Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAT/SMT seminar 18/02/2018 Computing multiple MUSes (Minimal Unsatisfiable Subformulas) and MSISes (Minimal Safe Inductive Subsets) Alexander Ivrii IBM.

Published byNickolas Poole Modified over 5 years ago

Similar presentations

Presentation on theme: "SAT/SMT seminar 18/02/2018 Computing multiple MUSes (Minimal Unsatisfiable Subformulas) and MSISes (Minimal Safe Inductive Subsets) Alexander Ivrii IBM."— Presentation transcript:

1 SAT/SMT seminar 18/02/2018 Computing multiple MUSes (Minimal Unsatisfiable Subformulas) and MSISes (Minimal Safe Inductive Subsets) Alexander Ivrii IBM

2 Part I : MUSes

3 Motivation Given an unsatisfiable CNF formula:
A MUS provides an insight on unsatisfiability Different MUSes provide different insights Commonly studied problems: Find a single MUS Find a smallest-size MUS Find all MUSes Find many MUSes

4 First, what about a single MUS?
There is a lot of research on this topic (don’t want to go in detail…)

5 Brief History of MUS enumeration
CAMUS: “Compute All Minimal Unsatisfiable Subsets” (pronounced as “ka-moo”, named after Albert Camus) Liffiton & Sakallah: “On finding all minimally unsatisfiable subformulas”, SAT’2005 Liffiton & Sakallah: “Algorithms for computing minimal unsatisfiable subsets of constraints”, JAR’2008 MARCO [eMUS]: “Mapping Regions of Constraint sets” (named after Marco Polo) Liffiton & Malik: “Enumerating infeasibility: Finding multiple MUSes quickly”, CPAIOR’2013 Previti & Marques-Silva: “Partial MUS enumeration”, AAAI’2013 Liffiton & Previti & Malik & Marques-Silva: “Fast, flexible MUS enumeration”, Constraints’2016

6 MUSes, MCSes, MSSes Let F be an unsatisfiable CNF formula
A subset U of F is a minimal unsatisfiable subset (MUS) if U is unsatisfiable and for every C  U, U\C is satisfiable A subset S of F is a minimal correction subset (MCS) if F \ S is satisfiable and for every C  M, F \ (M\C) is unsatisfiable A subset S of F is a maximal satisfiable subset (MSS) if S is satisfiable and for every C  F\S, SC is unsatisfiable Example: C = { (a), (a), (a  b), (b) } MUSes: { (a), (a) }, { (a), (a  b), (b) } MCSes: { (a) }, { (a), (b) }, { (a), (a  b) } MSSes: { (a), (a  b), (b) }, { (a), (a  b) }, { (a), (b) }

7 Dualities MCSes and MSSes are complementary: S is an MSS if and only if F \ S is an MCS MCSes and MUSes satisfy the hitting set duality: U is an MUS of F if and only if U is a minimal hitting set of the set of all MCSes of F S is an MCS of F if and only if S is a minimal hitting set of the set of all MUSes of F (Idea: every MUS U of F must intersect every MCS S of F, and vice versa)

8 Power Set Lattice

9 CAMUS Operates in two stages:
Computes all MCSes of F using a SAT-based algorithm Computes all MUSes of F using the hitting set duality

10 CAMUS Computing all MCSes of F
Introduce activation variables that allow to turn clauses on and off Find all MCSes of size 1 “can you turn off one clause, so that the formula becomes SAT”? Find all MCSes of size 2 “can you turn off two clauses, so that the formula becomes SAT” ? … Each time an MCS is found, it is blocked

11 CAMUS – execution

12 CAMUS – remarks A significant shortcoming of CAMUS is that computing all MCSes may be intractable: There may be exponentially many of them! However, after the first stage succeeds, CAMUS is great: For computing a smallest-sized MUS For enumerating all MUSes Many optimizations exist

13 MARCO Directly explores the power set lattice
Enumerates both MUSes and MCSes

14 MARCO Works by repeatedly:

15 MARCO – execution

16 MARCO – execution And so on …
Until the full power set lattice is explored

17 MARCO – remarks By forcing getUnexplored to produce maximal (resp. minimal) models, one can bias the algorithm towards more eager production of MUSes (resp. MCSes) Great for finding MUSes right away Easily extended to other domains Many optimizations exist

18 Part II : MSISes (This is a part of joint work with Ryan Berryhill that we have submitted to SAT’18)

19 Motivation In model checking: we are given a problem (Init, Tr, Bad)
want to know if there is a path from an initial state to a bad state that satisfies the transition relation If such a path exists, model checkers may produce counterexamples If such a path does not exist, model checkers may produce proofs, in the form of safe inductive invariants

20 Motivation A recent trend is to produce simple inductive invariants, represented as conjunctions of clauses (= in CNF) Smaller proofs give better insight on why the model checking problem is SAFE Different proofs may provide different insights This leads to problems: given a model checking problem (Init, Tr, Bad), and safe inductive invariant F in CNF Find a single MSIS of F Find a smallest-size MSIS of F Find all MSISes of F Find many MSISes of F In what follows, are are only removing clauses (= weakening the proof)

21 What about a single MSIS? Or why it is not so simple?

22 Basic MSIS algorithm The main idea: for each clause in the invariant:
Tentatively remove this clause Iteratively remove clauses that are no longer implied (both from premises and conclusions), until: Either a smaller safe inductive invariant is obtained (we can restrict to this smaller invariant), Or the property itself is no longer implied (restore all removed clauses) More optimized algorithms are possible

23 Support Sets and Collapse Sets
Let (Init, Tr, Bad), be a model checking problem, F be a safe inductive invariant in CNF, and C  F be a clause. A subset U of F is a support set for C if TrCUC’ is unsatisfiable. A minimal support set is defined in an obvious way. A subset S of F is a collapse set for C if F\S is not a support set for C. A minimal collapse set is defined in an obvious way. Support sets explain why C is an MSIS and are analogous to MUSes. Collapse sets prevent C from being in MSIS and are analogous to MCSes. Slightly abusing notation, we also define support/collapse sets for Bad as related to safety (rather than inductiveness)

24 CAMSIS – adapting CAMUS to exploring MSISes
Operates in two stages: For each clause C  F (including Bad) Computes all collapse sets for C This is exactly as computing all MCSes for the unsatisfiable formula TrCFC’, but the minimization needs to be done only over clauses of F Uses “hitting set duality” with “a twist”: If G is an MSIS of F, and CG, then G has a non-empty intersection with each collapse set of C. We use a dedicated SAT-solver for enumerating and blocking all solutions. Again, we can obtain the solutions (MSISes) ordered by size (smallest-to-largest)

25 CAMSIS – adapting CAMUS to exploring MSISes

26 Adapting MARCO to exploring MSISes
On its surface, MARCO (as used for enumerating MUSes) heavily exploits the monotonicity of the predicate p, where “p(U) = 1 iff U is unsatisfiable” In particular, when U is an MUS of F, then BlockUp blocks all supersets of U But in our case the naïve predicate “p0(U) = 1 iff U is a safe inductive subset of F” is not monotone… However, the predicate “p1(U) = 1 iff U contains an MSIS of F” is monotone And minimal subsets satisfying p1 coincide with minimal subsets satisfying p0 This allows to apply MARCO directly for computing MSISes, but with slightly different implementations of shrink and grow procedures

27 CAMSIS and MARCO – remarks
Experimentally (minimizing invariants for hardware model checking problems): For CAMSIS the main bottleneck is computing all collapse sets If this stage succeeds, computing a smallest-sized MSIS and enumerating all MSISes is generally easy On the other hand, MARCO is great for producing many MSISes quickly Non-surprisingly, these observations are very similar to observations regarding MUS enumeration

28 Thank you!

Download ppt "SAT/SMT seminar 18/02/2018 Computing multiple MUSes (Minimal Unsatisfiable Subformulas) and MSISes (Minimal Safe Inductive Subsets) Alexander Ivrii IBM."

Similar presentations

Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Inference of progress properties for (multi party) sessions Mario Coppo (Universita’ di Torino) joint work with Mariangiola Dezani, Nobuko Yoshida Lisbon,

Inference of progress properties for (multi party) sessions Mario Coppo (Universita’ di Torino) joint work with Mariangiola Dezani, Nobuko Yoshida Lisbon,
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Theory of Computing Lecture 18 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 18 MAS 714 Hartmut Klauck.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Searching for Autarkies to Trim Unsatisfiable Clause Sets Mark H. Liffiton and Karem A. Sakallah University of Michigan {liffiton,

Searching for Autarkies to Trim Unsatisfiable Clause Sets Mark H. Liffiton and Karem A. Sakallah University of Michigan {liffiton,
Presented by Ed Clarke Slides borrowed from P. Chauhan and C. Bartzis

Presented by Ed Clarke Slides borrowed from P. Chauhan and C. Bartzis
GRASP SAT solver Presented by Constantinos Bartzis Slides borrowed from Pankaj Chauhan J. Marques-Silva and K. Sakallah.

GRASP SAT solver Presented by Constantinos Bartzis Slides borrowed from Pankaj Chauhan J. Marques-Silva and K. Sakallah.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Identifying Conflicts in Overconstrained Temporal Problems Mark H. Liffiton, Michael D. Moffitt, Martha E. Pollack, and Karem A. Sakallah University of.

Identifying Conflicts in Overconstrained Temporal Problems Mark H. Liffiton, Michael D. Moffitt, Martha E. Pollack, and Karem A. Sakallah University of.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.

Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
1 Completeness and Complexity of Bounded Model Checking.

1 Completeness and Complexity of Bounded Model Checking.
1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.

1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.
Solvers for the Problem of Boolean Satisfiability (SAT) Will Klieber 15-414 Aug 31, 2011 TexPoint fonts used in EMF. Read the TexPoint manual before you.

Solvers for the Problem of Boolean Satisfiability (SAT) Will Klieber Aug 31, 2011 TexPoint fonts used in EMF. Read the TexPoint manual before you.
Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa.

Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa.
On Finding All Minimally Unsatisfiable Subformulas Mark Liffiton and Karem Sakallah University of Michigan {liffiton, June 21, 2005.

On Finding All Minimally Unsatisfiable Subformulas Mark Liffiton and Karem Sakallah University of Michigan {liffiton, June 21, 2005.
SAT 2009 Ashish Sabharwal Backdoors in the Context of Learning (short paper) Bistra Dilkina, Carla P. Gomes, Ashish Sabharwal Cornell University SAT-09.

SAT 2009 Ashish Sabharwal Backdoors in the Context of Learning (short paper) Bistra Dilkina, Carla P. Gomes, Ashish Sabharwal Cornell University SAT-09.

Similar presentations

Ads by Google