Programming Constraint Services with Z3

A tutorial - Automata, Logic and Games, NUS

Nikolaj Bjørner
Microsoft Research

Contents

Slides

Overview

Goal of this tutorial is to give an overview of what you can do with Z3 from the perspectives of:

  • What is expressible: Logics and Theories.

  • Adaptability: Mapping logical queries to Z3.

  • Programmability: using the API.

  • Efficiency: Algorithms.

Z3

  • A state-of-art Satisfiability Modulo Theories (SMT) solver from Microsoft Research

  • Targets applications in software engineering

  • Leonardo de Moura, Nikolaj Bjørner, and Christoph Wintersteiger

    • Contributions from Ken McMillan, Mikolas Janota, Loris d'Antoni, George Karpenkov, Dan Lieuw and several others
    • Contributions are solicited

  • On github: https://github.com/Z3prover/z3.git

    • MIT open source license

Logical Queries

\[\begin{mdmathpre}%mdk \mathrm{Satisfiability}~~~&~\varphi \rightsquigarrow \mathid{sat},~\mathid{unsat},~\mathid{timeout}~\smallskip \\ \mathrm{Certificates}~~~~~&~\varphi \rightsquigarrow \mathid{model},~\mathid{proof},~\mathid{unsat}~\mathid{core}~\smallskip\\ \mathrm{Interpolation}~~~~&~\varphi[\mathid{x},\mathid{y}]~\rightarrow \mathid{I}[\mathid{x}]~\rightarrow \psi[\mathid{x},\mathid{z}]~\smallskip\\ \mathrm{Optimization}~~~~~&~\max \mathid{x}~\mid \varphi \smallskip \\ \mathrm{Consequences}~~~~~&~\varphi \rightarrow \varphi_1~\wedge \ldots \wedge \varphi_\mathid{n}\smallskip\\ \mathrm{Sat\ subsets}~~~~~&~\psi_1~\wedge \psi_2,\ \psi_1~\wedge \psi_3\smallskip\\ \mathrm{Unsat\ cores}~~~~~&~\neg(\psi_1~\wedge \psi_2),\ \neg(\psi_1~\wedge \psi_3)\medskip\\ \mathrm{Model\ counting}~~&~|\{~\mathid{x}~\mid \varphi\}|~\medskip\\ \mathrm{All\ models}~~~~~~&~\mathid{Ideal}(\varphi),~\mathid{M}_1~\models \varphi,~\mathid{M}_2~\models \varphi,~\ldots \medskip\\ \mathrm{Model\ probability}~&~\ldots \end{mdmathpre}%mdk \]

Logics and Theories


  • Terms
  • Logical Connectives
  • Quantifiers, Variables


  • Propositional logic
  • Theory of Equality
  • Uninterpreted Functions
  • Arrays
  • Arithmetic
  • Arrays
  • Algebraic Data-types
  • Bit-vectors, Floating points
  • Sequences, Strings

Basic SAT

\[\begin{mdmathpre}%mdk (\mathid{Tie}~\vee \mathid{Shirt})~\wedge (\neg \mathid{Tie}~\vee \mathid{Shirt})~\wedge (\neg \mathid{Tie}~\vee \neg \mathid{Shirt}) \end{mdmathpre}%mdk \]



  Tie, Shirt = Bools('Tie Shirt')
  s = Solver()
  s.add(Or(Tie, Shirt), Or(Not(Tie), Shirt), Or(Not(Tie), Not(Shirt)))
  print s.check()
  print s.model()

Basic SMT

I = IntSort()
f = Function('f', I, I)
x, y, z = Ints('x y z')
A = Array('A',I,I)

fml = Implies(x + 2 == y, f(Select(Store(A, x, 3), y - 2)) == f(y - x + 1))

s = Solver()
s.add(Not(fml))
print s.check()

Logical Language

  • Terms
  • Logical Connectives
  • Quantifiers, Variables

DPLL [20]

\[ \twodpstate{\underbrace{M}_{\mbox{partial assignment}}}{\underbrace{F}_{\mbox{clauses}}} \]



\[\begin{mdmathpre}%mdk \mathsf{Guess}~~~~~&~\twodpstate{\mathid{p}}{\mathid{p}~\vee \mathid{q},~\overline{\mathid{q}}~\vee \mathid{r}}~&~\Longrightarrow &~\twodpstate{\mathid{p},~\overline{\mathid{q}}}{\mathid{p}~\vee \mathid{q},~\overline{\mathid{q}}~\vee \mathid{r}}\\ \\ \mathsf{Deduce}~~~~&~\twodpstate{\mathid{q}}{\mathid{p}~\vee \mathid{q},~\overline{\mathid{q}}~\vee \mathid{r}}~&~\Longrightarrow &~\twodpstate{\mathid{q},~\mathid{r}}{\mathid{p}~\vee \mathid{q},~\overline{\mathid{q}}~\vee \mathid{r}}\\ \\ \mathsf{Backtrack}~&~\twodpstate{\mathid{p},~\overline{\mathid{s}},~\mathid{q}}{\mathid{s}~\vee \mathid{q},~\overline{\mathid{p}}~\vee \overline{\mathid{q}}}~&~\Longrightarrow &~\twodpstate{\mathid{p},~\mathid{s}}{\mathid{s}~\vee \mathid{q},~\overline{\mathid{p}}~\vee \overline{\mathid{q}}} \end{mdmathpre}%mdk \]

CDCL: Modern Search [50]

  • Efficient indexing (two-watch literal)

  • Non-chronological backtracking (backjumping)

  • Lemma learning

  • Variable and phase selection

  • Garbage collection, restarts

CDCL: State [45]

  • $\mathcal{A}$: Atomic predicates $p, q, r, \ldots$

  • $\ell\in\mathcal{L}$: Literals over atoms $p, \overline{q}, \overline{q}, \ldots$

  • $M \subseteq \mathcal{L}$: Partial assignment without complementary literals.

  • $C$: A clause - disjunction of literals.

  • $\ell^d$: a decision literal.

  • $\ell^C$: a literal with explanation clause $C$, where $\ell$ is a disjunct in $C$. The literal $\ell$ is assigned relative to partial assignment $M$ when all other literals in $C$ occur negatively in $M$.

  • $F$: A set of clauses.

CDCL: Formal System [6]

\[\begin{array}{lllll} {\sf Initialize} & & \Longrightarrow & \twodpstate{}{F} & \mbox{$F$ is a set of clauses} \\ {\sf Decide} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{M\ell^d}{F} & \left\{ \begin{array}{l} \mbox{$\ell$ or $\neg{\ell}$ occurs in $F$} \\ \mbox{$\ell$ unassigned in $M$} \end{array} \right. \\ {\sf Propagate} & \twodpstate{M}{F, C \vee \ell} & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F, C \vee \ell} & \left\{ \begin{array}{l} \mbox{$\ell$ unassigned in $M$}, \\ \compl{C} \subseteq M \end{array} \right. \\ {\sf Conflict} & \twodpstate{M}{F,C} \ & \Longrightarrow & \conflstate{M}{F,C}{C} & \mbox{ $C$ is false under $M$} \\ {\sf Resolve} & \conflstate{M}{F}{C'\vee \neg{\ell}} \ & \Longrightarrow & \conflstate{M}{F}{C \vee C'} & \ell^{C\vee \ell} \in M \\ {\sf Backjump} & \conflstate{M\ell_0^dM'}{F}{C \vee \ell} \ & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F, C\vee \ell} & \compl{C}\subseteq M, \neg\ell \subseteq \ell_0^dM' \\ {\sf Restart} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{}{F} \\ {\sf Unsat} & \conflstate{M}{F}{\emptyset} & \Longrightarrow & {\tt unsat} \\ {\sf Sat} & \twodpstate{M}{F} & \Longrightarrow & M & \left\{ \begin{array}{l} \mbox{$M$ is $T$ consistent} \\ \mbox{and is a model for $F$.} \end{array} \right. \end{array} \]

CDCL(T)

\[\begin{array}{llllll} {\sf T-Propagate} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F} & \left\{ \begin{array}{l} \mbox{$\ell$ unassigned in $M$} \\ \mbox{$\ell$ or $\neg{\ell}$ occurs in $F$} \\ \mbox{$T \vdash C \vee \ell$}\\ \compl{C} \subseteq M \end{array} \right. \\ {\sf T-Conflict} & \twodpstate{M}{F} & \Longrightarrow & \conflstate{M}{F}{C} & \compl{C} \subseteq M,\ T \models C. \end{array} \]

CDCL(T) Example

BasicTheory

Models and Proofs

Theorem 1.
For every $\Model$, exactly one of the two conditions hold:

  • $\Model' \models F$ for some $\Model'$ where $\Model\subseteq \Model'$.
  • $F \vdash_{\Pi} \overline{\Model'}$ for some $\Model'$ where $\Model'\subseteq\Model$ and some resolution proof $\Pi$.

Corollary 1.
$\exists \Model \ . \ \Model \models F \ \ \mbox{xor} \ \ \exists \Pi \ . \ F \vdash_{\Pi} \emptyset$

CDCL realizes the dichotomy by interleaving model and consequence finding:

Corollary 2.
If $F \vdash_{\Pi} C$, then for every $\Model$ where $\overline{C} \subseteq \Model$: $\Model \not\models F$.

Corollary 3.
If $\Model \models\neg F$, i.e., $\overline{C}\subseteq \Model$ for some $C \in F$, then for every consequence $D$ from $C$ using forced literals in $\Model$ it is the case that $\overline{D} \subseteq \Model$ and there is no $\Model' \supseteq \overline{D}$ such that $\Model'\models F$.

Realizing the dichotomy

Main invariants preserved by CDCL:

  • Conflict state: For the state $\conflstate{\Model}{F}{C}$ it is the case that $\overline{C} \subseteq \Model$ and $F \vdash C$.
  • Propagation: For the state $\searchstate{\Model}{F}$ and $\conflstate{\Model}{F}{D}$, whenever $\Model = \Model_1\ell^{C\vee\ell}\Model_2$, then $\overline{C} \subseteq \Model_1$ and $F \vdash_{\Pi} C \vee \ell$.

Illustrating the invariants

${\sf Backjump}:$

\[ \conflstate{M\ell_0^dM'}{F}{C \vee \ell} \ \Longrightarrow \twodpstate{M\ell^{C\vee\ell}}{F, C\vee \ell} \]

if $\compl{C}\subseteq M, \neg\ell \subseteq \ell_0^dM'$

  • Finds First Unique Implication Point (FUIP)
    • minimizes number of decision literals in $M$.
    • maximizes propagated literals in $M$

Theories

Equality and Uninterpreted functions

EUF

  (declare-sort A)
  (declare-fun f (A) A)
  (declare-const x A)
  (assert (= (f (f x)) x))
  (assert (= (f (f (f x))) x))
  (check-sat)
  
  (assert (not (= (f x) x)))
  (check-sat)

Deciding Equality

\begin{tikzpicture} \matrix[nodes={draw},row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {:}; & \node [circle, draw] (a) {$a$}; & \node [circle, draw] (b) {$b$}; & \node [circle, draw] (c) {$c$}; & \node [circle, draw] (d) {$d$}; & \node [circle, draw] (e) {$e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b: $}; & \node [circle, draw] (ab) {$a, b$}; & \node [circle, draw] (c) {$c$}; & \node [circle, draw] (d) {$d$}; & \node [circle, draw] (e) {$e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$ t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c: $}; & \node [circle, draw] (abc) {$a, b, c$}; & \node [circle, draw] (d) {$d$}; & \node [circle, draw] (e) {$e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e: $}; & \node [circle, draw] (abc) {$a, b, c$}; & \node [circle, draw] (de) {$d, e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (de) {$d, e$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; \\ }; \end{tikzpicture}

Disequalities

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t, a \neq d: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t, c \neq s: $}; & \node [circle, draw, color=red] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t, e \neq t: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw, color=red] (det) {$d, e, t$}; \\ }; \end{tikzpicture}

Variants of union-find are effective to decide equality.

Free functions

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq f(b, g(e))$

Congruence rule

\[ x_1 = y_1 \cdots x_n = y_n \ \Rightarrow \ f(x_1, \ldots, x_n) = f(y_1, \ldots, y_n) \]

Naming sub-terms

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq f(b, {\color{red}v_1})$ ${\color{red}v_1 := g(e)}$


$a = b, b = c, d = e, b = s, d = t, f(a, {\color{red}v_2}) \neq f(b, v_1)$ $v_1 := g(e), {\color{red}v_2 := g(d)}$


$a = b, b = c, d = e, b = s, d = t, {\color{red}v_3} \neq f(b, v_1)$ $v_1 := g(e), v_2 := g(d), {\color{red}v_3 := f(a, v_2)}$


$a = b, b = c, d = e, b = s, d = t, v_3 \neq {\color{red}v_4}$ $v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), {\color{red}v_4 := f(b, v_1)}$

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v1) {$v_1$}; & \node [circle, draw] (v2) {$v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}

Applying Congruence (1)

\[\begin{array}{l} a = b, b = c, d = e, b = s, d = t, v_3 \neq v_4 \\ v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), v_4 := f(b, v_1) \end{array} \]
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v1) {$v_1$}; & \node [circle, draw] (v2) {$v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}
\[ e = d \ \Rightarrow \ g(e) = g(d) \]
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw, color=red] (v12) {$v_1, v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}

Applying Congruence (2)

\[\begin{array}{l} a = b, b = c, d = e, b = s, d = t, v_3 \neq v_4 \\ v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), v_4 := f(b, v_1) \end{array} \]

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq f(b, g(e))$

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v12) {$v_1, v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}
\[ a = b, v_2 = v_1 \Rightarrow \ f(a, v_2) = f(b, v_1) \]
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v12) {$v_1, v_2$}; & \node [circle, draw, color=red] (v34) {$v_3, v_4$}; \\ }; \end{tikzpicture}

EUF Models

A satisfiable version:

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq {\color{red}f(g(e), b)}$

$a = b, b = c, d = e, b = s, d = t, v_3 \neq v_4$
$v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), v_4 := f(v_1, b)$

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v12) {$v_1, v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}

EUF Models (II)

  • Associate a distinct value with each equivalence class.
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$\diamond_1: a, b, c, s$}; & \node [circle, draw] (det) {$\diamond_2: d, e, t$}; & \node [circle, draw] (v12) {$\diamond_3: v_1, v_2$}; & \node [circle, draw] (v3) {$\diamond_4: v_3$}; & \node [circle, draw] (v4) {$\diamond_5: v_4$}; \\ }; \end{tikzpicture}
  • $M(a) = M(b) = M(c) = M(s) := \diamond_1$
  • $M(d) = M(e) = M(t) := \diamond_2$
  • $M(g) = \{ \diamond_1 \mapsto \diamond_3, \diamond_2 \mapsto \diamond_3, \mathrm{else} \mapsto \diamond_6 \}$
  • $M(f) = \{ (\diamond_1, \diamond_3) \mapsto \diamond_4, (\diamond_3, \diamond_2) \mapsto \diamond_5, \mathrm{else} \mapsto \diamond_7 \}$

Linear Arithmetic

Linear Arithmetic Example

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) (>= t12 (+ t11 2)) (<= (+ t12 1) 8)))
(assert (and (>= t21 0) (>= t22 (+ t21 3)) (<= (+ t22 1) 8)))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or (>= t11 (+ t21 3)) (>= t21 (+ t11 2))))
(assert (or (>= t11 (+ t31 2)) (>= t31 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) (>= t31 (+ t21 3))))
(assert (or (>= t12 (+ t22 1)) (>= t22 (+ t12 1))))
(assert (or (>= t12 (+ t32 3)) (>= t32 (+ t12 1))))
(assert (or (>= t22 (+ t32 3)) (>= t32 (+ t22 1))))
(check-sat)
(get-model) ; display the model

Algorithmic Fragments of Arithmetic

Logic Fragment Solver Example
LRA Linear Real Arithmetic Dual Simplex $x + \frac{1}{2}y \leq 3$
LIA Linear Integer Arithmetic CutSat $a + 3b \leq 3$
LIRA Mixed Real/Integer Cuts + Branch $x + a \geq 4$
IDL Integer Difference Logic Floyd-Warshall $a - b \leq 4$
RDL Real Difference Logic Bellman-Ford
UTVPI Unit two-variable per inequality $x + y \leq 4$
NRA Polynomial Real Arithmetic Model based CAD $x^2 + y^2 < 1$

Other Fragments of Arithmetic

  • NIA - There is no decision procedure for integer polynomial constraints

    • Z3 falls back to incomplete heuristics
    • NIA over bounded integers may get translated to bit-vector constraints


    Theories, where Z3 falls back to general solvers:

  • Bi-linear real arithmetic

  • Non-unit two-variable per inequality

  • At most one unit positive variable per inequality (Horn)

Bellman-Ford

Solve difference logic using graph $O(m\cdot n)$ Bellman-Ford network flow algorithm. Negative cycle $\Rightarrow$ unsat.

BellmanFord

General form Simplex [21]

General form $Ax = 0$ and $lo_j \leq x_j \leq hi_j$

\[ x \geq 0, (x + y \leq 2 \vee x + 2y \geq 6), (x + y = 2 \vee x + 2y > 4) \]

$\leadsto$

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{s}_1~:=~\mathid{x}~+~\mathid{y},~\mathid{s}_2~:=~\mathid{x}~+~2\mathid{y},\\ \mdmathindent{2}\mathid{x}~\geq 0,~(\mathid{s}_1~\leq 2~\vee \mathid{s}_2~\geq 6),~(\mathid{s}_1~=~2~\vee \mathid{s}_2~>~4) \end{mdmathpre}%mdk \]

Only bounds (e.g., $s_1 \leq 2$) are asserted during search.

From Definitions to a Tableau

${\color{red}s_1} := x + y, {\color{red}s_2} := x + 2y$



${\color{red}s_1} = x + y$
${\color{red}s_2} = x + 2y$



${\color{red}s_1} - x - y = 0$ - ${\color{red}s_1, s_2}$ are basic (dependent)
${\color{red}s_2} - x - 2y = 0$ - $x, y$ are non-basic

Pivoting

  • Value of non-basic variable $x_j$ can be chosen between $lo_j$ and $hi_j$.
  • Value of basic variable is a function of non-basic variable values.
  • Pivoting swaps basic and non-basic variables.
    • used to get values of basic variables within bounds.

Arrays

Arrays

; This example illustrates different uses of the arrays
; supported in Z3.
; This includes Combinatory Array Logic 
; (de Moura & Bjorner, FMCAD 2009).
;
(define-sort A () (Array Int Int))
(declare-fun x () Int)
(declare-fun y () Int)
(declare-fun z () Int)
(declare-fun a1 () A)
(declare-fun a2 () A)
(declare-fun a3 () A)
(push) ; illustrate select-store
(assert (= (select a1 x) x))
(assert (= (store a1 x y) a1))
(check-sat)
(get-model)
(assert (not (= x y)))
(check-sat)
(pop)
(define-fun all1_array () A ((as const A) 1))
(simplify (select all1_array x))
(define-sort IntSet () (Array Int Bool))
(declare-fun a () IntSet)
(declare-fun b () IntSet)
(declare-fun c () IntSet)
(push) ; illustrate map
(assert (not (= ((_ map and) a b) ((_ map not) ((_ map or) ((_ map not) b) ((_ map not) a))))))
(check-sat)
(pop)
(push) 
(assert (and (select ((_ map and) a b) x) (not (select a x))))
(check-sat)
(pop)
(push) 
(assert (and (select ((_ map or) a b) x) (not (select a x))))
(check-sat)
(get-model)
(assert (and (not (select b x))))
(check-sat)
;; unsat, so there is no model.
(pop)  
(push) ; illustrate default
(assert (= (default a1) 1))
(assert (not (= a1 ((as const A) 1))))  
(check-sat)
(get-model)
(assert (= (default a2) 1))
(assert (not (= a1 a2)))
(check-sat)
(get-model)
(pop)
(exit)

Arrays as Combinators [42]

  A = Array(Index, Elem) # array sort 
  
  a[i]             # index array 'a' at index 'i'
                   # Select(a, i)
  
  Store(a, i, v)   # update array 'a' with value 'v' at index 'i'
                   # = lambda j: If(i == j, v, a[j])
    
  Const(v, A)      # constant array
                   # = lambda j: v
  
  Map(f, a)        # map function 'f' on values of 'a'
                   # = lambda j: f(a[j])

  Ext(a, b)        # Extensionality
                   # Implies(a[Ext(a, b)] == b[Ext(a, b)], a == b)

Array Decision Procedure

Example Store(a, i, v)

  • Each occurrence of Store(a, i, v) and b[j],

    • Assert Store(a, i, v)[j] == If(i == j, v, a[j])
    • Assert Store(a, i, v)[i] == v

  • Each shared occurrences of $a, b$:

    • Assert $a[\mbox{Ext}(a, b)] = b[\mbox{Ext}(a,b)] \ \implies \ a = b$.

  • Suppose we are given a model $M$ satisfying all asserted equalities.

    • $M$ assigns values to $a[i]\in \mathcal{T}$ terms.
    • Extend: $M(a) := \left[ M(i) \mapsto M(a[i])\; \mid\; a[i] \in \mathcal{T}; \ \mbox{else}\ \mapsto \diamond_{\mbox{default}} \right]$.
    • Claim: $M(a)$ satisfies Store axioms.

Efficient Array Decision Procedures

  • Use current partial interpretation to guide axiom instantiation.

  • Rough sketch:

    • If $u := Sore(a, i, v), w := b[j], u \sim b$ (congruent) in current state
      • Assert $i = j \vee u[j] = a[j]$.
    • If $u := Store(a, i, v), w := b[j], a \sim b$ in current state
      • Assert $i = j \vee Store(a, i, v)[j] = a[j]$

  • Also important to limit set of $i, j$ pairs.

    • Z3 uses relevancy propagation to prune don't care literals
    • Boolector uses dual propagation to extract small implicant

Bit-Vectors

Bit-Vectors

(define-fun is-power-of-two ((x (_ BitVec 4))) Bool 
  (= #x0 (bvand x (bvsub x #x1))))
(declare-const a (_ BitVec 4))
(assert 
 (not (= (is-power-of-two a) 
         (or (= a #x0) 
             (= a #x1) 
             (= a #x2) 
             (= a #x4) 
             (= a #x8)))))
(check-sat)

Floating Points

Floating point example

(declare-fun X () (_ FloatingPoint 11 53))

(assert (fp.isNormal X))
(assert (not (fp.isSubnormal X)))
(assert (not (fp.isZero X)))
(assert (not (fp.isInfinite X)))
(assert (not (fp.isNaN X)))
(assert (not (fp.isNegative X)))
(assert (fp.isPositive X))

(check-sat)
(get-model)

Sequences and Strings

Sequence Example

(declare-const a String)
(declare-const b String)
(declare-const c String)
(assert (str.prefixof b a))
(assert (str.suffixof c a))
(assert (= (str.len a) (+ (str.len b) (str.len c))))
(assert (not (= a (str.++ b c))))
(check-sat)

Queues

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{xA}~=~\mathid{Bx}~\leftarrow \Gamma \\ \mdmathindent{6}\Rightarrow \mathid{A}~=~\mathid{B}_2\mathid{B}_1,~\mathid{ext}(\mathid{x},\mathid{B})~\leftarrow \Gamma,~\mathid{B}~=~\mathid{B}_1\mathid{B}_2\\ \\ \mdmathindent{2}\mathid{xA}~=~\mathid{By}~\leftarrow \Gamma\\ \mdmathindent{6}\Rightarrow \mathid{x}~=~\mathid{B}_1,~\mathid{A}~=~\mathid{B}_2\mathid{y}~\leftarrow \Gamma,~\mathid{B}~=~\mathid{B}_1\mathid{B}_2\\ \mdmathindent{6}\Rightarrow \mathid{y}~=~\mathid{A}_2,~\mathid{B}~=~\mathid{xA}_1~\leftarrow \Gamma,~\mathid{A}~=~\mathid{A}_1\mathid{A}_2\\ \mdmathindent{6}\Rightarrow \mathid{x}~=~\mathid{Bz},~\mathid{zA}~=~\mathid{y}~\leftarrow \Gamma,~\mathid{z}~\mathid{is}~\mathid{fresh}\\ \\ \mdmathindent{2}\mathid{ext}(\mathid{x},\mathid{A}),~\mathid{ext}(\mathid{x},\mathid{B})~\leftarrow \Gamma\\ \mdmathindent{6}\Rightarrow \mathid{compat}(\mathid{A},~\mathid{B},~|\mathid{x}|),~\mathid{ext}(\mathid{x},~\mathid{A})~\leftarrow \Gamma\\ \mdmathindent{5} \end{mdmathpre}%mdk \]

Algebraic Data-types

Non-linear Arithmetic

Decision Procedure Highlight [30]

nlsat

Quantifier Engines in Z3

  • [40] E-matching

  • [13, 24, 43, 52] Model-based Quantifier Instantiation (MBQI)

  • [5] Quantifier Elimination

  • [46] Alternating Quantified Satisfaction

  • [26] Horn Clauses

  • [11] Quantified Horn Clauses

  • [47] EPR (deprecated, covered by MBQI)

  • [41] Superposition (deprecated)

  • [9] QSAT - game based solving

E-matching and Pattern based quantifier instantiation [40]

  • $\underbrace{(\forall x \ . \ f(g(x,c)) = a)}_{p_\varphi}$

  • $\land b = c \land g(c,b) = c \land f(b) \neq a$

    • Smallest subterm containing $x$: $f({\color{red}g(x,c)}) = a$
    • Use ground equality $b = c$ to match ${\color{red}g(x,c)}$ with $g(c,b)$.

  • $\land (p_{\varphi} \rightarrow f(g(b,c)) = a)$

  • Formulas are ground unsatisfiable.

Model-based Quantifier Instantiation [13, 24, 43, 52]

Check $\psi \land \forall x \ . \ \varphi[{x}]$

while $\psi$ is SAT with model $M$:
   if $\neg \varphi^M[{x}]$ is UNSAT return SAT
   $M \leftarrow $ model for $\neg \varphi^M[{x}]$
   find $t$, such that $x \not\in t, t^M = x^M$.
   $\psi \leftarrow \psi \land \varphi[t]$
return UNSAT

Quite powerful when search space for $t$ is finite

  • EPR, QBV, Array property fragment, Essentially UF
  • Combine with template space

QSAT

The idea by example

\[\begin{mdmathpre}%mdk \mathid{G}~~=~~\forall \mathid{u}_1,\mathid{u}_2~\exists \mathid{e}_1,~\mathid{e}_2~\ .~\ \mathid{F}~\\\\ \mathid{F}~~=~~(\mathid{u}_1~\land \mathid{u}_2~\rightarrow \mathid{e}_1)~\land (\mathid{u}_1~\land \neg \mathid{u}_2~\rightarrow \mathid{e}_2)~\land(\mathid{e}_1~\land \mathid{e}_2~\rightarrow \neg \mathid{u}_1) \end{mdmathpre}%mdk \]
  • $\forall$: starts. $F \wedge u_1 \wedge u_2 \wedge \overline{e}_1 \wedge \overline{e}_2$ is false.
  • $\exists$: strikes back. $F \wedge u_1 \wedge u_2 \wedge e_1 \wedge \overline{e}_2$ is true.
  • $\forall$: has to backtrack. $F\land u_2 \land e_1 \land \overline{e}_2$ is already forced true.
  • $\forall$: learns $\neg u_2$.
  • $\forall$: $\overline{u}_2 \land F \land u_1 \land \overline{e}_1 \land \overline{e}_2$ is false.
  • $\exists$: counters - $\overline{u}_2 \land F \land u_1 \land \overline{e}_1 \land e_2$ is true.
  • $\forall$: has yet again to consider if it can change its guess for $u_1$. But $\overline{u}_2 \land \neg F \land \overline{e}_1 \land e_2$ is already unsatisfiable. The universal player has to give up and the existential player established that the formula is true.

Summary of approach

  • Two players try to find values

    • $\forall$ - to satisfy $\neg F$
    • $\exists$ - to satisfy $F$

  • Players control their variables

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ fixes value of $x_4$, but can change again it at round $4$,
      • $\forall$ can guess values of of $x_3$ to satisfy $\neg F$.

  • Some play loses at round $i + 2$.

    • Create succinct no-good to strengthen $F$ resp. $\neg F$.
    • Backjump to round $i$ (or below).

Finding small good no-goods

  • Player $\forall$ has lost at round $i+2$

    • Player $\exists$ found a model $M$ at round $i+1$, $M \models F$.

    • $M$ induces an evaluation on a subset of literals $\mathcal{L}$ in $F$, such that $\mathcal{L} \models F$.

    • $\mathcal{L}$ is an unsatisfiable core for $\neg F$.

  • Model Based Projection

    • Find a $\varphi$, such that Any $\varphi \rightarrow \exists x_{i+1}, x_{i+2}, \ldots \mathcal{L}$.

      • $\varphi$ should be weak.
      • $\varphi$ should be cheap to find.

    • Then $\neg \varphi$ can block $\mathcal{L}$.

    • Idea: Use $M$ to find a sufficient $\varphi$.

Model-based Projection

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\emptyset,~\varphi)~~~~~~~~=~~\varphi \\ \Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi)~~~~~~~~~=~~\Mbp\left(\mathid{M},~\vec{\mathid{x}},~\bigwedge \{~\mathid{sign}(\mathid{M},~\mathid{a})~\;\mid\;~\mathid{a}~\mbox{ is an atom in }~\varphi \}\right)~\\ \Mbp(\mathid{M},~\mathid{x}\vec{\mathid{x}},~\varphi)~~~~~~~=~~\Mbp(\mathid{M},~\mathid{x},~\Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi))~\\ \Mbp(\mathid{M},~\mathid{x},~\varphi \land \psi)~~=~~\Mbp(\mathid{M},~\mathid{x},~\varphi)~\land \psi \quad\quad \mathid{if}~\mathid{x}~\not\in \mathid{FV}(\psi)~ \end{mdmathpre}%mdk \]
   def sign(M,a): if M(a) return a else return $\neg$a

Model-based Projection for LRA

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\simeq \mathid{t}~\land \mathid{L})~~=~~\mathid{L}[\mathid{t}/\mathid{x}]~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\not\simeq \mathid{t}~\land \mathid{L})~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\geq \mathid{t}~+~\epsilon \land \mathid{L})~\quad \mbox{if}\quad \mathid{M}(\mathid{x})~>~\mathid{M}(\mathid{t})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\not\simeq \mathid{t}~\land \mathid{L})~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{x}~+~\epsilon \leq \mathid{t}~\land \mathid{L})~\quad \mbox{if}\quad \mathid{M}(\mathid{x})~<~\mathid{M}(\mathid{t})~\\ \Mbp(\mathid{M},~\mathid{x},~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{x}~\land \bigwedge_\mathid{j}~\mathid{x}~\leq \mathid{s}_\mathid{j})~=~~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{t}_0~\land \bigwedge_\mathid{j}~\mathid{t}_0~\leq \mathid{s}_\mathid{j}~\\\\ \mdmathindent{13}\mathid{where}~\mathid{M}(\mathid{t}_0)~\geq \mathid{M}(\mathid{t}_\mathid{i})~\forall \mathid{i} \end{mdmathpre}%mdk \]

Model-based Projection for LIA

\[\begin{array}{l} \Mbp(M, x, \bigwedge_{i=1}^n d_i \mid (a_i x + t_i) \land L) = \\ \quad\quad\quad \Mbp\left(M, x', L[u + d\cdot x'/x]\right) \land \bigwedge_{i=1}^n d_i \mid (a_i u + t_i) \\ \\ \Mbp(M, x, \bigwedge_i t_i \leq a_ix \land \bigwedge_j b_jx \leq s_j) = \\ \quad\quad\quad \bigwedge_i t_i a_0 \leq t_0 a_i \land \bigwedge_j s_j b_0 \geq s_0 b_j \wedge resolve(M, a_0x \leq t_0, b_0 x \geq s_0) \\ \quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad \mathrm{if} M(t_0/a_0) \leq M(t_i/a_i), \forall i. \\ \quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad \mathrm{if} M(s_0/b_0) \geq M(s_j/b_j), \forall j. \\ \end{array} \]
\[\begin{mdmathpre}%mdk \mathid{resolve}(\mathid{M},~\mathid{ax}~\leq \mathid{t},~\mathid{bx}~\geq \mathid{s})~=~\\ \mdmathindent{4}\mathid{as}~+~(\mathid{a}-1)(\mathid{b}-1)~\leq \mathid{bt}~\ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\mathid{if}~~(\mathid{a}-1)(\mathid{b}-1)~\leq \mathid{M}(\mathid{bt}-\mathid{as})~~\\ \mdmathindent{4}\mathid{as}~\leq \mathid{bt}~\land \mathid{b}~|~(\mathid{s}~+~\mathid{d})~\land \mathid{a}(\mathid{s}+\mathid{d})~\leq \mathid{bt})~~~~~~~\mathid{elif}~~\mathid{a}~\geq \mathid{b},~\mathid{d}~:=~\mathid{M}(-\mathid{s})~\mod \mathid{b}~\\ \mdmathindent{4}\mathid{as}~\leq \mathid{bt}~\land \mathid{a}~|~(\mathid{t}~-~\mathid{d})~\land \mathid{as}~\leq \mathid{b}(\mathid{t}-\mathid{d})~~~~~~~~\mathid{else}~~\mathid{b}~>~\mathid{a},~\mathid{d}~:=~\mathid{M}(\mathid{t})~\mod \mathid{a} \end{mdmathpre}%mdk \]

Model-based Projection for Term Algebras - Sketch

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},\mathid{s})~\simeq \mathid{u}~\land \mathid{L})~~=~~\\ \mdmathindent{5}\mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{t}~\simeq \mathit{car}(\mathid{u})~\land \mathid{s}~\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\simeq \mathid{x}~\land \mathid{L})~~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{L})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{u}~\simeq \mathid{x}~\land \mathid{L})~~=~~\mathid{L}[\mathid{u}/\mathid{x}]~\\ \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{s}~\not\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L})~\\ \mdmathindent{16}\mathid{if}~\mathid{M}(\mathid{s})~\neq \mathid{M}(\mathit{cdr}(\mathid{u})),~\mathid{M}(\mathit{cons?}(\mathid{u}))~\\ \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{t}~\not\simeq \mathit{car}(\mathid{u})~\land \mathid{L})~\\ \mdmathindent{16}\mathid{if}~~\mathid{M}(\mathid{t})~\neq \mathid{M}(\mathit{car}(\mathid{u})),~\mathid{M}(\mathit{cons?}(\mathid{u}))~\\ \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\neg \mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{L})~\quad\mbox{if}\quad \mathid{M}(\neg\mathit{cons?}(\mathid{u}))\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{t}_1~\not\simeq \mathid{x}~\land \ldots \land \mathid{t}_\mathid{n}~\not\simeq \mathid{x})~~=~~\top \end{mdmathpre}%mdk \]

Model-based projection for NRA

  • Theory: Non-linear polynomial arithmetic

  • Partial CAD - model-based projection [30]

    • Given model $M$, such that $M \models \forall x \ . \ p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$
    • Find $q_1, \ldots, q_k$, such that
      • $q_1(y) < 0 \vee \ldots \vee q_k(y) > 0 \vee p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$ is valid
      • $M \models q_1(y) \geq 0 \wedge \ldots \wedge q_k(y) \leq 0$

  • CAD decomposes $R^n$ into sign-invariant cylinders.

  • Choose the cylinder where $M$ is a member.

Model-based projections, two lenses

Sat based MBP:

  • Given: $M \models \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $ \models (s_1 \wedge\ldots \wedge s_m) \rightarrow \exists x \ . \ \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

Contrast this with Core-based MBP:

  • Given: $M \models \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$.

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $\models (s_1 \wedge \ldots \wedge s_m) \rightarrow \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$

Claim: the two compute the same solutions if the projection operators are independent of the value of $x$.

Initialization

\[\begin{mdmathpre}%mdk \mdmathindent{4}\exists \mathid{x}_{1},~\forall \mathid{x}_{2},~\exists \mathid{x}_{3},~\forall \mathid{x}_{4},~….,~\mathid{Q}~\mathid{x}_{\mathid{n}}~\mathid{F}[\mathid{x}_{1},~\mathid{x}_{2},~\ldots]\\ \mathid{Initialize}:\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \mathid{F}~~~~~~~~~~~\mathid{if}~\mathid{j}~\mathid{is}~\mathid{odd}\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \neg \mathid{F}~~~~~~~~\mathid{if}~\mathid{j}~\mathid{is}~\mathid{even} \end{mdmathpre}%mdk \]
   def level(j,a): return max level of bound variable in atom a of parity j
\[\begin{mdmathpre}%mdk \mdmathindent{3}\mathid{level}(1,~\mathid{z}~\geq 0)~=~\mathid{level}(3,~\mathid{z}~\geq 0)~=~3\\ \mdmathindent{3}\mathid{level}(2,~\mathid{z}~\geq 0)~=~0\\ \mdmathindent{3}\mathid{in}~\exists \mathid{x}~\forall \mathid{y}~\exists \mathid{z}~\mathid{z}~\geq 0~\land ((\mathid{x}~\geq 0~\land \mathid{y}~\geq 0)~\vee \mathid{y}~+~\mathid{z}~\leq 1) \end{mdmathpre}%mdk \]

Property Directed QSAT Algorithm

  def strategy(M,j): return $\bigwedge_{M \neq null, a \in Atoms, level(j, a) < j} sign(M,a) $
  def tailv(j): return $x_{j-1},x_j,x_{j+1},\ldots$
    
  j = 1
  M = null
  while True:
    if $F_{j}\ \ \wedge$ strategy(M, j) is unsat:
      if j == 1: 
        return F is unsat
      if j == 2:
        return F is sat
      C = Core($F_j$, strategy(M, j))
      J = Mbp(tailv(j), C)
      j = index of max variable in J $\cup\ \{ 1, 2 \}$ of same parity as j      
      $F_j$ = $F_j \wedge \neg $J
      M = null
    else:
      M = current model
      j = j + 1

Finding strategies

  • Other main ingredient of QSAT is option for players to narrow options of opponents by revealing a strategy

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ can make $x_4$ a function of $x_3$.

  • Developing practical strategies is work in progress

    • For QBF can use Q-resolution proofs as guide [10]

Programming Z3

Programmatic Interface

Solver methods 

s = Solver()


s.add($\varphi$)
s.assert_and_track($\varphi, \ell$)

s.push()
s.pop()

s.check()
s.check($[\ell_1,\ldots, \ell_n]$)

s.model()
s.proof()
s.unsat_core()   

s.statistics()


  • Create a solver

  • Add assertion to solver state

  • Create local scopes

  • Check satisfiability

  • Retrieve models, proofs, cores

  • Additional information

Assertions

Solver methods 

s.add($\varphi$)
s.assert_and_track($\varphi, \ell$)



Assert $\varphi$ to the solver state. Optionally, track the assertion $\varphi$ by a literal $\ell$.

Unsatisfiable cores contain tracked literals.

Scopes

Solver methods 

s.push()

s.pop()



Add or remove a scope from the solver.

Assertions added within a scope are removed when the scope is popped.

Check Satisfiability

Solver methods 

s.check()

s.check($[\ell_1,\ldots, \ell_n]$)


Is the solver state satisfiable?

Is the solver state satisfiable modulo the assumption literals $\ell_1, \ldots, \ell_n$.

The solver state is the conjunction of assumption literals and assertions that have been added to the solver in the current scope.

Certificates

Methods 


s.model()

s.proof()

s.unsat_core()


An interpretation satisfying current constraints.

A proof term certifying unsatisfiability of constraints.

A subset of assumptions/tracked assertions that suffice to establish unsatisfiability.

Cores, Correction Sets, Satisfying Assignments

  • (M)US (Minimal) unsatisfiable subset

    • (minimal) subset of assertions that are unsatisfiable. Also known as a core

  • (M)SS (Maximal) satisfiable subset

    • (maximal) subset of assertions that are satisfiable.

  • (M)CS (Minimal) correction set

    • complement of an (M)SS.

  • (Prime) implicant

    • $m \Rightarrow \phi$ iff $m$ is a core for $\neg \phi$.

A Duality: MUS $\sim$ MCS [49]

Reiter

All Cores and Correction Sets [34]


  • Given $\varphi_1, \ldots, \varphi_n$
    • Find all min unsat cores
    • Find all max satisfying subsets
  • Generate subset $S \subseteq \{1,\ldots, n\}$
    • Not a superset of old core
    • Not a subset of old sat subset
  • Is $\bigwedge_{j \in S} \varphi_j$ satisfiable?
    • If yes, find max sat $S' \supseteq S$
    • If no, find min unsat $S' \subseteq S$
  • Block $S'$ from next iteration
 


def ff(s, p): 
    return is_false(s.model().eval(p))

def marco(s, ps):
    map = Solver()
    while map.check() == sat:
        seed = {p for p in ps if not ff(map, p)}
        if s.check(seed) == sat:
           mss = get_mss(s, seed, ps)
           map.add(Or(ps - mss))
           yield "MSS", mss
        else:
           mus = get_mus(s, seed)
           map.add(Not(And(mus)))
           yield "MUS", mus

Maximizing Satisfying Assignments [39]

def tt(s, f): 
    return is_true(s.model().eval(f))

def get_mss(s, mss, ps):
    ps = ps - mss
    backbones = set([])
    while len(ps) > 0:
       p = ps.pop()
       if sat == s.check(mss | backbones | { p }):
          mss = mss | { p } | { q for q in ps if tt(s, q) }
          ps  = ps - mss
       else:
          backbones = backbones | { Not(p) }
    return mss

Minimizing Cores [2, 15, 31, 36]

Use built-in core minimization: 

s.set("sat.core.minimize","true")  # For Bit-vector theories
s.set("smt.core.minimize","true")  # For general SMT

Or roll your own: 

def quick_explain(s, mus):
    return qx(s, mus, set([]), False)

def qx(s, mus, S, has_support):
    if has_support:
       if s.check(S) == unsat:
          return set([]), { l for l in s.unsat_core() }
    if len(mus) == 1:
       return S, mus    
    mus1, mus2 = split(mus)
    mus2, S = qx(s, mus2, S | mus1, {} != mus1)
    mus1 = S & mus1
    mus2, S = qx(s, mus1, S | mus2 - mus1, {} != mus2)
    return S & mus, S - mus2
    
def split(S1):
    S1, S2 = S1.copy(), set([])
    for i in range(len(S1)/2):
        S2 |= { S1.pop() }
    return S1, S2

s = Solver()
a, b, c, d, e = Bools('a b c d e')
s.add(Or(a, b))
s.add(Or(Not(a), Not(b)))
s.add(Or(b, c))
s.add(Or(Not(c), Not(a)))

print s.check([a,b,c,d,e])
print s.unsat_core()

mus, S = quick_explain(s, {a,b,c,d})

All maximal satisfying sets (basic)

def all_mss(s, ps):
    while sat == s.check():
        mss = get_mss(s, { p for p in ps if tt(s, p) }, ps)
        s.add(Or(ps - mss))
        yield "MSS", mss
  • Inefficiency: Same unsat cores may be revisited.

All Correction Sets

Find all satisfying subsets among $\varphi_1, \ldots, \varphi_n$:

  • Initialize: $F_1 \leftarrow \varphi_1, \ldots, F_n \leftarrow \varphi_n$, $F \leftarrow \top$.
  • While $F$ is sat:
    • If $F \wedge F_1\wedge \ldots\wedge F_n$ is sat with model $M$
      • $\{ \varphi_j \mid M(\varphi_j) = \top \}$ is mss.
      • $F \leftarrow F \wedge \bigvee \{ \varphi_j \;\mid\; M(\varphi_j) = \bot \}$ add mcs
    • Else suppose $F_1,\ldots, F_k$ is a core
      • Replace by $F'_1, \ldots, F'_{k-1}$:
      • $F'_1 \leftarrow F_1 \vee F_2$, $F'_2 \leftarrow F_3 \vee (F_2 \wedge F_1)$,
        $\ldots$, $F'_{k-1} \leftarrow F_k \vee (F_{k-1} \wedge \ldots)$.

Optimization $\nu{Z}$

Three main SMT extensions 


    (maximize (+ x (* 2 y)))


    (minimize (bvadd u v))




    (assert-soft (> x y) :weight 4)


  • Maximize objective

    • linear arithmetic

  • Minimize objective

    • bit-vector

  • Add a soft constraint

    • optional weight

Soft constraints as 0-1 optimization

Equilvalent formulations 

   (assert-soft $\varphi$ :weight 3)
   (assert-soft $\psi$ :weight 4)
 
   (minimize (+ (if $\varphi$ 0 3) (if $\psi$ 0 4)))

Multiple Objectives
Box$(x,y)$ $v_x := \max \{ x \mid \varphi(x,y) \}$
$v_y := \max \{ y \mid \varphi(x,y) \}$
Lex$(x,y)$ $v_x := \max \{ x \mid \varphi(x,y) \}$
$v_y := \max \{ y \mid \varphi(v_x,y) \}$
Pareto$(x,y)$ $\left\{ (v_x, v_y) \mid \begin{array}{l}\varphi(v_x,v_y),\ \forall x, y . \\ \varphi(x,y) \rightarrow x \leq v_x \vee y \leq v_y \end{array}\right\}$

Optimization as an extension of core SMT solving

sysdiagram

Optimization Extensions

  • MaxSAT solver

  • Primal simplex optimization

    • Applied on feasible tableau

Basic Iterative Optimization

\begin{minipage}{1\linewidth} \begin{algorithm}[H] \normalsize \KwIn{Objective $t$ to maximize} \normalsize \KwIn{Formula $F$} \KwOut{Maximal value $v$, such that $v = t \land F$ is satisfiable} $v \leftarrow -\infty$ \\ \While{$F$ is satisfiable}{ Let $L$ be a set of literals (from $F$) that imply $F$. \\ \If{$t$ is unbounded in $L$} { \Return{$\infty$} } Let $M$ be an interpretation that satisfies $L$ and maximizes $t$ \\ $v \leftarrow \max(v, M(t))$ \\ $F \leftarrow F \land t > v \land \neg \bigwedge L$ \\ } \Return{$v$} \end{algorithm} \end{minipage}

Unbounded values and non-standard arithmetic

  • Local optimization over $L$ can determine if $t$ is unbounded

    • This is mostly enough

  • Alternatively use extended number field

    • Variables take values of form: $a\epsilon + b + c\infty$, where $a, b, c \in R$
    • Check if $F \wedge t \geq \infty$ is satisfiable

Pareto optimization [48]

\begin{algorithm}[H] \normalsize \KwIn{Objectives $t_1, t_2$ to maximize} \normalsize \KwIn{Formula $F$} \KwOut{Pareto maximal front} \While{$F$ is satisfiable}{ $G \leftarrow F$ \\ \While{$G$ is satisfiable}{ Let $L$ be a set of literals (from $G$) that imply $G$. \\ \If{either $t_1$ or $t_2$ is unbounded in $L$} { \Return{} } Let $M$ be an interpretation that satisfies $L$ and maximizes $t_1$ or $t_2$ \\ $v_1 \leftarrow M(t_1), v_2 \leftarrow M(t_2)$ \\ $G \leftarrow G \land t_1 \geq v_1 \land t_2 \geq v_2 \land (t_1 > v_1 \lor t_2 > v_2)$ \\ } $F \leftarrow F \land (t_1 > v_1 \lor t_2 > v_2)$ \\ {\bf yield} $\langle v_1, v_2 \rangle$ } \end{algorithm}

Box optimization [35]

\begin{algorithm}[H] \normalsize \KwIn{Objectives $t_1, t_2$ to maximize} \normalsize \KwIn{Formula $F$} \KwOut{Box-maximal front} $v_1 \leftarrow -\infty, v_2 \leftarrow -\infty$ \\ \While{$F$ is satisfiable}{ Let $L$ be a set of literals (from $F$) that imply $F$. \\ Let $M$ be an interpretation that satisfies $L$ and maximizes $t_1, t_2$ \\ $v_1 \leftarrow \max(v_1, M(t_1))$ \\ $v_2 \leftarrow \max(v_2, M(t_2))$ \\ $F \leftarrow F \land (t_1 > v_1 \lor t_2 > v_2) \land \neg \bigwedge L$ \\ } \Return{$\langle v_1, v_2\rangle$} \end{algorithm}

We assume $M(t) = \infty$ if $t$ is unbounded, so $t > \infty \equiv \false$.

Optimizer Interface

Optimization methods 

opt = Optimize()

opt.add($\varphi$)

opt.add_soft($\varphi$)
opt.add_soft($\varphi$, $weight$, $id$)

opt.maximize($t$)
opt.minimize($t$)

opt.check()

opt.model()

opt.fron_file($file.smt2$)
opt.fron_string($smt2\ spec$)
opt.sexpr()     # prints smt2 spec
opt.statistics()


  • Create an optimization solver

  • Add formula to solver state

  • Add soft constraints
  • Add optimization objectives

  • Check satisfiability

  • Retrieve models, proofs, cores

  • Additional information

Optimizing Assertions

x, y = Ints('x y')
opt = Optimize()
opt.set(priority='pareto')
opt.add(x + y == 10, x >= 0, y >= 0)
mx = opt.maximize(x)
my = opt.maximize(y)
while opt.check() == sat:
    print mx.value(), my.value()

MaxSMT

  • Typical definition: Minimize the number of violated soft assertions.

  • Is built-in, based on MaxSAT algorithms.

MaxSAT example

(declare-const a Bool)
(declare-const b Bool)
(declare-const c Bool)
(assert-soft a :weight 1)
(assert-soft b :weight 2)
(assert-soft c :weight 3)
(assert (= a c))
(assert (not (and a b)))
(check-sat)
(get-model)

MaxSAT with Cores [44]

A: $F, \underbrace{F_1, F_2, F_3, F_4 }_{core}, F_5$

A': $F, \ F_2 \vee F_1, F_3 \vee (F_2 \wedge F_1), F_4 \vee (F_3 \wedge (F_2 \wedge F_1)), F_5$

Lemma: for any model $M$ of $F$, $cost(M, A) = 1 + cost(M, A')$

Proof: $M(F_j) = \bot, j$ min: $ M(F'_i) = M(F_{i+1}) \vee i = j + 1, \forall i$

MaxSAT with Cores (python)

def add_def(s, fml):
    name = Bool("%s" % fml)
    s.add(name == fml)
    return name

def relax_core(s, core, Fs):
    prefix = BoolVal(True)
    Fs -= { f for f in core }
    for i in range(len(core)-1):
        prefix = add_def(s, And(core[i], prefix))
        Fs |= { add_def(s, Or(prefix, core[i+1])) }

def maxsat(s, Fs):
    cost = 0
    Fs0 = Fs.copy()
    while unsat == s.check(Fs):
        cost += 1
        relax_core(s, s.unsat_core(), Fs)    
    return cost, { f for f in Fs0 if tt(s, f) }

MaxSAT with MCS [12]

A: $F, \underbrace{F_1, F_2, F_3, F_4 }_{\mbox{correction set}}, F_5$

A': $\underbrace{ F \wedge (F_1 \vee F_2 \vee F_3 \vee F_4) }_{F`},$
$F_2 \wedge F_1,\ F_3 \wedge (F_2 \vee F_1), \ F_4 \wedge (F_3 \vee (F_2 \vee F_1)), \ F_5$

Lemma: for any model $M$ of $F'$, $cost(M, A) = cost(M, A')$

Proof: $M(F_j) = \top, j$ min:     $ M(F'_i) = M(F_{i+1}) \wedge (i \neq j \vee j = 1), \forall i$

MaxSAT with MCS (python)

def relax_mcs(s, mcs, Fs):
    prefix = BoolVal(False)
    Fs -= { f for f in mcs }
    s.add(Or(mcs))
    for i in range(len(mcs)-1):
        prefix = add_def(s, Or(mcs[i], prefix))
        Fs |= { add_def(s, And(prefix, mcs[i+1])) }

def maxsat(s, Fs0):
    Fs = Fs0.copy()
    cost = len(Fs)
    while s.check() == sat:
        mss = { f for f in Fs if tt(s, f) }
        model1 = get_mss(s, mss, Fs)
        mcs = Fs - mss
        if cost > len(mcs):
           cost = len(mcs)
           model = model1
        relax_mcs(s, [ f for f in mcs ], Fs)
    return cost, [ f for f in Fs0 if is_true(model.eval(f)) ]

MCS alone is inefficient. In [12] we combine MUS and MCS steps.

Backbones

  • Find all unit literals

  • Useful for finding fixed parameters [29]

  • Generalizes to Horn consequences:

    • Under assumptions $\mathcal{A}$
    • find unit literals
    • explained by subset of $\mathcal{A}$

Scoped Consequences

def scoped_consequence(phi, assumptions, terms):
    s = Solver()
    s.add(phi)
    if s.check(assumptions) == unsat:
        return unsat
    model = s.model()
    for t in terms:
        val = model.eval(t)
        s.push()
        s.add(t != val)
        if s.check(assumptions) == unsat:
            print Implies(And(s.unsat_core()), t == val)
        s.pop()
scoped_consequence(And(Implies(a, b), Implies(b, c)), [a,d], [b,c,d])
  
Implies(And(a), b == True)
Implies(And(a), c == True)
Implies(And(d), d == True)

Consequences From Assumptions

def assumption_consequence(phi, assumptions, ps):
    s = Solver()
    s.add(phi)
    if s.check(assumptions) == unsat:
        return unsat
    model = s.model()
    for p in ps:
        if is_true(model.eval(p)):
            np = Not(p)
            p = p
        else:
            np = p
            p = Not(p)
        if s.check(assumptions + [np]) == unsat:
            core = [a for a in s.unsat_core() if not eq(a, np)]
            print Implies(And(core), p)

Consequences from CDCL

def builtin_consequences(phi, assumptions, terms):
    s = Solver()
    s.add(phi)
    return s.consequences(assumptions, terms)
print builtin_consequences(And(Implies(a, b), Implies(b, c)), [a, d], [b, c, d])

Built-in consequence finding can be 100x faster than soft-coded versions.

Consequences from CDCL (algorithm)

  • Add assumptions at level 1.
  • Run CDCL.
  • Remove $terms$ that are fixed by unit literals at level 1.
  • Let $v \leftarrow $ current model
  • While $t \in terms \neq \{\}$

    • assert $t \neq v(t)$ at level 2.

    • Run CDCL.
    • If $t = v(t)$ is asserted above level 1, then repeat loop.
    • If $t \neq v(t)$ is asserted, then $terms \leftarrow terms\setminus \{t\}$
    • Remove $terms$ that are fixed by unit literals at level 1.
    • Optionally,
      • $v' \leftarrow $ current model
      • $terms \leftarrow \{ t \in terms \mid v(t) = v'(t)\}$

Implied Equalities [4]

Monadic Decomposition [51]

  • Given formula $\varphi[x,y]$ find smallest set of formulas $\psi_i[x], \theta_i[y]$ such that

    • $\varphi[x,y] \quad \equiv \quad \bigvee_i \psi_i[x] \wedge \theta_i[y]$

Interpolants [37]

Horn Clauses [2527, 38]

From Programs to Horn Clauses [8]

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

Horn Clause Interface

Fixedpoint methods 

fp = Fixedpoint()

fp.add($\varphi$)
fp.add_rule()

fp.push()
fp.pop()

fp.query()

fp.model()
fp.proof()

fp.statistics()


  • Create a solver

  • Add assertion to solver state

  • Create local scopes

  • Check satisfiability

  • Retrieve models, proofs, cores

  • Additional information

Horn Clause Engines

  • PDR - IC3 inspired engine [26].
  • Duality - Interpolation based [38].
    • Use Duality or PDR if your Horn clauses use arithmetic variables.
  • Datalog - Bottom-up stratified Datalog engine for finite domains [27].
    • Use Datalog backened for Horn clauses over finite domains: bit-vectors and Booleans.
  • BMC - Bounded model checking, Tabulation, Symbolic Execution
    • Use BMC to unfold Horn clauses a la bounded model checking.

PDR/IC3 based Horn Clause Solving

SeaHorn

IC3

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[ R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}] \]

IC3 recap

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until

  • Induction For $0 \leq i < N$, a clause $(\varphi \lor\psi)\ \in R_i$, $\varphi\not\in R_{i+1}$, if $\cF(R_i \wedge \varphi)\rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for each $j \leq i + 1$.

IC3 beyond SAT

Decide - Generalized form

Decide Add $\langle m_0[\vec{x}], i\rangle$ to $\Queue$ if $\langle m[\vec{x}], i+1\rangle \in \Queue$, $m' \land m_0[\vec{x}_0] \ \rightarrow \ \cF(R_{i})[\vec{x}_0,\vec{x}] \land m$.

  • [14, 22] Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ gives (near prime implicant) $m_0$.
  • [26] Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignment $m_0$.
  • [18, 32] Partial quantifier elimination.
  • [33] $(\exists\vec{x} \ . \ m \land \cF(R_{i})[\vec{x}_0,\vec{x}]) \ \equiv\ \bigvee_i \psi_i[\vec{x}_0]$ where $\psi_i$ are quantifier-free. Use model for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ to compute $\psi_i$ without expanding full disjunction.
  • [19, 28] Keep vocabulary of literals fixed (= predicate abstraction).

Loos-Weispfenning QE

  • $\varphi$ in NNF
  • $E$ set of $x = t$ atoms in $\varphi$
  • $L$ set of $x > s$ atoms in $\varphi$
  • $U$ set of $x < t$ atoms in $\varphi$
  • there are no other occurrences of $x$ in $\varphi[x]$

\[\exists x \ . \ \varphi[x] \equiv \varphi[\infty] \vee \bigvee_{(x = t) \in E} \varphi[t] \vee \bigvee_{(x < t) \in U} \varphi[t - \epsilon] \]

  • Note: $(x < t')[t - \epsilon] \equiv t \leq t'$
  • Pick disjunction corresponding to satisfied equality or inequality.

Decide - Generalized form (II)

Pssst: I am replacing $m, m_0, m'$ by greek letters.

  • Decide Add $\langle \phidown[\vec{x}], i\rangle$ to $\Queue$, if
    • $\langle \varphi[\vec{x}], i+1\rangle \in \Queue$,
    • $\phidown[\vec{x}_0] \wedge \theta[\vec{x}]$ is consistent,
    • $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$, and
    • $\phidown[\vec{x}_0] \land \theta[\vec{x}] \ \rightarrow\ \cF(R_{i})(\vec{x}_0,\vec{x})$

Interpolating Conflict

Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that $\neg\varphi\subseteq m$, if $\cF(R_i \land \varphi) \rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Note: $(\neg\varphi\subseteq m)$ $\equiv$ $(\varphi \rightarrow \neg m)$.
  • By monotonicity: $(\cF(R_i) \rightarrow \varphi) \ \rightarrow \ (\cF(R_i \land \varphi) \rightarrow \varphi)$.
  • Interpolation as special case: $\cF(R_i) \rightarrow \varphi, \varphi \rightarrow \neg m.$
  • Overkill for SAT (use unsat core), but for SMT may supply candidate predicates.
  • For conjunction of inequalities $m$, interpolation is “simple”.

Farkas+T Lemmas

  • $m$ is conjunction of inequalities $x \geq 6 \land y \geq 7 \land \ldots$
  • $\cF(R_i)$ is quantifier-fee formula
  • $\cF(R_i) \land m$ is unsat
  • Let $C$ be a conflict that contains literals from $m$: $C := C_m \land C'$
  • Let $r := r_m r'$ be Farkas coefficients
  • So $r\cdot C \equiv 1 < 0$
  • So $m \rightarrow \neg r'C'$
  • Return $\bigwedge \neg r'_iC'_i$ instead of $m$

Interpolating Conflict (II)

Conflict Let $0 \leq i < N$: given a candidate model $\langle \varphi, i+1\rangle\in\Queue$ and a formula $\phiup$, such that $\cF(R_i) \to \phiup$, $\phiup \to \neg \varphi$, then conjoin $\phiup$ to $R_{j}$, for $j \leq i + 1$.

Branching

DAG Branching

Recall predicate transformer for McCarthy91:

$\cF(R_i)[x,z,r] := (x > 100 \land r = x - 10) \lor (x \leq 100 \land R_i(x+11,z) \land R_i(z,r))$


Decide now spawns two children.

Decide If $\langle \varphi[\vec{x}], i+1\rangle \in \Queue$ and there are consistent $\phidown[\vec{x}_0] \land \psidown[\vec{x}_1] \land \theta[\vec{x}]$ such that $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$ and $\phidown[\vec{x}_0] \land \psidown[\vec{x}_1] \land \theta[\vec{x}] \ \rightarrow\ \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$, then add $\langle \phidown[\vec{x}], i\rangle$, $\langle \psidown[\vec{x}], i\rangle$ to $\Queue$.

Searching a DAG

We also have to take DAG unfolding into acount.

Base Mark $\langle \varphi[\vec{x}], i\rangle \in \Queue$ if $i = 0$ or if there is a consistent $\theta[\vec{x}]$ such that $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$ and $\theta[\vec{x}] \ \rightarrow\ \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$.
Close Mark $\langle \varphi[\vec{x}], i+1\rangle$ if all children are marked.
Reachable If $\langle \varphi, 0 \rangle$ is marked, return Reachable.

Searching a DAG

  • Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$ gives us $\phidown, \psidown$.
  • Idea: Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignments.
  • Effect: models explored in branches are far from prime $\Rightarrow$ lemmas become too weak.

Search with Under-approximations [33]

  • Instead of tracking progress using marking use under approximations.
  • Maintain $U_0 := \false, U_1, U_2, \ldots, U_N$ of under approximations.
  • Recall that $R_0 := \false, R_1, R_2, \ldots, R_N$ are over approximations.
  • Satisfying
    • $R_i \leftarrow U_i \rightarrow U_{i+1} \rightarrow \cF(U_i)$.

Search with Under-approximations

Decide and Conflict pushing a goal $\langle \varphi, i+1 \rangle$ over $\cF(\_,\_)$

\[\xymatrix @-0.5em{ & \cF(R_i,R_i) \\ \cF(U_i,R_i) \ar[ur] & & \cF(R_i,U_i) \ar[ul] \\ & \cF(U_i,U_i) \ar[ul] \ar[ur] } \]
  • If $\varphi \land \cF(R_i,R_i) \equiv \bot$, then goal cannot be reached.
  • If $\varphi \land \cF(U_i,U_i) \not\equiv \bot$, then goal can be reached.
  • Otherwise case split on $\varphi \land \cF(U_i,R_i)$.

Search with Under-approximations

Reachable If $U_N \land \neg\Safe$ is satisfiable, then return Reachable.
Decide$_1$ For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, add $\langle \phidown, i\rangle$ to $\Queue$ if:
- $\cF(U_i, U_i) \land \varphi \equiv \bot$.
- $\cF(R_i, U_i) \land \varphi \not\equiv \bot$.
- $\phidown[\vec{x}_0] \rightarrow \exists \vec{x}_1, \vec{x} \ . \ \cF(R_i,U_i) \land \varphi$ 
- $\phidown$ is disjoint from $\psi$ for every $\langle \psi, i\rangle \in \Queue$.
Decide$_2$ For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, add $\langle \phidown, i\rangle$ to $\Queue$ if:
- $\cF(R_i, U_i) \land \varphi \equiv \bot$ .
- $\cF(R_i, R_i) \land \varphi \not\equiv \bot$.
- $\phidown[\vec{x}_1] \rightarrow \exists \vec{x}_0, \vec{x} \ . \ \cF(R_i,R_i) \land \varphi$
- $\phidown$ is disjoint from $\psi$ for every $\langle \psi, i\rangle \in \Queue$.
Close For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, if $\cF(U_i,U_i) \land \varphi$ is satisfiable, but $U_{i+1} \land \varphi$ is unsatsifiable, then update $U_{i+1} := U_{i+1} \ \lor \ \psi$, where $\psi \ \rightarrow \ \exists \vec{x}_0, \vec{x}_1 \ . \ \cF(U_i,U_i) \land \varphi$.

Recursion-free Horn Clauses

  • Interpolation in standard form is a special case of Horn Clause solving.
    (1)
    \[A(\vec{a},\vec{x}) \rightarrow I(\vec{x}), \ \ \ I(\vec{x}) \rightarrow B(\vec{x},\vec{b}) \]
  • IC3 (sans Inductive Generalization) produces as side-effect solutions that are interpolants.
  • Interpolants are quaint, almost beautiful [1, 3, 17].

Quaint Interpolants [16]


def sign(s, x):
    if tt(s, x):
       return x 
    return Not(x)

def cute(A,B,xs):
    sA = Solver()
    sB = Solver()
    sA.add(A)
    sB.add(B)
    I = []
    while sat == sB.check():
        if unsat == sA.check([ sign(sB, x) for x in xs ]):
           I1 = Not(And(sA.unsat_core()))
           sB.add(I1)
           I += [I1]
        else:
           return None
   return And(I)

Can also be viewed as an iteration of IC3 steps. Generalization to EPR [7].

Duality

McMillan

Stratified Datalog

Bottom-up Datalog in $\mu{Z}$.

  • $p(0,1)$

    • Add row $(0,1)$ to $p$.

  • $p(x,y) \leftarrow q(y,x)$

    • $q' := \mathit{rename}_{[0\mapsto 1,1\mapsto 0]}(q)$
    • $p := p \cup q'$

  • $p(x,y) \leftarrow q(x), r(y).$

    • $p := p \cup \mathit{join}(q,r)$

  • $p(x,y) \leftarrow q(x,y,z)$

    • $p := p \cup \mathit{project}_z(q)$

Bottom-up Datalog in $\mu{Z}$

  • Clauses $\rightarrow$ instructions using relational algebra.
    • join
    • project $z$
    • rename $[0 \mapsto 1, 1\mapsto 0]$
    • select $x = y$, $x = 1$
    • filter $\varphi$
  • For efficiency allow combined operations
    • join-project
    • select-project
  • Implementation depends on table representation.

Network Optimized Datalog NoD

  • Option 1: use BDDs to represent tables.

  • Option 2: build tables from ternary bit-vectors.

    • $0{\color{red}{\ast}}10 \equiv 0{\color{red}{1}}10 \cup 0{\color{red}{0}}10$
    • Table is a union of differences of cubes
      • $0\ast\ast\ast\ast \setminus \{ 010\ast\ast, 001\ast\ast, 0\ast\ast10, 0\ast\ast01\}$
      • Same as 01100, 01111, 00011, 00000

  • Option 3,4,..: Use hash tables, B-trees, bit-maps

    • Work in some pointer-analysis applications, but not for header spaces

Network Optimized Datalog

\begin{picture}(100,70)(-10,0) \thicklines \put(0, 60){$A$} \put(7, 63){\vector(1,0){20}} \put(27, 60){$\router{1}$} \put(37, 63){\vector(1,0){60}} \put(100,60){$\router{2}$} \put(110,63){\vector(1,0){20}} \put(131,60){$B$} \put(32, 59){\vector(2,-3){30}} \put(68, 15){\vector(2, 3){30}} \put(60, 5){$\router{3}$} \put(70, 10){\vector(1,0){30}} \put(105, 5){$D$} \end{picture} $ \begin{array}{lllll} \mathit{in} & dst & src & \mathit{rewrite} & \mathit{out} \\ \hline \router{1} & 10\star & 01\star & & \router{2} \\ \router{1} & 1\star\star & \star\star\star & & \router{3} \\ \hline \router{2} & 10\star & \star\star\star & & B \\ \hline \router{3} & \star\star\star & 1\star\star & & D \\ \router{3} & 1\star\star & \star\star\star & dst[1] := 0 & \router{2} \end{array} $

Network Optimized Datalog

\[\begin{mdmathpre}%mdk \mathid{G}_{12}~~&~:=~&~~~~~~~\dst =~10\star \land\ \src =~01\star \\ \mathid{G}_{13}~~&~:=~&~~~~~~~\neg \mathid{G}_{12}\ \land\ \dst =~1\star\star\\ \mathid{G}_{2\mathid{B}}~~&~:=~&~~~~~~~\dst =~1~0~\star \\ \mathid{G}_{3\mathid{D}}~~&~:=~&~~~~~~~\src =~1\star\star \\ \mathid{G}_{32}~~&~:=~&~~~~~~~\neg \mathid{G}_{3\mathid{D}}~\ \land \ \dst =~1\star\star \\ \mathit{Id}~~&~:=~&~~\src'~=~\src \ \land \ \dst'~=~\dst \\ \mathit{Set0}~&~:=~&~\src'~=~\src \ \land \ \dst'~=~\dst[2]\ 0\ \dst[0]~ \end{mdmathpre}%mdk \]

Network Optimized Datalog

\[\begin{mdmathpre}%mdk \mdmathindent{4}&~&~\mathid{B}(\dst,\src)~\\ \mdmathindent{4}\router{1}(\dst,\src)~&~:-~&~~\mathid{G}_{12}~\land \mathit{Id}~\land \router{2}(\dst',\src')~\\ \mdmathindent{4}\router{1}(\dst,\src)~&~:-~&~~\mathid{G}_{13}~\land \mathit{Id}~\land \router{3}(\dst',\src')~\\ \mdmathindent{4}\router{2}(\dst,\src)~&~:-~&~~\mathid{G}_{2\mathid{B}}~\land \mathit{Id}~\land \mathid{B}(\dst',\src')~\\ \mdmathindent{4}\router{3}(\dst,\src)~&~:-~&~~\mathid{G}_{3\mathid{D}}~\land \mathit{Id}~\land \mathid{D}(\dst',\src')~\\ \mdmathindent{4}\router{3}(\dst,\src)~&~:-~&~~\mathid{G}_{32}~\land \mathit{Set0}~\land \router{2}(\dst',\src')\\ \mdmathindent{4}\mathid{A}(\dst,\src)~~~&~:-~&~~\router{1}(\dst,\src)~\\ \mdmathindent{9}&~?~&~~\mathid{A}(\dst,\src)~ \end{mdmathpre}%mdk \]

Madoko

  • Madoko is a A Fast Scholarly Markdown Processor,
  • intuitive and powerful integration of markdown and LaTeX,
  • browser and Azure based - no installation,
  • immediate preview,
  • real-time collaborative editing,
  • is written in Koka,
  • is by Daan Leijen, Microsoft Research daan

References

[1]Aws Albarghouthi, and Kenneth L. McMillan. “Beautiful Interpolants.” In CAV, 313–329. 2013. 🔎
[2]Fahiem Bacchus, and George Katsirelos. “Using Minimal Correction Sets to More Efficiently Compute Minimal   Unsatisfiable Sets.” In Computer Aided Verification - 27th International Conference, CAV   2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part II, 70–86. 2015. doi:10.1007/978-3-319-21668-3_5🔎
[3]Sam Bayless, Celina Val, Thomas Ball, Holger Hoos, and Alan Hu. “Efficient Modular SAT Solving for IC3.” In FMCAD. 2013. 🔎
[4]Josh Berdine, and Nikolaj Bjørner. “Computing All Implied Equalities via SMT-Based Partition Refinement.” In Automated Reasoning - 7th International Joint Conference, IJCAR   2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 19-22, 2014. Proceedings, 168–183. 2014. doi:10.1007/978-3-319-08587-6_12🔎
[5]Nikolaj Bjørner. “Linear Quantifier-Elimination as an Abstract Decision Procedure.” In IJCAR. 2010. 🔎
[6]Nikolaj Bjørner. “Satisfiability Modulo Theories.” Edited by Javier Esparza, Orna Grumberg, and Salomon Sickert, in Esparza et al. [23]. 2016. 🔎
[7]Nikolaj Bjørner, Arie Gurfinkel, Konstantin Korovin, and Ori Lahav. “Instantiations, Zippers and EPR Interpolation.” In LPAR 2013, 19th International Conference on Logic for Programming,   Artificial Intelligence and Reasoning, December 12-17, 2013, Stellenbosch, South Africa, Short Papers Proceedings, 35–41. 2013. http://​www.​easychair.​org/​publications/?​page=​275044893🔎
[8]Nikolaj Bjørner, Arie Gurfinkel, Kenneth L. McMillan, and Andrey Rybalchenko. “Horn Clause Solvers for Program Verification.” In Fields of Logic and Computation II - Essays Dedicated to Yuri Gurevich   on the Occasion of His 75th Birthday, 24–51. 2015. doi:10.1007/978-3-319-23534-9_2🔎
[9]Nikolaj Bjørner, and Mikolás Janota. “Playing with Alternating Quantifier Satisfaction.” In LPAR Short Presentation Papers. 2015. 🔎
[10]Nikolaj Bjørner, Mikolás Janota, and William Klieber. “On Conflicts and Strategies in QBF.” In 20th International Conferences on Logic for Programming, Artificial   Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, Fiji, November 24-28, 2015., 28–41. 2015. http://​www.​easychair.​org/​publications/​paper/​On_​Conflicts_​and_​Strategies_​in_​QBF🔎
[11]Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. “On Solving Universally Quantified Horn Clauses.” In SAS, 105–125. 2013. 🔎
[12]Nikolaj Bjørner, and Nina Narodytska. “Maximum Satisfiability Using Cores and Correction Sets.” In Proceedings of the Twenty-Fourth International Joint Conference on   Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 246–252. 2015. http://​ijcai.​org/​Abstract/​15/​041🔎
[13]Maria Paola Bonacina, Christopher Lynch, and Leonardo Mendonça de Moura. “On Deciding Satisfiability by Theorem Proving with Speculative   Inferences.” J. Autom. Reasoning 47 (2): 161–189. 2011. 🔎
[14]Aaron R. Bradley. “SAT-Based Model Checking without Unrolling.” In VMCAI, 70–87. 2011. 🔎
[15]Aaron R. Bradley, and Zohar Manna. “Checking Safety by Inductive Generalization of Counterexamples to   Induction.” In Formal Methods in Computer-Aided Design, 7th International Conference,   FMCAD 2007, Austin, Texas, USA, November 11-14, 2007, Proceedings, 173–180. 2007. doi:10.1109/FAMCAD.2007.15🔎
[16]Hana Chockler, Alexander Ivrii, and Arie Matsliah. “Computing Interpolants without Proofs.” In Hardware and Software: Verification and Testing - 8th International   Haifa Verification Conference, HVC 2012, Haifa, Israel, November 6-8, 2012. Revised Selected Papers, 72–85. 2012. doi:10.1007/978-3-642-39611-3_12🔎
[17]Hana Chockler, Alexander Ivrii, and Arie Matsliah. “Computing Interpolants without Proofs.” In Hardware and Software: Verification and Testing, edited by Armin Biere, Amir Nahir, and Tanja Vos, 7857:72–85. Lecture Notes in Computer Science. Springer Berlin Heidelberg. 2013. 🔎
[18]Alessandro Cimatti, and Alberto Griggio. “Software Model Checking via IC3.” In CAV, 277–293. 2012. 🔎
[19]Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. “IC3 Modulo Theories via Implicit Predicate Abstraction.” In TACAS, 46–61. 2014. 🔎
[20]M. Davis, G. Logemann, and D. Loveland. “A Machine Program for Theorem Proving.” Communications of the ACM. 1962. 🔎
[21]B. Dutertre, and L. de Moura. “A Fast Linear-Arithmetic Solver for DPLL(T).” In CAV. 2006. 🔎
[22]Niklas Eén, Alan Mishchenko, and Robert K. Brayton. “Efficient Implementation of Property Directed Reachability.” In FMCAD, 125–134. 2011. 🔎
[23]Javier Esparza, Orna Grumberg, and Salomon Sickert, editors. Dependable Software Systems Engineering. Volume 45. NATO Science for Peace and Security Series - D: Information and   Communication Security. IOS Press. 2016. 🔎
[24]Yeting Ge, and Leonardo Mendonça de Moura. “Complete Instantiation for Quantified Formulas in Satisfiabiliby   Modulo Theories.” In CAV, 306–320. 2009. 🔎
[25]Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. “Synthesizing Software Verifiers from Proof Rules.” In ACM SIGPLAN Conference on Programming Language Design and Implementation,   PLDI ’12, Beijing, China - June 11 - 16, 2012, 405–416. 2012. doi:10.1145/2254064.2254112🔎
[26]Krystof Hoder, and Nikolaj Bjørner. “Generalized Property Directed Reachability.” In Theory and Applications of Satisfiability Testing - SAT 2012 - 15th   International Conference, Trento, Italy, June 17-20, 2012. Proceedings, 157–171. 2012. doi:10.1007/978-3-642-31612-8_13🔎
[27]Krystof Hoder, Nikolaj Bjørner, and Leonardo Mendonça de Moura. “μZ- An Efficient Engine for Fixed Points with Constraints.” In Computer Aided Verification - 23rd International Conference, CAV   2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 457–462. 2011. doi:10.1007/978-3-642-22110-1_36🔎
[28]Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, and Aditya V. Thakur. “Property-Directed Shape Analysis.” In CAV, 35–51. 2014. 🔎
[29]Mikolás Janota, Inês Lynce, and Joao Marques-Silva. “Algorithms for Computing Backbones of Propositional Formulae.” AI Commun. 28 (2): 161–177. 2015. doi:10.3233/AIC-140640🔎
[30]Dejan Jovanovic, and Leonardo Mendonça de Moura. “Solving Non-Linear Arithmetic.” In Automated Reasoning - 6th International Joint Conference, IJCAR   2012, Manchester, UK, June 26-29, 2012. Proceedings, 339–354. 2012. doi:10.1007/978-3-642-31365-3_27🔎
[31]Ulrich Junker. “QUICKXPLAIN: Preferred Explanations and Relaxations for Over-Constrained   Problems.” In Proceedings of the Nineteenth National Conference on Artificial Intelligence,   Sixteenth Conference on Innovative Applications of Artificial Intelligence, July 25-29, 2004, San Jose, California, USA, 167–172. 2004. http://​www.​aaai.​org/​Library/​AAAI/​2004/​aaai04-​027.​php🔎
[32]Roland Kindermann, Tommi A. Junttila, and Ilkka Niemelä “SMT-Based Induction Methods for Timed Systems.” In FORMATS, 171–187. 2012. 🔎
[33]Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. “SMT-Based Model Checking for Recursive Programs.” In CAV, 17–34. 2014. 🔎
[34]Mark H Liffiton, Alessandro Previti, Ammar Malik, and Joao Marques-Silva. “Fast, Flexible MUS Enumeration.” Constraints 21 (2). Springer US: 223–250. 2016. 🔎
[35]Yi Li, Aws Albarghouthi, Zachary Kincaid, Arie Gurfinkel, and Marsha Chechik. “Symbolic Optimization with SMT Solvers.” In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of   Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014, 607–618. 2014. doi:10.1145/2535838.2535857🔎
[36]João Marques-Silva, Mikolás Janota, and Anton Belov. “Minimal Sets over Monotone Predicates in Boolean Formulae.” In Computer Aided Verification - 25th International Conference, CAV   2013, Saint Petersburg, Russia, July 13-19, 2013. Proceedings, 592–607. 2013. doi:10.1007/978-3-642-39799-8_39🔎
[37]Kenneth L. McMillan. “Interpolants from Z3 Proofs.” In International Conference on Formal Methods in Computer-Aided Design,   FMCAD ’11, Austin, TX, USA, October 30 - November 02, 2011, 19–27. 2011. http://​dl.​acm.​org/​citation.​cfm?​id=​2157661🔎
[38]Kenneth L. McMillan. “Lazy Annotation Revisited.” In Computer Aided Verification - 26th International Conference, CAV   2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings, 243–259. 2014. doi:10.1007/978-3-319-08867-9_16🔎
[39]Carlos Mencía, Alessandro Previti, and João Marques-Silva. “Literal-Based MCS Extraction.” In Proceedings of the Twenty-Fourth International Joint Conference on   Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 1973–1979. 2015. http://​ijcai.​org/​Abstract/​15/​280🔎
[40]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Efficient E-Matching for SMT Solvers.” In CADE, 183–198. 2007. 🔎
[41]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Engineering DPLL(T) + Saturation.” In IJCAR, 475–490. 2008. 🔎
[42]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Generalized, Efficient Array Decision Procedures.” In Proceedings of 9th International Conference on Formal Methods in Computer-Aided   Design, FMCAD 2009, 15-18 November 2009, Austin, Texas, USA, 45–52. 2009. doi:10.1109/FMCAD.2009.5351142🔎
[43]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Bugs, Moles and Skeletons: Symbolic Reasoning for Software   Development.” In IJCAR, 400–411. 2010. 🔎
[44]Nina Narodytska, and Fahiem Bacchus. “Maximum Satisfiability Using Core-Guided MaxSAT Resolution.” In AAAI 2014, 2717–2723. 2014. 🔎
[45]R. Nieuwenhuis, A. Oliveras, and C. Tinelli. “Solving SAT and SAT Modulo Theories: From an Abstract Davis–Putnam–Logemann–Loveland Procedure to DPLL(T).” J. ACM 53 (6). 2006. 🔎
[46]Anh-Dung Phan, Nikolaj Bjørner, and David Monniaux. “Anatomy of Alternating Quantifier Satisfiability (Work in   Progress).” In SMT-IJCAR, 120–130. 2012. 🔎
[47]Ruzica Piskac, Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Deciding Effectively Propositional Logic Using DPLL and   Substitution Sets.” J. Autom. Reasoning 44 (4): 401–424. 2010. 🔎
[48]Derek Rayside, H.-Christian Estler, and Daniel Jackson. The Guided Improvement Algorithm for Exact, General-Purpose, Many-Objective Combinatorial Optimization. {MIT-CSAIL-TR-2009-033}. Massachusetts Institute of Technology, Cambridge, MA 02139 USA. Jul. 2009. {.bib-url}. 🔎
[49]Raymond Reiter. “A Theory of Diagnosis from First Principles.” Artif. Intell. 32 (1): 57–95. 1987. doi:10.1016/0004-3702(87)90062-2🔎
[50]João P. Marques Silva, and Karem A. Sakallah. “GRASP: A Search Algorithm for Propositional Satisfiability.” IEEE Trans. Computers 48 (5): 506–521. 1999. 🔎
[51]Margus Veanes, Nikolaj Bjørner, Lev Nachmanson, and Lev Berk. “Monadic Decomposition.” In CAV. 2016. 🔎
[52]Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonça de Moura. “Efficiently Solving Quantified Bit-Vector Formulas.” Formal Methods in System Design 42 (1): 3–23. 2013. 🔎