1. SAT-based Bounded Model Checking

2. Formulation of famous problems as SAT: k-Coloring (1/2)
The K-Coloring problem:
Given an undirected graph G(V,E) and a natural number k, is there an assignment color:

3. Formulation of famous problems as SAT: k-Coloring (2/2)
xi,j = node i is assigned the ‘color’ j (1  i  n, 1  j  k)
Constraints:
i) At least one color to each node: (x1,1  x1,2  … x1,k  …)
ii) At most one color to each node:
iii) Coloring constraints:

4. Formulation of famous problems as SAT: Bounded Model Checking
Given a property p: (e.g. “always signal_a = signal_b”)
Is there a state reachable within k cycles, which satisfies p ? p p p p p
. . . s0 s1 s2
sk-1 sk

5. The reachable states in k steps are captured by:
Bounded Model Checking: safety
The reachable states in k steps are captured by:
The property p fails in one of the cycles 1..k:

6. Bounded Model Checking: safety
The safety property p is valid up to cycle k iff W(k) is
unsatisfiable: p p p p p
. . . s0 s1 s2
sk-1 sk

7. Example: a two bit counter
Bounded Model Checking: safety
Example: a two bit counter
Initial state: I: : l Æ : r 00 01 10 11
Transition: R: l’ = (l  r) Æ
r’ = : r
Property: G (l  r).
For k = 2, W(k) is unsatisfiable. For k = 4 W(k) is satisfiable

8. Bounded Model Checking : liveness
The liveness property Fp is valid up to cycle k iff W(k) is
unsatisfiable: = :p :p :p p :p
. . . s0 s1 s2
sk-1 sk

9. Intel’s results (2002)

10. Compaq’s results (2001)

11. IBM’s results (2000)

12. SAT made some progress…

13. Bounded Model Checking
Resources
exceeded
k = 0
BMC(M,f,k)
k++
k ¸ ? no
yes

14. How big should k be?
For every finite model M and LTL property  there exists k s.t.
We call the minimal such k the Completeness Threshold (CT)
Clearly if M ²  then CT = 0
 computing CT for a given M  model checking
Change \varphi

15. The Completeness Threshold
Let’s try the following strategy:
Compute CT for an abstraction of M that unites all models with certain graph-theoretic properties equal to those of M

16. Basic notions…
Diameter D(M) = longest shortest path between any two reachable states.
Recurrence Diameter RD(M) = longest loop-free path between any two reachable states.
The initialized versions: DI(M) and RDI(M) start from an initial state.
DI(M) =
RDI(M) =
D(M) = 2
RD(M) = 3

17. The Completeness Threshold
Arbitrary path
Theorem: for AGp properties CT = DI(M)
(For AFp properties this does not hold) p p

18. The Completeness Threshold
Theorem: for AFp properties CT= RDI(M)+1
Theorem: for an LTL property  CT = ?

19. Why SAT? Fundamental problem from theoretical point of view
Numerous applications:
CAD, VLSI
Optimization
Bounded Model Checking and other type of formal verification
AI, planning, automated deduction

20. SATisfying assignment!
What is SAT?
Given a propositional formula in CNF, find an assignment to Boolean variables that makes the formula true:
1 = (x2  x3)
2 = (x1  x4)
3 = (x2  x4)
A = {x1=0, x2=1, x3=0, x4=1}
SATisfying assignment!

21. A Basic SAT algorithm  Decide() Deduce() X  Resolve_Conflict()
Given  in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)  X 
Decide()
Deduce()
Resolve_Conflict()

22. A Basic SAT algorithm While (true) { if (!Decide()) return (SAT);
Choose the next
variable and value.
Return False if all
variables are assigned
While (true) {
if (!Decide()) return (SAT);
while (!Deduce())
if (!Resolve_Conflict()) return (UNSAT); }
Apply unit clause rule.
Return False if reached
a conflict
Backtrack until
no conflict.
Return False if impossible

23. Basic Backtracking Search
Organize the search in the form of a decision tree
Each node corresponds to a decision
Depth of the node in the decision tree  decision level
Notation: x is assigned v at decision level d

24. Backtracking Search in Action
1 = (x2  x3)
2 = (x1  x4)
3 = (x2  x4) x1
x1 = x2
x2 =
x1 =
 x4 =
 x2 =
Say which step is which.
 x3 =
 x3 =
{(x1,1), (x2,0), (x3,1) , (x4,0)}
{(x1,0), (x2,0), (x3,1)}
No backtrack in this example, regardless of the decision!

25. Backtracking Search in Action
Add a clause
1 = (x2  x3)
2 = (x1  x4)
3 = (x2  x4)
4 = (x1  x2  x3) x1
x1 =
x1 =
 x4 =
{(x1,0), (x2,0), (x3,1)} x2
x2 =
 x3 =
 x2 =
 x3 =
conflict

26. Decision heuristics DLIS (Dynamic Largest Individual Sum)
Choose the variable and value that satisfies the maximum number of unsatisfied clauses.
This requires going through all clauses for each decision.

27. Decision heuristics Jeroslow-Wang method
Compute for every clause w and every variable l (in each phase):
J(l) :=
Choose a variable l that maximizes J(l).
This gives an exponentially higher weight to literals in shorter clauses.

28. Decision heuristics MOM (Maximum Occurrence of clauses of Minimum size).
Let f*(x) be the # of unresolved smallest clauses containing x. Choose x that maximizes:
((f*(x) + f*(!x)) * 2k + f*(x) * f*(!x)
k is chosen heuristically.
 The idea:
Give preference to satisfying small clauses.
Among those, give preference to balanced variables (e.g. f*(x) = 3, f*(!x) = 3 is better than f*(x) = 1, f*(!x) = 5).

29. Decision heuristics VSIDS (Variable State Independent Decaying Sum)
1. Each variable in each polarity has a counter initialized to 0.
2. When a clause is added, the counters are updated.
3. The unassigned variable with the highest counter is chosen.
4. Periodically, all the counters are divided by a constant.
(Implemented in Chaff)

30. Decision heuristics VSIDS (cont’d)
Chaff holds a list of unassigned variables sorted by the counter value.
Updates are needed only when adding conflict clauses.
Thus - decision is made in constant time.

31. Decision heuristics VSIDS (cont’d)
VSIDS is a ‘quasi-static’ strategy:
- static because it doesn’t depend on current assignment
- dynamic because it gradually changes. Variables that appear
in recent conflicts have higher priority.
This strategy is a conflict-driven decision strategy.
“..employing this strategy dramatically (i.e. an order
of magnitude) improved performance ... “

32. Implication graphs and learning
Current truth assignment:
Current decision assignment:
1 = (x1  x2)
2 = (x1  x3  x9)
3 = (x2  x3  x4)
4 = (x4  x5  x10)
5 = (x4  x6  x11)
6 = (x5   x6)
7 = (x1  x7  x12)
8 = (x1 x8)
9 = (x7  x8   x13) 4 1 3 6 
conflict 2 5
We learn the conflict clause 10 : (: x1 Ç x9 Ç x11 Ç x10)

33. Implication graph, flipped assignment
1 = (x1  x2)
2 = (x1  x3  x9)
3 = (x2  x3  x4)
4 = (x4  x5  x10)
5 = (x4  x6  x11)
6 = (x5  x6)
7 = (x1  x7  x12)
8 = (x1 x8)
9 = (x7  x8   x13)
10 : (: x1 Ç x9 Ç x11 Ç x10) 9 ’ 8
10
10 7
10
Due to the conflict clause

34. Non-chronological backtracking3
Decision level
Which assignments caused
the conflicts ?
x9=
x10=
x11=
x12=
x13=
Backtrack to decision level 3 4 5
These assignments
Are sufficient for
Causing a conflict. x1 6  ’
Non-chronological
backtracking

35. Tuning SAT for BMC Variable ordering
Incremental SAT: reusability of conflict clauses between
different (yet related) SAT instances.
III. Replicating Conflict Clauses: generation of conflict clauses
'for free', based on the unique structure of BMC invariant
properties.

36. Static variable ordering
A (CNF) dependency graph D (V,E):
A partitioning C1..Cn:
An abstract dependency graph D’(V’, E’):

37. Static variable ordering for BMC (The natural order of W(k))
For W(k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear C0 C1 C2 Ck C3
Ck-1 V0 V1 V2 Vk V3
Vk-1
...

38. Static variable ordering (A simple static ordering)
W(k) should
satisfy I0 I0
Riding on unreachable states...
Pk I0
Riding on legal executions...
W(k) should
satisfy  Pk
Pk

39. Incremental SAT
Given two CNF formulas (sets of clauses) S1 and S2, and a
conflict clause  s.t. S1 `, under what conditions the following
holds:
S2 is satisfiable iff S2   is satisfiable.

40. Incremental SAT 0 S1 S2 0 `  Let 0  S1  S2 Claim: if 0 `  then
S1 is satisfiable iff S1   is satisfiable.
S2 is satisfiable iff S2   is satisfiable.
Thus, if we deduce  while checking S1, we can reuse it
when checking S2.

41. Only one clause in (k) is not included in (k+1)
Incremental SAT for BMC
Testing whether the clauses involved in deducing  are a subset
of 0 requires marking them in advance.
In the BMC case this is easy:
Only one clause in (k) is not included in (k+1)

42. Incremental SAT
1. Mark 0 , the subset of clauses that are also contained in
subsequent instances.
2. If s `  for some s  0, then add  to 0 and mark it as
pervasive. S1 S2 0

43. Incremental SAT for BMC
In the gradual process of solving the BMC problem, we use a
list of pervasive clauses pc-list.
pc-list = 
Bool Solve (int k) {
1: Generate k and mark 0 clauses.
2: add pc-list to k
3: While solving k , if is deduced by a set of marked clauses, add it to pc-list.
4: if k is SAT then return SATISFIABLE.
else Solve (k+1); }

44. Replicated clauses
The BMC invariant formula includes k structurally similar parts:
Can this symmetry be used to speed up the search ?

45. Replicated clauses Let xk denote variable x in cycle k.
Let c(i) denote the clause c, where every variable in c is
shifted i cycles.
For example: c = (x5  y2  z7)
c(2) = (x7  y4  z9)
c(-2) = (x3  y0  z5)
Similarly, s(i) denotes the set of shifted clauses in the set s,
i.e. j cj  s, cj(i) s(i).

46. Replicated clauses
Let s be a subset of (k)'s clauses, and let  be a conflict clause
deducible from s, i.e. s ` .
(x2  y5),
(x2  y5  z3  w4)
 =(y5  z3  w4)
s =
By substitution, it is also true that s(i) ` (i).
(x2+i  y5+i),
(x2+i  y5+i  z3+i  w4+i)
(i) =(y5+i  z2+i  w4+i)
s(i) =

47. Replicated clauses
Conclusion: if s(i)  (k) then we can also add (i) to (k).
(i) is a new clause that we got 'for free'.
We call (i) a 'replicated clause'.
The remaining question is: for which i, s(i)   (k).

48. Replicated clauses
1. While generating  (k), mark all transition relation clauses.
2. For every conflict clause , if all the clauses in s are marked,
then mark  as 'replicable'. .

49. Replicated clauses
Given a replicable clause  and the subset of clauses s from which
it was deduced: .
3. Record ls and hs, the lowest and highest cycle index in s.
4. Add a replicated clause (i) for i in the range -ls .. (k - hs).

50. Example (x2  y5), (x2  y5  z3  w4) s = ls = 2, hs = 5 k = 6
Going right
(1) = (y6  z4  w5)
Going left
(-1) = (y4  z2  w3)
(-2) = (y3  z1  w2)

51. Experimental results (2001)

52. More engineering aspects of SAT solvers
Observation: More than 90% of the time SAT solvers perform
Deduction().
Deduction() allocates new implied variables and conflicts.
How can this be done efficiently ?

53. Grasp implements Deduction() with counters
Hold 2 counters for each clause :
val1( ) - # of negative literals assigned 0 in  +
# of positive literals assigned 1 in .
val0() - # of negative literals assigned 1 in  +
# of positive literals assigned 0 in .

54. Grasp implements Deduction() with counters
 is satisfied iff val1() > 0
 is unsatisfied iff val0() = ||
 is unit iff val1() = 0  val0() = || - 1
 is unresolved iff val1() = 0  val0() < || - 1 .
Every assignment to a variable x results in updating the counters
for all the clauses that contain x.
Backtracking: Same complexity.

55. Chaff implements Deduction() with a pair of observers
Observation: during Deduction(), we are only interested in newly implied variables and conflicts.
These occur only when the number of literals in  with value ‘false’ is greater than || - 2
Conclusion: no need to visit a clause unless (val0() > || - 2)
How can this be implemented ?

56. Chaff implements Deduction() with a pair of observers
Define two ‘observers’: O1(), O2().
O1() and O2() point to two distinct  literals which are not ‘false’.
 becomes unit if updating one observer leads to O1() = O2().
Visit clause  only if O1() or O2() become ‘false’.

57. Chaff implements Deduction() with a pair of observers
V[5]=0, v[4]= 0
Unit clause
Backtrack
v[4] = v[5]= X
v[1] = 1
Both observers of an implied clause are on the highest decision level present in the clause. Therefore, backtracking will un-assign them first.
Conclusion: when backtracking, observers stay in place.
Backtracking: No updating. Complexity = constant.

58. Chaff implements Deduction() with a pair of observers
The choice of observing literals is important.
Best strategy is - the least frequently updated variables.
The observers method has a learning curve in this respect:
1. The initial observers are chosen arbitrarily.
2. The process shifts the observers away from variables that were recently updated (these variables will most probably be reassigned in a short time).
In our example: the next time v[5] is updated, it will point to a
significantly smaller set of clauses.

59. GSAT: A different approach to SAT solving
Given a CNF formula , choose max_tries and max_flips
for i = 1 to max_tries {
T := randomly generated truth assignment
for j = 1 to max_flips {
if T satisfies  return TRUE
choose v s.t. flipping v’s value gives largest increase in
the # of satisfied clauses (break ties randomly).
T := T with v’s assignment flipped. } }

60. Improvement # 1: clause weights
Initial weight of each clause: 1
Increase by k the weight of unsatisfied clauses.
Choose v according to max increase in weight
Clause weights is another example of conflict-driven decision
strategy.

61. Improvement # 2: Averaging-in
Q: Can we reuse information gathered in previous tries in order
to speed up the search ?
A: Yes! Rather than choosing T randomly each time, repeat
‘good assignments’ and choose randomly the rest.

62. Improvement # 2: Averaging-in (cont’d)
Let X1, X2 and X3 be equally wide bit vectors.
Define a function bit_average : X1  X2  X3
as follows:
b1i b1i = b2i
random otherwise
(where bji is the i-th bit in Xj, j {1,2,3})
b3i :=

63. Improvement # 2: Averaging-in (cont’d)
Let Tiinit be the initial assignment (T) in cycle i.
Let Tibest be the assignment with highest # of satisfied clauses in
cycle i.
T1init := random assignment.
T2init := random assignment.
i > 2, Tiinit := bit_average(Ti-1best, Ti-2best)

64. Advanced topics More about learning
Tuning SAT solvers for Bounded-Model Checking
Incremental satisfiability
Unsatisfiable core and its use for verification
From SAT to 0-1 ILP
From SAT to Quantified Boolean Formulas (QBF)