Quantified Satisfiability Modulo Theories

2nd SAT+SMT School, Mysore, December 2017

Nikolaj Bjørner
Microsoft Research

Contents

Z3

  • A state-of-art Satisfiability Modulo Theories (SMT) solver



  • On github: https://github.com/Z3prover/z3.git
    • MIT open source license
    • Developments: Scalable simplex solver, Strings, Horn clauses, floating points, SAT extensions

Some Z3 Applications

  • Program Verification

    • VCC, Everest, Dafny, Havoc, Leon

  • Symbolic Execution

    • SAGE, Pex, KLEE

  • Software Model Checking

    • Static Driver Verifier, Smash, SeaHorn

  • Configurations

    • Network Verification with SecGuru
    • Dynamics Product Configuration

Quantifier Engines in Z3

  • [27] E-matching

  • [5, 11, 29, 36] Model-based Quantifier Instantiation (MBQI)

  • [1, 2, 31] Quantifier Elimination and Satifiability

  • [4, 13] Horn Clauses

  • Deprecated: [32] EPR using relational algebra, [28] Superposition, see also VampireZ3

E-matching and Pattern based quantifier instantiation [27]

  • $\underbrace{(\forall x \ . \ f(g(x,c)) = a)}_{p_\varphi}$

  • $\land b = c \land g(c,b) = c \land f(b) \neq a$

    • Smallest subterm containing $x$: $f({\color{red}g(x,c)}) = a$
    • Use ground equality $b = c$ to match ${\color{red}g(x,c)}$ with $g(c,b)$.

  • $\land (p_{\varphi} \rightarrow f(g(b,c)) = a)$

  • Formulas are ground unsatisfiable.

E-matching - efficiency

  • Secret sauce is to find instantiations
    • quickly,
    • across large sets of terms, and
    • incrementally.

E-matching - basic algorithm

Takes

  • a ground term,
  • a pattern that may contain variables, and
  • a congruence closure structre cc that for each ground term represents an equivalence class of terms that are congruet in the current context.

E-matching - a primer on congruence closure

  • Let $\mathcal{T}$ be a set of terms and $\mathcal{E}$ set of equalities over $\mathcal{T}$.

  • A congruence closure over $\mathcal{T}$ modulo $\mathcal{E}$ is the finest a partition of $\mathcal{T}$, cc, such that:

    • if $s = t \in \mathcal{E}$, then $s, t$ are in the same partition in cc.

    • for $s := f(s_1, \ldots, s_k), t := f(t_1, \ldots, t_k) \in \mathcal{T}$,

      • if $s_i,t_i$ are in same partition of cc for each $i = 1, \ldots k$, then
      • $s, t$ are in the same partition under cc.

    • Convention: $cc: \mathcal{T} \rightarrow 2^{\mathcal{T}}$, maps term to its equivalence class.

E-matching - basic algorithm, code

def match(pattern, term, $\theta$, cc):
    pattern = pattern$\theta$
    if pattern == term:
       yield $\theta$
    elif is_var(pattern):
       yield $\theta[$pattern$\mapsto$ term$]$
    else:
       f(patterns) = pattern
       for f(terms) in cc(term):  
          # e.g., with same head function symbol f
          for $\theta'$ in matches(patterns, terms, $\theta$, cc):
            yield $\theta'$

def matches(patterns, terms, $\theta$, cc):
    if not patterns:
       yield $\theta$
       return
    for $\theta'$ in match(patterns[0], terms[0], $\theta$, cc):
        for $\theta''$ in matches(patterns[1:], terms[1:], $\theta'$, cc):
            yield $\theta''$

E-matching - basic algorithm, equational form

\[\begin{mdmathpre}%mdk \\ \mdmathindent{1}\mathid{match}(\mathid{x},~\mathid{t},~\mathid{S})~~~~~&~~=~~~~&~\{~\theta[\mathid{x}~\mapsto \mathid{t}]~\;\mid\;~\theta \in \mathid{S},~\mathid{x}~\not\in \theta \}~\\ \mdmathindent{20}&~~~~~~~&~\cup \{~\theta \;\mid\;~\theta \in \mathid{S},~\mathid{x}~\in \theta,~\theta(\mathid{x})~\in \mathid{cc}(\mathid{t})~\}\\ \mdmathindent{1}\mathid{match}(\mathid{c},~\mathid{t},~\mathid{S})~~~~~&~~=~~~~&~\emptyset\ ~~~~~~~~~~~~~~~~\mathsf{if}~\mathid{c}~\not\in \mathid{cc}(\mathid{t})\\ \mdmathindent{1}\mathid{match}(\mathid{c},~\mathid{t},~\mathid{S})~~~~~&~~=~~~~&~\mathid{S}~~~~~~~~~~~~~~~~~\mathsf{if}~\mathid{c}~\in \mathid{cc}(\mathid{t})\\ \mdmathindent{1}\mathid{match}(\mathid{f}(\mathid{ps}),~\mathid{t},~\mathid{S})~&~~=~~~~&~\bigcup_{\mathid{f}(\mathid{ts})~\in \mathid{cc}(\mathid{t})}~\mathid{match}(\mathid{ps}_\mathid{n},~\mathid{ts}_\mathid{n},~\ldots,~\\ \mdmathindent{20}&~~~~~~~&~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\mathid{match}(\mathid{ps}_1,~\mathid{ts}_\mathid{n},~\mathid{S})) \end{mdmathpre}%mdk \]

E-matching - beyond the basic algorithm

  • Match is invoked for every pattern in database.
  • To avoid common work:
    • Compile set of patterns into instructions.
      • By partial evaluation of naive algorithm
    • Instruction sequences share common sub-terms.
    • Substitutions are stored in registers,
      backtracking just updates the registers.

E-matching - code trees (0)

\[ f(X, g(X,a), h(Y), b) \]
PC Instruction
$pc_0$ init(f, $pc_1$) add arguments of $f$ to registers 1-4
$pc_1$ check(4,$b$,$pc_2$) check if $reg[4]$ is congruent to $b$
$pc_2$ bind(2, $g$, 5, $pc_3$) bind terms in $reg[2]$ with $g$ to $5-6$
$pc_3$ compare(1, 5, $pc_4$ ) check if $reg[1]$ equals $reg[5]$
$pc_4$ check(6, $a$, $pc_5$) check if $reg[6]$ is congruent to $a$
$pc_5$ bind(3, $h$, 7, $pc_6$) bind terms in $reg[3]$ with $h$ to $7$
$pc_6$ yield(1,7) output binding from $reg[1], reg[7]$

E-matching - code trees (1)

\[ f(X, g(X,a), h(Y), b) \]
PC Instruction $f(h(a),g(h({\color{red}{c}}), a), h(c),b)$
$pc_0$ init(f, $pc_1$) $reg[1:4] \leftarrow h(a), g(h({\color{red}{c}}),a), h(c), b$
$pc_1$ check(4,$b$,$pc_2$) $reg[4] = b$
$pc_2$ bind(2, $g$, 5, $pc_3$) $reg[5:6] \leftarrow h({\color{red}{c}}), a$
$pc_3$ compare(1, 5, $pc_4$ ) $reg[1] = h(a) \neq h({\color{red}{c}}) = reg[5]$
$pc_4$ check(6, $a$, $pc_5$)
$pc_5$ bind(3, $h$, 7, $pc_6$)
$pc_6$ yield(1,7)

E-matching - code trees (2)

\[ f(X, g(X,a), h(Y), b) \]
PC Instruction $f(h(a),g(h({\color{blue}{a}}), a), h(c),b)$
$pc_0$ init(f, $pc_1$) $reg[1:4] \leftarrow h(a), g(h({\color{blue}{a}}),a), h(c), b$
$pc_1$ check(4,$b$,$pc_2$) $reg[4] = b$
$pc_2$ bind(2, $g$, 5, $pc_3$) $reg[5:6] \leftarrow h({\color{blue}{a}}), a$
$pc_3$ compare(1, 5, $pc_4$ ) $reg[1] = h(a) = h({\color{blue}{a}}) = reg[5] $
$pc_4$ check(6, $a$, $pc_5$) $reg[6] = a$
$pc_5$ bind(3, $h$, 7, $pc_6$) $reg[7] \leftarrow c$
$pc_6$ yield(1,7) $X \leftarrow h(a) = reg[1], Y \leftarrow c = reg[7]$

E-matching abstract machine

mam

E-matching abstract machine - NB

  • Patterns that share common (top-down) term structure can share code sequences.

    • This saves on common work.

    • Use the choice instruction to branch when patterns end up having different sub-terms.

  • Other instructions are possible,

    • forward pruning: lookahead multiple function symbols in immediate subterms before diving into any subterm.

    • to deal with multi-patterns, when maching more than one pattern at a time.

Inverted path indexing

  • During search, congruence classes are merged.

  • Q: Which merges could enable pattern to be matched?

  • A: When pattern contains term $f(\ldots, g(\ldots),\ldots)$, and

    • a node $n_1$ is in in the same class as a node labeled by $g$,

    • a node $n_2$ is an argument of $f$ in the same position as $g$,

    • $n_1$, $n_2$ are merged

  • Idea: Build an index of all $\langle f, g\rangle$ pairs from patterns.

    • during a merge with $n_1, n_2$ look for matches in index.

Model-based Quantifier Instantiation [5, 11, 29, 36]

Check $\psi \land \forall x \ . \ \varphi[{x}]$

while $\psi$ is SAT with model $M$:
   if $\neg \varphi^M[{x}]$ is UNSAT return SAT
   $M \leftarrow $ model for $\neg \varphi^M[{x}]$
   find $t$, such that $x \not\in t, t^M = x^M$.
   $\psi \leftarrow \psi \land \varphi[t]$
return UNSAT

where $t^M$ is $t$ partially evaluated using interpretation $M$.

Partial model evaluation

  • $t^M$ is $t$ partially evaluated using interpretation $M$.

Example:

  • $M := [y \mapsto 3, f(x) \mapsto \mathit{if}\ x = 1\ \mathit{then}\ 3\ \mathit{else} \ 5]$

  • $t := y + f(y) + f(z)$

  • $t^M = 3 + 5 + \mathit{if}\ z = 1\ \mathit{then}\ 3\ \mathit{else} \ 5$

Model-based Quantifier Instantiation - scope

Quite powerful when search space for instantiation terms is finite

  • EPR, UFBV, Array property fragment, Essentially UF
  • Combine with template space
  • See also CEGIS

EPR

\[\begin{mdmathpre}%mdk \mathid{EPR}~&~::=~\exists \mathid{e}_1\ldots \mathid{e}_\mathid{n}~\forall \mathid{u}_1\ldots \mathid{u}_\mathid{m}~\mathid{F}\\ \mathid{F}~~~&~::=~\bigwedge_\mathid{i}~\mathid{C}_\mathid{i}\\ \mathid{C}~~~&~::=~\bigvee_\mathid{j}~\mathid{L}_\mathid{i}\\ \mathid{L}~~~&~::=~\mathid{A}~|~\neg \mathid{A}\\ \mathid{A}~~~&~::=~\mathid{p}(\vec{\mathid{V}})~|~\mathid{V}~=~\mathid{V}'\\ \mathid{V}~~~&~::=~\mathid{e}_\mathid{i}~|~\mathid{u}_\mathid{j} \end{mdmathpre}%mdk \]

Also known as Bernays-Schoenfinkel-Ramsey class.

Same complexity as DQBF.

EPR Example

(declare-sort T) 

(declare-fun subtype (T T) Bool)

;; subtype is reflexive
(assert (forall ((x T)) (subtype x x)))

;; subtype is antisymmetric
(assert (forall ((x T) (y T))  (=> (and (subtype x y) (subtype y x)) (= x y))))

;; subtype is transitive
; ...

;; subtype has the tree-property
(assert (forall ((x T) (y T) (z T)) 
  (=> (and (subtype x z) (subtype y z)) (or (subtype x y) (subtype y x)))))

;; we have an additional axiom: every type is a subtype of obj-type
(declare-const obj-type T) ....
(assert (forall ((x T)) (subtype x obj-type)))

(assert (subtype int-type real-type))
(assert (subtype real-type complex-type))
(assert (not (subtype string-type real-type)))

EPR Example - online

EPR decidability

  • Skolemize
    • $\forall u_1\ldots u_m F$, the $e_1, \ldots, e_n$ are free constants
  • Instantiate
    • $\bigwedge_{\theta} F\theta$
    • where $\theta$ ranges over all bindings of $u_i$ to $e_j$.
  • Check ground SAT
  • Ground SAT implies finite model of size at most $n$.

EPR using MBQI

  • Skolemize

    • $\forall u_1\ldots u_m F$, the $e_1, \ldots, e_n$ are free constants

  • Models for $\neg F$ bind variables $u_1, \ldots, u_m$ to free constants

  • The number of possible such models is bounded by $m^n$.

UFBV [36]

\[\begin{mdmathpre}%mdk \mathid{F}~~~&~::=~\exists \mathid{e}~:~\mathid{bv}[\mathid{n}]~.~\mathid{F}~|~\exists \mathid{u}~:~\mathid{bv}[\mathid{n}]~.~\mathid{F}~|~\mathid{F}~\wedge \mathid{F}~|~\mathid{C}\\ \mathid{C}~~~&~::=~\bigvee_\mathid{j}~\mathid{L}_\mathid{i}\\ \mathid{L}~~~&~::=~\mathid{A}~|~\neg \mathid{A}\\ \mathid{A}~~~&~::=~\mathid{p}(\vec{\mathid{T}})~|~\mathid{T}~=~\mathid{T}'~|~\mathtt{bvle}(\mathid{T},~\mathid{T}')~|~\ldots\\ \mathid{T}~~~&~::=~\mathid{f}(\vec{\mathid{T}})~|~\mathid{u}~|~\mathid{v}~|~\mbox{bit-vector expression}\\ \mathid{bv}[\mathid{n}]~&~::=~\mbox{bit-vector of length $n$} \end{mdmathpre}%mdk \]

UFBV Example

(set-option :smt.mbqi true)
(define-sort Char () (_ BitVec 8))

(declare-fun f  (Char) Char)
(declare-fun f1 (Char) Char)
(declare-const a Char)

(assert (bvugt a #x00))
(assert (= (f1 (bvadd a #x01)) #x00))
(assert (forall ((x Char)) (or (= x (bvadd a #x01)) (= (f1 x) (f x)))))

(check-sat)
(get-model)

UFBV Example - Online

UFBV decidability

  • All variables range over finite domains.

  • Quantifier-free fragment is not only NP hard, it is NEXPTIME hard.

    • QF-UFBV can be encoded into EPR. [35]

  • Quantified fragment is another complexity jump.

  • BV - quantifier elimination [1719]

  • UFBV using MBQI [36]

    • Use templates to find general instances

Map Property Fragment [7]

\[\begin{mdmathpre}%mdk \mathid{MP}~~~~&~::=~\exists \vec{\mathid{e}}~.~\forall \vec{\mathid{u}}~.~\bigwedge (\mathid{G}~\Rightarrow \mathid{F})\\ \mathid{G}~~~~~&~::=~\mathid{G}~\wedge \mathid{G}~|~\mathid{A}_\mathid{G}\\ \mathid{A}_\mathid{G}~~~&~::=~\mathid{T}[\mathid{u}]~\simeq \mathid{T}[\mathid{u}]~|~\mathid{T}[]~\not\simeq \mathid{T}[\mathid{u}]\\ \mathid{T}[\mathid{x}]~~&~::=~\mathid{x}~|~\mathid{e}\\ \mathid{F}~~~~~&~::=~\mathid{F}~\vee \mathid{F}~|~\mathid{A}_\mathid{F}~|~\neg \mathid{A}_\mathid{F}\\ \mathid{A}_\mathid{F}~~~&~::=~\mathid{T}[\mathid{a}[\mathid{u}]]~\simeq \mathid{T}[\mathid{a}[\mathid{u}]]~ \end{mdmathpre}%mdk \]

Map Property Fragment - Example

  • $a$ is equal to $b$ except at index $e$.

  • $c$ can only have two values, $e_1$ or $e_2$.

\[\begin{mdmathpre}%mdk \mdmathindent{2}\forall \mathid{u}~\ .~\ \mathid{a}[\mathid{u}]~\simeq \mathid{e}\\ \mdmathindent{2}\forall \mathid{u}~\ .~\ \mathid{u}~\not\simeq \mathid{e}~\ \Rightarrow \mathid{a}[\mathid{u}]~\simeq \mathid{b}[\mathid{u}]\\ \mdmathindent{2}\forall \mathid{u}~\ .~\ \mathid{c}[\mathid{u}]~\simeq \mathid{e}_1~\ \vee \mathid{c}[\mathid{u}]~\simeq \mathid{e}_2 \end{mdmathpre}%mdk \]

Array Property Fragment [7]

\[\begin{mdmathpre}%mdk \mathid{AP}~~~&~::=~\exists \vec{\mathid{e}}~.~\forall \vec{\mathid{u}}~.~\bigwedge (\mathid{G}~\Rightarrow \mathid{F})\\ \mathid{G}~~~~&~::=~\mathid{G}~\wedge \mathid{G}~|~\mathid{A}_\mathid{G}\\ \mathid{A}_\mathid{G}~~&~::=~\mathid{T}_\mathid{G}~\geq \mathid{T}_\mathid{G}\\ \mathid{T}_\mathid{G}~~&~::=~\mathid{u}~|~\mathid{T}[]\\ \mathid{T}[\mathid{x}]~~&~::=~\mathid{x}~|~\mathid{e}~|~\mathid{k}\times \mathid{T}[\mathid{x}]~|~\mathid{T}[\mathid{x}]~+~\mathid{T}[\mathid{x}]\\ \mathid{F}~~~~&~::=~\mathid{F}~\vee \mathid{F}~|~\mathid{A}_\mathid{F}~|~\neg \mathid{A}_\mathid{F}\\ \mathid{A}_\mathid{F}~~&~::=~\mathid{T}_\mathid{F}~\geq \mathid{T}_\mathid{F}~|~\mathid{R}(\mathid{T}_\mathid{F},~\ldots,~\mathid{T}_\mathid{F})~\\ \mathid{T}_\mathid{F}~~&~::=~\mathid{T}[\mathid{a}[\mathid{u}]]\\ \mathid{k}~~~~&~::=~\mbox{a numeric constant}\\ \mathid{R}~~~~&~::=~\mbox{a predicate} \end{mdmathpre}%mdk \]

Array Property Example

(set-option :smt.mbqi true)
(set-option :model.compact true)

;; A0, A1, A2, A3, A4 are "arrays" from Integers to Integers.
(declare-fun A0 (Int) Int) (declare-fun A1 (Int) Int)
(declare-fun A2 (Int) Int) (declare-fun A3 (Int) Int)
(declare-fun A4 (Int) Int) 
(declare-const n Int) (declare-const l Int)
(declare-const k Int) (declare-const x Int)
(declare-const y Int) (declare-const w Int)
(declare-const z Int)

;; A1 = A0[k <- w]
(assert (= (A1 k) w))
(assert (forall ((x Int)) (or (= x k) (= (A1 x) (A0 x)))))

;; A2 = A1[l <- x] = A0[k <- w][l <- x]
(assert (= (A2 l) x))
(assert (forall ((x Int)) (or (= x l) (= (A2 x) (A1 x)))))

;; A3 = A0[k <- y]
(assert (= (A3 k) y))
(assert (forall ((x Int)) (or (= x k) (= (A3 x) (A0 x)))))

;; A4 = A3[l <- z] = A0[k <- y][l <- z] 
(assert (= (A3 l) z))
(assert (forall ((x Int)) (or (= x l) (= (A4 x) (A3 x)))))

(assert (and (< w x) (< x y) (< y z)))
(assert (and (< 0 k) (< k l) (< l n)))
(assert (> (- l k) 1))

;; A2 is sorted in the interval [0,n-1]
(assert (forall ((i Int) (j Int))
                (=> (and (<= 0 i) (<= i j) (<= j (- n 1)))
                    (<= (A2 i) (A2 j)))))

(check-sat)
(get-model)

;; A4 is sorted in the interval [0,n-1]
(assert (forall ((i Int) (j Int))
                (=> (and (<= 0 i) (<= i j) (<= j (- n 1)))
                    (<= (A4 i) (A4 j)))))

(check-sat)

Array Property Example - Online

Array property Fragment - sufficient instantiations

  • Given formula $\varphi := \forall \vec{u} . \bigwedge (G \Rightarrow F)$ with $\vec{e}$ free.

  • Let $\mathcal{I} = \{ c_1, \ldots, c_m \}$ be set of a set of $T[] \cup \{ 0 \}$ from $\varphi$.

Definition 1.
The set $\mathcal{I}$ is a sufficient set of instances for $\varphi$, if
$\forall u \ . \ \bigvee_{c \in \mathcal{I}} \bigwedge_{A_G} (A_G \Rightarrow A_G[c/u])$

  • In other words, for every possible instantiation of $u$ there is a $c$ that satisfies at least the same combination of guards.

Array Property Fragment - arithmetic

Proposition 1.
If $\varphi$ admits a finite sufficient set of instances $\mathcal{I}$, it can be evaluated using those.

Proposition 2.
Formulas in the array and map property fragments admit a sufficient set of instantiations.

Proposition 3.
MBQI is a decision procedure the array and map property fragments by using the instantiation sets computed from the formulas.

Essentially Uninterpreted Fragment [11]

Synthesize generalized instantiation sets using grammar rules.

Applies to winder range of formulas than the syntactic array property fragment.

  • list property fragment by McPeak and Necula
  • several locally finite theories - Stokkermans et. al.

Essentially Uninterpreted Example

(set-option :smt.mbqi true)
;; f an g are "streams"
(declare-fun f (Int) Int)
(declare-fun g (Int) Int)

;; the segment [a, n + a] of stream f is equal to the segment [0, n] of stream g.
(declare-const n Int)
(declare-const a Int)
(assert (forall ((x Int)) (=> (and (<= 0 x) (<= x n))
                              (= (f (+ x a)) (g x)))))

;; adding some constraints to a
(assert (> a 10))
(assert (>= (f a) 2))
(assert (<= (g 3) (- 10)))

(check-sat)
(get-model)

Essentially Uninterpreted Example - Online

Instantiation sets and Quantifiers

  • As pursued in [34]

  • The notion of instantiation set can be extended along a different dimension of virtual substitutions.

  • Several theories admit quantifier elimination by virtual substitutions.

  • Example $(2x \geq 3)[(y-\epsilon)/x]$ $\equiv$ $(2(y-\epsilon) \geq 3)$ $\equiv$ $2y > 3$.

  • Tricky part: ensure that set of virtual substitutions does not grow unbounded.

QSAT [2]

Instantiations from repeated SMT calls [25]

Goal: To find a quantifier free $G$, such that $G \equiv \exists \vec{v} \ . \ F$

Tool: project that eliminates $\vec{v}$ from a conjunction $M$
         that is, project($\vec{v}, M$) $\Rightarrow \ \exists\vec{v} \ . \ M$.

Initialize: $G \leftarrow \bot$

Repeatedly: find conjunctions $M$ that imply $F \wedge \neg G$

Update: $G \leftarrow G \vee $ project($\vec{v}, M$).

Instantiations - Algorithm

def qe($\exists \vec{v} \ . \ F$):                   
    e, a = Solver(), Solver()
    e.add($F$)                        
    a.add($\neg F$)
    $G$ = False
    while sat == e.check():
       $M_0$ = e.model()
       $M_1$ = $\{ \mbox{literal }\ell \in F \;\mid\; M_0.\mathsf{eval}(\ell) = \true \}$  # assume $F$ is in negation normal form
       assert unsat == a.check($M_1$) 
       $M_2$ = a.unsat_core()
       $\pi$ = project($M_2$, $\vec{v}$)
       $G$ = $G \vee \pi$
       e.add($\neg\pi$)
    return $G$

From SMT to QBF and back

  • The approach we illustrated was used by Monniaux'08 [25].

  • QESTO [16] generalizes to nested QBF.

  • We generalize QESTO to SMT; improving [25, 26, 31]

Example game [16]

\[\begin{mdmathpre}%mdk \mathid{G}~~=~~\forall \mathid{u}_1,\mathid{u}_2~\exists \mathid{e}_1,~\mathid{e}_2~\ .~\ \mathid{F}~\\\\ \mathid{F}~~=~~(\mathid{u}_1~\land \mathid{u}_2~\rightarrow \mathid{e}_1)~\land (\mathid{u}_1~\land \neg \mathid{u}_2~\rightarrow \mathid{e}_2)~\land(\mathid{e}_1~\land \mathid{e}_2~\rightarrow \neg \mathid{u}_1) \end{mdmathpre}%mdk \]
  • $\forall$: starts. $u_1, u_2, \overline{e}_1, \overline{e}_2 \models \neg F$.
  • $\exists$: strikes back. ${\color{blue}{u_1, u_2}}, e_1, \overline{e}_2 \models F$.
  • $\forall$: has to backtrack. Already $u_2, e_1, \overline{e}_2 \models F$.
  • $\forall$: learns $\neg u_2$.
  • $\forall$: ${\color{red}{\overline{u}_2}}, u_1, \overline{e}_1, \overline{e}_2 \models \neg F$.
  • $\exists$: counters - ${\color{red}{\overline{u}_2}}, {\color{blue}{u_1}}, \overline{e}_1, e_2 \models F$.
  • $\forall$: has lost!. Already ${\color{red}{\overline{u}_2}}, \overline{e}_1, e_2 \models F$.

Summary of approach

  • Two players try to find values

    • $\forall$ - to satisfy $\neg F$
    • $\exists$ - to satisfy $F$

  • Players control their variables

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ fixes value of $x_4$, but can change again it at round $4$,
      • $\forall$ can guess values of of $x_3$ to satisfy $\neg F$.

  • Some player loses at round $i + 2$.

    • Create succinct no-good to strengthen $F$ resp. $\neg F$.
    • Backjump to round $i$ (or below).

Main ingredients: Projection and Strategies



  • Projections are added to learn from mistakes.

    • Player avoids repeating same losing moves.

  • Strategies prune moves from opponent.

    • Prevent opponent player from moves.

Finding small good no-goods

  • Player $\forall$ has lost at round $i+2$

    • Player $\exists$ found a model $M$ at round $i+1$, $M \models F$.

    • $M$ induces an evaluation on a subset of literals $\mathcal{L}$ in $F$, such that $\mathcal{L} \models F$.

    • $\mathcal{L}$ is an unsatisfiable core for $\neg F$.

  • Model Based Projection

    • Find a $\varphi$, such that $\varphi \rightarrow \exists x_{i+1}, x_{i+2}, \ldots \mathcal{L}$.

      • $\varphi$ should be weak, so $\neg\varphi$ is a strong blocker.
      • $\varphi$ should be cheap to find and avoid space overhead.

    • Then $\neg \varphi$ can block $\mathcal{L}$.

    • Idea: Use $M$ to find a sufficient $\varphi$.

Initialization

\[\begin{mdmathpre}%mdk \mdmathindent{4}\exists \mathid{x}_{1},~\forall \mathid{x}_{2},~\exists \mathid{x}_{3},~\forall \mathid{x}_{4},~..,~\mathid{Q}~\mathid{x}_{\mathid{n}}~\mathid{F}[\mathid{x}_{1},~\mathid{x}_{2},~\ldots]\\ \mathid{Initialize}:\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \mathid{F}~~~~~~~~~~~\mbox{if $j$ is odd}\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \neg \mathid{F}~~~~~~~~\mbox{if $j$ is even} \end{mdmathpre}%mdk \]
   def level(j,a): return max level of bound variable in atom a of parity j
\[\begin{mdmathpre}%mdk \mdmathindent{3}\mathid{level}(1,~\mathid{z}~\geq 0)~=~\mathid{level}(3,~\mathid{z}~\geq 0)~=~3\\ \mdmathindent{3}\mathid{level}(2,~\mathid{z}~\geq 0)~=~0\\ \mdmathindent{3}\mbox{for }~\exists \mathid{x}~\forall \mathid{y}~\exists \mathid{z}~\mathid{z}~\geq 0~\land ((\mathid{x}~\geq 0~\land \mathid{y}~\geq 0)~\vee \mathid{y}~+~\mathid{z}~\leq 1) \end{mdmathpre}%mdk \]

QSAT Algorithm

  def strategy(M,j): return $\bigwedge_{M \neq null, a \in Atoms, level(j, a) < j} sign(M,a) $
  def tailv(j): return $x_{j-1},x_j,x_{j+1},\ldots$
    
  j = 1
  M = null
  while True:
    if $F_{j}\ \ \wedge$ strategy(M, j) is unsat:
      if j == 1: 
        return F is unsat
      if j == 2:
        return F is sat
      C = Core($F_j$, strategy(M, j))
      J = Mbp(tailv(j), C)
      j = index of max variable in J $\cup\ \{ 1, 2 \}$ of same parity as j      
      $F_j$ = $F_j \wedge \neg $J
      M = null
    else:
      M = current model
      j = j + 1

Projection and Strategies



  • Projections learn from mistakes, avoids similar mistakes in future rounds.

  • Strategies prune moves from opponent.

Model-based projection - Example

  • Want to compute small $\exists x \ . \ (2y \leq x \wedge y - z \leq x \wedge x \leq z)$.

  • Note

    \[\begin{mdmathpre}%mdk \mdmathindent{3}\exists \mathid{x}~\ .~\ (2\mathid{y}~\leq \mathid{x}~\wedge \mathid{y}~-~\mathid{z}~\leq \mathid{x}~\wedge \mathid{x}~\leq \mathid{z})~\equiv \\ \mdmathindent{19}(\mathid{y}~-~\mathid{z}~\leq 2\mathid{y}~\leq \mathid{z})~\vee (2\mathid{y}~\leq \mathid{y}~-~\mathid{z}~\leq \mathid{z}) \end{mdmathpre}%mdk \]

  • Say $M = [x \mapsto 3, y \mapsto 1, z \mapsto 6]$

  • $\Mbp(M, x, 2y \leq x \wedge y - z \leq x \wedge x \leq z)$

  • $2y^M = 2$

  • $(y-z)^M = -5$

  • So $2y > y - z$

  • $\Mbp(M, x, 2y \leq x \wedge y - z \leq x \wedge x \leq z) = y - z \leq 2y \leq z$

  • $y - z \leq 2y \leq z \ \Rightarrow \ \exists x \ . \ (2y \leq x \wedge y - z \leq x \wedge x \leq z)$

Model-based Projection for LRA

Eliminate $\simeq, \not\simeq$ from conjunction of literals $L$:

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\simeq \mathid{t}~\land \mathid{L})~=~~\mathid{L}[\mathid{t}/\mathid{x}]~\quad\quad \mathid{if}~\mathid{x}~\not\in \mathid{FV}(\mathid{t})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\not\simeq \mathid{t}~\land \mathid{L})~~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{x}~>~\mathid{t}~\land \mathid{L})~~~\\ \mdmathindent{41}\mbox{where}\quad \mathid{M}(\mathid{x})~>~\mathid{M}(\mathid{t})~ \end{mdmathpre}%mdk \]



Trick: Use $\epsilon$ to turn $>$ into $\geq$.

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~>~\mathid{t}~\land \mathid{L})~~=~~\Mbp(\mathid{M},~\mathid{x},~(\mathid{x}~\geq \mathid{t}~+~\epsilon)~\land \mathid{L}) \end{mdmathpre}%mdk \]


Model-based Projection for LRA - resolution

Can now assume $x$ occurs only as upper or lower bounds:

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{x}~\land \bigwedge_\mathid{j}~\mathid{x}~\leq \mathid{s}_\mathid{j})~~=~~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{t}_0~\land \bigwedge_\mathid{j}~\mathid{t}_0~\leq \mathid{s}_\mathid{j}\\ \mdmathindent{17}\mbox{where}~\mathid{M}(\mathid{t}_0)~\geq \mathid{M}(\mathid{t}_\mathid{i})~\forall \mathid{i} \end{mdmathpre}%mdk \]

Model-based Projection on formulas

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\emptyset,~\varphi)~~~~~~~~=~~\varphi \\ \Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi)~~~~~~~~~=~~\Mbp\left(\mathid{M},~\vec{\mathid{x}},~\bigwedge \{~\mathid{sign}(\mathid{M},~\mathid{a})~\;\mid\;~\mathid{a}~\in \mbox{Atoms}(\varphi)~\}\right)~\\ \Mbp(\mathid{M},~\mathid{x}\vec{\mathid{x}},~\varphi)~~~~~~~=~~\Mbp(\mathid{M},~\mathid{x},~\Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi))~\\ \Mbp(\mathid{M},~\mathid{x},~\varphi \land \psi)~~=~~\Mbp(\mathid{M},~\mathid{x},~\varphi)~\land \psi \quad\quad \mathid{if}~\mathid{x}~\not\in \mathid{FV}(\psi)~ \end{mdmathpre}%mdk \]
   def sign(M,a): if M(a) return a else return $\neg$a

Model-based Projection for LIA

For LIA, cannot just assume equalities are of the form $t \leq x$ or $x \leq s$. Generally, $x$ has a coefficient, that we cannot remove.

Example: $3y + z \leq 2x, 3x \leq 7u + v$.

  • What could go wrong if we just reduce to $3\cdot(3y + z) \leq 2 \cdot(7u + v)$?

  • Suppose $3y + z = 3$, $7u + v = 5$. So $3 \leq 2x, 3x \leq 5$.

  • Cross-multiplying gives $3\cdot 3 \leq 5 \cdot 2$, which is feasible, but $3 \leq 2x, 3x\leq 5$ is infeasible.

Model-based Projection for LIA - integer resolution

Solution: Combine inequalities using resolution

\[\begin{array}{l} \Mbp(M, x, \bigwedge_i t_i \leq a_ix \land \bigwedge_j b_jx \leq s_j) = \\ \quad\quad\quad \bigwedge_i t_i a_0 \leq t_0 a_i \land \bigwedge_{j} resolve(M, t_0 \leq a_0x, b_j x \leq s_j) \\ \quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad \mathrm{if} M(t_0/a_0) \geq M(t_i/a_i), \forall i. \end{array} \]

Model-based Projection for LIA - resolution [33]

$resolve(M, t \leq ax , bx \leq s) = $

  • $ bt + (a-1)(b-1) \leq as$  if $(a-1)(b-1) \leq M(bt-as)$

  • $ bt \leq as \land a | (t + d) \land b(t+d) \leq as)$
    else if $b \geq a, d := M(-t) \mod a$

  • $bt \leq as \land b | (s - d) \land bt \leq a(s-d)$
    otherwise, $a > b, d := M(s) \mod b$

  • satisfies $resolve(M, t \leq ax, bx \leq s) \Rightarrow \exists x \ . \ t \leq ax \land bx \leq t$, and

Model-based Projection for LIA - divisiblity

Resolution introduced divisibility constraints.

So now we also have to eliminate $x$ under divisions.

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\bigwedge_{\mathid{i}=1}^\mathid{n}~\mathid{d}_\mathid{i}~\mid (\mathid{a}_\mathid{i}~\mathid{x}~+~\mathid{t}_\mathid{i})~\land \mathid{L})~~=~\\~~\\ \quad\quad\quad \Mbp\left(\mathid{M},~\mathid{x}',~\mathid{L}[\mathid{u}~+~\mathid{d}\cdot \mathid{x}'/\mathid{x}]\right)~\land \bigwedge_{\mathid{i}=1}^\mathid{n}~\mathid{d}_\mathid{i}~\mid (\mathid{a}_\mathid{i}~\mathid{u}~+~\mathid{t}_\mathid{i})~\\ \end{mdmathpre}%mdk \]

where

  • $d = \mathrm{lcm}(d_1, \ldots, d_n)$,
  • $u = M(x) \mod d$

Model-based Projection for Term Algebras

S-expressions: A generic term algebra

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{SExpr}~::=~\mathid{nil}~|~\mathid{cons}(\mathid{car}~:~\mathid{SExpr},~\mathid{cdr}~:~\mathid{SExpr}) \end{mdmathpre}%mdk \]

  • An s-expression is either a nil or a cons.

  • Access arguments of cons using car and cdr.

  • Test terms using cons?($t$), or nil?($t$)

Model-based Projection for Term Algebras - $\simeq$

\[\begin{mdmathpre}%mdk \mathid{x}~\simeq \mathid{x}~\land \mathid{L}~~\leadsto \mathid{L}~\\ \ \\ \mathid{u}~\simeq \mathid{x}~\land \mathid{L}~~\leadsto \mathid{L}[\mathid{u}/\mathid{x}]~~~~\mathsf{if}~\mathid{x}~\not\in \mathid{u}\\ \ \\ \mathid{u}~\simeq \mathid{x}~\land \mathid{L}~~\leadsto \false\ ~~~\mathsf{if}~\mathid{x}~\in \mathid{u}\\ \ \\ \mathit{cons}(\mathid{t},\mathid{s})~\simeq \mathit{cons}(\mathid{u},\mathid{v})~\land \mathid{L}~~\leadsto \mathid{t}~\simeq \mathid{u}~\land \mathid{s}~\simeq \mathid{v}~\land \mathid{L}\\ \ \mdmathindent{5}\\ \mathit{cons}(\mathid{t},\mathid{s})~\simeq \mathid{u}~\land \mathid{L}~~\leadsto \ \mathit{cons?}(\mathid{u})~\land \mathid{t}~\simeq \mathit{car}(\mathid{u})~\land \mathid{s}~\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L}~ \end{mdmathpre}%mdk \]

amounts to unification

Model-based Projection for Term Algebras - $\not\simeq$

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\\ \mdmathindent{5}\quad \quad \quad \quad \quad \mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{s}~\not\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L})~\\ \mdmathindent{5}\quad \mbox{if}\quad \mathid{x}~\in \mathid{s},~\quad \mathid{M}(\mathit{cons?}(\mathid{u})),~\quad \mathid{M}(\mathid{s})~\neq \mathid{M}(\mathit{cdr}(\mathid{u}))~ \end{mdmathpre}%mdk \]

Case for $M(t) \neq M(\mathit{car}(u))$ is symmetric.

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\neg \mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{L})\\ \mdmathindent{5}\quad\mbox{if}\quad \mathid{x}~\in \mathid{s}~\mbox{ or }~\mathid{x}~\in \mathid{t},~\quad \mathid{M}(\neg\mathit{cons?}(\mathid{u}))\\ \end{mdmathpre}%mdk \]
\[\begin{mdmathpre}%mdk \mdmathindent{1}\Mbp(\mathid{M},~\mathid{x},~\mathid{t}_1~\not\simeq \mathid{x}~\land \ldots \land \mathid{t}_\mathid{n}~\not\simeq \mathid{x})~~=~~\top \end{mdmathpre}%mdk \]

Since there is an infinite number of cons-terms.

Model-based projection Term Algebras - adequacy

  • New terms are created during $\Mbp$

  • but they are of the form $\mathit{car}, \mathit{cdr}$ following shape of original constructor terms.

  • and they occur in conjunctions with $\mathit{cons}?(..)$.

  • so $\Mbp$ produces finite set of projections.

Model-based projection for NRA

  • Theory: Non-linear polynomial arithmetic

  • Partial CAD - model-based projection [20]

    • Given model $M$, such that $M \models \forall x \ . \ p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$
    • Find $q_1, \ldots, q_k$, such that
      • $q_1(y) < 0 \vee \ldots \vee q_k(y) > 0 \vee p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$ is valid
      • $M \models q_1(y) \geq 0 \wedge \ldots \wedge q_k(y) \leq 0$

  • CAD decomposes $R^n$ into sign-invariant cylinders.

  • Choose the cylinder where $M$ is a member.

Model-based projections, two lenses

Sat based MBP [22]:

  • Given: $M \models \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $ \models (s_1 \wedge\ldots \wedge s_m) \rightarrow \exists x \ . \ \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

Contrast this with Core-based MBP [30]:

  • Given: $M \models \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$.

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $\models (s_1 \wedge \ldots \wedge s_m) \rightarrow \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$

Claim: (Roughly) The same projection operator can be used in both cases if $x$ occurs in all literals and the operator is stable under changes to the value of $x$.

Finding strategies

  • Other main ingredient of QSAT is option for players to narrow options of opponents by revealing a strategy

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ can make $x_4$ a function of $x_3$.

  • Developing practical strategies is work in progress

    • For QBF can use Q-resolution proofs as guide [3]

    • Method by Markus Rabe can be seen as a strategy.

Horn Clauses [1214, 24]

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

Horn Clause Engines

  • PDR, SPACER - IC3 inspired engine [13, 23].
  • Duality - Interpolation based [24].
    • Use Duality, PDR, or SPACER if your Horn clauses use arithmetic variables.
  • Datalog - Bottom-up stratified Datalog engine for finite domains [14].
    • Use Datalog backened for Horn clauses over finite domains: bit-vectors and Booleans.
  • BMC - Bounded model checking, Tabulation, Symbolic Execution
    • Use BMC to unfold Horn clauses a la bounded model checking.

IC3

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[ R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}] \]

IC3 recap (2)

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until

  • Induction For $0 \leq i < N$, a clause $(\varphi \lor\psi)\ \in R_i$, $\varphi\not\in R_{i+1}$, if $\cF(R_i \wedge \varphi)\rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for each $j \leq i + 1$.

IC3 beyond SAT

Decide - Generalized form

Decide Add $\langle m_0[\vec{x}], i\rangle$ to $\Queue$ if $\langle m[\vec{x}], i+1\rangle \in \Queue$, $m' \land m_0[\vec{x}_0] \ \rightarrow \ \cF(R_{i})[\vec{x}_0,\vec{x}] \land m$.

  • [6, 10] Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ gives (near prime implicant) $m_0$.
  • [13] Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignment $m_0$.
  • [8, 21] Partial quantifier elimination.
  • [22] $(\exists\vec{x} \ . \ m \land \cF(R_{i})[\vec{x}_0,\vec{x}]) \ \equiv\ \bigvee_i \psi_i[\vec{x}_0]$ where $\psi_i$ are quantifier-free. Use model for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ to compute $\psi_i$ without expanding full disjunction.
  • [9, 15] Keep vocabulary of literals fixed (= predicate abstraction).

Madoko

  • Madoko is a A Fast Scholarly Markdown Processor,
  • intuitive and powerful integration of markdown and LaTeX,
  • browser and Azure based - no installation,
  • immediate preview,
  • real-time collaborative editing,
  • is written in Koka,
  • is by Daan Leijen, Microsoft Research daan

References

[1]Nikolaj Bjørner. “Linear Quantifier-Elimination as an Abstract Decision Procedure.” In IJCAR. 2010. 🔎
[2]Nikolaj Bjørner, and Mikolás Janota. “Playing with Alternating Quantifier Satisfaction.” In LPAR Short Presentation Papers. 2015. 🔎
[3]Nikolaj Bjørner, Mikolás Janota, and William Klieber. “On Conflicts and Strategies in QBF.” In 20th International Conferences on Logic for Programming, Artificial   Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, Fiji, November 24-28, 2015., 28–41. 2015. http://​www.​easychair.​org/​publications/​paper/​On_​Conflicts_​and_​Strategies_​in_​QBF🔎
[4]Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. “On Solving Universally Quantified Horn Clauses.” In SAS, 105–125. 2013. 🔎
[5]Maria Paola Bonacina, Christopher Lynch, and Leonardo Mendonça de Moura. “On Deciding Satisfiability by Theorem Proving with Speculative   Inferences.” J. Autom. Reasoning 47 (2): 161–189. 2011. 🔎
[6]Aaron R. Bradley. “SAT-Based Model Checking without Unrolling.” In VMCAI, 70–87. 2011. 🔎
[7]Aaron R. Bradley, Zohar Manna, and Henny B. Sipma. “What’s Decidable About Arrays?” In Verification, Model Checking, and Abstract Interpretation, 7th International   Conference, VMCAI 2006, Charleston, SC, USA, January 8-10, 2006, Proceedings, 427–442. 2006. doi:10.1007/11609773_28🔎
[8]Alessandro Cimatti, and Alberto Griggio. “Software Model Checking via IC3.” In CAV, 277–293. 2012. 🔎
[9]Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. “IC3 Modulo Theories via Implicit Predicate Abstraction.” In TACAS, 46–61. 2014. 🔎
[10]Niklas Eén, Alan Mishchenko, and Robert K. Brayton. “Efficient Implementation of Property Directed Reachability.” In FMCAD, 125–134. 2011. 🔎
[11]Yeting Ge, and Leonardo Mendonça de Moura. “Complete Instantiation for Quantified Formulas in Satisfiabiliby   Modulo Theories.” In CAV, 306–320. 2009. 🔎
[12]Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. “Synthesizing Software Verifiers from Proof Rules.” In ACM SIGPLAN Conference on Programming Language Design and Implementation,   PLDI ’12, Beijing, China - June 11 - 16, 2012, 405–416. 2012. doi:10.1145/2254064.2254112🔎
[13]Krystof Hoder, and Nikolaj Bjørner. “Generalized Property Directed Reachability.” In Theory and Applications of Satisfiability Testing - SAT 2012 - 15th   International Conference, Trento, Italy, June 17-20, 2012. Proceedings, 157–171. 2012. doi:10.1007/978-3-642-31612-8_13🔎
[14]Krystof Hoder, Nikolaj Bjørner, and Leonardo Mendonça de Moura. “μZ- An Efficient Engine for Fixed Points with Constraints.” In Computer Aided Verification - 23rd International Conference, CAV   2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 457–462. 2011. doi:10.1007/978-3-642-22110-1_36🔎
[15]Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, and Aditya V. Thakur. “Property-Directed Shape Analysis.” In CAV, 35–51. 2014. 🔎
[16]Mikolás Janota, and Joao Marques-Silva. “Solving QBF by Clause Selection.” In Proceedings of the Twenty-Fourth International Joint Conference on   Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 325–331. 2015. http://​ijcai.​org/​Abstract/​15/​052🔎
[17]Ajith K. John, and Supratik Chakraborty. “A Quantifier Elimination Algorithm for Linear Modular Equations and   Disequations.” In Computer Aided Verification - 23rd International Conference, CAV   2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 486–503. 2011. doi:10.1007/978-3-642-22110-1_39🔎
[18]Ajith K. John, and Supratik Chakraborty. “Extending Quantifier Elimination to Linear Inequalities on Bit-Vectors.” In Tools and Algorithms for the Construction and Analysis of Systems   - 19th International Conference, TACAS 2013, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2013, Rome, Italy, March 16-24, 2013. Proceedings, 78–92. 2013. doi:10.1007/978-3-642-36742-7_6🔎
[19]Ajith K. John, and Supratik Chakraborty. “A Layered Algorithm for Quantifier Elimination from Linear Modular   Constraints.” Formal Methods in System Design 49 (3): 272–323. 2016. doi:10.1007/s10703-016-0260-9🔎
[20]Dejan Jovanovic, and Leonardo Mendonça de Moura. “Solving Non-Linear Arithmetic.” In Automated Reasoning - 6th International Joint Conference, IJCAR   2012, Manchester, UK, June 26-29, 2012. Proceedings, 339–354. 2012. doi:10.1007/978-3-642-31365-3_27🔎
[21]Roland Kindermann, Tommi A. Junttila, and Ilkka Niemelä “SMT-Based Induction Methods for Timed Systems.” In FORMATS, 171–187. 2012. 🔎
[22]Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. “SMT-Based Model Checking for Recursive Programs.” In CAV, 17–34. 2014. 🔎
[23]Anvesh Komuravelli, Arie Gurfinkel, Sagar Chaki, and Edmund M. Clarke. “Automatic Abstraction in SMT-Based Unbounded Software Model   Checking.” In CAV, 846–862. 2013. 🔎
[24]Kenneth L. McMillan. “Lazy Annotation Revisited.” In Computer Aided Verification - 26th International Conference, CAV   2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings, 243–259. 2014. doi:10.1007/978-3-319-08867-9_16🔎
[25]David Monniaux. “A Quantifier Elimination Algorithm for Linear Real Arithmetic.” In LPAR (Logic for Programming Artificial Intelligence and Reasoning), 243–257. Lecture Notes in Computer Science 5330. Springer Verlag. 2008. doi:10.1007/978-3-540-89439-1_18🔎
[26]David Monniaux. “Quantifier Elimination by Lazy Model Enumeration.” In Computer-Aided Verification (CAV), 585–599. Lecture Notes in Computer Science 6174. Springer Verlag. 2010. doi:10.1007/978-3-642-14295-6_51🔎
[27]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Efficient E-Matching for SMT Solvers.” In CADE, 183–198. 2007. 🔎
[28]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Engineering DPLL(T) + Saturation.” In IJCAR, 475–490. 2008. 🔎
[29]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Bugs, Moles and Skeletons: Symbolic Reasoning for Software   Development.” In IJCAR, 400–411. 2010. 🔎
[30]Leonardo Mendonça de Moura, and Dejan Jovanovic. “A Model-Constructing Satisfiability Calculus.” In Verification, Model Checking, and Abstract Interpretation, 14th International   Conference, VMCAI 2013, Rome, Italy, January 20-22, 2013. Proceedings, 1–12. 2013. doi:10.1007/978-3-642-35873-9_1🔎
[31]Anh-Dung Phan, Nikolaj Bjørner, and David Monniaux. “Anatomy of Alternating Quantifier Satisfiability (Work in   Progress).” In SMT-IJCAR, 120–130. 2012. 🔎
[32]Ruzica Piskac, Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Deciding Effectively Propositional Logic Using DPLL and   Substitution Sets.” J. Autom. Reasoning 44 (4): 401–424. 2010. 🔎
[33]William Pugh. “The Omega Test: A Fast and Practical Integer Programming Algorithm   for Dependence Analysis.” In Proceedings Supercomputing ’91, Albuquerque, NM, USA, November 18-22,   1991, 4–13. 1991. doi:10.1145/125826.125848🔎
[34]Andrew Reynolds, Tim King, and Viktor Kuncak. “Solving Quantified Linear Arithmetic by Counterexample-Guided Instantiation.” Formal Methods in System Design 51 (3): 500–532. 2017. doi:10.1007/s10703-017-0290-y🔎
[35]Martina Seidl, Florian Lonsing, and Armin Biere. “qbf2epr: A Tool for Generating EPR Formulas from QBF.” In Third Workshop on Practical Aspects of Automated Reasoning, PAAR-2012,   Manchester, UK, June 30 - July 1, 2012, 139–148. 2012. http://​www.​easychair.​org/​publications/​paper/​145184🔎
[36]Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonça de Moura. “Efficiently Solving Quantified Bit-Vector Formulas.” Formal Methods in System Design 42 (1): 3–23. 2013. 🔎