Verifying Clausal Proofs, DRUPing and Interpolants SAT/SMT Seminar Yael Meller April 23rd 2017

Outline Validating unsat claim of SAT solver Resolution proof Clausal proof (RUP)1 DRUP- Optimized clausal proof2 Extracting interpolants from clausal proofs3 Extracting “simpler” interpolants3 Verification of Proofs of Unsatisfiability for CNF Formulas Evgueni Goldberg andYakov Novikov, DATE 2003 Trimming while Checking Clausal Proofs Marijn Heule, Warren Hunt and Nathan Wetzler, FMCAD 2013 Druping for Interpolants Arie Gurfinkel and Yakir Vizel, FMCAD 2014

Check satisfiability of a CNF formula Basic steps: CDCL SAT Solvers Check satisfiability of a CNF formula Basic steps: Arbitrary decisions for un-assigned variables Propagate values (BCP) Analyze conflicts, learn clauses, and change decisions If UnSAT, SAT solvers can generate refutation proofs and unsat core Some uses of the above: validate unsatisfiability claim extract interpolants

Refutation Proof – Validate UnSAT claim Goal: Validate the SAT solver. I.e., check, based on the output of the solver, that the solver’s result is correct Easy to check given a counterexample Harder to validate an UnSAT claim Two methods for validating UnSAT claim: Resolution proof Clausal proof

Resolution step: (a,b), (c, b)  (a,c) Resolution proof: A DAG that tracks resolution steps leading from the original clauses to the empty clause Roots – original clauses Intermediate nodes – derived clauses

Resolution Proof Resolution proof for: F=(a1,g1,g2),(a1,g1,g3),(a1,g2,g3,g4),(a1,g2),(a1,g4),(g2,g3),(g3),(g1) g3 g3 g2 g2,g3 a1 a1,g2,g3 g4 a1,g2,g3 g2,g4 g1 a1 a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1

Resolution from Conflict Clause The Resolution proof can be constructed during clause learning

Resolution from Conflict Clause The Resolution proof is constructed when a clause is learnt F = a  (a  b)  (b  c  d)  (b  d) (a  c) (b  c ) (c) d a b b c Decision d a Learnt clause

Resolution proof - pros and cons: Easy to validate Hard to obtain Can be huge in size

Consider the clauses learnt by the SAT solver: Clausal Proof Consider the clauses learnt by the SAT solver: Given a formula F, and a sequence of learnt clauses (C1,….,Cn) where Cn is the empty clause – check that indeed F derives the learnt clauses.

Verification of Proofs of Unsatisfiablity for CNF Formulas Goldberg and Novikov, DATE 2003

Main observation: each learnt clause can be validated using BCP Clausal Proof Goldberg and Novikov, “Verification of proofs of unsatisfiablity for CNF formulas”, DATE 2003 Let F be a formula, and let <C1,….,Cn> be a sequence of learnt clauses where Cn is the empty clause. Main observation: each learnt clause can be validated using BCP If prior to learning clause C the CNF is F’, then if BCP(F’,C) derives a conflict, then F’C Clausal proof: validate the leant clauses using the simple bcp procedure

The clausal proof: <(g2,g3), (g3), ()> Clausal Proof - Example Goldberg and Novikov, “Verification of proofs of unsatisfiablity for CNF formulas”, DATE 2003 CNF original formula: F=(a1,g1,g2),(a1,g1,g3),(a1,g2,g3,g4),(a1,g2),(a1,g4),(g2,g3),(g3),(g1) The clausal proof: <(g2,g3), (g3), ()> BCP(F,(g2,g3)): apply unit propagation (UP) on g2 and g3 a1 g1 Clause is false - conflict BCP((F,(g2,g3)), (g3)) BCP (F,(g2,g3),g3), true) a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1

CNF original formula: F, The learnt clauses: <C1,C2,….,Cn> Clausal Proof Goldberg and Novikov, “Verification of proofs of unsatisfiablity for CNF formulas”, DATE 2003 CNF original formula: F, The learnt clauses: <C1,C2,….,Cn> For every i in (1,…,n): Execute BCP((F,C1,….,Ci-1), Ci) If did not reach a conflict, then proof is invalid. Important note: all learnt clauses are part of the proof. I.e., we cannot ignore learnt clauses that were deleted

CNF original formula: F, The learnt clauses: <C1,C2,….,Cn> Clausal Proof Goldberg and Novikov, “Verification of proofs of unsatisfiablity for CNF formulas”, DATE 2003 CNF original formula: F, The learnt clauses: <C1,C2,….,Cn> For every i in (1,…,n): Execute BCP((F,C1,….,Ci-1), Ci) If did not reach a conflict, then proof is invalid. validate learnt clauses in the reverse order that they were learnt (RUP – reverse unit propagation) Can mark clauses that were used in the BCP checks. If we reach an unmarked clause – we can skip it. Produces unsat core

CNF original formula: F, The learnt clauses: <C1,C2,….,Cn> Clausal Proof Goldberg and Novikov, “Verification of proofs of unsatisfiablity for CNF formulas”, DATE 2003 CNF original formula: F, The learnt clauses: <C1,C2,….,Cn> For every i from n to 1: Mark Cn If Ci is marked: execute BCP((F,C1,….,Ci-1), Ci) and mark touched clauses If did not reach a conflict, then proof is invalid. validate learnt clauses in the reverse order that they were learnt (RUP – reverse unit propagation) Can mark clauses that were used in the BCP checks. If we reach an unmarked clause – we can skip it. Produces unsat core

Resolution proof - pros and cons: Clausal Proof vs. Resolution Proof Goldberg and Novikov, “Verification of proofs of unsatisfiablity for CNF formulas”, DATE 2003 Resolution proof - pros and cons: Easy to validate Hard to obtain Can be huge in size Clausal Proof - pros and cons: Emitted with low overhead Much smaller than resolution proof Relatively expensive to validate (need to trust the bcp..)

Trimming while Checking Clausal Proofs Heule, Hunt and Wetzler, FMCAD 2013

CNF original formula: F, The clausal proof: <C1,C2,….,Cn> Optimizations on validating clausal proofs Heule, Hunt and Wetzler, “Trimming while Checking Clausal Proofs”, FMCAD 2013 CNF original formula: F, The clausal proof: <C1,C2,….,Cn> For every i from n to 1: Execute BCP((F,C1,….,Ci-1), Ci) If did not reach a conflict, then proof is invalid. Forward checking: validate each learnt clause in the order that they were learnt. Easy to parallelize. Can start when a clause is learnt. May check clauses that are not required to validate the proof

DRUP – extends a clausal proof by tracking deleted clauses: Optimizations on validating clausal proofs Heule, Hunt and Wetzler, “Trimming while Checking Clausal Proofs”, FMCAD 2013 What about deleted learnt clauses? RUP assumes all learnt clauses are in the clausal proof. DRUP – extends a clausal proof by tracking deleted clauses: The clausal proof is now <C1,C2,C3,C1d,C4,….,C3d,….,Cn> For every i from n to 1: Execute BCP((F,AC), Ci) where AC includes all the non-deleted clauses from C1,…..,Ci-1 If did not reach a conflict, then proof is invalid.

Summary up to now Validating Check unsat claim of SAT solver Resolution proof Resolution is constructed during conflict learning Clausal proof (RUP) DRUP- Optimized clausal proof

DRUPing for Interpolants Gurfinkel and Vizel, FMCAD 2014

Given an unsatisfiable pair (A,B) of propositional formulas Interpolants Given an unsatisfiable pair (A,B) of propositional formulas A(X,Y)  B(Y,Z) is unsatisfiable There exists a formula I (the interpolant of (A,B)) such that: A I I  B is unsatisfiable I is over the common variables of A and B

A B Interpolants A-local variables: a1 Global variables: g1, g2, g3, g4 A B a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

Let (A,B) be an unsatisfiable pair of propositional formulas Calculating Interpolants from Resolution Proofs McMillan, “Interpolation and SAT-Based Model Checking”, CAV 2003 Let (A,B) be an unsatisfiable pair of propositional formulas For a clause C, g(C) denotes the disjunction of the shared variables in C. Given a proof of unsatisfiability for (A,B), define itp(C) for every node C in the proof as follows: If C is a root, then If CA then itp(C) = g(C) Else itp(C) is constant TRUE else let C1 and C2 be the antecedents of C, and let v be their resolution variable If v is local to A, then itp(C) = itp(C1)  itp(C2) Else itp(C) = itp(C1)  itp(C2) The interpolant for (A,B) is itp().

Interpolants from Resolution Proofs g3 g3 g2 g2,g3 a1 a1,g2,g3 g4 a1,g2,g3 g2,g4 g1 a1 a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

Interpolants from Resolution Proofs The interpolant on F is I I I g3 g3 I = [(g1  g2)  (g1  g3)]  [(g2  g3  g4)  (g2  g4)] g2 g2,g3 a1 (g2  g3  g4)  (g2  g4) a1,g2,g3 g4 (g1  g2)  (g1  g3) g2  g4 a1,g2,g3 g2,g4 g1 a1 g1  g2 g1  g3 g2  g3  g4 g2 g4 T T a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

Extracting interpolants is efficient, given a resolution proof Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 Extracting interpolants is efficient, given a resolution proof Drawback: the SAT solver has to log the resolution proof Extra time and memory for such logging Proof is not targeted for “best” interpolant Main idea: extract interpolants from a DRUP proof instead of a resolution proof

Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 CNF SAT Clausal Proof BCP DRUP* core proof BCP + Learning Replay Interpolant

Main idea: execute 2 phases: Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 The DRUP process traverses the resolution graph top-down, where the interpolation calculation is done bottom-up. Intuitively, we should construct the interpolants as part of the forward checking Main idea: execute 2 phases: Phase 1: Create a core proof via DRUP (i.e., find the relevant learnt clauses) Phase 2: Replay the proof forward and construct the interpolant

Replaying for Interpolation Calculation Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 Input: CNF original formula: F with unsat core marked Core learnt clauses from the DRUP proof: <C1,C2,….,Cn> For every i from 1 to n: Execute BCP((F,C1,….,Ci-1), Ci) Replicate conflict learning to construct the resolution tree and incrementally calculate the interpolant

The DRUP proof: <(g2,g3), (g3), ()> Execute BCP(F, (g2,g3)). Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 CNF original formula: F=(a1,g1,g2),(a1,g1,g3),(a1,g2,g3,g4),(a1,g2),(a1,g4),(g2,g3),(g3),(g1,g4) The DRUP proof: <(g2,g3), (g3), ()> Execute BCP(F, (g2,g3)). Reach Conflict Construct resolution g2,g3 a1 a1,g2,g3 g1 a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

The DRUP proof: <(g2,g3), (g3), ()> Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 CNF original formula: F=(a1,g1,g2),(a1,g1,g3),(a1,g2,g3,g4),(a1,g2),(a1,g4),(g2,g3),(g3),(g1) The DRUP proof: <(g2,g3), (g3), ()> [(g1  g2)  (g1  g3)]  g2 g2,g3 a1 (g1  g2)  (g1  g3) a1,g2,g3 g1 g1  g2 g1  g3 g2 g2  g3  g4 g4 a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

The DRUP proof: <(g2,g3), (g3), ()> Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 CNF original formula: F=(a1,g1,g2),(a1,g1,g3),(a1,g2,g3,g4),(a1,g2),(a1,g4),(g2,g3),(g3),(g1) The DRUP proof: <(g2,g3), (g3), ()> Execute BCP((F,(g2,g3)), g3) Reach Conflict Construct resolution I g3 g2 I=[(g1  g2)  (g1  g3)]  g2 g2,g3 g1  g2 g1  g3 g2  g3  g4 g2 g4 T a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

The DRUP proof: <(g2,g3), (g3), ()> Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 CNF original formula: F=(a1,g1,g2),(a1,g1,g3),(a1,g2,g3,g4),(a1,g2),(a1,g4),(g2,g3),(g3),(g1) The DRUP proof: <(g2,g3), (g3), ()> Execute BCP((F,(g2,g3),g3), true) Reach Conflict Construct resolution I I g3 g3 I=[(g1  g2)  (g1  g3)]  g2 g2,g3 g1  g2 g1  g3 g2  g3  g4 g2 g4 T T a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

Extracting interpolants from clausal proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 CNF SAT Clausal Proof BCP DRUP* core proof BCP + Learning Replay Interpolant

Main idea: Algorithm for calculating a “simpler” interpolant Finding “better” Interpolants Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 Observation: the BCP process influences the interpolant found. Different BCPs will produce different interpolants. The clausal proof presents a set of different resolutions. Huele at al. optimize BCP for minimal core Gurfinkel and Vizel optimize BCP for simpler interpolant Main idea: Algorithm for calculating a “simpler” interpolant an interpolant that is “more” CNF-like a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g2,g3 a1,g2,g3 g2,g4 a1,g2,g3 g1 a1 g4

Given an unsatisfiable pair (A,B) of propositional formulas Shared Derivable Clauses Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 Given an unsatisfiable pair (A,B) of propositional formulas A clause C is shared-derivable iff C is over the common variables of A,B C is derived using only A clauses Or, A  C

Input: a resolution proof of unsatisfiability of (A,B) Partial CNF Interpolants Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 Input: a resolution proof of unsatisfiability of (A,B) Find shared-derivable clauses in the proof and Log them as a CNF formula g Treat them as B clauses during the computation Interpolant is itp() Ù g

Interpolants from Resolution Proofs Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 I = (g2  g3)  (g2 g4) … I = (g2  g3)  (g2 g4) T g3 g3 T g2 g2,g3 a1 (g2  g3  g4) a1,g2,g3 g4 (g1  g2)  (g1  g3) T a1,g2,g3 g2,g4 g1 a1 g1  g2 g1  g3 g2  g3  g4 g2 g4 T T a1,g1,g2 a1,g1,g3 a1,g2,g3,g4 a1,g2 a1,g4 g2,g3 g3 g1,g4

The algorithm and proof address sequence interpolants Partial CNF Interpolants Gurfinkel and Vizel, “DRUPing for Interpolants”, FMCAD 2014 When combined with DRUP+Replay, the bcp during Replay is aimed at favoring shared derivable clauses Correctness is proved by induction on the graph that for every node C in the graph the following holds: itp(C)g(C) B  C|vars(B) A(itp(C)C|vars(A))  g(C) The algorithm and proof address sequence interpolants

Summary Validating unsat claim of SAT solver Resolution proof Clausal proof (RUP1 and DRUP2) Extracting interpolants from clausal proofs3 Extracting more CNF-like interpolants3 Verification of Proofs of Unsatisfiability for CNF Formulas Evgueni Goldberg andYakov Novikov, DATE 2003 Trimming while Checking Clausal Proofs Marijn Heule, Warren Hunt and Nathan Wetzler, FMCAD 2013 Druping for Interpolants Arie Gurfinkel and Yakir Vizel, FMCAD 2014