1 / 38

Carnegie Mellon University

SAT-Based Decision Procedures for Subsets of First-Order Logic. Part I: Equality with Uninterpreted Functions. Randal E. Bryant. Carnegie Mellon University. http://www.cs.cmu.edu/~bryant. Overall Outline. Background SAT-based Decision Procedures

chloe-foley
Télécharger la présentation

Carnegie Mellon University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAT-Based Decision Procedures for Subsets of First-Order Logic Part I: Equality with Uninterpreted Functions Randal E. Bryant Carnegie Mellon University http://www.cs.cmu.edu/~bryant

  2. Overall Outline • Background • SAT-based Decision Procedures • Part I: Equality with Uninterpreted Functions • Translating to propositional formula • Exploiting positive equality and sparse transitivity • Part II: Separation Logic • Restricted form of addition • Translating to propositional formula • Hybrid encoding techniques

  3. OK Verification Error Decision Procedure for Decidable Fragment of First-Order Logic Decision Procedure for Decidable Fragment of First-Order Logic Decision Procedures in Formal Verification RTL/ Source Code + Specifi-cation Formal Model + Specifi-cation Abstraction Applications: Out-of-order, Pipelined Microprocessors; Cache Coherence Protocols; Device Drivers; Compiler Validation; …

  4. Input Formula Input Formula additional clause unsatisfiable Approximate Boolean Encoder Satisfiability-preserving Boolean Encoder First-order Conjunctions SAT Checker Boolean Formula Boolean Formula satisfiable SAT Solver SAT Solver satisfying assignment satisfiable unsatisfiable satisfiable unsatisfiable LAZY ENCODING EAGER ENCODING SAT-based Decision Procedures

  5. Uninterpreted Functions Linear Arithmetic Theory Combiner Bit Vectors • • • First-order Conjunctions SAT Checker Theory N Lazy Encoding Characteristics • Can be extended to handle wide variety of theories • Clean & modular design • Does not scale well • Number of calls to conjunction checker typically exponential in formula size • Each call independent: nothing learned in one call can be exploited by another

  6. Input Formula Satisfiability-preserving Boolean Encoder Boolean Formula SAT Solver unsatisfiable satisfiable Eager Encoding Characteristics • Must encode all information about domain properties into Boolean formula • Some properties can give exponential blowup • Lets SAT solver do all of the work Good Approach for Some Domains • Modern SAT solvers have remarkable capacity • Good at extracting relevant portions out of very large formulas • Learns about formula properties as search proceeds • Focus of this talk

  7. Common Operations x0 x1 p  x x2 ALU x 1 0 ITE(p, x, y) xn-1 y If-then-else Bit-vectors to (unbounded) Integers x = x = y Test for equality y  f Functional units to Uninterpreted Functions a = x b = y  f(a,b) = f(x,y) Data and Function Abstraction

  8. IF/ID ID/EX EX/WB PC Control Control Op Instr Mem Rd Ra = Adat Reg. File ALU Imm +4 = Rb Abstract Modeling of Microprocessor • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Also view instruction memory as function F3 F2 F1

  9. EUF: Equality with Uninterp. Functs • Decidable fragment of first order logic • Formulas (F ) Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation P (T1, …, Tk) Predicate application • Terms (T ) Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application • Functions (Fun) Integer  Integer f Uninterpreted function symbol Read, Write Memory operations • Predicates (P) Integer  Boolean p Uninterpreted predicate symbol

  10. e 1 f T F Ù e Ø 0 = x f 0 T Ú = F T F d 0 EUF Decision Problem • Circuit Representation of Formula • Truth Values • Dashed Lines • Model Control • Logical connectives • Equations • Integer Values • Solid lines • Model Data • Uninterpreted functions • If-Then-Else operation • Task • Determine whether formula F is universally valid • True for all interpretations of variables and function symbols • Often expressed as (un)satisfiability problem • Prove that formula F is not satisfiable

  11. e 1 f T x0 d0 f(x0) f(d0) F Ù e Ø 0 = x f 0 T Ú = F T F d 0 Finite Model Property for EUF • Observation • Any formula has limited number of distinct expressions • Only property that matters is whether or not different terms are equal

  12. Boolean Encoding of Integer Values • For Each Expression • Either equal to or distinct from each preceding expression • Boolean Encoding • Use Boolean values to encode integers over small range • EUF formula can be translated into propositional logic • Logic circuit with multiplexors, comparators, logic gates • Tautology iff original formula valid

  13. Some History of EUF Decision Procedures • Ackermann, 1954 • Quantifier-free decision problem can be decided based on finite instantiations • Burch & Dill, CAV ‘94 • Automatic decision procedure • Davis-Putnam enumeration • Congruence closure to enforce functional consistency • Boolean approaches • Goel, et al, CAV ‘98 • Attempted with BDDs, but didn’t get good results • Bryant, German, Velev, CAV ‘99 • Could verify microprocessor using BDDs • Velev & Bryant, DAC 2001 • Demonstrated power of modern SAT procedures

  14. Exploiting Positive Equality • Bryant, German, Velev CAV ‘99 • First successful use of Boolean methods for EUF • Positive Equality • Equations that appear in unnegated form • Exploiting • Can greatly reduce number of cases required to show validity • Only need to consider maximally diverse interpretations • Reduce number of Boolean variables in bit-level encoding

  15. Diverse Interpretations: Illustration • Task • Verify someone’s obscure code for 4X4 array transpose void trans(int a[4][4]) { int t; for (t = 4; t < 15; t++) if (~t&2|| t&8 && ~t&1) { int r = t&0x3; int c = t>>2; int val = a[r][c]; a[r][c] = a[c][r]; a[c][r] = val; } } Only operations on array elements Observation • Array elements altered only by copying one to another • Just need to make sure right set of copies performed

  16. Verifying Array Code • Test for trans4 dest src trans4 Single Test Adequate • Unique value for each possible source element • “Maximally Diverse” • If dest[r][c]=src[c][r], then must have copied proper value

  17. Characteristics of Array Verification • Correctness Condition • src[0][0] = dest[0][0]  src[0][1] = dest[1][0]  • src[0][2] = dest[2][0]  … • …  • src[3][2] = dest[2][3]  src[3][3] = dest[3][3] • Properties • All equations are in positive form • Worst case test is one that tends to make things unequal • I.e., maximally diverse interpretation • All maximally diverse interpretations isomorphic • Only need to try one to prove all handled correctly

  18. IF/ID ID/EX EX/WB PC Control Control Op Instr Mem Rd Ra = Adat Reg. File ALU Imm +4 = Rb Equations in Processor Verification • Data Types Equations • Register Ids Control stalling & forwarding • Instruction Address Only top-level verification condition • Program Data Only top-level verification condition

  19. Exploiting Equation Structure • Positive Equations • In top-level verification condition • Can use maximally diverse interpretation • Negative Equations • PIpeline control logic • Between register IDs • Operation depends on whether or not two IDs are equal • Must use general encoding • Encode with Boolean variables • All possibility of IDs that match and/or don’t match

  20. e 5 6 7 8 1 f T F 7 Ù 5 e Ø 0 = 0 x 5 5 6 6 f 0 T Ú 1 6 7 7 6 8 = F T 0 7 5 8 6 1 F d 0 Application of Positive Equality • Observation • All equations are positive in this formula • Can consider single, diverse interpretation for terms x0 d0 f(x0) f(d0) 1

  21. = F x1 vf1  = vf2 x2 f f Function Elimination: Ackermann’s Method • Replace All Function Applications by Integer Variables • Introduce new domain variable • Enforce functional consistency by global constraints • Unclear how to restrict evaluation to diverse interpretations

  22. f vf1 x1 = f x2 T F vf2 = = x3 f T F T F vf3 Function Elimination: ITE Method • General Technique • Introduce new domain variable • Nested ITE structure maintains functional consistency

  23. f 5 x1 = f x2 T F 6 = = x3 f T F T F 7 Generating Diverse Encoding • Replacing Application • Use fixed values rather than variables • Application results equal iff arguments equal

  24. Benefits of Positive Equality • Microprocessor Benchmarks • 1xDLX: Single issue, RISC processor • 2xDLX-EX-BP: Dual issue processor with exception handling & branch prediction • 9VLIW-BP: 9-way VLIW processor with branch prediction • Measurements • Using BerkMin SAT solver

  25. Benefits of Positive Equality Velev & Bryant, JSC ‘02 • Microprocessor Benchmarks • 1xDLX: Single issue, RISC processor • 2xDLX-EX-BP: Dual issue processor with exception handling & branch prediction • 9VLIW-BP: 9-way VLIW processor with branch prediction • Measurements • Using BerkMin SAT solver

  26. Transitivity Constraints eyz ezx exy exy eyz exz exy exz eyz  Revisiting Encoding Techniques x = y  y = z  z  x Satisfiable? • Small Domain (SD) • Use bit-level encodings of bounded integers • Implicitly encode properties of equality logic • Per-Constraint Encoding (EIJ) • Introduce explicit Boolean variable for each equation • Additional transitivity constraints to express properties of equality logic x1x0=y1y0y1y0=z1z0z1z0x1x0 exy eyzexz

  27. Per-Constraint Encoding • Introduced by Goel et al., CAV ‘98 • Exploiting sparse structure by Bryant & Velev, CAV 2000 • Procedure • Initial formula F • Want to prove valid • Prove that F is not satisfiable • Replace each equation x = y by Boolean variable exy • Gives formula Fsat • Generate formula expressing transitivity constraints • Gives formula Ftrans • Use SAT solver to show that Fsat Ftrans not satisfiable • Motivation • Provides SAT solver with more direct representation of underlying problem

  28. = =  = = = = = Graph Interpretation of Transitivity • Transitivity Violation • Cycle in graph • Exactly one edge has ei,j= false

  29.   Exploiting Chords • Chord • Edge connecting two non-adjacent vertices in cycle Property • Sufficient to enforce transitivity constraints for all chord-free cycles • If transitivity holds for all chord-free cycles, then holds for arbitrary cycles

  30. Enumerating Chord-Free Cycles • Strategy • Enumerate chord-free cycles in graph • Each cycle of length k yields k transitivity constraints Problem • Potentially exponential number of chord-free cycles 1 2 k • • • 2k+k chord-free cycles • • •

  31. 2k+1 chord-free cycles Adding Chords • Strategy • Add edges to graph to reduce number of chord-free cycles 1 2 k • • • 2k+k chord-free cycles • • • Trade-Off • Reduces formula size • Increases number of relational variables

  32. Chordal Graph • Definition • Every cycle of length > 3 has a chord • Goal • Add minimum number of edges to make graph chordal • Relation to Sparse Gaussian Elimination • Choose pivot ordering that minimizes fill-in • NP-hard • Simple heuristics effective

  33. 1xDLX-C Equation Structure • Vertices • For each vi • 13 different register identifiers • Edges • For each equation • Control stalling and forwarding logic • 27 relational variables • Out of 78 possible

  34. Original 27 relational variables 286 cycles 858 clauses Augmented 33 relational variables 40 cycles 120 clauses Adding Chordal Edges to 1xDLX-C

  35. 2DLX-CCt Equation Structure • Equations • Between 25 different register identifiers • 143 relational variables • Out of 300 possible

  36. Original 143 relational variables 2,136 cycles 8,364 clauses Augmented 193 relational variables 858 cycles 2,574 clauses Adding Chordal Edges to 2xDLX-CCt

  37. Choosing Encoding Method • Comparison • Formula length n with m integer variables & function applications • Worst-case complexity • Per-Constraint Encoding Works Well in Practice • Generates slightly larger formulas than small domain • Better performance by SAT solver

  38. Encoding Comparison Velev & Bryant, JSC ‘02 • Benchmarks • Superscalar, out-of-order datapath • 2–6 instructions issued in parallel • Measurements • Using BerkMin SAT solver

More Related