
Deciding separation formulas with SAT

Exploring separation predicates for inequalities, and decision methods using case splitting and Bellman-Ford algorithm, with application to verifying formulas. Options beyond case splitting discussed.


Presentation Transcript


  1. Deciding separation formulas with SAT. Ofer Strichman, Sanjit A. Seshia, Randal E. Bryant. School of Computer Science, Carnegie Mellon University

  2. Separation predicates
  • Predicates of the form x1 < x2 + c and x1 ≤ x2 + c, where c is a constant
  • Also known as 'difference predicates'
  • We will consider x1, x2 as either real or integer variables
  • Used when proving formulas derived from timed automata, scheduling problems, and more
  • Pratt: "Most inequalities arising in verification are separation predicates"

  3. Deciding separation via case-splitting (1/2)
  [Figure: the inequality graphs over x1, x2, x3 of the two cases below, with edge weights 1, 1, 1 and 1, 1, -3]
  φ: x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ (x3 < x1 - 3 ∨ x3 < x1 + 1)
  Case splitting:
  • x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ x3 < x1 + 1
  • x1 < x2 + 1 ∧ x2 < x3 + 1 ∧ x3 < x1 - 3
  Theorem [Bellman, 57]: The formula is satisfiable iff the inequality graph does not contain a negative cycle.

  4. Deciding separation via case-splitting (2/2)
  [Figure: an inequality graph with edge weights 1, 5, -4, 1, -3]
  • Bellman-Ford: finding whether there is a negative cycle in a graph is polynomial
  • Overall complexity: O(2^|φ|), due to case-splitting
  • Case-splitting is normally the bottleneck of decision procedures
  • Q: Is there an alternative to case-splitting?
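The case-splitting procedure of slides 3 and 4, as an added example that is not part of the original presentation: one disjunct is chosen per disjunction, and each resulting conjunction of separation predicates is checked with Bellman-Ford. The tuple encoding of predicates, the `strict` flag (so that a zero-weight cycle through a strict edge is also reported, which is needed over the reals) and the sample formula are this example's own assumptions, taken from the slide-3 formula.

```python
from itertools import product

# Constructed instance: the formula from the case-splitting slides. A predicate
# (i, j, c, strict) is x_i < x_j + c (strict) or x_i <= x_j + c, i.e. an edge
# i -> j of weight c in the inequality graph.
COMMON = [(1, 2, 1, True), (2, 3, 1, True)]               # x1 < x2 + 1, x2 < x3 + 1
DISJUNCTIONS = [[[(3, 1, -3, True)], [(3, 1, 1, True)]]]  # x3 < x1 - 3  or  x3 < x1 + 1

def has_negative_cycle(preds):
    """Bellman-Ford negative-cycle test over the inequality graph.
    Over the reals a set of predicates is inconsistent iff some cycle has total
    weight < 0, or weight 0 and at least one strict edge; so weights are pairs
    (c, -1 if strict else 0) added componentwise and compared lexicographically."""
    nodes = {v for i, j, _, _ in preds for v in (i, j)}
    dist = {v: (0, 0) for v in nodes}        # implicit source at distance 0 to all
    for _ in range(len(nodes)):
        changed = False
        for i, j, c, strict in preds:
            cand = (dist[i][0] + c, dist[i][1] - int(strict))
            if cand < dist[j]:
                dist[j], changed = cand, True
        if not changed:
            return False                     # converged within |V| rounds
    return True                              # still relaxing: a negative cycle exists

def decide_by_case_splitting(common, disjunctions):
    """Pick one disjunct per disjunction (2^|disjunctions| cases for binary ones),
    run Bellman-Ford on each conjunction; return the first consistent case or None."""
    for choice in product(*disjunctions):
        case = common + [p for disjunct in choice for p in disjunct]
        if not has_negative_cycle(case):
            return case
    return None
```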

  5. Difference Decision Diagrams (DDD) (Møller, Lichtenberg, Andersen, Hulgaard, 1999)
  [Figure: a DDD with the nodes x1 - x3 < 0, x2 - x3 (compared with) 0 and x2 - x1 < 0, terminals 1 and 0, and the 'path-reduce' operation]
  • Similar to OBDDs, but the nodes are separation predicates
  • Each path is checked for consistency, using Bellman-Ford
  • Worst case: an exponential number of such paths
  • Semi-canonical (i.e. canonical when φ is a tautology or a contradiction)
  • Under certain conditions on φ, fully canonical

  6. ’: x1 x2 1 1 2. Build the joint graph G: 1 -3 x3 Boolean encoding (take 1) : x1 < x2 + 1  x2 < x3 + 1  (x3 < x1 -3  x3 < x1 +1) 1. Encode: 3. Forbid ‘true’ assignment to negative simple cycles in G:

  7. What about negations in φ?
  The unsatisfiable formula φ: ¬(x1 < x2 ∨ x2 ≤ x1 + 1) is reduced to the satisfiable formula:
  [Figure: graph with nodes x1, x2 and edge weights 0 and 1; legend distinguishes '<' edges from '≤' edges]
  Problem: our graph does not consider the polarity of the constraints.

  8. Solution #1: Consider both polarities
  Dual edges: x1 < x2 + 1 and x2 ≤ x1 - 1 [Figure: the two edges between x1 and x2 with weights 1 and -1]
  The joint graph: [Figure: nodes x1, x2, x3 with edge weights 1, -1, -3, 1, 3, -1]

  9. Solution #2: Eliminate negations
  1. Transform to Negation Normal Form (NNF), and eliminate negations by reversing inequality signs
  2. Rewrite '>' and '≥' predicates as '<' and '≤', e.g. rewrite x1 > x2 + c as x2 < x1 - c
  Solution #2 results in a smaller number of constraints

  10. Problem: redundant constraints
  φ: (x1 < x2 - 3 (x2 < x3 - 1 x3 < x1 + 1)) [connectives not recoverable from the transcript]
  Case splitting: [Figure: the inequality graphs of the cases over x1, x2, x3]
  The joint graph G: [Figure: nodes x1, x2, x3 with edge weights -3, -1, 1]
  G creates redundant constraints

  11. Solution: Conjunctions Matrices (1/3)
  • Let φd be the DNF representation of φ
  • We only need to consider cycles that are in one of the clauses of φd
  • Deriving φd is exponential. But:
  • Knowing whether a given set of literals share a clause in φd is polynomial, using conjunctions matrices

  12. Conjunctions Matrices (2/3)
  [Figure: the parse tree of φ: l0 (l1 (l2 l3)) and its conjunctions matrix M over l0, l1, l2, l3; connectives not recoverable from the transcript]
  • Let φ be a formula in NNF.
  • Let li and lj be two literals in φ.
  • The joining operand of li and lj is the lowest joint parent of li and lj in the parse tree of φ.

  13. Conjunctions Matrices (3/3)
  [Figure: inequality graph over x0, x1, x2, x3 for φ: x0 < x1 (x1 < x2 (x2 < x3 x3 < x0)); connectives not recoverable from the transcript]
  • Claim: A set of literals L = {l0, l1, …, ln} share a clause in φd iff for all li, lj ∈ L, i ≠ j, M[li, lj] = 1.
  • In our case the literals are separation predicates.
  • The entries in the conjunctions matrix correspond to 'edges between edges'
  • We can now consider only simple cycles whose corresponding M-graph forms a clique.

  14. Boolean encoding (take 2)
  0. Normalize φ (eliminate negations)
  1. Encode φ (replace each separation predicate with a Boolean var)
  2. Build the joint inequality graph G
  3. Add a constraint forbidding 'true' assignment to negative simple cycles in G whose corresponding M forms a clique.
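The conjunctions matrix of slides 11 to 13 and the take-2 encoding of slide 14, as one added example that is not code from the presentation: `conjunctions_matrix` computes M from the NNF parse tree (the joining operand of two literals is 'and' iff they share a DNF clause), `clique_cycles` enumerates the simple cycles of the joint graph and keeps only those whose edges form a clique in M, and `decide` conjoins the blocking constraints with the Boolean skeleton. The tuple representation, the brute-force search standing in for a SAT solver, and the slide-3 formula read with ∧/∨ are this example's assumptions.

```python
from itertools import product

# NNF formula: ('and', f, g) / ('or', f, g) with leaves indexing PREDS; predicate (i, j, c) is x_i < x_j + c, i.e. edge i -> j of weight c.
PREDS = [(1, 2, 1), (2, 3, 1), (3, 1, -3), (3, 1, 1)]        # constructed: slide-3 formula
PHI = ('and', 0, ('and', 1, ('or', 2, 3)))

def conjunctions_matrix(f):
    """M[a, b] = 1 iff the joining operand (lowest joint parent) of literals a, b is 'and'."""
    M = {}
    def walk(node):                          # returns the literal indices under node
        if isinstance(node, int):
            return [node]
        left, right = walk(node[1]), walk(node[2])
        for a in left:
            for b in right:
                M[a, b] = M[b, a] = int(node[0] == 'and')
        return left + right
    walk(f)
    return M

def clique_cycles(preds, M):
    """Simple cycles of weight <= 0 (all predicates are strict, so weight 0 is also
    inconsistent) whose edges pairwise share a clause, i.e. form a clique in M."""
    found = []
    def dfs(start, cur, path, seen, w):
        for e, (a, b, c) in enumerate(preds):
            if a == cur and b == start:
                cyc = path + [e]
                if w + c <= 0 and all(M[i, j] for i in cyc for j in cyc if i != j):
                    found.append(cyc)
            elif a == cur and b > start and b not in seen:
                dfs(start, b, path + [e], seen | {b}, w + c)
    for s in {v for a, b, _ in preds for v in (a, b)}:
        dfs(s, s, [], {s}, 0)                # each cycle found once, from its smallest node
    return found

def skeleton(f, val):
    """Truth value of the Boolean skeleton of f under val (one bit per predicate)."""
    if isinstance(f, int):
        return val[f]
    l, r = skeleton(f[1], val), skeleton(f[2], val)
    return (l and r) if f[0] == 'and' else (l or r)

def decide(f, preds):
    """Take-2 encoding, solved by brute force: a satisfying assignment or None."""
    blocked = clique_cycles(preds, conjunctions_matrix(f))
    for val in product([False, True], repeat=len(preds)):
        if skeleton(f, val) and not any(all(val[e] for e in c) for c in blocked):
            return val
    return None
```

For the slide-3 formula only the cycle through the -3 edge is blocked, and the solver picks the other disjunct; a cycle whose edges never share a clause is not blocked at all, which is the redundancy slide 10 points at.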

  15. Compact representation of constraints (1/2)
  [Figure: a chain of n diamonds; eliminating the middle node of a diamond with edges c1, c2 yields a single edge c1 + c2, leaving edges c3, c4]
  n diamonds → 2^n simple cycles. Can we do better than that? In many cases, yes. How? With variable elimination.

  16. Compact representation of constraints (2/2)
  [Figure: edges c1: x1 → x3, c2: x2 → x3, c3: x3 → x4; quantifying out x3 yields x1 → x4 (c1 + c3) and x2 → x4 (c2 + c3)]
  Quantifying out x3:
  • Worst case: exponential number of constraints
  • Complexity heavily depends on elimination order
  • Given a conjunctions matrix M, we add a constraint only if the joining operand of the two constraints is '∧'

  17. Boolean encoding (take 3)
  0. Normalize φ (eliminate negations)
  1. Encode φ (replace each separation predicate with a Boolean var)
  2. Build the joint inequality graph G
  3. Eliminate all variables successively: if
  • e1 and e2 are ingoing and outgoing edges of the eliminated variable, and
  • M[e1, e2] = 1, and
  • the resulting edge is e3,
  then add to φ' the constraint e1 ∧ e2 → e3
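One elimination step of take 3 (slides 16 and 17), as an added example that is not the presentation's own code: every ingoing/outgoing pair whose joining operand is '∧' (M = 1) is joined into a new edge of summed weight, and the implication e1 ∧ e2 → e3 is recorded. The edge tuples, the derived edge name `e1+e2`, the constructed M, and the treatment of a joined self-loop (weight ≤ 0 means x_a < x_a + w, which never holds, so the pair is simply forbidden) are this example's assumptions; how M is extended to derived edges for further elimination steps is not covered by the slides and is not attempted here.

```python
# Edges of the joint inequality graph as (name, src, dst, weight): name is the Boolean
# variable encoding x_src < x_dst + weight. Constructed from the "quantifying out x3"
# slide; M is a constructed conjunctions matrix over edge names (1 = joining operand 'and').
EDGES = [('c1', 'x1', 'x3', 1), ('c2', 'x2', 'x3', 2), ('c3', 'x3', 'x4', 3)]
M = {('c1', 'c3'): 1, ('c2', 'c3'): 1, ('c1', 'c2'): 1}

def joined(M, a, b):
    """Symmetric lookup of M; unknown pairs do not share a clause."""
    return M.get((a, b), M.get((b, a), 0))

def eliminate(var, edges, M):
    """One step of take 3: drop var and join every ingoing edge e1 with every outgoing
    edge e2 for which M[e1, e2] = 1 into e3 of weight w1 + w2. Returns the remaining
    edges and the constraints (e1, e2, e3) meaning e1 /\ e2 -> e3. A joined edge that
    is a self-loop of weight <= 0 encodes x_a < x_a + w, which can never hold, so its
    constraint is recorded as (e1, e2, None), i.e. ~(e1 /\ e2); a self-loop of positive
    weight always holds and yields no constraint."""
    ins = [e for e in edges if e[2] == var]
    outs = [e for e in edges if e[1] == var]
    rest = [e for e in edges if var not in e[1:3]]
    constraints = []
    for n1, a, _, w1 in ins:
        for n2, _, b, w2 in outs:
            if not joined(M, n1, n2):
                continue                     # the two predicates share no DNF clause
            n3, w3 = n1 + '+' + n2, w1 + w2
            if a == b:
                if w3 <= 0:
                    constraints.append((n1, n2, None))
                continue
            rest.append((n3, a, b, w3))
            constraints.append((n1, n2, n3))
    return rest, constraints
```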

  18. Extension to integer variables
  Given φ with integer separation predicates, derive φR:
  • Declare all variables as real
  • Replace x1 < x2 + c and x1 ≤ x2 + c, where c is not an integer, with x1 ≤ x2 + ⌊c⌋ (the constant rounded down; the floor brackets did not survive in the transcript)
  • Replace each predicate x1 < x2 + c with x1 ≤ x2 + c - 1
  Theorem: φ is satisfiable iff φR is satisfiable

  19. Experimental results (1/3)
  [Figure: a chain of diamonds with d = 2]
  • n diamonds
  • Each diamond has 2d edges
  • Top and bottom paths in each diamond are disjoint. There are 2^n conjoined cycles.
  • By adjusting the weights, we ensured that there is a single satisfying assignment.

  20. Experimental results (2/3): 'diamond' shape formulas
  • Results in seconds
  • Using variable elimination (rather than explicit cycle enumeration)

  21. Experimental results (3/3): symbolic simulation of hardware designs
  • Results in seconds
  • Using variable elimination (rather than explicit cycle enumeration)

  22. Discussion and conclusions (1/2)
  • Procedures based on case-splitting cannot scale
  • SAT methods can also be seen as 'case-splitting', but they split the domain, not the formula. As a result:
  • Pruning is easy
  • Learning is easy
  • Guidance is easy ("which case should we start with?")

  23. Discussion and conclusions (2/2)
  • Both the reduction to SAT and solving the SAT instance are exponential
  • The reduction to SAT is the bottleneck of our procedure, whereas the resulting SAT instances are empirically easy to solve
  • The total time was shorter in all examples compared to ICS and DDDs
  • The decision procedure has recently been integrated into the theorem prover C-prover and the verification system Uclid

  24. The End
