sat-based unbounded model checking using interpolation
DESCRIPTION
SAT-based unbounded model checking using interpolation. Based on a paper “ Interpolation and SAT-based Model Checking ” by K.L. McMillan, CAV 2003. Interpolation. (Craig,57). If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false - PowerPoint PPT PresentationTRANSCRIPT
Formal Verification Group
© Copyright IBM Corporation 2008
IBM Haifa Labs
SAT-based unbounded model checking using interpolation
Based on a paper “Interpolation and SAT-based Model Checking” by K.L. McMillan, CAV 2003.
Formal Verification Group
Interpolation If A B = false, there exists an interpolant A' for (A,B) such that:
A A'A' B = false
A' refers only to common variables of A,B Example:
A = p q, B = q r, A' = q Interpolants from proofs
given a resolution refutation (proof of unsatisfiability) of A B, A' can be derived in linear time.
(Pudlak,Krajicek,97)
(Craig,57)
Formal Verification Group
Agenda
Computing interpolants Interpolation-based image computation Model checking finite state systems Optimization techniques
Formal Verification Group
Interpolant from SAT solver
Resolution:
Modern SAT solvers can produce a proof of unsatisifiability for unsatisfiable formulas using resolution
An interpolant may be built from the proof of unsatisfiability in linear time.
SATsolver
(A,B) in CNF
Interpolationproof
A’
(A p) (p B)(A B) p
Formal Verification Group
Proof of unsatisfiability A proof is a DAG, where
The nodes are clauses The root is an empty clause The leaves are original clauses Every inner node is obtained by a resolution of its two child nodes
An interpolant is build from the proof and it is follows the structure of the proof
Local to A / global literals:Given (A, B) be a pair of clause sets, a variable is global if it appears in both A and B, and local to A if it appears only in A.Given a clause c, g(c) – the disjunction of the global literals in c.
Formal Verification Group
The construction of interpolant Let (A, B) be a pair of clause sets.
Given a proof of unsatisfiability Π for A U B, define p(c) for every node c in the proof as follows: If c is a leaf, then
• If cA then p(c) = g(c) • else p(c) is constant true
else let c1, c2 be child nodes of c, and let v be their pivot variable• If v is local to A, then p(c) = p(c1) p(c2)• else p(c) = p(c1) p(c2)
The Π-interpolant for (A, B) is p(false). Complexity: O(N + L), where N is the number of nodes, L is the number of literals in the proof.
Formal Verification Group
Example
Interpolant is a circuit that follows structure of the proof.
A = { (b), (b c) } B = { (c d), (d) }
(b) (b c)
(c) (c d)
(d)(d)
=c
c
b
c
d
Formal Verification Group
The correctness of the construction Definition: a clause interpolation has the form
(A,B) c [Φ], where A, B are clause sets, c is a clause and Φ is a formula. It is said to be valid when
1. A Φ c \ B, and2. B, Φ c | B, and3. Φ A and Φ B
Note, when c is empty, Φ is an interpolant for (A,B). Theorem: (A,B) c [p(c)] is valid.
The theorem implies that Π-interpolant for (A, B) is an interpolant for (A,B).
Formal Verification Group
Proof: by induction on the proof of unsatisfiability structure. Base – 2 cases:
The correctness of the construction – cont.
(A,B) c [c | B] c A
(A,B) c [T] c B
Remember:
1. A Φ c \ B
2. B, Φ c | B
3. Φ A and Φ B
Formal Verification Group
The correctness of the construction – cont. Induction step – 2 cases:
Remember:
1. A Φ c \ B
2. B, Φ c | B
3. Φ A and Φ B
(A, B) l,c1 [Φ1](A, B) l,c2 [Φ2](A,B) c1, c2 [Φ1 Φ2] l B
(A, B) l,c1 [Φ1](A, B) l,c2 [Φ2](A,B) c1, c2 [Φ1 Φ2] l B
Formal Verification Group
Agenda
Computing interpolants Interpolation-based image computation Model checking finite state systems Optimization techniques
Formal Verification Group
Bounded model checking Safety property F Unfold the model k times:
U = T0 T1 ... Tk-1ab
cpg a
bcp
g ab
cpg
...I0 Fk
Use SAT solver to check satisfiability of I0 U Fk
If unsatisfiable: property has no Cex of length k can produce a proof of unsatisfiability P
Formal Verification Group
Reachability Is there a path (of any length) from I to F satisfying transition
constraint T? Reachability fixed point:
R0 = IRi+1 = Ri Img(Ri)
R = Ri
Image operator:Img(P) = V. P(V) T(V,V’)
F is reachable iff R F false
Formal Verification Group
Reachability
I FR1R2...
R
= I Img(I,T)= R1 Img(R1,T)
Formal Verification Group
Overapproximation
An overapprox. image operator is Img' s.t.for all P, Img(P) Img'(P)
Overapproximate reachability:R'0 = I
R'i+1 = R'i Img'(R'i)R' = R'i
Formal Verification Group
Interpolation-based image
A = P0T0
B = T1 T2 ... Tk-1 (F1F2... Fk)
P0 FkT0 T1 T2 Tk-2 Tk-1
A B
t=1 t=k
Let A' be an interpolant for (A,B)
Fk-1Fk-2F3F2F1
…
Formal Verification Group
Interpolation-based image – cont.
A(s0, s1) A'(s1)
A' is Img'(P) (an overapproximate image of P) A' B = false
Img'(P) cannot reach F in k-1 steps
P FT T T T T T T
A B
t=1 t=k
FFFFFF
A'
Formal Verification Group
Intuition
A' tells us everything the solver deduced about the image of P in proving it can't reach F in k steps.
Hence, A' is in some sense an abstraction of the image relative to the property.
This opens a way to overapproximate reachability calculation.
P FT T T T T T T
A B
t=1 t=k
FFFFFF
A'
Formal Verification Group
Agenda
Computing interpolants Interpolation-based image computation Model checking finite state systems Optimization techniques
Formal Verification Group
If I(s0) F(s0) satisfiable // the basisreturn FAILED;
while (1)Rnew := I, R := falsewhile (Rnew R) // the fixpoint condition
If Rnew T1 T2 ... Tk-1 (F1F2... Fk) unsatisfiable R := R Ú Rnew
Rnew := interpolant A’(s1)else // satisfiable
If (Rnew = I ) return FAILEDelse // possible false negative – should increase k R := false, break
end whileIf (Rnew R) // fixpoint
return PASSEDincrease k
end while
The fixpoint algorithmB
MC
loop
UM
C (r
each
abili
ty) l
oop
Formal Verification Group
Algorithm Correctness
Clearly, if returns FAILED then we got a bug. If a fixpoint is reached, then an overapproximation of
reachable states does not contain a bug, i.e. the formula passes.
We are left with possible false negatives. When possible false negative, we increase k. Thus, it is enough to see that there exists a (large enough) k for which the algorithm always stops.
Formal Verification Group
Algorithm terminates
Let d be the reverse depth of the model (i.e. the number of real backward steps from the bad states until a fix point), and let k = d+1.
If there is a bug, then we will find it in the first iteration (since k is as long as the shortest path between I and F).
If there is no bug, the formula is unsatisfiable and the interpolant A’ (and Rnew= I Ú A’) cannot reach F in d steps.
Formal Verification Group
Algorithm terminates – cont.
d is the reverse depth Rnew cannot reach F at all. Thus, the next formula (with Rnew instead of I) will be
unsatisfiable as well. Since R always grows and a model is finite, a fixpoint will be
finally reached. Notes:
don't need to know d in order to terminate often termination occurs with k << d
Formal Verification Group
Characteristics SAT-based methods are effective when
Very large set of facts is available Only a small subset are relevant to property
They exploit the SAT solver's ability to narrow the proof to relevant facts I.e., narrows reachable states approximation to relevant variables.
Interpolation method exploits this fact to compute abstract image operator.
Formal Verification Group
Agenda
Computing interpolants Interpolation-based image computation Model checking finite state systems Optimization techniques
Formal Verification Group
Incremental SAT solving with interpolation At each iteration of the inner while loop we check
satisfiability of the following formula: Rnew T1 T2 ... Tk-1 (F1F2... Fk)
All those formulas differ only by Rnew. SAT solver can preserve all the clauses that are implied by
the common part of the formulas (all but Rnew). This can potentially save SAT solver time for deducing those
clauses again. Similarly, formulas with different k (the outer while loop) can
be solved incrementally.
Formal Verification Group
Checking convergence more efficiently R – current overapproximate reachable states
A’ – current interpolant Original convergence check: whether A’ R ? Recall: A’ is an overapproximate forward step from R Let R’ be a “real” forward step from R Let’s check whether R’ R ? Advantage: the latter formula is more likely to converge earlier
(because R’ A’) Correctness:
if R’ R, but A’ R, then A’ \ R’ is unreachable
Formal Verification Group
Minimizing interpolants Reduce CNF formulas using CNF simplifier Interpolants are highly redundant boolean expressions
Reduce interpolants using BDD sweeping or SAT sweeping reduction
Minimize unsat core Unsat core is an unsatisfiable subset of a given unsatisfiable CNF
formula (the leaves of the proof) Unsat core may be computed by a SAT solver, when it founds that a
formula is unsatisfiable Various methods exist for minimizing unsat core, the simplest one is
running SAT solver iteratively on previously computed unsat core
Formal Verification Group
Strengthening interpolants Recall: interpolant is an overapproximation of a forward
image of Rnew There may be different overapproximations Can we control the quality of overapproximation? Do we want a finer one or a coarser one?
Formal Verification Group
R2
Example
I FR1
...
R
Formal Verification Group
Example – fine overapproximation
I F
Formal Verification Group
Example – moderate overapproximation
I F
Formal Verification Group
Example – coarse overapproximation
I F
Formal Verification Group
Strengthening interpolants Move local resolutions (‘or’-gates) towards leaves 2 rewrite rules:
(p q c1) (p c2) (q c1 c2) (q c3) (c1 c2 c3)
(p q c1) (q c3) (p c1 c3) (p c2) (c1 c2 c3)
Formal Verification Group
Strengthening interpolants – cont.
Caution: may cause exponential expansion of the proof!
(p q c1) (p q c2) (q c1 c2) (q c3) (c1 c2 c3)
(p q c1) (q c3) (p q c2) (q c3) (p c1 c3) (p c2 c3) (c1 c2 c3)
Formal Verification Group
(a b c)a c
Strengthening interpolant – an exampleA = {(a), (b d), (a b c), …} B = {(a e), (c d), …}
(b c)
(c d)
a
b
A’ = d (a (a c)) = d (a c)A’’ = a (d (a c)) = a (c d)A’ A’’
(b d)d
( a )a
(a b c)a c
(c d) a
(a c d) b(b d)
d( a )
a
Move local resolutions toward leaves
Formal Verification Group
Approximate interpolant computationA = {(a), (b d), (a b c), …} B = {(a e), (c d), …}
A’ = d (a (a c)) = d (a c) A’’ = c d
A’ A’’
(a b c)a c
(b c)
(c d)
a
b
(b d)d
( a )a
Treat inner clauseswith pure originas leaves
Formal Verification Group
Refinement of interpolants
If Rnew T1 T2 ... Tk-1 (F1F2... Fk) satisfiableIf (Rnew = I )
return FAILEDelse // possible false negative – should increase k
break
Can we avoid the possible false negative?
Formal Verification Group
s1
• Check whether s1 is reachable in one step from Ri-1
• If no – refine Ri by removing s1 from it
• Disadvantages:
–Removes one false negative at a time
–Does not insure removing all false negatives
–Complicates the expression of R
Refinement of interpolants – cont.
I R1Ri
FRi-1
… s2 sk?
Formal Verification Group
Conclusion SAT solvers have the ability:
to generate refutations for bounded reachability to filter out irrelevant facts.
These abilities can be exploited to generate an abstract image operator, using Craig interpolation.
This yields a reachability procedure that is fully SAT-base is robust w.r.t. irrelevant facts
Various techniques exist to control size and quality of interpolants
Formal Verification Group