Keywords

1 Motivation

The Boolean satisfiability problem (SAT) and its variants have played an important role in the development of all parts of computer science. From the theoretical perspective, it plays a fundamental role in the theory of NP-completeness [4]. From the practical point of view, it has found several applications in fields like model checking [16] and combinatorial search [10]. The applications SAT has found in industry have brought along interesting consequences. On the one hand, it has spurred the development of an entire ecosystem of related software, from preprocessors to software to verify proofs of unsatisfiability. On the other hand, it has increased the complexity of SAT solvers themselves as they are used to tackle larger instances with intricate structures. The fact that SAT solvers are becoming more complex while at the same time being used in more mission-critical scenarios has sparked interest in the verification of SAT solvers [3, 11, 15]. Nevertheless, industrial applications usually depend not only on the SAT solver employed to find satisfying assignments (models) of the generated instances but also on preprocessing and postprocessing tools. For instance, most SAT solvers available accept the input formula in DIMACS formatFootnote 1, which assumes the input is in conjunctive normal form (CNF), so depending on the application, a CNF transformation may be needed as a preprocessing step, introducing a new trust issue.

The particular type of preprocessing tool we focus on in this paper is symmetry breaking tools. Symmetry breaking has been identified as a crucial step towards using SAT solvers successfully in combinatorial search [9]. Symmetries in a given instance of the SAT problem may arise from several sources, some of them domain-specific and some of them at the syntactic level. The seminal work by Crawford [5, 6] addressed syntactic symmetry in CNF formulas by interpreting these as graphs and using the automorphism group of such graphs to identify syntactic symmetry. These symmetries are broken by appending symmetry breaking clauses to the input formula. Aloul et al. [1] later improved the original construction to be able to detect phase-shifts symmetries (symmetries that map a literal to its negation). Aloul et al. [2] exploited the recursive nature of the symmetry breaking predicates formulated in this technique to reduce the size of the symmetry breaking clauses added to the input formula and made their work available as the widely successful tool Shatter. More recently, Devriendt et al. [7] improved the symmetry breaking clauses added by Shatter and added another technique for symmetry breaking detection, namely row interchangeability, making these available in the BreakID tool. The idea of detecting syntactic symmetries through a graph representation of the input formula has also found its way into the related paradigms of Answer Set Programming (ASP) and model expansion [8]. This brief overview, although by no means thorough, is enough to make the argument that by using today’s tools in syntactic symmetry breaking we are leveraging decades of work. At the heart of this work is the concept introduced by Crawford [5, 6], still present in modern tools: the representation of a Boolean formula as a graph whose automorphisms correspond to syntactic symmetries in the input formula. Thus formalizing this idea would be a step towards formalizing state-of-the-art tools.

In this paper we explore the formalization in the Prototype Verification System (PVS) [13] of the graph construction by Crawford [5, 6] and the verification of the fundamental property linking the automorphisms of this graph with symmetric assignments of the variables. Our formalization is based on the graph theory from NASA’s PVS libraryFootnote 2. We believe this formalization is an interesting undertaking because it requires us to go beyond the mere formalization of CNF formulas and transformations at the formula level. We need to jump out of the realm of CNF formulas into the language of graphs and then back to CNF formulas.

The rest of this paper is organized as follows. Crawford’s symmetry breaking method is defined in detail in Sect. 2. Section 3 then delves into the details of our formalization and some of the proof techniques used to verify the main theorems of Crawford’s approach to syntactic symmetry breaking. We discuss some directions for future research and conclude in Sect. 4.

2 Main Theorem

In this section we lay out the fundamentals of Crawford’s approach to syntactic symmetry breaking, which we then formalize in Sect. 3. The first concept we define is that of a CNF formula:

Definition 1

(CNF Formula). A CNF Clause is a set of literals (variables and their negations). A CNF Formula is a set of CNF clauses.

For simplicity, we identify variables with natural numbers. Thus an assignment of variables can be defined as a function from the natural numbers to the Boolean domain. Alternatively, one could define an assignment as a function from the set of variables in a formula to the Boolean domain, but this has interesting implications which we discuss briefly in Sect. 4. Regardless of the choice of representation of assignments, these can naturally be extended to an assignment of literals in the obvious way.

Definition 2

An assignment \(\sigma \) models a formula F if for every clause \(C\in F\) there exists a literal \(l\in C\) such that \(\sigma \) assigns True to l.

Definition 3

(Graph Representation). The graph representation of a CNF formula F is a vertex-colored undirected graph \(G_F\) whose set of vertices is the union of the clauses of F in one color and the literals of F in another color. The set of edges is defined as: (a) the set of edges between a literal l and its negation \(\overline{l}\) and (b) the set of edges between a clause C and the literals \(l\in C\).

Fig. 1.
figure 1

The graph corresponding to the CNF formula \((x_1\vee x_2)\wedge (x_1\vee \overline{x_3})\). Vertex colors are represented by different node shapes.

Full size image

Figure 1 shows what the graph \(G_F\) would be for a formula \(F=(x_1\vee x_2)\wedge (x_1\vee \overline{x_3})\). Recall that the automorphisms of a graph are the vertex permutations that preserve the set of edges. In our particular case, since we deal with vertex-colored graphs, we only consider color-preserving automorphisms (i.e., automorphisms that map vertices to vertices of the same color). Since literal vertices will be mapped to literal vertices, the automorphisms of \(G_F\) naturally induce a permutation of the literals of F. The main theorem behind Crawford’s method for syntactic symmetry breaking is the following.

Theorem 1

Given a formula F and a color-preserving automorphism \(\phi \) of \(G_F\), an assignment \(\sigma \) models a formula F if and only if the assignment \(\sigma \circ \phi \) models F.

Notice that Theorem 1 can be easily stated if we allow for an abuse of notation and consider \(\phi \) both a permutation of the vertices of \(G_F\) and a permutation of literals. In fact, a closer look at the composition \(\sigma \circ \phi \) reveals that we are both recasting \(\sigma \) as an assignment of literals (as explained above) and \(\phi \) as a permutation of literals. This will prove somewhat problematic in Sect. 3, since PVS will require us to make these casts explicit, thus increasing the complexity of the proofs.

Theorem 1 in itself does not break symmetries in CNF formulas. In order to use Theorem 1 for symmetry breaking, one can look at lexicographical orderings of assignments. Fix an ordering of the literals of F (say, \(l_1,l_2,\ldots ,l_n\)) and let \(\pi \) be a permutation of these. We define the symmetry breaking predicate \(P(\pi )\) as follows: \(P_1(\pi )=l_1\le \pi (l_1)\), \(P_i(\pi )=\left( \bigwedge \limits _{j=1}^{i-1} l_j\equiv \pi (l_j)\right) \rightarrow (l_i\le \pi (l_i))\) for \(i>1\), and \(P(\pi )=\bigwedge \limits _{i=1}^n P_i(\pi )\). Predicate \(P(\pi )\) imposes a lexicographical order between two assignments since only one of them will satisfy \(P(\pi )\). Since, by Theorem 1, it is true that for any satisfying assignment \(\sigma \) and any automorphism \(\phi \) both \(\sigma \) and \(\sigma \circ \phi \) satisfy F, \(P(\phi )\) allows us to prefer \(\sigma \) over \(\sigma \circ \phi \) if \(\sigma \) is less or equal to \(\sigma \circ \phi \) in lexicographical order. If F is satisfiable, such an assignment exists because \(P(\pi )\) is a total order over the satisfying assignments of F. By adding symmetry breaking predicates we are able to reduce the number of satisfying assignments to search for while preserving satisfiability.

Theorem 2

Given a formula F and a color-preserving automorphism \(\phi \) of \(G_F\), F is satisfiable if and only if \((F)\wedge P(\phi )\) is satisfiable.

One can in fact add symmetry breaking predicates for any number of automorphisms while preserving satisfiability: observe that the lexicographical minimum of the set of models of F is by definition less or equal to all of its permutations, thus it satisfies all possible symmetry breaking predicates. This version of Theorem 2 is the one we formalize in the next section.

3 Formalizing Crawford’s Symmetry Breaking

We begin our formalization by defining a new datatype for literals with constructors for positive and negative literals. The type CNFClause is then defined as an alias for a finite set of literals, and the type CNFFormula is in turn defined as a finite set of clauses.

figure a

We define some natural operations over literals and assignments, namely the neg function which returns the negation of a literal, and the litval function which takes a literal l and an assignment a and returns the Boolean value assigned to l under a. We omit the definition of these for the sake of space. We define the models predicate indicating an assignment models a formula and the SAT predicate indicating a satisfying assignment exists for the input formula.

figure b

Next, we define the vertex datatype, the type of the vertices of our graph. A vertex can be a literal vertex or a clause vertex so our datatype has a constructor for each.

figure c

We are now prepared to define the functions that will extract the vertices that are used to build the graph of a formula. These are essentially formula_lits which collects all the literals that appear in a formula, lit_vertices which maps a set of literals to a set of literal vertices, and clause_vertices which maps CNF formulas to sets of clause vertices.

figure d

We also define functions to generate the edges of the graph \(G_F\). We take a similar approach as with the vertices of \(G_F\), defining functions that output different sets of edges. The function connect_lits takes a set of natural numbers (variables, in our domain) and generates a set of edges connecting the positive and negative literals of those variables. The connect_clauses function connects the clauses of a CNF formula to the literals they contain. From Definition 3 it follows that the set of edges of \(G_F\) is the union of the output of these functions.

figure e

With the definitions above we are finally ready to define what the graph of a formula F is and prove a type-correctness condition (TCC) generated by PVS. The TCC generated asks us to prove that if an edge is in the union of the sets connect_lits(formula_vars(F)) and connect_clauses(F), then both of the members of the edge are in the union of lit_vertices(formula_lits(F)) and clause_vertices(F).

figure f

A fundamental property of this graph is that a literal l is a member of a clause C of a formula F if and only if the edge \(\{C,l\}\) is in the set of edges of the graph. We prove this property as a separate lemma.

figure g

The next concept we need to formalize is that of automorphisms. In particular, for our application we need to define color-preserving automorphisms. Notice that our definition of a vertex does not explicitly allow for us to specify a color, but the separate constructors naturally induce a coloring on the vertex datatype. We leverage the induced coloring of vertices by using the ord function in PVS [14]. An overload of this function which assigns a natural number to each constructor of an abstract datatype is automatically generated by PVS when a new abstract datatype is defined. We start by defining the concept of a (color-preserving) vertex permutation, which is a nonempty type dependent on a graph. We define them as bijective functions from the set of vertices to itself such that vertices of the graph are mapped to vertices of the graph and the color of the vertex is preserved.

figure h

We now define an operation permute_edges on graphs which generates a new set of edges using a vertex permutation of the graph. It will then allow us to define automorphisms as the nonempty type of vertex permutations for which this operation preserves the set of edges.

figure i

A fundamental property that follows from the structure of \(G_F\) and the fact that automorphisms preserve the set of edges is the following:

Lemma 1

If \(\phi \) is an automorphism of \(G_F\), then for any literal l in F, \(\phi \) maps \(\overline{l}\) to \(\overline{\phi (l)}\).

Proof

\(\phi (l)\) is a literal from the formula, so \(\{\phi (l),\overline{\phi (l)}\}\) is an edge of \(G_F\) and there must exist vertices x, y in \(G_F\) such that \(\{\phi (l),\overline{\phi (l)}\}=\{\phi (x),\phi (y)\}\). One of x or y, say x, must be l because \(\phi \) is injective, and that forces y to be \(\overline{l}\) since \(\phi \) is color preserving and the only edges connecting literals to literals connect every literal to its negation.\(\blacksquare \)

We show the formalization of Lemma 1 below, where we can see how the abuse of notation throughout our informal proof of the lemma (using \(\phi \) as both a permutation of the vertices of \(G_F\) as well as a permutation of literals) is made explicit and causes some clutter. Nevertheless, it is worth noting it could be worse: since phi is of type [vertex->vertex], the expression phi(litvertex(l)) could in principle be a clausevertex, in which case we would not be able to use the l accessor. Instead of flagging this as an issue, PVS will formulate a type-correctness condition (TCC) asking to prove that phi(litvertex(l)) is a litvertex, which is easy to show from the fact that phi is color-preserving. We include the generated TCC below. An important issue to point out is that, despite the fact that Lemma 1 is fairly straightforward, proving the mapped_lit_neg lemma required laborious case analysis.

figure j

The last piece we need to formalize before stating and proving Theorem 1 is the notion of permuting an assignment. The crucial property of this operation is that, if l is a literal of a formula F, the value of \(\phi (l)\) under an assignment \(\sigma \) is the value of l under the assignment \(\sigma \circ \phi \). We have intentionally given a provocatively simple description of this property which seems to go without saying. In reality, the description is making use of some notation overloading that we cannot obviate when formalizing this property in PVS: \(\phi \) is a vertex permutation, so a composition of \(\phi \) with \(\sigma \) is impossible—not even if we consider \(\sigma \) as an assignment of literals, which is another overloading we employ in our description. Because of all the overloading that is needed to express this property, we state it as a lemma whose proof actually requires rather heavy case analysis.

figure k

We are finally ready to state and prove Theorem 1. We can in fact state a weaker version of this theorem: that if \(\sigma \) models F and \(\phi \) is an automorphism of \(G_F\), then \(a\circ \phi \) models F. We can then use that theorem and the fact that \(\phi ^{-1}\) is an automorphism of \(G_F\) as well to prove Theorem 1. As mentioned before, the proof relies heavily on the graph_clause_lit lemma. It also uses the permute_assignment_preserves lemma and the fact that, since an automorphism is injective and maps the set of vertices of \(G_F\) to itself, its inverse also maps the set of vertices of \(G_F\) to itself.

figure l

We now focus on defining a total order over the assignments of a formula. This proved to be tricky given our choice of defining assignments as functions from the natural numbers to the Boolean domain. We define a relation assignment_leq between two assignments \(\sigma _1\) and \(\sigma _2\) which depends on a list of variables. This relation essentially says that \(\sigma _1\) is lexicographical less or equal to \(\sigma _2\) over the given list of variables. Notice that the list of variables induces an order over the variables. There are a number of ways to define this relation, we chose to define it in a recursive fashion which will facilitate proofs by induction.

figure m

On the other hand, it will sometimes be helpful to work with an explicit definition of what this recursive function means. This will be particularly helpful later on to prove that there is a lexicographical minimum model for any satisfiable formula. In order to work with this alternative formulation, we define a predicate over natural numbers assignments_differ which depends on two assignments \(\sigma _1\) and \(\sigma _2\) stating that these two assignments differ on a given number. We then prove an equivalence between the recursive definition of assignment_leq and the property that if the two assignments \(\sigma _1\) and \(\sigma _2\) differ over a list of variables and \(\sigma _1\) is less or equal to \(\sigma _2\), then \(\sigma _1\) assigns False to the first variable where they both differ.

figure n

Notice that assignment_leq as defined is not a total order over assignments. In order to use this definition as a total order, we need to consider a restricted version assignment_leq_restricted which also depends on a list of variables but is defined over functions that assign specifically those variables in the list. This definition uses the extend function in PVS to extend the assignments over a list of variables to assignments of natural numbers in order to define this restricted predicate in terms of assignment_leq.

figure o

We mention in passing that the assignment_leq_restricted_total_order lemma was the most challenging lemma to prove in the entire specification.

We now need a way to encode the symmetry breaking predicate \(P(\pi )\) described in Sect. 2 as a CNF formula. The standard way to do this is to use auxiliary variables \(e_i\equiv (l_i=\pi (l_i))\) which would lead to an encoding of the predicates that is quadratic in the number of variables in the formula. While implementing this in a procedural fashion is straightforward, implementing it in a functional fashion in a way that lends itself to proving properties about the encoding is more involved. We opted for an alternative approach: expressing the \(P(\pi )\) predicate entirely in terms of the variables of F without employing auxiliary variables. A way to do this is to notice that predicates of the type \(\left( \bigwedge \limits _{j=1}^{i-1}(l_{i-1}\equiv \phi (l_{i-1}))\right) \rightarrow (l_i\rightarrow \pi (l_i))\) are equivalent to \(\left( \bigvee \limits _{j=1}^{i-1}((\overline{l_i}\wedge \pi (l_i))\vee (l_i\wedge \overline{\pi (l_i)}))\right) \vee (l_i\rightarrow \pi (l_i))\) and \(\bigvee \limits _{j=1}^{i-1}((\overline{l_i}\wedge \pi (l_i))\vee (l_i\wedge \overline{\pi (l_i)}))\) is in disjunctive normal form (DNF). Then we can employ a brute-force transformation from DNF to CNF which, although adding a number of clauses that is exponential in the number of variables in the formula, is theoretically simple enough to fit our purposes. We implement this transformation in a recursive function add_symbreaking_predicates_dnf_helper but we omit its definition here for the sake of clarity. We do, however, present the lemma formalizing the main property of this function, namely, that an assignment models the formula output by the add_symbreaking_predicates_dnf_helper if and only if there is a literal i in the list of variables for which a assigns different values to \(l_i\) and \(\phi (l_i)\).

figure p

In order to build the predicate \(P(\pi )\) we process the list of variables as follows: Let the head of the list be the variable v, and let \(l_v\) be the positive literal of v. We take the output of add_symbreaking_predicates_dnf_helper applied to the rest of the list and add \(\overline{l_v}\) and \(\phi (l_v)\) to each clause, then repeat the same procedure for the rest of the list.

figure q

Notice the procedure above imposes a lexicographical order of the variables in the list using the reverse of the order induced by the list, as stated in the following lemma.

figure r

We define another function that takes a list of automorphisms of the formula graph of F and adds symmetry breaking predicates for all of them. We also prove a simple lemma stating a model \(\sigma \) of the formula output by such function will be less or equal to \(\sigma \circ \phi \) for every automorphism \(\phi \) in the list.

figure s

Finally, we prove (a list version of) Theorem 2. The fact that F is satisfiable if the formula together with the symmetry breaking predicates is satisfiable follows easily from the fact that F is a subset of that formula (see the base case of the reduce function call above). The interesting part of this proof is providing a model that will satisfy all the symmetry breaking predicates given that F is satisfiable. We provide the extension of the lexicographical minimum of the set of satisfying assignments of the variables of the formula as a witness. In order to do this, PVS will ask us to prove (a) that the set of satisfying assignments of the variables of F is non-empty, (b) that assignment_leq_restricted is in fact a total order over assignments of the variables of F, and (c) that the lexicographical minimum satisfies all the symmetry breaking predicates appended to F. Part (a) is true because the restriction of the witness to the satisfiability of F belongs to the set, part (b) is true by lemma assignment_leq_restricted_total_order, and part (c) follows from Theorem 1.

figure t

This concludes our formalization of symmetry breaking for Boolean formulas in CNF. The complete development of our formalization, which consists of 61 formulas at the time of this writing, is available onlineFootnote 3.

4 Conclusion and Future Work

We presented the formalization in PVS of the syntactic symmetry breaking technique for Boolean formulas in conjunctive normal form (CNF) introduced by Crawford [5, 6]. We discussed the main components of our formalization and the challenges we faced formulating and proving them.

There are several directions for future work that could stem from this work. One relatively simple improvement would be to specify and prove properties for an encoding of the symmetry breaking predicate \(P(\pi )\) that uses auxiliary variables and adds a number of clauses that is polynomial in the number of variables of the formula. Our choice of representing assignments as functions from natural numbers to the Boolean domain would allow for using auxiliary variables without affecting the proof of symbreaking. This would bring our formalization closer to the actual implementations available in tools like shatter [2].

Related to the extension discussed above, an interesting direction for future work would be to obtain executable code out of this formalization and compare it to the performance of tools like shatter [2] and BreakID [7]. PVSioFootnote 4 [12] could in principle help in this task, yet one big roadblock in using it for our purpose is that basic functions related to finite sets (like adding elements to the set and calculating set unions) are, to the best of our knowledge, not supported by default. Adding support for these would be a major improvement towards being able to run our specification and compare it to the CNF symmetry breaking tools available in the industry.