Dingbao Xie,Lei Bu,Xuandong Li

DOI: https://doi.org/10.1109/RTSS.2014.22

2014-01-01

Abstract:The behavior space of real time hybrid systems is very complex and hence expensive to conduct the classical full state space model checking. Compared to the classical model checking, bounded model checking (BMC) is much cheaper to conduct and has better scalability. This work presents a technique that can derive, in some cases, a proof of unbounded reach ability argument of Linear Hybrid Automata (LHA) from a BMC procedure. During BMC of LHA, typical procedures can discover sets of unsatisfiable constraint cores, a.k.a. UC or IIS, in the constraint set according to the bounded continuous state space of LHA. Currently, such unsatisfiable constraints are only fed back to the constraint set to accelerate the BMC solving. In this paper, we propose that such unsatisfiable constraint core can be exploited to give general unbounded verification result of the system model. As each constraint can be mapped back to certain semantical elements of the system model, the unsatisfiable constraint cores can be mapped back into path segments, which are not feasible, in the graph structure of the LHA model. Clearly, if all the potential paths to reach the target location in the graph structure have to go through such infeasible path segments, the target location is not reachable in general, not only in the given bound. Based on this observation, we propose to encode the infeasible path segments as linear temporal logic (LTL) formulas, and present the graph structure, the discrete part, of the LHA model as a transition system. Then, we can take advantage of the mature off-the-shelf LTL model checking techniques to verify whether there exists a path to reach the target location without touching any detected IIS path segment in the graph structure of the LHA model. We implement this technique into a bounded LHA checker BACH. The experiments show that most of the benchmarks can be verified by the enhanced BACH with a clearly better performance and scalability.

Dingbao Xie,Wen Xiong,Lei Bu,Xuandong Li

DOI: https://doi.org/10.1109/TC.2016.2604308

IF: 3.183

2017-01-01

IEEE Transactions on Computers

Abstract:Reachability analysis of linear hybrid automata (LHA) is an important problem. Classical model checking (CMC) technique is not scalable and not guaranteed to terminate. On the other hand, bounded model checking (BMC) is more cost-effective to conduct but can not guarantee the safety beyond the bound. In this paper, we seek to bridge the gap between BMC and CMC for reachability analysis of LHA. During BMC of LHA, typical procedures can discover sets of unsatisfiable constraint cores, which can be mapped back to path segments in the graph structure of LHA. If every path connecting the initial and target location has to go through such infeasible path segment, the target location is entirely not reachable. Based on this characteristic, we propose a LTL model checking based approach to check whether the target location is blocked. To further optimize the performance, we propose an automata based solution to check the LTL specification incrementally and adopt an on-the-fly algorithm to check the accepting condition to avoid an explicit construction of product automata.

Dingbao Xie,Lei Bu,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1007/s10703-014-0210-3

2014-01-01

Formal Methods in System Design

Abstract:As discrete jumps and continuous flows tangle in the behavior of linear hybrid automata (LHA), the bounded model checking (BMC) for reachability of LHA is a challenging problem. Current works try to handle this problem by encoding all the discrete and continuous behaviors in the bound into a set of SMT formulas which can then be solved by SMT solvers. However, when the system size is large, the object SMT problem could be huge and difficult to solve. Instead of encoding everything into one constraint set, this paper proposes a SAT–LP–IIS joint-directed solution to conduct the BMC for reachability of LHA in a layered way. First, the bounded graph structure of LHA is encoded into a propositional formula set, and solved by SAT solvers to find potential paths which can reach the target location on the graph. Then, the feasibility of certain path is encoded into a set of linear constraints which can then be solved by linear programming (LP) efficiently. If the path is not feasible, irreducible infeasible set (IIS) technique is deployed to locate an infeasible path segment which will be fed to the SAT solver to accelerate the enumerating process. Experiments show that by this SAT–LP–IIS joint-directed solution, the memory usage of the BMC of LHA is well-controlled and the performance outperforms the state-of-the-art SMT-style competitors significantly.

Lei Bu,You Li,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/FMCAD.2008.ECP.13

2008-01-01

Abstract:Hybrid automata are well studied formal models for hybrid systems with both discrete and continuous state changes. However, the analysis of hybrid automata is quite difficult. Even for the simple class of linear hybrid automata, the reachability problem is undecidable. In the author's previous work, for linear hybrid automata we proposed a linear programming based approach to check one path at a time while the length of the path and the size of the automaton being checked can be large enough to handle problems of practical interest. Based on this approach, in this paper we present a prototype tool BACH to perform bounded reachability checking of linear hybrid automata. The experiment data shows that BACH has good performance and scalability, and supports our belief that BACH could become a powerful assistant to design engineers for the reachability analysis of linear hybrid automata.

Lei Bu,You Li,Linzhang Wang,Xin Chen,Xuandong Li

DOI: https://doi.org/10.1109/date.2010.5457051

2010-01-01

Abstract:Existing reachability analysis techniques are easy to fail when applied to large compositional linear hybrid systems, since their memory usages rise up quickly with the increase of systems' size. To address this problem, we propose a tool BACH 2 that adopts a path-oriented method for bounded reachability analysis of compositional linear hybrid systems. For each component, a path is selected and all selected paths compose a path set for reachability analysis. Each path is independently encoded to a set of constraints while synchronization controls are encoded as a set of constraints too. By merging all the constraints into one set, the path-oriented reachability problem of a path set can be transformed to the feasibility problem of this resulting linear constraint set, which can be solved by linear programming efficiently. Based on this path-oriented method, BACH 2 adopts a shared label sequence guided depth first search (SLS-DFS) method to perform bounded reachability analysis of compositional linear hybrid system, where all potential path sets within the bound limit are identified and verified one by one. By this means, since only the structure of a system and the recently visited one path in each component need to be stored in memory, memory consumption of BACH 2 is very small at runtime. As a result, BACH 2 enables the verification of extremely large systems, as is demonstrated in our experiments.

Lei Bu,You Li,Linzhang Wang,Xuandong Li

2008-01-01

Abstract:Hybrid automata are well studied formal models for hybrid systems with both discrete and continuous state changes. However, the analysis of hybrid automata is quite difficult. Even for the simple class of linear hybrid automata, the reachability problem is undecidable. In the author's previous work, for linear hybrid automata we proposed a linear programming based approach to check one path at a time while the length of the path and the size of the automaton being checked can be large enough to handle problems of practical interest. Based on this approach, in this paper we present a prototype tool BACH to perform bounded reachability checking of linear hybrid automata. The experiment data shows that BACH has good performance and scalability, and supports our belief that BACH could become a powerful assistant to design engineers for the reachability analysis of linear hybrid automata.

Yuming Wu,Lei Bu,Jiawan Wang,Xinyue Ren,Wen Xiong,Xuandong Li

DOI: https://doi.org/10.1007/978-3-030-94583-1_23

2022-01-01

Abstract:Due to the tangling of discrete and continuous behavior and the compositional state space explosion, bounded model checking (BMC) of compositional linear hybrid automata (CLHA) is a very challenging task. In this paper, we propose a mixed semantics guided layered method to handle this problem in a divide-and-conquer manner. Specifically, we first enumerate candidate compositional paths in the discrete layer of CLHA through the classical step semantics. Then, we remove all stutter transitions in the candidate paths to cover all interleaving cases, and check the reachability of the generalized paths in the continuous level through the shallow semantics. We only handle one shallow compositional path at a time, so that the memory usage in the checking can be well controlled. Besides, we propose two optimization methods to tailor infeasible paths to further improve the efficiency of our approach. We implement these techniques into an LHA reachability checker called BACH. The experimental results show that our method outperforms state-of-the-art tools significantly in the aspects of efficiency and scalability.

Lei Bu,Xuandong Li

DOI: https://doi.org/10.1007/s10009-010-0163-9

2010-01-01

International Journal on Software Tools for Technology Transfer

Abstract:The existing techniques for reachability analysis of linear hybrid systems do not scale well to the problem size of practical interest. The performance of existing techniques is even worse for reachability analysis of a composition of several linear hybrid automata. In this paper, we present an efficient path-oriented approach to bounded reachability analysis of composed systems modeled by linear hybrid automata with synchronization events. It is suitable for analyzing systems with many components by selecting critical paths, while this task was quite insurmountable before because of the state explosion problem. This group of paths will be transformed to a group of linear constraints, which can be solved by a linear programming solver efficiently. This approach of symbolic execution of paths allows design engineers to check important paths, and accordingly increase the faith in the correctness of the system. This approach is implemented into a prototype tool Bounded reAchability CHecker (BACH). The experimental data show that both the path length and the number of participant automata in a system checked using BACH can scale up greatly to satisfy practical requirements.

Shujun Deng,Weimin Wu,Jinian Bian

DOI: https://doi.org/10.1007/978-3-540-72863-4_31

2007-01-01

Abstract:Bounded Model Checking (BMC) based on SAT is a complementary technique to BDD-based Symbolic Model Checking, and it is useful for finding counterexamples of minimum length. However, for model checking of large real world systems, BMC is still limited by the state explosion problem, thus abstraction is essential. In this paper, BMC is implemented on a higher abstraction level - Register Transfer Level (RTL) within an abstraction framework of symbolic trajectory evaluation and hybrid three-valued SAT solving. An efficient SAT solver for RTL circuits is presented, and it is modified into a three-valued solver for the cooperative BMC application. The experimental results comparing with the ordinary BMC without abstraction show the efficiency of our method.

Tzu-Han Hsu,César Sánchez,Sarai Sheinvald,Borzoo Bonakdarpour

DOI: https://doi.org/10.48550/arXiv.2301.06209

2023-01-26

Abstract:Bounded model checking (BMC) is an effective technique for hunting bugs by incrementally exploring the state space of a system. To reason about infinite traces through a finite structure and to ultimately obtain completeness, BMC incorporates loop conditions that revisit previously observed states. This paper focuses on developing loop conditions for BMC of HyperLTL- a temporal logic for hyperproperties that allows expressing important policies for security and consistency in concurrent systems, etc. Loop conditions for HyperLTL are more complicated than for LTL, as different traces may loop inconsistently in unrelated moments. Existing BMC approaches for HyperLTL only considered linear unrollings without any looping capability, which precludes both finding small infinite traces and obtaining a complete technique. We investigate loop conditions for HyperLTL BMC, where the HyperLTL formula can contain up to one quantifier alternation. We first present a general complete automata-based technique which is based on bounds of maximum unrollings. Then, we introduce alternative simulation-based algorithms that allow exploiting short loops effectively, generating SAT queries whose satisfiability guarantees the outcome of the original model checking problem. We also report empirical evaluation of the prototype implementation of our BMC techniques using Z3py.

Logic in Computer Science

Lei Bu,Yang Yang,Xuandong Li

DOI: https://doi.org/10.1007/978-3-642-34188-5_7

2011-01-01

Abstract:In the authors’ previous work, we proposed a linear programming (LP) based approach to check the reachability specification along one abstract path in a linear hybrid automaton (LHA) at a time by translating the reachability problem into the satisfiability problem of a linear constraint set. Then a depth-first-search (DFS) is deployed on the graph structure of the LHA to check all the paths with length in the threshold to answer the question of bounded reachability.

Florian Frohn,Jürgen Giesl

2024-08-09

Abstract:Bounded Model Checking (BMC) is a powerful technique for proving unsafety. However, finding deep counterexamples that require a large bound is challenging for BMC. On the other hand, acceleration techniques compute "shortcuts" that "compress" many execution steps into a single one. In this paper, we tightly integrate acceleration techniques into SMT-based bounded model checking. By adding suitable "shortcuts" on the fly, our approach can quickly detect deep counterexamples. Moreover, using so-called blocking clauses, our approach can prove safety of examples where BMC diverges. An empirical comparison with other state-of-the-art techniques shows that our approach is highly competitive for proving unsafety, and orthogonal to existing techniques for proving safety.

Logic in Computer Science

Xuandong Li,Sumit Jha Aanand,Lei Bu

DOI: https://doi.org/10.1016/j.entcs.2006.12.023

2007-01-01

Electronic Notes in Theoretical Computer Science

Abstract:The existing techniques for reachability analysis of linear hybrid automata do not scale well to problem sizes of practical interest. Instead of developing a tool to perform reachability check on all the paths of a linear hybrid automaton, a complementary approach is to develop an efficient path-oriented tool to check one path at a time where the length of the path being checked can be made very large and the size of the automaton can be made large enough to handle problems of practical interest. This approach of symbolic execution of paths can be used by design engineers to check important paths and thereby, increase the faith in the correctness of the system. Unlike simple testing, each path in our framework represents a dense set of possible trajectories of the system being analyzed. In this paper, we develop the linear programming based techniques towards an efficient path-oriented tool for the bounded reachability analysis of linear hybrid systems.

Zhou Conghua,Tao Zhihong,Ding Decheng,Wang Lifu

IF: 1.019

2006-01-01

Chinese Journal of Electronics

Abstract:Bounded model checking (BMC) has been recently introduced as an efficient verification method for reactive systems. Propositional satisfiability (SAT)-based bounded model checking methods consists in searching for a counter- example of a particular length and generating a propositional formula that is satisfiable iff such a counterexample exists. Until now, SAT-based bounded model checking only concerns with universal properties. In this paper we focus on bounded model checking for Computation tree logic (CTL). We present how quantified Boolean decision procedures like Davis & Putnam Procedure can replaces Binary decision diagrams (BDDs). Our basic idea is to decide the validation of a CTL formula phi in finite executions of a system and reduce the validation to a Quantified Boolean formula (QBF) psi which is satisfiable if and only if phi is valid in finite executions of the system. QBF solvers based on Davis & Putnam Procedure do not blow up in space. Therefore, our new technique avoids the space blow up of BDDs, and sometimes speeds up the verification.

Luan V. Nguyen,Wesam Haddad,Taylor T. Johnson

DOI: https://doi.org/10.4204/EPTCS.361.4

2022-07-14

Abstract:Satisfiability Modulo Theories (SMT) solvers have been successfully applied to solve many problems in formal verification such as bounded model checking (BMC) for many classes of systems from integrated circuits to cyber-physical systems. Typically, BMC is performed by checking satisfiability of a possibly long, but quantifier-free formula. However, BMC problems can naturally be encoded as quantified formulas over the number of BMC steps. In this approach, we then use decision procedures supporting quantifiers to check satisfiability of these quantified formulas. This approach has previously been applied to perform BMC using a Quantified Boolean Formula (QBF) encoding for purely discrete systems, and then discharges the QBF checks using QBF solvers. In this paper, we present a new quantified encoding of BMC for rectangular hybrid automata (RHA), which requires using more general logics due to the real (dense) time and real-valued state variables modeling continuous states. We have implemented a preliminary experimental prototype of the method using the HyST model transformation tool to generate the quantified BMC (QBMC) queries for the Z3 SMT solver. We describe experimental results on several timed and hybrid automata benchmarks, such as the Fischer and Lynch-Shavit mutual exclusion algorithms. We compare our approach to quantifier-free BMC approaches, such as those in the dReach tool that uses the dReal SMT solver, and the HyComp tool built on top of nuXmv that uses the MathSAT SMT solver. Based on our promising experimental results, QBMC may in the future be an effective and scalable analysis approach for RHA and other classes of hybrid automata as further improvements are made in quantifier handling in SMT solvers such as Z3.

Logic in Computer Science,Formal Languages and Automata Theory,Symbolic Computation

Debao Sang,Jing Liu,Haiying Sun,Jin Xu,Jiexiang Kang

DOI: https://doi.org/10.1109/qrs57517.2022.00046

2022-01-01

Abstract:Bounded Model Checking (BMC) has been found promising in finding deep vulnerabilities in industry designs and scaling well with design sizes. However, the parallelisation of BMC is challenging, due to the propositional satisfiability (SAT) problem and satisfiability modulo theories problem solving being hard to parallelise. In this paper, we propose a novel approach to perform BMC based on the mathematical model of probe machine, which is the first approach to employ probe machine to accelerate BMC, particularly it can solve SAT formulas in full parallel. We introduce the workflow of the algorithm and explain in detail the process of mapping BMC to the probe machine. A method is provided to prove the correctness of the algorithm and to analyze its time complexity. We develop a model checker called BMC2PROBE based on our approach and explain the framework and memory management of the tool. The experiment results are discussed, which prove the feasibility and effectiveness of our approach.

Tzu-Han Hsu,Cesar Sanchez,Borzoo Bonakdarpour

DOI: https://doi.org/10.48550/arXiv.2009.08907

2020-10-16

Abstract:Hyperproperties are properties of systems that relate multiple computation traces, including security and concurrency properties. This paper introduces a bounded model checking (BMC) algorithm for hyperproperties expressed in HyperLTL, which - to the best of our knowledge - is the first such algorithm. Just as the classic BMC technique for LTL primarily aims at finding bugs, our approach also targets identifying counterexamples. BMC for LTL is reduced to SAT solving, because LTL describes a property via inspecting individual traces. HyperLTL allows explicit and simultaneous quantification over traces and describes properties that involves multiple traces and, hence, our BMC approach naturally reduces to QBF solving. We report on successful and efficient model checking, implemented in a tool called HyperQube, of a rich set of experiments on a variety of case studies, including security, concurrent data structures, path planning for robots, and testing.

Formal Languages and Automata Theory,Cryptography and Security

Yuesheng Zhu,Deke Yu

DOI: https://doi.org/10.2991/iccnce.2013.70

2013-01-01

Abstract:Model checking is one of main formal verification methods that are used in the process of circuit design and verification. However, there is a problem of state memory explosion in traditional model checking methods. Bounded model checking (BMC), in which the Davis-Putnam-Logemann-Loveland (DPLL) algorithm based Satisfiability (SAT) solver is used to verify the circuits, can avoid this problem, whereas, its efficiency depends on the performance of the solver. Hybrid SAT solver combines the advantages of the completeness of DPLL and the fast solving property of stochastic local search algorithm, e.g. WalkSAT, and is proved to be an efficient improving way. However, it is noted that the noise parameter in WalkSAT could affect the solver's overall performance. In this paper, an adaptive noise mechanism is proposed to integrate with the hybrid algorithm framework to further improve the solver's performance. Our experimental results have shown that the designed hybrid solver with adaptive noise performs well in BMC instances and some other circuits.

Devleena Ghosh,Sumana Ghosh,Ansuman Banerjee,Raj Kumar Gajavelly,Sudhakar Surendran

DOI: https://doi.org/10.1145/3675168

IF: 1.447

2024-07-02

ACM Transactions on Design Automation of Electronic Systems

Abstract:In recent times, Bounded Model Checking (BMC) engines have gained wide prominence in formal verification. Different BMC engines exist, differing in their optimization, representations and solving mechanisms used to represent and navigate the underlying state transition of the given design to be verified. The objective of this paper is to examine if combinations of BMC engines can help to combine their strengths. We propose an approach that can create a sequencing of BMC engines that can reach better depth in formal verification, as opposed to executing them alone for a specified time. Our approach uses machine learning, specifically, the Multi-Armed Bandit paradigm of reinforcement learning, to predict the best-performing BMC engine for a given unrolling depth of the underlying circuit design. We evaluate our approach on a set of benchmark designs from the Hardware Model Checking Competition (HWMCC) benchmarks and show that it outperforms the state-of-the-art BMC engines in terms of the depth reached or time taken to deduce a property violation. The synthesized BMC engine sequences reach better depths than HWMCC results and the state-of-the-art technique, super_deep, for more than 80% of the cases. It also outperforms single engine runs for more than 92% of the cases where a property violation is not found within a given time duration. For designs where property violations are found within the given time duration, the synthesized sequences found the property violation in a lesser time than HWMCC for all the designs and outperformed both super_deep and single engine runs for more than 87% of the designs.

computer science, software engineering, hardware & architecture

Dingbao XIE,Yuexiang ZHOU,Lei BU,Linzhang WANG,Xuandong LI

DOI: https://doi.org/10.1360/N112016-00042

2017-01-01

Abstract:Hybrid systems include both discrete and continuous behavior and are widely used to model control systems.The reachability analysis of its unsafe state is an important method for guaranteeing the safety of a system.However,the current techniques do not scale well to the problems of practical interest.Due to the synchronization of components and the combinatorial explosion of state space,the reachability analysis of compositional linear hybrid system is extremely complex.In order to reduce the complexity,a path-oriented approach was proposed in a previous work,which conducted bounded reachability analysis of a compositional linear hybrid system.By enumerating and verifying each potential path one by one,the size of the problem that can be solved will be increased substantially.This path-oriented approach will become quite inefficient due to a sharp increase in the number of candidate paths when analyzing complex systems.The path explosion problem in model checking is also famous.To solve this problem,we propose a state-space reduction technique,which accelerates the verification process.We propose a method to locate the cause of infeasibility,when a composed infeasible path segment after a path set is proved to be infeasible.As we can simply falsify a path set that contains a composed infeasible path segment,the number of candidate paths can be reduced significantly.Furthermore,to avoid such composed path segments efficiently,we propose an approach based on satisfiability modulo theories (SMT),to traverse the bounded graph structure of the composed linear hybrid system.The results of the experiment show that the performance of the path-oriented bounded reachability analysis can be optimized significantly and that the overall performance of the proposed approach is better than that of the state-of-the-art competitor.