Linear Completeness Thresholds for Bounded Model Check - PDF document

LinearCompletenessThresholds forBoundedModelChecking  DanielKroening 1 ,Jo¨ elOuaknine 1 ,OferStrichman 2 ,ThomasWahl 1 , andJamesWorrell 1 1 DepartmentofComputerScience,OxfordUniversity,UK smallcompletenessthresholds.Inthispaper,weshowthatiftheB¨ uchi automatonassociatedwithanLTLformulais cliquey ,i.e.,canbedecom- posedintoclique-shapedstronglyconnectedcomponents,thentheasso- ciatedcompletenessthresholdis linear intherecurrencediameterofthe (BMC)[4,3]isasymbolicbug-“ndingmethodthat searchesforlasso-shapedcounterexamplestoanLTLformulainagivenKripke structure.Withinthreeorfouryearsfollowingitsintroduction,itwasfound tohavealmostentirelyreplacedBDD- basedmodelcheckersinthehardware industry,owingtothefactthatmanyuserscaremoreabout“ndingbugsquickly vastamountsofmemoryandtime.Thism ajorsuccesscanbeattributedmostly totheimpressiveadvancesmadeinSATtechnologyoverthepast10to15years. ThefundamentalapproachunderpinningBMCistolookforcounterexamples, orbugs,ofboundedlength.Assuch,anabsenceofcounterexampleisinconclu- sive;agenuinebugcouldstilllurkdeeperinthesystem.Forthisreason,fromthe  SupportedbytheEUFP7STREPPINCETTE. G.GopalakrishnanandS.Qadeer(Eds.):CAV2011,LNCS6806,pp.557–572,2011. c  Springer-VerlagBerlinHeidelberg2011 558D.Kroeningetal. complete methodwiththeabilityalsotoguaranteetheabsenceofcounterexam- plesofanylength.See,forinsta nce,theoriginalworkofBiere etal. [4],orthe 2008TuringAwardlectureofEdClarke[7],inwhichtheproblemisdescribed asatopicofactiveresearch. In[4],Biere etal. observedthatforsafetypropertiesoftheform G p ,a com- pletenessthreshold isgivenbythe diameter (longestdistancebetweenanytwo states)oftheKripkestructureunderconsideration:indeed,ifnocounterexam- pleto G p oflengthatmostthediameterofthesystemcanbefound,thenno counterexampleofanylengthcanpossibl yexist.Likewise,forlivenessproper- tiessuchas F q ,the recurrencediameter (longestloop-freepath)oftheKripke structurecanbeseentobeanadequatecompletenessthreshold.Butthegeneral problemofdeterminingreasonablytightcompletenessthresholdsforarbitrary LTLformulasremainswideopentothisday. Notethatthediameter(forsafetyproperties)andtherecurrencediameter (forlivenessproperties)arenotmerelysoundbounds,theyarealsoworst-case tight.Inotherwords,nosmallercompleten essthresholdexpres siblestrictlyin termsofthediameterscanbeachieved.Ofcourse,inanyparticularsituation theleastcompletenessthresholdmaywellbeordersofmagnitudesmallerthan thediameter,butdeterminingitsvalueisclearlyatleastashardassolvingthe originalmodel-checkingprobleminthe“rstplace,andwemustthereforebe contentwithsoundbutreasonablytightover-approximations. Inthispaper,wedescribeanecientt echniqueforobtainingfairlytight, lin- ear completenessthresholdsforawiderangeofLTLformulas,asafunctionofthe diameterandrecurrencediameterofanyKripkestructureunderconsideration. AllB¨ uchiautomatathatare cliquey ,i.e.,thatcanbedecomposedintoclique- shapedstronglyconnectedcomponents,a dmitlinearcomplet enessthresholds. Moreover,weshowthatsuchautomatasubsume unarylineartemporallogic , andindeedcompriseawiderangeofformulasusedinpractice,including,for example,thevastmajorityofspeci“cationsappearinginMannaandPnuelis classictextonthespeci“cationofrea ctiveandconcurrentsystems[12]. 1 We alsoshowthatcomputingtheselinearcompletenessthresholdscanbedonein timelinearinthesizeofthegivenB¨ uchiautomata.Finally,weexhibitsome simple(non-cliquey)B¨ uchiautomata,andcorrespondingLTLformulas,having superpolynomial andeven exponential completenessthresholds. Inthepast,researchershavebeenableto achievecompletenessthresholdsby studyingthe product structureoftheKripkemodelandtheB¨ uchiautomaton correspondingtothespeci“cationofinter est;see,e.g.,[6,1].Suchthresholds areingeneralincomparablewiththeoneswepresentinthispaper.Moreover, asigni“cantdisadvantageoftheearlierapproachisthatitrequiresonetoin- vestigateastructurewhichisoftenmuchtoolargeandunwieldytoconstruct, letaloneperformanycalculationsupon.Anotherbene“tofthepresentap- proachisthat,oncethediameterandrecurrencediameterofagivenKripke structureareknown(orover-approximated),theycanbeputtouseagainstany 1 Forinstance,speci“cationssuchas conditionalsafety , guarantee , obligation , response , persistence , reactivity , justice , compassion ,etc.,allfallwithinourframework. 560D.Kroeningetal.and()withs,s)=(Notethatthelabellingfunctionsofanddeterminewhichstatesexist(arevalid)intheproduct.Thereisatransitionintheproducticorrespondingtransitionsarepresentinbothcomponents.Forourpurposes,thelabellingofstatesintheproductautomatonisirrelevant.Finally,theacceptancesetfamilyisderivedfromthatoftheB¨uchiautomaton.TheproductconstructionisrelatedtoLTLmodelcheckingasfollows:Theorem1([9]).LetbeaKripkestructureandanLTLformula.ThereexistsageneralisedB¨uchiautomatonsuchthatexactlyifhasnoacceptingpath.In“gures,werepresentB¨uchiautomataasdirectedgraphs.Initialstateshaveanincomingedgewithoutsource.Acceptingstatesaredrawnas“lleddiscs(ourillustratingexamplesallhaveasingletonacceptancesetfamily,inotherwordstheyaresimpleB¨uchiautomata),andotherstatesaredrawnashollowcircles.InKripkestructures(cf.Figure4),wedepictthelabelofastateasasetofpropositions,omittingthebracesForaKripkestructure,wewritetodenotethateverylasso-shaped-boundedpathsatis“escompletenessthresholdforandisanintegersuchthatThisde“nitionre”ectstheintuitionbehindboundedmodelchecking:assumingthatthereisnocounterexampletooflengthatmostshouldholdinWecangeneralisethisde“nitiontoB¨uchiautomataasfollows:acompletenessthresholdforaKripkestructureandaB¨uchiautomatonisanyintegersuchthat,ifhasanyacceptingpath,thenithasa-boundedlasso-shapedacceptingpath.Withthesede“nitions,anintegerisacompletenessthresholdforaKripkestructureandformulapreciselyifitisacompletenessthresholdforand,whereistheresultoftranslatingintoanyequivalentgeneralisedB¨uchiautomaton.Thefollowingarekeynotionsinthispaper:Denition2.LetbeaKripkestructure.Thedistancefromastateastateisthelengthofashortestpathfrom(orifthereisnosuchpath).Thediameter,denoted,isthelargestdistancebetweenanytworeachablestates(‘longestshortestpath’).Therecurrencediameterdenotedrd,isthelengthofalongestsimple(loop-free)paththrough3B¬uchiAutomatawithLinearCompletenessThresholdsGivenaKripkestructureandanLTLformula,itisclearthatdeterminingthesmallestcompletenessthresholdisatleastashardasthemodel-checkingprob-lemitself,andisthusnotsomethingweareaimingtoachieve.Rather,the 564D.Kroeningetal. Acomplicationisthat,sincewedonothavetheconcreteKripkestructure athand,thecostsofmovingfromcliquetocliquearegivensymbolically,by expressionsoftheformappearinginTable1.Thus,whencomparingthelengths ofpathstoaparticularcliquefoundsofar,insteadofrecordingthenewlength asthenumericalmaximumofthetwogivenlengths,werecorditasthe symbolic maximum ofthetwolengthexpressions.The“nalresultreportedbythefunction willthusbeanexpressioninvolvingtheparameters d and rd oftheunknown Kripkestructure,aswellas linear operatorsconnectingthem,suchasaddition, constantmultiplication,andmax. ThetraversaloftheSCCquotientgraphisshowninAlgorithm1.Itassumes theB¨ uchiautomatonhasauniqueinitialclique C 0 (i.e.,acliquecontaining initialstatesof B );wehandlethegeneralcasebelow.Thealgorithmkeepsthe costoftraversingaclique,ascomputedinTable1,inanarray cost ,andthecost ofreachingandtraversingacliqueinanarray reach ,bothasanon-“naland “nalclique(thelatterstoredinarrayswithsubscript f ).The reach valuesare initialisedto0.Fortheinitialclique,thesevaluesaresettothecosttotraverse it(Line4). Algorithm1. MaximumlengthofanSAPin M × B Input : B withinitialclique C 0 0: foreach clique C do 1:initialise cost [ C ], cost f [ C ]asinTable1 2: reach [ C ]:= reach f [ C ]:=0 3: endfor 4: reach [ C 0 ]:= cost [ C 0 ], reach f [ C 0 ]:= cost f [ C 0 ] 5: foreach clique C of B inatopologicalorder,startingat C 0 do 6: foreach successorclique D of C do 7: reach [ D ]:=max { reach [ D ] , reach [ C ]+ cost [ D ] } 8: if D isaccepting then 9: reach f [ D ]:=max { reach f [ D ] , reach [ C ]+ cost f [ D ] } 10: endif 11: endfor 12: endfor 13: return max { reach f [ C ] | C isaccepting } Thealgorithmtraversesthecliques C of B insometopologicalorder,starting with C 0 ,andexaminesallof C ssuccessorcliques D .Value reach isupdatedto themaximumofitscurrentvalueandthevalueobtainedbyreaching D via C . Value reach f isupdatedanalogously,butonlyif D isaccepting.Afterprocessing allcliquesthisway,thealgorithmreturnsthemaximumofthevalues reach f [ C ] overallacceptingcliques. If B hasseveralinitialcliques,thealgorithmisperformedforeachofthem inturn;inthiscasewereturnthemaximumoverallvaluesobtained,asthe maximumlengthofanSAP,foranyKripkestructure M . 568D.Kroeningetal.CombiningTheorem5andLemma10yieldsoneofourmainresults:Theorem11.EveryUTLXformulaadmitsalinearcompletenessthreshold.Finally,onemaywonderwhetherLTLXformulasthathaveacliqueyrepresen-tationareinfactalwaysequivalenttosomeUTLXformula.Theanswerisno,asournextresultshows:Lemma12.LTLthereexistLTLXformulasthatdohaveacliqueyrepresentationyetarenotequivalenttoanyUTLXformula.Proof(sketch)a,b,cbedistinctelementsof2,andconsiderthelanguage.b.iscapturedbytheLTLXformula)),anditisalsoclearthatiscliquey.Usingtheresultsof[17],onecanshowthatthislanguageisinexpressibleinUTL(letaloneUTLX).Forexample,onecancomputethesyntacticmonoidassociatedwithandinvokethecharacterisationofsyntacticmonoidsofUTL-de“nablelanguagesfrom[17]toobtainthedesiredresult.Weomitthedetails.Figure2summarisesourexpressivenessresults.Allinclusionsarestrict.  Fig.2.Relationshipsamongvariousclassesof-regularlanguages5BeyondCliqueynessTwonaturalquestionsariseastowhethercliqueynessisnecessaryinordertoachievealinearcompletenessthreshold,andwhetherthereactuallyareanyregularlanguagesthatfailtohavelinearcompletenessthresholds.Weanswerthe“rstquestionnegativelyandthesecondonepositively.Infact,weshowthat-regularlanguagescanbeengineeredtohavecompletenessthresholdsboundedbelowintheworstcasebysuperpolynomialandevenexponentialfunctionsoftherecurrencediameterofKripkestructures.5.1LinearCompletenessThresholdswithoutCliqueynessConsidertheB¨uchiautomatondepictedinFigure1(b).Itisclearlynotcliqueyandisinfactsemanticallynon-cliquey,i.e.,notequivalenttoanycliqueyB¨uchi 570D.Kroeningetal. Fig.4. Kripkestructurefamily( M i )  i =1 witnessinganon-linearcompletenessthreshold AnSAPof  = M × B ,however,musttake all q -loops.Toseethis,consider theinitialstateof  ,whichislabelled( { p,q } ,p ¬ r ). B doesnotallowan r -stateassuccessor(bothpossibletransitions[oneofwhichisa B -self-loop] requiresuccessorssatisfying ¬ r ).Thusthejointpathmustenterthe“rst q - loop.Duringthisloop, B staysinthe( q ¬ r )-state,uptoandincludingthe timewhen M “nishestheloopandarrivesbackatthe p,q -state.Atthistime theshortestpathcontinuesatthestatelabelled( { r } ,r !),followedbythestate labelled( { p,q } ,p ¬ r ),atwhichpointitisforcedintothenext q -loopof M i . Notethat,forthispathtobe accepting,ithastovisitan r -stateof M i in“nitely often,whichisonlypossibleviatheself-loopreachable after allthe q -loopshave beentaken. Havingtogothrough i loopseachofsize i ,anSAPof  haslengthatleast i 2 . Combiningthiswiththesizeoftherecurrencediameterofatmost4 i ,wesee thatthecompletenessthresholdfor B isatleast quadratic intherecurrence diameterofKrip kestructures.  ItisnotdiculttoseeourfamilyofKripkestructurescaninfactbemodi“ed toexhibita cubic completenessthresholdforourverysameautomaton B ,by modifyingtheloopsslightlyandgraftingafurtheradditionalfamilyofloops ontoeachofthem.Inthisvein,oneseesth atcompletenessthresholdsexceeding anygivenpolynomialcaninfactbeachieved,sothatourformula  andB¨ uchi automaton B have superpolynomial completenessthreshold. Infact,even exponential completenessthresholdscanbeachievedforLTL formulas. 4 ConsiderafamilyofKripkestructures,eachofwhichresemblesa fullbinarytree,withbidirectionale dgesbetweeneveryparentandchild.The recurrencediameterofanysuchstructureisthelengthofalongestloop-freepath fromoneleaftoanother,andisthereforelogarithmicinthesizeofthestructure. ThesestructurescanhoweverbeinstrumentedinsuchawaythatacertainLTL formulaforcestheuniqueacceptingpathto performadepth-“r sttraversalofthe entiretree,resultinginapathoflength exponentialintherecurrencediameter. Toachievethis,atomicpropositionsareusedtokeeptrackofthedepthofnodes modulo3,andfurtherpropositionslabeltheroot,leaves,andleftandright 4 Wearegratefultooneoftheanonymousrefereesforthisobservation. LinearCompletenessThresholdsforBoundedModelChecking571childrenaccordingly.Atraversalofthetreeisthenorchestratedbyrequiringthat(i)wheneveraninteriornodeisenteredfromabove(whichisdeterminedbyknowledgeofthedepthsmodulo3ofthepresentnodeandthatofthepreviousone),thentheleftchildshouldbevisitednext;(ii)wheneveranon-leafnodeisreturnedtofromaleftchild,thentherightchildshouldbevisitednext;and(iii)wheneveranon-leafnodeisreturnedtofromarightchild,thentheparentnodeshouldbevisitednext.Finally,therightmostleafislabelledwithaspecialpropositionwhichtheformularequirestoholdeventually.6ConcludingRemarksWehavepresentedamethodforcalculatingfairlytight,linearcompletenessthresholdsforalargeclassofLTLspeci“cations.Thealgorithmweproposeishighlyecient,runningintimelinearinthesizeoftheB¨uchiautomaton.Severalpotentialbottleneckshoweverremain,includingthefollowingtwo:ComputingthediameterandrecurrencediameterofalargeKripkestructurecanbecomputationallyprohibitive;onepossibleremedymightbetosettlefortractableover-approximationsofthediameters,asin[2],inatrade-owhichwouldlikelyrequirecarefulconsideration.Ithasoftenbeenempiricallyobservedthatboundedmodelcheckingcom-putationstendnottoscaleupverywell.SincemanyKripkestructureshavedeeprecurrencediameters(oftheorderofthetotalnumberofstates,forexample),onecanexpectthatexploringthesystemtotherequireddepthproveincertaincasestobeintractable.Nonetheless,thisisanareaofactiveresearchinwhichprogressisbeingmadeonseveralfronts.Ourhopeisthatthetechniquespresentedheremayprovebene“-cialnotonlytopractitioners,butalsotootherresearcherswhosetechnologyitmightpotentiallycomplement.Alongsidethesepracticalconsiderations,twointerestingtheoreticalquestionsarise:(i)isitdecidablewhetheragivenLTLformula(ormoregenerallyagiven-regularlanguage)hasalinearcompletenessthreshold;and(ii)isthecomplete-nessthresholdofan-regularlanguagealwayseitherlinearorsuperpolynomial?Weleavethesequestionsasfurtherresearch.References1.Awedh,M.,Somenzi,F.:Provingmorepropertieswithboundedmodelchecking.In:Alur,R.,Peled,D.A.(eds.)CAV2004.LNCS,vol.3114,pp.96…108.Springer,Heidelberg(2004)2.Baumgartner,J.,Kuehlmann,A.,Abraham,J.A.:Propertycheckingviastructuralanalysis.In:Brinksma,E.,Larsen,K.G.(eds.)CAV2002.LNCS,vol.2404,p.151.Springer,Heidelberg(2002)3.Biere,A.,Cimatti,A.,Clarke,E.,Strichman,O.,Zhu,Y.:Boundedmodelchecking.AdvancesinComputers58,118…149(2003)