Proof-based Abstraction
Ken McMillan, Nina Amla
Presented by Roman Gershman
Motivation for this article
In the verification world, size DOES matter!
The goal
• We want to check LARGE models.
• We want to scale beyond the “current” model checking technologies (BDDs).
• Off the record: it is ironic that the inventor of SMV offers a new way of doing model checking.
Well
• We will not completely drop SMV (yet), but we are going to help it using SAT.
• In my opinion, this article is a turning point for us and for McMillan in understanding how to do complete MC using SAT.
• At the next lesson we will see how to do MC using SAT.
Model checking (in this context)
• Given
  • A finite transition system M over states S, with initial states I ⊆ S and transition relation T ⊆ S × S
  • A propositional property P
• Determine
  • Does M allow a counterexample to P?
Scale: less than 1000 state variables (flip-flops, FF).
Symbolic Model Checking
• S = I
• Prev = ∅
• While S != Prev
  • Prev = S
  • If (S ∧ ~P is non-empty) then return BUG;
  • S = S ∨ ∃x’. (S(x’) ∧ T(x’, x))
Set representations
• What are these I, T, P?
• How do they look? How can we build them?
• Examples of representations:
  • I is a BDD
  • I = {(1,0), (1,1), (1,1)} (explicit)
  • Logic circuits (diagram: a circuit over X1, X2 whose output is TRUE)
Circuits
• We will need to know 2 representations today: circuit and CNF.
• Both represent closed functions, in the form f(x) = TRUE.
• Example: X1’ = not X1
  • CNF: (x1 ∨ x1’) ∧ (¬x1 ∨ ¬x1’)
  • Circuit: (x1 & ¬x1’) or (¬x1 & x1’)
(Diagram: the circuit over X1, X1’ with output TRUE.)
Bounded model checking
• Given
  • A finite transition system M(I,T)
  • A propositional property P
• Determine
  • Does M allow a counterexample to P of k transitions or fewer?
Scale: can reach more than 10000 FF.
The main idea
• Apply BMC on a large model.
• Perform proof-based abstraction and get a smaller model.
• Apply model checking on the small model.
BMC
• State vectors {x_i}, i = 1..k, one for each cycle i.
• The propositional formula I(x0) ∧ T(x0,x1) ∧ … ∧ T(xk-1, xk) ∧ ¬P(xk) is SAT ⇔ the property does not hold at cycle k.
(Diagram: the program path unrolled for K phases, with the final condition ¬P checked on cycle K.)
BMC
• How do we represent a formula that says “There is a bug at some phase up to phase K”?
Circuit to CNF translation
• Circ2CNF:
(Diagram: a two-input gate with inputs x, y and output g, translated into three clauses over (x, g), (y, g) and (x, y, g).)
SAT solver
• Solves propositional formulas in CNF format. For example, (x1 ∨ x2) ∧ (x3 ∨ x5).
• Uses the resolution-based algorithm DPLL.
• Resolution rule: from (A ∨ x) and (B ∨ ¬x) derive (A ∨ B).
SAT solver: DPLL
• While (no empty clause)
  • decide on some unassigned var;
  • If (BCP returns conflict)
    • Record a new conflict clause using resolution
    • Backtrack to satisfy that clause.
SAT solver: BCP
• While there is some clause C = (x1 ∨ x2 ∨ … ∨ xn) whose literals x1, …, xn-1 are all FALSE under the partial assignment AND xn is unassigned:
  • Extend the assignment with xn = TRUE.
  • Set C to be the reason clause of xn.
• If all literals of some clause C are FALSE then stop and return C as a conflicting clause.
BCP example
• Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d)
• Decisions: a, ¬c
• Assignment after BCP: a ∧ b ∧ ¬c ∧ d (b and d are implied)
BCP (cont.)
• Each assigned variable is either a decision variable or was implied by a reason clause (an implied variable).
• Let C(v) be the reason clause for setting literal v = TRUE. Suppose C’(t) is another reason clause (for variable t) that contains the variable v. Then C and C’ are a valid resolution pair on v, i.e. they do not have any other variable with different polarity.
BCP (cont.)
Proof: falsely assume that there is a literal x (over a variable other than v) s.t. x ∈ C and ¬x ∈ C’.
• C’ implied t after C implied v.
• x was FALSE when C implied v.
• Therefore, C’ contained the satisfied literal ¬x when it implied t, which contradicts the condition that all its literals but one are falsified.
Resolution algorithm
• Set Conf = the conflicting clause from BCP.
• While a stopping condition has not occurred, do:
  • Choose some implied literal v from Conf.
  • Conf = Resolve(Conf, C(v))
Resolution algorithm: example
• Clauses: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
• Decisions: a, ¬c; assignment after BCP: a ∧ b ∧ ¬c ∧ d
• Conflicting clause: (¬b ∨ ¬d)
• Resolve with the reason clause of d, (¬b ∨ c ∨ d): conflicting intermediate (¬b ∨ c)
• Resolve with the reason clause of b, (¬a ∨ b): new conflict clause (¬a ∨ c)
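As an added example (not the slides' or the paper's code), a small Python model of the BCP and resolution steps above: literals are DIMACS-style integers (a=1, b=2, c=3, d=4), BCP records a reason clause for every implied literal, and the conflict is resolved back along the trail as on the slide, giving the new conflict clause (¬a ∨ c). Each resolution step is also recorded as a parents map, so the original clauses the derivation used (the core of the following slides) can be read back.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Clause = FrozenSet[int]   # DIMACS-style literals: 1 = a, -3 = not c

def resolve(c1: Clause, c2: Clause, var: int) -> Clause:
    """Resolution rule: (A v x) and (B v ~x) give (A v B)."""
    assert len({var, -var} & c1) == 1 and len({var, -var} & c2) == 1
    return frozenset((c1 | c2) - {var, -var})

def bcp(clauses: List[Clause], trail: List[int],
        reason: Dict[int, Clause]) -> Optional[Clause]:
    """BCP: unit clauses extend the trail and record their reason clause;
    a clause whose literals are all false is returned as the conflict."""
    assigned, changed = set(trail), True
    while changed:
        changed = False
        for c in clauses:
            if any(l in assigned for l in c):
                continue                        # already satisfied
            free = [l for l in c if -l not in assigned]
            if not free:
                return c                        # all literals false
            if len(free) == 1:                  # unit: imply its literal
                trail.append(free[0]); assigned.add(free[0])
                reason[free[0]], changed = c, True
    return None

def analyze(conf: Clause, trail: List[int], reason: Dict[int, Clause],
            parents: Dict[Clause, Tuple[Clause, Clause]]) -> Clause:
    """Resolution algorithm of the slides: while Conf has an implied literal v,
    Conf = Resolve(Conf, C(v)); `parents` records the resolution graph."""
    for lit in reversed(trail):
        if -lit in conf and lit in reason:      # implied, not a decision
            new = resolve(conf, reason[lit], abs(lit))
            parents[new], conf = (conf, reason[lit]), new
    return conf                                 # only decision literals left

def core(clause: Clause, parents: Dict[Clause, Tuple[Clause, Clause]]) -> Set[Clause]:
    """Original clauses below `clause` in the resolution graph (the core)."""
    if clause not in parents:
        return {clause}
    return set().union(*(core(p, parents) for p in parents[clause]))

def slide_example() -> Tuple[Clause, Set[Clause]]:
    """Slides' example: (~a v b)(~b v c v d)(~b v ~d), decisions ~c then a."""
    a, b, c, d = 1, 2, 3, 4
    clauses = [frozenset({-a, b}), frozenset({-b, c, d}), frozenset({-b, -d})]
    trail, reason, parents = [-c, a], {}, {}
    conf = bcp(clauses, trail, reason)          # BCP implies b, then d
    learned = analyze(conf, trail, reason, parents)
    return learned, core(learned, parents)      # (~a v c), all three clauses
```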
Resolution algorithm
• If we draw a binary node for each resolution step, then each run of the resolution algorithm will look like a binary tree in the form of a string (a path), i.e. each inner node has a leaf child.
• The source of the tree is the new conflict clause.
• The global graph will not look like a tree though.
(Diagram: I1 = Resolve(O1, O2), with original clauses O1, O2 and intermediate clause i1.)
Resolution Graph
• Binary DAG with intermediate and conflict clauses. Each node in the graph is derived from its descendants.
(Diagram: a binary resolution DAG over original clauses O1–O7 with intermediate clauses i1–i4 and conflict clauses C-1–C-3, next to the same graph collapsed into a DAG with multi-degree nodes.)
Resolution Graph
• If DPLL finished with UNSAT then the resolution graph of its run will have a source node with an empty clause.
• Is it the only source?
  • No. There can be many others.
• Is it the only source with an empty clause?
  • Yes. This is implied by the terminal condition of DPLL.
Resolution Graph
• The whole resolution graph denotes exactly a resolution trace of DPLL. However, it is not possible to extract the order of decisions and their values (the DPLL run) from this graph.
• Denote by G_F the resolution graph of the solver’s run on an unsatisfiable formula F.
• G_F is not unique:
  • it is determined by the specific solver (a hidden parameter).
Resolution Graph
• Let Core(G_F) = Descendants(F) ∩ F, the clauses of F that appear in G_F.
• Core(G_F) is still an unsatisfiable formula.
• Assumption 1: usually Core(G_F) is much smaller than F.
• Assumption 2: Var(Core(G_F)) is much smaller than Var(F).
Applications
• Suppose
  • Tc is the circuit representation of the transition constraint.
  • Circ2CNF(func, i) translates a circuit to its CNF representation at phase i.
• Then
  • T(xi-1, xi) = Circ2CNF(Tc, i)
(Diagram: a path with a bug at some phase.)
Abstraction of the problem
• Abstract(Tc, Core(F_k)) = {g ∈ Tc | ∃i ≤ k, Circ2CNF(g, i) ∩ Core(F_k) ≠ ∅}: the gates some clause of which, at some phase, occurs in the core.
• Abstract(Tc, Core(F_k)) is like the inverse image of Core(F_k) with respect to Circ2CNF.
Special effects
(Diagram: F_k = Circ2CNF(Tc); Core(F_k) is mapped back by Circ2CNF⁻¹ to Abstract(Tc).)
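An added example, not from the paper: a Python Circ2CNF that Tseitin-encodes each gate at phase i (unprimed signals read the state x_{i-1}, primed ones x_i), builds T(x_{i-1}, x_i) as the union over the whole circuit, and computes Abstract(Tc, Core) as the inverse image of a core. The three-gate circuit TC and the core used in demo() are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

Lit = Tuple[str, int, bool]     # (signal, phase, polarity); ("x1", 2, False) = ~x1 at phase 2
Clause = FrozenSet[Lit]

@dataclass(frozen=True)
class Gate:
    out: str                    # output signal; a trailing "'" means next state
    op: str                     # "NOT", "AND" or "OR"
    ins: Tuple[str, ...]        # input signals, primed or unprimed

def lit(sig: str, i: int, pos: bool = True) -> Lit:
    """Place signal `sig` of transition step i: unprimed signals read the
    state x_{i-1}, primed signals (x') the state x_i."""
    return (sig.rstrip("'"), i if sig.endswith("'") else i - 1, pos)

def circ2cnf(g: Gate, i: int) -> Set[Clause]:
    """Tseitin encoding of one gate at phase i (the slides' Circ2CNF(g, i))."""
    o = lambda p: lit(g.out, i, p)
    a = [lambda p, s=s: lit(s, i, p) for s in g.ins]
    if g.op == "NOT":                                 # o <-> ~a
        return {frozenset({o(True), a[0](True)}), frozenset({o(False), a[0](False)})}
    if g.op == "AND":                                 # o <-> a1 & ... & an
        cl = {frozenset({o(False), x(True)}) for x in a}
        return cl | {frozenset({o(True)} | {x(False) for x in a})}
    if g.op == "OR":                                  # o <-> a1 | ... | an
        cl = {frozenset({o(True), x(False)}) for x in a}
        return cl | {frozenset({o(False)} | {x(True) for x in a})}
    raise ValueError(g.op)

def transition(tc: List[Gate], i: int) -> Set[Clause]:
    """T(x_{i-1}, x_i) = Circ2CNF(Tc, i): the whole circuit at one step."""
    return set().union(*(circ2cnf(g, i) for g in tc))

def abstract(tc: List[Gate], core: Set[Clause], k: int) -> Set[Gate]:
    """Abstract(Tc, Core(F_k)) = { g in Tc | exists i <= k: Circ2CNF(g, i) meets Core }:
    keep only the gates some clause of which the UNSAT proof actually used."""
    return {g for g in tc if any(circ2cnf(g, i) & core for i in range(1, k + 1))}

# Constructed toy transition circuit (not from the paper): two state bits x1, x2.
TC = [Gate("t", "AND", ("x1", "x2")),
      Gate("x1'", "NOT", ("x1",)),
      Gate("x2'", "OR", ("t", "x2"))]

def demo(k: int = 3) -> Set[str]:
    """Pretend the solver's core for F_k contained only the NOT gate's clauses
    at phase 2 (constructed): the abstraction then keeps just that gate."""
    core = circ2cnf(TC[1], 2)
    return {g.out for g in abstract(TC, core, k)}
```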
Main Algorithm
• FiniteRun( M = (Ic, Tc, P) )
  • Set k ← 0
  • While TRUE
    • If BMC(Fk) = SAT then
      • return BUG with the satisfying assignment
    • else
      • M’ = Abstract(Core(Fk))
      • ModelCheck M’
      • If M’ has an accepting run of length k’ then
        • Set k ← k’
      • else
        • return “VALID Property”
Notes: assumes that M’ is smaller than M. Can it be that k’ < k?
Question
What about Liveness?
Reminder
• Using a Büchi automaton, we can create a product automaton A := M × ~P.
• Checking liveness is equivalent to checking emptiness of A.
• We need to find an infinite run on which an accepting state is crossed infinitely often.
Liveness properties
• There is an infinite run on which formula G is satisfied infinitely often.
• Equivalently, there is a run x0, …, xk s.t.
  • T(xi, xi+1) is satisfied
  • I(x0) is satisfied
  • For some 0 ≤ m < k, xm = xk (the run closes a loop)
  • For some m ≤ j ≤ k, G(xj) is TRUE
Liveness BMC
• CNF formula:
• Run FiniteRun on this formula the same way.
Optimizations
• Cone of influence
• Variable substitutions: (f = q) ⇒ replace all occurrences of f by q
• Pure variables
Results
• 20 safety samples; none of them could be solved by MC.
• After applying abstraction: 18 were solved by BMC, abstracted, and then solved by MC.
• 2 were stuck during BMC.
The next article
Hybrid approach (or proof-based refinement)
The problem
• Suppose we have the original model M and its abstract buddy M’.
• We want to check the case when the abstract BMC formula is SAT and we have a counter-example A for M’.
• We need to check the corresponding concrete formula.
  • In case it is SAT, we are done and have a real counter-example.
  • In case it is UNSAT, we want to refine M’.
Proof-based refinement (by Chauhan et al.)
• Consider the proof P of unsatisfiability of the concrete formula.
• There is at least one clause in P that is not contained in the abstract formula.
• In other words, there is at least one gate in M that is not in M’, which helps to refute A.
Proof-based refinement
• Given proof P, for any set of constraints (gates) Q, we define:
• We refine by setting:
Proof-based refinement
• Recall that this is exactly like the definition of the abstract set from the previous paper.
• Where is the difference?
Proof-based abstraction:
• Refinement:
Hybrid method
• A heuristic approach to tune between these 2 methods.
• The idea: use the SAT solver to try to do refinement of all counter-examples of length k (A = ) and then to refine with A.
Concretize
• Input: Fk
• Decide the decisions from A.
• Res = SAT_Solve(TimeLimit)
• If (Res != TimeOut)
  • Return Res;
• Add A to the CNF formula.
• Return SAT_Solve()
Results
• It is compared with the CEX approach and pure proof-based abstraction.
• It is presented as superior to CEX and similar to proof-based abstraction.
The END & Thank you