Download
trading off sat search and variable quantifications for effective unbounded model checking n.
Skip this Video
Loading SlideShow in 5 Seconds..
Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking PowerPoint Presentation
Download Presentation
Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking

Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking

0 Views Download Presentation
Download Presentation

Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Trading-offSAT search and Variable Quantifications for effectiveUnbounded Model Checking G. Cabodi P. Camurati L. Garcia M. Murciano S. Nocco S. Quer Politecnico di Torino Torino, Italy

  2. Outline • Background • Motivations • Core • Contribution A: Divide • Contribution B: & Conquer • Contribution C: Integrated Approach (Bwd + ITP) • Experimental Results • Conclusions • Future Works

  3. Background: UMC as a Reachability Problem Initial states Counterexample trace Buggy states

  4. Background: UMC as a Reachability Problem Rfwd Rbwd Initial states Rfwd : Reached from (fix-point) Buggy states Rbwd : Can reach (fix-point)

  5. Background: SAT based UMC • k-induction [Sheeran2000] • All-solution SAT [McMillan2002, Kang2003, Ganai2004] • Circuit based quantification [Williams2000, Abdulla2000] • Abstraction & Refinement • Localization reduction [Kurshan1994] • Predicate abstraction [Clarke2003, Jain2004] • Craig Interpolation [Graig1957, McMillan2003]

  6. Interpolant [Craig1957] • A A' • A' Ù B = 0 • A' refers only to common .variables of A and B • Given A Ù B = 0 • A' = ITP (A, B) Interpolant

  7. Interpolant [Craig1957] • A A' • A' Ù B = 0 • A' refers only to common .variables of A and B • Given A Ù B = 0 • A' = ITP (A, B) • A' can be derived in linear time from the refutation proof of A Ù B [Pudlak1997, Krajicek1997]

  8. Interpolant [Craig1957] • A A' • A' Ù B = 0 • A' refers only to common .variables of A and B • Given A Ù B = 0 • A' = ITP (A, B) A Ù B is UNSAT A B 1 CNF Clauses Resolution graph AND-OR circuit One gate for each graph node Null clause A' = ITP (A,B)

  9. Interpolant [McMillan2003] • Interpolant as Image Operator • Over-approximation • Variable quantification • Works whenever a representation of backward reachable space is given • A  From  T (forward) • B  Paths to failure states (backward) • A'  Over-approximated Image (Img+) • Img+ is called adequate w.r.t. B

  10. Img+ PI V V' T From To

  11. Img+ To+(V') = Img+(From,T) = Approx[(V,PI)From(V)T(V,PI,V')] PI V V' T From To+ To

  12. Img+- Adequate • To+ adequate w.r.t. B when • if To is outside B • then To+ is outside B as well PI V V' T From B To+ To To+ = ITP (From  T, B)

  13. Img+- Adequate Fwd approximate reachable states computed by adequate Img+ do not intersect Bwd reachable states Img+Adq (Ri,T, Rbwd) I B Ri R Img (Ri,T) Rbwd

  14. Img+- k-Adequate WhenRbwditisnotknown itisreplacedbybackwardcircuitunrollingofincreasingdepth k Img+Adq (Ri,T, Rk,bwd) I ≤k B Ri R Img (Ri,T) Rk, bwd

  15. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+

  16. Interpolant Model Checking Abstraction & Refinement loop do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+

  17. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) Approximated Reachability loop FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+

  18. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+ Img+ (Ri,T) k-adequate (T, F)

  19. Interpolant Model Checking do Cone = CircuitUnroll (B, T, k) res = FiniteRun (I, T, Cone) k = k + 1 while (res = undecided) Bound increment FiniteRun (I, T, Cone) if (SAT ( I ΛT ΛCone)) return (reachable) R = I while (true) Img+ = Img+Adq (T, R, Cone) if (Img+ = undefined) return (undecided) if (Img+ R) return (unreachable) R = R νImg+ BMC check find a trace (Overapproximated) Fix-point reached

  20. Motivations • Refutation proofs follow SAT solver runs • SAT heuristics do NOT target resolution graph (and unsatisfiable core) minimization • Not unique (depend on SAT heuristics) • Difficult UNSAT instances  Large interpolants • Interpolant circuits need aggressive optimizations (BDD/SAT sweeping + logic synthesis) • Highly redundant • AND-OR circuits (just negations on inputs) are not optimal

  21. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant)

  22. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant) Contribution A/1 State Set View R3 R2 R1 R0 R0 R3 R2 R1 Circuit View 1 0

  23. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant) Contribution A/2 R3 R2 R1 R0 R3 R2 R1 R0 v Partitioned Circuit View R3 R2 R1 R0 Circuit View

  24. Contributions • Partitioned Adequate Image Computation A Divide & Conquer Approach • Across different methods • Compute partial state sets • Use to restrict search space • Within Partitioned Adequate Image (interpolant) Contribution B v v R0 R3 R2 R1 R0 R3 R2 R1 R3 R2 R1 R0 Partitioned Circuit + State Set

  25. Contributions • Backward & Interpolation An integrated Approach • Compute (partial) backward state sets by • Circuit quantification • SAT- enumeration • Check backward fix point (SAT) • Eventually forward interpolant (using partitioned image) Contribution C R3 R2 R1 R0 R3 R2 R1 R0 v Circuit + State View R0 R3 R2 R1 Circuit View

  26. Contribution A/1: Partial Quantification 0 0 LazyE (Cone) G = Cone forall v ∈ PI tmp = v G if (|tmp| < th · |G|) G = tmp return (G) Cone 1 0 v1v0Cone 0 1 1 1 Quantifyvariable ifsize under control otherwise keepunquantified

  27. Contribution A/1: Partial Quantification LazyE (Cone) G = Cone forall v ∈ PI tmp = v G if (|tmp| < th · |G|) G = tmp return (G) v1v0Cone • operator on circuit • byOR-ingcofactors • exponentialblow-up, • unless tight sharing • (by SAT/BDD sweeping) • TryPICone • if (notallquantification • accepted) work notfinished

  28. Contribution A/1: Partial Quantification Adopting BDDs LazyEBDD (Cone) (ConeBdd, CutV, CutF) = AIG2BDD (Cone) G = ANDEBDD (ConeBdd, CutVari, CutFi) if (|G| < th · |Cone|) return (BDD2AIG(G)) else return (Cone) Quantification on BDDs BDD 2 AIG AIG 2 BDD 1 0 1 0 Quantifyvariable ifsize under control otherwisekeep unquantified

  29. Contribution A/1: Partial Quantification Adopting BDDs LazyEBDD (Cone) (ConeBdd, CutV, CutF) = AIG2BDD (Cone) G = ANDEBDD (ConeBdd, CutVari, CutFi) if (|G| < th · |Cone|) return (BDD2AIG(G)) else return (Cone) Quantification on BDDs BDD 2 AIG AIG 2 BDD 1 0 1 0 1 0 1 0 1 0 1 0 BDDs with Cut Points EarlyQuantification Schedule

  30. Contribution A/1: Partial Quantification with Subsetting 0 0 Quantifyvariableifsize under control otherwise set toconstant 0/1 value Cone 1 0 LazyESubset (Cone) G = Cone σ = SAT (Cone) forallv∈ PI tmp = vG if (|tmp| < th · |G|) G = tmp else G = G|Ѡi=σ[vi] return (G) 0 1 1 1

  31. Contribution A/1: Partial Quantification with Subsetting 0 0 Quantifyvariableifsize under control otherwise set toconstant 0/1 value Cone 1 0 LazyESubset (Cone) G = Cone σ = SAT (Cone) forallv∈ PI tmp = vG if (|tmp| < th · |G|) G = tmp else G = G|Ѡi=σ[vi] return (G) 0 1 1 1 Resultis subset of a state set R¯k,bwd Rk,bwd= PICone

  32. Contribution A/1 • Ifwe are veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1

  33. Contribution A/1 • Ifwe are veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 • to State set (Back) R0 R3 R2 R1 1 0

  34. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1

  35. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 • to

  36. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 Cone • to Back¯

  37. Contribution A/1 • Ifwe are NOT veryluckywemovefrom Circuit unrolling (Cone) R0 R3 R2 R1 Cone¯ • to v Simplify (Cone, Back¯) (by redundancy removal) Back¯

  38. Contribution A/2: Cone0 v Cone1 Cone = Cone1 v Cone2 v Cone3 v … v Conen

  39. Contribution A/2: Cone0 v Cone1 Cone = Cone1 v Cone2 v Cone3 v … v Conen F V F Circuit unrollings are disjunction ofcircuitunrollings V F V F

  40. Contribution B: How to Conquer Img+Adq(I, T, Cone) Img (I, T) Cone F I T T T T T Ri Img+Adq(I, T, Cone)

  41. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) Disjunction of Cones Img (I, T) Cone F I T T T T T Ri Img+Adq(I, T, Cone)

  42. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Conjunction of Images Img (I, T) Cone F I T T T T T Ri Img+Adq(I, T, Cone)

  43. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) Cone1 F I T T T T T Ri Cone2 Img+Adq(I, T, Cone)

  44. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) Cone1 F I T T T T T Ri Img+Adq(I, T, Cone)

  45. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) Cone1 F I T T T T T Ri Img+Adq(I, T, Cone1)

  46. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img (I, T) F I T T T T T Ri Cone2

  47. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img+Adq(I, T, Cone2) Img (I, T) F I T T T T T Ri Cone2

  48. Contribution B: How to Conquer Img+Adq(I, T, Cone) = Img+Adq(I, T, Cone1 v Cone2) = Img+Adq(I,T,Cone1)  Img+Adq(I,T,Cone2) Img+Adq(I, T, Cone2) Img (I, T) F I T T T T T Img+Adq(I, T, Cone) Ri Img+Adq(I, T, Cone1)

  49. Contribution C: Backward + Interpolation IntegratedMC (I, T, F) set initial values do res = undecided Conek = Conek−1(T) if (SAT(I  (Conekv BckR¯ ))) return (reachable) fp = CheckFP (Conek, BckR¯, Cone0..k−1) if (fp = true) return (unreachable) (Conek, BckR¯) = LazyE/BDD/Subset (Conek, BckR¯) if (fp = undecided) Cone¯ = Simplify (Cone, ¬BckR¯) res = FiniteRun2 (I, T, Cone¯, BckR¯) increase bound while (res = undecided)

  50. Contribution C: Backward + Interpolation IntegratedMC (I, T, F) set initialvalues do res = undecided Conek = Conek−1(T) if (SAT(I  (ConekvBckR¯ ))) return (reachable) fp = CheckFP (Conek, BckR¯, Cone0..k−1) if (fp = true) return (unreachable) (Conek, BckR¯) = LazyE/BDD/Subset (Conek, BckR¯) if (fp = undecided) Cone¯ = Simplify (Cone, ¬BckR¯) res = FiniteRun2 (I, T, Cone¯, BckR¯) increasebound while (res = undecided) Loop by Increasing Back Unrolling BMC checks for Cex Backward Reachability Section Interpolant Section