INF9140 – Paper Presentation: Biere et al. 2003, Bounded Model Checking (PowerPoint presentation)

  1. INF9140 – Paper Presentation. Biere et al. 2003 – Bounded Model Checking. By Martin F. Johansen

  2. Model Checking
     - Model the design as a finite state machine.
     - Write the specification as temporal logic.
     - Safety properties: what should not happen. A counterexample: something bad happens.
     - Liveness properties: what should eventually happen. A counterexample: something good never happens.

  3. Bounded Model Checking (BMC)
     - The basic idea of BMC is to search for a counterexample in executions whose length is bounded by some integer k.
     - Thus, it does not show the absence of errors.
     - Experiments have shown that BMC can solve many cases that cannot be solved by other approaches.
     - The BMC problem can be efficiently reduced to a propositional satisfiability problem […]. SAT procedures do not suffer from the space explosion problem of BDD-based methods.

  4. Bounded Semantics
     - Paths with loops: a (k,l)-loop path, π = u v^ω.
     - For an LTL formula f with π as a loop: π |=_k f iff π |= f.
     - Where there are no loops: a property that holds along π_k might not hold along π_{k+1}.
     - Theorem 1: If we take a sufficiently high bound, then the bounded and unbounded semantics are equivalent.

  5. Reduction of BMC to SAT
     - Given: a Kripke structure M, an LTL formula f, a bound k.
     - Construct: a propositional formula [[M, f]]_k, for example (-x1 * -x2 * -x3) + (x1 * x1 * x2) + (x2 * x3).

  6. Kripke Structures
     - A Kripke structure M is a quadruple M = (S, I, T, L):
       - S is the set of states
       - I ⊆ S is the set of initial states
       - T ⊆ S×S is the transition relation
       - L: S -> P(A) is the labeling function
       - A is the set of atomic propositions; P(A) denotes the powerset over A
       - L(s) is made of the atomic propositions that hold in s.
     - Each path π in M is a sequence π = (s_0, s_1, ...) of states
       - π(i) is the i-th state s_i
       - π^i = (s_i, s_{i+1}, ...) is the suffix of π starting with state s_i

  7. Note on symbols
     - ○ p – Xp
     - ◊ p – Fp
     - □ p – Gp

  8. (slide content was an image; only the symbol legend ○ p – Xp, ◊ p – Fp, □ p – Gp survives)

  9. Bounded Semantics without a Loop
     - An LTL formula f is valid along π with bound k (in symbols: definition given as an image on the slide)

  10. Path Quantifiers
     - M |= Af: M satisfies f over all initialized paths.
     - M |= Ef: there exists an initialized path in M that satisfies f.

  11. Reduction of BMC to SAT
     - Unfolding of the transition relation: there are valid paths from the initial state to any state reachable in k steps.
     - Loop condition: _lL_k is true iff there is a transition from s_k to s_l. L_k is true iff there exists a back loop from s_k to a previous state or to itself.
     - Successor in a loop: in a (k,l)-loop, the successor function succ(i) is i+1 unless i = k, then it is l.

  12. Reduction of BMC to SAT
     - The intermediate formula depends on three parameters: l, k and i. We use l for the start position of the loop, k for the bound, and i for the current position in π.

  13. Translation of an LTL formula for a loop (the translation table was an image; only the symbol legend ○ p – Xp, ◊ p – Fp, □ p – Gp survives)

  14. Translation of an LTL formula without a loop (the translation table was an image; only the symbol legend ○ p – Xp, ◊ p – Fp, □ p – Gp survives)

  15. BMC with SAT
     - Given: a Kripke structure M, an LTL formula f, a bound k.
     - Construct: the propositional formula [[M, f]]_k (general translation).
     - Theorem 2: [[M, f]]_k is satisfiable iff M |=_k Ef (M |= Ef means there exists an initialized path in M that satisfies f).

  16. Completeness threshold
     - The completeness threshold for Gp formulas is simply the minimal number of steps required to reach all states.
     - Theorem 3: the procedure terminates if the liveness property holds.
     - Since we know that either AFp or EG¬p must hold for M, one of the semi-decision procedures must terminate. Combining the two, we obtain a complete decision procedure for liveness.
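As an added worked example (not code from the slides or from Biere et al.), the reduction of slides 11–16 carried out in Python on a constructed three-state Kripke structure: the unfolding [[M]]_k, the loop conditions _lL_k, the successor function succ(i), the translations of an LTL formula with and without a loop, the assembled formula [[M, f]]_k, and the reachability threshold of slide 16. Two simplifications are assumptions of this example rather than the paper's construction: the state at each position is one integer-valued variable instead of a bit vector, and the SAT solver is replaced by exhaustive enumeration of assignments, which is only viable because the structure is tiny. Formulas are restricted to the negation normal form fragment with atoms, X, F, G, and, or.

```python
from itertools import product

# Constructed Kripke structure M = (S, I, T, L) for the demonstration:
# states 0 and 1 satisfy p, state 2 does not; 0 <-> 1 is a p-loop, 2 is a sink.
S = (0, 1, 2)
I = {0}
T = {(0, 1), (1, 0), (1, 2), (2, 2)}
L = {0: {"p"}, 1: {"p"}, 2: set()}

# LTL formulas in negation normal form, as nested tuples:
#   ("atom", "p"), ("natom", "p"), ("X", f), ("F", f), ("G", f), ("and", f, g), ("or", f, g)
# A propositional formula over the state variables s_0..s_k is represented as a
# predicate on an assignment tuple (s_0, ..., s_k); AND/OR compose such predicates.
def AND(*fs):
    return lambda a: all(f(a) for f in fs)

def OR(*fs):
    return lambda a: any(f(a) for f in fs)

FALSE = lambda a: False

def unfold(k):
    """[[M]]_k: I(s_0) and T(s_i, s_{i+1}) for every 0 <= i < k."""
    step = lambda i: (lambda a: (a[i], a[i + 1]) in T)
    return AND(lambda a: a[0] in I, *[step(i) for i in range(k)])

def loop_cond(k, l):
    """_lL_k: a back transition from s_k to s_l closes a (k,l)-loop."""
    return lambda a: (a[k], a[l]) in T

def atom(f, i):
    """Atom or negated atom evaluated on the labeling of the state at position i."""
    if f[0] == "atom":
        return lambda a: f[1] in L[a[i]]
    return lambda a: f[1] not in L[a[i]]

def trans_loop(f, k, l, i):
    """_l[[f]]_k^i: translation for a (k,l)-loop; succ(i) is i+1 unless i = k, then l."""
    op = f[0]
    if op in ("atom", "natom"):
        return atom(f, i)
    if op in ("and", "or"):
        return (AND if op == "and" else OR)(trans_loop(f[1], k, l, i), trans_loop(f[2], k, l, i))
    if op == "X":
        return trans_loop(f[1], k, l, i + 1 if i < k else l)
    window = range(min(i, l), k + 1)          # positions visited from i onwards on the lasso
    parts = [trans_loop(f[1], k, l, j) for j in window]
    return OR(*parts) if op == "F" else AND(*parts)   # "F" is a disjunction, "G" a conjunction

def trans_noloop(f, k, i):
    """[[f]]_k^i: translation without a loop; X beyond the bound and G are never witnessed."""
    op = f[0]
    if op in ("atom", "natom"):
        return atom(f, i)
    if op in ("and", "or"):
        return (AND if op == "and" else OR)(trans_noloop(f[1], k, i), trans_noloop(f[2], k, i))
    if op == "X":
        return trans_noloop(f[1], k, i + 1) if i < k else FALSE
    if op == "F":
        return OR(*[trans_noloop(f[1], k, j) for j in range(i, k + 1)])
    return FALSE   # "G": a finite prefix cannot witness "always"

def bmc_formula(f, k):
    """[[M, f]]_k = [[M]]_k and ((not L_k and [[f]]_k^0) or OR_l (_lL_k and _l[[f]]_k^0))."""
    L_k = OR(*[loop_cond(k, l) for l in range(k + 1)])
    no_loop = AND(lambda a: not L_k(a), trans_noloop(f, k, 0))
    loops = [AND(loop_cond(k, l), trans_loop(f, k, l, 0)) for l in range(k + 1)]
    return AND(unfold(k), OR(no_loop, *loops))

def solve(formula, k):
    """Stand-in for a SAT solver: enumerate every assignment to s_0..s_k."""
    for a in product(S, repeat=k + 1):
        if formula(a):
            return a
    return None

def bmc(f, k):
    """Theorem 2: a satisfying assignment of [[M, f]]_k is a witness path for M |=_k Ef."""
    return solve(bmc_formula(f, k), k)

def reach_threshold():
    """Slide 16: the minimal number of steps from the initial states that reaches
    every reachable state (breadth-first search depth)."""
    depth, frontier, seen = 0, set(I), set(I)
    while frontier:
        nxt = {t for (s, t) in T if s in frontier} - seen
        if not nxt:
            return depth
        seen |= nxt
        frontier = nxt
        depth += 1
    return depth

if __name__ == "__main__":
    Gp = ("G", ("atom", "p"))                 # E G p: a lasso that stays in p-states
    Fnp = ("F", ("natom", "p"))               # E F not p: the counterexample to A G p
    FGnp = ("F", ("G", ("natom", "p")))       # E F G not p: eventually stuck in not-p
    for k in range(reach_threshold() + 1):
        print(f"k={k}: EGp={bmc(Gp, k)} EF¬p={bmc(Fnp, k)} EFG¬p={bmc(FGnp, k)}")
```

Running the demo shows the role of the bound: E G p has no witness at k=0 (state 0 has no self-loop), but the (1,0)-loop 0 -> 1 -> 0 is found at k=1; the counterexample to A G p, a path to the not-p state 2, needs k=2, which is exactly the reachability threshold of this structure, and E F G ¬p is witnessed by the same path closed by the self-loop on state 2. Returning the assignment rather than a bare yes/no matches how a BMC counterexample is reported: the satisfying assignment is the trace.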

  17. Techniques for SAT solving
     - A part of the paper is about techniques for SAT solving.

  18. Experiments
     - BDD-based model checking vs. SAT-based bounded model checking
     - IBM benchmark on 13 hardware designs
     - 16x16 bit sequential shift-and-add multiplier

  19. Experiments
     - Intel benchmark, verifying various circuits
     - Compaq benchmark, verifying an Alpha microprocessor

  20. In conclusion
     - An effective technique
     - Complements BDD-based model checking
     - In some cases both tools are run in parallel, and the first tool that finds a solution terminates the other process.
