Simultaneous Satisfiability: SSAT, ISSAT and Applications. Emilia Katz, Intel, 07/10/18. (*) Many slides are borrowed from Alex Nadel and Zurab Khasidashvili.
Agenda • Problem statement • Simultaneous Satisfiability (aka SSAT) [KNPH HVC’ 05] • Implicative Simultaneous Satisfiability [KN HVC’ 11] • ISSAT as an extension of SSAT • Applications (BMC, Induction, Invariant strengthening)
Problem Statement • Given: • One CNF instance, or several related CNF instances • Several properties (Proof Objectives, POs) • Goal: • An efficient way to verify the properties • In terms of SAT: for each property p, decide whether the instance is satisfiable under the assumption ¬p (a model is a counterexample to p; UNSAT means p holds in every model of the instance) • Previous way: Incremental SAT • New way: Simultaneous SAT
Previous Approach: Incremental SAT (two SAT-solver invocations, with learned clauses reused between them) • Translate C1 to CNF formula F • Solve F under the assumption ¬p1 • Update F with the clause projection of C2 • Optionally, remove the clause projection of C1 \ C2 and the learned clauses that depend on it • Solve F under the assumption ¬p2 • What if there is only one C, with many POs on it?
SSAT Approach (one SAT-solver invocation) • Translate both C1 and C2 to CNF formula F • Find the status of both p1 and p2 in the same invocation of the SAT solver • The same applies when there is only one C with several POs • Why is it better than checking p1 and p2 one at a time?
SSAT: the Algorithm Interface • Input: • A combinational formula F (in CNF) • A list of proof objectives (POs) p1, p2, …, pn • Output: each pi is either • falsifiable: a model of F with pi = 0 exists (F ∧ ¬pi is SAT) • valid: pi always holds given F (F ∧ ¬pi is UNSAT)
SSAT pseudo algorithm (walk-through of the animation; legend: Unknown, CWPO = currently watched PO, Falsified, Valid) • Start: PO1, PO2, PO3, PO4 are all Unknown • PO1 becomes the CWPO and is decided to 0 (¬PO1) • BCP finds the unit clause PO4, so PO4 is marked Valid without any search • The search reaches the model {¬PO1, ¬PO2, PO3, PO4, …}: while working on PO1 we resolved PO2 as well, since both are 0 in the model; PO1 and PO2 are Falsified and a SAT-solver call is saved • PO3 becomes the CWPO and is decided to 0 (¬PO3) • The search under ¬PO3 ends in UNSAT, so PO3 is Valid
SSAT important features: The “all watched” principle • When the search is oriented to resolve the currently watched PO (CWPO), we may falsify or prove other POs as well: every PO that is 0 in a model is falsified by it, and every PO forced to 1 by the learned clauses is valid
SSAT important features: The “one traversal” principle • In SSAT, the search is organized so that in one (partial) traversal we resolve all the POs; we never revisit the same sub-space again • For example, we will never rediscover the same model (SAT assignment) of CNF C • This is guaranteed by the fact that the CWPO was true in all previous models, so every model found so far falsified the CWPO of that time and is excluded now • The conflict clauses prevent the search from re-entering the explored space • It is safe, however, to use restarts
How to Boost SSAT? • Take further advantage of reasoning about all the POs at once • Pick all the POs as decision variables and assign them 0 • Fairness: rotate unsolved POs • Set an internal time threshold for an attempt to solve one PO • When the threshold expires: • Move the unsolved PO to the end of unsolved POs list • Switch to another PO
Advantages of SSAT over Incremental SAT • Looks at all the properties at once • One solution can falsify more than one property • May find conflict clauses (lemmas) relevant for solving many POs • Full incrementality is a side effect of SSAT
Implicative SSAT
ISSAT: the Algorithm Interface (e.g., FEV instances, i.e. formal equivalence verification of two circuits) • Input: • A combinational formula F (in CNF) • A list of implicative POs, i.e. candidate equivalences: p1 = x1↔y1, p2 = x2↔y2, …, pn = xn↔yn • Output: each pi is either • falsifiable: a model of F with pi = 0 exists (F ∧ ¬pi is SAT) • valid: pi always holds given F (F ∧ ¬pi is UNSAT)
ISSAT Motivation • A special case of SSAT? Yes, but: • Translating a PO p = (x ↔ y) into CNF takes 4 clauses • With tens of thousands of candidate equivalences, the extra clauses may cause a significant overhead for the SAT solver • In ISSAT, candidate equivalences are not translated into CNF; instead, they are resolved as part of the SAT search, thanks to a special “how-to-restart” heuristic
ISSAT pseudo algorithm (walk-through of the animation; legend: Unknown, CWPO, Falsified, Valid) • PO1 = x1↔y1 and PO2 = x2↔y2 are kept as the implications x1→y1, y1→x1, x2→y2, y2→x2; none of them is added to the CNF • x1→y1 is the CWPO: the solver decides x1 = 1 and then y1 = 0 (BCP is implicit after each decision) • A learned unit clause x2 appears on the way, which already settles the antecedent of x2→y2 • The search reaches the model {x1, ¬y1, x2, ¬y2, …}: x1→y1 is falsified and, as a by-product, x2→y2 is falsified too, since x2 = 1 and y2 = 0 in the same model • Next the solver attacks y1→x1 by deciding y1 = 1 and then x1 = 0; this ends in UNSAT, so y1→x1 is Valid
ISSAT Main Principles • ISSAT can be seen as a search heuristic aiming at systematically learning binary clauses • Candidate equivalences are not translated into CNF, but resolved as part of the SAT search, thanks to a fair “how-to-restart” heuristic • The “all watched” and “one traversal” principles of SSAT remain valid for ISSAT • PO rotation remains useful
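The SSAT loop (interface, walk-through and the “all watched” principle) and the ISSAT treatment of candidate equivalences, as an added example that is not part of the slides or of Intel's solver: a minimal DPLL solver with an SSAT driver, a naive one-call-per-PO incremental baseline, and an ISSAT driver that keeps each candidate equivalence as two implications outside the CNF. The inputs F_SLIDE and CIRCUIT are constructed here to reproduce the slides' pictures. The solver has no clause learning, so the “one traversal” guarantee of a CDCL-based SSAT is not reproduced; only the PO bookkeeping on top of the search is.

```python
# Added example, not from the slides: a minimal DPLL solver with SSAT and
# ISSAT drivers.  Literals are non-zero ints; a negative int is a negation.

def propagate(clauses, assignment):
    """Unit propagation (BCP): the extended assignment, or None on conflict."""
    assignment, changed = dict(assignment), True
    while changed:
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                                    # clause satisfied
            unassigned = [l for l in clause if abs(l) not in assignment]
            if not unassigned:
                return None                                 # all literals false
            if len(unassigned) == 1:                        # unit: force it
                assignment[abs(unassigned[0])] = unassigned[0] > 0
                changed = True
    return assignment

def dpll(clauses, assignment, prefer=()):
    """A full model extending `assignment`, or None.  Variables in `prefer` are
    decided first and tried as 0 first (the SSAT heuristic for unresolved POs)."""
    assignment = propagate(clauses, assignment)
    if assignment is None:
        return None
    variables = {abs(lit) for clause in clauses for lit in clause}
    free = [v for v in list(prefer) + sorted(variables) if v not in assignment]
    if not free:
        return assignment
    for value in (False, True):
        model = dpll(clauses, {**assignment, free[0]: value}, prefer)
        if model is not None:
            return model
    return None

def incremental(clauses, pos):
    """Baseline: one solver call per PO, nothing shared between the calls."""
    status, calls = {}, 0
    for p in pos:
        calls += 1
        status[p] = "valid" if dpll(clauses, {p: False}) is None else "falsified"
    return status, calls

def ssat(clauses, pos):
    """Simultaneous SAT: resolve every PO, reusing each model for all of them."""
    status, calls = {}, 0
    top = propagate(clauses, {})
    if top is None:
        raise ValueError("F is UNSAT, every PO holds vacuously")
    for p in pos:                      # POs forced by top-level BCP
        if top.get(p) is True:         # (the "unit clause PO4" case)
            status[p] = "valid"
    unresolved = [p for p in pos if p not in status]
    while unresolved:
        cwpo = unresolved[0]           # currently watched PO, decided to 0
        calls += 1
        model = dpll(clauses, {cwpo: False}, prefer=unresolved)
        if model is None:
            status[cwpo] = "valid"     # F & !cwpo is UNSAT
        else:                          # all watched: every PO that is 0 in
            for q in unresolved:       # this model is falsified by it
                if model.get(q) is False:
                    status[q] = "falsified"
        unresolved = [p for p in unresolved if p not in status]
    return status, calls

def issat(clauses, pairs):
    """Implicative SSAT: a candidate equivalence x<->y is never encoded in CNF;
    it is kept as x->y and y->x, and x->y is attacked by deciding x=1, y=0."""
    unresolved = [(x, y) for x, y in pairs] + [(y, x) for x, y in pairs]
    status, calls = {}, 0
    while unresolved:
        x, y = unresolved[0]
        calls += 1
        model = dpll(clauses, {x: True, y: False}, [v for i in unresolved for v in i])
        if model is None:
            status[(x, y)] = "valid"
        else:                          # by-product: any other implication with
            for a, b in unresolved:    # antecedent 1 and consequent 0 in this
                if model.get(a) is True and model.get(b) is False:   # model
                    status[(a, b)] = "falsified"
        unresolved = [i for i in unresolved if i not in status]
    return {(x, y): "valid" if status[(x, y)] == status[(y, x)] == "valid"
            else "falsified" for x, y in pairs}, calls

# Constructed inputs (not from the slides).  F_SLIDE mirrors the 4-PO picture:
# PO4 is a unit clause, PO2 implies PO1, PO3 follows from the rest of F.
F_SLIDE = [[4], [5, 3], [-5, 3], [1, -2]]
# CIRCUIT: Tseitin clauses for a=1, b=2, x1=a&b (3), y1=b&a (4), x2=a|b (5),
# y2=a&!b (6); candidate equivalences x1<->y1 (valid), x2<->y2 and a<->b (not).
CIRCUIT = [[-3, 1], [-3, 2], [-1, -2, 3], [-4, 2], [-4, 1], [-1, -2, 4],
           [-5, 1, 2], [-1, 5], [-2, 5], [-6, 1], [-6, -2], [-1, 2, 6]]
```

ssat(F_SLIDE, [1, 2, 3, 4]) needs 2 solver calls against 4 for incremental(): PO4 falls out of top-level BCP, the first model falsifies PO1 and PO2 together, and the call under ¬PO3 is UNSAT. issat(CIRCUIT, [(3, 4), (5, 6), (1, 2)]) resolves the six implications in 5 calls, because the model that breaks x2→y2 (a = 0, b = 1) also breaks b→a.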
SSAT and ISSAT Applications to Safety Properties Verification: BMC, Induction, Learning lemmas (aka invariant strengthening)
Applications to BMC
Preliminaries: BMC • Given: a transition system M = (V, I, Tr); a property P; a depth k • Does M have a counterexample of length k for P, i.e. a path <s0, …, sk> with P(s0) ∧ … ∧ P(sk-1) ∧ ¬P(sk)? • As a SAT query: I(s0) ∧ Tr(s0, s1) ∧ … ∧ Tr(sk-1, sk) ∧ ¬P(sk) (the picture shows the initial states I and the reachable-state rings R1, R2, …, Rk-1 around them)
BMC for single property [Biere et al 1999] • base(P, k) = I(s0) ∧ path(s0, …, sk) ∧ P(s0) ∧ … ∧ P(sk-1) ∧ ¬P(sk) • path(s0, …, sk) = Tr(s0, s1) ∧ … ∧ Tr(sk-1, sk) • base(P, k) SAT: done, the model is a bug (a counterexample of length k) • base(P, k) UNSAT: increase k and repeat
BMC with intervals [Fraer et al 2002] • base(P, k, m) = I(s0) ∧ path(s0, …, sk+m-1) ∧ P(s0) ∧ … ∧ P(sk-1) ∧ (¬P(sk) ∨ … ∨ ¬P(sk+m-1)) • SAT: done, a bug somewhere in the window [k, k+m-1] • UNSAT: move to the next window [k+m, k+2m-1]
In-depth BMC, using SSAT/ISSAT • The window [k, k+m-1] is checked in one SSAT/ISSAT call with one PO per bound: P(sk) for bound k, P(sk+1) for bound k+1, …, P(sk+m-1) for bound k+m-1 • Unlike the single disjunction ¬P(sk) ∨ … ∨ ¬P(sk+m-1), every bound is resolved separately within the same search, so the shallowest failing bound is known and one model can falsify several bounds at once
Applications to Induction
Induction for property P [Sheeran et al 2000]
induction(P) {
  k = some constant ≥ 0;
  while (true) {
    if SAT(BASE(P, k)) return Trace;    // report falsified property
    if UNSAT(STEP(P, k)) return True;   // report proven property
    k++;
  }
}
BASE(P, k) = BMC(P, k)
STEP(P, k) = loopFree(k+1) ∧ P(s0) ∧ … ∧ P(sk) ∧ ¬P(sk+1)
Induction step for single property [Sheeran et al 2000] • step(P, k) = loopFree(k+1) ∧ P(s0) ∧ … ∧ P(sk) ∧ ¬P(sk+1) • loopFree(k) = path(s0, …, sk) 
∧ ∧_{0 ≤ i < j ≤ k} (si ≠ sj) • step(P, k) UNSAT: done, P is proven • step(P, k) SAT: increase k and continue with the base check
Induction for Multiple Properties
induction(POs) {
  k = some constant ≥ 0;
  while (true) {
    (UnresPOs, FalsePOs) = BASE_ALG(POs, k);          // SSAT/ISSAT: verify all the POs at all the bounds 0..k; report falsified properties
    if (UnresPOs != ∅)
      (UnresPOs, TruePOs) = STEP_ALG(UnresPOs, k);    // SSAT/ISSAT: verify all the POs at bound k+1; report proven properties
    if (UnresPOs == ∅) break;
    POs = UnresPOs;
    k++;
  }
}
Base with ISSAT (bound k) • Call ISSAT with the unrolled circuit Ck and the PO pairs (xi(sk), yi(sk)), i = 1..6, where Pi(sk) = xi(sk) ↔ yi(sk) • Same for SSAT, but the POs are single properties, not pairs • Outcome per PO: either FALSE at depth k (falsified, reported with its trace) or TRUE till depth k (still unresolved, passed on to the step check)
Step with SSAT/ISSAT (bound k) • One call with a step PO per unresolved property: step+(C, k, i) for Pi, i = 1..6; a PO shown valid is proven, a falsified one stays unresolved
Step with ISSAT (bound k) • Further optimization: each step property is presented as an implication, step*(C, k, i), from Pi holding on s0, …, sk to Pi holding on sk+1, which is exactly the implicative PO form the ISSAT engine consumes without adding clauses to the CNF
ISSAT Application to Invariant Strengthening: ISSAT-based induction with invariant strengthening
Invariant strengthening [van Eijk’98, Bjesse & Claessen’00] • Goal: find EQ classes over variables in the instance • E.g., in FEV, find EQ classes of signals in the two compared circuits • If completed, this would resolve the FEV problem (compare the EQ classes of the circuit outputs) • Means: an induction-like method, a monotonic approximation (classes are only ever refined)
Invariant strengthening [van Eijk’98, Bjesse & Claessen’00]: candidate EQ classes • Bound 0: over the initial states <s00, …, s0n0>, all literals v whose value vectors <s00(v), …, s0n0(v)> agree form one candidate EQ class; the vectors range over <0, 0, …, 0, 0>, <0, 0, …, 0, 1>, …, <1, 1, …, 1, 1> • Bound 1: refine the candidate classes with the states of R1, <s10, …, s1n1> • … • Bound k: refine with <sk0, …, sknk>; a class can only split as the bound grows, never merge
Induction with invariant strengthening for property P [van Eijk’98, Bjesse & Claessen’00]
induction_invariant_strengthening(P, max_depth) {
  // a candidate invariant is P itself or the correctness statement of some EQ class
  k = 0;
  POs = create_candidate_invariants();              // where P ∈ POs
  while (k ≤ max_depth) {
    (UnresPOs, FalsePOs) = BASE_ALG(POs, k);        // report falsified properties
    if (UnresPOs != ∅)
      (UnresPOs, TruePOs) = STEP_ALG(UnresPOs, k);  // report proven properties
    if (UnresPOs == ∅) break;
    POs = UnresPOs;
    k++;
  }
}
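The base/step loop for several POs (the induction slides), the in-depth BMC window, and the candidate EQ classes of invariant strengthening, as an added example that is not part of the slides: the SAT solver is replaced by exhaustive enumeration of the paths of a constructed toy transition system (a 2-bit counter c, delayed copies d and e, a sticky flag f, and a redundant register g that duplicates d), which is feasible only because the system has 512 states. The PO names, the bit-level signals and the per-PO implication form of the step check are assumptions of this example.

```python
# Added example, not from the slides: multi-PO induction (BASE then STEP per
# bound), the BMC window, and candidate EQ classes for invariant strengthening
# on a constructed toy transition system.  Exhaustive path enumeration stands
# in for the SAT solver; that is an illustration assumption, not the method.
from itertools import product

# State (c, d, e, f, g): 2-bit counter c, d = previous c, e = previous d,
# sticky flag f (set once c has been 3), g = a redundant copy of d.
INIT = (0, 0, 0, False, 0)
STATES = list(product(range(4), range(4), range(4), (False, True), range(4)))

def step_fn(s, en):                       # Tr(s, s') for the input bit en
    c, d, e, f, g = s
    return ((c + 1) % 4 if en else c, c, d, f or c == 3, c)

POS = {                                   # proof objectives: name -> predicate
    "P1: c != 3": lambda s: s[0] != 3,                                  # bug at depth 3
    "P2: not f": lambda s: not s[3],                                    # bug at depth 4
    "P3: not(e==0 and c==3)": lambda s: not (s[2] == 0 and s[0] == 3),  # 1-inductive
    "P4: not(d==0 and c==2)": lambda s: not (s[1] == 0 and s[0] == 2),  # 0-inductive
}

def paths(starts, length):
    """Every path s0..s_length from the start states, one per input sequence."""
    for s0 in starts:
        for inputs in product((0, 1), repeat=length):
            path = [s0]
            for en in inputs:
                path.append(step_fn(path[-1], en))
            yield path

def base_window(pos, k, m):
    """base(P, k, m) for all POs at once: one traversal of the initial paths of
    length k+m-1 resolves every PO P_i(s_j), k <= j < k+m ("all watched").
    Returns the shallowest failing depth of each falsified PO."""
    failing = {}
    for path in paths([INIT], k + m - 1):
        for name, p in pos.items():
            for j in range(k, k + m):
                if not p(path[j]) and j < failing.get(name, k + m):
                    failing[name] = j
    return failing

def step_check(pos, k):
    """step*(C, k, i) for all POs in one traversal: the implication
    P_i(s0) & ... & P_i(sk) -> P_i(s_{k+1}) over loop-free paths from any
    state.  Returns the names of the POs that are not k-inductive."""
    not_inductive = set()
    for path in paths(STATES, k + 1):
        if len(set(path)) == len(path):                 # loopFree(k+1)
            for name, p in pos.items():
                if all(p(s) for s in path[:-1]) and not p(path[-1]):
                    not_inductive.add(name)
    return not_inductive

def induction(pos, max_depth):
    """The multi-PO loop of the slides: BASE, drop falsified; STEP, drop proven."""
    result, pos, k = {}, dict(pos), 0
    while pos and k <= max_depth:
        for name, depth in base_window(pos, k, 1).items():
            result[name] = ("falsified", depth)
        pos = {n: p for n, p in pos.items() if n not in result}
        still_open = step_check(pos, k)
        for name in pos:
            if name not in still_open:
                result[name] = ("proven", k)
        pos = {n: p for n, p in pos.items() if n in still_open}
        k += 1
    return result

# Invariant strengthening seed (van Eijk style): bit-level signals that agree
# on every state reachable within k steps form one candidate EQ class; deeper
# bounds can only split classes (the monotonic approximation of the slides).
SIGNALS = {"c0": lambda s: s[0] & 1, "c1": lambda s: s[0] >> 1,
           "d0": lambda s: s[1] & 1, "d1": lambda s: s[1] >> 1,
           "e0": lambda s: s[2] & 1, "e1": lambda s: s[2] >> 1,
           "f": lambda s: int(s[3]),
           "g0": lambda s: s[4] & 1, "g1": lambda s: s[4] >> 1}

def candidate_equivalences(k):
    reach = sorted({s for path in paths([INIT], k) for s in path})
    by_trace = {}
    for name, sig in SIGNALS.items():
        by_trace.setdefault(tuple(sig(s) for s in reach), []).append(name)
    return [sorted(cls) for cls in by_trace.values() if len(cls) > 1]

def equivalence_pos(classes):
    """Candidate invariants 'a == b' of each class member against its representative."""
    return {f"{rep} == {other}": (lambda s, a=rep, b=other: SIGNALS[a](s) == SIGNALS[b](s))
            for cls in classes for rep, other in zip([cls[0]] * len(cls), cls[1:])}

if __name__ == "__main__":
    print(induction(POS, 6))
    print(candidate_equivalences(4), induction(equivalence_pos(candidate_equivalences(4)), 6))
```

induction(POS, 6) reports P4 proven at k = 0, P3 at k = 1, P1 falsified at depth 3 and P2 at depth 4, and base_window(POS, 2, 3) resolves the whole window [2, 4] in one pass. candidate_equivalences(0) puts all nine signals into one class; refining with the states reachable within 4 steps leaves only {d0, g0} and {d1, g1}, and both surviving candidates are 0-inductive, while a candidate from the bound-1 classes such as c1 == d0 is falsified at depth 2. Each step PO assumes only its own property on the prefix, so the proof of a surviving PO does not depend on a co-candidate that is falsified later.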
Experimental Results Summary • SSAT BMC and SSAT induction outperformed the competitors at the time of publication • ISSAT BMC: reaches deeper bounds on unresolved instances; on resolved instances its run time is beaten by ABC BMC3 • ISSAT invariant strengthening followed by another strategy: ISSAT followed by interpolation was the best combination
Conclusions • We have seen: • Simultaneous SAT algorithm • Implicative Simultaneous SAT algorithm • Their applications in model checking: • BMC • Induction • Invariant strengthening • Experimental results show that ISSAT integration within BMC helps BMC to reach higher bounds, and its integration in invariant strengthening strategies allows proving more properties and faster • SSAT, ISSAT have been used successfully in several different applications at Intel
THANK YOU!
BACKUP
References 1. Z. Khasidashvili, A. Nadel. Implicative Simultaneous Satisfiability and Applications. HVC 2011. 2. Z. Khasidashvili, A. Nadel, A. Palti, Z. Hanna. Simultaneous SAT-based model checking of safety properties. HVC 2005. 3. M. Sheeran, S. Singh, G. Stålmarck. Checking safety properties using induction and a SAT solver. FMCAD 2000. 4. C. A. J. van Eijk. Sequential equivalence checking without state space traversal. DATE 1998. 5. P. Bjesse, K. Claessen. SAT-based verification without state space traversal. FMCAD 2000. 6. A. Biere, A. Cimatti, E. Clarke, Y. Zhu. Symbolic model checking without BDDs. TACAS 1999.
Incremental SAT pseudo algorithm (backup walk-through of the animation; legend: Unknown, Current PO, Falsified, Valid) • SAT solver call #1: PO1 is the current PO, decided to 0 (¬PO1); the unit clause PO4 is found, so PO4 is in fact resolved, but the solver does not know this yet and PO4 remains unmarked; the model {¬PO1, ¬PO2, PO3, PO4, …} is found, PO1 is Falsified, and we are not aware that PO2 is resolved too, so this information cannot be reused • SAT solver call #2: PO2 is the current PO (¬PO2); the same model {¬PO1, ¬PO2, PO3, PO4, …} is rediscovered; PO2 is Falsified • SAT solver call #3: PO3 is the current PO (¬PO3); UNSAT, so PO3 is Valid • PO4: no SAT solver call, since the unit clause PO4 has already been learned; PO4 is Valid
Detailed Experimental Results (SSAT, ISSAT)
SSAT BMC vs competitors (run times in seconds; the last two columns are the SSAT flavors)
property count | BMC depth | nonincr conj | double incr conj | double incr GN | incr. GN | double incr SSAT | SSAT
32 | 50 | 32.95 | 5.4 | 536.3 | 8.31 | 533.87 | 8.14
32 | 50 | 32.85 | 5.46 | 543.15 | 8.42 | 534.85 | 8.15
3 | 50 | 318.87 | 108.54 | 3041.72 | 46.17 | 3064.57 | 46.05
3 | 50 | 360.67 | 464.32 | 3760.78 | 210.15 | 3747.52 | 210.45
3 | 50 | 310.64 | 367.93 | 3653.52 | 50.23 | 3612.3 | 50.06
3 | 50 | 242.4 | 231.59 | 3337.25 | 199.96 | 3330.65 | 199.46
8 | 50 | 78.8 | 30.69 | 681.68 | 27.46 | 685.82 | 27.18
8 | 50 | 78.14 | 30.77 | 680.2 | 26.97 | 682.88 | 26.91
8 | 50 | 18.53 | 3.28 | 162.84 | 9.98 | 157.66 | 10.03
8 | 50 | 18.46 | 3.35 | 157.25 | 10.23 | 157.69 | 10.18
543 | 15 | 139.82 | 41.18 | 51.26 | 32.78 | 36.08 | 18.91
172 | 30 | 145.75 | 52.13 | 76.83 | 40.5 | 63.59 | 28.06
1035 | 3 | 2478.61 | 406.2 | 1743.56 | 1618.58 | 386.93 | 229.28
Total run times | | 4256.49 | 1750.84 | 18426.34 | 2289.74 | 16994.41 | 872.86
SSAT Induction vs competitors (run times in seconds; the four columns after double incr GN are the SSAT flavors, labelled on the slide as double incr SSAT and double incr Hybrid Ind; the exact label of each of the four was lost in extraction)
# properties | nonincr conj | double incr GN | SSAT flavor 1 | SSAT flavor 2 | SSAT flavor 3 | SSAT flavor 4
9 | 189.57 | 72.67 | 66.65 | 35.05 | 29.84 | 29.32
9 | 200.13 | 73.23 | 61.72 | 40.46 | 27.76 | 29.09
9 | 222.29 | 66.11 | 67.17 | 35.84 | 26.06 | 27.83
9 | 246.51 | 67.85 | 62.33 | 37.22 | 28.24 | 29.5
9 | 253 | 68.14 | 59.55 | 39.04 | 28.66 | 30.13
9 | 215.09 | 70.25 | 60.5 | 35.52 | 26.7 | 27.86
Total (sec) | 1326.59 | 418.25 | 377.92 | 223.13 | 167.26 | 173.73
ISSAT-IBMC vs competitors: timed-out instances, bound reached (ISSAT-based BMC with interval 25 against BMC 10→, BMC 25→, ABC BMC2 and ABC BMC3; the extraction lost the assignment of columns to tools and some rows have fewer entries, so each family's values are listed in slide order)
bj: 405 393 461 328 462 485 553
bob: 674 645 736 427 697 706 710
cmu: 137 140 138 150 143 158 174
eij: 785 765 846 551 848 585 730
nus: 283 301 301 355 225 385
pdt: 3393 3504 3963 2957 3983 3430 3673
pj: 300 312 331 252 347 404
texas: 202 168 176 199 202
Total (bound): 6179 6262 6944 5142 7034 6195 6831
ISSAT-IBMC vs competitors: resolved instances, CPU time (ISSAT-based BMC against BMC 10!, BMC 25! and ABC's incremental BMC, ABC BMC2 and ABC BMC3; the extraction lost the assignment of columns to tools, so each family's values are listed in slide order)
bj: 215.8 324.9 190.6 341.4 103.3 407.07 51.08
bob: 116.7 853.1 648.9 1622 1176 186.99 174.61
cmu: 203.4 21.1 14.6 21.9 17.3 3.9 3.38
eij: 678.2 513.1 190.2 1446.1 141.4 62.38 171.58
nus: 2609.1 747.5 617 933.4 883.8 311.87 396.16
pdt: 4202 2837.1 1981.8 4230.3 1884.8 1350.72 955.41
pj: 513.2 911.1 449 829.4 555.8 569.72 940.1
texas: 8.4 22.4 142.1 33.7 37.7 25.67 25.06
vis: 311.9 238 138.7 406.3 147.6 94.7 169.52
Total (CPU time): 9614.6 8049.7 5187.5 12336.5 5697.9 4458.19 3108.8
Comparing invariant strengthening algorithms and strategy combinations with induction and interpolation: time and number of solved instances per family (Family 1 … Family 7, plus Total) for inv.ISSAT & interp., inv.ISSAT, inv.SSAT, inv.SATUR0 & interp., inv.SATUR0 & induct, inv.CONJ, inv.SATUR1, interp., and induction. [The per-family figures of this table did not survive extraction in any recoverable column order; the outcome of the comparison is summarized on the experimental results slide and on the HWMCC'10 table.]
Comparing strategy combinations on 417 HWMCC'10 problems (sorted by problems solved; the pairing of names and numbers was restored from the extraction and matches the summary slide, where ISSAT followed by interpolation was best)
Algorithm | time | solved
inv.ISSAT & interpolation | 78106 | 319
ABC-interpolation | 109166 | 310
inv.ISSAT | 133266 | 296
inv.CONJ | 135519 | 294
inv.SSAT | 135774 | 294
inv.SATUR0 & interpolation | 141619 | 283
interpolation | 144131 | 282
ABC-scorr & ABC-interpolation | 149540 | 281
inv.SATUR0 & induction | 147645 | 265
ABC-scorr | 146685 | 242
induction | 176056 | 231