Computer Science Laboratory, SRI International
Overview of Models in Yices
Bruno Dutertre, SRI International
Dagstuhl Seminar 15381, September 2015
Models in Yices

Internal Use
◦ SMT solvers search for models of a formula Φ in some theory T.
◦ In many cases, T is the union of disjoint theories T1 and T2 (e.g., linear arithmetic + arrays).
◦ Relevant techniques: the Nelson-Oppen method and its extensions/variations, including model-based theory combination.

Operations on Models
◦ Many applications require more than producing models.
◦ Examples of useful operations:
  – evaluate a term in a model
  – compute implicants for Φ from a model
  – generalize a model: model-based projection
Theory Combination Problem
◦ Given two formulas Φ1 and Φ2 in two disjoint theories T1 and T2, if Φ1 is satisfiable in T1 and Φ2 is satisfiable in T2, is Φ1 ∧ Φ2 satisfiable in T1 ∪ T2?
◦ Φ1 and Φ2 share some interface variables x1, ..., xn but nothing else.
◦ The answer is yes if we can construct two models M1 and M2 such that
  – $M_1 \models \Phi_1$ (in T1) and $M_2 \models \Phi_2$ (in T2)
  – M1 and M2 have the same cardinality
  – M1 and M2 agree on equalities between interface variables: $M_1 \models (x_i = x_j)$ iff $M_2 \models (x_i = x_j)$
◦ Note: for many practical theories (e.g., QF_UF) the cardinality constraint is easily satisfied.
Nelson-Oppen Method
[Diagram: Φ1 and Φ2 exchange implied interface equalities such as x_i = x_j and x_k = x_j.]
◦ Combine two decision procedures for T1 and T2.
◦ Exchange implied interface equalities to force both sides to agree.
◦ This works for convex theories. For non-convex theories (e.g., integer arithmetic), we need more: either propagate disjunctions of interface equalities or guess a variable arrangement.
Practical Issues With Nelson-Oppen

Finding All Implied Equalities
◦ For QF_UF, decision procedures based on congruence closure give implied equalities for free.
◦ It's much harder and more expensive for other theories (e.g., linear arithmetic, bitvectors).
◦ It gets worse for non-convex theories.

Better Methods: Use the Models
◦ The decision procedures construct models M1 and M2, but Nelson-Oppen does not use them.
Model-Based Theory Combination

General Approach
◦ Given models M1 and M2, search for conflicts between them: shared variables such that $M_1 \models (x_i = x_j)$ and $M_2 \models (x_i \neq x_j)$ (or the other way around).
◦ If there are none, return SAT.
◦ Otherwise:
  – try to modify the models to fix the conflicts (optional)
  – add interface lemmas, then backtrack to search for different models.
Interface Lemmas

Lemma to Remove a Conflict
◦ For a pair (x_i, x_j) such that $M_1 \models (x_i = x_j)$ and $M_2 \models (x_i \neq x_j)$, we add a constraint that encodes "(x_i = x_j) in T1" ⇒ "(x_i = x_j) in T2".
◦ The precise formulation depends on the implementation and the theories involved.
◦ Example: for UF + arithmetic in Yices, we can add the clause
    (eq x_i x_j) ∨ (x_i < x_j) ∨ (x_j < x_i)
  – (eq x_i x_j) is an atom added to the UF solver
  – (x_i < x_j) and (x_j < x_i) are arithmetic atoms
◦ Adding this lemma forces the SMT solver to backtrack and search for other models.
◦ This can be seen as a lazy way of searching for an adequate arrangement of the interface variables (sometimes called delayed theory combination).
Theory Solvers in Yices
[Diagram: a CDCL SAT solver connected to the arithmetic solver, the UF solver, the array solver, and the bitvector solver.]

Features
◦ Shared variables always involve the UF solver + another solver (either arithmetic or bitvector).
◦ All interface equalities found by the UF solver are propagated to the other solver (not the other way around).
Theory Combination in Yices

Possible Conflicts Between Models
◦ All conflicts are of the form $M_T \models (x_i = x_j)$ and $M_{UF} \models (x_i \neq x_j)$: two shared variables are equal in the arithmetic or bitvector model but not in the UF model.

Reconciliation: attempt to modify M_UF to remove the conflict, while keeping M_T frozen.
◦ Tentatively merge the equivalence classes of x_i and x_j in the UF solver, then propagate consequences by congruence closure.
◦ Accept the merge unless either it causes a conflict in the UF solver or it would propagate more equalities to theory T.
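The reconciliation step above, together with the UF + arithmetic interface lemma from the earlier slide, as an added illustration (this is not Yices code; Yices's Egraph and solver interfaces are not reproduced here). The example assumes a toy term representation (variables as strings, applications as tuples), a naive union-find congruence closure with snapshot/rollback as the "tentative merge", and a constructed scenario: a frozen arithmetic model with x1 = x2 = 1 and x3 = 2, and three different UF states. The rejection rule follows the slide literally: a merge is undone if it contradicts a UF disequality or if congruence closure would make any other interface pair equal, since Yices propagates every UF interface equality to the other solver.

```python
from itertools import combinations

# Terms: a variable is a string such as 'x1'; an application is a tuple
# such as ('f', 'x1'). All terms and subterms are listed explicitly.


class CongruenceClosure:
    """Minimal union-find with congruence propagation (illustrative only).
    Disequalities are pairs of terms that must stay in distinct classes."""

    def __init__(self, terms, equalities=(), disequalities=()):
        self.terms = list(terms)
        self.parent = {t: t for t in self.terms}
        self.diseq = list(disequalities)
        for a, b in equalities:
            self.union(a, b)
        self.propagate()

    def find(self, t):
        while self.parent[t] != t:
            t = self.parent[t]
        return t

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True

    def equal(self, a, b):
        return self.find(a) == self.find(b)

    def propagate(self):
        """Merge f(s1..sn) with f(t1..tn) whenever all si ~ ti, until fixpoint."""
        apps = [t for t in self.terms if isinstance(t, tuple)]
        changed = True
        while changed:
            changed = False
            for s, t in combinations(apps, 2):
                if (s[0] == t[0] and len(s) == len(t)
                        and all(self.equal(u, v) for u, v in zip(s[1:], t[1:]))
                        and self.union(s, t)):
                    changed = True

    def consistent(self):
        return not any(self.equal(a, b) for a, b in self.diseq)


def interface_lemma(xi, xj):
    """The UF + arithmetic interface clause from the slides, as an s-expression."""
    return f"(or (eq {xi} {xj}) (< {xi} {xj}) (< {xj} {xi}))"


def reconcile(uf, arith_model, interface):
    """Fix conflicts M_T |= xi = xj, M_UF |= xi != xj by tentative merges in UF,
    keeping the arithmetic model frozen. Returns (accepted merges, interface
    lemmas for the conflicts that could not be reconciled)."""
    accepted, lemmas = [], []
    pairs = list(combinations(interface, 2))
    for xi, xj in pairs:
        if arith_model[xi] != arith_model[xj] or uf.equal(xi, xj):
            continue                      # no conflict on this pair
        before = {p for p in pairs if uf.equal(*p)}
        snapshot = dict(uf.parent)        # cheap undo for the tentative merge
        uf.union(xi, xj)
        uf.propagate()
        after = {p for p in pairs if uf.equal(*p)}
        new_equalities = after - before - {(xi, xj)}
        # Reject if the merge contradicts a UF disequality, or if congruence
        # closure would now push further interface equalities into theory T.
        if uf.consistent() and not new_equalities:
            accepted.append((xi, xj))
        else:
            uf.parent = snapshot
            lemmas.append(interface_lemma(xi, xj))
    return accepted, lemmas


# Constructed scenario (assumption, not from the slides): three interface
# variables and a frozen arithmetic model with x1 = x2 = 1, x3 = 2, so the
# only possible conflict is on the pair (x1, x2).
INTERFACE = ['x1', 'x2', 'x3']
ARITH_MODEL = {'x1': 1, 'x2': 1, 'x3': 2}
F1, F2, F3 = ('f', 'x1'), ('f', 'x2'), ('f', 'x3')
TERMS = INTERFACE + [F1, F2, F3]


def demo():
    # (a) merging x1 ~ x2 only forces f(x1) ~ f(x2): accepted
    ok = CongruenceClosure(TERMS, disequalities=[(F1, F3)])
    # (b) the UF model asserts f(x1) != f(x2): the merge is contradictory, rejected
    clash = CongruenceClosure(TERMS, disequalities=[(F1, F2)])
    # (c) f(x1) = x3 and f(x2) = x1 hold in UF, so x1 ~ x2 would also force
    #     x3 ~ x1, a new interface equality that T never asserted: rejected
    leak = CongruenceClosure(TERMS, equalities=[(F1, 'x3'), (F2, 'x1')])
    return {name: reconcile(cc, ARITH_MODEL, INTERFACE)
            for name, cc in [('accept', ok), ('uf_conflict', clash), ('leak', leak)]}


if __name__ == '__main__':
    for name, (merges, lemmas) in demo().items():
        print(name, merges, lemmas)
```

Case (c) is the one worth staring at: the merge itself is consistent, but congruence closure would derive x1 = x3, which the arithmetic model refutes; accepting it would just move the conflict elsewhere, so the lemma route is taken instead.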
Other Tricks

Model Mutation (de Moura & Bjørner, 2007)
◦ Exploit flexibility in the Simplex-based arithmetic solver.
◦ There may be many solutions to a set of linear arithmetic constraints.
◦ Mutation: modify the Simplex model to give distinct values to distinct interface variables.
◦ This reduces the chance of conflicts with the UF model.

More Than Interface Lemmas
◦ Dynamic addition of Ackermann lemmas (à la Z3).
◦ When we add an interface lemma in one direction, we also add the reverse implication.
◦ Example: for arithmetic
  – interface lemma: (eq x_i x_j) ∨ (x_i < x_j) ∨ (x_j < x_i)
  – reverse: (x_i < x_j) ⇒ ¬(eq x_i x_j) and (x_j < x_i) ⇒ ¬(eq x_i x_j)
Experiments: Arrays + Bitvectors
[Figure: cactus plots of cumulative time vs. problems solved for Yices-2.2, CVC-4, Mathsat-5, Z3, Boolector-1.5, Sonolar, and TdW; the left panel covers 0 to 16000 problems solved, the right panel zooms in on 14000 to 14300.]
Experiments: UF + Linear Integer Arithmetic
[Figure: scatter plot of solving time (0.1 to 1200 s, log scale), yices-optimistic on the x axis vs. yices-pessimistic on the y axis, with abort and timeout markers.]

It's not always better: on the QF_UFLIA benchmarks of SMT-LIB, model reconciliation gives worse results than just generating interface lemmas.
Model Generalization

Generalizing a Model
◦ Many applications use SMT solvers to find one solution to some set of constraints (i.e., one model).
◦ It's often useful to generalize from this to a set of solutions.
◦ The typical setting (e.g., in IC3):
  – we have a model M for Φ(X, Y)
  – a generalization is a formula G(X) such that
    1. $M \models G(X)$
    2. $G(X) \Rightarrow (\exists Y\, \Phi(X, Y))$
  – This is also called model-based projection.
Implementation

Three Methods Implemented in Yices
◦ Baseline, no generalization: $G(X) := (X = X_0)$ where X_0 is the value of X in M.
◦ Generalize by substitution: $G(X) := \Phi(X, Y_0)$ where Y_0 is the value of Y in M.
◦ Better: local quantifier elimination
  – find an implicant J(X, Y) for Φ(X, Y) using X_0 and Y_0:
    - J(X, Y) is a conjunction of literals
    - J(X, Y) ⇒ Φ(X, Y) holds
    - J(X_0, Y_0) is true
  – construct G(X) by eliminating the Y variables from J(X, Y)
Variable Elimination

Goal
◦ We have an implicant J(x, y) that is true in a model M.
◦ We want to eliminate the variables y from J(x, y).
◦ We could try to construct a G(x) that's equivalent to ∃y: J(x, y).
◦ In our context, it is enough to obtain an under-approximation: $G(x) \Rightarrow \exists y\, J(x, y)$ such that $M \models G(x)$.

For linear (and non-linear) arithmetic, we can do this efficiently using model-guided virtual term substitution.
Virtual Term Substitution for Linear Arithmetic
Weispfenning, 1988; Loos & Weispfenning, 1993
◦ To eliminate y from a linear arithmetic formula ∃y: φ(x, y), construct an elimination set for y in φ(x, y).
◦ An elimination set is a finite set T of terms that do not contain y and such that
    $(\exists y\, \varphi(x, y)) \Leftrightarrow \bigvee_{t \in T} \varphi(x, t)$
◦ T can be constructed syntactically from the atoms of φ.

Example
◦ For $\exists y\, (3x + 1 < y \wedge y < x + 2)$, Weispfenning's procedure gives
    $T = \{\, 3x,\ 3x + 1,\ 3x + 2,\ x + 1,\ x + 2,\ x + 3,\ \tfrac{(3x + 1) + (x + 2)}{2} \,\}$
Model-Guided Virtual Term Substitution

Idea
◦ We start from an elimination set T such that
    $(\exists y\, \varphi(x, y)) \Leftrightarrow \bigvee_{t \in T} \varphi(x, t)$
◦ Since we can under-approximate, it's enough for us to pick a single term t_0 in T:
    $\varphi(x, t_0) \Rightarrow (\exists y\, \varphi(x, y))$
◦ We also have a model M of φ(x, y), so we use M to find a suitable t_0.
Example
    $\exists y\, (3x + 1 < y \wedge y < x + 2)$
    $T = \{\, 3x,\ 3x + 1,\ 3x + 2,\ x + 1,\ x + 2,\ x + 3,\ \tfrac{(3x + 1) + (x + 2)}{2} \,\}$
Model: x ↦ 0 and y ↦ 1.5.
◦ We pick $t_0 = \tfrac{(3x + 1) + (x + 2)}{2}$; then φ(x, t_0) reduces to x < 1/2.
Variable Elimination as Implemented in Yices

Input
◦ The implicant construction produces a conjunction of arithmetic inequalities and equalities.

Hybrid Approach
◦ Eliminate variables that occur in equalities (Gaussian elimination).
◦ Use Fourier-Motzkin if it's cheap.
◦ Use virtual term substitution as a last step.
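Model-guided virtual term substitution for linear real arithmetic, as an added worked example covering the generalization slides (implicant, elimination set, picking t_0 from the model). This is not Yices's implementation and not Weispfenning's full elimination-set construction: the code assumes a toy representation (linear terms as coefficient dicts over exact fractions; an implicant as a list of literals t < 0 or t ≤ 0) and draws only a subset of the elimination set as candidate witnesses (midpoints of lower/upper bound pairs, non-strict bounds, and bounds shifted by one). Any candidate t_0 for which φ(x, t_0) is true in the model yields a sound under-approximation G(x) := φ(x, t_0), so soundness never depends on completeness of the candidate set. It goes slightly beyond the slides' example by also handling one-sided and non-strict bounds.

```python
from fractions import Fraction as Fr
from itertools import product

# A linear term is a dict {var: coefficient}; the key '1' holds the constant.
# A literal (t, op) means "t op 0" with op in {'<', '<='}; a formula is a list
# of literals read as a conjunction (the shape of an implicant J(x, y)).


def add(s, t, k=Fr(1)):
    """s + k*t, dropping zero coefficients."""
    r = dict(s)
    for v, c in t.items():
        r[v] = r.get(v, Fr(0)) + k * c
    return {v: c for v, c in r.items() if c != 0}


def scale(t, k):
    return {v: k * c for v, c in t.items() if k * c != 0}


def evaluate(t, model):
    return sum((c if v == '1' else c * model[v] for v, c in t.items()), Fr(0))


def holds(formula, model):
    for t, op in formula:
        val = evaluate(t, model)
        if not (val < 0 if op == '<' else val <= 0):
            return False
    return True


def substitute(t, y, s):
    """t[y := s], where s does not contain y."""
    a = t.get(y, Fr(0))
    rest = {v: c for v, c in t.items() if v != y}
    return add(rest, s, a)


def bounds(formula, y):
    """Split literals a*y + r op 0 into lower and upper bounds on y (as terms)."""
    lowers, uppers = [], []
    for t, op in formula:
        a = t.get(y, Fr(0))
        if a == 0:
            continue
        b = scale({v: c for v, c in t.items() if v != y}, Fr(-1) / a)
        (uppers if a > 0 else lowers).append((b, op))   # y op b  or  b op y
    return lowers, uppers


def project(formula, y, model):
    """Model-guided VTS for one variable y.  Returns (t0, G) with
    G = formula[y := t0], so G(x) => exists y. formula(x, y), and t0 is
    chosen with the model's help so that the model satisfies G."""
    assert holds(formula, model), "the model must satisfy the implicant"
    lowers, uppers = bounds(formula, y)
    # Candidate witnesses (a model-guided subset of the elimination set).
    cands = [scale(add(l, u), Fr(1, 2)) for (l, _), (u, _) in product(lowers, uppers)]
    cands += [b for b, op in lowers + uppers if op == '<=']
    cands += [add(b, {'1': Fr(1)}) for b, _ in lowers]
    cands += [add(b, {'1': Fr(-1)}) for b, _ in uppers]
    cands.append({})                                   # y unconstrained: y := 0
    for t0 in cands:
        g, seen = [], set()
        for t, op in formula:
            lit = substitute(t, y, t0)
            key = (tuple(sorted(lit.items())), op)
            if key not in seen:                        # drop duplicate literals
                seen.add(key)
                g.append((lit, op))
        if holds(g, model):
            return t0, g
    raise AssertionError("unreachable: the tightest candidate satisfies the model")


# The slides' example: exists y. 3x + 1 < y and y < x + 2, model x = 0, y = 3/2.
PHI = [({'x': Fr(3), 'y': Fr(-1), '1': Fr(1)}, '<'),    # 3x + 1 - y < 0
       ({'y': Fr(1), 'x': Fr(-1), '1': Fr(-2)}, '<')]   # y - x - 2 < 0
MODEL = {'x': Fr(0), 'y': Fr(3, 2)}


def slide_example():
    return project(PHI, 'y', MODEL)


if __name__ == '__main__':
    t0, g = slide_example()
    print('t0 =', t0)   # {'x': 2, '1': 3/2}: the midpoint ((3x+1) + (x+2))/2
    print('G  =', g)    # [({'x': 1, '1': -1/2}, '<')], i.e. x < 1/2
```

With the model x = 0, y = 1.5 the first candidate tried is the midpoint of the two bounds, which evaluates to 1.5 and satisfies both literals, so the procedure stops there and both substituted literals collapse to x < 1/2, exactly the slide's result. For a formula with an equality on y, Gaussian elimination (the first step of the hybrid approach) would remove y before this code is needed.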