1 / 77

Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking

Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking. G. Cabodi P. Camurati L. Garcia M. Murciano S. Nocco S. Quer Politecnico di Torino Torino, Italy. Outline. Background Motivations Core

rubencook
Download Presentation

Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trading-offSAT search and Variable Quantifications for effectiveUnbounded Model Checking G. Cabodi P. Camurati L. Garcia M. Murciano S. Nocco S. Quer Politecnico di Torino Torino, Italy

  2. Outline • Background • Motivations • Core • Contribution A: Divide • Contribution B: & Conquer • Contribution C: Integrated Approach (Bwd + ITP) • Experimental Results • Conclusions • Future Works

  3. Background: UMC as a Reachability Problem Initial states Counterexample trace Buggy states

  4. Background: UMC as a Reachability Problem Rfwd Rbwd Initial states Rfwd : Reached from (fix-point) Buggy states Rbwd : Can reach (fix-point)

  5. Background: SAT based UMC • k-induction [Sheeran2000] • All-solution SAT [McMillan2002, Kang2003, Ganai2004] • Circuit based quantification [Williams2000, Abdulla2000] • Abstraction & Refinement • Localization reduction [Kurshan1994] • Predicate abstraction [Clarke2003, Jain2004] • Craig Interpolation [Graig1957, McMillan2003]

  6. Interpolant [Craig1957] • A A' • A' Ù B = 0 • A' refers only to common .variables of A and B • Given A Ù B = 0 • A' = ITP (A, B) Interpolant

  7. Interpolant [Craig1957] • A A' • A' Ù B = 0 • A' refers only to common .variables of A and B • Given A Ù B = 0 • A' = ITP (A, B) • A' can be derived in linear time from the refutation proof of A Ù B [Pudlak1997, Krajicek1997]

  8. Interpolant [Craig1957] • A A' • A' Ù B = 0 • A' refers only to common .variables of A and B • Given A Ù B = 0 • A' = ITP (A, B) A Ù B is UNSAT A B 1 CNF Clauses Resolution graph AND-OR circuit One gate for each graph node Null clause A' = ITP (A,B)

  9. Interpolant [McMillan2003] • Interpolant as Image Operator • Over-approximation • Variable quantification • Works whenever a representation of backward reachable space is given • A  From  T (forward) • B  Paths to failure states (backward) • A'  Over-approximated Image (Img+) • Img+ is called adequate w.r.t. B

  10. Img+ PI V V' T From To

  11. Img+ To+(V') = Img+(From,T) = Approx[(V,PI)From(V)T(V,PI,V')] PI V V' T From To+ To

  12. Img+- Adequate • To+ adequate w.r.t. B when • if To is outside B • then To+ is outside B as well PI V V' T From B To+ To To+ = ITP (From  T, B)

  13. Img+- Adequate Fwd approximate reachable states computed by adequate Img+ do not intersect Bwd reachable states Img+Adq (Ri,T, Rbwd) I B Ri R Img (Ri,T) Rbwd

  14. Img+- k-Adequate WhenRbwditisnotknown itisreplacedbybackwardcircuitunrollingofincreasingdepth k Img+Adq (Ri,T, Rk,bwd) I ≤k B Ri R Img (Ri,T) Rk, bwd

  15. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+

  16. Interpolant Model Checking Abstraction & Refinement loop do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+

  17. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) Approximated Reachability loop FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+

  18. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+ Img+ (Ri,T) k-adequate (T, F)

  19. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) Bound increment FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+ BMC check find a trace (Overapproximated) Fix-point reached

  20. Motivations • Refutation proofs follow SAT solver runs • SAT heuristics do NOT target resolution graph (and unsatisfiable core) minimization • Not unique (depend on SAT heuristics) • Difficult UNSAT instances  Large interpolants • Interpolant circuits need aggressive optimizations (BDD/SAT sweeping + logic synthesis) • Highly redundant • AND-OR circuits (just negations on inputs) are not optimal

  21. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant)

  22. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant) Contribution A/1 State Set View R3 R2 R1 R0 R0 R3 R2 R1 Circuit View 1 0

  23. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant) Contribution A/2 R3 R2 R1 R0 R3 R2 R1 R0 v Partitioned Circuit View R3 R2 R1 R0 Circuit View

  24. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant) Contribution B v v R0 R3 R2 R1 R0 R3 R2 R1 R3 R2 R1 R0 Partitioned Circuit + State Set

  25. Contributions • Backward & Interpolation An integrated Approach • Compute (partial) backward state sets by • Circuit quantification • SAT- enumeration • Check backward fix point (SAT) • Eventually forward interpolant (using partitioned image) Contribution C R3 R2 R1 R0 R3 R2 R1 R0 v Circuit + State View R0 R3 R2 R1 Circuit View

  26. Contribution A/1: Partial Quantification 0 0 LazyE (Cone) G = Cone forall v ∈ PI tmp = v G if (|tmp| < th · |G|) G = tmp return (G) Cone 1 0 v1v0Cone 0 1 1 1 Quantifyvariable ifsize under control otherwise keepunquantified

  27. Contribution A/1: Partial Quantification LazyE (Cone) G = Cone forall v ∈ PI tmp = v G if (|tmp| < th · |G|) G = tmp return (G) v1v0Cone • operator on circuit • byOR-ingcofactors • exponentialblow-up, • unless tight sharing • (by SAT/BDD sweeping) • TryPICone • if (notallquantification • accepted) work notfinished

  28. Contribution A/1: Partial Quantification Adopting BDDs LazyEBDD (Cone) (ConeBdd, CutV, CutF) = AIG2BDD (Cone) G = ANDEBDD (ConeBdd, CutVari, CutFi) if (|G| < th · |Cone|) return (BDD2AIG(G)) else return (Cone) Quantification on BDDs BDD 2 AIG AIG 2 BDD 1 0 1 0 Quantifyvariable ifsize under control otherwisekeep unquantified

  29. Contribution A/1: Partial Quantification Adopting BDDs LazyEBDD (Cone) (ConeBdd, CutV, CutF) = AIG2BDD (Cone) G = ANDEBDD (ConeBdd, CutVari, CutFi) if (|G| < th · |Cone|) return (BDD2AIG(G)) else return (Cone) Quantification on BDDs BDD 2 AIG AIG 2 BDD 1 0 1 0 1 0 1 0 1 0 1 0 BDDs with Cut Points EarlyQuantification Schedule

  30. Contribution A/1: Partial Quantification with Subsetting 0 0 Quantifyvariableifsize under control otherwise set toconstant 0/1 value Cone 1 0 LazyESubset (Cone) G = Cone σ = SAT (Cone) forallv∈ PI tmp = vG if (|tmp| < th · |G|) G = tmp else G = G|Ѡi=σ[vi] return (G) 0 1 1 1

  31. Contribution A/1: Partial Quantification with Subsetting 0 0 Quantifyvariableifsize under control otherwise set toconstant 0/1 value Cone 1 0 LazyESubset (Cone) G = Cone σ = SAT (Cone) forallv∈ PI tmp = vG if (|tmp| < th · |G|) G = tmp else G = G|Ѡi=σ[vi] return (G) 0 1 1 1 Resultis subset of a state set R¯k,bwd Rk,bwd= PICone

  32. Contribution A/1 • Ifwe are veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1

  33. Contribution A/1 • Ifwe are veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 • to State set (Back) R0 R3 R2 R1 1 0

  34. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1

  35. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 • to

  36. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 Cone • to Back¯

  37. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 Cone¯ • to v Simplify (Cone, Back¯) (by redundancy removal) Back¯

  38. Contribution A/2: Cone0 v Cone1 Cone = Cone1 v Cone2 v Cone3 v … v Conen

  39. Contribution A/2: Cone0 v Cone1 Cone = Cone1 v Cone2 v Cone3 v … v Conen F V F Circuit unrollings are disjunction ofcircuitunrollings V F V F

  40. Contribution B: How to Conquer Img+Adq(I, T, Cone) Img (I, T) Cone F I T T T T T Ri Img+Adq(I, T, Cone)

  41. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) Disjunction of Cones Img (I, T) Cone F I T T T T T Ri Img+Adq(I, T, Cone)

  42. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Conjunction of Images Img (I, T) Cone F I T T T T T Ri Img+Adq(I, T, Cone)

  43. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) Cone1 F I T T T T T Ri Cone2 Img+Adq(I, T, Cone)

  44. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) Cone1 F I T T T T T Ri Img+Adq(I, T, Cone)

  45. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) Cone1 F I T T T T T Ri Img+Adq(I, T, Cone1)

  46. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) F I T T T T T Ri Cone2

  47. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img+Adq(I, T, Cone2) Img (I, T) F I T T T T T Ri Cone2

  48. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img+Adq(I, T, Cone2) Img (I, T) F I T T T T T Img+Adq(I, T, Cone) Ri Img+Adq(I, T, Cone1)

  49. Contribution C: Backward + Interpolation IntegratedMC (I, T, F) set initial values do res = undecided Conek = Conek−1(T) if (SAT(I  (Conekv BckR¯ ))) return (reachable) fp = CheckFP (Conek, BckR¯, Cone0..k−1) if (fp = true) return (unreachable) (Conek, BckR¯) = LazyE/BDD/Subset (Conek, BckR¯) if (fp = undecided) Cone¯ = Simplify (Cone, ¬BckR¯) res = FiniteRun2 (I, T, Cone¯, BckR¯) increase bound while (res = undecided)

  50. Contribution C: Backward + Interpolation IntegratedMC (I, T, F) set initialvalues do res = undecided Conek = Conek−1(T) if (SAT(I  (ConekvBckR¯ ))) return (reachable) fp = CheckFP (Conek, BckR¯, Cone0..k−1) if (fp = true) return (unreachable) (Conek, BckR¯) = LazyE/BDD/Subset (Conek, BckR¯) if (fp = undecided) Cone¯ = Simplify (Cone, ¬BckR¯) res = FiniteRun2 (I, T, Cone¯, BckR¯) increasebound while (res = undecided) Loop by Increasing Back Unrolling BMC checks for Cex Backward Reachability Section Interpolant Section

More Related