# Model Checking Based on Interpolation

K. L. McMillan, Cadence Berkeley Labs

## Interpolation (Craig, 57)

If A ∧ B = false, there exists an interpolant A' for (A, B) such that:

- A ⇒ A'
- A' ∧ B = false
- A' refers only to common variables of A, B

Example: A = p ∧ q, B = ¬q ∧ r, A' = q

Interpolants from proofs: given a resolution refutation of A ∧ B, A' can be derived in linear time (Pudlák, Krajíček, 97).

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification.

## Interpolation-based MC

Combining “bounded model checking” and interpolation gives us:

- A means of over-approximate image computation
- Hence, reachability analysis
- Method is complete for systems of finite diameter.

Modern SAT solvers naturally produce resolution refutations. Leads to fully SAT-based model checking.

## Outline

- Computing interpolants
- Interpolation-based image computation
- Model checking finite state systems

## Resolution

Resolution rule: from (A ∨ p) and (¬p ∨ B), derive (A ∨ B).

Modern SAT solvers naturally produce refutations for CNF formulas using resolution. Interpolants can be derived from such refutations in linear time.

## Example

A = (b)(¬b ∨ c), B = (¬c ∨ d)(¬d)

Resolution refutation of A ∧ B, with the partial interpolant at each step:

- (b) and (¬b ∨ c) resolve to (c); partial interpolant c
- (c) and (¬c ∨ d) resolve to (d); partial interpolant c
- (d) and (¬d) resolve to ⊥; interpolant A' = c

The interpolant is a circuit that follows the structure of the proof.
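The three slides above (the interpolant conditions, the resolution rule, and the worked refutation) can be checked mechanically. The following is an added example, not code from McMillan's presentation: it implements McMillan's interpolation rules over a resolution refutation (an A-leaf contributes the disjunction of its shared-variable literals, a B-leaf contributes true, a resolvent combines its parents with ∨ when the pivot is local to A and with ∧ otherwise), runs them on the slide's proof, and then confirms the three interpolant conditions by truth-table enumeration. The proof encoding (`('A', clause)`, `('B', clause)`, `('res', i, j, pivot)`) and the formula representation are assumptions made here for the example.

```python
# Added example (not from McMillan's slides): computing a Craig interpolant
# from a resolution refutation with McMillan's rules, applied to the slide's
# example A = (b)(¬b ∨ c), B = (¬c ∨ d)(¬d), whose only shared variable is c.
from itertools import product

# A literal is (variable, polarity); a clause is a frozenset of literals.
def lit(s):
    return (s.lstrip('-'), not s.startswith('-'))

def clause(*lits):
    return frozenset(lit(s) for s in lits)

# Interpolant formulas: TRUE, FALSE, ('var', v, polarity), ('and', f, g), ('or', f, g).
TRUE, FALSE = ('true',), ('false',)

def f_or(f, g):
    if TRUE in (f, g): return TRUE
    return g if f == FALSE else f if g == FALSE else ('or', f, g)

def f_and(f, g):
    if FALSE in (f, g): return FALSE
    return g if f == TRUE else f if g == TRUE else ('and', f, g)

def evaluate(f, env):
    tag = f[0]
    if tag in ('true', 'false'): return tag == 'true'
    if tag == 'var': return env[f[1]] == f[2]
    sub = [evaluate(x, env) for x in f[1:]]
    return all(sub) if tag == 'and' else any(sub)

def formula_vars(f):
    if f[0] == 'var': return {f[1]}
    return set().union(*(formula_vars(x) for x in f[1:])) if f[0] in ('and', 'or') else set()

def resolve(c1, c2, pivot):
    """Resolution: (X ∨ p) and (Y ∨ ¬p) give (X ∨ Y); p must be positive in c1, negative in c2."""
    assert (pivot, True) in c1 and (pivot, False) in c2, "bad pivot"
    return (c1 - {(pivot, True)}) | (c2 - {(pivot, False)})

def interpolant(a_clauses, b_clauses, proof):
    """McMillan's rules over a refutation of A ∧ B.  Proof steps: ('A', clause) and
    ('B', clause) are leaves; ('res', i, j, pivot) resolves steps i and j.
    Leaf in A: disjunction of its shared-variable literals.  Leaf in B: true.
    Resolvent: I1 ∨ I2 if the pivot is local to A, else I1 ∧ I2.
    Returns (final clause, interpolant); the final clause should be empty."""
    vars_b = {v for c in b_clauses for v, _ in c}
    shared = {v for c in a_clauses for v, _ in c} & vars_b
    steps = []
    for step in proof:
        if step[0] == 'A':
            itp = FALSE
            for v, pol in sorted(step[1]):
                if v in shared: itp = f_or(itp, ('var', v, pol))
            steps.append((step[1], itp))
        elif step[0] == 'B':
            steps.append((step[1], TRUE))
        else:
            _, i, j, pivot = step
            (c1, i1), (c2, i2) = steps[i], steps[j]
            combine = f_and if pivot in vars_b else f_or
            steps.append((resolve(c1, c2, pivot), combine(i1, i2)))
    return steps[-1]

def check_interpolant(a_clauses, b_clauses, itp):
    """Truth-table check of the three conditions: A ⇒ A', A' ∧ B = false, vars(A') ⊆ shared."""
    vars_a = {v for c in a_clauses for v, _ in c}
    vars_b = {v for c in b_clauses for v, _ in c}
    names = sorted(vars_a | vars_b)
    sat = lambda cs, env: all(any(env[v] == pol for v, pol in c) for c in cs)
    a_implies_itp = itp_refutes_b = True
    for vals in product([False, True], repeat=len(names)):
        env = dict(zip(names, vals))
        if sat(a_clauses, env) and not evaluate(itp, env): a_implies_itp = False
        if evaluate(itp, env) and sat(b_clauses, env): itp_refutes_b = False
    return a_implies_itp, itp_refutes_b, formula_vars(itp) <= (vars_a & vars_b)

# The slide's example and its refutation: (b),(¬b∨c) ⊢ (c); (c),(¬c∨d) ⊢ (d); (d),(¬d) ⊢ ⊥.
A = [clause('b'), clause('-b', 'c')]
B = [clause('-c', 'd'), clause('-d')]
PROOF = [('A', A[0]), ('A', A[1]), ('res', 0, 1, 'b'),
         ('B', B[0]), ('res', 2, 3, 'c'),
         ('B', B[1]), ('res', 4, 5, 'd')]

def slide_example():
    final, itp = interpolant(A, B, PROOF)
    return final, itp, check_interpolant(A, B, itp)

if __name__ == '__main__':
    print(slide_example())   # (frozenset(), ('var', 'c', True), (True, True, True))
```

The interpolant comes out as the single literal c, exactly as on the slide, and it is built in one pass over the proof, which is the linear-time property claimed on the interpolation slide. Note that the pivot rule is what keeps A-local variables such as b out of A': they are only ever eliminated by an ∨ of partial interpolants that never mention them.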

## DPLL SAT solvers

Given a propositional formula in CNF, either:

- Produce a satisfying assignment, or
- Produce a resolution refutation

Current solvers, like Chaff and BerkMin, are highly efficient, especially in the case when there is a small “core” of clauses that are unsatisfiable.

## An interpolating SAT solver

(A, B) in CNF → SAT solver → proof → Interpolation → A'

## Interpolation-based MC

Exploit interpolation to compute an over-approximate image operator.

- Allows symbolic model checking
- Procedure is complete for finite diameter systems

## Modeling

System modeled by a transition constraint. Model: C = { g = a ∧ b, p = g ∨ c, c' = p }

Each circuit element induces a constraint (note: a stands for a at time t, and a' for a at time t+1):

- g = a ∧ b
- p = g ∨ c
- c' = p

(Figure: the circuit with signals a, b, c, p, g.)

## Bounded model checking

Unfold the model k times: U = C0 ∧ C1 ∧ ... ∧ Ck-1

(Figure: k copies of the circuit chained together, from I0 at the left to Fk at the right.)

Use SAT solver to check satisfiability of I0 ∧ U ∧ Fk. If unsatisfiable:

- property has no counterexample of length k
- can produce a refutation proof P

## Reachability

Is there a path (of any length) from I to F satisfying transition constraint C?

Reachability fixed point: R0 = I, Ri+1 = Ri ∨ Img(Ri,C), R = ∪ Ri

Image operator: Img(P,C) = λV'. ∃V. (P(V) ∧ C(V,V'))

F is reachable iff R ∧ F ≠ false

## Reachability

(Figure: nested sets I ⊆ R1 ⊆ R2 ⊆ ... ⊆ R, with F outside them.) R1 = I ∨ Img(I,C), R2 = R1 ∨ Img(R1,C), ...

## Overapproximation

An overapproximate image op. is Img' s.t. for all P, Img(P,C) implies Img'(P,C)

Overapproximate reachability: R'0 = I, R'i+1 = R'i ∨ Img'(R'i,C), R' = ∪ R'i

Img' is adequate (w.r.t. F) when: if P cannot reach F, Img'(P,C) cannot reach F

If Img' is adequate, then F is reachable iff R' ∧ F ≠ false

## Adequate image

(Figure: P, its exact image Img(P,C) and the larger Img'(P,C); the states reached from P and the states that can reach F do not overlap.)

But how do you get an adequate Img'?

Img' is k-adequate (w.r.t. F) when: if P cannot reach F, Img'(P,C) cannot reach F within k steps

Note, if k > diameter, then k-adequate is equivalent to adequate.

## Interpolation-based image

Idea: use unfolding to enforce k-adequacy

- A = P-1 ∧ C-1
- B = C0 ∧ C1 ∧ ... ∧ Ck-1 ∧ Fk

(Figure: P followed by copies of C from t = -1 to t = k and then F; A covers P and the first copy of C, B covers the remaining copies and F.)

Let Img'(P)0 = A', where A' is an interpolant for (A,B)... Img' is k-adequate!

## Huh?

(Figure: the same unfolding from t = 0 to t = k, with A' at the boundary between A and B.)

- A ⇒ A', so Img(P,C) ⇒ Img'(P,C)
- A' ∧ B = false, so Img'(P,C) cannot reach F in k steps

Hence Img' is a k-adequate overapproximation.

Note: if A, B are consistent, then let Img'(P,C) = T (true).

## Intuition

(Figure: the unfolding of P through copies of C to F, with A' marked at t = 0.)

A' tells us everything the prover deduced about the image of P in proving it can't reach F in k steps. Hence, A' is in some sense an abstraction of the image relative to the property.

## Reachability algorithm

    let k = 0
    repeat
        if I can reach F within k steps, answer reachable
        R = I
        while Img'(R,C) ∧ F = false
            R' = Img'(R,C) ∨ R
            if R' = R answer unreachable
            R = R'
        end while
        increase k
    end repeat
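The loop on this slide, as an added example that is not part of McMillan's presentation: it is run on a small constructed explicit-state system, and `img_prime` is a semantic stand-in (an assumption made here) for the interpolant-derived image: the exact image of P plus every state that cannot reach F within k steps. That stand-in is an over-approximation and k-adequate by construction, which is all the loop relies on; an interpolating SAT solver would instead compute Img' symbolically from the refutation of I0 ∧ U ∧ Fk. The two runs show the loop converging at k = 1 for an unreachable F, even though the graph has longer paths, and the bounded check catching a reachable F at k = 3.

```python
# Added example (not from McMillan's slides): the interpolation-based
# reachability loop run on a constructed explicit-state system.  img_prime is a
# semantic stand-in for the interpolant-derived image (assumption made here):
# the exact image of P plus every state that cannot reach F within k steps.
# It is an over-approximation and k-adequate by construction.

def image(trans, states):
    """Exact image: all successors of the given states."""
    return {t for s, t in trans if s in states}

def can_reach_within(trans, targets, k):
    """States that can reach a target in at most k steps (bounded backward search)."""
    seen = set(targets)
    frontier = set(targets)
    for _ in range(k):
        frontier = {s for s, t in trans if t in frontier} - seen
        seen |= frontier
    return seen

def bmc(trans, init, bad, k):
    """Bounded check: is a bad state reachable from init in at most k steps?"""
    reach = set(init)
    for _ in range(k):
        reach |= image(trans, reach)
    return bool(reach & bad)

def img_prime(trans, states, bad, k, P):
    """k-adequate over-approximate image (stand-in for the interpolant A')."""
    return image(trans, P) | (states - can_reach_within(trans, bad, k))

def interpolation_reach(states, trans, init, bad, max_k=None):
    """The slide's algorithm.  Returns ('reachable', k) or ('unreachable', k),
    k being the unfolding depth at which the answer was found."""
    if max_k is None:
        max_k = len(states)        # any bound above the diameter guarantees termination
    k = 0
    while k <= max_k:
        if bmc(trans, init, bad, k):
            return ('reachable', k)
        R = set(init)
        while True:
            img = img_prime(trans, states, bad, k, R)
            if img & bad:          # Img'(R,C) ∧ F ≠ false: k too small, unfold further
                break
            R_next = img | R
            if R_next == R:        # fixed point reached without touching F
                return ('unreachable', k)
            R = R_next
        k += 1
    raise RuntimeError("bound exceeded")

# Constructed system: a ring 0 -> 1 -> ... -> 5 -> 0, plus 6 -> 7 -> 7, which the
# ring never enters.  State 7 is unreachable from 0; state 3 is reachable in 3 steps.
STATES = set(range(8))
TRANS = [(i, (i + 1) % 6) for i in range(6)] + [(6, 7), (7, 7)]

def run_examples():
    return {
        'unreachable_7': interpolation_reach(STATES, TRANS, {0}, {7}),
        'reachable_3': interpolation_reach(STATES, TRANS, {0}, {3}),
    }

if __name__ == '__main__':
    for name, result in run_examples().items():
        print(name, result)
```

At k = 0 the over-approximation is so loose that the inner loop spills into F and the outer loop has to increase k; at k = 1 the states 6 and 7 are excluded from every Img' and the fixed point {0..5} is found, well before k reaches the longest simple path of the graph, which is the situation the Termination slide describes.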

## Termination

Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.

Notes:

- don't need to know when k > d in order to terminate
- often termination occurs with k << d
- depth bound for earlier method (Sheeran et al '00) is "longest simple path", which can be exponentially longer than diameter

## PicoJava II benchmarks

- Hardware Java virtual machine implementation
- Properties derived from verification of ICU: handles cache, instruction prefetch and decode
- Original abstraction was manual
- Added neighboring IFU to make problem harder; result: many irrelevant facts in problem

(Figure: ICU and IFU blocks between Mem/Cache and the Integer unit.)

## Results

Benchmarks completed in 1800 s:

- Standard model checking: 0/20
- Interpolation-based: 19/20

Reason: Interpolation method exploits the SAT solver's ability to narrow proofs to relevant facts.

## v. proof-based abstraction

(Two chart slides comparing against proof-based abstraction, McM, TACAS03.)

## IBM GP benchmarks

(Chart slides: IBM GP benchmarks; GP benchmarks - true properties.)

## Characteristics

SAT-based methods are effective when:

- Very large set of facts is available
- Only a small subset are relevant to property

They exploit the SAT solver's ability to narrow the proof to relevant facts, i.e., narrow the reachable-states approximation to relevant variables. Interpolation method exploits this fact to compute abstract image operator.

## Infinite-state verification

Direct approach: express transition constraint in FOL. Example: simple “Bakery” protocol.

(Figure: two processes with states NC and C. Ticket updates: ticket0' > ticket1, ticket1' > ticket0. Entry guards: ticket1 > ticket0 ∨ state1 = NC; ticket0 > ticket1 ∨ state0 = NC.)

Terminates because diameter is finite, though state space is infinite.

## Infinite-state verification

Predicate abstraction approach (Graf, Saïdi, 97):

- Choose a set of predicates to represent state, i.e., for bakery: ticket1 > ticket0 and ticket0 > ticket1
- Transform C into a predicate-state transducer
- Interpolants are now strictly Boolean
- Convergence guaranteed, but may have false negatives

Advantages of interpolation approach:

- Avoid conversion to a Boolean formula
- Avoid building BDD’s!
- Strong ability to ignore irrelevant predicates

## Conclusion

SAT solvers have the ability:

- to generate refutations for bounded reachability
- to filter out irrelevant facts.

These abilities can be exploited to generate an abstract image operator, using Craig interpolation. This yields a reachability procedure that:

- is fully SAT-based
- operates directly on infinite-state systems
- is robust w.r.t. irrelevant facts
