lect10b.pdf

Overview 

Algorithmic Verification 

Comp3153/9153 

Lecture 10b 

Comp 3153 Ansgar Fehnker 

Model checking 

Explicit state model checking 

� Bottom-up recursive labelling algorithm for CTL 

� LTL tableau or automaton-based algorithms 

Symbolic model checking 

� Efficient algorithm through efficient operations of BDD 

representation of sets 

SAT-based model checking 

� Bounded-model checking uses SAT-solver to show absence 

of counterexamples in finite unrolling of the model 

SAT-solving 

History 


� 1st generation (1960s) 

� DP, DLL 

� 2nd generation (1980s/90s) 

� POSIT, Tableau, … 

� 3rd generation (mid 1990s) 

� SATO, satz, grasp, … 

� 4th generation (2000s) 

� Chaff, BerkMin, … 

� 5th generation? 


Vars 

100000 

10000 

1000 

100 

10 

1 

1960 1970 1980 1990 2000 2010 

Year 

Number of variables tackled by SAT-solvers 

graphs thanks to Daniel Kroening 

Overview 

Modelling 

� Finite automata 

� Büchi automata 

� Kripke structures 

Specification 

� Linear Time Logic 

� Computation Tree Logic 

� CTL* 

Overview 


Today: SAT-based model checking 

Basic Idea 


s 0 

s 0 

s 1 

CTL* 

s 1 

LTL CTL 

Use algorithms that solve (in practice) difficult problems 

efficiently. 

Transform model checking problem to an problem instance 

for that solver. 

SAT-solver are such efficient solvers. 

SAT Solving and Model Checking 

Reminder 

Set of initial states and transition relation can be 

represented as Boolean functions 

SAT-solvers for model checking? 

� Bounded Model Checking 

� SAT-based Abstraction Refinement 


s 2 

1

Bounded Model Checking 

void f(...) { 

... 

while(cond) { 

Body; 

} 

Rest; 

} 



void f(...) { 

... 

if(cond) { 

Body; 

if(cond) { 

Body; 

while(cond) { 

Body; 

} 

} 

} 

Rest; 

} 



void f(...) { 

... 

if(cond) { 

Body; 

if(cond) { 

Body; 

if(cond) { 

Body; 

if(cond) { 

assert(FALSE); 

} 

} 

} 

} 

Rest; 

} 


Rather than checking infinite 

loops, check finite unwinding 

� Unwind while() loops 







� Until the bound k is 

reached 

� Add assertion after last 

iteration. 

Check whether error is 

real or due to 

insufficient bound k. 


void f(...) { 

... 

if(cond) { 

Body; 

while(cond) { 

Body; 

} 

} 

Rest; 

} 

void f(...) { 

... 

if(cond) { 

Body; 

if(cond) { 

Body; 

if(cond) { 

Body; 

while(cond) { 

Body; 

} 

} 

} 

} 

Rest; 

} 










� Until the bound k is 

reached 


Basic Idea 

� Show absence of counterexamples of length k 

� Translate model checking problem to SAT problem 

� Use SAT solver to show absence of counterexamples. 

� Complete for sufficiently large k 


Based on 

presentations Daniel 

Kroening and Ofer 

Shtrichman 

2


Reminder 

� Safety properties 

� Invariants, deadlocks, reachability, etc. 

� Can be checked on finite traces 

� “something bad never happens” 

� Liveness Properties 

� Fairness, response, etc. 

� Infinite traces 

� “something good will eventually happen” 

Safety Properties 


Given a Kripke Stucture M=(S, S 0, R, L) 

The reachable states in k steps are captured by: 

p p p ¬p p 

. . . 

s0 s1 s2 sk-1 sk Safety Properties 


Formulation as SAT problem 

� The safety property p is valid up to step k iff Ω(k) is 

not satisfiable: 

p p p ¬p p 

. . . 

s0 s1 s2 sk-1 sk Comp 3153 Ansgar Fehnker 


Typical property: G p 

Bounded check: Is a state reachable within k steps, 

which satisfies ¬p ? 

p p p ¬p p 

. . . 

s0 s1 s2 sk-1 sk Counterexample for safety properties are finite paths 




The property p fails in one of the states 1..k if 

p p p ¬p p 

. . . 

s0 s1 s2 sk-1 sk Safety Properties 


Example: a two-bit counter 

00 

11 

01 10 

The property holds within 2 steps if Ω(k) is unsatisfiable 


Initial state: I 0= ¬ l ∧ ¬ r 

Transition: R: l’ = (l ≠ r) ∧ 

r’ = ¬ r 

Property: G (¬l ∨ ¬r). 

3

Liveness Properties 

Typical property: F p 

Bounded check: Is there a path of length k, that 

ends in a loop, such that never p ? 

¬p ¬p ¬p ¬p ¬p 

. . . 

s0 s1 s2 sk-1 sk Counterexamples for liveness properties end in a loop 




The property p never holds in the states 1..k if 

¬p ¬p ¬p ¬p ¬p 

. . . 




� The liveness property Fp is valid up to cycle k iff 

Ω(k) is unsatisfiable: 





¬p ¬p ¬p ¬p ¬p 

. . . 




The path ends in a loop if 

¬p ¬p ¬p ¬p ¬p 

. . . 



Example: another bit counter 

00 

11 

Transition: R: l’ = (l ≠ r) ∧ 

01 10 

r’ = ¬ r 

Property: F (l ∧ r). 

The property holds within 2 steps if Ω(k) is unsatisfiable 


Initial state: I 0= ¬ l ∧ ¬ r 

4

LTL 

Checking an arbitrary formula φ 

LTL 

1. Build Buechi Automaton for ¬ φ 

2. Compose A x A ¬ φ 

3. Check if L(A x A ¬ φ ) is empty 

Bounded check: Is there a path of length k, that ends 

in a loop with an accepting state? 


Given Buechi Automaton A= 〈Σ, Q, Q 0,δ, F〉 

LTL 


F 

. . . 



� The LTL formula formula φ is valid up to cycle k iff 

Ω(k) for Buechi automaton A x A ¬ φ is not 

satisfiable: 


LTL 

Given Buechi Automaton A= 〈Σ, Q, Q 0,δ, F〉 

LTL 

Check fairness condition GF f 

L(A) is non-empty if a witness exists 

Witness ends in a loop with some state satisfying f 

F 

. . . 


Given Buechi Automaton 〈Σ, Q, Q 0,δ, F〉 

Path ends in a loop, with accepting state 

F 

. . . 



Safety 

� Check if counterexample of length k exists 

Liveness 

LTL 

� Check if counterexample of length k exists that ends 

in loop 

� Check if accepting run of length k exists in Buechi 

automaton of the negation 


5


BMC-loop 

Resources 

exceeded 

k++ 

no 

k = 0 

BMC(M,φ,k) 

k ⊤ CT ? 


yes 


Completeness Threshold 

� Diameter D(M) = longest shortest path between 

any two reachable states. 

� Recurrence Diameter RD(M) = longest loop-free 

path between any two reachable states. 

� The initialized versions: DI(M) and RDI(M) 

start from an initial state 



Intermediate Summary 

� Show absence of counterexamples of length k 

� Bounded model checking problem can be 

formulated as SAT problem 

� Only complete for sufficiently large k 

� For Safety, Liveness and LTL 

� Also for ACTL or ECTL 

Either A or E 

path quantifiers 

only 




� For every finite model M and LTL property φ there 

exists k s.t. 

� The Completeness Threshold (CT) is the minimal 

such k 

� Clearly if M|≠ φ then CT = 0 

� Computing CT is a model checking problem by itself 




� DI(M) is an upper bound for safety properties 

� RDI(M) +1 is an upper bound for liveness properties 

� Completeness threshold for general LTL is unknown 

� However, in practice the CT is of little interest. Too 

hard to compute, and too large. 


Tuning SAT for BMC 

Common heuristics for general CNF formula 

� Most Frequent in unsatisfied clauses (DLCS) 

� Satisfies the most clauses (DLIS) 

� Satisfies the most shortest clauses (MOM, JW) 

� Conflict Driven (VSIDS) 

⇒ Local sets of variables are satisfied in arbitrary order. 

Static ordering, taking structure of Ω(k) into account, often better 


Based on 

presentations Daniel 

Kroening and Ofer 

Shtrichman 

6


Replicating Clauses 

� If x 3=1, y 7 = 0, z 5 = 1 leads to a conflict, then so 

will x 2=1, y 6 = 0, z 4 = 1 

� Therefore, we can also add: 

(¬x 2 ∨ y 6 ∨ ¬z 4) ∧ … ∧ (¬x 0 ∨ y 4 ∨ ¬z 2) and... 

(¬x 4 ∨ y 8 ∨ ¬z 6) ∧ … ∧ (¬x k-4 ∨ y k ∨ ¬z k-2) 



Summary 

� BMC is available e.g. in NuSMV 

� SAT-based BMC can solve instance that BDD 

symbolic model checkers cannot. 

� And vice versa 

� BMC with SAT for finding shallow errors. 

� BDD-based procedures for proving their absence. 

� BMC and BDD model checkers used as 

complementary methods 



Reusing Clauses 

� Most clauses in Ω(k+1), except encoding of the 

property, last transition, are also in Ω(k) 

� Reuse conflict clause C of Ω(k), if possible, when 

solving Ω(k+1), 


7

lect10b.pdf

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?