Extended Resolution Proofs for Conjoining BDDs Carsten - PDF document

2proofsforBDD-basedexistentialquanticationandotherBDDoperations.Thiswilleventuallyallowustogenerateproofsforallthementionedapproaches.Wehavechosenextendedresolutionasaformalismtoexpressourproofs,asitisontheonehandaverypowerfulproofsystemequivalentinstrengthtoextendedFregesystems[24],andontheotherhandsimilartothewell-knownresolutioncalculus[25].Despiteitsstrength,itstillofferssimpleproofchecking:afteraddingachecktoavoidcyclicaldenitions,anordinaryproofcheckerforresolutioncanbeused.Startingwith[26],extendedresolutionhasbeenmainlyasubjectoftheoreticalstud-ies[27,24].Inpracticalapplicationsitdidnotplayanimportantrolesofar.Thismaybeduetothefactthatdirectgenerationof(short)extendedresolutionproofsisveryhard,asthereisnotmuchguidanceonhowtousetheextensionrule.However,when“proofs”aregeneratedbyanothermeans(byBDDcomputationsinourcase),extendedresolu-tionturnsouttobeaconvenientformalismtoconciselyexpressproofs.Weexpectthatawidespectrumofdifferentpropositionaldecisionprocedurescanbeintegratedintoacommonprooflanguageandproofvericationsystemusingextendedresolution.Therestofthispaperisorganizedasfollows:First,wegiveshortintroductionstoextendedresolutionandBDDs.ThenwepresentourmethodtoconstructextendedresolutionproofsoutofBDDconstructions.Thereafter,weportraydetailsofourim-plementationEBDDRESandshowexperimentalresultsobtainedwithit.Finally,weconcludeandgivepossibledirectionsforfuturework.2TheoreticalBackgroundInthispaperwearemainlydealingwithpropositionallogicformulaeinconjunctivenormalform(CNF).AformulaF(overasetofvariablesV)inCNFisaconjunctionofclauses,whereeachclauseisadisjunctionofliterals.Aliteraliseitheravariableoritsnegation.Weusecapitalletters(C;D;:::)todenoteclausesandsmall-caseletterstodenotevariables(a;b;c;:::x;y;:::)andliterals(l;l1;l2;:::).InsteadofwritingaclauseC=(l1_


_lk)asadisjunction,wealternativelywriteitasasetofliterals,i.e.asfl1;:::;lkg,orinanabbreviatedformas(l1:::lk).Foraliterall,wewritelforitscomplement,i.ex=:xand :x=xforavariablex.2.1ExtendedResolutionExtendedresolution(ER)wasproposedbyTseitin[26]asanextensionoftheresolutioncalculus[25].Theresolutioncalculusconsistsofasingleinferencerule,1C_[flgflg_[D C[DandisusedtorefutepropositionallogicformulaeinCNF.HereCandDarearbi-traryclausesandlisaliteral.Arefutationproofisachieved,whentheemptyclause(denotedby)canbederivedbyaseriesofresolutionruleapplications.Extended 1By_[wedenotethedisjointunionoperation,i.e.A_[BisthesameasA[BwiththeadditionalrestrictionthatA\B=;. 4 Algorithm1:BDD-and(a;b) 1:ifa=0orb=0thenreturn02:ifa=1thenreturnbelseifb=1thenreturna3:(x;a0;a1)=decompose(a);(y;b0;b1)=decompose(b)4:ifxythenreturnnew-node(y,BDD-and(a;b0),BDD-and(a;b1))5:ifx=ythenreturnnew-node(x,BDD-and(a0;b0),BDD-and(a1;b1))6:ifx&#x-286;ythenreturnnew-node(x,BDD-and(a0;b),BDD-and(a1;b)) usingBDDoperations(e.g.,BDD-and,BDD-or)forlogicalconnectives.Aswewillneeditinduecourse,wegivetheBDD-andalgorithmexplicitly(Algorithm1).Here,decomposebreaksdownanon-terminalBDDnodeintoitsconstituentcomponents,i.e.itsvariableandcofactors.Thefunctionnew-nodeconstructsanewBDDnodeifitisnotalreadypresent,andotherwisereturnsthealreadyexistentnode.Thecomparisonsinsteps4to6arebasedontheglobalBDDvariableorder. Fig.1.BDDrepresentationofformulax_(y^:z)usingvariableorderingx�y�z.3ProofConstructionWeassumethatwearegivenaformulaFinCNFforwhichwewanttoconstructanERproofthatshowsunsatisabilityofF(i.e.,weshowthat:Fisatautology).InsteadoftryingtoderivesuchaproofdirectlyintheERcalculus—whichcouldbequitehard,astherearemyriadsofwaystointroducenewdenitions—werstconstructaBDDequivalenttoformulaFandthenextractanERproofoutofthisBDDconstruction.TheBDDforformulaFisbuiltgradually(bottom-up)byconjunctivelyaddingmoreandmoreclausestoaninitialBDDrepresentingtheBooleanconstanttrue.StartingwithanorderedsetofclausesS=(C1;:::;Cm)forformulaFS=C1^


^Cm(whichwewanttoproofunsatisable),wethusrstbuildaBDDciforeachclauseCi.ThenweconstructintermediateBDDshicorrespondingtopartialconjunctionsC1^


^Ci,until,bycomputinghm,wehavereachedaBDDforthewholeformula.TheseintermediateBDDscanbecomputedrecursivelybytheequationsh2$c1^c2andhi$hi�1^cifor3im: 5IfhmistheBDDconsistingonlyofthe0-node,weknowthatformulaFSisunsatis-ableandwecanstartbuildinganERproof.ThemethodtoconstructtheERproofworksbyrstintroducingnewpropositionalvariables(thusERisrequired),oneforeachnodeofeachBDDthatoccursduringtheconstructionprocess,i.e.forallciandhi.NewvariablesareintroducedbasedontheShannonexpansionofaBDDnode:foraninternalnodefcontainingvariablexandhavingchildnodesf1andf0,anewvariable(whichwealsocallf),denedbyf$(x?f1:f0)(fxf1)(fxf0)(fxf1)(fxf0)isintroduced.Wehavealsogiventheclausalrepresentationofthedenitionontheright.Terminalnodesarerepresentedbyadditionalvariablesn0andn1denedbyn0$0(n0)andn1$1(n1):Notethatintroducingnewvariablesinthiswaydoesnotproducecyclicdenitions,astheBDDsthemselvesareacyclic.Sobyintroducingvariablesbottom-upfromtheleavesoftheBDDuptothetopnode,wehaveanadmissibleorderingforapplyingtheextensionrule.Withthesedenitions,wecangiveanoutlineoftheERproofwewanttogenerate.Itconsistsofthreeparts:rst,wederiveunitclauses(ci)forthevariablescorrespondingtothetopBDDnodesofeachclause.ThenoutoftherecursiverunsofeachBDD-and-operationwebuildproofsfortheconjunctionshi�1^ci$hi(infact,onlytheimplicationfromlefttorightisrequired).Andnally,wecombinethesepartsintoaproofforhm.Ifhmisthevariablerepresentingthezeronode,i.e.hm=n0,wecanderivetheemptyclausebyanothersingleresolutionstepwiththedeningclauseforn0.WethushavetogenerateERproofsforallofthefollowing:S`ciforall1im(ER-1)S`c1^c2!h2(ER-2a)S`hi�1^ci!hiforall3im(ER-2b)S`hm(ER-3)Foraproofof(ER-1)forsomeiassumethatclauseD=Ciconsistsoftheliterals(l1;:::;lk).WeassumeliteralstobeordereddecreasinglyaccordingtotheBDD'sglobalvariableordering.ThenthenewlyintroducedvariablesforthenodesoftheBDDrepresentationofclauseDaredj$(lj?n1:dj+1)ifljispositive,anddj$(lj?dj+1:n1)ifljisnegative.Weidentifydk+1withn0,andciwithd1here.Thesedenitionsinduce—amongothers—theclauses(djljn1)and(djljdj+1)forall1ik.WethereforeobtainthefollowingERprooffor(d1):First,wederive(dkl1:::lk�1n1)byresolving(l1:::lk)with(dklkn1).Then,iterativelyforj=kdowntoj=2,wederive(dj�1l1:::lj�2n1)from(djl1:::lj�1n1)by(djl1:::lj�1n1)(dj�1lj�1dj) (dj�1l1:::lj�1n1)(dj�1lj�1n1) (dj�1l1:::lj�2n1) 7Booleanconstantsoriff=g.Anon-trivialstepisalsocalleda(cache)line.Stepsandlinesarealsoidentiedwithclauses,wherealine(f;g;h)correspondstotheclause(fgh).WeidentifynodeswithERvariableshere.Denition2(Redundancy).AlineL=(f;g;h)iscalledredundantiff=horg=h,otherwiseitiscalledirredundant.Thenotionofredundancyalsocarriesovertotheclause(fgh)correspondingtolineL.Whenwehavereachedanirredundantstep(fgh),wecancheckwhethertheco-factorclausesoftheassumptions(f0g0h0)and(f1g1h1)ofthestepareredundant.Ifthisisthecase,theproofhastobesimpliedandrecursionstops(inallbutonecase)attheredundantstep.Wenowgivesimpliedproofsthatcontainnotautologicalclausesfortherecursionstepoftheproofs(ER-2a)and(ER-2b).Inwhatfollows,wecallthesub-proofof(fghx)outof(f0g0h0)theleftbranchandthesub-proofof(fghx)outof(f1g1h1)therightbranchoftherecursiveproofstep.R1Iff0=h0,weobtainaprooffortheleftbranch(andanalogouslyforg0=h0andforf1=h1org1=h1ontherightbranch)byresolving(hxh0)and(fxf0)toproduce(fhx).Althoughwehaveprovedastrongerclaimontheleftbranchinthiscase,itcannothappenthatgalsodisappearsontherightbranch,asthiswouldonlybepossibleiff1=h1.Butthenf=hwouldalsoholdandthestep(fgh)wouldalreadyberedundant,contradictingourassumption.T1Iff0=g0(thisisnotatautologicalcase,however)thenh0=f0=g0alsoholds,sothatwearriveatthecaseabove(andsimilarlyforf1=g1).Wecanevenchoosewhichofthedenitions(eitherforforforg)wewanttouse.T2Iff0=1weobtainh0=g0andwecanusetheproofgivenunder(R1)fortheleftbranch(similarforg0=1,f1=1,andg1=1).Iff0=0,wecanusethedenition(fxn0)offand(n0)of0toderivethestronger(fx).Itcannothappenthatf1=0atthesametime(asthenthestepwouldbetrivial),sotheonlypossibilitywherewearereallyleftwithastrongerclausethanthedesired(fgh)occurswhenf0=0andg1=0(orf1=g0=0).Thenwehaveh=0andwecanderive(fg).Inthiscasewejustproceedasincase(H0)below.H0Ifh=0weleth0=h1=0andrecursivelygeneratesub-proofsskippingthedenitionofhbyrule(X1)below.H1Thecaseh=1couldonlyhappeniff=g=1wouldalsohold.Butthenthestepwouldberedundant.Ifh0=1wederivethestronger(hx)byresolving(hxn1)with(n1),andsimilarforh1=1.Itcannothappenthatwehaveh0=h1=1atthesametime,asthiswouldimplyh=1.Thus,ontheotherbranchwealwaysobtainaclauseincludingfandgandthereforethenallyresultingclauseisalways(fgh).X1IfthedecisionvariablexdoesnotoccurinoneorseveraloftheBDDsf,g,orh(i.e.,forexample,iff=f0=f1)therespectiveresolutionstep(s)involvingf,g,orh,canjustbeskipped.Notethatinalldegeneratecasesbesidescases(T2)(onlyforf0=g1=0orf1=g0=0)and(H0)theproofstopsimmediatelyandnorecursivedescenttowards 9Table1.ComparisonoftracegenerationwithMINISATandwithEBDDRES. MINISAT EBDDRES solve trace solve trace tracesize bdd recursivebddand-steps trace resources size resources gen. ASCIIbinary nodes alltriv.linesred.core chk secMB MB secMB sec MBMB 103 103103103103103 sec ph7 00 0 00 0 10 3 201010010 0 ph8 04 1 03 0 31 15 673433033 0 ph9 64 11 03 0 31 8 904545045 0 ph10 444 63 117 1 3010 136 5382702691268 2 ph11 8876 929 113 1 218 35 6703353341333 2 ph12 *- - 228 1 3312 31 11505755741573 3 ph13 *- - 10102 8 26092 850 52302615261422612 20 ph14 *- - 10111 7 20474 166 65543278327623274 18 mutcb8 00 0 04 0 41 23 733737036 0 mutcb9 04 0 05 0 124 64 1939796096 1 mutcb10 04 1 117 1 3512 177 5772892881287 3 mutcb11 14 4 332 2 8929 419 13806916903686 6 mutcb12 84 22 662 5 18864 906 27431372137131368 13 mutcb13 1135 244 15146 12 452155 2040 63983199319883190 30 mutcb14 4918 972 50578 38 1465* 6225 2052010261102602010240 * mutcb15 *- - -* - -- - ----- - mutcb16 *- - -* - -- - ----- - urq35 964 218 228 1 3713 24 12166086080608 3 urq45 *- - -* - -- - ----- - fpga108 00 647 4 13547 186 40872044204332040 11 fpga109 00 344 2 7024 83 22181109110911108 6 fpga1211 00 54874 38 1214* 1312 3378316892168914116850 * add16 00 0 04 0 62 30 1005150149 0 add32 00 0 19 1 248 122 4452232224217 2 add64 04 0 12146 9 338112 1393 589229482944192925 23 add128 04 0 -* - -- - ----- - Therstcolumnliststhenameoftheinstance.Columns2-4containthedataforMINISAT,rstthetimetakentosolvetheinstanceincludingthetimetoproducethetrace,thenthememoryused,andincolumn4thesizeofthegeneratedtrace.ThedataforEBDDREStakesuptherestofthetable.Itissplitintoamoregeneralpartincolumns5-9ontheleft.Therightpartprovidesmoredetailedstatisticsincolumns10-15.TherstcolumninthegeneralpartofEBDDRESshowsthetimetakentosolvetheinstancewithEBDDRESincludingthetimetogenerateanddumpthetrace.Thelatterisshownseparatelyincolumn7.ThememoryusedbyEBDDRES,column6,islinearlyrelatedtothenumberofgeneratedBDDnodesincolumn10andthenumberofgeneratedcachelinesincolumn13.ThenumberofrecursivestepsoftheBDD-andoperationoccursincolumn11.Amongthesestepsmanytrivialbasecasesoccur(column12)andthenumberofcachelinesincolumn13issimplythenumberofnontrivialsteps.Amongthecachelinesseveralredundantlinesoccur(column14)inwhichtheresultisequaltooneofthearguments.Thecoreconsistsofirredundantcachelinesnecessaryfortheproof.Theirnumberislistedinthenexttolastcolumn(column15).Thelastcolumn(column16)showsthetimetakenbythetracecheckertovalidatetheproofgeneratedbyEBDDRES.The*denoteseithertimeout(�1000seconds)oroutofmemory(�1GBmainmemory). 11conjecturethatequivalencereasoningand,moregenerally,GaussianeliminationoverGF(2),caneasilybehandledinthesameway.FinallywewanttothankEugeneGoldbergforveryfruitfuldiscussionsabouttheconnectionbetweenextendedresolutionandBDDs.References1.M.DavisandH.Putnam.Acomputingprocedureforquanticationtheory.JACM,7,1960.2.M.Davis,G.Logemann,andD.Loveland.Amachineprogramfortheorem-proving.Com-municationsoftheACM,5(7),1962.3.J.P.Marques-SilvaandK.A.Sakallah.GRASP—anewsearchalgorithmforsatisability.InProc.ICCAD'96.4.M.Moskewicz,C.Madigan,Y.Zhao,L.Zhang,andS.Malik.Chaff:EngineeringanefcientSATsolver.InProc.DAC'01.5.E.GoldbergandY.Novikov.BerkMin:AfastandrobustSAT-solver.InProc.DATE'02.6.N.E´enandN.S¨orensson.AnextensibleSAT-solver.InProc.SAT'03.7.A.Biere,A.Cimatti,E.Clarke,andY.Zhu.SymbolicmodelcheckingwithoutBDDs.InProc.TACAS'99.8.M.VelevandR.Bryant.EffectiveuseofbooleansatisabilityproceduresintheformalvericationofsuperscalarandVLIWmicroprocessors.J.Symb.Comput.,35(2),2003.9.I.Shlyakhter,R.Seater,D.Jackson,M.Sridharan,andM.Taghdiri.Debuggingovercon-straineddeclarativemodelsusingunsatisablecores.InProc.ASE'03.10.C.Sinz,A.Kaiser,andW.K¨uchlin.Formalmethodsforthevalidationofautomotiveproductcongurationdata.AIEDAM,17(1),2003.11.K.McMillanandN.Amla.Automaticabstractionwithoutcounterexamples.InProc.TACAS'03.12.Y.XieandA.Aiken.Scalableerrordetectionusingbooleansatisability.InProc.POPL'05.13.K.McMillan.InterpolationandSAT-basedmodelchecking.InProc.CAV'03,volume2725ofLNCS.14.L.ZhangandS.Malik.ValidatingSATsolversusinganindependentresolution-basedchecker:Practicalimplementationsandotherapplications.InProc.DATE'03.15.D.MotterandI.Markov.Acompressedbreath-rstsearchforsatisability.InALENEX'02.16.J.Franco,M.Kouril,J.Schlipf,J.Ward,S.Weaver,M.Dranseld,andW.Fleet.SBSAT:astate–based,BDD–basedsatisabilitysolver.InProc.SAT'03.17.R.DamianoandJ.Kukula.CheckingsatisabilityofaconjunctionofBDDs.InDAC'03.18.J.HuangandA.Darwiche.TowardgoodeliminationordersforsymbolicSATsolving.InProc.ICTAI'04.19.G.PanandM.Vardi.Searchvs.symbolictechniquesinsatisabilitysolving.InSAT'04.20.H.-S.Jin,M.Awedh,andF.Somenzi.CirCUs:Ahybridsatisabilitysolver.InProc.SAT'04.21.R.Bryant.Graph-basedalgorithmsforBooleanfunctionmanipulation.IEEETrans.onComp.,35(8),1986.22.T.E.UribeandM.E.Stickel.OrderedbinarydecisiondiagramsandtheDavis-Putnamprocedure.InProc.Intl.Conf.onConstr.inComp.Logics,volume845ofLNCS,1994.23.J.F.GrooteandH.Zantema.Resolutionandbinarydecisiondiagramscannotsimulateeachotherpolynomially.DiscreteAppliedMathematics,130(2),2003.24.A.Urquhart.Thecomplexityofpropositionalproofs.BulletinoftheEATCS,64,1998.25.J.A.Robinson.Amachine-orientedlogicbasedontheresolutionprinciple.JACM,12,1965.26.G.Tseitin.Onthecomplexityofderivationinpropositionalcalculus.InStudiesinCon-structiveMathematicsandMathematicalLogic,1970.