Faster FDR Counterexample Generation Using SAT-Solving Electronic Communications of the EASST Volume 23 (2009) Proceedings of the Ninth International Workshop on Automated Verification of Critical Systems (AVOCS 2009) Faster FDR Counterexample Generation Using SAT-Solving H. Palikareva, J. Ouaknine and A. W. Roscoe 15 pages Guest Editor: Markus Roggenbach Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Faster FDR Counterexample Generation Using SAT-Solving H. Palikareva, J. Ouaknine and A. W. Roscoe Oxford University Computing Laboratory, Oxford, UK Abstract: With the flourishing development of efficient SAT-solvers, bounded model checking (BMC) has proven to be an extremely powerful symbolic model checking technique. In this paper, we address the problem of applying BMC to con- current systems involving the interaction of multiple processes running in parallel. We adapt the BMC framework to the context of CSP and FDR yielding bounded refinement checking. Refinement checking reduces to checking for reverse con- tainment of possible behaviours. Therefore, we exploit the SAT-solver to decide bounded language inclusion as opposed to bounded reachability of error states, as in most existing model checkers. We focus on the CSP traces model which is sufficient for verifying safety properties. We present a Boolean encoding of CSP processes resting on FDR’s hybrid two-level approach for calculating the operational seman- tics using supercombinators. We describe our bounded refinement-checking algo- rithm which is based on watchdog transformations and incremental SAT-solving. We have implemented a tool, SymFDR, written in C++ which uses FDR as a shared library for manipulating CSP processes and the state-of-the-art SAT-solver Min- iSAT. Experiments indicate that in some cases, especially for complex combinato- rial problems, SymFDR significantly outperforms FDR. Keywords: CSP, FDR, concurrency, process algebra, Bounded Model Checking, SAT-solving, safety properties 1 Introduction Model checking techniques can be partitioned into those which are symbolic, based on abstract representation of sets of states, and those which are based on explicit examination of individ- ual states. The former generally represent sets of states as formulae in Boolean logic and use techniques such as SAT-solving and BDD manipulation to decide checks. The latter can be en- hanced by techniques such as hierarchical state-space compression and partial-order methods. The main obstacle when applying these approaches in practice is the state-space explosion prob- lem by which the number of states in a system grows exponentially with the number of parallel components and also the number and bit sizes of data values. FDR [Ros94, G+05] is a long-established tool for the refinement checking of CSP [Hoa85, Ros98]. When deciding whether a proposed implementation process Impl refines a normalised specification process Spec, FDR follows algorithms exploring the Cartesian product of the state spaces of Spec and Impl in a way comparable to conventional model checking. Therefore, until now, FDR has followed the explicit model checking approach. There has been, however, some work on the symbolic model checking of CSP [PY96, SLDS08]. 1 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving This paper reports our attempts to integrate SAT-based bounded model checking [BCCZ99] into FDR. We show how the same internal structures used in FDR’s two-level representation of state spaces can be translated readily into Boolean logic. Within the scope of this paper, we only consider the translation of trace refinement to SAT checking. The result is a prototype tool SymFDR which, when combined with state-of-the-art SAT- solvers such as MiniSAT [ES03a, EB05], sometimes outperforms FDR by a significant margin when finding counterexamples. We compare the performance of SymFDR with the performance of FDR, FDR used in a non-standard way, PAT [SLD08] and, in some cases, NuSMV [CCG+02], Alloy Analyzer [Jac06] and straight SAT encodings of the problems under consideration. The remainder of the paper is organised as follows. In Section 2, we set out the necessary background on CSP and FDR’s two-level strategy for performing refinement checks. We briefly describe the ideas underlying BMC. In Section 3, we show how to adapt the watchdog approach [RGM+03] to BMC, while in Section 4, we summarise the methods we use to translate FDR’s supercombinator representation of a state machine into input for a SAT-solver. Section 5 gives details of how SymFDR is built on top of this, and Section 6 offers experimental comparisons. 2 Preliminaries 2.1 CSP and FDR In this section, we assume that the reader is familiar with CSP and we therefore give only a brief overview of CSP and FDR. The interested reader is referred to [Ros98]. Furthermore, we restrict our focus exclusively to the traces model, intentionally omitting information about other more expressive models of CSP. 2.1.1 CSP Syntax In this section, we recall the core syntax of CSP. Let Σ be a finite alphabet of (visible) events with τ, X 6∈ Σ. The internal action τ occurs silently and is invisible outside a process. X denotes a successful termination of a process. In what follows, we assume that a ∈ Σ, A ⊆ Σ and B ⊆ Σ X = Σ∪{X}. R ⊆ Σ×Σ denotes a renaming relation on Σ. Definition 1 A CSP process is defined recursively via the following grammar: P := ST OP | SKIP | DIV | x : A → P(x) | P1�P2 | P1 uP2 | P1|| B P2 | P1; P2 | P\A | PJRK | µ P•F(P) CSPM converts core CSP into an ASCII form and adds several further operators and an ex- tensive functional language. SymFDR supports the full CSPM syntax, except that it cannot at present handle scripts using the function chase. 2.1.2 Denotational Semantics CSP supports a hierarchy of several denotational semantic models. Each of them describes a process in terms of the observable behaviours it can exhibit. All denotational models are Proc. AVOCS 2009 2 / 15 ECEASST compositional in the sense that the denotational value of each process can be computed in terms of the denotational values of its subcomponents. In the traces model, a process P is identified with the set of its finite traces, denoted by traces(P). Intuitively, a trace of a process is a sequence of visible actions that the process can perform. The set of traces of a process is non-empty and prefix-closed. There are two different approaches for obtaining the set traces(P) — either by constructing it inductively from the traces of its subcomponents, or by extracting it from the operational semantics. Refer to [Ros98] for the rules underlying the first approach. Since denotational values of processes are rather complex and often infinite, FDR calculates the behaviours of a process from its standard operational representation which is justified by semantic models being congruent to it. The congruence theorems are presented and proven in [Ros98]. 2.1.3 Operational Semantics The operational semantics models CSP processes as labelled transition systems (LTS’s), with nodes denoting processes and labels denoting visible or τ actions. Since the LTS representation is not unique, in terms of the operational semantics, two processes are considered equivalent if they are strongly bisimilar [Ros98]. The operational semantics is calculated by repeatedly applying a set of inference rules, called firing rules. Firing rules provide recipes for constructing an LTS out of a CSP description of a process. The recipes define how processes can evolve by calculating the initial actions available at each node and the possible results after performing each action. The reader is referred to [Ros98] for more information. Extracting Behaviours from Operational Semantics. We now present how behaviours, in our case – traces, can be retrieved from the operational semantics of a process. Formally, a labelled transition system is a quadruple M = 〈S, s0, L, T〉, where S is a finite set of states, s0 ∈ S is the initial state, L is a finite set of labels, T ⊆ S×L×S is the transition relation. For convenience, we write s l→ s′ instead of (s, l, s′) ∈ T . Furthermore, we write s l→ if there exists s′ ∈ S, such that s l→ s′. For s ∈ S and l ∈ L, we define Post(s, l) = {s′ ∈ S|s l→ s′} — the set of direct l-successors of s. M is then is deterministic if, for any s ∈ S and l ∈ L, |Post(s, l)|≤ 1. An execution of M is a finite or an infinite alternating sequence of states and events π = s0l1s1l2 . . . lnsn . . . such that s0 is the initial state and for all i, si li+1→ si+1. Let P be a finite-state process and OSP = 〈SP, sP0 , L P = Στ,X, T P〉 be the LTS underlying the operational semantics of P. We denote by αP the set of all visible events that P can perform, i.e. αP = ΣX. We write Σ∗X to denote the set of finite words over Σ which might end with X, and similarly, (Στ )∗X. For p, q ∈ SP, we use the following notation: • initials(p) = {l ∈ ΣX|p l→}, i.e. initials(p) is the set of visible events that can be commu- nicated from the state p. • for t = 〈xi|0 ≤ i < n〉 ∈ (Στ )∗X, we write p t7−→ q if there exists a sequence of states p0, p1, . . . , pn, such that p0 = p, pn = q and pk xk→ pk+1 for k ∈{0, . . . , n−1}. • for t ∈ Σ∗X, we write p t=⇒ q if there exists t′ ∈ (Στ )∗X, such that p t ′ 7−→ q and t = t′ � ΣX, i.e. t is t′ with all the τ ’s removed. Then, we define traces(P) = {t ∈ Σ∗X|∃q ∈ SP.sP0 t =⇒ q}. 3 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving The Two-Level Approach. In fact, FDR exploits a hybrid high-/low- level approach for calcu- lating the operational semantics of a process [Ros08]. Generally, the low level comprises all true recursions, the high level – processes composed by parallel composition, hiding and renaming, although the dividing line is a bit more complex. For each process compiled on the low level, an explicit LTS is produced, following the firing rules. Compiling on the high-level is called supercompiling. It is based on calculating a set of rules for turning a combination of LTS’s into a single LTS, without explicitly constructing it. For most practical examples, the result of supercompilation is a high-level structure. The high-level structure consists of two parts. The first one is a process tree with leaves – low-level compiled LTS’s, and internal nodes – CSP operators such as hiding, renaming or parallel composition. Each node, even if internal, represents a process and is interpreted as an LTS with its behaviours deducible from the behaviours of its children on-the-fly. The second part of the high-level structure is a set of rules mapping actions of a number of leaf processes to an event-outcome of the composite root process [Ros98]. Those rules are called supercombinators. In what follows, we use the notions of supercombinators and rules interchangeably. Within a supercombinator, each process can participate with a visible event, a silent action τ , or not be involved at all. The supercompiler generates the following types of rules [Ros98, RRS+01]: • a rule for a leaf willing to perform a τ which promotes a τ action of the root process • rules using visible actions Note that the visible actions that the leaf processes perform need not be the same if hiding or renaming is involved in the combination being modelled. For example, if P = a → P and Q = b → Q, then if P performs a and Q performs b, P || {a} QJa/bK can perform a, where QJa/bK is the process Q with the event b being renamed to a. Hence, (a, b, a) is a valid rule for the root process P || {a} QJa/bK with leaves P and Q: the first two elements of the rule triple represent the actions of P and Q, respectively, the last element provides the event-outcome of P || {a} QJa/bK . In FDR, at every particular step the leaf processes can be either switched on or switched off. Processes are switched on if they are currently under a CSP operator that makes their actions immediately relevant for the action of the overall system. Processes are switched off if they are under a CSP operator that does not need their actions to deduce the resulting action of the system. For instance, in P1|||P2, both P1 and P2 are switched on. In P1; P2, P2 is switched off until P1 performs X. In a→(P1|||P2), both P1 and P2 are initially switched off until a is communicated. We refer to the different configurations of switched on and switched off leaf processes as formats. In the worst case, there could be exponentially many different formats, but in practice this is rarely the case. In FDR, the set of supercombinators is partitioned with respect to the existing formats. Hence, supercombinators can be viewed as dynamic or static, depending on whether they switch the system to another format after being triggered or not. A state of the root high-level process, also called a configuration, is a tuple of the current states of its leaf processes. When running the root process, FDR computes its initial actions by check- ing which supercombinators are enabled from the current configuration and the current format of the root. A supercombinator might be disabled if not all leaf processes are able to communicate the event they are responsible for within the supercombinator. Hence, the operational semantics Proc. AVOCS 2009 4 / 15 ECEASST ��?>=<89:;s0 τ ~~}} }} }} }} } τ AA AA AA AA A ?>=<89:;s1 a -- ?>=<89:;s2 (a) LT SP ��?>=<89:;s0 b JJ (b) LT SQ || ���� �� �� �� !! BB BB BB BB B P Ja/bK �� Q (c) The root process R Figure 1: Example OS of the root can be considered an implicit LTS, whose transitions can be switched on and off. The states are represented by a pair of a configuration and a format of the root. Transitions are mod- elled by supercombinators. We formalise these notions when describing our Boolean encoding of CSP processes. In this section, we illustrate the two-level approach with a small example. Example 1 Let us consider the process R = P || {a} QJa/bK, where P = a → P u ST OP and Q = b → Q. The process tree of R is presented on Figure 2(c). The explicit LTS machines underlying the semantics of the leaves P and Q are depicted on Figure 2(a) and Figure 2(b), respectively. The root process R contains a single format with two rules — one rule stating that if P performs τ then the entire system performs τ and another rule stating that if P performs a and Q performs b, R can perform a. 2.1.4 Refinement Checking Given two CSP processes Spec and Impl, the refinement check Spec v Impl reduces to check- ing for reverse containment of possible behaviours. For the traces model, Spec vT Impl iff traces(Impl) ⊆ traces(Spec). We briefly outline how FDR carries out the refinement check. Let OSSpec = 〈Ss, ss0, L s, T s〉 and OSImpl = 〈Si, si0, L i, T i〉 be the labelled transition systems representing the operational semantics of Spec and Impl, respectively. As a preprocessing step, FDR normalises OSSpec, so that OSSpec reaches a unique state after any trace. The normalisation procedure requires as a precondition that OSSpec be explicated and therefore S pec sequentialised. Essentially, the normalisation procedure transforms OSSpec into the unique equivalent τ -free deterministic LTS with the fewest possible states (bisimulation-reduced). After normalising OSSpec, FDR traverses the Cartesian product of OSSpec and OSImpl in a breadth-first manner, checking for compatibility of mutually-reachable states. For the traces model, a pair of states (ss, si) is compatible, if initials(si) ⊆ initials(ss). 2.2 Bounded Model Checking SAT-based bounded model checking [BCCZ99] is a symbolic model checking technique consid- ered complementary to BDD-based model checking [BCM+92, McM93]. Bounded model checking focuses on searching for counterexamples of bounded length only. 5 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving The underlying idea is to fix a bound k and to unwind the model for k steps, thus considering behaviours and counterexamples of length at most k. In practice, BMC is conducted iteratively by progressively increasing k until either a counterexample is detected or k reaches a precomputed threshold called completeness threshold [CKOS05], which indicates that the model satisfies the specification. It is important to note that without knowing the completeness threshold, the BMC procedure is incomplete. Hence, BMC is mostly suitable for detecting bugs, not for verification (proving absence of bugs). SAT-based BMC [BCCZ99] reduces the model checking problem to a propositional satisfia- bility problem. The idea is to construct a Boolean formula which is satisfiable if and only if there is a counterexample of length k. This formula is fed into a SAT-solver which decides the model checking problem in question and produces a counterexample, if any. Due to the DFS-nature of the SAT decision procedure, this technique allows for a fast detection of counterexamples. 3 Performing Bounded Trace Refinement In this section, we present our iterative bounded refinement checking algorithm. Our approach for establishing trace refinement is based on watchdog transformations [RGM+03]. Our objec- tive is the following. We are given two CSP processes Spec and Impl and an integer k. We aim at checking whether Spec vkT Impl, i.e., whether all executions of the implementation of length at most k agree with the specification. 3.1 Preprocessing Phase Using FDR Our implementation is intended as an alternative back-end for FDR, orthogonal to the standard explicit method of performing trace refinement. Currently, we use a shared library version of FDR for manipulating CSP processes and we mimic FDR up to the point of the final state-space exploration phase. Therefore, SymFDR reuses FDR’s compiler and supercompiler and the data structures underlying the operational semantics. At present, we use FDR to supercompile and normalise Spec and to retrieve LTSSpec represent- ing the operational semantics of Spec. We assume that the implementation Impl comprises the interaction of c sequential processes P1, . . . , Pc running in parallel, possibly using hiding and renaming. We write Impl = P1||P2 . . .||Pc to denote a high-level process Impl with leaf processes P1, . . . , Pc. We use FDR to supercompile Impl and to retrieve both the set of supercombinators and the set {LTSPi|i ∈{1, . . . , c}}. 3.2 Watchdog Refinement Checking Algorithm In a nutshell, the main steps of our algorithm are the following: 1. We transform Spec into a process Watchdog which allows the behaviours of both Spec and Impl. The transformation adds a special state sink to LTSSpec and forces all erroneous traces (traces that do not conform with Spec) to be directed to sink. 2. We construct a process Refinement = Watchdog || αImpl∪αSpec Impl = Watchdog || αImpl∪αSpec (P1||P2 . . .||Pc) Proc. AVOCS 2009 6 / 15 ECEASST 3. We check whether Watchdog can reach its sink state within k steps of the execution of Refinement. The Watchdog Process. The transformation we apply on Spec is performed at the level of LTSSpec. We add a state sink and make LTSSpec total with respect to the alphabet αSpec ∪αImpl. The resulting process Watchdog operationally passes through sink whenever executing a trace that is not allowed by Spec. We allow an execution of Watchdog to contain any number of τ ’s after visiting sink in order to be able to increase the BMC bound by more than 1 at each step. The Refinement Process. The process Refinement = Watchdog || αImpl∪αSpec (P1||P2 . . .||Pc) can be used as an indicator whether Impl can behave in a way incompatible with Spec. Watchdog becomes just one of the sequential leaf processes of Refinement. It is evident then that: 1. Spec vT Impl ⇐⇒ Watchdog never reaches its sink state in any execution of Refinement 2. All executions of Refinement forcing Watchdog to pass through its sink state constitute valid counterexamples of the assertion Spec vT Impl 4 Boolean Encoding of CSP Processes In this section we present our encoding of CSP processes into Boolean formulae. First, we demonstrate how to encode sequential or explicated processes, corresponding to leaf processes in the operational representation. Then, we show how to glue together sequential processes with supercombinators to obtain an encoding of a high-level process. In what follows, we call a high-level process a concurrent system. For the Boolean encoding we use the following notation. dXe(Vars) denotes the Boolean encoding of X with respect to the vector(s) of Boolean variables Vars. 4.1 Encoding a Sequential Process Let P be a finite-state process with alphabet of events Σ. Let OSP = 〈S, s0, L = Στ,X, T〉 be the LTS representing the operational semantics of P. Encoding the Set of States. The basic idea is to enumerate the states in binary and represent them as Boolean functions. Each state s ∈ S is identified by a bit vector b = (b1, . . . , bn) of size n = dlog2 |S|e using an injective encoding encS : S →{0, 1} n . We introduce an ordered vector of n distinct Boolean variables x = (x1, ..., xn). Each variable xi uniquely identifies its corresponding bit bi and, for each s ∈ S, dse(x)|x=b = 1 iff encS(s) = b. We define dIe(x) = ds0e(x). Encoding the Set of Labels. Using the same technique, we introduce an ordered vector y = (y1, ..., ym) of m = dlog2 |L|e distinct Boolean variables for encoding the set of labels L = Σ τ,X. Encoding the Transition Relation. In order to represent the transition relation T , we introduce a copy x′ = (x′1, . . . , x ′ n) of x = (x1, . . . , xn). x serves for representing the source states of transi- tions, x′ – for representing the destination states. Then, for t = (ssrc, l, sdest ) ∈ T , dte(x, y, x′) = dssrce(x)∧dle(y)∧dsdeste(x′). For any s ∈ S, we write dse(x′) to denote dse(x)[x′ ← x], i.e. we represent s with respect to the variables x and then substitute the variables x with x′. The encoding of the entire transition relation is the following: dTe(x, y, x′) = ∨ t∈Tdte(x, y, x′). 7 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving Encoding Executions. We can now represent a sequential process P implicitly by the pair of functions 〈dT Pe(x, y, x′),dIPe(x)〉. For a given integer k, we define Paths(P, k) to be the set of all executions s0l1s1l2 . . . lksk of OSP of length k. If flattened to traces, Paths(P, k) might contain traces of P of size less than k if τ ’s are present in the executions. In order to represent Paths(P, k) symbolically, we introduce (k + 1) vectors of n Boolean variables x0, x1 . . . xk and k vectors of m Boolean variables y1, y2 . . . yk. The vectors x0, x1, . . . , xk represent the states s0, s1, . . . , sk, respec- tively. Likewise, the vectors y1, y2, . . . , yk represent the labels of the corresponding transitions. Then dPaths(P, k)e(x0, x1 . . . xk, y1, y2 . . . yk) = dIPe(x0)∧ ∧k−1 i=0 dT Pe(xi, yi+1, xi+1). 4.2 Encoding a Concurrent System Since a high-level root process can be modelled as an LTS, we now show how to encode a concurrent system similarly to a low-level sequential process. A concurrent system is a set of processes running in parallel possibly using renaming and hiding. We denote by Sys(c) the interaction of c sequential processes P1, ..., Pc communicating over sets of events Σ1, ...., Σc, respectively. Let Σ = ∪ci=1Σi, m = dlog2 |Σ τ,X|e. Encoding the Sequential Processes. For i ∈{1, ..., c}, let OPi = 〈Si, si0, L i = Στ,Xi , T i〉 be the LTS representing the operational semantics of Pi. Since Σi ⊆ Σ, we actually consider Li = Στ,X. For each process Pi, let ni = dlog2 |S i|e. In order to represent Si and the transition relation T i, we introduce two copies of ni Boolean variables xi = (xi1, ..., x i ni ) and x i′ = (xi ′ 1 , ..., x i′ ni ). The construction of dT ie(xi, yi, xi′) and dIie(xi) follows the ideas from Section 4.1. As illustrated in Section 4.1, for each process Pi we introduce a vector of m Boolean variables yi = (yi1, ..., y i m) for encoding the set L i = Στ,X symbolically. Thus, each process has its own set of variables for representing the alphabet Στ,X. We introduce an additional vector of Boolean variables y = (y1, ..., ym) for encoding the resulting action of the entire system. Encoding States (Configurations) of the Overall System. Recall that a concurrent system consists of multiple sequential processes running in parallel. A state of the entire system, also called a configuration, is identified by the current states of its sequential components. For- mally, the set of states of the system is a c-ary relation S ⊆ S1 × ...×Sc, the initial state being s0 = (s10, ..., s c 0). Therefore, S can be represented symbolically using the Boolean variables from x1, ..., xc. If s = (s1, ..., sc) ∈ S, then dse(x1, ..., xc) = ∧c i=1(dsie(xi)). For clarity, we denote the set of states of the overall system by Configurations. Supercombinators and Formats. As we mentioned in Section 2.1.3, supercombinators are rules for combining together actions of the individual sequential processes into event-outcomes of the overall system [Ros98]. Within a supercombinator, each process can participate with a visible event, a silent action τ , or not be involved at all. We denote the non-involvement with the symbol ε . For any alphabet Σ, we let Σε = Σ∪{ε}. In addition, the set of supercombinators is partitioned into existing formats, i.e., different configurations of switched on and switched off processes among P1, . . . , Pc. We denote by SC the set of supercombinators and by Formats the set of formats of the concurrent system. Formally, the set of supercombinators can be represented as a (c + 3)-ary relation SC ⊆ Formats×Στ,X,ε1 ×...×Σ τ,X,ε c ×Στ,X×Formats, or more generally SC ⊆ Formats×(Στ,X,ε )c × Σ τ,X×Formats. ( fsrc, a1, ..., ac, a, fdest )∈ SC iff from a certain configuration and a certain format Proc. AVOCS 2009 8 / 15 ECEASST fsrc of the overall system, P1 performs a1, ..., Pc performs ac and the overall system performs a switching to a format fdest . The operational semantics of the concurrent system can be considered an implicit LTS, whose transitions can be switched on and off: • set of states – Formats×Configurations • set of labels – SC • transition relation – T ⊆ (Formats×Configurations)×SC×(Formats×Configurations). If the system is in a given configuration and in a given format, the individual processes transition relations determine if the labels are switched on or off. Formally, ( fi, (s1i , . . . , s c i )) ( fi,a1,...,ac,a, f j )→ ( f j, (s1j , . . . , s c j)) iff ( fi, a1, . . . , ac, a, f j) ∈ SC∧∀ck=1((ak 6= ε ⇒ (s k i , ak, s k j) ∈ T k)∧(ak == ε ⇒ ski = s k j)). Encoding Supercombinators. For a given supercombinator sc = ( fsrc, a1, ..., ac, a, fdest )∈ SC, let Passive(sc) = {i ∈{1,··· , c}|ai = ε , i.e. Pi is not involved in sc}. Let u = (u1, ..., uc) be a vector of (supercombinator-independent) Boolean variables. We denote: lit(ui) = { ui if Pi is not involved ¬ui if Pi performs a visible event or a τ Note that a process might be switched on in a format and still be passive in a certain super- combinator in this format. Hence, we cannot use the format to conclude which processes are passive in a supercombinator. Let f and f ′ be two vectors of dlog2|Formats|e variables for encoding the source and desti- nation format of a rule. Let sc = ( fsrc, a1, ..., ac, a, fdest ) ∈ SC. Then, dsce(y1, ..., yc, y, u, f , f ′) =∧ i /∈Passive(sc)(daie(yi)∧¬ui) ∧ ∧ i∈Passive(sc) ui ∧dae(y)∧d fsrce( f )∧d fdeste( f ′). Hence, in an encoding of a supercombinator, we indicate a passive process Pi just by affirming a single Boolean variable ui. We call ui a trigger. For non-passive processes, we also encode the event that the process performs. The encoding of all supercombinators in all formats now becomes the following: dSCe(y1, ..., yc, y, u, f , f ′) = ∨ sc∈SCdsce(y1, ..., yc, y, u, f , f ′). Encoding a Transition of the Concurrent System. Let for i ∈{1,··· , c}, ψi(xi, xi ′ , yi, ui) := if ui then (xi = xi ′) else dT ie(xi, yi, xi′), where xi = xi′ is the short for ∧ni j=1(x i j ⇔ x i′ j ). The intu- ition behind a ψi is that, if Pi does not participate in a transition of the entire system, i.e. Pi is not involved in a supercombinator, Pi remains in the same state within its own labelled transition system OPi. Otherwise, Pi progresses with respect to its transition relation T i. Expressed as a Boolean formula, ψi ≡ (ui ∧(xi = xi ′))∨(¬ui ∧dT ie(xi, yi, xi ′)). We define a predicate T Sys(c) which is true exactly for the transitions of the overall system: dT Sys(c)e(x1,··· , xc, x1′,··· , xc′, y1,··· , yc, y, u, f , f ′) = = ∧c i=1 ψi(xi, xi ′ , yi, ui)∧dSCe(y1,··· , yc, y, u, f , f ′) Encoding Fixed Length Executions of the Concurrent System. Within the BMC framework, let k be the maximal bound for the length of the counterexamples we are looking for. Then: 9 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving dPaths(Sys(c), k)e( // variables for P1 x10, . . . , x 1 k , y 1 1, . . . , y 1 k , u 1 1, . . . , u 1 k // variables for P2 x20, . . . , x 2 k , y 2 1, . . . , y 2 k , u 2 1, . . . , u 2 k . . . . . . // variables for Pc xc0, . . . , x c k, y c 1, . . . , y c k, u c 1, . . . , u c k // variables for the traces of the system y1, . . . , yk, // variables for the formats in the rules f0, . . . , fk) = // processes start from their initial states and the initial format is Format[0]∧c j=1dI je(x j 0) ∧dI fe( f0) ∧ // supercombinators as transitions at each of the k steps∧k i=1dSCe(y1i , . . . , y c i , yi, u 1 i , . . . , u c i , fi−1, fi) ∧ // the idea of the ψ formulas – either transitions or wait, depending on supercombinators∧ j=1,...,c i=1,...,k ((u ji ∧(x j i−1 = x j i ))∨(¬u j i ∧dT je(x ji−1, y j i , x j i ))) = dISys(c)e(x10, . . . , x c 0, f0)∧∧k i=1dT Sys(c)e(x1i−1, . . . , x c i−1, x 1 i , . . . , x c i , y 1 i , . . . , y c i , yi, u 1 i , . . . , u c i , fi−1, fi) 5 Implementation Details In the original version of BMC, the system is unwound step by step until the bound k is reached. Despite the recent advances in SAT-solvers’ learning capabilities and incremental SAT-solving, we have observed that the bottleneck of the bounded refinement procedure is the SAT-solver. Therefore, we allow unfolding a configurable number i of steps of the process Refinement before running the SAT-solver. The SAT-solver is then used to check if Refinement can pass through the sink state in any of its last i unwindings. If yes, we have found a counterexample, otherwise we continue iterating until reaching the configured bound k. We refer to the value of i as SAT- frequency. We believe that this multi-step approach works well because the SAT-solver typically finds it much easier to find a satisfying assignment, if there is any, than to prove unsatisfiability, given CNF formulas with comparable size and structure. We transform the Boolean formulae into equisatisfiable formulas in CNF using the Tseitin Encoding [BKWW08]. For brevity, we skip details about how we exploit the incremental SAT- interface. Currently, SymFDR supports MiniSAT (version 2.0), PicoSAT and ZChaff. For our test cases, we have found MiniSAT to be most efficient and all quoted results use MiniSAT. For our larger test cases, we also observed that MiniSAT finds a counterexample faster if we configure it to keep a smaller number of learned clauses and to restart more frequently. We also implemented adding unit learned clauses explicitly, as suggested in [ES03a]. Using positive polarity in decision heuristics also produced much better results. The current implementation of SymFDR supports refinement checking systems with a single format only. However, we do not anticipate any problems generalising the problem to a multi- format setting. Moreover, most practical cases are also single-format. In addition to the standard refinement check, SymFDR also supports the ”Zig-Zag” temporal induction algorithm [ES03b], which makes BMC complete. However, due to concurrency, the Proc. AVOCS 2009 10 / 15 ECEASST recurrence diameter is too big. Some other approaches that did not scale well include exploiting unary rather than binary encoding, restricting the decision variables to the input ones [Sht00], incorporating PicoSAT’s restarting scheme and phase saving strategy [Bie08] in MiniSAT, etc. 6 Experimental Results In this section, we investigate the performance of SymFDR on a small number of case studies. We compare it to the performance of FDR, FDR used in a non-standard way, PAT [SLD08], and, in some cases, direct SAT encodings, NuSMV [CCG+02] and Alloy Analyzer [Jac06]. All SAT-based experiments use MiniSAT although SymFDR and the direct SAT encoder build upon MiniSAT version 2.0, while Alloy and NuSMV exploit the earlier version 1.14. All tests were performed on a 2.6 GHz PC with 2 MB RAM running Linux, except the test marked with a ∗, which was performed on a 4-MB-RAM PC running Linux, and the tests with PAT, which were performed on a 1.67 GHz PC with 2 MB RAM running Windows. The results are summarised in Table 1, Table 2 and Table 3. The last column titled ] lists the length of counterexamples. FDR-Div. The main search strategy for FDR is BFS [Ros94] because this has the combined advantages of always finding a shortest counterexample and of enabling implementations that work comparatively well on virtual memory. However, the strategy for discovering divergences is based on DFS. In test cases where it is likely that there are a good number of counterexamples, but that all of them occur comparatively deep in the BFS, there is good reason to use a bounded DFS (BDFS) algorithm to search for them, so that only error states reachable in less than some fixed number N of steps are reached. BDFS will quickly get to the depth where counterexamples are expected without needing to enumerate all of the levels where they are not. Provided that the counterexamples have something like a uniform distribution through the order in which the DFS discovers them, we can expect one to be found after searching through approximately S/(C + 1) states, where S is the total number of states and C is the number of counterexamples. FDR does not implement such a strategy directly. It was, however, observed a number of years ago by Roscoe and James Heather that it is possible to use a trick that achieves the same effect using the present version of the tool. That is, arrange (perhaps using a watchdog) a system P′ that performs only up to N events of the target implementation process P and then performs an infinite number of some indicator event when a trace specification is breached. Provided P is itself divergence-free, we then have that P′\Σ can diverge precisely when P violates the specification. FDR searches for this divergence by DFS. This approach is particularly well suited to CSP codings of puzzles, since it is frequently known ab initio how long a counterexample will be, and the usual CSP coding uses the repeatable event done to indicate that the puzzle has been solved. The columns labelled FDR-Div in Table 1 and Table 2 report on the result of using this technique. In several ways this method is more similar to approach of PAT and SymFDR than the usual FDR approach. As is apparent from the experiments, there seems to be a large element of luck in how fast this approach is, possibly based on how close the path followed by the DFS is to a counterexample. PAT. PAT [SLD08] is a model checker of a version of CSP enhanced with shared variables. Despite the BMC attempt [SLDS08], PAT is at present a fully explicit checker. In addition to LTL model checking, PAT supports CSP refinement checking which it performs in a way similar 11 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving to FDR although using DFS (instead of BFS), normalisation of the specification on-the-fly and partial-order reductions. In the test cases quoted here, the specification is given as a reachability property on the values of the shared variables. The reachability algorithm is based on DFS and state hashing is applied for compact state-space representation. NuSMV. NuSMV [CCG+02] is a symbolic model checker verifying SMV against CTL prop- erties using BDDs. The BMC framework of NuSMV, which we refer to as NuSMV-BMC, uses specifications written in LTL. Alloy Analyzer. Alloy Analyzer [Jac06] is a fully-automatic tool for finding models of soft- ware systems designed in the lightweight Alloy modelling language. Alloy Analyzer could be considered a BMC checker due to its searching for a model only up to a certain scope and gen- erating the model, if existing, using SAT-solving techniques. Direct SAT Encodings. We believe that experimenting with direct SAT encodings of problems will offer guidance for optimising the translation of CSP to logic. For example, the chess knight test case suggests that a shorter chain of inference for high-level actions might be beneficial. Test Cases. First, we consider the peg solitaire puzzle [Ros98], performing experiments on a chain of soluble boards with increasing level of difficulty. In the initial configuration, the board has all slots but one occupied by pegs. The only allowed move in the game is a peg hopping over another peg and landing on an empty slot. The hopped over peg is then removed from the board. The objective of the game is ending up with a board with a single peg positioned on the slot which had been initially empty. The length of any solution of the puzzle is equal exactly to the number N of pegs on the initial board — a hop event for (N−1) pegs followed by an event done signifying a valid solution of the puzzle. The results are summarised in Table 1. The experiments indicate that for N ≥ 26 SymFDR clearly outperforms FDR. In cases where a counterexample does not exist, FDR’s BFS strategy outperforms the DFS-based tools PAT and SymFDR. Our second test case is the chess knight tour. A knight is placed at position (1, 1) on an empty chess board of size N ×N. The objective is covering all squares of the board by visiting each square exactly once. Similarly to peg solitaire, a solution is generated as a counterexample to a specification asserting that the event done is never communicated. The length of a possible solu- tion is N2 + 1. The results are presented in Table 2. For N = 5, FDR generates a counterexample faster, but for N = 6 already, SymFDR found a solution in approximately 13 minutes, while FDR crashed after an hour and a half of state-space exploration. The third test case — the classical puzzle of towers of Hanoi, aims primarily at comparing SymFDR with other SAT-based bounded checkers such as NuSMV and Alloy Analyzer. The results are summarised in Table 3. NuSMV-BMC and SymFDR seem to be competitive, both outperforming Alloy Analyzer. However, all non-SAT tools — FDR, PAT and NuSMV — are clearly orders of magnitudes more efficient than the SAT-based ones. We can conclude that SymFDR is likely to outperform FDR in large combinatorial problems for which a solution exists, the length of the longest solution is relatively short (growing at most polynomially) and is predictable in advance. In those cases, we can fix the SAT-frequency close to a sizeable divisor of this length and thus spare large SAT overhead. The search space of those problems can be characterised as very wide (with respect to BFS), but relatively shallow — with counterexamples with length up to approximately 50–60. We suspect that problems with multiple solutions also induce good SAT performance. The experiments with the towers of Hanoi suggest that SAT-solving techniques offer advantages up to a certain threshold and weaken afterwards. Proc. AVOCS 2009 12 / 15 ECEASST Table 1: Performance comparison – peg solitaire (] = N) N FDR Time (sec.) SAT ] ] states FDR FDR PAT SymFDR SymFDR freq. checked -Div SAT Total 20 41 703 0 0 6.14 6.92 10.23 10 20 10.82 14.06 20 23 411 976 5 0 2.16 11.21 16.72 12 23 6.62 12.33 23 26 4 048 216 72 0 7.23 27.73 35.16 13 26 15.39 24.66 26 29 28 249 254 581 1 89.93 54.29 65.39 15 29 39.33 49.61 29 32 > 139 000 000 > 11 700 5 8.91 175.05 189.20 16 32 187 000 000∗ 2 640∗ 172.56 186.61 32 35 — — 1 485 399 529.88 548.80 18 35 291.59 309.94 35 38 — — 43 1773.19 1 047.01 1 071.59 19 38 41 — — 4 198.77 1 584.62 1 617.09 41 41 Table 2: Performance comparison – chess knight tour (] = N2 + 1) N FDR Time (sec.) SAT ] ] states FDR FDR PAT Direct SymFDR SymFDR freq. checked -Div SAT SAT Total 5 508 451 3 0.147 0.28 8.5 6.26 8.81 13 26 13.47 16.46 26 6 > 120 000 000 > 4 800 18 9.75 125.3 777.41 785.67 19 37 7 — — — 6.41 1 138 30 515.6 30 544.5 50 50 7 Conclusions and Future Work In this paper we have demonstrated the feasibility of integrating a bounded refinement checker in FDR, and more specifically, exchanging the expensive explicit state-space traversal phase in FDR by a SAT check in SymFDR. On some test cases, such as complex combinatorial prob- lems, SymFDR’s performance is very encouraging, coping with problems that are beyond FDR’s capabilities. In general, though, FDR usually outperforms SymFDR, particularly when a coun- terexample does not exist. We plan to further investigate and try to gain insight about the classes of problems that are tackled more successfully within the BMC framework. We envision several directions for future work. We plan to extend the BMC framework in SymFDR to make it applicable to the stable fail- ures and failures-divergences models as well. This will involve extending the encoding of CSP processes with information about maximal refusals and divergences. 13 / 15 Volume 23 (2009) Faster FDR Counterexample Generation Using SAT-Solving Table 3: Performance comparison – Hanoi towers (] = 2N ) N Time (sec.) SAT ] FDR PAT NuSMV SymFDR Alloy NuSMV-BMC freq. 5 0.198 0.64 0.43 4.92 11.53 2.157 16 32 6 0.202 2.89 0.66 27.26 327.37 34.910 32 64 7 0.164 5.01 0.171 182.68 21 537.27 1 864.75 64 128 8 0.182 27.76 0.292 3 114.05 — 2 218.23 128 256 We intend to implement McMillan’s algorithm combining SAT and interpolation techniques to yield complete unbounded refinement checking [McM03]. This method has proven to be more efficient for positive BMC instances (instances with no counterexamples) than other SAT ap- proaches. The completeness threshold in this case is the reverse depth of the state-space which is smaller than its recurrence diameter, as is the case with temporal induction [ES03b]. Moreover, experimental results have shown that, in practice, the algorithm often converges substantially faster, for bounds considerably smaller than the reverse depth. In addition, the interpolation al- gorithm allows jumping multiple time frames at once and hence allows tuning the SAT-frequency. The BMC framework presented in this paper will be the foundation to build upon. Other avenues for further enhancing FDR’s performance include partial-order reductions [Pel98] and CEGAR [COYC03, CCO+05]. Acknowledgements: We are grateful to D. Kroening and J. Worrell for their comments and P. Armstrong for his help with FDR. The analysis using DFS refinement through divergence checking was inspired by a correspondence several years ago between A. W. Roscoe and J. Heather. The work presented in this paper is supported by grants from EPSRC and US ONR. Bibliography [BCCZ99] A. Biere, A. Cimatti, E. M. Clarke, Y. Zhu. Symbolic Model Checking without BDDs. In TACAS ’99: Proceedings of the 5th International Conference on Tools and Algorithms for Construction and Analysis of Systems. Pp. 193–207. Springer-Verlag, London, UK, 1999. [BCM+92] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, L. J. Hwang. Symbolic model check- ing: 1020 states and beyond. Inf. Comput. 98(2):142–170, 1992. [Bie08] A. Biere. PicoSAT Essentials. JSAT 4(2-4):75–97, 2008. [BKWW08] A. Biere, D. Kroening, G. Weissenbacher, C. Wintersteiger. Digitaltechnik. Springer, 2008. [CCG+02] A. Cimatti, E. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, A. Tacchella. NuSMV Version 2: An OpenSource Tool for Symbolic Model Checking. In Proc. International Conference on Computer-Aided Verification (CAV 2002). LNCS 2404. Springer, Copenhagen, Denmark, July 2002. [CCO+05] S. Chaki, E. M. Clarke, J. Ouaknine, N. Sharygina, N. Sinha. Concurrent software verifica- tion with states, events, and deadlocks. Formal Aspects of Computing 17(4), 2005. Proc. AVOCS 2009 14 / 15 ECEASST [CKOS05] E. Clarke, D. Kroening, J. Ouaknine, O. Strichman. Computational Challenges in Bounded Model Checking. Software Tools for Technology Transfer (STTT) 7(2):174–183, April 2005. [COYC03] S. Chaki, J. Ouaknine, K. Yorav, E. M. Clarke. Automated compositional abstraction refine- ment for concurrent C programs: A two-level approach. In Proc. SoftMC 03. 2003. [EB05] N. Een, A. Biere. Effective preprocessing in sat through variable and clause elimination. In In proc. SAT05, volume 3569 of LNCS. Pp. 61–75. Springer, 2005. [ES03a] N. Een, N. Sorensson. An Extensible SAT-solver. In SAT. 2003. [ES03b] N. Een, N. Sorensson. Temporal Induction by Incremental SAT-solving. In Proceedings of First International Workshop on Bounded Model Checking. ENTCS 4. 2003. [G+05] M. Goldsmith et al. Failures-Divergence Refinement. FDR2 User Manual. Formal Systems (Europe) Ltd., June 2005. doi:http://www.fsel.com/documentation/fdr2/fdr2manual.pdf [Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Communications of the ACM 21:666–677, 1985. [Jac06] D. Jackson. Software Abstractions: Logic, Language, and Analysis. The MIT Press, 2006. [McM93] K. L. McMillan. Symbolic Model Checking: An Approach to the State Explosion Problem. PhD thesis, CMU, 1993. [McM03] K. L. McMillan. Interpolation and SAT-Based Model Checking. In CAV. Pp. 1–13. 2003. [Pel98] D. Peled. Ten Years of Partial Order Reduction. In CAV ’98: Proc. 10th International Con- ference on Computer Aided Verification. Pp. 17–28. Springer-Verlag, London, UK, 1998. [PY96] A. Parashkevov, J. Yantchev. ARC - a tool for efficient refinement and equivalence checking for CSP. In IEEE 2nd International Conference on Algorithm and Architectures for Parallel Processing. 1996. [RGM+03] A. W. Roscoe, M. Goldsmith, N. Moffat, T. Whitworth, I. Zakiuddin. Watchdog transfor- mations for property-oriented model checking. In Proceedings of FME 2003. 2003. http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/91.pdf [Ros94] A. W. Roscoe. Model-checking CSP. Chapter 21. Prentice-Hall, 1994. http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/50.ps [Ros98] A. W. Roscoe. The theory and practice of concurrency. Prentice Hall, 1998. http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/68b.pdf [Ros08] A. W. Roscoe. Lecture notes for the course Advanced Concurrency Tools. Oxford University Computing Laboratory 2008. [RRS+01] A. W. Roscoe, P. Ryan, S. Schneider, M. Goldsmith, G. Lowe. The Modelling and Analysis of Security Protocols. Addison-Wesley, 2001. [Sht00] O. Shtrichman. Tuning SAT Checkers for Bounded Model Checking. In CAV ’00: Proceed- ings of the 12th International Conference on Computer Aided Verification. Pp. 480–494. Springer-Verlag, London, UK, 2000. [SLD08] J. Sun, Y. Liu, J. S. Dong. Model Checking CSP Revisited: Introducing a Process Analysis Toolkit. In ISoLA. Pp. 307–322. 2008. [SLDS08] J. Sun, Y. Liu, J. S. Dong, J. Sun. Bounded Model Checking of Compositional Processes. In Proceedings of the Second IEEE International Symposium on Theoretical Aspects of Soft- ware Engineering. Pp. 23–30. IEEE, 2008. 15 / 15 Volume 23 (2009) http://dx.doi.org/http://www.fsel.com/documentation/fdr2/fdr2manual.pdf http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/91.pdf http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/50.ps http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/68b.pdf Introduction Preliminaries CSP and FDR CSP Syntax Denotational Semantics Operational Semantics Refinement Checking Bounded Model Checking Performing Bounded Trace Refinement Preprocessing Phase Using FDR Watchdog Refinement Checking Algorithm Boolean Encoding of CSP Processes Encoding a Sequential Process Encoding a Concurrent System Implementation Details Experimental Results Conclusions and Future Work