Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM-HRL.


Weizmann Institute  Basic theory of Bounded Model Checking (BMC)  SAT highlights  Tuning SAT checkers for BMC  Results

The Bounded Model Checking Problem: Safety
Given a safety property AG p, we check whether there is a state reachable within k cycles which satisfies ¬p.
[Figure: a path s_0, s_1, s_2, ..., s_{k-1}, s_k, each state labelled p or ¬p]
(Biere, Cimatti, Clarke, Zhu, 1999)

Reducing the BMC problem to SAT: p is preserved up to cycle k iff φ is unsatisfiable:
[Figure: the path s_0, s_1, s_2, ..., s_{k-1}, s_k with p / ¬p labels; the formula φ itself was not extracted]

Example: a two-bit counter, p = AG ¬(l ∧ r).
For k = 2, φ is unsatisfiable. For k = 4, φ is satisfiable.

Why SAT?
- Smart DFS search: potentially reaches a satisfying sequence (a counterexample) faster.
- No exponential space growth.
"Satisfiability checking is a 'luck-based technology'"

Results (sec.)
[Table not extracted; * = exceeds 10,000 sec.]

Tuning SAT for BMC (1/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state space.
3. Restrict Decide() to a small set of variables.

Clustered dependency graphs
A (CNF) dependency graph D(V, E) and a partitioning C_1..C_n of V [definitions not extracted].
A clustered dependency graph D'(V', E'): if u ∈ C_i, v ∈ C_j and (u, v) ∈ E then (C_i, C_j) ∈ E'.
Claim: for AG p there exists a partition C_0..C_k such that for all i ≠ j, if (C_i, C_j) ∈ E' then |i − j| = 1.
[Figure: clusters C_0, C_1, C_2, ..., C_{k-1}, C_k over the variable sets V_0, ..., V_k, linked in a chain]

The Davis-Putnam procedure
Given φ in CNF (clauses written as literal lists): (x, y, z), (¬x, y), (¬y, z), (¬x, ¬y, ¬z).
The loop: Decide() picks a variable and a value; Deduce() propagates the consequences (unit clauses); Diagnose() analyses a conflict and backtracks.
[Figure: the search tree for φ, with conflicting leaves marked × and one satisfying leaf]

Decide() criteria: on which variable to split?
- the one that satisfies the most clauses (DLIS)
- the one that satisfies the shortest clause
- one that appears only positive or only negative ('pure literal rule')
- the most frequent one
- ...

The local effect of assignments
1. A 'chain reaction' in neighbouring variables, due to:
   (1) unit clauses in Deduce() (strong): with the clause (x, y), x = F forces y = T;
   (2) the decision criteria in Decide() (weak): with (x, y, z)(x, y, u), after x = F the choice y = T satisfies two clauses.
2. AG p: each clause in φ contains variables from at most 2 cycles.

Clashing clouds
With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously.
[Figure: the unfolding from I_0 to ¬P_k with separately satisfied 'clouds' of variables that clash where they meet]

General-purpose vs. tailor-made Decide() strategies
φ: ... ∧ (x_5 = (y_4 ∨ z_5 ∨ u_4)) ∧ ...
General purpose: x_5 = T, y_4 = F, z_5 = F, u_4 = T, then backtrack.
Tailor made: use φ's structure to resolve conflicts on a more local level.
[Figure: the same assignment under both strategies, each with its backtrack arrow]

A head-on attack
- Riding on legal executions: the assignment should satisfy I_0 first, i.e. decide from I_0 forward.
- Riding on unreachable states: the assignment should satisfy ¬P_k first, i.e. decide from ¬P_k backward.
[Figure: the unfolding from I_0 to P_k, attacked from either end]

A combined heuristic
Trigger BFS with [not extracted].
[Figure: the unfolding from I_0 to P_k]

Given an order, guess a value
- Dynamic decision
- Constant value
- Previous value
- 'Flat' computation
[Figure: 'flat' computation, e.g. x_5 = 0, x_7 = ?, x_9 = 0; previous value, e.g. x_2 = 1, y_7 = 0, z_2 = 0, y_3 = 1 followed by x_2 = 0, y_7 = 0, z_2 = 0, y_3 = 1]

Tuning SAT for BMC (2/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state space.
3. Restrict Decide() to a small set of variables.

Weizmann Institute  ’s structure can be used for adding conflicting clauses. If x 3 =T, y 7 = F, z 5 = T leads to a conflict, then   (  x 3  y 7   z 5 ) is satisfiable iff  is satisfiable. The new clause can be seen as a constraint on the search-space conflicting clauses: Exploiting  ’s structure in AGp formulas

Exploiting φ's structure in AG p formulas
If x_3 = T, y_7 = F, z_5 = T leads to a conflict, then so will x_2 = T, y_6 = F, z_4 = T.
Therefore, we can also add:
(¬x_2 ∨ y_6 ∨ ¬z_4) ∧ (¬x_1 ∨ y_5 ∨ ¬z_3) ∧ (¬x_0 ∨ y_4 ∨ ¬z_2)
and (¬x_4 ∨ y_8 ∨ ¬z_6) ∧ ... ∧ (¬x_{k-4} ∨ y_k ∨ ¬z_{k-2}).
Yet φ is not fully symmetric because of I_0. We first have to check, by simulating an assignment, whether the replicated clause indeed leads to a conflict.
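The following Python program is an added example tying together four slides above: the reduction of the two-bit counter to SAT (k = 2 unsatisfiable, k = 4 satisfiable), the Davis-Putnam loop Decide()/Deduce()/Diagnose(), restricting Decide() to the model variables, and the replication of a conflict clause through the time frames with the simulation check. It is not code from the original talk. The counter's transition relation (l' = l xor r, r' = ¬r from 00), the Tseitin variables a_i that name "l_i ∧ r_i", the learned clause (¬l_1 ∨ ¬r_1) and all function names are assumptions made for this example.

```python
"""Added example for the BMC slides; not code from the original talk.

Builds phi_k for the two-bit counter as CNF, decides it with a small
Davis-Putnam loop (Decide / Deduce / Diagnose) whose Decide() is restricted
to the model variables l_i, r_i, and replicates a conflict clause through
the time frames with the simulation check the slides ask for. The counter's
transition relation, the Tseitin variables a_i and all names are assumptions.
"""


def lit(name, frame, positive=True):
    """A literal of the timed variable name_frame; lit("l", 3, False) is !l_3."""
    return (name, frame, positive)


def negate(literal):
    name, frame, positive = literal
    return (name, frame, not positive)


def bmc_formula(k):
    """phi_k = I(s0) & T(s0,s1) & ... & T(s_{k-1},s_k) & OR_{i<=k} bad(s_i), as clauses.

    Assumed system: I = !l & !r; T: l' <-> (l xor r), r' <-> !r (counts 00,01,10,11,00,...).
    bad(s_i) = l_i & r_i is named by the Tseitin variable a_i so the big OR is one clause.
    """
    clauses = [[lit("l", 0, False)], [lit("r", 0, False)]]                     # I(s0)
    for i in range(k):
        l, r, ln, rn = lit("l", i), lit("r", i), lit("l", i + 1), lit("r", i + 1)
        clauses += [[negate(rn), negate(r)], [rn, r]]                          # r' <-> !r
        clauses += [[negate(ln), l, r], [negate(ln), negate(l), negate(r)],
                    [ln, negate(l), r], [ln, l, negate(r)]]                    # l' <-> l xor r
    for i in range(k + 1):
        a, l, r = lit("a", i), lit("l", i), lit("r", i)
        clauses += [[negate(a), l], [negate(a), r], [a, negate(l), negate(r)]]  # a_i <-> l_i & r_i
    clauses.append([lit("a", i) for i in range(k + 1)])                         # p fails in some cycle
    return clauses


def deduce(clauses, assign):
    """Deduce(): unit propagation to a fixpoint. Mutates assign; returns False on a conflict."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            free, satisfied = [], False
            for name, frame, positive in clause:
                value = assign.get((name, frame))
                if value is None:
                    free.append((name, frame, positive))
                elif value == positive:
                    satisfied = True
                    break
            if satisfied:
                continue
            if not free:
                return False                        # every literal is false: conflict
            if len(free) == 1:                      # unit clause: the 'strong' chain reaction
                name, frame, positive = free[0]
                assign[(name, frame)] = positive
                changed = True
    return True


def dpll(clauses, decide_vars, assign=None):
    """Davis-Putnam search with chronological backtracking (Diagnose() is a plain undo).

    Decide() picks only from decide_vars, in the given (time-frame) order; everything
    else is left to Deduce(). Returns a total assignment, or None if unsatisfiable.
    """
    assign = dict(assign or {})
    if not deduce(clauses, assign):
        return None
    free = [v for v in decide_vars if v not in assign]
    if not free:  # decision variables exhausted: decide on anything Deduce() left open
        free = [v for v in sorted({(n, f) for c in clauses for n, f, _ in c}) if v not in assign]
    if not free:
        return assign                               # no conflict, nothing free: phi satisfied
    variable = free[0]                              # Decide(): earliest frame first
    for value in (False, True):
        result = dpll(clauses, decide_vars, {**assign, variable: value})
        if result is not None:
            return result
    return None


def bmc_check(k):
    """Counterexample trace [(l_0,r_0), ..., (l_k,r_k)] if phi_k is satisfiable, else None."""
    model_vars = [(name, i) for i in range(k + 1) for name in ("l", "r")]  # the 'model variables'
    model = dpll(bmc_formula(k), model_vars)
    if model is None:
        return None
    return [(int(model[("l", i)]), int(model[("r", i)])) for i in range(k + 1)]


def replicate_conflict_clause(clauses, clause, k):
    """Shift a learned conflict clause through frames 0..k, keeping only verified replicas.

    phi is not symmetric under shifting because of I(s0), so a replica is kept only if
    simulating the assignment that falsifies it (its negated literals) under Deduce()
    really yields a conflict, i.e. the replica is implied by phi. Returns {shift: replica}.
    """
    frames = [frame for _, frame, _ in clause]
    accepted = {}
    for d in range(-min(frames), k - max(frames) + 1):
        if d == 0:
            continue
        replica = [(name, frame + d, positive) for name, frame, positive in clause]
        trial = {(name, frame): not positive for name, frame, positive in replica}
        if not deduce(clauses, trial):
            accepted[d] = replica
    return accepted


if __name__ == "__main__":
    for k in (2, 4):
        print(f"k={k}:", bmc_check(k) or "phi unsatisfiable: AG !(l & r) holds up to cycle k")
    learned = [lit("l", 1, False), lit("r", 1, False)]  # assume l_1=T, r_1=T led to a conflict
    for d, replica in sorted(replicate_conflict_clause(bmc_formula(4), learned, 4).items()):
        print(f"shift {d:+d}: {replica}")
```

Running it reports k = 2 unsatisfiable and, for k = 4, the trace 00, 01, 10, 11, 00 with the violation in cycle 3. The replication check keeps the shifts −1, +1 and +3 of (¬l_1 ∨ ¬r_1) and drops +2, because in frame 3 the counter really is at 11, so the assignment l_3 = T, r_3 = T does not conflict with φ; this is exactly the asymmetry introduced by I_0 that the slide warns about. Since Decide() only ranges over l_i and r_i, every a_i is fixed by Deduce(), which is the "fewer variables to Decide(), more to Deduce()" trade-off of the third tuning step.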

Tuning SAT for BMC (3/3)
1. Use the variable dependency graph for smarter orderings.
2. Exploit information on φ's structure to restrict the state space.
3. Restrict Decide() to a small set of variables.

Restricting Decide()
Restricting Decide() to a smaller set of variables Φ that uniquely determines the satisfiability of φ:
- Model variables (~15% of φ's variables)
- Input variables (~5% of φ's variables)
Fewer variables to Decide() implies more variables to Deduce().

The Conclusion
Many of the (BDD-)hard cases can be solved more efficiently with the optimized SAT procedure.

The Bounded Model Checking Problem: Liveness
Given a liveness property p (e.g. AG AF p: "always, eventually signal_a = signal_b"), is there a loop within the first k cycles none of whose states satisfies p?
[Figure: a path s_0, s_1, s_2, ..., s_{k-1}, s_k, every state labelled ¬p]

Traditional Model Checking with BDDs
The reachable state space is represented by a BDD (we stop 'adding' cycles when a fixpoint is reached).
The property is evaluated recursively, by iterative fixpoint computations on the state space.
The size of the BDD is typically the bottleneck of model checking.

Reducing the BMC problem to SAT (3/3): for liveness properties, add a disjunction of possible loops:
[Figure: the path s_0, s_1, s_2, ..., s_{k-1}, s_k, every state labelled ¬p; the loop formula itself was not extracted]

How big should k be?
1. The diameter d: for all reachable states s, t such that t is reachable from s, there exists a path from s to t with at most d − 1 intermediate states.
2. The recurrence diameter rd: the least number r such that at most r consecutive states in any path are all different.
rd is an upper bound for d that can be expressed as a propositional formula: [formula not extracted]

The '-diameter' flag in BMC: if [formula not extracted] is unsatisfiable, then k ≥ rd, and therefore k ≥ rd ≥ d, so the bound k covers every reachable state.

[Figure: the dependency graph of a general SAT instance next to that of an AG p instance, whose variables fall into k chained groups]

Bounded cone of influence
[Figure: variables v, u, z, y, x over frames 0..5 of the unfolding up to K]
u_2–u_5, z_5 and y_4–y_5 are not used.

Bounded cone of influence has bounded effect
[Figure: fraction of removable variables against K]
The portion of variables that B-COI can remove decreases as K increases.

Reducing the BMC problem to SAT (1/3):
The reachable states in k steps are captured by: [formula not extracted]
The property p fails in one of the cycles 1..k: [formula not extracted]

A k-unfolding of the variable dependency graph
[Figure: the variable sets V_0, V_1, ..., V_{k-1}, V_k of the unfolding, chained from 1 to K]
