Towards More Efficient SAT-Based Model Checking
Joao Marques-SilvaElectronics & Computer Science
University of Southampton
LAA C&V Workshop, Isaac Newton Institute, Cambridge, May 2006
2
Motivation Remarkable improvements made to SAT solvers over the last
decade– Clause learning; lazy data structures; adaptive branching heuristics;
search restarts
Very successful application of SAT in model checking– Bounded and unbounded model checking
Existing (industry motivated) challenges– Ability to handle ever increasing systems– Ability to find deep counterexamples– Ability to prove difficult properties
Lines of research– More efficient SAT solvers (?)– Better uses of SAT technology in SAT-based model checking
3
Goals of this talk SAT & SAT-based model checking
Interpolants in SAT-based model checking
Optimizations to the utilization of interpolants
4
Outline SAT & SAT-based model checking
– Organization of a modern SAT solver– SAT-based bounded model checking (BMC)– Interpolant-based unbounded model checking (UMC)
Improvements to SAT-based model checking
Results & conclusions
5
Modern SAT algorithms Follow the organization of the DPLL algorithm
– Backtrack search with unit propagation
Several key techniques are used:– Clause learning [Marques-Silva&Sakallah’96]
• Infer new clauses from causes of conflicts– Allows implementing non-chronological backtracking
– Exploiting structure of conflicts [Marques-Silva&Sakallah’96]• Identify Unique Implication Points (UIPs)
– Dominators in graph of implied assignments
– Optimized data structures [Moskewicz et al.’01]• Lazy evaluation of clause state
– Adaptive branching heuristics [Moskewicz et al.’01]• Variable branching metrics are affected by number of conflicts• Aging mechanisms for focusing on most recent conflicts
– Search restarts [Gomes,Selman&Kautz’98]• Opportunistically restart backtrack search
[Davis et al.’62]
6
Evolution of SAT solvers Remarkable improvements over the last decade
Instance Posit' 94 Grasp' 96 Chaff'01 Siege'04
ssa2670-136 28.53 0.36 0.02 0.01
bf1355-638 772.45 0.04 0.02 0.01
design_1 >7200 65.35 1.27 0.29
design_3 >7200 9.13 0.52 0.41
f_ind >7200 4663.89 17.91 6.52
splitter_42 >7200 >7200 28.81 4.46
c6288 >7200 >7200 >7200 2847.46
pipe_64_32 >7200 >7200 >7200 >7200
7
Bounded model checking Verification of safety properties: F f
Characteristic functions for representing initial states and transition relation, respectively I0 and T
– Resulting Boolean formula: k = I0 Uk Fk
• Where:
– Interpretation:
i
k
ri1ii
1k
0i00
k YfY,YTYI
[Biere et al.’99]
i
1k
0ik TU
i
k
rik fF 1iii Y,YTT
T0 T1 Tk-1 FkI0
Y0 Y1 Yk
ii Yff
8
Bounded model checking A possible BMC algorithm:
– Given some initial k – While k user-specified time-bound UB
• Generate CNF formula for I0 Uk Fk
• Invoke SAT solver on • If formula is satisfiable, then a counterexample within k
time steps has been found– Return counterexample
• Otherwise, increase k
The BMC algorithm is incomplete– But complete if completeness threshold is known
BMC loop
9
Towards completeness Unbounded model checking
– Utilization of induction
• Standard BMC loop– Stop BMC loop for some i, if cannot have loop-free path of size i that
can be reached from I0 or if cannot have loop-free path of size i that can reach Fk
– Maximum unfolding bounded by largest loop-free path
– ...
– Utilization of interpolants
• BMC and Craig interpolants allow SAT-based computation of abstractions of reachable states
– Avoid computing exact sets of reachable states– One of the most promising approaches in practice
• Maximum unfolding bounded by largest shortest path between any two states
[McMillan’03]
[Sheeran et al.’00]
[Chauhan et al.’02;Gupta et al.’03]
10
Interpolants Given two subsets of clauses A and B, assume A B is
unsatisfiable. Then, there exists an interpolant A’ for the pair (A, B) with the following properties:– A implies A’– A’ B is unsatisfiable– A’ refers only to the common variables of A and B– Example:
• A = p q, B = q r– A’ = q
Size of interpolants:– Given a resolution refutation of A B, can compute interpolant for the
pair (A, B) in linear time on the size of the resolution refutation• SAT solvers can be instructed to output resolution refutation !
Computing interpolants:– Different algorithms can be used
• Pudlak’97, McMillan’03
[Craig’57]
[Pudlak’97]
[McMillan’03]
11
(¬c)(c)
(¬b)(b c)
Deriving resolution refutations For unsatisfiable formulas:
– Learned clauses capture a resolution refutation from a subset of the original clauses
– SAT solvers can be instructed to recreate resolution refutation for unsatisfiable formula
(a b) (¬a c)
[Zhang&Malik’03]
= (a b) (¬a c) (¬b) (¬c)2 3 41
c = 0
b = 0
a = 0
1
1
2
(3)
(4)
12
Computing interpolants
Interpolant is a Boolean circuit that follows structure of resolution refutation– Can map circuit into CNF in linear time and space
[Tseitin’68; Plaisted&Greenbaum’86]
A = (r y)(r x) B = (y a)(ya)(x)
(r y) (r x)
(y x) (y a)
(x) (y)
(ya)
(x)
y x
A’ = y + x
A implies A’; A’ B is unsatisfiableA’ with variables common to A and B
13
Abstraction of reachable states For each iteration of BMC loop, call to SAT solver returns
unsat unless counterexample is found– Analysis of resolution refutation yields abstractions of reachable states
– Given A and B, and a resolution refutation for A B, compute Craig interpolant A’:
• A = I0 T0 implies A’
• A’ B is unsatisfiable
• A’ solely represented with state variables– If A holds, then A’ holds
• A1 = A’ represents abstraction of states reachable from I0 in 1 time step !
k1k1
00
k1k100
FTTB
TIA
BAFTTTI
14
Fixpoint of reachable states Can iterate computation of interpolants:
T0 T1 Tk-1 FkA1
A B
A2
Abstraction of states reachable in 2 time steps
T0 T1 Tk-1 FkAi-1
A B
Ai
Abstraction of states reachable in i time steps
T0 T1 Tk-1 FkI0
A B
A1
Abstraction of states reachable in 1 time step
If Ai I0 A1 A2 ... Ai-1, then a fixpoint is reached; all reachable states identified !
15
If Fk is satisfied from I0, then we have a counterexample !
If a fixpoint of the reachable states is identified, then no reachable state can satisfy property !
If A B is sat, may have abstracted too much; must unfold more time steps
Maximum value of k is bounded by largest shortest path between any two states
UMC algorithmk = 0repeat
if from I0 can satisfy Fk within k stepsreturn reachable
R = I0
let A = I0 T0, and B = T1 T2 Tk-1 Fk
while A B = falseP = unsat_proof(A B)
A’ = interpolant(P, A, B)if A’ R, return unreachableR = A’ RA = A’ T0
end whileincrease k
end repeat
Fixpoint
BMC loop
Calls to SAT solver
16
Outline SAT & SAT-based model checking
Improvements to SAT-based model checking– Rescheduling the BMC loop
• Can exploit feedback from the fixpoint checking loop– Reusing computed interpolants
• Interpolants readily available if fixed point condition is based on interpolants
• Can envision alternative fixpoint conditions
Results & conclusions
17
Rescheduling the BMC loopk = 0repeat
if from I0 can satisfy Fk within k stepsreturn reachable
R = I0
let A = I0 T0, and B = T1 T2 Tk-1 Fk
while A B = falseP = unsat_proof(A B)
A’ = interpolant(P, A, B)if A’ R, return unreachableR = A’ RA = A’ T0
end whileincrease k
end repeat
BMC loop
Number of iterations can be used to restrict when to check again the BMC condition !
Fixpoint
18
Rescheduling the BMC loop
Fixpoint checking with i+1 iterations (last iteration is sat):
Checked all states reachable in up to k+i states, with an unfolding of size k; no counterexample was found
Need to check BMC condition only when unfolding of FSM exceeds k+i time steps
In general useful if counterexample exists
I0 A1 A2 Ai+1
while A B = falseP = unsat_proof(A B)A’ = interpolant(P, A, B)if A’ R, return unreachableR = A’ RA = A’ T0
end while
Fixpoint
19
Interpolant reuse Boolean formula N is usable for B iff B N
– B satisfiable iff B N satisfiable
Learnt interpolants can be reused – For requiring states from a set of states– For preventing states from a set of states
A different organization of BMC:
i
1k
0ik TU
i
k
kik fF
[Copty et al.’01]
20
Interpolant reuse Different ways for computing interpolants
– Computed interpolants can be direct or inverse
– Interpolants can be computed at different time steps
Direct interpolants– Over-approximation of reachable states
– Under-approximation of states that do not satisfy failing property
Inverse interpolants– Under-approximation of unreachable states
– Over-approximation of states that satisfy failing property
T0 T1 Tk-1 FkI0
Can compute (multiple) interpolants
21
Direct interpolants
Pr,t:
– Direct interpolant computed r time steps from I0 and t time steps to Fk
From the initial state, Pr,t, t=k-r:
In general, Pr+u,t:
1r10
k1kr
k1k100
TTIA
FTTB
BAFTTTI
1r1v,u
k1kr
k1k10v,u
TTPA
FTTB
BAFTTTP
22
Conditions for interpolant reuse I Conditions on direct interpolants:
– Pr,t(Yr) is usable for k, with t 0 and r k
– Pr,t(Yk-t) is usable for k, with r 0 and t k
T0I0Tk-1 Fk
Tr-1 Tk-t-1
Pr,t Pr,t
Tr Tk-t
23
An example I Standard UMC model checking, with BMC and fixpoint loops Automaton with unfolding of size k+1
Fixed point checking for j+1 iterations– Last iteration yields spurious counterexample; j interpolants computed
Interpolants computed at Y1:– P1,k, P2,k, ..., Pj,k
Examples of interpolant reuse:– Pi,k(Yi), 1 i j, is usable for m, m k
• Pi,k represents over-approximation of the states reachable in i time steps
– With unfolding of size k+1, Pi,k(Y1), 1 i j, is usable for k+1
• Pi,k represents under-approximation of the states that do not satisfy failing property in k time steps
– With unfolding of size m k, Pi,k(Ym-k), 1 i j, is usable for m
T0 T1 Tk Fk+1I0
Y0 Y1 Yk+1
24
Inverse interpolants
Qr,t:
– Reverse interpolant computed r time steps from I0 and t time steps to Fk
From the initial state, Qr,t, t=k-r:
In general, Qr+u,t:
1r10
k1kr
k1k100
TTIB
FTTA
BAFTTTI
1r1v,u
k1kr
k1k10v,u
TTPB
FTTA
BAFTTTP
25
Conditions for interpolant reuse II Conditions on inverse interpolants:
– Qr,t(Yk-t) is usable for k, with r 0 and t k
– Qr,t(Yr) is usable for k, with t 0 and r k
T0I0Tk-1 Fk
Tr-1 Tk-t-1
Qr,t Qr,t
Tr Tk-t
26
An example II Standard UMC model checking, with BMC and fixpoint loops Automaton with unfolding of size k+1
Fixed point checking for j+1 iterations– Last iteration yields spurious counterexample; j interpolants computed
Interpolants computed at Y1:– Q1,k, Q2,k, ..., Qj,k
Examples of interpolant reuse:– Qi,k(Yi), 1 i j, is usable for m, m k
• Qi,k represents under-approximation of the states unreachable in i time steps
– With unfolding of size k+1, Qi,k(Y1), 1 i j, is usable for k+1
• Qi,k represents over-approximation of the states that satisfy failing property in k time steps
– With unfolding of size m k, Qi,k(Ym-k), 1 i j, is usable for m
T0 T1 Tk Fk+1I0
Y0 Y1 Yk+1
27
An example III Inverse UMC model checking, with BMC and fixpoint loops Automaton with unfolding of size k+1
Fixed point checking for j+1 iterations– Last iteration yields spurious counterexample; j interpolants computed
Interpolants computed at Yk-1:– Qk,1, Qk,2, ..., Qk,j
Examples of interpolant reuse:– Qk,i(Yk), 1 i j, is usable for m, m k
• Qk,i represents under-approximation of the states unreachable in k time steps
– With unfolding of size k+1, Qk,i(Yk+1-i), 1 i j, is usable for k+1
• Qk,i represents over-approximation of the states that satisfy failing property in i time steps
– With unfolding of size m k, Qk,i(Ym-i), 1 i j, is usable for m
T0 T1 Tk Fk+1I0
Y0 Y1 Yk+1
28
More on interpolant reuse All interpolants computed in standard interpolant-based
UMC flow can be reused– Easy to integrate with existing interpolant-based UMC flow
Learning and reusing of interpolants can be integrated into any approach for BMC or UMC– Plain BMC algorithm– Different approaches for UMC
Inverse interpolants provide alternative fixpoint condition (from previous slide):– If Qk,i Fk+1 Qk,1 Qk,i-1 is satisfiable, then we have a
fixpoint• Potentially interesting; depends on automaton
29
Outline SAT & SAT-based model checking
Improvements to SAT-based model checking
Results & conclusions
30
Results on rescheduling Evaluated rescheduling on different benchmarks
– Specifically designed and industrial examples Evaluated both the plain UMC algorithm and rescheduling
Instance No-reschedule Reschedule BMC4-bit counter 0.31 0.095-bit counter 3.86 0.846-bit counter 21.36 10.417-bit counter 1780.68 175.69I12 255.77 272.47I11 75.28 81.89I31 83.51 90.08I32 19.66 14.89I33 17.44 13.09I21 24.93 26.48Total time 2282.8 685.9
31
Experience with reuse Experimented interpolant reuse on industrial benchmarks
– Plain (incomplete) BMC loop
– Direct interpolants computed at each step (for last time step)
• Interpolants not used for checking fixed point condition
Experience so far:– Search space is reduced
– CPU times increase
The problems observed:– Large interpolants
• Naive simplifications
• Computed solely for search pruning purposes
– Ineffective representation
• One Reduced Boolean Circuit (RBC) for each interpolant
32
Conclusions SAT technology has improved dramatically over the last decade
– Key techniques:
• Clause learning, optimized data structures, adaptive branching heuristics, search restarts
SAT has been applied to model checking with success– Bounded and unbounded model checking
Described optimizations to the utilization of interpolants in SAT-based model checking
Results preliminary– Rescheduling can allow number of iterations to be significantly reduced
• Not significant on industrial benchmarks
– Reuse of interpolants reduces amount of search, increases run times
33
Many challenges Effectiveness of rescheduling in industrial context?
Can interpolant reuse yield performance gains?
Can we find “good” interpolants to learn and reuse?– E.g. size/depth of interpolant (or CNF representation)