1 / 35

Multi-Domain Logic as a Tool for Program Verification Implementation Issues

Multi-Domain Logic as a Tool for Program Verification Implementation Issues. Tudor Jebelean , Johannes Kepler Unversity Linz Gábor Kusper , Eszterh á zy K á roly College Eger SCSS 2010. Outline. Motivation Intuition Representation Bounded Model Checking

sorena
Download Presentation

Multi-Domain Logic as a Tool for Program Verification Implementation Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multi-Domain Logic as a Tool for Program VerificationImplementation Issues Tudor Jebelean, Johannes Kepler Unversity Linz Gábor Kusper, Eszterházy Károly College Eger SCSS 2010

  2. Outline • Motivation • Intuition • Representation • Bounded Model Checking • Direct Representation in Multi-Domain Logic • Test Results • Conclusion

  3. Motivation • We have a Multi-Domain Logic based SAT solver, which is just a normal SAT solver with the basic settings. • This SAT solver can use lots of MDL specific techniques: • Variable Merging • Clustering Propositional Variables • Deletion of Weak Assignments (DoWA) • Dynamic Variable Merging • There are some problem sets which can be solved fast using these techniques, like the Pigeon Hole Problem. • We wanted to check whether Bounded Model Checking belongs to this set of problems or not.

  4. Intuition Lots of short clauses are good! 

  5. Generating CNF • Propositional Logic • New variables to prevent exponential growth • Less clauses • More variables • Lots of short clauses • Multi-Domain Logic • Merge variables of some subformulae to prevent exp. growth • More clauses • Less variables • Lots of short clauses

  6. Representation

  7. Literal in Multi-Domain Logic • A multi-literal has the form: Sign Set:Multi-Variable • Sign Set: Finite set of symbols which satisfies the literal. • For example: {Apple}:Food {Cat, Dog}:Pet {1, A, 3.14}:X

  8. Domain • Each multi-variable has a domain. • The domain is the union of sign sets of the multi-var. • Example: • ( { Cat, Dog }:PetOR { Apple }:Food) AND { Gopher }:PetAND {Bread}:Food • The domain for Pet is: { Cat, Dog, Gopher } • The domain for Food is: { Apple, Bread } • Since only one symbol may be assigned to each multi-variable from its domain, this formula is UNSAT.

  9. Literal Representation • We need N bits to represent a multi-literal, where • N is the cardinality of its domain. • Example: • ( { Cat, Dog }:PetOR { Apple }:Food) AND{ Gopher }:Pet AND {Bread}:Food • (110:PetOR10:Food) AND 001:Pet AND 01:Food • The domain for Pet is: { Cat, Dog, Gopher } • The domain for Food is: { Apple, Bread }

  10. Example for Variable merging • Before variable merging: • ({1}:IntOR {A}:Char)AND ({2}:IntOR {B}:Char) • After: • ({1A,1B}:XOR{1A, 2A}:X) AND ({2A, 2B}:XOR {1B, 2B}:X) • Since OR on the same multi-variable is UNION on the sign sets we obtain: • {1A,1B, 2A}:XAND {1B, 2A, 2B}:X • Since AND on the same multi-variable is INTERSECTION on the sign sets we obtain: • {1B, 2A}:X • Note, that a this formula collapsed into a literal!

  11. Boolean Formulae into MDL • We can merge any number of propositional variables. • We need 2k bits to represent a Boolean formula with k propositional variable. • The encoding in case of k = 2: • { } FALSE{00}ab{11} ab {00,11} ab{10} ab {00,10} b{10,11} a {00,10,11} ab{01} ab {00,01} a{01,11} b {00,01,11} ab{01,10} ab {00,01,10} ab{01,10,11} ab {00,01,10,11} TRUE a  b 0 1 0 0 0 1 1 0 0 1 1 1

  12. Bounded Model Checking

  13. Bounded Model Checking • Bounded Model Checking is one of the most successful formal methods for practical verification of hardware and software. • BMC translate the system to be verified into a boolean formula. • It uses a SAT solver to solve this formula. • If the formula is unsatisfiable, then the property is not true, otherwise it is. • BMC profits from very fast SAT solvers!

  14. Bounded Model Checking • The system to be verified consist of: • a transition system, and • a property to be checked (given in temporal logic). • One has to translate the system into a boolean formula: • the transition system can be translated, but • the property can be translated only up to a certain bound. • The bound is on the number of steps. • That is why this approach is called Bounded Model Checking.

  15. Temporal Logic • Properties are given in Computation Tree Logic. • CTL is built from path quantifiers and temporal operators. There are two path quantifiers: • – A, “for every path” • – E, “there exists a path” • CTL has four temporal operators: • – X p, “p holds at the next time step”. • – F p, “p holds at some time step in the future” • – G p, “p holds at every time step in the future” • – p U q, “p holds until q holds” • Note that AG p equivalent to EF not(p).

  16. BMC tool • http://www.cs.cmu.edu/~modelcheck/bmc.html • Generates CNF (DIMACS) files out of SMV descriptions • SMV: Symbolic Model Verifier • But! • During the CNF translation it introduces (recursively) new propositional variables to prevent exponential grow of the formula.

  17. Example: SMV -> Formula bound = 2 ( x0 = 0 ) AND ( x1 = x0+1) AND ( x2 = x1+1) AND ( x0 = 3 OR x1 = 3 OR x2 = 3) VAR x[2] ASSIGN init(x):= 0; next(x):=x+1; SPEC EF x = 3 bound = 1 ( x0 = 0 )AND ( x1 = x0+1) AND ( x0 = 3 OR x1 = 3 )

  18. Direct Representation in MDL

  19. Direct Representation in MDL {0}:x0 {1,2,3}:x0 {1}:x1 {0,2,3}:x0 {2}:x1 {0,1,3}:x0 {3}:x1 {0,1,2}:x0 {0}:x1 {1,2,3}:x1 {3}:x0 {0,2,3}:x1 {0}:x0 {0,1,3}:x1 {1}:x0 {0,1,2}:x1 {2}:x0 {3}:x0 {3}:x1 {0}:x0 [0]:x0 {1}:x1 [1]:x0 {2}:x1 [2]:x0 {3}:x1 [3]:x0 {0}:x1 [0]:x1 {3}:x0 [1]:x1 {0}:x0 [2]:x1 {1}:x0 [3]:x1 {2}:x0 {3}:x0 {3}:x1 ( x0 = 0 ) AND ( x1 = x0+1) AND ( x0 = 3 OR x1 = 3 )

  20. Test results We tested our Java implementation on MDL instances and on their equivalent SAT problems from the page: http://www.cs.cmu.edu/~modelcheck/bmc/bmc-benchmarks.html The test results are obtained on a NEC VERSA M370 notebook with Core2 DuoM 2 GHz processor (32 bits) and 1 GB memory.

  21. 2-bit counter • The transition system: • We have a 2-bit counter • The two bits represented by A • The initial state is A=0 • Then we count: 0, 1, 2, 3, 0, and so on… • The property to be checked: • The counter will eventually reach the state 3. • In temporal logic: EF A = 3. • Or equivalently: AG not(A = 3). 0 3 1 2

  22. 2-bit counter example CNF file: p cnf 7 15 -1 3 0 -1 2 0 -4 6 0 -4 5 0 7 6 -5 0 7 -6 5 0 -7 6 5 0 -7 -6 -5 0 -5 0 -6 0 -2 -5 0 2 5 0 -3 7 0 3 -7 0 4 1 0 MDL file: {0}:x0 [0]:x0 {1}:x1 [1]:x0 {2}:x1 [2]:x0 {3}:x1 [3]:x0 {0}:x1 [0]:x1 {3}:x0 [1]:x1 {0}:x0 [2]:x1 {1}:x0 [3]:x1 {2}:x0 {3}:x0 {3}:x1 BMC file: VAR x[2] ASSIGN init(x):=0; next(x):=inc(x); SPEC AG x != 3

  23. n-bit counter, all unsatisfiable

  24. n-bit counter, all satisfiable

  25. n-bit counter, #unit propagations

  26. Barrel Shifter • The transition system: • We have a 2x2-bit barrel shifter • The initial state is: B=R • R can be any value • A step: shift B by 2 bits • The property to be checked: • invar := (B0 = R0 -> B1 = R1) & (B0 = R1 -> B1 = R0) & (B1 = R0 -> B0 = R1) & (B1 = R1 -> B0 = R0) • AGinvar • EF not( invar ) B0,B1|B2,B3 R0,R1|R2,R3 B2,B3|B0,B1 R0,R1|R2,R3

  27. Barrel Shifter CNF file: p cnf 17 53 -1 2 0 -1 3 0 -4 5 0 -4 6 0 -7 8 0 -7 9 0 10 -7 0 10 -4 0 10 -1 0 7 4 1 -10 0 MDL file: [0]:b00 [1]:r00 [1]:b00 [0]:r00 [0]:b10 [1]:r10 [1]:b10 [0]:r10 [0]:b00 [0]:b10 [0]:r00 [0]:r10 [0]:b00 [0]:b10 [1]:r00 [1]:r10 [0]:b00 [1]:b10 [0]:r00 [1]:r10 [0]:b00 [1]:b10 [1]:r00 [0]:r10 [1]:b00 [0]:b10 [0]:r00 [1]:r10 [1]:b00 [0]:b10 [1]:r00 [0]:r10 [1]:b00 [1]:b10 [0]:r00 [0]:r10 [1]:b00 [1]:b10 [1]:r00 [1]:r10 BMC file: ASSIGN init(b0) := r0; init(b1) := r1; next(b0) := b1; next(b1) := b0; next(r0) := r0; next(r1) := r1; SPEC AG (b0=r0 -> b1=r1)& (b0=r1 -> b1=r0)& (b1=r0 -> b0=r1)& (b1=r1 -> b0=r0)

  28. Barrel Shifter, running time

  29. Conclusion

  30. The State Explosion Problem • The state explosion problem is, thatthe number of system states grows exponentially withthe number of system components • We cannot heal this problem. • We can postpone it by some factor depending on the word size of our computer.

  31. Generating CNF • Propositional Logic • New variables to prevent exponential grow • Less clauses • More variables • Lots of short clauses • Multi-Domain Logic • Merge variables of some subformulae to prevent exp. grow • More clauses • Less variables • Lots of short clauses

  32. Conclusion • On one hand, Multi-Domain Logic can encode Bounded Model Checking problems in a more compact and natural way. • On the other hand, the resulting MDL problems can be solved faster then their boolean versions.

  33. Future work • We would like to implement • Compiler from SMV (Symbolic Model Verifier) to MDL

  34. Thank you for your attention!

More Related