Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

There are copies: 1
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Similar presentations


Presentation on theme: "Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs."— Presentation transcript:

1 Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs

2 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Overview We will examine the performance of two SAT- based abstraction methods –Counterexample-based abstraction –Proof-based abstraction This tells us something about –The nature of decision heuristics in SAT solvers –The strengths are weaknesses of SAT solvers for bounded model checking and related applications.

3 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Outline Background: SAT and BMC Localization abstraction –Cex-based –Proof-based Performance study –what it tells us about SAT

4 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. DPLL-style SAT solvers Objective: –Check satisfiability of a CNF formula literal: v or v clause: disjunction of literals CNF: conjunction of clauses Approach: –Branch: make arbitrary decisions –Propagate implication graph –Use conflicts to guide inference steps SATO,GRASP,CHAFF,BERKMIN

5 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. The Implication Graph (BCP) ( a b) ( b c d) a c Decisions b Assignment: a b c d d

6 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Resolution a b c a c d b c d When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.

7 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conflict Clauses ( a b) ( b c d) ( b d) a c Decisions b Assignment: a b c d d Conflict! ( b c ) resolve Conflict! ( a c) resolve Conflict!

8 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conflict Clauses (cont.) Conflict clauses: –Are generated by resolution –Are implied by existing clauses –Are in conflict in the current assignment –Are safely added to the clause set Many heuristics are available for determining when to terminate the resolution process.

9 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Basic SAT algorithm A = empty clause? y UNSAT conflict? Deduce conflict clause and backtrack y n is A total? y SAT Branch: add some literal to A

10 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Generating refutations Refutation = a proof of the null clause –Record a DAG containing all resolution steps performed during conflict clause generation. –When null clause is generated, we can extract a proof of the null clause as a resolution DAG. Original clauses Derived clauses Null clause

11 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Circuit SAT a b c p g Can the circuit output be 1? input variables output variable (a g) (b g) ( a b g) ( g p) ( c p) (g c p) CNF(p) p is satisfiable when the formula CNF(p) p is satisfiable

12 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Bounded Model Checking Given –A finite transition system M –A property p Determine –Does M allow a counterexample to p of k transitions of fewer? This problem can be translated to a SAT problem BCCZ99

13 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Models Transition system described by a set of constraints a b cp g Each circuit element is a constraint note: a = a t and a' = a t+1 g = a b p = g c c' = p Model: C = { g = a b, p = g c, c' = p }

14 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Properties We restrict our attention to safety properties. Characterized by: –Initial condition I –Final condition F (representing "bad" states) A counterexample is a path from a state satisfying I to state satisfying F, where every transition satisfies C.

15 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Unfolding Unfold the model k times: U k = C 0 C 1... C k-1 a b cp g a b cp g a b cp g... I0I0 FkFk Use SAT solver to check satisfiability of I 0 U k F k A satisfying assignment is a counterexample of k steps

16 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. BMC applications Debugging: –Can find counterexamples using a SAT solver Proving properties: –Only possible if a bound on the length of the shortest counterexample is known. I.e., we need a diameter bound. The diameter is the maximum lenth of the shortest path between any two states. –Worst case is exponential. Obtaining better bounds is sometimes possible, but generally intractable.

17 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization abstraction Property: G (c X c) a b cp g Model: C = { g = a b, p = g c, c' = p } ' free variable C' property, C C' C property Kurshan

18 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Constraint granularity a b cp g Model: C = { c' = (a b) c } Most authors use constraints at "latch" granularity......however, techniques we will consider can be applied at both "gate" and "latch" granularity.

19 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization, cont C' may refer to fewer state variables than C –reduction in the state explosion problem Key issue: how to choose constraints in C' –counterexample-based –proof-based

20 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Algorithm Model check abstraction C' Choose initial C' Can extend Cex from C'to C? Add constraints to C' true, done Cex yes, Cex no SAT uses Kurshan

21 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstract counterexamples Assume simple safety property: –initial condition I and final condition F –w.l.o.g., assume I and F are atomic formulas to make this true, add constraints in C: v I I v F F Abstract variables V' = support(C',I,F) Abstract counterexample A' is a truth assignment to: { v t | v in V', t in 0..k } where k is the number of steps.

22 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Counterexample extension Abstract counterexample A' satisfies: I 0 U' k F k where U' k = C' 0 C' 1... C' k-1 Find A consistent with A', satisfying: I 0 U k F k where U k = C 0 C 1... C k-1 That is, A is any satisfying assignment to: A' I 0 U k F k I.e., to extend an abstract counterexample, we just apply it as a constraint in BMC. If unsat, abstract counterexample is "false". CGJLV 2000

23 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction refinement Refinement = adding constraints to C' to eliminate false counterexamples. Many heuristsics used for this. –Too many to cover here. –Recall that a SAT solver can produce a resolution- based refutation in the UNSAT case....

24 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based refinement Recall, to extend abstract Cex A', we check: A' I 0 U k F k If UNSAT, we obtain refutation proof P –proof that A' cannot be extended to concrete Cex Let E be set of constraints used in proof P: E = { c C | some c i occurs in P } A' cannot be extended to a Cex for E –P is the proof of this. Thus, add E to C' and continue...

25 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. In other words... The refutation of the formula: A' I 0 U k F k gives us a sufficient set of constraints to rule out the abstract counterexample. We continue ruling out counterexamples until either the abstraction C' proves the property or we can extend an abstract counterexample to a concrete one.

26 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CCKSVW approach (FMCAD02) Find the shortest prefix of Cex A' that cannot be extended. That is, A' I 0 U k F k is feasible for all k < i, but not for k=i. s0s0 s1s1 s2s2 s i-1 sisi... OK NO!

27 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CCKSVW approach cont. Let P be a refutation of A' I 0 U i F i Let E be set of constraints used in proof P only on state s i-1: E = { c C | c i-2 occurs in P } s0s0 s1s1 s2s2 s i-1 sisi... OK NO! add constraints used here

28 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Weakness of Cex-based approach Arbitrarily chosen abstract Cex may be refutable for many reasons not related to property. –Thus, may add irrelevant constraints. –To remedy, may try to characterize a set of Cex's rather than just one (e.g., GKM-HFV,TACAS03). Alternative: don't use counterexamples

29 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based abstraction BMC at depth k Cex? done No Cex? Use refutation to choose abstraction MC abstraction done True? False? Increase k MA,TACAS03

30 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. BMC phase Unfold the model k times: U = C 0 C 1... C k-1 Use SAT solver to check satisfiability of I 0 U F k If unsatisfiable: property has no Cex of length k produce a refutation proof P

31 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction phase Let C' be set of constraints used in proof P: C' = { c C | some c i occurs in P } C' admits no counterexample of length k –let U' = C' 0 C' 1... C' k-1 –P is a refutation of I 0 U' F k Model check property on C' –property true for C' implies true for C –else Cex of length k' > k (why?) restart for k = k'

32 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Algorithm BMC C at depth k Cex? done No Cex? Refutation P induces abstraction C' Model check C' done True? Cex of depth k'? let k = k' Notice: MC counterexample is thrown away!

33 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Termination Depth k increases at each iteration Eventually k > d, diameter of C' If k > d, no counterexample is possible In practice, termination uses occurs when k d/2 Usually, diameter C' << diameter of C

34 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Weakness of proof-based abs BMC must refute all counterexamples of length k, while in Cex-based, BMC must refute only one (partial) counterexample.

35 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. PicoJavaII benchmarks Hardware Java virtual machine implementation Properties derived from verification of ICU –handles cache, instruction prefetch and decode Original abstraction was manual Added neigboring IFU to make problem harder ICUIFU Mem, Cache Integer unit properties No properties can be verified by standard model checking!

36 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction results solid = original, gray = manual, open = proof-based abstraction

37 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Inference SAT solver seems to be very effective at narrowing down the proof to relevant facts. In most cases, it did better than manual abstraction.

38 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Comparing CBA and PBA Apples-apples comparison –same SAT solver –same model checker –only differences are: For CBA previous A' is kept as a constriaint for BMC, C' is cumulative. For PBA previous A' and C' are thrown away each iteration. Note these are my implementations. This says nothing about performance of specific tools!

39 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Run time comparison

40 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction comparison

41 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Possible explanation Internally, SAT solver is really doing CBA a=0 b=1 c=0 d=1 decision stack = abstract Cex A' refutation of A' decision heuristic moves proof variables up, into A'

42 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. PBA run-time breakdown solid = BMC time, open = MC time

43 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CBA run-time breakdown solid = BMC time, open = MC time

44 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. A (fuzzy) hypothesis Parameterized models allowing no abstraction SAT-based BMC "succeeds" when number of relevant variables is small, and fails otherwise. "success" is BMC for k = diameter of relevant logic ModelMax state vars German protocol42 "swap"21

45 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Industrial benchmarks

46 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Implications for model checking Most of the time if bounded model checking succeeds, unbounded model checking also succeeds using abstraction. No need to settle for time bounded result

47 Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusions SAT solvers are very effective at ignoring irrelevant facts –Can think of decision heuristic as a form of CBA implications for improving heuristics? –Hence very similar performance of CBA and PBA for localization abstraction SAT solver performance is tied to number of relevant variables –Performs well if there is a small UNSAT "core" –Performs badly when all variables relevant.


Download ppt "Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs."

Similar presentations


Ads by Google