  1. Bounded Model Checking. Julien Schmaltz, Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands, julien@cs.ru.nl. April 15, 2009. J. Schmaltz, Bounded Model Checking

  2. Agenda (coming lectures ...)
     √ Part I: Linear Time
     √ Part II: Branching Time
     √ Part III: Comparison
     √ Part IV: Binary Decision Diagrams and Symbolic Model Checking
     √ Part V: The SAL tool
     Part VI: SAT and Bounded Model Checking
     Part VII: k-induction, SMT, and disjunctive invariants

  3. Agenda for today
     Part I: SAT
     Part II: BMC (semantics, translation to SAT, completeness)

  4. Part I: Propositional SAT solvers

  5. Outline of Part I
     1 Principles
     2 Backtracking, Resolution and DPLL: Backtracking; Resolution; DPLL basic algorithm; Summary

  6. Principles: DPLL-style SAT solvers (slides from McMillan's tutorial at CAV 2003)
     DPLL = Davis-Putnam-Logemann-Loveland (early 60's); modern solvers: CHAFF, GRASP, BERKMIN, ...
     Objective: check satisfiability of a CNF formula
     - literal: p or ¬p
     - clause: disjunction of literals
     - CNF: conjunction of clauses
     Method:
     - branch: make arbitrary decisions
     - propagate: build the implication graph
     - use conflicts to guide inference steps

  7. The implication graph: Unit Propagation (UP) or Boolean Constraint Propagation (BCP)
     Consider the CNF formula (¬a ∨ b) ∧ (¬a ∨ c ∨ d).
     Implication graph (figure): decisions a and ¬c; the first clause implies b, the second implies d.
     Assignment: a ∧ b ∧ ¬c ∧ d

  8. Resolution
     From the clauses (a ∨ ¬b ∨ c) and (¬a ∨ ¬b ∨ d), resolving on a yields (¬b ∨ c ∨ d).
     Resolution is used to solve conflicts; the implication graph is used to guide resolution.

  9. Conflict clauses (1)
     Formula: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
     Implication graph (figure): decisions a and ¬c, implied b and d.
     Implication of the decisions with the first 2 clauses: a ∧ b ∧ ¬c ∧ d, and then a conflict with the last clause.

  10. Conflict clauses (1), continued
     Formula: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
     Resolve (¬b ∨ c ∨ d) with (¬b ∨ ¬d): ¬b ∨ c. Conflict!
     Assignment a ∧ b ∧ ¬c ∧ d. Resolution with the last clause first, then a conflict with the assignment.

  11. Conflict clauses (1), continued
     Formula: (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)
     Resolve (¬b ∨ c ∨ d) with (¬b ∨ ¬d): ¬b ∨ c. Conflict!
     Resolve (¬b ∨ c) with (¬a ∨ b): ¬a ∨ c. Conflict!!
     Assignment a ∧ b ∧ ¬c ∧ d. Resolution continued and new decision: start with ¬a and c.

  12. Conflict Clauses (2)
     - generated by resolution
     - implied by the existing clauses
     - in conflict with the current assignment
     - safely added to the clause set
     Heuristics/implementations: when to stop resolution; which clauses should be used for resolution

  13. Basic SAT algorithm (flowchart)
     Start with CS = {}.
     Empty clause? yes: UNSAT.
     Deduce. Conflict? yes: derive a conflict clause and backtrack.
     All decided? yes: SAT.
     Otherwise branch: add a literal to CS.
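The loop of slide 13 and the BCP/resolution steps of slides 7-11, as an added example (not from the slides): a minimal DPLL core with unit propagation and clause resolution, run on the CNF of the "Conflict clauses" slides. Variable and clause encodings are assumptions.

```python
# Added example (not from the slides): a minimal DPLL core with BCP and
# clause resolution, run on the CNF used on the "Conflict clauses" slides.
# Literals are ints: a=1, b=2, c=3, d=4; a negative int is the negated literal.
A, B, C, D = 1, 2, 3, 4
CNF = [[-A, B], [-B, C, D], [-B, -D]]   # (¬a ∨ b) ∧ (¬b ∨ c ∨ d) ∧ (¬b ∨ ¬d)


def unit_propagate(clauses, assignment):
    """BCP: extend the set of true literals with every implied literal.
    Returns (assignment, conflicting clause or None)."""
    assignment = set(assignment)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(lit in assignment for lit in clause):
                continue                       # clause already satisfied
            free = [lit for lit in clause if -lit not in assignment]
            if not free:                       # every literal false: conflict
                return assignment, clause
            if len(free) == 1:                 # unit clause forces its literal
                assignment.add(free[0])
                changed = True
    return assignment, None


def resolve(c1, c2, var):
    """Resolution on `var` (var in c1, ¬var in c2) -> the resolvent clause."""
    assert var in c1 and -var in c2
    return sorted({l for l in c1 if l != var} | {l for l in c2 if l != -var})


def dpll(clauses, assignment=frozenset()):
    """Basic DPLL loop of slide 13: deduce, backtrack on conflict, else branch."""
    assignment, conflict = unit_propagate(clauses, assignment)
    if conflict is not None:
        return None                            # backtrack
    decided = {abs(l) for l in assignment}
    undecided = {abs(l) for cl in clauses for l in cl} - decided
    if not undecided:
        return assignment                      # all decided: SAT, model found
    v = min(undecided)
    for lit in (v, -v):                        # arbitrary decision, then its flip
        model = dpll(clauses, assignment | {lit})
        if model is not None:
            return model
    return None
```

With the slide's decisions a and ¬c, `unit_propagate` reproduces the implied b and d and reports the clause (¬b ∨ ¬d) as the conflict; `resolve` reproduces the learned clauses ¬b ∨ c and ¬a ∨ c.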

  14. Summary (1)
     SAT is an NP-hard problem.
     Efficient implementations today, with clever heuristics: which literals to consider (decisions); ordering of propagation (BCP); cache-aware implementations; pre-processing; learning; restarts; ...
     Every NP problem can be reduced to SAT in polynomial time.
     A general solver plus tuning can be effective.

  15. Summary (2)
     Industrial applications (PowerPC and Intel's Pentium 4).
     SAT-based methods are very good for small-depth bugs in large systems.
     Automated test generation.
     SAT on problems with hundreds of thousands of clauses.
     SAT competition.

  16. Part II: Model Checking

  17. Outline of Part II
     3 Running Example: Mutual Exclusion (Pseudo-code; Kripke model)
     4 Definitions and notations
     5 Model Checking and Bounded MC

  18. A simple mutual exclusion (SMUTE)
     Consider 2 processes competing for a shared resource:
       process A                     process B
         forever                       forever
           A.pc = 0                      B.pc = 0
           wait for B.pc = 0             wait for A.pc = 0
           A.pc = 1                      B.pc = 1
           access resource               access resource
         end forever                   end forever
       end process                   end process

  19. Kripke Structure for SMUTE (figure: states 00, 01, 10, 11 and their transitions)
     State space: S = {0, 1}²
     State vector: s ∈ S = {0, 1}²
     Transition relation T ⊆ S²
     An (initialized) path: 00, 01, 00, 10, 00, 01, ...
     SMUTE is safe: never do 2 processes access the resource simultaneously (G ¬(A.pc = 1 ∧ B.pc = 1)).

  20. Kripke Structure for unsafe SMUTE (figure: same states, with transitions into 11)
     The path 00, 01, 11 is a counter-example to safety:
     G ¬(A.pc = 1 ∧ B.pc = 1) is false
     F (A.pc = 1 ∧ B.pc = 1) is true

  21. Kripke Structures
     A Kripke structure M is a quadruple M = ⟨S, I, T, L⟩:
     - S is a set of states, and I a set of initial states
     - T is the transition relation
     - L is the labeling function, L(s) = atomic propositions true in s
     A path π is an infinite sequence of states s₀, s₁, s₂, ...
     πⁱ = (sᵢ, sᵢ₊₁, ...) denotes the suffix starting at position i
     M ⊨ f means that M satisfies f (later restricted to LTL)

  22. Limitations of Model Checking: why bounded?
     Model checking suffers from state-space explosion.
     Initial motivation for BMC: leverage advances in SAT solving.
     Idea: restrict the search to counter-examples with some length k.

  23. Part III: From BMC to SAT

  24. Outline of Part III
     6 Principles
     7 Semantics
     8 Translation to SAT
     9 Completeness

  25. Basic Idea
     LTL formulas are defined over all paths; finding a counter-example = there exists a contradicting trace.
     For instance, a counter-example to G p? = a witness for F ¬p?
     For convenience we use path quantifiers: M ⊨ A f ≡ M ⊨ ¬(E ¬f).
     From now on, we only look at the existential problem (M ⊨ E f).
     Finite paths may represent infinite behaviors: paths with loops.

  26. Two cases for a bounded path
     Idea: finite paths may say something about infinite behaviors.
     Path without a back loop (figure: sᵢ ... sₖ): finite behavior up to sₖ.
     Path with a back loop (figure: sₗ ... sᵢ ... sₖ, with an edge from sₖ back to sₗ): infinite behavior.
     Definition ((k,l)-loop). For l ≤ k we call a path π a (k,l)-loop if T(π(k), π(l)) and π = u · v^ω with u = (π(0), ..., π(l−1)) and v = (π(l), ..., π(k)). We call π a k-loop if there exists k ≥ l ≥ 0 for which π is a (k,l)-loop.

  27. Bounded paths and witnesses
     Can a path with no loop be a witness for G p? Justify.
     Can a path with no loop be a witness for F p? Justify.

  28. Witnesses for G p: example
     Consider the following k-loop (figure: sₗ ... sᵢ ... sₖ, every state labelled p, with a back edge from sₖ to sₗ). It is a witness for G p.
     Consider the following path (figure: sᵢ ... sₖ, every state labelled p, no back loop). This cannot be a witness for G p, as there might be states after sₖ that do not satisfy p.

  29. Witnesses for F p: example
     Consider the following path (figure: sᵢ ... sₖ labelled ¬p, ¬p, ¬p, p). It is a witness for F p.
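The bounded search of slides 19-20 and the witness conditions of slides 26-29, as an added example (not from the slides): explicit unrolling of the SMUTE transition relation to find a counter-example to G p, and a search for a (k,l)-loop on which p holds everywhere. The transition relations are derived from the slide's pseudo-code; the unsafe variant is an assumption (the wait step is dropped), since the slide only shows its graph.

```python
# Added example (not from the slides): bounded search for counter-examples and
# (k,l)-loop witnesses over the SMUTE Kripke structure of slides 18-20. A state
# is (A.pc, B.pc). The unsafe variant is an assumption: it drops the wait step.

def smute(safe):
    """Transition relation T as a function: state -> sorted list of successors."""
    def step(s):
        a, b = s
        succ = set()
        if a == 0 and (b == 0 or not safe):   # A enters (waits for B.pc = 0 if safe)
            succ.add((1, b))
        if a == 1:                            # A releases the resource
            succ.add((0, b))
        if b == 0 and (a == 0 or not safe):   # process B, symmetric
            succ.add((a, 1))
        if b == 1:
            succ.add((a, 0))
        return sorted(succ)
    return step

INIT = (0, 0)
BAD = lambda s: s == (1, 1)        # A.pc = 1 ∧ B.pc = 1
P = lambda s: not BAD(s)           # the proposition p of the safety property G p

def bmc_counterexample(T, init, bad, k):
    """Unroll T from init to depth k; return the shortest path reaching a bad
    state (a witness for F ¬p, i.e. a counter-example to G p), or None."""
    frontier = [[init]]
    for _ in range(k + 1):
        for path in frontier:
            if bad(path[-1]):
                return path
        frontier = [path + [s] for path in frontier for s in T(path[-1])]
    return None

def loop_witness(T, init, p, k):
    """Find a (k,l)-loop pi(0..k) with p in every state, a witness for G p
    (slide 28): returns (path, l) such that T(pi(k), pi(l)), or None."""
    def extend(path):
        if len(path) == k + 1:
            for l in range(k + 1):
                if path[l] in T(path[-1]):    # back edge closes the loop
                    return path, l
            return None
        for s in T(path[-1]):
            if p(s) and (found := extend(path + [s])):
                return found
        return None
    return extend([init]) if p(init) else None
```

For the unsafe variant, depth k = 2 returns the slide's counter-example 00, 01, 11, while k = 1 finds nothing, which is exactly the sense in which BMC is bounded; for the safe variant no depth reaches 11, and the (1,0)-loop 00, 01 with a back edge to 00 is a witness for G p.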
