FMCAD’10 Conference

Lugano, Switzerland

October 23, 2010

Boosting Minimal Unsatisfiable Core

Extraction

Alexander Nadel

Intel, Israel

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

Unsatisfiable Core ExtractionAn unsatisfiable core (UC) is an

unsatisfiable subset of an unsatisfiable set of constraints

An unsatisfiable core is minimal if removal of any constraint makes it satisfiable (local minima)

This work concentrates on minimal unsatisfiable core extraction for propositional logic

Example Application 1: Proof-based Abstraction Refinement for Model Checking (McMillan et al., TACAS’03; Gupta et al., ICCAD’03)

No BugValidModel Check A

BMC(M,P,k)

Cex C at depth k

BugNo

A A latches/gates in the UNSAT core of BMC(M,P,k)

Inputs: model M, property P Output: does P hold under M?

Abstract model A { }

Spurious?

The UNSAT core is used for refinement The UNSAT core is required in terms of latches/gates

Yes

Turn latches/ gates into free inputs

Example Application 2: Assumption Minimization for Compositional Formal Equivalence Checking (FEC)(Cohen et al., DVCon’10)

FEC verifies the equivalence between the design (RTL) and its implementation (schematics).

The whole design is too large to be verified at once. FEC is done on small sub-blocks, restricted with

assumptions. Assumptions required for the proof of equivalence of

sub-blocks must be proved relative to the driving logic. MUC extraction in terms of assumptions is vital for

feasibility.

Inp

uts

Ou

tpu

ts

Assumption Assertion

Traditional UC Extraction for Practical Needs: the Input

An interesting constraint

The remainder (the rest of the formula)

The user is interested in a MUC in terms of these

constraints

Traditional UC Extraction: Example Input 1

An unrolled latch/gate

The rest of the unrolled circuit

Proof-based abstraction refinement

Traditional UC Extraction: Example Input 1

An assumption

Equivalence between sub-block RTL and implementation

Assumption minimization for FEC

Traditional UC Extraction:Stage 1: Translate to Clauses

An interesting constraint

The remainder (the rest of the formula)

Each small square is a propositional clause, e.g. (a + b’)

Traditional UC Extraction:Stage 2: Extract a Clause-Level UC

An interesting constraint

The remainder (the rest of the formula)

Colored squares belong to the clause-level UC

Traditional UC Extraction:Stage 3: Map the Clause-Level UC Back to the Interesting Constraints

An interesting constraint

The remainder (the rest of the formula)

The UC contains three interesting constraints!

Traditionally, a Clause-Level UC Extractor is the WorkhorseA CNF formula is a conjunction of

clauses, e.g., (a) (b) (b + c) (b’ + c) (a’ + c’)

Clause-level UC extraction: given a CNF formula, extract an unsatisfiable subset of its clauses

A Mismatch between Mainstream Research and the Needs of Real-World Applications

Real-world applications require reducing the number of interesting constraints in the core rather than clauses◦Latches/gates for abstraction refinement◦Assumptions for compositional FEC

The vast majority of existing algorithms for UC extraction are clause-level◦19/21 papers on UC extraction only

consider clause-level UC extraction

Small/Minimal Clause-Level UC Small/Minimal High-Level UC

A small clause-level UC, but the high-level UC is the largest possible:

A large clause-level UC, but the high-level UC is empty:

Contribution of this WorkThis work introduces two highly scalable

algorithms for extracting a single high-level minimal UC◦ These algorithms convincingly outperform the

current state-of-the-art algorithms

The proposed algorithms outperform the state-of-the-art algorithms on large test-cases for clause-level MUC extraction

The algorithms can be used for only reducing the core when resources are limited

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

High-Level UC ExtractionGiven:

1. A set of interesting constraints = {R1, R2 , …, Rm }, and

2. The remainder

The set is a high-level UC if is unsatisfiable

Minimality is defined as usual (w.r.t set inclusion)

A Bird's Eye View of the AlgorithmsBoth algorithms are composed of:

◦The approximation stage Find a non-minimal high-level UC

◦The main loop For each interesting constraint R , check

if it belongs to the MUC. Remove superfluous constraints from

In the end is returned as the MUCBoth algorithms take advantage of

incremental SAT solving

S CreateSATInst( = {R1, …, Rm } )

The Skeleton of the New Algorithms

Create an incremental SAT instance from the initial constraints = {R1, …,

Rm } and the remainder .

S CreateSATInst( = {R1, …, Rm } )

The Skeleton of the New Algorithms

MUC {}

MUC will contain the MUC at the end of

algorithm’s execution

Cands ApproxMUC (S, , )

S CreateSATInst( = {R1, …, Rm } )

The Skeleton of the New Algorithms

MUC {}

This function returns a non-minimal high-level UC. Cands contains all the MUC

candidates (that is, interesting constraints) whose status is not yet

determined.

Cands ApproxMUC (S, , )

S CreateSATInst( = {R1, …, Rm } )

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

MUC {}

This operation removes all the clauses dependent on \ Cands from

the SAT instance forever

Cands ApproxMUC (S, , )

S CreateSATInst( = {R1, …, Rm } )

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

MUC {}

The approximatio

n stage

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

MUC {}

The condition of the main loop of the algorithm. For each remaining MUC

candidate, the loop will check if it belongs to the MUC.

Return MUC

Yes

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

Pick Rk Cands ; Cands Cands \ {Rk}

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

Return MUC

Yes

MUC {}

No

Pick the removal candidate for the current iteration

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

Pick Rk Cands ; Cands Cands \ {Rk}

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

Return MUC

Yes

ConditionallyRemove(S, Rk)

MUC {}

No

This operation conditionally removes all the initial and conflict clauses dependent on Rk

from the SAT instance in a way that guarantees that a potential return operation

is easy

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

Pick Rk Cands ; Cands Cands \ {Rk}

Solve(S)

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

Return MUC

Yes

ConditionallyRemove(S, Rk)

MUC {}

No

Solve the current instance using a SAT

solver

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

Pick Rk Cands ; Cands Cands \ {Rk}

Solve(S)

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

Return MUC

Yes

ConditionallyRemove(S, Rk)

MUC MUC {Rk} ReturnToInstance(S, Rk}

MUC {}

No

SAT

Rk belongs to the MUC. Return all the initial and conflict

clauses dependent on Rk to the SAT

instance.

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

Pick Rk Cands ; Cands Cands \ {Rk}

Solve(S)

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

Return MUC

Yes

ConditionallyRemove(S, Rk)

RemoveForever (S, Rk)

MUC MUC {Rk} ReturnToInstance(S, Rk}

MUC {}

No

RemoveForever(S, Other Irrelevant ICs)

SAT

UNSAT

Rk does not belong to the

MUC. Remove all the initial and

conflict clauses dependent on Rk

and possibly other irrelevant

interesting constraints from the SAT instance

forever.

Cands ApproxMUC (S, , )

Cands is empty?

S CreateSATInst( = {R1, …, Rm } )

Pick Rk Cands ; Cands Cands \ {Rk}

Solve(S)

RemoveForever (S, \ Cands )

The Skeleton of the New Algorithms

Return MUC

Yes

ConditionallyRemove(S, Rk)

RemoveForever (S, Rk)

MUC MUC {Rk} ReturnToInstance(S, Rk}

MUC {}

No

RemoveForever(S, Other Irrelevant ICs)

SAT

UNSAT

5 Operations for Implementing the Generic Scheme1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

Resolution RefutationA modern SAT solver is able to

generate a resolution refutation of a given formula◦Generates little overhead on solver’s

run-time

The cone of a clause or a set of clauses in a given resolution refutation is the set of all the reachable clauses

A Resolution Refutation Example

C3 = a C4 = c C1 = b + c C2 = b’ + c C5 = a’ + c’

C6 = c

C7 = a’

C8 =

Input clausesLegend: Derived clauses

Cone({C1, C2})

Implementing the Resolution-based Algorithm We need to implement the following

operations:1. Create a SAT instance2. Approximate a MUC◦Operations with interesting constraints:

3. Eternal removal4. Conditional removal5. Return

The idea is to use cone manipulations

Implementing the Resolution-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

Creating a SAT Instance for the Resolution-based AlgorithmUse the standard Tseitin encoding

◦The constraints are translated to mutually disjoint sets of clauses

Implementing the Resolution-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

Approximating a MUC for the Resolution-based AlgorithmInvoke the SAT solver with a

resolution refutation generator

An interesting constraint belongs to the set of MUC candidates iff its cone contains ◦The cone of an interesting constraint

is the cone of the associated clauses

Implementing the Resolution-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

Operations with Interesting Constraints for the Resolution-based Algorithm

Eternal removal ◦Remove the cone of the interesting

constraint

Conditional removal ◦Make the cone of the interesting constraint

invisible for BCP and clause-based heuristics Remove the clauses from the watch lists Let clause-based heuristic to skip the clauses

Return ◦Undo the conditional removal

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

Selector Variable-based High-Level Minimal UC ExtractionThe underlying idea:

◦For each Ri allocate a new selector variable si

◦Add the literal si’ to Ri’s clauses

◦Use the selector literals to turn (cones of) interesting constraints on and off Any clause in the cone of Ri will include si’

cone manipulations are possible without the need to store the resolution derivation!

Selector Variable-based High-Level Minimal UC ExtractionWe use the feature of SAT solving under assumptions ◦N. Een et al., SAT’03◦The solver receives a set of assumptions

{s1, …, sm} along with the CNF formula F

◦ It returns SAT iff F in conjunction with all the assumptions is satisfiable

If the answer is UNSAT, the solver can return the set of assumptions required for the refutation◦N. Een et al., FMCAD’10: presented today◦A very cheap algorithm

Implementing the Selector Variable-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

Implementing the Selector Variable-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

SAT Instance Creation for the Selector Variable-based MethodEach Ri = {R1, R2 , …, Rm }

is translated as follows:◦Generate a set of clauses Clss(Ri) using

Tseitin encoding◦Introduce a fresh selector variable si

◦Add the literal si’ to each clause of Clss(Ri)

The remainder is translated to clauses using Tseitin encoding

Implementing the Selector Variable-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

The Approximation Stage of the Selector-Variable-based MethodInvoke the SAT solver under the

assumptions {s1, …, sm}

Keep (as MUC candidates) all the interesting constraints whose corresponding assumptions are required for the proof

Implementing the Selector-Variable-based Algorithm1. Create a SAT instance2. Approximate a MUCOperations with interesting

constraints:3. Eternal removal4. Conditional removal5. Return

Operations with Interesting ConstraintsEternal removal of Ri

◦Add the unit clause si’ to the instance Makes all the clause dependent on Ri satisfied. They will

be removed by the solver’s interprocessor.

Conditional removal◦Solve under the assumption that si is false and all

selector variables of the other MUC candidates are true

Return of Ri

◦Add the unit clause si to the instance This operation “asserts” Ri

Comparison between Resolution-based and Selector Variable-based Methods

Pros of the selector-variable-based method◦Saves the overhead of maintaining the

resolution derivation◦Saves the overhead of manipulations

with cones◦Simpler to implement

Cons of the selector-variable-based method◦Slows down performance, since the

conflict clauses become much longer

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

Related Work: High-Level MUC Extraction CAMUS: explores the duality between MCSs and MUCs

◦ Liffiton et al., J. Autom. Reasoning’08◦ Uses selector-variable-based reasoning◦ Can return any user-given number of high-level MUCs ◦ : no experiments with CAMUS in our paper

We assumed that it can return all MUCs only

◦ : we experimented with CAMUS for this presentation

MUSIC: our work for an industrial conference Cohen et al., DVCon’10 Demonstrates the necessity of the high-level MUC extraction

for industrial needs: assumption minimization for FEC An early version of our resolution-based algorithm is used for

the experiments. Not enough algorithmic detail are provided in the paper We have used this algorithm since 2006 (it was unpublished)

Previous Work on Clause-Level MUC ExtractionCRR + RRP: the resolution-based method

◦ Dershowitz et al., SAT’06; Nadel, PhD thesis’09 ◦ The basis for our resolution-based algorithm◦ The only method shown to scale for large formal

verification instances (up to almost 200k clauses) AMUSE: the first selector-variable-based approach for

MUC extraction◦ Oh et al., DAC’04

MUP : BDD-based algorithm◦ Huang, ASP-DAC’05

MiniUnsat: associated assignment-based method◦ H. Van Maaren et al., SAT’08

AOMUS: local search-based approach◦ Gregoire et al., Constraints’07

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

Experimental Results: High-Level MUC Extraction: AlgorithmsAlgorithms evaluated:

◦CAMUS in the following mode: Single MUC extraction Preprocessing: the basic resolution-based

non-minimal UNSAT core extraction

◦MUC-RB: our resolution-based algorithm

◦MUC-SV: our selector-variable-based algorithm

Experimental Results: High-Level MUC Extraction: InstancesThe domain of the instances is proof-

based abstraction refinementGenerated at Intel, publically availableEach interesting constraint is an

unrolled latchSize: 136,878 – 5,136,873 clauses

(1,853,500 on average)The number of interesting constraints:

584 – 4030 (3367 on average)

Experimental Results: High-Level MUC Extraction

0 50 100 150 200 250 300 350 400 450 5000

1000

2000

3000

4000

5000

6000

7000

CAMUS vs. MUC-SV: Run-Time Comparison

MUC-SV

CAMUS

y = x

T/O

Experimental Results: High-Level MUC Extraction

0 50 100 150 200 250 300 350 400 450 5000

50

100

150

200

250

300

350

400

450

500

MUC-RB vs. MUC-SV Run-Time Comparison

MUC-SV

MUC-RB

Experimental Results: Clause-Level MUC ExtractionThe instances:

◦Well-known instances from the formal verification domain

Algorithms evaluated:◦MUC-RB◦MUC-SV◦CRR+RRP◦CAMUS◦AOMUS◦MiniUnsat

Clause-Level MUC Extraction: Run-Time is in Sec.

Instance Clauses T/O MUC-RB MUC-SV CRR+RRP CAMUS AOMUS MiniUnsat

3pipe_k 27405 7200 167 239 469 TO ERR TO

4pipe 80213 7200 1417 2021 3791 TO TO TO

4pipe_1_ooo 74554 7200 1528 4323 2928 TO TO TO

4pipe_2_ooo 82207 7200 2383 4999 4566 TO TO TO

4pipe_3_ooo 89473 7200 2560 5357 4465 TO TO TO

4pipe_4_ooo 96480 7200 2432 6354 5865 TO TO TO

4pipe_k 79489 7200 1426 3097 2938 TO TO TO

barrel5 5383 7200 68 48 115 31 ERR 267

barrel6 8931 7200 348 402 436 223 ERR 1391

barrel7 13765 7200 849 700 1081 1443 ERR 5027

barrel8 20083 7200 4115 5758 4110 5823 ERR TO

longmult4 6069 7200 14 78 12 5 540 227

longmult5 7431 7200 143 642 100 21 ERR 538

longmult6 8853 7200 968 5705 1760 79 TO 1149

longmult7 10335 7200 5099 TO TO 858 TO 2497

32Gb of memory

4Gb of memory

Machines:

AgendaIntroduction and motivationNew algorithms

◦Generic scheme◦Resolution-based algorithm◦Selector-variable-based algorithm

Related workExperimental resultsConclusion

ConclusionWe introduced two algorithms for extracting

a minimal unsatisfiable core (MUC)

Our algorithms can be applied to high-level MUC extraction◦ MUC extraction in terms of user-given interesting

constraints. Critical for applications.

Our algorithms are faster by two order of magnitudes than existing algorithms for high-level MUC extraction◦ They are also faster for clause-level MUC

extraction on large and difficult test-cases

Future WorkGeneralize the algorithms to extract

a user-given number of MUCsOptimize performance

◦ Improve the data structure for storing the resolution derivation

◦Combine the selector-based and resolution-based approaches

◦Study the impact of available resources (CPU, memory, disk) on performance

◦Tune RRP for the newly proposed algorithms

Thanks!