Two-Phase Quantifier Elimination - Automatic abstraction for bit vectors using decision procedu

The algorithm for quantifier elimination discussed in Chap. 2.2 features the interesting property that it is interruptible. This suggests that it could be applied in case computing the quantifier-free formula is intractable. Approximations may still deliver useful results. However, this property comes at a price. Candidate implicants are computed — in theory, there can be exponentially many of which — and a satisfiability check is then required to filter spurious candidates. The two-phase algorithm presented in this chapter contrasts with the anytime algorithm in that it possesses the “everyone a winner” [183] enumeration property. This means that, rather than enumerating and filtering potential clauses of _{∃X : ϕ, a new clause of} ∃X : ϕ is found on (virtually) each application of a SAT solver. This property is highly desirable, because it couples the computational effort required to compute the quantifier-free version of ϕ with its size.

2.3.1 Worked Example

As before, let ϕ denote a quantifier-free Boolean formula that ranges over sets X and Y of propositional variables. The key idea behind the two-phase method is to first converge onto the set of solutions of the formula_{∃X : ϕ from below using implicants.} The first phase gives a DNF formula Wn

i=1ci equivalent to ∃X : ϕ, followed by a

second phase that converges onto a CNF representation of _{∃X : ϕ from above, based} on Wn

2.3 Two-Phase Quantifier Elimination

Enumerating Implicants

The first step of our method is to enumerate the implicants of ϕ in the projection space. To do so, we first convert ϕ into CNF, for which we introduce a set of Tseitin variables T as before. The T variables are existentially quantified, and the resulting formula ψ in CNF is equisatisfiable to ϕ. Introducing fresh variables ensures that the size of ψ is only a linear multiple of the size of ϕ. As before τ (ψ) refers to the syntactic transformation defined over the variables V = X∪ Y+_{∪ Y}−_{∪ T . Passing}

τ (ψ) to a SAT solver yields a model m1 : V → B, such as:

m1 =    x17→ 1, x2 7→ 0, x3 7→ 1, x47→ 0, x5 7→ 1, x6 7→ 0 y₁+_{7→ 0, y}+₂ _{7→ 0, y}₃+_{7→ 0, y}₄+_{7→ 1, y}+₅ _{7→ 0, y}₆+_{7→ 1} y₁−_{7→ 1, y}−₂ _{7→ 1, y}₃−_{7→ 1, y}₄−_{7→ 0, y}−₅ _{7→ 1, y}₆−_{7→ 0}    The variables in m1∩ (Y+∪ Y−) then define a conjunction of literals, a cube, ρ(m1)

over the variables in Y , which is given as:

ρ(m1) = V{yi| y_i+∈ (m1∩ Y+)} ∧ V{¬yi | y−_i ∈ (m1∩ Y−)}

= (_¬y1∧ ¬y2∧ ¬y3∧ y4∧ ¬y5∧ y6)

The cube ρ(m1) is an implicant of ∃X : ϕ since ρ(m1)|= ∃X : ϕ. It constitutes an

under-approximation of∃X : ϕ since the set of all models of ρ(m1) is a subset of the

set of all models of _{∃X : ϕ. To find another under-approximation, and specifically} one that is not itself entailed by ρ(m1), we augment τ (ψ) with the blocking clause:

β(m1) = W{y−i | y+i ∈ (m1∩ Y+)} ∨ W{yi+| yi−∈ (m1∩ Y−)}

= (y+₁ _{∨ y}₂+_{∨ y}+₃ _{∨ y}₄−_{∨ y}₅+_{∨ y}−₆)

Of course, enumerating implicants in this way dovetails with the advances in incremental SAT. Applying a solver to the augmented formula τ (ψ)0 = τ (ψ)_{∧ β(m}1)

gives another model m2 as follows:

m2 =    x17→ 1, x2 7→ 0, x3 7→ 1, x47→ 0, x5 7→ 1, x6 7→ 0 y₁+_{7→ 0, y}+₂ _{7→ 1, y}₃+_{7→ 0, y}₄+_{7→ 1, y}+₅ _{7→ 0, y}₆+_{7→ 1} y₁−7→ 1, y−2 7→ 0, y3−7→ 1, y4−7→ 0, y−5 7→ 1, y6−7→ 0    The model m2 defines another implicant ρ(m2) = (¬y1∧ y2∧ ¬y3∧ y4∧ ¬y5∧ y6) of

∃X : ϕ, hence ρ(m1)∨ρ(m2)|= ∃X : ϕ. Repeating this strategy to derive implicants

yields an unsatisfiable formula after the fourth step, and thus

W4 i=1ρ(mi) =       

(_¬y1 ∧ ¬y2 ∧ ¬y3 ∧ y4 ∧ ¬y5 ∧ y6) ∨

(¬y1 ∧ y2 ∧ ¬y3 ∧ y4 ∧ ¬y5 ∧ y6) ∨

(y1 ∧ ¬y2 ∧ ¬y3 ∧ y4 ∧ ¬y5 ∧ y6) ∨

2 Existential Quantification as Incremental SAT

satisfies W4

i=1ρ(mi) =∃X : ϕ. However, observe that W4i=1ρ(mi) is in DNF and

also contains redundancies, such as:

ρ(m1)∨ ρ(m2) = (¬y1∧ ¬y3∧ y4∧ ¬y5∧ y6)

Cardinality constraints using sorting networks can — as we have already demon- strated in Chap. 2.1.2 — be used to eliminate such redundancies. Computing implicants using τ`(ψ) rather than τ (ψ) yields a smaller DNF formula, based on

three models m0₁, m0₂, and m0₃:

i=1ρ(m0i) =

  

(_¬y1 ∧ ¬y3 ∧ y4 ∧ ¬y5 ∧ y6) ∨

(y1 ∧ ¬y2 ∧ ¬y3 ∧ y4 ∧ ¬y5 ∧ y6) ∨

(y1 ∧ ¬y2 ∧ y3 ∧ ¬y4 ∧ y5 ∧ ¬y6)

Over-Approximation by Dualization

Recall that we are interested in obtaining CNF, whereas the construction we have presented so far yields formulae in DNF. Direct conversion of a formula in DNF to an equivalent one in CNF may increase the size of the formula exponentially. However, observe that since _{∃X : ϕ =}W3

i=1ρ(m0i), we have:

¬∃X : ϕ = ¬W3

i=1ρ(m0i) =

i=1¬ρ(m0i)

Latter formula can be converted into CNF straightforwardly by pushing negations inward. We can thus reapply the above construction to infer implicants of ¬∃X : ϕ. Given a cube ν such that ν _{|= ¬∃X : ϕ, the contrapositive holds, giving ∃X : ϕ |= ¬ν.} Therefore _{¬ν over-approximates ∃X : ϕ. In order to apply the above method on} the dual of W3

i=1ρ(m0i), we start by negating the formula to give:

¬∃X : ϕ =   

(y1∨ y3∨ ¬y4∨ y5∨ ¬y6) ∧

(_¬y1∨ y2∨ y3∨ ¬y4∨ y5∨ ¬y6) ∧

(_¬y1∨ y2∨ ¬y3∨ y4∨ ¬y5∨ y6)

Denote this formula by ω and apply τ to ω to give:

τ (ω) =    (y−₁ ∨ y3−∨ y4+∨ y+5 ∨ y6+) ∧ (y+₁ _{∨ y}₂−_{∨ y}₃−_{∨ y}+₄ _{∨ y}₅−_{∨ y}+₆) _∧ (y+₁ _{∨ y}₂−_{∨ y}₃+_{∨ y}₄−_{∨ y}₅+_{∨ y}−₆) _{∧ (}V6 i=1¬(yi+∧ y−i ))

We then solve τ1(ω), which is unsatisfiable: ¬W3_i=1ρ(m0i) does not posses implicants

of length 1. Passing τ2(ω) to a SAT solver yields a model m001 as follows:

m00₁ =

y+₁ _{7→ 0, y}₂+_{7→ 1, y}₃+_{7→ 0, y}+₄ _{7→ 0, y}₅+_{7→ 0, y}+₆ _{7→ 0} y−₁ _{7→ 0, y}₂−_{7→ 0, y}₃−_{7→ 0, y}−₄ _{7→ 0, y}₅−_{7→ 0, y}−₆ _{7→ 1}

2.3 Two-Phase Quantifier Elimination

We then extract a cube ρ(m00₁) = (y2∧ ¬y6) from m001. From ρ(m001)|= ¬∃X : ϕ, we

deduce ∃X : ϕ |= ¬ρ(m00

1). Since ρ(m001) is a cube, ¬ρ(m001) clearly is a clause. Thus,

¬ρ(m001) can directly be added to the SAT instance as a blocking clause, denoted

β(m00₁). We add this blocking clause to suppress the cube as before and retrieve a model m00₂ for τ2(ω)∧ β(m001) from the SAT solver:

m00₂ =

y+₁ 7→ 0, y+2 7→ 0, y3+7→ 1, y+4 7→ 0, y5+7→ 0, y6+7→ 1

y−₁ _{7→ 0, y}−₂ _{7→ 0, y}₃−_{7→ 0, y}−₄ _{7→ 0, y}₅−_{7→ 0, y}₆−_{7→ 0}

This model induces a cube ρ(m00₂) = (y3∧ y6). Then, ∃X : ϕ |= ¬ρ(m001)∧ ¬ρ(m002)

and τ2(ω)∧ β(m001)∧ β(m002) is unsatisfiable. We proceed with cubes of length 3 and

solve τ3(ω)∧ β(m001)∧ β(m002), which gives rise to a cube ρ(m003) = (¬y2∧ ¬y5∧ ¬y6).

By adding blocking clauses and enumerating all cubes ρ(m00_i) for i_{∈ {1, . . . , m}, we} could derive a CNF formula Vm

i=1¬ρ(m00i) equivalent to∃X : ϕ.

Relaxed Cubes

However, we can improve on this na¨ıve strategy and produce a denser CNF representation by searching for a shorter sub-cube c0 of ρ(m00₃) which is itself an implicant of ω. The cube c0 that we aim to compute is weaker in the sense that it satisfies:

• vars(c0)_{⊂ vars(ρ(m}00₃)) • sat(ρ(m003))⊂ sat(c0)

Yet, c0 obeys the requirement c0 |= ω. We refer to the computation of such a cube c0

as relaxation or weakening. To do this, let: N = (Y+∪ Y−₎_{\ m}00

= _{y₁+, y−₁, y₂+, y+₃, y₃−, y−₄, y₅+, y+₆_} We then solve τ2(ω) in conjunction with the cube

^{¬y+

i | y+i ∈ N ∩ Y+} ∧^{¬yi−| yi−∈ N ∩ Y−}

which we pass the solver as an assumption. The solver produces a model

m00₄ =

y+₁ 7→ 0, y+2 7→ 0, y3+7→ 0, y+4 7→ 0, y5+7→ 0, y6+7→ 0

y−₁ _{7→ 0, y}−₂ _{7→ 0, y}₃−_{7→ 0, y}−₄ _{7→ 0, y}₅−_{7→ 1, y}₆−_{7→ 1}

which defines ρ(m00₄) = (_¬y5∧ ¬y6); thus¬ρ(m004) = (y5∨ y6)|= ∃X : ϕ. Since

2 Existential Quantification as Incremental SAT

we have m00₃ _{|= m}00₄ and ρ(m₃00)_{|= ρ(m}00₄). We thus discard ρ(m00₃) and proceed with: τ3(ω)∧ β(m001)∧ β(m002)∧ β(m004)

Whenever a fresh cube is discovered, we apply the same strategy to relax it to the most general one that still entails ω. It is interesting to note that an implicant of length ` can be generalized using at most _dlog₂(`)_{e calls to a solver by applying} dichotomic search, although we do not apply this optimization since ` is typically small. Repeatedly applying this generalization scheme, we derive the following minimal (though not unique) CNF representation of _{∃X : ϕ in five more iterations:}

∃X : ϕ =

(_¬y2∨ y6) ∧ (¬y3∨ ¬y6) ∧ (y5∨ y6) ∧ (y3∨ ¬y5) ∧

(y4∨ ¬y6) ∧ (y1∨ y6) ∧ (¬y1∨ ¬y2) ∧ (¬y4∨ y6)

Since the search is exhaustive, this is no longer an over-approximation of the projection, but equivalent to it. Our implementation using MiniSat takes 0.0012s and 0.0009s for the first and second stages of the algorithm, taking 0.0021s overall.

2.3.2 Formal Correctness

To state how to compute an image by enumerating implicants, we formalize the unusual notion of a blocking clause.

Definition 2.4 (Blocking Clause). The map β : CubeX,Y → Cube_∅,Y is defined as:

β(D0) = _{y_i−_{| y}_i−_{∈ D}0_{} ∪ {y}_i+_{| y}_i+_{∈ D}0_}

Theorem 2.1(Correctness). Let ϕ =V{W C | C ∈ F } where F ⊆ ℘(LitV_{) and put}

ϕ0 =_{V{W τ(C) | C ∈ F }. Let D}0₁, . . . , D0_n_{∈ Cube}_∅,Y be a sequence such that • (V D0_k)_{∧ ϕ}0_∧Vk−1

i=1(W β(Di0)) is satisfiable for all 1≤ k ≤ n, and

• ϕ0_∧Vn

i=1(W β(Di0)) is unsatisfiable.

Then, Wn

i=1τ−1(Di0) =∃X : ϕ.

Proof. We prove both statements separately. • Let k ∈ {1, . . . , l}. SinceV D0

k∧ ϕ0∧ (

Vk−1

i=1 β(D0i)) is satisfiable and V Dk0 ∧

ϕ0_{∧ (}Vk−1

i=1 β(D0i))|=V D0k∧ ϕ0, it follows thatV D0k∧ ϕ0 is satisfiable. Hence,

by Cor. 2.1,V τ−1(D0_k)_{|= ∃X : ϕ whence}Wl

In document Automatic abstraction for bit vectors using decision procedures (Page 36-41)