11.7.2005 Computing OverApproximations with Bounded Model Checking Daniel Kroening ETH Zürich

Post on 21-Dec-2015

218 views

Category:

Documents


1 download

TRANSCRIPT

11.7.2005

Computing Over Approximations with Bounded Model Checking

Daniel Kroening

ETH Zürich

11.7.2005 Daniel Kroening 2

Motivation

SAT solvers have impressive capacity

BMC: unwind transition system to get formula

Figure: the unwound transition system s0 → s1 → s2 → … → s(k-1) → s(k), with the property p checked at every state.

11.7.2005 Daniel Kroening 3

Motivation

For safety properties:

Refutation only, no proof

If we make k “big enough”, we can find all bugs

How big is “big enough”?

Knowing this bound makes BMC complete

11.7.2005 Daniel Kroening 4

Related Work: Making BMC Complete

We call such a bound a completeness threshold (CT)

Getting smallest such CT is as hard as model checking

Thus, get over-approximation

11.7.2005 Daniel Kroening 5

Related Work: Making BMC Complete

Distance between states: length of the shortest path between two states

Diameter d: maximum distance between two connected states

Initialized diameter Id: maximum distance from the initial states to any reachable state

For safety properties, the initialized diameter is a completeness threshold

11.7.2005 Daniel Kroening 6

Related Work: Making BMC Complete

Problem: computing the diameter Id corresponds to a QBF instance

Too hard

Thus, related work relies on simple paths

Simple path: path without loops

Initialized recurrence diameter Ird: longest loop-free path from the initial states to any reachable state

Id ≤ Ird

11.7.2005 Daniel Kroening 7

Related work: Making BMC Complete

Computing Ird:

Called the “simple path” constraint

Becomes UNSAT once k > Ird

Requires O(k²) clauses

Can be improved to O(k log k) [VMCAI2003]

11.7.2005 Daniel Kroening 8

Related work: Making BMC Complete

But: the recurrence diameter can be much larger than the diameter:

Reachability diameter 1, recurrence diameter n
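As an added example (not from the slides), the definitions above, computed explicit-state on two constructed systems: the slide's n+1-state system in which every state reaches every other in one step (Id = 1, Ird = n), and the k-bit counter from the later "special case" slide (Id = Ird = 2^k - 1). `bmc` is a brute-force stand-in for a SAT-based BMC query and shows why a bound below the CT is inconclusive; the function names and the sample systems are assumptions.

```python
from collections import deque

def reachable(init, succ):
    # BFS from the initial states; maps each reachable state to its distance.
    dist = {s: 0 for s in init}
    queue = deque(init)
    while queue:
        s = queue.popleft()
        for t in succ(s):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return dist

def initialized_diameter(init, succ):
    # Id: longest shortest path from an initial state to any reachable state.
    return max(reachable(init, succ).values())

def initialized_recurrence_diameter(init, succ):
    # Ird: longest loop-free path that starts in an initial state.  Exponential
    # DFS, which is fine for the tiny constructed systems below.
    best = 0
    def dfs(s, seen, length):
        nonlocal best
        best = max(best, length)
        for t in succ(s):
            if t not in seen:
                dfs(t, seen | {t}, length + 1)
    for s in init:
        dfs(s, frozenset([s]), 0)
    return best

def bmc(init, succ, bad, k):
    # Explicit-state stand-in for a BMC query with bound k: length of the
    # shortest error trace of at most k steps, or None.  None is only a proof
    # of the safety property once k >= Id, i.e. once k reaches the CT.
    hits = [d for s, d in reachable(init, succ).items() if bad(s) and d <= k]
    return min(hits) if hits else None

# Constructed system from the slide: n+1 states, each can move to every other
# state in one step.  Reachability diameter 1, recurrence diameter n.
def clique_succ(n):
    return lambda s: [t for t in range(n + 1) if t != s]

# Constructed k-bit counter: from reset 0 the state 2^k - 1 is 2^k - 1 steps
# away, and the only loop-free path is counting up, so Id = Ird.
def counter_succ(bits):
    return lambda s: [(s + 1) % (1 << bits)]
```

With `counter_succ(3)` and a bad state 5, `bmc` with k = 3 returns None although the bug exists; with k = 7 = Id it finds the trace of length 5.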

11.7.2005 Daniel Kroening 9

Talk outline

Completeness thresholds from structural analysis

Abstraction for a small CT

Refinement

Experiments

11.7.2005 Daniel Kroening 10

Structural Analysis

Baumgartner/Kuehlmann CAV 2002

“Structure” refers to dependencies between latches

11.7.2005 Daniel Kroening 11

Structural Analysis

Baumgartner/Kuehlmann CAV 2002

“Structure” refers to dependencies between latches

Similar to computing transitive closure

LDG

11.7.2005 Daniel Kroening 12

Structural Analysis

Claim: the diameter adds up in a pipeline

Baumgartner/Kuehlmann: many partial circuits that do not have cycles in the LDG

Thus, can prove properties with BMC and CT as above

More observations like that (e.g., ROMs)

11.7.2005 Daniel Kroening 13

Making it useful

Real designs have many cycles: counters, forwarding, memories

Realistic designs often have diameter > 2^100

Too hard for BMC (and BDDs)

Problem: any diameter is way too large to be useful

11.7.2005 Daniel Kroening 14

Making it useful

Observation: abstract models are highly non-deterministic, and thus usually have a very small diameter

Idea: Make an abstraction to get a small CT

Candidates: predicate reduction; localization reduction / cut-point insertion

Warning: CT for abstract model is not a CT for concrete model

11.7.2005 Daniel Kroening 15

Automatic Abstraction Refinement

Figure: the abstraction refinement loop. Compute the abstraction, run BMC on the abstract model and check whether the property holds. Yes: done. No: simulate the abstract counterexample on the concrete model with BMC; either a bug is found, or the counterexample is spurious and the abstraction is refined before the loop repeats.

[Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

11.7.2005 Daniel Kroening 16

Cut-Point Insertion

Replaces signal by new primary input

Typically done such that a maximal amount of logic and registers are removed

11.7.2005 Daniel Kroening 17

Cut-Point Insertion

Our approach: Insert cut-point to cut cycles

Typically does not remove any logic

Abstract model has same number of gates and latches

Sole purpose: get small CT

Prevents some spurious traces

11.7.2005 Daniel Kroening 18

Automatic Abstraction Refinement

Figure: the abstraction refinement loop again (compute abstraction → BMC → property holds? Yes: done; No: simulate with BMC → bug found, or spurious counterexample → refine).

[Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

11.7.2005 Daniel Kroening 19

Structural Analysis

Special case: k-bit counter

11.7.2005 Daniel Kroening 20

Structural Analysis with Cycles

Claim: a circuit with depth bound I can be treated as a pipeline with I stages

Claim: adding a 1-bit feedback loop at most doubles the diameter

Intuitive, but see paper for proof

11.7.2005 Daniel Kroening 21

Structural Analysis

Q: What is the back-edge?

A: Pick one that produces small CT!

Bound: (1+2) · 2^x, where x = min{j, k}

11.7.2005 Daniel Kroening 22

Structural Analysis

Now can compute CT as follows:

1. Identify an inner cycle in the LDG
2. Terminate if there is no cycle
3. Compute the bound for the inner cycle ()
4. Replace the inner cycle with a pipeline with stages
5. Repeat

11.7.2005 Daniel Kroening 23

Limitations

There could be cycles, but no “innermost cycle”

Cycles share a component

Hope: rare in circuits
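As an added example (not from the slides or the paper), the structural step on the latch dependency graph (LDG) for the cycle-free case from the "Structural Analysis" slides, plus the cycle detection that the procedure above needs as its first step: for an acyclic LDG the diameters add up along the pipeline, so the longest chain of latches is the CT. The LDG encoding (latch → latches whose previous value it reads), the function names and the sample LDGs, including the shared-component case from the "Limitations" slide, are assumptions.

```python
def find_cycle(ldg):
    # DFS over the LDG (latch -> latches whose previous value it reads).
    # Returns the latches of one dependency cycle, or None if the LDG is acyclic.
    WHITE, GREY, BLACK = 0, 1, 2
    nodes = set(ldg) | {v for deps in ldg.values() for v in deps}
    colour = {u: WHITE for u in nodes}
    stack = []
    def visit(u):
        colour[u] = GREY
        stack.append(u)
        for v in ldg.get(u, ()):
            if colour[v] == GREY:          # back-edge: the cycle closes at v
                return stack[stack.index(v):]
            if colour[v] == WHITE:
                cyc = visit(v)
                if cyc:
                    return cyc
        stack.pop()
        colour[u] = BLACK
        return None
    for u in sorted(nodes):
        if colour[u] == WHITE:
            cyc = visit(u)
            if cyc:
                return cyc
    return None

def pipeline_ct(ldg):
    # CT for an acyclic LDG: a latch fed only by primary inputs settles in one
    # step, and diameters add up along a pipeline, so the longest chain of
    # latches bounds the initialized diameter.  Cyclic LDGs are rejected, since
    # a cycle needs the separate bound from the "with Cycles" slides.
    cyc = find_cycle(ldg)
    if cyc:
        raise ValueError("LDG has a cycle: " + " -> ".join(cyc + cyc[:1]))
    depth = {}
    def longest(u):
        if u not in depth:
            depth[u] = 1 + max((longest(v) for v in ldg.get(u, ())), default=0)
        return depth[u]
    return max(longest(u) for u in ldg)

# Constructed LDGs: a 3-stage pipeline, a design with two branches that merge,
# and the shared-component case from the Limitations slide (cycles a-b and b-c
# overlap in b, so there is no innermost cycle to peel off first).
PIPELINE = {"s1": [], "s2": ["s1"], "s3": ["s2"]}
TWO_BRANCH = {"x": [], "y": ["x"], "z": ["x"], "out": ["y", "z"]}
SHARED = {"a": ["b"], "b": ["a", "c"], "c": ["b"]}
```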

11.7.2005 Daniel Kroening 24

Automatic Abstraction Refinement

Figure: the abstraction refinement loop again (compute abstraction → BMC → property holds? Yes: done; No: simulate with BMC → bug found, or spurious counterexample → refine).

[Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’00]

11.7.2005 Daniel Kroening 25

Refinement

Like McMillan

Obtain proof of unsatisfiability of simulation BMC instance

Not constrained to abstract counterexample!

Examine which signals are important for the fact that there is no error of length k

Fewer iterations than counterexample-based refinement

11.7.2005 Daniel Kroening 26

Experimental Results

11.7.2005 Daniel Kroening 27

Conclusion

Structural analysis and abstraction for a complete BMC that is practical

Complete model checking based on basic SAT engine only – and no simple paths

11.7.2005 Daniel Kroening 28

Open Problem

Circuits only so far

But verification engineers like INVAR/TRANS style models

However: INVAR/TRANS can increase the diameter!

11.7.2005 Daniel Kroening 29

Current Projects

Arbitrary circuit structures

Do this for software

Explore effect of other abstraction techniques on CT of abstract model

CT and abstractions for full LTL

Make use of information of failed proof attempt with abstract model

11.7.2005 Daniel Kroening 30

Questions?