Presentation is loading. Please wait.

Presentation is loading. Please wait.

Solving Linear Arithmetic with SAT-based MC

Published byColin Scott Modified over 5 years ago

Similar presentations

Presentation on theme: "Solving Linear Arithmetic with SAT-based MC"β€” Presentation transcript:

1 Solving Linear Arithmetic with SAT-based MC
Yakir Vizel Princeton University Alexander Nadel Intel Development Center Sharad Malik Princeton University FMCAD 2017

2 SMT Formula over a theory T SMT Solver for T SAT UNSAT

3 Reduce to Safety Verification
LIAMC Formula over a theory T Reduce to Safety Verification Model Checker UNSAFE SAFE SMT Solver for T SAT UNSAT

4 Motivation Arithmetic theory, in particular Linear Arithmetic, is needed when reasoning about software/hardware* Software/hardware uses finite representation of integers Usually Integers modulo 2k Yet, BV solvers efficiency is a limiting factor An alternative is LIA solvers More efficient, but less precise as they cannot take overflow into account

5 QF_LIA Defined by the following grammar: Where:
πœ‘βˆ·=π‘‘π‘Ÿπ‘’π‘’ π‘“π‘Žπ‘™π‘ π‘’ 𝑝 Β¬πœ‘ πœ‘βˆ¨πœ‘ πœ‘βˆ§πœ‘ π‘‘π‘’π‘Ÿπ‘šβ‹ˆπ‘‘π‘’π‘Ÿπ‘š π‘‘π‘’π‘Ÿπ‘šβˆ·=𝑐 π‘₯ π‘‘π‘’π‘Ÿπ‘š+π‘‘π‘’π‘Ÿπ‘š|π‘‘π‘’π‘Ÿπ‘šβˆ’π‘‘π‘’π‘Ÿπ‘š|π‘Γ—π‘‘π‘’π‘Ÿπ‘š|π’Šπ’•π’†(πœ‘,π‘‘π‘’π‘Ÿπ‘š,π‘‘π‘’π‘Ÿπ‘š) Where: β‹ˆ ∈{<,≀,>,β‰₯,=} A term can be either in β„€ or β„€ modulo k (bit-vector)

6 Example Consider the following formula where x,y,z are bit-vectors of size 4: πœ‘βˆ·=(𝑧=π‘₯+𝑦)∧(π‘₯>0)∧(𝑦>0)∧(𝑧<0) A traditional BV solver encodes this formula to SAT by means of bit-blasting: A full-adder: FA(a, b, s, ci, co) 𝐹𝐴( π‘₯ 0 , 𝑦 0 , 𝑧 0 , 𝑐 0 𝑖 , 𝑐 0 π‘œ )∧𝐹𝐴( π‘₯ 1 , 𝑦 1 , 𝑧 1 , 𝑐 0 π‘œ , 𝑐 1 π‘œ )∧𝐹𝐴( π‘₯ 2 , 𝑦 2 , 𝑧 2 , 𝑐 1 π‘œ , 𝑐 2 π‘œ )∧𝐹𝐴( π‘₯ 3 , 𝑦 3 , 𝑧 3 , 𝑐 2 π‘œ , 𝑐 3 π‘œ ) ((π‘₯ 3 =0)∧ (π‘₯ 0 ∨ π‘₯ 1 ∨ π‘₯ 2 )) ∧ ((𝑦 3 =0)∧ (𝑦 0 ∨ 𝑦 1 ∨ 𝑦 2 ))∧ (𝑧 3 =1)

7 Example 𝐹𝐴( π‘₯ 0 , 𝑦 0 , 𝑧 0 , 𝑐 0 𝑖 , 𝑐 0 π‘œ )∧𝐹𝐴( π‘₯ 1 , 𝑦 1 , 𝑧 1 , 𝑐 0 π‘œ , 𝑐 1 π‘œ )∧𝐹𝐴( π‘₯ 2 , 𝑦 2 , 𝑧 2 , 𝑐 1 π‘œ , 𝑐 2 π‘œ )∧𝐹𝐴( π‘₯ 3 , 𝑦 3 , 𝑧 3 , 𝑐 2 π‘œ , 𝑐 3 π‘œ ) ((π‘₯ 3 =0)∧ (π‘₯ 0 ∨ π‘₯ 1 ∨ π‘₯ 2 )) ∧ ((𝑦 3 =0)∧ (𝑦 0 ∨ 𝑦 1 ∨ 𝑦 2 ))∧ (𝑧 3 =1) x0 y0 x1 y1 x2 y2 x3 y3 FA FA FA FA z0 z1 z2 z3

8 Reduction to Safety Verification

9 Width ⬌ Time FA x0 y0 x1 y1 x2 y2 x3 y3 z1 z0 z2 z3

10 Width ⬌ Time Treat bit-vectors as streams of bits over time
Starting from the LSB The i-th bit is available at the i-th clock cycle FA xi yi zi co

11 Comparators a = b: bits should be equal at every cycle
Sequential circuit: track all bits up to this point a b x = &

12 Comparators a < b: the sign bit changes at each cycle
Sequential circuit: unsigned comparison ULT: (Β¬a∧b) ⋁ [Β¬(a∧¬b)∧x] Combinational circuit: take care of the sign bit a b x ULT a⋁¬b a∧¬b 1 MUX

13 Reduction to Safety Verification
A formula πœ‘ is translated to a sequential circuit C Assume πœ‘ is a DAG: For each leaf of sort bit-vector/integer create an input terminal For each leaf of sort Boolean, create an uninitialized latch x x’ = x For a leaf of a constant type use a counter The counter determines the cycle For each cycle the value is known a-priori Boolean operations are implemented using their equivalent logical gates Arithmetic operations and comparators The output of C is assigned to true when πœ‘ is satisfiable k cycles correspond to bit-vector of width k

14 Reduction to Safety Verification
Find the maximal number of bits required to represent constants in πœ‘ - kmin πœ‘ is not well defined for k < kmin When creating the property, add a guard wmin wmin is initialized to false and becomes true after kmin cycles The property Bad := wmin∧C.output()

15 Reduction to Safety Verification
A formula πœ‘ is translated to a sequential circuit C Assume πœ‘ is a DAG

16 Using a Model Checker

17 Safety Verification A transition system T=(V, INIT, Tr, Bad)
T is UNSAFE if and only if there exists a path in T from a state in INIT to a state in Bad, or if T is SAFE if and only if there exists a safe inductive invariant Inv s.t. πœ‡ 𝑇,𝑁 :=𝐼𝑁𝐼𝑇( 𝑉 0 )∧ 𝑖=0 π‘βˆ’1 π‘‡π‘Ÿ 𝑉 𝑖 , 𝑉 𝑖+1 βˆ§π΅π‘Žπ‘‘( 𝑉 𝑁 )↛βŠ₯ πΌπ‘πΌπ‘‡βŸΆπΌπ‘›π‘£ 𝐼𝑛𝑣 𝑉 βˆ§π‘‡π‘Ÿ 𝑉, 𝑉 β€² →𝐼𝑛𝑣 𝑉 β€² πΌπ‘›π‘£β†’Β¬π΅π‘Žπ‘‘

18 SAT-based Model Checking (SATMC)
Search for a counterexample for a specific length Bounded Model Checking (BMC) Checking satisfiability of πœ‡(T,N) If a counterexample does not exist, generalize the bounded proof into a candidate Inv Check if Inv is a safe inductive invariant

19 BMC and Traditional BV Solvers
Time correlates to width Unrolling depth therefore correlates to width FA x y z co

20 BMC and Traditional BV Solvers
Time correlates to width Unrolling depth therefore correlates to width FA x0 y0 x1 y1 x2 y2 x3 y3 z1 z0 z2 z3

21 BMC and Traditional BV Solvers
Time correlates to width Unrolling depth therefore correlates to width Similar to bit-blasting BMC ⋍ Eager BV Solver

22 Generalization - UNSAT
If πœ‘ is UNSAT when interpreted over bit-vectors of width k Can we generalize this result for bit-vectors of width N > k?

23 Generalization - UNSAT
If πœ‘ is UNSAT when interpreted over bit-vectors of width k Can we generalize this result for bit-vectors of width N > k? Use the ability of a MC to generalize a bounded proof to an unbounded proof When finding an inductive invariant at depth k: πœ‘ is UNSAT for all N > k πœ‘ is UNSAT over the integers

24 β€œGeneralization” - SAT
If πœ‘ is SAT when interpreted over bit-vectors of width k Can we generalize this result for bit-vectors of width N > k?

25 β€œGeneralization” - SAT
πœ‘βˆ·=(𝑧=π‘₯+𝑦)∧(π‘₯>0)∧(𝑦>0)∧(𝑧<0) For k=2, a satisfying assignment: x=1, y=1, z=-2 x=01, y=01, z=10 For k=3, a satisfying assignment: x=3, y=3, z=-2 x=011, y=011, z=110 For k=4, a satisfying assignment: x=7, y=7, z=-2 x=0111, y=0111, z=1110

26 Extending a satisfying assignment
If πœ‘ is SAT when interpreted over bit-vectors of width k Then, πœ‡(T,k) is satisfiable There exists a counterexample of length N Satisfying assignment πœ‹ Satisfying assignment πœ‹ constraint the first k bits

27 Extending a satisfying assignment
Satisfying assignment πœ‹ constraint the first k bits In the case of Bit-Vectors, try to extend it incrementally πœ‡(T,k+1) ∧ πœ‹ Pay attention to the sign bit In the case of Integers, add the following constraint: Solve with LIA solver π‘£βˆˆπœ‘ 𝑣= 𝑣 βˆ— Γ— 2 π‘˜ + 𝑐 𝑣 ∨ βˆ’π‘£= 𝑣 βˆ— Γ— 2 π‘˜ + 𝑐 𝑣

28 Extending a satisfying assignment
πœ‹ a counterexample of length k

29 Experiments

30 Implementation and Benchmark
Prototype supports all bit-wise operation and the LIA subset of QF_BV Experiments of LIAMC focus on LIA over integers and bit-vectors Implemented on top of ABC and open source SMT-LIB parser Benchmarks – translated all the LIA benchmaks to QF_BV Using varying bit-vector widths: 32, 64, and 128

31 Integers modulo 2k Integers

32

33

34

35

36 Extending Support to QF_BV
Sign/zero extension and extraction can be added (fairly easily) The sequential representation of complex operators depend on the width Multiplication, division, shl, shr Can also be viewed as if one of the operands should be known a-priori Parametrized system Possible solutions Abstraction refinement Hybrid solutions

37 Conclusions A novel decision procedure for an important subset of QF_BV Supiror to state-of-the-art BV solvers on satisfiable instances In theory, can be as good as BV solvers for unsatisfiable instances Currently working on extending the support for QF_BV

Download ppt "Solving Linear Arithmetic with SAT-based MC"

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Satisfiability modulo the Theory of Bit Vectors

Satisfiability modulo the Theory of Bit Vectors
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
50.530: Software Engineering

50.530: Software Engineering
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ β‹€ Β¬ ⋁ β‹€

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ β‹€ Β¬ ⋁ β‹€
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Kâksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Kâksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Β© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

Β© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla.

Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla.
Department of Electrical and Computer Engineering M.A. Basith, T. Ahmad, A. Rossi *, M. Ciesielski ECE Dept. Univ. Massachusetts, Amherst * Univ. Bretagne.

Department of Electrical and Computer Engineering M.A. Basith, T. Ahmad, A. Rossi *, M. Ciesielski ECE Dept. Univ. Massachusetts, Amherst * Univ. Bretagne.
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.

1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
IBM Labs in Haifa Software and Verification Technologies Supporting SAT based BMC on Finite Path Models Daniel Geist Mark Ginzburg Yoad Lustig Ishai Rabinovitz.

IBM Labs in Haifa Software and Verification Technologies Supporting SAT based BMC on Finite Path Models Daniel Geist Mark Ginzburg Yoad Lustig Ishai Rabinovitz.
11.7.2005 Computing OverΒ­Approximations with Bounded Model Checking Daniel Kroening ETH ZΓΌrich.

Computing OverΒ­Approximations with Bounded Model Checking Daniel Kroening ETH ZΓΌrich.
1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.

1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.

Similar presentations

Ads by Google