![Page 1: Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology](https://reader036.vdocuments.us/reader036/viewer/2022062618/5514c6e3550346b0478b4a4e/html5/thumbnails/1.jpg)
Hybrid BDD and All-SAT Method for Model Checking
Orna Grumberg
Joint work with Assaf Schuster and Avi Yadgar
Technion – Israel Institute of Technology
Contribution of this Work
- Hybrid All-SAT and BDD model checking: exploit the strength of each method; avoid the drawbacks of both methods.
- Dual representation for All-SAT solving: exploit efficient SAT procedures (bcp(), conflict-driven learning); extract information from the structure of the model.
- Simplify and speed up the All-SAT solving process; minimize the representation of the solutions.
Model Checking – Pre-image Computation
Pre-image(S) – the set of predecessors of states in S.
$x$ – state variables, $i$ – input variables, $Tr(x, i, x')$ – transition relation, $S'(x')$ – set of states.
$$\mathrm{pre\_image}(S'(x')) = \{\, x \mid \exists x', i .\; Tr(x, i, x') \wedge S'(x') \,\}$$
Model Checking
Checking of a safety property AG p. Input for the algorithm is S0, Tr and P (the states satisfying p).
Start with the error states (¬P). Iteratively look for states in S0.
    S* = ∅
    new = ¬P
    while (new ≠ ∅) {
        if (new ∩ S0 ≠ ∅) return FALSE
        S* = S* ∪ new
        new = Pre_Image(new) \ S*
    }
    return TRUE
Model Checking
Requires operations on sets: union, intersection, and quantification.
Common representation of sets: BDDs.
- Union and intersection: polynomial in the size of the BDDs.
- Quantification: exponential in the size of the BDD.
- Explosion of intermediate results during pre-image computation.
All-SAT Pre-image Computation
$$\mathrm{pre\_image}(new) \setminus S^* = \mathrm{All\text{-}SAT}_x\big(\, Tr(x, i, x') \wedge new(x') \wedge \neg S^*(x) \,\big)$$
Each solution describes: a current state not in S*, a valid transition, and a next state in new.
We need all the solutions which differ in the assignment to x: they represent different current states.
Model Checking – Hybrid Method
    S* = ∅
    new = ¬P
    while (new ≠ ∅) {
        if (new ∩ S0 ≠ ∅) return FALSE
        S* = S* ∪ new
        new = Pre_Image(new) \ S*
    }
    return TRUE
Use BDD operations for all but the pre-image computation.
All-SAT – Blocking Clauses
Find all the satisfying assignments (solutions) of a formula.
Extend the SAT algorithm: create a clause to block each solution found; resume the search with the new clause added.
Common in All-SAT tools. Direct and simple, natural for the solver.
Disadvantage: rapid space growth of the solver (one added clause per solution found).
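As an added illustration of slides 3 to 8 (example code, not from the paper or its tool), the following Python toy implements the pre-image as All-SAT with blocking clauses over a CNF transition relation and runs the backward-reachability loop of slide 4. Sets of states are explicit sets of cubes instead of BDDs; the two-bit transition relation, the integer variable numbering and the properties checked are constructed for the example.

```python
"""Toy hybrid model checker: All-SAT pre-image with blocking clauses.

Sets of states are explicit sets of cubes here (the deck uses BDDs);
the transition relation is CNF over DIMACS-style integer literals.
"""
from itertools import product


def bcp(clauses, assignment):
    """Unit propagation. Returns the extended assignment, or None on conflict."""
    assignment = dict(assignment)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    unassigned.append(lit)
                elif (lit > 0) == val:
                    satisfied = True
                    break
            if satisfied:
                continue
            if not unassigned:
                return None                      # clause falsified: conflict
            if len(unassigned) == 1:             # unit clause: forced literal
                assignment[abs(unassigned[0])] = unassigned[0] > 0
                changed = True
    return assignment


def dpll(clauses, variables, assignment=None):
    """Return one total satisfying assignment {var: bool}, or None."""
    assignment = bcp(clauses, assignment or {})
    if assignment is None:
        return None
    free = [v for v in variables if v not in assignment]
    if not free:
        return assignment
    for val in (True, False):
        model = dpll(clauses, variables, {**assignment, free[0]: val})
        if model is not None:
            return model
    return None


def block(cube, variables):
    """Clause falsified exactly by the assignment `cube` to `variables`."""
    return [-v if val else v for v, val in zip(variables, cube)]


def all_sat(clauses, variables, project):
    """Enumerate solutions that differ on `project` (slide 8): after each
    solution, add a blocking clause over the projected variables only."""
    clauses = list(clauses)
    cubes = []
    while (model := dpll(clauses, variables)) is not None:
        cube = tuple(model[v] for v in project)
        cubes.append(cube)
        clauses.append(block(cube, project))
    return cubes


def member_cnf(states, variables):
    """CNF for 'variables take a value in states' (exclude every other cube)."""
    return [block(c, variables)
            for c in product((False, True), repeat=len(variables))
            if c not in states]


def pre_image(tr, new, s_star, x, i, x_next):
    """pre_image(new) \\ S* = All-SAT_x(Tr ^ new(x') ^ not S*(x))  (slide 6)."""
    clauses = tr + member_cnf(new, x_next) + [block(c, x) for c in s_star]
    return set(all_sat(clauses, x + i + x_next, x))


def check_safety(tr, x, i, x_next, s0, bad):
    """Backward reachability from the error states (slides 4 and 7).
    True means AG p holds: no error state is reachable from S0."""
    s_star, new = set(), set(bad)
    while new:
        if new & s0:
            return False
        s_star |= new
        new = pre_image(tr, new, s_star, x, i, x_next)
    return True


# Constructed toy model (not from the paper): state bits x1, x2; input i1.
# x1' <-> (x2 v i1)  and  x2' <-> (x1 ^ not i1), as Tseitin-style clauses.
X1, X2, I1, X1N, X2N = 1, 2, 3, 4, 5
TR = [[-X1N, X2, I1], [X1N, -X2], [X1N, -I1],
      [X2N, -X1, I1], [-X2N, X1], [-X2N, -I1]]
S0 = {(False, False)}


def demo():
    """(True, False): x1=x2=1 is unreachable; x1=0, x2=1 is reachable."""
    args = (TR, [X1, X2], [I1], [X1N, X2N], S0)
    return (check_safety(*args, {(True, True)}),
            check_safety(*args, {(False, True)}))
```

The blocking clause mentions only the current-state variables, so solutions that differ only in the inputs or the next state are never re-enumerated; that is the existential quantification of slide 6 carried out by the solver. `member_cnf` enumerates the complement of a state set and is fine for two state bits; that is the place where the hybrid method hands the set to a BDD instead.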
All-SAT – Blocking BDDs [Gupta et al]
A partial assignment A agrees with a BDD B if there is a path from the root of B to the node '1' whose node values correspond to A.
[Figure: a BDD with root x1, internal nodes x3 and x5, and terminals 0 and 1.]
A1: x1=1, x8=0.
A2: x1=0, x5=1.
A3: x3=0, x5=0.
All-SAT – Blocking BDDs
Restrict the search space of a SAT solver by a BDD B: check whether the current partial assignment agrees with B each time variables from B are assigned; backtrack if the assignment does not agree.
Use for All-SAT: add each solution to a BDD S. Force agreement with S.
Our Hybrid Pre-image Computation
Look for all the assignments to x which can be extended to a solution for:
$$Tr(x, i, x') \wedge new(x') \wedge \neg S^*(x)$$
new and S* are given as BDDs. Restrict the search by the BDD of ¬S*. new will be discussed later.
Tr is in CNF. Return a BDD of the solutions; its negation is used for blocking known solutions.
All-SAT Decision Heuristic
Add a graph representation of the transition relation to the All-SAT solver.
Use information from the graph for making decisions in the All-SAT solver:
- Find sets of solutions instead of single ones.
- Compute a dynamic transition relation.
- Detect independent sub-problems.
- Reduce sub-problems to SAT.
Transition Relation Graph (TRG)
[Figure: a TRG whose roots are the next-state variables x'1 and x'2. x'1 is computed by gate v1 from x1, i3 and the intermediate v3; x'2 is computed by gate v2 from i1, i2 and x2.]
- x': next-state variables
- x: current-state variables
- i: input variables
- v: intermediate variables
Partitioned transition relation: one formula per next-state variable (x'1 over x1, x2, i3; x'2 over x2, i1, i2). The Boolean operators of these formulas did not survive extraction; the sub-formula $v_3 = x_2 \wedge i_3$ is given on the next slide.
Transition Relation Graph
The intermediate variables exist in the CNF representation of Tr.
The operator of a variable is represented by a set of clauses, e.g. for $v_3 = x_2 \wedge i_3$:
$$(v_3 \vee \neg x_2 \vee \neg i_3) \wedge (\neg v_3 \vee x_2) \wedge (\neg v_3 \vee i_3)$$
TRG – Justification
An assignment to a node can be justified by its successors.
[Figure: the TRG of slide 13 with v1=0 justified by the successor v3=0.]
All-SAT TRG-Based Decision
Decision i+1 justifies decision i. If it is not needed, justify a new root. If all roots are justified, a solution was found.
[Figure: roots x'1=1 and x'2=1; x'2=1 is justified by v2=1, which is justified by i2=1 and x2=1.]
Backtrack to change the value of at least one current-state variable: x2=0, i1=1.
All-SAT TRG-Based Decision
A solution is a justification of an assignment to the roots. It represents a set of current states.
- Fewer instantiations of assignments.
- Each assignment is instantiated more quickly.
- Smaller representation of the solutions.
All-SAT TRG-Based Decision
Values of the roots – all the assignments in $new(x')$, i.e. the x' part of a solution of
$$Tr(x, i, x') \wedge new(x') \wedge \neg S^*(x)$$
[Figure: the BDD of new over x'1..x'4 (one path: x'4=0, x'3=0, x'2=0, x'1=1 or x'1=0, to the terminals 1 and 0) next to the TRG with these root values, labelled TRG_new.]
All-SAT TRG-Based Decision
DFS over the BDD of new: handle sets of assignments from new at once; avoid repetition of justifications.
All-SAT TRG-Based Decision
Computes sets of current states (justifications) for each subset of new:
- unlike All-SAT, which handles a single assignment at a time;
- unlike BDDs, which compute the set of all current states for new at once.
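The justification-based decision of slides 15 to 20, as an added example that is not the deck's code. The circuit (two roots over two-input AND/OR gates) and its variable names are constructed for the example and only loosely follow the figure of slide 13; bcp and conflict learning are left out so that the justification step stands on its own.

```python
"""Justification-based All-SAT decisions over a transition relation graph.

Gates are AND/OR over state variables (x..), inputs (i..) and intermediate
variables (v..). A justification of the roots is a partial assignment to the
leaves, i.e. a cube that stands for a set of current states at once.
"""


def justify(circuit, node, value, partial):
    """Yield extensions of `partial` (leaf var -> bool) that force node=value.
    Extensions that contradict `partial` are dropped (a conflict)."""
    if node not in circuit:                        # a leaf: x or i variable
        if partial.get(node, value) == value:
            yield {**partial, node: value}
        return
    op, inputs = circuit[node]
    if (op == "and") == value:                     # AND=1 / OR=0: every input
        cubes = [partial]
        for inp in inputs:
            cubes = [ext for c in cubes for ext in justify(circuit, inp, value, c)]
        yield from cubes
    else:                                          # AND=0 / OR=1: one input suffices
        for inp in inputs:
            yield from justify(circuit, inp, value, partial)


def justify_roots(circuit, root_values):
    """All justifications of an assignment to the roots, as a set of cubes.
    Roots are justified one after the other, each extending the cube so far."""
    cubes = [{}]
    for root, value in root_values.items():
        cubes = [ext for c in cubes for ext in justify(circuit, root, value, c)]
    return {frozenset(c.items()) for c in cubes}


def state_cubes(cubes, state_vars):
    """Project justification cubes onto the current-state variables (the
    inputs are existentially quantified away by simply dropping them)."""
    return {frozenset((v, b) for v, b in cube if v in state_vars) for cube in cubes}


def states_covered(cube, state_vars):
    """A cube fixing k of n state bits stands for 2^(n-k) current states."""
    return 2 ** (len(state_vars) - len(cube))


# Constructed TRG (assumed for the example, not the deck's exact figure):
# x1' = x1 ^ v3, v3 = x2 ^ i3, x2' = v2 v i1, v2 = x2 ^ i2.
CIRCUIT = {
    "x1'": ("and", ["x1", "v3"]), "v3": ("and", ["x2", "i3"]),
    "x2'": ("or", ["v2", "i1"]),  "v2": ("and", ["x2", "i2"]),
}
STATE_VARS = {"x1", "x2"}


def demo():
    """x2'=1 alone is justified by i1=1 (any current state) or by x2=i2=1:
    two cubes instead of the six (x, i) assignments a plain All-SAT would enumerate."""
    cubes = justify_roots(CIRCUIT, {"x2'": True})
    return sorted(sorted(c) for c in state_cubes(cubes, STATE_VARS))
```

The empty state cube returned for the justification i1=1 is the point of the technique: one solution covers all four current states, where a solver that instantiates every assignment would report each of them separately.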
All-SAT optimizations
Independent roots: determined statically or dynamically. Sub-problems can be solved independently.
[Figure: a TRG with independent roots x'1 and x'2; the decision i1=1 justifies x'2=1 without touching the sub-problem of x'1.]
All-SAT optimizations
Non-important roots: determined statically or dynamically. Reduce sub-problems to SAT.
[Figure: a TRG in which the root x'2 (x'2=1) is non-important; its sub-problem is solved as a single SAT query instead of being enumerated.]
Hybrid Model Checking – Final Notes
Dynamic transition relation: only the variables of each path in the BDD of new are justified.
Incremental learning of the All-SAT solver: learning is independent of the current iteration, since every iteration solves
$$Tr(x, i, x') \wedge new(x') \wedge \neg S^*(x)$$
Experimental Results
Experiments were done on ISCAS89 and ISCAS99 benchmarks with 50 to 6000 state variables, compared to a BDD model checker.
Results are not consistent over all models, but for each model one method consistently performed better than the other.
For most models the memory requirements of the hybrid method are lower.
Experimental Results
On "good" examples, less time is spent on quantification and more on Boolean operations: quantification is faster.
Independent roots and non-important roots enhance performance.
Speedup
[Figure: bar chart of normalized solving time (0 to 3) of the BDD model checker versus the hybrid model checker, one pair of bars per benchmark, for 37, 37, 57, 74, 74, 121, 228, 245, 449, 490, 490, 597, 735, 1452 and 6642 state variables.]
Conclusion
- Hybrid All-SAT and BDD model checking: exploit the strength of each method; avoid the drawbacks of both methods.
- Dual representation All-SAT solving: exploit efficient SAT procedures (bcp(), conflict-driven learning); extract information from the structure of the model.
- Simplify and speed up the All-SAT solving process; minimize the representation of the solutions.
Extensions
Parallel All-SAT model checking
Adaptation of All-SAT solver for general All-SAT problems.
Optimizations of the current All-SAT scheme for model checking
Parallel All-SAT Model Checking
Distribute the pre-image computation. Split the space of solutions into windows.
A window is represented by a partial assignment to the current-state variables.
A solution is an extension of the partial assignment of the window.
Split the space into as many subspaces as needed for maintaining CPU load balance.
Parallel All-SAT Model Checking
Each node only instantiates solutions in its window.
Split S* according to the window, reducing the space requirement of a node.
Prefer memory load balance over CPU load balance.
Each node solves, within its window,
$$Tr(x, i, x') \wedge new(x') \wedge \neg S^*(x)$$
Parallel All-SAT Model Checking
Init; find solutions in the window; merge new for the next iteration.
    process j:
        new_{j,0} = ¬P
        i = 0
        do {
            (w_j, S*_{j,i}) = get_division_from_master()
            new_{j,i} = SAT_pre_image(new_{j,i}, S*_{j,i}, w_j)
            broadcast(new_{j,i})
            new_{j,i+1} = new_{j,i} ∪ ⋃_{k≠j} receive(new_{k,i})     // from all k ≠ j
            inc(i)
        } while ((new_{j,i} ≠ ∅) ∧ (new_{j,i} ∩ S0 = ∅))
Parallel All-SAT Model Checking
Use conflict clauses incrementally.
Share conflict clauses among nodes.
Adapt to grid computation.
TRG for General All-SAT
Extract a 'circuit-like' structure from general CNF formulae.
Gain more information about the formulae. Incorporate additional information into the TRG, according to the type of problem being solved.
TRG for General All-SAT
Extract a 'circuit-like' structure from general CNF formulae, e.g.
$$\varphi = (a \vee b \vee c \vee d) \wedge (b \vee c \vee e) \wedge (a \vee d)$$
$$v_1 = a \vee d, \quad v_2 = b \vee c, \quad v_3 = v_1 \vee v_2, \quad v_4 = v_2 \vee e$$
$$\varphi' = v_3 \wedge v_4 \wedge v_1$$
[Figure: the resulting graph with roots v3, v4 and v1 over the intermediate nodes v1..v4 and the leaves a, d, c, b, e.]
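An added check of the gate clauses of slide 14 and of the circuit extracted on slide 34 (example code, not from the paper): it builds the Tseitin-style clauses for AND/OR gates, assembles φ' for the CNF φ of slide 34 and verifies by exhaustive enumeration that the solutions of φ', projected onto a..e, are exactly the solutions of φ, each with a unique extension to v1..v4. The literal polarities of φ, which the extraction does not show, are assumed positive.

```python
"""Tseitin-style gate clauses and the circuit extracted from a general CNF,
checked by exhaustive enumeration over the (tiny) variable set."""
from itertools import product


def gate_clauses(out, op, inputs):
    """Clauses for out <-> op(inputs), op in {'and', 'or'}; a literal is a
    (name, polarity) pair. A 2-input gate gives three clauses, as on slide 14."""
    if op == "and":   # v <-> a ^ b : (v | -a | -b) (-v | a) (-v | b)
        return [[(out, True)] + [(a, False) for a in inputs]] + \
               [[(out, False), (a, True)] for a in inputs]
    # v <-> a v b : (-v | a | b) (v | -a) (v | -b)
    return [[(out, False)] + [(a, True) for a in inputs]] + \
           [[(out, True), (a, False)] for a in inputs]


def holds(cnf, assignment):
    """True iff every clause has a literal whose polarity matches the assignment."""
    return all(any(assignment[v] == pol for v, pol in cl) for cl in cnf)


def models(cnf, variables):
    """All satisfying total assignments over `variables` (brute force)."""
    found = []
    for bits in product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if holds(cnf, assignment):
            found.append(assignment)
    return found


# phi = (a | b | c | d) ^ (b | c | e) ^ (a | d), from slide 34
# (polarities assumed positive; the extraction shows none).
PHI = [[("a", True), ("b", True), ("c", True), ("d", True)],
       [("b", True), ("c", True), ("e", True)],
       [("a", True), ("d", True)]]
GATES = [("v1", "or", ["a", "d"]), ("v2", "or", ["b", "c"]),
         ("v3", "or", ["v1", "v2"]), ("v4", "or", ["v2", "e"])]
# phi' = v3 ^ v4 ^ v1, together with the gate definitions
PHI_PRIME = [cl for g in GATES for cl in gate_clauses(*g)] + \
            [[("v3", True)], [("v4", True)], [("v1", True)]]
ORIGINAL_VARS = ["a", "b", "c", "d", "e"]
INTERMEDIATES = ["v1", "v2", "v3", "v4"]


def same_solutions(cnf, cnf_prime, variables, intermediates):
    """True iff the solutions of cnf_prime projected onto `variables` are
    exactly the solutions of cnf, and each one extends in exactly one way
    (the intermediate variables are functions of the original ones)."""
    original = {tuple(m[v] for v in variables) for m in models(cnf, variables)}
    projected = [tuple(m[v] for v in variables)
                 for m in models(cnf_prime, variables + intermediates)]
    return set(projected) == original and len(projected) == len(set(projected))
```

Because every intermediate variable is functionally determined, an All-SAT run over φ' that projects its solutions onto a..e enumerates exactly the solutions of φ, while the solver now has the gate structure available for justification-based decisions.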
Optimizations – Early Quantification in BDD
$$\mathrm{pre\_image}(S'(x')) = \{\, x \mid \exists x', i .\; Tr(x, i, x') \wedge S'(x') \,\}$$
For a partitioned transition relation with $N_i = (x'_i \leftrightarrow f_i)$ and an order $f_1 \ldots f_n$, define
$$\mathrm{pre\_image}(S'(x')) = \{\, x \mid \exists i .\; \exists x'_1 [\, N_1 \wedge \exists x'_2 [\, N_2 \wedge \ldots \exists x'_n [\, N_n \wedge S'(x') \,] \ldots ] \,] \,\}$$
Order the functions such that $f_{i+1}$ shares the most current-state variables with $f_1 \ldots f_i$. Group related variables.
Optimizations – Early Quantification in the Hybrid Method
Assign and justify the roots of the TRG (the next-state variables) in the order determined by early quantification.
Order the variables in the BDD of new accordingly.
Optimizations – Success Learning
[Figure: two justifications of x'1=0, one through v3=0 and v1=0, the other through v3=0 and v2=0, meeting at the same cut of the TRG.]
Store the set of solutions for a cut.
The End