an introduction to smt solvers - open-do.org · an introduction to smt solvers johannes kanig...
TRANSCRIPT
An Introduction to SMT Solvers
Johannes Kanig
INRIA, LRI, ProVal team
2 juin 2010
AdaCore
Contents
Introduction
Overview
SMT SolversEquality ReasoningArithmeticCombination of TheoriesSatis�abilityCombining SAT and the TheoriesMatching
Looking Elsewhere
Conclusion
Automated Theorem Proving
Who does prove Theorems today?
I Mathematicians
I Hardware veri�cation
I Software veri�cation
Automation of proofs
I Makes life easier for mathematicians
I Makes it possible to state (and prove) thousands of tinytheorems
I Makes large-scale veri�cation of hardware and softwareaccessible and more reliable
The ProVal Team
Main Topic: Program proof
I Speci�cation languages
I Computing proof obligations (formulas that imply thecorrectness of the program)
I Proving proof obligations
Tools (Why Platform)
I Caduceus, Krakatoa: C/Java frontends
I Jessie: Common intermediate language
I Why: Obtain proof obligations from programs
I Alt-Ergo: Automated prover (SMT Solver)
The Why platform
C/Java Programs ML-like Programs
Jessie Coq Who Pangolin
Why Pangoline
Z3 Alt-Ergo Coq
A logical formula . . .
sorted(t, i , j) =
∀k1, k2 : int . i ≤ k1 ∧ k1 ≤ k2 ∧ k2 ≤ j ⇒ t[k1] ≤ t[k2]
. . . as seen by an SMT solver
sorted(t, i , j) =
∀k1, k2 : int
⇓
i ≤ k1
∧
k1 ≤ k2
∧
k2 ≤ j
⇒
t[k1] ≤ t[k2]
Instantiation
Logic reasoning
Theory reasoning (here: Arithmetic)
Satis�ability Modulo Theories
SMT provers divide the problem in three parts
I The theory part: equality reasoning, arithmetic reasoning, . . .
I The satis�ability part: deals with logical connectors∧ , ∨ , ⇒, ¬,. . .
I The instantiation of quanti�ed axioms
We will look at each of the three parts in turn
The di�erent parts of an SMT solver
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
A more detailed example
Hypotheses
I H1 : a > 0
I H2 : ∀xy .x ≥ y → max(x , y) = x
GoalG : f (max(a, 0)) = f (a)
Solved by an SMT Solver (1)
Negate the Goal
H1 ∧ H2 → G becomes H1 ∧ H2 ∧ ¬G
Launch Sat-SolverAssume H1, H2 and ¬G and try to derive a contradiction
I Assume the inequality a > 0
I Register the lemma: ∀xy .x ≥ y → max(x , y) = x
I Assume the inequality f (max(a, 0)) 6= f (a)
I Currently no contradiction!
InstantiationSpecialize the lemma by applying it to a and 0 and replace →:a ≥ 0→ max(a, 0) = a ⇔ a < 0 ∨ max(a, 0) = a
Solved by an SMT Solver (2)
Split the disjunction
First assume a < 0, then assume ¬(a < 0), try to �nd acontradiction in both cases
Assuming a < 0
Direct contradiction with H1 (using knowledge about the symbols< and ≥)
Assuming ¬(a < 0)
I It follows max(a, 0) = a
I Deduce f (max(a, 0)) = f (a)
I Contradiction with ¬G
We have obtained a contradiction in all cases, the negated formulais unsatis�able, that means the input formula is valid!
Equality Reasoning
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
Equality reasoning - The problem
Termst ::= c | f (t1, · · · , tn)
Givena list of equations t = t ′
We want to knowDoes the equation t1
?= t2 follow?
Using the axioms
Re�exivity t = t
Symmetry t1 = t2 → t2 = t1
Transitivity t1 = t2 ∧ t2 = t3 → t1 = t3
Congruence t1 = t2 → f (t1) = f (t2)
Example
Given
I f 2(a) = f (f (a)) = a
I f 5(a) = f (f (f (f (f (a))))) = a
We want to prove
f (a) = a
Proof
1. f 5(a) = f 3(a) (Congruence)
2. f 2(a) = f 3(a) = a (Transitivity, Symmetry)
3. f 3(a) = f (f 2(a)) = f (a) (Congruence)
4. f (a) = a (Transitivity of (2) and (3))
Disjoint Sets
I Goal: deal with the �rst three axioms e�ciently
I Idea: put all terms into disjoint sets
I When two terms are in the same set, they are equal
I Initial state: every term is in his own set:
t1 t2 t3 t4 t5
I After treating t1 = t3 and t2 = t5:
t1 t3 t2 t5 t4
I After treating t1 = t2:
t1 t2 t3 t5 t4
I Deciding t?= t ′ amounts to checking if t, t ′ are in the same set
Union-Find (1975)I Represent each set by a tree with upward pointers:
t2
t4
t3
t1
I The root is the representativeI Operation �nd to �nd the representative of any term: just
follow the arrowsI Operation union to treat an equality: simply point one root to
the other
t2
t4
t3
t1
+t6
t5= t2
t4
t3
t6
t5
t1
Two important optimizations
I Keep trees small: let point root of smaller tree to root oflarger tree
I Path compression: ��atten� trees, each time we are searchingfor a root r starting from t, let t point directly to r afterwards
I Result: Algorithm is quasi-linear (optimal)
I Incrementality: we can add equations one by one, interleave
equations t1 = t2 with queries t1?= t2
Inequalities t1 6= t2
I Simply maintain the information that two sets of terms mustbe di�erent
I Merging sets for which an inequality was registered leads to aninconsistency
Congruence Closure (1980)I Deal with the fourth axiom: Congruence
∀xy .x = y → f (x) = f (y)
for any function symbol fI Solution: represent a term by a directed acyclic graph (DAG)
with sharing. Example: f (f (a, b), b)
a
f
b
f
I Add an equivalence relation to this graph (using union-�nd):
a
f
b
f
represents f (f (a, b), b) = a
Finding new equalities
I Build a reverse dictionary mapping nodes to their fathers:
a 7→ f (a, b), g(a)
b 7→ f (a, b)
I Two new operations: �nd and merge.
merge(t1,t2) =
union(t1,t2);
F1,F2 = fathers(t1), fathers(t2);
for each x in F1, y in F2 do
if congruent(x,y) then merge(x,y);
done
Congruence Closure � Example
Given
I f 2(a) = f (f (a)) = a
I f 5(a) = f (f (f (f (f (a))))) = a
a
f
f
f
f
f
f(a) = a
Congruence Closure � Example
Given
I f 2(a) = f (f (a)) = a
I f 5(a) = f (f (f (f (f (a))))) = a
a
f
f
f
f
f
f(a) = a
Congruence Closure � Example
Given
I f 2(a) = f (f (a)) = a
I f 5(a) = f (f (f (f (f (a))))) = a
a
f
f
f
f
f
f(a) = a
Congruence Closure � Example
Given
I f 2(a) = f (f (a)) = a
I f 5(a) = f (f (f (f (f (a))))) = a
a
f
f
f
f
f
f(a) = a
Congruence Closure � Example
Given
I f 2(a) = f (f (a)) = a
I f 5(a) = f (f (f (f (f (a))))) = a
a
f
f
f
f
f
f(a) = a
Theory Reasoning (Arithmetic)
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
Arithmetic reasoning
Arithmetic
I Interprets the function symbols +, −, ×, ÷, and thearithmetic constants
I But also the relation symbols ≤, <, ≥, >
There are a few algorithms to deal with Linear Arithmetic
I Gauss Elimination (Equality only)
I Fourier-Motzkin
I Simplex Algorithm
We will look more closely at these methods
Gauss Elimination
Goal: deal with equalities in linear arithmetics
I Transform term into sums of monomials:∑k
i ci ti
I When treating an equality between such polynomes
k∑i
ci ti =k∑j
di si
isolate a monomial, say, t1, and build the equation
t1 =k∑j
di
c1si −
k∑i 6=1
ci
c1ti
Fourier-Motzkin Algorithm (1)Goal: deal with inequalities in linear arithmetics
basic notions
I An inequality C in canonical form:
n∑i=1
aixi ≤ a0 ai ∈ Q
I Note αC the multiplication of an inequation with a coe�cientα:
n∑i=1
αaixi ≤ αa0
I Note C1 + C2 the addition of two inequations :
n∑i=1
(ai + bi )xi ≤ a0 + b0
Fourier-Motzkin Algorithm (2)
Set I = {C1 · · ·Cn} the starting set of inequations. Each step of thealgorithm will eliminate a variable from the set of the equations.
I Let I+ (I−) be the set of equations where x appears withpositive (negative) coe�cient
I Compute
Ix =⋃
C∈I−,D∈I+βC + αD αx ∈ C ,−βx ∈ D
I Let I0 the set of inequations in I without x
I Replace I par I ′ = I0 ∪ Ix
I In particular, if x appears only with coe�cients of the samesign in I , suppress all inequations where x appears
I When I does not contain variables any more, either we havesatis�able inequalities (like 1 ≤ 2) or an inconsistency
Fourier-Motzkin Algorithm (3)
I Complexity: double exponential
I Not incremental
I Still behaves well in practice
I Can be easily extended to deduce equations between terms
Simplex Algorithm (1947)
I Initially designed to solve the optimization problem:
maximize ~c · ~xsubject to A~x ≤ ~b ~x ≥ ~0
I Complexity: exponential (polynomial in practice)
I incremental variants exist
Combination of Theories
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
Combination of Theories
We have seen di�erent decision procedures for di�erent theories:
I The theory of uninterpreted function symbols (CongruenceClosure)
I Linear arithmetics (Fourier-Motzkin, Simplex)
Other decision procedures exist:
I For the theory of pairs (or lists): nil and cons
I The theory of arrays: get and set
I The theory of bitvectors: get, append, shift
How do they work together?
Nelson Oppen Combination � 1980 (1)
Consider a term with symbols from multiple theories:
car(cons(cons(x , y) + (car(x)− car(x)), y + 0))
Variable abstractionIntroduce variables to build pure terms and equations betweenvariables:
car
cons
+
−
+
0
car
cons
+
cons
x y
−
car
x
car
x
+
0 y
z1 = car(x)
z2 = cons(x , y)
z3 = z2 + (z1 − z1)
z4 = y + 0
z5 = car(cons(z3, z4))
Nelson Oppen Combination (2)
First step
Transform the problem into n pure problems and a set of equationsbetween auxiliary variables, using variable abstraction
Second step
I Run each decision procedure independently on its pureequations
I Communicate newly discovered equalities to the other decisionprocedures
Shostak Combination � 1978 (1)
Characteristics
I avoids costly equality propagation in Nelson-Oppen
I Requires a solver instead of a decision procedure: a solvertakes an equation t1 = t2 and returns a substitution xi 7→ ti
I Requires a canonizer, putting terms of the theory in normalform (sum of monomials, . . . )
I Restriction: applies only to theories of equality (inequalities inlinear arithmetic not well supported)
Shostak Combination (2)
I Maintain a table mapping terms to their representatives (forexample using an E-Graph with Union-�nd)Terms Representatives
t1 r1t2 r1t3 r2
I When treating an equation a = b, call the solver on a and b,obtain a substitution σ and apply this substitution to allrepresentatives. Finally, canonize all representatives.
Shostak vs. Nelson-Oppen
Comparison
I Shostak supposedly faster (is it in practice?)
I It's harder to write a solver than it is to write a decisionprocedure
I Shostak works well in the case of Congruence Closure + othertheory
I It is still active research to combine more than just one theorywith CC in the Shostak framework
I Most solvers use a Nelson-Oppen like Approach
I Alt-Ergo uses a modi�ed Shostak-like Approach
Theories in SMT solvers: Summary
I SMT solvers use Congruence Closure and various decisionprocedures for the �Theory part� of SMT
I SMT solvers are generally complete and terminating forconjunctions of atoms in this fragment of the theory
I If they don't prove the goal, it's wrong!
Beware
I non-linear arithmetic is undecidable
I on integer arithmetics, many provers use incomplete (butfaster) heuristics
Satis�ability
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
Satis�ability
We have seen . . .
I How to decide if a conjunction of equalities and inequalities isinconsistent
But what about the other connectors?
I Negation, disjunction, implication, equivalence
This is the work of a SAT-solver
A new input language
Atoms
I Formulas whose structure a SAT-solver will not look at
I Typically, equalities / inequalities, predicates
I Examples: x = 0, x ≤ f (x) + 3, even(t)
LiteralAn atom, with or without negation sign ¬
Conjunctive Normal form (CNF)
I A formula in CNF is a conjunction of disjunctions:
(a ∨ b ∨ ¬b) ∧ (b ∨ c) ∧ (¬c ∨ d ∨ e)
I The disjunctions are called clauses
I This is the input language of a SAT solver
Sat Solvers
Sat Solvers
I Decide if a formula in CNF is satis�able
I In a satis�able formula one can assign a truth value to eachatom so that the formula becomes true
I Such an assignment is called a model
I This problem is NP-complete
Putting formulas in CNF
We won't talk about it here, we just mention. . .
I That the naive way of doing it leads to a formula that isexponentially bigger than the original one
I There are smarter ways of doing it that produce a CNF linearin the size of the original formula, but the formula is still muchbigger
I One can do the conversion lazily, during the execution of theSAT algorithm (makes the algorithm more complicated)
DPLL (1)
The DPLL method
I Invented by Davis, Putnam (1960) and Davis, Logemann,Loveland(1962)
I Is an intelligent exhaustive search of a model for the inputformula
A Unit Clause
I Is a clause which consists of a single literal
I This literal must be true if the formula is satis�able
DPLL (2)
Boolean Constraint Propagation (BCP)
I Search for a unit clause and assume the corresponding literal lto be true
I Each literal of the form ¬l is removed
I Each clause which contains l (positively) is removed
I Repeat
Case splitting
I Choose an arbitrary literal l occurring in the formula
I Try to �nd a model where l is true
I If there is none, try to �nd a model where ¬l is true(backtracking)
I If there is none either, the formula is unsatis�able
DPLL (3)
The algorithm
I As long as there are unit clauses, do BCP (simplify currentformula)
I If there are no unit clauses, do a case split
I if the current formula contains the empty clause, it isunsatis�able; backtrack
The algorithm as inference rules
AxiomΓ ` ∆, ∅
UnitΓ, l ` ∆
Γ ` ∆, lElim
Γ, l ` ∆
Γ, l ` ∆, l ∨ C
ReduceΓ ` ∆,C
Γ, l ` ∆,¬l ∨ CSplit
Γ, l ` ∆ Γ,¬l ` ∆
Γ ` ∆
DPLL(4)
I DPLL is correct and complete
I Choice of the splitting variable is very important
I There are many heuristics to choose it
Check for the validity of a formula using DPLL
I Negate the input formula
I Search for a model of this formula (DPLL)
I If there is none, the formula is valid
I Otherwise the discovered model is a counterexample
Combining SAT and the theories
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
SAT and the Theory working together
The General Idea
I SAT decomposes the logical structure of the formula
I Each assumed literal is given to the appropriate theory
I which one? consider t.[i − 1] = x + y
I A con�ict can be detected in two ways:I The SAT: We have found the empty clauseI The Theory: We have derived an absurd statement in some
(combination of) theories
x = x + 1
DPLL � Backjumping
Optimisation
I Reconsider the Split rule:
SplitΓ, l ` ∆ Γ,¬l ` ∆
Γ ` ∆
I Backtracking to ¬l not always needed!I When l is not involved in the inconsistency in the left branch,
then one does not need to check the branch of ¬l
Collaboration needed
I The SAT must be able to explain con�icts
I The Theory must be able to explain con�icts
Instantiation
Theory 1
(Arithmetic)
...
Theory n
↔
Union-Find(Equality)
↔Congruence Closure
(Congruence)
↔ Sat-Solver∧,∨,⇒,⇔ ↔ Instantiation
∀∃
Dealing with quanti�ers
Example
Axiom A : ∀x : int.f (g(x), 0) = 0
I Potentially, for any term t of integer type, add f (g(t), 0) = 0to the knowledge base
I Where do the terms t come from?
I Usually, the nodes of the E-graph are considered (the set ofground terms)
I This is incomplete (a proof may require to invent a new term)
I Problem: taking all terms of integer type to instantiate axiomA is too much
Triggers (1)
Restricting the set of terms to consider
I Idea: do not allow instantiation of all terms of the right type
I Add a trigger, a term of a certain form to the axiom:
I Axiom A : ∀x : int[g(x)].f (g(x), 0) = 0
I Instantiate x only with terms t for which ground term g(t)exists
I This is an heuristics (even more incomplete)
I Triggers can be given by the user, or computed by the prover
Triggers (2)
Matching
I Given a term t with variables and a ground term t ′, try to �nda substitution σ for the variables in t such that tσ = t ′
I This substitution is used to instantiate the entire axiom
Considerations
I A trigger can consist of several terms
I The trigger term(s) should contain all variables of the axiom
I The process of comparing the ground terms with the trigger iscalled matching
I A large trigger is more restrictive than a small trigger: Weinstantiate less (which is good), but we may miss necessaryinstantiations
I A variable as trigger is as good (as bad) as no trigger
E-Matching
Use the E-Graph to enhance matching
I Use the equality information of the E-graph to match moreterms
I Example: The E-graph of f (a) = a actually describes alsof (f (a)) and f (f (f (a))) . . .
a
f
I A trigger of the form f (a) can be instantiated by any f n(a)
Skolemization
What to do with existential quanti�ers?
I We can eliminate them using Skolemization
I An axiom ∃x .P(x) becomes P(c) for a fresh Skolem constantc
I If quanti�ers are nested:
∀x∃y .P(x , y)
becomes∀x .P(x , f (x))
for a fresh Skolem function f
The Big Picture (1)
I Take a �rst-order formula as input
I Negate it � try to prove that the negation is unsatis�able
I Eliminate Existentials (Skolemization)
I Compute triggers (if not given) for quanti�ers
I Put it in CNF (or do it lazily)
I Run the SAT solver on the CNF
I Every assumed atom is given to the theories
I Inconsistencies can be detected byI the SAT: an empty clause presentI the theory: set of assumed literals is inconsistent wrt. the
theory
I At some point (when? how often?), do Matching toinstantiate axioms, obtain new terms and new facts
The Big Picture (2)I SMT provers are generally complete over the SAT + theory
part (with restrictions)I SMT provers are incomplete over the matching/instantiation
part
SMTLib, SMTComp
I There is a common input format accepted by most SMTsolvers: SMTLib
I SMT provers: Alt-Ergo, Z3, Yices, CVC3 (all with quanti�ersand theories), MathSat, Boolector (without quanti�ers)
I There is an annual competition with many di�erent categories:with/without quanti�ers, arithmetics, bit-vectors, arrays,. . .
I 2009 winner: mostly Yices (in categories without quanti�ers)and CVC3 (in categories with quanti�ers)
I in a few categories, 2008 winner Z3 was actually faster (butnot o�cially part of 2009 competition)
Resolution based provers (1)
Uni�cationGeneralization of Matching: Given two terms t1 and t2 bothcontaining variables, �nd a substitution σ such that t1σ = t2σ.
Resolution rule
ResolutionC1 ∨ l1 C2 ∨ ¬l2 σ = unif (l1, l2)
C1σ ∨ C2σ
Example
Resolution¬P(x) ∨ Q(x) P(a) σ = [x 7→ a]
Q(a)
Resolution based provers (2)
Algorithm
I Just as SMT solvers, negate formula, skolemize and put inCNF
I Now, using the Resolution rule, derive new clauses
I When encountering the empty clause, the initial formula wasvalid
TPTP Competition
I Participants: Vampire, Spass, E, . . .
I Recent winners of various categories: Vampire, Waldmeister
Resolution based provers (3) - Comparison
Advantages
I Resolution is complete for �rst-order logic
I It implements a semi-decision procedure:I If the formula is valid, the algorithm eventually stops, with the
right answerI If the formula is invalid, it may run forever
I Resolution is much better at proving complex theoremswithout arithmetic reasoning
Disadvantages
I Integrating equality reasoning is di�cult, but has beenmastered: Superposition, Paramodulation
I Integration of arithmetic or other theories is currently out ofreach of the state of the art
Tableau based provers (Zenon)
Tableau method
I Do not transform formula into CNF, but do negate it
I Apply rules to formula to build a refutation tree
I Rules for conjunction and disjunction:
A ∧ B
A
B
A ∨ B
A B
I If a branch contains a contradiction (A and ¬A, x 6= x , False,. . . ), it is closed
I When all branches are closed, the negated formula isunsatis�able
I Prominent prover in this class: Zenon
I It is the only prover that produces a machine-checkable proof
I Tableau method generally considered to be slower thanresolution
I No good support for linear arithmetic, other theories
Conclusion
SMT provers . . .
I Divide the input formula into a theory part, a propositionalpart, and lemmas
I Are complete wrt. the propositional part, and selected theories
I Are incomplete in general
I The combination of decision procedures, but also thecombination of the SAT solver and the theories are the mainchallenges of SMT