
SAT-based Bounded and Unbounded Model Checking

Edmund M. Clarke, Carnegie Mellon University

Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti, T. Heyman, D. Kroening, J. Ouaknine, R. Raimi, O. Strichman, and Y. Zhu

Why am I giving this talk?

I have an ulterior motive for this talk.

Second Edition!

Need a chapter on SAT for the second edition.

Outline of Talk

- 1. Motivation
- 2. Bounded Model Checking
- 3. Complete methods using SAT
- a. Induction
- b. Unbounded Model Checking
- --- with cube enlargement
- --- with circuit co-factoring
- --- with interpolants

Outline of Talk

- 1. Motivation yes
- 2. Bounded Model Checking yes
- 3. Complete methods using SAT
- a. Induction no
- b. Unbounded Model Checking
- --- with cube enlargement yes
- --- with circuit co-factoring yes
- --- with interpolants no

SAT Solver Progress 1960-2010

Model Checking (CE81,QS82)

- Specification: temporal logic
- Model: finite state transition graph
- Advantages
- Always terminates
- Automatic
- Usually fast
- Can handle partially specified models
- Counterexample if specification is false

Symbolic Model Checking

- Method used by most industrial strength model checkers.
- Uses Boolean encoding for state machine and sets of states.
- Can handle much larger designs: hundreds of state variables.
- BDDs traditionally used to represent Boolean functions.

Problems with BDDs

- BDDs are a canonical representation. Often become too large.
- Variable ordering must be uniform along paths.
- Selecting the right variable ordering is very important for obtaining small BDDs.
- Often time consuming or needs manual intervention.
- Sometimes, no space efficient variable ordering exists.
- This talk describes alternative approaches to model checking that use SAT procedures.

Advantages of SAT Procedures

- SAT procedures also operate on Boolean formulas but do not use canonical forms.
- Do not suffer from the potential space explosion of BDDs.
- Different split orderings possible on different branches.
- Very efficient implementations exist.

Bounded Model Checking

- A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS 99

Bounded Model Checking as SAT

Given a property p (e.g. signal_a → signal_b): is there a state reachable in k cycles which satisfies ¬p?

[Figure: path s0, s1, s2, ..., sk-1, sk, each state labelled p except one labelled ¬p]

The reachable states in k steps are captured by

Bounded Model Checking Safety

The property p fails in one of the k steps

Bounded Model Checking Safety

The safety property p is valid up to step k iff W(k) is unsatisfiable.

[Figure: path s0, s1, s2, ..., sk-1, sk, each state labelled p except one labelled ¬p]

Example: a two-bit counter

Bounded Model Checking Safety

- Initial state: I = ¬l ∧ ¬r
- Transition: R = (l' = l ⊕ r) ∧ (r' = ¬r)
- Property: G(¬l ∨ ¬r).

For k = 2, W(k) is unsatisfiable. For k = 3, W(k) is satisfiable.

Bounded Model Checking Liveness

There is no counterexample of length k to the liveness property Fp iff W(k) is unsatisfiable.

[Figure: path s0, s1, s2, ..., sk-1, sk labelled with ¬p and p]
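The two-bit counter and the liveness encoding above can be exercised directly. The following is an added example, not code from the talk: it unrolls I(s0) ∧ ⋀T(si, si+1) for k steps, conjoins the safety constraint (⋁¬p) or the liveness constraint (⋀¬p plus a loop back from sk) and decides satisfiability by brute force over the 2(k+1) state bits; `broken_trans` is a constructed variant of the counter that never reaches 11.

```python
from itertools import product

# Two-bit counter from the slide: a state is (l, r); I = ¬l ∧ ¬r.
STATES = [(l, r) for l, r in product([False, True], repeat=2)]

def counter_init(s):
    return not s[0] and not s[1]

def counter_trans(s, t):
    """R: l' = l ⊕ r, r' = ¬r."""
    (l, r), (l2, r2) = s, t
    return l2 == (l != r) and r2 == (not r)

def broken_trans(s, t):
    """Constructed variant (not from the slides): l' = l ∧ r, so state 11 is never reached."""
    (l, r), (l2, r2) = s, t
    return l2 == (l and r) and r2 == (not r)

def solve(formula, k):
    """Brute-force stand-in for the SAT solver: try every assignment to the 2(k+1) unrolled
    state bits of s0..sk and return the first model of W(k), or None if W(k) is unsatisfiable."""
    for path in product(STATES, repeat=k + 1):
        if formula(list(path)):
            return list(path)
    return None

def unrolled(init, trans, k):
    """I(s0) ∧ ⋀_{i<k} T(si, si+1): the model part shared by both W(k) encodings."""
    return lambda path: init(path[0]) and all(trans(path[i], path[i + 1]) for i in range(k))

def bmc_safety(init, trans, p, k):
    """Safety W(k): unrolled model ∧ ⋁_{i≤k} ¬p(si).  A model is a counterexample to G p."""
    model = unrolled(init, trans, k)
    return solve(lambda path: model(path) and any(not p(s) for s in path), k)

def bmc_liveness(init, trans, p, k):
    """Liveness W(k): unrolled model ∧ ⋀_{i≤k} ¬p(si) ∧ ⋁_{l≤k} T(sk, sl).
    A model is a lasso on which p never holds, i.e. a counterexample of length k to F p."""
    model = unrolled(init, trans, k)
    return solve(lambda path: model(path) and all(not p(s) for s in path)
                 and any(trans(path[k], path[l]) for l in range(k + 1)), k)

SAFE = lambda s: not (s[0] and s[1])   # p for G(¬l ∨ ¬r)
BOTH = lambda s: s[0] and s[1]         # p for F(l ∧ r)

if __name__ == "__main__":
    for k in range(4):
        print(f"safety   k={k}:", bmc_safety(counter_init, counter_trans, SAFE, k))
    for k in range(3):
        print(f"liveness k={k}:", bmc_liveness(counter_init, broken_trans, BOTH, k))
```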

BMC formula for arbitrary LTL (standard translation)

Size of resulting formula: O(k·|M| + k³·|φ|). With sharing of subformulas it becomes O(k·|M| + k²·|φ|).

A fixpoint based translation

T. Latvala, A. Biere, K. Heljanko, and T. Junttila, Simple Bounded LTL Model Checking, FMCAD 04

- Idea: for lasso-shaped Kripke structures, the semantics of LTL and CTL coincide.
- Add a formula that isolates a lasso-shaped path.
- Use the fixpoint characterization of CTL, e.g. E[φ U ψ] ≡ ψ ∨ (φ ∧ EX E[φ U ψ])

Overall formula

[Formula not captured in the transcript]

Loop constraints

- If l_i is true then there exists a loop at position i.
- At most one l_i is true.

Fixpoint formula

[Fixpoint formula table (indices i, j, bound k, entries False/True) not captured in the transcript]

Size of resulting formula: O(k(|M| + |φ|))

Generating the BMC formula(Based on the

Vardi-Wolper algorithm)

- A labeled Büchi automaton is a 5-tuple B = ⟨S, S0, δ, L, F⟩, where S is the set of states, S0 the initial states, δ the transition relation, L the labels, and F the final states.
- Acceptance condition: an infinite word w is accepted iff the execution of w on B passes through a final state an infinite number of times.

LTL model checking

- Given
- Transition system M
- LTL property φ
- Translate ¬φ into a Büchi automaton B¬φ
- Compute product automaton P = M × B¬φ
- Check if P is empty: is a fair loop reachable?

Generating the BMC formula

E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman, Computational Challenges in Bounded Model Checking, STTT 05

- Encode all paths of P that start at an initial state and are k steps long.
- Require that
- at least one path contains a loop.
- at least one state in the loop is final.

Generating the BMC formula

[Formula not captured in the transcript; its parts are annotated as follows]

- Start from the initial state
- Require that some state in the loop is final
- Choose a state where the loop starts
- Follow k transitions

Bounded Model Checking

[Flowchart: start at k = 0, run SAT on the BMC formula for k; while the result is UnSAT, increment k, until k reaches CT]

CT is the completeness threshold

The Completeness Threshold

- Computing CT is as hard as model checking.
- Idea: compute an over-approximation to the actual CT
- Consider system P as a graph.
- Compute CT from the structure of P.

Basic notions

- Diameter D(M): longest shortest path between any two reachable states.
- Recurrence diameter RD(M): longest loop-free path between any two reachable states.
- The initialized versions D_I(M) and RD_I(M) start from an initial state.

[Figure: example graph with D(M) = 2 and RD(M) = 3]

CT for safety properties

- Theorem: for AGp properties, CT = D_I(M)

For AFp properties this does not hold:

[Figure: example graph with D_I(M) = 3 but CT = 4]

CT for liveness properties

- Theorem: for AFp properties, CT = RD_I(M) + 1
- Theorem: for an LTL property φ, CT = ?

CT for arbitrary LTL properties

Shortest counterexample

- Theorem [CKOS 05]: a completeness threshold for any LTL property φ is min(rd_I(P) + 1, d_I(P) + d(P))

Why take the minimum?

Example 1: d_I(P) + d(P) = 6 > rd_I(P) + 1 = 4

Example 2: d_I(P) + d(P) = 2 < rd_I(P) + 1 = 4
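To see why the minimum is taken, here is an added example (not from the talk) that computes d(P), d_I(P) and rd_I(P) on two constructed explicit graphs and applies the CKOS 05 bound: a chain with a terminal self-loop, where d_I + d = 6 exceeds rd_I + 1 = 4, and a 4-state clique, where d_I + d = 2 is below rd_I + 1 = 4. The graphs are my own, not the slides' figures.

```python
from collections import deque

def reachable(init, succ):
    """States reachable from the initial states (the only ones the diameters range over)."""
    seen, todo = set(init), list(init)
    while todo:
        s = todo.pop()
        for t in succ[s]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def bfs_dist(sources, succ):
    """Shortest-path length from the nearest source to every state it can reach."""
    dist = {s: 0 for s in sources}
    q = deque(sources)
    while q:
        s = q.popleft()
        for t in succ[s]:
            if t not in dist:
                dist[t] = dist[s] + 1
                q.append(t)
    return dist

def d(init, succ):
    """Diameter d(P): longest shortest path between any two reachable states."""
    return max(x for s in reachable(init, succ) for x in bfs_dist([s], succ).values())

def d_i(init, succ):
    """Initialized diameter d_I(P): longest shortest path from an initial state."""
    return max(bfs_dist(init, succ).values())

def longest_loop_free(s, succ, visited=frozenset()):
    """Longest simple (loop-free) path starting at s; exponential, fine for toy graphs."""
    visited = visited | {s}
    return max((1 + longest_loop_free(t, succ, visited) for t in succ[s] if t not in visited), default=0)

def rd_i(init, succ):
    """Initialized recurrence diameter rd_I(P): longest loop-free path from an initial state."""
    return max(longest_loop_free(s, succ) for s in init)

def completeness_threshold(init, succ):
    """CKOS 05 bound for an arbitrary LTL property: min(rd_I(P) + 1, d_I(P) + d(P))."""
    return min(rd_i(init, succ) + 1, d_i(init, succ) + d(init, succ))

# Constructed graphs (the slides' figures are not reproduced): successor lists, initial state 0.
CHAIN = {0: [1], 1: [2], 2: [3], 3: [3]}                         # a path ending in a self-loop
CLIQUE = {s: [t for t in range(4) if t != s] for s in range(4)}  # every state reaches every other in one step

if __name__ == "__main__":
    for name, g in (("chain", CHAIN), ("clique", CLIQUE)):
        print(name, "d_I+d =", d_i([0], g) + d([0], g), "rd_I+1 =", rd_i([0], g) + 1,
              "CT =", completeness_threshold([0], g))
```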

Formulation of diameter in QBF

Infeasible to compute the diameter using a poly-time algorithm for shortest paths.

SAT-based Diameter Computation

- M. Mneimneh, K. Sakallah, SAT-based Sequential Depth Computation, ASPDAC 03
- Check if there is a state s reachable in c steps but not reachable in less than c steps.
- Increment c, until no state is reachable in c steps.
- May enumerate many states in step 1.

Recurrence diameter as SAT

[Slide formulas not captured in the transcript: encodings of the loop-free constraint of size O(n²), O(n log n) and O(n)]

Complexity of BMC Formula size

- Original translation: O(k·|M| + k²·|φ|)
- Automata based translation: O(k·|M|·2^|φ|)
- Fixpoint based translation: O(k(|M| + |φ|))

Complexity of BMC

- Size of SAT instance is O(k(|M| + |φ|))
- k can become as large as the diameter of the system, which is exponential in the number of state variables in the worst case.
- SAT is exponential time.
- Therefore, SAT based BMC has doubly exponential complexity.
- But LTL model checking is singly exponential!

Why use SAT based BMC?

- Infeasible to represent P explicitly.
- Identify shallow errors efficiently.
- In many cases rd(P) and d(P) are not exponential and can be rather small.
- E.g. hardware components without counters
- Modern SAT solvers are very successful in practice.

Unbounded Model Checking using Cube Enlargement

- P. Chauhan, E. Clarke, and D. Kroening, Using SAT based Image Computation for Reachability Analysis, CMU-CS-03-151

Reachability analysis

- Consider a system with state variables x and inputs i.
- S0(x) is the set of initial states.
- T(x, i, x') is the transition relation.
- We want to compute the set of reachable states Sreach.
- Iterative process: compute the states reachable in 1 step, 2 steps, ...

Image computation and Reachability

- The set of immediate successors of states S(x) is given by Img(S)(x') = ∃x, i. T(x, i, x') ∧ S(x)
- The set of all reachable states is the least fixpoint [formula not captured in the transcript]

Computing Reachability

- Si+1 is the set of new states directly reachable from Si
- Then Sreach is the union of all Si

SAT based image computation

- The transition relation T(x, i, x') is represented as a CNF formula (a set of clauses).
- If not already in CNF, it can be converted in polynomial time.
- The set of newly reachable states after each step Si, as well as their union Sreach, are represented in DNF (a set of cubes).
- Obviously ¬Sreach is in CNF.

SAT based image computation

The image computation step

- Si is in DNF
- Convert to CNF by introducing new variables
- Solve the CNF formula Si(x) ∧ T(x, i, x') ∧ ¬Sreach(x')
- Solution is a cube d
- Project d to x' and rename to x
- Add d to Sreach(x) and Si+1(x)
- Repeat until the formula becomes unsat

Efficiency issues

- The number of satisfying assignments can be exponential in the number of variables. Therefore two problems:
- Enumeration of full assignments is slow.
- Solution: cube enlargement
- The representation of Sreach and Si can grow too large.
- Solution: systematically combine cubes using an appropriate data structure.

Cube enlargement

- SAT solvers like zChaff return complete assignments (minterms).
- Partial assignments (cubes) are better, because they represent multiple minterms.

For example, the cube x1 ∧ x4 represents 4 minterms: x1 ∧ x2 ∧ x3 ∧ x4, x1 ∧ ¬x2 ∧ x3 ∧ x4, x1 ∧ x2 ∧ ¬x3 ∧ x4, x1 ∧ ¬x2 ∧ ¬x3 ∧ x4

Efficient cube set representation

- Cubes are stored in a hash table of tries.
- Each trie is associated to a unique subset of state variables.
- Whenever a new cube d is inserted, the corresponding trie is searched for cubes d' that differ only in one literal.
- The merged cube (without the differing literal) is stored instead of d and d'.

Efficient cube set representation

[Figure: hash table whose keys are variable subsets ({x1, x2}, {x1, x7, x8}, {x2, x4}, {x2, x3, x4}), each pointing to a trie of cubes over those variables; the trie for {x2, x3, x4} contains x2 ∧ x3 ∧ ¬x4]

- New cube x2 ∧ ¬x3 ∧ ¬x4
- Identify appropriate hash table entry
- Look for matching cubes
- If match was found, delete cube and insert merged cube: x2 ∧ ¬x4
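An added example (not the paper's code) of the cube set structure described on the two slides above: cubes are bucketed by their variable set, a new cube is merged with a stored cube that differs in exactly one literal, and `covered` checks that merging never changes the set of minterms represented. The buckets are Python sets rather than tries, which changes lookup cost but not the result; the cubes are the slide's own x2/x3/x4 example.

```python
from itertools import product

def minterms(cube, variables):
    """Expand a cube (partial assignment {var: bool}) into the complete assignments it stands for."""
    free = [v for v in variables if v not in cube]
    return [dict(cube, **dict(zip(free, vals)))
            for vals in product([False, True], repeat=len(free))]

class CubeSet:
    """Cubes keyed by their variable set; each bucket plays the role of one trie in the slides."""

    def __init__(self):
        self.table = {}  # frozenset(vars) -> set of cubes, each a frozenset of (var, value) literals

    def _mergeable(self, key, lits):
        """A stored cube over the same variables that differs from `lits` in exactly one literal."""
        for other in self.table.get(key, ()):
            diff = lits ^ other
            if len(diff) == 2 and len({v for v, _ in diff}) == 1:
                return other
        return None

    def insert(self, cube):
        """Insert a cube given as {var: bool}; returns the cube actually stored (possibly merged)."""
        lits = frozenset(cube.items())
        key = frozenset(cube)
        other = self._mergeable(key, lits)
        if other is None:
            self.table.setdefault(key, set()).add(lits)
            return dict(lits)
        self.table[key].discard(other)          # replace d and d' by the merged cube ...
        if not self.table[key]:
            del self.table[key]
        return self.insert(dict(lits & other))  # ... which may itself merge further

    def cubes(self):
        return [dict(c) for bucket in self.table.values() for c in bucket]

    def covered(self, variables):
        """Set of minterms represented: merging must leave this unchanged."""
        return {tuple(sorted(m.items())) for c in self.cubes() for m in minterms(c, variables)}

if __name__ == "__main__":
    cs = CubeSet()
    cs.insert({"x2": True, "x3": True, "x4": False})
    cs.insert({"x2": False, "x3": True, "x4": True})
    print("stored:", cs.insert({"x2": True, "x3": False, "x4": False}))  # merged to x2 ∧ ¬x4
    print("all cubes:", cs.cubes())
```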

Related work

- Gupta et al, FMCAD 00 and ICCAD 01: mixed BDD / SAT approach
- K. McMillan, CAV 02: sets of states represented in CNF; CNF clauses stored in ZDDs; conflict analysis for cube enlargement
- H. Kang and I. Park, DAC 03: offline Espresso to reduce the number of cubes; no cube enlargement

Unbounded Model Checking using Circuit Cofactoring

- M. Ganai, A. Gupta and P. Ashar, Efficient SAT-based Unbounded Symbolic Model Checking Using Circuit Cofactoring, ICCAD 04

SAT-based Image Computation

- The SAT-based procedure enumerates all state cube solutions.
- Each invocation of the SAT solver generates one new state cube.
- A blocking clause representing the negation of the state cube is added at each step.
- The main problem is that the required number of steps can be very large.

Main Contribution

- Use circuit cofactoring to capture a large set of states at each enumeration step.
- Fewer enumeration steps
- Use circuit graph simplification to compact the captured states.
- Use a hybrid SAT solver that works on both OR/INVERTER circuits and CNF.

Definitions

- State variables X.
- Input variables U.
- Partial assignment α: X ∪ U → {0, 1}.
- State cube s is the projection of α on X.
- Input cube u is the projection of α on U.
- Minterm m is a complete assignment to U extending u.

Example

- X = {x1, x2}
- U = {u1, u2}
- α = x1 ∧ u2
- s = x1
- u = u2
- m = u1 ∧ u2

Cofactors of Boolean functions

- Cofactors of f(v1, …, v, …) with respect to variable v are f_v = f(v1, …, 1, …) and f_¬v = f(v1, …, 0, …)
- Cofactor of f with respect to cube c is f_c
- Obtained by cofactoring f with respect to each literal in c.
- Example [not captured in the transcript]

Producing larger sets of states

- Given a formula f and a satisfying assignment cube s:
- 1. Isolate the input part of s and complete it by picking values for unassigned inputs.
- 2. Cofactor f with respect to the satisfying input minterm m.
- 3. Use the function f_m obtained in 2 to represent the set of satisfying states.

Example

- u1 and u2 are primary inputs.
- x1 and x2 are state variables.
- We want to compute ∃u1 u2. f

Example cont

- The SAT solver returns ⟨u1 = 1, x2 = 0⟩ as the first assignment.
- Step 1: complete the input part of the assignment by choosing u2 = 1.
- Step 2: cofactor f with respect to the satisfying input minterm m = u1 ∧ u2. We get [formula not captured in the transcript]

Example cont

- f_m represents more states than the satisfying state cube (x2 = 0)
- We needed just one enumeration step to capture the entire solution set

SAT-based existential quantification

The returned value of C should correspond to ∃B f(A,B)

Claim: C ≡ ∃B f(A,B)

- C is a union of cofactors of f with respect to B, therefore C ⇒ ∃B f(A,B)
- When the algorithm terminates, f(A,B) ∧ ¬C is unsat, therefore ∀B (¬f(A,B) ∨ C) is valid
- C contains no variables in B, so (∀B ¬f(A,B)) ∨ C
- Hence ∃B f(A,B) ⇒ C
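The termination argument above, as an added example that is not the authors' code: a brute-force SAT stand-in, the cofactor-union loop (C grows by one cofactor f_m per solver call until f ∧ ¬C is unsat), the blocking-clause baseline from the "SAT-based Image Computation" slide for comparison, and a check of the resulting C against ∃B f computed directly. `f_example` is constructed for this example; the slides' circuit is not reproduced, and because the stand-in solver returns complete assignments, the completion step of the slides is already done.

```python
from itertools import product

def assignments(variables):
    """All complete assignments to `variables`, as dicts."""
    for vals in product([False, True], repeat=len(variables)):
        yield dict(zip(variables, vals))

def sat(formula, variables):
    """Brute-force stand-in for the SAT solver: first complete satisfying assignment, or None."""
    return next((a for a in assignments(variables) if formula(a)), None)

def cofactor(f, m):
    """f_m: f with every variable in the minterm m fixed to m's value."""
    return lambda a: f({**a, **m})

def exists_by_cofactoring(f, A, B):
    """C ≡ ∃B f(A,B), built as the union of cofactors f_m over the input minterms m of
    successive solutions of f ∧ ¬C.  Returns (C, number of SAT calls)."""
    cofactors = []
    C = lambda a: any(g(a) for g in cofactors)
    calls = 0
    while True:
        calls += 1
        sol = sat(lambda a: f(a) and not C(a), A + B)
        if sol is None:              # f ∧ ¬C unsat: ∃B f ⇒ C, and C ⇒ ∃B f by construction
            return C, calls
        m = {v: sol[v] for v in B}   # input part of the solution (already a complete minterm here)
        cofactors.append(cofactor(f, m))

def exists_by_blocking(f, A, B):
    """Baseline from the slides: block one state cube per SAT call (here the full A-part of the solution)."""
    blocked = []
    C = lambda a: any(all(a[v] == c[v] for v in A) for c in blocked)
    calls = 0
    while True:
        calls += 1
        sol = sat(lambda a: f(a) and not C(a), A + B)
        if sol is None:
            return C, calls
        blocked.append({v: sol[v] for v in A})

def exists_brute(f, A, B):
    """Reference: ∃B f by trying every assignment to B."""
    return lambda a: any(f({**a, **m}) for m in assignments(B))

A, B = ["x1", "x2"], ["u1", "u2"]

def f_example(a):
    """Constructed f (not the slides' circuit): (u1 ∧ ¬x2) ∨ (u2 ∧ x1) ∨ (u1 ∧ u2)."""
    return (a["u1"] and not a["x2"]) or (a["u2"] and a["x1"]) or (a["u1"] and a["u2"])

def same_on_states(C1, C2, A):
    return all(C1(s) == C2(s) for s in assignments(A))

if __name__ == "__main__":
    C, n = exists_by_cofactoring(f_example, A, B)
    print("cofactoring: %d SAT calls, matches brute force: %s"
          % (n, same_on_states(C, exists_brute(f_example, A, B), A)))
    print("blocking:    %d SAT calls" % exists_by_blocking(f_example, A, B)[1])
```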

Hybrid SAT-solver

- Represents original circuit with 2-input OR/INVERTER gates
- Represents learned constraints with CNF
- Finds partial satisfying assignments
- Dynamically removes inactive clauses

Other applications of SAT in formal verification

- D. Kroening, F. Lerda, and E. Clarke, TACAS 04: Bounded Model Checking for Software
- G. Audemard, A. Cimatti, A. Kornilowicz, and R. Sebastiani, FORTE 02: Bounded Model Checking for Timed Systems
- H. Jain, D. Kroening, N. Sharygina, E. Clarke, DAC 05: Word level predicate abstraction and refinement for verifying RTL Verilog

For more information

- A Survey of Recent Advances in SAT-based Formal Verification, by Mukul R. Prasad, Armin Biere and Aarti Gupta, STTT.
