1 Satisfiability modulo the Theory of Bit Vectors Alessandro Cimatti IRST, Trento, Italy [email protected]oint work with R. Bruttomesso, A. Franzen, A. Griggio, R. Sebastian e gratefully acknowledge support from the Academic Research Program of Intel
55
Embed
1 Satisfiability modulo the Theory of Bit Vectors Alessandro Cimatti IRST, Trento, Italy [email protected] Joint work with R. Bruttomesso, A. Franzen,
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
• Efficient solving– leverage availability of structural information– hopefully retaining efficiency of boolean SAT
5
Satisfiability Modulo Theory
• Satisfiability: – is there a truth-assignment to boolean
variables – and a valuation to individual variables – such that formula evaluates to true?
• Standard semantics for FOL• Assignment to individual variables
– Induces truth values to atoms
• Truth assignment to boolean atoms• Induced value to whole formula
6
Propositionalstructure
TA TA TA TA
P P P
x y z w x x y z w x
+ - + - + - + -+ - + -
8
Eager Approach to SMT
• Main idea: compilation to SAT– STEP1: Theory part compiled to equisatisfiable
pure SAT problem– STEP2: run propositional SAT solver
9
Propositionalstructure
TA TA TA TA
P P P
x y z w x x y z w x
10
P P PTA TA TA TA
Lifted theory Propositionalstructure
11
The Lazy approach
• Ingredients– a boolean SAT solver – a theory solver
• The boolean solver is modified to enumerate boolean (partial) models
• The theory solver is used to Check for theory consistency
12
Propositionalstructure
TA TA TA TA
P P P
x y z w x x y z w x
TA TA TA TA
13
MathSAT: intuitions• Two ingredients: boolean search and theory reasoning
– find boolean model• theory atoms treated as boolean atoms• truth values to boolean and theory atoms• model propositionally satisfies the formula
– check consistency wrt theory• set of constraints induced by truth values to theory atoms• existence of values to theory variables
• Example: (P v (x = 3)) & (Q v (x – y < 1)) & (y < 2) & (P xor Q)
• Boolean model– !P, (x = 3), Q, (x – y < 1), (y < 2)– Check (x = 3), (x – y < 1), (y < 2)– Theory contradiction!
• Another boolean model– P , !(x = 3) , !Q, (x – y < 1), (y < 2)– Check !(x = 3), (x – y < 1), (y < 2)– Consistent: e.g. x := 0, y := 0
14
TSAT!
Boolean SAT: search spaceP
• The DPLL procedure• Incremental construction of satisfying assignment• Backtrack/backjump on conflict• Learn reason for conflict• Splitting heuristics
Q
R
S
S
R
T
Q
S
T
R
15
MathSAT: approach
• DPLL-based enumeration of boolean models– Retain all propositional optimizations
• Conflict-directed backjumping, learning
– No overhead if no theory reasoning• Tight integration between
RTmp0 = d;RTmp1 = RTmp0 << 1;RTmp2 = c + RTmp1;RTmp3 = RTmp2 << 1;RTmp4 = b + RTmp3;RTmp5 = RTmp4 << 1;ROut = a + RTmp5;
a + ((b + ((c + (d<<1)) <<1)) <<1)
input a, b, c, d : reg[N];
I.e. LOut = ROut ?
20
Fixed Width Bit Vectors• Constants
– 0b00001111, 0xFFFF, …
• Variables– valued over BitVectors of corresponding width– implicit restriction to finite domain
• Function symbols– selection: x[15:0]– concatenation: y :: z– bitwise operators: x && y, z || w, …– arithmetic operators: x + y, z * w, … – shifting: x << 2, y >> 3
– (LOut.1 != ROut.1) or … or (LOut.N != ROut.N)• LTmp1 = 2 * b
– formula in 2N vars, conjunction of N iffs• LTmp2 = LTmp0 + LTmp1
– formula relating 3N vars– possibly additional vars required (e.g. carries)
• N = 16 bits?– 13 secs
• N = 32 bits?– 170 secs
• “But obviously N = 64 bits!”– stopped after 2h CPU time
Scalabilitywith respect
to N???
30
Bit-Blasting: Pros and Conses
• Bottlenecks– dependency on word width– “wrong” level of abstraction
• boolean synthesis of arithmetic circuits• assignments are pervasive• conflicts are very fine grained
– e.g. discover x < y
• Advantages– let the SAT solver do all the work
• and nowadays SAT solvers are tough nuts to crack– amalgamation of the decision process
• no distinction between control and data• conflicts can be as fine grained as possible
– built-in capability to generate “new atoms”
31
Enhancements to BitBlasting
• Tuning SAT solver on structural information– e.g. splitting heuristic for adders
• Preprocessing + SAT [GBD05]– rewrite and normalize bit vector terms – bit blasting to SAT
32
SMT(BV) via reduction to SMT(LA)
33
From BV to LIA• RTL-Datapath Verification using Integer Linear Programming
[BD01]• BV constants as integers
– 0b32_1111 as 15• BV variables as integer valued variables, with range constraints
– reg x [31:0] as x in range [0, 2^32)• Assignments treated as equality, e.g. x = y• Arithmetic, e.g. z = x + y
– Linear arithmetic? not quite! BV Arithmetic is modulo 2^N– z = x + y - 2^N s, with z in [0, 2^N)
• Concatenation: x :: y as 2^n x + y• Selection: relational encoding (based on integrity)
– x[23:16] as xm, where– x = 2^24 xh + 2^16 xm + xl,
xl in [0, 2^16), xm in [0, 2^8), xl in [0, 2^8) • Bitwise operators
– based on selection of individual bits
• SOLVER– the omega test
34
From SMT(BV) into SMT(LIA)
• Generalizes [BD01] to deal with boolean structure
• Eager encoding into SMT(LIA)
• Unfortunately, not very efficient• More precisely, a failure
35
Retrospective Analysis• Crazy approach?
– Arithmetic• Linear arithmetic? not quite! BV Arithmetic is modulo 2^N
– Selection and Concatenation• an easy problem becomes expensive!
– Bitwise operators• HARD!!!
• Available solvers not adequate– integers with infinite precision– reasoning with integers may be hard (e.g. BnB within real relaxation)
• Functional dependencies are lost!
• A clear culprit: static encoding– depending on control flow, same signal is split in different parts– z = if P then x[7:0] :: y[3:0] else x[5:2] :: y[10:3]
• x, y and also z are split more than needed• the notion of “maximal chunk” depends on P !!!
36
SMT(BV) via online BV reasoning
37
A lazy approach
• Based on standard MathSAT schema– DPLL-based model enumeation– Dedicated Solver for Bit vectors
• The encoding leverages information resulting from decisions– Given values to control variables, the data path
is easier to deal with (e.g. maximal chunks are bigger)
• Layering in the theory solver– equality reasoning– limited simplification rules– full blown bit vector solver only at the end
38
BV solver
The architecture
Boolean enumeration
EUF reasoning
BV rewriter LIAencoding
39
Rewriting rules
• evaluation of constant terms– 0b8_01010101[4:2] becomes 0b3_101
• rules for equality– x = y and Phi(x) becomes Phi(y)– based on congruence closure
• splitting concatenations– (x :: y) = z becomes x = z[h_n] && y == z[l_n]
• “pigeon-hole” rules– from (x != 0 & x != 1 & x != 2 & x < 3) derive
false
41
BV rewriter
• Rules are applied until– fix point reached– contradiction found
• Implementation based on EUF reasoner– rules as merges between eq classes
• Open issues– incrementality/backtrackability– selective rule activation– conflic set reconstruction
• When it fails …
42
LIA encoding (the last hope)
• LIA encoding– idenfication of maximal slices– “purification”: separating out arithmetic and
BW by introduction of additional variables
• NB: on resulting problems– LIA encoding always superior to bit blasting!!!– cfr [DB01]
43
Status of Implementation
• Implementation still in prototypical state• “Does a lot of stupid things”
– conflict minimization by deletion filtering– checking that conflict are in fact minimal– unnecessary calls to LA for SAT clusters– calling LA solver implemented as dump on file,
and run external MathSAT– huge conflict sets
44
A very very preliminary evaluation
45
Competitors
• Run against MiniSAT 1.14– ~ winner of SAT competition in 2005
• KEY REMARK: – boolean methods are very mature
• A good reason for giving up?
46
Test benches
• 74 benchmarks from industrial partner– would have been ideal for SMT-COMP
• QF_UFBV32
• Unfortunately– can not be disclosed– “will have to be destroyed after the
collaboration”– hopefully our lives will be spared
47
48
49
Conclusions
• A “market need” for SMT(BV) solvers• Bit Blasting: tough competitors• After a failure, …• Preliminary results are encouraging
• Future challenges– optimize BV solver– better conflict sets– tackle some RTL verification cases– extension to memories
50
A small digression on QF_UFBV32 at SMT-COMP
51
QF_UFBV[32] at SMT-COMP
• the MathSAT you will see there IS NOT the one I described
• We currently have no results for QF_UFBV
• Easy benchmarks:– QF_UFBV[32] not particularly “SMT”– the boolean component is nearly missing– the BV part is “easily” solvable by bit blasting
• We entered SMT-COMP QF_UFBV32– MathSAT based on BIT BLASTING to SAT– NuSMV based on bit blasting to BDDs
52
QF_UFBV: Bit Blasting to SAT
• Preprocessing based on– Ackerman’s elimination of function symbols– rewriting simplification– bit blasting
• Core: call SAT solver underlying MathSAT– every SAT problem in < 0.3 secs– most UNSAT within seconds– a handful of hard ones between 300 and 500
secs
53
BDDs (???) on SMT-COMP tests
• Even NuSMV entered SMT-COMP• Ackerman’s elimination of functional symbols• Rewriting preprocessor• Core solver
– based on BDDs– conjunctively partitioned problem– structural BDD-based ordering (bit interleaving)– (almost) no dynamic reordering– affinity-based clustering, threshold 100 nodes– early quantification
• Seems to work well both on SAT and UNSAT instances
54
RESULTS
• first STP• then YICES• then NuSMV• then CVC3 (but no results on two samples)• then MathSAT BITBLASTING