Model Checking Based on Interpolation
K. L. McMillan, Cadence Berkeley Labs
Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification.
Interpolation
• If A ∧ B = false, there exists an interpolant A' for (A,B) such that:
  – A ⇒ A'
  – A' ∧ B = false
  – A' refers only to common variables of A,B
• Example:
  – A = p ∧ q, B = ¬q ∧ r, A' = q
• Interpolants from proofs
  – given a resolution refutation of A ∧ B, A' can be derived in linear time.
(Craig,57)
(Pudlak,Krajicek,97)
Interpolation-based MC
• Combining “bounded model checking” and interpolation gives us
  – A means of over-approximate image computation
  – Hence, reachability analysis
• Method is complete for systems of finite diameter.
• Modern SAT solvers naturally produce resolution refutations
  – Leads to fully SAT-based model checking.
Outline
• Computing interpolants
• Interpolation-based image computation
• Model checking finite state systems
Resolution
• Modern SAT solvers naturally produce refutations for CNF formulas using resolution
• Interpolants can be derived from such refutations in linear time.
Resolution rule:
  (A ∨ p)   (¬p ∨ B)
  ------------------
        (A ∨ B)
Example
• Interpolant is a circuit that follows structure of the proof.
A = (b)(¬b ∨ c)    B = (¬c ∨ d)(¬d)
Refutation (resolving on b, then c, then d):
  (b)  (¬b ∨ c)
      (c)  (¬c ∨ d)
          (d)  (¬d)
              ⊥
Interpolant A' = c
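The linear-time derivation of the interpolant from a resolution refutation, run on the example above (an added illustration, not the slides' own code; the labelling rule follows McMillan's construction, the clause/proof encoding and the brute-force Craig check are this example's own):

```python
from itertools import product

# Literals are strings such as "c" or "-c"; a clause is a frozenset of literals.
def var(lit): return lit.lstrip("-")
def neg(lit): return lit[1:] if lit.startswith("-") else "-" + lit
def side(proof, k): return {s[2] for s in proof if s[1] == k}  # clauses of A or B
def interpolant(proof):
    """McMillan's rule: label each clause of a resolution refutation of A ∧ B with a partial
    interpolant; the empty clause's label is A'. Steps: (name, "A"|"B", clause) or (name, "res", p1, p2, pivot)."""
    b_vars = {var(l) for c in side(proof, "B") for l in c}
    shared = {var(l) for c in side(proof, "A") for l in c} & b_vars
    derived = {}
    for name, kind, *src in proof:
        if kind == "A":        # A-clause: disjunction of its global literals (false if none)
            cl, lits = src[0], [("lit", l) for l in src[0] if var(l) in shared]
            f = ("or", *lits) if lits else ("const", False)
        elif kind == "B":      # B-clause: true
            cl, f = src[0], ("const", True)
        else:                  # resolution: p1 holds the pivot v, p2 holds -v
            (c1, f1), (c2, f2), v = derived[src[0]], derived[src[1]], src[2]
            assert v in c1 and neg(v) in c2, "bad pivot"
            cl = (c1 - {v}) | (c2 - {neg(v)})
            # pivot local to A: disjoin the parents' labels; otherwise conjoin them
            f = ("or", f1, f2) if v not in b_vars else ("and", f1, f2)
        derived[name] = (cl, f)
    assert cl == frozenset(), "proof must end in the empty clause"
    return f, shared

def evaluate(f, asg):
    if f[0] == "const": return f[1]
    if f[0] == "lit": return asg[var(f[1])] != f[1].startswith("-")
    vals = [evaluate(g, asg) for g in f[1:]]
    return any(vals) if f[0] == "or" else all(vals)

def craig_ok(proof, f):
    """Brute-force A ⇒ A' and A' ∧ B = false over every assignment."""
    holds = lambda cls, asg: all(any(evaluate(("lit", l), asg) for l in c) for c in cls)
    a_cls, b_cls = side(proof, "A"), side(proof, "B")
    vs = sorted({var(l) for c in a_cls | b_cls for l in c})
    for bits in product([False, True], repeat=len(vs)):
        asg = dict(zip(vs, bits))
        if holds(a_cls, asg) and not evaluate(f, asg): return False
        if evaluate(f, asg) and holds(b_cls, asg): return False
    return True

# The slide's example: A = (b)(¬b ∨ c), B = (¬c ∨ d)(¬d), refuted in three resolutions.
PROOF = [("a1", "A", frozenset({"b"})), ("a2", "A", frozenset({"-b", "c"})),
         ("b1", "B", frozenset({"-c", "d"})), ("b2", "B", frozenset({"-d"})),
         ("r1", "res", "a1", "a2", "b"),   # (b), (¬b ∨ c) → (c)
         ("r2", "res", "r1", "b1", "c"),   # (c), (¬c ∨ d) → (d)
         ("r3", "res", "r2", "b2", "d")]   # (d), (¬d) → empty clause
```

The label of the empty clause simplifies to c, the interpolant the slide names; only the shared variable c ever enters a label, which is why the third Craig condition holds by construction.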
DPLL SAT solvers
• Given a propositional formula in CNF:
  – Produce a satisfying assignment
  – Produce a resolution refutation
Current solvers, like Chaff and BerkMin, are highly efficient, especially in the case when there is a small “core” of clauses that are unsatisfiable.
An interpolating SAT solver
[Figure: data flow: (A,B) in CNF → SAT solver → proof → Interpolation → A']
Interpolation-based MC
• Exploit interpolation to compute an over-approximate image operator.
  – Allows symbolic model checking
  – Procedure is complete for finite diameter systems
Modeling
System modeled by a transition constraint
[Figure: circuit with inputs a and b feeding an AND gate with output g, an OR gate combining g and c with output p, and a latch whose next state c' is p]
Each circuit element induces a constraint (note: a = a_t and a' = a_(t+1)):
g = a ∧ b
p = g ∨ c
c' = p
Model:
C = { g = a ∧ b, p = g ∨ c, c' = p }
Bounded model checking
• Unfold the model k times:
  U = C0 ∧ C1 ∧ ... ∧ Ck-1
[Figure: k copies of the circuit (a, b, c, p, g) chained in time, from I0 at the left to Fk at the right]
• Use SAT solver to check satisfiability of I0 ∧ U ∧ Fk
• If unsatisfiable:
  • property has no Cex of length k
  • can produce a refutation proof P
Reachability
• Is there a path (of any length) from I to F satisfying transition constraint C?
• Reachability fixed point:
  R0 = I
  Ri+1 = Ri ∨ Img(Ri,C)
  R = ∨i Ri
• Image operator:
  Img(P,C) = λV'. ∃V. (P(V) ∧ C(V,V'))
• F is reachable iff R ∧ F ≠ false
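The unfolding U = C0 ∧ ... ∧ Ck-1 and the exact image/fixed point of the last three slides, worked on the slides' own circuit (an added example, not the slides' code). It assumes the initial and target predicates I and F, which the slides do not give, and decides satisfiability by enumerating the timed variable copies instead of calling a SAT solver:

```python
from itertools import product

B = (False, True)

def C(a, b, c, g, p, c_next):
    """Transition constraint of the slide's circuit: g = a ∧ b, p = g ∨ c, c' = p."""
    return g == (a and b) and p == (g or c) and c_next == p

def bmc(I, F, k):
    """Decide I0 ∧ U ∧ Fk with U = C0 ∧ ... ∧ Ck-1 by brute force over the timed copies
    a_t, b_t (t < k) and c_t (t <= k); g_t and p_t are determined by a_t, b_t, c_t.
    Returns the state trace c_0..c_k of a counterexample of length k, else None."""
    for bits in product(B, repeat=3 * k + 1):
        c, ab = bits[:k + 1], bits[k + 1:]
        if not (I(c[0]) and F(c[k])):
            continue
        if all(C(ab[2*t], ab[2*t+1], c[t], ab[2*t] and ab[2*t+1],
                (ab[2*t] and ab[2*t+1]) or c[t], c[t+1]) for t in range(k)):
            return list(c)
    return None

def img(P):
    """Img(P,C) = λc'. ∃a,b,c,g,p. P(c) ∧ C(a,b,c,g,p,c'), as a set of next states."""
    return {cn for cn in B for a in B for b in B for c in P
            if C(a, b, c, a and b, (a and b) or c, cn)}

def reach(I):
    """Exact reachability fixed point R0 = I, Ri+1 = Ri ∨ Img(Ri,C)."""
    R = {c for c in B if I(c)}
    while True:
        R_next = R | img(R)
        if R_next == R:
            return R
        R = R_next

# Constructed properties (not from the slides): can the latch, once set, ever clear?
I_SET, F_CLEAR = (lambda c: c), (lambda c: not c)
```

For I_SET/F_CLEAR the bounded check is unsatisfiable at every k, which by itself never proves unreachability; the fixed point R = {c = true} with R ∧ F = false does, and that gap is what the interpolation-based image closes in the slides that follow.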
Reachability
[Figure: nested sets I, R1, R2, ..., R and the set F, with R1 = I ∨ Img(I,C) and R2 = R1 ∨ Img(R1,C)]
Overapproximation
• An overapproximate image op. is Img' s.t. for all P, Img(P,C) implies Img'(P,C)
• Overapproximate reachability:
  R'0 = I
  R'i+1 = R'i ∨ Img'(R'i,C)
  R' = ∨i R'i
• Img' is adequate (w.r.t.) F, when
  – if P cannot reach F, Img’(P,C) cannot reach F
• If Img' is adequate, then
  – F is reachable iff R' ∧ F ≠ false
Adequate image
[Figure: regions P and F; Img(P,C) contained in Img’(P,C); the states reached from P are drawn apart from the states that can reach F]
But how do you get an adequate Img'?
k-adequate image operator
• Img' is k-adequate (w.r.t.) F, when
  – if P cannot reach F, Img’(P,C) cannot reach F within k steps
• Note, if k > diameter, then k-adequate is equivalent to adequate.
Interpolation-based image
• Idea -- use unfolding to enforce k-adequacy
  A = P-1 ∧ C-1
  B = C0 ∧ C1 ∧ ... ∧ Ck-1 ∧ Fk
[Figure: unfolding P, C, C, ..., C, F; A spans P and the first copy of C (up to t=0), B spans the remaining k copies of C and F (t=0 to t=k)]
Let Img'(P) at time 0 (written Img'(P)0) = A', where A' is an interpolant for (A,B)...
Img' is k-adequate!
Huh?
• A ⇒ A'
  – Img(P,C) ⇒ Img'(P,C)
• A' ∧ B = false
  – Img'(P,C) cannot reach F in k steps
• Hence Img' is k-adequate overapprox.
[Figure: the same unfolding, with A' attached at t=0 between A and B]
Note: if A,B are consistent, then let Img’(P,C) = ⊤ (true).
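The step from A ⇒ A' to Img(P,C) ⇒ Img'(P,C), spelled out (added here, not on the slide). It assumes, as the unfolding picture does, that $V_t$ are the state variables at time $t$ and that consecutive copies of $C$ share only those variables, so the common variables of $A$ and $B$ are exactly $V_0$:

$$\mathrm{Img}(P,C)(V_0) \;=\; \exists V_{-1}.\,\big(P(V_{-1}) \wedge C(V_{-1},V_0)\big) \;=\; \exists V_{-1}.\,A$$

Because $A \Rightarrow A'$ and $A'$ is over $V_0$ alone, quantifying $V_{-1}$ away on the left changes nothing on the right:

$$\exists V_{-1}.\,A \;\Rightarrow\; A'(V_0) \;=\; \mathrm{Img}'(P,C)(V_0)$$

which is the overapproximation claim. For k-adequacy, $A' \wedge B = \mathrm{false}$ with $B = C_0 \wedge \cdots \wedge C_{k-1} \wedge F_k$ says that no assignment satisfies $A'$ at $t=0$, follows $C$ for $k$ steps and satisfies $F$ at $t=k$, i.e. no state of $\mathrm{Img}'(P,C)$ reaches $F$ in $k$ steps.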
Intuition
• A' tells us everything the prover deduced about the image of P in proving it can't reach F in k steps.
• Hence, A' is in some sense an abstraction of the image relative to the property.
[Figure: the same unfolding, with A' at t=0]
Reachability algorithm
  let k = 0
  repeat
    if I can reach F within k steps, answer reachable
    R = I
    while Img'(R,C) ∧ F = false
      R' = Img'(R,C) ∨ R
      if R' = R answer unreachable
      R = R'
    end while
    increase k
  end repeat
Termination
• Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.
Notes:
  – don't need to know when k > d in order to terminate
  – often termination occurs with k << d
  – depth bound for earlier method (Sheeran et al '00) is "longest simple path", which can be exponentially longer than diameter
PicoJava II benchmarks
• Hardware Java virtual machine implementation
• Properties derived from verification of ICU
  – handles cache, instruction prefetch and decode
• Original abstraction was manual
• Added neighboring IFU to make problem harder
  – result: many irrelevant facts in problem
[Figure: block diagram of Mem/Cache, ICU, IFU and Integer unit, with the properties marked]
Results
• Benchmarks completed in 1800 s:
  – Standard model checking: 0/20
  – Interpolation-based: 19/20
• Reason:
  – Interpolation method exploits the SAT solver’s ability to narrow proofs to relevant facts.
v. proof-based abstraction
[Figure: log-log scatter plot of run times, proof-based abstraction (s) on the x axis vs. interpolation-based method (s) on the y axis, both from 0.01 to 1000; McM, TACAS03]
v. proof-based abstraction
[Figure: log-log scatter plot of run times, counterexample-based abstraction (s) on the x axis vs. interpolation-based method (s) on the y axis, both from 0.01 to 1000; CCKSVW, FMCAD02]
v. K-induction
[Figure: log-log scatter plot of run times, interpolation-based (s) on the x axis vs. k-induction (FMCAD00) (s) on the y axis, both from 0.01 to 1000; SSS, FMCAD00]
IBM GP benchmarks
[Figure: log-log scatter plot of run times, proof-based abstraction (s) on the x axis vs. interpolation-based method (s) on the y axis, both from 0.01 to 1000]
GP benchmarks - true properties
[Figure: log-log scatter plot of run times, proof-based abstraction (s) on the x axis vs. interpolation-based method (s) on the y axis, both from 0.01 to 1000]
Characteristics
• SAT-based methods are effective when
  – Very large set of facts is available
  – Only a small subset are relevant to property
• They exploit the SAT solver's ability to narrow the proof to relevant facts
  – I.e., narrows reachable states approximation to relevant variables.
• Interpolation method exploits this fact to compute abstract image operator.
Infinite-state verification
• Direct approach:
  – express transition constraint in FOL
  – example: simple “Bakery” protocol:
[Figure: two symmetric processes, each with states NC and C. Process 0: ticket update ticket0’ > ticket1; entry into C guarded by the conditions ticket1 > ticket0, state1 = NC. Process 1: ticket update ticket1’ > ticket0; entry into C guarded by the conditions ticket0 > ticket1, state0 = NC.]
Terminates because diameter is finite, though state space is infinite
Infinite-state verification
• Predicate abstraction approach (Graf,Saïdi,97)
  – Choose a set of predicates to represent state
    • I.e., for bakery: ticket1 > ticket0 and ticket0 > ticket1
  – Transform C into a predicate-state transducer
  – Interpolants are now strictly Boolean
• Convergence guaranteed, but may have false negatives
• Advantages of interpolation approach:
  – Avoid conversion to a Boolean formula
  – Avoid building BDD’s!
  – Strong ability to ignore irrelevant predicates
Conclusion
• SAT solvers have the ability:
  – to generate refutations for bounded reachability
  – to filter out irrelevant facts.
• These abilities can be exploited to generate an abstract image operator, using Craig interpolation.
• This yields a reachability procedure that
  – is fully SAT-based
  – operates directly on infinite-state systems
  – is robust w.r.t. irrelevant facts