Symbolic Model Checking without BDDs - PowerPoint PPT Presentation
1
Symbolic Model Checking without BDDs
  • Armin Biere, Alessandro Cimatti, Edmund Clarke, Yunshan Zhu
  • Presented by Manikantan Prakash Prabhu

2
Outline
  • Introduction
  • Example
  • Semantics
  • Translation
  • Determining the bound
  • Experimental results and conclusion

3
Introduction
  • Model Checking (MC)
  • Automatic: the specification is a temporal-logic formula, the system is an FSM (number of states grows)
  • Symbolic MC uses BDDs (problems: BDD size, finding the right variable ordering)
  • Propositional decision procedures
  • Work on Boolean expressions, but not on canonical forms
  • No potential state-space explosion
  • Davis/Putnam procedure (implementation)

4
Introduction
  • Bounded Model Checking (BMC)
  • Based on SAT
  • $\exists$ counterexample of length $k$ $\Leftrightarrow$ the propositional formula is satisfiable
  • BMC for LTL is reduced to SAT in polynomial time
  • BMC advantages
  • Counterexamples are found fast and have minimal length
  • Less space, no manual variable ordering (vs. BDDs)

5
Example
  • 3-bit shift register $(x_0, x_1, x_2)$
  • $T(x, x') := (x'_0 = x_1) \wedge (x'_1 = x_2) \wedge (x'_2 = 1)$
  • Eventually the register will be empty: $AF(x = 0)$
  • $AF(x = 0) \Leftrightarrow \neg EG(x \neq 0)$
  • Restrict the search to paths having $k+1$ states ($k = 2$)

[Figure: the three path states $x_0$, $x_1$, $x_2$ with the candidate back-loop edges $L_0$, $L_1$, $L_2$ from $x_2$]
6
Example
  • $f_m := I(x_0) \wedge T(x_0, x_1) \wedge T(x_1, x_2)$
  • $T(x_0, x_1) :=$
  • $T(x_1, x_2) :=$
  • Any path with three states that is a witness for $G(x \neq 0)$ must contain a loop $\Rightarrow$ add $\bigvee_{i=0}^{2} L_i$ with $L_i := T(x_2, x_i)$
  • Constraint imposed by the formula ($S_i$ defined as $x_i \neq 0$): $S_i := (x_i[0] = 1) \vee (x_i[1] = 1) \vee (x_i[2] = 1)$
  • Final propositional formula
  • $f_m \wedge \bigvee_{i=0}^{2} L_i \wedge \bigwedge_{i=0}^{2} S_i$ $\Rightarrow$ counterexample of length 2
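The construction on this slide, worked through as an added example that is not part of the original presentation or the paper: the shift register's $f_m$, the loop condition $L_i$ and the state constraints $S_i$ are evaluated over every assignment to the $3(k+1)$ state bits, a brute-force stand-in for the SAT solver; the choice $I(x) := \mathrm{true}$ (any initial register contents) and the helper names are assumptions.

```python
from itertools import product

# Added example, not from the slides: the 3-bit shift register, Boolean encoded.
# A state is a bit tuple (x0, x1, x2); each step shifts left and shifts a 1 in.

def I(s):
    # Initial states: assumed here that the register may start with any contents.
    return True

def T(s, t):
    # T(x, x') := (x'0 = x1) ∧ (x'1 = x2) ∧ (x'2 = 1)
    return t[0] == s[1] and t[1] == s[2] and t[2] == 1

def nonzero(s):
    # S_i := x_i ≠ 0, i.e. (x_i[0] = 1) ∨ (x_i[1] = 1) ∨ (x_i[2] = 1)
    return any(s)

def bmc_formula(states, S=nonzero):
    """Evaluate f_m ∧ ⋁_{l=0..k} L_l ∧ ⋀_{i=0..k} S_i on one assignment s0..sk:
    f_m unfolds I and T along the prefix, L_l := T(s_k, s_l) is the back-loop
    condition, and S_i is the per-state constraint coming from G(x ≠ 0)."""
    k = len(states) - 1
    f_m = I(states[0]) and all(T(states[i], states[i + 1]) for i in range(k))
    loop = any(T(states[k], states[l]) for l in range(k + 1))
    return f_m and loop and all(S(s) for s in states)

def find_counterexample(k, S=nonzero):
    """Brute-force SAT over the 3(k+1) state bits (stand-in for a SAT solver):
    returns a witness of EG(x ≠ 0), i.e. a counterexample to AF(x = 0), of
    length k, or None if the formula is unsatisfiable for this k."""
    for bits in product((0, 1), repeat=3 * (k + 1)):
        states = tuple(bits[3 * i:3 * i + 3] for i in range(k + 1))
        if bmc_formula(states, S):
            return states
    return None

if __name__ == "__main__":
    print(find_counterexample(2))                         # loops at state 111
    print(find_counterexample(2, S=lambda s: s[2] == 0))  # None: no witness for EG(x2 = 0)
```

The second call shows the other outcome of the same encoding: with the state constraint $x_2 = 0$ no loop can close because every successor has $x'_2 = 1$, so the formula is unsatisfiable for this $k$.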
7
Semantics
  • ACTL $\subseteq$ CTL: formulas in negative normal form (NNF) that contain only A path quantifiers
  • ECTL: likewise, with only E path quantifiers
  • Consider only the X, F, G, U operators
  • LTL: no path quantifiers are allowed
  • The paper concentrates on LTL model checking (BMC for LTL can be extended to handle ACTL and ECTL)

8
Semantics
  • Definition 1: A Kripke structure is a tuple $M = (S, I, T, L)$ with a finite set of states $S$, the set of initial states $I \subseteq S$, a transition relation between states $T \subseteq S \times S$ and the labeling of the states $L : S \to \mathcal{P}(A)$ with atomic propositions $A$
  • Boolean encoding of states (vector of state variables)
  • Each state has a successor state ($T$ is total)
  • $\pi = (s_0, s_1, \ldots)$, $\pi(i) = s_i$ and $\pi^i = (s_i, s_{i+1}, \ldots)$

9
Semantics
  • Definition 2 (Semantics): Let $M$ be a Kripke structure, $\pi$ be a path in $M$ and $f$ be an LTL formula. Then $\pi \models f$ ($f$ is valid along $\pi$) is defined as

10
Semantics - Validity
  • Definition 3: An LTL formula $f$ is universally valid in a Kripke structure $M$ (in symbols $M \models Af$) iff $\pi \models f$ for all paths $\pi$ in $M$ with $\pi(0) \in I$. An LTL formula $f$ is existentially valid in a Kripke structure $M$ (in symbols $M \models Ef$) iff there exists a path $\pi$ in $M$ with $\pi \models f$ and $\pi(0) \in I$
  • The paper considers the existential model checking problem (searching for a counterexample is an EMCP)

11
Semantics - Basic Idea of BMC
  • Consider only a finite prefix of a path (bounded by $k$) and look for a possible counterexample
  • A finite prefix may represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states
  • If there is no back loop, we cannot say anything about the infinite behaviour
  • Example $Gp$: even if $p$ holds from $s_0$ to $s_k$, we cannot conclude anything if there is no back loop from $s_k$ to $s_0$

12
Semantics
  • Definition 4: For $l \le k$ we call a path $\pi$ a $(k,l)$-loop if $\pi(k) \to \pi(l)$ and $\pi = u \cdot v^\omega$ with $u = (\pi(0), \ldots, \pi(l-1))$ and $v = (\pi(l), \ldots, \pi(k))$. We call $\pi$ simply a $k$-loop if there is an $l \in \mathbb{N}$ with $l < k$ for which $\pi$ is a $(k,l)$-loop

13
Semantics
  • Definition 5 (Bounded Semantics for a Loop): Let $k \in \mathbb{N}$ and $\pi$ be a $k$-loop. Then an LTL formula $f$ is valid along the path $\pi$ with bound $k$ (in symbols $\pi \models_k f$) iff $\pi \models f$.
  • Definition 6 (Bounded Semantics without a Loop): Let $k \in \mathbb{N}$ and $\pi$ be a path that is not a $k$-loop. Then an LTL formula $f$ is valid along the path $\pi$ with bound $k$ (in symbols $\pi \models_k f$) iff $\pi \models_k^0 f$, where

14
Semantics
15
Semantics
  • Lemma 7: Let $h$ be an LTL formula and $\pi$ be a path; then $\pi \models_k h \Rightarrow \pi \models h$
  • Lemma 8: Let $f$ be an LTL formula and $M$ a Kripke structure. If $M \models Ef$ then there exists $k \in \mathbb{N}$ with $M \models_k Ef$
  • Theorem 9: Let $f$ be an LTL formula, $M$ a Kripke structure. Then $M \models Ef$ iff there exists $k \in \mathbb{N}$ with $M \models_k Ef$

16
Translation
  • Given a Kripke structure $M$, an LTL formula $f$ and a bound $k$
  • We need to construct a propositional formula $[[M, f]]_k$ which represents the constraints on $s_0, \ldots, s_k$ (variables denoting a finite sequence of states on a path $\pi$) such that $[[M, f]]_k$ is satisfiable iff $f$ is valid along $\pi$
  • Size: polynomial in $|f|$, quadratic in $k$, linear in $\mathrm{size}(\mathrm{prop}(T, I, p \in A))$
  • Definition 10 (Unfolding the Transition Relation): For a Kripke structure $M$, $k \in \mathbb{N}$,
  • $[[M]]_k := I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})$
17
Translation
  • Depending on whether a path is a $k$-loop or not, there are two different translations for a temporal formula $f$.
  • Translation if the path is not a $k$-loop: $[[\cdot]]^i_k$
  • Translation if the path is a $k$-loop: ${}_l[[\cdot]]^i_k$
  • Example: $h := p\,U\,q$ on a non-$k$-loop path

18
Translation
  • Definition 11 (Translation of an LTL formula without a Loop): For an LTL formula $f$ and $k, i \in \mathbb{N}$ with $i \le k$
  • Definition 12 (Successor in a Loop): Let $k, l, i \in \mathbb{N}$ with $l, i \le k$. Define the successor $\mathrm{succ}(i)$ in a $(k,l)$-loop as $\mathrm{succ}(i) := i+1$ for $i < k$ and $\mathrm{succ}(i) := l$ for $i = k$

19
Translation
  • Definition 13 (Translation of an LTL formula for a Loop): Let $f$ be an LTL formula, $k, l, i \in \mathbb{N}$ with $l, i \le k$

20
Translation
  • Definition 14 (Loop Condition): For $k, l \in \mathbb{N}$, let ${}_lL_k := T(s_k, s_l)$ and $L_k := \bigvee_{l=0}^{k} {}_lL_k$
  • Definition 15 (General Translation): Let $f$ be an LTL formula, $M$ a Kripke structure and $k \in \mathbb{N}$
  • Theorem 16: $[[M, f]]_k$ is satisfiable iff $M \models_k Ef$
  • Corollary 17: $M \models Af$ iff $[[M, \neg f]]_k$ is unsatisfiable for all $k \in \mathbb{N}$

21
Determining the Bound
  • To check whether $M \models Ef$, the procedure checks $M \models_k Ef$ for $k = 0, 1, 2, \ldots$
  • If $M \models_k Ef$, then the procedure proves that $M \models Ef$ and produces a witness of length $k$.
  • If $M \not\models Ef$, we would have to increment the value of $k$ indefinitely, and the procedure does not terminate

22
Determining the Bound - ECTL
  • ECTL $\subseteq$ ECTL$^*$: the formulas in which each temporal operator is preceded by one E
  • Theorem 18: Given an ECTL formula $f$ and a Kripke structure $M$, let $|M|$ be the number of states in $M$; then $M \models Ef$ iff there exists $k \le |M|$ with $M \models_k Ef$
  • Definition 19 (Diameter): Given a Kripke structure $M$, the diameter of $M$ is the minimal number $d \in \mathbb{N}$ with the following property. For every sequence of states $s_0, \ldots, s_{d+1}$ with $(s_i, s_{i+1}) \in T$ for $i \le d$, there exists a sequence of states $t_0, \ldots, t_l$ where $l \le d$ such that $t_0 = s_0$, $t_l = s_{d+1}$ and $(t_j, t_{j+1}) \in T$ for $j < l$. In other words, if a state $v$ is reachable from a state $u$, then $v$ is reachable from $u$ via a path of length $d$ or less.

23
Determining the Bound - ECTL
  • Theorem 20: Given an ECTL formula $f = EFp$ and a Kripke structure $M$ with diameter $d$, $M \models EFp$ iff there exists $k \le d$ with $M \models_k EFp$.
  • Theorem 21: Given a Kripke structure $M$, its diameter $d$ is the minimal number that satisfies the following formula

24
Determining the Bound - ECTL
  • Definition 22 (Recurrence Diameter): Given a Kripke structure $M$, its recurrence diameter is the minimal number $d \in \mathbb{N}$ with the following property. For every sequence of states $s_0, \ldots, s_{d+1}$ with $(s_i, s_{i+1}) \in T$ for $i \le d$, there exists $j \le d$ such that $s_{d+1} = s_j$.
  • Theorem 23: Given an ECTL formula $f$ and a Kripke structure $M$ with recurrence diameter $d$, $M \models Ef$ iff there exists $k \le d$ with $M \models_k Ef$

25
Determining the Bound - ECTL
  • Theorem 24: Given any Kripke structure $M$, its recurrence diameter $d$ is the minimal number that satisfies the following formula
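Definitions 19 and 22 and the bounds of Theorems 20 and 23, as an added example that is not from the slides or the paper: both diameters are computed by explicit graph search for the slides' 3-bit shift register and for a second constructed four-state structure chosen so that the two bounds differ; the four-state structure and all function names are assumptions.

```python
from collections import deque
from itertools import product

# Added example, not from the slides: diameter (Definition 19) and recurrence
# diameter (Definition 22) of small explicit Kripke structures, by graph search.
def diameter(states, succ):
    """Definition 19: the minimal d such that every path of length d+1 can be
    replaced by a path of length <= d with the same endpoints. That is the
    largest shortest-path distance over reachable pairs, so BFS from every
    state suffices."""
    d = 0
    for src in states:
        dist, queue = {src: 0}, deque([src])
        while queue:
            u = queue.popleft()
            for v in succ(u):
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        d = max(d, max(dist.values()))
    return d

def recurrence_diameter(states, succ):
    """Definition 22: the minimal d such that every path of length d+1 repeats
    a state, i.e. the number of edges on the longest loop-free path."""
    def longest_from(u, seen):
        ext = [1 + longest_from(v, seen | {v}) for v in succ(u) if v not in seen]
        return max(ext, default=0)
    return max(longest_from(s, {s}) for s in states)

# Constructed structure 1: the slides' 3-bit shift register,
# T(x, x') := (x'0 = x1) ∧ (x'1 = x2) ∧ (x'2 = 1), over all 8 bit vectors.
SHIFT_STATES = list(product((0, 1), repeat=3))
def shift_succ(s):
    return [(s[1], s[2], 1)]

# Constructed structure 2: four states, each with a transition to every other
# state; picked so the two bounds diverge (any state is one step away, yet a
# loop-free path can still visit all four states).
CLIQUE_STATES = [0, 1, 2, 3]
def clique_succ(s):
    return [t for t in CLIQUE_STATES if t != s]

def bounds():
    """(diameter, recurrence diameter) per structure: Theorem 20 bounds k for
    EFp by the first, Theorem 23 bounds k for any ECTL formula by the second."""
    return {name: (diameter(st, sc), recurrence_diameter(st, sc))
            for name, st, sc in (("shift", SHIFT_STATES, shift_succ),
                                 ("clique", CLIQUE_STATES, clique_succ))}
```

For the shift register both bounds are 3, so the incrementing procedure of the "Determining the Bound" slide can stop at $k = 3$; for the four-state structure $EFp$ needs only $k \le 1$ while a general ECTL formula needs $k \le 3$.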

26
Determining the Bound - LTL
  • LTL model checking is known to be PSPACE-complete
  • LTL model checking can be reduced to propositional satisfiability and thus it is in NP
  • Theorem 25: Given an LTL formula $f$ and a Kripke structure $M$, let $|M|$ be the number of states in $M$; then $M \models Ef$ iff there exists $k \le |M| \times 2^{|f|}$ with $M \models_k Ef$.

27
Determining the Bound - LTL
  • Definition 26 (Loop Diameter): We say a Kripke structure $M$ is lasso shaped if every path $\pi$ starting from an initial state is of the form $u_\pi v_\pi^\omega$, where $u_\pi$ and $v_\pi$ are finite sequences of length less than or equal to $u$ and $v$, respectively. We define the loop diameter of $M$ as $(u, v)$.
  • Theorem 27: Given an LTL formula $f$ and a lasso shaped Kripke structure $M$, let the loop diameter of $M$ be $(u, v)$; then $M \models Ef$ iff there exists $k \le u + v$ with $M \models_k Ef$.

28
Experimental Results
  • BMC
  • A model checker based on bounded model checking.
  • Its input language is a subset of the SMV language
  • It takes in a circuit description, a property to be proven, and a user-supplied time bound $k$.
  • It then generates the propositional formula.
  • The propositional formula can be solved using tools like SATO

29
Experimental Results
  • Experiments on
  • Sequential multiplier, shift-and-add multiplier
  • Barrel shifter
  • Asynchronous circuit for distributed mutual exclusion
  • For buggy designs (e.g. those without fairness constraints while testing for liveness), the counterexample is obtained easily

30
Conclusion
  • BMC is the first step in applying SAT procedures to symbolic model checking
  • New techniques are needed to determine the diameter of a system
  • Recent work
  • http://www.inf.ethz.ch/personal/biere/papers/papers.html
  • http://sra.itc.it/people/cimatti/publist.html