1
Deciding separation formulas with SAT
Ofer Strichman Sanjit A. Seshia Randal E. Bryant
School of Computer Science,
Carnegie Mellon University
2
Separation predicates
Predicates of the form x1 < x2 + c and x1 ≤ x2 + c, where c is a constant
Also known as ‘difference predicates’
We will consider x1, x2 as either real or integer variables
Used when proving formulas derived from Timed automata, Scheduling problems, and more
Pratt: “Most inequalities arising in verification are separation predicates”
3
Deciding separation via case-splitting (1/2)
φ: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ (x3 < x1 - 3 ∨ x3 < x1 + 1)
Case splitting gives two conjunctions:
  x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ x3 < x1 - 3
  x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ x3 < x1 + 1
[Figure: the inequality graph of each case over x1, x2, x3; edge weights 1, 1, -3 for the first case and 1, 1, 1 for the second]
Theorem [Bellman, 57]: A conjunction of separation predicates is satisfiable iff its inequality graph does not contain a negative cycle.
4
Deciding separation via case-splitting (2/2)
[Figure: inequality graphs with edge weights 1, 1, -3 and 5, -4]
Bellman-Ford: finding whether there is a negative cycle in a graph is polynomial
Overall complexity: O(2^|φ|), due to case-splitting
Case-splitting is normally the bottleneck of decision procedures
Q: Is there an alternative to case-splitting?
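The case-splitting procedure of slides 3 and 4, as an added example in Python (my own illustration, not code from the talk or its authors). Formulas are nested tuples in a syntax constructed for this example; every disjunction is split into cases, and each case, a conjunction of separation predicates, is handed to Bellman-Ford. Beyond the slide, it also tells strict ‘<’ edges from ‘≤’ edges by folding an infinitesimal into the edge weight, so a zero-weight cycle that contains a strict edge is correctly reported as a negative cycle.

```python
"""Deciding a separation formula by case splitting plus Bellman-Ford.

Formula syntax (constructed for this example):
  ("and", f, g) | ("or", f, g) | (op, i, j, c)
where a predicate (op, i, j, c), op in {"<", "<="}, means  x_i op x_j + c
and i, j are the variable numbers (also the nodes of the inequality graph).
"""
from itertools import product


def cases(f):
    """Split f into its DNF cases, each a list of predicates (a conjunction).
    Every disjunction doubles the work: the number of cases is O(2^|f|)."""
    if f[0] == "and":
        return [a + b for a, b in product(cases(f[1]), cases(f[2]))]
    if f[0] == "or":
        return cases(f[1]) + cases(f[2])
    return [[f]]


def has_negative_cycle(preds):
    """Bellman's theorem: a conjunction of separation predicates is
    satisfiable iff its inequality graph has no negative cycle.

    x_i op x_j + c is the edge i -> j with weight c.  Adding up the
    predicates around a cycle gives 0 < (sum of weights) if any edge is
    strict and 0 <= (sum of weights) otherwise, so a cycle is infeasible
    iff its weight is negative, or zero with at least one strict edge.
    Strictness is folded into the weight as an infinitesimal: the weight
    is the pair (c, -1 if strict else 0), compared lexicographically.
    """
    nodes = {v for _, i, j, _ in preds for v in (i, j)}
    edges = [(i, j, c, -1 if op == "<" else 0) for op, i, j, c in preds]
    dist = {v: (0, 0) for v in nodes}   # a virtual source reaches every node at 0
    changed = False
    for _ in range(len(nodes)):         # |V| relaxation rounds
        changed = False
        for i, j, c, s in edges:
            cand = (dist[i][0] + c, dist[i][1] + s)
            if cand < dist[j]:
                dist[j], changed = cand, True
        if not changed:
            break                       # converged: no negative cycle
    return changed                      # still relaxing in round |V|: negative cycle


def decide_by_case_split(f):
    """Return the first satisfiable case of f, or None if f is unsatisfiable."""
    for case in cases(f):
        if not has_negative_cycle(case):
            return case
    return None


# The running example of slide 3 (constructed input):
#   x1 < x2 + 1  and  x2 < x3 + 1  and  (x3 < x1 - 3  or  x3 < x1 + 1)
PHI = ("and", ("<", 1, 2, 1),
       ("and", ("<", 2, 3, 1),
        ("or", ("<", 3, 1, -3), ("<", 3, 1, 1))))

if __name__ == "__main__":
    for case in cases(PHI):
        print(case, "negative cycle" if has_negative_cycle(case) else "consistent")
    print(decide_by_case_split(PHI))
```

The first case (weights 1, 1, -3) has a cycle of weight -1 and is rejected; the second (weights 1, 1, 1) is consistent, so the procedure returns it.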
5
Difference Decision Diagrams (DDD) (Møller, Lichtenberg, Andersen, Hulgaard, 1999)
Similar to BDDs, but the nodes are separation predicates
Ordering on variables determines order on predicates
Semi-canonical (i.e. canonical when φ is a tautology or a contradiction)
φ: ¬(x1 – x3 < 0) x2 - x3 ≤ 0 ¬(x2 - x1 < 0)
[Figure: DDD with the nodes x1 – x3 < 0, x2 - x3 ≤ 0, x2 - x1 < 0 and the terminals 1 and 0]
Each path leading to ‘1’ is checked for consistency with ‘Bellman-Ford’
Worst case – an exponential no. of such paths
6
Boolean encoding (take 1)
φ: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ (x3 < x1 - 3 ∨ x3 < x1 + 1)
1. Encode (e_{i,j,c} is the Boolean variable standing for x_i < x_j + c):
   φ': e_{1,2,1} ∧ e_{2,3,1} ∧ (e_{3,1,-3} ∨ e_{3,1,1})
2. Build the joint graph G:
   [Figure: joint inequality graph over x1, x2, x3 with edge weights 1 (x1 < x2 + 1), 1 (x2 < x3 + 1), -3 (x3 < x1 - 3) and 1 (x3 < x1 + 1)]
3. Forbid ‘true’ assignment to negative simple cycles in G:
   φ'': φ' ∧ ¬(e_{1,2,1} ∧ e_{2,3,1} ∧ e_{3,1,-3})
7
What about negations in φ?
The unsatisfiable formula φ: ¬(x1 < x2 ∨ x2 ≤ x1 + 1)
is reduced to the satisfiable formula:
φ': ¬(e_{1,2,0} ∨ e_{2,1,1})
[Figure: joint graph over x1, x2 with edge weights 0 (x1 < x2) and 1 (x2 ≤ x1 + 1); legend: the edge styles distinguish ‘<’ from ‘≤’]
Problem: our graph does not consider the polarity of the constraints.
8
Solution #1: Consider both polarities
Dual edges: [Figure: the graph of x1 < x2 + 1, x2 < x3 + 1, x3 < x1 - 3 (edge weights 1, 1, -3) next to its dual graph with edge weights -1, -1, 3]
The joint graph: [Figure: both sets of edges on x1, x2, x3, with weights 1, 1, -3 and -1, -1, 3]
The dual of x1 < x2 + 1 is x2 ≤ x1 - 1
9
Solution #2: Eliminate negations
1. Transform φ to Negation Normal Form (NNF), and eliminate negations by reversing inequality signs
2. Rewrite ‘>’ and ‘≥’ predicates as ‘<’ and ‘≤’, e.g. rewrite x1 > x2 + c as x2 < x1 – c
Solution #2 results in a smaller number of constraints
10
Problem: redundant constraints
φ: x1 < x2 - 3 ∧ (x2 < x3 – 1 ∨ x3 < x1 + 1)
Case splitting: [Figure: two graphs over x1, x2, x3, one with edge weights -3 and -1, the other with edge weights -3 and 1]
The joint graph G: [Figure: one graph over x1, x2, x3 with edge weights -3, 1 and -1]
G creates redundant constraints: the cycle with weights -3, -1, 1 is negative in G, but its edges -1 and 1 never occur together in a case, so the constraint forbidding that cycle is redundant.
11
Solution: Conjunctions Matrices (1/3)
Let φ_d be the DNF representation of φ
We only need to consider cycles that are in one of the clauses of φ_d
Deriving φ_d is exponential. But –
Knowing whether a given set of literals share a clause in φ_d is polynomial, using Conjunctions Matrices
12
Conjunctions Matrices (2/3)
Let φ be a formula in NNF. Let li and lj be two literals in φ.
The joining operand of li and lj is the lowest joint parent of li and lj in the parse tree of φ.
φ: l0 ∧ (l1 ∨ (l2 ∧ l3))
[Figure: parse tree of φ: ∧ at the root with children l0 and ∨; the ∨ node has children l1 and ∧; that ∧ node has children l2 and l3]
Conjunctions Matrix M:
       l0   l1   l2   l3
  l0   -    1    1    1
  l1   1    -    0    0
  l2   1    0    -    1
  l3   1    0    1    -
13
Conjunctions Matrices (3/3)
Claim: A set of literals L = {l0, l1, …, ln} share a clause in φ_d iff for all li, lj ∈ L, i ≠ j, M[li, lj] = 1.
φ: x0 < x1 ∧ (x1 < x2 ∨ (x2 < x3 ∧ x3 < x0))
[Figure: inequality graph over x0, x1, x2, x3]
In our case the literals are separation predicates. The entries in the conjunctions matrix correspond to ‘edges between edges’.
We can now consider only the simple cycles whose edges form a clique in M.
14
Boolean encoding (take 2)
0. Normalize (eliminate negations)
1. Encode (replace each separation predicate with a Boolean var)
2. Build the joint inequality graph G
3. Add a constraint forbidding ‘true’ assignment to negative simple cycles in G whose edges form a clique in M.
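The full ‘take 2’ procedure, as an added example in Python (my own illustration of slides 6 to 14, not the authors' code; it also covers the negation problem of slide 7, the redundant-constraint formula of slide 10 and the conjunctions matrix of slides 12 and 13). Formulas are nested tuples in a syntax constructed for this example. Step 0 pushes negations to the predicates and reverses their inequalities; step 1 gives each predicate occurrence a Boolean variable and builds M while walking the parse tree; steps 2 and 3 enumerate the simple cycles of the joint graph whose edges pairwise have M = 1 and block those that are negative, or zero-weight with a strict edge. A brute-force loop over assignments stands in for the SAT solver.

```python
"""Boolean encoding 'take 2' of a separation formula.

Formula syntax, constructed for this example:
  ("and", f, g) | ("or", f, g) | ("not", f) | (op, i, j, c)
where (op, i, j, c), op in {"<", "<="}, means  x_i op x_j + c  and the
variable number i is also the node of x_i in the inequality graph.
"""
from itertools import product

FLIP = {"<": "<=", "<=": "<", "and": "or", "or": "and"}


def nnf(f):
    """Step 0: push negations down to the predicates and eliminate them by
    reversing the inequality: not(x_i < x_j + c) is x_j <= x_i - c."""
    if f[0] == "not":
        g = f[1]
        if g[0] == "not":
            return nnf(g[1])
        if g[0] in ("and", "or"):
            return (FLIP[g[0]], nnf(("not", g[1])), nnf(("not", g[2])))
        op, i, j, c = g
        return (FLIP[op], j, i, -c)
    if f[0] in ("and", "or"):
        return (f[0], nnf(f[1]), nnf(f[2]))
    return f


def literals_and_matrix(f):
    """Step 1 plus the conjunctions matrix.  Each predicate occurrence gets a
    Boolean variable (its index in `lits`); the skeleton is f with predicates
    replaced by ("var", k).  M[a, b] is True iff the joining operand (lowest
    common ancestor) of literals a and b in the parse tree of f is 'and'."""
    lits, M = [], {}

    def walk(g):
        if g[0] in ("and", "or"):
            (ls, left), (rs, right) = walk(g[1]), walk(g[2])
            for a, b in product(ls, rs):
                M[a, b] = M[b, a] = (g[0] == "and")
            return ls + rs, (g[0], left, right)
        lits.append(g)
        return [len(lits) - 1], ("var", len(lits) - 1)

    skeleton = walk(f)[1]
    return lits, M, skeleton


def blocked_cycles(lits, M):
    """Steps 2-3: simple cycles of the joint graph G (literal k: x_i op x_j + c
    is the edge i -> j with weight c) whose edges form a clique in M and whose
    weight is negative, or zero with a strict edge.  Each returned list of
    literal indices must not be set to true simultaneously."""
    out = {}
    for k, (_, i, j, _) in enumerate(lits):
        out.setdefault(i, []).append(k)
        out.setdefault(j, [])
    found = []

    def dfs(start, node, path, visited, weight, strict):
        for k in out[node]:
            op, _, j, c = lits[k]
            # Each cycle is found once, from its smallest node; enforce the clique.
            if j < start or any(not M[k, p] for p in path):
                continue
            w, s = weight + c, strict or op == "<"
            if j == start and (w < 0 or (w == 0 and s)):
                found.append(path + [k])
            elif j not in visited:
                dfs(start, j, path + [k], visited | {j}, w, s)

    for start in out:
        dfs(start, start, [], {start}, 0, False)
    return found


def holds(sk, a):
    """Evaluate the Boolean skeleton under the assignment a (indexable by var)."""
    if sk[0] == "var":
        return a[sk[1]]
    l, r = holds(sk[1], a), holds(sk[2], a)
    return (l and r) if sk[0] == "and" else (l or r)


def decide(f):
    """Decide f: a satisfying assignment of the Boolean variables (a list,
    index = literal number) or None.  Brute force stands in for the SAT solver."""
    lits, M, sk = literals_and_matrix(nnf(f))
    blocked = blocked_cycles(lits, M)
    for a in product((False, True), repeat=len(lits)):
        if holds(sk, a) and not any(all(a[k] for k in cyc) for cyc in blocked):
            return list(a)
    return None


# Constructed inputs: the running example of slides 3 and 6, the negated
# formula of slide 7, and the redundant-constraint formula of slide 10.
PHI = ("and", ("<", 1, 2, 1), ("and", ("<", 2, 3, 1),
                               ("or", ("<", 3, 1, -3), ("<", 3, 1, 1))))
PHI_NEG = ("not", ("or", ("<", 1, 2, 0), ("<=", 2, 1, 1)))
PHI_RED = ("and", ("<", 1, 2, -3), ("or", ("<", 2, 3, -1), ("<", 3, 1, 1)))

if __name__ == "__main__":
    print(decide(PHI))      # [True, True, False, True]
    print(decide(PHI_NEG))  # None: the negated formula is unsatisfiable
    print(blocked_cycles(*literals_and_matrix(nnf(PHI_RED))[:2]))  # []
```

For PHI the only blocked cycle is {e_{1,2,1}, e_{2,3,1}, e_{3,1,-3}}; for PHI_NEG the normalization produces x2 ≤ x1 ∧ x1 < x2 - 1, whose single cycle is blocked, so no assignment survives; for PHI_RED the negative cycle of the joint graph is skipped because its -1 and +1 edges are joined by ∨ (M = 0), which is exactly the redundant constraint of slide 10.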
15
Compact representation of constraints (1/2)
[Figure: a chain of n ‘diamonds’; edge labels c1, c2, c1 + c2, c3, c4]
n diamonds → 2^n simple cycles.
Can we do better than that? In many cases - yes.
How? With variable elimination
16
Compact representation of constraints (2/2)
Quantifying out x3: [Figure: graph over x1, x2, x3, x4 with edge weights c1, c2, c3; after eliminating x3 the edges into x4 have weights c1 + c3 and c2 + c3]
Worst case: exponential no. of constraints
Complexity heavily depends on elimination order
Given a conjunctions matrix M, we add a constraint only if the joining operand of the two constraints is ‘∧’
17
Boolean encoding (take 3)
0. Normalize (eliminate negations)
1. Encode (replace each separation predicate with a Boolean var)
2. Build the joint inequality graph G
3. Eliminate all variables successively. If
   • e1 and e2 are ingoing and outgoing edges of the eliminated variable, and
   • M[e1, e2] = 1, and
   • the resulting edge is e3
   then add to φ' the constraint e1 ∧ e2 → e3
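‘Take 3’ with variable elimination, as an added example in Python (my own illustration, not the authors' code). The joint graph is supplied directly as a dictionary of named edges, the conjunctions matrix as the set of pairs whose joining operand is ∧ (written by hand for the constructed instance rather than derived from a parse tree), and the elimination order as a list. Two details are my assumptions, not stated on the slide: a derived edge that closes a negative self-loop stands for false, so e1 ∧ e2 → e3 degenerates to ¬(e1 ∧ e2); and a derived edge e3 shares a clause with its two components and, with any other edge e, exactly when both components do. The instance is a two-diamond chain of the kind shown on slides 15 and 19, with weights chosen so that only one of its four cycles is consistent.

```python
"""Boolean encoding 'take 3': variable elimination instead of cycle enumeration.

Inputs (all constructed for this example):
  edges: name -> (i, j, c, strict): the edge i -> j of x_i < x_j + c (strict)
         or x_i <= x_j + c; every name is one Boolean variable
  conj:  set of frozenset pairs {e, f} whose joining operand is 'and' (M = 1)
  order: the variables (graph nodes) to eliminate, in order
Output: constraints (e1, e2, e3) meaning e1 and e2 -> e3; e3 is None when the
derived edge is a negative self-loop, i.e. the constraint is not(e1 and e2).
"""
from itertools import count, product


def eliminate(edges, conj, order):
    edges, conj = dict(edges), set(conj)           # work on copies
    constraints, fresh = [], count()
    for k in order:
        ins = [e for e, (_, j, _, _) in edges.items() if j == k]
        outs = [e for e, (i, _, _, _) in edges.items() if i == k]
        for e1, e2 in product(ins, outs):
            if frozenset((e1, e2)) not in conj:
                continue                           # never in one clause: nothing to add
            i, _, c1, s1 = edges[e1]
            _, j, c2, s2 = edges[e2]
            c, s = c1 + c2, s1 or s2
            if i == j:                             # self-loop: a closed cycle
                if c < 0 or (c == 0 and s):
                    constraints.append((e1, e2, None))   # assumption: e3 is false
                continue                           # a non-negative loop is a tautology
            e3 = f"d{next(fresh)}"
            edges[e3] = (i, j, c, s)
            # Assumption: e3 is conjoined with its components and with any other
            # edge e iff both e1 and e2 are conjoined with e.
            conj |= {frozenset((e3, e)) for e in edges if e in (e1, e2) or
                     (frozenset((e1, e)) in conj and frozenset((e2, e)) in conj)}
            constraints.append((e1, e2, e3))
        for e in ins + outs:                       # x_k leaves with its edges
            del edges[e]
    return constraints


def decide(holds, names, constraints):
    """Brute force over the original variables only.  The constraints are
    Horn clauses, so for a fixed assignment of the originals the derived
    variables are best set to exactly what is implied; if that closure
    derives None (a negative self-loop) the assignment is rejected."""
    for bits in product((False, True), repeat=len(names)):
        a = dict(zip(names, bits))
        if not holds(a):
            continue
        true = {e for e in names if a[e]}
        changed = True
        while changed:
            changed = False
            for e1, e2, e3 in constraints:
                if e1 in true and e2 in true and e3 not in true:
                    true.add(e3)
                    changed = True
        if None not in true:
            return a
    return None


def diamond_instance(ret_weight):
    """Two diamonds x0 -> x2 -> x4 closed by the edge ret: x4 -> x0 (constructed).
    Nodes: x0 = 0, x2 = 3, x4 = 6; the middle nodes of the four paths are
    1, 2, 4, 5.  Top paths weigh 1, bottom paths 2, all edges strict.
    The formula is (top1 or bot1) and (top2 or bot2) and ret."""
    paths = {"t1": ["t1a", "t1b"], "b1": ["b1a", "b1b"],
             "t2": ["t2a", "t2b"], "b2": ["b2a", "b2b"]}
    edges = {"t1a": (0, 1, 0, True), "t1b": (1, 3, 1, True),
             "b1a": (0, 2, 1, True), "b1b": (2, 3, 1, True),
             "t2a": (3, 4, 0, True), "t2b": (4, 6, 1, True),
             "b2a": (3, 5, 1, True), "b2b": (5, 6, 1, True),
             "ret": (6, 0, ret_weight, True)}
    names = list(edges)
    # The joining operand is 'or' only between the two paths of one diamond.
    conj = {frozenset((e, f)) for p, es in paths.items() for q, fs in paths.items()
            for e in es for f in fs if e != f and not (p != q and p[1] == q[1])}
    conj |= {frozenset(("ret", e)) for e in names if e != "ret"}
    holds = lambda a: ((a["t1a"] and a["t1b"] or a["b1a"] and a["b1b"])
                       and (a["t2a"] and a["t2b"] or a["b2a"] and a["b2b"])
                       and a["ret"])
    return edges, conj, [1, 2, 4, 5, 3, 6, 0], names, holds


if __name__ == "__main__":
    edges, conj, order, names, holds = diamond_instance(-3)
    cons = eliminate(edges, conj, order)
    print(len(cons), "constraints;", decide(holds, names, cons))
```

With ret = -3 the cycles weigh -1 (top, top), 0 (top, bottom: strict, hence infeasible) and 1 (bottom, bottom); eliminating the middle nodes first yields one derived edge per path, eliminating x2 combines them into four x0 → x4 edges, and eliminating x4 closes the four cycles, three of which become ¬(e1 ∧ e2) constraints. With ret = -5 every cycle is negative and the instance is unsatisfiable.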
18
Extension to integer variables
Given φ with integer separation predicates, derive φ_R:
Declare all variables as real
Replace x1 < x2 + c and x1 ≤ x2 + c, where c is not an integer, with x1 ≤ x2 + ⌊c⌋
Replace each predicate x1 < x2 + c with x1 ≤ x2 + c – 1
Theorem: φ is satisfiable iff φ_R is satisfiable
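The integer-to-real rewriting of this slide, as an added example in Python (my own illustration, not the authors' code), on a tuple syntax constructed for this example: a predicate (op, i, j, c) means x_i op x_j + c. The helper cycle_feasible is my addition for checking one closed cycle by the sum of its constants, which is all the negative-cycle criterion needs here; the constructed instance x1 < x2 ∧ x2 < x1 + 1 is satisfiable over the reals but not over the integers, and the rewrite turns that gap into a negative cycle.

```python
"""Reducing integer separation predicates to real ones.

A predicate is (op, i, j, c), op in {"<", "<="}, meaning x_i op x_j + c;
formulas are ("and", f, g) / ("or", f, g) trees of predicates.  The input
must be negation-free (normalization applied first): negating a rewritten
predicate would admit non-integer solutions over the reals.
"""
import math


def to_real(f):
    """Rewrite every predicate so that the formula, read over the reals,
    is satisfiable iff the original is satisfiable over the integers."""
    if f[0] in ("and", "or"):
        return (f[0], to_real(f[1]), to_real(f[2]))
    if f[0] == "not":
        raise ValueError("apply negation elimination first")
    op, i, j, c = f
    if not float(c).is_integer():
        # Over the integers x_i < x_j + c and x_i <= x_j + c both mean
        # x_i <= x_j + floor(c); e.g. x < y + 1.5 is x <= y + 1.
        return ("<=", i, j, math.floor(c))
    if op == "<":
        # Integer strictness is exactly one unit of slack.
        return ("<=", i, j, c - 1)
    return f


def cycle_feasible(preds):
    """For predicates that close one cycle x_{i1} op x_{i2} + c1, ...,
    x_{ik} op x_{i1} + ck: adding them up gives 0 < sum(c) if some edge is
    strict and 0 <= sum(c) otherwise (the negative-cycle criterion)."""
    total = sum(c for _, _, _, c in preds)
    strict = any(op == "<" for op, *_ in preds)
    return total > 0 or (total == 0 and not strict)


# Constructed example: x1 < x2 and x2 < x1 + 1 has the real solution
# x2 = x1 + 0.5 but no integer solution; after the rewrite the cycle
# weighs -1 + 0 over the reals and is correctly rejected.
GAP = [("<", 1, 2, 0), ("<", 2, 1, 1)]

if __name__ == "__main__":
    print(cycle_feasible(GAP))                        # True over the reals
    print(cycle_feasible([to_real(p) for p in GAP]))  # False: no integer solution
```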
19
Experimental results (1/3)
[Figure: a chain of n diamonds, d = 2]
n diamonds
Each diamond has 2d edges
Top and bottom paths in each diamond are disjoint.
There are 2^n conjoined cycles.
By adjusting the weights, we ensured that there is a single satisfying assignment.
20
Experimental results (2/3)
‘Diamond’ shape formulas; results in seconds, using variable elimination (rather than explicit cycle enumeration):

n     d   ICS      DDD      Gen. formula   SAT     Total
4     2   5.9      < 1      < 1            < 1     < 1
5     2   95.1     < 1      < 1            < 1     < 1
7     4   > 10^4   16       < 1            < 1     < 1
10    5   > 10^4   > 10^4   < 1            < 1     < 1
25    5   > 10^4   > 10^4   < 1            < 1     < 1
50    5   > 10^4   > 10^4   2              < 1     2
100   5   > 10^4   > 10^4   32             < 1     33
250   5   > 10^4   > 10^4   754            1.6     755.6
500   5   > 10^4   > 10^4   > 10^4                 > 10^4
21
Experimental results (3/3)
Symbolic simulation of hardware designs; results in seconds, using variable elimination (rather than explicit cycle enumeration):

Model               Steps   ICS      DDD      Gen. formula   SAT     Total
Load-store unit     1       < 1      < 1      < 1            < 1     < 1
                    2       87.1     > 10^4   < 1            < 1     < 1
                    3       > 10^4   > 10^4   90             1       91
Out-of-order unit   2       < 1      < 1      < 1            < 1     < 1
                    3       > 10^4   5        2.9            < 1     3.9
Cache protocol      1       < 1      < 1      < 1            < 1     < 1
                    2       1.8      2        < 1            < 1     < 1
22
Discussion and conclusions (1/2)
Procedures based on case-splitting cannot scale
SAT methods can also be seen as ‘case-splitting’, but they split the domain, not the formula. As a result:
Pruning is easy
Learning is easy
Guidance is easy (“which case should we start with?”)
23
Discussion and conclusions (2/2)
Both the reduction to SAT and solving the SAT instance are exponential
The reduction to SAT is the bottleneck of our procedure, whereas the resulting SAT instances are empirically easy to solve
The total time was shorter in all examples compared to ICS and DDDs
The decision procedure has recently been integrated into the theorem prover C-prover and the verification system Uclid
24
The End