1 / 24

SAT and Model Checking

SAT and Model Checking. Bounded Model Checking (BMC). Biere, Cimatti, Clarke, Zhu, 1999. A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties: can we find a bad state in k steps? Verification: can we find a counterexample in k steps ?.

tobit
Download Presentation

SAT and Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAT and Model Checking

  2. Bounded Model Checking (BMC) Biere, Cimatti, Clarke, Zhu, 1999 • A.I. Planning problems: can we reach a desired state in k steps? • Verification of safety properties: can we find a bad state in k steps? • Verification:can we find a counterexample in k steps ?

  3. What is SAT? Given a propositional formula in CNF, find if there exists an assignment to Boolean variables that makes the formula true: literals 1 = (b c) 2 = (a d) 3 = (b d)  = 1 2 3 A = {a=0, b=1, c=0, d=1} clauses SATisfying assignment!

  4. BMC idea Given: transition system M, temporal logic formula f, and user-supplied time bound k Construct propositional formula W(k) that is satisfiable iff f is valid along a path of length k Path of length k: Say f = EF p and k = 2, then What if f = AG p ?

  5. BMC idea (cont’d) AG p means p must hold in every state along any path of length k We take So That means we look for counterexamples

  6. p p p p p . . . s0 s1 s2 sk-1 sk Safety-checking as BMC p is preserved up to k-th transition iff W(k)is unsatisfiable: If satisfiable, satisfying assignment gives counterexample to the safety property.

  7. 11 00 10 01 Example: a two bit counter Initial state: Transition: Safety property:AG W(2) is unsatisfiable. W(3) is satisfiable.

  8. 11 00 10 01 Example: another counter Liveness property:AF Check: EG where W(2) is satisfiable Satisfying assignment gives counterexample to the liveness property

  9. What BMC with SAT Can Do • All LTL • ACTL and ECTL • In principle, all CTL and even mu-calculus • efficient universal quantifier elimination or fixpoint computation is an active area of research

  10. How big should k be? • For every model M and LTL property there exists k s.t. • The minimal such k is the Completeness Threshold (CT)

  11. d = 2 How big should k be? • Diameterd = longest shortest path from an initial state to any other reachable state. • Recurrence Diameterrd =longest loop-free path. • rd ¸ d rd = 3

  12. p s0 Arbitrary path How big should k be? • Theorem: for Gp properties CT = d

  13. p p p p p s0 How big should k be? • Theorem: for Fp properties CT= rd • Open Problem: The value of CT for general Linear Temporal Logic properties is unknown

  14. A basic SAT solver Given  in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)  Decide() Deduce() X  Resolve_Conflict() X X X X

  15. Basic Algorithm Choose the next variable and value. Return False if all variables are assigned While (true) { if (!Decide()) return (SAT); while (!Deduce()) if (!Resolve_Conflict()) return (UNSAT); } Apply unit clause rule. Return False if reached a conflict Backtrack until no conflict. Return False if impossible

  16. DPLL-style SAT solvers SATO,GRASP,CHAFF,BERKMIN A = Æ empty clause? y UNSAT n conflict? Obtain conflict clause and backtrack y n is A total? y Branch: add some literal to A SAT

  17. a b Øc d Decisions The Implication Graph (Øa Ú b) Ù (Øb Ú c Ú d) Assignment: a Ù b ÙØc Ù d

  18. Resolution a Ú b ÚØc Øa ÚØc Ú d b ÚØc Ú d When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.

  19. resolve (Øb Ú c ) a b Conflict! resolve Conflict! (Øa Ú c) Øc Conflict! Decisions Conflict clauses (Øa Ú b) Ù (Øb Ú c Ú d) Ù (Øb ÚØ d) d Assignment: a Ù b ÙØc Ù d

  20. Conflict Clauses (cont.) • Conflict clauses: • Are generated by resolution • Are implied by existing clauses • Are in conflict with the current assignment • Are safely added to the clause set Many heuristics are available for determining when to terminate the resolution process.

  21. Generating refutations • Refutation = a proof of the null clause • Record a DAG containing all resolution steps performed during conflict clause generation. • When null clause is generated, we can extract a proof of the null clause as a resolution DAG. Original clauses Derived clauses Null clause

  22. Unbounded Model Checking • A variety of methods to exploit SAT and BMC for unbounded model checking: • Completeness Threshold • k -induction • Abstraction (refutation proofs useful here) • Exact and over-approximate image computations (refutation proofs useful here) • Use of Craig interpolation

  23. Conclusions: BDDs vs. SAT • Many models that cannot be solved by BDD symbolic model checkers, can be solved with an optimized SAT Bounded Model Checker. • The reverse is true as well. • BMC with SAT is faster at finding shallow errors and giving short counterexamples. • BDD-based procedures are better at proving absence of errors.

  24. Acknowledgements “Exploiting SAT Solvers in Unbounded Model Checking” by K. McMillan, tutorial presented at CAV’03 “Tuning SAT-checkers for Bounded Model Checking” and “Heuristics for Efficient SAT solving” by O. Strichman Slides originally prepared for 2108 by Mihaela Gheorghiu.

More Related