
Encoding Techniques, Craig Interpolants and Bounded Model Checking for Incomplete Designs

Christian Miller, Stefan Kupferschmid, Matthew Lewis, Bernd Becker

Thirteenth International Conference on Theory and Applications of Satisfiability Testing, July 11 - July 14, 2010, Edinburgh


Topic: Verification of Incomplete Designs with BMC

[Figure: a simple processor datapath (PC, instruction memory, register file with RS/RT/RD ports, sign extension, ADD, compare, branch decision, address and data multiplexers, data memory); one block is marked "?" and left unspecified.]

Specification:
ADD rd, rs, rt
ADDI rd, rs, imm
XORI rd, rs, imm

Parts of the circuit are not known (blackbox) → not yet specified → layer of abstraction → error localisation

Non-Realizability: Is there a path of length k violating a safety property regardless of the implementation of the blackbox? If so, the property is not realizable.


Overview

1. Modeling Techniques
2. Workflow
3. Experimental Results


Bounded Model Checking for Incomplete Designs

[Figure: the unfolded design as a chain I0 → T0,1 → T1,2 → ··· → Tk−1,k → ¬Pk; in the incomplete design every unfolding step contains a copy of the blackbox.]

Iteratively unfold the system k times. The BMC formula

I0 ∧ T0,1 ∧ ... ∧ Tk−1,k ∧ ¬Pk

is satisfied iff there exists a counterexample of length k that violates the safety property. For an incomplete design the counterexample must violate the property regardless of the implementation of the blackbox. But how can we model the unknown behavior of the blackbox outputs?


Modeling Techniques: 01X-modeling

Apply the value X to all blackbox outputs.

[Figure: the unfolding I0 → ··· → ¬Pk with every blackbox output driven by X.]

- 2-valued encoding [Jain 2000] → additional variables (v_high, v_low) per signal
- transformation to CNF [Tseitin 1968] ⇒ SAT problem
- X may "propagate" to ¬Pk ⇒ limits which problems can be solved

Example: two latches q0, q1 (flip-flops FF0, FF1), primary inputs x0, x1, a blackbox with two outputs, and ¬Pk: (q0 ∧ q1). With the blackbox outputs set to X the next-state functions evaluate to q0' = x0 ∨ X and q1' = x1 ∧ X, so q1 evaluates to 0 or X and never to a definite 1: the counterexample is not found.


Modeling Techniques: Zi-modeling

Use one ∀-variable for each blackbox output.

[Figure: the unfolding I0 → ··· → ¬Pk with the blackbox outputs at depth i named Zi,0 … Zi,n.]

- blackbox outputs are universally quantified (no two-valued encoding necessary)
- Tseitin transformation and prefix generation (see next slide) ⇒ QBF problem
- more precise ⇒ more faulty incomplete designs can be classified

Example (same circuit as before): with the blackbox outputs Z0, Z1 universally quantified the problem becomes ∃x0 x1 ∀Z0 Z1 ∃H : CNF (H are the Tseitin variables). Now q0' = x0 ∨ Z0, and the q1 branch evaluates to x1 for both values of Z1; the formula is satisfied for x0 = 1, x1 = 1, so the counterexample is found.


Modeling Techniques: Quantifier prefixes

Non-uniform quantifier prefix (pref1):

∃x0,0 … xn,0 ∀Z0,0 … Zm,0 ∃H0   …   ∃x0,k … xn,k ∀Z0,k … Zm,k ∃Hk
\__________ depth 0 __________/       \__________ depth k __________/

- inputs can "react" to the values of the blackbox outputs
- 2 · (k + 1) quantifier alternations

Uniform quantifier prefix (pref2):

∃x0,0 … xn,k        ∀Z0,0 … Zm,k        ∃H0 … Hk
primary inputs      blackbox outputs    Tseitin variables
depth 0 … k         depth 0 … k         depth 0 … k

- exactly one input sequence
- 2 quantifier alternations
- pref2 ⟹ pref1 (an input sequence that works under the uniform prefix also works under the non-uniform one)


Combination of Modeling Techniques: Combined 01X/Zi-modeling

[Figure: the unfolding I0 → ··· → ¬Pk where at every depth i some blackbox outputs are driven by X and the others by universally quantified variables Zi,0 … Zi,m.]

Combine the advantages of both modeling techniques:
- speed of 01X-modeling
- accuracy of Zi-modeling

Use Zi-modeling only where necessary: fewer ∀-variables, but additional ∃-variables (the two-valued encoding of the 01X-modeled outputs).

Example: modeling only Z1 with Zi and Z0 with 01X gives ∃x0 x1 ∀Z1 ∃H : CNF, with q0' = x0 ∨ X and the q1 branch evaluating to x1; the formula is still satisfied for x0 = 1, x1 = 1.

But how can we decide in which way each blackbox output should be modeled?
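The three modeling variants above (pure 01X, pure Zi, combined 01X/Zi) and the two quantifier prefixes, run on a small constructed circuit by brute force. This is an added example, not code from the slides or from the authors' BMC tool; the circuit, the (v_high, v_low) rail assignment and the exhaustive quantifier evaluation (a real tool would hand the CNF to a SAT or QBF solver) are all assumptions made here. The circuit mirrors the two-latch sketch on the slides but is not that circuit: it feeds one blackbox output through a tautology, which 01X-modeling cannot see through and Zi-modeling can.

```python
"""01X- versus Z_i-modeling of blackbox outputs in BMC (added example).

Constructed circuit (not the circuit on the slides): two latches q0, q1
(initially 0), primary inputs x0, x1 and one blackbox whose outputs Z0, Z1
are unknown at every unfolding depth.

    q0' = x0 OR Z0
    q1' = x1 AND (Z1 OR NOT Z1)      # a tautology of the unknown output
    safety property P = NOT (q0 AND q1)

Under 01X-modeling X OR NOT X stays X, so q1 is never a definite 1 and the
BMC formula is unsatisfiable at every depth; under Z_i-modeling the
tautology is 1 and x0 = x1 = 1 forces the bad state at depth 1.
"""
from itertools import product

# Dual-rail (v_high, v_low) encoding of the three values.  This particular
# assignment is an assumption of this example, not necessarily [Jain 2000]'s.
ONE, ZERO, X = (1, 0), (0, 1), (0, 0)


def and01x(a, b):
    """AND on rails: high iff both high, low iff either low, otherwise X."""
    return (a[0] & b[0], a[1] | b[1])


def or01x(a, b):
    """OR on rails: high iff either high, low iff both low, otherwise X."""
    return (a[0] | b[0], a[1] & b[1])


def not01x(a):
    """NOT swaps the rails; NOT X is still X."""
    return (a[1], a[0])


def const(bit):
    """Lift a concrete 0/1 (an input or a Z_i value) into the 01X domain."""
    return ONE if bit else ZERO


INPUTS = [(0, 0), (0, 1), (1, 0), (1, 1)]   # all (x0, x1) at one depth


def step(q, x, z):
    """One transition T_{d,d+1}; z holds the two blackbox outputs as 01X values."""
    q0_next = or01x(const(x[0]), z[0])
    q1_next = and01x(const(x[1]), or01x(z[1], not01x(z[1])))
    return (q0_next, q1_next)


def violates(q):
    """not P_k holds only if (q0 AND q1) is a definite 1, never if it is X."""
    return and01x(q[0], q[1]) == ONE


def blackbox_choices(zi_outputs):
    """Values a blackbox output ranges over at one depth: {0, 1} if it is
    Z_i-modeled (universally quantified), the single value X otherwise."""
    return list(product(*[(ZERO, ONE) if i in zi_outputs else (X,)
                          for i in range(2)]))


def bmc_uniform(k, zi_outputs=frozenset()):
    """Uniform prefix (pref2): one input sequence that reaches not P_k for
    every sequence of Z_i values.  Returns the sequence or None.  With
    zi_outputs empty this is plain 01X-modeled BMC (a SAT problem)."""
    zs_all = list(product(blackbox_choices(zi_outputs), repeat=k))
    for xs in product(INPUTS, repeat=k):
        def run(zs):
            q = (ZERO, ZERO)                     # I0: both latches 0
            for x, z in zip(xs, zs):
                q = step(q, x, z)
            return violates(q)
        if all(run(zs) for zs in zs_all):
            return xs
    return None


def bmc_nonuniform(k, zi_outputs=frozenset(), q=(ZERO, ZERO), depth=0):
    """Non-uniform prefix (pref1): the input at each depth is chosen after the
    blackbox values of the earlier depths are known (exists x_d, forall Z_d,
    exists x_{d+1}, ...).  Returns True iff not P_k can be forced."""
    if depth == k:
        return violates(q)
    return any(all(bmc_nonuniform(k, zi_outputs, step(q, x, z), depth + 1)
                   for z in blackbox_choices(zi_outputs))
               for x in INPUTS)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, "01X:", bmc_uniform(k), "Z_i:", bmc_uniform(k, {0, 1}),
              "combined (Z1 only):", bmc_uniform(k, {1}),
              "non-uniform, Z1 only:", bmc_nonuniform(k, {1}))
```

`bmc_uniform(k)` returns None for every k (the design is 01X-hard in the sense of the later slides), `bmc_uniform(1, {0, 1})` and `bmc_uniform(1, {1})` both return the input sequence ((1, 1),), and `bmc_uniform(1, {0})` returns None again: modeling only Z0 precisely does not help, which is exactly the selection problem the heuristics later on address. Because `bmc_nonuniform` is a game tree rather than a single sequence, it can only report whether a counterexample exists; whenever the uniform check finds a sequence the non-uniform check is True too (pref2 ⟹ pref1).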


Workflow

1. Input: incomplete design and invariant.
2. 01X-modeling; BMC tool based on a SAT solver, using Craig interpolation.
   - SAT: counterexample found.
   - otherwise: the design is 01X-hard.
3. For a 01X-hard design, identify the blackbox outputs to be Zi-modeled, based on Craig interpolants or an unsat core → set of blackbox outputs.
4. Combined 01X/Zi-modeling of the incomplete design and invariant; BMC tool based on a QBF solver → counterexample found.


01X-Hardness

For a 01X-modeled incomplete design, the unsatisfiability of a BMC problem has two possible reasons:
- there exists no counterexample
- 01X-modeling is too coarse

Definition (01X-hardness): A design is 01X-hard iff the pure 01X-encoded BMC problem is unsatisfiable for all unfoldings.

⇒ prove 01X-hardness using BMC and Craig interpolation [McMillan 2003]


BMC and Craig Interpolation

I0 ∧ T0,1 ∧ T1,2 ∧ ... ∧ Tk−1,k ∧ ¬Pk
\___ A ___/ \_________ B __________/

Craig interpolant C of A and B:
- over-approximation of the states reachable in one step (A ⇒ C)
- contains only AB-common variables (here: the latches at depth 1)
- unsatisfiable in conjunction with B

[Figure: sketch of the state sets, A inside C and C disjoint from B.]

If a fixed-point of the reachable states is reached ⇒ unsatisfiable for every unfolding depth ⇒ 01X-hard.
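The fixed-point test sketched above, written out. This is an added derivation following [McMillan 2003] as cited on the previous slide, not part of the original slides; the notation is the deck's, with $s_d$ for the latch variables at depth $d$.

Let $R_0 = I_0$ and, for the current bound $k$, split the BMC formula at the first transition:
$$A_i = R_i(s_0) \wedge T_{0,1}, \qquad B = T_{1,2} \wedge \dots \wedge T_{k-1,k} \wedge \neg P_k .$$
If $A_i \wedge B$ is unsatisfiable, the Craig interpolant $C_i$ satisfies
$$A_i \Rightarrow C_i, \qquad C_i \wedge B \ \text{unsatisfiable}, \qquad \mathrm{vars}(C_i) \subseteq \mathrm{vars}(A_i) \cap \mathrm{vars}(B) = s_1 ,$$
so $C_i$ over-approximates the successors of $R_i$. Shift it back to depth 0 and accumulate:
$$R_{i+1} = R_i \vee C_i[s_1 \mapsto s_0] .$$
A fixed point is reached when $C_i[s_1 \mapsto s_0] \Rightarrow R_i$, i.e. when $C_i[s_1 \mapsto s_0] \wedge \neg R_i$ is unsatisfiable (one more SAT call). Then $R_i$ contains $I_0$ and is closed under $T$, so it contains every reachable state, and every reachable state at depth $\ge 1$ lies in some $C_j$ with $j \le i$. Since $C_j \wedge B$ is unsatisfiable, no path of exactly $k-1$ further steps from such a state reaches $\neg P$; together with the plain BMC checks already done at the depths below $k$, no unfolding depth is satisfiable, which is the 01X-hardness claimed above. If instead $A_i \wedge B$ is satisfiable for some $i > 0$, the over-approximation may be responsible: the bound $k$ is increased and the iteration restarted from $R_0$. If it is satisfiable already for $i = 0$, $A_0 \wedge B$ is the plain BMC formula and the assignment is a genuine counterexample of length $k$.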



Heuristics for Identifying Blackbox Outputs

How can we decide in which way each blackbox output should be modeled?

Exploiting the Craig interpolant:
- Analyze the last computed Craig interpolant C.
- Perform a cone-of-influence analysis on all latches occurring in C.
- Model all blackbox outputs influencing these latches using Zi.

Exploiting the unsatisfiable core:
- Determine the unsatisfiable core at the unfolding depth where the fixed-point was found.
- Blackbox outputs included in this unsatisfiable core directly influence the unsatisfiability of the problem.
- Model these blackbox outputs using Zi.


Exploiting Craig Interpolants

[Figure: the example circuit in its 01X (dual-rail) encoding. I0 sets the rails q1h, q1l, q0h, q0l to 0; the blackbox outputs appear as rail pairs (Z1h, Z1l) and (Z0h, Z0l); T0,1 computes the next-state rails q1'h, q1'l, q0'h, q0'l through AND01X and OR01X gates from x0, x1 and the blackbox rails. A = I0 ∧ T0,1, B = the property part at depth 1 (P1).]

Derived Craig interpolant C = ¬q0h,1 (the high rail of latch q0 at depth 1). Z1 has influence on the latch in C.

⇒ Model Z1 using Zi and Z0 using 01X.


Exploiting Unsatisfiable Core

[Figure: the same 01X-encoded example circuit (I0, T0,1, P1) as on the previous slide.]

The unsatisfiable core contains variables of blackbox output Z1.

⇒ Model Z1 using Zi and Z0 using 01X.
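The interpolant-based heuristic (latches in C → cone of influence → blackbox outputs) as a small netlist traversal. This is an added example, not the authors' tool: the netlist is the constructed two-latch circuit from the earlier 01X/Zi example extended by a third latch q2 that stores q1 (to show the cone crossing a latch boundary), and the interpolant-variable naming `q0_h@1` (latch, rail, depth) is an assumption of this example. The unsat-core heuristic needs a solver that reports cores and is not reproduced here.

```python
"""Cone-of-influence heuristic for choosing Z_i-modeled blackbox outputs
(added example, not the authors' tool).

Constructed netlist: each entry maps a gate output to (gate, fan-ins).
Primary inputs (x0, x1), blackbox outputs (Z0, Z1) and latch outputs
(q0, q1, q2) are not gate outputs; a latch's value comes from its
next-state signal one unfolding depth earlier.

    q0' = x0 OR Z0
    q1' = x1 AND (Z1 OR NOT Z1)
    q2' = q1
"""

NETLIST = {
    "n0":      ("OR",  ["x0", "Z0"]),
    "n1":      ("NOT", ["Z1"]),
    "n2":      ("OR",  ["Z1", "n1"]),
    "n3":      ("AND", ["x1", "n2"]),
    "q0_next": ("BUF", ["n0"]),
    "q1_next": ("BUF", ["n3"]),
    "q2_next": ("BUF", ["q1"]),
}
LATCH_NEXT = {"q0": "q0_next", "q1": "q1_next", "q2": "q2_next"}
BLACKBOX_OUTPUTS = {"Z0", "Z1"}


def cone_of_influence(latches, netlist=NETLIST, latch_next=LATCH_NEXT):
    """Backward transitive fan-in of the given latches.  A latch met on the
    way is followed through its own next-state logic (one unfolding depth
    earlier), so the cone spans the whole unfolding, not only T_{k-1,k}."""
    seen = set()
    work = [latch_next[l] for l in latches]
    while work:
        s = work.pop()
        if s in seen:
            continue
        seen.add(s)
        if s in netlist:                 # gate output: visit its fan-ins
            work.extend(netlist[s][1])
        elif s in latch_next:            # latch output: visit its next-state logic
            work.append(latch_next[s])
        # primary inputs and blackbox outputs are leaves
    return seen


def latches_in(interpolant_vars, latch_next=LATCH_NEXT):
    """Latches named in a Craig interpolant.  The interpolant ranges over the
    AB-common variables, i.e. the dual-rail latch copies at depth 1; the
    assumed naming is '<latch>_<rail>@<depth>', e.g. 'q0_h@1'."""
    found = set()
    for v in interpolant_vars:
        name = v.split("@")[0]
        for rail in ("_h", "_l"):
            if name.endswith(rail):
                name = name[:-len(rail)]
        if name in latch_next:
            found.add(name)
    return found


def select_zi_outputs(interpolant_vars, bb_outputs=BLACKBOX_OUTPUTS):
    """The heuristic on the slide: model with Z_i exactly those blackbox
    outputs in the cone of influence of a latch in C; the remaining
    outputs stay 01X-modeled.  Returns (zi_modeled, x_modeled)."""
    zi = cone_of_influence(latches_in(interpolant_vars)) & bb_outputs
    return zi, bb_outputs - zi


if __name__ == "__main__":
    # Constructed interpolant C = NOT q1_h at depth 1: only Z1 reaches q1.
    print(select_zi_outputs({"q1_h@1"}))
    # An interpolant over q2 reaches Z1 through the latch feedback q2' = q1.
    print(select_zi_outputs({"q2_h@1"}))
```

For `C = ¬q1h,1` the selection is Z1 → Zi, Z0 → 01X, the same split the slide arrives at for its circuit; an interpolant mentioning only q0 selects Z0 instead, and an empty interpolant selects nothing, which is the cheap all-01X problem the workflow started from.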


Experimental Results

Benchmarks: open-source circuits from opencores.org and academia: Double Precision FPU, Configurable Serial UART, Plasma MIPS 32-bit Processor, and VLIW ALU; compiled with Synopsys using a custom gate library.

Testing: AMD Opteron server with 4 GB of RAM; compared the QBF solvers AIGSolve, QMiraXT, and QuBE.


Results: 01X-Hardness

26 benchmarks, 10 of them 01X-easy; selection of the remaining 16 01X-hard benchmarks:

benchmark    fixed-point depth   time     CE depth   # detected/total (Craig int.)   # detected/total (unsat-c.)
FPU-hc02     33                  58.87    28         3/141                           6/141
FPU-he01     32                  57.14    27         139/141                         6/141
FPU-he02     49                  433.52   27         141/141                         34/141
UART-hc06    121                 23.07    475        8/16                            8/16
qualu32b-h   4                   2.46     9          2/66                            2/66
qualu64b-h   2                   1.93     9          2/386                           2/386

⇒ only a small fraction of the blackbox outputs is selected to be modeled using Zi


Results QBF: exploiting interpolant / unsat core

⇒ reduced number of Zi-modeled blackbox outputs simplifies many problems

[Figure: three bar charts of QBF solving time (y-axis 0–600, bars marked "timeout" where the solver did not finish) for the benchmarks FPU-hc02, FPU-he01, FPU-he02, UART-hc06, qualu32b-h and qualu64b-h: "all Zi-modeled, non-uniform prefix", "exploiting unsat core, non-uniform prefix" and "exploiting Craig interpolants, non-uniform prefix".]


Results QBF: non-uniform / uniform prefix

[Figure: two bar charts of QBF solving time (y-axis 0–600, timeouts marked) for the same six benchmarks: "all Zi-modeled, non-uniform prefix" and "all Zi-modeled, uniform prefix".]

⇒ uniform prefix makes most benchmarks easier to solve


Results QBF: worst case scenario / best case scenario

[Figure: two bar charts of QBF solving time (y-axis 0–600, timeouts marked) for the same six benchmarks, "worst case scenario" and "best case scenario" over the compared solvers and methods.]

- QBF solvers behave very differently
- no single QBF solver can solve all benchmarks
- a portfolio of all methods and solvers is needed


Conclusion

- introduced new encoding techniques for incomplete designs: 01X/Zi-modeling and their combination; non-uniform / uniform QBF prefix
- implemented a complete verification workflow: able to prove 01X-hardness; heuristics to select the blackbox outputs to model precisely; optimized QBF encoding
- evaluated the workflow on an industrial benchmark suite: multiple synthesizable industrial circuits; compared several state-of-the-art QBF solvers; QBF solvers perform well but behave differently
- future work: other techniques for proving 01X-hardness; definition of Zi-hardness