Computing Over-Approximations with Bounded Model Checking
Daniel Kroening, ETH Zürich
Slide 2: Motivation
- SAT solvers have impressive capacity
- BMC: unwind the transition system to get a formula...
[Figure: unwound states s0, s1, s2, ..., s_{k-1}, s_k, with the property p checked at each state]

Slide 3: Motivation
- For safety properties: refutation only, no proof
- If we make k "big enough", we can find all bugs
- How big is "big enough"? Knowing this bound makes BMC complete

Slide 4: Related Work: Making BMC Complete
- We call such a bound a completeness threshold (CT)
- Getting the smallest such CT is as hard as model checking
- Thus, get an over-approximation
Slide 5: Related Work: Making BMC Complete
- Distance between states: length of the shortest path between two states
- Diameter d: maximum distance between two connected states
- Initialized diameter Id: maximum distance from the initial states to any reachable state
- For safety properties, the initialized diameter is a completeness threshold

Slide 6: Related Work: Making BMC Complete
- Problem: computing the initialized diameter Id corresponds to a QBF instance; too hard
- Thus, related work relies on simple paths
- Simple path: path without loops
- Initialized recurrence diameter Ird: longest loop-free path from the initial states to any reachable state
- Id ≤ Ird

Slide 7: Related Work: Making BMC Complete
- Computing Ird: called the "simple path" constraint
- Becomes UNSAT once k > Ird
- Requires O(k^2) clauses
- Can be improved to O(k log k) [VMCAI 2003]

Slide 8: Related Work: Making BMC Complete
- But: the recurrence diameter can be much larger than the diameter: reachability diameter 1, recurrence diameter n
Slide 9: Talk Outline
- Completeness thresholds from structural analysis
- Abstraction for a small CT
- Refinement
- Experiments

Slides 10-11: Structural Analysis
- Baumgartner/Kuehlmann, CAV 2002
- "Structure" refers to dependencies between latches
- Similar to computing the transitive closure of the LDG

Slide 12: Structural Analysis
- Claim: the diameter adds up in a pipeline
- Baumgartner/Kuehlmann: many partial circuits do not have cycles in the LDG
- Thus, such properties can be proved with BMC and the CT as above
- More observations like that (e.g., ROMs)
Slide 13: Making It Useful
- Real designs have many cycles: counters, forwarding, memories
- Realistic designs often have diameter >
- Too hard for BMC (and BDDs)
- Problem: any diameter is way too large to be useful

Slide 14: Making It Useful
- Observation: abstract models are highly non-deterministic, and thus usually have a very small diameter
- Idea: make an abstraction to get a small CT
- Candidates: predicate reduction; localization reduction / cut-point insertion
- Warning: a CT for the abstract model is not a CT for the concrete model
Slide 15: Automatic Abstraction Refinement
[Figure: abstraction-refinement loop. Abstract -> BMC -> counterexample? No: property holds. Yes: compute whether the counterexample is spurious -> spurious: refine and abstract again; not spurious: bug found]
[Kurshan et al. '93] [Clarke et al. '00] [Ball, Rajamani '00]

Slide 16: Cut-Point Insertion
- Replaces a signal by a new primary input
- Typically done such that a maximal amount of logic and registers is removed

Slide 17: Cut-Point Insertion
- Our approach: insert cut-points to cut cycles
- Typically does not remove any logic: the abstract model has the same number of gates and latches
- Sole purpose: get a small CT
- Prevents some spurious traces
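As an added example (not code from the talk), a small explicit-state Python model that computes the initialized diameter Id and initialized recurrence diameter Ird of constructed toy transition systems and runs a bounded reachability check up to a given k. It reproduces the slide-8 gap (Id = 1 versus Ird = n), the k-bit counter, and the warning from slide 14: cutting the top bit of a 2-bit counter (replacing it by a free input, as in slide 17) shrinks the CT, but that CT is not a CT for the concrete counter. The model definitions and the `bmc` stand-in for the SAT query are assumptions.

```python
from collections import deque

def initialized_diameter(init, succ):
    """Id: longest shortest path from an initial state to any reachable state (BFS)."""
    dist = {s: 0 for s in init}
    queue = deque(init)
    while queue:
        s = queue.popleft()
        for t in succ(s):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return max(dist.values())

def recurrence_diameter(init, succ):
    """Ird: longest loop-free path from an initial state (DFS over simple paths, toy sizes only)."""
    best = 0
    def dfs(s, seen, length):
        nonlocal best
        best = max(best, length)
        for t in succ(s):
            if t not in seen:
                dfs(t, seen | {t}, length + 1)
    for s in init:
        dfs(s, frozenset([s]), 0)
    return best

def bmc(init, succ, bad, k):
    """Explicit-state stand-in for the SAT query 'bad state reachable within k steps?':
    returns the shortest such path length, or None (a proof only once k >= Id)."""
    frontier, seen = set(init), set(init)
    for depth in range(k + 1):
        if any(bad(s) for s in frontier):
            return depth
        frontier = {t for s in frontier for t in succ(s)} - seen
        seen |= frontier
    return None

# Constructed toy models (assumptions, not circuits from the talk): (initial states, successor fn).
def counter(bits):      # k-bit counter: 0 -> 1 -> ... -> 2^k - 1 -> 0; Id = Ird = 2^k - 1
    return {0}, lambda s: {(s + 1) % (1 << bits)}
def clique(n):          # slide-8 shape: every state reaches every other in one step; Id = 1, Ird = n
    return {0}, lambda s: set(range(n + 1))
def counter2_cut_top_bit():   # 2-bit counter whose top bit is cut, i.e. driven by a free input
    return {0}, lambda s: {(top << 1) | ((s & 1) ^ 1) for top in (0, 1)}

if __name__ == "__main__":
    bad = lambda s: s == 3                        # property: "the counter never reaches 3"
    print(initialized_diameter(*counter(2)), initialized_diameter(*counter2_cut_top_bit()))  # 3 2
    print(bmc(*counter(2), bad, 2), bmc(*counter(2), bad, 3))   # None 3: k = 2 is below the concrete CT
    print(bmc(*counter2_cut_top_bit(), bad, 2))                  # 1: abstract trace, spurious for the concrete counter
```

Running the abstract model's CT (2) against the concrete counter would miss the error at depth 3, which is exactly why slide 14 warns that an abstract CT is not a concrete CT.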
Slide 18: Automatic Abstraction Refinement (same loop diagram as slide 15)

Slide 19: Structural Analysis
- Special case: k-bit counter

Slide 20: Structural Analysis with Cycles
- Claim: a circuit with depth-bound can be treated as a pipeline with stages
- Claim: adding a 1-bit feedback loop at most doubles the diameter
- Intuitive, but see the paper for the proof

Slide 21: Structural Analysis
- Q: What is the back-edge?
- A: Pick one that produces a small CT!
- Bound: ( 1 + 2 ) · 2^x, where x = min{j, k}

Slide 22: Structural Analysis
Now the CT can be computed as follows:
1. Identify an inner cycle in the LDG
2. Terminate if there is no cycle
3. Compute the bound for the inner cycle ( )
4. Replace the inner cycle with a pipeline with stages
5. Repeat

Slide 23: Limitations
- There could be cycles, but no "innermost cycle": cycles that share a component
- Hope: rare in circuits
Slide 24: Automatic Abstraction Refinement (same loop diagram as slide 15)

Slide 25: Refinement
- Like McMillan: obtain a proof of unsatisfiability of the simulation BMC instance
- Not constrained to the abstract counterexample!
- Examine which signals are important for the fact that there is no error of length k
- Fewer iterations than counterexample-based refinement
Slide 26: Experimental Results

Slide 27: Conclusion
- Structural analysis and abstraction for a complete BMC that is practical
- Complete model checking based on a basic SAT engine only, and no simple paths

Slide 28: Open Problem
- Circuits only so far
- But verification engineers like INVAR/TRANS-style models
- However: INVAR/TRANS can increase the diameter!

Slide 29: Current Projects
- Arbitrary circuit structures
- Do this for software
- Explore the effect of other abstraction techniques on the CT of the abstract model
- CT and abstractions for full LTL
- Make use of information from a failed proof attempt with the abstract model

Slide 30: Questions?