TTriggered Clause Pushing for IC3
Martin Suda
Max-Planck-Institut f¨ur Informatik, Saarbr¨ucken, GermanySaarland University, Saarbr¨ucken, GermanyCharles University, Prague, Czech Republic
Abstract —We propose an improvement of the famous IC3algorithm for model checking safety properties of finite statesystems. We collect models computed by the SAT-solver duringthe clause propagation phase of the algorithm and use them aswitnesses for why the respective clauses could not be pushedforward. It only makes sense to recheck a particular clausefor pushing when its witnessing model falsifies a newly addedclause. Since this trigger test is both computationally cheap andsufficiently precise, we can afford to keep clauses pushed as faras possible at all times. Experiments indicate that this strategyconsiderably improves IC3’s performance.
I. I
NTRODUCTION
IC3 [1] is one of the strongest bit-level safety modelchecking algorithms currently known. Its highly focused rea-soning guided by the property being analyzed results inremarkable performance in proving safety complemented bya unique ability to find deep counterexamples. By leveragingthe power of modern incremental SAT-solvers IC3 carefullyupdates clausal reachability information while maintaining asurprisingly small memory footprint.Since its discovery by Aaron Bradley in 2010, IC3 hasdrawn attention of many researchers. It has been extendedto deal with liveness properties [2], applied to incrementalverification [3], and generalized to model checking software[4]. An inspiring paper by E´en et al. [5] presents a detailedaccount of an efficient implementation of IC3 and advocatesthe importance of studying the algorithm further.In this paper we focus on the so-called propagation phase ofthe algorithm, where the clauses learned so far are inspected tocheck whether they could yield an inductive invariant provingthe property. This is done by attempting to “push” individualclauses forward in an operation involving a specific query toa SAT-solver. Normally, if the query is satisfiable, the clausecannot be pushed and the derived model is thrown away. Wepropose to keep the model instead and use it as a witness forwhy the clause cannot be pushed. The key observation is thatit only makes sense to repeat the expensive SAT-solver callwhen the witness has been subsumed by another clause.Being equipped with this cheap trigger test allows us toincorporate clause propagation directly into the main loopof the algorithm. A clause is pushed forward as soon asits context becomes strong enough to make the above queryunsatisfiable. This provides IC3 with a better guidance andenables immediate detection of convergence to the invariant.Our experiments show that using the witnesses pays off inpractice. Moreover, they provide opportunity for further refine- ments of the algorithm. We present a new clause minimizationheuristics aimed at subsuming as many witnesses as possible.The rest of the paper is structured as follows. After fixingthe terminology in Section II, we give an overview of IC3in Section III. Triggered pushing is explained in detail inSection IV and incorporated into the overall algorithm inSection V. We also show there how exhaustive subsumptioncan be performed efficiently in IC3, which may be of inde-pendent interest. We presents our experiments in Section VIand conclude in Section VII with final remarks.II. P
RELIMINARIES
We assume the system to be verified is modeled as a finitestate machine (FSM). A FMS M = (cid:104) X, I, P, T (cid:105) is describedby a finite set of Boolean state variables X , such that eachassignment s ∈ { , } X corresponds to a state of M , furtherby sets of initial I ⊆ { , } X and property P ⊆ { , } X states, and by a transition relation T ⊆ { , } X × { , } X .States not satisfying the property P are referred to as bad states. A path in M is a sequence s , . . . , s k of states, suchthat (cid:104) s i , s i +1 (cid:105) ∈ T for every ≤ i < k . The model checkingalgorithm establishes whether there exists a path from an initialstate to a bad state. The system is deemed safe if no such counterexample path exists. Safety may be shown by providingan inductive invariant proving P , which is a formula ϕ , suchthat I ⇒ ϕ , ϕ ∧ T ⇒ ϕ (cid:48) , and ϕ ⇒ P . Here we use theconvention that priming a formula means interpreting it overthe next state variables.A literal is a state variable or its negation. A consistentconjunction of literals is referred to as a cube and a disjunctionas a clause . A set of clauses stands for their conjunction. Statesof the FSM naturally correspond to cubes mentioning everyvariable from X . The FSM is assumed to be symbolicallyrepresented in a such way that allows us to employ a SAT-solver for answering queries about it.III. O VERVIEW OF
IC3The IC3 algorithm can be seen as a hybrid between ex-plicit and symbolic approach to model checking. It explicitlyconstructs a path, starting from a bad state and extendingit backwards towards an initial state. At the same time,it maintains symbolic stepwise approximating reachabilityinformation, which is locally refined whenever the current Due to space limitations, some aspects of the algorithm could not bepresented in full detail. If necessary, we recommend the reader to consult theoriginal work [1] or the paper [5], from which we adopt some of the notation. a r X i v : . [ c s . L O ] J u l lgorithm IC3 (FSM M = (cid:104) X, I, P, T (cid:105) ) L ← I ; foreach j > L j ← ∅ for k = 0 , , . . . do /* Recursive path construction / blocking */ while SAT ?[ L k ∧ ¬ P ] do extract state s from the model Q ← {(cid:104) s, k (cid:105)} while Q not empty do pop some (cid:104) s, i (cid:105) from Q with minimal i if i = 0 then return COUNTEREXAMPLE if SAT ?[ L i − ∧ T ∧ s (cid:48) ] then extract a predecessor state t from the model Q ← Q ∪ {(cid:104) t, i − (cid:105) , (cid:104) s, i (cid:105)} else extract the used assumptions s (cid:48) ⊆ s (cid:48) foreach ≤ j ≤ i : L j ← L j ∪ {¬ s } if i < k then Q ← Q ∪ {(cid:104) s, i + 1 (cid:105)} /* Clause propagation */ for i = 0 , . . . , k and foreach c ∈ L i \ L i +1 do if not SAT ?[ L i ∧ T ∧ ¬ c (cid:48) ] then L i +1 ← L i +1 ∪ { c } if L i = L i +1 then return SAFE
Fig. 1.
High-level description of IC3.
Some features of the algorithm notrelevant for our presentation have been omitted. Please consult [1] on how tostrengthen the query on line 11 with induction and [5] on how to generalizestates on lines 5 and 12 with ternary simulation. path cannot be extended further. The reachability informationguides the path construction, and is also bound to eventuallyconverge to a proof of safety, if no full path exists.Specifically, IC3 maintains a sequence of sets of clauses L , L , . . . , which we call layers . Layers are updated in aniterative manner, such that they satisfy the following proper-ties: 1) L ≡ I , 2) L i ⊇ L i +1 and thus L i ⇒ L i +1 for every i , 3) L i +1 is an overapproximation of the image of L i forevery i , 4) at the end of iteration k of the algorithm thereis no bad state satisfying L k . It follows that on successfultermination of iteration k , IC3 will have established that thereis no counterexample path of length k or less.Let us now have a look at the pseudocode of IC3 inFig. 1. We see that initially L is identified with I andall the other layers are empty. Each iteration then comprisestwo phases: a blocking phase and a propagation phase. The blocking phase maintains a set Q , working as a priority queue,of so-called proof obligations , pairs of the form (cid:104) s, i (cid:105) , where s is a state that can reach a bad state and i is an index.Successfully blocking a proof obligation (cid:104) s, i (cid:105) amounts toshowing that s cannot reach an initial state in at most i steps. We assume here that I has a feasible description as a set of clauses over X . Indeed, it is typically translated into a set of unit clauses. Minor changesare needed (see [5]) to accommodate to the general case. Such information is recorded as a new clause strengtheningthe layer L i . Deriving this clause may require first recursivelyblocking other obligations, corresponding to predecessor statesof s , and strengthening the previous layers.The blocking phase of iteration k starts by using a SAT-solver to pick a bad state s satisfying L k (lines 4 and 5).Then the set Q is initialized for blocking the obligation (cid:104) s, k (cid:105) (line 6). The inner loop (starting at line 7) processes individualobligations picking first those that are estimated to be closer toan initial state (line 8). An obligation with i = 0 means a fullcounterexample path has been constructed and the algorithmterminates (line 10). If the SAT-solver query on line 11 returnsSAT, we extract a predecessor state t known to satisfy L i − .This signifies progress in extending the current path from s to t , or, equivalently, a current failure to block the obligation (cid:104) s, i (cid:105) . Both the new obligation (cid:104) t, i − (cid:105) to be worked onnext and the current are stored in Q (line 13). If, on theother hand, the above call returns UNSAT, we assume thesolver provides us with a subset s of the state assumptions s that were needed in the proof (line 15). This corresponds togeneralizing the reason for why the obligation was blocked.The obtained subset s understood as a cube, becomes a clausewhen negated by which the algorithm strengthens the layers L , . . . , L i (line 16). Finally, the blocked obligation (cid:104) s, i (cid:105) may be rescheduled by one step (lines 17, 18). Let us now turn to the propagation phase, which followsnext (starting on line 21). It scans the layer clauses one byone and checks with the help of a SAT-solver call (line 22)for each c ∈ L i \ L i +1 whether it can be “pushed” to strengthena layer with a higher index. The clause is successfully pushedforward when the solver returns UNSAT, having proved that L i ∧ T ⇒ c (cid:48) . If it is detected during propagation thattwo neighboring layers have been made identical (line 24),the algorithm terminates reporting that no counterexample ispossible (line 25). The justification for this conclusion followsfrom the four properties of layers mentioned earlier. Therepeating layer L i , in fact, forms an inductive invariant whichproves the system to be safe.IV. T RIGGERED C LAUSE P USHING
There are several reasons for why the clause propagationphase is an important part of IC3. First, it is an opportunity toinsert clauses into the till now empty layer L k +1 before thestart of iteration k + 1 . Sometimes, thanks to pushed clauses,iterations pass off without actually entering the blockingloop. Second, it generally strengthens the layers which thenprovide better guidance for path construction or, equivalently,a stronger context for obligation blocking. Finally, and mostimportantly, clause propagation is the place where the algo-rithm’s convergence to an inductive invariant is detected. For efficiency, s should be as small as possible to provide for a goodgeneralization. For correctness, s must not intersect I . This can always beachieved, since at this point the state s is never an initial state. These two lines are not needed for correctness, but they substantiallyimprove IC3’s performance. When left out, the set Q operates as a stack andforces IC3 to find counterexamples of minimal length. or these reasons it could be advantageous to perform clausepropagation more often than just once per iteration. Thereis, however, a non-trivial computational cost connected withpropagation, and so it can only pay off to run it again when thelayers have changed sufficiently since it was last performed.Here we show how to detect on a per clause basis that apreviously failed pushing attempt should be reconsidered. Thiswill allow us to come up with a version of IC3, where all theclauses are pushed as far as possible at all times.Consider a clause c ∈ L i \ L i +1 that could not be pushedforward. This means the query on line 22 of the pseudocode inFig. 1 returned SAT. We may now inspect the model computedby the SAT-solver and extract a state w c which satisfies L i and from which there is a transition to a state satisfying ¬ c .Notice that as long as w c remains to satisfy L i during thepotential strengthenings of the layer, the query in questioncannot become UNSAT. The state w c , therefore, represents a witness for why c cannot be pushed forward from L i to L i +1 .But how do we efficiently recognize whether w c still satis-fies L i after a new clause d has been added to L i ? The answeris: via subsumption! It is only when d ⊆ ¬ w c (here we againuse that negation of a cube is a clause) that w c ceases to be awitness, because it does not satisfy the strengthened L i . Nowwe may directly retry the pushing query of line 22 and eitherdiscover a new witness or finally push the clause c to L i +1 .It may seem expensive to perform the subsumption testagainst every witness whenever a new clause is derived. Note,however, that efficient implementations of IC3 already usesubsumption routinely to test each new clause against all otherclauses (subsumed clauses can be removed which helps to keepthe layers small) and that by also considering the witnesses,one per each clause, the overhead is at most doubled. In thenext section we explain how to exploit the semantic relationbetween the individual layers to potentially reduce this cost.V. IC3 WITH SUBSUMPTION AND TRIGGERED PUSHING
It has been observed that IC3 often derives a clause c tobe inserted into layer L i while L i already contains a weakerclause d ⊇ c . Bradley [1] proposes to remove such clausesduring propagation; the implementation described in [5] ismore eager and clears layers via subsumption each time anew clause is derived. Removing subsumed clauses pays off,because they do not bring any additional information onlymake the layers unnecessarily large.Once subsumption is implemented for reducing layers itcan also be used for pruning proof obligations. Indeed, byconstruction, the clause c learned while blocking an obligation (cid:104) s, i (cid:105) satisfies c ⊆ ¬ s , but may also subsume other obligations (cid:104) t, i (cid:105) currently on Q . These can be directly rescheduled toindex i + 1 , each saving us one SAT-solver call.Now we describe how to organize the data structures of IC3such that 1) subsumption by newly derived clauses can be usedto prune layers and obligations, 2) clause pushing triggered bysubsuming a witness is integrated into the blocking phase tokeep clauses pushed as far as possible at all times. ∆ : clauses O : obligations h∗ , i R : push requests W : witnesses bb ∆ : clauses O : obligations h∗ , i R : push requests W : witnesses bb bbbbbb bb Fig. 2.
Organizing the data structures of IC3 with triggered pushing.
A bi-directional link is maintained between a clause and its witness / push request.
To avoid duplicating clauses we use the delta encoding oflayers proposed in [5]. A delta layer ∆ i consist of clausesappearing last in L i . Thus ∆ i = L i \ L i +1 and L i = (cid:83) j ≥ i ∆ j .Each layer clause c is either associated with its witness w c ora push request is stored for it, which means it will need tobe considered for pushing. Finally, instead of using a priorityqueue, we explicitly separate proof obligations into sets O i based on their index. The whole situation is depicted in Fig. 2.The algorithm now works as follows. It picks the smallestindex i such that there is either an obligation in O i or a requestin R i . If both sets are non empty, obligations are picked first. Handling a proof obligation corresponds to asking the queryfrom line 11 in Fig. 1 and either creates a new obligation orderives a new clause to be added to ∆ i . Similarly, handlinga push request corresponds to the query of line 22 and eithergenerates a new witness, which is stored to W i , or pushes theclause from ∆ i to ∆ i +1 . In both cases a new clause may beadded to a layer, which is where subsumption comes into play.When a clause c is added into ∆ i we put a push requestfor it into R i and then do the following: 1) we removeall the clauses from ∆ i subsumed by c (along with theirwitnesses or associated push requests), 2) we remove thesubsumed witnesses from W i and insert push requests for therespective clauses into R i , 3) we reschedule the subsumedproof obligations from O i to O i +1 . If the clause c waspushed to ∆ i from ∆ i − , we are done. If, on the otherhand, c was derived during blocking, it formally strengthenedall L , . . . , L i . We, therefore, continue towards lower indicesperforming 1) and 2) for j = i − , i − , . . . A key observationis that the iteration can be stopped as soon as the clause c isitself subsumed by some clause d from ∆ j . Since layers of lowindex are stronger than those further on, the iteration typicallyterminates way before reaching j = 0 . This way a lot of timespent on futile subsumption tests can be saved.VI. E XPERIMENT
To experimentally evaluate the benefit of the presented tech-nique we implemented both the standard IC3 algorithm andits variation extended with triggered pushing and compared First, by blocking obligations from O i we strenghten L i . Then weconsider the requests from R i . If a clause is successfully pushed to L i +1 it may subsume obligations waiting in O i +1 . The sets O j of proof obligations are empty for j < i at this point. p r ob l e m s s o l v ed timeout (seconds) IC3IC3 + TPIC3 + TP + WDM Fig. 3. Comparing original IC3 to a version with triggered pushing (TP) andto one further enhanced by witness directed minimization (WDM). them on the benchmarks from the Hardware Model CheckingCompetition of 2012. Since most of the code is shared bythe two implementations the results should directly reflect therelative improvement caused by triggered pushing which isexpected to carry over to other implementations.Our code is built on top of the SAT-solver Minisat [6]version 2.2. We transform the circuit to CNF using thePlaisted-Greenbaum encoding [7] which is then simplified byvariable elimination [8]. The obligation queue and layers areorganized as described in Section V. We found it advantageousin this setup to allocate a new solver instance for every timeindex. That way, the solvers corresponding to strong layers oflow indices are not polluted by the weaker clauses derivedfurther on. Clauses, as well as states of proof obligationsand witnesses, are stored sorted which enables a linear passsubsumption test. The test is, however, only started if theinputs pass a pre-filter based on precomputed signatures [8].Before we present our experimental results let us explainone further enhancement of IC3 which is readily availableonce the witnesses for pushing are maintained. Recall thatwhen a proof obligation is succcessfully blocked a set of usedassumptions is extracted from the SAT-solver. It is importantfor efficiency that this set be as small as possible. That is whythis set is usually explicitly minimized by removing individualliterals and checking whether the respective query remainsUNSAT. It has been observed [1] that the order in whichliterals are tried for removal affects the quality of the finalresult. Here we propose a heuristical order aimed at subsumingwitnesses and thus evoking pushing: a particular literal ispreferred for removal when there is a high number of witnessesof the respective layer that would not be subsumed if the literalremained in the learned clause. The idea is that early removalsare easier then later ones and so with this order we try to keepthe chance of subsuming a witness by the learned clause high. See http://fmv.jku.at/hwmcc12/. ∼ suda/triggered.html. We call the technique witness directed minimization (WDM).Let us finally have a look at Fig. 3, which compares theperformance of the original IC3, a version with triggered push-ing, and a version further extended with WDM. (The first twoversions use a random literal order for clause minimization.)We ran the versions separately on our servers with 3.16 GHzXeon CPU, 16 GB RAM, and Debian 6.0. The timeout was setto 900 seconds per problem. In the end original IC3 solved 45problems (19 SAT and 26 UNSAT), a version with triggeredpushing 54 (18 SAT and 36 UNSAT), and the one withWDM 56 problems (18 SAT and 38 UNSAT). This clearlydemonstrates that triggered pushing considerably improves theperformance of IC3. VII. D
ISCUSSION
Out of curiosity, we performed the above experiment with aversion of IC3 completely without clause propagation whereconvergence is detected when a delta layer becomes emptydue to subsumption. This version solved 19 problems (15 SATand 4 UNSAT). This experimentally confirms that clause prop-agation is an important phase during which IC3 strengthensits layers to provide better guidance for subsequent iterationsand, more importantly, establishes whether convergence to aninductive invariant has occurred.It this paper we have shown how the power of clausepropagation can be directly incorporated into the main loop ofIC3 rendering its benefits continuous. This is done by lever-aging witnesses, states extracted from failed clause pushingattempts, which would normally be thrown away. Maintainingthe witnesses provides new opportunities for directing IC3towards the invariant, as exemplified by the witness directedminimization technique we proposed. We believe the witnessescould also be used as a theoretical tool for a deeper under-standing of the remarkable performance of IC3 in general.R
EFERENCES[1] A. R. Bradley, “SAT-based model checking without unrolling,” in
VMCAI ,ser. Lecture Notes in Computer Science, R. Jhala and D. A. Schmidt, Eds.,vol. 6538. Springer, 2011, pp. 70–87.[2] A. R. Bradley, F. Somenzi, Z. Hassan, and Y. Zhang, “An incrementalapproach to model checking progress properties,” in
FMCAD , P. Bjesseand A. Slobodov´a, Eds. FMCAD Inc., 2011, pp. 144–153.[3] H. Chockler, A. Ivrii, A. Matsliah, S. Moran, and Z. Nevo, “Incrementalformal verification of hardware,” in
FMCAD , P. Bjesse and A. Slobodov´a,Eds. FMCAD Inc., 2011, pp. 135–143.[4] A. Cimatti and A. Griggio, “Software model checking via IC3,” in
CAV ,ser. Lecture Notes in Computer Science, P. Madhusudan and S. A. Seshia,Eds., vol. 7358. Springer, 2012, pp. 277–293.[5] N. E´en, A. Mishchenko, and R. K. Brayton, “Efficient implementation ofproperty directed reachability,” in
FMCAD , P. Bjesse and A. Slobodov´a,Eds. FMCAD Inc., 2011, pp. 125–134.[6] N. E´en and N. S¨orensson, “An extensible SAT-solver,” in
SAT , ser. LectureNotes in Computer Science, E. Giunchiglia and A. Tacchella, Eds., vol.2919. Springer, 2003, pp. 502–518.[7] D. A. Plaisted and S. Greenbaum, “A structure-preserving clause formtranslation,”
J. Symb. Comput. , vol. 2, no. 3, pp. 293–304, 1986.[8] N. E´en and A. Biere, “Effective preprocessing in SAT through variableand clause elimination,” in