
An Automata-Theoretic Dynamic Completeness

Criterion for Bounded Model-Checking

Rotem Oshman

Computer Science and Artificial Intelligence Laboratory

Massachusetts Institute of Technology

Abstract. Bounded model-checking is a technique for finding bugs in very large designs. Bounded model-checking by itself is incomplete: it can find bugs, but it cannot prove that a system satisfies a specification. A dynamic completeness criterion can allow bounded model-checking to prove properties. A dynamic completeness criterion typically searches for a “beginning” of a bug or bad behavior; if no such “beginning” can be found, we can conclude that no bug exists, and bounded model-checking can terminate. Dynamic completeness criteria have been suggested for several temporal logics, but most are tied to a specific bounded model-checking encoding, and the ones that are not are based on nondeterministic Büchi automata. In this paper we develop a theoretic framework for dynamic completeness criteria based on alternating Büchi automata. Our criterion generalizes and explains several existing dynamic completeness criteria, and is suitable for both linear-time and universal branching-time logic. We show that using alternating automata rather than nondeterministic automata can lead to much smaller completeness thresholds.

1 Introduction

Bounded model-checking (BMC) is a model-checking method that has gained popularity due to its ability to handle large industrial designs [4], [5]. Bounded model-checking is an iterative process in which one searches for a bug of increasing bounded length. In each iteration, one searches for a bug of size k, by constructing a Boolean formula which is satisfiable iff such a bug exists. A SAT solver is then used to determine whether or not the formula is satisfiable. If it is, then a bug has been found; otherwise, one increases the bound k and searches for a bug of greater size.

There are many BMC encodings for various fragments of linear-time logic and automata on words; e.g., [4] for LTL, [10] for PLTL, [11] for weak alternating Büchi automata. Many are based, directly or indirectly, on the idea of constructing a product automaton M × A for the model M in question and an automaton A which describes all the undesirable behaviors. Any accepting run of the product automaton M × A corresponds to a bad behavior of the model; thus, to check if the model contains a bug, we can search for an accepting run of the product automaton. Using automata as specification mechanisms can lead to simple and generic encodings. Even encodings based on temporal logic (e.g., [10] and [12]) can often be viewed as simulating the run of the product automaton, although they do not construct it directly.

N.D. Jones and M. Müller-Olm (Eds.): VMCAI 2009, LNCS 5403, pp. 275–289, 2009.

© Springer-Verlag Berlin Heidelberg 2009


Bounded model-checking is typically a semi-decision procedure: it is able to find bugs, but not to prove the correctness of properties. A completeness threshold is an upper bound on the size of k, such that if no bug has been found when the bound reaches k, then no bug exists. Thus, if a completeness threshold for the property and model in question is known, bounded model-checking can halt if the completeness threshold is reached and no bug was found, and conclude that the model satisfies the property.

Completeness thresholds can be broadly divided into two classes, although

the division is not clear-cut. Static completeness thresholds ([5], [6]) attempt to

over-approximate the size of the “longest shortest bug” the system can contain.

For example, if a model does not satisfy an invariant p, then there exists a

shortest path from an initial state of the model to a state that does not satisfy

p. A static completeness threshold for invariant properties is therefore given by

the length of the longest shortest path in the model (the diameter).

In contrast, dynamic completeness thresholds are based on a dynamic completeness criterion, which attempts to determine whether the current bound is already large enough to allow full exploration of the relevant part of the model. Dynamic completeness criteria typically check for the existence of a “beginning” of a counter-example (or bug). If such a beginning of size k cannot be found, then there cannot exist a counter-example of size greater than k, and there is no need to increase the bound. For example, the LTL property ϕ = pUq describes a path in which q holds at some point, and until that point, p holds. Suppose ϕ describes the bad behaviors of a system. A dynamic completeness criterion for ϕ might check if there exists a simple (loop-free) path of length k, such that all states along the path are labeled with p. Such a path represents a “beginning” of a witness for ϕ. If we cannot find a witness of length k for ϕ, and we cannot find a simple path of length k as described above, then there cannot exist a witness of length greater than k for ϕ. Therefore, in this case bounded model-checking can terminate and conclude that the system contains no path that satisfies ϕ.
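The pUq criterion just described, as an added example that is not part of the paper: a BMC-style loop over a small constructed Kripke structure in which explicit path enumeration stands in for the SAT query of a real encoding, and the "beginning" check (a simple all-p path of length k) decides when the loop may stop. The models, state names and function names are all constructed for this illustration.

```python
# Added example (not from the paper). A model is a tuple (S, s0, R, L) with
# R a set of edges and L a dict from state to its set of atomic propositions.

def paths_of_length(model, k):
    """All paths s0 s1 ... sk of the model (k edges) starting at the initial state.
    Explicit enumeration stands in for the SAT query of a real BMC encoding."""
    _, s0, R, _ = model
    frontier = [[s0]]
    for _ in range(k):
        frontier = [path + [t] for path in frontier for (s, t) in R if s == path[-1]]
    return frontier

def witness_exists(model, k):
    """Bounded witness for p U q: q holds at position k and p at every earlier position."""
    L = model[3]
    return any("q" in L[path[k]] and all("p" in L[s] for s in path[:k])
               for path in paths_of_length(model, k))

def beginning_exists(model, k):
    """Dynamic completeness criterion: a simple (loop-free) path of length k
    whose states all satisfy p, i.e. a 'beginning' any longer witness must extend."""
    L = model[3]
    return any(len(set(path)) == len(path) and all("p" in L[s] for s in path)
               for path in paths_of_length(model, k))

def bmc_p_until_q(model, max_bound=50):
    """Iterative BMC loop. Returns ('bug', k) when a witness of length k is found,
    ('safe', k) when no witness of length <= k exists and no beginning of length k
    exists (so no longer witness can exist either), else ('unknown', max_bound)."""
    for k in range(max_bound + 1):
        if witness_exists(model, k):
            return ("bug", k)
        if not beginning_exists(model, k):
            return ("safe", k)
    return ("unknown", max_bound)

# Constructed model: states 0..3, initial state 0; 1 and 2 form a p-labeled loop,
# 3 is a sink without p. q never holds, so no p U q witness exists; the criterion
# stops the search at k = 3, the first bound with no simple all-p path.
S = {0, 1, 2, 3}
R = {(0, 1), (1, 2), (2, 1), (2, 3), (3, 3)}
SAFE_MODEL = (S, 0, R, {0: {"p"}, 1: {"p"}, 2: {"p"}, 3: set()})
# Same graph with the sink labeled q: the path 0 1 2 3 is a witness of length 3.
BUGGY_MODEL = (S, 0, R, {0: {"p"}, 1: {"p"}, 2: {"p"}, 3: {"q"}})

if __name__ == "__main__":
    print(bmc_p_until_q(SAFE_MODEL))   # ('safe', 3)
    print(bmc_p_until_q(BUGGY_MODEL))  # ('bug', 3)
```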

The effectiveness of dynamic completeness criteria has been shown in experimental results ([10], [22], [24]). However, designing completeness criteria that are both sound and effective can be challenging. For instance, the completeness criterion in [22] contains a subtle flaw: a constraint introduced to cause earlier termination and increase the effectiveness of the criterion causes the criterion to be unsound. For details, see [17]. In addition, existing completeness criteria are often custom-designed to fit one particular encoding. For example, the dynamic completeness criteria of [22], [18] and [24] are all based on ideas similar to the ones on which the current paper is based, but they each develop the completeness criterion anew to fit the particular encoding.

In this work we present an automata-theoretic dynamic completeness criterion for alternating Büchi automata. Our criterion generalizes several existing completeness criteria by formalizing the notion of a “beginning” of an accepting computation. The criterion we suggest is independent of a particular encoding; in addition to serving as a theoretical framework for existing completeness criteria, it can be instantiated to fit automata-based BMC encodings for which there is currently no dynamic completeness criterion, such as [11].


To our knowledge, the criterion we suggest is the first completeness criterion that can handle alternating automata. The choice of alternating Büchi automata as a specification mechanism is motivated by two factors. First, alternating Büchi automata are powerful enough to express all ω-regular properties. [11] developed an encoding for weak alternating Büchi automata, and showed that the increased expression power did not carry significant performance penalties.

The second factor is the succinctness of alternating automata. It is well-known that an alternating automaton can be exponentially smaller than any equivalent nondeterministic automaton [20]. In this paper we show another compelling reason to use alternating automata as a specification mechanism: they can have much smaller completeness thresholds than the corresponding nondeterministic automata. This result is related to, but does not follow directly from, the exponential gap in the number of states.

In addition to linear-time logic, several BMC encodings and accompanying completeness criteria have been suggested for universal branching-time logic ([19], [23], [22], [18]). Our completeness criterion is based on automata on infinite words, which express linear-time properties. However, the criterion is also applicable to universal automata on infinite trees, which express universal branching-time properties. This is because our criterion is based on the product of the model and the automaton. The product of a model and an alternating automaton on infinite trees is an alternating automaton on infinite words [14]; thus, our dynamic completeness criterion, which is based on alternating automata on infinite words, is applicable to branching-time logic as well. Note, however, that in a branching-time setting, a Büchi acceptance condition is not expressive enough to express all ω-regular tree properties. Our criterion can therefore only handle the alternation-free fragment of universal μ-calculus.

The rest of the paper is organized as follows. In Section 3 we review the automata-theoretic approach to linear-time logic and define notation and terminology. In Section 4 we present the dynamic completeness criterion and the resulting completeness threshold. We show that the criterion is sound, and characterize its completeness. In Section 5 we show that there is an exponential ratio between the completeness thresholds of alternating and nondeterministic automata. We conclude in Section 6.

2 Related Work

In the original work on BMC ([4], [5]), the diameter of the model is suggested as a completeness threshold for formulas of the form EFp (“p is reachable”). [5] also shows a pessimistic completeness threshold of |M| × 2^|ϕ| for general LTL formulas ϕ. In [6], tighter completeness thresholds are shown for various classes of temporal properties, among them the class of all ω-regular properties, based on automata-theoretic methods. The completeness threshold suggested in [6] for general ω-regular properties is an over-approximation of the length of the shortest lasso-shaped accepting run of the product automaton. Our own work is based on similar ideas; however, the automata we consider are alternating, while [6] bases its threshold on nondeterministic automata. As we show in Section 5, using nondeterministic automata as a specification mechanism can increase the completeness threshold significantly. In addition, the completeness threshold of [6] does not take the form of a dynamic completeness criterion which is evaluated at different bounds to determine whether or not the completeness threshold has been reached. In [2], the authors apply similar ideas to [6], this time in a form closer to a dynamic completeness criterion: to check whether the completeness threshold has been reached, one can check the satisfiability of several Boolean formulas, which roughly speaking describe the existence of loop-free fragments of an accepting run in the product automaton. Unlike our own work, the completeness criteria of [2] check for the existence of both a “beginning” and an “ending” of an accepting run (forward and backward traversal). However, [2] is still restricted to nondeterministic automata. In [3], the authors of [2] extend their termination criterion to generalized nondeterministic Büchi automata, in which the acceptance criterion can consist of several accepting sets, and show that using generalized automata can lead to smaller completeness thresholds. The completeness threshold we suggest in this paper is easily extended to generalized Büchi automata.

In [10], an incremental encoding is presented for PLTL, along with a dynamic

completeness criterion based on the idea of searching for a “beginning” of a

witness. In an incremental scheme, the encoding is composed of two parts –

a k-invariant part, containing constraints that are retained when the bound

is increased, and a k-dependent part containing constraints that are discarded

when the bound is increased. The formula used in [10] to determine whether

the completeness threshold has been reached is obtained from the formula used

to search for a witness by removing the k-dependent constraints and adding a

simple-path constraint. Removing the k-dependent constraints has the effect of

dropping eventuality requirements (e.g., when searching for a witness for Fp, the

requirement that p be satisfied at some point along the path is a k-dependent

constraint). The completeness formula of [10] is highly specific to the incremental

scheme and the particular encoding used in [10]. Our completeness criterion can

be extended to handle temporal logic with past operators by extending it to

two-way automata on words [21].

Several bounded model-checking encodings have been suggested for universal branching-time temporal logic [18], [19], [22], [23]. [22] and [18] show accompanying dynamic completeness criteria for their respective encodings, and a dynamic completeness criterion for the encoding of [19] is presented in [24]. The criteria of [22], [18] and [24] are again highly encoding-specific, and all use a similar idea of searching for a “beginning” of a witness.

A related SAT-based technique which can prove properties is temporal induction [7], which can prove invariants. General safety and liveness properties can be transformed into invariants, but such translations increase the size of the model and may increase the depth necessary for bounded model-checking.

Our work is also closely related to [8], which discusses extensions of LTL

that can be used to reason about truncated paths. Our notion of a partial run

corresponds to the weak semantics of LTL for truncated paths described in [8],

and can be taken as an automata-theoretic formulation of the weak semantics.

We are interested in investigating this connection.


3 Preliminaries

Given a set X, we denote by B+(X) the set of positive Boolean formulas obtained by applying the connectives ∧ (conjunction) and ∨ (disjunction) to elements of X, as well as the formulas true and false. We say that a subset Y ⊆ X satisfies a formula α ∈ B+(X), and denote Y |= α, if the assignment v_Y, defined by v_Y(x) = 1 if x ∈ Y and v_Y(x) = 0 if x ∉ Y, satisfies the formula α.

An alternating Büchi automaton on infinite words is a tuple A = (Σ, Q, q0, δ, F), where Σ is the automaton’s alphabet, Q is the set of automaton states, q0 ∈ Q is the initial state of the automaton, δ : Q × Σ → B+(Q) is a transition relation, and F ⊆ Q is the set of accepting (or fair) states. A nondeterministic automaton is an alternating automaton which has only disjunctions in all its transitions. We use Σ^ω to denote the set of infinite words over the alphabet Σ, and we use x^ω to denote the infinite word obtained by iterating the finite word x infinitely often.

To model the runs of A we use Q-trees. A Q-tree is a pair t = (N, ℓ), where N ⊆ ℕ* is a prefix-closed set of tree nodes, and ℓ : N → Q labels each node of the tree with an automaton state. The root of the tree is the empty word ε, and given a node n ∈ N, the set of children of n in the tree is given by children(n) = {n′ ∈ N | n′ = n · i for some i ∈ ℕ}. We denote by |n| the length of the finite word n, and for an infinite word n we denote |n| = ω. For a tree node n, the length |n| is also the distance of n from the root of the tree (ε). A branch of the tree is a maximal sequence n0 n1 n2 ... (which can be either finite or infinite), such that n0 = ε, and for all i ≥ 0, n_{i+1} ∈ children(n_i). If t = (N, ℓ) is a finite tree, the front of t is defined by front(t) = {n ∈ N | children(n) = ∅}, and the height of t is the length of the longest branch in t. Note that we measure height by the number of edges, not the number of nodes.

A run (or run-tree) of an automaton A on an infinite word w = w0 w1 w2 ... ∈ Σ^ω is a Q-tree r = (N, ℓ), such that for all n ∈ N, children(n) |= δ(ℓ(n), w_{|n|}). We say that a run r is accepting if for every branch n0 n1 n2 ... of r, some accepting state q ∈ F appears infinitely often on the branch (that is, ℓ(n_i) = q for infinitely many values of i). If A has some accepting run on a word w, we say that A accepts w. The language of A, denoted L(A), is the set of words w ∈ Σ^ω such that A accepts w. Note that runs can be finite or infinite trees, and even in an infinite run there can be finite branches. However, finite branches must always end in a node n such that δ(ℓ(n), w_{|n|}) = true.
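The definitions of B+(X), Y |= α and the run-tree condition, as an added example that is not part of the paper: positive Boolean formulas are nested tuples, a constructed alternating Büchi automaton over Σ = 2^{p,q} has a conjunctive transition from its initial state, and a finite Q-tree is checked against the condition children(n) |= δ(ℓ(n), w_{|n|}) on a finite prefix of the word (nodes at the prefix's depth are treated as the front). The automaton, its state names and the helper functions are constructed for this illustration.

```python
# Added example (not from the paper). Formulas in B+(X) are 'true', 'false',
# an element of X, or a tuple ('and' | 'or', f1, f2).
TRUE, FALSE = "true", "false"

def satisfies(Y, alpha):
    """Y |= alpha under the assignment v_Y: 1 on elements of Y, 0 elsewhere."""
    if alpha == TRUE:
        return True
    if alpha == FALSE:
        return False
    if isinstance(alpha, tuple):
        op, left, right = alpha
        if op not in ("and", "or"):
            raise ValueError(op)
        l, r = satisfies(Y, left), satisfies(Y, right)
        return (l and r) if op == "and" else (l or r)
    return alpha in Y

# Constructed automaton for "p always holds and q eventually holds": qG re-spawns
# itself while p holds, qF waits for q and closes its branch with true once q is
# read. Only qG is accepting, so a branch stuck in qF forever is rejected.
Q0, F = "q0", {"qG"}

def delta(state, letter):
    if state == "qG":
        return "qG" if "p" in letter else FALSE
    if state == "qF":
        return TRUE if "q" in letter else "qF"
    return ("and", delta("qG", letter), delta("qF", letter))   # q0: both at once

def is_run_prefix(tree, word):
    """tree: dict mapping nodes (tuples of ints, root ()) to states; word: list of
    letters (sets of propositions). Checks prefix-closure and, for every node n
    with |n| < len(word), children(n) |= delta(l(n), w_|n|) on the child labels."""
    if tree.get(()) != Q0:
        return False
    for n, state in tree.items():
        if n and n[:-1] not in tree:
            return False                       # not prefix-closed
        if len(n) >= len(word):
            continue                           # front node: nothing read yet
        children = {tree[c] for c in tree if len(c) == len(n) + 1 and c[:-1] == n}
        if not satisfies(children, delta(state, word[len(n)])):
            return False
    return True

WORD = [{"p"}, {"p", "q"}]                                     # constructed prefix
GOOD_TREE = {(): "q0", (0,): "qG", (1,): "qF", (0, 0): "qG"}   # qF closes via true
BAD_TREE = {(): "q0", (0,): "qG"}                              # drops the qF branch
```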

To model programs, we use Kripke structures. Given a set AP of atomic propositions, a Kripke structure (or model) over AP is a tuple M = (S, s0, R, L), where S is the state-space of the model, s0 ∈ S is the initial state, R ⊆ S × S is a transition relation, and L : S → 2^AP is a labeling function which assigns to each model state a set of atomic propositions from AP. A path of M is a maximal sequence π = s0 s1 s2 ... starting at s0, such that for all i ≥ 0, (s_i, s_{i+1}) ∈ R. The labeling of a path π = s0 s1 s2 ... is the word L(π) = L(s0) L(s1) L(s2) ....

Two parameters are often used to measure the complexity of a Kripke structure. The diameter d_M of a structure M is the length of the longest shortest path in M. The recurrence diameter r_M is the length of the longest loop-free path in M. The diameter of a model is no greater than its recurrence diameter,
