Published by Madison Martinez. Modified over 4 years ago.

1
SAT-based Bounded and Unbounded Model Checking
Edmund M. Clarke, Carnegie Mellon University
Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti, T. Heyman, D. Kroening, J. Ouaknine, R. Raimi, O. Strichman, and Y. Zhu

2
Why am I giving this talk?
I have an ulterior motive for this talk.
Second Edition! Need a chapter on SAT for the second edition.

3
Outline of Talk
1. Motivation
2. Bounded Model Checking
3. Complete methods using SAT
   a. Induction
   b. Unbounded Model Checking
      --- with cube enlargement
      --- with circuit co-factoring
      --- with interpolants

4
Outline of Talk
1. Motivation (yes)
2. Bounded Model Checking (yes)
3. Complete methods using SAT
   a. Induction (no)
   b. Unbounded Model Checking
      --- with cube enlargement (yes)
      --- with circuit co-factoring (maybe)
      --- with interpolants (no)

5
SAT Solver Progress 1960-2010

6
Model Checking (CE81, QS82)
Specification – temporal logic
Model – finite state transition graph
Advantages:
  Always terminates
  Automatic
  Usually fast
  Can handle partially specified models
  Counterexample if specification is false

7
Symbolic Model Checking
Method used by most industrial strength model checkers.
Uses Boolean encoding for state machine and sets of states.
Can handle much larger designs – hundreds of state variables.
BDDs traditionally used to represent Boolean functions.

8
Problems with BDDs
BDDs are a canonical representation. Often become too large.
Variable ordering must be uniform along paths.
Selecting right variable ordering very important for obtaining small BDDs.
Often time consuming or needs manual intervention.
Sometimes, no space efficient variable ordering exists.
This talk describes alternative approaches to model checking that use SAT procedures.

9
Advantages of SAT Procedures
SAT procedures also operate on Boolean formulas but do not use canonical forms.
Do not suffer from the potential space explosion of BDDs.
Different split orderings possible on different branches.
Very efficient implementations exist.

10
Bounded Model Checking
A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS99

11
Bounded Model Checking as SAT
Given a property p: (e.g. signal_a = signal_b)
Is there a state reachable in k cycles, which satisfies p?
[Figure: path of states s0, s1, s2, ..., sk-1, sk, with states labelled p]

12
Bounded Model Checking: Safety
The reachable states in k steps are captured by:
The property p fails in one of the k steps

13
Bounded Model Checking: Safety
The safety property p is valid up to step k iff k is unsatisfiable:
[Figure: path of states s0, s1, s2, ..., sk-1, sk, with states labelled p]

14
Bounded Model Checking: Safety
Example: a two bit counter
[Figure: counter states 00, 01, 10, 11]
Property: G ( l r ).
Initial state: I: ¬l ∧ ¬r
Transition: R: l = ( l r ) ∧ r = ¬r
For k = 2, k is unsatisfiable. For k = 3 k is satisfiable
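The two-bit counter check above, as an added example (not code from the talk): it builds the unrolled formula I(s0) ∧ T(s0,s1) ∧ ... ∧ T(sk-1,sk) ∧ (¬p(s0) ∨ ... ∨ ¬p(sk)) and decides it by exhaustive enumeration instead of a SAT solver. It assumes the transition reads l' = (l xor r), r' = ¬r and the property is G(¬l ∨ ¬r), because the operators are lost on this page; all function names are illustrative.

```python
from itertools import product

# State of the two-bit counter is the pair (l, r).
def init(s):
    l, r = s
    return (not l) and (not r)                 # I: ¬l ∧ ¬r

def trans(s, t):
    (l, r), (l2, r2) = s, t
    # Assumed reading of R: l' = (l xor r), r' = ¬r.
    return l2 == (l != r) and r2 == (not r)

def prop(s):
    l, r = s
    return (not l) or (not r)                  # assumed p: ¬l ∨ ¬r

def bmc_safety(k, n_bits=2):
    """Look for a model of I(s0) ∧ T(s0,s1) ∧ ... ∧ T(sk-1,sk) ∧ (some ¬p(si)).

    Enumerating all values of the n_bits*(k+1) Boolean variables stands in
    for the SAT solver. Returns a counterexample path, or None if unsat.
    """
    for bits in product([False, True], repeat=n_bits * (k + 1)):
        path = [bits[i:i + n_bits] for i in range(0, len(bits), n_bits)]
        if not init(path[0]):
            continue
        if not all(trans(path[i], path[i + 1]) for i in range(k)):
            continue
        if any(not prop(s) for s in path):
            return path
    return None

def first_violation(max_k):
    """Increase the bound k until the formula becomes satisfiable."""
    for k in range(max_k + 1):
        cex = bmc_safety(k)
        if cex is not None:
            return k, cex
    return None
```
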

15
Bounded Model Checking: Liveness
There is no counterexample of length k to the liveness property F p iff k is unsatisfiable:
[Figure: path of states s0, s1, s2, ..., sk-1, sk, with states labelled ¬p]

16
BMC formula for arbitrary LTL (Standard translation)
Size of resulting formula: O(k |M| + k^3 | |)
With sharing of subformulas becomes O(k |M| + k^2 | |)

17
A fixpoint based translation
Idea: for lasso-shaped Kripke structures, the semantics of LTL and CTL coincide.
Add a formula that isolates a lasso-shaped path.
Use the fixpoint characterization of CTL, e.g. E [ U ( ∧ EX E [ U )
T. Latvala, A. Biere, K. Heljanko, and T. Junttila: Simple Bounded LTL Model Checking, FMCAD 04

18
Overall formula
Annotated parts: Model; LTL formula; bound; Isolate lasso-shaped path; Fixpoint formula

19
Loop constraints
If l_i is true then there exists a loop at position i.
At most one l_i is true.

20
Fixpoint formula
Size of resulting formula: O(k (|M| + | |))

21
Generating the BMC formula (Based on the Vardi-Wolper algorithm)
A labeled Büchi automaton is a 5-tuple B = ⟨S, S_0, , L, F⟩
(states, initial states, transition relation, labels, final states)
Acceptance condition: An infinite word w is accepted iff the execution of w on B passes through a final state an infinite number of times.

22
LTL model checking
Given
Transition system M
LTL property
1. Translate into a Büchi automaton B
2. Compute product automaton P = M × B
3. Check if P is empty: Is a fair loop reachable?

23
Generating the BMC formula
Encode all paths of P that start at an initial state and are k steps long.
Require that
at least one path contains a loop.
at least one state in the loop is final.
E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman: Computational challenges in Bounded Model Checking, STTT 05

24
Generating the BMC formula
[Figure: path s0, ..., sk-1, with loop state sl = sk]
Start from the initial state
Follow k transitions
Choose a state where the loop starts
Require that some state in the loop is final

25
Bounded Model Checking
[Flowchart: k = 0; BMC(M, , k) with outcomes SAT / UnSAT; test k ≥ CT with branches yes / no; k++; Resources exceeded]
CT is the completeness threshold

26
The Completeness Threshold
Computing CT is as hard as model checking.
Idea: Compute an over-approximation to the actual CT
Consider system P as a graph.
Compute CT from structure of P.

27
Basic notions
Diameter D(M) = longest shortest path between any two reachable states.
Recurrence Diameter RD(M) = longest loop-free path between any two reachable states.
The initialized versions: D_I(M) and RD_I(M) start from an initial state.
[Figure: example graph with D(M) = 2, RD(M) = 3, D_I(M) = , RD_I(M) = ]

28
CT for safety properties
Theorem: for AG p properties CT = D_I(M)
For AF p properties this does not hold
[Figure: path from s0 of length ≤ D_I(M) with states labelled p; D_I(M) = 3 but CT = 4]

29
CT for liveness properties
Theorem: for AF p properties CT = RD_I(M) + 1
[Figure: path from s0 with states labelled p]
Theorem: for an LTL property CT = ?

30
CT for arbitrary LTL properties
Theorem [CKOS 05]: A Completeness Threshold for any LTL property is min(rd_I(P) + 1, d_I(P) + d(P))
[Figure: shortest counterexample from s0, with segments annotated ≤ d_I(P), ≤ d(P), ≤ rd_I(P)]

31
Why take the minimum?
Example 1: d_I(P) + d(P) = 6 > rd_I(P) + 1 = 4
Example 2: d_I(P) + d(P) = 2 < rd_I(P) + 1 = 4
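The diameter notions and thresholds from the preceding slides, computed on explicit graphs as an added example (not from the talk). The two graphs are constructed here so that they give the same numbers as Example 1 and Example 2; the slide's own figures are not preserved, the function names are illustrative, and the LTL bound treats the graph as the product P.

```python
from collections import deque

def bfs_dist(graph, sources):
    """Shortest distance in edges from any source to each reachable state."""
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def diameters(graph, init):
    reach = bfs_dist(graph, init)                  # states reachable from init
    d_init = max(reach.values())                   # D_I: longest shortest path
    d = max(max(bfs_dist(graph, [u]).values()) for u in reach)

    def longest_simple(u, seen):                   # longest loop-free path from u
        return max((1 + longest_simple(v, seen | {v})
                    for v in graph[u] if v not in seen), default=0)

    rd_init = max(longest_simple(s, {s}) for s in init)
    rd = max(longest_simple(u, {u}) for u in reach)
    return {"D": d, "D_I": d_init, "RD": rd, "RD_I": rd_init}

def ct_bounds(graph, init):
    """Thresholds as stated on the slides for AG p, AF p and general LTL."""
    m = diameters(graph, init)
    return {"AG p": m["D_I"],
            "AF p": m["RD_I"] + 1,
            "LTL": min(m["RD_I"] + 1, m["D_I"] + m["D"])}

# Constructed graphs: a 4-state cycle and a complete 4-state graph.
CYCLE = {0: [1], 1: [2], 2: [3], 3: [0]}
COMPLETE = {u: [v for v in range(4) if v != u] for u in range(4)}
```

On the cycle the sum d_I + d is 6 and the recurrence bound 4 wins; on the complete graph the sum is 2 and beats the recurrence bound of 4.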

32
Formulation of diameter in QBF
Infeasible to compute the diameter using a poly-time algorithm for shortest paths.
State s is reachable in j steps:
Thus, k is greater or equal to the diameter d if

33
SAT-based Diameter Computation
M. Mneimneh, K. Sakallah, SAT-based Sequential Depth Computation, ASPDAC03
1. Check if there is a state s reachable in c steps but not reachable in fewer than c steps.
2. Increment c, until no state is reachable in c steps.
May enumerate many states in 1.

34
Recurrence diameter as SAT
Find maximal n that satisfies:
Optimization: Use a sorting network to obtain an ordered permutation of the states [Kroening & Strichman]
[Figure: compare-and-swap network on states s0, s1, s2; annotations O(n^2), O(n log n), O(n)]
Now compare only neighboring states

35
Complexity of BMC: Formula size
Original translation: O(k |M| + k^2 | |)
Automata based translation: O(k |M| 2^| |)
Fixpoint based translation: O(k (|M| + | |))

36
Complexity of BMC
Size of SAT instance is O(k (|M| + | |))
k can become as large as the diameter of the system, which is exponential in the number of state variables in the worst case.
SAT is exponential time.
Therefore, SAT based BMC has doubly exponential complexity.
But LTL model checking is singly exponential!

37
Why use SAT based BMC?
Infeasible to represent P explicitly.
Identify shallow errors efficiently.
In many cases rd(P) and d(P) are not exponential and can be rather small.
E.g. hardware components without counters
Modern SAT solvers are very successful in practice.

38
Unbounded Model Checking using Cube Enlargement
P. Chauhan, E. Clarke, and D. Kroening: Using SAT based Image Computation for Reachability Analysis, CMU-CS-03-151

39
Reachability analysis
Consider a system with state variables x and inputs i.
S_0(x) is the set of initial states.
T(x,i,x ) is the transition relation.
We want to compute the set of reachable states S_reach.
Iterative process: Compute the states reachable in 1 step, 2 steps, …

40
Image computation and Reachability
The set of immediate successors of states S(x) is given by:
The set of all reachable states is the least fixpoint:

41
Computing Reachability
S_{i+1} is the set of new states directly reachable from S_i
Then S_reach is the union of all S_i

42
SAT based image computation
The transition relation T(x,i,x ) is represented as a CNF formula (a set of clauses).
If not already in CNF, it can be converted in polynomial time.
The set of newly reachable states after each step S_i as well as their union S_reach are represented in DNF (a set of cubes).
Obviously S_reach is in CNF.

43
SAT based image computation
S_{i+1} contains all solutions to S_i ( x ) T ( x, i, x ) S_reach ( x ) projected on x and renamed to x
[Figure label: Union of sets of cubes]

44
The image computation step
S_i is in DNF
Convert to CNF by introducing new variables
Solve the CNF formula S_i (x) T(x,i, x ) S_reach (x)
Solution is a cube d
Project d to x and rename to x
Add d to S_reach (x) and S_{i+1} (x)
Repeat until the formula becomes unsat

45
Efficiency issues
The number of satisfying assignments can be exponential in the number of variables.
Therefore two problems:
Enumeration of full assignments is slow. Solution: Cube enlargement
The representation of S_reach and S_i can grow too large. Solution: Systematically combine cubes using an appropriate data structure.

46
Cube enlargement
SAT solvers like zChaff return complete assignments (minterms).
Partial assignments (cubes) are better, because they represent multiple minterms.
For example, the cube x1 x4 represents 4 minterms: x1 x2 x3 x4

47
Efficient cube set representation
Cubes are stored in a hash table of tries.
Each trie is associated with a unique subset of state variables.
Whenever a new cube d is inserted, the corresponding trie is searched for cubes that differ from d in only one literal.
The merged cube (without the differing literal) is stored instead of the two original cubes.

48
Efficient cube set representation
[Figure: hash table whose keys are variable sets such as {x1, x2}, {x1, x7, x8}, {x2, x4}, {x2, x3, x4}, each pointing to a trie; a new cube over x2, x3, x4 is inserted]
1. Identify appropriate hash table entry
2. Look for matching cubes
3. If match was found, delete cube and insert merged cube
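The merge-on-insert rule from these two slides, as an added example (not the authors' implementation): cubes are grouped in a Python dict keyed by their variable set, and a plain set per key stands in for the trie. Class and method names are illustrative, and subsumption between cubes over different variable sets is not handled.

```python
class CubeSet:
    """Cubes grouped by the set of variables they mention (the hash key)."""

    def __init__(self):
        self.buckets = {}                  # frozenset(vars) -> set of cubes

    def insert(self, cube):
        """Insert cube (dict var -> bool), merging while a partner exists."""
        cube = frozenset(cube.items())
        while True:
            key = frozenset(var for var, _ in cube)
            bucket = self.buckets.setdefault(key, set())
            # A partner has the same variables and exactly one opposite literal,
            # so the symmetric difference holds that literal in both polarities.
            partner = next((c for c in bucket if len(c ^ cube) == 2), None)
            if partner is None:
                bucket.add(cube)
                return
            bucket.discard(partner)        # delete the matched cube
            cube = cube & partner          # merged cube: differing literal dropped

    def cubes(self):
        found = [dict(c) for b in self.buckets.values() for c in b]
        return sorted(found, key=lambda d: sorted(d.items()))

    def covers(self, state):
        """True if some stored cube agrees with the full assignment `state`."""
        return any(all(state[v] == val for v, val in c)
                   for b in self.buckets.values() for c in b)


def demo():
    # Constructed input: the four minterms of x2 over variables x2, x3, x4.
    cs = CubeSet()
    for x3 in (True, False):
        for x4 in (True, False):
            cs.insert({"x2": True, "x3": x3, "x4": x4})
    return cs
```

The four inserted minterms collapse through two levels of merging into the single cube x2, because each merged cube is re-inserted under the key of its smaller variable set.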

49
Related work
[Gupta et al, FMCAD 00 and ICCAD 01]: Mixed BDD / SAT approach
[K. McMillan, CAV 02]: Sets of states represented in CNF; CNF clauses stored in ZDDs; Conflict analysis for cube enlargement
[H. Kang and I. Park, DAC 03]: Offline Espresso to reduce the number of cubes; No cube enlargement

50
Unbounded Model Checking using Circuit Cofactoring
M. Ganai, A. Gupta and P. Ashar, Efficient SAT-based Unbounded Symbolic Model Checking Using Circuit Cofactoring, ICCAD 04

51
SAT-based Image Computation
The SAT-based procedure enumerates all state cube solutions.
Each invocation of the SAT solver generates one new state cube.
A blocking clause representing the negation of the state cube is added at each step.
The main problem is that the required number of steps can be very large.

52
Main Contribution
Use circuit cofactoring to capture a large set of states at each enumeration step.
Fewer enumeration steps
Use circuit graph simplification to compact the captured states.
Use a Hybrid SAT Solver that works on both OR/INVERTER circuits and CNF.

53
Definitions
State variables X. Input variables U.
Partial assignment X ∪ U → {0,1}.
State cube s is the projection of on X.
Input cube u is the projection of on U.
Minterm m is a complete assignment to U extending u.

54
Example
X = x1, x2
U = u1, u2
= x1 ∧ ¬u2
s = x1
u = ¬u2
m = u1 ∧ ¬u2

55
Cofactors of Boolean functions
Cofactors of f(v1,…, v,…) with respect to variable v are f_v(v1,…,1,…), f_v(v1,…,0,…)
Cofactor of f with respect to cube c is f_c
Obtained by cofactoring f with respect to each literal in c.
Example

56
Producing larger sets of states
Given a formula f and a satisfying assignment cube s
1. Isolate the input part of s and complete it by picking values for unassigned inputs.
2. Cofactor f with respect to the satisfying input minterm m.
3. Use the function f_m obtained in 2, to represent the set of satisfying states.

57
Example
u1 and u2 are primary inputs.
x1 and x2 are state variables.
We want to compute: ∃ u1 u2 f

58
Example cont
The SAT solver returns as the first assignment.
Step 1: Complete the input part of the assignment by choosing u2 = 1.
Step 2: Cofactor f with respect to the satisfying input minterm m = u1 u2.
We get:

59
Example cont
f_m represents more states than the satisfying cube x2
We needed just one enumeration step to capture the entire solution set

60
SAT-based existential quantification
The returned value of C should correspond to ∃B f(A, B)

61
C ⇔ ∃B f(A, B)
C is a union of cofactors of f with respect to B, therefore C ⇒ ∃B f(A, B)
When the algorithm terminates f(A, B) ∧ ¬C is unsat, therefore ∀B (¬f(A, B) ∨ C) is valid
C contains no variables in B: ∀B (¬f(A, B)) ∨ C
∃B f(A, B) ⇒ C
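The enumeration loop and the correctness argument above, as an added example (not the authors' code): it computes ∃B f(A, B) once by accumulating cofactors f_m and once by blocking one state per step, with exhaustive search standing in for the SAT solver. The function f is constructed for the illustration (the slide's own f is not preserved) and all names are assumptions.

```python
from itertools import product

A = ("x1", "x2")   # state variables, kept
B = ("u1", "u2")   # input variables, quantified out

def f(a, b):
    # Constructed sample function, not the one from the slides.
    return (a["x1"] and b["u1"]) or (a["x2"] and not b["u1"] and b["u2"])

def assignments(names):
    return [dict(zip(names, bits))
            for bits in product([True, False], repeat=len(names))]

def solve(blocked):
    """Stand-in for the SAT call on f(A, B) ∧ ¬C: first model found, or None."""
    for a in assignments(A):
        if not blocked(a):
            for b in assignments(B):
                if f(a, b):
                    return a, b
    return None

def exists_by_cofactoring():
    minterms = []                                   # C = OR of cofactors f_m
    in_c = lambda a: any(f(a, m) for m in minterms)
    while True:
        model = solve(in_c)
        if model is None:                           # f ∧ ¬C is unsat
            break
        minterms.append(model[1])                   # C := C ∨ f_m
    states = {tuple(a.values()) for a in assignments(A) if in_c(a)}
    return states, len(minterms)

def exists_by_state_enumeration():
    found = set()                                   # one blocking clause per state
    while True:
        model = solve(lambda a: tuple(a.values()) in found)
        if model is None:
            break
        found.add(tuple(model[0].values()))
    return found, len(found)

def exists_reference():
    return {tuple(a.values()) for a in assignments(A)
            if any(f(a, b) for b in assignments(B))}
```

Both loops end with the same state set as the direct definition; how many cofactoring steps are needed depends on which input minterm the solver happens to return.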

62
Hybrid SAT-solver
Represents original circuit with 2-input OR/INVERTER gates
Represents learned constraints with CNF
Finds partial satisfying assignments
Dynamically removes inactive clauses

63
Other applications of SAT in formal verification
[D. Kroening, F. Lerda, and E. Clarke, TACAS 04] Bounded Model Checking for Software
[G. Audemard, A. Cimatti, A. Kornilowicz, and R. Sebastiani, FORTE 02] Bounded Model Checking for Timed Systems
[H. Jain, D. Kroening, N. Sharygina, E. Clarke, DAC 05] Word level predicate abstraction and refinement for verifying RTL Verilog

64
For more information …
A survey of Recent Advances in SAT-based Formal Verification by Mukul R Prasad, Armin Biere and Aarti Gupta, STTT.
