Efficient Simplification of SAT Instances from Formal Verification of Microprocessors and Infinite-State Systems Sathiamoorthy Subbarayan Department of Computer Science, University of Bristol, UK
[email protected]
Abstract. Usage of SAT methods in Formal Verification is increasing [1]. Recently several preprocessors for SAT instances have been proposed [2], [3], [4]. Few of them have shown successes in some Formal Verification problems like Bounded Model Checking (BMC) and Equivalence Checking. As far as we know, none of them have been successful in reducing the complexity of microprocessor verification SAT instances. In [5,6], Velev and Bryant have concluded that applying a preprocessor (simplifier) to the CNF formulas resulting from realistic microprocessors is impractical, due to the large number of clauses-hundreds of thousands. In contrast, we show that a recent preprocessor, NiVER [7], results in solving SAT instances from Velev's microprocessor benchmark suite [8] in less time and space. We also explain the reason for the success of NiVER, while other preprocessors fail. We use the average number of implications by unit propagation of literals in the formula to estimate the cost of preprocessing. As far as we know, this paper is the first to estimate the cost of preprocessors and predict the usefulness of them. We also introduce and study a variant of NiVER, LiVER, that allows a limited increase in the formula size. Experimental results show that without NiVER preprocessing, some of the Velev's microprocessor verification SAT instances may not be solved due to huge memory or time requirements. On the experiments conducted so far, in unsatisfiable instances preprocessing resulted in upto 3x speed-up in time and solving few instances, which are otherwise aborted due to huge memory requirements. We also show the effect of preprocessing on SAT instances from UCLID [9] -a verification tool for infinite state systems.
1 Introduction In this paper we investigate the use of simplifiers on SAT instances generated for formal verification of microprocessors. SAT instances from each problem domain have its own structure. The structural information can be exploited to improve the both time and space efficiency of SAT solvers. Few papers have been published describing the adaptation of decision heuristics for BMC SAT instances [10], [11]. Preprocessors can be used to simplify SAT instances. The simplified formula can then be solved by using a SAT Solver. Preprocessing does not guarantee an easier problem for
SAT solvers [12]. Formula simplifiers have been quite successful in few formal verification problems like BMC and equivalence checking [3], [4]. But they have not been successful in microprocessor verification SAT instances, due to different type of structure in those instances. In [5, 6], Velev and Bryant has concluded that microprocessor verification SAT instances are very large and hence simplifiers for them are impractical. But we show that NiVER [7], a recent simplifier helps in solving Velev’s microprocessor SAT instances in less space and time. We also explain the reason why NiVER is successful while others fail. LiVER, a variant of NiVER, which allows a limited increase in the formula size is introduced and the benefit of it is shown using experimental results. The paper is organized as follows. The next section gives an overview of existing simplifiers. Section 3 introduces the NiVER preprocessor in detail. Section 4 explains the reason for the success of NiVER in simplifying SAT instances from microprocessor verification suite. Section 5 presents the experimental results using NiVER. Section 6 introduces LiVER. Section 7 shows experimental results using LiVER. Section 8 concludes the paper.
2 SAT Preprocessors Simplifiers are used to change the CNF formula into a simpler one, which is easier to solve. Pure literal elimination and unit propagation are best known simplification methods used in most of the DPLL based SAT solvers Although several preprocessors to simplify the formula have been published, current state of the art SAT solvers [13],[14] just use these two simplification methods. In [5], a nice comparison of existing simplification methods is done. 2-simplify by Brafman [2], applies unit clause resolution, equivalent variable substitution, and a limited form of hyper resolution. It also generates new implications using binary clause resolution. HypBinRes [3] a preprocessor using hyper binary resolution and equality reduction was presented by Bacchus and Winter. HypBinRes applies all the rules in 2-simplify and also does hyper binary resolution. Simplifiers like HypBinRes and 2-simplify use unit propagation, either explicitly or implicitly, to find new implications and equivalent literals. Recently, in [4] Novikov presented a preprocessor based on local search of Boolean relations. HypBinRes performed poorly on pipe instances, from Velev’s microprocessor verification suite [8]. 2-simplify has shown some improvement on few pipe instances, but the comparison is with zChaff. The new SAT solvers [15, 14] can solve such instances in very small effort that, the time taken by 2-simplify will increase the total time taken to solve the instances. In [4], Novikov has shown results only for 5 simple pipe instances. He also showed improvement with regard to Berkmin SAT solver [14], not Siege SAT solver [15]. For example, Berkmin takes 729 CPU seconds to solve 7pipe instance, while Siege takes just 185 seconds to solve the same instance using the same machine. In this paper we show improvements in comparison with Siege SAT solver.
3 NiVER: Non Increasing Variable Elimination Resolution The original algorithm to solve SAT problem was Variable Elimination Resolution (VER) due to Davis and Putnam (DP) [16]. The procedure eliminates variables one by one, by resolving all the clauses in which they occur. Unfortunately for most of the problem classes the algorithm results in memory explosion and hence not used. So modern SAT solvers are based on DPLL procedure [17], which is a backtracking version of the original DP procedure. NiVER [7] is a special case of DP style resolution, used as a preprocessing step. In some instances, NiVER removes variables having more than 25 occurrences. During preprocessing, for each variable we check whether it can be removed by DP style resolution, without increase in total literal count. If there will be no increase then we eliminate the variable by VER. The algorithm is shown in Figure 1. When a variable is removed by VER, many resolvent clauses have to be added. We discard tautological clauses. The rest are added to the formula. Then, all clauses containing that variable are deleted from the formula. Except checking whether any resolvent is a tautology, NiVER does not do any complex steps like subsumption checking. No other simplification is done. In the present implementation, NiVER does not even check whether any unit clause is present or not. Unlike HypBinRes or 2-simplify, NiVER does not do unit propagation. NiVER(F){ do{ entry=FALSE N=No_of_Variables(F) for(i=1 to N){ Pos_clauses be the set of clauses in F having +ve literal of Variable Vi Neg_clauses be the set of clauses in F having -ve literal of Variable Vi Old_Lit_Count = Sum of No. of literals in every clause where Vi is present F’={} For each clause pos in Pos_clauses and neg in Neg_clauses If(Resolve(pos, neg) NOT a Tautology) F’=F’∪Resolve(pos, neg) New_Lit_Count = Sum of No. of literals in every clause in F’ If(Old_Lit_Count >= New_Lit_Count){ F=F-Pos_clauses-Neg_clauses F=F∪F’ entry=TRUE }//end if }//end for }while(entry) }//end NiVER(F) Fig. 1. The NiVER procedure
In Table 1, we list the number of variables eliminated by NiVER in few SAT instances from [8]. The NiVER software is available at [18]. When NiVER removes variables,
it results in the core of the SAT problem with lesser number of variables. NiVER preserves the satisfiability of the original problem. If the simplified problem is unsatisfiable, then the original is also unsatisfiable. If the simplified problem is satisfiable, the assignment for the variables in the simplified formula is a subset of atleast one of the satisfying assignments of the original problem. For variables removed by NiVER, the satisfying assignment can be obtained by a polynomial procedure, in which we just reverse the way NiVER proceeds. We add variables back in the reverse order they are eliminated. While adding each variable, assignment is made to that variable such that the formula is satisfied. For example, let F be the original formula. Let Cx refers to set of clauses containing literals of variable x. Let Cxr represent the set of clauses obtained by resolving clauses in Cx on variable x. NiVER first eliminates variable a from F, by removing Ca from F and adding Car to F, resulting in new formula Fa. Then NiVER eliminates variable b by deleting Cb from Fa and adding Cbr to Fa, resulting in Fab. Similarly, eliminating c results in Fabc. Now NiVER terminates and let a SAT solver finds satisfying assignment for Fabc, Aabc. Aabc will contain satisfying values for all variables in Fabc. Now add variables in the reverse order they are deleted. First add Cc to Fabc, resulting in Fab. Assign c either value one or value zero, such that Fab is satisfied. One among the assignments will satisfy Fab. Similarly, add Cb and find a value for b and then for a. During preprocessing, just the set of clauses Ca, Cb and Cc should be stored, so that a satisfying assignment can be obtained if the DPLL SAT solver finds a satisfying assignment for the simplified theory. Figure 2 shows an example of variable elimination by NiVER. In the example, among six resolvents, three are discarded as they are tautologies. The variable elimination results in one less variable and two less number of clauses. Positive clauses of variable 140 Negative clauses of variable 140 (-138, 140) (138, 139, -140) (-139,140) (-26, -27, -121, -140, 141) (140, -141) Old_lit_count = 14 Number of clauses deleted = 5 Added Resolvents (-138, -26, -27, -121, 141) (-139, -26, -27, -121, 141) (-141, 138, 139)
Discarded Resolvents (Tautologies) (-139, 138, 139) (-138, 138, 139) (-141, -26, -27, -121,141)
New_lit_count = 13 Number of clauses added = 3 Fig. 2. NiVER Example. Elimination of variable numbered 140 from 8pipe_k instance.
Table 1. Effect of NiVER preprocessing on some SAT instances from [8]. #Vars-org column shows the number of variables in the original instance before preprocessing. #Vars-pre column shows the number of variables after preprocessing. Similarly, the fifth column and sixth column shows the corresponding number of clauses. The seventh column reports the CPU time taken by NiVER preprocessor in seconds on an Athlon1900XP++ machine. '%Rem' column lists the percentage of variables eliminated by NiVER. Benchmark 7pipe 14pipe_k 15pipe_q0_k 12pipe_12_ooo_q0_T0 10pipe_10_ooo 1dlx_c_ex_bp_f_liveness 2dlx_ca_liveness engine_5 engine_6
#Varsorg 23910 184980 277976 144721 67050 24104 115049 18788 45276
#Varspre 22716 174788 179415 101952 63378 22618 109466 17041 40875
%Rem
#Cls-org
#Cls-pre
Time
4 5 35 29 5 6 4 9 9
751118 17597059 10103924 4206416 2862719 339857 2148917 214095 605958
748691 17576659 9903147 4120498 2855265 336805 2136337 210626 597192
0.63 7.9 14.4 3.78 1.93 2.8 20 0.36 0.86
4 Reason for the success of NiVER We analyzed the instances in which simplifiers like 2-simplify and HypBinRes work well and those in which they perform poorly. We introduce a value AveImps, which can be used to predict the usefulness of the preprocessors. AveImps is the average number of implications by per literal in the formula. The procedure to find AveImps is given in the Figure3. A literal is called as failed literal, if unit propagation by assigning the literal value one results in a conflict. If a literal fails, the complementary literal can be assigned the value one, and the formula can be simplified. For every variable we check whether either of it literals is a failed literal. If not then, we find the number of implications when those literals are unit propagated. At the end, we find the average number of implications by each literal, called as AveImps. 2-simplify and other preprocessors like HypBinRes use unit propagation, either explicitly or implicitly, to find implications and equivalent literals. The average number of implications per literal in that formula will estimate the cost of those procedures. The advantage of NiVER is that is does not use unit propagation. It just uses simple resolution to eliminate variables. The high or low value of AveImps does not affect the cost of NiVER. The cost of NiVER just depends upon the number of occurrences of each variable and the size of the clauses in which they occur. The software “GetAveImps” to find AveImps is available at [18]. From Table 2, it can be inferred that SAT instances from Formal Verification of Microprocessors have very high AveImps value. SAT instances from other formal verification methods like BMC and equivalence checking have comparatively very low AveImps value. This is
the reason for the success of preprocessors like 2-simplify and HypBinRes on instances generated from BMC and equivalence checking. As NiVER does not do unit propagation, the cost of NiVER is not affected by the value of AveImps. GetAverageNumberOfImplications(F){ Entry_count=0 Imp_count=0 N=Num_of_Variables(F) For(i=1 to N){ If( (UnitPropogation(F,vi)!=CONFLICT) AND (UnitPropogation(F,v’i)!=CONFLICT) ){ Imp_count=Imp_count+Num_Implications by UnitPropogation(F,vi) Imp_count=Imp_count+Num_Implications by UnitPropogation(F,v’i) Entry_count= Entry_count + 2 } } Average_num_implications=Imp_count/Entry_count Print (AveImps is "Average_num_implications"); }//end GetAverageNumberOfImplications(F) Fig. 3. Procedure to calculate Average Implications per literal
Table 2. Average number of implications by literals in some SAT instances from microprocessor verification [8], infinite state system verification [9], and, other formal verification methods like BMC and equivalence checking from IBM [19], and SAT2002 suite at SATLIB [20]. Microprocessor and Infinite State System Benchmark Ave. Imps 7pipe 744 9vliw_bp_mc 511 15pipe_q0_k 731 12pipe_12_ooo_q0_T0 566 15pipe_15_ooo_q0_T0 883 8pipe_k 1081 14pipe_k 2145 1dlx_c_ex_bp_f_liveness 711 2dlx_ca_liveness 12pipe_bug5 ooo.tag14 cache.inv14
2838 3576 1071 1940
IBM-BMC and SATLIB(SAT2002) Benchmark Ave. Imps ibm-rule20_k80 37 ibm-rule20_k100 37 cnt10 16 c6288 4 fifo8_300 53 fifo8_400 Barrel9 f2clk_40 f2clk_30 Comb3
53 5 28 27 69
ip38 ip50
83 83
Table 3, shows the effect of NiVER and HypBinRes preprocessing on SAT instances from microprocessor verification and industrial model checking. As predicted HypBinRes performs well in instances with low AveImps value, while NiVER performance is not affected by the AveImps value. The time taken by NiVER is almost same in
all the cases. Time taken by HypBinRes is very high for instances with high AveImps value. Table 3. Effect of NiVER and HypBinRes Preprocessing on SAT instances from microprocessor verification [8], infinite state system verification [9], and industrial model checking [18]. The first Siege column lists the CPU time, in seconds, taken by Siege SAT solver to solve the instance. “NiVER+Siege” denotes the columns concerned with experiments using NiVER preprocessor. NiVER column lists the time taken by NiVER preprocessor. The following Siege column lists the time taken to solve the NiVER simplified instances by Siege SAT solver. The total time taken by the preprocessor and solver is listed in the Total column. Similarly values are listed for HypBinRes preprocessing. Experiments were done on an Athlon 1900XP++ machine. Benchmark
Siege
7pipe 9vliw_bp_mc
185 52
ooo.tag14 cnt10 f2clk_40 comb3
15 236 891 550
NiVER+Siege NiVER Siege Total 0.8 176 177 1.26 45 46 2 0.64 1 0.12
4 138 987 657
6 139 988 657
HypBinRes+Siege HypBinRes Siege Total 1109 74 1183 976 38 1014 1703 134 93 2.3
0 0 498 364
1703 134 591 366
5 Experimental Results - using NiVER All the experiments were done using Siege_v4 [15], a complete randomized SAT solver. Random seed parameter of Siege is set to 100. The NiVER preprocessor is available at [14]. Table 4 shows the results obtained on an Athlon1900XP++ machine running Linux with 1GB of memory. Table 5 lists the experiments on an Intel Xeon 2.8 GhZ machine with 2GB of memory, running Linux. Experiments in Table 4 and Table 5 are done with microprocessor verification benchmarks [8]. In pipe_k series listed in Table4, as the size of the problem increases, the benefit of NiVER preprocessing also increases. In pipe_k series, for smaller instances, the results are mixed, but when the instance size increases, there is improvement in both runtime and memory usage due to NiVER. In case of 13pipe_k, NiVER results in decreasing the memory usage by 33%. In case of the next instance in the series, 14pipe_k, without preprocessing the experiment on the problem is aborted due to huge memory requirement. In 9 out of 10 instances in Table4, NiVER preprocessing results in decreasing runtime. The odd one is comparatively very small instance and even then the difference is insignificant.
Table 4. Effect of NiVER preprocessing on microprocessor verification SAT instances [8]. NiVER+Siege column under Time lists the total amount of time taken to solve a NiVER preprocessed instance. Memory usage in megabytes with and without preprocessing are listed in the columns under Memory. Experiments were done on an Athlon1900XP++ machine with 1GB of memory. ‘****’ means abort due to huge memory requirements. Benchmark 7pipe_k 8pipe_k 9pipe_k 10pipe_k 11pipe_k 12pipe_k 13pipe_k 14pipe_k 9pipe_9_ooo Engine_5 1dlx_c_iq40_a
Time (CPU time -seconds) NiVER+Siege Siege 140 131 317 285 254 242 1252 1218 2706 2143 7084 4956 12045 8510 **** 19586 3302 2389 3257 2515 4054 3490
Memory (MB) NiVER+Siege Siege 94 93 152 115 123 121 300 207 433 288 655 406 851 565 **** 711 252 208 87 83 538 334
In case of Table 5, in all but two cases NiVER results in lower runtimes. Even in those two cases the performance degradation is around one percent. In all but one rare case, NiVER results in lower memory usage. Even in that rare case, there is significant improvement in solving time. In both, xpipe_x-ooo_q0_T0 and 9dlx_vliw_at_b_iqx series, as the problem size increases, the benefit of using NiVER increases. In case of 12pipe_12_ooo_q0_T0, NiVER results in 2x speedup in runtime. In case of 15pipe_q0_k, without NiVER preprocessing the memory usage almost doubles. The instances 12pipe_12_ooo_q0_T0, 15pipe_q0_k, and 10pipe_10_ooo are either largest in their corresponding series or hardest among those solvable within a day by an Athlon1900XP++ machine. Overall, Table 4 and Table 5 shows that NiVER simplification
is effective in reducing both runtime and memory usage.
Table 6 reports the results obtained on unsatisfiable instances generated by UCLID [9]- an infinite state system verifier. The four instances in Table 6 are the hardest among 28 formulas in that suite. In case of cache.inv14 NiVER preprocessing results in 3x speed-up of runtime. Memory requirement also decreases by 33% for cache.inv14. In all the cases NiVER results in decreasing both time and space usage. All those instances are solvable within 52 seconds. The benefit of NiVER preprocessing on harder instances generated by UCLID should be very high, as implied by the performance of NiVER on harder instances of microprocessor verification suite. Unfortunately, such instances are not yet publicly available.
Table 5. Effect of NiVER preprocessing on microprocessor verification SAT instances [8]. Refer to Table 4 for legend. Experiments were done on an Intel Xeon 2.8Ghz machine with 2GB of memory. Benchmark 6pipe_6_ooo_q0_T0 11pipe_11_ooo_q0_T0 12pipe_12_ooo_q0_T0 10pipe_10_ooo 15pipe_q0_k 1dlx_c_ex_bp_f_liveness 9dlx_vliw_at_b_iq3 9dlx_vliw_at_b_iq4 9dlx_vliw_at_b_iq5 1dlx_c_iq33_a 1dlx_c_iq35_a 1dlx_c_iq45_a
Time NiVER+Siege 69 17932 43770 23611 7105 3690 1450 4074 10131 1350 2392 6442
Siege 68 21526 90025 23247 10053 5423 1801 4357 10561 1749 2509 8167
Memory NiVER+Siege Siege 40 40 309 232 437 321 359 308 870 480 165 143 138 130 197 175 313 294 314 201 378 249 805 549
Table 6. Effect of NiVER preprocessing on SAT instances by UCLID [9]. Refer to Table 4 for legend. Experiments were done on an Intel Xeon 2.8Ghz machine with 2GB of memory. Benchmark cache.inv14 elf.rf10 ooo.rf10 ooo.tag14
Siege 52 14 47 21
Time NiVER+Siege 18 10 29 9
Siege 30 35 22 25
Memory NiVER+Siege 20 26 17 18
So far, all the experimental results shown are for unsatisfiable instances. Table7 lists the results obtained on satisfiable formulas. The result is mixed. In case of 12pipe_bug10, NiVER preprocessing results in 12x speedup. In 3 out of 5 cases preprocessing increases the runtime. In case of 12pipe_bug9, although NiVER preprocessed instance takes twice the normal solving time, it results in less memory usage. .Mixed result is obvious as satisfiable instances might have many solutions and there is no need to search the entire tree. Once a satisfying assignment is found the search terminates. But in case of unsatisfiable instances, the entire search tree has to be searched and hence NiVER preprocessing results in improved runtimes and memory usage in most of the cases. In case of satisfiable instances, in an unsimplified instance the clause structure and the literal distribution may be such that the decision heuristics in SAT solvers quickly finds a satisfying assignment.
Table 7. Effect of NiVER preprocessing on satisfiable SAT instances from microprocessor verification [8]. Refer to Table 4 for legend. Experiments were done on an Intel Xeon 2.8Ghz machine with 2GB of memory. Benchmark 12pipe_bug1 12pipe_bug4 12pipe_bug5 12pipe_bug9 12pipe_bug10
Time NiVER+Siege 720 722 780 1820 133
Siege 290 240 864 840 1529
Memory NiVER+Siege Siege 215 192 247 187 390 251 380 320 435 182
6 LiVER: Limited Increasing Variable Elimination Resolution NiVER allows no increase in total literal count. After doing experiments with NiVER, we removed the no increase constraint and allowed a limited increase in the total literal count. The new method is called as LiVER, Limited Increasing Variable Elimination Resolution. Table 8. The effect of LiVER preprocessing with k=10. Org-Var column lists the number of variables in original formula. N – refers to NiVER preprocessor. LT refers to LiVER(k=10) preprocessor. %VRem refers to the percentage of variables removed by the preprocessors. Benchmark
OrgVar
7pipe 14pipe_k 15pipe_q0_k 12pipe_12_ooo_q0_T0 10pipe_10_ooo 1dlx_c_ex_bp_f_liveness 2dlx_ca_liveness engine_5 engine_6 1dlx_c_iq52_a 1dlx_c_iq64_a
23910 184980 277976 144721 67050 24104 115049 18788 45276 448735 773005
%VRem N LT 4 6 5 7 35 45 29 37 5 7 6 10 4 7 9 14 9 13 15 22 16 22
Number of Clauses Original N LT 751118 748691 748049 17597059 17576659 17570543 10103924 9903147 9846633 4206416 4120498 4097053 2862719 2855265 2853032 339857 336805 335212 2148917 2136337 2131469 214095 210626 208674 605958 597192 593634 6585490 6443673 6387851 11974186 11717177 11620298
In the algorithm of NiVER (Figure 2) the condition to check that there is no increase in total literal count is changed to “If(Old_Lit_Count+k >= New_Lit_Count)” where k is the allowed increase in the total literal count. We arbitrarily choose k=10 and the effect on preprocessing is shown in Table 8. The LiVER software is available at [18]. The time taken by LiVER(k=10) to preprocess is almost same as that by NiVER. Table 8 shows that LiVER eliminates few more variables than by NiVER. In all cases number of clauses is also lower than that in NiVER preprocessed instance.
7 Experimental Results - using LiVER Table 9 shows experimental results obtained using LiVER(k=10) preprocessor. For the last 3 instances listed in the table, experiments on both the original instances and the NiVER preprocessed instances have to be aborted due to huge memory requirements. But, LiVER(k=10)+Siege is able to solve those instances in the same machine. In many cases LiVER(k=10) performs better than NiVER in simplifying the formula. In all but one instances LiVER results in less memory usage. In case of 15_pipe_q0_k, LiVER(k=10) preprocessing results in 3x speed-up. In all but two instances LiVER gives better runtime than NiVER. LiVER parameter k is arbitrarily chosen as 10. Further experiments should be done to fix a better value. Table 9. Effect of LiVER(k=10) preprocessing on instances from microprocessor verification suite[8]. N+Sie column under Time lists the total amount of time taken to solve NiVER preprocessed instances. Similarly LT+Sie column represents for LiVER(k=10) preprocessed instances. Memory usage in megabytes with and without preprocessing are listed in the columns under Memory. Experiments were done on an Intel Xeon 2.8Ghz machine with 2GB of memory. ‘****’ means abort due to huge memory requirements. Benchmark 15pipe_q0_k 10pipe_10_ooo 1dlx_c_ex_bp_f_liveness 12pipe_12_ooo_q0_T0 1dlx_c_iq33_a 1dlx_c_iq35_a 1dlx_c_iq45_a 1dlx_c_iq52_a 1dlx_c_iq53_a 1dlx_c_iq55_a
Siege 10053 23247 5423 90025 1741 2509 8167 **** **** ****
Time N+Sie 7105 23611 3690 43770 1352 2392 6442 **** **** ****
LT+Sie 3490 21474 3921 57490 1044 1017 5293 24655 11426 23742
Siege 870 359 165 437 314 378 805 **** **** ****
Memory N+Sie LT+Sie 480 395 308 285 150 143 321 293 201 196 249 222 549 477 **** 715 **** 770 **** 901
In case of 1dlx_c_iqxx_a series, LiVER preprocessing results in scaling up the number of solvable instances using the same machine configuration. For instances larger than 1dlx_c_iq55_a, Siege SAT solver refuses to start solving as the number of variables is very high and Siege considers it as an inefficiently encoded instance [21]. When that constraint is relaxed, then larger instances may become solvable by LiVER+Siege combination.
8 Conclusion We have shown that efficient simplifiers will aid in improving the SAT methods for formal verification of even complex designs like microprocessors. We have also shown the reason for the failure of previous simplifiers on microprocessor instances.
Efficient simplification results in SAT solving in less space and time. Further research in fine tuning simplifiers is necessary. Simplifiers will extend the usage of SAT methods in Formal Verification. Velev's Benchmarks are already optimally generated to ease the effort needed by SAT solvers to solve them [22]. Even then NiVER and LiVER are able to show improvements in both time and space requirements. As use of SAT methods in formal verification is on the rise, many problems from different domains of formal verification will be encoded into CNF form for solving by SAT solvers. In each case the structure of the problem should be studied and an optimal way to generate the instances has to found. This effort can be reduced when different simplifiers are in place. After a brief sampling, an appropriate simplifier can be instantly plugged in, to get a simpler formula. LiVER results are more promising than those by NiVER. But careful fine-tuning of the allowable increase should be done for each class of instances before using it.
References [1] A. Biere and W. Kunz, "SAT and ATPG: Boolean Engines for Formal Hardware Verification", ICCAD2002 [2] R. I. Brafman,. “A simplifier for propositional formulas with many binary clauses”, IJCAI 2001, 515–522. [3] F. Bacchus and J. Winter “Effective preprocessing with Hyper-Resolution and Equality Reduction”, SAT 2003 [4] Y. Novikov, "Local Search for Boolean Relations on the Basis of Unit Propagation", Proc. of DATE 2003, p. 810 [5] M.N. Velev, and R.E. Bryant, Effective Use of Boolean Satisfiability Procedures in the Formal Verification of Superscalar and VLIW Microprocessors, 38th Design Automation Conference (DAC '01), June 2001, pp. 226-231 [6] M.N. Velev, and R.E. Bryant, Effective Use of Boolean Satisfiability Procedures in the Formal Verification of Superscalar and VLIW Microprocessors, Journal of Symbolic Computation (JSC), Vol. 35, No. 2 (February 2003), pp. 73-106. [7] S. Sathiamoorthy and D. K. Pradhan, “NiVER: Non Increasing Variable Elimination Procedure for Preprocessing SAT Instances”, submitted for publication. Available on email to:
[email protected] [8] Velev's Microprocessor Verification benchmark suite: http://www.ece.cmu.edu/~mvelev [9] UCLID : http://www-2.cs.cmu.edu/~uclid/ [10]Ofer Shtrichman, "Pruning Techniques for the SAT-based Bounded Model Checking Problem" Proc. of CAV2000 [11]Ohad Shacham, Emmanuel Zarpas, "Tuning the VSIDS Decision Heuristic for Bounded Model Checking", Proc of MTV2003 [12] I.Lynce, and J.P. Marques-Silva, “The Puzzling Role of Simplification in Propositional Satisfiability”, EPIA'01 Workshop on Constraint Satisfaction and Operational Research Techniques for Problem Solving (EPIA-CSOR), Dec 2001 [13] M. Moskewicz; C. Madigan; Y. Zhao; L. Zhang; and S. Malik. , “Chaff: Engineering an efficient sat solver”, DAC 2001 [14] E.Goldberg, Y.Novikov. BerkMin: a Fast and Robust SAT-Solver. DATE-2002,pp. 142149 [15] L. Ryan, “Siege SAT Solver” http://www.cs.sfu.ca/~loryan/personal/
[16] M. Davis and H. Putnam, "A Computing procedure for quantification theory". J. of the ACM,7 1960 [17] M. Davis, G. Logemann, and D. Loveland. “A machine program for theorem proving”. Comm. of ACM, 5(7), 1962 [18] S. Sathiamoorthy, “NiVER SAT Preprocessor” http://www.cs.bris.ac.uk/~sathi/niver.html [19] IBM Formal Verification Benchmarks Library http://www.haifa.il.ibm.com/projects/verification/RB_Homepage/bmcbenchmarks.html [20] SATLIB www.satlib.org [21] L. Ryan, Personal communication. [22] M.N. Velev, Efficient Translation of Boolean Formulas to CNF in Formal Verification of Microprocessors, Proc. of ASP-DAC '04, January 2004
