1 / 33

Towards More Efficient SAT-Based Model Checking

Towards More Efficient SAT-Based Model Checking. Joao Marques - Silva Electronics & Computer Science University of Southampton. LAA C&V Workshop, Isaac Newton Institute, Cambridge, May 2006. Motivation. Remarkable improvements made to SAT solvers over the last decade

hyatt-guzman
Download Presentation

Towards More Efficient SAT-Based Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton Institute, Cambridge, May 2006

  2. Motivation • Remarkable improvements made to SAT solvers over the last decade • Clause learning; lazy data structures; adaptive branching heuristics; search restarts • Very successful application of SAT in model checking • Bounded and unbounded model checking • Existing (industry motivated) challenges • Ability to handle ever increasing systems • Ability to find deep counterexamples • Ability to prove difficult properties • Lines of research • More efficient SAT solvers (?) • Better uses of SAT technology in SAT-based model checking

  3. Goals of this talk • SAT & SAT-based model checking • Interpolants in SAT-based model checking • Optimizations to the utilization of interpolants

  4. Outline • SAT & SAT-based model checking • Organization of a modern SAT solver • SAT-based bounded model checking (BMC) • Interpolant-based unbounded model checking (UMC) • Improvements to SAT-based model checking • Results & conclusions

  5. Modern SAT algorithms [Davis et al.’62] • Follow the organization of the DPLL algorithm • Backtrack search with unit propagation • Several key techniques are used: • Clause learning [Marques-Silva&Sakallah’96] • Infer new clauses from causes of conflicts • Allows implementing non-chronological backtracking • Exploiting structure of conflicts [Marques-Silva&Sakallah’96] • Identify Unique Implication Points (UIPs) • Dominators in graph of implied assignments • Optimized data structures [Moskewicz et al.’01] • Lazy evaluation of clause state • Adaptive branching heuristics [Moskewicz et al.’01] • Variable branching metrics are affected by number of conflicts • Aging mechanisms for focusing on most recent conflicts • Search restarts [Gomes,Selman&Kautz’98] • Opportunistically restart backtrack search

  6. Evolution of SAT solvers • Remarkable improvements over the last decade

  7. T0 T1 Tk-1 Y0 Y1 Yk I0 Fk Bounded model checking [Biere et al.’99] • Verification of safety properties: Ff • Characteristic functions for representing initial states and transition relation, respectively I0 and T • Resulting Boolean formula: k = I0 Uk Fk • Where: • Interpretation:

  8. Bounded model checking • A possible BMC algorithm: • Given some initial k • While k  user-specified time-bound UB • Generate CNF formula  for I0 Uk Fk • Invoke SAT solver on  • If formula  is satisfiable, then a counterexample within k time steps has been found • Return counterexample • Otherwise, increase k • The BMC algorithm is incomplete • But complete if completeness threshold is known BMC loop

  9. Towards completeness • Unbounded model checking • Utilization of induction • Standard BMC loop • Stop BMC loop for some i, if cannot have loop-free path of size i that can be reached from I0or if cannot have loop-free path of size i that can reach Fk • Maximum unfolding bounded by largest loop-free path • ... • Utilization of interpolants • BMC and Craig interpolants allow SAT-based computation of abstractions of reachable states • Avoid computing exact sets of reachable states • One of the most promising approaches in practice • Maximum unfolding bounded by largest shortest path between any two states [Sheeran et al.’00] [Chauhan et al.’02;Gupta et al.’03] [McMillan’03]

  10. Interpolants [Craig’57] • Given two subsets of clauses A and B, assume A B is unsatisfiable. Then, there exists an interpolant A’ for the pair (A, B) with the following properties: • A implies A’ • A’  B is unsatisfiable • A’ refers only to the common variables of A and B • Example: • A = p  q, B = q  r • A’ = q • Size of interpolants: • Given a resolution refutation of A B, can compute interpolant for the pair (A, B) in linear time on the size of the resolution refutation • SAT solvers can be instructed to output resolution refutation! • Computing interpolants: • Different algorithms can be used • Pudlak’97, McMillan’03 [Pudlak’97] [McMillan’03]

  11.  = (a  b) (¬a  c) (¬b) (¬c) 1 2 3 4 (b  c) (¬b) 2 1 (4) a = 0 c = 0 (c) (¬c)  1 (3) b = 0  Deriving resolution refutations • For unsatisfiable formulas: • Learned clauses capture a resolution refutation from a subset of the original clauses • SAT solvers can be instructed to recreate resolution refutation for unsatisfiable formula [Zhang&Malik’03] (a  b) (¬a  c)

  12. (r Úy) (Ør Úx) (y Úx) (ØyÚ a) (Øy Ú Øa) (Øx) (Øy) (x) ^ Computing interpolants A = (r Ú y)(Ør Úx) B = (ØyÚ a)(Øy Ú Øa)(Øx) • Interpolant is a Boolean circuit that follows structure of resolution refutation • Can map circuit into CNF in linear time and space ^ y x ^ ^ A’ = y + x A implies A’; A’  B is unsatisfiable A’ with variables common toA and B [Tseitin’68; Plaisted&Greenbaum’86]

  13. Abstraction of reachable states • For each iteration of BMC loop, call to SAT solver returns unsat unless counterexample is found • Analysis of resolution refutation yields abstractions of reachable states • Given A and B, and a resolution refutation for A  B, compute Craig interpolant A’: • A = I0 T0implies A’ • A’  B is unsatisfiable • A’ solely represented with state variables • If A holds, then A’ holds • A1 = A’ represents abstraction of states reachable from I0 in 1 time step!

  14. A B Abstraction of states reachable in i time steps T0 T1 Tk-1 Ai-1 Fk A A B B Abstraction of states reachable in 2 time steps Abstraction of states reachable in 1 time step Ai T0 T0 T1 T1 Tk-1 Tk-1 I0 A1 Fk Fk A2 A1 Fixpoint of reachable states • Can iterate computation of interpolants: If Ai  I0 A1  A2  ...  Ai-1, then a fixpoint is reached; all reachable states identified !

  15. If Fk is satisfied from I0, then we have a counterexample! If a fixpoint of the reachable states is identified, then no reachable state can satisfy property ! Calls to SAT solver If A  B is sat, may have abstracted too much; must unfold more time steps Maximum value of k is bounded by largest shortest path between any two states UMC algorithm BMC loop k = 0 repeat if from I0 can satisfy Fk within k steps return reachable R = I0 let A = I0ÙT0, and B = T1ÙT2Ù ... ÙTk-1Ù Fk while A Ù B = false P = unsat_proof(A Ù B) A’ = interpolant(P, A, B) if A’ R, return unreachable R = A’ Ú R A = A’ ÙT0 end while increase k end repeat Fixpoint

  16. Outline • SAT & SAT-based model checking • Improvements to SAT-based model checking • Rescheduling the BMC loop • Can exploit feedback from the fixpoint checking loop • Reusingcomputed interpolants • Interpolants readily available if fixed point condition is based on interpolants • Can envision alternative fixpoint conditions • Results & conclusions

  17. Rescheduling the BMC loop BMC loop k = 0 repeat if from I0 can satisfy Fk within k steps return reachable R = I0 let A = I0ÙT0, and B = T1ÙT2Ù ... ÙTk-1Ù Fk while A Ù B = false P = unsat_proof(A Ù B) A’ = interpolant(P, A, B) if A’ R, return unreachable R = A’ Ú R A = A’ ÙT0 end while increase k end repeat Number of iterations can be used to restrict when to check again the BMC condition ! Fixpoint

  18. Fixpoint while A Ù B = false P = unsat_proof(A Ù B) A’ = interpolant(P, A, B) if A’ R, return unreachable R = A’ Ù R A = A’ ÙT0 end while A2 Ai+1 A1 I0 Rescheduling the BMC loop • Fixpoint checking with i+1 iterations (last iteration is sat): • Checked all states reachable in up to k+i states, with an unfolding of size k; no counterexample was found • Need to check BMC condition only when unfolding of FSM exceeds k+i time steps In general useful if counterexample exists

  19. Interpolant reuse • Boolean formula N is usable for B iff B  N • B satisfiable iff B  N satisfiable • Learnt interpolants can be reused • For requiring states from a set of states • For preventing states from a set of states • A different organization of BMC: [Copty et al.’01]

  20. T0 T1 Tk-1 I0 Fk Can compute (multiple) interpolants Interpolant reuse • Different ways for computing interpolants • Computed interpolants can be direct or inverse • Interpolants can be computed at different time steps • Direct interpolants • Over-approximation of reachable states • Under-approximation of states that do not satisfy failing property • Inverse interpolants • Under-approximation of unreachable states • Over-approximation of states that satisfy failing property

  21. Direct interpolants • Pr,t: • Direct interpolant computed r time steps from I0 and t time steps to Fk • From the initial state, Pr,t, t=k-r: • In general, Pr+u,t:

  22. T0 Tr-1 Tr Tk-t-1 Tk-t Tk-1 I0 Fk Pr,t Pr,t Conditions for interpolant reuse I • Conditions ondirect interpolants: • Pr,t(Yr) is usable for k, with t  0 and r  k • Pr,t(Yk-t) is usable for k, with r  0 and t  k

  23. T0 T1 Tk Y0 Y1 Yk+1 I0 Fk+1 An example I • Standard UMC model checking, with BMC and fixpoint loops • Automaton with unfolding of size k+1 • Fixed point checking for j+1 iterations • Last iteration yields spurious counterexample; j interpolants computed • Interpolants computed at Y1: • P1,k, P2,k, ..., Pj,k • Examples of interpolant reuse: • Pi,k(Yi), 1  i  j, is usable for m, m  k • Pi,k represents over-approximation of the states reachable in i time steps • With unfolding of size k+1, Pi,k(Y1), 1  i  j, is usable for k+1 • Pi,k represents under-approximation of the states that do not satisfy failing property in k time steps • With unfolding of size m  k, Pi,k(Ym-k), 1  i  j, is usable for m

  24. Inverse interpolants • Qr,t: • Reverse interpolant computed r time steps from I0 and t time steps to Fk • From the initial state, Qr,t, t=k-r: • In general, Qr+u,t:

  25. T0 Tr-1 Tr Tk-t-1 Tk-t Tk-1 I0 Fk Qr,t Qr,t Conditions for interpolant reuse II • Conditions on inverse interpolants: • Qr,t(Yk-t) is usable for k, with r  0 and t  k • Qr,t(Yr) is usable for k, with t  0 and r  k

  26. T0 T1 Tk Y0 Y1 Yk+1 I0 Fk+1 An example II • Standard UMC model checking, with BMC and fixpoint loops • Automaton with unfolding of size k+1 • Fixed point checking for j+1 iterations • Last iteration yields spurious counterexample; j interpolants computed • Interpolants computed at Y1: • Q1,k, Q2,k, ..., Qj,k • Examples of interpolant reuse: • Qi,k(Yi), 1  i  j, is usable for m, m  k • Qi,k represents under-approximation of the states unreachable in i time steps • With unfolding of size k+1, Qi,k(Y1), 1  i  j, is usable for k+1 • Qi,k represents over-approximation of the states that satisfy failing property in k time steps • With unfolding of size m  k, Qi,k(Ym-k), 1  i  j, is usable for m

  27. T0 T1 Tk Y0 Y1 Yk+1 I0 Fk+1 An example III • Inverse UMC model checking, with BMC and fixpoint loops • Automaton with unfolding of size k+1 • Fixed point checking for j+1 iterations • Last iteration yields spurious counterexample; j interpolants computed • Interpolants computed at Yk-1: • Qk,1, Qk,2, ..., Qk,j • Examples of interpolant reuse: • Qk,i(Yk), 1  i  j, is usable for m, m  k • Qk,i represents under-approximation of the states unreachable in k time steps • With unfolding of size k+1, Qk,i(Yk+1-i), 1  i  j, is usable for k+1 • Qk,i represents over-approximation of the states that satisfy failing property in i time steps • With unfolding of size m  k, Qk,i(Ym-i), 1  i  j, is usable for m

  28. More on interpolant reuse • All interpolants computed in standard interpolant-based UMC flow can be reused • Easy to integrate with existing interpolant-based UMC flow • Learning and reusing of interpolants can be integrated into any approach for BMC or UMC • Plain BMC algorithm • Different approaches for UMC • Inverse interpolants provide alternative fixpoint condition (from previous slide): • If Qk,i Fk+1  Qk,1   Qk,i-1 is satisfiable, then we have a fixpoint • Potentially interesting; depends on automaton

  29. Outline • SAT & SAT-based model checking • Improvements to SAT-based model checking • Results & conclusions

  30. Results on rescheduling • Evaluated rescheduling on different benchmarks • Specifically designed and industrial examples • Evaluated both the plain UMC algorithm and rescheduling

  31. Experience with reuse • Experimented interpolant reuse on industrial benchmarks • Plain (incomplete) BMC loop • Direct interpolants computed at each step (for last time step) • Interpolants not used for checking fixed point condition • Experience so far: • Search space is reduced • CPU times increase • The problems observed: • Large interpolants • Naive simplifications • Computed solely for search pruning purposes • Ineffective representation • One Reduced Boolean Circuit (RBC) for each interpolant

  32. Conclusions • SAT technology has improved dramatically over the last decade • Key techniques: • Clause learning, optimized data structures, adaptive branching heuristics, search restarts • SAT has been applied to model checking with success • Bounded and unbounded model checking • Described optimizations to the utilization of interpolants in SAT-based model checking • Results preliminary • Rescheduling can allow number of iterations to be significantly reduced • Not significant on industrial benchmarks • Reuse of interpolants reduces amount of search, increases run times

  33. Many challenges • Effectiveness of rescheduling in industrial context? • Can interpolant reuse yield performance gains? • Can we find “good” interpolants to learn and reuse? • E.g. size/depth of interpolant (or CNF representation)

More Related