Laboratory for Theoretical Computer Science, by Keijo Heljanko et al.
AB HELSINKI UNIVERSITY OF TECHNOLOGY
Laboratory for Theoretical Computer Science
Advanced Tutorial on
Bounded Model Checking (BMC)
ACSD’06 - ATPN’06
26th of June 2006
Keijo Heljanko and Tommi Junttila
Keijo.Heljanko@tkk.fi, Tommi.Junttila@tkk.fi
Advanced Tutorial on Bounded Model Checking at ACSD’06 - ATPN’06, Keijo Heljanko and Tommi Junttila – 1/131
Organisers
D.Sc. (Tech.), Academy Research Fellow Keijo Heljanko
Email: Keijo.Heljanko@tkk.fi
Homepage: http://www.tcs.tkk.fi/~kepa/
D.Sc. (Tech.) Tommi Junttila
Email: Tommi.Junttila@tkk.fi
Homepage: http://www.tcs.tkk.fi/~tjunttil/
Our affiliation: Laboratory for Theoretical Computer Science, Helsinki University of Technology (TKK)
Thanks
Thanks to co-authors on papers related to bounded
model checking (in alphabetic order):
Armin Biere, Johannes Kepler University of Linz
Toni Jussila, Johannes Kepler University of Linz
Timo Latvala, University of Illinois at Urbana-Champaign
Ilkka Niemelä, Helsinki University of Technology (TKK)
Jussi Rintanen, National ICT Australia Limited (NICTA)
Viktor Schuppan, ETH Zürich
Tutorial Homepage
All the material of the Tutorial is available as PDF files from the tutorial homepage:
http://www.tcs.tkk.fi/~kepa/bmc-tutorial.html
The PDF ﬁles also contain lots of hyperlinks to
referenced papers, tools, etc.
Software failures
Software is used widely in many applications where a bug
in the system can cause large damage:
Safety critical systems: airplane control systems, medical care, train signalling systems, air traffic control, etc.
Economically critical systems: e-commerce systems,
Internet, microprocessors, etc.
Price of Software Defects
Two very expensive software bugs:
Intel Pentium FDIV bug (1994, approximately $500 million).
Ariane 5 floating point overflow (1996, approximately $500 million).
Pentium FDIV - Software bug in HW
4195835 - ((4195835 / 3145727) * 3145727) = 256
The floating point division algorithm uses an array of constants with 1066 elements. However, only 1061 elements of the array were correctly initialised.
Ariane 5
Exploded 37 seconds after takeoff - the reason was an overflow in a conversion of a 64 bit floating point number into a 16 bit integer.
Finding Bugs in Concurrent Systems
The principal methods for the validation of complex
parallel and distributed systems are:
Testing (using the system itself)
Simulation (using a model of the system)
Deductive verification (mathematical (manual) proof of correctness, in practice done with computer aided proof assistants/theorem provers)
Model Checking (≈ exhaustive testing of a model of
the system)
Why is Testing Hard?
Testing should always be done! However, testing parallel and distributed systems is not always cost effective:
Testing concurrency related problems is often done only when the rest of the system is in place
⇒ fixing bugs late can be very costly.
It is labour intensive to write good tests.
It is hard, if not impossible, to reproduce concurrency bugs encountered in testing.
- Did the bug-fix work?
Testing can only prove the existence of bugs, not their non-existence.
Simulation
The main method for the validation of hardware designs:
When designing new microprocessors, no physical
silicon implementation exists until very late in the
project.
Example: Intel Pentium 4 simulation capacity
(Roope Kaivola, talk at CAV05):
8000 CPUs
Full chip simulation speed 8 Hz (final silicon > 2 GHz).
Amount of real time simulated before tape-out:
around 2 minutes.
Deductive Verification
Proving things correct by mathematical means
(mostly invariants + induction).
Computer aided proof assistants/theorem provers
used to keep you honest and to prove sub-cases.
Very high cost, requires highly skilled personnel:
Only for truly critical systems.
HW examples: Pentium 4 FPU, Pentium 4
register rename logic (Roope Kaivola: 2 man
years, 2 ’time bomb’ silicon bugs found -
thankfully masked by surrounding logic)
Model Checking
In model checking every execution of the model of the system is simulated, obtaining a Kripke structure M describing all its behaviours. M is then checked against a property $\psi$:
Yes: The system functions according to the specified property (denoted $M \models \psi$).
The symbol $\models$ is pronounced “models”, hence the term model checking.
No: The system is incorrect (denoted $M \not\models \psi$), and a counterexample is returned: an execution of the system which does not satisfy the property.
Models and Properties
Figure: from the system and the property to the model checking question. The system is modelled to obtain a system model, and executing the model yields the Kripke structure M; the property is formalized to obtain the formalized property $\psi$; model checking then decides $M \models \psi$ ?
Beneﬁts of Model Checking
In principle automated: Given a system model and a
property, the model checking algorithm is fully
automatic.
Counterexamples are valuable for debugging.
Already the process of modelling catches a large
percentage of the bugs: good for rapid prototyping of
concurrency related features.
Drawbacks of Model Checking
State explosion problem: Capacity limits of model
checkers can be exceeded.
Manual modelling often needed:
Model checker used might not support all
features of the ﬁnal implementation language.
Abstraction used to overcome capacity problems.
Model Checking in the Industry
Microprocessor design: Several major
microprocessor manufacturers use model checking
methods as a part of their design process.
Design of Data-communications Protocol Software:
Model checkers have been used as rapid prototyping
systems for new data-communications protocols
under standardisation.
Mission Critical Software: NASA is model checking code used by its space program.
Operating Systems: Microsoft is using model
checking to verify the correct use of locking
primitives in Windows device drivers.
Modelling Languages
As a language describing system models we can for
example use:
Petri nets,
labelled transition systems (LTSs) and process
algebras,
Java programs,
UML (uniﬁed modelling language) state machines,
Promela language (input language of the Spin model
checker), and
VHDL, Verilog, or SMV languages (mostly for HW design).
Some Model Checking Approaches
Explicit State Model Checking: Tools include Spin, Murφ, Java PathFinder, Maria, PROD, CPN Tools, CADP, etc.
BDD based Symbolic Model Checking: Tools include NuSMV 2, VIS, Cadence SMV, etc.
Bounded Model Checking: Tools include BMC, CBMC, NuSMV 2, VIS, Cadence SMV, etc.
Bounded Model Checking
Originally presented in the paper: Armin Biere,
Alessandro Cimatti, Edmund M. Clarke, Yunshan
Zhu: Symbolic Model Checking without BDDs.
TACAS 1999: 193-207, LNCS 1579.
A closely related approach had already been used earlier to solve artificial intelligence planning problems in: Henry A. Kautz, Bart Selman: Planning as Satisfiability. Proceedings of the 10th European Conference on Artificial Intelligence (ECAI’92): 359-363, 1992, Kluwer.
Basics of Bounded Model Checking
The basic idea is the following: encode all the executions of the system M of length k into a propositional formula $|[M]|_k$.
Conjoin this formula with a formula $|[\neg\psi]|_k$ which is satisfied exactly by those executions of the system of length k which violate the property $\psi$.
If the formula $|[M]|_k \wedge |[\neg\psi]|_k$ is satisfiable, a counterexample has been found.
If the formula $|[M]|_k \wedge |[\neg\psi]|_k$ is unsatisfiable, no counterexample of length k exists.
SAT
The propositional satisfiability problem (SAT) is one of the main instances of NP-complete problems. Thus no polynomial algorithms for SAT are known.
However, there are highly efficient SAT solvers available, such as zChaff and MiniSAT, which are able to solve many bounded model checking problems efficiently.
SAT References
zChaff: Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang, Sharad Malik: Chaff: Engineering an Efficient SAT Solver. DAC 2001: 530-535, ACM.
MiniSAT: Niklas Eén, Niklas Sörensson: An Extensible SAT-solver. SAT 2003: 502-518, LNCS 2919.
SATLive! - Links to SAT related events, tools, position announcements, etc.
SAT race 2006 - In 2006 a “light weight” variant of the SAT solver competition on industrial benchmarks is arranged.
Basic Setup
For simplicity first consider the following setup:
As system models we consider systems whose state vector s consists of n Boolean state variables $\langle s[0], s[1], \ldots, s[n-1] \rangle$.
We take k+1 copies of the system state vector, denoted by $s_0, s_1, \ldots, s_k$.
Let I(s) be the initial state predicate of the system, and $T(s,s')$ be the transition relation, both expressed as propositional formulas.
A Simplifying Assumption
For simplicity we assume $T(s,s')$ to be total for now, i.e., every reachable state s has a successor $s'$ such that $T(s,s')$ holds.
This assumption can and will be dropped later in this
tutorial.
Unrolling the Transition Relation
Now the executions of the system of length k are captured by the formula:
$$|[M]|_k = I(s_0) \wedge \bigwedge_{i=1}^{k} T(s_{i-1}, s_i)$$
For k = 3 this becomes:
$$|[M]|_3 = I(s_0) \wedge T(s_0,s_1) \wedge T(s_1,s_2) \wedge T(s_2,s_3)$$
Circuit BMC Unrolling
Figure: the unrolled circuit $I(s_0) \wedge T(s_0,s_1) \wedge T(s_1,s_2) \wedge T(s_2,s_3)$ for a three-bit state vector, built from OR and AND gates. The initial state predicate constrains $s_0 = \langle 0,0,0 \rangle$; each copy of the transition relation reads the state bits $s_i[0], s_i[1], s_i[2]$ and a free two-bit input vector $i_i = \langle i_i[0], i_i[1] \rangle$ and produces $s_{i+1}$.
What do the input vectors $i_0$, $i_1$, and $i_2$ need to be to reach the state $s_3 = \langle 1,1,1 \rangle$?
Circuit BMC Unrolling Solution
Figure: the same unrolled circuit with the satisfying assignment written on every wire.
The input vectors $i_0 = \langle 1,1 \rangle$, $i_1 = \langle 1,1 \rangle$, and $i_2 = \langle 1,1 \rangle$ will reach the final state $s_3 = \langle 1,1,1 \rangle$.
Expressing Invariants
Suppose the property $\psi$ we want to model check is that an invariant property P(s) holds for every reachable state of the system M.
Now we get that:
$$|[\neg\psi]|_k = \bigvee_{i=0}^{k} \neg P(s_i)$$
Thus for k = 3 this becomes:
$$|[\neg\psi]|_3 = \neg P(s_0) \vee \neg P(s_1) \vee \neg P(s_2) \vee \neg P(s_3)$$
Final formula
Thus the final formula $|[M]|_k \wedge |[\neg\psi]|_k$ for k = 3 becomes:
$$I(s_0) \wedge T(s_0,s_1) \wedge T(s_1,s_2) \wedge T(s_2,s_3) \wedge (\neg P(s_0) \vee \neg P(s_1) \vee \neg P(s_2) \vee \neg P(s_3))$$
If the formula is satisfiable, then an execution of the system of length 3 exists which violates the invariant property P(s) in some state during the execution.
Reachability Diameter
If the formula is unsatisfiable, we have proved that there is no execution of length at most 3 that violates the invariant.
Clearly for every finite state system there is some bound d, called the reachability diameter, such that from the initial state every reachable state is reachable with an execution of length at most d.
By taking $d = 2^n$, where n is the number of state bits, we could guarantee completeness: a system with n state bits has at most $2^n$ states, so no loop-free execution is longer than that.
Unfortunately computing better approximations of d is computationally hard in the general case.
Unsatisﬁable - Increase the bound
Unfortunately the approach of taking $d = 2^n$ is not viable for anything but trivially small systems.
Usually the bound k is only increased by a small amount, say 1, and the procedure is repeated from the beginning until some resource limit (running time, memory, etc.) is hit.
We will show a more refined approach to obtaining completeness later.
BMC: Pros and Cons
Boolean formulas can be more compact than BDDs
Leverages efﬁcient SAT-solver technology
Minimal length counterexamples (often, not always)
Basic method is incomplete (we’ll show some
approaches to obtain completeness later in the
tutorial)
Not always better than BDD-based methods or
explicit state model checking
Alternative Transition Relations
When checking for reachability properties such as the violation of invariants, we can often replace the transition relation $T(s,s')$ with an alternative transition relation definition $T'(s,s')$ provided that:
Every state that is reachable from the initial state $s_0$ using $T(s,s')$ must be reachable from $s_0$ using $T'(s,s')$.
There should not be any new states reachable from $s_0$ using $T'(s,s')$ which are not reachable from $s_0$ using $T(s,s')$.
Encoding the Transition Relation
There are now in fact many different ways to pick and encode an alternative transition relation $T'(s,s')$ if we consider asynchronous systems containing concurrency.
A wish-list of mutually conflicting requirements for $T'(s,s')$ and its encoding:
Compact, hopefully linear in the size of the model.
Covers as many reachable states as possible for each bound k without losing soundness or completeness.
Efficiently solvable by the SAT solver.
Transition Relation Encoding
Note that in the list of requirements we don’t explicitly
list that the number of state variables n should be
minimised.
This is often one of the main things to optimise with a
BDD based symbolic model checker.
Having too compact an encoding of the state vector can lead to losses in the SAT solver efficiency!
More research is needed on how to more efficiently encode transition relations for different classes of systems. There are dramatic performance differences, at least for asynchronous systems.
Asynchronous Systems Case
We consider in this tutorial two simple classes of
asynchronous systems but most of the results will
carry over to more complicated models of
concurrency.
The two system models considered are:
1-bounded Petri nets
Products of labelled transition systems (LTSs)
Petri nets
The class of Petri nets we use are called place/transition nets (P/T-nets). A P/T-net is a tuple $N = (P, T, F, W, M_0)$, where
P is a finite set of places,
T is a finite set of transitions,
$F \subseteq (P \times T) \cup (T \times P)$ is the flow relation,
$W : F \to \mathbb{N} \setminus \{0\}$ is the arc weight mapping, and
$M_0 : P \to \mathbb{N}$ is the initial marking.
Running Example P/T-net
Figure: the running example P/T-net with places p1 to p6 and transitions t1 to t6; its flow relation and initial marking are listed on the next slide.
The running Example
Places P = {p1, p2, p3, p4, p5, p6}.
Transitions T = {t1, t2, t3, t4, t5, t6}.
Flow relation F = {(p1,t1), (t1,p3), (p2,t2), (t2,p4), (p4,t3), (t3,p5), (p3,t4), (p5,t4), (t4,p1), (t4,p2), (p5,t5), (t5,p2), (p5,t6), (t6,p6)}.
Arc weight mapping W(x,y) = 1 for all (x,y) ∈ F.
We use the convention that only arc weights W(x,y) > 1 are drawn next to the arc (x,y), i.e., the default arc weight is 1.
Initial marking $M_0 = \{p1 \mapsto 1, p2 \mapsto 1, p3 \mapsto 0, p4 \mapsto 0, p5 \mapsto 0, p6 \mapsto 0\}$.
Behaviour of P/T-nets
The state of a P/T-net consists of a marking $M : P \to \mathbb{N}$, which tells for each place how many tokens (drawn as black dots) it contains.
The notation M(p) denotes the number of tokens in place p.
In our running example M(p) ≤ 1 for all places p ∈ P, i.e., each place contains at most one token. However, this is not required in general.
Behaviour of P/T-nets
The preset of a node x ∈ P∪T is denoted by •x and defined to be: •x = {y ∈ P∪T | (y,x) ∈ F}.
The preset of a node consists of those nodes from which an arc to x exists. In our running example •t4 = {p3,p5}.
The postset of a node x ∈ P∪T is denoted by x• and defined to be: x• = {y ∈ P∪T | (x,y) ∈ F}.
The postset of a node consists of those nodes to which an arc from x exists. In our running example t4• = {p1,p2}.
Enabling of transitions
A transition t ∈ T is enabled in marking M, denoted t ∈ enabled(M), if and only if (iff from now on) for all p ∈ •t : M(p) ≥ W(p,t).
(All places p which are in the preset of t contain at least the number of tokens specified by W(p,t).)
Firing of transitions
To simplify definitions, we extend W(x,y) to all pairs (x,y) ∈ (P∪T)×(T∪P) as follows: if (x,y) ∉ F then W(x,y) = 0.
The marking $M'$ reached after firing t, denoted $M' = \mathit{fire}(M,t)$, is defined for all p ∈ P as:
$$M'(p) = M(p) - W(p,t) + W(t,p).$$
(First remove as many tokens as given by W(p,t) from all places in the preset of t, and then add as many tokens to all places in the postset of t as denoted by W(t,p).)
Reachability graph
The reachability graph $G = (V, E, M_0)$ is the graph inductively defined as follows:
$M_0 \in V$, where $M_0$ is the initial marking of the net N, and
if M ∈ V then for all t ∈ enabled(M) it holds that $M' = \mathit{fire}(M,t) \in V$ and $(M, t, M') \in E$.
Reachability Graph
Figure: the reachability graph of the running example. Its eight markings are {p1,p2}, {p3,p2}, {p1,p4}, {p3,p4}, {p1,p5}, {p3,p5}, {p1,p6} and {p3,p6}, and its thirteen edges are labelled with the fired transition: t1 (four edges), t2, t3, t5 and t6 (two edges each) and t4 (one edge).
Reachability graph (cnt.)
A place p ∈ P is defined to be k-bounded iff for all reachable markings M ∈ V it holds that M(p) ≤ k.
A net is defined to be k-bounded if all its places are k-bounded.
In the following we consider how to encode the transition relation $T(s,s')$ for 1-bounded P/T-nets only.
Interleaving Executions
When the net is 1-bounded, we will use set notation for markings.
In our running example the initial marking $M_0 = \{p1, p2\}$.
In the initial marking the transition t2 is enabled and its firing leads to the marking $M' = \{p1, p4\}$. We denote this by: $\{p1,p2\}[t2\rangle\{p1,p4\}$.
One interleaving execution of length 4 leading to a deadlock, i.e., a marking with no enabled transitions, is:
$$\{p1,p2\}[t2\rangle\{p1,p4\}[t3\rangle\{p1,p5\}[t6\rangle\{p1,p6\}[t1\rangle\{p3,p6\}$$
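The definitions of the last slides (enabling, firing, the reachability graph, k-boundedness and the interleaving execution) carried out in code. This is an added example written for this page, not code from the tutorial or its authors; the net is the running example exactly as defined above, with every arc weight 1, and the function names (W, enabled, fire, reachability_graph, run_sequence) are mine.

```python
from collections import deque

# Running example N = (P, T, F, W, M0). Every arc of F has weight 1, so F is given
# here as the presets and postsets of the transitions and W is derived from them.
PLACES = ("p1", "p2", "p3", "p4", "p5", "p6")
PRE = {"t1": {"p1"}, "t2": {"p2"}, "t3": {"p4"},
       "t4": {"p3", "p5"}, "t5": {"p5"}, "t6": {"p5"}}
POST = {"t1": {"p3"}, "t2": {"p4"}, "t3": {"p5"},
        "t4": {"p1", "p2"}, "t5": {"p2"}, "t6": {"p6"}}
M0 = {"p1": 1, "p2": 1, "p3": 0, "p4": 0, "p5": 0, "p6": 0}


def W(x, y):
    """Arc weight extended to all pairs: 1 on an arc (p,t) or (t,p) of F, 0 elsewhere."""
    if x in PRE:                                  # (t, p) pair
        return 1 if y in POST[x] else 0
    return 1 if y in PRE and x in PRE[y] else 0   # (p, t) pair


def enabled(M):
    """t is enabled in M iff M(p) >= W(p,t) for every place p in the preset of t."""
    return {t for t in PRE if all(M[p] >= W(p, t) for p in PRE[t])}


def marked(M):
    """Set notation for a 1-bounded marking: the places holding a token."""
    return {p for p in PLACES if M[p] > 0}


def fire(M, t):
    """fire(M, t): M'(p) = M(p) - W(p,t) + W(t,p) for every place p."""
    assert t in enabled(M), f"{t} is not enabled in {marked(M)}"
    return {p: M[p] - W(p, t) + W(t, p) for p in PLACES}


def key(M):
    """Hashable identity of a marking (token counts, so it also works for non-1-bounded nets)."""
    return frozenset(M.items())


def reachability_graph(M0):
    """Breadth-first construction of G = (V, E, M0). Also reports the largest token count
    found in any place (the bound of the net) and the deadlock markings in V."""
    V, E, queue = {key(M0): dict(M0)}, [], deque([key(M0)])
    while queue:
        M = V[queue.popleft()]
        for t in sorted(enabled(M)):
            M2 = fire(M, t)
            E.append((marked(M), t, marked(M2)))       # edge (M, t, M')
            if key(M2) not in V:                       # new marking: add to V and explore it
                V[key(M2)] = M2
                queue.append(key(M2))
    bound = max(M[p] for M in V.values() for p in PLACES)
    deadlocks = [marked(M) for M in V.values() if not enabled(M)]
    return list(V.values()), E, bound, deadlocks


def run_sequence(M0, transitions):
    """Interleaving execution M0 [t1> M1 [t2> ... ; returns the markings in set notation."""
    M, trace = dict(M0), [marked(M0)]
    for t in transitions:
        M = fire(M, t)
        trace.append(marked(M))
    return trace


if __name__ == "__main__":
    V, E, bound, deadlocks = reachability_graph(M0)
    print(len(V), "markings,", len(E), "edges, net is", f"{bound}-bounded, deadlocks:", deadlocks)
    print(run_sequence(M0, ["t2", "t3", "t6", "t1"]))
```

Running the script rebuilds the reachability graph from $M_0$ by breadth-first search and confirms the eight markings and thirteen edges of the figure, that every place is 1-bounded, and that {p3,p6} is the only deadlock; run_sequence replays the length-4 interleaving execution and ends in that deadlock.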
Conjunctive Normal Form (CNF)
The SAT solvers mentioned so far require the problem to be mapped into the so called conjunctive normal form (CNF).
A literal is either a propositional variable x or its negation ¬x. A formula is in conjunctive normal form if it is a conjunction of clauses, where each clause is a disjunction of literals.
Example: (x∨¬y∨¬z)∧(¬x∨y)∧(¬x∨z) is in CNF.
Using CNF formulas makes the implementation techniques inside SAT solvers simpler, which often leads to more efficient implementations.
Constrained Boolean Circuit SAT
To raise the abstraction level a bit, in this tutorial we will use constrained Boolean circuit SAT instead of CNF.
They are Boolean circuits where some of the output gates are constrained to true, while others can be constrained to false.
The solver now has to find a valuation for the input variables of the circuit that makes the value computed by the circuit match every constraint.
Boolean Circuit Format
The format of the circuits used is described in http://www.tcs.hut.fi/~tjunttil/circuits/index.html.
The page also contains constrained Boolean circuit front-ends to the zChaff and MiniSAT solvers, which internally convert the Boolean circuits into CNF.
From Circuits to CNF
The page mentioned above also contains a tool called bc2cnf, with which you can obtain CNF formulas for other CNF based solvers.
The translation to CNF is based on the Tseitin CNF encoding (see, e.g., page 562 of Towards an Efficient Tableau Method for Boolean Circuit Satisfiability Checking. Computational Logic 2000: 553-567, LNCS 1861.)
Tseitin encoding introduces one new variable for each gate of the Boolean circuit, and then encodes the value of that gate with a small equivalence, translated into CNF.
From Circuits to CNF (cnt.)
An AND gate x := AND(y,z); would become:
x ⇔ (y∧z), and translated into CNF would give:
(x∨¬y∨¬z)∧(¬x∨y)∧(¬x∨z)
An OR gate x := OR(y,z); would become:
x ⇔ (y∨z), and translated into CNF would give:
(¬x∨y∨z)∧(x∨¬y)∧(x∨¬z)
A constraint x := true; will contribute to the CNF: x.
A constraint x := false; will contribute to the CNF: ¬x.
Cardinality Gates
We also use a special gate type called the cardinality gate: $x := [0,1](a_0, a_1, \ldots, a_{m-1});$ which evaluates to true iff at most one of the m input variables $\{a_0, a_1, \ldots, a_{m-1}\}$ is true.
This can be simulated with m new variables $b_i$ as follows: $b_0 := \mathit{false};$ for all $1 \le i \le m-1$ we have $b_i := b_{i-1} \vee a_{i-1};$ and the final value is obtained by $x := \neg((a_1 \wedge b_1) \vee \cdots \vee (a_{m-1} \wedge b_{m-1}));$.
There are also other linear size translations for replacing the cardinality gates with ANDs and ORs; the one above is picked for its simplicity.
Cardinality Gates (cnt.)
There is another $O(m^2)$ translation which does not introduce any new variables.
It seems to have better performance for small values of m in CNF based SAT solvers.
The use of cardinality gates is a vital ingredient to obtain a small encoding of the transition relation $T(s,s')$ for asynchronous systems.
The Transition Relation Encoding
The following encoding is almost identical to the one in: Keijo Heljanko: Bounded Reachability Checking with Process Semantics. CONCUR 2001: 218-232, LNCS 2154.
Running Example (recap)
Figure: the running example P/T-net (places p1 to p6, transitions t1 to t6), repeated for reference.
State Variables and Inputs
We now show how, given a 1-bounded P/T-net, its transition relation can be encoded into a constrained Boolean circuit.
The mapping has the following intuition:
The state vector bit $p_j(i)$ (= $s_i[j]$) will be true iff in state $s_i$ the place $p_j$ contains a token. For example $p_3(0)$ is the variable corresponding to the place p3 at the initial state $s_0$.
The Boolean circuit will have one free input variable $t_j(i)$ for each transition $t_j \in T$ and each transition relation instance $0 \le i \le k-1$. If $t_j(i)$ is true, then the transition $t_j$ is fired at time i.
P/T-net Transition Relation Unrolling
Figure: unrolling of the P/T-net transition relation for k = 3. The state vectors $s_0, \ldots, s_3$ consist of the place variables $p_1(i), \ldots, p_6(i)$; the initial marking $I(s_0)$ fixes $p_1(0) = p_2(0) = 1$ and $p_3(0) = \cdots = p_6(0) = 0$, and each instance $T(s_i, s_{i+1})$ reads the free transition inputs $t_1(i), \ldots, t_6(i)$.
Initial Marking
Handling the initial marking is easy, and goes as follows:
For each $p_j \in P$ such that $M_0(p_j) = 1$, set $p_j(0) := \mathit{true};$
For each $p_j \in P$ such that $M_0(p_j) = 0$, set $p_j(0) := \mathit{false};$
Token Updating
For each place $p_j \in P$ and time $1 \le i \le k$ create the following gates:
$gp_j(i) := \mathrm{OR}(t_1(i-1), t_2(i-1), \ldots, t_l(i-1));$, where $\bullet p_j = \{t_1, t_2, \ldots, t_l\}$. This gate models the generation of a token to $p_j$.
$rp_j(i) := \mathrm{OR}(t_1(i-1), t_2(i-1), \ldots, t_l(i-1));$, where $p_j \bullet = \{t_1, t_2, \ldots, t_l\}$. This gate models the removal of a token from $p_j$.
$p_j(i) := gp_j(i) \vee (p_j(i-1) \wedge \neg rp_j(i));$. A token exists in $p_j$ if either a new one was generated, or an old one existed and it was not removed.
Translation for Place p5
[Figure: gates for place p5, where •p5 = {t3} and p5• = {t4,t5,t6}: gp5(i) := OR(t3(i−1)); rp5(i) := OR(t4(i−1),t5(i−1),t6(i−1)); nrp5(i) := ¬rp5(i); fp5(i) := p5(i−1) ∧ nrp5(i); p5(i) := gp5(i) ∨ fp5(i)]
Transition Enabling
We should also rule out models where a transition
tj ∈ T is fired at time 0 ≤ i ≤ k−1 without being
enabled. This is done with the following gates:
Create a gate
ptj(i) := AND(p1(i),p2(i),...,pl(i)), where
•tj = {p1,p2,...,pl}. This gate is true when the
transition tj is enabled.
Disallow the firing of disabled transitions with a
gate ttj(i) := ¬tj(i) ∨ ptj(i), where ttj(i) is
constrained to true. (This is simply a constrained
Boolean circuit encoding of tj(i) ⇒ ptj(i).)
Translation for Transition t4
[Figure: gates for transition t4, where •t4 = {p3,p5}: pt4(i) := AND(p3(i),p5(i)); nt4(i) := ¬t4(i); tt4(i) := nt4(i) ∨ pt4(i), constrained to true (marked ⊤)]
Removing Conﬂicting Transitions
The encoding so far allows several transitions to
be fired concurrently even if they are in conflict.
We disallow this by adding the following gate at
each time point 0 ≤ i ≤ k−1:
rc(i) := [0,1](t1(i),t2(i),...,tl(i)), where
T = {t1,t2,...,tl} and the cardinality gate [0,1] is
true iff at most one of its inputs is true. We also
constrain the gate rc(i) to true.
The gate rc(i) removes the possibility of two
conflicting transitions firing at the same time
point, because at most one transition is allowed
to fire at each time point.
Removing Conflicts
[Figure: rc(i) := [0,1](t1(i),t2(i),t3(i),t4(i),t5(i),t6(i)), constrained to true]
Interleaving Semantics
All parts of the encoding taken together give a
constrained Boolean circuit encoding of T(s,s′) for
the interleaving semantics.
The interleaving semantics is the standard textbook
semantics of P/T-nets where at most one transition is
allowed to ﬁre at each time point.
The size of the encoding is linear in both the size of
the input P/T-net and the bound k.
Optional Idling Removal
The circuit as shown above allows that no transition
is fired at some index i of the execution (idling).
It is easy to disallow this by introducing, for all
0 ≤ i ≤ k−1, a gate
idle(i) := ¬(OR(t1(i),t2(i),...,tl(i))), where
T = {t1,t2,...,tl}. We can now optionally constrain
the gate idle(i) to false to remove idling.
If idling is not removed, the encoding has models
corresponding to all executions of length k or less.
When idling is removed, the encoding has models
corresponding to all executions of exactly length k.
Deadlock Detection
We now assume idling has not been removed, and
also drop the assumption that T(s,s′) is total.
Deadlocking executions of length k or less can now
be captured by adding the following constraint on the
places pj(k):
First add the translation of the transition preset gates
ptj(i) also for the index i = k.
Add a gate
dead(k) := ¬(OR(pt1(k),pt2(k),...,ptl(k)));,
where T = {t1,t2,...,tl}. Constrain the gate dead(k)
to true to capture executions leading to a state where
no transition is enabled: a deadlock state.
Deadlock Checking Demo (1/3)
$ cat running.net
P = [’p1’,’p2’,’p3’,’p4’,’p5’,’p6’]
T = [’t1’,’t2’,’t3’,’t4’,’t5’,’t6’]
F = [[’p1’,’t1’],[’t1’,’p3’],
[’p2’,’t2’],[’t2’,’p4’],
[’p4’,’t3’],[’t3’,’p5’],
[’p3’,’t4’],[’p5’,’t4’],[’t4’,’p1’],[’t4’,’p2’],
[’p5’,’t5’],[’t5’,’p2’],
[’p5’,’t6’],[’t6’,’p6’]]
M_0 = [’p1’,’p2’]
bound = 4
semantics = "interleaving"
$ 1b-pn-bmc < running.net | bczchaff | cex-print
{p1, p2}[t1>{p2, p3}[t2>{p3, p4}[t3>{p3, p5}[t6>{p3, p6}
Deadlock Checking Demo (2/3)
$ 1b-pn-bmc < running.net | bczchaff -v
Parsing from stdin
The circuit has 196 gates
The input gates are: t6_3 t3_3 t2_3 t5_3 t1_3 t4_3 t6_2 t3_2 t2_2 t5_2 t1_2 t4_2 t6_1 t3_1 t2_1 t5_1
t1_1 t4_1 t6_0 t3_0 t2_0 t5_0 t1_0 t4_0
The circuit has 138 gates and 153 edges after simpliﬁcation
The circuit has 83 gates and 134 edges after sharing
The circuit has 75 gates and 92 edges after simpliﬁcation
The circuit has 59 gates and 89 edges after sharing
The circuit has 54 gates and 66 edges after simpliﬁcation
The circuit has 48 gates and 65 edges after sharing
The circuit has 48 gates and 65 edges after simpliﬁcation
The circuit has 48 gates and 65 edges after sharing
The circuit has 56 gates after normalization
The circuit has 56 gates and 71 edges after simpliﬁcation
The circuit has 52 gates and 71 edges after sharing
The circuit has 52 gates and 71 edges after simpliﬁcation
The circuit has 52 gates and 71 edges after sharing
The max-min height of the circuit is 2
The max-max height of the circuit is 4
The circuit has 46 relevant gates
The circuit has 10 relevant input gates
The cnf has 37 variables and 96 clauses
Deadlock Checking Demo (3/3)
Executing zchaff...
Max Decision Level 1
Num. of Decisions 2
Original Num Clauses 96
Original Num Literals 200
Added Conﬂict Clauses 0
Added Conﬂict Literals 0
Deleted Unrelevant clause 0
Deleted Unrelevant literals 0
Number of Implication 37
˜live_4 ˜gp4_4 ˜t2_3 ˜gp5_4 ˜t3_3 ˜gp1_4 ˜t4_3 ˜t5_3 ˜gp1_2 ˜t4_1 ˜t5_1 ˜t5_0 ˜gp1_1
˜t4_0 ˜p5_4 ˜p4_4 ˜p2_4 ˜p1_4 ˜p6_2 ˜gp6_2 ˜t6_1 ˜p6_1 ˜gp6_1 ˜t6_0 ˜p5_1 ˜gp5_1
˜t3_0 ˜p6_0 ˜p5_0 ˜p4_0 ˜p3_0 ˜gp1_3 ˜t4_2 ˜t5_2 ˜gp2_1 ˜gp2_2 ˜gp2_4 ˜gp4_3 ˜t2_2
˜p4_3 ˜p2_3 ˜gp2_3 rc1 rc2 gate13 gate15 gate16 gate11 gate10 gate9 rc0 gate5 gate4 gate3
gate2 gate1 gate0 p2_0 p1_0 gate19 gate20 gate21 gate22 rc3 gate23 gate18 p6_4 gp6_4 t6_3
p3_4 ˜gp3_4 ˜t1_3 gate17 gate14 gate12 p5_3 ˜p6_3 ˜gp6_3 ˜t6_2 gp5_3 t3_2 p3_3 ˜p1_3
˜gp3_3 ˜t1_2 gate8 gate7 gate6 p4_2 ˜p5_2 ˜gp5_2 ˜t3_1 p3_2 ˜p2_2 gp4_2 t2_1 ˜p1_2
˜gp3_2 ˜t1_1 p2_1 ˜p4_1 ˜gp4_1 ˜t2_0 ˜p1_1 p3_1 gp3_1 t1_0
Satisﬁable
Step Semantics
An old well known semantics from the theory of Petri
nets is the so called step semantics.
This is not the same as maximal step semantics.
The idea is the following: Instead of firing a single
enabled transition at each marking M, we can fire a
step: a set of enabled transitions S ⊆ enabled(M) at
a time point, provided they are all pairwise concurrent:
For all pairs of distinct transitions t,t′ ∈ S it holds
that •t ∩ •t′ = ∅.
Note: It is straightforward to prove that, because
we only consider 1-bounded P/T-nets here, actually
also (•t ∪ t•) ∩ (•t′ ∪ t′•) = ∅ holds.
Step Reachability graph
Step reachability graph Gs = (V,E,M0) is the graph
inductively defined as follows:
M0 ∈ V, where M0 is the initial marking of the net N,
and
if M ∈ V then for all S ⊆ enabled(M) such that S is a
step it holds that M′ = fire(M,S) ∈ V and
(M,S,M′) ∈ E.
Some Properties of Steps
If a set of transitions S = {t1,t2,...,tl} is step
enabled in M, then all the l! interleaving executions
obtained by sequentialising S in all orders are
enabled interleaving executions in M, and they all
lead to the same ﬁnal state.
An intuition why this is the case: Because
(•t ∪ t•) ∩ (•t′ ∪ t′•) = ∅, the transitions t and t′
happen “in different parts of the system”, and thus
cannot influence each other in any way.
Thus fire(M,S) from the previous slide can be
defined as: fire(...(fire(fire(M,t1),t2),...),tl).
Step Reachability Graph
[Figure: step reachability graph of the running example with the markings {p1,p2}, {p3,p2}, {p1,p4}, {p3,p4}, {p1,p5}, {p3,p5}, {p1,p6} and {p3,p6}; besides the single-transition edges t1,...,t6 it contains the step edges {t1,t2}, {t1,t3}, {t1,t5} and {t1,t6}]
Properties of Step Graphs
Because all singleton sets are also steps, the
(interleaving) reachability graph is always a subgraph
of the step reachability graph.
Because the final state reached after firing a step is
the final state of every interleaving of the step, no
new reachable states have been introduced.
The reachability diameter of the system is in the
worst case as big as in the interleaving case.
In the best case the diameter has become smaller
than the interleaving diameter, because a step with o
transitions has to be simulated with o time steps in
the interleaving reachability graph.
Running Example: Steps
We extend the notation M[t⟩M′ to also denote the
firing of steps: M[S⟩M′.
In the running example one step execution of length
3 leading to the deadlock marking {p3,p6} is:
{p1,p2}[t2⟩{p1,p4}[t1,t3⟩{p3,p5}[t6⟩{p3,p6}
Recall that the shortest execution to {p3,p6} was of
length 4 in the interleaving reachability graph.
⇒ Using step semantics allows one to sometimes
detect errors with smaller bounds.
Encoding the Step Semantics
It is easy to modify the interleaving transition relation
encoding to encode step semantics instead.
The only thing we have to remove is the encoding of
gate rc(i), which restricts the number of ﬁred
transitions to at most one as required by the
interleaving case.
A set of constraints has to be added to rule out
two conflicting transitions firing in the same
step.
Steps: Removing Conﬂicts
For each place pj ∈ P and each step 0 ≤ i ≤ k−1
we add the following gate, which disallows the
concurrent firing of transitions that are not
concurrent because both have the place pj in their
preset:
ncpj(i) := [0,1](t1(i),t2(i),...,tl(i)), where
pj• = {t1,t2,...,tl}. We also constrain the gate
ncpj(i) to true.
Steps: Removing Conflicts wrt. p5
[Figure: ncp5(i) := [0,1](t4(i),t5(i),t6(i)), constrained to true]
Demo with Step Semantics (1/3)
$ cat step-running.net
P = [’p1’,’p2’,’p3’,’p4’,’p5’,’p6’]
T = [’t1’,’t2’,’t3’,’t4’,’t5’,’t6’]
F = [[’p1’,’t1’],[’t1’,’p3’],
[’p2’,’t2’],[’t2’,’p4’],
[’p4’,’t3’],[’t3’,’p5’],
[’p3’,’t4’],[’p5’,’t4’],[’t4’,’p1’],[’t4’,’p2’],
[’p5’,’t5’],[’t5’,’p2’],
[’p5’,’t6’],[’t6’,’p6’]]
M_0 = [’p1’,’p2’]
bound = 3
semantics = "step"
$ 1b-pn-bmc < step-running.net | bczchaff | cex-print
{p1, p2}[t2>{p1, p4}[t1, t3>{p3, p5}[t6>{p3, p6}
Demo with Step Semantics (2/3)
$ 1b-pn-bmc < step-running.net | bczchaff -v
Parsing from stdin
The circuit has 149 gates
The input gates are: t6_2 t3_2 t2_2 t5_2 t1_2 t4_2 t6_1 t3_1 t2_1 t5_1 t1_1 t4_1 t6_0 t3_0 t2_0 t5_0 t1_0 t4_0
The circuit has 99 gates and 92 edges after simpliﬁcation
The circuit has 48 gates and 74 edges after sharing
The circuit has 39 gates and 33 edges after simpliﬁcation
The circuit has 27 gates and 32 edges after sharing
The circuit has 24 gates and 16 edges after simpliﬁcation
The circuit has 14 gates and 16 edges after sharing
The circuit has 14 gates and 16 edges after simpliﬁcation
The circuit has 14 gates and 16 edges after sharing
The circuit has 14 gates after normalization
The circuit has 14 gates and 16 edges after simpliﬁcation
The circuit has 14 gates and 16 edges after sharing
The max-min height of the circuit is 2
The max-max height of the circuit is 3
The circuit has 10 relevant gates
The circuit has 3 relevant input gates
The cnf has 8 variables and 15 clauses
Demo with Step Semantics (3/3)
Executing zchaff...
Max Decision Level 2
Num. of Decisions 3
Original Num Clauses 15
Original Num Literals 31
Added Conﬂict Clauses 0
Added Conﬂict Literals 0
Deleted Unrelevant clause 0
Deleted Unrelevant literals 0
Number of Implication 8
˜p2_1 ˜p2_2 ˜p4_2 ˜t2_1 ˜gp4_2 ˜gp2_3 ˜gp2_2 ˜gp2_1 ˜p3_0 ˜p4_0 ˜p5_0 ˜p6_0 ˜t3_0 ˜gp5_1 ˜p5_1 ˜t6_0
˜gp6_1 ˜p6_1 ˜t6_1 ˜gp6_2 ˜p6_2 ˜p1_3 ˜p2_3 ˜p4_3 ˜p5_3 ˜t4_0 ˜gp1_1 ˜t5_0 ˜t5_1 ˜t2_2 ˜gp4_3 ˜t3_2
˜gp5_3 ˜t4_1 ˜gp1_2 ˜t4_2 ˜gp1_3 ˜t5_2 ˜live_3 t2_0 gp4_1 p4_1 t3_1 gp5_2 p5_2 gate7 gate8 t6_2
gp6_3 p6_3 gate16 gate15 gate14 gate13 ncp5_2 p1_0 p2_0 gate0 gate1 gate2 gate3 gate4 gate5
gate9 gate10 gate11 ncp5_0 ncp5_1 gate17 gate12 p3_3 ˜gp3_3 ˜t1_2 gate6 p3_2 ˜p1_2 gp3_2 t1_1
p1_1 ˜p3_1 ˜gp3_1 ˜t1_0
Satisﬁable
Interleaving vs. Steps
We have not yet found a domain where the
interleaving encoding would be superior in
performance to the step encoding.
Quite often even small reductions in the required
bound translate to large performance differences.
The step encoding also is more “local” than the
interleaving encoding:
Parts of the system which do not share resources
are never linked together as done by the rc(i)
gate in the interleaving case.
This might have SAT performance implications.
Running Example (recap2)
[Figure: the running example P/T-net, repeated]
Process Semantics
In our running example there are three step
executions of length 3 leading to the deadlock
marking {p3,p6}:
{p1,p2}[t2⟩{p1,p4}[t3⟩{p1,p5}[t1,t6⟩{p3,p6}
{p1,p2}[t2⟩{p1,p4}[t1,t3⟩{p3,p5}[t6⟩{p3,p6}
{p1,p2}[t1,t2⟩{p3,p4}[t3⟩{p3,p5}[t6⟩{p3,p6}
Intuitively they all correspond to a concurrent execution
where “the component on the left” executes t1, and
“the component on the right” executes the sequence
t2,t3,t6.
Process Semantics (cnt.)
Can we somehow pick a unique canonical
representative of such “concurrent” behaviour, and
thus reduce the number of different executions the
SAT solver has to consider?
The answer turns out to be positive. The resulting
semantics will be called process semantics.
There is even a compact SAT encoding to capture
the process semantics!
The Process Normal Form
A step execution M0[S0⟩M1[S1⟩···Mk−1[Sk−1⟩Mk is
in process normal form iff for every index i ≥ 1 and
every transition tj ∈ Si it holds that:
There is some transition t′ ∈ Si−1 such that
t′• ∩ •tj ≠ ∅.
Process Normal Form Intuition
Intuitively the above means: In a step execution in
process normal form each transition is executed at
the earliest time moment all its tokens are available.
In the SAT encoding setting this means that a
transition should be enabled only if one of its tokens
has been generated in the previous step.
Thus the process execution for the example is:
{p1,p2}[t1,t2⟩{p3,p4}[t3⟩{p3,p5}[t6⟩{p3,p6}
Normalising a Step Execution
By repeatedly running the following simple algorithm
each step execution M0[S0⟩M1[S1⟩···Mk−1[Sk−1⟩Mk
can be converted into a process execution of at
most the same length leading to the same final
state:
Take a transition tj ∈ Si which violates the
process condition.
Remove tj from Si and add it to Si−1.
The proof is simple; one has to show that: (i) tj is
already enabled in Mi−1, the marking in which Si−1
fires, and (ii) Si−1 contains no transitions in
conflict with tj.
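The step firing rule, the “all l! sequentialisations agree” property and the normalisation algorithm above, executed on the running example. This is an added example, not code from the tutorial: fire and is_step implement the step firing rule of the slides, interleavings_agree checks the sequentialisation claim, normalise is the move-one-step-earlier algorithm, and replay validates its result by simulation. The arc list is the tutorial's running example; the function names are this example's own.

```python
from itertools import permutations

# Arcs of the tutorial's running example (place -> transition, transition -> place).
ARCS = [("p1", "t1"), ("t1", "p3"), ("p2", "t2"), ("t2", "p4"), ("p4", "t3"),
        ("t3", "p5"), ("p3", "t4"), ("p5", "t4"), ("t4", "p1"), ("t4", "p2"),
        ("p5", "t5"), ("t5", "p2"), ("p5", "t6"), ("t6", "p6")]
TRANS = ["t1", "t2", "t3", "t4", "t5", "t6"]
PRE = {t: {p for p, u in ARCS if u == t} for t in TRANS}    # •t
POST = {t: {q for u, q in ARCS if u == t} for t in TRANS}   # t•


def is_step(marking, step):
    """S is a step in M iff every t in S is enabled and the presets are pairwise disjoint."""
    ts = sorted(step)
    return all(PRE[t] <= marking for t in ts) and all(
        not (PRE[a] & PRE[b]) for i, a in enumerate(ts) for b in ts[i + 1:])


def fire(marking, step):
    """fire(M, S) for a 1-bounded net: remove all presets, then add all postsets."""
    if not is_step(marking, step):
        raise ValueError(f"{sorted(step)} is not a step in {sorted(marking)}")
    consumed = set().union(*(PRE[t] for t in step))
    produced = set().union(*(POST[t] for t in step))
    return (marking - consumed) | produced


def interleavings_agree(marking, step):
    """Every sequentialisation of a step is enabled and ends in fire(M, S)."""
    target = fire(marking, step)
    for order in permutations(step):
        m = marking
        for t in order:
            m = fire(m, {t})
        if m != target:
            return False
    return True


def violates(steps, i, t):
    """Process condition fails for t in S_i (i >= 1): no t' in S_{i-1} with t'• ∩ •t ≠ ∅."""
    return i >= 1 and not any(POST[u] & PRE[t] for u in steps[i - 1])


def normalise(steps):
    """Repeatedly move a violating transition from S_i to S_{i-1}; drop empty steps.
    Returns the process normal form as a list of frozensets."""
    steps = [set(s) for s in steps]
    changed = True
    while changed:
        changed = False
        for i in range(1, len(steps)):
            for t in sorted(steps[i]):
                if violates(steps, i, t):
                    steps[i].remove(t)
                    steps[i - 1].add(t)
                    changed = True
    return [frozenset(s) for s in steps if s]   # empty steps can only be trailing


def replay(marking, steps):
    """Markings M0..Mk reached by firing the steps; raises if some S_i is not a step."""
    marks = [frozenset(marking)]
    for s in steps:
        marks.append(frozenset(fire(set(marks[-1]), s)))
    return marks


if __name__ == "__main__":
    for run in ([{"t2"}, {"t3"}, {"t1", "t6"}], [{"t2"}, {"t1", "t3"}, {"t6"}],
                [{"t1"}, {"t2"}, {"t3"}, {"t6"}]):
        pnf = normalise(run)
        print([sorted(s) for s in pnf], "->", sorted(replay({"p1", "p2"}, pnf)[-1]))
```

All three step executions of length 3 from the slides, and also the interleaving execution t1,t2,t3,t6 of length 4, normalise to the same process execution {t1,t2}, {t3}, {t6}, and replaying it ends in the deadlock marking {p3,p6}; the interleaving case shows the “at most the same length” claim, since the emptied fourth step is dropped.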
Process
As a graphical presentation of the process we can again
use a P/T-net:
[Figure: the process (occurrence) net with conditions b1(p2), b2(p1), b3(p4), b4(p3), b5(p5), b6(p6) and events e1(t2), e2(t1), e3(t3), e4(t6), each labelled with the place or transition of the original net it represents]
The step executions in process normal form correspond to
slicing the net one level at a time starting from the left.
Properties of Processes
Each state of the system is reachable by a process
execution that is among the shortest step executions
to reach that state.
Thus the set of reachable states is preserved.
Furthermore, the process reachability diameter is
never larger than the step reachability diameter.
There are at most as many process executions of
length k as there are interleaving executions of
length k.
There can be exponentially more step and
interleaving executions of length k than there are
process executions.
Encoding Process Semantics
Take the encoding for the step semantics but change
the transition enabling gate deﬁnition for all i > 0:
For each transition tj ∈ T and time 1 ≤ i ≤ k−1 use
the following gates (for i = 0 use the step version):
Create a gate
ptj(i) := AND(p1(i),p2(i),...,pl(i),
OR(gp1(i),gp2(i),...,gpl(i)));, where
•tj = {p1,p2,...,pl}. This gate is true when the
transition tj is enabled, and at least one of the
tokens has been freshly generated.
Add gate: ttj(i) := ¬tj(i)∨ ptj(i), and constrain
it to true.
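The complete encoding, executed: the interleaving gates (initial marking, token updating, enabling, rc(i) and dead(k)), the step variant with ncpj(i) in place of rc(i), and the process variant with the fresh-token enabling gate. This is an added example, not code from the tutorial or its 1b-pn-bmc/bczchaff tool chain; it flattens the constrained circuit to CNF with Tseitin gates and solves it with a minimal DPLL so that it runs offline on the running example. The Cnf class, the solver and the function names are this example's own choices, and the [0,1] gate is emitted directly as pairwise exclusion clauses because it is always constrained to true.

```python
from itertools import combinations

# The tutorial's running example; M0 is the initial marking.
PLACES = ["p1", "p2", "p3", "p4", "p5", "p6"]
TRANS = ["t1", "t2", "t3", "t4", "t5", "t6"]
ARCS = [("p1", "t1"), ("t1", "p3"), ("p2", "t2"), ("t2", "p4"), ("p4", "t3"),
        ("t3", "p5"), ("p3", "t4"), ("p5", "t4"), ("t4", "p1"), ("t4", "p2"),
        ("p5", "t5"), ("t5", "p2"), ("p5", "t6"), ("t6", "p6")]
M0 = {"p1", "p2"}
PRE = {t: [p for p, u in ARCS if u == t] for t in TRANS}      # •t
PRE_P = {p: [t for t, q in ARCS if q == p] for p in PLACES}   # •p
POST_P = {p: [t for q, t in ARCS if q == p] for p in PLACES}  # p•

class Cnf:
    def __init__(self):
        self.n, self.clauses = 0, []          # variables 1..n, literals are signed ints

    def var(self):
        self.n += 1
        return self.n

    def gate(self, op, lits):                 # Tseitin gate g <-> op(lits), op in {or, and}
        g, s = self.var(), 1 if op == "or" else -1
        self.clauses.append([-s * g] + [s * l for l in lits])  # or: g -> OR(lits); and: AND -> g
        self.clauses += [[s * g, -s * l] for l in lits]         # or: l -> g;  and: g -> l
        return g

    def at_most_one(self, lits):              # the tutorial's [0,1] gate, constrained to true
        self.clauses += [[-a, -b] for a, b in combinations(lits, 2)]

def encode(k, semantics="interleaving"):
    """CNF of I(s0) ∧ T(s0,s1) ∧ ... ∧ T(s_{k-1},s_k) ∧ dead(s_k), idling allowed."""
    c, gp, pt = Cnf(), {}, {}
    t = {(u, i): c.var() for i in range(k) for u in TRANS}   # free inputs t_j(i), allocated first
    p = {(q, 0): c.var() for q in PLACES}                    # state bits p_j(0)
    c.clauses += [[p[q, 0]] if q in M0 else [-p[q, 0]] for q in PLACES]  # initial marking
    for i in range(1, k + 1):                                # token updating
        for q in PLACES:
            gp[q, i] = c.gate("or", [t[u, i - 1] for u in PRE_P[q]])   # token generated
            rp = c.gate("or", [t[u, i - 1] for u in POST_P[q]])        # token removed
            p[q, i] = c.gate("or", [gp[q, i], c.gate("and", [p[q, i - 1], -rp])])
    for i in range(k + 1):                                   # enabling, also at i = k
        for u in TRANS:
            lits = [p[q, i] for q in PRE[u]]
            if semantics == "process" and 0 < i < k:         # some input token must be fresh
                lits.append(c.gate("or", [gp[q, i] for q in PRE[u]]))
            pt[u, i] = c.gate("and", lits)
            if i < k:
                c.clauses.append([-t[u, i], pt[u, i]])       # tt(i): t(i) -> pt(i)
    for i in range(k):                                       # conflict removal
        if semantics == "interleaving":
            c.at_most_one([t[u, i] for u in TRANS])          # rc(i)
        else:
            for q in PLACES:                                 # ncp_j(i) for step and process
                c.at_most_one([t[u, i] for u in POST_P[q]])
    c.clauses += [[-pt[u, k]] for u in TRANS]                # dead(k) constrained true
    return c, p, t

def solve(cnf):
    """DPLL with unit propagation; returns {var: bool} or None if unsatisfiable."""
    occurs = {v: [] for v in range(1, cnf.n + 1)}
    for idx, cl in enumerate(cnf.clauses):
        for l in cl:
            occurs[abs(l)].append(idx)

    def propagate(assign, queue):
        while queue:
            for idx in occurs[queue.pop()]:
                cl = cnf.clauses[idx]
                if any(assign.get(abs(l)) == (l > 0) for l in cl):
                    continue                                 # clause already satisfied
                free = [l for l in cl if abs(l) not in assign]
                if not free:
                    return False                             # conflict
                if len(free) == 1:                           # unit clause: force it
                    assign[abs(free[0])] = free[0] > 0
                    queue.append(abs(free[0]))
        return True

    def dpll(assign, queue):
        if not propagate(assign, queue):
            return None
        v = next((x for x in range(1, cnf.n + 1) if x not in assign), None)
        if v is None:
            return assign                                    # every variable assigned
        for val in (True, False):                            # lowest var first: the inputs
            model = dpll({**assign, v: val}, [v])
            if model is not None:
                return model
        return None

    return dpll({}, list(range(1, cnf.n + 1)))               # first pass finds the unit clauses

def deadlock_trace(k, semantics="interleaving"):
    """(markings M0..Mk, steps S0..S_{k-1}) of a deadlocking execution, or None."""
    cnf, p, t = encode(k, semantics)
    model = solve(cnf)
    if model is None:
        return None
    return ([{q for q in PLACES if model[p[q, i]]} for i in range(k + 1)],
            [{u for u in TRANS if model[t[u, i]]} for i in range(k)])
```

deadlock_trace(4) reproduces the interleaving demo (an execution ending in {p3,p6} that needs all four steps), deadlock_trace(3, "step") finds one with bound 3, and deadlock_trace(3, "process") returns exactly the process normal form {t1,t2}, {t3}, {t6}. With bound 3 the interleaving encoding and with bound 2 the step encoding are unsatisfiable, matching the diameter discussion above.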
Process Translation for t4
[Figure: process gates for transition t4, where •t4 = {p3,p5}: dpt4(i) := OR(gp3(i),gp5(i)); pt4(i) := AND(p3(i),p5(i),dpt4(i)); nt4(i) := ¬t4(i); tt4(i) := nt4(i) ∨ pt4(i), constrained to true]
Demo with Process Semantics (1/3)
$ cat process-running.net
P = [’p1’,’p2’,’p3’,’p4’,’p5’,’p6’]
T = [’t1’,’t2’,’t3’,’t4’,’t5’,’t6’]
F = [[’p1’,’t1’],[’t1’,’p3’],
[’p2’,’t2’],[’t2’,’p4’],
[’p4’,’t3’],[’t3’,’p5’],
[’p3’,’t4’],[’p5’,’t4’],[’t4’,’p1’],[’t4’,’p2’],
[’p5’,’t5’],[’t5’,’p2’],
[’p5’,’t6’],[’t6’,’p6’]]
M_0 = [’p1’,’p2’]
bound = 3
semantics = "process"
$ 1b-pn-bmc < process-running.net | bczchaff | ./cex-print
{p1, p2}[t1, t2>{p3, p4}[t3>{p3, p5}[t6>{p3, p6}
Demo with Process Semantics (2/3)
$ 1b-pn-bmc < process-running.net | bczchaff -v
Parsing from stdin
The circuit has 161 gates
The input gates are: t6_2 t3_2 t2_2 t5_2 t1_2 t4_2 t6_1 t3_1 t2_1 t5_1 t1_1 t4_1 t6_0 t3_0 t2_0 t5_0 t1_0 t4_0
The circuit has 101 gates and 88 edges after simpliﬁcation
The circuit has 44 gates and 70 edges after sharing
The circuit has 30 gates and 11 edges after simpliﬁcation
The circuit has 10 gates and 10 edges after sharing
The circuit has 8 gates and 0 edges after simpliﬁcation
The circuit has 2 gates and 0 edges after sharing
The circuit has 2 gates and 0 edges after simpliﬁcation
The circuit has 2 gates and 0 edges after sharing
The circuit has 2 gates after normalization
The circuit has 2 gates and 0 edges after simpliﬁcation
The circuit has 2 gates and 0 edges after sharing
The max-min height of the circuit is 0
The max-max height of the circuit is 0
The circuit has 0 relevant gates
Note that with the more constrained process encoding, the
preprocessing already solves the circuit.
Demo with Process Semantics (3/3)
˜p1_1 ˜p2_1 ˜p2_2 ˜p1_2 ˜gp2_2 ˜gp2_1 ˜gp2_3 ˜t2_1 ˜gp4_2 ˜p4_2 ˜p3_0 ˜p4_0 ˜p5_0 ˜p6_0 ˜t3_0
˜gp5_1 ˜p5_1 ˜t6_0 ˜gp6_1 ˜p6_1 ˜t6_1 ˜gp6_2 ˜p6_2 ˜t1_2 ˜gp3_3 ˜p1_3 ˜p2_3 ˜p4_3 ˜p5_3 ˜t5_0
˜t4_0 ˜gp1_1 ˜t5_1 ˜t2_2 ˜gp4_3 ˜t3_2 ˜gp5_3 ˜t4_1 ˜gp1_2 ˜t1_1 ˜gp3_2 ˜t4_2 ˜gp1_3 ˜t5_2 ˜live_3
t3_1 gp5_2 p5_2 gate8 t6_2 gp6_3 p6_3 gate16 p3_3 p3_2 gate15 gate14 gate13 p1_0 p2_0 gate0
gate1 gate2 gate3 gate4 gate5 gate6 gate9 gate10 gate11 gate12 ncp5_2 p4_1 gp4_1 t2_0 gate7
ncp5_0 ncp5_1 p3_1 gp3_1 t1_0 gate17
Satisﬁable
No need to invoke zChaff, just output the solution.
Steps vs. Processes
Unfortunately there is some bad news: processes
are not always faster than steps with the latest SAT
solvers such as zChaff and Siege. (Cause unknown.)
Often a polynomial time preprocessing algorithm is
used to compute the earliest time each transition can
ﬁre or a place can become marked.
This allows for simpliﬁcation of the BMC encoding by
introducing constant values for variables.
Process semantics can be used as a better
polynomial time preprocessing step as it can prove
for more transitions that they can never be enabled at
certain time points in process executions.
Steps vs. Processes (cnt.)
The transition relation for steps can be represented
as T(si,ii,si+1), where ii is the current input vector
(in the running example, the set of transitions to be
fired in step Si: ii = ⟨t1(i),t2(i),...,t6(i)⟩).
The transition relation for processes can be
represented as T(si,ii−1,ii,si+1), where ii is the
current input vector (step Si) and ii−1 is the previous
input vector (step Si−1).
History Dependence
Thus the process semantics has a history
dependent transition relation.
Another way to present this is to use “three valued
tokens”, a place can either contain: no tokens,
contain a freshly generated token, or contain an old
token.
This makes the use of process semantics
unattractive in a BDD model checking setting, as the
number of state bits needed to represent the state
vector grows.
Processes and Temporal Induction
It follows from Theorem 17 in
Toni Jussila’s Doctoral dissertation that the
SimplePath constraint used in the temporal induction
(k-induction) method (to be presented later in this
tutorial) can treat old tokens and fresh tokens alike.
Thus for reachability from the initial state the so
called recurrence diameter (to be defined later) is
never worse for processes than for steps, and can
sometimes even be better.
Model Checking LTL-X
One can also do model checking of the temporal
logic LTL-X with step semantics. (Extension to allow
also processes to be used is work in progress.)
LTL-X is the subset of LTL where the next-time
operator X has been removed. This restriction of the
logic is often done also with other partial order
methods.
First one has to identify all visible transitions of the
net, which can modify the truth value of some atomic
proposition in the formula.
Model Checking LTL-X (cnt.)
All of the visible transitions are made to conﬂict with
each other by adding a new marked place v to the
net, and adding a bidirectional arc from each visible
transition to v.
If the net is deadlock free, one can additionally require
that the last step Sk is non-empty to disallow illegal
counterexamples by infinite sequences of idling.
If the net can deadlock, the solution is more subtle,
and we refer to our paper on the subject:
Keijo Heljanko, Ilkka Niemelä:
Bounded LTL model checking with stable models.
TPLP 3(4-5): 519-550 (2003), Cambridge University
Press.
Steps and AI Planning
In AI planning papers a step like optimisation to
decrease the needed bounds was already used.
Henry A. Kautz, Bart Selman: Pushing the Envelope:
Planning, Propositional Logic and Stochastic Search.
AAAI/IAAI, Vol. 2 1996: 1194-1201.
Rintanen et al. discuss SAT encodings of the step
semantics and its generalisations for AI planning in:
Jussi Rintanen, Keijo Heljanko, Ilkka Niemelä:
Parallel Encodings of Classical Planning as
Satisﬁability. JELIA 2004: 307-319, LNCS 3229.
The sizes of the encodings mentioned above are
quadratic in the number of planning operator
instances.
Steps and AI Planning
There is a SAT encoding that is linear in the number
of planning operator instances described in:
Rintanen, J., Heljanko, K., and Niemelä, I.:
Planning as Satisﬁability: Parallel Plans and
Algorithms for Plan Search. Technical report 216,
Institute of Computer Science at Freiburg University,
2005.
The paper mentioned above contains state-of-the-art
CNF translations for AI planning by Jussi Rintanen.
The STRIPS planning formalism used is a
generalisation of 1-bounded P/T-nets. (A journal
submission of an extended version of the paper
above has been accepted.)
Other Semantics for BMC
The paper by Rintanen et al. also contains a
generalisation of step executions, which allows a set
of transitions S to be ﬁred as a step if at least one
interleaving of S is executable.
Other new and efﬁcient non-standard execution
semantics for BMC of asynchronous systems have
been presented in: Toni Jussila.
On bounded model checking of asynchronous
systems. Research Report A97, Helsinki University
of Technology, Laboratory for Theoretical Computer
Science, Espoo, Finland, October 2005. Doctoral
dissertation.
Other Semantics for BMC
One more approach is presented in: Shougo Ogata,
Tatsuhiro Tsuchiya, Tohru Kikuno:
SAT-Based Veriﬁcation of Safe Petri Nets. ATVA
2004: 79-92, LNCS 3299.
All of the above semantics preserve the set of
reachable states.
Process References
The process normal form we use is basically the
Foata normal form from the theory of Mazurkiewicz
traces. See for example: Diekert, V. and Métivier, Y.:
Partial Commutation and Traces, Handbook of formal
languages, Vol. 3, pp. 457–534, Springer, 1997.
For more on process semantics see for example:
Best, E. and Fernández, C.: Nonsequential
Processes: A Petri Net View, EATCS monographs on
Theoretical Computer Science, Vol. 13, Springer,
1988.
Steps and Processes for LTSs
Next we describe how to transfer the step and process semantics to systems composed of a synchronisation of labelled transition systems (LTSs).
The encoding to be presented has been published in: Toni Jussila, Keijo Heljanko, Ilkka Niemelä: BMC via on-the-fly determinization. STTT 7(2): 89-101 (2005).
Intuition: LTS Semantics
We use the standard synchronisation construction for LTSs (see the paper mentioned in the previous slide for details): The system consists of n LTSs L1, L2, ..., Ln composed as L = L1 ∥ L2 ∥ ··· ∥ Ln.
Each LTS has its own alphabet. The system L can make a move with a letter a iff every LTS with a in its alphabet is able to perform it.
When a is performed, every LTS with a in its alphabet moves, while the others do not change their state.
In addition, each LTS can make local τ-labelled moves at will, during which the other components of the system do not change their state.
Alternative Semantics
Next we show by using a running example what the
state spaces induced by the presented alternative
semantics for LTSs are.
Thanks to Toni Jussila for allowing the use of Figures
from his Thesis in the following slides.
Toni Jussila.
On bounded model checking of asynchronous
systems. Research Report A97, Helsinki University
of Technology, Laboratory for Theoretical Computer
Science, Espoo, Finland, October 2005. Doctoral
dissertation.
LTSs: Running Example
[Figure: the four component LTSs of the running example, with local states s0 to s11 and transitions labelled a, c, d and τ.]
The complete system is L = L1 ∥ L2 ∥ L3 ∥ L4.
LTSs: Interleaving Semantics
The interleaving semantics is as expected:
[Figure: interleaving state space of the running example. Global states shown: ⟨s0,s1,s2,s3⟩, ⟨s4,s1,s2,s3⟩, ⟨s9,s6,s2,s3⟩, ⟨s5,s6,s2,s3⟩, ⟨s5,s6,s7,s8⟩ and ⟨s5,s6,s10,s11⟩; edges are labelled τ, a, c and d.]
LTSs: Step Semantics
In step semantics two synchronisations are independent
if they occur in disjoint sets of LTSs:
[Figure: step state space of the running example. Global states shown: ⟨s0,s1,s2,s3⟩, ⟨s4,s1,s2,s3⟩, ⟨s9,s6,s2,s3⟩, ⟨s5,s6,s2,s3⟩, ⟨s5,s6,s7,s8⟩, ⟨s5,s6,s10,s11⟩ and ⟨s9,s6,s10,s11⟩. Edges are labelled by steps giving the move of each of the four components (ε: the component does not move), such as ⟨a,a,ε,ε⟩, ⟨τ,ε,ε,ε⟩, ⟨ε,ε,c,c⟩, ⟨ε,ε,d,d⟩, ⟨a,a,c,c⟩, ⟨a,a,d,d⟩, ⟨τ,ε,c,c⟩ and ⟨τ,ε,d,d⟩.]
LTSs: Process Semantics
In the process case a synchronisation can happen at step S_i iff at least one of its participants was active at step S_{i-1}:
[Figure: process state space of the running example. Global states shown: ⟨s0,s1,s2,s3⟩, ⟨s4,s1,s2,s3⟩, ⟨s9,s6,s2,s3⟩, ⟨s5,s6,s2,s3⟩, ⟨s5,s6,s7,s8⟩, ⟨s5,s6,s10,s11⟩ and ⟨s9,s6,s10,s11⟩. Edges are labelled by steps such as ⟨a,a,ε,ε⟩, ⟨τ,ε,ε,ε⟩, ⟨ε,ε,c,c⟩, ⟨ε,ε,d,d⟩, ⟨τ,ε,c,c⟩, ⟨a,a,c,c⟩ and ⟨a,a,d,d⟩; fewer edges remain than under step semantics.]
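To make the three semantics concrete, here is an added Python example (not code from the tutorial, the STTT paper or Jussila's thesis) that enumerates the executions of a small constructed system of three LTSs under interleaving, step and process semantics and collects the global states they reach. The component LTSs, the representation of a move as (label, set of (component, new local state)) and the rule that the first step of a process execution is unconstrained are assumptions of this example; the synchronisation rule, the disjointness condition for steps and the "active in the previous step" condition for processes are the ones stated on the slides above.

```python
from itertools import product

TAU = 'tau'   # local, invisible move of a single component

def lts(init, alphabet, trans):
    """A labelled transition system: initial state, visible alphabet, (src, label, dst) triples."""
    return {'init': init, 'alphabet': frozenset(alphabet), 'trans': list(trans)}

# Constructed example (not the slides' running example): a is local to L1,
# b synchronises L2 and L3, c synchronises L1 and L2, and L3 has a local tau-move.
SYSTEM = [
    lts('p0', {'a', 'c'}, [('p0', 'a', 'p1'), ('p1', 'c', 'p2')]),
    lts('q0', {'b', 'c'}, [('q0', 'b', 'q1'), ('q1', 'c', 'q2')]),
    lts('r0', {'b'},      [('r0', 'b', 'r1'), ('r1', TAU, 'r3')]),
]

def participants(move):
    return frozenset(i for i, _ in move[1])

def enabled_moves(system, gstate):
    """Single moves enabled in the global state gstate.
    A move is (label, frozenset of (component index, new local state))."""
    moves = []
    for i, (L, s) in enumerate(zip(system, gstate)):          # local tau-moves
        moves += [(TAU, frozenset({(i, dst)})) for (src, lab, dst) in L['trans']
                  if src == s and lab == TAU]
    for a in sorted(set().union(*(L['alphabet'] for L in system))):   # synchronisations
        parts = [i for i, L in enumerate(system) if a in L['alphabet']]
        choices = [[(i, dst) for (src, lab, dst) in system[i]['trans']
                    if src == gstate[i] and lab == a] for i in parts]
        if all(choices):        # every LTS that has a in its alphabet can perform it
            moves += [(a, frozenset(combo)) for combo in product(*choices)]
    return moves

def steps(moves):
    """Non-empty sets of moves whose participant sets are pairwise disjoint."""
    result = []
    def rec(idx, chosen, used):
        if idx == len(moves):
            if chosen:
                result.append(tuple(chosen))
            return
        rec(idx + 1, chosen, used)                    # leave this move out
        p = participants(moves[idx])
        if not (p & used):                            # independent of the chosen ones
            rec(idx + 1, chosen + [moves[idx]], used | p)
    rec(0, [], frozenset())
    return result

def apply_step(gstate, step):
    nxt = list(gstate)
    for move in step:
        for i, dst in move[1]:
            nxt[i] = dst
    return tuple(nxt)

def explore(system, semantics, bound):
    """Count executions of length <= bound under the given semantics and
    return (count, set of global states reached within the bound)."""
    init = tuple(L['init'] for L in system)
    reached = {init}
    count = 0
    def rec(gstate, depth, prev_parts):
        nonlocal count
        if depth == bound:
            return
        moves = enabled_moves(system, gstate)
        candidates = [(m,) for m in moves] if semantics == 'interleaving' else steps(moves)
        if semantics == 'process' and prev_parts is not None:
            # every move of step S_i needs a participant that moved in S_(i-1)
            candidates = [st for st in candidates
                          if all(participants(m) & prev_parts for m in st)]
        for st in candidates:
            count += 1
            nxt = apply_step(gstate, st)
            reached.add(nxt)
            rec(nxt, depth + 1, frozenset().union(*(participants(m) for m in st)))
    rec(init, 0, None)
    return count, reached

if __name__ == '__main__':
    for sem in ('interleaving', 'step', 'process'):
        n, states = explore(SYSTEM, sem, 3)
        print(f'{sem:13s} bound 3: {n:3d} executions, {len(states)} global states reached')
```

With bound 3 the step semantics has more executions than the interleaving one (a singleton step is still a step), the process semantics has far fewer, and the process executions already reach every global state that the interleaving semantics needs bound 4 for; all three reach the same set of global states once the bound is large enough, as the slides state.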
Symbolic Subset Construction
The FSA subset construction can be used to determinise nondeterministic state machines symbolically inside BMC.
The tricky part is the correct handling of the τ-moves.
By doing this, the number of executions through the state space of the system is further reduced.
It also has other applications: one can, for example, create a BMC encoding that accepts all words not in the language of L. This has uses, for example, in refinement checking of two products of LTSs.
LTSs: Determinised Interleaving
Interleaving combined with determinising each component symbolically during BMC:
[Figure: determinised interleaving state space of the running example. Global states shown: ⟨{s0,s4},{s1},{s2},{s4}⟩, ⟨{s0,s4},{s1},{s7},{s8}⟩, ⟨{s5,s9},{s6},{s2},{s4}⟩, ⟨{s5,s9},{s6},{s7},{s8}⟩, ⟨{s5,s9},{s6},{s10},{s11}⟩ and ⟨{s0,s4},{s1},{s10},{s11}⟩; edges are labelled a, c and d.]
LTSs: Determinised Step
Steps combined with determinising each component symbolically during BMC:
[Figure: determinised step state space of the running example. Global states shown: ⟨{s0,s4},{s1},{s2},{s4}⟩, ⟨{s0,s4},{s1},{s7},{s8}⟩, ⟨{s5,s9},{s6},{s2},{s4}⟩, ⟨{s5,s9},{s6},{s7},{s8}⟩, ⟨{s5,s9},{s6},{s10},{s11}⟩ and ⟨{s0,s4},{s1},{s10},{s11}⟩; edges are labelled by the steps ⟨a,a,ε,ε⟩, ⟨ε,ε,c,c⟩, ⟨ε,ε,d,d⟩, ⟨a,a,c,c⟩ and ⟨a,a,d,d⟩.]
LTSs: Determinised Process
Processes combined with determinising each component symbolically during BMC:
[Figure: determinised process state space of the running example. Global states shown: ⟨{s0,s4},{s1},{s2},{s4}⟩, ⟨{s0,s4},{s1},{s7},{s8}⟩, ⟨{s5,s9},{s6},{s2},{s4}⟩, ⟨{s5,s9},{s6},{s7},{s8}⟩, ⟨{s5,s9},{s6},{s10},{s11}⟩ and ⟨{s0,s4},{s1},{s10},{s11}⟩; edges are labelled by the steps ⟨a,a,ε,ε⟩, ⟨ε,ε,c,c⟩, ⟨ε,ε,d,d⟩ and ⟨a,a,c,c⟩.]
Determinisation Discussion
The determinised versions preserve the language over the alphabet of L.
The τ-moves do not contribute to the bound needed.
The input variables needed for the determinised versions are: one input variable for each symbol in the alphabet of L per time step.
Thus the determinised version of the encoding can be very attractive for small alphabets.
The reachability of local states is preserved.
Determinisation Discussion (cont.)
Global state predicates such as deadlock freedom need to be evaluated by guessing a representative final state from the set of final states reached; see the paper for details.
Explicit-state determinisation of components can be a viable alternative in many cases; however, there is the potential for an exponential size blow-up.
LTS Encoding
In the following we present, using a running example, a few of the main ideas of the encoding of the determinised process executions.
See the STTT paper or Toni Jussila's Thesis for more details.
Technical Restriction
For technical reasons, we add the following constraint on component LTSs:
If a component LTS contains a loop consisting of τ-transitions only, the loop must be a self-loop.
(Easy to ensure by pre-processing LTSs into ones fulfilling the condition using a linear-time algorithm based on Tarjan's MSCC algorithm.)
Without the above restriction the encoding becomes unsound! (It would become a cyclic circuit.)
Also the sets of initial states are extended to contain all states reachable from the initial state of each component by using only τ-moves.
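Both the restriction and the extended initial sets are easy to check and compute explicitly. The following added Python example (not code from the STTT paper or the thesis) runs Tarjan's SCC algorithm on the τ-subgraph of a component to detect a τ-cycle that is not a self-loop, and performs the explicit subset construction with τ-closure that the symbolic encoding mirrors, starting from the τ-closed initial set. The component LTSs and their dictionary representation are constructed for this example.

```python
TAU = 'tau'   # invisible local move

def lts(init, alphabet, trans):
    """Component LTS: initial state, visible alphabet, (src, label, dst) transitions."""
    return {'init': init, 'alphabet': frozenset(alphabet), 'trans': list(trans)}

def states_of(L):
    return {L['init']} | {s for (s, _, _) in L['trans']} | {d for (_, _, d) in L['trans']}

def tau_loops_are_self_loops(L):
    """The technical restriction: every cycle built from tau-transitions only
    must be a self-loop. Tarjan's SCC algorithm on the tau-subgraph (self-loops
    skipped, since they are allowed) finds a non-trivial SCC exactly when a
    tau-cycle of length >= 2 exists."""
    succ = {s: [] for s in states_of(L)}
    for (src, lab, dst) in L['trans']:
        if lab == TAU and src != dst:
            succ[src].append(dst)
    index, low, on_stack, stack, violations = {}, {}, set(), [], []
    def strongconnect(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of an SCC: pop it
            scc = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                scc.append(w)
                if w == v:
                    break
            if len(scc) > 1:
                violations.append(frozenset(scc))
    for v in sorted(succ):
        if v not in index:
            strongconnect(v)
    return not violations

def tau_closure(L, states):
    """All states reachable from `states` using tau-moves only."""
    closed, work = set(states), list(states)
    while work:
        s = work.pop()
        for (src, lab, dst) in L['trans']:
            if src == s and lab == TAU and dst not in closed:
                closed.add(dst)
                work.append(dst)
    return frozenset(closed)

def determinise(L):
    """Explicit subset construction over the visible alphabet. Returns the
    initial state set (the initial state plus everything tau-reachable from
    it) and a {(state set, action): state set} transition map."""
    init = tau_closure(L, {L['init']})
    trans, work, seen = {}, [init], {init}
    while work:
        S = work.pop()
        for a in sorted(L['alphabet']):
            targets = {dst for (src, lab, dst) in L['trans'] if src in S and lab == a}
            if targets:
                T = tau_closure(L, targets)
                trans[(S, a)] = T
                if T not in seen:
                    seen.add(T)
                    work.append(T)
    return init, trans

# Constructed examples (not the slides' running example).
GOOD = lts('s0', {'a', 'b'}, [('s0', 'a', 's1'), ('s0', 'a', 's2'), ('s1', TAU, 's3'),
                              ('s2', TAU, 's3'), ('s3', 'b', 's4'), ('s0', TAU, 's0')])
EXTENDED_INIT = lts('u0', {'a'}, [('u0', TAU, 'u1'), ('u1', 'a', 'u2')])
BAD = lts('v0', {'a'}, [('v0', 'a', 'v1'), ('v1', TAU, 'v2'), ('v2', TAU, 'v1')])

if __name__ == '__main__':
    for name, L in (('GOOD', GOOD), ('EXTENDED_INIT', EXTENDED_INIT), ('BAD', BAD)):
        print(name, 'restriction holds:', tau_loops_are_self_loops(L))
        init, trans = determinise(L)
        print('  initial set', sorted(init))
        for (S, a), T in sorted(trans.items(), key=str):
            print('  ', sorted(S), '--', a, '->', sorted(T))
```

GOOD keeps a τ self-loop on s0 and passes the check; BAD has the τ-cycle v1 → v2 → v1 and fails it, although the explicit construction still terminates on it because the closure is computed as a set. EXTENDED_INIT shows the extended initial set {u0, u1} that the encoding starts from.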
Running Example for LTS Encoding
[Figure: the two component LTSs of the encoding example. L1 has initial state s0 and further states s1, s2 and s3, with transitions l1, l2 and l3 labelled a, transition l4 labelled b, and τ-transitions into s3. L2 has initial state s4 and states s5 and s6, with transition l5 labelled a and transition l6 labelled b.]
Translation Predicates
Gate        Description
ex(a,t)     Action a is executed at time t (input gate).
in(s,t)     Execution is in state s at time t.
sc(L,t)     Component L is scheduled at time t.
ex(l,t)     Transition l is executed at time t.
uv(L,t)     Unique visible transition from L at time t.
enok(a,t)   Execution of action a implies that it is enabled at time t.
en(a,t)     Action a is enabled at time t.
Progress of Control Flow
[Circuit: in(s3,t+1) = (in(s3,t) ∧ ¬sc(L1,t)) ∨ in(s1,t+1) ∨ in(s2,t+1) ∨ ex(l3,t) ∨ ex(l4,t)]
We stay in a state if the component is not scheduled.
A state can be entered either by τ-edges or by firing of incoming transitions.
Scheduling (left), Execution (right)
[Circuits: sc(L1,t) = ex(a,t) ∨ ex(b,t) (left); ex(l6,t) = ex(b,t) ∧ in(s5,t) (right)]
A component is scheduled iff one of the actions in its alphabet fires.
A transition is always executed if we are in its source state and the action it is labelled with is fired.
Unique visible (left), Noidle (right)
[Circuits: uv(L1,t) = [0,1](ex(a,t), ex(b,t)), constrained to ⊤ (left); ni(t) = ex(a,t) ∨ ex(b,t), constrained to ⊤ (right)]
The uv(L1,t) gate disallows more than one action from the alphabet of L1 at each step.
The non-idling constraint ni(t) is a slight variation of the P/T-net encoding: here we disallow idling time steps.
Enabledness, Synchronisation
[Circuits: enok(a,t) = ex(a,t) → (en(a,L1,t) ∧ en(a,L2,t)), constrained to ⊤, with en(a,L1,t) an ∨ over the states of L1 that have an outgoing a-transition, here in(s0,t) (left); pr(b,2) = ex(b,2) → (sc(L0,1) ∨ sc(L1,1)), constrained to ⊤ (right)]
The two circuits on the left ensure that all components are able to perform the synchronisation on action a. The circuit on the right enforces the process constraint when synchronising on action b.
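As an added Python example (not the tutorial's own encoder), the gates above can be evaluated directly instead of being handed to a SAT solver: for a constructed three-component system, every assignment of the input gates ex(a,t) up to a bound k is enumerated, the gates in, sc, ex(l), uv, ni, enok and pr are evaluated as the slides define them, and only the assignments that satisfy all side constraints are kept. The component LTSs, the computation of the τ-edges into in(·,t+1) as a least fixed point (sound because of the technical restriction), and the rule that pr(a,t) is only imposed for t ≥ 1 are assumptions of this example.

```python
from itertools import product

TAU = 'tau'   # invisible local move; never an input gate

def lts(init, alphabet, trans):
    """Component LTS: initial state, visible alphabet, (name, src, label, dst) transitions."""
    return {'init': init, 'alphabet': frozenset(alphabet), 'trans': list(trans)}

# Constructed system (not the slides' running example): L1 has two
# nondeterministic a-transitions and a tau-move, b synchronises L1 and L2,
# and c is local to L3.
SYSTEM = [
    lts('s0', {'a', 'b'}, [('l1', 's0', 'a', 's1'), ('l2', 's0', 'a', 's2'),
                           ('l3', 's1', TAU, 's3'), ('l4', 's3', 'b', 's0')]),
    lts('s4', {'b'},      [('l5', 's4', 'b', 's5')]),
    lts('s6', {'c'},      [('l6', 's6', 'c', 's7')]),
]
ALPHABET = sorted(set().union(*(L['alphabet'] for L in SYSTEM)))

def tau_closure(L, states):
    """in(s,t+1) also holds for every s reachable via tau-edges from a state
    entered at t+1; computed as a least fixed point of the tau-edges."""
    closed = set(states)
    changed = True
    while changed:
        changed = False
        for (_, src, lab, dst) in L['trans']:
            if lab == TAU and src in closed and dst not in closed:
                closed.add(dst)
                changed = True
    return frozenset(closed)

def component_gates(L, in_now, ex_now):
    """Evaluate one component's gates at time t.
    in_now: states s with in(s,t) = 1; ex_now: actions a with ex(a,t) = 1.
    Returns sc(L,t), uv(L,t), the conjunction of enok(a,t) restricted to L,
    and the set of states s with in(s,t+1) = 1."""
    sc = any(a in ex_now for a in L['alphabet'])                  # sc(L,t)
    uv = len(ex_now & L['alphabet']) <= 1                         # uv(L,t) = [0,1](...)
    enok = all(any(src in in_now for (_, src, lab, _) in L['trans'] if lab == a)
               for a in ex_now & L['alphabet'])                   # ex(a,t) -> en(a,L,t)
    all_states = {L['init']} | {s for (_, s, _, _) in L['trans']} | {d for (_, _, _, d) in L['trans']}
    in_next = set()
    for s in all_states:
        stay = s in in_now and not sc                             # not scheduled: keep state
        fired = any(src in in_now and lab in ex_now and dst == s  # ex(l,t) for l entering s
                    for (_, src, lab, dst) in L['trans'])
        if stay or fired:
            in_next.add(s)
    return sc, uv, enok, tau_closure(L, in_next)

def run(inputs):
    """Evaluate the bound-k circuit on one input assignment: inputs[t] is the
    set of actions with ex(a,t) = 1. Returns the global in-sets of every time
    step, or None if uv, ni, enok or pr is violated."""
    ins = [tuple(tau_closure(L, {L['init']}) for L in SYSTEM)]   # extended initial sets
    prev_sc = None
    for ex_now in inputs:
        if not ex_now:                                            # ni(t): no idling steps
            return None
        if prev_sc is not None:                                   # pr(a,t): process constraint
            for a in ex_now:
                if not any(sc for L, sc in zip(SYSTEM, prev_sc) if a in L['alphabet']):
                    return None
        sc_now, nxt = [], []
        for L, in_now in zip(SYSTEM, ins[-1]):
            sc, uv, enok, in_next = component_gates(L, in_now, ex_now)
            if not (uv and enok):
                return None
            sc_now.append(sc)
            nxt.append(in_next)
        prev_sc = sc_now
        ins.append(tuple(nxt))
    return ins

def accepted_executions(bound):
    """Enumerate all 2^(|alphabet| * bound) input assignments and keep the
    accepted ones, mapped to the final global in-set."""
    results = {}
    n = len(ALPHABET)
    for bits in product((0, 1), repeat=n * bound):
        inputs = tuple(frozenset(a for i, a in enumerate(ALPHABET) if bits[t * n + i])
                       for t in range(bound))
        trace = run(inputs)
        if trace is not None:
            results[inputs] = trace[-1]
    return results

if __name__ == '__main__':
    for inputs, final in sorted(accepted_executions(2).items(), key=str):
        print([sorted(s) for s in inputs], '->', [sorted(S) for S in final])
```

With bound 2 only the input sequences {a};{b} and {a,c};{b} survive: {b} first fails enok, {a,b} in one step fails uv(L1), {a};{c} and {c};{a} fail the process constraint pr, and {a};{a} fails enok because after a the determinised L1 is in {s1, s2, s3}.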
Conclusions of Tutorial part 1
Bounded model checking (BMC) is an efficient way of implementing symbolic model checking.
It alleviates the state explosion by representing the state space implicitly as a propositional formula.
It leverages efficient SAT-solver technology.
The choice between different transition relation encodings has often been overlooked in the BMC literature.
The performance differences between different transition relation encodings are very significant, at least for BMC of asynchronous systems.