Satisfiability Modulo Theories

SETSS 2018

Nikolaj Bjørner

Microsoft Research

nbjorner@microsoft.com

Sections

An Introduction to Satisfiability Modulo Theories and Z3
Theory Solvers
SAT and SMT Algorithms
Optimization with MaxSAT
Quantifier Reasoning

Bio

90's: DTU, DIKU, Stanford
This is me a week before fixing my thesis topic
Late 90's: Kestrel Institute
Early 2000s: XDegrees (file sharing startup)
2002-06: Distributed File Replication @ Microsoft
2006: MSR: , Network Verification

Section 1

An Introduction to Satisfiability Modulo Theories and Z3

Z3

A state-of-art Satisfiability Modulo Theories (SMT) solver
On GitHub: https://github.com/Z3prover/z3.git
- MIT open source license
- Developments: Scalable simplex solver, Strings, Horn clauses, floating points, SAT extensions

Some Z3 Applications

Program Verification
- VCC, Everest, Dafny, Havoc, Leon
Symbolic Execution
- SAGE, Pex, KLEE
Software Model Checking
- Static Driver Verifier, Smash, SeaHorn
Configurations
- Network Verification with SecGuru
- Dynamics Product Configuration

Microsoft Tools using Z3

MicrosoftToolsBasedOnZ3

SAT/SMT examples

Book draft by Dennis Yurichev

Basic SAT

  Tie, Shirt = Bools('Tie Shirt')
  s = Solver()
  s.add(Or(Tie, Shirt), Or(Not(Tie), Shirt), Or(Not(Tie), Not(Shirt)))
  print s.check()
  print s.model()

Basic SMT

I = IntSort()
f = Function('f', I, I)
x, y, z = Ints('x y z')
A = Array('A',I,I)

fml = Implies(x + 2 == y, f(Select(Store(A, x, 3), y - 2)) == f(y - x + 1))

s = Solver()
s.add(Not(fml))
print s.check()

SMT in a nutshell

Is formula satisfiable under theory ?

SMT solvers use specialized algorithms for .

Complexity

SAT/SMT

SATSMT

Logics and Theories

Terms
Logical Connectives
Quantifiers, Variables

Propositional logic
Theory of Equality
Uninterpreted Functions
Arrays
Arithmetic
Arrays
Algebraic Data-types
Bit-vectors, Floating points
Sequences, Strings

Logics

Sorts -
- signature of sorted constant, functions
- Functions are sorted .
- Constants are nullary functions
- Predicates are functions with range
Terms and predicates are built from functions over
Connectives and Quantifiers
- - and, - or
- - negation, - implication
- - quantifiers

Extended SAT queries

Silva

Slide is by Joao Marques-Silva

Logical Queries - SAT+

sat unsat

model (clausal) proof

correction set core

local min correction set local min core

min correction set min core

Logical Queries

Progress in SAT, SMT, and ATP

Progress in SAT Solving

SatMilestones

Progress in ATP

ATPMilestones

Progress in SMT Solving

SMTMilestones

Section 2

Theory Solvers

Equality and Uninterpreted functions

EUF

  (declare-sort A)
  (declare-fun f (A) A)
  (declare-const x A)
  (assert (= (f (f x)) x))
  (assert (= (f (f (f x))) x))
  (check-sat)
  
  (assert (not (= (f x) x)))
  (check-sat)

Deciding Equality

Disequalities

Variants of union-find are effective to decide equality.

Free functions

Congruence rule

Naming sub-terms

Applying Congruence (1)

Applying Congruence (2)

EUF Models

A satisfiable version:

EUF Models (II)

Associate a distinct value with each equivalence class.

Linear Arithmetic

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) (>= t12 (+ t11 2)) (<= (+ t12 1) 8)))
(assert (and (>= t21 0) (>= t22 (+ t21 3)) (<= (+ t22 1) 8)))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or (>= t11 (+ t21 3)) (>= t21 (+ t11 2))))
(assert (or (>= t11 (+ t31 2)) (>= t31 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) (>= t31 (+ t21 3))))
(assert (or (>= t12 (+ t22 1)) (>= t22 (+ t12 1))))
(assert (or (>= t12 (+ t32 3)) (>= t32 (+ t12 1))))
(assert (or (>= t22 (+ t32 3)) (>= t32 (+ t22 1))))
(check-sat)
(get-model) ; display the model

Linear Arithmetic Example

Algorithmic Fragments of Arithmetic


Logic	Fragment	Solver	Example

LRA	Linear Real Arithmetic	Dual Simplex

LIA	Linear Integer Arithmetic	CutSat
LIRA	Mixed Real/Integer	Cuts + Branch

IDL	Integer Difference Logic	Floyd-Warshall
RDL	Real Difference Logic	Bellman-Ford
UTVPI	Unit two-variable per inequality

NRA	Polynomial Real Arithmetic	Model based CAD

Other Fragments of Arithmetic

NIA - There is no decision procedure for integer polynomial constraints
- Z3 falls back to incomplete heuristics
- NIA over bounded integers may get translated to bit-vector constraints
Other theories that admit custom solvers:
Bi-linear real arithmetic
Non-unit two-variable per inequality
At most one unit positive variable per inequality (Horn)

An Overview of Arithmetic Theories

ArithmeticTheories

Bellman-Ford - a selection

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) ...))
(assert (and (>= t21 0) ...))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or ... (>= t21 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) ...))
(check-sat)
(get-model) ; display the model

Bellman-Ford

Solve difference logic using graph Bellman-Ford network flow algorithm. Negative cycle unsat.

BellmanFord

General form Simplex [21]

General form and

Only bounds (e.g., ) are asserted during search.

From Definitions to a Tableau

- are basic (dependent)
- are non-basic

Pivoting

Value of non-basic variable can be chosen between and .
Value of basic variable is a function of non-basic variable values.
Pivoting swaps basic and non-basic variables.
- used to get values of basic variables within bounds.

Pivoting example

- are basic (dependent)
- are non-basic

Initial values:

Bounds :

, make non-basic.
- are basic (dependent)
- are non-basic

Arrays

(define-sort A () (Array Int Int))
(declare-fun x () Int)
(declare-fun y () Int)
(declare-fun a1 () A)

(push)
(assert (= (select a1 x) x))
(assert (= (store a1 x y) a1))
(check-sat)
(get-model)
(assert (not (= x y)))
(check-sat)
(pop)

(define-fun all1_array () A ((as const A) 1))
(simplify (select all1_array x))

(define-sort IntSet () (Array Int Bool))
(declare-fun a () IntSet)
(declare-fun b () IntSet)
(declare-fun c () IntSet)
(push) ; illustrate map
(assert (not (= ((_ map and) a b) ((_ map not) ((_ map or) ((_ map not) b) ((_ map not) a))))))
(check-sat)
(pop)

Arrays

Arrays as Combinators [46]

  A = Array(Index, Elem) # array sort 
  
  a[i]             # index array 'a' at index 'i'
                   # Select(a, i)
  
  Store(a, i, v)   # update array 'a' with value 'v' at index 'i'
                   # = lambda j: If(i == j, v, a[j])
    
  Const(v, A)      # constant array
                   # = lambda j: v
  
  Map(f, a)        # map function 'f' on values of 'a'
                   # = lambda j: f(a[j])

  Ext(a, b)        # Extensionality
                   # Implies(a[Ext(a, b)] == b[Ext(a, b)], a == b)

Array Decision Procedure

Example Store(a, i, v)

Each occurrence of Store(a, i, v) and b[j],
- Assert Store(a, i, v)[j] == If(i == j, v, a[j])
- Assert Store(a, i, v)[i] == v
Each shared occurrences of :
- Assert .

Array Decision Procedure (2)

Example Store(a, i, v)

Each occurrence of Store(a, i, v) and b[j],
- Assert Store(a, i, v)[j] == If(i == j, v, a[j])
- Assert Store(a, i, v)[i] == v
Each shared occurrences of :
- Assert .
Suppose we are given a model satisfying all asserted equalities.
- assigns values to terms.
- Extend:
- Claim: satisfies Store axioms.

Efficient Array Decision Procedures

Use current partial interpretation to guide axiom instantiation.
Rough sketch:
- If (congruent) in current state
  - Assert .
- If in current state
  - Assert
Also important to limit set of pairs.
- Z3 uses relevancy propagation to prune don't care literals
- Boolector uses dual propagation to extract small implicant

Bit-Vectors

(define-fun is-power-of-two ((x (_ BitVec 4))) Bool 
  (= #x0 (bvand x (bvsub x #x1))))
(declare-const a (_ BitVec 4))
(assert 
 (not (= (is-power-of-two a) 
         (or (= a #x0) 
             (= a #x1) 
             (= a #x2) 
             (= a #x4) 
             (= a #x8)))))
(check-sat)

Bit-Vector demo

Bit-Vector Adder Encoding

BitVectorAdder

Bit-Vector Multiplier Encoding

Floating point example

(declare-fun X () (_ FloatingPoint 11 53))

(assert (fp.isNormal X))
(assert (not (fp.isSubnormal X)))
(assert (not (fp.isZero X)))
(assert (not (fp.isInfinite X)))
(assert (not (fp.isNaN X)))
(assert (not (fp.isNegative X)))
(assert (fp.isPositive X))

(check-sat)
(get-model)

Floating Points demo

Sequence Example

(declare-const a String)
(declare-const b String)
(declare-const c String)
(assert (str.prefixof b a))
(assert (str.suffixof c a))
(assert (= (str.len a) (+ (str.len b) (str.len c))))
(assert (not (= a (str.++ b c))))
(check-sat)

Queues

Algebraic Data-types

   (declare-datatypes () ((Tree Empty (Node (left Tree) (data Int) (right Tree)))))

   (declare-const t Tree)
   (assert (not (= t Empty)))
   (check-sat)
   (get-model)

sat
(model 
  (define-fun t () Tree
    (Node Empty 0 Empty))
)

Algebraic Data-types demo

Non-linear Arithmetic [34]

nlsat

NLSAT example

; Code written by TheoryGuru
(declare-fun v1 () Real)
(declare-fun v2 () Real)
(declare-fun v3 () Real)
(declare-fun v4 () Real)
(declare-fun v5 () Real)
(declare-fun v6 () Real)
(declare-fun v7 () Real)
(declare-fun v8 () Real)
(declare-fun v9 () Real)
(declare-fun v10 () Real)
(declare-fun v11 () Real)
(declare-fun v12 () Real)

; define true assumption
(assert (and 
(> (* 2 v11 v6 v9) (+ (* v12 (^ v6 2)) (* v8 (^ v9 2))))
(> (+ (* 2 v10 v11 v4 v6) (* v12 v5 (^ v6 2)) (* -2 v12 v4 v6 v7) (* v12 (^ v4 2) v8) (* -2 v11 v5 v6 v9) (* 2 v11 v4 v7 v9) (* 2 v10 v6 v7 v9) (* v5 v8 (^ v9 2))) (+ (* (^ v11 2) (^ v4 2)) (* (^ v10 2) (^ v6 2)) (* 2 v10 v4 v8 v9) (* (^ v7 2) (^ v9 2))))
(> v1 0)
(> v2 0)
(> v3 0)
(> v4 0)
(> v6 0)
(> v9 0)
(= (+ (* v1 v11) (* v3 v7) (* v2 v8)) 0)
(= (+ (* v1 v12) (* v11 v2) (* v10 v3)) 0)
(= (+ (* v1 v10) (* v3 v5) (* v2 v7)) 0)
))

; define negative of the hypothesis
(assert (not (>= (* v5 v8) (^ v7 2))))

(check-sat)
(exit)

NLSAT demo

Open Challenges

Strings: Decidability and efficiency.
Certificates: Modular, Clausal
New, non-disjoint, theories

Section 3

SAT and SMT Algorithms

Duality - model/proof repair

ProofModel

Duality - connecting glue

ProofModelConflict

Duality - propagation

ProofModelConflictBackjumpPropagate

CDCL(T) by example

BasicTheory1

CDCL(T) by example (2)

BasicTheory2

CDCL(T) by example (3)

BasicTheory3

CDCL(T) by example (4)

BasicTheory

Modern SAT solving

Anatomy of conflict directed clause learning SAT solving.

DPLL [20]

CDCL: Modern Search [57]

Efficient indexing (two-watch literal)
Non-chronological backtracking (backjumping)
Lemma learning
Variable and phase selection
Garbage collection, restarts

CDCL Milestones

SatMilestones

CDCL: State [50]

- atomic predicates.

- literals over atoms.

- partial consistent assignment.

- a clause - disjunction of literals.

- a decision literal.

- () - a literal with explanation .

- a set of clauses.

CDCL lemma learning .

CDCL lemma learning ..

CDCL lemma learning …

CDCL lemma learning ….

CDCL lemma learning …..

CDCL lemma learning ……

CDCL: as rewrites [5]

CDCL: as rewrites (2)

ModernCDCL

CDCL(T)

Models and Proofs

Theorem 1.
For every , exactly one of the two conditions hold:

for some where .
for some where and some resolution proof .

Corollary 1.

CDCL realizes the dichotomy by interleaving model and consequence finding:

Corollary 2.
If , then for every where : .

Corollary 3.
If , i.e., for some , then for every consequence from using forced literals in it is the case that and there is no such that .

Realizing the dichotomy

Main invariants preserved by CDCL:

Conflict state: For the state it is the case that and .

Propagation: For the state and , whenever , then and .

Illustrating the invariants

Finds First Unique Implication Point (FUIP)
- minimizes number of decision literals in .
- maximizes propagated literals in

Global Methods

CDCL searches for local inferences.
- A local inference only depends on a subset of clauses and is independent of other clauses.
Significant progress in SAT has been around global inferences.
- Blocked Clause Elimination
- Asymmetric Literal Addition
- Asymmetric Covered Clause Elimination
- Blocked Clause Addition

Blocked Clause Elimination

is blocked on literal in set of clauses if
for every clause in :
is a tautology.

Blocked clauses can be eliminated from without changing Satisfiability.

A model for may not satisfy .
Models can be fixed by swapping truth assignment of .

Asymmetric Literal Addition (ALA)

Asymmetric Tautology Elimination
- Remove clauses that become tautologies after ALA
Asymmetric Blocked Clause Elimination
- Remove clauses that become blocked after ALA

Resolution Intersection

Claim: adding to does not change satisfiability of .
Clauses that become blocked after adding Resolution Intersection can be removed.
ACCE: expand clause using
- resolution intersection
- asymmetric literal addition
- eliminate the resulting clause if it is blocked.
- Q: what should be done to preserve models?

Combining Theories

In practice, we need a combination of theories.

A theory is a set (potentially infinite) of first-order sentences.
Main questions:
- Is the union of two theories consistent?
- Given a solvers for and , how can we build a solver for ?

A Combination History

CombinationHistory

Disjoint Theories

Two theories are disjoint if they do not share function/constant and predicate symbols. is the only exception.
Example:
- The theories of arithmetic and arrays are disjoint.
- Arithmetic symbols: .
- Array symbols:

Purification

It is a different name for our naming subterms procedure.

becomes

Purification (2)

becomes

Stably Infinite Theories

A theory is stably infinite if every satisfiable QFF is satisfiable in an infinite model.
EUF and arithmetic are stably infinite.
Bit-vectors are not

Stably Infinite Theories - Result

The union of two consistent, disjoint, stably infinite theories is consistent.

Convexity

A theory is convex iff:

For all finite sets of literals
For every disjunction
- iff
- for some .

Convexity: Positive Results

Every convex theory with non trivial models is stably infinite.
Horn equational theories are convex.
- Horn equations are formulas of the form .

Convexity: Negative Results

Integer arithmetic is not convex.
- implies .
Real non-linear arithmetic
- implies .

Combination of non-convex theories

EUF is convex
IDL is non-convex
is NP-complete
- Reduce 3-CNF to EUF+ IDL:
  - for each Boolean variable.
  - For each clause : .

Nelson-Oppen combination

NelsonOppen

Combining Theories in Practice

CombiningTheoriesInPractice

Combining Theories in Practice (2)

CombiningTheoriesInPractice2

Model-Based Theory Combination - Example

purify

Model-Based Theory Combination (1)

MBTCombination1

Model-Based Theory Combination (2)

MBTCombination2

Model-Based Theory Combination (3)

MBTCombination3

Model-Based Theory Combination (4)

MBTCombination4

Model-Based Theory Combination (5)

MBTCombination5

Model-Based Theory Combination (6)

MBTCombination6

Model-Based Theory Combination (7)

MBTCombination7

Next frontiers:

Section 4

Optimization and MaxSAT

Objectives

Optimization as SMT with preferred models
An introduction to cores and correction sets
Show examples of algorithms on top of SMT/Z3

An invitation to optimization

Flow

Optimization

Three main SMT extensions


    (maximize (+ x (* 2 y)))


    (minimize (bvadd u v))




    (assert-soft (> x y) :weight 4)

Maximize objective
- linear arithmetic
Minimize objective
- bit-vector
Add a soft constraint
- optional weight

Soft constraints as 0-1 optimization

Equilvalent formulations

   (assert-soft  :weight 3)
   (assert-soft  :weight 4)

   (minimize (+ (if  0 3) (if  0 4)))

Optimizing Assertions

x, y = Ints('x y')
opt = Optimize()
opt.set(priority='pareto')
opt.add(x + y == 10, x >= 0, y >= 0)
mx = opt.maximize(x)
my = opt.maximize(y)
while opt.check() == sat:
    print mx.value(), my.value()

Optimization Extensions

MaxSAT solver
Primal simplex optimization
- Applied on feasible tableau

Multiple Objectives



Box


Lex


Pareto

Optimization as an extension of core SMT solving

sysdiagram

Cores, Correction Sets, Satisfying Assignments

(M)US (Minimal) unsatisfiable subset
- (minimal) subset of assertions that are unsatisfiable. Also known as a core
(M)SS (Maximal) satisfiable subset
- (maximal) subset of assertions that are satisfiable.
(M)CS (Minimal) correction set
- complement of an (M)SS.
(Prime) implicant
- iff is a core for .

A Duality: MUS MCS [54]

Reiter

All Cores and Correction Sets [38]

Given
- Find all min unsat cores
- Find all max satisfying subsets
Generate subset
- Not a superset of old core
- Not a subset of old sat subset
Is satisfiable?
- If yes, find max sat
- If no, find min unsat
Block from next iteration

def ff(s, p): 
    return is_false(s.model().eval(p))

def marco(s, ps):
    map = Solver()
    while map.check() == sat:
        seed = {p for p in ps if not ff(map, p)}
        if s.check(seed) == sat:
           mss = get_mss(s, seed, ps)
           map.add(Or(ps - mss))
           yield "MSS", mss
        else:
           mus = get_mus(s, seed)
           map.add(Not(And(mus)))
           yield "MUS", mus

Cores and Correction sets Algorithm

def ff(s, p): 
    return is_false(s.model().eval(p))

def marco(s, ps):
    map = Solver()
    while map.check() == sat:
        seed = {p for p in ps if not ff(map, p)}
        if s.check(seed) == sat:
           mss = get_mss(s, seed, ps)
           map.add(Or(ps - mss))
           yield "MSS", mss
        else:
           mus = get_mus(s, seed)
           map.add(Not(And(mus)))
           yield "MUS", mus

Maximizing Satisfying Assignments [41]

def tt(s, f): 
    return is_true(s.model().eval(f))

def get_mss(s, mss, ps):
    ps = ps - mss
    backbones = set([])
    while len(ps) > 0:
       p = ps.pop()
       if sat == s.check(mss | backbones | { p }):
          mss = mss | { p } | { q for q in ps if tt(s, q) }
          ps  = ps - mss
       else:
          backbones = backbones | { Not(p) }
    return mss

Minimizing Cores [2, 14, 35, 39]

Use built-in core minimization:

s.set("sat.core.minimize","true")  # For Bit-vector theories
s.set("smt.core.minimize","true")  # For general SMT

Or roll your own:


def quick_explain(test, sub):
    return qx(test, set([]), set([]), sub)

def qx(test, B, D, C):
    if {} != D:
       if test(B):
          return set([])
    if len(C) == 1:
       return C
    C1, C2 = split(C)
    D1 = qx(test, B | C1, C1, C2)
    D2 = qx(test, B | D1, D1, C1)
    return D1 | D2
    
def test(s):
    return lambda S: s.check([f for f in S]) == unsat


s = Solver()
a, b, c, d, e = Bools('a b c d e')
s.add(Or(a, b))
s.add(Or(Not(a), Not(b)))
s.add(Or(b, c))
s.add(Or(Not(c), Not(a)))

print s.check([a,b,c,d,e])
print s.unsat_core()

mus = quick_explain(test(s), {a,b,c,d})

All maximal satisfying sets (basic)

def all_mss(s, ps):
    while sat == s.check():
        mss = get_mss(s, { p for p in ps if tt(s, p) }, ps)
        s.add(Or(ps - mss))
        yield "MSS", mss

Inefficiency: Same unsat cores may be revisited.

All Correction Sets

Find all satisfying subsets among :

Initialize: , .
While is sat:
- If is sat with model
  - is mss.
  - add mcs
- Else suppose is a core
  - Replace by :
  - , ,
    , .

MaxSMT

Typical definition: Minimize the number of violated soft assertions.
Is built-in, based on MaxSAT algorithms.

MaxSAT example

(declare-const a Bool)
(declare-const b Bool)
(declare-const c Bool)
(assert-soft a :weight 1)
(assert-soft b :weight 2)
(assert-soft c :weight 3)
(assert (= a c))
(assert (not (and a b)))
(check-sat)
(get-model)

MaxSAT flattened

(declare-const a Bool)
(declare-const b Bool)
(declare-const c Bool)
(assert-soft a :weight 1)
(assert-soft b :weight 1) (assert-soft b :weight 1)
(assert-soft c :weight 1) (assert-soft c :weight 1) (assert-soft c :weight 1) 
(assert (= a c))
(assert (not (and a b)))
(check-sat)
(get-model)

NB. Implementations of MaxSAT typically flatten weights on demand.

MaxSAT flat form

- hard constraints
- soft constraints

MaxSAT with Cores [49]

A:

A':

Lemma: for any model of ,

Proof: min:

A Duality: MUS MCS [54]

Reiter

MaxSAT with MCS [11]

A:

A':

Lemma: for any model of ,

Proof: min:

MaxSAT with Cores (python)

def add_def(s, fml):
    name = Bool("%s" % fml)
    s.add(name == fml)
    return name

def relax_core(s, core, Fs):
    prefix = BoolVal(True)
    Fs -= { f for f in core }
    for i in range(len(core)-1):
        prefix = add_def(s, And(core[i], prefix))
        Fs |= { add_def(s, Or(prefix, core[i+1])) }

def maxsat(s, Fs):
    cost = 0
    Fs0 = Fs.copy()
    while unsat == s.check(Fs):
        cost += 1
        relax_core(s, s.unsat_core(), Fs)    
    return cost, { f for f in Fs0 if tt(s, f) }

MaxSAT with MCS (python)

def relax_mcs(s, mcs, Fs):
    prefix = BoolVal(False)
    Fs -= { f for f in mcs }
    s.add(Or(mcs))
    for i in range(len(mcs)-1):
        prefix = add_def(s, Or(mcs[i], prefix))
        Fs |= { add_def(s, And(prefix, mcs[i+1])) }

def maxsat(s, Fs0):
    Fs = Fs0.copy()
    cost = len(Fs)
    while s.check() == sat:
        mss = { f for f in Fs if tt(s, f) }
        model1 = get_mss(s, mss, Fs)
        mcs = Fs - mss
        if cost > len(mcs):
           cost = len(mcs)
           model = model1
        relax_mcs(s, [ f for f in mcs ], Fs)
    return cost, [ f for f in Fs0 if is_true(model.eval(f)) ]

MCS alone is inefficient. In [11] we combine MUS and MCS steps.

Application: Product Configuration

$ProductConfig$

Query

Find all unit literals - with explanations
Useful for finding fixed parameters [29]

a, b, c, d = Bools('a b c d')

s = Solver()
s.add(Implies(a, b), Implies(c, d))   # background formula
print s.consequences([a, c],          # assumptions
                     [b, c, d])       # what is implied?

(sat, [Implies(c, c), Implies(a, b), Implies(c, d)])

Algorithm

Assert hard constraints
Add assumptions at
Let model of
Case splits:
Unit propagation
- if conflict, remove fixed variable with explanation from
Run CDCL until next restart or sat
- if sat: use resulting model to remove non-fixed from
- if , exit, else goto 4

Section 5

Quantifier Reasoning

Quantifier Engines in Z3

[44] E-matching
[12, 24, 47, 58] Model-based Quantifier Instantiation (MBQI)
[4, 8, 51] Quantifier Elimination and Satifiability
[10, 26] Horn Clauses
Deprecated: [52] EPR using relational algebra, [45] Superposition, see also VampireZ3

E-matching and Pattern based quantifier instantiation [44]

- Smallest subterm containing :
- Use ground equality to match with .
Formulas are ground unsatisfiable.

E-matching - efficiency

Secret sauce is to find instantiations
- quickly,
- across large sets of terms, and
- incrementally.

E-matching - basic algorithm

Takes

a ground term,
a pattern that may contain variables, and
a congruence closure structre cc that for each ground term represents an equivalence class of terms that are congruet in the current context.

E-matching - a primer on congruence closure

Let be a set of terms and set of equalities over .
A congruence closure over modulo is the finest a partition of , cc, such that:
- if , then are in the same partition in cc.
- for ,
  - if are in same partition of cc for each , then
  - are in the same partition under cc.
- Convention: , maps term to its equivalence class.

E-matching - basic algorithm, code

def match(pattern, term, , cc):
    pattern = pattern
    if pattern == term:
       yield 
    elif is_var(pattern):
       yield pattern term
    else:
       f(patterns) = pattern
       for f(terms) in cc(term):  
          # e.g., with same head function symbol f
          for  in matches(patterns, terms, , cc):
            yield 

def matches(patterns, terms, , cc):
    if not patterns:
       yield 
       return
    for  in match(patterns[0], terms[0], , cc):
        for  in matches(patterns[1:], terms[1:], , cc):
            yield

E-matching - basic algorithm, equational form

E-matching - beyond the basic algorithm

Match is invoked for every pattern in database.
To avoid common work:
- Compile set of patterns into instructions.
  - By partial evaluation of naive algorithm
- Instruction sequences share common sub-terms.
- Substitutions are stored in registers,
  backtracking just updates the registers.

E-matching - code trees (0)


PC	Instruction

	init(f, )	add arguments of to registers 1-4

	check(4,,)	check if is congruent to

	bind(2, , 5, )	bind terms in with to

	compare(1, 5, )	check if equals

	check(6, , )	check if is congruent to

	bind(3, , 7, )	bind terms in with to

	yield(1,7)	output binding from

E-matching - code trees (1)


PC	Instruction

	init(f, )

	check(4,,)

	bind(2, , 5, )

	compare(1, 5, )

	check(6, , )

	bind(3, , 7, )

	yield(1,7)

E-matching - code trees (2)


PC	Instruction

	init(f, )

	check(4,,)

	bind(2, , 5, )

	compare(1, 5, )

	check(6, , )

	bind(3, , 7, )

	yield(1,7)

E-matching abstract machine

mam

E-matching abstract machine - NB

Patterns that share common (top-down) term structure can share code sequences.
- This saves on common work.
- Use the choice instruction to branch when patterns end up having different sub-terms.
Other instructions are possible,
- forward pruning: lookahead multiple function symbols in immediate subterms before diving into any subterm.
- to deal with multi-patterns, when maching more than one pattern at a time.

Inverted path indexing

During search, congruence classes are merged.
Q: Which merges could enable pattern to be matched?
A: When pattern contains term , and
- a node is in in the same class as a node labeled by ,
- a node is an argument of in the same position as ,
- , are merged
Idea: Build an index of all pairs from patterns.
- during a merge with look for matches in index.

Model-based Quantifier Instantiation [12, 24, 47, 58]

Check

while is SAT with model :
   if is UNSAT return SAT
   model for
   find , such that .

return UNSAT

where is partially evaluated using interpretation .

Partial model evaluation

is partially evaluated using interpretation .

Example:

Model-based Quantifier Instantiation - scope

Quite powerful when search space for instantiation terms is finite

EPR, UFBV, Array property fragment, Essentially UF
Combine with template space
See also CEGIS

EPR

Also known as Bernays-Schoenfinkel-Ramsey class.

Same complexity as DQBF.

EPR Example

(declare-sort T) 

(declare-fun subtype (T T) Bool)

;; subtype is reflexive
(assert (forall ((x T)) (subtype x x)))

;; subtype is antisymmetric
(assert (forall ((x T) (y T))  (=> (and (subtype x y) (subtype y x)) (= x y))))

;; subtype is transitive
; ...

;; subtype has the tree-property
(assert (forall ((x T) (y T) (z T)) 
  (=> (and (subtype x z) (subtype y z)) (or (subtype x y) (subtype y x)))))

;; we have an additional axiom: every type is a subtype of obj-type
(declare-const obj-type T) ....
(assert (forall ((x T)) (subtype x obj-type)))

(assert (subtype int-type real-type))
(assert (subtype real-type complex-type))
(assert (not (subtype string-type real-type)))

EPR Example - online

EPR decidability

Skolemize
- , the are free constants
Instantiate
- where ranges over all bindings of to .
Check ground SAT
Ground SAT implies finite model of size at most .

EPR using MBQI

Skolemize
- , the are free constants
Models for bind variables to free constants
The number of possible such models is bounded by .

UFBV [58]

UFBV Example

(set-option :smt.mbqi true)
(define-sort Char () (_ BitVec 8))

(declare-fun f  (Char) Char)
(declare-fun f1 (Char) Char)
(declare-const a Char)

(assert (bvugt a #x00))
(assert (= (f1 (bvadd a #x01)) #x00))
(assert (forall ((x Char)) (or (= x (bvadd a #x01)) (= (f1 x) (f x)))))

(check-sat)
(get-model)

UFBV Example - Online

UFBV decidability

All variables range over finite domains.
Quantifier-free fragment is not only NP hard, it is NEXPTIME hard.
- QF-UFBV can be encoded into EPR. [56]
Quantified fragment is another complexity jump.
BV - quantifier elimination [31–33]
UFBV using MBQI [58]
- Use templates to find general instances

Map Property Fragment [15]

Map Property Fragment - Example

is equal to except at index .
can only have two values, or .

Array Property Fragment [15]

Array Property Example

(set-option :smt.mbqi true)
(set-option :model.compact true)

;; A0, A1, A2, A3, A4 are "arrays" from Integers to Integers.
(declare-fun A0 (Int) Int) (declare-fun A1 (Int) Int)
(declare-fun A2 (Int) Int) (declare-fun A3 (Int) Int)
(declare-fun A4 (Int) Int) 
(declare-const n Int) (declare-const l Int)
(declare-const k Int) (declare-const x Int)
(declare-const y Int) (declare-const w Int)
(declare-const z Int)

;; A1 = A0[k <- w]
(assert (= (A1 k) w))
(assert (forall ((x Int)) (or (= x k) (= (A1 x) (A0 x)))))

;; A2 = A1[l <- x] = A0[k <- w][l <- x]
(assert (= (A2 l) x))
(assert (forall ((x Int)) (or (= x l) (= (A2 x) (A1 x)))))

;; A3 = A0[k <- y]
(assert (= (A3 k) y))
(assert (forall ((x Int)) (or (= x k) (= (A3 x) (A0 x)))))

;; A4 = A3[l <- z] = A0[k <- y][l <- z] 
(assert (= (A3 l) z))
(assert (forall ((x Int)) (or (= x l) (= (A4 x) (A3 x)))))

(assert (and (< w x) (< x y) (< y z)))
(assert (and (< 0 k) (< k l) (< l n)))
(assert (> (- l k) 1))

;; A2 is sorted in the interval [0,n-1]
(assert (forall ((i Int) (j Int))
                (=> (and (<= 0 i) (<= i j) (<= j (- n 1)))
                    (<= (A2 i) (A2 j)))))

(check-sat)
(get-model)

;; A4 is sorted in the interval [0,n-1]
(assert (forall ((i Int) (j Int))
                (=> (and (<= 0 i) (<= i j) (<= j (- n 1)))
                    (<= (A4 i) (A4 j)))))

(check-sat)

Array Property Example - Online

Array property Fragment - sufficient instantiations

Given formula with free.
Let be set of a set of from .

Definition 1.
The set is a sufficient set of instances for , if

In other words, for every possible instantiation of there is a that satisfies at least the same combination of guards.

Array Property Fragment - arithmetic

Proposition 1.
If admits a finite sufficient set of instances , it can be evaluated using those.

Proposition 2.
Formulas in the array and map property fragments admit a sufficient set of instantiations.

Proposition 3.
MBQI is a decision procedure the array and map property fragments by using the instantiation sets computed from the formulas.

Essentially Uninterpreted Fragment [24]

Synthesize generalized instantiation sets using grammar rules.

Applies to winder range of formulas than the syntactic array property fragment.

list property fragment by McPeak and Necula
several locally finite theories - Stokkermans et. al.

Essentially Uninterpreted Example

(set-option :smt.mbqi true)
;; f an g are "streams"
(declare-fun f (Int) Int)
(declare-fun g (Int) Int)

;; the segment [a, n + a] of stream f is equal to the segment [0, n] of stream g.
(declare-const n Int)
(declare-const a Int)
(assert (forall ((x Int)) (=> (and (<= 0 x) (<= x n))
                              (= (f (+ x a)) (g x)))))

;; adding some constraints to a
(assert (> a 10))
(assert (>= (f a) 2))
(assert (<= (g 3) (- 10)))

(check-sat)
(get-model)

Essentially Uninterpreted Example - Online

Instantiation sets and Quantifiers

As pursued in [55]
The notion of instantiation set can be extended along a different dimension of virtual substitutions.
Several theories admit quantifier elimination by virtual substitutions.
Example .
Tricky part: ensure that set of virtual substitutions does not grow unbounded.

Horn Clauses [25–27, 40]

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

QSAT [8]

Instantiations from repeated SMT calls [42]

Goal: To find a quantifier free , such that

Tool: project that eliminates from a conjunction
that is, project() .

Initialize:

Repeatedly: find conjunctions that imply

Update: project().

Instantiations - Algorithm

def qe():                   
    e, a = Solver(), Solver()
    e.add()                        
    a.add()
     = False
    while sat == e.check():
        = e.model()
        =   # assume  is in negation normal form
       assert unsat == a.check() 
        = a.unsat_core()
        = project(, )
        = 
       e.add()
    return

From SMT to QBF and back

The approach we illustrated was used by Monniaux'08 [42].
QESTO [30] generalizes to nested QBF.
We generalize QESTO to SMT; improving [42, 43, 51]

Example game [30]

: starts. .
: strikes back. .
: has to backtrack. Already .
: learns .
: .
: counters - .
: has lost!. Already .

Summary of approach

Two players try to find values
- - to satisfy
- - to satisfy
Players control their variables
- at round :
  - value of is already fixed,
  - fixes value of ,
  - fixes value of , but can change again it at round ,
  - can guess values of of to satisfy .
Some player loses at round .
- Create succinct no-good to strengthen resp. .
- Backjump to round (or below).

Main ingredients: Projection and Strategies

Projections are added to learn from mistakes.
- Player avoids repeating same losing moves.
Strategies prune moves from opponent.
- Prevent opponent player from moves.

Finding small good no-goods

Player has lost at round
- Player found a model at round , .
- induces an evaluation on a subset of literals in , such that .
- is an unsatisfiable core for .
Model Based Projection
- Find a , such that .
  - should be weak, so is a strong blocker.
  - should be cheap to find and avoid space overhead.
- Then can block .
- Idea: Use to find a sufficient .

Initialization

   def level(j,a): return max level of bound variable in atom a of parity j

QSAT Algorithm

  def strategy(M,j): return 
  def tailv(j): return 
    
  j = 1
  M = null
  while True:
    if  strategy(M, j) is unsat:
      if j == 1: 
        return F is unsat
      if j == 2:
        return F is sat
      C = Core(, strategy(M, j))
      J = Mbp(tailv(j), C)
      j = index of max variable in J  of same parity as j      
       = J
      M = null
    else:
      M = current model
      j = j + 1

Projection and Strategies

Projections learn from mistakes, avoids similar mistakes in future rounds.
Strategies prune moves from opponent.

Model-based projection - Example

Want to compute small .
Note

Model-based Projection for LRA

Eliminate from conjunction of literals :

Trick: Use to turn into .

Model-based Projection for LRA - resolution

Can now assume occurs only as upper or lower bounds:

Model-based Projection on formulas

   def sign(M,a): if M(a) return a else return a

Model-based Projection for LIA

For LIA, cannot just assume equalities are of the form or . Generally, has a coefficient, that we cannot remove.

Example: .

What could go wrong if we just reduce to ?
Suppose , . So .
Cross-multiplying gives , which is feasible, but is infeasible.

Model-based Projection for LIA - integer resolution

Solution: Combine inequalities using resolution

Model-based Projection for LIA - resolution [53]

if
else if
otherwise,
satisfies , and …

Model-based Projection for LIA - divisiblity

Resolution introduced divisibility constraints.

So now we also have to eliminate under divisions.

where

Model-based Projection for Term Algebras

S-expressions: A generic term algebra

An s-expression is either a nil or a cons.
Access arguments of cons using car and cdr.
Test terms using cons?(), or nil?()

Model-based Projection for Term Algebras -

amounts to unification

Model-based Projection for Term Algebras -

Case for is symmetric.

Since there is an infinite number of cons-terms.

Model-based projection Term Algebras - adequacy

New terms are created during
but they are of the form following shape of original constructor terms.
and they occur in conjunctions with .
so produces finite set of projections.

Model-based projection for NRA

Theory: Non-linear polynomial arithmetic
Partial CAD - model-based projection [34]
- Given model , such that
- Find , such that
  - is valid
CAD decomposes into sign-invariant cylinders.
Choose the cylinder where is a member.

Model-based projections, two lenses

Sat based MBP [37]:

Given:
Find: , free for
Such that:

Contrast this with Core-based MBP [48]:

Given: .
Find: , free for
Such that:

Claim: (Roughly) The same projection operator can be used in both cases if occurs in all literals and the operator is stable under changes to the value of .

Finding strategies

Other main ingredient of QSAT is option for players to narrow options of opponents by revealing a strategy
- at round :
  - value of is already fixed,
  - fixes value of ,
  - can make a function of .
Developing practical strategies is work in progress
- For QBF can use Q-resolution proofs as guide [9]
- Method by Markus Rabe can be seen as a strategy.

Horn Clauses [25–27, 40]

From Programs to Horn Clauses [7]

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

Horn Clause Interface

Fixedpoint methods

fp = Fixedpoint()

fp.add()
fp.add_rule()

fp.push()
fp.pop()

fp.query()

fp.model()
fp.proof()

fp.statistics()

Create a solver
Add assertion to solver state
Create local scopes
Check satisfiability
Retrieve models, proofs, cores
Additional information

Horn Clause Engines

PDR - IC3 inspired engine [26].
Duality - Interpolation based [40].
- Use Duality or PDR if your Horn clauses use arithmetic variables.
Datalog - Bottom-up stratified Datalog engine for finite domains [27].
- Use Datalog backened for Horn clauses over finite domains: bit-vectors and Booleans.
BMC - Bounded model checking, Tabulation, Symbolic Execution…
- Use BMC to unfold Horn clauses a la bounded model checking.

SeaHorn

~ Begin Vertical

PDR/IC3 based Horn Clause Solving

are state variables.
is a monome (a conjunction of literals).
is a clause (a disjunction of literals).
Convention: is a monome over variables , is a renaming of the same monome to variables .

IC3 recap

- a transition system.
- good states.
- forward predicate transformer.
- Given reachable states , produce “states can be reached by including another step”.
- From Transition System:
- From Horn Clauses: , where

IC3 recap

properties of states reachable within steps.
are sets of clauses.
Initially .
a queue of counter-example trace properties. Initially .
a level indication. Initially .

Expanding Traces

repeat until ∞

Candidate If for some , , then add to .
Unfold If , then set .

Termination

repeat until ∞

Unreachable For , if , return Unreachable.
Reachable If , return Reachable.

Search

repeat until ∞

Decide Add to if
- ,
- is consistent, and

Backtracking

repeat until ∞

Conflict Let : given a candidate model and clause , such that
- ,
- ,
  then conjoin to , for .
Leaf If , and is unsatisfiable, then add to .

Inductive Generalization

repeat until ∞

Induction For , a clause , , if , then conjoin to , for each .

IC3 beyond SAT

Decide - Generalized form

Decide Add to if , .

[13, 22] Model from propositional SAT check for gives (near prime implicant) .
[26] Model from SMT check for arithmetical produces numerical assignment .
[18, 36] Partial quantifier elimination.
[37] where are quantifier-free. Use model for to compute without expanding full disjunction.
[19, 28] Keep vocabulary of literals fixed (= predicate abstraction).

Loos-Weispfenning QE

in NNF
set of atoms in
set of atoms in
set of atoms in
there are no other occurrences of in

Note:
Pick disjunction corresponding to satisfied equality or inequality.

Decide - Generalized form (II)

Pssst: I am replacing by greek letters.

Decide Add to , if
- ,
- is consistent,
- , and

Interpolating Conflict

Conflict Let : given a candidate model and clause , such that , if , then conjoin to , for .

Note: .
By monotonicity: .
Interpolation as special case:
Overkill for SAT (use unsat core), but for SMT may supply candidate predicates.
For conjunction of inequalities , interpolation is “simple”.

Farkas+T Lemmas

is conjunction of inequalities
is quantifier-fee formula
is unsat
Let be a conflict that contains literals from :
Let be Farkas coefficients
So
So
Return instead of

Interpolating Conflict (II)

Conflict Let : given a candidate model and a formula , such that , , then conjoin to , for .

Branching

DAG Branching

Recall predicate transformer for McCarthy91:

Decide now spawns two children.

Decide If and there are consistent such that and , then add , to .

Searching a DAG

We also have to take DAG unfolding into acount.

Base Mark if or if there is a consistent such that and .
Close Mark if all children are marked.
Reachable If is marked, return Reachable.

Searching a DAG

Model from propositional SAT check for gives us .
Idea: Model from SMT check for arithmetical produces numerical assignments.
Effect: models explored in branches are far from prime lemmas become too weak.

Search with Under-approximations [37]

Instead of tracking progress using marking use under approximations.
Maintain of under approximations.
Recall that are over approximations.
Satisfying
- .

Search with Under-approximations

Decide and Conflict pushing a goal over

If , then goal cannot be reached.
If , then goal can be reached.
Otherwise case split on .

Search with Under-approximations

Reachable If is satisfiable, then return Reachable.
Decide For for , add to if:
- .
- .
-
- is disjoint from for every .
Decide For for , add to if:
- .
- .
-
- is disjoint from for every .
Close For for , if is satisfiable, but is unsatsifiable, then update , where .

Recursion-free Horn Clauses

Interpolation in standard form is a special case of Horn Clause solving.
(1)
IC3 (sans Inductive Generalization) produces as side-effect solutions that are interpolants.
Interpolants are quaint, almost beautiful [1, 3, 17].

Quaint Interpolants [16]


def sign(s, x):
    if tt(s, x):
       return x 
    return Not(x)

def cute(A,B,xs):
    sA = Solver()
    sB = Solver()
    sA.add(A)
    sB.add(B)
    I = []
    while sat == sB.check():
        if unsat == sA.check([ sign(sB, x) for x in xs ]):
           I1 = Not(And(sA.unsat_core()))
           sB.add(I1)
           I += [I1]
        else:
           return None
   return And(I)

Can also be viewed as an iteration of IC3 steps. Generalization to EPR [6].

Stratified Datalog

Bottom-up Datalog in .

- Add row to .

Bottom-up Datalog in

Clauses instructions using relational algebra.
- join
- project
- rename
- select ,
- filter
For efficiency allow combined operations
- join-project
- select-project
Implementation depends on table representation.

Network Optimized Datalog

Network Optimized Datalog NoD

Option 1: use BDDs to represent tables.
Option 2: build tables from ternary bit-vectors.
- Table is a union of differences of cubes
  - Same as 01100, 01111, 00011, 00000
Option 3,4,..: Use hash tables, B-trees, bit-maps
- Work in some pointer-analysis applications, but not for header spaces

Programming Z3

Solver methods

s = Solver()


s.add()
s.assert_and_track()

s.push()
s.pop()

s.check()
s.check()

s.model()
s.proof()
s.unsat_core()   

s.statistics()

Create a solver
Add assertion to solver state
Create local scopes
Check satisfiability
Retrieve models, proofs, cores
Additional information

Assertions

Solver methods

s.add()
s.assert_and_track()

Assert to the solver state. Optionally, track the assertion by a literal .

Unsatisfiable cores contain tracked literals.

Scopes

Solver methods

s.push()

s.pop()

Add or remove a scope from the solver.

Assertions added within a scope are removed when the scope is popped.

Check Satisfiability

Solver methods

s.check()

s.check()

Is the solver state satisfiable?

Is the solver state satisfiable modulo the assumption literals .

The solver state is the conjunction of assumption literals and assertions that have been added to the solver in the current scope.

Certificates

Methods


s.model()

s.proof()

s.unsat_core()

An interpretation satisfying current constraints.

A proof term certifying unsatisfiability of constraints.

A subset of assumptions/tracked assertions that suffice to establish unsatisfiability.

Summary

We looked at:

Applications: configuration, model checking, scheduling

Queries: MaxSAT, backbones

Theories: a rough overview

Algorithms: as extensions or layers over SAT/SMT

Madoko

Madoko is a A Fast Scholarly Markdown Processor,
intuitive and powerful integration of markdown and LaTeX,
browser and Azure based - no installation,
immediate preview,
real-time collaborative editing,
is written in Koka,
is by Daan Leijen, Microsoft Research

References

[1]Aws Albarghouthi, and Kenneth L. McMillan. “Beautiful Interpolants.” In CAV, 313–329. 2013. 🔎

[2]Fahiem Bacchus, and George Katsirelos. “Using Minimal Correction Sets to More Efficiently Compute Minimal Unsatisfiable Sets.” In Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part II, 70–86. 2015. doi:10.1007/978-3-319-21668-3_5. 🔎

[3]Sam Bayless, Celina Val, Thomas Ball, Holger Hoos, and Alan Hu. “Efficient Modular SAT Solving for IC3.” In FMCAD. 2013. 🔎

[4]Nikolaj Bjørner. “Linear Quantifier-Elimination as an Abstract Decision Procedure.” In IJCAR. 2010. 🔎

[5]Nikolaj Bjørner. “Satisfiability Modulo Theories.” Edited by Javier Esparza, Orna Grumberg, and Salomon Sickert, in Esparza et al. [23]. 2016. 🔎

[6]Nikolaj Bjørner, Arie Gurfinkel, Konstantin Korovin, and Ori Lahav. “Instantiations, Zippers and EPR Interpolation.” In LPAR 2013, 19th International Conference on Logic for Programming, Artificial Intelligence and Reasoning, December 12-17, 2013, Stellenbosch, South Africa, Short Papers Proceedings, 35–41. 2013. http://www.easychair.org/publications/?page=275044893. 🔎

[7]Nikolaj Bjørner, Arie Gurfinkel, Kenneth L. McMillan, and Andrey Rybalchenko. “Horn Clause Solvers for Program Verification.” In Fields of Logic and Computation II - Essays Dedicated to Yuri Gurevich on the Occasion of His 75th Birthday, 24–51. 2015. doi:10.1007/978-3-319-23534-9_2. 🔎

[8]Nikolaj Bjørner, and Mikolás Janota. “Playing with Alternating Quantifier Satisfaction.” In LPAR Short Presentation Papers. 2015. 🔎

[9]Nikolaj Bjørner, Mikolás Janota, and William Klieber. “On Conflicts and Strategies in QBF.” In 20th International Conferences on Logic for Programming, Artificial Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, Fiji, November 24-28, 2015., 28–41. 2015. http://www.easychair.org/publications/paper/On_Conflicts_and_Strategies_in_QBF. 🔎

[10]Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. “On Solving Universally Quantified Horn Clauses.” In SAS, 105–125. 2013. 🔎

[11]Nikolaj Bjørner, and Nina Narodytska. “Maximum Satisfiability Using Cores and Correction Sets.” In Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 246–252. 2015. http://ijcai.org/Abstract/15/041. 🔎

[12]Maria Paola Bonacina, Christopher Lynch, and Leonardo Mendonça de Moura. “On Deciding Satisfiability by Theorem Proving with Speculative Inferences.” J. Autom. Reasoning 47 (2): 161–189. 2011. 🔎

[13]Aaron R. Bradley. “SAT-Based Model Checking without Unrolling.” In VMCAI, 70–87. 2011. 🔎

[14]Aaron R. Bradley, and Zohar Manna. “Checking Safety by Inductive Generalization of Counterexamples to Induction.” In Formal Methods in Computer-Aided Design, 7th International Conference, FMCAD 2007, Austin, Texas, USA, November 11-14, 2007, Proceedings, 173–180. 2007. doi:10.1109/FAMCAD.2007.15. 🔎

[15]Aaron R. Bradley, Zohar Manna, and Henny B. Sipma. “What’s Decidable About Arrays?” In Verification, Model Checking, and Abstract Interpretation, 7th International Conference, VMCAI 2006, Charleston, SC, USA, January 8-10, 2006, Proceedings, 427–442. 2006. doi:10.1007/11609773_28. 🔎

[16]Hana Chockler, Alexander Ivrii, and Arie Matsliah. “Computing Interpolants without Proofs.” In Hardware and Software: Verification and Testing - 8th International Haifa Verification Conference, HVC 2012, Haifa, Israel, November 6-8, 2012. Revised Selected Papers, 72–85. 2012. doi:10.1007/978-3-642-39611-3_12. 🔎

[17]Hana Chockler, Alexander Ivrii, and Arie Matsliah. “Computing Interpolants without Proofs.” In Hardware and Software: Verification and Testing, edited by Armin Biere, Amir Nahir, and Tanja Vos, 7857:72–85. Lecture Notes in Computer Science. Springer Berlin Heidelberg. 2013. 🔎

[18]Alessandro Cimatti, and Alberto Griggio. “Software Model Checking via IC3.” In CAV, 277–293. 2012. 🔎

[19]Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. “IC3 Modulo Theories via Implicit Predicate Abstraction.” In TACAS, 46–61. 2014. 🔎

[20]M. Davis, G. Logemann, and D. Loveland. “A Machine Program for Theorem Proving.” Communications of the ACM. 1962. 🔎

[21]B. Dutertre, and L. de Moura. “A Fast Linear-Arithmetic Solver for DPLL(T).” In CAV. 2006. 🔎

[22]Niklas Eén, Alan Mishchenko, and Robert K. Brayton. “Efficient Implementation of Property Directed Reachability.” In FMCAD, 125–134. 2011. 🔎

[23]Javier Esparza, Orna Grumberg, and Salomon Sickert, editors. Dependable Software Systems Engineering. Volume 45. NATO Science for Peace and Security Series - D: Information and Communication Security. IOS Press. 2016. 🔎

[24]Yeting Ge, and Leonardo Mendonça de Moura. “Complete Instantiation for Quantified Formulas in Satisfiabiliby Modulo Theories.” In CAV, 306–320. 2009. 🔎

[25]Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. “Synthesizing Software Verifiers from Proof Rules.” In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’12, Beijing, China - June 11 - 16, 2012, 405–416. 2012. doi:10.1145/2254064.2254112. 🔎

[26]Krystof Hoder, and Nikolaj Bjørner. “Generalized Property Directed Reachability.” In Theory and Applications of Satisfiability Testing - SAT 2012 - 15th International Conference, Trento, Italy, June 17-20, 2012. Proceedings, 157–171. 2012. doi:10.1007/978-3-642-31612-8_13. 🔎

[27]Krystof Hoder, Nikolaj Bjørner, and Leonardo Mendonça de Moura. “μZ- An Efficient Engine for Fixed Points with Constraints.” In Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 457–462. 2011. doi:10.1007/978-3-642-22110-1_36. 🔎

[28]Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, and Aditya V. Thakur. “Property-Directed Shape Analysis.” In CAV, 35–51. 2014. 🔎

[29]Mikolás Janota, Inês Lynce, and Joao Marques-Silva. “Algorithms for Computing Backbones of Propositional Formulae.” AI Commun. 28 (2): 161–177. 2015. doi:10.3233/AIC-140640. 🔎

[30]Mikolás Janota, and Joao Marques-Silva. “Solving QBF by Clause Selection.” In Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 325–331. 2015. http://ijcai.org/Abstract/15/052. 🔎

[31]Ajith K. John, and Supratik Chakraborty. “A Quantifier Elimination Algorithm for Linear Modular Equations and Disequations.” In Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 486–503. 2011. doi:10.1007/978-3-642-22110-1_39. 🔎

[32]Ajith K. John, and Supratik Chakraborty. “Extending Quantifier Elimination to Linear Inequalities on Bit-Vectors.” In Tools and Algorithms for the Construction and Analysis of Systems - 19th International Conference, TACAS 2013, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2013, Rome, Italy, March 16-24, 2013. Proceedings, 78–92. 2013. doi:10.1007/978-3-642-36742-7_6. 🔎

[33]Ajith K. John, and Supratik Chakraborty. “A Layered Algorithm for Quantifier Elimination from Linear Modular Constraints.” Formal Methods in System Design 49 (3): 272–323. 2016. doi:10.1007/s10703-016-0260-9. 🔎

[34]Dejan Jovanovic, and Leonardo Mendonça de Moura. “Solving Non-Linear Arithmetic.” In Automated Reasoning - 6th International Joint Conference, IJCAR 2012, Manchester, UK, June 26-29, 2012. Proceedings, 339–354. 2012. doi:10.1007/978-3-642-31365-3_27. 🔎

[35]Ulrich Junker. “QUICKXPLAIN: Preferred Explanations and Relaxations for Over-Constrained Problems.” In Proceedings of the Nineteenth National Conference on Artificial Intelligence, Sixteenth Conference on Innovative Applications of Artificial Intelligence, July 25-29, 2004, San Jose, California, USA, 167–172. 2004. http://www.aaai.org/Library/AAAI/2004/aaai04-027.php. 🔎

[36]Roland Kindermann, Tommi A. Junttila, and Ilkka Niemelä “SMT-Based Induction Methods for Timed Systems.” In FORMATS, 171–187. 2012. 🔎

[37]Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. “SMT-Based Model Checking for Recursive Programs.” In CAV, 17–34. 2014. 🔎

[38]Mark H Liffiton, Alessandro Previti, Ammar Malik, and Joao Marques-Silva. “Fast, Flexible MUS Enumeration.” Constraints 21 (2). Springer US: 223–250. 2016. 🔎

[39]João Marques-Silva, Mikolás Janota, and Anton Belov. “Minimal Sets over Monotone Predicates in Boolean Formulae.” In Computer Aided Verification - 25th International Conference, CAV 2013, Saint Petersburg, Russia, July 13-19, 2013. Proceedings, 592–607. 2013. doi:10.1007/978-3-642-39799-8_39. 🔎

[40]Kenneth L. McMillan. “Lazy Annotation Revisited.” In Computer Aided Verification - 26th International Conference, CAV 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings, 243–259. 2014. doi:10.1007/978-3-319-08867-9_16. 🔎

[41]Carlos Mencía, Alessandro Previti, and João Marques-Silva. “Literal-Based MCS Extraction.” In Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 1973–1979. 2015. http://ijcai.org/Abstract/15/280. 🔎

[42]David Monniaux. “A Quantifier Elimination Algorithm for Linear Real Arithmetic.” In LPAR (Logic for Programming Artificial Intelligence and Reasoning), 243–257. Lecture Notes in Computer Science 5330. Springer Verlag. 2008. doi:10.1007/978-3-540-89439-1_18. 🔎

[43]David Monniaux. “Quantifier Elimination by Lazy Model Enumeration.” In Computer-Aided Verification (CAV), 585–599. Lecture Notes in Computer Science 6174. Springer Verlag. 2010. doi:10.1007/978-3-642-14295-6_51. 🔎

[44]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Efficient E-Matching for SMT Solvers.” In CADE, 183–198. 2007. 🔎

[45]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Engineering DPLL(T) + Saturation.” In IJCAR, 475–490. 2008. 🔎

[46]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Generalized, Efficient Array Decision Procedures.” In Proceedings of 9th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2009, 15-18 November 2009, Austin, Texas, USA, 45–52. 2009. doi:10.1109/FMCAD.2009.5351142. 🔎

[47]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Bugs, Moles and Skeletons: Symbolic Reasoning for Software Development.” In IJCAR, 400–411. 2010. 🔎

[48]Leonardo Mendonça de Moura, and Dejan Jovanovic. “A Model-Constructing Satisfiability Calculus.” In Verification, Model Checking, and Abstract Interpretation, 14th International Conference, VMCAI 2013, Rome, Italy, January 20-22, 2013. Proceedings, 1–12. 2013. doi:10.1007/978-3-642-35873-9_1. 🔎

[49]Nina Narodytska, and Fahiem Bacchus. “Maximum Satisfiability Using Core-Guided MaxSAT Resolution.” In AAAI 2014, 2717–2723. 2014. 🔎

[50]R. Nieuwenhuis, A. Oliveras, and C. Tinelli. “Solving SAT and SAT Modulo Theories: From an Abstract Davis–Putnam–Logemann–Loveland Procedure to DPLL(T).” J. ACM 53 (6). 2006. 🔎

[51]Anh-Dung Phan, Nikolaj Bjørner, and David Monniaux. “Anatomy of Alternating Quantifier Satisfiability (Work in Progress).” In SMT-IJCAR, 120–130. 2012. 🔎

[52]Ruzica Piskac, Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Deciding Effectively Propositional Logic Using DPLL and Substitution Sets.” J. Autom. Reasoning 44 (4): 401–424. 2010. 🔎

[53]William Pugh. “The Omega Test: A Fast and Practical Integer Programming Algorithm for Dependence Analysis.” In Proceedings Supercomputing ’91, Albuquerque, NM, USA, November 18-22, 1991, 4–13. 1991. doi:10.1145/125826.125848. 🔎

[54]Raymond Reiter. “A Theory of Diagnosis from First Principles.” Artif. Intell. 32 (1): 57–95. 1987. doi:10.1016/0004-3702(87)90062-2. 🔎

[55]Andrew Reynolds, Tim King, and Viktor Kuncak. “Solving Quantified Linear Arithmetic by Counterexample-Guided Instantiation.” Formal Methods in System Design 51 (3): 500–532. 2017. doi:10.1007/s10703-017-0290-y. 🔎

[56]Martina Seidl, Florian Lonsing, and Armin Biere. “qbf2epr: A Tool for Generating EPR Formulas from QBF.” In Third Workshop on Practical Aspects of Automated Reasoning, PAAR-2012, Manchester, UK, June 30 - July 1, 2012, 139–148. 2012. http://www.easychair.org/publications/paper/145184. 🔎

[57]João P. Marques Silva, and Karem A. Sakallah. “GRASP: A Search Algorithm for Propositional Satisfiability.” IEEE Trans. Computers 48 (5): 506–521. 1999. 🔎

[58]Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonça de Moura. “Efficiently Solving Quantified Bit-Vector Formulas.” Formal Methods in System Design 42 (1): 3–23. 2013. 🔎

Satisfiability Modulo Theories

SETSS 2018

Contents

Sections

Bio

Section 1

Z3

Some Z3 Applications

Microsoft Tools using Z3

SAT/SMT examples

Basic SAT

Basic SMT

SMT in a nutshell

Complexity

SAT/SMT

Logics and Theories

Logics

Extended SAT queries

Logical Queries - SAT+

Logical Queries

Progress in SAT, SMT, and ATP

Progress in SAT Solving

Progress in ATP

Progress in SMT Solving

Section 2

Equality and Uninterpreted functions

EUF

Deciding Equality

Disequalities

Free functions

Naming sub-terms

Applying Congruence (1)

Applying Congruence (2)

EUF Models

EUF Models (II)

Linear Arithmetic

Linear Arithmetic Example

Algorithmic Fragments of Arithmetic

Other Fragments of Arithmetic

An Overview of Arithmetic Theories

Bellman-Ford - a selection

Bellman-Ford

General form Simplex [21]

From Definitions to a Tableau

Pivoting

Pivoting example

Arrays

Arrays

Arrays as Combinators [46]

Array Decision Procedure

Array Decision Procedure (2)

Efficient Array Decision Procedures

Bit-Vectors

Bit-Vector demo

Bit-Vector Adder Encoding

Bit-Vector Multiplier Encoding

Floating point example

Floating Points demo

Sequence Example

Sequences and Strings

Queues

Algebraic Data-types

Algebraic Data-types demo

Non-linear Arithmetic [34]

NLSAT example

NLSAT demo

Open Challenges

Section 3

Duality - model/proof repair

Duality - connecting glue

Duality - propagation

CDCL(T) by example

CDCL(T) by example (2)

CDCL(T) by example (3)

CDCL(T) by example (4)

Modern SAT solving

DPLL [20]

CDCL: Modern Search [57]

CDCL Milestones

CDCL: State [50]

Optimization

A Duality: MUS MCS [54]

A Duality: MUS MCS [54]