Counting Minimal Unsatisﬁable Subsets

. Given an unsatisﬁable Boolean formula F in CNF, an unsat-isﬁable subset of clauses U of F is called Minimal Unsatisﬁable Subset (MUS) if every proper subset of U is satisﬁable. Since MUSes serve as explanations for the unsatisﬁability of F , MUSes ﬁnd applications in a wide variety of domains. The availability of eﬃcient SAT solvers has aided the development of scalable techniques for ﬁnding and enumerating MUSes in the past two decades. Building on the recent developments in the design of scalable model counting techniques for SAT, Bend´ık and Meel initiated the study of MUS counting techniques. They succeeded in designing the ﬁrst approximate MUS counter, AMUSIC , that does not rely on exhaustive MUS enumeration. AMUSIC , however, suﬀers from two shortcomings: the lack of exact estimates and limited scalability due to its reliance on 3-QBF solvers. In this work, we address the two shortcomings of AMUSIC by designing the ﬁrst exact MUS counter, CountMUST , that does not rely on exhaustive enumeration. CountMUST circumvents the need for 3-QBF solvers by reducing the problem of MUS counting to projected model counting. While projected model counting is #NP-hard, the past few years have witnessed the development of scalable projected model counters. An extensive empirical evaluation demonstrates that CountMUST successfully returns MUS count for 1500 instances while AMUSIC and enumeration-based techniques could only handle up to 833 instances.


Introduction
Boolean formulas serve as a primary representation language to model the behaviour of systems and properties. Given an unsatisfiable Boolean formula F in Conjunctive Normal Form (CNF), i.e. a set of clauses F = {f 1 , f 2 , . . . , f n }, a subset U ⊆ F is called Minimal Unsatisfiable Subset (MUS) of F iff U is unsatisfiable and for every f ∈ U , U \ {f } is satisfiable.
These include, e.g., computing the union of all MUSes [45], deciding whether a given clause belongs to an MUS [31], or counting the number of MUSes. Especially, the counting of MUSes found many applications in the domain of diagnosis where the MUS count can be used to compute various inconsistency metrics [25,48,65,49,50,29] for general propositional knowledge bases.
A straightforward, and for many years the only available, approach for counting MUSes is to simply enumerate them. However, there can be up to exponentially many MUSes w.r.t. |F | and hence the complete enumeration is often practically intractable [39,69,9,10]. Inspired by the development of model counting techniques in the context of SAT, which in its nascent stages also depended on complete model enumeration while contemporary techniques often need to explicitly identify just a fraction of models, Bendík and Meel [13] recently initiated an investigation of counting MUSes without their explicit enumeration. In this context, they succeeded by developing a hashing-based approximate counter, AMUSIC [13], that provides the so-called PAC guarantees, also known as (ε, δ)guarantees, wherein the computed answer is within the (1 + ε)-factor of the exact count with confidence at least 1 − δ. AMUSIC reduces the problem of MUS counting to logarithmically many calls to a Σ P 3 oracle (3-QBF solver, in practice) wherein every Σ P 3 query is constructed over a CNF formula conjuncted with XORs.
While AMUSIC achieved its stated goal of avoiding explicit enumeration, its scalability is significantly hampered by its reliance on a 3-QBF solver that can efficiently handle formulas conjuncted with XOR constraints. It is worth highlighting that the scalability of model counting techniques [17,60] in the context of SAT crucially relies on the availability of CryptoMiniSAT [61], a SAT solver with native support for CNF-XOR constraints. Despite significant advances in QBF solving over the years, the scalability remains a formidable challenge for 3-QBF solvers, and even more when XOR constraints are involved. As such, AMUSIC could scale to formulas involving few hundreds of variables and clauses.
In this work, we focus on addressing the scalability of MUS counting techniques. We begin our investigation by focusing on the observation of Bendík and Meel that their technique relied on a Σ P 3 oracle even though the problem of finding an MUS is in F P N P [19,44]. Therefore, a natural direction is to investigate the design of an algorithmic framework that can circumvent reliance on oracles with high complexity. In this context, we rely on the observation of Durand, Hermann, and Koliatis [21] that the complexity of counting problems whose search problems have F P N P complexity tend to be #NP (which contains #P class). Such an observation is timely given the recent surge of interest in designing efficient techniques for projected model counting, which is #NP-hard. Therefore, one wonders: whether it is possible to design a MUS counting technique that can take advantage of projected model counters?
The primary contribution of this paper is an affirmative answer to the above question. We design a new algorithmic framework, CountMUST, that reduces the problem of MUS counting to two projected model counting queries. In particular, CountMUST constructs a wrapper W and its remainder R such that the number of MUSes of F is |W| − |R|, i.e., the wrapper W over-approximates the set of MUSes while the remainder contains the spurious, non-MUS, subsets of F that emerge due to the over-approximation. We encode the wrapper W and the remainder R with Boolean formulas W and R such that the projected model counts for W and R (for a suitable projection set) equal to |W| and |R|, respectively. An interesting (and perhaps surprising) aspect of our CountMUST is that we do not enumerate a single MUS in our process, which is in stark contrast to the design of AMUSIC that relies on the enumeration of a small number of MUSes.
We discuss several strategies to construct wrappers (and their corresponding remainders) that are efficient to compute and are tight over-approximations of the set of MUSes. We conduct a detailed empirical analysis over 2553 instances and observe that CountMUST successfully returns MUS count for 1500 instances while AMUSIC and enumeration-based techniques could only handle up to 833 instances. We observe interesting complementary nature of the exact and approximate MUS counting approaches: the scalability of AMUSIC is often impacted by the number of clauses and appears to be less impacted by the number of MUSes while, on the other hand, the scalability of CountMUST is less impacted by the number of clauses and appears to depend on the number of MUSes.
Finally, our empirical analysis showcases that our wrappers W approximate the set of MUSes very tightly. Motivated by the tightness of our wrappers, we discuss several interesting applications of our framework: approximate MUS counting [13], MUS enumeration [5,40], MUS Sampling, estimation of minimum and maximum MUS cardinality [38,27], and MUS membership testing [31].
The rest of the paper is organized as follows. We introduce preliminaries in Section 2 and discuss related work in Section 3. We then present the primary technical contribution of our work in Section 4. We present the empirical evaluation in Section 5 and then discuss the implications of the tightness of our wrappers in Section 6. We finally conclude in Section 7.

Preliminaries and Problem Definition
A Boolean formula F is built over Boolean values {1, 0} and over a set Vars(F ) of Boolean variables connected via standard logical operators: ∧, ∨, →, ↔, ¬. A literal is either a variable x ∈ Vars(F ) or its negation ¬x; Lits(F ) denotes the set of all literals used in F . Given a set A of variables, a valuation π : A → {1, 0} assigns to each variable its Boolean value. F [π] denotes the formula that emerges from F by substituting every variable x of F that is in the domain of π by π(x); furthermore, trivial simplifications, e.g., G ∨ 0 = G, G ∧ 0 = 0, ¬1 = 0, ¬0 = 1, are applied. Note that if A ⊇ Vars(F ), then F [π] is simplified either to 1 or to 0. In the case when A ⊇ Vars(F ) and F [π] = 1, we call π a model of F and write π |= F ; otherwise, when F [π] = 0, we write π |= F . A formula F is satisfiable if it has a model; otherwise, F is unsatisfiable. We write M F to denote the set of all models of F . Moreover, given a set A ⊆ Vars(F ) of variables, we write M F ↓A to denote the projection of M F on A, and for every π ∈ M F , we write π ↓A to denote the projection of π on A. Finally, given two variable sets, A = {a 1 , . . . , a k } and B = {b 1 , . . . , b k }, such that A ⊆ Vars(F ), we write F [A/B] to denote the formula that originates from F by substituting each variable a i ∈ A by b i ∈ B.
A formula in conjunctive normal form, shortly a CNF formula, is a conjunction of clauses where a clause is a disjunction of literals. When suitable, a CNF formula can also be viewed as a multiset of clauses where a clause is a set of literals; we use the two representations interchangeably based on the context. Throughout the whole text, let us by F = {f 1 , . . . , f n } denote the input CNF formula of interest. Furthermore, capital letters, e.g., S, K, N , or blackboard bold letters, e.g., W, R, are used to denote other formulas, small letters, e.g., f, f 1 , f i , are used to denote clauses, and small letters, e.g., x, x , y, are used to denote variables. Finally, given a set X, P(X) denotes the power-set of X, and |X| denotes the cardinality of X.
Note that the Boolean satisfiability is monotone w.r.t. the (clause) subset inclusion, i.e., all subsets of a satisfiable set of clauses are satisfiable. Consequently, all proper subsets of an MUS are in fact satisfiable, and, dually, all proper supersets of an MSS are unsatisfiable. Also, note that the minimality/maximality concept used here is a set minimality/maximality and not a minimum/maximum cardinality. Consequently, there can be up to |F | |F |/2 MUSes/MCSes/MSSes of F (intuitively, this is the number of pair-wise incomparable subsets of F ; see the Sperner's theorem [62]). We write maximum and minimum MUS to denote an MUS with the maximum and the minimum cardinality, respectively. Note that there can also be exponentially many maximum and minimum MUSes. We write MUS F to denote the set of all MUSes of F , and SS F to denote the set of all satisfiable subsets of F .  In this paper, we are concerned with the following two problems. Name: #MUS Input: A CNF formula F . Output: The number |MUS F | of MUSes of F . Our goal is to solve the #MUS problem, and to do that, we propose a strong subtractive reduction to the proj-#SAT problem.

Related Work
MUS Counting A straight-forward approach to count the MUSes is to simply enumerate them via an MUS enumeration algorithm, e.g. [5,39,52,41,4,8,12,10]. However, since there can be up to exponentially many MUSes w.r.t. |F |, the complete enumeration is often practically intractable. An alternative approach to identify the MUS count is based on a so-called minimal hitting set duality between MUSes and MCSes that states that every MUS is a minimal hitting set of the set of all MCSes [56,32]. Consequently, one can determine the MUS count by first identifying all MCSes and then counting their minimal hitting sets [40]. However, there can be in general up to exponentially many MCSes, which makes this approach also often practically intractable [52,11].
The study of MUS counting without relying on exhaustive enumeration was initiated just recently by Bendík and Meel [13], who proposed an (ε, δ)approximation scheme called AMUSIC. AMUSIC extends a prior hashing-based model counting framework [63,15,18] to MUS counting. Briefly, AMUSIC divides the power-set P(F ) into nCells small cells, then pick one of the cells and count the number inCell of MUSes in the cell, and estimate the overall MUS count as nCells × inCell . The approach requires to perform logarithmically many calls to a Σ P 3 oracle (3-QBF solver) wherein each query consists of a CNF formula conjuncted with XOR constraints. The lack of solvers with native support for such constraints presents the major hindrance to the scalability of AMUSIC.
It is worth remarking on a recent work by Bendík and Meel [14] that focuses on exact counting of maximal satisfiable subsets (MSSes). While MUSes and MSSes are closely related concepts, to the best of our knowledge, there does not exist any efficient reduction from MUS counting to MSS counting, or vice versa. Note that the best known upper-bound on the problem of finding an MUS is FP NP [19], whereas for findind an MSS a tighter upper-bound FP NP [wit, log] is known [44], which suggests that counting MUSes is practically harder than counting MSSes. It would be an interesting question for future work if the counter developed in this work can be employed to perform MSS counting.

Model Counting
The complexity-theoretic study of model counting was initiated by Valiant [67] who showed that proj-#SAT is #P-complete when S = Vars(G). Subsequently, Durand, Hermann, and Koliatis [21] showed that the general problem of proj-#SAT is #NP-hard. A significant conceptual contribution of Durand et al. was to show the importance of subtractive reductions for problems in #NP; this idea has been applied for reductions to projecting counting [14].
Our work relies on the recent progress in the development of efficient projected model counters; in particular, we employ GANAK [59], a state-of-the-art search-based exact model counter; the entry based on GANAK won the projected model counting track in 2020 Model Counting Competition [23]. Search-based model counters build on three core ideas: (1) for a formula G and x ∈ S, we have (3) finally, component caching is employed to cache the components. Consequently, the model count can be often determined by explicitly identifying just a fraction of all models. GANAK is built on top of earlier search-based model counters, sharpSAT [66] and Cachet [58,57].

MUS Counting via a Projected Model Counter
We now gradually introduce several subtractive reductions of the MUS counting problem to the projected model counting, starting with the base idea in Section 4.1, and following with the particular reductions in Sections 4.2-4.11.

Basic MUS Counting Idea
Definition 5 (wrapper and remainder).

Proposition 1. Let W be a wrapper and R its corresponding remainder. Then
Our approach to determine the MUS count |MUS F | consists of the following steps. First, we define a wrapper W and its corresponding remainder R. Subsequently, we encode the wrapper W with a Boolean formula W such that each projected model of W (for a suitable projection set) corresponds to an element of W. Similarly, we construct a Boolean formula R such that each projected model of R corresponds to an element of the remainder R. Finally, we employ a projected model counter to determine the projected model counts of W and R, i.e., |W| and |R|, and hence we obtain the MUS count |MUS F | = |W| − |R|.
In the following, we first describe in Section 4.2 how to build a simple wrapper W 1 and its remainder R 1 and how to encode them via Boolean formulas W 1 and R 1 , respectively. Subsequently, in Sections 4.3-4.11, we propose several additional wrappers (and their remainders) that improve upon the base wrapper W 1 by exploiting various observations about MUSes. Finally, in Section 4.12, we show how to combine the individual wrappers.

W 1 -The Base Wrapper and Its Reminder
Our base wrapper, W 1 , is simply the set of all satisfiable subsets and all MUSes of F , i.e., W 1 = SS F ∪ MUS F . The corresponding remainder R 1 is thus the set SS F of all satisfiable subsets of F . In the following, we describe how to encode the wrapper W 1 and the remainder R 1 via Boolean formulas W 1 and R 1 whose projected models correspond to elements of W 1 and R 1 , respectively.
Let us start with encoding the remainder R 1 = SS F . Given the unsatisfiable formula F = {f 1 , . . . , f n }, we introduce a set A = {a 1 , . . . , a n } of activation variables. Note that every valuation π of A one-to-one maps to an activated subset π A,F of F defined as π A,F = {f i ∈ F | π(a i ) = 1}. Using the activation variables, we build the formula R 1 as follows: Intuitively, if we set a i to 0 then the formula a i → f i is trivially satisfied, and if we set a i to 1 then f i has to be satisfied to satisfy a i → f i . Hence, the models of R 1 projected on A map to satisfiable subsets of F ; formally: Let us note that the concept of activation variables (or alternatively relaxation variables) and the idea behind the formula R 1 is not novel and it appeared also in several MUS/MSS/MCS related studies such as [31,42,14]. However, we are the first who apply it in the context of MUS counting.
To build a formula W 1 that represents the wrapper W 1 = SS F ∪ MUS F , we will proceed similarly, i.e., we build W 1 using the activation variables A in such a way that a valuation π of A is a projected model of W 1 iff π A,F ∈ W 1 . A straightforward approach to encode W 1 is to directly express that we are interested either in satisfiable subsets or MUSes of F . Such an encoding might look as is the formula from Eq. 1 encoding that π A,F is satisfiable and isMUS(A) is a formula encoding that π A,F is an MUS. However, encoding that a set S is an MUS is quite expensive since one has to express that all subsets of S are satisfiable and that S is unsatisfiable (Definition 1). Especially, encoding that a set S is unsatisfiable requires to assume all the exponentially many valuations of Vars(S). Several MUS related studies used various QBF encodings for the property of being an MUS, e.g., [31,13]. In particular, to express that a set S is an MUS, one can use the following, intuitively described, ∀∃-QBF encoding: "for every valuation τ of Vars(S) the valuation τ models ¬S (i.e., S is unsatisfiable) and for every subset S of S there exists a valuation τ of Vars(S ) that satisfies S ". One could convert the ∀∃-QBF encoding into a plain Boolean formula by explicitly enumerating all the possible valuations of Vars(S) and all the subsets of S, however, this yields an exponentially large, and thus intractable, formula. Hence, instead of directly expressing that every element of the wrapper W 1 is either a satisfiable subset or an MUS of F , we propose another approach based on a novel concept of an evidence.
Crucially, we observe the following: Our formula W 1 (Eq. 2) that encodes the wrapper W 1 captures every set A ⊆ F for which there exists an evidence (ρ 1 , . . . , ρ n ). To represent the set A, we use the activation variables A = {a 1 , . . . , a n }. To represent the truth assignments ρ 1 , . . . , ρ n , we introduce variable sets I 1 , . . . , I n where I i is a fresh copy of Vars(F ) for every i ∈ {1, . . . , n}.
Intuitively, let π be a valuation of Vars(W 1 ) and π A, Based on Propositions 2 and 4, we can now employ a projected model counter to obtain the model counts |M W1↓A | and |M R1↓A |, which yields |W 1 | and |R 1 |, and hence also |MUS F | (Proposition 1). However, the concern here is the tractability of obtaining the model counts. There are mainly two criteria that affect the practical tractability of projected model counting. One criterion is the number of projected models, i.e. the cardinality of the wrapper (and the remainder), and the other criterion is the cardinality of the projection set, i.e., |A|. The wrapper W 1 is not very efficient w.r.t. these two criteria. Especially, W 1 contains all satisfiable subsets of F , and there are often exponentially many satisfiable subsets of F w.r.t. |F |. Therefore, in the following, we will present nine additional wrappers, W 2 , . . . , W 10 , and their corresponding remainders. Each of the wrappers captures a property of MUSes that allows us to provide a better description of MUSes, and hence reduce the cardinality of the wrapper and/or the cardinality of the projection set. Similarly as in the case of W 1 , we will use the activation variables A to represent the elements of the wrappers/remainders. Moreover, every of the following wrappers W i will be encoded by a Boolean formula W i such that for every valuation π of A, π ∈ M Wi↓A iff π A,F ∈ W i (and similarly for the remainders).

W 2 -The Intersection of MUSes
Our second wrapper W 2 is based on a simple observation: every MUS of F has to contain the intersection IMUS F of all MUSes of F . Hence, we define the wrapper as W 2 = {N ∈ W 1 | N ⊇ IMUS F } and encode it via W 2 as follows: Proposition 5. For every valuation π of A, π ∈ M W2↓A iff π A,F ∈ W 2 . Consequently, |M W2↓A | = |W 2 |.
The remainder R 2 of W 2 is by Definition 5 the set W 2 ∩ SS F . To build the formula R 2 that encodes R 2 , observe that we already have an encoding for the set W 2 (Eq. 3), and we also have an encoding for the set SS F since SS F = R 1 . Hence, we can build R 2 as a conjunction of the two encodings: Note that this construction of the remainder and the formula that encodes it is purely mechanical and does not involve any specific property of the particular wrapper. Therefore, for every wrapper W i and its encoding W i that are presented in the following sections, we define the reminder as R i = W i ∩ R 1 and encode it as R i = W i ∧ R 1 . Proposition 6 witnesses the soundness of this construction: This section's final question is how to compute the intersection IMUS F . It is well-known that a clause f ∈ F belongs to IMUS F iff F \ {f } is satisfiable (see, e.g., [56,32,40]). Hence, a straightforward way would be to perform such satisfiability check for each f ∈ F , however, that might be very expensive. Fortunately, there has been recently proposed [13] a quite efficient algorithm to compute IMUS F which usually requires only few satisfiability checks, so we implemented that algorithm and use it while building the wrapper.

W 3 -The Union of MUSes
Our next wrapper, W 3 , is very similar to the previous wrapper. Observe that every MUS of F is necessarily a subset of the union UMUS F of all MUSes of F . Consequently, also a weaker observation holds: every MUS of F is a subset of every over-approximation of UMUS F . We define the wrapper as W 3 = {N ∈ W 1 | N ⊆ U } where U is either the exact union UMUS F or its over-approximation (U ⊇ UMUS F ). Details on obtaining U are provided below. The encoding W 3 of W 3 is analogical to W 2 : The computation of the union UMUS F has been examined in two recent studies [45,13] that provided two different approaches for that task. Unfortunately, due to the problem's hardness, both the studies showed that the proposed approaches can usually handle only relatively small input formulas. Namely, the approach from [13] requires O(|F |) calls of a Σ P 2 oracle. Fortunately, it is often possible to cheaply compute a good over-approximation of UMUS F via the concepts of autark variables and a lean kernel. Briefly, a subset V of Vars(F ) is an autark [46] of F iff there exists a valuation χ of V such that for every clause f ∈ F that contains a variable from V it holds that χ |= f . Since a union of two autark sets is also an autark set, there exists a unique maximum autark set [34,33]. The lean kernel K of F is the set of clauses that do not use any variable from the maximum autark set. It has been shown (e.g. [34,33]), that the lean kernel is an over-approximation of UMUS F . Hence, when building the wrapper W 3 , we use the lean kernel K as the over-approximation U of UMUS F , i.e., W 3 = {N ∈ W 1 | N ⊆ K}. There have been proposed several algorithms to compute the lean kernel, e.g. [43,36]; we have implemented the algorithm by Marques-Silva et al. [43] using a MaxSAT solver UWrMaxSat [54] as a back-end.
Few words are in order to the effect of the two wrappers, W 2 and W 3 , on the tractability of the projected model counting. Observe that in both cases (W 2 and W 3 ), we fix values of some variables from the projection set A. Hence, before passing the formulas to the projected model counter, we first propagate the fixed values of A to simplify the formulas. By doing so, we effectively reduce the size of the projection set A by |IMUS F | and |U | = |K|, respectively.
Finally, let us note that the fact that an MUS has to be a subset of the union of all MUSes and a superset of the intersection of all MUSes is well-known and it has been already exploited in various ways in several MUS related studies (see, e.g., [45,11,10]). Especially, the approximate MUS counting algorithm AMUSIC [13] utilizes UMUS F in its preprocessing phase, and IMUS F to simplify 3-QBF queries while searching for MUSes.

W 4 -Minimum MUS Cardinality
Assume we can somehow compute the cardinality of a minimum MUS or at least its lower-bound minMUS. Knowing this number, we define our next wrapper as W 4 = {N ∈ W 1 | |N | ≥ minMUS}. To encode this wrapper via a formula W 4 , we employ a Boolean cardinality constraint atLeast(A, minMUS) expressing that at least minMUS variables from A are set to 1: Proposition 8. For every valuation π of A, π ∈ M W4↓A iff π A,F ∈ W 4 . Consequently, |M W4↓A | = |W 4 |.
There have been proposed several algorithms for computing an MUS with the minimum cardinality, e.g. [27,38,26]. However, since the task of computing a minimum MUS is in FP Σ P 2 [37,27], computing exactly a minimum MUS is too expensive for our scenario (empirically experienced). Instead, we propose an approach for cheaply computing a lower-bound on the minimum MUS cardinality.
Our method is based on a well-known relationship between MUSes and MC-Ses called minimal hitting set duality [56,32]. Given a collection C of sets, a set X is a hitting set of C iff C ∩ X = ∅ for every C ∈ C. Furthermore, a hitting set X of C is minimal if none of its proper subsets is a hitting set. The duality relation states that a set N is an MUS of F iff N is a minimal hitting set of the set MCS F of all MCSes of F . Dually, a set M is an MCS of F iff M is a minimal hitting set of the set MUS F . Consequently, one can identify all the MC-Ses and then compute their minimum minimal hitting set to get an MUS with the minimum cardinality. However, there can be up to exponentially many MC-Ses of F , and thus their complete enumeration is often practically intractable. Our approach to obtain a lower-bound on the minimum MUS cardinality is the following. First, we employ a recent MCS enumeration algorithm RIME [11] to generate a subset M of MCS F . Subsequently, we compute a minimum minimal hitting set of M and use it as the lower-bound minMUS on the minimum MUS cardinality while building the wrapper W 4 . Note that since M ⊆ MCS F , it holds that every hitting set of MCS F is also a hitting set of M, and hence minMUS is indeed a sound lower-bound on the cardinality of a minimum hitting set of MCS F . Let us also briefly describe an algorithm for computing the minimum MUS by Ignatiev et al. [27], since it works on a similar principle as our approach. Their algorithm iteratively maintains a set kMCSes of known MCSes; initially kMCes = ∅. In each iteration, the algorithm computes a minimum minimal hitting set X of kMCSes and checks X for satisfiability. If X is unsatisfiable, then it is guaranteed to be a minimum MUS. Otherwise, X is enlarged to an MSS using a single MSS extraction subroutine, the complement of the MSS (i.e., an MCS) is added to kMCSes, and the algorithm proceeds with a next iteration. Observe that one can also terminate their approach after a given time limit and use the last computed X as a lower-bound on the minimum MUS cardinality. The main difference between our and their approach is that we employ a dedicated MCS enumerator in the first step and then compute just a single minimum minimal hitting set, whereas they alternate single MCS extraction with minimum minimal hitting set computation.

W 5 -Maximum MUS Cardinality
Assuming that we can somehow compute an upper-bound maxMUS on the maximum cardinality of an MUS of F , we define our next wrapper as W 5 = {N ∈ W 1 | |N | ≤ maxMUS}. Similarly as in the case of W 4 , to build the formula W 5 that encodes W 5 , we introduce a Boolean cardinality constraint atMost(A, maxMUS) expressing that at most maxMUS variables from A are set to 1: Proposition 9. For every valuation π of A, π ∈ M W5↓A iff π A,F ∈ W 5 . Consequently, |M W5↓A | = |W 5 |.
We are not aware of any prior work on computing the cardinality of the maximum MUS nor of a reasonable approach for computing at least its upperbound. Hence, we propose a custom approach to compute such an upper-bound maxMUS. The base idea is to exploit our concept of wrappers: Proposition 10. Let W be a wrapper, i.e. W ⊆ MUS F ∪ SS F , A the set of activation variables, and W a formula such that for every valuation π of A, π ∈ M W↓A iff π A,F ∈ W. Furthermore, let maxOnes = max({ones(π) | π ∈ M W↓A }) where ones(π) = |{a i ∈ A | π(a i ) = 1}|. Then maxOnes is an upper-bound on the maximum MUS cardinality.
We use maxOnes as the value maxMUS while constructing wrapper W 5 . Any of the wrappers and its encoding presented in this paper can be used as W and W, respectively. To determine the value maxOnes, we define a partial MaxSAT problem using the formula W ∧ ai∈A a i , where W are the hard clauses and ai∈A a i are the soft clauses. To solve the problem, we employ the MaxSAT solver UWrMaxSat [54].

W 6 -Component Partitioning
It is often the case that the clauses of F can be partitioned into several components, i.e. disjoint subsets of clauses, such that every MUS of F consists only of clauses from a single component. In particular: Definition 7 (components). Given a clause f i ∈ F , the component C(f i ) of f i is the minimal subset of F satisfying: 1. f i ∈ C(f ), and 2. for every l ∈ f i and every f j ∈ F with ¬l ∈ f j , C(f i ) = C(f j ).
There are four components: The wrapper W 6 captures the partition of MUSes into components, and it is defined as W 6 = {N ∈ W 1 | ∀ fi,fj ∈N . C(f i ) = C(f j )} and encoded via W 6 : Proposition 12. For every valuation π of A, π ∈ M W6↓A iff π A,F ∈ W 6 . Consequently, |M W6↓A | = |W 6 |.
To partition the input formula F into individual components, we construct an undirected graph whose vertices are the clauses of F and every two vertices, f i and f j , are connected via an edge iff there exists l ∈ f i such that ¬l ∈ f j . The components of F then correspond to connected components of the graph (which can be identified in linear time w.r.t. the size of F by traversing the graph). Note that a similar flip graph has been used in a study [68] on model rotation and its usage during single MUS extraction.

W 7 -Minimal Hitting Set Duality
We again exploit the minimal hitting set duality between MUSes and MCSes (Section 4.5). Recall that if a set M is an MCS of F then M ∩ N = ∅ for every N ∈ MUS F . We define the wrapper W 7 as {N ∈ W 1 | ∀ M ∈M M ∩ N = ∅} where M is a set of MCSes. To obtain M, we run an MCS enumeration algorithm RIME [11] constrained by a user-defined time limit. The encoding W 7 of W 7 is: Proposition 13. For every valuation π of A, π ∈ M W7↓A iff π A,F ∈ W 7 . Consequently, |M W7↓A | = |W 7 |.

W 8 -Literal Negation Cover
Our next wrapper captures the following observation about MUSes.

Proposition 14.
Let N be an MUS of F , f i ∈ N a clause of N , and l ∈ f i a literal of f i . Then there exists a clause f j ∈ N such that ¬l ∈ f j .

W 9 -Non-Extendable Evidence Models
Assume that N is an MUS and (ρ 1 , . . . , ρ n ) is its evidence. By Definition 6, it holds that ρ i |= N \{f i } for every 1 ≤ i ≤ n. Observe that since N is unsatisfiable, then it is also necessarily the case that ρ i |= ¬f i for every 1 ≤ i ≤ n. Hence, we define our next wrapper, W 9 , as W 9 = {N ∈ W 1 | ∃ρ 1 , . . . , ρ n . ∀ 1≤i≤n . ρ i |= N \ {f i } and ρ i |= ¬f i }. Note that the above-stated property applies universally to every evidence of an MUS, and yet we require in the definition of the wrapper only an existence of one such evidence. The reason is that there can be up to exponentially many evidences for an MUS w.r.t. |Vars(F )| and hence it is intractable to reason about all of them in the Boolean encoding of the wrapper.

W 10 -Enforced Evidence Models
Our final wrapper, W 10 , again builds on the variable valuations ρ 1 , . . . , ρ n that form an evidence of an MUS N of F . In the previous wrapper, W 9 , we have exploited that none of the variable valuations can be a model of N . Here, we express that none of the valuations can be easily modified to be a model of N .
In particular, if f i ∈ N , then by the definition of an evidence, ρ i |= N \ {f i }.
Assume that we pick a literal l ∈ f i and turn ρ i into a valuation ρ i by flipping the assignment to l so that ρ i |= f i . Since N is an MUS (i.e., unsatisfiable), there necessarily exists a clause f j ∈ N such that ρ i |= f j , i.e., f j forces ρ i to satisfy ¬l and hence prevents from flipping ρ i to a model ρ i of the whole N . Formally: Proposition 17. Let N be an MUS, f i ∈ N a clause of N , and ρ i a model of N \ {f i }. Then for every literal l ∈ f i , there exists a clause f j ∈ N such that ¬l ∈ f j and ρ i |= f j \ {¬l}.
Similarly as in the case of W 9 , observe that Proposition 17 applies universally to every evidence of an MUS, however, since there can be exponentially many such evidences, it is expensive to reason about all of them. Hence, in the wrapper, we capture just an existence of such an evidence: Eq. 11 shows the corresponding encoding via W 10 : Proposition 18. For every valuation π of A, π ∈ M W10↓A iff π A,F ∈ W 10 . Consequently, |M W10↓A | = |W 10 |.

Combining Wrappers and Their Remainders
In the previous sections, we have presented multiple wrappers, each of which captures a different property of MUSes. In this section, we show that the individual wrappers can be easily combined and, hence, form wrappers that provide a more accurate description of the set MUS F . Proposition 19. Let A be the set of activation variables, W k and W l wrappers, and R k and R l the remainders of W k and W l . Furthermore, for every m ∈ {k, l}, let W m and R m be formulas such that: for every valuation π of A, π ∈ M W m ↓A iff π A,F ∈ W m , and for every valuation π of A, π ∈ M R m ↓A iff π A,F ∈ R m . Then all the following hold: 1. W k ∩ W l is a wrapper and R k ∩ R l is its reminder.

For every valuation π of
Note that although Proposition 19 discusses only a combination of two wrappers, it can be applied repeatedly on already combined wrappers. Hence, we can combine any subset of the wrappers W 1 , . . . , W 10 we proposed. Also, note that all the formulas W 2 , . . . , W 10 subsume the formula W 1 , and hence if we combine multiple wrappers, we duplicate some clauses. In our implementation, we first remove all the duplicates and apply other straightforward model preserving simplifications before we pass the encoding to a projected model counter.
We have implemented our approach for counting MUSes in a python-based tool 3 , using the projected model counter GANAK [59] to count the models of wrappers and remainders, and also using several auxiliary tools as described above.
We presented 10 base wrappers W 1 , . . . , W 10 and shown how to combine them. Since W 1 is subsumed by all the wrappers W 2 , . . . , W 10 , there are 2 9 combined wrappers. Due to the large number of the combinations, we were able to evaluate only some of them. In particular, we evaluated the combination W 1 ∩· · ·∩W 10 , denoted as Wall, of all wrappers since it provides the most precise description of MUSes. We also evaluated 6 wrappers that emerge from Wall by excluding individual base wrappers or combinations of similar base wrappers, and also the most basic wrapper W 1 . The We also evaluated two contemporary MUS enumerators, MARCO 4 [39] and UNIMUS 5 [10]. Moreover, we evaluated the approximate MUS counter AMU-SIC 6 [13] using its default guarantees, i.e., the provided MUS count estimates are within 1.8 multiplicative factor of the true count with 80% confidence.
Our benchmark suite consists of the 2553 instances previously employed in the prior MUS and MSS literature, including those released by authors of AMU-SIC [13]. The formulas contain from 78 to 1000 clauses and from 40 to 996 variables. The MUS count varies from 1 to 1.7 × 10 9 MUSes.
We focus on three comparison criteria: 1) the number of benchmarks solved by the evaluated tools (i.e. benchmarks where the tools provided the MUS count), 2) the scalability of the tools w.r.t. the number of MUSes in the benchmarks, and 3) we examine the accuracy of our wrappers.
All experiments were run using a time limit of 3600 seconds per benchmark on a Linux machine with AMD 16-Core Processor and 20GB memory limit. When using wrappers W 4 and W 7 , we used a combined limit of 300 seconds (included in the 3600 seconds) and 100000 MCSes for the MCS enumeration while building the wrappers; if both wrappers were used, we run the MCS enumeration just once. Finally, while constructing a combined wrapper of the form W * ∩ W 5 , we used W * to compute the value maxMUS for creating W 5 .

Solved Benchmarks
In Table 1, we show the number of benchmarks that were solved by the individual evaluated tools. The worst performance was achieved by the basic wrapper W1 (W 1 ), which is not surprising since it does not provide a good description of MUSes. AMUSIC solved 623 benchmarks, whereas UNIMUS and MARCO solved 833 and 799 benchmarks, respectively. Except for Wno8910 (and W1), which solved only 1058 benchmarks, all the remaining combined wrappers solved around 1450-1500 benchmarks and hence significantly dominated both AMUSIC and the two MUS enumerators. Maybe surprisingly, Wall that combines all the base wrappers ended up at the third position; the highest number (1500) of solved benchmarks was achieved by Wno5, and the second-highest (1498) by Wno4. Note that Wno5 and Wno4 exclude encoding of the minimum and maximum MUS cardinality via Boolean cardinality constraints. In general, solving Boolean cardinality constraints is often quite hard, and hence even though a presence of the two wrappers might provide a better description of MUSes, the constraints increase the hardness of the generated instances. Fig. 2 compares the time needed to solve the benchmarks by a subset (for a better clarity) of the evaluated tools. A point with coordinates [x, y] means that x benchmarks were solved (by the corresponding tool) within the first y seconds.

Scalability w.r.t the MUS Count
In Fig. 3 On the other hand, AMUSIC relies on repeated calls to a 3-QBF solver whose efficiency highly depends on |F |.

Accuracy of Wrappers
Recall that a wrapper W over-approximates the set MUS F of all MUSes of F , i.e., W ⊇ MUS F (Definition 5), and hence we are interested in measuring the accuracy of the over-approximations. In particular, given a wrapper W and its remainder R constructed over a formula F , we measure the ratio |R| |W| . The range of the ratio is [0, 1); the closer to 0 the more accurate the wrapper is, and especially when |R| |W| = 0, the wrapper exactly captures the set MUS F (i.e., W = MUS F ). We illustrate the ratio |R| |W| achieved by individual wrappers in Fig. 4. A point with coordinates [x, y] expresses that for x percent of benchmarks completed by the corresponding tool, the ratio |R| |W| was at most y. As expected, the ratio achieved by the most basic wrapper W1 (W 1 ) is very high for all the benchmarks, i.e., the wrapper captures MUS F very inaccurately. On the other hand, the other wrappers achieved for a vast majority of benchmarks a very low ratio, i.e., they over-approximate MUS F very tightly. In fact, for 87 percent of benchmarks, the wrappers Wno23, Wno4, Wno5, Wno6, and Wall, achieved the ratio 0, i.e., the wrappers exactly captured the set MUS F . In contrast, the wrappers Wno7 and Wno8910 achieved the ratio 0 for only 68 and 80 percent of benchmarks, which suggest that the use of the corresponding wrappers, W 7 , W 8 , W 9 , and W 10 , is vital for an accurate description of MUS F . Moreover, note that the accuracy of the wrappers highly correlate with the number of solved benchmarks (Table 1), since Wno7 and Wno8910 (and W1) were the least efficient wrappers.

Future Possible Applications of Wrappers and Remainders
Recall that a wrapper W over-approximates the set MUS F of all MUSes of F , i.e., W ⊇ MUS F (Definition 5). Moreover, in Section 5, we empirically witnessed that the best of our wrappers usually over-approximate MUS F very tightly or they even capture it exactly. Consequently, the propositional encodings W and R of a wrapper W and its remainder R, respectively, can very precisely capture the set MUS F . We strongly believe that such an accurate propositional description of MUS F paves the way (and will be thoroughly examined in our future work) to efficiently solve many other MUS related problems including, e.g., the following: Approximate MUS Counting Recall that |MUS F | = |W| − |R|. Assuming that |R| is much smaller than |W| and observing that R ⊆ W, computing |M R↓A | = |R| should be much faster than computing |M W↓A | = |W|. Hence, one could first relatively quickly exactly compute the value |M R↓A |, and then use an approximate model counter to find an estimate w of |M W↓A |. The MUS count |MUS F | can be then approximated as w − |R|. The accuracy of the approximation depends on the approximation guarantees of the model counter (e.g. using ApproxMC4 [18,60], we get the ( , δ)-guarantees provided by AMUSIC). MUS Enumeration Assume a valuation π of the activation variables A and the corresponding activated subset π A,F = {f i ∈ F | π(a i ) = 1} of F . As shown in Section 4, π A,F is an MUS iff π ∈ M W↓A and π ∈ M R↓A . Hence, one can enumerate MUSes by enumerating projected models of W and discarding those that are also projected models of R.

MUS Sampling
To sample an MUS of F , one can iteratively sample an element π of M W↓A until it identifies π such that π ∈ M R↓A , i.e., π A,F is an MUS. Note that while the past decade has witnessed significant progress in the development of projected model sampling approaches [16,22,55] (with various distribution guarantees), we are not aware of any existing MUS sampling technique (with reasonable distribution guarantees). Minimum and Maximum MUS Cardinality As discussed in Section 4.6 (W 5 ), one can over-approximate the maximum MUS cardinality by finding a model π ∈ M W↓A that maximizes the number of variables assigned 1. Similarly, one can under-approximate the minimum MUS cardinality by finding a model π ∈ M W↓A that minimizes the number of variables assigned 1. Intuitively, the smaller |R| is, the more precise approximations can be expected. Moreover, by checking if π ∈ M R↓A , one can actually verify if π A,F is an MUS.

MUS Membership
The MUS membership problem is to decide if a clause f i ∈ F belongs to an MUS of F and it is known to be Σ P 2 -complete [35,37,31]. Contemporary techniques for deciding the problem are mainly based on solving 2-QBF or 3-QBF encodings [31,13]. Our wrapper-based framework allows for an alternative approach: to decide if a clause f i belongs to an MUS of F , one can check if there exists a valuation π of A such that π(a i ) = 1, π ∈ M W↓A , and π ∈ M R↓A . Note that when |R| = 0 or when |R| can be bounded by a constant, this check boils down to a single call of a SAT solver.

Conclusion and Future Work
In this paper, we focused on the problem of MUS counting and proposed the first exact MUS counter, called CountMUST, that does not rely on explicit MUS enumeration. The base idea is to reduce the problem of MUS counting to (two queries of) projected model counting via the framework of wrappers and remainders. The availability of scalable projected model counter, GANAK, allowed CountMUST to scale much better and solve significantly more instances than other existing approaches. Moreover, as discussed in Section 6, the tightness of wrappers and remainders opens up new potential applications ranging from approximating counting, enumeration, membership, and the like.
We also revisit the complementary nature of CountMUST and AMUSIC with respect to the size of instances and the MUS count. The complementary performance opens up opportunities for a portfolio approach that can achieve the best of both of the worlds. Finally, let us note that we are fighting here the chicken and egg nature of the existence of practical applications and scalable algorithmic techniques for problems in automated reasoning. Often the lack of scalable techniques leads to a lack of incentives for end-users to design reductions to practical applications, and vice versa. Even though MUS counting has already many applications in the diagnosis domain [25,48,65,49,50,29], we hope that the availability of CountMUST will break this chicken and egg loop in other areas and enable further investigations into MUS counting applications.