SAT-Based Explicit LTL Reasoning

SAT-Based Explicit LTL Reasoning

Jianwen Li Department of Computer Science, Rice University, USA Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, P. R.China    Shufang Zhu Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, P. R.China    Geguang Pu Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, P. R.China    Moshe Y. Vardi Department of Computer Science, Rice University, USA
Abstract

We present here a new explicit reasoning framework for linear temporal logic (LTL), which is built on top of propositional satisfiability (SAT) solving. As a proof-of-concept of this framework, we describe a new LTL satisfiability algorithm. We implemented the algorithm in a tool, Aalta_v2.0, which is built on top of the Minisat SAT solver. We tested the effectiveness of this approach by demonstrating that Aalta_v2.0 significantly outperforms all existing LTL satisfiability solvers.

1 Introduction

Linear Temporal Logic (LTL) was introduced into program verification in [25]. Since then it has been widely accepted as a language for the specification of ongoing computations [20] and it is a key component in the verification of reactive systems [4, 14]. Explicit temporal reasoning, which involves an explicit construction of temporal transition systems, is a key algorithmic component in this context. For example, explicitly translating LTL formulas to Büchi automata is a key step both in explicit-state model checking [11] and in runtime verification [31]. LTL satisfiability checking, a step that should take place before verification, to assure consistency of temporal requirements, also uses explicit reasoning [26]. These tasks are known to be quite demanding computationally for complex temporal properties [11, 26, 31]. A way to get around this difficulty is to replace explicit reasoning by symbolic reasoning, e.g., as in BDD-based or SAT-based model checking [23, 22], but in many cases the symbolic approach is inefficient [26] or inapplicable [31]. Thus, explicit temporal reasoning remains an indispensable algorithmic tool.

The main approach to explicit temporal reasoning is based on the tableau technique, in which a recursive syntactic decomposition of temporal formulas drives the construction of temporal transition systems. This approach is based on the technique of propositional tableau, whose essence is search via syntactic splitting [6]. This is in contrast to modern propositional satisfiability (SAT) solvers, whose essence is search via semantic splitting [19]. The tableau approach to temporal reasoning underlies both the best LTL-to-automata translator [8] and the best LTL-satisfiability checker [18]. Thus, we have a situation where in the symbolic setting much progress is being attained both by the impressive improvement in the capabilities of modern SAT solvers [19] as well as new SAT-based model-checking algorithms [1, 3], while progress in explicit temporal reasoning is slower and does not fully leverage modern SAT solving. (It should be noted that several LTL satisfiability solvers, including Aalta [17] and ls4 [30] do employ SAT solvers, but they do so as an aid to the main reasoning engine, rather than serve as the main reasoning engine.)

Our main aim in this paper is to study how SAT solving can be fully leveraged in explicit temporal reasoning. The key intuition is that explicit temporal reasoning consists of construction of states and transitions, subject to temporal constraints. Such temporal constraints can be reduced to a sequence of Boolean constraints, which enables the application of SAT solving. This idea underlies the complexity-theoretic analysis in [33], and has been explored in the context of modal logic [12], but not yet in the context of explicit temporal reasoning. Our belief is that SAT solving would prove to be superior to tableau in that context.

We describe in this paper a general framework for SAT-based explicit temporal reasoning. The crux of our approach is a construction of temporal transition system that is based on SAT-solving rather than tableau to construct states and transitions. The obtained transition system can be used for LTL-satisfiability solving, LTL-to-automata translation, and runtime-monitor construction.

As proof of concept for the new framework, we use it to develop a SAT-based algorithm for LTL-satisfiability checking. We also propose several heuristics to speed up the checking by leveraging SAT solvers. We implemented the algorithm and heuristics in an LTL-satisfiability solver Aalta_v2.0. To evaluate its performance, we compared it against Aalta, the existing best-of-breed LTL-satisfiability solver [18, 17], which is tableau-based. We also compare it against NuXmv, a symbolic LTL-satisfiability solver that is based on cutting-edge SAT-based model-checking algorithms [1, 3], which outperforms Aalta. We show that our explicit SAT-based LTL-satisfiability solver outperforms both.

In summary, the contributions in this paper are as follows:

• We propose a SAT-based explicit LTL-reasoning framework.

• We show a successful application of the framework to LTL-satisfiability checking, by designing a novel algorithm and efficient heuristics.

• We compare our new framework for LTL-satisfiability checking with existing approaches. The experimental results demonstrate that our tool significantly outperforms other existing LTL satisfiability solvers.

The paper is organized as follows. Section 2 provides technical background. Section 3 introduces the new SAT-based explicit-reasoning framework. Section 4 describes in detail the application to LTL-satisfiability checking. Section 5 shows the experimental results for LTL-satisfiability checking. Finally Section 6 provides concluding remarks. Missing proofs are in the Appendix.

2 Preliminaries

Linear Temporal Logic (LTL) is considered as an extension of propositional logic, in which temporal connectives (next) and (until) are introduced. Let be a set of atomic properties. The syntax of LTL formulas is defined by:

 ϕ ::= tt∣ff∣a∣¬ϕ | ϕ∧ϕ | ϕ∨ϕ | ϕUϕ | Xϕ

where , is true and is false. We introduce the (release) connectives as the dual of , which means . We also use the usual abbreviations: , and .

We say that is a literal if it is an atomic proposition or its negation. Throughout the paper, we use to denote the set of literals, lower case letters to denote literals, to denote propositional formulas, and for LTL formulas. We consider LTL formulas in negation normal form (NNF), which can be achieved by pushing all negations in front of only atoms. Since we consider LTL in NNF, formulas are interpreted here on infinite literal sequences, whose alphabet is .

A trace is an infinite sequence in . For and we use to denote a prefix of , and to denote a suffix of . Thus, . The semantics of LTL with respect to an infinite trace is given by:

• iff , where is a propositional formula;

• iff ;

• iff there exists such that and for all , ;

• iff for all , it holds or there exists such that .

The closure of an LTL formula , denoted as , is a formula set such that: (1). is in ; (2). is in if or ; (3). are in if , where can be and ; (4). if and is an Until or Release formula. We say each in , which is added via rules (1)-(3), is a subformula of . Note that the standard definition of LTL closure consists only of rules (1)-(3). Rule (4) is added in this paper due to its usage in later sections. Note that the size of is linear in the length of , even with the addition of rule (4).

3 Explicit LTL Reasoning

In this section we introduce the framework of explicit LTL reasoning. To demonstrate clearly both the similarity and difference between our approach and previous ones, we organize this section as follows. We first provide a general definition of temporal transition systems, which underlies both our new approach and previous approach. We then discuss how traditional methods and our new one relate to this framework.

3.1 Temporal Transition System

As argued in [32, 12], the key to efficient modal reasoning is to reason about states and transitions propositionally. We show here how the same approach can be applied to LTL. Unlike modal logic, where there is a clear separation between formulas that talk about the current state and formulas that talk about successor states (the latter are formulas in the scope of or , i.e. G or F in LTL), LTL formulas do not allow for such a clean separation. Achieving such a separation requires some additional work.

We first define propositional satisfiability of LTL formulas.

Definition 1 (Propositional Satisfiability)

For an LTL formula , a propositional assignment for is a set such that

• every literal is either in or its negation is, but not both.

• implies and ,

• implies or ,

• implies or both and . In the former case, that is, , we say that satisfies immediately. In the latter case, we say that postpones .

• implies and either or . In the former case, that is, , we say that satisfies immediately. In the latter case, we say that postpones .

We say that a propositional assignment propositional satisfies , denoted as , if . We say an LTL formula is propositionally satisfiable if there is a propositional assignment for such that .

For example, consider the formula . The set is a propositional assignment that propositionally satisfies . In contrast, the set is not a propositional assignment.

The following theorem shows the relationship between LTL formula and its propositional assignment.

Theorem 3.1

For an LTL formula and an infinite trace , we have that iff there exists a propositional assignment such that propositionally satisfies and .

Since a propositional assignment of LTL formula contains the information for both current and next states, we are ready to define the transition systems of LTL formula.

Definition 2

Given an LTL formula , the transition system is a tuple where

• is the set of states that are propositional assignments for . The trace of a state is , that is, the set of literals in .

• is a set of initial states, where for all .

• is the transition relation, where holds if implies , for all .

A run of is an infinite sequence such that and holds for all .

Every run of induces a trace in . In general, it needs not hold that . This requires an additional condition. Consider an Until formula . Since is a propositional assignment for we either have that satisfies immediately or that it postpones it, and then . If postpones for all , then we say that is stuck in .

Theorem 3.2

Let be a run of . If no Until subformula is stuck at , then . Also, is satisfiable if there is a run of so that no Until subformula is stuck at .

We have now shown that the temporal transition system is intimately related to the satisfiability of . The definition of is, however, rather nonconstructive. In the next subsection we discuss how to construct .

3.2 System Construction

First, we show how one can consider LTL formulas as propositional ones. This requires considering temporal subformulas as propositional atoms. We now define the propositional atoms of LTL formulas.

Definition 3 (Propositional Atoms)

For an LTL formula , we define the set of propositional atoms of , i.e. , as follows:

1. if is an atom, Next, Until or Release formula;

2. if ;

3. if or .

Consider, for example, the formula . Here we have is . Intuitively, the propositional atoms are obtained by treating all temporal subformulas of as atomic propositions. Thus, an LTL formula can be viewed as a propositional formula over .

Definition 4

For an LTL formula , let be considered as a propositional formula over .

We now introduce the neXt Normal Form (XNF) of LTL formulas, which separates the “current” and “next-state” parts of the formula, but costs only linear in the original formula size.

Definition 5 (neXt Normal Form)

An LTL formula is in neXt Normal Form (XNF) if there are no Unitl or Release subformulas of in .

For example, is not in XNF, while is in XNF. Every LTL formula can be converted, with linear in the formula size, to an equivalent formula in XNF.

Theorem 3.3

For an LTL formula , there is an equivalent formula that is in XNF. Furthermore, the cost of the conversion is linear.

Proof

To construct , We can apply the expansion rules and . In detail, we can construct inductively:

1. if is , , a literal or a Next formula ;

2. if ;

3. if ;

4. if ;

5. if .

Since the construction is built on the two expansion rules that preserve the equivalence of formulas, it follows that is logically equivalent to . Note that the conversion map doubles the size of the converted formula , but since the conversion puts Until and Release subformulas in the scope of Next, and the conversion stops when it comes to Next subformulas, the cost is at most linear.∎

We can now state propositional satisfiability of LTL formulas in terms of satisfiability of propositional formulas. That is, by restricting LTL formulas to XNF, a satisfying assignment of , which can be obtained by using a SAT solver, corresponds precisely to a propositional assignment of formula .

Theorem 3.4

For an LTL formula in XNF, if there is a satisfying assignment of , then there is a propositional assignment of that satisfies such that . Conversely, if there is a propositional assignment of that satisfies , then there is a satisfying assignment of such that .

Proof

() Let be a satisfying assignment of . Then let be the set of all formulas such that satisfies . We clearly have that . According to Definition 1 and because is in XNF, we have that is a propositional assignment of that satisfies .

() Let be a propositional assignment of that satisfies . Then let to be the assignment that assign true to precisely when . Again, we clearly have that, . According to Definition 1 and because is in XNF, we have that is a satisfying assignment of .∎

Theorem 3.4 shows that by requiring the formula to be in XNF, we can construct the states of the transition system via computing satisfying assignments of over . Let be a satisfying assignment of and be the related propositional assignment of generated from by Theorem 3.4, the construction is operated as follows:

1. Let ; and let ,

2. Compute for each , where ; and update ;

3. Stop if does not change; else go back to step 2.

The construction first generates initial states (step 1), and then all reachable states from initial ones (step 2); it terminates once no new reachable state can be generated (step 3). So is the set of system states and its size is bounded by .

Our goal here is to show that we can construct the transition system by means of SAT solving. This requires us to refine Theorem 3.2. A key issue in how a propositional assignment handles an Until formula is whether it satisfies it immediately or postpones it. We introduce new propositions that indicate which is the case, and we refine the implementation of ). Given , we introduce a new proposition , and use the following conversion rule: . Thus, is required to be true when the Until is satisfied immediately, and false when the Until is postponed. Now we can state the refinement of Theorem 3.2.

Theorem 3.5

For an LTL formula , is satisfiable iff there is a finite run in such that

1. There are such that ;

2. Let . If , then .

Proof

Suppose first that items 1 and 2 hold. Then the infinite sequence is an infinite run of . It follows from Item 2 that no Until subformula is stuck at . By Theorem 3.2, we have that .

Suppose now that is satisfiable. By Theorem 3.2, there is an infinite run of in which no Until subformula is stuck. Let be such a run. Each is a state of , and the number of states is bounded by . Thus, there must be such that . Let . Since no Until subformula can be stuck at , if , then it is must be that . ∎

The significance of Theorem 3.5 is that it reduces LTL satisfiability checking to searching for a “lasso” in [5]. Item 1 says that we need to search for a prefix followed by a cycle, while Item 2 provides a way to test that no Until subformla gets stuck in the infinite run in which the cycle is repeated infinitely often.

3.3 Related Work

We introduced our SAT-based reasoning approach above, and in this section we discuss the difference between our SAT-based approach and earlier works.

Earlier approach to transition-system construction for LTL formulas, based on tableau [11] and normal form [18], generates the system states explicitly or implicitly via a translation to disjunctive normal form (DNF). In [18], the conversion to DNF is explicit (though various heuristics are used to temper the exponential blow-up) and the states generated correspond to the disjuncts. In tableau-based tools, cf., [11, 7], the construction is based on iterative syntactic splitting in which a state of the form is split to states: and .

The approach proposed here is based on SAT solving, where the states correspond to satisfying assignments. Satisfying assignments are generated via a search process that is guided by semantic splitting. The advantage of using SAT solving rather than syntactic approaches is the impressive progress in the development of heuristics that have evolved to yield highly efficient SAT solving: unit propagation, two-literal watching, back jumping, clause learning, and more, see [19]. Furthermore, SAT solving continues to evolve in an impressive pace, driven by an annual competition. It should be remarked that an analogous debate, between syntactic and semantic approaches, took place in the context of automated test-pattern generation for circuit designs, where, ultimately, the semantic approach has been shown to be superior [16].

Furthermore, relying on SAT solving as the underlying reasoning technology enables us to decouple temporal reasoning from propositional reasoning. Temporal reasoning is accomplished via a search in the transition system, while the construction of the transition system, which requires proposition reasoning using SAT solving.

4 LTL Satisfiability Checking

Given an LTL formula , the satisfiability problem is to ask whether there is an infinite trace such that . In the previous section we introduced a SAT-based LTL-reasoning framework and showed how it can be applied to solve LTL reasoning problems. In this section we use this framework to develop an efficient SAT-based algorithm for LTL satisfiability checking. We design a depth-first-search (DFS) algorithm that constructs the temporal transition system on the fly and searches for a trace per Theorem 3.5. Furthermore, we propose several heuristics to reduce the search space. Due to the limited space, we offer here a high-level description of the algorithms. Details are provided in Appendix C.

4.1 The Main Algorithm

The main algorithm, LTL-CHECK, creates the temporal transition system of the input formula on-the-fly, and searches for a lasso in a DFS manner. Several prior works describe algorithms for DFS lasso search , cf. [5, 18, 28]. Here we focus on the steps that are specialized to our algorithm.

The key idea of LTL-CHECK is to create states and their successors using SAT techniques rather than traditional tableau or expansion techniques. Given the current formula , we first compute its XNF version , and then use a SAT solver to compute the satisfying assignments of . Let be a satisfying assignment for ; from the previous section we know that yields a successor state in . We implement this approach in the function, which we improve later by introducing some heuristics. By enumerating all assignments of we can obtain all successor states of . Note, however that LTL-CHECK runs in the DFS manner, under which only a single state is needed at a time, so additional effort must be taken to maintain history information of the next-state generation for each state .

As soon as LTL-CHECK detects a lasso, it checks whether the lasso is accepting. Previous lasso-search algorithms operate on the Büchi automaton generated from the input formula. In contrast, here we focus directly on the satisfaction of Until subformulas per Theorem 3.5. We use the example below to show the general idea.

Consider the formula . By Theorem 3.3, , where and . Suppose we get from the SAT solver an assignment of . By Theorem 3.4, we create a satisfying assignment that includes all formulas in that are satisfied by , and we get the state . To obtain the next state, we start with , compute and repeat the process. After several steps LTL-CHECK may find a path , where . Now and form a lasso. Let . Both and are in , and also and are in . By Theorem 3.5, is satisfiable.

4.2 Heuristics for State Elimination

While LTL-CHECK uses an efficient SAT solver to compute states of the system in the function, this approach is effective in creating states and their successors, but cannot be used to guide the overall search. To find a satisfying lasso faster, we add heuristics that drive the search towards satisfaction. The key to these heuristics is smartly choosing the next state given by SAT solvers. This can be achieved by adding more constraints to the SAT solver. Experiments show these heuristics are critical to the performance of our LTL-satisfiability tool.

The construction of state in the transition system always starts with formulas. At the beginning, we have the input formula and we take the following steps: (1) Compute ; (2) Call a SAT solver to get an assignment of ; and (3) Derive a state from . Then, to get a successor state, we start with the formula , and repeat steps (1-3). Thus, every state is obtained from some formula , which we call the representative formula. Note that with the possible exception of , all representative formulas are conjunctions. Let be the representative formula of a state ; we say that is an obligation of if is an Until formula. Thus, we associate with the state a set of obligations, which are the Until conjunctive elements of . (The initial state may have obligations if it is a conjunction.) The approach we now describe is to satisfy obligations as early as possible during the search, so that a satisfying lasso is obtained earlier. We now refine the function, and introduce three heuristics via examples.

The function keeps a global obligation set, collecting all obligations so far not satisfied in the search. The obligation set is initialized with the obligations of the initial formula . When an obligation is satisfied (i.e., when is true), is removed from the obligation set. Once the obligation set becomes empty in the search, it is reset to contain obligations of current representative formula . In Fig. 1, we denote the obligation set by . is initialized to , as there is no obligation in . is then reset in the states and , when it becomes empty.

The function runs in the ELIMINATION mode by default, in which it obtains the next state guided by the obligations of current state. For satisfiable formulas, this leads to faster lasso detection. Consider formula . Parts of the temporal transition system are shown in Fig. 1. In the figure, is reset to in state , as these are the obligations of . To drive the search towards early satisfaction of obligations, we obtain a successor of , by applying the SAT solver to the formula , to check whether or can be satisfied immediately. If the returned assignment satisfies , then we get the success state with the representative formulas , and is removed from . Then the next state is with the representative formula , which removes the obligation . since becomes empty, it is reset to the obligations of . Note that in Fig. 1, there should be transitions from to and from to , but they are never traversed under the ELIMINATION mode.

The function runs in the SAT_PURSUING mode when the obligation set becomes empty. In this mode, we want to check whether the next state can be a state that have been visited before and after that visit the obligation set has become empty. In this case, the generated lasso is accepting, by Theorem 3.5. In Fig. 1, the obligation set becomes empty in state . Previously, it has become empty in . Normally, we find a success state for by applying the SAT solver to . To find out if either or can be a successor of , we apply the SAT solver to the formula . Since this formula is satisfiable and indicates a transition from to ( can be assigned true in the assignment), we have found that satisfies . In the figure, the transitions labeled x represent failed attempts to generate the lasso when becomes empty. Although failed attempts have a computational cost, trying to close cycles aggressively does pay off.

The function runs in the CONFLICT_ANALYZE mode if all formulas in the obligation set are postponed in the ELIMINATION mode. The goal of this mode is to eliminate “conflicts” that block immediate satisfaction of obligations. To achieve this, we use a conflict-guided strategy. Consider, for example, the formula . Here the formula is an obligation. We check whether can be satisfied immediately, but it fails. The reason for this failure is the conjunct in , which conflicts with the obligation . We identify this conflict using a minimal unsat core algorithm [21]. To eliminate this conflict, we add the conjunct to , hoping to be able to satisfy the obligation immediately in the next state. When we apply the SAT solver to , we obtain a successor state with the representative formula , again with as an obligation. When we try to satisfy immediately, we fail again, since conflicts with . To block both conflicts, we add as an additional constraint, and apply the SAT solver to . This yields a successor state with the representative formula . Now we are able to satisfy immediately, and we are able to satisfy with the finite path .

As another example, consider the formula . Since is an obligation, we try to satisfy it immediately, but fail. The reason for the failure is that immediate satisfaction of conflicts with the conjunct . In order to try to block this conflict, we add to the conjunct , and apply the SAT solver to . This also fails. Furthermore, by constructing a minimal unsat core, we discover that is unsatisfiable. This indicates that is an “invariant”; that is, if is true in a state then it is also true in its successor. This means that the obligation can never be satisfied, since the conflict can never be removed. Thus, we can conclude that is unsatisfiable without constructing more than one state.

In general, identifying conflicts using minimal unsat cores enables both to find satisfying traces faster, or conclude faster that such traces cannot be found.

5 Experiments on LTL Satisfiability Checking

In this section we discuss the experimental evaluation for LTL satisfiability checking. We first describe the methodology used in experiments and then show the results.

5.1 Experimental Methodologies

The platform used in the experiments is an IBM iDataPlex consisting of 2304 processor cores in 192 Westmere nodes (12 processor cores per node) at 2.83 GHz with 48 GB of RAM per node (4 GB per core), running the 64-bit Redhat 7 operating system. In our experiments, each tool runs on a single core in a single node. We use the Linux command “time” to evaluate the time cost (in seconds) of each experiment. Timeout was set to 60 seconds, and the out-of-time cases are set to cost 60s.

We implemented the satisfiability-checking algorithms introduced in this paper, and named the tool Aalta_v2.0 222It can be downloaded at www.lab205.org/aalta.. We compare Aalta_v2.0 with Aalta_v1.2, which is the latest explicit LTL-satisfiability solver (though it does use some SAT solving for acceleration) [17]. (The SAT engine used in both Aalta_v1.2 and Aalta_v2.0 is Minisat [9].) In the literature, Aalta_v1.2 is shown to outperform other existing explicit LTL solvers, so we omit the comparison with these solvers in this paper. Two resolution-based LTL satisfiability solvers, TRP++ [15] and ls4 [30], are also included in our comparison. (Note ls4 utilizes SAT solving as well.)

As shown in [26], LTL satisfiability checking can be reduced to model checking. While BDD-based model checker were shown to be competitive for LTL satisfiability solving in [26], they were shown later not to be competitive with specialized tools, such as Aalta_v1.2 [18]. We do, however, include in our comparison the model checker NuXmv [2], which integrates the latest SAT-based model checking techniques. It uses Minisat as the SAT engine as well. Although standard bounded model checking (BMC) is not complete for the LTL satisfiability checking, there are techniques to make it complete, for example, incremental bounded model checking (BMC-INC) [13], which is implemented in NuXmv. In addition, NuXmv implements also new SAT-based techniques, IC3 [1], which can handle liveness properties with the K-liveness technique[3]. We included IC3 with K-liveness in our comparison.

To compare with the K-liveness checking algorithm, we ran NuXmv using the command “check_ltlspec_klive -d”. For the BMC-INC comparison, we run NuXmv with the command “check_ltlspec_sbmc_inc -c”. Aalta_v2.0, Aalta_v1.2 and ls4 tools were run using their default parameters, while TRP++ runs with “-sBFS -FSR”. Since the input of TRP++ and ls4 must be in SNF (Separated Normal Form [10]), an SNF generator is required for running these tools. We use the generator TST-translate which belongs to ls4 tool suit.

In the experiments we consider the benchmark suite from [27], referred to as schuppan-collected. This suite collects formulas from several prior works, including [26], and has a total of 7446 formulas (3723 representative formulas and their negations). (Testing also the negation of each formula is in essence a check for validity.) In our experiments, we did not find any inconsistency among the solvers that did not time out.

5.2 Results

The experimental results are shown in Table 1. In the table, the first column lists the different benchmarks in the suite, and the second to eighth columns display the results from different solvers. Each result in a cell of the table is a tuple , where is the total checking time for the corresponding benchmark, and is the number of unsolved formulas due to timeout in the benchmark. Specially the number “0” in the table means all formulas in the given benchmark are solved. Finally, the last row of the table lists the total checking time and number of unsolved formulas for each solver.

The results show that while the tableau-based tool Aalta_v1.2, outperforms ls4 and TRP++, it is outperformed by NuXmv-BMCINC and NuXmv-IC3-Klive, both of which are outperformed by Aalta_v2.0, which is faster by about 6,000 seconds and solves 47 more instances than NuXmv-IC3-Klive.

Our framework is explicit and closest to that is underlaid behind Aalta_v1.2. From the results, Aalta_v2.0 with heuristic outperforms Aalta_v1.2 dramatically, faster by more than 23,000 seconds and solving 371 more instances. One reason is, when Aalta_v1.2 fails it is often due to timeout during the heavy-duty normal-form generation, which Aalta_v2.0 simply avoids (generating XNF is rather lightweight).

Generating the states in a lightweight way, however, is not efficient enough. By running Aalta_v2.0 without heuristics, it cannot perform better than Aalta_v1.2, see the data in column 5 and 7 of Table 1. It can even be worse in some benchmarks such as “/anzu/amba” and “anzu/genbuf”. We can explain the reason via an example. Assume the formula is , the traditional tableau method splits the formula and at most creates two nodes. Under our pure SAT-reasoning framework, however,it may create three nodes which contain or , or . This indicates that the state space generated by SAT solvers may in general be larger than that generated by tableau expansion.

To overcome this challenge, we propose some heuristics by adding specific constraints to SAT solvers, which at the mean time succeeds to reduce the searching space of the overall system. The results shown in column 8 of Table 1 demonstrate the effectiveness of heuristics presented in the paper. For example, the “/trp/N12/” and “/forobots/” benchmarks are mostly unsatisfiable formulas, which Aalta_v1.2 and Aalta_v2.0 with heuristic do not handle well. Yet the unsat-core extraction heuristic, which is described in the CONFLICT_ANALYZE mode of function, enables Aalta_v2.0 with heuristic to solve all these formulas. For satisfiable formulas, the results from “/anzu/amba/” and “/anzu/
genbuf” formulas, which are satisfiable, show the efficiency of the ELIMINATION and SAT_PURSUING heuristics in the function, which are necessary to solve the formulas.

In summary, Aalta_v2.0 with heuristic performed best on satisfiable formulas, solving 6750 instances, followed in order by NuXmv-BMCIMC (6714), NuXmv-IC3-Klive (6700), Aalta_v1.2 (6689), ls4 (6648), and TRP++ (4711). For unsatisfiable formulas, NuXmv-IC3-Klive performs best, solving 620 instances, followed in order by Aalta_v2.0 with heuristic (617), NuXmv-BMCINC (356), ls4 (335), Aalta_v1.2 (309), and TRP++ (307). Detailed statistics are in Appendix D.

Note that NuXmv-IC3-Klive is able to solve more cases than Aalta_v2.0 with heuristic in some benchmarks, such as “/lift” and “/schuppan/phltl” in which unsatisfiable formulas are not handled well enough by Aalta_v2.0. Currently, Aalta_v2.0 requires large number of SAT calls to identify an unsatisfiable core. In future work we plan to use a specialized MUS (minimal unsatisfable core) solver to address this challenge.

6 Concluding Remarks

We described in this paper a SAT-based framework for explicit LTL reasoning. We showed one of its applicaitons to LTL-satisfiability checking, by proposing basic algorithms and efficient heuristics. As proof of concept, we implemented an LTL satisfiability solver, whose performance dominates all similar tools. In Appendix E we demonstrate that our approach can be extended from propositional LTL to assertional LTL, yielding exponential improvement in performance.

Extending the explicit SAT-based approach to other applications of LTL reasoning, is a promising research direction. For example, the standard approach in LTL model checking [34] relies on the translation of LTL formulas to Büchi automata. The transition systems that is used for LTL satisfiability checking can also be used in the translation from LTL to Büchi automata. Current best-of-breed translators, e.g., [8, 11, 7, 29] are tableau-based, and the SAT approach may yield significant performance improvement.

Of course, the ultimate temporal-reasoning task is model checking. Explicit model checkers such as SPIN [14] start with a translation of LTL to Büchi automata, which are then used by the model-checking algorithm. An alternative approach is to construct the automaton on-the-fly using SAT techniques, using the framework developed here. Current symbolic model-checking tools, such as NuXmv, do rely heavily on SAT solvers to implement algorithms such as BMC [13] or IC3 [1]. The success of the SAT-based explicit LTL-reasoning approach for LTL satisfiability checking suggests that this approach may also be successful in SAT-based model checking. This remains a highly intriguing research possibility.

References

• [1] A. Bradley. SAT-based model checking without unrolling. In Ranjit Jhala and David Schmidt, editors, Verification, Model Checking, and Abstract Interpretation, volume 6538 of Lecture Notes in Computer Science, pages 70–87. Springer Berlin Heidelberg, 2011.
• [2] R. Cavada, A. Cimatti, M. Dorigatti, A. Griggio, A. Mariotti, A. Micheli, S. Mover, M. Roveri, and S. Tonetta. The nuxmv symbolic model checker. In CAV, pages 334–342, 2014.
• [3] K. Claessen and N. Sörensson. A liveness checking algorithm that counts. In Gianpiero Cabodi and Satnam Singh, editors, FMCAD, pages 52–59. IEEE, 2012.
• [4] E.M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.
• [5] C. Courcoubetis, M.Y. Vardi, P. Wolper, and M. Yannakakis. Memory efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1:275–288, 1992.
• [6] M. d’Agostino. Tableau methods for classical propositional logic. In Handbook of tableau methods, pages 45–123. Springer, 1999.
• [7] N. Daniele, F. Guinchiglia, and M.Y. Vardi. Improved automata generation for linear temporal logic. In Proc. 11th Int. Conf. on Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages 249–260. Springer, 1999.
• [8] A. Duret-Lutz and D. Poitrenaud. SPOT: An extensible model checking library using transition-based generalized büchi automata. In Proc. 12th Int’l Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, pages 76–83. IEEE Computer Society, 2004.
• [9] N. Eén and N. Sörensson. An extensible SAT-solver. In SAT, pages 502–518, 2003.
• [10] M. Fisher. A normal form for temporal logics and its applications in theorem-proving and execution. Journal of Logic and Computation, 7(4):429–456, 1997.
• [11] R. Gerth, D. Peled, M.Y. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In P. Dembiski and M. Sredniawa, editors, Protocol Specification, Testing, and Verification, pages 3–18. Chapman & Hall, 1995.
• [12] F. Giunchiglia and R. Sebastiani. Building decision procedures for modal logics from propositional decision procedure - the case study of modal K. In Proc. 13th Int’l Conf. on Automated Deduction, volume 1104 of Lecture Notes in Computer Science, pages 583–597. Springer, 1996.
• [13] K. Heljanko, T. Junttila, and T. Latvala. Incremental and complete bounded model checking for full PLTL. In K. Etessami and S. Rajamani., editors, Computer Aided Verification, volume 3576 of Lecture Notes in Computer Science, pages 98–111. Springer Berlin Heidelberg, 2005.
• [14] G.J. Holzmann. The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley, 2003.
• [15] U. Hustadt and B. Konev. Trp++ 2.0: A temporal resolution prover. In In Proc. CADE-19, LNAI, pages 274–278. Springer, 2003.
• [16] T. Larrabee. Test pattern generation using boolean satisfiability. IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems, 11(1):4–15, 1992.
• [17] J. Li, G. Pu, L. Zhang, M. Y. Vardi, and J. He. Fast LTL satisfiability checking by SAT solvers. CoRR, abs/1401.5677, 2014.
• [18] J. Li, L. Zhang, G. Pu, M. Vardi, and J. He. LTL satisfibility checking revisited. In The 20th International Symposium on Temporal Representation and Reasoning, pages 91–98, 2013.
• [19] S. Malik and L. Zhang. Boolean satisfiability from theoretical hardness to practical success. Commun. ACM, 52(8):76–82, 2009.
• [20] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer, 1992.
• [21] J. Marques-Silva and I. Lynce. On improving MUS extraction algorithms. In K. Sakallah and L. Simon, editors, Theory and Applications of Satisfiability Testing - SAT 2011, volume 6695 of Lecture Notes in Computer Science, pages 159–173. Springer Berlin Heidelberg, 2011.
• [22] K. McMillan. Interpolation and SAT-based model checking. In Jr. Hunt, WarrenA. and Fabio Somenzi, editors, Computer Aided Verification, volume 2725 of Lecture Notes in Computer Science, pages 1–13. Springer Berlin Heidelberg, 2003.
• [23] K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
• [24] L. De Moura and N. Bjørner. Z3: An efficient SMT solver. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS’08/ETAPS’08, pages 337–340, Berlin, Heidelberg, 2008. Springer-Verlag.
• [25] A. Pnueli. The temporal logic of programs. In Proc. 18th IEEE Symp. on Foundations of Computer Science, pages 46–57, 1977.
• [26] K.Y. Rozier and M.Y. Vardi. LTL satisfiability checking. Int’l J. on Software Tools for Technology Transfer, 12(2):123–137, 2010.
• [27] V. Schuppan and L. Darmawan. Evaluating LTL satisfiability solvers. In Proceedings of the 9th international conference on Automated technology for verification and analysis, AVTA’11, pages 397–413. Springer-Verlag, 2011.
• [28] S. Schwoon and J. Esparza. A note on on-the-fly verification algorithms. In Proc. 11th Int’l Conf. on Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science 3440, pages 174–190. Springer, 2005.
• [29] F. Somenzi and R. Bloem. Efficient Büchi automata from LTL formulae. In Proc. 12th Int. Conf. on Computer Aided Verification, volume 1855 of Lecture Notes in Computer Science, pages 248–263. Springer, 2000.
• [30] M. Suda and C. Weidenbach. A PLTL-prover based on labelled superposition with partial model guidance. In Automated Reasoning, volume 7364 of Lecture Notes in Computer Science, pages 537–543. Springer Berlin Heidelberg, 2012.
• [31] D. Tabakov, K.Y. Rozier, and M. Y. Vardi. Optimized temporal monitors for SystemC. Formal Methods in System Design, 41(3):236–268, 2012.
• [32] M. Vardi. On the complexity of epistemic reasoning. In Proceedings of the Fourth Annual Symposium on Logic in Computer Science, pages 243–252, Piscataway, NJ, USA, 1989. IEEE Press.
• [33] M.Y. Vardi. Unified verification theory. In B. Banieqbal, H. Barringer, and A. Pnueli, editors, Proc. Temporal Logic in Specification, volume 398, pages 202–212. Springer, 1989.
• [34] M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. 1st IEEE Symp. on Logic in Computer Science, pages 332–344, 1986.

Appendix A Proof of Theorem 3.1

Proof

If propositionally satisfies and , then , as .

For the other direction, assume that . Let . Clearly, . It remains to prove that is a propositional assignment, which we show by structural induction.

• For either or , so either or .

• If , then and , so both and .

• If , then or , so either or .

• If , then either , in which case, , or and , in which case and .

• If , then , in which case , and either and , in which case and .

Appendix B Proof of Theorem 3.2

Proof

for the first claim, let be and . Assume that no Until subformua is stuck at . We prove by induction that for . It follows that .

• Trivially, for a literal we have that .

• If , then and . By induction, and , so . The argument for is analogous.

• If , then . By induction, , so

• If , then or both and , which implies that . Since is not stuck at , there is some such that , and for . Using the induction hypothesis and the semantics of Until, it follows that .

• If , then and either or , which implies . It is possible here for to be postponed forever. So for all , we have that either or there exists such that . Using the induction hypothesis and the semantics of Release, it follows that .

It follows that if there is a run of such that no Until subformul is stuck at then is satisfiable.

In the other direction, assume that is satisfiable and there is an infinite trace such that . Let , and let . As in the proof of Theorem 3.1, define . As in the proof of Theorem 3.1, each is a propositional assignment for , and, consequently a state of . Furthermore, the semantics of Next implies that we have for . Furthermore, the semantics of Until ensures that no Until is stuck in the run . ∎

Appendix C Implementation of LTL-Satisfiability Checking Algorithms

c.1 Main checking algorithm

The main algorithm checks the satisfiability of the input formula on the fly. It implements a depth-first search to identify the lasso described in Theorem 3.5. Algorithm 1 shows the details of the main algorithm which is named LTL-CHECK.

In Algorithm 1, the function (in Line 4) is implemented according to Theorem 3.3. It returns the next normal form of . The function takes an input LTL formula and outputs another system state from . We have that , which means that is one of next states of . As mentioned previously, these can be obtained from the assignments of . Another main task of is to return a different state never returned before in every invocation. More details are shown in Algorithm 2.

The main algorithm maintains three global lists: , and , which record visited state, visited assignments and explored states respectively. So, is a next state of (), and is an assignment of . Note explored states are those all of the successors are visited but no satisfying model is found. So explored states are unsatisfiable formulas. The function function (in Line 13) is to check whether the cycle found (containing ) is accepting. It is evaluated according to Theorem 3.5.

At the very beginning CHECK checks whether the formula is or (Line 1-3), in which cases the satisfiability can be determined immediately. Then it computes the next normal form of input formula (Line 4), acquiring a state from (Line 5). If is not existed (Line 6), i.e. is checked unsatisfiable after exploring all its next states, then it is pushed to (Line 25) and LTL-CHECK returns UNSAT (Line 26). Otherwise, LTL-CHECK makes sure that the chosen new next state of is not explored (Line 8-11). Later it checks whether has been visited before (Line 12). If so a cycle has been found and the function is invoked to check whether a satisfying model is found as well (Line 13-15). If this fails then another is required for further checking (Line 23). If is not visited yet, it is pushed into and CHECK is invoked recursively by taking as the new input (Line 17,18). If is checked to be SAT so does , else is popped from (Line 21) and CHECK selects another for further checking (Line 23). One may find the algorithm can terminate as soon as all states from are constructed.

The task of is not only to return a system state for the input formula, but also to guarantee every invoke by taking as input it does not return the state already created. To achieve this, we introduce another set to store all states already created so far for each current formula . Then the assignment of in Algorithm 2 can make the assignment distinguished with those ever created before. Note in Line 1, the expression labeled 1 erases those states already explored, which are shown to be unsatisfiable. And the expression labeled 2 guarantees those assignments that already appeared before cannot be chosen again. By adding these two constraints it avoids SAT solvers to create duplicated assignments. The notation in Line 7 represents the state required is not existed.

However, simply avoidance to generate duplicated states is not efficient enough for checking on a state space that is exponential larger than the original size of input formula. In the following section we present some heuristics to guide SAT solvers to return the assignment we prefer as soon as possible.

c.2 Guided State Generation

Recall our basic reasoning theorem (Theorem 3.5), the principle we judge whether a cycle can form a satisfying model is to check the satisfaction of Until formulas in 333 denotes the set of conjuncts of by taking it as an And formula., where is a state in the cycle. So an intuitive idea to speed up the checking process is to locate such a satisfying cycle as soon as possible. As the satisfying cycle keeps satisfying the satisfaction of Until formulas, we follow this way and always try to ask SAT solvers to return assignments that can satisfy some Until formulas in where is the current state.

We now redesign the function in three modes, which focus on different tasks. The ELIMINATION mode tries to fulfill the satisfaction of Until formulas in a global set, the SAT_PURSUING mode is to pursue a satisfying cycle, and the CONFLICT_ANALYZE mode is to pursue an unsatisfiable core if all Until formulas remained in the set are postponed. The function runs in the ELIMINATION mode by default. The implementation of the ELIMINATION mode is shown in Algorithm 3.

In the ELIMINATION mode a global get is used to keep the Until formulas postponed so far. It is initialized as , which is the set of Until formulas in ( is the input formula). The task of the ELIMINATION mode is to check whether some elements in can be satisfied (Line 5). If becomes empty, the SAT_PURSUING mode is invoked to seek a satisfiable cycle (Line 1,2). If the SAT_PURSUING mode does not succeed, the set is reset to , where is the current state. Then the attempt to satisfy the elements in is invoked again (Line 5). Now if the attempt is successful then is updated and the assignment found is returned to LTL-CHECK and terminates (Line 9,10). Otherwise, it turns into the CONFLICT_ANALYZE mode. Note the two constraints added in Line 5 enables SAT solvers to prune those states which postpone all elements in and whose next states are already explored.

To find a satisfying cycle, the SAT_PURSUING mode tries to check whether there is a visited state whose position in is less or equal than the position where becomes empty in previous time. Specially if becomes empty for the first time then only the initial state can be considered. Line 1 of Algorithm 4 assigns the disjunction of these states to be a constraint . Then line 2 shows the inquiry to SAT solvers to get an assignment whose next state appears before becomes empty in previous time. If the inquiry succeeds, the SAT_PURSUING mode returns the assignment found to LTL-CHECK, and terminates (Line 4). Otherwise the SAT_PURSUING mode turns back to the ELIMINATION mode for further processing (Line 6).

Consider the visited state whose position in is the one before where becomes empty (If becomes empty for the first time, then must be the input formula ). So the cycle formed by the SAT_PURSUING mode succeeds to satisfy all Until formulas in – since is reset to be after and all elements in are satisfied when becomes empty again. Thus according to Theorem 3.5 a satisfying model is found.

c.3 Unsat Core Extraction

It may happen that all elements in are postponed in the ELIMINATION mode. Then the function turns into the CONFLICT_ANALYZE mode, trying to figure out whether 1). is finally satisfied; or 2). is postponed forever. The trivial way to check all reachable states of postpone is proven not efficient due to its large cost, so we must introduce a more clever methodology.

Now let’s dig into the reason why is postponed in . is postponed in iff the formula is unsatisfiable. So there must be a minimal unsat core such that

• is unsatisfiable; and

• for each , is satisfiable.

Note there are already works on computing such minimal unsat core (see [21]), and we can directly apply them here.

Now the task changes to check whether there exists a next state of that can avoid the appearance of , i.e. . We can achieve this via SAT solvers by feeding them the formula . If the formula is satisfiable, then the modeling assignment is the next state that can avoid ; Otherwise, there must be a minimal unsat core to , making is unsatisfiable – as to . Then the task changes to check whether the avoidance of can be achieved in the next state of

This is a recursive process and one can see we may maintain a sequence of minimal unsat cores during computing the next state of . Then the question raises up that if there is no other next state other than itself for current state , how can it terminate the minimal-unsat-core computation?

Let , i.e. the formula which conjuncts and minimal unsat cores from to . Apparently it holds and what we expect more for finding a next state is . Once holds as well, it indicates is the unsat core we want to capture Until formula is postponed forever from . Actually the reason is under this case we can prove that, is unsatisfiable which means will be postponed in all reachable states of .

Assume a next state of is found according to above strategy and a sequence