7. SAT-Based Model-Checking Fachgebiet Rechnersysteme1

Transcription

1 7. SAT-Based Model-Checking Fachgebiet Rechnersysteme 7. SAT-Based Model-Checking 7. SAT-Based Model-Checking 3 Content Temporal property 7. Bounded Model-Checking (BMC) (IPC) Sequential circuit Model- Checker SAT-Checker Y N Counter-example 7. SAT-Based Model-Checking 2 As a rule of thumb, OBDD-based symbolic modelcheckers are able to cope with systems of flipflops (~ states) Direct application of OBDD-based symbolic model-checking to large circuits is not possible Current solutions: () SAT-based model-checking (Bounded and Interval Model-Checking) (2) Employ induction (3) Build abstract models with fewer storage elements 7. SAT-Based Model-Checking 4 7. Bounded Model-Checking (BMC) Bounded Model-Checking (BMC Biere et al FMCAD'98/ Bounded Model Checking (BMC, Biere et al. FMCAD 98/ DAC'99) The size of the SAT formula of a circuit is proportional to the size of the circuit Unfolding a circuit n-times allows to check if a property is violated for n time steps

2 7. SAT-Based Model-Checking 5 7. Bounded Model-Checking Example: We want to check that the two flipflops and are never at the same point of time, i.e., G((*)) in the circuit it below We consider only a bounded number of n time steps We "unfold" the circuit n times and check if the property is violated at one of the n time instances 7. SAT-Based Model-Checking 7 7. Bounded Model-Checking Unfolding 3 times: i f Initial state f i f i f i 2 f (*) i f Error at t= Error at t= Error at t=2 Error at t=3 If this output is unsatisfiable then the property holds 7. SAT-Based Model-Checking 6 7. Bounded Model-Checking What does "unfolding" mean? i f Initial state f i f i f i 2 f 7. SAT-Based Model-Checking 8 7. Bounded Model-Checking Unfolding 3 times: i f Initial state i i i 2 (*) t If this output is unsatisfiable then the property holds Replication of circuit

3 7. SAT-Based Model-Checking 9 7. Bounded Model-Checking Initial i f state contradiction contradiction i i i 2 contradiction (*) contradiction If this output is unsatisfiable then the property holds 7. SAT-Based Model-Checking 7. Bounded Model-Checking Formally, we use again the notation T(S, I, S') for the transition-relation We introduce n+ copies S i, S' i and I i of the old/new state t variables and of the input variables, respectively, with i n We observe that we have always S' i = S i+ for the unfolded transition relation with i < n Hence, The transition-relation for time-step i is T(S i, I i, S i+ ) Unrolling the circuit it n-times means to build the formula: Init(S )*T(S, I, S )*T(S, I, S 2 )*... *T(S n-, I n-, S n ) where Init characterizes the initial state 7. SAT-Based Model-Checking 7. Bounded Model-Checking Note that We used "fresh" input variables i, i, i 2 at each step of unrolling We consider "open" systems where the inputs may assume any value at each point of time The property would be violated immediately if we started with arbitrary intial states 7. SAT-Based Model-Checking 2 7. Bounded Model-Checking In order to check if a state-property p, i.e., a property involving only state-variables, is violated at one or several time-steps i, i n, we have to consider the term: (p(s ) + p(s ) p(s n )) As a result, the property is violated at some time-step i, i n, if the following formula is satisfiable: Init(S )*T(S, I, S )*T(S, I, S 2 )*... *T(S n-, I n-, S n )* (p(s ) + p(s ) p(s n )) If the formula is unsatisfiable then we know that the property p holds for the first n+ time steps

4 7. SAT-Based Model-Checking 3 7. Bounded Model-Checking The bound n is given by the user How big should n be selected? The Diameter d of a transition system: Determine the length of all the shortest paths from the initial states to any other state The diameter is the maximum of these values It is the minimum number of steps required for reaching all reachable states Example: d = 2 / r s / / / / / / / 7. SAT-Based Model-Checking 5 7. Bounded Model-Checking What about the verification of liveness-properties F(p)? A counter-example of a liveness-property F(p) is obviously an infinite path where p does not hold There must be a loop of states in the unfolded circuit! How to introduce the detection of loops into the technique? After some steps, the same state is visited, i.e., all flipflops assume the same value again p p p p p p 7. SAT-Based Model-Checking 4 7. Bounded Model-Checking For the verification of safety-properties G(p), n = d is sufficient But: d 2 n In many practical applications, d ~ There exist computationally hard methods to calculate d for a transition system BMC useful for debugging 7. SAT-Based Model-Checking 6 7. Bounded Model-Checking Unfolding once: i f Initial can not loop in state contradiction initial state f i f F() If this output were satisfiable then we had a counterexample

5 7. SAT-Based Model-Checking 7 7. Bounded Model-Checking Unfolding 3 times: Initial i state f i f i f i 2 f f F() 7. SAT-Based Model-Checking 9 7. Bounded Model-Checking Another loop: Initial i state f i f i f i 2 f f F() 7. SAT-Based Model-Checking 8 7. Bounded Model-Checking With a constant input value i =, = is obviously not reachable The result corresponds to the following state diagram: p p p In general, we have to consider all possible loops, e.g., also the following loop: 7. SAT-Based Model-Checking 2 7. Bounded Model-Checking In the general case, we have to consider loops of arbitrary length: Init(S )*T(S )T(S, I, S )*T(S )T(S, I, S 2 )*... *T(S n-, I n-, S n )* p(s )*p(s )*... *p(s n )* ((S n S ) + (S n S ) (S n S n- )) p p p etc.

6 7. SAT-Based Model-Checking 2 7. Bounded Model-Checking How big should n be in the case of liveness-properties? The Recurrence Diameter r of a transition system: The length of the longest loop-free path starting from the initial state Example: r = 2 / We have d r r s / / / / / / / 7. SAT-Based Model-Checking Bounded Model-Checking Summary: The violation of a property is implemented by means of a network of gates A SAT formula is generated from the unfolded circuit If the generated formula is unsatisfiable, it only means that there are no failure traces of length n! No guarantee that there are no errors for cases > n! Effective for showing the presence of bugs 7. SAT-Based Model-Checking Bounded Model-Checking r can be calculated by the following procedure: r is the smallest integer so that T(S, I, S )*T(S, I, S 2 )*... *T(S r, I r, S r+ ) ((S r+ S ) + (S r+ S ) (S r+ S r )) ("for each path s, s,..., s r+ longer than r, state s r+ has been visited before") However, for general properties, i.e., not pure safety or liveness properties the upper bound for unrolling ist still an open problem 7. SAT-Based Model-Checking 24 In principle, BMC is a complete method for proving properties (i.e., if the property holds it can be proven by means of BMC) if the bound n used for unrolling is "sufficiently large" However, for general properties, i.e., not pure safety or liveness properties, determining the upper bound for unrolling is still an open problem The upper bound may also become very large In contrast, Interval Model-Checking (IMC) or Interval Property Checking (IPC) is a powerful method which gives a sufficient condition for a property to hold IPC was developed for the proof of properties involving a time-window (interval) of fixed, finite length

7 7. SAT-Based Model-Checking 25 IPC unrolls the circuit in the same manner as BMC The circuit is unrolled as many times as it is given by the time-interval of the property The circuit is not unrolled from the initial state! IPC ignores the issue of reachabilty In many applications, implications or general properties within a time-interval of fixed length are very common 7. SAT-Based Model-Checking 27 The time-bounded property p we want to prove involves the state and input variables at different time-points,..., n of the time interval p is typically not a state-property t t Formally, we use again n+ copies of S i and I i of the state variables and of the input variables, respectively Generally, such a property p holds for all initializable paths if t Assumption Commitment t+n t: Init(S )*T(S )T(S, I, S )*...*T(S t-, I t-, S t )* T(S t, I t, S t+ )*...*T(S t+n-, I t+n-, S t+n ) p(s t,..., S t+n, I t,..., I t+n ) (i) Time-interval (or t: Init*T t *T n p for short) is a tautology 7. SAT-Based Model-Checking 26 Such properties are typical for many engineering specifications, e.g., timing-diagrams: 7. SAT-Based Model-Checking 28 Interval property-checking unrolls the circuit according to the size of the time-window involved in the property T(S t t, I t, S t+) )*T(S t+,, I t+, S t+2) )*... *T(S t+n-, I t+n-, S t+n) ) p(s t,..., S t+n, I t,..., I t+n ) (or T n p for short) We do not restrict S t to the initial state! The paths characterized by the formula above are legal virtual, i.e., possibly non- initializable iti paths Source: AMBA AHB Cycle Level Interface

8 7. SAT-Based Model-Checking 29 Example: prove that if f = at point t of time then = at point t+2 assume: at t: f = ''; prove: at t+2: = ''; f t t+2 7. SAT-Based Model-Checking 3 assume: at t: t t+ t+2 prove: f = ; at t+2: f i 2 i 3 = ; i f Represents the implication assume prove f t = t+2 = If this output is unsatisfiable then the property holds 7. SAT-Based Model-Checking 3 assume: at t: t t+ t+2 prove: f = ; at t+2: f i 2 f i 3 f = ; 7. SAT-Based Model-Checking 32 assume: at t: t t+ t+2 prove: f = ; at t+2: f i 2 i 3 = ; CVE f t = t+2 = f t = t+2 =

9 7. SAT-Based Model-Checking 33 v w Anfangszustand c i c i c i c v y w i v y w i v y w i 2 v y w i 3 i c v y w c y T 3 P x 7. SAT-Based Model-Checking 35 Proof: (a) Consider a path of length n+ starting in the initial state Init(S ), i.e., t=. The unsatisfiability of Init(S )*T(S, I, S )*...*T(S n-, I n-, S n )*p(s,..., S n, I,..., I n ) follows directly from the unsatisfiability of (iii). x x x x x P t 2 T 3 T 4 T 7. SAT-Based Model-Checking 34 Theorem: If the formula T(S t, I t, S t+ )*...*T(S t+n-, I t+n-, S t+n ) p(s t,..., S t+n, I t,..., I t+n ) (ii) (or T n p for short) is a tautology or if, equivalently, T(S t, I t, S t+ )*...*T(S t+n-, I t+n-, S t+n ) * p(s t,..., S t+n, I t,..., I t+n ) (iii) is unsatisfiable then p holds for all initializable paths of the system 7. SAT-Based Model-Checking 36 (b) An initializable path of arbitrary length t+: Init(S )*T(S, I, S )*...*T(S t-, I t-, S t ) adds an additional restriction "in front of" (ii): Init(S )*T(S, I, S )*...*T(S t-, I t-, S t )* T(S t, I t, S t+ )*...*T(S t+n-, I t+n-, S t+n )* p(s t,..., S t+n, I t,..., I t+n ) (iv) A i th ti fi bilit f ll f th Again, the unsatisfiability follows from the unsatisfiability of (iii).

10 7. SAT-Based Model-Checking 37 In many situations, IPC leads to an efficient proof of properties of complex designs However, the proof-procedure (iii) of IPC suffers from a false-negative problem: If (iii) is unsatisfiable then so is (iv) as we have shown If (iii) is satisfiable (indicating that the property does not hold) and produces a counter-example then (iv) might actually be unsatisfiable (indicating that the property holds) due to the additional restrictions to initializable paths Such a false-negative counter-example is called a spurious counter-example 7. SAT-Based Model-Checking 39 Solutions of the problem of spurious counter-examples will be given in Section 7.4 As a prerequisite, the concept of invariants will be introduced and discussed in the next Section 7. SAT-Based Model-Checking 38 Example: The following state-diagram is an autonomous 3-step counter which "counts" -... The state is the initial state. The state is unreachable. To prove the correct operation of the 3-step counter, we may want to prove that the values of the flipflops are repeated after 3 time steps, thus f t = f t+3 and t = t+3. However, for the property t = t+3 we get the counter-example if we ignore the unreachability of state. 7. SAT-Based Model-Checking 4 Remark: CVE The idea of Interval Property-Checking was originally developed by the CVE (Circuit Verification Environment) team at Siemens. The tool was further developed under the name "Gateprop" at Infineon Technologies, and is now commercialized by OneSpin Solutions, Munich f

11 7. SAT-Based Model-Checking 4 One way to overcome the problem of spurious counterexamples in IPC is - as we will discuss in Section to employ invariants of a system An invariant v of a system is a state-property, i.e., a property which refers to the state-variables at only one time-point a state-property which holds on all initializable paths, i.e., holds for all reachable states of a system: 7. SAT-Based Model-Checking 43 Example : s t s6 as well as (s t s4)*(s t s5)*(s t s6) are invariants ("to be not in state s6 invariantly holds for all the reachable states s, s, s2 and s3") Viewed as a characteristic ti function of the set of states, the invariants correspond to supersets of the set of reachable states (s t s4)*(s t s5)*(s t s6) t: Init(S )*T(S, I, S )*...*T(S t-, I t-, S t ) v(s t ) s s s2 s3 (or t: Init*T t v for short) state-variable s s4 s5 s6 s7 s t s6 7. SAT-Based Model-Checking 42 Since an invariant v holds for all reachable states it can be viewed as a characteristic function of a superset of the reachable states 7. SAT-Based Model-Checking 44 Example 2: In the following design *) a main state-machine controls a second state-machine (a counter). If the left statemachine is in state s t =, then the counter is always in state c t =. So we have the invariant: s t = c t =. - start= c= start= c s= s s= s s= s= s state-variable s * ) This example was inspired by the dissertation of M.D. Nguyen "System-on-Chip Protocol Compliance Verification Using Interval Property Checking", TU Kaiserslautern 28 s state-variable c

12 7. SAT-Based Model-Checking 45 To view the invariant as a characteristic function of a set of states, we observe that the complete state-space consists of 3*4 = 2 states, where 6 states are reachable: 7. SAT-Based Model-Checking 47 A particular important class of invariants can be proven by a simple induction-step in the time-dimension: the inductive invariants A property p is called an Inductive Invariant iff the following holds: reachable states p p t p t+ Induction basis Induction step t: p t state-variables s/c Rationale: assume that we have proven the induction basis and step, but t: p t does not hold. Then there is a smallest t+ > with p t+ = and p t =. Hence, p t p t+ = = which is a contradiction to the induction step. 7. SAT-Based Model-Checking 46 Viewed as a characteristic function of a set of states, the invariant [s t = c t =] = [s t + c t =] characterizes a superset of the reachable states: c t = 7. SAT-Based Model-Checking 48 There are several techniques to check the induction step p t p t+ In the forward direction, we check that all successor states t reachable from p, S(p) are included d in p, i.e., S(p) p t t+ reachable states Reasoning at t+ S(p) s t p p state-variables s/c

13 7. SAT-Based Model-Checking SAT-Based Model-Checking 5 p The forward direction is the somewhat more intuitive way of looking at induction: the set of all successor states of the p-states has to be a subset of the p-states t t+ S(p) p Example: p-states = {s,s,s2,s3} successor states of p-states S(p) = {s,s,s2,s3} p Hence, being not in s4 is an inductive invariant s s s2 s3 s4 Induction can also be used to try to prove G-type properties of CTL or LTL For instance, if p is an inductive invariant then AG(p) holds Note that we need only one AX-step to prove the AG property! There are, however, many properties q so that AG(q) holds, i.e., q is a general invariant, but q is not an inductive invariant (the bad news) This means that the induction step p AX(p) may fail and the model-checker produces a spurious counter-example if AG(p) actually holds p being an inductive invariant is sufficient, but not necessary for AG(p) There are techniques to improve the situation: 7. SAT-Based Model-Checking 5 Following the backward direction, we check that all p-states belong to those states from which p is unavoidable in the next state, formally: p AX(p) AX(p) Reasoning at t p t t+ p 7. SAT-Based Model-Checking 52 "Strong" and "weak" assumptions Assume we are able to prove that v k is a tautology Then p v k holds for arbitrary yp! Proof: [(v k) (p v k)] = [(v k) p v k] = More informal: if "if it rains then there are clouds" holds then "if it is Thursday and it rains then there are clouds" holds, too p v is a "stronger" assumption (= makes more restrictions) than v

14 7. SAT-Based Model-Checking 53 strong The strongest assumption is (we can deduce everything), the weakest assumption is (nothing can be deduced from ) We have thus the ordering:... p v... v... weak 7. SAT-Based Model-Checking 55. Example: Try to prove AG(s6), i.e., s6 is not reachable Trying s6 t s6 t+ (the induction step) yields the counter-example s5 t, s6 t+ P must be made "stronger", in the example: s4 t * s5 t *s6 t s4 t+ *s5 t+ *s6 t+ holds Hence, AG(s6) but also AG(s5) and AG(s4) s4*s5*s6 s s s2 s3 s4 s5 s6 s7 s6 7. SAT-Based Model-Checking 54 Assume that we can prove that a product p q is an inductive invariant Then p holds globally, i.e., AG(p) (and AG(q) as well) since t: [p(t) q(t)] (t)] implies t: p(t) Thus, if we can not successfully show that p is an inductive invariant, we can make p stronger and try the product p q But how to find a appropriate q which makes p q an inductive invariant? v can often be determined d by means of a counter-example 7. SAT-Based Model-Checking This example employs IPC. Obviously, the induction step p t p t+ can easily be proven by unrolling the circuit just twice. Example: Try to prove G((*)) )) for the following system by showing that (*) is an inductive invariant: i f

15 7. SAT-Based Model-Checking 57 There exists a counterexample! t t+ f f i 2 If this output t is unsatisfiable - then the property holds (*)t+ (*) t i f (*) is not an inductive invariant! 7. SAT-Based Model-Checking 59 contradiction - - t t+ f f Try: (*) t *(*) t i 2 If this output is unsatisfiable then the property holds (*) t+ *(*) t+ 7. SAT-Based Model-Checking Example (cont'd): so we get the counter-example * which is spurious since and can never be at the same point of time. So we strengthen the original property (*) ) by means of the negated counterexample (we try to prove that (*) is an inductive invariant, too). 7. SAT-Based Model-Checking 6 t t+ f - contradiction i 2 f - i f Try: (*)*(*) t If this output is unsatisfiable then the property holds (*)*(*) t+

16 7. SAT-Based Model-Checking 6 The addition of one counter-example may lead to another counter-example and so on... In complex situations, the efficient strengthening th of an invariant i is still an open problem 7. SAT-Based Model-Checking 63 Can this be better than the -step induction schema p t p t+? S(s6) s6 gives the spurious counter-example s5, s6 S(S(S(s6))) s6 holds! S(s6) s s s2 s3 s4 s5 s6 s7 s6 7. SAT-Based Model-Checking 62 Since spurious counter-examples for inductive invariants are caused by unreachable states, induction can also be used in the form of k-step induction for a bounded model- checker as follows (Sheeran et al. FMCAD'2) 7. SAT-Based Model-Checking 64 Can this be better than the -step induction schema p t p t+? S(s6) s6 gives the spurious counter-example s5, s6 S(S(S(s6))) s6 holds! p... p k p t... p t+k p t+k+ t: p t S(S(s6)) S(s6) s s s2 s3 s4 s5 s6 s7 s6

17 7. SAT-Based Model-Checking 65 Can this be better than the -step induction schema p t p t+? S(s6) s6 gives the spurious counter-example s5, s6 S(S(S(s6))) s6 holds! S(S(S(s6))) S(S(s6)) S(s6) 7. SAT-Based Model-Checking 67 The following example shows the successful application of 2-step induction to the proof of G(*) in a previous example using IPC we prove (*) t *(*) t+ (*) t+2 this avoids the spurious counter-example of -step induction: s s s2 s3 i f s4 s5 s6 s7 s6 7. SAT-Based Model-Checking 66 Formally, we have to check the induction basis by proving that Init(S )*T(S, I, S )*T(S, I, S 2 )*... *T(S k-, I k-, S k )* [p(s )+p(s )+... +p(s k )] is unsatisfiable, and the induction step by proving that T(S, I, S )*T(S, I, S 2 )*... *T(S k-, I k-, S k )*T(S k, I k, S k+ )* is unsatisfiable p(s )*p(s )*... *p(s k )*p(s k+ ) 7. SAT-Based Model-Checking t f i t+ t+2 f f i 2 If this output t is unsatisfiable - - then the property holds (*) t+2 (*) t (*) t+ i f

18 7. SAT-Based Model-Checking 69 In the examples above, the "end of the unreachable states", where no unreachable predecessors were left, was reached within a finite number of steps This is not the case anymore if loops are involved... The loop-problem: s s s2 s3 S(s6) 7. SAT-Based Model-Checking 7 One way to overcome the problem of spurious counterexamples in IPC is to employ invariants of a system Since spurious counter-examples are caused by unreachable states and since invariants restrict the set of unreachable states it is intuitively clear that an invariant as an additional constraint may prevent spurious counterexamples We will discuss this procedure by means of a running example which hwas introduced d in the previous Section. S(s6) s4 s5 s6 s7 s6 7. SAT-Based Model-Checking 7 Since loops in the unrolled circuits are problematic, an additional term enforcing different states at each step is added to increase the efficiency of the approach: [(S S )*(S S 2 )*... *(S S k+ )* (S S 2 )*(S S 3 )*...*(S S k+ )*... (S k S k+ )]* T(S, I, S )*T(S, I, S 2 )*... *T(S k-, I k-, S k )*T(S k, I k, S k+ )* p(s )*p(s )*... *p(s k )*p(s k+ ) Increases the size of the formula quadratically in k 7. SAT-Based Model-Checking 72 The problem of spurious counter-examples in IPC is prevalent in the verification of systems consisting of interacting finite-state machines (fsm's), e.g., implementations of bus-protocols In the following example, a main fsm (left) controls a second fsm (a counter) s start= - c= start= c state-variable s s= s= s s= s= s state-variable c s

19 7. SAT-Based Model-Checking 73 We want to prove that with s= and start= at point t of time, we have again s= after exactly 6 time points: 7. SAT-Based Model-Checking 75 The path corresponding to the property to be proven: s t = * start t t = s t+6 = (I) s t = * start t = s t+6 = start= s - c= start= c s= s= s s= s= s start= state-variable s s state-variable c state-variables s/c 7. SAT-Based Model-Checking 74 The following slides show the state-space, the path corresponding to the property to be proven, and the path corresponding to a spurious counter-example The complete state-space space consists of 3*4 = 2 states, 6 states are reachable: 7. SAT-Based Model-Checking 76 Unfortunately, we get a counter-example: if the system started in state s t = and c t = then we have 6 time points later s t+6 =! However, we observe (by inspection of the design) that s t = and c t = is an unreachable state since c t = is possible only with s t =. Typically, we modify the property (I) and add an additional constraint c t = to the assumption of the property: c t = * s t = * start t = s t+6 = (II) Property (II) will now be verified successfully by IPC state-variables s/c

20 7. SAT-Based Model-Checking 77 The path of the spurious counter-example: s t = * start t = s t+6 = start= start= 7. SAT-Based Model-Checking 79 Our solution will be to employ an invariant v and try to prove T n (v p) (III) rather than the original IPC-proof T n p (see (ii) and (iii) in Section 7.2). If (III) holds then p holds globallay, too (a proof will be given below) Intuitively, this is reasonable since we require that p holds only for those states characterized by v and v, as an invariant, includes all reachable states t and excludes some unreachable ones state-variables s/c 7. SAT-Based Model-Checking 78 The procedure above rises a couple of questions: Our original interest was to prove (I) and not (II). Are we allowed to infer the truth of (I) from the proof of (II)? What additional constraints should we add to the original assumption of the property? c t = was only one possible example if we added as an assumption then we could prove everything! The answer will be that (I) in fact holds. However, the additional constraint c t = must satisfy certain properties which have to be validated Basically, an invariant will be employed The invariant has to be checked This will be formally discussed in the following slides 7. SAT-Based Model-Checking 8 Example (see Section 7.2): The following state-diagram is an autonomous 3-step counter which "counts" -... The state is the initial state. The state is unreachable. To prove the correct operation of the 3-step counter, we may want to prove that the values of the flipflops are repeated after 3 time steps, thus f t = f t+3 and t = t+3. However, for the property t = t+3 we get the counter-example if we ignore the unreachability of state. f

21 7. SAT-Based Model-Checking 8 In the example, an invariant v is (f t * t ) ("state is not reachable") According to (III), we prove (f t * t ) ( t = t+3 ) and do not get a counter-example anymore However, in order to be sure that we do not exclude actual counter-examples we are obliged to prove that (f t * t ) holds for all initializable paths, i.e., that state is unreachable. This can be done, for instance, by induction 7. SAT-Based Model-Checking 83 In many cases, the property p is of the form p = a c. Since v p = v (a c) = v + a + c = v*a c we can replace (III) in such situations by the proof of: T n (v*a c) We "strengthen" the assumption a by the invariant v (IV) f 7. SAT-Based Model-Checking 82 A formal proof of T n (v p) (III) means the following: Show that t: Init*T t *T n p (p holds globally, see (i) in Section 7.2) follows from t: Init*T t v (v is an invariant) i and T n (v p) (III). The problem is of the form: Prove the tautology of (M v)*(n (v p)) (M*N p) where M ~ Init*T t and N ~ T n for some fixed t and n. Applying the definition of the implication-operator and demorgan's-law we obtain equivalently: [(M + v)*(n + v + p)] + M + N + p = Mv + Nvp + M + N + p which is tautologically true. 7. SAT-Based Model-Checking 84 In addition, the invariant v itself is often of the form part of the assumption (pa) additional constraint (ac) e.g., s t = c t = where part of the assumption is implied by the original assumption a, a pa =, e.g., s t =*start t = s t = is a tautology In this case, we can simply build the conjunction of the original assumption and the additional constraint: according to (IV), we have to prove v*a c assuming a pa =, we have a*pa = v is of the form pa ac, hence v*a c becomes: (pa ac)*a c = pa*a + ac*a c = ac*a c We simply build the and of the original assumption and the additional constraint, e.g., c t =*s t =*start t = s t+6 =.

22 7. SAT-Based Model-Checking 85 In the example of the interacting fsm's above, we wanted to show the original property (I): s t = * start t = s t+6 = Building the product of the invariant s t = c t = or s t + c t = and the assumption of (I), we obtain (s t + c t =) * s t = * start t = s t+6 = which can be simplified to (II): c t = * s t = * start t = s t+6 = 7. SAT-Based Model-Checking 87 Proving the invariance property of s t + c t = we may use induction, i.e., we try to prove the induction step s t + c t = s t+ + c t+ = Unfortunately, we get a counter-example example caused by the transitions shown below: c= reachable states We conclude that (II) in fact proves (I) for the system However, we are obliged to prove that s t + c t = is actually an invariant! s state-variables s/c 7. SAT-Based Model-Checking SAT-Based Model-Checking 88 The transitions in the state-diagram; s t + c t = c= reachable states s - start= c= start= c s= s s= s s= s= s state-variables s/c state-variable s s state-variable c

23 7. SAT-Based Model-Checking 89 We employ an additional invariant s t = c t = or s t + c t = and are finally able to prove by induction: [s t + c t =]*[s t + c t =]* [s t+ + c t+ =]*[s t+ + c t+ =] Note that [s t + c t =]*[s t + c t =] characterizes exactly the reachable states c= reachable states s 7. SAT-Based Model-Checking 9 3 concepts of abstraction to obtain a simpler system-model: Exact abstraction Ad-hoc abstraction Conservative abstraction Temporal property Abstract model Model- Checker N Y? s state-variables s/c Sequential circuit (concrete model) counter example spurious or not? 7. SAT-Based Model-Checking 9 A summary of what we have proven so far: t: s t = c t = and t: s t = c t = are invariants and hold for the (reachable states of the) system although we were not able to prove, e.g., t: s t = c t = simply by induction! The original property s t =*start t = s t+6 = holds for the (reachable states of the) system although we had to strengthen the assumption to c t =*s t =*start t = s t+6 = for technical reasons, i.e., to cope with the reachability issues of IPC 7. SAT-Based Model-Checking 92 Exact abstraction If the property holds in the abstract model, it holds in the concrete model as well If the property does not hold in the abstract model, it does not hold in the concrete model Currently, there are no fully automated techniques for exact abstractions

24 7. SAT-Based Model-Checking 93 Ad-hoc simplifications Build (manually) a simpler model, e.g., of a C program Check properties p on the simplified model If the property holds, it can not be made clear that the property holds in the concrete (original) model! If the property does not hold it has to be checked if the property does not hold in the original model Main application: error detection Model-checking discovers other types of bugs than simulation of single cases 7. SAT-Based Model-Checking 95 ACTL-based conservative abstraction ACTL is a restriction of CTL to the A-operators AX, AF, and AG The negation is restricted to literals Otherwise we could back-introduce the E- operators, e.g., by means of EG( p) AF( p) This also excludes operators like exor and implication! For instance, p AX ( AF ( p )) is a ACTL formula 7. SAT-Based Model-Checking 94 Conservative abstraction () If the property holds in the abstract model, it holds in the concrete model as well (2) If the property does not hold in the abstract model, a counter-example is generated; it has to be checked in the concrete model if the counter-example is spurious or not If the counter-example is a counter-example in the concrete model as well then, of course, the property is violated and we are finished If not, the abstract model has to be refined on the basis of the counter-example and the procedure has to be repeated This technique is called CEGAR (Counter Example Guided Abstraction Refinement) 7. SAT-Based Model-Checking 96 ACTL formulas enjoy many interesting properties Example: ACTL supports compositional model-checking: Assume that a temporal property p of a subsystem is proven The subsystem is embedded into a bigger system, i.e., composed with other subsystems Is the proven property still valid? System Subsystem 2 Subsystem 3 Subsystem 4 Subsystem

25 7. SAT-Based Model-Checking 97 Problem: The inputs of the subsystem are "free" and unrestricted All input sequences are possible If the subsystem is connected with other subsystems, some sequences may be excluded Certain execution paths may not be possible anymore Certain properties may not be valid anymore! All possible paths 7. SAT-Based Model-Checking 99 The rest of this Section discusses similar abstraction techniques which are particularly useful if IPC (Section 7.2) based on SAT-checking is applied EF(p) The environment restricts the execution paths to this subset p 7. SAT-Based Model-Checking SAT-Based Model-Checking Properties specified as ACTL formulas remain valid if a subsystem is embedded into some environment ACTL formulas check properties for all paths; a restriction ti does not invalidate the property Assume that a Boolean expression f(x, y,..., y n ) is unsatisfiable, i.e., f=. Then certainly the two cofactors w.r.t. x are both unsatisfiable, i.e., f(, y,..., y n )= and f(, y,..., y n )= (*) Assume that we replace the variable x with a function g(z,..., z n ) (the support of g does not have to be distinct from the support of f). In terms of circuits this means that we connect the input x of f with some additional circuit implementing g: x y y n... f... z z n g y... y n f

26 7. SAT-Based Model-Checking The substitution of g for x is expressed by g*f(, y,..., y n ) + g*f(, y,..., y n ) This expression is also unsatisfiable since both cofactors are due to (*) As a result, if we check a property of a circuit by demonstrating unsatisfiability of an output f where a partial circuit is replaced by a free input, then the property holds also for the original circuit However, if the property does not hold we do not know if the property is also violated in the original circuit z... z n g x y... y n f 7. SAT-Based Model-Checking 3 Introduction of free inputs can also be directly applied to the IPC procedure This will be illustrated by means of the following 4-bit shift-register i t example for e= the input d and the 4 registers are shifted down d e for e= the shift-register is unchanged (the flipflops are reloaded) f 7. SAT-Based Model-Checking 2 A generalization of this technique is called black-boxing: Some part p of a system, for instance, a combinational multiplier, is replaced by a "black-box", i.e., the outputs t of p are replaced by free inputs A conservative abstraction... p... System 7. SAT-Based Model-Checking 4 We want to prove the obvious property that the content of flipflop at point t+4 of time is equal to the value of the input d at point t of time, if the input e is at points t,..., t+3 of time: e t *e t+ *e t+2 *e t+3 ( t+4 d t ) Negating the property yields: e t *e t+ *e t+2 *e t+3 *( t+4 d t ) d e We have to prove that this f expression is unsatisfiable

27 7. SAT-Based Model-Checking 5 Unfolding 4 times and adding the property yields: 7. SAT-Based Model-Checking 7 Cone-of-influence reduction is a standard technique: d e d e d 2 e 2 d 3 e 3 e t *e t+ *e t+2 *e t+3 d e e e 2 e 3 f f f f f Results in a smaller SAT-instance = f = f 7. SAT-Based Model-Checking 6 Cone-of-influence reduction is a standard technique: d e d e d 2 e 2 d 3 e 3 7. SAT-Based Model-Checking 8 However, we can cut away even more circuits: d e e e 2 e 3 = f = f

28 7. SAT-Based Model-Checking 9 Problems: Where to introduce cut-points ("switches")? How to determine which switches should be closed if the proof fails? 7. SAT-Based Model-Checking The switches are closed according to the counter-examples d e e e 2 e 3 Free input gives a counter example - = f 7. SAT-Based Model-Checking "Switches" are introduced at the ouputs of the flipflops 7. SAT-Based Model-Checking 2 The switches are closed according to the counter-examples d e e e 2 e 3 d e e e 2 e 3 Free input gives a 2nd counter example - = f - = f

29 7. SAT-Based Model-Checking 3 Finally, a contradiction is found: d e e e 2 e = f 7. SAT-Based Model-Checking 4 Remark: The CEGAR idea is due to Clarke et al. CAV'2. The combination of CEGAR and incomplete BMC was developed by I. Schäfer in his dissertation at TUD. The shift-register example is taken from his dissertation.