Space-Efficient Bounded Model Checking

Current algorithms for bounded model checking use SAT methods for checking satisfiability of Boolean formulae. These methods suffer from the potential memory explosion problem. Methods based on the validity of Quantified Boolean Formulae (QBF) allow …

Authors: Jacob Katz, Ziyad Hanna, Nachum Dershowitz

Space-Efficient Bounded Model Checking

Jacob Katz¹, Ziyad Hanna¹, Nachum Dershowitz²

¹ Intel Corporation, Haifa, {jacob.katz, ziyad.hanna}@intel.com
² School of Computer Science, Tel Aviv University, Tel Aviv, Israel, nachum.dershowitz@cs.tau.ac.il

Abstract

Current algorithms for bounded model checking use SAT methods for checking satisfiability of Boolean formulae. These methods suffer from the potential memory explosion problem. Methods based on the validity of Quantified Boolean Formulae (QBF) allow an exponentially more succinct representation of formulae to be checked, because no "unrolling" of the transition relation is required. These methods have not been widely used, because of the lack of an efficient decision procedure for QBF. We evaluate the usage of QBF in bounded model checking (BMC), using general-purpose SAT and QBF solvers. We develop a special-purpose decision procedure for QBF used in BMC, and compare our technique with the methods using general-purpose SAT and QBF solvers on real-life industrial benchmarks.

1 Introduction*

Model checking is a technique for the verification of the correctness of a finite-state system with respect to a desired behavior. Symbolic model checking uses image computation to verify properties. Symbolic model checking methods include, among others, BDD-based techniques, SAT-based methods for image computation that use an explicit quantifier elimination, and SAT-based reachability analysis based on "all-solutions" SAT solvers. All these methods suffer from the memory explosion problem on modern test cases. Bounded Model Checking (BMC) with a specific bound k represents the paths of length k in the system by "unrolling" the transition relation k times, and examines whether the set of states falsifying the property is reached by these paths.
To implement a complete model checking procedure, the bound should be increased iteratively up to the length of the longest simple path in the system, causing the number of copies of the transition relation within the formulae being checked for validity to increase from iteration to iteration, up to an exponential number of times, leading, again, to a memory explosion for large systems and large bounds. Induction-based methods provide another technique for estimating whether a bound is sufficient to ensure a full proof, but there are still many cases where the induction depth is exponential in the size of the model. Finally, methods based on Craig interpolation use it as an over-approximation technique for image computation, aimed at reducing the number of iterations of a complete model checking procedure. The interpolants are obtained as a by-product of the SAT solver used to check BMC problems. This technique, like other techniques based on image computation, also suffers from a potential memory blow-up.

In this paper we present a short abstract of our research on the usage of Quantified Boolean Formulae (QBF) for BMC, in which the unrolling of the transition relation is not performed and, thus, the memory explosion problem is avoided. We evaluate available general-purpose QBF solvers, and develop a special-purpose decision procedure for QBF used in BMC. We also compare our technique with the classical SAT-based BMC methods.

* Due to space constraints, references have been omitted in this text.

2 Formulations of the bounded reachability checking problem

Given a system M = (S, I, TR), where S is the set of states, I is the characteristic function of the set of initial states, and TR is the transition relation, the problem of reachability of the final states given by a characteristic function F in exactly k steps can be expressed in a number of ways.
As in classical BMC, the fact that the state Z_k is reachable from the state Z_0 in exactly k steps may be formulated by "unrolling" the transition relation k times:

(1)  $R_k(Z_0, Z_k) := \exists Z_1, \ldots, Z_{k-1} : I(Z_0) \wedge F(Z_k) \wedge \bigwedge_{i=0}^{k-1} TR(Z_i, Z_{i+1})$

The validity of this formula may be proven or disproved by running a SAT decision procedure on its propositional part. Noticeably, the number of copies of the transition relation in this formula equals the number of steps being checked. To partially overcome the potential memory explosion, a QBF formulation of the bounded reachability problem can be used:

(2)  $R_k(Z_0, Z_k) := \exists Z_1, \ldots, Z_{k-1} : I(Z_0) \wedge F(Z_k) \wedge \forall U, V : \left( \bigvee_{i=0}^{k-1} (U \leftrightarrow Z_i) \wedge (V \leftrightarrow Z_{i+1}) \right) \rightarrow TR(U, V)$

Note that (2) contains only one copy of the transition relation. Increasing the bound thus means adding a new intermediate state and a term of the form $(U \leftrightarrow Z_i) \wedge (V \leftrightarrow Z_{i+1})$. Hence, the growth of the formula from iteration to iteration does not depend on the size of the transition relation, which is usually the biggest formula in the specification of the model. Solving (2) with a QBF solver usually requires a transformation of the propositional part of the formula into CNF, which introduces artificial variables, resulting in a QBF with an ∃∀∃ quantifier prefix (the artificial variables are existentially quantified inside the universal block). The number of universally quantified variables does not change in the QBF from iteration to iteration. This approach to reachability checking partially solves the issue of formula growth, reducing the growth of the formula from iteration to iteration, but still requires an exponential number of iterations to fully verify reachability.

Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE'05) 1530-1591/05 $20.00 IEEE
To reduce the number of iterations, it is possible to apply the "iterative squaring" technique, similar to the one used in BDD-based model checking. In this technique, each successive iteration checks the reachability of a final state in twice as many steps as the previous iteration. Given a formula R_{k/2}(X, Y) for checking reachability in k/2 steps, the following formula checks reachability in k steps:

(3)  $R_k(Z_0, Z_k) := \exists Z_{k/2} : I(Z_0) \wedge F(Z_k) \wedge \forall U, V : \left[ \big((U \leftrightarrow Z_0) \wedge (V \leftrightarrow Z_{k/2})\big) \vee \big((U \leftrightarrow Z_{k/2}) \wedge (V \leftrightarrow Z_k)\big) \right] \rightarrow R_{k/2}(U, V)$

The transition relation appears in (3) only once, as in the previously described technique. However, the number of universally quantified variables and the number of quantifier alternations grow from iteration to iteration. This technique allows reducing the number of iterations to the number of state encoding variables in the model. Note that not all bounds are checked by this technique, but only the bounds that are a power of 2. It is possible, however, to overcome this problem by adding a self-loop to each state of the model, which does not change the reachability between states, but rather makes (3) check reachability in k or fewer steps, instead of exactly k steps.

3 BMC using QBF

We have used a bounded model checker to generate the three kinds of formulae mentioned in the previous section. We have evaluated a few available state-of-the-art DPLL-based SAT and QBF solvers to check the feasibility of the QBF formulations of the reachability checking problem on a set of thirteen proprietary Intel® model checking test cases of different sizes. It appeared that the general-purpose QBF solvers were unable to solve practically any of the formulae of the forms (2) and (3), while many of the corresponding propositional formulae of the form (1) were solved by the SAT solvers, the majority of them in a matter of seconds.
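The three formulations of Section 2, evaluated by brute force over a constructed five-state chain, as an added example that is not from the paper or its jSAT implementation. It is a semantic check, not a SAT or QBF solver: `reachable_unrolled` implements (1) with k copies of TR, `reachable_qbf` implements (2) with a single copy of TR and the universal quantifier over (U, V) discharged by enumerating every state pair, and `make_squaring` implements (3) recursively for bounds that are powers of 2. The toy system, the function names and the `with_self_loops` helper (the self-loop trick described above) are assumptions of the example.

```python
"""Brute-force semantics of the bounded-reachability formulations (1), (2), (3).

Constructed toy transition system (not from the paper): states 0..5,
TR is the chain 0 -> 1 -> 2 -> 3 -> 4 with a dead end at 4, I = {0}, F = {4}.
State 4 is therefore reachable in exactly 4 steps and in no other exact bound.
"""
from functools import lru_cache
from itertools import product

STATES = range(6)
TR = frozenset({(0, 1), (1, 2), (2, 3), (3, 4)})  # constructed transition relation


def I(z):  # characteristic function of the initial states
    return z == 0


def F(z):  # characteristic function of the final states
    return z == 4


def with_self_loops(tr):
    """Self-loop trick from Section 2: adding (s, s) for every state turns
    'reachable in exactly k steps' into 'reachable in k or fewer steps'."""
    return frozenset(tr) | frozenset((s, s) for s in STATES)


def reachable_unrolled(k, tr=TR):
    """Formula (1): exists Z_0..Z_k with I(Z_0), F(Z_k) and k copies of TR."""
    return any(
        I(z[0]) and F(z[k]) and all((z[i], z[i + 1]) in tr for i in range(k))
        for z in product(STATES, repeat=k + 1)
    )


def reachable_qbf(k, tr=TR):
    """Formula (2): one copy of TR under 'for all U, V'.
    (OR_i (U <-> Z_i) and (V <-> Z_{i+1})) -> TR(U, V), checked for every pair."""
    def path_ok(z):
        return all(
            (not any(u == z[i] and v == z[i + 1] for i in range(k))) or ((u, v) in tr)
            for u, v in product(STATES, repeat=2)
        )
    return any(I(z[0]) and F(z[k]) and path_ok(z) for z in product(STATES, repeat=k + 1))


def make_squaring(tr):
    """Formula (3): R_k(X, Y) defined from R_{k/2}, for k a power of two."""
    @lru_cache(maxsize=None)
    def R(k, x, y):
        if k == 1:
            return (x, y) in tr  # the only place TR appears
        half = k // 2
        # exists a midpoint M: for all (U, V),
        # ((U <-> X) and (V <-> M)) or ((U <-> M) and (V <-> Y)) -> R_{k/2}(U, V)
        return any(
            all(
                (not ((u == x and v == m) or (u == m and v == y))) or R(half, u, v)
                for u, v in product(STATES, repeat=2)
            )
            for m in STATES
        )
    return R


def reachable_squaring(k, tr=TR):
    """I(Z_0) and F(Z_k) and R_k(Z_0, Z_k) with R_k built by iterative squaring."""
    assert k >= 1 and k & (k - 1) == 0, "iterative squaring only checks bounds that are powers of 2"
    R = make_squaring(tr)
    return any(I(z0) and F(zk) and R(k, z0, zk) for z0, zk in product(STATES, repeat=2))


if __name__ == "__main__":
    for k in (2, 4):
        print(k, reachable_unrolled(k), reachable_qbf(k), reachable_squaring(k))
    print("exactly 8 steps:", reachable_squaring(8))
    print("8 or fewer steps (self-loops added):", reachable_squaring(8, tr=with_self_loops(TR)))
```

All three formulations agree on every bound; the difference the paper cares about is only visible in how the formula is built: (1) materialises k copies of TR, whereas (2) and (3) consult TR in exactly one place and push the path constraint into the quantifier structure instead.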
Motivated by the inefficiency of the general-purpose QBF solvers demonstrated on formulae of the form (2), we develop a special-purpose DPLL-based decision procedure, called jSAT, for formulae of this specific structure. As in (2), jSAT holds in memory the encoding variables representing the states Z_0, Z_1, …, Z_k, U and V, but only holds the following propositional formula:

(4)  $I(Z_0) \wedge TR(U, V) \wedge F(Z_k)$

The states Z_i represent a path; the states U and V represent two neighboring states in that path. Instead of explicitly holding the fact that U and V represent a pair of neighboring states, as done in (2) with the assistance of the terms of the form $(U \leftrightarrow Z_i) \wedge (V \leftrightarrow Z_{i+1})$, our algorithm implicitly assumes this information. The idea of the algorithm is to iteratively associate U and V with a pair of successive states, called the current state and the next state, until all states are decided. Intuitively, the jSAT algorithm can be seen as a depth-first search in the state graph of the system from the initial states to the final ones. The algorithm starts by associating U with Z_0 and V with Z_1; thus formula (4) becomes semantically equivalent to:

(5)  $I(Z_0) \wedge TR(Z_0, Z_1) \wedge F(Z_k)$

The states Z_0 and Z_1 are then decided, if possible, so that Z_0 is an initial state and Z_1 is its successor. As soon as they are decided, the algorithm makes Z_1 the current state and Z_2 the next one. The algorithm proceeds in this way until all states are successfully decided, or until it discovers that such a decision is impossible. The first implementation of our algorithm succeeded in solving 143 out of 234 instances of the form (2) in our test base, compared to 184 corresponding SAT instances solved by the solver on which we based our implementation, and 3 instances solved by the general-purpose QBF solvers, within a 300-second time limit and a 1 GB memory limit.
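The sliding-window search described above, as an added example that is not the paper's jSAT code: an explicit-state depth-first search over a constructed five-state system in which the pair (U, V) is bound to (Z_i, Z_{i+1}), the single TR check of formula (4) is applied to that pair, and the window then advances to (Z_{i+1}, Z_{i+2}) until Z_k is decided or the decision turns out to be impossible and the search backtracks. The toy system, the function name `jsat_like` and the returned backtrack counter are assumptions of the example; the real procedure works on a propositional encoding inside a DPLL solver rather than on an explicit state graph.

```python
"""Depth-first decision of Z_0..Z_k with one copy of TR, in the spirit of jSAT.

Constructed toy system (not from the paper): states 0..4,
TR = {0->1, 1->2, 1->3, 2->2, 3->4}, I = {0}, F = {4}.
The branch 1->2->2->... is a trap that forces the search to backtrack.
"""

TR = {(0, 1), (1, 2), (1, 3), (2, 2), (3, 4)}  # constructed transition relation
INITIAL = {0}
FINAL = {4}


def successors(u, tr):
    """All V with TR(U, V), in a fixed order so the search is deterministic."""
    return sorted(v for (x, v) in tr if x == u)


def jsat_like(k, tr=TR, initial=INITIAL, final=FINAL):
    """Decide the states Z_0..Z_k one neighbouring pair at a time.

    The formula held in memory is (4): I(Z_0) and TR(U, V) and F(Z_k).
    At depth i, U is associated with the already decided Z_i (the current
    state) and V with Z_{i+1} (the next state); the search picks a V with
    TR(U, V) and then advances so that Z_{i+1} becomes the current state.
    When Z_k is reached, F(Z_k) is checked; on failure the last decision is
    undone and the next candidate for V is tried.

    Returns (path, backtracks): the decided states Z_0..Z_k or None, plus
    the number of decisions that had to be undone.
    """
    stats = {"backtracks": 0}

    def extend(path):
        i = len(path) - 1  # index of the current state Z_i
        if i == k:
            return path if path[-1] in final else None  # F(Z_k)
        u = path[-1]  # U := Z_i
        for v in successors(u, tr):  # the single TR(U, V) constraint
            found = extend(path + [v])  # V := Z_{i+1}, then slide the window
            if found is not None:
                return found
            stats["backtracks"] += 1  # decision Z_{i+1} := v led nowhere
        return None

    for z0 in sorted(initial):  # I(Z_0)
        found = extend([z0])
        if found is not None:
            return found, stats["backtracks"]
    return None, stats["backtracks"]


if __name__ == "__main__":
    for k in (2, 3, 5):
        path, backtracks = jsat_like(k)
        print(f"k={k}: path={path}, backtracks={backtracks}")
```

For k = 3 the search first commits to 1 -> 2 -> 2, discovers at depth 3 that state 2 is not final, undoes those decisions and finds 0 -> 1 -> 3 -> 4; at no point does it hold more than one TR constraint, which is the memory property the paper's procedure is built around.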