
Completeness and Complexity of Bounded Model Checking



  1. Completeness and Complexity of Bounded Model Checking
  Ed Clarke, Daniel Kroening, Joel Ouaknine (Carnegie Mellon University, Pittsburgh, USA)
  Ofer Strichman (Technion, Haifa, Israel)

  2. Overview
  • Bounded Model Checking of LTL: the (traditional) syntactic translation scheme
  • The semantic translation scheme
  • The Completeness Threshold problem
  • A solution to the Completeness Threshold problem
  • The complexity of Bounded Model Checking (2-exp)
  • The complexity gap and how it can be closed

  3. Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)
  • Model checking: is M a model of φ (M ⊨ φ)?
  • Bounded Model Checking (BMC): is there a counterexample to M ⊨ φ up to a given depth k?
  • BMC is widely accepted as a technique complementary to model checking.

  4. Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)
  • BMC can be performed with SAT (no need to detect fixpoints).
  • SAT formulation of BMC:
    • Keep k copies of each variable
    • Check if [M]_k ∧ [¬φ]_k is satisfiable, where:
      [M]_k represents all traces of M up to length k
      [¬φ]_k represents all traces of length up to k that satisfy ¬φ
      [¬φ]_k = (… formulation in next few slides)

  5. BMC (syntactic) translation (Biere, Cimatti, Clarke, Zhu, 1999)
  Generating [φ]_k is based on expansion formulas for LTL (Manna & Pnueli):

  6. BMC (syntactic) translation (Biere, Cimatti, Clarke, Zhu, 1999): the no-loop case (finite traces)
  [figure: BMC translation up to bound k, with the expansion rule and the base case]

  7. BMC (syntactic) translation (Biere, Cimatti, Clarke, Zhu, 1999): the loop case (infinite traces)
  [figure: trace of length k looping back to position l, with the BMC translation, the expansion rule and the base case]
  s(i) = i + 1 if i < k, and l otherwise

  8. LTL model checking (Vardi-Wolper)
  • Given M, φ, construct a Büchi automaton B¬φ
  • LTL model checking: is M × B¬φ empty?
  • Emptiness checking: is there a path from s0 to a loop with an accepting state?

  9. A semantic BMC translation (based on Vardi-Wolper)
  (Was mentioned by [De Moura, Rushby, Sorea, 2002] in the context of infinite systems)
  • "Unroll" ψ k times
  • Find a witness to G true with the fairness constraint
  [figure: unrolling from s0]

  10. Advantages of the semantic translation

  11. Advantages of the semantic translation

  12. Bounded Model Checking
  [flowchart: k = 0; run BMC(M, φ, k); on "no", test k ≥ ?; otherwise k++ and repeat]

  13. How big should k be?
  • For every model M and LTL property φ there exists k s.t.
  • We call the minimal such k the Completeness Threshold (CT)
  • Clearly if M ⊨ φ then CT = 0
  • Conclusion: computing CT is at least as hard as model checking

  14. The Completeness Threshold
  • Computing CT is as hard as model checking
  • The value of CT depends on the model M, the property φ and the translation scheme.
  • Strategy: find over-approximations to CT based on graph-theoretic properties of M

  15. Basic notions…
  • Diameter d(M) = longest shortest path between any two reachable states.
  • Recurrence Diameter rd(M) = longest loop-free path between any two reachable states.
  [figure: example graph with d(M) = 2 and rd(M) = 3]
  • Initialized Diameter dI(M): the same measure, but for paths starting at an initial state
  • Initialized Recurrence Diameter rdI(M): the same, for loop-free paths starting at an initial state

  16. The Completeness Threshold
  • Theorem: for Gp properties CT = dI(M) (Biere, Cimatti, Clarke, Zhu, 1999)
  [figure: path from s0 through states satisfying p]
  • Theorem: for Fp properties CT = rdI(M)+1 (Kroening, Strichman, 2003)
  [figure: arbitrary path from s0 followed by a state satisfying p]
  • Theorem: for an LTL property CT = ?
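The following is an added example, not part of the slides or the authors' tool: an explicit-state (path-enumerating) version of the two checks above. It computes d(M), rd(M), dI(M) and rdI(M) for a small constructed model, runs BMC for Gp (no-loop case: a finite prefix ending in a ¬p state) and for Fp (loop case: a lasso whose states all satisfy ¬p), and drives the slide-12 loop "k = 0; BMC; k++" up to the completeness thresholds CT = dI(M) and CT = rdI(M)+1 stated on this slide. The models, state names and labelling are constructed here for illustration; enumerating every path mirrors the SAT unrolling's behaviour of exploring all paths (slide 23), so it is exponential in general and only meant for tiny models.

```python
"""Added example: explicit-state BMC of Gp / Fp plus the diameter measures
that over-approximate the Completeness Threshold. Models are constructed."""
from collections import deque
from typing import Callable, Dict, List, Optional, Set, Tuple

# A model is (initial state, successor map, set of states where p holds).
Model = Tuple[int, Dict[int, List[int]], Set[int]]


def reachable(init: int, succ: Dict[int, List[int]]) -> Set[int]:
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for t in succ.get(s, []):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def shortest_paths(src: int, succ: Dict[int, List[int]]) -> Dict[int, int]:
    """BFS distances from src to every state reachable from it."""
    dist, q = {src: 0}, deque([src])
    while q:
        s = q.popleft()
        for t in succ.get(s, []):
            if t not in dist:
                dist[t] = dist[s] + 1
                q.append(t)
    return dist


def diameter(m: Model) -> int:
    """d(M): longest shortest path between any two reachable states."""
    init, succ, _ = m
    return max(max(shortest_paths(s, succ).values()) for s in reachable(init, succ))


def initialized_diameter(m: Model) -> int:
    """dI(M): longest shortest path starting at the initial state."""
    init, succ, _ = m
    return max(shortest_paths(init, succ).values())


def longest_simple_path(src: int, succ: Dict[int, List[int]]) -> int:
    """Longest loop-free path from src, by exhaustive DFS (exponential)."""
    best = 0

    def dfs(s: int, depth: int, on_path: Set[int]) -> None:
        nonlocal best
        best = max(best, depth)
        for t in succ.get(s, []):
            if t not in on_path:
                on_path.add(t)
                dfs(t, depth + 1, on_path)
                on_path.remove(t)

    dfs(src, 0, {src})
    return best


def recurrence_diameter(m: Model) -> int:
    """rd(M): longest loop-free path between any two reachable states."""
    init, succ, _ = m
    return max(longest_simple_path(s, succ) for s in reachable(init, succ))


def initialized_recurrence_diameter(m: Model) -> int:
    """rdI(M): longest loop-free path starting at the initial state."""
    init, succ, _ = m
    return longest_simple_path(init, succ)


def paths_up_to(init: int, succ: Dict[int, List[int]], k: int):
    """Yield every path s0..si with i <= k; all paths are explored, like the SAT unrolling."""
    stack = [[init]]
    while stack:
        path = stack.pop()
        yield path
        if len(path) - 1 < k:
            for t in succ.get(path[-1], []):
                stack.append(path + [t])


def bmc_G(m: Model, k: int) -> Optional[List[int]]:
    """Counterexample to Gp within k steps: a finite prefix ending in a ¬p state."""
    init, succ, p = m
    for path in paths_up_to(init, succ, k):
        if path[-1] not in p:
            return path
    return None


def bmc_F(m: Model, k: int) -> Optional[Tuple[List[int], int]]:
    """Counterexample to Fp within k steps: lasso s0..sk with sk -> sl and every state ¬p."""
    init, succ, p = m
    for path in paths_up_to(init, succ, k):
        if any(s in p for s in path):
            continue
        for l, s_l in enumerate(path):
            if s_l in succ.get(path[-1], []):
                return path, l
    return None


def check(m: Model, bmc: Callable, ct: int):
    """Slide-12 loop: raise k until a counterexample appears or k reaches the CT."""
    k = 0
    while True:
        cex = bmc(m, k)
        if cex is not None:
            return False, k, cex          # property violated, witness at depth k
        if k >= ct:
            return True, k, None          # no counterexample up to CT: property holds
        k += 1


# Constructed model: chain 0 -> 1 -> 2 -> 3 with a self-loop on 3.
CHAIN: Dict[int, List[int]] = {0: [1], 1: [2], 2: [3], 3: [3]}
M_GP = (0, CHAIN, {0, 1, 2})      # Gp fails exactly at depth dI(M) = 3
M_FP = (0, CHAIN, {3})            # Fp holds: every infinite path reaches 3
# Constructed model with a p-free loop 1 <-> 2: Fp fails via a lasso.
M_LASSO = (0, {0: [1, 3], 1: [2], 2: [1], 3: [3]}, {3})

if __name__ == "__main__":
    print("d, rd, dI, rdI of chain:", diameter(M_GP), recurrence_diameter(M_GP),
          initialized_diameter(M_GP), initialized_recurrence_diameter(M_GP))
    print("Gp on chain:", check(M_GP, bmc_G, initialized_diameter(M_GP)))
    print("Fp on chain:", check(M_FP, bmc_F, initialized_recurrence_diameter(M_FP) + 1))
    print("Fp on lasso model:", check(M_LASSO, bmc_F, initialized_recurrence_diameter(M_LASSO) + 1))
```

For the chain model, Gp is refuted only when k reaches dI(M) = 3, which is the sense in which the Gp bound is tight; for Fp the loop case matters, and the lasso model is refuted at k = 2, below its threshold rdI(M)+1 = 3. The slide's rdI(M)+1 is used unchanged as the stopping bound; since this encoding's back edge is implicit rather than an extra unrolled step, it over-approximates slightly, which is harmless for completeness.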

  17. Advantages of the semantic translation

  18. Completeness threshold for LTL
  [figure: product automaton unrolled from s0]
  • The CT cannot be longer than rdI(ψ)+1
  • The CT cannot be longer than dI(ψ) + d(ψ)
  • Result: min(rdI(ψ)+1, dI(ψ) + d(ψ))

  19. CT: examples
  [figure: two example graphs, each starting at s0]
  • First example: dI(ψ) + d(ψ) = 2, rdI(ψ) + 1 = 4
  • Second example: dI(ψ) + d(ψ) = 6, rdI(ψ) + 1 = 4

  20. Complexity of BMC
  CT ≤ min(rdI(ψ)+1, dI(ψ) + d(ψ))
  • The value of CT can be exponential in the # of state variables.
  • The BMC SAT formula grows linearly with k
  Conclusion: standard SAT-based BMC is worst-case 2-exp

  21. The complexity GAP
  • SAT-based BMC is 2-exp in the # of state variables.
  • LTL model checking is 1-exp in the # of state variables.
  • So why use BMC?
    • Finding bugs when k is small
    • In many cases rd(ψ) and d(ψ) are not exponential and are even rather small.
    • SAT, in practice, is very efficient.

  22. Closing the complexity gap
  • Why is there a complexity gap?
  • LTL-MC with 2-dfs: dfs1, dfs2 [figure]
  • Every state is visited not more than twice

  23. Closing the complexity gap
  • 2-dfs
    • Each state is visited not more than twice
  • SAT
    • Each state can potentially be visited an exponential no. of times, because all paths are explored.

  24. Closing the complexity gap (for Gp)
  • Force a static order, following a forward traversal
  • Each time a state i is fully evaluated (assigned):
    • Prevent the search from revisiting it through deeper paths (by adding conflict clauses)
    • When backtracking from state i, prevent the search from revisiting it in step i
    • If ¬p_i holds, stop and return "Counterexample found"

  25. Closing the complexity gap
  • Is '1-exp SAT' better or worse than BMC?
  • Bad news:
    • We gave up the main power of SAT: dynamic splitting heuristics.
    • We may generate an exponential no. of added constraints
  • Good news:
    • Single exp. instead of double exp.
    • No need to compute CT. (Instead of pre-computing CT we can maintain a list of states and add their negation 'when needed'.)

  26. Closing the complexity gap
  • Is restricted SAT better or worse than explicit LTL-MC?
  • Not clear!
    • Unlike dfs, SAT has heuristics for progressing.
    • SAT has the ability to prune sets of states

  27. Comparing the algorithms…
  [comparison table not reproduced in the transcript]
  * Assuming the SAT solver restricts the size of its added clauses
