Efficient BDD Encodings for Partial Order Constraints with Application

Efficient BDD Encodings for Partial Order Constraints with Application to Expert Systems in Software Verification Masahito Kurihara1 and Hisashi Kondo2 1

Hokkaido University, Sapporo, 060-8628, Japan [email protected] 2 Ibaraki University, Hitachi, 316-8511, Japan [email protected]

Abstract. We introduce a class of computational problems called the partial order constraint satisfaction problems (POCSPs) and present three methods for encoding them as binary decision diagrams (BDDs). The first method, which simply augments domain constraints with the transitivity and asymmetry for partial orders, is improved by the second method, which introduces the notion of domain variables to reduce the number of Boolean variables. The third method turns out to be most useful for monotonic domain constraints, because it requires no explicit encoding for the transitivity. We show how those methods are successfully applied to expert systems in a software verification domain.

1 Introduction Binary decision diagrams (BDDs) [1, 3, 18] are graphical, compact representation of Boolean functions, successfully applied in various fields of industrial applications of AI and computer science. For example, they are applied in the field of VLSI design expert systems [10], truth maintenance systems [9], and the reliability analysis of huge and complex plant systems [4]. They also interest the community of automated theorem proving [12]. However, it should be stressed that although this technology is quite general and may seem to be easily applied in various fields, it is known that it essentially contains some computationally hard problems to be solved, depending on the application domains. One of such problems is to determine an appropriate variable order for constructing BDDs. Without good variable orders, the size of the BDDs could exponentially grow too large. For the theoretical computational complexity results, consult [2,14,17] and for some of the heuristic variable ordering methods, see [7,10,11]. Another problem is how to encode the problems at hand as Boolean functions, thus as BDDs. Recently, we have developed the framework of applying BDD technology in the field of development of rule-based programs, but it does not necessarily imply a success in that field: we need heuristics. In this paper, we present some heuristic approaches to this problem and evaluate them through comprehensive experiments on sample rule-based programs taken from practical domains such as hardware diagnosis, software specification, and mathematics. The results show the big difference among those approaches and provide us useful information for optimizing the overall sys-

tems. Such information has been integrated into the expert system for verifying the termination of rule-based programs. In Section 2, the key ideas are described in an abstract setting of partial order constraint satisfaction problems (POCSPs). In Section 3, we present three methods for encoding POCSPs as BDDs. In Section 4, the three methods are applied to the mechanical verification of the termination of rule-based programs. The experimental results show the big difference in efficiency among the methods.

2 Partial Order Constraint Satisfaction Problems A binary decision diagram (BDD)[1,3,18], notation BDD( F ), is a graphical, compact representation of a Boolean function F . It is like a tree except that several vertices may be structurally shared in the graph. Given an assignment of Boolean values (0 or 1) to each variable of F , we can determine the value of the function by following the path from the root to a terminal (0 or 1), branching at each xi -labeled node to either 0- or 1-labelled edge depending on the assigned value for xi . Usually, we fix a linear order (called a variable order) on the set of variables, and for every path from the root to a terminal, we let these variables appear in this ascending order. When the variable order is fixed, the BDD of the given function is uniquely determined. As a result, the satisfiability of a Boolean function can be determined simply by checking if its BDD representation is different from BDD(0). A constraint satisfaction problem (CSP) P =( X , D , C ) consists of a finite set of n variables X = {x1 ,… , xn } , a set of finite domains D = {D1 ,… , Dn } , and a set of constraints C among variables. Each variable xi must take a value from the set Di . Every constraint is associated with some variables and specifies the consistent (allowed) combinations of values for those variables. A solution of P is an assignment of values to all n variables such that it is consistent with all the constraints. In some applications, there is often a need to mechanically determine a partial order that must satisfy some constraints. This motivates the following definition. Definition 1. Let S be a finite set of the elements called symbols. Then a partial order constraint satisfaction problem (POCSP) over S is a CSP PS = ( X , D , C ), where X ={ X fg | f , g ∈ S , f ≠ g } is a set of Boolean variables with the common domain D ={0,1}, and C consists of the three kinds of constraints as follows. − the transitivity constraints: if X fg =1 and X gh =1 then X fh =1 for all combinations ( f , g , h ) of three mutually-distinct symbols; − the asymmetry constraints: either X fg =0 or X gf =0 for all pairs ( f , g ) of distinct symbols; and − the domain constraints C1 … Cm . The POCSP is seen as a problem of determining a partial order > on the set of symbols S under the domain constraints. It is straightforward to encode such a problem as a POCSP. We represent the relationship f > g by an assignment of a Boolean

value to X fg . We let X fg =1 if f > g , and X fg =0 otherwise. The relation > is represented by an assignment of truth values to all the variables in X . Such an assignment represents > . If > is a strict partial order, the assignment must satisfy the transitivity and asymmetry. Together with the domain constraints, we get a POCSP.

3 BDD Encodings for POCSPs We present three methods for encoding POCSPs as Boolean functions, thus as BDDs. The first one is a basic one derived directly from the definition of POCSPs. The second encoding improves it by reducing the number of Boolean variables. When the domain constraints are monotonic, the last encoding can safely remove the transitivity part at the (expectedly small) cost of losing the minimality of the asymmetry. 3.1 Basic Encoding The transitivity and asymmetry of Definition 1 are represented by the following Boolean functions, respectively.

∏

T(X ) =

(X

fg

+ X gh + X fh )

(1)

(X

fg

+ X gf )

(2)

f , g , h∈S , f ≠ g ≠ h ≠ f

A( X ) =

∏

f , g∈S , f ≠ g

We assume that each domain constraint Ci ( i =1, … , m ) is also encoded as a Boolean function Pi ( X ) that takes the value 1 if and only if the assignment to X satisfies Ci . The overall domain constraint is represented by the following function:

(3 )

m

P( X ) =

∏

Pi ( X ) .

i =1

Now we combine the three functions to yield the basic encoding: B ( X ) = (T ⋅ A ⋅ P )( X )

where the right-hand side is a shorthand notation for T ( X ) ⋅ A( X ) ⋅ P ( X ) . Theorem 1. The POCSP has a solution if and only if B ( X ) is satisfiable.

Example 1. Consider a set S = { f , g , h} . Then we have T ( X ) = ( X fg + X gh + X fh ) ⋅ ( X fh + X hg + X fg ) ⋅ ( X gf + X fh + X gh )

⋅( X gh + X hf + X gf ) ⋅ ( X hf + X fg + X hg ) ⋅ ( X hg + X gf + X hf ), A( X ) = ( X fg + X gf ) ⋅ ( X gh + X hg ) ⋅ ( X hf + X fh ).

(4 )

The domain constraints may be given arbitrarily, but for now, assuming that the problem requires that either f > g or h > g , we have P ( X ) = X fg + X hg . 3.2 Encoding with Domain Variables

If the set S contains n symbols, T ( X ) consists of O(n3 ) clauses and tends to be the biggest part of B( X ) . In most cases, however, the set of Boolean variables actually occurring in the domain constraint part P ( X ) tends to be only a small subset of X . We call them domain variables. This motivates the following definitions. Consider a POCSP over S , and let X D be the set of domain variables occurring in P( X ) . Consider a graph G = ( V , E ) with V = S and E = {( f , g ) | X fg ∈ X D } . Each vertex f ∈ V is a symbol of S and each directed edge ( f , g ) ∈ E corresponds to a domain variable X fg . We call G the domain graph. Definition 2 (domain transitivity and asymmetry). Suppose that the domain graph G =( V , E ) contains an edge ( f , g ) ∈ E such that there is a path f = v0 v1 … vn = g from f to g with length n ≥ 2 . Then the domain transitivity condition de-

rived from this path is X fv1 + … + X vn −1g + X fg . The product of such conditions for all edges ( f , g ) ∈ E and for all paths from f to g with length n ≥ 2 is called the domain transitivity for X D . Suppose that G contains a cycle v0 v1 … vn = v0 of length n ≥ 2 . Then the domain asymmetry condition derived from this cycle is X v0v1 + … + X vn −1v0 . The product of such functions for all cycles contained in G is called the domain asymmetry for X D . A path is minimal if it is elementary (i.e., does not contain any vertex twice) and contains no proper subpath that can be replaced by a bypass edge (or chord) in E . A cycle is minimal if it is elementary (i.e., does not contain any vertex twice, except that the start and the end vertices are the same) and contains no subpath that can be replaced by a bypass edge (or chord) in E . The following lemma ensures that we need to enumerate only minimal conditions. Lemma 1. All the domain transitivity and asymmetry conditions are satisfied if all the minimal conditions are satisfied.

The domain transitivity and asymmetry conditions derived only from minimal paths and cycles are denoted by T D ( X D ) and AD ( X D ) , respectively. In practice, the graph G is often sparse, and enumeration of minimal paths and cycles can be performed in practical time and space. Now we introduce the second encoding: B D ( X D ) = (T D ⋅ AD ⋅ P )( X D )

(5 )

where the notation P ( X D ) for P( X ) emphasizes that all the variables occurring in P( X ) are members of X D by definition.

Fig. 1. The domain graph for Example 2

Fig. 2. The BDD for Example 2

Example 2. Let S = { f , g , h, a} and suppose that the domain constraints are encoded as P ( X ) = ( X fg + X gh )( X fh + X hf )( X ga + X ha ) . Then X D consists of 6 variables, and the domain graph is given in Fig. 1. The domain transitivity and asymmetry are given as follows. T D ( X D ) = ( X fg + X gh + X fh )( X gh + X ha + X ga ) AD ( X D ) = X fh + X hf . Note that the cycle f g h f is non-minimal, because there is a bypath edge ( f , h) .

The BDD representation for B D ( X D ) is given in Fig. 2. Theorem 2. B D ( X D ) is satisfiable if and only if B ( X ) is satisfiable.

This theorem implies that we can search for the solution of the POCSP by considering B D ( X D ) instead of B( X ) . Since B D ( X D ) contains only domain Boolean variables, it encodes the POCSP with a smaller number of Boolean variables. This is important when representing the function by the BDD, because its size is likely to grow rapidly (exponentially) as the number of variables increases. 3.3 Encoding without Transitivity for Monotonic Domain Constraints

Since the size of transitivity conditions is often so big even for domain transitivity, it can cause an efficiency problem. We can be more efficient if the domain constraint

P ( X D ) is monotonic. A Boolean function F ( X ) is monotonic if α ≤ α ′ implies F (α ) ≤ F (α ′) , for all assignments α and α ′ . In

particular, we can verify that every Boolean function constructed from the sum and the product (thus containing no negations) is monotonic. In such cases, we can remove the transitivity conditions at the (expectedly small) cost of additional complexity in domain asymmetry. Let A* ( X D ) be the domain asymmetry conditions for X D obtained by considering all minimal cycles plus all non-minimal elementary cycles (that have bypass edges). We introduce the following function as our third encoding: Fig. 3. BDD for Example 3 B* ( X D ) = ( A* ⋅ P )( X D ) .

(6 )

Example 3. Recall Example 2. Since the domain constraint P ( X D ) is monotonic, we can employ the third encoding by considering all cycles to get A* ( X D ) = ( X fh + X hf )( X fg + X gh + X hf ).

The BDD representation for B* ( X D ) is given in Fig. 3. The BDD has 9 nodes, compared with 16 nodes of Fig. 2. When the domain graph contains a relatively small number of non-minimal cycles, the size of the representation for B* ( X D ) is often significantly smaller than B ( X ) and even than B D ( X D ) . B* ( X D ) contains no transitivity conditions. Nevertheless, we can prove the fol-

lowing theorem that ensures that when the domain constraint P ( X D ) is monotonic, we can use this function instead of B ( X ) and B D ( X D ) . Theorem 3. Suppose P ( X D ) is monotonic. Then B* ( X D ) is satisfiable if and only

if B D ( X D ) is satisfiable.

4

Application to Software Verification

4.1 Termination of Rule-Based Programs

Verification of correctness of computer programs is one of the most challenging applications of AI. We present an application of POCSP to verification of the termination property of programs written in a language called term rewriting systems [5,13].

A term refers to an expression constructed from function symbols and term variables. A program R is a set of rewrite rules consisting of a pair of terms l → r specifying that instances of l in a term can be rewritten to the corresponding instance of r . Given a term input from the users, the program uses a pattern matching algorithm to rewrite it repeatedly until one gets an answer term, which is a term that cannot be rewritten any more. A program is terminating if there are no infinite rewrite sequences. Termination is an undecidable property in general, but some sufficient conditions for its verification have been studied. In this paper, we focus on a popular class of such conditions based on precedence. A precedence, denoted by , is a partial order on the set of function symbols. It induces the partial order lpo (called the lexicographic path order, or lpo) on the set of terms. The definition of the lpo is omitted, but all one has to know in this paper is that once you determine the precedence, the lpo is uniquely determined. Theorem 4. If there exists a precedence

such that l

lpo

r for all rewrite rules

l → r of R , then R is terminating. With two terms s and t fixed, the truth of s

lpo

t is uniquely determined by

.

Let Ps,t ( X ) be the Boolean function which takes 1 if s lpo t and takes 0 otherwise, provided the assignment to X represents . Based on the definition of lpo , this

function is defined recursively with respect to term structure as follows. Definition 3. Let s and t be two terms. When s and t are not term variables, we write s = f ( s1 ,… , sm ) and t = g (t1 ,… , tn ) , respectively. Then: ⎧0 if s = t or s ∈ V or (t ∈ V , t ∉ Var ( s )) ⎪1 if ( s ∉ V , t ∈ Var ( s )) or ∃i.s = t i ⎪ ⎪ m P (X ) + X ⋅ n P (X ) fg ∏ j =1 s ,t j ⎪∑ i =1 si ,t Ps ,t ( X ) = ⎨ ⎪ if s ∉ V , t ∉ V , f ≠ g , ∀i.si ≠ t ⎪ m n ⎪∑ i =1 Psi ,t ( X ) + Psk ,tk ( X ) ⋅ ∏ j = k +1 Ps ,t j ( X ) ⎪ if s ∉ V , t ∉ V , f = g , s ≠ t , ∀i.s ≠ t i ⎩

(7 )

where k is the minimal value of i (1 ≤ i ≤ n ) satisfying si ≠ ti ; V is the set of term variables and Var (V ) is the set of term variables contained in s . Example 4. Let s = f (h( x)) and t = g ( x) . Then we have Ps ,t ( X ) = Ph( x ), g ( x ) ( X ) + X fg ⋅ Pf ( h( x )), x ( X ) = [ Px, g ( x ) ( X ) + X hg ⋅ Ph ( x ), x ( X )] + X fg = X hg + X fg .

Given a program R = {li → ri |1 ≤ i ≤ m} , the following Boolean function represents the domain constraints that li lpo ri for all rules in R : m

P ( X ) = ∏ Pli ,ri ( X ). i =1

Let us define the following encoding of POCSP: B ( X ) = (T ⋅ A ⋅ P )( X ). Theorem 5. If B ( X ) is satisfiable, then R is terminating.

Note that P ( X ) is monotonic. Therefore, as discussed in the previous section, the satisfiability of B ( X ) is equivalent to the satisfiability of B* ( X D ) = ( A* ⋅ P)( X D ) . 4.2 Experiments and Comparison

We restrict ourselves to the following three schemes for determining precedences. The random order (RAND) just orders the variables randomly, according to the uniform distribution. The generation order (GO) just orders variables as generated by our BDD generation program. More precisely, it is the order in which we encounter the Boolean variables while expanding Pl ,r ( X ) for each input rule in a depth-first, leftto-right manner according to the definition. The reversed generation order (RGO) is just the orders obtained by reversing GO. We have performed comprehensive experiments on typical sample programs taken from several application domains, including hardware diagnosis, software specification, and mathematics. In this section, we present some results to show how the efficiency is affected by the choice of variable orders. Effects by Variable Orders

We start by fixing our attention to the experimental results for B D ( X D ) . We have selected two particular problems for presenting the results in detail. One is taken from the field of the model-based hardware diagnosis. We refer to this problem as CIRCUIT [8]. The rules have been introduced by directing, from left to right, the 24 equations that specify the behavior of the full adder circuit. The number of domain Boolean variables for this problem is 36. The other problem referred to as SOLITAIRE consists of 28 rules taken from the field of the algebraic specification of software systems [15]. The number of domain Boolean variables for this problem is 46. The results, summarized in Tables 1 and 2, show that the GO and RGO are more efficient than the RAND in both time and space. We recommend the use of RGO, because in most cases it shows the best performance in time and space.

Table 1. Results for circuit

Var order BDD size CPU time

Table 2. Results for solitaire

RAND

GO

39 9533

33 797

RGO

33 70

Var order BDD size CPU time

RAND

1459 2479

GO

398 452

RGO

400 74

Table 3 shows the results for five other problems taken from the domain of mathematics. Those are all the problems given in [16] that contain at least five function symbols and are terminating. The variable order is fixed to RGO. The table includes two new entries for the number of rules and the number of domain variables. We can say that all the problems have been solved efficiently. Table 3. Results for mathematics

Table 4. Results for transitivity removal

No.

12

26

27

29

31

No.

Rules Dom vars BDD size CPU time

9 14 16 1.2

10 18 15 .94

11 17 37 1.4

7 18 34 .35

7 11 15 .10

Rules Dom vars BDD size CPU time

Circuit 24 36 35 6.95

Solitaire 28 46 93 2.62

Effects by Domain Conditions We briefly describe how the domain transitivity and asymmetry on X D result in more efficiency than the ordinary transitivity and asymmetry on X . Indeed, the use

of B D ( X D ) is far better than B ( X ) . This is justified by our experiments in which the use of B ( X ) did not yield a solution of the CIRCUIT problem within 48 hours. Actually, we found that this run required a temporary BDD whose maximum size is 35 times greater than the BDD required for B D ( X D ) . Effects by Transitivity Removal Table 4 shows the results of the experiments in which the previous two sample

problems were solved by using B* ( X D ) in place of B D ( X D ) . We only show the entries for the RGO order. Comparing the CPU time in this table with Tables 1 and 2, we can see that the use of B* ( X D ) is far more efficient than B D ( X D ) .

5

Conclusion

We have presented three methods for encoding POCSPs as BDDs, and applied and evaluated them in the field of software verification. Let us compare our work with two other related works. One is a most simple way based on backtracking [6]. It is well-known that the simple backtracking suffers from inefficiency caused by futile backtracking, rediscovering contradictions, and rediscovering inferences. Actually, the CPU time for computing all solutions for the CIRCUIT and SOLITAIRE problems by the backtracking method was 108 and 2700 seconds, respectively, compared with 70 and 74 seconds by our method. The other work [8] uses a reason maintenance system

to avoid the drawbacks caused by the simple backtracking. It is reported that this method was successful in getting a single solution efficiently. In contrast, our method is effective even if all solutions are sought or if one wants to check that there are no solutions.

Acknowledgement This work was partly supported by JSPS Grant-in-Aid for Scientific Research (B)(15300188) and MPHPT Strategic Information and Communications R&D Promotion Programme.

References 1. Akers, S. B.: Binary decision diagrams, IEEE Trans. Comput., Vol. C-27, 6, 509–516 (1978) 2. Bollig, B. and Wegener, I., Improving the variable ordering of OBDDs is NP-complete, IEEE Trans. on Computers 45, 993–1002 (1996) 3. Bryant, R. E.: Graph-based algorithm for boolean function manipulation, IEEE Trans. Comput., Vol. C-35, 5, 677–691 (1986) 4. Coudert, O. and Madre, J. C.: Towards an interactive fault tree analyser, Proc. IASTED Int. Conf. on Reliability, Quality Control and Risk Assessment (1992) 5. Dershowitz, N. and Jouannaud, J.-P.: Rewrite Systems, in J. van Leeuwen (ed.), Handbook of Theoretical Computer Science, vol. B, North-Holland, 243–320 (1990) 6. Detlefs, D. and Forgaad, R.: A procedure for automatically proving the termination of a set of rewrite rules, Proc. of 1st Conf. on Rewriting Techniques and Applications, Springer, LNCS 202, 255–270 (1985) 7. Fujita, M., Fujisawa, H., and Matsunaga, Y., Variable ordering algorithms for ordered binary decision diagrams and their evaluation, IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems 12, 6–12 (1993) 8. Kurihara, M., Kondo, H., et al.: Using ATMS to efficiently verify the termination of rewrite rule programs, Intern. Journal of Software Engineering and Knowledge Engineering, Vol.2, 4, 547–565 (1992) 9. Madre, J. C. and Coudert, O.: A logically complete reasoning maintenance system based on a logical constraint solver, Proc. Intern. Joint Conf. on Artificial Intelligence, 294–299 (1991) 10. Malik, S., et al.: Logic verification using binary decision diagrams in a logic synthesis environment, Proc. IEEE Int. Conf. on Computer-Aided Design, 6–9 (1988) 11. Minato, S., Ishiura, N., and Yajima, S., Shared binary decision diagram with attributed edges for efficient Boolean function manipulation, 27th DAC, 52–57 (1990) 12. Moore, J. S.: Introduction to the OBDD algorithm for the ATP community, Journal of Automated Reasoning, Vol.12, 33–45 (1994) 13. Plaisted, D. A.: Equational reasoning and term rewriting systems, in Gabbay, D. M. (ed.), Handbook of Logic in Artificial Intelligence and Logic Programming, 274–364 (1993) 14. Sieling, D., On the existence of polynomial time approximation schemes for OBDD minimization, STACS’98, LNCS 1373, 205–215 (1998) 15. Steinbach, J.: Termination of rewriting : Ph.D thesis, Univ. Kaiserslautern, Germany (1994) 16. Steinbach, J. and Kühler, U.: Check your ordering : termination proofs and open problems, SEKI report SR-90-25(SFB), Univ. Kaiserslautern, Germany (1990) 17. Tani, S., Hamaguchi, K., and Yajima, S., The complexity of the optimal variable ordering problem of a shared binary decision diagram, ISAAC’93, LNCS 762, 389–398 (1993)

18. Wegener, I.: Branching Programs and Binary Decision Diagrams: Theory and Application, Society for Industrial and Applied Mathematics (2000)