Tuning SAT-checkers for Bounded Model-Checking (PowerPoint presentation transcript)
Description: A bounded guided tour. Ofer Shtrichman, Weizmann Institute & IBM (HRL). Outline: basic theory of Bounded Model Checking (BMC), SAT highlights, tuning SAT checkers for BMC, results. The Bounded Model Checking Problem: Safety.
Weizmann Institute
Tuning SAT-checkers for Bounded Model-Checking
A bounded guided tour
Ofer Shtrichman
Weizmann Institute & IBM (HRL)
Basic theory of Bounded Model Checking (BMC)
SAT highlights
Tuning SAT checkers for BMC
Results
The Bounded Model Checking Problem: Safety
Given a Safety property p (e.g. AG p: “always signal_a = signal_b”):
Is there a state reachable within k cycles which satisfies ¬p?
[Figure: the states s0, s1, s2, ..., s(k-1), sk, each tested for ¬p]
The Bounded Model Checking Problem: Liveness
Given a Liveness property p (e.g. AGAF p: “always, eventually signal_a = signal_b”):
Is there a loop in the first k cycles, none of whose states satisfies p?
[Figure: the states s0, s1, s2, ..., s(k-1), sk, each tested for ¬p, with a back-edge closing the loop]
Reducing the BMC problem to SAT (1/3):
The reachable states in k steps are captured by (T denotes the transition relation):
$M_k := I(s_0) \wedge T(s_0, s_1) \wedge T(s_1, s_2) \wedge \ldots \wedge T(s_{k-1}, s_k)$
The property p fails in one of the cycles 1..k:
$f_k := \neg p_1 \vee \neg p_2 \vee \ldots \vee \neg p_k$
Reducing the BMC problem to SAT (2/3):
The BMC formula for a safety property is:
$I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1}) \wedge \bigvee_{i=0}^{k} \neg p_i$
The safety property p is valid up to cycle k iff this formula is unsatisfiable.
[Figure: the states s0, s1, s2, ..., s(k-1), sk, each tested for ¬p]
Reducing the BMC problem to SAT (3/3):
For Liveness properties, add a disjunction of possible loops:
$I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1}) \wedge \bigvee_{l=0}^{k} \Big( T(s_k, s_l) \wedge \bigwedge_{j=l}^{k} \neg p_j \Big)$
[Figure: the states s0, s1, s2, ..., s(k-1), sk, each tested for ¬p, with a back-edge from sk to some sl closing the loop]
Example: a two bit counter
Initial state: $I := \neg l_0 \wedge \neg r_0$
Transition relation: $T(s_i, s_{i+1}) := (l_{i+1} = l_i \oplus r_i) \wedge (r_{i+1} = \neg r_i)$
Property: $p = AG\,\neg(l \wedge r)$, with bound $k = 2$.
States: 00, 01, 10, 11 (the counter cycles through them in this order).
The BMC formula for k = 2:
$(\neg l_0 \wedge \neg r_0) \wedge \big((l_1 = l_0 \oplus r_0) \wedge (r_1 = \neg r_0)\big) \wedge \big((l_2 = l_1 \oplus r_1) \wedge (r_2 = \neg r_1)\big) \wedge \big((l_0 \wedge r_0) \vee (l_1 \wedge r_1) \vee (l_2 \wedge r_2)\big)$
For k = 2, the formula is unsatisfiable. For k = 4, it is satisfiable.
Traditional Symbolic Model-Checking with BDDs
• The reachable state-space is represented by a BDD
• The property is evaluated recursively, by iterative fix point computations on the reachable state-space.
• The size of the BDD is typically the bottleneck of Model-Checking.
Why SAT?
• Smart DFS search: potentially reaches a satisfying sequence (counter example) faster
• No exponential space growth
“Satisfiability checking is a ‘luck-based technology’”
The Davis-Putnam procedure
Given in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)
Steps: Decide(), Deduce(), Diagnose()
Search tree shown on the slide (X marks a conflict):
- x = T: remaining clauses (y),(-y,z),(-y,-z)
  - y = T: remaining clauses (z),(-z); z = T: X, z = F: X
  - y = F: empty clause (): X
- x = F: remaining clauses (y,z),(-y,z)
  - z = F: remaining clauses (y),(-y); y = T: X, y = F: X
  - z = T: all clauses satisfied
Decide() criteria: On which variable to split?
- satisfies the most clauses (DLIS)
- satisfies the shortest clause
- only positive or negative (‘pure literal rule’)
- most frequent
Results (Sec.)

| Design # | k | RB1 | RB2 | Grasp |
|---|---|---|---|---|
| 1 | 18 | 7 | 6 | 282 |
| 2 | 5 | 70 | 8 | 1.1 |
| 3 | 14 | 597 | 375 | 76 |
| 4 | 24 | 690 | 261 | 510 |
| 5 | 12 | 803 | 184 | 24 |
| 6 | 22 | * * * | 356 | * * * |
| 7 | 9 | * * * | 2671 | 10 |
| 8 | 35 | * * * | * * * | 6317 |
| 9 | 38 | * * * | * * * | 9035 |
| 10 | 31 | * * * | * * * | * * * |
| 11 | 32 | 152 | 60 | * * * |
| 12 | 31 | 1419 | 1126 | * * * |
| 13 | 14 | * * * | 3626 | * * * |

* * * = exceeds 10,000 sec.
Tuning SAT for BMC (1/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on the formula's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Clashing clouds...
With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously.
[Figure: the unfolding between I0 and ¬Pk, with separate “clouds” of assigned variables (v2, v5, v6, ..., v15) growing independently until they clash]
General-purpose vs. tailor-made Decide() strategies...
The formula contains a sub-term: ... (x = (y1 ∧ y2 ∧ y3)) ...
[Figure: the same decisions x = T, y1 = F, y2 = F, y3 = T under both strategies; the general-purpose strategy back-tracks far up the decision sequence, the tailor-made strategy back-tracks within the sub-term]
Use the formula's structure to resolve conflicts on a more local level...
A k-unfolding of the variable dependency graph
[Figure: the dependency graph of the variables v0, v1, v2, ... replicated over the k cycles; each variable at cycle i is a function f of variables at cycles i-1 and i]
A head on attack...
[Figure: I0 at one end of the unfolding, Pk at the other]
Riding on unreachable states...: decide from the Pk side towards I0; the assignment should satisfy I0.
Riding on legal executions...: decide from the I0 side towards Pk; the assignment should satisfy Pk.
A combined heuristic
[Figure: I0 at one end of the unfolding, Pk at the other]
Trigger BFS with p_i, i = 0..k
Given an order, guess a value
Dynamic decision of the value: constant value, previous value, ‘flat’ computation.
[Figure: a decision sequence ... x5 = 0, x7 = ?, x9 = 0, where the value for the next variable is taken either from the previous value or from a ‘flat’ computation; illustrated with the assignments x2 = 1, y7 = 0, z2 = 0, y3 = 1 and x2 = 0, y7 = 0, z2 = 0, y3 = 1]
Tuning SAT for BMC (2/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on the formula's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Exploiting the formula's structure in AGp formulas
The formula
$I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1}) \wedge \bigvee_{i=0}^{k} \neg p_i$
has a structure that can be used for adding conflicting clauses:
• If x3 = T, y7 = F, z5 = T leads to a conflict, then the formula conjoined with the clause (¬x3 ∨ y7 ∨ ¬z5) is satisfiable iff the formula is satisfiable.
• The new clause can be seen as a constraint on the state-space.
Exploiting the formula's structure in AGp formulas (continued)
• If x3 = T, y7 = F, z5 = T leads to a conflict, then so will x2 = T, y6 = F, z4 = T.
• Therefore, we can also add: (¬x2 ∨ y6 ∨ ¬z4), (¬x1 ∨ y5 ∨ ¬z3), (¬x0 ∨ y4 ∨ ¬z2) and ... (¬x4 ∨ y8 ∨ ¬z6) ... (¬x_{k-4} ∨ y_k ∨ ¬z_{k-2}).
• Yet, the formula is not fully symmetric because of I0. We first have to check, by simulating an assignment, whether the replicated clause indeed leads to a conflict.
Tuning SAT for BMC (3/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on the formula's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Restricting Decide()
Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of the formula:
- Model variables (~15% of the formula's variables)
- Input variables (~5% of the formula's variables)
Fewer variables to Decide() implies more variables to Deduce().
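As an added example that is not part of the talk, the two-bit counter from the slides is unfolded k cycles into CNF and checked with a small Davis-Putnam style solver (Deduce() as unit propagation, Decide() as splitting, back-tracking on conflict) whose decisions are restricted to the model variables l_i, r_i in cycle order; the names l_i, r_i and the Tseitin names b_i for ¬p_i are this example's own convention. It serves the reduction slides, the Davis-Putnam slide and the restricted-Decide() slide above.

```python
# Added example, not from the talk; variable names l_i, r_i, b_i are this example's convention.
def xor_clauses(z, x, y):                               # CNF for z = x xor y
    return [[(z, False), (x, True), (y, True)], [(z, False), (x, False), (y, False)],
            [(z, True), (x, False), (y, True)], [(z, True), (x, True), (y, False)]]
def counter_bmc_cnf(k):
    """I(s0) and T(s0,s1) ... T(s_{k-1},s_k) and OR_{i=0..k} (l_i and r_i)."""
    cnf = [[("l0", False)], [("r0", False)]]            # I: l0 = r0 = 0
    for i in range(k):                                   # T: l' = l xor r, r' = not r
        cnf += xor_clauses(f"l{i+1}", f"l{i}", f"r{i}")
        cnf += [[(f"r{i+1}", True), (f"r{i}", True)], [(f"r{i+1}", False), (f"r{i}", False)]]
    cnf.append([(f"b{i}", True) for i in range(k + 1)])  # some cycle i violates p
    for i in range(k + 1):                               # b_i -> l_i, b_i -> r_i (Tseitin)
        cnf += [[(f"b{i}", False), (f"l{i}", True)], [(f"b{i}", False), (f"r{i}", True)]]
    return cnf

def deduce(cnf, assign):
    """Deduce(): unit propagation in place; False when some clause is falsified."""
    changed = True
    while changed:
        changed = False
        for clause in cnf:
            if any(assign.get(v) == pol for v, pol in clause):
                continue                                 # clause already satisfied
            free = [lit for lit in clause if lit[0] not in assign]
            if not free:
                return False                             # conflict
            if len(free) == 1:
                assign[free[0][0]] = free[0][1]          # implied literal
                changed = True
    return True

def dpll(cnf, order, assign=None):
    """Decide() splits only on the variables in `order`, in that order."""
    assign = dict(assign or {})
    if not deduce(cnf, assign):
        return None                                      # Diagnose(): back-track
    pending = [v for v in order if v not in assign]
    if not pending:
        return assign                                    # all assigned, no conflict
    for pol in (False, True):
        res = dpll(cnf, order, {**assign, pending[0]: pol})
        if res is not None:
            return res
    return None

def check_counter(k):                                   # model variables first, by cycle
    cnf = counter_bmc_cnf(k)
    order = [f"{n}{i}" for i in range(k + 1) for n in "lr"]
    order += sorted({v for c in cnf for v, _ in c} - set(order))
    return dpll(cnf, order)                              # None means unsatisfiable
```

For this counter every l_i, r_i and b_i is implied by Deduce() once l0, r0 are fixed, so the solver needs no decisions at all: k = 2 is unsatisfiable and k = 4 returns the assignment with l3 = r3 = 1, the state 11.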
Results (Sec.)

| # | k | RB2 | Grasp | Rep | SM c | SM f | SM(k-1) |
|---|---|---|---|---|---|---|---|
| 1 | 18 | 6 | 282 | 115 | 3 | 57 | 20 |
| 2 | 5 | 8 | 1.1 | 1.1 | 0.8 | 1.1 | 0.4 |
| 3 | 14 | 375 | 76 | 52 | 3 | 2069 | 934 |
| 4 | 24 | 261 | 510 | 225 | 12 | 27 | 26 |
| 5 | 12 | 184 | 24 | 24 | 2 | 2 | 1 |
| 6 | 22 | 356 | * * * | * * * | 18 | 16 | 28 |
| 7 | 9 | 2671 | 10 | 10 | 2 | 1.8 | 1.3 |
| 8 | 35 | * * * | 6317 | 2870 | 20 | 338 | 30 |
| 9 | 38 | * * * | 9035 | * * * | 25 | 277 | 230 |
| 10 | 31 | * * * | * * * | 9910 | 312 | 22 | 1061 |
| 11 | 32 | 60 | * * * | * * * | * * * | * * * | * * * |
| 12 | 31 | 1126 | * * * | * * * | * * * | * * * | * * * |
| 13 | 14 | 3626 | * * * | * * * | * * * | * * * | * * * |

* * * = exceeds 10,000 sec.
The Conclusion
Many of the (BDD) hard cases can be more efficiently solved with the optimized SAT procedure.