Tuning SAT-checkers for Bounded Model-Checking - PowerPoint PPT Presentation
Slides: 28
Provided by: ofer6
Transcript and Presenter's Notes
1
Tuning SAT-checkers for Bounded Model-Checking
  • A bounded guided tour
  • Ofer Shtrichman
  • Weizmann Institute and IBM (HRL)

2
  • Basic theory of Bounded Model Checking (BMC)
  • SAT highlights
  • Tuning SAT checkers for BMC
  • Results

3
The Bounded Model Checking Problem: Safety
Given a safety property p (e.g. AG p, always signal_a signal_b), is there a state reachable within k cycles which satisfies ¬p?
[Figure: a path s0, s1, s2, ..., sk-1, sk whose states are labelled p, p, ¬p, p, p, ...]
4
The Bounded Model Checking Problem: Liveness
Given a liveness property p (e.g. AGAF p, always eventually signal_a signal_b), is there a loop in the first k cycles none of whose states satisfy p?
[Figure: a path s0, s1, s2, ..., sk-1, sk that closes a loop, with states labelled p, p, ¬p, ¬p, ¬p, ...]
5
Reducing the BMC problem to SAT (1/3)
The reachable states in k steps are captured by
The property p fails in one of the cycles 1..k
6
Reducing the BMC problem to SAT (2/3)
The safety property p is valid up to cycle k iff φ is unsatisfiable
[Figure: a path s0, s1, s2, ..., sk-1, sk whose states are labelled p, p, ¬p, p, p, ...]
7
Reducing the BMC problem to SAT (3/3)
For liveness properties, add a disjunction of possible loops
[Figure: a path s0, s1, s2, ..., sk-1, sk with candidate loops, states labelled p, p, ¬p, ¬p, ¬p, ...]
8
Example: a two-bit counter
p = AG (¬l ∨ ¬r), k = 2
For k = 2, φ is unsatisfiable. For k = 4, φ is satisfiable.
9
Traditional Symbolic Model-Checking with BDDs
  • The reachable state-space is represented by a BDD
  • The property is evaluated recursively, by
    iterative fix point computations on the reachable
    state-space.
  • The size of the BDD is typically the bottleneck
    of Model-Checking.

10
Why SAT?
  • Smart DFS search: can potentially reach a
    satisfying sequence (counterexample) faster
  • No exponential space growth
  • Satisfiability checking is a luck-based
    technology

11
The Davis-Putnam procedure
  • Given φ in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)

[Figure: the procedure's loop of Decide(), Deduce() and Diagnose()]
12
Decide() criteria: on which variable to split?
  • satisfies the most clauses (DLIS)
  • satisfies the shortest clause
  • only positive or negative (pure literal rule)
  • most frequent
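As an added example, not taken from the slides, the reduction of slides 5-8 and the Decide()/Deduce()/backtrack loop of slides 11-12 in Python: a small DPLL with unit propagation and a "most frequent literal" decision rule, run on the two-bit counter unfolded k steps for p = AG(¬l ∨ ¬r). The counter's initial state and transition relation (start at 00, r' = ¬r, l' = l xor r) are assumed here, since the slide does not define them; the variable numbering and the helper names are also this example's own.

```python
from collections import Counter
from itertools import chain
def assign(clauses, lit):
    """Simplify the clause set under literal lit; None signals an empty clause (a conflict)."""
    out = []
    for c in clauses:
        if lit not in c:                              # clauses containing lit are satisfied and dropped
            rest = [x for x in c if x != -lit]
            if not rest:
                return None                           # every literal of c is falsified
            out.append(rest)
    return out

def dpll(clauses, model=None):
    """Decide()/Deduce()/backtrack loop of the Davis-Putnam slide; returns a model dict or None."""
    model = dict(model or {})
    while True:                                       # Deduce(): unit propagation to a fixpoint
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        model[abs(unit)] = unit > 0
        clauses = assign(clauses, unit)
        if clauses is None:
            return None                               # conflict: the caller backtracks
    if not clauses:
        return model                                  # all clauses satisfied
    lit = Counter(chain.from_iterable(clauses)).most_common(1)[0][0]  # Decide(): most frequent literal
    for choice in (lit, -lit):
        sub = assign(clauses, choice)
        if sub is not None:
            found = dpll(sub, {**model, abs(choice): choice > 0})
            if found is not None:
                return found
    return None

def bmc_counter(k):
    """CNF of I(s0) ∧ T(s0,s1) ∧ ... ∧ T(s_{k-1},s_k) ∧ (¬p(s0) ∨ ... ∨ ¬p(s_k)) for p = AG(¬l ∨ ¬r).
    Assumed counter (not given on the slide): start at l=r=0, r' = ¬r, l' = l xor r (counts 00,01,10,11).
    Variables: l_i = 3i+1, r_i = 3i+2, b_i = 3i+3 where b_i means "p fails at cycle i"."""
    L, R, B = (lambda i: 3 * i + 1), (lambda i: 3 * i + 2), (lambda i: 3 * i + 3)
    cnf = [[-L(0)], [-R(0)]]                                            # I(s0)
    for i in range(k):                                                   # T(s_i, s_{i+1})
        l, r, l2, r2 = L(i), R(i), L(i + 1), R(i + 1)
        cnf += [[r2, r], [-r2, -r]]                                      # r' <-> ¬r
        cnf += [[-l2, l, r], [-l2, -l, -r], [l2, -l, r], [l2, l, -r]]    # l' <-> l xor r
    for i in range(k + 1):                                               # b_i -> (l_i ∧ r_i), i.e. ¬p(s_i)
        cnf += [[-B(i), L(i)], [-B(i), R(i)]]
    cnf.append([B(i) for i in range(k + 1)])                             # p fails in at least one cycle
    model = dpll(cnf)                                                    # None: p holds up to cycle k
    return None if model is None else [(model.get(L(i), False), model.get(R(i), False)) for i in range(k + 1)]
```

Under the assumed counter, bmc_counter(2) returns None (φ unsatisfiable, as on slide 8) and bmc_counter(4) returns the trace 00, 01, 10, 11, 00, the state 11 at cycle 3 being the counterexample to p.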
13
Results (sec.)
[Results table not preserved in the transcript; some entries exceed 10,000 sec.]
14
Tuning SAT for BMC (1/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
15
Clashing clouds...
With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously
[Figure: clouds of variables between I0 and Pk]
16
General-purpose vs. tailor-made Decide() strategies...
φ = ... ∧ (x (y1 ∧ y2 ∧ y3)) ∧ ...
[Figure: the general-purpose order assigns x = T, y1 = F, y2 = F, y3 = T and then back-tracks]
17
A k-unfolding of the variable dependency graph
18
A head on attack...
φ should satisfy I0 and ¬Pk
Riding on unreachable states...
[Figure: search starting from I0]
19
A combined heuristic
[Figure: I0 and Pk]
Trigger BFS with
20
Given an order, guess a value
  • Dynamic decision
  • Constant value
  • Previous value
  • Flat computation
  • ...
[Figure: deciding x7 after x9 = 0 and x5 = 0; two rows of assignments, x2 = 1, y7 = 0, z2 = 0, y3 = 1 and x2 = 0, y7 = 0, z2 = 0, y3 = 1, labelled "Flat computation" and "Previous value"]
21
Tuning SAT for BMC (2/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
22
Exploiting φ's structure in AGp formulas
φ's structure can be used for adding conflicting clauses.
  • If x3 = T, y7 = F, z5 = T leads to a conflict,
  • then φ ∧ (¬x3 ∨ y7 ∨ ¬z5) is satisfiable iff φ is satisfiable.
  • The new clause can be seen as a constraint on the state-space

23
Exploiting φ's structure in AGp formulas
  • If x3 = T, y7 = F, z5 = T leads to a conflict, then so will x2 = T, y6 = F, z4 = T
  • Therefore, we can also add (¬x2 ∨ y6 ∨ ¬z4) ∧ (¬x1 ∨ y5 ∨ ¬z3) ∧ (¬x0 ∨ y4 ∨ ¬z2)
  • and... (¬x4 ∨ y8 ∨ ¬z6) ∧ ... ∧ (¬xk-4 ∨ yk ∨ ¬zk-2)
  • Yet, φ is not fully symmetric because of I0.
  • We first have to check, by simulating an assignment, if the replicated clause indeed leads to a conflict.

24
Tuning SAT for BMC (3/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state-space.
3. Restrict Decide() to a small set of variables.
25
Restricting Decide()
Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of φ
  • Model variables (15 of φ's variables)
  • Input variables (5 of φ's variables)

Fewer variables to Decide() implies more variables to Deduce()
26
Results (sec.)
[Results table not preserved in the transcript; some entries exceed 10,000 sec.]
27
The Conclusion
  • Many of the (BDD) hard cases can be more
    efficiently solved with the optimized SAT procedure.

28
How big should K be?
1. The Diameter d: for all reachable states s, t for which t is reachable from s, there exists a path from s to t with at most d-1 intermediate steps.
2. The Recurrence diameter rd: the least number r s.t. at most r consecutive states in a path are different.
rd is an upper bound for d that can be expressed as a propositional formula
29
The -diameter flag in BMC
If then k ≥ rd
And therefore,
If is unsatisfiable, then
30
Bounded cone of influence
[Figure: the variables x, y, z, u, v unfolded over cycles 0, 1, 2, 3, 4, 5 (K)]
u2 - u5, z5, y4 - y5 are not used
31
Bounded cone of influence has bounded effect
[Figure: plot against K]
The portion of variables that B-COI can remove decreases as K increases