Tuning SAT-checkers for Bounded Model-Checking (PowerPoint transcript)
1
Tuning SAT-checkers for Bounded Model-Checking
  • A bounded guided tour
  • Ofer Strichman
  • Carnegie Mellon University

2
Model Checking
  • Given
  • a finite transition system M = (S, I, r)
  • a temporal property φ
  • The model checking problem: does M satisfy φ?

3
Model Checking
  • Temporal properties
  • Always x=y (G(x=y)) [safety property]
  • Every Send is followed by Ack (G(Send → F Ack)) [liveness property]
  • Reset can always be reached (GF Reset) [liveness property]
  • From some point on, always switch_on (FG switch_on) [liveness property]
4
Advances in Model Checking
  • Explicit model checking (1980 onwards)
  • Symbolic model checking with Binary Decision Diagrams (1991 onwards)
  • Symbolic bounded model checking with SAT solvers (1999 onwards)

5
Bounded Model Checking
(Biere, Cimatti, Clarke, Zhu, 1999)
  • A.I. planning problems: can we reach a desired state in k steps?
  • Verification of safety properties: can we find a bad state in k steps?
  • Verification: can we find a counterexample in k steps?

6
Bounded Model Checking
  • Most safety properties can be reduced to Always p, where p is propositional.
  • Is there a state reachable within k cycles that satisfies ¬p?

7
Reducing the BMC problem to SAT
p is preserved up to cycle k iff W(k) is unsatisfiable.
8
Example: a two-bit counter
Initial state:
Transition:
Property: Always ¬(l ∧ r).
W(2) is unsatisfiable. W(3) is satisfiable.
9
Bounded Model Checking
  • All Linear-time Temporal Logic (LTL) properties can be checked with BMC
  • BMC can be applied to software, e.g. C programs (Kroening, Clarke, 2002)
  • Unwind each loop k times
  • Represent the program in Single Assignment Form (SAF)
  • Solve the resulting bit-vector verification condition

10
Bounded Model-Checking of software
  • while() loops are unwound

    void f(...) {
      ...
      while (cond) { Body }
      Rest
    }

11
Bounded Model-Checking of software
  • while() loops are unwound

    void f(...) {
      ...
      if (cond) {
        Body
        while (cond) { Body }
      }
      Rest
    }

12
Bounded Model-Checking of software
  • while() loops are unwound

    void f(...) {
      ...
      if (cond) {
        Body
        if (cond) {
          Body
          while (cond) { Body }
        }
      }
      Rest
    }

13
Bounded Model-Checking of software
  • while() loops are unwound iteratively
  • An assertion may be inserted after the last iteration; it is violated if the program runs longer than the bound permits

    void f(...) {
      ...
      if (cond) {
        Body
        if (cond) {
          Body
          if (cond) {
            Body
            while (cond) { Body }
          }
        }
      }
      Rest
    }

14
Bounded Model-Checking of software
  • while() loops are unwound iteratively
  • An assertion may be inserted after the last iteration; it is violated if the program runs longer than the bound permits

    void f(...) {
      ...
      if (cond) {
        Body
        if (cond) {
          Body
          if (cond) {
            Body
            if (cond) assert(FALSE);
          }
        }
      }
      Rest
    }
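Worked example, added here and not part of the presentation: a small Python generator that performs the unwinding of slides 10 to 14 on a textual loop (the condition and body are passed as strings, so `Body` and `Rest` stay whatever the reader substitutes), plus a concrete interpreter that shows what the unwinding assertion detects: it fails exactly on inputs for which the original loop would run more than k iterations, i.e. when the chosen bound does not cover that execution. The counting loop at the bottom is constructed for the example.

```python
"""Loop unwinding for software BMC, as on slides 10-14 (added example)."""


def unwind_loop(cond, body, k, tail="assert", indent="    "):
    """Return C-like text replacing `while (cond) { body }` by k nested guarded copies.

    tail="loop" leaves the residual `while` loop innermost (slides 11-13);
    tail="assert" puts the unwinding assertion of slide 14 there instead, so that
    the generated program fails exactly when the original loop would run for more
    than k iterations.
    """
    lines = []
    for depth in range(k):
        pad = indent * depth
        lines.append(f"{pad}if ({cond}) {{")
        lines.append(f"{pad}{indent}{body}")
    pad = indent * k
    if tail == "loop":
        lines.append(f"{pad}while ({cond}) {{ {body} }}")
    elif tail == "assert":
        lines.append(f"{pad}if ({cond}) {{ assert(0); }}  /* unwinding assertion */")
    else:
        raise ValueError("tail must be 'loop' or 'assert'")
    for depth in range(k - 1, -1, -1):
        lines.append(f"{indent * depth}}}")
    return "\n".join(lines)


def run_bounded(cond, body, state, k):
    """Execute the loop concretely for at most k iterations.

    `cond` and `body` are Python callables over a mutable state dict. Returns
    (state, violated); `violated` is True exactly when the unwinding assertion
    would fail for this input, i.e. the loop is still active after k iterations
    and the bound k is too small to cover this run.
    """
    for _ in range(k):
        if not cond(state):
            return state, False
        body(state)
    return state, bool(cond(state))


# Constructed loop for the demonstration: `i` counts up to `n`.
def count_cond(state):
    return state["i"] < state["n"]


def count_body(state):
    state["i"] += 1


if __name__ == "__main__":
    print(unwind_loop("i < n", "i++;", 3))
    for n in (2, 5):
        _, violated = run_bounded(count_cond, count_body, {"i": 0, "n": n}, 3)
        print(f"n = {n}: unwinding assertion {'violated' if violated else 'holds'} with k = 3")
```

The generator only rewrites the loop; turning the result into Single Assignment Form and a bit-vector formula is the next step of slide 9 and is not done here.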
15
Bounded Model Checking - First impression
  • First experiments with BMC in industry showed that it is rarely faster than (BDD-based) model checkers unless k is very small.
  • But model checkers had enjoyed more than 10 years of R&D.

16
The Davis-Putnam procedure
  • Given W(k) in CNF, e.g. (x, y, z), (x, y), (y, z), (x, y, z) (the negation signs did not survive the transcript)
  • Search loop (figure): W → Decide() → Deduce() (×1000) → conflict? → Diagnose()
17
Tuning SAT for BMC
  • Restrict Decide() to a small set of variables
  • Use the variable dependency graph for smarter orderings
  • Exploit W(k)'s structure to restrict the state space
  • Learn more by exploiting the symmetry of W(k)
  • Reuse information between the SAT instances

18
1. Restricting Decide()
  • Restrict Decide() to a smaller set of variables that uniquely determines the satisfiability of W(k):
  • Model (state) variables (about 15% of W(k)'s variables)
  • Input variables (about 5% of W(k)'s variables)
  • Fewer variables to Decide() implies more variables to Deduce()
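Worked example, added here and not code from the presentation: the unrolling W(k) of slides 7 and 8, solved by a minimal Davis-Putnam style solver in the shape of slide 16 (Decide(), Deduce() by unit propagation, chronological backtracking; no Diagnose()/clause learning) whose Decide() is restricted to the input variables as slide 18 proposes. The slide's own initial state and transition relation did not survive extraction, so the counter modelled below is an assumption: two bits (l, r) that count up when an enable input e is 1, starting at 00, with the property Always ¬(l ∧ r). With that model W(2) is unsatisfiable and W(3) is satisfiable, matching the slide, and the counterexample trace is 00, 01, 10, 11. Because every non-input variable is a function of earlier ones, Deduce() fixes all of them once the inputs are decided, which is the point of slide 18.

```python
"""Two-bit counter BMC with a tiny Davis-Putnam style solver (added example)."""


def unit_propagate(clauses, assignment):
    """Deduce(): assign every literal forced by a unit clause until nothing changes.

    `assignment` maps a variable number to a bool and is updated in place.
    Returns False as soon as a clause has all its literals false (a conflict).
    """
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned = []
            satisfied = False
            for lit in clause:
                value = assignment.get(abs(lit))
                if value is None:
                    unassigned.append(lit)
                elif value == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not unassigned:
                return False            # conflict: every literal is false
            if len(unassigned) == 1:    # unit clause: its last literal must be true
                lit = unassigned[0]
                assignment[abs(lit)] = lit > 0
                changed = True
    return True


def dpll(clauses, decision_vars, stats, assignment=None):
    """Decide() / Deduce() / chronological backtracking (no clause learning).

    Decisions are made on `decision_vars` first; any other variable is decided
    only if propagation leaves it open. Returns a satisfying assignment or None.
    """
    assignment = dict(assignment or {})
    if not unit_propagate(clauses, assignment):
        return None
    all_vars = {abs(lit) for clause in clauses for lit in clause}
    order = list(decision_vars) + sorted(all_vars - set(decision_vars))
    for var in order:
        if var not in assignment:
            for value in (False, True):
                stats["decisions"] += 1
                model = dpll(clauses, decision_vars, stats, {**assignment, var: value})
                if model is not None:
                    return model
            return None                 # both branches conflict: backtrack
    return assignment                   # everything assigned, no conflict


def xor_clauses(c, a, b):
    """CNF for c <-> (a xor b)."""
    return [[-c, a, b], [-c, -a, -b], [c, -a, b], [c, a, -b]]


def and_clauses(c, a, b):
    """CNF for c <-> (a and b)."""
    return [[-c, a], [-c, b], [c, -a, -b]]


def counter_bmc(k):
    """Build W(k) for the assumed counter model and solve it.

    Assumed model (not the slide's, whose definition did not survive extraction):
      I(s0):  l0 = 0, r0 = 0
      R:      r' = r xor e,  l' = l xor (r and e)   -- count up when input e = 1
      p:      not (l and r)                         -- the counter never shows 11
    W(k) = I(s0) and R(s0,s1) and ... and R(s_{k-1},s_k) and (not p(s0) or ... or not p(sk))
    Returns (satisfiable, trace, decisions); trace lists the (l, r) states of the
    counterexample when W(k) is satisfiable.
    """
    fresh = iter(range(1, 10 * (k + 2)))
    l = [next(fresh) for _ in range(k + 1)]   # model (state) variables
    r = [next(fresh) for _ in range(k + 1)]
    e = [next(fresh) for _ in range(k)]       # input variables
    clauses = [[-l[0]], [-r[0]]]              # I(s0)
    for i in range(k):                        # R(s_i, s_{i+1})
        t = next(fresh)                       # t_i <-> (r_i and e_i)
        clauses += and_clauses(t, r[i], e[i])
        clauses += xor_clauses(r[i + 1], r[i], e[i])
        clauses += xor_clauses(l[i + 1], l[i], t)
    bad = []
    for i in range(k + 1):                    # v_i <-> not p(s_i)
        v = next(fresh)
        clauses += and_clauses(v, l[i], r[i])
        bad.append(v)
    clauses.append(bad)                       # some cycle 0..k violates p
    stats = {"decisions": 0}
    model = dpll(clauses, e, stats)           # Decide() only on the inputs
    if model is None:
        return False, [], stats["decisions"]
    trace = [(int(model[l[i]]), int(model[r[i]])) for i in range(k + 1)]
    return True, trace, stats["decisions"]


if __name__ == "__main__":
    for k in (2, 3):
        sat, trace, decisions = counter_bmc(k)
        verdict = "satisfiable" if sat else "unsatisfiable"
        print(f"W({k}) is {verdict} after {decisions} decisions; trace: {trace}")
```

The `decisions` counter makes the trade-off of slide 18 visible: with Decide() limited to the k input variables, the solver never branches on the 4k+3 state and auxiliary variables, all of which fall out of Deduce().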

19
2. Variable ordering
  • For a general CNF formula, dynamic strategies are typically better:
  • Most frequent in unsatisfied clauses (DLCS)
  • Satisfies the most clauses (DLIS)
  • Satisfies the most shortest clauses (MOM, JW)
  • Conflict driven (VSIDS)

Q: How well do they work with BMC formulas?
20
2. Variable ordering (abstract dependency graphs)
A (CNF) dependency graph D = (V, E)
A partitioning C1..Cn
An abstract dependency graph D' = (V', E')
21
2. Variable ordering (the natural order of W(k))
For W(k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear.
22
2. Variable ordering
With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously.
(figure: the time frames of W(k), from I0 to Pk)
23
General-purpose vs. tailor-made Decide() strategies...
φ = ... (x5 (y4 z5 u4)) ... (the connectives of this sub-formula did not survive the transcript)
General-purpose decision sequence: x5 = T, y4 = F, z5 = F, u4 = T → backtrack
24
2. Variable ordering (simple static ordering)
W(k) should satisfy I0 and ¬Pk.
Riding on unreachable states...
(figure: decisions along W(k), starting from I0)
25
Given an order, guess a value
  • Dynamic decision?
  • Constant value?
  • Previous value?
  • Flat computation?
  • ...
26
3. Exploiting W(k)'s structure
Can this regularity be used to speed up the search?
27
3. Exploiting W(k)'s structure
  • Conflict clauses are the main mechanism for learning
  • If (x3 = 1, y7 = 0, z5 = 1) leads to a conflict, add the conflict clause C = (¬x3 ∨ y7 ∨ ¬z5)

28
3. Exploiting W(k)'s structure (replicated clauses)
  • If x3 = 1, y7 = 0, z5 = 1 leads to a conflict, then so will x2 = 1, y6 = 0, z4 = 1
  • Therefore we can also add (¬x2 ∨ y6 ∨ ¬z4) ∧ ... ∧ (¬x0 ∨ y4 ∨ ¬z2) and (¬x4 ∨ y8 ∨ ¬z6) ∧ ... ∧ (¬x_{k-4} ∨ y_k ∨ ¬z_{k-2})
  • Yet W(k) is not fully symmetric, because of I0.
  • Check whether the clauses that caused the conflict include I0 variables.

29
4. Exploiting W(k)'s structure (reusing clauses)
  • When can a conflict clause C that was learned while solving W(k) be reused for solving W(k+1)?
  • Answer: when all clauses that together implied C are in W(k) ∩ W(k+1)
  • All clauses except the property are in W(k) ∩ W(k+1)
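Worked example, added here and not taken from the presentation: the clause-shifting rule of slide 28 and the reuse condition of slide 29 in Python. Literals are written as (name, frame, polarity) triples, and each learned clause is assumed to carry a record of which parts of W(k) its derivation touched (I0, the transition relation copies, the property); how a solver tracks that provenance is an implementation detail the slides do not cover. Run on the slide's own clause (¬x3 ∨ y7 ∨ ¬z5) with k = 10, the shifted copies range from (¬x0 ∨ y4 ∨ ¬z2) up to (¬x6 ∨ y10 ∨ ¬z8), i.e. (¬x_{k-4} ∨ y_k ∨ ¬z_{k-2}).

```python
"""Replicating and reusing conflict clauses across the time frames of W(k) (added example)."""

# A literal is a triple (name, frame, positive): ("x", 3, False) is ¬x3.
# `sources` records which parts of W(k) a conflict clause was derived from:
# "init" (I0), "trans" (the transition relation copies) and "prop" (the property).


def conflict_clause(assignment):
    """Negate a conflicting partial assignment {(name, frame): value} (slide 27)."""
    return [(name, frame, not value) for (name, frame), value in sorted(assignment.items())]


def replicated_clauses(clause, k, sources):
    """Return the clause plus every shifted copy whose frames still lie in 0..k (slide 28).

    The transition relation is the same in every frame, so a conflict derived only
    from R and the property recurs under any shift d that keeps all frames within
    0..k. A derivation that used I0 is tied to frame 0 and is not shifted.
    """
    if "init" in sources:
        return [clause]
    lo = min(frame for _, frame, _ in clause)
    hi = max(frame for _, frame, _ in clause)
    return [[(name, frame + d, pos) for name, frame, pos in clause]
            for d in range(-lo, k - hi + 1)]


def reusable_in_next_bound(sources):
    """Slide 29: C learned from W(k) may be added to W(k+1) iff every clause that
    implied it is in W(k) ∩ W(k+1); only the property clause differs between the two."""
    return "prop" not in sources


def render(clause):
    """Pretty-print a clause, e.g. (¬x3 ∨ y7 ∨ ¬z5)."""
    return "(" + " ∨ ".join(("" if pos else "¬") + f"{name}{frame}"
                            for name, frame, pos in clause) + ")"


if __name__ == "__main__":
    c = conflict_clause({("x", 3): True, ("y", 7): False, ("z", 5): True})
    for copy in replicated_clauses(c, 10, {"trans"}):
        print(render(copy))
    print("reusable in W(11):", reusable_in_next_bound({"trans"}))
    print("reusable in W(11):", reusable_in_next_bound({"trans", "prop"}))
```

Copies are only added while their frames stay inside 0..k; with the I0 check in place the clause is kept but not shifted, which is the conservative choice the slide calls for.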

30
Results (sec.)
(table; entries marked as exceeding 10,000 sec.)
Today, Chaff solves all of them in 7 minutes.
31
Results (sec.)
(table)
32
The Conclusion
  • The original conclusion (2000):
  • Many models that cannot be solved by BDD-based symbolic model checkers can be solved with the optimized SAT-based bounded model checker.
  • The other direction is true as well.
  • Today, BMC with SAT is dominant in finding shallow errors; BDD-based procedures are mainly used for proving their absence.

33
How big should k be?
  • For every model M and LTL property φ there exists k s.t.
  • The minimal such k is the Completeness Threshold (CT)

34
How big should k be?
  • Diameter d: longest shortest path from an initial state to any other reachable state.
  • Recurrence diameter rd: longest loop-free path.
  • rd ≥ d
(figure: example transition system with rd = 3)
35
How big should k be?
  • Theorem: for Gp properties CT = d

36
How big should k be?
  • Theorem: for Fp properties CT = rd
  • Open problem: the value of CT for general Linear Temporal Logic properties is unknown
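Worked example, added here and not from the presentation: computing d and rd for two small constructed transition systems and applying the two theorems of slides 35 and 36. The recurrence diameter is computed over loop-free paths that start in an initial state (the slide does not say whether its longest loop-free path must start in I0; that is an assumption here), and the CT values follow the slides as stated, including CT = rd for Fp. The first system is built so that d and rd differ (a shortcut makes the farthest state close, while the longest loop-free path still has three edges, the rd = 3 of slide 34); the second is the two-bit counter of slide 8, allowed to stall, where the two bounds coincide.

```python
"""Diameter, recurrence diameter and the completeness threshold (added example)."""
from collections import deque


def diameter(initial, edges):
    """d: the longest shortest path from an initial state to any reachable state (BFS)."""
    dist = {s: 0 for s in initial}
    queue = deque(initial)
    while queue:
        s = queue.popleft()
        for t in edges.get(s, ()):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return max(dist.values())


def recurrence_diameter(initial, edges):
    """rd: the longest loop-free path that starts in an initial state.

    Enumerates simple paths by DFS, which is exponential in general (this is why
    rd is expensive to compute exactly) but fine for toy systems.
    """
    best = 0

    def dfs(s, visited, length):
        nonlocal best
        best = max(best, length)
        for t in edges.get(s, ()):
            if t not in visited:
                dfs(t, visited | {t}, length + 1)

    for s in initial:
        dfs(s, {s}, 0)
    return best


def completeness_threshold(kind, initial, edges):
    """CT = d for Gp (slide 35) and CT = rd for Fp (slide 36, as the slide states)."""
    if kind == "Gp":
        return diameter(initial, edges)
    if kind == "Fp":
        return recurrence_diameter(initial, edges)
    raise ValueError("the slides give no CT theorem for general LTL")


# Constructed systems (states are integers, edges map a state to its successors).
# CHAIN: 0 -> 1 -> 2 -> 3 with a shortcut 0 -> 3; the farthest state by shortest
# path is 2 (d = 2) while the longest loop-free path 0 -> 1 -> 2 -> 3 gives rd = 3.
CHAIN = {"initial": [0], "edges": {0: [1, 3], 1: [2], 2: [3], 3: []}}
# COUNTER: the two-bit counter 00 -> 01 -> 10 -> 11 -> 00 that may also stall in place.
COUNTER = {"initial": [0], "edges": {0: [0, 1], 1: [1, 2], 2: [2, 3], 3: [3, 0]}}


if __name__ == "__main__":
    for name, system in (("chain", CHAIN), ("counter", COUNTER)):
        d = diameter(**system)
        rd = recurrence_diameter(**system)
        ct_g = completeness_threshold("Gp", **system)
        ct_f = completeness_threshold("Fp", **system)
        print(f"{name}: d = {d}, rd = {rd}, CT(Gp) = {ct_g}, CT(Fp) = {ct_f}")
```

For the chain, a Gp property can therefore be discharged with k = 2 while an Fp property needs k = 3; the self-loops of the counter do not lengthen rd because loop-free paths never revisit a state.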

37
The General case
  • Büchi automata B = ⟨S, S0, r, F, L⟩
  • S - states
  • S0 ⊆ S - initial states
  • r ⊆ S × S - transition relation
  • F ⊆ 2^S - accepting sets
  • L: S → 2^AT - labeling function
  • Let inf(ω) be the set of states visited an infinite number of times by a run ω
  • B accepts ω iff there exists f ∈ F s.t. inf(ω) ∩ f ≠ ∅

38
The General case
  • Every LTL formula φ can be represented by a Büchi automaton B_φ

39
LTL model checking
  • Given M and φ, construct B_¬φ
  • LTL model checking: is ψ = M × B_¬φ empty?
  • Emptiness checking: is there a path to a loop with an accepting state?
  • → a witness to G true with a fairness constraint
  • M ⊨ φ iff ψ is empty

40
LTL Bounded Model Checking
  • Unroll ψ k times
  • Find a witness to G true with the fairness constraint
(figure: a path from s0 to a loop through an accepting state f)