Model Checking Based on Interpolation

Presentation transcript:

Model Checking Based on Interpolation
K. L. McMillan, Cadence Berkeley Labs

Interpolation (Craig, 57)
If A ∧ B = false, there exists an interpolant A' for (A, B) such that:
A ⇒ A'
A' ∧ B = false
A' refers only to common variables of A, B
Example: A = p ∧ q, B = ¬q ∧ r, A' = q
Interpolants from proofs: given a resolution refutation of A ∧ B, A' can be derived in linear time (Pudlak, Krajicek, 97).
Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification.

Interpolation-based MC
Combining "bounded model checking" and interpolation gives us a means of over-approximate image computation, hence reachability analysis.
The method is complete for systems of finite diameter.
Modern SAT solvers naturally produce resolution refutations, which leads to fully SAT-based model checking.

Outline
Computing interpolants
Interpolation-based image computation
Model checking finite state systems

Resolution
From (A ∨ p) and (¬p ∨ B), derive (A ∨ B).
Modern SAT solvers naturally produce refutations for CNF formulas using resolution. Interpolants can be derived from such refutations in linear time.

Example
A = (b)(¬b ∨ c)
B = (¬c ∨ d)(¬d)
Refutation: (b), (¬b ∨ c) ⊢ (c); (c), (¬c ∨ d) ⊢ (d); (d), (¬d) ⊢ ⊥
Interpolant: c
The interpolant is a circuit that follows the structure of the proof.
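The derivation above, and the Craig example on the earlier slide (A = p ∧ q, B = ¬q ∧ r), worked in code. This is an added example, not code from the slides: it walks a resolution refutation and labels each clause with a partial interpolant, using the usual rules for propositional proofs (A-clauses contribute their common-variable literals, B-clauses contribute true, resolution on an A-local variable joins with OR, on any other variable with AND). The integer literal encoding (b=1, c=2, d=3 and p=1, q=2, r=3) and the proof-step format are my own assumptions.

```python
# Added example, not code from the slides: extract an interpolant from a resolution
# refutation of A ∧ B. Literals are ints (negative = negated), clauses are frozensets,
# a formula is True/False, a literal, or ("and"|"or", f, g).

def cnf_vars(cnf):
    return {abs(lit) for clause in cnf for lit in clause}

def node(op, f, g):
    """f <op> g with constant folding (True is the unit of 'and', False of 'or')."""
    unit = op == "and"
    for x, y in ((f, g), (g, f)):
        if isinstance(x, bool):
            return y if x == unit else x
    return f if f == g else (op, f, g)

def interpolate(a_cnf, b_cnf, proof):
    """An A-leaf keeps its common-variable literals, a B-leaf is True; resolving on
    an A-local variable joins the partial interpolants with 'or', otherwise with 'and'."""
    a_local = cnf_vars(a_cnf) - cnf_vars(b_cnf)
    common = cnf_vars(a_cnf) & cnf_vars(b_cnf)
    clauses, itps = [], []
    for step in proof:                  # ("leaf", clause) or ("res", i, j, pivot_var)
        if step[0] == "leaf":
            cl, p = step[1], True
            if cl in a_cnf:
                p = False
                for lit in (l for l in cl if abs(l) in common):
                    p = node("or", p, lit)
        else:
            _, i, j, v = step
            assert {v, -v} <= clauses[i] | clauses[j], "pivot missing from premises"
            cl = (clauses[i] | clauses[j]) - {v, -v}
            p = node("or" if v in a_local else "and", itps[i], itps[j])
        clauses.append(cl)
        itps.append(p)
    assert clauses[-1] == frozenset(), "proof does not end in the empty clause"
    return itps[-1]

# Constructed input: this slide's example with b=1, c=2, d=3.
A = [frozenset({1}), frozenset({-1, 2})]            # (b)(¬b ∨ c)
B = [frozenset({-2, 3}), frozenset({-3})]           # (¬c ∨ d)(¬d)
PROOF = [("leaf", A[0]), ("leaf", A[1]), ("leaf", B[0]), ("leaf", B[1]),
         ("res", 0, 1, 1), ("res", 4, 2, 2), ("res", 5, 3, 3)]   # (c), (d), then ⊥
INTERPOLANT = interpolate(A, B, PROOF)              # the literal c (= 2), as on the slide

# The earlier slide's example with p=1, q=2, r=3: A = p ∧ q, B = ¬q ∧ r, one resolution on q.
A2 = [frozenset({1}), frozenset({2})]
B2 = [frozenset({-2}), frozenset({3})]
INTERPOLANT2 = interpolate(A2, B2, [("leaf", A2[1]), ("leaf", B2[0]), ("res", 0, 1, 2)])  # q (= 2)
```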

DPLL SAT solvers
Given a propositional formula in CNF, they either produce a satisfying assignment or produce a resolution refutation.
Current solvers, like Chaff and BerkMin, are highly efficient, especially in the case when there is a small "core" of clauses that are unsatisfiable.

An interpolating SAT solver
(A, B) in CNF → SAT solver → proof → Interpolation → A'

Interpolation-based MC
Exploit interpolation to compute an over-approximate image operator.
Allows symbolic model checking.
The procedure is complete for finite diameter systems.

Modeling
The system is modeled by a transition constraint. Each circuit element induces a constraint (note: a = a_t and a' = a_t+1):
g = a ∧ b
p = g ∨ c
c' = p
Model: C = { g = a ∧ b, p = g ∨ c, c' = p }

Bounded model checking
Unfold the model k times: U = C0 ∧ C1 ∧ ... ∧ Ck-1
Use a SAT solver to check satisfiability of I0 ∧ U ∧ Fk.
If unsatisfiable: the property has no counterexample of length k, and the solver can produce a refutation proof P.

Reachability
Is there a path (of any length) from I to F satisfying transition constraint C?
Reachability fixed point: R0 = I; Ri+1 = Ri ∨ Img(Ri, C); R = ∪ Ri
Image operator: Img(P, C) = λV'. ∃V. (P(V) ∧ C(V, V'))
F is reachable iff R ∧ F ≠ false

Reachability
(Picture: nested sets I ⊆ R1 ⊆ R2 ⊆ ... ⊆ R, with F outside.)
R1 = I ∨ Img(I, C)
R2 = R1 ∨ Img(R1, C)

Overapproximation
An overapproximate image operator is an Img' such that for all P, Img(P, C) implies Img'(P, C).
Overapproximate reachability: R'0 = I; R'i+1 = R'i ∨ Img'(R'i, C); R' = ∪ R'i
Img' is adequate (w.r.t. F) when: if P cannot reach F, then Img'(P, C) cannot reach F.
If Img' is adequate, then F is reachable iff R' ∧ F ≠ false.

Adequate image
(Picture: Img(P, C) inside Img'(P, C); the states reached from P versus the states that can reach F.)
But how do you get an adequate Img'?

k-adequate image operator
Img' is k-adequate (w.r.t. F) when: if P cannot reach F, then Img'(P, C) cannot reach F within k steps.
Note: if k > diameter, then k-adequate is equivalent to adequate.

Interpolation-based image
Idea: use the unfolding to enforce k-adequacy.
A = P-1 ∧ C-1
B = C0 ∧ C1 ∧ ... ∧ Ck-1 ∧ Fk
(Picture: P, then transitions C from t = 0 to t = k, then F; A covers the first step, B the rest.)
Let Img'(P)0 = A', where A' is an interpolant for (A, B). Then Img' is k-adequate!

Huh?
A ⇒ A', so Img(P, C) ⇒ Img'(P, C).
A' ∧ B = false, so Img'(P, C) cannot reach F in k steps.
Hence Img' is a k-adequate overapproximation.
Note: if A, B are consistent, then let Img'(P, C) = T.

Intuition
A' tells us everything the prover deduced about the image of P in proving it can't reach F in k steps.
Hence, A' is in some sense an abstraction of the image relative to the property.

Reachability algorithm
let k = 0
repeat
  if I can reach F within k steps, answer reachable
  R = I
  while Img'(R, C) ∧ F = false
    R' = Img'(R, C) ∨ R
    if R' = R, answer unreachable
    R = R'
  end while
  increase k
end repeat

Termination
Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.
Notes:
We don't need to know when k > d in order to terminate.
Often termination occurs with k << d.
The depth bound for the earlier method (Sheeran et al. '00) is the "longest simple path", which can be exponentially longer than the diameter.

PicoJava II benchmarks
Hardware Java virtual machine implementation.
Properties derived from verification of the ICU, which handles cache, instruction prefetch and decode.
The original abstraction was manual. The neighboring IFU was added to make the problem harder; result: many irrelevant facts in the problem.
(Block diagram: ICU, IFU, Mem/Cache, Integer unit.)

Results
Benchmarks completed in 1800 s:
Standard model checking: 0/20
Interpolation-based: 19/20
Reason: the interpolation method exploits the SAT solver's ability to narrow proofs to relevant facts.

v. proof-based abstraction (McM, TACAS03)

v. proof-based abstraction (CCKSVW, FMCAD02)

v. K-induction (SSS, FMCAD00)

IBM GP benchmarks

GP benchmarks - true properties

Characteristics
SAT-based methods are effective when a very large set of facts is available and only a small subset is relevant to the property.
They exploit the SAT solver's ability to narrow the proof to relevant facts, i.e., they narrow the reachable-states approximation to the relevant variables.
The interpolation method exploits this fact to compute an abstract image operator.

Infinite-state verification
Direct approach: express the transition constraint in FOL.
Example: simple "Bakery" protocol (state diagram over states NC and C for the two processes), with transition constraints:
ticket0' > ticket1
ticket1' > ticket0
ticket1 > ticket0 ∨ state1 = NC
ticket0 > ticket1 ∨ state0 = NC
Terminates because the diameter is finite, though the state space is infinite.

Infinite-state verification
Predicate abstraction approach (Graf, Saïdi, 97):
Choose a set of predicates to represent state, i.e., for bakery: ticket1 > ticket0 and ticket0 > ticket1.
Transform C into a predicate-state transducer.
Interpolants are now strictly Boolean.
Convergence is guaranteed, but there may be false negatives.
Advantages of the interpolation approach:
Avoids conversion to a Boolean formula.
Avoids building BDDs!
Strong ability to ignore irrelevant predicates.

Conclusion
SAT solvers have the ability to generate refutations for bounded reachability and to filter out irrelevant facts.
These abilities can be exploited to generate an abstract image operator, using Craig interpolation.
This yields a reachability procedure that is fully SAT-based, operates directly on infinite-state systems, and is robust w.r.t. irrelevant facts.