first-order logic (fol) and satisĄability modulo theories
TRANSCRIPT
Logical reasoning and programmingFirst-Order Logic (FOL) and
SatisĄability Modulo Theories (SMT)
Karel Chvalovský
CIIRC CTU
Parts of this presentation are signiĄcantly based on materials fromrecent SAT/SMT Summer Schools and SC2 Summer School.
SatisĄability Modulo Theories (SMT)Ůexample
We would like to know whether the following formula
𝑓(𝑎) = 𝑏 ∧ 𝑓(𝑎) ̸= 𝑏
is satisĄable; that is loosely speaking that there exists aninterpretation satisfying simultaneously both conjuncts.
1 / 31
SatisĄability Modulo Theories (SMT)Ůexample
We would like to know whether the following formula
𝑓(𝑎) = 𝑏 ∧ 𝑓(𝑎) ̸= 𝑏
is satisĄable; that is loosely speaking that there exists aninterpretation satisfying simultaneously both conjuncts.
Clearly, it is unsatisĄable regardless of the meaning of symbols init, because it has a propositional form
𝑝 ∧ ¬𝑝,
where 𝑝 is 𝑓(𝑎) = 𝑏.
1 / 31
SatisĄability Modulo Theories (SMT)Ůexample
We would like to know whether the following formula
(𝑎× (𝑓(𝑏) + 𝑓(𝑐)) = 𝑑) ∧ (𝑏× (𝑓(𝑎) + 𝑓(𝑐)) ̸= 𝑑) ∧ (𝑎 = 𝑏)
is satisĄable.
Do we need to know the interpretations of ×, +, and 𝑓?
2 / 31
SatisĄability Modulo Theories (SMT)Ůexample
We would like to know whether the following formula
(𝑎× (𝑓(𝑏) + 𝑓(𝑐)) = 𝑑) ∧ (𝑏× (𝑓(𝑎) + 𝑓(𝑐)) ̸= 𝑑) ∧ (𝑎 = 𝑏)
is satisĄable.
Do we need to know the interpretations of ×, +, and 𝑓?No, it is unsatisĄable modulo the theory of equality.
2 / 31
SatisĄability Modulo Theories (SMT)Ůexample
We would like to know whether the following formula
(𝑥 = 0 ∨ 𝑥 = 1) ∧ (𝑥+ 𝑦 + 𝑧 ̸= 0) ∧ (𝑓(𝑦) > 𝑓(𝑧))
is satisĄable.
3 / 31
SatisĄability Modulo Theories (SMT)Ůexample
We would like to know whether the following formula
(𝑥 = 0 ∨ 𝑥 = 1) ∧ (𝑥+ 𝑦 + 𝑧 ̸= 0) ∧ (𝑓(𝑦) > 𝑓(𝑧))
is satisĄable.
It is satisĄable in a union of theories called unquantiĄed linear realarithmetic with uninterpreted sort and function symbols(QF_UFLRA):
◮ quantiĄer free (QF),
◮ linear real arithmetic (LRA),
◮ uninterpreted functions (UF).
3 / 31
First-Order Logic (recap)
We moved to First-Order Logic (FOL) and hence we have
◮ logical symbols◮ variablesŮan inĄnite (countable) set denoted Var
◮ quantiĄer symbols ∀ and ∃◮ logical connectives◮ auxiliary symbols Ů parentheses, punctuation symbols, . . .
◮ non-logical symbols accompanied by their arity (the number ofarguments)◮ function symbols
◮ nullary functions are called constants
◮ predicate (ralation) symbols◮ nullary predicate symbols are essentially propositional variables
The logical symbols are Ąxed, but the non-logical symbols form alanguage L.
4 / 31
Variants of FOLThere are various variants of FOL, e.g., they differ in:
Equality
Some symbols like = can be either logical (FOL with equality), ornon-logical (FOL without equality). We will discuss both variants.
Many-sorted language
Sometimes it is convenient (and common in SMT) to talk aboutdifferent types of objects. Hence variables, function and predicatesymbols can be accompanied by simple types.
We can ŞeasilyŤ simulate Ąnitely many sorts by introducing newpredicates so to simplify things, we will use sorts only implicitly.
Example
Instead of having different types of variables for real numbers andintegers, we can say ∀𝑋 ∈ R(∃𝑌 ∈ Z(. . . ) that is a shortcut for∀𝑋(𝑋 ∈ R ⊃ (∃𝑌 (𝑌 ∈ N ∧ (. . . )))). The exact translationdepends on (implicit) quantiĄers!
5 / 31
Terms
The set of all terms in a language L, denoted TermL, is thesmallest set satisfying
◮ every variable (an element of Var) is a term in L,
◮ if 𝑓 is an 𝑛-ary function in L and 𝑡1, . . . , 𝑡𝑛 are terms in L,then 𝑓(𝑡1, . . . , 𝑡𝑛) is a a term in L.
A term 𝑠 is a subtermm of term 𝑡 if 𝑠 is a substring of 𝑡.
Example
𝑋, 𝑐, and 𝑔(𝑎, 𝑔(𝑌 )) are all terms where 𝑋 and 𝑌 are variables,𝑐/0 and 𝑎/0 are nullary functions (constants), and 𝑔/2 and 𝑔/1 arebinary and unary functions, respectively.
6 / 31
Formulae
Let 𝑝 be an 𝑛-ary predicate symbol in L and 𝑡1, . . . , 𝑡𝑛 be terms inL, then 𝑝(𝑡1, . . . , 𝑡𝑛) is an atomic formula (or atom) in L.
In FOL with equality, let 𝑡1 and 𝑡2 be terms in L, then (𝑡1 = 𝑡2) isalso an atomic formula in L.
The set of all formulae in a language L, denoted FmlL, is thesmallest set such that
◮ every atomic formula in L is a formula in L,
◮ if 𝜙 and å are formulae in L, 𝑋 is a variable, then (∀𝑋𝜙),(∃𝑋𝜙), (¬𝜙), (𝜙 ⊃ å), (𝜙 ∧ å), and (𝜙 ∨ å) are formulae1
in L.
A formula å is a subformula of 𝜙 if å is a substring of 𝜙.
We usually write only parentheses that are necessary forunambiguous reading.
1𝜙 ↔ å is a shortcut for (𝜙 → å) ∧ (å → 𝜙).7 / 31
SemanticsWe have formulae (syntactic objects) and we want to assign ameaning (semantics) to them.
The meaning of
◮ logical symbols is Ąxed,◮ non-logical symbols is problem speciĄc.
Example
We want to show that
𝑝(𝑋, 𝑓(𝑌 )) ⊃ ∃𝑍(𝑝(𝑋,𝑍) ∧ 𝑝(𝑍, 𝑓(𝑌 )))
does not hold if
◮ everything is interpreted over Z,
◮ 𝑝/2 is interpreted as < on Z,
◮ 𝑓/1 is interpreted as multiplication by ⊗1, and
◮ the evaluation of 𝑋 and 𝑌 is 1 and ⊗2, respectively.
8 / 31
Semantics
Model (or interpretation)
A model (or interpretation) for a language L, denoted ℳ = (𝐷, 𝑖),consists of a non-empty set 𝐷 (domain) and a function 𝑖(interpretation) on 𝐷 such that
◮ if 𝑓 is an 𝑛-ary function symbol in L, then 𝑖(𝑓) : 𝐷𝑛 ⊃ 𝐷,
◮ if 𝑝 is an 𝑛-ary preditace symbol in L, then 𝑖(𝑝) ⊖ 𝐷𝑛.
EvaluationLet ℳ = (𝐷, 𝑖) be a model for L, an evaluation in ℳ is anyfunction 𝑒 : Var ⊃ 𝐷. Note that 𝑒(𝑋 ↦⊃ 𝑎), for 𝑋 ∈ Var and𝑎 ∈ 𝐷, is the same as 𝑒, but gives 𝑎 to 𝑋.
The value of a term 𝑡 under an evaluation 𝑒 in ℳ = (𝐷, 𝑖),denoted 𝑡ℳ[𝑒], is deĄned recursively
◮ 𝑋ℳ[𝑒] = 𝑒(𝑋), if 𝑋 ∈ Var ,
◮ 𝑓(𝑡1, . . . , 𝑡𝑛)ℳ[𝑒] = 𝑖(𝑓)(𝑡ℳ1 [𝑒], . . . , 𝑡ℳ𝑛 [𝑒]), if 𝑓 is 𝑛-aryfunction symbol.
9 / 31
TarskiŠs deĄnition of truthLet ℳ = (𝐷, 𝑖) be a model for L, 𝑒 be an evaluation in ℳ, thenwe say that a formula 𝜙 is satisĄed in ℳ by 𝑒, denoted ℳ ♣= 𝜙[𝑒],or 𝑒 satisĄes 𝜙 in ℳ, if
◮ ℳ ♣= 𝑝(𝑡1, . . . , 𝑡𝑛)[𝑒] iff (𝑡ℳ1 [𝑒], . . . , 𝑡ℳ𝑛 [𝑒]) ∈ 𝑖(𝑝), where 𝑝 is𝑛-ary predicate symbol in L,
◮ ℳ ♣= (𝑡1 = 𝑡2)[𝑒] iff (𝑡ℳ1 [𝑒], 𝑡ℳ2 [𝑒]) ∈ id𝐷, (in FOL with eq.)
◮ ℳ ♣= (¬å)[𝑒] iff ℳ ̸♣= å[𝑒],
◮ ℳ ♣= (å ⊃ ä)[𝑒] iff ℳ ̸♣= å[𝑒] or ℳ ♣= ä[𝑒],
◮ ℳ ♣= (å ∧ ä)[𝑒] iff ℳ ♣= å[𝑒] and ℳ ♣= ä[𝑒],
◮ ℳ ♣= (å ∨ ä)[𝑒] iff ℳ ♣= å[𝑒] or ℳ ♣= ä[𝑒],
◮ ℳ ♣= (∀𝑋å)[𝑒] iff for every 𝑎 ∈ 𝐷 holds ℳ ♣= å[𝑒(𝑋 ↦⊃ 𝑎)],
◮ ℳ ♣= (∃𝑋å)[𝑒] iff exists 𝑎 ∈ 𝐷 s.t. ℳ ♣= å[𝑒(𝑋 ↦⊃ 𝑎)].
A formula 𝜙 is satisĄable, if there is ℳ and 𝑒 s.t. ℳ ♣= 𝜙[𝑒]. Aset of formulae Γ is satisĄable, if there is ℳ and 𝑒 s.t. ℳ ♣= 𝜙[𝑒],for every 𝜙 ∈ Γ.
10 / 31
Semantic consequence relation
A formula 𝜙 is valid (or holds) in ℳ, denoted ℳ ♣= 𝜙, if 𝜙 issatisĄed in ℳ by any evaluation 𝑒.
A formula 𝜙 follows from (or is a consequence of) a set of formulaΓ, denoted Γ ♣= 𝜙, if and only if for any model ℳ and evaluation𝑒, if for every å ∈ Γ holds ℳ ♣= å[𝑒], then ℳ ♣= 𝜙[𝑒]. We write♣= 𝜙, if Γ = ∅ and say that 𝜙 is valid (or holds).
Γ ♣= 𝜙 iff ∀ℳ∀𝑒(∀å ∈ Γ(ℳ ♣= å[𝑒]) ⇒ ℳ ♣= 𝜙[𝑒])
Note that
Γ ♣= 𝜙 iff Γ ∪ ¶¬𝜙♢ is unsatisĄable.
We say that two formulae 𝜙 and å are (semantically) equivalent,denoted 𝜙 ⊕ å, if ¶𝜙♢ ♣= å and ¶å♢ ♣= 𝜙.
11 / 31
SMT and FOL language
It is common in SMT that we are mainly interested in formulaecontaining no variables (and hence no quatiĄers), they are calledground formulae.
Note that when it comes to satisĄability, uninterpreted constant symbols
behave like free variables; they are not bounded by quantiĄcation (nor
implicitly). However, this can be slightly misleading, because later on all
variables will be implicitly universally quantiĄed.
Strictly speaking, we should talk about expansions of a theory, because we add
new constants into our language, however, we will happily ignore this formal
problem (or we can treat them as free variables).
Example𝜙 = 𝑝(𝑋, 𝑓(𝑎, 𝑌 )) ∧ 𝑞(𝑋,𝑍, 𝑐) is not ground, but 𝜙′ = 𝑝(𝑥, 𝑓(𝑎, 𝑦)) ∧ 𝑞(𝑥, 𝑧, 𝑐)is ground. Moreover, 𝜙 and 𝜙′ are equisatisĄable.
12 / 31
Why are we interested in this fragment of FOL?
For example, say that a compiler produced from
𝑧 = (𝑥1 + 𝑦1) ≤ (𝑥2 + 𝑦2);
the following code
𝑢1 = 𝑥1 + 𝑦1;
𝑢2 = 𝑥2 + 𝑦2;
𝑧 = 𝑢1 ≤ 𝑢2;
So we want to show that this translation is correct by proving
(𝑢1 = 𝑥1 + 𝑦1) ∧ (𝑢2 = 𝑥2 + 𝑦2) ∧ (𝑧 = 𝑢1 ≤ 𝑢2)
⊃ (𝑧 = (𝑥1 + 𝑦1) ≤ (𝑥2 + 𝑦2)).
Clearly, our fragment is sufficient for that.
13 / 31
Interpretations and theories
When we speak about theories, it means that we want to restrictthe interpretation (meaning) of some symbols in the language.
There are two main approaches how to do that
◮ axiomatic Ů we restrict the interpretations indirectly byproviding axioms that have to be satisĄed,◮ e.g., the equality axioms,◮ axioms usually require quantiĄers,
◮ restricting interpretations Ů we allow only such classes ofinterpretations that correspond to our intended meaning,◮ e.g., we say that all the variables range over integers.
Note that some theories do not have appropriate axiomaticsystems.
14 / 31
Theory 𝒯A theory 𝒯 is given by a Ąrst-order language 𝐿.
We say that an interpretation ℳ = (𝐷, 𝑖) for 𝐿 is a𝒯 -interpretation if
◮ ℳ satisĄes all axioms of 𝒯 , or
◮ 𝑖 admits only intended interpretations of 𝒯 .
We say that a formula 𝜙 is
◮ 𝒯 -satisĄable, if ℳ ♣= 𝜙 for a 𝒯 -interpretation ℳ;
◮ 𝒯 -valid, if ℳ ♣= 𝜙 for every 𝒯 -interpretation ℳ.
A set of formulae Γ 𝒯 -entails a formula 𝜙, denoted Γ ♣=𝒯 𝜙, ifevery 𝒯 -interpretation satisfying all formulae in Γ satisĄes also 𝜙.
Example
If 𝒯 is real arithmetic, then 𝐷 are real numbers and 𝑖(⊘), 𝑖(+),. . . have their standard meanings.
15 / 31
SatisĄability Modulo Theories (SMT)
We have a formula that has a propositional structure, butpropositional variables are expressions in a theory 𝒯 .
Example
From
(𝑥 = 0 ∨ 𝑥 = 1) ∧ (𝑥+ 𝑦 + 𝑧 ̸= 0) ∧ (𝑓(𝑦) > 𝑓(𝑧)),
we obtain(𝑝 ∨ 𝑞) ∧ ¬𝑟 ∧ 𝑠,
by so-called propositional abstraction, where 𝑝 is 𝑥 = 0, 𝑞 is 𝑥 = 1,𝑟 is 𝑥+ 𝑦 + 𝑧 = 0, and 𝑠 is 𝑓(𝑦) > 𝑓(𝑧).
16 / 31
Solving SMT
There are two basic approaches how to solve a satisĄability of aformula 𝜙 modulo a theory 𝒯 :
Eager (encode an SMT problem in SAT)
◮ we translate the problem over the theory into anequisatisĄable propositional formula and use a SAT solver,
◮ it is eager, because the SAT solver has access to completetheory information from the beginning,
◮ it requires sophisticated encodings.
Lazy (combine a SAT solver with a decision procedure)
◮ It is very common that we have theory solvers for problemsthat are conjunctions of literals.
17 / 31
Very Lazy SMTexample
¬a = b(x = a ∨ x = b)(y = a ∨ y = b)(z = a ∨ z = b)
¬x = y
x y x a y a
Check with SAT solver
ViewTheory
18 / 31
Very Lazy SMTexample
¬ B1( B2 ∨ B3 )
( B4 ∨ B5 )
( B6 ∨ B7 )
¬ B8
B B B
Check with SAT solver
ViewBoolean
18 / 31
Very Lazy SMTexample
¬ B1( B2 ∨ B3 )
( B4 ∨ B5 )
( B6 ∨ B7 )
¬ B8
B B B
Check with SAT solver
ViewBoolean
18 / 31
Very Lazy SMTexample
¬ B1( B2 ∨ B3 )
( B4 ∨ B5 )
( B6 ∨ B7 )
¬ B8
B B B
Check with SAT solverJ ¬ B1 , ¬ B8 , ¬ B3 , B2 , ¬ B5 , B4 , ¬ B7 , B6 K
ViewBoolean
18 / 31
Very Lazy SMTexample
¬a = b(x = a ∨ x = b)(y = a ∨ y = b)(z = a ∨ z = b)
¬x = y
x y x a y a
Check with SAT solverJ ¬a = b, ¬x = y, ¬x = b, x = a, ¬y = b, y = a, ¬z = b, z = a K
ViewTheory
18 / 31
Very Lazy SMTexample
¬a = b(x = a ∨ x = b)(y = a ∨ y = b)(z = a ∨ z = b)
¬x = y
x y x a y a
Check with SAT solverJ ¬a = b, ¬x = y, ¬x = b, x = a, ¬y = b, y = a, ¬z = b, z = a K
ViewTheory
Check with T-solverx = a ∧ y = a ⇒ x = y
18 / 31
Very Lazy SMTexample
¬a = b(x = a ∨ x = b)(y = a ∨ y = b)(z = a ∨ z = b)
¬x = y(x = y ∨ ¬x = a ∨ ¬y = a)
Check with SAT solverJ ¬a = b, ¬x = y, ¬x = b, x = a, ¬y = b, y = a, ¬z = b, z = a K
ViewTheory
BlockAdd clause
18 / 31
Very Lazy SMTexample
¬ B1( B2 ∨ B3 )
( B4 ∨ B5 )
( B6 ∨ B7 )
¬ B8( B8 ∨ ¬ B2 ∨ ¬ B4 )
Check with SAT solver
ViewBoolean
18 / 31
Very Lazy SMTexample
¬ B1( B2 ∨ B3 )
( B4 ∨ B5 )
( B6 ∨ B7 )
¬ B8( B8 ∨ ¬ B2 ∨ ¬ B4 )
Check with SAT solverJ ¬ B1 , ¬ B8 , ¬ B3 , B2 , ¬ B4 , B5 , ¬ B7 , B6 K
ViewBoolean
18 / 31
Very Lazy SMTexample
¬a = b(x = a ∨ x = b)(y = a ∨ y = b)(z = a ∨ z = b)
¬x = y(x = y ∨ ¬x = a ∨ ¬y = a)
Check with SAT solverJ ¬a = b, ¬x = y, ¬x = b, x = a, ¬y = a, y = b, ¬z = b, z = a K
ViewTheory
18 / 31
Very Lazy SMTexample
¬a = b(x = a ∨ x = b)(y = a ∨ y = b)(z = a ∨ z = b)
¬x = y(x = y ∨ ¬x = a ∨ ¬y = a)
Check with SAT solverJ ¬a = b, ¬x = y, ¬x = b, x = a, ¬y = a, y = b, ¬z = b, z = a K
ViewTheory
Check with T-solverSatisfiable
a, x, z 7→ c1b, y 7→ c2
18 / 31
Lazy approach
Let 𝜙 be a formula and we want to know whether 𝜙 is𝒯 -satisĄable. Let 𝜙′ be a propositional abstraction of 𝜙.
◮ we call a SAT solver on 𝜙′
◮ if 𝜙′ ∈ SAT, then we obtain a set of literals 𝑙′1, . . . , 𝑙′𝑛 in 𝜙′
that satisĄes the formula 𝜙′,◮ we can then ask a 𝒯 -solver, whether the set of corresponding
literals 𝑙1, . . . , 𝑙𝑛 in 𝜙 is satisĄable in 𝒯◮ if it is, then return 𝜙 is satisĄable and provide a model,◮ if it is not, then we can add a new propositional clause
𝑙′1
∨ · · · ∨ 𝑙′𝑛 to 𝜙′ and repeat the whole process with a newpropositional formula,
◮ if 𝜙′ /∈ SAT, then return 𝜙 is unsatisĄable.
19 / 31
DPLL(𝒯 )Ůlazy approach + theory propagationsIt ŞeffectivelyŤ transforms a satisĄability of an arbitraryquantiĄer-free formula over 𝒯 to a satisĄability of a conjunction ofliterals over 𝒯 . In basic lazy approach there is no theory guidance,here 𝒯 -solver guides the search by producing 𝒯 -consequences.
For efficiency reasons we want several things from a solver for 𝒯 :
◮ checks consistency of conjunctions of literals,
◮ computes 𝒯 -propagations (𝒯 -consequences),
◮ pruduces explanations (ideally minimal) of 𝒯 -inconsistenciesand 𝒯 -propagations,
◮ should be incremental and backtrackable,
◮ (generate 𝒯 -atoms and 𝒯 -lemmata).
Although it is called DPLL(𝒯 ), in practice, CDCL is usually usedand hence we want a support for backjumping and conĆicts.Moreover, we want to test already partial assignments not only fullpropositional models for 𝒯 -consistency.
20 / 31
DPLL(T ) - Example
Consider again EUF and the formula:
g(a)=c︸ ︷︷ ︸
1
∧ ( f (g(a)) 6= f (c)︸ ︷︷ ︸
2
∨ g(a)=d︸ ︷︷ ︸
3
) ∧ c 6=d︸︷︷︸
4
/0 || 1, 2∨3, 4 ⇒ (UnitPropagate)
Introduction to SMT – p. 2321 / 31
DPLL(T ) - Example
Consider again EUF and the formula:
g(a)=c︸ ︷︷ ︸
1
∧ ( f (g(a)) 6= f (c)︸ ︷︷ ︸
2
∨ g(a)=d︸ ︷︷ ︸
3
) ∧ c 6=d︸︷︷︸
4
/0 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 || 1, 2∨3, 4 ⇒ (UnitPropagate)
Introduction to SMT – p. 2321 / 31
DPLL(T ) - Example
Consider again EUF and the formula:
g(a)=c︸ ︷︷ ︸
1
∧ ( f (g(a)) 6= f (c)︸ ︷︷ ︸
2
∨ g(a)=d︸ ︷︷ ︸
3
) ∧ c 6=d︸︷︷︸
4
/0 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 4 || 1, 2∨3, 4 ⇒ (T-Propagate)
Introduction to SMT – p. 2321 / 31
DPLL(T ) - Example
Consider again EUF and the formula:
g(a)=c︸ ︷︷ ︸
1
∧ ( f (g(a)) 6= f (c)︸ ︷︷ ︸
2
∨ g(a)=d︸ ︷︷ ︸
3
) ∧ c 6=d︸︷︷︸
4
/0 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 4 || 1, 2∨3, 4 ⇒ (T-Propagate)
1 4 2 || 1, 2∨3, 4 ⇒ (T-Propagate)
Introduction to SMT – p. 2321 / 31
DPLL(T ) - Example
Consider again EUF and the formula:
g(a)=c︸ ︷︷ ︸
1
∧ ( f (g(a)) 6= f (c)︸ ︷︷ ︸
2
∨ g(a)=d︸ ︷︷ ︸
3
) ∧ c 6=d︸︷︷︸
4
/0 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 4 || 1, 2∨3, 4 ⇒ (T-Propagate)
1 4 2 || 1, 2∨3, 4 ⇒ (T-Propagate)
1 4 2 3 || 1, 2∨3, 4 ⇒ (Fail)
Introduction to SMT – p. 2321 / 31
DPLL(T ) - Example
Consider again EUF and the formula:
g(a)=c︸ ︷︷ ︸
1
∧ ( f (g(a)) 6= f (c)︸ ︷︷ ︸
2
∨ g(a)=d︸ ︷︷ ︸
3
) ∧ c 6=d︸︷︷︸
4
/0 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 || 1, 2∨3, 4 ⇒ (UnitPropagate)
1 4 || 1, 2∨3, 4 ⇒ (T-Propagate)
1 4 2 || 1, 2∨3, 4 ⇒ (T-Propagate)
1 4 2 3 || 1, 2∨3, 4 ⇒ (Fail)
UNSAT
Introduction to SMT – p. 2321 / 31
DPLL(T) Frameworkgreat but not perfect
a 0<b 0
a 1<b 1b0<a1
b1<a2
a1<c1c 0<
a 1c 1<
a 2a0<c0
a 2<b
2 b2 <a
3
a2 <c
2c 2<
a 3
a0>a3
Example (Diamonds)
a0 > an ∧
n−1∧
k=0
((ak < bk ∧ bk < ak+1) ∨ (ak < ck ∧ ck < ak+1))
22 / 31
DPLL(T) Frameworkgreat but not perfect
a 0<b 0
a 1<b 1
b0<a1
b1<a2
a1<c1
c 0<a 1
c 1<a 2
a0<c0
a 2<b 2 b
2 <a3
a2 <c2
c 2<a 3
a0>a3
Example (Diamonds)
a0 > an ∧
n−1∧
k=0
((ak < bk ∧ bk < ak+1) ∨ (ak < ck ∧ ck < ak+1))
22 / 31
DPLL(T) Frameworkgreat but not perfect
a 0<b 0
a 1<b 1
b0<a1
b1<a2
a1<c1
c 0<a 1
c 1<a 2
a0<c0
a 2<b 2 b
2 <a3
a2 <c2
c 2<a 3
a0>a3
Example (Diamonds)
a0 > an ∧
n−1∧
k=0
((ak < bk ∧ bk < ak+1) ∨ (ak < ck ∧ ck < ak+1))
22 / 31
DPLL(T) Frameworkgreat but not perfect
a 0<b 0
a 1<b 1
b0<a1
b1<a2
a1<c1
c 0<a 1
c 1<a 2
a0<c0
a 2<b 2 b
2 <a3
a2 <c2
c 2<a 3
a0>a3
Example (Diamonds)
a0 > an ∧
n−1∧
k=0
((ak < bk ∧ bk < ak+1) ∨ (ak < ck ∧ ck < ak+1))
22 / 31
DPLL(T) Frameworkgreat but not perfect
a 0<b 0
a 1<b 1
b0<a1
b1<a2
a1<c1
c 0<a 1
c 1<a 2
a0<c0
a 2<b 2 b
2 <a3
a2 <c2
c 2<a 3
a0>a3
Example (Diamonds)
a0 > an ∧
n−1∧
k=0
((ak < bk ∧ bk < ak+1) ∨ (ak < ck ∧ ck < ak+1))
And so on...Exponential enumeration of paths.
22 / 31
DPLL(T) Frameworkgreat but not perfect
a 0<b 0
a 1<b 1
b0<a1
b1<a2
a1<c1
c 0<a 1
c 1<a 2
a0<c0
a 2<b 2 b
2 <a3
a2 <c2
c 2<a 3
a0>a3
a0<a1 a1<a2 a2<a3
Example (Diamonds)
a0 > an ∧
n−1∧
k=0
((ak < bk ∧ bk < ak+1) ∨ (ak < ck ∧ ck < ak+1))
22 / 31
DPLL(T) Frameworktypical architecture
SAT Solver
CDCL
Arithmetic
Bit-Vectors
Uninterpreted
FunctionsCore
Theory Literals Explanations
23 / 31
Various theories and their combinations
It is possible to combine various theories, called logics here, andgive them ŞcanonicalŤ names.
source: SMT-LIB
24 / 31
Uninterpreted functions (UF)
We have literals of the form
𝑠 = 𝑡 and 𝑠 ̸= 𝑡,
where 𝑠 and 𝑡 may contain constants (variables) and functionsymbols. Equality is reĆexive, symmetric, transitive, and satisĄescongruence axioms
∀𝑋1 . . .∀𝑋𝑚∀𝑌1 . . .∀𝑌𝑚(𝑋1 = 𝑌1 ∧ ≤ ≤ ≤ ∧𝑋𝑚 = 𝑌𝑚 ⊃
𝑓(𝑋1, . . . , 𝑋𝑚) = 𝑓(𝑌1, . . . , 𝑌𝑚))
for every 𝑚-ary function symbol 𝑓 . It is sometimes calledfunctional consistency in this context.
(QF_UF) is usually the core of an SMT solver, which is used inother theories. It is decidable in 𝒪(𝑛 log𝑛).
25 / 31
Why no uninterpreted predicate symbols?
The only predicate symbol allowed in (QF_UF) is equality, becauseevery other uninterpreted predicate symbol can be expressed by afresh uninterpreted function
𝑝(𝑡1, . . . , 𝑡𝑚) becomes 𝑓𝑝(𝑡1, . . . , 𝑡𝑚) = ⊤,
¬𝑝(𝑡1, . . . , 𝑡𝑚) becomes 𝑓𝑝(𝑡1, . . . , 𝑡𝑚) ̸= ⊤,
where ⊤ is a new constant and 𝑓𝑝 is a new functional symbol forevery predicate 𝑝 in our original language. Note that 𝑓𝑝 and ⊤ arenot valid arguments of other terms.
Example
𝑝(𝑎) ∨ ¬𝑞(𝑎, 𝑔(𝑎, 𝑏)) becomes 𝑓𝑝(𝑎) = ⊤ ∨ 𝑓𝑞(𝑎, 𝑔(𝑎, 𝑏)) ̸= ⊤.
26 / 31
Producing congruence closureWe have a formula 𝜙
𝑠1 = 𝑡1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑘 = 𝑡𝑘 ∧ 𝑠𝑘+1 ̸= 𝑡𝑘+1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑙 ̸= 𝑡𝑙.
The idea is to produce the congruence closure of
𝑠1 = 𝑡1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑘 = 𝑡𝑘
that is we apply reĆexivity, symmetry, transitivity, and congruenceaxioms as many times as possible.
Then we just check whether any of
𝑠𝑘+1 = 𝑡𝑘+1, . . . , 𝑠𝑙 = 𝑡𝑙
is among them. If this is the case, the problem is unsatisĄable.Otherwise, it is satisĄable.
Example
We want to check 𝑎 = 𝑏 ∧ 𝑓(𝑔(𝑎)) ̸= 𝑓(𝑔(𝑏)).
27 / 31
Producing congruence closure II.
We have a formula 𝜙
𝑠1 = 𝑡1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑘 = 𝑡𝑘 ∧ 𝑠𝑘+1 ̸= 𝑡𝑘+1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑙 ̸= 𝑡𝑙.
Although the congruence closure is in general inĄnite, it issufficient to check only Ąnitely many equalities here, namely theequalities produced from all the subterms occurring in 𝜙.
Example
We want to check 𝑎 = 𝑏 ∧ 𝑓(𝑔(𝑎)) ̸= 𝑓(𝑔(𝑏)). Hence it is sufficientto produce only equalities containing 𝑎, 𝑏, 𝑔(𝑎), 𝑔(𝑏), 𝑓(𝑔(𝑎)), and𝑓(𝑔(𝑏)). It means we get
¶𝑎 = 𝑎, 𝑏 = 𝑏, 𝑎 = 𝑏, 𝑔(𝑎) = 𝑔(𝑎), 𝑔(𝑏) = 𝑔(𝑏), 𝑔(𝑎) = 𝑔(𝑏),
𝑓(𝑔(𝑎)) = 𝑓(𝑔(𝑎)), 𝑓(𝑔(𝑏)) = 𝑓(𝑔(𝑏)), 𝑓(𝑔(𝑎)) = 𝑓(𝑔(𝑏))♢.
Hence it is unsatisĄable, because it contains 𝑓(𝑔(𝑎)) = 𝑓(𝑔(𝑏)).
28 / 31
Producing congruence closure III.We have a formula 𝜙
𝑠1 = 𝑡1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑘 = 𝑡𝑘 ∧ 𝑠𝑘+1 ̸= 𝑡𝑘+1 ∧ ≤ ≤ ≤ ∧ 𝑠𝑙 ̸= 𝑡𝑙.
It is convenient to represent the congruence closure by theequivalence classes of the terms occurring in 𝜙:
◮ each subterm occurring in 𝜙 forms an equivalence class,◮ for every 𝑠𝑖 = 𝑡𝑖 ∈ 𝜙
◮ we merge the equivalance classes containing 𝑠𝑖 and 𝑡𝑖,◮ we apply the congruence axioms (at least one argument is
from the merged class containing 𝑠𝑖 and 𝑡𝑖).
If this leads to new merges, we propagate congruences further(at least one argument is from a newly merged class) as longas possible.
◮ return unsatisĄable if 𝑠𝑗 and 𝑡𝑗 are in the same equivalenceclass for 𝑠𝑗 ̸= 𝑡𝑗 ∈ 𝜙, otherwise return satisĄable.
It is possible to produce an even better representation using DAGs.29 / 31
Example
30 / 31
Example
30 / 31
Example
30 / 31
Example
30 / 31
Example
30 / 31
Example
30 / 31
Example
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
Example
get_conflict():
30 / 31
SMT-LIB
Among other things it is a common input and output language forSMT solvers that is described here.
; Integer arithmetic
(set-logic QF_LIA)
(declare-const x Int)
(declare-const y Int)
(assert (= (- x y) (+ x (- y) 1)))
(check-sat)
; unsat
(exit)
31 / 31
Used presentations
The following slides are taken from
◮ 18, 22, and 23 are from Jovanović 2016,
◮ 21 is from Oliveras 2019,
◮ 30 is from Griggio 2015.
31 / 31
Bibliography I
Griggio, Alberto (2015). ŞIntroduction to SMTŤ. SAT/SMTSummer School 2015. url: http:
//www.cs.nyu.edu/~barrett/summerschool/griggio.pdf.Jovanović, Dejan (2016). ŞIntroduction to SatisĄability ModuloTheoriesŤ. SAT/SMT/AR Summer School 2016. url:http://ssa-school-2016.it.uu.se/wp-
content/uploads/2016/06/jovanovic.pdf.Kroening, Daniel and Ofer Strichman (2016). Decision
Procedures - An Algorithmic Point of View, Second Edition.Texts in Theoretical Computer Science. An EATCS Series.Springer. isbn: 978-3-662-50496-3. doi:10.1007/978-3-662-50497-0.Oliveras, Albert (2019). ŞIntroduction to SMTŤ.SAT/SMT/AR Summer School 2019. url:https://alexeyignatiev.github.io/ssa-school-
2019/slides/ao-satsmtar19-slides.pdf.
Bibliography II
Tinelli, Cesare (2017). ŞFoundations of SatisĄability ModuloTheoriesŤ. SC2 Summer School 2017. url: http://www.sc-
square.org/CSA/school/lectures/SCSC-Tinelli.pdf.