SAT/SMT seminar 18/02/2018 Computing multiple MUSes (Minimal Unsatisfiable Subformulas) and MSISes (Minimal Safe Inductive Subsets) Alexander Ivrii IBM

Part I : MUSes

Motivation Given an unsatisfiable CNF formula: A MUS provides an insight on unsatisfiability Different MUSes provide different insights Commonly studied problems: Find a single MUS Find a smallest-size MUS Find all MUSes Find many MUSes

First, what about a single MUS? There is a lot of research on this topic (don’t want to go in detail…)

Brief History of MUS enumeration CAMUS: “Compute All Minimal Unsatisfiable Subsets” (pronounced as “ka-moo”, named after Albert Camus) Liffiton & Sakallah: “On finding all minimally unsatisfiable subformulas”, SAT’2005 Liffiton & Sakallah: “Algorithms for computing minimal unsatisfiable subsets of constraints”, JAR’2008 MARCO [eMUS]: “Mapping Regions of Constraint sets” (named after Marco Polo) Liffiton & Malik: “Enumerating infeasibility: Finding multiple MUSes quickly”, CPAIOR’2013 Previti & Marques-Silva: “Partial MUS enumeration”, AAAI’2013 Liffiton & Previti & Malik & Marques-Silva: “Fast, flexible MUS enumeration”, Constraints’2016

MUSes, MCSes, MSSes Let F be an unsatisfiable CNF formula A subset U of F is a minimal unsatisfiable subset (MUS) if U is unsatisfiable and for every C  U, U\C is satisfiable A subset S of F is a minimal correction subset (MCS) if F \ S is satisfiable and for every C  M, F \ (M\C) is unsatisfiable A subset S of F is a maximal satisfiable subset (MSS) if S is satisfiable and for every C  F\S, SC is unsatisfiable Example: C = { (a), (a), (a  b), (b) } MUSes: { (a), (a) }, { (a), (a  b), (b) } MCSes: { (a) }, { (a), (b) }, { (a), (a  b) } MSSes: { (a), (a  b), (b) }, { (a), (a  b) }, { (a), (b) }

Dualities MCSes and MSSes are complementary: S is an MSS if and only if F \ S is an MCS MCSes and MUSes satisfy the hitting set duality: U is an MUS of F if and only if U is a minimal hitting set of the set of all MCSes of F S is an MCS of F if and only if S is a minimal hitting set of the set of all MUSes of F (Idea: every MUS U of F must intersect every MCS S of F, and vice versa)

Power Set Lattice

CAMUS Operates in two stages: Computes all MCSes of F using a SAT-based algorithm Computes all MUSes of F using the hitting set duality

CAMUS Computing all MCSes of F Introduce activation variables that allow to turn clauses on and off Find all MCSes of size 1 “can you turn off one clause, so that the formula becomes SAT”? Find all MCSes of size 2 “can you turn off two clauses, so that the formula becomes SAT” ? … Each time an MCS is found, it is blocked

CAMUS – execution

CAMUS – remarks A significant shortcoming of CAMUS is that computing all MCSes may be intractable: There may be exponentially many of them! However, after the first stage succeeds, CAMUS is great: For computing a smallest-sized MUS For enumerating all MUSes Many optimizations exist

MARCO Directly explores the power set lattice Enumerates both MUSes and MCSes

MARCO Works by repeatedly:

MARCO – execution

MARCO – execution And so on … Until the full power set lattice is explored

MARCO – remarks By forcing getUnexplored to produce maximal (resp. minimal) models, one can bias the algorithm towards more eager production of MUSes (resp. MCSes) Great for finding MUSes right away Easily extended to other domains Many optimizations exist

Part II : MSISes (This is a part of joint work with Ryan Berryhill that we have submitted to SAT’18)

Motivation In model checking: we are given a problem (Init, Tr, Bad) want to know if there is a path from an initial state to a bad state that satisfies the transition relation If such a path exists, model checkers may produce counterexamples If such a path does not exist, model checkers may produce proofs, in the form of safe inductive invariants

Motivation A recent trend is to produce simple inductive invariants, represented as conjunctions of clauses (= in CNF) Smaller proofs give better insight on why the model checking problem is SAFE Different proofs may provide different insights This leads to problems: given a model checking problem (Init, Tr, Bad), and safe inductive invariant F in CNF Find a single MSIS of F Find a smallest-size MSIS of F Find all MSISes of F Find many MSISes of F In what follows, are are only removing clauses (= weakening the proof)

What about a single MSIS? Or why it is not so simple?

Basic MSIS algorithm The main idea: for each clause in the invariant: Tentatively remove this clause Iteratively remove clauses that are no longer implied (both from premises and conclusions), until: Either a smaller safe inductive invariant is obtained (we can restrict to this smaller invariant), Or the property itself is no longer implied (restore all removed clauses) More optimized algorithms are possible

Support Sets and Collapse Sets Let (Init, Tr, Bad), be a model checking problem, F be a safe inductive invariant in CNF, and C  F be a clause. A subset U of F is a support set for C if TrCUC’ is unsatisfiable. A minimal support set is defined in an obvious way. A subset S of F is a collapse set for C if F\S is not a support set for C. A minimal collapse set is defined in an obvious way. Support sets explain why C is an MSIS and are analogous to MUSes. Collapse sets prevent C from being in MSIS and are analogous to MCSes. Slightly abusing notation, we also define support/collapse sets for Bad as related to safety (rather than inductiveness)

CAMSIS – adapting CAMUS to exploring MSISes Operates in two stages: For each clause C  F (including Bad) Computes all collapse sets for C This is exactly as computing all MCSes for the unsatisfiable formula TrCFC’, but the minimization needs to be done only over clauses of F Uses “hitting set duality” with “a twist”: If G is an MSIS of F, and CG, then G has a non-empty intersection with each collapse set of C. We use a dedicated SAT-solver for enumerating and blocking all solutions. Again, we can obtain the solutions (MSISes) ordered by size (smallest-to-largest)

CAMSIS – adapting CAMUS to exploring MSISes

Adapting MARCO to exploring MSISes On its surface, MARCO (as used for enumerating MUSes) heavily exploits the monotonicity of the predicate p, where “p(U) = 1 iff U is unsatisfiable” In particular, when U is an MUS of F, then BlockUp blocks all supersets of U But in our case the naïve predicate “p0(U) = 1 iff U is a safe inductive subset of F” is not monotone… However, the predicate “p1(U) = 1 iff U contains an MSIS of F” is monotone And minimal subsets satisfying p1 coincide with minimal subsets satisfying p0 This allows to apply MARCO directly for computing MSISes, but with slightly different implementations of shrink and grow procedures

CAMSIS and MARCO – remarks Experimentally (minimizing invariants for hardware model checking problems): For CAMSIS the main bottleneck is computing all collapse sets If this stage succeeds, computing a smallest-sized MSIS and enumerating all MSISes is generally easy On the other hand, MARCO is great for producing many MSISes quickly Non-surprisingly, these observations are very similar to observations regarding MUS enumeration

Thank you!