Common use of Bounded Model Checking Clause in Contracts

Bounded Model Checking. The key idea of BMC is to exercise the behavior of a system only up to a certain depth of computations [BCCZ99, CBRZ01, CKOS05]. BMC has been established as a valuable bug-hunting framework for hardware and software [CKL04], motivated by the observation that bugs can often be found after few computation steps if only the right inputs are chosen. However, it has been observed that bounded model checking can also be applied for formal verification if the unrolling depth k of the transition relation is large enough. More precisely, the unrolling depth k has to match the completeness threshold c of the system, which can intuitively be described as follows: if no counterexample of length c or less is found, the specification holds for all (infinite) executions of the model. Hence, BMC with k ≥ c suffices for proving correctness of a system [BCCZ99, Thm. 27]. However, computing the completeness threshold is at least as hard as solving the model checking problem itself [CKOS04, KOS+11]. Consequently, BMC is often used for verification up to a certain bound, without giving an actual correctness guarantee for nonterminating executions of the system.
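The following is an added example, not part of the clause text or of the cited papers, that makes the distinction between bug hunting with a small k and verification with k ≥ c concrete. Real BMC tools unroll the transition relation k times into a SAT/SMT formula; this stand-in uses explicit-state breadth-first search over a constructed toy system (a 3-bit counter with a nondeterministic reset, an assumption chosen for this example) so that it runs offline. For invariant properties, the reachability diameter of the state graph is a completeness threshold [BCCZ99], and the example computes it by walking the whole reachable state space, which is exactly the cost the clause warns about.

```python
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Tuple

State = Hashable
Trans = Callable[[State], Iterable[State]]
Pred = Callable[[State], bool]


def _path_to(parent: Dict[State, Optional[State]], s: State) -> List[State]:
    """Rebuild the path from an initial state to s from BFS parent links."""
    path = [s]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    path.reverse()
    return path


def bmc(init: Iterable[State], trans: Trans, bad: Pred, k: int) -> Optional[List[State]]:
    """Bounded model check: look for an execution of at most k transitions
    that ends in a 'bad' state. Returns the shortest such counterexample,
    or None if no bad state is reachable within the bound.

    None means 'no bug up to depth k'. It is a correctness proof only when
    k is at least the completeness threshold of the system.
    """
    parent: Dict[State, Optional[State]] = {}
    queue: deque = deque()
    for s in init:
        if s not in parent:
            parent[s] = None
            queue.append((s, 0))
    while queue:
        s, depth = queue.popleft()
        if bad(s):
            return _path_to(parent, s)        # BFS guarantees depth <= k here
        if depth == k:
            continue                          # bound reached: do not unroll further
        for t in trans(s):
            if t not in parent:
                parent[t] = s
                queue.append((t, depth + 1))
    return None


def reachability_diameter(init: Iterable[State], trans: Trans) -> int:
    """Longest shortest path from an initial state to any reachable state.

    For invariant (safety) properties this is a completeness threshold:
    every reachable bad state has a witness of at most this many steps.
    Computing it explores the entire reachable state space, i.e. it is as
    expensive as an unbounded reachability check.
    """
    dist: Dict[State, int] = {}
    queue: deque = deque()
    for s in init:
        if s not in dist:
            dist[s] = 0
            queue.append(s)
    while queue:
        s = queue.popleft()
        for t in trans(s):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return max(dist.values())


def verify(init: Iterable[State], trans: Trans, bad: Pred) -> Tuple[bool, Optional[List[State]]]:
    """Complete check of an invariant: run BMC with k >= completeness threshold."""
    c = reachability_diameter(init, trans)
    cex = bmc(init, trans, bad, c)
    return cex is None, cex


# Constructed example system (not from the source text): a 3-bit counter that
# on every step either increments modulo 8 or is nondeterministically reset to 0.
COUNTER_INIT = [0]


def counter_trans(c: int) -> List[int]:
    return [(c + 1) % 8, 0]


def reaches_six(c: int) -> bool:
    return c == 6          # reachable, but only after 6 increments


def reaches_nine(c: int) -> bool:
    return c == 9          # never reachable: the counter stays within 0..7


if __name__ == "__main__":
    print(bmc(COUNTER_INIT, counter_trans, reaches_six, 5))    # None: bound too small
    print(bmc(COUNTER_INIT, counter_trans, reaches_six, 6))    # [0, 1, 2, 3, 4, 5, 6]
    print(reachability_diameter(COUNTER_INIT, counter_trans))  # 7
    print(verify(COUNTER_INIT, counter_trans, reaches_nine))   # (True, None)
```

With k = 5 the bug at counter value 6 is missed, which is the "verification up to a bound" situation: the answer is not a proof. With k = 6 the counterexample appears, and once k reaches the diameter (7 here) a None result from bmc is a genuine proof of the invariant, as verify shows for the unreachable value 9. The threshold used here is specific to invariants; for general temporal properties a larger bound is needed, and in either case obtaining it requires the full state-space exploration that BMC was meant to avoid.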

Appears in 1 contract

Sources: Grant Agreement
