1 Deciding separation formulas with SAT Ofer Strichman Sanjit A. Seshia Randal E. Bryant School of Computer Science, Carnegie Mellon University

2 Separation predicates  Predicates of the form x 1 < x 2 + c and x 1  x 2 + c where c is a constant  Also known as ‘difference predicates’  We will consider x 1, x 2 as either real or integer variables  Used when proving formulas derived from Timed automata, Scheduling problems, and more  Pratt: “Most inequalities arising in verification are separation predicates”

3 Deciding separation via case-splitting (1/2)  : x 1 < x  x 2 < x  (x 3 < x 1 -3  x 3 < x 1 +1) x 1 < x  x 2 < x  x 3 < x 1 -3 x 1 < x  x 2 < x  x 3 < x 1 +1 x1x1 x2x2 x3x x1x1 x2x2 x3x Theorem [Bellman, 57]: The formula is satisfiable iff the inequality graph does not contain a negative cycle. Case splitting

4 Deciding separation via case-splitting (2/2) Bellman-Ford: Finding whether there is a negative cycle in a graph is polynomial  Overall complexity: O(2 |  | ), due to case-splitting  Case-splitting is normally the bottleneck of decision procedures  Q: Is there an alternative to case-splitting ?

5 Difference Decision Diagrams(DDD) (Møller, Lichtenberg, Andersen, Hulgaard, 1999)  Similar to BDDs, but the nodes are separation predicates  Ordering on variables determines order on predicates  Semi-canonical (i.e canonical when  is a tautology or a contradiction)  : !(x 1 – x 3 < 0)  x 2 - x 3  0  !(x 2 -x 1 < 0) x 1 – x 3 < 0 x 2 - x 3  0 x 2 -x 1 < 0 10  Each path leading to ‘1’ is checked for consistency with ‘Bellman-Ford’  Worst case – an exponential no. of such paths

6  : x 1 < x  x 2 < x  (x 3 < x 1 -3  x 3 < x 1 +1) 1. Encode: 2. Build the joint graph G: x1x1 x2x2 x3x Forbid ‘true’ assignment to negative simple cycles in G: Boolean encoding (take 1) ’:’:

7 What about negations in  ? The unsatisfiable formula  : ¬(x 1 < x 2  x 2  x 1 +1) is reduced to the satisfiable formula: x1x1 x2x2 0 1 Problem: our graph does not consider the polarity of the constraints. Legend: ‘<’ ‘  ’

8 Solution #1: Consider both polarities Dual edges: x1x1 x2x2 x3x x1x1 x2x2 x3x3 3 x1x1 x2x2 x3x The joint graph: x 1 < x 2 +1 x 2  x 1 -1

9 Solution #2: Eliminate negations 1. Transform  to Negation Normal Form (NNF), and eliminate negations by reversing inequality signs 2. Rewrite ‘>’ and ‘  ’ predicates as ‘<’ and ‘  ’, e.g. rewrite x 1 > x 2 + c as x 2 < x 1 – c Solution #2 results in a smaller number of constraints

10 Problem: redundant constraints  : ( x 1 < x 2 -3  (x 2 < x 3 –1  x 3 < x 1 +1)) x1x1 x3x3 x2x2 -3 x1x1 x3x3 x2x Case splitting x1x1 x3x3 x2x The joint graph G: G creates redundant constraints

11  Let  d be the DNF representation of  Solution: Conjunctions Matrices (1/3)  We only need to consider cycles that are in one of the clauses of  d  Deriving  d is exponential. But –  Knowing whether a given set of literals share a clause in  d is polynomial, using Conjunctions Matrices

12 Conjunctions Matrices (2/3)  Let  be a formula in NNF.  Let l i and l j be two literals in .  The joining operand of l i and l j is the lowest joint parent of l i and l j in the parse tree of .  :l 0  (l 1  (l 2  l 3 ))    l0l0 l1l1 l2l2 l3l3 l 0 l 1 l 2 l 3 l0l1l2l3l0l1l2l Conjunctions Matrix M :M :

13  Claim: A set of literals L={l 0,l 1 …l n }   share a clause in  d iff for all l i,l j  L, i  j, M  [l i,l j ] =1.  : x 0 < x 1  (x 1 < x 2  (x 2 < x 3  x 3 < x 0 )) x0x0 x3x3 x2x2 x1x1 Conjunctions Matrices (3/3)  In our case the literals are separation predicates. The entries in the conjunctions matrix correspond to ‘edges between edges’  We can now consider only simple cycles that their corresponding M  graph form a clique.

14 1. Encode  (replace each separation predicate with a Boolean var) 2. Build the joint inequality graph G 3. Add a constraint forbidding ‘true’ assignment to negative simple cycles in G that their corresponding M  form a clique. 0. Normalize  (eliminate negations) Boolean encoding (take 2)

In many cases - yes. How? with variable elimination..... c1c1 c2c2 c 1+ c 2 n diamonds  2 n simple cycles. Can we do better than that ? c3c3 c4c4 Compact representation of constraints (1/2)

16 Quantifying out x 3:  Worst case exponential no. of constraints  Complexity heavily depends on elimination order c1c1 c2c2 c3c3 c 1 + c 3 c 2 + c 3 x4x4 x1x1 x1x1 x2x2 x3x3 x4x4 x4x4 x2x2 Compact representation of constraints (2/2)  Given a conjunctions matrix M , we add a constraint only if the joining operand of the two constraints is ‘  ’

17 1. Encode  (replace each separation predicate with a Boolean var) 2. Build the joint inequality graph G 3. Eliminate all variables successively: e 1 and e 2 are ingoing and outgoing edges of the eliminated variable, and M  [e 1,e 2 ]=1, and the resulting edge is e 3 then add to  ’ the constraint e 1  e 2  e 3 0. Normalize  (eliminate negations) Boolean encoding (take 3) If

18 Extension to integer variables Given  with integer separation predicates, derive  R :  Declare all variables as real  Replace x 1 < x 2 + c and x 1  x 2 + c where c is not an integer, with x 1  x 2 +  c   Replace each predicate x 1 < x 2 + c with x 1  x 2 + c – 1 Theorem:  is satisfiable iff  R is satisfiable

19 Experimental results (1/3).....  n diamonds  Each diamond has 2d edges  Top and bottom paths in each diamond are disjointed. There are 2 n conjoined cycles.  By adjusting the weights, we ensured that there is a single satisfying assignment. d=2

20 Experimental results (2/3)  Results in seconds  Using variable elimination (rather than explicit cycle enumeration) ‘Diamond’ shape formulas

21 Experimental results (3/3) Symbolic simulation of hardware designs  Results in seconds  Using variable elimination (rather than explicit cycle enumeration)

22 Discussion and conclusions (1/2)  Procedures based on case-splitting can not scale  SAT methods can also be seen as ‘case-splitting’, but they split the domain, not the formula. As a result: Pruning is easy Learning is easy Guidance is easy (“which case should we start with ?”)

23 Discussion and conclusions (2/2)  Both the reduction to SAT and solving the SAT instance are exponential  The reduction to SAT is the bottleneck of our procedure, whereas the resulting SAT instances are empirically easy to solve  The total time was shorter in all examples comparing to ICS and DDD’s  The decision procedure has recently been integrated into the theorem prover C-prover and the verification system Uclid

24 The End

25 Integrated decision procedures in Theorem-Provers All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic. Thus, reducing linear arithmetic to propositional logic will: 1. Enable integration of theories in the propositional logic level. 2. Potentially be faster than known techniques.

26 A decision procedure for separation theory Separation predicates have the form x > y + c where x,y are real variables, and c is a constant Pratt [73] (/Bellman[57]): Given a set of conjuncted separation predicates  1. Construct the `inequality graph’ 2.  is satisfiable iff there is no cycle with non-negative accumulated weight  : ( x > z +3  z > y –1  y > x+1) x y z 3 1

27 Handling disjunctions through case splitting All previously mentioned algorithms handle disjunctions by splitting the formula. This can be thought of as a two stage process: 1.Convert formula to Disjunctive Normal Form (DNF) 2.Solve each clause separately, until satisfying one of them. (A common improvement: split ‘when needed’) Case splitting is frequently the bottleneck of the procedure

28 So what can be done against case-splitting ? Given a formula , this transformation can be done if  ’ s.t. | =   | =  ’, and  ’ is decidable under a finite domain. When is this possible?  enjoys the ‘Small model property’, or Tailor-made reduction Answer: Split the domain, not the formula.

29 SAT vs. infinite-state decision procedures With finite instantiation (e.g. SAT), we split the domain. Infinite state decision procedures split the formula. So what’s the big difference ?

30 SAT vs. infinite-state decision procedures 1. Pruning. 2. Learning. 3. Guidance (prioritizing internal steps) Three mechanisms, crucial for efficient decision making: SAT has a significant advantage in all three.

31 SAT vs. infinite-state decision procedures (1/4) 1. Pruning SAT: each clause c prunes up to 2 |v|-|c| states. Others: ? (stops when finds a satisfiable clause) y x Backtrack Pruned!. (x  y). |v|=1000, |c| =2 Pruning states

32 SAT vs. infinite-state decision procedures (2/4) 2. Learning SAT: Partial assignments that lead to a conflict are recorded and hence not repeated. Others: (depends on decision procedure) - Adding proved sub-goals as antecedents to new sub-goals - …

33 SAT vs. infinite-state decision procedures (3/4) 3. Guidance (prioritizing internal steps) Guidance requires efficient estimation: Consider  1   2, where  1 is unsat and hard, and  2 is sat and easy. With proper guidance, a theorem prover should start from  2. - How hard it is to solve each sub-formula? - To what extent will it simplify the rest of the proof?

34 SAT vs. infinite-state decision procedures (4/4) 3. Guidance (cont’d) “..To what extent will it simplify the rest of the proof?” SAT: Guidance through decision heuristics (e.g. DLIS). Others: Expression ordering,... (x  y  z) (x  v) (~x  ~z) Estimating simplification by counting literals in each phase

35 This work 1.Separation predicates: 2.Separation predicates for integers: 3.Linear arithmetic: 4.Integer linear arithmetic: Extends the results of Bryant et.al. to a Boolean combination of: This work

36 Reducing separation predicates to propositional logic (4/6) B. Encode predicates and construct a graph (procedure) Let  {>,  } 1. Construct a graph G(V,E), where V = variables in . Each edge e  E is a 4-tuple (from, to, weight, ) 2. Substitute each predicate in  of the form x y+c with a Boolean variable, and add an edge (x,y,c, ) to E

37 x y z 3 1 Reducing separation predicates to propositional logic (3/6)  : ( x > z +3  (z > y –1  y  x+1))  ’: Transitivity constraints   ( )) ( B. Encode + construct graph (example): Separation graph:

38 If total weight is positive, or All edges are ‘  ’ and total weight is equal to 0 then add the constraint: C. Add transitivity constraints for each cycle C Reducing separation predicates to propositional logic (6/6)

39 x y z 3 1 Reducing separation predicates to propositional logic (5/6)  ’: Transitivity constraints   ( )) ( C. Add transitivity constraints for each simple cycle (example):  ’: (((( ))    ( (

40 Some special cases: 1. If the diamonds are ‘balanced’  O(n) constraints..... c1c1 c1c1 c1c1 c1c1 c2c2 c2c2 c2c2 c2c2 2. If there are uniform weights c 1 and c 2, c 1  c 2 on top and bottom paths  O(n 2 ) constraints Compact representation of constraints

41 Integrated decision procedures in Theorem-Provers Deciding a combination of theories is the key for automation in Theorem Provers: Boolean operators, Bit-vector, Sets, Linear-Arithmetic, Uninterpreted functions, More … f(f(x)-f(y)) != f(z) & y 10 Uninterpreted functions Linear Arithmetic Bit-Vector operators Normally, each theory is solved with its own decision procedure And the results are combined (Shostak, Nelson..).