SAT-based Bounded Model Checking

celine
Presentation Transcript


  1. SAT-based Bounded Model Checking

  2. Formulation of famous problems as SAT: Bounded Model Checking. Given a property p (e.g. “always signal_a = signal_b”): is there a state reachable within k cycles which satisfies ¬p? (Figure: a path s0 → s1 → s2 → … → sk-1 → sk, each state annotated with ¬p: a state violating p anywhere on the path is the counterexample being searched for.)

  3. Bounded Model Checking: safety. The reachable states in k steps are captured by: The property p fails in one of the cycles 1..k:

  4. Bounded Model Checking: safety. The safety property p is valid up to cycle k iff W(k) is unsatisfiable. (Figure: the path s0 → s1 → s2 → … → sk-1 → sk, each state annotated with ¬p.)

  5. Bounded Model Checking: safety. Example: a two-bit counter (figure: the states 00, 01, 10, 11, which the transition relation below visits in the order 00 → 01 → 10 → 11 → 00). Initial state I: ¬l ∧ ¬r. Transition R: l' = (l ⊕ r) ∧ r' = ¬r. Property: G(¬l ∨ ¬r), i.e. the counter never shows 11. For k = 2, W(k) is unsatisfiable. For k = 4, W(k) is satisfiable.

  6. Bounded Model Checking: liveness. The liveness property Fp is valid up to cycle k iff W(k) is unsatisfiable: (Figure: the path s0 → s1 → s2 → … → sk-1 → sk, each state annotated with ¬p.)

  7. Intel’s results (2002)

  8. IBM’s results (2000)

  9. SAT made some progress…

  10. Bounded Model Checking (flowchart): start with k = 0; run BMC(M, f, k); if the answer is yes, stop (a counterexample was found); if no, set k++ and run again; the loop ends when k ≥ ? (the bound is not known) or when resources are exceeded.

  11. How big should k be? • For every finite model M and LTL property φ there exists k s.t. • We call the minimal such k the Completeness Threshold (CT) • Clearly if M ⊨ φ then CT = 0 • Hence computing CT for a given M is equivalent to model checking.

  12. The Completeness Threshold. Let’s try the following strategy: compute CT for an abstraction of M that unites all models with certain graph-theoretic properties equal to those of M.

  13. Basic notions… • Diameter D(M) = longest shortest path between any two reachable states. • Recurrence Diameter RD(M) = longest loop-free path between any two reachable states. • The initialized versions DI(M) and RDI(M) start from an initial state. (Figure: an example graph annotated with D(M) = 2, RD(M) = 3, and the values of DI(M) and RDI(M).)
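The four measures of slide 13 computed over a small transition graph, as an added example that is not part of the slides. The graph, the initial-state set and the function names are constructed here; D(M) is the longest BFS distance between reachable states, RD(M) the longest loop-free path (a DFS over simple paths, exponential in general but fine for a toy model), and the initialized versions restrict the start state to an initial state. The graph is chosen so that D(M) = 2 while RD(M) = 3, the same gap the slide's figure illustrates.

```python
# Added example (not from the slides): the four measures of slide 13 on a
# small transition graph constructed here.  D(M) is the longest shortest
# path between reachable states (BFS), RD(M) the longest loop-free path
# (DFS over simple paths, exponential but fine for toy graphs); DI(M) and
# RDI(M) only consider paths starting in an initial state.
from collections import deque

def reachable(graph, init):
    """States reachable from the initial states (unreachable ones are
    ignored by every measure below, as the definitions require)."""
    seen, todo = set(init), deque(init)
    while todo:
        s = todo.popleft()
        for t in graph.get(s, ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def shortest_paths(graph, src, nodes):
    """BFS distances from src, restricted to `nodes`."""
    dist, todo = {src: 0}, deque([src])
    while todo:
        s = todo.popleft()
        for t in graph.get(s, ()):
            if t in nodes and t not in dist:
                dist[t] = dist[s] + 1
                todo.append(t)
    return dist

def longest_simple_path(graph, src, nodes):
    """Length of the longest loop-free path starting at src within `nodes`."""
    best = 0
    def dfs(s, visited, length):
        nonlocal best
        best = max(best, length)
        for t in graph.get(s, ()):
            if t in nodes and t not in visited:
                dfs(t, visited | {t}, length + 1)
    dfs(src, {src}, 0)
    return best

def diameters(graph, init):
    """Return D, DI, RD and RDI of the model (graph, init) as a dict."""
    R = reachable(graph, init)
    return {
        "D":   max(d for s in R for d in shortest_paths(graph, s, R).values()),
        "DI":  max(d for s in init for d in shortest_paths(graph, s, R).values()),
        "RD":  max(longest_simple_path(graph, s, R) for s in R),
        "RDI": max(longest_simple_path(graph, s, R) for s in init),
    }

# Constructed model: state 0 is initial; 0->1->2->3 plus a shortcut 0->3,
# and a state 9 that can reach 0 but is itself unreachable from 0.
GRAPH = {0: [1, 3], 1: [2], 2: [3], 3: [], 9: [0]}
INIT = {0}

if __name__ == "__main__":
    print(diameters(GRAPH, INIT))   # {'D': 2, 'DI': 2, 'RD': 3, 'RDI': 3}
```

The shortcut 0 → 3 keeps every shortest path at length 2 or less, while the detour 0 → 1 → 2 → 3 is a loop-free path of length 3; state 9 is excluded from all four values because it is not reachable from the initial state.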

  14. The Completeness Threshold • Theorem: for AGp properties CT = DI(M). (Figure: an arbitrary path from s0 annotated with p. For AFp properties this does not hold.)

  15. p p p p p s0 The Completeness Threshold • Theorem: for AFp properties CT= RDI(M)+1 • Theorem: for an LTL property CT = ?

  16. What is SAT? Given a propositional formula in CNF, find an assignment to Boolean variables that makes the formula true: ω1 = (x2 ∨ x3), ω2 = (¬x1 ∨ ¬x4), ω3 = (¬x2 ∨ x4). A = {x1=0, x2=1, x3=0, x4=1} is a SATisfying assignment!

  17. A Basic SAT algorithm. Given φ in CNF: (x,y,z), (-x,y), (-y,z), (-x,-y,-z). (Flowchart: Decide() → Deduce() → Resolve_Conflict(), looping back to Decide().) Example run: Decide() x=0@1, z=0@2; Deduce() y=0@2; then Resolve_Conflict().

  18. Backtracking Search in Action. ω1 = (x2 ∨ x3), ω2 = (¬x1 ∨ ¬x4), ω3 = (¬x2 ∨ x4). (Search tree:) branch x1 = 0@1, then decision x2 = 0@2 ⇒ x3 = 1@2, giving {(x1,0), (x2,0), (x3,1)}; branch x1 = 1@1 ⇒ x4 = 0@1 ⇒ x2 = 0@1 ⇒ x3 = 1@1, giving {(x1,1), (x2,0), (x3,1), (x4,0)}. No backtrack in this example, regardless of the decision!

  19. Backtracking Search in Action. Add a clause: ω1 = (x2 ∨ x3), ω2 = (¬x1 ∨ ¬x4), ω3 = (¬x2 ∨ x4), ω4 = (x1 ∨ x2 ∨ ¬x3). (Search tree:) branch x1 = 0@1, then x2 = 0@2 ⇒ x3 = 1@2, giving {(x1,0), (x2,0), (x3,1)}: conflict. Branch x1 = 1@1 ⇒ x4 = 0@1 ⇒ x2 = 0@1 ⇒ x3 = 1@1.
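Slides 3 to 5 describe W(k) and slides 16 to 19 walk through a backtracking search; the following added example (written for this page, not code from the slides) ties the two together: a minimal DPLL solver in the Decide / Deduce / Resolve_Conflict shape of slide 17, run on the clause sets of slides 16 and 19 and on W(k) for the two-bit counter of slide 5. The integer literal encoding, the variable numbering for l and r per cycle, the selector variables used to put "p fails in some cycle" into CNF, and all function names are choices made here. The solver decides on the lowest-numbered free variable with value 0 first, so its trace need not match the slide's search tree exactly, but it reports the same satisfiability outcomes, including W(2) unsatisfiable and W(4) satisfiable for the counter.

```python
# Added example (not from the slides): a minimal DPLL solver in the
# Decide / Deduce / Resolve_Conflict style of slide 17, run on the clause
# sets of slides 16-19 and on the BMC formula W(k) for the two-bit counter
# of slide 5.  Literals are ints: 3 means x3, -3 means ~x3.

def satisfies(clauses, assignment):
    """True iff every clause has a literal made true by `assignment`."""
    return all(any(assignment.get(abs(l)) == (l > 0) for l in c) for c in clauses)

def unit_propagate(clauses, assignment):
    """Deduce(): while some clause has exactly one unassigned literal and all
    others false, assign it.  Returns False if a clause became all-false."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                      # already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return False                  # conflict
            if len(free) == 1:
                assignment[abs(free[0])] = free[0] > 0
                changed = True
    return True

def dpll(clauses, assignment=None):
    """Decide() on the lowest unassigned variable, value 0 first (as in the
    search trees of slides 18-19); a conflict backtracks chronologically.
    Returns a satisfying assignment (var -> bool) or None."""
    assignment = dict(assignment or {})
    if not unit_propagate(clauses, assignment):
        return None
    variables = {abs(l) for c in clauses for l in c}
    unassigned = sorted(variables - set(assignment))
    if not unassigned:
        return assignment
    var = unassigned[0]
    for value in (False, True):
        result = dpll(clauses, {**assignment, var: value})
        if result is not None:
            return result
    return None                               # both branches failed

# Slide 16: w1 = (x2 v x3), w2 = (~x1 v ~x4), w3 = (~x2 v x4)
SLIDE16 = [[2, 3], [-1, -4], [-2, 4]]
# Slide 19 adds w4 = (x1 v x2 v ~x3): the x1=0, x2=0 branch now conflicts
SLIDE19 = SLIDE16 + [[1, 2, -3]]

# Two-bit counter of slide 5.  Encoding chosen here (not from the slides):
# l in cycle i is variable 2*i+1, r in cycle i is variable 2*i+2.
def lvar(i): return 2 * i + 1
def rvar(i): return 2 * i + 2

def counter_bmc(k):
    """W(k) = I(s0) and R(s0,s1) and ... and R(s_{k-1},s_k) and
    (~p(s0) or ... or ~p(sk)), with p = (~l v ~r): the counter never shows 11."""
    clauses = [[-lvar(0)], [-rvar(0)]]                  # I: ~l and ~r
    for i in range(k):
        # l' = l xor r, as four clauses
        clauses += [[-lvar(i+1), lvar(i), rvar(i)], [-lvar(i+1), -lvar(i), -rvar(i)],
                    [lvar(i+1), -lvar(i), rvar(i)], [lvar(i+1), lvar(i), -rvar(i)]]
        # r' = ~r, as two clauses
        clauses += [[-rvar(i+1), -rvar(i)], [rvar(i+1), rvar(i)]]
    # ~p(s_i) is the conjunction (l_i and r_i); to say "~p holds in some
    # cycle" in CNF we use one selector e_i per cycle: (e_0 v ... v e_k),
    # e_i -> l_i and e_i -> r_i.
    selectors = [2 * (k + 1) + 1 + i for i in range(k + 1)]
    clauses.append(list(selectors))
    for i, e in enumerate(selectors):
        clauses += [[-e, lvar(i)], [-e, rvar(i)]]
    return clauses

def counterexample(k):
    """The counter's state sequence that violates p within k cycles, or None
    when W(k) is unsatisfiable (p holds up to cycle k)."""
    model = dpll(counter_bmc(k))
    if model is None:
        return None
    return [(int(model[lvar(i)]), int(model[rvar(i)])) for i in range(k + 1)]

if __name__ == "__main__":
    print(dpll(SLIDE16), dpll(SLIDE19))
    for k in (2, 3, 4):
        print(k, counterexample(k))   # 2 None; 3 and 4 end in the state 11
```

Because the counter is deterministic, unit propagation alone fixes every state variable, and the only question left for the solver is whether some selector e_i can be true; for k = 2 none can, which is exactly the unsatisfiability of W(2) that slide 5 reports.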

  20. Decision heuristics: DLIS (Dynamic Largest Individual Sum) • Choose the variable and value that satisfies the maximum number of unsatisfied clauses. • This requires going through all clauses for each decision.

  21. Decision heuristics: Jeroslow-Wang method. Compute for every clause ω and every variable l (in each phase): • J(l) := • Choose a variable l that maximizes J(l). • This gives an exponentially higher weight to literals in shorter clauses.
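Both heuristics of slides 20 and 21 side by side, as an added example that is not from the slides. The clause set is constructed so that the two disagree: DLIS counts how many unsatisfied clauses a literal would satisfy, while Jeroslow-Wang uses the standard weight 2^-|ω| per clause ω containing the literal (the slide's own rendering of J(l) did not survive extraction, so the formula here is the textbook one). The tie-breaking rule and the function names are choices made here.

```python
# Added example (not from the slides): the two decision heuristics of
# slides 20-21, DLIS and Jeroslow-Wang, scored over the unsatisfied clauses
# of a constructed CNF under a partial assignment.  J(l) uses the standard
# Jeroslow-Wang weight 2^-|w| per clause w containing l.
# Literals are ints: 3 means x3, -3 means ~x3.

def unsatisfied(clauses, assignment):
    """Clauses not yet satisfied by the partial assignment."""
    return [c for c in clauses
            if not any(assignment.get(abs(l)) == (l > 0) for l in c)]

def _best(scores):
    """Highest score; ties broken by lowest variable, then positive phase."""
    return max(scores, key=lambda l: (scores[l], -abs(l), l > 0))

def dlis(clauses, assignment):
    """DLIS: number of unsatisfied clauses each free literal would satisfy.
    Returns (chosen literal, score table); a full pass over all clauses
    is needed for every decision, as slide 20 notes."""
    scores = {}
    for c in unsatisfied(clauses, assignment):
        for l in c:
            if abs(l) not in assignment:
                scores[l] = scores.get(l, 0) + 1
    return _best(scores), scores

def jeroslow_wang(clauses, assignment):
    """J(l) = sum over unsatisfied clauses w containing l of 2^-|w|, so a
    literal in one binary clause outweighs one in two 4-literal clauses."""
    scores = {}
    for c in unsatisfied(clauses, assignment):
        for l in c:
            if abs(l) not in assignment:
                scores[l] = scores.get(l, 0.0) + 2.0 ** -len(c)
    return _best(scores), scores

# Constructed CNF where the two heuristics disagree: x1 appears in three
# long clauses, ~x2 in two short ones.
EXAMPLE = [[1, 2, 3, 4], [1, 5, 6, 7], [1, 8, 9, 10], [-2, -5], [-2, -8]]

if __name__ == "__main__":
    print(dlis(EXAMPLE, {})[0], jeroslow_wang(EXAMPLE, {})[0])   # 1 -2
    print(dlis(EXAMPLE, {1: True})[0])                           # -2
```

With x1 = 1 the three long clauses are satisfied, so DLIS is recomputed over the two remaining binary clauses and now agrees with Jeroslow-Wang on ¬x2; this is the "dynamic" part of DLIS.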

  22. Implication graphs and learning. Current truth assignment: {x9=0@1, x10=0@3, x11=0@3, x12=1@2, x13=1@2}. Current decision assignment: {x1=1@6}. Clauses: ω1 = (¬x1 ∨ x2), ω2 = (¬x1 ∨ x3 ∨ x9), ω3 = (¬x2 ∨ ¬x3 ∨ x4), ω4 = (¬x4 ∨ x5 ∨ x10), ω5 = (¬x4 ∨ x6 ∨ x11), ω6 = (¬x5 ∨ ¬x6), ω7 = (x1 ∨ x7 ∨ ¬x12), ω8 = (x1 ∨ x8), ω9 = (¬x7 ∨ ¬x8 ∨ ¬x13). (Implication graph: x1=1@6 implies x2=1@6 by ω1 and, with x9=0@1, x3=1@6 by ω2; these give x4=1@6 by ω3; x4 with x10=0@3 gives x5=1@6 by ω4 and with x11=0@3 gives x6=1@6 by ω5; ω6 is then falsified: conflict.) We learn the conflict clause ω10: (¬x1 ∨ x9 ∨ x11 ∨ x10).

  23. Implication graph, flipped assignment. Clauses: ω1 = (¬x1 ∨ x2), ω2 = (¬x1 ∨ x3 ∨ x9), ω3 = (¬x2 ∨ ¬x3 ∨ x4), ω4 = (¬x4 ∨ x5 ∨ x10), ω5 = (¬x4 ∨ x6 ∨ x11), ω6 = (¬x5 ∨ ¬x6), ω7 = (x1 ∨ x7 ∨ ¬x12), ω8 = (x1 ∨ x8), ω9 = (¬x7 ∨ ¬x8 ∨ ¬x13), ω10: (¬x1 ∨ x9 ∨ x11 ∨ x10). (Implication graph: due to the conflict clause ω10, x9=0@1, x10=0@3 and x11=0@3 imply x1=0@6; then x12=1@2 gives x7=1@6 by ω7 and x8=1@6 by ω8; with x13=1@2, ω9 is falsified: conflict.)

  24. Non-chronological backtracking. Which assignments caused the conflicts? x9=0@1, x10=0@3, x11=0@3, x12=1@2, x13=1@2. These assignments are sufficient for causing a conflict. Backtrack to decision level 3. (Figure: the decision-level stack 3, 4, 5, 6 with x1 decided at level 6; levels 4 and 5 are skipped on the way back to level 3.)
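The learning step of slide 22, the flipped assignment of slide 23 and the backtrack level of slide 24, reproduced by an added example that is not code from the slides. It uses the nine clauses and the prior assignment given on slide 22; the `State` bookkeeping, the resolution order (latest implied literal first, continuing until only the level's decision literal remains, which yields the all-decision-variable clause ω10 the slide shows) and the function names are choices made here. Assignments that the slides list without an antecedent (x9, x10, x11, x12, x13) are treated as decisions of their respective levels.

```python
# Added example (not from the slides): unit propagation that records an
# implication graph (decision level and antecedent clause per variable),
# conflict analysis that resolves back to the decision variables as on
# slide 22, and the backtrack level of slide 24.  Clauses and assignments
# are those of slides 22-24; the code is written here, not taken from them.
# Literals are ints: 3 means x3, -3 means ~x3.

# w1..w9 of slide 22, indexed 0..8
SLIDE22 = [[-1, 2], [-1, 3, 9], [-2, -3, 4], [-4, 5, 10], [-4, 6, 11],
           [-5, -6], [1, 7, -12], [1, 8], [-7, -8, -13]]

class State:
    """Partial assignment plus implication-graph bookkeeping."""
    def __init__(self, prior):                  # prior: var -> (value, level)
        self.value = {v: val for v, (val, _) in prior.items()}
        self.level = {v: lvl for v, (_, lvl) in prior.items()}
        self.antecedent = {v: None for v in prior}   # None = decision
        self.trail = list(prior)                     # assignment order

    def assign(self, var, val, level, antecedent):
        self.value[var], self.level[var] = val, level
        self.antecedent[var] = antecedent
        self.trail.append(var)

def propagate(clauses, st, level):
    """Deduce(): returns the index of a conflicting clause, or None."""
    changed = True
    while changed:
        changed = False
        for idx, clause in enumerate(clauses):
            if any(st.value.get(abs(l)) == (l > 0) for l in clause):
                continue
            free = [l for l in clause if abs(l) not in st.value]
            if not free:
                return idx                       # every literal false
            if len(free) == 1:
                st.assign(abs(free[0]), free[0] > 0, level, idx)
                changed = True
    return None

def analyze(clauses, conflict_idx, st, level):
    """Resolve the conflicting clause with the antecedents of literals
    implied at `level`, latest first, until only the decision literal of
    that level remains.  Returns (learned clause, backtrack level)."""
    learned = set(clauses[conflict_idx])
    while True:
        implied = [l for l in learned
                   if st.level[abs(l)] == level and st.antecedent[abs(l)] is not None]
        if not implied:
            break
        lit = max(implied, key=lambda l: st.trail.index(abs(l)))
        reason = clauses[st.antecedent[abs(lit)]]     # contains -lit
        learned = (learned - {lit}) | {l for l in reason if l != -lit}
    # slide 24: jump back to the highest level among the other literals
    lower = [st.level[abs(l)] for l in learned if st.level[abs(l)] != level]
    return sorted(learned, key=abs), (max(lower) if lower else 0)

PRIOR = {9: (False, 1), 12: (True, 2), 13: (True, 2), 10: (False, 3), 11: (False, 3)}

def learn_slide22():
    """Decision x1=1@6 leads to the conflict in w6; learn w10."""
    st = State(PRIOR)
    st.assign(1, True, 6, None)
    conflict = propagate(SLIDE22, st, 6)
    return conflict, analyze(SLIDE22, conflict, st, 6)

def flipped_slide23():
    """After backtracking to level 3 with w10 added, w10 is unit and forces
    x1=0 without a new decision; the conflict then appears in w9."""
    clauses = SLIDE22 + [[-1, 9, 10, 11]]
    st = State(PRIOR)
    conflict = propagate(clauses, st, 3)
    return st.value[1], conflict, analyze(clauses, conflict, st, 3)

if __name__ == "__main__":
    print(learn_slide22())      # (5, ([-1, 9, 10, 11], 3))
    print(flipped_slide23())    # (False, 8, ([9, 10, 11, -12, -13], 2))
```

The first call learns (¬x1 ∨ x9 ∨ x10 ∨ x11) from the conflict in ω6 and reports decision level 3 as the backtrack target, skipping levels 4 and 5 as slide 24 describes; the second call shows that, back at level 3, the learned clause alone forces x1 = 0 and leads straight into the ω9 conflict of slide 23.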

  25. Tuning SAT for BMC • I. Variable ordering • II. Incremental SAT: reusability of conflict clauses between different (yet related) SAT instances. • III. Replicating Conflict Clauses: generation of conflict clauses 'for free', based on the unique structure of BMC invariant properties.

  26. Static variable ordering. A (CNF) dependency graph D(V,E): A partitioning C1..Cn: An abstract dependency graph D'(V',E'):

  27. Static variable ordering for BMC (the natural order of W(k)). For W(k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear. (Figure: the per-cycle variable sets V0, V1, V2, V3, …, Vk-1, Vk with the partition C0, C1, C2, C3, …, Ck-1, Ck forming a chain.)

  28. Static variable ordering (a simple static ordering). (Figure: two orderings of the same chain between I0 and ¬Pk. Ordering from I0 towards ¬Pk, W(k) should still satisfy ¬Pk at the end: riding on legal executions... Ordering from ¬Pk towards I0, W(k) should still satisfy I0 at the end: riding on unreachable states...)

  29. Incremental SAT. Given two CNF formulas (sets of clauses) S1 and S2, and a conflict clause φ s.t. S1 ⊢ φ, under what conditions does the following hold: S2 is satisfiable iff S2 ∧ φ is satisfiable?

  30. Incremental SAT. Let φ0 = S1 ∩ S2 (figure: the two clause sets S1 and S2 with φ0 in their intersection and φ0 ⊢ φ). Claim: if φ0 ⊢ φ then S1 is satisfiable iff S1 ∧ φ is satisfiable, and S2 is satisfiable iff S2 ∧ φ is satisfiable. Thus, if we deduce φ while checking S1, we can reuse it when checking S2.

  31. Incremental SAT for BMC. Testing whether the clauses involved in deducing φ are a subset of φ0 requires marking them in advance. In the BMC case this is easy: only one clause in W(k) is not included in W(k+1).

  32. Incremental SAT 1. Mark φ0, the subset of clauses that are also contained in subsequent instances. 2. If s ⊢ φ for some s ⊆ φ0, then add φ to φ0 and mark it as pervasive. (Figure: S1, S2 and φ0.)

  33. Replicated clauses. The BMC invariant formula includes k structurally similar parts: (figure) Can this symmetry be used to speed up the search?

  34. Replicated clauses. Let xk denote variable x in cycle k. Let c(i) denote the clause c where every variable in c is shifted i cycles. For example: c = (x5 ∨ y2 ∨ z7), c(2) = (x7 ∨ y4 ∨ z9), c(-2) = (x3 ∨ y0 ∨ z5). Similarly, s(i) denotes the set of shifted clauses in the set s, i.e. ∀j. cj ∈ s ⇔ cj(i) ∈ s(i).

  35. Replicated clauses. Let s be a subset of W(k)'s clauses, and let φ be a conflict clause deducible from s, i.e. s ⊢ φ. Example: s = {(x2 ∨ y5), (¬x2 ∨ y5 ∨ z3 ∨ w4)}, φ = (y5 ∨ z3 ∨ w4). By substitution, it is also true that s(i) ⊢ φ(i): s(i) = {(x2+i ∨ y5+i), (¬x2+i ∨ y5+i ∨ z3+i ∨ w4+i)}, φ(i) = (y5+i ∨ z3+i ∨ w4+i).

  36. Replicated clauses. Conclusion: if s(i) ⊆ W(k) then we can also add φ(i) to W(k). φ(i) is a new clause that we got 'for free'. We call φ(i) a 'replicated clause'. The remaining question is: for which i is s(i) ⊆ W(k)?

  37. Replicated clauses 1. While generating W(k), mark all transition relation clauses. 2. For every conflict clause φ, if all the clauses in s are marked, then mark φ as 'replicable'. . . .

  38. Replicated clauses. Given a replicable clause φ and the subset of clauses s from which it was deduced: . . . 3. Record ls and hs, the lowest and highest cycle index in s. 4. Add a replicated clause φ(i) for i in the range -ls .. (k - hs).

  39. Example: s = {(x2 ∨ y5), (¬x2 ∨ y5 ∨ z3 ∨ w4)}, ls = 2, hs = 5, k = 6, φ = (y5 ∨ z3 ∨ w4). Going right: φ(1) = (y6 ∨ z4 ∨ w5). Going left: φ(-1) = (y4 ∨ z2 ∨ w3), φ(-2) = (y3 ∨ z1 ∨ w2).
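The shifting of slide 34, the replicability check of slide 37 and the index range of slide 38, applied to the example of slide 39, as an added example that is not code from the slides. The literal representation (name, cycle, phase), the rendering with `v` and `~`, and the function names are choices made here; the ¬x2 phase in the second clause of s is the resolution reading of the slide's example, since φ = (y5 ∨ z3 ∨ w4) can only be resolved from s if x2 occurs there in both phases.

```python
# Added example (not from the slides): clause shifting and replication as
# on slides 34-39.  A literal is (name, cycle, positive); shifting by i
# moves the cycle index.  Variables exist only for cycles 0..k, which is
# why the usable shifts are -ls .. k-hs (slide 38).

def shift(clause, i):
    """c(i): every variable of c moved i cycles (slide 34)."""
    return [(name, cyc + i, pos) for name, cyc, pos in clause]

def shift_set(clauses, i):
    """s(i): the set of shifted clauses."""
    return [shift(c, i) for c in clauses]

def cycle_span(clauses):
    """(ls, hs): lowest and highest cycle index occurring in s (slide 38)."""
    cycles = [cyc for c in clauses for _, cyc, _ in c]
    return min(cycles), max(cycles)

def is_replicable(s, transition_clauses):
    """Slide 37: phi may be replicated only if every clause it was deduced
    from is a (marked) transition-relation clause, since only those repeat
    from cycle to cycle; initial-state and property clauses do not."""
    marked = {tuple(c) for c in transition_clauses}
    return all(tuple(c) in marked for c in s)

def replicate(phi, s, k):
    """All phi(i) whose supporting set s(i) still lies inside W(k): a dict
    i -> phi(i) for i in -ls .. k-hs (i = 0 is phi itself)."""
    ls, hs = cycle_span(s)
    return {i: shift(phi, i) for i in range(-ls, k - hs + 1)}

def show(clause):
    """Render like the slides: (y5 v z3 v w4), with ~ for negation."""
    return "(" + " v ".join(("" if pos else "~") + f"{n}{c}" for n, c, pos in clause) + ")"

# Slide 39: s = {(x2 v y5), (~x2 v y5 v z3 v w4)}, phi = (y5 v z3 v w4), k = 6
S = [[("x", 2, True), ("y", 5, True)],
     [("x", 2, False), ("y", 5, True), ("z", 3, True), ("w", 4, True)]]
PHI = [("y", 5, True), ("z", 3, True), ("w", 4, True)]

if __name__ == "__main__":
    print(cycle_span(S))                                  # (2, 5)
    for i, c in sorted(replicate(PHI, S, 6).items()):
        print(i, show(c))   # -2 (y3 v z1 v w2) ... 1 (y6 v z4 v w5)
```

For k = 6 the shifts run from -2 to 1, so besides φ itself the solver gains φ(-2), φ(-1) and φ(1), the three clauses slide 39 lists; a shift of -3 would refer to y2 and w1 together with x-1, which does not exist in W(k), and a shift of 2 would need y7, beyond cycle 6.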

  40. Experimental results (2001)
