Date posted: 18-Dec-2015
Weizmann Institute
Tuning SAT-checkers for Bounded Model-Checking
A bounded guided tour
Ofer Shtrichman
Weizmann Institute & IBM (HRL)
Basic theory of Bounded Model Checking (BMC)
SAT highlights
Tuning SAT checkers for BMC
Results
The Bounded Model Checking Problem: Safety
Given a safety property p (e.g. AG p: “always signal_a = signal_b”):
Is there a state reachable within k cycles that satisfies ¬p (i.e. violates p)?
[Figure: a path s0, s1, s2, ..., s(k-1), sk, with ¬p tested at every state]
The Bounded Model Checking Problem: Liveness
Given a liveness property p (e.g. AG AF p: “always, eventually signal_a = signal_b”):
Is there a loop within the first k cycles none of whose states satisfies p?
[Figure: a path s0, s1, s2, ..., s(k-1), sk, with ¬p tested at every state]
Reducing the BMC problem to SAT (1/3):
The reachable states in k steps are captured by (ρ is the transition relation):
$M_k := I(s_0) \wedge \rho(s_0, s_1) \wedge \rho(s_1, s_2) \wedge \dots \wedge \rho(s_{k-1}, s_k)$
The property p fails in one of the cycles 1..k:
$f := \neg p_1 \vee \neg p_2 \vee \dots \vee \neg p_k$
Reducing the BMC problem to SAT (2/3):
$\varphi := I(s_0) \wedge \bigwedge_{i=0}^{k-1} \rho(s_i, s_{i+1}) \wedge \bigvee_{i=0}^{k} \neg p_i$
The safety property p is valid up to cycle k iff $\varphi$ is unsatisfiable.
[Figure: a path s0, s1, s2, ..., s(k-1), sk, with ¬p tested at every state]
Reducing the BMC problem to SAT (3/3):
For liveness properties, add a disjunction over the possible loops:
$\varphi := I(s_0) \wedge \bigwedge_{i=0}^{k-1} \rho(s_i, s_{i+1}) \wedge \bigvee_{l=0}^{k} \Big( \rho(s_k, s_l) \wedge \bigwedge_{j=l}^{k} \neg p_j \Big)$
[Figure: a path s0, s1, s2, ..., s(k-1), sk, with ¬p tested at every state and a back edge from sk closing the loop]
Example: a two bit counter
State diagram: 00 → 01 → 10 → 11 → 00
$I(s_0) := \neg l_0 \wedge \neg r_0$
$\rho(s_i, s_{i+1}) := (l_{i+1} = l_i \oplus r_i) \wedge (r_{i+1} = \neg r_i)$
p = AG ¬(l ∧ r), k = 2
$\varphi := (\neg l_0 \wedge \neg r_0) \wedge (l_1 = l_0 \oplus r_0 \wedge r_1 = \neg r_0) \wedge (l_2 = l_1 \oplus r_1 \wedge r_2 = \neg r_1) \wedge \big( (l_0 \wedge r_0) \vee (l_1 \wedge r_1) \vee (l_2 \wedge r_2) \big)$
For k = 2, φ is unsatisfiable. For k = 4, φ is satisfiable.
Traditional Symbolic Model-Checking with BDDs
• The reachable state-space is represented by a BDD
• The property is evaluated recursively, by iterative fix point computations on the reachable state-space.
• The size of the BDD is typically the bottleneck of model checking.
Why SAT?
• Smart DFS search: potentially reaches a satisfying sequence (a counterexample) faster
• No exponential space growth
“Satisfiability checking is a ‘luck-based technology’”
The Davis-Putnam procedure
Given φ in CNF: (x ∨ y ∨ z), (¬x ∨ y), (¬y ∨ z), (¬x ∨ ¬y ∨ ¬z)
Steps: Decide(), Deduce(), Diagnose(). Search tree (() is the empty clause, X marks a conflict):
split on x:
  x = T: (y), (¬y ∨ z), (¬y ∨ ¬z)
    y = T: (z), (¬z)
      z = T: ()  X
      z = F: ()  X
    y = F: ()  X
  x = F: (y ∨ z), (¬y ∨ z)
    z = T: all clauses satisfied
    z = F: (y), (¬y)
      y = T: ()  X
      y = F: ()  X
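The two-bit counter from the example slide and the Davis-Putnam loop on this slide, as one added Python example that is not from the slides: it unfolds the counter into the CNF of φ for a bound k (the Tseitin selector variables a_i and the integer variable numbering are our own encoding choices) and decides it with a toy Decide/Deduce/Diagnose search; the same solver also runs the slide's CNF (x ∨ y ∨ z), (¬x ∨ y), (¬y ∨ z), (¬x ∨ ¬y ∨ ¬z).

```python
# Added example, not from the slides: BMC unfolding of the two-bit counter plus a toy
# Davis-Putnam solver. Literals are signed ints; selectors a_i and numbering are ours.

def counter_cnf(k):
    """CNF of phi := I(s0) ^ AND_{i<k} rho(s_i,s_{i+1}) ^ OR_{i<=k} (l_i ^ r_i).
    Variables: l_i -> 2i+1, r_i -> 2i+2, selector a_i -> 2k+3+i (a_i -> l_i ^ r_i)."""
    l, r, a = (lambda i: 2*i + 1), (lambda i: 2*i + 2), (lambda i: 2*k + 3 + i)
    cnf = [[-l(0)], [-r(0)]]                              # I(s0): l0 = r0 = 0
    for i in range(k):                                    # rho(s_i, s_{i+1})
        cnf += [[-l(i+1), l(i), r(i)], [-l(i+1), -l(i), -r(i)],   # l_{i+1} = l_i xor r_i
                [l(i+1), -l(i), r(i)], [l(i+1), l(i), -r(i)],
                [r(i+1), r(i)], [-r(i+1), -r(i)]]          # r_{i+1} = not r_i
    for i in range(k + 1):
        cnf += [[-a(i), l(i)], [-a(i), r(i)]]             # a_i -> (l_i ^ r_i)
    cnf.append([a(i) for i in range(k + 1)])              # some cycle violates p
    return cnf

def assign(clauses, lit):
    """Apply a literal: drop satisfied clauses, shrink the others; None on conflict."""
    out = []
    for c in clauses:
        if lit not in c:
            rest = [x for x in c if x != -lit]
            if not rest:
                return None                               # empty clause ()
            out.append(rest)
    return out

def dpll(clauses, trail=()):
    """Satisfying trail of literals, or None if the CNF is unsatisfiable."""
    while clauses and min(map(len, clauses)) == 1:        # Deduce(): unit propagation
        unit = next(c[0] for c in clauses if len(c) == 1)
        clauses, trail = assign(clauses, unit), trail + (unit,)
        if clauses is None:
            return None                                   # Diagnose(): conflict, back-track
    if not clauses:
        return trail                                      # every clause satisfied
    var = min(abs(x) for c in clauses for x in c)         # Decide(): earliest-cycle variable
    for lit in (-var, var):                               # guess the value 0 first
        sub = assign(clauses, lit)
        found = dpll(sub, trail + (lit,)) if sub is not None else None
        if found is not None:
            return found
    return None

def satisfies(cnf, trail):
    """Check a trail against the original clauses."""
    return trail is not None and all(any(x in trail for x in c) for c in cnf)

def bmc_counter(k):
    """True iff a state violating AG not(l ^ r) is reachable within k cycles."""
    return satisfies(counter_cnf(k), dpll(counter_cnf(k)))
```

Because I(s0) and ρ are unit-propagated frame by frame, the counter instance is settled entirely by Deduce(); Decide() is only exercised on the slide's small CNF.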
Decide() criteria: On which variable to split?
- satisfies the most clauses (DLIS)
- satisfies the shortest clause
- only positive or negative (‘pure literal rule’)
- most frequent
Results (Sec.)
Design #   k    RB1    RB2    Grasp
1          18   7      6      282
2          5    70     8      1.1
3          14   597    375    76
4          24   690    261    510
5          12   803    184    24
6          22   ***    356    ***
7          9    ***    2671   10
8          35   ***    ***    6317
9          38   ***    ***    9035
10         31   ***    ***    ***
11         32   152    60     ***
12         31   1419   1126   ***
13         14   ***    3626   ***
*** = exceeds 10,000 sec.
Tuning SAT for BMC (1/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Clashing clouds...
[Figure: the unfolding between I0 and ¬Pk, with variables v2, v5, v6, v15, ... assigned in separate, unconnected ‘clouds’]
With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously.
General-purpose vs. tailor-made Decide() strategies...
φ: ... (x = (y1 ∧ y2 ∧ y3)) ...
General purpose: x = T, y1 = F, y2 = F, y3 = T → back-track
Tailor made: x = T, y1 = F, y2 = F, y3 = T → back-track
Use φ's structure to resolve conflicts on a more local level...
A k-unfolding of the variable dependency graph
[Figure: the dependency graph over the model variables v0, v1, v2, ... is replicated k times, one copy per cycle; each next-cycle variable is a function of current-cycle variables, $v_{i+1} = f(v_i, \dots)$]
A head-on attack...
[Figure: the unfolding between I0 and ¬Pk]
Riding on unreachable states (working from the ¬Pk side): the assignment should satisfy I0.
Riding on legal executions (working from the I0 side): the execution should satisfy ¬Pk.
A combined heuristic
[Figure: the unfolding between I0 and ¬Pk]
Trigger BFS with p_i, i = 0..k
Given an order, guess a value
Options: dynamic decision, constant value, previous value, ‘flat’ computation
[Figure: ... x5 = 0, x7 = ?, x9 = 0 ...]
[Figure, ‘flat’ computation vs. previous value: x2 = 1, y7 = 0, z2 = 0, y3 = 1 / x2 = 0, y7 = 0, z2 = 0, y3 = 1]
Tuning SAT for BMC (2/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Exploiting φ's structure in AGp formulas
$\varphi := I(s_0) \wedge \bigwedge_{i=0}^{k-1} \rho(s_i, s_{i+1}) \wedge \bigvee_{i=0}^{k} \neg p_i$
φ's structure can be used for adding conflicting clauses:
• If x3 = T, y7 = F, z5 = T leads to a conflict, then φ ∧ (¬x3 ∨ y7 ∨ ¬z5) is satisfiable iff φ is satisfiable.
• The new clause can be seen as a constraint on the state-space.
Exploiting φ's structure in AGp formulas
• If x3 = T, y7 = F, z5 = T leads to a conflict, then so will x2 = T, y6 = F, z4 = T.
• Therefore, we can also add: (¬x2 ∨ y6 ∨ ¬z4), (¬x1 ∨ y5 ∨ ¬z3), (¬x0 ∨ y4 ∨ ¬z2), and (¬x4 ∨ y8 ∨ ¬z6), ..., (¬x_{k-4} ∨ y_k ∨ ¬z_{k-2}).
• Yet φ is not fully symmetric because of I0. We first have to check, by simulating an assignment, whether the replicated clause indeed leads to a conflict.
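The replicate-then-simulate check described above, as an added Python example that is not from the slides, run on the two-bit counter from the earlier example slide: a clause learned at one frame is shifted to every other frame inside 0..k, and each replica is kept only if no legal execution from I0 falsifies it. The learned clause is constructed for illustration, and the model is assumed deterministic (for a non-deterministic model, step would return a set of successor states).

```python
# Added example, not from the slides: replicate a learned conflict clause across
# the time frames of the unfolding and keep only the replicas that survive a
# simulation check. Model: the slides' two-bit counter, I0 = (l, r) = (0, 0);
# the learned clause used in the test is constructed for illustration.
INIT = (0, 0)

def step(state):
    """rho of the two-bit counter (deterministic): l' = l xor r, r' = not r."""
    l, r = state
    return (l ^ r, 1 - r)

def reachable_at(frame):
    """States reachable from I0 in exactly `frame` steps (BFS by frame)."""
    states = {INIT}
    for _ in range(frame):
        states = {step(s) for s in states}
    return states

def shift(clause, delta):
    """Replica of a clause delta frames later (delta < 0: earlier).
    A literal is (var, frame, value) and reads 'var_frame == value'."""
    return frozenset((v, f + delta, val) for v, f, val in clause)

def falsifying_path_exists(clause):
    """Simulate the replica: is there a legal execution from I0 that makes every
    literal of the clause false?  If so, adding the clause would be unsound."""
    lo, hi = min(f for _, f, _ in clause), max(f for _, f, _ in clause)
    for start in reachable_at(lo):
        trace, s = [start], start
        for _ in range(hi - lo):
            s = step(s)
            trace.append(s)
        if all(trace[f - lo][0 if v == 'l' else 1] != val for v, f, val in clause):
            return True
    return False

def replicate(clause, k):
    """All shifted copies inside frames 0..k that the simulation check admits."""
    lo, hi = min(f for _, f, _ in clause), max(f for _, f, _ in clause)
    replicas = []
    for delta in range(-lo, k - hi + 1):
        if delta != 0 and not falsifying_path_exists(shift(clause, delta)):
            replicas.append(shift(clause, delta))
    return replicas
```

For the counter, the clause (l2 = 0 ∨ r2 = 0) learned at frame 2 replicates soundly to frames 0, 1 and 4 but not to frame 3, where the legal execution actually reaches state 11: this is the asymmetry that I0 introduces.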
Tuning SAT for BMC (3/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Restricting Decide()
Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of φ:
Model variables (~15% of φ's variables)
Input variables (~5% of φ's variables)
Fewer variables to Decide() implies more variables to Deduce().
Results (Sec.)
#    k    RB2    Grasp   Rep    SM c   SM f   SM(k-1)
1    18   6      282     115    3      57     20
2    5    8      1.1     1.1    0.8    1.1    0.4
3    14   375    76      52     3      2069   934
4    24   261    510     225    12     27     26
5    12   184    24      24     2      2      16
6    22   356    ***     ***    18     16     28
7    9    2671   10      10     2      1.8    1.3
8    35   ***    6317    2870   20     338    30
9    38   ***    9035    ***    25     277    230
10   31   ***    ***     9910   312    22     1061
11   32   60     ***     ***    ***    ***    ***
12   31   1126   ***     ***    ***    ***    ***
13   14   3626   ***     ***    ***    ***    ***
*** = exceeds 10,000 sec.
The Conclusion
Many of the (BDD) hard cases can be solved more efficiently with the optimized SAT procedure.