Page 1
SAT-based Bounded and Unbounded Model Checking
Edmund M. Clarke, Carnegie Mellon University
Joint research with C. Bartzis, A. Biere, P. Chauhan, A. Cimatti, T. Heyman, D. Kroening, J. Ouaknine, R. Raimi, O. Strichman, and Y. Zhu
Page 2
Why am I giving this talk?
I have an ulterior motive for this talk.
Second Edition!
Need a chapter on SAT for the second edition.
Page 3
Outline of Talk
1. Motivation
2. Bounded Model Checking
3. Complete methods using SAT
   a. Induction
   b. Unbounded Model Checking
      --- with cube enlargement
      --- with circuit co-factoring
      --- with interpolants
Page 4
Outline of Talk
1. Motivation: yes
2. Bounded Model Checking: yes
3. Complete methods using SAT
   a. Induction: no
   b. Unbounded Model Checking
      --- with cube enlargement: yes
      --- with circuit co-factoring: maybe
      --- with interpolants: no
Page 5
SAT Solver Progress 1960-2010
[Plot: number of variables handled by SAT solvers (Vars, log scale from 1 to 100000) against Year, 1960 to 2010]
Page 6
Model Checking (CE81, QS82)
Specification: temporal logic
Model: finite state transition graph
Advantages:
• Always terminates
• Automatic
• Usually fast
• Can handle partially specified models
• Counterexample if specification is false
Page 7
Symbolic Model Checking
Method used by most “industrial strength” model checkers.
Uses Boolean encoding for state machine and sets of states.
Can handle much larger designs – hundreds of state variables.
BDDs traditionally used to represent Boolean functions.
Page 8
Problems with BDDs
• BDDs are a canonical representation. They often become too large.
• Variable ordering must be uniform along paths.
• Selecting the right variable ordering is very important for obtaining small BDDs. This is often time consuming or needs manual intervention.
• Sometimes no space-efficient variable ordering exists.
This talk describes alternative approaches to model checking that use SAT procedures.
Page 9
Advantages of SAT Procedures
SAT procedures also operate on Boolean formulas but do not use canonical forms.
Do not suffer from the potential space explosion of BDDs.
Different split orderings possible on different branches.
Very efficient implementations exist.
Page 10
Bounded Model Checking
A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99
Page 11
Bounded Model Checking as SAT
Given a property p (e.g. "signal_a = signal_b"):
Is there a state reachable in k cycles which satisfies p?
[Diagram: path s0, s1, s2, ..., sk-1, sk, with the label p at each state]
Page 12
Bounded Model Checking: Safety
The reachable states in k steps are captured by:
The property p fails in one of the k steps:
Page 13
Bounded Model Checking: Safety
The safety property p is valid up to step k iff the BMC formula for bound k is unsatisfiable:
[Diagram: path s0, s1, s2, ..., sk-1, sk, with the label p at each state]
Page 14
Bounded Model Checking: Safety
Example: a two-bit counter
Property: G ¬(l ∧ r)
Initial state I: ¬l ∧ ¬r
Transition R: l' = (l ⊕ r) ∧ r' = ¬r
[Diagram: the counter cycles through the states 00, 01, 10, 11]
For k = 2, the BMC formula is unsatisfiable. For k = 3, it is satisfiable.
Page 15
Bounded Model Checking: Liveness
There is no counterexample of length k to the liveness property F p iff the BMC formula for bound k is unsatisfiable:
[Diagram: path s0, s1, s2, ..., sk-1, sk, with the label ¬p at every state and a loop back from sk to an earlier state]
Page 16
BMC formula for arbitrary LTL (standard translation)
Size of the resulting formula: O(k|M| + k³|φ|). With sharing of subformulas it becomes O(k|M| + k²|φ|).
[Diagram: path positions i, l, k]
Page 17
A fixpoint based translation
Idea: for lasso-shaped Kripke structures, the semantics of LTL and CTL coincide.
Add a formula that isolates a lasso-shaped path.
Use the fixpoint characterization of CTL, e.g. E[φ U ψ] = ψ ∨ (φ ∧ EX E[φ U ψ]).
T. Latvala, A. Biere, K. Heljanko, and T. Junttila: "Simple Bounded LTL Model Checking", FMCAD 04
[Diagram: path positions i, k]
Page 18
Overall formula
[Figure: the overall formula is built from the model, the LTL formula and the bound: the unrolled model, a constraint that isolates a lasso-shaped path, and the fixpoint formula]
Page 19
Loop constraints
• If l_i is true then there exists a loop at position i.
• At most one l_i is true.
Page 20
Fixpoint formula
[Figure: the fixpoint formula laid out over positions i, j up to k, with the base entries False and True]
Size of the resulting formula: O(k(|M| + |φ|))
Page 21
Generating the BMC formula (based on the Vardi-Wolper algorithm)
A labeled Büchi automaton is a 5-tuple B = ⟨S, S0, Δ, L, F⟩: states S, initial states S0, transition relation Δ, labels L, final states F.
Acceptance condition: an infinite word w is accepted iff the execution of w on B passes through a final state an infinite number of times.
Page 22
LTL model checking
Given a transition system M and an LTL property φ:
1. Translate ¬φ into a Büchi automaton B
2. Compute the product automaton P = M × B
3. Check if P is empty: is a fair loop reachable?
[Diagram: automaton with initial state s0]
Page 23
Generating the BMC formula
E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman: "Computational challenges in Bounded Model Checking", STTT 05
Encode all paths of P that start at an initial state and are k steps long.
Require that at least one path contains a loop, and that at least one state in the loop is final.
[Diagram: unrolled paths from s0]
Page 24
Generating the BMC formula
[Diagram: path s0, ..., sl, ..., sk-1, sk with a loop back to sl]
• Start from the initial state
• Follow k transitions
• Choose a state where the loop starts
• Require that some state in the loop is final
Page 25
Bounded Model Checking
[Flowchart: k = 0; run BMC(M, φ, k); if SAT, answer yes; if UnSAT, k++ and repeat until k ≥ CT; the loop may also stop because resources are exceeded]
CT is the completeness threshold.
Page 26
The Completeness Threshold
Computing CT is as hard as model checking.
Idea: compute an over-approximation to the actual CT. Consider the system P as a graph and compute CT from the structure of P.
Page 27
Basic notions
Diameter D(M) = longest shortest path between any two reachable states.
Recurrence Diameter RD(M) = longest loop-free path between any two reachable states.
The initialized versions DI(M) and RDI(M) start from an initial state.
[Figure: example graph with D(M) = 2 and RD(M) = 3; DI(M) = and RDI(M) = are left blank]
Page 28
CT for safety properties
Theorem: for AGp properties, CT = DI(M).
[Figure: from s0, a state violating p is reached by a path of length ≤ DI(M)]
For AFp properties this does not hold:
[Figure: example with DI(M) = 3 but CT = 4]
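The two-bit counter of Page 14 run through the BMC loop of Page 25, as an added Python example (not code from the talk): the bound-k formula I(s0) ∧ R(s0,s1) ∧ ... ∧ R(s_{k-1},s_k) ∧ (¬p(s0) ∨ ... ∨ ¬p(s_k)) is checked by brute-force enumeration in place of a SAT solver, and the loop stops at the safety threshold CT = DI(M) of the theorem above, which the example computes by explicit-state BFS only because the model has four states.

```python
from itertools import product

# Two-bit counter from the slides: a state is the pair (l, r) of Booleans.
# Initial state I: ¬l ∧ ¬r.  Transition R: l' = l ⊕ r, r' = ¬r.  Property: G ¬(l ∧ r).
STATES = [(l, r) for l in (False, True) for r in (False, True)]

def init(s):
    l, r = s
    return not l and not r

def trans(s, t):
    (l, r), (l2, r2) = s, t
    return l2 == (l != r) and r2 == (not r)

def prop(s):
    l, r = s
    return not (l and r)

def bmc(k, init, trans, prop):
    """Brute-force check of the bound-k BMC formula
    I(s0) ∧ R(s0,s1) ∧ ... ∧ R(s_{k-1},s_k) ∧ (¬p(s0) ∨ ... ∨ ¬p(s_k)).
    A SAT solver would do this search; here every sequence of k+1 states is
    tried. Returns a counterexample path, or None if the formula is unsatisfiable."""
    for path in product(STATES, repeat=k + 1):
        if not init(path[0]):
            continue
        if not all(trans(path[i], path[i + 1]) for i in range(k)):
            continue
        if any(not prop(s) for s in path):
            return list(path)
    return None

def initialized_diameter(init, trans):
    """DI(M): longest shortest path from an initial state, by explicit-state BFS.
    Affordable only because the model is tiny (computing CT is hard in general)."""
    dist = {s: 0 for s in STATES if init(s)}
    frontier = list(dist)
    while frontier:
        nxt = []
        for s in frontier:
            for t in STATES:
                if trans(s, t) and t not in dist:
                    dist[t] = dist[s] + 1
                    nxt.append(t)
        frontier = nxt
    return max(dist.values())

def bmc_loop(init, trans, prop, ct):
    """The loop of Page 25: k = 0; SAT gives a counterexample; UnSAT means k++,
    until k >= CT, at which point the property is proved."""
    k = 0
    while True:
        cex = bmc(k, init, trans, prop)
        if cex is not None:
            return ("counterexample", k, cex)
        if k >= ct:
            return ("proved", k, None)
        k += 1

if __name__ == "__main__":
    ct = initialized_diameter(init, trans)   # 3 for the counter
    print("CT = DI(M) =", ct)
    print(bmc_loop(init, trans, prop, ct))   # counterexample at k = 3: 00 01 10 11
```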
Page 29
CT for liveness properties
Theorem: for AFp properties, CT = RDI(M) + 1.
[Figure: path from s0 with the p labels on its states, ending in a loop]
Theorem: for an LTL property, CT = ?
Page 30
CT for arbitrary LTL properties
Theorem [CKOS 05]: a completeness threshold for any LTL property is min(rdI(P) + 1, dI(P) + d(P)).
[Figure: shortest counterexample from s0, annotated ≤ dI(P) (reaching the loop), ≤ d(P) (the loop) and ≤ rdI(P) (the loop-free part)]
Page 31
Why take the minimum?
Example 1: dI(P) + d(P) = 6 > rdI(P) + 1 = 4
Example 2: dI(P) + d(P) = 2 < rdI(P) + 1 = 4
Page 32
Formulation of diameter in QBF
It is infeasible to compute the diameter using a poly-time algorithm for shortest paths.
State s is reachable in j steps:
Thus, k is greater than or equal to the diameter d if:
Page 33
SAT-based Diameter Computation
M. Mneimneh, K. Sakallah, "SAT-based Sequential Depth Computation", ASPDAC 03
1. Check if there is a state s reachable in c steps but not reachable in fewer than c steps.
2. Increment c until step 1 finds no such state.
Step 1 may enumerate many states.
Page 34
Recurrence diameter as SAT
Find the maximal n that satisfies:
Optimization: use a sorting network to obtain an ordered permutation of the states [Kroening & Strichman].
[Figure: the n states s pass through a sorting network of compare-and-swap elements of size O(n log n), producing the sorted states s'; now compare only neighboring states, O(n)]
Page 35
Complexity of BMC: Formula size
Original translation: O(k|M| + k²|φ|)
Automata based translation: O(k|M| 2^|φ|)
Fixpoint based translation: O(k(|M| + |φ|))
Page 36
Complexity of BMC
Size of the SAT instance is O(k(|M| + |φ|)).
k can become as large as the diameter of the system, which is exponential in the number of state variables in the worst case.
SAT is exponential time. Therefore, SAT-based BMC has doubly exponential complexity.
But LTL model checking is singly exponential!
Page 37
Why use SAT based BMC?
• Infeasible to represent P explicitly.
• Identify shallow errors efficiently.
• In many cases rd(P) and d(P) are not exponential and can be rather small, e.g. hardware components without counters.
• Modern SAT solvers are very successful in practice.
Page 38
Unbounded Model Checking using Cube Enlargement
P. Chauhan, E. Clarke, and D. Kroening: "Using SAT based Image Computation for Reachability Analysis", CMU-CS-03-151
Page 39
Reachability analysis
Consider a system with state variables x and inputs i.
S0(x) is the set of initial states. T(x,i,x') is the transition relation.
We want to compute the set of reachable states Sreach.
Iterative process: compute the states reachable in 1 step, 2 steps, ...
Page 40
Image computation and Reachability
The set of immediate successors of the states S(x) is given by:
The set of all reachable states is the least fixpoint:
Page 41
Computing Reachability
Si+1 is the set of new states directly reachable from Si.
Then Sreach is the union of all Si.
Page 42
SAT based image computation
• The transition relation T(x,i,x') is represented as a CNF formula (a set of clauses). If it is not already in CNF, it can be converted in polynomial time.
• The set of newly reachable states after each step, Si, as well as their union Sreach, are represented in DNF (a set of cubes). Obviously ¬Sreach is then in CNF.
Page 43
SAT based image computation
[Figure: Sreach as a union of sets of cubes]
Si+1 contains all solutions to Si(x) ∧ T(x,i,x') ∧ ¬Sreach(x'), projected on x' and renamed to x.
Page 44
The image computation step
• Si is in DNF. Convert it to CNF by introducing new variables.
• Solve the CNF formula Si(x) ∧ T(x,i,x') ∧ ¬Sreach(x').
• The solution is a cube d. Project d to x' and rename to x.
• Add d to Sreach(x) and Si+1(x).
• Repeat until the formula becomes unsat.
Page 45
Efficiency issues
The number of satisfying assignments can be exponential in the number of variables. Therefore, two problems:
• Enumeration of full assignments is slow. Solution: cube enlargement.
• The representation of Sreach and Si can grow too large. Solution: systematically combine cubes using an appropriate data structure.
Page 46
Cube enlargement
SAT solvers like zChaff return complete assignments (minterms).
Partial assignments (cubes) are better, because they represent multiple minterms.
For example, the cube x1 x4 represents 4 minterms: x1 ¬x2 ¬x3 x4, x1 ¬x2 x3 x4, x1 x2 ¬x3 x4, x1 x2 x3 x4.
Page 47
Efficient cube set representation
• Cubes are stored in a hash table of tries. Each trie is associated with a unique subset of the state variables.
• Whenever a new cube d is inserted, the corresponding trie is searched for cubes d' that differ from d in only one literal.
• The merged cube (without the differing literal) is stored instead of d and d'.
Page 48
Efficient cube set representation
[Figure: hash table whose keys are subsets of the state variables, each key pointing to a trie of the cubes over that subset]
Inserting a new cube:
1. Identify the appropriate hash table entry
2. Look for matching cubes
3. If a match was found, delete the cube and insert the merged cube
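The image computation step of Pages 42 to 48 (solve Si(x) ∧ T(x,i,x') ∧ ¬Sreach(x'), enlarge the solution cube, project it onto x', and merge cubes that differ in one literal), as an added Python example that is neither the talk's nor the cited paper's code. It runs on a constructed 3-bit system (an assumption), replaces the SAT solver with brute-force enumeration, and uses a dict keyed by the cube's variable set as a stand-in for the hash table of tries.

```python
from itertools import product

# Constructed 3-bit system (an assumption, not from the slides): state bits
# x0, x1, x2 and one input i, with next state
#   x0' = i,  x1' = x0,  x2' = x1 if x0 = 0, unconstrained if x0 = 1.
# Initial state 000. A cube is a dict {variable: value}; a set of states is a
# list of cubes (DNF, as on Page 42); the empty cube is "true".
X = ("x0", "x1", "x2")
XN = ("x0'", "x1'", "x2'")
ALL = X + ("i",) + XN
INIT = {"x0": False, "x1": False, "x2": False}

def trans(a):
    """T(x,i,x') evaluated on a full assignment."""
    return (a["x0'"] == a["i"] and a["x1'"] == a["x0"]
            and (a["x0"] or a["x2'"] == a["x1"]))

def in_dnf(assign, cubes):
    """Does the assignment satisfy some cube of the DNF?"""
    return any(all(assign[v] == b for v, b in c.items()) for c in cubes)

def holds(cube, s_i, s_reach):
    """Page 44's formula Si(x) ∧ T(x,i,x') ∧ ¬Sreach(x') for EVERY completion of cube."""
    free = [v for v in ALL if v not in cube]
    for bits in product((False, True), repeat=len(free)):
        a = {**cube, **dict(zip(free, bits))}
        nxt = {v: a[v + "'"] for v in X}          # x' renamed to x for Sreach
        if not (in_dnf(a, s_i) and trans(a) and not in_dnf(nxt, s_reach)):
            return False
    return True

def solve(s_i, s_reach):
    """Stand-in for the SAT solver: first full satisfying assignment, else None."""
    for bits in product((False, True), repeat=len(ALL)):
        a = dict(zip(ALL, bits))
        if holds(a, s_i, s_reach):
            return a
    return None

def enlarge(a, s_i, s_reach):
    """Cube enlargement (Page 46): drop literals while the cube still satisfies
    the formula, so one solver answer covers several minterms."""
    cube = dict(a)
    for v in list(cube):
        trial = {k: b for k, b in cube.items() if k != v}
        if holds(trial, s_i, s_reach):
            cube = trial
    return cube

def insert_merging(table, d):
    """Page 47: cubes over the same variables that differ in exactly one literal
    are merged; the merged cube is inserted in place of both."""
    key = frozenset(d)
    for other in table.get(key, []):
        diff = [v for v in d if d[v] != other[v]]
        if len(diff) == 1:
            table[key].remove(other)
            insert_merging(table, {v: b for v, b in d.items() if v != diff[0]})
            return
    table.setdefault(key, []).append(d)

def flat(table):
    return [c for bucket in table.values() for c in bucket]

def reachable():
    """Returns (Sreach as a cube list, number of image steps, number of solver answers)."""
    s_reach, steps, answers = {}, 0, 0
    insert_merging(s_reach, INIT)
    s_i = [INIT]
    while s_i:
        s_next = {}
        while True:
            sol = solve(s_i, flat(s_reach))
            if sol is None:                        # formula unsat: image complete
                break
            answers += 1
            cube = enlarge(sol, s_i, flat(s_reach))
            d = {v: cube[v + "'"] for v in X if v + "'" in cube}   # project on x', rename
            insert_merging(s_reach, d)
            insert_merging(s_next, d)
        s_i = flat(s_next)
        steps += 1
    return flat(s_reach), steps, answers

def count_states(cubes):
    """Number of the 8 states covered by a cube list (used to check the result)."""
    return sum(in_dnf(dict(zip(X, bits)), cubes)
               for bits in product((False, True), repeat=3))
```

On this system five solver answers cover all eight states in four image steps, and the merging collapses Sreach to the single empty cube.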
Page 49
Related work
• [Gupta et al, FMCAD 00 and ICCAD 01]: mixed BDD / SAT approach
• [K. McMillan, CAV 02]: sets of states represented in CNF; CNF clauses stored in ZDDs; conflict analysis for cube enlargement
• [H. Kang and I. Park, DAC 03]: offline Espresso to reduce the number of cubes; no cube enlargement
Page 50
Unbounded Model Checking using Circuit Cofactoring
M. Ganai, A. Gupta and P. Ashar, "Efficient SAT-based Unbounded Symbolic Model Checking Using Circuit Cofactoring", ICCAD 04
Page 51
SAT-based Image Computation
The SAT-based procedure enumerates all state cube solutions.
Each invocation of the SAT solver generates one new state cube.
A blocking clause representing the negation of the state cube is added at each step.
The main problem is that the required number of steps can be very large.
Page 52
Main Contribution
• Use circuit cofactoring to capture a large set of states at each enumeration step: fewer enumeration steps.
• Use circuit graph simplification to compact the captured states.
• Use a hybrid SAT solver that works on both OR/INVERTER circuits and CNF.
Page 53
Definitions
• State variables X. Input variables U.
• A partial assignment maps X ∪ U → {0,1}.
• The state cube s is the projection of the assignment on X.
• The input cube u is the projection of the assignment on U.
• The minterm m is a complete assignment to U extending u.
Page 54
Example
X = {x1, x2}
U = {u1, u2}
Partial assignment: x1 ∧ ¬u2
s = x1
u = ¬u2
m = u1 ∧ ¬u2
Page 55
Cofactors of Boolean functions
The cofactors of f(v1, ..., v, ...) with respect to the variable v are f_v = f(v1, ..., 1, ...) and f_v' = f(v1, ..., 0, ...).
The cofactor of f with respect to a cube c is f_c, obtained by cofactoring f with respect to each literal in c.
Example
Page 56
Producing larger sets of states
Given a formula f and a satisfying assignment cube s:
1. Isolate the "input part" of s and complete it by picking values for the unassigned inputs.
2. Cofactor f with respect to the satisfying input minterm m.
3. Use the function f_m obtained in step 2 to represent the set of satisfying states.
Page 57
Example
u1 and u2 are primary inputs. x1 and x2 are state variables. We want to compute:
∃u1 u2 . f
Page 58
Example (cont'd)
The SAT solver returns <u1=1, x2=0> as the first assignment.
Step 1: Complete the input part of the assignment by choosing u2=1.
Step 2: Cofactor f with respect to the satisfying input minterm m = u1 u2. We get:
Page 59
Example (cont'd)
f_m represents more states than the satisfying cube x2' (that is, ¬x2).
We needed just one enumeration step to capture the entire solution set.
Page 60
SAT-based existential quantification
The returned value of C should correspond to ∃B f(A,B).
Page 61
C ⇔ ∃B f(A,B)
• C is a union of cofactors of f with respect to B, therefore C ⇒ ∃B f(A,B).
• When the algorithm terminates, f(A,B) ∧ ¬C is unsat, therefore ∀B (¬f(A,B) ∨ C) is valid.
• C contains no variables in B, so (∀B ¬f(A,B)) ∨ C is valid.
• Hence ∃B f(A,B) ⇒ C.
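The existential quantification of Pages 56 to 61, as an added Python example that is not the talk's or the paper's code: the circuit f on the slides is not in the transcript, so a constructed function over the same variables (an assumption) is used, the SAT solver is replaced by brute-force enumeration, and the result C is checked against ∃B f(A,B) by truth table. For comparison, the plain state-cube enumeration of Page 51 is run on the same f.

```python
from itertools import product

# Constructed function (an assumption, not the slides' circuit) over state
# variables A = (x1, x2) and inputs B = (u1, u2):
#   f = (u1 ∧ ¬x2) ∨ (u2 ∧ x1 ∧ x2),   hence  ∃u1 u2 . f  =  ¬x2 ∨ x1.
STATE = ("x1", "x2")
INPUT = ("u1", "u2")

def f(a):
    return (a["u1"] and not a["x2"]) or (a["u2"] and a["x1"] and a["x2"])

def sat(phi, names):
    """Stand-in for the SAT solver: first full assignment over names satisfying
    phi (trying 1 before 0), or None when phi is unsatisfiable."""
    for bits in product((True, False), repeat=len(names)):
        a = dict(zip(names, bits))
        if phi(a):
            return a
    return None

def cofactor(fun, m):
    """f_m: fun with the inputs fixed to the minterm m, a function of the state only."""
    return lambda a: fun({**a, **m})

def exists_inputs(fun):
    """Pages 56-61: C is the union of input cofactors f_m, one per solver answer,
    until f ∧ ¬C is unsat. Returns (list of cofactors, number of enumeration steps)."""
    cofactors = []
    C = lambda a: any(g(a) for g in cofactors)        # initially False
    steps = 0
    while True:
        sol = sat(lambda a: fun(a) and not C(a), STATE + INPUT)
        if sol is None:                                # f(A,B) ∧ ¬C unsat: C ⇔ ∃B f
            return cofactors, steps
        steps += 1
        m = {v: sol[v] for v in INPUT}                 # step 1: a complete input minterm
        cofactors.append(cofactor(fun, m))            # steps 2-3: add f_m to C

def enumerate_state_cubes(fun):
    """Plain enumeration of Page 51 for comparison: each solver answer yields one
    state minterm, which is blocked afterwards. Returns (states, number of steps)."""
    states, steps = [], 0
    blocked = lambda a: any(all(a[v] == s[v] for v in STATE) for s in states)
    while True:
        sol = sat(lambda a: fun(a) and not blocked(a), STATE + INPUT)
        if sol is None:
            return states, steps
        steps += 1
        states.append({v: sol[v] for v in STATE})

def equals_exists(fun, cofactors):
    """Truth-table check of Page 61's claim C ⇔ ∃B f(A,B) on every state."""
    for bits in product((False, True), repeat=len(STATE)):
        a = dict(zip(STATE, bits))
        c = any(g(a) for g in cofactors)
        exists = any(fun({**a, **dict(zip(INPUT, ub))})
                     for ub in product((False, True), repeat=len(INPUT)))
        if c != exists:
            return False
    return True
```

Here the first solver answer fixes u1 = u2 = 1, so f_m = ¬x2 ∨ (x1 ∧ x2) captures the whole solution set in one step, where the cube enumeration needs three.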
Page 62
Hybrid SAT solver
• Represents the original circuit with 2-input OR/INVERTER gates
• Represents learned constraints with CNF
• Finds partial satisfying assignments
• Dynamically removes inactive clauses
Page 63
Other applications of SAT in formal verification
• [D. Kroening, F. Lerda, and E. Clarke, TACAS 04] Bounded Model Checking for Software
• [G. Audemard, A. Cimatti, A. Kornilowicz, and R. Sebastiani, FORTE 02] Bounded Model Checking for Timed Systems
• [H. Jain, D. Kroening, N. Sharygina, E. Clarke, DAC 05] Word level predicate abstraction and refinement for verifying RTL Verilog
Page 64
For more information ...
"A Survey of Recent Advances in SAT-based Formal Verification" by Mukul R. Prasad, Armin Biere and Aarti Gupta, STTT.