Abstraction Refinement for Bounded Model Checking
26
1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged
description
Abstraction Refinement for Bounded Model Checking. Highly Jet Lagged. Anubhav Gupta, CMU Ofer Strichman, Technion. Bounded Model Checking (BMC). Search for bugs in executions of a bounded length - PowerPoint PPT Presentation
Transcript of Abstraction Refinement for Bounded Model Checking
1
Abstraction Refinement for Bounded Model Checking
Anubhav Gupta, CMUOfer Strichman, Technion
Highly Jet Lagged
2
Bounded Model Checking (BMC) Search for bugs in executions of a
bounded length
Generates a propositional formula that is satisfiable if and only if there is a counterexample of length k
Extremely efficient SAT-solvers are available
3
BMC
SAT
SatUnsat
No
Yes
BUG
NOBUG
IncrementalSolver
BMC - Implementation
4
Abstraction for BDD-based Model Checking
Abstraction
How to identify ?
Model Checking complexity is proportional to BDD size
Smaller BDD
5
Counterexample Guided Abstraction Refinement (CEGAR)
MC
NoPassBUGTRUE
Fail
Yes
6
Inside a SAT-Solver Davis-Putnam-
Logemann-Loveland (DPLL) procedure Decisions Boolean
Constraint Propagation (BCP)
Conflict Analysis, Backtrack Search Tree
7
Decisions Identify a good variable
and assign it a value Many Variable Selection
Heuristics Give preference to
variables that are involved in conflicts
Order is continuously updated
Like abstraction-refinement
These heuristics try to reduce the size of the search tree
8
BCP Identify assignments
implied by unit-clause rule
90% of run-time in solver spent on BCP
Time spent on BCP is proportional to the size of the CNF
9
Conflict Analysis and Backtrack Identify variable
assignments responsible for infeasibility of current search path
Ensures that assignments are locally consistent
Prune away irrelevant parts of the search tree
10
Abstraction for BMC
Abstraction
Smaller CNF
11
Why Abstraction for BMC ?
Variable selection can focus on important variables Solver can ignore local conflicts that
are irrelevant to the property BCP is faster on smaller CNF
How to identify ?
Abstraction
12
CEGAR for BMC
Apply CEGAR to BMC Refinement
SAT-solvers produce proofs of unsatisfiability
Have been used successively for refinement in CEGAR for model checking
Proofs provide an efficient and inexpensive refinement mechanism for CEGAR on BMC
13
Counterexample Guided Bounded Model Checking (CG-BMC)
SAT
Sat
Unsat
No
Yes
BUG
NOBUG SAT
Sat
14
CG-BMC Abstract model: model
that refutes previously seen spurious counterexamples
Forces solver to find full abstract trace before attempting to refute it
Solver is not lost in local conflicts
Most of the BCP is performed on smaller abstract model
Abstract Model
Concrete Model
15
A more robust CG-BMC The following scenario was observed on some
benchmarks: Current abstract model is sufficient to prove the
property Proving the property on abstract model is hard
BMC on abstract model is slow There exists an easier proof using additional
constraints from concrete model BMC on concrete model is faster
CG-BMC gets stuck on abstract model
Solution: Timeouts
16
CG-BMC with Timeouts (CG-BMC-T)
SAT
Sat
Unsat
No
Yes
BUG
NOBUG SAT
Time
Sat
Time
CG-BMC
17
Related Work Refining the SAT decision ordering for bounded
model checking, Wang et al., DAC 2004 Variables in current abstract model are given
preference in variable splitting order Static Method: Always decide first on variables in
abstract model Dynamic Method: Switch to default solver-heuristic
after a threshold number of backtracks Solver works on the whole CNF
BCP is expensive Potential for irrelevant conflicts
18
Our CG-BMC Implementation
SAT
Sat
Unsat
No
Yes
BUG
NOBUG SAT
Sat
IncrementalSolver1
IncrementalSolver2
19
Experiments PicoJava Benchmarks – derived from
compositional verification of ICU (Source: Ken McMillan)
Implementation on top of zChaff Comparison with BMC and Wang et al.
Timeout = 2hrs Max Depth (K) = 60 Measured run-time and number of
backtracks
20
CG-BMC vs. BMC (Run-time)
1
10
100
1000
10000
Circuit
Tim
e(s)
BMC CG-BMC CG-BMC-T
21
CG-BMC vs. BMC (Backtracks)
1
10
100
1000
10000
100000
1000000
Circuit
Bac
ktra
cks
BMC CG-BMC CG-BMC-T
22
CG-BMC vs. Wang et al. (Run-time)
1
10
100
1000
10000
Circuit
Tim
e(s)
Static Dynamic CG-BMC CG-BMC-T
23
CG-BMC vs. Wang et al. (Backtracks)
1
10
100
1000
10000
100000
1000000
Circuit
Bac
ktra
cks
Static Dynamic CG-BMC CG-BMC-T
24
Conclusions
Abstraction refinement makes BMC faster Reduction in number of backtracks Reduction in BCP time
25
Future Work CG-BMC inside a
SAT-solver Abstraction levels for
clauses Ignore clauses in
lower levels until all higher levels are satisfied
Move clauses up (and down) across levels
Application to SAT-solving in general
.
.
.
26
Questions ?
![Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]](https://static.fdocuments.in/doc/165x107/56649d405503460f94a1aa02/thread-modular-abstraction-refinement-tom-henzinger-ranjit-jhala-rupak-majumdar.jpg)
![Research Article Compositional Abstraction Refinement for ...of state explosion in concurrent model checking, especially in conjunction with abstraction. e work in [ , ]pro-posed an](https://static.fdocuments.in/doc/165x107/6103fcc92c99d430a32a767e/research-article-compositional-abstraction-refinement-for-of-state-explosion.jpg)