SBMC: symmetric bounded model checking

This paper deals with system verification techniques based on Bounded Model Checking (BMC). We present a new approach that combines BMC with symmetry reduction techniques. Our goal is to reduce the number of transition sequences handled by the SAT solver used to solve the verification problem. We generate a reduced model by exploiting the symmetry of the original model; it contains only the transition sequences that represent the equivalence classes of symmetric transition sequences. We consider the construction of a new Boolean formula that manipulates only representative transition sequences. In our technique, combining symmetry reduction with BMC reduces both the space and the time required by model checking.


INTRODUCTION
The main challenge behind model checking is the state explosion problem. Kupferman et al (2000) describe how the classic methods are unable to check properties of large systems in a reasonable time. Historically, several methods have been developed to address this problem; one can, for example, change the data structure used to encode the system. Thus, in addition to automata, one can use OBDDs, as in Coudert et al (1990), Burch et al (1992) and de Alfaro et al (2000), or an encoding in terms of SAT clauses, as in McMillan (2003), while Bounded Model Checking techniques unroll the model for a fixed number of steps k, check whether a property violation can occur in k or fewer steps, and encode the restricted model as an instance of SAT. The process can be repeated until all possible violations have been ruled out. On the other hand, symmetry reduction methods exploit the symmetry of a system in order to verify its temporal properties efficiently. Model checking, as defined in Clarke et al (1999), is the most important technique for verifying systems. The use of BDDs and SAT in symbolic model checking, in McMillan (1993), has led to the success of this technique in the verification of many system designs. However, both explicit and BDD-based model checking suffer from the state space explosion problem. To address this, symmetry reduction techniques have been used in symbolic model checking: Emerson et al (1996); Clarke et al (1996, 1998); Jha (1996); Barner et al (2002); Emerson et al (2003). In a symmetric system, two states are considered equivalent if they have the same behavior.
Many works have applied symmetry-based reduction methods to model checking concurrent systems, e.g. Vardi (1996); Clarke et al (1993). This method has proved to be an effective technique in both explicit and symbolic model checking. It exploits the fact that many systems are composed of interchangeable components, so that it may be sufficient to consider a smaller version of the symmetric state space, called the reduced model. The basic idea behind symmetry reduction is to partition the state space into equivalence classes and to choose one or more representatives from each equivalence class during model checking. Previous studies have shown reductions in both memory and time consumption when exploiting symmetries in model checking. Symmetry reduction in explicit model checking reduces the state space of the initial model, as in Emerson et al (1996). Many works have considered the combination of symmetry reduction with BDD-based symbolic model checking, e.g. Clarke et al (1996); Barner et al (2002); Emerson et al (2003). They construct an orbit relation to generate the reduced model and choose a unique representative for each orbit. The computation of the orbit relation can be done in polynomial time for certain practical symmetric systems; however, it takes exponential time in general, Clarke et al (1998). Clarke et al (1996, 1998) have also proposed to allow several representatives for each orbit. On-the-fly representatives have also been proposed in Barner et al (2002), where at each iteration of the fixed point calculation, the states whose symmetric states were not encountered in the previous iterations are chosen as the representatives of their respective orbits. Thus, it is possible to have several representatives for each orbit.
Another way of exploiting symmetry is to translate the description of the symmetric system into a generic form, where the local state variables of the symmetric components are replaced by global counter variables, and then to translate the generic representation into the corresponding BDD, as in Emerson et al (2003). These translations require modifications to the front-end of the verification tool, which is done obviously. In this paper, we propose a method of symmetry reduction for Bounded Model Checking. First, we reduce the number of sequences of the checked model by adding clauses which inhibit the effect of the non-representative transitions of each equivalence class when generating the Boolean formula that represents the system; second, we develop an algorithm (Symmetric Bounded Model Checking) which makes it possible to check complex symmetric systems. In this work we combine the symmetry reduction technique with BMC. Our work consists in generating a Boolean formula that takes into account only the representative transition sequences, without constructing the reduced model. The model checking problem then amounts to deciding the satisfiability of this formula. The structure of this paper is as follows. Section 2 gives preliminary definitions. The principle of bounded model checking is detailed in Section 3. Section 4 presents the notions of representative states and transitions of a symmetric model, defined with a permutation function and equivalence classes. Our contribution, namely symmetric Bounded Model Checking, is detailed in Section 5, while Section 6 gives a proof of its correctness. An illustrative example is given in Section 7. Finally, Section 8 concludes and outlines future work.

Kripke structures
A Kripke structure is a type of finite state machine used to represent the behaviour of a system in model checking. It is a graph whose nodes represent the reachable states of the system and whose edges represent state transitions. A labelling function maps each node to the set of properties that hold in the corresponding state. We use transition systems to represent all the possible executions of a given system. Formally, a transition system is defined by a Kripke structure as follows.
Definition A Kripke structure constructed over a finite set of atomic propositions $AP = \{P_1, P_2, \ldots, P_n\}$ is defined by M = (S, I, R, L) where:
• S is a set of states,
• I ⊂ S is the set of initial states,
• $L : S \to 2^{AP}$ is the labelling function, which labels each state with the atomic propositions that are true in it,
• R ⊆ S × S is the transition relation.

LTL: Linear Temporal Logic
To specify properties, we use LTL (linear temporal logic), Pnueli (1977); Manna et al (1991). An LTL formula φ is defined over a set of atomic propositions AP and has the following syntax: 1. ψ ∈ AP is an LTL formula.
The operators are the next-time operator X, the until operator U, and its dual, the release operator R. Each formula defines a set of infinite words (models) over $2^{AP}$. Let $\pi \in (2^{AP})^\omega$ be an infinite word. We denote the suffix of a word $\pi = \sigma_0 \sigma_1 \sigma_2 \ldots$ by $\pi^i = \sigma_i \sigma_{i+1} \sigma_{i+2} \ldots$, where $\sigma_i \in 2^{AP}$, and $\pi_i$ denotes the prefix $\pi_i = \sigma_0 \sigma_1 \ldots \sigma_i$. When a formula ψ holds on a word π at time i, this is denoted $\pi^i \models \psi$. The set of infinite words defined by a formula ψ is $\{\pi \in (2^{AP})^\omega \mid \pi \models \psi\}$.

BOUNDED MODEL CHECKING (BMC)
The success of SAT solvers, described in McMillan (2002, 2003), in solving Boolean formulas has contributed to the appearance of BMC, in Biere et al (2001). Since a finite prefix of length k cannot decide the behavior of the path after the k-th state, witnesses are formed from paths with loops, since these paths have a finite length.
Let M be a Kripke structure and f an LTL formula; we adopt the following notations: In the BMC approach there are two semantics: one defined on paths with a loop and one defined on paths without a loop. The bounded semantics manipulate only prefixes of paths of bounded length k.
Definition (Bounded semantics for a path with a loop) Let k ≥ 0 and π be a k-loop. Then an LTL formula f is valid along π with bound k (denoted by $\pi \models_k f$) iff $\pi \models f$.
Definition (Bounded semantics for a path without a loop) Let k ≥ 0 and π be a path which is not a k-loop. If π is not a k-loop, then Gf is not valid along π in the bounded semantics with bound k, because f may not hold in the (k+1)-th state of π. This means that the duality between G and F does not hold in the bounded semantics.

REPRESENTATIVE STATES AND TRANSITIONS
In the symmetry approach, the automorphisms of the global model are exploited. Given a property φ specified in a temporal logic and a model, symmetry reduction methods consist of generating a model which considers only the representatives of the equivalence classes, called the quotient structure, and checking the formula φ on this model using traditional model checking algorithms.
In the rest of this paper, we define the symmetry group C induced by a Kripke structure M, introduce the notion of symmetric transition sequences and give the definition of their representatives. The following definitions are useful to introduce our method.
Definition [Rintanen (2003)] For a Kripke structure M = (S, I, R, L), a symmetry group C defined over M is a pair (σ, τ) such that:
• σ : S → S is a permutation function defined over S,
• τ : R → R is a permutation function defined over R.
In the following we define the notions of state sequences and transition sequences in a Kripke model M.
Definition Let M = (S, I, R, L) be a Kripke structure, and π and π' two finite state sequences in the model M such that: We say that π and π' are two symmetric state sequences if and only if: where σ is a permutation function over states.
Definition Let M = (S, I, R, L) be a Kripke structure, and π and π' two finite transition sequences in the model M such that: We say that π and π' are two symmetric transition sequences iff: where τ is a permutation function over transitions.
Definition A transition equivalence class of $t_i$, denoted by $Cl_i$, is the set of transitions that verifies: $\forall t \in Cl_i,\ t \in R$ and $t = \tau(t_i)$.
We note that each representative transition must share a state with the previous one.

Property 4.1 A representative transition, denoted by t, is a transition that represents its equivalence class and verifies
Remark For i = 1 the transition $t_1$ must start from an initial state: $t_1 = (s, s')$ with s ∈ I and s' ∈ S.
In the following we give some definitions that are used in the proof of the equivalence between the two Boolean formulas. We introduce the notions of representative path and non-representative path.
Definition Let M = (S, I, R, L) be a Kripke structure, and π a finite path in the model M such that: We say that π is a representative transition sequence, denoted by $\pi_{rep}$, if ∀i, 1 ≤ i ≤ k, $t_i$ is the representative of its equivalence class.
Definition Let M = (S, I, R, L) be a Kripke structure, and π a finite path in the model M such that: We say that π is a non-representative transition sequence, denoted by $\pi_{nrep}$, if ∃i, 1 ≤ i ≤ k, such that $t_i$ is not the representative of its equivalence class.
We define a Boolean function that tests whether a transition belongs to the set of representative transitions; it detects the non-representative transitions, and the sequences containing them are eliminated from the new Boolean formula F'. Formally:
Definition Let R be the transition relation. We define T as a function over R such that T(t) = 1 iff t is a representative transition.

Selecting the reduced model
In this section we present our algorithm Representative_Model, which solves two problems induced by the symmetry reduction technique: 1. the construction of the representative state and transition sets.

The different steps of our algorithm Representative_Model are as follows:
• Compute the transition equivalence classes of M. In this step, the symmetric transition sequences are obtained from their orbits (equivalence classes).
• With the condition i ≤ k, the number of transitions in a path is bounded by k. Thus, we are only interested in the equivalence classes that are reachable within k iterations.
• Select one representative transition from each class $Cl_i$. During this step the algorithm selects one representative transition of $Cl_i$ verifying Property 4.1.
• Compute R := R ∪ {t}. This step constructs the set R of representative transitions, each of which in turn represents the orbit of its class. R is initially empty.
This algorithm constructs a set of transitions that represents the model reduced by symmetry. This set is denoted by R. We use this set to generate the representative transition sequences: we generate a new Boolean formula which handles only representative transition sequences. It starts from the representative transitions leaving the initial states and, at each iteration, selects one representative transition t. Model checking with SAT instances speeds up the resolution process, due to the reduction in the number of transition sequences.

Transformation from BMC to SBMC
In this section we focus on the translation of the BMC problem into the SBMC problem. The initial system is then directly modeled by the new Boolean formula F', which does not handle all transition sequences but only the representatives of the symmetric transition sequences. This translation speeds up the search for counterexamples and scales better than the classic Bounded Model Checking approach. Given a Kripke structure M, an LTL formula f and a bound k, we construct a propositional formula F' that models only representative transition sequences. Let $\pi_{rep} = t_1 \ldots t_k$ be a finite representative transition sequence that forms a representative path. Each transition is represented by a binary encoding over a set of variables. The formula F' takes these transitions into account and searches for an assignment such that F' is satisfiable if and only if $\pi_{rep}$ is a valid sequence of the model M that satisfies f. This formula F' constructs a path, i.e. a sequence of states representing a sequence of transitions that are the representatives of their equivalence classes.
Finally this formula generates the representatives of all symmetric paths satisfying f. The construction of the paths starts from the initial states and is followed by the search for a valid sequence of representative transitions satisfying the LTL formula f to be checked. In this formula F', the state $s_0$ must be an initial state and each transition $(s_i, s_{i+1})$ must be in R and must be a representative transition (i.e. $T((s_i, s_{i+1})) = 1$).
In the following we prove that the resolution of the BMC problem can be replaced by our method when the system exhibits structural symmetry in its specification. We call this technique SBMC.
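As an added worked example (not code from the paper), the following Python script runs the steps of Representative_Model on a constructed two-process mutual exclusion model whose symmetry is the process swap σ, with τ(t) = (σ(s), σ(s')) on transitions, and then performs the bounded unrolling of this section twice: once over all transitions (plain BMC) and once keeping only transitions with T(t) = 1 (SBMC). The model, the group {id, swap} and the representative choice (the first transition met in each orbit whose source already lies on a representative path, so that it shares a state with the previous one) are our assumptions, not the paper's.

```python
# Added example (not the paper's code): Representative_Model plus the representative-only
# unrolling, on a constructed two-process mutex model (I = idle, T = trying, C = critical).
def successors(state, guarded):
    """One process moves per step: I->T, T->C (blocked if the other is in C when guarded), C->I."""
    out = []
    for i in range(2):
        loc, other = state[i], state[1 - i]
        if loc == "T" and guarded and other == "C":
            continue
        nxt = {"I": "T", "T": "C", "C": "I"}[loc]
        out.append(state[:i] + (nxt,) + state[i + 1:])
    return sorted(out)  # sorted so the choice of representatives is deterministic

def swap(s):  # sigma: the process-swap permutation on states
    return (s[1], s[0])

def orbit(t):  # Cl(t): the tau-images of transition t under the group {id, swap}
    return frozenset({t, (swap(t[0]), swap(t[1]))})

def representative_model(init, guarded, k):
    """One representative per orbit reachable within k steps. A class is represented by the
    first transition met whose source already lies on a representative path, so each
    representative shares a state with an earlier one (Property 4.1)."""
    reps, seen, frontier = set(), set(), sorted(init)
    for _ in range(k):
        nxt = set()
        for s in frontier:
            for s2 in successors(s, guarded):
                cls = orbit((s, s2))
                if cls in seen:
                    continue  # non-representative: a tau-image of a chosen transition
                seen.add(cls)
                reps.add((s, s2))  # R := R U {t}
                nxt.add(s2)
        frontier = sorted(nxt)
    return reps

def bounded_paths(init, guarded, k, T):
    """Transition sequences of length 1..k from init whose transitions all satisfy T(t):
    T = constant 1 is plain BMC, T = membership in the representative set is SBMC."""
    paths, stack = [], [(s, ()) for s in sorted(init)]
    while stack:
        s, trace = stack.pop()
        if trace:
            paths.append(trace)
        if len(trace) < k:
            stack += [(s2, trace + ((s, s2),)) for s2 in successors(s, guarded) if T((s, s2))]
    return paths

def violates_mutex(path):  # counterexample to the safety property G not(C and C)
    return any(s2 == ("C", "C") for _, s2 in path)

def check(guarded, k):
    """Compare the full unrolling with the representative-only unrolling of the same model."""
    init = {("I", "I")}
    reps = representative_model(init, guarded, k)
    full = bounded_paths(init, guarded, k, lambda t: True)
    reduced = bounded_paths(init, guarded, k, lambda t: t in reps)
    return {"representatives": len(reps), "full_paths": len(full), "reduced_paths": len(reduced),
            "full_cex": any(map(violates_mutex, full)), "reduced_cex": any(map(violates_mutex, reduced))}
```

With k = 4, the unguarded model has 30 transition sequences of which only 9 are representative, and both unrollings reach the (C, C) counterexample; the guarded model has 24 versus 8 and neither does.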

EQUIVALENCE BETWEEN FORMULAS
In the previous section we introduced a new technique called SBMC. This technique is based on BMC and exploits the symmetry of the problem to generate a new formula F' that handles only the transition sequences representing part of the initial model, i.e. the reduced model. The Boolean formula F' adds new clauses that inhibit the symmetric transitions of the initial model. In the following, we establish the equivalence relation between the two Boolean formulas F and F'.
Proposition 6.1 For a Kripke structure M = (S, I, R, L), the formula F generated from the initial model is equivalent to the formula F' that represents the reduced model:
In the sequel, we prove the equivalence between F and F' in two steps.
Proof Let M = (S, I, R, L) be a Kripke structure, f an LTL formula and k an integer such that k ≥ 0. Let us prove that F ⇔ F'. Since F ⇔ F' and (F ⇒ F') ∧ (F ⇐ F') are equivalent, we prove the validity of (F ⇒ F') ∧ (F ⇐ F') in two steps.
First, let us prove the first implication, namely F ⇒ F'.
We have:

By substituting the value of $[[M]]_k$ in the expression of F, we obtain: , and we have either: The demonstration of the implication F ⇒ F' is as follows. Replacing F and F' with their respective expressions, we obtain the following statement: , the previous expression is transformed as follows: , and, applying the previous statement, the latter is written as follows: Now, let us consider the following equivalence: We obtain the following statement: The transformations between these formulas are ensured by De Morgan's laws, as follows: Concerning the second part of the proof, F' ⇒ F: we have ∀π ∈ M, F'(π) ⇒ F(π), which means that if F'(π) is true, then F(π) is also true. In the initial model there are two kinds of paths, representative paths $\pi_{rep}$ and non-representative paths $\pi_{nrep}$; hence any path π ∈ {$\pi_{rep}$, $\pi_{nrep}$}.
• If π = $\pi_{rep}$ then F(π) = F'(π), because π is a representative transition sequence both in the initial model and in the model reduced by symmetry.

Proof
The result is trivial due to Theorem 6.3.

CONCLUSION
We have presented in this work a new method which combines the symmetry reduction technique with BMC. This approach represents model checking problems by a Boolean formula. This formula generates a set of representative transition sequences, formed by sequences of representative transitions representing their equivalence classes. Thus, the number of sequences handled during model checking is restricted to the representative transition sequences, which are far fewer than the total number of transition sequences in the initial model. Therefore, our approach speeds up the model checking process, since the non-representative transition sequences are not treated and a SAT solver is used to solve the problem, namely the search for a counterexample to the property to be checked. Thus, we can find a counterexample faster than the other techniques. On the one hand, our approach is characterized by the fact that it generates equivalence classes and chooses a representative of each class. On the other hand, our method generates a formula which models only representative transitions, without constructing the reduced model. The model checking problem is reduced to the satisfiability of the Boolean formula. As future work we plan to consider the following points:
• Extend our approach to timed systems.
• Determine the best bound k by exploiting symmetry.
• Exploit the symmetry of the clauses generated in the Boolean formula before they are solved by the SAT