SAT-based Bounded Model Checking - PowerPoint PPT Presentation

Title: SAT-based Bounded Model Checking
Provided by: oferstr
Learn more at: http://www.cs.cmu.edu
Slides: 41

Transcript and Presenter's Notes
1
SAT-based Bounded Model Checking
2
Formulation of famous problems as SAT: k-Coloring (1/2)
The k-Coloring problem: given an undirected graph G(V,E) and a natural number k, is there an assignment color: ...
3
Formulation of famous problems as SAT: k-Coloring (2/2)
x_{i,j}: node i is assigned the color j (1 ≤ i ≤ n, 1 ≤ j ≤ k)
Constraints:
i) At least one color to each node: (x_{1,1} ∨ x_{1,2} ∨ ... ∨ x_{1,k}) ∧ ...
ii) At most one color to each node
iii) Coloring constraints
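As an added example (not from the slides), the k-Coloring encoding above in Python, using the standard pairwise form of the at-most-one and edge constraints, checked by brute force on a constructed triangle; the variable numbering and the helper names are my own.

```python
from itertools import combinations, product

def var(i, j, k):
    """Index of x_{i,j} (node i gets colour j) as a positive integer, 1-based."""
    return (i - 1) * k + j

def k_coloring_cnf(n, edges, k):
    """CNF for 'G(V,E) with |V| = n is k-colourable'; -v denotes the negated literal."""
    clauses = []
    for i in range(1, n + 1):
        # i) at least one colour per node: (x_{i,1} v ... v x_{i,k})
        clauses.append([var(i, j, k) for j in range(1, k + 1)])
        # ii) at most one colour per node: pairwise (-x_{i,j} v -x_{i,j'})
        for j1, j2 in combinations(range(1, k + 1), 2):
            clauses.append([-var(i, j1, k), -var(i, j2, k)])
    # iii) colouring constraints: the endpoints of an edge never share colour j
    for u, v in edges:
        for j in range(1, k + 1):
            clauses.append([-var(u, j, k), -var(v, j, k)])
    return clauses

def brute_force_sat(clauses, nvars):
    """Tiny stand-in for a SAT solver: return a satisfying assignment or None."""
    for bits in product([False, True], repeat=nvars):
        a = (None,) + bits                       # a[v] is the value of variable v
        if all(any(a[abs(l)] == (l > 0) for l in c) for c in clauses):
            return a
    return None

def colour(n, edges, k):
    """Return colour[i-1] for nodes 1..n, or None if no k-colouring exists."""
    a = brute_force_sat(k_coloring_cnf(n, edges, k), n * k)
    if a is None:
        return None
    return [next(j for j in range(1, k + 1) if a[var(i, j, k)]) for i in range(1, n + 1)]

# Constructed input: a triangle needs three colours.
TRIANGLE = [(1, 2), (2, 3), (1, 3)]
```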
4
Formulation of famous problems as SAT: Bounded Model Checking
Given a property p (e.g. always signal_a = signal_b): is there a state reachable within k cycles which satisfies ¬p?
(Figure: a path s0, s1, s2, ..., s(k-1), sk; p holds in every state shown except one, which satisfies ¬p.)
5
Bounded Model Checking: safety
The reachable states in k steps are captured by:
The property p fails in one of the cycles 1..k:
6
Bounded Model Checking: safety
The safety property p is valid up to cycle k iff W(k) is unsatisfiable.
(Figure: the path s0, s1, s2, ..., s(k-1), sk, with ¬p holding in one of the states.)
7
Bounded Model Checking: safety
Example: a two-bit counter
Initial state: I = ¬l ∧ ¬r
Transition: R = (l' = l ⊕ r) ∧ (r' = ¬r)
Property: G(¬l ∨ ¬r)
For k = 2, W(k) is unsatisfiable. For k = 4, W(k) is satisfiable.
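As an added example (not from the slides), the two-bit counter unrolled for k cycles in Python. It takes the initial state as ¬l ∧ ¬r and the transition as l' = l ⊕ r, r' = ¬r, and enumerates candidate paths instead of calling a SAT solver; the function names are mine.

```python
from itertools import product

# A state is a pair (l, r) of booleans; a path is the list s0..sk.

def init(l, r):
    """I = not l and not r (initial state of the counter)."""
    return (not l) and (not r)

def trans(l, r, l2, r2):
    """R: l' = l xor r, r' = not r."""
    return l2 == (l != r) and r2 == (not r)

def prop(l, r):
    """p = not l or not r, the body of G(not l or not r)."""
    return (not l) or (not r)

def bmc_safety(k):
    """Decide W(k) = I(s0) and R(s0,s1) and ... and R(s_{k-1},s_k)
    and (not p(s1) or ... or not p(sk)) by exhaustive enumeration.
    Returns the counterexample path if W(k) is satisfiable, else None."""
    for bits in product([False, True], repeat=2 * (k + 1)):
        path = [(bits[2 * i], bits[2 * i + 1]) for i in range(k + 1)]
        if not init(*path[0]):
            continue
        if not all(trans(*path[i], *path[i + 1]) for i in range(k)):
            continue
        if any(not prop(*s) for s in path[1:]):   # p fails in one of cycles 1..k
            return path
    return None

def smallest_failing_k(limit=8):
    """Increase k until W(k) becomes satisfiable (None if it never does up to limit)."""
    for k in range(limit + 1):
        if bmc_safety(k) is not None:
            return k
    return None
```

For k = 2 no violating path exists; for k = 4 the single path 00, 01, 10, 11, 00 is returned because s3 violates p.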
8
Bounded Model Checking: liveness
The liveness property Fp is valid up to cycle k iff W(k) is unsatisfiable.
(Figure: the path s0, s1, s2, ..., s(k-1), sk, annotated with p and ¬p.)
9
Intel's results (2002)
10
Compaq's results (2001)
11
IBM's results (2000)
12
SAT made some progress
13
Bounded Model Checking
14
How big should k be?
  • For every finite model M and LTL property φ there exists k s.t.
  • We call the minimal such k the Completeness Threshold (CT)
  • Clearly, if M ⊨ φ then CT = 0
  • Hence computing CT for a given M is equivalent to model checking

15
The Completeness Threshold
  • Let's try the following strategy:
  • Compute CT for an abstraction of M that unites all models with certain graph-theoretic properties equal to those of M

16
Basic notions
  • Diameter D(M): longest shortest path between any two reachable states.
  • Recurrence Diameter RD(M): longest loop-free path between any two reachable states.
  • The initialized versions DI(M) and RDI(M) start from an initial state.

(Example graph on the slide: D(M) = 2, RD(M) = 3)
17
The Completeness Threshold
  • Theorem: for AGp properties, CT = DI(M)

18
The Completeness Threshold
  • Theorem: for AFp properties, CT = RDI(M) + 1
  • Theorem: for an LTL property φ, CT = ?

19
Why SAT?
  • Fundamental problem from a theoretical point of view
  • Numerous applications:
    • CAD, VLSI
    • Optimization
    • Bounded Model Checking and other types of formal verification
    • AI, planning, automated deduction

20
What is SAT?
Given a propositional formula in CNF, find an assignment to its Boolean variables that makes the formula true.
φ1 = (x2 ∨ x3), φ2 = (¬x1 ∨ ¬x4), φ3 = (¬x2 ∨ x4)
A = {x1 = 0, x2 = 1, x3 = 0, x4 = 1}
SATisfying assignment!
21
A Basic SAT algorithm
  • Given φ in CNF: (x,y,z), (-x,y), (-y,z), (-x,-y,-z)

Decide(): x=0@1, z=0@2
Deduce(): y=0@2
Resolve_Conflict()
22
A Basic SAT algorithm
While (true)
    if (!Decide()) return (SAT);
    while (!Deduce())
        if (!Resolve_Conflict()) return (UNSAT);
Decide(): choose the next variable and value. Return False if all variables are assigned.
Deduce(): apply the unit clause rule. Return False if a conflict is reached.
Resolve_Conflict(): backtrack until no conflict. Return False if impossible.
23
Basic Backtracking Search
  • Organize the search in the form of a decision tree
  • Each node corresponds to a decision
  • Depth of the node in the decision tree = decision level
  • Notation: x=v@d means x is assigned v at decision level d

24
Backtracking Search in Action
φ1 = (x2 ∨ x3), φ2 = (¬x1 ∨ ¬x4), φ3 = (¬x2 ∨ x4)
x1 = 1@1 ⇒ x4 = 0@1 ⇒ x2 = 0@1 ⇒ x3 = 1@1, giving (x1,1), (x2,0), (x3,1), (x4,0)
x1 = 0@1, x2 = 0@2 ⇒ x3 = 1@2, giving (x1,0), (x2,0), (x3,1)
No backtrack in this example, regardless of the decision!
25
Backtracking Search in Action
Add a clause:
φ1 = (x2 ∨ x3), φ2 = (¬x1 ∨ ¬x4), φ3 = (¬x2 ∨ x4), φ4 = (¬x1 ∨ x2 ∨ ¬x3)
x1 = 1@1 ⇒ x4 = 0@1 ⇒ x2 = 0@1 ⇒ x3 = 1@1 ⇒ conflict (φ4)
26
Decision heuristics: DLIS (Dynamic Largest Individual Sum)
  • Choose the variable and value that satisfies the maximum number of unsatisfied clauses.
  • This requires going through all clauses for each decision.

27
Decision heuristics: Jeroslow-Wang method
  • Compute for every clause w and every variable l (in each phase):
  • J(l)
  • Choose a variable l that maximizes J(l).
  • This gives an exponentially higher weight to literals in shorter clauses.

28
Decision heuristics: MOM (Maximum Occurrence of clauses of Minimum size)
  • Let f(x) be the number of unresolved smallest clauses containing x. Choose x that maximizes
  • (f(x) + f(!x)) · 2^k + f(x) · f(!x)
  • k is chosen heuristically.
  • The idea:
    • Give preference to satisfying small clauses.
    • Among those, give preference to balanced variables (e.g. f(x) = 3, f(!x) = 3 is better than f(x) = 1, f(!x) = 5).

29
Decision heuristics: VSIDS (Variable State Independent Decaying Sum)
1. Each variable in each polarity has a counter initialized to 0.
2. When a clause is added, the counters are updated.
3. The unassigned variable with the highest counter is chosen.
4. Periodically, all the counters are divided by a constant.
(Implemented in Chaff)
30
Decision heuristics: VSIDS (cont'd)
  • Chaff holds a list of unassigned variables sorted by the counter value.
  • Updates are needed only when adding conflict clauses.
  • Thus, a decision is made in constant time.

31
Decision heuristics: VSIDS (cont'd)
VSIDS is a quasi-static strategy: static because it doesn't depend on the current assignment, dynamic because it gradually changes. Variables that appear in recent conflicts have higher priority.
This strategy is a conflict-driven decision strategy.
"...employing this strategy dramatically (i.e. an order of magnitude) improved performance..."
32
Implication graphs and learning
Current truth assignment: {x9 = 0@1, x10 = 0@3, x11 = 0@3, x12 = 1@2, x13 = 1@2}
Current decision assignment: {x1 = 1@6}
φ1 = (¬x1 ∨ x2), φ2 = (¬x1 ∨ x3 ∨ x9), φ3 = (¬x2 ∨ ¬x3 ∨ x4), φ4 = (¬x4 ∨ x5 ∨ x10), φ5 = (¬x4 ∨ x6 ∨ x11), φ6 = (¬x5 ∨ ¬x6), φ7 = (x1 ∨ x7 ∨ ¬x12), φ8 = (x1 ∨ x8), φ9 = (¬x7 ∨ ¬x8 ∨ ¬x13)
(Implication graph on the slide: the decision x1 = 1@6 together with x9 = 0@1, x10 = 0@3 and x11 = 0@3 leads to a conflict.)
We learn the conflict clause φ10 = (¬x1 ∨ x9 ∨ x11 ∨ x10)
33
Implication graph, flipped assignment
Clauses φ1..φ9 as above, plus φ10 = (¬x1 ∨ x9 ∨ x11 ∨ x10)
(Implication graph on the slide: x9 = 0@1, x10 = 0@3 and x11 = 0@3 now imply x1 = 0@6 through φ10, due to the conflict clause.)
34
Non-chronological backtracking
(Figure: decision levels 3, 4, 5 and 6; the decision on x1 at level 6 leads to a conflict under both values.)
  • Which assignments caused the conflicts?
  • x9 = 0@1
  • x10 = 0@3
  • x11 = 0@3
  • x12 = 1@2
  • x13 = 1@2
  • These assignments are sufficient for causing a conflict.
  • Backtrack to decision level 3

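As an added example (not from the slides), the implication-graph example of the last three slides in Python: unit propagation that records a reason clause per implied variable, conflict-clause learning by resolving implied literals away until only assignments without a reason remain (the cut the slides use), and the resulting backtrack level; the function names are mine.

```python
# Clauses phi1..phi9 as lists of ints, -v standing for not x_v;
# a trail entry is (literal, decision level), e.g. (-9, 1) is x9 = 0@1.
CLAUSES = [[-1, 2], [-1, 3, 9], [-2, -3, 4], [-4, 5, 10], [-4, 6, 11],
           [-5, -6], [1, 7, -12], [1, 8], [-7, -8, -13]]
TRAIL = [(-9, 1), (12, 2), (13, 2), (-10, 3), (-11, 3)]

def propagate(clauses, trail, level):
    """Unit-clause rule at decision level `level`. Returns (trail, reasons, conflict):
    reasons maps an implied variable to the clause that forced it; conflict is
    the clause whose literals are all false, or None."""
    trail, reasons = list(trail), {}
    assign = {abs(l): l for l, _ in trail}
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(assign.get(abs(l)) == l for l in c):
                continue                       # clause already satisfied
            free = [l for l in c if abs(l) not in assign]
            if not free:
                return trail, reasons, c       # every literal false: conflict
            if len(free) == 1:                 # unit: the last literal is implied
                assign[abs(free[0])] = free[0]
                trail.append((free[0], level))
                reasons[abs(free[0])] = c
                changed = True
    return trail, reasons, None

def learn(conflict, reasons):
    """Resolve implied literals out of the conflict clause until only
    assignments without a reason (decisions) remain."""
    clause = set(conflict)
    while any(abs(l) in reasons for l in clause):
        l = next(l for l in clause if abs(l) in reasons)
        clause = (clause | set(reasons[abs(l)])) - {l, -l}
    return sorted(clause, key=abs)

def backtrack_level(learned, trail, current):
    """Deepest level below `current` among the learned clause's variables."""
    lvl = {abs(l): d for l, d in trail}
    return max((lvl[abs(l)] for l in learned if lvl[abs(l)] < current), default=0)

def first_conflict():
    """Decide x1 = 1 at level 6; the conflict at phi6 yields phi10."""
    _, reasons, conflict = propagate(CLAUSES, TRAIL + [(1, 6)], 6)
    return learn(conflict, reasons)

def flipped_conflict():
    """With phi10 added, x1 = 0 is implied and phi9 conflicts."""
    trail, reasons, conflict = propagate(CLAUSES + [first_conflict()], TRAIL, 6)
    learned = learn(conflict, reasons)
    return learned, backtrack_level(learned, trail, 6)
```

The first call learns (¬x1 ∨ x9 ∨ x10 ∨ x11); the second learns a clause over x9, x10, x11, x12, x13 only, whose deepest level is 3, which is where the solver backtracks to.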
35
Tuning SAT for BMC
  • I. Variable ordering
  • II. Incremental SAT: reusability of conflict clauses between different (yet related) SAT instances.
  • III. Replicating Conflict Clauses: generation of conflict clauses 'for free', based on the unique structure of BMC invariant properties.

36
Static variable ordering
A (CNF) dependency graph D = (V,E)
A partitioning C1..Cn
An abstract dependency graph D(V, E)
37
Static variable ordering for BMC (the natural order of W(k))
For W(k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear.
38
Static variable ordering (a simple static ordering)
W(k) should satisfy I0 and ¬Pk.
(Figure: the ordering runs from I0 toward ¬Pk: "Riding on unreachable states...")
39
Incremental SAT
Given two CNF formulas (sets of clauses) S1 and S2, and a conflict clause φ s.t. S1 ⊢ φ, under what conditions does the following hold: S2 is satisfiable iff S2 ∪ {φ} is satisfiable?
40
Incremental SAT
Let φ0 = S1 ∩ S2. Claim: if φ0 ⊢ φ then
S1 is satisfiable iff S1 ∪ {φ} is satisfiable, and S2 is satisfiable iff S2 ∪ {φ} is satisfiable.
Thus, if we deduce φ while checking S1, we can reuse it when checking S2.
41
Incremental SAT for BMC
Testing whether the clauses involved in deducing φ are a subset of φ0 requires marking them in advance. In the BMC case this is easy:
only one clause in φ(k) is not included in φ(k+1).
42
Incremental SAT
1. Mark φ0, the subset of clauses that are also contained in subsequent instances.
2. If s ⊢ φ for some s ⊆ φ0, then add φ to φ0 and mark it as pervasive.
(Figure: S1 and S2 overlapping in φ0.)
43
Incremental SAT for BMC
In the gradual process of solving the BMC problem, we use a list of pervasive clauses: pc-list.
pc-list = ∅
Bool Solve(int k)
    1. Generate φk and mark the φ0 clauses.
    2. Add pc-list to φk.
    3. While solving φk, if φ is deduced by a set of marked clauses, add it to pc-list.
    4. If φk is SAT then return SATISFIABLE, else Solve(k+1).
44
Replicated clauses
The BMC invariant formula includes k structurally similar parts.
Can this symmetry be used to speed up the search?
45
Replicated clauses
Let xk denote variable x in cycle k. Let c(i) denote the clause c where every variable in c is shifted i cycles. For example:
c = (x5 ∨ ¬y2 ∨ z7), c(2) = (x7 ∨ ¬y4 ∨ z9), c(-2) = (x3 ∨ ¬y0 ∨ z5)
Similarly, s(i) denotes the set of shifted clauses in the set s, i.e. ∀j. cj ∈ s ⇒ cj(i) ∈ s(i).
46
Replicated clauses
Let s be a subset of φ(k)'s clauses, and let φ be a conflict clause deducible from s, i.e. s ⊢ φ.
s = {(¬x2 ∨ y5), (x2 ∨ y5 ∨ z3 ∨ w4)}
φ = (y5 ∨ z3 ∨ w4)
47
Replicated clauses
Conclusion: if s(i) ⊆ φ(k) then we can also add φ(i) to φ(k). φ(i) is a new clause that we got 'for free'. We call φ(i) a 'replicated clause'.
The remaining question is: for which i does s(i) ⊆ φ(k) hold?
48
Replicated clauses
1. While generating φ(k), mark all transition-relation clauses.
2. For every conflict clause φ, if all the clauses in s are marked, then mark φ as 'replicable'.
. . .
49
Replicated clauses
Given a replicable clause φ and the subset of clauses s from which it was deduced:
. . .
3. Record ls and hs, the lowest and highest cycle index in s.
4. Add a replicated clause φ(i) for i in the range -ls .. (k - hs).
50
Example
s = {(¬x2 ∨ y5), (x2 ∨ y5 ∨ z3 ∨ w4)}
ls = 2, hs = 5, k = 6
φ = (y5 ∨ z3 ∨ w4)
Going right: φ(1) = (y6 ∨ z4 ∨ w5)
Going left: φ(-1) = (y4 ∨ z2 ∨ w3), φ(-2) = (y3 ∨ z1 ∨ w2)
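As an added example (not from the slides), the clause shifting c(i) defined earlier and steps 3-4 of the replication procedure in Python, run on the example just shown; the literal parser and the helper names are mine, and φ(0) (φ itself) is skipped.

```python
# A literal is (negated, name, cycle); clauses are written as on the slides,
# e.g. "(x5 ∨ ¬y2 ∨ z7)", with the cycle index as the trailing digits.
def lit(text):
    """Parse 'x5' or '¬y2' into (negated, name, cycle)."""
    neg = text.startswith("¬")
    body = text[1:] if neg else text
    name = body.rstrip("0123456789")
    return (neg, name, int(body[len(name):]))

def clause(text):
    """Parse '(x5 ∨ ¬y2 ∨ z7)' into a tuple of literals."""
    return tuple(lit(t.strip()) for t in text.strip().strip("()").split("∨"))

def show(c):
    """Render a clause back in the slides' notation."""
    return "(" + " ∨ ".join(("¬" if neg else "") + f"{name}{cyc}" for neg, name, cyc in c) + ")"

def shift(c, i):
    """c(i): every variable of c moved i cycles (c(0) is c itself)."""
    return tuple((neg, name, cyc + i) for neg, name, cyc in c)

def cycle_range(s):
    """(ls, hs): lowest and highest cycle index occurring in the clause set s."""
    cycles = [cyc for c in s for _, _, cyc in c]
    return min(cycles), max(cycles)

def replicate(phi, s, k):
    """Replicated clauses phi(i) for -ls <= i <= k - hs, i != 0, as text.
    The range keeps every shifted cycle index of s within 0..k, which is what
    makes s(i) a subset of phi(k) when s consists of transition-relation clauses."""
    ls, hs = cycle_range(s)
    return [show(shift(phi, i)) for i in range(-ls, k - hs + 1) if i != 0]

# The slide's example: s, phi and k = 6.
S = [clause("(¬x2 ∨ y5)"), clause("(x2 ∨ y5 ∨ z3 ∨ w4)")]
PHI = clause("(y5 ∨ z3 ∨ w4)")
```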
51
Experimental results (2001)
52
More engineering aspects of SAT solvers
Observation: more than 90% of the time, SAT solvers perform Deduction().
Deduction() allocates new implied variables and conflicts. How can this be done efficiently?
53
Grasp implements Deduction() with counters
Hold 2 counters for each clause ? val1(? ) -
of negative literals assigned 0 in ?
of positive literals assigned 1 in ?. val0(?)
- of negative literals assigned 1 in ?
of positive literals assigned 0 in ?.
54
Grasp implements Deduction() with counters
φ is satisfied iff val1(φ) > 0
φ is unsatisfied iff val0(φ) = |φ|
φ is unit iff val1(φ) = 0 ∧ val0(φ) = |φ| - 1
φ is unresolved iff val1(φ) = 0 ∧ val0(φ) < |φ| - 1
Every assignment to a variable x results in updating the counters for all the clauses that contain x.
Backtracking: same complexity.
55
Chaff implements Deduction() with a pair of observers
  • Observation: during Deduction(), we are only interested in newly implied variables and conflicts.
  • These occur only when the number of literals in φ with value false is greater than |φ| - 2
  • Conclusion: no need to visit a clause unless (val0(φ) > |φ| - 2)
  • How can this be implemented?

56
Chaff implements Deduction() with a pair of observers
  • Define two observers O1(φ), O2(φ).
  • O1(φ) and O2(φ) point to two distinct literals of φ which are not false.
  • φ becomes unit if updating one observer leads to O1(φ) = O2(φ).
  • Visit clause φ only if O1(φ) or O2(φ) become false.

57
Chaff implements Deduction() with a pair of observers
Both observers of an implied clause are on the highest decision level present in the clause. Therefore, backtracking will un-assign them first. Conclusion: when backtracking, observers stay in place.
Backtracking: no updating. Complexity: constant.
58
Chaff implements Deduction() with a pair of observers
The choice of observed literals is important. The best strategy is to observe the least frequently updated variables.
The observers method has a learning curve in this respect:
1. The initial observers are chosen arbitrarily.
2. The process shifts the observers away from variables that were recently updated (these variables will most probably be reassigned in a short time). In our example, the next time v5 is updated, it will point to a significantly smaller set of clauses.
59
GSAT: a different approach to SAT solving
Given a CNF formula φ, choose max_tries and max_flips
for i = 1 to max_tries
    T = randomly generated truth assignment
    for j = 1 to max_flips
        if T satisfies φ return TRUE
        choose v s.t. flipping v's value gives the largest increase in the number of satisfied clauses (break ties randomly).
        T = T with v's assignment flipped.
60
Improvement 1: clause weights
Initial weight of each clause: 1. Increase by k the weight of unsatisfied clauses. Choose v according to the max increase in weight.
Clause weights are another example of a conflict-driven decision strategy.
61
Improvement 2: Averaging-in
Q: Can we reuse information gathered in previous tries in order to speed up the search?
A: Yes! Rather than choosing T randomly each time, repeat good assignments and choose the rest randomly.
62
Improvement 2: Averaging-in (cont'd)
Let X1, X2 and X3 be equally wide bit vectors. Define a function bit_average: X1 × X2 → X3 as follows:
b3i = b1i if b1i = b2i, random otherwise
(where bji is the i-th bit in Xj, j ∈ {1,2,3})
63
Improvement 2: Averaging-in (cont'd)
Let Ti_init be the initial assignment (T) in cycle i. Let Ti_best be the assignment with the highest number of satisfied clauses in cycle i.
T1_init = random assignment. T2_init = random assignment.
∀i > 2, Ti_init = bit_average(T(i-1)_best, T(i-2)_best)
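As an added example (not from the slides), GSAT with both improvements, clause weights and averaging-in, in Python on a constructed formula (the one from the basic-SAT slide). Bumping the weights before every flip is my assumption about where the update goes; the function names are mine.

```python
import random

# Constructed CNF: (x v y v z)(-x v y)(-y v z)(-x v -y v -z) with x, y, z = 1, 2, 3.
FORMULA = [[1, 2, 3], [-1, 2], [-2, 3], [-1, -2, -3]]

def satisfied(clause, t):
    return any(t[abs(l)] == (l > 0) for l in clause)

def n_satisfied(clauses, t):
    return sum(satisfied(c, t) for c in clauses)

def weighted(clauses, weights, t):
    """Total weight of the satisfied clauses."""
    return sum(w for c, w in zip(clauses, weights) if satisfied(c, t))

def bit_average(x1, x2, rng):
    """b3_i = b1_i where X1 and X2 agree, a random bit otherwise."""
    return [a if a == b else rng.random() < 0.5 for a, b in zip(x1, x2)]

def gsat(clauses, nvars, max_tries=20, max_flips=50, k=1, seed=7):
    """Return a satisfying assignment t (t[0] unused) or None."""
    rng = random.Random(seed)
    weights = [1] * len(clauses)          # Improvement 1: clause weights
    best = []                             # Improvement 2: T_best of each try
    for i in range(max_tries):
        if i < 2:                         # T1_init and T2_init are random
            t = [rng.random() < 0.5 for _ in range(nvars + 1)]
        else:                             # Ti_init = bit_average(T(i-1)_best, T(i-2)_best)
            t = bit_average(best[-1], best[-2], rng)
        t_best = list(t)
        for _ in range(max_flips):
            if n_satisfied(clauses, t) == len(clauses):
                return t
            for idx, c in enumerate(clauses):     # unsatisfied clauses gain weight k
                if not satisfied(c, t):
                    weights[idx] += k
            gains = []
            for v in range(1, nvars + 1):
                t[v] = not t[v]                   # try the flip ...
                gains.append((weighted(clauses, weights, t), v))
                t[v] = not t[v]                   # ... and undo it
            top = max(g for g, _ in gains)
            v = rng.choice([v for g, v in gains if g == top])   # ties broken randomly
            t[v] = not t[v]
            if n_satisfied(clauses, t) > n_satisfied(clauses, t_best):
                t_best = list(t)
        best.append(t_best)
    return None
```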
64
Advanced topics
  • More about learning
  • Tuning SAT solvers for Bounded-Model Checking
  • Incremental satisfiability
  • Unsatisfiable core and its use for verification
  • From SAT to 0-1 ILP
  • From SAT to Quantified Boolean Formulas (QBF)