
SAT-based Approaches for Test & Verification of Integrated Circuits (Part II) – Albert-Ludwigs-Universität Freiburg, Dr. Tobias Schubert, Chair of Computer Architecture, Institute of Computer Science, Faculty of Engineering


1. Preliminaries – Temporal Propositional Logic
Temporal propositional logic = propositional logic + temporal operators.
Linear temporal operators make statements about a single path of the computation tree:
  G ϕ: formula ϕ holds in every state on the path (“globally” or “always”)
  F ϕ: formula ϕ holds in some state on the path (“finally” or “eventually”)
  X ϕ: formula ϕ holds in the second state on the path (“next”)
  ϕ U ψ: formula ϕ holds in every state on the path until a state is reached where ψ holds (“until”)
Path quantifiers make statements about properties of states:
  A ϕ: formula ϕ holds on all paths starting in this state (“for all paths”)
  E ϕ: formula ϕ holds on some path starting in this state (“there exists a path”)
VTSA’15 Tobias Schubert – SAT-based Test & Verification 117 / 192

2. Property/Model Checking in a Nutshell
[Figure: the model M (Kripke structure) and the property ϕ (temporal logic) are the inputs of the model checker; its output is either M ⊨ ϕ or a counterexample.]

3. Property/Model Checking in a Nutshell
[Figure: example model M with states s0, s1, s2, s3 labelled with the atomic propositions p and q; the property is ϕ = E(p U q), and the model checker answers M, s0 ⊨ E(p U q).]

4. SAT-based Bounded Model Checking
Idea: formulate the existence of paths with certain properties as a satisfiability problem.
  Only properties which require the existence of paths
  Certificate or counterexample, depending on context (e.g. counterexamples for safety and liveness)
In general, arbitrarily long paths are necessary, but this is not possible in SAT!
Restriction to finite path lengths ⇒ bounded model checking

5. Model Checking vs. Bounded Model Checking
Given: a Kripke structure M, a temporal formula ϕ “suited for BMC”, and a maximum unrolling depth k.
Model Checking: M ⊨ ϕ ?
Bounded Model Checking: M ⊨_k ϕ ?
⊨_k means in this context that from the initial states in M, the outgoing paths are considered only up to a maximum length k.

6. Illustration 2-Bit Counter: Time Frame Expansion
[Figure: 2-bit counter built from two flip-flops (bits b and a) with clk and rst inputs; state graph 00 → 01 → 10 → 11 → 00 with initial state s0 = 00.]

7. Illustration 2-Bit Counter: Time Frame Expansion
[Figure: the counter unrolled over one time frame, with state variables (b0, a0) and (b1, a1).]
Let ϕ be a temporal formula and k = 1. M ⊨_1 ϕ ?

8. Illustration 2-Bit Counter: Time Frame Expansion
[Figure: the counter unrolled over two time frames, with state variables (b0, a0), (b1, a1), (b2, a2).]
Let ϕ be a temporal formula and k = 2. M ⊨_2 ϕ ?

9. Illustration 2-Bit Counter: Time Frame Expansion
[Figure: the counter unrolled over three time frames, with state variables (b0, a0), (b1, a1), (b2, a2), (b3, a3).]
Let ϕ be a temporal formula and k = 3. M ⊨_3 ϕ ?

10. SAT-based Bounded Model Checking
General flow:
  1. Generate a propositional logic formula from the given Kripke structure M, property ϕ, and unrolling depth k, which is satisfiable iff M ⊨_k ϕ
  2. Translate the formula generated above into CNF
  3. Solve it with a SAT solver:
     CNF satisfiable ⇒ M ⊨_k ϕ ⇒ certificate/counterexample
     CNF unsatisfiable ⇒ M ⊭_k ϕ ⇒ no statement can be made regarding M ⊨ ϕ
Repeat steps 1 to 3 with increasing values of k until either a counterexample is found or a fixed stopping criterion is met.

11. Construction of the propositional logic formula
Definition: Let M = (S, I, R, L) be a Kripke structure, ϕ a property, and k an unfolding depth. Then the characteristic function ⟦M, ϕ⟧_k corresponding to M, ϕ, and k is defined as
$$I(s_0) \wedge \bigwedge_{i=0}^{k-1} R(s_i, s_{i+1}) \wedge \bigwedge_{s_j \in S} \big(s_j \rightarrow L(s_j)\big) \wedge P_k(\varphi)$$
with I(s0): characteristic function of the initial states; R(s_i, s_{i+1}): characteristic function of the transition relation; L(s_j): characteristic function of the label function L; P_k(ϕ): characteristic function of ϕ at depth k.

12. Types of Properties – Safety
Safety properties specify invariants of the system: AG safe
BMC formulation for refuting safety (= proving EF ¬safe):
$$I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1}) \wedge \neg\mathit{safe}(s_k)$$

13. Types of Properties – Liveness
Liveness properties are specified in temporal logic: AF good
Refutation of liveness (= proving EG ¬good) requires infinitely long paths! If AF good is violated, there is a “lasso” on which all states satisfy ¬good.
BMC formulation:
$$I(s_0) \wedge \bigwedge_{i=0}^{k} T(s_i, s_{i+1}) \wedge \bigwedge_{i=0}^{k} \neg\mathit{good}(s_i) \wedge \bigvee_{l=0}^{k} (s_l = s_{k+1})$$

14.–17. BMC Example Safety – 2-Bit Counter
Requirement: state (1,1) may not be reached, or later an overflow will occur, i.e. the following must hold: AG(¬(b ∧ a)) ⇔ ¬EF(b ∧ a)
[Figure: counter state graph 00 → 01 → 10 → 11 with state bits b, a.]
Possible query: can one reach (1,1) from the initial state (0,0) in ≤ 2 steps?
⇒ M ⊨_2 ϕ with ϕ = EF(b ∧ a) ?
⇒ I(s0) = ¬b0 ∧ ¬a0
⇒ R(s0, s1) = (b1 ↔ (b0 ⊕ a0)) ∧ (a1 ↔ ¬a0)
⇒ R(s1, s2) = (b2 ↔ (b1 ⊕ a1)) ∧ (a2 ↔ ¬a1)
⇒ P2(ϕ) = (b0 ∧ a0) ∨ (b1 ∧ a1) ∨ (b2 ∧ a2)
⇒ ⟦M, ϕ⟧_2 = I(s0) ∧ R(s0, s1) ∧ R(s1, s2) ∧ P2(ϕ)
⇒ ⟦M, ϕ⟧_2 = 0
⇒ Starting from (0,0), (1,1) cannot be reached in at most 2 steps ⇒ M ⊭_2 ϕ !
But: M ⊭ AG(¬(b ∧ a)) ⇔ M ⊭ ¬EF(b ∧ a) !

18.–20. BMC Example Liveness – Modified 2-Bit Counter
Requirement: state (1,1) must be reachable from every state, i.e. the following must hold: AF(b ∧ a) ⇔ ¬EG(¬(b ∧ a))
[Figure: modified counter state graph 00 → 01 → 10 → 11 → 00 with an additional self-loop at state 10.]
A counterexample exists iff from the initial state (0,0) there exists a path of length k that belongs to a cycle, and in no state of this path (b ∧ a) holds.
Given k = 2 and ϕ = EG(¬(b ∧ a)):
⇒ I(s0) = ¬b0 ∧ ¬a0
⇒ R(s_i, s_{i+1}) = ((b_{i+1} ↔ (b_i ⊕ a_i)) ∧ (a_{i+1} ↔ ¬a_i)) ∨ (b_{i+1} ∧ ¬a_{i+1} ∧ b_i ∧ ¬a_i) with i = 0, 1, 2
⇒ P2(ϕ) = (¬b0 ∨ ¬a0) ∧ (¬b1 ∨ ¬a1) ∧ (¬b2 ∨ ¬a2)
⇒ [s3 ≡ s_i] = (b3 ↔ b_i) ∧ (a3 ↔ a_i) with i = 0, 1, 2
$$[\![M,\varphi]\!]_2 = I(s_0) \wedge \bigwedge_{i=0}^{2} R(s_i, s_{i+1}) \wedge \bigvee_{i=0}^{2} [s_3 \equiv s_i] \wedge P_2(\varphi)$$
⇒ ⟦M, ϕ⟧_2 = ¬b0 ∧ ¬a0 ∧ ¬b1 ∧ a1 ∧ b2 ∧ ¬a2 ∧ b3 ∧ ¬a3
⇒ Counterexample found!
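The two BMC queries above (the safety check of slides 14–17 and the liveness lasso of slides 18–20), as an added example that is not part of the slides. The propositional formulas I(s0), R(s_i, s_{i+1}), P_k(ϕ) and the lasso condition are written as Python predicates over the unrolled state bits, and all assignments are enumerated in place of the SAT solver of slide 10. It goes one step beyond the slides by also running the safety query with k = 3, where the counterexample 00 → 01 → 10 → 11 appears.

```python
from itertools import product

# Added example (not from the slides): BMC formulas of slides 14-20 for the
# 2-bit counter, evaluated by exhaustive enumeration of the unrolled state bits.
# A state is a pair (b, a) of booleans; the enumeration stands in for the SAT solver.

def I(s):
    """Initial state (0,0): ¬b0 ∧ ¬a0."""
    b, a = s
    return not b and not a

def R_counter(s, t):
    """Transition relation of the plain counter: b' ↔ b ⊕ a, a' ↔ ¬a."""
    (b, a), (b1, a1) = s, t
    return b1 == (b != a) and a1 == (not a)

def R_modified(s, t):
    """Modified counter (slides 18-20): counts as before, or stays in state (1,0)."""
    (b, a), (b1, a1) = s, t
    return R_counter(s, t) or (b1 and not a1 and b and not a)

def paths(k):
    """All candidate paths s0..sk: every combination of k+1 states."""
    states = list(product((False, True), repeat=2))
    return product(states, repeat=k + 1)

def bmc_safety(k, R=R_counter):
    """⟦M, EF(b ∧ a)⟧_k = I(s0) ∧ ⋀_{i<k} R(si, si+1) ∧ ⋁_{i≤k} (bi ∧ ai).
    Returns a satisfying path (a counterexample to AG ¬(b ∧ a)) or None."""
    for path in paths(k):
        if not I(path[0]):
            continue
        if not all(R(path[i], path[i + 1]) for i in range(k)):
            continue
        if any(b and a for b, a in path):          # P_k(EF(b ∧ a))
            return path
    return None

def bmc_liveness(k, R=R_modified):
    """⟦M, EG ¬(b ∧ a)⟧_k with the lasso condition of slide 13:
    I(s0) ∧ ⋀_{i≤k} R(si, si+1) ∧ ⋁_{l≤k} (sl = s_{k+1}) ∧ ⋀_{i≤k} ¬(bi ∧ ai).
    The path has k+2 states s0..s_{k+1}; returns it or None."""
    for path in paths(k + 1):
        if not I(path[0]):
            continue
        if not all(R(path[i], path[i + 1]) for i in range(k + 1)):
            continue
        if not any(path[l] == path[k + 1] for l in range(k + 1)):   # lasso closes
            continue
        if all(not (b and a) for b, a in path[:k + 1]):            # P_k(EG ¬(b ∧ a))
            return path
    return None

if __name__ == "__main__":
    print("safety  k=2:", bmc_safety(2))     # None: (1,1) not reachable in <= 2 steps
    print("safety  k=3:", bmc_safety(3))     # 00 -> 01 -> 10 -> 11: AG ¬(b ∧ a) refuted
    print("liveness k=2:", bmc_liveness(2))  # lasso 00 -> 01 -> 10 -> 10 on the modified counter
```

Because the transition relation is deterministic, each query has at most one model, which is why the result for the liveness query is exactly the assignment ¬b0 ∧ ¬a0 ∧ ¬b1 ∧ a1 ∧ b2 ∧ ¬a2 ∧ b3 ∧ ¬a3 from slide 20.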

21. SAT-based Bounded Model Checking
BMC can be used to disprove invariants AG ϕ ... by proving EF ¬ϕ considering paths of length k. If paths longer than k are needed for the proof, then BMC fails.
BMC can be used to disprove liveness properties like AF ϕ ... by proving EG ¬ϕ considering “lassos” of length k. If lassos longer than k are needed for the proof, then BMC fails.
In the following we restrict ourselves to invariants / safety properties.

22. Usage of BMC to falsify Safety Properties
Idea: restrict system behavior to runs of some given bounded length, i.e. runs with a bounded number of transition steps.
[Figure: the reachable state set, containing the smaller set of states reachable by runs of bounded length.]

23. Usage of BMC to falsify Safety Properties
Idea: if the restricted system is unsafe (i.e. violates some safety property / state invariant), then the original system is unsafe, too.
[Figure: the unsafe state set, the reachable state set, and the set of states reachable by runs of bounded length.]

24. Usage of BMC in the Verification Domain
[Figure: the system unrolled over time frames 0..k, I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{k−1,k} ∧ ¬P_k; each frame i has inputs x^i_0..x^i_n, state bits s^i_0..s^i_r and outputs y^i_0..y^i_m.]
Initial state I, transition relation T, property P
Iterative unrolling of the system for k = 0, 1, ..., K up to a given maximal unrolling depth K:
$$\mathit{BMC}_k = I_0 \wedge \bigwedge_{i=0}^{k-1} T_{i,i+1} \wedge \neg P_k$$
Convert BMC_k into CNF by Tseitin transformation and solve it using a SAT solver:
  CNF satisfiable ⇒ invariant condition P violated after k steps
  CNF unsatisfiable ⇒ no conclusion, next iteration step

25. Some Remarks
Typically, BMC is used as an efficient means to find errors in a system M, i.e.: for a given invariant AG ϕ, is there a k > 0 such that we can reach a state violating ϕ?
BMC is really efficient if there is a short error path.
Without extensions it is not possible to prove that ϕ holds for all reachable states.
Bounded Model Checking → Model Checking:
  Computing the “radius” of the Kripke structure
  k-induction
  Craig interpolation

26. Observation
[Figure: the unrolling of slide 24, I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{k−1,k} ∧ ¬P_k.]
k = i:     I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{i−1,i} ∧ ¬P_i
k = i + 1: I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{i−1,i} ∧ T_{i,i+1} ∧ ¬P_{i+1}
The main part of the formula remains unchanged: ¬P_i has to be removed, T_{i,i+1} ∧ ¬P_{i+1} has to be added.
How to profit from the similarity between those problems?

27. Incremental SAT Solving
In many practical applications – not only in the area of BMC – often several SAT instances are generated to solve a real-world problem.
Generated SAT instances are often very similar and contain identical subformulas.
Idea: instead of constructing and solving each instance separately, the SAT formula is processed incrementally.
Knowledge learnt so far (conflict clauses, variable activity, ...) can be re-used in later instances.
Standard feature of all modern SAT solvers.

28. Incremental SAT Solving
Main idea: make use of the knowledge learnt in the previous instance by re-using the learnt conflict clauses.
Question: is this always allowed?

29. Incremental SAT Solving
Idea: make use of the knowledge learnt in the previous instance by re-using the learnt conflict clauses. Question: is this always allowed?
Observation:
  If c is a conflict clause for SAT instance A with CNF CNF_A, then CNF_A ⇒ c.
  If instance B results from A just by adding clauses (i.e. CNF_B ⊇ CNF_A), then CNF_B ⇒ c holds as well.
  Conflict clauses may then be re-used.
But what if CNF_B ⊇ CNF_A does not hold?

30. Incremental SAT Solving
General case: CNF_A contains clauses that do not occur in CNF_B anymore.
Now we need, for each conflict clause c, the information about the set of original clauses it was derived from.
Remember: conflict clauses result from original and/or conflict clauses by resolution (cf. implication graph).
⇒ Conflict clauses which are derived from original clauses in CNF_A \ CNF_B are not allowed to be added to CNF_B!

31.–33. Illustration: Re-using Clauses
[Figure-only slides; no text was extracted.]

34.–35. Incremental SAT Solving with Assumptions
In general, storing which conflict clause depends on which original clauses is too expensive! Here is the most common approach to solve the problem:
Activation variables and assumptions
  Use “special” new de-activation variables d_i
  For clauses c which should be removable from the clause set, a positive de-activation literal is added: c := c ∪ {d_i}
  There are only positive occurrences of de-activation variables!
  Turning c on and off: turning on by d_i = 0, turning off by d_i = 1
Example: ϕ = (a ∨ b) ∧ (¬c ∨ d)
  Initial formula, ϕ_0 under assumption ¬d_0:   (a ∨ b) ∧ (¬c ∨ d) ∧ (b ∨ d_0)                (incr. step 0)
  ϕ_1 under assumptions d_0, ¬d_1:              (a ∨ b) ∧ (¬c ∨ d) ∧ (b ∨ d_0) ∧ (d ∨ d_1)    (incr. step 1)

36. Incremental SAT Solving with Assumptions
Activation variables and assumptions ...
  De-activation variables are assigned by assumptions before SAT solving (activating / de-activating clauses).
  Assumptions cannot be changed during SAT solving. (Note: unit clauses and assumptions are not the same!)
Important observation: all conflict clauses resulting from c ∪ {d_i} by resolution contain the literal d_i
⇒ If c ∪ {d_i} is turned off in the next run, i.e. d_i is set to 1 by assumption, then all conflict clauses depending on c ∪ {d_i} are turned off as well!

37. Incremental SAT Solving and BMC
[Figure: the unrolling of slide 24, I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{k−1,k} ∧ ¬P_k.]
k = i:     I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{i−1,i} ∧ ¬P_i
k = i + 1: I_0 ∧ T_{0,1} ∧ T_{1,2} ∧ ... ∧ T_{i−1,i} ∧ T_{i,i+1} ∧ ¬P_{i+1}
Add a de-activation literal d_i to each clause representing ¬P_i:
  For k = i, activate ¬P_i by assumption d_i = 0
  For k > i, de-activate ¬P_i by assumption d_i = 1
All knowledge / conflict clauses learnt for k = i can be re-used (except the knowledge depending on ¬P_i).
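The de-activation-literal scheme of slides 34–37, as an added example that is not code from the slides: a minimal DPLL solver that takes assumptions, the removable clause (b ∨ d_0) from the slide-35 example, and a resolution step showing that a clause derived from (b ∨ d_0) keeps the literal d_0 and is therefore neutralised as soon as d_0 = 1 is assumed. The clause (¬b ∨ c) is a constructed addition to ϕ so that a resolution step on b is possible; the variable numbering (a=1, b=2, c=3, d=4, d_0=5, d_1=6) is likewise an assumption of this example.

```python
# Added example, not code from the slides: a minimal DPLL solver with assumptions,
# used to show the de-activation-literal scheme of slides 34-37.
# Clauses are tuples of non-zero ints (DIMACS style: -v is the negation of v).

def simplify(clauses, lit):
    """Assign literal `lit` true: drop satisfied clauses, shorten the rest.
    Returns None if some clause becomes empty (conflict)."""
    out = []
    for c in clauses:
        if lit in c:
            continue
        if -lit in c:
            c = tuple(l for l in c if l != -lit)
            if not c:
                return None
        out.append(c)
    return out

def dpll(clauses, assignment):
    """Unit propagation plus branching; returns a model dict or None."""
    while True:
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
        clauses = simplify(clauses, unit)
        if clauses is None:
            return None
    if not clauses:
        return assignment
    lit = clauses[0][0]
    for choice in (lit, -lit):
        rest = simplify(clauses, choice)
        if rest is not None:
            model = dict(assignment)
            model[abs(choice)] = choice > 0
            result = dpll(rest, model)
            if result is not None:
                return result
    return None

def solve(clauses, assumptions=()):
    """Solve under assumptions: assumption literals are fixed before the search.
    They are not clauses, so they vanish again in the next incremental call."""
    assignment = {}
    for lit in assumptions:
        assignment[abs(lit)] = lit > 0
        clauses = simplify(clauses, lit)
        if clauses is None:
            return None
    return dpll(list(clauses), assignment)

def removable(clause, d):
    """c := c ∪ {d}: active under assumption -d, switched off under assumption d."""
    return tuple(clause) + (d,)

def resolve(c1, c2, var):
    """Resolvent of c1 (containing var) and c2 (containing -var)."""
    assert var in c1 and -var in c2
    return tuple(sorted({l for l in c1 if l != var} | {l for l in c2 if l != -var}))

# Variables: a=1, b=2, c=3, d=4; de-activation variables d0=5, d1=6 (assumed numbering).
A, B, C, D, D0, D1 = 1, 2, 3, 4, 5, 6
# phi = (a ∨ b) ∧ (¬c ∨ d) from slide 35, plus the constructed clause (¬b ∨ c).
PHI = [(A, B), (-C, D), (-B, C)]

def step0():
    """Incremental step 0: phi ∧ (b ∨ d0) under assumption ¬d0 (clause active)."""
    return solve(PHI + [removable((B,), D0)], assumptions=(-D0,))

def step1():
    """Incremental step 1: (b ∨ d0) switched off by d0, new clause (d ∨ d1) active."""
    return solve(PHI + [removable((B,), D0), removable((D,), D1)], assumptions=(D0, -D1))

def learnt_from_removable():
    """A conflict clause derived by resolution from (b ∨ d0) keeps the literal d0;
    under the assumption d0 = 1 it is satisfied and drops out of the clause set."""
    learnt = resolve(removable((B,), D0), (-B, C), B)   # (c ∨ d0)
    return learnt, simplify([learnt], D0)               # switched off -> no clause left

if __name__ == "__main__":
    print("step 0:", step0())   # b, c, d forced true by (b ∨ d0) under ¬d0
    print("step 1:", step1())   # d forced by (d ∨ d1); b no longer forced
    print("learnt:", learnt_from_removable())
```

In step 0 the unit (b) forces b, and through (¬b ∨ c) and (¬c ∨ d) also c and d; in step 1 the assumption d_0 = 1 satisfies (b ∨ d_0) and every clause resolved from it, so b is free again while (d ∨ d_1) under ¬d_1 forces d.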

38. Outline
Core Algorithms: SAT, MaxSAT, #SAT, QBF, DQBF, SMT
Applications: Bounded Model / Property Checking, Hybrid System Verification, Combinational Equivalence Checking, Path Compaction, Automatic Test Pattern Generation, Black Box Verification, Security Issues, Test Pattern Relaxation, The End

39. Satisfiability Modulo Theory
Hybrid systems: typically, embedded systems are characterized by the combination of discrete and continuous variables.
iSAT: satisfiability and BMC checker for quantifier-free Boolean combinations of arithmetic constraints over the reals and integers.
Example input: (¬b ∨ ¬c) ∧ (b → sin(x) · y < 7.2) ∧ (2x − y = 8 ∨ c) ∧ (i² = 3j − 5)
iSAT answers SAT, UNSAT, or unknown.

40. Satisfiability Modulo Theory – iSAT
iSAT is not a “pure” SAT-modulo-theory solver.
[Figure: a SAT core and an arithmetic reasoner; the SAT core hands an arithmetic constraint system to the reasoner, which answers “consistent: yes / no” and returns an explanation.]
Can be seen as a generalization of a SAT solver:
  Branch-and-deduce framework inherited from SAT
  Deduction rule for clauses: unit propagation
  Deduction rules for arithmetic operators: interval constraint propagation

41. Satisfiability Modulo Theory – ICP
Interval Constraint Propagation (ICP)
  h1 = z², z ∈ [3, 7], h1 ∈ [−2, 25]
  z ∈ [3, 7] ⇒ h1 ≥ 9 ⇒ h1 ∈ [9, 25]
  h1 ∈ [9, 25] ⇒ z ≤ 5 ⇒ z ∈ [3, 5]
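The ICP deduction of slide 41, as an added example that is not iSAT code and not from the slides: a forward rule (narrow h1 from z) and a backward rule (narrow z from h1) for the single constraint h1 = z², iterated to a fixed point. It goes slightly beyond the slide in that the backward rule also handles intervals of z that straddle zero, where the preimage of h1 consists of two symmetric pieces and their hull is kept.

```python
import math

# Added example (not from the slides, not iSAT code): interval constraint
# propagation for the constraint h1 = z^2 of slide 41.  Intervals are (lo, hi) tuples.

def intersect(x, y):
    """Intersection of two closed intervals, or None if empty."""
    lo, hi = max(x[0], y[0]), min(x[1], y[1])
    return (lo, hi) if lo <= hi else None

def forward_square(z):
    """Interval of z^2 for z in [lo, hi]."""
    lo, hi = z
    if lo >= 0:
        return (lo * lo, hi * hi)
    if hi <= 0:
        return (hi * hi, lo * lo)
    return (0.0, max(lo * lo, hi * hi))        # interval straddles zero

def backward_square(h, z):
    """Narrow z given h = z^2 in [lo, hi]: z lies in -sqrt(h) ∪ sqrt(h), intersected
    with the current interval of z.  If both pieces survive, their hull is kept
    (a single interval per variable, as in ICP)."""
    hlo, hhi = max(h[0], 0.0), h[1]
    if hhi < 0:
        return None
    r_lo, r_hi = math.sqrt(hlo), math.sqrt(hhi)
    pos = intersect((r_lo, r_hi), z)
    neg = intersect((-r_hi, -r_lo), z)
    if pos is None:
        return neg
    if neg is None:
        return pos
    return (neg[0], pos[1])

def propagate(z, h, max_iter=100):
    """Alternate forward and backward deductions until nothing changes.
    Returns (z, h) at the fixed point, or None if the constraint is infeasible."""
    for _ in range(max_iter):
        new_h = intersect(h, forward_square(z))
        if new_h is None:
            return None
        new_z = backward_square(new_h, z)
        if new_z is None:
            return None
        if (new_h, new_z) == (h, z):
            return z, h
        z, h = new_z, new_h
    return z, h

if __name__ == "__main__":
    # Slide 41: z in [3,7], h1 in [-2,25]  ->  h1 in [9,25], z in [3,5]
    print(propagate((3, 7), (-2, 25)))
    # constructed: z in [-4,2], h1 in [1,9]  ->  z in [-3,2] (hull of [-3,-1] and [1,2])
    print(propagate((-4, 2), (1, 9)))
    # constructed: h1 in [-2,5] cannot contain z^2 for z in [3,7]  ->  infeasible
    print(propagate((3, 7), (-2, 5)))
```

The first deduction of the slide (z ∈ [3,7] ⇒ h1 ∈ [9,25]) is the forward rule, the second (h1 ∈ [9,25] ⇒ z ∈ [3,5]) the backward rule; the second round changes nothing, which is the fixed point.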

42. Satisfiability Modulo Theory – BMC Mode of iSAT
[Figure: automaton with initial assignment x := 2; under input b the transition x := x² + 1, under ¬b the transition x := ∛x.]
Safety property: there’s no sequence of input values such that 3.14 ≤ x ≤ 3.15.
iSAT input:
DECL
  boole b;
  float [0.0, 1000.0] x;
INIT
  -- Initial state.
  x = 2.0;
TRANS
  -- Transition relation.
  b -> x' = x^2 + 1;
  !b -> x' = nrt(x, 3);
TARGET
  -- State(s) to be reached.
  x >= 3.14 and x <= 3.15;
COUNTEREXAMPLE – CANDIDATE SOLUTION:
b (boole): @0: [1, 1]  @1: [0, 0]  @2: [0, 0]  @3: [0, 0]  @4: [1, 1]  @5: [1, 1]  @6: [1, 1]  @7: [0, 0]  @8: [0, 0]  @9: [1, 1]  @10: [0, 0]  @11: [1, 1]
x (float): @0: [2, 2]  @1: [5, 5]  @2: [1.7099, 1.7100]  @3: [1.1874, 1.1959]  @4: [1.0589, 1.0615]  @5: [2.1214, 2.1267]  @6: [5.5013, 5.5114]  @7: [31.329, 31.3391]  @8: [3.1499, 1.1576]  @9: [1.4597, 1.4671]  @10: [3.1307, 3.1402]  @11: [1.4629, 1.4663]  @12: [3.1400, 3.1500]
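The bounded-reachability question of slide 42, as an added example that is neither iSAT code nor part of the slides: the same system (x := 2; b gives x' = x² + 1, ¬b gives x' = ∛x; target 3.14 ≤ x ≤ 3.15) unrolled depth by depth as on slide 10, but with every one of the 2^k input sequences enumerated explicitly instead of iSAT's interval search. Whether the enumeration reproduces iSAT's depth-12 candidate is not asserted: that candidate is an interval box, and plain floating point has no outward rounding, so the example only promises that any sequence it reports does reach the target.

```python
from itertools import product

# Added example (not iSAT code, not from the slides): explicit enumeration of the
# bounded-reachability question of slide 42.  Unrolling depth k means k inputs.

X0 = 2.0
TARGET = (3.14, 3.15)

def step(x, b):
    """One transition of the hybrid system for input b."""
    return x * x + 1.0 if b else x ** (1.0 / 3.0)

def run(inputs):
    """Replay an input sequence from the initial state; returns x@0 .. x@k."""
    xs = [X0]
    for b in inputs:
        xs.append(step(xs[-1], b))
    return xs

def in_target(x):
    return TARGET[0] <= x <= TARGET[1]

def explicit_bmc(max_depth):
    """Depth-by-depth unrolling: for k = 0, 1, ..., max_depth try every one of the
    2^k input sequences and return the first whose final state lies in the
    target (a counterexample to the safety property), or None.
    The work doubles per step, which is what the symbolic, interval-based
    search of iSAT avoids; floating point also cannot decide near misses of
    the 0.01-wide target reliably, which is what outward rounding is for."""
    for k in range(max_depth + 1):
        for inputs in product((False, True), repeat=k):
            if in_target(run(inputs)[-1]):
                return inputs
    return None

if __name__ == "__main__":
    print(run((True, False, False)))   # 2.0, 5.0, 1.7099..., 1.1956... (cf. x@0..x@3 on the slide)
    print(explicit_bmc(12))            # an input sequence reaching the target, or None
```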

43. Satisfiability Modulo Theory – iSAT
All acceleration techniques known from modern SAT solvers also apply to arithmetic constraints:
  Conflict-driven learning
  Non-chronological backtracking
  2-watched-literal scheme
  Restarts
  Conflict clause deletion
  Efficient decision heuristics

44.–53. Satisfiability Modulo Theory – iSAT (worked example)
Example constraint system:
  c1:   (¬a ∨ ¬c ∨ d)
  c2: ∧ (¬a ∨ ¬b ∨ c)
  c3: ∧ (¬c ∨ ¬d)
  c4: ∧ (b ∨ x ≥ −2)
  c5: ∧ (x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)
  c6: ∧ h1 = x²
  c7: ∧ h2 = −2 · y
  c8: ∧ h3 = h1 + h2
• Use a Tseitin-style transformation to rewrite the input formula into a conjunction of constraints:
  ⊲ n-ary disjunctions of bounds (‘clauses’)
  ⊲ arithmetic constraints having at most one operation symbol
• Boolean variables are regarded as 0-1 integer variables. This allows identification of literals with bounds on Booleans: b ≡ b ≥ 1, ¬b ≡ b ≤ 0
•  Auxiliary variables h1, h2, h3 are used for the decomposition of the complex constraint x² − 2y ≥ 6.2.
Search trace (DL = decision level; the constraint in parentheses is the one the deduction uses):
  DL 1: decide a ≥ 1
  DL 2: decide b ≥ 1 ⇒ c ≥ 1 (c2) ⇒ d ≥ 1 (c1) and d ≤ 0 (c3): conflict
    ⇒ learnt conflict clause  c9: ∧ (¬a ∨ ¬c)
  DL 1: a ≥ 1 ⇒ c ≤ 0 (c9) ⇒ b ≤ 0 (c2) ⇒ x ≥ −2 (c4)
  DL 2: decide y ≥ 4 ⇒ h2 ≤ −8 (c7)
  DL 3: decide x ≤ 3 ⇒ h1 ≤ 9 (c6) and h3 ≥ 6.2 (c5) ⇒ h2 ≥ −2.8 (c8): conflict with h2 ≤ −8
    ⇒ learnt conflict clause  c10: ∧ (x < −2 ∨ y < 4 ∨ x > 3)
    ← Conflict clause = symbolic description of a rectangular region of the search space which is excluded from future search
  DL 2 (after backjump): x > 3 (c10) ⇒ h1 > 9 (c6)
• Continue to split and deduce until either
  ⊲ the formula turns out to be UNSAT (unresolvable conflict),
  ⊲ the formula turns out to be SAT (point interval),
  ⊲ the solver is left with a ‘sufficiently small’ portion of the search space for which it cannot derive any contradiction.
• Avoid infinite splitting and deduction:
  ⊲ minimal splitting width
  ⊲ discard a deduced bound if it yields small progress only

54. Satisfiability Modulo Theory – iSAT
Remarks:
  All variables have to be bounded initially
  Reliable results due to outward rounding
Further features:
  Clever normalization rules
  Continue search after “unknown”
  Proof of unsatisfiability
  Unbounded model checking using interpolants
  Handling of stochastic constraint systems
  Parallelization based on message passing

55. Hybrid System Verification
Example: Train Separation in Absolute Braking Distance
  Part of the forthcoming European Train Control Standard
  Minimal distance between two trains equals braking distance plus safety margin
  First train reports position of its end to the second train every 8 seconds
  Controller of the second train automatically initiates braking to maintain the safety margin
[Figure: top-level view of the Matlab/Simulink model for two trains.]

56. Hybrid System Verification
Example: Train Separation in Absolute Braking Distance
[Figure: model of controller and train dynamics.]
Safety property to be checked: does the controller guarantee that collisions aren’t possible?

57.–59. Hybrid System Verification
Example: Train Separation in Absolute Braking Distance
[Figure-only slides; no text was extracted.]

60. Hybrid System Verification
Example: Train Separation in Absolute Braking Distance
[Figure: simulation of the error trace found by iSAT; from top to bottom, positions, accelerations, speeds, and distances of the two trains are shown.]

61. Outline (section divider repeating the outline of slide 38)

62. MaxSAT in a Nutshell
Max-SAT: given a CNF ϕ, find a truth assignment for all variables that satisfies the maximum number of clauses within ϕ.
Variants of Max-SAT:
  Partial Max-SAT: ϕ consists of hard and soft clauses; all hard clauses must be satisfied; maximize the number of satisfied soft clauses
  Weighted Max-SAT
  Weighted Partial Max-SAT

63. MaxSAT in a Nutshell
Solving (Partial) Max-SAT using SAT algorithms:
  Each soft clause gets extended by a fresh “trigger” variable: (x1 ∨ x2) → (t1 ∨ x1 ∨ x2)
  By construction, after adding trigger variables all soft clauses can be satisfied simultaneously
  Now, Max-SAT corresponds to minimizing k in ∑_{c=1}^{m} t_c ≤ k, with m representing the number of soft clauses
  Encode ∑_{c=1}^{m} t_c ≤ k with a bitonic sorting network (unary representation), convert it to CNF, and add it to the formula
  Solve the Max-SAT problem by using incremental SAT solving, iterating over k

64. Bitonic Sorting Network
[Figure: bitonic sorting network; each arrow is a comparator.]
Each arrow in the example above represents a comparator (half adder): comp(x1, x2, y1, y2) ↔ ((y1 ↔ x1 ∨ x2) ∧ (y2 ↔ x1 ∧ x2))
Using Tseitin encoding each comparator can be modeled with 2 auxiliary variables & 6 clauses.
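The trigger-variable scheme of slide 63 and the comparator network of slide 64, as an added example that is not code from the slides. It builds a bitonic sorting network out of half-adder comparators, gives the 6-clause Tseitin encoding of one comparator, and solves a small constructed partial Max-SAT instance by iterating k upwards and asking for an assignment whose sorted trigger vector has SO_{k+1} = 0. Exhaustive enumeration of the original variables stands in for the incremental SAT calls; the instance (hard and soft clauses over x1..x3) is constructed for this example.

```python
from itertools import product

# Added example, not code from the slides: trigger variables + bitonic sorting
# network (slides 63-64) on a constructed partial Max-SAT instance.
# Clauses are tuples of DIMACS-style ints (-v is the negation of variable v).

def bitonic_network(n):
    """Comparators (i, j, ones_first) of a bitonic sorting network on n = 2^m
    wires, i < j.  With ones_first the OR of the two inputs goes to wire i and
    the AND to wire j, so the network moves 1s towards the low wires."""
    assert n > 0 and n & (n - 1) == 0, "wire count must be a power of two"
    net, k = [], 2
    while k <= n:
        j = k // 2
        while j >= 1:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    net.append((i, partner, (i & k) == 0))
            j //= 2
        k *= 2
    return net

def comparator_clauses(x1, x2, y1, y2):
    """Tseitin encoding of comp(x1, x2, y1, y2): y1 ↔ x1 ∨ x2, y2 ↔ x1 ∧ x2.
    Two auxiliary variables (y1, y2) and six clauses, as stated on slide 64."""
    return [(-y1, x1, x2), (y1, -x1), (y1, -x2),
            (-y2, x1), (-y2, x2), (y2, -x1, -x2)]

def sort_unary(bits):
    """Run the network on a bit vector; returns <SO_1, ..., SO_n> = 1..1 0..0.
    Inputs are zero-padded to the next power of two and truncated afterwards."""
    n = 1
    while n < len(bits):
        n *= 2
    wires = list(bits) + [False] * (n - len(bits))
    for i, j, ones_first in bitonic_network(n):
        either, both = wires[i] or wires[j], wires[i] and wires[j]
        wires[i], wires[j] = (either, both) if ones_first else (both, either)
    return wires[:len(bits)]

def satisfied(clause, model):
    return any(model[abs(l)] == (l > 0) for l in clause)

def min_falsified(hard, soft, nvars):
    """Partial Max-SAT by the slide-63 scheme: for k = 0, 1, ... look for a model
    of the hard clauses whose triggers (one per falsified soft clause) sort to a
    unary vector with SO_{k+1} = 0, i.e. at most k soft clauses falsified.
    Returns (k, model) for the smallest k that succeeds."""
    for k in range(len(soft) + 1):
        for values in product((False, True), repeat=nvars):
            model = dict(zip(range(1, nvars + 1), values))
            if not all(satisfied(c, model) for c in hard):
                continue
            triggers = [not satisfied(c, model) for c in soft]   # t_c = 1 iff clause c is violated
            so = sort_unary(triggers)
            if k >= len(soft) or not so[k]:                       # so[k] is SO_{k+1} (0-based list)
                return k, model
    return None

# Constructed instance over x1..x3: the hard clauses force exactly one of x1, x2.
HARD = [(1, 2), (-1, -2)]
SOFT = [(-1,), (-2,), (1, 3), (-3,)]

if __name__ == "__main__":
    print(sort_unary([False, True, True, False, True]))   # [True, True, True, False, False]
    print(len(comparator_clauses(1, 2, 3, 4)), "clauses per comparator")
    print(min_falsified(HARD, SOFT, 3))                   # (1, {1: True, 2: False, 3: False})
```

Setting the single literal ¬SO_{k+1} is all that changes between iterations, which is exactly the situation the assumption mechanism of slides 34–37 is built for; here that incremental call is replaced by re-enumerating.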

65. Path Compaction
Production of circuits is error-prone: various types and sources of faults. Covered here: small-delay faults.
General workflow:
  Predefined paths obtained from a path analysis tool
  Sensitize all target paths using as few patterns as possible to reduce overall test overhead
  Test pattern relaxation
Approach: SAT-based maximization of sensitized target paths
Results: applicable to large industrial circuits; significantly reduced number of test patterns compared to other state-of-the-art approaches

66. Path Compaction
Sensitizable paths and small delay faults:
  Sensitizable path: transition from input to output
  Length of a path according to the sum of gate delays
  The longer the path, the higher the detection quality
  Two-pattern delay test

67. Path Compaction
Sensitizable paths and small delay faults:
  Small delay faults: assume additional delay for one gate; output transition too late for the clock
  The longer the path, the higher the detection quality
  Two-pattern delay test

69. Path Compaction
Maximization of sensitized target paths using Partial Max-SAT:
  s_{P_i} indicates whether a path P_i is sensitized or not
  ⟨s_{P_1}, ..., s_{P_n}⟩ gets sorted by 1’s and 0’s: ⟨SO_1, ..., SO_n⟩ = ⟨1, ..., 1, 0, ..., 0⟩
  Setting SO_i to 1 forces the solver to sensitize at least i paths

71. Outline (section divider repeating the outline of slide 38)

72. QBF in a Nutshell
Quantified Boolean Formula (QBF): extension of SAT where the variables are either universally or existentially quantified.
Example: Ψ = ∃x1 ∀x2, x3 ∃x4, ..., xn . ϕ(x1, ..., xn), where ∃x1 ∀x2, x3 ∃x4, ..., xn is the prefix and ϕ(x1, ..., xn) the matrix (CNF).
Semantics (for this particular example): Ψ is satisfied iff there exists one assignment for x1 such that for every assignment of x2 and x3 there exists one assignment for x4, ..., xn such that ϕ is satisfied.

  73. Test Pattern Relaxation using QBF
      Motivation
       - Parts of the pattern get unspecified (don't care) ⇒ test cube
       - Test properties still hold
       - Reduced overall test overhead
      Focus of this work: test cube generation with the maximum number of don't cares ⇒ optimal test cube
      Fault model considered here: again, small-delay faults

  74. Modeling Don't Cares with QBF
      [Figure: gate-level circuit with primary inputs A, B, C, internal nets D, E, G and output F, simulated once for B = 0 and once for B = 1 with A = 1 and C = 1; F = 1 in both cases]
       ⇒ F can be set to 1, even if B is unspecified!
       ⇒ Don't cares can be represented by ∀ variables
       ⇒ ∃{A, C} ∀{B} ∃{D, E, F, G} . ϕ(A, ..., G) ∧ (F)
         (∃{A, C} ∀{B} ∃{D, E, F, G} is the prefix; ϕ(A, ..., G) is the Tseitin encoding of the circuit; (F) is the property)

  75. Test Pattern Relaxation using QBF
       - Identifying small-delay faults requires two timeframes
       - Test cube with the maximum number of unspecified inputs using QBF
          - Quantify unspecified inputs universally, specified ones existentially
          - If a path for a small-delay fault is sensitizable:
             - Universally quantified inputs: excluded from the test cube
             - Existentially quantified inputs: test cube
       - But: the quantifier of a variable cannot be changed in QBF
          ⇒ Unspecified inputs are not known a priori
          ⇒ Which inputs have to be quantified universally?

  76. Test Pattern Relaxation using QBF
      Ψ = ∃SO_1, ..., SO_n, S_1, ..., S_n, E_1, ..., E_n ∀A_1, ..., A_n ∃... . ϕ_circ ∧ ϕ_prop ∧ ϕ_mux ∧ ϕ_bsn ∧ SO_k
       - Dynamic choice of (un-)specified inputs using multiplexers
       - Select input S_i switches between specified (S_i = 0 ⇒ ∃E_i) and unspecified (S_i = 1 ⇒ ∀A_i) for any primary input I_i
       - Find the maximum number of multiplexer select inputs that can be set to 1
       - Search for k such that the path is sensitizable with k unspecified inputs (SO_k = 1), but not with k + 1 (SO_{k+1} = 0)
       ⇒ Optimal test cube, i.e., maximum number of don't cares
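As an added example (not code from the slides or the presenter), the following brute-force QBF evaluator ties together the QBF semantics of slide 72, the don't-care encoding of slide 74 and the downward search for the largest k of slide 76. The three-input circuit, the variable names and the exhaustive evaluation are assumptions standing in for the real netlist and a QBF solver.

```python
from itertools import combinations

# Added example: tiny QBF evaluator used to derive an optimal test cube.
# The circuit is a constructed stand-in for the slide's netlist:
#   F = (A AND C) OR (B AND NOT C)
INPUTS = ("A", "B", "C")

def circuit(assign):
    d = assign["A"] and assign["C"]       # internal nets D, E play the role of
    e = assign["B"] and not assign["C"]   # the Tseitin variables; evaluating the
    return d or e                         # circuit resolves their inner ∃ block

def qbf_holds(prefix, matrix, assign=None):
    """Evaluate a prenex QBF by recursion over the prefix.
    prefix: list of ('E'|'A', var) pairs; matrix: assign -> bool."""
    assign = dict(assign or {})
    if not prefix:
        return matrix(assign)
    q, v = prefix[0]
    outcomes = []
    for val in (False, True):
        assign[v] = val
        outcomes.append(qbf_holds(prefix[1:], matrix, assign))
    return all(outcomes) if q == "A" else any(outcomes)

def has_test_cube(unspecified):
    """Is there a test cube that leaves `unspecified` inputs as don't cares
    and still guarantees the property F = 1?  Specified inputs form the
    outer ∃ block, unspecified ones the inner ∀ block (slide 74)."""
    prefix = [("E", v) for v in INPUTS if v not in unspecified]
    prefix += [("A", v) for v in unspecified]
    return qbf_holds(prefix, circuit)

def optimal_test_cube():
    """Search k downward: the largest k for which a cube with k don't cares
    exists (SO_k = 1 but SO_{k+1} = 0 in the slide's encoding)."""
    for k in range(len(INPUTS), -1, -1):
        for dont_cares in combinations(INPUTS, k):
            if has_test_cube(set(dont_cares)):
                return k, dont_cares
    return 0, ()
```

For this circuit no pair of inputs can be left unspecified, but any single input can, so the optimal cube has one don't care.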

  78. Motivation – Equivalence Checking
      [Figure: miter circuit; specification and implementation share the inputs X_1, X_2, their outputs Y_1, Y_2 are compared, and the result is checked for ≡ 1?]
       - Are implementation and specification equivalent?

  79. Motivation – Partial Equivalence Checking
      [Figure: miter circuit as on the previous slide, but the implementation contains black boxes BB_1 and BB_2]
       - Realizability, i.e. are there implementations of the black boxes (BBs) such that implementation and specification are equivalent?

  82. QBF vs. Dependency-QBF (DQBF)
      [Figure: two miter circuits side by side, each with inputs X_1, X_2, black boxes BB_1, BB_2 inside the implementation, outputs Y_1, Y_2 and the check ≡ 1?]
      Left: expressible with QBF
       ⇒ Approximation: BBs read all inputs
      Right: expressible with DQBF
       ⇒ More precise: BBs read their actual inputs
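Added example, not from the slides or the presenter: a brute-force realizability check for a miter with one black box, contrasting the QBF approximation (the BB reads all inputs) with the DQBF-precise view (the BB reads only the inputs wired to it). The specification Y = X1 AND X2, the implementation Y = BB(...) and the enumeration of candidate BB functions are constructed assumptions standing in for a QBF/DQBF solver.

```python
from itertools import product

# Added example: partial equivalence checking by enumerating black-box
# implementations.  Both circuits are constructed stand-ins.
N_INPUTS = 2

def spec(x):
    """Specification: Y = X1 AND X2 (x is a tuple of input bits)."""
    return x[0] and x[1]

def impl(x, bb):
    """Implementation: Y is the black box output, nothing else."""
    return bb(x)

def black_box_candidates(visible):
    """Enumerate every Boolean function over the inputs BB may read.
    `visible` lists the input indices actually wired to the black box."""
    rows = list(product((False, True), repeat=len(visible)))
    for table in product((False, True), repeat=len(rows)):
        truth = dict(zip(rows, table))
        yield lambda x, truth=truth: truth[tuple(x[i] for i in visible)]

def miter_equivalent(bb):
    """Miter check: spec XOR impl must be 0 for every input vector."""
    return all(spec(x) == impl(x, bb)
               for x in product((False, True), repeat=N_INPUTS))

def realizable(visible):
    """Is there a BB over `visible` inputs such that the miter holds for
    all inputs (exists BB, forall X)?"""
    return any(miter_equivalent(bb) for bb in black_box_candidates(visible))

def qbf_approximation():
    """QBF view: BB is allowed to read every primary input."""
    return realizable(tuple(range(N_INPUTS)))

def dqbf_precise():
    """DQBF view: BB reads only X1, its actual input on the constructed netlist."""
    return realizable((0,))
```

The over-approximation reports the black box as realizable (an AND of both inputs exists), while the precise dependency check correctly finds that no function of X1 alone matches the specification.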
