SAT-based verification: underlying methods

Mary SheeranChalmers University of Technology and

Prover Technology AB

Synchronous Observer

Program Obs

ok

I B

I B

I B

I B

I B

i

I(s0) and path([s0..si]) and B(si)

Satisfying a formula

I B

I B

I B

I B

If system is bad

• Finds a shortest countermodel

• Error trace for debugging

But when can we stop?

I

when

contradictory?

i

Not quite, but

I

when

contradictory

loop-free

i

And symmetrically

when

contradictory

loop-free

B

Algorithm 1

i:= 0

if not Sat I or not Sat

B

then return True

i i

if Sat then return error trace

i := i+1 ;

I B

i

Tighten termination (Alg. 2)

i:= 0

if not Sat or not Sat B

then return True

if Sat then return error trace

i := i+1 ;

I

i

all (not I)

i

all (not B)

I B

i

Avoid iteration from zero (Alg. 3)

i := some constant which can be greater than zero

not (all P)I

i

I all (not I)

i+1

Ball (not B)

i+1

if Sat then return error trace

if not Sat or not Sat

then return True

i:= i+1

Base

I

Base

I

Step

Step

Base

B

Base

B

Step

Step

Complete method

i := some constant which can be greater than zero

not (all P)I

i

I all (not I)

i+1

Ball (not B)

i+1

if Sat then return error trace

if not Sat or not Sat

then return True

i:= i+1

Strengthen

i := some constant which can be greater than zero

not (all P)I

i

I all (not I)

i+1

Ball (not B)

i+1

if Sat then return error trace

if not Sat or not Sat

then return True

i:= i+1

Another way to strengthen

• Invent a lemma, L(s) that we believe to hold in the reachable states

• Prove Q(s) = P(s) and L(s)

• If both P and L hold in the reachable states, this can reduce induction depth

Choosing lemmas?

• Domain knowledge

• Analysis of the program

• Strongest possibility is the characterization of the reachable states

• Van Eijk’s method uses relations between signals as lemmas

Reachability analysis

• Standard approach to safety property verification using Binary Decision Diagrams (BDDs)

• Generate larger and larger subset of the reachable states. Stop when no new states added

• Check whether intersects with bad states

Reachability analysis

• Standard algorithms can be adapted to use a SAT-solver.

• Need to be able to deal with quantifiers in a way that doesn’t just blow up

• A fascinating research area!

References (bounded model checking)

• A. Biere, A. Cimatti, E.M. Clarke, M. Fujita and Y. Zhu. Symbolic model checking using SAT procedures instead of BDDs. In Proc. 36th Design Automation Conference, 1999.

• P. Bjesse, T. Leonard and A. Mokkedem. Finding bugs in an Alpha microprocessor using satisfiability solvers. In Proc. 13th Int. Conf. On Computer Aided Verification, 2001.

References (induction with SAT-solvers)

• M. Sheeran, S. Singh and G. Stålmarck. Checking safety properties using induction and a SAT-solver. In Proc. 3rd Int. Conf. On Formal Methods in Computer Aided Design, LNCS, Springer Verlag, 2000.

• P. Bjesse and K. Claessen. SAT-based verification without state space traversal. In Proc. 3rd Int. Conf. On Formal Methods in Computer Aided Design, LNCS, Springer Verlag, 2000.

References (SAT-based reachability analysis)

• P. A. Abdulla, P. Bjesse and N. Een. Symbolic reachability analysis based on SAT-solvers. In Proc. TACAS’00.

• P. F. Williams, A. Biere, E. M. Clarke and A. Gupta. Combining decision diagrams and SAT procedures for efficient symbolic model checking. In CAV’00.

• A. Gupta, Z. Yang and P. Ashar, SAT-based image computation with application in reachability analysis for verification. In FMCAD’00.

SAT

SAT

ARITH

BMC

IND

RA…

The future?

• Increasingly powerful proof engines

• Integration in system development tools

• Combining different engines or methods (for example BDDs and SAT or interactive and automatic methods)

• Use of formal methods in test pattern generation