Completeness and Complexity of Bounded Model Checking
Ed Clarke
Daniel Kroening
Joel Ouaknine
Carnegie Mellon University, Pittsburgh, USA
Ofer Strichman
Technion, Haifa, Israel
Overview
Bounded Model Checking of LTL: the (traditional) syntactic translation scheme
The semantic translation scheme
The Completeness Threshold problem
A solution to the Completeness Threshold problem
The complexity of Bounded Model Checking (2exp)
The complexity gap and how it can be closed
Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)
Model checking: is M a model of φ (M ⊨ φ)?
Bounded Model Checking (BMC): is there a counterexample to M ⊨ φ up to a given depth k?
BMC is widely accepted as complementary to model checking.
Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)
BMC can be performed with SAT (no need to detect fixpoints).
SAT formulation of BMC: keep k copies of each variable.
Check whether [M]k ∧ [¬φ]k is satisfiable, where:
[M]k represents all traces of M up to length k
[¬φ]k represents all traces of length up to k that satisfy ¬φ
[¬φ]k = (… formulation in the next few slides)
BMC (syntactic) translation (Biere, Cimatti, Clarke, Zhu, 1999)
Generating [φ]k is based on expansion formulas for LTL (Manna & Pnueli):
BMC (syntactic) translation (Biere, Cimatti, Clarke, Zhu, 1999)
The no-loop case (finite traces)
(Figure: expansion rule vs. BMC translation, with the base case at step k; the formulas were not recovered from the slide)
BMC (syntactic) translation (Biere, Cimatti, Clarke, Zhu, 1999)
The loop case (infinite traces)
(Figure: expansion rule vs. BMC translation for a trace that loops back from step k to step l; the formulas were not recovered from the slide)
Successor function: s(i) = i + 1 if i < k, and l otherwise
LTL model checking (Vardi-Wolper)
Given M and φ, construct a Büchi automaton B¬φ
LTL model checking: is M × B¬φ empty?
Emptiness checking: is there a path to a loop with an accepting state?
(Figure: a path from s0 to an accepting loop)
A semantic BMC translation (based on Vardi-Wolper)
(Was mentioned by [De Moura, Rushby, Sorea, 2002] in the context of infinite systems)
“Unroll” k times
Find a witness to G true with the fairness constraint
(Figure: the product unrolled from s0)
Advantages of the semantic translation

| | Syntactic Translation | Semantic Translation |
|---|---|---|
| Size of formula | O(k · \|M\| + k² · \|φ\|) | O(k · \|M\| + k · \|φ\|) |
| Optimizations w.r.t. LTL formulas | None | Efficient Büchi construction from LTL |
| Computing CT | Only for Gp and Fp | Full LTL |
Bounded Model Checking
(Flowchart)
k = 0
BMC(M, φ, k)? yes → counterexample found
no → k++
k ≥ ? no → back to BMC(M, φ, k)
How big should k be?
For every model M and LTL property φ there exists k s.t. BMC up to depth k is complete (it finds a counterexample iff M ⊭ φ).
We call the minimal such k the Completeness Threshold (CT).
Clearly if M ⊨ φ then CT = 0.
Conclusion: computing CT is at least as hard as model checking.
The Completeness Threshold
Computing CT is as hard as model checking.
The value of CT depends on the model M, the property φ, and the translation scheme.
Strategy: find over-approximations to CT based on graph-theoretic properties of M.
Basic notions…
Diameter d(M) = longest shortest path between any two reachable states.
Recurrence Diameter rd(M) = longest loop-free path between any two reachable states.
(Figure: an example graph with d(M) = 2 and rd(M) = 3)
Initialized Diameter dI(M) and Initialized Recurrence Diameter rdI(M): the same notions restricted to paths that start in an initial state.
The Completeness Threshold
Theorem (Biere, Cimatti, Clarke, Zhu, 1999): for Gp properties CT = dI(M)
(Figure: an arbitrary path from s0 ending in a state where p is violated)
Theorem (Kroening, Strichman, 2003): for Fp properties CT = rdI(M) + 1
(Figure: a loop-free path from s0 labelled p p p p p)
Theorem: for an LTL property φ, CT = ?
Completeness threshold for LTL
It cannot be longer than rdI + 1
It cannot be longer than dI + d
Result: min(rdI + 1, dI + d)
(Figure: a path from s0)
CT: examples
(Figure, first example graph from s0: dI + d = 6, rdI + 1 = 4)
(Figure, second example graph from s0: dI + d = 2, rdI + 1 = 4)
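As an added illustration that is not part of the slides, the following Python computes the diameters from the "Basic notions" slide on a small constructed Kripke structure, derives the CT values stated above for Gp, Fp and LTL, and runs the k = 0, 1, 2, … loop of the Bounded Model Checking flowchart for Gp on the explicit graph instead of a SAT formula. The graph EDGES, the labelling P_HOLDS and all function names are constructed for this example; the LTL bound min(rdI + 1, dI + d) is evaluated on M itself here, whereas for the semantic translation it would be taken over the product with the Büchi automaton.

```python
from collections import deque
# Constructed example Kripke structure (not from the slides): states 0..3,
# initial state 0, a successor list per state, and where the proposition p holds.
EDGES = {0: [1, 2], 1: [3], 2: [3], 3: [0]}
INIT = 0
P_HOLDS = {0: True, 1: True, 2: True, 3: False}   # p fails only in state 3

def shortest_paths(src, edges):
    """BFS distances from src; states not reachable from src are absent."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in edges[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def diameter(edges, init, initialized=False):
    """d(M): longest shortest path between reachable states; dI(M): from init only."""
    sources = [init] if initialized else list(shortest_paths(init, edges))
    return max(max(shortest_paths(s, edges).values()) for s in sources)

def recurrence_diameter(edges, init, initialized=False):
    """rd(M): longest loop-free path between reachable states (exhaustive DFS); rdI(M): from init only."""
    def longest_simple(u, visited):
        return max((1 + longest_simple(v, visited | {v})
                    for v in edges[u] if v not in visited), default=0)
    sources = [init] if initialized else list(shortest_paths(init, edges))
    return max(longest_simple(s, {s}) for s in sources)

def completeness_thresholds(edges, init):
    """CT from the slides: Gp -> dI(M); Fp -> rdI(M) + 1; LTL -> min(rdI + 1, dI + d)."""
    d_i, d = diameter(edges, init, True), diameter(edges, init)
    rd_i = recurrence_diameter(edges, init, True)
    return {"Gp": d_i, "Fp": rd_i + 1, "LTL": min(rd_i + 1, d_i + d)}

def bmc_loop(edges, init, p_holds):
    """The flowchart loop for Gp: k = 0; BMC(M, Gp, k); k++ until k reaches CT = dI(M).
    Each round unrolls one more transition; no counterexample up to CT proves M |= Gp."""
    ct = completeness_thresholds(edges, init)["Gp"]
    frontier, seen = {init}, {init}
    for k in range(ct + 1):
        if any(not p_holds[s] for s in frontier):   # BMC(M, Gp, k): a state at depth k violates p
            return ("counterexample", k)
        frontier = {v for u in frontier for v in edges[u]} - seen
        seen |= frontier
    return ("M |= Gp", ct)
```

On EDGES the two diameters differ (dI(M) = 2 but d(M) = 3), so the Gp search stops after three rounds, and relabelling state 3 with p makes the same loop terminate with a proof rather than a counterexample.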
Complexity of BMC
CT ≤ min(rdI + 1, dI + d)
The value of CT can be exponential in the number of state variables.
The BMC SAT formula grows linearly with k.
Conclusion: standard SAT-based BMC is worst-case 2-exp.
The complexity GAP
SAT-based BMC is 2-exp in the number of state variables. LTL model checking is 1-exp in the number of state variables.
So why use BMC?
Finding bugs when k is small.
In many cases rd and d are not exponential and are even rather small.
SAT, in practice, is very efficient.
Closing the complexity gap
Why is there a complexity gap? LTL-MC with 2-dfs:
(Figure: dfs1 and dfs2 over the state graph)
Every state is visited not more than twice.
Closing the complexity gap
2-dfs: each state is visited not more than twice.
SAT: each state can potentially be visited an exponential number of times, because all paths are explored.
Closing the complexity gap (for Gp)
Force a static order, following a forward traversal.
Each time a state i is fully evaluated (assigned):
Prevent the search from revisiting it through deeper paths (by adding conflict clauses).
When backtracking from state i, prevent the search from revisiting it in step i.
If ¬p holds in state i, stop and return “Counterexample found”.
Closing the complexity gap
Is ‘1-exp SAT’ better or worse than BMC?
Bad news:
We gave up the main power of SAT: dynamic splitting heuristics.
We may generate an exponential number of added constraints.
Good news:
Single exp. instead of double exp.
No need to compute CT (instead of pre-computing CT we can maintain a list of states and add their negation ‘when needed’).
Closing the complexity gap
Is restricted SAT better or worse than explicit LTL-MC? Not clear!
Unlike dfs, SAT has heuristics for progressing.
SAT has the ability to prune sets of states.
Comparing the algorithms…

| | 2-dfs LTL MC | Restricted-SAT BMC | SAT-BMC |
|---|---|---|---|
| Time | EXP | EXP2 | 2-EXP |
| Memory* | EXP | EXP2 | EXP |
| Guidance | None | Restricted | Full |
| Pruning | States | Sets of states | Sets of states |

* Assuming the SAT solver restricts the size of its added clauses