A View from the Engine Room: Computational Support for Symbolic Model Checking
Randal E. Bryant, Carnegie Mellon University
http://www.cs.cmu.edu/~bryant
Slide 1: A View from the Engine Room: Computational Support for Symbolic Model Checking
Randal E. Bryant, Carnegie Mellon University, http://www.cs.cmu.edu/~bryant

Slide 2: Outline (25MC)
- Boolean reasoning as the engine for model checking: BDDs & SAT
- An evaluation of SAT: current capabilities & limitations; making further progress
- Beyond SAT: enhancing DPLL to do more than find a single solution

Slide 3: The Origins of Symbolic Model Checking
- 1987 notes by Ken McMillan
- Backward traversal of Petri net state space
- Realized that reachability could be performed via symbolic Boolean manipulation

Slide 4: Role of Boolean Manipulation in MC
- Contributions of BDDs to model checking
  - Separate problem from implementation: BDDs provide a clean API to the model checker
  - Performed well for many examples
- The emergence of SAT
  - Initially for bounded model checking [Biere, et al., 96]
  - More recently for full model checking: SAT enumeration [McMillan 02]; interpolation-based abstraction-refinement [McMillan 03]
- Important point: advances in Boolean manipulation drive progress in model checking

Slide 5: Recent Progress in SAT Solving
(figure only)

Slide 6: Conventional Wisdom on SAT
- BDDs vs. DPLL: DPLL is better than BDDs for straight SAT, especially for problems with large numbers of variables
- Best research strategy is to keep refining DPLL: it has certainly led to big improvements!
- Claim: this wisdom is overly simplistic

Slide 7: Comparing Parity Trees
- Compare a linear chain of XORs to random XOR trees over the same inputs
- Known hard problem for resolution-based SAT solvers
- 16 n-input trees for different values of n

Slide 8: Parity: Exhaustive Testing
- Testing 10^9 cases is no big deal

Slide 9: Parity: DPLL (ca. 2002, Limmat)
- Known difficult problem for DPLL

Slide 10: Parity: DPLL (MiniSAT)
- Recent SAT solvers have made remarkable progress

Slide 11: Parity: BDDs
- Trivial problem for BDDs

Slide 12: Associativity Testing
- Typical of arithmetic verification problems
- Evaluate for different argument word sizes

    int addL(int x, int y, int z) { return (x+y)+z; }
    int addR(int x, int y, int z) { return x+(y+z); }
    addL ?= addR

    int mulL(int x, int y, int z) { return (x*y)*z; }
    int mulR(int x, int y, int z) { return x*(y*z); }
    mulL ?= mulR

Slide 13: Associativity of Addition
- Easy for BDDs
- Recent DPLL solvers handle it readily

Slide 14: Associativity of Multiplication
- BDDs better than DPLL

Slide 15: Associativity of Multiplication
- Both worse than exhaustive testing

Slide 16: Progress in SAT Research
- Evolution of DPLL: incremental advances yielding more than incremental improvements; encourages continued incrementing
- Downside: the gene pool of SAT solvers is diminishing; all use DPLL, nonchronological backtracking, 2-literal watching; new approaches must overcome a high performance standard
- Claim: we need to be looking beyond incremental changes

Slide 17: Breaking Free
- Raise the bar on benchmarks: identify challenge benchmarks
  - Examples: arithmetic problems; breaking cryptosystems or secure hashes; combinatorial optimization
  - Parameterize to allow scaling analysis
- Acknowledge the value of niche solvers: don't worry about problems that current solvers handle well

Slide 18: BDD/DPLL Hybrids
- Very different approaches: DPLL searches for one solution from the top down; BDDs encode all solutions from the bottom up
- Significant recent effort: BDD preprocessing for a SAT solver [Jin & Somenzi, 04]; DPLL on ZDD-represented clause sets [Aloul, et al., 01]; satisfying a conjunction of BDDs [Damiano & Kukula, 03; Franco et al., 04]
- Evaluation incomplete: can help when one approach (BDD / DPLL) is much better than the other; but what about problems that neither does well?
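Slides 8 and 15 measure the solvers against plain exhaustive evaluation of the benchmark formulas. The following Python is an added example, not code from the talk: it builds the two benchmark families as the slides describe them (a linear XOR chain against a random XOR tree over the same n inputs, and the addL/addR, mulL/mulR pairs at a chosen word size) and checks each pair by enumerating every input. The random-tree construction, the wrap-around masking that stands in for fixed-width C integers, and all function names are my assumptions.

```python
"""Exhaustive equivalence checking for the two benchmark families in the talk:
parity trees (linear XOR chain vs. a random XOR tree) and associativity of
add/mul at a given word size.  Added example, not the talk's own code."""
import itertools
import random


def xor_chain(n):
    """Linear chain ((x0 ^ x1) ^ x2) ^ ... over leaves 0..n-1, as a nested tuple tree."""
    tree = 0
    for leaf in range(1, n):
        tree = ('xor', tree, leaf)
    return tree


def random_xor_tree(n, rng):
    """Random binary XOR tree that uses each of the leaves 0..n-1 exactly once."""
    forest = list(range(n))
    while len(forest) > 1:
        a, b = rng.sample(range(len(forest)), 2)
        node = ('xor', forest[a], forest[b])
        forest = [t for k, t in enumerate(forest) if k not in (a, b)] + [node]
    return forest[0]


def eval_tree(tree, bits):
    """Evaluate a tuple tree on a 0/1 input vector (leaves index into `bits`)."""
    if isinstance(tree, int):
        return bits[tree]
    _, left, right = tree
    return eval_tree(left, bits) ^ eval_tree(right, bits)


def parity_trees_equivalent(n, seed=0):
    """Compare chain vs. random tree on all 2**n inputs.
    Returns (equivalent?, number of cases evaluated)."""
    chain, tree = xor_chain(n), random_xor_tree(n, random.Random(seed))
    cases = 0
    for bits in itertools.product((0, 1), repeat=n):
        cases += 1
        if eval_tree(chain, bits) != eval_tree(tree, bits):
            return False, cases
    return True, cases


def associativity_counterexample(op, width):
    """Check op(op(x, y), z) == op(x, op(y, z)) for every triple of `width`-bit
    words, with wrap-around arithmetic standing in for the fixed-width C ints
    of slide 12.  Returns None if the law holds, else the first failing (x, y, z).
    Cost is 2**(3*width) evaluations, which is the 'exhaustive' line of slide 15."""
    mask = (1 << width) - 1
    for x, y, z in itertools.product(range(1 << width), repeat=3):
        left = op(op(x, y) & mask, z) & mask
        right = op(x, op(y, z) & mask) & mask
        if left != right:
            return (x, y, z)
    return None


if __name__ == '__main__':
    print(parity_trees_equivalent(12))                                # (True, 4096)
    print(associativity_counterexample(lambda a, b: a + b, 4))        # None
    print(associativity_counterexample(lambda a, b: a * b, 4))        # None
    print(associativity_counterexample(lambda a, b: a - b, 4))        # (0, 0, 1)
```

Subtraction is included only as a sanity check that the checker does report a failing triple; both addition and multiplication are associative modulo 2^width, so for them the only thing the exhaustive run measures is the 2^(3w) cost that the slides use as the baseline.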
Slide 19: Beyond SAT
- Dealing with quantifiers: DPLL as a QBF solver has had limited success; a strength for BDDs, especially with deep, alternating quantifier nesting, e.g., model checking
- Unsatisfiability: impressive progress on generating proofs and unsat cores using scaffolding from DPLL; many applications, e.g., refinement steps in model checking; no counterpart with BDDs

Slide 20: Challenge Problem: Quantifier Elimination
- Core problem for model checking: bit-level relational product; predicate abstraction [Flanagan & Qadeer, 02; Lahiri, Bryant, Cook, 03]
- Methods: BDDs: quantifier elimination, using early quantification; DPLL: SAT enumeration [Plaisted, 00; Gupta, et al., 00; McMillan 02; Clarke et al., 03]
- G(Y) = ∃X. F(X, Y)

Slide 21: Quantifier Elimination Example
- Example from predicate abstraction [Lahiri, Bryant, Cook, 03]: G = ∃X. F, with current state variables X and next state variables Y
- Current state x1, x2, x3, x4, x5, x6; predicate [(x1 x2 x3 x4 x5 x6) (x1 x2 x3 x4 x5 x6)]
- Transition constraints: (x2 y2) (y2 y1) (x4 x6 y1); x3 y4, x4 y3; x5 y6, x6 y5

Slide 22: Set Enumeration
- Run SAT checker over the formula of slide 21
- Generate a blocking clause for each newly generated element: a clause over the y literals (y1 y2 y3 y4 y5 y6), polarities chosen to exclude the assignment just found
- Satisfying assignments found:

    x1 x2 x3 x4 x5 x6 | y1 y2 y3 y4 y5 y6
     1  0  1  0  1  0 |  0  1  0  1  0  1
     1  0  1  0  1  0 |  1  0  0  1  0  1
     1  0  0  1  0  1 |  1  0  1  0  1  0
     1  0  1  0  1  0 |  0  0  0  1  0  1

Slide 23: Compressing Set Representation
- Disjunct the set elements to form a BDD
- Extract prime implicants from the BDD
- Experience: 10X reduction in number of terms
- Enumerated Y values (y1..y6): 000101, 010101, 100101, 101010
- BDD representation as prime implicants: 0*0101, *00101, 101010

Slide 24: SAT Enumeration Observations
- Performance: better than BDDs when |X| >> |Y|; only have to enumerate for unique assignments to Y
- Improvements: attempt to enlarge the solution while enumerating [McMillan 02]; build into the DPLL search loop [Lahiri, Nieuwenhuis, Oliveras, 06]: handle successful cases similarly to failures; make the solver stop before it assigns values to all variables. Implemented?
- Observation: enumerative methods seem inelegant

Slide 25: Conclusions
- 25MC = 20OBDD
- Boolean methods have driven much of the progress in model checking: BDDs & SAT
- SAT progress: impressive, but still room for improvement
- Beyond SAT: quantifiers; unsatisfiability

Slide 26: Comments?
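The enumeration loop of slide 22 and the compression step of slide 23, as an added example that is not the talk's code: a minimal DPLL (unit propagation and chronological backtracking, none of the learning or literal watching the slides mention) is wrapped in the blocking-clause loop that computes G(Y) = ∃X. F(X, Y), and the resulting set of Y assignments is compressed into prime implicants. The compression is done here by Quine-McCluskey style cube merging rather than by building a BDD as the slide does; it yields the same prime implicants. The transition relation F is constructed for this example and is not the Lahiri-Bryant-Cook formula; the compression is also run on the four Y values read off slide 23 and reproduces the three terms shown there.

```python
"""SAT enumeration for quantifier elimination, G(Y) = exists X. F(X, Y), with
blocking clauses over Y, followed by prime-implicant compression of the result.
Added example; not code from the talk.  Clauses use DIMACS-style literals
(positive int = variable, negative int = its negation)."""


def dpll(clauses, variables, assignment=None):
    """Minimal DPLL: unit propagation plus chronological backtracking (no learning).
    Returns a total assignment {var: bool} over `variables`, or None if UNSAT."""
    assignment = dict(assignment or {})
    while True:                      # unit propagation to a fixpoint
        unit = None
        for clause in clauses:
            satisfied, pending = False, []
            for lit in clause:
                var = abs(lit)
                if var in assignment:
                    if assignment[var] == (lit > 0):
                        satisfied = True
                        break
                else:
                    pending.append(lit)
            if satisfied:
                continue
            if not pending:
                return None          # clause falsified: conflict
            if len(pending) == 1:
                unit = pending[0]
                break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    for var in variables:            # branch on the first unassigned variable
        if var not in assignment:
            for value in (True, False):
                model = dpll(clauses, variables, {**assignment, var: value})
                if model is not None:
                    return model
            return None
    return assignment                # every variable assigned, no clause falsified


def enumerate_projection(clauses, x_vars, y_vars):
    """Slide-22 loop: solve F, record the Y part of the model, add a blocking clause
    that rules out that Y assignment only (so every X reaching the same Y is
    excluded at once), repeat until UNSAT.  Returns (set of Y bit strings, #SAT calls)."""
    work = [list(c) for c in clauses]
    variables = list(x_vars) + list(y_vars)
    solutions, calls = set(), 0
    while True:
        calls += 1
        model = dpll(work, variables)
        if model is None:
            return solutions, calls
        solutions.add(''.join('1' if model[v] else '0' for v in y_vars))
        work.append([-v if model[v] else v for v in y_vars])   # blocking clause over Y


def prime_implicants(minterms):
    """Slide-23 compression: merge cubes that differ in exactly one position into a
    cube with '*' there (Quine-McCluskey merging) until nothing merges.  The cubes
    that never merge are the prime implicants; together they cover exactly `minterms`."""
    level, primes = set(minterms), set()
    while level:
        merged, used = set(), set()
        cubes = sorted(level)
        for i, a in enumerate(cubes):
            for b in cubes[i + 1:]:
                diff = [k for k in range(len(a)) if a[k] != b[k]]
                if len(diff) == 1 and '*' not in (a[diff[0]], b[diff[0]]):
                    merged.add(a[:diff[0]] + '*' + a[diff[0] + 1:])
                    used.update((a, b))
        primes |= level - used
        level = merged
    return primes


# Constructed transition relation (hypothetical, not the talk's example):
# current state x1..x4 = vars 1..4, next state y1..y3 = vars 5..7, with
#   y1 <-> (x1 and x2),  y2 <-> (x3 or x4),  y3 <-> not x1.
X_VARS, Y_VARS = [1, 2, 3, 4], [5, 6, 7]
F_CLAUSES = [[-5, 1], [-5, 2], [5, -1, -2],
             [-6, 3, 4], [6, -3], [6, -4],
             [-7, -1], [7, 1]]

# The four Y projections (y1..y6) read off slide 23, used to check the compression step.
SLIDE_23_TERMS = {'000101', '010101', '100101', '101010'}

if __name__ == '__main__':
    g, calls = enumerate_projection(F_CLAUSES, X_VARS, Y_VARS)
    print(sorted(g), 'in', calls, 'SAT calls')      # 6 reachable Y values, 7 calls
    print(sorted(prime_implicants(g)))              # ['**0', '0**']
    print(sorted(prime_implicants(SLIDE_23_TERMS))) # ['*00101', '0*0101', '101010']
```

Because the blocking clause mentions only Y literals, each SAT call eliminates a whole class of X assignments at once, which is the point of slide 24's remark that only unique Y assignments need to be enumerated: the constructed F has 16 X assignments but the loop finishes after 6 satisfiable calls and one final UNSAT call. The two prime implicants 0** and **0 say directly that G(Y) is (not y1) or (not y3), i.e. the only unreachable next state is y1 = y3 = 1.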