Bounded Model Checking

Ilham Amezzane 13/04/2007

Satisfiability (SAT)• Given a Boolean function in conjunctive normal form (CNF),

decide whether it is satisfiable.• What is a CNF?

– Conjunction of clauses.– Clauses are the disjunction of literals.

• CNF formula is satisfiable if each clause is satisfiable.• NP-complete problem

5691072621 .......... aaaaaaaaaf

clauses

SAT

• Applications– EDA(Electronic Design Automation)– Bounded Model Checking

• Tools– GRASP, SATO, Chaff ...

SAT Solver Progress 1960 -2010

1

10

100

1000

10000

100000

1960 1970 1980 1990 2000 2010

Year

Vars

How to Solve SAT

• Try all possible assignments to variables.– For n variables you have 2n possible

combinations.– Explodes for even reasonable n.

• Apply some heuristics to generate assignemnts which are likely to satisfy the boolean function.

56972621 .......... aaaaaaaaf

DPLL SAT solver• Most modern SAT solvers are based on

the Davis-Putnam- Logemann-Loveland (DPLL) algorithm (1960,1962), which performs a branching search with backtracking. The DPLL algorithm is sound and complete, i.e., it finds a solution if and only if the formula is satisfiable.

Some Definitions• Unit clause - a clause where all but one of its literals

are false, and the remaining literals are unassigned.• Unit literal - the unassigned literal in a unit clause.• Unit clause rule - if all but one of its literals has been

assigned the value 0, then remaining (unassigned) literal must be assigned to 1 for this clause to be satisfied.

• Decision - a process of assigning a value to a variable (any value).

• Backtracking - a process of reassigning a decision which caused the conflict.

DPLL Algorithm

DPLL Algorithm• decide-next-branch()

– chooses an unassigned branch variable and assigns a value to it.

• deduce() - unit propagation: – If an unassigned variable exists, make a decision about the

variable assignments deductible from this decision using BCP (Boolean Constraint Propagation).

• BCP consists of iterative application of the unit clause rule (which is invoked when a clause becomes a unit clause).

• BCP rule - the last unassigned literal is implied to be true. It avoids the search path where the last literal is also false, since such a path can’t lead to a solution.

– If no conflict is discovered - choose the next var for making a decision, otherwise - resolve conflict by backtracking.

DPLL Algorithm• analyze-conflict()

– Finds out the reason for conflict (occurs when a var is implied to be true as well as false).

• backtrack()– Undo some decisions and their implications.

In other wordsThe initial step consists of some preprocessing, during which it may be discovered that the formula is unsatisfiable.

The outer loop starts by choosing an unassigned variable, and a value to assign to it (decide-next-branch). If no such variable exists, a solution has been found.

Otherwise, the variable assignments deducible from this decision are made (using deduce), through a procedure called Boolean Constraint Propagation (BCP). It typically consists of iterative application of the unit clause rule, which is invoked whenever a clause becomes a unit clause, i.e., all but one of its literals are false and the remaining literal is unassigned. According to the rule, the last unassigned literal is implied to be true – this avoids the search path where the last literal is also false, since such a path cannot lead to a solution.

A conflict occurs when a variable is implied to be true as well as false. If no conflict is discovered during BCP, then the outer loop is repeated, by choosing the next variable for making a decision.

However, if a conflict does occur, backtracking is performed within an inner loop in order to undo some decisions and their implications. If all decisions need to be undone (i.e., the backtracking level blevel is 0), the formula is declared unsatisfiable since the entire search space has been exhausted.

Example• f = a (b + c + d) (b’ + c) (b’ + d) (x’ + y’) (x + z’) (x’ + b’ + y)

(x + b’ + z) (c + d + y’ + z’).– a = 1.

• f = (b + c + d) (b’ + c) (b’ + d) (x’ + y’) (x + z’) (x’ + b’ + y) (x + b’ + z) (c + d + y’ + z’).– Branching variable: b = 1.

• f = c d (x’ + y’) (x + z’) (x’ + y) (x + z) (c + d + y’ + z’).– c = 1, d = 1.

• f = (x’ + y’) (x + z’) (x’ + y) (x + z) (y’ + z’).– Branching variable: x = 1.

• f = y’ y (y’ + z’).– Conflict.

Example contd.• f = (x’ + y’) (x + z’) (x’ + y) (x + z) (y’ + z’).

– Switch the status of most recent variable, i.e., x = 0.

• f = z’ z (y’ + z’).– Still conflict, flip the second most recent variable, i.e., b = 0.

• f = (c + d) (x’ + y’) (x + z’) (c + d + y’ + z’).– Branching variable: x = 1.

• f = (c + d) y’ (c + d + y’ + z’).– y = 0.

• f = (c + d).– Branching variable: c = 1.

• f = 1.

f is satisfiable.

Deduction Algorithm(BCP)• Most of SAT solver spent about 80% of running

time in deduce().• Unit clause

– ( v1 + v2 + ¬v3 ), v1=F, v2=F v3 = F– When can it occur?

• All-but-one literals in a clause are assigned to 0– BCP(Boolean Constraint Propagation)

• How implement?– Keeping counters for each clause.

ZChaff: Branching Heuristics• Decision of branching variable effects the height of

decision tree significantly.– Most occurring literal seems the natural choice.

• Search should be localized.– i.e., after resolving conflicts one should branch the literals which

were causing conflicts.

• Assign each variable a counter, for each additional clause increase the counter of each variable occurring in this clause. At any stage choose the variable with highest counter among undecided variables.– Since each conflict resolution introduces clauses, this strategy

will keep the search localized.

ZChaff: BCP optimization

• For BCP we do not need to check all clauses if they are unit clauses.

• For each clause choose two variables, if at least one of these two is zero, only then this clause can be a unit clause.

• An assignment (x = 1) will convert a non-unit irredundant clause into unit clause only if x’ occurs in the clause. Similar property holds for assignment (x = 0).– Need for an efficient data structure.

Conflict analysisThe original DPLL algorithm used chronological backtracking, i.e., it would backtrack up to the most recent decision, for which the other value of the variable had not been tried.

Modern SAT solvers use conflict analysis technique to analyze the reasons for a conflict. Conflict analysis is used to perform conflict-driven learning and conflict-driven backtracking.

Conflict-driven learning consists of adding conflict clauses to the formula, in order to avoid the same conflict in the future.

Conflict-driven backtracking allows non chronological backtracking, i.e., up to the closest decision which caused the conflict. These techniques greatly improve the performance of the SAT solver on structured problems.

ZChaff: Analyze Conflicts Effectively

• While resolving conflicts one should also add some new clauses to avoid the repetition of same search space exploration.– e.g., if the variables are explored in order a, b,

c, d, e, then we need not to flip the variables in chronological order, as if the conflict was due to variable a, we will end up with repetitive search space.

Reference

zChaff: Matthew W. Moskewicz, Conor F. Madigan,Ying Zhao, Lintao Zhang, Sharad Malik: Chaff: Engineering an Efficient SAT Solver. DAC 2001: 530-535, ACM.

Model Checking• The target of model checking is the

verification of sequential properties of dynamic systems.

• A dynamic system has a state component which changes over time.

• Model checking, in the first place, is only applicable to finite systems.

Model Checking (cont.)• Sequential properties are usually

represented in temporal logic. Formulas of temporal logic try to express system behavior over time.

• There are various variants of temporal logic, such as Linear Temporal Logic (LTL) or Computation Tree Logic (CTL), which usually require dedicated algorithms.

Modelling LanguagesAs a language describing system models we can forexample use:• Petri nets,• labelled transition systems (LTSs) and process• algebras,• Java programs,• UML (unified modelling language) state machines,• Promela language (input language of the Spin model• checker), and• VHDL,Verilog, or SMV languages (mostly for HWdesign).

Some Model Checking Approaches

• Explicit State Model Checking: Tools include Spin,Murj Java Pathfinder Maria, PROD, CPN Tools,CADP, etc.

• BDD based Symbolic Model Checking: Tools include NuSMV 2, VIS, Cadence SMV, etc.

• Bounded Model Checking: Tools include BMC,CMBC, NuSMV 2, VIS, Cadence SMV, etc

Symbolic Model Checking• Method used by most “industrial strength”

model checkers.• Uses Boolean encoding for state machine

and sets of states.• Can handle much larger designs –

hundreds of state variables.• BDDs traditionally used to represent

Boolean functions.

Problems with BDDs• BDDs are a canonical representation. Often become too

large.

• Variable ordering must be uniform along paths.

• Selecting right variable ordering very important for obtaining small BDDs.– Often time consuming or needs manual intervention.– Sometimes, no space efficient variable ordering exists.

Advantages of SAT Procedures

• SAT procedures also operate on Boolean formulas but do not use canonical forms.

• Do not suffer from the potential space explosion of BDDs.

• Different split orderings possible on different branches.

• Very efficient implementations exist.

Bounded Model Checking• Originally presented in the paper: Armin

Biere,Alessandro Cimatti, Edmund M. Clarke, Yunshan Zhu: Symbolic Model Checking without BDDs.TACAS 1999: 193-207, LNCS 1579.

Given a property p: (e.g. “signal_a = signal_b”)

Is there a state reachable in k cycles, which satisfies p ?

. . .s0 s1 s2 sk-1 sk

p p p p p

Bounded Model Checking as SAT

Models and Properties

Basics of Bounded Model Checking

• The basic idea is the following: Encode all theexecutions of the system M of length k into apropositional formula.• Conjunct this formula with a formula which issatisfiable for all executions the system of length kwhich violate the property .• If the formula is satisfiable, acounterexample has been found.• If the formula is unsatisfiable, nocounterexample of length k exists.

Basic Setup• For simplicity first consider the following setup:• As system models we consider systems whosestate vector s consist of n Boolean state variableshs[0], s[1], . . . , s[n−1]i.• We take k+1 copies of the system state vectordenoted by s0, s1, . . . , sk.• Let I(s) be the initial state predicate of thesystem, and T(s, s0) be the transition relationboth expressed as propositional formulas.

Unrolling the Transition Relation

Circuit BMC Unrolling

Circuit BMC Unrolling Solution

Expressing Invariants

Final formula

Reachability Diameter• If the formula is unsatisfiable, we have proved thatthere is no execution of length at most 3 that violatesthe invariant.• Clearly for every finite state system there is somebound d called the reachability diameter such that from the initial state every reachable state isreachable with an execution of at most length d.• By taking d = 2n, where n is the number of state bits,we could guarantee completeness.• Unfortunately computing better approximations of dare computationally hard in the general case.

BMC: Pros and Cons• Boolean formulas can be more compact

than BDDs• Leverages efficient SAT-solver technology• Minimal length counterexamples (often,

not always)• Basic method is incomplete • Not always better than BDD-based

methods or explicit state model checking

References

• Zchaff: A fast SAT solver. 2002. http://bears.ece.ucsb.edu/class/256bd/RCFB256B3450-Zchoff.pdf

• A survey of recent advances in SAT-based formal verification, Mukul Prasad, Armin Biere, Aarti Gupta, in Software Tools for Technology.

• Boolean Satisfiability Solver Performance Comparison. Conclusion. Chaff: VSIDS(Variable State Independent Decaying Sum). http://www.cis.upenn.edu/~lee/02cis640/slides/SAT.ppt