A Verified SAT Solver Framework with Learn, Forget, Restart, and Incrementality

2.1 Sledgehammer

The Sledgehammer subsystem [7, 48] integrates automatic theorem provers in Isabelle/HOL, including CVC4, E, LEO-II, Satallax, SPASS, Vampire, veriT, and Z3. Upon invocation, it heuristically selects relevant lemmas from the thousands available in loaded libraries, translates them along with the current proof obligation to SMT-LIB or TPTP, and invokes the automatic provers. In case of success, the machine-generated proof is translated to an Isar proof that can be inserted into the formal development, so that the external provers do not need to be trusted.

Sledgehammer is part of most Isabelle users’ workflow, and we invoke it dozens of times a day (according to the log files it produces). For example, while formalizing some results that depend on multisets, we found ourselves needing the basic property

Open image in new window

where A and B are finite multisets, \(\cup \) denotes union defined such that for each element x, the multiplicity of x in \(A \cup B\) is the maximum of the multiplicities of x in A and B, \(\cap \) denotes intersection, and Open image in new window denotes cardinality. This lemma was not available in Isabelle’s underdeveloped multiset library, so we invoked Sledgehammer. Within 30 s, the tool came back with a brief proof text invoking a suitable tactic with a list of ten lemmas from the library, which we could insert into our formalization:

Open image in new window

The generated proof refers to 10 library lemmas by name and applies the metis search tactic.

2.2 Isar

Without Sledgehammer, proving the above property could easily have taken 5–15 min. A manual proof, expressed in Isar’s declarative style, might look like this:

Open image in new window

The Open image in new window function returns the multiplicity of an element in a multiset. The \(\uplus \) operator denotes the disjoint union operation—for each element, it computes the sum of the multiplicities in the operands (as opposed to the maximum for \(\cup \)).

In Isar proofs, intermediate properties are introduced using Open image in new window and proved using a tactic such as simp and auto. Proof blocks ( Open image in new window \(\;\ldots \;\) Open image in new window ) can be nested. The advantage of Isar proofs over one-line metis proofs is that we can follow and understand the steps. However, for lemmas about multisets and other background theories, we are usually content if we can get a proof automatic and carry on with formalizing the more interesting foreground theory.

2.3 Locales

Isabelle locales are a convenient mechanism for structuring large proofs. A locale fixes types, constants, and assumptions within a specified scope. A schematic example follows:

Open image in new window

The definition of locale Open image in new window implicitly fixes a type Open image in new window , explicitly fixes a constant Open image in new window whose type Open image in new window may depend on Open image in new window , and states an assumption Open image in new window over Open image in new window and  Open image in new window . Definitions made within the locale may depend on Open image in new window and Open image in new window , and lemmas proved within the locale may additionally depend on Open image in new window . A single locale can introduce several types, constants, and assumptions. Seen from the outside, the lemmas proved in Open image in new window are polymorphic in type variable Open image in new window , universally quantified over Open image in new window , and conditional on Open image in new window .

Locales support inheritance, union, and embedding. To embed Open image in new window into Open image in new window , or make Open image in new window a sublocale of Open image in new window , we must recast an instance of Open image in new window into an instance of Open image in new window , by providing, in the context of Open image in new window , definitions of the types and constants of Open image in new window together with proofs of Open image in new window ’s assumptions. The command

Open image in new window

emits the proof obligation Open image in new window , where \(\upsilon \) and Open image in new window may depend on types and constants available in Open image in new window . After the proof, all the lemmas proved in Open image in new window become available in Open image in new window , with Open image in new window and  Open image in new window instantiated with \(\upsilon \) and  Open image in new window .

2.4 Refinement Framework

The Refinement Framework [30] provides definitions, lemmas, and tools that assist in the verification of functional and imperative programs via stepwise refinement [59]. The framework defines a programming language that is built on top of a nondeterminism monad. A program is a function that returns an object of type Open image in new window :

Open image in new window

The Isabelle syntax is similar to that of Standard ML and other typed functional programming languages: The type is freely generated by its two constructors, Open image in new window and Open image in new window . The set X in Open image in new window specifies the possible values that can be returned. The return statement is defined as a constant Open image in new window and specifies a single value, whereas Open image in new window indicates that an unspecified positive number is returned. The simplest program is a semantic specification of the possible outputs, encapsulated in a Open image in new window constructor. The following example is a nonexecutable specification of the function that subtracts 1 from every element of the list Open image in new window (with \(0 - 1\) defined as 0 on natural numbers):

Open image in new window

Program refinement uses the same source and target language. The refinement relation \(\le \) is defined by Open image in new window and Open image in new window for all r. For example, the concrete program Open image in new window refines (\(\le \)) the abstract program Open image in new window , meaning that all concrete behaviors are possible in the abstract version. The bottom element Open image in new window is an unrefinable program; the top element Open image in new window represents a run-time failure (e.g., a failed assertion) or divergence.

Refinement can be used to change the program’s data structures and algorithms, towards a more deterministic and usually more efficient program for which executable code can be generated. For example, we can refine the previous specification to a program that uses a ‘while’ loop:

Open image in new window

The program relies on the following constructs:

• The ‘do’ construct is a convenient Haskell-inspired syntax for expressing monadic computations (here, on the nondeterminism monad).

• The Open image in new window combinator takes a condition, a loop body, and a start value. In our example, the loop’s state is a pair of the form Open image in new window . The Open image in new window subscript in the combinator’s name indicates that the loop must not diverge. Totality is necessary for code generation.

• The Open image in new window statement takes an assertion that must always be true when the statement is executed.

• The Open image in new window operation returns the \((i + 1)\)st element of Open image in new window , and Open image in new window replaces the \((i + 1)\)st element by y.

To prove the refinement lemma Open image in new window , we can use the refine_vcg proof method provided by the Refinement Framework. This method heuristically aligns the statements of the two programs and generates proof obligations, which are passed to the user. If the abstract program has the form Open image in new window or Open image in new window , as is the case here, refine_vcg applies Hoare-logic-style rules to generate the verification conditions. For our example, two of the resulting proof obligations correspond to the termination of the ‘while’ loop and the correctness of the assertion. We can use the measure Open image in new window to prove termination.

In a refinement step, we can also change the types. For our small program, if we assume that the natural numbers in the list are all nonzero, we can replace them by integers and use the subtraction operation on integers (for which \(0 - 1 = -1 \not = 0\)). The program remains syntactically identical except for the type annotation:

Open image in new window

We want to establish the following relation: If all elements in Open image in new window are nonzero and the elements of Open image in new window are positionwise numerically equal to those of Open image in new window , then any list of integers returned by Open image in new window is positionwise numerically equal to some list returned by Open image in new window . The framework lets us express preconditions and connections between types using higher-order relations called relators:

Open image in new window

The relation Open image in new window relates natural numbers with their integer counterparts (e.g., Open image in new window ). The syntax of relators mimics that of types; for example, if R is the relation for Open image in new window , then Open image in new window is the relation for Open image in new window , and Open image in new window is the relation for Open image in new window . The ternary relator \([p]\,R \rightarrow S\), for functions Open image in new window , lifts the relations R and S for Open image in new window and Open image in new window under precondition p.

The Imperative HOL library [14] defines a heap monad that can express imperative programs with side effects. On top of Imperative HOL, a separation logic, with assertion type Open image in new window , can be used to express relations Open image in new window between plain values, of type Open image in new window , and data structures on the heap, of type Open image in new window . For example, Open image in new window relates lists of Open image in new window elements with mutable arrays of Open image in new window elements, where Open image in new window is used to relate the elements. The relation between the ! operator on lists and its heap-based counterpart Open image in new window can be expressed as follows:

Open image in new window

The arguments’ relations are annotated with \(^{\mathrm {k}}\) (“keep”) or \(^{\mathrm {d}}\) (“destroy”) superscripts that indicate whether the previous value can still be accessed after the operation has been performed. Reading an array leaves it unchanged, whereas updating it destroys the old array.

The Sepref tool automates the transition from the nondeterminism monad to the heap monad. It keeps track of the values that are destroyed and ensures that they are not used later in the program. Given a suitable source program, it can automatically generate the target program and prove the corresponding refinement lemma automatically. The main difficulty is that some low-level operations have side conditions, which we must explicitly discharge by adding assertions at the right points in the source program to guide Sepref.

The following command generates a heap program called Open image in new window from the source program Open image in new window :

Open image in new window

The generated array-based program is

Open image in new window

The end-to-end refinement theorem, obtained by composing the refinement lemmas, is

Open image in new window

3.1 Propositional Logic

The DPLL and CDCL calculi distinguish between literals whose truth value has been decided arbitrarily and those that are entailed by the current decisions; for the latter, it is sometimes useful to know which clause entails it. To capture this information, we introduce a type of annotated literals, parameterized by a type Open image in new window of propositional variables and a type Open image in new window of clauses:

Open image in new window

The simpler calculi do not use Open image in new window ; they take Open image in new window , a singleton type whose unique value is (). Informally, we write A, \(\lnot \,A\), and \(L^\dag \) for positive, negative, and decision literals, and we write \(L^C\) (with Open image in new window ) or simply L (if Open image in new window or if the clause C is irrelevant) for propagated literals. The unary minus operator is used to negate a literal, with \(- (\lnot \,A) = A\).

As is customary in the literature [1, 57], clauses are represented by multisets, ignoring the order of literals but not repetitions. A Open image in new window is a (finite) multiset over Open image in new window . Clauses are often stored in sets or multisets of clauses. To ease reading, we write clauses using logical symbols (e.g., \(\bot \), L, and \(C \vee D\) for \(\emptyset \), \(\{L\}\), and \(C \uplus D\)). Given a clause C, we write \(\lnot \,C\) for the formula that corresponds to the clause’s negation.

Given a set or multiset I of literals, \(I \vDash C\) is true if and only if C and I share a literal. This is lifted to sets and multisets of clauses or formulas: Open image in new window . A set or multiset is satisfiable if there exists a consistent set or multiset of literals I such that \(I \vDash N\). Finally, Open image in new window These notations are also extended to formulas.

3.2 DPLL with Backjumping

Nieuwenhuis et al. present CDCL as a set of transition rules on states. A state is a pair Open image in new window , where M is the trail and N is the multiset of clauses to satisfy. In a slight abuse of terminology, we will refer to the multiset of clauses as the “clause set.” The trail is a list of annotated literals that represents the partial model under construction. The empty list is written Open image in new window . Somewhat nonstandardly, but in accordance with Isabelle conventions for lists, the trail grows on the left: Adding a literal L to M results in the new trail \(L \cdot M\), where Open image in new window . The concatenation of two lists is written \(M \mathbin {@} M'\). To lighten the notation, we often build lists from elements and other lists by simple juxtaposition, writing \(M L M'\) for \(M \mathbin {@} L \cdot M'\).

The core of the CDCL calculus is defined as a transition relation Open image in new window , an extension of classical DPLL [17] with nonchronological backtracking, or backjumping. The Open image in new window part of the name refers to Nieuwenhuis, Oliveras, and Tinelli. The calculus consists of three rules, starting from an initial state Open image in new window . In the following, we abuse notation, implicitly converting \(\vDash \)’s first operand from a list to a set and ignoring annotations on literals:

• Open image in new window Open image in new window

  if N contains a clause \(C\vee L\) such that \(M \vDash \lnot \, C\) and L is undefined in M (i.e., neither \(M \vDash L\) nor \(M \vDash - L\))

• Open image in new window Open image in new window

  if the atom of L occurs in N and is undefined in M

• Open image in new window Open image in new window

  if N contains a conflicting clause C (i.e., \(M'L^\dag M\vDash \lnot \, C\)) and there exists a clause \(C'\vee L'\) such that \(N\vDash C'\vee L'\), \(M \vDash \lnot \, C'\), and \(L'\) is undefined in M but occurs in N or in \(M'L^\dag \)

The Open image in new window rule is more general than necessary for capturing DPLL, where it suffices to negate the leftmost decision literal. The general rule can also express nonchronological backjumping, if \(C'\vee L'\) is a new clause derived from N (but not necessarily in N).

We represented the calculus as an inductive predicate. For the sake of modularity, we formalized the rules individually as their own predicates and combined them to obtain Open image in new window :

Open image in new window

Since there is no call to Open image in new window in the assumptions, we could also have used a plain Open image in new window here, but the Open image in new window command provides convenient introduction and elimination rules. The predicate operates on states of type Open image in new window . To allow for refinements, this type is kept as a parameter of the calculus, using a locale that abstracts over it and that provides basic operations to manipulate states:

Open image in new window

where Open image in new window converts an abstract state of type Open image in new window to a pair (M, N). Inside the locale, states are compared extensionally: Open image in new window is true if the two states have identical trails and clause sets (i.e., if Open image in new window ). This comparison ignores any other fields that may be present in concrete instantiations of the abstract state type Open image in new window .

Each calculus rule is defined in its own locale, based on Open image in new window and parameterized by additional side conditions. Complex calculi are built by inheriting and instantiating locales providing the desired rules. For example, the following locale provides the predicate corresponding to the Open image in new window rule, phrased in terms of an abstract DPLL state:

Open image in new window

Following a common idiom, the Open image in new window calculus is distributed over two locales: The first locale, Open image in new window Open image in new window , defines the Open image in new window calculus; the second locale, Open image in new window , extends it with an assumption expressing a structural invariant over Open image in new window that is instantiated when proving concrete properties later. This cannot be achieved with a single locale, because definitions may not precede assumptions.

Termination is proved by exhibiting a well-founded relation \(\prec \) such that Open image in new window whenever Open image in new window . Let Open image in new window and Open image in new window with the decompositions

$$\begin{aligned} M&= \smash {M_n L_n^\dag \cdots M_1 L_1^\dag M_0}&M'&= \smash {M'_{n'} \smash {L'}_{\!\!n\smash {'}}^\dag \cdots M'_1 \smash {L'}_{\!\!\!1}^\dag M'_0} \end{aligned}$$

where the trail segments \(M_0,\ldots ,M_n,M'_0,\ldots ,M'_{n\smash {'}}\) contain no decision literals. Let V be the number of distinct variables occurring in the initial clause set N. Now, let \(\nu \,M = V - \left| M\right| \), indicating the number of unassigned variables in the trail M. Nieuwenhuis et al. define \(\prec \) such that Open image in new window if

1. (1)

   there exists an index \(i \le n, n'\) such that \([\nu \, M'_0,\, \cdots ,\, \nu \, M'_{i-1}] = [\nu \, M_0,\, \cdots ,\, \nu \, M_{i-1}]\) and \(\nu \,M'_i < \nu \,M_i\); or

    
2. (2)

   \([\nu \, M_0,\, \cdots ,\, \nu \, M_{n}]\) is a strict prefix of \([\nu \, M'_0,\, \cdots ,\, \nu \, M'_{n'}]\).

    

This order is not to be confused with the lexicographic order: We have Open image in new window by condition (2), whereas Open image in new window . Yet the authors justify well-foundedness by appealing to the well-foundedness of Open image in new window on bounded lists over finite alphabets. In our proof, we clarify and simplify matters by mapping states Open image in new window to lists \(\bigl [\left| M_0\right| , \cdots ,\left| M_n\right| \bigr ]\), without appealing to \(\nu \). Using the standard lexicographic order, states become larger with each transition:

Open image in new window

The lists corresponding to possible states are bounded by the list \([V, \dots , V]\) consisting of V occurrences of V,  thereby delimiting a finite domain \(D = \{[k_1,\ldots ,k_n] \mid k_1,\cdots ,k_n,n \le V\}\). We take \(\prec \) to be the restriction of Open image in new window to D. A variant of this approach is to encode lists into a measure Open image in new window and let Open image in new window , building on the well-foundedness of > over bounded sets of natural numbers.

A final state is a state from which no transitions are possible. Given a relation Open image in new window , we write Open image in new window for the right-restriction of its reflexive transitive closure to final states (i.e., Open image in new window if and only if Open image in new window ).

We first prove structural invariants on arbitrary states Open image in new window reachable from Open image in new window , namely: (1) each variable occurs at most once in \(M'\); (2) if \(M' = M_2 L M_1\) where L is propagated, then \(M_1, N \vDash L\). From these invariants, together with the constraint that Open image in new window is a final state, it is easy to prove the theorem.

3.3 Classical DPLL

The locale machinery allows us to derive a classical DPLL calculus from DPLL with backjumping. We call this calculus Open image in new window . It is achieved through a Open image in new window locale that restricts the Backjump rule so that it performs only chronological backtracking:

• Open image in new window Open image in new window

  if N contains a conflicting clause and \(M'\) contains no decision literals

Because of the locale parameters, Open image in new window is strictly speaking a family of calculi.

The Open image in new window rule depends on two clauses: a conflict clause C and a clause \(C'\vee L'\) that justifies the propagation of \(L'\!.\) The conflict clause is specified by Open image in new window . As for \(C'\vee L'\), given a trail \(M'L^\dag M\) decomposable as \(M_nL^\dag M_{n-1}L_{n\smash {-1}}^\dag \cdots M_1 L_1^ \dag M_0\) where \(M_0,\cdots ,M_n\) contain no decision literals, we can take \(C' = -L_1\vee \cdots \vee -L_{n-1}\).

Consequently, the inclusion Open image in new window holds. In Isabelle, this is expressed as a locale instantiation: Open image in new window is made a sublocale of Open image in new window , with a side condition restricting the application of the Open image in new window rule. The partial correctness and termination theorems are inherited from the base locale. Open image in new window instantiates the abstract state type Open image in new window with a concrete type of pairs. By discharging the locale assumptions emerging with the Open image in new window command, we also verify that these assumptions are consistent. Roughly:

Open image in new window

If a conflict cannot be resolved by backtracking, we would like to have the option of stopping even if some variables are undefined. A state Open image in new window is conclusive if \(M \vDash N\) or if N contains a conflicting clause and M contains no decision literals. For Open image in new window , all final states are conclusive, but not all conclusive states are final.

The theorem does not require stopping at the first conclusive state. In an implementation, testing \(M\vDash N\) can be expensive, so a solver might fail to notice that a state is conclusive and continue for some time. In the worst case, it will stop in a final state—which is guaranteed to exist by Theorem 1. In practice, instead of testing whether \(M\vDash N\), implementations typically apply the rules until every literal is set. When N is satisfiable, this produces a total model.

3.4 The CDCL Calculus

The abstract CDCL calculus extends Open image in new window with a pair of rules for learning new lemmas and forgetting old ones:

• Open image in new window Open image in new window    if \(N\vDash C\) and each atom of C is in N or M

• Open image in new window Open image in new window    if \(N\vDash C\)   

In practice, the Open image in new window rule is normally applied to clauses built exclusively from atoms in M, because the learned clause is false in M. This property eventually guarantees that the learned clause is not redundant (e.g., it is not already contained in N).

We call this calculus Open image in new window . In general, Open image in new window does not terminate, because it is possible to learn and forget the same clause infinitely often. But for some instantiations of the parameters with suitable restrictions on Open image in new window and Open image in new window , the calculus always terminates.

In many SAT solvers, the only clauses that are ever learned are the ones used for backtracking. If we restrict the learning so that it is always done immediately before backjumping, we can be sure that some progress will be made between a Open image in new window and the next Open image in new window or Open image in new window . This idea is captured by the following combined rule:

• Open image in new window Open image in new window

  if Open image in new window , L, Open image in new window , M, Open image in new window , N satisfy Open image in new window ’s side conditions

The calculus variant that performs this rule instead of Open image in new window and Open image in new window is called Open image in new window . Because a single Open image in new window transition corresponds to two transitions in Open image in new window , the inclusion Open image in new window does not hold. Instead, we have Open image in new window . Each step of Open image in new window corresponds to a single step in Open image in new window or a two-step sequence consisting of Open image in new window followed by Open image in new window .

3.5 Restarts

Modern SAT solvers rely on a dynamic decision literal heuristic. They periodically restart the proof search to apply the effects of a changed heuristic. This helps the calculus focus on a part of the initial clauses where it can make progress. Upon a restart, some learned clauses may be removed, and the trail is reset to  Open image in new window . Since our calculus has a Open image in new window rule, the Open image in new window rule needs only to clear the trail. Adding Open image in new window to Open image in new window yields Open image in new window . However, this calculus does not terminate, because Open image in new window can be applied infinitely often.

Open image in new window

A working strategy is to gradually increase the number of transitions between successive restarts. This is formalized via a locale parameterized by a base calculus Open image in new window and an unbounded function  Open image in new window . Nieuwenhuis et al. require f to be strictly increasing, but unboundedness is sufficient.

The extended calculus Open image in new window operates on states of the form Open image in new window , where Open image in new window is a state in the base calculus and n counts the number of restarts. To simplify the presentation, we assume that bases states Open image in new window are pairs (M, N). The calculus Open image in new window starts in the state Open image in new window and consists of two rules:

• Open image in new window Open image in new window    if Open image in new window and \(m \ge f\>n\)

• Open image in new window Open image in new window    if Open image in new window

The symbol Open image in new window represents the base calculus Open image in new window transition relation, and Open image in new window denotes an m-step transition in Open image in new window . The Open image in new window in Open image in new window reminds us that we count the number of transitions; in Sect. 4.5, we will review an alternative strategy based on the number of conflicts or learned clauses. Termination relies on a measure \(\mu _V\) associated with Open image in new window that may not increase from restart to restart: If Open image in new window , then Open image in new window . The measure may depend on V,  the number of variables occurring in the problem.

We instantiated the locale parameter Open image in new window with Open image in new window and f with the Luby sequence (\(1, 1, 2, 1, 1, 2, 4, \cdots \)) [35], with the restriction that no clause containing duplicate literals is ever learned, thereby bounding the number of learnable clauses and hence the number of transitions taken by  Open image in new window .

Figure 1a summarizes the syntactic dependencies between the calculi reviewed in this section. An arrow Open image in new window indicates that Open image in new window is defined in terms of Open image in new window . Figure 1b presents the refinements between the calculi. An arrow Open image in new window indicates that we proved Open image in new window or some stronger result—either by locale embedding ( Open image in new window ) or by simulating Open image in new window ’s behavior in terms of Open image in new window .

4.1 The New DPLL Calculus

Independently from the previous section, we formalized DPLL as described in Open image in new window . The calculus operates on states (M, N), where M is the trail and N is the initial clause set. It consists of three rules:

• Open image in new window Open image in new window    if \(C\vee L \in N \uplus U\), \(M \vDash \lnot \, C\), and L is undefined in M

• Open image in new window Open image in new window    if L is undefined in M and occurs in N

• Open image in new window Open image in new window

  if N contains a conflicting clause and \(M'\) contains no decision literals

Open image in new window performs chronological backtracking: It undoes the last decision and picks the opposite choice. Conclusive states for Open image in new window are defined as for Open image in new window (Sect. 3.3).

The termination and partial correctness proofs given by Weidenbach depart from Nieuwenhuis et al. We also formalized them:

Termination is proved by exhibiting a well-founded relation that includes Open image in new window . Let V be the number of distinct variables occurring in the clause set N. The weight \(\nu \,L\) of a literal L is 2 if L is a decision literal and 1 otherwise. The measure is

Open image in new window

Lists are compared using the lexicographic order, which is well founded because there are finitely many literals and all lists have the same length. It is easy to check that the measure decreases with each transition:

Open image in new window

The proof is analogous to the proof of Theorem 2. Some lemmas are shared between both proofs. Moreover, we can link Weidenbach’s DPLL calculus with the version we derived from Open image in new window in Sect. 3.3:

This provides another way to establish Theorems 6 and 7. Conversely, the simple measure that appears in the above termination proof can also be used to establish the termination of the more general Open image in new window calculus (Theorem 1).

4.2 The New CDCL Calculus

The Open image in new window calculus operates on states Open image in new window , where M is the trail; N and U are the sets of initial and learned clauses, respectively; and D is a conflict clause, or the distinguished clause \(\top \) if no conflict has been detected.

In the trail M,  each decision literal L is marked as such (\(L^\dag \)—i.e., Open image in new window ), and each propagated literal L is annotated with the clause C that caused its propagation (\(L^C\)—i.e., Open image in new window ). The level of a literal L in M is the number of decision literals to the right of the atom of L in M, or 0 if the atom is undefined. The level of a clause is the highest level of any of its literals, with 0 for \(\bot \), and the level of a state is the maximum level (i.e., the number of decision literals). The calculus assumes that N contains no clauses with duplicate literals and never produces clauses containing duplicates.

The calculus starts in a state Open image in new window . The following rules apply as long as no conflict has been detected:

• Open image in new window Open image in new window

  if \(C\vee L \in N \uplus U\), \(M \vDash \lnot \, C\), and L is undefined in M

• Open image in new window Open image in new window    if L is undefined in M and occurs in N

• Open image in new window Open image in new window    if \(D \in N \uplus U\) and \(M \vDash \lnot \, D\)

• Open image in new window Open image in new window    if \(M \not \vDash N\)

• Open image in new window Open image in new window    if \(M \not \vDash N\) and M contains no literal \(L^C\)

The Open image in new window and Open image in new window rules generalize their Open image in new window counterparts. Once a conflict clause has been detected and stored in the state, the following rules cooperate to reduce it and backtrack, exploring a first unique implication point [6, Chapter 3]:

• Open image in new window Open image in new window    if \(D \notin \{\bot ,\top \}\) and \(-L\) does not occur in D

• Open image in new window Open image in new window

  if D has the same level as the current state

• Open image in new window Open image in new window

  if L has the level of the current state, D has a lower level, and K and D have the same level

Exhaustive application of these three rule corresponds to a single step by the combined learning and nonchronological backjumping rule Open image in new window from Open image in new window . The Open image in new window rule is even more general and can be used to express learned clause minimization [54].

In Open image in new window , \(C \cup D\) is the same as \(C \vee D\) (i.e., \(C \uplus D\)), except that it keeps only one copy of the literals that belong to both C and D. When performing propagations and processing conflict clauses, the calculus relies on the invariant that clauses never contain duplicate literals. Several other structural invariants hold on all states reachable from an initial state, including the following: The clause annotating a propagated literal of the trail is a member of \(N \uplus U.\) Some of the invariants were not mentioned in the textbook (e.g., whenever \(L^C\) occurs in the trail, L is a literal of C). Formalization helped develop a better understanding of the data structure and clarify the book.

Like Open image in new window , Open image in new window has a notion of conclusive state. A state Open image in new window is conclusive if \(D = \top \) and \(M\vDash N\) or if \(D = \bot \) and N is unsatisfiable. The calculus always terminates, but without a suitable strategy, it can block in an inconclusive state. At the end of the following derivation, neither Open image in new window nor Open image in new window can process the conflict further:

Open image in new window

4.3 A Reasonable Strategy

To prove correctness, we assume a reasonable strategy: Open image in new window and Open image in new window are preferred over Open image in new window ; Open image in new window and Open image in new window are not applied. (We will lift the restriction on Open image in new window and Open image in new window in Sect. 4.5.) The resulting calculus, Open image in new window , refines Open image in new window with the assumption that derivations are produced by a reasonable strategy. This assumption is enough to ensure that the calculus can backjump after detecting a nontrivial conflict clause other than \(\bot \). The crucial invariant is the existence of a literal with the highest level in any conflict, so that Open image in new window can be applied. The textbook suggests preferring Open image in new window to Open image in new window and Open image in new window to the other rules. While this makes sense in an implementation, it is not needed for any of our metatheoretical results.

Once a conflict clause has been stored in the state, the clause is first reduced by a chain of Open image in new window and Open image in new window transitions. Then, there are two scenarios: (1) the conflict is solved by a Open image in new window , at which point the calculus may resume propagating and deciding literals; (2) the reduced conflict is \(\bot \), meaning that N is unsatisfiable—i.e., for unsatisfiable clause sets, the calculus generates a resolution refutation.

The Open image in new window calculus is designed to have respectable complexity bounds. One of the reasons for this is that the same clause cannot be learned twice:

The formalization of this theorem posed some challenges. The informal proof in Open image in new window is as follows (with slightly adapted notations):

Proof  By contradiction. Assume CDCL learns the same clause twice, i.e., it reaches a state Open image in new window where Open image in new window is applicable and Open image in new window More precisely, the state has the form Open image in new window where the \(K_i\), \(i>1\) are propagated literals that do not occur complemented in D, as otherwise D cannot be of level i. Furthermore, one of the \(K_i\) is the complement of L. But now, because Open image in new window is false in Open image in new window and Open image in new window instead of deciding Open image in new window the literal L should be propagated by a reasonable strategy. A contradiction. Note that none of the \(K_i\) can be annotated with Open image in new window . \(\square \)

Many details are missing. To find the contradiction, we must show that there exists a state in the derivation with the trail \(M_2K^\dag M_1\), and such that \(D\vee L \in N \uplus U.\) The textbook does not explain why such a state is guaranteed to exist. Moreover, inductive reasoning is hidden under the ellipsis notation (\(K_n\cdots K_2\)). Such a high-level proof might be suitable for humans, but the details are needed in Isabelle, and Sledgehammer alone cannot fill in such large gaps, especially if induction is needed. The first version of the formal proof was over 700 lines long and is among the most difficult proofs we carried out.

We later refactored the proof. Following the book, each transition in Open image in new window was normalized by applying Open image in new window and Open image in new window exhaustively. For example, we defined Open image in new window so that Open image in new window if Open image in new window and Open image in new window cannot be applied to Open image in new window and Open image in new window for some state T. However, normalization is not necessary. It is simpler to define Open image in new window as Open image in new window , with the same condition on Open image in new window as before. This change shortened the proof by about 200 lines. In a subsequent refactoring, we further departed from the book: We proved the invariant that all propagations have been performed before deciding a new literal. The core argument (“the literal L should be propagated by a reasonable strategy”) remains the same, but we do not have to reason about past transitions to argue about the existence of an earlier state. The invariant also makes it possible to generalize the statement of Theorem 10: We can start from any state that satisfies the invariant, not only from an initial state. The final version of the proof is 250 lines long.

Using Theorem 10 and assuming that only backjumping has a cost, we get a complexity of \(\mathrm {O}(3^V)\), where V is the number of different propositional variables. If Open image in new window is always preferred over Open image in new window , the learned clause is never redundant in the sense of ordered resolution [57], yielding a complexity bound of \(\mathrm {O}(2^V)\). We have not formalized this yet.

In Open image in new window , and in our formalization, Theorem 10 is also used to establish the termination of Open image in new window . However, the argument for the termination of Open image in new window also applies to Open image in new window irrespective of the strategy, a stronger result. To lift this result, we must show that Open image in new window refines Open image in new window .

4.4 Connection with Abstract CDCL

It is interesting to show that Open image in new window refines Open image in new window , to establish beyond doubt that Open image in new window is a CDCL calculus and to lift the termination proof and any other general results about Open image in new window . The states are easy to connect: We interpret a Open image in new window tuple Open image in new window as a Open image in new window pair Open image in new window , ignoring C.

The main difficulty is to relate the low-level conflict-related Open image in new window rules to their high-level counterparts. Our solution is to introduce an intermediate calculus, called Open image in new window , that combines consecutive low-level transitions into a single transition. This calculus refines both Open image in new window and Open image in new window and is sufficiently similar to Open image in new window so that we can transfer termination and other properties from Open image in new window to Open image in new window through it.

Whenever the Open image in new window calculus performs a low-level sequence of transitions of the form Open image in new window , the Open image in new window calculus performs a single transition of a new rule that subsumes all four low-level rules:

• Open image in new window Open image in new window

  if Open image in new window

When simulating Open image in new window in terms of Open image in new window , two interesting scenarios arise. First, Open image in new window ’s behavior may comprise a backjump: The rule can be simulated using Open image in new window ’s Open image in new window rule. The second scenario arises when the conflict clause is reduced to \(\bot \), leading to a conclusive final state. Then, Open image in new window has no counterpart in Open image in new window . The two calculi are related as follows: If Open image in new window , either Open image in new window or Open image in new window is a conclusive state. Since Open image in new window is well founded, so is Open image in new window . This implies that Open image in new window without Open image in new window terminates.

Since Open image in new window is mostly a rephrasing of Open image in new window , it makes sense to restrict it to a reasonable strategy that prefers Open image in new window and Open image in new window over Open image in new window , yielding Open image in new window . The two strategy-restricted calculi have the same end-to-end behavior:

Open image in new window

4.5 A Strategy with Restart and Forget

We could use the same strategy for restarts as in Sect. 3.5, but we prefer to exploit Theorem 10, which asserts that no relearning is possible. Since only finitely many different duplicate-free clauses can ever be learned, it is sufficient to increase the number of learned clauses between two restarts to ensure termination. This criterion is the norm in modern SAT solvers. The lower bound on the number of learned clauses is given by an unbounded function Open image in new window . In addition, we allow an arbitrary subset of the learned clauses to be forgotten upon a restart but otherwise forbid Open image in new window . The calculus Open image in new window that realizes these ideas is defined by the two rules

• Open image in new window Open image in new window

  if Open image in new window and Open image in new window

• Open image in new window Open image in new window    if Open image in new window

We formally proved that Open image in new window is totally correct. Figure 2 summarizes the situation, following the conventions of Fig. 1.

Open image in new window

4.6 Incremental Solving

SMT solvers combine a SAT solver with theory solvers (e.g., for uninterpreted functions and linear arithmetic). The main loop runs the SAT solver on a clause set. If the SAT solver answers “unsatisfiable,” the SMT solver is done; otherwise, the main loop asks the theory solvers to provide further, theory-motivated clauses to exclude the current candidate model and force the SAT solver to search for another one. This design crucially relies on incremental SAT solving: The possibility of adding new clauses to the clause set C of a conclusive satisfiable state and of continuing from there.

As a step towards formalizing SMT, we designed a calculus Open image in new window that provides incremental solving on top of Open image in new window :

• Open image in new window \(_{\,C}\) Open image in new window

  if \(M \not \vDash \lnot \, C\) and Open image in new window

• Open image in new window \(_{\,C}\) Open image in new window

  if \(L M \vDash \lnot \, C\), \(-L \in C\), \(M'\) contains no literal of C, and

  Open image in new window

We first run the Open image in new window calculus on a clause set N, as usual. If N is satisfiable, we can add a nonempty, duplicate-free clause C to the set of clauses and apply one of the two above rules. These rules adjust the state and relaunch Open image in new window .

The key is to prove that the structural invariants that hold for Open image in new window still hold after adding the new clause to the state. Then the proof is easy because we can reuse the invariants we have already proved about Open image in new window .

6.1 The Two-Watched-Literal Scheme

For each literal L, the clauses that contain a watched L are chained together in a list (typically a linked list). When a literal L becomes true, the solver needs only to iterate through the list associated with \(-L\) to find candidates for propagation or conflict. For each candidate clause, there are four possibilities:

1. 1.

   If some of the unwatched literals are not false, we restore the invariant by updating the clause: We start watching one of the non-false unwatched literals instead of \(-L\).

    
2. 2.
   Otherwise, we consider the clause’s other watched literal:

   1. 2.1.

      If it is not set, we can propagate it.

       
   2. 2.2.

      If it is false, we have found a conflict.

       
   3. 2.3.

      If it is true, there is nothing to do.

       
    

Open image in new window

In Open image in new window , a weaker invariant is used, inspired by MiniSat [18]:

• (\(\beta \)) A watched literal may be false only if the other watched literal is true or all the unwatched literals are false.

This invariant is easier to establish than (\(\alpha \)): If the other watched literal is true, there is nothing to do, regardless of the truth value of the unwatched literals. The four-step procedure above can easily be adapted, by pulling step 2.3 to the front.

6.2 The CDCL Calculus with Watched Literals

CDCL with the 2WL data structure is defined as an abstract calculus Open image in new window that refines Open image in new window . Nonunit clauses are represented as Open image in new window , where Open image in new window is the multiset of watched literals (of cardinality 2) and Open image in new window the multiset of unwatched literals. Unit clauses are represented as singleton multisets. The state must also keep track of pending updates. States have the form Open image in new window , where

• M is the trail;

• N is the initial nonunit clause set in 2WL format;

• U is the learned nonunit clause set in 2WL format;

• D is a conflict clause or \(\top \);

• Open image in new window is the initial unit clause set;

• Open image in new window is the learned unit clause set;

• Open image in new window is a multiset of literal–clause pairs (L, C) indicating that clause C must be updated with respect to literal L;

• Q is a set of literals for which further updates are pending.

Open image in new window and Open image in new window do not influence the calculus; they are ghost components that are useful for connecting a 2WL state to the format expected by Open image in new window :

Open image in new window

The Open image in new window function converts a 2WL clause set to a standard clause set.

The first two rules of Open image in new window have direct counterparts in Open image in new window :

• Open image in new window Open image in new window

  Open image in new window

  if Open image in new window , \(L'\) is not set in M, and Open image in new window

• Open image in new window Open image in new window

  if Open image in new window , \(-L' \in M\), and Open image in new window

For both rules, the side condition Open image in new window is necessary because invariant (\(\beta \)) is not required to hold for C while a (L, C) update is pending.

The next rules manipulate the state’s 2WL-specific components, without affecting the state’s semantics as seen through Open image in new window :

• Open image in new window Open image in new window

  if Open image in new window , and \(N'\) and \(U'\) are obtained from N and U by replacing Open image in new window with Open image in new window

• Open image in new window Open image in new window

  if Open image in new window and \(L' \in M\)

• Open image in new window Open image in new window

  Open image in new window

As in Open image in new window , propagations and conflicts are preferred over decisions. This is achieved by checking that Open image in new window and \( Q \) are empty when making a decision:

• Open image in new window Open image in new window

      if L is not defined in M and appears in N

The restriction on Open image in new window is enough to ensure that the reasonable strategy is applied in Open image in new window . Open image in new window and Open image in new window are as before, except that they also preserve the 2WL-specific components of the state. The Open image in new window rule is replaced by two rules, because of the distinction between unit and nonunit clauses:

• Open image in new window Open image in new window

  Open image in new window

  if \(D \ne \bot \) and L satisfies the conditions on Open image in new window

• Open image in new window Open image in new window

  Open image in new window    if L satisfies the conditions on Open image in new window

Open image in new window refines Open image in new window in the following sense:

Open image in new window refines Open image in new window ’s end-to-end behavior and produces final states that are also final states for Open image in new window . We can apply Theorem 9 to establish partial correctness.

6.3 Derivation of an Executable List-Based Program

The next step is to refine the calculus with watched literals to an executable program. The state is a tuple Open image in new window , where Open image in new window is a list (instead of a set) of clauses containing first n initial nonunit clauses followed by the learned nonunit clauses, where clauses are represented as lists of literals starting with the watched ones; M uses indices in Open image in new window to represent clause annotations; and Open image in new window uses indices in Open image in new window to represent clauses. The D, Open image in new window , Open image in new window , and Q components are as before.

The program’s main loop invokes functions that implement specific rules or set of rules. The function for Open image in new window , Open image in new window , Open image in new window , and Open image in new window is presented below:

Open image in new window

The values Open image in new window , Open image in new window , and Open image in new window correspond to positive, negative, and undefined polarity, respectively. As we refine the program, we must provide additional invariants for the data structure—for example, indices in Open image in new window are valid and Open image in new window is a valid index. The assertion corresponding to the latter, Open image in new window , is not shown above, but it is needed for code generation.

The main loop is called Open image in new window . Although it imposes an order on rule applications, it is not fully deterministic—for example, it does not specify which literal to choose in Open image in new window . The following theorem connects it to the Open image in new window calculus:

Theorem 14

(Refinement [20, Open image in new window ]) If Open image in new window is a well-formed state and invariant (\(\gamma \)) holds for all clauses occurring in its Open image in new window component, then

Open image in new window

where Open image in new window translates program states to Open image in new window states.

The state returned by the program is final for Open image in new window , which means by Theorem 13 that it is also final for Open image in new window . We conclude that the program is a partially correct implementation of Open image in new window . In addition, since the specification always specifies a non- Open image in new window result, the program always terminates normally.

In a further refinement step not presented here, we extend the state with watch lists that map from a literal to the clauses that are watched, instead of recalculating them each time. The watch lists are modeled by a function Open image in new window such that Open image in new window and update it in when required.

6.4 Generation of Imperative Code

To be complete in a practical sense, an executable SAT solver must first initialize the 2WL data structure, run the Open image in new window calculus, and return “satisfiable” (with a model) or “unsatisfiable,” depending on whether a conflict has been found. The initialization step is necessary not only to run the program on actual problems but also to ensure that it is possible to create a 2WL state that satisfies invariant (\(\gamma \)) for any input.

Before we can generate imperative code, we must first eliminate the remaining nondeterminism, notably the choice of literal in Open image in new window . We implement the variable-move-to-front heuristic [5]. During initialization, we create a list containing all the literals. This list is used to initialize the doubly linked list needed by the heuristic. We also extract the maximal atom in the list to allocate the list of the polarity-checking optimization (Sect. 6.5) with the correct length.

Second, we must specify the data structures to use the generated code. Lists of clauses are refined to resizable arrays of nonresizable arrays. The dynamic aspect is required for adding learned clauses. Within a clause, only the order of literals needs to change. We had to formalize the data structure ourselves; for technical reasons, the resizable arrays from the Imperative Collection Framework [29, 31] cannot contain arrays. We were able to reuse some of the theorems proved on the separation logic level.

We used Sepref to refine the code of the SAT solver, including initialization. We restrict the type of the atoms Open image in new window to natural numbers Open image in new window . In our first version, we also used (unbounded) natural number to literals in the generated code: The literals Open image in new window and Open image in new window are encoded by the numbers \(2\cdot i\) and \(2\cdot i +1\), respectively. However, the extraction of an atom from the literals (the integer division by 2) was inefficient in Standard ML. Therefore, we changed our representation to 32-bits unsigned integers (so only \(2^{31}\) atoms are allowed). The extraction of atoms now becomes bit-shifting.

The end-to-end refinement theorem, relating a semantic satisfiability check on the input problem ( Open image in new window that returns Open image in new window if unsatisfiable) to the Imperative HOL heap code ( Open image in new window ), is stated below, where the Open image in new window relation refines a multiset of multisets of literals to a list of lists of 32-bit unsigned integers, and the Open image in new window relation refines the model that is returned as a list of literals.

Theorem 15

(End-to-End Correctness [20, Open image in new window ])

The following refinement relation holds:

Open image in new window

6.5 Fast Polarity Checking

The imperative code described in the previous subsection suffers from a crippling inefficiency: The solver often needs to compute the polarity of a literal, and currently this is achieved by traversing the trail M, which may be very large. In practice, solvers employ a map from atoms to their current polarity.

Using stepwise refinement, we integrate this optimization into the imperative data structure used for the trail. This refinement step is isolated from the rest of the development, which only relies on its final result: a more efficient implementation of the trail and its operations. As Lammich observed elsewhere [32], this kind of modularity is invaluable when designing complex data structures.

Since the atoms are natural numbers, we enrich the trail data structure with a list of polarities (of type Open image in new window ), such that the \((i + 1)\)st element gives the polarity of atom i. The new Open image in new window function is defined as follows:

Open image in new window

Given \(N_1\) the set of all valid literals (i.e., the positive and negative version of all atoms that appear in the problem), the refinement relation between the trail with the list of polarities and the simple trail is defined as follows:

Open image in new window

This invariant ensures that the list Open image in new window is long enough and contains the polarities. We can link the new polarity function to the simpler one. If Open image in new window , then

Open image in new window

In a subsequent refinement step, we use Sepref to implement the list of polarities by an array, and atoms are mapped to 32-bits unsigned integers ( Open image in new window ), as in Sect. 6.4. Accordingly, we define two auxiliary relations:

• The relation Open image in new window refines a literal with natural number atoms by a literal encoded as a 32-bit unsigned integer.

• The relation Open image in new window refines the trail data structure to use an array of polarities (instead of a list) and annotated literals of type Open image in new window , using the 32-bit representation of literals. The clause indices of type Open image in new window remain unbounded unsigned integers.

Sepref generates the imperative program Open image in new window and derives the following refinement theorem:

Open image in new window

The precondition, in square brackets, ensures that we can only take the polarity of a literal that is within bounds. The term after the arrow is the refinement for the result, which is trivial here because the data structure for polarities remains Open image in new window .

Composing the refinement steps (1) and (2) yields the theorem

Open image in new window

where Open image in new window combines the two refinement relations for trails Open image in new window and Open image in new window . The precondition Open image in new window is a consequence of \(L \in N_1\) and the invariant Open image in new window . If we invoke Sepref now and discharge Open image in new window ’s preconditions, all occurrences of the unoptimized Open image in new window function are be replaced by Open image in new window . After adapting the initialization to allocate the array for Open image in new window of the correct size, we can prove end-to-end correctness as before with respect to the optimized code (cf. Theorem 15).