Carnegie Mellon University SAT-Based Decision Procedures for Linear Arithmetic and Uninterpreted Functions SAT-Based Decision Procedures for Linear Arithmetic and Uninterpreted Functions Randal E. Bryant

– 2 – Decision Procedures in Formal Verification RTL/ Source Code + Specifi- cation Abstraction Verification OK Error Formal Model + Specifi- cation Decision Procedure for Decidable Fragment of First-Order Logic Applications: Out-of-order, Pipelined Microprocessors; Cache Coherence Protocols; Device Drivers; Compiler Validation; …

– 3 – SAT-based Decision Procedures Input Formula Boolean Formula satisfiable unsatisfiable Satisfiability-preserving Boolean Encoder SAT Solver EAGER ENCODING Input Formula Boolean Formula satisfiable unsatisfiable Approximate Boolean Encoder SAT Solver satisfying assignment satisfiable First-order Conjunctions SAT Checker unsatisfiable additional clause LAZY ENCODING

– 4 – Lazy Encoding Characteristics +Can be extended to handle wide variety of theories +Clean & modular design –Does not scale well Number of calls to conjunction checker typically exponential in formula size Each call independent: nothing learned in one call can be exploited by another First-order Conjunctions SAT Checker Uninterpreted Functions Linear Arithmetic Bit Vectors Theory N Theory Combiner

– 5 – Eager Encoding Characteristics –Must encode all information about domain properties into Boolean formula –Some properties can give exponential blowup +Lets SAT solver do all of the work Good Approach for Some Domains Modern SAT solvers have remarkable capacity Good at extracting relevant portions out of very large formulas Learns about formula properties as search proceeds  Focus of this talk Input Formula Boolean Formula satisfiable unsatisfiable Satisfiability-preserving Boolean Encoder SAT Solver

– 6 – x0x0 x1x1 x2x2 x n-1 Data and Function Abstraction ALUALU x  f  Bit-vectors to (unbounded) Integers Functional units to Uninterpreted Functions a = x  b = y  f(a,b) = f(x,y) Common Operations 1010 x y p ITE(p, x, y) If-then-else x y x = y = Test for equality

– 7 – Abstract Modeling of Microprocessor For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Also view instruction memory as function Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control F1F1 F2F2 F3F3

– 8 – EUF: Equality with Uninterp. Functs Decidable fragment of first order logic Formulas ( F ) Boolean Expressions  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation P (T 1, …, T k ) Predicate application Terms ( T ) Integer Expressions ITE(F, T 1, T 2 ) If-then-else Fun (T 1, …, T k ) Function application Functions ( Fun ) Integer  Integer f Uninterpreted function symbol Read, Write Memory operations Predicates ( P ) Integer  Boolean p Uninterpreted predicate symbol

– 9 – EUF Decision Problem Circuit Representation of Formula Truth Values Dashed Lines Model Control Logical connectives Equations Integer Values Solid lines Model Data Uninterpreted functions If-Then-Else operationTask Determine whether formula F is universally valid True for all interpretations of variables and function symbols Often expressed as (un)satisfiability problem »Prove that formula  F is not satisfiable =   f T F T F f T F  = e 1 e 0 x 0 d 0 T F T F T F e 1 e 0 x 0 d 0 =   f f  =

– 10 – =   f T F T F f T F  = e 1 e 0 x 0 d 0 T F T F T F e 1 e 0 x 0 d 0 =   f f  = Finite Model Property for EUF Observation Any formula has limited number of distinct expressions Only property that matters is whether or not different terms are equal x0x0 d0d0 f (x0)f (x0) f (d0)f (d0)

– 11 – Boolean Encoding of Integer Values For Each Expression Either equal to or distinct from each preceding expression Boolean Encoding Use Boolean values to encode integers over small range EUF formula can be translated into propositional logic Logic circuit with multiplexors, comparators, logic gates Tautology iff original formula valid Expression Possible Values Bit Encoding x0x0{0}00 d0d0{0,1}0 b 10 f (x0)f (x0){0,1,2} b 21 b 20 f (d0)f (d0){0,1,2,3} b 31 b 30

– 12 – Some History of EUF Decision Procedures Ackermann, 1954 Quantifier-free decision problem can be decided based on finite instantiations Burch & Dill, CAV ‘94 Automatic decision procedure »Davis-Putnam enumeration »Congruence closure to enforce functional consistency Boolean approaches Goel, et al, CAV ‘98 »Attempted with BDDs, but didn’t get good results Bryant, German, Velev, CAV ‘99 »Could verify microprocessor using BDDs Velev & Bryant, DAC 2001 »Demonstrated power of modern SAT procedures

– 13 – Exploiting Positive Equality Bryant, German, Velev CAV ‘99 First successful use of Boolean methods for EUF Positive Equality Equations that appear in unnegated formExploiting Can greatly reduce number of cases required to show validity Only need to consider maximally diverse interpretations Reduce number of Boolean variables in bit-level encoding

– 14 – Diverse Interpretations: Illustration Task Verify someone’s obscure code for 4X4 array transpose void trans(int a[4][4]) { int t; for (t = 4; t < 15; t++) if (~t&2|| t&8 && ~t&1) { int r = t&0x3; int c = t>>2; int val = a[r][c]; a[r][c] = a[c][r]; a[c][r] = val; } Observation Array elements altered only by copying one to another Just need to make sure right set of copies performed Only operations on array elements

– 15 – Verifying Array Code Test for trans4 trans4 Single Test Adequate Unique value for each possible source element “Maximally Diverse” If a’[r][c] = a[c][r], then must have copied proper value a a’

– 16 – Characteristics of Array Verification Correctness Condition a’[0][0] = a[0][0]  a’[0][1] = a[1][0]  a’[0][2] = a[2][0]  … …  a’[3][2] = a[2][3]  a’[3][3] = a[3][3] Properties All equations are in positive form Worst case test is one that tends to make things unequal Maximally diverse interpretation: use as many different values as possible All maximally diverse interpretations isomorphic Only need to try one to prove all handled correctly

– 17 – Equations in Processor Verification Data TypesEquations Register IdsControl stalling & forwarding Instruction AddressOnly top-level verification condition Program DataOnly top-level verification condition Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control

– 18 – Exploiting Equation Structure Positive Equations In top-level verification condition Can use maximally diverse interpretation Negative Equations PIpeline control logic Between register IDs Operation depends on whether or not two IDs are equal Must use general encoding Encode with Boolean variables All possibility of IDs that match and/or don’t match

– 19 – =   f T F T F f T F  = e 1 e 0 x 0 d 0 T F T F T F e 1 e 0 x 0 d 0 =   f f  = Application of Positive Equality Observation All equations are positive in this formula Can consider single, diverse interpretation for terms x0x0 d0d0 f (x0)f (x0)f (d0)f (d0)

– 20 – ff vf 1 vf 2 Function Elimination: Ackermann’s Method Replace All Function Applications by Integer Variables Introduce new domain variable Enforce functional consistency by global constraints Unclear how to restrict evaluation to diverse interpretations x1x1 x2x2 F ==  

– 21 – fff x1x1 x2x2 x3x3 vf 1 vf 2 TFTF = = = TFTF vf 3 TFTF Function Elimination: ITE Method General Technique Introduce new domain variable Nested ITE structure maintains functional consistency

– 22 – fff x1x1 x2x2 x3x3 5 6 TFTF = = = TFTF 7 TFTF Generating Diverse Encoding Replacing Application Use fixed values rather than variables Application results equal iff arguments equal

– 23 – Benefits of Positive Equality Microprocessor Benchmarks 1xDLX: Single issue, RISC processor 2xDLX-EX-BP: Dual issue processor with exception handling & branch prediction 9VLIW-BP: 9-way VLIW processor with branch predictionMeasurements Using BerkMin SAT solver BenchmarkUsing Pos. Eq.No Pos. Eq 1xDLX buggy0.022 good xDLX-EX-BP buggy415 good15> 24hrs 9VLIW-BP buggy10> 24hrs good224> 24hrs Velev & Bryant, JSC ‘02

– 24 – Revisiting Encoding Techniques Small Domain (SD) Use bit-level encodings of bounded integers Implicitly encode properties of equality logic Per-Constraint Encoding (EIJ) Introduce explicit Boolean variable for each equation Additional transitivity constraints to express properties of equality logic x = y  y = z  z  x  x 1 x 0  =  y 1 y 0    y 1 y 0  =  z 1 z 0    z 1 z 0    x 1 x 0  e xy  e yz   e xz Satisfiable? e yz  e zx  e xy  e xy  e yz  e xz  e xy  e xz  e yz  Transitivity Constraints

– 25 – Per-Constraint Encoding Introduced by Goel et al., CAV ‘98 Exploiting sparse structure by Bryant & Velev, CAV 2000Procedure Initial formula F Want to prove valid Prove that  F is not satisfiable Replace each equation x = y by Boolean variable e xy Gives formula F sat Generate formula expressing transitivity constraints Gives formula F trans Use SAT solver to show that F sat  F trans not satisfiableMotivation Provides SAT solver with more direct representation of underlying problem

– 26 – Graph Interpretation of Transitivity Transitivity Violation Cycle in graph Exactly one edge has e i,j = false  === = == =

– 27 – Exploiting Chords Chord Edge connecting two non- adjacent vertices in cycle Property Sufficient to enforce transitivity constraints for all chord-free cycles If transitivity holds for all chord-free cycles, then holds for arbitrary cycles   

– 28 – Enumerating Chord-Free Cycles Strategy Enumerate chord-free cycles in graph Each cycle of length k yields k transitivity constraints 1 2k Problem Potentially exponential number of chord-free cycles 2 k +k chord-free cycles

– 29 – Adding Chords Strategy Add edges to graph to reduce number of chord-free cycles 1 2k 2 k +k chord-free cycles 2k+1 chord-free cycles Trade-Off Reduces formula size Increases number of relational variables

– 30 – Chordal Graph Definition Every cycle of length > 3 has a chordGoal Add minimum number of edges to make graph chordal Relation to Sparse Gaussian Elimination Choose pivot ordering that minimizes fill-in NP-hard Simple heuristics effective

– 31 – 1xDLX-C Equation Structure Vertices For each v i 13 different register identifiersEdges For each equation Control stalling and forwarding logic 27 relational variables Out of 78 possible

– 32 – Adding Chordal Edges to 1xDLX-C Original 27 relational variables 286 cycles 858 clauses Augmented 33 relational variables 40 cycles 120 clauses

– 33 – 2DLX-CCt Equation Structure Equations Between 25 different register identifiers 143 relational variables Out of 300 possible

– 34 – Adding Chordal Edges to 2xDLX-CCt Original 143 relational variables 2,136 cycles 8,364 clauses Augmented 193 relational variables 858 cycles 2,574 clauses

– 35 – Choosing Encoding Method Comparison Formula length n with m integer variables & function applications Worst-case complexity Per-Constraint Encoding Works Well in Practice Generates slightly larger formulas than small domain Better performance by SAT solver Small DomainPer-Constraint Boolean Variables O(m log m)O(m 2 ) Formula SizeO(n + m 2 log m)O(n + m 3 )

– 36 – Encoding Comparison Benchmarks Superscalar, out-of-order datapath 2–6 instructions issued in parallelMeasurements Using BerkMin SAT solver Issue Width Per-ConstraintSmall Domain VarsClausesTimeVarsClausesTime 21398, , , , , , , , ,243528,9621, ,7383,206 Velev & Bryant, JSC ‘02

– 37 – Extensions Difference logic Predicates of form x ≤ y + C Original logic of UCLID Use integer variables to represent pointers into buffers C =  1 Linear constraints Predicates of from a 1 x 1 + a 2 x 2 + … + a n x n ≤ b Used in applying UCLID to software verification and software security problems

– 38 – Difference Logic Predicates of form x ≤ y + C C generally a small integer Encoding Methods Small domain Range bound n · max |C| Per constraint encoding Variables of form e x,,y C Can have exponential blowup in number of variables Choosing Encoding Method Per constraint better, as long as it doesn’t blow up Predicting blowup Successfully used classifier trained by machine learning (Seshia, Lahiri & Bryant, DAC ’03)

– 39 – Linear Constraints Predicates of from a 1 x 1 + a 2 x 2 + … + a n x n ≤ b Common Case All but k predicates are difference predicates a i = +1, a j = –1, rest = 0 Rest are sparse At most w coefficients nonzero Coefficient values small n #variables w max #non-zero terms k #non-difference constraints b max max |constant| a max max |coefficient|

– 40 – Linear Constraints Small Domain Encoding (Seshia & Bryant, LICS ’04) Find value D such that only need to consider solutions with 0 ≤ x i < D, for all i Bounds on D: Encode as SAT problem with log(D) bits / integer variable Practical for real applications (n+2) ¢ n ¢ (b max  +1) ¢ ( w ¢ a max ) k n #variables w max #non-zero terms k #non-difference constraints b max max |constant| a max max |coefficient|

– 41 – Some Lessons We’ve Learned Preserve Boolean Structure Other approaches require collapsing to conjunctions of predicates Exploit Problem Characteristics Sparseness Tighten bounds and/or reduce number of constraints Polarity structure Positive equality Let SAT Solver Do the Work Eager encoding: provide sufficient set of constraints to prove / disprove formula They are good at digesting large volume of information