
AISB2001

Clause Forms Generated by Bounded Model Checking

Daniel Sheridan, Toby Walsh

Artificial Intelligence Group, Department of Computer Science, University of York, York, England. YO DD

{djs,tw}@cs.york.ac.uk

Introduction

Model checking is a method of verifying the behaviour of a dynamic system, comparing an implementation against a modal logic (typically, CTL) specification. A typical application is in the field of hardware verification, where a model checking tool can find bugs in hardware designs long before a product enters the testing phase.

Bounded model checking (BMC) (Biere et al., 1999) was proposed as a solution to some of the problems of conventional BDD-based symbolic model checking, such as space explosion, by introducing a temporal bound. The problem can then be encoded as a Boolean formula; the output of a BMC tool is a conjunction of state transition functions and state verification functions. Certain modal operators can be handled by including a check for loops in the state transitions.

The formulas produced by BMC tools may be used as the input to Boolean satisfiability (SAT) checkers, and this has influenced renewed interest in the performance of SAT procedures on highly structured problems (for example, Shtrichman (2000)).

As the specification is encoded as part of the Boolean formula, the size of the formula depends on the size of the specification, while it influences only the time complexity of BDD methods. The size of the encoding is also related to the bound size, possibly exponentially, making the correct choice of bound vital.

By analysing how CTL operations influence the number of clauses, we hope to find an indication of the difficulty of the SAT problems produced by BMC. We use the methods from Nonnengart et al. (1998) in predicting the size of the clause form conversion of a Boolean formula to determine the size of the output from a BMC tool. We present the first steps in doing this, initially for the case of non-nested operators, and show how subformula renamings can reduce the expected size of the clause form.

Encoding Model Checking

The first stage in the translation of a CTL formula is to negate it, and attempt to convert it to existential form; Biere et al. (1999) deals only with LTL, finding a counterexample at the point where the LTL formula fails to hold.

  f            | $[[f]]^0_k$ (non-loop)                                                          | ${}_l[[f]]^0_k$ (loop)
  $G\,f_1$     | false                                                                           | $\bigwedge_{j=0}^{k} f_1(s_j)$
  $F\,f_1$     | $\bigvee_{j=0}^{k} f_1(s_j)$                                                    | $\bigvee_{j=0}^{k} f_1(s_j)$
  $X\,f_1$     | $f_1(s_1)$                                                                      | $f_1(s_1)$
  $f_1\,U\,f_2$ | $\bigvee_{j=0}^{k} \big(f_2(s_j) \wedge \bigwedge_{n=i}^{j-1} f_1(s_n)\big)$   | $\bigvee_{j=0}^{k} \big(f_2(s_j) \wedge \bigwedge_{n=i}^{j-1} f_1(s_n)\big)$
  $f_1\,R\,f_2$ | $\bigvee_{j=0}^{k} \big(f_1(s_j) \wedge \bigwedge_{n=i}^{j} f_2(s_n)\big)$     | $\bigwedge_{j=0}^{k} f_2(s_j) \vee \bigvee_{j=0}^{k} \big(f_1(s_j) \wedge \bigwedge_{n=i}^{j} f_2(s_n)\big)$

Table 1: Optimised encodings for non-nested operations

We use $[[f]]^i_k$ to denote the translation of a model checking problem with bound k, starting from state number i; where the path under consideration is a k-loop, starting from position l, we write ${}_l[[f]]^i_k$.

The general translation of a model checking problem¹ is given by the following formula (where $L_k = \bigvee_{l=0}^{k} {}_lL_k$):

$$[[M, f]]_k := [[M]]_k \wedge \Big( \big(\neg L_k \wedge [[f]]^0_k\big) \vee \bigvee_{l=0}^{k} \big({}_lL_k \wedge {}_l[[f]]^0_k\big) \Big)$$

For the specifications consisting of one CTL operator with propositional arguments, the translations are given in Table 1.

Several features are clear: no translation depends on the value of l, so ${}_l[[f]]^0_k$ may be moved outside of the disjunction, which in turn may be replaced by $L_k$. Where the loop and non-loop translations are the same, the L terms are cancelled. Specifically, this occurs for LTL operators F, X and U (corresponding to AG, AX and A[R] in the specification), implying that, given a choice, these operators are preferred. For G (corresponding to AF), the non-loop translation is empty, and can be eliminated. Finally, exploiting the similarity between the loop and non-loop cases for A[U] improves this case. We now see three cases for the general translation:

¹ This comes from definition 15 in Biere et al. (1999).

No non-loop part (AF): $[[M]]_k \wedge \bigvee_{l=0}^{k} \big({}_lL_k \wedge {}_l[[f]]^0_k\big)$

Identical loop and non-loop parts (AG, AX and A[R]): $[[M]]_k \wedge {}_l[[f]]^0_k$

Differing loop and non-loop parts (A[U]): observing that ${}_l[[f_1\,R\,f_2]]^0_k = \bigwedge_{j=0}^{k} f_2(s_j) \vee [[f_1\,R\,f_2]]^0_k$, the general translation becomes $[[M]]_k \wedge \big([[f]]^0_k \vee L_k\big) \wedge {}_l[[f]]^0_k$

  $\varphi$                       | $p(\varphi)$                       | $\bar{p}(\varphi)$
  $\neg\varphi_1$                 | $\bar{p}(\varphi_1)$               | $p(\varphi_1)$
  $\varphi_1 \wedge \varphi_2$    | $p(\varphi_1) + p(\varphi_2)$      | $\bar{p}(\varphi_1)\,\bar{p}(\varphi_2)$
  $\varphi_1 \vee \varphi_2$      | $p(\varphi_1)\,p(\varphi_2)$       | $\bar{p}(\varphi_1) + \bar{p}(\varphi_2)$
  $\varphi_1 \Rightarrow \varphi_2$ | $\bar{p}(\varphi_1)\,p(\varphi_2)$ | $p(\varphi_1) + \bar{p}(\varphi_2)$

Table 2: $p(\varphi)$: the number of clauses produced

Encoding Sizes

The number of clauses produced by a formula $\varphi$ is given by $p(\varphi)$, and for $\neg\varphi$ by $\bar{p}(\varphi)$ (Table 2).

The size of a translation does not depend on variable names, so the state parameters can be disregarded, leading to the simplified sizes for each LTL operator in Table 3.

The number of clauses produced by the general formula is

$$p([[M]]_k) + \big(\bar{p}(L_k) + p([[f]]^0_k)\big) \prod_{l=0}^{k} \big(p({}_lL_k) + p({}_l[[f]]^0_k)\big)$$

This may be rewritten for each of the three cases above, taking the cancelling into consideration.

No non-loop part (AF): $p([[M]]_k) + p(L_k) + p({}_l[[f]]^0_k)$

Identical loop and non-loop parts (AG, AX and A[R]): $p([[M]]_k) + p({}_l[[f]]^0_k)$

Differing loop and non-loop parts (A[U]): $p([[M]]_k) + p(L_k)\,p([[f]]^0_k) + p({}_l[[f]]^0_k)$

Renaming for A[U]

The translation for A[U] is the most problematic, as it includes a product of two product terms ($[[f]]^0_k$ and $L_k$), thus giving it a translation size far in excess of other operators. However, by renaming $L_k$ and $[[f]]^0_k$ using variables $\lambda$ and $\rho$ we hope to reduce the problem.

  f                 | $p({}_l[[f]]^i_k)$
  $G\,f_1$          | $k\,p(f_1)$
  $F\,f_1$          | $(p(f_1))^k$
  $X\,f_1$          | $p(f_1)$
  $f_1\,U\,f_2$     | $p(f_2) \prod_{j=1}^{k} \big(p(f_2) + j\,p(f_1)\big)$
  $f_1\,R\,f_2$ [1] | $\prod_{j=0}^{k} \big(p(f_1) + j\,p(f_2)\big)$
  $f_1\,R\,f_2$ [2] | $k\,p(f_2) \prod_{j=0}^{k} \big(p(f_1) + j\,p(f_2)\big)$

[1] non-loop translation [2] loop translation

Table 3: Encoding sizes for non-nested operations

Since these two subformulæ are used only in positive forms (that is, with polarity of 1 as discussed in Nonnengart et al. (1998)), the definitions of the variables may be given by $\lambda \Rightarrow L_k$ and $\rho \Rightarrow [[f]]^0_k$, and so the translation is reduced to

$$[[M]]_k \wedge (\lambda \vee \rho) \wedge \bigwedge_{j=0}^{k} \big(f_2(s_j) \vee \rho\big) \wedge (\lambda \Rightarrow L_k) \wedge (\rho \Rightarrow [[f]]^0_k) \qquad (1)$$

Though this formula appears longer, much of the complexity in converting to clause form has been eliminated. The size of this translation is

$$p([[M]]_k) + 1 + k\,p(f_2) + p(L_k) + p([[f]]^0_k),$$

which shows the elimination of the product term, and also how the size of ${}_l[[f\,R\,g]]^0_k$, originally a product, has been converted into a sum.
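As an added illustration (not code from the paper), the following Python applies the $p$ / $\bar{p}$ recursion of Table 2 to the $f_1\,R\,f_2$ encodings of Table 1 and counts clauses for the general translation, the simplified third case and the renamed equation (1). It assumes a constructed shape for the loop formulas ${}_lL_k$ (a conjunction of state-bit equalities, which the page does not define), treats $[[M]]_k$ as a single clause, and counts directly from the Table 1 formulas rather than from the closed forms of Table 3.

```python
# Added example (not the paper's code): the p / p-bar recursion of Table 2 run
# over the f1 R f2 encodings of Table 1 (LTL R, i.e. CTL A[U]), comparing the
# general translation, the simplified third case and equation (1).
from math import prod
NBITS = 2  # ASSUMPTION: each loop formula lL_k is an AND of NBITS bit equalities

def atom(n): return ("atom", n)
def NOT(f): return ("not", f)
def AND(*fs): return ("and", list(fs))
def OR(*fs): return ("or", list(fs))
def IMP(f, g): return ("imp", f, g)

def p(f):
    """Clauses produced by f (Table 2, column p)."""
    op = f[0]
    if op == "atom": return 1
    if op == "not": return pbar(f[1])
    if op == "and": return sum(p(g) for g in f[1])
    if op == "or": return prod(p(g) for g in f[1])
    return pbar(f[1]) * p(f[2])  # f[1] implies f[2]

def pbar(f):
    """Clauses produced by the negation of f (Table 2, column p-bar)."""
    op = f[0]
    if op == "atom": return 1
    if op == "not": return p(f[1])
    if op == "and": return prod(pbar(g) for g in f[1])
    if op == "or": return sum(pbar(g) for g in f[1])
    return p(f[1]) + pbar(f[2])  # f[1] implies f[2]

def at(f, j): return atom(f"{f}(s{j})")  # propositional f evaluated in state s_j
def loop_l(l, k): return AND(*[atom(f"s{k}=s{l}[{b}]") for b in range(NBITS)])  # lL_k
def L(k): return OR(*[loop_l(l, k) for l in range(k + 1)])  # L_k
M = atom("M")  # [[M]]_k, counted here as a single clause
# Table 1, row f1 R f2 with i = 0: the non-loop column and the loop column.
def R_nonloop(k):
    return OR(*[AND(at("f1", j), *[at("f2", n) for n in range(j + 1)]) for j in range(k + 1)])
def R_loop(k):
    return OR(AND(*[at("f2", j) for j in range(k + 1)]), R_nonloop(k))

def general(k):  # [[M]]_k and ((not L_k and [[f]]) or OR_l (lL_k and l[[f]]))
    return AND(M, OR(AND(NOT(L(k)), R_nonloop(k)),
                     *[AND(loop_l(l, k), R_loop(k)) for l in range(k + 1)]))
def differing(k):  # third case: [[M]]_k and ([[f]] or L_k) and l[[f]]
    return AND(M, OR(R_nonloop(k), L(k)), R_loop(k))
def renamed(k):  # equation (1): lambda implies L_k, rho implies [[f]]
    lam, rho = atom("lambda"), atom("rho")
    return AND(M, OR(lam, rho), *[OR(at("f2", j), rho) for j in range(k + 1)],
               IMP(lam, L(k)), IMP(rho, R_nonloop(k)))

def sizes(k):  # clause counts (general, differing case, renamed) for bound k
    return p(general(k)), p(differing(k)), p(renamed(k))
```

For k = 3 the three counts are 1 + 124·482⁴, 2401 and 142: the renamed form grows as a sum of the subformula sizes, while the other two carry the product terms discussed above.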

Conclusion

We have conjectured a technique for determining the quality of an encoding, and shown that subformula renaming, in addition to careful simplification, can successfully reduce the size of a clause form encoding of a model checking problem. Hopefully, by applying similar techniques to nested CTL operations, we will be able to deduce a more space-efficient encoding in general. Further analysis remains to be done on the improvements to the time spent in the SAT checker (if any) to be made by performing renamings of this type.

Acknowledgements

My gratitude goes to Alan Frisch, for proof reading and checking this paper.

References

Armin Biere, Alessandro Cimatti, Edmund Clarke, and Yunshan Zhu. Symbolic model checking without BDDs. In W. R. Cleaveland, editor, Tools and Algorithms for the Construction and Analysis of Systems. 5th International Conference, TACAS'99, volume 1579 of Lecture Notes in Computer Science. Springer-Verlag Inc., July 1999.

Andreas Nonnengart, Georg Rock, and Christoph Weidenbach. On generating small clause normal forms. In Claude Kirchner and Helene Kirchner, editors, Automated Deduction — CADE-15 International Conference, LNAI 1421, pages 397–411. Springer, 1998.

Ofer Shtrichman. Tuning SAT checkers for bounded model checking. In Proceedings of the 12th International Conference on Computer Aided Verification (CAV'00), volume 1855 of Lecture Notes in Computer Science. Springer-Verlag Inc., 2000.