Tuning SAT-checkers for Bounded Model-Checking: a bounded guided tour
Ofer Shtrichman, Weizmann Institute & IBM-HRL
Outline
- Basic theory of Bounded Model Checking (BMC)
- SAT highlights
- Tuning SAT checkers for BMC
- Results
The Bounded Model Checking Problem: Safety (Biere, Cimatti, Clarke, Zhu, 1999)
Given a safety property AG p, we check whether there is a state reachable within k cycles that violates p (i.e. satisfies ¬p).
[Figure: a path s_0, s_1, s_2, ..., s_{k-1}, s_k, each state labelled p or ¬p]
Reducing the BMC problem to SAT: p is preserved up to cycle k iff the unrolled formula is unsatisfiable. [The formula itself is not recoverable from the slide.]
[Figure: the same path s_0, ..., s_k with p / ¬p labels]
Example: a two-bit counter with bits l and r, and p = AG (l r) (the connective between l and r was lost from the slide). For k = 2 the unrolled formula is unsatisfiable; for k = 4 it is satisfiable.
Why SAT?
- Smart DFS search: it may reach a satisfying sequence (a counterexample) faster.
- No exponential growth in space.
- “Satisfiability checking is a ‘luck-based technology’”
Results (sec.): [table not recoverable from the slide]; * = exceeds 10,000 sec.
Tuning SAT for BMC (1/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on the formula's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
Clustered dependency graphs
A (CNF) dependency graph D(V, E): the vertices V are the variables of the formula, and (u, v) ∈ E iff u and v occur together in some clause.
A partitioning C_1..C_n of V induces a clustered dependency graph D'(V', E'): if u ∈ C_i, v ∈ C_j and (u, v) ∈ E then (C_i, C_j) ∈ E'.
Claim: for AGp there exists a partition C_0..C_k (the variables of cycles 0, ..., k) such that for all i ≠ j, if (C_i, C_j) ∈ E' then |i − j| = 1.
[Figure: clusters C_0, C_1, ..., C_k over the variable sets V_0, V_1, ..., V_k, linked in a chain]
The Davis-Putnam procedure
Given the CNF (x ∨ y ∨ z), (¬x ∨ y), (¬y ∨ z), (¬x ∨ ¬y ∨ ¬z), the procedure loops over three steps: Decide() picks an unassigned variable and a value for it; Deduce() propagates everything that now follows from unit clauses; Diagnose() handles a conflict by backtracking.
[Figure: the search tree; × marks branches that end in a conflict]
Decide() criteria: on which variable to split?
- satisfies the most clauses (DLIS)
- satisfies the shortest clause
- occurs only positively or only negatively (‘pure literal rule’)
- most frequent
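The reduction of the two-bit counter to SAT and the Decide()/Deduce()/Diagnose() loop above, as an added runnable example (this is not the slides' code). The counter design is assumed: it starts at l = 0, r = 0 and counts 00, 01, 10, 11, 00, ...; the property checked is AG ¬(l ∧ r); variables are named "l@i" and "r@i" for cycle i, and "bad@i" is an auxiliary for "both bits set in cycle i". Decide() uses DLIS, and Diagnose() is plain chronological backtracking. The last lines run the slide's own four-clause CNF through the same solver.

```python
"""DPLL (Decide / Deduce / Diagnose) plus a BMC unrolling of a two-bit counter.
Added example, not the slides' code.  Assumed design: l=0,r=0 initially, the counter
increments every cycle, and the property is AG not(l and r)."""


class Cnf:
    """Clauses are tuples of int literals; -v is the negation of variable v."""

    def __init__(self):
        self.names = {}        # variable name -> positive literal
        self.clauses = []

    def var(self, name):
        if name not in self.names:
            self.names[name] = len(self.names) + 1
        return self.names[name]

    def add(self, *lits):
        self.clauses.append(tuple(lits))


def deduce(clauses, assign):
    """Deduce(): unit propagation.  Mutates assign; returns False on a conflict."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assign.get(abs(lit)) == (lit > 0) for lit in clause):
                continue                      # clause already satisfied
            free = [lit for lit in clause if abs(lit) not in assign]
            if not free:
                return False                  # every literal false: conflict
            if len(free) == 1:                # unit clause forces its literal
                assign[abs(free[0])] = free[0] > 0
                changed = True
    return True


def decide_dlis(clauses, assign):
    """Decide() by DLIS: the literal that would satisfy the most open clauses."""
    score = {}
    for clause in clauses:
        if any(assign.get(abs(lit)) == (lit > 0) for lit in clause):
            continue
        for lit in clause:
            if abs(lit) not in assign:
                score[lit] = score.get(lit, 0) + 1
    return max(score, key=score.get) if score else None


def dpll(clauses, assign=None, decide=decide_dlis):
    """Returns a satisfying assignment {var: bool} or None.  Diagnose() here is
    chronological backtracking: a conflict flips the most recent decision."""
    assign = dict(assign or {})
    if not deduce(clauses, assign):
        return None
    lit = decide(clauses, assign)
    if lit is None:                           # no open clause left: satisfied
        return assign
    for choice in (lit, -lit):
        assign[abs(choice)] = choice > 0
        model = dpll(clauses, assign, decide)
        if model is not None:
            return model
    return None


def satisfies(clauses, model):
    return all(any(model.get(abs(l), False) == (l > 0) for l in c) for c in clauses)


def counter_bmc(k):
    """I(s0), T(s_i, s_{i+1}) for i < k, and 'l and r both hold in some cycle <= k'."""
    cnf = Cnf()
    l = lambda i: cnf.var(f"l@{i}")
    r = lambda i: cnf.var(f"r@{i}")
    cnf.add(-l(0))
    cnf.add(-r(0))                                                   # I: start at 00
    for i in range(k):
        cnf.add(r(i + 1), r(i)); cnf.add(-r(i + 1), -r(i))           # r' = not r
        cnf.add(-l(i + 1), l(i), r(i)); cnf.add(-l(i + 1), -l(i), -r(i))
        cnf.add(l(i + 1), -l(i), r(i)); cnf.add(l(i + 1), l(i), -r(i))   # l' = l xor r
    bad = []
    for i in range(k + 1):
        b = cnf.var(f"bad@{i}")                                      # bad@i -> l@i and r@i
        cnf.add(-b, l(i)); cnf.add(-b, r(i))
        bad.append(b)
    cnf.add(*bad)                                                    # not p in some cycle
    return cnf


def counterexample(k):
    """None if AG not(l and r) holds for k cycles, else the violating trace."""
    cnf = counter_bmc(k)
    model = dpll(cnf.clauses)
    if model is None:
        return None
    return {name: model.get(v, False) for name, v in cnf.names.items()}


if __name__ == "__main__":
    print("k=2:", counterexample(2))                   # None: unsatisfiable
    print("k=4:", counterexample(4))                   # trace with l@3 = r@3 = True
    slide_cnf = [(1, 2, 3), (-1, 2), (-2, 3), (-1, -2, -3)]   # x=1, y=2, z=3
    print("slide CNF:", dpll(slide_cnf))
```

The deterministic counter makes Deduce() do almost all the work: after the two initial-state units, propagation fixes every l@i and r@i, and the only decision left is on the "bad" disjunction, which is why k = 2 is refuted without any backtracking.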
The local effect of assignments
1. A ‘chain reaction’ in neighbouring variables, due to:
   (1) unit clauses in Deduce() (strong): with (x ∨ y), the assignment x = F forces y = T;
   (2) the decision criteria in Decide() (weak): with (x, y, z), (x, y, u), after x = F the decision y = T satisfies both clauses at once.
2. AGp: each clause of the formula contains variables from at most 2 cycles.
Clashing clouds
[Figure: two growing regions of assigned variables, one around I_0 and one around ¬P_k]
With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously: assignments grow around the initial state and around the property violation at cycle k, and the two regions eventually clash.
General-purpose vs. tailor-made Decide() strategies
[Figure: a clause of the formula defining x_5 in terms of y_4, z_5 and u_4 (the connective was lost from the slide), and the assignment x_5 = T, y_4 = F, z_5 = F, u_4 = T that conflicts with it]
General purpose: the conflicting assignments were made far apart in the decision sequence, so the backtrack is long.
Tailor made: use the formula's structure to resolve conflicts on a more local level, so the backtrack is short.
A head-on attack
[Figure: I_0 at the left end of the unrolling, P_k at the right end]
Riding on legal executions: decide forward from cycle 0; the partial assignments are prefixes of real executions, and they should eventually satisfy P_k (the property constraint at cycle k).
Riding on unreachable states: decide backward from cycle k; the partial assignments may describe unreachable states, and they should eventually satisfy I_0.
A combined heuristic
[Figure: I_0 and P_k at the two ends of the unrolling]
Trigger BFS with [not recoverable from the slide]
Given an order, guess a value
- Dynamic decision
- Constant value
- Previous value
- ‘Flat’ computation
[Figure: examples for ‘flat’ computation (x_5 = 0, x_7 = ?, x_9 = 0) and for previous value (x_2 = 1, y_7 = 0, z_2 = 0, y_3 = 1 / x_2 = 0, y_7 = 0, z_2 = 0, y_3 = 1)]
Tuning SAT for BMC (2/3)
2. Exploit information on the formula's structure to restrict the state-space.
Exploiting the formula's structure in AGp formulas: conflicting clauses
If x_3 = T, y_7 = F, z_5 = T leads to a conflict, then adding the conflict clause (¬x_3 ∨ y_7 ∨ ¬z_5) to the formula preserves satisfiability: the conjunction is satisfiable iff the original formula is. The new clause can be seen as a constraint on the search-space.
Exploiting the formula's structure in AGp formulas: replicating conflict clauses
If x_3 = T, y_7 = F, z_5 = T leads to a conflict, then so will x_2 = T, y_6 = F, z_4 = T. Therefore we can also add (¬x_2 ∨ y_6 ∨ ¬z_4), (¬x_1 ∨ y_5 ∨ ¬z_3), (¬x_0 ∨ y_4 ∨ ¬z_2) and (¬x_4 ∨ y_8 ∨ ¬z_6), ..., (¬x_{k−4} ∨ y_k ∨ ¬z_{k−2}).
Yet the formula is not fully symmetric, because of I_0. So before adding a replicated clause we first check, by simulating the assignment that falsifies it, that it indeed leads to a conflict.
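The replication-with-simulation step on the two slides above, as an added example (not the slides' code). Everything about the formula is assumed: variable names are "<name>@<cycle>", literals are (variable, polarity) pairs, and the unrolling is a constructed design with a toggling bit a (a' = ¬a, I_0: a@0 = 0) and a bit b with b' = a ∧ b. Its transition clauses are identical up to a cycle shift while I_0 breaks the symmetry at cycle 0, which is exactly the situation the slide warns about.

```python
"""Replicating a conflict clause along the unrolling, with the simulation check.
Added example, not the slides' code.  The formula (toggle_system) is constructed."""


def propagate(clauses, assign):
    """Deduce(): unit propagation on assign (variable -> bool); False on a conflict."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assign.get(v) == s for v, s in clause):
                continue
            free = [(v, s) for v, s in clause if v not in assign]
            if not free:
                return False
            if len(free) == 1:
                assign[free[0][0]] = free[0][1]
                changed = True
    return True


def shift(clause, d):
    """Move every literal of the clause d cycles along the unrolling."""
    return tuple((f"{v.split('@')[0]}@{int(v.split('@')[1]) + d}", s) for v, s in clause)


def replicate(clauses, learned, k):
    """Cycle-shifted copies of `learned` that stay inside cycles 0..k and that the
    simulation confirms: falsifying the copy must run into a conflict by propagation
    alone.  A copy that does not is dropped, since I0 may make it false."""
    cycles = [int(v.split("@")[1]) for v, _ in learned]
    kept = []
    for d in range(-min(cycles), k - max(cycles) + 1):
        if d == 0:
            continue
        candidate = shift(learned, d)
        trial = {v: (not s) for v, s in candidate}   # assignment that falsifies it
        if not propagate(clauses, trial):
            kept.append(candidate)
    return kept


def toggle_system(k):
    """Constructed unrolling: I0 and k copies of the transition relation."""
    cls = [(("a@0", False),)]                                            # I0: a = 0
    for i in range(k):
        a, a1, b, b1 = f"a@{i}", f"a@{i + 1}", f"b@{i}", f"b@{i + 1}"
        cls += [((a1, True), (a, True)), ((a1, False), (a, False))]         # a' = not a
        cls += [((b1, False), (a, True)), ((b1, False), (b, True)),         # b' = a and b
                ((b1, True), (a, False), (b, False))]
    return cls


if __name__ == "__main__":
    phi = toggle_system(6)
    # (not a@2) holds only because of I0: a is 0 in even cycles and 1 in odd ones,
    # so the copies at odd cycles are rejected by the simulation.
    print(replicate(phi, (("a@2", False),), 6))
    # (not b@4 or not a@4) follows from the transition relation alone: all copies kept.
    print(replicate(phi, (("b@4", False), ("a@4", False)), 6))
```

The check is sound because a clause whose negation is refuted by unit propagation is implied by the formula; it is also incomplete, so a replicated clause that is implied but only by a deeper argument is silently skipped rather than wrongly added.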
Tuning SAT for BMC (3/3)
3. Restrict Decide() to a small set of variables.
Restricting Decide()
Restrict Decide() to a smaller set of variables that uniquely determines the satisfiability of the formula:
- model variables (~15% of the formula's variables)
- input variables (~5% of the formula's variables)
Fewer variables for Decide() means more variables for Deduce() to derive.
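The dependency-graph machinery of the first tuning item (clustering by cycle, the adjacency claim, and a forward cycle-by-cycle Decide() order) together with the restriction of Decide() to model and input variables, as an added example (not the slides' code). The unrolled formula is constructed: a one-bit register s that flips when the input i is 1, with I_0: s@0 = 0 and the property p = ¬s checked at cycle k only (earlier cycles are assumed to be covered by the runs with smaller k); variables are named "<name>@<cycle>", and "bad@k" is an auxiliary standing for ¬p(s_k).

```python
"""Dependency graph of an unrolled CNF, its clustering by cycle, and a static Decide()
order over state/input variables only.  Added example, not the slides' code; the
unrolled design is constructed."""
from collections import defaultdict

STATE_VARS = {"s"}
INPUT_VARS = {"i"}


def unroll(k):
    """Constructed unrolling: I(s_0), T for each step, and not p at cycle k.  Literals
    are (variable, polarity) pairs; a clause is a tuple of literals."""
    cls = [(("s@0", False),)]                                   # I: s starts at 0
    for j in range(k):
        s, s1, i = f"s@{j}", f"s@{j + 1}", f"i@{j}"
        cls += [((s1, False), (s, True), (i, True)),            # s' = s xor i
                ((s1, False), (s, False), (i, False)),
                ((s1, True), (s, False), (i, True)),
                ((s1, True), (s, True), (i, False))]
    bad, sk = f"bad@{k}", f"s@{k}"                              # bad@k <-> s@k (not p)
    cls += [((bad, True),), ((bad, False), (sk, True)), ((bad, True), (sk, False))]
    return cls


def dependency_graph(clauses):
    """D(V, E): variables are vertices; two variables are adjacent iff they share a clause."""
    g = defaultdict(set)
    for clause in clauses:
        vs = {v for v, _ in clause}
        for v in vs:
            g[v] |= vs - {v}
    return g


def name_of(var):
    return var.split("@")[0]


def cycle_of(var):
    return int(var.split("@")[1])


def clustered_graph(g):
    """E' of D'(V', E') with C_j = the variables of cycle j: (i, j) is an edge whenever
    some u in C_i is adjacent to some v in C_j, i != j."""
    return {(cycle_of(u), cycle_of(v)) for u in g for v in g[u] if cycle_of(u) != cycle_of(v)}


def clusters_are_chained(eprime):
    """The claim for AGp: cluster edges only join adjacent cycles."""
    return all(abs(i - j) == 1 for i, j in eprime)


def forward_order(g, decide_on=STATE_VARS | INPUT_VARS):
    """Static Decide() order: BFS over D from the cycle-0 variables, lower cycles first,
    visiting only the variables in decide_on (auxiliaries are left to Deduce())."""
    start = sorted(v for v in g if cycle_of(v) == 0 and name_of(v) in decide_on)
    order, seen, queue = [], set(start), list(start)
    while queue:
        v = queue.pop(0)
        order.append(v)
        for w in sorted(g[v], key=lambda x: (cycle_of(x), x)):
            if w not in seen and name_of(w) in decide_on:
                seen.add(w)
                queue.append(w)
    return order


if __name__ == "__main__":
    g = dependency_graph(unroll(3))
    print(sorted(clustered_graph(g)), clusters_are_chained(clustered_graph(g)))
    print(forward_order(g))
```

If instead the violation is encoded as one clause ⋁_i ¬p(s_i) over all cycles, that clause links every cluster to every other and the adjacency claim fails; the incremental "check ¬P_k only" encoding is what keeps the clustered graph a chain.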
Results (sec.): [table not recoverable from the slide]; * = exceeds 10,000 sec.
Conclusion: many of the cases that are hard for BDDs can be solved more efficiently with the optimized SAT procedure.
The Bounded Model Checking Problem: Liveness
Given a liveness property p (e.g. AG AF p: “always, eventually signal_a = signal_b”): is there a loop within the first k cycles none of whose states satisfies p?
[Figure: a path s_0, s_1, s_2, ..., s_{k-1}, s_k with a back edge closing the loop; the loop states are labelled ¬p]
Traditional model checking with BDDs
The reachable state-space is represented by a BDD (we stop ‘adding’ cycles when a fixpoint is reached). The property is evaluated recursively, by iterative fixpoint computations on the state-space. The size of the BDD is typically the bottleneck of model checking.
Reducing the BMC problem to SAT (3/3): for liveness properties, add a disjunction over the possible loops (one disjunct per position the path may loop back to). [The formula is not recoverable from the slide.]
[Figure: the path s_0, ..., s_k with the back edge; loop states labelled ¬p]
How big should k be?
1. The diameter d: for all reachable states s, t such that t is reachable from s, there exists a path from s to t with at most d − 1 intermediate steps.
2. The recurrence diameter rd: the least number r such that at most r consecutive states in a path are different.
rd is an upper bound for d, and it can be expressed as a propositional formula: [formula not recoverable from the slide]
The ‘-diameter’ flag in BMC: if the recurrence-diameter formula is unsatisfiable, then k ≥ rd, and therefore the k-bounded check is complete: a property with no counterexample of length at most k has no counterexample at all.
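As an added worked example (not from the slides, whose own formulas did not survive extraction), writing I(s) for the initial-state predicate, T(s, s') for the transition relation and p(s) for the property evaluated at a state (these three symbols are assumed here), the three reductions read as follows. For safety (AG p), the unrolling over k cycles is

\[
\varphi_k \;=\; I(s_0)\;\wedge\;\bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})\;\wedge\;\bigvee_{i=0}^{k} \neg p(s_i),
\]

and p is preserved up to cycle k iff \(\varphi_k\) is unsatisfiable. For liveness (AG AF p, violated by a loop none of whose states satisfies p), the disjunction over the possible loops is a disjunction over the cycle l that the last state loops back to:

\[
\psi_k \;=\; I(s_0)\;\wedge\;\bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})\;\wedge\;\bigvee_{l=0}^{k}\Big( T(s_k, s_l)\;\wedge\;\bigwedge_{i=l}^{k} \neg p(s_i)\Big).
\]

For the recurrence diameter, ask for an initialized path whose k+1 states are pairwise distinct:

\[
\rho_k \;=\; I(s_0)\;\wedge\;\bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})\;\wedge\;\bigwedge_{0 \le i < j \le k} s_i \neq s_j .
\]

If \(\rho_k\) is unsatisfiable, no initialized path has more than k distinct states, so k ≥ rd ≥ d; every reachable state then appears on some path of at most k steps from an initial state, and an unsatisfiable \(\varphi_k\) proves AG p outright. Restricting \(\rho_k\) to paths that start in I only makes the bound tighter than the unrestricted recurrence diameter.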
General SAT vs. AGp: [Figure: a general SAT instance over k variables, contrasted with the structured AGp unrolling]
Bounded cone of influence
[Figure: dependency grid of the variables v, u, z, y, x over cycles 0..5 with K = 5; u_2..u_5, z_5 and y_4..y_5 are not used and can be dropped from the formula]
Bounded cone of influence has a bounded effect
[Figure: portion of removable variables plotted against K]
The portion of variables that B-COI can remove decreases as K increases.
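The bounded cone of influence on the two slides above (which variables of the k-unfolding the property at cycle K can depend on, and why the fraction B-COI removes shrinks as K grows), as an added example that is not the slides' code. The design is constructed: five state variables x, y, z, u, v whose next-state functions read the current-state variables listed in NEXT_READS, and a property that reads only x; the slide's own figure used a different design whose dependencies are not given.

```python
"""Bounded cone of influence over the k-unfolding of a variable dependency graph.
Added example, not the slides' code; the design (NEXT_READS, PROPERTY_READS) is constructed."""

# Constructed: the next-state function of each variable reads these current-state variables.
NEXT_READS = {"x": {"x", "y"}, "y": {"y", "z"}, "z": {"z", "u"}, "u": {"u", "v"}, "v": {"v"}}
PROPERTY_READS = {"x"}     # p is evaluated at cycle k and depends on x only


def bounded_coi(next_reads, prop_reads, k):
    """Variables (name, cycle) that can influence the property at cycle k: backward
    reachability from prop_reads at cycle k along the unfolded dependency edges
    w@(c-1) -> v@c for every w in next_reads[v]."""
    cone = {(v, k) for v in prop_reads}
    stack = list(cone)
    while stack:
        v, c = stack.pop()
        if c == 0:
            continue
        for w in next_reads[v]:
            if (w, c - 1) not in cone:
                cone.add((w, c - 1))
                stack.append((w, c - 1))
    return cone


def unused_variables(next_reads, prop_reads, k):
    """Variables of the k-unfolding that B-COI lets the encoder drop, as "v@c" names."""
    cone = bounded_coi(next_reads, prop_reads, k)
    return sorted(f"{v}@{c}" for v in next_reads for c in range(k + 1) if (v, c) not in cone)


def removable_fraction(next_reads, prop_reads, k):
    """Share of the (k+1) * |variables| unfolded variables outside the cone."""
    total = len(next_reads) * (k + 1)
    return 1 - len(bounded_coi(next_reads, prop_reads, k)) / total


if __name__ == "__main__":
    print(unused_variables(NEXT_READS, PROPERTY_READS, 4))
    for k in (4, 9, 19):
        print(k, round(removable_fraction(NEXT_READS, PROPERTY_READS, k), 3))
```

With a dependency chain of length 5, the cone at cycle K − j contains min(j + 1, 5) variables, so only the last few cycles before K are thinned out; every earlier cycle keeps all its variables, and the removable share goes 0.4, 0.2, 0.1 for K = 4, 9, 19.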
Reducing the BMC problem to SAT (1/3)
The reachable states in k steps are captured by: [formula not recoverable from the slide]
The property p fails in one of the cycles 1..k: [formula not recoverable from the slide]
A k-unfolding of the variable dependency graph
[Figure: the dependency graph over the design's variables, replicated once per cycle 0..k]