Interpolation-Sequence Based Model Checking PowerPoint Presentation

### Interpolation-Sequence Based Model Checking

Yakir Vizel (1, 2) and Orna Grumberg (1)

1. Computer Science Department, The Technion, Haifa, Israel.
2. Architecture, System Level and Validation Solutions, Intel Development Center, Haifa, Israel.

Formal Methods in Computer Aided Design, Austin, Texas 2009

Outline

- Introduction
  - Model checking
  - Forward Reachability Analysis
  - Bounded Model Checking
- Interpolation
  - Interpolation
  - Interpolation-Sequence
- Interpolation-Sequence Based Model Checking
- Experimental Results

Introduction

Model Checking

- Given a system and a specification, does the system satisfy the specification?

[Figure: the model checker MC takes the System and the specification AGq and answers whether it holds]

- The specification is given in temporal logic – e.g. LTL.
- We deal with specifications of the form AGq.

Forward Reachability Analysis

[Figure: the sets INIT, S1, S2, …, Sn computed step by step and checked against BAD = ¬q]

Bounded Model Checking

- Does the system have a counterexample of length k?

A Bit of Intuition

[Figure: the exact reachable sets INIT, S1, S2, S3 against BAD = ¬q, beside the over-approximating sets INIT, I1, I2, I3]

Interpolation

Interpolation In The Context of Model Checking

- Given the following BMC formula:

[Figure: the BMC formula split into the parts A and B, with the interpolant I between them]

Interpolation-Sequence

- The same BMC formula partitioned in a different manner:

[Figure: the BMC formula partitioned into A1, A2, A3, …, Ak, Ak+1, with the interpolants I1, I2, I3, …, Ik-1, Ik between consecutive partitions]

Interpolation-Sequence (2)

- Can easily be computed. For 1 ≤ j < n:
  - A = A1 ∧ … ∧ Aj
  - B = Aj+1 ∧ … ∧ An
  - Ij is the interpolant for the pair (A, B)

Interpolation-Sequence Based Model Checking

Using Interpolation-Sequence

[Figure: I1,1 from the bound-1 formula and I1,2, I2,2 from the bound-2 formula, with I1 obtained from I1,1 and I1,2]

Combining Interpolation-Sequence and BMC

- A way to do reachability analysis using a SAT solver.
- Uses the original BMC loop and adds an inclusion check for full verification.
- Similar sets to those computed by Forward Reachability Analysis but over-approximated.

Computing Reachable States with a SAT Solver

- Use BMC to search for bugs.
- Partition the checked BMC formula and extract the interpolation sequence.

[Figure: the interpolation sequence I1,N, I2,N, …, IN-1,N, IN,N extracted from the bound-N BMC formula]
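The computation from the "Interpolation-Sequence (2)" slide and the loop from this slide, as an added example that is not code from the paper or its authors: it runs the method on a constructed 3-bit counter, with explicit-state image computation standing in for the SAT solver and projection plus a greedy weakening standing in for the proof-based interpolants a solver would return (an assumption made for the sake of an offline example). The inclusion check is implemented as Ij ⊆ INIT ∨ I1 ∨ … ∨ Ij-1, which is how the slides read; a second, buggy counter shows BMC catching the counterexample before any fixpoint is claimed.

```python
# Added example (not the paper's code): an explicit-state stand-in for ISB model checking.
# Sets of ints over the 3-bit state are the formulas; image computation replaces the
# SAT solver, and projection plus greedy weakening replaces the proof-based interpolant.
NBITS, INIT = 3, {0}
ALL = set(range(1 << NBITS))
BAD = {s for s in ALL if s & 0b100}        # ¬q: bit 2 set; the property is AG(bit 2 clear)
def step_safe(s):  return (s & 0b100) | ((s + 1) & 0b011)   # 2-bit counter, bit 2 untouched
def step_buggy(s): return (s + 1) & 0b111                     # 3-bit counter: sets bit 2 at step 4
def post(states, step): return {step(s) for s in states}
def pre(states, step):  return {s for s in ALL if step(s) in states}

def weaken(states, forbidden):
    """Forget every state bit whose removal keeps the set disjoint from `forbidden`."""
    cur = set(states)                      # result: a weaker interpolant that still refutes B
    for b in range(NBITS):
        cand = cur | {s ^ (1 << b) for s in cur}
        if not cand & forbidden:
            cur = cand
    return cur

def interpolation_sequence(n, step, weak):
    """I_{1,n}..I_{n,n} for the bound-n BMC formula split A_1 = INIT ∧ T, A_2..A_n = T,
    A_{n+1} = ¬q: I_{j,n} is over V_j, contains Post^j(INIT), misses Pre^(n-j)(BAD)."""
    forbidden = [BAD]                      # forbidden[k] = Pre^k(BAD): refutes A_{j+1}..A_{n+1}
    for _ in range(n):
        forbidden.append(pre(forbidden[-1], step))
    seq, cur = [], INIT
    for j in range(1, n + 1):
        cur = post(cur, step)              # keeps Post(I_{j-1,n}) ⊆ I_{j,n}
        cur = weaken(cur, forbidden[n - j]) if weak else cur
        seq.append(cur)
    return seq

def isb(step, weak=True, max_bound=16):
    """The BMC loop with interpolation-sequence extraction and the inclusion check."""
    if INIT & BAD:
        return ("counterexample", 0)
    I, frontier = [], INIT                 # I[j-1] holds I_j = conjunction over N of I_{j,N}
    for n in range(1, max_bound + 1):
        frontier = post(frontier, step)    # BMC: exact search for a bad state at depth n
        if frontier & BAD:
            return ("counterexample", n)
        I.append(set(ALL))                 # I_n starts out as "true"
        reach = set(INIT)                  # INIT ∨ I_1 ∨ ... ∨ I_{j-1}
        for j, i_jn in enumerate(interpolation_sequence(n, step, weak)):
            I[j] &= i_jn
            if I[j] <= reach:              # fixpoint: reach is inductive and avoids BAD
                return ("safe", n)
            reach |= I[j]
    return ("unknown", max_bound)
```

With the weakened interpolants the safe counter is verified at bound 2, whereas the exact projections (weak=False) only close the fixpoint at bound 4, which is the over-approximation the "A Bit of Intuition" slide alludes to.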

The Analogy to Forward Reachability Analysis

[Figure: the forward reachability sets INIT, S1, S2, S3 against BAD = ¬q, beside the sets INIT, I1, I2, I3, where each Ij is built from the Ij,N extracted at bounds N = j, …, 3: I1 from I1,1, I1,2, I1,3; I2 from I2,2, I2,3; I3 from I3,3]

McMillan’s Method

- The computation itself is different.
  - Uses basic interpolation.
  - Successive calls to BMC for the same bound.
  - Not incremental.
- The sets computed are different.

[Figure: the set J1 computed by McMillan's method compared with I1 and the exact S1]

Experimental Results

- Experiments were conducted on two future CPU designs from Intel (two different architectures/tocks).

Experimental Results - Falsification

Experimental Results - Verification

Experimental Results - Analysis

- False properties: ISB is always faster.
- True properties: results vary. Heavier properties favor ISB, while the easier ones favor IB.
- Some properties cannot be verified by one method but can be verified by the other, and vice versa.

Conclusions

- A new SAT-based method for unbounded model checking.
- BMC is used for falsification.
- Simulating forward reachability analysis for verification.

- The method was successfully applied to industrial-sized systems.

