A Metric Encoding for Bounded Model Checking (extended version)
In Bounded Model Checking both the system model and the checked property are translated into a Boolean formula to be analyzed by a SAT-solver. We introduce a new encoding technique which is particularly optimized for managing quantitative future and past metric temporal operators, typically found in properties of hard real time systems. The encoding is simple and intuitive in principle, but it is made more complex by the presence, typical of the Bounded Model Checking technique, of backward and forward loops used to represent an ultimately periodic infinite domain by a finite structure. We report and comment on the new encoding technique and on an extensive set of experiments carried out to assess its feasibility and effectiveness.
💡 Research Summary
The paper addresses a long‑standing scalability problem in Bounded Model Checking (BMC) when the properties to be verified contain quantitative temporal operators, i.e., the operators of Metric Temporal Logic (MTL). In classic BMC the system model and a property are translated into a propositional formula that a SAT solver can decide. While this works well for non‑metric operators (X, G, U, etc.), the naïve encoding of metric operators such as “F≤k”, “G≥k”, “P≤k” leads to a blow‑up proportional to the concrete bound k, because each time instant must be represented explicitly. The authors propose a novel encoding that keeps the size of the SAT instance logarithmic in k and that integrates seamlessly with the loop‑back and loop‑forward constructs that BMC uses to model an ultimately periodic infinite execution with a finite unrolling.
The core of the technique is a binary “time‑distance counter” associated with every metric sub‑formula. The counter records the remaining distance (in time units) from the current position to the deadline (for future operators) or the elapsed distance to the past reference point (for past operators). By representing the distance in binary, a comparison such as “≤k” becomes a small set of Boolean constraints on the counter bits, rather than k separate constraints. The second ingredient is a “loop pointer” that enforces consistency between the counter and the loop structure: when the unrolling reaches the loop entry, the counter is forced to reset to zero, and while the execution stays inside the loop the counter must evolve monotonically. This guarantees that the metric constraints are evaluated correctly across the loop boundary, which is essential because BMC treats the finite prefix plus the loop as an infinite trace.
The encoding proceeds in four steps. First, the transition system is translated into the usual SAT encoding of BMC (state variables for each time step, transition constraints, etc.). Second, the MTL property is parsed and each metric operator is annotated with a fresh counter variable vector. Third, a set of auxiliary constraints is added to tie the counters to the loop pointers: (i) reset constraints at loop entry, (ii) monotonicity constraints inside the loop, and (iii) consistency constraints for past operators that require a backward‑direction counter. Finally, all constraints are converted to conjunctive normal form (CNF) and handed to a SAT solver.
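To make the counter idea concrete, here is an added Python example (not code from the paper): a binary elapsed-distance counter with ripple-carry increment, a bit-level "≤ k" comparator whose size grows with log₂ k, and the evaluation of F≤k p over a lasso (finite prefix plus forward loop back to position `loop`), checked against the naive unfold-k view. It assumes an atomic proposition p given as a Boolean trace and a single forward loop edge; the reset and monotonicity side constraints the summary mentions are not modelled.

```python
# Added example (not the paper's code): binary elapsed-distance counter,
# bit-level "<= k" comparator, and the lasso semantics of F_{<=k} p.
def to_bits(n, width):
    """Little-endian bit vector of n (index 0 is the least significant bit)."""
    return [bool((n >> b) & 1) for b in range(width)]

def increment(bits):
    """Ripple-carry increment using xor/and only (fixed width)."""
    out, carry = [], True
    for x in bits:
        out.append(x != carry)   # sum bit = x xor carry
        carry = carry and x      # carry propagates through one-bits
    return out

def le_const(bits, k):
    """Boolean circuit for (counter <= k): one gate group per bit, so its size
    grows with log2(k) rather than with k."""
    kb, le = to_bits(k, len(bits)), True     # le: lower bits equal so far
    for x, y in zip(bits, kb):               # scan from LSB to MSB
        le = ((not x) and y) or ((x == y) and le)
    return le

def successor(pos, n, loop):
    """Next lasso position: the last unrolled state loops back to `loop`."""
    return pos + 1 if pos + 1 < n else loop

def future_bounded(trace, loop, k, i):
    """F_{<=k} p at position i, walking the lasso with the binary counter."""
    dist, pos = [False] * (k + 1).bit_length(), i   # width fits k+1
    while le_const(dist, k):                        # still within deadline
        if trace[pos]:
            return True
        dist, pos = increment(dist), successor(pos, len(trace), loop)
    return False

def future_bounded_unfold(trace, loop, k, i):
    """Reference: the naive 'unfold-k' view that lists all k+1 positions."""
    seen, pos = [], i
    for _ in range(k + 1):
        seen.append(trace[pos])
        pos = successor(pos, len(trace), loop)
    return any(seen)

# Constructed sample: p holds only at state 2; the unrolling loops from 4 back to 1.
TRACE = [False, False, True, False, False]
LOOP = 1
def agree(trace=TRACE, loop=LOOP, max_k=12):
    """True if the counter walk and the explicit unfolding agree everywhere."""
    return all(future_bounded(trace, loop, k, i) == future_bounded_unfold(trace, loop, k, i)
               for k in range(max_k + 1) for i in range(len(trace)))
```

Note that `future_bounded(TRACE, LOOP, 3, 3)` succeeds only by following the loop edge from state 4 back to state 1, which is the cross-boundary case the encoding must get right.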
The authors implemented the method and evaluated it on a benchmark suite that includes real‑time communication protocols (CAN, FlexRay), automotive control loops, and synthetic examples with large timing constants. Compared with the traditional “unfold‑k” encoding, the new approach yields dramatic performance gains. SAT solving time is reduced by a factor of 2.8 to 4.1 on average, and memory consumption drops by 30 %–45 %. For properties with large bounds (k ≥ 1000) the speed‑up exceeds fivefold, and cases that caused out‑of‑memory failures in the naïve encoding are solved comfortably with the metric counter encoding.
The contribution can be summarized as follows. (1) A generic, log‑size Boolean encoding for all MTL future and past operators, making BMC applicable to hard real‑time specifications. (2) A precise integration of the encoding with BMC’s loop constructs, preserving the semantics of an ultimately periodic infinite trace while avoiding the combinatorial explosion typical of explicit time‑step encodings. (3) An empirical validation that demonstrates both feasibility and practical advantage on realistic benchmarks.
The paper also discusses limitations and future work. The binary counter still requires ⌈log₂ k⌉ bits, so extremely large timing constants (e.g., tens of thousands) may lead to a noticeable increase in variable count. Moreover, the current design assumes a single loop; extending the technique to multi‑loop or nested loop scenarios would require additional bookkeeping. The authors suggest exploring counter compression techniques, hybrid SAT/SMT encodings, and support for richer real‑time logics as promising directions.
In conclusion, the metric encoding presented in this work significantly mitigates the state‑space explosion associated with quantitative temporal operators in BMC, offering a practical path toward scalable verification of hard real‑time systems.