20100822 satandsmt bruttomesso

SAT and Satisfiability Modulo Theories

Roberto [email protected]

University of Lugano, Switzerland(Universita della Svizzera Italiana)

St.PetersburgSeptember 18, 2010

Roberto Bruttomesso (USI) SAT and SMT St. Petersburg 18/09/10 1 / 32

Outline

1 Introduction

2 SATSAT and SAT-SolversThe DPLL ProcedureThe Enhanced DPLL ProcedureConflict Analysis and Learning

3 SMTFrom SAT to SMTThe Eager ApproachThe Lazy ApproachThe Theory Solver

4 Conclusive Remarks

Efficient Solvers as Core Engines

SATSMT

Theorem Proving

Testing

Automated

Checking

Equiv.Planning

Dependency

Analysis

Security

Bird’s Eye View

efficiency

decidable

undecidable

BDDs SAT−Solvers

SMT−Solvers

First Order Theorem Provers

• SAT is the Boolean Satisfiability Problem

• A set of Boolean variables {a, b, . . .} which may assume values in{⊥,>}

• A set of Boolean operators {∧,∨,¬, . . .} with known semantic (e.g.

> ∧⊥ is ⊥)

• Given a formula ϕ, is there an assignment to the variables such thatϕ evaluates to > ?

• E.g. (a ∨ b) ∧ (¬a ∨ ¬b) is satisfied by the assignment a = >, b = ⊥

• Simple formulation, but enormous relevance in computer science

• “Classical” NP-Complete problem

• A lot of practical problems can be encoded in SAT

> ∧⊥ is ⊥)

The DPLL Procedure

• Remember SAT is NP-Complete

• Still, SAT-Solvers are extremely efficient tools (nowadays), and canhandle (within reasonable time) hundred thousands of variables andclauses∗

• SOTA Solvers are based on the DPLL procedure (Davis PutnamLoveland Longman, ∼1960)

• DPLL assumes the input as a CNF , i.e. a set of clauses , eachclause being a disjuntion of variables or negated variables

(a ∨ ¬b)(c ∨ ¬a ∨ b). . .

The DPLL Procedure

(a ∨ ¬b)(c ∨ ¬a ∨ b). . .

The DPLL Procedure

(a ∨ ¬b)(c ∨ ¬a ∨ b). . .

The DPLL Procedure

(a ∨ ¬b)(c ∨ ¬a ∨ b). . .

The DPLL ProcedureSplitting and Backtracking

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

Splitting on a = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

Splitting on b = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

b = ⊥

Backtracking on b = ⊥

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

b = ⊥

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

a = ⊥

b = ⊥

Backtracking on a = ⊥

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

a = ⊥

b = ⊥

Splitting on b = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

a = ⊥

b = ⊥

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

b = ⊥

a = ⊥

b = ⊥

Backtracking on b = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

b = ⊥

a = ⊥

b = ⊥

No more paths to explore: formula unsatisfiable

The Enhanced DPLL Procedure

Enhancements

• Splitting heuristics : choosing the “right” variable to split upon canmake a great difference

• Unit propagation : if a clause has all literals but one to ⊥, assignthe remaining literal to >

• E.g.: the assignment a = >, b = ⊥ in (¬a ∨ b ∨ c) triggers c = >.Otherwise the clause cannot be satisfied

• A set of unit propagations may result in a conflict . E.g. a = >,b = ⊥

(¬a ∨ b ∨ c), (¬a ∨ ¬c)

• Conflict-Driven Clause Learning (mid ’90s): conflict is analyzedand a new (implied) clause is derived and added to the problem.Huge impact on SAT-Solvers performance

Enhancements

• Unit propagation : if a clause has all literals but one to ⊥, assignthe remaining literal to >

• E.g.: the assignment a = >, b = ⊥ in (¬a ∨ b ∨ c) triggers c = >.Otherwise the clause cannot be satisfied

(¬a ∨ b ∨ c), (¬a ∨ ¬c)

Enhancements

• Unit propagation : if a clause has all literals but one to ⊥, assignthe remaining literal to >• E.g.: the assignment a = >, b = ⊥ in (¬a ∨ b ∨ c) triggers c = >.

Otherwise the clause cannot be satisfied

(¬a ∨ b ∨ c), (¬a ∨ ¬c)

Enhancements

Otherwise the clause cannot be satisfied• A set of unit propagations may result in a conflict . E.g. a = >,

b = ⊥(¬a ∨ b ∨ c), (¬a ∨ ¬c)

Enhancements

Otherwise the clause cannot be satisfied• A set of unit propagations may result in a conflict . E.g. a = >,

b = ⊥(¬a ∨ b ∨ c), (¬a ∨ ¬c)

The Enhanced DPLL ProcedureSplitting and Backtracking

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

Splitting on a = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b)

Unit Propagation on b = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b) (¬a)

Conflict analysis: (¬a ∨ b)⊗ (¬a ∨ ¬b)⇒ (¬a)

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b) (¬a)

a = ⊥

Unit Propagation on a = ⊥

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b) (¬a)

a = ⊥

Unit Propagation on b = >

(a ∨ b) (¬a ∨ b) (a ∨ ¬b) (¬a ∨ ¬b) (¬a)

a = ⊥

Conflict without splitting: formula unsatisfiable

The Enhanced DPLL Procedure (simplified)

while( not all variables assigned )

if ( UnitPropagation( ) == CONFLICT ) // DEDUCTION PHASE

level = ConflictAnalysisAndLearning( ) // DIAGNOSE+LEARN PHASE

if ( level == 0 )

return UNSAT

Backtrack( level )

Split( ) // DECIDE PHASE

return SAT

Conflict Analysis and Learning. . . after a shot of UnitPropagation( )

Clause set(¬a ∨ b)(¬a ∨ c ∨ i)(¬b ∨ ¬c ∨ d)(¬d ∨ e ∨ j)(¬d ∨ f ∨ k)(¬e ∨ ¬f )(a ∨ g ∨ ¬l)(a ∨ h)(¬g ∨ ¬h ∨ ¬m)

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .

a = > SPLITb = > (¬a ∨ b)c = > (¬a ∨ c ∨ i)d = > (¬b ∨ ¬c ∨ d)e = > (¬d ∨ e ∨ j)f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .a = > SPLIT

b = > (¬a ∨ b)c = > (¬a ∨ c ∨ i)d = > (¬b ∨ ¬c ∨ d)e = > (¬d ∨ e ∨ j)f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .a = > SPLITb = > (¬a ∨ b)

c = > (¬a ∨ c ∨ i)d = > (¬b ∨ ¬c ∨ d)e = > (¬d ∨ e ∨ j)f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .a = > SPLITb = > (¬a ∨ b)c = > (¬a ∨ c ∨ i)

d = > (¬b ∨ ¬c ∨ d)e = > (¬d ∨ e ∨ j)f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .a = > SPLITb = > (¬a ∨ b)c = > (¬a ∨ c ∨ i)d = > (¬b ∨ ¬c ∨ d)

e = > (¬d ∨ e ∨ j)f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .a = > SPLITb = > (¬a ∨ b)c = > (¬a ∨ c ∨ i)d = > (¬b ∨ ¬c ∨ d)e = > (¬d ∨ e ∨ j)

f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .l = > . . .m = > . . .a = > SPLITb = > (¬a ∨ b)c = > (¬a ∨ c ∨ i)d = > (¬b ∨ ¬c ∨ d)e = > (¬d ∨ e ∨ j)f = > (¬d ∨ f ∨ k)

(¬e ∨ ¬f )

(¬e ∨ ¬f ) (¬d ∨ f ∨ k)f

(¬e ∨ ¬d ∨ k)

(¬e ∨ ¬f ) (¬d ∨ f ∨ k)f

(¬e ∨ ¬d ∨ k) (¬d ∨ e ∨ j)e

(¬d ∨ j ∨ k)

(¬e ∨ ¬f ) (¬d ∨ f ∨ k)f

(¬e ∨ ¬d ∨ k) (¬d ∨ e ∨ j)e

(¬d ∨ j ∨ k) (¬b ∨ ¬c ∨ d)d

(¬b ∨ ¬c ∨ j ∨ k)

(¬e ∨ ¬f ) (¬d ∨ f ∨ k)f

(¬e ∨ ¬d ∨ k) (¬d ∨ e ∨ j)e

(¬d ∨ j ∨ k) (¬b ∨ ¬c ∨ d)d

(¬b ∨ ¬c ∨ j ∨ k) (¬a ∨ c ∨ i)c

(¬b ∨ ¬a ∨ j ∨ k ∨ i)

(¬e ∨ ¬f ) (¬d ∨ f ∨ k)f

(¬e ∨ ¬d ∨ k) (¬d ∨ e ∨ j)e

(¬d ∨ j ∨ k) (¬b ∨ ¬c ∨ d)d

(¬b ∨ ¬c ∨ j ∨ k) (¬a ∨ c ∨ i)c

(¬b ∨ ¬a ∨ j ∨ k ∨ i) (¬a ∨ b)b

(¬a ∨ j ∨ k ∨ i)

Clause set(¬a ∨ b)(¬a ∨ c ∨ i)(¬b ∨ ¬c ∨ d)(¬d ∨ e ∨ j)(¬d ∨ f ∨ k)(¬e ∨ ¬f )(a ∨ g ∨ ¬l)(a ∨ h)(¬g ∨ ¬h ∨ ¬m)(¬a ∨ j ∨ k ∨ i)

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .

a = ⊥ (¬a ∨ j ∨ k ∨ i)

Assignment Reasoni = ⊥ . . .j = ⊥ . . .k = ⊥ . . .a = ⊥ (¬a ∨ j ∨ k ∨ i)

Importance of Learning

• Conflict analysis is important to understand where to backtrack in thesearch

• Learning a clause (a ∨ b ∨ ¬c) prevents the SAT-Solver to search allthe assignments of the form {a = ⊥, b = ⊥, c = >, . . .}

• It is an exponential pruning of the search space ! There are 2n−3

such assignments, where n is the number of variables in the problem

• We can refer to a learnt clause as to a blocking clause .Understanding this mechanism is crucial to understand SMT as well

SMT: Satisfiability Modulo Theories

In SMT we have

• A (decidable) theory T (e.g. linear integer arithmetic), over asignature Σ (e.g. {+,−,≤,=, 0, 1, . . .})

• A set of Boolean variables a, b, . . ., with values in {⊥,>} and a setTheory variables x , y , . . . that may assume values in the domain of

T (e.g. Z)

• A theory atom is a predicate in T (e.g. x + y < 3)

• Given a formula ϕ in T , is there an assignment to the Boolean andTheory variables such that ϕ evaluates to > ?

• E.g. ((x + y = 3 ∨ ¬a) ∧ y ≤ 1), is satisfied, for instance, by theassignment {x = 2, y = 1, a = >}

In SMT we have

T (e.g. Z)

In SMT we have

T (e.g. Z)

In SMT we have

T (e.g. Z)

In SMT we have

T (e.g. Z)

The Eager Approach

• Reduce the SMT problem to a purely SAT problem

• Step 1: compute the Boolean abstraction of the problem

• Step 2: exhaustively add blocking clauses representing theory incompatibilities

• Step 3: send the formula to a SAT-Solver

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

a ≡ x − y ≤ 3b ≡ x − y ≤ −1c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

i.e. a ∧ c ∧ e is unsatisfiable in T

i.e. (¬a ∨ ¬c ∨ ¬e) is valid in TThe SAT formula is satisfiable iff the originalSMT formula is.

The Eager Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

a ≡ x − y ≤ 3

b ≡ x − y ≤ −1c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

a ≡ x − y ≤ 3

b ≡ x − y ≤ −1c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

a ≡ x − y ≤ 3b ≡ x − y ≤ −1

c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(c ∨ d)(e)(¬a ∨ ¬c ∨ ¬e)

(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

i.e. (¬a ∨ ¬c ∨ ¬e) is valid in T

The SAT formula is satisfiable iff the originalSMT formula is.

The Eager Approach

(a ∨ b)(c ∨ d)(e)(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e)

. . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(c ∨ d)(e)(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .

(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(c ∨ d)(e)(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

The Eager Approach

(a ∨ b)(c ∨ d)(e)(¬a ∨ ¬c ∨ ¬e)(¬a ∨ ¬d ∨ ¬e). . .(a ∨ ¬b). . .

Consider

(a) x − y ≤ 3(c) y − z ≤ 5(e) z − x ≤ −15

0 ≤ −7

i.e. (¬a ∨ ¬c ∨ ¬e) is valid in T

The SAT formula is satisfiable iff the originalSMT formula is.

The Eager ApproachDrawbacks

• Inconsistencies between theory atoms have to be computed upfront

• There are exponentially many potential inconsistencies to test

• However in general only a small subset of all inconsistencies issufficient to determine the satisfiability of an SMT formula

• From eager to lazy: try to add clauses “lazily” to the Booleanabstraction

The Lazy or DPLL(T) approach

((x + y = 3 ∨ ¬a) ∧ y ≤ 1)

• Decision procedures for T are usually available for conjunctionsof constraints. Examples

• Union-find for Equality with Uninterpreted Functions• Simplex algorithm for Linear Rational Arithmetic• . . .

• However disjunction has to be taken into account . . .

• Idea: use a SAT-Solver to enumerate potential propositional

assignments, and use Theory-Solver to check feasibility in T

The Lazy or DPLL(T) approach

((x + y = 3 ∨ ¬a) ∧ y ≤ 1)

• Decision procedures for T are usually available for conjunctionsof constraints. Examples

• Union-find for Equality with Uninterpreted Functions• Simplex algorithm for Linear Rational Arithmetic• . . .

• However disjunction has to be taken into account . . .

• Idea: use a SAT-Solver to enumerate potential propositional

assignments, and use Theory-Solver to check feasibility in T

The Lazy Approach

• Enumerate Boolean combinations of theory atoms and check them w.r.t. the theory T

• Step 1: compute the Boolean abstraction of the problem• Repeat

• Step 2: guess a Boolean assignment

• Step 3: check the assignment w.r.t. T

• Step 4: add a blocking clause if the assignemt is not consistent in T

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

SAT-Solver Theory-Solver

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

• Repeat

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(x − y ≤ 3 ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

a ≡ x − y ≤ 3

b ≡ x − y ≤ −1c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ x − y ≤ −1)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

a ≡ x − y ≤ 3

b ≡ x − y ≤ −1c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ b)(y − z ≤ 5 ∨ y − z ≤ 4)(z − x ≤ −15)

(¬a ∨ ¬c ∨ ¬e)

a ≡ x − y ≤ 3b ≡ x − y ≤ −1

c ≡ y − z ≤ 5d ≡ y − z ≤ 4e ≡ z − x ≤ −15

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)

SAT-Solver

Theory-Solver

z − x ≤ −15

x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)

SAT-Solver

Theory-Solver

z − x ≤ −15x − y ≤ 3

y − z ≤ 5�

The Lazy Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)

SAT-Solver

Theory-Solver

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ b)(c ∨ d)(e)

(¬a ∨ ¬c ∨ ¬e)

SAT-Solver

Theory-Solver

z − x ≤ −15x − y ≤ 3y − z ≤ 5

The Lazy Approach

(a ∨ b)(c ∨ d)(e)(¬a ∨ ¬c ∨ ¬e)

SAT-Solver

Theory-Solver

z − x ≤ −15x − y ≤ 3y − z ≤ 5

if ( UnitPropagation( ) == CONFLICT ) // DEDUCTION PHASE

if ( level == 0 )

return UNSAT

Backtrack( level )

return SAT

if ( UnitPropagation( ) == CONFLICT // DEDUCTION PHASE

|| CheckTheory( ) == CONFLICT ) // CALLS THEORY SOLVER

if ( level == 0 )

return UNSAT

Backtrack( level )

return SAT

The Theory Solver

• Keeps a set of active constraints, that are received and dropped in astack-based manner

• From time to time checks whether the set is theory-consistent

• The Theory Solver performance is crucial for the overall SMT-Solverperformance

• (Some) Desirable features:

• Incrementality & Backtrackability

• Conflict Producing

• Theory Propagation

The Theory Solver

A Theory Solver for Difference Logics

• In Difference Logic theory atoms are of the form

x − y ≤ c

where x and y are integer or rational variables, and c is a constant

• Useful to encode, for instance, scheduling problems and timedautomata

• The problem of checking satisfiability can be turned into findingnegative cycles in a directed weighted graph

• Each variable is encoded as a node. A constraint x − y ≤ c isencoded into the arc

x − y ≤ c

Example:x − y ≤ 8

y − z ≤ −1x − z ≤ −6z − w ≤ 2w − x ≤ −10w − t ≤ 0t − x ≤ 3

————–0 ≤ −1

3 −10

Example:x − y ≤ 8

y − z ≤ −1x − z ≤ −6z − w ≤ 2w − x ≤ −10w − t ≤ 0t − x ≤ 3

————–0 ≤ −1

3 −10

Incremental Solving

• The ability of solving theory atoms incrementally, is extremelyimportant for efficiency

• The Theory-Solver “receives” theory atoms from the SAT-Solverincrementally. A set of successful theory consistency checks istherefore performed on a growing set of constraints

S0 ⊂ S1 ⊂ . . . ⊂ Sn

• When checking the consistency of Si we want the solver to reuse theeffort of step Si−1

Incremental Solving in Difference Logic

• In Difference Logic incremental consistency check can be performedwith a SSSP algorithm (single source shortest path), such as theBellman-Ford algorithm or its variations

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9

w − t ≤ 0t − x ≤ −10

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9w − t ≤ 0t − x ≤ −10

Retrieving Conflict

• The set of conflicting atoms is usually a small subset of all the set ofatoms under consideration

• The smaller the confict, the better (more search space is pruned away)

• In Difference Logic it is sufficient to keep track of a parentinformation in the graph

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9w − t ≤ 0t − x ≤ −10

Retrieving Conflict

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9w − t ≤ 0t − x ≤ −10

Retrieving Conflict

x − y ≤ 8y − z ≤ −1z − x ≤ −6z − w ≤ 2w − x ≤ −9w − t ≤ 0t − x ≤ −10

Theory Propagation

• We use the current state of the Theory Solver to infer the truth ofother theory atoms

• (it is the “theory” counterpart of UnitPropagation for Booleans)

• Suppose we have the following situation:• x − y ≤ 1 and y − z ≤ 2 are both assigned to >• x − z ≤ 5 is part of the initial formula but is currently not assigned a

value by the SAT-Solver

• However we know that (x − y ≤ 1 ∧ y − z ≤ 2)→ (x − z ≤ 5)• (or, in clausal form (¬(x − y ≤ 1) ∨ ¬(y − z ≤ 2) ∨ (x − z ≤ 5)))• Adding the clause to the SAT-Solver will cause the atom (x − z ≤ 5)

to be assigned to >

constraint is not assigned

Theory Propagation

• (it is the “theory” counterpart of UnitPropagation for Booleans)• Suppose we have the following situation:

• x − y ≤ 1 and y − z ≤ 2 are both assigned to >• x − z ≤ 5 is part of the initial formula but is currently not assigned a

value by the SAT-Solver

• However we know that (x − y ≤ 1 ∧ y − z ≤ 2)→ (x − z ≤ 5)• (or, in clausal form (¬(x − y ≤ 1) ∨ ¬(y − z ≤ 2) ∨ (x − z ≤ 5)))• Adding the clause to the SAT-Solver will cause the atom (x − z ≤ 5)

to be assigned to >

Theory Propagation

value by the SAT-Solver• However we know that (x − y ≤ 1 ∧ y − z ≤ 2)→ (x − z ≤ 5)

• (or, in clausal form (¬(x − y ≤ 1) ∨ ¬(y − z ≤ 2) ∨ (x − z ≤ 5)))• Adding the clause to the SAT-Solver will cause the atom (x − z ≤ 5)

to be assigned to >

Theory Propagation

value by the SAT-Solver• However we know that (x − y ≤ 1 ∧ y − z ≤ 2)→ (x − z ≤ 5)• (or, in clausal form (¬(x − y ≤ 1) ∨ ¬(y − z ≤ 2) ∨ (x − z ≤ 5)))

• Adding the clause to the SAT-Solver will cause the atom (x − z ≤ 5)to be assigned to >

Theory Propagation

value by the SAT-Solver• However we know that (x − y ≤ 1 ∧ y − z ≤ 2)→ (x − z ≤ 5)• (or, in clausal form (¬(x − y ≤ 1) ∨ ¬(y − z ≤ 2) ∨ (x − z ≤ 5)))• Adding the clause to the SAT-Solver will cause the atom (x − z ≤ 5)

to be assigned to >

Theory Propagation

value by the SAT-Solver• However we know that (x − y ≤ 1 ∧ y − z ≤ 2)→ (x − z ≤ 5)• (or, in clausal form (¬(x − y ≤ 1) ∨ ¬(y − z ≤ 2) ∨ (x − z ≤ 5)))• Adding the clause to the SAT-Solver will cause the atom (x − z ≤ 5)

to be assigned to >

Summing up

• Lazy SMT is the efficient combination of• SAT-Solving techniques (DPLL procedure)• Decision procedures for decidable first order theories

• Intuitively, the SAT-Solver guesses a particular assignment of theoryatoms

• while the Theory-Solver checks whether the assignment is correct inthe theory

• The Theory-Solver can communicate with SAT by means of clausesthat represent valid statements in the theory

Summing up

The Theory-Solver is required to

• Solve theory atoms incrementally

• Produce conflicts

• Produce theory propagations (deduce thruth value of unassignedtheory atoms, based on the currently assigned ones)

Some theories of interest in Formal Verification

• Equality and Uninterpreted Functions [19, 15]

• Difference Logics [18, 12, 6]

• Linear Rational Arithmetic [6, 16]

• Linear Integer Arithmetic [6, 16]

• Bit-Vectors [17, 2, 7, 11]

• Arrays [4, 2, 14]

• Combination of Theories [15, 5, 9]

Some available SMT-Solvers

• Barcelogic, (Barcelona, Spain) [3]

• CVC3, (NYU, New York, USA) [1]

• MathSAT, (FBK, Trento (Italy) [8]

• OpenSMT, (Lugano, Switzerland) [10]

• Yices, (SRI International, USA)

• Z3, (Microsoft Research, Redmond, USA) [13]

SMT-LIB

• The SMT-LIB (www.smtlib.org) is an initiative that

promotes the collection of SMT benchmarks, and the

definition of a common input language for SMT-Solvers

• The SMT-COMP is an annual competition of SMT-Solvers on

a common set of benchmarks. Usually affiliated with

CAV or CADE conferences (www.smtcomp.org)

C. Barrett and C. Tinelli.CVC3.In CAV’07, 2007.

A. Biere and R. Brummayer.The Boolector SMT Solver.In TACAS, 2009.

M. Bofill, R. Nieuwenhuis, A. Oliveras, E. Rodrıguez Carbonell, andA. Rubio.The Barcelogic SMT Solver.In A. Gupta and S. Malik, editors, CAV’08, volume 5123 of LectureNotes in Computer Science, pages 294–298. Springer, 2008.

M. Bofill, R. Nieuwenhuis, A. Oliveras, E. Rodrguez-Carbonell, andA. Rubio.A Write-Based Solver for SAT Modulo the Theory of Arrays.In FMCAD, pages 101–108, 2008.

M. Bozzano, R. Bruttomesso, A. Cimatti, T. Junttila, S. Ranise,P. van Rossum, and R. Sebastiani.

Efficient Theory Combination via Boolean Search.Information Computation, 204(10):1493–1525, 2006.

M. Bozzano, R. Bruttomesso, A. Cimatti, T. Junttila, P. van Rossum,S. Schulz, and R. Sebastiani.MathSAT: Tight Integration of SAT and Mathematical DecisionProcedures.JAR, 35(1-3):265–293, 2005.

R. Bruttomesso, A. Cimatti, A. Franzen, A. Griggio, Z. Hanna,A. Nadel, A. Palti, and R. Sebastiani.A Lazy and Layered SMT(BV) Solver for Hard Industrial VerificationProblems.In CAV, pages 247–260, 2007.

R. Bruttomesso, A. Cimatti, A. Franzen, A. Griggio, andR. Sebastiani.The MathSAT 4 SMT Solver.In CAV, pages 299–303, 2008.

R. Bruttomesso, A. Cimatti, A. Franzen, A. Griggio, andR. Sebastiani.Delayed theory combination vs. Nelson-Oppen for satisfiability modulotheories: a comparative analysis.Annals of Mathematics and Artificial Intelligence, 2009.

R. Bruttomesso, E. Pek, N. Sharygina, and A. Tsitovich.The OpenSMT Solver.In TACAS, 2010.

R. Bruttomesso and N. Sharygina.A Scalable Decision Procedure for Fixed-Width Bit-Vectors.In ICCAD, 2009.

S. Cotton and O. Maler.Fast and Flexible Difference Constraint Propagation for DPLL(T).In SAT’06, pages 170–183, 2006.

L. de Moura and N. Bjørner.Z3: An Efficient SMT Solver.In TACAS’08, pages 337–340, 2008.

L. de Moura and N. Bjørner.Generalized, Efficient Array Decision Procedures.In FMCAD, 2009.

D. Detlefs, G. Nelson, and J. B. Saxe.Simplify: a theorem prover for program checking.Journal of ACM, 52(3):365–473, 2005.

B. Dutertre and L. M. de Moura.A Fast Linear-Arithmetic Solver for DPLL(T).In CAV’06, pages 81–94, 2006.

V. Ganesh and D. L. Dill.A Decision Procedure for Bit-Vectors and Arrays.In CAV, pages 519–531, 2007.

R. Nieuwenhuis and A. Oliveras.DPLL(T) with Exhaustive Theory Propagation and Its Application toDifference Logic.In CAV’05, pages 321–334, 2005.

R. Nieuwenhuis and A. Oliveras.Proof-Producing Congruence Closure.In RTA’05, pages 453–468, 2005.

20100822 satandsmt bruttomesso

Documents