1 Introduction
Many verification problems can be cast as an instance of the Quantifier Elimination (QE) problem or its variations^{1}^{1}1In [5], we introduced Partial QE (PQE) where only a part of the formula is taken out of the scope of quantifiers. The appeal of PQE is twofold. First, many verification problems like equivalence and model checking require partial rather than complete QE [1, 2]. Second, PQE is much simpler to solve than QE. Both QE and PQE benefit from the results of this paper. However, since QE is conceptually simpler than PQE, we picked the former to introduce our new approach to Dsequent reusing. . So any progress in solving the QE problem is of great importance. In this paper, we consider the QE problem for propositional CNF formulas with existential quantifiers. Given formula where and are sets of variables, the QE problem is to find a quantifierfree formula such that . In [3, 4], we introduced a new approach to QE based on the following observation. Let us call a clause^{2}^{2}2A clause is a disjunction of literals. So, a CNF formula is a conjunction of clauses. of an clause if it contains at least one variable of . Solving the QE problem reduces to finding formula implied by that makes the clauses of redundant in (and so holds).
To implement the approach above, we introduced an algorithm called (Derivation of Clause DSequents). is based on the following three ideas. First, branches on variables of to reach a subspace where proving redundancy^{3}^{3}3An clause is said to be redundant in if . In this paper, we use the standard convention of viewing a set of clauses as an alternative way to specify the CNF formula . So, the expression denotes the CNF formula obtained from by removing clause . of clauses (or making them redundant by adding a new clause) is easy. Second, once an clause is proved redundant, stores this fact in the form of a Dependency Sequent (Dsequent). A Dsequent is a record where is an clause of and is an assignment to variables of . This record states that is redundant in in subspace . The third idea of is to use a resolutionlike operation called join to merge the results of branches. This join operation is applied to Dsequents and derived in branches and where is a variable of . The result of this operation is a Dsequent where does not contain variable .
To make more efficient, it is natural to try to reuse a Dsequent in every subspace where (i.e. contains all the assignments of ). However, here one faces the following problem. The definition of Dsequent implies that is also redundant in subspace for formulas logically equvialent to where is a subset of . However, this may not be true for some formulas . Here is a simple example of that. Let formula contain two identical clauses and . Then Dsequents and hold. They state that and are redundant in individually. However, in general, one cannot^{4}^{4}4That is . drop both and from . This means that, say, may not be redundant in despite the fact that .
The problem above prevents from reusing Dsequents. The reason why Dsequents cannot be reused as easily as, say, conflict clauses in SATsolvers [8, 9] is as follows. Redundancy of a clause in a formula is a structural property^{5}^{5}5This is true regardless of whether this formula has quantifiers.. That is the fact that clause is redundant in formula may not hold in a formula logically equivalent to . On the other hand, reusing a conflict clause is based on the fact that is implied by the initial formula and implication is a semantic property. That is is implied by every formula logically equivalent to .
In this paper, we address the problem of reusability of Dsequents. Our approach is based on the following observation. Consider the example above with two identical clauses . The Dsequent requires the presence of clause . This means that is supposed to be proved redundant after . On the contrary, the Dsequent requires the presence of and hence is proved redundant before . So these Dsequents have a conflict in the order of proving redundancy of and .
To be able to identify order conflicts, we modify the definition of Dsequents given in [4]. A new Dsequent is a record where is a subset of . This Dsequent states that the clause is redundant in subspace in every formula where in subspace and . Note that if an clause of is proved redundant and removed from , the Dsequent is not applicable. So one can view as an order constraint stating that applies only if clauses of are proved redundant after . In other words, one can safely reuse in subspace where , if none of the clauses of is proved redundant yet.
The contribution of this paper is as follows. First, we give the necessary definitions and propositions explaining the semantics of Dsequents stating redundancy of clauses^{6}^{6}6In [4], we just give basic definitions. In [6], we do provide a detailed theoretical consideration but it is meant for Dsequents introduced in [3] expressing redundancy of variables rather than clauses. (Sections 2, 3, 4 and 5.) Second, we give a new definition of Dsequents facilitating their reusing (Section 6). We also introduce the notion of consistent Dsequents and show that they can be reused. Third, we revisit definitions of atomic Dsequents (i.e. Dsequents stating trivial cases of redundancy) and the join operation to accommodate the Dsequents of the new kind (Sections 7 and 8). Fourth, we present , a version of that can safely reuse Dsequents (Section 12).
2 Basic Definitions
In this paper, we consider only propositional CNF formulas. In the sequel, when we say “formula” without mentioning quantifiers we mean a quantifierfree CNF formula. We consider true and false as a special kind of clauses. A nonempty clause becomes true when it is satisfied by an assignment i.e. when a literal of is set to true by . A clause becomes false when it is falsified by i.e. when all the literals of are set to false by .
Definition 1
Let be a CNF formula and be a subset of variables of . We will refer to formula as .
Definition 2
Let be an assignment and be a CNF formula. denotes the variables assigned in ; denotes the set of variables of ; denotes .
Definition 3
Let be a clause, be a formula that may have quantifiers, and be an assignment. is true if is satisfied by ; otherwise it is the clause obtained from by removing all literals falsified by . denotes the formula obtained from by replacing with .
Definition 4
Let be formulas that may have quantifiers. We say that are equivalent, written , if for all assignments such that , we have .
Definition 5
The Quantifier Elimination (QE) problem for formula is to find a formula such that .
Remark 1
From now on, we will use and to denote sets of free and quantified variables respectively. We will assume that variables denoted by and are in and respectively. When we use and in a quantifierfree formula we mean that, in the context of QE, the set specifies the quantified variables.
Definition 6
A clause of is called a clause if . Denote by the set of all clauses of .
Definition 7
Let be a CNF formula and (i.e. G is a nonempty subset of clauses of ). The clauses of are redundant in if . The clauses of are redundant in formula if .
Note that implies but the opposite is not true.
3 Clause Redundancy And Boundary Points
In this section, we explain the semantics of QE in terms socalled boundary points.
Definition 8
Given assignment and a formula , we say that is a point of if .
In the sequel, by “assignment” we mean a possibly partial one. To refer to a full assignment we will use the term “point”.
Definition 9
Let be a formula and . A point of is called a boundary point of if a) and b) and c) every clause of falsified by is a clause and d) the previous condition breaks for every proper subset of .
Remark 2
Let be a CNF formula where sets and are interpreted as described in Remark 1. In the context of QE, we will deal exclusively with boundary points that falsify only clauses of and so holds.
Example 1
Let and . Let be a CNF formula of four clauses: , , , . The clauses of falsified by = are and . One can verify that and the set satisfy the four conditions of Definition 9, which makes a boundary point. The set above is not unique. One can easily check that is also a boundary point.
The term “boundary” is justified as follows. Let be a satisfiable CNF formula with at least one clause. Then there always exists a boundary point of , that is different from a satisfying assignment only in value of .
Definition 10
Given a CNF formula and a boundary point of :

is removable in if 1) ; and 2) there is a clause such that a) ; b) ; and c) .

is removable in if is removable in .
In the above definition, notice that is not a boundary point of because falsifies and . So adding clause to eliminates as a boundary point.
Example 2
Let us consider the boundary point = of Example 1. Let denote clause obtained^{7}^{7}7See Definition 13 of the resolution operation. by resolving , and on variables and . Note that set and satisfy the conditions a),b) and c) of Definition 10 for . So is an removable boundary point. After adding to , is not an boundary point any more. Let us consider the point = obtained from by flipping values of and . Both and have the same set of falsified clauses consisting of and . So, like , point is an boundary point. However, no clause implied by and consisting only of variables of is falsified by . So, the latter, is an boundary point that is not removable.
Proposition 1
A boundary point of is removable in , iff one cannot turn into an assignment satisfying by changing only the values of variables of .
The proofs are given in the appendix.
Proposition 2
Let be a CNF formula where (see Definition 6). Let be a nonempty subset of . The set is not redundant in iff there is a boundary point of such that a) every clause falsified by is in and b) is removable in .
Proposition 2 justifies the following strategy of solving the QE problem. Add to a set of clauses that a) are implied by ; b) eliminate every removable boundary point falsifying a subset of clauses of . By dropping all clauses of , one produces a solution to the QE problem.
4 Quantifier Elimination By Branching
In this section, we explain the semantics of QE algorithm called [4] (Derivation of Clause DSequents). A highlevel description of is given in Section 11. is a branching algorithm. Given a formula , branches on variables of until it proves that every clause is redundant in the current subspace. (In case of a conflict, proving clauses of redundant, in general, requires adding to a conflict clause.) Then merges the results obtained in different branches to prove that the clauses are redundant in the entire search space. Below we give propositions justifying the strategy of . Proposition 3 shows how to perform elimination of removable boundary points of in the subspace specified by assignment . This is done by using formula , a “local version” of . Proposition 4 justifies proving redundancy of clauses of incrementally.
Let and be assignments to a set of variables . Since and are sets of value assignments to individual variables of one can apply set operations to them. We will denote by the fact that contains all value assignments of . The assignment consisting of value assignments of and is represented as .
Proposition 3
Let be an and be an assignment to . Let be a boundary point of where and . Then if is removable in it is also removable in .
Remark 3
One cannot reverse Proposition 3: a boundary point may be removable in and not removable in . For instance, if , a boundary point of where is removed from only by adding an empty clause to . So if is satisfiable, is not removable. Yet may be removable in if is unsatisfiable. A ramification of the fact that Proposition 3 is not reversible is discussed in Section 5.
Proposition 4
Let be an and be redundant in . Let an clause of be redundant in . Then is redundant in .
Remark 4
To simplify the notation, we will sometimes use the expression “clause is redundant in in subspace ” instead of saying “clause is redundant in ”.
Proposition 4 shows that one can prove redundancy of, say, a set of clauses in in subspace incrementally. This can be done by a) proving redundancy of in in subspace and c) proving redundancy of in formula in subspace .
5 Virtual redundancy
If a boundary point is removable in , this does not mean that it is removable in (see Remark 3). This fact leads to the following problem. Let and be two assignments to and . Suppose that clause is redundant in in subspace . It is natural to expect that this also holds in the smaller subspace . However, does not imply . In particular, due to this problem, one cannot define the join operation in terms of redundancy specified by Definition 7. To address this issue we introduce the notion of virtual redundancy.
Definition 11
Let be an formula, be an assignment to , and be an clause of . Let be the set of points of such every falsifies only clause and is removable. Clause is called virtually redundant in if one of the two conditions are true.

or

For every , there is an assignment where such that is not removable in . Here is obtained from by removing all value assignments to variables of .
The first condition just means that . We will refer to this type of redundancy (earlier specified by Definition 7) as regular redundancy. Regular redundancy is a special case of virtual redundancy.
Proposition 5
Let be an assignment to and clause be redundant in . Then, for every such that , clause is virtually redundant in .
From now on, when we say that a clause is redundant in we mean that it is at least virtually redundant. Note that, in general, proving virtual redundancy of in subspace can be extremely hard. We avoid this problem by using the notion of virtual of redundancy only if we have already proved that is redundant in a subspace containing subspace . (For instance, we have already proved that is redundant in in subspace where .)
6 Dependency Sequents (Dsequents)
In this section, we give a new definition of Dsequents that is different from that of [4].
Definition 12
Let be an formula. Let be an assignment to and and . A dependency sequent (Dsequent) has the form . It states that clause is redundant in every formula logically equivalent to where . The assignment and formula are called the conditional and order constraint of respectively. We will refer to as a member formula for .
Definition 12 implies that the Dsequent becomes inapplicable if a clause of is removed from . So, is meant to be used in situations where the clauses of are proved redundant after (hence the name “order constraint”). As we mentioned in the introduction, in [4], a Dsequent implies redundancy of clause in and in (some) logically equivalent formulas where . In Definition 12, the set of formulas where is redundant in subspace is specified precisely. We will say that a Dsequent is fragile if contains at least one clause. Such a Dsequent becomes inapplicable if an clause of is proved redundant before . If does not contain clauses, the Dsequent above is called robust. A robust Dsequent is not affected by the order in which clauses are proved redundant.
Remark 5
We will abbreviate Dsequent to if formula is known from the context. We will further reduce to if i.e. if no order constraint is imposed.
There are two ways to produce Dsequents. First, one can generate an “atomic” Dsequent that states a trivial case of redundancy. The three atomic types of Dsequents are presented in Section 7. Second, one can use a pair of existing Dsequents to generate a new one by applying a resolutionlike operation called join (Section 8).
7 Atomic Dsequents
In this section we describe Dsequents called atomic. These Dsequents are generated when redundancy of a clause can be trivially proved. Similarly to [4], we introduce atomic Dsequents of three kinds. However, in contrast to [4], we consider Dsequents specified by Definition 12. In particular, we show that Dsequents of the first kind are robust whereas Dsequents of the second and third kind are fragile.
7.1 Atomic Dsequents of the first kind
Proposition 6
Let be an and and . Let assignment where satisfy . Then Dsequent holds. We will refer to it as an atomic Dsequent of the first kind.
Example 3
Let be an and be a clause of . Since is satisfied by assignments and , Dsequents and hold.
7.2 Atomic Dsequents of the second kind
Proposition 7
Let be an formula and be an assignment to . Let be two clauses of . Let be an clause and imply (i.e. every literal of is in ). Then the Dsequent holds where . We will refer to it as an atomic Dsequent of the second kind.
Example 4
Let be an formula. Let and be clauses of . Let . Since implies , the Dsequent holds. Since is an clause, this Dsequent is fragile.
7.3 Atomic Dsequents of the third kind
To introduce atomic Dsequents of the third kind, we need to make a few definitions.
Definition 13
Let and be clauses having opposite literals of exactly one variable . The clause consisting of all literals of and but those of is called the resolvent of , on . Clause is said to be obtained by resolution on . Clauses , are called resolvable on .
Definition 14
A clause of a CNF formula is called blocked at variable , if no clause of is resolvable with on . The notion of blocked clauses was introduced in [7].
Proposition 8
Let be an formula. Let be an clause of and . Let be the clauses of that can be resolved with on variable . Let ,, be a consistent set^{8}^{8}8We will introduce the notion of a consistent set of Dsequents later, see Definition 19. Consistency of Dsequents in Proposition 8 means that are redundant together in subspace =. So clause is blocked at variable in subspace . of Dsequents. Then Dsequent holds where = and . We will refer to it as an atomic Dsequent of the third kind.
Note that, in general, a Dsequent of the third kind is fragile.
Example 5
Let be an formula. Let be the only clauses of with variable where , , . Note that assignment satisfies clause . So the Dsequent holds. Suppose that Dsequent holds where is a clause of and . From Proposition 8 it follows that Dsequent holds where .
8 Join Operation
In this section, we describe the operation of joining Dsequents that produces a new Dsequent from two parent Dsequents. In contrast to [4], the join operation introduced here is applied to Dsequents with order constraints.
Definition 15
Let and be assignments in which exactly one variable is assigned different values. The assignment consisting of all the value assignments of and but those to is called the resolvent of , on . Assignments , are called resolvable on .
Proposition 9
Let be an formula for which Dsequents and hold. Let , be resolvable on and be the resolvent of and . Let . Then the Dsequent holds.
Definition 16
We will say that the Dsequent of Proposition 9 is produced by joining Dsequents and at .
Remark 6
Note that the Dsequent produced by the join operation has a stronger order constraint than its parent Dsequents. The latter have order constraints and in subspaces and , whereas has the same order constraint in either subspace. Due to this “imprecision” of the join operation, a set of Dsequents with conflicting order constraints can still be correct (see Section 9 and Subsection 11.2).
9 Reusability of Dsequents
To address the problem of Dsequent reusing, we introduce the notion of composability. Informally, a set of Dsequents is composable if the clauses stated redundant individually are also redundant collectively. Robust Dsequents are always composable. So they can be reused in any context like conflict clauses in SATsolvers. However, this is not true for fragile Dsequents. Below, we show that such Dsequents are composable if they are consistent. So it is safe to reuse a fragile Dsequent in a subspace , if it is consistent with the Dsequents already used in subspace .
Definition 17
Assignments and are called compatible if every variable from is assigned the same value.
Definition 18
Let be an . A set of Dsequents ,, is called composable if the clauses are redundant collectively as well. That is holds in subspace where =.
Definition 19
Let be an . A set of Dsequents ,, is called consistent if

every pair of assignments ,, is compatible;

there is a total order over clauses of that satisfies the order constraints of these Dsequents i.e. , holds where .
Proposition 10
Let be an . Let ,, be a consistent set of Dsequents. Then these Dsequents are composable and hence clauses are collectively redundant in in subspace where =.
Remark 7
The fact that Dsequents are inconsistent does not necessarily mean that these Dsequents are not composable. As we mentioned in Remark 6, as far as order constraints are concerned, the join operation is not “precise”. This means that if the Dsequents above are obtained by applying the join operation, their orderinconsistency may be artificial. An example of that is the QE procedure called [4]. As we explain in Subsection 11.2, if one uses the new definition of Dsequents (i.e. Definition 12), the Dsequents produced by are, in general, inconsistent. However, is provably correct [6].
Remark 8
Let be an and be the set of clauses added to by a QEsolver. Let (i.e. the latter is the set of all clauses of ). This QEsolver terminates when the set^{9}^{9}9This set consists of the clauses of that depend only on variables of . is sufficient to derive consistent Dsequents , , , , . From Proposition 10 it follows, that all clauses can be dropped from . The resulting formula consisting of clauses of is logically equivalent to .
10 Two Useful Transformations Of Dsequents
In this section, we describe two transformations that are useful for a QEsolver based on the machinery of Dsequents. Since a QEsolver has to add new clauses once in a while, Dsequents of different branches are, in general, computed with respect to different formulas. In Subsection 10.1, we describe a transformation meant for “aligning” such Dsequents. In Subsection 10.2, we describe a transformation meant for relaxing the order constraint of a Dsequent. In Section 12, this transformation is used to generate a consistent set of Dsequents.
10.1 Dsequent alignment
According to Definition 12, a Dsequent holds with respect to a particular formula . Proposition 11 shows that this Dsequent also holds after adding to implied clauses.
Proposition 11
Let Dsequent hold and be a CNF formula implied by . Then Dsequent holds too.
Proposition 11 is useful in aligning Dsequents derived in different branches. Suppose that is derived in the current branch of the search tree where the last assignment is . Suppose that is derived after flipping the value of from 0 to 1. Here is the set of clauses implied by that has been added to before the second Dsequent was derived. One cannot apply the join operation to these Dsequents because they are computed with respect to different formulas. Proposition 11 allows one to replace with . The latter can be joined with at variable .
10.2 Making a Dsequent more robust
In this subsection, we give two propositions showing how one can make a Dsequent more robust. Proposition 12 introduces a transformation that removes a clause from the order constraint of possibly adding to the latter some other clauses. Proposition 13 describes a scenario where by repeatedly applying this transformation one can remove a clause from the order constraint of without adding any other clauses.
Proposition 12
Let be an . Let and be two Dsequents forming a consistent set (see Definition 19). Let be in . Then Dsequent holds where and .
Proposition 13
Let be an and ,, be consistent Dsequents where , . Assume, for the sake of simplicity, that the numbering order is consistent with the order constraints. Let be in . Then, by repeatedly applying the transformation of Proposition 12, one can produce Dsequent where .
11 Recalling
In [4], we described a QE algorithm called (Derivation of Clause DSequents) that did not reuse Dsequents. We Recall in Subsections 11.1 and 11.2.
11.1 A brief description of
The pseudocode of is given^{10}^{10}10For the sake of simplicity, Figure 1 gives a very abstract view of . For instance, we omit the lines of code where new clauses are generated. Our objective here is just to show the part of where Dsequents are involved. A more detailed description of can be found in [4]. in Fig. 1. uses the old definition of a Dsequent lacking an order constraint. accepts three parameters: formula (denoted as ), the current assignment and the set of active Dsequents . (If an clause of is proved redundant in subspace , this fact is stated by a Dsequent. This Dsequent is called active). returns the final formula (where consists of the initial clauses and derived clauses implied by ) and the set of current active Dsequents. has an active Dsequent for every clause of . The conditional of this Dsequent is a subset of . In the first call of , the initial formula is used and and are empty sets. A solution to the QE problem at hand is obtained by dropping the clauses of the final formula and removing the quantifiers.
starts with examining the clauses whose redundancy is not proved yet. Namely, checks if the redundancy of such clauses can be established by atomic Dsequents (line 1) introduced in Section 7. If all clauses are proved redundant, terminates returning the current formula and the current set of active Dsequents (lines 23). Otherwise, moves to the branching part of the algorithm (lines 49).
Comments
There are no comments yet.