Symbolic Model Checking without BDDs

Lecture Notes in Computer Science, 2000

In this paper we show how to do symbolic model checking using Boolean Expression Diagrams (BEDs), a non-canonical representation for Boolean formulas, instead of Binary Decision Diagrams (BDDs), the traditionally used canonical representation. The method is based on standard fixed point algorithms, combined with BDDs and SAT-solvers to perform satisfiability checking. As a result we are able to model check systems for which standard BDD-based methods fail. For example, we model check a 256 bit shift-and-add multiplier and we are able to find a previously undetected bug in the specification of a 16 bit multiplier. As opposed to Bounded Model Checking (BMC) our method is complete in practice.

2005

In this work we study hybrid approaches to LTL symbolic model checking; that is, approaches that use explicit representations of the property automaton, whose state space is often quite manageable, and symbolic representations of the system, whose state space is typically exceedingly large.

Logic for concurrency and synchronisation, 2003

2015

In automata-theoretic model checking, there are mainly two approaches: explicit and symbolic. In the explicit approach [1], the state-space is constructed explicitly and lazily during exploration (i.e., on-the-fly). The symbolic approach [2] tries to overcome the state-space explosion obstacle by symbolically encoding the state-space in a concise way using decision diagrams. However, this symbolic construction is not performed on-the-fly as in the explicit approach. In order to take advantage of the best of both worlds, hybrid approaches [3, 4, 5] are proposed as combinations of explicit and symbolic approaches. A hybrid approach is usually based on an on-the-fly construction of an explicit graph of symbolic nodes, where each symbolic node encodes a subset of states by means of binary decision diagrams. An alternative to the standard Büchi automaton, called Testing automaton [6] has never been used before for hybrid model checking. In addition, in previous work [7, 8], we have shown that Generalized Testing Automata (TGTA) can outperform the Büchi automata for explicit and symbolic model checking of stutter-invariant LTL properties. In this work, we investigate the use of these TGTA to improve hybrid model checking. We show how traditional hybrid approaches based on Generalized Büchi Automata (TGBA) can be adapted to obtain TGTA-based hybrid approaches. Then, each original approach is experimentally compared against its TGTA variant. The results show that these new variants are statistically more efficient.

Lecture Notes in Computer Science, 1999

We propose an algorithm for LTL model checking based on the classification of the automata and on guided symbolic search. Like most current methods for LTL model checking, our algorithm starts with a tableau construction and uses a model checker for CTL with fairness constraints to prove the existence of fair paths. However, we classify the tableaux according to their structure, and use efficient decision procedures for each class. Guided search applies hints to constrain the transition relation during fixpoint computations. Each fixpoint is thus translated into a sequence of fixpoints that are often much easier to compute than the original one. Our preliminary experimental results suggest that the new algorithm for LTL is quite efficient. In fact, for properties that can be expressed in both CTL and LTL, the algorithm is competitive with the CTL model checking algorithm. This work was supported in part by SRC contract 98-DJ-620.

2005

Abstract This work describes an algorithm of automata construction for LTL safety properties, suitable for bounded model checking. Existing automata construction methods are tailored to BDD-based symbolic model checking. The novelty of our approach is that we construct deterministic automata, unlike the standard approach, which constructs nondeterministic automata. We show that the proposed method has significant advantages for bounded model checking over traditional methods.

Generally concurrent software is harder to find a bug than sequential one. Thus there have been a number of works on formal verification which exhaustively checks all behaviors of concurrent software. Bounded Model Checking (BMC) is widely used in formal verification of concurrent software systems and exhaustively checks whether some errors exist in execution traces of the given system or not within the given limit called as a bound. In this paper, we develop the tool LTS-BMC that accepts both LTS (Labeled Transition System) as a modeling language and FLTL (Fluent Linear Temporal Logic) as a specification language. And the specification is checked against the model using a SAT solver. To translate them into a set of CNF clauses which is the input format to most SAT solvers, we propose efficient CNF encoding techniques and apply to several case studies. As a result, LTS-BMC shows a good performance.

International Journal on Software Tools for Technology Transfer, 2004

In this paper we present efficient symbolic techniques for probabilistic model checking. These have been implemented in PRISM, a tool for the analysis of probabilistic models such as discrete-time Markov chains, continuous-time Markov chains and Markov decision processes using specifications in the probabilistic temporal logics PCTL and CSL. Motivated by the success of model checkers such as SMV which use BDDs (binary decision diagrams), we have developed an implementation of PCTL and CSL model checking based on MTBDDs (multi-terminal BDDs) and BDDs. Existing work in this direction has been hindered by the generally poor performance of MTBDD-based numerical computation, which is often substantially slower than explicit methods using sparse matrices. The focus of this paper is a novel hybrid technique which combines aspects of symbolic and explicit approaches to overcome these performance problems. For typical examples, we achieve a dramatic improvement over the purely symbolic approach. In addition, thanks to the compact model representation using MTBDDs, we can verify systems an order of magnitude larger than with sparse matrices, while almost matching or even beating them for speed.

Lecture Notes in Computer Science, 2004

Symbolic model-checking usually includes two steps: the building of a compact representation of a state graph and the evaluation of the properties of the system upon this data structure. In case of properties expressed with a linear time logic, it appears that the second step is often more time consuming than the first one. In this work, we present a mixed solution which builds an observation graph represented in a non symbolic way but where the nodes are essentially symbolic set of states. Due to the small number of events to be observed in a typical formula, this graph has a very moderate size and thus the complexity time of verification is neglectible w.r.t. the time to build the observation graph. Thus we propose different symbolic implementations for the construction of the nodes of this graph. The evaluations we have done on standard examples show that our method outperforms the pure symbolic methods which makes it attractive.

FM 2006: Formal …, 2006

HORAE is an interactive system which supports composing and reasoning of Timed CSP process descriptions. Timed CSP extends CSP by introducing the capability to quantify temporal aspects of sequencing and synchronization. It is a powerful language to model real-time reactive systems. However, there is no verification tool support for proving critical properties over systems modeled using Timed CSP. HORAE, using Constraint Logic Programming (CLP) as the underlying reasoning support, is capable to prove traditional safety properties and beyond, such as the reachability, deadlock-freeness, timewise refinement relationship, lower or upper bound of variables, and etc.