Linear Completeness Thresholds for Bounded Model Check - PDF document

BMCintoacompletemethodwiththeabilityalsotoguaranteetheabsenceofcounterexamplesofanylength.See,forinstance,theoriginalworkofBiereetal.[4],orthe2008TuringAwardlectureofEdClarke[7],inwhichtheproblemisdescribedasatopicofactiveresearch.In[4],Biereetal.observedthatforsafetypropertiesoftheformGp,acom-pletenessthresholdisgivenbythediameter(longestdistancebetweenanytwostates)oftheKripkestructureunderconsideration:indeed,ifnocounterexam-pletoGpoflengthatmostthediameterofthesystemcanbefound,thennocounterexampleofanylengthcanpossiblyexist.Likewise,forlivenessproper-tiessuchasFq,therecurrencediameter(longestloop-freepath)oftheKripkestructurecanbeseentobeanadequatecompletenessthreshold.ButthegeneralproblemofdeterminingreasonablytightcompletenessthresholdsforarbitraryLTLformulasremainswideopentothisday.Notethatthediameter(forsafetyproperties)andtherecurrencediameter(forlivenessproperties)arenotmerelysoundbounds,theyarealsoworst-casetight.Inotherwords,nosmallercompletenessthresholdexpressiblestrictlyintermsofthediameterscanbeachieved.Ofcourse,inanyparticularsituationtheleastcompletenessthresholdmaywellbeordersofmagnitudesmallerthanthediameter,butdeterminingitsvalueisclearlyatleastashardassolvingtheoriginalmodel-checkingproblemintherstplace,andwemustthereforebecontentwithsoundbutreasonablytightover-approximations.Inthispaper,wedescribeanecienttechniqueforobtainingfairlytight,lin-earcompletenessthresholdsforawiderangeofLTLformulas,asafunctionofthediameterandrecurrencediameterofanyKripkestructureunderconsideration.AllBuchiautomatathatarecliquey,i.e.,thatcanbedecomposedintoclique-shapedstronglyconnectedcomponents,admitlinearcompletenessthresholds.Moreover,weshowthatsuchautomatasubsumeunarylineartemporallogic,andindeedcompriseawiderangeofformulasusedinpractice,including,forexample,thevastmajorityofspecicationsappearinginMannaandPnueli'sclassictextonthespecicationofreactiveandconcurrentsystems[12].3WealsoshowthatcomputingtheselinearcompletenessthresholdscanbedoneintimelinearinthesizeofthegivenBuchiautomata.Finally,weexhibitsomesimple(non-cliquey)Buchiautomata,andcorrespondingLTLformulas,havingsuperpolynomialandevenexponentialcompletenessthresholds.Inthepast,researchershavebeenabletoachievecompletenessthresholdsbystudyingtheproductstructureoftheKripkemodelandtheBuchiautomatoncorrespondingtothespecicationofinterest;see,e.g.,[6,1].Suchthresholdsareingeneralincomparablewiththeoneswepresentinthispaper.Moreover,asignicantdisadvantageoftheearlierapproachisthatitrequiresonetoinves-tigateastructurewhichisoftenmuchtoolargeandunwieldytoconstruct,letaloneperformanycalculationsupon.Anotherbenetofthepresentapproachisthat,oncethediameterandrecurrencediameterofagivenKripkestructureareknown(orover-approximated),theycanbeputtouseagainstanynum- 3Forinstance,specicationssuchasconditionalsafety,guarantee,obligation,response,persistence,reactivity,justice,compassion,etc.,allfallwithinourframework.2 {R00=f((s1;s01);(s2;s02))2S00S00j(s1;s2)2Rand(s01;s02)2R0g{L00:S00!2APB(AP)withL00(s;s0)=(L(s);L0(s0)){A00=f(ST0)\S00jT02A0g.NotethatthelabellingfunctionsofMandBdeterminewhichstatesexist(arevalid)intheproductMB.Thereisatransitionintheproducticorrespondingtransitionsarepresentinbothcomponents.Forourpurposes,thelabellingofstatesintheproductautomatonisirrelevant.Finally,theacceptancesetfamilyA00isderivedfromthatoftheBuchiautomaton.TheproductconstructionisrelatedtoLTLmodelcheckingasfollows:Theorem1([9])LetMbeaKripkestructureand'anLTLformula.ThereexistsageneralisedBuchiautomatonB:'suchthatMj='exactlyifMB:'hasnoacceptingpath.Ingures,werepresentBuchiautomataasdirectedgraphs.Initialstateshaveanincomingedgewithoutsource.Acceptingstatesaredrawnaslleddiscs(ourillustratingexamplesallhaveasingletonacceptancesetfamily,inotherwordstheyaresimpleBuchiautomata),andotherstatesaredrawnashollowcircles.InKripkestructures(cf.Figure4),wedepictthelabelofastateasasetofpropositions,omittingthebracesfg.ForaKripkestructureM,wewriteMj=k'todenotethateverylasso-shapedk-boundedpathinMsatises'.AcompletenessthresholdforMand'isanintegerksuchthatMj=k')Mj=':Thisdenitionre ectstheintuitionbehindboundedmodelchecking:assumingthatthereisnocounterexampleto'oflengthatmostk,'shouldholdinM.WecangeneralisethisdenitiontoBuchiautomataasfollows:acompletenessthresholdforaKripkestructureMandaBuchiautomatonBisanyintegerksuchthat,ifMBhasanyacceptingpath,thenithasak-boundedlasso-shapedacceptingpath.Withthesedenitions,anintegerkisacompletenessthresholdforaKripkestructureMandformula'preciselyifitisacompletenessthresholdforMandB:',whereB:'istheresultoftranslating:'intoanyequivalentgeneralisedBuchiautomaton.Thefollowingarekeynotionsinthispaper:Denition2LetMbeaKripkestructure.Thedistancefromastatestoastatetisthelengthofashortestpathfromstot(or1ifthereisnosuchpath).ThediameterofM,denotedd(M),isthelargestdistancebetweenanytworeachablestates(`longestshortestpath').TherecurrencediameterofM,denotedrd(M),isthelengthofalongestsimple(loop-free)paththroughM.3BuchiAutomatawithLinearCompletenessThresholdsGivenaKripkestructureandanLTLformula,itisclearthatdeterminingthesmallestcompletenessthresholdisatleastashardasthemodel-checkingprob-lemitself,andisthusnotsomethingweareaimingtoachieve.Rather,the4 ioflengthjij�1exceedsM'srecurrencediameterrd.Thuswecanndtwoproductstatesoftheform(m;b)and(m;b0)alongthissegment.Let(m00;b00)bethesuccessorof(m;b0)alongi(notethat(m00;b00)stillbelongstoi):(m;b) (m;b0)!(m00;b00):From(m;b0)!(m00;b00)in,weconcludem!m00inM.SinceCiisaclique,weconcludeb!b00inB.Hence,(m;b)!(m00;b00)in.This,however,contradictsthefactthatisanSAPthrough.Therefore,jijrd+1.ConsidernowthenalSCCCs,andletthefamilyofacceptingsetsofBbeA=fA1;:::;Ang.ThesegmentsoftraversingCsvisitseachAiinnitelyoften.SinceeachAiisnite,thereexistsinfactaxedstateai2Aiineachofthemthatisvisitedinnitelyoften.Segmentsthuslookslikethis:(m;b) (m1;a1) (m2;a2) ::: (mn;an) (m;b):Usingthesameargumentasinthenon-nalcase,eachsegmentabbreviatedby haslengthatmostrd+1(otherwise,ashorteracceptingpathcouldbeconstructed).Asaresult,jsj(n+1)(rd+1).Intotal,jj(s�1)(rd+1)+(n+1)(rd+1),clearlyinducingalinearcompletenessthreshold,forexamplewithconstantc=2(s+n)(notethatsandnareparametersofBanddonotdependonM).3.2ComputingCompletenessThresholdsofCliqueyAutomataTheproofinSection3.1establisheslinearityofthecompletenessthresholdforcliqueyBuchiautomata.Itis,however,verycoarse.Amongothers,theargumentignoresthestructureoftheSCCquotientgraph.Inthefollowing,wegiveahigher-orderalgorithmthattakesacliqueyBuchiautomatonBasinputandreturnsafunctionctovertwoarguments.WhensuppliedwiththediameterdandtherecurrencediameterrdofaKripkestructureM,thisfunctionreturnsacompletenessthresholdforMandB:sap(MB)ct(d;rd).ExploitingthefactthatBiscliquey,ct(d;rd)willbelinearindandrd.Thealgorithmproceedsintwostages.Intherststage,eachcliqueintheSCCquotientgraphofBisassignedacost,asafunctionofdandrd,oftraversingitintheproductautomatonMB,namelythemaximumlengthapathsegmentcan`spend'inthisclique,giventhatthepathisanSAP.Inthesecondstage,thealgorithmtraversestheSCCquotientgraph,inordertosymbolicallycomputerespectivelongestpathsfrominitialcliquestoallcliques,usingthecostmeasurescomputedduringtherststage.Theresultreturnedbyfunctionctisthenthemaximumpathlengthcomputed,overallcliquesthatcouldpotentiallyserveasthecliquevisitedlastalonganacceptingpath.TheCostofTraversingaClique.ForageneralisedBuchiautomatonBwithacceptingsetsA1;:::;An,callacliqueCinBacceptingifforeachi2f1;:::;ng,C\Ai6=;.Suchacliquecontainsastatefromeachacceptingsetandisthus6 TheCostofTraversingtheSCCQuotientGraph.Thesecondstageisto`collect'thecostswehavecomputedpercliqueinstage1.WhichcliquesofBarevisitedinanactualSAPinMBofcoursedependsonM.ForourresultstoholdoveranyKripkestructure,wedeterminealongestpaththroughtheSCCquotientgraph.Thisquotientgraphisacyclic,sothatthesingle-sourcelongestpathproblemcanbesolvedintimelinearinthenumberofquotientedges,bytraversingthegraphintopologicalorder.Acomplicationisthat,sincewedonothavetheconcreteKripkestructureathand,thecostsofmovingfromcliquetocliquearegivensymbolically,byexpressionsoftheformappearinginTable1.Thus,whencomparingthelengthsofpathstoaparticularcliquefoundsofar,insteadofrecordingthenewlengthasthenumericalmaximumofthetwogivenlengths,werecorditasthesymbolicmaximumofthetwolengthexpressions.ThenalresultreportedbythefunctionwillthusbeanexpressioninvolvingtheparametersdandrdoftheunknownKripkestructure,aswellaslinearoperatorsconnectingthem,suchasaddition,constantmultiplication,andmax.ThetraversaloftheSCCquotientgraphisshowninAlgorithm1.ItassumestheBuchiautomatonhasauniqueinitialcliqueC0(i.e.,acliquecontaininginitialstatesofB);wehandlethegeneralcasebelow.Thealgorithmkeepsthecostoftraversingaclique,ascomputedinTable1,inanarraycost,andthecostofreachingandtraversingacliqueinanarrayreach,bothasanon-nalandnalclique(thelatterstoredinarrayswithsubscriptf).Thereachvaluesareinitialisedto0.Fortheinitialclique,thesevaluesaresettothecosttotraverseit(Line4). Algorithm1MaximumlengthofanSAPinMB Input:BwithinitialcliqueC00:foreachcliqueCdo1:initialisecost[C],costf[C]asinTable12:reach[C]:=reachf[C]:=03:endfor4:reach[C0]:=cost[C0],reachf[C0]:=costf[C0]5:foreachcliqueCofBinatopologicalorder,startingatC0do6:foreachsuccessorcliqueDofCdo7:reach[D]:=maxfreach[D];reach[C]+cost[D]g8:ifDisacceptingthen9:reachf[D]:=maxfreachf[D];reach[C]+costf[D]g10:endif11:endfor12:endfor13:returnmaxfreachf[C]jCisacceptingg ThealgorithmtraversesthecliquesCofBinsometopologicalorder,startingwithC0,andexaminesallofC'ssuccessorcliquesD.ValuereachisupdatedtothemaximumofitscurrentvalueandthevalueobtainedbyreachingDviaC.8 Forexample,acliqueofthreestates,withtheentrystatelabelleda,exitstatelabelledbandathirdstatelabelledc,wherea;b;c22AP,isencodedasaregularexpressiona:fa;b;cg:b.Expression(1)canbeturnedintoastar-free!-regularexpressionbyreplac-ingthesubexpressionsL(Cl)by ;: L(Cl): ;,where Xdenotescomplementation.Beingstar-free,itiswell-knownthatthisexpressionisequivalenttoasuitableLTLformula[10,15].Lemma7CL6LTLnX:thereexistcliqueyautomatathatcannotbeencodedasLTLnXformulas.Proof:ConsidertheBuchiautomatonBinFigure1(a).Biscliquey:thetwop-labelledstatesformoneSCC,theq-labelledstateformstheotherSCC,andbotharecliques.Bdoesnot,however,correspondtoanyLTLnXformula:B'slanguagecontainsthewordfpg:fpg:fqg!,butnotthewordfpg:fqg!.Sincethesetwowordsarestutteringequivalent,anencodingofBasanLTLnXformulawouldviolatethestutteringclosureofLTLnX.(a) (b) Fig.1.(a)AcliqueyBuchiautomatonthatdoesnotcorrespondtoanyLTLnXformula;(b)Anon-cliqueyBuchiautomatonwithlinearcompletenessthresholdLemma8LTLnX6CL:notallLTLnXformulashaveacliqueyautomatonencoding.Proof:LetAP=fp;q;rg,andletp!beashort-handnotationforp^:q^:r,andsimilarlyforq!andr!.ConsidertheLTLnXformula'=p!^G((p!)(p!Uq!))^(q!)(q!Ur!))^(r!)(r!Up!))):(2)Toprovethat'doesnothaveacliqueyBuchiencoding,werstshow:Property9AnycliqueyBuchiautomatonoverAP=fp;q;rgthatacceptstheword(fpg:fqg:frg)!alsoacceptssomewordin(2AP):fqg:fpg:(2AP).Proof:LetBbecliqueyandacceptw:=(fpg:fqg:frg)!.WeshowthatBalsoacceptssomewordwiththesubstringfqg:fpg.AnypathinBalongwhichwisacceptedcontainsinnitelymanystateswithalabelthatissatisedbyfpg.SinceBhasnitelymanystates,thesestatesarenotalldierent;letbbeastatewithsuchalabelthatoccurstwicealong.Letcbethestatefollowingtherstoccurrenceofb;thelabelofcissatisedbyfqg.Sincecisbetweentwo10 onlyif 2s.Thestate-labellingfunctionL:S!B(AP)isdenedbyL(s)=V(s\AP)^Vf:pjp2APnsg.ThetransitionrelationRconsistsofthosepairs(s;t)suchthat(i) �F 2tieither 2tor �F 2s,(ii)F 2sand 62simpliesF 2t,and(iii):F 2simplies:F 2t.TheacceptingsetfamilyisA=fAF jF 2cl(')g,whereAF =fsj 2sorF 62sg.ThiscompletesthedenitionofA'.WenallyarguethatautomatonA'iscliquey:bythedenitionofthetran-sitionrelationofA',statessandtareinthesameconnectedcomponentist.Anytwostatessandtwithstareconnectedbyatransition.CombiningTheorem5andLemma10yieldsoneofourmainresults:Theorem11EveryUTLnXformulaadmitsalinearcompletenessthreshold.Finally,onemaywonderwhetherLTLnXformulasthathaveacliqueyrep-resentationareinfactalwaysequivalenttosomeUTLnXformula.Theanswerisno,asournextresultshows:Lemma12LTLnX\CL6UTLnX:thereexistLTLnXformulasthatdohaveacliqueyrepresentationyetarenotequivalenttoanyUTLnXformula.Proof(sketch):Leta;b;cbedistinctelementsof2AP,andconsiderthelanguageL=(a+b+c):a:a:b:(a+b+c)!.LiscapturedbytheLTLnXformulaF(a^(aUb)),anditisalsoclearthatLiscliquey.Usingtheresultsof[17],onecanshowthatthislanguageisinexpressibleinUTL(letaloneUTLnX).Forexample,onecancomputethesyntacticmonoidassociatedwithLandinvokethecharacterisationofsyntacticmonoidsofUTL-denablelanguagesfrom[17]toobtainthedesiredresult.Weomitthedetails.Figure2summarisesourexpressivenessresults.Allinclusionsarestrict. Fig.2.Relationshipsamongvariousclassesof!-regularlanguages12 5BeyondCliqueynessTwonaturalquestionsariseastowhethercliqueynessisnecessaryinordertoachievealinearcompletenessthreshold,andwhetherthereactuallyareany!-regularlanguagesthatfailtohavelinearcompletenessthresholds.Weanswertherstquestionnegativelyandthesecondonepositively.Infact,weshowthat!-regularlanguagescanbeengineeredtohavecompletenessthresholdsboundedbelowintheworstcasebysuperpolynomialandevenexponentialfunctionsoftherecurrencediameterofKripkestructures.5.1LinearCompletenessThresholdswithoutCliqueynessConsidertheBuchiautomatonBdepictedinFigure1(b).Itisclearlynotcliqueyandisinfactsemanticallynon-cliquey,i.e.,notequivalenttoanycliqueyBuchiautomaton.Toseethis,observethatBacceptsthewordw:=(fpg:fqg:frg)!,yetnowordwiththesubstringfqg:fpg.ByProperty9,Bcannotbeequivalenttoacliqueyautomaton.WeclaimthatBnonethelesshasalinearcompletenessthreshold:namely,foranyKripkestructureM,sap(MB)rd(M)+1.Indeed,ifanSAPhadlengthgreaterthanrd(M)+1,itsprojectionontoMwouldhavetoexhibitan`inner'loopthatforsomereasoncouldnotbecutout.Astraightforwardcaseanalysisthenquicklyleadstoacontradiction.5.2BuchiAutomatawithNon-LinearCompletenessThresholdsOntheotherhand,noteveryLTLformulaandinfactnoteveryLTLnXformulahasalinearcompletenessthreshold.Considerthenon-cliqueyautomatonBinFigure3,whichencodestheLTLnXformula'=p^:r^G((p^:r))((p^:r)U(q^:r))^(q^:r))((q^:r)Ur!)^r!)(r!U(p^:r)_Gr!)):Again,thenotationr!isshortforr^:p^:q. Fig.3.Anon-cliqueyBuchiautomatonwithsuperpolynomialcompletenessthresholdToshowthatBhasnolinearcompletenessthreshold,weconstructacollec-tion(Mi)1i=1ofKripkestructuressuchthat,foreachi,wehavesap(MiB)i=4
rd(Mi).13 Alongsidethesepracticalconsiderations,twointerestingtheoreticalquestionsarise:(i)isitdecidablewhetheragivenLTLformula(ormoregenerallyagiven!-regularlanguage)hasalinearcompletenessthreshold;and(ii)isthecomplete-nessthresholdofan!-regularlanguagealwayseitherlinearorsuperpolynomial?Weleavethesequestionsasfurtherresearch.References1.MohammadAwedhandFabioSomenzi.Provingmorepropertieswithboundedmodelchecking.InCAV,pages96{108,2004.2.JasonBaumgartner,AndreasKuehlmann,andJacobA.Abraham.Propertycheck-ingviastructuralanalysis.InCAV,pages151{165,2002.3.ArminBiere,AlessandroCimatti,EdmundClarke,OferStrichman,andYunshanZhu.Boundedmodelchecking.AdvancesinComputers,58:118{149,2003.4.ArminBiere,AlessandroCimatti,EdmundClarke,andYunshanZhu.SymbolicmodelcheckingwithoutBDDs.InTACAS,pages193{207,1999.5.EdmundClarke,OrnaGrumberg,andDoronPeled.ModelChecking.MITPress,2000.6.EdmundClarke,DanielKroening,JoelOuaknine,andOferStrichman.Complete-nessandcomplexityofboundedmodelchecking.InVMCAI,pages85{96,2004.7.EdmundM.Clarke,E.AllenEmerson,andJosephSifakis.Modelchecking:Algo-rithmicvericationanddebugging.CACM,52(11):75{84,2008.8.MalayGanai,AartiGupta,andPranavAshar.EcientSAT-basedunboundedsymbolicmodelcheckingusingcircuitcofactoring.InICCAD,pages510{517,2004.9.RobGerth,DoronPeled,MosheVardi,andPierreWolper.Simpleon-the- yautomaticvericationoflineartemporallogic.InPSTV,pages3{18,1995.10.HansKamp.TenseLogicandtheTheoryofLinearOrder.PhDthesis,UniversityofCalifornia,1968.11.LeslieLamport.Whatgoodistemporallogic?InIFIPCongress,pages657{668,1983.12.ZoharMannaandAmirPnueli.TheTemporalLogicofReactiveandConcurrentSystems|Specication.Springer,1991.13.KennethMcMillan.ApplyingSATmethodsinunboundedsymbolicmodelcheck-ing.InCAV,pages250{264,2002.14.KennethMcMillan.InterpolationandSAT-basedmodelchecking.InCAV,pages1{13.Springer,2003.15.Marcel-PaulSchutzenberger.Onnitemonoidshavingonlytrivialsubgroups.InformationandControl,8(2):190{194,1965.16.MarySheeran,SatnamSingh,andGunnarStalmarck.CheckingsafetypropertiesusinginductionandaSAT-solver.InFMCAD,pages108{125,2000.17.DenisTherienandThomasWilke.Overwords,twovariablesareaspowerfulasonequantieralternation.InSTOC,pages234{240,1998.16