Introduction

Efficient tools for deciding the satisfiability of Boolean formulas (SAT solvers) are the core technology in many verification and synthesis approaches [49]. However, verification and synthesis problems are often beyond the complexity class NP as captured by SAT, requiring more powerful formalisms like quantified Boolean formulas (QBFs) [7]. QBFs extend propositional formulas by universal and existential quantifiers over Boolean variables [34] resulting in a decision problem that is PSPACE-complete. Applications from verification and synthesis [10, 15, 16, 20, 22, 26], realizability checking [21], bounded model checking [18, 52], and planning [19, 44] motivate the quest for efficient QBF solvers (see [45] for a survey).

Unlike for SAT, where conflict-driven clause learning (CDCL) is the single dominant solving approach for practical problems, two dominant approaches exist for QBF solving. On one hand, CDCL has been successfully extended to QCDCL, which enables clause and cube learning [23, 37, 51]. On the other hand, variable expansion has become very popular. In short, expansion-based solvers eliminate one kind of variable by assigning truth values to those variables and solve the resulting propositional formula with a SAT solver. For QBFs with one quantifier alternation (2QBF), a natural approach is to use two SAT solvers: one that deals with the existentially quantified variables and another one that deals with the universally quantified variables. For generalizing this SAT-based approach to QBFs with an arbitrary number of quantifier alternations, expansion is recursively applied per quantifier block, requiring multiple SAT solvers and realizing a counterexample-guided abstraction refinement (CEGAR) approach [17]. As noted by Rabe and Tentrup [42], these CEGAR-based approaches show poor performance for formulas with many quantifier alternations in general.

We also propose an approach that is guided by counter-examples, but that deals with quantifier alternations in a different manner than available CEGAR approaches. Inspired by Counterexample-Guided Inductive Synthesis (CEGIS), we present a novel solving algorithm based on non-recursive expansion for QBFs with arbitrary quantifier prefixes using only two SAT solvers. In short, CEGIS is a generic framework initially devised in the context of syntax-guided synthesis [1]. It involves the interaction between two components:

  • The learner generates candidate solutions that are consistent with all currently found counterexamples or—if it does not find such a candidate solution—it has shown that the problem does not have a solution, i.e., it is unsatisfiable.

  • The verifier provides, given a candidate solution to a problem, a counterexample that disproves it, or it correctly proves that the candidate solution is indeed a valid solution.

We adopt the CEGIS paradigm for QBF solving as follows. Our approach instantiates all variables of the same kind (either the universal variables or the existential variables) at once with a candidate solution/counterexample and passes the resulting propositional abstraction of the QBF to a SAT solver. If the SAT solver finds the formula to be unsatisfiable, the truth value of the original QBF is decided, otherwise the model returned by the SAT solver is used as candidate solution/counter example for refining the propositional abstraction. In theory (i.e., from a proof complexity perspective), our approach of non-recursive expansion is equivalent to approaches that apply recursive expansion since both non-recursive and recursive expansion rely on the \(\forall \)Exp+Res proof system [6]. However, the non-recursive expansion has practical implications such as a modified search strategy. That is, the use of recursive or non-recursive expansion results in different search strategies for the proof. With respect to proof search, there is an analogy to, e.g., implementations of resolution-based CDCL SAT solvers that employ different search heuristics.

In addition to the new algorithm, we also implemented a hybrid approach that combines clause learning with non-recursive expansion-based solving for exploiting the power of QCDCL. Our experiments indicate that this hybrid approach performs very well, especially on formulas with multiple quantifier alternations.

This paper is structured as follows. After a review of related work in the next section, we introduce the necessary preliminaries in Sect. 3. After a short recapitulation of expansion in Sect. 4, our novel non-recursive expansion-based algorithm is presented in Sect. 5. The relation between our solving approach and \(\forall \)Exp+Res is explained in Sect. 6. Implementation details are discussed in Sect. 7 together with a short discussion of the hybrid approach. In Sect. 8 we compare our approach to state-of-the-art solvers.

This paper is an extended version of [9]. Besides a careful revision of the text, it contains more examples and illustrations, as well as an additional chapter relating our new solving approach to the \(\forall \)Exp+Res proof system. Furthermore, we added comprehensive experiments on the benchmark set used in QBFEval 2018.

Related work

Already the early QBF solvers Qubos [3] and Quantor [3] incorporate selective quantifier expansion for eliminating one kind of quantification to reduce the given QBF to a propositional formula. Qubos heuristically chooses which kind of quantifier to eliminate. If universal quantifiers are eliminated, subformulas of the form \(\forall x.\phi \) are replaced by \(\phi [x/\top ] \wedge \phi [x/\bot ]\). Dually, subformulas of the form \(\exists x.\phi \) are replaced by \(\phi [x/\top ] \vee \phi [x/\bot ]\). For handling the blow-up, Qubos implements several simplification techniques. Qubos does not require the input QBF to be in prenex conjunctive normal form (PCNF), but it is able to process formulas of arbitrary structure. Even more, the expansion of existential variables destroys any PCNF structure. Quantor, in contrast, preserves the PCNF structure by expanding universal variables only. In both cases, the resulting propositional formula is then solved by calling a SAT solver once. Over 15 years ago, Qubos and Quantor impressively demonstrated the power of expanding universal variables but also showed its enormous memory consumption. As a pragmatic compromise, bounded universal expansion was introduced for efficient preprocessing [13, 24, 25, 50].

The first approach which uses two alternating SAT solvers A and B for solving 2QBF, i.e., QBFs of the form \(\forall U \exists E.\phi \), was presented in [43]. Solver A is initialized with \(\phi \), B with the empty formula. Both propositional formulas are incrementally refined with satisfying assignments found by the other solver. If A finds its formula unsatisfiable, then the QBF is false. Otherwise, the negation of the universal part of the satisfying assignment is passed to solver B. If solver B finds its formula unsatisfiable, then the QBF is true. Otherwise, the existential part of the satisfying assignment is passed to solver A. Janota and Marques-Silva generalized the idea of alternating SAT solvers [33] such that one solver deals with the existentially quantified variables and one solver deals with the universally quantified variables exclusively. Solver A gets instantiations of \(\phi \) in which the universal variables are assigned, and solver B gets instantiations of \(\lnot \phi \) in which the existential variables are assigned. The satisfying assignment found by one solver is used to obtain a new instantiation for the other. This loop is repeated until one solver returns unsatisfiable. This approach realizes a natural application of the counter-example guided abstraction refinement (CEGAR) paradigm [17]. A detailed survey on 2QBF solving is given in [4].

A significant advancement of expansion-based solving for QBF with an arbitrary number of quantifier alternations was made with the solver RAReQS [28, 29], which recursively applies the previously discussed 2QBF approach [33] for each quantifier alternation. The approach turned out to be highly competitive. For formalizing this solving approach the calculus \(\forall \)Exp+Res was introduced [6], and proof-theoretical investigations revealed the orthogonal strength of \(\forall \)Exp+Res and Q-resolution [35], the QBF variant of the resolution calculus that forms the basis for QCDCL-based solvers. Research on the proof complexity of QBF has identified an exponential separation between Q-resolution and the \(\forall \)Exp+Res system. There are families of QBFs for which any Q-resolution proof has exponential size, in contrast to \(\forall \)Exp+Res proofs of polynomial size, and vice versa. Hence these two systems have orthogonal strength.

Recent work successfully combines machine learning with this CEGAR approach [27]. Motivated by the success of expansion-based QBF solving, several other approaches [12, 32, 42, 46, 47, 48] have been presented that are based on levelised SAT solving, i.e., one SAT solver is responsible for the variables of one quantifier block. In this paper, we also introduce a solving approach that is based upon propositional abstraction but considers the whole quantifier prefix at once.

Preliminaries

The QBFs considered in this paper are in prenex normal form \(\varPi .\phi \) where \(\varPi \) is a quantifier prefix \(Q_1x_1Q_2x_2\ldots Q_nx_n\) over the set of variables \(X = \{x_1,\ldots ,x_n\}\) with \(Q_i \in \{\forall , \exists \}\) and \(x_i \ne x_j\) for \(i \ne j\). The propositional formula \(\phi \) contains only variables from X. Unless stated otherwise, we do not make any assumptions on the structure of \(\phi \). Sometimes \(\varPi .\phi \) is in prenex conjunctive normal form (PCNF), i.e., \(\varPi \) is a prefix as introduced before and \(\phi \) is a conjunction of clauses. A clause is a disjunction of literals, and a literal is a variable or the negation of a variable. The prefix imposes the order \(<_\varPi \) on the elements of X such that \(x_i <_\varPi x_j\) if \(i < j\). By \(U_\varPi \) (\(E_\varPi \)) we denote the set of universally (existentially) quantified variables of the prefix \(\varPi \). If clear from the context we omit the subscript \(\varPi \). We assume the standard semantics of QBF. A QBF consisting of only the syntactic truth constant \(\bot \) (\(\top \)) is false (true). A QBF \(\forall x\varPi .\phi \) is true if \(\varPi .\phi [x \leftarrow \top ]\) and \(\varPi .\phi [x \leftarrow \bot ]\) are both true, where \(\phi [x \leftarrow t]\) is the substitution of each occurrence of x by t in \(\phi \). A QBF \(\exists x\varPi .\phi \) is true if \(\varPi .\phi [x \leftarrow \top ]\) or \(\varPi .\phi [x \leftarrow \bot ]\) is true.

Given a set X of variables, we call a total function \(\sigma :X \rightarrow \{\top ,\bot ,\epsilon \}\) an assignment for X. If there is an \(x\in X\) with \(\sigma (x) = \epsilon \) then \(\sigma \) is a partial assignment, otherwise \(\sigma \) is a full assignment of X. Informally, \(\sigma (x) = \epsilon \) means that \(\sigma \) does not assign a truth value to variable x. A restriction \(\sigma |_Y:Y\rightarrow \{\top ,\bot ,\epsilon \}\) of assignment \(\sigma :X \rightarrow \{\top ,\bot ,\epsilon \}\) to \(Y \subseteq X\) is defined by \(\sigma |_Y(x) = \sigma (x)\) if \(x \in Y\), otherwise \(\sigma |_Y(x) = \epsilon \). By \(\varSigma _X\) we denote the set of all full assignments \(\sigma :X\rightarrow \{\top ,\bot \}\). Let \(\phi \) be a propositional formula over X. By \(\sigma (\phi )\) we denote the application of assignment \(\sigma :X \rightarrow \{\top ,\bot ,\epsilon \}\) on \(\phi \), i.e., \(\sigma (\phi )\) is the formula obtained by replacing variables \(x \in X\) by \(\sigma (x)\) if \(\sigma (x) \in \{\top ,\bot \}\) and performing standard propositional simplifications. Let \(\phi , \psi \) be propositional formulas over the set of variables X. If for every full assignment \(\sigma \in \varSigma _X\), \(\sigma (\phi ) = \sigma (\psi )\) then \(\phi \) and \(\psi \) are equivalent. Let \(\tau :X\rightarrow \{\top ,\bot ,\epsilon \}\) and \(\sigma :Y\rightarrow \{\top ,\bot ,\epsilon \}\) be assignments such that for every \(x \in X \cap Y\), \(\tau (x) = \sigma (x)\) if \(\tau (x) \not = \epsilon \) and \(\sigma (x) \not = \epsilon \). Then the composite assignment of \(\sigma \) and \(\tau \) is denoted by \(\sigma \tau :X\cup Y \rightarrow \{\top ,\bot ,\epsilon \}\) and for every propositional formula \(\phi \) over \(X \cup Y\), it holds that \(\sigma \tau (\phi ) = \tau \sigma (\phi ) = \sigma (\tau (\phi )) = \tau (\sigma (\phi ))\). Furthermore, we use the equality \(\sigma \sigma = \sigma \) for any assignment \(\sigma \).

Example 1

Let \(\sigma :X\rightarrow \{\top ,\bot ,\epsilon \}\) be an assignment over variables \(\{a, b, x, y\}\) defined by \(\sigma (a) = \top \), \(\sigma (b) = \epsilon \), \(\sigma (x) = \top \), and \(\sigma (y) = \epsilon \). The restriction \(\tau = \sigma |_Y\) of \(\sigma \) to \(Y = \{x, y\}\) is given by \(\tau (a) = \epsilon \), \(\tau (b) = \epsilon \), \(\tau (x) = \top \), \(\tau (y) = \epsilon \). For the propositional formula \(\phi = (x \vee a \vee y) \wedge (\lnot x \vee \lnot a \vee y) \wedge (\lnot y \vee b)\), the application of \(\sigma \) and \(\tau \) on \(\phi \) gives us \(\sigma (\phi ) = y \wedge (\lnot y \vee b)\) and \(\tau (\phi ) = (\lnot a \vee y) \wedge (\lnot y \vee b)\).

Expansion

In the following, we introduce the notation and terminology used for describing expansion-based QBF solving in general, and the algorithm introduced in the next section in particular. We first define the notion of instantiation that is inspired by the axiom rule of the calculus \(\forall \)Exp+Res [31] which is introduced in Sect. 6.

Definition 1

Let \(\varPi .\phi \) be a QBF with prefix \(\varPi = Q_1x_1\ldots Q_nx_n\) over the set of variables \(X = \{x_1,\ldots ,x_n\}\) and \(\sigma :Y \rightarrow \{\top ,\bot ,\epsilon \}\) with \(Y \subseteq X\) an assignment. If \(Y \subset X\), we extend the domain of \(\sigma \) to X by setting \(\sigma (x) = \epsilon \) if \(x \in X\) but \(x \not \in Y\). The instantiation of \(\phi \) by \(\sigma \), denoted by \(\phi ^\sigma \), is obtained from \(\phi \) as follows:

  1. All variables \(x \in X\) with \(\sigma (x) \ne \epsilon \) are set to \(\sigma (x)\);

  2. All variables \(x \in X\) with \(\sigma (x) = \epsilon \) are replaced by \(x^\omega \) where annotation \(\omega \) is uniquely defined by the sequence \(\sigma (x_{k_1})\sigma (x_{k_2})\ldots \sigma (x_{k_m})\) such that the set formed from the variables \(x_{k_i}\) contains all variables of X with \(x_{k_i} <_\varPi x\) and \(\sigma (x_{k_i}) \ne \epsilon \). Furthermore, \(x_{k_i} <_\varPi x_{k_j}\) if \(k_i < k_j\);

  3. All truth constants occurring in the formula (not in the annotations) are eliminated by standard simplification rules.

If we instantiate a QBF \(\varPi .\phi \) with the full assignment \(\sigma :U_\varPi \rightarrow \{\top , \bot \}\) of the universal variables, we obtain a propositional formula that contains only (possibly annotated) variables from \(E_\varPi \). The dual holds for the instantiation by a full assignment \(\sigma :E_\varPi \rightarrow \{\top , \bot \}\) of the existential variables.

Example 2

Consider the QBF \(\forall a \exists x \forall b \exists y .\phi \) with \(\phi = ( (x \vee a \vee y) \wedge (\lnot x \vee \lnot a \vee y) \wedge (\lnot y \vee b))\). Then \( U = \{a, b\}\) and \(E = \{x, y\}\). Let \(\sigma :U\rightarrow \{\top ,\bot ,\epsilon \}\) be defined by \(\sigma (a) = \top \) and \(\sigma (b) = \bot \). Then \(\phi ^\sigma = (\lnot x^{\top } \vee y^{\top \bot }) \wedge \lnot y^{\top \bot }\). Further, let \(\tau :E\rightarrow \{\top ,\bot ,\epsilon \}\) with \(\tau (x) = \bot \) and \(\tau (y) = \bot \). Then \(\phi ^\tau = a\). Note that a is not annotated because it occurs in the first quantifier block.

Sometimes we want to remove the annotations from an assignment or an instantiated formula. Therefore, we introduce the following notation. Let \(\phi ^\sigma \) be an instantiation by assignment \(\sigma :X\rightarrow \{\top ,\bot ,\epsilon \}\) and \(X^\sigma \) the set of annotated variables. If we have an assignment \(\tau :X^\sigma \rightarrow \{\top ,\bot , \epsilon \}\), then we define \(\tau ^{-\sigma }:X\rightarrow \{\top ,\bot ,\epsilon \}\) by \(\tau ^{-\sigma }(x) = \tau (x^\sigma )\) for \(x^\sigma \in X^\sigma \). If we have an instantiated formula \(\phi ^\sigma \), then \((\phi ^\sigma )^{-\sigma }\) is the formula obtained by replacing every annotated variable \(x^\sigma \in X^\sigma \) by x. In general, \((\phi ^\sigma )^{-\sigma } \ne \phi \).

Example 3

Reconsider the propositional formula \(\phi \) and assignments \(\sigma , \tau \) from Example 2 above. Then \((\phi ^\sigma )^{-\sigma } = ((\lnot x^{\top } \vee y^{\top \bot }) \wedge \lnot y^{\top \bot })^{-\sigma } = (\lnot x \vee y) \wedge \lnot y\). Furthermore, \((\phi ^\tau )^{-\tau } = (a)^{-\tau } = a\).

Lemma 1

Let \(\varPi .\phi \) be a QBF with variables X and \(\sigma :X\rightarrow \{\top ,\bot ,\epsilon \}\) be a partial assignment. Then \((\phi ^\sigma )^{-\sigma }\) and \(\sigma (\phi )\) are equivalent.

Proof

By induction over the formula structure. For the base case let \(\phi = x\) with \(x \in X\). If \(\sigma (x) = \epsilon \), then \(\sigma (\phi ) = x\), \(\phi ^\sigma = x^\omega \), and \((\phi ^\sigma )^{-\sigma } = x\). Otherwise, \(\phi ^\sigma = \sigma (x)\). Obviously, \(\sigma (\phi ) = \sigma (x) = (\sigma (x))^{-\sigma } \in \{\top ,\bot \}\). The induction step naturally follows from the semantics of the logical connectives. \(\square \)

Finally, we specify the semantics of a QBF in terms of universal and existential expansion on which expansion-based QBF solving is founded.

Lemma 2

Let \(\varPhi = \varPi .\phi \) be a QBF with universal variables U. There is a set of assignments \(A \subseteq \varSigma _U\) such that \(\bigwedge _{\alpha \in A}\phi ^\alpha \) is unsatisfiable if and only if \(\varPhi \) is false.

The lemma above has a dual version for true QBFs. This duality plays a prominent role in our novel solving algorithm.

Lemma 3

Let \(\varPhi = \varPi .\phi \) be a QBF with existential variables E. There is a set of assignments \(S \subseteq \varSigma _E\) such that \(\bigvee _{\sigma \in S}\phi ^\sigma \) is valid if and only if \(\varPhi \) is true.

Non-Recursive Expansion-Based Algorithm

Fig. 1 A non-recursive algorithm for expansion-based QBF solving

The pseudo-code in Fig. 1 summarizes the basic idea of our novel approach for solving the QBF \(\varPi .\phi \) with universal variables U and existential variables E.

First, an arbitrary assignment \(\alpha _0\) for the universal variables is selected in Line 1. The instantiation \(\phi ^{\alpha _0}\) is handed over to a SAT solver. If \(\phi ^{\alpha _0}\) is unsatisfiable, then \(\varPi .\phi \) is false and the algorithm returns. Otherwise, \(\tau :E^{\alpha _0}\rightarrow \{\top ,\bot \}\) is a satisfying assignment of \(\phi ^{\alpha _0}\). Let \(\sigma _1\) denote the assignment \(\tau ^{-{\alpha _0}}\). Then \({\alpha _0}\sigma _1\) is a satisfying assignment of \(\phi \).

Next, the propositional formula \(\lnot \phi ^{\sigma _1}\) is handed over to a SAT solver for checking the validity of \(\phi ^{\sigma _1}\). If \(\lnot \phi ^{\sigma _1}\) is unsatisfiable, then \(\varPi .\phi \) is true and the algorithm returns. If \(\lnot \phi ^{\sigma _1}\) is satisfiable, then \(\rho :U^{\sigma _1}\rightarrow \{\top ,\bot \}\) is a satisfying assignment of \(\lnot \phi ^{\sigma _1}\). Let \(\alpha _1\) denote the assignment \(\rho ^{-\sigma _1}\). Then \(\alpha _1\sigma _1\) is a satisfying assignment for \(\lnot \phi \). The following lemma shows that \(\alpha _0\) and \(\alpha _1\) are different.

Lemma 4

Let \(\varPi .\phi \) be a QBF with universal variables U and existential variables E. Further, let \(\alpha :U\rightarrow \{\top ,\bot \}\) be an assignment such that the instantiation \(\phi ^\alpha \) is satisfiable and has the satisfying assignment \(\tau :E^\alpha \rightarrow \{\top ,\bot \}\). Let \(\sigma :E \rightarrow \{\top ,\bot \}\) with \(\sigma = \tau ^{-\alpha }\). Then \(\alpha \) falsifies \((\lnot \phi ^\sigma )^{-\sigma }\).

Proof

Since \(\phi ^\alpha \) is satisfied by \(\tau \), \(\phi \) is satisfied by the composite assignment \(\alpha \tau ^{-\alpha } = \alpha \sigma \), and therefore \(\lnot \phi \) is falsified by \(\alpha \sigma \). Then \(\alpha \) falsifies \(\sigma (\lnot \phi )\). According to Lemma 1, \(\sigma (\lnot \phi )\) is equivalent to \((\lnot \phi ^\sigma )^{-\sigma }\). Then \(\alpha \) also falsifies \((\lnot \phi ^\sigma )^{-\sigma }\). \(\square \)

In the next round of the algorithm, the propositional formula \(\phi ^{\alpha _0} \wedge \phi ^{\alpha _1}\) is handed over to a SAT solver. If this formula is unsatisfiable, \(\varPi .\phi \) is false and the algorithm returns. Otherwise, if it is satisfiable under some assignment \(\tau :E^{\alpha _0} \cup E^{\alpha _1} \rightarrow \{\top ,\bot \}\), then at least one new assignment \(\sigma _2:E\rightarrow \{\top ,\bot \}\) with \(\sigma _2 \ne \sigma _1\) can be extracted from \(\tau |_{E^{\alpha _i}}\) with \(0 \le i \le 1\). This assignment is then used for obtaining a new propositional formula \(\phi ^{\sigma _1} \vee \phi ^{\sigma _2}\). To show the validity of this formula, its negation is passed to a SAT solver. If this negation is unsatisfiable, \(\varPi .\phi \) is true and the algorithm returns. Otherwise, it is satisfiable under some assignment \(\rho :U^{\sigma _1} \cup U^{\sigma _2} \rightarrow \{\top ,\bot \}\). A new assignment \(\alpha _2:U \rightarrow \{\top , \bot \}\) with \(\alpha _2 \ne \alpha _1\) and \(\alpha _2 \ne \alpha _0\) is obtained from \(\rho |_{U^{\sigma _i}}\) with \(1 \le i \le 2\). This assignment is then used in the next round of the algorithm. In this way, the propositional formulas \(\bigwedge _{\alpha \in \varSigma _U}\phi ^\alpha \) and \(\bigvee _{\sigma \in \varSigma _E}\phi ^\sigma \) are generated incrementally. If \(\bigwedge _{\alpha \in A}\phi ^\alpha \) is unsatisfiable for some \(A \subseteq \varSigma _U\), then by Lemma 2 \(\varPi .\phi \) is false. Dually, if \(\bigvee _{\sigma \in S}\phi ^\sigma \) is valid for some \(S \subseteq \varSigma _E\), then by Lemma 3 \(\varPi .\phi \) is true. The algorithm iteratively extends the sets A and S by adding parts of satisfying assignments of \(\phi \) to S and parts of falsifying assignments to A. In particular, A is extended by assignments of the universal variables and S is extended by assignments of the existential variables. The order in which assignments are considered depends on the SAT solver used.

Example 4

We show how to solve the QBF \(\forall a\exists x\forall b \exists y.\phi \) with \(E=\{x,y\}\), \(U=\{a,b\}\), and \(\phi = ((a \vee x \vee y) \wedge (\lnot a \vee \lnot x \vee y) \wedge (b \vee \lnot y))\) with the algorithm presented above. This formula can be solved in two iterations:

Init: We start with some random assignment \(\alpha _0:U \rightarrow \{\top ,\bot \}\), for example with \(\alpha _0(a) = \top \) and \(\alpha _0(b) = \bot \).

Iteration 1: The formula \(\phi ^{\alpha _0} = (\lnot x^\top \vee y^{\top \bot }) \wedge \lnot y^{\top \bot }\) is passed to a SAT solver and found satisfiable under the assignment \(\tau :E^{\alpha _0}\rightarrow \{\top ,\bot \}\) with \(\tau (x^\top ) = \bot \) and \(\tau (y^{\top \bot }) = \bot \). By removing the variable annotations we get assignment \(\sigma _1 = (\tau |_{E^{\alpha _0}})^{-\alpha _0}\), where \(\sigma _1:E\rightarrow \{\top ,\bot \}\) with \(\sigma _1(x) = \bot \) and \(\sigma _1(y) = \bot \). Based on this assignment we obtain \(\phi ^{\sigma _1} = a\). The formula \(\lnot \phi ^{\sigma _1}\) is passed to a SAT solver. It is satisfiable and has the satisfying assignment \(\rho :U^{\sigma _1}\rightarrow \{\top ,\bot \}\) with \(\rho (a) = \bot \) and \(\rho (b^\bot ) = \top \), which we then reduce to \(\alpha _1 = (\rho |_{U^{\sigma _1}})^{-\sigma _1}\) where \(\alpha _1:U\rightarrow \{\top ,\bot \}\) with \(\alpha _1(a) = \bot \) and \(\alpha _1(b) = \top \).

Iteration 2: The formula \(\phi ^{\alpha _0} \wedge \phi ^{\alpha _1} = (\lnot x^\top \vee y^{\top \bot }) \wedge \lnot y^{\top \bot } \wedge (x^\bot \vee y^{\bot \top }) \) is passed to a SAT solver in the second iteration. It is satisfiable and one satisfying assignment is \(\tau :E^{\alpha _0} \cup E^{\alpha _1} \rightarrow \{\top ,\bot \}\) with \(\tau (x^\top ) = \bot , \tau (x^\bot ) = \top , \tau (y^{\top \bot }) = \bot , \tau (y^{\bot \top }) = \bot \). From \(\tau \), we can extract the assignment \(\sigma _2 = (\tau |_{E^{\alpha _1}})^{-\alpha _1}\) where \(\sigma _2:E\rightarrow \{\top ,\bot \}\) with \(\sigma _2(x) = \top \) and \(\sigma _2(y) = \bot \). Note that for any choice of \(\tau \), \(\sigma _2 \ne \sigma _1\). Next, we construct \(\phi ^{\sigma _1} \vee \phi ^{\sigma _2} = a \vee \lnot a\). This formula is a tautology, so its negation that is passed to a SAT solver is unsatisfiable, hence \(\varPi .\phi \) is true.
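The loop just described and the instantiation of Definition 1, as an added Python example that is not the paper's implementation: formulas are nested tuples, both SAT solvers are replaced by brute-force enumeration over the annotated variables (sufficient for the four-variable QBF of Example 4, which is constructed below), and all function and variable names are our own.

```python
"""Added example (not the paper's code): the non-recursive expansion loop of
Fig. 1 on top of the instantiation phi^sigma of Definition 1.  Formulas are
nested tuples; the two SAT solvers are brute-force enumerators."""
from itertools import product

# Formula syntax: True | False | ('var', name) | ('not', f) | ('and', *fs) | ('or', *fs).
# An annotated variable x^omega is ('var', (name, omega)) with omega a tuple of bools.

def evaluate(f, assignment):
    """Truth value of f under a full assignment of its variables."""
    if isinstance(f, bool):
        return f
    tag = f[0]
    if tag == 'var':
        return assignment[f[1]]
    if tag == 'not':
        return not evaluate(f[1], assignment)
    if tag == 'and':
        return all(evaluate(g, assignment) for g in f[1:])
    if tag == 'or':
        return any(evaluate(g, assignment) for g in f[1:])
    raise ValueError(f"unknown connective {tag!r}")

def annotation(prefix, sigma, x):
    """Annotation omega of x under sigma (Definition 1, item 2): the values sigma
    gives to the assigned variables that precede x in the prefix."""
    omega = []
    for _, v in prefix:
        if v == x:
            return tuple(omega)
        if v in sigma:
            omega.append(sigma[v])
    raise KeyError(x)

def instantiate(prefix, f, sigma):
    """phi^sigma: assigned variables become constants, unassigned ones get annotated.
    Constants stay in place (evaluate() handles them), so no simplification pass."""
    if isinstance(f, bool):
        return f
    if f[0] == 'var':
        x = f[1]
        return sigma[x] if x in sigma else ('var', (x, annotation(prefix, sigma, x)))
    return (f[0],) + tuple(instantiate(prefix, g, sigma) for g in f[1:])

def annotated_vars(prefix, variables, sigma):
    """X^sigma: the annotated copies of `variables` that phi^sigma ranges over."""
    return {(x, annotation(prefix, sigma, x)) for x in variables}

def brute_force_sat(f, variables):
    """Stand-in for a SAT solver: the first satisfying assignment, or None."""
    variables = sorted(variables)
    for values in product((False, True), repeat=len(variables)):
        tau = dict(zip(variables, values))
        if evaluate(f, tau):
            return tau
    return None

def strip_annotations(prefix, tau, variables, sigma):
    """(tau|_{X^sigma})^{-sigma}: read an assignment of `variables` off a model tau."""
    return {x: tau[(x, annotation(prefix, sigma, x))] for x in variables}

def solve(prefix, phi, alpha0):
    """Fig. 1: returns (truth value of the QBF, |A|, |S|) at termination."""
    U = [v for q, v in prefix if q == 'forall']
    E = [v for q, v in prefix if q == 'exists']
    A, S = [alpha0], []          # universal counter-examples, existential candidates
    for _ in range(2 ** len(U) + 2 ** len(E) + 1):   # every round enlarges A or S
        # Is the partial universal expansion AND_{alpha in A} phi^alpha satisfiable?
        expansion = ('and',) + tuple(instantiate(prefix, phi, a) for a in A)
        tau = brute_force_sat(expansion, set().union(*(annotated_vars(prefix, E, a) for a in A)))
        if tau is None:
            return False, len(A), len(S)          # Lemma 2
        for a in A:
            sigma = strip_annotations(prefix, tau, E, a)
            if sigma not in S:
                S.append(sigma)
        # Is OR_{sigma in S} phi^sigma valid, i.e. is its negation unsatisfiable?
        negation = ('and',) + tuple(('not', instantiate(prefix, phi, s)) for s in S)
        rho = brute_force_sat(negation, set().union(*(annotated_vars(prefix, U, s) for s in S)))
        if rho is None:
            return True, len(A), len(S)           # Lemma 3
        for s in S:
            alpha = strip_annotations(prefix, rho, U, s)
            if alpha not in A:
                A.append(alpha)
    raise RuntimeError("no new assignment found; Lemma 6 rules this out")

def v(name):
    return ('var', name)

# Example 4: forall a exists x forall b exists y . phi, prefix given as a list.
PREFIX = [('forall', 'a'), ('exists', 'x'), ('forall', 'b'), ('exists', 'y')]
PHI_EX4 = ('and', ('or', v('a'), v('x'), v('y')),
                  ('or', ('not', v('a')), ('not', v('x')), v('y')),
                  ('or', v('b'), ('not', v('y'))))

if __name__ == '__main__':
    print(solve(PREFIX, PHI_EX4, {'a': True, 'b': False}))   # (True, 2, 2)
```

Because the enumerator picks models in a fixed order, the counter-example found in iteration 1 differs from the one in the text, but the QBF is still decided true in two iterations.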

Fig. 2 Expansion trees relating the assignments found during solving the QBF \(\forall a\exists x \forall b \exists y.\phi \) in Example 5, with initial assignment \(\alpha _0(a) = \bot , \alpha _0(b) = \bot \). The assignments shown in the leaves of the trees satisfy (left trees) or falsify (right trees) \(\phi \).

The soundness of our algorithm immediately follows from Lemmas 2 and 3: the algorithm returns false (true) if, in some iteration i, it finds that the current partial expansion \(\bigwedge _{\alpha \in A_{i-1}}\phi ^\alpha \) (respectively \(\bigwedge _{\sigma \in S_i}\lnot \phi ^\sigma \)) is unsatisfiable.

Theorem 1

The algorithm shown in Fig. 1 is sound.

For showing that the algorithm also terminates, we argue that sets \(A_i\) and \(S_i\) increase in iteration \(i+1\). To this end, we have to relate the variables of the QBF, the annotated variables as well as their assignments. Before we give the proof, we first consider another example in which we illustrate how the different assignments are related.

Example 5

We show one possible run of the algorithm presented above for the QBF \(\varPhi := \forall a\exists x\forall b \exists y.\phi \) with

$$\begin{aligned} \phi := (a \wedge b \wedge \lnot x \wedge \lnot y) \vee (\lnot a \wedge x \wedge (b \leftrightarrow y)) \end{aligned}$$

and how it iteratively generates the sets \(\varSigma _U\) and \(\varSigma _E\). Figure 2 shows the expansion trees that are implicitly built during the search. An expansion tree relates the variables of the partial expansion of \(\varPhi \) constructed from \(A_i\) (left column) and \(S_i\) (right column). Solid edges indicate that the variable on the top has been set by an assignment from \(A_i\) or \(S_i\), and dotted edges indicate that the variable has to be assigned a value by the SAT solver. The order of the (annotated) variables in the expansion tree respects the order of the (original) variables in the prefix.

Init: For the initialization of \(A_0\), an arbitrary assignment \(\alpha _0:U \rightarrow \{\top ,\bot \}\) is chosen. Let \(\alpha _0(a) = \bot \) and \(\alpha _0(b) = \bot \).

Iteration 1: \(\phi ^{\alpha _0} := x^\bot \wedge \lnot y^{\bot \bot }\) is satisfiable. Assignment \(\sigma _1:E \rightarrow \{\top ,\bot \}\), with \(\sigma _1(x) = \top \) and \(\sigma _1(y) = \bot \), is extracted from model \(\tau :E^{\alpha _0} \rightarrow \{\top ,\bot \}\) and added to \(S_1\). Now \(\phi ^{\sigma _1} := \lnot a \wedge \lnot b^{\top }\) is checked for validity. Assignment \(\alpha _1:U \rightarrow \{\top , \bot \}\), with \(\alpha _1(a) = \bot \) and \(\alpha _1(b) = \top \), obtained from counter-example \(\rho :U^{\sigma _1} \rightarrow \{ \top ,\bot \} \), is added to \(A_1\).

Iteration 2: Next, \(\phi ^{\alpha _0} \wedge \phi ^{\alpha _1}\) with \(\phi ^{\alpha _1} := x^\bot \wedge y^{\bot \top }\) is checked. From model \(\tau :E^{\alpha _0} \cup E^{\alpha _1} \rightarrow \{\top ,\bot \}\), again \(\sigma _1\) can be extracted for \(\phi ^{\alpha _0}\). For \(\phi ^{\alpha _1}\) a new assignment \(\sigma _2\) which is not in \(S_1\) is found and added to \(S_2\). In particular, we get \(\sigma _2:E \rightarrow \{\top ,\bot \}\) with \(\sigma _2(x) = \top \) and \(\sigma _2(y) = \top \). When the validity of \(\phi ^{\sigma _1} \vee \phi ^{\sigma _2}\) with \( \phi ^{\sigma _2} := \lnot a \wedge b^{\top }\) is checked, we get a counter-example \(\rho :U^{\sigma _1} \cup U^{\sigma _2} \rightarrow \{\top ,\bot \}\), from which \(\alpha _2 :U \rightarrow \{\top ,\bot \}\), with \(\alpha _2(a) = \top \) and \(\alpha _2(b) = \top \), can be extracted. Assignment \(\alpha _2\) is added to \(A_2\) leading to a new path in the left expansion tree (Iteration 3 in Fig. 2).

Iteration 3: Next, \(\phi ^{\alpha _0} \wedge \phi ^{\alpha _1} \wedge \phi ^{\alpha _2}\) with \( \phi ^{\alpha _2} := \lnot x^\top \wedge \lnot y^{\top \top }\) is checked. From model \(\tau :E^{\alpha _0} \cup E^{\alpha _1} \cup E^{\alpha _2} \rightarrow \{\top ,\bot \}\), \(\sigma _3 :E \rightarrow \{\top ,\bot \}\) is extracted, satisfying \(\phi ^{\alpha _2}\). This assignment is different from both \(\sigma _1\) and \(\sigma _2\): \(\sigma _3(x) = \bot \) and \(\sigma _3(y) = \bot \). This again results in a new branch of the expansion tree (see left expansion tree of Iteration 4 in Fig. 2). The resulting formula \(\phi ^{\sigma _1} \vee \phi ^{\sigma _2} \vee \phi ^{\sigma _3}\) with \(\phi ^{\sigma _3} := a \wedge b^\bot \) is not valid, and from the counter-example \(\rho :U^{\sigma _1} \cup U^{\sigma _2} \cup U^{\sigma _3} \rightarrow \{\top , \bot \}\) we get \(\alpha _3 :U \rightarrow \{\top ,\bot \}\) with \(\alpha _3(a) = \top \) and \(\alpha _3(b) = \bot \).

Iteration 4: Finally, the full expansion \(\phi ^{\alpha _0} \wedge \phi ^{\alpha _1} \wedge \phi ^{\alpha _2} \wedge \phi ^{\alpha _3}\) with \(\phi ^{\alpha _3} := \bot \) is not satisfiable, meaning that the original formula \(\forall a\exists x\forall b \exists y.\phi \) is false.

In the example above we saw that new assignments are generated in each iteration because \(A_i\) and \(S_i\) build models and counter-models of \(\phi \). The following definition formalizes the relationship between \(A_i\) and \(S_i\).

Definition 2

Let \(\varPi .\phi \) be a QBF over universally quantified variables U and existentially quantified variables E. Further, let \(A \subseteq \{ \alpha \mid \alpha :U \mapsto \{\top , \bot \}\}\) and \(S \subseteq \{ \sigma \mid \sigma :E \mapsto \{\top , \bot \}\}\). If for every assignment \(\sigma \in S\), there exists an assignment \(\alpha \in A\) such that \(\alpha \sigma (\lnot \phi )\) is true, then we say that A completes S. If for every assignment \(\alpha \in A\), there exists an assignment \(\sigma \in S\) such that \(\alpha \sigma (\phi )\) is true, then we say that S completes A.

We now show that \(S_{i}\) completes \(A_{i-1}\) and \(A_{i}\) completes \(S_{i}\) if the algorithm does not terminate in iteration i because of the unsatisfiability of the respective expansion.

Lemma 5

Let \(\varPi .\phi \) be a QBF over universally quantified variables U and existentially quantified variables E. Further, let \(A_{i-1}\) and \(A_i\) with \(A_{i-1} \subseteq A_i\) be two sets of full assignments to the universal variables and let \(S_{i}\) be a set of full assignments to the existential variables obtained by iteration i during an execution of the algorithm shown in Fig. 1.

  (1) If \(\bigwedge _{\alpha \in A_{i-1}}\phi ^\alpha \) is satisfiable, then \(S_{i}\) completes \(A_{i-1}\), i.e., for every \(\mu \in A_{i-1}\), there is an assignment \(\nu \in S_i\) such that \(\mu \nu (\phi )\) is true.

  (2) If \(\bigwedge _{\sigma \in S_i}\lnot \phi ^\sigma \) is satisfiable, then \(A_i\) completes \(S_i\), i.e., for every \(\nu \in S_i\), there is an assignment \(\mu \in A_{i}\) such that \(\nu \mu (\lnot \phi )\) is true.

Proof

By contradiction. For (1), assume there is an assignment \(\mu \in A_{i-1}\) such that there is no assignment \(\nu \in S_i\) for which \(\mu \nu (\phi )\) is true. By assumption \(\bigwedge _{\alpha \in A_{i-1}}\phi ^\alpha \) is satisfiable, so there is a satisfying assignment \(\tau \) such that \(\tau |_{E^{\mu }}(\phi ^{\mu })\) is true. Then also \(\mu (\tau |_{E^{\mu }})^{-\mu }(\phi )\) is true. But \((\tau |_{E^{\mu }})^{-\mu } \in S_i\), which contradicts the assumption. For (2), assume that there is an assignment \(\mu \in S_i\) such that there is no \(\nu \in A_i\) for which \(\mu \nu (\lnot \phi )\) is true. The rest of the argument is analogous to (1). \(\square \)

Next, we show that the addition of new assignments \(A'\) to a set A of universal assignments forces a set S of existential assignments to increase if some completion criteria hold.

Lemma 6

Let \(\varPhi = \varPi .\phi \) be a QBF over universally quantified variables U and existentially quantified variables E. Further, let \(A \cup A'\) be a set of universal assignments such that \(A \cap A' = \emptyset \) and \(A' \not = \emptyset \). Let S be a set of existential assignments, and assume that \(\bigwedge _{\sigma \in S}\lnot \phi ^\sigma \) has the satisfying assignment \(\rho \) and that \(A' \subseteq \{(\rho |_{U^\sigma })^{-\sigma } \mid \sigma \in S\}\).

If S completes A, and \(A \cup A'\) completes S, and \(\bigwedge _{\alpha \in A\cup A'}\phi ^\alpha \) evaluates to true under assignment \(\tau \), then there exists an assignment \(\nu \in \{(\tau |_{E^\alpha })^{-\alpha } \mid \alpha \in A \cup A'\}\) with \(\nu \not \in S\).

Proof

By induction over the number of variables in \(\varPi \).

Base Case. Assume that \(\varPhi \) has only one variable, i.e., \(\varPi = Qx\). Note that \(|A'| = 1\) because x is outermost in the prefix and \(A'\) is obtained from sub-assignments of \(\rho \). If \(Q = \forall \), then the elements of A are full assignments of \(\phi \), and S is either empty, or it contains the empty assignment \(\omega :\emptyset \mapsto \{\top , \bot \}\). Let \(A' = \{\mu \}\). If S is empty, so is A (because S has to complete A). If \(\tau \) is a satisfying assignment of \(\phi ^\mu \), then \(\nu = \tau = \omega \) is the empty assignment and \(\nu \not \in S\). Otherwise, \(\omega \in S\). If there is an assignment \(\alpha \in A\), then \(\phi ^\alpha \wedge \phi ^\mu \) is a full expansion of \(\varPhi \). If this full expansion is true, then \(\lnot \phi \) is unsatisfiable. Otherwise, \(\phi ^\alpha \wedge \phi ^\mu \) is unsatisfiable. In both cases, the necessary preconditions for the lemma are not fulfilled. If \(A = \emptyset \), then \(\mu \omega (\lnot \phi )\) is true. Then \(\phi ^\mu \) is unsatisfiable, again violating a precondition. If \(Q = \exists \), then \(\mu = \omega \) and \(A = \emptyset \). If \(S = \emptyset \) and \(\phi ^\omega = \phi \) has the satisfying assignment \(\tau \), then \(\nu = \tau \) and \(\nu \not \in S\). Otherwise, if there is an assignment \(\sigma \in S\), then \(\omega \sigma (\lnot \phi )\) is true, because \(A \cup \{\mu \} = \{\omega \}\) completes S. Hence, if assignment \(\tau \) satisfies \(\phi ^\mu \), then \(\nu = \tau \), so \(\nu \not \in S\).

Induction Step. Assume the lemma holds for QBFs with n variables. We show that it also holds for QBFs with \(n+1\) variables. Let \(\varPhi = Qx\varPi .\phi \) be a QBF over existential variables E and universal variables U with \(\varPi = Q_1x_1\ldots Q_nx_n\) and \(A \cup A'\) and S be as required (S completes A, \(A \cup A'\) completes S, \(\bigwedge _{\alpha \in A \cup A'}\phi ^\alpha \) has a satisfying assignment \(\tau \), and \(\bigwedge _{\sigma \in S}\lnot \phi ^\sigma \) has a satisfying assignment \(\rho \) from which \(A'\) is obtained).

If \(Q = \forall \), then all assignments \(\alpha \in A'\) assign the same value t to x, i.e., \(\alpha (x) = t\), because these assignments are extracted from assignment \(\rho \) and since x is the outermost variable of the prefix of \(\varPhi \), \(\rho (x) = t\). Further, let \(A^t = \{ \alpha \in A \mid \alpha (x) = t\}\). It is easy to argue that for \(\varPi .\phi [x \leftarrow t]\) together with the assignment sets \(A^t \cup A'\) and S the induction hypothesis applies, i.e., there is an assignment \(\nu \not \in S\) with \(\nu \in \{(\tau ' |_{E^\alpha })^{-\alpha } \mid \alpha \in A^t \cup A'\}\) where \(\tau '\) is the part of \(\tau \) that satisfies \(\bigwedge _{\alpha \in A^t \cup A'}(\phi [x \leftarrow t])^\alpha \). Obviously, \(\nu \in \{(\tau |_{E^\alpha })^{-\alpha } \mid \alpha \in A \cup A'\}\).

If \(Q = \exists \), assume that \(\tau (x) = t\). Let \(\{ \sigma \in S \mid \sigma (x) = t\} \subseteq S^t \subseteq S\), and let \(A^t \subseteq A\) such that the induction hypothesis applies to \(\varPi .\phi [x \leftarrow t]\), \(A^t \cup A'\), and \(S^t\). Let \(\tau ^t\) be those sub-assignments of \(\tau \) that satisfy \(\bigwedge _{\alpha \in A^t}\phi ^\alpha \). Then there is an assignment \(\nu \) that can be extracted from \(\tau ^t\) with \(\nu \not \in S^t\). Since \(\nu (x) = t\), \(\nu \not \in S\). This concludes the proof. \(\square \)

This property also holds in the other direction, i.e., adding a set \(S'\) of new assignments to S will force the set A to increase.

Lemma 7

Let \(\varPhi = \varPi .\phi \) be a QBF over universally quantified variables U and existentially quantified variables E. Further, let \(S \cup S'\) be a set of existential assignments such that \(S \cap S' = \emptyset \) and \(S' \not = \emptyset \), and let A be a set of universal assignments such that \(\bigwedge _{\alpha \in A}\phi ^\alpha \) has the satisfying assignment \(\tau \) and \(S' \subseteq \{(\tau |_{E^\alpha })^{-\alpha } \mid \alpha \in A\}\).

If A completes S and \(S \cup S'\) completes A and \(\bigwedge _{\sigma \in S\cup S'}\lnot \phi ^\sigma \) evaluates to true under assignment \(\rho \), then there exists an assignment \(\nu \in \{(\rho |_{U^\sigma })^{-\sigma } \mid \sigma \in S \cup S'\}\) with \(\nu \not \in A\).

Proof

The proof is analogous to the proof of Lemma 6. \(\square \)

Now that we have identified the relations between the sets of universal and existential assignments, we use them to show that the algorithm from Fig. 1 terminates.

Theorem 2

The algorithm shown in Fig. 1 terminates for any QBF \(\varPhi = \varPi .\phi \).

Proof

By induction over the number of iterations i, we argue that sets \(A_{i-1} \subset A_i\) and \(S_{i-1} \subset S_i\).

Base Case. Let \(i = 1\) and \(A_0 = \{\alpha _0\}\). \(S_0 \subset S_1\), because \(S_0 = \emptyset \) and \(\sigma _1 \in S_1\) is a satisfying assignment of \(\phi ^{\alpha _0}\) (if \(\phi ^{\alpha _0}\) is unsatisfiable, the algorithm terminates). \(A_0 \subset A_1\) directly follows from Lemma 4.

Induction Step. For \(i > 1\), we argue that \(S_i \subset S_{i+1}\). By induction hypothesis the theorem holds for iteration i, i.e., \(A_i = A_{i-1} \cup A'\) with \(A_{i-1} \cap A' = \emptyset \) and \(A' \not = \emptyset \) and \(S_i = S_{i-1} \cup S'\) with \(S_{i-1} \cap S' = \emptyset \) and \(S' \not = \emptyset \). Because of Lemma 5, \(S_{i}\) completes \(A_{i-1}\), and \(A_{i}\) completes \(S_i\). Furthermore, if \(\bigwedge _{\sigma \in S_i}\lnot \phi ^\sigma \) is satisfiable under some assignment \(\rho \) (otherwise the algorithm would terminate), by construction \(A' \subseteq \{(\rho |_{U^\sigma })^{-\sigma } \mid \sigma \in S_i\}\). Hence, Lemma 6 applies and if \(\bigwedge _{\alpha \in A_i}\phi ^\alpha \) is satisfiable under some assignment \(\tau \) (otherwise the algorithm would immediately terminate), then there is an assignment \(\nu \in \{(\tau |_{E^\alpha })^{-\alpha } \mid \alpha \in A_i\}\) with \(\nu \not \in S_i\).

The argument for \(A_i \subset A_{i+1}\) is similar and uses the property shown in Lemma 7. \(\square \)

Note that the algorithm presented above does not make any assumptions on the formula structure, i.e., for a QBF \(\varPi .\phi \) it is not required that \(\phi \) is in conjunctive normal form. Without any modification, our algorithm also works on formulas in PCNF—as SAT solvers typically process formulas in CNF only, we focus on this representation for the rest of the paper.

Fig. 3: The rules of the \(\forall \)Exp+Res calculus [6, 30, 31]

Relation to the \(\forall \)Exp+Res calculus

The \(\forall \)Exp+Res calculus [6, 30, 31] provides the theoretical foundation of our algorithm for refuting a formula \(\varPi .\phi \) in PCNF with universal variables U and existential variables E. The \(\forall \)Exp+Res calculus consists of the two rules shown in Fig. 3. Given an assignment \(\tau :U_\varPi \rightarrow \{\top , \bot \}\) of the universal variables \(U_\varPi \) and a clause C occurring in a QBF \(\varPi .\phi \), the axiom rule instantiates C such that all universal literals u are assigned the value \(\tau (u)\) and the remaining existential literals l are annotated by \([\tau ]\), i.e., by those universals that precede the variable of l in the prefix. In the notation introduced before, we can write the axiom rule by

[axiom rule in the notation introduced before; given as an image in the original]

Note that only clauses without a universal literal l with \(\tau (l) = \top \) are of interest for a refutation proof, since a clause containing such a literal is satisfied by \(\tau \). Further, any occurrences of \(\bot \) are omitted in the proof.

The resolution rule corresponds exactly to propositional resolution, i.e., the annotated variables are treated as propositional variables. Resolution between two clauses is only possible if one contains a literal \(x^\sigma \) and the other clause contains a literal \(\lnot x^\tau \) with \(\sigma = \tau \), i.e., the pivot literals must carry the same annotation. Note that we represent clauses as sets of literals.

A derivation in \(\forall \)Exp+Res is a sequence of clauses where each clause is either obtained by the axiom rule or derived from previously derived clauses by the application of the resolution rule. A refutation of a PCNF \(\varPi .\phi \) is a derivation of the empty clause. The application of the axiom rule instantiates the universal variables of one clause of \(\phi \). If enough of these instantiations can be found in order to derive the empty clause by the application of the resolution rule, the QBF \(\varPi .\phi \) is false.

Fig. 4: \(\forall \)Exp+Res proof of \(\exists x\forall a \exists y.((x \vee a \vee y) \wedge (\lnot x \vee \lnot y) \wedge (\lnot x \vee \lnot a \vee y) \wedge (\lnot y))\)

Our algorithm presented in Fig. 1 does not instantiate selected clauses of the input formula, but all clauses of the matrix \(\phi \) at once using a particular assignment of the universal variables. Hence, when the SAT solver finds \(\psi _\forall = \bigwedge _{\alpha \in A_i}\phi ^\alpha \) unsatisfiable for some \(A_i\), not necessarily all clauses of \(\psi _\forall \) are required to derive the empty clause via resolution, but only one minimal unsatisfiable core of \(\psi _\forall \), i.e., a subset of the clauses such that the removal of any clause would make this formula satisfiable. This observation leads us to the following proposition.

Proposition 1

Let \(\varPi .\phi \) be a false QBF. Further, let \(\psi _\forall = \bigwedge _{\alpha \in A_i}\phi ^\alpha \) be obtained by the application of the algorithm in Fig. 1. Further, let \(\psi _\forall '\) be a minimal unsatisfiable core of \(\psi _\forall \). Then there is a \(\forall \)Exp+Res refutation such that all clauses that are introduced by the axiom rule occur in \(\psi _\forall '\).

Example 6

Consider the false QBF

$$\begin{aligned} \exists x\forall a \exists y.((x \vee a \vee y) \wedge (\lnot x \vee \lnot y) \wedge (\lnot x \vee \lnot a \vee y) \wedge (\lnot y)). \end{aligned}$$

When fully expanding universal a, we obtain the propositional formula

$$\begin{aligned} ((\lnot x \vee \lnot y^\top ) \wedge (\lnot x \vee y^\top ) \wedge (\lnot y^\top ) \wedge (x \vee y^\bot ) \wedge (\lnot x \vee \lnot y^\bot ) \wedge (\lnot y^\bot )). \end{aligned}$$

For proving unsatisfiability of this formula, it is enough to consider the formula \(((\lnot x \vee y^\top ) \wedge (\lnot y^\top ) \wedge (x \vee y^\bot ) \wedge (\lnot y^\bot )).\) The corresponding \(\forall \)Exp+Res proof is shown in Fig. 4. Since existential variable x occurs outermost in the prefix, it is not annotated during the applications of the axiom rule.
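The axiom rule, the resolution rule and the minimal-core observation of Proposition 1 applied to Example 6, as an added Python example written for this page (it is not part of the Ijtihad implementation or the paper). The encoding is an assumption of the example: a literal is a pair of variable name and polarity, a clause is a set of literals, and the annotated existential variables \(y^\top \) and \(y^\bot \) from the expansion above are spelled `y^T` and `y^F`. The script instantiates the matrix under both values of a, reproduces the six clauses listed above, saturates clause sets under resolution to decide refutability, and checks that the four-clause subset used in Fig. 4 is a minimal unsatisfiable core while the full expansion is not.

```python
"""forall-Exp+Res on Example 6: axiom rule, resolution, and minimal-core check."""

# Encoding (an assumption of this example): a literal is (variable, polarity),
# a clause is a frozenset of literals, and an annotated existential variable
# such as y^top / y^bot from the page is written as the string 'y^T' / 'y^F'.


def lit(s):
    """Parse '-y^T' into ('y^T', False) and 'x' into ('x', True)."""
    return (s[1:], False) if s.startswith('-') else (s, True)


def clause(*lits):
    return frozenset(lit(s) for s in lits)


# Prefix  exists x forall a exists y  and the matrix of Example 6.
PREFIX = [('E', 'x'), ('A', 'a'), ('E', 'y')]
MATRIX = [clause('x', 'a', 'y'), clause('-x', '-y'),
          clause('-x', '-a', 'y'), clause('-y')]


def axiom(prefix, c, tau):
    """Axiom rule: assign the universal literals of c by tau and annotate every
    existential literal with tau restricted to the universals preceding it in
    the prefix.  Returns None when a universal literal evaluates to top (the
    clause is satisfied and plays no role in a refutation); literals that
    evaluate to bottom are dropped."""
    before, seen = {}, []
    for q, v in prefix:
        if q == 'A':
            seen.append(v)
        else:
            before[v] = list(seen)
    out = set()
    for v, pol in c:
        if v in tau:                       # universal literal
            if tau[v] == pol:
                return None
            continue
        ann = ''.join('T' if tau[u] else 'F' for u in before[v])
        out.add((v + ('^' + ann if ann else ''), pol))
    return frozenset(out)


def expand(prefix, matrix, tau):
    """phi^tau: the axiom rule applied to every clause of the matrix."""
    return [d for d in (axiom(prefix, c, tau) for c in matrix) if d is not None]


def resolve(c1, c2):
    """Propositional resolvents of c1 and c2.  The pivot must agree on its
    annotation, because annotated variables are distinct propositional
    variables; tautological resolvents are discarded."""
    for v, pol in c1:
        if (v, not pol) in c2:
            r = (c1 - {(v, pol)}) | (c2 - {(v, not pol)})
            if not any((w, not p) in r for w, p in r):
                yield r


def refutes(clauses):
    """Saturate the clause set under resolution and report whether the empty
    clause is derivable, i.e. (by refutation completeness) whether the set
    is unsatisfiable."""
    derived = set(clauses)
    if frozenset() in derived:
        return True
    frontier = list(derived)
    while frontier:
        c = frontier.pop()
        for d in list(derived):
            for r in resolve(c, d):
                if not r:
                    return True
                if r not in derived:
                    derived.add(r)
                    frontier.append(r)
    return False


def is_minimal_core(clauses):
    """Proposition 1's notion: unsatisfiable, and dropping any single clause
    makes the remainder satisfiable."""
    cs = list(clauses)
    return refutes(cs) and all(not refutes(cs[:i] + cs[i + 1:]) for i in range(len(cs)))


# Full expansion of a (both values), matching the six clauses on the page,
# and the four-clause core used in the Fig. 4 proof.
EXPANSION = expand(PREFIX, MATRIX, {'a': True}) + expand(PREFIX, MATRIX, {'a': False})
CORE = [clause('-x', 'y^T'), clause('-y^T'), clause('x', 'y^F'), clause('-y^F')]

if __name__ == '__main__':
    print(len(EXPANSION), refutes(EXPANSION), is_minimal_core(CORE), is_minimal_core(EXPANSION))
```

Resolution saturation is used here both for the refutation and for the "removing any clause makes it satisfiable" test, since the empty clause is derivable exactly from unsatisfiable sets; for the three annotated variables of this example the saturation is tiny, whereas the solver described on the page obtains the core from the SAT solver's unsatisfiability proof instead.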

Currently our implementation supports the generation of refutation proofs for false formulas and checking them for correctness. In consequence, we are now able to efficiently check the correctness of the solving results for false formulas, because the correctness check is linear in the proof size. For such proofs, we designed a novel proof format, because to the best of our knowledge recent QBF solvers implementing expansion-based approaches do not support any proof generation.

Conceptually, proof generation for true QBFs works dually: instead of refuting a set of clauses, a set of cubes (conjunctions of literals) is shown to be valid. For this purpose, the resolution rule has to be modified to operate on cubes instead of clauses. In practice, however, SAT solvers are used that operate on clauses, hence an extra transformation step introducing fresh variables is required. This is currently not supported by our checker and is subject to future work.

Implementation

The algorithm described in Sect. 5 is realized in the solver Ijtihad. The most recent version of Ijtihad is available at

https://extgit.iaik.tugraz.at/scos/ijtihad

The solver is implemented in C++ and currently processes formulas in PCNF available in the QDIMACS format. For accessing SAT solvers, Ijtihad uses the IPASIR interface [5], which makes changing the SAT solver very easy. The SAT solver used in all of our experiments is Glucose [2]. Although the base implementation does reasonably well, we have realized various optimizations to make Ijtihad even more viable in practice. Some of them are discussed in the following.

Fig. 5: Set sizes and time consumed during SAT calls for solved instances from QBFEVAL’17 preprocessed by Bloqqer

For solving a QBF \(\varPi .\phi \), the basic algorithm shown in Fig. 1 adds instantiations of \(\phi \) to \(\psi _\forall = \bigwedge _{\alpha \in A_{i-1}}\phi ^\alpha \) and \(\psi _\exists = \bigwedge _{\sigma \in S_{i}}\lnot \phi ^\sigma \) in each iteration i until the formula is decided. The calls to the SAT solver in Line 5 and Line 8 are done incrementally, i.e., we create two instances of the SAT solver and provide them with the clauses stemming from new instantiations of \(\phi \) at each iteration. For simplicity, we omit indices of sets A and S and refer to an arbitrary iteration of the execution of the algorithm in the following discussion.

Figure 5 relates the set sizes of A and S as well as the accumulated time that one SAT solver needs to solve \(\psi _\forall \) with the time the other SAT solver needs to solve \(\psi _\exists \) for the formulas of the PCNF track of QBFEVAL’17 (preprocessed with Bloqqer [8]). Here we also distinguish between true and false formulas. In Fig. 5a we see that for true formulas, set S tends to be larger than A, while for false instances the picture is less clear. Figure 5b shows the overall time needed for solving \(\psi _\forall \) (y-axis) and \(\psi _\exists \) (x-axis). In almost all cases, the solver that handles \(\psi _\forall \) needs more time than the solver that handles \(\psi _\exists \). This may be explained by the observation that many QBFs have considerably more existential variables than universal variables [39], hence the instantiations added to \(\psi _\forall \) are much larger than the instantiations added to \(\psi _\exists \).

In Line 1 of Fig. 1, the set of universal assignments \(A\) is initialized with one arbitrary assignment \(\alpha _0\). Obviously, the set \(A\) may also be initialized with multiple assignments. In our current implementation, we initialize \(A\) with the assignments that set the variables of one universal quantifier block to \(\bot \) and the variables of all other universal quantifier blocks to \(\top \). The impact of various initialization heuristics remains to be investigated in future work.

In Line 7 and Line 10 our algorithm increases the size of \(S\) and \(A\) in each iteration of the main loop, as argued in Theorem 2. In the worst case, this leads to an exponential increase in space consumption. Although we detect shared clauses among the instantiations, that alone is not enough to significantly reduce the space consumption. However, some of the assignments found in an earlier iteration could become obsolete after better assignments were found. It is therefore beneficial to empty either \(S\) or \(A\) and then reconstruct them from \(\psi _\forall \) and \(\psi _\exists \), similarly to what is done in Line 7 and Line 10. We evaluated several heuristics for scheduling these set resets, and we found that resetting periodically and close to the memory limit works best. The regular resetting of one set has a similar effect as restarts in SAT solvers, and we observed a considerable improvement in performance, especially in terms of memory consumption. Our implementation periodically resets the set \(A\), since experiments indicate that the resulting formula \(\psi _\forall \) is much harder to solve than \(\psi _\exists \) as seen in Fig. 5b. Besides the aforementioned imbalance between universal and existential variables, it is also likely due to the structure of \(\psi _\exists \) which is a conjunction of formulas in disjunctive normal form. Note that this reset of A does not affect the termination argument presented in Theorem 2, since the sets A and S still complete each other.
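The main loop just described (the two expansions \(\psi _\forall \) and \(\psi _\exists \), the extraction of new assignments from models as in Lemmas 5 to 7, the initialization of A with a universal block set to \(\bot \), and the termination cases) as an added Python example reconstructed from the descriptions on this page; it is not Ijtihad's code. A brute-force model enumerator stands in for the incremental SAT solver, an assumption made to keep the example self-contained that only works for toy instances. Function names (`solve_expansion`, `completes`, `non_recursive_expansion`) and the prefix/matrix encoding are hypothetical. The script decides the false QBF of Example 6 and, for contrast, a constructed true QBF, and checks Definition 2's completion relations on the final sets.

```python
"""Non-recursive expansion with two (here brute-force) solvers, reconstructed
from the description of the main loop on this page.  Not Ijtihad's code."""
from itertools import product

# Encoding (an assumption of the example): a prefix is a list of (quantifier,
# variable) with 'A' for forall and 'E' for exists; the matrix is a CNF given as
# a list of clauses, each a list of (variable, polarity) pairs; assignments are
# dicts from variable to bool.


def preceding(prefix, v, kind):
    """Variables of quantifier `kind` that occur before v in the prefix."""
    out = []
    for q, w in prefix:
        if w == v:
            return out
        if q == kind:
            out.append(w)
    raise KeyError(v)


def evaluate(matrix, assignment):
    """Truth value of the CNF matrix under a full assignment."""
    return all(any(assignment[v] == pol for v, pol in c) for c in matrix)


def solve_expansion(prefix, matrix, fixed, fixed_kind, want):
    """Stand-in for one incremental SAT call.  With fixed_kind 'A' and
    want=True it solves psi_forall = AND_{alpha in fixed} phi^alpha; with
    fixed_kind 'E' and want=False it solves psi_exists = AND_{sigma} not phi^sigma.
    Each copy renames a free variable by annotating it with the fixed
    assignment restricted to the fixed-kind variables preceding it, so copies
    share a variable exactly when the annotations coincide.  Returns the
    assignments (model|_{free^f})^{-f} extracted for every f in fixed, or None
    if unsatisfiable.  Brute force is only adequate for toy instances."""
    free_kind = 'A' if fixed_kind == 'E' else 'E'
    free = [v for q, v in prefix if q == free_kind]
    key = {(i, v): (v, tuple((u, f[u]) for u in preceding(prefix, v, fixed_kind)))
           for i, f in enumerate(fixed) for v in free}
    annotated = sorted(set(key.values()))
    for bits in product([False, True], repeat=len(annotated)):
        model = dict(zip(annotated, bits))
        copies = [{**f, **{v: model[key[(i, v)]] for v in free}} for i, f in enumerate(fixed)]
        if all(evaluate(matrix, c) == want for c in copies):
            return [{v: c[v] for v in free} for c in copies]
    return None


def completes(matrix, outer, inner, want):
    """Definition 2: 'S completes A' is completes(matrix, A, S, True) and
    'A completes S' is completes(matrix, S, A, False)."""
    return all(any(evaluate(matrix, {**f, **g}) == want for g in inner) for f in outer)


def non_recursive_expansion(prefix, matrix, alpha0, max_iter=1000):
    """Main loop: S grows from models of psi_forall, A from counter-examples
    of psi_exists, until one expansion is unsatisfiable.
    Returns (truth value of the QBF, final A, final S)."""
    A, S = [dict(alpha0)], []
    for _ in range(max_iter):
        sigmas = solve_expansion(prefix, matrix, A, 'A', True)    # psi_forall (Line 5)
        if sigmas is None:
            return False, A, S          # expansion already unsatisfiable: QBF false
        for s in sigmas:                                          # Line 7
            if s not in S:
                S.append(s)
        alphas = solve_expansion(prefix, matrix, S, 'E', False)   # psi_exists (Line 8)
        if alphas is None:
            return True, A, S           # no counter-example left: QBF true
        for a in alphas:                                          # Line 10
            if a not in A:
                A.append(a)
    raise RuntimeError('iteration bound reached')


# Example 6 (false):  exists x forall a exists y. (x|a|y)(-x|-y)(-x|-a|y)(-y)
EX6_PREFIX = [('E', 'x'), ('A', 'a'), ('E', 'y')]
EX6_MATRIX = [[('x', True), ('a', True), ('y', True)], [('x', False), ('y', False)],
              [('x', False), ('a', False), ('y', True)], [('y', False)]]
# A true QBF constructed for contrast:  forall a exists x. (a <-> x)
IFF_PREFIX = [('A', 'a'), ('E', 'x')]
IFF_MATRIX = [[('a', False), ('x', True)], [('a', True), ('x', False)]]

if __name__ == '__main__':
    # Initialization as described above: the universal block is set to bottom.
    for name, p, m in [('Example 6', EX6_PREFIX, EX6_MATRIX), ('a <-> x', IFF_PREFIX, IFF_MATRIX)]:
        value, A, S = non_recursive_expansion(p, m, {'a': False})
        print(name, value, '|A| =', len(A), '|S| =', len(S))
```

On Example 6 the loop stops in the second iteration because \(\phi ^{a=\bot } \wedge \phi ^{a=\top }\) forces x to be both \(\top \) and \(\bot \); the final A still completes S, as Lemma 5 predicts for the last satisfiable \(\psi _\exists \). The real solver keeps both SAT instances alive across iterations and only adds the clauses of the new instantiations, which the enumerator here does not model.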

Finally, we extended the presented approach with orthogonal reasoning techniques like QCDCL [23] to exploit the different strengths of \(\forall \)Exp+Res and Q-resolution, yielding a hybrid solver that smoothly integrates both solving paradigms. To this end, we implemented the prototypical solver Heretic, which pursues the following idea: the main loop of the algorithm shown in Fig. 1 (Lines 4-12) is extended in a sequential portfolio style such that a QCDCL solver is periodically called. After each call, all clauses that were learned through QCDCL are added to \(\varPi .\phi \), making them available in further iterations. These new clauses potentially exclude assignments that would otherwise be possible and that could result in more iterations of the main loop.

The solver Heretic extends Ijtihad by additional invocations of the QCDCL solver DepQBF [38]. About every 30 seconds, DepQBF is called and run for about 30 seconds. The learned clauses are obtained via the API of DepQBF. Leveraging learned cubes is subject to future work.

Evaluation

We evaluate non-recursive expansion as implemented in our solvers Ijtihad and its hybrid variant Heretic on the benchmarks from the PCNF track of the QBFEVAL’18 competition. All experiments were carried out on a cluster of Intel Xeon CPUs (E5-2650v4, 2.20 GHz) running Ubuntu 16.04.1 with a CPU time limit of 1800 seconds and a memory limit of 7 GB. We considered the following top-performing solvers from QBFEVAL’18: Qute [41], Rev-Qfun [27], RAReQS [28], CAQE [42, 47], DynQBF [14], GhostQ [28, 36], DepQBF [38], QESTO [32], and QSTS [11, 12]. Our experiments are based on original benchmarks without preprocessing and benchmarks preprocessed using QRATPre+ [40], HQSpre [50], and Bloqqer [8, 25] with a timeout of one hour.

The tables in the left column of Fig. 6 show the total numbers of solved instances (S), solved unsatisfiable (\(\bot \)) and satisfiable ones (\(\top \)), and the total CPU time including timeouts. The plots in the right column of Fig. 6 visualize the runtimes of the respective solvers. In the first row, the results without any preprocessing are shown. Our solver Heretic is ranked third, solving the most false formulas of all solvers. If the preprocessor QRATPre+ is applied, Heretic is ranked second. Only CAQE solves more formula instances. Also with the other two preprocessors, CAQE seems to be the solver that benefits most from the additional preprocessing step. In general, preprocessing has a considerable impact on the number of solved instances. With preprocessing enabled, Heretic solves up to 142 more formulas than without preprocessing. Ijtihad also strongly benefits from preprocessing: alone it solves 151 formulas, and with a preprocessor it solves up to 229 formulas.

Notably Heretic, despite its simple design, significantly outperforms Ijtihad on the QBFEVAL’18 benchmark set. Moreover, Heretic is ranked third and second on preprocessed instances and thus is on par with state-of-the-art solvers. On the considered benchmark set, the gap in solved instances between RAReQS and Heretic is considerably smaller than the one between RAReQS and Ijtihad.

Fig. 6: Results for the full QBFEval 2018 benchmark set with the application of different preprocessors

A direct comparison of our solver Heretic with RAReQS is shown in Fig. 7a. Unlike our solver, RAReQS is based on a recursive implementation of expansion. While the plot looks very balanced for the whole benchmark set, the picture changes for formulas with four or more quantifier blocks, i.e., three or more quantifier alternations (see Fig. 7b and below).

Fig. 7: Scatter plots of the run times of Heretic and RAReQS on original instances (related to Table 6a) and on instances having four or more quantifier blocks (related to Table 8a)

Fig. 8: Results for the full QBFEval 2018 benchmark set with the application of different preprocessors such that the formulas have at least four quantifier blocks

On such formulas with many quantifier blocks, the strength of Heretic becomes apparent, cf. [39]. As shown in Tables 8a, 8c and 8e, Heretic outperforms all other solvers on original instances and on instances with preprocessing by QRATPre+ and Bloqqer. The only exception are instances preprocessed by HQSpre (Table 8g).

Moreover, on entire benchmark sets without and with preprocessing (Tables 6a, 6c, 6e, and 6g), Heretic significantly outperforms both DepQBF and Ijtihad. These results indicate the potential of combining the orthogonal proof systems \(\forall \)Exp+Res as implemented in Ijtihad and Q-resolution as implemented in DepQBF in a hybrid solver like Heretic.

Table 1: Statistics related to Tables 6a, 6c, 6e, and 6g: pairwise comparison of RAReQS (R), Ijtihad (I), Heretic (H), and DepQBF (D) by instances without (N) and with preprocessing by Bloqqer (B), HQSpre (HQ), and QRATPre+ (Q) that were solved by only one solver of the considered pair (<, >) or by both (\(=\))

Although RAReQS outperforms both Ijtihad and Heretic on instances preprocessed by Bloqqer (Table 6e), RAReQS failed to solve certain instances that were solved by Ijtihad or Heretic. Table 1 shows the related statistics. E.g., on instances preprocessed by HQSpre (row “HQ”), 258 instances were solved by both RAReQS and Heretic (column “R vs. H”), 34 only by RAReQS, and 39 only by Heretic. Summing up these numbers yields a total of 331 solved instances (more than any individual solver in Table 6g) that could have been solved by a hypothetical solver combining RAReQS and Heretic. This observation underlines the strength of expansion in general and, in particular, of the hybrid approach implemented in Heretic. Heretic solved a significant number of instances not solved by RAReQS, and it clearly outperformed Ijtihad and DepQBF on all benchmarks (columns “I vs. H” and “D vs. H”).

Conclusion

We presented a novel non-recursive algorithm for expansion-based QBF solving that uses only two SAT solvers for incrementally refining the propositional abstraction and the negated propositional abstraction of a QBF. We gave a concise proof of termination and soundness and demonstrated with several experiments that our prototype compares well with the state of the art. In addition to non-recursive expansion, we also studied the impact of combining Q-resolution and \(\forall \)Exp+Res in a hybrid approach. To this end, we coupled a QCDCL solver and non-recursive expansion to make clauses derived by the QCDCL solver available to the expansion solver. Experimental results indicated that the hybrid approach significantly outperforms our implementation of non-recursive expansion, which points to the potential of combining expansion-based approaches with Q-resolution and gives rise to an exciting direction of future work. Further, our current implementation supports only formulas in conjunctive normal form, while in theory our approach does not make any assumptions on the structure of the propositional part of the QBF. We also plan to investigate how this formula structure can be exploited for efficiently processing the negation of the formula.