Slide 1: Abstraction Refinement for Bounded Model Checking
Anubhav Gupta, CMU
Ofer Strichman, Technion
Highly Jet Lagged

Slide 2: Bounded Model Checking (BMC)
- Search for bugs in executions of a bounded length
- Generates a propositional formula that is satisfiable if and only if there is a counterexample of length k
- Extremely efficient SAT-solvers are available
Slide 3: BMC - Implementation
[Flowchart with nodes: BMC, SAT (Incremental Solver), Sat / Unsat, Yes / No, BUG, NO BUG]
Slide 4: Abstraction for BDD-based Model Checking
[Diagram labels: Abstraction, Smaller BDD]
- How to identify ?
- Model checking complexity is proportional to BDD size

Slide 5: Counterexample Guided Abstraction Refinement (CEGAR)
[Flowchart with nodes: MC, No / Pass / BUG / TRUE, Fail, Yes]
Slide 6: Inside a SAT-Solver
- Davis-Putnam-Logemann-Loveland (DPLL) procedure
- Decisions
- Boolean Constraint Propagation (BCP)
- Conflict Analysis, Backtrack
- Search Tree

Slide 7: Decisions
- Identify a good variable and assign it a value
- Many variable selection heuristics
- Give preference to variables that are involved in conflicts
- Order is continuously updated
- Like abstraction-refinement
- These heuristics try to reduce the size of the search tree

Slide 8: BCP
- Identify assignments implied by the unit-clause rule
- 90% of run-time in the solver is spent on BCP
- Time spent on BCP is proportional to the size of the CNF

Slide 9: Conflict Analysis and Backtrack
- Identify the variable assignments responsible for the infeasibility of the current search path
- Ensures that assignments are locally consistent
- Prune away irrelevant parts of the search tree
Slide 10: Abstraction for BMC
[Diagram labels: Abstraction, Smaller CNF]

Slide 11: Why Abstraction for BMC?
- Variable selection can focus on important variables
- Solver can ignore local conflicts that are irrelevant to the property
- BCP is faster on a smaller CNF
- How to identify ?
[Diagram label: Abstraction]
Slide 12: CEGAR for BMC
- Apply CEGAR to BMC
- Refinement: SAT-solvers produce proofs of unsatisfiability
- Proofs have been used successfully for refinement in CEGAR for model checking
- Proofs provide an efficient and inexpensive refinement mechanism for CEGAR on BMC
Slide 13: Counterexample Guided Bounded Model Checking (CG-BMC)
[Flowchart with nodes: SAT, Sat / Unsat, No / Yes, BUG, NO BUG, a second SAT node, Sat]
Slide 14: CG-BMC
- Abstract model: model that refutes previously seen spurious counterexamples
- Forces the solver to find a full abstract trace before attempting to refute it
- Solver is not lost in local conflicts
- Most of the BCP is performed on the smaller abstract model
[Diagram labels: Abstract Model, Concrete Model]
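To make the loop of slides 2 through 14 concrete, here is an added Python example; it is not code from the slides or from the authors' zChaff-based implementation. It assumes a constructed four-latch circuit (a toggles, b copies a, c = a AND b, d toggles and is unrelated to the others), a minimal DPLL solver with BCP and chronological backtracking (no conflict-driven learning), BMC unrolling of that circuit to a bound k, and a CG-BMC loop that hides latches, solves the abstract model, replays the abstract trace on the concrete model, and refines when the trace is spurious. The refinement step is a hypothetical stand-in: instead of reading a proof of unsatisfiability, it exposes hidden latches that share a clause with a visible one.

```python
# Added example (not from the slides): a toy CG-BMC loop.
# DPLL with BCP and backtracking, BMC unrolling of a constructed 4-latch
# circuit, and an abstraction that hides latches and refines on spurious traces.

LATCHES = ["a", "b", "c", "d"]   # constructed circuit; every latch starts at 0
N = len(LATCHES)

def var(name, t):
    """Positive variable id for latch `name` at time step t (ids start at 1)."""
    return t * N + LATCHES.index(name) + 1

def latch_of(v):
    """Map a variable id back to the latch it encodes (any time step)."""
    return LATCHES[(v - 1) % N]

def transition(t):
    """Clauses relating step t to step t+1:  a'=!a,  b'=a,  c'=a&b,  d'=!d."""
    a, b, c, d = (var(x, t) for x in LATCHES)
    a1, b1, c1, d1 = (var(x, t + 1) for x in LATCHES)
    return [(-a1, -a), (a1, a),                   # a' = !a
            (-b1, a), (b1, -a),                   # b' = a
            (-c1, a), (-c1, b), (c1, -a, -b),     # c' = a & b
            (-d1, -d), (d1, d)]                   # d' = !d (irrelevant to a, b, c)

def unroll(k, bad):
    """BMC formula for bound k: initial state, k transitions, `bad` set at step k."""
    clauses = [(-var(x, 0),) for x in LATCHES]    # initial state: all latches 0
    for t in range(k):
        clauses += transition(t)
    clauses.append((var(bad, k),))                # property violated at step k
    return clauses

def unit_propagate(clauses, assign):
    """BCP: apply the unit-clause rule until a fixpoint; False on conflict."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for lit in clause:
                val = assign.get(abs(lit))
                if val is None:
                    unassigned.append(lit)
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not unassigned:
                return False                      # every literal false: conflict
            if len(unassigned) == 1:              # unit clause: force the last literal
                assign[abs(unassigned[0])] = unassigned[0] > 0
                changed = True
    return True

def dpll(clauses, assign=None, stats=None):
    """Decide / propagate / backtrack. Returns a model (dict) or None if unsat."""
    assign = dict(assign or {})
    stats = stats if stats is not None else {"backtracks": 0}
    if not unit_propagate(clauses, assign):
        stats["backtracks"] += 1
        return None
    free = {abs(l) for c in clauses for l in c} - set(assign)
    if not free:
        return assign
    decision = min(free)                          # static order: lowest id first
    for value in (True, False):
        model = dpll(clauses, {**assign, decision: value}, stats)
        if model is not None:
            return model
    return None

def cg_bmc(bad, max_k):
    """CG-BMC: solve on the abstract model, confirm traces on the concrete one.
    Returns (verdict, depth, visible latches, total backtracks)."""
    stats = {"backtracks": 0}
    visible = {bad}                               # start with only the property latch
    for k in range(max_k + 1):
        concrete = unroll(k, bad)
        while True:
            # abstract model: drop every clause that mentions a hidden latch,
            # which leaves the hidden latches unconstrained (free inputs)
            abstract = [c for c in concrete
                        if all(latch_of(abs(l)) in visible for l in c)]
            trace = dpll(abstract, None, stats)
            if trace is None:
                break                             # no abstract counterexample at depth k
            # replay the full abstract trace on the concrete model as assumptions
            if dpll(concrete, trace, stats) is not None:
                return "BUG", k, visible, stats["backtracks"]
            # spurious trace: expose hidden latches that share a clause with a
            # visible one (hypothetical stand-in for the proof-based refinement)
            frontier = {latch_of(abs(l)) for c in concrete for l in c
                        if any(latch_of(abs(m)) in visible for m in c)} - visible
            if not frontier:
                raise RuntimeError("spurious trace but nothing left to refine")
            visible |= frontier
    return "NO BUG", max_k, visible, stats["backtracks"]

if __name__ == "__main__":
    print(cg_bmc("c", 4))   # property "c is never 1" holds; d stays hidden
    print(cg_bmc("b", 4))   # property "b is never 1" fails at depth 2
```

Running it shows the two outcomes of the flowchart: for the property on c the abstract model first produces a spurious trace (c unconstrained at step 1), the concrete replay refutes it, a and b are exposed, and the bound is exhausted with d never entering the abstract model; for the property on b the refined abstract model finds a trace at depth 2 that the concrete replay confirms, so it is reported as a real bug. Every unsatisfiable call here is settled by BCP alone, which is why the backtrack counter stays small.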
Slide 15: A more robust CG-BMC
- The following scenario was observed on some benchmarks:
  - Current abstract model is sufficient to prove the property
  - Proving the property on the abstract model is hard: BMC on the abstract model is slow
  - There exists an easier proof using additional constraints from the concrete model: BMC on the concrete model is faster
  - CG-BMC gets stuck on the abstract model
- Solution: Timeouts
Slide 16: CG-BMC with Timeouts (CG-BMC-T)
[Flowchart with nodes: SAT, Sat / Unsat, No / Yes, BUG, NO BUG, a second SAT node, Sat; Time(out) edges leaving both SAT nodes; CG-BMC]
Slide 17: Related Work
- Refining the SAT decision ordering for bounded model checking, Wang et al., DAC 2004
  - Variables in the current abstract model are given preference in the variable splitting order
  - Static Method: Always decide first on variables in the abstract model
  - Dynamic Method: Switch to the default solver heuristic after a threshold number of backtracks
- Solver works on the whole CNF
  - BCP is expensive
  - Potential for irrelevant conflicts
Slide 18: Our CG-BMC Implementation
[Flowchart with nodes: SAT, Sat / Unsat, No / Yes, BUG, NO BUG, a second SAT node, Sat; the two SAT nodes are backed by IncrementalSolver1 and IncrementalSolver2]
Slide 19: Experiments
- PicoJava Benchmarks: derived from compositional verification of ICU (Source: Ken McMillan)
- Implementation on top of zChaff
- Comparison with BMC and Wang et al.
- Timeout = 2 hrs
- Max Depth (K) = 60
- Measured run-time and number of backtracks
Slide 20: CG-BMC vs. BMC (Run-time)
[Plot: x-axis Circuit; y-axis Time (s), log scale from 1 to 10000; series BMC, CG-BMC, CG-BMC-T]

Slide 21: CG-BMC vs. BMC (Backtracks)
[Plot: x-axis Circuit; y-axis Backtracks, log scale from 1 to 1000000; series BMC, CG-BMC, CG-BMC-T]

Slide 22: CG-BMC vs. Wang et al. (Run-time)
[Plot: x-axis Circuit; y-axis Time (s), log scale from 1 to 10000; series Static, Dynamic, CG-BMC, CG-BMC-T]

Slide 23: CG-BMC vs. Wang et al. (Backtracks)
[Plot: x-axis Circuit; y-axis Backtracks, log scale from 1 to 1000000; series Static, Dynamic, CG-BMC, CG-BMC-T]
Slide 24: Conclusions
- Abstraction refinement makes BMC faster
  - Reduction in number of backtracks
  - Reduction in BCP time

Slide 25: Future Work
- CG-BMC inside a SAT-solver
  - Abstraction levels for clauses
  - Ignore clauses in lower levels until all higher levels are satisfied
  - Move clauses up (and down) across levels
- Application to SAT-solving in general
- ...

Slide 26: Questions?