Proof-based Abstraction
Transcript of Proof-based Abstraction
Presented by Roman Gershman
Ken McMillan, Nina Amla
Technion
Motivation for this article
In the verification world, size DOES matter!
The goal
We want to check LARGE models.
We want to scale beyond the “current” model checking technologies (BDDs).
Off the record: it is ironic that the inventor of SMV offers a new way of doing model checking.
Well
We will not completely drop SMV (yet), but we are going to help it using SAT.
In my opinion, this article is a turning point for us and for McMillan in understanding how to do complete MC using SAT.
At the next lesson we will see how to do MC using SAT.
Model checking, in this context
Given: a finite transition system M over states S, with initial states I ⊆ S and transition relation T ⊆ S × S; a propositional property P.
Determine: does M allow a counterexample to P?
Scale: less than 1000 variables (FF).
Symbolic Model Checking
S = I
Prev = ∅
While S != Prev:
    Prev = S
    If (S ∧ ¬P ≠ ∅) then return BUG
    S = S ∨ ∃x’. (S(x’) ∧ T(x’, x))
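The fixpoint loop on the slide above, run over an explicit set of states instead of BDDs, as an added example (not code from the talk or the paper). T is given as a set of (x’, x) pairs, so S(x’) ∧ T(x’, x) is the successor image; the 3-bit counter with one unreachable extra transition is constructed input.

```python
def symbolic_mc(I, T, P):
    """Forward reachability fixpoint from the slide, over explicit sets.
    I: set of initial states; T: set of (x_prev, x) transition pairs;
    P: predicate on states.  Returns ("BUG", bad states) or ("VALID", reachable set)."""
    S, prev = frozenset(I), None
    while S != prev:
        prev = S
        bad = {x for x in S if not P(x)}          # is S ∧ ¬P non-empty?
        if bad:
            return ("BUG", sorted(bad))
        # S = S ∨ ∃x'. S(x') ∧ T(x', x): add every successor of a state already in S
        S = S | {x for (xp, x) in T if xp in S}
    return ("VALID", sorted(S))


# Constructed input: a 3-bit counter that wraps at 8, plus a transition 9 -> 10
# that is never reachable from the initial state 0.
COUNTER_T = {(x, (x + 1) % 8) for x in range(8)} | {(9, 10)}


def check_counter():
    """Run the loop twice: a property that holds, and one violated by the counter."""
    return (symbolic_mc({0}, COUNTER_T, lambda x: x < 8),
            symbolic_mc({0}, COUNTER_T, lambda x: x != 5))
```

The loop stops as soon as an iteration adds no new state, which is why the unreachable 9 -> 10 transition never enters S; with BDDs the same loop runs on sets represented symbolically, which is where the 1000-variable limit comes from.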
Set representations
What are I, T, P? How do they look? How can we build them?
Examples of representations: I is a BDD; I = {(1,0), (1,1), (1,1)} (explicit); logic circuits:
[Figure: a logic circuit over X1 and X2 with output TRUE]
Circuits
We will need to know 2 representations today: circuit and CNF.
Both represent closed functions, in the form f(x) = TRUE.
CNF: (x1 x’1) (x1 x’1)
Circuit: (x1 & x’1) or (x1 & x’1)
[Figure: the circuit drawn over X1 and X’1 with output TRUE]
X1’ = not X1
Bounded model checking
Given: a finite transition system M(I, T); a propositional property P.
Determine: does M allow a counterexample to P of k transitions or fewer?
Scale: can reach more than 10000 FF.
The main idea
Apply BMC on a large model.
Perform proof-based abstraction and get a smaller model.
Apply model checking to the small model.
BMC
State vectors {x_i}, 1 ≤ i ≤ k, one for each cycle i.
The propositional formula I(x0) ∧ T(x0, x1) ∧ … ∧ T(xk-1, xk) ∧ ¬P(xk)
is SAT iff the property does not hold at cycle k.
[Annotation: I(x0) ∧ T(…) ∧ … is the program path for k phases; ¬P(xk) is the final condition on cycle k]
BMC
How do we represent a formula that says “there is a bug at some phase up to phase K”?
Circuit to CNF translation
Circ2CNF:
[Figure: a two-input gate G with inputs x, y and output g]
(x g) (y g) (x y g)
SAT solver
Solves propositional formulas in CNF format, for example (x1 ∨ x2) ∧ (x3 ∨ x5).
Uses the resolution-based algorithm DPLL.
Resolution rule: (A ∨ x) (B ∨ ¬x) ⊢ (A ∨ B)
SAT solver-DPLL
While (no empty clause):
    decide on some unassigned var;
    If (BCP returns conflict):
        record a new conflict clause using resolution;
        backtrack to satisfy that clause.
SAT solver - BCP
While there is some clause C = (x1 ∨ x2 ∨ … ∨ xn) whose literals x1, …, xn-1 are all FALSE under the partial assignment AND xn is unassigned:
    extend the assignment with xn = TRUE;
    set C to be the reason clause of xn.
If all literals of C are FALSE, then stop and return C as a conflicting clause.
BCP example: clauses (a b) (b c d)
[Figure: decisions on a and c; BCP implies b from (a b) and d from (b c d); assignment: a b c d]
BCP-cont.
Each assigned variable is either a decision variable or was implied by a reason clause (an implied variable).
Let C(v) be the reason clause for setting literal v = TRUE. Suppose C’(t) is another reason clause (for variable t) that contains ¬v. Then C and C’ are a valid resolution pair on v, i.e. they do not have any other variable with different polarity.
BCP-cont.
Proof: falsely assume that there is a literal x s.t. x ∈ C and ¬x ∈ C’.
1. C’ implied t after C implied v.
2. x was FALSE when C implied v.
3. Therefore, C’ contained the satisfied literal ¬x when it implied t, which contradicts the condition that all its literals but one are falsified.
SAT solver-DPLL
While (no empty clause):
    decide on some unassigned var;
    If (BCP returns conflict):
        record a new conflict clause using resolution;
        backtrack to satisfy that clause.
Resolution algorithm
Set Conf = a conflicting clause from BCP.
While a stopping condition did not occur, do:
1. Choose some implied literal v from Conf.
2. Conf = Resolve(Conf, C(v))
Conflicting intermediate
Conflicting clauses: (a b) (b c d) (b d)
[Figure: decisions on a and c; assignment: a b c d; (b d) is conflicting]
resolve → (b c)
resolve → (a c): new conflict clause
Resolution algorithm
If we draw a binary node for each resolution step, then each run of the resolution algorithm will look like a binary tree in the form of a string, i.e. each inner node has a leaf child.
The source of the tree is a new conflict clause.
The global graph will not look like a tree, though.
[Figure: i1 = Resolve(O1, O2)]
Resolution Graph
[Figure: binary DAG over original clauses O1…O7 with intermediate clauses i1…i4 and conflict clauses C-1…C-3]
Binary DAG with intermediate and conflict clauses.
Each node in the graph is derived from its descendants.
[Figure: the collapsed DAG with multi-degree nodes C-1, C-2, C-3 over O1…O7]
Resolution Graph
If DPLL finished with UNSAT, then the resolution graph of its run will have a source node with the empty clause.
Is it the only source? No. There can be many others.
Is it the only source with the empty clause? Yes. This is implied by the terminal condition of DPLL.
Resolution Graph
The whole resolution graph denotes exactly a resolution trace of DPLL. However, it is not possible to extract the order of decisions and their values (the DPLL run) from this graph.
Denote by G_F the resolution graph of the solver’s run on an unsatisfiable formula F. G_F is not unique: it is determined by the specific solver (a hidden parameter).
Resolution Graph
Let Core(G_F) = Descendants(empty clause) ∩ F.
Core(G_F) is still an unsatisfiable formula.
Assumption 1: usually Core(G_F) is much smaller than F.
Assumption 2: Var(Core(G_F)) is much smaller than Var(F).
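An added example covering the BCP, resolution-algorithm, conflict-example and Core(G_F) slides above (my own toy solver, not code from the talk or from McMillan and Amla): BCP records a reason clause per implied variable, a conflict is analysed by resolving with reason clauses until only decision literals remain, every resolvent becomes a node of the resolution graph, and the core is the set of original clauses reachable from the derived empty clause. The negation marks on the slides did not survive extraction, so the polarities used for the slide's clauses, (a ∨ b), (¬b ∨ c ∨ d), (¬b ∨ ¬d) with decisions ¬a and ¬c, are an assumption chosen because they reproduce the slide's resolvents (¬b ∨ c) and (a ∨ c); the UNSAT formula with two irrelevant clauses is constructed.

```python
class ProofSolver:
    """Toy DPLL: BCP with reason clauses, resolution-based learning, a recorded
    resolution graph and Core(G_F) extraction.  Literal v = var v TRUE, -v = FALSE."""

    def __init__(self, clauses):
        self.clauses = [frozenset(c) for c in clauses]   # originals first, derived after
        self.n_orig = len(self.clauses)
        self.vars = sorted({abs(l) for c in self.clauses for l in c})
        self.parents = {}        # derived clause index -> (left, right) resolution pair
        self.assign, self.reason, self.level, self.trail = {}, {}, {}, []

    def resolve(self, i, j, v):
        """Resolution rule (A ∨ v)(B ∨ ¬v) ⊢ (A ∨ B); the resolvent is a new graph node."""
        a, b = self.clauses[i], self.clauses[j]
        assert (v in a and -v in b) or (-v in a and v in b), "not a resolution pair"
        self.clauses.append((a | b) - {v, -v})
        self.parents[len(self.clauses) - 1] = (i, j)
        return len(self.clauses) - 1

    def value(self, lit):                    # TRUE / FALSE / None (unassigned)
        val = self.assign.get(abs(lit))
        return None if val is None else val == (lit > 0)

    def set_literal(self, lit, why, lvl):    # why: reason clause index, None = decision
        self.assign[abs(lit)], self.reason[abs(lit)], self.level[abs(lit)] = lit > 0, why, lvl
        self.trail.append(abs(lit))

    def bcp(self, lvl):
        """Unit propagation: returns the index of a conflicting clause, or None."""
        changed = True
        while changed:
            changed = False
            for idx, c in enumerate(self.clauses):
                if any(self.value(l) for l in c):
                    continue                            # already satisfied
                free = [l for l in c if self.value(l) is None]
                if not free:
                    return idx                          # all literals FALSE: conflict
                if len(free) == 1:                      # unit: imply it, C is its reason
                    self.set_literal(free[0], idx, lvl)
                    changed = True
        return None

    def analyze(self, conf):
        """Resolution algorithm: resolve Conf with the reason clause of its most
        recently implied literal until only decision literals remain."""
        while True:
            implied = [abs(l) for l in self.clauses[conf] if self.reason[abs(l)] is not None]
            if not implied:
                return conf
            v = max(implied, key=self.trail.index)
            conf = self.resolve(conf, self.reason[v], v)

    def backtrack(self, lvl):                # undo everything above decision level lvl
        while self.trail and self.level[self.trail[-1]] > lvl:
            v = self.trail.pop()
            del self.assign[v], self.reason[v], self.level[v]

    def solve(self):
        """(True, model) if SAT, else (False, index of the derived empty clause)."""
        lvl = 0
        while True:
            conf = self.bcp(lvl)
            if conf is None:
                free = [v for v in self.vars if v not in self.assign]
                if not free:
                    return True, dict(self.assign)
                lvl += 1
                self.set_literal(-free[0], None, lvl)   # decision: try FALSE first
                continue
            learned = self.analyze(conf)
            if not self.clauses[learned]:
                return False, learned                   # empty clause derived: UNSAT
            # the learned clause is all-FALSE over decisions only: undo the deepest of
            # them so the clause becomes unit and BCP flips that decision
            lvl = max(self.level[abs(l)] for l in self.clauses[learned]) - 1
            self.backtrack(lvl)

    def core(self, empty_idx):
        """Core(G_F): original clauses that are ancestors of the empty clause."""
        seen, stack = set(), [empty_idx]
        while stack:
            i = stack.pop()
            if i not in seen:
                seen.add(i)
                stack.extend(self.parents.get(i, ()))
        return sorted(i for i in seen if i < self.n_orig)


# Clauses of the BCP / conflict slides, polarity assumed (see lead-in): a=1 b=2 c=3 d=4
SLIDE = [{1, 2}, {-2, 3, 4}, {-2, -4}]

def slide_conflict_analysis():
    # replay the slide's trail by hand: decide ¬a; (a∨b) implies b; decide ¬c;
    # (¬b∨c∨d) implies d; then run the resolution algorithm from (¬b∨¬d)
    s = ProofSolver(SLIDE)
    for lit, why in [(-1, None), (2, 0), (-3, None), (4, 1)]:
        s.set_literal(lit, why, 0)
    s.analyze(2)
    return s.clauses[3:]                     # the resolvents, in derivation order

# Constructed UNSAT formula: clauses 0-3 contradict on a, b; clauses 4-5 are irrelevant
UNSAT = [{1, 2}, {1, -2}, {-1, 2}, {-1, -2}, {3, 4}, {-3, 5}]

def unsat_core_of(clauses):
    s = ProofSolver(clauses)
    ok, empty = s.solve()
    return None if ok else s.core(empty)
```

slide_conflict_analysis() installs the slide's trail by hand because full BCP on those three clauses would propagate ¬d from (¬b ∨ ¬d) before d is ever implied, so a real run never reaches that particular conflict; it yields (¬b ∨ c) and then (a ∨ c), as on the slide. unsat_core_of(UNSAT) runs the solver for real: the two clauses on c, d, e never enter the proof, so Core(G_F) is the four clauses on a, b, a strictly smaller formula than F, which is assumption 1 in the small.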
Applications
Suppose Tc is the circuit representation of the transition constraint. Circ2CNF(func, i) translates a circuit to its CNF representation at phase i. Then
T(x_{i-1}, x_i) = Circ2CNF(Tc, i)
[Figure: a path with a bug at some phase]
Abstraction of the problem
Abstract(Tc, Core(F_k)) = { g ∈ Tc | ∃ i ≤ k : Circ2CNF(g, i) ∩ Core(F_k) ≠ ∅ }
Abstract(Tc, Core(F_k)) is like the inverse image of Core(F_k) with respect to Circ2CNF.
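An added example, not code from the talk or the paper, tying together the Circ2CNF slide, the BMC unrolling F_k and the Abstract definition above: every clause is tagged with the (gate, phase) that produced it, so the inverse image of a core is a set lookup. The per-gate clause triple on the Circ2CNF slide is the Tseitin form; here each constraint gate is encoded directly from its truth table, which keeps the same gate-to-clause mapping the abstraction needs. The SAT check is brute-force enumeration and the core is a deletion-based minimal unsatisfiable subset, both stand-ins for the DPLL run and for reading Core(G_F) off its resolution proof; the 2-bit counter circuit with an unrelated toggling latch z is constructed.

```python
from itertools import product

# Constructed circuit Tc.  A constraint gate is a closed function over the current
# state, the inputs and the next state that must be TRUE on every transition; each
# gate lists the variables it reads so its CNF stays small.  c0,c1 is a 2-bit counter
# stepped by input en; z is an unrelated toggling latch.
GATES = {  # name: (current vars read, next vars constrained, predicate)
    "c0": (["c0", "en"], ["c0"], lambda cur, nxt: nxt["c0"] == (cur["c0"] ^ cur["en"])),
    "c1": (["c0", "c1", "en"], ["c1"],
           lambda cur, nxt: nxt["c1"] == (cur["c1"] ^ (cur["c0"] and cur["en"]))),
    "z":  (["z"], ["z"], lambda cur, nxt: nxt["z"] == (not cur["z"])),
}
INIT = (["c0", "c1", "z"], lambda s: not (s["c0"] or s["c1"] or s["z"]))  # I: all zero
PROP = (["c0", "c1"], lambda s: not (s["c1"] and s["c0"]))              # P: never 3


def rows_to_cnf(names, pred, tag):
    """Circuit-to-CNF for the closed constraint pred = TRUE: one clause forbidding
    each falsifying row of its truth table.  Variables are phase-indexed pairs
    (name, phase), a literal is (var, polarity), each clause carries its tag."""
    out = []
    for bits in product([False, True], repeat=len(names)):
        if not pred(dict(zip(names, bits))):
            out.append((tag, frozenset((v, not b) for v, b in zip(names, bits))))
    return out


def circ2cnf(gate, i):
    """Circ2CNF(g, i): the clauses of gate g between phase i-1 and phase i, tagged (g, i)."""
    cur, nxt, pred = GATES[gate]
    names = [(v, i - 1) for v in cur] + [(v, i) for v in nxt]
    closed = lambda env: pred({v: env[(v, i - 1)] for v in cur}, {v: env[(v, i)] for v in nxt})
    return rows_to_cnf(names, closed, (gate, i))


def state_cnf(spec, phase, tag, negate=False):
    """Clauses of a state predicate (or its negation) at one phase."""
    vs, pred = spec
    return rows_to_cnf([(v, phase) for v in vs],
                       lambda env: pred({v: env[(v, phase)] for v in vs}) != negate, tag)


def unroll(k):
    """F_k = I(x0) ∧ T(x0,x1) ∧ … ∧ T(x_{k-1},x_k) ∧ ¬P(x_k), T being the gates' CNF."""
    f = state_cnf(INIT, 0, ("I", 0))
    for i in range(1, k + 1):
        for g in GATES:
            f += circ2cnf(g, i)
    return f + state_cnf(PROP, k, ("notP", k), negate=True)


def sat(clauses):
    """Brute-force satisfiability (stand-in for the DPLL solver): a model, or None."""
    vs = sorted({v for _, c in clauses for v, _ in c})
    for bits in product([False, True], repeat=len(vs)):
        env = dict(zip(vs, bits))
        if all(any(env[v] == pol for v, pol in c) for _, c in clauses):
            return env
    return None


def unsat_core(clauses):
    """Minimal unsatisfiable subset by deletion: stand-in for Core(G_F), which the
    paper reads off the solver's resolution proof instead of recomputing."""
    core = list(clauses)
    for c in list(core):
        rest = [d for d in core if d is not c]
        if sat(rest) is None:
            core = rest
    return core


def abstract(core):
    """Abstract(Tc, Core(F_k)) = { g ∈ Tc | ∃ i ≤ k : Circ2CNF(g, i) ∩ Core(F_k) ≠ ∅ }."""
    return {tag[0] for tag, _ in core if tag[0] in GATES}


def bmc(k):
    """One FiniteRun step: ("SAT", model) is a BUG; ("UNSAT", gates) is the abstract model."""
    f = unroll(k)
    model = sat(f)
    return ("SAT", model) if model is not None else ("UNSAT", abstract(unsat_core(f)))
```

bmc(2) is UNSAT: the counter cannot show 3 within two steps, and no z clause survives in the core, so Abstract keeps only the c0 and c1 gates and the toggling latch disappears from M’ (the branch of FiniteRun where the small model is handed to the model checker). bmc(3) is SAT with en TRUE at every phase, the BUG branch with its satisfying assignment.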
Special effects
[Figure: Tc -> (Circ2CNF) -> F_k; Core(F_k) ⊆ F_k; Core(F_k) -> (Circ2CNF^-1) -> Abstract(Tc)]
Main Algorithm
FiniteRun( M = (Ic, Tc, P) ):
    Set k ← 0
    While TRUE:
        If BMC(F_k) = SAT then return BUG with the satisfying assignment
        else
            M’ = Abstract(Core(F_k))
            ModelCheck M’
            If M’ has an accepting run of length k’ then Set k ← k’
            else return “VALID property”
Notes: Can it be that k’ < k? Assumes that M’ is smaller than M.
Question
What about liveness?
Reminder
Using a Büchi automaton, we can create a product automaton A := M × ~P.
Checking liveness is equivalent to checking for emptiness of A.
We need to find an infinite run on which an accepting state is crossed infinitely often.
Liveness properties
There is an infinite run on which formula G is satisfied infinitely often.
There is a run x0, …, xk s.t.:
T(xi, xi+1) is satisfied;
I(x0) is satisfied;
for some 0 ≤ m < k, xm = xk;
for some m ≤ j ≤ k, G(xj) is TRUE.
Liveness BMC
CNF formula:
Run FiniteRun on this formula the same way.
Optimizations
Cone of influence.
Variable substitutions: (f = q) => replace all occurrences of f by q.
Pure variables.
Results
20 safety samples; none of them could be solved by MC.
After applying abstraction, 18 were solved: BMC, abstracted, and then solved by MC.
2 were stuck during BMC.
The next article
Hybrid approach (or proof-based refinement)
The problem
Suppose we have the original model M and its abstract buddy .
We want to check the case when  is SAT and we have a counterexample A for .
We need to check the formula . In case it is SAT, we are done and have a real counterexample. In case it is UNSAT, we want to refine .
Proof-based refinement (by Chauhan et al.)
Consider the proof P of . There is at least one clause in P that is not contained in . In other words, there is at least one gate in M that is not in , which helps to refute A.
Proof-based refinement
Given proof P, for any set of constraints (gates) Q, we define:
We refine by setting:
Proof-based refinement
Recall that  is exactly like the definition of the abstract set from the previous paper.
Where is the difference?
Proof-based abstraction :
Refinement:
Hybrid method: a heuristic approach to tune between these 2 methods.
The idea is to use the SAT solver to try to do refinement of all counterexamples of length k (A = ) and then to refine with A.
Concretize
Input: F_k
Decide the decisions from A.
Res = SAT_Solve(TimeLimit)
If (Res != TimeOut) Return Res;
Add A to the CNF formula.
Return SAT_Solve()
Results
It is compared with the CEX approach and pure proof-based abstraction.
It is presented as superior to CEX and similar to proof-based.
The END
Thank you