Towards More Efficient SAT-Based Model Checking

Joao Marques-SilvaElectronics & Computer Science

University of Southampton

LAA C&V Workshop, Isaac Newton Institute, Cambridge, May 2006

2

Motivation Remarkable improvements made to SAT solvers over the last

decade– Clause learning; lazy data structures; adaptive branching heuristics;

search restarts

Very successful application of SAT in model checking– Bounded and unbounded model checking

Existing (industry motivated) challenges– Ability to handle ever increasing systems– Ability to find deep counterexamples– Ability to prove difficult properties

Lines of research– More efficient SAT solvers (?)– Better uses of SAT technology in SAT-based model checking

3

Goals of this talk SAT & SAT-based model checking

Interpolants in SAT-based model checking

Optimizations to the utilization of interpolants

4

Outline SAT & SAT-based model checking

– Organization of a modern SAT solver– SAT-based bounded model checking (BMC)– Interpolant-based unbounded model checking (UMC)

Improvements to SAT-based model checking

Results & conclusions

5

Modern SAT algorithms Follow the organization of the DPLL algorithm

– Backtrack search with unit propagation

Several key techniques are used:– Clause learning [Marques-Silva&Sakallah’96]

• Infer new clauses from causes of conflicts– Allows implementing non-chronological backtracking

– Exploiting structure of conflicts [Marques-Silva&Sakallah’96]• Identify Unique Implication Points (UIPs)

– Dominators in graph of implied assignments

– Optimized data structures [Moskewicz et al.’01]• Lazy evaluation of clause state

– Adaptive branching heuristics [Moskewicz et al.’01]• Variable branching metrics are affected by number of conflicts• Aging mechanisms for focusing on most recent conflicts

– Search restarts [Gomes,Selman&Kautz’98]• Opportunistically restart backtrack search

[Davis et al.’62]

6

Evolution of SAT solvers Remarkable improvements over the last decade

Instance Posit' 94 Grasp' 96 Chaff'01 Siege'04

ssa2670-136 28.53 0.36 0.02 0.01

bf1355-638 772.45 0.04 0.02 0.01

design_1 >7200 65.35 1.27 0.29

design_3 >7200 9.13 0.52 0.41

f_ind >7200 4663.89 17.91 6.52

splitter_42 >7200 >7200 28.81 4.46

c6288 >7200 >7200 >7200 2847.46

pipe_64_32 >7200 >7200 >7200 >7200

7

Bounded model checking Verification of safety properties: F f

Characteristic functions for representing initial states and transition relation, respectively I0 and T

– Resulting Boolean formula: k = I0 Uk Fk

• Where:

– Interpretation:

i

k

ri1ii

1k

0i00

k YfY,YTYI

[Biere et al.’99]

i

1k

0ik TU

i

k

rik fF 1iii Y,YTT

T0 T1 Tk-1 FkI0

Y0 Y1 Yk

ii Yff

8

Bounded model checking A possible BMC algorithm:

– Given some initial k – While k user-specified time-bound UB

• Generate CNF formula for I0 Uk Fk

• Invoke SAT solver on • If formula is satisfiable, then a counterexample within k

time steps has been found– Return counterexample

• Otherwise, increase k

The BMC algorithm is incomplete– But complete if completeness threshold is known

BMC loop

9

Towards completeness Unbounded model checking

– Utilization of induction

• Standard BMC loop– Stop BMC loop for some i, if cannot have loop-free path of size i that

can be reached from I0 or if cannot have loop-free path of size i that can reach Fk

– Maximum unfolding bounded by largest loop-free path

– ...

– Utilization of interpolants

• BMC and Craig interpolants allow SAT-based computation of abstractions of reachable states

– Avoid computing exact sets of reachable states– One of the most promising approaches in practice

• Maximum unfolding bounded by largest shortest path between any two states

[McMillan’03]

[Sheeran et al.’00]

[Chauhan et al.’02;Gupta et al.’03]

10

Interpolants Given two subsets of clauses A and B, assume A B is

unsatisfiable. Then, there exists an interpolant A’ for the pair (A, B) with the following properties:– A implies A’– A’ B is unsatisfiable– A’ refers only to the common variables of A and B– Example:

• A = p q, B = q r– A’ = q

Size of interpolants:– Given a resolution refutation of A B, can compute interpolant for the

pair (A, B) in linear time on the size of the resolution refutation• SAT solvers can be instructed to output resolution refutation !

Computing interpolants:– Different algorithms can be used

• Pudlak’97, McMillan’03

[Craig’57]

[Pudlak’97]

[McMillan’03]

11

(¬c)(c)

(¬b)(b c)

Deriving resolution refutations For unsatisfiable formulas:

– Learned clauses capture a resolution refutation from a subset of the original clauses

– SAT solvers can be instructed to recreate resolution refutation for unsatisfiable formula

(a b) (¬a c)

[Zhang&Malik’03]

= (a b) (¬a c) (¬b) (¬c)2 3 41

c = 0

b = 0

a = 0

1

1

2

(3)

(4)

12

Computing interpolants

Interpolant is a Boolean circuit that follows structure of resolution refutation– Can map circuit into CNF in linear time and space

[Tseitin’68; Plaisted&Greenbaum’86]

A = (r y)(r x) B = (y a)(ya)(x)

(r y) (r x)

(y x) (y a)

(x) (y)

(ya)

(x)

y x

A’ = y + x

A implies A’; A’ B is unsatisfiableA’ with variables common to A and B

13

Abstraction of reachable states For each iteration of BMC loop, call to SAT solver returns

unsat unless counterexample is found– Analysis of resolution refutation yields abstractions of reachable states

– Given A and B, and a resolution refutation for A B, compute Craig interpolant A’:

• A = I0 T0 implies A’

• A’ B is unsatisfiable

• A’ solely represented with state variables– If A holds, then A’ holds

• A1 = A’ represents abstraction of states reachable from I0 in 1 time step !

k1k1

00

k1k100

FTTB

TIA

BAFTTTI

14

Fixpoint of reachable states Can iterate computation of interpolants:

T0 T1 Tk-1 FkA1

A B

A2

Abstraction of states reachable in 2 time steps

T0 T1 Tk-1 FkAi-1

A B

Ai

Abstraction of states reachable in i time steps

T0 T1 Tk-1 FkI0

A B

A1

Abstraction of states reachable in 1 time step

If Ai I0 A1 A2 ... Ai-1, then a fixpoint is reached; all reachable states identified !

15

If Fk is satisfied from I0, then we have a counterexample !

If a fixpoint of the reachable states is identified, then no reachable state can satisfy property !

If A B is sat, may have abstracted too much; must unfold more time steps

Maximum value of k is bounded by largest shortest path between any two states

UMC algorithmk = 0repeat

if from I0 can satisfy Fk within k stepsreturn reachable

R = I0

let A = I0 T0, and B = T1 T2 Tk-1 Fk

while A B = falseP = unsat_proof(A B)

A’ = interpolant(P, A, B)if A’ R, return unreachableR = A’ RA = A’ T0

end whileincrease k

end repeat

Fixpoint

BMC loop

Calls to SAT solver

16

Outline SAT & SAT-based model checking

Improvements to SAT-based model checking– Rescheduling the BMC loop

• Can exploit feedback from the fixpoint checking loop– Reusing computed interpolants

• Interpolants readily available if fixed point condition is based on interpolants

• Can envision alternative fixpoint conditions

Results & conclusions

17

Rescheduling the BMC loopk = 0repeat

if from I0 can satisfy Fk within k stepsreturn reachable

R = I0

let A = I0 T0, and B = T1 T2 Tk-1 Fk

while A B = falseP = unsat_proof(A B)

A’ = interpolant(P, A, B)if A’ R, return unreachableR = A’ RA = A’ T0

end whileincrease k

end repeat

BMC loop

Number of iterations can be used to restrict when to check again the BMC condition !

Fixpoint

18

Rescheduling the BMC loop

Fixpoint checking with i+1 iterations (last iteration is sat):

Checked all states reachable in up to k+i states, with an unfolding of size k; no counterexample was found

Need to check BMC condition only when unfolding of FSM exceeds k+i time steps

In general useful if counterexample exists

I0 A1 A2 Ai+1

while A B = falseP = unsat_proof(A B)A’ = interpolant(P, A, B)if A’ R, return unreachableR = A’ RA = A’ T0

end while

Fixpoint

19

Interpolant reuse Boolean formula N is usable for B iff B N

– B satisfiable iff B N satisfiable

Learnt interpolants can be reused – For requiring states from a set of states– For preventing states from a set of states

A different organization of BMC:

i

1k

0ik TU

i

k

kik fF

[Copty et al.’01]

20

Interpolant reuse Different ways for computing interpolants

– Computed interpolants can be direct or inverse

– Interpolants can be computed at different time steps

Direct interpolants– Over-approximation of reachable states

– Under-approximation of states that do not satisfy failing property

Inverse interpolants– Under-approximation of unreachable states

– Over-approximation of states that satisfy failing property

T0 T1 Tk-1 FkI0

Can compute (multiple) interpolants

21

Direct interpolants

Pr,t:

– Direct interpolant computed r time steps from I0 and t time steps to Fk

From the initial state, Pr,t, t=k-r:

In general, Pr+u,t:

1r10

k1kr

k1k100

TTIA

FTTB

BAFTTTI

1r1v,u

k1kr

k1k10v,u

TTPA

FTTB

BAFTTTP

22

Conditions for interpolant reuse I Conditions on direct interpolants:

– Pr,t(Yr) is usable for k, with t 0 and r k

– Pr,t(Yk-t) is usable for k, with r 0 and t k

T0I0Tk-1 Fk

Tr-1 Tk-t-1

Pr,t Pr,t

Tr Tk-t

23

An example I Standard UMC model checking, with BMC and fixpoint loops Automaton with unfolding of size k+1

Fixed point checking for j+1 iterations– Last iteration yields spurious counterexample; j interpolants computed

Interpolants computed at Y1:– P1,k, P2,k, ..., Pj,k

Examples of interpolant reuse:– Pi,k(Yi), 1 i j, is usable for m, m k

• Pi,k represents over-approximation of the states reachable in i time steps

– With unfolding of size k+1, Pi,k(Y1), 1 i j, is usable for k+1

• Pi,k represents under-approximation of the states that do not satisfy failing property in k time steps

– With unfolding of size m k, Pi,k(Ym-k), 1 i j, is usable for m

T0 T1 Tk Fk+1I0

Y0 Y1 Yk+1

24

Inverse interpolants

Qr,t:

– Reverse interpolant computed r time steps from I0 and t time steps to Fk

From the initial state, Qr,t, t=k-r:

In general, Qr+u,t:

1r10

k1kr

k1k100

TTIB

FTTA

BAFTTTI

1r1v,u

k1kr

k1k10v,u

TTPB

FTTA

BAFTTTP

25

Conditions for interpolant reuse II Conditions on inverse interpolants:

– Qr,t(Yk-t) is usable for k, with r 0 and t k

– Qr,t(Yr) is usable for k, with t 0 and r k

T0I0Tk-1 Fk

Tr-1 Tk-t-1

Qr,t Qr,t

Tr Tk-t

26

An example II Standard UMC model checking, with BMC and fixpoint loops Automaton with unfolding of size k+1

Fixed point checking for j+1 iterations– Last iteration yields spurious counterexample; j interpolants computed

Interpolants computed at Y1:– Q1,k, Q2,k, ..., Qj,k

Examples of interpolant reuse:– Qi,k(Yi), 1 i j, is usable for m, m k

• Qi,k represents under-approximation of the states unreachable in i time steps

– With unfolding of size k+1, Qi,k(Y1), 1 i j, is usable for k+1

• Qi,k represents over-approximation of the states that satisfy failing property in k time steps

– With unfolding of size m k, Qi,k(Ym-k), 1 i j, is usable for m

T0 T1 Tk Fk+1I0

Y0 Y1 Yk+1

27

An example III Inverse UMC model checking, with BMC and fixpoint loops Automaton with unfolding of size k+1

Fixed point checking for j+1 iterations– Last iteration yields spurious counterexample; j interpolants computed

Interpolants computed at Yk-1:– Qk,1, Qk,2, ..., Qk,j

Examples of interpolant reuse:– Qk,i(Yk), 1 i j, is usable for m, m k

• Qk,i represents under-approximation of the states unreachable in k time steps

– With unfolding of size k+1, Qk,i(Yk+1-i), 1 i j, is usable for k+1

• Qk,i represents over-approximation of the states that satisfy failing property in i time steps

– With unfolding of size m k, Qk,i(Ym-i), 1 i j, is usable for m

T0 T1 Tk Fk+1I0

Y0 Y1 Yk+1

28

More on interpolant reuse All interpolants computed in standard interpolant-based

UMC flow can be reused– Easy to integrate with existing interpolant-based UMC flow

Learning and reusing of interpolants can be integrated into any approach for BMC or UMC– Plain BMC algorithm– Different approaches for UMC

Inverse interpolants provide alternative fixpoint condition (from previous slide):– If Qk,i Fk+1 Qk,1 Qk,i-1 is satisfiable, then we have a

fixpoint• Potentially interesting; depends on automaton

29

Outline SAT & SAT-based model checking

Improvements to SAT-based model checking

Results & conclusions

30

Results on rescheduling Evaluated rescheduling on different benchmarks

– Specifically designed and industrial examples Evaluated both the plain UMC algorithm and rescheduling

Instance No-reschedule Reschedule BMC4-bit counter 0.31 0.095-bit counter 3.86 0.846-bit counter 21.36 10.417-bit counter 1780.68 175.69I12 255.77 272.47I11 75.28 81.89I31 83.51 90.08I32 19.66 14.89I33 17.44 13.09I21 24.93 26.48Total time 2282.8 685.9

31

Experience with reuse Experimented interpolant reuse on industrial benchmarks

– Plain (incomplete) BMC loop

– Direct interpolants computed at each step (for last time step)

• Interpolants not used for checking fixed point condition

Experience so far:– Search space is reduced

– CPU times increase

The problems observed:– Large interpolants

• Naive simplifications

• Computed solely for search pruning purposes

– Ineffective representation

• One Reduced Boolean Circuit (RBC) for each interpolant

32

Conclusions SAT technology has improved dramatically over the last decade

– Key techniques:

• Clause learning, optimized data structures, adaptive branching heuristics, search restarts

SAT has been applied to model checking with success– Bounded and unbounded model checking

Described optimizations to the utilization of interpolants in SAT-based model checking

Results preliminary– Rescheduling can allow number of iterations to be significantly reduced

• Not significant on industrial benchmarks

– Reuse of interpolants reduces amount of search, increases run times

33

Many challenges Effectiveness of rescheduling in industrial context?

Can interpolant reuse yield performance gains?

Can we find “good” interpolants to learn and reuse?– E.g. size/depth of interpolant (or CNF representation)