Deciding separation formulas with SAT - PowerPoint PPT Presentation

Slides: 25
Provided by: oferstr
Learn more at: http://www.cs.cmu.edu
Transcript and Presenter's Notes

1
Deciding separation formulas with SAT
  • Ofer Strichman, Sanjit A. Seshia, Randal E. Bryant
  • School of Computer Science, Carnegie Mellon University

2
Separation predicates
  • Predicates of the form x1 < x2 + c and x1 ≤ x2 + c, where c is a constant
  • Also known as difference predicates
  • We will consider x1, x2 as either real or integer variables
  • Used when proving formulas derived from timed automata, scheduling problems, and more
  • [Pratt] Most inequalities arising in verification are separation predicates

3
Deciding separation via case-splitting (1/2)
φ: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ (x3 < x1 - 3 ∨ x3 < x1 + 1)
Case 1: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ x3 < x1 + 1
Case 2: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ x3 < x1 - 3
Theorem [Bellman, 57]: The formula is satisfiable iff the inequality graph does not contain a negative cycle.
4
Deciding separation via case-splitting (2/2)
Bellman-Ford: Finding whether there is a negative cycle in a graph is polynomial
  • Overall complexity O(2^?), due to case-splitting
  • Case-splitting is normally the bottleneck of decision procedures
  • Q: Is there an alternative to case-splitting?
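Slides 3 and 4 give the two halves of the case-splitting procedure without showing how they fit together. The Python program below is an added illustration, not code from the presentation: it case-splits a formula into DNF and runs Bellman-Ford negative-cycle detection on each clause. The nested-tuple formula representation, the lexicographic weight trick for strict predicates and all function names are this example's own choices; the formula is the one from slide 3.

```python
from itertools import product

# Formula representation constructed for this example:
#   ("pred", x, y, c, strict)  stands for  x < y + c  when strict, else  x <= y + c
#   ("and", f1, f2, ...)  and  ("or", f1, f2, ...)  are the Boolean connectives.


def dnf(f):
    """Case-split f into DNF: a list of clauses, each a list of predicates."""
    tag = f[0]
    if tag == "pred":
        return [[f]]
    if tag == "or":
        return [clause for g in f[1:] for clause in dnf(g)]
    if tag == "and":
        clauses = [[]]
        for g in f[1:]:
            clauses = [a + b for a in clauses for b in dnf(g)]
        return clauses
    raise ValueError(f"unknown connective {tag!r}")


def has_negative_cycle(preds):
    """Bellman-Ford over the inequality graph of a conjunction of predicates.

    Each predicate x < y + c / x <= y + c becomes an edge x -> y (the direction
    only has to be used consistently; reversing every edge keeps cycle weights).
    Weights are pairs (c, -1 if strict else 0) compared lexicographically, so a
    cycle is "negative" when its constants sum below 0, or sum to exactly 0 while
    at least one edge is strict (x < y and y < x has no solution over the reals).
    """
    nodes = sorted({v for _, x, y, _, _ in preds for v in (x, y)})
    edges = [(x, y, (c, -1 if strict else 0)) for _, x, y, c, strict in preds]
    add = lambda a, b: (a[0] + b[0], a[1] + b[1])
    dist = {v: (0, 0) for v in nodes}            # virtual source at distance 0
    for _ in range(len(nodes) - 1):
        for x, y, w in edges:
            dist[y] = min(dist[y], add(dist[x], w))
    # a further relaxation after |V|-1 rounds means a negative cycle exists
    return any(add(dist[x], w) < dist[y] for x, y, w in edges)


def satisfiable_by_case_splitting(f):
    """Slides 3-4: enumerate the DNF clauses (exponential) and run the
    polynomial negative-cycle test on each; satisfiable iff some clause passes."""
    return any(not has_negative_cycle(clause) for clause in dnf(f))


# The running example of slide 3, in the representation above (constructed):
#   phi:  x1 < x2 + 1  /\  x2 < x3 + 1  /\  (x3 < x1 - 3  \/  x3 < x1 + 1)
PHI = ("and",
       ("pred", "x1", "x2", 1, True),
       ("pred", "x2", "x3", 1, True),
       ("or", ("pred", "x3", "x1", -3, True),
              ("pred", "x3", "x1", 1, True)))

if __name__ == "__main__":
    for clause in dnf(PHI):
        print([f"{x} < {y} {c:+d}" for _, x, y, c, _ in clause],
              "negative cycle" if has_negative_cycle(clause) else "consistent")
    print("phi satisfiable:", satisfiable_by_case_splitting(PHI))
```

`has_negative_cycle` is the polynomial part; all of the blow-up sits in `dnf`, which produces one clause per combination of disjuncts. That is the bottleneck the rest of the talk works around.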

5
Difference Decision Diagrams (DDD) (Møller, Lichtenberg, Andersen, Hulgaard, 1999)
  • Similar to BDDs, but the nodes are separation predicates
  • Ordering on variables determines order on predicates
  • Semi-canonical (i.e. canonical when φ is a tautology or a contradiction)

φ: ¬(x1 - x3 < 0) ∧ x2 - x3 ≤ 0 ∧ ¬(x2 - x1 < 0)
  • Each path leading to 1 is checked for consistency with Bellman-Ford
  • Worst case: an exponential number of such paths

6
Boolean encoding (take 1)
φ: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ (x3 < x1 - 3 ∨ x3 < x1 + 1)
1. Encode
3. Forbid true assignment to negative simple cycles in G
7
What about negations in φ?
The unsatisfiable formula φ: ¬(x1 < x2 ∨ x2 ≤ x1 + 1) is reduced to the satisfiable formula
[Figure: inequality graph over x1 and x2 with edge weights 0 and 1; legend: <, ≤]
Problem: our graph does not consider the polarity of the constraints.
8
Solution 1: Consider both polarities
Dual edges: x1 < x2 + 1 and its negation x2 ≤ x1 - 1
[Figure: the joint graph]
9
Solution 2: Eliminate negations
1. Transform φ to Negation Normal Form (NNF), and eliminate negations by reversing inequality signs
2. Rewrite > and ≥ predicates as < and ≤, e.g. rewrite x1 > x2 + c as x2 < x1 - c
Solution 2 results in a smaller number of constraints
10
Problem: redundant constraints
φ: (x1 < x2 - 3 ∨ (x2 < x3 + 1 ∧ x3 < x1 + 1))
The cycle x1 → x2 → x3 → x1 has weight -1, but its three predicates never appear together in one DNF clause of φ, so a constraint forbidding it is redundant.
11
Solution: Conjunctions Matrices (1/3)
  • Let φ_d be the DNF representation of φ
  • We only need to consider cycles that are in one of the clauses of φ_d
  • Deriving φ_d is exponential. But:
  • Knowing whether a given set of literals share a clause in φ_d is polynomial, using conjunctions matrices

12
Conjunctions Matrices (2/3)
  • Let φ be a formula in NNF.
  • Let li and lj be two literals in φ.
  • The joining operand of li and lj is the lowest joint parent of li and lj in the parse tree of φ.
  • The conjunctions matrix M_φ has M_φ[li, lj] = 1 iff the joining operand of li and lj is ∧.

13
Conjunctions Matrices (3/3)
  • Claim: A set of literals L = {l0, l1, ..., ln} ⊆ φ share a clause in φ_d iff for all li, lj ∈ L, i ≠ j, M_φ[li, lj] = 1.
  • In our case the literals are separation predicates.
  • The entries in the conjunctions matrix correspond to edges between edges of the inequality graph (the M_φ graph)
  • We can now consider only simple cycles whose corresponding M_φ graph forms a clique.

14
Boolean encoding (take 2)
0. Normalize φ (eliminate negations)
1. Encode φ (replace each separation predicate with a Boolean var)
2. Build the joint inequality graph G
3. Add a constraint forbidding true assignment to negative simple cycles in G whose corresponding M_φ graph forms a clique.
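The following Python program is an added worked example for slides 11 to 14 and is not code from the presentation. It computes the conjunctions matrix from the NNF parse tree, enumerates the simple cycles of the joint inequality graph, keeps only those whose edges form a clique in M_φ, and then solves the take-2 encoding by exhaustive search over the Boolean variables in place of a SAT solver. The tuple representation, the identification of literal occurrences by their parse-tree path, and all function names are this example's own assumptions; the formulas are slide 3's φ and slide 10's redundant-constraint example.

```python
from itertools import product

# Constructed representation: ("pred", x, y, c, strict) is x < y + c (strict) or
# x <= y + c; ("and", ...) / ("or", ...) are the connectives.  Formulas are assumed
# to be in NNF with negations already eliminated (solution 2 of slide 9).


def literals(f, path=()):
    """All literal occurrences as (path, pred); the path is the sequence of child
    indices from the root, i.e. the occurrence's position in the parse tree."""
    if f[0] == "pred":
        return [(path, f)]
    return [lit for i, g in enumerate(f[1:]) for lit in literals(g, path + (i,))]


def joining_operand(f, p, q):
    """Lowest joint parent of two occurrences: descend while the paths agree."""
    k = 0
    while k < min(len(p), len(q)) and p[k] == q[k]:
        f = f[p[k] + 1]                  # f[0] is the connective, children follow
        k += 1
    return f[0]                          # "and" or "or"


def conjunctions_matrix(f):
    """M_phi[li, lj] = 1 iff the joining operand of li and lj is AND."""
    lits = literals(f)
    M = {(p, q): int(joining_operand(f, p, q) == "and")
         for (p, _), (q, _) in product(lits, lits) if p != q}
    return lits, M


def simple_cycles(lits):
    """Simple cycles of the joint inequality graph (edge x -> y per literal),
    each as a list of occurrences, reported once starting at its smallest node."""
    out = {}
    for path, (_, x, y, _, _) in lits:
        out.setdefault(x, []).append((y, path))
    cycles = []

    def walk(start, node, visited, used):
        for y, path in out.get(node, []):
            if y == start:
                cycles.append(used + [path])
            elif y > start and y not in visited:
                walk(start, y, visited | {y}, used + [path])

    for start in sorted(out):
        walk(start, start, {start}, [])
    return cycles


def encode(f):
    """Take 2: Boolean skeleton of f plus one clause per negative simple cycle
    whose edges form a clique in M_phi.  Returns (skeleton, clauses, var_of)."""
    lits, M = conjunctions_matrix(f)
    var_of = {}                          # distinct predicate -> Boolean variable
    for _, pred in lits:
        var_of.setdefault(pred[1:], f"e{len(var_of)}")
    pred_at = dict(lits)

    def skeleton(g):
        if g[0] == "pred":
            return ("var", var_of[g[1:]])
        return (g[0],) + tuple(skeleton(h) for h in g[1:])

    clauses = []
    for cycle in simple_cycles(lits):
        if any(M[p, q] == 0 for p, q in product(cycle, cycle) if p != q):
            continue                     # never in one DNF clause: constraint redundant
        total = sum(pred_at[p][3] for p in cycle)
        strict = any(pred_at[p][4] for p in cycle)
        if total < 0 or (total == 0 and strict):
            clauses.append(("or",) + tuple(("not", var_of[pred_at[p][1:]]) for p in cycle))
    return skeleton(f), clauses, var_of


def evaluate(g, a):
    """Evaluate a propositional tree under assignment a (dict var -> bool)."""
    if g[0] == "var":
        return a[g[1]]
    if g[0] == "not":
        return not a[g[1]]
    parts = [evaluate(h, a) for h in g[1:]]
    return all(parts) if g[0] == "and" else any(parts)


def sat_by_encoding(f):
    """Exhaustive search over the Boolean variables stands in for a SAT solver."""
    skel, clauses, var_of = encode(f)
    names = sorted(var_of.values())
    for bits in product([False, True], repeat=len(names)):
        a = dict(zip(names, bits))
        if evaluate(skel, a) and all(evaluate(c, a) for c in clauses):
            return True
    return False


# Slide 3's formula and slide 10's redundant-constraint formula (constructed):
PHI = ("and", ("pred", "x1", "x2", 1, True), ("pred", "x2", "x3", 1, True),
       ("or", ("pred", "x3", "x1", -3, True), ("pred", "x3", "x1", 1, True)))
PSI = ("or", ("pred", "x1", "x2", -3, True),
       ("and", ("pred", "x2", "x3", 1, True), ("pred", "x3", "x1", 1, True)))
```

For `PHI`, `encode` emits exactly one clause, forbidding the cycle through x3 < x1 - 3; for `PSI` the weight -1 cycle produces no clause because its first literal is joined to the other two by ∨, which is the redundancy slide 10 points at.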
15
Compact representation of constraints (1/2)
n diamonds → 2^n simple cycles. Can we do better than that?
In many cases, yes. How? With variable elimination.
[Figure: a diamond with edges c1, c2, c3, c4; eliminating the middle variable merges c1 and c2 into one edge c1 + c2]
16
Compact representation of constraints (2/2)
Quantifying out x3
  • Worst case: exponential number of constraints
  • Complexity heavily depends on elimination order
  • Given a conjunctions matrix M_φ, we add a constraint only if the joining operand of the two constraints is ∧

17
Boolean encoding (take 3)
0. Normalize φ (eliminate negations)
1. Encode φ (replace each separation predicate with a Boolean var)
2. Build the joint inequality graph G
3. Eliminate all variables successively. If
  • e1 and e2 are ingoing and outgoing edges of the eliminated variable, and
  • M_φ[e1, e2] = 1, and
  • the resulting edge is e3,
  then add to φ the constraint e1 ∧ e2 → e3
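Step 3 of take 3 (slides 15 to 17), as an added Python example that is not the presentation's code. It takes the joint graph and the conjunctions matrix as input, both written out by hand for slide 3's formula, eliminates variables in a given order, and emits the e1 ∧ e2 → e3 clauses; a brute-force assignment search then shows the result is equisatisfiable with the formula. The rule used for M_φ entries of derived edges (a derived edge is conjoined with e iff both its parents are), the fresh variable names d0, d1, ... and the function names are assumptions of this example.

```python
from itertools import product

# Constructed inputs: the joint inequality graph after steps 0-2 of take 3, given
# directly as labelled edges, plus the conjunctions matrix as a set of pairs.
#   edges: {var: (x, y, c, strict)}  for the literal  x < y + c  (strict) / x <= y + c
#   conj:  set of frozenset({a, b}) with M_phi[a, b] = 1 (joining operand is AND)
# Clauses are lists of (var, polarity): e1 /\ e2 -> e3 is [(e1, F), (e2, F), (e3, T)].


def eliminate(edges, conj, order):
    """Eliminate the variables in `order` one after another.

    For every in-edge e1 and out-edge e2 of the eliminated variable with
    M_phi[e1, e2] = 1, the resulting edge e3 gets a fresh Boolean variable and the
    constraint e1 /\ e2 -> e3 is added.  When e1 and e2 close a cycle there is no
    e3: a negative cycle yields e1 /\ e2 -> false, a non-negative one nothing.
    Assumption of this example: a derived edge d shares a clause with e iff both
    parents of d do, which is how its row of M_phi is filled in.
    """
    edges, conj = dict(edges), set(conj)
    clauses, fresh = [], 0
    for v in order:
        ins = sorted(n for n, (_, y, _, _) in edges.items() if y == v)
        outs = sorted(n for n, (x, _, _, _) in edges.items() if x == v)
        for e1, e2 in product(ins, outs):
            if frozenset((e1, e2)) not in conj:
                continue                         # M_phi[e1, e2] = 0: never conjoined
            x, _, c1, s1 = edges[e1]
            _, y, c2, s2 = edges[e2]
            c, s = c1 + c2, s1 or s2
            if x == y:                           # e1, e2 form a cycle through v
                if c < 0 or (c == 0 and s):
                    clauses.append([(e1, False), (e2, False)])
                continue
            e3 = f"d{fresh}"
            fresh += 1
            conj |= {frozenset((e3, e)) for e in edges
                     if frozenset((e1, e)) in conj and frozenset((e2, e)) in conj}
            edges[e3] = (x, y, c, s)
            clauses.append([(e1, False), (e2, False), (e3, True)])
        for e in ins + outs:                     # v and its edges are gone
            del edges[e]
    return clauses


def brute_force_sat(clauses):
    """Stand-in for a SAT solver: return a satisfying assignment or None."""
    names = sorted({v for clause in clauses for v, _ in clause})
    for bits in product([False, True], repeat=len(names)):
        a = dict(zip(names, bits))
        if all(any(a[v] == pol for v, pol in clause) for clause in clauses):
            return a
    return None


def decide(edges, conj, skeleton, order):
    """Add the elimination constraints to the Boolean skeleton and solve."""
    return brute_force_sat(skeleton + eliminate(edges, conj, order))


# Slide 3's phi = e0 /\ e1 /\ (e2 \/ e3) after encoding (constructed):
EDGES = {"e0": ("x1", "x2", 1, True), "e1": ("x2", "x3", 1, True),
         "e2": ("x3", "x1", -3, True), "e3": ("x3", "x1", 1, True)}
CONJ = {frozenset(p) for p in [("e0", "e1"), ("e0", "e2"), ("e0", "e3"),
                                ("e1", "e2"), ("e1", "e3")]}   # e2, e3 joined by OR
SKELETON = [[("e0", True)], [("e1", True)], [("e2", True), ("e3", True)]]

if __name__ == "__main__":
    print(eliminate(EDGES, CONJ, ["x2", "x3", "x1"]))
    print(decide(EDGES, CONJ, SKELETON, ["x2", "x3", "x1"]))
```

Eliminating x2 first merges e0 and e1 into d0 (x1 → x3, weight 2); eliminating x3 then closes the cycle d0, e2 with weight -1 and forbids it, while d0, e3 (weight 3) adds nothing. Two clauses replace the explicit cycle enumeration, and the only model sets e2 false and e3 true, as in slide 3's case split.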
18
Extension to integer variables
Given φ with integer separation predicates, derive φ_R:
  • Declare all variables as real
  • Replace x1 < x2 + c and x1 ≤ x2 + c, where c is not an integer, with x1 ≤ x2 + ⌊c⌋
  • Replace each predicate x1 < x2 + c with x1 ≤ x2 + c - 1

Theorem: φ is satisfiable iff φ_R is satisfiable
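An added example for slide 18, not from the presentation: the integer-to-real rewriting, followed by a Floyd-Warshall negative-cycle check on the resulting inequality graph, applied to two constructed conjunctions that are satisfiable over the reals but not over the integers. The predicate representation, the lexicographic weights for strict edges and the function names are this example's own.

```python
import math
from itertools import product

# Constructed representation: a predicate (x, y, c, strict) is x < y + c when
# strict, otherwise x <= y + c.  A conjunction is a list of predicates.


def to_real(preds):
    """Slide 18: rewrite integer separation predicates for the real-valued
    procedure.  Every result is non-strict with an integer constant, because
    over the integers  x < y + c  <=>  x <= y + c - 1  for integer c, and
    x < y + c  <=>  x <= y + c  <=>  x <= y + floor(c)  for non-integer c."""
    out = []
    for x, y, c, strict in preds:
        if c != math.floor(c):
            out.append((x, y, math.floor(c), False))
        elif strict:
            out.append((x, y, int(c) - 1, False))
        else:
            out.append((x, y, int(c), False))
    return out


def has_negative_cycle(preds):
    """Floyd-Warshall over the inequality graph (edge x -> y with weight c).
    Weights are (c, -1 if strict else 0) under lexicographic order, so a cycle
    counts as negative when its constants sum below 0, or to 0 with a strict edge.
    A negative cycle shows up as a negative distance from a node to itself."""
    nodes = sorted({v for x, y, _, _ in preds for v in (x, y)})
    dist = {(a, b): (0, 0) if a == b else (math.inf, 0) for a in nodes for b in nodes}
    for x, y, c, strict in preds:
        dist[x, y] = min(dist[x, y], (c, -1 if strict else 0))
    for k, i, j in product(nodes, repeat=3):      # k is the outermost loop
        via = (dist[i, k][0] + dist[k, j][0], dist[i, k][1] + dist[k, j][1])
        if via < dist[i, j]:
            dist[i, j] = via
    return any(dist[v, v] < (0, 0) for v in nodes)


def satisfiable(preds, integer):
    """Decide a conjunction over the reals, or over the integers via phi_R."""
    return not has_negative_cycle(to_real(preds) if integer else preds)


# Constructed examples, satisfiable over the reals but not over the integers:
GAP = [("x1", "x2", 1, True), ("x2", "x1", 0, True)]          # x2 < x1 < x2 + 1
HALF = [("x1", "x2", 2.5, False), ("x2", "x1", -2.5, False)]  # x1 = x2 + 2.5

if __name__ == "__main__":
    for name, preds in (("GAP", GAP), ("HALF", HALF)):
        print(name, "reals:", satisfiable(preds, False),
              "integers:", satisfiable(preds, True), "phi_R:", to_real(preds))
```

Over the reals `GAP` has the solution x1 = x2 + 0.5; after the rewriting its cycle x1 → x2 → x1 has weight 0 + (-1) = -1, so the same graph test reports it unsatisfiable over the integers.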
19
Experimental results (1/3)
[Figure: a chain of n diamonds of depth d]
  • n diamonds
  • Each diamond has 2d edges
  • Top and bottom paths in each diamond are disjoint.
  • There are 2^n conjoined cycles.
  • By adjusting the weights, we ensured that there is a single satisfying assignment.

20
Experimental results (2/3)
Diamond shape formulas
  • Results in seconds
  • Using variable elimination (rather than explicit
    cycle enumeration)

21
Experimental results (3/3)
Symbolic simulation of hardware designs
  • Results in seconds
  • Using variable elimination (rather than explicit
    cycle enumeration)

22
Discussion and conclusions (1/2)
  • Procedures based on case-splitting cannot scale
  • SAT methods can also be seen as case-splitting, but they split the domain, not the formula. As a result:
  • Pruning is easy
  • Learning is easy
  • Guidance is easy (which case should we start with?)

23
Discussion and conclusions (2/2)
  • Both the reduction to SAT and solving the SAT instance are exponential
  • The reduction to SAT is the bottleneck of our procedure, whereas the resulting SAT instances are empirically easy to solve
  • The total time was shorter in all examples compared to ICS and DDDs
  • The decision procedure has recently been integrated into the theorem prover C-prover and the verification system Uclid

24
The End
25
Integrated decision procedures in Theorem-Provers
All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.
Thus, reducing linear arithmetic to propositional logic will:
1. Enable integration of theories at the propositional logic level.
2. Potentially be faster than known techniques.
26
A decision procedure for separation theory
Separation predicates have the form x > y + c, where x, y are real variables and c is a constant
[Pratt 73] (/[Bellman 57]): Given a set of conjuncted separation predicates φ:
1. Construct the inequality graph
2. φ is satisfiable iff there is no cycle with non-negative accumulated weight
φ: (x > z + 3 ∧ z > y + 1 ∧ y > x + 1)
27
Handling disjunctions through case splitting
  • All previously mentioned algorithms handle disjunctions by splitting the formula.
  • This can be thought of as a two-stage process:
  • Convert the formula to Disjunctive Normal Form (DNF)
  • Solve each clause separately, until satisfying one of them.

(A common improvement: split when needed)
Case splitting is frequently the bottleneck of the procedure
28
So what can be done against case-splitting?
Answer: Split the domain, not the formula.
Given a formula φ, this transformation can be done if ∃φ' s.t. φ ≡ φ', and φ' is decidable under a finite domain.
  • When is this possible?
  • φ enjoys the small model property, or
  • Tailor-made reduction

29
SAT vs. infinite-state decision procedures
With finite instantiation (e.g. SAT), we split the domain. Infinite-state decision procedures split the formula. So what's the big difference?
30
SAT vs. infinite-state decision procedures
Three mechanisms crucial for efficient decision making.
SAT has a significant advantage in all three.
31
SAT vs. infinite-state decision procedures (1/4)
1. Pruning
SAT: each clause c prunes up to 2^(v - |c|) states.
v = 1000, |c| = 2: pruning 2^998 states
Others: stop when a satisfiable clause is found
32
SAT vs. infinite-state decision procedures (2/4)
2. Learning
SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.
Others (depends on the decision procedure): adding proved sub-goals as antecedents to new sub-goals
33
SAT vs. infinite-state decision procedures (3/4)
3. Guidance (prioritizing internal steps)
Consider φ1 ∨ φ2, where φ1 is unsat and hard, and φ2 is sat and easy.
With proper guidance, a theorem prover should start from φ2.
Guidance requires efficient estimation:
- How hard is it to solve each sub-formula?
- To what extent will it simplify the rest of the proof?
34
SAT vs. infinite-state decision procedures (4/4)
3. Guidance (cont'd)
... To what extent will it simplify the rest of the proof?
SAT: Guidance through decision heuristics (e.g. DLIS).
(x ∨ y ∨ z) (x ∨ v) (x ∨ z)
Estimating simplification by counting literals in each phase
Others: Expression ordering, ...
35
This work
Extends the results of Bryant et al. to a Boolean combination of:
  • Separation predicates
  • Separation predicates for integers
  • Linear arithmetic
  • Integer linear arithmetic
36
Reducing separation predicates to propositional
logic (4/6)
B. Encode predicates and construct a graph
(procedure)
37
Reducing separation predicates to propositional logic (3/6)
B. Encode and construct graph (example)
φ: (x > z + 3 ∧ (z > y + 1 ∨ y ≥ x + 1))
[Figure: the encoded formula with its transitivity constraints, and the separation graph for φ]
38
Reducing separation predicates to propositional logic (6/6)
C. Add transitivity constraints for each cycle C:
If the total weight is positive, or all edges are ? and the total weight is equal to 0, then add the constraint
39
Reducing separation predicates to propositional logic (5/6)
C. Add transitivity constraints for each simple cycle (example)
[Figure: the transitivity constraints generated for each simple cycle of the example]
40
Compact representation of constraints
Some special cases:
1. If the diamonds are balanced → O(n) constraints
2. If there are uniform weights c1 and c2, c1 ≠ c2, on the top and bottom paths → O(n^2) constraints
41
Integrated decision procedures in Theorem-Provers
Deciding a combination of theories is the key for automation in theorem provers: Boolean operators, bit-vectors, sets, linear arithmetic, uninterpreted functions, and more.
Example: f(f(x) - f(y)) ≠ f(z) (uninterpreted functions), y < x + 2 (linear arithmetic), b 3 > 10 (bit-vector operators)
Normally, each theory is solved with its own decision procedure, and the results are combined (Shostak, Nelson, ...).