versat: A Verified Modern SAT Solver
Duckki Oe, Aaron Stump, Corey Oliver, Kevin Clancy
Computer Science, The University of Iowa, USA
Satisfiability Problem (SAT)
“Is there a model for the given propositional formula?”
- Model: an assignment to the variables that makes the formula true.
- SAT if the formula has a model
- UNSAT if the formula has a contradiction (thus, no model)
- Decidable, but NP-hard

A SAT solver decides the satisfiability of a formula.
- Modern SAT solvers can solve large problems.
- Smart engineering and heuristics work very well with human-made formulas.
- Many applications in automated reasoning and verification.
SAT Solver Verification
Motivation
- Theoretically: simple specification, sophisticated implementation =⇒ “a challenging work”
- Practically: SAT solvers are used as trusted backends for verification systems =⇒ “to increase the level of trust”

Two Approaches for Verified SAT
- Verify the code: mostly written in C/C++, highly optimized
- Verify the certificate by a trusted (= small or verified) checker:
  - SAT instance: a model that is found by the solver (easy)
  - UNSAT instance: a refutational proof (execution trace, huge)
versat: a Verified SAT Solver
Goal: making a new SAT solver such that it
- implements modern SAT techniques and low-level optimizations
- is verified to produce sound UNSAT answers

Focus on the soundness of UNSAT answers and speed
- SAT certificates have very low overhead to implement and check.
- Why bother to verify the code for SAT?
- Speed is more important than a guarantee of termination.
The Guru Programming Language
Guru is a functional programming language with:
- Dependent type system (for verification)
  - supports inductive datatypes and (equality) formula types
  - allows partial functions
- Resource type system (for efficient code generation)
  - mutable arrays with constant-time access
  - configurable memory management and no garbage collection

Published papers:
- PLPV (2010) Resource Typing in Guru. Stump and Austin
- PLPV (2009) Verified Programming in Guru. Stump et al.
- PSTT (2009) Deciding Joinability Modulo Ground Equations in Operational Type Theory. Petcher and Stump
Specification: Overview
Summary
- It is an encoding of propositional logic.
- This is the only trusted part of versat. The rest of versat is the actual implementation and proof, to be checked and certified by the Guru compiler.
- Size: 259 lines of Guru code (reasonably small)
- The parser is a part of the specification.
  - a trusted interpretation of the benchmark file
  - 145 lines (out of 259 lines)!

The type of the solve function
  Define clause := .
  Define formula := .
  Define solve : Fun(F:formula). := ...
Specification: Soundness of UNSAT answer
Statement of Unsatisfiability
- Model-theoretically: “∀M. M ⊭ Φ” or “Φ ⊨ ⊥”
- Proof-theoretically: “Φ ⊢ ⊥” (more natural)
- Solver returns UNSAT when the empty clause is deduced.

The answer type
  Inductive answer : Fun(F:formula).type :=
    sat : Fun(spec F:formula).
  | unsat : Fun(spec F:formula)(spec p:).
- A value represents a proof of F ⊢ C.
- spec (specificational) arguments are only for type checking.
- So, proofs are not generated at run time.
Specification: Inference System
The pf type encodes “⊢res” (a weaker system than “⊢”)
  Inductive pf : Fun(F : formula)(C:clause).type :=
    pf_asm : Fun(F : formula)(C:clause)
               (u : { (member C F eq_clause) = tt }).
  | pf_res : Fun(F : formula)(C1 C2 Cr : clause)(l:lit)
               (d1 : ) (d2 : )
               (u : { (is_resolvent Cr C1 C2 l) = tt }).
- Term constructors are the inference rules.
- is_resolvent is a logical (straightforward) function that determines whether Cr is a resolvent of C1 and C2.
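As an added example (not versat's Guru code), the pf inference system above written as a proof checker in Python: a pf_asm step must be a clause of F, a pf_res step must satisfy is_resolvent, and UNSAT is justified only when the derived clause is empty. The literal/clause encoding (nonzero ints, clauses as frozensets) and the sample formula are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Union

# Constructed encoding (assumption): literal x > 0, its negation is -x,
# a clause is a set of literals, a formula is a list of clauses.
Lit = int
Clause = FrozenSet[Lit]
Formula = List[Clause]


@dataclass(frozen=True)
class PfAsm:
    """pf_asm: C is a member of F (membership up to clause equality)."""
    c: Clause


@dataclass(frozen=True)
class PfRes:
    """pf_res: Cr is the resolvent on l of the clauses proved by d1 and d2."""
    cr: Clause
    l: Lit
    d1: "Pf"
    d2: "Pf"


Pf = Union[PfAsm, PfRes]


def is_resolvent(cr: Clause, c1: Clause, c2: Clause, l: Lit) -> bool:
    """Side condition of pf_res: l in C1, -l in C2, Cr = (C1 - l) | (C2 - -l)."""
    return l in c1 and -l in c2 and cr == (c1 - {l}) | (c2 - {-l})


def check(f: Formula, d: Pf) -> Clause:
    """Return the clause that d proves from F; raise at the first step whose
    side condition fails. Every constructor is re-checked, so nothing about
    the solver that produced d has to be trusted."""
    if isinstance(d, PfAsm):
        if d.c not in f:
            raise ValueError(f"pf_asm: {set(d.c)} is not a clause of F")
        return d.c
    c1, c2 = check(f, d.d1), check(f, d.d2)
    if not is_resolvent(d.cr, c1, c2, d.l):
        raise ValueError(f"pf_res: {set(d.cr)} is not a resolvent on {d.l}")
    return d.cr


def is_refutation(f: Formula, d: Pf) -> bool:
    """A sound UNSAT answer: d derives the empty clause from F."""
    try:
        return check(f, d) == frozenset()
    except ValueError:
        return False


# Constructed sample: F = {x1 v x2, -x1 v x2, -x2}, refuted in two steps.
F: Formula = [frozenset({1, 2}), frozenset({-1, 2}), frozenset({-2})]
STEP1 = PfRes(frozenset({2}), 1, PfAsm(frozenset({1, 2})), PfAsm(frozenset({-1, 2})))
REFUTATION = PfRes(frozenset(), 2, STEP1, PfAsm(frozenset({-2})))
```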
Implemented Features
The least set of features to make it “modern”
Engineering:
- Watched Literals
- Conflict Analysis + Fast Resolution
- Backjumping and Non-chronological Backtracking
Heuristics:
- Variable Scoring
- Clause Learning
Summary:
- 9884 lines of Guru code and proofs
- Proved 247 lemmas
Efficient Representation of Clauses
aclause type: array-based clause and invariants
  Inductive aclause : Fun(nv:word)(F:formula).type :=
    mk_aclause : Fun(spec nv:word)(spec F:formula)
                 (spec n:word)(l:)
                 (u1:{ (array_in_bounds nv l) = tt })
                 (spec c:clause)(spec pf_c:)
                 (u2:{ c = (to_cl l) }) .
- aclause stores a clause in the array.
- array_in_bounds: all array items are within bounds and the array is null-terminated.
- to_cl interprets a null-terminated array as a list.
- the interpretation of the array is valid in F.
Conflict Analysis with Fast Resolution
  C ∨ l    D ∨ ¬l
  --------------- Res
       C ∨ D
Data structure:
- For a constant-time remove operation and duplicate removal
Invariants:
  (u1:{ C2L = (length C2) })
  (u2:{ (all_lits_are_assigned T (append C2 C1)) = tt })
  (u3:{ (cl_has_all_vars (append C2 C1) T) = tt })
  (u4:{ (cl_unique C2) = tt })
Example Theorem: Clearing the Look-up Table
  Define cl_has_all_vars_implies_clear_vars_like_new :
    Forall (nv:word) (vt:) (c:clause)
           (u:{ (cl_valid nv c) = tt })
           (r:{ (cl_has_all_vars c vt) = tt }) .
      { (clear_vars vt c) = (array_new nv UN) }
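As an added example (not versat's code), the aclause functions to_cl and array_in_bounds and the theorem above on concrete data in Python: clearing only the variables of c gives a table equal to a fresh array when the premises hold, and the counter-case shows why cl_has_all_vars is required. The literal encoding (2*var + sign, var >= 1, so the word 0 is the terminator), the value of UN, and the sample arrays are constructed assumptions.

```python
from typing import List

UN = 0  # "unmarked" look-up table entry (name from the slide; value assumed)


def var_of(lit: int) -> int:
    """Assumed encoding: literal word = 2*var + sign, so var >= 1 and 0 is free."""
    return lit >> 1


def to_cl(arr: List[int]) -> List[int]:
    """to_cl: the literals up to the first 0 terminator, as a list."""
    cl = []
    for w in arr:
        if w == 0:
            return cl
        cl.append(w)
    raise ValueError("array is not null-terminated")


def array_in_bounds(nv: int, arr: List[int]) -> bool:
    """array_in_bounds: a terminator exists and every literal before it names a var < nv."""
    for w in arr:
        if w == 0:
            return True
        if not 1 <= var_of(w) < nv:
            return False
    return False  # no terminator found


def cl_valid(nv: int, c: List[int]) -> bool:
    return all(1 <= var_of(l) < nv for l in c)


def cl_has_all_vars(c: List[int], vt: List[int]) -> bool:
    """Every variable marked in vt (entry != UN) belongs to c."""
    vars_c = {var_of(l) for l in c}
    return all(v in vars_c for v, e in enumerate(vt) if e != UN)


def array_new(nv: int, init: int) -> List[int]:
    return [init] * nv


def clear_vars(vt: List[int], c: List[int]) -> List[int]:
    """Reset only the entries for the vars of c: O(|c|) instead of O(nv)."""
    for l in c:
        vt[var_of(l)] = UN
    return vt


def premises(nv: int, vt: List[int], c: List[int]) -> bool:
    return cl_valid(nv, c) and cl_has_all_vars(c, vt)


def conclusion(nv: int, vt: List[int], c: List[int]) -> bool:
    """(clear_vars vt c) = (array_new nv UN), checked on a copy of vt."""
    return clear_vars(list(vt), c) == array_new(nv, UN)
```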
Results: versat vs. proof checking
The Certified Track benchmarks of SAT Competition 2007
- 16 UNSAT benchmarks
- System: Intel Core 2 Duo 2.40GHz w/ 3GB of memory
- One hour timeout for solving and checking, individually

  Systems     | versat | picosat + RUP | picosat + TraceCheck
  #Solved     |   6    |      14       |         14
  #Certified  |   6    |       4       |         12

Trusted base:
- versat: Guru compiler + 259 lines of Guru code
- checker3 (RUP checker): 1,538 lines of C code
- tracecheck (TraceCheck checker): boolforce library + 2,989 lines of C code
Results: versat vs. State-of-the-art Solvers
SAT Race 2008 Test Set 1
- 50 benchmarks
- System: Intel Xeon X5650 2.67GHz w/ 12GB of memory
- 900 seconds timeout for solving

  Systems       | versat | picosat-936 | minisat-2.2.0
  #Solved       |   19   |     46      |      47
  #Timeout      |   31   |      4      |       3
  #Error/Wrong  |    0   |      0      |       0

Note: versat solved velev-live-sat-1.0-03 (78MB size, 224,920 variables, 3,596,474 clauses)
Conclusion
versat is a new SAT solver written in Guru
- Implemented modern features with low-level data structures.
- The soundness of the UNSAT answer is proved.
- Can solve and certify modern-scale benchmarks
- Our paper is submitted to VMCAI and under review.
- Available at http://cs.uiowa.edu/~duoe/

Future work:
- Implementing state-of-the-art features: CC Minimization, Restarting, Reordering Literals
- Implement other related tools: RUP checker