Weizmann Institute

Tuning SAT-checkers for Bounded Model-Checking

A bounded guided tour

Ofer Shtrichman

Weizmann Institute & IBM (HRL)

Weizmann Institute

Basic theory of Bounded Model Checking (BMC)

SAT highlights

Tuning SAT checkers for BMC

Results

Weizmann Institute

The Bounded Model Checking Problem: Safety

Given a Safety property p: (e.g. AG p : “always signal_a = signal_b”)

Is there a state reachable within k cycles, which satisfies p ?

. . .s0 s1 s2 sk-1 sk

p p p p p

Weizmann Institute

. . .s0 s1 s2 sk-1 sk

p p p p p

Given a Liveness property p: (e.g. AGAF p: “always, eventually signal_a = signal_b”)

Is there a loop in the first k cycles, that non of its states satisfy p ?

The Bonded Model Checking Problem: Liveness

Weizmann Institute

The reachable states in k steps are captured by:

M I s s s s s s sk k k: ( ) ( , ) ( , ) ... ( , ) 0 0 1 1 2 1

The property p fails in one of the cycles 1..k:

f p p pk k: ... 1 2

Reducing the BMC problem to SAT (1/3):

Weizmann Institute

Reducing the BMC problem to SAT (2/3):

: ( , )I s s pi

k

i ii

k

i00

1

10

=

The safety property p is valid up to cycle k iff is unsatisfiable:

. . .s0 s1 s2 sk-1 sk

p p p p p

Weizmann Institute

Reducing the BMC problem to SAT (3/3):

For Liveness properties, add a disjunction of possible loops:

: ( , ) ( ( , ) )I s s s s pi

k

i il

k

k lj l

k

00

1

10

=

. . .s0 s1 s2 sk-1 sk

p p p p p

Weizmann Institute

Example: a two bit counter

( , ):s s l l r r ri i i i i i i 1 1 1

p = AG (l r).k = 2

00

01 10

11

: ( )( )( )( )

FHG

IKJ

FHGG

IKJJl r

l l r r rl l r r r

l rl rl r

0 01 0 0 1 0

2 1 1 2 1

0 0

1 1

2 2

I l r0 0 0:

For k = 2, is unsatisfiabe. For k = 4 is satisfiable

Weizmann Institute

Traditional Symbolic Model-Checking with BDDs

• The reachable state-space is represented by a BDD

• The property is evaluated recursively, by iterative fix point computations on the reachable state-space.

• The size of the BDD is typically the bottle-neck of Model-Checking.

Weizmann Institute

Why SAT?

• Smart DFS search - potentially will get faster to a satisfying sequence (counter example)

• No exponential space - growth

“Satisfiability checking is a ‘luck-based technology’”

Weizmann Institute

The Davis-Putnam procedure

Given in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)

Decide()

Deduce()

Diagnose()

-xx

-zz-yy

z -z y -y

() ()

(z ),(-z ) ()

(y),(-y,z ),(-y,-z )

()

() ()

(y),(-y)

(y,z ),(-y,z )

X

X X X X

Weizmann Institute

Decide() criteria: On which variable to split?

- satisfies the most clauses (DLIS)- satisfies the shortest clause- only positive or negative (‘pure literal rule’)- most frequent

::

Weizmann Institute

Results (Sec.)

Design # k RB1 RB2 Grasp1 18 7 6 2822 5 70 8 1.13 14 597 375 764 24 690 261 5105 12 803 184 246 22 * * * 356 * * *7 9 * * * 2671 108 35 * * * * * * 63179 38 * * * * * * 903510 31 * * * * * * * * *

11 32 152 60 * * *12 31 1419 1126 * * *13 14 * * * 3626 * * *

* * * = exceeds 10,000 sec.

Weizmann Institute

Tuning SAT for BMC (1/3)

1. Use the variable dependency graph for smarter orderings.

2. Exploit information on ’s structure to restrict the state-space.

3. Restrict Decide() to a small set of variables.

Weizmann Institute

Clashing clouds...

I0~Pk

With general-purpose Decide() strategies, local sets of variables are satisfied a-synchronically

v v5 6..

v15

v2

Weizmann Institute

General-purpose Vs. tailor-made Decide() strategies...

: ... (x = ( y1 y2 y3 )) ...

x = Ty1 = F

y2 = F

y3 = T

General purpose

Back-track

x = Ty1 = Fy2 = F

y3 = T

Use ‘s structure to resolve conflicts on a more local level...)

Tailor made

Back-track

Weizmann Institute

A k-unfolding of the variable dependency graph

. . .

. . .

. . .

. . .

k

vars

v0

v1

v2 . . . .

v f v vi i i ( , )1

Weizmann Institute

A head on attack...

I0PkRiding on unreachable states...

should satisfy I0

I0Riding on legal executions...

should satisfy Pk

Pk

Weizmann Institute

A combined heuristic

I0Pk

Trigger BFS with pi

i k0..

Weizmann Institute

Given an order, guess a value

Dynamic decision Constant value

Previous value ‘Flat’ computation

...

x5 = 0x7 = ?

x9 = 0

‘Flat’ computation Previous value

x2 = 1y7 = 0z2 = 0y3 = 1

x2 = 0y7 = 0z2 = 0y3 = 1

Weizmann Institute

Tuning SAT for BMC (2/3)

1. Use the variable dependency graph for smarter orderings.

2. Exploit information on ’s structure to restrict the state-space.

3. Restrict Decide() to a small set of variables.

Weizmann Institute

: ( , )I s s pi

k

i ii

k

i00

1

10

=

’s structure can be used for adding conflicting clauses.

•If x3=T, y7 = F, z5 = T leads to a conflict, then ( x3 y7 z5) is satisfiable iff is satisfiable.

• The new clause can be seen as a constraint on the state-space

conflicting clauses:

Exploiting ’s structure in AGp formulas

Weizmann Institute

• If x3=T, y7 = F, z5 = T leads to a conflict, then so will x2=T, y6 = F, z4 = T

• Therefore, we can also add: ( x2 y6 z4) ( x1 y5 z3) ( x0 y4 z2)and... ( x4 y8 z6) ... ( xk-4 yk zk-2)

• Yet, is not fully symmetric because of I0. We first have to check, by simulating an assignment, if the replicated clause indeed leads to a conflict.

Exploiting ’s structure in AGp formulas

Weizmann Institute

Tuning SAT for BMC (3/3)

1. Use the variable dependency graph for smarter orderings.

2. Exploit information on ’s structure to restrict the state-space.

3. Restrict Decide() to a small set of variables.

Weizmann Institute

Restricting Decide()

Restricting Decide() to a smaller set of variables , thatuniquely determines the satisfiability of :

Model variables (~ 15 % of ’s variables)

Input variables (~ 5 % of ’s variables)

Less variables to Decide() implies more variables to Deduce()

Weizmann Institute

Results (Sec.)# k RB2 Grasp Rep SM c SM f SM(k-1)1 18 6 282 115 3 57 202 5 8 1.1 1.1 0.8 1.1 0.43 14 375 76 52 3 2069 9344 24 261 510 225 12 27 265 12 184 24 24 2 2 16 22 356 * * * * * * 18 16 287 9 2671 10 10 2 1.8 1.38 35 * * * 6317 2870 20 338 309 38 * * * 9035 * * * 25 277 23010 31 * * * * * * 9910 312 22 1061

11 32 60 * * * * * * * * * * * * * * *12 31 1126 * * * * * * * * * * * * * * *13 14 3626 * * * * * * * * * * * * * * *

* * * = exceeds 10,000 sec.

Weizmann Institute

The Conclusion

Many of the (BDD) hard cases can be more efficiently

solved with the optimized SAT procedure.