Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAT-based verification in brief Mary Sheeran, Chalmers.

Published byPrimrose Norris Modified over 7 years ago

Similar presentations

Presentation on theme: "SAT-based verification in brief Mary Sheeran, Chalmers."— Presentation transcript:

1 SAT-based verification in brief Mary Sheeran, Chalmers

2 SAT-based verification now hot Used here in Sweden since 1989 mostly in safety critical applications (railway control program verification) Bounded Model Checking a sensation in 1998 SAT-based safety property verification in Lava since 1997 Basic complete induction method described here invented by Stålmarck during a talk on inductive proofs of circuits by Koen Claessen

3 Bounded Model Checking (BMC) Look for bugs up to a certain length Proposed for use with SAT Used successfully in large companies, most often for safety properties (Motorola, Intel, Compaq, IBM) Can be extended to give proofs and not just bug- finding in the particular case of safety properties. (Stålmarck et al discovered this independently of the BMC people.)

4 and or dreq q0 dack 0 0

5 View circuit as transition system (dreq, q0, dack)  (dreq’, q0’, dack’) q0’ = dreq & dack’ = dreq & (q0 + (  q0 & dack))

6 000 100 110 111 001 101 010 011

7 Initial states 000 100 110 111 001 101 010 011

8 Representing transition relation as formula I(dreq,q0,dack) =  q0 &  dack s = (dreq,q0,dack) T(dreq,q0,dack,dreq’,q0’,dack’) = q0’ dreq & dack’ dreq & (q0 + (  q0 & dack))

9 Composing transitions into paths path([s0..si]) = T(s0,s1) & T(s1,s2) &... & T(s(i-1),si)

10 Representing the bad states Similar to use of formula for initial states B(dreq,q0,dack) = dreq &  q0 & dack

11 Transition system usually from circuit and observer F Prop ok

12 B(x,y,...,ok,x’,y’,...,ok’) =  ok’ Here, viewing ok as part of the state. Can also treat it specially as the only output. No major difference.

13 IB i I(s 0 ) and path([s 0..s i ]) and B(s i ) Satisfying a formula

14 IB I B IB IB

15 If system is bad Finds a shortest countermodel Error trace for debugging

16 But when can we stop? I when contradictory? i

17 Not quite, but I when contradictory loop-free i

18 And symmetrically when contradictory loop-free B

19 Extra formulas for loop-free loop-free([s0,s1,..., si]) = s0 ≠ s1 & s0 ≠ s2 &.... s(i-1) ≠ si size??

20 States are vectors of bits, so if s=(a,b,c,d) then s0 ≠ s1 is  (a0 a1) +  (b0 b1) +  (c0 c1) +  (d0 d1)

21 A complete method i:= 0 if not Sat I ornot Sat B then return True i i if Sat then return error trace i := i+1 ; I B i

22 Another presentation Borrowed from a presentation by Ken McMillan (about a paper I have written). See Ken’s home page for lots of good stuff! See http://www-cad.eecs.berkeley.edu/~kenmcmil/cav03.ppt That presentation is Copyright 2002 Cadence Design Systems

23 k-induction induction: SSS2000 P(s 0 )  i : P(s i )  P(s i+1 )  i : P(s i ) Induction with depth k: P(s 0..k-1 )  i : P(s i..i+k-1 )  P(s i+k )  i : P(s i )

24 k-induction with a SAT solver Two formulas to check: –Base case: I(s0)  path([s 0,..s k-1 ])  P(s 0 )...P(s k-1 ) –Induction step: path([s 0,..s k ])  P(s 0 )...P(s k-1 )  P(s k ) If both are valid, then P always holds. If not, increase k and try again. Note: this is a forwards view of the problem

25 Simple path assumption Unfortunately, k-induction is not complete. –Some properties not k-inductive for any k. Simple path restriction: –There is a path to  P iff there is a simple path to  P (path with no repeated states). PP PP

26 Induction over simple paths Let simple(s 0..k ) be defined as:  i,j in 0..k : (i  j)  s i  s j k-induction over simple paths: P(s 0..k-1 )  i : simple(s 0..k )  P(s i..i+k-1 )  P(s i+k )  i : P(s i ) Must hold for k large enough, since a simple path cannot be unboundedly long. Length of longest simple path is called recurrence diameter.

27 Back to previous view i:= 0 if not Sat I ornot Sat B then return True i i if Sat then return error trace i := i+1 ; I B i

28 Avoid iteration from zero and tighten termination i := some constant which can be greater than zero not (all (not B)) I i I all (not I) i+1 Ball (not B) i+1 if Sat then return error trace if not Sator not Sat then return True i:= i+1

29 Complete Method i := some constant which can be greater than zero not (all (not B)) I i I all (not I) i+1 Ball (not B) i+1 if Sat then return error trace if not Sator not Sat then return True i:= i+1

30 Strengthen i := some constant which can be greater than zero not (all (not B)) I i I all (not I) i+1 Ball (not B) i+1 if Sat then return error trace if not Sator not Sat then return True i:= i+1

31 Another way to strengthen Invent a lemma, L(s) that we believe to hold in the reachable states Prove P´(s) = P(s) and L(s) If both P and L hold in the reachable states, this can reduce induction depth

32 Choosing lemmas? Domain knowledge Analysis of the program Strongest possibility is the characterization of the reachable states Van Eijk’s method uses relations between signals as lemmas

33 Symbolic Trajectory Evaluation (STE) a b c d [a is v, ¤, c is not v, ¤ ] [¤, ¤, ¤, d is true ] consequent antecedent

34 Symbolic simulation Don’t just have concrete values (and X) flowing in the circuit Have BDDs or formulas flowing A single run of a symbolic simulator checks an STE property requiring many concrete simulations STE is symbolic simulation plus proof that the consequent holds

35 Use of BMC and STE at Compaq merge buffer Fake load queue Backend tag module Fake CBOX Fake store queue Aim: to automatically find violations of properties like Same address cannot be in two entries at once that is, bug finding during development

36 Reducing the problem Initial circuit: 400 inputs, 14 400 latches, 15 pipeline stages Reduced model has 10 inputs, 600 latches Symmetry reduction Transactor writing Simplification circuit reduced model

37 Results Real bugs found, from 25 -144 cycles SAT-based BMC on 32 bit PC 20 -10k secs. Custom SMV on 64 bit Alpha took much longer (but goes to larger sizes) STE quick to run, but writing specs takes time and expertise Promising results in real development NOTE: Bjesse will lecture next friday

38 Future Trends Improved proof engines and analysis tools Design methods and coding rules that make necessary proofs easier Integration of methods Modular verification Combining test and formal verification (ATPG) Greater emphasis on design chains

39 References (bounded model checking) A. Biere, A. Cimatti, E.M. Clarke, M. Fujita and Y. Zhu. Symbolic model checking using SAT procedures instead of BDDs. In Proc. 36th Design Automation Conference, 1999. P. Bjesse, T. Leonard and A. Mokkedem. Finding bugs in an Alpha microprocessor using satisfiability solvers. In Proc. 13th Int. Conf. On Computer Aided Verification, 2001.

40 References (safety property checking with SAT-solvers) M. Sheeran, S. Singh and G. Stålmarck. Checking safety properties using induction and a SAT-solver. In Proc. 3rd Int. Conf. On Formal Methods in Computer Aided Design, LNCS, Springer Verlag, 2000. P. Bjesse and K. Claessen. SAT-based verification without state space traversal. In Proc. 3rd Int. Conf. On Formal Methods in Computer Aided Design, LNCS, Springer Verlag, 2000.

Download ppt "SAT-based verification in brief Mary Sheeran, Chalmers."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.

SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Completeness and Complexity of Bounded Model Checking Ed Clarke Daniel Kroening Joel Ouaknine Carnegie Mellon University, Pittsburgh, USA Ofer Strichman.

1 Completeness and Complexity of Bounded Model Checking Ed Clarke Daniel Kroening Joel Ouaknine Carnegie Mellon University, Pittsburgh, USA Ofer Strichman.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

Similar presentations

Ads by Google