Post on 25-Feb-2016
Carnegie Mellon University
SAT-Based Decision Procedures for Subsets of First-Order Logic
Randal E. Bryant
http://www.cs.cmu.edu/~bryant
Part II: Separation Logic
– 2 –
Outline
Background: SAT-based decision procedures
Equality with Uninterpreted Functions: translating to propositional formula; exploiting positive equality and sparse transitivity
Separation Logic: translating to propositional formula; hybrid encoding techniques
– 3 –
Separation Logic with Uninterpreted Functions (SUF)
Suitable for verifying wider class of systems
Terms (T): Integer Expressions
  ITE(F, T1, T2)          If-then-else
  Fun(T1, …, Tk)          Function application
  T + 1                   Increment
  T – 1                   Decrement
Formulas (F): Boolean Expressions
  ¬F, F1 ∧ F2, F1 ∨ F2    Boolean connectives
  T1 = T2                 Equation
  T1 < T2                 Inequality
  Pred(T1, …, Tk)         Predicate application
– 4 –
SUF → Separation Logic
Eliminate function and predicate applications using fresh variables and ITE expressions [Bryant, German, Velev, CAV'99]: f(x) → v1 and f(y) → ITE(x = y, v1, v2)
Resulting grammar:
Terms (T): Integer Expressions
  v                       Integer variable (replaces Fun(T1, …, Tk))
  ITE(F, T1, T2)          If-then-else
  T + 1                   Increment
  T – 1                   Decrement
Formulas (F): Boolean Expressions
  b                       Boolean variable (replaces Pred(T1, …, Tk))
  ¬F, F1 ∧ F2, F1 ∨ F2    Boolean connectives
  T1 = T2                 Equation
  T1 < T2                 Inequality (separation predicate)
– 5 –
Eager Boolean Encoding Methods for Separation Logic
Separation Logic Formula → [Per-Constraint Encoding (EIJ) or Small Domain Encoding (SD)] → Boolean Formula → SAT Solver → satisfiable/unsatisfiable
– 6 –
Small Domain Encoding (SD)
Example: x ≥ y ∧ y ≥ z ∧ z ≥ x+1
Observation: To check satisfiability, need to consider all possible relative orderings of finitely-many expressions; here the expressions are x, x+1, y, z (one ordering, values increasing: x, x+1, y, z)
Can use Boolean encoding of finite range of values: 4 values in this case, so 2-bit encoding
  x → ⟨x1 x0⟩, y → ⟨y1 y0⟩, z → ⟨z1 z0⟩, x+1 → ⟨x1 x0⟩ + 1, so the predicates become ⟨x1 x0⟩ ≥ ⟨y1 y0⟩, ⟨y1 y0⟩ ≥ ⟨z1 z0⟩, ⟨z1 z0⟩ ≥ ⟨x1 x0⟩ + 1
[Bryant, Lahiri, Seshia, CAV'02]
– 7 –
Per-Constraint Encoding (EIJ)
Example: x ≥ y ∧ y ≥ z ∧ z ≥ x+1
Separation predicates: e1: x ≥ y, e2: y ≥ z, e3: z ≥ x+1
New separation predicate: e4: x ≥ z
Transitivity constraints: e1 ∧ e2 → e4; ¬(e4 ∧ e3)
Overall Boolean encoding: e1 ∧ e2 ∧ e3, conjoined with the transitivity constraints
[Strichman, Seshia, Bryant, CAV'02]
– 8 –
Enforcing Transitivity Constraints
Graph Representation of Separation Constraints: directed multigraph where edges labeled by constants; an edge x → y labeled c1 represents the predicate x ≥ y + c1
Fourier-Motzkin Elimination: eliminate nodes in succession; possibly exponential growth in edges
Example: edges x → y labeled c1 and c3, and y → z labeled c2 and c4; eliminating y yields x → z edges labeled c1 + c2, c1 + c4, c3 + c2, c3 + c4
– 9 –
Introducing New Predicates
(Same graph as before: edges x → y labeled c1 and c3, y → z labeled c2 and c4; edge x → y labeled c1 denotes x ≥ y + c1)
Sample Predicates
  e1: x ≥ y + c1
  e2: y ≥ z + c2
  e3: x ≥ z + c1 + c2
  e4: x ≥ y + c2
Sample Transitivity Constraint: e1 ∧ e2 → e3
Sample Ordering Constraint (for c1 < c2): e4 → e1
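As an added illustration (my own code, not from the slides or the UCLID tool), the node elimination of the two slides above carried out over separation predicates x ≥ y + c: it emits the transitivity constraints, a contradiction constraint when a cycle of positive weight closes, and the ordering constraints between predicates over the same pair of variables. The (x, y, c) triple representation, the e-numbering of fresh predicates and the string form of the constraints are my choices.

```python
from itertools import count

def eij_constraints(preds, order):
    """Per-constraint (EIJ) encoding: eliminate the variables in `order` one after
    another (Fourier-Motzkin style) and collect the Boolean constraints the encoding
    must add. preds: dict name -> (x, y, c) meaning the predicate x >= y + c.
    Returns (all predicates, original and introduced, list of constraint strings)."""
    work = dict(preds)            # edges of the graph that remain after eliminations
    allp = dict(preds)            # every predicate that has been given a name
    fresh = count(len(preds) + 1)
    cons = []

    def name_of(x, z, c):        # reuse an existing name for x >= z + c, else mint one
        for n, p in allp.items():
            if p == (x, z, c):
                return n
        n = f"e{next(fresh)}"
        allp[n] = work[n] = (x, z, c)
        return n

    for v in order:
        into = [(n, p) for n, p in work.items() if p[1] == v]   # x >= v + c1
        outof = [(n, p) for n, p in work.items() if p[0] == v]  # v >= z + c2
        for n1, (x, _, c1) in into:
            for n2, (_, z, c2) in outof:
                if x == z:                    # cycle: x >= x + (c1 + c2)
                    if c1 + c2 > 0:           # positive weight: both cannot hold
                        cons.append(f"not({n1} and {n2})")
                    continue
                cons.append(f"{n1} and {n2} -> {name_of(x, z, c1 + c2)}")
        for n, _ in into + outof:             # node v is gone, so are its edges
            del work[n]

    # ordering constraints: x >= y + c2 implies x >= y + c1 whenever c1 < c2
    items = list(allp.items())
    for n1, (x1, y1, c1) in items:
        for n2, (x2, y2, c2) in items:
            if (x1, y1) == (x2, y2) and c1 < c2:
                cons.append(f"{n2} -> {n1}")
    return allp, cons

if __name__ == "__main__":
    # the running example of the slides: x >= y, y >= z, z >= x + 1
    example = {"e1": ("x", "y", 0), "e2": ("y", "z", 0), "e3": ("z", "x", 1)}
    print(eij_constraints(example, ["y", "z"]))
```

On the running example this reproduces slide 7: eliminating y introduces e4: x ≥ z with e1 ∧ e2 → e4, and eliminating z closes the positive cycle, giving ¬(e4 ∧ e3).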
– 10 –
Comparing Eager Encoding Methods
Of SD and EIJ encoding methods, which one is better?
Comparison with respect to: size of resulting Boolean formula; performance of SAT solver
– 11 –
Size of Boolean Encoding: SD better than EIJ
Let N be size of original separation logic formula (size of a directed acyclic graph representation)
SD encoding size is worst-case O(N²)
EIJ encoding size is worst-case O(2^N): can generate O(2^N) transitivity constraints
Example: N = 6813
  Method   Boolean Encoding Size
  SD       54465
  EIJ      > 1000000
– 12 –
Impact on SAT problem: SD vs EIJ
Experimentally compared zChaff performance on SD and EIJ encodings of several unsatisfiable formulas
Sample result: EIJ better than SD for zChaff
  Method   # Boolean variables   # CNF clauses   # Conflict clauses   zChaff time (sec)
  EIJ      57211                 169387          150                  0.56
  SD       23112                 67699           15811                21.63
– 13 –
Impact on SAT: Why is EIJ better than SD?
Conjecture: For SD, SAT solver has to "discover" transitivity constraints as conflict clauses; violation of transitivity constraint might be discovered only after assigning bits of several bit-vectors
EIJ adds all such constraints a priori: less learning and backtracking required by the SAT solver
– 14 –
Eager Encoding Tradeoffs
SD encoding: + polynomial size encoding; – worse for SAT solvers
EIJ encoding: – worst-case exponential size encoding; + better for SAT solvers
Can we automatically select between SD and EIJ based on the input formula?
– 15 –
Selection Strategy
Estimate number of transitivity constraints, C; if C > T use SD encoding, otherwise use EIJ encoding
Problem: computationally hard to estimate number of transitivity constraints
Can we use a different metric?
Idea: Identify feature of the input formula that varies monotonically with run-time of EIJ (but not with run-time of SD)
[Seshia, Lahiri, Bryant, DAC '03]
– 16 –
A Good Formula Feature: Number of Separation Predicates
– 17 –
A Good Formula Feature: Number of Separation Predicates
– 18 –
Revised Selection Strategy
Count number of separation predicates, m; if m > T use SD encoding, otherwise use EIJ encoding
Easy to count number of separation predicates
Very approximate measure of # of transitivity constraints: constraints only relate predicates that share variables
Also need to automate setting of threshold T: statistically estimate from "training" set of benchmarks
– 19 –
Identifying Variable Classes
Example formula: predicates x ≥ y, y ≥ z, z ≥ x+1 (variables {x,y,z} shared) and u ≥ v, u = v-2 (variables {u,v} shared), combined by Boolean connectives
Assignments to {u,v} are independent of those to {x,y,z}
– 20 –
Hybrid Encoding Technique
Separation Logic Formula
Compute: 1. variable classes based on predicates; 2. number of separation predicates for each class: {x,y,z} with m1, …, {u,v} with mk
Encode each class using SD or EIJ based on local decision: for each class i, if mi > T use SD, otherwise use EIJ
Encoded Boolean Formula
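The class computation and per-class decision of the two slides above, as added example code of my own (not the UCLID implementation): a union-find over the variables mentioned by the separation predicates, then a count m_i per class compared against a threshold T. Predicates are assumed to be (x, y, c) triples for x ≥ y + c, and the equation u = v-2 of the example is assumed to be split into the two inequalities u ≥ v-2 and v ≥ u+2 before counting.

```python
def variable_classes(preds):
    """Group variables into classes: two variables are in the same class when some
    predicate mentions both (closed transitively). preds: dict name -> (x, y, c)."""
    parent = {}

    def find(v):                          # union-find with path halving
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for x, y, _ in preds.values():
        parent[find(x)] = find(y)         # union the classes of x and y
    classes = {}
    for v in list(parent):
        classes.setdefault(find(v), set()).add(v)
    return list(classes.values())

def hybrid_selection(preds, threshold):
    """For each variable class count its separation predicates m_i and choose SD
    when m_i > threshold, EIJ otherwise. Returns {frozenset(class): (m_i, method)}."""
    decision = {}
    for cls in variable_classes(preds):
        # a predicate's two variables always lie in the same class, so test one side
        m = sum(1 for x, _, _ in preds.values() if x in cls)
        decision[frozenset(cls)] = (m, "SD" if m > threshold else "EIJ")
    return decision

if __name__ == "__main__":
    # constructed input: the example formula of the slides, equation split in two
    example = {"e1": ("x", "y", 0), "e2": ("y", "z", 0), "e3": ("z", "x", 1),
               "e4": ("u", "v", 0), "e5": ("u", "v", -2), "e6": ("v", "u", 2)}
    for cls, (m, method) in hybrid_selection(example, threshold=2).items():
        print(sorted(cls), m, method)
```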
– 21 –
Automatically Selecting a Threshold Value: Intuition
EIJ run time increases drastically beyond a certain number of separation predicates
– 22 –
Automatically Selecting a Threshold Value using Clustering
Cluster total time (Y-axis) values, minimizing variance of each cluster
– 23 –
Experimental Evaluation Setup
Compared Hybrid against:
  SD and EIJ encodings
  Cooperating Validity Checker (CVC), based on lazy encoding method [Stump et al. '02]
  Stanford Validity Checker (SVC), non SAT-based [Barrett et al. '96]
  CVC & SVC can handle more expressive logics than SUF
Benchmarks: 49 unsatisfiable SUF formulas (load-store unit, out-of-order unit, device driver code, compiler validation, DLX pipeline); threshold value calculated from subset of 16 benchmarks; worked well for 39 out of the 49 benchmarks
Setup: used zChaff SAT solver; imposed timeout of 1800 sec. on total time (encoding + SAT)
– 24 –
Hybrid vs. SD (39/49 benchmarks): scatter plot with regions labeled "Hybrid better" and "SD better"
– 25 –
Hybrid vs. EIJ (39/49 benchmarks): scatter plot with regions labeled "Hybrid better" and "EIJ better"
– 26 –
Hybrid vs. Lazy Encoding (CVC) (39/49 benchmarks): scatter plot with regions labeled "CVC better" and "Hybrid better"
– 27 –
Hybrid vs. Non-SAT-based Procedure (SVC) (39/49 benchmarks): scatter plot with regions labeled "SVC better" and "Hybrid better"
– 28 –
SD outperforms Hybrid on 10/49 benchmarks: scatter plot with regions labeled "SD better" and "Hybrid better"
– 29 –
Conclusions & Ongoing Work
Hybrid combination of EIJ and SD encodings: is robust to formula variations; outperforms lazy encoding methods (CVC); outperforms non-SAT-based methods (SVC)
Ongoing & Future work: alternate estimators for number of transitivity constraints; threshold setting technique based on clustering applies to other CAD problems too; combination of lazy and eager encoding techniques might perform well on satisfiable formulas?
More on UCLID project webpage: http://www.cs.cmu.edu/~uclid