

SLIDE 1

The big picture Proof-carrying CDSAT Discussion

Proof reconstruction in conflict-driven satisfiability¹

Maria Paola Bonacina

Dipartimento di Informatica, Università degli Studi di Verona, Verona, Italy, EU

Schloß Dagstuhl Seminar # 19371: “Deduction beyond satisfiability”
Schloß Dagstuhl, near Wadern, Germany, EU
September 2019

¹ Based on joint work with S. Graham-Lengrand and N. Shankar

Maria Paola Bonacina Proof reconstruction in conflict-driven satisfiability

SLIDE 2


◮ The big picture
◮ Proof-carrying CDSAT
◮ Discussion


SLIDE 3


Proof reconstruction

◮ Beyond sat / unsat / don’t know answers
◮ Extract proof from final state of refutation
  ◮ Proof checking
  ◮ Proof communication
◮ Issues: size, usability of proofs in all reasoning paradigms
◮ This talk: proof reconstruction in CDSAT


SLIDE 4


What is CDSAT

◮ Problems from applications: decide T-satisfiability for T = T1 ∪ … ∪ Tn (the union of the theories Tk, k = 1, …, n)
◮ Disjoint theories and quantifier-free formulas
◮ A general paradigm named CDSAT (Conflict-Driven SATisfiability):
  ◮ Conflict-driven reasoning in T
  ◮ By combining Tk-inference systems: theory modules I1, …, In
  ◮ Proof reconstruction assuming the Ik’s produce proofs


SLIDE 5


Conflict-driven satisfiability

◮ Procedure to determine satisfiability of a formula
  ◮ Build candidate model
  ◮ Assignments + propagation through formulas
  ◮ Conflict between model and formula: explain by inferences
  ◮ Learn generated lemma to avoid repetition
  ◮ Solve conflict by fixing model to satisfy learned lemma
  ◮ Nontrivial inferences on demand to respond to conflicts
  ◮ If unsat, the proof is made of these nontrivial inferences
CDSAT does this for a generic union T = T1 ∪ … ∪ Tn


SLIDE 6


Conflict-driven propositional satisfiability

◮ CDCL (Conflict-Driven Clause Learning) procedure for SAT
  ◮ Build candidate propositional model
  ◮ Assignments to propositional variables + BCP
  ◮ Explain conflicts by propositional resolution
  ◮ Learn resolvents made of input atoms
  ◮ Resolution on demand to respond to conflicts
  ◮ If unsat, proof by resolution
◮ CDSAT: propositional logic as theory Bool
◮ CDSAT reduces to CDCL if T = Bool
◮ Conflict-driven procedures for other theories: first-order assignments + new atoms


SLIDE 7


Standard theory combination: not conflict-driven

◮ Equality-sharing method (aka Nelson-Oppen scheme) combines Tk-sat procedures as black-boxes that
  ◮ Exchange entailed (disjunctions of) equalities between shared variables
  ◮ Build an arrangement that tells which shared variables are equal
◮ A Tk-sat procedure could be conflict-driven, but not the combination scheme
◮ Tk-deduction viewed as a single inference: Tk-proof as black-box
If there is no conflict-driven Tk-sat procedure, CDSAT emulates equality sharing, since it also accommodates black-box procedures


SLIDE 8


From sets of literals to formulas

DPLL(T) aka CDCL(T) with T = T1 ∪ … ∪ Tn
◮ CDCL builds candidate propositional model M
◮ Satellite Tk-satisfiability procedures
  ◮ Combined by equality sharing as black-boxes
  ◮ Signal T-conflicts in M and contribute T-lemmas
◮ Conflict-driven inferences: only propositional (resolution)
◮ Proof by resolution with black-box Tk-subproofs
If CDCL is the only conflict-driven procedure, CDSAT reduces to CDCL(T) with equality sharing


SLIDE 9


Conflict-driven reasoning from sets of literals to formulas

◮ MCSAT (Model-Constructing SATisfiability)
  ◮ Integrates CDCL and one model-constructing conflict-driven T-sat procedure (theory plugin)
  ◮ CDCL and the T-plugin cooperate in model construction
  ◮ Both propositional and T-reasoning are conflict-driven
◮ CDSAT generalizes MCSAT to generic T = T1 ∪ … ∪ Tn
◮ CDSAT reduces to MCSAT if there are CDCL and one conflict-driven model-constructing T-sat procedure


SLIDE 10


CDSAT: Conflict-driven reasoning from a theory to many

◮ Conflict-driven behavior and black-box integration are at odds: each conflict-driven Tk-sat procedure needs to access the trail, post assignments, perform inferences, explain Tk-conflicts, export lemmas on a par with CDCL
◮ Key abstraction in CDSAT: open the black-boxes, pull out the Tk-inference systems used to explain Tk-conflicts, and combine them as theory modules in a conflict-driven way
◮ All theory modules contribute directly to the proof: resolution + black-box Tk-subproofs is not enough


SLIDE 11


More about CDSAT

◮ SMA: Satisfiability Modulo theories and Assignments (allows first-order assignments such as t ← 3 in input)
◮ If Tk has no conflict-driven Tk-sat procedure: black-box inference rule L1, …, Lm ⊢k ⊥ invokes the Tk-procedure to detect Tk-unsat
◮ CDSAT is sound, terminating, and complete under suitable hypotheses


SLIDE 12


Trail for proof-carrying CDSAT

◮ Sequence of assignments: decision or justified assignment
◮ Decision: either Boolean or first-order; opens the next level
◮ Justified assignment: justification + deduction proof term
  ◮ Justification of A: set H of assignments that appear before A
  ◮ Input assignment (H = ∅): proof term in(A)
  ◮ Due to inference H ⊢k A: proof term from Ik
  ◮ Due to lemma learning: proof term for the lemma
◮ Level of A: max among those of the elements of H
◮ A justified assignment of level 5 may appear after a decision of level 6: late propagation; a trail is not a stack


SLIDE 13


Proof-carrying CDSAT transition system

◮ Trail rules: Decide, Deduce, Fail, ConflictSolve
  ◮ Apply to the trail Γ
◮ Conflict state rules: UndoClear, Resolve, UndoDecide, Learn
  ◮ Apply to trail Γ, conflict H, conflict proof term c: Γ; H; c
  ◮ Conflict: unsatisfiable assignment, H ⊆ Γ
  ◮ Conflict proof term: proof term for H ⊢ ⊥


SLIDE 14


The CDSAT transition system: Decide

Decide: Γ ⟶ Γ, ?(u ← c)
adds decision ?(u ← c) if u ← c is an acceptable Tk-assignment for Ik in Γk:
◮ Γk does not already assign a Tk-value to u
◮ u ← c first-order: there are no J ⊆ Γk and L such that J ∪ {u←c} ⊢k L and L̄ ∈ Γk (the complement of L is already on the trail)
◮ u is relevant to Tk: either u occurs in Γk and Tk has Tk-values for its sort, or u is an equality whose sides occur in Γk, Tk has their sort, but not Tk-values


SLIDE 15


The proof-carrying CDSAT transition system: Deduce

Deduce: Γ ⟶ Γ, J⊢L
◮ Adds justified assignment J⊢L
  ◮ J ⊢k L, for some k, 1 ≤ k ≤ n, J ⊆ Γ, and L̄ ∉ Γ (no conflict with the trail)
  ◮ L ∉ Γ (not already on the trail)
◮ Tk-module produces Tk-proof coerced into CDSAT deduction proof term
◮ Both Tk-propagation and explanation of Tk-conflicts


SLIDE 16


Proof-carrying CDSAT: Fail and ConflictSolve

◮ J ⊢k L, for some k, 1 ≤ k ≤ n, J ⊆ Γ, L̄ ∈ Γ
◮ L̄ ∈ Γ: J ∪ {L̄} is a conflict
◮ If d is a deduction proof term for J ⊢ L, cfl(d, L) is a conflict proof term for J ∪ {L̄} ⊢ ⊥
◮ If levelΓ(J ∪ {L̄}) = 0, Fail: Γ ⟶ unsat(c) returns conflict proof term c as Γ; J ∪ {L̄}; cfl(d, L) ⟹* Γ; ∅; c
◮ If levelΓ(J ∪ {L̄}) > 0, ConflictSolve: Γ ⟶ Γ′ solves the conflict as Γ; J ∪ {L̄}; cfl(d, L) ⟹* Γ′


SLIDE 17


The proof-carrying CDSAT transition system: UndoClear

The conflict contains a first-order assignment that stands out as its level is maximum in the conflict:
UndoClear: Γ; E ⊎ {A}; c ⟹ Γ≤m−1
◮ A is a first-order decision of level m > levelΓ(E)
◮ Removes A and all assignments of level ≥ m
◮ Γ≤m−1: the restriction of trail Γ to its elements of level at most m−1


SLIDE 18


Example: Deduce as explanation + UndoClear

Γ = −2x − y < 0, x + y < 0, x < −1 (level 0)
1. Decide y←0 (level 1)
2. LRA-conflict: {−2·x − y < 0, x < −1, y←0}
3. Explanation by FM-resolution: {−y < 2·x, 2·x < −2} ⊢LRA −y < −2
4. Deduce places −y < −2 on the trail (late propagation: level 0)
5. Evaluation: y←0 ⊢LRA (−y < −2)←false
6. LRA-conflict: {y←0, −y < −2}
7. UndoClear removes y←0, resulting in Γ = −2x − y < 0, x + y < 0, x < −1, −y < −2
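The explanation step of this example (Fourier-Motzkin resolution eliminating the unassigned x, then evaluation of the derived literal under y←0), as an added Python example; this is not code from the talk or from the Eos solver. Constraints are strict linear inequalities over exact rationals; the sample Γ is constructed from the slide, and the names strict, fm_resolve, evaluate and explain_conflict are this example's own.

```python
from fractions import Fraction
from itertools import combinations

# A strict linear constraint  sum(coefs[v] * v) < bound  over exact rationals.
# The sample data below is the slide's conflict {−2·x − y < 0, x < −1, y←0} (constructed).
def strict(coefs, bound):
    return ({v: Fraction(c) for v, c in coefs.items() if c != 0}, Fraction(bound))

def fm_resolve(c1, c2, x):
    """Fourier-Motzkin resolution on x: c1 and c2 must contain x with opposite
    signs; returns the strict constraint implied by their positive combination."""
    (a1, b1), (a2, b2) = c1, c2
    p, q = a1.get(x, Fraction(0)), a2.get(x, Fraction(0))
    if p == 0 or q == 0 or (p > 0) == (q > 0):
        raise ValueError("x must occur in both constraints with opposite signs")
    m1, m2 = abs(q), abs(p)                      # multipliers that cancel x
    coefs = {}
    for v in set(a1) | set(a2):
        s = m1 * a1.get(v, 0) + m2 * a2.get(v, 0)
        if s != 0:
            coefs[v] = s
    return (coefs, m1 * b1 + m2 * b2)

def evaluate(c, model):
    """Truth value of c under a first-order assignment; None if some variable is unassigned."""
    coefs, bound = c
    if any(v not in model for v in coefs):
        return None
    return sum(coefs[v] * model[v] for v in coefs) < bound

def explain_conflict(constraints, model):
    """Explain a conflict between `constraints` and the first-order assignment `model`:
    eliminate every unassigned variable by FM-resolution until a derived constraint over
    assigned variables only is falsified by `model`. Returns (premise indices, derived
    constraint): the justification and the literal that Deduce would place on the trail."""
    unassigned = sorted({v for a, _ in constraints for v in a} - set(model))
    pool = [(c, frozenset([i])) for i, c in enumerate(constraints)]   # constraint + premises
    for x in unassigned:
        resolvents = []
        for (c1, p1), (c2, p2) in combinations(pool, 2):
            a, b = c1[0].get(x, 0), c2[0].get(x, 0)
            if a != 0 and b != 0 and (a > 0) != (b > 0):
                resolvents.append((fm_resolve(c1, c2, x), p1 | p2))
        pool = [(c, p) for c, p in pool if x not in c[0]] + resolvents
    for c, premises in pool:
        if evaluate(c, model) is False:
            return sorted(premises), c
    return None            # nothing over assigned variables is falsified: not an LRA conflict

if __name__ == "__main__":
    gamma = [strict({"x": -2, "y": -1}, 0), strict({"x": 1}, -1)]    # level-0 inputs
    premises, derived = explain_conflict(gamma, {"y": Fraction(0)})   # decision y←0 at level 1
    print("premises:", premises, "derived:", derived)                 # −y < −2, i.e. y > 2
    # The derived literal's level is the max level of its premises: 0, although the
    # decision that triggered the explanation is at level 1 (late propagation).
```

With the two level-0 inputs as premises, the derived −y < −2 is justified at level 0 while the conflict was found at level 1, which is exactly the late propagation the slide shows before UndoClear removes y←0.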


SLIDE 19


Explanation of conflicts in CDSAT

◮ Explanation of a Tk-conflict by Ik-inferences encapsulated as Deduce steps: CDSAT not in conflict state
◮ Until the conflict surfaces as a Boolean conflict: J ⊢k L and L̄ ∈ Γ, so J ∪ {L̄} is a conflict
◮ CDSAT switches to conflict state Γ; H; c
◮ Explanation of conflict H by replacing justified assignments in H with their justifications: Resolve transition rule


SLIDE 20


The proof-carrying CDSAT transition system: Resolve

Resolve: Γ; E ⊎ {A}; c ⟹ Γ; E ∪ H; res(d, A.c)
◮ A is a justified assignment H⊢A
◮ Replace A by its justification H
◮ If d is a deduction proof term for H ⊢ A and c is a conflict proof term for E ⊎ {A} ⊢ ⊥, res(d, A.c) is a conflict proof term for E ∪ H ⊢ ⊥
◮ A can be a Boolean or a first-order assignment
◮ If A is first-order, it comes from the input (H = ∅ and d is in(A)): Resolve removes it from the conflict (not from the trail)


SLIDE 21


Example of Resolve

Γ0 includes: (¬L4∨L5), (¬L2∨¬L4∨¬L5) (level 0)
1. Decide: A1 (level 1)
2. Decide: L2 (level 2)
3. Decide: A3 (level 3)
4. Decide: L4 (level 4)
5. Deduce: L5 with justification {¬L4∨L5, L4} (level 4)
6. Conflict: {¬L2∨¬L4∨¬L5, L2, L4, L5}; ¬L2∨¬L4∨¬L5 is the CDCL conflict clause
7. Resolve: {¬L2∨¬L4∨¬L5, L2, L4, ¬L4∨L5}; ¬L2∨¬L4 is the CDCL conflict clause, the resolvent of the previous one and ¬L4∨L5


SLIDE 22


The CDSAT transition system: Resolve again

Resolve: Γ; E ⊎ {A}; c ⟹ Γ; E ∪ H; res(d, A.c)
◮ A is a justified assignment H⊢A
◮ Replace A by its justification H
◮ Provided H does not contain a first-order decision A′ that stands out as its level is maximum in the conflict (levelΓ(A′) = levelΓ(E ⊎ {A}))
◮ Avoiding a Resolve–UndoClear–Decide loop
◮ And what if there is such an A′? UndoDecide rule


SLIDE 23


The proof-carrying CDSAT transition system: UndoDecide

UndoDecide: Γ; E ⊎ {L}; c ⟹ Γ≤m−1, ?L̄
◮ L is a Boolean justified assignment H⊢L such that
  ◮ H contains a first-order decision A′
  ◮ levelΓ(A′) = levelΓ(L) = levelΓ(E) = m
◮ UndoDecide removes A′ and decides L̄, the complement of L
◮ A′ is first-order and cannot be flipped (first-order decisions do not have complement)
◮ The Boolean L that depends on A′ can be flipped


SLIDE 24


Example of UndoDecide

Γ = x > 1 ∨ y < 0, x < −1 ∨ y > 0 (level 0)
1. Decide: x←0 (level 1)
2. Deduce: (x > 1)←false (level 1), (x < −1)←false (level 1), y < 0 (level 1), y > 0 (level 1)
3. LRA-conflict: {y < 0, y > 0}
4. Resolve: {x > 1 ∨ y < 0, x < −1 ∨ y > 0, (x > 1)←false, (x < −1)←false}
5. UndoDecide: x > 1 (level 1)
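The side conditions of UndoClear, of the Resolve proviso and of UndoDecide, applied to the conflict states of the three examples on these slides (the LRA conflict {y←0, −y < −2} before UndoClear, the Boolean conflict before Resolve and Learn, and the conflict of this UndoDecide example), as an added Python example; it is not code from the talk or from Eos. The trail encoding (a dict of name to kind, level and justification), the kind names and the strategy of explaining with Resolve before learning are this example's own assumptions; the rule guards follow the slides.

```python
# Rule selection in a CDSAT conflict state Γ; conflict; c, encoding the guards of the
# UndoClear, Resolve (with its proviso), UndoDecide and Learn slides. A trail is a dict
#   name -> (kind, level, justification)   in trail order,
# where kind is "bool_input", "fo_input", "bool_decision", "fo_decision" or "justified"
# (a Boolean justified assignment) and justification is a frozenset of names (None for
# decisions and inputs). Every trail below is constructed from the slides' examples.

def level(trail, names):
    """levelΓ of a set of assignments: the maximum level of its elements (0 if empty)."""
    return max((trail[a][1] for a in names), default=0)

def pick_rule(trail, conflict):
    """Return (rule, pivot): the assignment the rule acts on, or the set H that Learn turns
    into a lemma. Strategy (an assumption): explain by Resolve as long as it is allowed."""
    m = level(trail, conflict)
    if m == 0:
        return "Fail", None                       # conflict at level 0: unsat
    in_order = [a for a in trail if a in conflict]   # deterministic: trail order
    for A in in_order:
        kind, lvl, _ = trail[A]
        if kind == "fo_decision" and lvl == m and level(trail, conflict - {A}) < m:
            return "UndoClear", A                 # A stands out: nothing else has level m
    for A in in_order:
        kind, lvl, H = trail[A]
        if kind == "fo_input":
            return "Resolve", A                   # H = ∅: Resolve just drops A from the conflict
        if kind != "justified":
            continue
        stands_out = any(trail[B][0] == "fo_decision" and trail[B][1] == m for B in H)
        if not stands_out:
            return "Resolve", A                   # the Resolve proviso holds
        if lvl == m and level(trail, conflict - {A}) == m:
            return "UndoDecide", A                # flip the Boolean L that depends on A′
    H = frozenset(a for a in conflict
                  if trail[a][0] in ("bool_decision", "justified") and trail[a][1] > 0)
    if H and level(trail, conflict - H) < level(trail, H):
        return "Learn", H                         # E = conflict − H; any m with level(E) ≤ m < level(H)
    return None

def _trail(*entries):
    return {name: (kind, lvl, None if H is None else frozenset(H)) for name, kind, lvl, H in entries}

# Deduce/UndoClear example, step 6: −y<−2 was late-propagated at level 0 after the decision y←0
TRAIL_LRA = _trail(("−2x−y<0", "bool_input", 0, None), ("x<−1", "bool_input", 0, None),
                   ("y←0", "fo_decision", 1, None),
                   ("−y<−2", "justified", 0, {"−2x−y<0", "x<−1"}))

# UndoDecide example: x←0 decided, the atoms evaluated, y<0 and y>0 propagated from the clauses
TRAIL_UNDO = _trail(("x>1∨y<0", "bool_input", 0, None), ("x<−1∨y>0", "bool_input", 0, None),
                    ("x←0", "fo_decision", 1, None),
                    ("(x>1)←false", "justified", 1, {"x←0"}),
                    ("(x<−1)←false", "justified", 1, {"x←0"}),
                    ("y<0", "justified", 1, {"x>1∨y<0", "(x>1)←false"}),
                    ("y>0", "justified", 1, {"x<−1∨y>0", "(x<−1)←false"}))

# Resolve example: Boolean conflict with the first-order decisions A1, A3 on the trail
TRAIL_BOOL = _trail(("¬L4∨L5", "bool_input", 0, None), ("¬L2∨¬L4∨¬L5", "bool_input", 0, None),
                    ("A1", "fo_decision", 1, None), ("L2", "bool_decision", 2, None),
                    ("A3", "fo_decision", 3, None), ("L4", "bool_decision", 4, None),
                    ("L5", "justified", 4, {"¬L4∨L5", "L4"}))

if __name__ == "__main__":
    print(pick_rule(TRAIL_LRA, frozenset({"y←0", "−y<−2"})))
    print(pick_rule(TRAIL_UNDO, frozenset({"y<0", "y>0"})))
    print(pick_rule(TRAIL_UNDO, frozenset({"x>1∨y<0", "x<−1∨y>0", "(x>1)←false", "(x<−1)←false"})))
    print(pick_rule(TRAIL_BOOL, frozenset({"¬L2∨¬L4∨¬L5", "L2", "L4", "L5"})))
```

On the UndoDecide trail, the first conflict {y<0, y>0} is resolvable because the justifications of y<0 and y>0 contain no first-order decision, while after those two Resolve steps both (x>1)←false and (x<−1)←false have the first-order decision x←0 of maximum level in their justification, so Resolve is blocked and UndoDecide flips the first of them, as in step 5.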


SLIDE 25


The CDSAT transition system: Learn

Learn: Γ; E ⊎ H; c ⟹ Γ≤m, E⊢F
◮ H contains only Boolean assignments: H as L1 ∧ … ∧ Lk
◮ Since E ⊎ H ⊨ ⊥, it is E ⊨ ¬L1 ∨ … ∨ ¬Lk
◮ Learned lemma: F = ¬L1 ∨ … ∨ ¬Lk (clausal form of ¬H)
◮ Provided F ∉ Γ, F̄ ∉ Γ
◮ Choice of level where to backjump to: levelΓ(E) ≤ m < levelΓ(H)
◮ If c is a conflict proof term for E ⊎ H ⊢ ⊥, lem(H.c) is a deduction proof term for E ⊢ F


SLIDE 26


Examples of learning and backjumping by Learn

Conflict: {¬L2∨¬L4∨¬L5, L2, L4, ¬L4∨L5}
◮ Learn with H = {L2, L4}: learns the first assertion clause ¬L2∨¬L4 with justification {¬L2∨¬L4∨¬L5, ¬L4∨L5} (level 0)
◮ With destination level m = 0: restart from (¬L4∨L5), (¬L2∨¬L4∨¬L5), (¬L2∨¬L4)
◮ With destination level m = 2:
  ◮ Backjump to (¬L4∨L5), (¬L2∨¬L4∨¬L5), A1, L2, (¬L2∨¬L4)
  ◮ Deduce: ¬L4 with justification {¬L2∨¬L4, L2}


SLIDE 27


Proof (re)construction in CDSAT

◮ Proof objects in memory (checkable by proof checker):
  ◮ The CDSAT proof terms as proofs
  ◮ From CDSAT proof terms to proofs in different formats (e.g., resolution)
◮ LCF style as in ITP (correct by construction)
  ◮ Trusted kernel of primitives
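The proof-carrying Resolve and Learn steps of the Boolean example (decisions A1, L2, A3, L4; Deduce L5; conflict; Resolve on L5; Learn ¬L2∨¬L4 and backjump to m = 0 or m = 2), together with the LCF-style checking just described, as an added Python example; it is not code from the talk or from Eos. The function check is the trusted kernel: it alone decides which sequent a proof term in(A), cfl(d, L), res(d, A.c) or lem(H.c) proves, and the trail only admits what it accepts. The term unit(C, S), standing in for the Bool module's own proof of a unit propagation, the tuple encoding of the first-order decisions A1 and A3, and the names Trail, resolve, learn and run_example are this example's assumptions.

```python
# Proof-carrying trail for the Boolean example, with an LCF-style kernel: `check` alone
# decides what a proof term proves, and the trail only admits what the kernel accepted.
# Literals are strings ("¬L4" is the complement of "L4"), clauses are frozensets of
# literals, first-order assignments are tuples such as ("x", 1). unit(C, S) stands in
# for the Bool module's proof of a unit propagation (an assumption of this example).
class ProofError(Exception):
    pass

def neg(l):
    return l[1:] if l.startswith("¬") else "¬" + l

def check(term):
    """Trusted kernel: return the sequent (premises, conclusion) that `term` proves
    (conclusion None stands for ⊥); raise ProofError on an ill-formed term."""
    tag = term[0]
    if tag == "in":                      # in(A): input assignment, justification ∅
        return frozenset(), term[1]
    if tag == "unit":                    # unit(C, S): all literals of C but one are falsified by S
        _, clause, falsified = term
        rest = [l for l in clause if neg(l) not in falsified]
        if len(rest) != 1 or not all(neg(l) in clause for l in falsified):
            raise ProofError("not a unit propagation")
        return frozenset({clause}) | frozenset(falsified), rest[0]
    if tag == "cfl":                     # cfl(d, L): from H ⊢ L, the set H ∪ {¬L} ⊢ ⊥
        H, L = check(term[1])
        if L != term[2]:
            raise ProofError("cfl: conclusion mismatch")
        return H | {neg(L)}, None
    if tag == "res":                     # res(d, A.c): from H ⊢ A and E ⊎ {A} ⊢ ⊥, E ∪ H ⊢ ⊥
        _, d, A, c = term
        H, concl = check(d)
        E, bot = check(c)
        if concl != A or bot is not None or A not in E:
            raise ProofError("res: premises do not match")
        return (E - {A}) | H, None
    if tag == "lem":                     # lem(H.c): from E ⊎ H ⊢ ⊥ with H Boolean, E ⊢ ¬L1 ∨ … ∨ ¬Lk
        _, H, c = term
        EH, bot = check(c)
        if bot is not None or not H <= EH or not all(isinstance(l, str) for l in H):
            raise ProofError("lem: H must be Boolean assignments of the conflict")
        return EH - H, frozenset(neg(l) for l in H)
    raise ProofError("unknown proof term")

def rejects(term):
    """True if the kernel refuses `term`."""
    try:
        check(term)
        return False
    except ProofError:
        return True

class Trail:
    """Entries are (assignment, justification, proof term, level, is_decision)."""
    def __init__(self):
        self.items, self.level = [], 0
    def assignments(self):
        return [it[0] for it in self.items]
    def level_of(self, H):               # level of a set: max over its elements, 0 if empty
        return max((lvl for A, _, _, lvl, _ in self.items if A in H), default=0)
    def add_input(self, A):
        self.items.append((A, frozenset(), ("in", A), 0, False))
    def decide(self, A):
        self.level += 1
        self.items.append((A, None, None, self.level, True))
    def deduce(self, proof):             # Deduce: kernel first, then the side conditions
        H, L = check(proof)
        present = set(self.assignments())
        if not H <= present or L in present or neg(L) in present:
            raise ProofError("Deduce not applicable")
        self.items.append((L, H, proof, self.level_of(H), False))   # may be a late propagation
    def justification(self, A):
        for B, H, proof, _, _ in self.items:
            if B == A and H is not None:
                return H, proof
        raise KeyError(A)
    def restrict(self, m):               # Γ≤m
        self.items = [it for it in self.items if it[3] <= m]
        self.level = m

def resolve(trail, c, A):
    """Resolve: replace justified A in the conflict by its justification; returns (E ∪ H, res(d, A.c))."""
    H, d = trail.justification(A)
    term = ("res", d, A, c)
    return check(term)[0], term

def learn(trail, c, H, m):
    """Learn: make the lemma F from Boolean H, backjump to level m, put E⊢F on the trail."""
    term = ("lem", frozenset(H), c)
    E, F = check(term)
    if not trail.level_of(E) <= m < trail.level_of(H):
        raise ProofError("bad backjump level")
    trail.restrict(m)
    trail.items.append((F, E, term, trail.level_of(E), False))
    return F

C1 = frozenset({"¬L4", "L5"})               # constructed: the slides' input clauses
C2 = frozenset({"¬L2", "¬L4", "¬L5"})

def run_example(m):
    """The slides' run: decisions A1, L2, A3, L4; Deduce L5; conflict; Resolve L5; Learn, backjumping to m."""
    t = Trail()
    t.add_input(C1); t.add_input(C2)
    t.decide(("x", 1)); t.decide("L2"); t.decide(("z", 3)); t.decide("L4")
    t.deduce(("unit", C1, frozenset({"L4"})))             # L5 at level 4
    d = ("unit", C2, frozenset({"L2", "L4"}))             # {C2, L2, L4} ⊢ ¬L5 while L5 ∈ Γ
    c = ("cfl", d, "¬L5")                                 # conflict {C2, L2, L4, L5}
    conflict, c = resolve(t, c, "L5")                     # {C2, L2, L4, C1}
    F = learn(t, c, {"L2", "L4"}, m)                      # ¬L2 ∨ ¬L4 with justification {C1, C2}
    if m == 2:
        t.deduce(("unit", F, frozenset({"L2"})))          # ¬L4 at level 2
    return t, F
```

Because every trail entry carries a term that check has already accepted, the proof term of the final unsat(c) can be re-checked by the same kernel afterwards, which is the correct-by-construction discipline of the last bullet; the kernel also refuses ill-formed terms such as a cfl whose literal does not match the deduction it wraps.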


SLIDE 28


Current and future work

◮ Eos: first CDSAT-based SMT/SMA prototype solver (by Giulio Mazzi at U. Verona)
◮ CDSAT search plans: both global and local issues
  ◮ Heuristic strategies to make decisions, prioritize theory inferences, control lemma learning
  ◮ Efficient techniques to detect the applicability of theory inference rules and the acceptability of assignments
◮ More theory modules (e.g., real arithmetic)
◮ Unions of non-disjoint theories
◮ Formulas with quantifiers
