
Tuning SAT-checkers for Bounded Model-Checking



Presentation Transcript


  1. Tuning SAT-checkers for Bounded Model-Checking
  A bounded guided tour
  Ofer Strichman, Carnegie Mellon University

  2. Model Checking
  • Given a finite transition system M(S, I, R) and a temporal property φ
  • The model checking problem: does M satisfy φ?

  3. Model Checking
  • Temporal properties:
  • “Always x=y”, G(x=y) (safety)
  • “Every Send is followed by Ack”, G(Send → F Ack) (liveness)
  • “Reset can always be reached”, GF Reset (liveness)
  • “From some point on, always switch_on”, FG switch_on (liveness)

  4. Advances in Model Checking
  • Explicit model checking (1980 – )
  • Symbolic Model Checking with Binary Decision Diagrams (1991 – )
  • Symbolic Bounded Model Checking with SAT solvers (1999 – )

  5. Bounded Model Checking (Biere, Cimatti, Clarke, Zhu, 1999)
  • A.I. planning problems: can we reach a desired state in k steps?
  • Verification of safety properties: can we find a bad state in k steps?
  • Verification: can we find a counterexample in k steps?

  6. p p p p p . . . s0 s1 s2 sk-1 sk Bounded Model Checking • Most safety properties can be reduced to “Always p” where p is propositional. • Is there a state reachable within k cycles that satisfies p ?

  7. p p p p p . . . s0 s1 s2 sk-1 sk Reducing the BMC problem to SAT pis preserved up to cycle k iff W(k)is unsatisfiable:

  8. Example: a two bit counter
  [Figure: the counter states 00 → 01 → 10 → 11]
  • Initial state: 00
  • Transition: count up (00 → 01 → 10 → 11)
  • Property: Always ¬(l ∧ r)
  • W(2) is unsatisfiable. W(3) is satisfiable.

  9. Bounded Model Checking
  • All Linear-time Temporal Logic (LTL) can be checked with BMC
  • BMC can be applied to software, e.g. C programs (Kroening, Clarke, 2002):
  • Unwind each loop k times
  • Represent in Single Assignment Form (SAF)
  • Solve the resulting bit-vector verification condition

  10. Bounded Model-Checking of software
  • while() loops are unwound
  void f(...) {
      ...
      while(cond) {
          Body;
      }
      Rest;
  }

  11. Bounded Model-Checking of software
  • while() loops are unwound
  void f(...) {
      ...
      if(cond) {
          Body;
          while(cond) {
              Body;
          }
      }
      Rest;
  }

  12. Bounded Model-Checking of software
  • while() loops are unwound
  void f(...) {
      ...
      if(cond) {
          Body;
          if(cond) {
              Body;
              while(cond) {
                  Body;
              }
          }
      }
      Rest;
  }

  13. Bounded Model-Checking of software
  • while() loops are unwound iteratively
  • An assertion may be inserted after the last iteration: it is violated if the program runs longer than the bound permits
  void f(...) {
      ...
      if(cond) {
          Body;
          if(cond) {
              Body;
              if(cond) {
                  Body;
                  while(cond) {
                      Body;
                  }
              }
          }
      }
      Rest;
  }

  14. Bounded Model-Checking of software
  • while() loops are unwound iteratively
  • An assertion may be inserted after the last iteration: it is violated if the program runs longer than the bound permits
  void f(...) {
      ...
      if(cond) {
          Body;
          if(cond) {
              Body;
              if(cond) {
                  Body;
                  if(cond) {
                      assert(FALSE);
                  }
              }
          }
      }
      Rest;
  }

  15. Bounded Model Checking - First impression…
  • First experiments with BMC in the industry showed that it is rarely faster than model checkers, unless k is very small.
  • But: model checkers enjoyed more than 10 years of R&D…

  16. The Davis-Putnam procedure
  • Given W(k) in CNF, e.g. (x ∨ y ∨ z)(x ∨ y)(¬y ∨ z)(¬x ∨ ¬y ∨ ¬z)
  [Figure: the search loop over W: Decide() → Deduce() → Diagnose(); Deduce() is annotated “~1000”]

  17. 1. Restricting Decide()
  • Restrict Decide() to a smaller set of variables that uniquely determines the satisfiability of W(k):
  • Model variables (~15% of W(k)’s variables)
  • Input variables (~5% of W(k)’s variables)
  • Fewer variables to Decide() implies more variables for Deduce()

  18. 2. Variable ordering
  • For a general CNF formula, dynamic strategies are typically better:
  • Most frequent in unsatisfied clauses (DLCS)
  • Satisfies the most clauses (DLIS)
  • Satisfies the most short clauses (MOM, JW)
  • Conflict-driven (VSIDS)
  • Q: How well do they work with BMC formulas?

  19. 2. Variable ordering (Abstract dependency graphs)
  • A (CNF) dependency graph D(V, E):
  • A partitioning C1..Cn:
  • An abstract dependency graph D’(V’, E’):

  20. 2. Variable ordering (The natural order of W(k))
  [Figure: the variable sets V0, V1, V2, V3, …, Vk-1, Vk of W(k), one partition C0, C1, C2, C3, …, Ck-1, Ck per time frame, forming a chain]
  • For W(k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear

  21. 2. Variable ordering
  [Figure: the chain of partitions from I0 to ¬Pk]
  • With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously

  22. 2. Variable ordering (simple static ordering)
  [Figure: deciding forward from I0 towards ¬Pk] W(k) should satisfy ¬Pk: riding on legal executions...
  [Figure: deciding backward from ¬Pk towards I0] W(k) should satisfy I0: riding on unreachable states...

  23. 3. Exploiting W(k)’s structure
  • Can this regularity be used to speed up the search?

  24. 3. Exploiting W(k)’s structure
  • Conflict clauses are the main mechanism for learning
  • If (x3=1, y7=0, z5=1) leads to a conflict, add the conflict clause C: (¬x3 ∨ y7 ∨ ¬z5)

  25. 3. Exploiting W(k)’s structure (Replicated clauses)
  • If x3=1, y7=0, z5=1 leads to a conflict, then so will x2=1, y6=0, z4=1
  • Therefore, we can also add: (¬x2 ∨ y6 ∨ ¬z4) ∧ … ∧ (¬x0 ∨ y4 ∨ ¬z2) and (¬x4 ∨ y8 ∨ ¬z6) ∧ … ∧ (¬xk-4 ∨ yk ∨ ¬zk-2)
  • Yet, W(k) is not fully symmetric because of I0.
  • Check whether the clauses that caused the conflict include I0 variables.

  26. 4. Exploiting W(k)’s structure (Reusing clauses)
  • When can a conflict clause C that was learned while solving W(k) be reused for solving W(k+1)?
  • Answer: when all clauses that together implied C are in W(k) ∩ W(k+1)
  • All clauses except the property are in W(k) ∩ W(k+1)
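The bookkeeping behind slides 25 and 26, as an added example that is not code from the talk: a conflict clause over step-indexed variables is copied to every other time frame of W(k) that keeps all indices inside 0..k, and a clause is carried over to W(k+1) only when the property clauses played no part in deriving it. The example is deliberately conservative about replication: it shifts a clause only when the conflict was derived from transition-relation clauses alone, which covers the slide's I0 check. The Lit representation, the origin tags "init"/"trans"/"prop" that the solver is assumed to attach to each clause, and the function names are my own.

```python
"""Added example: replicating and reusing conflict clauses learned on W(k).

Assumptions (mine, not the talk's): every clause of W(k) carries an origin tag,
'init' for I0, 'trans' for R(s_i, s_{i+1}), 'prop' for the property, and the
solver reports the set of tags that participated in a conflict.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Lit:
    """A literal over the step-indexed variable name@step, e.g. ¬x3 = Lit('x', 3, False)."""
    name: str
    step: int
    positive: bool

    def shifted(self, delta: int) -> "Lit":
        return Lit(self.name, self.step + delta, self.positive)

    def __str__(self) -> str:
        return f"{'' if self.positive else '¬'}{self.name}{self.step}"


Clause = Tuple[Lit, ...]


def conflict_clause(assignment: Dict[Tuple[str, int], bool]) -> Clause:
    """The clause that blocks a conflicting partial assignment:
    x3=1, y7=0, z5=1  ->  (¬x3 ∨ y7 ∨ ¬z5)."""
    return tuple(Lit(name, step, not value) for (name, step), value in assignment.items())


def replicate(clause: Clause, k: int, used_tags: FrozenSet[str]) -> List[Clause]:
    """All time-shifted copies of clause that are valid in W(k), the original included.

    Shifting is sound only if the conflict followed from shift-invariant clauses,
    i.e. the transition relation alone: I0 pins frame 0 and breaks the symmetry,
    so a derivation that touched 'init' (or anything else) is left unreplicated.
    """
    if used_tags - {"trans"}:
        return [clause]
    lo = min(lit.step for lit in clause)
    hi = max(lit.step for lit in clause)
    # delta ranges so that the smallest index reaches 0 and the largest reaches k
    return [tuple(lit.shifted(d) for lit in clause) for d in range(-lo, k - hi + 1)]


def reusable_for_next_bound(used_tags: FrozenSet[str]) -> bool:
    """A clause learned on W(k) remains valid for W(k+1) iff everything that implied it
    lies in W(k) ∩ W(k+1); with this encoding that is every clause except the property."""
    return "prop" not in used_tags


def show(clauses: List[Clause]) -> List[str]:
    return ["(" + " ∨ ".join(str(lit) for lit in c) + ")" for c in clauses]


if __name__ == "__main__":
    learned = conflict_clause({("x", 3): True, ("y", 7): False, ("z", 5): True})
    copies = replicate(learned, k=10, used_tags=frozenset({"trans"}))
    print(show(copies))   # (¬x0 ∨ y4 ∨ ¬z2) ... (¬x6 ∨ y10 ∨ ¬z8), seven clauses for k = 10
    print(reusable_for_next_bound(frozenset({"trans", "init"})))   # True
    print(reusable_for_next_bound(frozenset({"trans", "prop"})))   # False
```

For k = 10 the shifts run from delta = -3 (giving (¬x0 ∨ y4 ∨ ¬z2)) to delta = 3 (giving (¬x6 ∨ y10 ∨ ¬z8)), which is exactly the range the slide writes as (¬x0 ∨ y4 ∨ ¬z2) … (¬xk-4 ∨ yk ∨ ¬zk-2).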

  27. Results (sec.)
  [Table not reproduced in the transcript; * = exceeds 10,000 sec.]
  (Today, Chaff solves all in 7 minutes…)

  28. Results (sec.)
  [Table not reproduced in the transcript]

  29. The Conclusion
  • The original conclusion (2000): many models that cannot be solved by BDD symbolic model checkers can be solved with the optimized SAT Bounded Model Checker. The other direction is true as well.
  • Today: BMC with SAT is dominant in finding shallow errors. BDD-based procedures are mainly used for proving their absence.

  30. How big should k be?
  • For every model M and LTL property φ there exists k s.t.
  • The minimal such k is the Completeness Threshold (CT)

  31. How big should k be?
  [Figure: an example transition system with d = 2 and rd = 3]
  • Diameter d = longest shortest path from an initial state to any other reachable state.
  • Recurrence Diameter rd = longest loop-free path.
  • rd ≥ d

  32. How big should k be?
  [Figure: an arbitrary path from s0 to a state where p fails]
  • Theorem: for Gp properties CT = d

  33. p p p p p s0 How big should k be? • Theorem: for Fp properties CT= rd • Open Problem: The value of CT for general Linear Temporal Logic properties is unknown

  34. LTL model checking
  • Given M, φ, construct B¬φ
  • LTL model checking: is ψ = M × B¬φ empty?
  • Emptiness checking: is there a path to a loop with an accepting state?
  • ⇔ witness to G true with a fairness constraint
  • M ⊨ φ iff ψ is empty

  35. LTL Bounded Model Checking
  • “Unroll” ψ k times
  • Find a witness to G true with the fairness constraint f
  [Figure: the unrolled path from s0]
