A Concurrency Problem with Exponential DPLL(T ) Proofs

Transcription

1 A Concurrency Problem with Exponential DPLL(T ) Proofs Liana Hadarean 1 Alex Horn 1 Tim King 2 1 University of Oxford 2 Verimag June 5, 2015

2 2 / 27 Outline SAT/SMT-based Verification Techniques for Concurrency DPLL(T ) Lower Bound Proof Complexity Theorem A Concurrency Problem with O(N!)-sized DPLL(T ) Proofs Two State-of-the-art Partial-Order Encodings Experiments Concluding Remarks

3 3 / 27 SAT/SMT-based Verification Techniques SAT/SMT solvers are highly optimized decision procedures: φ SAT UNSAT Using these, state-of-the-art symbolic bounded model checker such as CBMC can find concurrency bugs in, and. CBMC: /* insertion sort ascending order */!! #include <stdio.h>!! thread() {! int n, array[1000], c, d, t;! printf("enter %d integers\n", n);! for (c = 0; c < n; c++) {! scanf("%d", &array[c]);! }! for (c = 1 ; c <= n - 1; c++) {! d = c;! while ( d > 0 && array[d] < array[d-1]) {! t = array[d];! array[d] = array[d-1];! array[d-1] = t;! d--;! }! }! }! thread() { printf( Hi there!\n ); }! Par*al- Order Encoding Φ Input Output

4 4 / 27 The Problem Can we pinpoint the challenges (if any) symbolic partial-order encodings of concurrency pose for SAT/SMT solvers? If yes, what insights can we gain?

5 5 / 27 SMT Solvers built on DPLL(T ) assertions Arrays SAT SAT main main CDCL core UF UF LRA LRA conflicts propagations explanations Bit-vectors

6 6 / 27 Fixed-Alphabet DPLL(T ) Proofs The SMT solvers in our experiments are built on the DPLL(T ) framework. A simplified form of DPLL(T ) with only two rules: Propositional resolution (Res); Learning T -valid clauses over the literals of a fixed alphabet of T -atoms (T -learn).

7 7 / 27 Fixed-Alphabet DPLL(T ) Proofs The SMT solvers in our experiments are built on the DPLL(T ) framework. A simplified form of DPLL(T ) with only two rules: Propositional resolution (Res); Learning T -valid clauses over the literals of a fixed alphabet of T -atoms (T -learn). Example: (x < y x = y) y < x where x, y Z. This formula is T -unsatisfiable where T is QF LIA.

8 8 / 27 Fixed-Alphabet DPLL(T ) Proofs A {}}{{}}{{}}{ Example: ( x < y x = y ) y < x B C

9 9 / 27 Fixed-Alphabet DPLL(T ) Proofs A {}}{{}}{{}}{ Example: ( x < y x = y ) y < x B C ( A B }{{}}{{} ) C }{{} (SAT: Yes) ( ) ( )

10 10 / 27 Fixed-Alphabet DPLL(T ) Proofs A {}}{{}}{{}}{ Example: ( x < y x = y ) y < x B C ( A B ) C }{{}}{{}}{{} (A B) C ( A C) (SAT: Yes) (T -learn) ( )

11 11 / 27 Fixed-Alphabet DPLL(T ) Proofs A {}}{{}}{{}}{ Example: ( x < y x = y ) y < x B C ( A B ) C }{{}}{{}}{{} (A B) C ( A C) (SAT: Yes) (T -learn) ( A B ) C ( A C ) (SAT: Yes) }{{}}{{}}{{}}{{}}{{} (A B) C ( A C) ( B C) (T -learn) (Res)

12 12 / 27 Known Challenges for SMT Solvers φ a 1 a 9 8 i=1 (a i = b i b i = a i+1 ) (a i = c i c i = a i+1 ) b 1 b 2 b 3 b 8 a 1 a 2 a 3 a 4... a 8 a 9 c 1 c 2 c 3 c 8

13 13 / 27 Known Challenges for SMT Solvers φ a 1 a 9 8 i=1 (a i = b i b i = a i+1 ) (a i = c i c i = a i+1 ) b 1 b 2 b 3 b 8 a 1 a 2 a 3 a 4... a 8 a 9 c 1 c 2 c 3 c 8

14 14 / 27 Known Challenges for SMT Solvers φ a 1 a 9 8 i=1 (a i = b i b i = a i+1 ) (a i = c i c i = a i+1 ) b 1 b 2 b 3 b 8 a 1 a 2 a 3 a 4... a 8 a 9 c 1 c 2 c 3 c 8

15 15 / 27 Known Challenges for SMT Solvers φ a 1 a 9 8 i=1 (a i = b i b i = a i+1 ) (a i = c i c i = a i+1 ) b 1 b 2 b 3 b 8 a 1 a 2 a 3 a 4... a 8 a 9 c 1 c 2 c 3 c 8

16 Known Challenges for SMT Solvers φ a 1 a 9 8 i=1 (a i = b i b i = a i+1 ) (a i = c i c i = a i+1 ) b 1 b 2 b 3 b 8 a 1 a 2 a 3 a 4... a 8 a 9 c 1 c 2 c 3 c 8 Note that φ is unsatisfiable because a i = a i+1 for all 1 i 8. But DPLL(T ) cannot learn these equalities and enumerates 2 8 theory conflicts instead, the infamous diamonds problem. 1 1 Bjørner, N., Dutertre, B., de Moura, L.: Accelerating Lemma Learning using Joins - DPLL(Join). In: LPAR (2008) 16 / 27

17 17 / 27 Contributions A general framework for establishing lower bounds on the number of T -conflicts in the fixed-alphabet DPLL(T ) calculus; Proof of factorial lower bound proof complexity for two state-of-the-art symbolic partial-order encodings of a simple, yet challenging concurrency problem; Experiments that confirm our theoretical lower bound Ω(N!) Ω(2 N ) 2 4 6

18 18 / 27 DPLL(T ) Lower Bound Proof Complexity Informally, non-interfering set of critical assignments are propositionally satisfying assignments that contain minimal, disjoint T -conflicts. Theorem Let φ be an unsatisfiable T -formula, and Q be a non-interfering set of critical assignments for φ. Every Fixed-Alphabet-DPLL(T ) proof that φ is UNSAT contains at least Q applications of T -learn. This theorem is a theoretical tool for proving lower bound proof complexity results in the DPLL(T ) framework (as exhibited next).

19 The Concurrency Problem The value at memory location x is initialized to zero, i.e. [x] = 0. Thread T 0 Thread T 1 Thread T N local v 0 := [x] local v 1 := [x] local v... N := [x] assert(v 0 N) [x] := v [x] := v N + 1 Thread T 0 Thread T 1 Thread T N r 0 r 1... w 1 r N w N For N = 2, if restricted to T 1 T 2, we get the following interleavings: (1) r 1 ; w 1 ; r 2 ; w 2 (2) r 1 ; r 2 ; w 1 ; w 2 (3) r 1 ; r 2 ; w 2 ; w 1 (4) r 2 ; r 1 ; w 1 ; w 2 (5) r 2 ; r 1 ; w 2 ; w 1 (6) r 2 ; w 2 ; r 1 ; w 1. In general, we get (2N + 1)! 2 N interleavings for T 0 T 1... T N. 19 / 27

20 20 / 27 Concurrency Problem Encoding We define the following preserved-program order (PPO) for the problem challenge T 0 T 1... T N : w init r 0 r 1... r N w 1... w N Let R {r 0,..., r N } and W {w init, w 0,..., w N }. Our partial-order encodings are parameterized by three theories: T C : clock constraints, e.g. c r c w for r R and w W, T S : selection constraints, e.g. s r = s w for r R and w W, T V : read constraints, e.g. rv r is a unique T V -variable for r R.

21 21 / 27 Cubic-size Encoding of Concurrency Problem Let φ 3 be the O(N 3 ) partial-order encoding of T 0 T 1... T N : c winit c rassert c winit c ri c wi (c w c w c w c w ) s w s w i=1...n w,w } {{ } W,w w } {{ } w W,r R PPO WW[x] (c w c r c r c w ) s w = s r rv rassert > N } {{ } w W,r R RW[x] r R w W } {{ } RF TO [x] } {{ } assert(v 0 N) (s w = s r ) c w c r (s winit = s r ) 0 = rv r } {{ } w,w W,r R RF 3 [x] r R } {{ } RF 3 [x] (s w = s r c w c w ) c r c w } {{ } FR[x] i=1...n,r R (s wi = s r ) rv ri + 1 = rv r } {{ } RF 3 [x]

22 Factorial Lower Bound DPLL(T ) Proof Complexity Theorem (Lower Bound for Cubic Partial-Order Encoding) All Fixed-Alphabet-DPLL(T ) proofs for the problem challenge encoded with φ 3 contain at least N! applications of T -learn. We also have a quadratic-size partial-order encoding. 2 This asymptotically smaller encoding has also at least factorial-sized DPLL(T ) proofs for our challenge problem! 2 Horn and Kroening. On Partial Order Semantics for SAT/SMT-based Symbolic Encodings of Weak Memory Concurrency. In: FORTE / 27

23 23 / 27 Experiments with Two Partial-Order Encodings E 3 and E 2 are partial-order encodings of asymptotically different size, parameterized by three theories T C, T S and T V. We instantiate T C, T S, T V to four configurations: 1. real-clk-int-val : T C = T S = T R and T V = T Z 2. bv-clk-int-val : T C = T S = T BV and T V = T Z 3. real-clk-bv-val : T C = T S = T R and T V = T BV 4. bv-clk-bv-val : T C = T S = T BV and T V = T BV We use the following SMT solvers: Boolector, CVC4, Yices2, Z3. Example: z3-bv-clk-int-val-e 2 denotes experiments with the O(N 2 ) encoding using Z3 where T C = T S = T BV and T V = T Z. We have a total of 56 SMT-LIB benchmarks. Timeout is 1 hour.

24 24 / 27 Experimental Results cvc4-real-clk-int-val-{e 3, E 2 } Number of SAT conflicts N! cvc4-real-clk-bv-val-{e 3, E 2 } cvc4-bv-clk-int-val-{e 3, E 2 } cvc4-bv-clk-bv-val-{e 3, E 2 } z3-real-clk-int-val-{e 3, E 2 } z3-real-clk-bv-val-{e 3, E 2 } z3-bv-clk-int-val-{e 3, E 2 } z3-bv-clk-bv-val-{e 3, E 2 } yices-real-clk-int-val-{e 3, E 2 } Number of threads (N) yices-bv-clk-bv-val-{e 3, E 2 } boolector-bv-clk-bv-val-{e 3, E 2 } Factorial growth of conflicts in fkp2013-unsat benchmark.

25 25 / 27 Concluding Remarks We have studied a simple, yet challenging concurrency problem. Our experiments provide an important diagnostic practice in the development of SMT encodings. The proofs we have manually inspected in CVC4 pinpoint value constraints as culprits. This way, our experiments can guide research into improving the performance of SMT solvers on such benchmarks. The results of our work will shortly be published in SMT 15.

26 26 / 27 Concluding Remarks We have studied a simple, yet challenging concurrency problem. Our experiments provide an important diagnostic practice in the development of SMT encodings. The proofs we have manually inspected in CVC4 pinpoint value constraints as culprits. This way, our experiments can guide research into improving the performance of SMT solvers on such benchmarks. The results of our work will shortly be published in SMT 15. Thank you!

27 27 / 27 SC-relaxed Consistency Encoding Let E be the set of events, be the PPO, val : E T V -terms, guard : E T V -formulas and L be the set of memory locations. PPO {(guard(e) guard(e )) (c e c e ) e, e E: e e } {(cw WW[x] c w c w c w ) s w s w w, w W x w w } RW[x] {c w c r c r c w w W x r R x } RF TO [x] {guard(r) {s w = s r w W x } r R x } RF 3 [x] {(s w = s r ) (guard(w) val(w) = rv r c w c r ) r R x w W x } {(sw FR[x] = s r c w c w guard(w )) (c r c w ) w, w } W x r R x { E 3 RFTO [x] RF 3 [x] FR[x] WW[x] RW[x] x L } PPO RF 2 {(sw } [x] = s r ) (c w = sup r guard(w) val(w) = rv r c w c r ) r R x w W x {(cw } SUP[x] c r guard(w)) (c w sup r ) r R x w W x E 2 { RFTO [x] RF 2 [x] SUP[x] WW[x] RW[x] x L } PPO