Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla.

1 Proof-based Abstraction (Ken McMillan, Nina Amla). Presented by Roman Gershman.

2 Technion. Motivation for this article: in the verification world, size DOES matter!

3 The goal
- We want to check LARGE models.
- We want to scale beyond the "current" model checking technologies (BDDs).
- Off the record: it is ironic that the inventor of SMV offers a new way of doing model checking.

4 Well
- We will not completely drop SMV (yet), but we are going to help it using SAT.
- In my opinion, this article is a turning point for us and for McMillan in understanding how to do complete MC using SAT.
- At the next lesson we will see how to do MC using SAT.

5 Model checking, in this context
- Given:
  - A finite transition system M over states S, with initial states I ⊆ S and transition relation T ⊆ S × S.
  - A propositional property P.
- Determine: does M allow a counterexample to P?
- Less than 1000 variables (FF).

6 Symbolic Model Checking
  S = I; Prev = ∅
  While S != Prev:
    Prev = S
    If (S ∧ ¬P ≠ ∅) then return BUG;
    S = S ∨ ∃x' (S(x') ∧ T(x', x))

7 Set representations
- What are I, T, P? How do they look? How can we build them?
- Examples of representations:
  - I is a BDD.
  - I = {(1,0), (1,1), (1,1)} (explicit).
  - Logic circuits: [diagram: a circuit over x1, x2 whose output is TRUE]

8 Circuits
- We will need to know two representations today: circuit and CNF.
- Both represent closed functions, in the form f(x) = TRUE.
- CNF: (x1 ∨ ¬x'1) ∧ (¬x1 ∨ x'1)
- Circuit: (x1 & ¬x'1) or (¬x1 & x'1)
- [diagram: the circuit over x1 and x'1 with output TRUE; x1' = not x1]

9 Bounded model checking
- Given: a finite transition system M(I,T) and a propositional property P.
- Determine: does M allow a counterexample to P of k transitions or fewer?
- Can reach more than 10000 FF.

10 The main idea
- Apply BMC on a large model.
- Perform proof-based abstraction and get a smaller model.
- Apply model checking on the small model.

11 BMC
- State vectors {x_i}, i = 1..k, one for each cycle i.
- The propositional formula I(x_0) ∧ T(x_0, x_1) ∧ … ∧ T(x_{k-1}, x_k) ∧ ¬P(x_k) is SAT ⇔ the property does not hold at cycle k.
  (I(x_0) ∧ T(x_0, x_1) ∧ … ∧ T(x_{k-1}, x_k) is the program path for k phases; ¬P(x_k) is the final condition on cycle k.)

12 BMC
- How do we represent a formula that says "there is a bug at some phase up to phase K"?

13 Circuit to CNF translation
- Circ2CNF, for a gate G with inputs x and y: (¬x ∨ G) ∧ (¬y ∨ G) ∧ (x ∨ y ∨ ¬G) (these three clauses encode G = x ∨ y).

14 SAT solver
- Solves propositional formulas in CNF format, for example (x1 ∨ x2) ∧ (¬x3 ∨ x5).
- Uses the resolution-based algorithm DPLL.
- Resolution rule: from (A ∨ x) and (B ∨ ¬x) derive (A ∨ B).

15 SAT solver - DPLL
  While (not empty clause):
    decide on some unassigned var;
    If (BCP returns conflict):
      Record a new conflict clause using resolution
      Backtrack to satisfy that clause.

16 SAT solver - BCP
- While there is some clause C = (x1 ∨ x2 ∨ … ∨ xn) under partial assignment {¬x1, …, ¬x(n-1)} AND xn is unassigned:
  - Extend the assignment with xn = TRUE.
  - Set C to be the reason clause of xn.
- If all literals of C are FALSE then stop and return C as a conflicting clause.

17 BCP - Example
- Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d)
- Decisions: a, ¬c
- Implications: b (reason clause ¬a ∨ b), then d (reason clause ¬b ∨ c ∨ d)
- Assignment: a ∧ b ∧ ¬c ∧ d

18 BCP - cont.
- Each assigned variable is either a decision variable or was implied by a reason clause (an implied variable).
- Let C(v) be the reason clause for setting literal v = TRUE. Suppose C'(t) is another reason clause (for variable t) that contains ¬v. Then C and C' are a valid resolution pair on v, i.e. they do not have any other variable with different polarity.

19 BCP - cont.
- Proof: falsely assume that there is a literal x s.t. x ∈ C and ¬x ∈ C'.
  1. C' implied t after C implied v.
  2. x was FALSE when C implied v.
  3. Therefore C' contained the satisfied literal ¬x when it implied t, which contradicts the condition that all its literals but one are falsified.

20 SAT solver - DPLL
  While (not empty clause):
    decide on some unassigned var;
    If (BCP returns conflict):
      Record a new conflict clause using resolution
      Backtrack to satisfy that clause.

21 Resolution algorithm
- Set Conf = a conflicting clause from BCP.
- While a stopping condition did not occur:
  1. Choose some implied literal v from Conf.
  2. Conf = Resolve(Conf, C(v))

22 Conflicting Clauses - example
- Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
- Decisions: a, ¬c. Assignment: a ∧ b ∧ ¬c ∧ d. Conflicting! (The clause (¬b ∨ ¬d) is falsified.)
- Resolve (¬b ∨ c ∨ d) with (¬b ∨ ¬d) on d: intermediate clause (¬b ∨ c).
- Resolve (¬b ∨ c) with (¬a ∨ b) on b: new conflict clause (¬a ∨ c).
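An added example, not part of the slides, that implements the BCP and resolution steps of slides 16 to 22 in Python and runs them on the deck's own clauses and decisions. The literal/clause encoding and the stopping condition ("only decision literals remain"; the slides leave it open) are this example's assumptions.

```python
# Constructed clauses and decisions from the slides' example; a literal is
# (var, polarity) and a clause is a tuple of literals. The encoding is this
# example's own assumption, not any solver's.
C1 = (("a", False), ("b", True))                  # ~a v b
C2 = (("b", False), ("c", True), ("d", True))     # ~b v c v d
C3 = (("b", False), ("d", False))                 # ~b v ~d
DECISIONS = {"a": True, "c": False}               # decide a, then ~c

def bcp(clauses, assignment, reason, trail):
    """Unit-propagate to a fixpoint. Each implied variable gets its reason
    clause and is appended to trail. Returns a clause whose literals are all
    FALSE (a conflict) or None."""
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(assignment.get(v) == p for v, p in c):
                continue                          # clause already satisfied
            open_lits = [l for l in c if l[0] not in assignment]
            if not open_lits:
                return c                          # all literals FALSE
            if len(open_lits) == 1:               # unit: extend the assignment
                v, p = open_lits[0]
                assignment[v], reason[v] = p, c
                trail.append(v)
                changed = True
    return None

def learn(conflict, reason, trail):
    """Resolve Conf with the reason clause of its most recently implied literal
    until only decision literals remain (the stopping condition chosen here)."""
    conf = set(conflict)
    while True:
        implied = [v for v in reversed(trail) if any(l[0] == v for l in conf)]
        if not implied:
            return frozenset(conf)
        v = implied[0]
        # valid resolution pair on v (slide 18): drop both polarities of v
        conf = {l for l in conf | set(reason[v]) if l[0] != v}

def run(clauses, decisions):
    """Apply the decisions, run BCP, and learn a conflict clause on conflict."""
    assignment, reason, trail = dict(decisions), {}, []
    conflict = bcp(clauses, assignment, reason, trail)
    learned = learn(conflict, reason, trail) if conflict else None
    return assignment, learned
```

With only C1 and C2 (slide 17) the run ends without conflict; with C3 added (slide 22) BCP reports (¬b ∨ ¬d) and the learned clause is (¬a ∨ c).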

23 Resolution algorithm
- If we draw a binary node for each resolution step, then each run of the resolution algorithm looks like a binary tree in the form of a string (a chain), i.e. each inner node has a leaf child.
- The source (root) of the tree is the new conflict clause.
- The global graph will not look like a tree, though.
- [diagram: original clauses O1, O2 and intermediate node i1 = Resolve(O1, O2)]

24 Resolution Graph
- [diagram: original clauses O1..O7, intermediate clauses i1..i4, conflict clauses C-1..C-3]
- Binary DAG with intermediate and conflict clauses. Each node in the graph is derived from its descendants.
- Collapsed DAG with multi-degree nodes: [diagram: C-1, C-2, C-3 over O1..O7]

25 Resolution Graph
- If DPLL finished with UNSAT then the resolution graph of its run has a source node with an empty clause.
- Is it the only source? No, there can be many others.
- Is it the only source with an empty clause? Yes; it is implied by the termination condition of DPLL.

26 Resolution Graph
- The whole resolution graph denotes exactly a resolution trace of DPLL. However, it is not possible to extract the order of decisions and their values (the DPLL run) from this graph.
- Denote by G_F the resolution graph of the solver's run on the unsatisfiable formula F.
- G_F is not unique: it is determined by the specific solver (a hidden parameter).

27 Resolution Graph
- Let Core(G_F) = Descendants(⊥_F) ∩ F, where ⊥_F is the empty-clause source of G_F.
- Core(G_F) is still an unsatisfiable formula.
- Assumption 1: usually Core(G_F) is much smaller than F.
- Assumption 2: Var(Core(G_F)) is much smaller than Var(F).

28 Applications
- Suppose T_c is the circuit representation of the transition constraint, and Circ2CNF(func, i) translates a circuit to its CNF representation at phase i.
- Then T(x_{i-1}, x_i) = Circ2CNF(T_c, i).
- Bug at some phase on a path:

29 Abstraction of the problem
- Abstract(T_c, Core(F_k)) = { g ∈ T_c | ∃ i ≤ k : Circ2CNF(g, i) ∩ Core(F_k) ≠ ∅ }
- Abstract(T_c, Core(F_k)) is like the inverse image of Core(F_k) with respect to Circ2CNF.

30 Special effects
- [diagram: T_c maps by Circ2CNF to F_k; Core(F_k) ⊆ F_k maps back by Circ2CNF^-1 to Abstract(T_c)]

31 Main Algorithm
  FiniteRun( M = (I_c, T_c, P) )
    Set k ← 0
    While TRUE:
      If BMC(F_k) = SAT then
        return BUG with the satisfying assignment
      else
        M' = Abstract(Core(F_k))
        ModelCheck M'
        If M' has an accepting run of length k' then
          Set k ← k'
        else
          return "VALID property"
- Can it be that k' < k?
- Assumes that M' is smaller than M.
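An added example, not from the paper or the deck, that ties slides 13, 27 to 29 and 31 together in Python: Circ2CNF as Tseitin clauses tagged by gate and phase, the BMC formula F_k, a core of the unsatisfiable F_k, and Abstract(T_c, Core(F_k)) as the gates with a clause in that core. The model, the brute-force SAT check and the deletion-based core are constructed stand-ins for the paper's SAT solver and resolution-graph core; the ModelCheck step of FiniteRun is not included.

```python
from itertools import product
# Constructed model (not from the paper): state bits a, b with next-state gates
# a' = a and b' = not b; I: a=1, b=0; P: a=1. Bit b does not influence P, so
# the core-based abstraction should keep gate a' and drop gate b'.
TC = {"a'": ("id", "a"), "b'": ("not", "b")}
INIT = {"a": True, "b": False}
PROP = "a"

def var(name, phase):
    return f"{name}@{phase}"

def circ2cnf(gate, phase):
    """Tseitin clauses of one gate at phase i, tagged with the gate. The output
    is the state bit at phase i, the input the bit at phase i-1."""
    op, src = TC[gate]
    out, inp = var(gate[:-1], phase), var(src, phase - 1)
    if op == "id":   # out <-> inp
        cls = [[(out, True), (inp, False)], [(out, False), (inp, True)]]
    else:            # out <-> not inp
        cls = [[(out, True), (inp, True)], [(out, False), (inp, False)]]
    return [(gate, c) for c in cls]

def bmc_formula(k):
    """F_k = I(x_0) ^ T(x_0,x_1) ^ ... ^ T(x_{k-1},x_k) ^ ~P(x_k) as tagged clauses."""
    f = [("I", [(var(n, 0), v)]) for n, v in INIT.items()]
    for i in range(1, k + 1):
        for g in TC:
            f += circ2cnf(g, i)
    return f + [("~P", [(var(PROP, k), False)])]

def satisfiable(tagged):
    """Brute-force SAT check standing in for the SAT solver (toy sizes only)."""
    vs = sorted({v for _, c in tagged for v, _ in c})
    for bits in product([False, True], repeat=len(vs)):
        asg = dict(zip(vs, bits))
        if all(any(asg[v] == p for v, p in c) for _, c in tagged):
            return True
    return False

def unsat_core(tagged):
    """Deletion-based minimal unsat subset, standing in for Core(G_F)."""
    core = list(tagged)
    for c in list(core):
        rest = [d for d in core if d is not c]
        if not satisfiable(rest):
            core = rest
    return core

def abstract(core):
    """Abstract(T_c, Core) = gates with some clause, at some phase, in the core."""
    return {tag for tag, _ in core if tag in TC}
```

For k = 2, F_2 is UNSAT, its core is the four clauses I(a), the a' clause at phases 1 and 2, and ¬P, and the abstraction keeps only gate a'.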

32 Question: what about liveness?

33 Reminder
- Using a Büchi automaton, we can create the product automaton A := M × ¬P.
- Checking liveness is equivalent to checking emptiness of A.
- We need to find an infinite run on which an accepting state is crossed infinitely often.

34 Liveness properties
- There is an infinite run on which formula G is satisfied infinitely often.
- There is a run x_0, …, x_k s.t.:
  - T(x_i, x_{i+1}) is satisfied,
  - I(x_0) is satisfied,
  - for some 0 ≤ m < k, x_m = x_k,
  - for some m ≤ j ≤ k, G(x_j) is TRUE.

35 Liveness BMC
- CNF formula:
- Run FiniteRun on this formula the same way.

36 Optimizations
- Cone of influence.
- Variable substitutions: (f = q) ⇒ replace all occurrences of f by q.
- Pure variables.

37 Results
- 20 safety samples; none of them could be solved by MC.
- After applying abstraction, 18 were solved: BMC, then abstraction, then MC on the abstract model.
- 2 were stuck during BMC.

38 The next article: Hybrid approach (or Proof-based refinement)

39 The problem
- Suppose we have the original model M and its abstract buddy.
- We want to check the case when is SAT and we have a counterexample A for.
- We need to check the formula
- In case it is SAT, we are done and have a real counterexample.
- In case it is UNSAT, we want to refine.

40 Proof-based refinement (by Chauhan et al.)
- Consider the proof P (of the unsatisfiable formula from the previous slide).
- There is at least one clause in P that is not contained in the abstraction.
- In other words, there is at least one gate in M that is not in the abstract model, which helps to refute A.

41 Proof-based refinement
- Given proof P, for any set of constraints (gates) Q, we define:
- We refine by setting:

42 Proof-based refinement
- Recall that this is exactly like the definition of the abstract set from the previous paper.
- Where is the difference?

43
- Proof-based abstraction:
- Refinement:

44
- Hybrid method: a heuristic approach to tune between these two methods.
- The idea is to use the SAT solver to try to do refinement for all counterexamples of length k (A = ∅) and then to refine with A.

45 Concretize
  Input F_k
  Decide decisions from A.
  Res = SAT_Solve(TimeLimit)
  If (Res != TimeOut) return Res;
  Add A to the CNF formula.
  Return SAT_Solve(∞)

46 Results
- It is compared with the CEX approach and pure proof-based abstraction.
- It is presented as superior to CEX and similar to proof-based.

47 The END & Thank you
