

1. Bounded Model Checking for Finite-State Systems
Copenhagen, 2 March 2010, Quantitative Model Checking PhD School
Keijo Heljanko, Aalto University, Keijo.Heljanko@tkk.fi
Bounded Model Checking Tutorial, Part II, Keijo Heljanko – 1/49

2. Co-Author of Slides
Many of the slides used in this tutorial are from the Advanced Tutorial on Bounded Model Checking at ACSD 2006 / Petri Nets 2006, co-authored with my colleague D.Sc. (Tech.) Tommi Junttila (Email: Tommi.Junttila@tkk.fi, Homepage: http://users.ics.tkk.fi/tjunttil).
Many thanks to Tommi for letting me use also his slides in preparing this tutorial.

3. Kripke Structures
Kripke structures are a fully modelling-language-independent way of representing the behaviour of parallel and distributed systems.
Kripke structures are graphs which describe all the possible executions of the system, where all internal state information has been hidden except for some interesting atomic propositions.

4. Formal Definition
Let $AP$ be a finite set of atomic propositions. A Kripke structure is a four-tuple $M = (S, s_{init}, T, L)$, where
  $S$ is a finite set of states,
  $s_{init} \in S$ is the initial state (marked with a wedge),
  $T \subseteq S \times S$ is a total transition relation ($(s, s') \in T$ is drawn as an arc from $s$ to $s'$), and
  $L : S \to 2^{AP}$ is a valuation, i.e. a function which maps each state to those atomic propositions which hold in that state.

5. Running Example: Mutex
$AP = \{NC0, TR0, CS0, NC1, TR1, CS1\}$
The Kripke structure of our running example is:
[Figure: Kripke structure of the mutex, initial state $\{nc0, nc1, m\}$; the states and their labels are
  $\{nc0, nc1, m\}$: $L = \{NC0, NC1\}$
  $\{tr0, nc1, m\}$: $L = \{TR0, NC1\}$
  $\{nc0, tr1, m\}$: $L = \{NC0, TR1\}$
  $\{cs0, nc1\}$: $L = \{CS0, NC1\}$
  $\{tr0, tr1, m\}$: $L = \{TR0, TR1\}$
  $\{nc0, cs1\}$: $L = \{NC0, CS1\}$
  $\{cs0, tr1\}$: $L = \{CS0, TR1\}$
  $\{tr0, cs1\}$: $L = \{TR0, CS1\}$
The arcs of the figure are not recoverable from the text.]

6. Paths and $(k,l)$-Loops
A path in a Kripke structure $M = (S, s_{init}, T, L)$ is an infinite sequence $\pi = s_0 s_1 \ldots$ of states in $S$ such that $s_0 = s_{init}$, and $T(s_i, s_{i+1})$ holds for all $i \ge 0$.
A path $\pi = s_0 s_1 \ldots$ is a $(k,l)$-loop if $\pi = (s_0 s_1 \ldots s_{l-1})(s_l \ldots s_k)^\omega$ such that $0 < l \le k$ and $s_{l-1} = s_k$.
If $\pi$ is a $(k,l)$-loop, then it is a $(k+1, l+1)$-loop.

7. Running Example: Paths
The dashed path in the figure is a $(4,2)$-loop as it equals
  $\{nc0, nc1, m\}\,\{tr0, nc1, m\}\,(\{tr0, tr1, m\}\,\{tr0, cs1\}\,\{tr0, nc1, m\})^\omega$
[Figure: the mutex Kripke structure of slide 5 (same states and labels) with the dashed path highlighted.]

8. LTL Syntax
Each $p \in AP$ is an LTL formula.
If $\psi_1$ and $\psi_2$ are LTL formulae, then the following are LTL formulae:
  $\neg\psi_1$  negation
  $\psi_1 \vee \psi_2$  disjunction
  $\psi_1 \wedge \psi_2$  conjunction
  $X\,\psi_1$  "next"
  $F\,\psi_1$  "finally" (or "eventually")
  $G\,\psi_1$  "globally" (or "always")
  $\psi_1\,U\,\psi_2$  "until"
  $\psi_1\,R\,\psi_2$  "release"

9. Examples of LTL formulae
  Invariance: $G\,\neg(CS0 \wedge CS1)$
  Process 0 always finally leaves the critical section: $G\,(CS0 \Rightarrow F\,(\neg CS0))$
  "Justice" fairness (infinitely often): $GF\,(CS0)$
  "Weak" fairness: $(FG\,(TR0)) \Rightarrow (GF\,(CS0))$
  "Strong" fairness: $(GF\,(TR0)) \Rightarrow (GF\,(CS0))$

10. Semantics of LTL
Let $\pi = s_0 s_1 \ldots$ be a path with labelling $L(s_i) \in 2^{AP}$.
The relation $\pi^i \models \psi$ for "$\psi$ holds at time point $i$ in $\pi$":
  $\pi^i \models \psi \Leftrightarrow \psi \in L(s_i)$, for $\psi \in AP$
  $\pi^i \models \neg\psi \Leftrightarrow \pi^i \not\models \psi$
  $\pi^i \models \psi_1 \vee \psi_2 \Leftrightarrow \pi^i \models \psi_1$ or $\pi^i \models \psi_2$
  $\pi^i \models \psi_1 \wedge \psi_2 \Leftrightarrow \pi^i \models \psi_1$ and $\pi^i \models \psi_2$
  $\pi^i \models X\,\psi \Leftrightarrow \pi^{i+1} \models \psi$
  $\pi^i \models F\,\psi_1 \Leftrightarrow \exists n \ge i : \pi^n \models \psi_1$
  $\pi^i \models G\,\psi_1 \Leftrightarrow \forall n \ge i : \pi^n \models \psi_1$
  $\pi^i \models \psi_1\,U\,\psi_2 \Leftrightarrow \exists n \ge i : (\pi^n \models \psi_2 \wedge \forall\, i \le j < n : \pi^j \models \psi_1)$
  $\pi^i \models \psi_1\,R\,\psi_2 \Leftrightarrow (\forall n \ge i : \pi^n \models \psi_2) \vee (\exists n \ge i : \pi^n \models \psi_1 \wedge \forall\, i \le j \le n : \pi^j \models \psi_2)$

11. Semantics of LTL
[Figure: a path $s_0 \to s_1 \to s_2 \to s_3 \to s_4 \to s_5 \to \ldots$ with the labelling below; the labels from $s_5$ onwards are not recoverable from the text.]
  $i$        0      1      2      3        4      5 ...
  $L(s_i)$  $\{P\}$  $\{P\}$  $\{Q\}$  $\{P, Q\}$  $\{Q\}$  ...
  $\pi^0 \models P$, $\pi^0 \not\models Q$, $\pi^2 \models Q$
  $\pi^0 \models P\,U\,Q$, $\pi^0 \not\models Q\,R\,P$
  $\pi^0 \models F\,Q$, $\pi^0 \not\models G\,P$
  $\pi^2 \models G\,Q$, $\pi^0 \models FG\,Q$, $\pi^0 \models GF\,P$

12. Semantics of LTL
We write $\pi \models \psi$ if $\pi^0 \models \psi$, and say that $\pi$ is a witness path for $\psi$.
An LTL formula $\psi$ holds in a Kripke structure $M = (S, s_{init}, T, L)$ if $\pi \models \psi$ for each path $\pi$ in $M$.
Model checking problem: find whether $M \models \psi$.
Dually: is there a counter-example path $\pi$ in $M$ such that $\pi \models \neg\psi$? If there is, then $M \not\models \psi$. Otherwise, $M \models \psi$.

13. Running Example: LTL
The dashed path below is a witness for $G\,(\neg CS0)$ and thus a counter-example for $\neg G\,(\neg CS0) \equiv F\,(CS0)$.
[Figure: the mutex Kripke structure of slide 5 (same states and labels) with the dashed path highlighted.]
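The following Python script is an added example, not code from the tutorial or its authors. It builds the mutex Kripke structure of slide 5, implements the $(k,l)$-loop test of slide 6 and the LTL semantics of slide 10 on ultimately periodic paths, and checks the claims of slides 7, 9 and 13 on the dashed $(4,2)$-loop. The slides only draw the arcs of the structure, so the transition relation `T` below is an assumption reconstructed from the usual mutex behaviour (a process moves from `nc` to `tr` freely, from `tr` to `cs` only while the token `m` is free, and from `cs` back to `nc` returning `m`); it agrees with every path the slides mention but is not stated in the text. The helper names (`holds`, `is_kl_loop`, `slide_claims`, `DASHED`) are this example's own.

```python
# Added example (not from the tutorial slides): the mutex Kripke structure of
# slide 5, the (k,l)-loop test of slide 6 and the LTL semantics of slide 10,
# evaluated on ultimately periodic paths such as the dashed (4,2)-loop.

# States are frozensets of local-state names ("m" = the mutex token is free).
# ASSUMPTION: the slides only draw the arcs, so the transition relation T
# below is reconstructed from the usual mutex behaviour (nc -> tr is always
# possible, tr -> cs needs the token m, cs -> nc returns it); it agrees with
# every path the slides mention but is not stated in the text.
S = [frozenset(s) for s in (
    {"nc0", "nc1", "m"}, {"tr0", "nc1", "m"}, {"nc0", "tr1", "m"},
    {"cs0", "nc1"}, {"tr0", "tr1", "m"}, {"nc0", "cs1"},
    {"cs0", "tr1"}, {"tr0", "cs1"})]
S_INIT = frozenset({"nc0", "nc1", "m"})

def L(state):
    """Valuation L: S -> 2^AP with AP = {NC0, TR0, CS0, NC1, TR1, CS1} (slide 5)."""
    return frozenset(x.upper() for x in state if x != "m")

def T(s, t):
    """Assumed transition relation: does process 0 or 1 move s to t in one step?"""
    for p in ("0", "1"):
        rest = {x for x in s if not x.endswith(p)}    # the other process (and m)
        if "nc" + p in s and t == frozenset(rest | {"tr" + p}):
            return True
        if "tr" + p in s and "m" in s and t == frozenset((rest - {"m"}) | {"cs" + p}):
            return True
        if "cs" + p in s and t == frozenset(rest | {"nc" + p, "m"}):
            return True
    return False

def is_total():
    """A Kripke structure needs a total T: every state has a successor (slide 4)."""
    return all(any(T(s, t) for t in S) for s in S)

def is_kl_loop(states, l):
    """states = s_0 .. s_k is a (k,l)-loop iff it is a path prefix from s_init,
    0 < l <= k, and s_{l-1} == s_k (slide 6)."""
    k = len(states) - 1
    on_path = states[0] == S_INIT and all(T(a, b) for a, b in zip(states, states[1:]))
    return on_path and 0 < l <= k and states[l - 1] == states[k]

# Formulas are tuples: ("ap", p), ("not", f), ("or", f, g), ("and", f, g),
# ("X", f), ("F", f), ("G", f), ("U", f, g), ("R", f, g).
def holds(states, l, phi, i=0):
    """pi^i |= phi for pi = (s_0 .. s_{l-1})(s_l .. s_k)^omega, slide 10 semantics.
    The path is ultimately periodic, so the positions n >= i are i..k followed
    by the loop l..k: every quantifier ranges over finitely many positions."""
    k = len(states) - 1
    succ = lambda n: n + 1 if n < k else l           # position holding s_{n+1}

    def walk(n):  # n, n+1, ... in path order, each position visited once
        seen = set()
        while n not in seen:
            seen.add(n)
            yield n
            n = succ(n)

    op = phi[0]
    if op == "ap":  return phi[1] in L(states[i])
    if op == "not": return not holds(states, l, phi[1], i)
    if op == "or":  return holds(states, l, phi[1], i) or holds(states, l, phi[2], i)
    if op == "and": return holds(states, l, phi[1], i) and holds(states, l, phi[2], i)
    if op == "X":   return holds(states, l, phi[1], succ(i))
    if op == "F":   return any(holds(states, l, phi[1], n) for n in walk(i))
    if op == "G":   return all(holds(states, l, phi[1], n) for n in walk(i))
    if op == "U":   # phi2 at some n, phi1 at every position before it
        for n in walk(i):
            if holds(states, l, phi[2], n): return True
            if not holds(states, l, phi[1], n): return False
        return False
    if op == "R":   # phi2 holds up to and including a phi1 position, or forever
        for n in walk(i):
            if not holds(states, l, phi[2], n): return False
            if holds(states, l, phi[1], n): return True
        return True
    raise ValueError(f"unknown operator {op}")

# The dashed path of slides 7 and 13 as the (4,2)-loop s_0 .. s_4.
DASHED = [frozenset(s) for s in (
    {"nc0", "nc1", "m"}, {"tr0", "nc1", "m"}, {"tr0", "tr1", "m"},
    {"tr0", "cs1"}, {"tr0", "nc1", "m"})]

def imp(a, b):
    """a => b as (not a) or b."""
    return ("or", ("not", a), b)

def slide_claims():
    """The claims of slides 7, 9 and 13 evaluated on the dashed path."""
    CS0, TR0, CS1 = ("ap", "CS0"), ("ap", "TR0"), ("ap", "CS1")
    return {
        "is_(4,2)-loop": is_kl_loop(DASHED, 2),
        "is_(5,3)-loop": is_kl_loop(DASHED + [DASHED[2]], 3),   # slide 6, last bullet
        "G(not CS0)": holds(DASHED, 2, ("G", ("not", CS0))),     # witness, slide 13
        "F(CS0)": holds(DASHED, 2, ("F", CS0)),                  # counter-example
        "mutual exclusion": holds(DASHED, 2, ("G", ("not", ("and", CS0, CS1)))),
        "strong fairness for 0": holds(DASHED, 2, imp(("G", ("F", TR0)), ("G", ("F", CS0)))),
    }

if __name__ == "__main__":
    print("T total:", is_total())
    for name, value in slide_claims().items():
        print(f"{name}: {value}")
```

Running it reports that `T` is total, that the dashed path is both a $(4,2)$-loop and a $(5,3)$-loop, that $G\,(\neg CS0)$ holds and $F\,(CS0)$ fails on it, and that the same path is a counter-example to the "strong" fairness formula of slide 9 for process 0 (it requests the critical section infinitely often but never enters it), while the invariance formula still holds.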

14. Bounded Paths
BMC considers $k$-paths, i.e., bounded paths with $k$ transitions.
A $k$-path can represent all its infinite extensions (the "no loop" case), or a $(k,l)$-loop $s_0 \ldots s_{l-1} (s_l \ldots s_k)^\omega$ if $s_k = s_{l-1}$ for some $1 \le l \le k$.
[Figure: (a) no loop: $s_0 \ldots s_{k-1}\, s_k$; (b) $(k,l)$-loop: $s_0 \ldots s_{l-1}\, s_l \ldots s_k$ with an arc from $s_k$ back to $s_l$.]

15. No-Loop Case: Safety Properties
[Figure: a $k$-path $s_0 \ldots s_k$ with $L(s_i) = \{p\}, \{p\}, \{p, q\}, \{p\}, \{p\}$ and an unknown continuation marked "?".]
The no-loop case is tailored to detect counterexamples to safety properties with small bounds.
Consider the no-loop case above. We know that $\pi \models F\,q$ for each infinite extension $\pi$. But we don't know whether $\pi \models G\,p$ for any infinite extension $\pi$.
To formalize this, we need bounded semantics of LTL.

16. Positive Normal Form for LTL
From now on, we assume that negations can only appear in front of atomic propositions.
Every LTL formula can be translated to an equivalent positive normal form formula by using:
  $\neg(\psi_1 \vee \psi_2) \equiv (\neg\psi_1) \wedge (\neg\psi_2)$
  $\neg(\psi_1 \wedge \psi_2) \equiv (\neg\psi_1) \vee (\neg\psi_2)$
  $\neg(\neg\psi) \equiv \psi$
  $\neg(X\,\psi) \equiv X\,(\neg\psi)$
  $\neg(\psi_1\,U\,\psi_2) \equiv (\neg\psi_1)\,R\,(\neg\psi_2)$
  $\neg(\psi_1\,R\,\psi_2) \equiv (\neg\psi_1)\,U\,(\neg\psi_2)$

17. Bounded Semantics of LTL
Given a path $\pi = s_0 s_1 \ldots$ and a bound $k \ge 0$, $\pi \models_k \psi$ iff (i) $\pi$ is a $(k,l)$-loop and $\pi^0 \models \psi$, or (ii) $\pi^0 \models_{nl} \psi$, where:
  $\pi^i \models_{nl} p \Leftrightarrow p \in L(s_i)$, for $p \in AP$
  $\pi^i \models_{nl} \neg p \Leftrightarrow p \notin L(s_i)$, for $p \in AP$
  $\pi^i \models_{nl} \psi_1 \vee \psi_2 \Leftrightarrow \pi^i \models_{nl} \psi_1$ or $\pi^i \models_{nl} \psi_2$
  $\pi^i \models_{nl} \psi_1 \wedge \psi_2 \Leftrightarrow \pi^i \models_{nl} \psi_1$ and $\pi^i \models_{nl} \psi_2$
  $\pi^i \models_{nl} X\,\psi_1 \Leftrightarrow i < k$ and $\pi^{i+1} \models_{nl} \psi_1$
  $\pi^i \models_{nl} F\,\psi_1 \Leftrightarrow \exists\, i \le n \le k : \pi^n \models_{nl} \psi_1$
  $\pi^i \models_{nl} G\,\psi_1 \Leftrightarrow \bot$
  $\pi^i \models_{nl} \psi_1\,U\,\psi_2 \Leftrightarrow \exists\, i \le n \le k : (\pi^n \models_{nl} \psi_2 \wedge \forall\, i \le j < n : \pi^j \models_{nl} \psi_1)$
  $\pi^i \models_{nl} \psi_1\,R\,\psi_2 \Leftrightarrow \exists\, i \le n \le k : (\pi^n \models_{nl} \psi_1 \wedge \forall\, i \le j \le n : \pi^j \models_{nl} \psi_2)$

18. Bounded Semantics of LTL
$\models_k$ under-approximates $\models$: if $\pi \models_k \psi$, then $\pi \models \psi$.
For each ultimately periodic path $\pi$ there is a $k$ such that $\pi$ is a $(k,l)$-loop, and thus $\pi \models \psi$ iff $\pi \models_k \psi$.
If $\pi \models_k \psi$, then $\pi \models_{k+1} \psi$.
The $\models_{nl}$ semantics corresponds to the informative safety counterexamples as defined in: Kupferman, O. and Vardi, M. Y.: Model Checking of Safety Properties. Formal Methods in System Design 19(3): 291-314 (2001).
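The following Python script is an added example, not code from the tutorial or its authors. It implements the positive normal form translation of slide 16 and the no-loop bounded semantics $\models_{nl}$ of slide 17 on a finite $k$-path given as its label sequence, and uses the monotonicity of slide 18 ($\pi \models_k \psi$ implies $\pi \models_{k+1} \psi$) to find the smallest bound at which a $k$-path proves a formula. The label sequence `SLIDE15_LABELS` is the one drawn on slide 15; the two rewrite rules for $\neg F$ and $\neg G$ are the standard ones (they follow from $F\,\psi \equiv \top\,U\,\psi$ and $G\,\psi \equiv \bot\,R\,\psi$) and are not listed on slide 16. The function names (`pnf`, `holds_nl`, `smallest_witness_bound`) are this example's own.

```python
# Added example (not from the tutorial slides): positive normal form (slide 16)
# and the no-loop bounded semantics |=_nl (slide 17) on a finite k-path.
# Formulas are tuples: ("ap", p), ("not", f), ("or", f, g), ("and", f, g),
# ("X", f), ("F", f), ("G", f), ("U", f, g), ("R", f, g).

def pnf(phi):
    """Push negations down to atomic propositions with the dualities of slide 16.
    The F/G cases are the standard dualities not listed on the slide."""
    op = phi[0]
    if op == "ap":
        return phi
    if op in ("or", "and", "U", "R"):
        return (op, pnf(phi[1]), pnf(phi[2]))
    if op in ("X", "F", "G"):
        return (op, pnf(phi[1]))
    inner = phi[1]                       # op == "not": case split on the operator below it
    iop = inner[0]
    if iop == "ap":  return phi          # literal: already in normal form
    if iop == "not": return pnf(inner[1])
    if iop == "or":  return ("and", pnf(("not", inner[1])), pnf(("not", inner[2])))
    if iop == "and": return ("or", pnf(("not", inner[1])), pnf(("not", inner[2])))
    if iop == "X":   return ("X", pnf(("not", inner[1])))
    if iop == "F":   return ("G", pnf(("not", inner[1])))
    if iop == "G":   return ("F", pnf(("not", inner[1])))
    if iop == "U":   return ("R", pnf(("not", inner[1])), pnf(("not", inner[2])))
    if iop == "R":   return ("U", pnf(("not", inner[1])), pnf(("not", inner[2])))
    raise ValueError(f"unknown operator {iop}")

def holds_nl(labels, phi, i=0):
    """pi^i |=_nl phi on the k-path with labels L(s_0) .. L(s_k); phi must be in PNF.
    Nothing beyond position k is known, so G is never provable and X at the
    last position fails (slide 17)."""
    k = len(labels) - 1
    op = phi[0]
    if op == "ap":  return phi[1] in labels[i]
    if op == "not":
        if phi[1][0] != "ap":
            raise ValueError("formula must be in positive normal form")
        return phi[1][1] not in labels[i]
    if op == "or":  return holds_nl(labels, phi[1], i) or holds_nl(labels, phi[2], i)
    if op == "and": return holds_nl(labels, phi[1], i) and holds_nl(labels, phi[2], i)
    if op == "X":   return i < k and holds_nl(labels, phi[1], i + 1)
    if op == "F":   return any(holds_nl(labels, phi[1], n) for n in range(i, k + 1))
    if op == "G":   return False                     # bottom: a finite prefix never proves G
    if op == "U":   # phi2 at some n <= k, phi1 at all positions i..n-1
        return any(holds_nl(labels, phi[2], n)
                   and all(holds_nl(labels, phi[1], j) for j in range(i, n))
                   for n in range(i, k + 1))
    if op == "R":   # the release must actually happen within the bound
        return any(holds_nl(labels, phi[1], n)
                   and all(holds_nl(labels, phi[2], j) for j in range(i, n + 1))
                   for n in range(i, k + 1))
    raise ValueError(f"unknown operator {op}")

def smallest_witness_bound(labels, phi):
    """Smallest k such that the prefix s_0 .. s_k satisfies phi under |=_nl, or None.
    |=_nl is monotone in k (slide 18), so the first k that works is the answer
    and every longer prefix of the same path works as well."""
    phi = pnf(phi)
    for k in range(len(labels)):
        if holds_nl(labels[:k + 1], phi):
            return k
    return None

# The k-path drawn on slide 15: L(s_i) = {p} {p} {p,q} {p} {p}.
SLIDE15_LABELS = [frozenset(x) for x in ({"p"}, {"p"}, {"p", "q"}, {"p"}, {"p"})]

if __name__ == "__main__":
    p, q = ("ap", "p"), ("ap", "q")
    for name, f in [("F q", ("F", q)), ("G p", ("G", p)), ("p U q", ("U", p, q)),
                    ("not (p U q)", ("not", ("U", p, q))), ("X X q", ("X", ("X", q)))]:
        print(f"{name}: PNF {pnf(f)}, smallest witness bound {smallest_witness_bound(SLIDE15_LABELS, f)}")
```

On the slide 15 path $F\,q$ and $p\,U\,q$ are proved by the prefix $s_0 s_1 s_2$ (bound 2), while $G\,p$ and $\neg(p\,U\,q) \equiv (\neg p)\,R\,(\neg q)$ are never proved by any prefix, which is exactly the asymmetry slide 15 points out: a finite prefix can witness eventualities but never an invariant.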

19. BMC Encoding for LTL
Given a symbolic representation of a Kripke structure $M$, an LTL formula $\psi$, and a bound $k$.
Goal: build a formula $|[M, \psi, k]|$ that is satisfiable iff $M$ has a path $\pi$ such that $\pi \models_k \psi$.

20. BMC Encoding for LTL
The generic form of $|[M, \psi, k]|$ is $|[M]|_k \wedge |[\psi, k]|_0$.
As before, $|[M]|_k \equiv I(s_0) \wedge \bigwedge_{i=1}^{k} T(s_{i-1}, s_i)$ encodes paths by unrolling the transition relation $k$ times.
$|[\psi, k]|_0$ constrains paths to be witnesses for $\psi$ under the bounded semantics.

21. Our Approach: Simple BMC
Heljanko, K., Junttila, T., and Latvala, T.: Incremental and Complete Bounded Model Checking for Full PLTL. CAV'05.
  - Incremental and complete version of the encoding for LTL with past time operators
Biere, A., Heljanko, K., Junttila, T., Latvala, T., and Schuppan, V.: Linear Encodings of Bounded LTL Model Checking. Logical Methods in Computer Science 2(5:5):1-64, 2006.
  - Survey of linear LTL encodings for BMC, including also approaches based on Büchi automata based LTL model checking
