multi-domain logic as a tool for program verification implementation issues
DESCRIPTION
Multi-Domain Logic as a Tool for Program Verification Implementation Issues. Tudor Jebelean , Johannes Kepler Unversity Linz Gábor Kusper , Eszterh á zy K á roly College Eger SCSS 2010. Outline. Motivation Intuition Representation Bounded Model Checking - PowerPoint PPT PresentationTRANSCRIPT
Multi-Domain Logic as a Tool for Multi-Domain Logic as a Tool for Program VerificationProgram VerificationImplementation IssuesImplementation Issues
Tudor Jebelean, Johannes Kepler Unversity LinzGábor Kusper, Eszterházy Károly College Eger
SCSS 2010
OutlineOutline
Motivation Intuition Representation Bounded Model Checking Direct Representation in Multi-Domain Logic Test Results Conclusion
MotivationMotivation
We have a Multi-Domain Logic based SAT solver, which is just a normal SAT solver with the basic settings.
This SAT solver can use lots of MDL specific techniques:– Variable Merging– Clustering Propositional Variables– Deletion of Weak Assignments (DoWA)– Dynamic Variable Merging
There are some problem sets which can be solved fast using these techniques, like the Pigeon Hole Problem.
We wanted to check whether Bounded Model Checking belongs to this set of problems or not.
IntuitionIntuition
Lots of short clauses are good!
Generating Generating CNFCNF
Propositional Logic– New variables to
prevent exponential growth
– Less clauses– More variables– Lots of short clauses
Multi-Domain Logic– Merge variables of
some subformulae to prevent exp. growth
– More clauses– Less variables– Lots of short clauses
RepresentationRepresentation
Literal in Multi-Domain LogicLiteral in Multi-Domain Logic
A multi-literal has the form: Sign Set:Multi-Variable
Sign Set: Finite set of symbols which satisfies the literal.
For example: {Apple}:Food
{Cat, Dog}:Pet
{1, A, 3.14}:X
DomainDomain
Each multi-variable has a domain. The domain is the union of sign sets of the multi-var.
Example: ( { Cat, Dog }:Pet OR { Apple }:Food) AND
{ Gopher }:Pet AND { Bread }:Food The domain for Pet is: { Cat, Dog, Gopher } The domain for Food is: { Apple, Bread }
Since only one symbol may be assigned to each multi-variable from its domain, this formula is UNSAT.
Literal RepresentationLiteral Representation
We need N bits to represent a multi-literal, where N is the cardinality of its domain.
Example: ( { Cat, Dog }:Pet OR { Apple }:Food) AND
{ Gopher }:Pet AND { Bread }:Food (110:Pet OR 10:Food) AND 001:Pet AND 01:Food The domain for Pet is: { Cat, Dog, Gopher } The domain for Food is: { Apple, Bread }
Example for Variable mergingExample for Variable merging
Before variable merging: ({1}:Int OR {A}:Char) AND ({2}:Int OR {B}:Char) After: ({1A,1B}:X OR {1A, 2A}:X) AND ({2A, 2B}:X OR {1B, 2B}:X) Since OR on the same multi-variable is UNION on the sign
sets we obtain: {1A,1B, 2A}:X AND {1B, 2A, 2B}:X Since AND on the same multi-variable is INTERSECTION on
the sign sets we obtain: {1B, 2A}:X Note, that a this formula collapsed into a literal!
Boolean Formulae into MDLBoolean Formulae into MDL
We can merge any number of propositional variables. We need 2k bits to represent a Boolean formula with k
propositional variable. The encoding in case of k = 2: { } FALSE {00} ab
{11} ab {00,11} ab{10} ab {00,10} b {10,11} a {00,10,11} ab {01} ab {00,01} a {01,11} b {00,01,11} ab {01,10} ab {00,01,10} ab {01,10,11} ab {00,01,10,11} TRUE
a b0 1 00 0 11 0 01 1 1
Bounded Model CheckingBounded Model Checking
Bounded Model CheckingBounded Model Checking
Bounded Model Checking is one of the most successful formal methods for practical verification of hardware and software.
BMC translate the system to be verified into a boolean formula.
It uses a SAT solver to solve this formula. If the formula is unsatisfiable, then the property is not
true, otherwise it is.
BMC profits from very fast SAT solvers!
Bounded Model CheckingBounded Model Checking
The system to be verified consist of:– a transition system, and – a property to be checked (given in temporal logic).
One has to translate the system into a boolean formula:– the transition system can be translated, but– the property can be translated only up to a certain bound.
The bound is on the number of steps.
That is why this approach is called Bounded Model Checking.
Temporal LogicTemporal Logic
Properties are given in Computation Tree Logic. CTL is built from path quantifiers and temporal operators.
There are two path quantifiers: – A, “for every path” – E, “there exists a path” CTL has four temporal operators: – X p, “p holds at the next time step”. – F p, “p holds at some time step in the future” – G p, “p holds at every time step in the future” – p U q, “p holds until q holds” Note that AG p equivalent to EF not(p).
BMC toolBMC tool
http://www.cs.cmu.edu/~modelcheck/bmc.html– Generates CNF (DIMACS) files out of SMV descriptions
• SMV: Symbolic Model Verifier
But! During the CNF translation it introduces (recursively)
new propositional variables to prevent exponential grow of the formula.
Example: SMV -> FormulaExample: SMV -> Formula
VAR
x[2]
ASSIGN
init(x):= 0;
next(x):=x+1;
SPEC
EF x = 3
bound = 1
( x0 = 0 ) AND
( x1 = x0+1) AND
( x0 = 3 OR
x1 = 3 )
bound = 2
( x0 = 0 ) AND
( x1 = x0+1) AND
( x2 = x1+1) AND
( x0 = 3 OR
x1 = 3 OR
x2 = 3)
Direct Representation in MDLDirect Representation in MDL
Direct Representation in MDLDirect Representation in MDL
{0}:x0
{1,2,3}:x0 {1}:x1
{0,2,3}:x0 {2}:x1
{0,1,3}:x0 {3}:x1
{0,1,2}:x0 {0}:x1
{1,2,3}:x1 {3}:x0
{0,2,3}:x1 {0}:x0
{0,1,3}:x1 {1}:x0
{0,1,2}:x1 {2}:x0
{3}:x0 {3}:x1
{0}:x0
[0]:x0 {1}:x1
[1]:x0 {2}:x1
[2]:x0 {3}:x1
[3]:x0 {0}:x1
[0]:x1 {3}:x0
[1]:x1 {0}:x0
[2]:x1 {1}:x0
[3]:x1 {2}:x0
{3}:x0 {3}:x1
( x0 = 0 ) AND
( x1 = x0+1) AND
( x0 = 3 OR
x1 = 3 )
Test resultsTest results
We tested our Java implementation on MDL instances and on their equivalent SAT problems from the page: http://www.cs.cmu.edu/~modelcheck/bmc/bmc-benchmarks.html
The test results are obtained on a NEC VERSA M370 notebook with Core2 DuoM 2 GHz processor (32 bits) and 1 GB memory.
2-bit counter 2-bit counter
The transition system:– We have a 2-bit counter– The two bits represented by A– The initial state is A=0– Then we count:
0, 1, 2, 3, 0, and so on…
The property to be checked:– The counter will eventually
reach the state 3.– In temporal logic: EF A = 3.– Or equivalently: AG not(A = 3).
0
1 2
3
2-bit counter example 2-bit counter example
BMC file:
VAR
x[2]
ASSIGN
init(x):=0;
next(x):=inc(x);
SPEC
AG x != 3
CNF file:
p cnf 7 15
-1 3 0
-1 2 0
-4 6 0
-4 5 0
7 6 -5 0
7 -6 5 0
-7 6 5 0
-7 -6 -5 0
-5 0
-6 0
-2 -5 0
2 5 0
-3 7 0
3 -7 0
4 1 0
MDL file:
{0}:x0
[0]:x0 {1}:x1
[1]:x0 {2}:x1
[2]:x0 {3}:x1
[3]:x0 {0}:x1
[0]:x1 {3}:x0
[1]:x1 {0}:x0
[2]:x1 {1}:x0
[3]:x1 {2}:x0
{3}:x0 {3}:x1
n-bit counter, all unsatisfiablen-bit counter, all unsatisfiable
n-bit counter, all satisfiablen-bit counter, all satisfiable
n-bit counter, #unit propagations n-bit counter, #unit propagations
Barrel ShifterBarrel Shifter
B0,B1|B2,B3R0,R1|R2,R3
B2,B3|B0,B1R0,R1|R2,R3
The transition system:– We have a 2x2-bit barrel shifter– The initial state is: B=R– R can be any value– A step: shift B by 2 bits
The property to be checked:– invar := (B0 = R0 -> B1 = R1) &
(B0 = R1 -> B1 = R0) &
(B1 = R0 -> B0 = R1) &
(B1 = R1 -> B0 = R0)– AG invar– EF not( invar )
Barrel Shifter Barrel Shifter
BMC file:ASSIGN init(b0) := r0; init(b1) := r1; next(b0) := b1;
next(b1) := b0; next(r0) := r0; next(r1) := r1;SPEC AG(b0=r0 -> b1=r1)&(b0=r1 -> b1=r0)&(b1=r0 -> b0=r1)&(b1=r1 -> b0=r0)
CNF file:
p cnf 17 53
-1 2 0
-1 3 0
-4 5 0
-4 6 0
-7 8 0
-7 9 0
10 -7 0
10 -4 0
10 -1 0
7 4 1 -10 0
MDL file:[0]:b00 [1]:r00
[1]:b00 [0]:r00
[0]:b10 [1]:r10
[1]:b10 [0]:r10
[0]:b00 [0]:b10 [0]:r00 [0]:r10
[0]:b00 [0]:b10 [1]:r00 [1]:r10
[0]:b00 [1]:b10 [0]:r00 [1]:r10
[0]:b00 [1]:b10 [1]:r00 [0]:r10
[1]:b00 [0]:b10 [0]:r00 [1]:r10
[1]:b00 [0]:b10 [1]:r00 [0]:r10
[1]:b00 [1]:b10 [0]:r00 [0]:r10
[1]:b00 [1]:b10 [1]:r00 [1]:r10
Barrel Shifter, running timeBarrel Shifter, running time
ConclusionConclusion
The State Explosion Problem The State Explosion Problem
The state explosion problem is, thatthe number of system states grows exponentially with the number of system components
We cannot heal this problem. We can postpone it by some factor depending on the
word size of our computer.
Generating Generating CNFCNF
Propositional Logic– New variables to
prevent exponential grow
– Less clauses– More variables– Lots of short clauses
Multi-Domain Logic– Merge variables of
some subformulae to prevent exp. grow
– More clauses– Less variables– Lots of short clauses
ConclusionConclusion
On one hand, Multi-Domain Logic can encode Bounded Model Checking problems in a more compact and natural way.
On the other hand, the resulting MDL problems can be solved faster then their boolean versions.
Future workFuture work
We would like to implement – Compiler from SMV (Symbolic Model Verifier) to MDL
Thank you for your attention!Thank you for your attention!