Interpolation-Sequence Based Model Checking

Yakir Vizel (1,2) and Orna Grumberg (1)

1. Computer Science Department, The Technion, Haifa, Israel.
2. Architecture, System Level and Validation Solutions, Intel Development Center, Haifa, Israel

Formal Methods in Computer Aided Design, Austin, Texas 2009

Introduction
 - Model checking
 - Forward Reachability Analysis
 - Bounded Model Checking

Interpolation
 - Interpolation
 - Interpolation-Sequence

Interpolation-Sequence Based Model Checking

Experimental Results

Given a system and a specification, does the system satisfy the specification?

[Figure: a model checker (MC) takes the System and the specification AGq and answers whether the system satisfies it.]

The specification is given in temporal logic, e.g. LTL.
 - We deal with specifications of the form AGq.
[Figure: forward reachability analysis computes the sets INIT, S1, S2, …, Sn, checking each against BAD = ¬q.]

Does the system have a counterexample of length k?

$INIT(V_0) \wedge \neg q(V_0)$
$INIT(V_0) \wedge T(V_0,V_1) \wedge \neg q(V_1)$
$INIT(V_0) \wedge T(V_0,V_1) \wedge T(V_1,V_2) \wedge \neg q(V_2)$
$\vdots$
$INIT(V_0) \wedge T(V_0,V_1) \wedge T(V_1,V_2) \wedge \dots \wedge T(V_{k-1},V_k) \wedge \neg q(V_k)$
[Figure: the exact reachable sets INIT, S1, S2, S3 with BAD = ¬q, alongside over-approximating sets INIT, I1, I2, I3.]

Given the following BMC formula, split into two parts A and B:

$\underbrace{INIT(V_0) \wedge T(V_0,V_1)}_{A} \wedge \underbrace{T(V_1,V_2) \wedge \dots \wedge T(V_{k-1},V_k) \wedge \neg q(V_k)}_{B}$

When $A \wedge B$ is unsatisfiable, an interpolant $I$ for the pair $(A, B)$ satisfies:
 - $A \Rightarrow I$
 - $I \wedge B \Rightarrow F$
 - $I$ is over the common variables of $A$ and $B$, i.e. $V_1$.

The same BMC formula partitioned in a different manner, into $A_1, A_2, \dots, A_{k+1}$:

$\underbrace{INIT(V_0) \wedge T(V_0,V_1)}_{A_1} \wedge \underbrace{T(V_1,V_2)}_{A_2} \wedge \underbrace{T(V_2,V_3)}_{A_3} \wedge \dots \wedge \underbrace{T(V_{k-1},V_k)}_{A_k} \wedge \underbrace{\neg q(V_k)}_{A_{k+1}}$

The interpolation sequence $I_1, I_2, \dots, I_{k-1}, I_k$ satisfies:
 - $I_0 = T$, $I_{k+1} = F$
 - $I_{j-1} \wedge A_j \Rightarrow I_j$
 - $I_j$ is over the common variables of $A_1, \dots, A_j$ and $A_{j+1}, \dots, A_{k+1}$, i.e. $V_j$.

Can easily be computed. For $1 \le j < n$:
 - $A = A_1 \wedge \dots \wedge A_j$
 - $B = A_{j+1} \wedge \dots \wedge A_n$
 - $I_j$ is the interpolant for the pair $(A, B)$
[Figure: interpolation sequences extracted from the BMC formulas of successive bounds; $I_{j,N}$ denotes the $j$-th interpolant of the bound-$N$ formula.]

Bound 1: $INIT(V_0) \wedge T(V_0,V_1) \wedge \neg q(V_1)$ yields $I_{1,1}$.
Bound 2: $INIT(V_0) \wedge T(V_0,V_1) \wedge T(V_1,V_2) \wedge \neg q(V_2)$ yields $I_{1,2}, I_{2,2}$.



 - A way to do reachability analysis using a SAT solver.
 - Uses the original BMC loop and adds an inclusion check for full verification.
 - Computes sets similar to those of Forward Reachability Analysis, but over-approximated.


 - Use BMC to search for bugs.
 - Partition the checked BMC formula and extract the interpolation sequence $I_{1,N}, I_{2,N}, \dots, I_{N-1,N}, I_{N,N}$:

$INIT(V_0) \wedge T(V_0,V_1) \wedge T(V_1,V_2) \wedge \dots \wedge T(V_{N-1},V_N) \wedge \neg q(V_N)$
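As an added example (not code from the paper or from these slides), here is an explicit-state Python sketch of the BMC loop from the Bounded Model Checking slide and of the extra step ISB adds to it. Formulas over $V_j$ are represented as sets of states, so the strongest interpolant of a prefix $A_1 \wedge \dots \wedge A_j$ is simply its projection onto $V_j$, the states reachable in exactly $j$ steps; that is why the sets here coincide with forward reachability instead of over-approximating it the way an interpolant derived from a SAT refutation proof would. The toy transition system, the property sets and the helper names (`bmc`, `interpolation_sequence`, `is_interpolation_sequence`, `isb_model_check`) are constructed for this example, and the inclusion check used as the fixpoint test (some accumulated set $R_j$ already covered by $INIT \cup R_1 \cup \dots \cup R_{j-1}$) is my reading of the check the slides only name, not a transcription of the paper's.

```python
"""Explicit-state sketch of interpolation-sequence based model checking (ISB).

Constructed example, not code from the FMCAD 2009 paper.  A formula over V_j
is a set of states; a model is (INIT, T, BAD) with BAD = states violating q,
so AG q holds iff no BAD state is reachable from INIT.
"""
from typing import FrozenSet, List, Optional, Tuple

State = int
Model = Tuple[FrozenSet[State], FrozenSet[Tuple[State, State]], FrozenSet[State]]

# Constructed toy system: ring 0->1->2->3->0 plus a branch 1->5 with 5->5.
INIT: FrozenSet[State] = frozenset({0})
T: FrozenSet[Tuple[State, State]] = frozenset(
    {(0, 1), (1, 2), (2, 3), (3, 0), (1, 5), (5, 5)})


def post(states: FrozenSet[State], trans) -> FrozenSet[State]:
    """Image of a state set under T (the set-level counterpart of one T(V_i,V_{i+1}))."""
    return frozenset(t for s, t in trans if s in states)


def bmc(model: Model, k: int) -> Optional[List[State]]:
    """Is there a counterexample of exactly k steps?  Mirrors the formula
    INIT(V0) ∧ T(V0,V1) ∧ ... ∧ T(V_{k-1},V_k) ∧ ¬q(V_k).  Returns the path or None."""
    init, trans, bad = model
    layers = [init]
    for _ in range(k):
        layers.append(post(layers[-1], trans))
    hits = layers[k] & bad
    if not hits:
        return None
    path = [min(hits)]                      # walk the layers back to INIT
    for j in range(k - 1, -1, -1):
        path.insert(0, min(s for s in layers[j] if (s, path[0]) in trans))
    return path


def interpolation_sequence(model: Model, k: int) -> List[FrozenSet[State]]:
    """I_1..I_k for an UNSAT bound-k formula: the strongest interpolants, i.e.
    I_j = projection of A_1 ∧ ... ∧ A_j onto V_j = states reachable in exactly j steps."""
    init, trans, _ = model
    seq, cur = [], init
    for _ in range(k):
        cur = post(cur, trans)
        seq.append(cur)
    return seq


def is_interpolation_sequence(model: Model, seq: List[FrozenSet[State]]) -> bool:
    """Check the slide's conditions with I_0 = T and I_{k+1} = F.  In set terms
    I_{j-1} ∧ A_j ⇒ I_j reads post(INIT) ⊆ I_1 (A_1 = INIT ∧ T), post(I_{j-1}) ⊆ I_j,
    and I_k ∧ ¬q ⇒ F reads I_k ∩ BAD = ∅."""
    init, trans, bad = model
    if not seq or not post(init, trans) <= seq[0]:
        return False
    for j in range(1, len(seq)):
        if not post(seq[j - 1], trans) <= seq[j]:
            return False
    return not (seq[-1] & bad)


def isb_model_check(model: Model, max_bound: int = 50):
    """The BMC loop plus an inclusion check.  R[j-1] accumulates the conjunction
    of every I_{j,N} seen so far.  Fixpoint test (assumption, see lead-in): some
    R[j] is already covered by INIT ∪ R[1] ∪ ... ∪ R[j-1]."""
    init, trans, bad = model
    if init & bad:
        return ("counterexample", [min(init & bad)])
    universe = init | bad | frozenset(s for pair in trans for s in pair)
    R: List[FrozenSet[State]] = []
    for N in range(1, max_bound + 1):
        cex = bmc(model, N)                 # falsification step
        if cex is not None:
            return ("counterexample", cex)
        seq = interpolation_sequence(model, N)
        assert is_interpolation_sequence(model, seq)   # sanity check of the extraction
        R.append(universe)
        for j in range(N):
            R[j] = R[j] & seq[j]            # strengthen with I_{j+1,N}
        covered = init
        for j in range(N):                  # inclusion check
            if R[j] <= covered:
                return ("verified", N)
            covered = covered | R[j]
    return ("unknown", max_bound)


if __name__ == "__main__":
    print(isb_model_check((INIT, T, frozenset({6}))))   # ('verified', 4): state 6 unreachable
    print(isb_model_check((INIT, T, frozenset({5}))))   # ('counterexample', [0, 1, 5])
```

On the safe property the loop never finds a bounded counterexample and stops at bound 4, when the accumulated set for step 4 ({0, 5}) is already covered by INIT and the sets for steps 1 to 3; on the unsafe property the bound-2 BMC call returns the path through the branch. Replacing `post` by a projection of an actual unrolled formula, and the exact sets by interpolants taken from a solver's refutation proof, is what turns this sketch into the SAT-based procedure the slides describe.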
[Figure: the exact forward sets INIT, S1, S2, S3 (BAD = ¬q) next to the sets INIT, I1, I2, I3 that ISB accumulates from the interpolation sequences of successive bounds.]

Bound 1: $INIT(V_0) \wedge T(V_0,V_1) \wedge \neg q(V_1)$ yields $I_{1,1}$.
Bound 2: $INIT(V_0) \wedge T(V_0,V_1) \wedge T(V_1,V_2) \wedge \neg q(V_2)$ yields $I_{1,2}, I_{2,2}$.
Bound 3: $INIT(V_0) \wedge T(V_0,V_1) \wedge T(V_1,V_2) \wedge T(V_2,V_3) \wedge \neg q(V_3)$ yields $I_{1,3}, I_{2,3}, I_{3,3}$.

Compared to interpolation-based model checking (IB):

The computation itself is different.
 - IB uses basic interpolation.
 - IB makes successive calls to BMC for the same bound.
 - IB is not incremental.

The sets computed are different.

[Figure: the set J1 computed by IB versus the exact set S1 and the set I1 computed by ISB.]

Experiments were conducted on two future CPU designs from Intel (two different architectures/tocks).
Spec  #Vars  Bound   Bound  #Int    #Int  #BMC    #BMC  Time [s]  Time [s]
             (Ours)  (M)    (Ours)  (M)   (Ours)  (M)   (Ours)    (M)
F1    3406   16      15     136     80    16      80    970       5518
F2    1753   9       8      45      40    9       40    91        388
F3    1753   16      15     136     94    16      94    473       1901
F4    3406   6       5      21      13    6       13    68        208
F5    1761   2       1      3       2     2       2     5         4
F6    3972   3       1      6       3     3       3     19        14
F7    2197   3       1      6       3     3       3     2544      1340
F8    4894   5       1      15      3     5       3     635       101



 - On false properties ISB is always faster.
 - On true properties the results vary: heavier properties favor ISB, while the easier ones favor IB.
 - Some properties cannot be verified by one method but can be verified by the other, and vice versa.

A new SAT-based method for unbounded model checking.
 - BMC is used for falsification.
 - Forward reachability analysis is simulated for verification.

The method was successfully applied to industrial-sized systems.

Thank You!