Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification
Overview • Introduction • Computational methods • Recent improvements
Philosophy of Model Checking • It is impossible to know whether the specification of a system is correct or complete • How can we know whether what we wrote fully captures what we meant? (the problem is nobody knows what we meant :) • It is only possible to check whether the specification satisfies certain properties • We need to provide properties, which describe what we meant • Therefore, model checking looks for some bugs (counter-examples to the properties), rather than proving that the system is “correct” in general • Equivalence checking can prove correctness-in-general, but we need to have the “golden model” (a trustworthy specification)
Brief History of Model Checking • Model checking • The term was coined in 1981 by Clarke and Emerson • The algorithm explicitly enumerated reachable states (limited to a few million states) • Symbolic model checking • The symbolic formulation was introduced around 1990 (McMillan, Clarke, Burch, Coudert et al.) • Motivated by the discovery of BDDs in 1986 • It was a breakthrough that led to the wide usage of model checking • Bounded model checking (BMC) • Proposed by Biere et al. in 1999 • The basic idea is to search for counter-examples of length k • Led to even wider industrial use
BMC in a Nutshell • I is the set of initial states; T(s_i, s_{i+1}) is the transition relation; P is the property • $\mathrm{Base}_n = I_0 \wedge T_0 \wedge \dots \wedge T_{n-1} \wedge \neg P_n$ (a satisfying assignment is a counter-example of length n) • Uniqueness constraints: $\mathrm{Unique}_n = \bigwedge_{0 \le i < j \le n} (s_i \ne s_j)$ • The problem is symmetric w.r.t. forward and backward traversal
Model Checking as Search • Model checking is a search problem • find an assignment of input variables at each time-frame, which leads to the violation of the property after k frames • If we finished exploring the search space and did not find the violation, the property holds for k frames • If we proved that the property holds for any k, we proved the unbounded case (the subject of future lectures)
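The two slides above describe BMC as unrolling the transition relation k times, conjoining the initial-state constraint and the negated property, and handing the result to a SAT solver. The following is an added example, not code from the lecture: it performs exactly that search on a constructed 2-bit counter with an enable input (s_{i+1} = s_i + e_i mod 4, initial state 0) and a property "the counter never equals bad_value". The CNF is built by Tseitin encoding of the XOR/AND gates of the next-state logic, and a toy DPLL solver (unit propagation plus chronological backtracking; names such as Unroller, dpll and bmc are my own) checks Base_k for increasing k. When the solver returns a model, the assignment to the input variables at each frame is the counter-example; when every k up to the bound is unsatisfiable, the property holds for that many frames, which is all BMC can say.

```python
# Added example: SAT-based bounded model checking of a tiny 2-bit counter.
# Not from the lecture; the counter, the toy DPLL solver and all names are
# constructed for illustration.

def dpll(clauses, assignment=None):
    """Toy DPLL. clauses: list of lists of DIMACS-style ints (v or -v).
    Returns a satisfying assignment {var: bool} or None if unsatisfiable."""
    assignment = dict(assignment or {})
    while True:                                  # unit propagation to a fixpoint
        unit = None
        for clause in clauses:
            free, satisfied = [], False
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    free.append(lit)
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not free:                         # every literal false: conflict
                return None
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    for clause in clauses:                       # branch on the first free variable
        for lit in clause:
            if abs(lit) not in assignment:
                for val in (True, False):
                    result = dpll(clauses, {**assignment, abs(lit): val})
                    if result is not None:
                        return result
                return None
    return assignment                            # no free variable left: all clauses satisfied


class Unroller:
    """Collects the CNF of Base_k = I_0 & T_0 & ... & T_{k-1} & not P_k.
    Gates are Tseitin-encoded: each gate output gets a fresh variable."""
    def __init__(self):
        self.nvars, self.clauses = 0, []

    def fresh(self):
        self.nvars += 1
        return self.nvars

    def xor(self, x, y):
        z = self.fresh()
        self.clauses += [[-x, -y, -z], [x, y, -z], [x, -y, z], [-x, y, z]]
        return z

    def and_(self, x, y):
        z = self.fresh()
        self.clauses += [[-x, -y, z], [x, -z], [y, -z]]
        return z


def bmc(bad_value, max_depth):
    """Search for the shortest input sequence (length k <= max_depth) that drives
    the counter from 0 to bad_value.  Returns (k, inputs) or None when the
    property 'counter != bad_value' holds for every k up to max_depth."""
    for k in range(max_depth + 1):
        u = Unroller()
        b0, b1 = u.fresh(), u.fresh()            # state bits of frame 0
        u.clauses += [[-b0], [-b1]]              # I_0: counter starts at 0
        inputs = []
        for _ in range(k):                       # T_i: s_{i+1} = s_i + e_i mod 4
            e = u.fresh()
            inputs.append(e)
            carry = u.and_(b0, e)
            b0, b1 = u.xor(b0, e), u.xor(b1, carry)
        # not P_k: the counter equals bad_value in frame k
        u.clauses += [[b0 if bad_value & 1 else -b0],
                      [b1 if bad_value & 2 else -b1]]
        model = dpll(u.clauses)
        if model is not None:                    # counter-example of length k
            return k, [int(model[e]) for e in inputs]
    return None


if __name__ == "__main__":
    print("reach 3 within 5 frames:", bmc(3, 5))   # (3, [1, 1, 1])
    print("reach 3 within 2 frames:", bmc(3, 2))   # None: property holds for 2 frames
```

Each iteration rebuilds the formula from scratch; the incremental-solving work cited later in the deck (Een and Sorensson) avoids exactly that by keeping the solver state between depths. The uniqueness constraints from the previous slide are not needed to find a counter-example, only when one tries to turn the bounded result into a proof.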
BDDs vs. SAT • Both exhaustively explore the search space • BDD package: builds the canonical representation of the problem up to a point; tends to run out of memory • SAT solver: explores one branch at a time; tends to run out of time
Different Ways of Exploring Search Space (figure: BDD approach vs. SAT approach)
Other Representations • Truth table • Implemented using bit strings • Convenient for functions up to 5 variables • Useful for functions up to 8 variables • Sums-of-products • Cubes are represented in positional notation • Implemented using bit strings • The main data structure to represent SOPs in Espresso and SIS • Common features • Are explicit in nature • Exploit bit parallelism • Traditionally used in many applications
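To make the "bit strings" and "bit parallelism" points concrete, here is an added example (not from the lecture): truth tables of functions of up to 5 variables stored as 32-bit integers, one bit per minterm, so that AND/OR/NOT of two functions are single machine-word operations; and cubes in positional notation, two bits per variable as Espresso uses them (01 = literal x, 10 = literal x', 11 = don't care), so that cube intersection is also a bitwise AND. The helper names (X, cube_from_string, sop_to_tt and so on) and the majority-function sample are my own.

```python
# Added example: explicit, bit-parallel representations of small Boolean
# functions.  Constructed for illustration; not code from the lecture.
NVARS = 5
MASK = (1 << (1 << NVARS)) - 1     # 2^5 = 32 minterms -> 32 one-bits

# Elementary truth tables of x0..x4: bit m of X[i] is bit i of the minterm
# number m, so X[i] is the table of the projection function x_i.
X = [0xAAAAAAAA, 0xCCCCCCCC, 0xF0F0F0F0, 0xFF00FF00, 0xFFFF0000]

def tt_not(f):     return ~f & MASK
def tt_and(f, g):  return f & g
def tt_or(f, g):   return f | g
def tt_xor(f, g):  return f ^ g

def evaluate(f, values):
    """Value of f on an assignment given as a list of 0/1 for x0..x4."""
    m = sum(v << i for i, v in enumerate(values))
    return (f >> m) & 1

def num_minterms(f):
    """Number of on-set minterms (population count of the table)."""
    return bin(f & MASK).count("1")

# ---- cubes in positional notation (two bits per variable) ----
def cube_from_string(s):
    """'1-0' means x0 & x2' with x1 unconstrained; missing variables are don't cares."""
    code = {"1": 0b01, "0": 0b10, "-": 0b11}
    c = 0
    for i, ch in enumerate(s.ljust(NVARS, "-")):
        c |= code[ch] << (2 * i)
    return c

def cube_intersect(a, b):
    """Intersection is bitwise AND; the cube is empty if any field becomes 00."""
    c = a & b
    for i in range(NVARS):
        if (c >> (2 * i)) & 0b11 == 0:
            return None
    return c

def cube_to_tt(c):
    f = MASK
    for i in range(NVARS):
        field = (c >> (2 * i)) & 0b11
        if field == 0b01:
            f &= X[i]
        elif field == 0b10:
            f &= tt_not(X[i])
    return f

def sop_to_tt(cubes):
    """Truth table of a sum-of-products given as positional-notation strings."""
    f = 0
    for s in cubes:
        f |= cube_to_tt(cube_from_string(s))
    return f

if __name__ == "__main__":
    maj = tt_or(tt_or(tt_and(X[0], X[1]), tt_and(X[0], X[2])), tt_and(X[1], X[2]))
    print(hex(maj), sop_to_tt(["11", "1-1", "-11"]) == maj)   # 0xe8e8e8e8 True
```

Equivalence of two representations reduces to integer comparison of the tables, which is why this is the data structure of choice for small functions; beyond a handful of variables the table doubles with every variable, and one of the implicit representations from the timeline slide takes over.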
Use of Functional Representations: Historical Perspective (figure: problem size vs. time period, 1950-1970, 1980, 1990, 2000; labels: truth table, +SOP, +BDD, +CNF, +AIG)
Recent Improvements to BMC • Combining SAT and BDDs • Aarti Gupta, Malay Ganai, Chao Wang, Zijiang Yang, Pranav Ashar, “Learning from BDDs in SAT-based bounded model checking”, DAC 2003. • Efficient framework for incremental solving • Niklas Een, Niklas Sorensson, “Temporal induction by incremental SAT solving”, Intl. Workshop on BMC 2003. • Improvements to variable ordering and the use of learned clauses • Liang Zhang, Mukul Prasad, Michael Hsiao, “Incremental deductive and inductive reasoning for SAT-based bounded model checking”, ICCAD 2004. • Preprocessing of the transition relation • Andreas Kuehlmann, “Dynamic transition relation simplification”, ICCAD 2004.