
In this chapter we have presented LPSup, a new resolution-based calculus for Linear Temporal Logic (LTL). The main idea behind LPSup is to interpret an LTL formula as a set of purely propositional problems over an infinite signature and to use labeled clauses to finitely represent reasoning within these problems. This enables us to lift PSup, a well-understood calculus for propositional logic, to the temporal setting and to formally transfer its favorable features, such as ordering restrictions on inferences and an abstract redundancy concept, along the way to LPSup. We described a saturation decision procedure based on LPSup and explained how it can be extended to build models for satisfiable inputs in a straightforward way.

We uncovered a connection between our formula normal form and Büchi automata, which led us to propose an alternative semantics for the operation of LPSup. In the light of this semantics, the saturation process can be seen as a symbolic computation of the preimage operation on sets of graph vertices represented in CNF. This observation, besides being of independent interest, allows us to easily expose the relation of LPSup to other approaches to LTL satisfiability checking.

Finally, we studied the relation between LPSup and its closest relative, the Clausal Temporal Resolution (CTR) calculus by Fisher et al. (2001). Although the underlying principles behind the two calculi are different, the ensuing procedures can be almost aligned on the computational level. Theoretical analysis favors CTR, whose worst-case complexity is better than that of LPSup by an exponential factor. On the other hand, our experiments indicate that in practice, LPSup is able to outperform CTR on many examples. Moreover, unlike LPSup, CTR cannot be easily extended to perform model construction.

3.1 Introduction

In this chapter we describe a new algorithm for LTL satisfiability checking. We call the algorithm LS4 as a pseudo-acronym for Labeled Superposition for LTL with partial model guidance. As the name suggests, LS4 can be seen as a continuation and extension of our work on the LPSup calculus developed in Chapter 2. The main difference is that instead of relying on saturation, LS4 constructs a partial model on the fly and uses it to effectively guide the selection of inferences. As we will show, this idea leads to a very successful algorithm both for finding full LTL models and for showing unsatisfiability.

Let us start our exposition here by explaining partial model guidance in more detail.

Partial model guidance

In Chapter 2 we have presented a simple algorithm (Algorithm 2.3 in Section 2.3.4) for building models of sets of labeled clauses saturated by LPSup. The algorithm conceptually reduces the labeled clause input to a set of purely propositional clauses over an infinite signature and then employs the standard model operator for propositional logic (Definition 2.3).

It considers individual propositional variables in a prescribed order and incrementally constructs a partial valuation V, which eventually becomes the desired model. In each step the considered variable p is set to true if and only if there is a productive clause for p, i.e., a clause C ∨ p such that all its literals other than p are already assigned a value in V and that value makes them false: V ⊭ C. In this situation, setting p to true is the "last chance" for the clause to become satisfied in the constructed valuation.

Because the propositional clause set is saturated and does not contain the empty clause (as follows from Theorem 2.3), the algorithm cannot reach a "conflict", which means it cannot arrive at a situation in which setting p to true because of a productive clause C ∨ p would make another clause D ∨ ¬p inevitably false in the constructed valuation. This is what the completeness theorem for PSup (Theorem 2.1) tells us. In other words, for a saturated set of clauses the model construction is backtrack free.

However, saturation is an expensive process and may compute more than what is actually needed. The proof of Theorem 2.1 gives us a hint on what resolution inferences are the essential ones for deriving the potential empty clause. They involve a productive clause C ∨ p and a clause D ∨ ¬p false in the currently constructed valuation V, as in the imagined conflict situation above. When we resolve these two clauses on the variable p we obtain a conclusion C ∨ D, which is smaller than the two premises and necessarily also false in V. Thus such an inference reduces the conflict to a smaller clause. By resetting V to a state before the truth status of C ∨ D would be determined, we may discover that this new clause now becomes productive and a subsequent update of V will make it true. In the opposite case (if the last unassigned literal of C ∨ D is not positive), the conflict cascades further.

Table 3.1: Comparing superposition-based model building with CDCL

                          model operator                    CDCL
  variable ordering       fixed beforehand                  dynamic; based on heuristics
  variable polarity       defaults to 0                     based on heuristics
  implied assignments     productive clause forces 1        via unit propagation
  resolution inferences   reduce the minimal false clause   derive the learned clause
  reductions              based on abstract redundancy      (pre/in-processing)

The just outlined principle for selecting inferences guided by the current partial valuation is the key idea behind LS4. It drives the algorithm forward to build the partial valuation greedily and to perform an inference only when addressing an immediate conflict. The overhead connected with maintaining the valuation is by far compensated by the fact that we do not need to fully saturate the given clause set.
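The model operator and the conflict-driven resolution step described above, as an added worked example (Python written for this edition; it is not code from the thesis or from any LPSup or LS4 implementation): variables are assigned in a fixed order, a productive clause forces its maximal variable to true, a clause whose maximal literal is the complementary negative literal and whose other literals are false exposes the conflict, the two clauses are resolved, and the valuation is reset to the state before the resolvent's truth status is determined, after which the walk over the variables resumes from there. The clause sets and variable names are constructed for the illustration, and the iteration bound is an extra guard that the text does not mention.

```python
# Added example, not the thesis's code: model operator with conflict-driven
# resolution over a fixed variable order.  A literal is (variable, polarity);
# a clause is a set of literals.  The maximal literal of a clause is the one
# whose variable comes last in the order.

def model_guided_resolution(clauses, order, max_steps=10_000):
    """Build a valuation V variable by variable.  On a conflict between a
    productive clause C v p and a false clause D v ~p, add the resolvent
    C v D, reset V to before its maximal variable and continue from there.
    Returns ("SAT", V, derived) or ("UNSAT", None, derived), where derived
    lists the resolvents in the order they were produced."""
    idx = {v: i for i, v in enumerate(order)}
    clauses = [frozenset(c) for c in clauses]
    derived = []

    def false_under(lits, V):
        # every literal already assigned and assigned the opposite value
        return all(var in V and V[var] != val for var, val in lits)

    def max_lit(clause):
        return max(clause, key=lambda lit: idx[lit[0]])

    V, i = {}, 0
    for _ in range(max_steps):
        if i == len(order):
            return "SAT", V, derived
        p = order[i]
        # productive clause: maximal literal is p, the rest is false in V
        productive = next((c for c in clauses
                           if max_lit(c) == (p, True)
                           and false_under(c - {(p, True)}, V)), None)
        V[p] = productive is not None
        conflict = None
        if productive is not None:
            # a clause D v ~p with D false in V is now inevitably false
            conflict = next((c for c in clauses
                             if max_lit(c) == (p, False)
                             and false_under(c - {(p, False)}, V)), None)
        if conflict is None:
            i += 1
            continue
        resolvent = (productive - {(p, True)}) | (conflict - {(p, False)})
        derived.append(resolvent)
        if not resolvent:
            return "UNSAT", None, derived      # empty clause derived
        clauses.append(resolvent)
        # reset V to before the truth status of the resolvent is decided
        k = idx[max_lit(resolvent)[0]]
        V = {v: V[v] for v in order[:k]}
        i = k
    raise RuntimeError("step bound reached")


# Constructed clause set over the order a < b < c.
CLAUSES_SAT = [{("a", True), ("b", True)},      # a v b
               {("a", False), ("c", True)},     # ~a v c
               {("b", False), ("c", True)},     # ~b v c
               {("b", False), ("c", False)}]    # ~b v ~c
# Adding ~a v ~c makes the cascade of conflicts end in the empty clause.
CLAUSES_UNSAT = CLAUSES_SAT + [{("a", False), ("c", False)}]
```

On CLAUSES_SAT the operator first sets a to false, b to true (a ∨ b is productive) and c to true (¬b ∨ c is productive), where ¬b ∨ ¬c is the conflict; the resolvent ¬b is itself false once b is reached, so the conflict cascades to the resolvent a, which is productive for a, and the run ends in the model a = 1, b = 0, c = 1 without ever saturating the set. On CLAUSES_UNSAT the same cascade continues through ¬a to the empty clause.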

SAT solver inside

Instead of directly building our algorithm on the above model guidance idea, we exploit a connection (Weidenbach) between the propositional model operator and the Conflict Driven Clause Learning (CDCL) algorithm for propositional satisfiability checking (Marques-Silva et al., 2009). Weidenbach shows that CDCL, the algorithm which powers the current state-of-the-art SAT solvers, is closely related to the superposition model building framework. This means that we can obtain the benefits of model guidance by employing a modern CDCL SAT solver as the underlying inference engine.

The CDCL algorithm advances the well known DPLL procedure for propositional satisfiability (Davis et al., 1962) by a non-chronological backtracking scheme based on conflict analysis and clause learning (Marques-Silva and Sakallah, 1999; Bayardo and Schrag, 1997). The algorithm constructs a partial valuation V by alternating between deciding a value for an unassigned variable and exhaustively applying the unit propagation rule. Unit propagation extends the partial valuation further by setting an unassigned literal l to true whenever there is a clause C ∨ l such that V ⊭ C. A conflict arises when this process reaches a point where a clause D has all its literals assigned to false. By analyzing the conflict and the propagations which led to it, the algorithm can derive a clause summarizing which decisions contributed to the conflict. The clause is then learned and the algorithm backtracks the partial assignment to a state where the conflict inducing decision can be repaired. Interestingly, the clause learning procedure can be defined by a sequence of resolution inferences between the conflict clause and the clauses that triggered the relevant propagations (Beame et al., 2004).

Let us now summarize the relation between the model operator and CDCL (see also Table 3.1). Both approaches incrementally construct a partial valuation. While the model operator follows a fixed ordering for assigning values to variables and prefers setting them to false unless there is a productive clause, CDCL is more flexible both in the order of assigning the variables and in choosing their polarity, and typically relies on heuristics in this respect. On the other hand, a closer look reveals that the definition of a productive clause follows the same principle as the unit propagation rule. Moreover, the way conflicts are dealt with and new clauses derived is essentially equivalent in both approaches: the resolution inference is applied to the conflict clause and the partial model is backtracked to a point where the conflicting assignment can be revised. Lastly, we note that CDCL per se does not employ any reductions. However, redundant clauses are typically removed during independent preprocessing (e.g., Eén and Biere, 2005) or in-processing (Järvisalo et al., 2012) stages. In what follows, we will describe LS4 as an algorithm that uses a CDCL SAT solver as a subroutine. We will, however, draw on the connection to the model operator to strengthen our intuition about what the computation means from the perspective of LPSup.

Step-by-step construction

LS4 attempts to show satisfiability of a given Temporal Satisfiability Task (TST) by iteratively constructing a partial model until a full, ultimately periodic model is discovered. The partial model is a finite sequence of valuations over the basic signature Σ, which we informally refer to as worlds. In each iteration, the algorithm prepares and poses a query to the underlying SAT solver, to find out whether the current partial model can be extended by one more world. If the query is satisfiable, a new world is extracted from the satisfying assignment and the partial model is extended. In the opposite case, a new clause is learned from the solver and the last world of the partial model is removed. LS4 backtracks over the last world because that world (by construction) does not satisfy the new clause, which must hold (again by construction) at that particular position in the final model. In the following iteration, the new clause will help to guide the extension of the updated partial model in the right direction.

We see that LS4 manipulates the partial model with a granularity corresponding to individual worlds. This is achieved by forming the query for the SAT solver over the joint signature Σ ∪ Σ′. The algorithm uses the unprimed part of the signature to encode the current last world, it supplies the step clauses to the query to relate the last world to the potential new world, and asserts all additional constraints on the new world as clauses over the primed variables. Thus, in the satisfiable case, the new world is extracted from the Σ′-part of the satisfying assignment.

The current last world is encoded into the query using the mechanism of solving under assumptions. This is a natural extension of the standard interface provided by any SAT solver based on the CDCL algorithm and was first introduced by Eén and Sörensson (2003a) in their solver Minisat. Assumptions are literals supplied as additional one-time constraints to the solving function. If a model is found, it is required to satisfy these literals. Additionally, in the unsatisfiable case the solver is able to return a subset of those assumptions that were actually used for showing the inconsistency. The new clause to be learned by LS4 is computed by collecting the negations of the used assumptions. As such, the new clause is automatically false in the current last world, and so backtracking follows.

[Figure 3.1: a sequence of worlds labeled I, G, G, G, ..., grouped into block 0, block 1, block 2, ...]
Figure 3.1: Illustrating blocks in LS4: the first world of block 0 satisfies the initial clauses I, the last world of every block satisfies the goal clauses G. The grayed part represents the current partial model.

By relying on the mechanism of assumptions, the model guidance paradigm is effectively split onto two levels. It is applied by CDCL on the level of individual variables within each call to the SAT solver and by LS4 itself on the level of whole worlds between the individual calls. The mechanism of assumptions connects the two levels seamlessly, preserving the overall efficiency but allowing LS4 to treat the inner workings of the SAT solver in a black-box manner, such that only the clauses learned on the "macroscopic" level of worlds need to be explicitly registered and processed by the algorithm.
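The step-by-step construction just described, as an added example in Python (written for this edition; it is not the LS4 implementation and does not drive a real CDCL solver). Everything below that the text does not state is an assumption of the example: the TST is restricted to initial, universal and step clauses, so goal clauses and blocks are left out; the SAT solver is a toy DPLL with a fixed decision order and default polarity false; the used assumptions are found by deletion-based minimisation rather than returned by the solver's conflict analysis; since only universal and step clauses enter an extension query, a clause learned from a failed extension holds at every position and is simply added as a universal clause; and a repeated world closes the loop of an ultimately periodic model. The clause sets are constructed for the illustration.

```python
# Added example, not the thesis's code: a miniature of LS4's world-by-world
# model construction.  A literal is (variable, polarity); a clause is a list
# of literals; a primed variable x' refers to the next world.

def propagate(clauses, assign):
    """Exhaustive unit propagation on assign; False if a clause is falsified."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for var, val in clause:
                if var in assign:
                    if assign[var] == val:
                        satisfied = True
                        break
                else:
                    unassigned.append((var, val))
            if satisfied:
                continue
            if not unassigned:
                return False
            if len(unassigned) == 1:
                var, val = unassigned[0]
                assign[var] = val
                changed = True
    return True


def solve(clauses, assumptions, order):
    """Toy DPLL standing in for the CDCL solver: decisions follow order with
    default polarity False; assumptions are literals fixed for this call only."""
    assign = {}
    for var, val in assumptions:
        if assign.get(var, val) != val:
            return None
        assign[var] = val

    def search(assign):
        assign = dict(assign)
        if not propagate(clauses, assign):
            return None
        for var in order:
            if var not in assign:
                for val in (False, True):
                    found = search({**assign, var: val})
                    if found is not None:
                        return found
                return None
        return assign

    return search(assign)


def used_assumptions(clauses, assumptions, order):
    """Deletion-based minimisation in place of the solver's own core: a
    subset of the assumptions that still makes the query unsatisfiable."""
    core = list(assumptions)
    for lit in list(core):
        trial = [l for l in core if l != lit]
        if solve(clauses, trial, order) is None:
            core = trial
    return core


def prime(lit):
    return (lit[0] + "'", lit[1])


def ls4_worlds(sigma, initial, universal, step, max_iter=100):
    """Returns (status, worlds, loop_start, learned): on "SAT" the worlds and
    the index the next world would repeat; on "UNSAT" the learned clauses."""
    order = sigma + [v + "'" for v in sigma]
    learned, worlds = [], []
    for _ in range(max_iter):
        # constraints on the new world are asserted over the primed variables
        query = [[prime(l) for l in c] for c in universal + learned]
        if worlds:
            query += step                                        # last -> new
            assumptions = [(v, worlds[-1][v]) for v in sigma]    # last world
        else:
            query += [[prime(l) for l in c] for c in initial]
            assumptions = []
        model = solve(query, assumptions, order)
        if model is None:
            if not worlds:
                return "UNSAT", worlds, None, learned
            # negations of the used assumptions: false in the last world
            clause = [(v, not val) for v, val in used_assumptions(query, assumptions, order)]
            learned.append(clause)
            worlds.pop()                                         # backtrack
            continue
        new = {v: model[v + "'"] for v in sigma}                 # primed part
        for i, old in enumerate(worlds):
            if old == new:                                       # loop closed
                return "SAT", worlds, i, learned
        worlds.append(new)
    raise RuntimeError("iteration bound reached")


# Constructed TST; decision order b < a < c makes the solver try the dead-end
# world {a} first.  From c the next world needs a or b; a world with a needs
# both a and b next, which the universal clause forbids; b persists.
SIGMA = ["b", "a", "c"]
UNIVERSAL = [[("a", False), ("b", False)]]
STEP = [[("c", False), ("a'", True), ("b'", True)],
        [("a", False), ("a'", True)], [("a", False), ("b'", True)],
        [("b", False), ("b'", True)]]
INITIAL_SAT = [[("c", True)]]
INITIAL_UNSAT = [[("a", True)]]
```

With INITIAL_SAT the run extends {c} by the dead-end world {a}, fails to extend that, learns ¬a from the single used assumption a, backtracks over {a}, extends {c} by {b} instead and recognises the repeated world {b} as the loop of the model. With INITIAL_UNSAT the same learned clause ¬a is added over the primed variables of the very first query, which then contradicts the initial clause a and yields unsatisfiability.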

Dealing with the goal clauses

To construct a full model for the given TST, LS4 needs to ensure that the goal clauses are satisfied infinitely many times. Unlike Algorithm 2.3, which relies on a previous saturation and picks a rank (K, L) in advance using the completeness theorem of LPSup (Theorem 2.3), LS4 does not have any prior information about the indices where the goal clauses could be satisfied in the final model. Instead of explicitly looking for a rank and constructing a (K, L)-model, the strategy of LS4 is to greedily assume that every new world along the model sequence could be a goal world, i.e., a world that satisfies the goal clauses, and to update this assumption only when it leads to a conflict.

In more detail, we imagine that the model sequence constructed by LS4 is separated into consecutive blocks of worlds, such that the last world of every block is meant to be a goal world (see Figure 3.1). When the partial model grows to the end of the last block, LS4 allocates a new block of length one and places it at the end of the sequence. This means that it creates a new requirement for satisfying the goal clauses positioned at the immediate next index. When, on the other hand, the current configuration of blocks becomes inconsistent, the algorithm extends the last block by adding one more world to it, thus changing the distance between the last block’s goal world and the other goal worlds. This is the smallest update to the configuration of blocks that can help to dismiss the inconsistency.

Detecting unsatisfiability

Most of the clauses LS4 learns from unsuccessful extensions of the partial model correspond to labeled clauses of LPSup. As will be explained in detail in Section 3.2, LS4 relies on so called marker literals to track dependencies between the learned clauses. For instance, a clause depending on the goal clauses corresponds to a (∗, k)-clause of LPSup. The exact value of k follows in LS4 implicitly from the distance between the index where the clause is learned and the respective goal world.

Inconsistencies manifest themselves as empty clauses. As in LPSup, there are several kinds of empty clauses: while deriving an unconditional empty clause immediately signals unsatisfiability of the input, a conditional empty clause only implies inconsistency of the current assumption about the configuration of the goal worlds and blocks. As already explained, the latter case triggers an update of the configuration and the model construction is resumed. What must be ensured, however, is that the algorithm does not keep deriving conditional empty clauses indefinitely when the input is unsatisfiable.

To prevent this from happening, LS4 follows the same strategy as LPSup. It organizes the equivalent of (∗, k)-clauses into layers and checks for a repetition whenever a new layer clause is derived. Depending on the situation, a detected repetition may either already signal overall unsatisfiability, or it at least triggers the Leap inference. Leaped clauses globally strengthen the goal formula, which forces a backtrack of the partial model from an unpromising part of the search space and ensures overall progress.

Chapter overview

In the following sections we describe the workings of LS4 in full detail. First we explain how to use the mechanism of SAT solving under assumptions to build models in a step-by-step fashion (Section 3.2.1) and how to utilize so called marker literals for tracking dependencies in derivations (Section 3.2.2). We then start the actual presentation of LS4 by declaring the global variables and stating the main invariants maintained by the algorithm (Section 3.3.1). We proceed by giving a detailed pseudocode (Section 3.3.2) and close by correctness (Section 3.3.3) and termination (Section 3.3.4) proofs. The latter proof implicitly entails a doubly-exponential worst-case running time estimate for the algorithm.

We have implemented LS4 (Section 3.4.1) and compared it to alternative approaches to LTL satisfiability on a large set of benchmarks. Our experiments show (Section 3.4.2) that our implementation of LS4 is one of the strongest LTL satisfiability checkers currently available. We close the chapter by discussing the relation of LS4 to saturation with LPSup (Section 3.5.1), to other SAT-based LTL checkers (Section 3.5.2), and to algorithms recently developed for model checking hardware circuits (Section 3.5.3).

This chapter is based on our earlier publication (Suda and Weidenbach, 2012a), but has been thoroughly revised and notably extended.