMC can solve many

cases that cannot be solved by other approaches. h bl b ffi i l d d

 The BMC problem can be efficiently reduced to a

propositional satisfiability problem […] SAT d d t ff f th l i procedures do not suffer from the space explosion problem of BDD-based methods.

SLIDE 4

Bounded Semantics

P th ith l

 Paths with loops

 (k,l)-loop path, π = u vω

F LTL f l f ith l

 For LTL formula f with π as a loop

π |=k f iff π |= f

 Where there are no loops  Where there are no loops

 a property that hold along πk, might not hold along πk+1.

Th If t k ffi i tl hi h b d

 Theorem 1: If we take a sufficiently high bound,

then the bounded and unbounded semantics are equivalent equivalent.

SLIDE 5

Reduction of BMC to SAT

Gi

 Given

 Kripke Structure M

LTL f l f

 LTL formula f  Bound k

C t t

 Construct

 Propositional formula [[M, f]]k

(-x1 * -x2 * -x3) + (x1 * x1 * x2) + (x2 * x3)

SLIDE 6

Kripke Structures p

K i k t t M i d l M (S I T L)

 Kripke structure M is a quadruple M = (S, I,T,L)

 S is the set of states

I S i th t f i iti l t t

 I S is the set of initial states  T

S×S is the transition relation

 L:S > P(A) is the labeling function  L:S -> P(A) is the labeling function  is the set of atomic propositions  P(A) denotes the powerset over A

( ) de otes t e po e set o e

 L(s) is m ade of the atom ic propositions that hold in s.  Each path π in M is a sequence π = (s0, s1, . . .) of states  π(i) the i-th state si  πi =(si, si+1, . . .) the suffix of π starting with state si

SLIDE 7

Note on symbols y

S b l

 Symbols:

 p – Xp

◊ F

 ◊p – Fp  □p – Gp

SLIDE 8

p Xp p - Xp ◊p - Fp □p - Gp

SLIDE 9

Bounded Semantics without a Loop

an LTL form ula f is valid along p w ith bound k (in sym bols an LTL form ula f is valid along p w ith bound k (in sym bols p - Xp p Xp ◊p - Fp □p - Gp

SLIDE 10

Path Quantifiers Q

M ti fi f ll i iti li d th

 M satisfies f over all initialized paths

 M |= Af

h i i i i li d h i M h i fi f

 there exists an initialized path in M that satisfies f

 M |= Ef

SLIDE 11

Reduction of BMC to SAT

 Unfolding of the Transition Relation

Unfolding of the Transition Relation

 There are valid paths from the initial state to any state

reachable in k steps.

 Loop condition

i iff h i i i f

 lLk is true iff there is a transition from sk to sl  Lk is true iff there exists a back loop from sk to a previous state

r to itself.
r to itself.

 Successor in a loop

 In a (k,l)-loop, a successor function succ(i) is i+1 unless i=k,  In a (k,l) loop, a successor function succ(i) is i+1 unless i k,

then it is l

SLIDE 12

Reduction of BMC to SAT

Th i t di t f l d d th

 The intermediate formula depends on three

parameters: l, k and i. We use l for the start position

f the loop k for the bound and i for the current
f the loop, k for the bound, and i for the current

position in π.

SLIDE 13

Translation of an LTL formula for a loop

p Xp p - Xp ◊p - Fp □p - Gp

SLIDE 14

Translation of an LTL formula without a loop a s at o

t out a oop

p Xp p - Xp ◊p - Fp □p - Gp

SLIDE 15

BMC with SAT

 Given  Given

 Kripke Structure M  LTL formula f  Bound k

 Construct

l f l f

 Propositional formula [[M, f]]k

 General Translation  Theorem 2:  Theorem 2:

 [[ M, f ]]k is satisfiable iff M |=k Ef  (M |= Ef means there exists an initialized path in M that satisfies f )

( | f p f f )

SLIDE 16

Completeness threshold p

Th l t th h ld f G

p Xp

 The completeness threshold for Gp

formulas is simply the minimal number of steps required to reach all states

p - Xp ◊p - Fp □p - Gp

steps required to reach all states.

 Theorem 3:

  The procedure terminates if the liveness property

holds holds.

 Since we know that either AFp or EG¬p must hold

for M, one of the semi-decision procedures must , p

terminate. Combining the two, we obtain a

complete decision procedure for liveness.

SLIDE 17

Techniques for SAT solving q g

A t f th i b t t h i f SAT

 A part of the paper is about techniques for SAT

solving.

SLIDE 18

Experiments p

 BDD based model checking  IBM benchmark on 13

g vs SAT based bounded model checking

 16x16 bit sequential shift  IBM benchmark on 13

hardware designs

 16x16 bit sequential shift

and add multiplier

SLIDE 19

Experiments p

I t l b h k C

 Intel benchmark,

verifying various circuits

 Compaq

benchmark, if i l h circuits verifying an alpha microprocessor