An Introduction to Satisfjability Modulo Theories Philipp Rmmer - PowerPoint PPT Presentation

An Introduction to Satisfjability Modulo Theories Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se February 11, 2020 1/41

Outline ● From theory ... ● From DPLL to DPLL(T) ● Slides courtesy of Alberto Griggio, http://www.cs.nyu.edu/~barrett/summerschool/griggio.pdf ● … to practice ● SMT-LIB and some common theories ● http://rise4fun.com/z3 ● http://logicrunch.it.uu.se:4096/~wv/princess/ 2/41

Typical Applications of SMT ● Deductive verifjcation ● Correctness of contracts, invariants ● Testing, symbolic execution ● Path feasibility ● Bounded model checking ● Reachability of errors within k steps ● Model checking ● Finite-state abstraction of programs 3/41

Broader Applications i = 0; x = j; while (i < 50) { i++; x++; } if (j == 0) assert (x >= 50); 4/41

ATP and SMT 5/41

ATP and SMT ATP: Classical methods: ”Big Resolution, Engines Superposition, Tableaux, of Proof” Model Evolution, etc. 6/41

ATP and SMT ATP: Classical methods: ”Big Resolution, Engines Superposition, Tableaux, of Proof” Model Evolution, etc. SMT: Collaborative meth.: “little Propositional → SAT Lin. arithmetic → Simplex engines” Functions → EUF ... 7/41

ATP and SMT ATP: Classical methods: ”Big Resolution, Engines Superposition, Tableaux, of Proof” Model Evolution, etc. SMT: Collaborative meth.: ? “little Propositional → SAT Lin. arithmetic → Simplex engines” Functions → EUF ... 8/41

We know how to … Solve Boolean formulas effjciently: ● DPLL, CDLL ● Implemented in SAT solvers Solve conjunctive constr. effjciently: ● Linear arithmetic: LP, ILP, MIP ● Finite domains: CP, local search ● etc. 9/41

We know how to … ??? Solve Boolean formulas effjciently: ● DPLL, CDLL ● Implemented in SAT solvers Solve conjunctive constr. effjciently: ● Linear arithmetic: LP, ILP, MIP ● Finite domains: CP, local search ● etc. 10/41

Example! 11/41

SAT and SMT Def.: SAT Solver Input: Propositional formula C in n variables Output: C sat + satisfying assignment (model) C unsat [+ Proof] Def.: SAT Modulo Theories Solver Input: First-order formula C in n variables and theories T 1 , …, T m Output: C sat + satisfying assignment (model) C unsat [+ Proof] 12/41

SAT and SMT Def.: SAT Solver Input: Propositional formula C in n variables Output: C sat + satisfying assignment (model) C unsat [+ Proof] Also called a solution Def.: SAT Modulo Theories Solver Input: First-order formula C in n variables and theories T 1 , …, T m Output: C sat + satisfying assignment (model) C unsat [+ Proof] 13/41

Some SMT solvers ● Z3 ● CVC4 ● MathSAT ● Yices ● OpenSMT ● Boolector ● SMTInterpol 14/41

SMT in Uppsala TRAU Z3-TRAU Norn TRAU+ Sloth Ostrich Ostrich+ Princess ePrincess UppSAT Z3 mcBV 15

SMT in Uppsala TRAU Z3-TRAU Norn TRAU+ General-purpose Sloth Ostrich Ostrich+ Princess ePrincess UppSAT Z3 Just mcBV 16 contributing ...

SMT in Uppsala String TRAU Z3-TRAU solvers Norn TRAU+ Sloth Ostrich Ostrich+ Princess ePrincess UppSAT Z3 mcBV 17

SMT in Uppsala TRAU Z3-TRAU Norn TRAU+ Sloth Ostrich Ostrich+ First-order Princess ePrincess UppSAT Z3 mcBV 18

SMT in Uppsala TRAU Z3-TRAU Norn TRAU+ Sloth Ostrich Ostrich+ Princess Low-level machine ePrincess UppSAT arithmetic Z3 mcBV 19

Typical Architecture Queries Verifjer, model SAT/SMT checker, solver etc. Answer (model, proof) 20/41

21/41

SMT-LIB ● Standardised interface for SMT solvers, supported by most tools ● Rich set of features, many theories ● Comes with a large library of benchmarks; yearly competition SMT-COMP → Organiser until 2018: Tjark Weber ! ● http://www.smtlib.org 22/41

Tutorial ... 23/41

Tutorial ... ● Every 32bit number x that is a power of 2 has the property that x & (x – 1) == 0 (and vice versa) 24/41

Important SMT-LIB commands ● (set-logic QF_BV) (set-option …) ● (declare-const b (_ BitVec 8)) (declare-fun f ((x (_ BitVec 2))) Bool) ● (assert (= b #b10100011)) ● (check-sat) ● (get-value (b)), (get-model) ● (get-unsat-core) ● (push 1), (pop 1) ● (reset), (exit) 25/41

Important SMT-LIB commands Z3, and many ● (set-logic QF_BV) solvers don't care ... (set-option …) ● (declare-const b (_ BitVec 8)) (declare-fun f ((x (_ BitVec 2))) Bool) ● (assert (= b #b10100011)) ● (check-sat) ● (get-value (b)), (get-model) ● (get-unsat-core) ● (push 1), (pop 1) ● (reset), (exit) 26/41

Important SMT-LIB commands Z3, and many ● (set-logic QF_BV) solvers don't care ... (set-option …) ● (declare-const b (_ BitVec 8)) (declare-fun f ((x (_ BitVec 2))) Bool) ● (assert (= b #b10100011)) ● (check-sat) In CP or MIP, this would be called ● (get-value (b)), (get-model) assume or constraint ● (get-unsat-core) ● (push 1), (pop 1) ● (reset), (exit) 27/41

The assertion stack ● Holds both assertions and declarations, but no options ● Important for incremental use of solver ● (push n ) → add n new frames to the stack ● (pop n ) → pop n frames from the stack 28/41

General SMT-LIB constructors ● (and …), (or …), (not …), (=> …) ● (= b c) ● (ite (= b c) #b101 #b011) ● (let ((a #b001) (b #b010)) (= a b)) ● (exists ((x (_ BitVec 2))) (= #b101 x)) (forall …) ● (! (= b c) :named X) 29/41

Main SMT-LIB Bit-vector ops. http://smtlib.cs.uiowa.edu/logics-all.shtml#QF_BV ● (_ BitVec 8) ● #b1010, #xff2a, (_ bv42 32) ● (= (concat #b1010 #b0011) #b10100011) ● (= ((_ extract 1 3) #b10100011) #b010) ● Unary: bvnot, bvneg ● Binary: bvand, bvor, bvadd, bvmul, bvudiv, bvurem, bvshl, bvlshr ● (bvult #b0100 #b0110) ● And many more derived operators ... 30/41

BMC: straight-line programs int x, y; x = x * x; y = x + 1; assert(y > 0); 31/41

BMC: straight-line programs Z3-specifjc int x, y; x = x * x; (set-option :pp.bv-literals false) y = x + 1; (declare-const x0 (_ BitVec 32)) (declare-const y0 (_ BitVec 32)) assert(y > 0); (declare-const x1 (_ BitVec 32)) (declare-const y1 (_ BitVec 32)) (assert (= x1 (bvmul x0 x0))) (assert (= y1 (bvadd x1 (_ bv1 32)))) (assert (not (bvsgt y1 (_ bv0 32)))) (check-sat) (get-model) Signed comparison 32/41

Modelling of Program Variables ● An SMT-LIB constant represents a single value ● Just like mathematical variables ● Program variables can be reassigned … how to model computations? ● Main idea: every assignment creates a new “version” of a variable ● x0 / y0 vs. x1 / y1 in example 33/41

Modelling of Program Variables ● An SMT-LIB constant represents a single value ● Just like mathematical variables ● Program variables In compilers, this is called can be reassigned … how “Single Static Assignment” to model computations? form (SSA) ● Main idea: every assignment creates a new “version” of a variable ● x0 / y0 vs. x1 / y1 in example 34/41

BMC: conditional branching int x, y; if (x > 0) y = x; else y = -x; assert(y >= 0); 35/41

BMC: conditional branching int x, y; (set-option :pp.bv-literals false) (declare-const x0 (_ BitVec 32)) if (x > 0) (declare-const y0 (_ BitVec 32)) (declare-const y1a (_ BitVec 32)) y = x; (declare-const y1b (_ BitVec 32)) else (declare-const y2 (_ BitVec 32)) (declare-const b Bool) y = -x; (assert (= b (bvsgt x0 (_ bv0 32)))) assert(y >= 0); (assert (=> b (= y1a x0))) (assert (=> (not b) (= y1b (bvneg x0)))) (assert (= y2 (ite b y1a y1b))) (assert (not (bvsge y2 (_ bv0 32)))) (check-sat) (get-model) 36/41

Alternative method: path-wise exploration int x, y x > 0 !(x > 0) y = x y = -x assert(...) 37/41

Alternative method: path-wise exploration ● Each query int x, y smaller, but possibly x > 0 !(x > 0) exponentially many paths y = x y = -x ● Learning similar to CDCL can be used to avoid analysing all paths assert(...) 38/41

Conclusions ● Most important idea in this lecture: Lazy encoding of formulas to SAT ● SMT solvers are ... ● Usually optimised for verifjcation: Good at proving unsat ● Able to handle infjnite domains: Arithmetic, arrays, strings, etc. ● Side-efgect: restricted set of operators: Capture decidable domains ● Good at propositional reasoning 39/41

Conclusions Compare to relaxations ● Most important idea in this lecture: Lazy encoding of formulas to SAT ● SMT solvers are ... ● Usually optimised for verifjcation: Good at proving unsat ● Able to handle infjnite domains: Arithmetic, arrays, strings, etc. ● Side-efgect: restricted set of operators: Capture decidable domains ● Good at propositional reasoning 40/41

Outlook ● Various further topics: ● More theories: ADTs, fmoats, strings, etc. ● Handling of quantifjers ● Fixed-point computation ● MaxSAT/MaxSMT ● Optimising SMT ● More lecture slides: ● http://ssa-school-2016.it.uu.se/ ● http://www.sc-square.org/CSA/school/ ● http://ssa-school-2018.cs.manchester.ac.uk/ 41/41