yet another decision procedure for equality logic (full...

Yet Another Decision Procedure for EqualityLogic (full version)

Orly Meir1 and Ofer Strichman2

1 Computer science department, Technion , Israel. [email protected] Information Systems Engineering, Technion, Israel. [email protected]

Abstract. We introduce a new decision procedure for Equality Logic.The procedure improves on Bryant and Velev’s sparse method [4] fromCAV’00, in which each equality predicate is encoded with a Boolean vari-able, and then a set of transitivity constraints are added to compensatefor the loss of transitivity of equality. We suggest the Reduced Tran-sitivity Constraints (rtc) algorithm, that unlike the sparse method,considers the polarity of each equality predicate, i.e. whether it is anequality or disequality when the given equality formula ϕE is in Nega-tion Normal Form (NNF). Given this information, we build the EqualityGraph corresponding to ϕE with two types of edges, one for each po-larity. We then define the notion of Contradictory Cycles to be cyclesin that graph that the variables corresponding to their edges cannot besimultaneously satisfied due to transitivity of equality. We prove that itis sufficient to add transitivity constraints that only constrain Contradic-tory Cycles, which results in only a small subset of the constraints addedby the sparse method. The formulas we generate are smaller and definea larger solution set, hence are expected to be easier to solve, as indeedour experiments show. Our new decision procedure is now implementedin the uclid verification system.

Keywords: Equality Logic, Decision procedures, Graph algorithms.

1 Introduction

Equality Logic with Uninterpreted Functions is a major decidable theory usedin verification of infinite-state systems. Well-formed expressions in this logic areBoolean combinations of Equality predicates, where the equalities are definedbetween term-variables (variables with some infinite domain) and UninterpretedFunctions. More formally:

Definition 1 (Equality Logic with Uninterpreted Functions). An Equal-ity Logic formula with Uninterpreted Functions is defined by the language:

formula : formula ∨ formula | ¬formula | atom

atom : term = term | Boolean-variableterm : term-variable |function-name(list of terms)

Uninterpreted Functions can be eliminated via either Ackermann’s reduction[1] or Bryant et al.’s reduction [2] (from now on we will say Bryant’s reduction).In both options the Uninterpreted Functions are replaced by new term-variables,and a set of constraints in Equality Logic that guarantee functional consistency,i.e. that two function instances that are instantiated with the same arguments,return the same value. For example, given the two Uninterpreted Functionsf(x), f(y), when applying Ackermann’s reduction, they are replaced by newterm variables f1, f2 respectively, while adding the constraint x = y → f1 = f2.Bryant’s reduction is a little different, in that it replaces each uninterpretedfunction symbol with a case expression, that essentially does the same. Thereare subtle differences between these translations, that are explained later in thispaper.

There are many examples of using Equality Logic and Uninterpreted Func-tions in the literature. Proving equivalence of circuits after custom-design orretiming (a process in which the layout of the circuit is changed in order to im-prove computation speed) is a prominent example [3, 6]. Translation Validation[16], a process in which the input and output of a compiler are proven to be se-mantically equivalent is another example of using this logic. Almost all theoremprovers that we are aware of support this logic, either explicitly or as part oftheir support of more expressive logics.

Related work The importance of this logic led to several suggestions for deci-sion procedures in the last few years, which we will briefly survey here. We willconcentrate only on BDD and SAT-based decision procedures here, which areconsidered to be faster than their predecessors that relied on lazy case-splittingand computing Congruence Closure [18].

The first to suggest a BDD based procedure were Goel et al. in [10]. First,they encode each equality with a new Boolean variable, which results in a formulathat we denote by B (B for Boolean). Then, they build a BDD for B and searchit for a path to the ‘1’ node that does not violate the transitivity of equality. Forexample, given the formula

v1 = v2 ∧ v2 = v3 ∧ ¬(v1 = v3) (1)

they build the BDD for the formula

B = e1,2 ∧ e2,3 ∧ ¬e1,3 (2)

where e1,2, e2,3, e1,3 are new Boolean variables 1. The only path to ‘1’ in theBDD in this case corresponds to the assignment (e1,2 = T, e2,3 = T, e1,3 = F ),which is of course not consistent with the transitivity constraints of the originalformula, and hence discarded. Since there is no other path to ‘1’, the formula isdeclared unsatisfiable.1 ei,j is the Boolean variable that corresponds to the equality predicate vi = vj .

Therefore, ei,j is equivalent to ej,i.

The Range-Allocation method [15], offered by Pnueli et al., suggests to finda small domain for each variable that is sufficient for preserving the satisfiabilityof the formula. That is, if there is no satisfying assignment from these ranges,then there is no satisfying assignment at all. In the case of the formula above, forexample, they find in polynomial time the range v1 ∈ {0}, v2 ∈ {0, 1}, v3 ∈ {0, 1}to be sufficient. In this specific example no range is needed because the formulais unsatisfiable, but since they invest only polynomial time, they cannot detectthat in the general case.

Bryant, German and Velev suggested a related method in [2] called positiveequality. They classify the terms in the formula to positive and general. The termsbelonging to the first class are those that can be replaced with unique constantswithout changing the satisfiability of the formula. For example, given the formulax 6= y, x and y are classified as positive since we can check satisfiability of theformula by replacing them with unique constants, for example 0 and 1. Indeed0 6= 1 is satisfiable as the original formula is. They present a syntactic criterionfor this classification that also handles the more complicated case of nestedUninterpreted Functions. A combination of this idea and the Range Allocationmethod was later suggested by Rodeh and Strichman in [17].

The sparse method and our improvement The most relevant decisionprocedure for this paper is Bryant and Velev’s sparse [4] method. We dedicateSection 2 to the sparse method and variations thereof. In the sparse method,as in Goel et al.’s method, each equality predicate is replaced with a new Booleanvariable, which results in a purely propositional formula that we denote by B(B for Boolean). Transitivity constraints over these Boolean variables are thenconjoined with B, to recover the transitivity of equality that is lost in the Booleanencoding. So, for example, given the formula (1), it is reduced to the Booleanformula B (2), and B is conjoined with the transitivity constraints

e1,2 ∧ e2,3 → e1,3

e1,2 ∧ e1,3 → e2,3

e1,3 ∧ e2,3 → e1,2

The conjoined formula is satisfiable if and only if the original formula is satisfi-able.

In order to decide which constraints are needed, following the sparse method,one needs to build a graph in which each equality predicate is an edge and eachvariable is a vertex. With a simple analysis of this graph the necessary constraintsare derived. This is where our method is different from the sparse method: unlikethe graph considered by the sparse method, the graph we build has two kinds ofedges: one for equalities and one for disequalities, assuming the Equality formulais given to us in Negation Normal Form (NNF) (also known as Positive Form).Given this extra information, about the polarity of each equality predicate, weare able to find a small subset of the constraints that are generated by the sparsemethod, that are still sufficient to preserve correctness. This results in a muchsimpler formula that is easier for SAT to solve, at least in theory.

We base our procedure on a theorem that we state and prove in Section4. The theorem refers to what we call Simple Contradictory Cycles, which aresimple cycles that have exactly one disequality edge. In such cycles, the theoremclaims, we need to prevent an assignment that assigns false to the disequalityedge and true to the rest of the edges. Most importantly, these are the only kindof constraints necessary. The proof of this theorem relies on a certain property ofNNF formulas called monotonicity with respect to satisfiability that we presentin Section 3: if a certain assignment α satisfies an NNF formula ϕE, then everyother assignment α′ satisfies ϕE if it satisfies a superset of the predicates in ϕE

that are satisfied by α. We will describe this property in more detail in Section3. In Section 5 we show an algorithm that computes in polynomial time a set ofconstraints that satisfy the requirements of our theorem. We also show a versionof the algorithm that produces even less constraints, but requires exponentialtime in the worst case. Whether there exists an equivalent algorithm that worksin polynomial time is an open problem. In Section 8 we present experimentalresults. Our new procedure is now embedded in the uclid [5] verification tooland is hence available for usage. We also run our procedure over a set of randominputs. The results of this runs are also presented in Section 8. In Section 9 weconclude the paper and present directions for future research.

2 Reducing Equality Logic to Propositional Logic

We consider the problem of deciding whether an Equality Logic formula ϕE issatisfiable. The following framework is used by both [4] and the current work toreduce this decision problem to the problem of deciding a propositional formula:

1. Let E denote the set of equality predicates appearing in ϕE. Derive a Booleanformula B by replacing each equality predicate (vi = vj) ∈ E with a newBoolean variable ei,j . Encode disequality predicates with negations, e.g.,encode i 6= j with ¬ei,j .

2. Recover the lost transitivity of equality by conjoining B with explicit tran-sitivity constraints jointly denoted by T (T for Transitivity). T is a formulaover B’s variables and, possibly, auxiliary variables.

The Boolean formula B ∧ T should be satisfiable if and only if ϕE is satisfiable.Further, we should be able to construct a satisfying assignment to ϕE from anassignment to the ei,j variables. A straightforward method to build T in a waythat will satisfy these requirements is the following:

For each set of ei,j variables ei1,i2 , ei2,i3 , . . . , eik,i1 in B corresponding to acyclic comparison between variables in ϕE, add k transitivity constraints of theform

(k−1∧

i=1

antecedent-variablei) → (consequence-variable)

where the k variables in this formula constitute exactly our set. For example, inthe constraint:

ei1,i2 ∧ ei2,i3 . . . ∧ eik−1,ik→ ei1,ik

(3)

we chose ei1,ikto be the consequence variable. By choosing each time a different

variable from the set, we get k constraints.A transitivity constraint prevents an assignment that contradicts transitivity

of equality, that is, that k − 1 ei,j variables, 1 ≤ i ≤ k, j = (i + 1 mod k) areassigned true, and the remaining single ei,j variable is assigned false. Theconstraint in Equation 3, for example, prevents an assignment false to ei1,ik

and true to all the other boolean variables.

Example 1. Consider the Equality formula

ϕE : v1 = v2 ∧ v2 = v3 ∧ v1 6= v3

First, we compute B:

B : e1,2 ∧ e2,3 ∧ ¬e1,3

In this case there is only one cyclic comparison of size 3, and therefore T is aconjunction of three transitivity constraints:

T =

(e1,2 ∧ e2,3 → e1,3)∧(e1,2 ∧ e1,3 → e2,3)∧(e2,3 ∧ e1,3 → e1,2)

Thus, B ∧ T is satisfiable if and only if ϕE is satisfiable. utThis straightforward method can lead to an exponential number of constraints.In [4] three different methods to build T are suggested, all of which are betterthan the one suggested above. We need to define Non-Polar Equality Graph inorder to explain these methods.

Definition 2 (Non-Polar Equality Graph). Given an Equality Logic for-mula ϕE, the Non-Polar Equality Graph corresponding to ϕE is an undirectedgraph (V,E) where each node v ∈ V corresponds to a variable in ϕE, and eachedge e ∈ E corresponds to an equality or disequality predicate in ϕE.

The graph is called non-polar to distinguish it from the graph that we will uselater, in which there is a distinction between edges that represent equalities andthose that represent disequalities. We will simply say Equality Graph from nowon in both cases, where the meaning is clear from the context.

The three methods suggested in [4] are:

1. The Dense method introduces a variable ei,j for each pair of variables (i, j) inϕE, regardless whether there is a comparison between them in this formula.T is then a conjunction of all constraints of the form ei,j ∧ ej,k → ei,k for alldistinct values of i, j and k. This yields a formula T that is cubic in n, thenumber of variables in ϕE.

2. The Direct method considers the Non-Polar Equality Graph. It adds k tran-sitivity constraints for every chord-free cycle of size k in this graph (a chordis an edge between two non-adjacent nodes). A proof that this set of con-straints is sufficient can be found in [4]. Since the number of chord-free cyclesin the Equality Graph can be exponential, the formula can grow accordingly.

3. The sparse method is also based on the theorem stating that it is sufficientto add transitivity constraints only to chord-free cycles. A chordal graph, alsoknown as triangulated graph, is a graph in which every cycle of size four ormore has a chord. In such a graph only triangles are chord-free cycles. Everygraph can be made chordal by adding auxiliary edges in linear time. Thesparse method begins by making the graph chordal, while referring to eachadded edge as a new auxiliary ei,j variable. It then adds three transitivityconstraints of the form

(ei,j ∧ ej,k → ei,k)(ei,k ∧ ej,k → ei,j)(ei,j ∧ ei,k → ej,k)

for each triangle (i, j, k).

The sparse method is both theoretically and empirically the better one of thethree, and also our starting point. We will denote the transitivity constraintsgenerated by the sparse method with T S .

Example 2. Figure 1 presents an Equality Graph before and after making itchordal. The added edge e0,6 corresponds to a new auxiliary variable e0,6 thatappears in T S but not in B. After making the graph chordal, it contains 4triangles and hence there are 12 constraints in T S . For example, for the triangle(v1, v2, v3) the constraints are:

e1,2 ∧ e2,3 → e1,3

e1,3 ∧ e2,3 → e1,2

e1,2 ∧ e1,3 → e2,3

Fig. 1. A non-chordal Equality Graph (left) and its chordal version.

ut

We will show an algorithm for constructing a Boolean formula T R (the super-script R is for Reduced) which is, similarly to T S , a conjunction of transitivityconstraints, but contains only a subset of the constraints in T S . T R is not logi-cally equivalent to T S ; it has a larger solution set. Yet it maintains the propertythat B ∧ T R is satisfiable if and only if ϕE is satisfiable, as we will later prove.This means that T R not only has a subset of the constraints of T S , but it alsodefines a less constrained search space (has more solutions than T S). Togetherthese two properties are likely to make the SAT instance easier to solve. Sincethe complexity of both our algorithm and the sparse method are similar, wecan claim dominance over the sparse method, although practically, due to theunpredictability of SAT, such claims are never 100% true. We will describe thismethod in detail starting in the next section.

3 Basic Definitions

We will assume that our Equality formula ϕE is given in Negation Normal Form(NNF), which means that negations are only applied to atoms, or equality pred-icates in our case. Every formula can be transformed to this form in linear timein the size of the formula. To be more accurate, transforming the formula toNNF is not strictly necessary, rather it is only necessary to know the logicalpolarity of each predicate in the formula, that is, whether it would be negatedif the formula was transformed to NNF. This information can be computed bysimply counting the number of negations that nest each predicate. If this num-ber is odd, we say that the polarity of the predicate is negative, and add it to aset that we denote by E 6=. Otherwise, we say that the polarity of the predicateis positive, and add it to a set that we denote by E=. It is possible, of course,that a predicate appears in both sets. Our decision procedure, as the sparsemethod, relies on graph-theoretic concepts. We will also use Equality Graphs,but redefine them so they refer to polarity information. Specifically, each of thesets E=, E6= corresponds in this graph to a different set of edges. We overloadthese notations so they refer both to the set of predicates and to the edges thatrepresent them in the Equality Graph.

Definition 3 (Equality Graph). Given an Equality Logic formula ϕE, theEquality Graph corresponding to ϕE, denoted by GE(ϕE), is an undirected graph(V, E=, E6=) where each node v ∈ V corresponds to a variable in ϕE, and eachedge in E= and E6= corresponds to an equality or disequality from the respectiveequality predicates sets E= and E 6=. By convention E= edges are dashed and E 6=edges are solid.

As before, every edge in the Equality Graph corresponds to a variable ei,j ∈ B.It follows that when we refer to an assignment of an edge, we actually refer toan assignment to its corresponding variable. Also, we will simply write GE todenote an Equality Graph if we do not refer to a specific formula.

Example 3. In Figure 2 we show an Equality Graph GE(ϕE) corresponding tothe non-polar version shown in Figure 1, assuming some Equality Formula ϕE

for which E= : {(v5 = v6), (v6 = v7), (v7 = v0), (v1 = v2), (v2 = v3), (v3 = v4)}and E 6= : {(v0 6= v5), (v0 6= v1), (v1 6= v4), (v1 6= v3)}.

Fig. 2. The Equality Graph GE(ϕE) corresponding to the non-polar version of the samegraph shown in Figure 1.

utWe now define two types of paths in Equality Graphs.

Definition 4 (Equality Path). An Equality Path in an Equality Graph GE

is a path made of E= (dashed) edges. We denote by x =∗ y the fact that x hasan Equality Path to y in GE, where x, y ∈ V .

Definition 5 (Disequality Path). A Disequality Path in an Equality GraphGE is a path made of E= (dashed) edges and a single E6= (solid) edge. We denoteby x 6=∗ y the fact that x has a Disequality Path to y in GE, where x, y ∈ V .

Similarly, we will use a Simple Equality Path and a Simple Disequality Pathwhen the path is required to be loop-free. In Figure 2 it holds, for example,that v0 =∗ v6 due to the simple path v0, v7, v6; v0 6=∗ v6 due to the simple pathv0, v5, v6; and v7 6=∗ v6 due to the simple path v7, v0, v5, v6.

Intuitively, Equality Path between two variables implies that it might berequired to assign both variables an equal value in order to satisfy the formula. ADisequality Path between two variables implies the opposite: it might be requiredto assign different values to these variables in order to satisfy the formula. Forthis reason the case in which both x =∗ y and x 6=∗ y hold in GE(ϕE), requiresspecial attention. We say that the graph, in this case, contains a ContradictoryCycle.

Definition 6 (Contradictory Cycle). A Contradictory Cycle in an EqualityGraph is a cycle with exactly one disequality (solid) edge.

Several characteristics of Contradictory Cycles are: 1) For every pair of nodesx, y in a Contradictory Cycle, it holds that x =∗ y and x 6=∗ y. 2) For every

Contradictory Cycle C, either C is simple or a subset of its edges forms a simpleContradictory Cycle. We will therefore refer only to simple Contradictory Cyclesfrom now on. 3) It is impossible to satisfy simultaneously all the predicates thatcorrespond to edges of a Contradictory Cycle. Further, this is the only type ofsubgraph with this property.

Figure 3 demonstrates characteristic 2: by following the path from the sin-gle solid edge without entering the loop, we complete a simple cycle which iscontradictory as well and is made of a subset of the edges of C.

��

��

��

��

x1 x2

x3

x5

x4

Fig. 3. Dashed edges are E= edges (equalities) and solid edges are E 6= edges (dise-qualities). This figure demonstrates that Contradictory Cycles contain a simple Con-tradictory Cycle: in this case the Contradictory Cycle v1, v5, v2, v3, v5, v4, v1 containsv1, v5, v4, v1 which is contradictory as well.

The reason that we need polarity information is that it allows us to use thefollowing property of NNF formulas.

Theorem 1 (Monotonicity of NNF). Let φ be an NNF formula and α be anassignment such that α |= φ. Let the positive set S of α be the positive literals inφ assigned true and the negative literals in φ assigned false. Every assignmentα′ with a positive set S′ such that S ⊆ S′ satisfies φ as well.

The same theorem was used, for example, in [15]. As an aside, when this theoremis applied to CNF formulas, which are a special case of NNF, it is exactly thesame as the pure literal rule.

4 Main Theorem

The key idea that is formulated by Theorem 2 below and later exploited by ouralgorithm can first be demonstrated by a simple example.

Example 4. For the Equality Graph below (left), the sparse method generatesT S with three transitivity constrains (recall that it generates three constraintsfor each triangle in the graph, regardless of the edges’ polarity). We claim, how-

ever, that the single transitivity constraint T R = (e0,2∧e1,2 → e0,1) is sufficient.

αR αS

e0,1 true truee1,2 true truee0,2 false true

To justify this claim, it is sufficient to show that for every assignment αR thatsatisfies B ∧ T R, there exists an assignment αS that satisfies B ∧ T S . Since this,in turn, implies that ϕE is satisfiable as well, we get that ϕE is satisfiable if andonly if B ∧ T R is satisfiable. Note that the ‘only if’ direction is implied by thefact that we use a subset of the constraints defined by T S .

We are able to construct such an assignment αS because of the monotonicityof NNF (recall that the polarity of the edges in the Equality Graph are accordingto their polarity in the NNF representation of ϕE). There are only two satisfyingassignments to T R that do not satisfy T S . One of these assignments is shownin the αR column in the table to the right of the drawing. The second columnshows a corresponding assignment αS , which clearly satisfies T S . We still need toprove that every formula B that corresponds to the above graph, is still satisfiedby αS if it was satisfied by αR. For example, for B = (¬e0,1 ∨ e1,2 ∨ e0,2),both αR |= B ∧ T R and αS |= B ∧ T S hold. Intuitively, this is guaranteed tobe true because αS is derived from αR by flipping an assignment of a positive(un-negated) predicate (e0,2) from false to true. We can equivalently flip anassignment to a negated predicate (e0,1 in this case) from true to false.

A formalization of this argument requires a reference to the monotonicityof NNF (Theorem 1): Let S and S′ denote the positive sets of αR and αS

respectively. Then in this case S = {e1,2} and S′ = {e1,2, e0,2}. Thus S ⊂ S′ andhence, according to Theorem 1, αR |= B → αS |= B. utWe need several definitions in order to generalize this example into a theorem.

Definition 7 (A constrained Contradictory Cycle). Let C = (es, e1, . . . , en)be a Contradictory Cycle where es is the solid edge. Let ψ be a formula over theBoolean variables in B that encodes the edges of C. C is said to be constrainedin ψ if the assignment (es, e1, . . . , en) ← (F, T, . . . , T ) contradicts ψ.

Recall that we denote by T S the formula that imposes transitivity constraints inthe sparse method, as defined in [4] and described in Section 2. Further, recallthat the sparse method works with chordal graphs, and therefore all constraintsare over triangles. Our method also makes the graph chordal, and the constraintsthat we generate are also over triangles, although we will not use this fact inTheorem 2, in order to make it more general.

Definition 8 (A Reduced Transitivity Constraints function T R). A Re-duced Transitivity Constraints (RTC) function T R is a conjunction of transitiv-ity constraints that maintains these two requirements:

R1 For every assignment αS, αS |= T S → αS |= T R (the solution set of T R

includes all the solutions to T S).R2 T R constrains all the simple Contradictory Cycles in the Equality Graph GE.

R1 implies that T R is less constrained than T S . Consider, for example, a chordalEquality graph in which all edges are solid (disequalities): in such a graph thereare no Contradictory Cycles and hence no constraints are required. In this caseT R = true, while T S includes three transitivity constraints for each triangle.

Theorem 2 (Main). An Equality formula ϕE is satisfiable if and only if B∧T R

is satisfiable.

Proof. (⇒) Due to R1, the proof of this direction is trivial.(⇐) We now prove that if B ∧ T R is satisfiable, then so is B ∧ T S , which

by [4] also implies that ϕE is satisfiable. Our proof strategy is to start from afull assignment αR such that αR |= B ∧ T R and construct an assignment αS forwhich αS |= B ∧ T S holds. We will need the following definitions:

Definition 9 (Transitivity violation of cycles). A simple cycle of size k issaid to be violating transitivity under a full assignment αR if αR assigns exactlyk − 1 of its edges true.

Recall that no cycle can be violating under an assignment that satisfies B ∧T S .On the other hand such cycles can exist under αR, an assignment that satisfiesB ∧ T R.

Although αS and αR are assignments of Boolean values to edges, it is stillconvenient to refer to the vertices that these edges connect, as we do in thefollowing definitions.

Definition 10 (Equal vertices under an assignment). A pair of vertices(vi, vj) is Equal under an assignment α, denoted by vi =∗α vj, if and only if thereis an Equality Path between them that α assigns true to all of its edges.

Definition 11 (Unequal vertices under an assignment). A pair of vertices(vi, vj) is unequal under an assignment α, denoted by vi 6=∗α vj, if and only ifthere is a Disequality Path between them that α assigns true to all of its dashed(equality) edges and false to its single solid (disequality) edge.

These definitions can be demonstrated in Figure 2: consider an assignment αwhich assigns true to e1,2, e2,3 and e3,4, and false to e1,4. Now v1 =∗α v4

because of the path through the Equality Path (v1, v2, v3, v4) and v1 6=∗α v4

because of the Disequality Path (v1, v4).Given a violating cycle C : (eF = (vi0 , vi1), eT1 = (vi1 , vi2), . . . , eTk =

(vik, vi0)) which is respectively assigned by αR (false, true,. . . , true) we

make the following key observations:

O1: The combination of vi0 6=∗αR vi1 , vi1 =∗αR vi2 , . . . , vik=∗αR vi0 implies that

αR satisfies a Contradictory Cycle, which is impossible by definition of αR.Hence at least one of these relations has to be false.

O2: if eF is solid then vi0 6=∗αR vi1 .O3: if eT1 is dashed then vi1 =∗αR vi2 , and the same applies for eT2 . . . eTk: if eTj

is dashed, 1 ≤ j ≤ k, then vij=∗αR vi(j+1 mod k+1)

2.

Again, we demonstrate these observations with the help of Figure 2. The assign-ment αR(e1,2, e2,3, e3,4, e1,4) = (true,true,true, false) is impossible becauseit implies that αR satisfies a Contradictory Cycle. Therefore by O1 at least oneof these assignments is different. Suppose, then, that αR(e1,2, e2,3, e3,4, e1,4) =(false,true,true,true). This is a violating cycle in which (eF , eT1, eT2, eT3) =(e1,2, e2,3, e3,4, e1,4). It is not the case that v1 6=∗αR v2 and by O2 indeed eF (theedge e1,2) is dashed. It is also not the case that v1 =∗αR v4 and indeed by O3 eT3

(the edge e1,4) is solid.Based on these observations at least one of these two conditions must hold,

as we will later prove in Lemma 3:

C1 For some j, not vij =∗αR vij+1 . By observation O3 this implies that eTj issolid.

C2 Otherwise, by observation O1 not vi0 6=∗αR vi1 and consequently, by obser-vation O2, eF must be dashed.

Returning to our example, C1 holds for j = 3 (the edge eT3, which is e1,4)because it is not the case that v1 =∗αR v4, and indeed e1,4 is solid.

The construction of αS is based on these two conditions. Initially, for everyedge e, αS(e) = αR(e). Then, for every violating cycle, we decide whether to flipa true assignment of a solid edge to false, or a false assignment of a dashededge to true, until no such cycles are left. Based on the above observations welater prove that this process terminates and indeed constructs an assignment αS

that satisfies B ∧ T S .

Reconstruct-α1: For every edge e, Let αS(e) = αR(e).2: while true do3: Let C = (eF , eT1, . . . , eTk) be a violating cycle under αR, for which αR(C) =

(false,true, . . . ,true). If there is no such cycle then exit.4: if condition C1 holds then5: αS(eTj) = false . the j from condition C16: else7: if condition C2 holds then8: αS(eF ) = true9: else

10: Abort . Lemma 3 will prove that we never get here

Lemma 1. The reconstruction of αS by Reconstruct-α terminates.

2 To avoid overly complicated notation we will not add the ‘mod k + 1’ from now on

Proof. In each step the flipping makes a violating cycle into a non-violating cycle.Further, Reconstruct-α only flips a true assignments of solid (disequality)edges to false, and a false assignment of dashed (equality) edges to true.Therefore a cycle is never considered twice with the same assignment. Since thereis a finite number of violating assignments to each cycle, the process terminates.

utLemma 2. B is satisfied by αS.

Proof. We only flip assignments of solid (disequality) edges to false, and assign-ments of dashed (equality) edges to true. Due to monotonicity of NNF formulas(see Theorem 1), changing the values in this way preserves satisfiability. utLemma 3. All violating cycles, at each iteration of Reconstruct-α, satisfyone of the two conditions C1 and C2.

Proof. By definition of the two conditions, if a violating cycle does not satisfy anyof them, it means that the current assignment satisfies a Contradictory Cycle. Wenow prove that this is impossible, because it is an invariant of Reconstruct-αthat transitivity of all Contradictory Cycles are not violated.

Assume the reconstruction terminates after n iterations, and denote by αt,1 ≤ t ≤ n the assignment corresponding to the t − th iteration (α1 = αR andαn = αS). We prove that no Contradictory Cycle can be satisfied, by inductionon t. For t = 1 this holds by definition of αR. Now assume this claim is correctfor iteration t, t < n. In iteration t + 1 we may:

– Flip the assignment of eTj = (vij , vij+1) for some 1 ≤ j ≤ k from true tofalse. Recall that we perform this flip only if eTj is solid. Falsely assumethat this flip caused the t+1-th assignment to satisfy a Contradictory CycleC. This means that eTj is the solid edge of C. All other edges in C are dashedand assigned true, and were also assigned true in step t. This means thatvij =∗αt

vij+1 which contradicts the condition to make this assignment.– Flip the assignment of eF = (vi0 , vi1) from false to true. Recall that we

perform this flip only if eF is dashed. Falsely assume that this flip causedthe t+1-th assignment to satisfy a Contradictory Cycle C. This means thatvi0 6=∗αt+1

vi1 and vi0 6=∗αtvi1 due to the path through C. This contradicts

the condition to make this assignment.ut

Lemma 4. In the end of Reconstruct-α, no cycle is violating transitivityunder αS.

Proof. Due to Lemma 3 we know that for every violating cycle one of the twoconditions in the reconstruction holds, and hence the truth value of one of itsedges is flipped, which immediately makes it stop violating transitivity (recallthat by Definition 9 a simple cycle with k vertices is violating transitivity if andonly if exactly k− 1 of its edges are assigned true). Hence, there cannot be anyviolating cycle in the end of this process, which, according to Lemma 1, mustindeed end. ut

The combination of Lemmas 2 and 4 completes the proof that αS |= B∧T S andhence proves Theorem 2. utThe Reconstruct-α algorithm that the proof of Theorem 2 relies on has prac-tical implications, as it suggests a way to find a satisfying assignment to ϕE,given αR such that αR |= B ∧ T R. But Reconstruct-α requires searching forviolating cycles, which may be exponential. With a small amendment, however,we can make it polynomial. Since our graph is chordal, we know that it is possi-ble to satisfy the requirements from T R with triangular transitivity constraints(this is what the sparse method does). So by simply adding this as a require-ment, that is, that all transitivity constraints constituting T R are triangular, weget a polynomial reconstruction algorithm, since we can now only look for vio-lating triangles, instead of violating cycles. Given this amendment, we can applyReconstruct-α in polynomial time, for example by computing two n× n ma-trices (recall that n is the number of variables in ϕE), one for Equality Paths andone for Disequality Paths. In the Equality Paths matrix, a pair (i, j) is marked ifand only if i =∗αR j. Initially, mark all entries (i, j) for which (i = j) ∈ E=. Then,apply a transitive-closure algorithm: for each pair of marked entries (i, j), (j, k),mark (i, k) as well, until convergence. This process can be applied in time cubicin n [8]. The Disequality Paths matrix can be built in a similar way: initiallymark all pairs (i, j) for which (i 6= j) ∈ E6=, and then mark (i, k) for each k suchthat j =∗αR k, until convergence.

5 The Reduced Transitivity Constraints Algorithm

We now introduce an algorithm that generates a formula T R, which satisfies thetwo requirements R1 and R2 that were introduced in the previous section.

The rtc algorithm processes Biconnected Components (BCC) [8] in the givenEquality Graph.

Definition 12 (Maximal Biconnected Component). A Biconnected Com-ponent of an undirected graph is a maximal set of edges such that any two edgesin the set lie on a common simple cycle.

We can focus on BCCs because we only need to constrain cycles, and in particularContradictory Cycles. Each BCC that we consider contains a solid edge es andall the Contradictory Cycles that it is part of. In line 6 of rtc we make the BCCchordal. Since making the graph chordal involves adding edges, prior to this step,in line 5, we add solid edges from GE that can serve as chords. After the graphis chordal we call Generate-constraints, which generates and adds to somelocal cache all the necessary constraints for constraining all the ContradictoryCycles in this BCC with respect to es. When Generate-constraints returns,all the constraints that are in the local cache are added to some global cache.The conjunction of the constraints that are in the global cache by the end of thealgorithm is what rtc returns as T R.

Generate-constraints iterates over all triangles that include the solidedge es ∈ E6= with which it is called first. It then attempts to implicitly expand

rtc (Equality Graph GE(V, E=, E 6=))1: global-cache = ∅2: Set the source of all edges to NULL3: for all es ∈ E 6= do4: Find B(es) = maximal BCC in GE made of es and E= edges;5: Add to B(es) all edges from E 6= that connect vertices in B(es);6: Make the graph B(es) chordal; . (The chords can be either solid or dashed)7: Generate-constraints (B(es), es);8: global-cache = global-cache ∪ local-cache;9: T R = conjunction of all constraints in the global cache;

10: return T R;

Generate-constraints (Equality Graph GE(V, E=, E 6=), edge e ∈ GE)1: for all triangles (e1, e2, e) ∈ GE such that

– e1 ∧ e2 → e is not in the local cache– source(e) 6= e1 ∧ source(e) 6= e2

do2: source(e1) = source(e2) = e;3: Add e1 ∧ e2 → e to the local cache;4: Generate-constraints (GE, e1); . expand e1

5: Generate-constraints (GE, e2); . expand e2

each such triangle to larger cycles that include es. This expansion is done in therecursive calls of Generate-constraints. Given the edge e, which is part of acycle, it tries to make the cycle larger by replacing e with two edges that ‘lean’on this edge, i.e. two edges e1, e2 that together with e form a triangle. This iswhy we refer to this operation as expansion. There has to be an indication inwhich ‘direction’ we can expand the cycle, because otherwise when consideringe.g. e1, we would replace it with e and e2 and enter an infinite loop. For thisreason we maintain the source of each edge. The source of an edge is the edgethat it replaces. In the example above when replacing e with e1, e2, source(e1) =source(e2) = e. So in the next recursive call, where e1 is the considered edge,due to the second condition in line 1 of Generate-constraints, we do notexpand it through the triangle (e, e1, e2).

Each time we replace the given edge e by two other edges e1, e2, we alsoadd a transitivity constraint e1 ∧ e2 → e to the local cache. Informally, one maysee this constraint as enforcing the transitivity of the expanded cycle, by usingthe transitivity enforcement of the smaller cycle. In other words, this constraintguarantees that if the expanded cycle violates transitivity, then so does thesmaller one. Repeating this argument all the way down to triangles, gives usan inductive proof that transitivity is enforced for all cycles. A formal proof ofcorrectness of rtc appears in the next subsection.

Example 5. Figure 4 (left) shows the result of the iterative application of line 4in rtc for each solid edge in the graph shown in Figure 2. By definition, after this

step each BCC contains exactly one solid edge. Figure 4 (right) demonstratesthe application of lines 5 and 6 in rtc: in line 5 we add e1,3, and in line 6 we adde0,6, the only additional chords necessary in order to make all BCCs chordal.The progress of Generate-constraints for this example is shown in Table 1.

Iteration Component edge to source Triangle addedexpand of edge constraint

1 a e0,5 - (e0,5, e5,6, e0,6) e0,6 ∧ e5,6 → e0,5

2 a e0,6 e0,5 (e0,6, e6,7, e0,7) e6,7 ∧ e0,7 → e0,6

3 b e1,4 - (e1,4, e3,4, e1,3) e1,3 ∧ e3,4 → e1,4

4 b e1,3 e1,4 (e1,3, e2,3, e1,2) e1,2 ∧ e2,3 → e1,3

5 c e1,3 - (e1,3, e2,3, e1,2) e1,2 ∧ e2,3 → e1,3

Table 1. The progress of Generate-constraints when given the graph of Figure4 (not including steps where the function returns because the triangle contains thesource of the expanded edge). In line 5 the constraint is already in the global cache,and hence not added again.

The constraints that are generated for this graph are thus:

e0,6 ∧ e5,6 → e0,5

e6,7 ∧ e0,7 → e0,6

e1,3 ∧ e3,4 → e1,4

e1,2 ∧ e2,3 → e1,3

ut

5.1 Correctness of rtc

Lemma 5 (rtc terminates). Algorithm rtc terminates.

Proof. In each step in rtc we are handling a solid edge, and all actions takenin lines 4 - 6 clearly terminate. Falsely assume that Generate-constraints

Fig. 4. The BCCs found in line 4 (left) and after lines 5 and 6 in rtc (right).

Fig. 5. The BCCs shown in Figure 4, after lines 5 and 6 in rtc

calls itself an infinite number of times. At each call, Generate-constraintseither adds a constraint to the local cache if it was not already there, or returnswithout further recursive calls. There is a finite number of possible constraints(only transitivity constraints over triangles), and therefore at some point allconstraints will be in the cache. From that point on, Generate-constraintswill return without further recursive calls, which contradicts our assumption thatit calls itself an infinite number of times. ut

Lemma 6 (T R satisfies requirement R1). The formula T R returned by rtcrespects requirement R1: for every assignment α, α |= T S → α |= T R.

Proof. Since α satisfy T S , it respects transitivity of all cycles in GE(ϕE), andin particular, it respects transitivity constraints of every Contradictory Cycle,and therefore satisfies T R. Note that all the constraints that are added to thecachees are triangular transitivity constraints, and hence in any case we cannotadd constraints that would not be otherwise added to T S (to be more precise,this statement is accurate only if we assume that both methods make the givengraph chordal in exactly the same way). ut

Lemma 7 (T R satisfies requirement R2). The formula T R returned by rtcrespects requirement R2: it constrains all simple Contradictory Cycles in theEquality Graph GE(V, E=, E 6=).

Proof. For each solid edge es, rtc finds B(es), the maximal BCC that containses and other dashed edges from GE. By definition of BCC, B(es) contains allsimple Contradictory Cycles in which es is the solid edge. In line 7 of rtc,Generate-constraints is called with B(es) and es as parameters.

Proposition 1. When Generate-constraints(B(es), es) returns, for everycycle C containing es the following two properties hold:

P1: C is constrained with respect to es (see Definition 7) by the constraints thatare in the local cache.

P2: for every e ∈ C such that e 6= es, a constraint of the form e ∧ e1 → e2 is inthe local cache, such that e1 and e2 are either edges on cycle C or chords init.

Proof. By induction over n, the number of vertices in C.Base case: n = 3. When Generate-constraints is called from within

rtc (and not by a recursive call from Generate-constraints itself), eachtriangle C : (e1, e2, es) that contains es is moved over in the loop in line 1, andthe constraint e1 ∧ e2 → es is added to the local cache at line 3, unless it wasalready in there. This proves both P1 and P2.

Induction step: Suppose the theorem is correct for cycles with size smalleror equal to n, and now consider a cycle C of size n + 1. As we will later provein Proposition 2, the simple cycle C can be divided to a cycle C1 such thates ∈ C1, and a triangle t : (e1, e2, e3), such that e2, e3 ∈ C and e1 is a chord inC (and also the shared edge between C1 and t) (see Figure 6). The inductionassumption holds for C1. Therefore, since e1 is an edge on C1, a constraint of theform e1 ∧ e4 → e5 exists in the local cache, where e4 and e5 are edges or chordsin C1. After adding this constraint, source(e1) is set to e5, and Generate-constraints is called with e1 as its second parameter. The first parameter isthe BCC that contains the cycle C, and in particular, contains edges e2 and e3.Therefore, t is being handled in line 1 in Generate-constraints. As a result,the constraint e2 ∧ e3 → e1 is added to the local cache in line 3 (unless it wasalready there), since neither e2 nor e3 are e1’s source. This proves P2 for C.

Fig. 6. A chordal contradictory cycle C : (es, e6, e7, e2, e3, e4). C can be divided to asmaller cycle C1 : (es, e6, e7, e1, e4) and a triangle t : (e1, e2, e3).

With this additional constraint, we claim that the constraints in the localcache constrain C with respect to es, which means that P1 holds as well. Falselyassume the contrary, i.e. there exists an assignment which satisfies all the con-straints that are in the local cache, that assigns false to es and true to all theother edges in C. Since the constraint e2 ∧ e3 → e1 is in the local cache, e1 mustalso be assigned true by this assignment. Now, every edge, except es, in cycle

C1 is assigned true, which contradicts the fact that C1 is a constrained cyclewith respect to es. ut

In order to complete the proof of Proposition 1, we need to prove the followingProposition as well:

Proposition 2. Let C be a simple cycle, contained in a chordal BCC, and con-tains an edge es. C can be divided to a cycle C1 such that es ∈ C1, and a trianglet : (e1, e2, e3), such that e2, e3 ∈ C and e1 is a chord in C (and also the sharededge between C1 and t).

Proof. We use the following definitions and auxiliary claims:

Definition 13 (Induced Graph). Given two graphs G1(V1, E1) and G2 :(V2, E2), G2 is an Induced Graph of G1 if V2 ⊆ V1 and E2 = {e : (v1, v2)|v1, v2 ∈V2 and e ∈ E1}Claim. Every induced graph of a chordal graph G is chordal.

Proof. Falsely assume that there exists an induced graph G′ that is not chordal.G′ contains at least one cycle with more than 3 edges, which has no chord. Thiscycle also exists in G, in contradiction to the fact that G is chordal. utDefinition 14 (Simplicial Vertex). A vertex v ∈ G is simplicial if the neigh-bors of v form a clique in G.

Claim. Every chordal graph G has a simplicial vertex. If G is not a completegraph, then it has two simplicial vertices that are not adjacent.

For proof see, for example, [11].Every simple cycle C, together with its chords, is an induced graph of the

chordal BCC. Therefore, C is also a chordal graph, according to the first Claimabove. According to the second Claim, If G is not a complete graph, there are2 non-adjacent simplicial vertices in it. If G is a complete graph, then it has atleast 3 vertices which are simplicial. In both cases, there is at least one simplicialvertex v ∈ C, that is not a vertex on es. v is part of two edges on C, e2 = (v, v1)and e3 = (v, v2). Since all v’s neighbors form a clique in the BCC, there is anedge e1 = (v1, v2). C can be divided, therefore, to the cycle C1 = (C\(e2∪e3)∪e1

and the triangle t : (e1, e2, e3).This concludes the proof of Proposition 2, and hence also the proof of Propo-

sition 1. utWe return to the proof of Lemma 7. By Proposition 1, when the call to

Generate-constraints in line 7 returns, all cycles (and in particular, all sim-ple Contradictory Cycles) that contain es are constrained with respect to itby the constraints in the local cache. In line 8 all the constraints in the localcache are added to the global cache. Generate-constraints is called for allsolid edges, therefore, by the end of the algorithm, for every solid edge, all sim-ple Contradictory Cycles that contain it are constrained with respect to it, by

the constraints in the global cache. Since we never remove constraints from theglobal cache, we are guaranteed that T R, which conjoins them in line 9 of rtc,constrains all simple Contradictory Cycles. This concludes the proof of Lemma7. utTheorem 3 (rtc is sound). Algorithm rtc generates a formula T R whichsatisfied requirements R1 and R2 of Theorem 2.

Proof. Implied by Lemmas 6 and 7. ut

5.2 Complexity of rtc and improvements

Lines 4-6 in rtc can all be done in time linear in the size of the graph (includingthe process of finding BCCs [8]). The number of iterations of the main loop in rtcis bounded by the number of solid edges in the graph. Generate-constraints,in each iteration of its main loop, either adds a new constraint or moves tothe next iteration without further recursive calls. Since the number of possibleconstraints is bounded by three times the number of triangles in the graph, thenumber of recursive calls in Generate-constraints is bounded accordingly.

Improvement : To reduce complexity, we only use a global cache, which re-duces the number of added constraints and the overall complexity, since wenever generate the same constraint twice and stop the recursion calls earlier ifwe encounter a constraint that was generated in a previous BCC.

6 An improved algorithm

As mentioned before, reducing the number of transitivity constraints is our maingoal. We have shown that it is enough to constrain only the simple ContradictoryCycles. rtc returns T R, which constrains all Contradictory Cycles, whethersimple or not. Figure 7 shows an example of an Equality Graph for which rtcgenerates redundant constraints. For example, the constraint e0,2∧e0,3 → e2,3 isgenerated after expanding e2,3 although it is not necessary for constraining anysimple Contradictory Cycle.

We suggest another version of rtc, called RTC-exp, which on the onehand generates less constraints, because it only constrains simple Contradic-tory Cycles, but on the other hand can be exponential. We could not finda polynomial algorithm that does the same, although we also did not provethat such an algorithm is not likely to exist, and hence consider this prob-lem as still open. rtc-exp is the same as rtc, the only difference being thatit calls generate-constraints-exp in line 7 instead of calling Generate-constraints. generate-constraints-exp calls a function named expand-cycle-exp, in which the expansion of the cycles is made. Both generate-constraints-exp and expand-cycle-exp appear below. expand-cycle-exprequires as parameter the cycle to expand C. Before expanding C, it checks thatthe expansion generates a simple cycle, and a transitivity constraint is beingadded only if this is the case.

Fig. 7. An Equality Graph for which rtc generates redundant constraints.

Generate-constraints-exp (Equality Graph GE(V, E=, E 6=), edge es ∈ E 6=)1: for all triangles C : (e1, e2, es) ∈ GE do2: if e1 ∧ e2 → es is not in the cache then3: add e1 ∧ e2 → es to the cache4: Expand-cycle-exp(g, C, e1)5: Expand-cycle-exp(g, C, e2)

Boolean Expand-cycle-exp (Equality Graph GE(V, E=, E 6=), cycle C that includeses ∈ E 6=, edge e ∈ C)1: for all triangles (e1, e2, e) ∈ GE do2: if (C \ e) ∪ e1 ∪ e2 is a simple cycle then3: if e1 ∧ e2 → e is not in the cache then4: Add e1 ∧ e2 → e to the cache

. Expand even if the constraint is in the cache5: Expand-cycle-exp(GE, (C \ e) ∪ e1 ∪ e2, e1)6: Expand-cycle-exp(GE, (C \ e) ∪ e1 ∪ e2, e2)

Example 6. We now demonstrate how RTC-exp solves the problem shown inFigure 7. For this example, Generate-constraints-exp is called once withthe arguments (the whole graph, e0,1). Table 2 shows step-by-step the progressfrom that point on. Note how the (redundant) constraint e0,2∧e0,3 → e2,3, which

Iteration edge to Triangle cycle addedexpand constraint

1 e0,1 (e0,1, e1,2, e0,2) (e0,1, e1,2, e0,2) e0,2 ∧ e1,2 → e0,1

2 e1,2 (e1,2, e0,2, e0,1) (e0,1, e0,2, e0,2, e0,1) (*)

3 e1,2 (e1,2, e2,3, e1,3) (e0,1, e0,2, e2,3, e1,3) e1,3 ∧ e2,3 → e1,2

4 e2,3 (e2,3, e1,3, e1,2) (e0,1, e0,2, e1,2, e1,3, e1,3) (*)

5 e2,3 (e2,3, e0,3, e0,2) (e0,1, e0,2, e0,2, e0,3, e1,3) (*)

6 e1,3 (e1,3, e1,2, e2,3) (e0,1, e0,2, e2,3, e2,3, e1,2) (*)

7 e1,3 (e1,3, e0,1, e0,3) (e0,1, e0,2, e2,3, e0,3, e0,1) (*)

8 e0,2 (e0,2, e0,1, e1,2) (e0,1, e0,1, e1,2, e1,2) (*)

9 e0,2 (e0,2, e0,3, e2,3) (e0,1, e0,3, e2,3, e1,2) e0,3 ∧ e2,3 → e0,2

10 e0,3 (e0,3, e2,3, e0,2) (e0,1, e0,2, e2,3, e2,3, e1,2) (*)

11 e0,3 (e0,3, e1,3, e0,1) (e0,1, e0,1, e1,3, e2,3, e1,2) (*)

12 e2,3 (e2,3, e0,3, e0,2) (e0,1, e0,3, e0,3, e2,3, e1,2) (*)

13 e2,3 (e2,3, e1,3, e1,2) (e0,1, e0,3, e1,3, e1,2, e1,2) (*)

Table 2. The progress of generate-constraints-exp and expand-cycle-exp whengiven the graph of Figure 7. (*) The considered cycle is not simple: expand-Cycle-expreturns without adding a constraint.

was added in rtc, is considered in iteration 5 but is not added because it is notpart of a simple cycle. utThe correctness proof for this algorithm is very similar to the correctness proofof rtc. We only need to change the proof of Lemma 1, so it refers to simpleContradictory Cycles. Recall that by Theorem 2 it is sufficient to constrainthese type of cycles. Rather than repeating the proof with small changes, let usgive here general arguments that justify the correctness of RTC-exp.

Lemma 1 refers to arbitrary cycles, and is therefore definitely correct forsimple cycles. The addition of the condition in line 2 of Expand-cycle-expthat requires to consider the triangle (e, e1, e2) only if replacing e by (e1, e2)maintains C simple, corresponds to our more modest requirement to constrainonly simple cycles. The interesting twist is that blocking the expansion of thecycle can potentially lead to skipping necessary constraints in later steps, unlessother changes are made. In particular, note that Expand-cycle-exp continuesto expand in lines 5 and 6 even if the constraint is already in the cache, in contrastto generate-constraints in the original version of the algorithm. The reasonwe need to continue expanding in this case can be demonstrated by the examplebelow. Unfortunately this necessary remedy causes Expand-cycle-exp to beworst-case exponential. Such a case is demonstrated in Figure 10.

Example 7. We now demonstrates the need to continue expanding cycles, even ifthe constraint is already in the cache. Suppose it isn’t the case, meaning, Lines5 and 6 of expand-cycle-exp are inside the ’if’ statement from Line 3 andcycles are expanded only if the constraint is not in the cache, as in the originalversion of generate-constraints. Table 3 shows the progress of Generate-constraints-exp in this case over the Equality Graph shown in Figure 8.


1 e0,1 (e0,1, e1,2, e0,2) (e0,1, e1,2, e0,2) e0,2 ∧ e1,2 → e0,1

2 e1,2 (e1,2, e2,3, e1,3) (e0,1, e0,2, e2,3, e1,3) e1,3 ∧ e2,3 → e1,2

3 e2,3 (e2,3, e3,4, e2,4) (e0,1, e0,2, e2,4, e3,4, e1,3) e2,4 ∧ e3,4 → e2,3

4 e3,4 (e3,4, e4,5, e3,5) (e0,1, e0,2, e2,4, e4,5, e3,5, e1,3) e4,5 ∧ e3,5 → e3,4

5 e4,5 (e4,5, e4,6, e5,6) (e0,1, e0,2, e2,4, e4,6, e5,6, e3,5, e1,3) e4,6 ∧ e5,6 → e4,5

6 e5,6 (e5,6, e3,5, e3,6) (e0,1, e0,2, e2,4, e4,6, e3,6, e3,5, e3,5, e1,3) (*)

Table 3. The progress of Generate-constraints-exp over the graph shown in figure8, in the case of expanding only if the constraint is not in the cache. (*) The constrainte3,5 ∧ e3,6 → e5,6 is not added since the expanded cycle is not simple.

Fig. 8.

Suppose now that this graph has 3 more edges: e1,5, e0,5 and e0,4, as shownin figure 9, and the algorithm continues. When we reach again to the loop inLine 1 of Generate-constraints-exp our algorithm continues as shown inTable 4.

As can be seen from the two tables, the constraint e3,5 ∧ e3,6 → e5,6 is notadded to the cache, even though it is needed in order to constrain the simpleContradictory Cycle (e0,1, e0,4, e4,6, e3,6, e3,5, e1,5). We would have add this con-


1 e0,1 (e0,1, e0,5, e1,5) (e0,1, e0,5, e1,5 e0,5 ∧ e1,5 → e0,1

2 e0,5 (e0,5, e4,5, e0,4) (e0,1, e0,4, e4,5, e1,5) e0,4 ∧ e4,5 → e0,5

3 e4,5 (e4,5, e4,6, e5,6) (e0,1, e0,4, e4,6, e5,6, e1,5) (*)

Table 4. The progress of Generate-constraints-exp over the graph shown in figure9, in the case of expanding only if the constraint is not in the cache. (*) The constrainte4,6∧e5,6 → e4,5 is already in the cache and therefore the function Expand-cycle-expreturns.

Fig. 9.

straint if we wouldn’t have stopped because the constraint e4,6 ∧ e5,6 → e4,5 isalready in the cache. This example shows that we have to continue expandingcycles, even if a constraint is already in the cache, unlike the original versionof generate-constraints. Otherwise, the algorithm does not constrain allsimple Contradictory Cycles, and thus is not correct.

7 Discussion

It is quite intuitive why the formula B∧T R should be easier to solve than B∧T S ,when the original formula ϕE is satisfiable — the solutions space rtc defines ismuch larger. The case where ϕE is unsatisfiable is more complex to analyze. Inthe cases where the Boolean encoding of ϕE, B, is unsatisfiable by itself (withoutadding any transitivity constraints), we expect that the advantage of rtc willnot be seen, and B∧T R will be as hard to solve as B∧T S . In the more interestingcases, where ϕE is unsatisfiable and B is satisfiable, it is less clear which of theformulas is easier to solve. In fact, SAT solvers are frequently faster when the

Fig. 10. A BCC that causes RTC-exp to be exponential in the number of vertices.

input formula contains extra information that further prunes the search space.That might be an advantage of the sparse method over rtc. In practice, as can beseen in the experimental results shown in the next section, rtc is better also inunsatisfiable instances. We speculate that this fact originates from the followingtheorem and conclusions. Let T represent all transitivity constraints that are inT S but not in T R. Then,

Theorem 4 (T preserves satisfiability). If B is satisfiable, then B ∧ T issatisfiable.

Proof. Since B is satisfiable, there is an assignment α s.t α |= B. Let α′ be anassignment derived from α such that:

α′(ei,j) =

true ei,j ∈ E=, ei,j 6∈ E6=false ei,j ∈ E 6=, ei,j 6∈ E=

α(ei,j) Otherwise

We will show that α′ |= B ∧ T . From monotonicity of NNF formulas, it is clearthat α′ |= B. Falsely assume that α′ does not satisfy T , i.e. there is a transitivityconstraint ei,j ∧ ej,k → ei,k in T unsatisfied by α′. This means that ei,j and ej,k

are assigned true and ei,k is assigned false in α′. From α′ definition we knowthat ei,j and ej,k are dashed (or both dashed and solid) and ei,k is solid (or bothsolid and dashed), which means that the triangle ei,j , ej,k, ei,k is a ContradictoryCycle and hence the constraint ei,j ∧ej,k → ei,k must be in T R. This contradictsT ’s definition. ut

Assuming B is satisfiable, by Theorem 4 we know that a proof of unsatisfiabilitymust include T R clauses. Further, from Theorem 2 we know that there must existat least one unsatisfiability proof that does not rely on T at all. Apparently, inpractice, the SAT solver finds this type of proofs, and rarely finds shortcutsthrough T ’s clauses.

8 Experimental Results

uclid benchmarks. Our decision procedure is now integrated in the uclid[5] verification system. uclid is a tool for analyzing the correctness of modelsof hardware and software systems. It can be used to model and verify infinite-state systems with variables of integer, Boolean, function, and array types. Theapplications of uclid explored to date include microprocessor design verifica-tion, analyzing software for security exploits, verification of a compiler throughTranslation Validation and verifying distributed algorithms.

uclid reports to rtc the edges of the Equality Graph corresponding to theverified formula including their polarity, and rtc returns a list of transitivityconstraints. The Boolean encoding (the generation of B), the elimination of Un-interpreted Functions, various simplifications and the application of the PositiveEquality algorithm [2], are all applied by uclid as before. The comparison tothe sparse method of [4], which is also implemented in this tool and fed exactlythe same formula, is therefore fair.

We used all the relevant uclid benchmarks that we are aware of (all of whichhappen to be unsatisfiable). We compared rtc and the sparse method usingthe two different reduction methods of Uninterpreted Functions: Ackermann’sreduction [1] and Bryant’s reduction [2]. This might cause a bias in our results notin our favor: the reduction of Uninterpreted Functions to Equality Logic resultsin Equality Graphs with specific characteristics. In the appendix we explain thedifference between the two reductions and why this influences our results. Herewe will only say that when Bryant’s reduction is used, all edges correspondingto comparisons between arguments of functions are ‘double’, meaning that theyare both solid and dashed. In such a case rtc has no advantage at all, sinceevery cycle is a contradictory cycle. This does not mean that when using thisreduction method rtc is useless: recall that we claim for theoretical dominanceover the sparse method. It only means that the advantage of rtc is going tobe visible if there is a large enough portion of the Equality Graph that is notrelated to the reduction of Uninterpreted Functions, rather to the formula itself.

The SAT-solver we used for both rtc and the sparse method was zChaff(2004 edition) [14]. For each benchmark we show the number of generated tran-sitivity constraints, the time it took zChaff to solve the SAT formula, the runtime of uclid, which includes RTC but not zChaff time and the total run time.Table 5 (top) compares the two algorithms, when uclid uses Bryant’s reductionwith Positive Equality. Indeed, as expected, in this setting the advantage of rtcis hardly visible: the number of constraints is a little smaller comparing to what isgenerated by the sparse method (while the time that takes rtc and the sparsemethod to generate the transitivity constraints is almost identical, with a smalladvantage to the sparse method), and correspondingly the runtime of zChaffis smaller, although not significantly. We once again emphasize that we considerthis as an artifact of the specific benchmarks we found; almost all equalities inthem are associated with the reduction of the Uninterpreted Functions. As fu-ture research we plan to integrate in our implementation the method of Rodehet al. [17] which, while using Bryant’s reduction, not only produces drastically

smaller Equality Graphs, but also does not necessarily require a double edge foreach comparison of function instances. This is expected to mostly neutralize thisside effect of Bryant’s reduction. Table 5 (bottom) compares the two algorithmswhen Ackermann’s reduction is used. Here the advantage of rtc is seen clearly,both in the number of constraints and the overall solving times. In particular,note the reduction from a total of 222,807 constraints to 67,769 constraints.

Benchmark # sparse method rtcset files Constraints uclid zChaff total Constraints uclid zChaff total

TV 9 16719 148.48 1.08 149.56 16083 151.1 0.96 152.06Cache.inv 4 3669 47.28 40.78 88.06 3667 54.26 38.62 92.88

Dlx1c 3 7143 18.34 2.9 21.24 7143 20.04 2.73 22.77Elf 3 4074 27.18 2.08 29.26 4074 28.81 1.83 30.64

OOO 6 7059 26.85 46.42 73.27 7059 29.78 45.08 74.86Pipeline 1 6 0.06 37.29 37.35 6 0.08 36.91 36.99

Total 26 38670 268.19 130.55 398.74 38032 284.07 126.13 410.2

TV 9 103158 1467.76 5.43 1473.19 9946 1385.61 0.69 1386.3Cache.inv 4 5970 48.06 42.39 90.45 5398 54.65 44.14 98.79

Dlx1c 3 46473 368.12 11.45 379.57 11445 350.48 8.88 359.36Elf 5 43374 473.32 28.99 502.31 24033 467.95 28.18 496.13

OOO 6 20205 78.27 29.08 107.35 16068 79.5 24.35 103.85Pipeline 1 96 0.17 46.57 46.74 24 0.18 46.64 46.82

q2 1 3531 30.32 46.33 76.65 855 32.19 35.57 67.76

Total 29 222807 2466.02 210.24 2676.26 67769 2370.56 188.45 2559.01

Table 5. rtc vs. the sparse method using Bryant’s reduction with positive equalities(top) and Ackermann’s reduction (bottom). Each benchmark set corresponds to anumber of benchmark files in the same family. The column ‘uclid’ refers to the totalrunning time of the decision procedure without the SAT solving time.

Random formulas. In another set of experiments we generated hundreds ofrandom formulas and respective Equality Graphs, while keeping the ratio of ver-tices to edges similar to what we found in the real benchmarks (about 1 vertex to4 edges). Each benchmark set was built as follows. Given n vertices, we randomlygenerated 16 different graphs with 4n random edges, and the polarity of eachedge was chosen randomly according to a predefined ratio p. We then generateda random CNF formula B with 16n clauses (each clause with up to 4 literals)in which each literal corresponds to one of the edges. Finally, we generated twoformulas, T S and T R corresponding to the transitivity constraints generated bythe sparse and rtc methods respectively, and sent the concatenation of B witheach of these formulas to three different SAT solvers, HaifaSat [9], Siege v4 [12]and zChaff 2004.

In the results depicted in Table 6 we chose n = 200 (in the uclid benchmarksn was typically a little lower than that). Each set of experiments (corresponding

to one cell in the table) corresponds to the average results over the 16 graphs, anda different ratio p, starting from 1 solid to 10 dashed, and ending with 10 solid to1 dashed. We set the timeout for 600 seconds and added this number in case thesolver timed-out. With siege we occasionally let it run until it terminated (withboth rtc and sparse) without a time limit, just in order to get some informationabout instances that no solver could solve. All instances were satisfiable (in thelow ratio of solid to dashed, namely 1:2 and 1:5 we could not solve any of theinstances with any of the solvers). The conclusions from the table are that (1)in all tested ratios rtc generated less constraints than sparse. As expected,this is more apparent when the ratio is further than 1:1; there are very fewcontradictory cycles in this kind of graphs. (2) with all three SAT solvers it tooklonger to solve B ∧ T S than to solve B ∧ T R.

ratio constraints zChaff HaifaSat siege v4

solid:dashed Sparse RTC Sparse RTC Sparse RTC Sparse RTC

1:10 373068.8 181707.8 581.1 285.6 549.2 257.4 1321.6 506.4

1:5 373068.8 255366.6 600.0 600.0 600.0 600.0 600.0 600.0

1:2 373068.8 308346.5 600.0 600.0 600.0 600.0 600.0 600.0

1:1 373068.8 257852.6 5.2 0.4 5.9 3.0 1.2 0.1

2:1 373068.8 123623.4 0.1 0.01 0.6 0.22 0.01 0.01

5:1 373068.8 493.9 0.1 0.01 0.6 0.01 0.01 0.01

10:1 373068.8 10.3 0.1 0.01 0.6 0.01 0.01 0.01

average 373068.8 161057.3 255.2 212.3 251.0 208.7 360.4 243.8

Table 6. rtc vs. the sparse method in random satisfiable formulas listed by the ratioof solid to dashed edges.

Tables 7 and 8 present another two sets of experiments. In Table 7, thenumber of vertices n ranges from 200 to 500. All the instances were satisfiableand the ratio between solid and dashed edges was 1:1.

Table 8 presents results of unsatisfiable instances with n = 150 and 500 to3000 edges, where each result again averages over 16 different random formulas.The advantage of rtc over sparse is clear in both Table 7 and in Table 8.

As was discussed in Section 7, the advantage of rtc, shown in Table 7 isexpected. The experiments above on uclid benchmarks (which, recall, are allunsatisfiable) and the results from Table 8 show that rtc is also better in unsat-isfiable instances. The possible reason for that is explained in details in Section7.

9 Conclusions and Directions for Future Research

We presented a new decision procedure for Equality Logic, which builds uponand improves previous work by Bryant and Velev in [4, 3]. The new proceduregenerates a set of transitivity constraints that is, at least in theory, easier to solve.

# vertices constraints zChaff HaifaSat siege v4

Sparse RTC Sparse RTC Sparse RTC Sparse RTC

200 381622.5 273138.5 0.3 0.1 9.7 2.0 0.4 0.1

300 1231662 881554 4.6 0.5 4.1 2.7 2.1 0.1

400 3005868.7 2183852.7 3.5 0.9 11.0 7.1 9.6 1.1

500 5452234 3774497.7 2.7 1.7 18.8 10.5 1.0 0.2

Table 7. rtc vs. the sparse method in random graphs with different number ofvertices. The table shows for each number of vertices, the average number of constraintsand the average time it took each SAT solver to solve the corresponding formula.

# edges constraints zChaff HaifaSat siege v4

Sparse RTC Sparse RTC Sparse RTC Sparse RTC

500 110139.0 68663.8 50.7 47.6 101.7 89.0 11.2 10.6

1500 595757.3 590674.5 490.4 447.4 565.4 561.3 131.3 100.4

2000 777153 772019.8 134.8 90.7 118.1 92.2 9.6 9.1

3000 999723.8 998443.8 42 34.9 33 27 5.2 4.2

Table 8. rtc vs. the sparse method in random graphs with 150 vertices and a varyingnumber of edges.

The experiments we conducted show that in most cases it is better in practiceas well, and in any case does not make it worse, at least not in more than a fewseconds. rtc that we presented first does not make full use of Theorem 2, as itconstrains all Contradictory Cycles rather than only the simple ones.

which states that it is sufficient to constrain simple Contradictory Cycles. Itis not able to distinguish between simple and non simple cycles, and hence con-strains all cycles, which leads to redundancy. We also presented a second versionof the algorithm, RTC-exp, which indeed constrains only simple ContradictoryCycles, but with a worst-case exponential price. It is left for future research tofind a polynomial algorithm that does the same, or prove that this problem isinherently hard.

Acknowledgement We are exceptionally grateful to Sanjit Seshia for the manyhours he invested in hooking our procedure to uclid, and for numerous insightfulconversations we had on this and related topics.

References

1. W. Ackermann. Solvable cases of the Decision Problem. Studies in Logic and theFoundations of Mathematics. North-Holland, Amsterdam, 1954.

2. R. Bryant, S. German, and M. Velev. Exploiting positive equality in a logic ofequality with uninterpreted functions. In Proc. 11th Intl. Conference on ComputerAided Verification (CAV’99), 1999.

3. R. Bryant, S. German, and M. Velev. Processor verification using efficient reduc-tions of the logic of uninterpreted functions to propositional logic. ACM Transac-tions on Computational Logic, 2(1):1–41, 2001.

4. R. Bryant and M. Velev. Boolean satisfiability with transitivity constraints. InProc. 12th Intl. Conference on Computer Aided Verification (CAV’00), volume1855 of Lect. Notes in Comp. Sci., 2000.

5. R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Modeling and verifying systems usinga logic of counter arithmetic with lambda expressions and uninterpreted functions.In Proc. 14th Intl. Conference on Computer Aided Verification (CAV’02), 2002.

6. J. R. Burch and D. L. Dill. Automatic verification of pipelined microprocessorcontrol. In Proc. 6th Intl. Conference on Computer Aided Verification (CAV’94),volume 818 of Lect. Notes in Comp. Sci., pages 68–80. Springer-Verlag, 1994.

7. T. Cormen, C. Leiserson, and R. Rivest. Introduction to Algorithms, chapter 26,page 563. MIT press, 2000.

8. T. Cormen, C. Leiserson, and R. Rivest. Introduction to Algorithms, chapter 26,page 495. MIT press, 2000.

9. R. Gershman and O. Strichman. Cost-effective hyper-resolution for preprocessingcnf formulas. In T. Walsh and F. Bacchus, editors, Theory and Applications ofSatisfiability Testing (SAT’05), 2005.

10. A. Goel, K. Sajid, H. Zhou, A. Aziz, and V. Singhal. BDD based procedures for atheory of equality with uninterpreted functions. In A. Hu and M. Vardi, editors,CAV98, volume 1427 of LNCS. Springer-Verlag, 1998.

11. V. Gogate and R. Dechter. A complete anytime algorithm for treewidth. In 20thconference on Uncertainty in artificial intelligence, pages 201 – 208, 2004.

12. L.Ryan. Efficient algorithms for clause-learning SAT solvers. Master’s thesis,Simon Fraser University, 2004.

13. O. Meir and O. Strichman. Yet another decision procedure for equality logic (fullversion), 2005. ie.technion.ac.il/∼ofers/cav05 full.ps.

14. M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff: Engineeringan efficient SAT solver. In Proc. Design Automation Conference (DAC’01), 2001.

15. A. Pnueli, Y. Rodeh, O. Strichman, and M. Siegel. The small model property:How small can it be? Information and computation, 178(1):279–293, Oct. 2002.

16. A. Pnueli, M. Siegel, and O. Shtrichman. Translation validation for synchronouslanguages. In K. Larsen, S. Skyum, and G. Winskel, editors, Proc. 25th Int. Col-loq. Aut. Lang. Prog., volume 1443 of Lect. Notes in Comp. Sci., pages 235–246.Springer-Verlag, 1998.

17. Y. Rodeh and O. Shtrichman. Finite instantiations in equivalence logic with un-interpreted functions. In Computer Aided Verification (CAV), 2001.

18. R. Shostak. An algorithm for reasoning about equality. Communications of theACM, 21(7):583 – 585, July 1978.

A Reduction methods of Uninterpreted Functions

Given k instances of the function f , f(x1) . . . f(xk), Ackermann’s reduction [1]suggest to replace each of these function instances with a term variable, namelyf1 . . . fk. Then, to maintain functional consistency (i.e. when the function isinstantiated with equal arguments, it returns the same value), a constraint ofthe form xi = xj → fi = fj for all 1 ≤ i < j ≤ k is added. This results in anEquality Formula.

Bryant’s reduction [2] is a little different, in that it replaces each Uninter-preted Function symbol with a case expression, that essentially does the same.Given e.g. three function instances f(x1), f(x2) and f(x3), the first is replacedwith a new term variable f1, the second with the expression

(case x1 = x2 : f1

else : f2

)

and the third with

case x1 = x3 : f1

x2 = x3 : f2

else : f3

The advantage of Bryant’s reduction is that it can be combined with the PositiveEquality method [2] and Range allocation [17]. In the context of rtc, however,Bryant’s reduction pauses a problem, because all the equalities on the guardsof the case expressions automatically result in ‘double edges’ (both dashed andsolid). A guard of a case expression, as a guard of an if statement, is evaluated bysubstituting it with a disjunction between two expressions, one of which includesguard and one includes ¬guard, hence the double edge.

yet another decision procedure for equality logic (full...

Documents