multi-domain logic as a tool for program verification implementation issues
DESCRIPTION
Multi-Domain Logic as a Tool for Program Verification Implementation Issues. Tudor Jebelean , Johannes Kepler Unversity Linz Gábor Kusper , Eszterh á zy K á roly College Eger SCSS 2010. Outline. Motivation Intuition Representation Bounded Model Checking - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/1.jpg)
Multi-Domain Logic as a Tool for Multi-Domain Logic as a Tool for Program VerificationProgram VerificationImplementation IssuesImplementation Issues
Tudor Jebelean, Johannes Kepler Unversity LinzGábor Kusper, Eszterházy Károly College Eger
SCSS 2010
![Page 2: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/2.jpg)
OutlineOutline
Motivation Intuition Representation Bounded Model Checking Direct Representation in Multi-Domain Logic Test Results Conclusion
![Page 3: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/3.jpg)
MotivationMotivation
We have a Multi-Domain Logic based SAT solver, which is just a normal SAT solver with the basic settings.
This SAT solver can use lots of MDL specific techniques:– Variable Merging– Clustering Propositional Variables– Deletion of Weak Assignments (DoWA)– Dynamic Variable Merging
There are some problem sets which can be solved fast using these techniques, like the Pigeon Hole Problem.
We wanted to check whether Bounded Model Checking belongs to this set of problems or not.
![Page 4: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/4.jpg)
![Page 5: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/5.jpg)
IntuitionIntuition
Lots of short clauses are good!
![Page 6: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/6.jpg)
Generating Generating CNFCNF
Propositional Logic– New variables to
prevent exponential growth
– Less clauses– More variables– Lots of short clauses
Multi-Domain Logic– Merge variables of
some subformulae to prevent exp. growth
– More clauses– Less variables– Lots of short clauses
![Page 7: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/7.jpg)
RepresentationRepresentation
![Page 8: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/8.jpg)
Literal in Multi-Domain LogicLiteral in Multi-Domain Logic
A multi-literal has the form: Sign Set:Multi-Variable
Sign Set: Finite set of symbols which satisfies the literal.
For example: {Apple}:Food
{Cat, Dog}:Pet
{1, A, 3.14}:X
![Page 9: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/9.jpg)
DomainDomain
Each multi-variable has a domain. The domain is the union of sign sets of the multi-var.
Example: ( { Cat, Dog }:Pet OR { Apple }:Food) AND
{ Gopher }:Pet AND { Bread }:Food The domain for Pet is: { Cat, Dog, Gopher } The domain for Food is: { Apple, Bread }
Since only one symbol may be assigned to each multi-variable from its domain, this formula is UNSAT.
![Page 10: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/10.jpg)
Literal RepresentationLiteral Representation
We need N bits to represent a multi-literal, where N is the cardinality of its domain.
Example: ( { Cat, Dog }:Pet OR { Apple }:Food) AND
{ Gopher }:Pet AND { Bread }:Food (110:Pet OR 10:Food) AND 001:Pet AND 01:Food The domain for Pet is: { Cat, Dog, Gopher } The domain for Food is: { Apple, Bread }
![Page 11: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/11.jpg)
Example for Variable mergingExample for Variable merging
Before variable merging: ({1}:Int OR {A}:Char) AND ({2}:Int OR {B}:Char) After: ({1A,1B}:X OR {1A, 2A}:X) AND ({2A, 2B}:X OR {1B, 2B}:X) Since OR on the same multi-variable is UNION on the sign
sets we obtain: {1A,1B, 2A}:X AND {1B, 2A, 2B}:X Since AND on the same multi-variable is INTERSECTION on
the sign sets we obtain: {1B, 2A}:X Note, that a this formula collapsed into a literal!
![Page 12: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/12.jpg)
Boolean Formulae into MDLBoolean Formulae into MDL
We can merge any number of propositional variables. We need 2k bits to represent a Boolean formula with k
propositional variable. The encoding in case of k = 2: { } FALSE {00} ab
{11} ab {00,11} ab{10} ab {00,10} b {10,11} a {00,10,11} ab {01} ab {00,01} a {01,11} b {00,01,11} ab {01,10} ab {00,01,10} ab {01,10,11} ab {00,01,10,11} TRUE
a b0 1 00 0 11 0 01 1 1
![Page 13: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/13.jpg)
Bounded Model CheckingBounded Model Checking
![Page 14: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/14.jpg)
Bounded Model CheckingBounded Model Checking
Bounded Model Checking is one of the most successful formal methods for practical verification of hardware and software.
BMC translate the system to be verified into a boolean formula.
It uses a SAT solver to solve this formula. If the formula is unsatisfiable, then the property is not
true, otherwise it is.
BMC profits from very fast SAT solvers!
![Page 15: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/15.jpg)
Bounded Model CheckingBounded Model Checking
The system to be verified consist of:– a transition system, and – a property to be checked (given in temporal logic).
One has to translate the system into a boolean formula:– the transition system can be translated, but– the property can be translated only up to a certain bound.
The bound is on the number of steps.
That is why this approach is called Bounded Model Checking.
![Page 16: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/16.jpg)
Temporal LogicTemporal Logic
Properties are given in Computation Tree Logic. CTL is built from path quantifiers and temporal operators.
There are two path quantifiers: – A, “for every path” – E, “there exists a path” CTL has four temporal operators: – X p, “p holds at the next time step”. – F p, “p holds at some time step in the future” – G p, “p holds at every time step in the future” – p U q, “p holds until q holds” Note that AG p equivalent to EF not(p).
![Page 17: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/17.jpg)
BMC toolBMC tool
http://www.cs.cmu.edu/~modelcheck/bmc.html– Generates CNF (DIMACS) files out of SMV descriptions
• SMV: Symbolic Model Verifier
But! During the CNF translation it introduces (recursively)
new propositional variables to prevent exponential grow of the formula.
![Page 18: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/18.jpg)
Example: SMV -> FormulaExample: SMV -> Formula
VAR
x[2]
ASSIGN
init(x):= 0;
next(x):=x+1;
SPEC
EF x = 3
bound = 1
( x0 = 0 ) AND
( x1 = x0+1) AND
( x0 = 3 OR
x1 = 3 )
bound = 2
( x0 = 0 ) AND
( x1 = x0+1) AND
( x2 = x1+1) AND
( x0 = 3 OR
x1 = 3 OR
x2 = 3)
![Page 19: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/19.jpg)
Direct Representation in MDLDirect Representation in MDL
![Page 20: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/20.jpg)
Direct Representation in MDLDirect Representation in MDL
{0}:x0
{1,2,3}:x0 {1}:x1
{0,2,3}:x0 {2}:x1
{0,1,3}:x0 {3}:x1
{0,1,2}:x0 {0}:x1
{1,2,3}:x1 {3}:x0
{0,2,3}:x1 {0}:x0
{0,1,3}:x1 {1}:x0
{0,1,2}:x1 {2}:x0
{3}:x0 {3}:x1
{0}:x0
[0]:x0 {1}:x1
[1]:x0 {2}:x1
[2]:x0 {3}:x1
[3]:x0 {0}:x1
[0]:x1 {3}:x0
[1]:x1 {0}:x0
[2]:x1 {1}:x0
[3]:x1 {2}:x0
{3}:x0 {3}:x1
( x0 = 0 ) AND
( x1 = x0+1) AND
( x0 = 3 OR
x1 = 3 )
![Page 21: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/21.jpg)
Test resultsTest results
We tested our Java implementation on MDL instances and on their equivalent SAT problems from the page: http://www.cs.cmu.edu/~modelcheck/bmc/bmc-benchmarks.html
The test results are obtained on a NEC VERSA M370 notebook with Core2 DuoM 2 GHz processor (32 bits) and 1 GB memory.
![Page 22: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/22.jpg)
2-bit counter 2-bit counter
The transition system:– We have a 2-bit counter– The two bits represented by A– The initial state is A=0– Then we count:
0, 1, 2, 3, 0, and so on…
The property to be checked:– The counter will eventually
reach the state 3.– In temporal logic: EF A = 3.– Or equivalently: AG not(A = 3).
0
1 2
3
![Page 23: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/23.jpg)
2-bit counter example 2-bit counter example
BMC file:
VAR
x[2]
ASSIGN
init(x):=0;
next(x):=inc(x);
SPEC
AG x != 3
CNF file:
p cnf 7 15
-1 3 0
-1 2 0
-4 6 0
-4 5 0
7 6 -5 0
7 -6 5 0
-7 6 5 0
-7 -6 -5 0
-5 0
-6 0
-2 -5 0
2 5 0
-3 7 0
3 -7 0
4 1 0
MDL file:
{0}:x0
[0]:x0 {1}:x1
[1]:x0 {2}:x1
[2]:x0 {3}:x1
[3]:x0 {0}:x1
[0]:x1 {3}:x0
[1]:x1 {0}:x0
[2]:x1 {1}:x0
[3]:x1 {2}:x0
{3}:x0 {3}:x1
![Page 24: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/24.jpg)
n-bit counter, all unsatisfiablen-bit counter, all unsatisfiable
![Page 25: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/25.jpg)
n-bit counter, all satisfiablen-bit counter, all satisfiable
![Page 26: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/26.jpg)
n-bit counter, #unit propagations n-bit counter, #unit propagations
![Page 27: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/27.jpg)
Barrel ShifterBarrel Shifter
B0,B1|B2,B3R0,R1|R2,R3
B2,B3|B0,B1R0,R1|R2,R3
The transition system:– We have a 2x2-bit barrel shifter– The initial state is: B=R– R can be any value– A step: shift B by 2 bits
The property to be checked:– invar := (B0 = R0 -> B1 = R1) &
(B0 = R1 -> B1 = R0) &
(B1 = R0 -> B0 = R1) &
(B1 = R1 -> B0 = R0)– AG invar– EF not( invar )
![Page 28: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/28.jpg)
Barrel Shifter Barrel Shifter
BMC file:ASSIGN init(b0) := r0; init(b1) := r1; next(b0) := b1;
next(b1) := b0; next(r0) := r0; next(r1) := r1;SPEC AG(b0=r0 -> b1=r1)&(b0=r1 -> b1=r0)&(b1=r0 -> b0=r1)&(b1=r1 -> b0=r0)
CNF file:
p cnf 17 53
-1 2 0
-1 3 0
-4 5 0
-4 6 0
-7 8 0
-7 9 0
10 -7 0
10 -4 0
10 -1 0
7 4 1 -10 0
MDL file:[0]:b00 [1]:r00
[1]:b00 [0]:r00
[0]:b10 [1]:r10
[1]:b10 [0]:r10
[0]:b00 [0]:b10 [0]:r00 [0]:r10
[0]:b00 [0]:b10 [1]:r00 [1]:r10
[0]:b00 [1]:b10 [0]:r00 [1]:r10
[0]:b00 [1]:b10 [1]:r00 [0]:r10
[1]:b00 [0]:b10 [0]:r00 [1]:r10
[1]:b00 [0]:b10 [1]:r00 [0]:r10
[1]:b00 [1]:b10 [0]:r00 [0]:r10
[1]:b00 [1]:b10 [1]:r00 [1]:r10
![Page 29: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/29.jpg)
Barrel Shifter, running timeBarrel Shifter, running time
![Page 30: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/30.jpg)
ConclusionConclusion
![Page 31: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/31.jpg)
The State Explosion Problem The State Explosion Problem
The state explosion problem is, thatthe number of system states grows exponentially with the number of system components
We cannot heal this problem. We can postpone it by some factor depending on the
word size of our computer.
![Page 32: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/32.jpg)
Generating Generating CNFCNF
Propositional Logic– New variables to
prevent exponential grow
– Less clauses– More variables– Lots of short clauses
Multi-Domain Logic– Merge variables of
some subformulae to prevent exp. grow
– More clauses– Less variables– Lots of short clauses
![Page 33: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/33.jpg)
ConclusionConclusion
On one hand, Multi-Domain Logic can encode Bounded Model Checking problems in a more compact and natural way.
On the other hand, the resulting MDL problems can be solved faster then their boolean versions.
![Page 34: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/34.jpg)
Future workFuture work
We would like to implement – Compiler from SMV (Symbolic Model Verifier) to MDL
![Page 35: Multi-Domain Logic as a Tool for Program Verification Implementation Issues](https://reader035.vdocuments.mx/reader035/viewer/2022062423/56814df9550346895dbb6601/html5/thumbnails/35.jpg)
Thank you for your attention!Thank you for your attention!