Download
1 / 74
780 likes | 1.14k Views
SAT-based Model Checking. Yakir Vizel Computer Science Department, Technion, Israel. Based on slides from K.L. McMillan, A.R. Bradley and Yakir Vizel. Outline. Background Symbolic Model Checking DPLL-style SAT solvers Bounded Model Checking SAT-based model checking methods K-induction
E N D
SAT-based Model Checking Yakir Vizel Computer Science Department, Technion, Israel Based on slides from K.L. McMillan, A.R. Bradley and Yakir Vizel
Outline • Background • Symbolic Model Checking • DPLL-style SAT solvers • Bounded Model Checking • SAT-based model checking methods • K-induction • Interpolation • Interpolation Sequence • IC3/PDR • There are more…
Model checking • Problem definition: • Does every run of a (finite-state) transition system satisfy a given temporal property? • Result: • Yes • No + counterexample • Examples: • Is every request to this bus arbiter eventually acknowledged? • Does this program every dereference a null pointer?
Transition systems • Tuple (S,I,T), where: • S is the (finite) set of states • I S is the set of initial states • T SS is the set of transitions • A run of (S,I,T) is S, where: • 0I • for all i 0, (i ,i+1) T • That is, a run is an infinite path in the state graph strating with an initial state
Reachability • Problem def: • Does a transition system have a finite run ending in a state contained in the failure set F? • More precisely, does there exist 0...k Sk s.t.: • 0 I and k F • for all 0 i < k, (i ,i+1) T • Using automata-theoretic methods, model checking safety properties reduces to reachability analysis. • Given a t.s. M and a property P, we can construct MP and FP such that M satisfies P exactly when FP is not reachable in MP.
State explosion problem • Reachability analysis can be done by BFS or DFS on the state graph. • However, |S| is exponential in system size • for example 2n, where n is number of registers • Impractical to construct the state graph explicitly. Our topic is essentially how to use a SAT solver to tackle this problem.
Symbolic transition systems • Tuple (V,I,T), where: • V is a signature (set of variables), • I is a formula over V (the initial condition) • T is a formula over VV' (the transition condition) • States: = V{0,1} (a valuation to V) • A run of (V,I,T) is , where: • I[0] • for all i 0, T[i,i+1] Note: T[i ,i+1] means T[i 'i+1]
g = a Ù b c' = p g a b p c p = g Ú c Example T is a conjunction of constraits, one per component. T = { g = a Ù b, p = g Ú c, c' = p }
R1 R2 ... R Symbolic Reachability Idea: represent reachable states by a formula I F = I Ú Img(I,T) = R1Ú Img(R1,T) Essentially a BFS with symbolic representation.
Symbolic reachability, cont. • Reachability fixed point: R0 = I Ri+1 = RiÚ Img(Ri,T) R = È Ri • F is reachable iff R Ù F ¹ false • Image operator: Img(Q,T) = $ V. (Q(V) Ù T(V,V’)) We need a way to eliminate the quantifier, to get us back to an ordinary Boolean formula.
DPLL-style SAT solvers SATO,GRASP,CHAFF,BERKMIN • Objective: • Check satisfiability of a CNF formula • literal: v or Øv • clause: disjunction of literals • CNF: conjunction of clauses • Approach: • Branch: make arbitrary decisions • Propagate implication graph • Use conflicts to guide inference steps SAT solvers can also generate refutation proofs!
a b Øc d Decisions The Implication Graph (BCP) (Øa Ú b) Ù (Øb Ú c Ú d) Assignment: a Ù b ÙØc Ù d
Propositional Resolution a Ú b ÚØc Øa ÚØc Ú d b ÚØc Ú d When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.
resolve (Øb Ú c ) a b Conflict! resolve Conflict! (Øa Ú c) Øc Conflict! Decisions Conflict Clauses (Øa Ú b) Ù (Øb Ú c Ú d) Ù (Øb ÚØ d) d Assignment: a Ù b ÙØc Ù d
Generating refutations • Refutation = a proof of the null clause • Record a DAG containing all resolution steps performed during conflict clause generation. • When null clause is generated, we can extract a proof of the null clause as a resolution DAG. Original clauses Derived clauses Null clause
CNF(p) (a ÚØg) Ù (b ÚØg) Ù(Øa ÚØb Ú g) (Øg Ú p) Ù (Øc Ú p) Ù(g Ú c ÚØp) input variables output variable Circuit SAT Can the circuit output be 1? g a b p c p is satisfiable when the formula CNF(p) Ù p is satisfiable
Bounded Model Checking BCCZ99 • Given • A finite transition system M • A property P • Determine • Does M allow a counterexample to P of k transitions of fewer? This problem can be translated to a SAT problem
g = a Ù b c' = p g a b p c p = g Ú c Symbolic Models (recall) Transition system described by constraints... T = { g = a Ù b, p = g Ú c, c' = p } New notation: Q<n> means "add n primes to the symbols in Q"
... a a a g g g b b b p p p c c c Bounded model checking Biere,et al. TACAS99 • Unfold the model k times: U = T<0>Ù T<1>Ù ... Ù T<k-1> F<k> I<0> • Use SAT solver to check satisfiability of • I<0>Ù U Ù F<k> • If unsatisfiable: • property has no Cex of length k • can produce a refutation proof P
R1 R2 Bounded Model Checking …… I F = I Ú Img(I,T) = R1Ú Img(R1,T) I<0>Ù T<0>Ù T<1> Ù …Ù F<k>
BMC applications • Debugging: • Can find counterexamples using a SAT solver • Proving properties: • Only possible if a bound on the length of the shortest counterexample is known. • I.e., we need a diameter bound. The diameter is the maximum lenth of the shortest path between any two states. • Worst case is exponential. Obtaining better bounds is sometimes possible, but generally intractable.
Unbounded Model Checking • We consider a variety of methods to explioit SAT and BMC for unbounded model checking: • K-step induction • Abstraction • Counterexample-based • Non-counterexample-based • Exact image computations • SAT solver tests for fixed point • SAT solver computes image • Over-approximate image computations
Induction • The simple case: P is an inductive invariant • I => P • P Ù T => P’ • Usually, P is not an inductive invariant • BUT – a stronger inductive invariant R may exist (strengthening) • I => R • R Ù T => R’ • R => P
Induction P R I
K-induction SSS2000 • Induction: P(s0) "i: P(si) Þ P(si+1) "i: P(si) • k-step induction: P(s0..k-1) "i: P(si..i+k-1) Þ P(si+k) "i: P(si)
K-induction with a SAT solver • Recall: Uk = T<0>Ù T<1>Ù ... Ù T<k-1> • Two formulas to check: • Base case: I<0>Ù Uk-1Þ P<0>...P<k-1> • Induction step: UkÙ P<0>...P<k-1>ÞP<k> • If both are valid, then P always holds. • If not, increase k and try again.
Simple path assumption • Unfortunately, k-induction is not complete. • Some properties not k-inductive for any k. • Simple path restriction: • There is a path to ØP iff there is a simple path to ØP (path with no repeated states). P P ØP
Induction over simple paths • Let simple(s0..k) be defined as: • "i,j in 0..k : (i ¹ j) Þ si¹ sj • k-induction over simple paths: P(s0..k-1) "i: simple(s0..k) Ù P(si..i+k-1) Þ P(si+k) "i: P(si) Must hold for k large enough, since a simple path cannot be unboundedly long. Length of longest simple path is called recurrence diameter.
...with a SAT solver • For simple path restriction, let: Sk = "t=0..k, u=t+1..k: Ø"v in V : vt = vu (where V is the set of state variables). • Two formulas to check: • Base case: I<0>Ù Uk-1Þ P<0>...P<k-1> • Induction step: Sk Ù UkÙ P<0>...P<k-1>ÞP<k> • If both are valid, then P always holds. • If not, increase k and try again.
Termination • Termination condition: k is the length of the longest simple path of the form P* ØP • This can be exponentially longer than the diameter. • example: • loadable mod 2N counter where P is (count ¹ 2N-1) • diameter = 1 • longest simple path = 2N • Nice special cases: • P is a tautology (k=0) • P is inductive invariant (k=1)
Image computation methods • Symbolic model checking without BDD's • Use SAT solver just for fixed-point detection • Abdulla, Bjesse and Een 2000 • Williams, Biere, Clarke and Gupta 2000 • Adapt SAT solver to compute image directly • McMillan, 2002
Image over-approximation • BMC and Craig interpolation allow us to compute image over-approximation relative to property. • Avoid computing exact image. • Maintain SAT solver's advantage of filtering out irrelevant facts.
Interpolation (Craig,57) • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' refers only to common variables of A,B • Example: • A = p Ù q, B = Øq Ù r, A' = q • New result • given a resolution refutation of A ÙB, A' can be derived in linear time. (Pudlak,Krajicek,97)
Interpolation-based MC (McMillan,2003) • Interpolation gives us • SAT-based algorithm for over-approximate image computation, using interpolation • SAT-only symbolic model checking
Reachability • Is there a path from I to F satisfying transitions T? • Reachability fixed point: R0 = I Ri+1 = RiÚ Img(Ri,T) R = È Ri • Image operator: Img(Q,T) = $ V. (Q Ù T) • F is reachable iff R Ù F ¹ false
Overapproximation • An overapproximate image op. is Img' s.t. for all Q, Img(Q,T) implies Img'(Q,T) • Overapprimate reachability: R'0 = I R'i+1 = R'iÚ Img'(R'i,T) R' = È R'i • Img' is adequate (w.r.t.) F, when • if Q cannot reach F, Img’(Q,T) cannot reach F • If Img' is adequate, then • F is reachable iff R' Ù F ¹ false
Img’(Q,T) Adequate image Img(Q,T) Q F Reached from Q Can reach F But how do you get an adequate Img'?
k-adequate image operator • Img' is k-adequate (w.r.t.) F, when • if Q cannot reach F, Img’(Q,T) cannot reach F within k steps • Note, if k > diameter, then k-adequate is equivalent to adequate.
Interpolation-based image • Idea -- use unfolding to enforce k-adequacy A = Q Ù T<0> B = T<1>Ù T<2>Ù ... Ù T<k-1>Ù Fk Fk = ¬P<1> ∨ ¬P<2> ∨ … ∨ ¬P<k> A B Q T T T T T T T F t=k t=1 Let Img'(Q)0= A', where A' is an interpolant for (A,B)... Img' is k-adequate!
Huh? A' A B • A Þ A' • Img(Q,T) Þ Img'(Q,T) • A' Ù B = false • Img’(Q,T) cannot reach F in k steps • Hence Img' is k-adequate overapprox. Q T T T T T T T F t=k t=1 But note, Img' is partial -- not defined if AÙB is sat.
F1 F2 k-adequate k …… P I ¬P = I Ú Img’(I,T) = F1Ú Img’(F1,T) …… k
Using Interpolants A1 A2
Using Interpolants (2) A’1 . . .
Analogy To Reachability Analysis R3 R2 R1 I ¬P I A’3 A’1 A’2
Reachability algorithm let k = 0 repeat if I can reach F within k steps, answer reachable R = I while Img'(R,T) Ù F = false R' = Img'(R,T) Ú R if R' = R answer unreachable R = R' end while increase k end repeat
Termination • Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate. Notes: • don't need to know when k > d in order to terminate • often termination occurs with k << d
Interpolation-based MC • Fully SAT-based. • Inherits SAT solvers ability to concentrate on facts relevant to a property. • Most effective when • Very large set of facts is available • Only a small subset are relevant to property • For true properties, appears to converge for smaller k values.
Interpolation-Sequence • If A1Ù A2Ù … Ù Ak = false, there exists an interpolation-sequence A’0, A’1,…, A’k+1 for (A1,… ,Ak ) such that: A’0=T and A’k+1=F A’jÙ Aj+1Þ A’j+1 A’j - over common variables of A1,… ,Aj and Aj+1,… ,Ak • A’j equals the interpolant of A=A1Ù … Ù Aj and B=Aj+1Ù… Ù Ak • Given the same resolution graph
Interpolation-Sequence based MC (Vizel and Grumberg,2009) A1 Ak+1 A2 A3 Ak A’1 A’2 A’3 A’k-1 A’k 50 BMC formula partitioned in a different manner:
