Page 1: SAT-based Bounded Model Checking
Page 2: Formulation of famous problems as SAT: Bounded Model Checking
Given a property p (e.g. "always signal_a = signal_b"):
Is there a state reachable within k cycles which satisfies p?
[Figure: a path s0, s1, s2, ..., s(k-1), sk, with p written under each state]
Page 3: Bounded Model Checking: safety
The reachable states in k steps are captured by:
The property p fails in one of the cycles 1..k:
Page 4: Bounded Model Checking: safety
The safety property p is valid up to cycle k iff the BMC formula for bound k is unsatisfiable:
[Figure: a path s0, s1, s2, ..., s(k-1), sk, with p written under each state]
Page 5: Bounded Model Checking: safety
Example: a two bit counter
Property: $G\,(l\ r)$
[State diagram: the four states 00, 01, 10, 11]
Initial state: $I: \neg l \wedge \neg r$
Transition: $R: l' = (l\ r) \wedge r' = \neg r$
For k = 2, the BMC formula for bound k is unsatisfiable. For k = 4 it is satisfiable.
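The counter of this slide worked through as an added example (this is not code from the slides): the bound-k BMC formula I(s0) ∧ R(s0,s1) ∧ ... ∧ R(s(k-1),sk) ∧ "p fails in some cycle" is decided by brute-force enumeration of all state sequences instead of a SAT solver, which is enough for a 2-bit model. Two symbols are missing from the slide and are assumed here: the transition connective is taken to be exclusive-or (l' = l xor r, which yields the 00 → 01 → 10 → 11 → 00 counting order of the diagram), and the property is taken to be G(¬l ∨ ¬r), "the counter never reaches 11", which agrees with the slide's results (k = 2 unsatisfiable, k = 4 satisfiable).

```python
# Added example (not from the slides): BMC of the two-bit counter, done by
# enumerating every sequence of k+1 states instead of calling a SAT solver.
# Assumptions, because the slides do not show these symbols:
#   - the transition uses exclusive-or, l' = l xor r, which gives the
#     00 -> 01 -> 10 -> 11 -> 00 counting order of the state diagram;
#   - the property is G(not l or not r), "the counter never reaches 11", which
#     agrees with the slides' results (k = 2 unsatisfiable, k = 4 satisfiable).
from itertools import product
from typing import List, Optional, Tuple

State = Tuple[int, int]                      # (l, r), each 0 or 1
ALL_STATES: List[State] = [(0, 0), (0, 1), (1, 0), (1, 1)]


def initial(s: State) -> bool:
    """I: not l and not r (as on the slide)."""
    l, r = s
    return l == 0 and r == 0


def transition(s: State, t: State) -> bool:
    """R: l' = l xor r (assumed connective) and r' = not r."""
    l, r = s
    l2, r2 = t
    return l2 == (l ^ r) and r2 == 1 - r


def violates(s: State) -> bool:
    """not p, with p = (not l or not r) the assumed safety property."""
    l, r = s
    return l == 1 and r == 1


def bmc(k: int) -> Optional[List[State]]:
    """Decide the bound-k BMC formula  I(s0) and R(s0,s1) and ... and R(s_{k-1},s_k)
    and (p fails in some cycle)  by brute force.  Returns the violating path
    (a satisfying assignment) or None when the formula is unsatisfiable."""
    for path in product(ALL_STATES, repeat=k + 1):
        if not initial(path[0]):
            continue
        if not all(transition(path[i], path[i + 1]) for i in range(k)):
            continue
        if any(violates(s) for s in path):
            return list(path)
    return None


def first_failing_bound(k_max: int = 8) -> Optional[int]:
    """The BMC loop of the slides: k = 0, 1, 2, ... until the formula becomes
    satisfiable; k_max plays the role of 'resources exceeded'."""
    for k in range(k_max + 1):
        if bmc(k) is not None:
            return k
    return None


if __name__ == "__main__":
    for k in (2, 3, 4):
        print(f"k = {k}: {bmc(k)}")
    print("first satisfiable bound:", first_failing_bound())
```

Because the transition is deterministic there is exactly one path from the initial state, so `bmc(2)` returns `None` (only 00, 01, 10 are reachable in two steps) while `bmc(4)` returns the trace 00, 01, 10, 11, 00 in which 11 violates the property; the loop in `first_failing_bound` already stops at k = 3, the first bound at which the formula is satisfiable.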
Page 6: Bounded Model Checking: liveness
The liveness property Fp is valid up to cycle k iff the BMC formula for bound k is unsatisfiable:
[Figure: a path s0, s1, s2, ..., s(k-1), sk, annotated with $\neg p$ along the path and p at the end]
Page 7: Intel's results (2002)
Page 8: IBM's results (2000)
Page 9: SAT made some progress…
[Plot: number of variables (Vars, log scale from 1 to 100000) handled by SAT solvers against Year (1960 to 2010)]
Page 10: Bounded Model Checking
[Flowchart: start with k = 0; run BMC(M, , k); if it answers "yes", stop; otherwise test k ≥ ?; if "no", do k++ and repeat; if "yes", report "resources exceeded"]
Page 11: How big should k be?
For every finite model M and LTL property there exists k s.t.
We call the minimal such k the Completeness Threshold (CT).
Clearly if $M \models$ the property, then CT = 0.
Computing CT for a given M model checking
Page 12: The Completeness Threshold
Let's try the following strategy:
Compute CT for an abstraction of M that unites all models with certain graph-theoretic properties equal to those of M.
Page 13: Basic notions…
Diameter D(M) = longest shortest path between any two reachable states.
Recurrence Diameter RD(M) = longest loop-free path between any two reachable states.
The initialized versions DI(M) and RDI(M) start from an initial state.
[Figure: an example transition graph, annotated D(M) = 2, RD(M) = 3, DI(M) = (blank), RDI(M) = (blank)]
Page 14: The Completeness Threshold
Theorem: for AGp properties CT = DI(M).
[Figure: an arbitrary path from s0, annotated with p at each state]
(For AFp properties this does not hold.)
Page 15: The Completeness Threshold
Theorem: for AFp properties CT = RDI(M) + 1.
[Figure: a path from s0, annotated with p at each state]
Theorem: for an LTL property CT = ?
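The four measures of the "Basic notions" slide, computed on a small transition graph, as an added example (not code from the slides; it generalizes the slide's definitions to any directed graph given as an adjacency dict). The slide's own graph is not reproduced on this page, so the graph below is constructed: edges 0→1, 0→2, 1→2, 2→0, 2→3 with initial state 0. Path lengths are counted in edges.

```python
# Added example (not from the slides): D(M), RD(M), DI(M) and RDI(M) for a
# directed transition graph. The graph EXAMPLE is constructed for this page.
from collections import deque
from typing import Dict, List, Set

Graph = Dict[int, List[int]]          # state -> successor states


def reachable(g: Graph, init: int) -> Set[int]:
    """States reachable from the initial state (the only ones the definitions use)."""
    seen, todo = {init}, [init]
    while todo:
        u = todo.pop()
        for v in g.get(u, []):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen


def shortest_lengths(g: Graph, src: int, allowed: Set[int]) -> Dict[int, int]:
    """BFS distances (in edges) from src, restricted to the allowed states."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in g.get(u, []):
            if v in allowed and v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def longest_simple_path(g: Graph, src: int, allowed: Set[int]) -> int:
    """Length of the longest loop-free path starting at src (exhaustive DFS;
    exponential in general, which is exactly why RD(M) is expensive)."""
    best = 0

    def dfs(u: int, visited: Set[int], length: int) -> None:
        nonlocal best
        best = max(best, length)
        for v in g.get(u, []):
            if v in allowed and v not in visited:
                dfs(v, visited | {v}, length + 1)

    dfs(src, {src}, 0)
    return best


def diameter(g: Graph, init: int) -> int:
    """D(M): longest shortest path between any two reachable states."""
    r = reachable(g, init)
    return max(d for u in r for d in shortest_lengths(g, u, r).values())


def recurrence_diameter(g: Graph, init: int) -> int:
    """RD(M): longest loop-free path between any two reachable states."""
    r = reachable(g, init)
    return max(longest_simple_path(g, u, r) for u in r)


def initialized_diameter(g: Graph, init: int) -> int:
    """DI(M): like D(M), but the path starts at the initial state."""
    r = reachable(g, init)
    return max(shortest_lengths(g, init, r).values())


def initialized_recurrence_diameter(g: Graph, init: int) -> int:
    """RDI(M): like RD(M), but the path starts at the initial state."""
    return longest_simple_path(g, init, reachable(g, init))


# Constructed graph for this example (not the one drawn on the slide).
EXAMPLE: Graph = {0: [1, 2], 1: [2], 2: [0, 3], 3: []}


def measures(g: Graph = EXAMPLE, init: int = 0) -> Dict[str, int]:
    return {"D": diameter(g, init), "RD": recurrence_diameter(g, init),
            "DI": initialized_diameter(g, init),
            "RDI": initialized_recurrence_diameter(g, init)}


if __name__ == "__main__":
    print(measures())
```

For the constructed graph the result is D = 2, RD = 3, DI = 2, RDI = 3 (the longest shortest path is 0 → 2 → 3 or 1 → 2 → 0, the longest loop-free path is 0 → 1 → 2 → 3). By the theorems on the two preceding slides, an AGp property of this model needs the BMC loop to run only up to k = DI(M) = 2, while an AFp property needs k = RDI(M) + 1 = 4.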
Page 16: What is SAT?
SATisfying assignment!
Given a propositional formula in CNF, find an assignment to Boolean variables that makes the formula true:
$c_1 = (x_2 \vee x_3)$
$c_2 = (\neg x_1 \vee \neg x_4)$
$c_3 = (\neg x_2 \vee x_4)$
$A = \{x_1 = 0,\ x_2 = 1,\ x_3 = 0,\ x_4 = 1\}$
Page 17: A basic SAT algorithm
Given in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)
Decide()
Deduce()
Resolve_Conflict()
[Figure: the search tree for this formula, branching on x, then on z and y, with the residual clause set at each node and the conflicting leaves marked X; the assignments shown are x=0@1, z=0@2, y=0@2]
Page 18: Backtracking Search in Action
$c_1 = (x_2 \vee x_3)$
$c_2 = (\neg x_1 \vee \neg x_4)$
$c_3 = (\neg x_2 \vee x_4)$
[Search tree:]
Branch x1 = 0@1: decision x2 = 0@2, implied x3 = 1@2; result {(x1,0), (x2,0), (x3,1)}
Branch x1 = 1@1: implied x4 = 0@1, x2 = 0@1, x3 = 1@1; result {(x1,1), (x2,0), (x3,1), (x4,0)}
No backtrack in this example, regardless of the decision!
Page 19: Backtracking Search in Action
Add a clause:
$c_1 = (x_2 \vee x_3)$
$c_2 = (\neg x_1 \vee \neg x_4)$
$c_3 = (\neg x_2 \vee x_4)$
$c_4 = (\neg x_1 \vee x_2 \vee \neg x_3)$
[Search tree:]
Branch x1 = 1@1: implied x4 = 0@1, x2 = 0@1, x3 = 1@1; conflict
Branch x1 = 0@1: decision x2 = 0@2, implied x3 = 1@2; result {(x1,0), (x2,0), (x3,1)}
Page 20: Decision heuristics: DLIS (Dynamic Largest Individual Sum)
Choose the variable and value that satisfies the maximum number of unsatisfied clauses.
This requires going through all clauses for each decision.
Page 21: Decision heuristics: Jeroslow-Wang method
Compute for every clause and every variable l (in each phase):
$J(l) := \sum_{c\,:\,l \in c} 2^{-|c|}$
Choose a variable l that maximizes J(l).
This gives an exponentially higher weight to literals in shorter clauses.
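The basic algorithm of pages 17 to 21 (Decide, Deduce, backtrack on conflict, with DLIS and Jeroslow-Wang as decision heuristics) as one added example; this is not code from the slides. It runs on the slides' own clause sets and records every assignment in the slides' "x=v@level" notation. Variables are integers and a negative literal -v means x_v = 0; the clause polarities were read off the implication traces of pages 18 and 19. The Jeroslow-Wang score is computed in its dynamic form, with |c| the number of still-unassigned literals of an unsatisfied clause.

```python
# Added example (not from the slides): DPLL with unit propagation (Deduce),
# a scored decision (Decide: DLIS or Jeroslow-Wang) and chronological
# backtracking. Literal +v means x_v = 1, literal -v means x_v = 0.
from typing import Callable, Dict, List, Optional, Tuple

Clause = Tuple[int, ...]
Assignment = Dict[int, bool]
Scores = Dict[int, float]


def lit_true(l: int, a: Assignment) -> Optional[bool]:
    """True/False under a, or None while x_|l| is unassigned."""
    v = a.get(abs(l))
    return None if v is None else v == (l > 0)


def dlis_scores(clauses: List[Clause], a: Assignment) -> Scores:
    """DLIS: how many still-unsatisfied clauses each free literal would satisfy."""
    scores: Scores = {}
    for c in clauses:
        if any(lit_true(l, a) for l in c):
            continue
        for l in c:
            if abs(l) not in a:
                scores[l] = scores.get(l, 0) + 1
    return scores


def jw_scores(clauses: List[Clause], a: Assignment) -> Scores:
    """Jeroslow-Wang: J(l) = sum over unsatisfied clauses c containing l of 2^-|c|,
    |c| being the number of free literals left in c (dynamic variant)."""
    scores: Scores = {}
    for c in clauses:
        if any(lit_true(l, a) for l in c):
            continue
        free = [l for l in c if abs(l) not in a]
        for l in free:
            scores[l] = scores.get(l, 0.0) + 2.0 ** -len(free)
    return scores


def deduce(clauses: List[Clause], a: Assignment, level: int, trail: List[str]) -> Optional[Clause]:
    """Unit propagation. Returns the clause with all literals false (conflict), or None."""
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(lit_true(l, a) for l in c):
                continue
            free = [l for l in c if abs(l) not in a]
            if not free:
                return c
            if len(free) == 1:                      # unit clause: forced assignment
                a[abs(free[0])] = free[0] > 0
                trail.append(f"x{abs(free[0])}={int(free[0] > 0)}@{level}")
                changed = True
    return None


def dpll(clauses: List[Clause], a: Assignment, level: int, trail: List[str],
         heuristic: Callable[[List[Clause], Assignment], Scores]) -> Optional[Assignment]:
    a = dict(a)
    if deduce(clauses, a, level, trail) is not None:
        trail.append(f"conflict@{level}")
        return None
    scores = heuristic(clauses, a)
    if not scores:                                  # every clause is satisfied
        return a
    lit = max(scores, key=scores.get)               # Decide: best literal, try it true first
    for choice in (lit, -lit):
        branch = dict(a)
        branch[abs(choice)] = choice > 0
        trail.append(f"x{abs(choice)}={int(choice > 0)}@{level + 1}")
        result = dpll(clauses, branch, level + 1, trail, heuristic)
        if result is not None:
            return result
    return None                                     # both branches failed: backtrack


def solve(clauses: List[Clause], heuristic=jw_scores) -> Tuple[Optional[Assignment], List[str]]:
    """Returns (satisfying assignment or None, the trail of assignments made)."""
    trail: List[str] = []
    return dpll(clauses, {}, 0, trail, heuristic), trail


def satisfies(clauses: List[Clause], a: Assignment) -> bool:
    return all(any(lit_true(l, a) for l in c) for c in clauses)


# The slides' formulas: page 17 with x=1, y=2, z=3, and c1..c4 of page 19.
SLIDE17: List[Clause] = [(1, 2, 3), (-1, 2), (-2, 3), (-1, -2, -3)]
SLIDE19: List[Clause] = [(2, 3), (-1, -4), (-2, 4), (-1, 2, -3)]

if __name__ == "__main__":
    for name, f in (("page 17", SLIDE17), ("page 19", SLIDE19)):
        model, trail = solve(f)
        print(name, model, trail)
```

`solve(SLIDE19)` finds a model without any backtracking because Jeroslow-Wang picks x2 first (it appears in the two shortest clauses); deciding x1 = 1 first, as on page 19, would force x4 = 0, x2 = 0, x3 = 1 and a conflict on c4. An unsatisfiable input such as (x1 ∨ x2), (¬x1 ∨ x2), (x1 ∨ ¬x2), (¬x1 ∨ ¬x2) makes `solve` return `None` after both branches on the first decision conflict.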
Page 22: Implication graphs and learning
$c_1 = (\neg x_1 \vee x_2)$
$c_2 = (\neg x_1 \vee x_3 \vee x_9)$
$c_3 = (\neg x_2 \vee \neg x_3 \vee x_4)$
$c_4 = (\neg x_4 \vee x_5 \vee x_{10})$
$c_5 = (\neg x_4 \vee x_6 \vee x_{11})$
$c_6 = (\neg x_5 \vee \neg x_6)$
$c_7 = (x_1 \vee x_7 \vee \neg x_{12})$
$c_8 = (x_1 \vee x_8)$
$c_9 = (\neg x_7 \vee \neg x_8 \vee \neg x_{13})$
Current truth assignment: {x9=0@1, x10=0@3, x11=0@3, x12=1@2, x13=1@2}
Current decision assignment: {x1=1@6}
[Implication graph; each edge is labelled with the clause that forces the assignment:]
x1=1@6 → x2=1@6 (c1)
x1=1@6, x9=0@1 → x3=1@6 (c2)
x2=1@6, x3=1@6 → x4=1@6 (c3)
x4=1@6, x10=0@3 → x5=1@6 (c4)
x4=1@6, x11=0@3 → x6=1@6 (c5)
x5=1@6, x6=1@6 → conflict (c6)
We learn the conflict clause $c_{10} = (\neg x_1 \vee x_9 \vee x_{11} \vee x_{10})$
Page 23: Implication graph, flipped assignment
[Implication graph after flipping x1; each edge is labelled with the clause that forces the assignment:]
x9=0@1, x10=0@3, x11=0@3 → x1=0@6 (c10, due to the conflict clause)
x1=0@6, x12=1@2 → x7=1@6 (c7)
x1=0@6 → x8=1@6 (c8)
x7=1@6, x8=1@6, x13=1@2 → second conflict (c9)
Clauses: $c_1$ .. $c_9$ as on page 22, plus the learned clause $c_{10} = (\neg x_1 \vee x_9 \vee x_{11} \vee x_{10})$
Page 24: Non-chronological backtracking
[Figure: decision levels 3 to 6; x1 is decided at level 6 and the second conflict occurs there]
Which assignments caused the conflicts? x9=0@1, x10=0@3, x11=0@3, x12=1@2, x13=1@2.
These assignments are sufficient for causing a conflict.
Backtrack to decision level 3.
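Pages 22 to 24 replayed in code, as an added example that is not from the slides: unit propagation records an antecedent clause per implied variable (the implication graph), a conflict is analysed by resolving the conflicting clause with those antecedents, and the solver backtracks non-chronologically to the highest level among the remaining literals. The nine clauses are the slides' (polarities read off the implication traces); the slides' "current truth assignment" is treated as five assumptions at the stated decision levels, and the cut used for learning is the one drawn on the slides (every implied literal of the current level is resolved away, leaving only decisions and assumptions), not the first-UIP cut most solvers use. The analysis also returns the set of original clauses used in the derivation, which is the set s that the incremental-SAT and replicated-clause slides later test for "all marked".

```python
# Added example (not from the slides): implication graph, conflict-clause
# learning and non-chronological backtracking on the slides' nine clauses.
# Literal +v means x_v = 1, literal -v means x_v = 0.
from typing import Dict, List, Optional, Set, Tuple

Clause = Tuple[int, ...]
CLAUSES: List[Clause] = [
    (-1, 2), (-1, 3, 9), (-2, -3, 4), (-4, 5, 10), (-4, 6, 11),   # c1..c5
    (-5, -6), (1, 7, -12), (1, 8), (-7, -8, -13),                # c6..c9
]


class Trail:
    """Per variable: value, decision level, antecedent clause (None = decision/assumption)."""
    def __init__(self) -> None:
        self.value: Dict[int, bool] = {}
        self.level: Dict[int, int] = {}
        self.reason: Dict[int, Optional[Clause]] = {}

    def assign(self, lit: int, level: int, reason: Optional[Clause] = None) -> None:
        v = abs(lit)
        self.value[v], self.level[v], self.reason[v] = lit > 0, level, reason

    def lit_true(self, lit: int) -> Optional[bool]:
        v = self.value.get(abs(lit))
        return None if v is None else v == (lit > 0)

    def backtrack(self, level: int) -> None:
        """Drop every assignment made above `level` (non-chronological jump)."""
        for v in [v for v, lv in self.level.items() if lv > level]:
            del self.value[v], self.level[v], self.reason[v]


def propagate(clauses: List[Clause], t: Trail, level: int) -> Optional[Clause]:
    """Unit propagation; the antecedents it records are the implication-graph edges.
    Returns the conflicting clause or None."""
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(t.lit_true(l) for l in c):
                continue
            free = [l for l in c if t.lit_true(l) is None]
            if not free:
                return c
            if len(free) == 1:
                t.assign(free[0], level, c)
                changed = True
    return None


def analyze(conflict: Clause, t: Trail, level: int) -> Tuple[Clause, int, Set[Clause]]:
    """Resolve the conflict clause with the antecedents of the implied literals of
    the current level until only decisions/assumptions of that level remain.
    Returns (learned clause, level to backtrack to, original clauses used)."""
    learned: Set[int] = set(conflict)
    used: Set[Clause] = {conflict}
    while True:
        implied = [l for l in learned
                   if t.level[abs(l)] == level and t.reason[abs(l)] is not None]
        if not implied:
            break
        pivot = implied[0]
        reason = t.reason[abs(pivot)]
        used.add(reason)
        learned.discard(pivot)
        learned |= {l for l in reason if abs(l) != abs(pivot)}
    lower = [t.level[abs(l)] for l in learned if t.level[abs(l)] != level]
    return tuple(sorted(learned, key=abs)), (max(lower) if lower else 0), used


def replay_slides() -> Dict[str, object]:
    t = Trail()
    for lit, lvl in [(-9, 1), (12, 2), (13, 2), (-10, 3), (-11, 3)]:
        t.assign(lit, lvl)                  # x9=0@1, x12=1@2, x13=1@2, x10=0@3, x11=0@3
    clauses = list(CLAUSES)
    t.assign(1, 6)                          # decision x1=1@6
    k1 = propagate(clauses, t, 6)           # conflict on c6
    c10, back, used1 = analyze(k1, t, 6)    # learn (-x1 v x9 v x10 v x11), jump to level 3
    clauses.append(c10)
    t.backtrack(back)
    k2 = propagate(clauses, t, back)        # c10 is unit: x1=0, then x7, x8, conflict on c9
    c11, back2, used2 = analyze(k2, t, back)
    return {"conflict1": k1, "learned1": c10, "backtrack1": back, "used1": used1,
            "conflict2": k2, "learned2": c11, "backtrack2": back2, "used2": used2}


if __name__ == "__main__":
    for key, val in replay_slides().items():
        print(key, val)
```

`replay_slides()` reproduces page 22: the first conflict is on c6, the learned clause is (¬x1 ∨ x9 ∨ x10 ∨ x11) and the backtrack level is 3. After the jump, c10 is unit under the assumptions and x1 = 0 is implied at level 3 (the slides draw the flip at level 6), which forces x7 and x8 and the second conflict on c9; its analysis yields (x9 ∨ x10 ∨ x11 ∨ ¬x12 ∨ ¬x13), i.e. exactly the five assignments that page 24 names as sufficient for a conflict, with a backtrack level of 2.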
Page 25: Tuning SAT for BMC
I. Variable ordering
II. Incremental SAT: reusability of conflict clauses between different (yet related) SAT instances.
III. Replicating conflict clauses: generation of conflict clauses 'for free', based on the unique structure of BMC invariant properties.
Page 26: Static variable ordering
A (CNF) dependency graph D(V, E):
A partitioning C1..Cn:
An abstract dependency graph D'(V', E'):
Page 27: Static variable ordering for BMC (the natural order of the bound-k formula)
For the bound-k formula there exists a partition C1..Cn s.t. the abstract dependency graph is linear:
[Figure: a chain of partitions C0, C1, C2, C3, ..., C(k-1), Ck over the variable sets V0, V1, V2, V3, ..., V(k-1), Vk]
Page 28: Static variable ordering (a simple static ordering)
[Figure: two variable orderings between I0 and Pk]
Riding on unreachable states...: the bound-k formula should satisfy I0.
Riding on legal executions...: the bound-k formula should satisfy Pk.
Page 29: Incremental SAT
Given two CNF formulas (sets of clauses) S1 and S2, and a conflict clause c s.t. $S_1 \vdash c$, under what conditions does the following hold:
S2 is satisfiable iff S2 together with c is satisfiable.
Page 30: Incremental SAT
Let the shared clause set be a set of clauses contained in both S1 and S2.
Claim: if the shared set $\vdash c$, then S1 is satisfiable iff S1 together with c is satisfiable, and S2 is satisfiable iff S2 together with c is satisfiable.
Thus, if we deduce c while checking S1, we can reuse it when checking S2.
[Figure: S1 and S2 as overlapping sets; c is derived from the shared clauses in their intersection]
Page 31: Incremental SAT for BMC
Testing whether the clauses involved in deducing c are a subset of the shared set requires marking them in advance.
In the BMC case this is easy:
Only one clause in the bound-k formula is not included in the bound-(k+1) formula.
Page 32: Incremental SAT
[Figure: S1, S2 and their shared subset]
1. Mark the shared subset, the clauses that are also contained in subsequent instances.
2. If $s \vdash c$ for some s within the shared subset, then add c to the shared subset and mark it as pervasive.
Page 33: Replicated clauses
The BMC invariant formula includes k structurally similar parts:
Can this symmetry be used to speed up the search?
Page 34: Replicated clauses
Let $x_k$ denote variable x in cycle k.
Let c(i) denote the clause c where every variable in c is shifted i cycles.
For example: $c = (x_5 \vee y_2 \vee z_7)$, $c(2) = (x_7 \vee y_4 \vee z_9)$, $c(-2) = (x_3 \vee y_0 \vee z_5)$.
Similarly, s(i) denotes the set of shifted clauses of the set s, i.e. $\forall j.\ c_j \in s \Rightarrow c_j(i) \in s(i)$.
Page 35: Replicated clauses
Let s be a subset of the clauses of the bound-k formula, and let c be a conflict clause deducible from s, i.e. $s \vdash c$.
Example: $s = \{(x_2 \vee y_5),\ (x_2 \vee y_5 \vee z_3 \vee w_4)\}$, $c = (y_5 \vee z_3 \vee w_4)$
By substitution, it is also true that $s(i) \vdash c(i)$:
$s(i) = \{(x_{2+i} \vee y_{5+i}),\ (x_{2+i} \vee y_{5+i} \vee z_{3+i} \vee w_{4+i})\}$, $c(i) = (y_{5+i} \vee z_{3+i} \vee w_{4+i})$
Page 36: Replicated clauses
Conclusion: if s(i) is contained in the bound-k formula, then we can also add c(i) to it.
c(i) is a new clause that we got 'for free'.
We call c(i) a 'replicated clause'.
The remaining question is: for which i is s(i) contained in the bound-k formula?
Page 37: Replicated clauses
1. While generating the bound-k formula, mark all transition relation clauses.
2. For every conflict clause c, if all the clauses in s are marked, then mark c as 'replicable'.
Page 38: Replicated clauses
Given a replicable clause c and the subset of clauses s from which it was deduced:
3. Record $l_s$ and $h_s$, the lowest and highest cycle index in s.
4. Add a replicated clause c(i) for i in the range $-l_s .. (k - h_s)$.
Page 39: Example
$s = \{(x_2 \vee y_5),\ (x_2 \vee y_5 \vee z_3 \vee w_4)\}$, $l_s = 2$, $h_s = 5$, $k = 6$
$c = (y_5 \vee z_3 \vee w_4)$
Going right: $c(1) = (y_6 \vee z_4 \vee w_5)$
Going left: $c(-1) = (y_4 \vee z_2 \vee w_3)$, $c(-2) = (y_3 \vee z_1 \vee w_2)$
[Figure: three grids of the variables y, z, w against cycles 0 to 6, showing c and its shifted copies]
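The shifting and replication steps of pages 34 to 39, together with the "all clauses in s are marked" test that pages 31, 32 and 37 share (pervasive clauses in incremental SAT, replicable clauses here), as an added example that is not code from the slides. A literal is a (variable name, cycle index, sign) triple. The polarities of x2 in the two clauses of s are not shown on the slides; they are assumed here so that the two clauses resolve on x2 to (y5 ∨ z3 ∨ w4), and the resolution step itself stands in for the slides' "s ⊢ c".

```python
# Added example (not from the slides): shifted clauses c(i), the bounds l_s/h_s,
# the replication range -l_s .. k-h_s, and the "all marked" test.
# Literal = (variable name, cycle index, positive?). Polarities of x2 assumed.
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Literal = Tuple[str, int, bool]
Clause = FrozenSet[Literal]


def lit(name: str, cycle: int, positive: bool = True) -> Literal:
    return (name, cycle, positive)


def shift(c: Clause, i: int) -> Clause:
    """c(i): every variable of c moved i cycles (negative i shifts left)."""
    return frozenset((n, k + i, p) for n, k, p in c)


def shift_set(s: Iterable[Clause], i: int) -> Set[Clause]:
    """s(i): every clause of s shifted by i."""
    return {shift(c, i) for c in s}


def resolve(c1: Clause, c2: Clause, name: str, cycle: int) -> Clause:
    """Binary resolution on variable name_cycle, which must occur with opposite signs."""
    pos, neg = (name, cycle, True), (name, cycle, False)
    assert (pos in c1 and neg in c2) or (neg in c1 and pos in c2), "not a resolvable pair"
    return (c1 | c2) - {pos, neg}


def cycle_bounds(s: Iterable[Clause]) -> Tuple[int, int]:
    """(l_s, h_s): lowest and highest cycle index occurring in s (step 3)."""
    cycles = [k for c in s for (_, k, _) in c]
    return min(cycles), max(cycles)


def replication_range(s: Iterable[Clause], k: int) -> range:
    """All i with -l_s <= i <= k - h_s, i.e. every shift keeping s(i) inside cycles 0..k."""
    ls, hs = cycle_bounds(s)
    return range(-ls, k - hs + 1)


def replicated_clauses(conflict: Clause, s: List[Clause], k: int) -> Dict[int, Clause]:
    """Step 4: c(i) for every i in the replication range except i = 0 (c itself)."""
    return {i: shift(conflict, i) for i in replication_range(s, k) if i != 0}


def all_marked(s: Iterable[Clause], marked: Set[Clause]) -> bool:
    """Step 2 here, and the 'pervasive' test of incremental SAT: is s inside the marked set?"""
    return all(c in marked for c in s)


def substitution_holds(s: List[Clause], conflict: Clause, k: int, name: str, cycle: int) -> bool:
    """Page 35's 'by substitution': resolving s(i) gives c(i) for every i in the range."""
    return all(resolve(shift(s[0], i), shift(s[1], i), name, cycle + i) == shift(conflict, i)
               for i in replication_range(s, k))


def fmt(c: Clause) -> str:
    return "(" + " v ".join(("" if p else "-") + f"{n}{k}" for n, k, p in sorted(c)) + ")"


# The example of pages 35 and 39 (sign of x2 in each clause assumed).
S: List[Clause] = [
    frozenset({lit("x", 2, False), lit("y", 5)}),                         # (-x2 v y5)
    frozenset({lit("x", 2), lit("y", 5), lit("z", 3), lit("w", 4)}),      # (x2 v y5 v z3 v w4)
]
CONFLICT: Clause = resolve(S[0], S[1], "x", 2)                            # (y5 v z3 v w4)

if __name__ == "__main__":
    print("c =", fmt(CONFLICT), " l_s, h_s =", cycle_bounds(S))
    for i, c in sorted(replicated_clauses(CONFLICT, S, 6).items()):
        print(f"c({i}) =", fmt(c))
```

With k = 6 the bounds are l_s = 2 and h_s = 5, so the range is i = -2 .. 1 and `replicated_clauses` returns exactly the three clauses of page 39: c(1) = (y6 ∨ z4 ∨ w5), c(-1) = (y4 ∨ z2 ∨ w3) and c(-2) = (y3 ∨ z1 ∨ w2). `all_marked` is the same subset test in both uses: with the marked set being the transition-relation clauses it decides whether c is replicable; with the marked set being the clauses shared between successive BMC instances it decides whether c is pervasive.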
Page 40: Experimental results (2001)

| Strategy | Metric | Design #1, k=27 | k=28 | k=29 | k=30 | k=31 | Design #2, k=14 | k=15 | k=16 | k=17 | k=18 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Normal | time | 61 | 102 | 174 | 144 | 14 | 10 | 91 | 192 | * | * |
| Incremental SAT | time | 63 | 77 | 80 | 47 | 16 | 10 | 58 | 155 | 1.6E4 | * |
| Incremental SAT | added clauses | 0 | 973 | 1092 | 1208 | 1253 | 0 | 925 | 2117 | 3474 | 6116 |
| Incremental + replication | time | 48 | 21 | 19 | 44 | 30 | 13 | 48 | 214 | 6211 | * |
| Incremental + replication | replicated | 2094 | 1704 | 1216 | 1075 | 450 | 5932 | 5656 | 7778 | 1.7E4 | * |
| Incremental + replication | added clauses | 0 | 482 | 1113 | 1536 | 2014 | 0 | 3374 | 5773 | 9806 | 1.6E4 |