
Counterexample-Guided Quantifier Instantiation for Synthesis in SMT - PowerPoint PPT Presentation

Counterexample-Guided Quantifier Instantiation for Synthesis in SMT
Andrew Reynolds, Morgan Deters, Viktor Kuncak, Cesare Tinelli, and Clark Barrett
Kumar Madhukar, TCS Research, Pune
Formal Methods Update Meet, IIT Mandi, 17-18 July, 2017



  2. Outline ▶ The Problem ▶ Restrictions ▶ Solutions

  3. The (Synthesis) Problem
  ▶ Synthesize a function that meets a given specification.
  ▶ Example - Synthesize f such that:
    ▶ f(x1, x2) ≥ x1 ∧
    ▶ f(x1, x2) ≥ x2 ∧
    ▶ f(x1, x2) ≈ x1 ∨ f(x1, x2) ≈ x2
  ▶ Applicable in synthesis of functional programs, program sketching, synthesis of reactive systems, etc.

  4. If P is a formula that encodes the specification,
  P[f, x1, x2] = f(x1, x2) ≥ x1 ∧ f(x1, x2) ≥ x2 ∧ (f(x1, x2) ≈ x1 ∨ f(x1, x2) ≈ x2)
  then we must have
  ∀x1 x2. P[f, x1, x2]
  And the question that we are asking is
  ∃f. ∀x1 x2. P[f, x1, x2]

  5. ▶ Or, more generally, ∃f. ∀x1, x2, ... xn. P(f, x1, x2, ... xn), i.e. there exists a function f such that for all x̄, P(f, x̄) is true.
  ▶ An SMT solver may treat f as an uninterpreted function, but the real challenge here is the universal quantification over x̄.
  ▶ The solver must construct (a finite representation of) an interpretation for f which is true for all x̄.

  6. ▶ In contrast, there are effective techniques to show unsatisfiability of universally quantified formulas.
  ▶ SMT solvers use instantiation-based methods - generate ground instances until a refutation is found.
  ▶ Can we transform our problem into one of checking unsatisfiability?
  If satisfiability(F) ⇒ validity(F), then (F is sat) ⇔ (¬F is not valid) ⇔ (¬F is unsatisfiable)

  7. Restriction
  1. Satisfiability ⇒ Validity
  ▶ Most theories used in SMT (e.g. various theories of integers, reals, strings, algebraic datatypes, bit-vectors, etc.) are satisfaction complete wrt the class of closed first-order formulas.
  ▶ In other words, we will only consider theories that are satisfaction complete wrt the formulas we are interested in.

  8. ▶ Another challenge: Negation introduces second-order universal quantification (over function f).
  ∃f. ∀x̄. P(f, x̄)   sat
  ↓ negate
  ¬∃f. ∀x̄. P(f, x̄)   unsat
  ↓ push ¬
  ∀f. ∃x̄. ¬P(f, x̄)   unsat
  ▶ What if we restrict ourselves to the class of synthesis problems where every occurrence of f in P is of the form f(x̄)?
  ▶ In that case, we can transform the synthesis problem ∃f. ∀x̄. P[f, x̄] to: ∀x̄. ∃y. Q[x̄, y].

  9. Restrictions
  1. Satisfiability ⇒ Validity
  ▶ Most theories used in SMT (e.g. various theories of integers, reals, strings, algebraic datatypes, bit-vectors, etc.) are satisfaction complete wrt the class of closed first-order formulas.
  ▶ In other words, we will only consider theories that are satisfaction complete wrt the formulas we are interested in.
  2. P consists of single-invocation properties
  ▶ f(x1, x2) ≥ x1 ∧ f(x1, x2) ≥ x2 ∧ (f(x1, x2) ≈ x1 ∨ f(x1, x2) ≈ x2) is single-invocation: every occurrence of f is f(x1, x2).
  ▶ c(x1, x2) ≈ c(x2, x1) is not: the two occurrences of c have different arguments.

  10. Recall Synthesis conjecture: ∃f. ∀x1 ... xn. P[f, x1, ..., xn]
  ▶ avoid second-order quantification, and
  ▶ solve an unsatisfiability (universal quantification) problem instead of a satisfiability one.

  11. So far..
  ∃f. ∀x̄. P(f, x̄)   sat
  ↓ (single-invocation property)
  ∀x̄. ∃g. P(g, x̄)   sat
  ↓ (satisfaction-complete theory)
  ∀x̄. ∃g. P(g, x̄)   valid
  ↓ (negate)
  ¬∀x̄. ∃g. P(g, x̄)   unsat
  ↓ (push ¬)
  ∃x̄. ∀g. ¬P(g, x̄)   unsat

  12. Our first example
  ∃f. ∀x1 x2. (f(x1, x2) ≥ x1 ∧ f(x1, x2) ≥ x2 ∧ (f(x1, x2) ≈ x1 ∨ f(x1, x2) ≈ x2))   sat
  ↓ (single-invocation property)
  ∀x1 x2. ∃g. (g ≥ x1 ∧ g ≥ x2 ∧ (g ≈ x1 ∨ g ≈ x2))   sat
  ↓ negate (satisfaction-complete theory)
  ∃x1 x2. ∀g. (g < x1 ∨ g < x2 ∨ (g ≉ x1 ∧ g ≉ x2))   unsat
  ↓ Skolemize, for fresh a, b
  ∀g. (g < a ∨ g < b ∨ (g ≉ a ∧ g ≉ b))   unsat

  13. Solving Max Example: the quantifiers module and the ground solver start from the refutation goal ∀g. (g<a ∨ g<b ∨ (g≠a ∧ g≠b)).

  14. Solving Max Example: the quantifiers module sends the instances a/g and b/g to the ground solver:
    (a<a ∨ a<b ∨ (a≠a ∧ a≠b))
    (b<a ∨ b<b ∨ (b≠a ∧ b≠b))

  15. Solving Max Example: these instances simplify to a<b and b<a.

  16. Solving Max Example: a<b and b<a are contradictory, so ∀g. (g<a ∨ g<b ∨ (g≠a ∧ g≠b)) is unsatisfiable; unsat implies the original synthesis conjecture has a solution.

  17.  f.  x .P(f( x ), x ) How do we get solutions? negate, translate to FO  P(t 1 , k ),…,  P(t n , k )  g.  P(g, k ) Quantifiers instances Ground Module solver unsat  P(t 1 , k ),…,  P(t n , k )|= false

  18.  f.  x .P(f( x ), x ) How do we get solutions? negate, translate to FO  P(t 1 , k ),…,  P(t n , k )  g.  P(g, k ) Quantifiers instances Ground Module solver Claim the following is a solution for f : l x . ite( P(t 1 , k ), t 1 , unsat ite( P(t 2 , k ), t 2 , …  P(t 1 , k ),…,  P(t n , k )|= false ite( P(t n-1 , k ), t n-1 , t n )…)[ x / k ]

  19-23. Why is this a solution?
  Given: ∃f. ∀x̄. P(f(x̄), x̄)
  Found: ¬P(t1, k), …, ¬P(tn, k) ⊨ false
  Claim the following is a solution for f:
  λx̄. ite(P(t1, k), t1, ite(P(t2, k), t2, … ite(P(t_{n-1}, k), t_{n-1}, t_n)…))[x̄/k]
  ▶ If P holds for t1, return t1
  ▶ If P holds for t2, return t2
  ▶ …
  ▶ If P holds for t_{n-1}, return t_{n-1}
  ▶ Otherwise return t_n. Why does P(t_n, k) hold? Because ¬P(t1, k) ∧ … ∧ ¬P(tn, k) ⊨ false: if P(t1, k), …, P(t_{n-1}, k) are all false, P(t_n, k) cannot be false as well.

  24-26. Solution for Max Example
  Given: ∃f. ∀x y. (f(x,y) ≥ x ∧ f(x,y) ≥ y ∧ (f(x,y) = x ∨ f(x,y) = y))
  Found: ¬(a ≥ a ∧ a ≥ b ∧ (a = a ∨ a = b)), ¬(b ≥ a ∧ b ≥ b ∧ (b = a ∨ b = b)) ⊨ false
  Claim the following is a solution for f:
  λx y. ite(a ≥ a ∧ a ≥ b ∧ (a = a ∨ a = b), a, b)[x/a][y/b]
  = λx y. ite(x ≥ x ∧ x ≥ y ∧ (x = x ∨ x = y), x, y)
  = λx y. ite(x ≥ y, x, y)
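The refutation loop of slides 13-26 carried through in code, as an added example that is not part of the slides or of the authors' solver: a counterexample-guided instantiation loop for the max conjecture, with a brute-force search over a small integer box standing in for the SMT ground solver (an assumption) and the instantiation terms drawn from a small candidate list (x1 and x2 are the instances a/g and b/g of the slides) instead of being picked by a solver's quantifier module. The solution is assembled exactly as the nested ite of slide 18, with the last term returned unchecked.

```python
from itertools import product

# Added example, not from the slides. ASSUMPTION: the "ground module" is a
# brute-force search over a small integer box (stand-in for the SMT ground
# solver) and instances come from a fixed candidate list, not the solver.
DOMAIN = range(-3, 4)

def max_spec(g, x):
    """P(g, x1, x2): g >= x1 and g >= x2 and (g = x1 or g = x2)."""
    return g >= x[0] and g >= x[1] and (g == x[0] or g == x[1])

# candidate terms t_i(x̄); x1 and x2 are the instances a/g, b/g on the slides
CANDIDATES = [("0", lambda x: 0), ("x1", lambda x: x[0]), ("x2", lambda x: x[1])]

def ground_model(spec, terms):
    """A valuation k with ¬P(t1,k) ∧ … ∧ ¬P(tn,k), or None meaning 'unsat'."""
    for k in product(DOMAIN, repeat=2):
        if all(not spec(t(k), k) for _, t in terms):
            return k
    return None

def make_solution(spec, terms):
    """λx̄. ite(P(t1,x̄), t1, ite(P(t2,x̄), t2, … t_n)); t_n is returned unchecked."""
    def f(x1, x2):
        x = (x1, x2)
        for _, t in terms[:-1]:
            if spec(t(x), x):
                return t(x)
        return terms[-1][1](x)    # sound: the instances were jointly unsat
    return f

def cegqi(spec, candidates=CANDIDATES, max_rounds=10):
    """Refute ∀g.¬P(g,k) by instantiation; return (term names, solution f)."""
    terms = []
    for _ in range(max_rounds):
        k = ground_model(spec, terms)
        if k is None:                        # ¬P(t1,k),…,¬P(tn,k) |= false
            return [n for n, _ in terms], make_solution(spec, terms)
        # counterexample-guided: pick a term satisfying P at the model k, so
        # the new instance ¬P(t,k) rules that model out in the next round
        for name, t in candidates:
            if name not in [n for n, _ in terms] and spec(t(k), k):
                terms.append((name, t))
                break
        else:
            raise RuntimeError(f"no candidate term refutes the model {k}")
    raise RuntimeError("no refutation within the round limit")

def verify(spec, f):
    """Check ∀x̄ in DOMAIN². P(f(x̄), x̄) for the synthesized f."""
    return all(spec(f(*x), x) for x in product(DOMAIN, repeat=2))
```

Running `cegqi(max_spec)` adds x1 (refuting the first model), then x2 (refuting a model with a < b), after which no model remains and the returned function is the max of its arguments.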

  27. Lifting the single-invocation property restriction ▶ Can we still refute negated synthesis conjectures? ▶ Yes, under syntactic restrictions.

  28-29. Example: Syntax-Guided Synthesis
  ▶ Syntactic restriction for the solution space, expressed by these algebraic datatypes:
    S := t1 | t2 | zero | one | plus(S, S) | minus(S, S) | if(C, S, S)
    C := leq(S, S) | eq(S, S) | and(C, C) | not(C)
  ▶ And an interpretation of these datatypes in terms of the original theory:
    1. ev : S × Int × Int → Int : embedding S in Int.
    2. ev : C × Int × Int → Bool : embedding C in Bool.

  30. The evaluation operators
  ev(t1, x, y) ≈ x
  ev(zero, x, y) ≈ 0
  ev(not(c), x, y) ≈ ¬ev(c, x, y)
  ev(and(c1, c2), x, y) ≈ ev(c1, x, y) ∧ ev(c2, x, y)
  ev(plus(s1, s2), x, y) ≈ ev(s1, x, y) + ev(s2, x, y)
  ev(if(c, s1, s2), x, y) ≈ ite(ev(c, x, y), ev(s1, x, y), ev(s2, x, y))
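The datatypes S and C and the evaluation operator ev of slides 28-30, as an added example that is not part of the slides: terms are tagged tuples, ev interprets them over the integers, and the max solution is written inside the restricted grammar and checked against the original specification. The slides only show some of the ev rules; the rules assumed here for t2, one, minus, leq and eq follow the same pattern.

```python
# Added example, not from the slides. Datatype terms are tagged tuples, e.g.
# ("plus", ("t1",), ("one",)). ASSUMPTION: the rules for t2, one, minus,
# leq and eq, which the slides omit, follow the pattern of the ones shown.
RULES = {                     # one ev rule per constructor; s = evaluated children
    "t1":    lambda s, x, y: x,
    "t2":    lambda s, x, y: y,
    "zero":  lambda s, x, y: 0,
    "one":   lambda s, x, y: 1,
    "plus":  lambda s, x, y: s[0] + s[1],
    "minus": lambda s, x, y: s[0] - s[1],
    "if":    lambda s, x, y: s[1] if s[0] else s[2],   # ite(ev c, ev s1, ev s2)
    "leq":   lambda s, x, y: s[0] <= s[1],
    "eq":    lambda s, x, y: s[0] == s[1],
    "and":   lambda s, x, y: s[0] and s[1],
    "not":   lambda s, x, y: not s[0],
}

def ev(term, x, y):
    """ev(s, x, y) for s : S (an int) or ev(c, x, y) for c : C (a bool)."""
    op, *args = term
    if op not in RULES:
        raise ValueError(f"not a constructor of S or C: {op}")
    return RULES[op]([ev(a, x, y) for a in args], x, y)

# the max solution of slide 26, expressed in the grammar: if(leq(t2, t1), t1, t2)
MAX_TERM = ("if", ("leq", ("t2",), ("t1",)), ("t1",), ("t2",))

def satisfies_max_spec(term, domain=range(-3, 4)):
    """Check the original conjecture with f(x, y) := ev(term, x, y) on a box."""
    def holds(x, y):
        g = ev(term, x, y)
        return g >= x and g >= y and (g == x or g == y)
    return all(holds(x, y) for x in domain for y in domain)
```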
