 # Partial Quantifier Elimination By Certificate Clauses

We study a modification of the Quantifier Elimination (QE) problem called Partial QE (PQE) for propositional CNF formulas. In PQE, only a small subset of target clauses is taken out of the scope of quantifiers. The appeal of PQE is that many verification problems, e.g. equivalence checking and model checking, reduce to PQE and, intuitively, the latter should be much easier than QE. One can perform PQE by adding a set of clauses depending only on free variables that make the target clauses redundant. Proving redundancy of a target clause is done by derivation of a "certificate" clause implying the former. This idea is implemented in our PQE algorithm called START. It bears some similarity to a SAT-solver with conflict driven learning. A major difference here is that START backtracks when a target clause is proved redundant in the current subspace (a conflict being just one of backtracking conditions). We experimentally evaluate START on a practical problem. We use this problem to show that PQE can be much easier than QE.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Many verification problems reduce to Quantifier Elimination (QE). So, any progress in QE is of great importance. In this paper, we consider propositional CNF formulas with existential quantifiers. Given formula where and are sets of variables, the QE problem is to find a quantifier-free formula such that . Building a practical QE algorithm is hard: in the worst case, finding reduces to solving satisfiability (SAT) problems.

There are at least two ways of making QE easier to solve. First, one can consider only instances of QE where is small. In particular, if , QE reduces to a SAT problem. This line of research featuring efficient verification algorithms based on SAT (e.g.  [2, 27, 6]) has gained great popularity. Another way to address the complexity of QE suggested in  is to perform partial QE (PQE). Given formula , the PQE problem is to find a quantifier-free formula such that . We will say that formula is obtained by taking out of the scope of quantifiers. We will call a solution for the PQE problem above.

The appeal of PQE is threefold. First, in many verification problems, one can replace QE with PQE (see Section 2). Second, intuitively, PQE should be much simpler than QE when is much smaller than . Third, quantifiers give PQE extra semantic power over pure SAT-solving. For instance, an equivalence checker based on PQE  enables construction of short resolution proofs of equivalence for a very broad class of structurally similar circuits. These proofs are based on the notion of clause redundancy111A clause is a disjunction of literals (where a literal of a Boolean variable is either itself or its negation ). So a CNF formula is a conjunction of clauses: . We also consider as the set of clauses . Clause is redundant in if . in a quantified formula and thus cannot be generated by a traditional SAT-solver. In , it is shown that a PQE-solver can compute the reachability diameter and so can turn bounded model checking  into unbounded one (as opposed to a pure SAT-solver).

A solution to the PQE problem can be found using the two observations below. First, (i.e. implies ). So can be obtained by resolving clauses of . Second, . Thus, a formula implied by becomes a solution as soon as makes the clauses of redundant. Note that resolution alone is not sufficient to express redundancy in a quantified formula. Suppose, for instance, that a clause is redundant in . In general, . So, one cannot certify redundancy of by resolving clauses of to derive a clause implying . In [13, 19], we addressed the problem above by the machinery of D-sequents. A D-sequent is a record claiming redundancy of a clause in a specified subspace. The machinery of D-sequents has two flaws. First, the semantics of a D-sequent is complicated, which makes it hard to prove the correctness of an algorithm employing D-sequents. Second, to reuse a D-sequent in different branches of the search tree, one has to keep a lot of contextual information. This makes D-sequent reusing quite expensive.

The contribution of this paper is as follows. First, we show how the problem above can be solved by combining resolution with adding clauses that preserve equisatisfiability rather than equivalence. Then, in the example above, one can always derive a clause implying clause to certify that the latter is redundant in . The clause is called a certificate clause. Importantly, the semantics of certificates is easy and reusing certificate clauses does not require storing any contextual information (as opposed to D-sequents). Second, we implement our approach in a PQE algorithm called

, an abbreviation of Single TARgeT. At any given moment,

proves redundancy222By ”proving a clause redundant” we mean showing that is redundant after adding some new clauses (if necessary). of only one clause (hence the name “single target”). is somewhat similar to a SAT-solver with conflict driven learning. A major difference here is that backtracks as soon as a target clause is proved redundant in the current subspace (even if no conflict occurred). Third, we provide an experimental evaluation of on the problem of computing range reduction (in the context of testing). Range reduction can also be computed by QE. We use and high-quality QE tools like CADET  to show that PQE can be dramatically simpler than QE.

The main body333Some additional information is provided in appendices. of this paper is structured as follows. Section 2 lists some verification problems that reduce to PQE. Basic definitions are provided in Sections 3-4. In Section 5, we give an example of the PQE problem. PQE by computing redundancy is introduced in Section 6. is described in Sections 7-9. Section 10 provides experimental results. Some background is given in Section 11. In Section 12, we make conclusions.

## 2 Some applications of PQE

In this paper, we use a top-down approach to studying PQE. First, we argue the importance of PQE even though no efficient PQE algorithm exists yet. Then we start developing such an algorithm. (A more traditional approach is to proceed in a bottom-up manner. First, a new efficient technique is developed e.g. BDDs  or SAT-solving with clause learning [25, 28] and then new verification tools are built around it.) In this section, we justify our interest in PQE by listing some well-known problems that reduce to PQE. One more such a problem is described in Section 10.

SAT-solving. Let be a formula to check for satisfiability and be a full assignment to . Let and denote the clauses of falsified and satisfied by respectively. Checking the satisfiability of reduces to finding a Boolean constant such that (see  ). is a constant because all variables of are quantified. If , then is unsatisfiable. Otherwise, i.e. if , formula is satisfiable (since satisfies ).

Interpolation. Let be a formula where are sets of variables. Let be a formula such that where . Assume and . Then

is an interpolant

[10, 27]. So, one can view interpolation as a special case of PQE .

Equivalence checking. Let and be single-output combinational circuits to check for equivalence. Here are sets of input and internal variables and is the output variable of . Let specify the predicate such that = 1 iff . Here is a full assignment to , . Let formulas and specify444 Let be a combinational circuit where specify the sets of input, internal and output variables of respectively. A formula specifies the circuit , if every assignment satisfying corresponds to a consistent assignment to the variables of and vice versa. An assignment to the variables of is called consistent if it is consistent for every gate of i.e. the value assigned to the output variable of is implied by the values assigned to the input variables of . circuits and respectively. Let be a formula such that where . If specifies , then and are equivalent. Otherwise, they are inequivalent555There is one very rare exception here (see ). The fact that does not specify may also mean that both and implement the same Boolean constant and hence are equivalent. This possibility can be checked by a few easy SAT calls.  .

Model checking. Let formulas and specify the transition relation and initial states of a system respectively. Here and are sets of variables specifying the present and next states respectively. Let denote the reachability diameter of (i.e. every state of is reachable in at most transitions). Given a number , one can use a PQE solver to check if as follows . Let and and and and . Testing if reduces to checking if i.e. whether is redundant. If so, then and to prove a safety property, it suffices to run bounded model checking . (Namely, it suffices to show that no counterexample of length or less exists.)

## 3 Basic Definitions

In this paper, we consider only propositional CNF formulas. In this section, when we say “formula” without mentioning quantifiers, we mean a quantifier-free formula.

###### Definition 1

Let be a formula and be a subset of variables of . We will refer to as an formula.

###### Definition 2

Let be a formula. denotes the set of variables of and denotes .

###### Definition 3

Let be a set of variables. An assignment to is a mapping where . We will refer to as a full assignment to if . We will denote the set of variables assigned in   as . We will denote as the fact that a) and b) every variable of has the same value in and .

###### Definition 4

Let be a clause, be a formula that may have quantifiers, and be an assignment. if is satisfied by . Otherwise, is the clause obtained from by removing all literals falsified by . denotes the formula obtained from by removing the clauses satisfied by and replacing every clause unsatisfied by with .

###### Definition 5

Let be an formula. A clause of is called an -clause if .

###### Definition 6

Let be formulas that may have quantifiers. We say that are equivalent, written , if for all assignments where , we have .

###### Definition 7

Let be a formula and and . The clauses of are redundant in if . The clauses of are redundant in if .

###### Definition 8

The Quantifier Elimination (QE) problem specified by is to find formula such that .

###### Definition 9

The Partial QE (PQE) problem of taking out of the scope of quantifiers in is to find formula such that . Formula is called a solution to PQE.

###### Remark 1

Note that if is a solution to the PQE problem above and a clause is implied by alone, then is a solution too. So is not redundant in only if at least one clause of is not implied by .

## 4 Implication By Equisatisfiability

The relation of implication can be introduced via that of equivalence. Namely, formula is implied by formula iff . This observation can be used for introducing implication with respect to equisatisfiability. This type of implication is very useful in describing PQE by computing redundancy.

###### Definition 10

Let and be formulas and (and so and are equisatisfiable for every full assignment to ). We will say that is es-implied by with respect to . A clause is called an es-clause with respect to and if it is es-implied by with respect to .

We will use symbols and to denote regular implication and es-implication respectively. Note that if , then with respect to . However, the opposite is not true. We will just say that es-implies without mentioning if the latter is clear from the context or empty.

###### Definition 11

Let clauses , have opposite literals of exactly one variable . Then clauses , are called resolvable on . The clause having all literals of but those of is called the resolvent of , on . The clause is said to be obtained by resolution on .

###### Definition 12

Let be a formula and be a clause. Let be the set of clauses of resolvable with on a variable . Let where satisfy . The clause is called blocked in at with respect to if with respect to . (In particular, is blocked if is an empty set.) This definition modifies that of a blocked clause given in [24, 12].

###### Proposition 1

Let be a formula and be a clause blocked in at with respect to . Then with respect to .

Proofs of the propositions are given in Appendix 0.A.

## 5 A Simple Example Of PQE

In this section, we present an example of PQE by computing clause redundancy. Let be an where , , , , . The set of unquantified variables is . Below, we take out of the scope of quantifiers by proving it redundant.

In subspace , clauses are unit (i.e. one literal is unassigned, the rest are falsified). After assigning , to satisfy , the clause is falsified. By conflict analysis , one derives the conflict clause (obtained by resolving with clauses and ). Adding to makes redundant in subspace . Note that is not redundant in in subspace . Formula is satisfiable in subspace whereas is not. So, one has to add to make redundant in this subspace.

In subspace , is blocked at . ( is resolvable on only with that is satisfied by and hence is redundant in subspace .) So is redundant in formula when . This redundancy can be certified by the clause that implies in subspace . Note that is blocked in formula at (because and are unresolvable on ). So, from Proposition 1 it follows that this formula es-implies with respect to . (The construction of clauses like is described in Subsection 7.4.) Adding is optional because is already redundant in subspace .

By resolving clauses and one derives the clause that implies . The clause serves just as a certificate of the global redundancy of . Thus, like , it does not have to be added to the formula. So, . Since implies , then . So is a solution to our PQE problem.

## 6 PQE By Proving Redundancy

In this section, we generalize the example of Section 5 where redundancy is proved by branching. This generalization also sketches the main idea of , a PQE algorithm described later. Consider the following PQE problem. Given a formula and a clause , find formula such that (where “trg” stands for “target”). By assigning variables of , one eventually reaches a subspace where a clause implying in this subspace can be easily derived (which proves redundant). One can derive two kinds of clauses implying in subspace . (The clauses of both kinds are implied or es-implied by the current formula .) A clause of the first kind is derived using . Such a clause has to be added to the formula to guarantee that is redundant in subspace . A clause of the second kind is derived without using . It just serves as a witness of the redundancy of . So, adding such a clause to the formula is optional.

By resolving clauses implying in different branches one eventually derives a clause such that and . Then . Let denote the clauses to that were obtained using (i.e. clauses of the first kind). Let . Since , then . Let denote the initial version of formula . Formula is obtained from by adding clauses of the second kind. These clauses are es-implied by with and without (see Subsection 7.4). Thus, can be replaced with and so . If all clauses of depend only on , is a solution to the PQE problem at hand. Otherwise, one keeps applying the algorithm above to the -clauses of (one by one) until depends only on .

## 7 Introducing START

In this section, we give a high-level view of the PQE algorithm called (an abbreviation of Single TARgeT). A more detailed description of is presented in the next two sections. A proof of correctness of is given in Appendix 0.C.

### 7.1 Main loop of START

accepts formulas , and set and outputs formula such that . The main loop of is shown in Fig. 1. We use symbol ’’ to separate in/out-parameters and in-parameters. For instance, the line means that are changed by (via adding/removing clauses) whereas the set is not.

runs a while loop that begins with picking an -clause (line 2). We will refer to as the target clause. If has no -clauses, it is the solution returned by (lines 3-5). Otherwise, sets the initial assignment to to and invokes a procedure called PrvRed to prove redundant (line 7). The latter may require adding new clauses to and . In particular, PrvRed may add to new -clauses to prove redundant in later iterations of the loop. PrvRed returns a clause certifying redundancy of (see Subsection 7.3). If is an empty clause, the initial formula is unsatisfiable. In this case, PrvRed returns as a solution (line 8). Otherwise, and contains at least one literal of . Besides, . removes from and begins a new iteration (line 9).

### 7.2 High-level view of PrvRed

The algorithm of PrvRed is similar to that of a SAT-solver . PrvRed makes decision assignments and runs Boolean Constraint Propagation (BCP). In particular, PrvRed uses the notion of a decision level that consists of a decision assignment and the implied assignments derived by BCP. The decision level number 0 is an exception: it consists only of implied assignments. When a backtracking condition is met (e.g. is blocked), PrvRed analyzes the situation and generates a new clause. Then PrvRed backtracks to the lowest decision level where an implied assignment can be derived from the learned clause. (Like a SAT-solver backtracks to the lowest level where the conflict clause is unit.)

However, there are important differences between PrvRed and a SAT-solver. First, the goal of PrvRed is to prove redundant rather than find a satisfying assignment. So, it enjoys a richer set of backtracking conditions. This set is complete i.e. a backtracking condition is always met when assigning variables of . (More details are given in Subsection 8.2 and Appendix 0.C.3.) Second, PrvRed learns both conflict and non-conflict clauses (see the next subsection). The type of derived clause depends on the backtracking condition met during BCP. Third, when becomes unit, PrvRed recursively calls itself to prove redundancy of clauses of resolvable with on the unassigned variable (see Subsection 8.3). Fourth, due to recursive calls, PrvRed backtracks differently from a SAT-solver.

### 7.3 Clauses generated by START

PrvRed backtracks when it is able to generate a clause implying in the current subspace i.e. . We call a certificate clause (or just a certificate for short) because it certifies the redundancy of in subspace666 If satisfies , the latter is redundant in subspace . However,PrvRed never proves redundancy of by making an assignment satisfying its literal. So, we assume here that does not satisfy . . We will refer to as a witness certificate if is derived without using . Then is es-implied by and so, adding to is optional. We will call a participant-certificate if it is derived using clause . In this case, one cannot guarantee that is es-implied (let alone implied) by . So to claim that is redundant in one has to add to .

We will refer to as a conflict certificate for in subspace if is an empty clause. (In this case, trivially implies .) If implies not being empty, it is called a non-conflict certificate. In this case, every literal of where variable is not assigned by is present in .

###### Definition 13

Let certificate state redundancy of clause in a subspace. We will refer to the clause consisting of the literals of that are not in as the conditional of .

If the conditional of is falsified in subspace , then . One can derive an implied assignment from when its conditional is unit like this is done by a SAT-solver when a clause becomes unit (see the example below).

###### Example 1

Let certify redundancy of in subspace i.e. . The conditional of is . Suppose but is unassigned yet. Then the conditional of is unit. Since proves redundant if , one can derive the assignment directing search to a subspace where is not proved redundant yet.

A conflict certificate derived by PrvRed can be either a participant-certificate or a witness-certificate (depending on whether is involved in the conflict at hand). At the same time, all non-conflict certificates generated by PrvRed are witness-certificates. So, PrvRed does not have to store non-conflict certificates by adding them to . On the other hand, storing and reusing non-conflict certificates in different branches of the search tree can dramatically boost the performance of a PQE solver. Nevertheless, for the sake of simplicity, in the current implementation of , the full power of non-conflict certificates is not exploited yet. The PrvRed procedure does not add non-conflict certificates to the formula and so, these certificates are not reused at all (see Subsections 8.1 and 9.3 for more detail). The Recurse procedure does add the non-conflict certificates returned by PrvRed but they are removed from the formula as soon as Recurse terminates.

### 7.4 Generation of a clause implying Ctrg when Ctrg is blocked

Let be blocked in a subspace. Then PrvRed generates a clause implying in this subspace such that with respect to . (The clause is an example of a non-conflict witness-certificate.) This is the only case where builds a clause that, in general, is not implied by the current formula . Below, we denote as .

###### Proposition 2

Let be a formula and be a clause of . Let be blocked in at with respect to in subspace where . Let be the literal of that is in . Let be resolvable with all clauses of with . Let where is the longest clause falsified by . Then in subspace and with respect to .

The clause of Section 5 is an example of a clause built using Proposition 2. One can show that the clause of Proposition 2 is es-implied not only by but by as well (see Appendix 0.A.2). If there is a non-empty set of clauses with literal that are unresolvable with on , one needs to add to extra literals of . Namely, one needs to add a subset of literals of guaranteeing that is also unresolvable on with every clause of unsatisfied by (see Appendix 0.A.1).

## 8 START In More Detail

### 8.1 Description of the PrvRed procedure

The pseudo-code of PrvRed is shown in Fig 2. The objective of PrvRed is to prove the current target clause redundant in the subspace specified by an assignment to . First, PrvRed stores the initial value of that is used later to identify the termination time of PrvRed (line 1).

The main work is done in a while loop that is similar to the main loop of a SAT-solver . The operation of PrvRed in this loop is partitioned into two parts separated by the dotted line. The first part (lines 3-7) starts with picking a new decision assignment and adding it to the assignment queue (lines 3-4). Here and . The variables of are the first to be assigned777 The final goal of PQE is to derive clauses depending only on that make the -clauses of redundant. facilitates achieving this goal by assigning variables of after those of . So, when backtracking, the variables of are resolved out before those of . by PrvRed. So , only if all variables of are assigned. If , then is picked so as to falsify the corresponding literal of . ( is obviously redundant in a subspace where it is satisfied.) Then PrvRed calls the BCP procedure. If no backtracking condition is met in BCP, PrvRed begins a new iteration (lines 6-7). Otherwise, PrvRed goes to the second part of the while loop where it backtracks (since is proved redundant in subspace ). In particular, PrvRed backtracks if BCP returns a clause implying in subspace or a clause falsified by .

PrvRed starts the second part (lines 8-13) with calling the Lrn procedure to generate a certificate (line 8). In the situation described in Subsection 9.4, Lrn also derives an auxiliary certificate . If is a conflict certificate888As mentioned earlier, in the current version of PrvRed, non-conflict certificates are not added to formula ., it is added to the formula (lines 9-10). If Lrn returns , it is also added to the formula because is always a conflict certificate. If a clause of is used in generation of , the latter is added to . Otherwise, is added to . The same rule applies to storing .

After that, PrvRed backtracks (line 11). If PrvRed reaches the subspace , the redundancy of in the required subspace is proved and PrvRed terminates (lines 12). Otherwise, an assignment is derived from or and added to the queue (line 13). This derivation is due to the fact that after backtracking, the conditional of or clause itself become unit (see Subsection 9.3).

### 8.2 Bcp

The main loop of BCP consists of two parts separated by the dotted line in Fig. 3. BCP starts the first part (lines 2-7) with extracting an assignment from the assignment queue (line 2). It can be a decision assignment or one derived999For implied assignments, maintains the same order constraint as for decision ones. Namely, an implied assignment to a variable of is made only if all variables of are already assigned (see Appendix 0.B). from a clause of the original formula or a certificate . If is derived from the target clause , BCP calls Recurse to prove redundancy of clauses that can be resolved with on (line 4). Why and how this is done is explained in Subsection 8.3. BCP processes the unit clause only if all other assignments of the queue have been already made. Calling Recurse modifies so that gets blocked in subspace or a clause falsified by is added. (In either case, is proved redundant in subspace .) If is not derived from , BCP just makes this assignment and updates the queue by checking if new unit clauses have appeared (lines 6-7).

In the second part (lines 8-16), BCP checks the backtracking conditions. First, BCP checks if the queue contains an assignment derived from a clause that satisfies (line 8). The latter means that implies in subspace . If so, BCP terminates returning the backtracking condition ImplTrg (lines 9-10). Otherwise, BCP checks if a clause of is falsified (lines 11-13). If exists, one can make redundant in the current subspace by adding a conflict clause. Otherwise, BCP checks if is blocked (lines 14-16). If so, then an es-clause implying in subspace is generated (see Subsection 7.4). If BCP empties the queue without meeting a backtracking condition, it terminates returning NoBacktr.

### 8.3 The case where Ctrg becomes unit

Now, we describe what PrvRed does when becomes unit. Consider the following example. Let and in the current assignment and not be assigned yet. Since falsifies , a SAT-solver would derive . However, the goal of PrvRed is to prove redundant rather than check if is satisfiable. The fact that is falsified in subspace says nothing about whether it is redundant there.

To address the problem above, recursively calls PrvRed to prove that every clause of that contains the literal and is resolvable with on is redundant in subspace . This results in proving redundancy of in one of two ways. First, a clause falsified in subspace is derived. Adding it to makes redundant in this subspace. Second, PrvRed proves every clause resolvable with on redundant in subspace without generating a clause falsified by . Then is blocked at variable in subspace (see Definition 12) and thus is redundant there.