1. Carnegie Mellon University SAT-Based Decision Procedures for Subsets of First-Order Logic http://www.cs.cmu.edu/~bryant Randal E. Bryant Part I: Equality with Uninterpreted Functions Part I: Equality with Uninterpreted Functions

2. – 2 – Overall Outline Background SAT-based Decision Procedures Part I: Equality with Uninterpreted Functions Translating to propositional formula Exploiting positive equality and sparse transitivity Part II: Separation Logic Restricted form of addition Translating to propositional formula Hybrid encoding techniques

3. – 3 – Decision Procedures in Formal Verification RTL/ Source Code + Specifi- cation Abstraction Verification OK Error Formal Model + Specifi- cation Decision Procedure for Decidable Fragment of First-Order Logic Applications: Out-of-order, Pipelined Microprocessors; Cache Coherence Protocols; Device Drivers; Compiler Validation; …

4. – 4 – SAT-based Decision Procedures Input Formula Boolean Formula satisfiable unsatisfiable Satisfiability-preserving Boolean Encoder SAT Solver EAGER ENCODING Input Formula Boolean Formula satisfiable unsatisfiable Approximate Boolean Encoder SAT Solver satisfying assignment satisfiable First-order Conjunctions SAT Checker unsatisfiable additional clause LAZY ENCODING

5. – 5 – Lazy Encoding Characteristics +Can be extended to handle wide variety of theories +Clean & modular design –Does not scale well Number of calls to conjunction checker typically exponential in formula size Each call independent: nothing learned in one call can be exploited by another First-order Conjunctions SAT Checker Uninterpreted Functions Linear Arithmetic Bit Vectors Theory N Theory Combiner

6. – 6 – Eager Encoding Characteristics –Must encode all information about domain properties into Boolean formula –Some properties can give exponential blowup +Lets SAT solver do all of the work Good Approach for Some Domains Modern SAT solvers have remarkable capacity Good at extracting relevant portions out of very large formulas Learns about formula properties as search proceeds  Focus of this talk Input Formula Boolean Formula satisfiable unsatisfiable Satisfiability-preserving Boolean Encoder SAT Solver

7. – 7 – x0x0 x1x1 x2x2 x n-1 Data and Function Abstraction ALUALU x  f  Bit-vectors to (unbounded) Integers Functional units to Uninterpreted Functions a = x  b = y  f(a,b) = f(x,y) Common Operations 1010 x y p ITE(p, x, y) If-then-else x y x = y = Test for equality

8. – 8 – Abstract Modeling of Microprocessor For any Block that Transforms or Evaluates Data: Replace with generic, unspecified function Also view instruction memory as function Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control F1F1 F2F2 F3F3

9. – 9 – EUF: Equality with Uninterp. Functs Decidable fragment of first order logic Formulas ( F ) Boolean Expressions  F, F 1  F 2, F 1  F 2 Boolean connectives T 1 = T 2 Equation P (T 1, …, T k ) Predicate application Terms ( T ) Integer Expressions ITE(F, T 1, T 2 ) If-then-else Fun (T 1, …, T k ) Function application Functions ( Fun ) Integer  Integer f Uninterpreted function symbol Read, Write Memory operations Predicates ( P ) Integer  Boolean p Uninterpreted predicate symbol

10. – 10 – EUF Decision Problem Circuit Representation of Formula Truth Values Dashed Lines Model Control Logical connectives Equations Integer Values Solid lines Model Data Uninterpreted functions If-Then-Else operationTask Determine whether formula F is universally valid True for all interpretations of variables and function symbols Often expressed as (un)satisfiability problem »Prove that formula  F is not satisfiable

11. – 11 – Finite Model Property for EUF Observation Any formula has limited number of distinct expressions Only property that matters is whether or not different terms are equal x0x0 d0d0 f (x0)f (x0) f (d0)f (d0)

12. – 12 – Boolean Encoding of Integer Values For Each Expression Either equal to or distinct from each preceding expression Boolean Encoding Use Boolean values to encode integers over small range EUF formula can be translated into propositional logic Logic circuit with multiplexors, comparators, logic gates Tautology iff original formula valid Expression Possible Values Bit Encoding x0x0{0}00 d0d0{0,1}0 b 10 f (x0)f (x0){0,1,2} b 21 b 20 f (d0)f (d0){0,1,2,3} b 31 b 30

13. – 13 – Some History of EUF Decision Procedures Ackermann, 1954 Quantifier-free decision problem can be decided based on finite instantiations Burch & Dill, CAV ‘94 Automatic decision procedure »Davis-Putnam enumeration »Congruence closure to enforce functional consistency Boolean approaches Goel, et al, CAV ‘98 »Attempted with BDDs, but didn’t get good results Bryant, German, Velev, CAV ‘99 »Could verify microprocessor using BDDs Velev & Bryant, DAC 2001 »Demonstrated power of modern SAT procedures

14. – 14 – Exploiting Positive Equality Bryant, German, Velev CAV ‘99 First successful use of Boolean methods for EUF Positive Equality Equations that appear in unnegated formExploiting Can greatly reduce number of cases required to show validity Only need to consider maximally diverse interpretations Reduce number of Boolean variables in bit-level encoding

15. – 15 – Diverse Interpretations: Illustration Task Verify someone’s obscure code for 4X4 array transpose void trans(int a[4][4]) { int t; for (t = 4; t < 15; t++) if (~t&2|| t&8 && ~t&1) { int r = t&0x3; int c = t>>2; int val = a[r][c]; a[r][c] = a[c][r]; a[c][r] = val; } Observation Array elements altered only by copying one to another Just need to make sure right set of copies performed Only operations on array elements

16. – 16 – Verifying Array Code Test for trans4 trans4 Single Test Adequate Unique value for each possible source element “Maximally Diverse” If dest[r][c] = src[c][r], then must have copied proper value src dest 0123 4567 891011 12131415 04812 15913 261014 371115

17. – 17 – Characteristics of Array Verification Correctness Condition src[0][0] = dest[0][0]  src[0][1] = dest[1][0]  src[0][2] = dest[2][0]  … …  src[3][2] = dest[2][3]  src[3][3] = dest[3][3] Properties All equations are in positive form Worst case test is one that tends to make things unequal I.e., maximally diverse interpretation All maximally diverse interpretations isomorphic Only need to try one to prove all handled correctly

18. – 18 – Equations in Processor Verification Data TypesEquations Register IdsControl stalling & forwarding Instruction AddressOnly top-level verification condition Program DataOnly top-level verification condition Reg. File IF/ID Instr Mem +4 PC ID/EX ALUALU EX/WB = = Rd Ra Rb Imm Op Adat Control

19. – 19 – Exploiting Equation Structure Positive Equations In top-level verification condition Can use maximally diverse interpretation Negative Equations PIpeline control logic Between register IDs Operation depends on whether or not two IDs are equal Must use general encoding Encode with Boolean variables All possibility of IDs that match and/or don’t match

20. – 20 – Application of Positive Equality Observation All equations are positive in this formula Can consider single, diverse interpretation for terms x0x0 d0d0 f (x0)f (x0)f (d0)f (d0) 5 678 0 1 01 5 6 56 77856 78 56 76 1

21. – 21 – ff vf 1 vf 2 Function Elimination: Ackermann’s Method Replace All Function Applications by Integer Variables Introduce new domain variable Enforce functional consistency by global constraints Unclear how to restrict evaluation to diverse interpretations x1x1 x2x2 F ==  

22. – 22 – fff x1x1 x2x2 x3x3 vf 1 vf 2 TFTF = = = TFTF vf 3 TFTF Function Elimination: ITE Method General Technique Introduce new domain variable Nested ITE structure maintains functional consistency

23. – 23 – fff x1x1 x2x2 x3x3 5 6 TFTF = = = TFTF 7 TFTF Generating Diverse Encoding Replacing Application Use fixed values rather than variables Application results equal iff arguments equal

24. – 24 – Benefits of Positive Equality Microprocessor Benchmarks 1xDLX: Single issue, RISC processor 2xDLX-EX-BP: Dual issue processor with exception handling & branch prediction 9VLIW-BP: 9-way VLIW processor with branch predictionMeasurements Using BerkMin SAT solver BenchmarkUsing Pos. Eq.No Pos. Eq 1xDLX buggy0.022 good0.07229 2xDLX-EX-BP buggy415 good15> 24hrs 9VLIW-BP buggy10> 24hrs good224> 24hrs

25. – 25 – Benefits of Positive Equality Microprocessor Benchmarks 1xDLX: Single issue, RISC processor 2xDLX-EX-BP: Dual issue processor with exception handling & branch prediction 9VLIW-BP: 9-way VLIW processor with branch predictionMeasurements Using BerkMin SAT solver BenchmarkUsing Pos. Eq.No Pos. Eq 1xDLX good0.022 buggy0.07229 2xDLX-EX-BP good415 buggy15> 24hrs 9VLIW-BP good10> 24hrs buggy224> 24hrs Velev & Bryant, JSC ‘02

26. – 26 – Revisiting Encoding Techniques Small Domain (SD) Use bit-level encodings of bounded integers Implicitly encode properties of equality logic Per-Constraint Encoding (EIJ) Introduce explicit Boolean variable for each equation Additional transitivity constraints to express properties of equality logic x = y  y = z  z  x  x 1 x 0  =  y 1 y 0    y 1 y 0  =  z 1 z 0    z 1 z 0    x 1 x 0  e xy  e yz   e xz Satisfiable? e yz  e zx  e xy  e xy  e yz  e xz  e xy  e xz  e yz  Transitivity Constraints

27. – 27 – Per-Constraint Encoding Introduced by Goel et al., CAV ‘98 Exploiting sparse structure by Bryant & Velev, CAV 2000Procedure Initial formula F Want to prove valid Prove that  F is not satisfiable Replace each equation x = y by Boolean variable e xy Gives formula F sat Generate formula expressing transitivity constraints Gives formula F trans Use SAT solver to show that F sat  F trans not satisfiableMotivation Provides SAT solver with more direct representation of underlying problem

28. – 28 – Graph Interpretation of Transitivity Transitivity Violation Cycle in graph Exactly one edge has e i,j = false  === = == =

29. – 29 – Exploiting Chords Chord Edge connecting two non- adjacent vertices in cycle Property Sufficient to enforce transitivity constraints for all chord-free cycles If transitivity holds for all chord-free cycles, then holds for arbitrary cycles   

30. – 30 – Enumerating Chord-Free Cycles Strategy Enumerate chord-free cycles in graph Each cycle of length k yields k transitivity constraints 1 2k Problem Potentially exponential number of chord-free cycles 2 k +k chord-free cycles

31. – 31 – Adding Chords Strategy Add edges to graph to reduce number of chord-free cycles 1 2k 2 k +k chord-free cycles 2k+1 chord-free cycles Trade-Off Reduces formula size Increases number of relational variables

32. – 32 – Chordal Graph Definition Every cycle of length > 3 has a chordGoal Add minimum number of edges to make graph chordal Relation to Sparse Gaussian Elimination Choose pivot ordering that minimizes fill-in NP-hard Simple heuristics effective

33. – 33 – 1xDLX-C Equation Structure Vertices For each v i 13 different register identifiersEdges For each equation Control stalling and forwarding logic 27 relational variables Out of 78 possible

34. – 34 – Adding Chordal Edges to 1xDLX-C Original 27 relational variables 286 cycles 858 clauses Augmented 33 relational variables 40 cycles 120 clauses

35. – 35 – 2DLX-CCt Equation Structure Equations Between 25 different register identifiers 143 relational variables Out of 300 possible

36. – 36 – Adding Chordal Edges to 2xDLX-CCt Original 143 relational variables 2,136 cycles 8,364 clauses Augmented 193 relational variables 858 cycles 2,574 clauses

37. – 37 – Choosing Encoding Method Comparison Formula length n with m integer variables & function applications Worst-case complexity Per-Constraint Encoding Works Well in Practice Generates slightly larger formulas than small domain Better performance by SAT solver Small DomainPer-Constraint Boolean Variables O(m log m)O(m 2 ) Formula SizeO(n + m 2 log m)O(n + m 3 )

38. – 38 – Encoding Comparison Benchmarks Superscalar, out-of-order datapath 2–6 instructions issued in parallelMeasurements Using BerkMin SAT solver Issue Width Per-ConstraintSmall Domain VarsClausesTimeVarsClausesTime 21398,2131.6811,2941.7 330833,270151273,78019 455396,480651948,36299 5857240,89215424915,647255 61,243528,9621,95730426,7383,206 Velev & Bryant, JSC ‘02