Model checking based on interpolation
Model Checking Base on
Interoplation
K. L. McMillan
Cadence Berkeley Labs
Interpolation
(Craig,57)
• If A B = false, there exists an interpolant
A' for (A,B) such that:
A A'
A' B = false
A' refers only to common variables of A,B
• Example:
– A = p q, B = q r, A' = q
• Interpolants from proofs
– given a resolution refutation of A B,
A' can be derived in linear time.
(Pudlak,Krajicek,97)
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Interpolation-based MC
• Combining “bounded model checking” and interpolation gives us
– A means of over-approximate image computation
– Hence, reachability analysis
• Method is complete for systems of finite diameter.
• Modern SAT solvers naturally produce resolution refutations
– Leads to fully SAT-based model checking.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Outline
• Computing interpolants
• Interpolation-based image computation
• Model checking finite state systems
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Resolution
(A p) ( p B)
(A B)
• Modern SAT solvers naturally produce refutations for CNF formulas using resolution
• Interpolants can be derived from such refutations in linear time.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
A = (b)( b c )
(b) ( b c )
Example
^
B = ( c d)( d) c
^
( c ) ( c d)
^
( d) ( d )
^
=c
• Interpolant is a circuit that follows structure of the proof.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
DPLL SAT solvers
• Given a propositional formula in CNF:
– Produce a satisfying assignment
– Produce a resolution refutation
Current solvers, like Chaff and BerkMin are highly efficient, especially in the case when there is a small
“core” of clauses that are unsatisfiable.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
An interpolating SAT solver
(A,B) in CNF
SAT solver proof
Interpolation
A’
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Interpolation-based MC
• Exploit interpolation to compute an overapproximate image operator.
– Allows symbolic model checking
– Procedure is complete for finite diameter systems
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Modeling
System modeled by a transition constraint a b g = a b g p = g c p c' = p c
Model:
C = {
} g = a b, p = g c, c' = p
Each circuit element induces a constraint note: a = a t and a' = a t+1
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Bounded model checking
• Unfold the model k times:
U = C
0
C
1
... C k-1
I
0 a b g p c a b g p c
...
a b g p c
F k
• Use SAT solver to check satisfiability of
I
0
U F k
• If unsatisfiable:
• property has no Cex of length k
• can produce a refutation proof P
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Reachability
• Is there a path (of any length) from I to F satisfying transition constraint C?
• Reachability fixed point:
R i+1
= R i
R
0
= I
Img(R
R = R i i
,C)
• Image operator:
Img(P,C) = l V'. $ V. (P(V) C(V,V’))
• F is reachable iff R F false
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Reachability
I
R
1
= I Img(I,C)
R
2
= R
...
1
R
Img(R
1
,C)
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
F
Overapproximation
• An overapproximate image op. is Img' s.t.
for all P, Img(P,C) implies Img'(P,C)
• Overapprimate reachability:
R' i+1
R'
0
= R' i
= I
Img'(R'
R' = R' i i
,C)
• Img' is adequate (w.r.t.) F, when
– if P cannot reach F, Img’(P,C) cannot reach F
• If Img' is adequate, then
– F is reachable iff R' F false
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Adequate image
Img(P,C)
P
Img’(P,C)
F
Reached from P Can reach F
But how do you get an adequate Img'?
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
k-adequate image operator
• Img' is k-adequate (w.r.t.) F, when
– if P cannot reach F,
Img’(P,C) cannot reach F within k steps
• Note, if k > diameter, then k-adequate is equivalent to adequate.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Interpolation-based image
• Idea -- use unfolding to enforce k-adequacy
A = P
-1
B = C
0
C
-1
C
1
C k-1
F k
A B
P C C C C C C C F t=0 t=k
Let Img'(P)
0
= A', where A' is an interpolant for (A,B)...
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Img' is k-adequate!
A
P C
A'
C
Huh?
B
C C C C C F t=0
• A A'
– Img(P,C) Img'(P,C)
• A' B = false
– Img'(P,C) cannot reach F in k steps
• Hence Img' is k-adequate overapprox.
t=k
Note: if A,B are consistent, then let Img’(P,C) = T.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
A
P C
A'
C t=0
C
Intuition
B
C C C C F t=k
• A' tells is everything the prover deduced about the image of P in proving it can't reach
F in k steps.
• Hence, A' is in some sense an abstraction of the image relative to the property.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Reachability algorithm
let k = 0 repeat if I can reach F within k steps, answer reachable
R = I while Img'(R,C) F = false
R' = Img'(R,C) R if R' = R answer unreachable
R = R' end while increase k end repeat
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Termination
• Since k increases at every iteration, eventually k > d, the diameter, in which case
Img' is adequate, and hence we terminate.
Notes:
– don't need to know when k > d in order to terminate
– often termination occurs with k << d
– depth bound for earlier method (Sheeran et al '00) is "longest simple path", which can be exponentially longer than diameter
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
PicoJava II benchmarks
• Hardware Java virtual machine implementation
• Properties derived from verification of ICU
– handles cache, instruction prefetch and decode
• Original abstraction was manual
• Added neigboring IFU to make problem harder
– result: many irrelevant facts in problem properties
Mem,
Cache
ICU IFU
Integer unit
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Results
• Benchmarks completed in 1800 s:
– Standard model checking: 0/20
– Interpolation-based: 19/20
• Reason:
– Interpolation method exploits the SAT solver’s ability to narrow proofs to relevant facts.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
v. proof-based abstraction
McM,TACAS03
1000
100
10
1
0.1
0.01
0.01
0.1
1 10 100 1000
Proof-based abstraction (s)
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
v. proof-based abstraction
CCKSVW,FMCAD02
1000
100
10
1
0.1
0.01
0.01
0.1
1 10 100 1000
Counterexample-based abstraction (s)
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
v. K-induction
SSS, FMCAD00
1000
100
10
1
0.1
0.01
0.01
0.1
1 10
Interpolation-based (s)
100 1000
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
1000
IBM GP benchmarks
100
10
1
0.1
0.01
0.01
0.1
1 10 100 1000
Proof-based abstraction (s)
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
GP benchmarks - true properties
1000
100
10
1
0.1
0.01
0.01
0.1
1 10 100 1000
Proof-based abstraction (s)
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Characteristics
• SAT-based methods are effective when
– Very large set of facts is available
– Only a small subset are relevant to property
• They exploit the SAT solver's ability to narrow the proof to relevant facts
– I.e., narrows reachable states approximation to relevant variables.
• Interpolation method exploits this fact to compute abstract image operator.
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Infinite-state verification
• Direct approach:
– express transition constraint in FOL
– example: simple “Bakery” protocol:
NC ticket
0
’ > ticket
1 ticket
1
> ticket
state
1
= NC
0
C
NC ticket
1
’ > ticket
0 ticket
0
state
0
> ticket
1
= NC
C
Terminates because diameter is finite, though state space is infinite
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Infinite-state verification
• Predicate abstraction approach (Graf,Saïdi,97)
– Choose a set of predicates to represent state
• I.e., for bakery: ticket
1
> ticket
0 and ticket
0
> ticket
1
– Transform C into a predicate-state transducer
– Interpolants are now strictly Boolean
• Convergence guaranteed, but may have false negatives
• Advantages of interpolation approach:
– Avoid conversion to a Boolean formula
– Avoid building BDD’s!
– Strong ability to ignore irrelevant predicates
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
Conclusion
• SAT solvers have the ability:
– to generate refutations for bounded reachability
– to filter out irrelevant facts.
• These abilities can be exploited to generate an abstract image operator, using Craig interpolation.
• This yields a reachability procedure that
– is fully SAT-base
– operates directly on infinite-state systems
– is robust w.r.t. irrelevant facts
Copyright 2002 Cadence Design Systems.
Permission is granted to reproduce without
