From SAT to SMT - A Tutorial (PowerPoint presentation transcript)

Nikolaj Bjørner, Microsoft Research. Dagstuhl, April 23, 2015.

Plan: SMT in a nutshell; SMT solving walkthrough by example; selected theory solvers (equalities, arrays, arithmetic); combining solvers.

Presentation Transcript

Slide1

From SAT to SMT: A Tutorial

Nikolaj Bjørner

Microsoft Research

Dagstuhl

April 23, 2015

Slide2

Plan

SMT in a nutshell

SMT solving walkthrough by example

Selected Theory solvers

Equalities

Arrays

Arithmetic

Combining Solvers

Slide3

Satisfiability Modulo Theories (SMT)

Is a formula satisfiable modulo theory T?

SMT solvers have specialized algorithms for T

Slide4

Satisfiability Modulo Theories (SMT)

Arithmetic

Array Theory

Uninterpreted Functions

Slide5

SMT: Basic Architecture

Equality + UF

Arithmetic

Bit-vectors

Case Analysis

Slide6

SAT + Theory solvers (Slide6, built up through Slide11)

Basic Idea

x ≥ 0, y = x + 1, (y > 2 ∨ y < 1)

Abstract (aka "naming" atoms):

p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1)

p1, p2, (p3 ∨ p4)

SAT Solver

Assignment: p1, p2, ¬p3, p4

i.e. x ≥ 0, y = x + 1, ¬(y > 2), y < 1

Theory Solver

Unsatisfiable: x ≥ 0, y = x + 1, y < 1

New Lemma: ¬p1 ∨ ¬p2 ∨ ¬p4

Slide12

SAT + Theory solvers

Theory Solver

Unsatisfiable: x ≥ 0, y = x + 1, y < 1

New Lemma: ¬p1 ∨ ¬p2 ∨ ¬p4

AKA Theory conflict

Slide13

SAT/SMT solving using DPLL(T)/CDCL

Slide14

Mile High: Modern SAT/SMT search

Proofs: conflict clauses

Models: literal assignments

Conflict Resolution, Backjump, Propagate

Slide15

Core Engine in Z3: Modern DPLL/CDCL

The transition system of [Nieuwenhuis, Oliveras, Tinelli J.ACM 06], customized:

Initialize, Decide, Propagate, Sat, Conflict, Learn, Unsat, Backjump, Resolve, Forget (only a learned clause may be forgotten), Restart

Model, Proof, Conflict Resolution

Slide16

DPLL(T) solver interaction

Slide17

MCSat [Jovanović, de Moura] (Cotton, McMillan, Nieuwenhuis, Voronkov, …)

Search

Trail: values guessed for sub-terms

Propagate values, derive consequences

Conflict resolution: Detect, backjump, learn

Forget, restart, indexing, …

T-Solvers

Trail: x + y + z > 0, -x + y + z < 0, x = 0, y = 0

Arithmetic Solver

x + y + z > 0, -x + y + z < 0, with the guessed values x = 0, y = 0

Conflict: z > 0, z < 0

The solver learns x > 0 instead of just blocking the guess: x > 0 is "explained" by a clause built from the two inequalities alone, since adding x + y + z > 0 to x - y - z > 0 (the negation-free form of -x + y + z < 0) gives 2x > 0. The explanation does not mention the guessed values, so it is a Craig interpolant between the trail and the conflict and generalizes the conflict beyond the specific guesses.

MCSAT, Craig Interpolant, Generalization

Slide18

Theory Solvers

Slide19

Conceptually

Claim: main approaches search for resolution proofs (+ cutting planes) or models

Eager vs. Lazy compilation to SAT

Integration with SAT solver state machine

Compositionality: Each solver by itself

Search controlled by SAT Engine vs. Theory Solver

Slide20

Equalities and Uninterpreted Functions

Slide21

Theory of Equality

a = b, b = c, d = e, b = s, d = t, a ≠ e, c ≠ s

Union-find over the constants a, b, c, d, e, s, t:

union(a, b), union(b, c), union(b, s) gives the class {a, b, c, s}; union(d, e), union(d, t) gives the class {d, e, t}.

find(c) = find(s), which contradicts c ≠ s: unsatisfiable.

Slide22

Theory of Equality

a = b, b = c, d = e, b = s, d = t, a ≠ e

Classes: {a, b, c, s} and {d, e, t}

find(a) ≠ find(e), so the constraints are satisfiable. A model assigns one value per class:

M(a) = M(b) = M(c) =  M(s) = 1

M(d) = M(e) = M(t) = 2

Slide23

Theory of Equality: Functions

a = b, b = c, d = e, b = s, d = t, f(a, g(d)) ≠ f(b, g(e))

"Naming" subterms:

v1 ≡ g(d), v2 ≡ g(e), v3 ≡ f(a, v1), v4 ≡ f(b, v2)

a = b, b = c, d = e, b = s, d = t, v3 ≠ v4

Congruence Rule: x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Classes before congruence: {a, b, c, s}, {d, e, t}, {v1}, {v2}, {v3}, {v4}

Slide24

Theory of Equality: Functions

a = b, b = c, d = e, b = s, d = t, f(a, g(d)) ≠ f(b, g(e))

"Naming" subterms: v1 ≡ g(d), v2 ≡ g(e), v3 ≡ f(a, v1), v4 ≡ f(b, v2)

Congruence Rule: x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

d = e gives v1 = v2 (congruence on g); a = b and v1 = v2 give v3 = v4 (congruence on f).

Classes: {a, b, c, s}, {d, e, t}, {v1, v2}, {v3, v4}

v3 = v4 contradicts v3 ≠ v4: unsatisfiable.
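The union-find with congruence closure sketched on Slides 21 to 24, as an added example; this is illustrative code written for this page, not code from the tutorial or from Z3. The tuple encoding of terms, the fixpoint loop over pairs of applications and the numbering of classes to produce a model are this example's own choices; the three inputs are the slides' formulas.

```python
"""Congruence closure for equality + uninterpreted functions (EUF): union-find over
terms plus the congruence rule, as sketched on the "Theory of Equality" slides.
Illustrative code for this page, not code from the tutorial. Terms are tuples:
('a',) is the constant a and ('f', ('a',), ('g', ('d',))) is f(a, g(d))."""
from itertools import combinations


def pretty(t):
    return t[0] if len(t) == 1 else f"{t[0]}({', '.join(pretty(a) for a in t[1:])})"


class EUF:
    def __init__(self):
        self.parent = {}   # union-find parent pointer of every interned term
        self.apps = []     # function applications: the candidates for the congruence rule

    def add(self, t):
        """Intern t and all of its subterms (the slides' "naming subterms" step)."""
        if t in self.parent:
            return
        self.parent[t] = t
        for arg in t[1:]:
            self.add(arg)
        if len(t) > 1:
            self.apps.append(t)

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s, t):
        """Merge the classes of s and t; True if they were distinct."""
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return False
        self.parent[rs] = rt
        return True

    def close(self):
        """Congruence rule to a fixpoint:
        x1 = y1, ..., xn = yn  implies  f(x1, ..., xn) = f(y1, ..., yn)."""
        changed = True
        while changed:
            changed = False
            for s, t in combinations(self.apps, 2):
                if (s[0] == t[0] and len(s) == len(t)
                        and all(self.find(p) == self.find(q) for p, q in zip(s[1:], t[1:]))
                        and self.union(s, t)):
                    changed = True

    def classes(self):
        groups = {}
        for t in self.parent:
            groups.setdefault(self.find(t), []).append(pretty(t))
        return sorted(sorted(g) for g in groups.values())


def solve(equalities, disequalities):
    """Decide a conjunction of equalities and disequalities between terms.
    Returns (status, violated_disequality_or_None, model); the model maps each term
    to the number of its class, like M(a) = 1, M(d) = 2 on the slides."""
    euf = EUF()
    for s, t in equalities + disequalities:
        euf.add(s)
        euf.add(t)
    for s, t in equalities:
        euf.union(s, t)
    euf.close()
    model = {term: k for k, cls in enumerate(euf.classes(), start=1) for term in cls}
    for s, t in disequalities:
        if euf.find(s) == euf.find(t):
            return "unsat", (pretty(s), pretty(t)), model
    return "sat", None, model


# The slides' examples, constructed here from the slide text.
a, b, c, d, e, s, t = (('a',), ('b',), ('c',), ('d',), ('e',), ('s',), ('t',))
EQS = [(a, b), (b, c), (d, e), (b, s), (d, t)]
SLIDE21 = solve(EQS, [(a, e), (c, s)])                              # unsat: find(c) = find(s)
SLIDE22 = solve(EQS, [(a, e)])                                      # sat, two classes
SLIDE24 = solve(EQS, [(('f', a, ('g', d)), ('f', b, ('g', e)))])    # unsat by congruence
```

The congruence loop is quadratic in the number of applications, which is fine for a walkthrough; production solvers (Z3 included) index applications by their argument classes so that a merge only revisits the applications that mention the merged classes.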
Slide25

Slide26

Approach #1: DPLL(⊔) [B, Dutertre, de Moura 08]

Try one branch: collect the equalities it implies.

Try the other branch: collect the equalities it implies.

Compute the join of the two sets of equalities: the common equalities are learned.

Still potentially O( ) rounds just at base level of search.

Slide27

Dynamic Ackermann Reduction

If the Congruence Rule repeatedly learns the same consequence, then add it as a lemma.

Dynamic Ackermann Reduction with Transitivity

If Equality Transitivity repeatedly learns the same consequence, then add it as a lemma.

Approach #2: simulate paramodulation [B, de Moura 13, handbook of tractability]

Slide28

Arrays

Slide29

Arrays

Arrays as applicative maps:

Select: _[_]

Extensionality

Derived operations: store, K (constant array), map

Slide30

Arrays as Local Theories

Main property: an array formula has a model M iff each array in it can be represented as a map with finite range.

Slide31

Reduction to uninterpreted functions

Use saturation rules to reduce arrays to the theory of uninterpreted functions

Extract models for arrays as finite graphs

Slide32

Closure for store

For every store sub-term, and for every index term occurring in the formula, add the corresponding store equation to the formula.

EUF model of the formula => Array Model: for each array A, define the graph of A from the values of the terms A[i] that occur in the formula.

Slide33

Deciding store

For each array A in the formula, define its interpretation as above.

Does M satisfy the axioms for store?

Recall, we added the store equations for every index term in the formula.

Thus, M satisfies them.

Slide34

Arrays and Efficiency

Adding axioms for all indices is expensive

Store and extensionality axioms introduce branching

Selectively add axioms on demand

Boolector: Dual rail propagation to delay adding axioms

Z3: relevancy propagation

Slide35

Arithmetic

Slide36

Some Arithmetical Theories

Presburger / Büchi Arithmetic

Integer Linear Arithmetic

Mixed Integer Linear Arithmetic

Real Linear Arithmetic

Real non-linear Arithmetic

UTVPI: x + y < 3, x - z < 2

Horn Inequalities: 3x + 2y < z + 4

TVPI: 2x - 3y < 3

Differences / Unit Differences: x - y < 4

Pseudo Booleans

Slide37

Difference Logic

Chasing negative cycles!

Algorithms based on Bellman-Ford (O(mn)).

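The SAT + theory solver loop of Slides 6 to 12 and the negative-cycle search of Slide 37, put together as an added example; this is illustrative code written for this page, not code from the tutorial or from Z3. It assumes integer difference logic as the theory (the slide's y = x + 1 is split into two difference atoms, and a distinguished variable "0" stands for zero so that bounds are differences too), and an exhaustive enumeration of propositional models stands in for the CDCL engine. Theory conflicts come back as lemmas exactly as on Slide 11.

```python
"""Lazy SMT as sketched on the slides: a propositional search over "named" atoms,
a difference-logic theory solver (Bellman-Ford), and theory conflicts returned as
lemmas. Illustrative code for this page, not code from the tutorial.
An atom (u, v, c) means u - v <= c over the integers; the variable "0" stands for
the constant zero, so x >= 0 is the difference atom 0 - x <= 0."""
from itertools import product


def negate(atom):
    """not(u - v <= c) is v - u <= -c - 1 over the integers."""
    u, v, c = atom
    return (v, u, -c - 1)


def idl_check(constraints):
    """Difference-logic theory solver. constraints: {label: (u, v, c)}. Each constraint
    is the edge v -> u with weight c, so any consistent dist[] has dist[u] <= dist[v] + c.
    Returns (None, model) when satisfiable, else (labels on a negative cycle, None)."""
    nodes = sorted({n for u, v, _ in constraints.values() for n in (u, v)})
    if not nodes:
        return None, {}
    dist = {n: 0 for n in nodes}     # all-zero start: a virtual source with 0-weight edges
    pred = {n: None for n in nodes}  # pred[u] = (v, label) of the edge that last tightened u
    last = None
    for _ in range(len(nodes)):
        last = None
        for label, (u, v, c) in constraints.items():
            if dist[v] + c < dist[u]:
                dist[u], pred[u], last = dist[v] + c, (v, label), u
        if last is None:             # converged: no negative cycle, dist is a model
            zero = dist.get("0", 0)  # shift so that the zero variable really is 0
            return None, {n: d - zero for n, d in dist.items() if n != "0"}
    # A node was still relaxed in round |V|, so a negative cycle exists. Walking |V|
    # predecessors back from it lands inside the cycle; then read the cycle off.
    node = last
    for _ in range(len(nodes)):
        node = pred[node][0]
    cycle, cur = [], node
    while True:
        prev, label = pred[cur]
        cycle.append(label)
        cur = prev
        if cur == node:
            return cycle, None


def lazy_smt(atoms, clauses):
    """Lazy SMT loop. atoms[i-1] is the atom named p_i; clauses are lists of signed atom
    numbers (-i means not p_i). Exhaustive enumeration stands in for CDCL: each
    propositional model goes to the theory solver, and a theory conflict comes back
    as a lemma (the negated conflict literals) that prunes later models.
    Returns (status, model, learned_lemmas)."""
    learned = []
    n = len(atoms)
    for bits in product((False, True), repeat=n):
        assign = {i + 1: bit for i, bit in enumerate(bits)}
        if not all(any(assign[abs(lit)] == (lit > 0) for lit in cl) for cl in clauses + learned):
            continue                 # not a propositional model
        literals = {i: atoms[i - 1] if assign[i] else negate(atoms[i - 1]) for i in assign}
        conflict, model = idl_check(literals)
        if conflict is None:
            return "sat", model, learned
        learned.append([-i if assign[i] else i for i in conflict])   # theory conflict lemma
    return "unsat", None, learned


# The slide's example x >= 0, y = x + 1, (y > 2 or y < 1), constructed here over the
# integers: the equality is two difference atoms, y > 2 is y >= 3, y < 1 is y <= 0.
ATOMS = [
    ("0", "x", 0),    # p1: x >= 0        (0 - x <= 0)
    ("y", "x", 1),    # p2: y - x <= 1    (one half of y = x + 1)
    ("x", "y", -1),   # p3: x - y <= -1   (other half of y = x + 1)
    ("0", "y", -3),   # p4: y > 2         (0 - y <= -3)
    ("y", "0", 0),    # p5: y < 1         (y - 0 <= 0)
]
CLAUSES = [[1], [2], [3], [4, 5]]

if __name__ == "__main__":
    print(lazy_smt(ATOMS, CLAUSES))
```

Running it on the slide's formula reproduces the walkthrough: the first propositional model picks p5 (y < 1), the theory solver finds the negative cycle through x ≥ 0, x - y ≤ -1 and y ≤ 0 and hands back the lemma ¬p1 ∨ ¬p3 ∨ ¬p5, and the next model (with y > 2) is theory-consistent with x = 2, y = 3. Replacing the clause [4, 5] by the unit [5] makes the search exhaust the models and report unsat.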
Slide38

Linear Real Arithmetic

Slide39

Efficient R reduction to CAD (cylindrical algebraic decomposition)

A key idea: use a partial solution to guide the search

(Figure: feasible region; extract a small core; sample point x = 0.5)

Dejan Jovanović & Leonardo de Moura, IJCAR 2012

Slide40

Bit-Vectors

Slide41

Bit-vector arithmetic

Two approaches

SAT reduction (Boolector, CVC, MathSAT, STP, Yices, Z3, …)

Circuit encoding of bit-wise predicates.

Bit-wise operations as circuits

Circuit encoding of adders, multipliers.

Custom modules

SWORD [Wille, Fey, Große, Eggersglüß, Drechsler 07]

Pre-Chaff specialized engine [Huang, Chen 01, Barrett 98]

Slide42

Encoding circuits to SAT - addition

(Figure: a ripple-carry adder, one full adder FA per bit, adding two 6-bit operands.)

out = xor(x, y, c)

c' = (x ∧ y) ∨ (x ∧ c) ∨ (y ∧ c)

c[0] = 0

c'[N-2:0] = c[N-1:1]

Per bit i:

out_i ≡ xor(x_i, y_i, c_i)

c_{i+1} ≡ (x_i ∧ y_i) ∨ (x_i ∧ c_i) ∨ (y_i ∧ c_i)

c_0 ≡ 0

As clauses. For the sum bit, x_i ⊕ y_i ⊕ c_i ⊕ out_i = 0, i.e. every odd-parity assignment of the four bits is excluded:

(¬x_i ∨ ¬y_i ∨ ¬c_i ∨ out_i) ∧ (¬x_i ∨ ¬y_i ∨ c_i ∨ ¬out_i) ∧ (¬x_i ∨ y_i ∨ ¬c_i ∨ ¬out_i) ∧ (¬x_i ∨ y_i ∨ c_i ∨ out_i) ∧
(x_i ∨ ¬y_i ∨ ¬c_i ∨ ¬out_i) ∧ (x_i ∨ ¬y_i ∨ c_i ∨ out_i) ∧ (x_i ∨ y_i ∨ ¬c_i ∨ out_i) ∧ (x_i ∨ y_i ∨ c_i ∨ ¬out_i)

For the carry (a majority), each pair of inputs forces it in both directions:

(x_i ∧ y_i → c_{i+1}) ∧ (c_{i+1} → x_i ∨ y_i) ∧ (x_i ∧ c_i → c_{i+1}) ∧ (c_{i+1} → x_i ∨ c_i) ∧ (y_i ∧ c_i → c_{i+1}) ∧ (c_{i+1} → y_i ∨ c_i) ∧ ¬c_0

Slide43

Encoding circuits to SAT - multiplication

Bit-wise operations, fixed size

(Figure: array multiplier for 4-bit operands; the partial products a_i b_j are summed by half adders HA and full adders FA into out0 … out3.)

O(n²) clauses

SAT solving time increases exponentially. Similar for BDDs. [Bryant, MC25, 08]

Brute-force enumeration + evaluation faster for 20 bits. [Matthews, BPR 08]

Slide44

(Figure: the 6-bit ripple-carry adder again.)

Bit-vector addition is expressible as a state machine:

out = xor(x, y, c)

c' = (x ∧ y) ∨ (x ∧ c) ∨ (y ∧ c)

c[0] = 0

c'[N-2:0] = c[N-1:1]

Large/Parametric size

(set-logic QF_BV)
(declare-fun x () (_ BitVec 1000000))
(declare-fun y () (_ BitVec 1000000))
(assert (distinct (bvadd x y) (bvadd y x)))
(check-sat)

Parametric, non-fixed size: PSPACE complete fragments. [Pichora 03]

Large fixed-size: QF_BV, QF_UFBV are NEXPTIME complete. [Fröhlich, Kovásznai, Biere, SMT'12, 13, CSR'13]

Slide45

Other Theories

Algebraic Data-types

Monoids (strings) and Sequences

Sets, Multi-sets

Monadic Theories, Automata

Aggregates, Cardinalities, #SAT/#SMT

Constraint domains

Theories and Quantifiers: QBF, DQBF, EPR, QBV, Horn, Essentially Uninterpreted, …

Slide46

Combining Theories

Slide47

Combining Theories

In practice, we need a combination of theories.

b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1)

A theory is a set (potentially infinite) of first-order sentences.

Main questions:

Is the union of two theories T1 ∪ T2 consistent?

Given solvers for T1 and T2, how can we build a solver for T1 ∪ T2?

Slide48

A Combination History

(The slide groups the entries into "Foundations" and "Efficiency using rewriting".)

1979 Nelson, Oppen - Framework

1984 Shostak. Theory solvers

1996 Tinelli & Harandi. N.O. Fix

1996 Cyrluk et al. Shostak Fix #1

1998 B. Shostak with Constraints

2000 Barrett et al. N.O. + Rewriting

2001 Rueß & Shankar. Shostak Fix #2

2001 Moskewicz et al. Efficient DPLL made guessing cheap …

2002 Zarba & Manna. "Nice" Theories

2004 Ghilardi et al. N.O. Generalized

2004 Ranise et al. N.O. + Superposition

2006 Bruttomesso et al. Delayed Theory Combination

2007 de Moura & B. Model-based Theory Combination

2007 Ganesh: overlapping, polite, shiny, etc.

2013 Jovanović

Slide49

Disjoint Theories

Two theories are disjoint if they do not share function/constant and predicate symbols.

= is the only exception.

Example: The theories of arithmetic and arrays are disjoint.

Arithmetic symbols: {0, -1, 1, -2, 2, …, +, -, *, >, <, ≥, ≤}

Array symbols: { read, write }

Slide50

Purification

It is a different name for our "naming" subterms procedure.

b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)

b + 2 = c, v6 ≠ v7

v1 ≡ 3, v2 ≡ write(a, b, v1), v3 ≡ c-2, v4 ≡ read(v2, v3), v5 ≡ c-b+1, v6 ≡ f(v4), v7 ≡ f(v5)

Slide51

Purification

The same, grouped by theory:

Arithmetic: b + 2 = c, v1 ≡ 3, v3 ≡ c-2, v5 ≡ c-b+1

Arrays: v2 ≡ write(a, b, v1), v4 ≡ read(v2, v3)

Uninterpreted functions: v6 ≡ f(v4), v7 ≡ f(v5), v6 ≠ v7
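Purification run on the slide's formula, as an added example; this is illustrative code written for this page, not code from the tutorial or from Z3. The theory table, the tuple encoding of terms and the variable names v1, v2, … are this example's assumptions. Unlike the slide, which names every subterm, this version names only alien subterms, i.e. arguments whose theory differs from the application they sit in, which is the minimal split Nelson-Oppen needs (write(a, b, v1) therefore stays inside the read).

```python
"""Purification, the first step of Nelson-Oppen combination: each subterm that belongs
to a different theory than the application it sits in is replaced by a fresh shared
variable v_k, and the defining equation v_k = subterm is handed to the subterm's own
theory. Illustrative code for this page, not code from the tutorial. Variables are
strings, numerals are ints, applications are tuples ('f', arg, ...), atoms are
('=', s, t) or ('!=', s, t). THEORY is an assumption of this example."""

THEORY = {'+': 'arith', '-': 'arith', 'read': 'arrays', 'write': 'arrays', 'f': 'euf'}


def theory_of(term):
    """Theory that owns a term; shared variables belong to none."""
    if isinstance(term, int):
        return 'arith'
    if isinstance(term, tuple):
        return THEORY[term[0]]
    return None


class Purifier:
    def __init__(self):
        self.counter = 0
        self.pure = {th: [] for th in sorted(set(THEORY.values()))}   # theory -> pure atoms

    def fresh(self):
        self.counter += 1
        return f"v{self.counter}"

    def purify(self, term, parent):
        """Rewrite term so that it and everything below it is pure for `parent`."""
        th = theory_of(term)
        if th is None:
            return term                                   # shared variable: allowed anywhere
        if isinstance(term, tuple):
            term = (term[0],) + tuple(self.purify(arg, th) for arg in term[1:])
        if th == parent:
            return term
        v = self.fresh()                                  # alien subterm: name it
        self.pure[th].append(('=', v, term))
        return v

    def add_atom(self, atom):
        """Assign the atom to the theory of its first non-variable side and purify it."""
        op, lhs, rhs = atom
        th = theory_of(lhs) or theory_of(rhs) or 'euf'   # x = y between variables: equality core
        self.pure[th].append((op, self.purify(lhs, th), self.purify(rhs, th)))
        return self.pure


# The slide's formula: b + 2 = c, f(read(write(a, b, 3), c - 2)) != f(c - b + 1)
SLIDE_ATOMS = [
    ('=', ('+', 'b', 2), 'c'),
    ('!=', ('f', ('read', ('write', 'a', 'b', 3), ('-', 'c', 2))),
           ('f', ('+', ('-', 'c', 'b'), 1))),
]


def purify_slide_example():
    p = Purifier()
    for atom in SLIDE_ATOMS:
        p.add_atom(atom)
    return p.pure
```

The result is one pure problem per theory, sharing only the variables a, b, c and v1..v4; from here the Nelson-Oppen loop on the next slides exchanges equalities between those shared variables, which is exactly where convexity decides whether a single equality or a disjunction has to be propagated.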

Slide52

Stably Infinite Theories

A theory is stably infinite if every satisfiable QFF (quantifier-free formula) is satisfiable in an infinite model.

EUF and arithmetic are stably infinite.

Bit-vectors are not.

Slide53

Important Result

The union of two consistent, disjoint, stably infinite theories is consistent.

Slide54

Convexity

A theory T is convex iff for all finite sets S of literals and for all disjunctions a1 = b1 ∨ … ∨ an = bn:

S implies a1 = b1 ∨ … ∨ an = bn iff S implies ai = bi for some 1 ≤ i ≤ n

Slide55

Convexity: Results

Every convex theory with non-trivial models is stably infinite.

All Horn equational theories are convex.

(formulas of the form s1 ≠ r1 ∨ … ∨ sn ≠ rn ∨ t = t')

Linear rational arithmetic is convex.

Slide56

Convexity: Negative Results

Linear integer arithmetic is not convex

1 ≤ a ≤ 2, b = 1, c = 2 implies a = b ∨ a = c

Nonlinear arithmetic

a² = 1, b = 1, c = -1 implies a = b ∨ a = c

Theory of bit-vectors

Theory of arrays

c1 = read(write(a, i, c2), j), c3 = read(a, j) implies c1 = c2 ∨ c1 = c3

Slide57

Combination of non-convex theories

EUF is convex (O(n log n))

IDL is non-convex (O(nm))

EUF ∪ IDL is NP-Complete

Reduce 3CNF to EUF ∪ IDL

For each boolean variable p_i add 0 ≤ a_i ≤ 1

For each clause p1 ∨ ¬p2 ∨ p3 add f(a1, a2, a3) ≠ f(0, 1, 0)

Slide58

Nelson-Oppen Combination

Slide59

Combining Procedures in Practice

Slide60

Combining Procedures in Practice

Slide61 to Slide69

Example

Slide70

Summary

Main SMT solvers apply CDCL style refinement search of models & proofs.

Efficient SMT solvers rely on propagation and filters to control theory reasoning (instantiating theory axioms).

Combining solvers relies on compositional glue (e.g., by sharing equalities).

Slide71

Horn Clauses and State machines

Slide72

mc(x) = x - 10 if x > 100

mc(x) = mc(mc(x + 11)) if x ≤ 100

assert (x ≤ 101 → mc(x) = 91)

Symbolic model checking as Satisfiability of Horn Clauses

The definition becomes Horn clauses over a relation mc, one per branch of the definition, plus one for the assertion; the solver finds a solution (an interpretation) for mc.

Slide73

Program Verification (Safety) as Solving fixed-points as Satisfiability of Horn clauses

Program Verification as SMT [Bjørner, McMillan, Rybalchenko, SMT workshop 2012]

Hilbert Sausage Factory: [Grebenshchikov, Lopes, Popeea, Rybalchenko, PLDI 2012]
