1 Formal Verification Group, IBM Haifa Labs. © Copyright IBM Corporation 2008. SAT-based unbounded model checking using interpolation. Based on the paper “Interpolation and SAT-based Model Checking” by K.L. McMillan, CAV 2003.

2 Interpolation
- If A ∧ B = false, there exists an interpolant A' for (A, B) such that:
  A → A'
  A' ∧ B = false
  A' refers only to the common variables of A and B
- Example: A = p ∧ q, B = ¬q ∧ r, A' = q
- Interpolants from proofs: given a resolution refutation (proof of unsatisfiability) of A ∧ B, A' can be derived in linear time. (Pudlak, Krajicek, 97) (Craig, 57)

3 Agenda
- Computing interpolants
- Interpolation-based image computation
- Model checking finite state systems
- Optimization techniques

4 Interpolant from SAT solver
- Resolution: from (A ∨ p) and (¬p ∨ B) derive (A ∨ B), with p the pivot variable (here A and B stand for the remaining literals of the two clauses)
- Modern SAT solvers can produce a proof of unsatisfiability for unsatisfiable formulas using resolution
- An interpolant may be built from the proof of unsatisfiability in linear time.
(Figure: the SAT solver takes (A, B) in CNF and produces a proof; interpolation over the proof yields A'.)

5 Proof of unsatisfiability
- A proof is a DAG, where
  - the nodes are clauses
  - the root is the empty clause
  - the leaves are original clauses
  - every inner node is obtained by a resolution of its two child nodes
- An interpolant is built from the proof and follows the structure of the proof
- Local to A / global literals: let (A, B) be a pair of clause sets. A variable is global if it appears in both A and B, and local to A if it appears only in A. Given a clause c, g(c) is the disjunction of the global literals in c.

6 The construction of the interpolant
- Let (A, B) be a pair of clause sets. Given a proof of unsatisfiability Π for A ∪ B, define p(c) for every node c in the proof as follows:
  - If c is a leaf, then: if c ∈ A then p(c) = g(c), else p(c) is the constant true
  - Else let c1, c2 be the child nodes of c, and let v be their pivot variable: if v is local to A, then p(c) = p(c1) ∨ p(c2), else p(c) = p(c1) ∧ p(c2)
- The Π-interpolant for (A, B) is p(false), the value computed at the empty clause.
- Complexity: O(N + L), where N is the number of nodes and L is the number of literals in the proof.

7 Example
The interpolant is a circuit that follows the structure of the proof.
A = { (b), (¬b ∨ c) }, B = { (¬c ∨ d), (¬d) }. The only global variable is c; b is local to A and d is local to B.
Resolution steps, with the p(c) value built at each node:
- (b) and (¬b ∨ c) resolve on b (local to A) to (c): p = g(b) ∨ g(¬b ∨ c) = false ∨ c = c
- (c) and (¬c ∨ d) resolve on c (global) to (d): p = c ∧ true = c
- (d) and (¬d) resolve on d (not local to A) to the empty clause: p = c ∧ true = c
The interpolant is p(false) = c.
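The construction of slides 6 and 7, as an added Python example that is not part of the presentation: it computes p(c) over a resolution refutation of the slides' A and B and then checks the Craig conditions by brute force. No SAT solver is driven; the proof DAG (PROOF) is written out by hand, following the three resolution steps above.

```python
# Added example, not from the slides: McMillan's p(c) construction over a hand-built
# resolution refutation. Literals are nonzero ints (negative = negated); clauses are frozensets.
from itertools import product
TRUE, FALSE = ("const", True), ("const", False)

def g(clause, common):
    """g(c): disjunction of the global literals of c (FALSE if there are none)."""
    f = FALSE
    for l in sorted(clause):
        if abs(l) in common:
            f = ("or", f, ("lit", l))
    return f

def interpolant(A, B, proof):
    """proof: topologically ordered ("leaf", clause) / ("res", i1, i2, pivot) nodes; last = empty clause."""
    varsA = {abs(l) for cl in A for l in cl}
    varsB = {abs(l) for cl in B for l in cl}
    p = []
    for node in proof:
        if node[0] == "leaf":                  # leaf rule: g(c) if c in A, else true
            p.append(g(node[1], varsA & varsB) if node[1] in A else TRUE)
        else:                                  # pivot local to A -> or, otherwise -> and
            _, i1, i2, v = node
            p.append(("or" if v not in varsB else "and", p[i1], p[i2]))
    return p[-1]                               # p(false)

def evaluate(f, asg):
    if f[0] == "const": return f[1]
    if f[0] == "lit":   return asg[abs(f[1])] == (f[1] > 0)
    x, y = evaluate(f[1], asg), evaluate(f[2], asg)
    return (x or y) if f[0] == "or" else (x and y)

def holds(cnf, asg):
    return all(any(asg[abs(l)] == (l > 0) for l in cl) for cl in cnf)
def is_interpolant(A, B, f):
    """A -> f and f & B unsatisfiable, checked over every assignment (the vocabulary
    condition holds by construction, because g() keeps only common literals)."""
    vs = sorted({abs(l) for cl in A | B for l in cl})
    for bits in product([False, True], repeat=len(vs)):
        asg = dict(zip(vs, bits))
        if holds(A, asg) and not evaluate(f, asg): return False
        if holds(B, asg) and evaluate(f, asg):     return False
    return True

# The slides' example with b=1, c=2, d=3: A = {(b), (~b|c)}, B = {(~c|d), (~d)}.
A = {frozenset({1}), frozenset({-1, 2})}
B = {frozenset({-2, 3}), frozenset({-3})}
PROOF = [("leaf", frozenset({1})), ("leaf", frozenset({-1, 2})), ("res", 0, 1, 1),  # -> (c)
         ("leaf", frozenset({-2, 3})), ("res", 2, 3, 2),                             # -> (d)
         ("leaf", frozenset({-3})), ("res", 4, 5, 3)]                                # -> ()
```

Evaluating the returned formula under every assignment shows it is equivalent to the literal c, as on slide 7.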

8 The correctness of the construction
- Definition: a clause interpolation has the form (A, B) ⊢ c [Φ], where A, B are clause sets, c is a clause and Φ is a formula. It is said to be valid when
  1. A ⊨ Φ ∨ (c \ B), and
  2. B, Φ ⊨ c|B, and
  3. Φ ⪯ A and Φ ⪯ B (Φ is over the variables of A and over the variables of B)
  Here c|B denotes the disjunction of the literals of c over variables of B, and c \ B the disjunction of the remaining literals. Note: when c is empty, Φ is an interpolant for (A, B).
- Theorem: (A, B) ⊢ c [p(c)] is valid. The theorem implies that the Π-interpolant for (A, B) is an interpolant for (A, B).

9 The correctness of the construction – cont.
- Proof: by induction on the structure of the proof of unsatisfiability.
- Base – 2 cases:
  - c ∈ A: (A, B) ⊢ c [c|B]
  - c ∈ B: (A, B) ⊢ c [T]
Remember: 1. A ⊨ Φ ∨ (c \ B); 2. B, Φ ⊨ c|B; 3. Φ ⪯ A and Φ ⪯ B

10 The correctness of the construction – cont.
- Induction step – 2 cases:
  - From (A, B) ⊢ l, c1 [Φ1] and (A, B) ⊢ ¬l, c2 [Φ2], with l ∉ B: (A, B) ⊢ c1, c2 [Φ1 ∨ Φ2]
  - From (A, B) ⊢ l, c1 [Φ1] and (A, B) ⊢ ¬l, c2 [Φ2], with l ∈ B: (A, B) ⊢ c1, c2 [Φ1 ∧ Φ2]
Remember: 1. A ⊨ Φ ∨ (c \ B); 2. B, Φ ⊨ c|B; 3. Φ ⪯ A and Φ ⪯ B

11 Agenda
- Computing interpolants
- Interpolation-based image computation
- Model checking finite state systems
- Optimization techniques

12 Bounded model checking
- Safety property: the bad states F are never reached
- Unfold the model k times: U = T_0 ∧ T_1 ∧ ... ∧ T_{k-1}
- Use a SAT solver to check satisfiability of I_0 ∧ U ∧ F_k
- If unsatisfiable:
  - the property has no counterexample of length k
  - the solver can produce a proof of unsatisfiability P
(Figure: k copies of the circuit, constrained by I_0 at the first copy and F_k at the last.)

13 Reachability
- Is there a path (of any length) from I to F satisfying the transition constraint T?
- Reachability fixed point: R_0 = I; R_{i+1} = R_i ∨ Img(R_i); R = ∨_i R_i
- Image operator: Img(P) = ∃V. P(V) ∧ T(V, V')
- F is reachable iff R ∧ F ≠ false

14 Reachability
(Figure: nested state sets I ⊆ R_1 ⊆ R_2 ⊆ ... growing toward F, with R_1 = I ∨ Img(I, T) and R_2 = R_1 ∨ Img(R_1, T).)

15 Overapproximation
- An overapproximate image operator is an Img' such that for all P, Img(P) ⊆ Img'(P)
- Overapproximate reachability: R'_0 = I; R'_{i+1} = R'_i ∨ Img'(R'_i); R' = ∨_i R'_i

16 Interpolation-based image
A = P_0 ∧ T_0
B = T_1 ∧ T_2 ∧ ... ∧ T_{k-1} ∧ (F_1 ∨ F_2 ∨ ... ∨ F_k)
Let A' be an interpolant for (A, B).
(Figure: the unrolling from t = 0 to t = k; A covers P_0 and the first transition T_0, B covers T_1 ... T_{k-1} and F_1 ... F_k; the interpolant is over the state variables at t = 1.)

17 Interpolation-based image – cont.
- A(s_0, s_1) → A'(s_1): A' is Img'(P), an overapproximate image of P
- A' ∧ B = false: Img'(P) cannot reach F in k-1 steps
(Figure: P at t = 0, A' at t = 1, F checked at t = 1 ... k.)

18 Intuition
- A' tells us everything the solver deduced about the image of P in proving that it can't reach F in k steps.
- Hence, A' is in some sense an abstraction of the image relative to the property.
- This opens a way to an overapproximate reachability calculation.

19 Agenda
- Computing interpolants
- Interpolation-based image computation
- Model checking finite state systems
- Optimization techniques

20 The fixpoint algorithm
    if I(s_0) ∧ F(s_0) satisfiable                     // the basis
        return FAILED
    while (1)                                           // BMC loop
        R_new := I, R := false
        while (R_new ⊄ R)                               // the fixpoint condition; UMC (reachability) loop
            if R_new ∧ T_1 ∧ T_2 ∧ ... ∧ T_{k-1} ∧ (F_1 ∨ F_2 ∨ ... ∨ F_k) unsatisfiable
                R := R ∨ R_new
                R_new := interpolant A'(s_1)
            else                                        // satisfiable
                if (R_new = I) return FAILED
                else                                    // possible false negative: should increase k
                    R := false, break
        end while
        if (R_new ⊆ R)                                  // fixpoint
            return PASSED
        increase k
    end while

21 Algorithm correctness
- Clearly, if the algorithm returns FAILED then we have found a bug.
- If a fixpoint is reached, then an overapproximation of the reachable states does not contain a bug, i.e. the formula passes.
- We are left with possible false negatives. When a false negative is possible, we increase k. Thus, it is enough to show that there exists a (large enough) k for which the algorithm always stops.

22 Algorithm terminates
- Let d be the reverse depth of the model (i.e. the number of real backward steps from the bad states until a fixpoint), and let k = d+1.
- If there is a bug, then we will find it in the first iteration (since k is at least as long as the shortest path between I and F).
- If there is no bug, the formula is unsatisfiable and the interpolant A' (and R_new = I ∨ A') cannot reach F in d steps.

23 Algorithm terminates – cont.
- d is the reverse depth ⟹ R_new cannot reach F at all.
- Thus, the next formula (with R_new instead of I) will be unsatisfiable as well.
- Since R always grows and the model is finite, a fixpoint will eventually be reached.
- Notes:
  - we don't need to know d in order to terminate
  - often termination occurs with k << d

24 Characteristics
- SAT-based methods are effective when
  - a very large set of facts is available
  - only a small subset of them is relevant to the property
- They exploit the SAT solver's ability to narrow the proof to the relevant facts, i.e. to narrow the reachable-states approximation to the relevant variables.
- The interpolation method exploits this fact to compute an abstract image operator.

25 Agenda
- Computing interpolants
- Interpolation-based image computation
- Model checking finite state systems
- Optimization techniques

26 Incremental SAT solving with interpolation
- At each iteration of the inner while loop we check satisfiability of the following formula: R_new ∧ T_1 ∧ T_2 ∧ ... ∧ T_{k-1} ∧ (F_1 ∨ F_2 ∨ ... ∨ F_k)
- All those formulas differ only in R_new.
- The SAT solver can preserve all the clauses that are implied by the common part of the formulas (everything but R_new).
- This can potentially save the SAT solver the time of deducing those clauses again.
- Similarly, formulas with different k (the outer while loop) can be solved incrementally.

27 Checking convergence more efficiently
- R – current overapproximate reachable states; A' – current interpolant
- Original convergence check: is A' ⊆ R?
- Recall: A' is an overapproximate forward step from R
- Let R' be a “real” forward step from R
- Instead, check whether R' ⊆ R
- Advantage: the latter check is more likely to succeed earlier (because R' ⊆ A')
- Correctness: if R' ⊆ R but A' ⊄ R, then A' \ R' is unreachable

28 Minimizing interpolants
- Reduce CNF formulas using a CNF simplifier
- Interpolants are highly redundant boolean expressions
- Reduce interpolants using BDD sweeping or SAT sweeping
- Minimize the unsat core
  - An unsat core is an unsatisfiable subset of a given unsatisfiable CNF formula (the leaves of the proof)
  - An unsat core may be computed by the SAT solver when it finds that a formula is unsatisfiable
  - Various methods exist for minimizing the unsat core; the simplest one is running the SAT solver iteratively on the previously computed unsat core

29 Strengthening interpolants
- Recall: the interpolant is an overapproximation of a forward image of R_new
- There may be different overapproximations
- Can we control the quality of the overapproximation?
- Do we want a finer one or a coarser one?

30 Example
(Figure: the exact reachable sets I, R_1, R_2, ..., R, and the bad states F.)

31 Example – fine overapproximation
(Figure: I, F and a tight overapproximation of the reachable states.)

32 Example – moderate overapproximation
(Figure: I, F and a looser overapproximation of the reachable states.)

33 Example – coarse overapproximation
(Figure: I, F and a very loose overapproximation of the reachable states.)

34 Strengthening interpolants
- Move local resolutions (‘or’-gates) towards the leaves
- 2 rewrite rules. The first one: the derivation
  (p ∨ ¬q ∨ c1) and (¬p ∨ c2) resolve on p to (¬q ∨ c1 ∨ c2), which resolves with (q ∨ c3) on q to (c1 ∨ c2 ∨ c3)
  is rewritten to
  (p ∨ ¬q ∨ c1) and (q ∨ c3) resolve on q to (p ∨ c1 ∨ c3), which resolves with (¬p ∨ c2) on p to (c1 ∨ c2 ∨ c3)

35 Strengthening interpolants – cont.
Caution: this may cause exponential expansion of the proof! The second rule, for the case where both premises contain ¬q: the derivation
  (p ∨ ¬q ∨ c1) and (¬p ∨ ¬q ∨ c2) resolve on p to (¬q ∨ c1 ∨ c2), which resolves with (q ∨ c3) on q to (c1 ∨ c2 ∨ c3)
is rewritten to
  (p ∨ ¬q ∨ c1) and (q ∨ c3) resolve on q to (p ∨ c1 ∨ c3); (¬p ∨ ¬q ∨ c2) and (q ∨ c3) resolve on q to (¬p ∨ c2 ∨ c3); these two resolve on p to (c1 ∨ c2 ∨ c3)
The clause (q ∨ c3) is now used twice, which is where the expansion comes from.

36 Strengthening interpolants – an example
A = {(¬a), (¬b ∨ d), (a ∨ b ∨ c), …}, B = {(a ∨ e), (¬c ∨ d), …}. Here a, c and d are global, and b is local to A.
Original proof fragment, with the partial interpolants p(·) in brackets:
- (a ∨ b ∨ c) [a ∨ c] and (¬a) [¬a] resolve on a to (b ∨ c) [¬a ∧ (a ∨ c)]
- (b ∨ c) and (¬b ∨ d) [d] resolve on b to (c ∨ d) [d ∨ (¬a ∧ (a ∨ c))]
- (c ∨ d) and (¬c ∨ d) [true] resolve on c to (d)
A' = d ∨ (¬a ∧ (a ∨ c)) = d ∨ (¬a ∧ c)
Move the local resolution (on b) toward the leaves:
- (a ∨ b ∨ c) [a ∨ c] and (¬b ∨ d) [d] resolve on b to (a ∨ c ∨ d) [(a ∨ c) ∨ d]
- (a ∨ c ∨ d) and (¬a) [¬a] resolve on a to (c ∨ d) [¬a ∧ (d ∨ (a ∨ c))]
A'' = ¬a ∧ (d ∨ (a ∨ c)) = ¬a ∧ (c ∨ d)
A'' → A'; the rewritten proof yields a stronger (finer) interpolant.

37 Approximate interpolant computation
A = {(¬a), (¬b ∨ d), (a ∨ b ∨ c), …}, B = {(a ∨ e), (¬c ∨ d), …}
A' = d ∨ (¬a ∧ (a ∨ c)) = d ∨ (¬a ∧ c)
A'' = c ∨ d
A' → A''
- Treat inner clauses with a pure origin as leaves: (b ∨ c) is derived from A-clauses only, so it is treated as a leaf of A with p(b ∨ c) = g(b ∨ c) = c; resolving it with (¬b ∨ d) [d] on b gives (c ∨ d) with p = c ∨ d.

38 Refinement of interpolants
    if R_new ∧ T_1 ∧ T_2 ∧ ... ∧ T_{k-1} ∧ (F_1 ∨ F_2 ∨ ... ∨ F_k) satisfiable
        if (R_new = I) return FAILED
        else                                    // possible false negative: should increase k
            break
Can we avoid the possible false negative?

39 Refinement of interpolants – cont.
(Figure: I, R_1, ..., R_{i-1}, R_i and F, with a spurious counterexample s_1, s_2, ..., s_k starting from R_i.)
- Check whether s_1 is reachable in one step from R_{i-1}
- If not, refine R_i by removing s_1 from it
- Disadvantages:
  - removes one false negative at a time
  - does not ensure removing all false negatives
  - complicates the expression of R

40 Conclusion
- SAT solvers have the ability:
  - to generate refutations for bounded reachability
  - to filter out irrelevant facts.
- These abilities can be exploited to generate an abstract image operator, using Craig interpolation.
- This yields a reachability procedure that
  - is fully SAT-based
  - is robust w.r.t. irrelevant facts
- Various techniques exist to control the size and quality of interpolants
