2. DPLL-style SAT solvers
Copyright 2002 Cadence Design Systems. Permission • Objective:
SATO,GRASP,CHAFF,BERKMIN
– Check satisfiability of a CNF formula
• literal: v or Øv
• clause: disjunction of literals
• CNF: conjunction of clauses
• Approach:
– Branch: make arbitrary decisions
– Propagate implication graph
– Use conflicts to guide inference steps
3. The Implication Graph (BCP)
(Øa Ú b) Ù (Øb Ú c Ú d)
a
b
Øc
d
Decisions
Assignment: a Ù b Ù Øc Ù d
Copyright 2002 Cadence Design Systems. Permission
4. Copyright 2002 Cadence Design Systems. Permission Resolution
a Ú b Ú Øc Øa Ú Øc Ú d
b Ú Øc Ú d
When a conflict occurs, the implication graph is
used to guide the resolution of clauses, so that the
same conflict will not occur again.
5. Conflict Clauses
(Øa Ú b) Ù (Øb Ú c Ú d) Ù (Øb Ú Ø d)
Copyright 2002 Cadence Design Systems. Permission a
Øc
Decisions
b
Assignment: a Ù b Ù Øc Ù d
d
Conflict!
(Øb Ú c )
resolve
Conflict!
(Øa Ú c)
resolve
Conflict!
6. Conflict Clauses (cont.)
Copyright 2002 Cadence Design Systems. Permission • Conflict clauses:
– Are generated by resolution
– Are implied by existing clauses
– Are in conflict in the current assignment
– Are safely added to the clause set
Many heuristics are available for determining
when to terminate the resolution process.
7. Basic SAT algorithm
A = Æ
empty
y
clause?
UNSAT
conflict?
Copyright 2002 Cadence Design Systems. Permission Deduce conflict
clause and
backtrack
y
n
is A
total?
y
SAT
Branch:
add some literal
to A
8. Generating refutations
Copyright 2002 Cadence Design Systems. Permission • Refutation = a proof of the null clause
– Record a DAG containing all resolution steps
performed during conflict clause generation.
– When null clause is generated, we can extract a
proof of the null clause as a resolution DAG.
Original clauses
Derived clauses
Null clause
9. Circuit SAT
Copyright 2002 Cadence Design Systems. Permission Can the circuit output be 1?
(a Ú Øg) Ù (b Ú Øg)
Ù(Øa Ú Øb Ú g)
g
a
b
c p
input
variables output
variable
CNF(p)
(Øg Ú p) Ù (Øc Ú p)
Ù(g Ú c Ú Øp)
p is satisfiable when the
formula CNF(p) Ù p
is satisfiable
10. Bounded Model Checking
Copyright 2002 Cadence Design Systems. Permission • Given
– A finite transition system M
– A property p
• Determine
BCCZ99
– Does M allow a counterexample to p of k transitions
of fewer?
This problem can be translated to a SAT problem
11. Copyright 2002 Cadence Design Systems. Permission Models
Transition system described by a set of
constraints
g = a Ù b
g
c' = p
a
b p c
p = g Ú c
Model:
C = {
Each circuit element is a constraint
note: a = at and a' = at+1
g = a Ù b,
p = g Ú c,
c' = p
}
12. Copyright 2002 Cadence Design Systems. Permission Properties
• We restrict our attention to safety
properties.
• Characterized by:
– Initial condition I
– Final condition F (representing "bad" states)
• A counterexample is a path from a state
satisfying I to state satisfying F, where every
transition satisfies C.
13. Copyright 2002 Cadence Design Systems. Permission Unfolding
• Unfold the model k times:
Uk = C0 Ù C1 Ù ... Ù Ck-1
a
b
g a
I b
... g F0 p c
k
• Use SAT solver to check satisfiability of
g a
p c
b
p c
I0 Ù Uk Ù Fk
• A satisfying assignment is a counterexample
of k steps
14. BMC applications
Copyright 2002 Cadence Design Systems. Permission • Debugging:
– Can find counterexamples using a SAT solver
• Proving properties:
– Only possible if a bound on the length of the
shortest counterexample is known.
• I.e., we need a diameter bound. The diameter is the
maximum lenth of the shortest path between any two
states.
– Worst case is exponential. Obtaining better bounds
is sometimes possible, but generally intractable.
15. Unbounded Model Checking
Copyright 2002 Cadence Design Systems. Permission • We consider a variety of methods to explioit
SAT and BMC for unbounded model checking:
– K-step induction
– Abstraction
• Counterexample-based
• Non-counterexample-based
– Exact image computations
• SAT solver tests for fixed point
• SAT solver computes image
– Over-approximate image computations
17. K-induction with a SAT solver
Copyright 2002 Cadence Design Systems. Permission • Recall:
Uk = C0 Ù C1 Ù ... Ù Ck-1
• Two formulas to check:
– Base case:
I0 Ù Uk-1 Þ P0...Pk-1
– Induction step:
Uk Ù P0...Pk-1 Þ Pk
• If both are valid, then P always holds.
• If not, increase k and try again.
18. Simple path assumption
Copyright 2002 Cadence Design Systems. Permission • Unfortunately, k-induction is not complete.
– Some properties not k-inductive for any k.
P P ØP
• Simple path restriction:
– There is a path to ØP iff there is a simple path to
ØP (path with no repeated states).
19. Induction over simple paths
Copyright 2002 Cadence Design Systems. Permission • Let simple(s0..k) be defined as:
i,j in 0..k : (i ¹ j) Þ si ¹ sj
• k-induction over simple paths:
P(s0..k-1)
i: simple(s0..k) Ù P(si..i+k-1) Þ P(si+k)
i: P(si)
Must hold for k large enough, since a simple path cannot be
unboundedly long. Length of longest simple path is called
recurrence diameter.
20. ...with a SAT solver
Copyright 2002 Cadence Design Systems. Permission • For simple path restriction, let:
Sk = t=0..k, t'=t+1..k: Ø v in V : vt = vt'
(where V is the set of state variables).
• Two formulas to check:
– Base case:
I0 Ù Uk-1 Þ P0...Pk-1
– Induction step:
Sk Ù Uk Ù P0...Pk-1 Þ Pk
• If both are valid, then P always holds.
• If not, increase k and try again.
21. Copyright 2002 Cadence Design Systems. Permission Termination
• Termination condition:
k is the length of the longest simple path of the form
P* ØP
• This can be exponentially longer than the
diameter.
– example:
• loadable mod 2N counter where P is (count ¹ 2N-1)
• diameter = 1
• longest simple path = 2N
• Nice special cases:
– P is a tautology (k=0)
– P is inductive invariant (k=1)
22. Localization abstraction
Copyright 2002 Cadence Design Systems. Permission • Property: G (c Þ X c)
g
a
b p c
Model:
C = {
g = a Ù b,
p = g Ú c,
c' = p
}
'
free variable
C'Þ property, C Þ C'
C Þ property
Kurshan
23. Constraint granularity
Copyright 2002 Cadence Design Systems. Permission Most authors use constraints at latch granularity...
g Model:
a
b p c
C = {
c' = (a Ù b) Ú c
}
...however, techniques we will consider can be applied at
both gate and latch granularity.
24. Localization, cont
Copyright 2002 Cadence Design Systems. Permission • C' may refer to fewer state variables than C
– reduction in the state explosion problem
• Key issue: how to choose constraints in C'
– counterexample-based
– proof-based
25. Algorithm
Choose initial C'
Model check
true, done
abstraction C'
Cex
Can extend Cex
yes, Cex
from C'to C?
no
Add constraints
to C'
Copyright 2002 Cadence Design Systems. Permission SAT uses
Kurshan
26. Abstract counterexamples
Copyright 2002 Cadence Design Systems. Permission • Assume simple safety property:
– initial condition I and final condition F
– w.l.o.g., assume I and F are atomic formulas
• to make this true, add constraints in C:
vI Û I vF Û F
• Abstract variables V' = support(C',I,F)
• Abstract counterexample A' is a truth
assignment to:
{ vt | v in V', t in 0..k }
where k is the number of steps.
27. Counterexample extension
CGJLV 2000
Copyright 2002 Cadence Design Systems. Permission • Abstract counterexample A' satisfies:
I0 Ù U'k Ù Fk where U'k = C'0 Ù C'1 Ù ... Ù C'k-1
• Find A consistent with A', satisfying:
I0 Ù Uk Ù Fk where Uk = C0 Ù C1 Ù ... Ù Ck-1
• That is, A is any satisfying assignment to:
A' Ù I0 Ù Uk Ù F I.e., to extend an absktract counterexample, we just
apply it as a constraint in BMC. If unsat, abstract
counterexample is false.
28. Abstraction refinement
Copyright 2002 Cadence Design Systems. Permission • Refinement = adding constraints to C' to
eliminate false counterexamples.
• Many heuristsics used for this.
– Too many to cover here.
– Recall that a SAT solver can produce a resolution-based
refutation in the UNSAT case....
29. Proof-based refinement
Copyright 2002 Cadence Design Systems. Permission • Recall, to extend abstract Cex A', we check:
A' Ù I0 Ù Uk Ù Fk
• If UNSAT, we obtain refutation proof P
– proof that A' cannot be extended to concrete Cex
• Let E be set of constraints used in proof P:
E = { c Î C | some ci occurs in P }
• A' cannot be extended to a Cex for E
– P is the proof of this. Thus, add E to C' and continue...
30. In other words...
Copyright 2002 Cadence Design Systems. Permission The refutation of the formula:
A' Ù I0 Ù Uk Ù Fk
gives us a sufficient set of constraints to rule
out the abstract counterexample.
We continue ruling out counterexamples until either the
abstraction C' proves the property or we can extend an
abstract counterexample to a concrete one.
31. CCKSVW approach (FMCAD02)
Copyright 2002 Cadence Design Systems. Permission • Find the shortest prefix of Cex A' that
cannot be extended.
OK OK OK OK NO!
s0 s1 s2 si-1 si ...
• That is,
A' Ù I0 Ù Uk Ù Fk
is feasible for all k i, but not for k=i.
32. CCKSVW approach cont.
Copyright 2002 Cadence Design Systems. Permission • Let P be a refutation of
A' Ù I0 Ù Ui Ù Fi
• Let E be set of constraints used in proof P
only on state si-1:
E = { c Î C | ci-2 occurs in P }
OK OK OK OK NO!
s0 s1 s2 si-1 si ...
add constraints used here
33. Weakness of Cex-based approach
Copyright 2002 Cadence Design Systems. Permission • Arbitrarily chosen abstract Cex may be
refutable for many reasons not related to
property.
– Thus, may add irrelevant constraints.
– To remedy, may try to characterize a set of Cex's
rather than just one (e.g., GKM-HFV,TACAS03).
Alternative: don't use counterexamples
34. Proof-based abstraction
Cex?
BMC
done
at depth k
No Cex?
Use refutation to
choose abstraction
True?
MC abstraction done
False?
Copyright 2002 Cadence Design Systems. Permission Increase k
MA,TACAS03
35. BMC phase
Copyright 2002 Cadence Design Systems. Permission • Unfold the model k times:
U = C0 Ù C1 Ù ... Ù Ck-1
• Use SAT solver to check satisfiability of
I0 Ù U Ù Fk
• If unsatisfiable:
• property has no Cex of length k
• produce a refutation proof P
36. Abstraction phase
Copyright 2002 Cadence Design Systems. Permission • Let C' be set of constraints used in proof P:
C' = { c Î C | some ci occurs in P }
• C' admits no counterexample of length k
– let U' = C'0 Ù C'1 Ù ... Ù C'k-1
– P is a refutation of I0 Ù U' Ù Fk
• Model check property on C'
– property true for C' implies true for C
– else Cex of length k' k (why?)
• restart for k = k'
37. Algorithm
Cex?
BMC
done
C at depth k
No Cex?
Refutation P induces
abstraction C'
True?
Model check C' done
Cex of depth k'?
Copyright 2002 Cadence Design Systems. Permission let k = k'
Notice: MC counterexample is thrown away!
38. Copyright 2002 Cadence Design Systems. Permission Termination
• Depth k increases at each iteration
• Eventually k d, diameter of C'
• If k d, no counterexample is possible
In practice, termination uses occurs when k » d/2
Usually, diameter C' diameter of C
39. Weakness of proof-based abs
Copyright 2002 Cadence Design Systems. Permission • BMC must refute all counterexamples of
length k, while in Cex-based, BMC must refute
only one (partial) counterexample.
40. PicoJavaII benchmarks
Copyright 2002 Cadence Design Systems. Permission • Hardware Java virtual machine implementation
• Properties derived from verification of ICU
– handles cache, instruction prefetch and decode
• Original abstraction was manual
• Added neigboring IFU to make problem harder
ICU IFU
Mem,
Cache
Integer
unit
properties
No properties can be verified by standard model checking!
42. Copyright 2002 Cadence Design Systems. Permission Inference
• SAT solver seems to be very effective at
narrowing down the proof to relevant facts.
In most cases, it did better than manual abstraction.
43. Comparing CBA and PBA
Copyright 2002 Cadence Design Systems. Permission • Apples-apples comparison
– same SAT solver
– same model checker
– only differences are:
• For CBA previous A' is kept as a constriaint for BMC, C' is
cumulative.
• For PBA previous A' and C' are thrown away each
iteration.
Note these are my implementations. This says nothing
about performance of specific tools!
46. Possible explanation
Copyright 2002 Cadence Design Systems. Permission • Internally, SAT solver is really doing CBA
a=0
b=1
c=0
d=1
decision stack
= abstract Cex A'
refutation of A'
decision heuristic
moves proof variables
up, into A'
47. PBA run-time breakdown
Copyright 2002 Cadence Design Systems. Permission 100%
50%
0%
solid = BMC time, open = MC time
48. CBA run-time breakdown
Copyright 2002 Cadence Design Systems. Permission 100%
50%
0%
solid = BMC time, open = MC time
49. IBM GP benchmarks
Thanks to Jason Baumgartner
Copyright 2002 Cadence Design Systems. Permission 1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000
Proof-based abstraction
Baumgartner et al.
50. Compare to K-induction on PicoJava
1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000
Proof-based abstraction (s)
Copyright 2002 Cadence Design Systems. Permission k-induction (FMCAD00) (s)
51. A (fuzzy) hypothesis
Copyright 2002 Cadence Design Systems. Permission SAT-based BMC succeeds when number of
relevant variables is small, and fails otherwise.
success is BMC for k = diameter of relevant logic
• Parameterized models allowing no abstraction
Model Max state vars
German protocol 42
swap 21
53. Copyright 2002 Cadence Design Systems. Permission Implications
• Most of the time if bounded model checking
succeeds, unbounded model checking also
succeeds using abstraction.
• No need to settle for time bounded result
• Bounded model checking may be applicable only
to localizable properties
54. Image computation methods
Copyright 2002 Cadence Design Systems. Permission • Symbolic model checking without BDD's
– Use SAT solver just for fixed-point detection
• Abdulla, Bjesse and Een 2000
• Williams, Biere, Clarke and Gupta 2000
– Adapt SAT solver to compute image directly
• McMillan, 2002
55. Symbolic model checking
Copyright 2002 Cadence Design Systems. Permission • Recall: Fixed point characterizaion of CTL:
EFp = m. Q p Ú EX Q
• Reverse image:
EXp = $W. p di / si
state variable
input variables transition function
56. Syntactic expansion of
quantifiers
Copyright 2002 Cadence Design Systems. Permission • By definition:
$w. p = p0/w Ú p1/w
• Thus, we can compute reverse image by
syntactic expansion and simplification.
– note: expontential in number of inputs.
• Fixed-point series:
R0 = false
Ri+1 = p Ú EX Ri
Terminates when Ri+1 Þ Ri
(SAT problem)
57. Copyright 2002 Cadence Design Systems. Permission Limitations
• Syntactic quantifier elimination is exponential
– Method limited to circuits with very few inputs
– E.g., sequential arithmetic circuits
58. Direct image computation
Copyright 2002 Cadence Design Systems. Permission • Adapt SAT methods for image computation in
symbolic model checking
– Recall: this is essentially quantifier elimination
• Idea: reduce formula to CNF or DNF
– Make quantifier elimination easy
– Essentially, enumerate all satisfying assignments,
but in an efficient way (i.e., by covering them with
clauses or cubes).
59. Circuit Validity
Copyright 2002 Cadence Design Systems. Permission Can the circuit output be 0?
(a Ú Øg) Ù (b Ú Øg)
Ù(Øa Ú Øb Ú g)
g
a
b
c p
input
variables
VI
output
variable
CNF(p)
(Øg Ú p) Ù (Øc Ú p)
Ù(g Ú c Ú Øp)
p is valid when the
formula CNF(p) Ù Øp
is unsatisfiable
60. CNF Characterization
Copyright 2002 Cadence Design Systems. Permission Instead of checking validity of p, we now want
to derive a CNF formula over the input variables
VI that is logically equivalent to the circuit.
Idea: each time a satisfying assignment is
found, add a new “blocking clause” that rules
out this satisfying assignment.
The blocking clauses form our characterization
of p.
61. Blocking clauses
Copyright 2002 Cadence Design Systems. Permission • Blocking clauses must:
– be implied by p
– be in conflict in the current assignment
– involve only input variables (in VI)
Can we use conflict clauses as
blocking clauses?
Not quite...
62. An example
Copyright 2002 Cadence Design Systems. Permission g Want to characterize p in CNF:
a
b
c p
•Test satisfiability of CNF(p) Ù Øp
Guess the assignment A = a
Implication graph:
a
Øp
Øg
Øb
Øc
Satisfying!
Problem:
We can’t infer anything
from p, because Øp is
already a root of the
graph.
63. Alternate implication graph
a
Øb
Øc
Copyright 2002 Cadence Design Systems. Permission a
b
c p
a
Øp
Øg
Øb
Øc
Construct a new implication graph
rooted at the input variables.
Now we can always generate a conflict clause
from p using only input variables.
g
Original
Øg
Øp
Alternate
64. Blocking clause example
g
Copyright 2002 Cadence Design Systems. Permission a
b
c p
Alternate graph
a
Øb
Øc
Øg
Øp
(g Ú c Ú Øp)
p
(g Ú c)
(b Ú Øg)
(b Ú c)
We stop when the clause has only inputs
65. CNF characterization algorithm
A = Æ, c = Æ
empty
y return
clause?
c
n
y
Deduce conflict?
Infer blocking
clause c’ from p.
is A
y
Branch Add c’ to f, c.
total?
Copyright 2002 Cadence Design Systems. Permission
66. Universal Quantifier Elimination
Given
• a circuit p, and
• a subset W of the input variables,
we want to compute a CNF formula equivalent to
W.p
Idea: Eliminating in CNF formulas is trivial.
e.g.: a. (a Ú b) Ù (Øa Ú Øc Ú d) = (b) Ù (Øc Ú d)
... just push inside Ù ...
Copyright 2002 Cadence Design Systems. Permission
67. - elimination algorithm
A = Æ, c = Æ
empty
y return
clause?
c
n
y
Copyright 2002 Cadence Design Systems. Permission Deduce conflict?
is A
total?
y
Infer blocking
clause c’ from p.
Branch Add W.c’ to f, c.
68. CTL Model Checking with SAT
AXp p
AXp = W. p d/ s
i i state variable
input variables transition function
Copyright 2002 Cadence Design Systems. Permission
69. Recent related work
Copyright 2002 Cadence Design Systems. Permission • Sheng, Hsiao (DATE 2003)
– Uses ATPG methods
• Chauhan, Clarke, Kroenig
– Computes forward rather than backward image
70. Simplified PicoJavaII
benchmarks
Copyright 2002 Cadence Design Systems. Permission • This method can't handle large numbers of
irrelevant variables directly.
– Like BDD method, it computes exact reachable
states.
– Comparable to BDD methods, not abstraction
methods.
• We compare the method to BDD's for a set of
benchmarks in which most of the irrelevant
logic is pruned out manually.
71. Note low correlation
between the two methods.
SAT based method may
be a good alternative
when BDD’s fail.
Copyright 2002 Cadence Design Systems. Permission 10000
1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000 10000
Run time of BDD-based method (s)
Run time of SAT-based method (s)
Comparison with BDD’s
Note low variance in
times for BDD based
technique.
Benchmarks may be
biased in favor of BDD’s.
BDD’s are better overall.
But note relative
immaturity of SAT
based method
72. SAT-based image
Copyright 2002 Cadence Design Systems. Permission • May provide a good alternative when BDD's
fail.
• Does not take advantage of SAT solver's
ability to filter out irrelevant facts, since
exact image is computed.
73. Image over-approximation
Copyright 2002 Cadence Design Systems. Permission • BMC and Craig interpolation allow us to
compute image over-approximatino relative to
property.
– Avoid computing exact image.
– Maintain SAT solver's advantage of filtering out
irrelevant facts.
74. Copyright 2002 Cadence Design Systems. Permission Interpolation
• If A Ù B = false, there exists an interpolant
A' for (A,B) such that:
A Þ A'
A' Ù B = false
A' refers only to common variables of A,B
• Example:
– A = p Ù q, B = Øq Ù r, A' = q
• New result
– given a resolution refutation of A ÙB,
A' can be derived in linear time.
(Craig,57)
(Pudlak,Krajicek,97)
75. Interpolation-based MC
Copyright 2002 Cadence Design Systems. Permission • Interpolation gives us
– SAT-based algorithm for over-approximate image
computation, using interpolation
– SAT-only symbolic model checking
76. Copyright 2002 Cadence Design Systems. Permission Reachability
• Is there a path from I to F satisfying
transition constraint C?
• Reachability fixed point:
R0 = I
Ri+1 = Ri Ú Img(Ri,C)
R = È Ri
• Image operator:
Img(P,C) = lV'. $ V. (P Ù C)
• F is reachable iff R Ù F ¹ false
77. Copyright 2002 Cadence Design Systems. Permission Overapproximation
• An overapproximate image op. is Img' s.t.
for all P, Img(P,C) implies Img'(P,C)
• Overapprimate reachability:
R'0 = I
R'i+1 = R'i Ú Img'(R'i,C)
R' = È R'i
• Img' is adequate (w.r.t.) F, when
– if P cannot reach F, Img’(P,C) cannot reach F
• If Img' is adequate, then
– F is reachable iff R' Ù F ¹ false
78. Adequate image
Copyright 2002 Cadence Design Systems. Permission Img(P,C)
P F
Img’(P,C)
Reached from P Can reach F
But how do you get an adequate Img'?
79. k-adequate image operator
Copyright 2002 Cadence Design Systems. Permission • Img' is k-adequate (w.r.t.) F, when
– if P cannot reach F,
Img’(P,C) cannot reach F within k steps
• Note, if k diameter, then k-adequate is
equivalent to adequate.
80. Interpolation-based image
Copyright 2002 Cadence Design Systems. Permission • Idea -- use unfolding to enforce k-adequacy
A = P-1 Ù C-1
B = C0 Ù C1 Ù ... Ù Ck-1 Ù Fk
A B
P C C C C C C C F
t=0 t=k
Let Img'(P)0= A',
where A' is an interpolant for (A,B)...
Img' is k-adequate!
81. Copyright 2002 Cadence Design Systems. Permission Huh?
A'
A B
P C C C C C C C F
• A Þ A'
t=0 t=k
– Img(P,C) Þ Img'(P,C)
• A' Ù B = false
– Img'(P,C) cannot reach F in k steps
• Hence Img' is k-adequate overapprox.
But note, Img' is partial -- not defined if AÙB is sat.
82. Copyright 2002 Cadence Design Systems. Permission Intuition
A'
A B
P C C C C C C C F
t=0 t=k
• A' tells is everything the SAT solver deduced
about the image of P in proving it can't reach
F in k steps.
• Hence, A' is in some sense an abstraction of
the image relative to the property.
83. Reachability algorithm
Copyright 2002 Cadence Design Systems. Permission let k = 0
repeat
if I can reach F within k steps, answer reachable
R = I
while Img'(R,C) Ù F = false
R' = Img'(R,C) Ú R
if R' = R answer unreachable
R = R'
end while
increase k
end repeat
84. Copyright 2002 Cadence Design Systems. Permission Termination
• Since k increases at every iteration, eventually
k d, the diameter, in which case Img' is
adequate, and hence we terminate.
Notes:
– don't need to know when k d in order to terminate
– often termination occurs with k d
– depth bound for earlier method (Sheeran et al '00)
is longest simple path, which can be exponentially
longer than diameter
85. PicoJava II Benchmarks
Copyright 2002 Cadence Design Systems. Permission 1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000
Proof-based abstraction (s)
Interpolation-based method (s)
86. vs. k-induction
Copyright 2002 Cadence Design Systems. Permission 1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000
Interpolation-based (s)
k-induction (FMCAD00) (s)
87. IBM GP benchmarks
Copyright 2002 Cadence Design Systems. Permission 1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000
Proof-based abstraction (s)
Interpolation-based method (s)
88. GP benchmarks - true properties
1000
100
10
1
0.1
0.01
0.01 0.1 1 10 100 1000
Proof-based abstraction (s)
Copyright 2002 Cadence Design Systems. Permission Interpolation-based method (s)
89. Interpolation-based MC
Copyright 2002 Cadence Design Systems. Permission • Fully SAT-based.
• Inherits SAT solvers ability to concentrate on
facts relevant to a property.
• Like CBA, PBA, most effective when
– Very large set of facts is available
– Only a small subset are relevant to property
• For true properties, appears to converge for
smaller k values.
90. Copyright 2002 Cadence Design Systems. Permission Conclusion
• SAT solvers are very effective at ignoring
irrelevant facts
– Can think of decision heuristic as a form of CBA
• SAT solvers can produce refutations
• We can exploit in a number of ways:
– BMC
– Abstraction for UMC (either CBA or PBA)
– Abstract image computations using interpolation
This makes it possible to model check localizable
properties large systems.
91. Conclusion cont.
Copyright 2002 Cadence Design Systems. Permission • Approaches that compute exact images
sacrifice this quality of SAT solvers.
– still useful as alternative to BDD's
• For non-localizable properties, SAT-based
BMC and UMC do not perform well.
• The capacity of SAT-based UMC is
comparable to BMC.
– no need to settle for bounded results!
