Runtian ZhouDavidson College Davidson, NC 28035 dazhou@davidson.eduHaoze WuStanford University Stanford, CA 94305 haozewu@stanford.eduHammurabi MendesDavidson College Davidson, NC 28035 hamendes@davidson.eduJonad PulajDavidson College Davidson, NC 28035 jopulaj@davidson.edu
Abstract
Correctness of results returned from mixed-integer linear programming (MILP) solvers is highly desirable, particularly in the context of applications such as hardware verification, compiler optimization, or machine-assisted theorem proving. To this end, VIPR is the first recently proposed certificate format for answers produced by MILP solvers.We design a schema to encode VIPR’s inference rules as Satisfiability Modulo Theories (SMT) instances and show the equivalence of the certificates’ correctness and the satisfiability of the corresponding SMT instances. In addition, we implement this schema with and without parallelization in a checker for VIPR certificates and test the viability of this approach on benchmark instances found in the literature with the cvc5 solver.
Computational mixed-integer linear programing (MILP) is widely considered a successful blend of algorithmic improvement with advancements in hardware and compilers[1], where current state-of-the-art MILP solvers can solve problems with millions of variables and constraints[2].
Demand for MILP solvers is largely driven by applications in industry, hence the underlying numerical computations typically rely on floating-point arithmetic for efficiency. For most such applications, in order to achieve a high degree of numerical stability, floating point computations are combined with numerical error tolerances. However, MILP solvers are also used in experimental mathematics to find counterexamples[3, 4] or provide numerical evidence[5, 6]. In such theorem proving applications, correctness is tantamount and additional safeguards are needed to counter the use of inexact floating-point arithmetic and/or programming or algorithmic errors. The best known example in this case is the verification in Isabelle/HOL of the infeasibility of thousands of linear programs involved in the proof of Kepler’s conjecture [7].
Another set of tools that have been successfully deployed in automated theorem proving tasks are Boolean Satisfiability (SAT) solvers and Satisfiability Modulo Theories (SMT) solvers[8]. For example, SAT solvers have had success in settling a number of long-standing mathematical problems including the Erdos discrepancy conjecture[9], the Boolean Pythagorean triples conjecture[10], and the determination of the fifth Schur number[11]. On the other hand, SMT solvers are increasingly used as subroutines for proof assistants[12, 13] to automatically resolve proof goals. In those applications, SAT/SMT solvers are often required to produce proofs, which can be independently checked by proof checkers to guarantee the correctness of the solver outputs. One theory particularly relevant to MILP is the theory of Linear Real Arithmetic, for which proof production is supported in state-of-the-art SMT solvers such as Z3, cvc5, and MathSAT5.
Although verification of answers returned by MILP solvers is not as well-established as in analogous solvers in the SAT/SMT community, significant steps forward have been made. VIPR is the first, recently proposed branch-and-cut certificate format for MILP instances, designed with simplicity in mind, which is composed of a list of statements that can be sequentially verified using a limited number of inference rules [14, 15]. This certificate format was used in the proof of special cases of Chvátal’s conjecture [16], and in the proof of the 3-sets conjecture[17]. The VIPR certificate format is currently implemented in the latest versions of exact SCIP[18], together with a checker (written in C++) for the corresponding certificates.
The motivation for this work is leveraging advances in SMT solvers for the verification of certificates for MILP instances, in order to provide a viable alternative to the existing checker.Our key observation is that a VIPR certificate is valid if and only if a corresponding quantifier-free SMT formula is satisfiable. To this end, we design a checker for VIPR certificates by encoding the format’s inference rules as SMT instances. As a by-product of our experimental evaluation, we also implement a straightforward transformation from MILP instances to SMT instances. All associated code with this project is freely available on GitHub 111https://github.com/zhoum929/Satisfiability-modulo-theories-for-verifying-MILP-certificates.
In particular, our main contributions are:
•
We describe the logic of transforming VIPR certificates into SMT instances in SMT2 format[20]. In addition, we describe the logic of transforming MILP instances in MPS format[19] into SMT instances in SMT2 format.
•
We show the equivalence of VIPR certificates and the transformed SMT instances, and evaluate the viability of our certificate checker based on benchmarks instances used in the literature[14].
The rest of this paper is organized as follows. Section II presents the logic of transformation from VIPR certificates to SMT instances. Section III proves the equivalence of VIPR certificates and the transformed SMT instances. Section IV presents an evaluation of our design tested on known benchmarks. Section V concludes the paper, and the Appendix contains more proof details of Section III, and the schema of transforming MILP instances into SMT instances.
II Methodology
In this section, we describe the design of the checker for VIPR certificates. At a high level, a VIPR certificate contains two main parts: a system part that describes the original MILP problem (constraints, variable types, etc.) and an inference part that describes the reasoning of the certificate (assumptions and inferenced constraints). As part of our checker design we declare a fixed variable in SMT2 format for each constant (coefficient) specified in the corresponding VIPR certificate, so that the symbolic computation of the inferenced reasoning can be wholly captured in an SMT solver.
When transforming the system part into an SMT instance, we don’t use assert statements to determine whether each constraint of the original MILP instance holds. Instead we encode each coefficient in a given constraint as a fixed variable. Furthermore when transforming the inference part, we also encode every coefficient in each inferenced constraint. Finally, the reasoning part of each inferenced constraint is transformed into several assert statements which check inequalities between constants.
In short, our transformation ensures that SMT solvers are only burdened with the work involved in the symbolic computation of the reasoning of the certificate. Thus we seek to reduce the computational burden of SMT solvers by mainly checking formulas with fixed variables. 222A relatively expensive operation we encode in our checker is Chvátal-Gomory rounding. Since the SMT2 format doesn’t natively provide a rounding operation, we enforce it by encoding several assert statements.
A standard VIPR certificate file contains sections: VAR, INT, CON, RTP, SOL, OBJ, and DER. Figure 1 provides an overview of the logic of transformation from these sections to SMT statements. The VAR and INT sections are transformed into assert and declare-fun statements specifying types of variables in the original MILP problem. The CON section is transformed into assert and declare-fun statements specifying type, rhs (right hand side value), and coefficients of each constraint in the original MILP problem. The SOL section is transformed into assert and declare-fun statements specifying variable assignment in each solution given by the MILP solver, and assert statements verifying that these variable assignments do satisfy the constraints specified in the CON section. The OBJ section is transformed into assert and declare-fun statements specifying the coefficients of each variable in the objection function. The DER section is transformed into assert and declare-fun statements specifying the type, rhs, and coefficients used in each inferenced (derived) constraint and the reasoning of that constraint. In addition, RTP, SOL, OBJ, and DER sections together contribute to the assert statement specifying the lower and upper bounds of the optimum value of the objective function, when they exist.333For further details on the VIPR format, please refer to[14].
In AppendixV-A, we provide additional details with respect to the transformation of each sections of the VIPR certificate. Furthermore, in AppendixV-C we describe a straightforward transformation from MPS to SMT2 format.
III Validity of VIPR transformation
The design of the derivations in the VIPR certificates, which in turn aim to verify the result returned by a MILP solver, is based on well-understood principles in the MILP domain such as the branch-and-cut method and split cuts[14]. The VIPR certificate format “flattens” the associated branch-and-bound tree explored by MILP solvers and renders it into a series of statements (corresponding to lines) that can be verified sequentially.
We provide the reader with a high level idea of our arguments’ structure. Please see AppendixV-B for a full, general proof and all its corresponding details.
Here we assume that the OBJ section begins with which states that the VIPR certificate is verifying a minimization problem. We also assume that the the RTP section begins with where are real numbers, which states that the VIPR certificate is verifying the upperbound of and the lowerbound of for the objective function.
Definition 1.
The part inside the of a line in the DER section is called the reasoning of that line.
Definition 2.
The constraint presented in a line in the DER section is called valid, if it
1.
is an “assumption” (represented by reasoning of );
2.
or, is not an assumption (represented by reasoning other than ) but is implied by rounding and linear combinations of previous constraints. These previous constraints are called the dependencies of this line.
Definition 3.
The DER section begins with the line
DER
followed by lines of derived constraints. The DER section is called valid, if
1.
Each line of the DER section is valid;
2.
The last constraint in the DER section is derived only from the MILP constraints in the CON section.
3.
The last constraint in the DER section proves is an lower bound of the optimum value.
Lemma 1.
The DER section is valid, if and only if the transcribed SMT formula is satisfiable.
Definition 4.
Each line of the SOL section presents a solution, i.e. assignments of values to variables, to the MILP problem. Such a line is called valid if it satisfies all the constraints of the MILP problem presented in the CON section.
Definition 5.
The SOL section begins with the line
SOL
followed by lines of solutions. The SOL section is called valid, if
1.
Each line of the SOL section is valid;
2.
At least one line of the SOL section provides a solution that proves is an upper bound of the optimum value.
Lemma 2.
The SOL section is valid, if and only if the transcribed SMT formula is satisfiable.
Definition 6.
A VIPR certificate is called valid, if its SOL section and DER section are valid.
Note that by definition of SOL and DER being valid, a VIPR certificate being valid means the lower and upper bound of the optimum value presented in the RTP section is verified.
Theorem 1.
A VIPR certificate is valid, if and only if the transcribed SMT formula is satisfiable.
Theorem1 follows from Lemma2 and Lemma1.
IV Experiments
In this section, we evaluate the proposed proof-checking workflow on MILP benchmarks studied by the authors of VIPR[14].We focus on each of the benchmarks that meets the following criterion: 1) a certificate (of either infeasibility or both lower and upper bounds) is produced; 2) the corresponding MPS (i.e., a standard format for MILP problem) file is publicly available. This amounts to 55 benchmarks in total. Following the strategy in the original paper, we partition the benchmark set into “easy” and “hard”, which contain 46 and 9 instances, respectively.
We compare the following four strategies:
1.
Checking the VIPR certificate with the original proof checker[14];
2.
Checking the VIPR certificate by viprsmtchk, the VIPR checker designed by us that transform lines of a VIPR certificate sequentially and check by SMT solver cvc5[22], without parallelization;
3.
Checking the VIPR proof by viprsmtchk with parallelization;
4.
Checking the VIPR certificate by transforming the whole file into an SMT instance and check by SMT solver cvc5. Spefically, two programs are provided: viprtosmt tranforms a VIPR certificate into an SMT instance in SMT2 format, and normalize_num transforms numbers in a SMT2 file into cvc5 format (for instance, encodes as ).
In addition, we also provide a MPS2SMT transformer that converts MPS files into SMT instances. Our programs are all written in C++. We run experiments in Intel Xeon Gold 6226R running at GHz, each with CPUs available (and each CPU supports hyperthreads). Experimental results for Strategy 1,2, and 3 are aggregated in TableII. Experimental results for Strategy 4 are aggregated in TableI.
Test Set
Inst
Easy-all
N/A
Easy-solved
Easy-memout
N/A
Hard-all
N/A
Hard-solved
Hard-memout
N/A
In Table I, the inst column shows the number of tests in each test set. The and columns show the average time (in second) viprtosmt needs to transform VIPR certificates into SMT2 format and the average time cvc5 needs to check the transformed SMT2 file. The and columns show the average size (in MB) of the original VIPR certificate and the transformed SMT2 file. For rows labeled “memout”, it contains tests where cvc5 solver requires more than GB RAM.
We observe that the size ratio between and of each test set does not exhibit significant difference. This implies the transformation from VIPR certificates to SMT2 format generates a linear increase in the file size, as expected. We also observe that benchmarks, all of which have VIPR file size at least MB, cannot be checked with Strategy 4 within space limit of GB, showing the need for sequential transformation as shown in Strategy 2 and 3. For all the test cases solved by cvc5 within the space limit, they give the same results as the results from the C++ checker provided in [14], showing that all VIPR certificates are valid.
Since a VIPR certificate contains all the reasoning to deduce the answer to a MILP problem, it is often much larger than the file containing the original MILP problem (usually encoded in MPS or LP format). As a result, if we transform all the information of a VIPR certificate into an equivalent SMT instance it may simply be too large for an SMT solver to handle directly.
For this reason, we implement a sequential version of the transformation schema in our VIPR checker, which allows SMT solvers to check most VIPR certificates within time and space limit. Specifically, we observe that the validity of each line of the DER section is independent on the lines that directly below it (see formal proof in the AppendixV-B) so its transformation can be encoded independently. Hence we can transform several lines of a VIPR certificate, called a “block”, to an SMT instance, check it with SMT solver, then delete it and transform the next sequential lines of the VIPR file. We use block size to denote the largest number of lines of a VIPR certificate that are checked each time. We also provide an option to check blocks in parallel which further enhances the efficiency of our checker.
Note that the encoding size of different lines in VIPR certificates can be very different. To ensure the SMT solver does not run into memories issues, we also set up a limit for the actual size of blocks: if over statements have been encoded in the current SMT instance, we will close the block immediately after the encoding of the current constraint.
Test Set
Inst
Easy
Hard
In Table II, the and columns show the average time Strategy 1,2, and 3 need to check the transformed SMT instances. Here, is the setup of block size in viprsmtchk : at most lines of the VIPR certificate is encoded in each SMT instance.
As expected, with sequential transformation (Strategy 2 and 3), viprsmtchk is able to check each of the benchmarks and it gives the same results as the C++ checker provided in [14], showing that all VIPR certificates are valid. We also make the observation that, with parallelization (Strategy 3), viprsmtchk could check each of the benchmarks within hours, which is not too far away from the time used by the C++ checker provided in [14] (Strategy 1). We expect this performance gap can be further closed by additional optimizations in our parallelization scheme.
In addition, we test Strategy 2 and 3 on other block sizes () and in all cases, or is the best choice. For more details of these experiments and parallelization, please see AppendixV-D.
We also perform these tests on our program of direct transformation from MILP problems in MPS format to SMT instances in SMT2 format. In comparison to transformation from VIPR certificates, directly transforming MPS format to SMT2 format is much faster, since the major work performed is parsing and no special data structures are needed. For SMT2 files transformed as a whole (non-sequentially) from VIPR certificates of the tests, can be solved by cvc5 in hours. In comparison, for the SMT2 files transformed from MPS format of the tests, only can be solved by cvc5 in hours. As expected, the time needed for an SMT solver to check the SMT2 file transformed from MPS format is often much longer than the time needed for SMT2 files transformed from VIPR certificates.
V Conclusions
In this work we seek to leverage advances in SMT solvers to verify VIPR certificates for MILP solvers. Thus we design a VIPR certificate checker that transforms the logic of the VIPR certificate into an equivalent SMT instance. We test the viability of our checker on benchmark instances, and compare between different implemented strategies. For future directions we seek to introduce further optimizations in our parallel implementation, and possibly leverage SMT solvers’ incremental techniques to improve the efficiency of our approach.
References
[1]R.E. Bixby, “A brief history of linear and mixed-integer programmingcomputation,” Documenta Mathematica, vol. 2012, pp. 107–121, 2012.
[2]T.Koch, T.Berthold, J.Pedersen, and C.Vanaret, “Progress in mathematicalprogramming solvers from 2001 to 2020,” EURO Journal on ComputationalOptimization, vol.10, p. 100031, 2022.
[3]G.Lancia, E.Pippia, and F.Rinaldi, “Using integer programming to search forcounterexamples: A case study,” in International Conference onMathematical Optimization Theory and Operations Research.Springer, 2020, pp. 69–84.
[4]J.Pulaj, “Cutting planes for families implying frankl’s conjecture,”Mathematics of Computation, vol.89, no. 322, pp. 829–857, 2020.
[5]D.Stolee, “A linear programming approach to the manickam-miklos-singhiconjecture,” 2013.
[6]F.Kenter and D.Skipper, “Integer-programming bounds on pebbling numbers ofcartesian-product graphs,” in International Conference onCombinatorial Optimization and Applications.Springer, 2018, pp. 681–695.
[7]T.C. Hales, “A proof of the kepler conjecture,” Annals ofmathematics, pp. 1065–1185, 2005.
[8]L.DeMoura and N.Bjørner, “Satisfiability modulo theories: Anappetizer,” in Brazilian Symposium on Formal Methods.Springer, 2009, pp. 23–36.
[9]B.Konev and A.Lisitsa, “Computer-aided proof of erdős discrepancyproperties,” Artificial Intelligence, vol. 224, pp. 103–118, 2015.
[10]M.J. Heule, O.Kullmann, and V.W. Marek, “Solving and verifying the booleanpythagorean triples problem via cube-and-conquer,” in InternationalConference on Theory and Applications of Satisfiability Testing.Springer, 2016, pp. 228–245.
[11]M.Heule, “Schur number five,” in Proceedings of the AAAI Conference onArtificial Intelligence, vol.32, no.1, 2018.
[12]S.Böhme and T.Nipkow, “Sledgehammer: judgement day,” in AutomatedReasoning: 5th International Joint Conference, IJCAR 2010, Edinburgh, UK,July 16-19, 2010. Proceedings 5.Springer, 2010, pp. 107–121.
[13]B.Ekici, A.Mebsout, C.Tinelli, C.Keller, G.Katz, A.Reynolds, andC.Barrett, “Smtcoq: A plug-in for integrating smt solvers into coq,” inComputer Aiåded Verification: 29th International Conference, CAV 2017,Heidelberg, Germany, July 24-28, 2017, Proceedings, Part II 30.Springer, 2017, pp. 126–133.
[14]K.K. Cheung, A.Gleixner, and D.E. Steffy, “Verifying integer programmingresults,” in Integer Programming and Combinatorial Optimization: 19thInternational Conference, IPCO 2017, Waterloo, ON, Canada, June 26-28, 2017,Proceedings 19.Springer, 2017, pp.148–160.
[15]L.Eifler and A.Gleixner, “Safe and verified gomory mixed integer cuts in arational mip framework,” arXiv preprint arXiv:2303.12365, 2023.
[16]L.Eifler, A.Gleixner, and J.Pulaj, “A safe computational framework forinteger programming applied to chvátal’s conjecture,” ACMTransactions on Mathematical Software (TOMS), vol.48, no.2, pp. 1–12,2022.
[17]J.Pulaj, “Characterizing 3-sets in union-closed families,”Experimental Mathematics, vol.32, no.2, pp. 350–361, 2023.
[18]W.Cook, T.Koch, D.E. Steffy, and K.Wolter, “An exact rationalmixed-integer programming solver,” in Integer Programming andCombinatoral Optimization: 15th International Conference, IPCO 2011, NewYork, NY, USA, June 15-17, 2011. Proceedings 15.Springer, 2011, pp. 104–116.
[19]I.I. Cplex, “V12. 1: User’s manual for cplex,” InternationalBusiness Machines Corporation, vol.46, no.53, p. 157, 2009.
[20]C.Barrett, A.Stump, C.Tinelli etal., “The smt-lib standard: Version2.0,” in Proceedings of the 8th international workshop onsatisfiability modulo theories (Edinburgh, UK), vol.13, 2010, p.14.
[21]L.DeMoura and N.Bjørner, “Z3: An efficient smt solver,” inInternational conference on Tools and Algorithms for the Constructionand Analysis of Systems.Springer,2008, pp. 337–340.
[22]H.Barbosa, C.Barrett, M.Brain, G.Kremer, H.Lachnitt, M.Mann, A.Mohamed,M.Mohamed, A.Niemetz, A.Nötzli etal., “cvc5: A versatile andindustrial-strength smt solver,” in International Conference on Toolsand Algorithms for the Construction and Analysis of Systems.Springer, 2022, pp. 415–442.
Appendix
V-ATransforming VIPR certificates to SMT instances
In this subsection, we provide more details with respect to the transformation of each section of the VIPR certificate (VAR, INT, CON, RTP, SOL, OBJ, and DER). The VAR and INT sections specify the type (real or integer) of variables in the original MILP problem. The type of each integer is encoded as a boolean variable with fixed value, using a declare-fun statement and an assert statement. Let’s take a look at an example of the VAR and INT sections in a VIPR certificate.
VAR 2
x y
INT 1
1
The VAR section shows that the original MILP problem has two variables, and , and our checker will index them starting from . Thus will be interpreted as and as . The INT section shows that only the variable with index is an integer variable. Thus is an integer variable and is a real variable. This information is encoded as:
(declare-fun isintx0 () Bool)
(assert (not isintx0))
(declare-fun isintx1 () Bool)
where isintx0 is a boolean variable representing whether is an integer variable or not. Notice that VIPR does not distinguish boolean variables from integer variables or bound constraints from general constraints.
The OBJ section specifies the coefficients of variables in the objective function. Each coefficient is encoded as a real variable in SMT2 format using a declare-fun statement and an assert statement. Let’s take a look at an example of the OBJ section in a VIPR certificate:
OBJ min
The first number of the second line, , means there is only one variable in the objective function with a non-zero coefficient. The next number, , is the index of this variable. The next number, , is the coefficient of this variable. Thus the original MILP problem is a minimization problem and its objective function is . In SMT2 format, this information is encoded as:
(declare-fun obj0 () Real)
We use set structures in C++ to store the indecees of variables with non-zero coefficients in the objective function.
The RTP section specifies the result of the MILP solver. It either states the system is infeasible, or it gives the upper and lower bounds of the objective function. These information will be stored during the transformation for later use and will not be encoded into SMT2 format directly.
The CON section specifies the constraints in the original MILP problem (including bounds of variables). Here is an example line in the CON constraint:
The first term, CX, is the name of the constraint. Constraints (including original constraints and inferenced constraints) in a VIPR certificate will be given index starting from in the transformation. If this CX is the first line of CON section, then it will be referred to as , meaning the first constraint, and the name CX will be disregarded. The next term, , means is a constraint. In SMT2 format this is encoded as:
(declare-fun cs0 () Real)
(assert (= cs0 1.0))
where specifies the type of the constraint with index . If it is a constraint, is assigned value . If it is a constraint, is assigned value . If it is an constraint, is assigned value . This information will be used later to check the validity of inferenced constraints as linear combinations of other valid constraints.
The next term, , is the right hand side value of this constraint. In SMT2 format, this is encoded as:
(declare-fun crhs0 () Real)
The next term, , means that there are two variables in this constraint with non-zero coefficients. The last four terms mean that has coefficient and has coefficient . In SMT2 format, this is encoded as
(declare-fun c0x0 () Real)
(assert (= c0x0 2.0))
(declare-fun c0x1 () Real)
Thus constraint corresponds to inequality .
So far, we have outlined how the information of the original MILP problem is encoded into SMT2 format by our checker. The last two sections, SOL and DER, contain crucial information for the validity of a VIPR certificate. Together they verify the MILP solver reported result in the RTP section. We will discuss more details of this transformation in the next subsection.
V-BFormal Proof for the Validity of VIPR Transformation
Here is the formal proof of Theorem1. In later discussion, suppose the MILP problem corresponding to the VIPR certificate contains variables: .
Definition 7(Variable Type).
For each , define the type value of , denoted by , as following boolean variable:
This boolean variable are declared and assigned value at the very beginning of the transformed SMT2 file.
Definition 8(Problem Type).
The type of the corresponding MILP problem in a VIPR certificate, denoted by , is defined as the following boolean variable:
Specifically, if is true, then VIPR verifies results of a minimization MILP problem and if is false, then VIPR verifies results of a maximization MILP problem.
Definition 9(Result Type).
The type of results in a VIPR certificate, denoted by , is defined as the following boolean variable:
When , i.e. RTP section begins with “RTP lb ub”, we use real variables and to represent the lower and upper bound of the optimum value, correspondingly. These two variables are declared and assigned value at the very beginning of the transformed SMT2 file. If , then we do not assign value to and as they will be meaningless.
Definition 10(Constraint).
Suppose the MILP problem has variables. A constraint, , in a VIPR certificate is a relationship in one of three forms: , , or , where , is the -dimension vector representing the variables in the MILP problem, and representing the coefficients of variables. Define the sign of , denoted by , as
Indices of constraints are shown as superscript.
Definition 11(Bound Constraint).
Define bound constraint, denoted by (remember is the index of this constraint and contains three parts: , and ), as following:
1.
If OBJ section is of the form
OBJ min
then
(a)
(b)
(c)
for each ,
(d)
for each , ;
2.
If OBJ section is of the form
OBJ max
then
(a)
(b)
(c)
for each ,
(d)
for each , .
Let the second line of the OBJ section be of the form
then the optimum function of the corresponding MILP problem is , where is the vector of variables in the MILP problem. Define , representing the set of indices of variables in the optimum function with possibly non-zero coefficients.
Definition 12(Solution Line).
Let the th line in the SOL section be in the form
Define , representing the set of indices of variables with possibly non-zero assignments in this solution. Specifically, this line represents a vector such that , and , . This line is valid, if it satisfies each constraint in the CON section. If this line is valid, then the optimum function with this assignment gives an upper bound (in a minimization problem) or a lower bound (in a maximization problem) of for the optimum value.
Lemma 3(Solution Line Valid).
A line in the SOL section in the form
name
is valid, if and only if the transformed SMT2 clause is satisfiable.
Proof.
Suppose there are constraints in the CON section. Remember that these constraints are automatically indexed from . Hence, the validity of this line can be encoded with the following logic:
1.
2.
3.
∎
Definition 13(SOL valid).
The SOL section begins with the line
SOL
followed by lines of solutions. The SOL section is valid, if
1.
RTP section states the MILP problem is infeasible and SOL section contains no solution;
2.
or, RTP section gives the upper/lower bounds of the MILP problem, and
(a)
Each line of the SOL section is valid;
(b)
If the MILP is a maximization problem, then at least one line of the SOL section proves the lower bound of the optimum value stated in the RTP section, i.e. s.t. .
(c)
If the MILP is a minimization problem, then at least one line of the SOL section proves the upper bound of the optimum value stated in the RTP section, i.e. s.t. .
Lemma 4(SOL Valid).
The SOL section is valid, if and only if the transcribed SMT formula is satisfiable.
Proof.
The properties in Definition13 can be encoded with the following logic:
1.
2.
(a)
Encoded with Lemma3;
(b)
If , then ,
(c)
else .
∎
Definition 14(Reasoning).
The part insided the of a line in the DER section is called the reasoning of that line. VIPR allows four ways to derive a new constraint in the DER section, represented by four formats of reasoning of a line in the DER section: .
Definition 15(Assumption).
A constraint in the DER section with reasoning of the form
is called an assumption. Assumptions do not need a reason to be true; as the word inplied, we simply “assumes” an assumption to be true when we need to do so.
Definition 16(Set of Assumptions).
Let be a constraint in the DER or CON section. Its set of assumptions, denoted by , is a set where for each , is an assumption.
This set is implicitly inherited from constraints to contraints. In general, VIPR certificate carries the information that if we assumes all the assumptions indexed with are true, then constraints in the CON section imply the current constraint:
1.
If is an assumtion, define .
2.
If is a constraint in the CON section, define .
3.
If is a constraint in the DER section and is not an assumption, please refer to Definition20, Definition22, and Definition23 for details of .
Let be the set of indices of all assumptions in the DER section. Let be a constraint in the DER or CON section. For each , we use a boolean variable to identify whether . Thus,
1.
If is an assumtion, then
(a)
;
(b)
.
2.
If is a constraint in the CON section, then
3.
If is a constraint in the DER section and is not an assumption, please refer to Definition20, Definition22, and Definition23 for specification of ’s.
Definition 17(Disjunction Logic).
Let and be two assumptions in the DER section. We say that and form a disjunction logic, if they satisfy the following properties:
1.
;
2.
For each such that is an integer variable, is an integer;
3.
For each such that is a real variable, ;
4.
Both and are integers;
5.
One of equals , while the other equals ;
6.
If and , then ; If and , then .
Let denote the -dimension vector of variables. These properties guarantee that and are in the form
where and is an integer. Since property 1.,2.,3. guarantee that is an integer, mathematically speaking one of and has to be true.
Lemma 5.
Let and be two constraints in a VIPR certificate. By Definition17, that and form a disjunction logic, can be encoded with the following logic:
1.
2.
3.
4.
, with Lemma8
5.
6.
If , then , else
where the last clause is encoded with the “ite” gate in SMT2 format.
Definition 18(Domination).
Let and be two constraints in a VIPR certificate. We say that dominates ( implies in the following specified forms), if
1.
, and
(a)
and (so is an absurdity and implies everything), or
(b)
and (so is an absurdity and implies everything), or
(c)
and (so is an absurdity and inplies everything);
2.
or, (so LHS of and are the same) and
(a)
, , and (so each of and implies ), or
(b)
, , and (so and are the same), or
(c)
, , and (so each of and implies )
Lemma 6.
Let and be two constraints in a VIPR certificate. By Definition18, dominates if the following clause holds:
1.
(a)
(b)
(c)
2.
(a)
(b)
(c)
This encoding is based on the assumption that each sign value ( and ) can be only one of and . In plain syntax, is encoded as
(and (= ) (= ) (= ) (= )).
Definition 19(DER Line).
A line in the DER section with as the reasoning part has the form
lin
where denote the index of the current constraint and each is the index of a previously specified constraint. Constraints in the VIPR certificate are automatically indexed from by the sequence they appear in the file. Thus, if , then is specified before . This notation helps prevent loop proof. Here, we use to denote the information of the current constraint, consisting of the type of constraint, the right hand side of the constraint, and the coefficients of variables in the left hand side, from which we can declare , and for each .
Reasoning in this form states that is implied by a linear combination of previous constraints. Specifically, it stated that forms a constraint which dominates .
Definition 20(Lin Valid).
A line in the DER section with reasoning of the form
lin
is valid, if
1.
Each of is specified before ;
2.
The linear combination of constraints described in the reasoning, i.e. , forms a constraint;
3.
The constraint formed by this linear combination dominates .
With these properties, we can conclude that is implied by previous constraints . Hence inherits all the assumptions used by :
In SMT logic, this is characterized by
Lemma 7(Lin Valid).
A line in the DER section with reasoning of the form
lin
is valid if and only if the transcribed SMT formula is satisfiable.
Proof.
The three properties in Definition20 can be encoded with SMT2 clauses in the following logic:
1.
In plain syntax, is encoded as
2.
Note that,
(a)
the addition of equalities gives an equality;
(b)
the addition of equalities and “less or equal to” inequalities gives a “less or equal to” inequality;
(c)
the addition of equalities and “greater or equal to” inequalities gives a “greater or equal to” inequality.
Recall we use sign value to represent the type of constraints . Thus, for each ,
(a)
is an equality if ;
(b)
is an “less or equal to” inequality if ;
(c)
is an “greater or equal to” inequality if .
Hence, we can use three bool variables to represent whether the linear combination in the reasoning gives a relation, correspondingly:
Notice that equality implies both “less or equal to” and “greater or equal to”, and in Definition18, we can see that any relations implied by “less or equal to” or “greater or equal to” can be implied by equality. Hence, if , we assume the linear combination in the reasoning forms an equality. Otherwise, we assume it forms an “less or equal to” inequality if is true, and we assume it forms an “greater or equal to” inequality if is true (notice that when , then at most one of and can be true. If , then the linear combination in the reasoning does not form a valid relation. Denote the constraint formed by the linear combination in the reasoning as . Then, what we described can be encoded as
if
else if
else if
else
where is a bool variable that has been assigned in the very beginning. Hence, if cannot be assigned or , i.e. the linear combination in the reasoning does not form a valid relation, then we force the transcribed SMT formula to be unsatisfiable.
In plain syntax, this is encoded with the ite (if then else) gate:
(assert (ite ceqx (= 0.0)
(ite cleqx (= -1.0)
(ite cgeqx (= 1.0)
3.
Clearly, for each , . In plain syntax, this is encoded as
(assert (= (+ (* ) …(* ))))
Similarly, , which is encoded as
In 2. we have computed , so is determined and we can use the schema in Lemma6 to encode property 3.
∎
Lemma 8(Rounding Number).
Let be a real constant. Then, we can express and by real constant and in SMT2 logic. In particular, we will first encode and into integer variables and , and then force and .
To compute , the logic is as following :
1.
Declare as int variable;
2.
;
3.
Declare as real variable;
4.
.
In plain syntax, this is encoded as:
(declare-fun rceilX () Int)
(assert (and ( (to_real rceilX) X)
( (to_real (- rceilX1)) x)))
(declare-fun ceilX () Real)
Similarly, we can compute with the following logic:
1.
Declare as int variable;
2.
;
3.
Declare as real variable;
4.
.
Definition 21(Gomory Cut).
Let be a constraint with variables. We say can be rounded, if
1.
For each such that is an integer variable, is an integer;
2.
For each such that is a real variable, ;
3.
. (Nothing should be done to an equality; we can only do rounding operation for inequalities.)
Specifically, can be rounded to the constraint in the following way:
4.
When :
(a)
;
(b)
;
(c)
.
5.
When :
(a)
;
(b)
;
(c)
.
Lemma 9(Rounding Operation).
Let be a constraint with variables. That can be rounded to , by definition, can be encoded with the following logic:
1.
2.
3.
4.
If , then , else .
Specifically, in 1., the type of each variable can be represented by a bool variable, assigned value when we declare in the SMT2 file. In 4., the rounding of is encoded with Lemma8.
Definition 22(Rnd Valid).
A line in the DER section with reasoning of the form
rnd
is valid, if
1.
Each of is specified before ;
2.
The linear combination of constraints described in the reasoning, i.e. , forms a constraint;
3.
The constraint formed by this linear combination can be rounded by Lemma9 to another constraint, denoted by ;
4.
The constraint dominates .
With these properties, we can conclude that is implied by previous constraints . Hence inherits all the assumptions used by :
In SMT logic, this is characterized by
Lemma 10(Rnd Valid).
A line in the DER section with reasoning of the form
rnd
is valid if and only if the transcribed SMT model is satisfiable.
Proof.
We can encode each of the four properties in Definition22 with SMT logic. Property 3) involves encoding , which is characterized in Lemma9. Property 1), 2), and 4) can be encoded exactly the same way as the three properties in Lemma7.∎
Definition 23(Uns Valid).
A line in the DER section with reasoning of the form
uns
is valid, if
1.
Each of is specified before ;
2.
Each of and dominates ;
3.
is an assumption used by and is an assumption used by (or formally, and );
4.
and form a disjunction logic;
Recall that by Definition16, if we assume all the assumptions indexed with are true, then CON section (which contains original constraints in the MILP problem) implies . Similarly, if we assume all the assumptions indexed with are true, then CON section implies .
Since both and imply , if we assume all the assumptions indexed with , or if we assume all the assumptions indexed with , then CON section implies . By 3) and 4), if we assume all the assumptions indexed with , then CON section implies . This is because one of and has to be true, so if we assume all the assumptions indexed with
then we are actually assuming either all the assumptions indexed with or all the assumptions indexed with .
In SMT logic, this is characterized by
Lemma 11(Uns Valid).
A line in the DER section with reasoning of the form
uns
is valid if and only if the transcribed SMT model is satisfiable.
Proof.
The four properties in Definition23 can be encoded with SMT2 clauses in the following logic:
1.
2.
Encoded by Lemma6;
3.
4.
Encoded by Lemma5.
∎
Definition 24(DER Valid).
Let the last line in the DER section be of the form
The DER section is valid, if
1.
Each line in the DER section is valid;
2.
The set of assumptions of is empty, i.e. ; (This ensures can be implied from the CON section without making any assumptions.)
3.
(a)
If is false, then dominates ; (Notice that is a mathematical absurdity, so this implies is also a mathematical absurdity, i.e. we reach a contradiction from constraints in the CON section.)
(b)
If is true, then dominates . (So the lower bound of a minimization problem, or the upperbound of a maximization problem, is proved.)
Lemma 12(DER Valid).
The DER section is valid, if and only if the transcribed SMT model is satisfiable.
Proof.
The three properties in Definition24 can be encoded with SMT2 clauses in the following logic:
1.
Encoded with Lemma7, Lemma10, and Lemma11;
2.
;
3.
Encoded with Lemma6 and the ite (if-then-else) gate.
∎
Theorem 2(Main).
A VIPR certificate is valid, if and only if the transcribed SMT model is satisfiable.
Proof.
Theorem2 follows from Lemma4 and Lemma12.∎
V-CTransforming MILP instances to SMT instances
For suitable applications in the MILP domain where additional safeguards are warranted, tranforming MILP instances to SMT instances may be advantageous. However, to the best of our knowledge, we are not aware of any such general translation tools that are publicly available.
Two common file formats for MILP problems are the LP file format, which is human-readable and analogous to the algebraic form of linear constraints, and the MPS file format, which is more machine-friendly with higher precision for constraint coefficients. In MPS format, constraints are specified in a matrix, where each column corresponds to a variable and each row corresponds to a constraint. For each variable, its coefficient at each row is specified, otherwise the coefficient is assumed to be zero. In our implementation of the the transformation, we input MILP instances in MPS format and output equivalent SMT instances in SMT2 format.
At a high level, our transformation from MPS format to SMT2 format is straightforward: we use declare-fun statements to declare variables and assert statements to capture constraints or bounds specified in the original MPS file. Although it is likely that further optimizations could improve the performance of our implementation, our simple transformation provides a useful baseline for comparison. It enables us to experimentally examine the advantages of checking the correctness of a VIPR certificate for a MILP instance via an SMT solver versus directly solving the transformed MILP instances via an SMT solver.
MPS files encode most instance information in four sections: ROWS, RHS, COLUMNS, and BOUNDS. The ROWS section specifies the type of each constraint (, , or ). The RHS section specifies the right hand side value of each constraint, which is assumed to be a constant. The COLUMNS section specifies for each variable its corresponding coefficient in each constraint. The BOUNDS section specifies the upper and lower bounds of each variables.
Here is the logic of transformation from these four general sections to SMT formulas. First, each variable specified in the COLUMNS section will be encoded as a declare-fun statement. Furthermore, sections ROWS, RHS and COLUMNS encode information on each constraint in the corresponding MILP problem, and each such constraint is transformed into an assert statement. Finally, sections COLUMNS and BOUNDS encode lower and upper bounds for each variable, and each such bound is transformed into an assert statement.444Our implementation can also handle non-standard statements in MPS format, such as the RANGE section and the INDICATOR section.
V-DBlock Size and Parallelization in Sequential Transformation
In SectionIV, we presented the aggregated statistics of Strategy 2 and 3 (VIPR checking with sequential transformation, with and without parallelization) when the block size (largest number of VIPR lines encoded in each SMT instance) is (). In addition, we tested Strategy 2 and 3 with other block sizes (). We run experiments in Intel Xeon Gold 6226R running at GHz, each with CPUs available (and each CPU supports hyperthreads).
For the sake of explanation, define the set of all tests as , containing all the benchmarks as explained in SectionIV. We define the tests that run for more than minute in the non-parallel sequential version,with block size as ; the ones that run for more than hour as ; and the ones that run for more than hours as . Compared to the non-parallel sequential approach with , the parallel sequential approach with is:
1.
times faster (stdev = ) for tests in ;
2.
times faster (stdev = ) for tests in ;
3.
times faster (stdev = ) for tests in ;
4.
times faster (stdev = ) for tests in .
Maintaining the baseline comparison (non-parallel sequential with ), as we vary block sizes with in the parallel approach,its fastest choice of is:
1.
times faster (stdev = ) for tests in ;
2.
times faster (stdev = ) for tests in ;
3.
times faster (stdev = ) for tests in ;
4.
times faster (stdev = ) for tests in .
For larger problems (those in ), in all cases represents the best block size choice.We also note diminishing returns in increasing the block size: in only of the larger problems, moving from to makes the speedup more than faster.
Address: Apt. 915 481 Sipes Cliff, New Gonzalobury, CO 80176
Phone: +6773780339780
Job: Sales Executive
Hobby: Gaming, Jogging, Rugby, Video gaming, Handball, Ice skating, Web surfing
Introduction: My name is Carmelo Roob, I am a modern, handsome, delightful, comfortable, attractive, vast, good person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.