SAT-based Bounded Model Checking

Given a property p: (e.g. “always signal_a = signal_b”)

Is there a state reachable within k cycles, which satisfies p ?

. . .s0 s1 s2 sk-1 sk

p p p p p

Formulation of famous problems as SAT:Bounded Model Checking

The reachable states in k steps are captured by:

The property p fails in one of the cycles 1..k:

Bounded Model Checking: safety

The safety property p is valid up to cycle k iff k is unsatisfiable:

. . .s0 s1 s2 sk-1 sk

p p p p p

Bounded Model Checking: safety

Example: a two bit counter

Property: G (l r).

00

01 10

11

For k = 2, k is unsatisfiable. For k = 4 k is satisfiable

Initial state: I: : l Æ : r

Transition: R: l’ = (l r) Æ r’ = : r

Bounded Model Checking: safety

The liveness property Fp is valid up to cycle k iff k is unsatisfiable:

. . .s0 s1 s2 sk-1 sk

:p :p p

Bounded Model Checking : liveness

:p :p

=

Intel’s results (2002)

IBM’s results (2000)

SAT made some progress…

1

10

100

1000

10000

100000

1960 1970 1980 1990 2000 2010

Year

Vars

Bounded Model Checking

k = 0

BMC(M,,k)

yes

k++

k ¸ ?no

Resourcesexceeded

How big should k be?

For every finite model M and LTL property there exists k s.t.

We call the minimal such k the Completeness Threshold (CT)

Clearly if M ² then CT = 0

computing CT for a given M model checking

The Completeness Threshold

Let’s try the following strategy:

Compute CT for an abstraction of M

that

unites all models with certain graph-theoretic properties equal to those of M

Basic notions…

Diameter D(M) = longest shortest path between any two reachable states.

Recurrence Diameter RD(M) = longest loop-free path between any two reachable states.

The initialized versions: DI(M) and RDI(M) start from an initial state.

D(M) = 2

RD(M) = 3

DI(M) =

RDI(M) =

The Completeness Threshold

Theorem: for AGp properties CT = DI(M)

s0

p

Arbitrary path

(For AFp properties this does not hold)pppp

p

The Completeness Threshold

Theorem: for AFp properties CT= RDI(M)+1s0

ppppp

Theorem: for an LTL property CT = ?

What is SAT?

SATisfying assignment!

Given a propositional formula in CNF, find an assignment to Boolean variables that makes the formula true:

1 = (x2 x3)

2 = (x1 x4)

3 = (x2 x4)

A = {x1=0, x2=1, x3=0, x4=1}

1 = (x2 x3)

2 = (x1 x4)

3 = (x2 x4)

A = {x1=0, x2=1, x3=0, x4=1}

Given in CNF: (x,y,z),(-x,y),(-y,z),(-x,-y,-z)

Decide()

Deduce()

Resolve_Conflict()

-xx

-zz-yy

z -z y -y

() ()

(z ),(-z ) ()

(y),(-y,z ),(-y,-z )

()

() ()

(y),(-y)

(y,z ),(-y,z )

X

X X X X

A Basic SAT algorithm

x=0@1

z=0@2

y=0@2

Backtracking Search in Action

1 = (x2 x3)

2 = (x1 x4)

3 = (x2 x4)

1 = (x2 x3)

2 = (x1 x4)

3 = (x2 x4)

x1

x1 = 0@1

{(x1,0), (x2,0), (x3,1)}

x2 x2 = 0@2

{(x1,1), (x2,0), (x3,1) , (x4,0)}

x1 = 1@1

x3 = 1@2

x4 = 0@1 x2 = 0@1

x3 = 1@1

No backtrack in this example, regardless of the decision!

Backtracking Search in Action

1 = (x2 x3)

2 = (x1 x4)

3 = (x2 x4)

4 = (x1 x2 x3)

1 = (x2 x3)

2 = (x1 x4)

3 = (x2 x4)

4 = (x1 x2 x3)

Add a clause

x4 = 0@1

x2 = 0@1

x3 = 1@1

conflict

{(x1,0), (x2,0), (x3,1)}

x2

x2 = 0@2 x3 = 1@2

x1 = 0@1

x1

x1 = 1@1

Choose the variable and value that satisfies the maximum number of unsatisfied clauses.

This requires going through all clauses for each decision.

Decision heuristics DLIS (Dynamic Largest Individual Sum)

Compute for every clause and every variable l (in each phase):

J(l) :=

Choose a variable l that maximizes J(l).

This gives an exponentially higher weight to literals in shorter clauses.

,

||2l

Decision heuristicsJeroslow-Wang method

Implication graphs and learning

1 = (x1 x2)

2 = (x1 x3 x9)

3 = (x2 x3 x4)

4 = (x4 x5 x10)

5 = (x4 x6 x11)

6 = (x5 x6)

7 = (x1 x7 x12)

8 = (x1 x8)

9 = (x7 x8 x13)

1 = (x1 x2)

2 = (x1 x3 x9)

3 = (x2 x3 x4)

4 = (x4 x5 x10)

5 = (x4 x6 x11)

6 = (x5 x6)

7 = (x1 x7 x12)

8 = (x1 x8)

9 = (x7 x8 x13)

Current truth assignment: {x9=0@1 ,x10=0@3, x11=0@3, x12=1@2, x13=1@2}

Current decision assignment: {x1=1@6}

6

6

conflict

x9=0@1

x1=1@6

x10=0@3

x11=0@3

x5=1@64

4

5

5 x6=1@62

2

x3=1@6

1

x2=1@6

3

3

x4=1@6

We learn the conflict clause 10 : (: x1 Ç x9 Ç x11 Ç x10)

Implication graph, flipped assignment

x1=0@6

x11=0@3

x10=0@3

x9=0@1

x7=1@6

x12=1@2

7

7

x8=1@6

8

10

10

10 9

9

’

x13=1@2

9

Due to the conflict clause

1 = (x1 x2)

2 = (x1 x3 x9)

3 = (x2 x3 x4)

4 = (x4 x5 x10)

5 = (x4 x6 x11)

6 = (x5 x6)

7 = (x1 x7 x12)

8 = (x1 x8)

9 = (x7 x8 x13)

10 : (: x1 Ç x9 Ç x11 Ç x10)

1 = (x1 x2)

2 = (x1 x3 x9)

3 = (x2 x3 x4)

4 = (x4 x5 x10)

5 = (x4 x6 x11)

6 = (x5 x6)

7 = (x1 x7 x12)

8 = (x1 x8)

9 = (x7 x8 x13)

10 : (: x1 Ç x9 Ç x11 Ç x10)

Non-chronological backtracking

Non-chronological backtracking

x1

4

5

6

’

Decision level

Which assignments caused the conflicts ? x9= 0@1

x10= 0@3

x11= 0@3

x12= 1@2

x13= 1@2

Backtrack to decision level 3

3

These assignmentsAre sufficient forCausing a conflict.

I. Variable ordering

II. Incremental SAT: reusability of conflict clauses between different (yet related) SAT instances.

III. Replicating Conflict Clauses: generation of conflict clauses 'for free', based on the unique structure of BMC invariant properties.

Tuning SAT for BMC

A (CNF) dependency graph D (V,E):

A partitioning C1..Cn:

An abstract dependency graph D’(V’, E’):

Static variable ordering

For (k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear

C0 C1 C2 CkC3 Ck-1

V0 V1 V2 VkV3 Vk-1

...

Static variable ordering for BMC (The natural order of (k))

I0PkRiding on unreachable states...

k should satisfy I0

I0Riding on legal executions...

(k) should satisfy Pk

Pk

Static variable ordering (A simple static ordering)

Given two CNF formulas (sets of clauses) S1 and S2, and a conflict clause s.t. S1 `, under what conditions the followingholds:

S2 is satisfiable iff S2 is satisfiable.

Incremental SAT

Let 0 S1 S2

Claim: if 0 ` then

Thus, if we deduce while checking S1, we can reuse itwhen checking S2.

0

S1 S2

0 `

Incremental SAT

S1 is satisfiable iff S1 is satisfiable.S2 is satisfiable iff S2 is satisfiable.

Testing whether the clauses involved in deducing are a subset of 0 requires marking them in advance.

In the BMC case this is easy:

Only one clause in (k) is not included in (k+1)

Incremental SAT for BMC

0

S1 S2

1. Mark 0 , the subset of clauses that are also contained in subsequent instances.2. If s ` for some s 0, then add to 0 and mark it as pervasive.

Incremental SAT

The BMC invariant formula includes k structurally similar parts:

Can this symmetry be used to speed up the search ?

Replicated clauses

Let xk denote variable x in cycle k.

Let c(i) denote the clause c, where every variable in c is shifted i cycles.

For example: c = (x5 y2 z7)c(2) = (x7 y4 z9)c(-2) = (x3 y0 z5)

Replicated clauses

Similarly, s(i) denotes the set of shifted clauses in the set s,i.e. j cj s, cj

(i) s(i).

Let s be a subset of (k)'s clauses, and let be a conflict clause deducible from s, i.e. s ` .

(x2 y5), (x2 y5 z3 w4)

=(y5 z3 w4)s =

By substitution, it is also true that s(i) ` (i).

(x2+i y5+i), (x2+i y5+i z3+i w4+i)

(i) =(y5+i z2+i w4+i)s(i) =

Replicated clauses

Conclusion: if s(i) (k) then we can also add (i) to (k).

(i) is a new clause that we got 'for free'.

We call (i) a 'replicated clause'.

The remaining question is: for which i, s(i) (k).

Replicated clauses

1. While generating (k), mark all transition relation clauses.

2. For every conflict clause , if all the clauses in s are marked, then mark as 'replicable'.

.

.

.

Replicated clauses

3. Record ls and hs, the lowest and highest cycle index in s.

4. Add a replicated clause (i) for i in the range -ls .. (k - hs).

Given a replicable clause and the subset of clauses s from which it was deduced:

.

.

.

Replicated clauses

yzw

0 1 2 3 4 5 6

Going right

Going left

= (y5 z3 w4)

(1) = (y6 z4 w5)

(-1) = (y4 z2 w3)

(-2) = (y3 z1 w2)

(x2 y5), (x2 y5 z3 w4)

s = ls = 2, hs = 5k = 6

yzw

0 1 2 3 4 5 6

yzw

0 1 2 3 4 5 6

Example

Design #1 Design #2

Strategy k 27 28 29 30 31 14 15 16 17 18

Normal time 61 102 174 144 14 10 91 192 * *

time 63 77 80 47 16 10 58 155 1.6E4 * I ncremental SAT added

clauses

0 973 1092 1208 1253 0 925 2117 3474 6116

time 48 21 19 44 30 13 48 214 6211 *

replicated 2094 1704 1216 1075 450 5932 5656 7778 1.7E4 * I ncremental + replication

added clauses

0 482 1113 1536 2014 0 3374 5773 9806 1.6E4

Experimental results (2001)