Towards More Efficient SATBased Model Checking - PowerPoint PPT Presentation

1
Towards More Efficient SAT-Based Model Checking
  • Joao Marques-Silva
  • Electronics & Computer Science
  • University of Southampton

LAA CV Workshop, Isaac Newton Institute,
Cambridge, May 2006
2
Motivation
  • Remarkable improvements made to SAT solvers over
    the last decade
  • Clause learning, lazy data structures, adaptive
    branching heuristics, search restarts
  • Very successful application of SAT in model
    checking
  • Bounded and unbounded model checking
  • Existing (industry motivated) challenges
  • Ability to handle ever increasing systems
  • Ability to find deep counterexamples
  • Ability to prove difficult properties
  • Lines of research
  • More efficient SAT solvers (?)
  • Better uses of SAT technology in SAT-based model
    checking

3
Goals of this talk
  • SAT & SAT-based model checking
  • Interpolants in SAT-based model checking
  • Optimizations to the utilization of interpolants

4
Outline
  • SAT & SAT-based model checking
  • Organization of a modern SAT solver
  • SAT-based bounded model checking (BMC)
  • Interpolant-based unbounded model checking (UMC)
  • Improvements to SAT-based model checking
  • Results & conclusions

5
Modern SAT algorithms
[Davis et al.'62]
  • Follow the organization of the DPLL algorithm
  • Backtrack search with unit propagation
  • Several key techniques are used
  • Clause learning [Marques-Silva & Sakallah'96]
  • Infer new clauses from causes of conflicts
  • Allows implementing non-chronological
    backtracking
  • Exploiting structure of conflicts
    [Marques-Silva & Sakallah'96]
  • Identify Unique Implication Points (UIPs)
  • Dominators in graph of implied assignments
  • Optimized data structures [Moskewicz et al.'01]
  • Lazy evaluation of clause state
  • Adaptive branching heuristics
    [Moskewicz et al.'01]
  • Variable branching metrics are affected by number
    of conflicts
  • Aging mechanisms for focusing on most recent
    conflicts
  • Search restarts [Gomes, Selman & Kautz'98]
  • Opportunistically restart backtrack search

6
Evolution of SAT solvers
  • Remarkable improvements over the last decade

7
Bounded model checking
[Biere et al.'99]
  • Verification of safety properties F f
  • Characteristic functions for representing initial
    states and transition relation, respectively I0
    and T
  • Resulting Boolean formula φk = I0 ∧ Uk ∧ Fk
  • Where
  • Interpretation

8
Bounded model checking
  • A possible BMC algorithm
  • Given some initial k
  • While k ≤ user-specified time-bound UB
  • Generate CNF formula φ for I0 ∧ Uk ∧ Fk
  • Invoke SAT solver on φ
  • If formula ? is satisfiable, then a
    counterexample within k time steps has been found
  • Return counterexample
  • Otherwise, increase k
  • The BMC algorithm is incomplete
  • But complete if completeness threshold is known

BMC loop
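The BMC loop of slide 8, run end to end as an added example that is not part of the talk: a small DPLL solver (backtrack search with unit propagation, the skeleton described on slide 5), a constructed 2-bit automaton (a counter modulo 3), its CNF unfolding I0 ∧ T0 ∧ ... ∧ Tk-1 ∧ Fk, and the loop that grows k until a counterexample is found or the user bound UB is exceeded. The example system, the variable numbering and the function names (`dpll`, `unfold`, `bmc`) are all assumptions made for this illustration.

```python
from typing import Dict, List, Optional, Tuple

Clause = List[int]          # DIMACS style: positive int = variable, negative = its negation
Model = Dict[int, bool]


def dpll(clauses: List[Clause], assignment: Optional[Model] = None) -> Optional[Model]:
    """Backtrack search with unit propagation (the DPLL organisation that modern
    solvers build on). Returns a satisfying assignment, or None if unsatisfiable."""
    asg: Model = dict(assignment or {})
    while True:                                   # unit propagation to a fixpoint
        unit = None
        for clause in clauses:
            if any(asg.get(abs(l)) == (l > 0) for l in clause if abs(l) in asg):
                continue                          # clause already satisfied
            unassigned = [l for l in clause if abs(l) not in asg]
            if not unassigned:
                return None                       # conflict: every literal is false
            if len(unassigned) == 1:
                unit = unassigned[0]
                break
        if unit is None:
            break
        asg[abs(unit)] = unit > 0
    free = [abs(l) for c in clauses for l in c if abs(l) not in asg]
    if not free:
        return asg                                # every clause is satisfied
    v = free[0]                                   # naive branching heuristic
    for value in (True, False):
        model = dpll(clauses, {**asg, v: value})
        if model is not None:
            return model
    return None


BITS = 2                                          # the state is a 2-bit register


def var(step: int, bit: int) -> int:
    """Variable index of state bit `bit` at time step `step` (1-based)."""
    return BITS * step + bit + 1


def state_literals(step: int, s: int) -> Clause:
    """Literals that are all true exactly when the state at `step` equals `s`."""
    return [var(step, b) if (s >> b) & 1 else -var(step, b) for b in range(BITS)]


def next_state(s: int) -> int:
    # Constructed example automaton: a counter modulo 3 (0 -> 1 -> 2 -> 0).
    # Encoding 3 is never reached, so a failing property "state = 3" is unreachable.
    return (s + 1) % 3 if s < 3 else 0


def transition_clauses(i: int) -> List[Clause]:
    """T_i relates step i to step i+1: one clause forbidding each (s, t) pair
    that is not a transition of the automaton."""
    clauses = []
    for s in range(1 << BITS):
        for t in range(1 << BITS):
            if t != next_state(s):
                clauses.append([-l for l in state_literals(i, s) + state_literals(i + 1, t)])
    return clauses


def unfold(k: int, bad_state: int) -> List[Clause]:
    """phi_k = I0 /\\ T_0 /\\ ... /\\ T_{k-1} /\\ F_k with I0 = (state 0 = 0)
    and F_k = (state k = bad_state)."""
    cnf = [[l] for l in state_literals(0, 0)]            # I0 as unit clauses
    for i in range(k):
        cnf += transition_clauses(i)                      # U_k, the unfolding
    cnf += [[l] for l in state_literals(k, bad_state)]    # F_k
    return cnf


def bmc(bad_state: int, ub: int) -> Optional[Tuple[int, List[int]]]:
    """The BMC loop of slide 8: increase k until phi_k is satisfiable (a
    counterexample of k steps) or the bound UB is exceeded (inconclusive)."""
    for k in range(ub + 1):
        model = dpll(unfold(k, bad_state))
        if model is not None:
            trace = [sum(model[var(i, b)] << b for b in range(BITS)) for i in range(k + 1)]
            return k, trace
    return None                                           # BMC alone is incomplete


if __name__ == "__main__":
    print(bmc(2, 5))   # counterexample reaching state 2 after 2 steps
    print(bmc(3, 6))   # None: state 3 is unreachable, but BMC cannot prove it
```

With `bad_state = 3` the loop runs up to UB and returns `None`: no counterexample exists, yet nothing proves the property, which is the incompleteness the slide points out and the motivation for the induction and interpolant techniques that follow.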
9
Towards completeness
  • Unbounded model checking
  • Utilization of induction
  • Standard BMC loop
  • Stop BMC loop for some i if there can be no
    loop-free path of length i reachable from I0, or
    no loop-free path of length i that can reach Fk
  • Maximum unfolding bounded by largest loop-free
    path
  • ...
  • Utilization of interpolants
  • BMC and Craig interpolants allow SAT-based
    computation of abstractions of reachable states
  • Avoid computing exact sets of reachable states
  • One of the most promising approaches in practice
  • Maximum unfolding bounded by largest shortest
    path between any two states

[Sheeran et al.'00]
[Chauhan et al.'02] [Gupta et al.'03]
[McMillan'03]
10
Interpolants
[Craig'57]
  • Given two subsets of clauses A and B, assume A ∧ B
    is unsatisfiable. Then there exists an
    interpolant A' for the pair (A, B) with the
    following properties
  • A implies A'
  • A' ∧ B is unsatisfiable
  • A' refers only to the common variables of A and B
  • Example
  • A = p ∧ q, B = ¬q ∧ r
  • A' = q
  • Size of interpolants
  • Given a resolution refutation of A ∧ B, can
    compute interpolant for the pair (A, B) in time
    linear in the size of the resolution refutation
  • SAT solvers can be instructed to output
    resolution refutation!
  • Computing interpolants
  • Different algorithms can be used
  • [Pudlák'97], [McMillan'03]

11
Deriving resolution refutations
  • For unsatisfiable formulas
  • Learned clauses capture a resolution refutation
    from a subset of the original clauses
  • SAT solvers can be instructed to recreate
    resolution refutation for unsatisfiable formula

[Zhang & Malik'03]
Figure (resolution refutation graph; clauses (a ∨ b), (a ∨ c) visible)
12
Computing interpolants
A = (r ∨ y)(¬r ∨ x)
B = (¬y ∨ a)(¬y ∨ ¬a)(¬x)
Figure (resolution refutation of A ∧ B, with intermediate labels y and x)
A' = y ∨ x
A implies A'; A' ∧ B is unsatisfiable; A' uses only
variables common to A and B
  • Interpolant is a Boolean circuit that follows
    structure of resolution refutation
  • Can map circuit into CNF in linear time and space

[Tseitin'68] [Plaisted & Greenbaum'86]
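The slide's example worked in code, as an added example that is not from the talk: McMillan's interpolation system is applied to a resolution refutation of A ∧ B (A = (r ∨ y)(¬r ∨ x), B = (¬y ∨ a)(¬y ∨ ¬a)(¬x)) given as an explicit proof tree, yielding A' = y ∨ x as a circuit that mirrors the refutation; the three Craig properties are then checked by brute force over all assignments. The tree shape of the proof, the formula representation and the function names (`interpolate`, `craig_check`, `run_example`) are constructed for this illustration.

```python
from itertools import product
from typing import FrozenSet, Iterable, Set, Tuple

Literal = Tuple[str, bool]              # (variable, polarity); ("r", False) is ¬r
Clause = FrozenSet[Literal]


def clause(*lits: str) -> Clause:
    """Build a clause from strings such as "r", "-y" (leading "-" negates)."""
    return frozenset((l.lstrip("-"), not l.startswith("-")) for l in lits)


def variables(clauses: Iterable[Clause]) -> Set[str]:
    return {v for c in clauses for v, _ in c}


# The two clause sets of slide 12 (constructed inputs for this example).
A = [clause("r", "y"), clause("-r", "x")]
B = [clause("-y", "a"), clause("-y", "-a"), clause("-x")]

# A resolution refutation of A ∧ B as a tree: leaves carry the clause and the
# side it came from, internal nodes resolve two sub-proofs on a pivot variable.
PROOF = ("res", "x",
         ("res", "y",
              ("res", "r", ("A", A[0]), ("A", A[1])),    # (r ∨ y), (¬r ∨ x)  ⊢ (y ∨ x)
              ("res", "a", ("B", B[0]), ("B", B[1]))),   # (¬y ∨ a), (¬y ∨ ¬a) ⊢ (¬y)
         ("B", B[2]))                                    # (x), (¬x)          ⊢ ⊥


def resolve(c1: Clause, c2: Clause, pivot: str) -> Clause:
    """Resolvent on `pivot`; rejects steps that are not valid resolutions."""
    if (pivot, True) not in c1:
        c1, c2 = c2, c1
    if (pivot, True) not in c1 or (pivot, False) not in c2:
        raise ValueError(f"cannot resolve on {pivot}")
    return (c1 - {(pivot, True)}) | (c2 - {(pivot, False)})


def interpolate(node, b_vars: Set[str]):
    """McMillan's interpolation system, walking the refutation bottom-up.
    Returns (derived clause, partial interpolant). Formulas are nested tuples:
    True/False, ("lit", literal), ("and", f, g), ("or", f, g, ...)."""
    kind = node[0]
    if kind == "A":                      # A-leaf: keep literals over shared variables
        shared = [("lit", l) for l in node[1] if l[0] in b_vars]
        return node[1], (("or", *shared) if shared else False)
    if kind == "B":                      # B-leaf: contributes nothing
        return node[1], True
    _, pivot, left, right = node
    c1, i1 = interpolate(left, b_vars)
    c2, i2 = interpolate(right, b_vars)
    # pivot local to A: disjoin the partial interpolants; otherwise conjoin them
    connective = "or" if pivot not in b_vars else "and"
    return resolve(c1, c2, pivot), (connective, i1, i2)


def evaluate(f, asg) -> bool:
    if isinstance(f, bool):
        return f
    if f[0] == "lit":
        v, polarity = f[1]
        return asg[v] == polarity
    values = [evaluate(g, asg) for g in f[1:]]
    return all(values) if f[0] == "and" else any(values)


def formula_vars(f) -> Set[str]:
    if isinstance(f, bool):
        return set()
    if f[0] == "lit":
        return {f[1][0]}
    return set().union(*(formula_vars(g) for g in f[1:]))


def holds(clauses: Iterable[Clause], asg) -> bool:
    return all(any(asg[v] == p for v, p in c) for c in clauses)


def craig_check(A, B, itp) -> bool:
    """Brute-force the three Craig properties over every assignment."""
    a_vars, b_vars = variables(A), variables(B)
    names = sorted(a_vars | b_vars)
    a_implies_itp = itp_and_b_unsat = True
    for bits in product((False, True), repeat=len(names)):
        asg = dict(zip(names, bits))
        if holds(A, asg) and not evaluate(itp, asg):
            a_implies_itp = False
        if holds(B, asg) and evaluate(itp, asg):
            itp_and_b_unsat = False
    return a_implies_itp and itp_and_b_unsat and formula_vars(itp) <= (a_vars & b_vars)


def run_example():
    """Returns (refutation ends in the empty clause, interpolant, Craig check)."""
    derived, itp = interpolate(PROOF, variables(B))
    return derived == frozenset(), itp, craig_check(A, B, itp)


if __name__ == "__main__":
    print(run_example())
```

The interpolant comes out as a circuit with one gate per resolution step, exactly the structure the slide describes; simplifying the constants away leaves y ∨ x, and a Tseitin encoding of that circuit is what would be handed back to the SAT solver in the UMC loop.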
13
Abstraction of reachable states
  • For each iteration of BMC loop, call to SAT
    solver returns unsat unless counterexample is
    found
  • Analysis of resolution refutation yields
    abstractions of reachable states
  • Given A and B, and a resolution refutation for
    A ∧ B, compute Craig interpolant A'
  • A = I0 ∧ T0 implies A'
  • A' ∧ B is unsatisfiable
  • A' solely represented with state variables
  • If A holds, then A' holds
  • A1 = A' represents abstraction of states
    reachable from I0 in 1 time step!

14
Fixpoint of reachable states
  • Can iterate computation of interpolants

If Ai ⇒ I0 ∨ A1 ∨ A2 ∨ ... ∨ Ai-1, then a
fixpoint is reached: all reachable states
identified!
15
UMC algorithm
  • k = 0
  • repeat
    • if from I0 can satisfy Fk within k steps          (BMC loop)
      • return reachable
    • R = I0
    • let A = I0 ∧ T0, and B = T1 ∧ T2 ∧ ... ∧ Tk-1 ∧ Fk
    • while A ∧ B = false                               (fixpoint)
      • P = unsat_proof(A ∧ B)
      • A' = interpolant(P, A, B)
      • if A' ⇒ R, return unreachable
      • R = A' ∨ R
      • A = A' ∧ T0
    • end while
    • increase k
  • end repeat

16
Outline
  • SAT & SAT-based model checking
  • Improvements to SAT-based model checking
  • Rescheduling the BMC loop
  • Can exploit feedback from the fixpoint checking
    loop
  • Reusing computed interpolants
  • Interpolants readily available if fixed point
    condition is based on interpolants
  • Can envision alternative fixpoint conditions
  • Results & conclusions

17
Rescheduling the BMC loop
  • k = 0
  • repeat
    • if from I0 can satisfy Fk within k steps          (BMC loop)
      • return reachable
    • R = I0
    • let A = I0 ∧ T0, and B = T1 ∧ T2 ∧ ... ∧ Tk-1 ∧ Fk
    • while A ∧ B = false                               (fixpoint)
      • P = unsat_proof(A ∧ B)
      • A' = interpolant(P, A, B)
      • if A' ⇒ R, return unreachable
      • R = A' ∨ R
      • A = A' ∧ T0
    • end while
    • increase k
  • end repeat

Number of iterations of the fixpoint loop can be used
to restrict when to check the BMC condition again!
18
Rescheduling the BMC loop
  • Fixpoint checking with i+1 iterations (last
    iteration is sat)
  • Checked all states reachable in up to k+i time
    steps; with an unfolding of size k no
    counterexample was found
  • Need to check BMC condition only when unfolding
    of FSM exceeds k+i time steps
  • In general useful if counterexample exists

19
Interpolant reuse
  • Boolean formula N is usable for B iff B ⇒ N
  • B satisfiable iff B ∧ N satisfiable
  • Learnt interpolants can be reused
  • For requiring states from a set of states
  • For preventing states from a set of states
  • A different organization of BMC

[Copty et al.'01]
20
Interpolant reuse
  • Different ways for computing interpolants
  • Computed interpolants can be direct or inverse
  • Interpolants can be computed at different time
    steps
  • Direct interpolants
  • Over-approximation of reachable states
  • Under-approximation of states that do not satisfy
    failing property
  • Inverse interpolants
  • Under-approximation of unreachable states
  • Over-approximation of states that satisfy failing
    property

21
Direct interpolants
  • P_{r,t}
  • Direct interpolant computed r time steps from I0
    and t time steps to F_k
  • From the initial state, P_{r,t}, t = k - r
  • In general, P_{r+u,t}

22
Conditions for interpolant reuse I
  • Conditions on direct interpolants
  • P_{r,t}(Y_r) is usable for φ_k, with t ≥ 0 and r ≤ k
  • ¬P_{r,t}(Y_{k-t}) is usable for φ_k, with r ≥ 0 and t ≤ k

23
An example I
  • Standard UMC model checking, with BMC and
    fixpoint loops
  • Automaton with unfolding of size k+1
  • Fixed point checking for j+1 iterations
  • Last iteration yields spurious counterexample:
    j interpolants computed
  • Interpolants computed at Y_1
  • P_{1,k}, P_{2,k}, ..., P_{j,k}
  • Examples of interpolant reuse
  • P_{i,k}(Y_i), 1 ≤ i ≤ j, is usable for φ_m, m ≥ k
  • P_{i,k} represents over-approximation of the
    states reachable in i time steps
  • With unfolding of size k+1, ¬P_{i,k}(Y_1),
    1 ≤ i ≤ j, is usable for φ_{k+1}
  • P_{i,k} represents under-approximation of the
    states that do not satisfy failing property in
    k time steps
  • With unfolding of size m ≥ k, ¬P_{i,k}(Y_{m-k}),
    1 ≤ i ≤ j, is usable for φ_m

24
Inverse interpolants
  • Q_{r,t}
  • Inverse interpolant computed r time steps from I0
    and t time steps to F_k
  • From the initial state, Q_{r,t}, t = k - r
  • In general, Q_{r+u,t}

25
Conditions for interpolant reuse II
  • Conditions on inverse interpolants
  • Q_{r,t}(Y_{k-t}) is usable for φ_k, with r ≥ 0 and t ≤ k
  • ¬Q_{r,t}(Y_r) is usable for φ_k, with t ≥ 0 and r ≤ k

26
An example II
  • Standard UMC model checking, with BMC and
    fixpoint loops
  • Automaton with unfolding of size k+1
  • Fixed point checking for j+1 iterations
  • Last iteration yields spurious counterexample:
    j interpolants computed
  • Interpolants computed at Y_1
  • Q_{1,k}, Q_{2,k}, ..., Q_{j,k}
  • Examples of interpolant reuse
  • ¬Q_{i,k}(Y_i), 1 ≤ i ≤ j, is usable for φ_m, m ≥ k
  • Q_{i,k} represents under-approximation of the
    states unreachable in i time steps
  • With unfolding of size k+1, Q_{i,k}(Y_1),
    1 ≤ i ≤ j, is usable for φ_{k+1}
  • Q_{i,k} represents over-approximation of the
    states that satisfy failing property in k time
    steps
  • With unfolding of size m ≥ k, Q_{i,k}(Y_{m-k}),
    1 ≤ i ≤ j, is usable for φ_m

27
An example III
  • Inverse UMC model checking, with BMC and fixpoint
    loops
  • Automaton with unfolding of size k+1
  • Fixed point checking for j+1 iterations
  • Last iteration yields spurious counterexample:
    j interpolants computed
  • Interpolants computed at Y_{k-1}
  • Q_{k,1}, Q_{k,2}, ..., Q_{k,j}
  • Examples of interpolant reuse
  • ¬Q_{k,i}(Y_k), 1 ≤ i ≤ j, is usable for φ_m, m ≥ k
  • Q_{k,i} represents under-approximation of the
    states unreachable in k time steps
  • With unfolding of size k+1, Q_{k,i}(Y_{k+1-i}),
    1 ≤ i ≤ j, is usable for φ_{k+1}
  • Q_{k,i} represents over-approximation of the
    states that satisfy failing property in i time
    steps
  • With unfolding of size m ≥ k, Q_{k,i}(Y_{m-i}),
    1 ≤ i ≤ j, is usable for φ_m

28
More on interpolant reuse
  • All interpolants computed in standard
    interpolant-based UMC flow can be reused
  • Easy to integrate with existing interpolant-based
    UMC flow
  • Learning and reusing of interpolants can be
    integrated into any approach for BMC or UMC
  • Plain BMC algorithm
  • Different approaches for UMC
  • Inverse interpolants provide alternative fixpoint
    condition (from previous slide)
  • If Q_{k,i} ⇒ F_{k+1} ∨ Q_{k,1} ∨ ... ∨ Q_{k,i-1}
    is satisfiable, then we have a fixpoint
  • Potentially interesting depends on automaton

29
Outline
  • SAT & SAT-based model checking
  • Improvements to SAT-based model checking
  • Results & conclusions

30
Results on rescheduling
  • Evaluated rescheduling on different benchmarks
  • Specifically designed and industrial examples
  • Evaluated both the plain UMC algorithm and
    rescheduling

31
Experience with reuse
  • Experimented with interpolant reuse on industrial
    benchmarks
  • Plain (incomplete) BMC loop
  • Direct interpolants computed at each step (for
    last time step)
  • Interpolants not used for checking fixed point
    condition
  • Experience so far
  • Search space is reduced
  • CPU times increase
  • The problems observed
  • Large interpolants
  • Naive simplifications
  • Computed solely for search pruning purposes
  • Ineffective representation
  • One Reduced Boolean Circuit (RBC) for each
    interpolant

32
Conclusions
  • SAT technology has improved dramatically over the
    last decade
  • Key techniques
  • Clause learning, optimized data structures,
    adaptive branching heuristics, search restarts
  • SAT has been applied to model checking with
    success
  • Bounded and unbounded model checking
  • Described optimizations to the utilization of
    interpolants in SAT-based model checking
  • Results preliminary
  • Rescheduling can allow number of iterations to be
    significantly reduced
  • Not significant on industrial benchmarks
  • Reuse of interpolants reduces amount of search,
    increases run times

33
Many challenges
  • Effectiveness of rescheduling in industrial
    context?
  • Can interpolant reuse yield performance gains?
  • Can we find good interpolants to learn and
    reuse?
  • E.g. size/depth of interpolant (or CNF
    representation)