EPR-Based Bounded Model Checking at Word Level Christoph Sticksel The University of Iowa September 21, 2012 Joint work with Moshe Emmer, Zurab Khasidashvili Intel Development Center, Haifa Konstantin Korovin, Andrei Voronkov The University of Manchester 1 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
A Word Level Design clock circuit wren memory rden rddata[63:0] wrdata[63:0] m outp[63:0] u cacheline[63:0] x rdaddr[5:0] = wraddr[5:0] sel Typical word level components: bit-vectors, memories, and addresses 2 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Bounded Model Checking (BMC) ◮ System model with state variables in ¯ x ◮ Initial state I , transition relation T , and (safety) property P ◮ Verify safety property by stepwise unrolling the transition I (¯ x 0 ) ∧ T (¯ x 0 , ¯ x 1 ) ∧ T (¯ x 1 , ¯ x 2 ) ∧ · · · ∧ T (¯ x n − 1 , ¯ x n ) | = P (¯ x n ) ◮ Solve one SAT problem on each unrolling ◮ Counterexample if property is violated Bottlenecks in SAT-based BMC ◮ Unrolling creates copies of the transition relation . ◮ Word level components have to be encoded bit-wise for SAT. Our contribution: move to higher level of abstraction. 1. Avoid unrolling the transition relation, and 2. succinctly encode word level components with into EPR. 3 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Bounded Model Checking (BMC) ◮ System model with state variables in ¯ x ◮ Initial state I , transition relation T , and (safety) property P ◮ Verify safety property by stepwise unrolling the transition I (¯ x 0 ) ∧ T (¯ x 0 , ¯ x 1 ) ∧ T (¯ x 1 , ¯ x 2 ) ∧ · · · ∧ T (¯ x n − 1 , ¯ x n ) | = P (¯ x n ) ◮ Solve one SAT problem on each unrolling ◮ Counterexample if property is violated Bottlenecks in SAT-based BMC ◮ Unrolling creates copies of the transition relation . ◮ Word level components have to be encoded bit-wise for SAT. Our contribution: move to higher level of abstraction. 1. Avoid unrolling the transition relation, and 2. succinctly encode word level components with into EPR. 3 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Bounded Model Checking (BMC) ◮ System model with state variables in ¯ x ◮ Initial state I , transition relation T , and (safety) property P ◮ Verify safety property by stepwise unrolling the transition I (¯ x 0 ) ∧ T (¯ x 0 , ¯ x 1 ) ∧ T (¯ x 1 , ¯ x 2 ) ∧ · · · ∧ T (¯ x n − 1 , ¯ x n ) | = P (¯ x n ) ◮ Solve one SAT problem on each unrolling ◮ Counterexample if property is violated Bottlenecks in SAT-based BMC ◮ Unrolling creates copies of the transition relation . ◮ Word level components have to be encoded bit-wise for SAT. Our contribution: move to higher level of abstraction. 1. Avoid unrolling the transition relation, and 2. succinctly encode word level components with into EPR. 3 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Effectively Propositional Reasoning (EPR) ◮ First-order logic ∃ ∗ ∀ ∗ formulas without function symbols ◮ No Skolem functions in CNF ◮ Aka. Bernays-Sch¨ onfinkel or Function-free Clause Logic ◮ Decidable by instantiation-based methods ◮ Efficient solvers, e.g. iProver ◮ Important for applications ◮ SAT encoding: many isomorphic or nearly isomorphic subsets ◮ EPR resolution proofs can be exponentially shorter than propositional resolution proofs. 4 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Effectively Propositional Reasoning (EPR) ◮ First-order logic ∃ ∗ ∀ ∗ formulas without function symbols ◮ No Skolem functions in CNF ◮ Aka. Bernays-Sch¨ onfinkel or Function-free Clause Logic ◮ Decidable by instantiation-based methods ◮ Efficient solvers, e.g. iProver ◮ Important for applications ◮ SAT encoding: many isomorphic or nearly isomorphic subsets ◮ EPR resolution proofs can be exponentially shorter than propositional resolution proofs. 4 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Effectively Propositional Reasoning (EPR) ◮ First-order logic ∃ ∗ ∀ ∗ formulas without function symbols ◮ No Skolem functions in CNF ◮ Aka. Bernays-Sch¨ onfinkel or Function-free Clause Logic ◮ Decidable by instantiation-based methods ◮ Efficient solvers, e.g. iProver ◮ Important for applications ◮ SAT encoding: many isomorphic or nearly isomorphic subsets ◮ EPR resolution proofs can be exponentially shorter than propositional resolution proofs. 4 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Encoding BMC in EPR The BMC problem I (¯ x 0 ) ∧ T (¯ x 0 , ¯ x 1 ) ∧ T (¯ x 1 , ¯ x 2 ) ∧ · · · ∧ T (¯ x n − 1 , ¯ x n ) | = P (¯ x n ) is dominated by T (¯ x i , ¯ x i +1 ) terms for large n . Idea [Navarro-Perez, Voronkov 2007] ◮ Introduce a symbolic constant s i for each bound, ◮ instead of a state variable p use a predicate p ( s i ), and ◮ quantify over predicates p ( x ) instead of unrolling. 5 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Encoding BMC in EPR The BMC problem I (¯ x 0 ) ∧ T (¯ x 0 , ¯ x 1 ) ∧ T (¯ x 1 , ¯ x 2 ) ∧ · · · ∧ T (¯ x n − 1 , ¯ x n ) | = P (¯ x n ) is dominated by T (¯ x i , ¯ x i +1 ) terms for large n . Idea [Navarro-Perez, Voronkov 2007] ◮ Introduce a symbolic constant s i for each bound, ◮ instead of a state variable p use a predicate p ( s i ), and ◮ quantify over predicates p ( x ) instead of unrolling. 5 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Translating BMC into EPR Preliminaries: ◮ Transition relation T (¯ x , ¯ x ′ ) contains current state symbols x ′ . in ¯ x and next state symbols in ¯ ◮ Initial state constraint I ( x ) and property P ( x ) only contain current state symbols . 6 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Translating BMC into EPR Let S and S ′ be fresh variables p t ( S , B (¯ r )) if p is a current state symbol r )) def B ( p (¯ = p t ( S ′ , B (¯ r )) if p is a next state symbol p ( B (¯ r )) otherwise Let s 1 , . . . , s n be new constants and next be a new binary predicate, then the n -step unrolling is B ( I )[ S �→ s 0 ] ∀ S ∀ S ′ (next( S , S ′ ) → B ( T )) B ( P )[ S �→ s n ] next( s 0 , s 1 ) ∧ · · · ∧ next( s n − 1 , s n ) 6 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Encoding Word Level Components Relational encoding [Khasidashvili, Kinanah, Voronkov 2009] Predicate representation Bit-vector wrdata ( S , B ): Boolean value of bit B in state S Memory mem ( S , A , B ): Boolean value of bit at row A , column B in state S Functional representation Bit-vector wraddrFunc ( S ): bit-vector value in state S Bit-index bitindex i : i -th bit in a bit-vector mem ( S , rdaddrFunc ( S ) , bitindex 5 ) Dimension of bit-vectors and memories is abstract 7 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Encoding Word Level Components Relational encoding [Khasidashvili, Kinanah, Voronkov 2009] Predicate representation Bit-vector wrdata ( S , B ): Boolean value of bit B in state S Memory mem ( S , A , B ): Boolean value of bit at row A , column B in state S Functional representation Bit-vector wraddrFunc ( S ): bit-vector value in state S Bit-index bitindex i : i -th bit in a bit-vector mem ( S , rdaddrFunc ( S ) , bitindex 5 ) Dimension of bit-vectors and memories is abstract 7 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Axiomatizing the Relational Encoding wraddrFunc ( S ) = rdaddrFunc ( S ) ↔ ∀ B (less 6 ( B ) → ( wraddr ( S , B ) ↔ rdaddr ( S , B ))) less k ( x ) ↔ ( x = bitindex 0 ∨ · · · ∨ x = bitindex k − 1 ) less k (bitindex j ) if j < k ¬ less k (bitindex j ) otherwise wraddrFunc ( S ) = rdaddrFunc ( S ) ↔ ∀ B (range [0 , 6] ( B ) → ( wraddr ( S , B ) ↔ rdaddr ( S , B ))) range [ m , k ] ( x ) ↔ ( x = bitindex m ∨ · · · ∨ x = bitindex k ) 8 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Axiomatizing the Relational Encoding wraddrFunc ( S ) = rdaddrFunc ( S ) ↔ ∀ B (less 6 ( B ) → ( wraddr ( S , B ) ↔ rdaddr ( S , B ))) less k ( x ) ↔ ( x = bitindex 0 ∨ · · · ∨ x = bitindex k − 1 ) less k (bitindex j ) if j < k ¬ less k (bitindex j ) otherwise wraddrFunc ( S ) = rdaddrFunc ( S ) ↔ ∀ B (range [0 , 6] ( B ) → ( wraddr ( S , B ) ↔ rdaddr ( S , B ))) range [ m , k ] ( x ) ↔ ( x = bitindex m ∨ · · · ∨ x = bitindex k ) 8 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Back to EPR: Address Unrolling (1) (akin to EPR-based finite model finding [Baumgartner, Fuchs, de Nivelle, Tinelli 2007]) Add clauses assoc rdaddr ( s 0 , rdaddr 0 ) ∧ · · · ∧ assoc rdaddr ( s n , rdaddr n ) and turn Φ[ rdaddrFunc ( x )] into ∀ y assoc rdaddr ( x , y ) → Φ[ y ] . 9 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Back to EPR: Address Unrolling (2) val( b , i ) represents the value of bit-vector b at index i addr k ( x ) is true iff x is a bit-vector of length k Equality between bit-vectors: ∀ x ∀ y (addr k ( x ) ∧ addr k ( y ) → ( x = y ↔ ∀ B (range [0 , k − 1] ( B ) → (val( x , B ) ↔ val( y , B ))))) Not yet in EPR: ↔ results in ∀ 2 ∃ prefix Again: turn Skolem function into Skolem predicate 10 Christoph Sticksel EPR-Based Bounded Model Checking at Word Level
Recommend
More recommend
![Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model](https://c.sambuz.com/809780/bounded-model-checking-s.jpg)
