model checking base on interoplation k. l. mcmillan cadence berkeley labs

Model Checking Base onInteroplation

K. L. McMillanCadence Berkeley Labs

Copyright 2002 Cadence Design Systems. Permission is granted to reproduce without modification.

Interpolation

• If A B = false, there exists an interpolant A' for (A,B) such that:

A A'A' B = false

A' refers only to common variables of A,B

• Example: – A = p q, B = q r, A' = q

• Interpolants from proofs– given a resolution refutation of A B,

A' can be derived in linear time.

(Craig,57)

(Pudlak,Krajicek,97)


Interpolation-based MC

• Combining “bounded model checking” and interpolation gives us– A means of over-approximate image computation– Hence, reachability analysis

• Method is complete for systems of finite diameter.

• Modern SAT solvers naturally produce resolution refutations– Leads to fully SAT-based model checking.


Outline

• Computing interpolants• Interpolation-based image computation• Model checking finite state systems


Resolution

• Modern SAT solvers naturally produce refutations for CNF formulas using resolution

• Interpolants can be derived from such refutations in linear time.

(A p) (p B)

(A B)


Example

• Interpolant is a circuit that follows structure of the proof.

A = (b)(b c) B = (c d)(d)

(b) (b c)

(c) (c d)

(d)(d)

c

=c


DPLL SAT solvers

• Given a propositional formula in CNF:– Produce a satisfying assignment– Produce a resolution refutation

Current solvers, like Chaff and BerkMin are highly efficient, especially in the case when there is a small “core” of clauses that are unsatisfiable.


An interpolating SAT solver

SATsolver

(A,B) in CNF

Interpolation

proof

A’


Interpolation-based MC

• Exploit interpolation to compute an over-approximate image operator.– Allows symbolic model checking– Procedure is complete for finite diameter

systems


Modeling

System modeled by a transition constraint

ab cp

g

Each circuit element induces a constraintnote: a = at and a' = at+1

g = a b

p = g c

c' = p

Model:

C = { g = a b, p = g c, c' = p }


Bounded model checking

• Unfold the model k times: U = C0 C1 ... Ck-1

ab

cp

g ab

cp

g ab

cp

g

...I0 Fk

• Use SAT solver to check satisfiability of I0 U Fk

• If unsatisfiable:• property has no Cex of length k• can produce a refutation proof P


Reachability

• Is there a path (of any length) from I to F satisfying transition constraint C?

• Reachability fixed point:R0 = I

Ri+1 = Ri Img(Ri,C)

R = Ri

• Image operator:Img(P,C) = V'. V. (P(V) C(V,V’))

• F is reachable iff R F false


Reachability

I FR1

R2...

R

= I Img(I,C)= R1 Img(R1,C)


Overapproximation

• An overapproximate image op. is Img' s.t.for all P, Img(P,C) implies Img'(P,C)

• Overapprimate reachability:R'0 = I

R'i+1 = R'i Img'(R'i,C)

R' = R'i

• Img' is adequate (w.r.t.) F, when– if P cannot reach F, Img’(P,C) cannot reach F

• If Img' is adequate, then– F is reachable iff R' F false


Adequate image

P F

Img(P,C)

Reached from P Can reach F

Img’(P,C)

But how do you get an adequate Img'?


k-adequate image operator

• Img' is k-adequate (w.r.t.) F, when– if P cannot reach F, Img’(P,C) cannot reach F within k steps

• Note, if k > diameter, then k-adequate is equivalent to adequate.


Interpolation-based image

• Idea -- use unfolding to enforce k-adequacyA = P-1 C-1

B = C0 C1 Ck-1 Fk

P FC C C C C C C

A B

t=0 t=k

Let Img'(P)0= A', where A' is an interpolant for (A,B)...

Img' is k-adequate!


Huh?

• A A'– Img(P,C) Img'(P,C)

• A' B = false– Img'(P,C) cannot reach F in k steps

• Hence Img' is k-adequate overapprox.

P FC C C C C C C

A B

t=0 t=k

A'

Note: if A,B are consistent, then let Img’(P,C) = T.


Intuition

• A' tells is everything the prover deduced about the image of P in proving it can't reach F in k steps.

• Hence, A' is in some sense an abstraction of the image relative to the property.

P FC C C C C C C

A B

t=0 t=k

A'


Reachability algorithm

let k = 0repeat if I can reach F within k steps, answer reachable R = I while Img'(R,C) F = false

R' = Img'(R,C) R if R' = R answer unreachable R = R' end while increase kend repeat


Termination

• Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.

Notes:– don't need to know when k > d in order to

terminate– often termination occurs with k << d– depth bound for earlier method (Sheeran et al

'00) is "longest simple path", which can be exponentially longer than diameter


PicoJava II benchmarks

• Hardware Java virtual machine implementation• Properties derived from verification of ICU

– handles cache, instruction prefetch and decode

• Original abstraction was manual• Added neigboring IFU to make problem harder

– result: many irrelevant facts in problem

ICU IFUMem,Cache

Integerunit

properties


Results

• Benchmarks completed in 1800 s:– Standard model checking: 0/20– Interpolation-based: 19/20

• Reason:– Interpolation method exploits the SAT solver’s

ability to narrow proofs to relevant facts.


v. proof-based abstraction

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000

Proof-based abstraction (s)

Inte

rpo

latio

n-b

ase

d m

eth

od

(s)

McM,TACAS03


v. proof-based abstraction

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000

Counterexample-based abstraction (s)

Inte

rpo

latio

n-b

ase

d m

eth

od

(s)

CCKSVW,FMCAD02


v. K-induction

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000

Interpolation-based (s)

k-in

du

ctio

n (

FM

CA

D0

0)

(s)

SSS, FMCAD00


IBM GP benchmarks

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000


Inte

rpo

latio

n-b

ase

d m

eth

od

(s)


GP benchmarks - true properties

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000


Inte

rpo

latio

n-b

ase

d m

eth

od

(s)


Characteristics

• SAT-based methods are effective when– Very large set of facts is available– Only a small subset are relevant to property

• They exploit the SAT solver's ability to narrow the proof to relevant facts– I.e., narrows reachable states approximation to relevant variables.

• Interpolation method exploits this fact to compute abstract image operator.


Infinite-state verification

• Direct approach:– express transition constraint in FOL– example: simple “Bakery” protocol:

ticket0’ > ticket1

ticket1 > ticket0

state1 = NC

NC

C

ticket1’ > ticket0

ticket0 > ticket1

state0 = NC

NC

C

Terminates because diameter is finite, thoughstate space is infinite


Infinite-state verification

• Predicate abstraction approach (Graf,Saïdi,97)– Choose a set of predicates to represent state

• I.e., for bakery: ticket1 > ticket0 and ticket0 > ticket1

– Transform C into a predicate-state transducer– Interpolants are now strictly Boolean

• Convergence guaranteed, but may have false negatives

• Advantages of interpolation approach:– Avoid conversion to a Boolean formula– Avoid building BDD’s!– Strong ability to ignore irrelevant predicates


Conclusion

• SAT solvers have the ability:– to generate refutations for bounded

reachability– to filter out irrelevant facts.

• These abilities can be exploited to generate an abstract image operator, using Craig interpolation.

• This yields a reachability procedure that– is fully SAT-base– operates directly on infinite-state systems– is robust w.r.t. irrelevant facts

model checking base on interoplation k. l. mcmillan cadence berkeley labs

Documents

c slide

c imgp

b slide

cadence design systems

c d d b b c cc c d dd

b b cb

c overapprimate reachability

transition constraint