Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking

G. Cabodi, P. Camurati, L. Garcia, M. Murciano, S. Nocco, S. Quer
Politecnico di Torino, Torino, Italy
Outline

- Background
- Motivations
- Core
  - Contribution A: Divide
  - Contribution B: Conquer
  - Contribution C: Integrated Approach (Bwd + ITP)
- Experimental Results
- Conclusions
- Future Works
Background: UMC as a Reachability Problem

[Figure: state space with the Initial states, the Buggy states and a Counterexample trace joining them]

- Rfwd: states reached from the initial states (forward fix-point)
- Rbwd: states that can reach the buggy states (backward fix-point)

[Figure: the Rfwd and Rbwd regions between Initial states and Buggy states]
Background: SAT based UMC

- k-induction [Sheeran2000]
- All-solution SAT [McMillan2002, Kang2003, Ganai2004]
- Circuit based quantification [Williams2000, Abdulla2000]
- Abstraction & Refinement
  - Localization reduction [Kurshan1994]
  - Predicate abstraction [Clarke2003, Jain2004]
  - Craig Interpolation [Craig1957, McMillan2003]
Interpolant [Craig1957]

Given A ∧ B = 0, the interpolant A' = ITP (A, B) satisfies:
- A ⇒ A'
- A' ∧ B = 0
- A' refers only to common variables of A and B

A' can be derived in linear time from the refutation proof of A ∧ B [Pudlak1997, Krajicek1997].

[Figure: the CNF clauses of A and B (A ∧ B is UNSAT) and their resolution graph, translated into an AND-OR circuit with one gate for each graph node; the gate of the null clause is A' = ITP (A, B)]
Interpolant [McMillan2003]

Interpolant as Image Operator:
- Over-approximation
- Variable quantification

Works whenever a representation of the backward reachable space is given:
- A: From ∧ T (forward)
- B: Paths to failure states (backward)
- A': Over-approximated Image (Img+)

Img+ is called adequate w.r.t. B
Img+

[Figure: From(V), the transition relation T over V, PI, V', the exact image To(V') and its over-approximation To+]

To+(V') = Img+(From, T) = Approx[∃(V, PI) From(V) ∧ T(V, PI, V')]

Img+ - Adequate

To+ is adequate w.r.t. B when: if To is outside B, then To+ is outside B as well.

To+ = ITP (From ∧ T, B)
Img+ - Adequate

Forward approximate reachable states computed by an adequate Img+ do not intersect the backward reachable states.

[Figure: I, Ri, Img(Ri, T) and Img+Adq(Ri, T, Rbwd) on the forward side; Rbwd and B on the backward side]

Img+ - k-Adequate

When Rbwd is not known, it is replaced by a backward circuit unrolling of increasing depth k, Rk,bwd (labelled B≤k in the figure).

[Figure: I, Ri, Img(Ri, T) and Img+Adq(Ri, T, Rk,bwd); Rk,bwd and B on the backward side]
Interpolant Model Checking

    do                                                -- abstraction & refinement loop
        Cone = CircuitUnroll (B, T, k)
        res = FiniteRun (I, T, Cone)
        k = k + 1                                     -- bound increment
    while (res = undecided)

    FiniteRun (I, T, Cone)
        if (SAT (I ∧ T ∧ Cone)) return (reachable)    -- BMC check: find a trace
        R = I
        while (true)                                  -- approximated reachability loop
            Img+ = Img+Adq (T, R, Cone)               -- Img+(Ri, T) k-adequate w.r.t. (T, F)
            if (Img+ = undefined) return (undecided)
            if (Img+ ⊆ R) return (unreachable)        -- (over-approximated) fix-point reached
            R = R ∨ Img+
Motivations

- Refutation proofs follow SAT solver runs
  - SAT heuristics do NOT target resolution graph (and unsatisfiable core) minimization
  - Not unique (depend on SAT heuristics)
- Difficult UNSAT instances
- Large interpolants
  - Interpolant circuits need aggressive optimizations (BDD/SAT sweeping + logic synthesis)
  - Highly redundant AND-OR circuits (just negations on inputs) are not optimal
Contributions

Partitioned Adequate Image Computation: a Divide & Conquer approach
- Across different methods:
  - compute partial state sets
  - use them to restrict the search space
- Within the partitioned adequate image (interpolant)

Contribution A/1: from the Circuit View (the unrolled cone R3 R2 R1 R0, with 1/0 outputs) to the State Set View
[Figure: the same backward set R3 R2 R1 R0 drawn as an unrolled circuit and as a state set]

Contribution A/2: Partitioned Circuit View, the unrolled cone as a disjunction (∨) of sub-cones
[Figure: Circuit View vs Partitioned Circuit View of R3 R2 R1 R0]

Contribution B: Partitioned Circuit + State Set
[Figure: the disjunction of partitioned cones combined with a state set]

Contribution C: Backward & Interpolation, an integrated approach
- Compute (partial) backward state sets by
  - circuit quantification
  - SAT enumeration
- Check backward fix point (SAT)
- Eventually forward interpolant (using partitioned image)
[Figure: Circuit View vs Circuit + State View of R3 R2 R1 R0]
Contribution A/1: Partial Quantification

    LazyE (Cone)
        G = Cone
        forall v ∈ PI
            tmp = ∃v G
            if (|tmp| < th · |G|) G = tmp
        return (G)

Quantify a variable if the size stays under control, otherwise keep it unquantified.

[Figure: Cone over the inputs v0, v1, drawn as a cofactor tree with 0/1 branches]

- Try ∃PI Cone; if not all quantifications are accepted, the work is not finished
- The ∃ operator on circuits works by OR-ing cofactors: exponential blow-up, unless there is tight sharing (by SAT/BDD sweeping)
Contribution A/1: Partial Quantification Adopting BDDs

    LazyEBDD (Cone)
        (ConeBdd, CutV, CutF) = AIG2BDD (Cone)
        G = ANDEBDD (ConeBdd, CutVari, CutFi)
        if (|G| < th · |Cone|) return (BDD2AIG (G))
        else return (Cone)

Quantify a variable if the size stays under control, otherwise keep it unquantified.

[Figure: AIG 2 BDD, quantification on BDDs, BDD 2 AIG; BDDs with cut points; early quantification schedule]
Contribution A/1: Partial Quantification with Subsetting

    LazyESubset (Cone)
        G = Cone
        σ = SAT (Cone)
        forall v ∈ PI
            tmp = ∃v G
            if (|tmp| < th · |G|) G = tmp
            else G = G|vi=σ[vi]
        return (G)

Quantify a variable if the size stays under control, otherwise set it to the constant 0/1 value it takes in the satisfying assignment σ.

[Figure: Cone cofactor tree; rejected variables are fixed to 0/1]

The result is a subset of a state set: R̄k,bwd ⊆ Rk,bwd = ∃PI Cone
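LazyESubset worked on a tiny circuit, as an added example that is not the authors' code: the expression DAG, its node-count size measure, the brute-force SAT stand-in and the constructed cone over x0, x1, a, b are all assumptions. Both branches of the loop are exercised (quantify vs. fix to σ[v]) and the subset property R̄k,bwd ⊆ ∃PI Cone is checked by enumeration.

```python
# LazyESubset on a small AND/OR/NOT expression DAG: quantify a PI if the result
# stays under th·|G|, otherwise fix it to its value in a SAT witness σ.
# Added example, not the authors' code: |e| counts distinct sub-expressions
# (structural hashing, as an AIG would) and SAT is a brute-force stand-in.
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

Expr = tuple  # ('var', name) | ('const', 0|1) | ('not', e) | ('and', a, b) | ('or', a, b)

def var(name: str) -> Expr: return ('var', name)
def const(b: int) -> Expr: return ('const', int(b))

def neg(e: Expr) -> Expr:
    if e[0] == 'const': return const(1 - e[1])
    if e[0] == 'not': return e[1]
    return ('not', e)

def and_(a: Expr, b: Expr) -> Expr:
    if a == const(0) or b == const(0): return const(0)
    if a == const(1): return b
    if b == const(1) or a == b: return a
    return ('and', a, b)

def or_(a: Expr, b: Expr) -> Expr:
    if a == const(1) or b == const(1): return const(1)
    if a == const(0): return b
    if b == const(0) or a == b: return a
    return ('or', a, b)

def cofactor(e: Expr, v: str, val: int) -> Expr:
    """e|v=val with constant propagation."""
    if e[0] == 'var': return const(val) if e[1] == v else e
    if e[0] == 'const': return e
    if e[0] == 'not': return neg(cofactor(e[1], v, val))
    a, b = cofactor(e[1], v, val), cofactor(e[2], v, val)
    return and_(a, b) if e[0] == 'and' else or_(a, b)

def exists(e: Expr, v: str) -> Expr:
    """∃v e on the circuit: OR of the two cofactors (the slides' blow-up source)."""
    return or_(cofactor(e, v, 0), cofactor(e, v, 1))

def size(e: Expr) -> int:
    """|e|: number of distinct DAG nodes."""
    seen: Set[Expr] = set()
    def walk(n: Expr) -> None:
        if n in seen: return
        seen.add(n)
        for sub in n[1:]:
            if isinstance(sub, tuple): walk(sub)
    walk(e)
    return len(seen)

def variables(e: Expr) -> Set[str]:
    if e[0] == 'var': return {e[1]}
    if e[0] == 'const': return set()
    return set().union(*(variables(s) for s in e[1:]))

def evaluate(e: Expr, asg: Dict[str, int]) -> int:
    if e[0] == 'var': return asg[e[1]]
    if e[0] == 'const': return e[1]
    if e[0] == 'not': return 1 - evaluate(e[1], asg)
    a, b = evaluate(e[1], asg), evaluate(e[2], asg)
    return a & b if e[0] == 'and' else a | b

def assignments(vs: List[str]):
    return (dict(zip(vs, bits)) for bits in product((0, 1), repeat=len(vs)))

def sat(e: Expr) -> Optional[Dict[str, int]]:
    """Brute-force SAT: first satisfying assignment in variable order, or None."""
    return next((a for a in assignments(sorted(variables(e))) if evaluate(e, a)), None)

def implies(f: Expr, g: Expr) -> bool:
    """f ⇒ g over all assignments; used to confirm the subset property."""
    vs = sorted(variables(f) | variables(g))
    return all(not evaluate(f, a) or evaluate(g, a) for a in assignments(vs))

def lazy_e_subset(cone: Expr, pi: List[str], th: float) -> Tuple[Expr, List[str]]:
    """LazyESubset(Cone): returns G and the PIs fixed to σ[v] instead of quantified."""
    sigma = sat(cone)
    if sigma is None:
        return const(0), []              # empty cone: nothing to quantify
    G, fixed = cone, []
    for v in pi:
        tmp = exists(G, v)
        if size(tmp) < th * size(G):
            G = tmp                      # size under control: quantification accepted
        else:
            G = cofactor(G, v, sigma.get(v, 0))   # subsetting: v := σ[v]
            fixed.append(v)
    return G, fixed

# Constructed cone over state bits x0, x1 and primary inputs a, b:
# Cone = ((a ∧ x0) ∨ (¬a ∧ x1)) ∧ (b ∨ ¬x1); exactly, ∃a∃b Cone = x0 ∨ x1.
A, B, X0, X1 = var('a'), var('b'), var('x0'), var('x1')
CONE = and_(or_(and_(A, X0), and_(neg(A), X1)), or_(B, neg(X1)))
PI = ['a', 'b']
```

With th = 1.0 the quantification of a is accepted and b is fixed, giving x0 ∨ x1 (the exact result); with th = 0.7 both inputs are fixed and the result x1 is a strict subset of ∃PI Cone, which is exactly the R̄k,bwd ⊆ Rk,bwd situation of the slide.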
Contribution A/1

If we are very lucky we move from the circuit unrolling (Cone over R3 R2 R1 R0) to a state set (Back).

[Figure: circuit unrolling of R3 R2 R1 R0 with 1/0 outputs, replaced by the state set Back]

If we are NOT very lucky we move from the circuit unrolling (Cone) to Conē ∨ Back̄, where Back̄ is the partial state set obtained by subsetting and Conē = Simplify (Cone, Back̄) is the unrolling simplified by redundancy removal.

[Figure: circuit unrolling of R3 R2 R1 R0 split into Conē and Back̄]
Contribution A/2: Cone0 ∨ Cone1

Cone = Cone1 ∨ Cone2 ∨ Cone3 ∨ … ∨ Conen

Circuit unrollings are disjunctions of circuit unrollings.

[Figure: the unrolled cone from F split into a disjunction (∨) of sub-cones]
Contribution B: How to Conquer

[Figure: I, Ri and F joined by the unrolled transition relation T ... T; Img(I, T) and the adequate image Img+Adq(I, T, Cone) against the cone]

The cone is a disjunction of cones, so the adequate image is a conjunction of images:

Img+Adq (I, T, Cone) = Img+Adq (I, T, Cone1 ∨ Cone2) = Img+Adq (I, T, Cone1) ∧ Img+Adq (I, T, Cone2)

[Figure: Img+Adq (I, T, Cone1) computed against Cone1 and Img+Adq (I, T, Cone2) against Cone2, then intersected to give Img+Adq (I, T, Cone)]
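The FiniteRun loop with a k-adequate image and the Contribution B identity, as an added explicit-state example that is not the authors' code: the 3-bit transition table, the bit-wise widening that stands in for the interpolant, and the partition of the cone by one state bit are assumptions. It shows the outer loop going from undecided at k = 0 to unreachable at k = 1, and that the conjunction of per-partition adequate images is itself adequate w.r.t. the disjunction of the cones.

```python
# FiniteRun / k-adequate image loop and the Contribution B identity on an
# explicit-state toy system. Added example, not the authors' code: states are
# 3-bit integers, T is an explicit table, and in place of an interpolant the
# adequate image is a widening that quantifies state bits only while the
# result stays outside the cone (the adequacy condition of the slides).
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

StateSet = FrozenSet[int]
NBITS = 3
ALL: StateSet = frozenset(range(1 << NBITS))
# Constructed system: reachable cycle 0->1->2->0 from I={0}; 3..7 are
# unreachable, and 3 steps into 7 (a spurious path once R is widened).
T: Dict[int, Set[int]] = {0: {1}, 1: {2}, 2: {0}, 3: {7},
                          4: {4}, 5: {5}, 6: {6}, 7: {7}}

def img(R: StateSet) -> StateSet:
    """Exact forward image Img(R, T)."""
    return frozenset(t for s in R for t in T[s])

def circuit_unroll(B: StateSet, k: int) -> StateSet:
    """Cone = CircuitUnroll(B, T, k): states reaching B within k steps (Rk,bwd)."""
    cone = set(B)
    for _ in range(k):
        cone |= {s for s in ALL if T[s] & cone}
    return frozenset(cone)

def exists_bit(S: StateSet, b: int) -> StateSet:
    """∃ of state bit b: close S under flipping bit b."""
    return S | frozenset(s ^ (1 << b) for s in S)

def img_adq(R: StateSet, cone: StateSet) -> Optional[StateSet]:
    """Img+Adq(R, T, Cone): None ("undefined") if R ∧ T ∧ Cone is SAT,
    else an over-approximation of Img(R, T) that stays outside the cone."""
    to = img(R)
    if to & cone:
        return None
    for b in range(NBITS):
        cand = exists_bit(to, b)
        if not (cand & cone):          # keep the widening only if still adequate
            to = cand
    return to

def partition_by_bit(cone: StateSet, b: int) -> Tuple[StateSet, StateSet]:
    """Split a cone into the disjunction of its two cofactors on bit b (Contribution A/2)."""
    hi = frozenset(s for s in cone if s >> b & 1)
    return hi, cone - hi

def img_adq_partitioned(R: StateSet, cones: Tuple[StateSet, ...]) -> Optional[StateSet]:
    """Contribution B: Img+Adq(R, T, Cone1 ∨ Cone2) as the conjunction of
    the per-partition adequate images (each contains Img(R, T) and avoids
    its own cone, so the intersection avoids the union)."""
    parts = [img_adq(R, c) for c in cones]
    if any(p is None for p in parts):
        return None
    result = parts[0]
    for p in parts[1:]:
        result = result & p
    return result

def finite_run(I: StateSet, cone: StateSet,
               image: Callable[[StateSet], Optional[StateSet]]) -> str:
    """FiniteRun(I, T, Cone): BMC check, then approximate reachability."""
    if img(I) & cone:                  # SAT(I ∧ T ∧ Cone): counterexample trace
        return "reachable"
    R = I
    while True:
        img_plus = image(R)
        if img_plus is None:
            return "undecided"
        if img_plus <= R:              # over-approximated fix-point reached
            return "unreachable"
        R = R | img_plus

def interpolant_mc(I: StateSet, B: StateSet, max_k: int = 8) -> Tuple[str, int]:
    """Outer loop: raise the backward unrolling depth k while undecided.
    Returns the verdict and the depth k at which it was reached."""
    if I & B:                          # assumption: 0-step check done up front
        return "reachable", 0
    for k in range(max_k + 1):
        cone = circuit_unroll(B, k)
        res = finite_run(I, cone, lambda R: img_adq(R, cone))
        if res != "undecided":
            return res, k
    return "undecided", max_k
```

For B = {7}, k = 0 widens R to {0,1,2,3} and the exact image then hits the cone (undecided), while k = 1 adds 3 to the cone, blocks that widening and reaches the fix-point {0,1,2,4,5,6}; as with interpolants (Motivations slide), the over-approximation is not unique and depends on the widening order.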
Contribution C: Backward + Interpolation

    IntegratedMC (I, T, F)
        set initial values
        do
            res = undecided
            -- backward reachability section: loop by increasing back unrolling
            Conek = Conek−1(T)                                  -- composition
            if (SAT (I ∧ (Conek ∨ BckR̄))) return (reachable)    -- BMC check for a counterexample
            fp = CheckFP (Conek, BckR̄, Cone0..k−1)               -- CheckFP = SAT + all-solution SAT
            if (fp = true) return (unreachable)
            (Conek, BckR̄) = LazyE/BDD/Subset (Conek, BckR̄)      -- lazy circuit quantification (partial, with subsetting)
            -- interpolant section
            if (fp = undecided)
                Conē = Simplify (Cone, ¬BckR̄)                   -- redundancy removal with partial state sets as don't care
                res = FiniteRun2 (I, T, Conē, BckR̄)             -- interpolation with partial state sets as don't care; partitioned cones and images
            increase bound
        while (res = undecided)

BckR̄ is the partial backward state set accumulated so far (a subset of the exact backward reachable states). A false result (a counterexample, or a backward fix-point) is easy to check and is settled in the backward section; an undecided result is the hard case and is handed to the interpolant section.
Contribution C: … To Sum up

- When the backward analysis is incomplete, do forward interpolants; use the partitioned adequate image
- Whenever state sets (complete or subset) are computed, keep them: use them as don't care for the next steps

[Figure: F and the partial backward set R̄k,bwd]
Experimental Results

- Home made software on top of CUDD and Minisat
- Experiments with a Dual Core Pentium, 3 GHz, 3 GB
- On Model Checking Competition benchmarks plus some ISCAS, VIS and IBM
- Results to compare: standard interpolant-based verification (mainly) and other techniques vs. the presented algorithm
Statistics on Partitioning: Two Examples

- 1 iteration on eijkbs3271.blif: [plot of partition sizes] (over: 1.794527, peak: 0.311449)
- 1 iteration on Industrial_D1 (query19.blif): [plot of partition sizes] (over: 1.619321, peak: 0.135171)
Statistics on Partitioning

- Cone size: 11 cones with 300000 nodes
- # Partition: in 19 cases we partition the cone in 10 sub-cones
- Over size: in 567 cases all partitions were from 10 to 20% larger than the original cone
- Peak size: in 87 cases the size of the largest partition is 50 - 60% of the original cone
Standard Interpolant vs New Algorithm

[Scatter plots of run times, standard interpolant vs new algorithm; time limit: 900 seconds]
- Winning experiments (below main diagonal)
- Easy benchmarks
- 20 properties not solved before
![Page 71: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/71.jpg)
Termination Obtained by Interpolation

| Model | #PI | #FF | #Nodes | Original Method: Time [s] | Original Method: Method | Original Method: Bound | New Method: Time [s] | New Method: Bound |
|---|---|---|---|---|---|---|---|---|
| intel_006 | 345 | 350 | 3265 | 195,80 | ITP | 9 | 197,72 | 9 |
| intel_024 | 352 | 357 | 5710 | 6344,47 | ITP | 15 | 454,47 | 15 |
| intel_029 | 559 | 564 | 8816 | - | - | - | 620,09 | 18 |
| vis.blackjack-inv | 5 | 103 | 3979 | 3359,29 | BDD | 10 | 110,02 | 11 |
| nusmv.tcas^3.B | 146 | 169 | 2914 | 87,38 | ITP | 6 | 37,02 | 7 |
| vis.coherence^3.E | 6 | 29 | 1214 | 2439,24 | INV | 10 | 236,7 | 11 |
| vis.pm.palu | 14 | 220 | 2347 | - | - | - | 390,14 | 5 |
| vis.ns31 | 21 | 103 | 3598 | 606,45 | ITP | 7 | 83,75 | 7 |
| vis.ns32 | 21 | 103 | 3598 | 1004,25 | ITP | 7 | 149,92 | 7 |
| IndustrialB1 | 12 | 190 | 3324 | - | - | - | 17,08 | 17 |
| IndustrialB2 | 12 | 193 | 6782 | - | - | - | 154,21 | 11 |
| IndustrialB3 | 15 | 309 | 1592 | 1341,60 | ITP | 9 | 49,76 | 9 |
| IndustrialB4 | 18 | 416 | 5409 | - | - | - | 265,49 | 5 |
| IndustrialB5 | 18 | 425 | 4391 | - | - | - | 457,17 | 9 |
| IndustrialC1 | 21 | 116 | 1098 | 91,27 | BDD | 12 | 98,10 | 12 |
| IndustrialC2 | 67 | 351 | 2021 | 950,08 | ITP | 15 | 98,55 | 15 |
| IndustrialC3 | 96 | 359 | 3692 | - | - | - | 719,24 | 15 |
| IndustrialD1 | 119 | 76 | 1075 | 478,90 | ITP | 37 | 375,25 | 37 |
| IndustrialD2 | 138 | 97 | 2172 | 7157,35 | ITP | 35 | 378,91 | 35 |
| IndustrialD5 | 96 | 355 | 6360 | - | - | - | 507,27 | 10 |
| IndustrialD6 | 91 | 353 | 6348 | 5408,67 | ITP | 10 | 771,49 | 10 |

A "-" in the Original Method columns means the original method did not terminate within the time limit.
![Page 72: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/72.jpg)
Method legend: ITP = Standard Interpolant; INV = Inductive Invariant; BDD = BDD-based Reachability
Time limit: 7200 seconds
![Page 73: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/73.jpg)
Termination Obtained with Bwd Reached

| Model | #PI | #FF | #Nodes | Original Method: Time [s] | Original Method: Method | Original Method: Bound | New Method: Time [s] | New Method: Bound |
|---|---|---|---|---|---|---|---|---|
| vis.vsaR | 17 | 66 | 2321 | 1131,25 | BDD | 12 | 371,66 | 6 |
| vis.pm.am2901 | 26 | 136 | 2416 | 1764,57 | CBQ | 3 | 83,40 | 2 |
| vis.pm.FPMult | 17 | 215 | 1347 | 1865,51 | ITP | 3 | 85,49 | 2 |
| vis.feistel | 68 | 296 | 6821 | 392,09 | INV | 15 | 749,65 | 13 |
| eijk.bs3271 | 26 | 305 | 2546 | 1391,00 | ITP | 17 | 327,33 | 13 |
| eijk.bs6669 | 83 | 506 | 4879 | - | - | - | 132,04 | 5 |
| eijk.bs3384 | 43 | 689 | 3069 | - | - | - | 532,07 | 7 |
| IndustrialA1 | 5 | 99 | 2657 | 1761,86 | ITP | 11 | 71,92 | 7 |
| IndustrialA2 | 37 | 250 | 4521 | 1192,51 | CBQ | 7 | 517,21 | 4 |
| IndustrialA3 | 51 | 333 | 1275 | 1933,09 | CBQ | 8 | 470,07 | 8 |
| IndustrialC4 | 105 | 377 | 5279 | - | - | - | 415,62 | 19 |
| IndustrialC5 | 138 | 608 | 1003 | 720,15 | CBQ | 6 | 315,63 | 6 |
| IndustrialD3 | 25 | 88 | 498 | 7124,54 | ITP | 45 | 25,55 | 67 |
| IndustrialD4 | 21 | 116 | 3879 | 795,25 | ITP | 9 | 103,41 | 9 |

A "-" in the Original Method columns means the original method did not terminate within the time limit.
![Page 74: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/74.jpg)
Method legend: CBQ = Circuit-based Quantification (ITP, INV and BDD as in the previous table)
![Page 75: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/75.jpg)
Conclusions
Domain: Unbounded Model Checking
Target: Improve Interpolant Verification
Method: Divide and Conquer (Backward Cone versus Backward State Sets); Integration of Interpolant and Backward Verification
![Page 76: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/76.jpg)
Future Works
More tuning for the partitioning procedure
More understanding of pros and cons of the method
Better experimental setting and results analysis
![Page 77: Trading-off SAT search and Variable Quantifications for effective Unbounded Model Checking G. Cabodi…](https://reader035.vdocument.in/reader035/viewer/2022062311/5a4d1bee7f8b9ab0599e529e/html5/thumbnails/77.jpg)
Thank you!