Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University
Model Checking Given a: Finite transition system M(S, I, A temporal property The model checking problem: Does M satisfy
Model Checking Temporal properties: “Always x=y ” (G( x=y )) “Every Send is followed by Ack ” (G( Send F A ck )) “ Reset can always be reached” (GF Reset ) “From some point on, always switch_on” (FG switch_on) “Safety” properties “Liveness” properties
Advances in Model Checking Explicit model checking (1980 – ) Symbolic Model Checking with Binary Decision Diagrams (1991 – ) Symbolic Bounded Model Checking with SAT solvers (1999 –)
Bounded Model Checking A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties: can we find a bad state in k steps? Verification: can we find a counterexample in k steps ? (Biere, Cimatti, Clarke, Zhu, 1999)
Bounded Model Checking Most safety properties can be reduced to “Always p” where p is propositional. Is there a state reachable within k cycles that satisfies p ?... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p
Reducing the BMC problem to SAT p is preserved up to cycle k iff (k) is unsatisfiable:... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p
Example: a two bit counter Property: Always ( l r) (2) is unsatisfiable. (3) is satisfiable. Initial state: Transition:
Bounded Model Checking All Linear-time Temporal Logic (LTL) can be checked with BMC BMC can be applied to software, e.g. C programs (Kroening, Clarke, 2002): Unwind each loop k times Represent in Single Assignment Form (SAF) Solve the resulting bit-vector verification condition
Bounded Model-Checking of software while() loops are unwinded void f(...) {... cond while(cond) { Body; Body; } Rest; } void f(...) {... cond while(cond) { Body; Body; } Rest; }
Bounded Model-Checking of software while() loops are unwinded void f(...) {... cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; } void f(...) {... cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; }
Bounded Model-Checking of software while() loops are unwinded void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; }
Bounded Model-Checking of software while() loops are unwinded iteratively Assertion may be inserted after last iteration: violated if program runs longer than bound permits void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond while(cond) { Body; Body; } Rest; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond while(cond) { Body; Body; } Rest; }
Bounded Model-Checking of software while() loops are unwinded iteratively Assertion my be inserted after last iteration: violated if program runs longer than bound permits void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond if(cond) { assert(FALSE); } Rest; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond if(cond) { assert(FALSE); } Rest; }
Bounded Model Checking - First impression… First experiments with BMC in the industry showed that it is rarely faster than model checkers, unless k is very small. But: Model checkers enjoyed more than 10 years of R&D….
The Davis-Putnam procedure Given k in CNF: (x,y,z),(x,y),( : y,z),( : x, : y, : z) Decide() Deduce() ( ~1000) Diagnose()
Tuning SAT for BMC 1.Restrict Decide() to a small set of variables 2.Use the variable dependency graph for smarter orderings 3.Exploit (k)’s structure to restrict the state-space: Learn more by exploiting the symmetry of (k) Reuse information between the SAT instances
1. Restricting Decide() Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of (k): Model variables (~ 15 % of (k)’s variables) Input variables (~ 5 % of (k)’s variables) Less variables to Decide() implies more variables to Deduce()
For a general CNF formula, Dynamic strategies are typically better: Most Frequent in unsatisfied clauses (DLCS) Satisfies the most clauses (DLIS) Satisfies the most shortest clauses (MOM, JW) Conflict Driven (VSIDS) : 2. Variable ordering Q: How well do they work with BMC formulas ?
A (CNF) dependency graph D (V,E): A partitioning C 1..C n : An abstract dependency graph D’(V’, E’): 2. Variable ordering (Abstract dependency graphs)
For (k) there exists a partition C 1..C n s.t. the abstract dependency graph is linear C0C0 C1C1 C2C2 CkCk C3C3 C k-1 V0V0 V1V1 V2V2 VkVk V3V3 V k Variable ordering (The natural order of (k))
I0I0 ~Pk~Pk With general-purpose Decide() strategies, local sets of variables are satisfied a-synchronically 2. Variable ordering
General-purpose Vs. tailor-made Decide() strategies... :... (x 5 = ( y 4 z 5 u 4 )) ... x 5 = T y 4 = F z 5 = F u 4 = T General purpose Back- track x 5 = T y 4 = F z 5 = F u 4 = T Use ‘s structure to resolve conflicts on a more local level... Tailor made Back- track
I0I0 PkPk Riding on unreachable states... k should satisfy I 0 I0I0 Riding on legal executions... (k) should satisfy P k PkPk 2. Variable ordering (simple static ordering)
Given an order, guess a value Dynamic decision Constant value Previous value ‘Flat’ computation ... Previous value x 2 = 1 y 7 = 0 z 2 = 0 y 3 = 1 x 2 = 0 y 7 = 0 z 2 = 0 y 3 = 1
Can this regularity be used to speed up the search ? 3. Exploiting (k)’s structure
Conflict clauses is the main mechanism for learning If (x 3 =1, y 7 = 0, z 5 = 1 ) leads to a conflict, add the conflict clause C: ( x 3 y 7 z 5 )
3. Exploiting (k)’s structure (Replicated clauses) If x 3 =1, y 7 = 0, z 5 = 1 leads to a conflict, then so will x 2 =1, y 6 = 0, z 4 = 1 Therefore, we can also add: ( x 2 y 6 z 4 ) … ( x 0 y 4 z 2 ) and... ( x 4 y 8 z 6 ) … ( x k-4 y k z k-2 ) Yet, (k) is not fully symmetric because of I 0. Check whether the clauses that caused the conflict include I 0 variables.
4. Exploiting (k)’s structure (Reusing clauses) When can a conflict clause C that was learned while solving (k) be reused for solving (k+1)? Answer: all clauses that together implied C are in (k) Å (k+1) All clauses except the property are in (k) Å (k+1)
Results (Sec.) * * * = exceeds 10,000 sec. )Today, Chaff solves all in 7 minutes…)
Results (sec.)
The Conclusion The original conclusion (2000): Many models that cannot be solved by BDD symbolic model checkers, can be solved with the optimized SAT Bounded Model Checker. The other direction is true as well Today: BMC with SAT is dominant in finding shallow errors. BDD-based procedures are mainly used for proving their absence.
How big should k be? For every model M and LTL property there exists k s.t. The minimal such k is the Completeness Threshold (CT)
How big should k be? Diameter d = longest shortest path from an initial state to any other reachable state. Recurrence Diameter rd = longest loop-free path. rd ¸ d d = 2 rd = 3
How big should k be? Theorem: for Gp properties CT = d s0s0 pp Arbitrary path
How big should k be? Theorem: for Fp properties CT= rd s0s0 pp pp pp pp pp Open Problem: The value of CT for general Linear Temporal Logic properties is unknown
The General case Buchi automata B: h S,S 0, ,F,L i S - States S 0 µ S - Initial states µ S £ S - Transition relation F µ S - Accepting set L: S ! 2 AT - Labeling function Let inf(W) be the set of states visited infinite no. of times by a run W B accepts W iff there exists f 2 F s.t. inf(W) Å f ;
The General case Every LTL formula can be represented by a Buchi automaton B
LTL model checking Given M, , construct B LTL model checking: is : M £ B empty ? Emptiness checking: is there a path to a loop with an accepting state ? ! witness to G true with fairness constraint M ² iff is empty
LTL Bounded Model Checking “Unroll” k times Find a witness to Gtrue with the fairness constraint s0s0 f