SAT, CSP, and proofs. Ofer Strichman Technion, Haifa. Tutorial HVC 13

Transcription

1 SAT, CSP, and proofs Ofer Strichman Technion, Haifa Tutorial HVC 13 1

2 The grand plan for today Intro: the role of SAT, CSP and proofs in verification SAT how it works, and how it produces proofs CSP - how it works, and how it produces proofs Making proofs smaller 2

3 Why SAT? Example: is (x 1 Æ (x 2 Ç x 1 )) satisfiable? x 1,x 2 B Applications in verification: Formal verification: (Bounded) model checking for hardware [ ] Over a dozen commerncial tools (Bounded) model checking for software [ ] CBMC, SAT-ABS, CLLVM, Satisfiability Modulo Theories (SMT) [ ] e.g. MS Z3 used in dozens of software analysis tools (SymDiff, VCC, Havoc, Spec#, ) 3

4 Why SAT? Example: is (x 1 Æ (x 2 Ç x 1 )) satisfiable? x 1,x 2 B Applications in verification: Simulation: Test generation for hardware Test generation for software via SMT MS-SAGE, KLEE, 4

5 Why CSP (Constraints Satisfaction Problem)? Example: is (AllDiff(x 1,x 2, x 3 ) Ç x 1 < x Æ x 2 > x 3-1 )) satisfiable? x 1,x 2, x 3 [0..10] Z Applications in verification: Formal verification:?? Simulation: test generation for hardware 5

6 Why CSP (Constraints Satisfaction Problem)? Example: is (AllDiff(x 1,x 2, x 3 ) Ç x 1 < x Æ x 2 > x 3-1 )) satisfiable? x 1,x 2, x 3 [0..10] Z A Higher-level modeling language Can lead to an order of magniture smaller model size. Does not matter much in practice Certain constraints can be solved faster than in SAT Some (e.g. all-different ) can be solved directly in P 6

7 SAT and CSP SAT is crawling towards CSP Various SAT solvers now support high-level constraints over Boolean variables: Cripto-minisat supports XOR constraints MiniSat+ supports cardinality constraints CSP is crawling towards SAT: Some solvers support reduction to SAT Solution strategy now mimics SAT 7

8 Why proofs? Traditionally the focus was on finding models No information was given in case of UNSAT As of Chaff ( ) solvers produce proofs Originally just to validate result 8

9 Why proofs? Several killer-applications (SAT): Validate UNSAT results From the proof we can extract an unsat core Used in formal verification [AM03, KKB09, BKOSSB07 ] Uses of the proof itself: Interpolation-based model checking [M03]. Can we foresee usage for proofs in CSP? 9

10 The grand plan for today Intro: the role of SAT, CSP and proofs in verification SAT how it works, and how it produces proofs CSP - how it works, and how it produces proofs Making proofs smaller 10

11 CNF-SAT Conjunctive Normal Form: Conjunction of disjunction of literals. Example: ( x 1 Ç x 2 ) Æ (x 2 Ç x 4 Ç x 1 ) Æ... Polynomial transformation to CNF due to Tseitin (1970) Requires adding auxiliary variables. 11

12 Main steps SAT SAT Decide Variable, value Boolean Constraints Propagation (BCP) infer implied assignments Analyze conflict applies learning computes backtracking level 12

13 About that constraints propagation given ( x 1 Ç x 2 ) Æ (x 2 Ç x 4 Ç x 1 ) Æ... BCP: x 1 = 1 x 2 = 0 x 4 = 1 13

14 SAT essentials 14

15 Implication graphs and learning Current truth assignment: {x 9 =0@1,x 10 =0@3, x 11 =0@3, x 12 =1@2, x 13 =1@2} Current decision assignment: {x 1 =1@6} ω 1 = ( x 1 x 2 ) x 10 =0@3 ω 2 = ( x 1 x 3 x 9 ) x 2 =1@6 ω 4 x 5 =1@6 ω 3 = ( x 2 x 3 x 4 ) ω 4 = ( x 4 x 5 x 10 ) ω 5 = ( x 4 x 6 x 11 ) x 1 =1@6 ω 1 ω 2 ω 3 ω 3 ω 4 x 4 =1@6 ω 5 ω 6 ω 6 κ conflict ω 6 = ( x 5 x 6 ) ω 2 x 3 =1@6 ω 5 x6 =1@6 ω 7 = (x 1 x 7 x 12 ) ω 8 = (x 1 x 8 ) x 9 =0@1 x 11 =0@3 ω 9 = ( x 7 x 8 x 13 ) We learn the conflict clauseω 10 : ( x 1 Ç x 9 Ç x 11 Ç x 10 ) and backtrack to the highest (deepest) dec. level in this clause (6). 15

16 Implication graph, flipped assignment ω 1 = ( x 1 x 2 ) ω 2 = ( x 1 x 3 x 9 ) ω 3 = ( x 2 x 3 x 4 ) ω 4 = ( x 4 x 5 x 10 ) ω 5 = ( x 4 x 6 x 11 ) ω 6 = ( x 5 x 6 ) ω 7 = (x 1 x 7 x 12 ) ω 8 = (x 1 x 8 ) ω 9 = ( x 7 x 8 x 13 ) ω 10 : ( x 1 Ç x 9 Ç x 11 Ç x 10 ) x 10 =0@3 x 9 =0@1 ω 10 x 11 =0@3 ω 10 ω 10 Due to the conflict clause ω 8 x 1 =0@6 ω 7 ω 7 x 12 =1@2 x 8 =1@6 ω 9 x 13 =1@2 ω 9 κ x 7 =1@6 ω 9 We learn the conflict clauseω 11 : ( x 13 Ç x 9 Ç x 10 Ç x 11 Ç x 12 ) and backtrack to the highest (deepest) dec. level in this clause (3). 16

17 Non-chronological backtracking Which assignments caused the conflicts? x 9 = 0@1 x 10 = 0@3 x 11 = 0@3 x 12 = 1@2 x 13 = 1@2 These assignments Are sufficient for Causing a conflict. x Decision level Backtrack to decision level 3 κ κ Nonchronological backtracking 17

18 Learning and resolution Learning of a clause = inference by resolution. To be explained This is the key for producing a machine-checkable proof 18

19 Resolution By example: Formally: 19

20 Resolution proof A proof: (1 3) Æ (-1 2 5) Æ (-1 4) Æ (-1-4) (3 5) (1 3) (-1 2 5) (2 3 5) (1-2) (-1 4) (-1-4) (1 3 5) (-1) (3 5) 20

21 Resolution proof Hyper resolution proof A proof: (1 3) Æ (-1 2 5) Æ (-1 4) Æ (-1-4) (3 5) (1 3) (-1 2 5) (-1 4) (-1-4) (3 5) 21

22 Conflict clauses and resolution Consider the following example: Conflict clause: c 5 : (x 2 Ç x 4 Çx 10 ) We show that c 5 is inferred by resolution from c 1,,c 4 22

23 Conflict clauses and resolution Conflict clause: c 5 : (x 2 Ç x 4 Çx 10 ) BCP order: x 4,x 5,x 6,x 7 T1 = Res(c 4,c 3,x 7 ) = ( x 5 Ç x 6 ) T2 = Res(T1, c 2, x 6 ) = ( x 4 Ç x 5 Ç X 10 ) T3 = Res(T2,c 1,x 5 ) = (x 2 Ç x 4 Ç x 10 ) 23

24 The Resolution-Graph (Hyper) Resolution Graph ω 1 ω 2 ω 2 ω3 ω 3 ω 4 ω 4 ω 5 ω 5 ω 6 ω 6 κ conflict ω 1 ω 2 ω 3 ω 10 can be inferred via resolution from ω 1...ω 6 ω 10 ω 4 ω 11 ω 9 ω 5 ω 10 ω 10 ω 10 ω 8 ω 7 ω9 ω 9 κ conflict ω 6 ω 7 ω 8 ω 9 ω 7 24

25 The resolution graph What is it good for? Example: for computing an Unsatisfiable core [Picture Borrowed from Zhang, Malik SAT 03] 25

26 The grand plan for today Intro: the role of SAT, CSP and proofs in verification SAT how it works, and how it produces proofs CSP - how it works, and how it produces proofs Making proofs smaller 26

27 Main steps SAT and CSP* SAT Decide Variable, value CSP Same Boolean Constraints Propagation (BCP) infer implied assignments Boolean Constraints Propagation (CP) same Analyze conflict Same applies learning computes backtracking level *As implemented in PCS / Michael Veksler 27

28 About that constraints propagation Given x 1, x 2, x 3 [1..3], AllDifferent(x 1, x 2, x 3 ) CP: x 1 = 1 x 2, x 3 [2..3] 28

29 What about CSP proofs? SAT solvers generate proofs: From initial clauses to ( ). Inference is via the binary-resolution rule. Unlike SAT solvers, CSPs: have non-boolean domains, and non-clausal constraints. Can this gap be bridged? The following is based on [SV10] 29

30 Signed CNF 30

31 Signed resolution A binary-resolution rule for signed-cnf: Signed-clauses What about other constraints? e.g. should we just convert CSP to signed CNF? 31

32 Signed resolution Q: should we just convert CSP to signed CNF? A: No, because it is generally inefficient: e.g., x y requires: 32

33 Towards a solution Solution: introduce clauses lazily. Consider a general constraint c, such that: In the context of l 1 Æ l 2 Æ Æ l n, propagation of c implies I : (l 1 Æ l 2 Æ Æ l n Æ c) l 33

34 Towards a solution (l 1 Æ l 2 Æ Æ l n Æ c) l Find an explanation clause e such that: e is not too strong: c e e is strong enough: (l 1 Æl 2 Æ Æ l n Æ e) l 34

35 The structure of a CSP proof 35

36 Explanation rules 36

37 Explanation rules example 1 parameterized m = the value that trigerred the rule 37

38 Explanation rules example 1 38

39 Explanation rules example 2 Instantiate m with max(domain(y)) 39

40 Explanation rules example 2 40

41 Each constraint has its rule 41

42 So this is how the proof looks like 42

43 The grand plan for today Intro: the role of SAT, CSP and proofs in verification SAT how it works, and how it produces proofs CSP - how it works, and how it produces proofs Making proofs smaller 43

44 Minimizing the core The proof is not unique. Different proofs / different cores. Can we find a minimum / minimal / smaller cores/proofs? 44

45 Minimizing the core Core compression Smaller core [ZM03, ] Minimal core [DHN06, ] Min-core-biased search [NRS 13] Proof compression: Exponential-time transformations [GKS 06] Linear time transformations Recycle pivots [BFHSS 08], 45

46 Core compression (smaller core) A basic approach: run until reaching a fixpoint [chaff] initially last_core = ϕ SAT solver core core core == last_core? no last_core = core yes 46

47 Core compression (minimal core) Initially ϕ s clauses are unmarked Return ϕ Remove an unmarked clause c ϕ SAT(ϕ)? yes mark c no ϕ := core 47

48 Proof-compression linear-time transformation / Recycle-pivots Based on the following fact: Every resolution proof can be made regular which means that each pivot appears not more than once on every path. 48

49 Proof-compression linear-time transformation / Recycle-pivots

50 Proof-compression linear-time transformation / Recycle-pivots {2,-1,-2} {2,-1} {2,-1} {2,1} 1 {-2} {2} Reconstruct proof Collect removable literals 50

51 Proof-compression linear-time transformation / Recycle-pivots

52 Proof-compression linear-time transformation / Recycle-pivots Resolution graphs are DAGs So, a node is on more than one path to the empty clause

53 Proof-compression linear-time transformation / Recycle-pivots Resolution graphs are DAGs So, a node is on more than one path to the empty clause

54 Proof-compression linear-time transformation / Recycle-pivots

55 Proof-compression linear-time transformation / Recycle-pivots B A Does A dominate B? Dominance relation can be found in O( E log V ) Problem: need to be updated each time. () 55

56 Proof-compression linear-time transformation / Recycle-pivots Possible solution: Stop propagating information across nodes with more than one child. {2,-1,-2} {2,-1} {2,-1} {2,1} {-2} {2}

57 Proof-compression linear-time transformations /recent advances Recycle pivots with intersection P. Fontaine, S. Merz and B. W.Paleo. Compression of Propositional Resolution Proofs via Partial Regularization. In CADE 11. Local transformation Framework R. Bruttomesso, S.F. Rollini, N. Sharygina, and A. Tsitovich. Flexible Interpolation with Local Proof Transformations. In ICCAD 10. S.F. Rollini, R. Bruttomesso and N. Sharygina. An Efficient and Flexible Approach to Resolution Proof Reduction. In HVC 10. Lower units P. Fontaine, S. Merz and B. W.Paleo. Compression of Propositional Resolution Proofs via Partial Regularization. In CADE 11. Structural hashing S. Cotton. Two Techniques for Minimizing Resolution Proofs. In SAT 10. All implemented in PeRIPLO by S. Rollini. Together they reduce the proof size by ~40%. 57

58 Summary SAT and CSP are not only about finding models They can provide proofs Proofs are important for validation extracting cores various formal-verification techniques Minimizing proofs/cores is a subject for intense research. 58

59 Questions? 59