A Hybrid SAT-based Decision Procedure for Separation Logic with Uninterpreted Functions PowerPoint PPT Presentation



1
A Hybrid SAT-based Decision Procedure for
Separation Logic with Uninterpreted Functions
  • Sanjit A. Seshia
  • Joint work with Shuvendu K. Lahiri and Randal E. Bryant
  • Carnegie Mellon University, USA
  • June 2003

2
Decision Procedures in Formal Verification
Figure: RTL/source code and specification are abstracted into
a formal model and formal specification, which the decision
procedure checks.
Applications: out-of-order and pipelined microprocessors,
cache coherence protocols, device drivers, compiler validation
3
Data and Function Abstraction
4
Separation Logic with Uninterpreted Functions
(SUF)
  • Sufficiently expressive for the afore-mentioned
    applications
  • System property expressed as SUF formula F
  • Efficiently decided via translation to SAT
  • Terms (T): integer expressions
      • ITE(F, T1, T2)          if-then-else
      • Fun(T1, …, Tk)         function application
      • T + 1                  increment
      • T - 1                  decrement
  • Formulas (F): Boolean expressions
      • ¬F, F1 ∧ F2, F1 ∨ F2    Boolean connectives
      • T1 = T2                equation
      • T1 < T2                inequality
      • Pred(T1, …, Tk)        predicate application

5
SAT-based Decision Procedures
6
Talk Outline
  • SUF → Separation Logic → SAT
  • Two eager encoding techniques
      • Pros and cons of each technique
  • Combining eager encoding techniques
      • The Hybrid eager encoding technique
  • Experimental results
      • Superior performance to lazy encoding methods and
        non-SAT-based decision procedures
  • Conclusions

7
SUF → Separation Logic
  • Eliminate function and predicate applications
    using fresh variables and ITE expressions
    [Bryant, German, Velev, CAV99]
  • f(x) → v1 and f(y) → ITE(x = y, v1, v2)

(The slide repeats the term grammar: ITE(F, T1, T2) if-then-else,
Fun(T1, …, Tk) function application, T + 1 increment, T - 1 decrement.)
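The elimination step above, as an added example (not the talk's or UCLID's code): a Python pass over a tuple-encoded SUF formula that replaces each function or predicate application with a fresh variable guarded by an ITE chain, so that f(x) becomes v1 and f(y) becomes ITE(x = y, v1, v2) exactly as on the slide. The tuple AST, the Eliminator class and the fresh names v1, v2, p1 are assumptions of this example.

```python
# Added example (not the talk's or UCLID's code): Bryant-German-Velev elimination
# of uninterpreted function/predicate applications with fresh variables and ITEs.
# Assumed tuple AST, e.g. ('app', 'f', (('var', 'x'),)) for the application f(x).
import itertools
def args_equal(new, old):
    # Conjunction of pairwise equalities between two argument tuples.
    eqs = [('eq', o, n) for o, n in zip(old, new)]
    return eqs[0] if len(eqs) == 1 else ('and',) + tuple(eqs)

class Eliminator:
    def __init__(self):
        self.prev = {}                  # symbol -> [(args, fresh variable)]
        self.ids = itertools.count(1)

    def _replace(self, sym, args, fresh, mk_ite):
        # ITE chain: use the variable of the earliest previous application of
        # `sym` whose arguments equal `args`; otherwise the fresh variable.
        result = fresh
        for old_args, old_var in reversed(self.prev.setdefault(sym, [])):
            result = mk_ite(args_equal(args, old_args), old_var, result)
        self.prev[sym].append((args, fresh))
        return result

    def term(self, t):
        k = t[0]
        if k == 'var':
            return t
        if k in ('inc', 'dec'):                    # T + 1 and T - 1
            return (k, self.term(t[1]))
        if k == 'ite':
            return ('ite', self.formula(t[1]), self.term(t[2]), self.term(t[3]))
        args = tuple(self.term(a) for a in t[2])   # k == 'app': Fun(T1, ..., Tk)
        fresh = ('var', 'v%d' % next(self.ids))
        return self._replace(t[1], args, fresh, lambda c, a, b: ('ite', c, a, b))

    def formula(self, f):
        k = f[0]
        if k in ('eq', 'lt'):
            return (k, self.term(f[1]), self.term(f[2]))
        if k in ('and', 'or', 'not'):
            return (k,) + tuple(self.formula(g) for g in f[1:])
        args = tuple(self.term(a) for a in f[2])   # k == 'pred': Pred(T1, ..., Tk)
        fresh = ('bvar', 'p%d' % next(self.ids))   # Boolean ITE as (c&a)|(~c&b)
        return self._replace(f[1], args, fresh, lambda c, a, b:
                             ('or', ('and', c, a), ('and', ('not', c), b)))

def slide_example():
    # The talk's case: f(x) becomes v1 and f(y) becomes ITE(x = y, v1, v2).
    x, y = ('var', 'x'), ('var', 'y')
    return Eliminator().formula(('lt', ('app', 'f', (x,)), ('app', 'f', (y,))))
```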
8
Eager Boolean Encoding Methods for Separation
Logic
Figure: a separation logic formula is translated to SAT by
either Small Domain Encoding (SD) or Per-Constraint Encoding (EIJ)
9
Small Domain Encoding (SD)
[Bryant, Lahiri, Seshia, CAV02]
x y ∧ y z ∧ z x+1
Observation: To check satisfiability, need to
consider all possible relative orderings of
finitely-many expressions
  • Can use Boolean encoding of a finite range of
    values
  • 4 values in this case, so 2-bit encoding

10
Per-Constraint Encoding (EIJ)
[Strichman, Seshia, Bryant, CAV02]
x y ∧ y z ∧ z x+1
11
Comparing Eager Encoding Methods
  • Of the SD and EIJ encoding methods, which one is
    better?
  • Comparison with respect to
      • Size of resulting Boolean formula
      • Performance of SAT solver

12
Size of Boolean Encoding: SD better than EIJ
  • Let N be the size of the original separation logic
    formula
      • Size of a directed acyclic graph representation
  • SD encoding size is worst-case O(N²)
  • EIJ encoding size is worst-case O(2^N)
      • Can generate O(2^N) transitivity constraints

13
Impact on SAT Problem: SD vs. EIJ
  • Experimentally compared zChaff performance on SD
    and EIJ encodings of several unsatisfiable
    formulas
  • Sample result:

Method   Boolean variables   CNF clauses   Conflict clauses   zChaff time (sec)
EIJ      57211               169387        150                0.56
SD       23112               67699         15811              21.63

EIJ better than SD for zChaff
14
Impact on SAT: Why is EIJ better than SD?
  • Conjecture: For SD, the SAT solver has to discover
    transitivity constraints as conflict clauses
      • Violation of a transitivity constraint might be
        discovered only after assigning bits of several
        bit-vectors
  • EIJ adds all such constraints a priori
      • Less learning and backtracking required by the
        SAT solver

15
Eager Encoding Tradeoffs
  • SD encoding
      • Polynomial size encoding
      • Worse for SAT solvers
  • EIJ encoding
      • Worst-case exponential size encoding
      • Better for SAT solvers
  • Can we automatically select between SD and EIJ
    based on the input formula?

16
Selection Strategy
  • Problem
      • Computationally hard to estimate the number of
        transitivity constraints
      • Can we use a different metric?
  • Idea: Identify a feature of the input formula that
    varies monotonically with the run-time of EIJ (but
    not with the run-time of SD)

Flowchart: estimate the number of transitivity constraints, C;
if C > T (YES) use the SD encoding, otherwise (NO) use the EIJ encoding
17
A Good Formula Feature: Number of Separation
Predicates
18
A Good Formula Feature: Number of Separation
Predicates (continued)
19
Revised Selection Strategy
  • Easy to count the number of separation predicates
  • Very approximate measure of the number of
    transitivity constraints
      • Constraints only relate predicates that share
        variables
  • Also need to automate setting of the threshold T
      • Statistically estimate from a training set of
        benchmarks

Flowchart: count the number of separation predicates, m;
if m > T (YES) use the SD encoding, otherwise (NO) use the EIJ encoding
20
Identifying Variable Classes
Figure: formula tree with connectives ∧, ∨, ∨, ∧ over the
separation predicates u v, u v-2, x y, y z, z x+1
Assignments to u,v are independent of those to
x,y,z
21
Hybrid Encoding Technique
Figure: Separation Logic Formula (input to the hybrid
encoding; the rest of the diagram is not in the transcript)
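The variable-class idea of slide 20 together with the m > T test of slide 19, as an added example (not the talk's or UCLID's code): predicates that transitively share a variable are grouped by union-find, the separation predicates of each class are counted, and a class is encoded with SD when its count exceeds the threshold, otherwise with EIJ. The atom format ('sep', op, x, y, c) for x op y + c, the per-class selection and the sample formula (including its '<' operators) are assumptions of this example.

```python
# Added example (not the talk's code): the hybrid selection step of slides
# 19-20. Predicates that transitively share a variable form one class;
# each class is counted separately and compared against the threshold T.
# Assumed atom format: ('sep', op, x, y, c) stands for x op y + c.
def atoms(f):
    """Yield the separation predicates of a nested-tuple formula."""
    if f[0] == 'sep':
        yield f
    else:                                   # 'and' / 'or' / 'not'
        for g in f[1:]:
            yield from atoms(g)

def find(parent, v):
    while parent[v] != v:
        parent[v] = parent[parent[v]]       # path halving
        v = parent[v]
    return v

def variable_classes(preds):
    """Union-find: x and y share a class whenever a predicate relates them."""
    parent = {}
    for _, _, x, y, _ in preds:
        parent.setdefault(x, x)
        parent.setdefault(y, y)
        parent[find(parent, x)] = find(parent, y)
    classes = {}
    for v in parent:
        classes.setdefault(find(parent, v), set()).add(v)
    return list(classes.values())

def select_encodings(f, threshold):
    """Map each variable class to (m, encoding) with m > T -> SD, else EIJ."""
    preds = list(atoms(f))
    choice = {}
    for cls in variable_classes(preds):
        m = sum(1 for p in preds if p[2] in cls)   # p[3] is then in cls too
        choice[frozenset(cls)] = (m, 'SD' if m > threshold else 'EIJ')
    return choice

def slide20_formula():
    # Constructed in the shape of slide 20: two independent variable groups,
    # {u, v} and {x, y, z}; the '<' operators are a constructed choice.
    uv, uv2 = ('sep', '<', 'u', 'v', 0), ('sep', '<', 'u', 'v', -2)
    xy, yz, zx = (('sep', '<', 'x', 'y', 0), ('sep', '<', 'y', 'z', 0),
                  ('sep', '<', 'z', 'x', 1))
    return ('and', ('or', uv, uv2), ('or', ('and', xy, yz), zx))
```

With threshold 2 the {u, v} class (2 predicates) goes to EIJ and the {x, y, z} class (3 predicates) goes to SD, which is the per-class mix the hybrid technique relies on.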
22
Automatically Selecting a Threshold Value
Intuition: EIJ run time increases drastically beyond a
certain number of separation predicates
23
Automatically Selecting a Threshold Value using
Clustering
Cluster total time (Y-axis) values, minimizing the
variance of each cluster
24
Experimental Evaluation Setup
  • Compared Hybrid against
      • SD and EIJ encodings
      • Cooperating Validity Checker (CVC), based on the
        lazy encoding method [Stump et al. 02]
      • Stanford Validity Checker (SVC), non-SAT-based
        [Barrett et al. 96]
      • CVC and SVC can handle more expressive logics
        than SUF
  • Benchmarks
      • 49 unsatisfiable SUF formulas
      • Load-store unit, out-of-order unit, device driver
        code, compiler validation, DLX pipeline
      • Threshold value calculated from a subset of 16
        benchmarks
          • Worked well for 39 out of the 49 benchmarks
  • Setup
      • Used zChaff SAT solver
      • Imposed timeout of 1800 sec. on total time
        (Encoding + SAT)

25
Hybrid vs. SD (39/49 benchmarks)
Scatter plot with regions labelled "Hybrid better" and "SD better"
26
Hybrid vs. EIJ (39/49 benchmarks)
Scatter plot with regions labelled "Hybrid better" and "EIJ better"
27
Hybrid vs. Lazy Encoding (CVC) (39/49 benchmarks)
Scatter plot with regions labelled "Hybrid better" and "CVC better"
28
Hybrid vs. Non-SAT-based Procedure (SVC) (39/49
benchmarks)
Scatter plot with regions labelled "Hybrid better" and "SVC better"
29
SD outperforms Hybrid on 10/49 benchmarks
Scatter plot with regions labelled "Hybrid better" and "SD better"
30
Conclusions and Ongoing Work
  • Hybrid combination of EIJ and SD encodings
      • is robust to formula variations
      • outperforms lazy encoding methods (CVC)
      • outperforms non-SAT-based methods (SVC)
  • Ongoing / future work
      • Alternate estimators for the number of transitivity
        constraints
      • Threshold setting technique based on clustering
        applies to other CAD problems too
      • Combination of lazy and eager encoding techniques
        might perform well on satisfiable formulas?
  • More on the UCLID project webpage:
    http://www.cs.cmu.edu/uclid

31
Automatically Selecting a Threshold Value: Step 1
Plot training benchmarks (number of separation predicates
on the X-axis, total time on the Y-axis)
32
Automatically Selecting a Threshold Value: Step 2
Project points onto the Y-axis
33
Automatically Selecting a Threshold Value: Step 3
Cluster the Y-axis points, minimizing the variance of each
cluster
Figure: the resulting clusters
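Steps 2 and 3 above, as an added example (not the talk's or UCLID's code): training points (m, EIJ total time) are projected onto the time axis and split into two clusters that minimise the within-cluster sum of squared deviations (for one-dimensional data the optimum is a single cut in sorted order), and the threshold T is taken as the largest m among the benchmarks in the fast cluster. The fast-cluster rule for reading T off the clusters, the choice of exactly two clusters and the training data are assumptions of this example.

```python
# Added example (not the talk's code): threshold selection by clustering
# (slides 22-23 and 31-33). Points are (m, EIJ total time) for a training
# set; the times are split into two clusters minimising the within-cluster
# sum of squared deviations, and T is the largest m in the fast cluster.
# The fast-cluster rule, the two-cluster choice and the data are assumptions.
def sse(values):
    """Sum of squared deviations from the mean (0 for an empty cluster)."""
    if not values:
        return 0.0
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values)

def two_clusters(values):
    """Optimal split of 1-D data into two clusters: in one dimension the
    minimum-variance partition is a single cut in sorted order."""
    ys = sorted(values)
    best_cut, best_cost = 1, float('inf')
    for cut in range(1, len(ys)):
        cost = sse(ys[:cut]) + sse(ys[cut:])
        if cost < best_cost:
            best_cut, best_cost = cut, cost
    return ys[:best_cut], ys[best_cut:]

def choose_threshold(points):
    """Step 2 projects the points onto the time axis, step 3 clusters them;
    T is the largest predicate count whose time fell in the fast cluster."""
    fast, _ = two_clusters([t for _, t in points])
    return max(m for m, t in points if t <= max(fast))

# Constructed training points: (number of separation predicates, EIJ seconds).
# The jump after m = 60 mimics the "increases drastically" intuition.
TRAINING = [(12, 0.4), (20, 0.9), (35, 1.5), (48, 2.2), (60, 3.1),
            (85, 400.0), (90, 520.0), (120, 610.0)]
```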
34
Decision Procedures in Verification
Figure: backup copy of the abstraction diagram from slide 2
(RTL/source code and specification to formal model and specification)
35
Separation Logic with Uninterpreted Functions
(SUF)
  • Model expressed symbolically in terms of abstract
    terms and formulas
  • System property expressed as SUF formula F
  • Decision procedures check satisfiability of F
  • Terms (T): integer expressions
      • ITE(F, T1, T2)          if-then-else
      • Fun(T1, …, Tk)         function application
      • T + 1                  increment
      • T - 1                  decrement
  • Formulas (F): Boolean expressions
      • ¬F, F1 ∧ F2, F1 ∨ F2    Boolean connectives
      • T1 = T2                equation
      • T1 < T2                inequality
      • Pred(T1, …, Tk)        predicate application