1. Bounded Model Checking
2. 01.11.2019
3. Contents
Motivation
What is Bounded Model Checking?
Translation from Bounded MC to SAT
Completeness
4. Prerequisites
General Model Checking
Temporal Logic
Omitted Content
SAT
Practical Examples
7. Model checking exhaustively examines the reachable states of a program. It is guaranteed to terminate if the state space is finite, and it produces counterexamples.
8. Model checking algorithms use instructions in the program to generate sets of states to be analyzed. These states must be stored to ensure that they are visited at most once.
9. STATE-SPACE EXPLOSION
10. Timeline
1977: Abstract Interpretation (abstract state analysis)
1986: Binary Decision Diagrams
1993: Counter-Example Abstraction Refinement
1996: Partial order reduction
1999: Bounded Model Checking
Explicit-state model checking: a few thousand states. Symbolic model checking: around 10^20 states.
12. Why do we do what we do? To provide a rigorous guarantee of quality, in a highly automated and scalable way, in order to cope with the enormous complexity of software systems.
13. Why BMC instead of BDD? Wrong question. BMC sacrifices verification in favour of finding (minimal) counterexamples. For verification, use BDD.
14. When to use BMC instead of BDD? Sometimes the state space is infinite. Sometimes you have little faith in the system. BDD needs more manual guidance in order to optimize.
15. Idea: search for counterexamples in executions whose length is bounded by some integer k. If a counterexample is found, return it. If not, increase k until the problem becomes intractable or you have reached the completeness threshold. The BMC problem can be reduced to SAT (and SAT solvers have become really efficient). In 2003, k between 60 and 80 outperformed BDD-based techniques.
16. Safety: what should not happen. Liveness: what should eventually happen.
17. Kripke structure M = (S, I, T, L). S: the set of states. I: the set of initial states (a subset of S). T: the transition relation (a subset of S × S). L: the labeling function.
18. Definition 1 (Paths). Each path in M is a sequence of states, given in an order that respects the transition relation of M. If the first state of the path is an initial state, the path is initialized. The length of a path can be finite or infinite. We assume the set of initial states is non-empty, and that the transition relation is total.
19. Definition 2 (Witness). LTL formulas are defined over all paths. Finding a counterexample corresponds to finding a contradicting trace. If we find such a trace, we call it a witness for the property. Checking Gp therefore corresponds to asking whether there exists a witness for its negation, an F formula.
21. Definition 3 (k-loop). A path is a loop with bound k if there is a transition from state k back to an earlier state (or to state k itself), and the path consists of the states before that earlier state followed by an infinite repetition of the states from that earlier state up to state k. We call the path a k-loop if such a loop-back state exists.
23. Semantics for a path with a loop. G: Globally (always). F: Finally (eventually). X: neXt.
24. What if the path is not a k-loop? Fp is valid along the path if we can find an index, at most k, such that p is valid along the suffix of the path starting at that index. The (k+1)-th state (state k) does not have a successor, so we cannot define the bounded semantics recursively over suffixes of the path.
25. What if the path is not a k-loop? Introduce the notation
26. Semantics for a path without a loop
27. Semantics for a path without a loop (continued)
28. Lemma 1. If an LTL formula is valid along a path with a bound, it is valid along the path without a bound.
Lemma 2. If a Kripke structure validates an unbounded existential LTL formula, then there exists a bound k such that the Kripke structure validates the bounded existential LTL formula.
Theorem 1. A Kripke structure validates an unbounded existential LTL formula iff there exists a bound k such that the Kripke structure validates the bounded existential LTL formula.
29. We have now defined the semantics for bounded model checking. We still have to reduce bounded model checking to propositional satisfiability.
30. Goal: given a Kripke structure M, an LTL formula f and a bound k, construct a propositional formula that is satisfiable iff f holds in M under the bounded existential semantics with bound k.
31. The translation has three parts: a constraint that the path is valid (with regard to the transition relation of M) starting from an initial state; the translation without a loop; and the translation with a loop.
32. Definition 4 (Unfolding of the Transition Relation). For a Kripke structure
34. Definition 5 (Loop Condition). The loop condition requires a transition from the last state to a previous state or to itself:
35. Definition 6 (Successor in a Loop). Let the loop-back index and the position be non-negative integers, each at most k. The successor succ of a position in a loop is defined as
36. Definition 7 (Translation of an LTL Formula for a Loop). Let f be an LTL formula.
37. Definition 8 (Translation of an LTL Formula without a Loop). Same principles: succ(i) simplifies to i+1, and the loop index is not needed.
38. “But none of this matters unless I can verify that the system is correct!”
39. Good news! BMC can achieve completeness, which I’ll show if time allows.
40. The Completeness Threshold. For every finite state system M, a property p, and a given translation scheme, there exists a number CT such that the absence of errors up to cycle CT proves that M satisfies p.
41. The Completeness Threshold. For formulas of the form Gp, this is simply the minimal number of steps required to reach all states. This is called the reachability diameter, which is really just a formal way of stating that it is the longest ‘shortest path’ from an initial state to any reachable state.
42. The Completeness Threshold. This equation is hard to solve for realistic models. However, it is possible to compute an over-approximation with a SAT instance which calculates the longest loop-free path in M starting from an initial state.
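The idea from slide 15, the translation (Definitions 4, 5 and 8) and the completeness threshold for Gp, worked through as an added example that is not part of the slides: a constructed five-state Kripke structure, Python functions mirroring the unfolding, the loop condition and the no-loop semantics of F(not p), and a search that raises k until a witness appears or the reachability diameter is reached. The SAT solver is stood in for by enumerating every assignment of states to s_0..s_k, which is feasible only because the example is tiny.

```python
"""Toy bounded model checker over a constructed Kripke structure."""
from collections import deque
from itertools import product

# Constructed Kripke structure M = (S, I, T, L): a counter 0..3 that wraps
# around, with one extra state 4 reachable from 3 and absorbing (4 -> 4).
# The atomic proposition p ("not in an error state") is false only in state 4.
S = {0, 1, 2, 3, 4}
INIT = {0}                                     # I in the slides
T = {(0, 1), (1, 2), (2, 3), (3, 0), (3, 4), (4, 4)}
L = {0: {"p"}, 1: {"p"}, 2: {"p"}, 3: {"p"}, 4: set()}

def unfolding(path):
    """Definition 4: s_0 is initial and every step (s_i, s_i+1) is in T."""
    return path[0] in INIT and all((a, b) in T for a, b in zip(path, path[1:]))

def loop_condition(path):
    """Definition 5: the last state has a transition back to some s_l, l <= k."""
    return any((path[-1], path[j]) in T for j in range(len(path)))

def holds_F_not_p(path):
    """Definition 8 (no loop): F(not p) holds iff some state in the prefix lacks p."""
    return any("p" not in L[s] for s in path)

def bmc_witness(k):
    """Decide satisfiability of [[M, F(not p)]]_k by enumerating s_0..s_k.
    Returns the satisfying path (a witness to F(not p)) or None."""
    for path in product(sorted(S), repeat=k + 1):
        if unfolding(path) and holds_F_not_p(path):
            return list(path)
    return None

def reachability_diameter():
    """Completeness threshold for Gp: longest shortest path from I (BFS)."""
    dist = {s: 0 for s in INIT}
    queue = deque(INIT)
    while queue:
        s = queue.popleft()
        for a, b in T:
            if a == s and b not in dist:
                dist[b] = dist[s] + 1
                queue.append(b)
    return max(dist.values())

def check_Gp():
    """Raise k until a witness to F(not p) appears or k exceeds the threshold."""
    ct = reachability_diameter()
    for k in range(ct + 1):
        witness = bmc_witness(k)
        if witness:
            return ("counterexample", k, witness)
    return ("verified", ct, None)
```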
43. So far we have focused on existentially quantified temporal logic formulas: to verify an existential LTL formula against a Kripke structure, one needs to find a witness.
44. In the case of liveness, the dual is also true: if a proof of liveness exists, it can be established by examining all finite sequences of length k starting from initial states.
45. Definition 9 (Translation for Liveness Properties)
46. Induction. Prove safety properties by finding (manually) a strengthening inductive invariant: an invariant that is inductive and implies the safety property in question.
47. Induction. This is done over three steps: 1. Check that the base case formula is unsatisfiable.
48. Induction. This is done over three steps: 2. Check that the induction step formula is unsatisfiable.
49. Induction. This is done over three steps: 3. Establish that the strengthening inductive invariant implies the property for an arbitrary i:
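The three induction checks from slides 47 to 49, as an added example not taken from the slides: a constructed four-state Kripke structure on which the bare property p holds on every reachable state but is not inductive, and a strengthened invariant that passes all three checks. Each check is phrased as in the slides (a formula that must be unsatisfiable) and returns the violating assignments, so an empty result means "unsatisfiable".

```python
"""Checking a strengthening inductive invariant on a constructed structure."""

# Constructed structure: states 2 and 3 are unreachable from the initial
# state, but the bare property p is not inductive because of 2 -> 3.
S = {0, 1, 2, 3}
INIT = {0}                                   # I in the slides
T = {(0, 1), (1, 0), (2, 3), (3, 2)}
P = {0, 1, 2}                                # states where the safety property p holds

def base_case_violations(inv):
    """Step 1: I(s) and not Inv(s) must be unsatisfiable."""
    return sorted(s for s in INIT if s not in inv)

def induction_step_violations(inv):
    """Step 2: Inv(s) and T(s, s') and not Inv(s') must be unsatisfiable."""
    return sorted((a, b) for a, b in T if a in inv and b not in inv)

def implies_property_violations(inv):
    """Step 3: Inv(s) and not p(s) must be unsatisfiable for an arbitrary s."""
    return sorted(s for s in inv if s not in P)

def is_strengthening_inductive_invariant(inv):
    """All three checks pass, i.e. every violating-assignment set is empty."""
    return not (base_case_violations(inv)
                or induction_step_violations(inv)
                or implies_property_violations(inv))
```

Using p itself as the invariant fails step 2 on the transition 2 -> 3, while the reachable set {0, 1} is a strengthening inductive invariant.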
50. Summary. Stated the need for symbolic model checking. Defined the semantics for Bounded Model Checking. Translated the BMC problem to a SAT problem. Discussed how to regain completeness.
51. Questions? Comments?
52. Thank you for your attention!