
# Fast LTL Satisfiability Checking by SAT Solvers

Jianwen Li¹, Geguang Pu¹, Lijun Zhang², Moshe Y. Vardi³ and Jifeng He¹

¹Software Engineering, East China Normal University; ²State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences; ³Computer Science, Rice University

###### Abstract

Satisfiability checking for Linear Temporal Logic (LTL) is a fundamental step in checking for possible errors in LTL assertions. Extant LTL satisfiability checkers use a variety of different search procedures. With the sole exception of LTL satisfiability checking based on bounded model checking, which does not provide a complete decision procedure, LTL satisfiability checkers have not taken advantage of the remarkable progress over the past 20 years in Boolean satisfiability solving. In this paper, we propose a new LTL satisfiability-checking framework that is accelerated using a Boolean SAT solver. Our approach is based on the variant of the obligation-set method, which we proposed in earlier work. We describe here heuristics that allow the use of a Boolean SAT solver to analyze the obligations for a given LTL formula. The experimental evaluation indicates that the new approach provides a significant performance advantage.

## I Introduction

The satisfiability problem for Linear Temporal Logic (LTL) asks whether a given LTL formula is satisfiable [24]. LTL satisfiability checking plays an important role in checking the consistency of linear temporal specifications that are often used in an early stage of system design [20, 21]. Thus, efficient decision procedures to reason about large LTL formulas are quite desirable in practice.

There have been several approaches proposed to deal with the LTL satisfiability checking problem. The model-checking approach reduces LTL satisfiability to LTL model checking by model checking the negation of the given formula against a universal model. This approach uses either explicit [20] or symbolic [21] model checking. The tableau-based [23] and antichain-based [9] approaches apply an on-the-fly search in the underlying automaton transition system. The temporal-resolution-based method explores the unsatisfiable core using a deductive system [15]. Our own previous work [17], embodied in the Aalta LTL satisfiability checker, follows the automata-based approach and reduces satisfiability checking to emptiness checking of the transition system by adopting two new heuristic techniques, using on-the-fly search and obligation sets.

Previous experimental evaluations across a wide spectrum of benchmarks [20, 21, 22] concluded that none of the existing approaches described above dominates the others. To establish a high-performance LTL satisfiability checker, we introduced a portfolio LTL solver named Polsat [16], which runs several approaches in parallel, terminating with the fastest thread. By definition, Polsat is the best-performing LTL satisfiability checker (subject to constraints on the number of parallel threads).

An interesting observation in [16] is that the bounded-model-checking (BMC) technique [8] is the fastest on satisfiable formulas, as it leverages the tremendous progress demonstrated by Boolean satisfiability (SAT) solvers over the last 20 years [18]. At the same time, BMC can detect satisfiability, but not unsatisfiability, which means that this approach does not provide a complete decision procedure. Nevertheless, the impressive performance of the BMC-based approach inspired us to explore other possibilities of leveraging SAT solvers in LTL satisfiability checking.

We propose here an LTL satisfiability-checking framework that can be greatly accelerated by using SAT solvers. The key idea is to use obligation formulas, which are Boolean formulas collecting satisfaction information from the original LTL formula. Intuitively, an LTL formula is satisfiable if the corresponding Boolean obligation formula is satisfiable. Using obligation formulas makes it possible to utilize SAT solving, since it eliminates the temporal information of the LTL formula. Based on obligation formulas, we extend the approach proposed in [17] by presenting two novel techniques to accelerate the satisfiability-checking procedure with SAT solvers. In contrast to the BMC-based approach, our method is both sound and complete, as it can also check unsatisfiable formulas.

To illustrate the efficiency of our new approach, we integrate our implementation, Aalta_v0.2, into Polsat, which also provides a testing environment for LTL solvers. The experiments show that while still no solver dominates across all benchmarks, Aalta_v0.2 is much more competitive with other LTL satisfiability checkers than Aalta_v0.1. More significantly, the performance of Polsat improves dramatically as a result of replacing Aalta_v0.1 by Aalta_v0.2.

Contributions: The three main contributions of the paper are as follows: 1) We extend the concept of obligation set to that of obligation formulas, which enables us to leverage Boolean satisfiability solving in LTL satisfiability solving. 2) We offer two novel SAT-based heuristics to boost the checking of satisfiable and unsatisfiable formulas respectively. 3) We present a new tool, Aalta_v0.2, which is integrated into Polsat and evaluated over a large set of benchmark formulas. The experiments show that the new approach is both effective and efficient: the performance of Polsat improves 10-fold in some cases, with an average speed-up of 30% to 60% on random formulas.

Paper Structure: The paper is organized as follows. Section II introduces the preliminaries about LTL and our previous work [17]. Section III provides the theoretical framework of this paper. In Section IV, we describe two techniques, based on SAT solving, to accelerate satisfiability checking respectively for satisfiable and unsatisfiable formulas. The empirical framework is described in Section V. Section VI discusses related work, and finally Section VII concludes the paper.

## II Preliminaries

### II-A Linear Temporal Logic

Let be a set of atomic properties. The syntax of LTL formulas is defined by:

 φ ::= tt | ff | a | ¬φ | φ ∧ φ | φ ∨ φ | φ U φ | φ R φ | X φ

where , is an LTL formula. We use the usual abbreviations: , and .

We say is a propositional formula if it does not contain temporal operators. We say is a literal if it is an atomic proposition or its negation. We use to denote the set of literals, lower case letters to denote literals, to denote propositional formulas, and for LTL formulas. In this paper, we consider LTL formulas in negation normal form (NNF) – all negations are pushed in front of atomics. LTL formulas are often interpreted over . Since we consider LTL in NNF, formulas are interpreted on infinite literal sequences .

A trace is an infinite sequence over . For and we use to denote the prefix of up to its -th element, and to denote the suffix of from its -th element. Thus, . The semantics of temporal operators with respect to an infinite trace is given by: iff ; iff ; and

• iff there exists such that and for all ;

• iff either for all , or there exists with and for all .

According to the semantics, it holds . Now we define the satisfiability of LTL formulas as follows:

###### Definition 1 (Satisfiability)

We say is satisfiable if there exists an infinite trace such that .

### II-B Obligation-Based Satisfiability Checking

This section recalls the fundamental theories on obligation-based satisfiability checking in our previous work [17]. For more details readers can refer to the literature.

Obligation Set: The obligation set defined below is the fundamental part of the generalized satisfiability checking in our previous work.

###### Definition 2 (Obligation Set)

For a formula , we define its obligation set, denoted by , as follows:

• and ;

• If is a literal, ;

• If , ;

• If , ;

• If , ;

• If or , .

For , we refer to it as an obligation of . Moreover, we say is a consistent obligation iff holds, where .

From the definition of obligation above, one can easily check that the following theorem holds:

###### Theorem 1 (Obligation Acceleration [17])

Assume is a consistent obligation. Then, .

Obligation-Based Satisfiability Checking: Theorem 1 is sound but not complete. If no consistent obligation is found, we then explore the LTL transition system, which uses the normal form defined as follows:

###### Definition 3 (Normal Form)

The normal form of an LTL formula , denoted as , is a set defined as follows:

1. if is a propositional formula. If , we define ;

2. ;

3. ;

4. ;

5. ;

6. .

Note here let such that the root operator of is not a disjunction, and then is defined as the set of disjuncts of . Now we introduce the LTL transition system:

###### Definition 4 (LTL Transition System)

Let be the input formula. The labeled transition system is a tuple where:

1. is the initial state,

2. is the set of conjunctive formulas over ,

3. the transition relation is defined by: iff there exists ,

4. is the smallest set of formulas such that , and implies .

For a strongly connected component (SCC) , we use to denote the set of literals that along with . Then we have the following theorem:

###### Theorem 2 (Obligation-Based Satisfiability Checking [17])

The formula is satisfiable iff there exists an SCC of and a state in such that is a superset of some obligation .

###### Example 1

1. Consider the formula : Since in which is obviously a consistent obligation, so is also satisfiable from Theorem 1.

2. Consider the formula : since which does not contain any consistent obligation, so Theorem 1 is not available. Actually, contains only one state with a self-loop labeling : Thus we cannot find a satisfying Theorem 2, which implies is unsatisfiable.

## III Satisfiability Checking with Obligation Formula

### III-A Obligation Formula

Obligation-based satisfiability checking has been proven more efficient than the traditional model-checking-based approach [17]. However, the size of the obligation set can be exponential in the number of conjuncts. For example, consider the pattern formula , which obviously is satisfiable. With our previous approach, an extra exponential cost must be paid to compute the whole obligation set. We may view the obligation set as a DNF, with each element of the obligation set a clause of the DNF. This suggests that we can replace the obligation set by an obligation formula.

###### Definition 5 (Obligation Formula)

Given an LTL formula , the corresponding obligation formula, which is denoted as , is defined recursively as follows:

• and ;

• If where is a literal, then ;

• If , then ;

• If or , then ;

• If , then ;

• If , then ;

The obligation formula is virtually a Boolean formula. Compared to the definition of the obligation set (Definition 2), obligation formulas avoid the generation of the DNF, and thus avoid the extra exponential cost. This reduces the computation of the obligation set to a check on the obligation formula.

The following lemma explains the relationship between the obligation formula and obligation set:

###### Lemma 1

Given an LTL formula , then , i.e. the DNF of is .

###### Proof

We can prove this lemma by structural induction over :

1. If or , one can prove easily the lemma holds;

2. If is a literal, then we know and . Thus is true;

3. If , then we know and . By induction hypothesis we have holds. So it is also true that ;

4. If or , then we know and . By induction hypothesis we have holds. So it is also true that ;

5. If , then we know and . By induction hypothesis we have holds, where . Then it is true that ;

6. If , then we know and . By induction hypothesis we have holds, where . Then it is true that . The proof is done.

### III-B Obligation-based Satisfiability Checking Revisited

In this section, we adapt our general checking theorem (Theorem 2) by reducing the check for containment of an obligation to the satisfiability of the corresponding obligation formula. Lemma 2 below first shows the reduction, and Theorem 3 shows how to achieve the general check via the obligation formula. Before that, we introduce the (weak satisfaction relation) operator that appears in the theorem.

Let be a set of literals of , and a propositional formula in NNF. We define in a syntactic way: if is a literal, or then iff , iff and , and iff or . Note need not be consistent, e.g., holds according to the definition.

###### Lemma 2

Given an LTL formula and a literal set , then iff there exists an obligation such that .

###### Proof

According to Lemma 1, is semantically equivalent to the DNF of . Then from Definition 2 we know an obligation in is essentially a clause of the DNF of . And it is obvious that iff there is a clause in the DNF of which satisfies , i.e., . Let and we know is an obligation in . The proof is done.

###### Theorem 3 (SAT-Based Generalized Satisfiability Checking)

The LTL formula is satisfiable iff there exists an SCC scc and a state in such that .

###### Proof

First according to Lemma 2 we know holds iff there exists an obligation such that . Then from Theorem 2 we can directly conclude this theorem.

In Theorem 3 the set collects all literals along , thus it may be inconsistent. So it is necessary to introduce the notation .

## IV Satisfiability Checking Acceleration

In this section we present accelerating techniques exploiting obligation formulas that are tailored to both satisfiable and unsatisfiable formulas.

### IV-A Acceleration on Satisfiable formulas

Recall that we need to find a consistent obligation in in Theorem 1. Now the problem can be reduced to that of checking whether is satisfiable. The following lemma shows that if is satisfiable then there exists a consistent obligation in .

###### Lemma 3

For an LTL formula , if is satisfiable, then there exists a consistent obligation .

###### Proof

According to Lemma 1, is semantically equivalent to the DNF of . So every obligation in is actually a clause in the DNF of . And it is apparently true that is satisfiable implies there exists a clause in the DNF of which is satisfiable. Thus is consistent, i.e. . Let and we know that is a consistent obligation in . The proof is done.

From Lemma 3, Theorem 1 can be slightly adapted to obtain our SAT-based obligation acceleration for satisfiable formulas:

###### Theorem 4 (SAT-Based Obligation Acceleration)

For an LTL formula , if is satisfiable, then is also satisfiable.
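The obligation formula of Definition 5 and the quick check of Theorem 4, as an added Python example (not the authors' Aalta code). It assumes the clauses of(l) = l, of(Xψ) = of(ψ), of(ψ1 U ψ2) = of(ψ1 R ψ2) = of(ψ2), with ∧ and ∨ mapped through unchanged; the tuple encoding, the `pattern` family and the truth-table search standing in for a SAT solver are constructed for illustration.

```python
from itertools import product

# NNF formulas as nested tuples (encoding constructed for this example):
# ("tt",) ("ff",) ("lit","a") ("lit","!a") ("X",f) ("U",f,g) ("R",f,g) ("and",f,g) ("or",f,g)
def lit(name): return ("lit", name)
def F(f): return ("U", ("tt",), f)   # F f = tt U f
def G(f): return ("R", ("ff",), f)   # G f = ff R f

def of(phi):
    """Obligation formula (assumed clauses): a Boolean formula over phi's literals."""
    op = phi[0]
    if op in ("tt", "ff", "lit"):
        return phi
    if op in ("X", "U", "R"):
        return of(phi[-1])                 # X: its operand; U/R: the right operand
    return (op, of(phi[1]), of(phi[2]))    # "and" / "or"

def olg(phi):
    """Obligation set: the DNF of of(phi), as a set of frozensets of literals."""
    op = phi[0]
    if op == "tt":
        return {frozenset()}
    if op in ("ff", "lit"):
        return {frozenset([phi[1] if op == "lit" else "ff"])}
    if op in ("X", "U", "R"):
        return olg(phi[-1])
    left, right = olg(phi[1]), olg(phi[2])
    return left | right if op == "or" else {a | b for a in left for b in right}

def consistent(obligation):
    return "ff" not in obligation and not any("!" + l in obligation for l in obligation)

def atoms(f):
    if f[0] == "lit":
        return {f[1].lstrip("!")}
    return set() if f[0] in ("tt", "ff") else atoms(f[1]) | atoms(f[2])

def evaluate(f, env):
    op = f[0]
    if op in ("tt", "ff"):
        return op == "tt"
    if op == "lit":
        return not env[f[1][1:]] if f[1].startswith("!") else env[f[1]]
    left, right = evaluate(f[1], env), evaluate(f[2], env)
    return (left and right) if op == "and" else (left or right)

def boolean_sat(f):
    """Truth-table search standing in for a real SAT solver."""
    names = sorted(atoms(f))
    return any(evaluate(f, dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))

def quick_check(phi):
    """Theorem 4: a satisfiable of(phi) proves phi satisfiable; otherwise no verdict."""
    return "satisfiable" if boolean_sat(of(phi)) else "inconclusive"

def size(f):
    return 1 + sum(size(c) for c in f[1:] if isinstance(c, tuple))

def pattern(n):
    """Constructed family: conjunction of n disjunctions (F a_i or G b_i)."""
    phi = ("or", F(lit("a0")), G(lit("b0")))
    for i in range(1, n):
        phi = ("and", phi, ("or", F(lit(f"a{i}")), G(lit(f"b{i}"))))
    return phi

if __name__ == "__main__":
    p = pattern(8)
    print(len(olg(p)), "obligations,", size(of(p)), "nodes in of(phi):", quick_check(p))
```

For `pattern(n)` the obligation set doubles with every conjunct while `of` stays linear in the formula size; a formula such as G a ∧ X ¬a has an unsatisfiable obligation formula, so this check alone returns no verdict for it.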

### IV-B Acceleration on Unsatisfiable formulas

The previous section proposes a heuristic for checking satisfiability of obligation formulas. In this section we further exploit SAT solvers to develop heuristics for checking unsatisfiable formulas by using the obligation formulas. We first use an example to explain our idea. Consider the formula . One can see that is unsatisfiable. If we look into the formula, must be true in every position from the beginning (position ) in ; on the other hand, must be false in the position due to : this is obviously a contradiction. Now recall our approach: is unsatisfiable, so Theorem 4 cannot be applied. The observation here is that there is no positional information for literals in , so we lose the information that and must both be true in position .

For this purpose, we extend the obligation formula for a formula , denoted as , with additional positional information for each literal. Besides the literal itself, the start position and its duration are also recorded in . We denote the alphabet of as , where each consists of three elements:

• the propositional property (),

• start position () from which the property must be satisfied. The symbol means the start position is not determined.

• its duration () where means the duration is just the start position, means the duration is all from the start position; and means the duration is infinitely many from the start position, but not all.

For convenience in the following, we use the notations , , and to represent its corresponding first, second and third elements for . So, if , then , and . We also use the notation () to represent the set of literals appearing in (). Now we give the formal definition of :

###### Definition 6 (Obligation Formula with Position)

Given an LTL formula , the corresponding obligation formula with position, denoted as , is defined recursively as follows:

• If : ;

• If : ;

• If :

  • if for every it holds that , then ;

  • Otherwise , where is acquired from by setting and for every ;

• If : ;

• If : ;

• If : ;

• If : ;

where the function updates via the . Explicit rules are listed in Table I.

The operator is a key which causes nondeterminism. So every start position and duration in literals should be updated to and respectively, unless we make sure all literals' start positions are the same. The first column of Table I shows all possible compositions for literals. The second to fifth columns show the new composition after the corresponding temporal operator acts on the literal. The operator only adds 1 to the start position if it is determined, and the operator does not change the original information at all. For the operator it makes every start position undetermined. The operator is distinguished with as it causes the duration. If its nested literal satisfies or , then it will update ; otherwise it updates .

It should be mentioned that is essentially an extended propositional formula whose alphabet is . Definition 6 only involves in the syntactic level of , and its semantics is skipped as we treat an intermediate structure but actually set up the decision procedure on the positional projection formulas created from . The definition is shown below.

So far we have encoded the positional information into the literals and obligation formulas. The following definition provides a mechanism to project the obligation formula onto each position of concern. We make the projection loose enough to guarantee correctness: in the definitions, if the literal is not determined in the projecting position, then we just assign its projection to be .

###### Definition 7 (Positional Projection on Obligation Formulas)

Given an obligation formula with positions from , its projection under the position , denoted as , is defined recursively as follows:

• If :

 ofp(φ)↓i = { l.prop if l.start = i, or l.start

• If : ;

• If : .

Informally speaking, keeps the first part of literals whose projection on position is true. For these , it is either holds or and hold. Otherwise the literals are substituted by . So is a pure propositional formula.

For example, consider the formula and thus . Let and and we start from the literals. According to Definition 7 we have , (since ) and for every (since and ). Note also for all , and it is because which is undetermined so that its projection for every position is . Thus, recursively we know that , and etc.

Now the whole framework has been established, and we can conclude that the formula is unsatisfiable by finding a position which cannot be satisfied in all its models: this is exactly what Theorem 5 below states. Before that, Lemma 4 should be introduced first, which shows the truth of the reverse of Theorem 5. In the lemma, the notation represents the th element of the infinite trace .

###### Lemma 4

Given an infinite word and an LTL formula , if , then for every position it holds that .

###### Proof

We prove this lemma by structural induction over .

1. If is a literal, from Definition 6 we know , and from Definition 7 we know and . Since so must hold according to the LTL semantics. For it is obviously true that ;

2. If , since so according to the LTL semantics. By induction hypothesis, we know that for every . Then according to the rules on operator in Table I, we know that for every . Also we know , so it is apparent that ;

3. If , then according to the rule on operator in Table I we know that for all . Thus from Definition 7, holds for every . Hence holds for all ;

4. If , then first we know implies from the LTL semantics on R operator. Thus by induction hypothesis we already have for every . Moreover it is true that according to the rules on operator in Table I, so does for all . Thus it concludes that for every ;

5. If , then implies that for all . By induction hypothesis, for every and we have the assumption that . Now we consider the possibilities of :

   • If , then from Definition 6 we know . For we have according to Definition 7. And for we know that . Since for every and , so also holds for . Thus for every we have ;

   • If , then from Definition 6 we know . For we have . And holds if . For we know so is always true;

   • If where can be , or , then from Definition 6 we have . Thus according to Definition 7 we know for every . So is always true;

   • Inductively if , then we know and implies and hold for every . By inductive hypothesis we have proven that and for , so also holds. As we know , so it is true that for ;

   • If , then we know and implies or holds for every . By inductive hypothesis we have proven that or for , so also holds. According to Definition 6 if then it is true that for . And if from Definition 6 then we know for every , so holds as well.

   Thus, we prove that holds for every ;

6. If , then from Definition 6 we know that , and so does for via Definition 7. Also implies and . By induction hypothesis, it holds that and for every . So , which proves that for ;

7. If , then implies either or holds. Assume that holds. Also according to Definition 6, there are two possibilities on : 1) If , then by induction hypothesis we know that implies for all . Moreover, we can conclude that from Definition 7. Combining the conclusion above we can finally prove for all ; 2) If , then since is updated to for every in and : it causes that and are assigned to according to Definition 7, and so does . Hence it is easy to check that for all . Finally the proof is done.

Lemma 4 directly implies the following theorem for checking unsatisfiable formulas:

###### Theorem 5 (SAT-Based Unsatisfiable Checking)

Given an LTL formula , if there exists a position such that is unsatisfiable, then is also unsatisfiable.

However, this theorem can only be implemented as a heuristic technique, because in the worst case we cannot check every position of an infinite model. On the other hand, it is also not necessary to check the exact position every time: instead we can find the unsatisfiable position in a more abstract way. To achieve this, we need to introduce a more abstract definition for projection on obligation formulas.

###### Definition 8 (Abstract Projection on Obligation Formulas)

Given an obligation formula with positions from and a literal set , we define its projection under , denoted as , as follows:

• : if then , else ;

• : ;

• : ;

Informally speaking, is a Boolean formula in which literals not in are replaced by , and those in are replaced by their first elements. The following corollary lists the strategies we apply in our algorithm.

###### Corollary 1

Given an LTL formula , let , then is unsatisfiable if one of the following conditions is true:

1. There exists such that