sat-based unbounded model checking using interpolation

Formal Verification Group

© Copyright IBM Corporation 2008

IBM Haifa Labs

SAT-based unbounded model checking using interpolation

Based on a paper “Interpolation and SAT-based Model Checking” by K.L. McMillan, CAV 2003.


Interpolation If A B = false, there exists an interpolant A' for (A,B) such that:

A A'A' B = false

A' refers only to common variables of A,B Example:

A = p q, B = q r, A' = q Interpolants from proofs

given a resolution refutation (proof of unsatisfiability) of A B, A' can be derived in linear time.

(Pudlak,Krajicek,97)

(Craig,57)


Agenda

Computing interpolants Interpolation-based image computation Model checking finite state systems Optimization techniques


Interpolant from SAT solver

Resolution:

Modern SAT solvers can produce a proof of unsatisifiability for unsatisfiable formulas using resolution

An interpolant may be built from the proof of unsatisfiability in linear time.

SATsolver

(A,B) in CNF

Interpolationproof

A’

(A p) (p B)(A B) p


Proof of unsatisfiability A proof is a DAG, where

The nodes are clauses The root is an empty clause The leaves are original clauses Every inner node is obtained by a resolution of its two child nodes

An interpolant is build from the proof and it is follows the structure of the proof

Local to A / global literals:Given (A, B) be a pair of clause sets, a variable is global if it appears in both A and B, and local to A if it appears only in A.Given a clause c, g(c) – the disjunction of the global literals in c.


The construction of interpolant Let (A, B) be a pair of clause sets.

Given a proof of unsatisfiability Π for A U B, define p(c) for every node c in the proof as follows: If c is a leaf, then

• If cA then p(c) = g(c) • else p(c) is constant true

else let c1, c2 be child nodes of c, and let v be their pivot variable• If v is local to A, then p(c) = p(c1) p(c2)• else p(c) = p(c1) p(c2)

The Π-interpolant for (A, B) is p(false). Complexity: O(N + L), where N is the number of nodes, L is the number of literals in the proof.


Example

Interpolant is a circuit that follows structure of the proof.

A = { (b), (b c) } B = { (c d), (d) }

(b) (b c)

(c) (c d)

(d)(d)

=c

c

b

c

d


The correctness of the construction Definition: a clause interpolation has the form

(A,B) c [Φ], where A, B are clause sets, c is a clause and Φ is a formula. It is said to be valid when

1. A Φ c \ B, and2. B, Φ c | B, and3. Φ A and Φ B

Note, when c is empty, Φ is an interpolant for (A,B). Theorem: (A,B) c [p(c)] is valid.

The theorem implies that Π-interpolant for (A, B) is an interpolant for (A,B).


Proof: by induction on the proof of unsatisfiability structure. Base – 2 cases:

The correctness of the construction – cont.

(A,B) c [c | B] c A

(A,B) c [T] c B

Remember:

1. A Φ c \ B

2. B, Φ c | B

3. Φ A and Φ B


The correctness of the construction – cont. Induction step – 2 cases:

Remember:

1. A Φ c \ B

2. B, Φ c | B

3. Φ A and Φ B

(A, B) l,c1 [Φ1](A, B) l,c2 [Φ2](A,B) c1, c2 [Φ1 Φ2] l B

(A, B) l,c1 [Φ1](A, B) l,c2 [Φ2](A,B) c1, c2 [Φ1 Φ2] l B


Agenda



Bounded model checking Safety property F Unfold the model k times:

U = T0 T1 ... Tk-1ab

cpg a

bcp

g ab

cpg

...I0 Fk

Use SAT solver to check satisfiability of I0 U Fk

If unsatisfiable: property has no Cex of length k can produce a proof of unsatisfiability P


Reachability Is there a path (of any length) from I to F satisfying transition

constraint T? Reachability fixed point:

R0 = IRi+1 = Ri Img(Ri)

R = Ri

Image operator:Img(P) = V. P(V) T(V,V’)

F is reachable iff R F false


Reachability

I FR1R2...

R

= I Img(I,T)= R1 Img(R1,T)


Overapproximation

An overapprox. image operator is Img' s.t.for all P, Img(P) Img'(P)

Overapproximate reachability:R'0 = I

R'i+1 = R'i Img'(R'i)R' = R'i


Interpolation-based image

A = P0T0

B = T1 T2 ... Tk-1 (F1F2... Fk)

P0 FkT0 T1 T2 Tk-2 Tk-1

A B

t=1 t=k

Let A' be an interpolant for (A,B)

Fk-1Fk-2F3F2F1

…


Interpolation-based image – cont.

A(s0, s1) A'(s1)

A' is Img'(P) (an overapproximate image of P) A' B = false

Img'(P) cannot reach F in k-1 steps

P FT T T T T T T

A B

t=1 t=k

FFFFFF

A'


Intuition

A' tells us everything the solver deduced about the image of P in proving it can't reach F in k steps.

Hence, A' is in some sense an abstraction of the image relative to the property.

This opens a way to overapproximate reachability calculation.

P FT T T T T T T

A B

t=1 t=k

FFFFFF

A'


Agenda



If I(s0) F(s0) satisfiable // the basisreturn FAILED;

while (1)Rnew := I, R := falsewhile (Rnew R) // the fixpoint condition

If Rnew T1 T2 ... Tk-1 (F1F2... Fk) unsatisfiable R := R Ú Rnew

Rnew := interpolant A’(s1)else // satisfiable

If (Rnew = I ) return FAILEDelse // possible false negative – should increase k R := false, break

end whileIf (Rnew R) // fixpoint

return PASSEDincrease k

end while

The fixpoint algorithmB

MC

loop

UM

C (r

each

abili

ty) l

oop


Algorithm Correctness

Clearly, if returns FAILED then we got a bug. If a fixpoint is reached, then an overapproximation of

reachable states does not contain a bug, i.e. the formula passes.

We are left with possible false negatives. When possible false negative, we increase k. Thus, it is enough to see that there exists a (large enough) k for which the algorithm always stops.


Algorithm terminates

Let d be the reverse depth of the model (i.e. the number of real backward steps from the bad states until a fix point), and let k = d+1.

If there is a bug, then we will find it in the first iteration (since k is as long as the shortest path between I and F).

If there is no bug, the formula is unsatisfiable and the interpolant A’ (and Rnew= I Ú A’) cannot reach F in d steps.


Algorithm terminates – cont.

d is the reverse depth Rnew cannot reach F at all. Thus, the next formula (with Rnew instead of I) will be

unsatisfiable as well. Since R always grows and a model is finite, a fixpoint will be

finally reached. Notes:

don't need to know d in order to terminate often termination occurs with k << d


Characteristics SAT-based methods are effective when

Very large set of facts is available Only a small subset are relevant to property

They exploit the SAT solver's ability to narrow the proof to relevant facts I.e., narrows reachable states approximation to relevant variables.

Interpolation method exploits this fact to compute abstract image operator.


Agenda



Incremental SAT solving with interpolation At each iteration of the inner while loop we check

satisfiability of the following formula: Rnew T1 T2 ... Tk-1 (F1F2... Fk)

All those formulas differ only by Rnew. SAT solver can preserve all the clauses that are implied by

the common part of the formulas (all but Rnew). This can potentially save SAT solver time for deducing those

clauses again. Similarly, formulas with different k (the outer while loop) can

be solved incrementally.


Checking convergence more efficiently R – current overapproximate reachable states

A’ – current interpolant Original convergence check: whether A’ R ? Recall: A’ is an overapproximate forward step from R Let R’ be a “real” forward step from R Let’s check whether R’ R ? Advantage: the latter formula is more likely to converge earlier

(because R’ A’) Correctness:

if R’ R, but A’ R, then A’ \ R’ is unreachable


Minimizing interpolants Reduce CNF formulas using CNF simplifier Interpolants are highly redundant boolean expressions

Reduce interpolants using BDD sweeping or SAT sweeping reduction

Minimize unsat core Unsat core is an unsatisfiable subset of a given unsatisfiable CNF

formula (the leaves of the proof) Unsat core may be computed by a SAT solver, when it founds that a

formula is unsatisfiable Various methods exist for minimizing unsat core, the simplest one is

running SAT solver iteratively on previously computed unsat core


Strengthening interpolants Recall: interpolant is an overapproximation of a forward

image of Rnew There may be different overapproximations Can we control the quality of overapproximation? Do we want a finer one or a coarser one?


R2

Example

I FR1

...

R


Example – fine overapproximation

I F


Example – moderate overapproximation

I F


Example – coarse overapproximation

I F


Strengthening interpolants Move local resolutions (‘or’-gates) towards leaves 2 rewrite rules:

(p q c1) (p c2) (q c1 c2) (q c3) (c1 c2 c3)

(p q c1) (q c3) (p c1 c3) (p c2) (c1 c2 c3)


Strengthening interpolants – cont.

Caution: may cause exponential expansion of the proof!

(p q c1) (p q c2) (q c1 c2) (q c3) (c1 c2 c3)

(p q c1) (q c3) (p q c2) (q c3) (p c1 c3) (p c2 c3) (c1 c2 c3)


(a b c)a c

Strengthening interpolant – an exampleA = {(a), (b d), (a b c), …} B = {(a e), (c d), …}

(b c)

(c d)

a

b

A’ = d (a (a c)) = d (a c)A’’ = a (d (a c)) = a (c d)A’ A’’

(b d)d

( a )a

(a b c)a c

(c d) a

(a c d) b(b d)

d( a )

a

Move local resolutions toward leaves


Approximate interpolant computationA = {(a), (b d), (a b c), …} B = {(a e), (c d), …}

A’ = d (a (a c)) = d (a c) A’’ = c d

A’ A’’

(a b c)a c

(b c)

(c d)

a

b

(b d)d

( a )a

Treat inner clauseswith pure originas leaves


Refinement of interpolants

If Rnew T1 T2 ... Tk-1 (F1F2... Fk) satisfiableIf (Rnew = I )

return FAILEDelse // possible false negative – should increase k

break

Can we avoid the possible false negative?


s1

• Check whether s1 is reachable in one step from Ri-1

• If no – refine Ri by removing s1 from it

• Disadvantages:

–Removes one false negative at a time

–Does not insure removing all false negatives

–Complicates the expression of R

Refinement of interpolants – cont.

I R1Ri

FRi-1

… s2 sk?


Conclusion SAT solvers have the ability:

to generate refutations for bounded reachability to filter out irrelevant facts.

These abilities can be exploited to generate an abstract image operator, using Craig interpolation.

This yields a reachability procedure that is fully SAT-base is robust w.r.t. irrelevant facts

Various techniques exist to control size and quality of interpolants

sat-based unbounded model checking using interpolation

Documents