
SAT-based Bounded Model Checking

Given a property p (e.g. "always signal_a = signal_b"):

Is there a state reachable within k cycles which satisfies ¬p (i.e. violates p)?

[Figure: a path s0 → s1 → s2 → ... → sk-1 → sk, with p checked at every state]

Formulation of famous problems as SAT: Bounded Model Checking

The reachable states in k steps are captured by:

The property p fails in one of the cycles 1..k:

Bounded Model Checking: safety

The safety property p is valid up to cycle k iff φ_k is unsatisfiable:

[Figure: a path s0 → s1 → s2 → ... → sk-1 → sk, with p required at every state]

Bounded Model Checking: safety

Example: a two bit counter

Initial state I: ¬l ∧ ¬r

Transition R: l' = (l ⊕ r) ∧ r' = ¬r

Property: G(¬l ∨ ¬r), i.e. the counter never shows 11.

[Figure: the four states 00, 01, 10, 11; the counter steps 00 → 01 → 10 → 11]

For k = 2, φ_k is unsatisfiable. For k = 4, φ_k is satisfiable (the state 11 is reached at cycle 3).

Bounded Model Checking: safety

The liveness property Fp is valid up to cycle k iff φ_k is unsatisfiable:

[Figure: a path s0 → s1 → ... → sk with ¬p at every state, closed by a back-edge from sk to an earlier state, i.e. a loop on which p never holds]

Bounded Model Checking: liveness

Intel's results (2002)

IBM's results (2000)

SAT made some progress…

[Plot: number of variables handled by SAT solvers (log scale, 1 to 100000) against year, 1960 to 2010]

Bounded Model Checking

[Flowchart: k = 0; run BMC(M, φ, k); if the answer is yes, stop (a counterexample of length k was found); otherwise k++ and loop, unless the bound on k ("k ≥ ?") is exceeded, in which case the resources are exceeded and the procedure stops]

How big should k be?

For every finite model M and LTL property φ there exists k such that M ⊨_k φ iff M ⊨ φ.

We call the minimal such k the Completeness Threshold (CT).

Clearly if M ⊨ φ then CT = 0.

Computing CT for a given M is as hard as model checking M.

The Completeness Threshold

Let's try the following strategy: compute CT for an abstraction of M that unites all models with certain graph-theoretic properties equal to those of M.

Basic notions…

Diameter D(M) = longest shortest path between any two reachable states.

Recurrence Diameter RD(M) = longest loop-free path between any two reachable states.

The initialized versions DI(M) and RDI(M) start from an initial state.

[Figure: an example state graph with D(M) = 2 and RD(M) = 3; DI(M) and RDI(M) are read off the same graph]

The Completeness Threshold

Theorem: for AGp properties CT = DI(M).

[Figure: an arbitrary path from s0 to a state where p fails; the shortest path to any reachable state has length at most DI(M), so a counterexample to AGp, if one exists, is found within DI(M) cycles]

(For AFp properties this does not hold.)

The Completeness Threshold

Theorem: for AFp properties CT = RDI(M) + 1.

[Figure: a loop-free path from s0 along which p never holds, closed by a back-edge]

Theorem: for an LTL property CT = ?
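The four diameters above computed on an explicit-state graph, as an added example that is not part of the lecture. The graph is constructed here (it is not the one drawn on the slides), and the last function checks the AGp theorem on it by comparing bounded reachability up to k = DI(M) with unbounded reachability for every possible set of states where p fails.

```python
"""Added example: D(M), RD(M), DI(M), RDI(M) on a small explicit-state model, plus an explicit-state
bounded reachability check illustrating CT = DI(M) for AGp. The model below is constructed for this
example; it is not the graph on the slides."""
from collections import deque
from itertools import product

# Constructed example model M: states 0..4, initial state 0, transition relation as successor lists.
INIT = {0}
SUCC = {0: [1, 4], 1: [2], 2: [3], 3: [1], 4: [3]}


def reachable(init=INIT, succ=SUCC):
    seen, todo = set(init), list(init)
    while todo:
        for t in succ[todo.pop()]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def shortest_distances(src, succ=SUCC):
    """BFS distances from src; only states with a path from src appear in the result."""
    dist, todo = {src: 0}, deque([src])
    while todo:
        s = todo.popleft()
        for t in succ[s]:
            if t not in dist:
                dist[t] = dist[s] + 1
                todo.append(t)
    return dist


def longest_simple_path(src, succ=SUCC):
    """Length of the longest loop-free path from src (DFS over simple paths; small models only)."""
    def dfs(s, visited):
        return max((1 + dfs(t, visited | {t}) for t in succ[s] if t not in visited), default=0)
    return dfs(src, {src})


def diameter(init=INIT, succ=SUCC):
    """D(M): longest shortest path between any two reachable states (pairs with no path are ignored)."""
    return max(d for s in reachable(init, succ) for d in shortest_distances(s, succ).values())


def recurrence_diameter(init=INIT, succ=SUCC):
    """RD(M): longest loop-free path between any two reachable states."""
    return max(longest_simple_path(s, succ) for s in reachable(init, succ))


def initialized_diameter(init=INIT, succ=SUCC):
    """DI(M): longest shortest path from an initial state."""
    return max(d for s in init for d in shortest_distances(s, succ).values())


def initialized_recurrence_diameter(init=INIT, succ=SUCC):
    """RDI(M): longest loop-free path from an initial state."""
    return max(longest_simple_path(s, succ) for s in init)


def bounded_reach(bad, k, init=INIT, succ=SUCC):
    """Explicit-state analogue of phi_k for AGp: is a state in 'bad' (where p fails) reachable within k steps?"""
    return any(d <= k for s in init for t, d in shortest_distances(s, succ).items() if t in bad)


def agp_completeness_threshold_holds(init=INIT, succ=SUCC):
    """For every choice of bad states, BMC up to k = DI(M) must agree with unbounded reachability."""
    k = initialized_diameter(init, succ)
    states = sorted(reachable(init, succ))
    for bits in product([0, 1], repeat=len(states)):
        bad = {s for s, keep in zip(states, bits) if keep}
        if bounded_reach(bad, k, init, succ) != bounded_reach(bad, len(states), init, succ):
            return False
    return True


if __name__ == "__main__":
    print("D =", diameter(), "RD =", recurrence_diameter(),
          "DI =", initialized_diameter(), "RDI =", initialized_recurrence_diameter())
```

On this model D(M) = 3 (4 → 3 → 1 → 2) while DI(M) = 2, and the loop 1 → 2 → 3 → 1 makes RDI(M) = 4 larger than DI(M); the longest-simple-path search is exponential in general, which is exactly why the slides look for cheaper graph-theoretic over-approximations of CT.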

What is SAT?

SATisfying assignment!

Given a propositional formula in CNF, find an assignment to Boolean variables that makes the formula true:

ω1 = (x2 ∨ x3)
ω2 = (¬x1 ∨ ¬x4)
ω3 = (¬x2 ∨ x4)

A = {x1=0, x2=1, x3=0, x4=1}

A Basic SAT algorithm

Given in CNF: (x,y,z), (-x,y), (-y,z), (-x,-y,-z)

Loop: Decide(), Deduce(), and on a conflict Resolve_Conflict().

[Figure: search tree over the decisions x, z, y. Deciding x=1 leaves (y), (-y,z), (-y,-z), so y is forced and (z), (-z) conflict. Deciding x=0@1 leaves (y,z), (-y,z); deciding z=0@2 leaves (y), (-y), a conflict (marked X); the remaining branch (z=1, y=0@2) satisfies the formula]

Backtracking Search in Action

ω1 = (x2 ∨ x3)
ω2 = (¬x1 ∨ ¬x4)
ω3 = (¬x2 ∨ x4)

[Figure: search tree]
Branch x1 = 0@1: decide x2 = 0@2, which implies x3 = 1@2 (ω1); satisfying assignment {(x1,0), (x2,0), (x3,1)}.
Branch x1 = 1@1: ω2 implies x4 = 0@1, then ω3 implies x2 = 0@1, then ω1 implies x3 = 1@1; satisfying assignment {(x1,1), (x2,0), (x3,1), (x4,0)}.

No backtrack in this example, regardless of the decision!

Backtracking Search in Action

Add a clause:

ω1 = (x2 ∨ x3)
ω2 = (¬x1 ∨ ¬x4)
ω3 = (¬x2 ∨ x4)
ω4 = (¬x1 ∨ x2 ∨ ¬x3)

[Figure: search tree]
Branch x1 = 1@1: x4 = 0@1 (ω2), x2 = 0@1 (ω3), x3 = 1@1 (ω1); now every literal of ω4 is false: conflict.
Backtrack to x1 = 0@1: decide x2 = 0@2, which implies x3 = 1@2; satisfying assignment {(x1,0), (x2,0), (x3,1)}.

Decision heuristics: DLIS (Dynamic Largest Individual Sum)

Choose the variable and value that satisfies the maximum number of unsatisfied clauses.

This requires going through all clauses for each decision.

Decision heuristics: Jeroslow-Wang method

Compute for every clause ω and every variable l (in each phase):

J(l) := Σ_{ω ∈ φ, l ∈ ω} 2^(−|ω|)

Choose a variable l that maximizes J(l).

This gives an exponentially higher weight to literals in shorter clauses.
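Both heuristics scored on the four-clause formula of the backtracking slides, as an added example that is not code from the lecture. J(l) is computed with the clause length |ω| exactly as in the formula above, restricted to clauses not yet satisfied; the tie-breaking rule and the `choose` helper are this example's own choices.

```python
"""Added example: the DLIS and Jeroslow-Wang decision heuristics from the slides, scored on the
four-clause formula of the 'Backtracking search in action' slides. The scoring functions and the
tie-breaking rule are this example's own choices, not code from the lecture."""
from collections import defaultdict
from fractions import Fraction

# Literals are signed ints: 2 is x2, -2 is not x2.  w1..w4 of the slides.
CLAUSES = [(2, 3), (-1, -4), (-2, 4), (-1, 2, -3)]


def unsatisfied(clauses, assignment):
    """Clauses with no true literal under the partial assignment (variable -> bool)."""
    return [c for c in clauses if not any(assignment.get(abs(l)) == (l > 0) for l in c)]


def dlis(clauses, assignment):
    """DLIS: for each free literal, the number of currently unsatisfied clauses it would satisfy."""
    score = defaultdict(int)
    for c in unsatisfied(clauses, assignment):
        for l in c:
            if abs(l) not in assignment:
                score[l] += 1
    return dict(score)


def jeroslow_wang(clauses, assignment):
    """J(l) = sum over unsatisfied clauses w containing l of 2^(-|w|), |w| being the clause length."""
    score = defaultdict(Fraction)
    for c in unsatisfied(clauses, assignment):
        for l in c:
            if abs(l) not in assignment:
                score[l] += Fraction(1, 2 ** len(c))
    return dict(score)


def choose(score):
    """Literal with the highest score; ties go to the lowest variable index, positive phase first."""
    return max(score, key=lambda l: (score[l], -abs(l), l > 0))


if __name__ == "__main__":
    print("DLIS:", dlis(CLAUSES, {}), "->", choose(dlis(CLAUSES, {})))
    print("JW:  ", jeroslow_wang(CLAUSES, {}), "->", choose(jeroslow_wang(CLAUSES, {})))
```

With nothing assigned, x2 and ¬x1 tie under both heuristics (each occurs in two clauses, one of length 2 and one of length 3, so J = 1/4 + 1/8 = 3/8); once x1 is decided true, x2 is the clear Jeroslow-Wang choice because the short clause ω1 still contains it.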

Implication graphs and learning

ω1 = (¬x1 ∨ x2)
ω2 = (¬x1 ∨ x3 ∨ x9)
ω3 = (¬x2 ∨ ¬x3 ∨ x4)
ω4 = (¬x4 ∨ x5 ∨ x10)
ω5 = (¬x4 ∨ x6 ∨ x11)
ω6 = (¬x5 ∨ ¬x6)
ω7 = (x1 ∨ x7 ∨ ¬x12)
ω8 = (x1 ∨ x8)
ω9 = (¬x7 ∨ ¬x8 ∨ ¬x13)

Current truth assignment: {x9=0@1, x10=0@3, x11=0@3, x12=1@2, x13=1@2}

Current decision assignment: {x1=1@6}

[Implication graph: x1=1@6 implies x2=1@6 (ω1); x1=1@6 and x9=0@1 imply x3=1@6 (ω2); x2 and x3 imply x4=1@6 (ω3); x4 and x10=0@3 imply x5=1@6 (ω4); x4 and x11=0@3 imply x6=1@6 (ω5); x5 and x6 falsify ω6: conflict]

We learn the conflict clause ω10: (¬x1 ∨ x9 ∨ x11 ∨ x10)

Implication graph, flipped assignment

Due to the conflict clause ω10: (¬x1 ∨ x9 ∨ x11 ∨ x10), with x9=0@1, x10=0@3 and x11=0@3 the flipped assignment x1=0@6 is now implied.

[Implication graph: x1=0@6 and x12=1@2 imply x7=1@6 (ω7); x1=0@6 implies x8=1@6 (ω8); x7, x8 and x13=1@2 falsify ω9: conflict]

Non-chronological backtracking

[Figure: decision levels 1 to 6; both values of x1 at level 6 lead to a conflict]

Which assignments caused the conflicts? x9=0@1, x10=0@3, x11=0@3, x12=1@2, x13=1@2.

These assignments are sufficient for causing a conflict, so the decisions at levels 4, 5 and 6 are irrelevant: backtrack to decision level 3.
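The implication graph, conflict analysis and backtrack level of the slides reproduced by a minimal CDCL core, as an added example that is not code from the lecture. The nine clauses are the ones above; the pre-existing partial assignment is placed on the trail directly with the decision levels the slides show, because the clauses that produced it are not on the slides (an assumption of this example). Conflict analysis resolves backwards along the implication graph; the slides cut at the decision variable, and the example also shows the first-UIP cut (stopping at x4) for comparison.

```python
"""Added example: conflict analysis and backjumping on the nine-clause example of the slides.
The solver is this example's own minimal implementation, not code from the lecture; the slides'
pre-existing assignment is placed on the trail directly (the clauses that produced it are not shown)."""

# Literals are signed ints: 3 is x3, -3 is not x3. w1..w9 with the polarities implied by the slides'
# implication graph (x1 = 1 forces x2, x3, x4, x5, x6 and falsifies w6).
CLAUSES = {1: (-1, 2), 2: (-1, 3, 9), 3: (-2, -3, 4), 4: (-4, 5, 10), 5: (-4, 6, 11),
           6: (-5, -6), 7: (1, 7, -12), 8: (1, 8), 9: (-7, -8, -13)}


class Solver:
    def __init__(self, clauses):
        self.clauses = dict(clauses)      # id -> clause; learned clauses get fresh ids
        self.value, self.level, self.reason = {}, {}, {}   # per variable: bool, decision level, antecedent id
        self.trail = []                   # variables in assignment order (to undo and to analyze)
        self.dl = 0                       # current decision level

    def _true(self, lit):
        return self.value.get(abs(lit)) == (lit > 0)

    def _false(self, lit):
        v = self.value.get(abs(lit))
        return v is not None and v != (lit > 0)

    def assign(self, lit, level, reason=None):
        self.value[abs(lit)], self.level[abs(lit)], self.reason[abs(lit)] = lit > 0, level, reason
        self.trail.append(abs(lit))

    def propagate(self):
        """Unit propagation at the current level; returns the id of a falsified clause, or None."""
        changed = True
        while changed:
            changed = False
            for cid, clause in self.clauses.items():
                if any(self._true(l) for l in clause):
                    continue
                free = [l for l in clause if not self._false(l)]
                if not free:
                    return cid
                if len(free) == 1:
                    self.assign(free[0], self.dl, reason=cid)
                    changed = True
        return None

    def analyze(self, conflict_id, first_uip=False):
        """Resolve the conflicting clause against the antecedents of current-level implied literals,
        walking the trail backwards. first_uip=False keeps going until only the decision of the
        current level is left (the cut the slides use); first_uip=True stops at the first UIP."""
        learned = set(self.clauses[conflict_id])
        for var in reversed(self.trail):
            if self.level[var] != self.dl or self.reason[var] is None:
                continue
            lit = next((l for l in learned if abs(l) == var), None)
            if lit is None:
                continue
            if first_uip and sum(1 for l in learned if self.level[abs(l)] == self.dl) == 1:
                break
            learned = (learned | set(self.clauses[self.reason[var]])) - {lit, -lit}
        return frozenset(learned)

    def backjump_level(self, learned):
        """Highest decision level below the current one that occurs in the learned clause."""
        return max((self.level[abs(l)] for l in learned if self.level[abs(l)] < self.dl), default=0)

    def learn(self, learned):
        self.clauses[max(self.clauses) + 1] = tuple(sorted(learned, key=abs))

    def backtrack(self, level):
        """Undo every assignment above 'level'."""
        while self.trail and self.level[self.trail[-1]] > level:
            var = self.trail.pop()
            del self.value[var], self.level[var], self.reason[var]
        self.dl = level


def run_slides_example():
    s = Solver(CLAUSES)
    for lit, level in ((-9, 1), (12, 2), (13, 2), (-10, 3), (-11, 3)):
        s.assign(lit, level)              # the slides' current truth assignment
    s.dl = 6
    s.assign(1, 6)                        # decision x1 = 1 @ 6
    c1 = s.propagate()                    # x2..x6 are implied; w6 is falsified
    learned = s.analyze(c1)               # the slides' w10
    result = {"conflict1": c1, "w10": learned, "w10_first_uip": s.analyze(c1, first_uip=True),
              "backjump1": s.backjump_level(learned)}
    s.learn(learned)
    s.backtrack(5)                        # the slides flip x1 at level 6 ...
    s.dl = 6
    c2 = s.propagate()                    # ... with w10 present the flip is forced; w7, w8 imply x7, x8; w9 fails
    learned2 = s.analyze(c2)
    result.update({"conflict2": c2, "learned2": learned2, "backjump2": s.backjump_level(learned2)})
    return result


if __name__ == "__main__":
    print(run_slides_example())
```

The second learned clause contains no literal from level 6 at all, only x9, x10, x11, ¬x12 and ¬x13, which is exactly the slides' list of assignments sufficient for the conflict; the highest of their levels is 3, hence the non-chronological backtrack to level 3.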

Tuning SAT for BMC

I. Variable ordering

II. Incremental SAT: reusability of conflict clauses between different (yet related) SAT instances.

III. Replicating Conflict Clauses: generation of conflict clauses 'for free', based on the unique structure of BMC invariant properties.

Static variable ordering

A (CNF) dependency graph D(V,E):

A partitioning C1..Cn:

An abstract dependency graph D'(V',E'):

Static variable ordering for BMC (the natural order of φ(k))

For φ(k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear:

C0 - C1 - C2 - C3 - ... - Ck-1 - Ck
V0   V1   V2   V3         Vk-1   Vk

Static variable ordering (a simple static ordering)

Ordering from Pk towards I0: riding on unreachable states... (the assignment to φ(k) must still satisfy I0)

Ordering from I0 towards Pk: riding on legal executions... (the assignment to φ(k) must still satisfy Pk)

Incremental SAT

Given two CNF formulas (sets of clauses) S1 and S2, and a conflict clause ψ s.t. S1 ⊢ ψ, under what conditions does the following hold:

S2 is satisfiable iff S2 ∧ ψ is satisfiable.

Let φ0 = S1 ∩ S2.

Claim: if φ0 ⊢ ψ then

S1 is satisfiable iff S1 ∧ ψ is satisfiable, and S2 is satisfiable iff S2 ∧ ψ is satisfiable.

Thus, if we deduce ψ while checking S1, we can reuse it when checking S2.

[Figure: S1 and S2 drawn as overlapping sets with φ0 as their intersection; φ0 ⊢ ψ]

Incremental SAT

Testing whether the clauses involved in deducing ψ are a subset of φ0 requires marking them in advance.

In the BMC case this is easy: only one clause in φ(k) is not included in φ(k+1).

Incremental SAT for BMC

1. Mark φ0, the subset of clauses that are also contained in subsequent instances.
2. If s ⊢ ψ for some s ⊆ φ0, then add ψ to φ0 and mark it as pervasive.

Replicated clauses

The BMC invariant formula includes k structurally similar parts:

Can this symmetry be used to speed up the search?

Replicated clauses

Let xk denote variable x in cycle k.

Let c(i) denote the clause c, where every variable in c is shifted i cycles.

For example: c = (x5 ∨ y2 ∨ z7), c(2) = (x7 ∨ y4 ∨ z9), c(-2) = (x3 ∨ y0 ∨ z5)

Similarly, s(i) denotes the set of shifted clauses in the set s, i.e. s(i) = {cj(i) : cj ∈ s}.

Replicated clauses

Let s be a subset of φ(k)'s clauses, and let ψ be a conflict clause deducible from s, i.e. s ⊢ ψ.

s = (x2 ∨ y5), (¬x2 ∨ y5 ∨ z3 ∨ w4)    ψ = (y5 ∨ z3 ∨ w4)

By substitution, it is also true that s(i) ⊢ ψ(i).

s(i) = (x2+i ∨ y5+i), (¬x2+i ∨ y5+i ∨ z3+i ∨ w4+i)    ψ(i) = (y5+i ∨ z3+i ∨ w4+i)

Replicated clauses

Conclusion: if s(i) ⊆ φ(k) then we can also add ψ(i) to φ(k).

ψ(i) is a new clause that we got 'for free'.

We call ψ(i) a 'replicated clause'.

The remaining question is: for which i is s(i) ⊆ φ(k)?

Replicated clauses

Given a replicable clause ψ and the subset of clauses s from which it was deduced:

1. While generating φ(k), mark all transition relation clauses.
2. For every conflict clause ψ, if all the clauses in s are marked, then mark ψ as 'replicable'.
3. Record ls and hs, the lowest and highest cycle index in s.
4. Add a replicated clause ψ(i) for i in the range -ls .. (k - hs).

Replicated clauses: Example

s = (x2 ∨ y5), (¬x2 ∨ y5 ∨ z3 ∨ w4), so ls = 2, hs = 5; k = 6.

ψ = (y5 ∨ z3 ∨ w4)

Going right: ψ(1) = (y6 ∨ z4 ∨ w5)

Going left: ψ(-1) = (y4 ∨ z2 ∨ w3), ψ(-2) = (y3 ∨ z1 ∨ w2)

[Figure: the variables y, z, w drawn against cycles 0..6, with ψ and its shifted copies]

Experimental results (2001)

Design #1 was run for k = 27..31, Design #2 for k = 14..18. Time units are not given on the slide; "*" is as in the original table (run not completed).

Strategy                   | Measure       | k=27 | k=28 | k=29 | k=30 | k=31 | k=14 | k=15 | k=16 | k=17  | k=18
Normal                     | time          | 61   | 102  | 174  | 144  | 14   | 10   | 91   | 192  | *     | *
Incremental SAT            | time          | 63   | 77   | 80   | 47   | 16   | 10   | 58   | 155  | 1.6E4 | *
                           | added clauses | 0    | 973  | 1092 | 1208 | 1253 | 0    | 925  | 2117 | 3474  | 6116
Incremental + replication  | time          | 48   | 21   | 19   | 44   | 30   | 13   | 48   | 214  | 6211  | *
                           | replicated    | 2094 | 1704 | 1216 | 1075 | 450  | 5932 | 5656 | 7778 | 1.7E4 | *
                           | added clauses | 0    | 482  | 1113 | 1536 | 2014 | 0    | 3374 | 5773 | 9806  | 1.6E4
