SAT-based verification temporal induction

Mary Sheeran, Chalmers

## SAT-based verification now hot

- Used here in Sweden since 1989 mostly in safety critical applications (railway control program verification)
- Bounded Model Checking a sensation in 1998
- SAT-based safety property verification in Lava since 1997
- Basic complete temporal induction method described here invented by Stålmarck during a talk on inductive proofs of circuits by Koen Claessen
- SAT-based Induction (engine H) and BMC used in Jasper Gold. Also in IBM SixthSense, at Intel etc.

## Bounded Model Checking (BMC)

- Look for bugs up to a certain length
- Proposed for use with SAT
- Used successfully in large companies, most often for safety properties (Intel, IBM)
- Can be extended to give proofs and not just bugfinding in the particular case of safety properties. (Stålmarck et al discovered this independently of the BMC people.)
- See also work by McMillan on SAT-based unbounded model checking



# Representing circuit behaviour as formulas

 $I(q0,dack) = \neg q0 \land \neg dack$ 

T((q0,dack),(q0',dack'))

$$= (q0' <-> dreq) \land (dack' <-> dreq & (q0 \lor (\neg q0 \land dack)))$$

# Representing circuit behaviour as formulas

 $I(q0,dack) = \neg q0 \land \neg dack$ 

T((q0,dack),(q0',dack'))

$$= (q0' <-> dreq) \land (dack' <-> dreq \& (q0 \lor (\neg q0 \land dack)))$$
new state depends also on input

#### Picturing transition relations

Draw I (s) as



#### Picturing transition relations

Draw I (s) as



Constraint is only on the state holding elements not on inputs

#### Picturing transition relations

Draw I (s) as



Draw T (s,s') as



#### Composing transitions into paths

$$T^{i}(s_{0}, \ldots, s_{i})$$
  
= T(s\_{0}, s\_{1}) \land T(s\_{1}, s\_{2}) \land \ldots \land T(s\_{i-1}, s\_{i})

### Composing transitions into paths

$$T^{i}(s_{0}, s_{i})$$

$$T(s_{0}, s_{1}) \wedge T(s_{1}, s_{2}) \wedge ... \wedge T(s_{i-1}, s_{i})$$



i copies

#### Representing the bad states

#### Similar to use of formula for initial states

 $B(q0,dack) = \neg q0 \land dack$ 

or may be using an observer

#### Drawing the bad states



**B**(s)



# If the corresponding formula is satisfiable, we have a bug already in the initial state!



#### Satisfiable => bug after one step



bug after two steps?



bug after three steps?



bug after four steps?



bug after four steps?

Forumula is  $I(s_0) \wedge T^n(s_0, s_1, s_2, s_3, s_4) \wedge B(s_4)$ 

Call this Base<sub>4</sub> and generalise to Base<sub>i</sub>

Can start with bound n

Choose a bound n If the formula

$$\mathbf{I}(\mathbf{s}_0) \wedge \mathbf{T}^n(\mathbf{s}_0, \dots, \mathbf{s}_n) \wedge (\mathbf{B}(\mathbf{s}_0) \vee \mathbf{B}(\mathbf{s}_1) \vee \dots \vee \mathbf{B}(\mathbf{s}_n))$$

is satisfiable, then there is a bug somewhere in the first n steps through the transition system

#### BMC

Above description covers simple safety properties

Original BMC papers cover more complex properties

Note complete lack of quantifiers! Key point.

### Temporal induction

Start thinking along the same lines









## If system is bad

- Base<sub>0</sub>
- Base<sub>1</sub>
- Base<sub>2</sub>

and so on

- Finds a shortest countermodel
- Error trace for debugging

#### But when can we stop?

when

 $I(s_0) \wedge T^i(s_0, \ldots, s_i)$ 

UNSAT ?

#### Not quite, but

when there is no such path that is loop-free

Extra formulas for loop-free "the unique states condition"

$$U^{k}(s_{0}, \ldots, s_{k}) = \bigwedge_{0 \le i < j \le k} (s_{i} \ne s_{j})$$

Size??

#### States are vectors of bits, so

#### if s=(a,b,c,d) then

$$s_0 \neq s_1$$
 is  $\neg (a_0 <-> a_1) \lor$   
 $\neg (b_0 <-> b_1) \lor$   
 $\neg (c_0 <-> c_1) \lor$   
 $\neg (d_0 <-> d_1)$ 

## We can stop if $I(s_0) \wedge T^i(s_0, ..., s_i) \wedge U^i(s_0, ..., s_i)$



#### is UNSAT



#### is UNSAT

## Only interested in shortest paths

- Don't want to go back to an initial state
- Draw non-initial as





#### is UNSAT



#### is UNSAT



This is a much better choice (may terminate much more quickly)

### Define

$$Base_k = I(s_0) \wedge T^k(s_0, \ldots, s_k) \wedge B(s_k)$$

$$\begin{aligned} \text{Step1}_{k} &= T^{k+1}(s_{0}, \ldots, s_{k+1}) \land U^{k+1}(s_{0}, \ldots, s_{k+1}) \land \\ & \bigwedge \neg B(s_{j}) \land B(s_{k+1}) \\ & \underset{0 \leq j \leq k}{\wedge} \end{aligned}$$

### Define

$$Base_k = I(s_0) \wedge T^k(s_0, \ldots, s_k) \wedge B(s_k)$$

$$\begin{aligned} \text{Step1}_{k} &= T^{k+1}(s_{0}, \ldots, s_{k+1}) \land U^{k+1}(s_{0}, \ldots, s_{k+1}) \land \\ & \bigwedge \neg B(s_{j}) \land B(s_{k+1}) \end{aligned}$$

$$Step2_{k} = T^{k+1}(s_{0}, \ldots, s_{k+1}) \wedge U^{k+1}(s_{0}, \ldots, s_{k+1}) \wedge$$
$$I(s_{0}) \wedge \bigwedge_{1 \leq j \leq k+1} \neg I(s_{j})$$

### Define

$$Base_k = I(s_0) \wedge T^k(s_0, \ldots, s_k) \wedge B(s_k)$$

$$\begin{aligned} \text{Step1}_{k} &= T^{k+1}(s_{0}, \dots, s_{k+1}) \wedge U^{k+1}(s_{0}, \dots, s_{k+1}) \wedge \\ & \bigwedge \neg B(s_{j}) \wedge B(s_{k+1}) \\ \text{Step2}_{k} &= T^{k+1}(s_{0}, \dots, s_{k+1}) \wedge U^{k+1} & \text{Won't be needed if there is only one initial state} \\ & I(s_{0}) \wedge \bigwedge \neg I(s_{j}) & \text{Won't be needed if there is only one initial state} \end{aligned}$$

# Temporal induction (Stålmarck)

i=0
while True do {
 if Sat(Base<sub>i</sub>) return False (and counter example)
 if Unsat(Step1<sub>i</sub>) or Unsat(Step2<sub>i</sub>) return True
 i=i+1
}

# **Temporal induction**

Most presentations consider only the Step1 case but I like to keep things symmetrical

Much overlap between formulas in different iterations. Was part of the inspiration behind the development (here at Chalmers) of the incremental SAT-solver miniSAT (open source, see minisat.se) (see paper by Een and Sörensson in the list later)

In reality need to think hard about what formulas to give the SAT-solver.

# **Temporal induction**

The method is sound and complete (see papers, later slides) Gives the right answer, Gives proof, not just bug-finding

Algorithm given above leads to a shortest counter-example

May also want to take bigger steps and sacrifice this property (though this may make less sense when using an incremental SAT-solver)

The method can be strengthened further. (Still ongoing research)

Definitely met with scepticism initially

To make this easier to see, rewrite

$$\neg Base_k = \neg (I(s_0) \land T^k(s_0, ..., s_k) \land B(s_k))$$

Let  $P = \neg B$  (want to prove that P holds in all reachable states)

Rewrite as

$$(I(s_0) \land T^k(s_0, ..., s_k)) => P(s_k)$$

To make this easier to see, rewrite

$$\neg Base_k = \neg (I(s_0) \land T^k(s_0, ..., s_k) \land B(s_k))$$

Let  $P = \neg B$  (want to prove that P holds in all reachable states)

Rewrite as

Now add facts from previous iterations  $\bigwedge P(s_j) \\ 0 \le j \le k$ 

To make this easier to see, rewrite

$$\neg Base_k = \neg (I(s_0) \land T^k(s_0, ..., s_k) \land B(s_k))$$

Let  $P = \neg B$  (want to prove that P holds in all reachable states)

Rewrite as

$$(I(s_0) \wedge T^k(s_0, \ldots, s_k)) \implies \bigwedge_{0 \le j \le k} P(s_j)$$



Working with the strengthend Step1

$$\neg \operatorname{Step1}_{k} = \neg (\operatorname{T}^{k+1}(s_{0}, \ldots, s_{k+1}) \land \operatorname{U}^{k+1}(s_{0}, \ldots, s_{k+1}) \land \bigwedge \operatorname{P}(s_{j}) \land \neg \operatorname{P}(s_{k+1}))$$

$$(T^{k+1}(s_0, \ldots, s_{k+1}) \wedge U^{k+1}(s_0, \ldots, s_{k+1}) \wedge \bigwedge_{0 \le j \le k} P(s_j)$$
  
=>  $P(s_{k+1})$ 

$$(T^{k+1}(s_0, \dots, s_{k+1}) \land U^{k+1}(s_0, \dots, s_{k+1}) \bigwedge_{0 \le j \le k} \Lambda P(s_j))$$
  
=>  $P(s_{k+1})$   
If P holds in cycles 0 to k  
then it also holds in the next cycle

#### Strengthened induction, depth k

$$(I(s_0) \wedge T^k(s_0, ..., s_k)) = \bigwedge_{0 \le j \le k} P(s_j)$$

$$(T^{k+1}(s_0, ..., s_{k+1}) \land U^{k+1}(s_0, ..., s_{k+1}) \land \bigwedge_{0 \le j \le k} P(s_j))$$
  
=>  $P(s_{k+1})$ 

### Strengthened induction, depth k



## induction, depth k

$$(I(s_0) \wedge T^k(s_0, ..., s_k)) = \sum_{0 \le j \le k} P(s_j)$$

$$(T^{k+1}(s_0, ..., s_{k+1}) \land \qquad \bigwedge P(s_j))$$

$$\Longrightarrow \qquad P(s_{k+1})$$





Some properties are not k-inductive no matter how big you make k



But there is a path from an initial to a bad state if and only if there is such a path without repeated states (loop-free, simple)

So Stålmarck's eureka step was vital and brilliant!

# Symbolic Trajectory Evaluation (STE)





#### STE

We already saw Symbolic Simulation.

Don't just have concrete values (and X) flowing in the circuit. Have BDDs or formulas flowing

A single run of a symbolic simulator checks an STE property requiring many concrete simulations

STE is symbolic simulation plus proof that the consequent holds

# Use of BMC and STE in verifying the Alpha



Aim: to automatically find violations of properties like Same address cannot be in two entries at once that is, bug finding during development

# Reducing the problem

 Initial circuit: 400 inputs, 14 400 latches, 15 pipeline stages



• Reduced model has 10 inputs, 600 latches

### Results

- Real bugs found, from 25 -144 cycles
- SAT-based BMC on 32 bit PC 20 -10k secs.
- Custom SMV on 64 bit Alpha took much longer (but went to larger sizes)
- STE quick to run, but writing specs takes time and expertise
- Promising results in real development

NOTE: Done by Per Bjesse, who used to assist on this course <sup>(C)</sup>. (paper on links page)

# Conclusion

BMC: the work-horse of formal hardware verification

SAT-based temporal induction is also much used

See our tutorial paper for info. on the history and the necessary development of SAT-solvers

Much research now concentrates on raising the level of abstraction at which formal reasoning is done Satisfiability Module Theories (SMT) is the hot topic