Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAT-Based Model Checking Without Unrolling Aaron R. Bradley.

Published byBrian Moore Modified over 8 years ago

Similar presentations

Presentation on theme: "SAT-Based Model Checking Without Unrolling Aaron R. Bradley."— Presentation transcript:

1 SAT-Based Model Checking Without Unrolling Aaron R. Bradley

2 Outline Introduction to model checking Definitions Algorithm Conclusion References

3 Introduction (1/2) What is model checking? – Objective : verify finite state systems formally. – Model M : finite state transition graph – Formula P : specification (temporal logic) – Check whether all reachable states s of M satisfy P, denoted M,s ╞ P. Model Formula P Model checker True or False Important part of formal verification

4 Introduction (2/2) Types of model checking – BDD based Too large for a great amount of variables Variable ordering is time consuming – SAT based Bounded Model Checking Unbounded Model Checking – Unbounded symbolic model checking – Interpolation-based model checking (ITP) SAT-based model checking without unrolling

5 Outline Introduction to model checking Definitions Algorithm Conclusion References

6 Definitions Finite-state transition system S : (, I( ), T(, ’)) State s : an assignment of. F-state : S ╞ F Clause : a disjunction of literals. Subclause : The set of d’s literals is a subset of c’s. Trace s 0, s 1, s 2,... :, Safety property P( ) : for the system S, P is S-invariant iff only P-states are reachable. not invariant iff a trace s 0,..., s k such that Initial condition transition relation Next state A set of Boolean variables A state that appears in some traces is reachable.

7 F I T s s’ t t’ P F( ) is inductive : (1) initiation (2) consecution F( ) is inductive relative to G( ) : (1) (2) F( ) is inductive strengthening of P : (1) (2) If F is a system  only P-states are reachable  P is F-invariant Definitions F I T s s’ F I s G t t’ F( ) : formula (can be seen as a set of states with variable )

8 Definitions Inductive generalization of a cube s : The process to find a minimal inductive subclause d of ¬ s (inductive relative to G) (1) (2) d is inductive. (3) d doesn’t contain any inductive subclauses. How to find d : 1. down: Let d=c 0 = c, check if ( ), d is inductive. else let d=c 1 = c 0 ∩ ¬ s (s : counterexample), iterate the process… 2. MIC: is inductive but not necessarily minimal. Let d 1 = d (drop some literal), and call down to reduce its size. If it fails, try a different literal until no literal can be dropped. subclause inductive minimal

9 Example (1/3) Find minimal inductive subclause Assume I = {100}, c = {110} Clauses(c) = (xy ¬ z) Clause( ¬ c) = ( ¬ x+ ¬ y+z) down Let d = ¬ c = { 000, 001, 010, 011, 100, 101, 111} = ( ¬ x+ ¬ y+z) Check Let d = d ∩ ¬ s = { 000, 001, 010, 011, 100, 101} = ( ¬ x+ ¬ y) Check 100001010 101000011 110 111 Reachable state Unreachable state Counterexample Initial state Over-approximate

10 Example (2/3) MIC Let d 1 = d (drop ¬ y) = ¬ x call down with Clause( ¬ c) = ( ¬ x+ ¬ y+z) Let d = ¬ x = { 000, 001, 010, 011} Check 100001010 101000011 110 111

11 Example (3/3) MIC Let d 1 = d (drop ¬ x) = ¬ y call down with Clause( ¬ c) = ( ¬ x+ ¬ y+z) Let d = ¬ y = { 000, 001, 100, 101} Check Let d = d ∩ ¬ s = { 000, 100, 101} = ( ¬ y)(x+y+ ¬ z) = ( ¬ y)(x+ ¬ z) Check Let d = d ∩ ¬ s = { 000, 101}  d = ( ¬ x+ ¬ y) is the minimal inductive subclause of c. 100001010 101000011 110 111

12 Outline Introduction to model checking Definitions Algorithm Conclusion References

13 P Algorithm Input: a transition system S and a safety property P. Output: an inductive strengthening (if P is S-invariant) or a counterexample trace (if P is not S-invariant) Core logical data structure The algorithm incrementally refines and extends a sequence of formulas F 0 =I, F 1, F 2,..., F k that are over- approximations of the sets of states reachable in at most 0, 1, 2,..., k steps. They obeys the following properties: – (1) – (2) – (3) – (4) F i+1 Fi Fi I

14 P Computational Flow F 0 = I : the initial state set, check 0 or 1 step violation. F 1 =P : find 2 step violation from I eliminate s by adding clauses( ¬ s) in F i (i= 0~k) to which is inductive relative by ¬ s. if ¬ s is not inductive relative to F1 : (add clauses ¬ s to F1 ) F 2,..., F k that are over-approximations of the sets of states reachable in at most 0, 1, 2,..., k steps. They obeys the following properties: – (1) – (2) – (3) – (4) F i+1 Fi Fi I

15 Block Diagram prove () { obvious violation for k = 1 to … check(k) propagate(k) } Main function: If P is S-invariant, return true check (k) { while s = the state lead to violation i = inductive(s, k) push({i+1, s}, k) } Ensure propagate (k) { for i = 1 to k if c not in F i+1 & add c to F i+1 If F i+1 = F i return true } inductive (s, k) { Find ¬ s is inductive relative to which F i (smallest i), then add minimal subclause of ¬ s to F 0 ~F i+1, return i } F 0 ~F i cannot reach s. F 0 F 1 … F i … F k F k+1 Fk Fk F1 F1 I P s Make s inductive relative to F k, so ¬s¬s ¬s ¬s ¬s¬s¬s ¬s ¬s ¬s ↑ ↑ ↑ ↑ Subclause of ¬ s If i < k-1, F k still contains s s push ({n, s}, k) { While(not all n of states > k) choose min n, if p = predecessor of s m = inductive(p, k) add {m+1, p} to states else m = inductive(s, k) states \ {n, s} U {m+1, s} } F i+1 ~F k cannot reach s.

16 Example (1/4) Example I = {000}, P = ¬ x+ ¬ y+ ¬ z prove() { (0 or 1 step violation) // false initialize // F 0 = {000}, F 1 = F 2 = F 3 =... = P for // k = 1 check (k=1) { while (F 1 will go to ¬ P) // true s = the state lead to violation // s={111} i = inductive (s, k=1) { find ¬ s inductive relative to F 0 eliminate s in F 0, F 1 // F 0 = {000}, F 1 =P\{111} } // i=0 push ({n=1, s=111}, k=1) 000001010 110101100 011 111 prove () { obvious violation for k = 1 to … check(k) propagate(k) } check (k) { while s = the state lead to violation i = inductive(s, k) push({i+1, s}, k) } inductive (s, k) { Find ¬ s is inductive relative to which F i (smallest i), then add minimal subclause of ¬ s to F 0 ~F i+1, return i } ¬P¬P I

17 Example (2/4) Example I = {000}, P = ¬ x+ ¬ y+ ¬ z push ({n=1, s=111}, k=1) { while (not all n > k) { // true, states = {1,111} choose {1, s}, if( ) // true p = predecessor of s // p = {011} m = inductive (p, k=1) { find ¬ p inductive relative to F 1 eliminate s in F 0, F 1, F 2 // F 0 = {000}, F 1 =P\{111,011}, F 2 =P\{011} } // m = 1 add {2, p} to states // states = {1,111}, {2,011} } 000001010 110101100 011 111 push ({n, s}, k) { While(not all n of states > k) choose min n, if p = predecessor of s m = inductive(p, k) add {m+1, p} to states else m = inductive(s, k) states \ {n, s} U {m+1, s} }

18 Example (3/4) Example I = {000}, P = ¬ x+ ¬ y+ ¬ z while (not all n > k) // true, states = {1,111}, {2,011} choose {1, s}, if( ) // false, because F 1 =P\{111,011} m = inductive (s, k=1) { find ¬ s inductive relative to F 1 eliminate s in F 0, F 1, F 2 // F 0 = {000}, F 1 =P\{111,011}, F 2 =P\{111, 011} } // m = 1 states \ {1,s} U {2,s} // states = {2,111}, {2,011} 000001010 110101100 011 111 push ({n, s}, k) { While(not all n of states > k) choose min n, if p = predecessor of s m = inductive(p, k) add {m+1, p} to states else m = inductive(s, k) states \ {n, s} U {m+1, s} }

19 Example (4/4) Example I = {000}, P = ¬ x+ ¬ y+ ¬ z while (not all n > k) // false, states = {2,111}, {2,011} // exit push // F 0 = {000}, F 1 =P\{111,011}, F 2 =P\{111, 011} // F 0 = ¬ x ¬ y ¬ z, F 1 = ¬ y+ ¬ z, F 2 = ¬ y+ ¬ z propagate(1) { for i = 1 for c = ( ¬ y+ ¬ z) if(…) // false if F i+1 = F i return true //true } Prove return true  P is invariant ! (It cannot reach ¬ P state ) 000001010 110101100 011 111 push ({n, s}, k) { While(not all n of states > k) choose min n, if p = predecessor of s m = inductive(p, k) add {m+1, p} to states else m = inductive(s, k) states \ {n, s} U {m+1, s} } prove () { obvious violation for k = 1 to … check(k) propagate(k) } propagate (k) { for i = 1 to k if c not in F i+1 & add c to F i+1 If F i+1 = F i return true}

20 Outline Introduction to model checking Definitions Algorithm Conclusion References

21 Conclusion (1/2) Performance of ic3 in HWMCC’10 – Incremental generation of stepwise-relative inductive clauses is a promising new approach to symbolic model checking. – It is amenable to simple yet effective parallelization. Future work : – How inductive clause generation can be used to accelerate finding counterexamples – Apply the ideas of stepwise-relative inductive generalization to an infinite-state setting.

22 Outline Introduction to model checking Definitions Algorithm Conclusion References

23 Reference Orna Grumberg and Helmut Veith, 25 years of model checking: history, achievements, perspectives

24 Thanks for your attention.

Download ppt "SAT-Based Model Checking Without Unrolling Aaron R. Bradley."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:

Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Aaron Bradley University of Colorado, Boulder

Aaron Bradley University of Colorado, Boulder
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Similar presentations

Ads by Google