Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla

Technion Motivation for this article In the verification world, size DOES matter !

Technion The goal  We want to check LARGE models.  We want to scale beyond the “current” model checking technologies (BDDs).  Off-the-record : it is ironic that the inventor of SMV offers a new way of doing model checking.

Technion Well  We will not completely drop SMV (yet), but we are going to help it using SAT.  On my opinion, this article is a turn-point for us and for McMillan in understanding how to do complete MC using SAT.  At the next lesson – we will see how to do MC using SAT.

Technion  Given  A finite transition system M above states S, initial states I  S and transition T  S  S A propositional property P  Determine  Does M allow a counterexample to P Model checking- in this context Less than 1000 variables (FF)

Technion Symbolic Model Checking  S = I  Prev =   While S != Prev  Prev = S  If (S  ~P   ) then return BUG;  S = S  X’ (S(x’)  T(x’,x))

Technion Set representations  What’s this I, T, P ?  How do they look ? How can we build them ?  Examples of representations :  I is a BDD  I= {(1,0), (1,1), (1,1) } (explicit)  Logic circuits :  X1X1 X2X2 TRUE

Technion Circuits  We will need to know 2 representations today: circuit and CNF.  Both represent closed functions – in form f(x) = TRUE  CNF : ( x 1   x’ 1 )  (  x 1  x’ 1 )  Circuit: ( x 1 &  x’ 1 ) or (  x 1 & x’ 1 ) X1X1 X1X1 TRUE  X’ 1 X’ 1 X 1 ’ = not X 1

Technion Bounded model checking  Given  A finite transition system M(I,T)  A propositional property P  Determine  Does M allow a counterexample to P of k transitions of fewer? Can reach more than FF

Technion The main idea  Apply BMC on a large model.  Perform proof-based abstraction and get a smaller model  Apply a model checking on the small model.

Technion BMC  State vectors {x i } 1 k for each cycle i.  A propositional formula I(x o )  T(x o,x 1 )  …  T(x k-1, x k )  ( : P(x k )) is SAT  property does not hold at cycle k. Program path for K phases Final condition on cycle K

Technion BMC  How do we represent a formula that says “There is a bug at some phase until phase K” ? 

Technion Circuit to CNF translation  Circ2CNF : X y G (  x  g) (  y  g) (x  y   g)

Technion  Solves propositional formulas in CNF format. For example, ( x 1  x 2 )  (  x 3  x 5 ).  Uses resolution-based algorithm DPLL  Resolution rule SAT solver (A  x ) (B   x ) (A  B )

Technion SAT solver-DPLL  While (not empty clause)  decide on some unassigned var;  If (BCP returns conflict) Record a new conflict clause using a resolution Backtrack to satisfy that clause.

Technion SAT solver - BCP  While there is some clause C=( x 1  x 2, …  x n ) under partial assignment {  x 1, …,  x n-1 } AND x n is unassigned  Extend the assignment with x n = TRUE  Set C to be the reason clause of x n.  If all literals of C are FALSE then stop and return C as a conflicting clause.

Technion BCP-Example (  a  b)  (  b  c  d) a cc Decisions b Assignment: a  b   c  d d

Technion BCP-cont.  Each assigned variable is either decision variable or was implied by a reason clause (implicated variable).  Let C(v) be a reason clause for setting literal v=TRUE. Suppose C’(t) is another reason clause (for variable t) that contains  v. Then C and C’ are valid resolution pair on v, i.e. they do not have any other variable with different polarity.

Technion Proof: Falsely assume that there is literal x, s.t. x  C and  x  C’ 1. C’ implied t after C implied v 2. x was FALSE when C implied v. 3. Therefore, C’ contained the satisfied literal  x when implied t, which contradicts to the condition that all its literals but one are falsified. BCP-cont.

Technion SAT solver-DPLL  While (not empty clause)  decide on some unassigned var;  If (BCP returns conflict) Record a new conflict clause using a resolution Backtrack to satisfy that clause.

Technion Resolution algorithm  Set Conf = a conflicting clause from BCP  While a stopping condition did not occur, do: 1. Choose some implied literal v from Conf. 2. Conf = Resolve( Conf, C(v) )

Technion Conflicting intermediate Conflicting Clauses (  a  b)  (  b  c  d)  (  b   d) a cc Decisions b Assignment: a  b   c  d d Conflicting ! (  b  c ) resolve (  a  c) resolve New conflict clause

Technion Resolution algorithm  If we draw binary node for each resolution step, then each run of the resolution algorithm will look like a binary tree in the form of string, i.e. each inner node has a leaf.  The source of the tree is a new conflict clause  Global graph will not look like a tree though. O1O1 O2O2 i1i1 I 1 =Resolve(O 1, O 2 )

Technion Resolution Graph O1O1 O2O2 O3O3 O4O4 O6O6 O7O7 i1i1 c-1 i2i2 i3i3 O5O5 c-2 C-3 i4i4 Binary DAG with intermediate and conflict clauses. Each node in the graph is derived by its descendants Collapsed DAG with multi-degree nodes C-1 C- 3 C-2 O1O1 O2O2 O3O3 O4O4 O5O5 O6O6 O7O7

Technion Resolution Graph  If DPLL finished with UNSAT then the resolution graph of its run will have source node  with an empty clause.  Is it the only source ?  No. There can be many others.  Is it the only source with empty clause ?  Yes. It is implied by terminal condition of DPLL.

Technion Resolution Graph  The whole resolution graph denotes exactly a resolution trace of DPLL. However it is not possible to extract the order of decisions and their values from this graph (DPLL run).  Denote by G F is the resolution graph of the solver’s run on unsatisfiable formula F.  G F is not unique.  Identified by the specific solver (hidden parameter).

Technion Resolution Graph  Let Core(G F )= Descendants(  F )  F.  Core(G F ) is still unsatisfiable formula.  Assumption1: usually Core(G F ) is much smaller than F.  Assumption2: Var(Core(G F )) is much smaller than Var(F).

Technion Applications  Suppose,  T c is circuit representation of the Trans constraint.  Circ2CNF(func, i) translates a circuit to the CNF representation at phase i.  Then  T(x i-1, x i ) = Circ2CNF(T c, i)  Bug at some phase on a path

Technion Abstraction of the problem  Abstract(Tc, Core(F_k)) = {g  Tc |  i  k, Circ2CNF(g, i)  Core(F_k) }  Abstract(Tc, Core(F_k)) is like the inverse image of Core(F_k) with respect to Circ2CNF.

Technion Special effects Tc Fk Circ2CNF Core(F k ) Circ2CNF -1 Abstract(Tc)

Technion Main Algorithm  FiniteRun( M=(I c,T c,P) )  Set k  0  While TRUE If BMC(F k ) = SAT then  return BUG with satisfying assignment else  M’ = Abstract(Core(F k ))  ModelCheck M’  If M’ has an accepting run of length k’ then  Set k  k’  else  return “VALID Property” Can be that k’ < k ? Assumes that M’ is smaller then M

Technion Question What about Liveness ?

Technion Reminder  Using Buchi automaton, we can create a product automaton A : = M x ~P.  Checking liveness is equivalent to checking for emptiness of A.  We need to find an infinite run on which accepting state is crossed infinitely often.

Technion Liveness properties  There is a infinite run on which formula G is infinitely satisfied.  There is a run x 0,…x k, s.t.  T(x i, x i+1 ) is satisfied  I(x o ) is satisfied.  For some 0  m < k, x m = x k  For some m  j  k : G(x j ) is TRUE

Technion Liveness BMC  CNF formula:   Run FiniteRun on this formula the same way.

Technion Optimizations  Cone of Influence  Variable substitutions: (f=q) => replace all occurrences of f by q  Pure variables

Technion Results  20 safety samples – none of them could be solved by MC.  After applying abstraction – 18 were solved by BMC, abstracted and then solved by MC.  2 were stuck during BMC

Technion The next article Hybrid approach (or Proof-based refinement)

Technion The problem  Suppose we have original model M and its abstract buddy.  We want to check the case when is SAT and we have counter-example A for.  We need to check the formula  In case it is SAT, we are done and have real counter- example.  In case it is UNSAT – we want to refine

Technion Proof-based refinement (by Chauhan et al.)  Consider the proof P of.  There is at least one clause in P that is not contained in.  In other words, there is at least one gate in M that is not in, which helps to refute A.

Technion Proof-based refinement  Given proof P, for any set of constraints (gates) Q, we define:  We refine by setting:

Technion Proof-based refinement  Recall that is exactly like the definition of abstract set from the previous paper.  Where is the difference ?

Technion  Proof-based abstraction :  Refinement:

Technion  Hybrid method – heuristic approach to tune between these 2 methods.  The idea to use SAT solver to try and to do refinement of all counter-examples of length k (A=  ) and then to refine with A.

Technion Concretize  Input F k  Decide decisions from A.  Res = SAT_Solve(TimeLimit)  If (Res != TimeOut)  Return Res;  Add A to CNF formula.  Return SAT_Solve(  )

Technion Results  It is compared with CEX approach and pure proof-based abstraction.  It presented as super to CEX and similar to proof-based.

Technion The END & Thank you