1. Using Symmetry to Solve Difficult Logic Puzzles Igor Markov University of Michigan, EECS

2. Outline A brief introduction to the field of Electronic Design Automation Integrated circuits, design tools, research challenges Formal verification of digital circuits via SAT-solving (difficult logic puzzles) Exploiting symmetry as a structural property of SAT instances The graph automorphism problem Symmetry-breaking predicates Improvements in SAT-solving

3. portable media center pocket PC Xbox 360 cable TV box RoundTable Zune tablet PC media center PC Laptop PC smart phone portable media center IP phone desktop PC MS Surface Source: Rico Malvar @ Microsoft Research

4. Source: Information Week / CMPNet

5. Why Do We Need So Many Digital ICs? Programmability versus optimization A CPU (runs a program and) performs 1-6 operations per cycle A specialized chip can perform 1000 ops/cycle (1Gbps networking chips, Dolby 7.1, HDTV) Intel CPUs ≤ 4GHz Power versus performance An Intel CPU can burn 30-100 Watts An ARM CPU in a cell phone burns <0.1Watt Specialization and low cost Intel, AMD CPUs cost >$300 iPhone, GPSNav, Wii <$300

6. Designing New Chips Quickly Idea 1: describe ICs in HW descr. languages (HDL) Verilog, SystemVerilog, C, SystemC Idea 2: use software tools to compile HDL into silicon Many intermediate representations, many passes module foo(a, b, c, o1, o2, o3); input a, b, c; output o1, o2, o3; reg o2, o3; assign o1= a & b; always @(a, b, c) o2= a | c; … wire sel, a, b, out; … if (sel) out=a; else out=b; b a sel AND out OR RTL Model Logic Synthesis Gate-level Netlist Place & Route Polygonal layout

7. Logic Synthesis & Physical Optimization Idea 3: use software tools to optimize chips Functional (logic) optimization A*B+A*C  A*(B+C), (A+B)*(A+C)  A+B*C, X  1  X’ (Boolean & polynomial algebras) Physical optimization: gate locations, wire routes, etc (computational geometry, non-convex optimization) Source: IBM

8. After the Design Phase Idea 4: use software tools to verify chips Find bugs or prove that there are no bugs Idea 5: use software tools to optimize test sequences Idea 6: use software to debug chips Localize & diagnose bugs Automatically suggest bug fixes

9. 0 Design error affects results for large numbers

10. 10 0 Check equivalence of output functions + H.Katebi, I.Markov, “Large- scale Boolean Matching” DATE 2010

11. 11 Too many input combinations to simulate 16-bit adder: 2 32 (feasible) 32-bit adder: 2 64 (impractical) Key idea: formulate a theorem:  x F(x)=G(x) Prove it or find a counter-example Use algorithms and software for theorem-proving Further steps Agree on a simple, formal language for theorems Formulate theorems for circuit equivalence-checking Develop algorithms for theorem-proving

12. 12 Miter function M FG (x) = ( F(x)  G(x) ) = ( F(x)  G(x) )  x F(x)  G(x)   x M FG (x)==1 Theorem-proving reduces to search to satisfy M FG (x)==1 – any such solution is a counter-example (bug!) Or prove that such an assignment does not exist, i.e., prove M FG (x) = 0 for all possible assignments Circuit-SAT: satisfy one output of a circuit Find an input combination that produces 1 Or prove that the output is always 0 Boolean SATisfiability (CNF-SAT) M FG (x) is represented in product-of-sums (POS) form, a.k.a conjunctive normal form (CNF) Example: (a+b+c)(a’+b’+d)(b+c)(d’)(b+e)(c+d+e)

13. 13 Clause Positive Literal Negative Literal  ( a +  c ) ( b +  c ) (a +  b’ + c’ )

14. 14 a b c d e g f h?h?  = h [d=(ab)’] [e=(b+c)’] [f=d’] [g=d+e] [h=fg] = h (a +  d)(b +  d)(a’ + b’ + d’) (b’ +  e’)(c’ + e’)(b +  c + e) (d’ +  f’)(d +  f) (d’ +  g)(e’ +  g)(d +  e + g’) (f +  h’)(g +  h’)(f’ +  g’ + h) = h (a +  d)(b +  d)(a’ + b’ + d’) (b’ +  e’)(c’ + e’)(b +  c + e) (d’ +  f’)(d +  f) (d’ +  g)(e’ +  g)(d +  e + g’) (f +  h’)(g +  h’)(f’ +  g’ + h) = h (a +  d)(b +  d)(a’ +  b’ + d’) (b’ +  e’)(c’ + e’)(b +  c + e) (d’ +  f’)(d +  f) (d’ +  g)(e’ +  g)(d +  e + g’) (f +  h’)(g + h’)(f’ +  g’ + h) = h (a +  d)(b +  d)(a’ +  b’ + d’) (b’ + e’)(c’ +  e’)(b +  c + e) (d’ + f’)(d +  f) (d’ +  g)(e’ +  g)(d +  e + g’) (f +  h’)(g +  h’)(f’ +  g’ + h) = h (a +  d)(b +  d)(a’ +  b’ + d’) (b’ +  e’)(c’ +  e’)(b +  c + e) (d’ +  f’)(d +  f) (d’ +  g)(e’ +  g)(d +  e + g’) (f +  h’)(g +  h’)(f’ +  g’ + h) No branching needed in this example Only constraint propagation Linear time In general, branching is needed Worst-case exponential time In practice, often finishes quickly

15. 15 CNF-SAT is NP-complete A polynomial-time algorithm would immediately solve numerous important problems An impossibility proof would also be interesting A general solution to SAT is worth $1M (the first Millennium problem) + fame Practical SAT-solving Dramatic progress in the last 15 years Algorithms and software exist that solve many large SAT instances quickly Some small SAT instances remain difficult

16. SAT Can Capture Logic Puzzles (1) The Pigeonhole Principle (PHP) Need to assign n+1 objects to n slots No two objects can be assigned to the same slot Every object must be assigned to at least one slot Encoding in terms of CNF-SAT n(n+1) indicator variables matching each object with each slot n 2 (n+1) mutual exclusion clauses preventing two objects from being assigned to any one slot (n+1) clauses with n literals ensure that each object is assigned to at least one slot Summary: PHP n ~n 2 variables, ~n 3 clauses, UNSAT

17. SAT Can Capture Logic Puzzles (2) The Pigeonhole Principle arises in numerous applications Trying to multiplex (n+1) signals through n outputs Trying to route (n+1) wires through n channels, etc A competent SAT solver should handle PHP n, shouldn’t it? Relevant observations & (deep) results All leading SAT-solvers rely on resolution (proof technique) All resolution proofs of the pigeonhole principle are exp-sized In practice, runtime on PHP n instances is indeed exponential But … all pigeons are interchangeable and so are all holes ! Order holes, and impose ordering constraints on assignments

18. Speeding up SAT-solving in Practice Key idea: identify structural properties of a given problem instance, then exploit them to speed up the SAT solver Key structural property of problem instances: symmetry Symmetry-breaking in search: if a, b are interchangeable, add the (a’+b) clause to reduce the branching factor Leading-edge SAT solvers are based on branching Challenges Dealing with more complicated symmetries (cycles, negations) Capturing all symmetries efficiently Detecting symmetries quickly Limiting the size of symmetry-breaking predicates

19. Darga, Sakallah, Markov, “Faster Symmetry Discovery using Sparsity of Symmetries,” DAC 2008 http://vlsicad.eecs.umich.edu/BK/SAUCY/

20. CNF inst.Graph symmetries CNF symmetries Pre-processed CNF instance Invoke a generic SAT solver Symmetry-breaking predicates Shatter GraphAuto: nauty or saucy Computational Symmetry-Breaking in SAT Aloul, Markov, Sakallah, “Shatter: Efficient Symmetry-Breaking for Boolean Satisfiability,” DAC 2003

21. Igor Markov / June 30, 200421 To represent the group of all symmetries of a graph Do not list individual symmetries List generating permutations (generators) Elementary group theory proves: If redundant generators are avoided, an N-element group can be represented by at most log 2 (N) generators Guaranteed exponential compression (often better !) E.g., the group S k of all k! permutations of 1..k can be generated by (12) and (123..k) or by (12), (23), (34),…, (k-1 k) To use this guaranteed compression, we rely on algorithms in terms of permutation generators

22. Symmetry (automorphism) of a graph Permutation of vertices that maps edges to edges Additional constraints Vertex colors (labels): integers Every vertex must map into a vertex of same color Computational Graph Automorphism Find generators of a graph’s group of symmetries GraphAuto  NP, and is believed to  P and  NP-complete Algorithms implemented in GAP(GRAPE(NAUTY)) 1 2 1 2 AB DC

23. Permutations of variables that map clauses to clauses E.g., symmetries of (a+b+c)(d+e+f) include (ab), (abc) as well as (ad)(be)(cf) Considering single swaps only is not enough Ditto for variable negations (a  a’) and negations+permutations E.g., symmetries of (a+b+c)(d+e’+f’) include (de’) as well as (ad)(be’)(cf’)

24. CNF formula  colored graph Linear time and space Find graph’s [colored] symmetries Worst-case exponential time Interpret graph symmetries found as symmetries of the CNF formula Permutational symmetries Variable-negation symmetries

25. Clauses: A (x’ + y + z), B (x + y’ + z’), C (y’ + z) Vertices of two colors: clauses and vars One vertex per clause, two per variable Edges of three types: (i) incidence, (ii) consistency, and (iii) 2-literal clauses 1 2 1 2 AB C x x’ y y’ z z’ Symmetry: (x x’)(y z’)(y’ z) 2 2 2 2

26. Consistency edges must map to consistency edges we do not explicitly enforce that previous reductions do  create larger graphs we reduce the input size for GraphAuto by a constant; recall that O(2 n )  O(2 cn ) Must ensure correctness (!) a graph symmetry that maps consistency edges somewhere else is termed spurious spurious symmetries can and do happen

27. Igor Markov / June 30, 200427

28. On all but the synthetic Urquhart instances, symmetry detection with nauty dominates run time Further improvements must come from improved symmetry detection 74.6 31.518.0123.502pipe 82.613.842.4111.43XOR 99.426.030.1725.86ChnlRoute 93.93.450.213.24FPGAroute 88.443.845.0838.76GRoute 39.41.931.170.76Urq 84.40.45 0.07 0.38Hole-n % Sym TotalSearchSym Benchmark

29. nauty works very well on small graphs but fails to scale Runs out of memory on formulas with corresponding graphs having >50,000 vertices saucy improvement #1: sparse representation saucy improvement #2: can use bipartiteness Clause vertices only connected to literals Never connected to each other saucy improvements #3 and #4: algorithmic (e.g., asymptotically faster partition refinement) Further dramatic improvements in saucy 2008, saucy 2010

30. Testcases#VariablesSAT (s)nauty (s)% Symsaucy(s)% Sym s4-4-3-110354218.5388.7428.90.110.05 s4-4-3-29974877.5979.678.30.100.01 s4-4-3-39970884.7875.987.90.090.01 s4-4-3-410714464.46155.3125.10.140.03 s4-4-3-511072134.09101.6343.10.110.08 s4-4-3-6962013.2476.4885.20.100.75 s4-4-3-71036218.2778.9681.20.100.54 s4-4-3-866080.6828.4297.70.068.11 2pipe35750.132.9395.80.0213.33 3pipe100486.4457.5389.90.131.98 4pipe21547153.50523.6477.30.490.32 5pipe38746122.853144.8596.21.651.33 http://vlsicad.eecs.umich.edu/BK/SAUCY/

31. Symmetries can be sparse too, especially the generators In many cases, runtime now grows linearly with #generators Early detection of hopeless branches during search The algorithm now races toward early termination condition Maintain additional state to speed up some tasks: Checking the termination condition Checking that a permutation is a symmetry Backtracking Several other improvements

32. Testcases#Vertices#GeneratorsSaucy 2004Saucy 2.0 5pipe387462390.830.08 6pipe658393462.220.15 7pipe1006684734.800.29 LA43653512852528.390.21 IL81913814999958.800.43 CA167941844439> 30 min0.84 adaptec139396415683966.480.35 adaptec247105421788> 30 min0.47 adaptec380050636289> 30 min0.93 adaptec487880053857> 30 min0.99

33. CNF inst.Graph symmetries CNF symmetries Pre-processed CNF instance Invoke a generic SAT solver Symmetry-breaking predicates Shatter GraphAuto: nauty or saucy Computational Symmetry-Breaking in SAT Aloul, Markov, Sakallah, “Shatter: Efficient Symmetry-Breaking for Boolean Satisfiability,” DAC 2003

34. Let’s solve (x’+y’)(x+y)(x’+y+z)(x+y’+z)(z’) Try x=0  y=1  z=1  violated clause, must backtrack We just repeated similar/same steps twice Branches x=0,y=1 and x=1,y=0 are symmetric Ideas for speed-up Require that (x≤y), i.e., (x’+y) Consider equivalence classes under symmetry Pick 1+ representative for each class, search only the reps. This restricted search is  to original Try x=1  y=0  z=1  violated clause, must backtrack

35. To restrict search Add clauses to the original CNF formula (“symmetry-breaking” clauses) They will pick representatives of classes Our main task is to find those clauses Use only permutations induced by generators Permutation  group of clauses (a “symmetry-breaking” predicate)

36. SBP Classes of symmetric truth assignments SATisfying assignments

37. When adding SBPs, must ensure No solutions are added (trivial) When solutions exist, SBPs should preserve at least one Optimization objective Total runtime of Shatter flow Not the “completeness” of symmetry-breaking – it’s OK to leave multiple symmetric solutions Technique Process each generator from GraphAuto independently Ignore the CNF-SAT instance, initially Concatenate the resulting predicates to the original CNF

38. Input: permutation (usually sparse) Output: clauses that pick representatives of equivalence classes of truth assignments Challenge: ensuring compatibility of SBPs produced for different generators When conjoining SBPs, we must not lose all solutions g1g1 g2g2 g1g1 g2g2

39. Order the variables in the CNF formula Induce a lexicographic ordering on truth assignments 000<001<010<011<100<101<110<111 For each equivalence class, make sure that its lex-smallest element (lex-leader) is selected Theorem: Given a CNF formula , consider its symmetry generators {g i } and build Lex-Leader SBPs {P(g i )}. Then  and  P(g 1 )  P(g 2 )  … are equi-satisfiable. Proof:  No new solutions are added.  If a solution exists, then the lex-smallest solution is preserved.

40. P g (x)= (x ≤ g(x)) Where x is a truth assignment and ≤ is a lex-ordering Prior work (in the field of AI) Defined P g (x), but implemented it using  (n 2 ) CNF clauses Did not account for variable-negation symmetries Conjoined P g (x) for all g  Aut(G) Optimizations & improvements 1. Account for negation symmetries & hybrids 2. Implement P g (x) using O(n) CNF clauses 3. Implement P g (x) using O(supp(g)) CNF clauses 4. Instantiate P g (x) only for generators of Aut(G)

42. Igor Markov / June 30, 200442 Proving the pigeon-hole principle w/o induction A series of SAT instances of growing size Conventional SAT solvers take exponential time Our approach empirically takes polynomial time

43. CNF inst.Graph symmetries CNF symmetries Pre-processed CNF instance Invoke a generic SAT solver Symmetry-breaking predicates Shatter GraphAuto: nauty or saucy Computational Symmetry-Breaking in SAT Aloul, Markov, Sakallah, “Shatter: Efficient Symmetry-Breaking for Boolean Satisfiability,” DAC 2003

44. Igor Markov / June 30, 200444 Does saucy run in poly-time on bounded-degree graphs ? It can probably be extended to do so provably Extend Shatter to save checkable proofs of unsatisfiability using resolution + symmetries Extend saucy to perform canonical labeling of graphs Graph Automorphism in worst-case polynomial time ? Approximate symmetries

45. Igor Markov / June 30, 200445 Source: Univ. Nebraska Lincoln, Chemistry Dept