A Hybrid SAT-based Decision Procedure for Separation Logic with Uninterpreted Functions

1. A Hybrid SAT-based Decision Procedure for Separation Logic with Uninterpreted Functions Sanjit A. Seshia Joint work with Shuvendu K. Lahiri & Randal E. Bryant Carnegie Mellon University, USA June 2003

2. OK Verification Error Formula Decision Procedure for Decidable Fragment of First-Order Logic Decision Procedure for Decidable Fragment of First-Order Logic Satisfiable/Unsatisfiable Decision Procedure for Decidable Fragment of First-Order Logic Decision Procedures in Formal Verification RTL/ Source Code + Specifi-cation Formal Model + Specifi-cation Abstraction Applications: Out-of-order, Pipelined Microprocessors; Cache Coherence Protocols; Device Drivers; Compiler Validation; …

3. Common Operations x0 x1 p  x x2 ALU x 1 0 ITE(p, x, y) xn-1 y If-then-else Bit-vectors to (unbounded) Integers x x x = < + x = y x < y x +1 Test for equality 1 y y  f Counters Test for ordering Functional units to Uninterpreted Functions a = x Æ b = y ) f(a,b) = f(x,y) Data and Function Abstraction

4. Sufficiently expressive for afore-mentioned applications System property expressed as SUF formula F Efficiently decided via translation to SAT Terms (T )Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application T + 1 Increment T - 1 Decrement Formulas (F )Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation T1 < T2 Inequality Pred(T1, …, Tk) Predicate application Separation Logic with Uninterpreted Functions (SUF)

5. Input Formula Input Formula additional clause Approximate Boolean Encoder Satisfiability-preserving Boolean Encoder unsatisfiable First-order Conjunctions SAT Checker Boolean Formula Boolean Formula satisfiable SAT Solver SAT Solver satisfying assignment unsatisfiable satisfiable satisfiable unsatisfiable LAZY ENCODING EAGER ENCODING SAT-based Decision Procedures

6. Talk Outline • SUF  Separation Logic  SAT • Two eager encoding techniques • Pros and cons of each technique • Combining eager encoding techniques • The Hybrid eager encoding technique • Experimental results • Superior performance to lazy encoding methods and non-SAT-based decision procedures • Conclusions

7. Eliminate function and predicate applications using fresh variables and ITE expressions [Bryant, German, Velev, CAV’99] f(x) v1andf(y) ITE(x = y, v1, v2) v Integer variable Formulas (F )Boolean Expressions F, F1F2, F1F2 Boolean connectives T1 = T2 Equation T1 < T2 Inequality Pred(T1, …, Tk) Predicate application Separation Predicate b Boolean variable SUF  Separation Logic Terms (T )Integer Expressions ITE(F, T1, T2) If-then-else Fun (T1, …, Tk) Function application T + 1 Increment T - 1 Decrement

8. Boolean Formula SAT Solver satisfiable/unsatisfiable Eager Boolean Encoding Methods for Separation Logic Separation Logic Formula Small Domain Encoding (SD) Per-Constraint Encoding (EIJ)

9. x x x+1 x+1 h0x1x0i¸h0y1y0iÆh0y1y0i¸h0z1z0iÆh0z1z0i¸ h0x1x0i + 1 y y z z Values increase Small Domain Encoding (SD) [Bryant, Lahiri, Seshia, CAV’02] x ¸ y Æ y ¸ z Æ z ¸ x+1 Observation: To check satisfiability, need to consider all possible relative orderings of finitely-many expressions Can use Boolean encoding of finite range of values • 4 values in this case, so 2-bit encoding

10. e1 x ¸ y y ¸ z e2 e1Æ e2Æ e3 e3 z ¸ x+1 Æ Overall Boolean Encoding e1Æ e2) e4 New Separation Predicate Æ e4 x ¸ z e4): e3 Transitivity Constraints Per-Constraint Encoding (EIJ) [Strichman, Seshia, Bryant, CAV’02] x ¸ y Æ y ¸ z Æ z ¸ x+1

11. Comparing Eager Encoding Methods • Of SD and EIJ encoding methods, which one is better? • Comparison with respect to • Size of resulting Boolean formula • Performance of SAT solver

12. Method Boolean Encoding Size Example: N = 6813 EIJ > 1000000 SD 54465 Size of Boolean Encoding: SD better than EIJ • Let N be size of original separation logic formula • Size of a directed acyclic graph representation • SD encoding size is worst-case O(N2) • EIJ encoding size is worst-case O(2N) • Can generate O(2N) transitivity constraints

13. Impact on SAT problem: SD vs EIJ • Experimentally compared zChaff performance on SD and EIJ encodings of several unsatisfiable formulas • Sample result: EIJ better than SD for zChaff

14. Impact on SAT: Why is EIJ better than SD? • Conjecture: For SD, SAT solver has to “discover” transitivity constraints as conflict clauses • Violation of transitivity constraint might be discovered only after assigning bits of several bit-vectors • EIJ adds all such constraints a priori • Less learning and backtracking required by the SAT solver

15. Eager Encoding Tradeoffs • SD encoding • Polynomial size encoding • Worse for SAT solvers • EIJ encoding • Worst-case exponential size encoding • Better for SAT solvers • Can we automatically select between SD and EIJ based on the input formula?

16. Selection Strategy • Problem: • Computationally hard to estimate number of transitivity constraints • Can we use a different metric? • Idea: Identify feature of the input formula that varies monotonically with run-time of EIJ (but not with run-time of SD) Estimate number of transitivity constraints, C NO YES C > T ? Use SD encoding Use EIJ encoding

17. A Good Formula Feature: Number of Separation Predicates

18. A Good Formula Feature: Number of Separation Predicates

19. Revised Selection Strategy • Easy to count number of separation predicates • Very approximate measure of # of transitivity constraints • Constraints only relate predicates that share variables • Also need to automate setting of threshold T • Statistically estimate from “training” set of benchmarks Count number of separation predicates, m NO YES m > T ? Use SD encoding Use EIJ encoding

20. {u,v} shared {x,y,z} shared Identifying Variable Classes Æ Ç Ç u¸v Æ z¸x+1 u= v-2 y¸z x¸y Assignments to {u,v} are independent of those to {x,y,z}

21. Compute 1. Variable classes based on predicates 2. Number of separation predicates for each class {u,v}, mk {x,y,z}, m1 mk > T ? m1 > T ? YES YES NO NO SD SD EIJ EIJ Encode each class using SD or EIJ based on local decision Encoded Boolean Formula Hybrid Encoding Technique Separation Logic Formula

22. Automatically Selecting a Threshold Value: Intuition EIJ run time increases drastically beyond a certain number of separation predicates

23. Automatically Selecting a Threshold Value using Clustering Cluster total time (Y-axis) values, minimizing variance of each cluster

24. Experimental Evaluation Setup • Compared Hybrid against • SD and EIJ encodings • Cooperating Validity Checker (CVC) based on lazy encoding method [Stump et al.’02] • Stanford Validity Checker (SVC) – non SAT-based [Barrett et al. ’96] • CVC & SVC can handle more expressive logics than SUF • Benchmarks • 49 unsatisfiable SUF formulas • Load-store unit, out-of-order unit, device driver code, compiler validation, DLX pipeline • Threshold value calculated from subset of 16 benchmarks • Worked well for 39 out of the 49 benchmarks • Setup • Used zChaff SAT solver • Imposed timeout of 1800 sec. on total time (Encoding+SAT)

25. Hybrid vs. SD (39/49 benchmarks) Hybrid better SD better

26. Hybrid vs. EIJ (39/49 benchmarks) Hybrid better EIJ better

27. Hybrid vs. Lazy Encoding (CVC) (39/49 benchmarks) Hybrid better CVC better

28. Hybrid vs. Non-SAT-based Procedure (SVC) (39/49 benchmarks) Hybrid better SVC better

29. SD outperforms Hybrid on 10/49 benchmarks Hybrid better SD better

30. Conclusions & Ongoing Work • Hybrid combination of EIJ and SD encodings • is robust to formula variations • outperforms lazy encoding methods (CVC) • outperforms non-SAT-based methods (SVC) • Ongoing & Future work • Alternate estimators for number of transitivity constraints • Threshold setting technique based on clustering applies to other CAD problems too • Combination of lazy and eager encoding techniques might perform well on satisfiable formulas? • More on UCLID project webpage http://www.cs.cmu.edu/~uclid