- 122 Views
- Uploaded on
- Presentation posted in: General

SAT Based Abstraction/Refinement in Model-Checking

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

SAT Based Abstraction/Refinement in Model-Checking

Ofer Strichman*

Joint work with

E. Clarke* A. Gupta* J. Kukula**

*Carnegie Mellon University

**Synopsys

I

Add reachable states until reaching a fixed-point

I

Too many states to handle !

h

h

h

h

h

S

S’

Abstraction Function h : S ! S’

- Partition variables into visible(V) and invisible(I) variables.

The abstract model consists of V variables. I variables are made inputs.

The abstraction function maps each state to its projection over V.

x1 x2 x3 x4

0 0 0 0

0 0 0 1

0 0 1 0

0 0 1 1

x1 x2

h

0 0

Group concrete states with identical visible part to a single abstract state.

x1 x2 x3 x4

x1 x2

Abstract

i1 i2

i1 i2 x3 x4

M’ can be computed efficiently if M is in

functional form, e.g. sequential circuits.

I

I

Converse does not hold

- Preservation Theorem

The counterexample may be spurious

Frontier

P

Visible

Invisible

Inputs

Localization

(R. Kurshan, 80’s)

Abstract

Model Check

M, p, h

M’, p

Pass

No Bug

Fail

h’

Refine

Check

Counterexample

Spurious

Real

Bug

Deadend

states

I

I

Bad

States

f

Failure

State

- Problem: Deadend and Bad States are in the same abstract state.
- Solution: Refine abstraction function.
- The sets of Deadend and Bad states should be separated into different abstract states.

h’

h’

h’

h’

h’

h’

h’

Refinement : h’

Abstract

Model Check

M, p, h

M’, p

Pass

No Bug

Fail

h’

Refine

Check

Counterexample

Spurious

Real

Bug

Abstract

Model Check

M, p, h

M’, p

Pass

No Bug

Fail

h’

Refine

Check

Counterexample

Spurious

Real

Bug

- Counterexample : (c1, …,cm)
- Each ci is an assignment to V.

Simulate the counterexample on the concrete model.

Concrete traces corresponding to the counterexample:

(Initial State)

(Unrolled Transition

Relation)

(Restriction of V to

Counterexample)

Abstract

Model Check

M, p, h

M’, p

Pass

No Bug

Fail

h’

Refine

Check

Counterexample

Spurious

Real

Bug

Deadend States

Deadend States

Bad States

1

0

1

0

0 0 1 0

0 1 0

0 1 1 1

0 1 0

1

1

d1

0 1 0

0 1 0 1

I

b1

V

b2

0 1 0 1

0 1 0

0

1

0 0 1 0

0 1 0

0 1 1 1

0 1 0

1

Refinement : Find subset U of I that separates between all pairs of deadend and bad states. Make them visible.

Keep U small !

d1

I

b1

V

b2

The state separation problem

Input: Sets D, B

Output: Minimal U I s.t.:

d D, b B, u U. d(u) b(u)

The refinement h’ is obtained by adding Uto V.

- ILP-based separation
- Minimal separating set.
- Computationally expensive.

- Decision Tree Learning based separation.
- Not optimal.
- Polynomial.

- One constraint per pair of states.
- vi = 1 iff vi is in the separating set.

DB

v1

0

1

{d1,b2}

{d2,b1}

v2

v4

0

1

0

1

B

D

D

B

b2

d1

d2

b1

D

B

Classification:

Separating Set : {v1,v2,v4}

a1

0

1

a2

a5

0

1

0

1

c0

c1

c1

c2

- Input : Set of examples
- Each example is an assignment of values to the attributes.
- Each example has a classification.

- Output : Decision Tree
- Each internal node is a test on an attribute.
- Each leaf corresponds to a classification.

- Attributes : Invisible variables I
- Classifications :‘D’ and ‘B’
- Example Set :DeadendBad
Separating Set : The variables on the nodes of the decision tree.

- For systems of realistic size
- Not possible to generate D and B.
- Expensive to separate D and B.

- Solution:
- Sample D and B
- Infer separating variables from the samples.

- The method is still complete:
- counterexample will eventually be eliminated.

d

b

D

B

- Let (D,B) be the smallest separating set of D and B.
- Q: Can we find it without deriving D and B ?

- A: Search for smallest d,b such that (d,b) = (D,B)

- Direct search towards samples that contain more information.
- How? Find samples not separated by the current separating set (Sep).

Rename all viBto vi’

- Recall:
- D characterizes the deadend states
- B characterizesthe bad states
- D B is unsatisfiable

- Samples that agree on the sep variables:

Run SAT solver

on W(Sep)

Sep = {}

d,b = {}

STOP

unsat

sat

Add samples to

d and b

Compute

Sep:=(d,b)

Sep is the minimal separating set of D and B

Sep

MC

LpSolve

NuSMV

Cadence

SMV

Dec Tree

SAT

Chaff

Property 1

Property 2

Efficient Sampling together with Decision Tree Learning performs best.

Machine Learning techniques are useful in computing good refinements.

(Barner, Geist, Gringauze, CAV’02)

- Check counterexample incrementally (‘layering’).
- Find small set of variables in Sf for which it is impossible to find an assignment consistent with the counterexample.

Frontier

P

Visible

Invisible

Inputs

Localization

(Originally: R. Kurshan, 80’s)

Intel’s refinement heuristic

(Glusman et al., 2002)

- Generate all counterexamples.
- Prioritize variables according to their consistency in the counterexamples.

X1 x2 x3 x4

Abstraction/refinement with conflict analysis

(Chauhan, Clarke, Kukula, Sapra, Veith, Wang, FMCAD 2002)

- Simulate counterexample on concrete model with SAT
- If the instance is unsatisfiable, analyze conflict
- Make visible one of the variables in the clauses that lead to the conflict

Remove clauses gradually, until instance becomes satisfiable.

Choose invisible variables from the removed set.

Abstraction/refinement with conflict analysis

(Chauhan, Clarke, Kukula, Sapra, Veith, Wang, FMCAD 2002)

- Currently: Sometimes we find too many equally ‘good’ refinements to choose from.
- We need more criteria for a good refinement (not just # latches).
- Number of gates, number of clauses
- Distance from property
- Fan-in degree

T

T

T

T ‘

T ‘

T ‘

Currently we restart with a refined transition relation

T ’

T ’

T

T

T

A different approach: restart from the previous state.

- An abstraction/refinement backtrack algorithm
- What intermediate BDD’s should we save ?
- How can BDDs be altered rather than recomputed ?

The End

Initialize SAT solver

with ( or )

“enough samples”/

unsatisfiable

Execute Sat Solver

STOP

satisfiable

sample

Add clause negating

assignment to I in

failure state