versat: A Verified Modern SAT Solver
Duckki Oe, Aaron Stump, Corey Oliver, Kevin Clancy
Computer Science, The University of Iowa, USA
Midwest Verification Day 2011 October 1, 2011
Duckki Oe, Aaron Stump, Corey Oliver, Kevin Clancy
versat: A Verified Modern SAT Solver
Satisfiability Problem (SAT)
"Is there a model for the given propositional formula?"
- Model: an assignment to the variables that makes the formula true.
- SAT if the formula has a model.
- UNSAT if the formula has no model (it is contradictory).
- Decidable, but NP-complete.

A SAT solver decides the satisfiability of a formula.
- Modern SAT solvers can solve large problems.
- Smart engineering and heuristics work very well on formulas that arise from real applications (as opposed to random instances).
- Many applications in automated reasoning and verification.
SAT Solver Verification
Motivation:
- Theoretically: simple specification, sophisticated implementation => a challenging verification task.
- Practically: SAT solvers are used as trusted backends of verification systems => verifying the solver raises the level of trust in the whole system.

Approaches for verified SAT:
- Verify the algorithm: F. Marić (2009), N. Shankar (2011)
- Verify the code: S. Lescuyer (2008)
- Verify the certificate with a trusted (= small or verified) checker:
  - SAT instance: the model found by the solver (easy to check)
  - UNSAT instance: a refutation proof (an execution trace; can be huge)
versat: a Verified SAT Solver
Goal: build a new SAT solver that
- implements modern SAT techniques and low-level optimizations, and
- is verified to produce only sound UNSAT answers.

Focus on the soundness of UNSAT answers and on speed:
- SAT certificates (models) have very low overhead to produce and to check, so there is little reason to verify the solver's code for the SAT case.
- Speed is more important than a guarantee of termination, so termination is not proved.
The Guru Programming Language
Guru is a functional programming language with:
- A dependent type system (for verification)
  - supports inductive datatypes and (equality) formula types
  - allows partial functions
- A resource type system (for efficient code generation)
  - mutable arrays with constant-time access
  - configurable memory management and no garbage collection

Published papers:
- PLPV 2010: Resource Typing in Guru. Stump and Austin.
- PLPV 2009: Verified Programming in Guru. Stump et al.
- PSTT 2009: Deciding Joinability Modulo Ground Equations in Operational Type Theory. Petcher and Stump.
Specification: Soundness of the UNSAT Answer
Statement of unsatisfiability:
- Model-theoretically: "∀M. M ⊭ Φ", i.e. "Φ ⊨ ⊥"
- Proof-theoretically: "Φ ⊢ ⊥"
- The solver returns UNSAT when the empty clause has been deduced.

The answer type (the angle-bracketed type applications were lost in extraction and are restored here; the empty clause is written (nil lit), Guru's empty list of literals):

  Inductive answer : Fun(F:formula).type :=
    sat   : Fun(spec F:formula).<answer F>
  | unsat : Fun(spec F:formula)(spec p:<pf F (nil lit)>).<answer F>.

- A <pf F C> value represents a proof of F ⊢ C.
- spec (specificational) arguments are used only for type checking.
- So proofs are not generated at run time: the UNSAT constructor demands a proof object at the type level, but the compiled solver never builds one.
Specification: Inference System
The pf type encodes "⊢res" (derivability by resolution alone, a weaker system than full "⊢"). The angle-bracketed type applications, lost in extraction, are restored here:

  Inductive pf : Fun(F : formula)(C:clause).type :=
    pf_asm : Fun(F : formula)(C:clause)
                (u : { (member C F eq_clause) = tt }).<pf F C>
  | pf_res : Fun(F : formula)(C1 C2 Cr : clause)(l:lit)
                (d1 : <pf F C1>)(d2 : <pf F C2>)
                (u : { (is_resolvent Cr C1 C2 l) = tt }).<pf F Cr>.

- The term constructors are the inference rules: pf_asm derives any clause that is a member of F, and pf_res derives the resolvent Cr of two already derived clauses C1 and C2 on the literal l.
- is_resolvent is a straightforward logical (executable) function that decides whether Cr is a resolvent of C1 and C2 on l; its result being tt is the side condition of the rule.
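To make the two-rule system concrete, here is an added example (not versat's code, and not Guru) of a checker for exactly this inference system, written in Python. Clauses are frozensets of DIMACS-style integers and a proof is a list of steps mirroring pf_asm and pf_res; the clause claimed at each step is re-derived and compared rather than trusted, which is the role of the (member ...) = tt and (is_resolvent ...) = tt side conditions. The formula, the refutation and the forged proof are constructed for the example; the set-based definition of a resolvent is the textbook one and is assumed to match versat's is_resolvent.

```python
"""Checker for the two-rule resolution system that versat's `pf` type encodes.

Added example, not versat's code. Clauses are Python frozensets of non-zero
ints in DIMACS style (-v is the negation of v); a proof is a list of steps
mirroring the two constructors: ("asm", C) for pf_asm, accepted only if C is a
clause of F, and ("res", i, j, l, Cr) for pf_res, accepted only if Cr is the
resolvent of steps i and j on literal l. The claimed clause is re-derived and
compared, never trusted.
"""
from typing import FrozenSet, List, Sequence, Tuple

Clause = FrozenSet[int]
Formula = Sequence[Clause]
EMPTY: Clause = frozenset()
Step = Tuple  # ("asm", Clause) or ("res", int, int, int, Clause)


def member(c: Clause, f: Formula) -> bool:
    """pf_asm side condition: C occurs in F (order of literals irrelevant)."""
    return any(c == d for d in f)


def is_resolvent(cr: Clause, c1: Clause, c2: Clause, lit: int) -> bool:
    """pf_res side condition: C1 contains lit, C2 contains -lit, and Cr is
    (C1 minus lit) union (C2 minus -lit). Set semantics: duplicates collapse."""
    if lit not in c1 or -lit not in c2:
        return False
    return cr == (c1 - {lit}) | (c2 - {-lit})


def check_proof(f: Formula, proof: List[Step]) -> List[Clause]:
    """Return the clauses proven (each with F |-res C), raising ValueError at
    the first step whose side condition fails."""
    proven: List[Clause] = []
    for n, step in enumerate(proof):
        rule = step[0]
        if rule == "asm":
            c = step[1]
            if not member(c, f):
                raise ValueError(f"step {n}: {sorted(c)} is not a clause of F")
            proven.append(c)
        elif rule == "res":
            _, i, j, lit, cr = step
            if not (0 <= i < n and 0 <= j < n):   # premises must be earlier steps
                raise ValueError(f"step {n}: premise index out of range")
            if not is_resolvent(cr, proven[i], proven[j], lit):
                raise ValueError(f"step {n}: {sorted(cr)} is not the resolvent of "
                                 f"{sorted(proven[i])} and {sorted(proven[j])} on {lit}")
            proven.append(cr)
        else:
            raise ValueError(f"step {n}: unknown rule {rule!r}")
    return proven


def certifies_unsat(f: Formula, proof: List[Step]) -> bool:
    """An UNSAT answer is sound iff a checked proof ends in the empty clause."""
    try:
        return check_proof(f, proof)[-1] == EMPTY
    except (ValueError, IndexError):
        return False


# Constructed UNSAT instance: (a v b)(a v -b)(-a v b)(-a v -b) with a=1, b=2.
F_UNSAT: Formula = [frozenset({1, 2}), frozenset({1, -2}),
                    frozenset({-1, 2}), frozenset({-1, -2})]

# Refutation: steps 0-3 assume the input clauses; step 4 resolves on b to get
# (a); step 5 resolves on b to get (-a); step 6 resolves those on a to get [].
PROOF_UNSAT: List[Step] = [
    ("asm", F_UNSAT[0]), ("asm", F_UNSAT[1]),
    ("asm", F_UNSAT[2]), ("asm", F_UNSAT[3]),
    ("res", 0, 1, 2, frozenset({1})),
    ("res", 2, 3, 2, frozenset({-1})),
    ("res", 4, 5, 1, EMPTY),
]

# Forged proof: claims the empty clause from (a v b) and (a v -b) on pivot a,
# but a occurs positively in both, so it is not a resolvent and is rejected.
PROOF_BOGUS: List[Step] = [
    ("asm", F_UNSAT[0]), ("asm", F_UNSAT[1]),
    ("res", 0, 1, 1, EMPTY),
]

if __name__ == "__main__":
    print("genuine refutation accepted:", certifies_unsat(F_UNSAT, PROOF_UNSAT))
    print("forged refutation accepted:", certifies_unsat(F_UNSAT, PROOF_BOGUS))
```

This is the external-checker approach from the "Approaches for verified SAT" slide; versat's point is that the same rules live in the type of unsat, so the Guru compiler discharges the check once for all runs instead of a checker re-running it per instance.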
Specification: Summary
- The specification is an encoding of propositional logic: clauses, membership in the input formula, and resolution.
- This is the only trusted part of versat. The rest of versat is the actual implementation and its proofs, which are checked and certified by the Guru compiler.
- Size: 259 lines of Guru code (reasonably small).
- The parser is part of the specification:
  - it is the trusted interpretation of the benchmark file;
  - it accounts for 145 of the 259 lines!
Implemented Features
The smallest set of features needed to count as "modern":
Engineering:
- Watched literals
- Conflict analysis + fast resolution
- Backjumping and non-chronological backtracking
Heuristics:
- Variable scoring
- Clause learning
Summary:
- 9,884 lines of Guru code and proofs
- 247 lemmas proved
Conflict Analysis with Fast Resolution
The resolution rule:

      C ∨ l     D ∨ ¬l
      ----------------- Res
           C ∨ D

Data structure: the clause under construction is kept in two parts, C2 (with its length cached in the counter C2L) and C1, together with a per-variable look-up table T. The table gives constant-time removal of a literal and constant-time duplicate elimination.

Invariants carried in the types (one column per invariant):

  (u1:{ C2L = (length C2) })
  (u2:{ (all_lits_are_assigned T (append C2 C1)) = tt })
  (u3:{ (cl_has_all_vars (append C2 C1) T) = tt })
  (u4:{ (cl_unique C2) = tt })
Example Theorem: Clearing the Look-up Table
(The type annotation of vt, an array of length nv, was lost in extraction.)

  Define cl_has_all_vars_implies_clear_vars_like_new :
    Forall (nv:word) (vt:<...>) (c:clause)
           (u:{ (cl_valid nv c) = tt })
           (r:{ (cl_has_all_vars c vt) = tt }).
      { (clear_vars vt c) = (array_new nv UN) }

Reading: if every variable of c is in range (cl_valid nv c) and every variable marked in vt belongs to c (cl_has_all_vars c vt), then clearing vt along c yields exactly the array a fresh allocation of size nv filled with UN would give. The table can therefore be reset by walking the clause rather than the whole array.
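The following added example (not versat's code, and in Python rather than Guru) shows the data structure of the previous slide and the property of this theorem together: a conflict-clause accumulator whose four invariants u1-u4 are checked at run time, driven by first-UIP conflict analysis, and a clear_vars that resets only the table entries belonging to the clause and ends up equal to a fresh table. Assumptions not stated on the slides: C2 holds the literals of the current decision level and C1 the rest; the table vt plays the role of T; the trail, decision levels and reason clauses are constructed for the example.

```python
"""Conflict-clause accumulator mirroring the four invariants on versat's
fast-resolution data structure, plus the clear_vars property of the
example theorem (clear_vars vt c = array_new nv UN).

Added example, not versat's code. Assumptions: variables are 1..nv and
literals signed ints; level[v] and reason[v] come from an assumed CDCL trail;
C2 holds literals of the current decision level and C1 the rest (the slide
does not state versat's exact split); vt plays the role of T.
"""
from typing import Dict, List

UN = 0                 # array_new nv UN: every entry starts unmarked
IN_C1, IN_C2 = 1, 2    # variable currently present in C1 / C2
REMOVED = 3            # resolved away; stays marked so it is never re-added


class ConflictClause:
    def __init__(self, nv: int, level: Dict[int, int], cur_level: int) -> None:
        self.nv = nv
        self.vt: List[int] = [UN] * (nv + 1)    # index 0 unused
        self.c1: List[int] = []
        self.c2: List[int] = []
        self.c2l = 0                            # u1: C2L = (length C2)
        self.level, self.cur = level, cur_level

    def add(self, lit: int) -> None:
        """Insert lit unless its variable is already tracked: O(1) via vt,
        which keeps C2 duplicate-free (u4) without scanning the clause."""
        v = abs(lit)
        assert v in self.level, "u2: every literal of the clause is assigned"
        if self.vt[v] != UN:
            return
        if self.level[v] == self.cur:
            self.c2.append(lit)
            self.c2l += 1
            self.vt[v] = IN_C2
        else:
            self.c1.append(lit)
            self.vt[v] = IN_C1

    def live(self) -> List[int]:
        """C2 ++ C1 with lazily removed pivots filtered out; checks u1, u4."""
        c2 = [l for l in self.c2 if self.vt[abs(l)] == IN_C2]
        assert len(c2) == self.c2l                          # u1
        assert len({abs(l) for l in c2}) == len(c2)         # u4
        return c2 + self.c1

    def resolve(self, pivot_var: int, reason: List[int]) -> None:
        """One Res step between the clause so far (contains -p) and reason
        (contains p). Removing the pivot is O(1): it is only marked in vt."""
        assert self.vt[pivot_var] == IN_C2, "pivot must be a current-level literal"
        p = next(l for l in reason if abs(l) == pivot_var)
        before = set(self.live())
        self.vt[pivot_var] = REMOVED
        self.c2l -= 1
        for lit in reason:
            if lit != p:
                self.add(lit)
        # Result is exactly the resolvent: (before minus -p) union (reason minus p).
        assert set(self.live()) == (before - {-p}) | (set(reason) - {p})

    def clear_vars(self) -> List[int]:
        """clear_vars vt c: reset only the entries belonging to the clause.
        vt marks exactly the variables of C2 ++ C1 (cl_has_all_vars) and they
        lie in 1..nv (cl_valid), so the result equals a fresh [UN]*(nv+1)."""
        for l in self.c1 + self.c2:    # c2 still lists the REMOVED pivots
            self.vt[abs(l)] = UN
        return self.vt


def analyze_conflict(nv: int, conflict: List[int], trail: List[int],
                     level: Dict[int, int], reason: Dict[int, List[int]],
                     cur_level: int) -> ConflictClause:
    """First-UIP conflict analysis: resolve backwards along the trail until a
    single literal of the current level remains in C2."""
    cc = ConflictClause(nv, level, cur_level)
    for lit in conflict:
        cc.add(lit)
    for lit in reversed(trail):
        if cc.c2l <= 1:
            break
        if cc.vt[abs(lit)] == IN_C2:
            cc.resolve(abs(lit), reason[abs(lit)])
    return cc


# Constructed trail: x1 decided at level 1; x2 decided at level 2, then
# (-1 -2 3) forces x3, (-3 4) forces x4, (-2 -3 5) forces x5, and (-4 -5)
# is falsified. Variable 6 exists but is never touched.
NV = 6
TRAIL = [1, 2, 3, 4, 5]
LEVEL = {1: 1, 2: 2, 3: 2, 4: 2, 5: 2}
REASON = {3: [-1, -2, 3], 4: [-3, 4], 5: [-2, -3, 5]}
CONFLICT = [-4, -5]


def learned_clause_demo():
    """Returns the learned clause and the table after clear_vars."""
    cc = analyze_conflict(NV, CONFLICT, TRAIL, LEVEL, REASON, cur_level=2)
    learned = cc.live()          # [-2, -1]: the 1-UIP clause (¬x2 ∨ ¬x1)
    table = cc.clear_vars()      # [UN] * (NV + 1)
    return learned, table


if __name__ == "__main__":
    print(learned_clause_demo())
```

Each call to resolve asserts that the new clause is the resolvent of the old one and the reason clause, so every step of fast resolution is an instance of pf_res; in versat that fact is established once by the type checker, whereas here it is a run-time check on one constructed trail.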
Results: versat vs. Proof Checking
The Certified Track benchmarks of SAT Competition 2007:
- 16 UNSAT benchmarks
- System: Intel Core 2 Duo 2.40GHz with 3GB of memory
- One-hour timeout each for solving and for checking

  System                  #Solved   #Certified
  versat                     6          6
  picosat + RUP             14          4
  picosat + TraceCheck      14         12

For versat every solved instance is certified by construction, since its UNSAT answer is proved sound; the other two systems must additionally run a checker over an emitted certificate within the timeout.

Trusted base:
- versat: Guru compiler + 259 lines of Guru code
- checker3 (RUP checker): 1,538 lines of C code
- tracecheck (TraceCheck checker): boolforce library + 2,989 lines of C code
Results: versat vs. State-of-the-art Solvers
SAT Race 2008 Test Set 1:
- 50 benchmarks
- System: Intel Xeon X5650 2.67GHz with 12GB of memory
- 900-second timeout for solving

  System          #Solved   #Timeout   #Error/Wrong
  versat            19         31           0
  picosat-936       46          4           0
  minisat-2.2.0     47          3           0

Note: versat solved velev-live-sat-1.0-03 (78MB, 224,920 variables, 3,596,474 clauses).
Conclusion
versat is a new SAT solver written in Guru:
- Modern features are implemented with low-level data structures.
- The soundness of the UNSAT answer is proved.
- It can solve and certify modern-scale benchmarks.
- Our paper is submitted to VMCAI and under review.
- Available at http://cs.uiowa.edu/~duoe/

Future work:
- Implement state-of-the-art features: conflict clause minimization, restarts, reordering of literals.
- Implement related tools: a RUP checker.