Formalization of Abstract State Transition Systems for SAT
FILIP MARIĆ AND PREDRAG JANIČIĆ
Faculty of Mathematics, University of Belgrade, Studentski Trg 16, 11000 Belgrade
e-mail address: fi[email protected], [email protected]
Abstract.
We present a formalization of modern SAT solvers and their properties in the form of abstract state transition systems. SAT solving procedures are described as transition relations over states that represent the values of the solver's global variables. Several different SAT solvers are formalized, including both the classical DPLL procedure and its state-of-the-art successors. The formalization is made within the Isabelle/HOL system, and the total correctness (soundness, termination, completeness) is shown for each presented system (with respect to a simple notion of satisfiability that can be manually checked). The systems are defined in a general way and cover procedures used in a wide range of modern SAT solvers. Our formalization builds on previous work on state transition systems for SAT, but it gives machine-verifiable proofs, somewhat more general specifications, and weaker assumptions that ensure the key correctness properties. The presented proofs of formal correctness of the transition systems can be used as a key building block in proving correctness of SAT solvers by other verification approaches.

Introduction
The problem of checking propositional satisfiability (SAT) is one of the central problems in computer science. It is the problem of deciding if there is a valuation of variables under which a given propositional formula (in conjunctive normal form) is true. SAT was the first problem proved to be NP-complete [Coo71] and it still holds a central position in the field of computational complexity. SAT solvers, procedures that solve the SAT problem, are successfully used in many practical applications such as electronic design automation, software and hardware verification, artificial intelligence, and operations research.

Most state-of-the-art complete SAT solvers are essentially based on a branch-and-backtrack procedure called Davis-Putnam-Logemann-Loveland or the DPLL procedure [DP60, DLL62]. Modern SAT solvers usually also employ (i) several conceptual, high-level algorithmic additions to the original DPLL procedure, (ii) smart heuristic components, and (iii) better low-level implementation techniques. Thanks to these, spectacular improvements in the performance of SAT solvers have been achieved, and nowadays SAT solvers can decide satisfiability of CNF formulae with tens of thousands of variables and millions of clauses.
Key words and phrases: formal verification, SAT solving, abstract state transition systems, Isabelle/HOL.
LOGICAL METHODS IN COMPUTER SCIENCE, DOI:10.2168/LMCS-7(3:19)2011
© F. Marić and P. Janičić, CC Creative Commons
The tremendous advance in SAT solving technology has not been accompanied by corresponding theoretical results about solver correctness. Descriptions of new procedures and techniques are usually given in terms of implementations, while correctness arguments are either not given or given only in outline. This gap between practical and theoretical progress needs to be reduced, and first steps in that direction have been made only recently, leading to the ultimate goal of having modern SAT solvers that are formally proved correct. That goal is vital since SAT solvers are used in applications that are very sensitive (e.g., software and hardware verification) and their misbehaviour could be both financially expensive and dangerous from the aspect of security. Ensuring trusted SAT solving can be achieved by two approaches.

One approach for achieving a higher level of confidence in SAT solvers' results, successfully used in recent years, is proof-checking [ZM03, GN03, Gel07, WA09, DFMS10]. In this approach, solvers are modified so that they output not only sat or unsat answers, but also justifications for their claims (models for satisfiable instances and proof objects for unsatisfiable instances) that are then checked by independent proof-checkers. Proof-checking is relatively easy to implement, but it has some drawbacks. First, the justification for every solved SAT instance has to be verified separately. Also, generating unsatisfiability proofs introduces some overhead to the solver's running time, proofs are typically large and may consume gigabytes of storage space, and proof-checking itself can be time consuming [Gel07]. Since proof-checkers have to be trusted, they must be very simple programs so that they can be "verified" by code inspection.
On the other hand, in order to be efficient, they must use specialized functionality of the underlying operating system, which reduces the level of their reliability (e.g., the proof checker used in the SAT competitions uses Linux's mmap functionality [Gel07]).

The other approach for having trusted solvers' results is to verify the SAT solver itself, instead of checking each of its claims. This approach is very demanding, since it requires formal analysis of the complete solver's behaviour. In addition, whenever the implementation of the solver changes, the correctness proofs must be adapted to reflect the changes. Still, in practice, the core solving procedure is usually stable and stays fixed, while only heuristic components frequently change. The most challenging task is usually proving the correctness of the core solving procedures, while heuristic components only need to satisfy relatively simple properties that are easily checked. This approach also gives the following benefits:
• Although the overheads of generating unsatisfiability proofs during solving are not unmanageable, in many applications they can be avoided if the solver itself is trusted.
• Verification of modern SAT solvers could help in better theoretical understanding of how and why they work. A rigorous analysis and verification of modern SAT solvers may reveal some possible improvements in underlying algorithms and techniques which can influence and improve other solvers as well.
• Verified SAT solvers can serve as trusted kernel checkers for verifying results of other untrusted verifiers such as BDDs, model checkers, and SMT solvers. Also, verification of some SAT solver modules (e.g., Boolean constraint propagation) can serve as a basis for creating both verified and efficient proof-checkers for SAT.

(Footnote: Alternatively, proof-checkers could be formally verified by a proof assistant, and then their correctness would rely on the correctness of the proof assistant.)
(Footnote: In some applications, proofs of unsatisfiability are still necessary as they are used, for example, for extracting unsatisfiable cores and interpolants.)
(Figure 1 here. It depicts three verification approaches and their correctness conditions: abstract state transition systems, given by rules, invariants, and a termination ordering over propositional logic; Hoare style verification, given by preconditions and postconditions over an implementation in an imperative language; and shallow embedding, given by functions and invariants over a trusted implementation in a functional language.)
Figure 1: Different approaches for SAT solver verification

In order to prove correctness of a SAT solver, it has to be formalized in some meta-theory so that its properties can be analyzed in a rigorous mathematical manner. In order to achieve the desired highest level of trust, formalization in a classical "pen-and-paper" fashion is not satisfactory and, instead, a mechanized and machine-checkable formalization is preferred. The formal specification of a SAT solver can be made in several ways (illustrated in Figure 1), each with an appropriate verification paradigm and each having its own advantages and disadvantages, described in the following text.
Verification of abstract state transition systems:
State transition systems are an abstract and purely mathematical way of specifying program behaviour. Using this approach, the SAT solver's behaviour is modelled by transitions between states that represent the values of the solver's global variables. Transitions can be made only by following precisely defined transition rules. Proving correctness of state transition systems can be performed by the standard mathematical apparatus. There are state transition systems describing the top-level architecture of modern DPLL-based SAT solvers (and related SMT solvers) [KG07, NOT06], and their correctness has been informally shown.

The main advantage of abstract state transition systems is that they are mathematical objects, so it is relatively easy to formalize them within higher-order logic and to formally reason about them. Also, their verification can be a key building block for other verification approaches. Disadvantages are that the transition systems do not specify many details present in modern solver implementations and that they are not directly executable.
Verified implementation within a proof assistant:
A program's behaviour can be specified within the higher-order logic of a proof assistant (regarded as a purely functional programming language). This approach is often called shallow embedding into HOL. Specifications may vary from very abstract ones to detailed ones covering most details present in the real SAT solver's code. The level of detail can be increased incrementally (e.g., by using datatype refinement). Having the specification inside the logic, its correctness can again be proved by using the standard mathematical apparatus (mainly induction and equational reasoning). Based on the specification, executable functional programs can be generated by means of code extraction: the term language of the logic within the proof assistant is identified with the term language of the target language, and the verified program correctness is transferred to the exported program, up to simple transformation rules.
Advantages of using the shallow embedding are that, once the solver is defined within the proof assistant, it is possible to verify it directly inside the logic, and a formal model of the operational or denotational semantics of the language is not required. Also, the extracted executable code can be trusted with a very high level of confidence. On the other hand, the approach requires building a fresh implementation of a SAT solver within the logic. Also, since higher-order logic is a pure functional language, it is not well suited to modelling imperative data structures and their destructive updates. Special techniques must be used to have mutable data structures and, consequently, efficient generated code [BKH+].

Verification of the real implementations:
The most demanding approach for verifying a SAT solver is to directly verify the full real-world solver code. Since SAT solvers are usually implemented in imperative programming languages, verifying the correctness of an implementation can be done using the framework of Hoare logic [Hoa69], a formal system for reasoning about programs written in imperative programming languages. The program behaviour can then be described in terms of preconditions and postconditions for pieces of code. Proving the program correctness is done by formulating and proving verification conditions. For instance, Isabelle/HOL provides a formal verification environment for sequential imperative programs [Sch06].

The main benefit of using Hoare style verification is that it enables reasoning about the imperative code, which is the way most real-world SAT solvers are implemented. However, since real code is overwhelmingly complex, simpler approximations are often made and given in pseudo-programming languages. This can significantly simplify the implementation, but leaves a gap between the correctness proof and the real implementation.

In this paper we focus on the first verification approach, as it is often suitable to separate the verification of the abstract algorithms from that of their specific implementations. In addition, state transition systems, as the most abstract specifications, cover the widest range of existing SAT solver implementations. Moreover, the reasoning used in verifying abstract state transition systems for SAT can serve as a key building block in verification of more detailed descriptions of SAT solvers using the other two approaches described above (as illustrated by Figure 1). Indeed, within our SAT verification project [MJ09], we have already applied these two approaches [Mar09, Mar10, MJ10], and in both cases the correctness arguments were mainly reduced to correctness of the corresponding abstract state transition systems.
These transition systems and their correctness proofs are presented in this paper for the first time, after they evolved to some extent through application within the other two verification approaches. (Footnote: A recent example is the L4 verified OS kernel, where a shallowly embedded Haskell specification of the kernel is verified, and then the C code is shown to implement the Haskell specification, yielding a natural separation of concepts and issues [Kle10].)

The methodology that we use in this paper for the formalization of SAT solvers via transition systems is incremental refinement: the formalization begins with a most basic specification, which is then refined by introducing more advanced techniques, while preserving the correctness. This incremental approach proves to be a very natural approach to formalizing complex software systems. It simplifies understanding of the system and reduces the overall verification effort. Each of the following sections describes a separate abstract state transition system. Although, formally viewed, all these systems are independent, each new system extends the previous one and there are tight connections between
them. Therefore, we do not expose each new system from scratch, but only give additions to the previous one. We end up with a system that rather precisely describes modern SAT solvers, including advanced techniques such as backjumping, learning, conflict analysis, forgetting and restarting. The systems presented are related to existing solvers, their abstract descriptions and informal correctness proofs.

The paper is accompanied by a full formalization developed within the Isabelle/HOL proof assistant. The full version of the paper contains an appendix with informal proofs of all lemmas used. All definitions, lemmas, theorems and proofs of top-level statements given in the paper correspond to their Isabelle counterparts, and are given here in a form accessible not only to Isabelle users, but to a wider audience.

The main challenge in each large formalization task is to define the basic relevant notions in appropriate terms, and to build a relevant theory and a suitable hierarchy of lemmas that facilitates constructing top-level proofs. Although in this paper we do not discuss all decisions made in the above directions, the final presented material is supposed to give the main motivating ideas and, implicitly, to illustrate the proof management technology that was used. The main purpose of the paper is to give a clear picture of central ideas relevant for verification of SAT transition systems, hopefully interesting both to SAT developers and to those involved in formalization of mathematics.

The main contributions of this paper are the following.
• The SAT solving process is introduced by a hierarchical series of abstract transition systems, ending with the state-of-the-art system.
• Formalization and mechanical verification of properties of the abstract transition systems for SAT are performed (within this, invariants and well-founded relations relevant for termination are clearly given; conditions for soundness, completeness, and termination are clearly separated). Taking advantage of this formalization, different real-world SAT solvers can be verified, using different verification approaches.
• First proofs (either informal or formal) of some properties of modern SAT solvers (e.g., a termination condition for frequent restarting) are given, providing deeper understanding of the solving process.

The rest of the paper is organized as follows: In Section 2, some background on SAT solving, abstract state transition systems, and especially abstract state transition systems for SAT is given. In Section 3, basic definitions and examples of propositional logic and CNF formulae are given. In Section 4, a system corresponding to basic DPLL search is formalized. In Section 5, that system is modified and backtracking is replaced by more advanced backjumping. In Section 6, the system is extended by clause learning and forgetting. In Section 7 and Section 8, a system with conflict analysis and a system with restarting and forgetting are formalized. In Section 9, we discuss related work and our contributions. In Section 10, final conclusions are drawn.

2. Background
In this section we give a brief, informal overview of the SAT solving process, abstract state transition systems, and abstract state transition systems for SAT. The paper does not intend to be a tutorial on modern DPLL-based SAT solving techniques: the rest of the paper contains only some brief explanations and assumes the relevant background knowledge (more details and tutorials on modern SAT solving technology can be found in other sources, e.g., [BHMW09, Mar09]). (Footnote: The whole presented formalization is available from the AFP [Mar08] and, in its latest version, from http://argo.matf.bg.ac.rs. The full version of the paper is available from http://argo.matf.bg.ac.rs.)

2.1. SAT Solving.
SAT solvers are decision procedures for the satisfiability problem for propositional formulae in conjunctive normal form (CNF). State-of-the-art SAT solvers are mainly based on a branch-and-backtrack procedure called DPLL (Davis-Putnam-Logemann-Loveland) [DP60, DLL62] and its modern successors. The original DPLL procedure (shown in Figure 2) combines backtrack search with some basic, but efficient inference rules.

function dpll (F : Formula) : (SAT, UNSAT)
begin
  if F is empty then return SAT
  else if there is an empty clause in F then return UNSAT
  else if there is a pure literal l in F then return dpll (F[l → ⊤])
  else if there is a unit clause [l] in F then return dpll (F[l → ⊤])
  else begin
    select a literal l occurring in F
    if dpll (F[l → ⊤]) = SAT then return SAT
    else return dpll (F[l → ⊥])
  end
end

Figure 2: The original DPLL procedure

The search component selects a branching literal l occurring in the formula F, and tries to satisfy the formula obtained by replacing l with ⊤ and simplifying afterwards. If the simplified formula is satisfiable, so is the original formula F. Otherwise, the formula obtained from F by replacing l with ⊥ and simplifying afterwards is checked for satisfiability, and it is satisfiable if and only if the original formula F is satisfiable. This process stops if the formula contains no clauses or if it contains an empty clause. A very important aspect of the search process is the strategy for selecting literals for branching: while not important for the correctness of the procedure, this strategy can have a crucial impact on efficiency.

The simple search procedure is enhanced with several simple inference mechanisms. The unit clause rule is based on the fact that if there is a clause with a single literal present in F, its literal must be true in order to satisfy the formula (so there is no need for branching on that literal).
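As an illustration, the procedure of Figure 2 can be sketched in executable form. This is our own minimal sketch, not part of the paper's formalization: literals are encoded as nonzero integers (a negative integer denotes the opposite literal), and the helper name `simplify` is our choice.

```python
def simplify(formula, lit):
    """Assign lit := true: drop satisfied clauses, remove -lit from the rest."""
    out = []
    for c in formula:
        if lit in c:
            continue            # clause satisfied, drop it
        out.append(c - {-lit})  # opposite literal can no longer help
    return out

def dpll(formula):
    """Original DPLL on a list of frozensets of integer literals.
    Returns True iff the formula is satisfiable."""
    if not formula:
        return True                         # no clauses: SAT
    if frozenset() in formula:
        return False                        # empty clause: UNSAT
    lits = {l for c in formula for l in c}
    pure = next((l for l in lits if -l not in lits), None)
    if pure is not None:                    # pure literal rule
        return dpll(simplify(formula, pure))
    unit = next((next(iter(c)) for c in formula if len(c) == 1), None)
    if unit is not None:                    # unit clause rule
        return dpll(simplify(formula, unit))
    l = next(iter(lits))                    # branch on some literal
    return dpll(simplify(formula, l)) or dpll(simplify(formula, -l))
```

For example, `dpll([frozenset({1, 2}), frozenset({-1, 2}), frozenset({-2})])` returns `False`, since the three clauses are jointly unsatisfiable.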
The pure literal rule is based on the fact that if a literal occurs in the formula but its opposite literal does not, then, if the formula is satisfiable, that literal is true in one of its models. These two rules are not necessary for completeness, although they have a significant impact on efficiency.

Passing valuations instead of modifying the formula.
In the original DPLL procedure, the formula considered is passed as a function argument, and modified throughout recursive calls. This is unacceptably inefficient for huge propositional formulae, and can be replaced by a procedure that maintains a current (partial) valuation M and, rather than modifying the formula, keeps the formula constant and checks its value against the current valuation (see Figure 3). The inference rules used in the original procedure must be adapted to fit this variant of the algorithm. The unit clause rule then states that if there is a clause in F such that all its literals, except exactly one, are false in M, and that literal is undefined in M, then this literal must be added to M in order to satisfy this clause. The pure literal rule turns out to be too expensive in this context, so modern solvers typically do not use it.

function dpll (M : Valuation) : (SAT, UNSAT)
begin
  if M ⊨ ¬F then return UNSAT
  else if M is total wrt. the variables of F then return SAT
  else if there is a unit clause (i.e., a clause l ∨ l₁ ∨ . . . ∨ lₖ in F s.t. l, ¬l ∉ M, ¬l₁, . . . , ¬lₖ ∈ M) then return dpll (M ∪ {l})
  else begin
    select a literal l s.t. l ∈ F, l, ¬l ∉ M
    if dpll (M ∪ {l}) = SAT then return SAT
    else return dpll (M ∪ {¬l})
  end
end

Figure 3: DPLL procedure with valuation passing
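The valuation-passing variant of Figure 3 admits a similarly small sketch (again with literals as nonzero integers; `dpll_v` is a hypothetical name of our own, and the formula F is kept fixed while only the partial valuation grows):

```python
def dpll_v(F, M=frozenset()):
    """DPLL with a fixed formula F and a growing partial valuation M."""
    M = set(M)
    # some clause has all its literals false in M: conflict
    if any(all(-l in M for l in c) for c in F):
        return False
    vars_F = {abs(l) for c in F for l in c}
    # M is total wrt. the variables of F and no clause is false: SAT
    if all(v in M or -v in M for v in vars_F):
        return True
    # unit clause rule: all literals but one false, that one undefined
    for c in F:
        undef = [l for l in c if l not in M and -l not in M]
        if len(undef) == 1 and all(-l in M for l in c if l not in undef):
            return dpll_v(F, M | {undef[0]})
    # branch on an undefined literal
    l = next(l for c in F for l in c if l not in M and -l not in M)
    return dpll_v(F, M | {l}) or dpll_v(F, M | {-l})
```

Note that the formula is only ever inspected, never rewritten, which is the key difference from the procedure of Figure 2.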
Non-recursive implementation.
To gain efficiency, modern SAT solvers implement DPLL-like procedures in a non-recursive fashion. Instead of passing arguments through recursive calls, both the current formula F and the current partial valuation M are kept as global objects. The valuation acts as a stack and is called the assertion trail. Since the trail represents a valuation, it must not contain repeated or opposite literals (i.e., it is always distinct and consistent). Literals are added to the stack top (asserting) or removed from the stack top (backtracking). The search begins with an empty trail. During the solving process, the solver selects literals undefined in the current trail M and asserts them, marking them as decision literals. Decision literals partition the trail into levels, and the level of a literal is the number of decision literals that precede that literal in the trail. After each decision, unit propagation is exhaustively applied and unit literals are asserted to M, but as implied literals (since they are not arbitrary decisions). This process repeats until either (i) a clause in F is found which is false in the current trail M (this clause is called a conflict clause) or (ii) all the literals occurring in F are defined in M and no conflict clause is found in F. In case (i), a conflict reparation (backtracking) procedure must be applied. In the basic variant of the conflict reparation procedure, the last decision literal l and all literals after it are removed from M, and the opposite literal of l is asserted, also as an implied literal. If there is no decision literal in M when a conflict is detected, then the formula F is unsatisfiable. In case (ii), the formula is found to be satisfiable and M is its model.
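The assertion trail and its decision levels can be sketched as a small data structure. This is our own illustration, not the paper's formalization; we adopt the common convention that a decision literal is counted at its own level.

```python
class Trail:
    """Assertion trail: a stack of (literal, is_decision) pairs."""

    def __init__(self):
        self.entries = []

    def __contains__(self, lit):
        return any(l == lit for l, _ in self.entries)

    def assert_literal(self, lit, decision):
        # the trail stays distinct and consistent
        assert lit not in self and -lit not in self
        self.entries.append((lit, decision))

    def current_level(self):
        return sum(1 for _, d in self.entries if d)

    def level(self, lit):
        """Decision level of lit: decisions up to and including lit."""
        lvl = 0
        for l, d in self.entries:
            lvl += d
            if l == lit:
                return lvl
        return None

    def backtrack_to(self, m):
        """Pop all literals asserted above decision level m."""
        while self.entries and self.current_level() > m:
            self.entries.pop()
```

For instance, after asserting 1 as a decision, 2 as implied, and 3 as a decision, literal 2 is at level 1 and literal 3 at level 2; `backtrack_to(1)` removes 3 but keeps 1 and 2.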
For almost half of a century, DPLL-based SAT proce-dures have undergone various modifications and improvements. Accounts of the evolutionof SAT solvers can be found in recent literature [BHMW09, GKSS07]. Early SAT solversbased on DPLL include Tableau (NTAB), POSIT, 2cl and CSAT, among others. In themid 1990’s, a new generation of solvers such as GRASP [MSS99], SATO [Zha97], Chaff[MMZ + conflict drivenbackjumping , first proposed in the Constraint Satisfaction Problem (CSP) domain [BHZ06].Once a conflict is detected, a conflict analysis procedure finds sequence of decisions (often F. MARI´C AND P. JANIˇCI´C buried deeper in the trail) that eventually led to the current conflict. Conflict analysis canbe described in terms of graphs and the backjump clauses are constructed by traversinga graph called implication graph [MSS99]. The process can also be described in termsof resolution that starts from the conflict clause and continues with clauses that causedunit propagation of literals in that clause [ZM02]. There are several strategies for conflictanalysis, leading to different backjump clauses [BHMW09]. Most conflict analysis strategiesare based on the following scheme:(1) Conflict analysis starts with a conflict clause (i.e., the clause from F detected to befalse in M ). The conflict analysis clause C is set to the conflict clause.(2) Each literal from the current conflict analysis clause C is false in the current trail M and is either a decision literal or a result of a propagation. For each propagated literal l it is possible to find a clause (reason clause) that caused l to be propagated. Thepropagated literals from C are then replaced (it will be said explained ) by remainingliterals from their reason clauses. The process of conflict analysis then continues.The described procedure continues until some termination condition is met, and the back-jump clause is then constructed. 
Thanks to conflict driven backjumping, a lot of unnecessary work can be saved compared to the simple backtrack operation. Indeed, simple backtracking would have to consider all combinations of values for all decision literals between the backjump point and the last decision, while they are all irrelevant for the particular conflict.

The result of conflict analysis is usually a clause that is a logical consequence of F and that explains a particular conflict that occurred. If this clause is added to F, then this type of conflict can never occur again during the search (even in some other contexts, i.e., in some other parts of the search space). This is why solvers usually perform clause learning and append (redundant) deduced clauses to F. However, if the formula F becomes too large, some clauses have to be forgotten. Conflict driven backjumping with clause learning was first incorporated into a SAT solver in the mid 1990's by Silva and Sakallah in GRASP [MSS99] and by Bayardo and Schrag in rel_sat [BS97]. DPLL-based SAT solvers employing conflict driven clause learning are often called CDCL solvers.

Another significant improvement is to empty the trail and restart the search from time to time, in the hope that the search will restart in an easier part of the search space. Randomized restarts were introduced by Gomes et al. [GSK98] and further developed by Baptista and Marques-Silva [BMS00].

One of the most demanding operations during solving is the detection of false and unit clauses. Whenever a literal is asserted, the solver must check F for their presence. To aid this operation, smart data structures with corresponding implementations are used. One of the most advanced is the two-watched literal scheme, introduced by Moskewicz et al. in their solver zChaff [MMZ+].

2.2. Abstract State Transition Systems.
An abstract state transition system for an imperative program consists of a set of states S describing possible values of the program's global variables and a binary transition relation → ⊆ S × S. The transition relation is usually the union of smaller transition relations →ᵢ, called the transition rules. If s →ᵢ s′ holds, we say that the rule i has been applied to the state s and the state s′ has been obtained. Transition rules are denoted as:
Rulename:
    cond₁    . . .    condₖ
    ───────────────────────
            effect

Above the line are the conditions cond₁, . . . , condₖ that the state s must meet in order for the rule to be applicable, and the effect denotes the effect that must be applied to the components of s in order to obtain s′. More formally, transition rules can be defined as relations over states:

    Rulename s s′  iff  φ

where φ denotes a formula that describes the conditions on s that have to be met and the relationship between s and s′.

Some states are distinguished as initial states. An initial state usually depends on the program input. A state is a final state if no transition rules can be applied to it. Some states (not necessarily final) are distinguished as the outcome states, carrying certain resulting information. If a program terminates in a final outcome state, it emits a result determined by this state. For a decision procedure (such as a SAT solver), there are only two possible outcomes: yes (sat) or no (unsat). A state transition system is considered to be correct if it has the following properties:

Termination: from each initial state s₀, the execution eventually reaches a final state (i.e., there are no infinite chains s₀ → s₁ → . . .).
Soundness: the program always gives correct answers, i.e., if the program, starting with an input I from an initial state s₀, reaches a final outcome state with a result O, then O is the desired result for the input I.
Completeness: the program always gives an answer if it terminates, i.e., all final states are outcome states.
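The notions just introduced (rules as guarded partial transitions, final states, termination) can be made concrete with a small executable sketch. The toy subtraction-based gcd system and all names in it are our own illustration, not part of the paper's formalization.

```python
def run(state, rules):
    """Apply the first applicable rule until no rule applies.

    Each rule is a partial function: it returns a successor state,
    or None when its side conditions do not hold in `state`.
    """
    while True:
        for rule in rules:
            successor = rule(state)
            if successor is not None:
                state = successor
                break
        else:
            return state        # no rule applicable: a final state

# Toy system over states (a, b): two guarded transition rules whose
# final states compute gcd(a, b) by repeated subtraction.
def sub_a(s):
    a, b = s
    return (a - b, b) if a > b > 0 else None

def sub_b(s):
    a, b = s
    return (a, b - a) if b > a > 0 else None
```

Here `run((12, 8), [sub_a, sub_b])` reaches the final state `(4, 4)`; termination follows because `a + b` strictly decreases with every rule application, a well-founded ordering argument of exactly the kind used for the SAT systems in this paper.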
2.3. Abstract State Transition Systems for SAT.
Two transition rule systems that model DPLL-based SAT solvers and related SMT solvers have been published recently. Both systems form a basis of the formalization described in this paper. The system of Krstić and Goel [KG07] gives a more detailed description of some parts of the solving process (particularly the conflict analysis phase) than the one given by Nieuwenhuis, Oliveras and Tinelli [NOT06], so we present its rules in Figure 4. In this system, along with the formula F and the trail M, the state of the solver is characterized by the conflict analysis set C that is either a set of literals (i.e., a clause) or the distinguished symbol no_cflct. Input to the system is an arbitrary set of clauses F₀. The solving starts from an initial state in which F = F₀, M = [ ], and C = no_cflct.

The Decide rule selects a literal from a set of decision literals L and asserts it to the trail as a decision literal. The set L is typically just the set of all literals occurring in the input formula. However, in some cases a smaller set can be used (based on some specific knowledge about the encoding of the input formula). Also, there are cases when this set is in fact larger than the set of all variables occurring in the input formula. The
UnitPropag rule asserts a unit literal l to the trail M as an implied literal. This reduces the search space, since only one valuation for l is considered. (Footnote: For example, the standard DIMACS format for SAT requires specifying the number of variables and the clauses that make up the formula, without guarantees that every variable eventually occurs in the formula.)
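Checking the applicability conditions of UnitPropag, and of the Conflict rule below, amounts to classifying each clause against the current trail. A minimal sketch (our own illustration: the trail is encoded as a set of integer literals, and `clause_status` is a hypothetical helper name):

```python
def clause_status(clause, M):
    """Classify a clause wrt. trail M (a set of asserted literals):
    ('true', None), ('false', None), ('unit', l) or ('unresolved', None)."""
    if any(l in M for l in clause):
        return ("true", None)               # some literal already true
    undef = [l for l in clause if -l not in M]
    if not undef:
        return ("false", None)              # Conflict rule applicable
    if len(undef) == 1:
        return ("unit", undef[0])           # UnitPropag rule applicable
    return ("unresolved", None)
```

For example, with M = {1, -2}, the clause ¬1 ∨ 2 ∨ 3 is unit with unit literal 3, and the clause ¬1 ∨ 2 is false.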
Decide:
    l ∈ L        l, ¬l ∉ M
    ──────────────────────
    M := M l^d

UnitPropag:
    l ∨ l₁ ∨ . . . ∨ lₖ ∈ F        ¬l₁, . . . , ¬lₖ ∈ M        l, ¬l ∉ M
    ──────────────────────
    M := M l^i

Conflict:
    C = no_cflct        l₁ ∨ . . . ∨ lₖ ∈ F        ¬l₁, . . . , ¬lₖ ∈ M
    ──────────────────────
    C := {l₁, . . . , lₖ}

Explain:
    l ∈ C        ¬l ∨ l₁ ∨ . . . ∨ lₖ ∈ F        ¬l₁, . . . , ¬lₖ ≺ ¬l
    ──────────────────────
    C := C ∪ {l₁, . . . , lₖ} \ {l}

Learn:
    C = {l₁, . . . , lₖ}        l₁ ∨ . . . ∨ lₖ ∉ F
    ──────────────────────
    F := F ∪ {l₁ ∨ . . . ∨ lₖ}

Backjump:
    C = {l, l₁, . . . , lₖ}        l ∨ l₁ ∨ . . . ∨ lₖ ∈ F        level ¬l > m ≥ level ¬lᵢ
    ──────────────────────
    C := no_cflct        M := M[m] l^i

Forget:
    C = no_cflct        c ∈ F        F \ c ⊨ c
    ──────────────────────
    F := F \ c

Restart:
    C = no_cflct
    ──────────────────────
    M := M[0]

Figure 4: Transition system for SAT solving by Krstić and Goel (lᵢ ≺ lⱼ denotes that the literal lᵢ precedes lⱼ in M, l^d denotes a decision literal, l^i an implied literal, level l denotes the decision level of a literal l in M, and M[m] denotes the prefix of M up to the level m).

The Conflict rule is applied when a conflict clause is detected. It initializes the conflict analysis and reparation procedure by setting C to the set of literals of the conflict clause. This set is further refined by successive applications of the Explain rule, which essentially performs a resolution between the clause C and the clause that is the reason for the propagation of its literal l. During the conflict analysis procedure, the clause C can be added to F by the Learn rule. However, this is usually done only once: when there is exactly one literal in C present at the highest decision level of M. In that case, the Backjump rule can be applied. It resolves the conflict by backtracking the trail to a level (usually the lowest possible) such that C becomes a unit clause with a unit literal l. In addition, unit propagation of l is performed.

The Forget rule eliminates clauses. Namely, because of the learning process, the number of clauses in the current formula increases.
When it becomes too large, detecting false and unit clauses becomes too demanding, so from time to time it is preferable to delete from F some clauses that are redundant. Typically, only learnt clauses are forgotten (as they are always redundant).

3. Underlying Theory
As a framework for our formalization, higher-order logic is used, in a similar way as in the system Isabelle/HOL [NPW02]. Formulae and logical connectives of this logic (∧, ∨, ¬, −→, ←→) are written in the standard way. Equality is denoted by =. Function applications are written in prefix form, as in f x₁ … xₙ. Existential quantification is denoted by ∃x. … and universal quantification by ∀x. …

In this section we introduce the definitions necessary for the notion of satisfiability and for the notions used in SAT solving. Most of the definitions are simple and technical, so we give them in a very dense form. They make the paper self-contained and can be used just for reference. The correctness of the whole formalization effort eventually relies on the definition of satisfiable formulae, which is rather straightforward and easily checked by human inspection.

3.1. Lists, Multisets, and Relations.
We assume that the notions of ordered pairs, lists and (finite) sets are defined within the theory. Relations and their extensions are used primarily in the context of ordering relations and the proofs of termination. We will use the standard syntax and semantics of these types and their operations. However, to aid our formalization, some additional operations are introduced.
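As an illustration of the kind of auxiliary operations involved (anticipating Definition 3.1 below), here is a minimal executable sketch, assuming elements are stored in plain Python lists; the names mirror the paper's functions and are otherwise hypothetical.

```python
# A sketch of the list operations of Definition 3.1 (firstPos, prefixTo,
# prefixBefore, precedence, and the prefix relation), over Python lists.

def first_pos(e, l):
    # zero-based index of the first occurrence of e, or len(l) if absent
    return l.index(e) if e in l else len(l)

def prefix_to(e, l):
    # all elements preceding the first occurrence of e, including e
    return l[:first_pos(e, l) + 1]

def prefix_before(e, l):
    # all elements preceding the first occurrence of e, not including e
    return l[:first_pos(e, l)]

def precedes(e1, e2, l):
    # e1 precedes e2: both occur and e1's first position is smaller
    return e1 in l and e2 in l and first_pos(e1, l) < first_pos(e2, l)

def is_prefix(p, l):
    # p <= l iff l = p @ s for some list s
    return l[:len(p)] == p

xs = [3, 1, 4, 1, 5]
assert first_pos(1, xs) == 1 and first_pos(9, xs) == 5
assert prefix_to(4, xs) == [3, 1, 4]
assert prefix_before(4, xs) == [3, 1]
assert precedes(3, 5, xs) and not precedes(5, 3, xs)
assert is_prefix([3, 1], xs)
```

The sketch is only meant to fix intuitions; in the formalization these operations are defined over Isabelle/HOL lists.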
Definition 3.1 (Lists related).
• The first position of an element e in a list l, denoted firstPos e l, is the zero-based index of the first occurrence of e in l if it occurs in l, or the length of l otherwise.
• The prefix to an element e of a list l, denoted by prefixTo e l, is the list consisting of all elements of l preceding the first occurrence of e (including e).
• The prefix before an element e of a list l, denoted by prefixBefore e l, is the list of all elements of l preceding the first occurrence of e (not including e).
• An element e₁ precedes an element e₂ in a list l, denoted by e₁ ≺_l e₂, if both occur in l and the first position of e₁ in l is less than the first position of e₂ in l.
• A list p is a prefix of a list l (denoted by p ≤ l) if there exists a list s such that l = p @ s.

Definition 3.2 (Multiset). A multiset over a type X is a function S mapping X to the natural numbers. A multiset is finite if the set {x | S(x) > 0} is finite. The union of multisets S₁ and S₂ is the function defined by (S₁ ∪ S₂)(x) = S₁(x) + S₂(x).

Definition 3.3 (Relations related).
• The composition of two relations ρ₁ and ρ₂ is denoted by ρ₁ ∘ ρ₂. The n-th power of a relation ρ is denoted by ρⁿ. The transitive closure of ρ is denoted by ρ⁺, and the transitive and reflexive closure of ρ by ρ*.
• A relation ≻ is well-founded iff: ∀P. ((∀x. (∀y. x ≻ y −→ P(y)) −→ P(x)) −→ (∀x. P(x)))
• If ≻ is a relation on X, then its lexicographic extension ≻lex is a relation on lists of X, defined by: s ≻lex t iff (∃r. t = s @ r ∧ r ≠ [ ]) ∨ (∃r s′ t′ a b. s = r @ [a] @ s′ ∧ t = r @ [b] @ t′ ∧ a ≻ b)
• If ≻ is a relation on X, then its multiset extension ≻mult is a relation defined over finite multisets over X (denoted by ⟨x₁, …, xₙ⟩). The relation ≻mult is the transitive closure of the relation ≻mult₁, defined by: S₁ ≻mult₁ S₂ iff ∃S S′ s. S₁ = S ∪ ⟨s⟩ ∧ S₂ = S ∪ S′ ∧ ∀s′. s′ ∈ S′ −→ s ≻ s′
• Let ≻x and ≻y be relations over X and Y.
Their lexicographic product, denoted by ≻x ⟨*lex*⟩ ≻y, is a relation ≻ on X × Y such that (x₁, y₁) ≻ (x₂, y₂) iff x₁ ≻x x₂ ∨ (x₁ = x₂ ∧ y₁ ≻y y₂).
• Let ≻x be a relation on X, and for each x ∈ X let ≻x_y be a relation over Y (i.e., let λx. ≻x_y be a function mapping X to relations on Y). Their parametrized lexicographic product, denoted by ≻x ⟨*lexp*⟩ ≻x_y, is a relation ≻ on X × Y such that (x₁, y₁) ≻ (x₂, y₂) iff x₁ ≻x x₂ ∨ (x₁ = x₂ ∧ y₁ ≻x₁_y y₂).

Proposition 3.4 (Properties of well-founded relations).
• A relation ≻ is well-founded iff ∀Q. (∃a. a ∈ Q) −→ (∃a_min ∈ Q. ∀a′. a_min ≻ a′ −→ a′ ∉ Q)
• Let f be a function and ≻ and ≻′ relations such that x ≻ y −→ f x ≻′ f y. If ≻′ is well-founded, then so is ≻.
• If ≻ is well-founded, then so is ≻mult.
• Let ≻x be a well-founded relation on X and for each x ∈ X let ≻x_y be a well-founded relation on Y. Then ≻x ⟨*lexp*⟩ ≻x_y is well-founded.

3.2. Logic of CNF formulae.

Definition 3.5 (Basic types).
Variable: a natural number
Literal: either a positive variable (Pos vbl) or a negative variable (Neg vbl)
Clause: a list of literals
Formula: a list of clauses
Valuation: a list of literals
Trail: a list of (Literal, bool) pairs

For the sake of readability, we will sometimes omit types and use the following naming convention: literals (i.e., variables of the type
Literal) are denoted by l (e.g., l, l′, l₀, l₁, l₂, …), variables by vbl, clauses by c, formulae by F, valuations by v, and trails by M.

Note that, in order to be closer to implementation (and to the standard solver input format — DIMACS), clauses and formulae are represented using lists instead of sets (a more detailed discussion of this issue is given in Section 9). Although a trail is not a list of literals (but rather a list of (Literal, bool) pairs), for simplicity we will often identify it with its list of underlying literals, and we will treat trails as valuations. In addition, a trail can be implemented not only as a list of (Literal, bool) pairs but in some other equivalent way.

We abuse the notation and overload some symbols. For example, the symbol ∈ denotes both set membership and list membership, and it is also used to denote that a literal occurs in a formula. The symbol vars is also overloaded and denotes the set of variables occurring in a clause, in a formula, or in a valuation.

(Note that the lexicographic product can be regarded as a special case of the parametrized lexicographic product, where the same ≻y is used for each x ∈ X.)

Definition 3.6 (Literals and clauses related).
• The opposite literal of a literal l, denoted by l̄, is defined by: the opposite of Pos vbl is Neg vbl, and the opposite of Neg vbl is Pos vbl.
• A formula F contains a literal l (i.e., a literal l occurs in a formula F), denoted by l ∈ F, iff ∃c. c ∈ F ∧ l ∈ c.
• The set of variables that occur in a clause c is denoted by vars c. The set of variables that occur in a formula F is denoted by vars F. The set of variables that occur in a valuation v is denoted by vars v.
• The resolvent of clauses c₁ and c₂ over the literal l, denoted resolvent c₁ c₂ l, is the clause (c₁ \ l) @ (c₂ \ l̄).
• A clause c is a tautological clause, denoted by clauseTautology c, if it contains both a literal and its opposite (i.e., ∃l. l ∈ c ∧ l̄ ∈ c).
• The conversion of a valuation v to a formula, denoted by ⟨v⟩, is the list that contains all single literal clauses made of literals from v.

Definition 3.7 (Semantics).
• A literal l is true in a valuation v, denoted by v ⊨ l, iff l ∈ v. A clause c is true in a valuation v, denoted by v ⊨ c, iff ∃l. l ∈ c ∧ v ⊨ l. A formula F is true in a valuation v, denoted by v ⊨ F, iff ∀c. c ∈ F −→ v ⊨ c.
• A literal l is false in a valuation v, denoted by v ⊨¬ l, iff l̄ ∈ v. A clause c is false in a valuation v, denoted by v ⊨¬ c, iff ∀l. l ∈ c −→ v ⊨¬ l. A formula F is false in a valuation v, denoted by v ⊨¬ F, iff ∃c. c ∈ F ∧ v ⊨¬ c.
• v ⊭ l (v ⊭ c / v ⊭ F) denotes that l (c / F) is not true in v (then we say that l (c / F) is unsatisfied in v). v ⊭¬ l (v ⊭¬ c / v ⊭¬ F) denotes that l (c / F) is not false in v (then we say that l (c / F) is unfalsified in v).

Definition 3.8 (Valuations and models).
• A valuation v is inconsistent, denoted by inconsistent v, iff it contains both a literal and its opposite, i.e., iff ∃l. v ⊨ l ∧ v ⊨ l̄. A valuation v is consistent, denoted by consistent v, iff it is not inconsistent.
• A valuation v is total with respect to a variable set Vbl, denoted by total v Vbl, iff vars v ⊇ Vbl.
• A model of a formula F is a consistent valuation under which F is true. A formula F is satisfiable, denoted by sat F, iff it has a model, i.e., ∃v. consistent v ∧ v ⊨ F.
• A clause c is unit in a valuation v with a unit literal l, denoted by isUnit c l v, iff l ∈ c, v ⊭ l, v ⊭¬ l, and v ⊨¬ (c \ l) (i.e., ∀l′. l′ ∈ c ∧ l′ ≠ l −→ v ⊨¬ l′).
• A clause c is a reason for propagation of a literal l in a valuation v, denoted by isReason c l v, iff l ∈ c, v ⊨ l, v ⊨¬ (c \ l), and for each literal l′ ∈ (c \ l), the literal l̄′ precedes l in v.
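The semantic notions of Definitions 3.7 and 3.8 are directly executable. The following is a minimal Python sketch, assuming literals encoded as non-zero integers (+v for Pos v, −v for Neg v) and valuations as lists of such integers; the function names are hypothetical counterparts of the paper's notation.

```python
# A sketch of Definitions 3.7-3.8 over an integer encoding of literals.

def lit_true(v, l):            # v |= l   iff l in v
    return l in v

def lit_false(v, l):           # v |=! l  iff the opposite of l is in v
    return -l in v

def clause_true(v, c):         # some literal of c is true in v
    return any(lit_true(v, l) for l in c)

def clause_false(v, c):        # every literal of c is false in v
    return all(lit_false(v, l) for l in c)

def formula_true(v, F):        # every clause of F is true in v
    return all(clause_true(v, c) for c in F)

def consistent(v):             # no literal occurs together with its opposite
    return not any(-l in v for l in v)

def is_unit(c, l, v):          # c is unit in v with unit literal l
    return (l in c and not lit_true(v, l) and not lit_false(v, l)
            and all(lit_false(v, x) for x in c if x != l))

v = [+1, -2, +3]
assert consistent(v)
assert clause_true(v, [-5, +3])
assert clause_false(v, [-1, +2])          # +1 and -2 falsify both literals
assert is_unit([-1, +2, +7], +7, v)       # -1, +2 false, +7 undefined
assert formula_true(v, [[+1], [-2, +3]])
```

This encoding also makes the remark below concrete: clause_false is a primitive check, not the negation of clause_true.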
Note that the symbol ⊨¬ is atomic, i.e., v ⊨¬ F does not correspond to v ⊨ (¬F), although this would be the case if all propositional formulae (instead of CNF formulae only) were considered.

Definition 3.9 (Entailment and logical equivalence).
• A formula F entails a clause c, denoted by F ⊨ c, iff c is true in every model of F. A formula F entails a literal l, denoted by F ⊨ l, iff l is true in every model of F. A formula F entails a valuation v, denoted by F ⊨ v, iff it entails all its literals, i.e., ∀l. l ∈ v −→ F ⊨ l. A formula F₁ entails a formula F₂, denoted by F₁ ⊨ F₂, iff every model of F₁ is a model of F₂.
• Formulae F₁ and F₂ are logically equivalent, denoted by F₁ ≡ F₂, iff any model of F₁ is a model of F₂ and vice versa, i.e., iff F₁ ⊨ F₂ and F₂ ⊨ F₁.

Definition 3.10 (Trails related).
• For a trail element a, element a denotes its first (Literal) component and isDecision a denotes its second (Boolean) component. For a trail M, elements M denotes the list of all its elements and decisions M denotes the list of all its marked elements (i.e., of all its decision literals).
• The last decision literal, denoted by lastDecision M, is the last marked element of the list M, i.e., lastDecision M = last (decisions M).
• decisionsTo l M is the list of all marked elements from a trail M that precede the first occurrence of the element l, including l if it is marked, i.e., decisionsTo l M = decisions (prefixTo l M).
• The current level for a trail M, denoted by currentLevel M, is the number of marked literals in M, i.e., currentLevel M = length (decisions M).
• The decision level of a literal l in a trail M, denoted by level l M, is the number of marked literals in the trail that precede the first occurrence of l, including l if it is marked, i.e., level l M = length (decisionsTo l M).
• prefixToLevel level M is the prefix of a trail M containing all elements of M with levels less than or equal to level.
• The prefix before the last decision, denoted by prefixBeforeLastDecision M, is the prefix of the trail M before its last marked element (not including it).
• The last asserted literal of a clause c, denoted by lastAssertedLiteral c M, is the literal from c that is in M such that no other literal from c comes after it in M.
• The maximal level of a literal in a clause c with respect to a trail M, denoted by maxLevel c M, is the maximum of the levels of the literals from c asserted in M.

Example 3.11.
A trail M could be [+1^i, −2^d, +6^i, +5^d, −3^i, +4^i, −7^d]. The symbol + is written instead of the constructor Pos, and the symbol − instead of Neg. Then decisions M = [−2^d, +5^d, −7^d], lastDecision M = −7, decisionsTo +4 M = [−2^d, +5^d], and decisionsTo −7 M = [−2^d, +5^d, −7^d]. Further, level +1 M = 0, level +4 M = 2, level −7 M = 3, currentLevel M = 3, and prefixToLevel 1 M = [+1^i, −2^d, +6^i]. If c is [+4, +6, −2], then lastAssertedLiteral c M = +4 and maxLevel c M = 2.

Note that some of these functions are used only for some trails. For example, prefixBeforeLastDecision M makes sense only for trails that contain at least one decision literal. Nevertheless, these functions are still defined as total functions — for example, prefixBeforeLastDecision M equals M if there are no decision literals.

4. DPLL Search
In this section we consider a basic transition system that contains only transition rules corresponding to steps used in the original DPLL procedure: unit propagation, backtracking, and making decisions for branching (described informally in Section 2.1; the pure literal step is usually not used within modern SAT solvers, so it is omitted). These rules will be defined in the form of relations over states, in terms of the logic described in Section 3. It will be proved that the system containing these rules is terminating, sound, and complete. The rules within the system are not ordered, and the system is sound, terminating, and complete regardless of any specific ordering. However, it will be obvious that better performance is obtained if making decisions is maximally postponed, in the hope that it will not be necessary.

4.1. States and Rules.
The state of the solver performing the basic DPLL search consists of the formula F being tested for satisfiability (which remains unchanged) and the trail M (which may change during the solver's operation). The only parameter of the solver is the set of variables DecVars used for branching. By Vars we denote the set of all variables encountered during solving — these are the variables from the initial formula F₀ and the decision variables DecVars, i.e., Vars = vars F₀ ∪ DecVars.

Definition 4.1 (State). A state of the system is a pair (M, F), where M is a trail and F is a formula. The state ([ ], F₀) is the initial state for the input formula F₀.

Transition rules are introduced by the following definition, in the form of relations over states.

Definition 4.2 (Transition rules).

unitPropagate (M₁, F₁) (M₂, F₂) iff ∃c l. c ∈ F₁ ∧ isUnit c l M₁ ∧ M₂ = M₁ @ l^i ∧ F₂ = F₁

backtrack (M₁, F₁) (M₂, F₂) iff M₁ ⊨¬ F₁ ∧ decisions M₁ ≠ [ ] ∧ M₂ = prefixBeforeLastDecision M₁ @ l̄^i (where l = lastDecision M₁) ∧ F₂ = F₁

decide (M₁, F₁) (M₂, F₂) iff ∃l. var l ∈ DecVars ∧ l ∉ M₁ ∧ l̄ ∉ M₁ ∧ M₂ = M₁ @ l^d ∧ F₂ = F₁

As can be seen from the above definition (and in accordance with the description given in Section 2.1), the rule unitPropagate uses a unit clause — a clause with only one literal l undefined in M and with all other literals false in M. Such a clause can be true only if l is true, so this rule extends M by l (as an implied literal). The rule backtrack is applied when F is false in M. Then it is said that a conflict occurred, and the clauses from F that are false in M are called conflict clauses. In that case, the last decision literal l^d in M and all literals that succeed it are removed from M, and the obtained prefix is extended by l̄^i as an implied literal. The rule decide extends the trail by an arbitrary literal l as a decision literal, such that the variable of l belongs to DecVars and neither l nor l̄ occurs in M. In that case, we say that there is a branching on l.

The transition system considered is described by the relation →d, introduced by the following definition.

Definition 4.3 (→d). s₁ →d s₂ iff unitPropagate s₁ s₂ ∨ backtrack s₁ s₂ ∨ decide s₁ s₂

Definition 4.4 (Outcome states). An outcome state is either an accepting state or a rejecting state. A state (M, F) is an accepting state if M ⊭¬ F and there is no state (M′, F′) such that decide (M, F) (M′, F′) (i.e., there is no literal l such that var l ∈ DecVars, l ∉ M, and l̄ ∉ M). A state (M, F) is a rejecting state if M ⊨¬ F and decisions M = [ ].

Note that the condition M ⊭¬ F in the above definition could be replaced by the condition M ⊨ F, but the former is used since its check can be implemented more efficiently.

Example 4.5.
Let F₀ = [ [−1, +2], [−1, −3, +5, +7], [−1, −3, +5, −7], [−2, +3], [+2, +4], [−5, −6, +7], [−2, −6, −7], [−5, +6] ]. One possible →d trace is given below.

rule                                          M
                                              [ ]
decide (l = +1)                               [+1^d]
unitPropagate (c = [−1, +2], l = +2)          [+1^d, +2^i]
unitPropagate (c = [−2, +3], l = +3)          [+1^d, +2^i, +3^i]
decide (l = +4)                               [+1^d, +2^i, +3^i, +4^d]
decide (l = +5)                               [+1^d, +2^i, +3^i, +4^d, +5^d]
unitPropagate (c = [−5, +6], l = +6)          [+1^d, +2^i, +3^i, +4^d, +5^d, +6^i]
unitPropagate (c = [−5, −6, +7], l = +7)      [+1^d, +2^i, +3^i, +4^d, +5^d, +6^i, +7^i]
backtrack (M ⊨¬ [−2, −6, −7])                 [+1^d, +2^i, +3^i, +4^d, −5^i]
unitPropagate (c = [−1, −3, +5, +7], l = +7)  [+1^d, +2^i, +3^i, +4^d, −5^i, +7^i]
backtrack (M ⊨¬ [−1, −3, +5, −7])             [+1^d, +2^i, +3^i, −4^i]
decide (l = +5)                               [+1^d, +2^i, +3^i, −4^i, +5^d]
unitPropagate (c = [−5, +6], l = +6)          [+1^d, +2^i, +3^i, −4^i, +5^d, +6^i]
unitPropagate (c = [−5, −6, +7], l = +7)      [+1^d, +2^i, +3^i, −4^i, +5^d, +6^i, +7^i]
backtrack (M ⊨¬ [−2, −6, −7])                 [+1^d, +2^i, +3^i, −4^i, −5^i]
unitPropagate (c = [−1, −3, +5, +7], l = +7)  [+1^d, +2^i, +3^i, −4^i, −5^i, +7^i]
backtrack (M ⊨¬ [−1, −3, +5, −7])             [−1^i]
decide (l = +2)                               [−1^i, +2^d]
unitPropagate (c = [−2, +3], l = +3)          [−1^i, +2^d, +3^i]
decide (l = +4)                               [−1^i, +2^d, +3^i, +4^d]
decide (l = +5)                               [−1^i, +2^d, +3^i, +4^d, +5^d]
unitPropagate (c = [−5, +6], l = +6)          [−1^i, +2^d, +3^i, +4^d, +5^d, +6^i]
unitPropagate (c = [−5, −6, +7], l = +7)      [−1^i, +2^d, +3^i, +4^d, +5^d, +6^i, +7^i]
backtrack (M ⊨¬ [−2, −6, −7])                 [−1^i, +2^d, +3^i, +4^d, −5^i]
decide (l = +6)                               [−1^i, +2^d, +3^i, +4^d, −5^i, +6^d]
unitPropagate (c = [−2, −6, −7], l = −7)      [−1^i, +2^d, +3^i, +4^d, −5^i, +6^d, −7^i]

4.2. Properties.
In order to prove that the presented transition system is terminating, sound, and complete, local properties of the transition rules first have to be established, in the form of certain invariants.
4.2.1. Invariants. For proving properties of the described transition system, several relevant rule invariants will be used (not all of them are needed for proving each of soundness, completeness, and termination, but we list them all here for the sake of simplicity).
Inv_consistent: consistent M
Inv_distinct: distinct M
Inv_varsM: vars M ⊆ Vars
Inv_impliedLits: ∀l. l ∈ M −→ (F @ decisionsTo l M) ⊨ l
Inv_equiv: F ≡ F₀
Inv_varsF: vars F ⊆ Vars
The condition Inv_consistent states that the trail M can potentially be a model of the formula, and Inv_distinct requires that it contains no repeated elements. The condition Inv_impliedLits ensures that any literal l in M is entailed by F together with all the decision literals that precede l. Notice that the given rules do not change the formula component of the state, so it trivially holds that F = F₀, which further implies Inv_equiv and Inv_varsF. However, the transition systems that follow in the next sections may change formulae, so the above set of invariants is more appropriate. If only testing satisfiability is of interest (and not building models of satisfiable formulae), then, instead of Inv_equiv, it is sufficient to require that F and F₀ are weakly equivalent (i.e., equisatisfiable).

The above conditions are indeed invariants (i.e., they are met in each state during the application of the rules), as stated by the following lemma.

Lemma 4.6.
(1)
In the initial state ([ ], F₀) all the invariants hold.
(2) If (M, F) →d (M′, F′) and the invariants are met in the state (M, F), then they are met in the state (M′, F′) too.
(3) If ([ ], F₀) →*d (M, F), then all the invariants hold in the state (M, F).

The proof of this lemma considers a number of cases — one for each rule–invariant pair.

4.2.2. Soundness.
Soundness of the given transition system requires that if the system terminates in an accepting state, then the input formula is satisfiable, and if the system terminates in a rejecting state, then the input formula is unsatisfiable. The following lemma ensures soundness for satisfiable input formulae, and the next one is used for proving soundness for unsatisfiable input formulae (but also in some other contexts).
Lemma 4.7.
If DecVars ⊇ vars F₀ and if there is an accepting state (M, F) such that:
(1) consistent M (i.e., Inv_consistent holds),
(2) F ≡ F₀ (i.e., Inv_equiv holds),
(3) vars F ⊆ Vars (i.e., Inv_varsF holds),
then the formula F₀ is satisfiable and M is one of its models (i.e., model M F₀).

Lemma 4.8.
If there is a state (M, F) such that:
(1) ∀l. l ∈ M −→ (F @ decisionsTo l M) ⊨ l (i.e., Inv_impliedLits holds),
(2) M ⊨¬ F,
then ¬(sat (F @ decisions M)).

Theorem 4.9 (Soundness for →d). If ([ ], F₀) →*d (M, F), then:
(1) If DecVars ⊇ vars F₀ and (M, F) is an accepting state, then the formula F₀ is satisfiable and M is one of its models (i.e., sat F₀ and model M F₀).
(2) If (M, F) is a rejecting state, then the formula F₀ is unsatisfiable (i.e., ¬(sat F₀)).

Proof. By Lemma 4.6, all the invariants hold in the state (M, F). Let us assume that DecVars ⊇ vars F₀ and that (M, F) is an accepting state. Then, by Lemma 4.7, the formula F₀ is satisfiable and M is one of its models. Let us assume that (M, F) is a rejecting state. Then M ⊨¬ F and, by Lemma 4.8, ¬(sat (F @ decisions M)). Since (M, F) is a rejecting state, it holds that decisions M = [ ], and hence ¬(sat F). From F ≡ F₀ (Inv_equiv), it follows that ¬(sat F₀), i.e., the formula F₀ is unsatisfiable.

4.2.3. Termination.
Full and precise formalization of termination is very demanding, and the termination proofs given in the literature (e.g., [KG07, NOT06]) are far from detailed formal proofs. For this reason, termination proofs will be presented here in more detail, including the auxiliary lemmas used to prove the termination theorem.

The described transition system terminates, i.e., for any input formula F₀, the system (starting from the initial state ([ ], F₀)) reaches a final state in a finite number of steps. In other words, the relation →d is well-founded. This can be proved by constructing a well-founded partial ordering ≻ over trails such that (M₁, F₁) →d (M₂, F₂) implies M₁ ≻ M₂. In order to reach this goal, several auxiliary orderings are defined. First, a partial ordering ≻lit over annotated literals and a partial ordering ≻tr over trails will be introduced, and some of their properties will be given within the following lemmas.

Definition 4.10 (≻lit). l₁ ≻lit l₂ iff isDecision l₁ ∧ ¬(isDecision l₂)

Lemma 4.11. ≻lit is transitive and irreflexive.

Definition 4.12 (≻tr). M₁ ≻tr M₂ iff M₁ ≻lex_lit M₂, where ≻lex_lit is the lexicographic extension of ≻lit.

Lemma 4.13. ≻tr is transitive, irreflexive, and acyclic (i.e., there is no trail M such that M ≻⁺tr M). For any three trails M, M′, and M′′ it holds that: if M′ ≻tr M′′, then M @ M′ ≻tr M @ M′′.

The next lemma links the relations →d and ≻tr.

Lemma 4.14. If decide (M₁, F₁) (M₂, F₂) or unitPropagate (M₁, F₁) (M₂, F₂) or backtrack (M₁, F₁) (M₂, F₂), then M₁ ≻tr M₂.

The relation ≻tr is not necessarily well-founded (since the elements of the trails range over infinite sets), so a restriction ≻tr|Vbl of the relation ≻tr will be defined that is well-founded, which will lead to the termination proof for the system.

Definition 4.15 (≻tr|Vbl). M₁ ≻tr|Vbl M₂ iff (distinct M₁ ∧ vars M₁ ⊆ Vbl) ∧ (distinct M₂ ∧ vars M₂ ⊆ Vbl) ∧ M₁ ≻tr M₂

Lemma 4.16.
If the set Vbl is finite, then the relation ≻tr|Vbl is a well-founded ordering.
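The behaviour of the trail ordering can be illustrated executably. The following Python sketch assumes trails encoded as lists of (literal, is_decision) pairs, and the reading of Definitions 4.10–4.12 reconstructed here, on which a trail is ≻tr-greater than any of its proper extensions, and greater than any trail from which it first differs at a ≻lit-greater element; it checks on small instances the decrease claimed by Lemma 4.14.

```python
# A sketch of the orderings >lit and >tr on annotated literals and trails.

def gt_lit(a, b):
    # a decision element is >lit-greater than an implied (non-decision) one
    return a[1] and not b[1]

def gt_tr(s, t):
    # first disjunct: t properly extends s, so s is greater
    if len(t) > len(s) and t[:len(s)] == s:
        return True
    # second disjunct: common prefix, then s has a >lit-greater element
    for a, b in zip(s, t):
        if a != b:
            return gt_lit(a, b)
    return False

# decide and unitPropagate extend the trail, so the old trail is greater:
M1 = [(+1, True), (+2, False)]
assert gt_tr(M1, M1 + [(+3, True)])      # decide appends a decision
assert gt_tr(M1, M1 + [(+3, False)])     # unitPropagate appends an implied literal
# backtrack replaces the last decision by an implied opposite literal:
M2 = [(+1, True), (+2, False), (+5, True), (+6, False)]
assert gt_tr(M2, [(+1, True), (+2, False), (-5, False)])
assert not gt_tr(M2, M2)                 # irreflexivity
```

Restricted to distinct trails over a fixed finite variable set, only finitely many trails exist, which is the intuition behind Lemma 4.16.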
Finally, we prove that the transition system is terminating.
Theorem 4.17 (Termination for →d). If the set DecVars is finite, then for any formula F₀ the relation →d is well-founded on the set of states (M, F) such that ([ ], F₀) →*d (M, F).

Proof. By Proposition 3.4 it suffices to construct a well-founded ordering ≻ on the set of states (M, F) such that ([ ], F₀) →*d (M, F), with the property that (M₁, F₁) →d (M₂, F₂) −→ (M₁, F₁) ≻ (M₂, F₂). One such ordering is the ≻ defined by: (M₁, F₁) ≻ (M₂, F₂) iff M₁ ≻tr|Vars M₂. Indeed, since by Lemma 4.16 the relation ≻tr|Vars is well-founded, by Proposition 3.4 (for the function mapping (M, F) to M), ≻ is also a well-founded ordering. Let (M₁, F₁) and (M₂, F₂) be two states such that ([ ], F₀) →*d (M₁, F₁) and (M₁, F₁) →d (M₂, F₂). By Lemma 4.6, all the invariants hold for (M₁, F₁). From (M₁, F₁) →d (M₂, F₂), by Lemma 4.14, it follows that M₁ ≻tr M₂. Moreover, by Lemma 4.6, all the invariants also hold for (M₂, F₂), so distinct M₁, vars M₁ ⊆ Vars, distinct M₂, and vars M₂ ⊆ Vars. Ultimately, M₁ ≻tr|Vars M₂.

4.2.4. Completeness.
Completeness requires that all final states are outcome states.
Theorem 4.18 (Completeness for →d). Each final state is either accepting or rejecting.

Proof. Let (M, F) be a final state. It holds that either M ⊨¬ F or M ⊭¬ F. If M ⊭¬ F, then, since there is no state (M′, F′) such that decide (M, F) (M′, F′) (as (M, F) is a final state), there is no literal l such that var l ∈ DecVars, l ∉ M, and l̄ ∉ M, so (M, F) is an accepting state. If M ⊨¬ F, then, since there is no state (M′, F′) such that backtrack (M, F) (M′, F′) (as (M, F) is a final state), it holds that decisions M = [ ], so (M, F) is a rejecting state.

Notice that from the proof it is clear that the basic search system consisting only of the rules decide and backtrack is already complete.

4.2.5. Correctness.
Theorems 4.9, 4.17, and 4.18 directly lead to the theorem about the correctness of the introduced transition system.

Theorem 4.19 (Correctness for →d). The given transition system is correct, i.e., if all variables of the input formula belong to the set DecVars, then for any satisfiable input formula the system terminates in an accepting state, and for any unsatisfiable input formula the system terminates in a rejecting state.

5. Backjumping
In this section we consider a transition system that replaces naive chronological backtracking by the more advanced nonchronological backjumping. (Correctness of the system can be proved under a weaker condition: instead of requiring that all variables of the input formula belong to the set DecVars, it is sufficient that all strong backdoor variables belong to DecVars [BHMW09], but that weaker condition is not considered here.)

5.1. States and Rules. The rules of the new system are given (as in Section 4) in the form of relations over states.
Definition 5.1 (Transition rules).

unitPropagate (M₁, F₁) (M₂, F₂) iff ∃c l. F₁ ⊨ c ∧ var l ∈ Vars ∧ isUnit c l M₁ ∧ M₂ = M₁ @ l^i ∧ F₂ = F₁

backjump (M₁, F₁) (M₂, F₂) iff ∃c l P level. F₁ ⊨ c ∧ var l ∈ Vars ∧ P = prefixToLevel level M₁ ∧ 0 ≤ level < currentLevel M₁ ∧ isUnit c l P ∧ M₂ = P @ l^i ∧ F₂ = F₁

decide (M₁, F₁) (M₂, F₂) iff ∃l. var l ∈ DecVars ∧ l ∉ M₁ ∧ l̄ ∉ M₁ ∧ M₂ = M₁ @ l^d ∧ F₂ = F₁

In the following, the transition system described by the relation →b defined by these rules will be considered. The key difference between the new transition system and the one built over the rules given in Definition 4.2 is the rule backjump (which replaces the rule backtrack). The rule decide is the same as the one given in Definition 4.2, while the rule unitPropagate is slightly modified (i.e., its guard is relaxed).

The clause c in the backjump rule is called a backjump clause and the level level is called a backjump level. The given definition of the backjump rule is very general — it does not specify how the backjump clause c is constructed, nor which prefix P (i.e., which level level) is chosen if there are several options. There are different strategies that specify these choices, and they are required for concrete implementations. The conditions that P is a prefix to a level (i.e., that P is followed by a decision literal in M) and that this level is smaller than the current level are important only for termination. Soundness can be proved even with the weaker assumption that P is an arbitrary prefix of M. However, usually the shortest possible prefix P is taken. The backtrack rule can be seen as a special case of the backjump rule — the special case in which the clause c is built from the opposites of all the decision literals in the trail and P becomes prefixBeforeLastDecision M.

Notice that the backjump clause c does not necessarily belong to F but can be an arbitrary logical consequence of it.
So, instead of c ∈ F, the weaker conditions F ⊨ c and var l ∈ Vars are used in the backjump rule (the latter condition is important only for termination). This weaker condition (inspired by the use of SAT engines in SMT solvers) can also be used for the unitPropagate rule, and it leads from the rule given in Definition 4.2 to its present version (this change is not relevant for the system correctness). The new version of unitPropagate is very similar to the backjump rule — the only difference is that the backjump rule always asserts the implied literal to a proper prefix of the trail.
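A small executable sketch can make these rules concrete. The following Python code assumes the signed-integer literal encoding and trails as lists of (literal, is_decision) pairs; the entailment F ⊨ c is not computed here — the clauses supplied to the functions are assumed to be consequences of F, as the rules require.

```python
# A sketch of the unitPropagate and backjump rules of Definition 5.1.

def lits(M):
    return [x for (x, _) in M]

def is_unit(c, l, v):
    # c is unit in valuation v with unit literal l (Definition 3.8)
    return (l in c and l not in v and -l not in v
            and all(-x in v for x in c if x != l))

def current_level(M):
    return sum(1 for (_, d) in M if d)

def prefix_to_level(M, lev):
    # elements of M whose decision level is at most lev
    P, n = [], 0
    for (x, d) in M:
        if d:
            n += 1
        if n <= lev:
            P.append((x, d))
    return P

def unit_propagate(M, F):
    # uses clauses of F itself (c in F implies F |= c)
    for c in F:
        for l in c:
            if is_unit(c, l, lits(M)):
                return M + [(l, False)]
    return None

def backjump(M, c, l, lev):
    # apply backjump with a chosen clause c (F |= c assumed), literal l,
    # and backjump level lev
    P = prefix_to_level(M, lev)
    if 0 <= lev < current_level(M) and is_unit(c, l, lits(P)):
        return P + [(l, False)]
    return None

F = [[-1, +2], [-2, +3], [-5, +6], [-5, -6, +7], [-2, -6, -7]]
assert unit_propagate([(+1, True)], F) == [(+1, True), (+2, False)]

M = [(+1, True), (+2, False), (+3, False), (+4, True),
     (+5, True), (+6, False), (+7, False)]
# [-2, -5] is a consequence of F; backjumping with it to level 1 skips
# the decision +4 and asserts -5 as an implied literal:
assert backjump(M, [-2, -5], -5, 1) == \
       [(+1, True), (+2, False), (+3, False), (-5, False)]
```

The last assertion mirrors the behaviour shown in Example 5.2, where a backjump discards a decision that is irrelevant for the conflict.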
Example 5.2.
Let F₀ be the same formula as in Example 4.5. One possible →b trace is given below. Note that, unlike in the trace shown in Example 4.5, the decision literal +4 is removed from the trail during backjumping, since it was detected to be irrelevant for the conflict, resulting in a shorter trace. The deduction of backjump clauses (e.g., [−2, −5]) is not specified by this system; it is performed by the conflict analysis process described in Section 7.

rule                                          M
                                              [ ]
decide (l = +1)                               [+1^d]
unitPropagate (c = [−1, +2], l = +2)          [+1^d, +2^i]
unitPropagate (c = [−2, +3], l = +3)          [+1^d, +2^i, +3^i]
decide (l = +4)                               [+1^d, +2^i, +3^i, +4^d]
decide (l = +5)                               [+1^d, +2^i, +3^i, +4^d, +5^d]
unitPropagate (c = [−5, +6], l = +6)          [+1^d, +2^i, +3^i, +4^d, +5^d, +6^i]
unitPropagate (c = [−5, −6, +7], l = +7)      [+1^d, +2^i, +3^i, +4^d, +5^d, +6^i, +7^i]
backjump (c = [−2, −5], l = −5)               [+1^d, +2^i, +3^i, −5^i]
unitPropagate (c = [−1, −3, +5, +7], l = +7)  [+1^d, +2^i, +3^i, −5^i, +7^i]
backjump (c = [−1], l = −1)                   [−1^i]
decide (l = +2)                               [−1^i, +2^d]
unitPropagate (c = [−2, +3], l = +3)          [−1^i, +2^d, +3^i]
decide (l = +4)                               [−1^i, +2^d, +3^i, +4^d]
decide (l = +5)                               [−1^i, +2^d, +3^i, +4^d, +5^d]
unitPropagate (c = [−5, +6], l = +6)          [−1^i, +2^d, +3^i, +4^d, +5^d, +6^i]
unitPropagate (c = [−5, −6, +7], l = +7)      [−1^i, +2^d, +3^i, +4^d, +5^d, +6^i, +7^i]
backjump (c = [−2, −5], l = −5)               [−1^i, +2^d, +3^i, −5^i]
decide (l = +4)                               [−1^i, +2^d, +3^i, −5^i, +4^d]
decide (l = +6)                               [−1^i, +2^d, +3^i, −5^i, +4^d, +6^d]
unitPropagate (c = [−2, −6, −7], l = −7)      [−1^i, +2^d, +3^i, −5^i, +4^d, +6^d, −7^i]

5.2. Backjump Levels.
In Definition 5.1, for the backjump rule to be applicable, it is required that there is a level of the trail such that the backjump clause is unit in the prefix to that level. The following definition gives a stronger condition (used in modern SAT solvers) for a level, ensuring applicability of the backjump rule to that level.
Definition 5.3 (Backjump level). A backjump level for a given backjump clause c (false in M) is a level that is strictly less than the level of the last falsified literal from c and greater than or equal to the levels of the remaining literals from c:

isBackjumpLevel level l c M iff M ⊨¬ c ∧ l̄ = lastAssertedLiteral c̄ M ∧ 0 ≤ level < level l̄ M ∧ ∀l′. l′ ∈ c \ l −→ level l̄′ M ≤ level

(where c̄ denotes the list of opposites of the literals of c). Using this definition, the backjump rule can be defined in a more concrete and more operational way:

backjump′ (M₁, F₁) (M₂, F₂) iff ∃c l level. F₁ ⊨ c ∧ var l ∈ Vars ∧ isBackjumpLevel level l c M₁ ∧ M₂ = (prefixToLevel level M₁) @ l^i ∧ F₂ = F₁

Notice that, unlike in Definition 5.1, it is required that the backjump clause is false, so this new rule is applicable only in conflict situations. It still remains unspecified how the clause c is constructed. Also, it is required to check whether the clause c is false in the current trail M and implied by the current formula F. In Section 7 it will be shown that if a clause c is built during the conflict analysis process, these conditions hold by construction, so it will not be necessary to check them explicitly. Calculating the level of each literal from c (required for the backjump level condition) will also be avoided.

The following lemmas connect the backjump and backjump′ rules.

Lemma 5.4.
If: (1) consistent M (i.e., Inv consistent holds), (2) unique M (i.e., Inv unique holds), (3) isBackjumpLevel level l c M ,then isUnit c l ( prefixToLevel level M ) . Lemma 5.5.
If a state (M, F) satisfies the invariants and if backjump′ (M, F) (M′, F′), then backjump (M, F) (M′, F′).

Because of the very close connection between the relations backjump and backjump′, we will not explicitly define two different transition relations →b. Most of the correctness arguments apply to both these relations, and hence only the differences will be emphasized. Although there are typically many levels satisfying the backjump level condition (i.e., backjumping can be applied for each level between the level of the last falsified literal from c and the levels of the remaining literals from c), usually it is applied to the lowest possible level, i.e., to the level that is a backjump level such that there is no smaller level that is also a backjump level. The following definition formally introduces the notion of a minimal backjump level.

Definition 5.6 (isMinimalBackjumpLevel). isMinimalBackjumpLevel level l c M iff isBackjumpLevel level l c M ∧ (∀level′ < level. ¬ isBackjumpLevel level′ l c M)

Although most solvers use minimal levels when backjumping, this will be formally required only for the systems introduced in Section 8.

5.3. Properties.
As in Section 4, local properties of the transition rules, in the form of certain invariants, are used in proving properties of the transition system.

5.3.1. Invariants. The invariants required for proving soundness, termination, and completeness of the new system are the same as the invariants listed in Section 4. So, it is required to prove that the rules backjump and the modified unitPropagate preserve all the invariants. Therefore, Lemma 4.6 has to be updated to address the new rules, and its proof has to be modified to reflect the changes in the definition of the transition relation.

5.3.2.
Soundness and Termination.
The soundness theorem (Theorem 4.9) has to be updated to address the new rules, but its proof remains analogous to the one given in Section 4. The termination theorem (Theorem 4.17) also has to be updated, and its proof again remains analogous to the one given in Section 4. However, in addition to Lemma 4.14, the following lemma has to be used.
Lemma 5.7. If backjump (M, F) (M′, F′), then M ≻tr M′.
This proof relies on the following property of the relation ≻tr.

Lemma 5.8. If M is a trail and P = prefixToLevel level M, such that 0 ≤ level < currentLevel M, then M ≻tr P @ l i.

5.3.3. Completeness and Correctness.
Completeness of the system is proved partly in analogy with the completeness proof of the system described in Section 4, given in Theorem 4.18. When (M, F) is a final state and M ⊭ ¬F, the proof remains the same as for Theorem 4.18. When (M, F) is a final state and M ⊨ ¬F, for the new system it is not trivial that this state is a rejecting state (i.e., it is not trivial that decisions M = [ ]). Therefore, it has to be proved, given that the invariants hold, that if backjumping is not applicable in a conflict situation (when M ⊨ ¬F), then decisions M = [ ] (i.e., if decisions M ≠ [ ], then backjump′ is applicable, and so is backjump). The proof relies on the fact that a backjump clause may be constructed from the opposites of all the decision literals. This is the simplest way to construct a backjump clause c, and in this case backjumping degenerates to backtracking. The clause c constructed in this way meets sufficient (but, of course, not necessary) conditions for the applicability of backjump′ (and, consequently, by Lemma 5.5, for the applicability of backjump). Lemma 5.9.
If for a state (M, F) it holds that: (1) consistent M (i.e., Inv consistent holds), (2) unique M (i.e., Inv unique holds), (3) ∀l. l ∈ M −→ F @ (decisionsTo l M) ⊨ l (i.e., Inv impliedLits holds), (4) vars M ⊆ Vars (i.e., Inv varsM holds), (5) M ⊨ ¬F, (6) decisions M ≠ [ ], then there is a state (M′, F′) such that backjump′ (M, F) (M′, F′).

To ensure applicability of Lemma 5.9, the new version of the completeness theorem (Theorem 4.18) requires that the invariants hold in the current state. Since, by Lemma 5.5, backjump′ (M, F) (M′, F′) implies backjump (M, F) (M′, F′), the following completeness theorem holds for both transition systems presented in this section (using the rule backjump′ or the rule backjump).

Theorem 5.10 (Completeness for →b). If ([ ], F0) →∗b (M, F), and (M, F) is a final state, then (M, F) is either accepting or rejecting.

Proof. Let (M, F) be a final state. By Lemma 4.6, all invariants hold in (M, F). Also, it holds that either M ⊨ ¬F or M ⊭ ¬F. If M ⊭ ¬F, since decide is not applicable, (M, F) is an accepting state. If M ⊨ ¬F, assume that decisions M ≠ [ ]. By Lemma 5.9, there is a state (M′, F′) such that backjump′ (M, F) (M′, F′). This contradicts the assumption that (M, F) is a final state. Therefore, decisions M = [ ], and since M ⊨ ¬F, (M, F) is a rejecting state.

Correctness of the system is a consequence of soundness, termination, and completeness, in analogy with Theorem 4.19.

6. Learning and Forgetting
In this section we briefly describe a system obtained from the system introduced in Section 5 by adding two new transition rules. These rules will have a significant role in the more complex systems discussed in the following sections.

6.1.
States and Rules.
The relation →b introduced in Section 5 is extended by the two following transition rules (introduced in the form of relations over states).

Definition 6.1 (Transition rules).

learn (M, F) (M′, F′) iff ∃c. F ⊨ c ∧ vars c ⊆ Vars ∧ F′ = F @ c ∧ M′ = M

forget (M, F) (M′, F′) iff ∃c. F \ c ⊨ c ∧ F′ = F \ c ∧ M′ = M

The extended transition system will be denoted by →l. The learn rule is defined very generally. It is not specified how to construct the clause c — typically, only clauses resulting from the conflict analysis process (Section 7) are learnt. This is the only rule so far that changes F, but the condition F ⊨ c ensures that F always remains logically equivalent to the initial formula F0. The condition vars c ⊆ Vars is relevant only for ensuring termination. The forget rule changes the formula by removing a clause that is implied by all the other clauses (i.e., that is redundant). It is also not specified how this clause c is chosen. Example 6.2.
Let F0 be the formula from Example 4.5. A possible →l trace is given below (note that, unlike in the trace shown in Example 5.2, the clause [−2, −5, −3] is learnt and used afterwards for unit propagation in another part of the search tree, eventually leading to a shorter trace):

rule | M | F
 | [ ] | F0
decide (l = +1) | [+1 d ] | F0
unitPropagate (c = [−1, +2], l = +2) | [+1 d , +2 i ] | F0
unitPropagate (c = [−2, +3], l = +3) | [+1 d , +2 i , +3 i ] | F0
decide (l = +4) | [+1 d , +2 i , +3 i , +4 d ] | F0
decide (l = +5) | [+1 d , +2 i , +3 i , +4 d , +5 d ] | F0
unitPropagate (c = [−3, +6], l = +6) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i ] | F0
unitPropagate (c = [−5, −6, +7], l = +7) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i , +7 i ] | F0
backjump (c = [−2, −5, −3], l = −5) | [+1 d , +2 i , +3 i , −5 i ] | F0
learn (c = [−2, −5, −3]) | [+1 d , +2 i , +3 i , −5 i ] | F0 @ [−2, −5, −3]
unitPropagate (c = [−1, −2, +5, +7], l = +7) | [+1 d , +2 i , +3 i , −5 i , +7 i ] | F0 @ [−2, −5, −3]
backjump (c = [−1], l = −1) | [−1 i ] | F0 @ [−2, −5, −3]
decide (l = +2) | [−1 i , +2 d ] | F0 @ [−2, −5, −3]
unitPropagate (c = [−2, +3], l = +3) | [−1 i , +2 d , +3 i ] | F0 @ [−2, −5, −3]
unitPropagate (c = [−2, −5, −3], l = −5) | [−1 i , +2 d , +3 i , −5 i ] | F0 @ [−2, −5, −3]
decide (l = +4) | [−1 i , +2 d , +3 i , −5 i , +4 d ] | F0 @ [−2, −5, −3]
decide (l = +6) | [−1 i , +2 d , +3 i , −5 i , +4 d , +6 d ] | F0 @ [−2, −5, −3]
unitPropagate (c = [−2, −3, −7], l = −7) | [−1 i , +2 d , +3 i , −5 i , +4 d , +6 d , −7 i ] | F0 @ [−2, −5, −3]
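The condition F ⊨ c in the learn rule is exactly what keeps the formula logically equivalent to the initial formula. On a small assumed example this can be checked by brute force (a plain-Python illustration, not part of the formalization; the formula and the learnt clause below are our own, chosen so that the clause follows by resolution):

```python
from itertools import product

def models(formula, variables):
    """All total valuations (dicts var -> bool) satisfying a CNF formula,
    with clauses encoded as lists of signed integers."""
    result = []
    for bits in product([False, True], repeat=len(variables)):
        v = dict(zip(variables, bits))
        if all(any(v[abs(l)] == (l > 0) for l in c) for c in formula):
            result.append(v)
    return result

F = [[-1, 2], [-2, 3]]   # assumed small formula
learnt = [-1, 3]         # entailed: the resolvent of the two clauses on variable 2
assert models(F, [1, 2, 3]) == models(F + [learnt], [1, 2, 3])
print("learning an entailed clause preserves the set of models")
```

Since every model of F already satisfies an entailed clause, appending it changes nothing semantically — which is why only termination, not soundness, is threatened by unrestricted learning and forgetting.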
6.2. Properties.
The new set of rules preserves all the invariants given in Section 4.2.1. Indeed, since learn and forget do not change the trail M, all invariants about the trail itself are trivially preserved by these rules. It can be proved that Inv equiv, Inv varsF and Inv impliedLits also hold for the new rules. Since the invariants are preserved in the new system, soundness is proved as in Theorem 4.9. Completeness trivially holds, since introducing new rules into a complete system cannot compromise its completeness. However, the extended system is not terminating, since the learn and forget rules can be cyclically applied. Termination could be ensured with some additional restrictions. Specific learning, forgetting and backjumping strategies that ensure termination will be defined and discussed in Sections 7 and 8.

7. Conflict Analysis
The backjumping rules, as defined in Section 5, are very general. If backjump clauses faithfully reflect the current conflict, they typically lead to significant pruning of the search space. In this section we consider a transition system that employs conflict analysis in order to construct backjump clauses, which can (in addition) be immediately learnt (by the rule learn).

7.1.
States and Rules.
The system with conflict analysis requires extending the definition of state introduced in Section 4.

Definition 7.1 (State). A state of the system is a four-tuple (M, F, C, cflct), where M is a trail, F is a formula, C is a clause, and cflct is a Boolean variable. A state ([ ], F0, [ ], ⊥) is an initial state for the input formula F0.

Two new transition rules conflict and explain are defined in the form of relations over states. In addition, the existing rules are updated to map four-tuple states to four-tuple states.

Definition 7.2 (Transition rules).

decide (M, F, C, cflct) (M′, F′, C′, cflct′) iff ∃l. var l ∈ DecVars ∧ l ∉ M ∧ l̄ ∉ M ∧ M′ = M @ l d ∧ F′ = F ∧ C′ = C ∧ cflct′ = cflct

unitPropagate (M, F, C, cflct) (M′, F′, C′, cflct′) iff ∃c l. F ⊨ c ∧ var l ∈ Vars ∧ isUnit c l M ∧ M′ = M @ l i ∧ F′ = F ∧ C′ = C ∧ cflct′ = cflct

conflict (M, F, C, cflct) (M′, F′, C′, cflct′) iff ∃c. cflct = ⊥ ∧ F ⊨ c ∧ M ⊨ ¬c ∧ M′ = M ∧ F′ = F ∧ C′ = c ∧ cflct′ = ⊤

explain (M, F, C, cflct) (M′, F′, C′, cflct′) iff ∃l c. cflct = ⊤ ∧ l ∈ C ∧ isReason c l̄ M ∧ F ⊨ c ∧ M′ = M ∧ F′ = F ∧ C′ = resolve C c l ∧ cflct′ = ⊤

backjump (M, F, C, cflct) (M′, F′, C′, cflct′) iff ∃l level. cflct = ⊤ ∧ isBackjumpLevel level l C M ∧ M′ = (prefixToLevel level M) @ l i ∧ F′ = F ∧ C′ = [ ] ∧ cflct′ = ⊥

learn (M, F, C, cflct) (M′, F′, C′, cflct′) iff cflct = ⊤ ∧ C ∉ F ∧ M′ = M ∧ F′ = F @ C ∧ C′ = C ∧ cflct′ = cflct

The relation →c is defined as in Definition 4.3, but using the above list of rules. The definition of outcome states also has to be updated.

Definition 7.3 (Outcome states). A state is an accepting state if cflct = ⊥, M ⊭ ¬F and there is no literal l such that var l ∈ DecVars, l ∉ M and l̄ ∉ M. A state is a rejecting state if cflct = ⊤ and C = [ ]. Example 7.4.
Let F0 be the formula from Example 4.5. A possible →c trace (shown up to the first application of backjump) is given below (due to the lack of space, the F component of the state is not shown).

rule | M | cflct | C
 | [ ] | ⊥ | [ ]
decide (l = +1) | [+1 d ] | ⊥ | [ ]
unitPropagate (c = [−1, +2], l = +2) | [+1 d , +2 i ] | ⊥ | [ ]
unitPropagate (c = [−2, +3], l = +3) | [+1 d , +2 i , +3 i ] | ⊥ | [ ]
decide (l = +4) | [+1 d , +2 i , +3 i , +4 d ] | ⊥ | [ ]
decide (l = +5) | [+1 d , +2 i , +3 i , +4 d , +5 d ] | ⊥ | [ ]
unitPropagate (c = [−3, +6], l = +6) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i ] | ⊥ | [ ]
unitPropagate (c = [−5, −6, +7], l = +7) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i , +7 i ] | ⊥ | [ ]
conflict (c = [−2, −3, −7]) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i , +7 i ] | ⊤ | [−2, −3, −7]
explain (l = −7, c = [−5, −6, +7]) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i , +7 i ] | ⊤ | [−2, −3, −5, −6]
explain (l = −6, c = [−3, +6]) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i , +7 i ] | ⊤ | [−2, −5, −3]
learn (c = [−2, −5, −3]) | [+1 d , +2 i , +3 i , +4 d , +5 d , +6 i , +7 i ] | ⊤ | [−2, −5, −3]
backjump (c = [−2, −5, −3], l = −5) | [+1 d , +2 i , +3 i , −5 i ] | ⊥ | [ ]

7.2. Unique Implication Points (UIP).
SAT solvers employ different strategies for conflict analysis. The most widely used strategy relies on the concept of unique implication points (UIP) (often expressed in terms of implication graphs [MSS99]). Informally, a clause c, false in the trail M, satisfies the UIP condition if there is exactly one literal in c that is on the highest decision level of M. The UIP condition is very easy to check. The strategy requires that the rule explain is always applied to the literal from c that was falsified last in M, and that backjumping is applied as soon as c satisfies the UIP condition.

Definition 7.5 (Unique implication point). A clause c that is false in M has a unique implication point, denoted by isUIP l c M, if the level of the last literal l from c that is false in M is strictly greater than the levels of the remaining literals from c:

isUIP l c M iff M ⊨ ¬c ∧ l = lastAssertedLiteral c M ∧ ∀l′. l′ ∈ c \ l −→ level l′ M < level l M
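The interplay of resolve, reason clauses, and the UIP condition can be sketched concretely. The following plain-Python illustration is our own encoding (not the paper's formalization); the trail, the reason map, and the conflict clause are assumed values shaped like the trace above. The loop repeatedly resolves the conflict clause with the reason of its most recently falsified literal until that literal's complement is a decision, and then checks the UIP condition on the result:

```python
def resolve(c1, c2, lit):
    """resolve C c l: drop lit from c1 and its opposite from c2, then
    concatenate, removing duplicate literals (keeping the last occurrence)."""
    merged = [x for x in c1 if x != lit] + [x for x in c2 if x != -lit]
    out = []
    for x in reversed(merged):
        if x not in out:
            out.append(x)
    return list(reversed(out))

# Assumed trail: +1 decided, +2, +3 implied, +4, +5 decided, +6, +7 implied.
trail = [(1, True), (2, False), (3, False), (4, True), (5, True), (6, False), (7, False)]
order = [l for l, _ in trail]
reasons = {2: [-1, 2], 3: [-2, 3], 6: [-3, 6], 7: [-5, -6, 7]}  # assumed reason clauses

def level_of(lit):
    level = 0
    for l, is_decision in trail:
        if is_decision:
            level += 1
        if l == -lit:
            return level
    raise ValueError("literal not falsified by the trail")

def is_uip(clause):
    """Exactly one literal of the (false) clause on the clause's top level."""
    levels = [level_of(x) for x in clause]
    return levels.count(max(levels)) == 1

C = [-2, -3, -7]                                 # assumed conflict clause
while True:
    l = max(C, key=lambda x: order.index(-x))    # literal falsified last
    if -l not in reasons:                        # its complement is a decision: stop
        break
    C = resolve(C, reasons[-l], l)
assert is_uip(C)
print(C)  # → [-2, -5, -3]
```

This particular driver resolves all the way back to a decision literal; the resulting clause satisfies the UIP condition, so the backjump rule is applicable to it.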
The following lemma shows that if there are decision literals in M and a clause has a unique implication point, then there is a corresponding backjump level, and consequently the backjump rule is applicable.

Lemma 7.6. If unique M (i.e., Inv unique holds), then isUIP l c M ∧ level l M > 0 −→ ∃level. isBackjumpLevel level l c M.

Therefore, the guard isBackjumpLevel level l c M in the definition of the backjump rule can be replaced by the stronger conditions isUIP l c M and level l M > 0. In that case, the backjump level has to be explicitly calculated (as in the proof of the previous lemma). The UIP condition is trivially satisfied when the clause c consists only of opposites of decision literals from the trail (a similar construction of c was already used in the proof of Lemma 5.9). Lemma 7.7.
If it holds that: (1) unique M (i.e., Inv unique holds), (2) c̄ ⊆ decisions M, (3) l = lastAssertedLiteral c M, then isUIP l c M.

7.3. Properties.
Properties of the new transition system will again be proved using the invariants introduced in Section 4, but they have to be updated to reflect the new definition of states. In addition, three new invariants will be used.

7.3.1. Invariants. In addition to the invariants from Section 4, three new invariants are used.

Inv Cfalse: cflct −→ M ⊨ ¬C
Inv Centailed: cflct −→ F ⊨ C
Inv reasonClauses: ∀l. l ∈ M ∧ l ∉ decisions M −→ ∃c. isReason c l M ∧ F ⊨ c

The first two invariants ensure that during the conflict analysis process the conflict analysis clause C is a consequence of F and that C is false in M. The third invariant ensures the existence of clauses that are reasons for literal propagation (these clauses enable application of the explain rule). By the rules unitPropagate and backjump, literals are added to M only as implied literals, and in both cases propagation is performed using a clause that is a reason for the propagation, so this clause can be associated to the implied literal and afterwards used as its reason. Lemma 4.6 again has to be updated to address the new rules, and its proof has to be modified to reflect the changes in the definition of the relation →c.

7.3.2. Soundness.
Although the soundness proof for unsatisfiable formulae could again be based on Lemma 4.8, this time it will be proved in an alternative, simpler way (one that does not rely on the invariant Inv impliedLits), which was not possible in the previous sections.

Lemma 7.8.
If there is a rejecting state (M, F, C, cflct) such that: (1) F ≡ F0 (i.e., Inv equiv holds), (2) cflct −→ F ⊨ C (i.e., Inv Centailed holds), then F0 is unsatisfiable (i.e., ¬(sat F0)).

Theorem 7.9 (Soundness for →c). If ([ ], F0, [ ], ⊥) →∗c (M, F, C, cflct), then: (1) If DecVars ⊇ vars F0 and (M, F, C, cflct) is an accepting state, then the formula F0 is satisfiable and M is its model (i.e., sat F0 and model M F0). (2) If (M, F, C, cflct) is a rejecting state, then the formula F0 is unsatisfiable (i.e., ¬(sat F0)).

Proof. By Lemma 4.6, all the invariants hold in the state (M, F, C, cflct). (1) All conditions of Lemma 4.7 are met (adapted to the new definition of state), so sat F0 and model M F0. (2) All conditions of Lemma 7.8 are met, so ¬(sat F0).

7.3.3. Termination.
Termination of the system with conflict analysis will be proved by using a suitable well-founded ordering that is compatible with the relation →c, i.e., an ordering ≻ such that s →c s′ yields s ≻ s′, for any two states s and s′. This ordering will be constructed as a lexicographic combination of four simpler orderings, one for each state component. The rules decide, unitPropagate, and backjump change M and no other state components. If a state s is in one of these relations with the state s′, then M ≻tr|Vars M′ (for the ordering ≻tr|Vars introduced in Section 4.2.3). The ordering ≻tr|Vars cannot be used alone for proving termination of the system, since the rules conflict, explain, and learn do not change M (and, hence, if a state s is transformed into a state s′ by one of these rules, then it does not hold that M ≻tr|Vars M′). For each of these rules, a specific well-founded ordering will be constructed, and it will be proved that these rules decrease state components with respect to those orderings. The ordering ≻bool will be used for handling the state component cflct and the rule conflict (the rule explain does not change the state component cflct, but changes the state component C, so it will be handled by another ordering). The given properties of the ordering ≻bool are proved trivially.

Definition 7.10 (≻bool). b ≻bool b′ iff b = ⊥ ∧ b′ = ⊤.

Lemma 7.11. If conflict (M, F, C, cflct) (M′, F′, C′, cflct′), then cflct ≻bool cflct′. Lemma 7.12.
The ordering ≻bool is well-founded.

An ordering over clauses (the third component of the states) should be constructed such that the rule explain decreases the state component C with respect to that ordering. Informally, after each application of the rule explain, a literal l of the clause C that is (by Inv Cfalse) false in M is replaced by several other literals that are again false in M, but whose opposites precede the opposite of l in M (since reason clauses are used). Therefore, the ordering of literals in the trail M induces an ordering of clauses false in M. The ordering over clauses will be a multiset extension of the relation ≺M induced by the ordering of literals in M (Definition 3.1). Each explanation step removes a literal from C and replaces it with several literals that precede it in M. To avoid multiple occurrences of a literal in C, duplicates are removed. Solvers usually perform this operation explicitly and maintain the condition that C does not contain duplicates. However, our ordering does not require this restriction, and termination is ensured even without it.

Definition 7.13 (≻M Cla). For a trail M, C ≻M Cla C′ iff ⟨remDups C′⟩ ≺mult M ⟨remDups C⟩.

Lemma 7.14. For any trail M, the ordering ≻M Cla is well-founded.
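The effect of this ordering can be illustrated executably. For a fixed trail, associate with each clause the multiset of trail positions of its literals' complements; for multisets over a totally ordered set, comparing the position sequences sorted in descending order lexicographically coincides with the multiset ordering. The clause values below are assumed for illustration (plain Python, not the Isabelle/HOL development):

```python
def measure(clause, order):
    """Trail positions of the complements of the clause's literals
    (duplicates removed first), sorted in descending order."""
    return sorted({order.index(-x) for x in clause}, reverse=True)

order = [1, 2, 3, 4, 5, 6, 7]     # the order in which literals were asserted
steps = [[-2, -3, -7],            # assumed conflict clause
         [-2, -3, -5, -6],        # after one explain step
         [-2, -5, -3]]            # after a second explain step
for before, after in zip(steps, steps[1:]):
    assert measure(after, order) < measure(before, order)
print("each explain step strictly decreases the clause measure")
```

Each resolution step trades a literal for literals whose complements occur earlier in the trail, so the measure strictly decreases — the executable counterpart of Lemma 7.15 below.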
The following lemma ensures that each explanation step decreases the conflict clause in the ordering ≻M Cla, for the current trail M. This ensures that each application of the explain rule decreases the state with respect to this ordering.

Lemma 7.15. If l ∈ C and isReason c l̄ M, then C ≻M Cla resolve C c l.

Lemma 7.16. If explain (M, F, C, cflct) (M, F, C′, cflct), then C ≻M Cla C′.

The rule learn changes the state component F (i.e., it adds a clause to the formula), and it requires constructing an ordering over formulae.

Definition 7.17 (≻C Form). For any clause C, F ≻C Form F′ iff C ∉ F ∧ C ∈ F′.

Lemma 7.18. For any clause C, the ordering ≻C Form is well-founded.

By the definition of the learn rule, it holds that C ∉ F and C ∈ F′, so the following lemma trivially holds.

Lemma 7.19. If learn (M, F, C, cflct) (M, F′, C, cflct), then F ≻C Form F′.

Theorem 7.20 (Termination for →c). If the set DecVars is finite, then for any formula F0 the relation →c is well-founded on the set of states s such that s0 →∗c s, where s0 is the initial state for F0.

Proof. Let ≻ be a (parametrized) lexicographic product (Definition ?), i.e., let ≻ ≡ ≻tr|Vars ⟨∗lex∗⟩ ≻bool ⟨∗lex p∗⟩ (λs. ≻Ms Cla) ⟨∗lex p∗⟩ (λs. ≻Cs Form), where Ms is the trail in the state s, and Cs is the conflict clause in the state s. By Proposition 3.4 and Lemmas 4.16, 7.12, 7.14, and 7.18, the relation ≻ is well-founded. If the invariants hold in the state (M, F, C, cflct) and if (M, F, C, cflct) →c (M′, F′, C′, cflct′), then (M, cflct, C, F) ≻ (M′, cflct′, C′, F′). Indeed, by Lemma 4.14, the rules decide, unitPropagate and backjump decrease M in the ordering; the rule conflict does not change M but (by Lemma 7.11) decreases cflct; the rule explain does not change M nor cflct, but (by Lemma 7.16) decreases C; and the rule learn does not change M, cflct, nor C, but (by Lemma 7.19) decreases F. Then the theorem holds by Proposition 3.4 (where f is a permutation mapping (M, F, C, cflct) to (M, cflct, C, F)).

7.3.4. Completeness and Correctness.
Completeness requires that all final states are outcome states, and the following two lemmas are used to prove this property.
Lemma 7.21.
If for the state (M, F, C, cflct) it holds that: (1) cflct = ⊤, (2) unique M (i.e., Inv unique holds), (3) cflct −→ M ⊨ ¬C (i.e., Inv Cfalse holds), (4) the rules explain and backjump are not applicable, then the state (M, F, C, cflct) is a rejecting state and C = [ ].

Lemma 7.22. If in the state (M, F, C, cflct) it holds that cflct = ⊥ and the rules decide and conflict are not applicable, then the state (M, F, C, cflct) is an accepting state and M ⊭ ¬F.

Theorem 7.23 (Completeness for →c). For any formula F0, if ([ ], F0, [ ], ⊥) →∗c (M, F, C, cflct), and if the state (M, F, C, cflct) is final, then it is either accepting or rejecting.

Proof.
Since the state (M, F, C, cflct) is reachable from the initial state, by Lemma 4.6 all the invariants hold in this state, including unique M (i.e., Inv unique) and cflct −→ M ⊨ ¬C (i.e., Inv Cfalse). In the state (M, F, C, cflct), it holds that either cflct = ⊥ or cflct = ⊤. If cflct = ⊥, since the rules decide and conflict are not applicable (as the state is final), by Lemma 7.22 the state (M, F, C, cflct) is an accepting state. If cflct = ⊤, since the rules explain and backjump are not applicable (as the state is final), by Lemma 7.21 the state is a rejecting state.

Correctness of the system is proved in analogy with Theorem 4.19.

8. Restarting and Forgetting
In this section we extend the previous system with restarting and forgetting. The most challenging task with restarting is to ensure termination. Many solvers use restarting and forgetting schemes that apply restarting with increasing periodicity, and there are theoretical results ensuring total correctness of these [KG07, NOT06]. However, modern solvers also use aggressive restarting schemes (e.g., Luby restarts) that apply the restart rule very frequently, but there are no corresponding theoretical results that ensure termination of these schemes. In this section we formulate a system that allows application of the restart rule after each conflict and show that this (weakly constrained, hence potentially extremely frequent) scheme also ensures termination.

8.1.
States and Rules.
Unlike the previous systems, which tend to be as abstract as possible, this system aims to describe the behaviour of modern SAT solvers more precisely. For example, only learnt clauses can be forgotten. So, to aid the forget rule, the formula is split into the initial part F0 and the learnt clauses Fl. Since the input formula F0 is fixed, it is not a part of the state anymore, but rather an input parameter. The new component of the state — the lnt flag — has a role in ensuring termination, by preventing applying restart and forget twice without learning a clause in between. In addition, some changes in the rules ensure termination of some variants of the system. Unit propagation is performed eagerly, i.e., decide is not applied when there is a unit clause present. Also, backjumping is always performed to the minimal backjump level (Definition 5.6). These stronger conditions are very often obeyed in real SAT solver implementations, so this system still makes a faithful model of them.

Definition 8.1 (State). A state of the system is a five-tuple (M, Fl, C, cflct, lnt), where M is a trail, Fl is a formula, C is a clause, and cflct and lnt are Boolean variables. The state ([ ], [ ], [ ], ⊥, ⊥) is the initial state for the input formula F0.

Definition 8.2 (Transition rules).

decide (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff ∃l. var l ∈ DecVars ∧ l ∉ M ∧ l̄ ∉ M ∧ ¬(∃c l. c ∈ F0 @ Fl ∧ isUnitClause c l M) ∧ M′ = M @ l d ∧ Fl′ = Fl ∧ C′ = C ∧ cflct′ = cflct ∧ lnt′ = lnt

unitPropagate (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff ∃c l. c ∈ F0 @ Fl ∧ isUnit c l M ∧ M′ = M @ l i ∧ Fl′ = Fl ∧ C′ = C ∧ cflct′ = cflct ∧ lnt′ = lnt

conflict (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff ∃c. cflct = ⊥ ∧ c ∈ F0 @ Fl ∧ M ⊨ ¬c ∧ M′ = M ∧ Fl′ = Fl ∧ C′ = c ∧ cflct′ = ⊤ ∧ lnt′ = lnt

explain (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff ∃l c. cflct = ⊤ ∧ l ∈ C ∧ isReason c l̄ M ∧ c ∈ F0 @ Fl ∧ M′ = M ∧ Fl′ = Fl ∧ C′ = resolve C c l ∧ cflct′ = ⊤ ∧ lnt′ = lnt

backjumpLearn (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff ∃l level. cflct = ⊤ ∧ isMinimalBackjumpLevel level l C M ∧ M′ = (prefixToLevel level M) @ l i ∧ Fl′ = Fl @ [C] ∧ C′ = [ ] ∧ cflct′ = ⊥ ∧ lnt′ = ⊤

forget (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff ∃Fc. cflct = ⊥ ∧ lnt = ⊤ ∧ Fc ⊆ Fl ∧ (∀c ∈ Fc. ¬(∃l. isReason c l M)) ∧ Fl′ = Fl \ Fc ∧ M′ = M ∧ C′ = C ∧ cflct′ = cflct ∧ lnt′ = ⊥

restart (M, Fl, C, cflct, lnt) (M′, Fl′, C′, cflct′, lnt′) iff cflct = ⊥ ∧ lnt = ⊤ ∧ M′ = prefixToLevel 0 M ∧ Fl′ = Fl ∧ C′ = C ∧ cflct′ = cflct ∧ lnt′ = ⊥

These rules will be used to formulate three different transition systems. The system →r consists of all rules except restart, the system →f consists of all rules except forget, and the system → consists of all rules.

8.2. Properties.
The structure of the invariants and the proofs of the properties of the system are basically similar to those given in Section 7, while the termination proof requires a number of new insights.

8.2.1. Invariants. All the invariants formulated so far hold, but the formula F, which is not present in the new state, has to be replaced by F0 @ Fl.

8.2.2. Termination.
Termination of the system without restarts is proved first.
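Before the termination theorems, it is worth seeing the lnt mechanism in isolation. The sketch below is a hypothetical Python driver of our own (not part of the formalization); it enforces only the guards of Definition 8.2 that concern lnt: restart and forget both require lnt = ⊤ and reset it to ⊥, so neither of the two aggressive steps can be applied twice without a backjumpLearn in between:

```python
class LntGate:
    """Tracks only the lnt flag from Definition 8.2 (illustrative sketch)."""
    def __init__(self):
        self.lnt = False          # ⊥ in the initial state

    def backjump_learn(self):
        self.lnt = True           # learning a clause re-enables restart/forget

    def _aggressive(self, name):
        if not self.lnt:
            raise RuntimeError(name + " requires a clause learnt since the last restart/forget")
        self.lnt = False

    def restart(self):
        self._aggressive("restart")

    def forget(self):
        self._aggressive("forget")

s = LntGate()
s.backjump_learn()
s.restart()                       # allowed: lnt was ⊤
try:
    s.forget()                    # blocked: no new clause was learnt in between
except RuntimeError as e:
    print("blocked:", e)
```

This is exactly the interleaving discipline that the proofs below exploit: between two aggressive steps the system must make progress by learning a clause.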
Theorem 8.3 (Termination for →r). If the set DecVars is finite, then for any formula F0 the relation →r is well-founded on the set of states s such that s0 →∗r s, where s0 is the initial state for F0.

Proof. Let ≻ be a (parametrized) lexicographic product (Definition ?), i.e., let ≻ ≡ ≻tr|Vars ⟨∗lex∗⟩ ≻bool ⟨∗lex p∗⟩ (λs. ≻Ms Cla) ⟨∗lex∗⟩ ≻bool, where Ms is the trail in the state s. By Proposition 3.4 and Lemmas 4.16, 7.12, and 7.14, the relation ≻ is well-founded. If the state (M, Fl, C, cflct, lnt) satisfies the invariants and if (M, Fl, C, cflct, lnt) →r (M′, Fl′, C′, cflct′, lnt′), then (M, cflct, C, ¬lnt) ≻ (M′, cflct′, C′, ¬lnt′). Indeed, by Lemma 4.14, the rules unitPropagate, decide and backjumpLearn decrease M; the rule conflict does not change M but (by Lemma 7.11) decreases cflct; the rule explain does not change M nor cflct, but (by Lemma 7.16) decreases C; and the rule forget does not change M, cflct, nor C, but decreases ¬lnt. From the above, the theorem holds by Proposition 3.4 (for a suitable f).

The termination proof of the system without forgets is more involved. We define a (not necessarily well-founded) ordering of formulae by inclusion, and its restriction with respect to the set of variables occurring in the formula.
Definition 8.4 (≻Form⊂). F ≻Form⊂ F′ iff F ⊂ F′.

Definition 8.5 (≻Form⊂|Vbl). F ≻Form⊂|Vbl F′ iff vars F̂ ⊆ Vbl ∧ vars F̂′ ⊆ Vbl ∧ F̂ ≻Form⊂ F̂′, where F̂ denotes the formula obtained from F by removing duplicate literals from clauses and removing duplicate clauses.

Lemma 8.6. If the set Vbl is finite, then the relation ≻Form⊂|Vbl is well-founded.
The following lemma states that if unit propagation is done eagerly and if backjumping is always performed to the minimal backjump level, then the clauses that are learnt are always fresh, i.e., they do not belong to the current formula.

Lemma 8.7. If s0 is an initial state, s0 →∗f sA and backjumpLearn sA sB, where sA = (MA, FlA, CA, ⊤, lntA), then CA ∉ F0 @ FlA.

Therefore, backjumpLearn increases the formula in the inclusion ordering.

Lemma 8.8. If s0 →∗f sA and backjumpLearn sA sB, for an initial state s0 and states sA and sB, then F0 @ FlA ≻Form⊂|Vars F0 @ FlB, where FlA and FlB are the formulae in the states sA and sB.

Theorem 8.9 (Termination for →f). If the set DecVars is finite, then for any formula F0 the relation →f is well-founded on the set of states s such that s0 →∗f s, where s0 is the initial state for F0.

Proof. Let ≻ be a (parametrized) lexicographic product (Definition ?), i.e., let ≻ ≡ ≻Form⊂|Vars ⟨∗lex∗⟩ ≻bool ⟨∗lex∗⟩ ≻tr|Vars ⟨∗lex∗⟩ ≻bool ⟨∗lex p∗⟩ (λs. ≻Ms Cla), where Ms is the trail in the state s. By Proposition 3.4 and Lemmas 4.16, 7.12, 7.14, and 8.6, the relation ≻ is well-founded. If the state (M, Fl, C, cflct, lnt) satisfies the invariants and if (M, Fl, C, cflct, lnt) →f (M′, Fl′, C′, cflct′, lnt′), then (F, ¬lnt, M, cflct, C) ≻ (F′, ¬lnt′, M′, cflct′, C′), where F = F0 @ Fl. Indeed, by Lemma 8.8 the rule backjumpLearn decreases F; the rule restart does not change F but decreases ¬lnt; the rules unitPropagate and decide do not change F and lnt but (by Lemma 4.14) decrease M; the rule conflict does not change F, lnt, nor M but (by Lemma 7.11) decreases cflct; and the rule explain does not change F, lnt, M nor cflct, but (by Lemma 7.16) decreases C. From the above, the theorem holds by Proposition 3.4 (for a suitable f).

If both forget and restart are allowed, then the system is not terminating. Theorem 8.10.
The relation → is not well-founded on the set of states reachable from the initial state.

Proof. Consider the formula [[−1, −2, 3], [−1, −2, 4], [−1, −3, −4], [−5, −6, 7], [−5, −6, 8], [−5, −7, −8]]. The following trace shows that → is cyclic.

rule | M | Fl | lnt
 | [ ] | [ ] | ⊥
decide, decide | [1 d , 2 d ] | [ ] | ⊥
unitPropagate, unitPropagate | [1 d , 2 d , 3 i , 4 i ] | [ ] | ⊥
conflict, explain, explain, backjumpLearn | [1 d , −2 i ] | [[−1, −2]] | ⊤
restart | [ ] | [[−1, −2]] | ⊥
decide, decide | [5 d , 6 d ] | [[−1, −2]] | ⊥
unitPropagate, unitPropagate | [5 d , 6 d , 7 i , 8 i ] | [[−1, −2]] | ⊥
conflict, explain, explain, backjumpLearn | [5 d , −6 i ] | [[−1, −2], [−5, −6]] | ⊤
forget | [5 d , −6 i ] | [ ] | ⊥
decide, decide | [5 d , −6 i , 1 d , 2 d ] | [ ] | ⊥
unitPropagate, unitPropagate | [5 d , −6 i , 1 d , 2 d , 3 i , 4 i ] | [ ] | ⊥
conflict, explain, explain, backjumpLearn | [5 d , −6 i , 1 d , −2 i ] | [[−1, −2]] | ⊤
restart | [ ] | [[−1, −2]] | ⊥

Therefore, it holds that ([ ], [ ], [ ], ⊥, ⊥) →∗ ([ ], [[−1, −2]], [ ], ⊥, ⊥) →+ ([ ], [[−1, −2]], [ ], ⊥, ⊥).

However, if there are additional restrictions on the rule application policy, the system may be terminating. Since the number of different states for the input formula F0 is finite (when duplicate clauses and literals are removed), there is a number nf (dependent on F0) such that there is no chain of rule applications without forget longer than nf (→f is well-founded and therefore acyclic, so, on a finite set, there must exist nf such that the nf-fold composition of →f is empty). Similarly, there is a number nr (dependent on F0) such that there is no chain of rule applications without restart longer than nr. So, termination is ensured for any policy that guarantees that there is a point from which the application of forget is forbidden for at least nf steps, or a point from which the application of restart is forbidden for at least nr steps.

8.2.3. Soundness, Completeness and Correctness.
Soundness and completeness proofs fromprevious sections hold with minor modifications necessary to adapt them to the new defi-nition of state and rules. The most demanding part is to update Lemma 4.6 and to provethat the new rules maintain the invariants.9.
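The shape of the termination argument in Theorem 8.9 can be illustrated by a small executable sketch. This is a toy abstraction, not the Isabelle development: each component of the measure (F @ Fl, ¬lnt, M, cflct, C) is replaced by a hypothetical natural number (the field names below are ours), so that Python's built-in tuple comparison plays the role of the lexicographic product of well-founded orderings.

```python
# Toy sketch (not the formalized definitions): every rule application must
# strictly decrease a tuple-valued measure in the lexicographic order, so
# no infinite rule chain without forget can exist.

def measure(state):
    """Hypothetical numeric abstraction of the termination measure."""
    return (
        state["learnable"],  # clauses that can still be learnt (F @ Fl part)
        state["credit"],     # 1 iff a restart is still "paid for" by a lemma
        state["trail_gap"],  # literals still undefined in the trail M
        state["no_cflct"],   # 1 while no conflict is flagged
        state["expl"],       # remaining explain work on the conflict clause C
    )

def strictly_decreasing(run):
    """Check that the measure strictly decreases along a run of states."""
    return all(measure(a) > measure(b) for a, b in zip(run, run[1:]))

# A sample run: decide, conflict, explain, backjumpLearn, restart.
run = [
    dict(learnable=3, credit=0, trail_gap=4, no_cflct=1, expl=0),  # initial
    dict(learnable=3, credit=0, trail_gap=3, no_cflct=1, expl=0),  # decide
    dict(learnable=3, credit=0, trail_gap=3, no_cflct=0, expl=2),  # conflict
    dict(learnable=3, credit=0, trail_gap=3, no_cflct=0, expl=1),  # explain
    dict(learnable=2, credit=1, trail_gap=3, no_cflct=1, expl=0),  # backjumpLearn
    dict(learnable=2, credit=0, trail_gap=4, no_cflct=1, expl=0),  # restart
]
print(strictly_decreasing(run))  # → True

# A forget step would *increase* `learnable`, which is exactly why this
# measure (and termination itself, by Theorem 8.10) fails once both forget
# and restart are allowed without restrictions.
```

Note that restart may enlarge later components (the trail is cleared), which is harmless because an earlier component decreases; this is the essential convenience of the lexicographic construction.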
9. Related Work and Discussions
The original DPLL procedure [DLL62] has been described in many logic textbooks, along with informal proofs of its correctness (e.g., [DSW94]). First steps towards verification of modern DPLL-based SAT solvers have been made only recently. Zhang and Malik gave an informal correctness proof for a modern SAT solver [ZM03]; the specification of the solver is given in pseudo-code, and it describes only one strategy for applying rules. The authors of two abstract transition systems for SAT also give correctness proofs [NOT06, KG07]. These specifications and proofs are much more formal than those given in [ZM03], but they are still not machine-verifiable and are much less rigorous than the proofs presented in this paper.
In recent years, several machine-verifiable correctness proofs for SAT solvers have been constructed. Lescuyer and Conchon formalized, within Coq, a SAT solver based on the classical DPLL procedure, together with its correctness proof [LS08]. They used a deep embedding, so their approach enables execution of the SAT solver in Coq and, further, a reflexive tactic. Marić and Janičić formalized a correctness proof for the classical DPLL procedure by shallow embedding into Isabelle/HOL [MJ10]. Shankar and Vaucher formally and mechanically verified a high-level description of a modern DPLL-based SAT solver within the system PVS [SV09]. However, unlike this paper, which formalizes abstract descriptions for SAT, they formalize a very specific SAT solver implementation within PVS. Marić proved partial correctness (termination was not discussed) of an imperative pseudo-code of a modern SAT solver using a Hoare-logic approach [Mar09], and total correctness of a SAT solver implemented in Isabelle/HOL using shallow embedding [Mar10]. Both these formalizations use features of the transition systems described in this paper and provide links between the transition systems and executable implementations of modern SAT solvers. In the former approach, the verified specification can be rewritten to executable code in an imperative programming language, while in the latter approach, executable code in a functional language can be exported from the specification by automatic means [HN10].

The transition system discussed in Section 4 corresponds to a non-recursive version of the classical DPLL procedure. The transition systems and correctness proofs presented in the later sections are closely related to the systems of Nieuwenhuis et al. [NOT06] and Krstić and Goel [KG07]. However, there are some significant differences, both in the level of precision in the proofs and in the definitions of the rules.

Informal (non-machine-verifiable) proofs allow authors some degree of imprecision.
For example, in [NOT06] and [KG07] clauses are defined as “disjunctions of literals” and formulae as “conjunctions of clauses”, which leaves unclear issues such as whether duplicates are allowed. The ordering of clauses and literals is considered to be irrelevant: in [KG07] it is said that “clauses containing the same literals in different order are considered equal”, and in [NOT06] this is not explicitly said, but only implied (e.g., clauses in the unitPropagate rule are written as C ∨ l, where M ⊨ ¬C and l is undefined in M, and from this it is clear that the order of literals must be irrelevant, since otherwise only the last literals in clauses could be propagated). Therefore, clauses and formulae are in those systems essentially defined as sets or multisets of literals. In our formal definition, clauses and formulae are defined as lists. Although the choice between lists, multisets, and sets in these basic definitions might not seem important, fully formal proofs show that this choice makes a very big difference. Using sets saves much effort in the proofs: for example, if formulae may contain repeated clauses, easy termination arguments like “there are finitely many different clauses that can be learnt” cannot be applied. On the other hand, using sets makes the systems quite different from real SAT solver implementations — eliminating duplicates from clauses during solving is possible and cheap, but explicitly maintaining the absence of duplicate clauses in formulae may be intolerably expensive. It can be proved that the absence of duplicate clauses can, under some conditions on the rules, be implicitly guaranteed merely by eliminating duplicate clauses from formulae during initialization (as done in the implementation of our SAT solver ArgoSAT). Solvers typically assume this nontrivial fact, but it had not previously been proved for formulae represented by lists, while for systems using sets the issue is irrelevant.
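To make the list-based representation concrete, here is a minimal sketch of initialization-time duplicate elimination (Python; the helper names are ours, not part of the formalization, and literals are represented as nonzero integers, clauses and formulae as lists):

```python
# Minimal sketch: clauses and formulae as lists, with duplicates removed
# only once, during initialization.

def remove_duplicate_literals(clause):
    """Keep the first occurrence of each literal, preserving order."""
    seen, result = set(), []
    for lit in clause:
        if lit not in seen:
            seen.add(lit)
            result.append(lit)
    return result

def remove_duplicate_clauses(formula):
    """Keep the first occurrence of each clause, comparing clauses as
    literal sets (same literals in a different order count as equal)."""
    seen, result = set(), []
    for clause in formula:
        key = frozenset(clause)
        if key not in seen:
            seen.add(key)
            result.append(clause)
    return result

def initialize(formula):
    """Initialization-time cleanup; afterwards the rules are assumed
    (under suitable side conditions) to preserve duplicate-freedom."""
    return remove_duplicate_clauses(
        [remove_duplicate_literals(c) for c in formula])

formula = [[1, -2, 1], [-2, 1], [1, -2], [3]]
print(initialize(formula))  # → [[1, -2], [3]]
```

The point of the design choice discussed above is visible here: the cleanup cost is paid once, up front, while a solver that had to re-check duplicate-freedom after every rule application would pay it continually.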
The system given in [NOT06] is very close to the system given in Section 5 and later extended in Section 6. The requirement that the set of decision literals exactly coincides with the set of literals from the input formula is too strong and is not always met by real SAT solvers, so it is relaxed in our system and the set DecVars is introduced (a similar technique is used in [KG07]). Also, the definition of the backjump rule from [NOT06] requires that there is a false clause in the formula being solved when the rule is applied, but our formal analysis of the proofs shows that this assumption is not required, so it is omitted from Definition 5.1. As already mentioned, the condition that the unit clauses belong to the formula is also relaxed, and propagation can be performed over arbitrary consequences of the formula. The invariants used in the proofs and the soundness proof are basically the same in [NOT06] and in this paper, but the amount of detail had to be significantly increased to reach a machine-verifiable proof. Our completeness proof is somewhat simpler. The ordering used in the termination proof for the system with backjumping in [NOT06] expresses a similar idea to ours, but is much more complex. A conflict analysis process is not described within the system from [NOT06].

The system given in [KG07] is close to the system given in Section 7, with some minor differences. Namely, in our system, instead of a set of decision literals, a set of decision variables is considered. Also, unit, conflict, and reason clauses need not be present in the formula. The conflict set used in [KG07], along with its distinguished value no cflct, is here replaced by the conflict flag and a conflict clause (the conflict set is the set of opposites of the literals occurring in our conflict clauses). The underlying reasoning used in the two total correctness proofs is the same, although in [KG07] the invariants are not explicitly formulated and the proof is monolithic (lemmas are not present) and rather informal.

Formalizing the termination proofs from [NOT06] and [KG07] required the greatest effort. Although arguments like “between any two applications of the rule ... there must be an occurrence of the rule ...”, heavily used in informal termination proofs, could be formalized, we felt that constructing explicit termination orderings is much cleaner.

In [KG07] termination of systems with restarts is not thoroughly discussed, and in [NOT06] it is proved very informally, under the strong condition that the periodicity of restarts is strictly increasing; this is often not the case in modern SAT solver implementations. In this paper, we have formally proved that restarting can be performed very frequently (after each conflict) without compromising total correctness. Some additional requirements (unit propagation must be exhaustive, backjumping must be performed to minimal backjumping levels, and backjump lemmas must always be learnt) are used in the proof, but these are always present in modern SAT solvers. Although the issue has been addressed in the literature, we are not aware of a previous proof of termination of frequent restarting.

10. Conclusions
We presented a formalization of modern SAT solvers and their properties in the form of abstract state transition systems. Several different SAT solvers are formalized, from the classical DPLL procedure to its modern successors. The systems are defined in a very abstract way, so they cover a wide range of SAT solving procedures. The formalization is made within the Isabelle/HOL system, and the total correctness properties (soundness, termination, completeness) are shown for each presented system.
Central theorems claim (roughly) that a transition system, i.e., a SAT solver, terminates and returns the answer yes if and only if the input formula is satisfiable. The whole construction boils down to the simple definition of a satisfiable formula, which can be confirmed by manual inspection.

Our formalization builds on previous work on state transition systems for SAT and also on correctness arguments for other SAT systems. However, it is the first that gives machine-verifiable total correctness proofs for systems that are close to modern SAT solvers. Also, compared to other abstract descriptions, our systems are more general (so they can cover a wider range of possible solvers) and require weaker assumptions to ensure the correctness properties. Thanks to the framework of formalized mathematics, we explicitly separated the notions of soundness and completeness, and defined all notions and properties relevant for SAT solving, often neglected to some extent in informal presentations.

Our experience in the SAT verification project shows that modelling imperative software abstractly, in the form of abstract state transition systems, makes the verification cleaner and more flexible. Such models can be used as a key building block in proving correctness of SAT solvers by other verification approaches, which significantly simplifies the overall verification effort.
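The “simple definition of a satisfiable formula” that the correctness theorems reduce to can be written down directly. The following sketch (Python, with representation choices that are ours rather than the formalization's) decides satisfiability of a CNF formula, given as a list of clauses of nonzero integer literals, by brute-force enumeration of valuations:

```python
# A trivially checkable specification of CNF satisfiability: a valuation is
# the set of variables assigned true; a formula is satisfiable iff some
# valuation makes every clause contain at least one true literal.
from itertools import chain, combinations

def true_under(lit, val):
    """A literal v is true iff v ∈ val; a literal -v is true iff v ∉ val."""
    return (abs(lit) in val) == (lit > 0)

def satisfies(val, formula):
    """Does valuation `val` make every clause of `formula` true?"""
    return all(any(true_under(l, val) for l in clause) for clause in formula)

def satisfiable(formula):
    """Brute-force check over all subsets of the formula's variables."""
    variables = {abs(l) for clause in formula for l in clause}
    subsets = chain.from_iterable(
        combinations(sorted(variables), k) for k in range(len(variables) + 1))
    return any(satisfies(set(s), formula) for s in subsets)

print(satisfiable([[1, -2], [2]]))  # → True (e.g., under {1, 2})
print(satisfiable([[1], [-1]]))     # → False
```

Exponential enumeration is of course hopeless in practice; its only role, as in the paper, is to serve as a manually inspectable specification against which a solver's yes/no answer is judged.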
Acknowledgement
This work was partially supported by the Serbian Ministry of Science grant 174021 and by the SNF grant SCOPES IZ73Z0 127979/1. We are grateful to Natarajan Shankar for sharing with us his unpublished manuscript [SV09]. We are also grateful to the anonymous reviewers for very careful reading and for detailed and useful comments on an earlier version of this paper.
References

[BMS00] L. Baptista and J. P. Marques-Silva. Using randomization and learning to solve hard real-world instances of satisfiability. Singapore, 2000.
[BS97] R. J. Bayardo Jr. and R. C. Schrag. Using CSP look-back techniques to solve real-world SAT instances. Providence, USA, 1997.
[Bie08] A. Biere. PicoSAT essentials. JSAT, 4:75-97, 2008.
[BHMW09] A. Biere, M. Heule, H. van Maaren, and T. Walsh, editors. Handbook of Satisfiability. IOS Press, 2009.
[BHZ06] L. Bordeaux, Y. Hamadi, and L. Zhang. Propositional satisfiability and constraint programming: A comparative survey. ACM Surveys, 2006.
[BKH+08] L. Bulwahn, A. Krauss, F. Haftmann, L. Erkök, and J. Matthews. Imperative functional programming with Isabelle/HOL. TPHOLs 2008, Montreal, LNCS 5170, 2008.
[Coo71] S. A. Cook. The complexity of theorem-proving procedures. New York, USA, 1971.
[DFMS10] A. Darbari, B. Fischer, and J. Marques-Silva. Industrial-strength certified SAT solving through verified SAT proof checking. ICTAC, 2010.
[DLL62] M. Davis, G. Logemann, and D. Loveland. A machine program for theorem-proving. Commun. ACM, 5(7), 1962.
[DP60] M. Davis and H. Putnam. A computing procedure for quantification theory. J. ACM, 7(3), 1960.
[DSW94] M. Davis, R. Sigal, and E. J. Weyuker. Computability, Complexity, and Languages: Fundamentals of Theoretical Computer Science. Morgan Kaufmann Publishers, 1994.
[ES04] N. Eén and N. Sörensson. An extensible SAT-solver. SAT 2004, 2004.
[Gel07] A. Van Gelder. Verifying propositional unsatisfiability: Pitfalls to avoid. SAT 2007, LNCS 4501, Lisbon, 2007.
[GKSS07] C. P. Gomes, H. Kautz, A. Sabharwal, and B. Selman. Satisfiability solvers. In Handbook of Knowledge Representation. Elsevier, 2007.
[GN02] E. Goldberg and Y. Novikov. BerkMin: A fast and robust SAT solver. Design Automation and Test in Europe (DATE), 2002.
[GN03] E. Goldberg and Y. Novikov. Verification of proofs of unsatisfiability for CNF formulas. Design Automation and Test in Europe (DATE), 2003.
[GSK98] C. Gomes, B. Selman, and H. Kautz. Boosting combinatorial search through randomization. Madison, WI, USA, 1998.
[HN10] F. Haftmann and T. Nipkow. Code generation via higher-order rewrite systems. FLOPS 2010, LNCS 6009, Springer, 2010.
[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10), 1969.
[Kle10] G. Klein et al. seL4: Formal verification of an operating-system kernel. Commun. ACM, 53(6), 2010.
[KG07] S. Krstić and A. Goel. Architecting solvers for SAT modulo theories: Nelson-Oppen with DPLL. FroCoS, 2007.
[LS08] S. Lescuyer and S. Conchon. A reflexive formalization of a SAT solver in Coq. TPHOLs 2008: Emerging Trends, Montreal, 2008.
[Mar08] F. Marić. SAT solver verification. The Archive of Formal Proofs, http://afp.sf.net/entries/SATSolverVerification.shtml.
[Mar09] F. Marić. Formalization and implementation of SAT solvers. J. Autom. Reason., 43(1), 2009.
[Mar10] F. Marić. Formal verification of a modern SAT solver by shallow embedding into Isabelle/HOL. Theoretical Computer Science, 411(50), 2010.
[MJ09] F. Marić and P. Janičić. SAT verification project. TPHOLs 2009: Emerging Trends, Munich, 2009.
[MJ10] F. Marić and P. Janičić. Formal correctness proof for DPLL procedure. Informatica, 21(1), 2010.
[MSS99] J. P. Marques-Silva and K. A. Sakallah. GRASP: A new search algorithm for satisfiability. International Conference on Computer-Aided Design, 1996.
[MMZ+01] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff: Engineering an efficient SAT solver. 2001.
[NOT06] R. Nieuwenhuis, A. Oliveras, and C. Tinelli. Solving SAT and SAT modulo theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). Journal of the ACM, 53(6), 2006.
[NPW02] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL — A Proof Assistant for Higher-Order Logic. LNCS 2283, Springer, 2002.
[Sch06] N. Schirmer. Verification of Sequential Imperative Programs in Isabelle/HOL. PhD thesis, Technische Universität München, 2006.
[SV09] N. Shankar and M. Vaucher. The mechanical verification of a DPLL-based satisfiability solver. Unpublished manuscript, 2008.
[WA09] T. Weber and H. Amjad. Efficiently checking propositional refutations in HOL theorem provers. J. Applied Logic.
[ZM02] L. Zhang and S. Malik. The quest for efficient Boolean satisfiability solvers. London, UK, 2002.
[ZM03] L. Zhang and S. Malik. Validating SAT solvers using an independent resolution-based checker. DATE 2003, Washington DC, USA, 2003.
[ZMMM01] L. Zhang, C. F. Madigan, M. H. Moskewicz, and S. Malik. Efficient conflict driven learning in a Boolean satisfiability solver. ICCAD 2001, Piscataway, USA, 2001.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/.