Here is the outline of this talk. First, I will give a brief introduction into the problem of quantifier elimination and say a few words about our approach.Then I will describe the notion of dependency sequents based on clause redundancy thatour method is based onAfter that I will show an exampe runof our quantifier elimination algorithmon a simple formulaFinally, I will give some experimental results and make conclusions
Quantifier Elimination (QE)Let F be a Boolean CNF formula and X Vars(F).
QE is important in many areas e.g model checking
QE problem: Given X [F ], find a quantifier free CNF formula G
such that G X [F ]
G X [F ] means that Gs = X [Fs]
for every complete assignment s to Vars(F) \ X
Eugene
Let us define the problem we want to solve.Let F be a Boolean CNF formula and X be a subset of variables of FThe QE problem we consider is as follows. Given F formlua where variables of X are existentially quantified, find an equivalent quantifier free CNF formula G. The equivalence between these two formulas is semantic. That is the evaluate to the same value for every complete assignment to non-quantified variables of F. Here G with subscript s speciifes G under assignment s. QE algorithms can be used to solve many other problems in particular model checking.Importantly, the machinery of D-sequents we use for QE can be applied to other problems for example SAT
SAT-based QE Methods
• Enumeration of satisfying assignments: McMillan 2002, Ganai,Gupta, Ashar 2004,
• Computing redundancy of variables Goldberg, Manolios 2012
Eugene
Due to advent of efficient SAT-solvers, many researchers explored the domain of SAT-based methods of QE elimination. Until recently, there have been two kinds of basic QE algorithms. Algorithms of the first kind pioneered by Ken McMillan are based on the idea of enumeration of satisfying assignments.Algorithm of the second kind follow the idea of the Davis-Putnam procedure. Namely quantified variables are eliminated one by one in some order.Despite the obvious progress in SAT-based algorithms for QE, they still have poor scalability.Last year we presented a new algorithm of quantifier elimination based on computation ofredundancy of variables. Some shortcomings of this algorithm I will discuss later
Three Ideas of Our Method
1) Add resolvent-clauses to F until clauses with variables of X ( X-clauses) are redundant in X [H] , H F
Redundancy of X-clause C means X [H] X [H \ {C} ]
2) Use branching to prove redundancy of X-clauses in subspaces and merge results of different branches
3) Compute termination condition: (all X-clauses are redundant in X [H]. This is done by machinery of dependency sequents (D-sequents)
Eugene
In our approach we also consider a SAT-based method of quantifier elimination.Similarly to last year's method, it is based on three ideas. The first idea is to keep adding resolvent clauses to F until all X-clauses become redundant in this formula where F consists of initial clauses and resolvents.Such redundancy means that removing all X-clauses from F results in a semantically equivalent formula. This formula consists of non-quantifed variables and so quantifers can be removed.The second idea is to use the divide and conqure strategy. Namely, we use branching to prove redundancy of X-clauses in subspaces and then merge the results of different branches. The third idea is to identify the moment when all X-clauses become redundant. This is done using the machinery of D-sequents
Clause And Variable Redundancy
A variable v X is redundant in X [F ]
if the clauses of F with v are redundant in X [F ]
D-sequents based on clause redundancy (FMCAD-13)• Clause D-sequents can express redundancy of any subset
of X-clauses • Derivation of termination condition in terms of clause D-
sequents cannot be simulated by variable D-sequents
D-sequents based on redundancy of variables (FMCAD-12)
Eugene
In our last years' paper we introduced D-sequents based on the notion of redundancy of quantified variables. A variable v of X is redundant in quantified F if the clauses of F with variable v are redudnant in quantified F.Developing the machinery of such D-sequents was the main contribution of our FMCAD12 paper.In this talk we consider D-sequents based on clause redundancy that we will refer to as clause D-sequents.Clause D-sequents can express redundancy of any subset of X clauses. Derivation of the termination condition in terms of clause D-sequents cannot be simulated by D-sequents in terms of redundant variables.
Now I am going to introduce the notion meant to fix the problems with resolution
Clause Dependency Sequents (D-sequents)
A clause D-sequent (X [F ] , s) R , where R FX
states that R is redundant in X [Fs] .
Let s be a partial assignment to Vars(F).
Let FX denote the X-clauses of X [F ]
We will call s the conditional part of the D-sequent
Eugene
Let s denote a partial assignment to variables of FLet F with superscript X denote the X-clauses of quantified F.A D-sequent is a record highlighted where R is a set of X-clauses stating that the clauses of R are rendant in quantified formula F in subspace sI will refer to s as the condition part of the D-sequent.
D-Sequent Calculus
Operation Compose
Operation Join
Resolution of clausesInitial clauses
of F
Atomic D-sequents
(X [F ] , ) FX
Eugene
This slide shows the components of D-sequent calculus. As far as QE is concerned the goal is to derive this D-sequent stating the termination condition: that all the X-clauses are redundant in the current quantified formula F unconditionally.To make X-clauses redundant one obviously needs to add some resolvent clauses to the original formula F. But to derive the termination condition on top of resolution one needs the caclulus of D-sequents. It consists of two parts.The first part consists derivation of atomic D-sequents that state redundancy of X-clauses in trivial cases. The second part consists of operations compose and join that produce new D-sequent from existing ones.
Atomic D-sequents
blocked (cannot be resolved
with clauses of Fs)
subsumed by C Fs
Let C be an X-clause of X [F ],
satisfied
by s
Atomic D-sequent (X [F ], s) {C }
is derived when C is
Eugene
Let C be an X-clause of quantified formula F.An atomic D-sequent stating trivial redudancy of C is derived in the following three cases:C is satisfied by assignment sC is subsumed by a clause C' in subspace sC is blocked in subspace s that is it cannot be resolved on a variable
Now I give an example run of our QE algorithm on a simple formula
A Run of DCDS on a Simple Formula
Consider x [F ] where
F = C1 C2 ,
C1= ~y1 x ,
C2= y2 ~x ,
~y1 y2 is a solution to the QE problem i.e.
~y1 y2 x (~y1 x ) (y2 ~x )
Derivation of Clause D-Sequents (DCDS)
Eugene
Our QE algorithm is called DCDS that stands for Derivation of Clause D-sequentsLet quantified formula F consists of two clauses C1 and C3 shown here. Only one variable x is existentially quantified.The solution to this problem is given by clause ~y1 or y2 that is just the resolvent of clauses C1 and C2
Decision Tree Built by DCDS
y1
y2C1 is satisf.
C2 is blocked
x
x [F ],
F = C1 C2 ,
C1= ~y1 x ,
C2= y2 ~x ,
C2 is satisf.
C1 is blocked
C1, C2 are sub-sumed by C3
confl. clause C3 =~y1 y2 is added
0 1
0 1
C3 =~y1 y2 is a solution to QE
Eugene
This slides show the decision tree built by DCDS.The leaves are shown by dotted ovals.Suppose that DCDS branches on variable y1 first.After y1 is assigned value 0, C1 becomes satisfied and C2 becomes blocked. So C1 and C2 are redundant here and DCDS backtracks. Suppose that in the branch y1=1 y2 is then picked for branching. Then in branch y2=0 we get a conflict because C1 and C2 turn into unit clauses x and ~x. At this point a conflict clause C3 is added to F. This clause subsumes C1 and C2 in the current subspace and DCDS backtracks. Finally, in the branch y2=1 clause C2 is satisfied and C1 is blocked and hence they are redundant.
This slides shows derivation of D-sequents for the decision tree of the previous slide.As we saw, in branch y1=0, clauses C1 and C2 become satisfied and blocked so atomic D-sequents S1 and S2 are derived. I use a simplified notation here where we drop quantified formula from the left part of a D-sequent and show only conditional part.D-sequents S1 and S2 state redundancy of clauses C1 and C2 separately. By using composition operation one can build a D-sequent expressing redundancy of C1 and C2 together. Notice that the composition operation is not that simple. More details can be found in the paper.In the branch y1=1 and y2=0 a conflict clause is added which makes C1 and C2 redundant in the current subspace. This fact is expressed by derivation of atomic D-sequents S3 and S4.In the branch y1=1,y2=1 clause C2 is satisfied and C1 is blocked and DCDS derives atomic D-sequents S5 and S6.After that DCDS backtracks. At this point D-sequents S3,S4 are derived in branch y2=0 and S5,S6 are derived in branch y2=1. New D-sequents S7,S8 that do not depend on assignment y2 are derived by a resolution-like operation join.An example is shown on the right where D-sequent S7 is derived by joining S3 and S5 to make variable y2 disappear
Now I am going to describe some experimental results.
Re-using D-sequents
• Current implementation of DCDS lacks a few optimizations
• Most importantly, D-sequents are not re-used
• Parent D-sequents are discarded after a join operation
• Re-using D-sequents should drastically boost performance
eugene
Since DCDS is not a trivial algorithm based so in a sense our top priorirty was to make sure that the algorithm is correct.The current implementation lacks a few important implementation. For example,D-sequents are re-used. Parent D-sequents are discarded after a join operation. We believe that re-using of D-sequents will drastically boost performance. Some discussion of this topic is given in the paper.
Backward Model Checking
Model checker MC-DDS MC-DCDS MC-BDD
Solved 247 258 374
758 benchmarks of HWMCC-10. Time limit is 2,000 s.
• MC-DDS is based on our QE algorithm of FMCAD-12 • MC-DCDS is based on our QE algorithm of FMCAD-
13• MC-BDD is based on PdTrav
We compared three algorithms:
eugene
We used the benchmarks of hardware model checking competition to give some preliminary evaluation. The time limit was set to 2,000 seconds. We compare three algorithms of backward model checking. An algorithm based on our quantifier elimination from the previous FMCAD i.e. using D-sequents based on variable redundancy. An algorithm whose QE based on clause D-sequents and and algorithm using BDDs. The latter was based on PdTrav.As you can see BDDs are still faster which is not surprising taking into account the maturity of this technology and the fact that BDDs do re-use what they learned via subgraph hashing.
Comparison On Benchmarks Solved by MC-DDS or MC-DCDS
Model checker MC-DDS MC-DCDS MC-BDD
Solved 247 258 193
#timeouts 12 1 66
Time for solved by all (s.)
11,293 1,698 9,080
Number of benchmarks is 259
Time limit is 2,000 s.
eugene
This slide shows the performance of the three algorithms on the benchmarks solved only by algorithms based on D-sequents. The pair of data shown in red indicates that there was a significant number of examples (66) where BDDs failed. So there is a noticeable set of benchmarks where D-sequents outperform BDDs even by the current algorithm that can be drastically improved.Notice also the pair of numbers shown in green. They show that D-sequents based on clause redundancy outperform those based on variable redundancy by 7X.
Cactus Plots For Benchmarks Solved by MC-DDS or MC-DCDS
eugene
These plots show the number of benchmarks with respect to time they were solved. Again we consider only benchmarks solved by algorighms based on D-sequents. As you can see on this set of benchmarks they consistently outperformed BDDs.
Conclusions
• We introduced the machinery of clause D-sequents that can be used in many applications
• We showed how it works for quantifier elimination
• A model checker based on clause D-sequents can solve examples that are hard for BDDs
• We are still at the stage where adding a new technique (e.g. re-using D-sequents) can lead to drastic improvements
eugene
We introduce the machinery of D-sequents based on clause redudnancy that can be used in many applications.We show how such D-sequents work in quantifier elimiantion.A model checker based on clause D-sequents can sovle examples that are hard for BDDsWe are still at the stage where adding a new technique can lead to drastic improvements.Some points are not covered in this short talk for examle the discussion of why DCDS is correct. So please read the paper.
