Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Weizmann Institute  Basic theory of Bounded Model Checking (BMC)  SAT highlights  Tuning SAT checkers for BMC  Results

Weizmann Institute The Bounded Model Checking Problem: Safety Given a Safety property p: (e.g. AG p : “always signal_a = signal_b”) Is there a state reachable within k cycles, which satisfies  p ?... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p

Weizmann Institute... s0s0 s1s1 s2s2 s k-1 sksk pp pp pp pp Given a Liveness property p: (e.g. AGAF p: “always, eventually signal_a = signal_b”) Is there a loop in the first k cycles, that non of its states satisfy p ? The Bonded Model Checking Problem: Liveness

Weizmann Institute The reachable states in k steps are captured by: The property p fails in one of the cycles 1..k: Reducing the BMC problem to SAT (1/3):

Weizmann Institute Reducing the BMC problem to SAT (2/3): The safety property p is valid up to cycle k iff  is unsatisfiable:... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p

Weizmann Institute Reducing the BMC problem to SAT (3/3): For Liveness properties, add a disjunction of possible loops:... s0s0 s1s1 s2s2 s k-1 sksk pp pp pp pp

Weizmann Institute Example : a two bit counter p = AG (  l   r). k = For k = 2,  is unsatisfiabe. For k = 4  is satisfiable

Weizmann Institute Traditional Symbolic Model-Checking with BDDs The reachable state-space is represented by a BDD The property is evaluated recursively, by iterative fix point computations on the reachable state-space. The size of the BDD is typically the bottle-neck of Model- Checking.

Weizmann Institute Why SAT? Smart DFS search - potentially will get faster to a satisfying sequence (counter example) No exponential space - growth “Satisfiability checking is a ‘luck-based technology’”

Weizmann Institute The Davis-Putnam procedure Given  in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z) Decide() Deduce() Diagnose()  X XX XX 

Weizmann Institute Decide() criteria: On which variable to split? - satisfies the most clauses (DLIS) - satisfies the shortest clause - only positive or negative (‘pure literal rule’) - most frequent : :

Weizmann Institute Results (Sec.) * * * = exceeds 10,000 sec.

Weizmann Institute Tuning SAT for BMC (1/3) 1. Use the variable dependency graph for smarter orderings. 2. Exploit information on  ’s structure to restrict the state-space. 3. Restrict Decide() to a small set of variables.

Weizmann Institute Clashing clouds... I0I0 ~Pk~Pk With general-purpose Decide() strategies, local sets of variables are satisfied a-synchronically

Weizmann Institute General-purpose Vs. tailor-made Decide() strategies...  :...  (x = ( y 1  y 2  y 3 )) ... x = T y 1 = F y 2 = F y 3 = T General purpose Back- track x = T y 1 = F y 2 = F y 3 = T Use  ‘s structure to resolve conflicts on a more local level...) Tailor made Back- track

Weizmann Institute A k-unfolding of the variable dependency graph

Weizmann Institute A head on attack... I0I0 PkPk Riding on unreachable states...  should satisfy I 0 I0I0 Riding on legal executions...  should satisfy  P k PkPk

Weizmann Institute A combined heuristic I0I0 PkPk Trigger BFS with

Weizmann Institute Given an order, guess a value  Dynamic decision  Constant value  Previous value  ‘Flat’ computation ... x 5 = 0 x 7 = ? x 9 = 0 ‘Flat’ computationPrevious value x 2 = 1 y 7 = 0 z 2 = 0 y 3 = 1 x 2 = 0 y 7 = 0 z 2 = 0 y 3 = 1

Weizmann Institute Tuning SAT for BMC (2/3) 1. Use the variable dependency graph for smarter orderings. 2. Exploit information on  ’s structure to restrict the state-space. 3. Restrict Decide() to a small set of variables.

Weizmann Institute  ’s structure can be used for adding conflicting clauses. If x 3 =T, y 7 = F, z 5 = T leads to a conflict, then   (  x 3  y 7   z 5 ) is satisfiable iff  is satisfiable. The new clause can be seen as a constraint on the state-space conflicting clauses: Exploiting  ’s structure in AGp formulas

Weizmann Institute If x 3 =T, y 7 = F, z 5 = T leads to a conflict, then so will x 2 =T, y 6 = F, z 4 = T Therefore, we can also add: (  x 2  y 6   z 4 )  (  x 1  y 5   z 3 )  (  x 0  y 4   z 2 ) and... (  x 4  y 8   z 6 ) ...  (  x k-4  y k   z k-2 ) Yet,  is not fully symmetric because of I 0. We first have to check, by simulating an assignment, if the replicated clause indeed leads to a conflict. Exploiting  ’s structure in AGp formulas

Weizmann Institute Tuning SAT for BMC (3/3) 1. Use the variable dependency graph for smarter orderings. 2. Exploit information on  ’s structure to restrict the state-space. 3. Restrict Decide() to a small set of variables.

Weizmann Institute Restricting Decide() Restricting Decide() to a smaller set of variables , that uniquely determines the satisfiability of  :  Model variables (~ 15 % of  ’s variables)  Input variables (~ 5 % of  ’s variables) Less variables to Decide() implies more variables to Deduce()

Weizmann Institute Results (Sec.) * * * = exceeds 10,000 sec.

Weizmann Institute The Conclusion Many of the (BDD) hard cases can be more efficiently solved with the optimized SAT procedure.

Weizmann Institute How big should K be? 1. The Diameter d: for all reachable states s,t, for which t is reachable from s, there exist a path from s to t with at most d-1 intermediate steps. 2. The Recurrence diameter rd: the least number r s.t. at most r consecutive states in a path are different. rd is an upper bound for d, that can be expressed as a propositional formula:

Weizmann Institute If is unsatisfiable, then Ifthen k  rd The ‘-diameter’ flag in BMC: And therefor:

Weizmann Institute Bounded cone of influence: K v u z y x 0123 u 2 - u 5, z 5, y 4 -y 5 are not used 45

Weizmann Institute Bounded cone of influence has Bounded effect: K The portion of variables that B-COI can remove is decreasing when K increases