Understanding and Extending Incremental Determinization for 2QBF
Markus N. Rabe, Leander Tentrup, Cameron Rasmussen, and Sanjit A., Seshia

TL;DR
This paper formalizes and extends incremental determinization for 2QBF, integrating CEGAR and case analysis to improve solver performance, supported by experimental validation.
Contribution
It introduces a formal set of inference rules for incremental determinization and proposes two novel extensions that enhance its effectiveness.
Findings
Extensions significantly improve performance
Formalization aids understanding of algorithm design space
Experimental results validate the improvements
Abstract
Incremental determinization is a recently proposed algorithm for solving quantified Boolean formulas with one quantifier alternation. In this paper, we formalize incremental determinization as a set of inference rules to help understand the design space of similar algorithms. We then present additional inference rules that extend incremental determinization in two ways. The first extension integrates the popular CEGAR principle and the second extension allows us to analyze different cases in isolation. The experimental evaluation demonstrates that the extensions significantly improve the performance.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsFormal Methods in Verification · Logic, programming, and type systems · Machine Learning and Algorithms
11institutetext: 1University of California, Berkeley
2Saarland University
Understanding and Extending Incremental Determinization for 2QBF
Markus N. Rabe1
Leander Tentrup2
Cameron Rasmussen1
Sanjit A. Seshia1
Abstract
Incremental determinization is a recently proposed algorithm for solving quantified Boolean formulas with one quantifier alternation. In this paper, we formalize incremental determinization as a set of inference rules to help understand the design space of similar algorithms. We then present additional inference rules that extend incremental determinization in two ways. The first extension integrates the popular CEGAR principle and the second extension allows us to analyze different cases in isolation. The experimental evaluation demonstrates that the extensions significantly improve the performance.
1 Introduction
Solving quantified Boolean formulas (QBFs) is one of the core challenges in automated reasoning and is particularly important for applications in verification and synthesis. For example, program synthesis with syntax guidance [1, 2] and the synthesis of reactive controllers from LTL specifications has been encoded in QBF [3, 4]. Many of these problems require only formulas with one quantifier alternation (2QBF), which are the focus of this paper.
Algorithms for QBF and program synthesis largely rely on the counterexample-guided inductive synthesis principle (CEGIS) [5], originating in abstraction refinement (CEGAR) [6, 7]. For example, for program synthesis, CEGIS-style algorithms alternate between generating candidate programs and checking them for counter-examples, which allows us to lift arbitrary verification approaches to synthesis algorithms. Unfortunately, this approach often degenerates into a plain guess-and-check loop when counter-examples cannot be generalized effectively. This carries over to the simpler setting of 2QBF. For example, even for a simple formula such as , where and are 32-bit numbers, most QBF algorithms simply enumerate all pairs of assignments. In fact, even the modern QBF solvers diverge on this formula when preprocessing is deactivated.
Recently, Incremental Determinization (ID) has been suggested to overcome this problem [8]. ID represents a departure from the CEGIS approach in that it is structured around identifying which variables have unique Skolem functions. (To prove the truth of a 2QBF we have to find Skolem functions mapping to such that is valid.) After assigning Skolem functions to a few of the existential variables, the propagation procedure determines Skolem functions for other variables that are uniquely implied by that assignment. When the assignment of Skolem functions turns out to be incorrect, ID analyzes the conflict, derives a conflict clause, and backtracks some of the assignements. In other words, ID lifts CDCL to the space of Skolem functions.
ID can solve the simple example given above and shows good performance on various application benchmarks. Yet, the QBF competitions have shown that the relative performance of ID and CEGIS still varies a lot between benchmarks [9]. A third family of QBF solvers, based on the expansion of universal variables [10, 11, 12], shows yet again different performance characteristics and outperforms both ID and CEGIS on some (few) benchmarks. This variety of performance characteristics of different approaches indicates that current QBF solvers could be significantly improved by integrating the different reasoning principles.
In this paper, we first formalize and generalize ID [8] (Section 3). This helps us to disentangle the working principles of the algorithm from implementation-level design choices. Thereby our analysis of ID enables a systematic and principled search for better algorithms for quantified reasoning. To demonstrate the value and flexibility of the formalization, we present two extensions of ID that integrate CEGIS-style inductive reasoning (Section 4) and expansion (Section 5). In the experimental evaluation we demonstrate that both extensions significantly improve the performance compared to plain ID (Section 6).
Related work.
This work is written in the tradition of works such as the Model Evolution Calculus [13], AbstractDPLL [14], MCSAT [15], and recent calculi for QBF [16], which present search algorithms as inference rules to enable the study and extension of these algorithms. ID and the inference rules presented in this paper can be seen as an instantiation of the more general frameworks, such as MCSAT [15] or Abstract Conflict Driven Learning [17].
Like ID, quantified conflict-driven clause learning (QCDCL) lifts CDCL to QBF [18, 19]. The approaches differ in that QCDCL does not reason about functions, but only about values of variables. Fazekas et al. have formalized QCDCL as inference rules [16].
2QBF solvers based on CEGAR/CEGIS search for universal assignments and matching existential assignments using two SAT solvers [20, 21, 5]. There are several generalizations of this approach to QBF with more than one quantifier alternation [22, 23, 24, 25, 26].
2 Preliminaries
Quantified Boolean formulas over a finite set of variables with domain are generated by the following grammar:
[TABLE]
We consider all other logical operations, including implication, XOR, and equality as syntactic sugar with the usual definitions. We abbreviate multiple quantifications using the same quantifier by the quantification over the set of variables , denoted as .
An assignment to a set of variables is a function that maps each variable to either or . Given a propositional formula over variables and an assignment to , we define to be the formula obtained by replacing the variables by their truth value in . By we denote the replacement by multiple assignments for disjoint sets .
A quantifier for binds the variable in its subformula and we assume w.l.o.g. that every variable is bound at most once in any formula. A closed QBF is a formula in which all variables are bound. We define the dependency set of an existentially quantified variable in a formula as the set of universally quantified variables such that ’s subformula is a subformula of ’s subformula . A Skolem function maps assignments to to a truth value. We define the truth of a QBF as the existence of Skolem functions for the existentially quantified variables , such that holds for every , where is the assignment to that the Skolem functions provide for .
A formula is in prenex normal form, if the formula is closed and starts with a sequence of quantifiers followed by a propositional subformula. A formula is in the QBF fragment for if it is closed, in prenex normal form, and has exactly alternations between and quantifiers.
A literal is either a variable , or its negation . Given a set of literals , their disjunction is called a clause and their conjunction is called a cube. We use to denote the literal that is the logical negation of . We denote the variable of a literal by and lift the notion to clauses .
A propositional formula is in conjunctive normal form (CNF), if it is a conjunction of clauses. A prenex QBF is in prenex conjunctive normal form (PCNF) if its propositional subformula is in CNF. Every QBF can be transformed into an equivalent PCNF with size [27].
Resolution
is a well-known proof rule that allows us to merge two clauses as follows. Given two clauses and , we call their resolvent with pivot . The resolution rule states that and imply their resolvent. Resolution is refutationally complete for propositional Boolean formulas, i.e. for every propositional Boolean formula that is equivalent to false we can derive the empty clause.
For quantified Boolean formulas, however, we need additional proof rules. The two most prominent ways to make resolution complete for QBF are to add either universal reduction or universal expansion, leading to the proof systems Q-resolution [28] and Exp-Res [10, 29], respectively.
Universal expansion
eliminates a single universal variable by creating two copies of the subformulas of its quantifier. Let be a QBF in PCNF, where and each are a sequence of quantifiers, and let quantify over variables . Universal expansion yields the equivalent formula , where is a copy of but quantifying over a fresh set of variables instead of . The term denotes the where is replaced by and the variables are replaced by their counterparts in .
Universal reduction
allows us to drop universal variables from clauses when none of the existential variables in that clause may depend on them. Let a clause of a QBF and let be a literal of a universally quantified variable in . Let us further assume that does not occur in . If all existential variables in we have , universal reduction allows us to remove from . The resulting formula is equivalent to the original formula.
Stack.
For convenience, we use a stack data structure to describe the algorithm. Formally, a stack is a finite sequence. Given a stack , we use to denote the -th element of the stack, starting with index 0, and we use to denote concatenation. We use to denote the prefix up to element of . All stacks we consider are stacks of sets. In a slight abuse of notation, we also use stacks as the union of their elements when it is clear from the context. We also introduce an operation specific to stacks of sets : We define to be the stack that results from extending the set on level by element .
2.1 Unique Skolem Functions
Incremental determinization builds on the notion of unique Skolem functions. Let be a 2QBF in PCNF and let be a formula over characterizing the domain of the Skolem functions we are currently interested in. We say that a variable has a unique Skolem function for domain , if for each assignment with there is a unique assignment to such that is satisfiable. In particular, a unique Skolem function is a Skolem function:
Lemma 1
If all existential variables have a unique Skolem function for the full domain , the formula is true.
The semantic characterization of unique Skolem functions above does not help us with the computation of Skolem functions directly. We now introduce a local approximation of unique Skolem functions and show how it can be used as a propagation procedure.
We consider a set of variables with and focus on the subset of clauses that only contain variables in . We further assume that the existential variables in already have unique Skolem functions for in the formula . We now define how to extend by an existential variable . To define a Skolem function for we only consider the clauses with unique consequence , denoted , that contain a literal of and otherwise only literals of variables in . (Note that ). We define that variable has a unique Skolem function relative to for , if for all assignments to satisfying and there is a unique assignment to satisfying .
In order to determine unique Skolem functions relative to a set in practice, we split the definition into the two statements and . Each statement can be checked by a SAT solver and together they imply that variable has a unique Skolem function relative to .
Given a clause with unique consequence , let us call the antecedent of . Further, let be the disjunction of antecedents for the unique consequences containing the literal of . It is clear that whenever is satisfied, needs to be true, and whenever is satisfied, need to be false. We define:
[TABLE]
states that needs to be assigned either true or false for every assignment to in the domain that is consistent with the existing Skolem function definitions . Accordingly, states that does not have to be true and false at the same time (which would indicate a conflict) for any such assignment. Unique Skolem functions relative to a set approximate unique Skolem functions as follows:
Lemma 2
Let the existential variables in have unique Skolem functions for domain and let have a unique Skolem function relative to for domain . Then has a unique Skolem function for domain .
3 Inference Rules for Incremental Determinization
In this section, we develop a nondeterministic algorithm that formalizes and generalizes ID. We describe the algorithm in terms of inference rules that specify how the state of the algorithm can be developed. The state of the algorithm consists of the following elements:
- •
The solver status . The conflict status has two parameters: a clause that is used to compute the learnt clause and the assignment to the universals witnessing the conflict.
- •
A stack of sets of clauses. contains the original and the learnt clauses. for contain temporary clauses introduced by decisions.
- •
A stack of sets of variables. The union of all levels in the stack represent the set of variables that currently have unique Skolem functions and the clauses in represent these Skolem functions. contains the universals and the existentials whose Skolem functions do not depend on decisions.
- •
A formula over characterizing the set of assignments to the universals for which we still need to find a Skolem function.
- •
A formula over variables representing a temporary restriction on the domain of the Skolem functions.
We assume that we are given a 2QBF in PCNF and that all clauses in contain an existential variable. (If contains a non-tautological clause without existential variables, the formula is trivially false by universal reduction.) We define to be the initial state of the algorithm. That is, the clause stack initially has height 1 and contains the clauses of the formula . We initialize as the stack of height 1 containing the universals.
Before we dive into the inference rules, we want to point out that some of the rules in this calculus are not computable in polynomial time. The judgements and require us to solve a SAT problem and are, in general, NP-complete. This is still easier than the 2QBF problem itself (unless NP includes ) and in practice they can be discharged quickly by SAT solvers.
3.1 True QBF
We continue with describing the basic version of ID, consisting of the rules in Fig. 1 and Fig. 2, and first focus on the rules in Fig. 1, which suffice to prove true 2QBFs. Propagate allows us to add a variable to , if it has a unique Skolem function relative to . (The notation means that we add to the last level of the stack.) The judgements and involve the current set of clauses (i.e. the union of all sets of clauses in the sequence ). These checks are restricted to the domain . Both and are true throughout this section; we discuss their use in Section 4 and Section 5.
**Invariant 1. ** All existential variables in have a unique Skolem function for the domain in the formula , where are the clauses in that contain only variables in .
If Propagate identifies all variables to have unique Skolem functions relative to the growing set , we know that they also have unique Skolem functions (Lemma 2). We can then apply Sat to reach the state, representing that the formula has been proven true (Lemma 1).
Lemma 3
ID cannot reach the SAT state for false QBF.
Proof
Let us assume we reached the state for a false 2QBF and prove the statement by way of contradiction. The state can only be reached by the rule Sat and requires . By Invariant 1 all variables have a Skolem function in . Since includes , this Skolem function does not violate any clause in , which means it is indeed a proof. ∎
When Propagate is unable to determine the existence of a unique Skolem function (i.e. for variables where the judgement does not hold) we can use the rule Decide to introduce additional clauses such that holds and propagation can continue. Note that additional clauses make it easier to satisfy and adding the clause (i.e. a unit clause) even ensures that holds for .
Assuming we consider a true 2QBF, we can pick a Skolem function for each existential variable and encode it using Decide. We can simply consider the truth table of in terms of the universal variables and define to be the set of clauses . (Here we interpret the assignment as a conjunction of literals.) These clauses have unique consequence and they guarantee that is deterministic. Further, they guarantee that is , as otherwise would not be a Skolem function, so we can apply Propagate to add to . Repeating this process for every variable let us reach the point where and we can apply Sat to reach the state.
Lemma 4
ID can reach the SAT state for true QBF.
Note that proving the truth of a QBF in this way requires guessing correct Skolem functions for all existentials. In Subsection 3.4 we discuss how termination is guaranteed with a simpler type of decisions.
3.2 False QBF
To disprove false 2QBFs, i.e. formulas that do not have a Skolem function, we need the rules in Fig. 2 in addition to Propagate and Decide from Fig. 1. The state can only be reached via the rule Conflict, which requires that a variable is conflicted, i.e. fails. The Conflict rule stores the assignment to that proves the conflict and it creates the nucleus of the learnt clause . Via Analyze we can then resolve that nucleus with clauses in , which consists of the original clauses and the clauses learnt so far. We are allowed to add the learnt clause back to by applying Learn.
**Invariant 2. ** is equivalent to .
Note that and are propositional formulas over . Their equivalence means that they have the same set of satisfying assignments. We prove Invariant 3.2 together with the next invariant.
**Invariant 3. ** Clause in conflict state is implied by .
Proof
contains initially and is only ever changed by adding clauses through the Learn rule, so holds throughout the computation.
We prove the other direction of Invariant 3.2 and Invariant 3.2 by mutual induction. Initially, consists exactly of the clauses , satisfying Invariant 3.2. The nucleus of the learnt clause is trivially true, so it is implied by any formula, which gives us the base case of Invariant 3.2. Analyze is the only rule modifying , and hence soundness of resolution together with Invariant 3.2 already gives us the induction step for Invariant 3.2 [30]. Since Learn is the only rule changing , Invariant 3.2 implies the induction step of Invariant 3.2. ∎
When adding the learnt clause to we have to make sure that Invariant 1 is preserved. Learn hence requires that we have backtracked far enough with Backtrack, such that at least one of the variables in is not in anymore. In this way, may become part of future Skolem function definitions, but will first have to be checked for causing conflicts by Propagate.
If all variables in are in and the assignment from the conflict violates , we can conclude the formula to be false using Unsat. The soundness of this step follows from the fact that includes an assignment satisfying (i.e. the clauses defining the Skolem functions for ), Invariant 1 and Invariant 3.2.
Lemma 5
ID cannot reach the UNSAT state for true QBF.
We will now show that we can disprove any false QBF. The main difficulty in this proof is to show that from any state we can learn a new clause, i.e. a clause that is semantically different to any clause in , and then return to the state. Since there are only finitely many semantically different clauses over variables , and we cannot terminate in any other way (Lemma 5), we eventually have to find a clause with , which enables us to go to the state.
From the state, we can always add more variables to with Decide and Propagate, until we reach a conflict. (Otherwise we would reach a state where we were able to prove , contradicting Lemma 5.) We only enter a state for a variable , if there are two clauses and with unique consequence such that (see definition of ).
In order to apply Analyze, we need to make sure that and are in . We can guarantee this by restricting Decide as follows: We say a decision for a variable is consistent with the unique consequences in state , if . We can construct such a decision easily by applying Decide only on variables that are not conflicted already (i.e. ) and by defining to be the CNF representation of (i.e. require to be false, unless a unique consequence containing literal applies). It is clear that for this no new conflict for is introduced and hence .
Assuming that all decisions are taken consistent with the unique consequences, we know that when we encounter a conflict for variable , we did not apply Decide for , and hence the clauses and causing the conflict must be in . We can hence apply Analyze twice with clauses and and obtain the learnt clause . Since , the learnt clause is violated by . As refutes by construction, it must satisfy the clauses and learnt clause hence cannot be in . Further, only contains variables that are in , as and were clauses with unique consequence . So, would have been in , if it existed in already, and hence is new. We can either add the new clause to after backtracking, or we can conclude .
Lemma 6
ID can reach the state for false QBF.
The clause learning process considered here only applies one actual resolution step per conflict (). In practice, we probably want to apply multiple resolution steps before applying Learn. It is possible to use the conflicting assignment to (implicitly) construct an implication graph and mimic the clause learning of SAT solvers [8, 31].
3.3 Example
We now discuss the application of the inference rules along the following formula:
[TABLE]
Initially, the state of the algorithm is the tuple . The rule Propagate can be applied to in the initial state, as we are in the state, , and because satisfies the checks and : The antecedents of are and (see clauses in line ). It is easy to check that both nor hold for all assignments to and . The state resulting from the application of Propagate is . (Alternatively, we could apply Decide in the initial state, but deriving unique Skolem functions is generally preferable.)
While Propagate was not applicable to before, it now is, as the increased set made (see clauses in line ). We can thus derive the state .
Now, we ran out of variables to propagate and the only applicable rule is Decide. We arbitrarily choose as our decision variable and arbitrarily introduce a single clause , arriving in the state . In this step we can immediately apply Propagate (consider and the clauses in line ) to add the decision variable to the set and arrive at .
We can now apply Backtrack to undo the last decision, but this would not be productive. Instead identify to be conflicted and we enter a conflict state with Conflict: . To resolve the conflict we apply Analyze twice - once with each of the clauses in line - bringing us into state . We can backtrack one level such that and then apply Learn to enter state .
The rest is simple: we apply Propagate on and take a decision for . As no other variable can depend on we can take an arbitrary decision for that makes deterministic, as long as this does not make conflicted. Finally, we can propagate and then apply to conclude that we have found Skolem functions for all existential variables.
3.4 Termination
So far, we have described sound and nondeterministic algorithms that allow us to prove or disprove any 2QBF. We can easily turn the algorithm in the proof of Lemma 6 into a deterministic algorithm that terminates for both true and false QBF by introducing an arbitrary ordering of variables and assignments: Whenever there is nondeterminism in the application of one of the rules as described in Lemma 6, pick the smallest variable for which one of the rules is applicable. When multiple rules are applicable for that variable, pick them in the order they appear in the figures. When the inference rule allows multiple assignments, pick the smallest. In particular, this guarantees that the existential variables are added to in the arbitrarily picked order, as for any existential not in we can either apply Propagate, Decide, or Conflict.
Restricting Decide to decisions that are consistent with the unique consequences may be unintuitive for true QBF, where we try to find a Skolem function. However, whenever we make the 2QBF false by introducing clauses with Decide, we will eventually go to a conflict state and learn a new clause. Deriving the learnt clause for conflicted variable from two clauses with unique consequence (as described for Lemma 6) means that we push the constraints towards smaller variables in the variable ordering. The learnt clause will thus improve the Skolem function for a smaller variable or cause another conflict for a smaller variable. In the extreme case, we will eventually learn clauses that look like function table entries, as used in Lemma 4, i.e. clauses containing exactly one existential variable. At some point, even with our restriction for Decide, we cannot make a “wrong” decision: The cases for which a variable does not have a clause with unique consequence are either irrelevant for the satisfaction of the 2QBF or our restricted decisions happen to make the right assignment.
In cases where no static ordering of variables is used - as it will be the case in any practical approach - the termination for true QBF is less obvious but follows the same argument: Given enough learnt clauses, the relationships between the variables are dense enough such that even naive decisions suffice.
3.5 Pure literals
The original paper on ID introduces the notion of pure literals for QBF that allows us to propagate a variable even if it is not deterministic, if for a literal of , all clauses that occurs in are either satisfied or is the unique consequence of . The formalization presented in this section allows us to conclude that pure literals are a special case of Decide: We can introduce clauses defining to be of polarity whenever all clauses containing are satisfied by another literal.
That is, we can precisely characterize the minimal set of cases in which has to be of polarity and the decision is guaranteed to never introduce unnecessary conflicts. The same definition cannot be made when occurs in clauses where it is not a unique consequence, as then the clause contains another variable that is not deterministic yet.
3.6 Relation of ID and CDCL
There are some obvious similarities between ID and conflict-driven clause learning (CDCL) for SAT. Both algorithms modify their partial assignments by propagation, decisions, clause learning, and backtracking. The main difference between the algorithms is that, while CDCL solvers maintain a partial assignment of Boolean values to variables, ID maintains a partial assignment of functions to variables (which is represented by the clauses ). We summarized our observations in Fig. 3.
4 Inductive Reasoning
The CEGIS approach to solving a 2QBF is to iterate over assignments and check if there is an assignment such that is valid. Upon every successful iteration we exclude all assignments to for which is a matching assignment. If the space of assignments is exhausted we conclude the formula is true, and if we find an assignment to for which there is no matching assignment, the formula is false [21].
While this approach shows poor performance on some problems, as discussed in the introduction, it is widely popular and has been successfully applied in many cases. In this section we present a way how it can be integrated in ID in an elegant way. The simplicity of the CEGIS approach carries over to our extension of ID - we only need the two additional inference rules in Fig. 4.
We exploit the fact that ID already generates assignments to in its conflict check. Whenever ID is in a conflict state, the rules in Fig. 4 allow us to check if there is an assignment to that together with , which is the part of defining variables in , satisfies . If there is such an assignment , we can let the Skolem functions output for the input . But the output may work for other assignments to , too. The set of all assignments to for which works as an output, is easily characterized by . 111We can actually exploit the Skolem functions that do not depend on decisions and exclude from instead, i.e. the set of assignments to to which the part of that is not in is a solution. InductiveRefinement allows us to exclude the assignments from , which represents the domain (i.e. assignments to ) for which we still need to find a Skolem function.
This gives rise to a new invariant, stating that only includes assignments to for which we know that there is an assignment to satisfying . With this invariant it is clear that Lemma 3 also holds for arbitrary .
**Invariant 4. **
It is easy to check that Propagate preserves Invariant 1 also if and are not . Invariant 3.2 and Invariant 3.2 are unaffected by the rules in this section. To make sure that Lemma 5 is preserved as well, we thus only have to inspect Failed, which is trivially sound.
A portfolio approach?
In principle, we could generate assignments independently from the conflict check of ID. The result would be a portfolio approach that simply executes ID and CEGIS in parallel and takes the result from whichever method terminates first. The idea behind our extension is that conflict assignments are more selective and may thus increase the probability that we hit a refuting assignment to . Also ID may profit from excluding groups of assignments for which frequently cause conflicts. We revisit this question in Section 6.
Example.
We extend the example from Subsection 3.3 from the point where we entered the conflict state . We can apply InductiveRefinement, checking that there is indeed a solution to for the assignment to the universals (e.g. ). Instead of doing the standard conflict analysis as in our previous example, we can apply Learn to add the (useless) clause to without any backtracking. That is, we effectively ignore the conflict and go to state .
There is no assignment to that provokes a conflict for , other than the one we excluded through InductiveRefinement. We can thus take an arbitrary decision for that is consistent with the unique consequences (see Subsection 3.2), Propagate , and then conclude the formula to be true.
5 Expansion
Universal expansion (defined in Section 2) is another fundamental proof rule that deals with universal variables. It has been used in early QBF solvers [10] and has later been integrated in CEGAR-style QBF solvers [32, 26].
One way to look at the expansion of a universal variable is that it introduces a case distinction over the possible values of in the Skolem functions. However, instead of creating a copy of the formula explicitly, which often caused a blowup in required memory, we can reason about the two cases sequentially. The rules in Fig. 5 extend ID by universal expansion in this spirit.
Using Assume we can, at any point, assume that a variable in , i.e. a variable that has a unique Skolem function without any decisions, has a particular value. This is represented by extending by the corresponding literal of , which restricts the domain of the Skolem function that we try to construct for subsequent and checks. Invariant 1 and Lemma 5 already accommodate the case that is not .
When we reach a point where contains all variables, we cannot apply Sat, as that requires to be true. In this case, Invariant 1 only guarantees us that the function we constructed is correct on the domain . We can hence restrict the domain for which we still need to find a Skolem function and strengthen by . In particular, Close maintains Invariant 4. When ends up being equivalent to , Invariant 4 guarantees that the original formula is true. (In this case we can reach the state easily, as we know that from now on every application of Propagate must succeed. 222Technically, we could replace Sat by a rule that allows us to enter the state whenever is , which arguably would be more elegant. But that would require us to introduce the Close rule already for the basic ID inference system.)
Note that Assume does not restrict us to assumptions on single variables. Together with Decide and Propagate it is possible to introduce variables with arbitrary definitions, add them to , and then assume an outcome with the rule Assume.
Example.
Again, we consider the formula from Subsection 3.3. Instead of the reasoning steps described in Subsection 3.3, we start using Assume with literal . Whenever checking or in the following, we will thus restrict ourselves to universal assignments that set to true. It is easy to check that this allows us to propagate not only and , but also . A decision (e.g. ) for allows us to also propagate (this time without potential for conflicts), arriving in state .
We can Close this case concluding that under the assumption we have found a Skolem function. We enter the state which indicates that in the future we only have to consider universal assignments with . Also for the case , we cannot encounter conflicts for this formula. Expansion hence allows us to prove this formula without any conflicts.
6 Experimental Evaluation
We extended the QBF solver CADET [8] by the extensions described in Section 4 and Section 5. We use the CADET-IR and CADET-E to denote the extensions of CADET by inductive reasoning (Section 4) and universal expansion (Section 5), respectively. We also combined both extensions and refer to this version as CADET-IR-E. The experiments in this section evaluate these extensions against the basic version of CADET and against other successful QBF solvers of the recent years, in particular GhostQ [33], RAReQS [32], Qesto [23], DepQBF [19] in version 6, and CAQE [24, 26]. For every solver except CADET and GhostQ, we use Bloqqer [34] in version 031 as preprocessor. For our experiments, we used a machine with a quad-core Intel Xeon processor and of memory. The timeout and memout were set to seconds and . We evaluated the solvers on the benchmark sets of the last competitive evaluation of QBF solvers, QBFEval-2017 [9].
How does inductive reasoning affect the performance?
In Fig. 6 we see that CADET-IR clearly dominates plain CADET. It also dominates all solvers that relied on clause-level CEGAR and Bloqqer (CAQE, Qesto, RAReQS).
Only GhostQ beats CADET-IR and solves 5 more formulas (of 384). A closer look revealed that there are many formulas for which CADET-IR and GhostQ show widely different runtimes hinting at potential for future improvement.
GhostQ is based on the CEGAR principle, but reconstructs a circuit representation from the clauses instead of operating on the clauses directly [33]. This makes GhostQ a representative of QBF solvers working with so called “structured” formulas (i.e. not CNF). CADET, on the other hand, refrains from identifying logic gates in CNF formulas and directly operates with the “unstructured” CNF representation. In the ongoing debate in the QBF community on the best representation of formulas for solving quantified formulas, our experimental findings can thus be interpreted as a tie between the two philosophies.
Is the inductive reasoning extension just a portfolio-approach?
To settle this question, we created a version of CADET-IR, called IR-only, that exclusively applies inductive reasoning by generating assignments to the universals and applying InductiveReasoning. This version of CADET does not learn any clauses, but otherwise uses the same code as CADET-IR. On the QBFEval-2017 benchmark, IR-only and CADET together solved 235 problems within the time limit, while CADET-IR solved 243 problems. That is, even though the combined runtime of CADET and IR-only was twice the runtime of CADET-IR, they solved fewer problems. CADET-IR also uniquely solved 22 problems. This indicates that CADET-IR improves over the portfolio approach.
How does universal expansion affect the performance?
CADET-E clearly dominates plain CADET on QBFEval-2017, but compared to CADET-IR and some of the other QBF solvers, CADET-E shows mediocre performance overall. However, for some subsets of formulas, such as the Hardware Fixpoint formulas shown in Fig. 7, CADET-E dominated CADET, CADET-IR, and all other solvers. We also combined the two extensions of CADET to obtain CADET-IR-E. While this helped to improve the performance on the Hardware Fixpoint formulas even further, it did not change the overall picture on QBFEval-2017.
7 Conclusion
Reasoning in quantified logics is one of the major challenges in computer-aided verification. Incremental Determinization (ID) introduced a new algorithmic principle for reasoning in 2QBF and delivered first promising results [8]. In this work, we formalized and generalized ID to improve the understanding of the algorithm and to enable future research on the topic. The presentation of the algorithm as a set of inference rules has allowed us to disentangle the design choices from the principles of the algorithm (Section 3). Additionally, we have explored two extensions of ID that both significantly improve the performance: The first one integrates the popular CEGAR-style algorithms and Incremental Determinization (Section 4). The second extension integrates a different type of reasoning termed universal expansion (Section 5).
Acknowledgements
We want to thank Martina Seidl, who brought up the idea to formalize ID as inference rules, and Vijay D’Silva, who helped with disentangling the different perspectives on the algorithm. This work was supported in part by NSF grants 1139138, 1528108, 1739816, SRC contract 2638.001, the Intel ADEPT center, and the European Research Council (ERC) Grant OSARES (No. 683300). [36]
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] A. Solar-Lezama, R. M. Rabbah, R. Bodík, and K. Ebcioglu, “Programming by sketching for bit-streaming programs,” in Proceedings of PLDI , 2005, pp. 281–294.
- 2[2] R. Alur, R. Bodik, G. Juniwal, M. M. Martin, M. Raghothaman, S. A. Seshia, R. Singh, A. Solar-Lezama, E. Torlak, and A. Udupa, “Syntax-guided synthesis,” Dependable Software Systems Engineering , vol. 40, pp. 1–25, 2015.
- 3[3] P. Faymonville, B. Finkbeiner, M. N. Rabe, and L. Tentrup, “Encodings of bounded synthesis,” in Proceedings of TACAS , 2017.
- 4[4] R. Bloem, R. Könighofer, and M. Seidl, “SAT-based synthesis methods for safety specs,” in Proceedings of VMCAI , K. L. Mc Millan and X. Rival, Eds. Springer Berlin Heidelberg, 2014, pp. 1–20.
- 5[5] A. Solar-Lezama, L. Tancau, R. Bodík, S. A. Seshia, and V. A. Saraswat, “Combinatorial sketching for finite programs,” in Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) . ACM Press, October 2006, pp. 404–415.
- 6[6] E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, “Counterexample-guided abstraction refinement,” in Proceedings of Computer Aided Verification . Springer Berlin Heidelberg, 2000, pp. 154–169.
- 7[7] S. Jha and S. A. Seshia, “A Theory of Formal Synthesis via Inductive Learning,” Acta Informatica , vol. 54, no. 7, pp. 693–726, 2017.
- 8[8] M. N. Rabe and S. A. Seshia, “Incremental determinization,” in Proceedings of SAT . Berlin, Heidelberg: Springer-Verlag, 2016.
