  1. A compact linear translation for bounded model checking
  Paul B. Jackson (University of Edinburgh), Daniel Sheridan (Adelard LLP)
  BMC ’06

  2. Aim of translation
  ◮ Assume given
    ◮ Kripke structure $\hat{M} = \langle \hat{I}, \hat{T} \rangle$ over set of Boolean variables $V$:
      $\hat{I} = \hat{I}(V)$ describes initial states,
      $\hat{T} = \hat{T}(V, V')$ describes transition relation
    ◮ LTL formula $\varphi$ in negation normal form; variables $V$ used for atomic propositions in $\varphi$
    ◮ bound $k > 0$
  ◮ A state $s$ of $\hat{M}$ is a valuation of $V$ (function $V \to \mathbb{B}$)
  ◮ A path $s_0, s_1, \ldots$ is an infinite sequence of states such that $s_0$ satisfies $\hat{I}$, and every pair $\langle s_i, s_{i+1} \rangle$ satisfies $\hat{T}$
  ◮ Translation produces Boolean formula satisfiable in two cases:
    prefix case: all paths of $\hat{M}$ with some common prefix $s_0, \ldots, s_{k-1}$ satisfy $\varphi$
    loop case: some loop path of form $s_0, \ldots, s_{l-1}(s_l, \ldots, s_{k-1})^\omega$ for some $l$ satisfies $\varphi$

  3. Sketch of translation
  ◮ For every subformula $\psi$ of $\varphi$ and each timestep $i < k$, introduce a new Boolean variable $(\psi)_i$
  ◮ Create constraints relating variables. Constraints for $F$, $G$, $U$, $R$ are based on fixpoint characterisations: $G\theta$ is the greatest solution to $G\theta = \theta \wedge X\,G\theta$, and we get constraints of the form $(G\theta)_i \Rightarrow (\theta)_i \wedge (G\theta)_{i+1}$
  ◮ Could use $\Leftrightarrow$ too. $\Rightarrow$ is sufficient and more concise
  ◮ Strong similarity with automata-based LTL translations and Helsinki work
  ◮ For least-fixpoint operators ($F$, $U$), additional constraints are necessary (cf. Büchi acceptance conditions)

  4. Structure of translation result
  ◮ Boolean formula produced is equivalent to
  $$[\hat{M}]_k \;\wedge\; \Big( [\psi]^0_k \;\vee\; \bigvee_{l=0}^{k-1} \big( L^k_l(\hat{M}) \wedge {}_l[\psi]^0_k \big) \Big)$$
  where
  $$[\hat{M}]_k \;\doteq\; \hat{I}(V_0) \wedge \bigwedge_{i=0}^{k-2} \hat{T}(V_i, V_{i+1}), \qquad L^k_l(\hat{M}) \;\doteq\; \hat{T}(V_{k-1}, V_l)$$
  ◮ Size of formula translations $[\psi]^0_k$ (prefix case) and ${}_l[\psi]^0_k$ (loop case) is linear in $k$. Formulae very similar. Can factor so overall size is linear in $k$.

  5. Approach to deriving and verifying translation
  ◮ Bulk of translation expressed as series of equational transformations on LTL syntax.
  ◮ Most important transformation steps are:
    ◮ Conversion of temporal operators $F$, $G$, $U$, $R$ into explicit fixpoint versions. Syntax added: $\mu\alpha.\varphi$ and $\nu\alpha.\varphi$. E.g. $G\varphi \longrightarrow \nu\alpha.\ \varphi \wedge X\alpha$
    ◮ Replacement of fixpoint expressions by suitably constrained existentially quantified variables. Syntax added: $\exists\alpha.\varphi$.
  ◮ Advantages of approach
    ◮ Aids understanding and justification of translation
    ◮ Simplifies consideration of alternate translations (in the literature, translations are usually given in monolithic form)

  6. Outline
  Overview
  Denotational semantics framework
  Translation of greatest fixpoint operators
  Translation of least fixpoint operators
  Distinction between denotation and translation
  Conclusions

  7. Denotational semantics
  ◮ Equational transformations justified using denotational semantics
  ◮ Each equational step justified by asserting equality of denotations of formulae before and after
  ◮ Denotational approach well-suited for giving semantics of fixpoint operators
  ◮ 3 semantics:
    ◮ Infinite semantics
    ◮ Finite prefix-case semantics
    ◮ Finite loop-case semantics
  ◮ Finite semantics also guide generation of Boolean formulae from LTL formulae produced by equational transformations

  8. Infinite denotation function
  ◮ LTL semantics commonly given using satisfaction relation $\pi \models_i \varphi$ for path $\pi$ and position $i$ on path, e.g.
  $$\pi \models_i G\varphi \;\Leftrightarrow\; \forall j \geq i.\ \pi \models_j \varphi$$
  ◮ The infinite denotation $[\![\varphi]\!]^{\pi}$ of formula $\varphi$ is an element of $\mathbb{B}^\omega$. Has property $[\![\varphi]\!]^{\pi}(i) \Leftrightarrow \pi \models_i \varphi$
  ◮ Example (positions $0\ 1\ 2\ 3\ 4\ \ldots$):
    $[\![\varphi]\!]^{\pi} = \bot\,\top\,\bot\,\top\,\top^\omega$
    $[\![G\varphi]\!]^{\pi} = \bot\,\bot\,\bot\,\top\,\top^\omega$

  9. Finite loop-case representations
  ◮ Finite loop-case denotation function works with finite representations of infinite loop paths and denotations
  ◮ Assume given bound $k$ and loop start $l < k$:
    finite path $s_0, \ldots, s_{k-1}$ such that $T(s_{k-1}, s_l)$ represents infinite loop path $s_0 \ldots s_{l-1}(s_l \ldots s_{k-1})^\omega$;
    finite denotation $a_0, \ldots, a_{k-1}$ where $a_i \in \mathbb{B}$ represents infinite denotation $a_0 \ldots a_{l-1}(a_l \ldots a_{k-1})^\omega$
  ◮ A loop-case inflation function $\uparrow^{\infty}_{\circ}$ maps finite paths and denotations to the corresponding infinite paths and denotations.

  10. The finite loop-case denotation function
  ◮ Written as $[\![\varphi]\!]^{F\dot\pi}_{k,l}$ (superscript $F$ marks the finite loop-case function; $\dot\pi$ is a $k$-bounded path representing a $(k,l)$ loop path). Maps $\varphi$ to an element of $\mathbb{B}^k$
  ◮ Constructed from auxiliary function $[\![O]\!]^{F}_{k,l}$ on LTL operators:
  $$[\![O\varphi]\!]^{F\dot\pi}_{k,l} \;\doteq\; [\![O]\!]^{F}_{k,l}\big([\![\varphi]\!]^{F\dot\pi}_{k,l}\big) \quad \text{for } O \in \{X, F, G\}$$
  $$[\![X]\!]^{F}_{k,l}(\dot a)(i) \;\doteq\; \begin{cases} \dot a(i+1) & \text{if } i < k-1 \\ \dot a(l) & \text{if } i = k-1 \end{cases}$$
  $$[\![G]\!]^{F}_{k,l}(\dot a)(i) \;\doteq\; \forall j \in \{\min(i,l) .. k-1\}.\ \dot a(j)$$
  where $\dot a \in \mathbb{B}^k$ is a finite denotation and position $i \in \{0 .. k-1\}$
  ◮ Finite denotation exactly mimics infinite denotation:
  $$[\![\varphi]\!]^{F\dot\pi}_{k,l}\uparrow^{\infty}_{\circ} \;=\; [\![\varphi]\!]^{\dot\pi\uparrow^{\infty}_{\circ}}$$

  11. Correctness of loop-case equational transformations
  ◮ Correctness statement
  $$[\![N(\varphi)]\!]^{F\dot\pi}_{k,l}\uparrow^{\infty}_{\circ} \;=\; [\![\varphi]\!]^{\dot\pi\uparrow^{\infty}_{\circ}}$$
  where $N(\cdot)$ carries out equational transformations
  ◮ Proof involves justifying
    1. initial equational steps with $[\![\cdot]\!]^{\pi}$ semantics
    2. switch to $[\![\cdot]\!]^{F\dot\pi}_{k,l}$ semantics
    3. subsequent equational steps with $[\![\cdot]\!]^{F\dot\pi}_{k,l}$ semantics

  12. Semantics of fixpoint operators
  ◮ Infinite semantics is standard Tarski-Knaster construction
  $$[\![\nu\alpha.\varphi]\!]^{\pi}\rho \;=\; \mathrm{gfp}\big([\![\lambda\alpha.\varphi]\!]^{\pi}\rho\big) \;=\; \bigsqcup\{\, a \in \mathbb{B}^\omega \mid a \sqsubseteq [\![\varphi]\!]^{\pi}\rho[\alpha \mapsto a] \,\}$$
  Here $\bigsqcup$ is least upper bound operator on complete lattice $\langle \mathbb{B}^\omega, \sqsubseteq \rangle$ where $a \sqsubseteq b \;\doteq\; \forall i \in \mathbb{N}.\ a(i) \Rightarrow b(i)$
  ◮ Finite loop-case and prefix-case semantics are similar

  13. Translation of greatest-fixpoint operators (loop case)
  1. Introduce gfp operator $\nu$:
  $$[\![G\beta]\!]^{\pi} \;=\; [\![\nu\alpha.\ \beta \wedge X\alpha]\!]^{\pi}$$
  where $\pi$ is any infinite path
  2. Switch to finite semantics:
  $$[\![\nu\alpha.\ \beta \wedge X\alpha]\!]^{\dot\pi\uparrow^{\infty}_{\circ}} \;=\; [\![\nu\alpha.\ \beta \wedge X\alpha]\!]^{F\dot\pi}_{k,l}\uparrow^{\infty}_{\circ}$$
  where $\dot\pi$ is a length $k$ path representing a $(k,l)$ loop path

  14. Introduction of the existential quantification
  ◮ Translation is
  $$[\![\Psi[\nu\alpha.\varphi]]\!]^{F\dot\pi}_{k,l}\dot\rho \;=\; [\![\exists\alpha.\ G_0(\alpha \Rightarrow \varphi) \wedge \Psi[\alpha]]\!]^{F\dot\pi}_{k,l}\dot\rho$$
  where $\Psi[\cdot]$ is a monotone context and
  $$[\![\exists\alpha.\varphi]\!]^{F\dot\pi}_{k,l}\dot\rho(i) \;\doteq\; \exists \dot a \in \mathbb{B}^k.\ [\![\varphi]\!]^{F\dot\pi}_{k,l}\dot\rho[\alpha \mapsto \dot a](i)$$
  $$[\![G_0]\!]^{F}_{k,l}(\dot a)(i) \;\doteq\; \forall j \in \{0 .. k-1\}.\ \dot a(j)$$
  ◮ Intuition is from semantics of $\nu\alpha.\varphi$:
  $$[\![\nu\alpha.\varphi]\!]^{F\dot\pi}_{k,l}\dot\rho \;=\; \bigsqcup\{\, \dot a \in \mathbb{B}^k \mid \dot a \sqsubseteq [\![\varphi]\!]^{F\dot\pi}_{k,l}\dot\rho[\alpha \mapsto \dot a] \,\}$$
  ◮ $\exists$ derives from the $\bigsqcup$ operator
  ◮ $G_0(\alpha \Rightarrow \varphi)$ expresses in syntax the constraint $\dot a \sqsubseteq [\![\varphi]\!]^{F\dot\pi}_{k,l}\dot\rho[\alpha \mapsto \dot a]$
  ◮ Both pulled through context $\Psi$

  15. Example of translation
  ◮ Translation yielding Boolean formula satisfiable by finite path $\dot\pi$ just when $[\![p \wedge Gq]\!]^{F\dot\pi}_{k,l}(0) = \top$
  ◮ Equational transformations are
  $$p \wedge Gq \;\longrightarrow\; p \wedge \nu\alpha.\ q \wedge X\alpha \;\longrightarrow\; \exists\alpha.\ G_0(\alpha \Rightarrow q \wedge X\alpha) \wedge p \wedge \alpha$$
  ◮ Final (existentially quantified) Boolean formula is
  $$\exists a_0, \ldots, a_{k-1}.\ \bigwedge_{i=0}^{k-2} (a_i \Rightarrow q_i \wedge a_{i+1}) \;\wedge\; (a_{k-1} \Rightarrow q_{k-1} \wedge a_l) \;\wedge\; p_0 \wedge a_0$$

  16. Translation of least-fixpoint operators (loop case)
  1. Introduce lfp operator $\mu$:
  $$[\![F\beta]\!]^{\pi} \;=\; [\![\mu\alpha.\ \beta \vee X\alpha]\!]^{\pi}$$
  where $\pi$ is any infinite path
  2. Switch to finite semantics:
  $$[\![\mu\alpha.\ \beta \vee X\alpha]\!]^{\dot\pi\uparrow^{\infty}_{\circ}} \;=\; [\![\mu\alpha.\ \beta \vee X\alpha]\!]^{F\dot\pi}_{k,l}\uparrow^{\infty}_{\circ}$$
  where $\dot\pi$ is a length $k$ path representing a $(k,l)$ loop path.
  3. Eliminate lfp operator $\mu$ (dual of the $\nu$ case: $\mu\alpha.\varphi$ is the greatest lower bound of the pre-fixpoints $\dot a \sqsupseteq [\![\varphi]\!]\dot\rho[\alpha \mapsto \dot a]$, so the quantifier is universal and the pre-fixpoint constraint is a hypothesis):
  $$[\![\Psi[\mu\alpha.\varphi]]\!]^{F\dot\pi}_{k,l}\dot\rho \;=\; [\![\forall\alpha.\ G_0(\varphi \Rightarrow \alpha) \Rightarrow \Psi[\alpha]]\!]^{F\dot\pi}_{k,l}\dot\rho$$
  4. Translation yields QBF problems, not SAT problems
  5. Way out: enable switch to gfp by making fixpoint unique

  17. Approach to least fixpoints using single loop unroll
  ◮ Want alternate expression of finite loop-case semantics for $F$ that involves fixpoint characterisation where fixpoint is unique
  ◮ Let $\dot a \in \mathbb{B}^k$ represent infinite $(k,l)$ loop denotation $a = \dot a\uparrow^{\infty}_{\circ}$. Consider $i \in \{0 .. k-1\}$. Have that
  $$\begin{aligned}
  [\![F]\!]^{F}_{k,l}(\dot a)(i) &= [\![F]\!](a)(i) \\
  &= \exists j \geq i.\ a(j) \\
  &\overset{***}{=} \exists j \in \{i .. k'-1\}.\ a(j) \\
  &= [\![\tilde F_\bot]\!]^{F}_{k',l}(a|_{k'})(i)
  \end{aligned}$$
  where $k' = k + (k-l)$ (1 loop unroll) and $a|_{k'}$ is the restriction of $a$ to positions $0 .. k'-1$
  ◮ Step $***$ valid since sufficient to visit distinct values of $a$ once
  ◮ Similar argument explains $F$, $U$ treatment in original TACAS ’99 paper and $F$, $U$, $G$, $R$ treatment in Helsinki FMCAD ’04 paper

  18. Alternate F using a greatest fixpoint
  ◮ Definitions are
  $$[\![X_\bot]\!]^{F}_{k,l}(\dot a)(i) \;\doteq\; \begin{cases} \dot a(i+1) & \text{if } i < k-1 \\ \bot & \text{if } i = k-1 \end{cases}$$
  $$\tilde F_\bot\,\alpha \;\doteq\; \nu\beta.\ \alpha \vee X_\bot\beta$$
  ◮ $\tilde F_\bot$ has property $[\![\tilde F_\bot]\!]^{F}_{k,l}(\dot a)(i) = \exists j \in \{i .. k-1\}.\ \dot a(j)$
  ◮ $[\![\tilde F_\bot]\!]^{F}_{k,l}(\dot a)$ is greatest $\dot b$ such that
  $$\dot b(j) \Leftrightarrow \dot a(j) \vee \dot b(j+1) \quad \forall j < k-1, \qquad \dot b(k-1) \Leftrightarrow \dot a(k-1) \vee \bot$$
  ◮ Existence of upper bound on position at which fixpoint constraint calculated forces uniqueness of fixpoint
  ◮ Hence $\nu$ is adequate
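The following Python is an added worked example, not code from the slides or from the authors' tool. It implements the loop-case translation sketched on slides 3, 15, 17 and 18 (one variable per subformula and timestep, $\Rightarrow$ constraints for $G$, and $\tilde F_\bot$ on a path unrolled to $k' = k + (k-l)$ for $F$) on a fixed $(k,l)$ loop path, and checks it against the finite loop-case denotation function of slide 10, i.e. slide 11's correctness statement, at every position rather than only position 0. Everything beyond the slides is an assumption of the example: formulas are nested tuples over atoms, $X$, $G$, $F$, $\wedge$, $\vee$ (negation normal form, so negation only on atoms); the oracle computes $F$ as the dual of $G$; and because the path is fixed every constraint is a monotone implication, so the greatest solution, found by lowering variables from all-true, stands in for the SAT call. Paths and formulas are constructed sample inputs.

```python
from itertools import product

# Added example (not the authors' code).  A (k, l) loop path is a list of k states
# (frozensets of atoms holding there); state k-1 loops back to state l.  NNF formulas:
# ('p',n) | ('np',n) | ('X',f) | ('G',f) | ('F',f) | ('and',f,g) | ('or',f,g)

def fold(j, k, l):
    """Index j of s_0..s_{l-1}(s_l..s_{k-1})^omega, folded back into 0..k-1."""
    return j if j < k else l + (j - l) % (k - l)

def denote(phi, path, k, l):
    """Finite loop-case denotation of slide 10, one Boolean per position 0..k-1.
    F is taken as the dual of G; the positions reachable from i are {min(i,l)..k-1}."""
    op = phi[0]
    if op in ('p', 'np'):
        return [(phi[1] in path[i]) == (op == 'p') for i in range(k)]
    if op in ('and', 'or'):
        a, b = denote(phi[1], path, k, l), denote(phi[2], path, k, l)
        return [(a[i] and b[i]) if op == 'and' else (a[i] or b[i]) for i in range(k)]
    a = denote(phi[1], path, k, l)
    if op == 'X':
        return [a[i + 1] if i < k - 1 else a[l] for i in range(k)]
    quant = {'G': all, 'F': any}[op]
    return [quant(a[j] for j in range(min(i, l), k)) for i in range(k)]

class LoopTranslation:
    """Constraint system of slide 3 for a fixed (k, l) loop path.  self.cons holds (v, body):
    v implies every disjunction in body.  Atoms are fixed by the path: body [[]] = bottom."""
    def __init__(self, path, k, l):
        self.path, self.k, self.l, self.cons, self.nvars = path, k, l, [], 0
        self.kp = k + (k - l)          # k' of slide 17: one extra loop unroll

    def fresh(self):
        self.nvars += 1
        return self.nvars - 1

    def translate(self, phi):
        """Return the variables (phi)_0 .. (phi)_{k-1} of subformula phi."""
        op, k, l = phi[0], self.k, self.l
        nxt = lambda i: i + 1 if i < k - 1 else l          # successor position; k-1 -> l
        subs = [self.translate(x) for x in phi[1:] if isinstance(x, tuple)]
        if op == 'F':   # F~_bot on the k'-unrolled path (slides 17 and 18):
            a, bs = subs[0], [self.fresh() for _ in range(self.kp)]
            for j, b in enumerate(bs):   # b_j => a_fold(j) or b_{j+1};  b_{k'-1} => a_fold(k'-1)
                rest = [bs[j + 1]] if j < self.kp - 1 else []
                self.cons.append((b, [[a[fold(j, k, l)]] + rest]))
            return bs[:k]                # (F a)_i = b_i for the original positions
        vs = [self.fresh() for _ in range(k)]
        for i, v in enumerate(vs):
            if op in ('p', 'np'):
                body = [] if (phi[1] in self.path[i]) == (op == 'p') else [[]]
            elif op == 'and':
                body = [[subs[0][i]], [subs[1][i]]]
            elif op == 'or':
                body = [[subs[0][i], subs[1][i]]]
            elif op == 'X':
                body = [[subs[0][nxt(i)]]]
            elif op == 'G':   # (G a)_i => a_i and (G a)_{next(i)}   (slide 15)
                body = [[subs[0][i]], [vs[nxt(i)]]]
            else:
                raise ValueError(op)
            self.cons.append((v, body))
        return vs

    def greatest_solution(self):
        """Bodies are monotone, so a greatest solution exists: start all-true and lower any
        variable whose body fails until stable.  (phi)_0 is satisfiable iff true here; this
        stands in for the SAT call, which in real BMC also has the path variables free."""
        val = [True] * self.nvars
        changed = True
        while changed:
            changed = False
            for v, body in self.cons:
                if val[v] and not all(any(val[x] for x in d) for d in body):
                    val[v], changed = False, True
        return val

def check_translation(phi, path, k, l):
    """Slide 11's correctness statement on one path, checked at every position."""
    tr = LoopTranslation(path, k, l)
    vs, val = tr.translate(phi), tr.greatest_solution()
    return [val[v] for v in vs] == denote(phi, path, k, l)

FORMULAS = [                                       # constructed sample formulas
    ('and', ('p', 'p'), ('G', ('p', 'q'))),        # slide 15's  p & G q
    ('F', ('G', ('np', 'q'))),
    ('or', ('X', ('p', 'p')), ('G', ('F', ('and', ('p', 'q'), ('X', ('p', 'p')))))),
]

def exhaustive_check(max_k=3, atoms=('p', 'q')):
    """Every (k, l) loop path over atoms with k <= max_k, against FORMULAS.
    Returns the number of agreeing checks, or False if any check disagrees."""
    states = [frozenset(a for a, on in zip(atoms, bits) if on)
              for bits in product((False, True), repeat=len(atoms))]
    cases = [(phi, list(path), k, l) for k in range(1, max_k + 1)
             for path in product(states, repeat=k) for l in range(k) for phi in FORMULAS]
    results = [check_translation(*case) for case in cases]
    return all(results) and len(results)
```

`exhaustive_check()` enumerates every $(k,l)$ loop path over two atoms for $k \le 3$ and returns the number of agreeing checks. The single loop unroll is what makes $\nu$ adequate for $F$: if `kp` is set to `k` instead, so that $\tilde F_\bot$ only runs to position $k-1$, the check reports `False`, because from a position $i > l$ the translation then never sees the loop positions $l .. i-1$ that the denotation's reachable set $\{\min(i,l) .. k-1\}$ includes.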
