Post on 21-Dec-2015
Abstraction Refinement for Bounded Model Checking
Anubhav Gupta, CMU
Ofer Strichman, Technion
Highly Jet Lagged
Bounded Model Checking (BMC)
- Search for bugs in executions of bounded length
- Generates a propositional formula that is satisfiable if and only if there is a counterexample of length k
- Extremely efficient SAT solvers are available
Abstraction for BDD-based Model Checking
- Model checking complexity is proportional to BDD size
- Abstraction gives a smaller BDD
- How to identify the abstraction?
Inside a SAT Solver
- Davis-Putnam-Logemann-Loveland (DPLL) procedure
- Decisions
- Boolean Constraint Propagation (BCP)
- Conflict Analysis, Backtrack
(figure: search tree)
Decisions
- Identify a good variable and assign it a value
- Many variable selection heuristics
  - Give preference to variables that are involved in conflicts
  - Order is continuously updated
  - Like abstraction-refinement
- These heuristics try to reduce the size of the search tree
BCP
- Identify assignments implied by the unit-clause rule
- 90% of solver run-time is spent on BCP
- Time spent on BCP is proportional to the size of the CNF
Conflict Analysis and Backtrack
- Identify the variable assignments responsible for the infeasibility of the current search path
- Ensures that assignments are locally consistent
- Prune away irrelevant parts of the search tree
Why Abstraction for BMC?
- Variable selection can focus on important variables
- Solver can ignore local conflicts that are irrelevant to the property
- BCP is faster on a smaller CNF
- How to identify the abstraction?
CEGAR for BMC
- Apply CEGAR to BMC
- Refinement: SAT solvers produce proofs of unsatisfiability
  - Have been used successfully for refinement in CEGAR for model checking
  - Proofs provide an efficient and inexpensive refinement mechanism for CEGAR on BMC
CG-BMC
- Abstract model: the model that refutes previously seen spurious counterexamples
- Forces the solver to find a full abstract trace before attempting to refute it
- Solver is not lost in local conflicts
- Most of the BCP is performed on the smaller abstract model
(figure: Abstract Model, Concrete Model)
A more robust CG-BMC
- The following scenario was observed on some benchmarks:
  - Current abstract model is sufficient to prove the property
  - Proving the property on the abstract model is hard: BMC on the abstract model is slow
  - There exists an easier proof using additional constraints from the concrete model: BMC on the concrete model is faster
  - CG-BMC gets stuck on the abstract model
- Solution: timeouts
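Added example, not code from the slides or from the authors' zChaff-based implementation: a small Python CG-BMC loop over a CNF unrolling that ties together the DPLL pieces above (decisions, BCP, conflict and backtrack), the two-solver abstraction-refinement loop of the CG-BMC slide, and the timeout fallback of the robust variant. Assumptions made here: the abstraction is clause-level (the abstract model is a subset of the concrete clauses, so solver 1 only decides the variables those clauses mention); refinement uses a deletion-based unsatisfiable core as a stand-in for the resolution proof a real solver would emit; the timeout is a decision budget; and the two CNFs are constructed, not taken from the PicoJava benchmarks. The names cg_bmc, dpll, bcp and unsat_core are mine.

```python
from typing import Dict, List, Optional, Sequence, Tuple

Clause = Tuple[int, ...]      # DIMACS style: 3 means x3, -3 means not x3
Assignment = Dict[int, bool]

def clause_vars(clauses: Sequence[Clause]) -> List[int]:
    return sorted({abs(lit) for c in clauses for lit in c})

def satisfied(clause: Clause, a: Assignment) -> bool:
    return any(a.get(abs(lit)) == (lit > 0) for lit in clause)

def bcp(clauses: Sequence[Clause], a: Assignment) -> bool:
    """Boolean constraint propagation: apply the unit-clause rule to a fixpoint.
    Mutates `a`; returns False when a clause has every literal false (conflict)."""
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if satisfied(c, a):
                continue
            free = [lit for lit in c if abs(lit) not in a]
            if not free:
                return False
            if len(free) == 1:              # unit clause: its literal is forced
                a[abs(free[0])] = free[0] > 0
                changed = True
    return True

def dpll(clauses, variables, assumptions=None, stats=None, budget=None):
    """Minimal DPLL: BCP, decide the first free variable, backtrack chronologically.
    Returns a model over `variables`, or None if UNSAT or if `budget` decisions were
    used up (then stats["timeout"] is set; this plays the robust variant's timeout)."""
    stats = stats if stats is not None else {"decisions": 0, "conflicts": 0}

    def search(a: Assignment) -> Optional[Assignment]:
        a = dict(a)
        if not bcp(clauses, a):
            stats["conflicts"] += 1
            return None
        free = [v for v in variables if v not in a]
        if not free:
            return a
        if budget is not None and stats["decisions"] >= budget:
            stats["timeout"] = True
            return None
        stats["decisions"] += 1
        for value in (True, False):
            model = search({**a, free[0]: value})
            if model is not None:
                return model
        return None

    return search(dict(assumptions or {}))       # assumptions are fixed before search

def unsat_core(clauses, variables, assumptions) -> List[Clause]:
    """Deletion-based unsat core under `assumptions`, a stand-in for the resolution
    proof a real solver emits: keep a clause only if dropping it restores satisfiability."""
    core = list(clauses)
    i = 0
    while i < len(core):
        trial = core[:i] + core[i + 1:]
        if dpll(trial, variables, assumptions) is None:
            core = trial                    # still UNSAT without it: not needed
        else:
            i += 1
    return core

def cg_bmc(concrete, seed, abstract_budget=None):
    """CG-BMC over a CNF unrolling. The abstract model is the set of clauses that
    refuted earlier spurious traces, seeded with e.g. the property clause.
    Returns (verdict, concrete trace or None, solver statistics)."""
    all_vars = clause_vars(concrete)
    abstract = list(seed)
    stats = {"decisions": 0, "conflicts": 0, "refinements": 0}
    while True:
        # Solver 1: a full abstract trace over the abstract model's variables only.
        s1 = {"decisions": 0, "conflicts": 0}
        trace = dpll(abstract, clause_vars(abstract), stats=s1, budget=abstract_budget)
        for k in ("decisions", "conflicts"):
            stats[k] += s1[k]
        if trace is None and not s1.get("timeout"):
            return "NO BUG", None, stats    # abstract model already refutes every trace
        if trace is None:                   # timed out: fall back to the concrete model
            stats["fallback"] = True
            model = dpll(concrete, all_vars, stats=stats)
            return ("BUG" if model is not None else "NO BUG"), model, stats
        # Solver 2: try to extend the abstract trace to the concrete model.
        model = dpll(concrete, all_vars, assumptions=trace, stats=stats)
        if model is not None:
            return "BUG", model, stats
        # Spurious trace: refine with exactly the clauses its refutation used.
        new = [c for c in unsat_core(concrete, all_vars, trace) if c not in abstract]
        assert new, "a refutation must use a clause outside the abstract model"
        abstract.extend(new)
        stats["refinements"] += 1

# Constructed stand-ins for two BMC unrollings (not the paper's benchmarks).
SEED = [(1, 2)]                           # property clause: a bad state (x1 or x2) is reached
CONCRETE_BUG = SEED + [(-1, 3), (-3, -4), (4,), (-2, 5), (-5, 6)]   # the x2 path is real
CONCRETE_SAFE = CONCRETE_BUG + [(-6,)]    # x6 forced false, so every bad path is blocked
```

cg_bmc(CONCRETE_BUG, SEED) first finds the abstract trace x1 = x2 = true, which solver 2 refutes through the x1 chain; the three clauses of that refutation are added to the abstract model, and the next abstract trace (x2 true, x1 false) extends to a real concrete bug. On CONCRETE_SAFE the abstract model grows twice, after which solver 1 alone returns UNSAT, which is the "no bug" exit: the concrete solver is never needed to prove the property. Passing abstract_budget=0 exercises the timeout fallback. The deletion-based core is quadratic in the number of clauses and only sensible for a toy; the point of the slides is that a real solver hands the refinement clauses over for free in its proof.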
Related Work
- Refining the SAT decision ordering for bounded model checking, Wang et al., DAC 2004
  - Variables in the current abstract model are given preference in the variable splitting order
  - Static method: always decide first on variables in the abstract model
  - Dynamic method: switch to the default solver heuristic after a threshold number of backtracks
  - Solver works on the whole CNF: BCP is expensive, potential for irrelevant conflicts
Our CG-BMC Implementation
(figure: flowchart with two incremental SAT solvers, IncrementalSolver1 and IncrementalSolver2; branches labelled Sat / Unsat and Yes / No, ending in BUG or NO BUG)
Experiments
- PicoJava benchmarks, derived from compositional verification of the ICU (source: Ken McMillan)
- Implementation on top of zChaff
- Comparison with BMC and Wang et al.
- Timeout = 2 hrs, max depth (K) = 60
- Measured run-time and number of backtracks
CG-BMC vs. BMC (Backtracks)
(figure: backtracks per circuit on a log scale from 1 to 1,000,000; series BMC, CG-BMC, CG-BMC-T)
CG-BMC vs. Wang et al. (Run-time)
(figure: time in seconds per circuit on a log scale from 1 to 10,000; series Static, Dynamic, CG-BMC, CG-BMC-T)
CG-BMC vs. Wang et al. (Backtracks)
(figure: backtracks per circuit on a log scale from 1 to 1,000,000; series Static, Dynamic, CG-BMC, CG-BMC-T)
Conclusions
- Abstraction refinement makes BMC faster
  - Reduction in the number of backtracks
  - Reduction in BCP time
Future Work
- CG-BMC inside a SAT solver
  - Abstraction levels for clauses
  - Ignore clauses in lower levels until all higher levels are satisfied
  - Move clauses up (and down) across levels
- Application to SAT solving in general