The algorithm GENERALIZE

Algorithm 3 shows the pseudo code of the algorithmGENERALIZE. It is used to generalize a counterexample, so similar assignments can be considered at the same time. The algorithm receives a clausecas input. The clausecis a negated assignment of values to all variables of the two models. Furthermore, the pre-and post-hypothesish_pre andh_post that were used to generate the assignment are given as well. The return value is a set of clauses C that describes the generalized clauses based onc.

In a first step in line 1, cis modified by removing all irrelevant assignments.

The remaining assignments suffice to cause a counterexample underh_pre and

3.2. OUR INITIAL ALGORITHM NSMC 33

Algorithm 4: REMOVE-DC

input : a clausec that is a negated assignment to all variables and two hypothesesh_preandh_post

output: a generalized clausec

1 V :=Variables(M₁)∪Variables(M₂)

2 J :=∅

3 a:=¬c

4 foreachv∈V do

5 S:=V \(J∪ {v})

6 a:=

ˆ

v∈Svˆ≡a(ˆv)

7 if CheckCex(hpre∧a, hpost, M₁, M₂,Δ) =⊥then

8 J :=J∪ {v}

9 end

10 end

11 return¬

v∈V\Jv≡a(v)

h_post, no matter which values are assigned to the remaining variables.

Next, we check if variables that still have assignments and are different in the counterexample always need to be equal in line 2. If variables are different in a counterexample, the counterexample could be caused by the difference of the variables, meaning that these variables need to be equal. According clauses that describe the equality are added toC.

The last used heuristic checks if variables can be restricted to a certain interval. The clauses that describe a new lower or upper bound are added toC in line 3. Finally,C is returned in line 4.

This specific order of generalization was chosen as each step lessens the effort of the next one. When we remove all irrelevant assignments before checking for equal pairs of variables, we only consider the relevant variables. Checking for irrelevant variables would not generalize further as the value of the irrelevant variables do not matter. Furthermore, when we detect equal variables before checking for intervals, we can use this information for better initial upper or lower bounds as equal variables share the same interval.

During generalization, the functionCheckCexis regularly called. This function receives the same inputs as Check, but checks if all states that fulfill the pre-hypothesis cause a counterexample for at least one possible method call, i.e., either reach a state that does not fulfill the post-hypothesis or generate different outputs.

Removing Don’t-Care Assignments

In the algorithmREMOVE-DC, shown in Algorithm 4, we try to remove assign-ments to don’t-care variables fromc as these are not relevant for the counterex-ample and thus consider similar assignments as well. The inputcis a negated counterexample and as such a negated assignment to all variables. In lines 1 – 3, we initialze the setV with all variables of the two modelsM₁andM₂, the setJ as empty set, and the formulaaas a negation ofc. The setJ will be used to store all irrelevant variables later on. The formulaadescribes the assignment that is negated inc.

34 CHAPTER 3. SYSTEM LEVEL EQUIVALENCE CHECKING Algorithm 5:CHECK-EQUALS

input : a clausec∈C that provides a negated partial assignment to variables, and two hypothesesh_preandh_post

output: a setC of clauses

1 V₁:=Variables(M₁)

2 V₂:=Variables(M₂)

3 a:=¬c

4 C:=∅

5 foreach(v₁, v₂)∈V₁×V₂ do

6 if a(v₁) =a(v₂)then continue

7 if a(v₁) =⊥ora(v₂) =⊥then continue

8 if δ(v₁)=δ(v₂)then continue

9 e:= (v₁≡v₂)

10 if Check(hpre∧e, e, M₁, M₂,Δ) =⊥then

11 C:=C∪ {e}

12 continue

13 end

14 if CheckCex(hpre∧e, hpost, M₁, M₂,Δ) =⊥then

15 C:=C∪ {e}

16 end

17 end

18 returnC

In the loop from lines 4 to 10, we check for each variablev∈V ifvis relevant for the counterexample. Initially, we prepare the setS = V \(J ∪ {v}). As such,S does not contain the variables that have already shown to be irrelevant and does not contain v as well. This enables us to check if the assignments of all other variables suffice to cause a counterexample. We then prepare an according assignment a in line 6. If a together with h_pre suffices to always cause a counterexample,vis added to J in line 8.

As this is a greedy approach, it does not guarantee a minimal set of relevant variables. However, it only takes linear time to compute a usually sufficient solution. This process could be speed up by analyzing the proof that generated the original counterexample like it is done in IC3 [13], an implementation of PDR.

They analyze the proof that generated the counterexample and can directly categorize variables that were not used in the proof as don’t care. In our case, this would entwine our algorithm further with the underlying model checker and would decrease the ability of our algorithm to easily exchange the model checker.

Finally, we return a new negated assignment in line 11, that contains all variables, that are not inJ.

Detecting Equal Variables

Algorithm 5 shows the algorithmCHECK-EQUALS. It checks for variables within the two models that may be required to be equal. As the input, we get a clause cwhich is the result from Algorithm 4 and as such a negated partial assignment, and finally the hypothesesh_pre andh_post. In this algorithm, we want to find clauses that state equality between variables to block more counterexamples.

3.2. OUR INITIAL ALGORITHM NSMC 35 In lines 1 and 2 we get the sets V₁ andV₂ that contain all variables from the first and the second model, respectively. In line 3, we negatec to get the non-negated assignmenta. We initialize the set of clauses C as empty set in line 4.

Next, we check for each pair of variables (v₁, v₂)∈V₁×V₂ if the counterex-ample could be caused by the inequality ofv₁andv₂. First, we check for some requirements in lines 6 – 9 before we consider equality. If the variables are equal in the counterexample, the counterexample cannot be caused by their inequality. Ifv₁or v₂ is not assigned ina, it was detected as irrelevant for the counterexample by the previously executed algorithmREMOVE-DCand as such the inequality is also not relevant. This allows us to skip all checks for equality that contain irrelevant variables and focus our algorithm only on pairs of relevant variables. Finally, when the variables are not equal in the initial state, we cannot add equality toCas the variables are obviously not equal in all reachable states.

Next, we initialize the formula ewhich states that v₁ andv₂ are equal in line 10. The check in line 11 verifies, if all states that fulfill theh_pre∧ecan only reach states wherev₁ ≡v₂. In that case, we can safely add etoC and check for the next pair of variables. Otherwise, we check if all states that fulfill the pre-hypothesis but have different values forv₁andv₂cause counterexamples. In this case, we can also addetoCas we only block states that are unsafe or can break the post-hypothesis.

Finally, in line 19, we return the modified setC.

Limiting Variables to Intervals

The algorithmCHECK-INTERVALS is used to limit variables to certain intervals instead of blocking single values and is shown in Algorithm 6. As in Algorithm 5, we get a negated partial assignmentcand two hypothesesh_pre andh_post as inputs. As output, we return a set of clauses that limits variables to certain intervals to block additional counterexamples.

Initially, we get the assignment athat is negated inc in line 1. For each integer variablev that is assigned ina, we determine the upper bounduand lower boundl according to the pre-hypothesis in lines 5 and 6. The upper and lower bounds are detected by looking for terms within the pre-hypothesis that limit v or variables that are equal to v. While this does not guarantee the optimal bounds that could be deduced from the hypothesis, it is done quickly and suffices for our approach as we merely use these bounds as starting points.

Moreover, when new bounds are learned from this algorithm, they are detected in further iterations.

We try to decreaseuby replacing it witha(v). The valuea(v) must be less than u because the assignment of a needs to fulfill the pre-hypothesis. The decrease is valid if all assignments tov outside of the interval betweenl andval would lead to counterexamples, as checked in lines 8 – 10, or the value ofvin the initial state is within the interval and the value ofvremains within the interval from any state fulfilling the pre-hypothesis after calling any function, as checked in lines 11 – 13. In a next step, we try to increase the lower bound analogously.

This preparatory step is done to consider cases where a(v) lies outside of an optimal interval forv, which is one possibility for a counterexample. In these cases, the interval can be shrinked by a significant amount with only few checks.

Otherwise, these checks will only increase the runtime slightly.

36 CHAPTER 3. SYSTEM LEVEL EQUIVALENCE CHECKING Algorithm 6:CHECK-INTERVALS

input : a clausecwhich is a negated partial assignment and two hypothesesh_preandh_post

output: a setC of clauses

1 a:=¬c

2 V :={v|a(v)=⊥}

3 C:=∅

4 foreachv∈V do

5 l:=lowerBound(v, h_pre)

6 u:=upperBound(v, h_pre)

7 decreaseUp= false

8 if CheckCex(hpre∧(v≥a(v)), hpost, M₁, M₂,Δ) =⊥then

9 decreaseUp= true

10 end

11 if Check(hpre∧(v < a(v), hpost∧(v < a(v)), M₁, M₂,Δ) =⊥then

12 if δ→(v < a(v))thendecreaseUp= true

13 end

14 if decreaseUpthenu:=a(v)

15 //Analogous process for lower bound

16 . . .

17 if increaseLowthenl:=a(v)

18 stop= false

19 while ¬stopdo

20 s:= 1

21 decreaseUp= false

22 if CheckCex(hpre∧(v≥(u−s)), hpost, M₁, M₂,Δ) =⊥then

23 decreaseUp= true

24 end

25 pre:=h_pre∧(l < v <(u−s))

26 post:=h_post∧(l < v <(u−s))

27 if (δ→(v <(u−s)))∧Check(pre,post, M₁, M₂,Δ) =⊥then

28 decreaseUp= true

29 end

30 if decreaseUpthen

31 u:=u−s

32 s:= 2s

33 else

34 if s= 1then

35 s:=^s₂

36 else

37 stop= true

38 C:=C∪ {v < u}

39 h_pre=h_pre∧(v < u)

40 end

41 end

42 end

43 stop= false

44 //Analogous process for lower bound

45 . . .

46 end

47 returnC

3.2. OUR INITIAL ALGORITHM NSMC 37 After using this coarse approach for some initial shrinking of the interval, we try to shrink the intervals even further by decreasing the detected upper bound of the interval and increasing the lower bound. For decreasing the upper bound, we initialize a step size swith 1 in line 20. Then, we check if it is possible to decreaseubysin lines 21 – 29. We use the same checks as before, i.e., checking if all values outside the new interval are counterexamples or it is impossible to leave the interval. When this is possible, we decrease ubys and doublesin lines 31 and 32 and check again with the new values. We doublesto decrease the interval within logarithmic instead of linear time. When the decrease is not possible andsis not 1, we halvesin line 35 and check again. Otherwise, sis 1, meaninguis a valid upper bound, butu−1 is not. Thus, we have detected an optimal upper bound forv, stop the loop in line 37, and add (v < u) toC and the pre-hypothesis in lines 38 and 39. After decreasing u, l is increased analogously. The idea behind starting with small step sizes is to quickly refine existing intervals that are slightly off. For example, if an existing interval is off by one, this is quickly detected by the first decrease.

Im Dokument Formal Verification throughout the Development of Robust Systems (Seite 38-43)