2. Interpolation
• If A ∧ B = false, there exists an interpolant
A' for (A,B) such that:
A ⇒ A'
A' ∧ B = false
A' refers only to common variables of A,B
• Example:
– A = p ∧ q, B = ¬q ∧ r, A' = q
• Interpolants from proofs
– given a resolution refutation of A ∧B,
A' can be derived in linear time.
(Craig, 57)
(Pudlák, Krajíček, 97)
3. Interpolation-based MC
• Combining “bounded model checking” and
interpolation gives us
– A means of over-approximate image computation
– Hence, reachability analysis
• Method is complete for systems of finite
diameter.
• Modern SAT solvers naturally produce
resolution refutations
– Leads to fully SAT-based model checking.
5. Resolution
• Modern SAT solvers naturally produce
refutations for CNF formulas using resolution
• Interpolants can be derived from such
refutations in linear time.
(A ∨ p)   (¬p ∨ B)
------------------
      (A ∨ B)
6. Example
• Interpolant is a circuit that follows structure
of the proof.
A = (b)(¬b ∨ c)   B = (¬c ∨ d)(¬d)
Refutation (each line resolves the two clauses above it):
  (b)   (¬b ∨ c)
      (c)   (¬c ∨ d)
          (d)   (¬d)
              ⊥
Interpolant A' = c
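An added example (not from the slides) of the construction in slides 2, 5 and 6: it walks a resolution refutation, labelling A-clauses with their shared literals and B-clauses with true, taking the OR of the parents' labels when the pivot is local to A and the AND otherwise (McMillan's rule), and checks the result by brute force on the slide's A and B. The variable numbering b=1, c=2, d=3 and the formula encoding are assumptions of the example.

```python
# Added example (not from the slides): McMillan's interpolant construction
# over a resolution refutation, run on the slide's A = (b)(¬b ∨ c), B = (¬c ∨ d)(¬d).
# Literals are ints (v or -v), clauses frozensets, formulas True/False, a literal,
# or ('and'|'or', f, g).
from itertools import product

def simplify(f):
    op, x, y = f
    unit, absorb = (False, True) if op == 'or' else (True, False)
    if x is absorb or y is absorb: return absorb
    if x is unit: return y
    return x if y is unit else f

def interpolant(a_clauses, b_clauses, steps):
    """steps: (pivot_var, left, right) in proof order, the last deriving {}."""
    vars_a = {abs(l) for c in a_clauses for l in c}
    vars_b = {abs(l) for c in b_clauses for l in c}
    partial = {}                      # clause -> its partial interpolant
    for c in a_clauses:               # A-clause: disjunction of shared literals
        partial[c] = False
        for l in (l for l in c if abs(l) in vars_b):
            partial[c] = simplify(('or', partial[c], l))
    for c in b_clauses:               # B-clause: contributes nothing (true)
        partial[c] = True
    for piv, left, right in steps:
        res = frozenset((left | right) - {piv, -piv})
        op = 'or' if (piv in vars_a and piv not in vars_b) else 'and'  # A-local pivot: OR
        partial[res] = simplify((op, partial[left], partial[right]))
    return partial[frozenset()]

def evaluate(f, asg):
    if isinstance(f, bool): return f
    if isinstance(f, int): return asg[abs(f)] if f > 0 else not asg[abs(f)]
    op, x, y = f
    a, b = evaluate(x, asg), evaluate(y, asg)
    return (a or b) if op == 'or' else (a and b)

def check_interpolant(a_clauses, b_clauses, itp):
    """Brute-force: A => A' and A' ∧ B = false under every assignment."""
    vs = sorted({abs(l) for c in a_clauses + b_clauses for l in c})
    holds = lambda cls, asg: all(any(evaluate(l, asg) for l in c) for c in cls)
    for bits in product([False, True], repeat=len(vs)):
        asg = dict(zip(vs, bits))
        if holds(a_clauses, asg) and not evaluate(itp, asg): return False
        if holds(b_clauses, asg) and evaluate(itp, asg): return False
    return True

# The slide's refutation with b=1, c=2, d=3 (constructed to match the slide)
A = [frozenset({1}), frozenset({-1, 2})]
B = [frozenset({-2, 3}), frozenset({-3})]
PROOF = [(1, A[0], A[1]), (2, frozenset({2}), B[0]), (3, frozenset({3}), B[1])]
```

`interpolant(A, B, PROOF)` returns the literal 2, i.e. c, as on the slide, and `check_interpolant` confirms it satisfies the two interpolant conditions.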
7. DPLL SAT solvers
• Given a propositional formula in CNF:
– Produce a satisfying assignment
– Produce a resolution refutation
Current solvers, like Chaff and BerkMin, are highly
efficient, especially when there is a small "core"
of clauses that is by itself unsatisfiable.
9. Interpolation-based MC
• Exploit interpolation to compute an over-
approximate image operator.
– Allows symbolic model checking
– Procedure is complete for finite diameter systems
10. Modeling
System modeled by a transition constraint
[circuit: AND gate g with inputs a, b; OR gate p with inputs g, c; latch c fed by p]
Each circuit element induces a constraint
note: a stands for a at time t, and a' for a at time t+1
g = a ∧ b
p = g ∨ c
c' = p
Model:
C = {
g = a ∧ b,
p = g ∨ c,
c' = p
}
11. Bounded model checking
• Unfold the model k times:
U = C0 ∧ C1 ∧ ... ∧ Ck-1
[figure: k copies of the circuit chained in time, with I0 on the left and Fk on the right]
• Use SAT solver to check satisfiability of
I0 ∧ U ∧ Fk
• If unsatisfiable:
– property has no counterexample (Cex) of length k
– can produce a refutation proof P
12. Reachability
• Is there a path (of any length) from I to F
satisfying transition constraint C?
• Reachability fixed point:
R0 = I
Ri+1 = Ri ∨ Img(Ri,C)
R = ∪ Ri
• Image operator:
Img(P,C) = λV'. ∃ V. (P(V) ∧ C(V,V'))
• F is reachable iff R ∧ F ≠ false
14. Overapproximation
• An overapproximate image operator is an Img' s.t.
for all P, Img(P,C) implies Img'(P,C)
• Overapproximate reachability:
R'0 = I
R'i+1 = R'i ∨ Img'(R'i,C)
R' = ∪ R'i
• Img' is adequate w.r.t. F when
– if P cannot reach F, Img'(P,C) cannot reach F
• If Img' is adequate, then
– F is reachable iff R' ∧ F ≠ false
16. k-adequate image operator
• Img' is k-adequate w.r.t. F when
– if P cannot reach F,
Img'(P,C) cannot reach F within k steps
• Note, if k > diameter, then k-adequate is
equivalent to adequate.
17. Interpolation-based image
• Idea -- use unfolding to enforce k-adequacy
A = P-1 ∧ C-1
B = C0 ∧ C1 ∧ ... ∧ Ck-1 ∧ Fk
[figure: P ∧ C at t=-1 (the A part), then C0 ... Ck-1 ∧ Fk (the B part), with A and B meeting at t=0]
Let Img'(P,C) = A',
where A' is an interpolant for (A,B); A' refers only to the variables shared by A and B, i.e. the state at t=0.
Img' is k-adequate!
18. Huh?
• A ⇒ A'
– Img(P,C) ⇒ Img'(P,C)
• A' ∧ B = false
– Img'(P,C) cannot reach F in k steps
• Hence Img' is a k-adequate overapproximation.
[figure: the same unfolding, with A' sitting at the t=0 boundary between A and B]
Note: if A,B are consistent (A ∧ B satisfiable), then let Img'(P,C) = T.
19. Intuition
• A' tells us everything the prover deduced
about the image of P in proving it can't reach
F in k steps.
• Hence, A' is in some sense an abstraction of
the image relative to the property.
[figure: the same unfolding, with A' at the t=0 boundary between A and B]
20. Reachability algorithm
let k = 0
repeat
    if I can reach F within k steps, answer reachable
    R = I
    while Img'(R,C) ∧ F = false
        R' = Img'(R,C) ∨ R
        if R' = R answer unreachable
        R = R'
    end while
    increase k
end repeat
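The algorithm above, run on an explicit-state transition system as an added example (not from the slides). The interpolant-based Img' needs a proof-producing SAT solver, so the example substitutes a k-adequate over-approximate image computed directly from the graph, Img'(P) = Img(P) ∪ {s : s cannot reach F within k steps}; the graph (a dead-end chain 0→1→2→3 and a separate ring 4→5→6→7→4) is constructed for the example.

```python
# Added example (not from the slides): the slide's reachability algorithm on an
# explicit-state system. Stand-in for the interpolant-based image (assumption):
#   Img'_k(P) = Img(P) ∪ { s : s cannot reach F within k steps }
# which over-approximates Img and is k-adequate by construction.
def image(states, trans):
    return {t for s in states for t in trans.get(s, ())}

def reaches_within(states, final, trans, k):
    """True iff some state in `states` reaches `final` in at most k steps."""
    frontier = set(states)
    for _ in range(k + 1):
        if frontier & final:
            return True
        frontier = image(frontier, trans)
    return False

def k_adequate_image(states, final, trans, all_states, k):
    cannot = {s for s in all_states if not reaches_within({s}, final, trans, k)}
    return image(states, trans) | cannot

def reachable(init, final, trans, max_k=64):
    """Return ('reachable' | 'unreachable', k) following the slide's loop."""
    all_states = set(trans) | {t for ts in trans.values() for t in ts}
    for k in range(max_k):
        if reaches_within(init, final, trans, k):     # bounded check (BMC)
            return 'reachable', k
        r = set(init)
        while True:
            img = k_adequate_image(r, final, trans, all_states, k)
            if img & final:          # Img'(R) ∧ F ≠ false: too coarse, raise k
                break
            r_next = r | img
            if r_next == r:          # fixed point: F unreachable
                return 'unreachable', k
            r = r_next
    raise RuntimeError("k bound exhausted")   # not reached once k > diameter

# Constructed graph: dead-end chain 0->1->2->3 and a ring 4->5->6->7->4
TRANS = {0: {1}, 1: {2}, 2: {3}, 3: {3}, 4: {5}, 5: {6}, 6: {7}, 7: {4}}
```

From state 0 the fixed point is reached at k=3 (the diameter of this graph) with 7 unreachable; from state 4 the bounded check finds 7 at k=3.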
21. Termination
• Since k increases at every iteration, eventually
k > d, the diameter, in which case Img' is
adequate, and hence we terminate.
Notes:
– don't need to know when k > d in order to terminate
– often termination occurs with k << d
– depth bound for earlier method (Sheeran et al '00)
is "longest simple path", which can be exponentially
longer than diameter
22. PicoJava II benchmarks
• Hardware Java virtual machine implementation
• Properties derived from verification of ICU
– handles cache, instruction prefetch and decode
• Original abstraction was manual
• Added neighboring IFU to make problem harder
– result: many irrelevant facts in problem
[block diagram: ICU next to IFU, with Mem/Cache and Integer unit; properties checked on the ICU]
23. Results
• Benchmarks completed in 1800 s:
– Standard model checking: 0/20
– Interpolation-based: 19/20
• Reason:
– Interpolation method exploits the SAT solver’s
ability to narrow proofs to relevant facts.
29. Characteristics
• SAT-based methods are effective when
– Very large set of facts is available
– Only a small subset are relevant to property
• They exploit the SAT solver's ability to
narrow the proof to relevant facts
– I.e., narrows reachable states approximation to
relevant variables.
• Interpolation method exploits this fact to
compute abstract image operator.
30. Infinite-state verification
• Direct approach:
– express transition constraint in FOL
– example: simple “Bakery” protocol:
[figure: two processes, each with states NC and C. Process 0 has transitions labelled
ticket0' > ticket1 and ticket1 > ticket0 ∨ state1 = NC; process 1 symmetrically has
ticket1' > ticket0 and ticket0 > ticket1 ∨ state0 = NC.]
Terminates because diameter is finite, though
state space is infinite
31. Infinite-state verification
• Predicate abstraction approach (Graf,Saïdi,97)
– Choose a set of predicates to represent state
• I.e., for bakery: ticket1 > ticket0 and ticket0 > ticket1
– Transform C into a predicate-state transducer
– Interpolants are now strictly Boolean
• Convergence guaranteed, but may have false negatives
• Advantages of interpolation approach:
– Avoid conversion to a Boolean formula
– Avoid building BDDs!
– Strong ability to ignore irrelevant predicates
32. Conclusion
• SAT solvers have the ability:
– to generate refutations for bounded reachability
– to filter out irrelevant facts.
• These abilities can be exploited to generate
an abstract image operator, using Craig
interpolation.
• This yields a reachability procedure that
– is fully SAT-based
– operates directly on infinite-state systems
– is robust w.r.t. irrelevant facts