An Introduction to Satisfiability Modulo Theories - Philipp Rümmer - PowerPoint PPT Presentation



SLIDE 1

An Introduction to Satisfiability Modulo Theories

Philipp Rümmer, Uppsala University

Philipp.Ruemmer@it.uu.se

February 11, 2020

SLIDE 2

Outline

  • From theory ...
    • From DPLL to DPLL(T)
    • Slides courtesy of Alberto Griggio, http://www.cs.nyu.edu/~barrett/summerschool/griggio.pdf
  • … to practice
    • SMT-LIB and some common theories
    • http://rise4fun.com/z3
    • http://logicrunch.it.uu.se:4096/~wv/princess/

SLIDE 3

Typical Applications of SMT

  • Deductive verification
    • Correctness of contracts, invariants
  • Testing, symbolic execution
    • Path feasibility
  • Bounded model checking
    • Reachability of errors within k steps
  • Model checking
    • Finite-state abstraction of programs

SLIDE 4

Broader Applications

  i = 0; x = j;
  while (i < 50) { i++; x++; }
  if (j == 0) assert (x >= 50);

SLIDE 8

ATP and SMT

"Big Engines of Proof" vs. "little engines"

  • ATP: Classical methods: Resolution, Superposition, Tableaux, Model Evolution, etc.
  • SMT: Collaborative methods: Propositional → SAT; Lin. arithmetic → Simplex; Functions → EUF; ...

?


SLIDE 10

We know how to …

Solve Boolean formulas efficiently:
  • DPLL, CDCL
  • Implemented in SAT solvers

Solve conjunctive constraints efficiently:
  • Linear arithmetic: LP, ILP, MIP
  • Finite domains: CP, local search
  • etc.

???

SLIDE 11

Example!

SLIDE 13

SAT and SMT

Def.: SAT Solver
  Input: Propositional formula C in n variables
  Output: C sat + satisfying assignment (model), or C unsat [+ Proof]

Def.: SAT Modulo Theories Solver
  Input: First-order formula C in n variables and theories T1, …, Tm
  Output: C sat + satisfying assignment (model), or C unsat [+ Proof]

A satisfying assignment is also called a solution.

SLIDE 14

Some SMT solvers

  • Z3
  • CVC4
  • MathSAT
  • Yices
  • OpenSMT
  • Boolector
  • SMTInterpol

SLIDE 15

SMT in Uppsala

Princess, Z3, UppSAT, mcBV, Norn, ePrincess, Ostrich, Ostrich+, TRAU, Sloth, Z3-TRAU, TRAU+

[Diagram: the tools are grouped on the slide under the labels General-purpose, Just contributing ..., String solvers, First-order, and Low-level machine arithmetic]

SLIDE 20

Typical Architecture

  Verifier, model checker, etc.  --- Queries --->  SAT/SMT solver
  Verifier, model checker, etc.  <-- Answer (model, proof) ---  SAT/SMT solver

SLIDE 22

SMT-LIB

  • Standardised interface for SMT solvers, supported by most tools
  • Rich set of features, many theories
  • Comes with a large library of benchmarks; yearly competition SMT-COMP → Organiser until 2018: Tjark Weber!
  • http://www.smtlib.org

SLIDE 24

Tutorial ...

  • Every 32bit number x that is a power of 2 has the property that x & (x – 1) == 0 (and vice versa)

SLIDE 27

Important SMT-LIB commands

  • (set-logic QF_BV), (set-option …)
  • (declare-const b (_ BitVec 8)), (declare-fun f ((_ BitVec 2)) Bool)
  • (assert (= b #b10100011))
  • (check-sat)
  • (get-value (b)), (get-model)
  • (get-unsat-core)
  • (push 1), (pop 1)
  • (reset), (exit)

Annotations on the slide: Z3, and many solvers don't care ... In CP or MIP, this would be called assume or constraint. (Note: declare-fun takes argument sorts only, so the parameter name x does not belong in the declaration.)

SLIDE 28

The assertion stack

  • Holds both assertions and declarations, but no options
  • Important for incremental use of solver
  • (push n) → add n new frames to the stack
  • (pop n) → pop n frames from the stack
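
As an added worked example (not part of the slides), the tutorial claim of slide 24 checked with the commands of slides 25-28: each direction of the power-of-two bit trick becomes its own query, isolated on the assertion stack with push/pop so the second query starts clean. The constant names x and k are my own choice.

```smt2
; Added example: checking "x is a power of 2  <=>  x & (x - 1) == 0" for 32-bit x.
; x is the number under test, k a candidate exponent (both constructed names).
(set-option :produce-models true)
(set-logic BV)
(declare-const x (_ BitVec 32))

; Query 1: "power of two => x & (x - 1) == 0".
; The claim is negated: we search for a power of two that violates the bit trick.
; An unsat answer means no such x exists, i.e. the direction holds for all 32-bit x.
(push 1)
(declare-const k (_ BitVec 32))               ; declarations live on the stack too
(assert (bvult k (_ bv32 32)))                ; 0 <= k < 32
(assert (= x (bvshl (_ bv1 32) k)))           ; x = 1 << k
(assert (distinct (bvand x (bvsub x (_ bv1 32))) (_ bv0 32)))
(check-sat)
(pop 1)                                       ; discards k and the three assertions

; Query 2: the "vice versa" direction, "x & (x - 1) == 0 => power of two".
; We search for an x with the bit-trick property that equals no 1 << k.
; A sat answer is a counterexample, which get-value prints.
(push 1)
(assert (= (bvand x (bvsub x (_ bv1 32))) (_ bv0 32)))
(assert (forall ((k (_ BitVec 32)))
  (=> (bvult k (_ bv32 32))
      (distinct x (bvshl (_ bv1 32) k)))))
(check-sat)
(get-value (x))
(pop 1)
(exit)
```

Query 2 is satisfiable with the single model x = 0, which has the bit-trick property but is not a power of two, so the converse only holds with the side condition x != 0.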

SLIDE 29

General SMT-LIB constructors

  • (and …), (or …), (not …), (=> …)
  • (= b c)
  • (ite (= b c) #b101 #b011)
  • (let ((a #b001) (b #b010)) (= a b))
  • (exists ((x (_ BitVec 3))) (= #b101 x)), (forall …)
  • (! (= b c) :named X)

SLIDE 30

Main SMT-LIB Bit-vector ops.

http://smtlib.cs.uiowa.edu/logics-all.shtml#QF_BV

  • (_ BitVec 8)
  • #b1010, #xff2a, (_ bv42 32)
  • (= (concat #b1010 #b0011) #b10100011)
  • (= ((_ extract 6 4) #b10100011) #b010)  (extract i j yields bits i down to j, counted from the least significant bit 0)
  • Unary: bvnot, bvneg
  • Binary: bvand, bvor, bvadd, bvmul, bvudiv, bvurem, bvshl, bvlshr
  • (bvult #b0100 #b0110)
  • And many more derived operators ...

SLIDE 32

BMC: straight-line programs

  int x, y;
  x = x * x;
  y = x + 1;
  assert(y > 0);

Encoding in SMT-LIB:

  (set-option :pp.bv-literals false)        ; Z3-specific: print literals as numbers
  (declare-const x0 (_ BitVec 32))
  (declare-const y0 (_ BitVec 32))
  (declare-const x1 (_ BitVec 32))
  (declare-const y1 (_ BitVec 32))
  (assert (= x1 (bvmul x0 x0)))             ; x = x * x
  (assert (= y1 (bvadd x1 (_ bv1 32))))     ; y = x + 1
  (assert (not (bvsgt y1 (_ bv0 32))))      ; negated assertion; bvsgt is the signed comparison
  (check-sat)
  (get-model)


SLIDE 34

Modelling of Program Variables

  • An SMT-LIB constant represents a single value
    • Just like mathematical variables
  • Program variables can be reassigned … how to model computations?
  • Main idea: every assignment creates a new “version” of a variable
    • x0/y0 vs. x1/y1 in example

In compilers, this is called “Single Static Assignment” form (SSA)

SLIDE 36

BMC: conditional branching

  int x, y;
  if (x > 0) y = x; else y = -x;
  assert(y >= 0);

Encoding in SMT-LIB:

  (set-option :pp.bv-literals false)        ; Z3-specific
  (declare-const x0 (_ BitVec 32))
  (declare-const y0 (_ BitVec 32))
  (declare-const y1a (_ BitVec 32))         ; y after the then-branch
  (declare-const y1b (_ BitVec 32))         ; y after the else-branch
  (declare-const y2 (_ BitVec 32))          ; y after the if-statement
  (declare-const b Bool)                    ; branch condition
  (assert (= b (bvsgt x0 (_ bv0 32))))
  (assert (=> b (= y1a x0)))
  (assert (=> (not b) (= y1b (bvneg x0))))
  (assert (= y2 (ite b y1a y1b)))           ; merge of the two branches
  (assert (not (bvsge y2 (_ bv0 32))))      ; negated assertion
  (check-sat)
  (get-model)

SLIDE 38

Alternative method: path-wise exploration

  int x, y
    ├── x > 0     → y = x   → assert(...)
    └── !(x > 0)  → y = -x  → assert(...)

  • Each query smaller, but possibly exponentially many paths
  • Learning similar to CDCL can be used to avoid analysing all paths
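
The path-wise method of slide 38 applied to the branching program of slide 36, as an added example that is not on the slides: one small query per path, each carrying its own path condition, the effect of its branch, and the negated assertion, isolated with push/pop. The names x0 and y1 follow the slide's versioning convention and are my own.

```smt2
; Added example: path-wise exploration of
;   int x, y; if (x > 0) y = x; else y = -x; assert(y >= 0);
; instead of one query with an ite-merged y2 as on slide 36.
(set-option :produce-models true)
(set-option :pp.bv-literals false)            ; Z3-specific; drop for other solvers
(set-logic QF_BV)
(declare-const x0 (_ BitVec 32))              ; initial value of x

; Path 1: condition x > 0, then y = x.
; unsat here means this path can never violate the assertion.
(push 1)
(declare-const y1 (_ BitVec 32))
(assert (bvsgt x0 (_ bv0 32)))                ; path condition
(assert (= y1 x0))                            ; effect of the then-branch
(assert (not (bvsge y1 (_ bv0 32))))          ; violation of assert(y >= 0)
(check-sat)
(pop 1)                                       ; y1 and the path's assertions are gone

; Path 2: condition !(x > 0), then y = -x.
; sat here means a concrete input reaches the assertion and violates it.
(push 1)
(declare-const y1 (_ BitVec 32))
(assert (not (bvsgt x0 (_ bv0 32))))          ; path condition
(assert (= y1 (bvneg x0)))                    ; effect of the else-branch
(assert (not (bvsge y1 (_ bv0 32))))          ; violation of assert(y >= 0)
(check-sat)
(get-value (x0 y1))                           ; the failing input, if any
(pop 1)
(exit)
```

Path 1 is unsatisfiable; path 2 is satisfiable only for x0 = -2147483648 (INT_MIN), whose two's-complement negation is itself, which is the same counterexample the monolithic encoding of slide 36 finds.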


SLIDE 40

Conclusions

  • Most important idea in this lecture: Lazy encoding of formulas to SAT
  • SMT solvers are ...
    • Usually optimised for verification: Good at proving unsat
    • Able to handle infinite domains: Arithmetic, arrays, strings, etc.
    • Side-effect: restricted set of operators: Capture decidable domains
    • Good at propositional reasoning

Compare to relaxations

SLIDE 41

Outlook

  • Various further topics:
    • More theories: ADTs, floats, strings, etc.
    • Handling of quantifiers
    • Fixed-point computation
    • MaxSAT/MaxSMT
    • Optimising SMT
  • More lecture slides:
    • http://ssa-school-2016.it.uu.se/
    • http://www.sc-square.org/CSA/school/
    • http://ssa-school-2018.cs.manchester.ac.uk/