Deductive Methods, Bounded Model Checking

Similar documents
Finite Model Generation for Isabelle/HOL Using a SAT Solver

PROPOSITIONAL LOGIC (2)

Boolean Functions (Formulas) and Propositional Logic

Symbolic Methods. The finite-state case. Martin Fränzle. Carl von Ossietzky Universität FK II, Dpt. Informatik Abt.

Motivation. CS389L: Automated Logical Reasoning. Lecture 17: SMT Solvers and the DPPL(T ) Framework. SMT solvers. The Basic Idea.

Normal Forms for Boolean Expressions

Formally Certified Satisfiability Solving

EECS 219C: Formal Methods Boolean Satisfiability Solving. Sanjit A. Seshia EECS, UC Berkeley

SAT Solver. CS 680 Formal Methods Jeremy Johnson

Satisfiability (SAT) Applications. Extensions/Related Problems. An Aside: Example Proof by Machine. Annual Competitions 12/3/2008

Satisfiability. Michail G. Lagoudakis. Department of Computer Science Duke University Durham, NC SATISFIABILITY

Decision Procedures in the Theory of Bit-Vectors

EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving. Sanjit A. Seshia EECS, UC Berkeley

CAV Verification Mentoring Workshop 2017 SMT Solving

Lecture Notes on Real-world SMT

4.1 Review - the DPLL procedure

Boolean Representations and Combinatorial Equivalence

DPLL(Γ+T): a new style of reasoning for program checking

CSE 20 DISCRETE MATH. Fall

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Decision Procedures. An Algorithmic Point of View. Decision Procedures for Propositional Logic. D. Kroening O. Strichman.

1.4 Normal Forms. We define conjunctions of formulas as follows: and analogously disjunctions: Literals and Clauses

The Barcelogic SMT Solver

Symbolic and Concolic Execution of Programs

CSE 20 DISCRETE MATH. Winter

Nenofar: A Negation Normal Form SMT Solver

Dipartimento di Elettronica Informazione e Bioingegneria. Cognitive Robotics. SATplan. Act1. Pre1. Fact. G. Gini Act2

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

SAT Solvers. Ranjit Jhala, UC San Diego. April 9, 2013

Planning as Search. Progression. Partial-Order causal link: UCPOP. Node. World State. Partial Plans World States. Regress Action.

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Yices 1.0: An Efficient SMT Solver

Computer-Aided Program Design

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

URBiVA: Uniform Reduction to Bit-Vector Arithmetic

Solving 3-SAT. Radboud University Nijmegen. Bachelor Thesis. Supervisors: Henk Barendregt Alexandra Silva. Author: Peter Maandag s

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Massively Parallel Seesaw Search for MAX-SAT

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

QuteSat. A Robust Circuit-Based SAT Solver for Complex Circuit Structure. Chung-Yang (Ric) Huang National Taiwan University

NP and computational intractability. Kleinberg and Tardos, chapter 8

Interpolant based Decision Procedure for Quantifier-Free Presburger Arithmetic

An Improved Separation of Regular Resolution from Pool Resolution and Clause Learning

Lecture 2: Symbolic Model Checking With SAT

Lemmas on Demand for the Extensional Theory of Arrays

OpenSMT2: An SMT Solver for Multi-Core and Cloud Computing

DPLL(T ):Fast Decision Procedures

Encoding The Lexicographic Ordering Constraint in Satisfiability Modulo Theories

SAT/SMT summer school 2015 Introduction to SMT

A Pearl on SAT Solving in Prolog (extended abstract)

SAT and Termination. Nao Hirokawa. Japan Advanced Institute of Science and Technology. SAT and Termination 1/41

HySAT. what you can use it for how it works example from application domain final remarks. Christian Herde /12

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

Encoding First Order Proofs in SMT

An Alldifferent Constraint Solver in SMT

Integration of SMT Solvers with ITPs There and Back Again

Chapter 2 PRELIMINARIES

Automated Theorem Proving and Proof Checking

Generating Small Countermodels. Andrew Reynolds Intel August 30, 2012

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

The Design and Implementation of the Model Constructing Satisfiability Calculus

Logic: TD as search, Datalog (variables)

CODE ANALYSIS CARPENTRY

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Satisfiability Checking with Difference Constraints

[Draft. Please do not distribute] Online Proof-Producing Decision Procedure for Mixed-Integer Linear Arithmetic

An Introduction to Satisfiability Modulo Theories

NP-Completeness. Algorithms

Automated Theorem Proving: DPLL and Simplex

Efficient Circuit to CNF Conversion

2SAT Andreas Klappenecker

[Ch 6] Set Theory. 1. Basic Concepts and Definitions. 400 lecture note #4. 1) Basics

Integrating a SAT Solver with Isabelle/HOL

Foundations of AI. 8. Satisfiability and Model Construction. Davis-Putnam, Phase Transitions, GSAT and GWSAT. Wolfram Burgard & Bernhard Nebel

An SMT-Based Approach to Motion Planning for Multiple Robots with Complex Constraints

Symbolic Execution as DPLL Modulo Theories

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

Lemmas on Demand for Lambdas

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

Evaluation of SAT like Proof Techniques for Formal Verification of Word Level Circuits

Decision Procedures in First Order Logic

NP-Completeness of 3SAT, 1-IN-3SAT and MAX 2SAT

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

Mixed Integer Linear Programming

An SMT-based approach to Weak Controllability for Disjunctive Temporal Problems with Uncertainty

Multi Domain Logic and its Applications to SAT

An Introduction to SAT Solvers

Constraint Programming

Decision Procedures for Equality Logic. Daniel Kroening and Ofer Strichman 1

BITCOIN MINING IN A SAT FRAMEWORK

Example: Map coloring

Heuristic Backtracking Algorithms for SAT

Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers

DM841 DISCRETE OPTIMIZATION. Part 2 Heuristics. Satisfiability. Marco Chiarandini

Combinational Equivalence Checking

Efficient SMT Solving for Hardware Model Checking

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

On Resolution Proofs for Combinational Equivalence Checking

Transcription:

Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics

Deductive methods Pavel Parízek Deductive Methods, Bounded Model Checking 2

If you want to know more... Decision Procedures and Verification (NAIL094) Lecturer: Martin Blicha, D3S http://d3s.mff.cuni.cz/teaching/decision_procedures/ D. Kroening and O. Strichman. Decision Procedures: An Algorithmic Point of View. Springer, 2008. Pavel Parízek Deductive Methods, Bounded Model Checking 3

Pavel Parízek Deductive Methods, Bounded Model Checking 4 Basic terminology (reminder) Logic formula syntax, semantics Propositional logic First-order logic Predicates Quantifiers Assignment Partial assignment Satisfiability Validity (tautology)

Pavel Parízek Deductive Methods, Bounded Model Checking 5 Relation between satisfiability and validity φ is valid φ is satisfiable φ is valid φ is satisfiable!φ is unsatisfiable!φ is not valid

Pavel Parízek Deductive Methods, Bounded Model Checking 6 Normal forms Negation normal form (NNF) syntax:!,, & and variables Negation only for variables Example: (a (b &!c)) & (!d) Conjunctive normal form (CNF) NNF as a conjunction of disjunctions Example: (a b!c) & (!d) & (e!f) Disjunctive normal form (DNF) NNF as a disjunction of conjunctions Example: (a & b &!c) (!d) (e &!f)

Getting the normal forms De Morgan s law Distributive law Q: Is there a problem with conversion? Pavel Parízek Deductive Methods, Bounded Model Checking 7

Pavel Parízek Deductive Methods, Bounded Model Checking 8 Getting the normal forms Transformation into an equivalent formula in CNF or DNF Problem: exponential blow-up of the size Remedy: creating equisatisfiable formula

Equisatisfiability Equisatisfiable formulas φ, ψ both satisfiable or both unsatisfiable Examples φ:!(a b) ψ: a &!b φ: a b ψ: (a n) & (!n b) φ: a & b &!c ψ: true φ:!a b ψ: false???????? Pavel Parízek Deductive Methods, Bounded Model Checking 9

Equisatisfiability Equisatisfiable formulas φ, ψ both satisfiable or both unsatisfiable Examples φ:!(a b) ψ: a &!b φ: a b ψ: (a n) & (!n b) φ: a & b &!c ψ: true φ:!a b ψ: false EQ, ES ES ES Pavel Parízek Deductive Methods, Bounded Model Checking 10

Equisatisfiability Tseitin s encoding Widely used algorithm for transforming a given propositional formula φ into an equisatisfiable formula φ in CNF with linear growth only Practice: various optimizations applied Pavel Parízek Deductive Methods, Bounded Model Checking 11

SAT solving Pavel Parízek Deductive Methods, Bounded Model Checking 12

Pavel Parízek Deductive Methods, Bounded Model Checking 13 SAT solving Goal Decide whether a given propositional formula φ in CNF is satisfiable Possible answers Satisfiable + assignment (values, model) Unsatisfiable + core (subset of clauses) Satisfiable formula φ there exists a partial assignment satisfying all clauses in φ

Pavel Parízek Deductive Methods, Bounded Model Checking 14 SAT solving Naive brute force solution Trying all possible assignments Systematic traversal of a binary tree DPLL (Davis-Putnam-Loveland-Logemann) Motivation: partial assignment can imply values of other variables in the given formula Example: from (!a b), v = { a 1 } we get { b 1 } Approach: iterative deduction Inferring value of a particular variable Basic algorithm used in modern SAT solvers (with many additional optimizations) DPLL-based SAT solving

SAT solving: optimizations Adding learned clauses (implied) Non-chronological backtracking Choice of the branching variable Various heuristics on the best choice exist Restarts When it takes too long, restart the solver and use other seeds for heuristic functions Pavel Parízek Deductive Methods, Bounded Model Checking 15

Pavel Parízek Deductive Methods, Bounded Model Checking 16 SAT solving Problem size: 10K 1M variables Typical input formulas have structure Worse for random instances Hard instances exist (of course) Tools are getting better all the time Reason: industry demand, annual competitions http://www.satcompetition.org/ Other approaches Stochastic search (random walk) Quickly finds solution for satisfiable instances Ordered binary decision diagrams

Propositional logic: semantic X proof Semantic domain Goal: find satisfying assignment for ϕ We know that: ϕ ϕ Proof domain Goal: derive the proof axioms, inference rules Pavel Parízek Deductive Methods, Bounded Model Checking 17

Resolution Input: CNF formula φ (a set of clauses) Goal: derive empty clause (false) Iterative process Choose two suitable clauses from the set Requirement: they must have complementary literals r,!r Apply resolution step on these clauses (p1... pn r), (q1... qn!r) (p1... pn q1... qn) Add the newly derived clause into the set Repeat until we derive false (or fail/stop) Pavel Parízek Deductive Methods, Bounded Model Checking 18

Resolution Equivalent statements 1) CNF formula φ is unsatisfiable 2) We can derive empty clause using resolution on the clauses from φ Resolution used in practice Checking validity of a first-order logic formula Proof-by-contradiction Add negation of the conjecture into the set Pavel Parízek Deductive Methods, Bounded Model Checking 19

SAT solving and propositional logic SAT looks very good, but we need more For program verification, full theorem proving,... First-order logic (predicate logic) Interesting theories Linear integer arithmetic (N, Z) Data structures (arrays, bit vectors) Pavel Parízek Deductive Methods, Bounded Model Checking 20

Decision procedure Pavel Parízek Deductive Methods, Bounded Model Checking 21

Decision procedure Algorithm that Always terminates Outputs: YES/NO Decision procedure for a particular theory T Always terminates and provides a correct answer for every formula of T Goal: checking validity of logic formulas Pavel Parízek Deductive Methods, Bounded Model Checking 22

Interesting theories Equality logic With uninterpreted functions Linear arithmetic Integer Rational Difference logic Arrays Bit vectors Pavel Parízek Deductive Methods, Bounded Model Checking 23

Pavel Parízek Deductive Methods, Bounded Model Checking 24 Equality logic Syntax Atomic formulas term = term true false Terms variable constant Deciding validity of an equality logic formula is NP-complete problem Polynomial algorithm exists for the conjunctive fragment (uses only & and )

Pavel Parízek Deductive Methods, Bounded Model Checking 25 Equality logic with uninterpreted functions Syntax Atomic formulas term = term predicate(term,..., term) true false Terms variable constant function(term,..., term) Semantics No implicit meaning of functions and predicates a1 = b1 &... & an = bn f(a1,...,an) = f(b1,...,bn) Decision procedure Transform into an equisatisfiable formula in equality logic

Pavel Parízek Deductive Methods, Bounded Model Checking 26 Equality logic with uninterpreted functions Purpose: abstraction Full formula function semantics defined using axioms Uninterpreted symbols just equality between arguments φ EUF φ False answers possible Example: add(1,2)!= add(2,1) in EUF Formula with UF easier to decide than the full formula

Pavel Parízek Deductive Methods, Bounded Model Checking 27 Linear arithmetic Syntax Atomic formulas term = term term < term term term true false Terms variable constant constant variable term + term Example: (3x + 2y 5z) & (2x 2y = 0) Arithmetic without multiplication Presburger arithmetic Decision procedure General case (full theory): 2 2O(n) Conjunctive fragment over Q Linear programming: Simplex method (EXP), Ellipsoid method (P) Conjunctive fragment over Z Integer linear programming (NP-complete)

Pavel Parízek Deductive Methods, Bounded Model Checking 28 Difference logic Syntax Atomic formulas variable variable < constant variable variable constant true false Operators:!, &,, Example: (x y < 3) & (y z -4) & (z x 1) Decision procedure Conjunctive fragment polynomial for Qand Z

Pavel Parízek Deductive Methods, Bounded Model Checking 29 Data structures Array theory Function symbols select(a,i) // read, a[i] store(a,i,e) // update, a[i] = e Axiom read-over-write select(store(a,i,e),i) = e Bit vectors Motivation: precise computer arithmetic (overflows,...) Reasoning about individual bits in a finite vector (array) Syntax: operators bitwise-and, bitwise-or, bitwise-xor Decision procedure Typically flattened into a large instance of SAT Many clever optimizations (encoding)

Combining theories Goal Formulas that combine multiple theories Example: linear arithmetic + arrays Decision procedures Combined under specific constraints Nelson-Oppen method Pavel Parízek Deductive Methods, Bounded Model Checking 30

Decision procedures: summary Decision procedures Typically work for conjunctive fragments of the respective theories But we still need more Formulas with arbitrary boolean structure and interesting theories (linear arithmetic, arrays) Pavel Parízek Deductive Methods, Bounded Model Checking 31

Satisfiability Modulo Theory (SMT) Pavel Parízek Deductive Methods, Bounded Model Checking 32

Satisfiability Modulo Theory (SMT) Goal Decide satisfiability of a quantifier-free formula that involves constructs of specific theories Idea Using combination of a SAT solver and a decision procedure (DP) for a conjunctive fragment of the respective theory Pavel Parízek Deductive Methods, Bounded Model Checking 33

Approaches to SMT Naive use of a SAT solver 1. Extract boolean skeleton of the given formula φ 2. Run the SAT solver on the boolean skeleton a) unsatisfiable the input formula is unsatisfiable b) satisfiable we get a satisfying assignment v 3. Run the DP on the formula derived from the satisfying assignment v a) satisfiable the input formula is satisfiable b) unsatisfiable add the blocking clause for v to the boolean skeleton and continue with the step 2 Pavel Parízek Deductive Methods, Bounded Model Checking 34

Approaches to SMT DPLL(T)-based SMT solving Eagerness: DPLL asks DP for partial assignments during traversal Benefit: earlier conflict discovery Updating the set of clauses given to DP on-the-fly iteration (add), backtracking (remove) Theory-based learning DP can identify clauses valid/invalid in the given theory T Pavel Parízek Deductive Methods, Bounded Model Checking 35

Pavel Parízek Deductive Methods, Bounded Model Checking 36 SMT solving in practice Available SMT solvers Z3, CVC4, Yices, MathSAT 5, OpenSMT,... SMT-LIB v2 Defines common input format Big library of SMT problems http://www.smt-lib.org/ SMT-COMP Competition of SMT solvers http://smtcomp.org

SMT solving in practice Current state Good performance Highly automated Many applications Drawbacks Restricted to specific theories and domains (Q, Z) Very limited support for quantifiers (mostly ) Much less powerful than full theorem proving Pavel Parízek Deductive Methods, Bounded Model Checking 37

Pavel Parízek Deductive Methods, Bounded Model Checking 38 Theorem proving Input Theory T: set of axioms General formula φ in predicate logic Goal Decide validity of the formula φ in T Semantic domain: show unsatisfiable negation Proof domain: prove φ from the axioms of T Very powerful Interactive Partially automated Tools: PVS, Isabelle/HOL

Pavel Parízek Deductive Methods, Bounded Model Checking 39 Deductive methods: closing remarks Approaches DPLL-based SAT solving Decision procedures DPLL(T)-based SMT solving Formulas Propositional logic (boolean) Predicate logic with theories Equality with uninterpreted functions Linear arithmetic (difference logic) Data structures (arrays, bit vectors) Applications in program verification

Bounded model checking Pavel Parízek Deductive Methods, Bounded Model Checking 40

Pavel Parízek Deductive Methods, Bounded Model Checking 41 Bounded model checking Goal: Exploring traces with bounded length Options: fixed integer value K, iteratively increasing Still remember preemption bounding for threads? Approach Encoding bounded program state space and properties into a logic formula φ Find property violations by checking satisfiability of φ Challenge Encoding program behavior into the formula φ

Pavel Parízek Deductive Methods, Bounded Model Checking 42 Program state space Program P = (S, T, INIT) S is a set of program states Predicates about values of program variables Program counter (PC) INIT S is a set of initial states T S S is a transition relation Single transition Updates program counter and some variables Relating old and new values (x, x, pc, pc ) Example: x = 2, x = x + 1, pc = 5, pc = pc + 1

Transition relation (pc = 1) (x = x + 2y) (pc = pc + 1) (pc = 2) (x = 0) (pc = pc + 6)......... (pc = N) (x = x - y + 5) (pc = pc + 1) Pavel Parízek Deductive Methods, Bounded Model Checking 43

Pavel Parízek Deductive Methods, Bounded Model Checking 44 Traces with bounded length Transition relation unfolded at most K times Fresh copies of program variables (x, x,..., x (K) ) used for each unfolding of the transition relation Example INIT: x = 0, pc = 1 T(K): ( ((pc = 1) (x = x + 2y) (pc = pc + 1))......... ((pc (K-1) = 1) (x (K) = x (K-1) + 2y (K-1) ) (pc (K) = pc (K-1) + 1))......... ) Specific consequences Bounded number of loop iterations (unrolling)

Pavel Parízek Deductive Methods, Bounded Model Checking 45 Encoding program behavior in logic Large formula INIT(s 0 ) ( i=0..k-1 T(s i, s i +1) ) ( i=0..k p(s i ) ) Represents all possible executions of the program with the length bounded by K

BMC: verification procedure 1) Derive formula representing the state space 2) Run the SAT/SMT solver on the formula in CNF 3) Interpret verification results Satisfying assignment we get a counterexample with the length K Unsatisfiable formula no property violations in program executions of the length K Pavel Parízek Deductive Methods, Bounded Model Checking 46

Pavel Parízek Deductive Methods, Bounded Model Checking 47 BMC: technical challenges Encoding program in a mainstream language into a logic formula heap, allocation, pointers, threads, synchronization Example: dynamic heap Use predicate logic with array theory (select, store) Array element access a[i] Separate variables for the element a[i] and the index i Pointer access (*p) Separate variables for dereference *p and the pointer p Transitions defined properly

Pavel Parízek Deductive Methods, Bounded Model Checking 48 Further reading D. Kroening and O. Strichman. Decision Procedures: An Algorithmic Point of View. Springer, 2008. A. Biere, A. Cimatti, E. Clarke, O. Strichman, and Y. Zhu. Bounded Model Checking. Advanced in Computers, 58, 2003

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback