The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

Slides:



Advertisements
Similar presentations
Model Checking Base on Interoplation
Advertisements

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Applications of Craig Interpolation to Model Checking K. L. McMillan Cadence Berkeley Labs.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)
CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Mar, 4, 2015 Slide credit: some slides adapted from Stuart.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View SAT.
1/30 SAT Solver Changki PSWLAB SAT Solver Daniel Kroening, Ofer Strichman.
Abstract Answer Set Solver. Todolist Print the rules of Fig 1.
Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Artificial Intelligence Chapter 14. Resolution in the Propositional Calculus Artificial Intelligence Chapter 14. Resolution in the Propositional Calculus.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla.
1 Boolean Satisfiability in Electronic Design Automation (EDA ) By Kunal P. Ganeshpure.
GRASP-an efficient SAT solver Pankaj Chauhan. 6/19/ : GRASP and Chaff2 What is SAT? Given a propositional formula in CNF, find an assignment.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
1 Understanding the Power of Clause Learning Ashish Sabharwal, Paul Beame, Henry Kautz University of Washington, Seattle IJCAI ConferenceAug 14, 2003.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.
Artificial Intelligence Chapter 14 Resolution in the Propositional Calculus Artificial Intelligence Chapter 14 Resolution in the Propositional Calculus.
GRASP: A Search Algorithm for Propositional Satisfiability EE878C Homework #2 2002/11/1 KAIST, EECS ICS Lab Lee, Dongsoo.
SAT Solving Presented by Avi Yadgar. The SAT Problem Given a Boolean formula, look for assignment A for such that.  A is a solution for. A partial assignment.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.
Proof Systems KB |- Q iff there is a sequence of wffs D1,..., Dn such that Dn is Q and for each Di in the sequence: a) either Di is in KB or b) Di can.
On Bridging Simulation and Formal Verification Eugene Goldberg Cadence Research Labs (USA) VMCAI-2008, San Francisco, USA.
SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.
SAT-based Model Checking Yakir Vizel Computer Science Department, Technion, Israel Based on slides from K.L. McMillan, A.R. Bradley and Yakir Vizel.
CHAPTERS 7, 8 Oliver Schulte Logical Inference: Through Proof to Truth.
Introduction to Satisfiability Modulo Theories
Unification Algorithm Input: a finite set Σ of simple expressions Output: a mgu for Σ (if Σ is unifiable) 1. Set k = 0 and  0 = . 2. If Σ  k is a singleton,
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
Boolean Satisfiability Present and Future
CPSC 422, Lecture 21Slide 1 Intelligent Systems (AI-2) Computer Science cpsc422, Lecture 21 Oct, 30, 2015 Slide credit: some slides adapted from Stuart.
Nikolaj Bjørner Microsoft Research DTU Winter course January 2 nd 2012 Organized by Flemming Nielson & Hanne Riis Nielson.
Heuristics for Efficient SAT Solving As implemented in GRASP, Chaff and GSAT.
Logic: Proof procedures, soundness and correctness CPSC 322 – Logic 2 Textbook §5.2 March 7, 2011.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
SAT Solving As implemented in - DPLL solvers: GRASP, Chaff and
Answer Extraction To use resolution to answer questions, for example a query of the form  X C(X), we must keep track of the substitutions made during.
Inference in Propositional Logic (and Intro to SAT) CSE 473.
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
Inference and search for the propositional satisfiability problem
Resolution in the Propositional Calculus
Computability and Complexity
Solving Linear Arithmetic with SAT-based MC
Introduction to Software Verification
K. L. McMillan Cadence Berkeley Labs
Complexity 6-1 The Class P Complexity Andrei Bulatov.
Biointelligence Lab School of Computer Sci. & Eng.
Decision Procedures An Algorithmic Point of View
Biointelligence Lab School of Computer Sci. & Eng.
Scalability in Model Checking
Decision heuristics based on an Abstraction/Refinement model
SAT Based Abstraction/Refinement in Model-Checking
GRASP-an efficient SAT solver
Faster Extraction of High-Level Minimal Unsatisfiable Cores
Presentation transcript:

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Overview Some SAT-based model checking methods –Localization abstraction using SAT –Interpolation-based model checking Discuss –When SAT is effective in these applications –Why SAT solvers behave this way –Where are improvements possible?

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Refutations The ability to generate a refutation in the unsatisfiable case is critical to these applications. A DPLL-style solver naturally produces refutions by reolution.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conflict Clauses and resolution ( a b) ( b c d) ( b d) a c Decisions b Assignment: a b c d d Conflict! ( b c ) resolve Conflict! ( a c) resolve Conflict!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conflict Clauses (cont.) Conflict clause generation is really a way of using failures in the backtracking search to guide resolution. –search guides deduction –deduction guides search Many heuristics are available for determining when to terminate the resolution process (e.g., the 1UIP rule)

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Generating refutations Refutation = a proof of the null clause –Record a DAG containing all resolution steps performed during conflict clause generation. –When null clause is generated, we can extract a proof of the null clause as a resolution DAG. Original clauses Derived clauses Null clause

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Bounded Model Checking Given –A finite transition system M –A property p Determine –Does M allow a counterexample to p of k transitions of fewer? This problem can be translated to a SAT problem BCCZ99

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Models Transition system described by a set of constraints a b cp g Each circuit element is a constraint note: a = a t and a' = a t+1 g = a b p = g c c' = p Model: C = { g = a b, p = g c, c' = p }

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Properties We restrict our attention to safety properties. Characterized by: –Initial condition I –Final condition F (representing "bad" states) A counterexample is a path from a state satisfying I to state satisfying F, where every transition satisfies C.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Unfolding Unfold the model k times: U k = C 0 C 1... C k-1 a b cp g a b cp g a b cp g... I0I0 FkFk Use SAT solver to check satisfiability of I 0 U k F k A satisfying assignment is a counterexample of k steps

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization abstraction Property: G (c X c) a b cp g Model: C = { g = a b, p = g c, c' = p } ' free variable C' property, C C' C property Kurshan

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Localization, cont C' may refer to fewer state variables than C –reduction in the state explosion problem Key issue: how to choose constraints in C' –counterexample-based –proof-based

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Algorithm Model check abstraction C' Choose initial C' Can extend Cex from C'to C? Add constraints to C' true, done Cex yes, Cex no SAT uses Kurshan

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstract counterexamples Assume simple safety property: –initial condition I and final condition F –w.l.o.g., assume I and F are atomic formulas to make this true, add constraints in C: v I I v F F Abstract variables V' = support(C',I,F) Abstract counterexample A' is a truth assignment to: { v t | v in V', t in 0..k } where k is the number of steps.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Counterexample extension Abstract counterexample A' satisfies: I 0 U' k F k where U' k = C' 0 C' 1... C' k-1 Find A consistent with A', satisfying: I 0 U k F k where U k = C 0 C 1... C k-1 That is, A is any satisfying assignment to: A' I 0 U k F k I.e., to extend an abstract counterexample, we just apply it as a constraint in BMC. If unsat, abstract counterexample is "false". CGJLV 2000

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction refinement Refinement = adding constraints to C' to eliminate false counterexamples. Many heuristsics used for this. –Too many to cover here. –Recall that a SAT solver can produce a resolution- based refutation in the UNSAT case....

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based refinement Recall, to extend abstract Cex A', we check: A' I 0 U k F k If UNSAT, we obtain refutation proof P –proof that A' cannot be extended to concrete Cex Let E be set of constraints used in proof P: E = { c C | some c i occurs in P } A' cannot be extended to a Cex for E –P is the proof of this. Thus, add E to C' and continue... CCKSVW02

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. In other words... The refutation of the formula: A' I 0 U k F k gives us a sufficient set of constraints to rule out the abstract counterexample. We continue ruling out counterexamples until either the abstraction C' proves the property or we can extend an abstract counterexample to a concrete one.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Weakness of Cex-based approach Arbitrarily chosen abstract Cex may be refutable for many reasons not related to property. –Thus, may add irrelevant constraints. –May require many iterations –To remedy, may try to characterize a set of Cex's rather than just one (e.g., GKM-HFV,TACAS03). Alternative: don't use counterexamples

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Proof-based abstraction BMC at depth k Cex? done No Cex? Use refutation to choose abstraction MC abstraction done True? False? Increase k MA,TACAS03

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. BMC phase Unfold the model k times: U = C 0 C 1... C k-1 Use SAT solver to check satisfiability of I 0 U F k If unsatisfiable: property has no Cex of length k produce a refutation proof P

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction phase Let C' be set of constraints used in proof P: C' = { c C | some c i occurs in P } C' admits no counterexample of length k –let U' = C' 0 C' 1... C' k-1 –P is a refutation of I 0 U' F k Model check property on C' –property true for C' implies true for C –else Cex of length k' > k (why?) restart for k = k'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Algorithm BMC C at depth k Cex? done No Cex? Refutation P induces abstraction C' Model check C' done True? Cex of depth k'? let k = k' Notice: MC counterexample is thrown away!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Termination Depth k increases at each iteration Eventually k > d, diameter of C' If k > d, no counterexample is possible In practice, termination uses occurs when k d/2 Usually, diameter C' << diameter of C

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Weakness of proof-based abs BMC must refute all counterexamples of length k, while in Cex-based, BMC must refute only one (partial) counterexample. –more stress on the SAT solver with PBA Experimentally... –CBA and PBA behave similarly for smaller circuits –PBA is faster for larger circuits because it terminates in fewer iterations.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. PicoJavaII benchmarks Hardware Java virtual machine implementation Properties derived from verification of ICU –handles cache, instruction prefetch and decode Original abstraction was manual Added neigboring IFU to make problem harder ICUIFU Mem, Cache Integer unit properties No properties can be verified by standard model checking!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Abstraction results solid = original, gray = manual, open = proof-based abstraction

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Inference SAT solver seems to be very effective at narrowing down the proof to relevant facts. In most cases, it did better than manual abstraction.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. A (fuzzy) hypothesis Parameterized models allowing no abstraction SAT-based BMC "succeeds" when number of relevant variables is small, and fails otherwise. "success" is BMC for k = diameter of relevant logic ModelMax state vars German protocol42 "swap"21

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Industrial benchmarks

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Possible explanation Internally, SAT solver is really doing CBA a=0 b=1 c=0 d=1 decision stack = abstract Cex A' refutation of A' decision heuristic moves proof variables up, into A'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. VSIDS heuristic (CHAFF) Increment variables score when it is used in the proof of a conflict clause Scores decay exponentially with number of decisions

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. VSIDS working set Variables with non-zero score Time (decisions) Working set is solvers localization of the problem

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Working set, cont Size is small and relatively stable When exhausted, decisions become random –Working set is rapidly forgotten, then relearned –Most decisions are made randomly! Cost of irrelevant decisions is low –Decision cost must be proportional to working set size! As a result, the effect of improving the decision heuristic is minimal for this class of problems.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation-based MC BMC and Craig interpolation allow us to compute image over-approximation relative to property. –Avoid computing exact image. –Maintain SAT solver's advantage of filtering out irrelevant facts. Exploit it to localize invariants. McM03

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation If A B = false, there exists an interpolant A' for (A,B) such that: A A' A' B = false A' refers only to common variables of A,B Example: –A = p q, B = q r, A' = q New result –given a resolution refutation of A B, A' can be derived in linear time. (Craig,57) (Pudlak,Krajicek,97)

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation-based MC Interpolation gives us –SAT-based algorithm for over-approximate image computation, using interpolation –SAT-only symbolic model checking

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Reachability IF R1R1 R2R2... R = I Img(I,C) = R 1 Img(R 1,C) R is the "strongest inductive invariant" Is there a path from I to F satisfying transition constraint C?

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Adequate image PF Img(P,C) Reached from PCan reach F Img(P,C) But how do you get an adequate Img'?

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. k-adequate image operator Image operator is k-adequate (w.r.t.) F, when –if P cannot reach F, image of P cannot reach F within k steps Note, if k > diameter, then k-adequate is equivalent to adequate.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation-based image Idea -- use unfolding to enforce k-adequacy A = P -1 C -1 B = C 0 C 1 C k-1 F k P F CCCCCCC AB t=0 t=k Let Image of P = A', where A' is an interpolant for (A,B)... Img' is k-adequate!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Intuition A' tells is everything the SAT solver deduced about the image of P in proving it can't reach F in k steps. Hence, A' is in some sense an abstraction of the image relative to the property. P F CCCCCCC AB t=0 t=k A'

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Reachability algorithm Increase k until invariant obtained proves the property. Eventually k > d, the diameter, in which case image operator is adequate, hence we terminate. Notes: –don't need to know when k > d in order to terminate –often termination occurs with k << d

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. PicoJava II Benchmarks Reason: terminates for smaller k value

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Interpolation-based MC Fully SAT-based. Exploits SAT solvers ability to concentrate on facts relevant to a property. Like PBA, most effective when –Very large set of facts is available –Only a small subset are relevant to property For true properties, appears to converge for smaller k values than PBA –Very important, because SAT-based BMC performance degrades rapidly with k.

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusions SAT solvers are very effective at ignoring irrelevant facts –Can think of decision heuristic as a form of CBA Solvers working set is in effect a localization For MC applications, SAT solver performance is tied to number of relevant variables –Performs well if there is a small UNSAT "core" –Performs badly when all variables relevant. Challenge: SAT solvers that are efficient for non-localizable instances!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CCKSVW approach (FMCAD02) Find the shortest prefix of Cex A' that cannot be extended. That is, A' I 0 U k F k is feasible for all k < i, but not for k=i. s0s0 s1s1 s2s2 s i-1 sisi... OK NO!

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification. CCKSVW approach cont. Let P be a refutation of A' I 0 U i F i Let E be set of constraints used in proof P only on state s i-1: E = { c C | c i-2 occurs in P } s0s0 s1s1 s2s2 s i-1 sisi... OK NO! add constraints used here

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.