Conference PaperPDF Available

A State-Space Acyclicity Property for Exponentially Tighter Plan Length Bounds


Abstract and Figures

We investigate compositional bounding of transition system diameters, with application in bounding the lengths of plans. We establish usefully-tight bounds by exploiting acyclicity in state-spaces. We provide mechanised proofs in HOL4 of the validity of our approach. Evaluating our bounds in a range of benchmarks, we demonstrate exponentially tighter upper bounds compared to existing methods. Treating both solv-able and unsolvable benchmark problems, we also demonstrate the utility of our bounds in boosting planner performance. We enhance an existing planning procedure to use our bounds, and demonstrate significant coverage improvements, both compared to the base planner, and also in comparisons with state-of-the-art systems.
Content may be subject to copyright.
A State-Space Acyclicity Property for Exponentially Tighter Plan Length Bounds
Mohammad Abdulaziz1,2and Charles Gretton1,3,4and Michael Norrish1,2
1Australian National University, Canberra, Australia
2Data61 Canberra Research Lab., Canberra, Australia
3HIVERY, Sydney, Australia
4Griffith University, Queensland, Australia
We investigate compositional bounding of transition system
diameters, with application in bounding the lengths of plans.
We establish usefully-tight bounds by exploiting acyclicity in
state-spaces. We provide mechanised proofs in HOL4 of the
validity of our approach. Evaluating our bounds in a range
of benchmarks, we demonstrate exponentially tighter upper
bounds compared to existing methods. Treating both solv-
able and unsolvable benchmark problems, we also demon-
strate the utility of our bounds in boosting planner perfor-
mance. We enhance an existing planning procedure to use our
bounds, and demonstrate significant coverage improvements,
both compared to the base planner, and also in comparisons
with state-of-the-art systems.
Core AI planning tasks are to: find a plan which achieves
the goal in a transition system, or otherwise prove that none
exists. The latter also corresponds to the problem of model-
checking safety properties: proving that unsafe states are
unreachable. Solution methods for these tasks benefit from
knowledge of (sub-)system upper bounds on the lengths of
possible plans. If Nis such a bound, and if a plan exists
achieving the goal—or violating the safety property—then
that plan need not comprise more than Nactions.
Biere et al. (1999) identify the system diameter as a con-
ceptually appealing upper bound. The diameter is the longest
shortest path between any two states. Approximate and ex-
act algorithms have been developed to calculate the diame-
ter given an explicit (e.g. tabular) representation of the sys-
tem. Exact algorithms have worse than quadratic runtimes in
the number of states (Fredman 1976; Alon, Galil, and Mar-
galit 1997; Chan 2010; Yuster 2010), and approximation ap-
proaches have super-linear runtimes (Aingworth et al. 1999;
Roditty and Vassilevska Williams 2013; Chechik et al.
2014; Abboud, Williams, and Wang 2016). Such explicit
calculation of diameters is prohibitively expensive in the set-
tings of planning and model-checking, where systems are
described using factored representations, because the sys-
tems’ explicit representation is usually exponential in the
size of the corresponding factored problem description.
Practical approaches to calculate bounds for problems
described using factored representations are compositional.
Baumgartner, Kuehlmann, and Abraham (2002) and Rinta-
nen and Gretton (2013) developed procedures to composi-
tionally over-approximate the diameter. Abdulaziz, Gretton,
and Norrish (2015) provide a tighter procedure by optimis-
ing the order of compositional operations. In detail, where
problem descriptions exhibit certain exploitable structures,
compositional approaches provide useful approximations of
diameter using little computational effort. The concrete sys-
tem bound is over-approximated, by composing together
bounds for abstract subsystems which are calculated with
relative ease. The subsystems are projections of the con-
crete system, identified according to acyclic structures in
the causal/dependency graph (Williams and Nayak 1997;
Knoblock 1994). For example, consider the hotel key pro-
tocol from (Jackson 2006, p. 185), which provides a domain
that severely challenges state-of-the-art planning procedures
designed to discover when no plan exists. Each room in
the hotel is independent, in the sense that the state of any
room i, and actions affecting it are independent of all rooms
j6=i. Compositional bounds scale linearly with the number
of rooms. The sum of bounds for abstract systems modelling
individual rooms is a bound for the concrete system.
We develop a compositional bounding procedure that
combines exploitation of acyclicity in variable dependency
structures described by Abdulaziz, with a novel ap-
proach to exploiting acyclic state-spaces. This enables the
decomposition of a given system into abstract sub-systems
that are much smaller than what is attainable using state-
of-the-art algorithms. Compared to existing practical ap-
proaches, ours can yield exponentially tighter bounds. A
(sub-)system has an acyclic state-space structure if no state
can be encountered twice during an execution. Although
such acyclicity does not hold for many typical concrete tran-
sition systems, it does occur sufficiently often in the projec-
tions encountered in compositional bounding to be of inter-
est. In the acyclic case, the diameter is bounded by the sum
of the diameters of a series of value-based abstractions we
call snapshots. A snapshot is an abstract subsystem in which
the values of some state variables are fixed. For example, the
hotel protocol is acyclic because each key can only be used
once, for one room, and by one guest. The concrete system
diameter is bound above by the sum of the diameters of each
of the possible subsystems (snapshots) where a particular
key is used to access a particular room.
We experimentally show that our bounding approach sig-
nificantly outperforms—both in the tightness of the bounds
obtained and in the quality of decomposition—existing ap-
proaches. Using the upper bounds computed by that algo-
rithm as horizons for a SAT based planner, we: (i) Prove
the unsolvability of problems that cannot be proven using
the state-of-the-art state-space search planners and mod-
el-checkers. One notable example is the problem of mod-
el-checking the safety of the hotel key protocol. (ii) Sig-
nificantly improve the coverage of the SAT based planner
Madagascar MPby using upper bounds rather than its sim-
ple query strategies (Rintanen 2012).
HOL4 Proofs and Availability Theorem 2, Theorem 4
and Proposition 5 are proven in the interactive theorem
prover HOL4 (Slind and Norrish 2008). All our code, Ho-
tel Key benchmarks, and HOL4 proof scripts will be made
available online in the case of acceptance.
Background and Notations
Compositional bounds are defined on factored transition
systems that are purely characterised in terms of a set of ac-
tions. From actions we can define a set of valid states, and
then approach bounds by considering properties of execu-
tions of actions on valid states. Whereas conventional expo-
sitions in the planning and model-checking literature would
also define initial conditions and goal/safety criteria, here we
omit those features from discussion. Our novel bounds, ex-
isting compositional bounds, and the notion of diameter are
independent of those features.
Definition 1 (States and Actions).A state, x, is a finite map
from variables—i.e., state-characterizing propositions—to
Booleans, i.e. a set of mappings v7→ b. We write D(x)
to denote {v|v7→ bx}, the domain of x. For states
x1and x2, the union, x1]x2, is defined as {v7→ b|
if (v∈ D(x1)) then b=x1(v)else b=x2(v)}.
Note how the state x1takes precedence. An action is a
pair of finite maps, (p, e), where prepresents the precon-
ditions and erepresents the effects. For action π= (p, e),
D(π)≡ D(p)∪ D(e).
Definition 2 (Execution).When an action π(= (p, e)) is
executed at state x, it produces a successor state ex(x, π),
formally defined as ex(x, π) = if p*xthen xelse e]
x. We lift ex to lists of actions ~π, so ex(x, ~π )denotes the
state resulting from successively applying each action from
~π in turn, starting at x, which translates to a path in the
underlying state-space.
We give examples of states and actions using sets of lit-
erals. For example, {a, b}is a state where state variables a
is (maps to) true, and bis false and its domain is {a, b}.
({a, b},{c})is an action that if executed in a state that has a
and b, it sets cto true. D(({a, b},{c})) = {a, b, c}.
Definition 3 (Factored Transition System).A set of actions
δconstitutes a factored transition system.We write D(δ)for
the domain of δ, which is the union of the domains of all the
actions it contains. Where set(~π)is the set of elements from
~π, the set of valid action sequences, δ, is {~π |set(~π)δ}.
The set of valid states, U(δ), is {x| D(x) = D(δ)}. For
states xand x0,x x0denotes that there is a ~π δsuch
that ex(x, ~π) = x0.
Definition 4 (Diameter of δ).The diameter, written d(δ), is
the length of the longest shortest execution, formally:
d(δ) = max
If there is a valid action sequence between any two states,
then there is a valid action sequence between them that is no
longer than the diameter.
Hotel Key Protocol
We now consider the hotel key protocol from (Jackson
2006). Reasoning about safe and unsafe versions of this
protocol is challenging for state-of-the-art AI planners
and model-checkers. For example, (Blanchette and Nipkow
2010) prove a version of the protocol unsafe for an in-
stance with 1room, 2guests and 4keys. The problem be-
comes more challenging for the safe version of the protocol,
where the only feasible approach is using interactive theo-
rem provers, as in (Nipkow 2006).
We describe the factored transition system corresponding
to that protocol. The system models a hotel with Rrooms, G
guests, and Kkeys per room, which guests can use to enter
rooms (Figure 1 shows an example with R= 2,G= 2 and
K= 3). The state characterising propositions are: (i) lkr,k,
reception last issued key kfor room r, for 0< r Rand
(r1)K < k rK; (ii) ckr,k, room rcan be accessed
using key k, for 0< r Rand (r1)k < k rK;
(iii) gkg,k , guest ghas key k, for 0< g G,0< k RK;
and (iv) sr, is an auxiliary variable that means that room
ris “safely” delivered to some guest. The protocol ac-
tions are as follows: (i) guest gcan check-in to room r,
receiving key k({lkr,k1},{gkg,k2,lkr,k2,lkr,k1,sr});
and (ii) where room rwas previously entered us-
ing key k, guest gcan enter room rusing key
k0({gkg,k0,lkr,k },{ckr,k0,ckr,k,sr}). Thus, guests
can retain keys indefinitely, and there is no direct commu-
nication between rooms and reception.
For completeness, we note that this protocol was formu-
lated in the context of checking safety properties. Safety
is violated only if a guest enters a room occupied by an-
other guest. Formally, the safety of this protocol is checked
by querying if there exists a room r, guest gand keys
k6=k0, so that lkr,k0ckr,k gkg,k0sr. The initial
state asserts that guests possess no keys, and the reception
issued the first key for each room, and each room opens
with its first key. Formally, this is represented by asserting
lkr,(r1)Kckr,(r1)Kis true for 1rR, (r1)K <
krK, and that all other state variables are false.
We adopt some shorthand notations in order to pro-
vide examples of concepts in terms of the hotel key pro-
tocol. A variable name is written in upper case to refer
to a particular assignment, where the only variable that is
true is given by the indices. For example, the assignment
{ck1,1,ck1,2,ck1,3}—indicating room 1can be accessed
using key 2—is indicated by writing CK1,2. We refer to sets
of variables by omitting an index term. For example, lk1
indicates the variables {lk1,i |1i3}.
Abstraction and Dependency
Key abstraction concepts for compositional reasoning are
projection and snapshot.
Definition 5 (Projection).Projecting an object (a state x,
an action π, a sequence of actions ~π or a factored represen-
tation δ) on a set of variables vs restricts the domain of the
object or the components of composite objects to vs. Pro-
jection is denoted as xvs ,πvs ,~πvs and δvs for a state,
action, action sequence and factored representation, respec-
tively. However, for action sequences or transition systems,
an action with no effects after projection is dropped entirely.
Example 1. Consider the set of variables ROOM1lk1
ck1∪ {gk1,2,gk1,3,gk2,2,gk2,3}. The variables ROOM1
model system state relevant to the 1st hotel room. Figure 1c
shows the projected system δROOM1.
A snapshot models the system when we fix the assignment
of a subset of the state variables, removing actions whose
preconditions or effects contradict that assignment.
Definition 6 (Snapshot).We write |X|to denote the car-
dinality of the set X. For states xand x0, let agree(x, x0)
denote |D(x)∩ D(x0)|=|xx0|, i.e. a variable that is in
the domains of both xand x0has the same assignment in x
and x0. For δand a state x, the snapshot of δat xis
x≡ {(p, e)|(p, e)δagree(p, x)agree(e, x)}D(δ)\D(x)
Example 2. δROOM 1|
CK1,2is shown in Figure 1d.
Acylicity in variable dependency has been exploited in
previous research by reasoning about dependency (also
called causal) graph from (Williams and Nayak 1997;
Knoblock 1994). We formally describe that graph, review-
ing precisely what is meant by dependency in this setting.
Definition 7 (Dependency).A variable v2is dependent on
v1in δ(written v1v2) iff one of the following statements
holds:1(i) v1is the same as v2, (ii) there is (p, e)δsuch
that v1∈ D(p)and v2∈ D(e), or (iii) there is a (p, e)δ
such that both v1and v2are in D(e). A set of variables vs2
is dependent on vs1in δ(written vs1vs 2) iff all of the
following statements hold: (i) vs1and vs2are disjoint, and
(ii) There are v1vs1and v2vs 2, where v1v2.
Definition 8 (Dependency Graph).GD(δ)is a dependency
graph of δ, if D(δ)are its vertices and {(u, v)|uv
u, v ∈ D(δ)}are its edges. GVS is a lifted dependency graph,
if its vertices are some partition Pof D(δ)and {(vs1,vs 2)|
vs1vs2vs 1,vs 2P}are its edges.
Example 3. Figure 1b shows a dependency graph asso-
ciated with the system from Figure 1a. Let ROOM2
lk2ck2{gk1,5,gk1,6,gk2,5,gk2,6}. Figure 1b depicts
two connected components induced by the sets ROO M1and
ROOM2, respectively. One lifted dependency graph would
have exactly two unconnected vertices, one being a contrac-
tion of the vertices from ROOM1, and the other a contrac-
tion of those from ROOM2. Due to the disconnected struc-
ture of the dependency graph, intuitively the sum of bounds
for δROOM 1and δROOM 2can be used to upper bound the
diameter of the concrete system.
1Our definition is equivalent to those in (Williams and Nayak
1997; Knoblock 1994; Helmert 2006) in the context of AI planning.
; check in to a room (at reception), receiving a new key
; enter a room with new key
Figure 1: (a) shows the actions of a transition system δrep-
resenting the hotel key protocol with 2 rooms, 2 guests and
3 keys per room; room 1 is associated with keys 1–3; room
2 with keys 4–6. (b) is the dependency graph for that sys-
tem. (c) is the projection of the system on an abstraction that
models only the changes related to room 1. (d) is the snap-
shot of δROOM 1on CK1,2, an abstraction that only analyses
the changes related to room 1 when its door recognises key
2 as the current key. (e) and (f) are the dependency graphs of
snapshots that we use for illustrative purposes in the exam-
Exploiting Acyclicity in Dependency
Previous authors exploit acyclicity in the dependency graph,
a structure that is abundant in practice, for compositional
bounding (Baumgartner, Kuehlmann, and Abraham 2002;
Baumgartner and Kuehlmann 2004; Rintanen and Gretton
2013; Abdulaziz, Gretton, and Norrish 2015). We review the
approach from (Abdulaziz, Gretton, and Norrish 2015), that
performs compositional bounding of the sublist diameter.
Definition 9 (Sublist Diameter).Recall that a list ~π0is a
sublist of ~π, written ~π0
·~π, iff all the members of ~π0occur in
the same order in ~π. The sublist diameter, `(δ), is the length
of the longest shortest equivalent sublist to any execution
~π δstarting at any state xU(δ). Formally,
`(δ) = max
·~π |~π0|.
Note, `is an upper bound in the sense d(δ)`(δ).
Compositional techniques compute upper bounds by
composing together bounds for abstract subproblems. To
make these ideas concrete, consider the compositional func-
tion Nsumhbi(δ, GVS ), defined via a recurrence below. The
functional parameter bis used to bound abstract subprob-
lems, GVS is a lifted dependency graph of δused to iden-
tify abstract subproblems, δis the system of interest, and
childrenGVS (vs)≡ {vs2|vs 2∈ GVS vs vs2}.
Definition 10 (Acyclic Dependency Compositional Bound).
Nhbi(vs, δ, GVS) = b(δvs )(1+ X
cchildrenGVS (vs)
Nhbi(c, δ, GVS))
Then, let Nsumhbi(δ, GVS ) = Pvs∈GVS Nhbi(vs , δ, GVS).
Example 4. For GVS from Example 3, we have
Nsumhbi(δ, GVS ) = b(δROOM 1) + b(δROOM 2).
Theorem 1. For an acyclic lifted dependency graph GVS , if
bbounds `, then `(δ)Nsumhbi(δ, GVS ).
The previous theorem suggests appropriate choices of
b. Taking b=`is admissible, while taking bto be the
diameter is problematic, as systems exist where d(δ)>
Nsumhdi(δ, GVS )(see (Abdulaziz, Gretton, and Norrish
2015) for more details). However, in practice one need not
evaluate NP-hard functions, such as `, or the length of the
longest path (a.k.a. recurrence diameter). Instead bcan be
an easier to compute function that is an upper bound on `,
like the state-space cardinality – i.e. we could take b(δ) =
2|D(δ)|, or leverage a more refined cardinality approach as
in Rintanen and Gretton (2013).
Exploiting State-Space Acyclicity
The practical utility of dependency graph based decomposi-
tions (like Nsum) provides a good motivation to pursue other
structures, like state-space acyclicity. In the next example we
show that state-space acyclicity is independent of acyclic-
ity in variable dependency. Thus, methods previously devel-
oped cannot be used to exploit the former in compositional
upper bounding.
Example 5. δck1is acyclic. For example, no state satisfy-
ing CK1,2can be reached from a state satisfying CK1,3. Now
consider δROOM 1from Example 1. The dependency graph of
δROOM1is comprised of one strongly connected component
(SCC). Thus, acyclicity in the assignments of ck1cannot be
exploited in δROOM 1by analysing its dependency graph.
To exploit state-space acyclicity we formalise it as follows.
Definition 11 (Acyclic Transition System).δis acyclic iff
x, x0U(δ).x 6=x0then x6 x0or x06 x.
We now investigate how such acyclicity can be used for
bounding. Let bbe an arbitrary bounding function that sat-
isfies d(δ)b(δ)for any δ. Consider a system δwhere for
some variables vs we have that δvs is acyclic – i.e. the state-
space of δvs forms a directed acyclic graph (DAG). In that
case, we have that d(δ)Smaxhbi(vs , δ), where Smax is a
compositional bounding function defined as follows.
Definition 12 (Acyclic System Compositional Bound).Let-
ting succ(x, δ)≡ {x0| ∃πδ.ex(x, π) = x0},Sis
Shbi(x, vs, δ) = b(δ|
x) + max
x0succ(x,δvs )(Shbi(x0,vs , δ) + 1)
Then, let Smaxhbi(vs , δ) = max
xU(δvs )Shbi(x, vs, δ).
Theorem 2. If δvs is acyclic and bbounds d, then d(δ)
Smaxhbi(vs , δ).
A formal proof is provided in the next section. Sis only
well-defined if δvs is acyclic. We only seek to consider and
interpret Smax in systems δvs where no execution can visit
a state more than once. In that situation Smax calculates the
maximal cost of a traversal through the DAG formed by the
state-space of δvs . Completing that intuition, take the cost
of visiting a state xto be b(δ|
x), and the cost of traversing an
edge between states to be 1. These ideas are made concrete
below, in Example 6. Also, since Smax follows the scheme
of an algorithm that finds the length of the longest path in a
DAG, the runtime of a straightforward implementation of it
is linear in the size of the state-space of δvs and the com-
plexity of computing b.
Example 6. Since δck1is acyclic, and CK1,i U(δck1),
then Shdi(CK1,i,ck1, δ)is well-defined, for i∈ {1,2,3}.
Denoting d(δ|
CK1,i )with d1,i and Shdi(CK1,i,ck1, δ)with
S1,i, we have S1,3=d1,3because succ(CK1,3, δck1) = .
We also have S1,2=d1,2+1+S1,3=d1,2+1+d1,3and
d1,1+d1,2+d1,3+ 2.
In closing, it is worth noting that for the above example,
the dependency graph of δROOM1is comprised of one SCC.
Therefore there is no lifted dependency graph providing fur-
ther decomposition. Indeed, exploiting acyclicity in depen-
dency between variables alone, one cannot further decom-
pose the subproblem δROOM 1. We were able to achieve a
more fine grained decomposition of that component above,
by exploiting state-space acyclicity.
Proof of Theorem 2
A concise statement of our proof requires additional nota-
tions. We use the arrow superscript, ~
l, to indicate that the
variable lis a seuquence. We write [] for the empty sequence,
and h:: ~
lto indicate a sequence with head element hand tail
l. Given two sequences, ~
l1and ~
l2denotes their con-
Proposition 1. If δvs is acyclic and xU(δvs ), if
x0succ(x, δvs ), then b(δ|
x) + 1 + Shbi(x0,vs, δ)
Shbi(x, vs, δ), for a base case function b.
Definition 13 (Subsystem Trace).For a state x, action se-
quence ~π, and set of variables vs , let (x, ~π , vs)be:
(x, [],vs) = []
(x, π :: ~π, vs ) = x0:: (x0, ~π , vs) if xvs 6=x0vs
(x0, ~π, vs) otherwise
where x0=ex(x, π).
Proposition 2. For any x,~π, and vs , if (x, ~π, vs ) = []
then: (i) xvs =ex(x, ~π)vs and (ii) there is ~π0where
ex(x, ~π) = ex(x, ~π0)and |~π0| ≤ d(δ|
xvs ).
Proposition 3. For two states xand x0, a sequence of
states ~x, a set of variables vs , and an action sequence ~π,
if (x, ~π, vs) = x0:: ~x, then there are ~π1,πand ~π2
such that (i) ~π =~π1:: ~π2, (ii) (x, ~π1,vs ) = [],
(iii) ex(ex(x, ~π1), π) = x0, and (iv) ex(x0, ~π2) = ex(x, ~π).
Proposition 4. For any x,~π1,~π2, and vs , we have that
(x, ~π1_~π2,vs ) = (x, ~π1,vs )_∂(ex(x, ~π1), ~π2,vs ).
Lemma 1. For any δand vs where δvs is acyclic, x
U(δ), and ~π δ, there is ~π0such that ex(x, ~π ) = ex(x, ~π0)
and |~π0| ≤ Shdi(xvs ,vs , δ).2
Proof. The proof is by induction on (x, ~π). The base case,
(x, ~π) = [], is trivial. In the step case we have that
(x, ~π) = x0:: ~x and the induction hypothesis: for any
xU(δ), and ~πδif (x, ~π) = ~x then there is ~π0
where ex(x, ~π) = ex(x, ~π0)and |~π0| ≤ Shdi(xvs ).
Since (x, ~π) = x0:: ~x, we have ~π1, π and ~π2satisfy-
ing the conclusions of Proposition 3. Based on conclusion
i, ii, and iii of Proposition 3 and Proposition 4 we have
(x0, ~π2) = ~x. Accordingly, letting x, and ~πfrom the in-
ductive hypothesis be x0, and ~π2, respectively, there is ~π0
such that ex(x0, ~π2) = ex(x, ~π 0
2)and |~π0
2| ≤ Shdi(x0vs ).
From conclusion ii of Proposition 3 and conclusion ii of
Proposition 2 there is ~π0
1where ex(x, ~π1) = ex(x, ~π 0
1| ≤ d(δ|
xvs ). Letting ~π0~π0
1#π:: ~π0
2, from conclu-
sions iii and iv of Proposition 3 and we have ex(x, ~π) =
ex(x, ~π0)and |~π0| ≤ d(δ|
xvs ) + 1 + Shdi(x0vs ).
Lastly, from conclusion i of Proposition 2 and conclu-
sion ii of Proposition 3 we have xvs =ex(x, ~π1)vs =
ex(x, ~π0
1)vs and accordingly ex(xvs , πvs ) = x0vs . Based
on that we have x0vs succ(xvs, δ vs). Then from
Proposition 1 and we have |~π0| ≤ Shdi(xvs ).
Theorem 2 follows from Lemma 1 and Definitions 4 and 12.
Algorithms for Upper Bounds
Theorem 2 suggests the possibility of compositional upper
bounding of the diameter given the presence of acyclicity in
a transition system’s state-space. We now investigate prac-
tical compositional algorithms based on Theorem 2. One
straightforward algorithm is the algorithm PU R.
Theorem 3. If UPBN D bounds d, then d(δ)PUR(δ)
2In the proof, the parameters vs and δ, which are common to
every occurrence of functions and S, are omitted, – e.g. we use
the shorthand Shdi(xvs )for Shdi(xvs ,vs, δ ).
Algorithm 1: PUR (δ)
S=min({SmaxhPU Ri(vs , δ)|vs Ω(δ)}∪∞)
if S=return UPBND(δ)else return S
In PU R,is an oracle that returns a set of strict subsets of
D(δ), where vs Ω(δ)vs is acyclic. Since returns
strict subsets, the snapshot has fewer variables than the con-
crete system and accordingly PU R terminates. In PUR the
function UPBN D provides upper bounds for the diameters
of “base-case” problems – i.e. problems that are not further
decomposed. Given this assumption and Theorem 2, PUR
itself computes valid upper bounds for the diameter of the
whole problem.
A main question for a practical implementation of PUR
is the choice of . The trivial choice of all strict subsets of
D(δ)is impractical. A pragmatic solution which we have
adopted, is to take the situation that elements in D(δ)model
individual assignments in the SAS+ model generated using
Fast-Downward’s preprocessing step (Helmert 2006). Each
element in Ω(δ)then corresponds to a set of elements from
D(δ)that model one multi-valued state variable whose do-
main transition graph is acyclic.
A source of intractability in PUR comes from the min op-
erator. For a full evaluation, Smax is recursively called as
many as |Ω(δ)|!times. In practice we only evaluate Smax on
one arbitrarily chosen element from Ω(δ). Our experimen-
tation never uncovered a problem where a full evaluation of
the min, where computationally feasible, produced a better
bound. A second source of computational expense comes
from the definition of Smax: PUR can be recursively called a
number of times that is linear in the size of the state-space
of δ. This happens if Ω(δ)is a partition of D(δ). Although
this worst case scenario is contrived, in practice Ω(δ)can
cover sufficient elements from D(δ)to render PUR imprac-
tical. This is demonstrated in the following example.
Example 7. For D(δ), Fast-Downward identifies partition
{gk2,2},{gk2,3},{gk2,5}{gk2,6},{s1},{s2}} as SAS+
variable assignments. Let Ω(δ)denote that set, excluding
{s1}and {s2}. Note, vs Ω(δ)we have that δvs is
acyclic. Consequently, we have that PUR(δ)evaluates after
ΠvsΩ(δ)|vs |calls to Smax .
Hybrid Algorithm
We have just observed a situation where PUR can exhibit
a runtime that is linear in the size of the state-space. That
is favourable compared to exact calculations of diameter,
which in our opening remarks we noted to have worse-than-
quadratic runtime. Nevertheless this is unacceptable in our
factored setting, and we now seek to alleviate this computa-
tional burden by applying Smax to abstract sub-systems ob-
tained using projections that motivated Definition 10. Such
abstractions can be significantly smaller than the concrete
systems, thus motivating a hybrid approach that can expo-
nentially reduce bound computation times.
Example 8. Consider applying the approach outlined
in Example 3 to compute PUR only on the abstrac-
tions δROOM 1and δROOM2.PUR(δRO OM1)can be
evaluated in ΠvsΩ(δROOM1)|vs |calls to Smax, where
Ω(δROOM 1)={ck1,lk1,{gk1,2},{gk1,3},{gk2,2},
{gk2,3}}. The same observation can be made for the evalu-
ation time of PUR (δROOM 2). Thus the product expression in
Example 7 is split into a sum if PUR is called on projections.
We now give an upper bounding algorithm, HYB, that
combines exploitation of acyclic variable dependency with
exploitation of acyclicity in state-spaces.
Algorithm 2: HYB (δ)
Compute the dependency graph GD(δ)of δand its SCCs
Compute the lifted dependency graph GVS
if 2≤ |GVS.V |return NsumhHY Bi(δ, GVS)
else if Ω(δ)6=return SmaxhHYB i(ch(Ω(δ)), δ )
else return UPBND(δ)
In HY B,ch is an arbitrary choice function. The termination
of HY B follows from two facts. Firstly, Nsum is only called
if the lifted dependency graph is not trivial, i.e. 2≤ |GVS.V |.
Accordingly Nsum will call HY B on projections with strictly
smaller domains than the concrete system. Secondly, since
returns strict subsets of D(δ),Smax only calls HYB on snap-
shots with strictly smaller domains than the concrete system.
Note that in HY B,Smax is only applied to the given transi-
tion system δif there is no non-trivial projection (i.e.if GD(δ)
has one SCC), and UPBN D is applied only to base-cases.
Also note that GD(δ)is constructed and analysed with every
recursive call to HYB, as snapshotting in earlier calls can re-
move variable dependencies as a result of removing actions,
leading to the breaking of the SCCs in GD(δ), as shown in
Example 9.
Example 9. As shown in Figure 1b, the dependency graph
of δROOM1has a single SCC, and thus not susceptible to
dependency analysis. Taking a snapshot of δROOM 1at the
assignment CK1,2yields a system with one SCC in its de-
pendency graph as well, as shown in Figure 1e. How-
ever, taking the snapshot of δRO OM1|
CK1,2at the assignment
{lk1,1,lk1,2,lk1,3}, denoted by LK1,2, yields a system
with an acyclic dependency graph as shown in Figure 1f.
We prove HY B is sound by proving it is sound for as
tight a base function as possible. Then soundness for using
UPBND as a base function follows. As discussed above, d
cannot be used, because Nsumhdiis not a valid upper bound
on d. However, using the sublist diameter `as a base-case
function is sound. To prove that, we derive the following.
Theorem 4. If δvs is acyclic and bbounds `, then `(δ)
Smaxhbi(vs , δ).
This theorem follows from an argument analogous to that
provided for Theorem 2, taking `to be d. Using this the-
orem, and Theorem 1 in (Abdulaziz, Gretton, and Norrish
2015) the validity of HY B as an upper bound on `(and ac-
cordingly, the diameter) follows.
Proposition 5. If UPBN D bounds `, then `(δ)HYB(δ).
Figure 2: Scatter plot of the bound (horizontal axis) com-
puted by HY B, and the size (i.e. |D(δ)|) of the concrete prob-
lem (vertical).
Figure 3: Scatter plot of the size of the largest base-case (hor-
izontal), and the size of the concrete problem (vertical). Leg-
end is provided in Figure 2.
Empirical Evaluations
We first discuss the practicalities of implementing HYB. Fol-
lowing (Rintanen and Gretton 2013), we take a base-case
Figure 4: Scatter plot of the bounds computed by HYB
(horizontal axis) and the state-of-the-art bounding algorithm
Nsum (vertical). Legend is provided in Figure 2.
Figure 5: Scatter plot of the size (i.e. |D(δ)|) of the largest
base-case using HY B (horizontal axis) and Nsum (vertical).
Legend is provided in Figure 2.
function, UPBN D, which gives the cardinality of the state-
space. This choice is pragmatic, taken in light of the fact
that computation of alternatives, such as recurrence and sub-
list diameters, is NP-hard. To optimise computing Nsum and
Smax, we use memoisation, where we compute Nor Sonce
for every projection or snapshot, respectively, and store it in
Figure 6: Scatter plot of computation time (in seconds) of
HYB (horizontal axis) and Nsum (vertical) for benchmarks.
Legend is provided in Figure 2.
a look-up table. This reduced the bound computation time
by 70% on average. Our evaluation considers problems from
previous International Planning Competitions (IPC), and the
unsolvablity IPC, and open Qualitative Preference Rovers
benchmarks from IPC2006. Below, the latter are referred to
Quality of HYB Bounds
Two measurements related to a compositional upper bound-
ing algorithm are indicative of its quality. First, we seek an
indication of the degree of decompositionality provided by
the algorithm. An indication is provided by comparing the
size of the domain of the concrete problem—i.e. |D(δ)|
with that of the largest base-case. A strong decomposition is
indicated when the domain of the base-case is small relative
to the concrete problem. Second, we seek an approach that
is able to produce bounds that grow sub-exponentiallly with
the size of the problem, when they exist. Thus, we measure
how the upper bounds scale in domains as the size of the
problem instances grow. If the bounds scale gracefully, this
indicates an effective compositional approach.
We report our measurements of the performance of HYB
in these terms. Our experiments were conducted on a uni-
form cluster with time and memory limits of 30minutes
and 4GB, respectively. Figure 3 shows the domain size of
the largest base-case compared to the size of the concrete
problem. IPC domains with instances remarkably suscepti-
ble to decomposition by HYB are: ROV ERS (both solvable
and unsolvable), STORA GE,T PP (both solvable and unsolv-
able), LOGISTICS,NEW OP EN,N OM YS TE RY (both solvable
and over-subscribed), UNS OLVABL E MY ST ERY,V IS ITALL,
problems, the size of the largest base-case is significantly
smaller than the size of the concrete problem, as shown in
Figure 3. One IPC domain that is particularly amenable to
decomposition is the ROV ER S domain, where many of its
instances are decomposed to have largest base-cases mod-
elling a single Boolean state-variable. Also, for domains sus-
ceptible to decomposition, the bounds computed by HY B
grow sub-exponentially with the number of state variables,
as shown in Figure 2. We also note that out of those domains,
EL EVATORS, have linear (or almost linear) growth of the
bounds with the size of the problem.
We also ran HYB on a PDDL (Mcdermott et al. 1998) en-
coding of the hotel key protocol, with the parameters G, k,
and Rranging between 1 and 10 (i.e. 1000 instances of the
protocol). As shown in Figure 3 (and in the examples ear-
lier), this protocol is particularly amenable to decomposition
by HY B. All instances had a largest base-case modelling a
single Boolean state-variable. Additionally, the bounds com-
puted by HY B for this set of benchmarks are constant in the
number of guests G, grow linearly in the number of rooms
R, and quadratically in the number of keys per room K.
Comparison of HYB and Nsum
We compared the performance of the hybrid compositional
bounding algorithm HYB with the state-of-the-art algorithm
we refer to as Nsum. The latter was shown in (Abdulaziz,
Gretton, and Norrish 2015) to dominate other compositional
bounding algorithms. Our experimental cluster and settings
are as above. Our analysis and experimentation shows that
HYB significantly outperforms Nsum , both in terms of de-
composition quality and the tightness of computed bounds.
This is particularly the case for the domains: NE WO PE N,
NE CK. The success of HYB in our experimentation reveals
something of an abundance of problems with acyclicity in
their state-space. Figure 5 indicates that HY B is more suc-
cessful in decomposing problems compared to Nsum, where
the largest base-cases for HY B are smaller than those for
Nsum in 71% of the IPC problems. This observation is rein-
forced, considering that the 1000th largest bound computed
by HY B is 50,534, while the 1000th largest bound computed
by Nsum is more than 106. In the HO TELKE Y domain, the
difference is even more pronounced. The bound computed
by HY B is at most 990 for all the 1000 instances, while for
Nsum only 285 instances have bounds less than 106.
Figure 4 shows the computational cost of this improved
bounding performance. HYB typically required more com-
putation time than Nsum. However, HYB terminated in 60
seconds, or less, for 93% of the benchmarks. Thus, we have
not observed a significant time penalty. We note that the im-
proved decompositionality over Nsum exhibited here has fur-
ther application yet to be explored. Should we take UPBN D
to be a more expensive operator, such as the NP-hard re-
currence or sublist diameters, the stronger decomposition
indicates that UPBN D is invoked for relatively small in-
stances when using HY B compared to Nsum. Thus, comput-
ing UPBN D can be exponentially easier for decompositions
computed by HY B compared to decompositions from Nsum.
Planning with HYB
To evaluate the practical utility of the bounds calculated us-
ing HY B, we take them as the queried horizon using the
MPversion of the SAT-based planner Madagascar (Rinta-
nen 2012). In our experiments we limited the time and mem-
ory for planners to 1 hour (inclusive of bound computation)
and 4GB. The resulting planner proves the safety of 635 in-
stances of the hotel key protocol, where the instance with 9
rooms, 7guests, and 45 keys, takes the longest to prove safe
– it took just under 30 minutes. This is a substantial improve-
ment over the size of instances automatically proven safe in
earlier work. We also ran AI DO S 1 (Seipp et al. ) (unsolvabil-
ity IPC winner) on the hotel key instances and it proved the
safety of only 285 of them, where the instance with 2rooms,
5guests, and 10 keys, took the longest to prove safe – in 17
minutes. For the IPC benchmarks, our planner proved that
53 instances are unsolvable, 27 of which could not be proven
unsolvable by AIDOS 1. The 27 instances are from B OTT LE -
NE CK (7 problems), 3 UN SAT (4 problems), ELEVATOR S (5
problems), and NEWO PE N (11 problems). We also note that
compared to the system from (Rintanen and Gretton 2013),
we are additionally able to close the heretofore open 7th and
8th Qualitative Preference problem from IPC2006. We also
found our bounds useful in solving satisfiable benchmarks.
It allowed MPto solve 162 instances that it could not with
its default query strategy. Those instances are from EL EVA-
TORS (150 problems), DIAGNOSIS (8 problems), ROV ER S (1
problem) and SLIDING-TI LE S (3 problems).
Conclusions and Future Work
The practical incompleteness of SAT based planning and
model-checking algorithms—due to the absence of upper
bounding methods—has for some years been noted as a
significant problem (Clarke et al. 2004). It is perceived as
a deficiency of SAT methods in making comparisons with
state based methods. We have addressed that deficiency by
advancing the compositional approach to computing upper
bounds. Our advance is to exploit state-space acyclicity, giv-
ing significantly finer grained decompositions compared to
previous works. The resulting algorithm is able to achieve
exponentially tighter bounds relative to comparable recent
studies. That benefit comes with the risk of an exponential
explosion in the number of subproblems considered by the
algorithm. The runtime measurements we made experimen-
tally suggest that this theoretical risk is not realised in prac-
tice. Bounds computed using our approach enabled a SAT
based planning system to prove the unsatisfiability of plan-
ning benchmarks (most notably the hotel key protocol) that
severely challenge state-of-the-art state-search based tools.
Future research should investigate bounding using func-
tions that are tighter than the diameter. One such bound is
the radius, which is the longest shortest path from the ini-
tial state to any other state. We conjecture that our analy-
sis shall carry over to that setting. Further study should also
develop compositional bounds using a more sophisticated
base-case function. Base-case functions, such as recurrence
and sublist diameters could yield superior bounds compared
to those we report, however are NP-hard to evaluate. Be-
cause the size of abstractions evaluated in the base-case us-
ing our method are relatively small compared to other com-
positional approaches, one can expect exponentially faster
bounding using such sophisticated base-case functions.
Acknowledgements We would like to thank Dr. Patrik
Haslum and Dr. Alban Grastien for the very useful discus-
sions, suggestions and feedback they gave us, which helped
us produce this work.
Abboud, A.; Williams, V. V.; and Wang, J. 2016. Approx-
imation and fixed parameter subquadratic algorithms for ra-
dius and diameter in sparse graphs. In Proceedings of the
twenty-seventh annual ACM-SIAM symposium on Discrete
Algorithms, 377–391. SIAM.
Abdulaziz, M.; Gretton, C.; and Norrish, M. 2015. Veri-
fied Over-Approximation of the Diameter of Propositionally
Factored Transition Systems. In Interactive Theorem Prov-
ing. Springer. 1–16.
Aingworth, D.; Chekuri, C.; Indyk, P.; and Motwani, R.
1999. Fast estimation of diameter and shortest paths (with-
out matrix multiplication). SIAM Journal on Computing
Alon, N.; Galil, Z.; and Margalit, O. 1997. On the exponent
of the all pairs shortest path problem. Journal of Computer
and System Sciences 54(2):255–262.
Baumgartner, J., and Kuehlmann, A. 2004. Enhanced diam-
eter bounding via structural analysis. In DATE 2004, 16-20
February 2004, Paris, France, 36–41.
Baumgartner, J.; Kuehlmann, A.; and Abraham, J. 2002.
Property checking via structural analysis. In Computer
Aided Verification, 151–165. Springer.
Biere, A.; Cimatti, A.; Clarke, E. M.; and Zhu, Y. 1999.
Symbolic model checking without BDDs. In TACAS, 193–
Blanchette, J. C., and Nipkow, T. 2010. Nitpick: A coun-
terexample generator for higher-order logic based on a rela-
tional model finder. In Interactive Theorem Proving, First
International Conference, ITP 2010, 131–146.
Chan, T. M. 2010. More algorithms for all-pairs short-
est paths in weighted graphs. SIAM Journal on Computing
Chechik, S.; Larkin, D. H.; Roditty, L.; Schoenebeck, G.;
Tarjan, R. E.; and Williams, V. V. 2014. Better approxi-
mation algorithms for the graph diameter. In Proceedings of
the Twenty-Fifth Annual ACM-SIAM Symposium on Discrete
Algorithms, 1041–1052. Society for Industrial and Applied
Clarke, E.; Kroening, D.; Ouaknine, J.; and Strichman, O.
2004. Completeness and complexity of bounded model
checking. In International Workshop on Verification, Model
Checking, and Abstract Interpretation, 85–96. Springer.
Fredman, M. L. 1976. New bounds on the complexity of
the shortest path problem. SIAM Journal on Computing
Helmert, M. 2006. The Fast Downward planning system.
Journal of Artificial Intelligence Research 26:191–246.
Jackson, D. 2006. Software Abstractions: Logic, Language,
and Analysis. MIT Press.
Knoblock, C. A. 1994. Automatically generating abstrac-
tions for planning. Artificial Intelligence 68(2):243–302.
Mcdermott, D.; Ghallab, M.; Howe, A.; Knoblock, C.; Ram,
A.; Veloso, M.; Weld, D.; and Wilkins, D. 1998. PDDL:
The Planning Domain Definition Language. Technical re-
port, CVC TR-98-003/DCS TR-1165, Yale Center for Com-
putational Vision and Control.
Nipkow, T. 2006. Verifying a hotel key card system. In
Barkaoui, K.; Cavalcanti, A.; and Cerone, A., eds., Theoret-
ical Aspects of Computing (ICTAC 2006), volume 4281 of
Lecture Notes in Computer Science. Springer. Invited paper.
Rintanen, J., and Gretton, C. O. 2013. Computing upper
bounds on lengths of transition sequences. In International
Joint Conference on Artificial Intelligence.
Rintanen, J. 2012. Planning as satisfiability: Heuristics. Ar-
tificial Intelligence 193:45–86.
Roditty, L., and Vassilevska Williams, V. 2013. Fast ap-
proximation algorithms for the diameter and radius of sparse
graphs. In Proceedings of the forty-fifth annual ACM sym-
posium on Theory of computing, 515–524. ACM.
Seipp, J.; Pommerening, F.; Sievers, S.; Wehrle, M.;
Fawcett, C.; and Alkhazraji, Y. Fast Downward Aidos.
Slind, K., and Norrish, M. 2008. A brief overview of HOL4.
In Theorem Proving in Higher Order Logics, volume 5170
of LNCS, 28–32. Springer.
Williams, B. C., and Nayak, P. P. 1997. A reactive planner
for a model-based executive. In International Joint Confer-
ence on Artificial Intelligence, 1178–1185. Morgan Kauf-
mann Publishers.
Yuster, R. 2010. Computing the diameter polynomially
faster than APSP. arXiv preprint arXiv:1011.6181.
... Nonetheless, there are structures whose presence in the transition system make it possible to compositionally upper-bound the diameter. We consider compositional algorithms that exploit acyclicity in "state-variable dependencies" [3], and acyclicity in the state space [4]. We find such structures to be abundant in AI planning and verification benchmarks. ...
... Our proofs of the validity of these algorithms are done using the interactive theorem prover HOL4. This work is the first publication of the details of the proof mechanisation work associated with our previous conference papers [3,4]. ...
... We introduced the two other algorithms in [4]. The second compositional algorithm exploits acyclicity in the state space. ...
Full-text available
A completeness threshold is required to guarantee the completeness of planning as satisfiability, and bounded model checking of safety properties. We investigate completeness thresholds related to the diameter of the underlying transition system. A valid threshold, the diameter is the maximum element in the set of lengths of all shortest paths between pairs of states. The diameter is not calculated exactly in our setting, where the transition system is succinctly described using a (propositionally) factored representation. Rather, an upper bound on the diameter is calculated compositionally, by bounding the diameters of small abstract subsystems, and then composing those. We describe our formal verification in HOL4 of compositional algorithms for computing a relatively tight upper bound on the system diameter. Existing compositional algorithms are characterised in terms of the problem structures they exploit, including acyclicity in state-variable dependencies, and acyclicity in the state space. Such algorithms are further distinguished by: (1) whether the bound calculated for abstractions is the diameter, sublist diameter or recurrence diameter, and (2) the “direction” of traversal of the compositional structure, either top-down or bottom-up. As a supplement, we publish our library—now over 14k lines—of HOL4 proof scripts about transition systems. That shall be of use to future related mechanisation efforts, and is carefully designed for compatibility with hybrid systems.
... Nonetheless, there are structures whose presence in the transition system make it possible to compositionally upper-bound the diameter. We consider compositional algorithms that exploit acyclicity in "state-variable dependencies" [3], and acyclic-ity in the state space [4]. We find such structures to be abundant in AI planning and verification benchmarks. ...
... Our proofs of the validity of these algorithms are done using the interactive theorem prover HOL4. This work is the first publication of the details of the proof mechanisation work associated with our previous conference papers, [3] and [4]. ...
... We introduced the two other algorithms in [4]. The second compositional algo- rithm exploits acyclicity in the state space. ...
A completeness threshold is required to guarantee the completeness of planning as satisfiability, and bounded model checking of safety properties. We investigate completeness thresholds related to the diameter of the underlying transition system. A valid threshold, the diameter is the maximum element in the set of lengths of all shortest paths between pairs of states. The diameter is not calculated exactly in our setting, where the transition system is succinctly described using a (proposition-ally) factored representation. Rather, an upper bound on the diameter is calculated compositionally, by bounding the diameters of small abstract subsystems, and then composing those. We describe our formal verification in HOL4 of compositional algorithms for computing a relatively tight upper bound on the system diameter. Existing compo-sitional algorithms are characterised in terms of the problem structures they exploit, including acyclicity in state-variable dependencies, and acyclicity in the state space. Such algorithms are further distinguished by: (i) whether the bound calculated for abstractions is the diameter, sublist diameter or recurrence diameter, and (ii) the "direction" of traversal of the compositional structure, either top-down or bottom-up. As a supplement, we publish our library-now over 14k lines-of HOL4 proof scripts about transition systems. That shall be of use to future related mechanisation efforts, and is carefully designed for compatibility with hybrid systems.
... The initial plans are computed by the planner Fast Downward (Helmert 2006) with the FF heuristic (Hoffmann and Nebel 2001). To compute completeness threshold when there are action with 0-cost, instead of computing the sublist diameter, we use upper bounds computed using previously published methods (Abdulaziz, Gretton, and Norrish 2017;Abdulaziz 2019;Abdulaziz and Berger 2021). The initial plan computation, completeness threshold computation, and the execution of Algorithm 1 are given 1800s timeout and 4GB memory limit. ...
We investigate upper bounds on the length of cost optimal plans that are valid for problems with 0-cost actions. We employ these upper bounds as horizons for a SAT-based encoding of planning with costs. Given an initial upper bound on the cost of the optimal plan, we experimentally show that this SAT-based approach is able to compute plans with better costs, and in many cases it can match the optimal cost. Also, in multiple instances, the approach is successful in proving that a certain cost is the optimal plan cost.
... heuristics Sievers, Wehrle, and Helmert 2014), pattern databases (Culberson and Schaeffer 1996;Edelkamp 2001), SAT-based planning (Rintanen, Heljanko, and Niemelä 2006), or computing upper bounds on plan lengths (Abdulaziz, Gretton, and Norrish 2017). ...
In this paper, we focus on the inference of mutex groups in the lifted (PDDL) representation. We formalize the inference and prove that the most commonly used translator from the Fast Downward (FD) planning system infers a certain subclass of mutex groups, called fact-alternating mutex groups (fam-groups). Based on that, we show that the previously proposed fam-groups-based pruning techniques for the STRIPS representation can be utilized during the grounding process with lifted fam-groups, i.e., before the full STRIPS representation is known. Furthermore, we propose an improved inference algorithm for lifted fam-groups that produces a richer set of fam-groups than the FD translator and we demonstrate a positive impact on the number of pruned operators and overall coverage.
... Baumgartner, Kuehlmann, and Abraham (2002) and Rintanen and Gretton (2013) followed this projection-based approach to develop procedures to compositionally bound the diameter. This was later improved by Abdulaziz, Gretton, and Norrish (2015) and Abdulaziz, Gretton, and Norrish (2017) (we refer to those two papers as AGN1 and AGN2 hereafter). ...
Full-text available
We consider the problem of compositionally computing upper bounds on lengths of plans. Following existing work, our approach is based on a decomposition of state-variable dependency graphs (a.k.a. causal graphs). Tight bounds have been demonstrated previously for problems where key dependencies flow in a single direction—i.e. manipulating variable v1 can disturb the ability to manipulate v2 and not vice versa. We develop a more general bounding approach which allows us to compute useful bounds where dependency flows in both directions. Our approach is practically most useful when combined with earlier approaches, where the computed bounds are substantially improved in a relatively broad variety of problems. When combined with an existing planning procedure, the improved bounds yield coverage improvements for both solvable and unsolvable planning problems.
... A more comprehensive approach to unsolvable planning would be to implement a planner whose soundness and completeness is formally verified. This could be done by verifying SAT encodings for planning problems like Rintanen's [4] and upper bounds on plan lengths like the ones by Abdulaziz et al. [32], [33]. This could then be combined with a verified SAT solver [28] or an existing verified SAT certificate checker [29]. ...
Full-text available
We present an executable formally verified SAT encoding of classical AI planning. We use the theorem prover Isabelle/HOL to perform the verification. We experimentally test the verified encoding and show that it can be used for reasonably sized standard planning benchmarks. We also use it as a reference to test a state-of-the-art SAT-based planner, showing that it sometimes falsely claims that problems have no solutions of certain lengths.
Conference Paper
Full-text available
To guarantee the completeness of bounded model checking (BMC) we require a completeness threshold. The diameter of the Kripke model of the transition system is a valid completeness threshold for BMC of safety properties. The recurrence diameter gives us an upper bound on the diameter for use in practice. Transition systems are usually described using (propositionally) fac-tored representations. Bounds for such lifted representations are calculated in a compositional way, by first identifying and bounding atomic subsystems, and then composing those results according to subsystem dependencies to arrive at a bound for the concrete system. Compositional approaches are invalid when using the diameter to bound atomic subsystems, and valid when using the recurrence diameter. We provide a novel overapproximation of the diameter, called the sub-list diameter, that is tighter than the recurrence diameter. We prove that composi-tional approaches are valid using it to bound atomic subsystems. Those proofs are mechanised in HOL4. We also describe a novel verified compositional bounding technique which provides tighter overall bounds compared to existing bottom-up approaches.
Conference Paper
Full-text available
Nitpick is a counterexample generator for Isabelle/HOL that builds on Kodkod, a SAT-based first-order relational model finder. Nitpick supports unbounded quantification, (co)inductive predicates and datatypes, and (co)recursive functions. Fundamentally a finite model finder, it approximates infinite types by finite subsets. As case studies, we consider a security type system and a hotel key card system. Our experimental results on Isabelle theories and the TPTP library indicate that Nitpick generates more counterexamples than other model finders for higher-order logic, without restrictions on the form of the formulas to falsify.
The diameter is a fundamental graph parameter and its computation is necessary in many applications. The fastest known way to compute the diameter exactly is to solve the All-Pairs Shortest Paths (APSP) problem. In the absence of fast algorithms, attempts were made to seek fast algorithms that approximate the diameter. In a seminal result Aingworth, Chekuri, Indyk and Motwani [SODA'96 and SICOMP'99] designed an algorithm that computes in Õ (n2 + m√n) time an estimate D̃ for the diameter D in directed graphs with nonnega- Tive edge weights, such that [2/3 · D]-(M - I) ≤ D̃ ≤ D, where M is the maximum edge weight in the graph. In recent work, Roditty and Vassilevska W. [STOC 13] gave a Las Vegas algorithm that has the same approximation guarantee but improves the (expected) runtime to Õ (m√;n). Roditty and Vassilevska W. also showed that unless the Strong Exponential Time Hypothesis fails, no O(n2-ε) time algorithm for sparse unweighted undirected graphs can achieve an approximation ratio better than 3/2. Thus their algorithm is essentially tight for sparse unweighted graphs. For weighted graphs however, the approximation guarantee can be meaningless, as M can be arbitrarily large. In this paper we exhibit two algorithms that achieve a genuine 3/2-approximation for the diameter, one running in Õ (m3/2)time, and one running in Õ (mn 2/3 ) time. Furthermore, our algorithms are deterministic, and thus we present the first deterministic (2 - ε)-approximation algorithm for the diameter that takes subquadratic time in sparse graphs. In addition, we address the question of obtaining an additive c-approximation for the diameter, i.e. an estimate D̃ such that D - c ≤ D̃ ≤ D̃. An extremely simple Õ (mn1-ε) time algorithm achieves an additive n ε- Approximation; no better results are known. We show that for any ε > 0, getting an additive nε-approximation algorithm for the diameter running in O (n2-δ) time for any δ > 2ε would falsify the Strong Exponential Time Hypothesis. Thus the simple algorithm is probably essentially tight for sparse graphs, and moreover, obtaining a subquadratic time additive c-approximation for any constant c is unlikely. Finally, we consider the problem of computing the eccentricities of all vertices in an undirected graph, i.e. the largest distance from each vertex. Roditty and Vassilevska W. [STOC 13] show that in Õ(m√n) time, one can compute for each v ∈ V in an undirected graph, an estimate e (v) for the eccentricity ε (v) such that max {R, 2/3 · ε (v)} ≤ e (v) ≤ min {D, 3/2 · ε (v)} where R = minvε (v) is the radius of the graph. Here we improve the approximation guarantee by showing that a variant of the same algorithm can achieve estimates ε' (v) with 3/5 · ε (v) ≤ ε' (v) ≤ ε(v). Copyright
Conference Paper
The diameter and the radius of a graph are fundamental topological parameters that have many important practical applications in real world networks. The fastest combinatorial algorithm for both parameters works by solving the all-pairs shortest paths problem (APSP) and has a running time of ~O(mn) in m-edge, n-node graphs. In a seminal paper, Aingworth, Chekuri, Indyk and Motwani [SODA'96 and SICOMP'99] presented an algorithm that computes in ~O(m√ n + n²) time an estimate D for the diameter D, such that ⌊ 2/3 D ⌋ ≤ ^D ≤ D. Their paper spawned a long line of research on approximate APSP. For the specific problem of diameter approximation, however, no improvement has been achieved in over 15 years. Our paper presents the first improvement over the diameter approximation algorithm of Aingworth et. al, producing an algorithm with the same estimate but with an expected running time of ~O(m√ n). We thus show that for all sparse enough graphs, the diameter can be 3/2-approximated in o(n²) time. Our algorithm is obtained using a surprisingly simple method of neighborhood depth estimation that is strong enough to also approximate, in the same running time, the radius and more generally, all of the eccentricities, i.e. for every node the distance to its furthest node. We also provide strong evidence that our diameter approximation result may be hard to improve. We show that if for some constant ε>0 there is an O(m2-ε) time (3/2-ε)-approximation algorithm for the diameter of undirected unweighted graphs, then there is an O*( (2-δ)ⁿ) time algorithm for CNF-SAT on n variables for constant δ>0, and the strong exponential time hypothesis of [Impagliazzo, Paturi, Zane JCSS'01] is false. Motivated by this negative result, we give several improved diameter approximation algorithms for special cases. We show for instance that for unweighted graphs of constant diameter D not divisible by 3, there is an O(m2-ε) time algorithm that gives a (3/2-ε) approximation for constant ε>0. This is interesting since the diameter approximation problem is hardest to solve for small D.
Reduction to SAT is a very successful approach to solving hard combinatorial problems in Artificial Intelligence and computer science in general. Most commonly, problem instances reduced to SAT are solved with a general-purpose SAT solver. Although there is the obvious possibility of improving the SAT solving process with application-specific heuristics, this has rarely been done successfully.In this work we propose a planning-specific variable selection strategy for SAT solving. The strategy is based on generic principles about properties of plans, and its performance with standard planning benchmarks often substantially improves on generic variable selection heuristics, such as VSIDS, and often lifts it to the same level with other search methods such as explicit state-space search with heuristic search algorithms.
This article presents a completely automated approach to generating abstractions for planning. The abstractions are generated using a tractable, domain-independent algorithm whose only input is the definition of a problem to be solved and whose output is an abstraction hierarchy that is tailored to the particular problem. The algorithm generates abstraction hierarchies by dropping literals from the original problem definition. It forms abstractions that satisfy the ordered monotonicity property, which guarantees that the structure of an abstract solution is not changed in the process of refining it. The algorithm for generating abstractions is implemented in a system called ALPINE, which generates abstractions for a hierarchical version of the PRODIGY problem solver. The abstractions generated by ALPINE are tested in multiple domains on large problem sets and are shown to produce shorter solutions with significantly less search than planning without using abstraction.
Conference Paper
This paper describes a structurally-guided framework for the decom- position of a verification task into subtasks, each solved by a specialized algo- rithm for overall efficiency. Our contributions include the following: (1) a struc- tural algorithm for computing a bound of a state-transition diagram's diameter which, for several classes of netlists, is sufficiently smal l to guarantee complete- ness of a bounded property check; (2) a robust backward unfolding technique for structural target enlargement: from the target states, we perform a series of compose-basedpre-image computations, truncating the search if resource limita- tions are exceeded; (3) similar to frontier simplification i n symbolic reachability analysis, we use induction via don't cares for enhancing the presented target en- largement. In many practical cases, the verification proble m can be discharged by the enlargement process; otherwise, it is passed in simplified form to an ar- bitrary subsequent solution approach. The presented techniques are embedded in a flexible verification framework, allowing arbitrary com binations with other techniques. Extensive experimental results demonstrate the effectiveness of the described methods at solving and simplifying practical verification problems.
Conference Paper
Bounded model checking (BMC) has gained widespread industrial use due to its relative scalability. Its exhaustiveness over all valid input vectors allows it to expose arbitrarily complex design flaws. However, BMC is limited to analyzing only a specific time window, hence will only expose those flaws which manifest within that window and thus cannot readily prove correctness. The diameter of a design has thus become an important concept -- a bounded check of depth equal to the diameter constitutes a complete proof. While the diameter of a design may be exponential in the number of its state elements, in practice it often ranges from tens to a few hundred regardless of design size. Therefore, a powerful diameterover-approximation technique may enable automatic proofs that otherwise would be infeasible. Unfortunately, exact diameter calculation requires exponential resources, and over-approximation techniques may yield exponentially loose bounds. In this paper, we provide a general approach for enabling the use of structural transformations, such as redundancy removal, retiming, and target enlargement, to tighten the bounds obtained by arbitrary diameterapproximation techniques. Numerous experiments demonstrate that this approach may significantly increase the set of designs for which practically useful diameter bounds may be obtained.
Conference Paper
A new generation of reactive, model-based executives are emerging that make extensive use of componentbased declarative models to analyze anomalous situations and generate novel sequences for the internal control of complex autonomous systems. Burton, a generative, model-based planner offers a core element that bridges the gap between current and target states within the reactive loop. Burton is a sound, complete, reactive planner that generates a single control action of a valid plan in average case constant time, and compensates for anomalies at every step. Burton will not generate irreversible, potentially damaging sequences, except to effect repairs. We present model compilation, causal analysis, and online policy construction methods that are key to Burton's performance.