Modulo Theories Manchester 2009 Leonardo de Moura Microsoft Research Symbolic Reasoning Quantifiers in Satisfiability Modulo Theories PSpace complete QBF Undecidable Firstorder logic ID: 1047453
Download Presentation The PPT/PDF document "Quantifiers in Satisfiability" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
1. Quantifiers in Satisfiability Modulo Theories Manchester 2009Leonardo de MouraMicrosoft Research
2. Symbolic ReasoningQuantifiers in Satisfiability Modulo TheoriesPSpace-complete(QBF)Undecidable(First-order logic)NP-complete(Propositional logic)NEXPTime-complete(EPR)P-time(Equality)Logic is “The Calculus of Computer Science” (Z. Manna).High computational complexity
3. Satisfiability Modulo Theories (SMT)Quantifiers in Satisfiability Modulo TheoriesIs formula F satisfiable modulo theory T ? SMT solvers have specialized algorithms for T
4. Satisfiability Modulo Theories (SMT)Quantifiers in Satisfiability Modulo Theoriesb + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)
5. Satisfiability Modulo Theories (SMT)Quantifiers in Satisfiability Modulo TheoriesArithmeticb + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)
6. Satisfiability Modulo Theories (SMT)Quantifiers in Satisfiability Modulo TheoriesArithmeticArray Theoryb + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)
7. Satisfiability Modulo Theories (SMT)Quantifiers in Satisfiability Modulo TheoriesArithmeticArray TheoryUninterpreted Functionsb + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)
8. TheoriesA Theory is a set of sentencesAlternative definition:A Theory is a class of structuresTh(M) is the set of sentences that are true in the structure MQuantifiers in Satisfiability Modulo Theories
9. SMT: Some Applications @ MicrosoftQuantifiers in Satisfiability Modulo TheoriesVCCHyper-VTerminator T-2NModelHAVOCF7SAGEVigilanteSpecExplorer
10. SMT@Microsoft: SolverQuantifiers in Satisfiability Modulo TheoriesZ3 is a new solver developed at Microsoft Research.Development/Research driven by internal customers.Free for academic research.Interfaces:http://research.microsoft.com/projects/z3
11. SMT x First-order proversQuantifiers in Satisfiability Modulo TheoriesT may not have a finite axiomatization
12. SMT x SATQuantifiers in Satisfiability Modulo TheoriesFor some theories, SMT can be reduced to SATbvmul32(a,b) = bvmul32 (b,a)Higher level of abstraction
13. Ground formulasFor most SMT solvers: F is a set of ground formulas Quantifiers in Satisfiability Modulo TheoriesMany ApplicationsBounded Model CheckingTest-Case Generation
14. DPLLM | FQuantifiers in Satisfiability Modulo TheoriesPartial modelSet of clauses
15. DPLLGuessingQuantifiers in Satisfiability Modulo Theories p, q | p q, q r p | p q, q r
16. DPLLDeducingQuantifiers in Satisfiability Modulo Theories p, s| p q, p s p | p q, p s
17. DPLLBacktrackingQuantifiers in Satisfiability Modulo Theories p, s| p q, s q, p q p, s, q | p q, s q, p q
18. Solvers = DPLL + Decision ProceduresEfficient decision procedures for conjunctions of ground atoms.Quantifiers in Satisfiability Modulo Theories a=b, a<5 | a=b f(a)=f(b), a < 5 a > 10Difference LogicBelmann-FordUninterpreted functionsCongruence closureLinear arithmeticSimplexEfficient algorithms
19. Model GenerationHow to represent the model of satisfiable formulae?Functor: Given a model M for TGenerate a model M’ for F (modulo T)Example:F: f(a) = 0 and a > b and f(b) > f(a) + 1Quantifiers in Satisfiability Modulo TheoriesSymbolInterpretationa1b0fite(x=1, 0, 2)M’:
20. Model GenerationHow to represent the model of satisfiable formulae?Functor: Given a model M for TGenerate a model M’ for F (modulo T)Example:F: f(a) = 0 and a > b and f(b) > f(a) + 1Quantifiers in Satisfiability Modulo TheoriesSymbolInterpretationa1b0fite(x=1, 0, 2)Interpretation is given using T-symbolsM’:
21. Model GenerationHow to represent the model of satisfiable formulae?Functor: Given a model M for TGenerate a model M’ for F (modulo T)Example:F: f(a) = 0 and a > b and f(b) > f(a) + 1Quantifiers in Satisfiability Modulo TheoriesSymbolInterpretationa1b0fite(x=1, 0, 2)Non ground term(lambda expression)M’:
22. Model CheckingQuantifiers in Satisfiability Modulo TheoriesSymbolInterpretationa1b0fite(x=1, 0, 2)M’:Is x: f(x) > 0 satisfied by M’? Yes,not (ite(k=1,0,2) > 0) is unsatisfiable
23. Model CheckingSymbolInterpretationa1b0fite(x=1, 0, 2)M’:Is x: f(x) > 0 satisfied by M’? Yes,not (ite(k=1,0,2) > 0) is unsatisfiable Negated quantifier Replaced f by its interpretation Replaced x by fresh constant k
24. Verifying CompilersQuantifiers in Satisfiability Modulo Theoriespre/post conditionsinvariantsand other annotations
25. Verification conditions: StructureBIGand-or tree(ground) Axioms(non-ground)Control & Data Flow
26. Main ChallengeQuantifiers, quantifiers, quantifiers, …Modeling the runtime h,o,f: IsHeap(h) o ≠ null read(h, o, alloc) = t read(h,o, f) = null read(h, read(h,o,f),alloc) = tQuantifiers in Satisfiability Modulo Theories
27. Main ChallengeQuantifiers, quantifiers, quantifiers, …Modeling the runtimeFrame axioms o, f: o ≠ null read(h0, o, alloc) = t read(h1,o,f) = read(h0,o,f) (o,f) M Quantifiers in Satisfiability Modulo Theories
28. Main ChallengeQuantifiers, quantifiers, quantifiers, …Modeling the runtimeFrame axiomsUser provided assertions i,j: i j read(a,i) read(b,j)Quantifiers in Satisfiability Modulo Theories
29. Main ChallengeQuantifiers, quantifiers, quantifiers, …Modeling the runtimeFrame axiomsUser provided assertionsTheoriesx: p(x,x)x,y,z: p(x,y), p(y,z) p(x,z)x,y: p(x,y), p(y,x) x = yQuantifiers in Satisfiability Modulo Theories
30. Main ChallengeQuantifiers, quantifiers, quantifiers, …Modeling the runtimeFrame axiomsUser provided assertionsTheoriesSolver must be fast in satisfiable instances.Quantifiers in Satisfiability Modulo TheoriesWe want to find bugs!
31. Some statisticsGrand challenge: Microsoft Hypervisor70k lines of dense C codeVCs have several MbThousands of non ground clausesDevelopers are willing to wait at most 5 min per VCQuantifiers in Satisfiability Modulo Theories
32. Many ApproachesQuantifiers in Satisfiability Modulo Theories
33. E-matching & Quantifier instantiationQuantifiers in Satisfiability Modulo TheoriesSMT solvers use heuristic quantifier instantiation.E-matching (matching modulo equalities).Example:x: f(g(x)) = x { f(g(x)) }a = g(b), b = c,f(a) c Trigger
34. E-matching & Quantifier instantiationQuantifiers in Satisfiability Modulo TheoriesSMT solvers use heuristic quantifier instantiation.E-matching (matching modulo equalities).Example:x: f(g(x)) = x { f(g(x)) }a = g(b), b = c,f(a) c x=bf(g(b)) = bEqualities and ground terms come from the partial model M
35. E-matching: why do we use it?Quantifiers in Satisfiability Modulo TheoriesIntegrates smoothly with DPLL.Software verification problems are big & shallow.Decides useful theories: ArraysPartial orders…
36. Efficient E-matchingQuantifiers in Satisfiability Modulo TheoriesE-matching is NP-Hard.In practiceProblemIndexing TechniqueFast retrievalE-matching code treesIncremental E-MatchingInverted path index
37. E-matching code treesQuantifiers in Satisfiability Modulo TheoriesTrigger: f(x1, g(x1, a), h(x2), b)Instructions:init(f, 2)check(r4, b, 3)bind(r2, g, r5, 4)compare(r1, r5, 5)check(r6, a, 6)bind(r3, h, r7, 7)yield(r1, r7)CompilerSimilar triggers share several instructions.Combine code sequences in a code tree
38. E-matching: LimitationsQuantifiers in Satisfiability Modulo TheoriesE-matching needs ground seeds.x: p(x),x: not p(x)
39. E-matching: LimitationsQuantifiers in Satisfiability Modulo TheoriesE-matching needs ground seeds.Bad user provided triggers:x: f(g(x))=x { f(g(x)) }g(a) = c,g(b) = c,a bTrigger is too restrictive
40. E-matching: LimitationsQuantifiers in Satisfiability Modulo TheoriesE-matching needs ground seeds.Bad user provided triggers:x: f(g(x))=x { g(x) }g(a) = c,g(b) = c,a bMore “liberal”trigger
41. E-matching: LimitationsQuantifiers in Satisfiability Modulo TheoriesE-matching needs ground seeds.Bad user provided triggers:x: f(g(x))=x { g(x) }g(a) = c,g(b) = c,a b,f(g(a)) = a,f(g(b)) = ba=b
42. E-matching: LimitationsQuantifiers in Satisfiability Modulo TheoriesE-matching needs ground seeds.Bad user provided triggers.It is not refutationally complete.False positives
43. DPLL()Quantifiers in Satisfiability Modulo TheoriesTight integration: DPLL + Saturation solver.BIGand-or tree(ground)Axioms(non-ground)Saturation SolverDPLL + Theories
44. DPLL()Quantifiers in Satisfiability Modulo TheoriesInference rule:DPLL() is parametric.Examples:ResolutionSuperposition calculus…
45. DPLL()Quantifiers in Satisfiability Modulo TheoriesM | FPartial modelSet of clauses
46. DPLL(): Deduce IQuantifiers in Satisfiability Modulo Theoriesp(a) | p(a)q(a), x: p(x)r(x), x: p(x)s(x)
47. DPLL(): Deduce IQuantifiers in Satisfiability Modulo Theoriesp(a) | p(a)q(a), p(x)r(x), p(x)s(x)
48. DPLL(): Deduce IQuantifiers in Satisfiability Modulo Theoriesp(a) | p(a)q(a), p(x)r(x), p(x)s(x)p(a) | p(a)q(a), p(x)r(x), p(x)s(x), r(x)s(x) Resolution
49. Using ground atoms from M:M | FMain issue: backtracking.Hypothetical clauses: H CDPLL(): Deduce IIQuantifiers in Satisfiability Modulo Theories (regular) Clause(hypothesis) Ground literalsTrack literals from M used to derive C
50. DPLL(): Deduce IIQuantifiers in Satisfiability Modulo Theoriesp(a) | p(a)q(a), p(x)r(x)p(a) | p(a)q(a), p(x)r(x), p(a)r(a)p(a), p(x)r(x)r(a)
51. DPLL(): BacktrackingQuantifiers in Satisfiability Modulo Theoriesp(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …
52. DPLL(): BacktrackingQuantifiers in Satisfiability Modulo Theoriesp(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …p(a) is removed from Mp(a) | p(a)q(a), p(a)r(a), …
53. DPLL(): ImprovementQuantifiers in Satisfiability Modulo TheoriesSaturation solver ignores non-unit ground clauses.p(a) | p(a)q(a), p(x)r(x)
54. DPLL(): ImprovementQuantifiers in Satisfiability Modulo TheoriesSaturation solver ignores non-unit ground clauses.It is still refutanionally complete if: has the reduction property.BIGand-or tree(ground)Axioms(non-ground)Saturation SolverDPLL + Theories
55. DPLL +TheoriesSaturationSolverDPLL(): ImprovementQuantifiers in Satisfiability Modulo TheoriesSaturation solver ignores non-unit ground clauses.It is still refutanionally complete if: has the reduction property.Ground literalsGround clauses
56. DPLL(): ProblemQuantifiers in Satisfiability Modulo TheoriesInterpreted symtbols (f(a) > 2), f(x) > 5It is refutationally complete ifInterpreted symbols only occur in ground clausesNon ground clauses are variable inactive“Good” ordering is used
57. Non ground clauses + interpreted symbolsQuantifiers in Satisfiability Modulo TheoriesThere is no sound and refutationally completeprocedure for linear arithmetic + unintepreted function symbols
58. Essentially unintepreted fragmentQuantifiers in Satisfiability Modulo TheoriesUniversal variables only occur as arguments of uninterpreted symbols.x: f(x) + 1 > g(f(x))x,y: f(x+y) = f(x) + f(y)
59. Almost unintepreted fragmentQuantifiers in Satisfiability Modulo TheoriesRelax restriction on the occurrence of universal variables.not (x y)not (x t)f(x + c)x =c t…
60. Complete quantifier instantiationQuantifiers in Satisfiability Modulo TheoriesIf F is in the almost uninterpreted fragmentConvert F into an equisatisfiable (modulo T) set of ground clauses F* F* may be infinite It is a decision procedure if F* is finiteSubsumes EPR, Array Property Fragment, Stratified Vocabularies for Many Sorted Logic
61. Generating F* (for the essentially unintepreted fragment)Quantifiers in Satisfiability Modulo TheoriesF induces a system F of set constraintsSk,i set of ground instances for variable xi in clause CkAf,j set of ground j-th arguments of fj-th argument of f in clause CkSet Constrainta ground term tt Af,jt [x1,…,xn]t [Sk,1,…,Sk,n] Af,jxiSk,i Af,jF* is generated using the least solution of FF* = { Ck [Sk,1,…,Sk,n] | Ck F }
62. Generating F* (for the essentially unintepreted fragment)Quantifiers in Satisfiability Modulo TheoriesF induces a system F of set constraintsSk,i set of ground instances for variable xi in clause CkAf,j set of ground j-th arguments of fj-th argument of f in clause CkSet Constrainta ground term tt Af,jt [x1,…,xn]t [Sk,1,…,Sk,n] Af,jxiSk,i Af,jF* is generated using the least solution of FF* = { Ck [Sk,1,…,Sk,n] | Ck F }We assume the least solution is not empty
63. Generating F*: ExampleQuantifiers in Satisfiability Modulo Theoriesg(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 < f(x1),h(b) = 1, f(a) = 0S1,1= Ag,1 = { f(a) } S1,2= Ag,2 = Ah,1 = {b}S2,1= Af,1= {a}S1,1= Ag,1, S1,2= Ag,2, S1,2= Ah,1S2,1= Af,1, f(S2,1) Ag,1, b Ag,2b Ah,1, a Af,1Least solutionFFg(f(a), b) = 0 h(b) = 0,g(f(a),b) + 1 < f(a),h(b) = 1, f(a) = 0F*
64. Refutationally complete procedureQuantifiers in Satisfiability Modulo TheoriesCompactnessA set F of first order sentences is unsatisifiable iff it contains an unsatisfiable finite subset If we view T as a set of sentencesApply compactness to T F*
65. ExampleQuantifiers in Satisfiability Modulo Theoriesx: f(f(x)) > f(x)x: f(x) < af(0) = 0f(f(0)) > f(0), f(f(f(0))) > f(f(0)), …f(0) < a, f(f(0)) < a, …f(0) = 0Satisfiable if T is Th(Z), but unsatisfiable T is the the class of structures Exp(Z)
66. CEGAR-like loop for quantifiersQuantifiers in Satisfiability Modulo Theories
67. What is the best approach?Quantifiers in Satisfiability Modulo TheoriesThere is no winnerPortfolio of algorithms/techniques
68. Parallel Z3Joint work with Y. Hamadi (MSRC) and C. WintersteigerMulti-core & Multi-node (HPC)Different strategies in parallelCollaborate exchanging lemmasQuantifiers in Satisfiability Modulo Theories
69. ConclusionQuantifiers in Satisfiability Modulo TheoriesSome VCs produced by verifying compilers are very challengingMost VCs contain many non ground formulasZ3 2.0 won all -divisions in SMT-COMP’08 Many challengesMany approaches/algorithmsThank You!