Bounded model checking (BMC) verifies temporal properties by unrolling the transition relation of a system up to a fixed depth k and encoding the resulting verification problem as a Boolean satisfiability (SAT) or satisfiability modulo theories (SMT) formula. If the formula is satisfiable, a counterexample of length at most k exists; if unsatisfiable, the property holds for all executions of that length. BMC leverages the extraordinary power of modern SAT/SMT solvers, which can handle formulas with millions of variables, to find deep bugs that BDD-based symbolic model checking cannot reach due to state space explosion. While BMC is inherently incomplete (bounded depth), techniques like k-induction and interpolation-based abstraction extend it toward completeness.
Classical model checking, as introduced by Clarke and Emerson, computes the set of all reachable states and checks whether a temporal property holds throughout. The standard implementation uses BDDs (Binary Decision Diagrams) to represent state sets symbolically, avoiding explicit enumeration. While BDD-based methods are complete -- they give a definitive yes/no answer -- they often fail on large systems because BDD size can explode exponentially, with performance highly sensitive to variable ordering. Bounded model checking (BMC), introduced by Biere, Cimatti, Clarke, and Zhu in 1999, takes a fundamentally different approach: instead of computing all reachable states, it asks a bounded question -- does a counterexample of length at most k exist?
The BMC encoding is elegant. Create Boolean variables representing the system state at each time step 0 through k. Assert that step 0 satisfies the initial condition, each consecutive pair of steps satisfies the transition relation, and at least one step violates the property. The conjunction of these constraints is a propositional formula: if SAT, the satisfying assignment is a concrete counterexample trace; if UNSAT, no violation exists within k steps. The formula size grows linearly in k and in the size of the transition relation, making it feasible to unroll systems for hundreds or thousands of steps. Modern CDCL SAT solvers (MiniSat, CaDiCaL, Kissat) exploit the structure of these formulas through unit propagation, conflict-driven learning, and restarts, routinely handling millions of variables.
For software verification, BMC extends naturally to SMT (Satisfiability Modulo Theories). Instead of encoding everything as bare Boolean variables, the formula uses richer theories: linear integer arithmetic for loop counters, bitvector arithmetic for machine integers, arrays for memory, and uninterpreted functions for abstractions. SMT solvers like Z3, CVC5, and MathSAT integrate theory-specific solvers with the CDCL framework, handling the richer formulas that arise from software models. Tools like CBMC (C Bounded Model Checker) translate C programs directly into BMC formulas, unrolling loops up to a bound and encoding each statement's semantics as SMT constraints.
The main limitation of BMC is incompleteness: an UNSAT result at depth k only proves safety up to k steps, not for all executions. Two techniques address this. K-induction adds an induction step: if no counterexample exists in k steps from any state (not just initial states) and the property held for the previous k-1 steps, then the property holds universally. When k-induction succeeds, it provides a complete proof of unbounded safety. Craig interpolation extracts an overapproximation of the reachable states from BMC unsatisfiability proofs. The interpolant is implied by the first few transitions, inconsistent with property violations, and uses only state variables (not time-step indices). Iteratively computing interpolants and checking for a fixed point yields complete verification: if the overapproximation stabilizes without including any bad states, the property holds for all reachable states. McMillan's interpolation-based model checking (2003) combines the scalability of SAT solving with the completeness of reachability analysis, representing one of the most significant advances in practical verification.
BMC has had enormous practical impact. In hardware verification, it is the standard first-pass technique at Intel, AMD, and other semiconductor companies, finding bugs in processor designs that BDD-based methods miss due to state explosion. In software verification, CBMC and similar tools find buffer overflows, integer overflows, and assertion violations in C/C++ code. The HWMCC (Hardware Model Checking Competition) and SV-COMP (Software Verification Competition) benchmarks consistently show SAT/SMT-based techniques outperforming BDD-based methods on industrial instances. The success of BMC exemplifies a broader trend in formal methods: leveraging the remarkable empirical performance of SAT/SMT solvers to solve verification problems that are theoretically intractable (SAT is NP-complete) but structured enough to be tractable in practice.
No topics depend on this one yet.