sat-based model checking without unrolling aaron r. bradley

SAT-Based Model Checking SAT-Based Model Checking Without UnrollingWithout Unrolling

Aaron R. BradleyAaron R. Bradley

Outline

• Introduction to model checking• Definitions• Algorithm• Conclusion• References

Introduction (1/2)

Model

Formula P

Modelchecker

True or False

Important part of formal verification

Introduction (2/2)• Types of model checking

– BDD based• Too large for a great amount of variables• Variable ordering is time consuming

– SAT based• Bounded Model Checking• Unbounded Model Checking

– Unbounded symbolic model checking– Interpolation-based model checking (ITP)

• SAT-based model checking without unrolling

Outline


Definitions

• Finite-state transition system S : ( , I( ), T( , ’))• State s : an assignment of .

F-state : S F╞• Clause : a disjunction of literals.

Subclause : The set of d’s literals is a subset of c’s.

• Trace s0, s1, s2, ... : ,• Safety property P( ) : for the system S,

P is S-invariant iff only P-states are reachable. not invariant iff a trace s0, ..., sk such that

x

Initial conditiontransition relation

x x x

Next state

x 321 xxxs

cd )( 31 xxc

x

A set of Boolean variables

cxd 1

A state that appears in some traces is reachable.

FI

Ts

s’t

t’

P

• F( ) is inductive : (1) initiation (2) consecution•F( ) is inductive relative to G( ) :

(1)(2)

•F( ) is inductive strengthening of P :(1)(2)If F is a system only P-states are

reachable P is F-invariant

Definitions

FI

Ts

s’x

FIs

s’G

t

t’xx

x

F( ) : formula (can be seen as a set of states with variable )x

x

Definitions

• Inductive generalization of a cube s : The process to find a minimal inductive subclause d of ￢ s (inductive relative to G)(1) (2) d is inductive. (3) d doesn’t contain any inductive subclauses.

• How to find d :1. down: Let d=c0 = c, check if ( ), d is inductive.

else let d=c1 = c0∩ ￢ s (s : counterexample), iterate the process… 2. MIC: is inductive but not necessarily minimal. Let d1 = d (drop some literal), and call down to reduce its size.

If it fails, try a different literal until no literal can be dropped.

sd ', dTddI

', dTdGdI

cd

subclause

inductive

minimal

Example (1/3)

• Find minimal inductive subclause• Assume I = {100}, c = {110}

Clauses(c) = (xy ￢ z) Clause( ￢ c) = ( ￢ x+ ￢ y+z)

• downLet d = ￢ c = { 000, 001, 010, 011, 100, 101, 111} = ( ￢ x+ ￢ y+z)Check

Let d = d ∩ ￢ s = { 000, 001, 010, 011, 100, 101} = ( ￢ x+ ￢ y)Check

100 001 010

101000011

110

111

Reachable state

Unreachable state

Counterexample

Initial state

)'()()()(

FdTdTzyxzyxdIdI

dexit would{111}s mplecounterexaa is there

)'()()()(

TdTdTyxzyxdIdI

dreturn

cd

Over-approximate

Example (2/3)

• MIC Let d1 = d (drop ￢ y) = ￢ x

call down with Clause( ￢ c) = ( ￢ x+ ￢ y+z) Let d = ￢ x = { 000, 001, 010, 011}Check

100 001 010

101000011

110

111

)'()()()(

FdTdFxzyxdIdI

Falsereturn

Example (3/3)

• MIC• Let d1 = d (drop ￢ x) = ￢ y

call down with Clause( ￢ c) = ( ￢ x+ ￢ y+z) Let d = ￢ y = { 000, 001, 100, 101}Check

Let d = d ∩ ￢ s = { 000, 100, 101} = ( ￢ y)(x+y+ ￢ z) = ( ￢ y)(x+ ￢ z) Check

Let d = d ∩ ￢ s = { 000, 101} • d = ( ￢ x+ ￢ y) is the minimal inductive subclause of c.

100 001 010

101000011

110

111

)'()()()(

FdTdTyzyxdIdI


)'())(()()(

FdTdTzxyzyxdIdI


FdI )( Falsereturn

Outline


P

• Input: a transition system S and a safety property P.• Output: an inductive strengthening (if P is S-invariant) or a counterexample trace (if P is not S-invariant)• Core logical data structure

The algorithm incrementally refines and extends a sequence of formulas F0=I, F1, F2, . . . , Fk that are over-approximations of the sets of states reachable in at most 0, 1, 2, . . . , k steps. They obeys the following properties:– (1) – (2) – (3)– (4)

Fi+1

Fi

I

P

• F0 = I : the initial state set, check 0 or 1 step violation.• F1 =P : find 2 step violation from I eliminate s by adding clauses( ￢ s) in Fi (i= 0~k) to which is inductive

relative by ￢ s. if ￢ s is not inductive relative to F1 :

(add clauses ￢ s to F1 )• F2, . . . , Fk that are over-approximations of the sets of states reachable

in at most 0, 1, 2, . . . , k steps. They obeys the following properties:– (1) – (2) – (3)– (4)

Fi+1

Fi

I

'1 PTsF

'1 sTsF

prove () { obvious violation for k = 1 to … check(k) propagate(k)}

Main function: If P is S-invariant, return true

PFk 1

check (k) { while s = the state lead to violation i = inductive(s, k) push({i+1, s}, k)}

Ensure

PTFk

)( iFclausesc

'cTFi

F0~Fi cannot reach s.

F0 F1 … Fi … Fk Fk+1

Fk

F1

I

PsMake s inductive relative to Fk, so

￢ s ￢ s ￢ s ￢ s ￢ s ↑ ↑ ↑ ↑Subclause of ￢ s

If i < k-1, Fk still contains s

s

Fi+1~Fk cannot reach s.

'sTFn

sTp

• Example I = {000}, P = ￢ x+ ￢ y+ ￢ zprove() { (0 or 1 step violation) // false

initialize // F0 = {000}, F1 = F2 = F3 = ... = P for // k = 1

check (k=1) { while (F1 will go to ￢ P) // true

s = the state lead to violation // s={111}

i = inductive (s, k=1) { find ￢ s inductive relative to F0

eliminate s in F0, F1 // F0 = {000}, F1=P\{111}

} // i=0 push ({n=1, s=111}, k=1)

000 001 010

110101100

011

111


check (k) { while s = the state lead to violation i = inductive(s, k) push({i+1, s}, k)}

PTFk

inductive (s, k) { Find ￢ s is inductive relative to which Fi

(smallest i), then add minimal subclause of ￢ s to F0~Fi+1, return i}

￢ P

I

• Example I = {000}, P = ￢ x+ ￢ y+ ￢ z push ({n=1, s=111}, k=1) {

while (not all n > k) { // true, states = {1,111} choose {1, s}, if( ) // true p = predecessor of s // p = {011}

m = inductive (p, k=1) { find ￢ p inductive relative to F1

eliminate s in F0, F1, F2 // F0 = {000}, F1=P\{111,011}, F2=P\{011} } // m = 1 add {2, p} to states // states = {1,111}, {2,011}

}

000 001 010

110101100

011

111

push ({n, s}, k) { While(not all n of states > k) choose min n, if p = predecessor of s m = inductive(p, k) add {m+1, p} to stateselse m = inductive(s, k) states \ {n, s} U {m+1, s} }

'sTFn

sTp 'sTFn

• Example I = {000}, P = ￢ x+ ￢ y+ ￢ z while (not all n > k) // true, states = {1,111}, {2,011} choose {1, s}, if( ) // false, because F1=P\{111,011}

m = inductive (s, k=1) { find ￢ s inductive relative to F1

eliminate s in F0, F1, F2 // F0 = {000}, F1=P\{111,011}, F2=P\{111, 011} } // m = 1

states \ {1,s} U {2,s} // states = {2,111}, {2,011}

000 001 010

110101100

011

111


'sTFn

sTp 'sTFn

• Example I = {000}, P = ￢ x+ ￢ y+ ￢ z while (not all n > k) // false, states = {2,111}, {2,011} // exit push // F0 = {000}, F1=P\{111,011}, F2=P\{111, 011} // F0 = ￢ x ￢ y ￢ z, F1 = ￢ y+ ￢ z, F2 = ￢ y+ ￢ z

propagate(1) { for i = 1 for c = ( ￢ y+ ￢ z) if(…) // false if Fi+1 = Fi return true //true }

Prove return true P is invariant ! (It cannot reach ￢ P state )

000 001 010

110101100

011

111


'sTFn

sTp


propagate (k) { for i = 1 to k if c not in Fi+1 & add c to Fi+1

If Fi+1 = Fi return true}

)( iFclausesc

'cTFi

Outline


Conclusion (1/2)• Performance of ic3 in HWMCC’10

– Incremental generation of stepwise-relative inductive clauses is a promising new approach to symbolic model checking.

– It is amenable to simple yet effective parallelization.

• Future work : – How inductive clause generation can be used to

accelerate finding counterexamples– Apply the ideas of stepwise-relative inductive

generalization to an infinite-state setting.

Outline


Reference• Orna Grumberg and Helmut Veith , 25 years of model

checking: history, achievements, perspectives

Thanks for your attention.

sat-based model checking without unrolling aaron r. bradley

Documents