
Abstraction Refinement for Bounded Model Checking






Presentation Transcript


  1. Abstraction Refinement for Bounded Model Checking (Highly Jet Lagged). Anubhav Gupta, CMU; Ofer Strichman, Technion

  2. Bounded Model Checking (BMC) • Search for bugs in executions of a bounded length • Generates a propositional formula that is satisfiable if and only if there is a counterexample of length k • Extremely efficient SAT-solvers are available

  3. BMC - Implementation [flowchart: BMC → Incremental Solver (SAT); Sat → BUG; Unsat → Yes/No branch → NO BUG]

  4. Abstraction for BDD-based Model Checking • Model Checking complexity is proportional to BDD size [diagram: Abstraction → Smaller BDD; How to identify?]

  5. Counterexample Guided Abstraction Refinement (CEGAR) [flowchart: MC → TRUE; counterexample check: Pass → BUG, Fail → refine (Yes/No)]

  6. Inside a SAT-Solver • Davis-Putnam-Logemann-Loveland (DPLL) procedure • Decisions • Boolean Constraint Propagation (BCP) • Conflict Analysis, Backtrack Search Tree

  7. Decisions • Identify a good variable and assign it a value • Many Variable Selection Heuristics • Give preference to variables that are involved in conflicts • Order is continuously updated • Like abstraction-refinement • These heuristics try to reduce the size of the search tree

  8. BCP • Identify assignments implied by unit-clause rule • 90% of run-time in solver spent on BCP • Time spent on BCP is proportional to the size of the CNF

  9. Conflict Analysis and Backtrack • Identify variable assignments responsible for infeasibility of current search path • Ensures that assignments are locally consistent • Prune away irrelevant parts of the search tree

  10. Abstraction for BMC [diagram: Abstraction → Smaller CNF]

  11. Why Abstraction for BMC? • Variable selection can focus on important variables • Solver can ignore local conflicts that are irrelevant to the property • BCP is faster on smaller CNF [diagram: Abstraction; How to identify?]

  12. CEGAR for BMC • Apply CEGAR to BMC • Refinement • SAT-solvers produce proofs of unsatisfiability • Have been used successfully for refinement in CEGAR for model checking • Proofs provide an efficient and inexpensive refinement mechanism for CEGAR on BMC

  13. Counterexample Guided Bounded Model Checking (CG-BMC) [flowchart: SAT on abstract model; Unsat → Yes/No branch → NO BUG; Sat → SAT on concrete model; Sat → BUG; Unsat → refine]

  14. CG-BMC • Abstract model: model that refutes previously seen spurious counterexamples • Forces solver to find full abstract trace before attempting to refute it • Solver is not lost in local conflicts • Most of the BCP is performed on smaller abstract model [diagram: Abstract Model / Concrete Model]
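Added worked example (not code from the talk): it builds the BMC formula of slide 2 for a hypothetical 3-bit machine (state bits a, b, c; the bug state is a and b both set, and c is deliberately unrelated to the property), then runs the CG-BMC loop of slides 12-14 around a bare DPLL solver with BCP and chronological backtracking. Two simplifications are assumptions of this example: refinement uses a deletion-based minimal unsat core of the concrete formula under the abstract trace, where the talk's implementation takes the clauses from the solver's proof of unsatisfiability; and "incremental" is modelled by carrying learned clauses across depths rather than by a real incremental solver. All function and variable names are this example's own.

```python
"""Toy CG-BMC: abstraction refinement around a bare DPLL solver.

Added example, not the authors' code. A literal is (var, polarity) with
var = (name, step); a clause is a tuple of literals; a CNF is a list of
clauses. Refinement uses a deletion-based minimal unsat core in place of
the resolution proof a real solver emits (an assumption of this example).
"""


def bcp(clauses, assign):
    """Unit propagation: extend `assign` by the unit-clause rule, None on conflict."""
    assign = dict(assign)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assign.get(v) == pol for v, pol in clause):
                continue                          # clause already satisfied
            free = [(v, pol) for v, pol in clause if v not in assign]
            if not free:
                return None                       # all literals false: conflict
            if len(free) == 1:                    # unit clause forces its literal
                assign[free[0][0]] = free[0][1]
                changed = True
    return assign


def dpll(clauses, assumptions):
    """Return a satisfying assignment extending `assumptions`, or None (UNSAT)."""
    assign = bcp(clauses, assumptions)
    if assign is None:
        return None
    for clause in clauses:
        for v, _ in clause:
            if v not in assign:                   # decide on the first free variable
                for pol in (True, False):
                    model = dpll(clauses, {**assign, v: pol})
                    if model is not None:
                        return model
                return None                       # both branches conflict: backtrack
    return assign                                 # every variable of the CNF is assigned


def unsat_core(clauses, assumptions):
    """Deletion-based minimal unsat core; requires dpll(clauses, assumptions) is None."""
    core = list(clauses)
    i = 0
    while i < len(core):
        trial = core[:i] + core[i + 1:]
        if dpll(trial, assumptions) is None:
            core = trial                          # clause i is not needed to refute
        else:
            i += 1
    return core


def L(name, t, pol=True):
    """Literal for state bit `name` at step t."""
    return ((name, t), pol)


# Hypothetical 3-bit machine (constructed for this example):
# a' = not a, b' = b xor a, c' = not c. c never influences the property.
def init():
    return [(L('a', 0, False),), (L('b', 0, False),), (L('c', 0, False),)]


def trans(t):
    a, b, c = L('a', t), L('b', t), L('c', t)
    na, nb, nc = L('a', t, False), L('b', t, False), L('c', t, False)
    a1, b1, c1 = L('a', t + 1), L('b', t + 1), L('c', t + 1)
    na1, nb1, nc1 = L('a', t + 1, False), L('b', t + 1, False), L('c', t + 1, False)
    return [(a1, a), (na1, na),                                    # a' = not a
            (nb1, b, a), (nb1, nb, na), (b1, nb, a), (b1, b, na),  # b' = b xor a
            (c1, c), (nc1, nc)]                                    # c' = not c


def bad(k):
    """Negated property at step k: the bug state has a_k and b_k both set."""
    return [(L('a', k),), (L('b', k),)]


def concrete_cnf(k):
    """BMC formula of slide 2: init, k unrolled transitions, bug at step k."""
    return init() + [cl for t in range(k) for cl in trans(t)] + bad(k)


def plain_bmc(k_max):
    """Plain BMC: one solver call per depth on the whole formula."""
    for k in range(k_max + 1):
        if dpll(concrete_cnf(k), {}) is not None:
            return k
    return None


def cg_bmc(k_max):
    """CG-BMC: solve the abstract model, extend its trace on the concrete model,
    refine with the core of a spurious trace. Learned clauses carry across depths.
    Returns (k, trace, learned, concrete) for the first depth with a bug, else None."""
    learned = []                                  # refutes spurious traces seen so far
    for k in range(k_max + 1):
        concrete = concrete_cnf(k)
        abstract = learned + bad(k)
        while True:
            abs_trace = dpll(abstract, {})        # Solver1: abstract model
            if abs_trace is None:
                break                             # abstract UNSAT: no bug at depth k
            trace = dpll(concrete, abs_trace)     # Solver2: concrete model under the abstract trace
            if trace is not None:
                return k, trace, learned, concrete   # abstract trace is real: BUG
            new = [cl for cl in unsat_core(concrete, abs_trace) if cl not in abstract]
            assert new, "a spurious trace always pulls in at least one concrete clause"
            learned, abstract = learned + new, abstract + new    # refine
    return None


def trace_values(trace, k):
    """(a_t, b_t) along the counterexample."""
    return [(trace[('a', t)], trace[('b', t)]) for t in range(k + 1)]


if __name__ == "__main__":
    k, trace, learned, concrete = cg_bmc(8)
    print(f"bug at depth {k}: {trace_values(trace, k)}")
    print(f"abstract clauses {len(learned) + len(bad(k))} vs concrete {len(concrete)}; plain BMC depth {plain_bmc(8)}")
```

Both searches report the same depth, but the abstract model never acquires a clause over c: those clauses are satisfiable on their own and share no variable with the rest, so no minimal core contains them, which is the "smaller CNF" of slide 10 in miniature. Any clause set that is unsatisfiable together with the abstract trace is a sound refinement; a deletion-based core is just the cheapest one to compute without a proof-logging solver.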

  15. A more robust CG-BMC • The following scenario was observed on some benchmarks: • Current abstract model is sufficient to prove the property • Proving the property on abstract model is hard • BMC on abstract model is slow • There exists an easier proof using additional constraints from concrete model • BMC on concrete model is faster • CG-BMC gets stuck on abstract model • Solution: Timeouts

  16. CG-BMC with Timeouts (CG-BMC-T) [flowchart: CG-BMC with a Time(out) exit on each SAT call; Unsat → Yes/No branch → NO BUG; Sat → Sat → BUG]

  17. Related Work • Refining the SAT decision ordering for bounded model checking, Wang et al., DAC 2004 • Variables in current abstract model are given preference in variable splitting order • Static Method: Always decide first on variables in abstract model • Dynamic Method: Switch to default solver-heuristic after a threshold number of backtracks • Solver works on the whole CNF • BCP is expensive • Potential for irrelevant conflicts

  18. Our CG-BMC Implementation [flowchart: Incremental Solver1 (SAT) and Incremental Solver2 (SAT); Unsat → Yes/No branch → NO BUG; Sat → Sat → BUG]

  19. Experiments • PicoJava Benchmarks – derived from compositional verification of ICU (Source: Ken McMillan) • Implementation on top of zChaff • Comparison with BMC and Wang et al. • Timeout = 2hrs • Max Depth (K) = 60 • Measured run-time and number of backtracks

  20. CG-BMC vs. BMC (Run-time)

  21. CG-BMC vs. BMC (Backtracks)

  22. CG-BMC vs. Wang et al. (Run-time)

  23. CG-BMC vs. Wang et al. (Backtracks)

  24. Conclusions • Abstraction refinement makes BMC faster • Reduction in number of backtracks • Reduction in BCP time

  25. Future Work • CG-BMC inside a SAT-solver • Abstraction levels for clauses • Ignore clauses in lower levels until all higher levels are satisfied • Move clauses up (and down) across levels • Application to SAT-solving in general . . .

  26. Questions ?
