A Scalable Algorithm for Minimal Unsatisfiable Core Extraction Nachum Dershowitz¹ Ziyad Hanna² Alexander Nadel¹, ² 1 Tel-Aviv University 2 Intel SAT’06 Conference, Seattle;
Agenda Introduction Related Work Complete Resolution Refutation (CRR) Algorithm Resolution-Refutation-based Pruning (RRP) Experimental Results
What is unsatisfiable core extraction? Given an unsatisfiable CNF formula: Introduction clause negative literal positive literal F = ( a + b ) ( ¬ b + c ) ( ¬c ) ( ¬a + c ) ( b + c )
An unsat. core is an unsatisfiable subset of its clauses: F = ( a + b ) ( ¬ b + c ) ( ¬c ) ( ¬a + c ) ( b + c ) Introduction What is unsatisfiable core extraction? Given an unsatisfiable CNF formula:
An unsat. core is an unsatisfiable subset of its clauses: F = ( a + b ) ( ¬ b + c ) ( ¬c ) ( ¬a + c ) ( b + c ) Introduction What is unsatisfiable core extraction? Given an unsatisfiable CNF formula: Core is minimal if removal of any clause makes it satisfiable U1 and U3 are minimal U2 is not minimal, since U3 U2
Introduction Our contribution: A Minimal Unsatisfiable Core (MUC) extraction algorithm practical: handles Formal Verification benchmarks faster than MUC algorithms smaller cores than suboptimal methods
Agenda Introduction Related Work Complete Resolution Refutation (CRR) Algorithm Resolution-Refutation-based Pruning (RRP) Experimental Results
Related Work Theoretical algorithms Suboptimal algorithms Adaptive core search (Bruni et al., 2001) AMUSE (Oh et al., 2004) Empty-clause Cone (EC) (Zhang et al., 2003; Goldberg et al., 2003) Algorithms, guaranteeing minimality of the core MUP (Huang, 2005) Naïve
Related Work (Suboptimal) Empty-clause Cone (EC) (Zhang et al. 2003; Goldberg et al. 2003) Modern SAT solvers produce a resolution refutation of given unsatisfiable formula Each conflict clause is a resolvent of initial clauses or previously recorded conflict clauses The empty clause is the last conflict clause Initial clauses, connected to the empty clause, compose the unsatisfiable core
Related Work (Suboptimal) Empty-clause Cone until Fixed Point (EC-fp) (Zhang et. all; 2003) Invoke EC until fixed point is reached EC and EC-fp characteristic Fast and scalable The only algorithms scalable on large benchmarks The resulting cores can still be reduced
Related Work (Naïve-MUC) Naïve MUC For every clause I in formula F Invoke SAT solver on F \ I If F \ I is unsatisfiable I does belong to MUC Remove I from F F is a Minimal Unsatisfiable Core
Agenda Introduction Related Work Complete Resolution Refutation (CRR) Algorithm Resolution-Refutation-based Pruning (RRP) Experimental Results
CRR and Naïve Naïve is the most efficient MUC algorithm on large FV benchmarks CRR can be seen as a refinement of Naïve Always hold a resolution refutation of current unsat. core Check if it is possible to exclude an initial clause I by invoking a SAT solver on both Remaining initial clauses, except I (like Naïve) Conflict clauses, s.t. I was not required to derive them If I can be excluded, a new resolution refutation, not containing I, is constructed
Complete Resolution Refutation (CRR) Algorithm: Resolution Refutation Resolution refutation is a directed acyclic graph (dag) R: R( In Co, E ) Initial clauses - sources of R Conflict clauses, including - the only sink of R Edges – resolution relations between clauses
Complete Resolution Refutation (CRR) Algorithm: Definitions Re(R, I) / Re E (R, I) / Re G (R, I) vertices / edges / sub-graph reachable from I in R UnRe(R, I) – vertices, unreachable from I in R A resolution refutation, containing only clauses, connected to, is non-redundant
CRR by Example bb a c a c c b a b d a d b a d b a b d CRR by example Initial clauses are on the right I1I1 I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 I8I8
CRR by Example bb a c a c c b a b d a d b a d b a d b d a b aa Build non-redundant resolution refutation One initial clause is dropped I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 I8I8 C2C2 C3C3 C4C4 C5C5 C6C6
CRR by Example bb a c a c c b a b d a d b a d b a d b d a b aa Consider clause I 8 for removal I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 I8I8 I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 I8I8 C2C2 C3C3 C4C4 C5C5 C6C6
CRR by Example bb a c a c c b a b d a d b a d b a d b d a b aa UnRe(I 8 ) Consider clause I 8 for removal Invoke SAT solver on I’ = UnRe(I 8 ) I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 I8I8 C2C2 C3C3 C4C4 C5C5 C6C6
CRR by Example bb a c a c c b a b d a d b b d aa Invoke SAT solver on I’ = UnRe(I 8 ) Doesn’t know about resolution relation between clauses I’ 1 I’ 2 I’ 3 I’ 4 I’ 5 I’ 6 I’ 7 I’ 8
CRR by Example bb a c a c c b a b d a d b b d aa The instance is unsatisfiable a b I’ 1 I’ 2 I’ 3 I’ 4 I’ 5 I’ 6 I’ 7 I’ 8 C’ 2 C’ 3 a b C’ 1
CRR by Example bb a c a c c b a b d a d b b d aa A new refutation R’ is composed Re G (I 8 ) is dropped a b I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 C3C3 C5C5 C7C7 C8C8 a b C9C9
CRR by Example bb a c a c c b a b d a d b b d aa Make R’ non-redundant a b I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 C3C3 C5C5 C7C7 C8C8 a b C9C9
CRR by Example bb a c a c c b a b d a d b b d aa Make R’ non-redundant a b I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 C3C3 C5C5 C7C7 C8C8
CRR by Example bb a c a c c b a b d a d b b d aa Consider I 7 for removal a b I2I2 I3I3 I4I4 I5I5 I6I6 I7I7 C3C3 C5C5 C7C7 C8C8 UnRe(I 7 )
I’ 6 I’ 7 CRR by Example bb a c a c c b a b d b d aa UnRe(I 7 ) is satisfiable with a=b=c=d=0 I’ 1 I’ 2 I’ 3 I’ 4 I’ 5
CRR by Example bb a c a c c b a b d a d b b d aa I 7 is marked as belonging to a MUC The refutation is not changed a b I2I2 I3I3 I4I4 I5I5 I6I6 I 7 + C3C3 C5C5 C7C7 C8C8
CRR by Example bb a c a c c b a b d a d b b d aa Every other initial clause also belongs to MUC a b I 2 + I 3 + I 4 + I5 +I5 + I 6 + I 7 + C3C3 C5C5 C7C7 C8C8
Complete Resolution Refutation (CRR) Algorithm 1.Build a resolution refutation R(In Co; E) using a SAT solver 2.Reduce R(In Co; E) to be non-redundant 3.While unmarked clause exists in In 1.I PickUnmarkedClause(In) 2.Invoke a SAT solver on UnRe(R, I) 3.If UnRe(R, I) is satisfiable then 1.Mark I as MUC member 4.else 1.Let R’(In’ Co’; E’) be resolution refutation, built by the solver 2.In In \ {I}; Co (Co Co’) \ Re(R, I); E (E E’) \ Re E (R, I) 3.Reduce R(In Co; E) to be non-redundant 4.Return In
CRR vs. Naïve CRR reuses all relevant conflict clauses No need to re-derive important lemmas CRR may remove a number of initial clauses simultaneously While reducing the resolution refutation to be non- redundant (at each stage of the algorithm)
CRR: More Features CRR can be stopped anytime after the first resolution refutation is constructed Accepts time thresholds There is a place for improvement Work on the heuristic for picking clauses Hold the resolution refutation in-memory, rather than on disk Resolution-Refutation-based Pruning Next
Agenda Introduction Related Work Complete Resolution Refutation (CRR) Algorithm Resolution-Refutation-based Pruning (RRP) Experimental Results
Resolution Refutation-based Pruning For each I, speed-up the examination if I can be removed by Using a certain property of Re G (I) to cut-off the search space for the SAT solver, invoked on UnRe(I)
RRP: Definitions Definitions An assignment falsifies clause I, if every literal of I is 0 under = {a=0; b=0; c=1} falsifies I = a b c We define an i-path in a resolution refutation to be a directed path starting with an initial clause an ending with the empty clause An assignment falsifies an i-path, if it falsifies every clause in the i-path
RRP: Main Theorem Theorem: Let R(I V, E) be a resolution refutation. Let be an assignment. If satisfies UnRe(I), then there exists an i-path, starting with I, falsified by . Note: Re G (I) contains every i-path, starting with I
RRP: Main Theorem by Example There is one i-path, starting with I 7 : {I 7, C 7, C 8 } Any assignment satisfying UnRe(I 7 ) falsifies the clauses I 7,, C 7 and C 8 Must have {a=0; d=0; b=0} Otherwise, would satisfy a vertex cut in R The empty clause is derivable from any vertex cut in R. Contradiction. bb a c a c c b a b d a d b b d aa a b I2I2 I3I3 I4I4 I5I5 I6I6 C3C3 C5C5 C7C7 C8C8 I7I7 UnRe(I 7 ) i-path
RRP: Theorem Application The SAT should check if there is a model to UnRe(I) All the possible models of UnRe(I) must falsify some i-path in Re G (I) Restrict the SAT solver to check only such assignments that falsify some i-path in Re G (I)
RRP Decision heuristic first invokes RRP H function RRP H explores Re G (I) in DFS manner Always is trying to falsify a certain i-path If RRP H returns a literal, it is picked as a decision literal, otherwise A normal decision heuristic is invoked RRP B – a change in backtracking engine The currently visited clause D Re G, initialized to I, is maintained by RRP H and RRP B
RRP H : Decision Heuristic Norm D is not satisfied nor falsified / Return a negation of an unassigned literal from D SatFalse EoT EoP D has a parent / D Par(D) D is satisfied D is falsified All visited / D Par(D) D has an unvisited child / D Child(D) D has no parent D has no children True / Return ?
RRP B : Backtracking Engine On conflict, the solver may need to backtrack in Re G (C) in addition to regular backtracking Let backtracking level (in search space) be bl Denote by mdl(D) the maximal decision level of D’s literals If bl < mdl(D) Let B be the first predecessor of D, such that bl mdl(B) D B
Agenda Introduction Related Work Complete Resolution Refutation (CRR) Algorithm Resolution-Refutation-based Pruning (RRP) Experimental Results
We demonstrate that for benchmark Formal Verification families: Our algorithm runs faster than other algorithms for MUC extraction Our algorithm finds smaller cores compared to the sub-optimal algorithms
Experimental Results We implemented CRR and RRP in a simplified version of the industrial solver Eureka We used 4 Formal Verification families Barrel; Longmult; Fvp-unsat.2.0; Pipe_unsat_1.0 Relative resolution hardness of a resolution refutation R( In Co, E ) is ( | In | + | Co | ) / | In |
Experimental Results: Instances InstVarClsEC R.R. Hrd. 4pipe p_1_o p_2_o p_3_o p_4_o p_k p_k p_k InstVarClsEC R.R. Hrd. barrel barrel barrel barrel longmult longmult longmult longmult
Experimental Results: MUC Algorithms CRR vs. Naive Plain CRR outperforms Naïve on every benchmark CRR+RRP outperforms Naïve on 15/16 benchmarks The speed-up is Usually, between 4 to 10x Sometimes, it is 34x (hardest barrel instance) Sometimes, it is 2.5x (hardest longmult instance)
Experimental Results: MUC Algorithms RRP Impact RRP improves the performance on most instances The greatest speed-up is ~2.5x RRP is usually unhelpful only on longmult family
Experimental Results: MUC Algorithms logmult family case Hard for CRR, even harder for RRP Reason is relative resolution hardness Reaches 14.2 for the hardest longmult instance Varies between on every instance of other families Sizes of cores do not vary much between different MUC algorithms
Experimental Results: Suboptimal Algorithms Next: Compare CRR and CRR+RRP with sub-optimal algorithms EC and EC-fp
Experimental Results: CRR vs. Suboptimal Algorithms CRR+RRP vs. suboptimal algorithms Core sizes Average gain over EC is 30% Average gain over EC-fp is 11% Execution time Usually, EC and EC-fp are orders of magnitude faster, but CRR+RRP is faster than EC-fp on two hardest instances of barrel
Conclusions We presented: Complete Resolution Refutation (CRR) algorithm for Minimal Unsatisfiable Core extraction Resolution-Refutation-based pruning (RRP), enhancing CRR Our algorithm is: Faster than existing MUC algorithms by a factor of 6 (or more) on large problems with non-overly hard resolution proofs Able to find smaller cores than suboptimal algorithms by 11% on average
Thanks!