K. L. McMillan Cadence Berkeley Labs
SAT and Model Checking

Outline
Background: symbolic model checking; DPLL-style SAT solvers; bounded model checking.
SAT-based model checking methods: k-induction; localization abstraction; SAT-based image computation; interpolation.
Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification.

Model checking
Problem definition: does every run of a (finite-state) transition system satisfy a given temporal property?
Result: yes, or no plus a counterexample.
Examples: Is every request to this bus arbiter eventually acknowledged? Does this program ever dereference a null pointer?

Transition systems
Tuple (S, I, T), where: S is the (finite) set of states; I ⊆ S is the set of initial states; T ⊆ S × S is the set of transitions.
A run of (S, I, T) is an infinite sequence σ of states such that σ_0 ∈ I and, for all i ≥ 0, (σ_i, σ_{i+1}) ∈ T.
That is, a run is an infinite path in the state graph starting with an initial state.

Linear Temporal Logic (LTL)
Augments propositional logic with temporal operators: Fp = "p is true some time in the future"; Gp = "p is true always in the future"; pUq = "eventually q, until which p"; Xp = "p at next time".
Examples: G (req → F gnt); G (req → (req U gnt)); G (gnt → req).

Safety v. Liveness
Safety properties: "bad thing never happens". Characterized by bad finite prefixes: an infinite run is bad exactly when it has a bad prefix.
Liveness properties: "good thing eventually happens". Pure liveness: any finite behavior can be extended to a satisfying run.
We will concentrate only on safety properties, but most results generalize to liveness.

Reachability
Problem definition: does a transition system have a finite run ending in a state contained in the failure set F? More precisely, does there exist a sequence of states σ_0 ... σ_k such that σ_0 ∈ I, σ_k ∈ F, and for all 0 ≤ i < k, (σ_i, σ_{i+1}) ∈ T?
Using automata-theoretic methods, model checking safety properties reduces to reachability analysis: given a transition system M and a property P, we can construct M_P and F_P such that M satisfies P exactly when F_P is not reachable in M_P.

State explosion problem
Reachability analysis can be done by BFS or DFS on the state graph. However, |S| is exponential in the system size, for example 2^n where n is the number of registers, so it is impractical to construct the state graph explicitly.
Our topic is essentially how to use a SAT solver to tackle this problem.

Symbolic transition systems
Tuple (S, I, T), where: S is a signature (a set of Boolean symbols); I is a formula over S (the initial condition); T is a formula over S ∪ S' (the transition condition).
States: σ = S → {0,1}.
A run of (S, I, T) is σ_0 σ_1 ..., where I[σ_0] and, for all i ≥ 0, T[σ_i, σ_{i+1}].
Note: T[σ_i, σ_{i+1}] means T[σ_i ∪ σ'_{i+1}], i.e. σ_{i+1} is applied to the primed symbols.

Example
T is a conjunction of constraints, one per component: T = { g = a ∧ b, p = g ∨ c, c' = p } (a circuit with inputs a, b, an AND gate g, an OR gate p, and a latch c fed by p).

Symbolic Reachability
Idea: represent reachable states by a formula: R1 = I ∨ Img(I, T), R2 = R1 ∨ Img(R1, T), ... until F is hit or the sequence stops growing.
Essentially a BFS with symbolic representation.

Symbolic reachability, cont.
Reachability fixed point: R0 = I; R_{i+1} = R_i ∨ Img(R_i, T); R = ∪ R_i. F is reachable iff R ∧ F ≠ false.
Image operator: Img(P, T) = λS'. ∃S. (P(V) ∧ T(V, V')).
We need a way to eliminate the quantifier, to get us back to an ordinary Boolean formula.

Expansion of quantifiers
By definition: ∃w. p = p<0/w> ∨ p<1/w>. Thus we can eliminate quantifiers, at the expense of expansion of the formula: exponential in the number of variables quantified.
It helps to keep formulas in a canonical form, such as BDDs.

A two-bit counter
Transition system model: S: {b0, b1}; I: ¬b0 ∧ ¬b1; T: (b0' = ¬b0) ∧ (b1' = b0 ⊕ b1).
Symbolic reachability analysis:
R0 = ¬b0 ∧ ¬b1
R1 = R0 ∨ Img(R0, T)
   = R0 ∨ λS'. ∃S. (R0 ∧ T)
   = R0 ∨ λS'. ∃S. (¬b0 ∧ ¬b1 ∧ (b0' = ¬b0) ∧ (b1' = b0 ⊕ b1))
   = R0 ∨ λS'. ((b0' = 1) ∧ (b1' = 0))
   = R0 ∨ (b0 ∧ ¬b1)
   = ¬b1
R2 = ¬b1 ∨ ¬b0
R3 = 1
R4 = 1 (fixed point)
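The fixed-point iteration above, carried out mechanically for the same two-bit counter. This is an added example, not code from the slides: formulas are Python predicates over an environment, and the quantifier is eliminated by the expansion rule from the previous slide, so each image doubles the formula once per state variable. The fixed-point test R_{i+1} ⇒ R_i is decided here by enumerating states, where a SAT solver would refute R_{i+1} ∧ ¬R_i.

```python
from itertools import product

# Added example (not from the slides): symbolic reachability for the two-bit
# counter, with the existential quantifier removed by expansion exactly as
# the deck defines it:  ∃w. p  =  p<0/w> ∨ p<1/w>.
# A "formula" here is just a Python predicate over an environment dict.
S = ("b0", "b1")                          # current-state signature
S_NEXT = tuple(v + "'" for v in S)        # primed (next-state) copies

def exists(w, p):
    """(∃w. p)(env) = p<0/w>(env) ∨ p<1/w>(env): one expansion step."""
    return lambda env: p({**env, w: False}) or p({**env, w: True})

def img(R, T):
    """Img(R,T) = λS'. ∃S. (R(S) ∧ T(S,S')): expand every current-state variable
    (formula size doubles per variable), then rename S' back to S."""
    f = lambda env: R(env) and T(env)
    for v in S:
        f = exists(v, f)
    rename = dict(zip(S, S_NEXT))
    return lambda env: f({**env, **{rename[v]: env[v] for v in S}})

def disjoin(P, Q):
    return lambda env: P(env) or Q(env)

def states_of(R):
    """Truth table of R over S, as a set of (b0, b1) bit tuples."""
    return {bits for bits in product((0, 1), repeat=len(S))
            if R(dict(zip(S, (bool(b) for b in bits))))}

def reach(I, T):
    """R0 = I, R_{i+1} = R_i ∨ Img(R_i, T).  Returns [R0, R1, ...] as state sets,
    stopping once R_{i+1} ⇒ R_i (decided by enumeration here; a SAT solver
    would decide it by refuting R_{i+1} ∧ ¬R_i)."""
    R = I
    history = [states_of(R)]
    while True:
        R_next = disjoin(R, img(R, T))
        history.append(states_of(R_next))
        if history[-1] <= history[-2]:        # fixed point reached
            return history
        R = R_next

def reachable(I, T, F):
    """F is reachable iff R ∧ F ≠ false, with R the fixed point of reach()."""
    final = reach(I, T)[-1]
    return any(F(dict(zip(S, (bool(b) for b in bits)))) for bits in final)

# The two-bit counter of the slide: I = ¬b0 ∧ ¬b1, T = (b0' = ¬b0) ∧ (b1' = b0 ⊕ b1)
COUNTER_I = lambda e: not e["b0"] and not e["b1"]
COUNTER_T = lambda e: (e["b0'"] == (not e["b0"])) and (e["b1'"] == (e["b0"] != e["b1"]))

if __name__ == "__main__":
    for i, Ri in enumerate(reach(COUNTER_I, COUNTER_T)):
        print(f"R{i} = {sorted(Ri)}")
```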

Representations
We require: efficient Boolean operations (∧, ∨) and quantification (∃); a compact reduced form (to prevent formula explosion).
Binary Decision Diagrams and related forms are most commonly used. They allow analysis of circuits with perhaps 100 registers and 200 inputs, though performance is unpredictable.

DPLL-style SAT solvers
SATO, GRASP, CHAFF, BERKMIN.
Objective: check satisfiability of a CNF formula. literal: v or ¬v; clause: disjunction of literals; CNF: conjunction of clauses.
Approach: branch (make arbitrary decisions); propagate the implication graph; use conflicts to guide inference steps.
SAT solvers can also generate refutation proofs!

The Implication Graph (BCP)
Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d). Decisions: a and ¬c. Implications: a forces b (first clause); b and ¬c force d (second clause).
Assignment: a ∧ b ∧ ¬c ∧ d.

Propositional Resolution
From (a ∨ b ∨ ¬c) and (¬a ∨ ¬c ∨ d), derive (b ∨ ¬c ∨ d).
When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.

Conflict Clauses
Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d). Decisions a and ¬c imply b and d, but the third clause then requires ¬d: conflict!
Resolving the conflicting clauses yields the conflict clause (¬a ∨ c).
Assignment at the conflict: a ∧ b ∧ ¬c ∧ d.

Conflict Clauses (cont.)
Conflict clauses are generated by resolution, are therefore implied by the existing clauses, and are in conflict in the current assignment.
Many heuristics are available for determining when to terminate the resolution process (e.g., the UIP rule).

Basic SAT algorithm
Start with A = ∅ (the empty assignment). Repeat: if the empty clause has been derived, answer UNSAT; if there is a conflict, deduce a conflict clause and backtrack; otherwise, if A is total, answer SAT; otherwise branch: add some literal to A and propagate.

Generating refutations
Refutation = a proof of the null clause.
Record a DAG containing all resolution steps performed during conflict clause generation. When the null clause is generated, we can extract a proof of the null clause as a resolution DAG: original clauses at the leaves, derived clauses in between, the null clause at the root.

Circuit SAT
Can the circuit output be 1? For the circuit g = a ∧ b, p = g ∨ c (input variables a, b, c; output variable p):
CNF(p) = (a ∨ ¬g) ∧ (b ∨ ¬g) ∧ (¬a ∨ ¬b ∨ g) ∧ (¬g ∨ p) ∧ (¬c ∨ p) ∧ (g ∨ c ∨ ¬p)
p is satisfiable when the formula CNF(p) ∧ p is satisfiable.

Bounded Model Checking (BCCZ99)
Given a finite transition system M and a property P, determine: does M allow a counterexample to P of k transitions or fewer?
This problem can be translated to a SAT problem.

Symbolic Models (recall)
Transition system described by constraints: T = { g = a ∧ b, p = g ∨ c, c' = p }.
New notation: Q<n> means "add n primes to the symbols in Q".

Bounded model checking (Biere et al., TACAS99)
Unfold the model k times: U = T<0> ∧ T<1> ∧ ... ∧ T<k-1> (k+1 copies of the circuit, with I<0> constraining the first and F<k> the last).
Use a SAT solver to check satisfiability of I<0> ∧ U ∧ F<k>.
If unsatisfiable: the property has no counterexample of length k, and the solver can produce a refutation proof P.

BMC applications
Debugging: can find counterexamples using a SAT solver.
Proving properties: only possible if a bound on the length of the shortest counterexample is known, i.e., we need a diameter bound. The diameter is the maximum length of the shortest path between any two states. Worst case is exponential. Obtaining better bounds is sometimes possible, but generally intractable.

Unbounded Model Checking
We consider a variety of methods to exploit SAT and BMC for unbounded model checking:
K-step induction.
Abstraction: counterexample-based; non-counterexample-based.
Exact image computations: SAT solver tests for fixed point; SAT solver computes image.
Over-approximate image computations.

K-induction
Induction: from P(s0) and ∀i: P(si) ⇒ P(si+1), conclude ∀i: P(si).
k-step induction (SSS2000): from P(s0..k-1) and ∀i: P(si..i+k-1) ⇒ P(si+k), conclude ∀i: P(si).

K-induction with a SAT solver
Recall: Uk = T<0> ∧ T<1> ∧ ... ∧ T<k-1>.
Two formulas to check:
Base case: I<0> ∧ Uk-1 ⇒ P<0> ∧ ... ∧ P<k-1>
Induction step: Uk ∧ P<0> ∧ ... ∧ P<k-1> ⇒ P<k>
If both are valid, then P always holds. If not, increase k and try again.

Simple path assumption
Unfortunately, k-induction is not complete: some properties are not k-inductive for any k.
Simple path restriction: there is a path to ¬P iff there is a simple path to ¬P (a path with no repeated states).

Induction over simple paths
Let simple(s0..k) be defined as: ∀i, j in 0..k: (i ≠ j) ⇒ si ≠ sj.
k-induction over simple paths: from P(s0..k-1) and ∀i: simple(si..i+k) ∧ P(si..i+k-1) ⇒ P(si+k), conclude ∀i: P(si).
Must hold for k large enough, since a simple path cannot be unboundedly long. The length of the longest simple path is called the recurrence diameter.

...with a SAT solver
For the simple path restriction, let Sk = ∧ over t = 0..k, u = t+1..k of ¬(∧ over v in V of v<t> = v<u>), where V is the set of state variables (no two of the k+1 frames carry the same state).
Two formulas to check:
Base case: I<0> ∧ Uk-1 ⇒ P<0> ∧ ... ∧ P<k-1>
Induction step: Sk ∧ Uk ∧ P<0> ∧ ... ∧ P<k-1> ⇒ P<k>
If both are valid, then P always holds. If not, increase k and try again.

Termination
Termination condition: k is the length of the longest simple path of the form P* ¬P. This can be exponentially longer than the diameter.
Example: a loadable mod 2^N counter where P is (count ≠ 2^N − 1): diameter = 1, longest simple path = 2^N.
Nice special cases: P is a tautology (k = 0); P is an inductive invariant (k = 1).
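The BMC unfolding and both k-induction checks (plain, and with the simple-path constraint Sk) on one small constructed model, as an added example that is not from the slides. The model is assumed: a mod-3 counter (b0, b1) with an enable input en, and a latch x that is set only if the counter ever shows the unreachable code 11; the property is P = ¬x. Brute-force enumeration of the frame variables stands in for the SAT solver. It shows why the simple-path constraint matters: the en=0 self-loop on state 110 gives a P* ¬P path of every length, so plain k-induction never succeeds, while Sk makes k = 2 suffice.

```python
from itertools import product

# Added example (not from the slides): BMC and k-induction, with and without
# the simple-path constraint, on a constructed toy model.  The model is a
# mod-3 counter (b0,b1) with an enable input en; the latch x is set if the
# counter ever shows the code 11, which is unreachable from the initial state.
# Validity of each unfolded formula is decided by enumerating all frame
# variables, standing in for the SAT solver.
STATE = ("b0", "b1", "x")
INPUTS = ("en",)

def init(s):
    """I: every latch starts at 0."""
    return not s["b0"] and not s["b1"] and not s["x"]

def trans(s, i, n):
    """T(s, i, s'): with en=1 the counter steps 00 -> 10 -> 01 -> 00, else it holds."""
    if not i["en"]:
        return n == s
    return (n["b0"] == (not s["b0"] and not s["b1"])
            and n["b1"] == s["b0"]
            and n["x"] == (s["x"] or (s["b0"] and s["b1"])))

def prop(s):
    """P: x is never set (true in every reachable state)."""
    return not s["x"]

def frames(k):
    """Every assignment to k+1 state copies s0..sk and k input copies i0..i(k-1)."""
    nbits = (k + 1) * len(STATE) + k * len(INPUTS)
    for bits in product((False, True), repeat=nbits):
        it = iter(bits)
        states = [{v: next(it) for v in STATE} for _ in range(k + 1)]
        inputs = [{v: next(it) for v in INPUTS} for _ in range(k)]
        yield states, inputs

def unfolded(states, inputs):
    """U_k = T<0> ∧ T<1> ∧ ... ∧ T<k-1> over the given frames."""
    return all(trans(states[t], inputs[t], states[t + 1]) for t in range(len(inputs)))

def bmc(fail, k):
    """Is I<0> ∧ U_k ∧ F<k> satisfiable?  Return the witness states or None."""
    for states, inputs in frames(k):
        if init(states[0]) and unfolded(states, inputs) and fail(states[k]):
            return states
    return None

def is_simple(states):
    """S_k (simple(s0..k)): no two frames carry the same state."""
    return len({tuple(s[v] for v in STATE) for s in states}) == len(states)

def k_induction(k, simple_path=False):
    """Check the two k-induction formulas; return (base_ok, step_ok).
    base: I<0> ∧ U_{k-1} ⇒ P<0> ∧ ... ∧ P<k-1>
    step: [S_k ∧] U_k ∧ P<0> ∧ ... ∧ P<k-1> ⇒ P<k>"""
    base_ok = all(not (init(st[0]) and unfolded(st, inp)) or all(prop(s) for s in st)
                  for st, inp in frames(k - 1))
    step_ok = True
    for st, inp in frames(k):
        if not unfolded(st, inp) or (simple_path and not is_simple(st)):
            continue
        if all(prop(s) for s in st[:-1]) and not prop(st[-1]):
            step_ok = False             # a P* ¬P path of length k exists
            break
    return base_ok, step_ok

if __name__ == "__main__":
    print("BMC k=3, F = x:", bmc(lambda s: s["x"], 3))
    for k in (1, 2):
        print(f"k={k}: plain {k_induction(k)}  simple-path {k_induction(k, True)}")
```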

Localization abstraction (Kurshan)
Property: G (c ⇒ X c). Model: T = { g = a ∧ b, p = g ∨ c, c' = p }.
Abstraction Ť: T with some constraints dropped, so the variables they defined become free variables.
A property that can be proved with Ť can be proved with the stronger T.

Constraint granularity
Most authors use constraints at "latch" granularity, e.g. the model T = { c' = (a ∧ b) ∨ c }. However, the techniques we will consider can be applied at both "gate" and "latch" granularity.

Localization, cont.
Ť may refer to fewer state variables than T, reducing the state explosion problem.
Key issue: how to choose the constraints in Ť: counterexample-based or proof-based.

Algorithm (Kurshan)
Choose an initial Ť. Model check the abstraction Ť: if true, done. If there is a Cex, can it be extended from Ť to T (this step uses SAT)? If yes: done, the Cex is real. If no: add constraints to Ť and repeat.

Abstract counterexamples
Assume a simple safety property: initial condition I and final condition F. W.l.o.g., assume I and F are atomic formulas; to make this true, add constraints to T: vI ⇔ I and vF ⇔ F.
Abstract variables: Ŝ = support(Ť, I, F).
An abstract counterexample Â is a truth assignment to { v<t> | v in Ŝ, t in 0..k }, where k is the number of steps.

Counterexample extension (CGJLV 2000)
Abstract counterexample Â satisfies I<0> ∧ Ûk ∧ F<k>, where Ûk = Ť<0> ∧ Ť<1> ∧ ... ∧ Ť<k-1>.
Find A consistent with Â, satisfying I<0> ∧ Uk ∧ F<k>. That is, A is any satisfying assignment to Â ∧ I<0> ∧ Uk ∧ F<k>.
I.e., to extend an abstract counterexample, we just apply it as a constraint in BMC. If unsat, the abstract counterexample is "false".

Abstraction refinement
Refinement = adding constraints to Ť to eliminate false counterexamples. Many heuristics are used for this, too many to cover here.
However, recall that a SAT solver can produce a resolution-based refutation in the UNSAT case...

Proof-based refinement
Recall, to extend abstract Cex Â, we check: Â ∧ I<0> ∧ Uk ∧ F<k>.
If UNSAT, we obtain a refutation proof P: a proof that Â cannot be extended to a concrete Cex.
Let E be the set of constraints used in proof P: E = { c ∈ T | some c<i> occurs in P }. Â cannot be extended to a Cex for E, and P is the proof of this. Thus, add E to Ť and continue...

In other words...
The refutation of the formula Â ∧ I<0> ∧ Uk ∧ F<k> gives us a sufficient set of constraints to rule out the abstract counterexample.
We continue ruling out counterexamples until either the abstraction Ť proves the property or we can extend an abstract counterexample to a concrete one.

CCKSVW approach (FMCAD02)
Find the shortest prefix of Cex Â that cannot be extended. That is, Â ∧ I<0> ∧ Uk ∧ F<k> is feasible for all k < i, but not for k = i (prefixes s0 ... si-1 extend; the prefix ending in si does not).

CCKSVW approach, cont.
Let P be a refutation of Â ∧ I<0> ∧ Ui ∧ F<i>.
Let E be the set of constraints used in proof P only on state si-1: E = { c ∈ T | c<i-2> occurs in P }. Only the constraints used at that step are added.

Weakness of Cex-based approach
An arbitrarily chosen abstract Cex may be refutable for many reasons not related to the property. Thus, we may add irrelevant constraints.
To remedy this, one may try to characterize a set of Cex's rather than just one (e.g., GKM-HFV, TACAS03).
Alternative: don't use counterexamples.

Proof-based abstraction (MA, TACAS03)
BMC at depth k. Cex? Done. No Cex? Use the refutation to choose an abstraction and model check it: true? Done. False? Increase k and repeat.

BMC phase
Unfold the model k times: Uk = T<0> ∧ T<1> ∧ ... ∧ T<k-1>.
Use a SAT solver to check satisfiability of I<0> ∧ Uk ∧ F<k>.
If unsatisfiable: the property has no Cex of length k; produce a refutation proof P.

Abstraction phase
Let Ť be the set of constraints used in proof P: Ť = { c ∈ T | some c<i> occurs in P }.
Ť admits no counterexample of length k: let Ûk = Ť<0> ∧ Ť<1> ∧ ... ∧ Ť<k-1>; then P is a refutation of I<0> ∧ Ûk ∧ F<k>.
Model check the property on Ť: property true for Ť implies true for T; else there is a Cex of length k' > k (why?), so restart for k = k'.

Algorithm
BMC on T at depth k. Cex? Done. No Cex? The refutation P induces the abstraction Ť. Model check Ť: true? Done. Cex of depth k'? Let k = k' and repeat.
Notice: the MC counterexample is thrown away!

Termination
Depth k increases at each iteration. Eventually k > d, the diameter of Ť, and if k > d no counterexample is possible.
In practice, termination usually occurs when k ≈ d/2.
Usually, diameter of C' (the abstraction) << diameter of C (the concrete model).

Weakness of proof-based abstraction
BMC must refute all counterexamples of length k, while in the Cex-based approach BMC must refute only one (partial) counterexample.

PicoJavaII benchmarks
Hardware Java virtual machine implementation. Properties derived from verification of the ICU (handles cache, instruction prefetch and decode). The original abstraction was manual; the neighboring IFU was added to make the problem harder (block diagram: ICU, IFU, memory and cache, integer unit).
No properties can be verified by standard model checking!

Abstraction results
solid = original, gray = manual, open = proof-based abstraction

Inference
The SAT solver seems to be very effective at narrowing down the proof to relevant facts. In most cases, it did better than manual abstraction.

Comparing CBA and PBA
Apples-to-apples comparison: same SAT solver, same model checker; the only differences are: for CBA, the previous A' is kept as a constraint for BMC and C' is cumulative; for PBA, the previous A' and C' are thrown away each iteration.
Note these are my implementations. This says nothing about the performance of specific tools!

Run time comparison

Abstraction comparison

Possible explanation
Internally, the SAT solver is really doing CBA: the decision stack (a = 0, ...) is an abstract Cex Â; the conflict analysis is a refutation of Â; the decision heuristic moves proof variables up, into Â.

PBA run-time breakdown
solid = BMC time, open = MC time

CBA run-time breakdown
solid = BMC time, open = MC time

IBM GP benchmarks
Thanks to Jason Baumgartner.

Compare to K-induction on PicoJava

A (fuzzy) hypothesis
SAT-based BMC "succeeds" when the number of relevant variables is small, and fails otherwise. "Success" is BMC for k = diameter of the relevant logic.
Parameterized models allowing no abstraction (model: max state vars): German protocol: 42; "swap": 21.

Industrial benchmarks

Implications
Most of the time, if bounded model checking succeeds, unbounded model checking also succeeds using abstraction: no need to settle for a time-bounded result.
Bounded model checking may be applicable only to localizable properties.

Image computation methods
Symbolic model checking without BDDs.
Use the SAT solver just for fixed-point detection: Abdulla, Bjesse and Een 2000; Williams, Biere, Clarke and Gupta 2000.
Adapt the SAT solver to compute the image directly: McMillan 2002.

Symbolic model checking
Recall the fixed point characterization of CTL: EFp = μQ. p ∨ EX Q.
Reverse image: EXp = ∃W. p<δi/si>, where W is the set of input variables, δi the transition function of state variable si (each state variable is substituted by its transition function).

Syntactic expansion of quantifiers
By definition: ∃w. p = p<0/w> ∨ p<1/w>. Thus, we can compute the reverse image by syntactic expansion and simplification. Note: exponential in the number of inputs.
Fixed-point series: R0 = false; R_{i+1} = p ∨ EX R_i. Terminates when R_{i+1} ⇒ R_i (a SAT problem).

Limitations
Syntactic quantifier elimination is exponential, so the method is limited to circuits with very few inputs, e.g., sequential arithmetic circuits.

Direct image computation
Adapt SAT methods for image computation in symbolic model checking. Recall: this is essentially quantifier elimination.
Idea: reduce the formula to CNF or DNF to make quantifier elimination easy. Essentially, enumerate all satisfying assignments, but in an efficient way (i.e., by covering them with clauses or cubes).

Circuit Validity
Can the circuit output be 0? For the circuit g = a ∧ b, p = g ∨ c (input variables VI = {a, b, c}; output variable p):
CNF(p) = (a ∨ ¬g) ∧ (b ∨ ¬g) ∧ (¬a ∨ ¬b ∨ g) ∧ (¬g ∨ p) ∧ (¬c ∨ p) ∧ (g ∨ c ∨ ¬p)
p is valid when the formula CNF(p) ∧ ¬p is unsatisfiable.

CNF Characterization
Instead of checking validity of p, we now want to derive a CNF formula over the input variables VI that is logically equivalent to the circuit.
Idea: each time a satisfying assignment is found, add a new "blocking clause" that rules out this satisfying assignment. The blocking clauses form our characterization of p.

Blocking clauses
Blocking clauses must: be implied by p; be in conflict in the current assignment; involve only input variables (in VI).
Can we use conflict clauses as blocking clauses? Not quite...

An example
Want to characterize p in CNF: test satisfiability of CNF(p) ∧ ¬p. Guess the assignment A = {a}.
Implication graph: roots a and ¬p; ¬p implies ¬g and ¬c; a and ¬g imply ¬b. Satisfying!
Problem: we can't infer anything from p, because ¬p is already a root of the graph.

Alternate implication graph
Construct a new implication graph rooted at the input variables.
Original: roots a, ¬p; ¬p implies ¬g and ¬c; a and ¬g imply ¬b.
Alternate: roots a, ¬b, ¬c; a and ¬b imply ¬g; ¬g and ¬c imply ¬p.
Now we can always generate a conflict clause from p using only input variables.

Blocking clause example
Resolving backwards through the alternate graph: start from (g ∨ c ∨ ¬p); asserting p gives (g ∨ c); resolving with (b ∨ ¬g) gives (b ∨ c).
We stop when the clause has only inputs.

CNF characterization algorithm
Start with A = ∅, c = ∅. Repeat: if the empty clause has been derived, return c; if there is a conflict, deduce (conflict clause and backtrack); otherwise, if A is total, infer a blocking clause c' from p and add c' to f and to c; otherwise branch.

Universal Quantifier Elimination
Given a circuit p and a subset W of the input variables, we want to compute a CNF formula equivalent to ∀W. p.
Idea: eliminating ∀ in CNF formulas is trivial, e.g.: ∀a. (a ∨ b) ∧ (¬a ∨ ¬c ∨ d) = (b) ∧ (¬c ∨ d) ... just push ∀ inside ∧ ...

∀-elimination algorithm
Start with A = ∅, c = ∅. Repeat: if the empty clause has been derived, return c; if there is a conflict, deduce; otherwise, if A is total, infer a blocking clause c' from p and add ∀W. c' to f and to c; otherwise branch.
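The CNF characterization loop and the ∀-elimination step, carried out on the slides' own circuit p = (a ∧ b) ∨ c, as an added example that is not the slides' code. One assumption differs from the deck: each blocking clause is minimised by greedily dropping literals while it stays implied by p, rather than by walking the alternate implication graph, but every clause still meets the three requirements (implied by p, over inputs only, in conflict with the assignment that produced it). Pushing ∀ inside ∧ also handles the two edge cases the slide's one-line rule leaves implicit: a clause with both polarities of a quantified variable is a tautology and disappears, and a clause with only quantified literals becomes the empty clause.

```python
from itertools import product

# Added example (not the slides' algorithm): CNF characterization of a circuit
# over its input variables by blocking clauses, then universal quantifier
# elimination on the resulting CNF.  Circuit: the slides' p = (a AND b) OR c.
# Blocking clauses are minimised by greedily dropping literals (the slides
# derive them from an alternate implication graph instead).
INPUTS = ("a", "b", "c")

def circuit(env):
    g = env["a"] and env["b"]
    return g or env["c"]

def clause_holds(clause, env):
    """A clause is a set of (var, polarity) literals."""
    return any(env[v] == pol for v, pol in clause)

def cnf_holds(cnf, env):
    return all(clause_holds(cl, env) for cl in cnf)

def all_inputs(vars_=INPUTS):
    for bits in product((False, True), repeat=len(vars_)):
        yield dict(zip(vars_, bits))

def implied_by_circuit(clause):
    """p => clause?  (no input assignment makes p true and the clause false)"""
    return all(clause_holds(clause, env) or not circuit(env) for env in all_inputs())

def blocking_clause(env):
    """Start from the clause falsified exactly by env (p is 0 there), then drop
    literals while the clause stays implied by p: it then blocks a whole cube of
    p=0 assignments and is still false under env."""
    clause = {(v, not env[v]) for v in INPUTS}
    for literal in sorted(clause):
        smaller = clause - {literal}
        if smaller and implied_by_circuit(smaller):   # never shrink to the empty clause
            clause = smaller
    return frozenset(clause)

def characterize():
    """Repeat: find a satisfying assignment of CNF(p) ∧ ¬p ∧ (blocking clauses
    so far) and add a new blocking clause; stop when that conjunction is UNSAT.
    The blocking clauses are then a CNF over inputs equivalent to p."""
    cnf = set()
    while True:
        found = next((env for env in all_inputs()
                      if not circuit(env) and cnf_holds(cnf, env)), None)
        if found is None:
            return cnf
        cnf.add(blocking_clause(found))

def forall_eliminate(cnf, W):
    """∀W. cnf: push ∀ inside the conjunction and drop the W-literals of every
    clause.  A clause holding both polarities of some w is a tautology (drop it);
    a clause whose literals all mention W becomes the empty clause (false)."""
    result = set()
    for clause in cnf:
        if any((v, True) in clause and (v, False) in clause for v in W):
            continue
        result.add(frozenset((v, pol) for v, pol in clause if v not in W))
    return result

def equivalent(cnf, f, vars_=INPUTS):
    """Truth-table check that the CNF and the function f agree on every input."""
    return all(cnf_holds(cnf, env) == bool(f(env)) for env in all_inputs(vars_))

if __name__ == "__main__":
    cnf = characterize()
    print("CNF(p over inputs):", sorted(sorted(c) for c in cnf))
    print("forall c. p      :", sorted(sorted(c) for c in forall_eliminate(cnf, {"c"})))
```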

CTL Model Checking with SAT
AXp = ∀W. p<δi/si>, with W the input variables, δi the transition functions and si the state variables; the ∀-elimination algorithm computes it in CNF.

Recent related work
Sheng, Hsiao (DATE 2003): uses ATPG methods.
Chauhan, Clarke, Kroening: computes the forward rather than the backward image.

Simplified PicoJava II benchmarks. This method can't handle large numbers of irrelevant variables directly. Like the BDD method, it computes the exact reachable states, so it is comparable to BDD methods, not abstraction methods. We compare the method to BDD's for a set of benchmarks in which most of the irrelevant logic is pruned out manually.

Comparison with BDD's. Note the low variance in times for the BDD-based technique: the benchmarks may be biased in favor of BDD's. BDD's are better overall, but note the relative immaturity of the SAT-based method. Note the low correlation between the two methods: the SAT-based method may be a good alternative when BDD's fail.

SAT-based image. May provide a good alternative when BDD's fail. Does not take advantage of the SAT solver's ability to filter out irrelevant facts, since the exact image is computed.

Image over-approximation. BMC and Craig interpolation allow us to compute an image over-approximation relative to the property: avoid computing the exact image, and maintain the SAT solver's advantage of filtering out irrelevant facts.

Interpolation (Craig, 57). If A ∧ B = false, there exists an interpolant A' for (A, B) such that: A ⇒ A'; A' ∧ B = false; A' refers only to common variables of A, B. Example: A = p ∧ q, B = ¬q ∧ r, A' = q. New result: given a resolution refutation of A ∧ B, A' can be derived in linear time (Pudlák, Krajíček, 97).
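An added worked example (not from the slides) of reading A' off a resolution refutation: the Python below applies the clause-labelling rules of McMillan's later interpolation system (CAV 2003) to the slide's pair A = p ∧ q, B = ¬q ∧ r, and to a constructed second pair whose refutation resolves on a variable local to A, then checks the three interpolant conditions by truth table. The refutations are given by hand as lists of resolution steps; no SAT solver is involved.

```python
from itertools import product
TRUE = ("true",)  # partial interpolant contributed by every clause of B

def cl(*lits):  # "q" is the literal q, "-q" is ¬q; a clause is a frozenset of (var, polarity)
    return frozenset((l.lstrip("-"), not l.startswith("-")) for l in lits)
def vars_of(clauses):
    return {v for c in clauses for v, _ in c}
def resolve(c1, c2, x):  # c1 must contain x and c2 must contain ¬x
    assert (x, True) in c1 and (x, False) in c2, "pivot must appear with opposite signs"
    return (c1 - {(x, True)}) | (c2 - {(x, False)})

def interpolant(a_clauses, b_clauses, steps):
    """A' for (A, B) in one pass over a resolution refutation (McMillan's rules): an A clause
    yields its shared-variable literals, a B clause yields True, resolving on an A-local pivot
    yields p_i OR p_j, on any other pivot p_i AND p_j. Clause ids: A, then B, then derived."""
    shared = vars_of(a_clauses) & vars_of(b_clauses)
    a_local = vars_of(a_clauses) - shared
    clauses = list(a_clauses) + list(b_clauses)
    partials = [("or",) + tuple(("lit", v, pos) for v, pos in c if v in shared) for c in a_clauses]
    partials += [TRUE] * len(b_clauses)
    for i, j, x in steps:  # step (i, j, x): resolve clauses i and j on pivot x
        clauses.append(resolve(clauses[i], clauses[j], x))
        partials.append(("or" if x in a_local else "and", partials[i], partials[j]))
    assert clauses[-1] == frozenset(), "refutation must end in the empty clause"
    return partials[-1]

def eval_formula(f, asg):
    if f[0] == "true": return True
    if f[0] == "lit": return asg[f[1]] == f[2]
    return (any if f[0] == "or" else all)(eval_formula(g, asg) for g in f[1:])
def formula_vars(f):
    return {f[1]} if f[0] == "lit" else set().union(*(formula_vars(g) for g in f[1:]))

def is_interpolant(a_clauses, b_clauses, f):  # A => f, f ∧ B unsat, vars(f) shared
    sat = lambda clauses, asg: all(any(asg[v] == pos for v, pos in c) for c in clauses)
    allvars = sorted(vars_of(a_clauses) | vars_of(b_clauses))
    for bits in product([False, True], repeat=len(allvars)):
        asg = dict(zip(allvars, bits))
        if sat(a_clauses, asg) and not eval_formula(f, asg): return False
        if eval_formula(f, asg) and sat(b_clauses, asg): return False
    return formula_vars(f) <= vars_of(a_clauses) & vars_of(b_clauses)

# Slide example: A = p ∧ q, B = ¬q ∧ r; clause ids 0:(p) 1:(q) 2:(¬q) 3:(r). Expect A' = q.
A1, B1 = [cl("p"), cl("q")], [cl("-q"), cl("r")]
I1 = interpolant(A1, B1, [(1, 2, "q")])
# Constructed example with an A-local pivot a: A = (a∨b)(¬a∨c), B = (¬b)(¬c). Expect A' = b ∨ c.
A2, B2 = [cl("a", "b"), cl("-a", "c")], [cl("-b"), cl("-c")]
I2 = interpolant(A2, B2, [(0, 1, "a"), (4, 2, "b"), (5, 3, "c")])
```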

Interpolation-based MC. Interpolation gives us a SAT-based algorithm for over-approximate image computation; using interpolation, we get SAT-only symbolic model checking.

Reachability. Is there a path from I to F satisfying transition constraint C? Reachability fixed point: R_0 = I; R_{i+1} = R_i ∨ Img(R_i, C); R = ∪ R_i. Image operator: Img(P, C) = λV'. ∃V. (P ∧ C). F is reachable iff R ∧ F ≠ false.

Overapproximation. An overapproximate image op. is Img' s.t. for all P, Img(P, C) implies Img'(P, C). Overapproximate reachability: R'_0 = I; R'_{i+1} = R'_i ∨ Img'(R'_i, C); R' = ∪ R'_i. Img' is adequate (w.r.t. F) when: if P cannot reach F, Img'(P, C) cannot reach F. If Img' is adequate, then F is reachable iff R' ∧ F ≠ false.

Adequate image. [Figure: P, Img(P, C) inside Img'(P, C), the states reached from P, the states that can reach F, and F.] But how do you get an adequate Img'?

k-adequate image operator. Img' is k-adequate (w.r.t. F) when: if P cannot reach F, Img'(P, C) cannot reach F within k steps. Note, if k > diameter, then k-adequate is equivalent to adequate.

Interpolation-based image. Idea: use unfolding to enforce k-adequacy. A = P_{-1} ∧ C_{-1}; B = C_0 ∧ C_1 ∧ ... ∧ C_{k-1} ∧ F_k. [Figure: unfolding P, C, C, ..., C, F from t = 0 to t = k, with A covering P and the first C and B covering the remaining C's and F.] Let Img'(P)_0 = A', where A' is an interpolant for (A, B)... Img' is k-adequate!

Huh? [Figure: A' placed between A and B on the unfolding from t = 0 to t = k.] A ⇒ A', so Img(P, C) ⇒ Img'(P, C). A' ∧ B = false, so Img'(P, C) cannot reach F in k steps. Hence Img' is a k-adequate overapprox. But note, Img' is partial: not defined if A ∧ B is sat.

Intuition. [Figure: A' between A and B on the unfolding P, C, ..., C, F from t = 0 to t = k.] A' tells us everything the SAT solver deduced about the image of P in proving it can't reach F in k steps. Hence, A' is in some sense an abstraction of the image relative to the property.

Reachability algorithm:
let k = 0
repeat
  if I can reach F within k steps, answer reachable
  R = I
  while Img'(R, C) ∧ F = false
    R' = Img'(R, C) ∨ R
    if R' = R, answer unreachable
    R = R'
  end while
  increase k
end repeat

Termination. Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate. Notes: we don't need to know when k > d in order to terminate; often termination occurs with k << d; the depth bound for the earlier method (Sheeran et al. '00) is the "longest simple path", which can be exponentially longer than the diameter.

PicoJava II Benchmarks

vs. k-induction

IBM GP benchmarks

GP benchmarks - true properties

Interpolation-based MC. Fully SAT-based. Inherits the SAT solver's ability to concentrate on facts relevant to a property. Like CBA and PBA, most effective when a very large set of facts is available and only a small subset is relevant to the property. For true properties, appears to converge for smaller k values.

Conclusion. SAT solvers are very effective at ignoring irrelevant facts; one can think of the decision heuristic as a form of CBA. SAT solvers can produce refutations. We can exploit this in a number of ways: BMC; abstraction for UMC (either CBA or PBA); abstract image computations using interpolation. This makes it possible to model check localizable properties of large systems.

Conclusion cont. Approaches that compute exact images sacrifice this quality of SAT solvers, but are still useful as an alternative to BDD's. For non-localizable properties, SAT-based BMC and UMC do not perform well. The capacity of SAT-based UMC is comparable to BMC: no need to settle for bounded results!