Slide 1

Abstraction Refinement for Bounded Model Checking

Anubhav Gupta, CMU
Ofer Strichman, Technion

Highly Jet Lagged

(Slide transcript; posted on 21-Dec-2015)

Slide 2

Bounded Model Checking (BMC)

- Search for bugs in executions of a bounded length
- Generates a propositional formula that is satisfiable if and only if there is a counterexample of length k
- Extremely efficient SAT-solvers are available

Slide 3

BMC - Implementation

[Figure: BMC flow chart. The bound-k formula goes to an incremental SAT solver: Sat -> BUG; Unsat -> increase the bound and loop, or report NO BUG once the bound limit is reached.]

Slide 4

Abstraction for BDD-based Model Checking

- Model checking complexity is proportional to BDD size
- Abstraction -> smaller BDD
- How to identify the abstraction?

Slide 5

Counterexample Guided Abstraction Refinement (CEGAR)

[Figure: CEGAR loop. Model-check (MC) the abstract model: Pass -> TRUE; Fail -> check whether the abstract counterexample is real on the concrete model: Yes -> BUG, No -> refine the abstraction and repeat.]

Slide 6

Inside a SAT-Solver

- Davis-Putnam-Logemann-Loveland (DPLL) procedure
- Decisions
- Boolean Constraint Propagation (BCP)
- Conflict Analysis, Backtrack

[Figure: search tree]

Slide 7

Decisions

- Identify a good variable and assign it a value
- Many variable selection heuristics
  - Give preference to variables that are involved in conflicts
  - Order is continuously updated
  - Like abstraction-refinement
- These heuristics try to reduce the size of the search tree

Slide 8

BCP

- Identify assignments implied by the unit-clause rule
- 90% of run-time in solver spent on BCP
- Time spent on BCP is proportional to the size of the CNF

Slide 9

Conflict Analysis and Backtrack

- Identify variable assignments responsible for infeasibility of current search path
- Ensures that assignments are locally consistent
- Prune away irrelevant parts of the search tree

Slide 10

Abstraction for BMC

[Figure: Abstraction -> smaller CNF]

Slide 11

Why Abstraction for BMC?

- Variable selection can focus on important variables
- Solver can ignore local conflicts that are irrelevant to the property
- BCP is faster on smaller CNF
- How to identify the abstraction?

Slide 12

CEGAR for BMC

- Apply CEGAR to BMC
- Refinement:
  - SAT-solvers produce proofs of unsatisfiability
  - Proofs have been used successfully for refinement in CEGAR for model checking
  - Proofs provide an efficient and inexpensive refinement mechanism for CEGAR on BMC

Slide 13

Counterexample Guided Bounded Model Checking (CG-BMC)

[Figure: CG-BMC flow chart. The abstract bound-k formula goes to a SAT solver: Unsat -> NO BUG at this bound; Sat -> check the abstract counterexample on the concrete model with a second SAT call: Sat -> BUG, Unsat -> refine the abstraction and repeat.]

Slide 14

CG-BMC

- Abstract model: model that refutes previously seen spurious counterexamples
- Forces solver to find full abstract trace before attempting to refute it
- Solver is not lost in local conflicts
- Most of the BCP is performed on smaller abstract model

[Figure: abstract model drawn inside the concrete model]
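The pipeline of slides 2, 3, 6 to 9 and 12 to 14 as one worked example. This is added here and is not the authors' code or the zChaff-based implementation the talk describes: a minimal DPLL solver (BCP by the unit-clause rule, decisions, backtracks counted), BMC unrolling of a constructed three-latch shift register, and the CG-BMC loop that solves the abstract CNF first, re-checks a satisfying abstract trace on the concrete CNF under unit-clause assumptions, and refines when the trace is spurious. The circuit, the property G(not c), the latch-level abstraction, and the deletion-based unsat core that stands in for reading the refinement off the solver's proof are all assumptions of this example; the solver is not incremental and re-unrolls the formula on every call.

```python
"""Added example (not the authors' code): minimal DPLL solver, BMC unrolling of
a constructed 3-latch shift register, and a CG-BMC loop that solves an abstract
CNF (only some latches constrained) and refines it when the concrete model
refutes the trace.  Circuit, property and deletion-based core are assumptions."""

# Constructed circuit: latches a, b, c and a free input i; a' = i, b' = a,
# c' = b, all latches initially 0.  Property G(not c): the bad state is c = 1.
LATCHES = ["a", "b", "c"]
NEXT = {"a": "i", "b": "a", "c": "b"}
INIT = {"a": False, "b": False, "c": False}
BAD = "c"


class Encoder:
    """Maps (signal, time) pairs to positive DIMACS-style variable numbers."""
    def __init__(self):
        self.ids = {}

    def var(self, name, t):
        return self.ids.setdefault((name, t), len(self.ids) + 1)

    def unroll(self, k, latches):
        """Bound-k BMC formula: init, k transitions, bad state at step k.  Only
        latches in `latches` are constrained; the others act as free inputs."""
        cnf = []
        for l in latches:
            cnf.append([self.var(l, 0) if INIT[l] else -self.var(l, 0)])
            for t in range(k):
                x, y = self.var(l, t + 1), self.var(NEXT[l], t)
                cnf += [[-x, y], [x, -y]]          # x <-> y
        cnf.append([self.var(BAD, k)])
        return cnf

    def decode(self, model):
        return {key: model[v] for key, v in self.ids.items() if v in model}


class DPLL:
    """Recursive DPLL: BCP by the unit-clause rule, decide the lowest free
    variable, backtrack on conflict; backtracks are counted as on slide 19."""
    def __init__(self):
        self.backtracks = 0

    def solve(self, cnf):
        return self._search(cnf, {}, {abs(l) for c in cnf for l in c})

    def _search(self, cnf, assign, variables):
        assign = dict(assign)
        while True:                                # BCP to a fixpoint
            for c in cnf:
                if any(assign.get(abs(l)) == (l > 0) for l in c):
                    continue                       # clause already satisfied
                free = [l for l in c if abs(l) not in assign]
                if not free:
                    return None                    # conflict: every literal false
                if len(free) == 1:                 # unit clause: force its literal
                    assign[abs(free[0])] = free[0] > 0
                    break
            else:
                break                              # no unit clause left
        unassigned = variables - set(assign)
        if not unassigned:
            return assign
        v = min(unassigned)                        # decision
        for value in (True, False):
            model = self._search(cnf, {**assign, v: value}, variables)
            if model is not None:
                return model
            self.backtracks += 1
        return None


def cg_bmc(max_k):
    """CG-BMC over bounds 0..max_k: Unsat on the abstract CNF means no bug at this
    bound (abstraction kept); a satisfying abstract trace is re-checked on the
    concrete CNF as unit-clause assumptions and, if refuted, drives refinement."""
    enc, solver = Encoder(), DPLL()
    abstract = {BAD}                               # begin with the property's latch
    for k in range(max_k + 1):
        while True:
            trace = solver.solve(enc.unroll(k, abstract))
            if trace is None:
                break                              # NO BUG at bound k
            assumptions = [[v if val else -v] for v, val in trace.items()]
            if solver.solve(enc.unroll(k, LATCHES) + assumptions) is not None:
                return "BUG", k, enc.decode(trace), abstract
            # Spurious: deletion-based core over the missing latches, a cheap
            # stand-in for reading them off the solver's proof of unsatisfiability.
            needed = [l for l in LATCHES if l not in abstract]
            for l in list(needed):
                rest = [x for x in needed if x != l]
                if solver.solve(enc.unroll(k, abstract | set(rest)) + assumptions) is None:
                    needed = rest
            abstract |= set(needed)
    return "NOBUG", max_k, None, abstract          # (verdict, k, trace, abstraction)


if __name__ == "__main__":
    print(cg_bmc(3)[:2])                           # ('BUG', 3)
```

Running it reports ('BUG', 3): bounds 0 to 2 are discharged, the abstraction grows from {c} to {b, c} after the first spurious trace (the abstract model let b0 be 1, which the concrete initial state refutes) and to {a, b, c} after the second, and at bound 3 the abstract trace i0 = 1, a1 = 1, b2 = 1, c3 = 1 survives the concrete check. Two simplifications relative to the talk: one non-incremental solver is used where slide 18 keeps two incremental solvers, and the core is found by repeated solves where the real method reads the refinement off a single unsatisfiability proof.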

Slide 15

A more robust CG-BMC

- The following scenario was observed on some benchmarks:
  - Current abstract model is sufficient to prove the property
  - Proving the property on abstract model is hard: BMC on abstract model is slow
  - There exists an easier proof using additional constraints from concrete model: BMC on concrete model is faster
  - CG-BMC gets stuck on abstract model
- Solution: Timeouts

Slide 16

CG-BMC with Timeouts (CG-BMC-T)

[Figure: the CG-BMC flow chart with a time limit (Time) on the SAT calls; on timeout, control leaves the current model instead of staying stuck, otherwise the Sat/Unsat outcomes are handled as in CG-BMC (BUG, NO BUG, or refine).]

Slide 17

Related Work

- Refining the SAT decision ordering for bounded model checking, Wang et al., DAC 2004
  - Variables in current abstract model are given preference in variable splitting order
  - Static Method: Always decide first on variables in abstract model
  - Dynamic Method: Switch to default solver-heuristic after a threshold number of backtracks
- Solver works on the whole CNF
  - BCP is expensive
  - Potential for irrelevant conflicts

Slide 18

Our CG-BMC Implementation

[Figure: the CG-BMC flow chart built on two incremental solvers: IncrementalSolver1 holds the abstract model and IncrementalSolver2 the concrete model; Unsat on the abstract side -> NO BUG, Sat on the abstract side is checked on the concrete side (Sat -> BUG, Unsat -> refine).]

Slide 19

Experiments

- PicoJava Benchmarks - derived from compositional verification of ICU (Source: Ken McMillan)
- Implementation on top of zChaff
- Comparison with BMC and Wang et al.
- Timeout = 2hrs
- Max Depth (K) = 60
- Measured run-time and number of backtracks

Slide 20

CG-BMC vs. BMC (Run-time)

[Figure: per-circuit bar chart, Time (s) on a log scale from 1 to 10000; series: BMC, CG-BMC, CG-BMC-T]

Slide 21

CG-BMC vs. BMC (Backtracks)

[Figure: per-circuit bar chart, Backtracks on a log scale from 1 to 1000000; series: BMC, CG-BMC, CG-BMC-T]

Slide 22

CG-BMC vs. Wang et al. (Run-time)

[Figure: per-circuit bar chart, Time (s) on a log scale from 1 to 10000; series: Static, Dynamic, CG-BMC, CG-BMC-T]

Slide 23

CG-BMC vs. Wang et al. (Backtracks)

[Figure: per-circuit bar chart, Backtracks on a log scale from 1 to 1000000; series: Static, Dynamic, CG-BMC, CG-BMC-T]

Slide 24

Conclusions

- Abstraction refinement makes BMC faster
  - Reduction in number of backtracks
  - Reduction in BCP time

Slide 25

Future Work

- CG-BMC inside a SAT-solver
  - Abstraction levels for clauses
  - Ignore clauses in lower levels until all higher levels are satisfied
  - Move clauses up (and down) across levels
- Application to SAT-solving in general

Slide 26

Questions?