solving difficult instances of boolean satisfiability in...

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 22, NO. 9, SEPTEMBER 2003 1117

Solving Difficult Instances of Boolean Satisfiabilityin the Presence of Symmetry

Fadi A. Aloul, Student Member, IEEE, Arathi Ramani, Igor L. Markov, and Karem A. Sakallah, Fellow, IEEE

Abstract—Research in algorithms for Boolean satisfiability(SAT) and their implementations (Goldberg and Novikov, 2002),(Moskewicz et al., 2001), (Silva and Sakallah, 1999) has recentlyoutpaced benchmarking efforts. Most of the classic DIMACSbenchmarks (ftp:dimacs.rutgers.edu/pub/challenge/sat/bench-marks/cnf) can now be solved in seconds on commodity PCs. Morerecent benchmarks (Velev and Bryant, 2001) take longer to solvedue to their large size, but are still solved in minutes. Yet, relativelysmall and difficult SAT instances must exist ifP = NP. Tothis end, our paper articulates SAT instances that are unusuallydifficult for their size, including satisfiable instances derivedfrom very large scale integration (VLSI) routing problems. Withan efficient implementation to solve the graph automorphismproblem (McKay, 1990), (Soicher, 1993), (Spitznagel, 1994), weshow that in structured SAT instances, difficulty may be associatedwith large numbers of symmetries. We point out that a previouslypublished symmetry extraction mechanism (Crawford et al., 1996)based on a reduction to the graph automorphism problem oftenproduces many spurious symmetries. Our paper contributestwo new reductions to graph automorphism, which extract allcorrect symmetries found previously (Crawford et al., 1996) aswell as phase-shift symmetries not found earlier. The correctnessof our reductions is rigorously proven, and they are evaluatedempirically. We also formulate an improved construction ofsymmetry-breaking clauses in terms of permutation cycles andpropose to use only generators of symmetries in this process. Theseideas are implemented in a fully automated flow that first extractssymmetries from a given SAT instance, preprocesses it by addingsymmetry-breaking clauses, and then calls a state-of-the-artbacktrack SAT solver. Significant speed-ups are shown on manybenchmarks versus direct application of the solver. In an attemptto further improve the practicality of our approach, we proposea scheme for fast “opportunistic” symmetry extraction and alsoshow that considerations of symmetry may lead to more efficientreductions to SAT in the VLSI routing domain.

Index Terms—Backtrack search, clause learning, conjunctivenormal form (CNF), graph automorphism, logic simplification,satisfiability (SAT), symmetries.

I. INTRODUCTION

BOOLEAN satisfiability (SAT) is a pivotal problem incomputer science with numerous applications that range

from microprocessor verification [60] to field programmable

Manuscript received September 6, 2002; revised December 11, 2002. Thiswork was supported in part by the DARPA/MARCO Gigascale Silicon ResearchCenter, in part by an Agere Systems/SRC Research fellowship, and in part bya fellowship from the ACM/IEEE Design Automation Conference. This paperwas previously presented at the ACM/IEEE Design Automation Conference,New Orleans, LA, in June 2002. This paper was recommended by AssociateEditor J. H. Kukula.

The authors are with the Department of Electrical Engineering and ComputerScience, University of Michigan, Ann Arbor, MI 48109-2122 USA (e-mail:[email protected]; [email protected]; [email protected];[email protected]).

Digital Object Identifier 10.1109/TCAD.2003.816218

gate array (FPGA) layout [46]. A one million dollar prize isoffered by the Clay Institute for Mathematical Sciences for acomplete, polynomial-time SAT solver or a proof that such analgorithm does not exist (the P-versus-NP problem). Addition-ally, industrial applications motivate intensive research in SATalgorithms that quickly solve real-life instances. The funda-mental framework for state-of-the-art SAT algorithms was laidout in the 1960s, but a number of recent improvements in al-gorithms and implementation techniques [45], [50] have led toperformance breakthroughs. Most DIMACS challenge bench-marks [22] from the early 1990s are now solved in seconds oncommodity PCs. Recently posted SAT benchmarks [60] takesomewhat longer to solve (minutes), but that is primarily due totheir enormous size (50 MB+ files, etc.). With the exception ofartificially constructed families of benchmarks, it appears thatSAT can be solved in polynomial time “for practical purposes.”It is well known that the dominant backtrack solvers, such asGRASP [50], CHAFF [45], and BerkMin [11] do not performwell on randomly created 3-SAT instances with clausesper variable [52]. However, such instances are not common inpractical applications because they have little structure. Therelative ease of structured instances from certain applicationswas explained [9], [47], and generic ways to exploit certaintypes of structure were proposed [2].

A. Difficult SAT Benchmarks

Our paper addresses both benchmarking and algorithmicaspects of SAT research. Given the excellent performance ofexisting SAT solvers, there is no room for improvement oneasy benchmarks, and we focus instead on difficult instances.Since the work of Haken and Urquhart [58] on lower boundsfor resolution and backtracking algorithms for SAT, severalinstance families have been known to require exponentialtime for Davis–Putnam [20] and Davis–Logemann–Loveland[21] (DP/DLL) solvers and their derivatives. For example, arecent lower bound for the pigeonhole problem is [7]where is the number of holes. The pigeonhole problem canbe quickly solved by induction, but the proof system behindbacktrack solvers (resolution) is rather restrictive and doesnot allow polynomial-sized proofs for pigeonhole instances.Short proofs without induction exist if the use of symmetryis allowed [32], [59]. Another family of difficult instanceswas constructed by Tseitin and Urquhart in terms of expandergraphs and, unlike the pigeonhole instances, can accommodateconsiderable randomness [57], [58]. Solving these instancestakes a long time using modern SAT solvers such as CHAFFand BerkMin (see Tables IV and V), but their relevance toapplication domains (e.g., electronic design automation (EDA)

0278-0070/03$17.00 © 2003 IEEE

1118 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 22, NO. 9, SEPTEMBER 2003

and software verification) is not clear. While lower bounds forSAT are often proven for unsatisfiable instances, it remains tobe seen whether practical satisfiable instances can be difficultfor the best solvers. To this end, the work in [1] contributedconstructions of artificial randomly generated difficult satisfi-able instances.

Our paper demonstrates EDA-related SAT instances, bothsatisfiable and unsatisfiable, that are very difficult for their size.Observe that an easy instance of any size can be made difficultby adding a small difficult instance to it and connecting the twoby inconsequential clauses to defeat partitioning.

B. Relevance of Graph Automorphism to SAT

Over many years, empirical algorithms research in many do-mains identified a number of fundamental problem formula-tions, such as Boolean satisfiability, and mustered significant ef-forts to solve them efficiently. State of the art is gauged by opti-mized solver implementations (“engines”). Performance break-throughs are often due to novel algorithmic ideas, leaner im-plementations, or the ability to apply a highly optimized enginein a novel way. In this paper, we observe that graph automor-phism engines can be applied to the satisfiability problem in cer-tain cases. Additionally, we think that there may be significantroom for future improvement given that: 1) the graph automor-phism problem is not thought to be NP-complete, thus, poten-tially easier than SAT and 2) much less new research was donein recent years on the analysis and design of high-performanceengines for graph automorphism (such work includes [40] and[44]). To be precise, in this paper, we will be dealing with thecolored variant of the graph automorphism problem that can beeasily extended to hypergraphs.

Besides complexity-theoretic connections between variantsof Boolean satisfiability, symmetries, and the hypergraph auto-morphism problem [4], [38], several pre-2000 publications sug-gested that “breaking symmetries” in conjunctive normal form(CNF) formulas can speed up SAT solvers [8], [13], [14], [18],[19], [40]. Symmetries of a CNF formula include clause-pre-serving permutations of variables. Such permutations may in-volve arbitrarily many variables at once, e.g., a complete cyclicshift. In this paper, we do not address permutations that changethe CNF formula but leave unchanged the Boolean function itrepresents.1 However, if such symmetries are found by othertechniques [30], our proposed methods can process them in thesame way as symmetries of the CNF formula. Similarly, manyof the publications we cite do not deal with symmetry extrac-tion, but rather assume that symmetries of the Boolean functionare given. Using this assumption, two main directions were ex-plored: 1) preprocessing the original CNF formula by addingsymmetry-breaking clauses that do not affect satisfiability butspeed up search [19] and 2) extending SAT solvers, particularlythose based on backtracking, to dynamically use symmetriesduring the search process [6], [14], [35], [48]. In this paper, wepursue the preprocessing approach due to its simplicity, but willoutline how our techniques can be applied within a backtrackingsolver for increased efficiency.

1Such permutations can be called “semantic” symmetries, in contrast withthe narrower class of “syntactic” symmetries that leave the CNF formula un-changed.

C. Empirical Efficiency Challenges

Most prior work on symmetries in SAT predates recent break-throughs in SAT solvers and typically uses several carefully con-structed instances to illustrate their approaches or do not showconvincing empirical results at all. For example, Crawfordetal. suggest in [19] that symmetry-based techniques allow thepigeonhole instances to be solved in polynomial time, but theirempirical data [19, Fig. 3] do not support this suggestion. In thecourse of more recent work [35], [54], specific families of CNFformulas with extremely high numbers of symmetries were suc-cessfully attacked. Yet, it remains unclear whether the perfor-mance of leading edge SAT solvers can be improved, via theuse of symmetries, on large CNF families of practical signif-icance. In principle, the overhead due to symmetry extractionand usage may outweigh the benefits, and it remains to be seenwhether useful CNF formulas have many symmetries. Pólya(1937), Erdös, and Rényi (1963) proved that a random graph on

vertices hasno symmetrieswith probability[5, p. 1461]. This claim can be extended to CNF formulas,

but structured real-world instances may have richer symmetries.Indeed, Boolean functions arising in the design of hardware sys-tems often have many symmetries [10], [30], and the overallnumber of functions of variables with nontrivial symmetriesgrows double, exponentially. On the other hand, for a functionwith exponentially many symmetries, trying to explicitly useall symmetries may defeat the purpose of speeding up search[19]. Despite these pitfalls, symmetry-based approaches havebeen useful in model checking [16], [24], [28], nonstandard SATsolvers [25], hardware verification [40], software verification[12], logic synthesis [10], [31] and DSP algorithms [23]. Someresearchers limited the notion of symmetry to swaps of variables[23] or subsets of variables [31] to achieve efficiency. Other au-thors [10], [48] limited the notion of symmetry to negations ofsingle variables or subsets of variables and referred to those re-stricted classes asautosymmetriesor phase-shift symmetries.

D. Our Contributions

In this paper, we study and fully automate a flow that startswith a CNF formula in the DIMACS format and finds all of itssymmetries within a very general class, including all permuta-tional symmetries, variable negations, and their compositions.In this flow, all symmetries are first captured implicitly, in termsof irredundant group generators, which always guarantees ex-ponential compression. The CNF formula is then preprocessedby adding symmetry-breaking clauses that do not affect satisfi-ability. A black-box SAT solver is subsequently applied to thepreprocessed CNF instance to produce the final answer; any sat-isfying assignment to this instance is (or corresponds to) a sat-isfying assignment of the original instance, and if the prepro-cessed instance is unsatisfiable then so is the original instance.The flow is illustrated in Fig. 1.

We propose new techniques for symmetry extraction and em-pirically compare them with previously proposed constructions.We also propose a novel construction of symmetry-breakingclauses, which is much more economical than that in [19]. Also,it directly applies to the compressed representation of all sym-metries in the format produced by graph-automorphism soft-ware [42], [43], [55], [56].

ALOUL et al.: SOLVING DIFFICULT INSTANCES OF BOOLEAN SATISFIABILITY 1119

Fig. 1. Preprocessing-based flow for symmetry breaking studied in this paper.Our construction of symmetry-breaking predicates improves upon that from[19].

Our empirical results show significant overall performanceimprovements on CNF instances arising in EDA applications,as well as on highly randomized, provably difficult Urquhartbenchmarks [58] that are related to Tseitin formulas [57] usedto prove lower bounds on the size of resolution proofs. Two ex-tensions are proposed to speed up symmetry extraction. One isopportunistic symmetry extraction, where only some symme-tries are found. The other extension pursues domain-specificsymmetries and leads to improvements of SAT formulationsby adding domain-specific symmetry-breaking clauses. Thus,generic symmetry extraction is avoided by creating symmetry-less SAT instances that can be solved quickly.

The remaining material is organized as follows. Symmetryextraction is described in Section II and symmetry-breaking inSection III. Section IV discusses constructions of SAT bench-marks. Our empirical results are presented in Section V and fur-ther extensions in Section VI. Section VII concludes our paperand discusses our future directions.

II. SYMMETRY EXTRACTION

In general, a symmetry of a discrete object is a reversibletransformation of its components that leaves the object un-changed. This can be taken as an informal definition, and morerigorous definitions will be given below for specific structures.Examples include permutations of graph vertices that mapedges into edges, rotations of a spatial solid, e.g., a cylinder,that preserve its shape, as well as the negation of the variable

in the Boolean formula , since the formula and the

function it represents are unaffected by this transformation. Thediscrete objects considered in our paper have only finitely manysymmetries. Unlike previous work in the field, we consider,extract, represent, and use several types of symmetries andtheir compositions, including permutational symmetries andvariable negations in CNF formulas, sometimes called “phasechanges” or “autosymmetries.”

A. Representing and Manipulating Symmetries

Every discrete object has at least one symmetry—the“do-nothing” permutation. It is easy to see that compositionof two symmetries is a symmetry, and that composition withthe do-nothing permutation does not change a symmetry.The composition of symmetries is associative, and everysymmetry has an inverse. However, the composition operationis often not commutative. An example is given by the sixpermutational symmetries of an equilateral triangle: 1) thedo-nothing symmetry; 2) three vertex swaps; and 3) two cyclicrotations—counterclockwise and clockwise.

Definition 2.1.1 (From Abstract Algebra):A group is a setwith a binary operation (“multiplication”) defined on it that hasthe following three properties:

• the operation is associative, i.e.,;

• there is aunit element such that;

• for every there is a uniqueinverse suchthat .

A subgroupis a subset of a group that is closed under the groupoperation (and is, therefore, a group itself).

For example, integers form a group with respect to the ad-dition operation (0 is the unit element) and positive rationalsform a group with respect to the multiplication operator (1/1is the unit element). Group Theory [26] is a major branch ofabstract algebra [27] and its development in the nineteenth cen-tury was motivated by groups of symmetries. Such diverse areasas the Galois theory describing solvability of polynomial equa-tions, the periodic table of chemical elements, and Special Rel-ativity involve analyses of groups of symmetries. In this paper,we will only deal with groups of symmetries whose elementscan be thought of as permutations of finite sets. This obviouslyrestricts us to finite groups. A permutation can be representedby cycles, e.g., (23)(567) represents a permutation on a set of atleast seven marks (elements). This permutation swaps marks 2and 3, cyclically permutes marks 5, 6, and 7 in that order, andleaves unchanged all other marks, e.g., 1 and 4.

Computational group theory (CGT), which started around1911, is one of the oldest and most developed branches of com-putational algebra [53]. The flourishing of CGT began in the1960s and great strides were made in the 1990s with the devel-opment of the GAP package (“Groups, Algebra and Program-ming”) [56]. A major source of efficiency in CGT comes fromthe notion ofirredundant sets of generatorsof a group.

Definition 2.1.2: A set of generatorsconsists of group ele-ments such that any other group element can be composed ofgenerators and their inverses. A generator isredundantif it canbe expressed in terms of other generators. Anirredundant setof generators,by definition, does not contain redundant gener-ators.


(Lagrange) Theorem 2.1.3 (from Elementary Group Theory)[26], [27]: The size of any subgroup of any finite groupmust divide the size of .

Corollary 2.1.4: For any group with elements, anyirredundant set of generators containsat most elements.

Proof: Observe that any proper subgroup must be at leasttwice as small compared to the group. Given a set ofirredun-dant generators , consider a chain of subgroupsfor , where is generated by . By con-struction, is a proper subgroup of , and as such mustbe at least twice as small. Therefore, the size of mustbe at least .

For example, the permutations on marks can be gener-ated by and or by . Thus,representing groups by sets of irredundant generatorsalwaysensures exponential compression. CGT provides efficient algo-rithms (due to Sims, Knuth, Babai, and others) for manipulatinggroups represented by sets of generators, without decompres-sion. Therefore, an intelligent algorithm for symmetry extrac-tion may return a small set of generators rather than list all sym-metries.

Definition 2.1.5: A mapping : between twogroups is ahomomorphismif and only if for any and

, we have , where and aregroup operations in and , respectively. A homomorphismfor which an inverse mapping exists that is also a homomor-phism, is called anisomorphism.If an isomorphism existsbetween and , the two groups are calledisomorphic.Anisomorphism of a group with itself is calledautomorphismofthat group and can be thought of as a symmetry of the group.

Automorphisms can be composed, and form a group underthis operation.

It is easy to see that if is a homomorphism, then. An isomorphism cannot map two different group ele-

ments to one. Additionally, the notion of isomorphism definesan equivalence relation and is useful to compare groups formallydefined over different sets. In simple terms, isomorphic groupshave “the same structure.” Therefore, when looking for a groupof symmetries of some objects, it may be convenient to find anisomorphic group instead. Since groups are often described bysets of generators, it is important to know that isomorphismspreserve such descriptions.

Theorem 2.1.6: Any group isomorphism maps sets of gener-ators to sets of generators, and maps irredundant sets of gener-ators to irredundant sets of generators.

Proof: If any element can be written as a productof elements of a generating set or their inverses

, then a homomorphism: will preserve suchexpressions in : . Sinceevery isomorphism has an inverse, any element canbe mapped back to , where its preimage can be decomposedinto a product and then mapped back to. This constructs adecomposition of into a product of the images of elements ofa generating set in and their inverses.

Now, consider a pair of sets of generators that are mapped toeach other by an isomorphism, they must have the same cardi-nality. Assume that one of them has a redundant element thatcan be expressed in terms of remaining elements. Since such anexpression is preserved by an isomorphism, the image of thiselement must be redundant in the other set of generators.

B. Colored Automorphism Problems

Combinatorial objects are commonly represented by graphs.Therefore, we study symmetries of graphs first.

Definition 2.2.1: Given two graphs, anisomorphismis a1-to-1 mapping between the vertex sets of the two graphs thatmaps edges to edges. Given a graph, asymmetry(also called anautomorphism) is a permutation of its vertices that maps edgesto edges. In the case of directed graphs, edge orientations mustbe preserved.

Definition 2.2.2: In the graphautomorphismproblem, oneseeks all symmetries of a given graph, e.g., in terms of groupgenerators. Thedecision versionof this problem tests for thepresence of nontrivial automorphisms.

It is known that all graphs, except for an exponentiallysmall family, haveno symmetries[5, p. 1461]. No generalworst-case polynomial-time algorithms are known for thisproblem, but it is commonly believed not to be NP-complete[33]. Polynomial-time algorithms are available in many specialcases [5, p. 1511], in particular for graphs of bounded degrees[37], [3]. Observe that graphs of bounded degree arise inmany practical applications because the objects involved (logicgates in VLSI chips, facts stored in knowledge bases, etc.)are interconnected sparsely. In contrast, Boolean Satisfiabilityinstances of bounded degree, e.g., 3-SAT, are known to beNP-complete and 3-SAT instances may be quite difficult inpractice even if every literal participates in only several clauses[52]. Generic algorithms for the graph automorphism problem[42] are based on linear-time partition refinement passes,followed by backtrack search. A simple version of partitionrefinement completes in three passes and does not requirefollow-up backtracking for all but an exponentially smallfamily of graphs [5, p. 1513]. However, exponential worst caseshave been constructed even for very sophisticated versions[42], both theoretically and empirically [44].

The graph automorphism problem may be constrained byvertex labels—symmetries must map each vertex into a vertexwith the same label. Label constraints are computationally easyand can be formally reduced to plain graph automorphism. La-bels are often expressed by integers and called colors (no re-lation to graph coloring). Another extension is to coloredhy-pergraphs—symmetries must map hyperedges to hyperedges(of the same cardinality because no two vertices can map toone). The colored hypergraph automorphism problem reducesto the colored graph automorphism via the bipartite graph of thehypergraph. This graph contains a vertex for each hypergraphvertex and hyperedge, and connects them with edges accordingto the hypergraph’s incidence relation. Graph vertices in the hy-peredge part are painted with a new color, and other verticesretain their original colors.

Brendan McKay implemented a practical algorithm for graphautomorphism [42] in a software package called NAUTY [43],which has been continually improved for the last 20 years.2

NAUTY has been integrated into the CGT system GAP [56]by means of the GRAPE package [55]. This integration enablesefficient group-theoretic operations on the results returned byNAUTY and facilitates some of our proposed algorithms. In

2NAUTY version 2.0 was released in 2001.


1998, Mankuet al. [40] claimed speed-ups over a pre-2.0 ver-sion of NAUTY in the context of hardware verification. How-ever, their code is not generic (built into a larger system) andis no longer supported. Finally, we observe that the run-time ofexisting graph automorphism programs, e.g., NAUTY, typicallyincreases with growing numbers of vertices and symmetry gen-erators found, but may decrease with growing numbers of vertexcolors and, sometimes, graph edges.

C. CNF Symmetries via Graph Automorphism

The problem of extracting symmetries of a CNF formula isreduced to the colored graph automorphism problem. The mainidea behind such reductions is to find a colored graph whosesymmetry group is isomorphic to the symmetry group of theCNF formula. Related constructions are described in [18] and[19] for permutational symmetries, and we draw upon them inour work. Consider a CNF formula with variables andclauses, of which, are binary and have two or more lit-erals (clauses with fewer than two literals can be removed bypreprocessing). In quotations, the word “theories” refers to CNFformulas. From [18, p. 3]:

Now consider reducing symmetry extraction to graphisomorphism. We show the mapping for propositional the-ories (…). First note that we can “type” the nodes in thegraphs, and only allow isomorphisms which preserve type(…), without increasing the difficulty of the isomorphismproblem. We use five types of nodes: nodes for positive lit-erals, nodes for negative literals,inversenodes, nodes forclauses andgoal nodes. We first link (the node for) eachliteral to an inverse node and then link this inverse nodeto (the node for) . These links ensure that any graph iso-morphism preserves negation. We then create a node foreach clause and link it to the literals appearing in the clause.These links force graph isomorphisms to map clauses toclauses. Finally, recall that we are required to find awhichmaps to . To force this we create two copies of the graphfor the theory. In the first we givethe typegoaland in thesecond we give the typegoal. This typing forces any iso-morphism between the two graphs to mapto . One canthen show that an isomorphism between the graphs existsif and only if the theory contains a simple symmetry map-ping to .The author then concludes that thedecision versionof the

CNF symmetry detection problem is polynomial-time solvableif the length of the longest clause and the number of occurrencesof the most common literal are bounded by a constant. That isbecause the degree of graph vertices is bounded by that constant,in which case, the graph automorphism problem is poly-timesolvable [5], [37]. If applied literally, the proposed constructiononly addresses symmetries that mapto for particular and, rather than arbitrary symmetries. In order to find even a single

nontrivial symmetry, one may need to traverse all pairs. Thus,no isomorphism of symmetry groups is claimed in [18], andno empirical results are reported. Additionally, we observe thatfor a formula with variables and clauses, this constructionproduces a graph with vertices. Given that run-timeof graph automorphism programs, e.g., NAUTY, grows super-

linearly in terms of the number of vertices, more economicalconstructions (see below) can significantly reduce run-time.

Despite being impractical, the construction from [18] was ap-parently the first to introduce fundamental elements, now usedby more competitive constructions, including ours. We empha-size as particularly important:

• the modeling of variables by pairs of positive-literal andnegative-literal vertices;

• the modeling of each clause by a vertex connected to re-spective literal vertices by edges;

• connecting positive- and negative-literal vertices to en-force Boolean consistency.

Additional useful elements were introduced in [19, p. 7]:

The input theory is converted into a graph such that theautomorphisms of the graph are exactly the symmetriesof the theory. This is done using the construction in[Crawford, 1992]. There are three “colors” of vertices inthis graph: vertices representing positive literals, thoserepresenting negative literals, and those representingclauses. Graph automorphisms are constrained to alwaysmap nodes to other nodes of the same color. We also addedges from each literal to each clause that it appears in.These edges (together with the node colorings) guaranteethat automorphisms of the graph are the symmetries of thetheory.Footnote 5: For efficiency we special-case binaryclauses by representing with a link directly from

to (instead of creating a node for the binary clauseand linking and to it). This is important becausesome of the instances we consider have a huge number ofbinary clauses and some of the algorithms that follow arequadratic, or worse, in the number of nodes.The reference [Crawford, 1992] in this quotation is the same

as reference [18] in our paper, but the construction appears dif-ferent from that cited above.3 In fact, this formulation seemsto omit the enforcement of Boolean consistency. This leads tothe generation of many spurious symmetries. For example, theformula ( ) has two symmetries: 1) the do-nothing sym-metry and 2) the transposition (). The graph built by the aboveprocedure has two positive-literal vertices, two negative-literalvertices and one clausal vertex connected to the positive-literalvertices by two edges. Since no negative literals are used, therespective vertices are disconnected and can be mapped to eachother even if positive-literal vertices are fixed. There are foursymmetries. One of them is the swap (transposition) ofandwith and fixed. It violates Boolean consistency. Notably, in[19], this construction is described in Section VII on empiricalresults, next to a discussion of pigeonhole and-queens bench-marks. However, it produces spurious symmetries even whenapplied to pigeonhole benchmarks, starting with hole-2.

On the positive side, this construction produces a graph withvertices—a marked improvement over [18]. We also

found very useful in practice the idea to model each binaryclause by one edge rather than by one vertex and two edges.The proposed construction can be corrected by adding, for each

3Both papers [18] and [19] are downloadable [Online] from http://cite-seer.nj.nec.com/cs and also from http://www.cirl.uoregon.edu/crawford/pa-pers/papers.html .


variable, a vertex of color 4 and connecting it to the positive-and negative-literal vertices for the same variable (these nodeswere calledinversenodes in [18]). We implemented this cor-rected version, and report empirical results for it. Similar to [18],the reduction from [19] and its corrected version cannot findphase-shift symmetries because it colors positive and negativeliterals with different colors.

In this paper, we propose several reductions of CNF sym-metry extraction to graph automorphism, all of which allowextracting phase-shift symmetries and their compositions withpermutational symmetries. One of our constructions produces

vertices and never finds spurious symmetries, but re-quires double edges that are not supported by the graph auto-morphism software NAUTY [43] used in our experiments. An-other proposed construction producesvertices and never finds spurious symmetries. The third con-struction produces vertices, is implementable withNAUTY, produces no spurious symmetries on our benchmarks,and allows a trivial check for spurious symmetries in general.Since this construction is often the fastest in practice, we char-acterize CNF formulas on which it produces spurious symme-tries and show how spurious symmetries can be removed.

We first preprocess a given CNF formula to remove anyclauses with fewer than two literals. If there is an empty clause,the formula is immediately declared unsatisfiable and thesearch for the symmetries of the formula becomes pointless. Ifthere are one-literal clauses, they can be eliminated in lineartime by repeatedly 1) recording implied truth assignments[clause implies , clause implies ]; 2)eliminating the one-literal clauses; 3) substituting the impliedvalues of relevant variables, thus eliminating the variables; and4) simplifying each affected clause independently. This processwill either prove the original formula satisfiable/unsatisfiable,or result in a smaller formula where every clause has at leasttwo literals.

Given a CNF formula where every clause contains at least twoliterals, we represent every variable by two vertices that corre-spond to its positive and negative literals. We represent everynonbinary clause by a single vertex, and connect that vertex tothe vertices representing literals in that clause. Binary clausesare represented by double edges connecting their respective lit-erals. Clausal vertices are painted color 1 and literal verticeswith color 2. Since vertices representing positive and negativeliterals in our graph are of the same color, we need to ensureBoolean consistency and mate vertices of opposite literals bysingle edges. Observe that no symmetry can map a single edge toa double edge, thus, there is no risk of mapping a Boolean con-sistency edge to a binary-clause edge. This construction resultsin a graph with vertices. It corrects the reduction from[19] without increasing vertex counts and has the added advan-tage of extracting phase-shift symmetries (subsets of negatedvariables, e.g., ) and their compositions with permuta-tional symmetries. We refer to this construction as 2EDGES.

Unfortunately, the graph automorphism program NAUTY[43] used in our experiments cannot represent double edges.Therefore, we must seek another mechanism to distinguishBoolean consistency edges from binary-clause edges. Astraightforward solution is to split every Boolean consistency

Fig. 2. CNF formula with three clauses—A, B, andC,—and three variablesis converted into a bicolored graph for symmetry extraction purposes. Thetwo-literal clauseC is represented by one edge (double-line) while largerclausesA and B are represented, each, by a vertex and three edges. Anysymmetry must mapC 7! C, and therefore, this instance has only onenontrivial symmetry(1�1)(2�3)(�23)(AB).

edge into two edges by an added vertex of color 3 (one peredge). Alternatively, we can split binary-clause edges, whichin some cases may be a better option. In fact, we can splitthe less numerous of the two types of edges, which yields

vertices. Because three colors areused, this construction is referred to as MIN3C.

A far less obvious solution isnot to make an explicit distinc-tion between the two types of edges, but represent both Booleanconsistency and binary clauses by single edges. Since we firstdescribed this construction at the 2002 Design Automation Con-ference, we refer to it as DAC’02. Fig. 2 shows an example. Ingeneral, there are vertices, but the analysis of this con-struction is far more complex than that of the constructions de-scribed above. However, our efforts are justified by the often-su-perior empirical performance of this construction. Before weproceed with formal results, let us articulate the correspondencebetween 1) the variables and clauses in a given CNF formula and2) the vertices and edges of the bicolored graph we build. Everyvariable corresponds to exactly two vertices of color 2. Everyvertex of color 2 corresponds to a variable, and every vertex ofcolor 1 corresponds to a clause. Every clause with more than twoliterals corresponds to a vertex of color 1, and every two-literalclause corresponds to an edge between two vertices of color 2.There are no edges connecting vertices of color 1, but everyvertex of color 2 is connected to that of its complement literalby an edge, and there can be edges connecting pairs of verticesof different colors.

Definition 2.3.1: A circular chain of implicationsover thevariables is a set of binary clauses equivalentto , wherefor each from , or .

Observe that the clause is equivalent toand also to . In terms of specific values, we

have and .For each , one of the two possible values of triggers animplication sequence, and, thus, unambiguously determines thevalues of all literals involved. In the remaining case, none ofthe variables assume the value that triggers an implication in thecircular chain. Therefore, a circular chain of implications allowsonly two satisfying solutions.

Theorem 2.3.2: Assume that a given CNF formula does notcontain a circular chain of implications over any subset of its


variables. Then, with respect to the proposed construction ofthe colored graph from a CNF formula, the symmetries of theformula correspond one-to-one to the symmetries of the graph.

The practicality of the assumption is discussed after Corollary2.3.4 as follows.

Proof: It is not hard to see that every permutational sym-metry of the initial formula (i.e., a permutation of variables thatmaps clauses to clauses) corresponds to a colored symmetry ofthe bicolored graph we built. Such a graph symmetry will mapvertices to vertices of the same color and edges to edges. Inparticular, if maps to , then maps to and the edgemaps to the edge . Edges between vertices of color 2 will al-ways map to edges between vertices of color 2, and the samecan be said about edges between vertices of different colors.Phase-shift symmetries of the original formula also correspondto colored graph symmetries. For example, will induce aswap between the verticesand , leaving the edge in placeand swapping any existing edgesand for a clausal vertex. An immediate consequence is that every composition of per-

mutational and phase-shift symmetries of the original formulacorrespond to a colored graph symmetry. For example, ifissymmetric to , then and so that the edge mapsto .

Our next observation is that given a colored graph sym-metry that corresponds to some CNF symmetry, we canalways uniquely reconstruct the CNF symmetry as long asthe correspondence between variables and vertices of color 2is available. This is also shown by first considering purelypermutational symmetries, then phase-shift symmetries, andthen their compositions. A graph symmetry that correspondsto a permutational CNF symmetry must map positive-literalvertices to other such. Therefore, we can restrict the graphsymmetry to this subset of vertices, thus producing a permuta-tion of CNF variables. A graph symmetry that corresponds to aphase-shift CNF symmetry must either preserve a given literalvertex or map it to the complement-literal vertex, preservingthe edge between them. Therefore, a list of positive-literalvertices that are not preserved uniquely identifies a phase-shiftCNF symmetry. To reconstruct a CNF symmetry that is acomposition of permutations and phase-shifts, we distinguish1) positive-literal vertices that map to positive-literal verticesfrom 2) positive-literal vertices that map to negative-literal ver-tices. In each case, a given CNF variable is mapped to anothervariable, possibly with a follow-up negation. By ignoring thefollow-up negations, we reconstruct the purely permutationalcomponent of the CNF symmetry. The phase-shift component,i.e., variables to be negated before the permutation is applied,can be reconstructed by listing positive-literal vertices that mapto negative-literal vertices.4

Perhaps, the least trivial property of the proposed reductionto graph automorphism is that every colored symmetry of thegraph corresponds to a symmetry of the original formula. Toprove this, we show that the reconstruction procedure from theprevious paragraph can be successfully applied to any coloredgraph symmetry. A vertex permutation is a colored symmetry

4If one should perform negationsafter the permutation is applied, then thenegative-literal vertices that map to positive-literal vertices should be listed.

if and only if 1) vertices are mapped to vertices of the samecolor and 2) edges are mapped to edges. This is consistent withCNF symmetries’ mapping variables to variables and clauseswith more than two literals to such clauses. However, it is moredifficult to prove Boolean consistency, i.e.,

, where and areliterals. This is easy in the absence of2-literal clauses because all edges connecting vertices of color2 are Boolean consistency edges of the form. Since everysuch edge can only map to another such edge, leaveno choice for but to map to because is the only edgethat connects to another vertex of color 2. This simple proofalso applies if the two-literal clauses are represented by vertices,rather than by edges as in Fig. 2.

The difficulty in the general case is due to our modeling oftwo-literal clauses by edges that connect vertices of color 2.Such edges may potentially map to Boolean consistency edges,and our task is to prove such a mapping impossible.

We first present the following lemma.Lemma 2.3.3:Let be a perfect matching on

a finite vertex set and let its edges be colored red. Letbe some graph on . Let its edges be colored

green, where . Let be the graph onformed by taking the disjoint union of edge setsand . In

other words, , where .If has no cycles with edges of alternating colors, thenevery

automorphism of mustpreserve the color of every edge.Proof: Suppose is an automorphism of under which,

w.l.o.g., a red edge maps to a green edge. Since the rededges form a perfect matching, the green edgemust shareeach of its end points with exactly one red edge. Let these beand , respectively. Since maps to , there must be two dis-tinct edges, each of which sharesexactlyone end point with ,to map into and under . Furthermore, these two edgesmust be green edges, since red edges cannot share end pointswith other red edges. Call these edgesand . We now havetwo paths of alternating colors, and . An edge in is the

-image (of opposite color) of the corresponding edge in

and must share their other end points (that are not sharedwith ) with two red edges, say and . In turn, images of

and must be green edges and extending from theterminals of the path . In effect, we have extended pathsand to

Repeating the foregoing argument forand and continuingin this manner, we can “grow” paths of alternating colors

and

By the finiteness of , one of the paths must eventually closeon itself (when the two edges extending the current path turn out


to be the same). This will give us a cycle of alternating colors,thus contradicting the hypothesis.

The proof of Theorem 2.3.2 is concluded as follows. Considerthe graph representationof a CNF formula that includesonlythe vertices representing literals, Boolean consistency edges,and edges representing binary clauses. (We do not consider ver-tices representing nonbinary clauses and edges connecting lit-eral vertices to them since we have already shown that they donot produce spurious symmetries). In this graph, Boolean con-sistency edges correspond to the red edges in Lemma 2.2.3, andbinary clause edges correspond to the green edges. It is clear thatthe Boolean consistency edges form a perfect matching, sincethey cover all vertices, and each vertex is covered by exactlyone edge.

Finally, we observe that a cycle of alternating edges in theabove graph corresponds to a circular chain of implicationsin the CNF formula. A cycle of alternating edges is equivalentto the following clauses:

Since any clause of the form is true, we can eliminate allsuch clauses, and the resulting formula is the following circularchain of implications:

We have, thus, proved that a spurious symmetry (mapping aclausal edge to a Boolean consistency edge) is possibleif andonly if a circular chain of implications exists. This is a contra-diction.

The 2 EDGES reduction avoids spurious symmetries alto-gether by connecting positive-literal vertices to negative-literalvertices with double edges.

Theorem 2.3.4: Under the assumption of Theorem 2.3.2, thesymmetry groups of the CNF formula and the bicolored graphare isomorphic.

Since a one-to-one homomorphism must be an isomor-phism, one only needs to verify that the one-to-one mappingconstructed in the proof of Theorem 2.3.2 is a homomorphism.

Corollary 2.3.5: Under the assumption of Theorem 2.3.2,sets of symmetry generators of the bicolored graph correspondone-to-one to sets of symmetry generators of the CNF formula.

In terms of practicality, we observe that failure of the assump-tion in Theorems 2.3.2 and 2.3.4 implies that in every satisfyingassignment, the variables involved in the circular chain of impli-cations can assume one of two different sets of values (models).We illustrate this by using the CNF formula ,which allows only two models (000 and 111) but has six sym-metries (do-nothing, two three-cycles, and three variable swapscombined with negation of all variables). Yet, the graph pro-duced by our construction is a hexagon having 12 symmetries(the so-calleddihedral group [26], [27]). Half of those arespurious as explained in Fig. 3.

From the practical standpoint, we note the following.

• Circular chains of implications do not arise in standardSAT models from many application domains. For ex-ample, they do not appear in equivalence checking of

Fig. 3. Illustration of spurious symmetries: A CNF formula and its graph.Boolean consistency edges are shown by double lines, but are indistinguishablefrom other edges by graph automorphism software NAUTY which cannothandle double-edges. Therefore, the graph has 12 symmetries: 6 rotationsand 6 axial flips. Only 6 of them—3 rotations and 3 flips—preserve Booleanconsistency edges and correspond to symmetries of the CNF formula. Theremaining 6 symmetries are spurious (the first three spurious symmetriesshown are rotations and the remaining three are axial flips).

combinational circuits because combinational circuits aredirected acyclic graphs.

• The presence of circular chains of implications does notinvalidate our construction. As can be seen from the proofof Theorem 2.3.2, the only potential problem is spuriousgraph symmetries that do not correspond to any CNF sym-metries. Since any application of Theorem 2.3.2 must con-vert symmetry generators returned by a graph automor-phism problem into CNF symmetries, any spurious sym-metry generators can be identified with minimal compu-tational effort and minimal programming overhead.

• If some, but not all, symmetry generators are spurious,the nonspurious generators are still useful for symmetrybreaking, while spurious generators can be discarded (thisapproach may not be ideal because spurious symmetriescan generate nonspurious ones).

• Since the product of nonspurious symmetries cannot bespurious, there can be no spurious symmetries at all if noneof the symmetry generators are spurious. In other words,if spurious symmetries exist, at least one generator mustbe spurious.

• Once a spurious symmetry generator is found, a circularchain of implications can be identified in linear time alongthe lines of analysis in the proof of Theorem 2.3.2. Sinceevery circular chain of implications implies two sets ofvalues for variables involved, circular chains of implica-tions can beremovedby introducing one Boolean variableto represent the two sets of values (old variables get elim-inated).

• In applications where many spurious symmetries are ex-pected and can slow down symmetry extraction, circularchains of implications can be identified in linear timebe-fore symmetry extraction, using depth-first search on a di-rected graph of binary clauses.

While the correctness of representing binary clauses withedges (Theorem 2.3.2) appears much harder to prove comparedto the correctness of graph reductions proposed earlier, ourconstruction reduces the number of vertices in the graph by thenumber of binary clauses in the CNF instance. Application-de-rived CNF instances typically have a significant proportion ofbinary clauses, and our construction DAC’02 leads to nontrivialrun-time savings in practice. Table I summarizes the mainproperties of various reductions of CNF symmetry extraction


TABLE ICOMPARING REDUCTIONS OFCNF SYMMETRY EXTRACTION TO GRAPH AUTOMORPHISM. V IS THENUMBER OFVARIABLES IN THE ORIGINAL CNF INSTANCE,C

IS THE NUMBER OF CLAUSES, C IS THE NUMBER OF BINARY CLAUSES, C = C � C . THE 2� EDGES REDUCTION IS NOT PRACTICAL WITH

NAUTY BECAUSE NAUTY DOES NOT SUPPORTDOUBLE EDGES IN GRAPHS. CNF INSTANCES FORWHICH THE DAC’02 REDUCTION

FINDS SPURIOUSSYMMETRIES ARE CHARACTERIZED IN THEOREM 2.3.2

to graph automorphism. Additionally, we empirically compareMIN3C, DAC’02, the reduction from [19], and a correctedversion of that reduction. In the corrected version, to ensureBoolean consistency, we add one extra node of color 4 for eachvariable and two edges connecting that node to the positive andnegative literals of that variable.

Our testbed includes five sets of difficult benchmarks withnontrivial symmetries:

1) the hole-n benchmark set, available within the DIMACScollection [22];

2) randomized benchmarks Urq proposed by Urquhart [58],based on parity checks and expander graphs;

3) randomized benchmarks grout derived in this paper in thecontext of global grid-based routing for VLSI;

4) benchmarks FPGA derived in this paper in the context ofdetailed routing for field-programmable gate arrays;

5) recent benchmarks from the microprocessor verificationdomain [60].

Descriptions of all benchmark sets except for the Urq and mi-croprocessor verification sets are given in Section IV. Our im-plementation of symmetry extraction uses the program NAUTY[43] version 2.0, shipped with the GAP package [56] version 4,release 3. Table II compares sizes of graphs produced by fourconstructions. We make the following observations.

• Because all of our benchmarks contain more binaryclauses than variables, MIN3C generates exactly as manyvertices and edges as the corrected version of the reduc-tion from [19]. However, MIN3C produces one color lessand extracts phase-shift symmetries.

• Graphs produced by MIN3C always have more verticesthan those produced by DAC’02.

• DAC’02 and [19] produce graphs with the same numbersof vertices, but DAC’02 generates more edges because itensures Boolean consistency.

Table III compares symmetry extraction run-time and therounded number of symmetries (sizes of symmetry groups)discovered with each reduction. All run-times are recorded ona Linux workstation with a 1.2-GHz AMD Athlon and 1 GB ofDDR RAM.

Several entries of the table with sizes of symmetry groups canbe verified independently. For example, the number of symme-

tries in hole-n benchmarks is because the symmetrygroup is the Cartesian product of (holes can be permutedarbitrarily) and (pigeons can be permuted arbitrarily). For

, this yields 203 212 800, which rounds off to . Fur-thermore, we make the following observations.

• Except for the second (Urq) and the last (microprocessorverification) benchmark sets, the reduction from [19] pro-duces more symmetries than other reductions. This is be-cause it does not enforce Boolean consistency, and findsspurious symmetries. Urq benchmarks do not have permu-tational symmetries, as checked by the corrected versionof [19]. The reduction from [19] cannot extract phase-shiftsymmetries.

• Except for the second and the last benchmark sets, thereductions MIN3C, DAC’02, and corrected [19] find thesame numbers of symmetries. In particular, those threereductions produce correct numbers of symmetries forhole-n instances. This is consistent with the reductionfrom [19] being erroneous, as it discovers many spurioussymmetries. In fact, the uncorrected [19] does not finishwithin the specified time limit on the FPGA instances,probably because it detects large numbers of spurioussymmetries.

• Except for the second (Urq) benchmark set, the run-timesof MIN3C and corrected [19] are comparable. This is ex-pected because they generate equal numbers of verticesand edges, differing only in the number of colors. The run-times for Urq benchmarks are different because MIN3Cleads to the discovery of more symmetries.

• DAC’02 is generally the fastest reduction. No other reduc-tion generates fewer vertices, and DAC’02 does not dis-cover any spurious symmetries on given benchmarks asits results always agree with MIN3C.

We explicitly verified that the symmetries discovered byMIN3C and DAC’02, but not by the two versions of [19],are phase-shift symmetries and their compositions with per-mutational symmetries. An implementation of the DAC’02reduction is available in our software package Shatter that tar-gets symmetry extraction and symmetry breaking for SAT. Thispackage can be downloaded from http://gigascale.org/book-shelf/Slots/shatter/ .


TABLE IICOMPARISON OFREDUCTIONS IN TERMS OFSIZES OFGRAPHSPRODUCED

III. SYMMETRY BREAKING

Symmetries induce equivalence classes on the set of truth as-signments (in group theory, they are calledorbits). Specifically,given a satisfying (unsatisfying) truth assignment, all other truthassignments to which it can be mapped by symmetries, mustalso be satisfying (unsatisfying). Therefore, for a complete SATsolver it suffices to reason about one representative from eachsuch class. This restriction can be implemented by selectingunique representatives from every equivalence class and addingclauses that are only satisfied by those representatives. Anearlier construction of such symmetry-breaking clauses [19] isbased on a given ordering of variables. Its main ideas are 1) toorder all elements from the solution space lexicographicallyand 2) to select the lexicographically smallest element fromeach equivalence class as its representative.

A. Previous Work

The lex-leader symmetry-breaking predicates describedby Crawford et al. in [19] are built for a given group ofpermutational symmetries. Such predicates are conjunctionsof smaller predicates for individual symmetries. Below, letbe the number of variables and be the lex-leader sym-metry-breaking predicate for the group. Boolean variables

are traversed according to the original ordering

(1)

(2)

(3)

Example: Consider the formula, from [19]. This formula has two symmetries, and the

do-nothing symmetry. We compute for ac-cording to the equations above.

For in (3), the null predicate istrue. Also, since , we have .

For , .For , .

and are tautologies, therefore, we haveas the symmetry-breaking predicate for this

formula. Computing these predicates for the do-nothing for-mula also results in a set of tautologies which can be removedby simplification. However, we note here thatno generalsimplification procedureis discussed in [19], so any lex-leaderpredicates derived from the equations above would have to beexplicitly pruned to resolve tautologies. The constructions wepropose require no simplification and use fewer clauses thanthe construction from [19] without simplification.

Theorem 3.1.1 [19]: For a group acting on truth assign-ments, the truth assignments that satisfy are the lexi-cographically smallest representatives from each class of truthassignments that can be mapped to each other by symmetriesfrom .


TABLE IIICOMPARISON OFREDUCTIONS IN TERMS OF SYMMETRY EXTRACTION RUNTIME AND ROUNDED NUMBERS OF DISCOVERED

SYMMETRIES. RUNTIMES ARE IN SECONDS ON A1.2-GHZ AMD A THLON WITH LINUX

Each is then expressed in the CNF form usingauxiliary variables

(4)

Due to clauses of growing size, CNF expressions for eachhave literals, which may be prohibitively expen-

sive even for one permutation with say, 9000 variables (seeTable IV). Also, for different may contain redundantclauses. To prune redundant clauses, the authors propose theconcept of a symmetry tree, but it does not always prevent re-dundant clauses and is itself not always prunable to polynomialsize [19].5

The need for more efficient, and also partial sym-metry-breaking has been understood for some time [19], [39],[41], but no satisfactory generic approaches have been proposedthat can be fully automated. In a recent paper [39], Luks andRoy show that, even for an Abelian (commutative) symmetrygroup and a given ordering of variables, full lex-leader sym-metry-breaking predicates can be exponentially large. Thisdrawback can be avoided by reordering variables, which allowspolynomial-sized full lex-leader symmetry-breaking predicatesfor Abelian symmetry groups. However, the construction in

5In the special case of the symmetry groupS , according to [19], thesymmetry-breaking predicate produced using a symmetry tree has size�(n ).Techniques proposed in our paper generate a linear-sized predicate.

[39] is not practical and is rather used for an existence proof.Also, it does not address non-Abelian groups.

B. Using Symmetry Generators

In this paper, we explore partial symmetry breaking, i.e., wedo not require that symmetry-breaking predicates be satisfiedby lex-leaders only (but we do require that all lex-leaders satisfysymmetry-breaking predicates). Like other authors, we computesymmetry-breaking clauses on a per-symmetry basis, but con-sider only irredundant sets of symmetry generators (returned bygraph automorphism programs), and not the entire symmetrygroup . This idea was used in [19] in the context of pigeonholeinstances. By breaking generator symmetries only, one doesnot necessarily break all symmetries. However, one can oftenachieve significant pruning because an irredundant set of gener-ators contains “maximally independent” symmetries—none ofthem can be expressed in terms of others. The following ex-ample suggested to us by Eugene Goldberg of Cadence BerkeleyLabs shows that symmetry-breaking by generators is not com-plete in some cases.

Consider a formula with four Boolean variables, , ,and that can be permuted arbitrarily, e.g., .The symmetry group, , can be given by the two generators

and . Assume that, in each equiva-lence class of truth assignments under those symmetries, we se-lect the lexicographically smallest element with respect to theoriginal order of variables, i.e., is the most significant bit.The Boolean cube is split into five equivalence classes by the


TABLE IVCHAFF RUN-TIME ON ORIGINAL SAT INSTANCESIS COMPARED TO THECOMBINED RUN-TIME OF SYMMETRY EXTRACTION AND CHAFF ON INSTANCES WITH

SYMMETRY-BREAKING CLAUSES ADDED. THE RIGHTMOST COLUMN ALSO SHOWS PURE SEARCH SPEED-UP (THAT DOESNOT TAKE SYMMETRY EXTRACTION

INTO ACCOUNT). THE FULL NAME OF BENCHMARK 2DLX_CA_MC IS 2DLX_CA_MC_EX_BP_F. THE NUMBERS OFSYMMETRY GENERATORS AND

MAX CYCLES USED PER GENERATOR (10 OR ALL) ARE SHOWN. THE BENCHMARKS WE GENERATED FORTHESE EXPERIMENTS

ARE AVAILABLE AT HTTP ://GIGASCALE.ORG/BOOKSHELF/SLOTS/SATBENCH

action of because the number of 1’s in truth assignmentsis invariant under permutational symmetries. In particular, theequivalence class of the truth assignment 0101 has six elements,and the smallest element is 0011. However, if we build sym-metry-breaking predicates using and only, 0101 will sat-isfy them because and

. Thus, such symmetry-breaking predicates selectmore than one representative from some equivalence classes.Moreover, conjoining symmetry-breaking predicates forpowersof generators does not help in this case because ,

, , and .Interestingly, for the symmetry group , GAP/GRAPE/

NAUTY do not produce the two generators used in the above

example. They produce the following set of three generators:(12), (23), and (34). Our construction proposed below generatesthe symmetry-breaking clauses , , and

, which admit only five truth assignments: 0000,0001, 0011, 0111, and 1111—one from each equivalence classunder . This analysis shows that the particular choice of irre-dundant generating sets is important for symmetry-breaking. Inour experience, GAP/GRAPE/NAUTY often produce “lucky”sets of generators that lead to fuller symmetry breaking. Ourfuture research will attempt to explain why that is happening.

As shown by our experiments in Section V below, symmetrybreaking by generators offers an attractive tradeoff betweeneffective pruning and small overhead. However, we would


like to articulate an important pitfall in this direction. Firstly,adding symmetry-breaking predicates should not change thesatisfiability of the original CNF instance. This is ensured bythe fact that symmetry-breaking predicates are satisfied byat least one truth assignment from each class of symmetrictruth assignments. The lex-leader predicates described aboveare satisfied by lexicographically smallest truth assignmentsbecause all are. The pitfall lies in the possibility toconjoin symmetry-breaking predicates that are satisfied bynonlex-leader representatives of classes of symmetric truthassignments. A conjunction of such predicates may be unsat-isfiable and, thus, unusable as a symmetry-breaking predicate.Therefore, in this paper, we adhere to lex-leader predicates.

C. Using Cycles of Permutations

Our construction is formulated in terms of cycles of a permu-tation. This is convenient because the output of graph automor-phism programs is expressed in cycle notation. We observe thatin overwhelmingly many instances all generators have two cy-cles only. Even in rare cases when three cycles were present, twocycles dominated by far. Another important observation aboutthe output of graph automorphism programs is that collectionsof two cycles returned on the output are sorted according to thegiven variable ordering. Therefore, we can apply the Crawfordconstruction in (2) and (3) to individual cycles and further opti-mize it for two cycles. In particular, for the variable swapthe construction in [19] produces one additional variable and sixsymmetry-breaking clauses. Our construction below producesonly one clause.

Single Cycles:First, observe that if the cycle is a sym-metry, whenever there is a satisfying assignment with ,

, there should be a symmetric (equivalent) satisfying as-signment with , and other variables unchanged. Toallow only the first assignment, we add the symmetry-breakingclause , which can also be interpreted as . Simi-larly, to “break” a cycle of length three , we add

, i.e., . To make sure that the lexicographicallysmallest representatives of symmetric truth assignments satisfyour predicates, one has to choose an ordering of all variablesat the beginning, and always use thesign consistently withthat ordering. When , we get the cycle and it canbe broken in two ways. In terms of the original CNF instance,the value of can be fixed arbitrarily, and this can be expressedby a single one-literal symmetry-breaking clause: or .The construction in [19] does not address such phase-shift sym-metries and never results in one-literal clauses. Our paper ad-dresses arbitrary compositions of phase-shift and permutationalsymmetries.

In general, longer cycles require more complex symmetry-breaking clauses, but apparently one can always improve on theconstruction from [19]. A particular difficulty with cycles oflength is that they cannot, in general, be ordered accordingto a given ordering of variables. For example, the cycle (1324)can be written as (3241), (2413), or (4132), but none of theserepresentations are ordered. Therefore, we are not consideringlonger cycles in this paper (and they do not appear useful forsymmetry breaking on our benchmarks).

Multiple Cycles: While single-literal symmetry-breakingclauses are most efficient (they reduce the solution space by50%), they are associated with variables whose values donot affect satisfiability. After such variables are found andeliminated, other symmetries may remain. Indeed, we canproduce symmetry-breaking clauses from any one two cycle orthree-cycle of any symmetry. Yet, clauses of the formachieve no pruning when . A key idea in that case, similarto that in [19], is to process another cycle, but only if .In fact, this is similar to (3), except that we now operate oncycles and do not need to involveall variables, which candramatically reduce the size of symmetry-breaking clauses.Specifically, when building a symmetry-breaking predicatefor the symmetry , we first add , then

, then , etc. Inthe spirit of (4), we introduce one additional variable per cycleto indicate the equality of all variables in the cycle. A sampleclause with new variables looks like .This construction is given only for permutations with two andthree cycles.

Both (3) and our construction essentially perform a lexico-graphic comparison between the tested truth assignment and itssymmetric image. The former operates on bits; the latter on cy-cles. In practice, this often leads to very large reductions in thenumber of generated clauses. As a result of the bitwise compar-ison, lexicographically smallest truth assignments are identifiedif single-bit comparisons are performed according to the globalordering of variables. However, in the context of cyclewise com-parison, the situation is more complex. We only assert that alexicographic comparison is performed when 1) each cycle is atwo cycle; 2) each cycle is ordered according to the global or-dering of variables; and 3) cycles are ordered lexicographically(which is equivalent to ordering them by the first element sincethey must be disjoint). Any chain of two cycles can be broughtto this form by sorting.

Theorem 3.3.1: Consider an arbitrary single permutationconsisting of two cycles only. Apply the proposed constructionof symmetry-breaking predicates, including the sorting of cy-cles and elements within each cycle. All resulting CNF clausesare satisfied by lexicographically smallest representatives ofclasses of truth assignments that are symmetric under the givenpermutation. No other truth assignments satisfy all of thoseclauses.

Proof: Note that variables not involved in any cycles canbe skipped during a lexicographic comparison of a truth assign-ment to its image under the given permutation. Our constructionskips such variables. The rest of the proof employs inductionon the number of cycles. In the base case , the lex-icographic comparison always returns true, and no clauses aregenerated. For an added cycle where precedes, we notethat the clause , also known as , lexicographicallycompares the partial assignmentsand . In other words, thetest checks that the value ofin the current truth assign-ment is to the value of in the symmetric assignment. If thevalues are different, the overall comparison is finished. Other-wise, the comparison shifts to the least variable unseen before(which may be ordered before or after) and its image underthe permutation. This corresponds to considering the next twocycle. We would like to articulate that our construction does not


require variables in two cycles to be pairwise-adjacent in thevariable ordering.

Since the square of the permutation is the identity, the classesof symmetric truth assignments consist of one or two elementsonly. The clauses we consider are satisfied by a given assign-ment if and only if (by construction) the image of this assign-ment is not lexicographically smaller than the assignment itself.Therefore, all clauses are satisfied by 1) one-element classes and2) the smaller elements of all two-element classes.

In our experiments, most generators returned by graph auto-morphism software consist of two cycles only. For rare bench-marks, some generators have small numbers of cycles of otherlengths, typically three-cycles. It turns out that three-cycles canbe ignored without violating the correctness of the symmetry-breaking procedure.

Theorem 3.3.2: Consider a single permutation having 1) cy-cles of length two, 2) cycles of odd lengths, and no other cycles.If the proposed construction of symmetry-breaking clauses isapplied to two cycles only, the resulting clauses must be satis-fied by all lex-leader truth assignments, and potentially othertruth assignments.

Proof: Consider the product (or the least common mul-tiple) of all odd cycle lengths. Theth power of the given per-mutation has the same two cycles, but no other cycles. Sinceit is also a symmetry, Theorem 3.3.1 applies. Moreover, anylex-leader truth assignment with respect to the original permu-tation (i.e., cannot be improved by applying the permutation orits powers) is also a lex-leader with respect to theth power.

D. Further Improvements

In practice, the run-time for constructing symmetry-breakingclauses is often dwarfed by symmetry extraction run-time.Yet, with every cycle processed, we add larger and largerclauses. Large clauses that do not affect satisfiability rarelyimprove run-time of SAT solvers, so we optionally limitsymmetry-breaking clauses to the first ten cycles of everysymmetry. For the price of incomplete symmetry extraction,this technique considerably reduces the overhead of sym-metry-breaking clauses. Based on Theorem 3.3.1, we make thefollowing observation.

Observation 3.4.1: Consider a variant of the proposed con-struction of symmetry-breaking predicates (SBPs) for permu-tations with two cycles only. After cycles are sorted, only thefirst cycles are considered and the remaining cycles ignored.The clauses produced by this reduced construction are all satis-fied by lex-leader truth assignments, but other truth assignmentsmay satisfy those clauses. Choosing two cycles at random maylead to inconsistent SBPs.

The reduced construction achieves less pruning than the fullconstruction using all cycles, but its overhead is smaller. In ourexperiments, the reduced construction performed better. To fur-ther reduce overhead, a backtrack SAT solver can dynamicallycheck for conditions of the form .However, this paper discusses only preprocessing methods.

IV. DIFFICULT SAT INSTANCES

Thepigeonhole principleasserts that pigeons cannot beassigned to holes as long as 1) two pigeons are not assigned to

(a) (b)

Fig. 4. Construction of difficult SAT instances. (a) Two switchboxes incommon FPGA architectures and (b) similarN -by-M switchboxes are used tobuild hard satisfiable instances. Four connections are sought betweena, b, c,andd ande, f , g, andh in (a). Crosses correspond to input connections matedto channels, and every solid dot indicates the absence of a link.

the same hole and 2) every pigeon must be assigned to one hole.These constraints can be expressed in terms of Booleanvariables: is interpreted as the indicator of assignment of pi-geon to hole . The first family of clauses consists of

mutual exclusions , . The secondfamily consists of -literal clauses —one forevery pigeon . The pigeonhole principle then asserts that thosetwo families of clauses cannot be satisfied simultaneously. How-ever, its easy proof by induction is beyond the capabilities ofbacktrack SAT-solvers that typically operate within the resolu-tion proof system.

The pigeonhole instances hole-n described above are prov-ably difficult for backtrack SAT solvers tied to resolution [7]and empirically difficult for the leading-edge implementationCHAFF as shown in Table IV. However, they are often treatedas artificial in the EDA literature. Below, we derive equivalentinstances from the domain of detailed routingfor FPGAs and generalize them in two ways: (un-satisfiable) and (satisfiable). We also give random-ized constructions of difficult global routing instances grout.

A. FPGA Routing Instances

The pigeonhole principle is directly related to routing becauseit can be interpreted as the impossibility of routing connec-tions through channels. As one can imagine, trying to make

connections through channels is typical for FPGA routing,and in some cases . We encode such instances in terms of

FPGA switchboxes that mate input connections tochannels. A switchbox can connect any given input to any onechannel, but no two inputs can be connected to the same channel,and every input must be connected to some channel. The state ofan FPGA switchbox is described by an matrix of binaryvariables and, similar to the encoding of the pigeonhole prin-ciple above, is subject to two families of constraints. These con-straints are violated if and only if there are fewer channels thaninputs. We put two switchboxes on both sides of a batch of

channels, which produces variables (see [46] for detailsof SAT formulations). Fig. 4(a), which illustrates our construc-tion, shows two 4 3 FPGA switchboxes connected to threehorizontal channels. Four connections are sought between 1),, , and on the left and 2) , , , and on the right. Crosses

represent input connections mated to channels, and every dot in-dicates the absence of a link. Empirical results in Table IV areshown for six routing configurations (chnl) in which one triesto route (a) 11, 12, or 13 connections through ten tracks, and(b) 12, 13, or 20 connections through 11 tracks. These instancesare extremely difficult for the leading-edge SAT solver CHAFF[45] and also have many symmetries. They can appear as subin-


TABLE VRUN-TIME OF THE BERKMIN (VERSION56), SATZ, AND JERUSAT SOLVERS [11], [34], [29], ON SAMPLE SAT INSTANCES: ORIGINAL AND WITH

SYMMETRY-BREAKING PREDICATESADDED

stances in larger routing instances, and such subinstances maybe difficult to find.

From the benchmarking point of view, it is natural to expectunsatisfiableinstances among the most difficult to solve. In-deed, randomized restarts used by CHAFF [45] typically allowit to avoid difficult regions of the search space and to quicklyfind satisfying solutions if they exist. However, our secondconstruction is designed to create difficultsatisfiableinstancesthat trap even the best solvers in hopeless regions of theirsolution space for a long time before a satisfying solution canbe found. The main idea is to create a satisfiable instance witha large number of hard-to-avoid unsatisfiable subinstances. Ifthe number of unsatisfiable branches is much larger than thenumber of satisfiable branches, then random restart will keepon jumping from one unsatisfiable branch to another for a longtime. Solvers without random restarts also will need to provethe unsatisfiability of many branches.

Our second construction produces routing a number of wiresthrough four FPGA switchboxes of the type used in the firstconstruction. The rightmost switchbox in the configuration inFig. 4(b) has several redundant outgoing tracks that are dividedinto two channels. Each channel is connected to a smallerswitchbox with an insufficient number of outgoing tracks. Thetwo groups of tracks that leave the smaller switchboxes areconnected to the leftmost switchbox. When routing connec-tions through tracks right to left, connections must be splitbetween switchboxes subject to the throughput constraints ofswitchboxes. However, to an SAT solver, the throughput con-straints are obscured by the pigeonhole principle. SAT solversfirst partition the connections between the two channels andbacktrack from every partition that does not lead to a satisfyingassignment. If the capacities of the two channels leading tothe smaller switchboxes are greater than the throughput ofthose switchboxes, an overwhelming majority of partitions willlead to unsatisfiable pigeonhole instances. On average, at leastseveral such instances must be solved before a good partition isfound. Empirical results for these satisfiable instances (FPGA)in Table IV show that they are difficult for CHAFF. We observethat these instances become harder when the difference betweenthe throughput of the small switchboxes and the capacities ofthe channels that lead to them is increased. This is consistentwith our observations for the unsatisfiable instances.Conceivably, some SAT-solvers may order variables related tothe leftmost switchbox first and find satisfying assignmentsfaster than CHAFF. This is consistent with our empirical datafor the BerkMin solver [11] in Table V. However, the config-

Fig. 5. Construction of difficult SAT instances (global routing).

uration of switchboxes in Fig. 4(b) can be further modified togenerate more difficult benchmarks. Specifically, one can addthree new switchboxes on the left which are copies of existingthree switchboxes on the right. The overall configuration willthen be symmetric about the vertical axis passing through thecurrently leftmost switchbox in Fig. 4(b).

B. Global Routing Instances

We propose a new construction of difficult randomizedsatis-fiable instances unrelated to pigeonholes. They express routingtwo-pin connections in a grid with edge-capacity constraints.To ensure that an instance is satisfiable but difficult, we userandomized flooding. Namely, we create a routing configura-tion by adding shortest possible routes while unused routing re-sources (edge capacities) remain. Shortest routes are created bybreadth-first-search between pairs of randomly chosen grid cellsor, if that fails, by finding a maximal shortest route starting ata given grid cell with unused routing resources. After a routingconfiguration is created, routes are erased and their end-pointsare used to formulate an SAT instance.

Our SAT encoding of routing instances has two components.One deals withroute definitionand captures possible ways toroute each connection. The other addressescapacity constraintsand restricts the number of connections that can be routed acrossa grid cell boundary.

Route Definition Constraints:Routes are specified in termsof edges across cell boundaries in a grid. For each connection,we consider routing tracks across each cell boundary on thegrid. In the SAT formulation, each track (for a given connec-tion) is treated as a variable. Fig. 5(a) illustrates routing tracksin a 3 3 grid. Consider a two-terminal connection fromto

. Horizontal tracks for connectionare labeled , whereand are the row and column indices of the cell whose boundarythe track crosses. Vertical tracks are labeled . In Fig. 5(a),let the points marked and be the terminals of some two-ter-minal connection. The SAT formulation proceeds as follows.


For every connection, we add groups of clauses correspondingto individual grid cells.

For each of the two terminals, we add a clause consisting ofpositive literals of variables of all tracks to which the terminalcan connect. For example, we add the clause forthe terminal marked in Fig. 5(a) because any route for thisconnection must pass through or . In the general case,we also need to add [binary] mutual exclusion clauses ensuringthat only one of the incident tracks is actually taken. For theterminal , this produces only one clause . For theterminal , this produces three clauses

.We now consider every grid cell other than the terminals. Ei-

ther noneor two of its boundary edges must be selected. Thisis enforced as follows. Observe that a given cell may have two,three, or four boundaries with tracks passing through them. Onlytwo track variables, label them and , are involved when“corner” grid cells are considered. In this case, we add clauses

. In the case of three or four track variables(“border” grid cells or “internal” grid cells, respectively), weadd two types of clauses. First, for every variable, we addthe constraint , which can be captured by oneclause and says that if one boundary edge is se-lected, then another must be selected as well. The second typeof clauses prohibits selecting three or four boundary edges. Inthe case of three variables, , and , we add .For four variables , , , and , we add

As an illustration, we apply this procedure to the grid cell(1,2) in Fig. 5(a) and produce

The correctness of the general construction can be proven bythe following argument. First, any given connection, interpretedas a truth assignment, satisfies those constraints. Now assume anarbitrary satisfying assignment and show that, topologically, itis a valid connection. Start at a terminal. Exactly one track mustbe taken toward a neighboring grid cell. If that cell is a terminal,we are done. Else, exactly one track must be taken to a cell notvisited before. The same argument shows that if a partial routeis not completed, it can be extended by one track. Since there isonly a finite number of grid cells, the route must be completedsooner or later.

When the layout is notobstructed, the above construction canbe applied to all grid cells in an arbitrary order. However, if sometracks are removed or if certain grid cells are not available forrouting, some grid cells may be unreachable from the terminals.Since no routes can pass through unreachable grid cells, theycan be ignored when an SAT instance is constructed. We per-form this optimization by traversing grid cells by a breadth-firstsearch. Once a terminal is enqueued, our algorithm enters aloop that dequeues one grid cell, marks it visited, adds relevantclauses, and enqueues unvisited adjacent grid cells. The algo-rithm finishes when the queue is empty. If the other terminalwas not visited in the process, no routes connect the two termi-nals.

Capacity Constraints:Each edge of a grid cell boundary hasa capacity associated with it to restrict the number of connec-tions that can be routed through it. The capacity limits are in-tended to prevent routing congestion. Ifis the capacity limitfor an edge of a grid cell, we include variables per edge foreach connection. In other words, each connection can be routedthrough one of the tracks across a cell boundary as shown inFig. 5(b).

Consider two connectionsand . Consider horizontal tracksfor each connection , and for some row and column. Let and be the extra

variables introduced in the SAT formulation for the horizontaltrack in question. Then clearly, for any ,

, and also . Clauses ofthis form are added to the SAT instance. Another restriction isthat a route cannot pass through two tracks in the same channel(the edge of a grid cell), i.e., if for some, , if

is true, then for all , , , .These clauses are also added. Finally, two connections cannotbe routed through the same track, i.e., for all, ,

for all , where represents another con-nection.

We created ten routing configurations by randomly floodinga 3 3 routing grid with connections subject to edge capacityconstraints of 3. Then we applied the SAT encoding above. Thedifficulty of these randomly generated benchmarks varies, andwe only report empirical results for the five most difficult in-stances (grout in Table IV).

V. EFFECT OFBREAKING SYMMETRIES

Our computational experiments were performed on PCs with1.2-GHz AMD Athlon processors and 1 GB of RAM. All codeswere compiled with g++ 2.95.4 -O3 and ran on Debian Linux.The SAT solver used was CHAFF (MCHAFF version) [45].In addition to the instances described in Section IV ( andFPGA) and (grout), Table IV lists six standard pigeonhole in-stances (hole), five families of artificially constructed random-ized Urquhart benchmarks (Urq) [58], and seven recent bench-marks from the microprocessor verification domain [60].

CHAFF run-times in Table IV are averages of 20 independentstarts because CHAFF uses randomization internally and resultsof different runs may vary significantly. All runs not completedin 1000 s were aborted and did not contribute to averages. Thepercent of time-outs is shown for each instance.

To extract symmetries from a CNF formula, we convert itinto a colored graph as outlined in Section II. Those graphsare subsequently processed by the NAUTY program [42], [43].For each run, the result is a list of permutation generators ofthe group of symmetries, specified by their cycles. For eachSAT instance, Table IV lists NAUTY run-time in seconds ex-cluding I/O, the total number of symmetries and the numberof permutation generators. Those symmetry-extraction imple-mentations are deterministic and are not affected by reorderingof vertices in the input graph. For some benchmarks, we builtsymmetry-breaking clauses for only ten cycles per symmetry.The first ten cycles typically capture most of the speed-up pro-vided by “breaking” a given symmetry. After new clauses wereadded, the preprocessed CNF instance was solved with CHAFF.


(a) (b)

Fig. 6. Plots of symmetry extraction time againstC � n and Chaff run-time againstC � n for pigeonhole instances (wheren is the number of holes).

Table IV lists CHAFF run-times for each instance. BecauseCHAFF run-time on a given instance fluctuates from run to run,we report the averages of 20 independent runs for each instance.Preprocessed CNFs never timed out in our experiments.

The last column in Table IV shows the relative speed-upratios due to the use of symmetry-breaking clauses. For a givenCNF instance, the first number is the ratio of 1) the CHAFFrun-time on original instance and 2) the total run-time of sym-metry extraction and CHAFF on preprocessed instances. Thesecond number is produced similarly, except that symmetryextraction run-time is ignored. This is the maximal possiblespeed-up if symmetries are found instantaneously or providedas domain-specific knowledge. We make the following obser-vations.

1) The proposed SAT instances are only a fraction of the sizeof recent microprocessor verification benchmarks [60],but are more difficult to solve.

2) Some difficult SAT instances have astronomical num-bers of symmetries; this includes the randomized Urq andgrout benchmarks.

3) Symmetry-breaking clauses often speed-up the best avail-able SAT solver CHAFF [45].

4) Symmetry-breaking clauses typically do not slow downCHAFF and often speed it up, even when few symmetriesare present.

5) Either CHAFF or symmetry extraction may be a bottle-neck.

6) Among the instances, the hardest to solve was therouting of 20 connections through 11 tracks. Addingextra unrouted connections consistently increased diffi-culty. That is somewhat counterintuitive.

Not to limit our results to a single SAT-solver (CHAFF), weran similar experiments with the BerkMin (version 56), Satz,and Jerusat solvers [11], [29], [34]. Representative results are

shown in Table V where solver run-times are compared withand without symmetry-breaking predicates added. BerkMinsolves the grout, FPGA, and microprocessor verificationbenchmark sets faster than CHAFF, but other benchmark setsare harder for BerkMin. JeruSAT solves the Urq benchmarksfaster than both BerkMin and CHAFF, and is also fasterthan CHAFF on the grout instances. Satz is slower than allthree other solvers on these benchmarks. Symmetry-breakingreduces run-time in most cases, for all solvers. In similarexperiments with GRASP [50], all of our benchmarks aresolved faster with the help of symmetry-breaking predicates,even if symmetry-extraction time is charged for.

Additionally, to support our claim that some families of SATinstances can be solved in polynomial time with symmetrybreaking, we present the data in Fig. 6, which shows run-timesfor symmetry extraction (GAP) and SAT solving (CHAFF) oninstances of the pigeonhole problem, plotted against a polyno-mial function of the number of holes (scaled by a constant).Fig. 6(a) shows GAP run-times (solid line) against(dashed line), for some constant . Fig. 6(b) shows CHAFFrun-times (solid line) against . (dashed line), whereis the number of holes in a particular instance of the pigeonholeproblem. The figure indicates that both symmetry-extractionand SAT solving run-times appear to exhibit polynomialgrowth.

VI. OPPORTUNISTICSYMMETRY EXTRACTION

The use of symmetry-breaking clauses does not require ex-tractingall symmetries. In fact, an algorithm that does not guar-antee extracting all symmetries may finish sooner. Some sym-metries may be found using domain-specific knowledge, andthen symmetry-breaking clauses can be added during the cre-ation of SAT instances.


Fig. 7. Window-based opportunistic symmetry extraction for a CNF instancewith ten variables and four clauses. Vertical dashed lines capture the window towhich search for symmetries is limited. Each clause that includes literals fromboth within and beyond the window are represented by vertices of unique colors(dashed boxes). Symmetries are only allowed to permute vertices within thecurrent window, therefore, vertices and edges beyond the current window arenot included in the graph for window-based symmetry extraction. This reducesthe size of graph automorphism problems.

A. Window-Based Symmetry Extraction

We observed that a variable would sometimes be symmetricto another variable connected by a clause (one hop) or througha chain of two clauses (two hops). When this is not true for allsymmetries of a CNF formula, many symmetries may be com-posable from permutation generators of that kind. We, there-fore, focus on “local” symmetries that permute small subsets ofvariables and fix all other variables.6 We define the subsets bysliding a window of fixed size along a given linear ordering ofthe variables—either the original variable ordering of the CNFformula or the connectivity-based MINCE ordering [2]. For awindow, we consider the left and right cuts, as in Fig. 7. To findsymmetries local to a given window, the standard constructionof colored graph is applied to clauses and literals that are entirelyinside the window. Eachcut clauseis represented by a vertex ofa unique color that is connected to literals inside the window.Vertices beyond the current window are ignored. To argue thatthe proposed construction is correct, i.e., does not add spurioussymmetries, we consider the followingrecoloringprocess.

Definition 6.1.1: Given a colored graph and a subset ofits vertices, change the color of each vertex into a uniquecolor—one new color per vertex. This process is calledrecol-oring of a given set of vertices.The following lemma showshow to restrict the set of symmetries of a colored graph. Thiscan be done, e.g., with the purpose of accelerating symmetryextraction for the price of losing some symmetries.

Lemma 6.1.2: Given a colored graph, consider an arbi-trary recoloring of an arbitrarily-chosen subset of its vertices.Call the resulting graph . Then the following claims hold.

a) Every symmetry of is a symmetry of , and must mapeach recolored vertex to itself;

6The complexity of such a restricted version of the graph automorphismproblem was studied in [36].

b) Symmetries of form a subgroup in the group of sym-metries ;7

c) The choice of new (unique) colors does not affect the sym-metry group .

While reducing the number of symmetries can, in principle,be consistent with smaller symmetry extraction run-times, mostgraph automorphism programs are most sensitive to the numberof vertices in the input graph rather than to the number of sym-metries. The following lemma shows how to reduce the vertexset of the graph in the context of Lemma 6.1.2.

Lemma 6.1.3: Given a colored graph, consider an arbi-trary recoloring of an arbitrarily-chosen subset of its vertices.Call the recolored graph . Consider a nonempty subsetof recolored vertices such that each of them is adjacent to recol-ored vertices only (if such a subset exists). Remove all vertices in

from together with all incident edges. Then, the symme-tries of the remaining colored graph are in one-to-one cor-respondence with the symmetries of, in fact the two groupsof symmetries are isomorphic.

Proof: Every symmetry of maps every vertex fromto itself by Lemma 6.1.2(a). Therefore, every such symmetrygives rise to a symmetry of . Vice versa, every symmetryof can be unambiguously extended to a symmetry ofby mapping every vertex from to itself. This constructionrestores every symmetry of mapped to a symmetry of .

Lemma 6.1.3 reduces the number of vertices under the as-sumption that set exists—the larger , the greater the re-duction. Constructively finding remains an open problem.

Lemma 6.1.4: Given a colored graph and an arbitraryedge-cut in it, pick one of the partitions and recolor all verticesin it. Then the set of vertices in that partition that are not incidentto any edges in the cut can play the role of setin Lemma 6.1.3.

Observe that colored graph from Lemma 6.1.3 may stillcontain a large number of recolored vertices. This may be unde-sirable because the total number of vertices in is limited bythe scalability of available symmetry extraction software, andnontrivial symmetries of do not involve recolored vertices.Indeed, recolored vertices are included into the vertex set of

, thus, potentially slowing down symmetry extraction pro-grams or at least increasing memory usage.8 Therefore, this con-struction can be improved by minimizing the number of verticesincident to cut edges, e.g., by minimizing the size of the cut it-self.

Another concern about restricting symmetry extraction alongthe lines of Lemmas 6.1.2–6.1.4 is that one should apply it sev-eral times, with different sets of vertices recolored. This waymore symmetries can be extracted. Indeed, if the size ofis limited by a constant, then the number of calls to symmetryextraction software should grow at least linearly so that everyvertex in be “given an opportunity” to map elsewhere.

The concerns mentioned above can be addressed in the con-text of window-based symmetry extraction. We first order CNFvariables by representing the CNF as a hypergraph (clausescorrespond to hyperedges) and heuristically finding a min-cut

7This subgroup is thestabilizer[26], [27] of the set of recolored vertices inthe symmetry group ofG.

8NAUTY maintains the input graph in a dense adjacency matrix.


TABLE VIRESULTS FORWINDOW-BASED SYMMETRY EXTRACTION. LABELING IS IDENTICAL TO THAT OF TABLE IV. TYPICALLY ALL OR A LARGE

FRACTION OF ALL SYMMETRIES ARE DISCOVERED, COMPARED TODATA IN TABLE IV

linear arrangement of those vertices using recursive balancedbisection [2]. We then consider cuts along the resulting variableordering, and those cuts are relatively small by construction.Note that cuts in Lemma 6.1.4 correspond to pairs of cuts ina given variable ordering as shown by vertical dashed lines inFig. 7. Furthermore, in window-based symmetry extractiononly clausal vertices can be recolored, therefore, min-cut lineararrangement naturally minimizes the number of recoloredvertices.

We concatenate lists of permutation generators producedfor different windows, consider the group generated by allthose and use GAP [56] to produce an irredundant list ofgenerators of this “global” group. Symmetry-breaking clausesare constructed from those generators. Observe that whenapplying symmetry extraction to a given window, we can onlyfind symmetries that permute variables in that window only.Therefore, potentially more symmetries can be found if win-dows are allowed to overlap. On the other hand, if overlaps areallowed some symmetries may be found in multiple windows.Thus, producing symmetry-breaking clauses independentlyfrom each window and concatenating them may cause consid-erable redundancy. This is why we call GAP if windows areallowed to overlap. The tradeoff between run-time, incompletesymmetry extraction and redundancy among windows dependson their overlap. Similarly, the window size affects the tradeoffbetween run time and incomplete symmetry extraction. Weobserve good empirical performance with windows of size1000. Results in Table VI show that our window-based tech-nique found all or a significant portion of all symmetries forthe microprocessor verification benchmarks [60] in a fractionof the run time spent by complete symmetry extraction If arandomized variable ordering is used, one could combine localpermutation generators found for different orderings.

B. Improving SAT Formulations

One way to reduce the run-time of symmetry extraction is tolearn how to extract (or predict) symmetries from domain-spe-cific knowledge. Given the well-understood structure and sym-metries of the hole, , and FPGA benchmarks, we evalu-ated this approach on (randomized) grout benchmarks. We no-ticed that permuted variables in many cases correspond to neigh-boring tracks, e.g., if two connections are routed in parallelthrough several grid cells, there is considerable freedom (sym-metry) in track assignment. To break this symmetry, we added

clauses that preserve the relative order of tracks taken by everypair of connections routed through the same two edges of agrid cell. In other words, if one connection is routed throughtrack 2 when entering the cell, and another connection is routedthrough track 3 when entering the cell, then the connectionsare allowed to leave the cell through tracks 2 and 3, respec-tively, 1 and 2 respectively, or 1 and 3 respectively. Such con-straints speed-up CHAFF: each grout instance is now solvedin 0.50–0.80 s versus 19–45 s. More dramatic speed-ups areachieved for grout instances built with larger routing grids. Evenif we apply symmetry extraction to modified instances, it com-pletes much faster than on original instances because no symme-tries are found. It may also be possible to add domain-specificsymmetry-breaking clauses to SAT instances from [60] and im-prove CHAFF run-time according to results in Table IV.

VII. CONCLUSION

Our paper addresses solving difficult instances of Boolean(CNF) satisfiability that exhibit structural symmetries. Whilethe utility of our approach on easy instances is not clear at thismoment, the difficulty of domain-specific classes of CNF-SATinstances is often known, and adequate SAT algorithms can bechosen. Otherwise, several SAT solvers can be executed in par-allel until one of them finishes. On a single processor, this maybuy exponential speed-ups at the cost of a constant-factor slow-down. Therefore, our focus on difficult instances is well justi-fied. Additionally, our experiments identify a number of difficultinstances whose difficulty is apparently due to symmetries andthe redundant search caused by them.

We describe an automated flow that finds symmetries ingiven CNF instances and uses them to speed up the SATsearch. This flow includes symmetry extraction, preprocessingof given CNF instances, and an application of an existingstate-of-art SAT solver. When compared to the SAT solveralone, applied to given CNF instances without preprocessing,our flow dramatically speeds up the solution of two well-knownprovably difficult benchmark families—pigeonhole problemsand Urquhart benchmarks. Notably, methods proposed in aprevious work [19] cannot find any nontrivial symmetries inUrquhart (Urq) benchmarks.

We offer constructions of realistic satisfiable and unsatisfi-able SAT instances, arising in routing applications, that are un-usually difficult for their size. Unlike most existing SAT bench-


marks, our benchmark families enable studies of the asymptoticperformance of SAT solvers.

Since symmetry extraction is a bottleneck, we speed it upusing opportunistic approaches. In one, we only look for sym-metries that permute small groups of variables, determined bysliding a fixed-sized window along a given variable ordering.The second approach attempts to improve the construction ofSAT instances by identifying symmetries in domain-specificterms. We find astronomically many symmetries in randomizedUrq and grout benchmarks. This refutes a conventional-wisdomargument claiming that significant randomization destroys sym-metries. We explain symmetries in grout benchmarks and breakthem using domain-specific knowledge.

Our proposed flow does not require source code modifica-tions in SAT solvers and should work with most backtrack SATsolvers. We successfully validated our flow with CHAFF [45],BerkMin [11], Satz [34] and JeruSAT [29] solvers. Experimentsperformed with publicly available versions of WalkSAT [51]indicate that symmetry-breaking clauses do not improve run-times, and even make them worse. This was observed by othersand is the focus of ongoing work by Preswitch [49] as well asKautz and Selman.

We stress that the proposed flow may not be useful on SATbenchmarks that 1) are easy or 2) do not have symmetries. Manydifficult SAT instances do not have symmetries [17]. On theother hand, many DIMACS benchmarks [22] have large num-bers of symmetries, but are easy and can be solved faster thantheir symmetries can be found by existing methods.

Our ongoing research seeks: 1) faster symmetry extraction,e.g., via incomplete algorithms; 2) finding [some] semanticsymmetries that are not necessarily syntactic; 3) more efficientconstructions of symmetry-breaking clauses; and 4) the use ofpartial/conditional symmetries. The latter were already shownuseful in BDD-based model checking [24], SAT-solvers basedon backtracking [14], [35] and more general constraint-satis-faction solvers [6].

ACKNOWLEDGMENT

The authors wish to thank S. V. Lokam of the ElectricalEngineering and Computer Science Department, University ofMichigan, Ann Arbor, for Lemma 2.3.3.

REFERENCES

[1] D. Achlioptas, C. P. Gomes, H. A. Kautz, and B. Selman, “Generatingsatisfiable problem instances,” inProc. AAAI, 2000, pp. 256–261.

[2] F. Aloul, I. Markov, and K. Sakallah, “Faster SAT and smaller BDD’s viacommon structure,” inProc. Int. Conf. Computer-Aided Design, 2001,pp. 443–448.

[3] L. Babai and E. M. Luks, “Canonical labeling of graphs,” inProc. Symp.Theory Comput., 1983, pp. 171–183.

[4] L. Babai, R. Beals, and P. Takácsi-Nagy, “Symmetry and complexity,”in Proc. Symp. Theory Comp., 1992, pp. 438–449.

[5] L. Babai, “Automorphism groups, isomorphism, reconstruction,” inHandbook of Combinatorics, R. L. Graham, M. Grötschel, and L.Lovász, Eds. Cambridge, MA: MIT Press, 1995, vol. 2, ch. 27, pp.1447–1541.

[6] R. Backofen and S. Will, “Excluding symmetries in constraint-basedsearch,” inProc. Int. Conf. Principles and Practice Constraint Pro-gram., vol. 1713, Lecture Notes in Computer Science, 1999, pp. 73–87.

[7] P. Beame, R. Karp, T. Pitassi, and M. Saks, “The efficiency of resolutionand Davis-Putnam procedure,” SIAM J. Comput., vol. 31, no. 4, pp.1048–1075, to be published.

[8] B. Benhamou and L. Sais, “Tractability through symmetries in propo-sitional calculus,”J. Automation Reasoning, vol. 12, no. 1, pp. 89–102,1994.

[9] C. Berman, “Circuit width, register allocation, and ordered binary de-cision diagrams,”IEEE Trans. Computer-Aided Design, vol. 10, pp.1059–1066, Aug. 1991.

[10] A. Bernasconi, V. Ciriani, F. Luccio, and L. Pagli, “Fast three-level logicminimization based on autosymmetry,” inProc. Design AutomationConf., 2002, pp. 425–430.

[11] E. Goldberg and Y. Novikov, “BerkMin: A fast and robust SAT solver,”in Proc. Design, Automation Test Eur., 2002, pp. 142–149.

[12] D. Bosnacki, D. Dams, and L. Holenderski, “A heuristic for symmetryreductions with scalarsets,” inProc. Int. Symp. Formal Methods for In-creasing Software Productivity, Lecture Notes in Computer Science,2001, pp. 518–533.

[13] L. Brisoux, E. Gregoire, and L. Sais, “Improving backtrack search forSAT by means of redundancy,” inProc. Int. Symp. Foundations Intell.Syst., Warsaw, Poland, 1999, pp. 301–309.

[14] C. A. Brown, L. Finkelstein, and P. W. Purdom, “Backtrack searchingin the presence of symmetry,” inProc. 6th Int. Conf. Applied Algebra,Algebraic Algorithms and Error Correcting Codes, T. Mora, Ed., 1988,pp. 99–110.

[15] V. Chvatal and E. Szemeredi, “Many hard examples for resolution,”J.ACM, vol. 35, no. 4, pp. 759–768, 1988.

[16] E. M. Clarkeet al., “Symmetry reductions in model checking,” inProc.Int. Conf. Computer-Aided Verification, A. J. Hu and M. Y. Vardi, Eds.,1998, pp. 159–171.

[17] S. A. Cook and D. G. Mitchell, “Finding hard instances of the satisfi-ability problem: A survey,” inSatisfiability Problem: Theory and Ap-plications, 1997, vol. 25, DIMACS Series in Discr. Math. and Theor.Comp. Sci, pp. 1–17.

[18] J. Crawford, “A theoretical analysis of reasoning by symmetry in first-order logic,” in Proc. AAAI Workshop Tractable Reasoning, 10th Nat.Conf. Artif. Intell., San Jose, CA, 1992.

[19] J. Crawford, M. Ginsberg, E. Luks, and A. Roy, “Symmetry-breakingpredicates for search problems,” inProc. 5th Int. Conf. PrinciplesKnowledge Representation Reasoning, Cambridge, MA, 1996, pp.148–159.

[20] M. Davis and H. Putnam, “A computing procedure for quantificationtheory,”J. ACM, vol. 7, no. 3, pp. 201–215, 1960.

[21] M. Davis, G. Logemann, and D. Loveland, “A machine program fortheorem proving,”J. ACM, vol. 7, no. 5, pp. 394–397, 1962.

[22] DIMACS Boolean Satisfiability Challenge Benchmarks [Online]. Avail-able: ftp://dimacs.rutgers.edu/pub/challenge/sat/benchmarks/cnf

[23] C. A. J. van Eijk, E. T. A. F. Jacobs, B. Mesman, and A. H. Timmer,“Identification and exploration of symmetries in DSP algorithms,” inProc. Design Automation Test in Eur., Mar. 1999, pp. 602–608.

[24] E. A. Emerson and R. J. Trefler, “From asymmetry to full symmetry:New techniques for symmetry reduction in model checking,” inProf.Conf. Correct Hardware Design and Verification Methods, vol. 1703,Lecture Notes on Comp. Sci., 1999, pp. 142–156.

[25] E. Goldberg, “Testing satisfiability of CNF formulas by computing astable set of points,” in Proc. CADE, July 2002, pp. 161–180.

[26] M. Hall Jr.,The Theory of Groups. New York: Macmillan, 1959.[27] T. W. Hungerford, “Algebra,” inGraduate Texts in Mathematics. New

York: Springer-Verlag, 1973, vol. 73.[28] C. N. Ip and D. L. Dill, “Better verification through symmetry,”Proc.

Formal Methods Syst. Design, vol. 9, no. 1–2, pp. 41–75, 1996.[29] A. Nadel. JeruSAT Satisfiability Solver. [Online]. Available:

http://www.geocities.com/alikn78/[30] V. Kravets and K. Sakallah, “Generalized symmetries of boolean func-

tions,” in Proc. Int. Conf. Computer-Aided Design, 2000, pp. 526–532.[31] , “Constructive library-aware synthesis using symmetries,” inProc.

Int. Conf. Design Automation Test Eur., 2001, pp. 208–213.[32] B. Krishnamurthy, “Short proofs for tricky formulas,”Acta Informatica,

vol. 22, pp. 327–337, 1985.[33] J. Köbler, U. Schöning, and J. Torán, “Graph isomorphism is low for

PP,”Computat. Complex., vol. 2, no. 4, pp. 301–330, 1992.[34] C. M. Li and Anbulagan, “Look-ahead versus look-back for satisfiability

problems,” inProc. 3rd Int. Conf. Principles Practice Constraint Pro-gram., LNCS 1330, Schloss Hagenberg, Austria, 1997, pp. 342–356.

[35] C. M. Li, B. Jurkowiak, and P. W. Purdom, “Integrating symmetrybreaking into a DLL procedure,” inIntl. Symp. on Boolean Satisfiability(SAT), Cincinnatti, OH, 2002, pp. 149–155.

[36] A. Lozano and V. Raghavan, “On the Complexity of Moving Verticesin a Graph,” Univ. Politéchnica de Catalunya, Barcelona, Spain, LSI-98–30-R, 1998.


[37] E. Luks, “Isomorphism of graphs of bounded valence can be tested inpolynomial time,” Proc. IEEE Symp. Foundations Comput. Sci., pp.42–49, 1980.

[38] , “Hypergraph isomorphism and structural equivalence of booleanfunctions,” inProc. Symp. Theory Comput., 1999, pp. 652–658.

[39] E. Luks and A. Roy, “Symmetry breaking in constraint satisfaction,” inProc. Int. Conf. Artif. Intell. Math., Ft. Lauderdale, Florida, Jan 2–4,2002.

[40] G. S. Manku, R. Hojati, and R. Brayton, “Structural symmetry andmodel checking,” inProc. Int. Conf. Computer-Aided Verification,1998, pp. 159–171.

[41] I. McDonald and B. Smith, “Partial Symmetry Breaking,”,APES-49–2002, 2002.

[42] B. D. McKay, “Practical graph isomorphism,” inProc. Congressus Nu-merantium, vol. 30, 1981, pp. 45–87.

[43] , “Nauty User’s Guide,” Comput. Sci. Dept., Australian Nat. Univ.,Canberra, TR-CS-90–02, 1.5 ed., 1990.

[44] T. Miyazaki, “The complexity of Mckay’s canonical labeling algo-rithm,” in Proc. Groups Computat. II , Workshop Groups Computat.,DIMACS Series on Discrete Math. Theor. Comput. Sci., L. Finkelsteinand W. M. Kantor, Eds., 1996.

[45] M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik, “CHAFF:Engineering an efficient SAT solver,” inProc. Design Automation Conf.,2001, pp. 530–535.

[46] G. Nam, F. Aloul, K. Sakallah, and R. Rutenbar, “A comparative studyof two boolean formulations of FPGA detailed routing constraints,” inProc. Int. Conf. Physical Design, 2001, pp. 222–227.

[47] M. Prasad, P. Chong, and K. Keutzer, “Why is ATPG easy?,” inProc.Design Automation Conf., 1999, pp. 22–28.

[48] M. Prasad, E. Goldberg, and R. Brayton, “Using problem symmetry insearch based satisfiabiliy problems,” inProc. Design Automation TestEur., 2002, pp. 134–142.

[49] S. Preswitch, “Supersymmetric modeling for local search,” in Proc.SymCon, Sept. 2002.

[50] J. P. M. Silva and K. A. Sakallah, “GRASP: A new search algorithm forsatisfiability,” IEEE Trans. Comput., vol. 48, pp. 506–521, May 1999.

[51] B. Selman, H. A. Kautz, and B. Cohen, “Noise strategies for improvinglocal search,” inProc. Nat. Conf. Artif. Intell., 1994, pp. 337–343.

[52] B. Selman, D. Mitchell, and H. Levesque, “Generating hard satisfiabilityproblems,”Artif. Intell., vol. 81, no. 1–2, pp. 17–29, 1996.

[53] A. Seress, “An introduction to computational group theory,”NoticesAmer. Math. Soc., vol. 44, no. 6, pp. 671–679, 1997.

[54] B. M. Smith, K. E. Petrie, and I. P. Gent, “Models and SymmetryBreaking for Peaceable Armies of Queens,”, APES-50–2002, 2002.

[55] L. H. Soicher, “GRAPE: A system for computing with graphs andgroups,” inGroups and Computation, L. Finkelstein and W. M. Kantor,Eds., 1993, vol. 11, DIMACS Ser. in Discr. Math. Theor. Comp. Sci.,pp. 287–291.

[56] E. L. Spitznagel, “Review of mathematical software, GAP,”NoticesAmer. Math. Soc., vol. 41, no. 7, pp. 780–782, 1994.

[57] G. S. Tseitin, “On the complexity of derivation in propositional cal-culus,” inStudies in Constructive Mathematics and Mathematical Logic,Part 2. New York–London: Consultants Bureau, 1968, pp. 115–125.

[58] A. Urquhart, “Hard examples for resolution,”J. ACM, vol. 24, no. 1, pp.209–219, 1987.

[59] , The Symmetry Rule in Propositional Logic, 1996.[60] M. N. Velev and R. E. Bryant, “Effective use of boolean satisfiability

procedures in the formal verification of superscalar and VLIW micro-processors,” inProc. Design Automation Conf., 2001, pp. 226–231.

Fadi A. Aloul (S’02) received the B.S. degree inelectrical engineering (summa cum laude) fromLawrence Technological University, Southfield, MI,in 1997 and the M.S. and Ph.D. degrees in computerscience and engineering from the University ofMichigan, Ann Arbor, in 1999 and 2003, respec-tively.

He is currently a Post-Doc Research Fellow at theUniversity of Michigan. His research interests are inthe areas of computer-aided design, verification, andBoolean satisfiability.

Dr. Aloul is currently the AV Chair of the 2003 International Workshop onLogic Synthesis (IWLS). He is also serving on the technical committee of theInternational Workshop on Logic Synthesis, the International Conference onTheory and Applications of Satisfiability Testing, and the International Work-shop on Soft Constraints. He has received a number of awards, including theAgere/SRC research fellowship, GANN fellowship, and the LTU presidentialscholarship.

Arathi Ramani received the B.S. degree incomputer engineering, from Thadomal ShahaniEngineering College, affiliated with the Universityof Mumbai, India, in 1999 and the M.S. degree incomputer engineering in 2002 from the Universityof Michigan, Ann Arbor, where she is currentlypersuing the Ph.D. degree.

Her interests are in algorithms for combinatorialoptimization and their applications to electronic de-sign automation.

Igor L. Markov received the M.S. degree in mathe-matics and the Ph.D. degree in computer science fromthe University of California, Los Angeles (UCLA).

He is an Assistant Professor of Electrical Engi-neering and Computer Science at the University ofMichigan, Ann Arbor. His interests are in quantumcomputing and in combinatorial optimizationwith applications to the design and verification ofintegrated circuits. His contributions include theCapo circuit placer and quantum circuit simulatorQuIDDPro. He has co-authored more than 50

publications.Prof. Markov is serving on the technical program committees at the these fora:

Design, Automation, and Test in Europe Conference, the International Sym-posium on Physical Design, the International Conference on Computer-AidedDesign, the Great Lakes Symposium on Very Large Scale Integration, the Inter-national Workshop on System-Level Interconnect Prediction, the InternationalWorkshop on Logic and Synthesis, and the International Workshop on Sym-metries in Contraint-Satisfaction Problems in 2003. He received the Best Ph.D.Student Award from the Department of Computer Science, UCLA in 2000.

Karem A. Sakallah (S’76–M’81–SM’92–F’98) re-ceived the B.E. degree in electrical engineering fromthe American University of Beirut, Beirut, Lebanon,and the M.S.E.E. and Ph.D. degrees in electrical andcomputer engineering from Carnegie Mellon Univer-sity, Pittsburgh, PA, in 1975, 1977, and 1981, respec-tively.

In 1981, he was a Visiting Assistant Professor inthe Department of Electrical Engineering, CarnegieMellon University. From 1982 to 1988, he was withthe Semiconductor Engineering Computer-Aided

Design Group at Digital Equipment Corporation, Hudson, MA, where heheaded the Analysis and Simulation Advanced Development Team. SinceSeptember 1988, he has been a Professor of Electrical Engineering andComputer Science at the University of Michigan, Ann Arbor. From September1994 to March 1995, he was with the Cadence Berkeley Laboratory, Berkeley,CA, on a six-month sabbatical leave. He has authored or co-authored morethan 150 papers and has presented seminars and tutorials at many professionalmeetings and various industrial sites. His research interests include the area ofcomputer-aided design with emphasis on simulation, timing verification andoptimal clocking, logic and layout synthesis, Boolean satisfiability, and designverification.

Dr. Sakallah was an Associate Editor of the IEEE TRANSACTIONS ON

COMPUTER-AIDED DESIGN OFINTEGRATEDCIRCUITS AND SYSTEMSfrom 1995to 1997, and has served on the Program Committees of the International Con-ference on Computer-Aided Design, Design Automation Conference, and theInternational Conference of Computer Design as well as and numerous otherworkshops. He is currently an Associate Editor of the IEEE TRANSACTIONS

ON COMPUTERS. He is a Member of the Associate of Computing Machinery(ACM) and Sigma Xi.

solving difficult instances of boolean satisfiability in...

Documents