1 / 19

Property-Directed Reachability: SAT-Based Model Checking

Learn about the PDR algorithm developed by Aaron Bradley, incorporating efficient SAT solving tactics by Niklas Een. Discover how PDR simplifies sequential verification, offers novel features, and explores termination criteria for both SAT and UNSAT instances.

Télécharger la présentation

Property-Directed Reachability: SAT-Based Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PDR: Property Directed ReachabilityAKAic3: SAT-Based Model Checking Without Unrolling Aaron Bradley University of Colorado, Boulder Robert Brayton Niklas Een Alan Mishchenko University of California, Berkeley

  2. Outline • Motivation • Sequential verification is hard (needs new engines!) • Pioneering work of Aaron Bradley • A surprise (3d place) winner at HWMCC’10! • Remarkable features • Efficiently tackles both SAT and UNSAT instances • Lends itself to localization abstraction and parallelism • Conceptually simple, relatively tuning-free • Understanding the algorithm • Pseudo-code… • Experimental results and conclusions

  3. Pioneering Work • Aaron Bradley developed this algorithm after several years of work on “inductive generalization” • Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’07) • This work (A. R. Bradley, “k-step relative inductive generalization”, http://arxiv.org/abs/1003.3649) • The original version of the tool to enter HWMCC’10 (ic3, http://ecee.colorado.edu/~bradleya/ic3/) • ic3 won the third place and only lost, by a small margin, to two mature, integrated engines (ABC and PdTRAV)

  4. Efficient Implementation • Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of MiniSAT: • Incremental interface • Activation literals to enable/disable clauses • Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions • Resource-driven recycling of the SAT solver • Additionally, Niklas proposed • Ternary simulation for quick cube expansion • New heuristics for inductive generalization • Smart data-structures for clauses and proof obligations • Niklas’ implementation runs faster and proves more properties than the original implementation

  5. PDR: The Main Idea • PDR is a way of computing an inductive invariant that does not overlap with bad states • It is similar to interpolation, but the way of deriving the invariant is different • PDR has better control of the invariant, and this may explain its good performance • Inductive invariant is a Boolean function in terms of register variables, such that • It is true for the initial states • It is inductive (assuming it in one time frame leads to making it true in the next timeframe) State space Bad Invariant Init Reached

  6. PDR: The Main Idea • Construct over-approximations (F0, F1, …, Fk) of states reachable after each time step • Start with F0 = Init, and compute other over-approximations as sets of CNF clauses • Additionally, require that • Semantically (as functions): F0→F1→F2→... →Fk • Syntactically (as clause sets): F1⊇ F2⊇ ... ⊇ Fk

  7. PDR: The Main Idea • Termination criteria • If an over-approximation is inductive, return UNSAT • If a counter-example is found, return SAT • The algorithm constructs over-approximations • in a property directed way • the property is used to decide what clauses to include • with an inductive flavor • induction is used to prove that a clause holds in a frame

  8. PDR: Illustration Time frame Time frame 1 Time frame 0 Property output Primary inputs Comb Logic … Register outputs Register inputs Initial State States where property fails State space of time frame 0 State space of time frame 1 Initial states a1 a2 Bad Bad a3 T Cubes (a1, a2, a3) are covering bad states and not including reached states. The product of their complements is a property-directed over-approximation F1 of reachable states at frame 1.  Init Init Reached

  9. Inductive Generalization • Assume that, at some point, we have the following over-approximations of reached states: (F0, F1, …, Fk) • Suppose we wish to block state s in frame i • We can try to find a clause c, such that c  s and add it to the set of clauses for frame i. • Clause c can be added if it satisfies condition Fi-1∧T→ c • Another possibility is to run a stronger inductive checkFi-1 ∧ c’ ∧ T→ c where c’ is clause c expressed in terms of the current state variables • We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes

  10. State space of time frame k-1 (all bad states are blocked by clauses) State space of time frame k (there is a bad state s that needs blocking) a4 a1 a5 s’ a2 Bad Bad S a3 T Pre-image s’ of s  Init Init Reached(k-1) Reached(k-1) Reached(k) Consider the case when s’ is blocked by clauses in frame k-1. We can use inductive generalization to derive a new clause c blocking s in frame k, such that Fk-1∧c’∧T→ c, where Fk-1 is the product of clauses in frame k-1 and T is the transition relation.

  11. State space of time frame k-1 (all bad states are blocked by clauses) State space of time frame k (there is a bad state s that needs blocking) a4 a1 a5 a2 Bad Bad S a3 T s’  Pre-image s’ of s Init Init Reach(k-1) Reach(k-1) Reach(k) Consider the case when s’ is NOT blocked by clauses in frame k-1. In this case, we schedule a proof obligation to block s’ in frame k-1. We treat s’ as a bad state in frame k-1 and try to block it recursively.

  12. Pseudo-code PDR( AIG ) { k = 0; solver[0] = CreateSatSolver( AIG, init_state ); forever { cube = GetBadState( solver[k] ); if ( cube != NULL ) { if ( !BlockState( cube, solver[0], …, solver[k] ) ) return SAT; // found counter-example } else { k = k+1; solver[k] = CreateSatSolver( AIG, not_init ); if ( PushClauses( solver[1], …, solver[k] ) ) return UNSAT; // found inductive invariant } } }

  13. Procedures solver CreateSatSolver( AIG, initialize ) returns a SAT solver with the AIG; optionally initializes it cube GetBadState( solver[k] ) returns a state cube failing property in the k-th frame bool BlockState( cube, solver[0], …, solver[k] ) recursively tries to block cube by adding clauses to solvers returns 1, if the cube could be blocked; 0, otherwise bool PushClauses( solver[0], …, solver[k] ) moves clauses in i-th frame to i+1-th frame, if they hold returns 1, if an inductive invariant is found; 0, otherwise

  14. Remarkable Features • Efficiently tackles both SAT and UNSAT instances • Often finds counter-examples that cannot be found by bounded model checking • Often proves problems that are not proved by interpolation • Amenable to localization abstraction • PDR solver can work in-place and increase its scope on-demand, without traversing all registers and logic gates of the design • Lends itself to parallelism • Each process working on some proof obligations and exchange clauses • Conceptually simple, relatively tuning-free • Unlike, for example, BDD-based reachability that takes lots of time to develop and leaves lots of parameters to tune

  15. Example of Inductive Invariant # Inductive invariant for "hwmcc08\eijkS208" # generated by PDR in ABC on Tue Dec 07 09:36:36 2010 .i 22 .o 1 .p 43 -------------0---1---- 1 -------------1---0---- 1 ------------0-----1--- 1 ------------1-----0--- 1 -----------0-------1-- 1 -----------1-------0-- 1 ----------0-----1----- 1 ----------1-----0----- 1 ---------0-----1------ 1 ---------1-----0------ 1 --------0-----1------- 1 --------1-----0------- 1 -------0-------------1 1 -------0------------1- 1 -------0-----------1-- 1 -------0----------1--- 1 -------1----------0000 1 ------0--------------1 1 ------0-------------1- 1 ------0------------1-- 1 ------0-----------1--- 1 ------1-----------0000 1 -----0---------------1 1 -----0--------------1- 1 -----0-------------1-- 1 -----0------------1--- 1 -----1------------0000 1 ----0----------------1 1 ----0---------------1- 1 ----0--------------1-- 1 ----0-------------1--- 1 ----1-------------0000 1 ---0-------11--------- 1 ---1--------0--------- 1 ---1-------0---------- 1 --0-----------------1- 1 --1-----------------0- 1 -0-------------------1 1 -1-------------------0 1 0-----------------1111 1 1--0------------------ 1 1-0------------------- 1 10-------------------- 1 .e --------0-----1------- 1 --------1-----0------- 1 -------0-------------1 1 -------0------------1- 1 -------0-----------1-- 1 -------0----------1--- 1 -------1----------0000 1 Flop relationships: F8 = F14 F7 = F18 & F19 & F20 & F21

  16. Experiments on Hard Examples(previously unsolved by ABC) Statistics: number of primary inputs (PI), flip-flops (FF), and AIG nodes (AND) Frame: timeframe where inductive invariant or counter-example was found Clauses: the number of clauses in the inductive invariant Time: runtime of PDR, without preprocessing

  17. Conclusion • Presented PDR • pioneering work of Aaron Bradley • efficient implementation by Niklas Een • Explained how it works • Discussed its remarkable features • Future improvements • localization abstraction • temporal decomposition • signal-clauses instead of register-clauses • applications in logic synthesis

More Related