Towards a Notion of Unsatisfiable Cores for LTL
Viktor Schuppan
FBK-irst, Via Sommarive 18, 38123 Trento, Italy
schuppan@fbk.eu
Abstract. Unsatisfiable cores, i.e., parts of an unsatisfiable formula that
are themselves unsatisfiable, have important uses in debugging specifi-
cations, speeding up search in model checking or SMT, and generating
certificates of unsatisfiability. While unsatisfiable cores have been well in-
vestigated for Boolean SAT and constraint programming, the notion of
unsatisfiable cores for temporal logics such as LTL has not received much
attention. In this paper we investigate notions of unsatisfiable cores for
LTL that arise from the syntax tree of an LTL formula, from converting
it into a conjunctive normal form, and from proofs of its unsatisfiability.
The resulting notions are more fine-granular than existing ones.
1 Introduction
Temporal logics such as LTL have become a standard formalism to specify re-
quirements for reactive systems [37]. Hence, in recent years methodologies for
property-based design based on temporal logics have been developed (e.g., [1]).
Increasing use of temporal logic requirements in the design process necessi-
tates the availability of efficient validation and debugging methodologies. Vacuity
checking [5, 31] and coverage [12] are complementary approaches developed in
the context of model checking (e.g., [3]) for validating requirements given as tem-
poral logic properties. However, with the exception of [13, 24], both vacuity and
coverage assume presence of both a model and its requirements. Particularly in
early stages of the design process the former might not be available. Satisfiabil-
ity and realizability [38] checking are approaches that can handle requirements
without a model being avaiable. Tool support for both is available (e.g., [8]).
Typically, unsatisfiability of a set of requirements signals presence of a prob-
lem; finding a reason for unsatisfiability can help with the ensuing debugging.
In practice, determining a reason for unsatisfiability of a formula without au-
tomated support is often doomed to fail due to the sheer size of the formula.
Consider, e.g., the EURAILCHECK project that developed a methodology and
a tool for the validation of requirements [18]. Part of the methodology consists of
translating the set of requirements given by a textual specification into a variant
of LTL and subsequent checking for satisfiability; if the requirements are un-
satisfiable, an unsatisfiable subset of them is returned to the user. The textual
specification considered as a feasibility study is a few 100 pages long.
Another application for determining reasons for unsatisfiability are algorithms
that find a solution to a problem in an iterative fashion. They start with a guess
of a solution and check whether that guess is indeed a solution. If not, rather
F. Arbab and M. Sirjani (Eds.): FSEN 2009, LNCS 5961, pp. 129–145, 2010.
c
Springer-Verlag Berlin Heidelberg 2010
130 V. Schuppan
than ruling out only that guess, they determine a reason for that guess not being
a solution and rule out guesses doomed to fail for the same reason. Examples are
verification with CEGAR (e.g., [20]) and SMT (e.g., [47]). Automated support
for determining a reason for unsatisfiability is clearly essential.
Current implementations for satisfiability checking (e.g., [16]) point out rea-
sons for unsatisfiability by returning a part of an unsatisfiable formula that is by
itself unsatisfiable. This is called an unsatisfiable core (UC). However, these UCs
are coarse-grained in the following sense. The input formula is a Boolean com-
bination of temporal logic formulas. When extracting an UC current implemen-
tations do not look inside temporal subformulas: when, e.g., φ =(Gψ) ∧ (Fψ
)
is found to be unsatisfiable, then [16] will return φ as an UC irrespective of the
complexity of ψ and ψ
. Whether the resulting core is inspected for debugging
by a human or used as a filter in a search process by a machine: in either case a
more fine-granular UC will likely make the corresponding task easier.
In this paper we take first steps to overcome the restrictions of UCs for LTL by
investigating more fine-grained notions of UCs for LTL. We start with a notion
based on the syntactic structure of the input formula where entire subformulas
are replaced with 1 (true) or 0 (false) depending on the polarity of the corre-
sponding subformula. We then consider conjunctive normal forms obtained by
structure-preserving clause form translations [36]; the resulting notion of core
is one of a subset of conjuncts. That notion is reused when looking at UCs ex-
tracted from resolution proofs from bounded model checking (BMC) [6] runs. We
finally show how to extract an UC from a tableau proof [25] of unsatisfiability.
All 4 notions can express UCs that are as fine-grained as the one based on the
syntactic formula structure. The notion based on conjunctive normal forms pro-
vides more fine-grained resolution in the temporal dimension, and those based
on BMC and on unsatisfied tableau proofs raise the hope to do even better. At
this point we would like to emphasize the distinction between notions of UCs and
methods to obtain them. While there is some emphasis in this paper on methods
for UC extraction, here we see such methods only as a vehicle to suggest notions
of UCs. We are not aware of similar systematic investigation of the notion of UC
for LTL; for notions of cores for other formalisms, for application of UCs, and
for technically related approaches such as vacuity checking see Sect. 8.
In the next Sect. 2 we state the preliminaries and in Sect. 3 we introduce some
general notions. In Sect.s 4, 5, 6, and 7 we investigate UCs obtained by syntactic
manipulation of parse trees, by taking subsets of conjuncts in conjunctive normal
forms, by extracting resolution proofs from BMC runs, and by extraction from
closed tableaux nodes. Related work is discussed in Sect. 8 before we conclude
in Sect. 9. We do not provide a formalization of some parts and discussion of
some aspects in this extended abstract but instead refer to the full version [41].
2 Preliminaries
In the following we give standard definitions for LTL, see, e.g., [3]. Let IB be the
set of Booleans, IN the naturals, and AP a finite set of atomic propositions.
Towards a Notion of Unsatisfiable Cores for LTL 131
Definition 1 (LTL Syntax). The set of LTL formulas is constructed induc-
tively as follows. Boolean constants 0, 1 ∈ IB and atomic propositions p ∈ AP
are LTL formulas. If ψ, ψ
are LTL formulas, so are ¬ψ, ψ ∨ ψ
, ψ ∧ ψ
, Xψ,
ψUψ
, ψRψ
, Fψ,andGψ.Weuseψ → ψ
as an abbreviation for ¬ψ ∨ ψ
,
ψ ← ψ
for ψ ∨¬ψ
,andψ ↔ ψ
for (ψ → ψ
) ∧ (ψ ← ψ
).
The semantics of LTL formulas is defined on infinite words over the alphabet
2
AP
.Ifπ is an infinite word in (2
AP
)
ω
and i is a position in IN, then π[i] denotes
the letter at the i-th position of π and π[i, ∞] denotes the suffix of π starting
at position i (inclusive). We now inductively define the semantics of an LTL
formula on positions i ∈ IN of a word π ∈ (2
AP
)
ω
:
Definition 2 (LTL Semantics).
(π, i) |=1 (π, i) |=0 (π, i) |= ψUψ
⇔∃i
≥ i.((π, i
) |= ψ
∧∀i ≤ i
<i
. (π, i
) |= ψ)
(π, i) |= p ⇔ p ∈ π[i](π, i) |= ψRψ
⇔∀i
≥ i.((π, i
) |= ψ
∨∃i ≤ i
<i
. (π, i
) |= ψ)
(π, i) |= ¬ψ ⇔ (π, i) |= ψ (π, i) |= Xψ ⇔ (π, i +1)|= ψ
(π, i) |= ψ ∨ ψ
⇔ (π, i) |= ψ or (π, i) |= ψ
(π, i) |= Fψ ⇔∃i
≥ i.(π, i
) |= ψ
(π, i) |= ψ ∧ ψ
⇔ (π, i) |= ψ and (π, i) |= ψ
(π, i) |= Gψ ⇔∀i
≥ i.(π, i
) |= ψ
An infinite word π satisfies aformulaφ iff the formula holds at the beginning of
that word: π |= φ ⇔ (π, 0) |= φ. Then we call π a satisfying assignment to φ.
Definition 3 (Satisfiability). An LTL formula φ is satisfiable if there exists
awordπ that satisfies it: ∃π ∈ (2
AP
)
ω
.π|= φ;itisunsatisfiable otherwise.
Definition 4 (Negation Normal Form). An LTL formula φ is in negation
normal form (NNF) nnf (φ) if negations are applied only to atomic propositions.
Definition 5 (Subformula). Let φ be an LTL formula. The set of subformulas
SF (φ) of φ is defined recursively as follows:
ψ = borψ = pwithb∈ IB , p ∈ AP : SF (ψ)={ψ}
ψ = ◦
1
ψ
with ◦
1
∈{¬, X, F, G} : SF (ψ)={ψ}∪SF (ψ
)
ψ = ψ
◦
2
ψ
with ◦
2
∈{∨, ∧, U, R} : SF (ψ)={ψ}∪SF (ψ
) ∪ SF (ψ
)
Definition 6 (Polarity). Let φ be an LTL formula, let ψ ∈ SF (φ). ψ has
positive polarity (+)inφ if it appears under an even number of negations,
negative polarity (−)otherwise.
We regard LTL formulas as trees, i.e., we don’t take sharing of subformulas into
account. We don’t attempt to simplify formulas before or after UC extraction.
3 Notions and Concepts Related to UCs
In this section we discuss general notions in the context of UCs
1
independently
of the notion of UC used. It is not a goal of this paper to formalize the notions
below towards a general framework of UCs. Instead, in the remainder of this
paper we focus on the case of LTL where instantiations are readily available.
1
Terminology in the literature for these notions is diverse. We settled for the term
“unsatisfiable core”, which is used for such notions, e.g., in the context of Boolean
satisfiability (e.g., [26,48]), SMT (e.g., [14]), and declarative specifications (e.g., [45]).
132 V. Schuppan
UCs, Irreducible UCs, and Least-Cost Irreducible UCs When dealing with UCs
one typically considers an input φ (here: LTL formula) taken from a set of
possible inputs Φ (here: all LTL formulas) and a Boolean-valued function foo
2
:
Φ → IB w i t h foo(φ) = 0 (here: LTL satisfiability). The goal is to derive another
input φ
(the UC) with foo(φ
)=0fromφ s.t. 1. the derivation preserves a
sufficient set of reasons for foo being 0 without adding new reasons, 2. the fact
that foo(φ
) is 0 is easier to see for the user than the fact that foo(φ)is0,and
3. the derivation is such that preservance/non-addition of reasons for foo being
0onφ and φ
can be understood by the user. Typically 1 and 3 are met by
limiting the derivation to some set of operations on inputs that fulfills these
criteria (here: syntactic weakening of LTL formulas). The remaining criterion 2
can be handled by assuming a cost function on inputs where lower cost provides
some reason to hope for easier comprehension by the user (here: see below).
Assuming a set of inputs and a set of operations we can define the following
notions. An input φ
is called a core of an input φ if it is derived by a sequence of
such operations. φ
is an unsatisfiable core if φ
is a core of φ and foo(φ
)=0.φ
is a proper unsatisfiable core if φ
is an unsatisfiable core of φ and is syntactically
different from φ. Finally, φ
is an irreducible unsatisfiable core (IUC) if φ
is an
unsatisfiable core of φ and there is no proper unsatisfiable core of φ
.OftenIUCs
are called minimal UCs and least-cost IUCs minimum UCs.
Cost functions often refer to some size measure of an input as suggested by a
specific notion of core, e.g., the number of conjuncts when inputs are conjunctions
of formulas and foo is satisfiability. We do not consider specific cost functions.
Granularity of a Notion of UC. Clearly, the original input contains at least as
much information as any of its UCs and, in particular, all reasons for being
unsatisfiable. However, our goal when defining notions of UCs is to come up
with derived inputs that make some of these reasons easier to see. Therefore we
use the term granularity of a notion of core as follows. We wish to determine
the relevance of certain aspects of an input to the input being unsatisfiable by
the mere presence or absence of elements in the UC. In other words, we do not
take potential steps of inference by the user into account. Hence, we say that
one notion of core provides finer granularity than another if it provides at least
as much information on the relevance of certain aspects of an input as the other.
Consider, e.g., a notion of UC that takes a set of formulas as input and defines a
core to be a subset of this set without proceeding to modify the member formulas
versus a notion that also modifies the member formulas. Another example is a
notion of UC for LTL that considers relevance of subformulas at certain points
in time versus a notion that only either keeps or discards subformulas.
4 Unsatisfiable Cores via Parse Trees
In this section we consider UCs purely based on the syntactic structure of the
formula. It is easy to see that, as is done, e.g., in some forms of vacuity checking
2
Although we write foo we still say “unsatisfiable” core rather than “unfooable” core.
Towards a Notion of Unsatisfiable Cores for LTL 133
(a) A formula
given as a
parse tree
∧
ψ
ψ
p
∧
p
¬
∧
FG
(b) and its
UC.
∧
1
1
p
∧
p
¬
∧
FG
Fig. 1. Example of an UC via parse tree. Modified parts are marked blue boxed.
[31], replacing an occurrence of a subformula with positive polarity with 1 or
replacing an occurrence of a subformula with negative polarity with 0 will lead to
a weaker formula. This naturally leads to a definition of UC based on parse trees
where replacing occurrences of subformulas corresponds to replacing subtrees.
Consider the following formula φ =(G(p ∧ ψ)) ∧ (F(¬p ∧ ψ
)) whose parse
tree is depicted in Fig. 1 (a). The formula is unsatisfiable independent of the
concrete (and possibly complex) subformulas ψ, ψ
. A corresponding UC with
ψ, ψ
replaced with 1 is φ
=(G(p ∧ 1)) ∧ (F(¬p ∧ 1)), shown in Fig. 1 (b).
Hence, by letting the set of operations to derive a core be replacement of
occurrences of subformulas of φ with 1 (for positive polarity occurrences) or 0
(for negative polarity occurrences), we obtain the notions of core, unsatisfiable
core, proper unsatisfiable core, and irreducible unsatisfiable core via parse tree.
In the example above φ
is both a proper and an IUC of φ.Notethat
(G(p ∧ 1)) ∧ (F(¬p ∧ ψ
)) and (G(p ∧ ψ)) ∧ (F(¬p ∧ 1)) are UCs of φ,too,asis
φ itself (and possibly many more when ψ and ψ
are taken into account).
5 Unsatisfiable Cores via Definitional Conjunctive
Normal Form
Structure preserving translations (e.g., [36]) of formulas into conjunctive nor-
mal form introduce fresh Boolean propositions for (some) subformulas that are
constrained by one or more conjuncts to be 1 (if and) only if the corresponding
subformulas hold in some satisfying assignment. In this paper we use the term
definitional conjunctive normal form (dCNF) to make a clear distinction from
the conjunctive normal form used in Boolean satisfiability (SAT), which we de-
note CNF. dCNF is often a preferred representation of formulas as it’s typically
easy to convert a formula into dCNF, the expansion in formula size is moder-
ate, and the result is frequently amenable to resolution. Most important in the
context of this paper, dCNFs yield a straightforward and most commonly used
notion of core in the form of a (possibly constrained) subset of conjuncts.
5.1 Basic Form
Below we define the basic version of dCNF. It is well-known that φ and dCNF (φ)
are equisatisfiable.
