
SAT-based unbounded model checking using interpolation

Presentation Transcript


  1. SAT-based unbounded model checking using interpolation Based on a paper “Interpolation and SAT-based Model Checking” by K.L. McMillan, CAV 2003.

  2. Interpolation (Craig, 57)
  • If A ∧ B = false, there exists an interpolant A' for (A, B) such that:
    • A ⇒ A'
    • A' ∧ B = false
    • A' refers only to the common variables of A and B
  • Example: A = p ∧ q, B = ¬q ∧ r, A' = q
  • Interpolants from proofs: given a resolution refutation (proof of unsatisfiability) of A ∧ B, A' can be derived in linear time. (Pudlák, Krajíček, 97)

  3. Agenda • Computing interpolants • Interpolation-based image computation • Model checking finite state systems • Optimization techniques

  4. Interpolant from SAT solver
  • Resolution rule: from (A ∨ p) and (¬p ∨ B) derive (A ∨ B) on pivot p
  • Modern SAT solvers can produce a proof of unsatisfiability for unsatisfiable formulas using resolution
  • An interpolant may be built from the proof of unsatisfiability in linear time.
  • Flow: (A, B) in CNF → SAT solver → proof → Interpolation → A'

  5. Proof of unsatisfiability
  • A proof is a DAG, where
    • the nodes are clauses
    • the root is the empty clause
    • the leaves are original clauses
    • every inner node is obtained by a resolution of its two child nodes
  • An interpolant is built from the proof and follows the structure of the proof
  • Local to A / global literals: let (A, B) be a pair of clause sets; a variable is global if it appears in both A and B, and local to A if it appears only in A. Given a clause c, g(c) is the disjunction of the global literals in c.

  6. The construction of interpolant
  • Let (A, B) be a pair of clause sets. Given a proof of unsatisfiability Π for A ∪ B, define p(c) for every node c in the proof as follows:
    • If c is a leaf, then
      • if c ∈ A then p(c) = g(c)
      • else p(c) is constant true
    • else let c1, c2 be the child nodes of c, and let v be their pivot variable
      • if v is local to A, then p(c) = p(c1) ∨ p(c2)
      • else p(c) = p(c1) ∧ p(c2)
  • The Π-interpolant for (A, B) is p(false).
  • Complexity: O(N + L), where N is the number of nodes and L is the number of literals in the proof.

  7. Example
  The interpolant is a circuit that follows the structure of the proof.
  A = { (b), (¬b ∨ c) }, B = { (¬c ∨ d), (¬d) }; c is the only global variable, b is local to A, d is local to B.
  Proof: (b), (¬b ∨ c) ⊢ (c) on pivot b; (c), (¬c ∨ d) ⊢ (d) on pivot c; (d), (¬d) ⊢ ⊥ on pivot d.
  Labels: p((b)) = ⊥, p((¬b ∨ c)) = c, p((c)) = ⊥ ∨ c = c (b local to A); p((¬c ∨ d)) = p((¬d)) = ⊤; p((d)) = c ∧ ⊤ = c; p(⊥) = c ∧ ⊤ = c.
  Interpolant = c
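The construction of slides 5 to 7, as an added worked example in Python (not code from the slides or from McMillan's paper): it labels every node of a resolution refutation with p(c), then checks the two Craig conditions by enumerating all assignments. The DIMACS-style clause encoding, the proof layout and the helper names are assumptions made here.

```python
from itertools import product
# Clauses are frozensets of DIMACS literals (2 = x2, -2 = not x2). A resolution proof is a
# list of (clause, left, right): leaves have left = right = None, inner nodes index parents.

def variables(clauses):
    return {abs(l) for c in clauses for l in c}

def interpolant(A, B, proof):  # McMillan's p(c) labelling; p(empty clause) is the result
    va, vb = variables(A), variables(B)
    p = []                                   # p[i] labels proof[i]
    for clause, left, right in proof:
        if left is None:                     # leaf: an original clause
            if clause in A:                  # p(c) = g(c), the disjunction of global literals
                p.append(("or",) + tuple(("lit", l) for l in clause if abs(l) in vb))
            else:                            # B-clause: constant true (empty conjunction)
                p.append(("and",))
        else:
            c1, c2 = proof[left][0], proof[right][0]
            pivot = abs(next(l for l in c1 if -l in c2))
            local_to_a = pivot in va and pivot not in vb
            p.append(("or" if local_to_a else "and", p[left], p[right]))
    return p[-1]

def evaluate(f, assign):                     # formula from interpolant() under {var: bool}
    if f[0] == "lit":
        return assign[abs(f[1])] == (f[1] > 0)
    vals = [evaluate(g, assign) for g in f[1:]]
    return any(vals) if f[0] == "or" else all(vals)

def clauses_hold(clauses, assign):
    return all(any(assign[abs(l)] == (l > 0) for l in c) for c in clauses)

def is_interpolant(A, B, itp):  # exhaustive check of A => itp and itp & B unsatisfiable
    vs = sorted(variables(A | B))
    for bits in product([False, True], repeat=len(vs)):
        assign = dict(zip(vs, bits))
        if clauses_hold(A, assign) and not evaluate(itp, assign):
            return False
        if clauses_hold(B, assign) and evaluate(itp, assign):
            return False
    return True

# The slide 7 example, encoded here (constructed input): b = 1, c = 2, d = 3.
b, c, d = 1, 2, 3
A = {frozenset({b}), frozenset({-b, c})}
B = {frozenset({-c, d}), frozenset({-d})}
PROOF = [(frozenset({b}), None, None), (frozenset({-b, c}), None, None),
         (frozenset({c}), 0, 1),                                    # pivot b, local to A
         (frozenset({-c, d}), None, None), (frozenset({d}), 2, 3),  # pivot c, global
         (frozenset({-d}), None, None), (frozenset(), 4, 5)]        # pivot d, in B only
ITP = interpolant(A, B, PROOF)               # evaluates to c, as on slide 7
```

The enumeration in is_interpolant is only a sanity check for small examples; in practice correctness of the labelling rests on the theorem of slide 8.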

  8. The correctness of the construction
  • Definition: a clause interpolation has the form (A, B) ⊢ c [Φ], where A, B are clause sets, c is a clause and Φ is a formula. Here c | B is the disjunction of the literals of c whose variables occur in B, and c \ B the disjunction of the remaining literals of c. It is said to be valid when
    • A ⊨ Φ ∨ (c \ B), and
    • B, Φ ⊨ c | B, and
    • Φ is over the common variables of A and B
    Note: when c is empty, Φ is an interpolant for (A, B).
  • Theorem: (A, B) ⊢ c [p(c)] is valid. The theorem implies that the Π-interpolant for (A, B) is an interpolant for (A, B).

  9. (A,B) c [c | B] (A,B) c [T] c A c B The correctness of the construction – cont. • Proof: by induction on the proof of unsatisfiability structure. • Base – 2 cases: Remember: AΦÚc \ B B, Φc | B ΦA and ΦB

  10. The correctness of the construction – cont.
  • Induction step – 2 cases, for premises (A, B) ⊢ l ∨ c1 [Φ1] and (A, B) ⊢ ¬l ∨ c2 [Φ2] resolved on pivot l:
    • l ∉ B (local to A): derive (A, B) ⊢ c1 ∨ c2 [Φ1 ∨ Φ2]
    • l ∈ B: derive (A, B) ⊢ c1 ∨ c2 [Φ1 ∧ Φ2]
  Remember: A ⊨ Φ ∨ (c \ B); B, Φ ⊨ c | B; Φ is over the common variables of A and B

  11. Agenda • Computing interpolants • Interpolation-based image computation • Model checking finite state systems • Optimization techniques

  12. Bounded model checking
  • Safety property: the bad states F are never reached
  • Unfold the model k times: U = T0 ∧ T1 ∧ ... ∧ Tk-1
  • Use a SAT solver to check satisfiability of I0 ∧ U ∧ Fk
  • If unsatisfiable:
    • the property has no counterexample (Cex) of length k
    • the solver can produce a proof of unsatisfiability P

  13. Reachability
  • Is there a path (of any length) from I to F satisfying the transition constraint T?
  • Reachability fixed point: R0 = I; Ri+1 = Ri ∨ Img(Ri); R = ∪ Ri
  • Image operator: Img(P) = ∃V. P(V) ∧ T(V, V')
  • F is reachable iff R ∧ F ≠ false

  14. Reachability (figure: nested sets I ⊆ R1 ⊆ R2 ⊆ ... ⊆ R, with F drawn outside; R1 = I ∨ Img(I, T), R2 = R1 ∨ Img(R1, T))

  15. Overapproximation
  • An overapproximate image operator is Img' s.t. for all P, Img(P) ⇒ Img'(P)
  • Overapproximate reachability: R'0 = I; R'i+1 = R'i ∨ Img'(R'i); R' = ∪ R'i

  16. Interpolation-based image
  A = P0 ∧ T0
  B = T1 ∧ T2 ∧ ... ∧ Tk-1 ∧ (F1 ∨ F2 ∨ ... ∨ Fk)
  (figure: the unfolding P0, T0, T1, ..., Tk-1 from t = 1 to t = k, with F1, F2, ..., Fk tested at every step; A covers the first transition, B the remaining k-1 transitions)
  Let A' be an interpolant for (A, B)

  17. Interpolation-based image – cont.
  • A(s0, s1) ⇒ A'(s1): A' is Img'(P), an overapproximate image of P
  • A' ∧ B = false: Img'(P) cannot reach F in k-1 steps

  18. Intuition
  • A' tells us everything the solver deduced about the image of P in proving it can't reach F in k steps.
  • Hence, A' is in some sense an abstraction of the image relative to the property.
  • This opens a way to an overapproximate reachability calculation.

  19. Agenda • Computing interpolants • Interpolation-based image computation • Model checking finite state systems • Optimization techniques

  20. The fixpoint algorithm
    if I(s0) ∧ F(s0) satisfiable                 // the basis
        return FAILED;
    while (1)                                     // BMC loop (over k)
        Rnew := I, R := false
        while (Rnew ⊈ R)                          // the fixpoint condition; UMC (reachability) loop
            if Rnew ∧ T1 ∧ T2 ∧ ... ∧ Tk-1 ∧ (F1 ∨ F2 ∨ ... ∨ Fk) unsatisfiable
                R := R ∨ Rnew
                Rnew := interpolant A'(s1)
            else                                  // satisfiable
                if (Rnew = I) return FAILED
                else                              // possible false negative – should increase k
                    R := false, break
        end while
        if (Rnew ⊆ R)                             // fixpoint
            return PASSED
        increase k
    end while

  21. Algorithm correctness
  • Clearly, if the algorithm returns FAILED then we have found a bug.
  • If a fixpoint is reached, then an overapproximation of the reachable states does not contain a bug, i.e. the formula passes.
  • We are left with possible false negatives. On a possible false negative we increase k. Thus it is enough to show that there exists a (large enough) k for which the algorithm always stops.

  22. Algorithm terminates
  • Let d be the reverse depth of the model (i.e. the number of real backward steps from the bad states until a fixpoint), and let k = d+1.
  • If there is a bug, then we will find it in the first iteration (since k is at least as long as the shortest path between I and F).
  • If there is no bug, the formula is unsatisfiable and the interpolant A' (and Rnew = I ∨ A') cannot reach F in d steps.

  23. Algorithm terminates – cont.
  • d is the reverse depth ⇒ Rnew cannot reach F at all.
  • Thus the next formula (with Rnew instead of I) will be unsatisfiable as well.
  • Since R always grows and the model is finite, a fixpoint will eventually be reached.
  • Notes:
    • we don't need to know d in order to terminate
    • often termination occurs with k << d

  24. Characteristics
  • SAT-based methods are effective when
    • a very large set of facts is available
    • only a small subset of them is relevant to the property
  • They exploit the SAT solver's ability to narrow the proof to relevant facts, i.e. to narrow the reachable-states approximation to the relevant variables.
  • The interpolation method exploits this fact to compute an abstract image operator.

  25. Agenda • Computing interpolants • Interpolation-based image computation • Model checking finite state systems • Optimization techniques

  26. Incremental SAT solving with interpolation
  • At each iteration of the inner while loop we check satisfiability of the following formula: Rnew ∧ T1 ∧ T2 ∧ ... ∧ Tk-1 ∧ (F1 ∨ F2 ∨ ... ∨ Fk)
  • All those formulas differ only in Rnew.
  • The SAT solver can preserve all the clauses that are implied by the common part of the formulas (everything but Rnew).
  • This can potentially save the SAT solver the time of deducing those clauses again.
  • Similarly, formulas with different k (the outer while loop) can be solved incrementally.

  27. Checking convergence more efficiently
  • R – current overapproximate reachable states; A' – current interpolant
  • Original convergence check: whether A' ⊆ R?
  • Recall: A' is an overapproximate forward step from R
  • Let R' be a "real" forward step from R
  • Let's check instead whether R' ⊆ R?
  • Advantage: the latter check is more likely to converge earlier (because R' ⊆ A')
  • Correctness: if R' ⊆ R but A' ⊈ R, then A' \ R' is unreachable

  28. Minimizing interpolants
  • Reduce CNF formulas using a CNF simplifier
  • Interpolants are highly redundant boolean expressions
    • Reduce interpolants using BDD sweeping or SAT sweeping reduction
  • Minimize the unsat core
    • An unsat core is an unsatisfiable subset of a given unsatisfiable CNF formula (the leaves of the proof)
    • An unsat core may be computed by a SAT solver when it finds that a formula is unsatisfiable
    • Various methods exist for minimizing an unsat core; the simplest one is running the SAT solver iteratively on the previously computed unsat core

  29. Strengthening interpolants
  • Recall: the interpolant is an overapproximation of a forward image of Rnew
  • There may be different overapproximations
  • Can we control the quality of the overapproximation?
  • Do we want a finer one or a coarser one?

  30. Example (figure: I, F and the approximations R1, R2, ..., R)

  31. Example – fine overapproximation (figure: I and F)

  32. Example – moderate overapproximation (figure: I and F)

  33. Example – coarse overapproximation (figure: I and F)

  34. Strengthening interpolants
  • Move local resolutions ('or'-gates) towards the leaves
  • 2 rewrite rules; the first:
    before: (p ∨ q ∨ c1), (¬p ∨ c2) ⊢ (q ∨ c1 ∨ c2) on pivot p; then (q ∨ c1 ∨ c2), (¬q ∨ c3) ⊢ (c1 ∨ c2 ∨ c3) on pivot q
    after: (p ∨ q ∨ c1), (¬q ∨ c3) ⊢ (p ∨ c1 ∨ c3) on pivot q; then (p ∨ c1 ∨ c3), (¬p ∨ c2) ⊢ (c1 ∨ c2 ∨ c3) on pivot p

  35. (p Úq Ú c1) (q Úc3) (p Úq Ú c2) (q Úc3) (p Ú c1 Ú c3) (p Ú c2 Úc3) (c1 Ú c2 Úc3) Strengthening interpolants – cont. Caution: may cause exponential expansion of the proof! (p Úq Ú c1) (p Úq Ú c2) (q Ú c1 Ú c2) (q Úc3) (c1 Ú c2 Úc3)

  36. Strengthening interpolant – an example
  A = {(¬a), (¬b ∨ d), (a ∨ b ∨ c), …}, B = {(a ∨ e), (¬c ∨ d), …}
  (figure: the two interpolant circuits, built from the original proof and from the rewritten proof)
  A' = d ∨ (¬a ∧ (a ∨ c)) = d ∨ (¬a ∧ c)
  Move local resolutions toward the leaves:
  A'' = ¬a ∧ (d ∨ (a ∨ c)) = ¬a ∧ (c ∨ d)
  A'' ⇒ A' (A'' is the stronger, finer interpolant)

  37. Approximate interpolant computation
  Treat inner clauses with pure origin (derived only from A clauses, or only from B clauses) as leaves
  A = {(¬a), (¬b ∨ d), (a ∨ b ∨ c), …}, B = {(a ∨ e), (¬c ∨ d), …}
  (figure: the interpolant circuit with the pure-origin clause (b ∨ c) treated as a leaf)
  A' = d ∨ (¬a ∧ (a ∨ c)) = d ∨ (¬a ∧ c)
  A'' = c ∨ d
  A' ⇒ A'' (A'' is the weaker, coarser interpolant)

  38. Refinement of interpolants
  • If Rnew ∧ T1 ∧ T2 ∧ ... ∧ Tk-1 ∧ (F1 ∨ F2 ∨ ... ∨ Fk) satisfiable
    • if (Rnew = I) return FAILED
    • else // possible false negative – should increase k
      break
  Can we avoid the possible false negative?

  39. Refinement of interpolants – cont.
  (figure: a spurious path s1, s2, ..., sk from Ri-1 through Ri towards F; is s1 really reachable?)
  • Check whether s1 is reachable in one step from Ri-1
  • If not – refine Ri by removing s1 from it
  • Disadvantages:
    • removes one false negative at a time
    • does not ensure removing all false negatives
    • complicates the expression of R

  40. Conclusion
  • SAT solvers have the ability:
    • to generate refutations for bounded reachability
    • to filter out irrelevant facts.
  • These abilities can be exploited to generate an abstract image operator, using Craig interpolation.
  • This yields a reachability procedure that
    • is fully SAT-based
    • is robust w.r.t. irrelevant facts
  • Various techniques exist to control the size and quality of interpolants