SAT-based Bounded and Unbounded Model Checking - PowerPoint PPT Presentation

About This Presentation

Title:

SAT-based Bounded and Unbounded Model Checking

Description:

SAT-based Bounded and Unbounded Model Checking Edmund M. Clarke Carnegie Mellon University Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti, – PowerPoint PPT presentation

Number of Views:165

Avg rating:3.0/5.0

Slides: 65

Provided by: utexasEdu

Learn more at: https://www.cs.utexas.edu

Category:

more less

Transcript and Presenter's Notes

Title: SAT-based Bounded and Unbounded Model Checking

1
SAT-based Bounded and Unbounded Model Checking
Edmund M. Clarke Carnegie Mellon University
Joint research with C. Bartzis, A. Biere, P.
Chauhan, A. Cimatti, T. Heyman, D. Kroening, J.
Ouaknine, R. Raimi, O. Strichman, and Y. Zhu
2
Why am I giving this talk?
I have an ulterior motive for this talk.
Second Edition!
Need a chapter on SAT for the second edition.
3
Outline of Talk

1. Motivation
2. Bounded Model Checking
3. Complete methods using SAT
a. Induction
b. Unbounded Model Checking
--- with cube enlargement
--- with circuit co-factoring
--- with interpolants

4
Outline of Talk

1. Motivation yes
2. Bounded Model Checking yes
3. Complete methods using SAT
a. Induction no
b. Unbounded Model Checking
--- with cube enlargement yes
--- with circuit co-factoring yes
--- with interpolants no

5
SAT Solver Progress 1960 -2010
6
Model Checking (CE81,QS82)

Specification temporal logic
Model finite state transition graph
Advantages
Always terminates
Automatic
Usually fast
Can handle partially specified models
Counterexample if specification is false

7
Symbolic Model Checking

Method used by most industrial strength model
checkers.
Uses Boolean encoding for state machine and sets
of states.
Can handle much larger designs hundreds of
state variables.
BDDs traditionally used to represent Boolean
functions.

8
Problems with BDDs

BDDs are a canonical representation. Often become
too large.
Variable ordering must be uniform along paths.
Selecting right variable ordering very important
for obtaining small BDDs.
Often time consuming or needs manual
intervention.
Sometimes, no space efficient variable ordering
exists.
This talk describes alternative approaches
to model checking that use SAT procedures.

9
Advantages of SAT Procedures

SAT procedures also operate on Boolean formulas
but do not use canonical forms.
Do not suffer from the potential space explosion
of BDDs.
Different split orderings possible on different
branches.
Very efficient implementations exist.

10
Bounded Model Checking

A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic
Model Checking without BDDs, TACAS99

11
Bounded Model Checking as SAT
Given a property p (e.g. signal_a
signal_b) Is there a state reachable in k
cycles, which satisfies ?p ?
p
p
?p
p
p
. . .
s0
s1
s2
sk-1
sk
12
The reachable states in k steps are captured by
Bounded Model Checking Safety
The property p fails in one of the k steps
13
Bounded Model Checking Safety
The safety property p is valid up to step k iff
W(k) is unsatisfiable
p
p
?p
p
p
. . .
s0
s1
s2
sk-1
sk
14
Example a two bit counter
Bounded Model Checking Safety
Initial state I l r
Transition R l (l ? r) r r
Property G (?l ? ?r).
For k 2, W(k) is unsatisfiable. For k 3 W(k)
is satisfiable
15
Bounded Model Checking Liveness
There is no counterexample of length k to
the Liveness property Fp iff W(k) is
unsatisfiable

?p
p
p
p
p
. . .
s0
s1
s2
sk-1
sk
16
BMC formula for arbitrary LTL(Standard
translation)
Size of resulting formula O(kM k3?) With
sharing of subformulas becomes O(kM k2?)
17
A fixpoint based translation
T. Latvala, A. Biere, K. Heljanko, and T.
Junttila Simple Bounded LTL Model Checking
FMCAD 04

Idea for lasso-shaped Kripke structures, the
semantics of LTL and CTL coincide.
Add a formula that isolates a lasso-shaped path.
Use the fixpoint characterization of CTL, e.g.
E? U ? ? ? (? EX E? U
? )

i
k
18
Overall formula
19
Loop constraints

If li is true then there exists a loop at
position i.
At most one li is true.

20
Fixpoint formula
k
i
j
False True
Size of resulting formula O(k(M ?))
21
Generating the BMC formula(Based on the
Vardi-Wolper algorithm)

A labeled Büchi automaton is a 5-tuple
BhS, S0 , ?, L, F i
Acceptance condition
An infinite word w is accepted iff the
execution of w on B passes through a final state
an infinite number of times.

states
initial states
transition relation
final states
labels
22
LTL model checking

Given
Transition system M
LTL property ?
Translate ?? into a Buchi automaton B??
Compute product automaton P M B ??
Check if P is empty
Is a fair loop reachable?

23
Generating the BMC formula
E. Clarke, D. Kroening, J. Ouaknine, and O.
Strichman Computational chalenges in Bounded
Model Checking STTT 05

Encode all paths of P that start at an initial
state and are k steps long.
Require that
at least one path contains a loop.
at least one state in the loop is final.

24
Generating the BMC formula
Start from the initial state
Require that some state in the loop is final
Choose a state where the loop starts
Follow k transitions
25
Bounded Model Checking
k 0
k
UnSAT
no
CT is the completeness threshold
26
The Completeness Threshold

Computing CT is as hard as model checking.
Idea Compute an over-approximation to the actual
CT
Consider system P as a graph.
Compute CT from structure of P.

27
Basic notions

Diameter D(M) longest shortest path between any
two reachable states.
Recurrence Diameter RD(M) longest loop-free
path between any two reachable states.
The initialized versions DI(M) and RDI(M)
start from an initial state.

D(M) 2
RD(M) 3
28
CT for safety properties

Theorem for AGp properties CT DI(M)

For AFp properties this does not hold
DI(M)3 but CT4
29
CT for liveness properties

Theorem for AFp properties CT RDI(M)1

Theorem for an LTL property ? CT ?

30
CT for arbitrary LTL properties
Shortest counterexample

Theorem CKOS 05
A Completeness Threshold for any LTL property
? is min(rd I(P )1, d I(P )d (P ))

31
Why take the minimum?
Example 1
dI(P)d(P) 6 rdI(P)1 4
gt
Example 2
dI(P)d(P) 2 rdI(P)1 4
lt
32
Formulation of diameter in QBF
Infeasible to compute the diameter using a
poly-time algorithm for shortest paths.
33
SAT-based Diameter Computation

M. Mneineh, K. Sakallah,SAT-based Sequential
Depth Computation,ASPDAC03
Check if there is a state s reachable in c steps
but not reachable in less than c steps.
Increment c, until no state is reachable in c
steps.
May enumerate many states in 1.

34
Recurrence diameter as SAT
O(n2)
O(nlogn)
O(n)
35
Complexity of BMC Formula size

Original translation
O(kM k2?)
Automata based translation
O(kM2? )
Fixpoint based translation
O(k(M ?))

36
Complexity of BMC

Size of SAT instance is O(k(M ?))
k can become as large as the diameter of the
system, which is exponential in the number of
state variables in the worst case.
SAT is exponential time.
Therefore, SAT based BMC has doubly exponential
complexity.
But LTL model checking is singly exponential!

37
Why use SAT based BMC?

Infeasible to represent P explicitly.
Identify shallow errors efficiently.
In many cases rd(P) and d(P) are not exponential
and can be rather small.
E.g. hardware components without counters
Modern SAT solvers are very successful in
practice.

38
Unbounded Model Checkingusing Cube Enlargement

P. Chauhan, E. Clarke, and D. Kroening Using
SAT based
Image Computation for Reachability Analysis
CMU-CS-03-151

39
Reachability analysis

Consider a system with state variables x and
inputs i.
S0(x) is the set of initial states.
T(x,i,x) is the transition relation.
We want to compute the set of reachable states
Sreach .
Iterative process Compute the states reachable
in 1 step, 2 steps,

40
Image computation and Reachability

The set of immediate successors of states S (x)
is given by
The set of all reachable states is the least
fixpoint

Img(S) 9 x, i. T(x, i, x) Æ S(x)
41
Computing Reachability

Si1 is the set of new states directly reachable
from Si
Then Sreach is the union of all Si

42
SAT based image computation

The transition relation T(x,i,x) is represented
as a CNF formula (a set of clauses).
If not already in CNF, it can be converted in
polynomial time.
The set of newly reachable states after each step
Si as well as their union Sreach are represented
in DNF (a set of cubes).
Obviously ?Sreach is in CNF.

43
SAT based image computation
44
The image computation step

Si is in DNF
Convert to CNF by introducing new variables
Solve the CNF formula
Si(x) ? T(x,i, x) ? ?Sreach(x)
Solution is a cube d
Project d to x and rename to x
Add d to Sreach(x) and Si1(x)
Repeat until the formula becomes unsat

45
Efficiency issues

The number of satisfying assignments can be
exponential in the number of variables. Therefore
two problems
Enumeration of full assignments is slow.
Solution Cube enlargement
The representation of Sreach and Si can grow too
large.
Solution Systematically combine cubes using an
appropriate data structure.

46
Cube enlargement

SAT solvers like zChaff return complete
assignments (minterms).
Partial assignments (cubes) are better, because
they represent multiple minterms.

For example, the cube x1 ? x4 represents 4
minterms
x1 ? x2 ? x3 ? x4 x1
? ?x2 ? x3 ? x4 x1 ?
x2 ? ?x3 ? x4 x1 ? ?x2 ?
?x3 ? x4
47
Efficient cube set representation

Cubes are stored in a hash table of tries.
Each trie is associated to a unique subset of
state variables.
Whenever a new cube d is inserted, the
corresponding trie is searched for cubes d that
differ only in one literal.
The merged cube (without the differing literal)
is stored instead of d and d.

48
Efficient cube set representation
Hash table
x1, x2
x1, x7 , x8
x2, x4
Hash keys

Tries
x2, x3 , x4

New cube x2 ? ?x3 ? ?x4
Identify appropriate hash table entry
Look for matching cubes
If match was found, delete cube and insert merged
cube

x2
?x2
x3
x3
?x4
x4
x2 ? ?x4
49
Related work

Gupta et al, FMCAD 00 and ICCAD 01
? Mixed BDD / SAT approach
K. McMillan, CAV 02
? Sets of states represented in CNF
? CNF clauses stored in ZDDs
? Conflict analysis for cube enlargement
H. Kang and I. Park, DAC 03
? Offline Espresso to reduce the number of cubes
? No cube enlargement

50
Unbounded Model Checking using Circuit
Cofactoring

M. Ganai, A. Gupta and P. Ashar,
Efficient SAT-based Unbounded Symbolic Model
Checking Using Circuit Cofactoring, ICCAD 04

51
SAT-based Image Computation

The SAT-based procedure enumerates all state cube
solutions.
Each invocation of the SAT solver generates one
new state cube.
A blocking clause representing the negation of
the state cube is added at each step.
The main problem is that the required number of
steps can be very large.

52
Main Contribution

Use circuit cofactoring to capture a large set of
states at each enumeration step.
Less enumeration steps
Use circuit graph simplification to compact the
captured states.
Use a Hybrid Sat Solver that works on both
OR/INVERTER circuits and CNF.

53
Definitions

State variables X.
Input variables U.
Partial assignment ? XU !0,1 .
State cube s is the projection of ? on X .
Input cube u is the projection of ? on U .
Minterm m is a complete assignment to U extending
u .

54
Example

X x1, x2
U u1, u2
? x1 u2
s x1
u u2
m u1 u2

55
Cofactors of Boolean functions

Cofactors of f(v1,,v,) with respect to variable
v are fv(v1,,1,), fv(v1,,0,)
Cofactor of f with respect to cube c, is fc
Obtained by cofactoring f with respect to each
literal in c.
Example

56
Producing larger sets of states

Given a formula f and a satisfying assignment
cube s
Isolate the input part of s and complete it by
picking values for unassigned inputs.
Cofactor f with respect to the satisfying input
minterm m.
Use the function f m obtained in 2, to represent
the set of satisfying states.

57
Example