Presentation is loading. Please wait.

Presentation is loading. Please wait.

11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich."— Presentation transcript:

1 11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich

2 11.7.2005 Daniel Kroening 2 Motivation SAT solvers have impressive capacity BMC: unwind transition system to get formula... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p

3 11.7.2005 Daniel Kroening 3 Motivation For safety properties: Refutation only, no proof If we make k “big enough”, we can find all bugs How big is “big enough”? Knowing this bound makes BMC complete

4 11.7.2005 Daniel Kroening 4 Related Work: Making BMC Complete We call such a bound a completeness threshold Getting smallest such CT is as hard as model checking Thus, get over-approximation

5 11.7.2005 Daniel Kroening 5 Related Work: Making BMC Complete Distance between states: length of shortest path between two states Diameter d : maximum distance between two connected states Initialized diameter Id : maximum distance to any reachable state from initial states For safety properties, the initialized diameter is a completeness threshold

6 11.7.2005 Daniel Kroening 6 Related Work: Making BMC Complete Problem: computing diameter dI corresponds to QBF instance Too hard Thus, related work relies on simple paths Simple path: path without loops Initialized recurrence diameter Ird : Longest loop-free path from initial states to any reachable states Id ≤ Ird

7 11.7.2005 Daniel Kroening 7 Related work: Making BMC Complete Computing Ird : Called “simplepath” constraint Becomes UNSAT once k > Ird Requires O(k 2 ) clauses Can be improved to O(k log k) [VMCAI2003]

8 11.7.2005 Daniel Kroening 8 Related work: Making BMC Complete But: recurrence diameter can be much larger than diameter: Reachabillity diameter 1, recurrence diameter n

9 11.7.2005 Daniel Kroening 9 Talk outline Completeness thresholds from structural analysis Abstraction for a small CT Refinement Experiments

10 11.7.2005 Daniel Kroening 10 Structural Analysis Baumgartner/Kuehlmann CAV 2002 “Structure” refers to dependencies between latches

11 11.7.2005 Daniel Kroening 11 Structural Analysis Baumgartner/Kuehlmann CAV 2002 “Structure” refers to dependencies between latches Similar to computing transitive closure LDG

12 11.7.2005 Daniel Kroening 12 Structural Analysis Claim: the diameter adds up in a pipeline Baumgartner/Kuehlmann: many partial circuits that do not have cycles in the LDG Thus, can prove properties with BMC and CT as above More observations like that (e.g., ROMs)

13 11.7.2005 Daniel Kroening 13 Making it useful Real designs have many cycles  Counters  Forwarding  Memories Realistic designs often have diameter > 2 100 Too hard for BMC (and BDDs) Problem: any diameter is way too large to be useful

14 11.7.2005 Daniel Kroening 14 Making it useful Observation:  Abstract models are highly non-deterministic  Thus, have usually very small diameter Idea: Make an abstraction to get a small CT Candidates:  Predicate Reduction  Localization Reduction / Cut-Point-Insertion Warning: CT for abstract model is not a CT for concrete model

15 11.7.2005 Daniel Kroening 15 Automatic Abstraction Refinement Property holds Yes No Bug found BMC Refine Abstract Compute Spurious counterexample [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

16 11.7.2005 Daniel Kroening 16 Cut-Point Insertion Replaces signal by new primary input Typically done such that a maximal amount of logic and registers are removed

17 11.7.2005 Daniel Kroening 17 Cut-Point Insertion Our approach: Insert cut-point to cut cycles Typically does not remove any logic Abstract model has same number of gates and latches Sole purpose: get small CT Prevents some spurious traces

18 11.7.2005 Daniel Kroening 18 Automatic Abstraction Refinement Property holds Yes No Bug found BMC Refine Abstract Compute Spurious counterexample [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

19 11.7.2005 Daniel Kroening 19 Structural Analysis Special case: k -bit counter

20 11.7.2005 Daniel Kroening 20 Structural Analysis with Cycles Claim: Circuit with depth-bound  I can be treated as pipeline  I with stages Claim: adding a 1-bit feedback loop at most doubles the diameter Intuitive, but see paper for proof

21 11.7.2005 Daniel Kroening 21 Structural Analysis Q: What is the back-edge? A: Pick one that produces small CT! Bound: (  1 +  2 ) ¢ 2 x where x = min { j, k }

22 11.7.2005 Daniel Kroening 22 Structural Analysis Now can compute CT as follows: 1.Identify inner cycle in the LDG 2.Terminate if no cycle 3.Compute bound for inner cycle (  ) 4.Replace an inner cycle with a pipeline with  stages 5.Repeat

23 11.7.2005 Daniel Kroening 23 Limitations There could be cycles, but no “innermost cycle” Cycles share a component Hope: rare in circuits

24 11.7.2005 Daniel Kroening 24 Automatic Abstraction Refinement Property holds Yes No Bug found BMC Refine Abstract Compute Spurious counterexample [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

25 11.7.2005 Daniel Kroening 25 Refinement Like McMillan Obtain proof of unsatisfiability of simulation BMC instance Not constrained to abstract counterexample! Examine which signals are important for the fact that there is no error of length k Fewer iterations than counterexample-based refinement

26 11.7.2005 Daniel Kroening 26 Experimental Results

27 11.7.2005 Daniel Kroening 27 Conclusion Structural analysis and abstraction for a complete BMC that is practical Complete model checking based on basic SAT engine only – and no simple paths

28 11.7.2005 Daniel Kroening 28 Open Problem Circuits only so far But verification engineers like INVAR/TRANS style models However: INVAR/TRANS can increase the diameter!

29 11.7.2005 Daniel Kroening 29 Current Projects Arbitrary circuit structures Do this for software Explore effect of other abstraction techniques on CT of abstract model CT and abstractions for full LTL Make use of information of failed proof attempt with abstract model

30 11.7.2005 Daniel Kroening 30 Questions?

Download ppt "11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,

SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti,
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton.

Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton.
BackSpace: Formal Analysis for Post-Silicon Debug Flavio M. de Paula * Marcel Gort *, Alan J. Hu *, Steve Wilton *, Jin Yang + * University of British.

BackSpace: Formal Analysis for Post-Silicon Debug Flavio M. de Paula * Marcel Gort *, Alan J. Hu *, Steve Wilton *, Jin Yang + * University of British.
SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.

SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.
Possibilistic and probabilistic abstraction-based model checking Michael Huth Computing Imperial College London, United Kingdom.

Possibilistic and probabilistic abstraction-based model checking Michael Huth Computing Imperial College London, United Kingdom.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)
SAT-based Bounded Model Checking

SAT-based Bounded Model Checking
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Similar presentations

Ads by Google