Tuning SAT-checkers for Bounded Model-Checking: A bounded guided tour. Ofer Shtrichman, Weizmann Institute & IBM (HRL).
Outline: Basic theory of Bounded Model Checking (BMC); SAT highlights; Tuning SAT checkers for BMC; Results.
The Bounded Model Checking Problem: Safety. Given a safety property p (e.g. AG p: "always signal_a = signal_b"), is there a state reachable within k cycles which satisfies ¬p? [Figure: a path s0, s1, s2, ..., sk-1, sk, each state labelled by whether it satisfies p.]
The Bounded Model Checking Problem: Liveness. Given a liveness property p (e.g. AG AF p: "always, eventually signal_a = signal_b"), is there a loop within the first k cycles none of whose states satisfies p? [Figure: a path s0, s1, s2, ..., sk-1, sk closing into a loop, each state labelled by whether it satisfies p.]
Reducing the BMC problem to SAT (1/3). The reachable states in k steps are captured by: The property p fails in one of the cycles 1..k:
Reducing the BMC problem to SAT (2/3). The safety property p is valid up to cycle k iff the resulting formula is unsatisfiable. [Figure: a path s0, s1, s2, ..., sk-1, sk, each state labelled by whether it satisfies p.]
Reducing the BMC problem to SAT (3/3). For liveness properties, add a disjunction of possible loops: [Figure: a path s0, s1, s2, ..., sk-1, sk with the candidate back-edges that close a loop, each state labelled by whether it satisfies p.]
Example: a two-bit counter. [Figure: state diagram over the states 00, 01, 10, 11.] p = AG(¬l ∨ ¬r). For k = 2 the formula is unsatisfiable; for k = 4 it is satisfiable.
Traditional Symbolic Model-Checking with BDDs. • The reachable state-space is represented by a BDD. • The property is evaluated recursively, by iterative fixpoint computations on the reachable state-space. • The size of the BDD is typically the bottleneck of model checking.
Why SAT? • Smart DFS search: potentially reaches a satisfying sequence (a counterexample) faster. • No exponential growth in space. "Satisfiability checking is a 'luck-based technology'."
The Davis-Putnam procedure. Given a formula in CNF: (x ∨ y ∨ z), (¬x ∨ y), (¬y ∨ z), (¬x ∨ ¬y ∨ ¬z). [Figure: decision tree illustrating the three steps Decide(), Deduce() and Diagnose().]
Decide() criteria: on which variable to split? • satisfies the most clauses (DLIS) • satisfies the shortest clause • only positive or negative ('pure literal rule') • most frequent • ...
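The two-bit counter example above, encoded as the BMC formula φ_k in CNF and checked with a small Davis-Putnam procedure that follows the Decide()/Deduce()/Diagnose() structure of the previous slides, with Decide() using the 'most frequent' criterion. This is an added example, not code from the slides; the counter's transition relation (l' = l xor r, r' = ¬r) and the variable numbering are assumptions, since the slide shows only the state diagram.

```python
from collections import Counter
# Assumed transition (not on the slide): l' = l xor r, r' = not r, i.e. 00 -> 01 -> 10 -> 11 -> 00.

def simplify(cnf, lit):
    """Assign lit: drop satisfied clauses, delete -lit elsewhere; None on conflict."""
    out = []
    for c in cnf:
        if lit not in c:
            d = [x for x in c if x != -lit]
            if not d:
                return None
            out.append(d)
    return out

def dpll(cnf, model=None):
    """Davis-Putnam: a satisfying {var: bool} assignment, or None if unsatisfiable."""
    model = dict(model or {})
    while cnf and (unit := next((c[0] for c in cnf if len(c) == 1), None)):
        model[abs(unit)] = unit > 0                   # Deduce(): unit propagation
        if (cnf := simplify(cnf, unit)) is None:
            return None
    if not cnf:
        return model
    counts = Counter(x for c in cnf for x in c)
    lit = max(counts, key=counts.get)                 # Decide(): most frequent literal
    for choice in (lit, -lit):                        # Diagnose(): backtrack on conflict
        sub = simplify(cnf, choice)
        res = dpll(sub, {**model, abs(choice): choice > 0}) if sub is not None else None
        if res is not None:
            return res
    return None

def l(i): return 2 * i + 1                           # variable of bit l in state s_i
def r(i): return 2 * i + 2                           # variable of bit r in state s_i
def counter_bmc(k):
    """phi_k = I0 and T(s0,s1) and ... and T(s_{k-1},s_k) and (p fails in some cycle 1..k)."""
    f = lambda i: 2 * k + 2 + i                       # selector f_i: "p is violated at cycle i"
    cnf = [[-l(0)], [-r(0)]]                                      # I0: s0 = 00
    for i in range(k):                                            # T(s_i, s_{i+1})
        cnf += [[r(i + 1), r(i)], [-r(i + 1), -r(i)],             # r' = not r
                [-l(i + 1), l(i), r(i)], [-l(i + 1), -l(i), -r(i)],
                [l(i + 1), -l(i), r(i)], [l(i + 1), l(i), -r(i)]] # l' = l xor r
    for i in range(1, k + 1):
        cnf += [[-f(i), l(i)], [-f(i), r(i)]]                     # f_i -> (l_i and r_i) = not p
    cnf.append([f(i) for i in range(1, k + 1)])                   # not p holds in some cycle
    return cnf

def counter_example(k):  # trace [(l, r) for s_0..s_k] violating AG(not l or not r), or None
    m = dpll(counter_bmc(k))
    return None if m is None else [(int(m.get(l(i), 0)), int(m.get(r(i), 0))) for i in range(k + 1)]
```

For k = 2 the formula is unsatisfiable (no trace), while for k = 4 the solver returns the trace 00, 01, 10, 11, 00, whose fourth state violates p.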
Results (sec.). [Table not recovered.] * exceeds 10,000 sec.
Tuning SAT for BMC (1/3). 1. Use the variable dependency graph for smarter orderings. 2. Exploit information on the formula's structure to restrict the state-space. 3. Restrict Decide() to a small set of variables.
Clashing clouds... With general-purpose Decide() strategies, local sets of variables are satisfied asynchronously. [Figure: the unfolded formula between I0 and ¬Pk, with independently satisfied regions clashing.]
General-purpose vs. tailor-made Decide() strategies... Example sub-formula: ... (x = (y1 ∨ y2 ∨ y3)) ... General purpose: x = T, y1 = F, y2 = F, backtrack, y3 = T. Tailor-made: x = T, y1 = F, y2 = F, y3 = T. Use the formula's structure to resolve conflicts on a more local level.
A k-unfolding of the variable dependency graph. [Figure: the variables of each cycle 0..k laid out as columns of the unfolded dependency graph.]
[Figure: three search orderings over the k-unfolded graph between I0 and Pk: a head-on attack...; riding on unreachable states...; riding on legal executions... The annotations 'should satisfy I0' and 'should satisfy Pk' mark the constraints at the two ends of the unfolding.]
A combined heuristic. [Figure: trigger BFS over the unfolded graph between I0 and Pk.]
Given an order, guess a value: dynamic decision; constant value; previous value; 'flat' computation. [Figure: sample decision sequences x5 = 0, x2 = 1, y7 = 0, z2 = 0, y3 = 1, ... illustrating 'previous value' (x7? = x2 = 0) and 'flat' computation (x9 = 0).]
Tuning SAT for BMC (2/3). 1. Use the variable dependency graph for smarter orderings. 2. Exploit information on the formula's structure to restrict the state-space. 3. Restrict Decide() to a small set of variables.
Exploiting the formula's structure in AG p formulas. The formula's structure can be used for adding conflicting clauses: • If x3 = T, y7 = F, z5 = T leads to a conflict, then the formula conjoined with (¬x3 ∨ y7 ∨ ¬z5) is satisfiable iff the formula itself is satisfiable. • The new clause can be seen as a constraint on the state-space.
Exploiting the formula's structure in AG p formulas. • If x3 = T, y7 = F, z5 = T leads to a conflict, then so will x2 = T, y6 = F, z4 = T. • Therefore, we can also add: (¬x2 ∨ y6 ∨ ¬z4), (¬x1 ∨ y5 ∨ ¬z3), (¬x0 ∨ y4 ∨ ¬z2) and ... (¬x4 ∨ y8 ∨ ¬z6) ... (¬xk-4 ∨ yk ∨ ¬zk-2). • Yet, the formula is not fully symmetric because of I0. We first have to check, by simulating an assignment, whether the replicated clause indeed leads to a conflict.
Tuning SAT for BMC (3/3). 1. Use the variable dependency graph for smarter orderings. 2. Exploit information on the formula's structure to restrict the state-space. 3. Restrict Decide() to a small set of variables.
Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of the formula: model variables (~15% of the formula's variables); input variables (~5% of the formula's variables). Fewer variables to Decide() implies more variables to Deduce().
Results (sec.). [Table not recovered.] * exceeds 10,000 sec.
The Conclusion: Many of the (BDD-)hard cases can be solved more efficiently with the optimized SAT procedure.