Overview of Models in Yices
Bruno Dutertre, SRI International (PowerPoint presentation)


SLIDE 1

Computer Science Laboratory, SRI International

Overview of Models in Yices

Bruno Dutertre, SRI International. Dagstuhl Seminar 15381, September 2015

SLIDE 2

Models in Yices

Internal Use

  • SMT solvers search for models for a formula Φ in some theory T
  • In many cases, T is the union of disjoint theories T1 and T2 (e.g., linear arithmetic + arrays)
  • Relevant techniques: Nelson-Oppen method and extensions/variations, including model-based theory combination

Operations on Models

  • Many applications require more than producing models
  • Examples of useful operations:
    – evaluate a term in a model
    – compute implicants for Φ from a model
    – generalize a model: model-based projection


SLIDE 3

Theory Combination

Problem

  • Given two formulas Φ1 and Φ2 in two disjoint theories T1 and T2, if Φ1 is satisfiable in T1 and Φ2 is satisfiable in T2, is Φ1 ∧ Φ2 satisfiable in T1 ∪ T2?
  • Φ1 and Φ2 share some interface variables x1, . . . , xn but nothing else
  • The answer is yes if we can construct two models M1 and M2 such that
    – M1 ⊨ Φ1 (in T1) and M2 ⊨ Φ2 (in T2)
    – M1 and M2 have the same cardinality
    – M1 and M2 agree on equalities between interface variables: M1 ⊨ (xi = xj) iff M2 ⊨ (xi = xj)
  • Note: For many practical theories (e.g., QF_UF) the cardinality constraint is easily satisfied.


SLIDE 4

Nelson-Oppen

[Diagram: Φ1 and Φ2 exchanging implied interface equalities such as x_i = x_j and x_k = x_j]

Method

  • Combine two decision procedures for T1 and T2
  • Exchange implied interface equalities to force both sides to agree.
  • This works for convex theories. For non-convex theories (e.g., integer arithmetic), we need more: either propagate disjunctions of interface equalities or guess a variable arrangement.


SLIDE 5

Practical Issues With Nelson-Oppen

Finding All Implied Equalities

  • For QF_UF, decision procedures based on congruence closure give implied equalities for free.
  • It's much harder and more expensive for other theories (e.g., linear arithmetic, bitvectors).
  • It gets worse for non-convex theories.

Better Methods: Use the Models

  • The decision procedures construct models M1 and M2, but Nelson-Oppen does not use them.


SLIDE 6

Model-Based Theory Combination

General Approach

  • Given models M1 and M2, search for conflicts between them: shared variables such that M1 ⊨ (xi = xj) and M2 ⊭ (xi = xj) (or the other way around).
  • If there are none, return SAT
  • Otherwise
    – try to modify the models to fix the conflicts (optional)
    – add interface lemmas, then backtrack to search for different models.


SLIDE 7

Interface Lemmas

Lemma to Remove a Conflict

  • For a pair (xi, xj) such that M1 ⊨ (xi = xj) and M2 ⊭ (xi = xj), we add a constraint that encodes "(xi = xj) in T1" ⇒ "(xi = xj) in T2".
  • The precise formulation depends on the implementation and theories involved.
  • Example
    – for UF + arithmetic in Yices, we can add the clause (eq xi xj) ∨ (xi < xj) ∨ (xj < xi).
    – (eq xi xj) is an atom added to the UF solver
    – (xi < xj) and (xj < xi) are arithmetic atoms
  • Adding this lemma forces the SMT solver to backtrack and search for other models.
  • This can be seen as a lazy way of searching for an adequate arrangement of the interface variables (sometimes called delayed theory combination).


SLIDE 8

Theory Solvers in Yices

[Architecture diagram: a CDCL SAT solver coordinating the UF solver, array solver, arithmetic solver and bitvector solver]

Features

  • Shared variables always involve the UF solver + another solver (either arithmetic or bitvector).
  • All interface equalities found by the UF solver are propagated to the other solver (not the other way around).


SLIDE 9

Theory Combination in Yices

Possible Conflicts Between Models

  • All conflicts are of the form MT ⊨ (xi = xj) and MUF ⊭ (xi = xj): two shared variables are equal in the arithmetic or bitvector model but not in the UF model.

Reconciliation

Attempt to modify MUF to remove the conflict, while keeping MT frozen.

  • Tentatively merge the equivalence classes of xi and xj in the UF solver, then propagate consequences by congruence closure.
  • Accept the merge unless either it causes a conflict in the UF solver or it would propagate more equalities to theory T.


SLIDE 10

Other Tricks

Model Mutation (de Moura & Bjørner, 2007)

  • Exploit flexibility in the Simplex-based arithmetic solver.
  • There may be many solutions to a set of linear arithmetic constraints.
  • Mutation: modify the Simplex model to give distinct values to distinct interface variables.
  • This reduces the chance of conflicts with the UF model.

More Than Interface Lemmas

  • Dynamic addition of Ackermann lemmas (à la Z3)
  • When we add an interface lemma in a direction, we also add the reverse implication
  • Example: for arithmetic
    – interface lemma: (eq xi xj) ∨ (xi < xj) ∨ (xj < xi)
    – reverse: (xi < xj) ⇒ ¬(eq xi xj) and (xj < xi) ⇒ ¬(eq xi xj)


SLIDE 11

Experiments: Arrays + Bitvectors

[Plots: cumulative time (log scale) against number of problems solved, full range and a zoom on 14000-14300 problems, for Yices-2.2, CVC-4, Mathsat-5, Z3, Boolector-1.5, Sonolar and TdW]


SLIDE 12

Experiments: UF + Linear Integer Arithmetic

[Scatter plot: yices-pessimistic against yices-optimistic, time per problem in seconds (0.1 to 1200, plus timeout and abort)]

It's not always better: on the QF_UFLIA benchmarks of SMT-LIB, model reconciliation gives worse results than just generating interface lemmas.


SLIDE 13

Model Generalization

Generalizing a Model

  • Many applications use SMT solvers to find one solution to some set of constraints (i.e., one model)
  • It's often useful to generalize from this to a set of solutions
  • The typical setting (e.g., in IC3):
    – we have a model M for Φ(X, Y)
    – a generalization is a formula G(X) such that
      1. M ⊨ G(X)
      2. G(X) ⇒ (∃Y Φ(X, Y))
    – This is also called model-based projection.


SLIDE 14

Implementation

Three Methods Implemented in Yices

  • baseline: no generalization: G(X) := (X = X0) where X0 = value of X in M.
  • generalize by substitution: G(X) := Φ(X, Y0) where Y0 = value of Y in M.
  • better: local quantifier elimination
    – find an implicant J(X, Y) for Φ(X, Y) using X0 and Y0:
      • J(X, Y) is a conjunction of literals
      • J(X, Y) ⇒ Φ(X, Y) holds
      • J(X0, Y0) is true
    – construct G(X) by eliminating the Y variables from J(X, Y)


SLIDE 15

Variable Elimination

Goal

  • We have an implicant J(x, y) that is true in a model M
  • We want to eliminate the variables y from J(x, y)
  • We could try to construct a G(x) that's equivalent to ∃y : J(x, y)
  • In our context, it is enough to obtain an under-approximation: G(x) ⇒ ∃y : J(x, y) such that M ⊨ G(x)

For linear (and non-linear) arithmetic, we can do this efficiently using Model-Guided Virtual Term Substitution


SLIDE 16

Virtual Term Substitution for Linear Arithmetic

Weispfenning, 1988, Loos & Weispfenning, 1993

  • To eliminate y from a linear arithmetic formula ∃y : φ(x, y), construct an elimination set for y in φ(x, y)
  • An elimination set is a finite set T of terms that do not contain y and such that
      (∃y : φ(x, y)) ⇔ ⋁_{t ∈ T} φ(x, t)
  • T can be constructed syntactically from the atoms of φ

Example

  • For (∃y : 3x + 1 < y ∧ y < x + 2), Weispfenning's procedure gives
      T = { 3x, 3x + 1, 3x + 2, x + 1, x + 2, x + 3, ((3x + 1) + (x + 2))/2 }

SLIDE 17

Model-Guided Virtual Term Substitution

Idea

  • We start from an elimination set T such that
      (∃y : φ(x, y)) ⇔ ⋁_{t ∈ T} φ(x, t)
  • Since we can under-approximate, it's enough for us to pick a single term t0 in T:
      φ(x, t0) ⇒ (∃y : φ(x, y))
  • We also have a model M of φ(x, y), so we use M to find a suitable t0


SLIDE 18

Example

  ∃y : 3x + 1 < y ∧ y < x + 2
  T = { 3x, 3x + 1, 3x + 2, x + 1, x + 2, x + 3, ((3x + 1) + (x + 2))/2 }

  • Model: x → 0 and y → 1.5
  • We pick t0 = ((3x + 1) + (x + 2))/2; then φ(x, t0) reduces to x < 1/2

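The model-guided elimination of slides 15 to 18, carried out in Python as an added example (illustrative code written for this page, not Yices's implementation). It builds the elimination set T from the atoms of an implicant the way slide 16 does (each bound term p of y, p - 1, p + 1, and the midpoints of all pairs of bound terms, which reproduces the seven terms of the slide's T), uses the model to select a t0 with M ⊨ J(x, t0), and returns G(x) = J(x, t0). The term encoding, the helper names (lin, model, elimination_set, project, ...), the dedup of atoms and the second, unbounded test problem in the test are assumptions of this example, not anything on the slides.

```python
"""Model-guided virtual term substitution for linear rational arithmetic.

Added example, not Yices code.  Terms are dicts var -> Fraction, with the
constant stored under the key "1"; an atom (term, op) stands for
"term op 0" with op one of "<", "<=", "=", "!=".  An implicant J(x, y) is a
list of such atoms, i.e. a conjunction.
"""
from fractions import Fraction
from itertools import combinations_with_replacement

ONE = "1"  # key of the constant coefficient inside a term

def lin(**coeffs):
    """Build a term: lin(x=3, _=1) is 3x + 1 (the name _ is the constant)."""
    t = {(ONE if k == "_" else k): Fraction(v) for k, v in coeffs.items()}
    return {k: c for k, c in t.items() if c != 0}

def model(**vals):
    """A model: variable -> Fraction (strings such as "3/2" are accepted)."""
    return {k: Fraction(v) for k, v in vals.items()}

def add(t, u, k=1):
    """t + k*u, dropping zero coefficients."""
    r = dict(t)
    for v, c in u.items():
        r[v] = r.get(v, Fraction(0)) + Fraction(k) * c
    return {v: c for v, c in r.items() if c != 0}

def scale(t, k):
    return {v: c * Fraction(k) for v, c in t.items()} if k != 0 else {}

def evaluate(t, m):
    return sum((c if v == ONE else c * m[v] for v, c in t.items()), Fraction(0))

OPS = {"<": lambda v: v < 0, "<=": lambda v: v <= 0,
       "=": lambda v: v == 0, "!=": lambda v: v != 0}

def holds(atoms, m):
    """M |= J for a conjunction of atoms."""
    return all(OPS[op](evaluate(t, m)) for t, op in atoms)

def bound_point(t, y):
    """Solve term = 0 for y: the y-free term p with y = p (None if y is absent)."""
    a = t.get(y)
    return None if a is None else scale(add(t, {y: a}, -1), Fraction(-1) / a)

def substitute(atoms, y, t0):
    """J(x, t0): replace y by the y-free term t0 in every atom (duplicates dropped)."""
    out = []
    for t, op in atoms:
        a = t.get(y, Fraction(0))
        t2 = add(add(t, {y: a}, -1), t0, a) if a else t
        if (t2, op) not in out:
            out.append((t2, op))
    return out

def elimination_set(atoms, y):
    """Elimination set for y as on slide 16: every bound term p of y, p - 1,
    p + 1, and the midpoints of all pairs of bound terms.  Over the rationals
    each connected component of the solution set of a conjunction has its
    endpoints among the bound terms (or is unbounded on that side), so one of
    these test points lands in every non-empty component.  [0] if y is absent."""
    points = []
    for t, _ in atoms:
        p = bound_point(t, y)
        if p is not None and p not in points:
            points.append(p)
    if not points:
        return [{}]
    T = []
    for p in points:
        T += [p, add(p, lin(_=1), -1), add(p, lin(_=1))]
    for p, q in combinations_with_replacement(points, 2):
        T.append(scale(add(p, q), Fraction(1, 2)))
    return [t for i, t in enumerate(T) if t not in T[:i]]

def project(atoms, y, m):
    """Model-guided VTS: pick t0 in T with M |= J(x, t0); return (t0, J(x, t0)).
    G(x) := J(x, t0) then satisfies M |= G(x) and G(x) => exists y. J(x, y)."""
    for t0 in elimination_set(atoms, y):
        g = substitute(atoms, y, t0)
        if holds(g, m):
            return t0, g
    raise ValueError("M does not satisfy J(x, y)")

if __name__ == "__main__":
    # The slide's example: exists y. 3x + 1 < y and y < x + 2, model x = 0, y = 3/2.
    J = [(lin(x=3, _=1, y=-1), "<"), (lin(y=1, x=-1, _=-2), "<")]
    M = model(x=0, y="3/2")
    t0, G = project(J, "y", M)
    print("t0 =", t0, "G(x) =", G)   # i.e. t0 = 2x + 3/2 and G(x) is x - 1/2 < 0
```

Only the midpoint ((3x + 1) + (x + 2))/2 = 2x + 3/2 passes the model check, exactly as on slide 18, and both atoms of J collapse to x - 1/2 < 0. The elimination set is quadratic in the number of bounds, which is why the hybrid approach on slide 19 reaches for virtual term substitution only after Gaussian elimination and cheap Fourier-Motzkin steps.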

SLIDE 19

Variable Elimination as Implemented in Yices

Input

  • The implicant construction produces a conjunction of arithmetic inequalities and equalities

Hybrid Approach

  • eliminate variables that occur in equalities (Gaussian elimination)
  • use Fourier-Motzkin if it's cheap
  • use virtual-term substitution as a last step.


SLIDE 20

Application: Exists/Forall Problems

Example Synthesis Problem

  • Find a function f such that ∀y : Φ(y, f(y))
    (Φ specifies the properties we want for f)

Parameterization

  • Look at a collection of functions fx defined by a template parameterized by variables x. Example: linear functions f_{a,b,c}(y1, y2) = a + b·y1 + c·y2
  • The synthesis problem is now: find parameters x such that ∀y : Φ(y, fx(y))

This is an exists/forall problem: check the satisfiability of ∃x : ∀y : Φ(y, fx(y))


SLIDE 21

EF-Solver Algorithm

  i := 0
  C0(x) := initial constraints on x
  repeat
    find xi that satisfies Ci(x)                          [E-Solver]
    if no xi is found, return unsat
    search for yi that satisfies ¬Φ(xi, y)                [F-Solver]
    if no yi is found, then xi is a solution; return sat
    generalize from yi: compute a constraint G(x) such that
      1) G(xi) is true
      2) G(x) ⇒ (∃y : ¬Φ(x, y))
    Ci+1(x) := Ci(x) ∧ ¬G(x)
    i := i + 1
  end


SLIDE 22

EF-Solving

Model Generalization is Critical

  • Termination guarantees:
    – if the Y variables have a finite domain, then generalization by substitution ensures termination
    – for infinite domains: some form of quantifier elimination is required
  • Performance depends on how good the generalization is (number of iterations).

Some Bad Cases

  • For some formulas, we have no good model-generalization procedures.
  • Example: ∃X.∀Y.X = h(Y) where h is a bitvector function
  • We can only use generalization by substitution and in this case it doesn't generalize: G(X) is X = h(Y0), which is the same as X = X0.

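The E-Solver / F-Solver loop of slide 21, run on a finite domain with the generalization by substitution of slide 22, as an added example in Python (written for this page; it is not the Yices EF-solver, which works on SMT formulas rather than by enumeration). The synthesis problem is constructed: find the parameters x = (a, b) of the template f_x(y) = (a·y + b) mod 16 so that f_x matches a target on every 4-bit y. Brute-force search stands in for both sub-solvers, and the template, the two target specifications and the helper names are assumptions of this example.

```python
"""EF-solver loop (the E-Solver / F-Solver iteration on the slide) over a
finite domain, using generalization by substitution.

Added example, not Yices code.  The problem is constructed: synthesize the
parameters x = (a, b) of the template f_x(y) = (a*y + b) mod 2^WIDTH such
that f_x agrees with a target function on every WIDTH-bit input y.  Brute
force stands in for the E-Solver and the F-Solver; with 2^8 candidate
parameter pairs and 2^4 inputs that is instant.
"""
from itertools import product

WIDTH = 4
MOD = 1 << WIDTH

def template(x, y):
    """f_x(y) = (a*y + b) mod 2^WIDTH for x = (a, b)."""
    a, b = x
    return (a * y + b) % MOD

def shift_spec(y, fy):
    """Phi(y, f(y)) for a target a linear template can match: 4y + 3 mod 16."""
    return fy == ((y << 2) + 3) % MOD

def square_spec(y, fy):
    """Phi(y, f(y)) for a target no linear template matches: y*y mod 16."""
    return fy == (y * y) % MOD

def e_solver(constraints, candidates):
    """E-Solver: some x satisfying every conjunct of C_i(x), or None."""
    for x in candidates:
        if all(c(x) for c in constraints):
            return x
    return None

def f_solver(phi, x, ys):
    """F-Solver: some y with not Phi(y, f_x(y)), or None if x is a solution."""
    for y in ys:
        if not phi(y, template(x, y)):
            return y
    return None

def ef_solve(phi, max_iters=10_000):
    """Returns (x, iterations) when sat and (None, iterations) when unsat."""
    candidates = list(product(range(MOD), repeat=2))
    ys = range(MOD)
    constraints = []            # C_0(x): no initial constraints on x
    for i in range(max_iters):
        x = e_solver(constraints, candidates)
        if x is None:
            return None, i      # no x_i satisfies C_i: unsat
        y = f_solver(phi, x, ys)
        if y is None:
            return x, i + 1     # no counterexample y_i: x_i is a solution
        # Generalize from y_i by substitution:
        #   G(x) := not Phi(y_i, f_x(y_i)); G(x_i) holds and G(x) => exists y. not Phi(y, f_x(y))
        # C_{i+1}(x) := C_i(x) and not G(x), i.e. conjoin Phi(y_i, f_x(y_i)).
        constraints.append(lambda x, y=y: phi(y, template(x, y)))
    raise RuntimeError("iteration bound reached")

if __name__ == "__main__":
    print(ef_solve(shift_spec))    # ((4, 3), 3)
    print(ef_solve(square_spec))   # (None, 3)
```

Each counterexample y_i adds the constraint Φ(y_i, f_x(y_i)) on x, which rules out every candidate that disagrees with the target at y_i, not just the x_i that produced it; that is what makes the loop converge in three iterations here and, as slide 22 says, guarantees termination on any finite domain, since each iteration removes at least x_i from the candidates.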

SLIDE 23

Experiments on Exists/Forall BV Problems

[Scatter plot: yices-abfac509-2015-08-13.txt.ef against Z3, time per problem in seconds (0.1 to 1200, plus timeout and abort)]


SLIDE 24

Conclusion

SMT Solving

  • All about building models (at least in the quantifier-free case)
  • Model-based theory combination is a key procedure in most SMT solvers

Uses of SMT

  • Many applications require functions for exploring models
  • We would like to know which features users want.
