Satisfiability Modulo Theories

Nikolaj Bjørner
Microsoft Research

Contents

Lectures

  1. An Introduction to Satisfiability Modulo Theories

  2. SMT Solving Algorithms

  3. Quantifier Reasoning Engines

  4. Optimization with MaxSAT

Bio

  • 90's: DTU, DIKU, Stanford
  • This is me a week before fixing my thesis topic Baby
  • Late 90's: Kestrel Institute
  • Early 2000s: XDegrees (file sharing startup)
  • 2002-06: Distributed File Replication @ Microsoft
  • 2006: MSR: Z3, Network Verification SecGuru

Four Dimensions to SMT solvers


Applications: what is it for?



Queries: what kind of formulas?



Theories: what can expressed?



Algorithms: how are answers found?

Z3

  • A state-of-art Satisfiability Modulo Theories (SMT) solver



  • On github: https://github.com/Z3prover/z3.git
    • MIT open source license
    • Developments: Scalable simplex solver, Strings, Horn clauses, floating points, SAT extensions

Some Z3 Applications

  • Program Verification
    • VCC, Everest, Dafny, Havoc, Leon

  • Symbolic Execution
    • SAGE, Pex, KLEE

  • Software Model Checking
    • Static Driver Verifier, Smash, SeaHorn

  • Configurations
    • Network Verification with SecGuru
    • Dynamics Product Configuration

Basic SAT

\[\begin{mdmathpre}%mdk (\mathid{Tie}~\vee \mathid{Shirt})~\wedge (\neg \mathid{Tie}~\vee \mathid{Shirt})~\wedge (\neg \mathid{Tie}~\vee \neg \mathid{Shirt}) \end{mdmathpre}%mdk \]



  Tie, Shirt = Bools('Tie Shirt')
  s = Solver()
  s.add(Or(Tie, Shirt), Or(Not(Tie), Shirt), Or(Not(Tie), Not(Shirt)))
  print s.check()
  print s.model()

Basic SMT

I = IntSort()
f = Function('f', I, I)
x, y, z = Ints('x y z')
A = Array('A',I,I)

fml = Implies(x + 2 == y, f(Select(Store(A, x, 3), y - 2)) == f(y - x + 1))

s = Solver()
s.add(Not(fml))
print s.check()

SAT/SMT

SATSMT

Logical Queries - SAT+



$\hspace{2cm}$ sat $\hspace{1.3cm}$ $\varphi$ $\hspace{1.3cm}$ unsat


$\hspace{1.6cm}$ model $\hspace{1.3cm}$ $\varphi$ $\hspace{1.3cm}$ (clausal) proof


$\hspace{0.6cm}$ correction set $\hspace{0.3cm}$ $\subseteq \varphi_1, \ldots, \varphi_n \supseteq $ $\hspace{0.2cm}$ core


local min correction set $\hspace{0.05cm}$ $ \subseteq \varphi_1, \ldots, \varphi_n \supseteq$ $\hspace{0.2cm}$ local min core


min correction set $\hspace{0.35cm}$ $ \subseteq \varphi_1, \ldots, \varphi_n \supseteq$ $\hspace{0.2cm}$ min core


$\hspace{3.2cm}$ $\max x \varphi(x)$

Logical Queries

\[\begin{mdmathpre}%mdk \mathrm{Satisfiability}~~~&~\varphi \rightsquigarrow \mathid{sat},~\mathid{unsat},~\mathid{timeout}~\smallskip \\ \mathrm{Certificates}~~~~~&~\varphi \rightsquigarrow \mathid{model},~\mathid{proof},~\mathid{unsat}~\mathid{core}~\smallskip\\ \mathrm{Interpolation}~~~~&~\varphi[\mathid{x},\mathid{y}]~\rightarrow \mathid{I}[\mathid{x}]~\rightarrow \psi[\mathid{x},\mathid{z}]~\smallskip\\ \mathrm{Optimization}~~~~~&~\max \mathid{x}~\mid \varphi \smallskip \\ \mathrm{Consequences}~~~~~&~\varphi \rightarrow \varphi_1~\wedge \ldots \wedge \varphi_\mathid{n}\smallskip\\ \mathrm{Sat\ subsets}~~~~~&~\psi_1~\wedge \psi_2,\ \psi_1~\wedge \psi_3\smallskip\\ \mathrm{Unsat\ cores}~~~~~&~\neg(\psi_1~\wedge \psi_2),\ \neg(\psi_1~\wedge \psi_3)\medskip\\ \mathrm{Model\ counting}~~&~|\{~\mathid{x}~\mid \varphi\}|~\medskip\\ \mathrm{All\ models}~~~~~~&~\mathid{Ideal}(\varphi),~\mathid{M}_1~\models \varphi,~\mathid{M}_2~\models \varphi,~\ldots \medskip\\ \mathrm{Model\ probability}~&~\ldots \end{mdmathpre}%mdk \]

Theories

Equality and Uninterpreted functions

EUF

  (declare-sort A)
  (declare-fun f (A) A)
  (declare-const x A)
  (assert (= (f (f x)) x))
  (assert (= (f (f (f x))) x))
  (check-sat)
  
  (assert (not (= (f x) x)))
  (check-sat)

Deciding Equality

\begin{tikzpicture} \matrix[nodes={draw},row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {:}; & \node [circle, draw] (a) {$a$}; & \node [circle, draw] (b) {$b$}; & \node [circle, draw] (c) {$c$}; & \node [circle, draw] (d) {$d$}; & \node [circle, draw] (e) {$e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b: $}; & \node [circle, draw] (ab) {$a, b$}; & \node [circle, draw] (c) {$c$}; & \node [circle, draw] (d) {$d$}; & \node [circle, draw] (e) {$e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$ t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c: $}; & \node [circle, draw] (abc) {$a, b, c$}; & \node [circle, draw] (d) {$d$}; & \node [circle, draw] (e) {$e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e: $}; & \node [circle, draw] (abc) {$a, b, c$}; & \node [circle, draw] (de) {$d, e$}; & \node [circle, draw] (s) {$s$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (de) {$d, e$}; & \node [circle, draw] (t) {$t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; \\ }; \end{tikzpicture}

Disequalities

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t, a \neq d: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t, c \neq s: $}; & \node [circle, draw, color=red] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; \\ }; \end{tikzpicture}
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [rectangle, draw=none] (eq) {$a = b, b = c, d = e, b = s, d = t, e \neq t: $}; & \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw, color=red] (det) {$d, e, t$}; \\ }; \end{tikzpicture}

Variants of union-find are effective to decide equality.

Free functions

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq f(b, g(e))$

Congruence rule

\[ x_1 = y_1 \cdots x_n = y_n \ \Rightarrow \ f(x_1, \ldots, x_n) = f(y_1, \ldots, y_n) \]

Naming sub-terms

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq f(b, {\color{red}v_1})$ ${\color{red}v_1 := g(e)}$


$a = b, b = c, d = e, b = s, d = t, f(a, {\color{red}v_2}) \neq f(b, v_1)$ $v_1 := g(e), {\color{red}v_2 := g(d)}$


$a = b, b = c, d = e, b = s, d = t, {\color{red}v_3} \neq f(b, v_1)$ $v_1 := g(e), v_2 := g(d), {\color{red}v_3 := f(a, v_2)}$


$a = b, b = c, d = e, b = s, d = t, v_3 \neq {\color{red}v_4}$ $v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), {\color{red}v_4 := f(b, v_1)}$

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v1) {$v_1$}; & \node [circle, draw] (v2) {$v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}

Applying Congruence (1)

\[\begin{array}{l} a = b, b = c, d = e, b = s, d = t, v_3 \neq v_4 \\ v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), v_4 := f(b, v_1) \end{array} \]
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v1) {$v_1$}; & \node [circle, draw] (v2) {$v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}
\[ e = d \ \Rightarrow \ g(e) = g(d) \]
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw, color=red] (v12) {$v_1, v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}

Applying Congruence (2)

\[\begin{array}{l} a = b, b = c, d = e, b = s, d = t, v_3 \neq v_4 \\ v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), v_4 := f(b, v_1) \end{array} \]

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq f(b, g(e))$

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v12) {$v_1, v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}
\[ a = b, v_2 = v_1 \Rightarrow \ f(a, v_2) = f(b, v_1) \]
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v12) {$v_1, v_2$}; & \node [circle, draw, color=red] (v34) {$v_3, v_4$}; \\ }; \end{tikzpicture}

EUF Models

A satisfiable version:

$a = b, b = c, d = e, b = s, d = t, f(a, g(d)) \neq {\color{red}f(g(e), b)}$

$a = b, b = c, d = e, b = s, d = t, v_3 \neq v_4$
$v_1 := g(e), v_2 := g(d), v_3 := f(a, v_2), v_4 := f(v_1, b)$

\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$a, b, c, s$}; & \node [circle, draw] (det) {$d, e, t$}; & \node [circle, draw] (v12) {$v_1, v_2$}; & \node [circle, draw] (v3) {$v_3$}; & \node [circle, draw] (v4) {$v_4$}; \\ }; \end{tikzpicture}

EUF Models (II)

  • Associate a distinct value with each equivalence class.
\begin{tikzpicture} \matrix[nodes={draw}, row sep=0.3cm,column sep=0.5cm] { \node [circle, draw] (abcs) {$\diamond_1: a, b, c, s$}; & \node [circle, draw] (det) {$\diamond_2: d, e, t$}; & \node [circle, draw] (v12) {$\diamond_3: v_1, v_2$}; & \node [circle, draw] (v3) {$\diamond_4: v_3$}; & \node [circle, draw] (v4) {$\diamond_5: v_4$}; \\ }; \end{tikzpicture}
  • $M(a) = M(b) = M(c) = M(s) := \diamond_1$
  • $M(d) = M(e) = M(t) := \diamond_2$
  • $M(g) = \{ \diamond_1 \mapsto \diamond_3, \diamond_2 \mapsto \diamond_3, \mathrm{else} \mapsto \diamond_6 \}$
  • $M(f) = \{ (\diamond_1, \diamond_3) \mapsto \diamond_4, (\diamond_3, \diamond_2) \mapsto \diamond_5, \mathrm{else} \mapsto \diamond_7 \}$

Linear Arithmetic

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) (>= t12 (+ t11 2)) (<= (+ t12 1) 8)))
(assert (and (>= t21 0) (>= t22 (+ t21 3)) (<= (+ t22 1) 8)))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or (>= t11 (+ t21 3)) (>= t21 (+ t11 2))))
(assert (or (>= t11 (+ t31 2)) (>= t31 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) (>= t31 (+ t21 3))))
(assert (or (>= t12 (+ t22 1)) (>= t22 (+ t12 1))))
(assert (or (>= t12 (+ t32 3)) (>= t32 (+ t12 1))))
(assert (or (>= t22 (+ t32 3)) (>= t32 (+ t22 1))))
(check-sat)
(get-model) ; display the model

Linear Arithmetic Example

Algorithmic Fragments of Arithmetic

Logic Fragment Solver Example
LRA Linear Real Arithmetic Dual Simplex $x + \frac{1}{2}y \leq 3$
LIA Linear Integer Arithmetic CutSat $a + 3b \leq 3$
LIRA Mixed Real/Integer Cuts + Branch $x + a \geq 4$
IDL Integer Difference Logic Floyd-Warshall $a - b \leq 4$
RDL Real Difference Logic Bellman-Ford
UTVPI Unit two-variable per inequality $x + y \leq 4$
NRA Polynomial Real Arithmetic Model based CAD $x^2 + y^2 < 1$

Other Fragments of Arithmetic

  • NIA - There is no decision procedure for integer polynomial constraints

    • Z3 falls back to incomplete heuristics
    • NIA over bounded integers may get translated to bit-vector constraints


    Other theories that admit custom solvers:

  • Bi-linear real arithmetic $\vec{x}A\vec{y} \leq \vec{b}$

  • Non-unit two-variable per inequality $ax + by \leq c$

  • At most one unit positive variable per inequality (Horn)

Bellman-Ford - a selection

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) ...))
(assert (and (>= t21 0) ...))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or ... (>= t21 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) ...))
(check-sat)
(get-model) ; display the model

Bellman-Ford

Solve difference logic using graph $O(m\cdot n)$ Bellman-Ford network flow algorithm. Negative cycle $\Rightarrow$ unsat.

BellmanFord

General form Simplex [20]

General form $Ax = 0$ and $lo_j \leq x_j \leq hi_j$

\[ x \geq 0, (x + y \leq 2 \vee x + 2y \geq 6), (x + y \geq 2 \vee x + 2y > 4) \]

$\leadsto$

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{s}_1~:=~\mathid{x}~+~\mathid{y},~\mathid{s}_2~:=~\mathid{x}~+~2\mathid{y},\\ \mdmathindent{2}\mathid{x}~\geq 0,~(\mathid{s}_1~\leq 2~\vee \mathid{s}_2~\geq 6),~(\mathid{s}_1~\geq 2~\vee \mathid{s}_2~>~4) \end{mdmathpre}%mdk \]

Only bounds (e.g., $s_1 \leq 2$) are asserted during search.

From Definitions to a Tableau

${\color{red}s_1} := x + y, {\color{red}s_2} := x + 2y$



${\color{red}s_1} = x + y$
${\color{red}s_2} = x + 2y$



${\color{red}s_1} - x - y = 0$ - ${\color{red}s_1, s_2}$ are basic (dependent)
${\color{red}s_2} - x - 2y = 0$ - $x, y$ are non-basic

Pivoting

  • Value of non-basic variable $x_j$ can be chosen between $lo_j$ and $hi_j$.
  • Value of basic variable is a function of non-basic variable values.
  • Pivoting swaps basic and non-basic variables.
    • used to get values of basic variables within bounds.

Pivoting example

${\color{red}s_1} - x - y = 0$ - ${\color{red}s_1, s_2}$ are basic (dependent)
${\color{red}s_2} - x - 2y = 0$ - $x, y$ are non-basic $x \geq 0, (s_1 \leq 2 \vee s_2 \geq 6), (s_1 \geq 2 \vee s_2 > 4)$


Initial values: $x = y = s_1 = s_2 = 0$


Bounds $x \geq 0, s_1 \leq 2, s_1 \geq 2$:


$s_1 := 2$, make $s_1$ non-basic.
${\color{red}y} + x - s_1 = 0$ - ${\color{red}y, s_2}$ are basic (dependent)
${\color{red}s_2} + x - 2s_1 = 0$ - $s_1, y$ are non-basic

Arrays

(define-sort A () (Array Int Int))
(declare-fun x () Int)
(declare-fun y () Int)
(declare-fun a1 () A)

(push)
(assert (= (select a1 x) x))
(assert (= (store a1 x y) a1))
(check-sat)
(get-model)
(assert (not (= x y)))
(check-sat)
(pop)

(define-fun all1_array () A ((as const A) 1))
(simplify (select all1_array x))

(define-sort IntSet () (Array Int Bool))
(declare-fun a () IntSet)
(declare-fun b () IntSet)
(declare-fun c () IntSet)
(push) ; illustrate map
(assert (not (= ((_ map and) a b) ((_ map not) ((_ map or) ((_ map not) b) ((_ map not) a))))))
(check-sat)
(pop)

Arrays

Arrays as Combinators [39]

  A = Array(Index, Elem) # array sort 
  
  a[i]             # index array 'a' at index 'i'
                   # Select(a, i)
  
  Store(a, i, v)   # update array 'a' with value 'v' at index 'i'
                   # = lambda j: If(i == j, v, a[j])
    
  Const(v, A)      # constant array
                   # = lambda j: v
  
  Map(f, a)        # map function 'f' on values of 'a'
                   # = lambda j: f(a[j])

  Ext(a, b)        # Extensionality
                   # Implies(a[Ext(a, b)] == b[Ext(a, b)], a == b)

Array Decision Procedure

Example Store(a, i, v)

  • Each occurrence of Store(a, i, v) and b[j],
    • Assert Store(a, i, v)[j] == If(i == j, v, a[j])

    • Assert Store(a, i, v)[i] == v

  • Each shared occurrences of $a, b$:
    • Assert $a[\mbox{Ext}(a, b)] = b[\mbox{Ext}(a,b)] \ \implies \ a = b$.

Array Decision Procedure (2)

Example Store(a, i, v)

  • Each occurrence of Store(a, i, v) and b[j],
    • Assert Store(a, i, v)[j] == If(i == j, v, a[j])

    • Assert Store(a, i, v)[i] == v

  • Each shared occurrences of $a, b$:

    • Assert $a[\mbox{Ext}(a, b)] = b[\mbox{Ext}(a,b)] \ \implies \ a = b$.

  • Suppose we are given a model $M$ satisfying all asserted equalities.
    • $M$ assigns values to $a[i]\in \mathcal{T}$ terms.
    • Extend: $M(a) := \left[ M(i) \mapsto M(a[i])\; \mid\; a[i] \in \mathcal{T}; \ \mbox{else}\ \mapsto \diamond_{\mbox{default}} \right]$
    • Claim: $M(a)$ satisfies Store axioms.

Efficient Array Decision Procedures

  • Use current partial interpretation to guide axiom instantiation.

  • Rough sketch:

    • If $u := Sore(a, i, v), w := b[j], u \sim b$ (congruent) in current state
      • Assert $i = j \vee u[j] = a[j]$.
    • If $u := Store(a, i, v), w := b[j], a \sim b$ in current state
      • Assert $i = j \vee Store(a, i, v)[j] = a[j]$

  • Also important to limit set of $i, j$ pairs.

    • Z3 uses relevancy propagation to prune don't care literals
    • Boolector uses dual propagation to extract small implicant

Bit-Vectors

(define-fun is-power-of-two ((x (_ BitVec 4))) Bool 
  (= #x0 (bvand x (bvsub x #x1))))
(declare-const a (_ BitVec 4))
(assert 
 (not (= (is-power-of-two a) 
         (or (= a #x0) 
             (= a #x1) 
             (= a #x2) 
             (= a #x4) 
             (= a #x8)))))
(check-sat)

Bit-Vectors

Floating point example

(declare-fun X () (_ FloatingPoint 11 53))

(assert (fp.isNormal X))
(assert (not (fp.isSubnormal X)))
(assert (not (fp.isZero X)))
(assert (not (fp.isInfinite X)))
(assert (not (fp.isNaN X)))
(assert (not (fp.isNegative X)))
(assert (fp.isPositive X))

(check-sat)
(get-model)

Floating Points demo

Sequence Example

(declare-const a String)
(declare-const b String)
(declare-const c String)
(assert (str.prefixof b a))
(assert (str.suffixof c a))
(assert (= (str.len a) (+ (str.len b) (str.len c))))
(assert (not (= a (str.++ b c))))
(check-sat)

Sequences and Strings

Queues

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{xA}~=~\mathid{Bx}~\leftarrow \Gamma \\ \mdmathindent{6}\Rightarrow \mathid{A}~=~\mathid{B}_2\mathid{B}_1,~\mathid{ext}(\mathid{x},\mathid{B})~\leftarrow \Gamma,~\mathid{B}~=~\mathid{B}_1\mathid{B}_2\\ \\ \mdmathindent{2}\mathid{xA}~=~\mathid{By}~\leftarrow \Gamma\\ \mdmathindent{6}\Rightarrow \mathid{x}~=~\mathid{B}_1,~\mathid{A}~=~\mathid{B}_2\mathid{y}~\leftarrow \Gamma,~\mathid{B}~=~\mathid{B}_1\mathid{B}_2\\ \mdmathindent{6}\Rightarrow \mathid{y}~=~\mathid{A}_2,~\mathid{B}~=~\mathid{xA}_1~\leftarrow \Gamma,~\mathid{A}~=~\mathid{A}_1\mathid{A}_2\\ \mdmathindent{6}\Rightarrow \mathid{x}~=~\mathid{Bz},~\mathid{zA}~=~\mathid{y}~\leftarrow \Gamma,~\mathid{z}~\mathid{is}~\mathid{fresh}\\ \\ \mdmathindent{2}\mathid{ext}(\mathid{x},\mathid{A}),~\mathid{ext}(\mathid{x},\mathid{B})~\leftarrow \Gamma\\ \mdmathindent{6}\Rightarrow \mathid{compat}(\mathid{A},~\mathid{B},~|\mathid{x}|),~\mathid{ext}(\mathid{x},~\mathid{A})~\leftarrow \Gamma\\ \mdmathindent{5} \end{mdmathpre}%mdk \]

Algebraic Data-types

   (declare-datatypes () ((Tree Empty (Node (left Tree) (data Int) (right Tree)))))

   (declare-const t Tree)
   (assert (not (= t Empty)))
   (check-sat)
   (get-model)
sat
(model 
  (define-fun t () Tree
    (Node Empty 0 Empty))
)

Algebraic Data-types demo

Non-linear Arithmetic [29]

nlsat

NLSAT demo

Open Challenges

  • Strings: Decidability and efficiency.

  • Certificates: Modular, Clausal

  • New, non-disjoint, theories

Lecture 2: SAT and SMT Algorithms

Duality - model/proof repair

ProofModel

Duality - connecting glue

ProofModelConflict

Duality - propagation

ProofModelConflictBackjumpPropagate

CDCL(T) by example

BasicTheory1

CDCL(T) by example (2)

BasicTheory2

CDCL(T) by example (3)

BasicTheory3

CDCL(T) by example (4)

BasicTheory

Modern SAT solving

Anatomy of conflict directed clause learning SAT solving.

DPLL [19]

\[ \twodpstate{\underbrace{M}_{\mbox{partial assignment}}}{\underbrace{F}_{\mbox{clauses}}} \]



$\mathsf{Decide}$     $\twodpstate{p}{p \vee q, \overline{q} \vee r} \Longrightarrow \twodpstate{p, \overline{q}}{p \vee q, \overline{q} \vee r}$


$\mathsf{Deduce}$     $\twodpstate{q}{p \vee q, \overline{q} \vee r} \Longrightarrow \twodpstate{q, r}{p \vee q, \overline{q} \vee r}$


$\mathsf{Backtrack}$   $\twodpstate{p, \overline{s}, q}{s \vee q, \overline{p} \vee \overline{q}} \Longrightarrow \twodpstate{p, s}{s \vee q, \overline{p} \vee \overline{q}}$

CDCL: Modern Search [46]

  • Efficient indexing (two-watch literal)

  • Non-chronological backtracking (backjumping)

  • Lemma learning

  • Variable and phase selection

  • Garbage collection, restarts

CDCL Milestones

SatMilestones

CDCL: State [42]

\[ \twodpstate{p, \overline{q}, r}{p \vee q, \overline{q} \vee r} \]

$p, q, r, \ldots \in \mathcal{A}$ - atomic predicates.


$p, q, \overline{p}, \overline{q}, \ldots, \ell \in\mathcal{L}$ - literals over atoms.


$M := p, \overline{q}, r \subseteq \mathcal{L}$ - partial consistent assignment.


$C := p \vee q$ - a clause - disjunction of literals.


$p^d$ - a decision literal.


$r^{\overline{q} \vee r}$ - ($\ell^C$) - a literal with explanation $C$.


$F := p \vee q, \overline{q} \vee r$ - a set of clauses.

CDCL lemma learning .

$\hspace{3cm}\twodpstate{\epsilon}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Decide}$

$\hspace{3cm}\twodpstate{\overline{t}^d}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Decide}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d}{{\color{red}{t \vee \overline{p} \vee q}},\ \overline{q} \vee s,\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Propagate}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}}{t \vee \overline{p} \vee q,\ {\color{red}{\overline{q} \vee s}},\ {\overline{p} \vee \overline{s}}}$

CDCL lemma learning ..

$\hspace{3cm}\twodpstate{\overline{t}^d}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Decide}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d}{{\color{red}{t \vee \overline{p} \vee q}},\ \overline{q} \vee s,\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Propagate}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}}{t \vee \overline{p} \vee q,\ {\color{red}{\overline{q} \vee s}},\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Propagate}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\color{red}{\overline{p} \vee \overline{s}}}}$

CDCL lemma learning …

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d}{{\color{red}{t \vee \overline{p} \vee q}},\ \overline{q} \vee s,\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Propagate}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}}{t \vee \overline{p} \vee q,\ {\color{red}{\overline{q} \vee s}},\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Propagate}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\color{red}{\overline{p} \vee \overline{s}}}}$

$\mathsf{Conflict}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee {\color{red}{s}},\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{s}}$

CDCL lemma learning ….

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}}{t \vee \overline{p} \vee q,\ {\color{red}{\overline{q} \vee s}},\ {\overline{p} \vee \overline{s}}}$

$\mathsf{Propagate}$

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\color{red}{\overline{p} \vee \overline{s}}}}$

$\mathsf{Conflict}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee {\color{red}{s}},\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{s}}$

$\mathsf{Resolve}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee {\color{red}{q}},\ \overline{q} \vee s,\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{q}}$

CDCL lemma learning …..

$\hspace{3cm}\twodpstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ {\color{red}{\overline{p} \vee \overline{s}}}}$

$\mathsf{Conflict}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee {\color{red}{s}},\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{s}}$

$\mathsf{Resolve}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee {\color{red}{q}},\ \overline{q} \vee s,\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{q}}$

$\mathsf{Resolve}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ \overline{p} \vee \overline{s}}{\overline{p} \vee t}$

CDCL lemma learning ……

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee {\color{red}{s}},\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{s}}$

$\mathsf{Resolve}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee {\color{red}{q}},\ \overline{q} \vee s,\ \overline{p} \vee \overline{s}}{\overline{p} \vee \overline{q}}$

$\mathsf{Resolve}$

$\hspace{3cm}\conflstate{\overline{t}^d, p^d, q^{t \vee \overline{p} \vee q}, s^{\overline{q} \vee s}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ \overline{p} \vee \overline{s}}{\overline{p} \vee t}$

$\mathsf{Backjump}$

$\hspace{3cm}\twodpstate{\overline{t}^d, \overline{p}^{\overline{p} \vee t}}{t \vee \overline{p} \vee q,\ \overline{q} \vee s,\ \overline{p} \vee \overline{s}}$

CDCL: as rewrites [5]

\[\begin{array}{lllll} {\sf Initialize} & & \Longrightarrow & \twodpstate{}{F} & \mbox{$F$ is a set of clauses} \\ {\sf Decide} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{M\ell^d}{F} & \left\{ \begin{array}{l} \mbox{$\ell$ or $\neg{\ell}$ occurs in $F$} \\ \mbox{$\ell$ unassigned in $M$} \end{array} \right. \\ {\sf Propagate} & \twodpstate{M}{F, C \vee \ell} & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F, C \vee \ell} & \left\{ \begin{array}{l} \mbox{$\ell$ unassigned in $M$}, \\ \compl{C} \subseteq M \end{array} \right. \\ {\sf Conflict} & \twodpstate{M}{F,C} \ & \Longrightarrow & \conflstate{M}{F,C}{C} & \mbox{ $C$ is false under $M$} \\ {\sf Resolve} & \conflstate{M}{F}{C'\vee \neg{\ell}} \ & \Longrightarrow & \conflstate{M}{F}{C \vee C'} & \ell^{C\vee \ell} \in M \\ {\sf Backjump} & \conflstate{M\ell_0^dM'}{F}{C \vee \ell} \ & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F, C\vee \ell} & \compl{C}\subseteq M, \neg\ell \subseteq \ell_0^dM' \\ {\sf Restart} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{}{F} \\ {\sf Unsat} & \conflstate{M}{F}{\emptyset} & \Longrightarrow & {\tt unsat} \\ {\sf Sat} & \twodpstate{M}{F} & \Longrightarrow & M & \left\{ \begin{array}{l} \mbox{$M$ is $T$ consistent} \\ \mbox{and is a model for $F$.} \end{array} \right. \end{array} \]

CDCL(T)

\[\begin{array}{llllll} {\sf T-Propagate} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F} & \left\{ \begin{array}{l} \mbox{$\ell$ unassigned in $M$} \\ \mbox{$\ell$ or $\neg{\ell}$ occurs in $F$} \\ \mbox{$T \vdash C \vee \ell$}\\ \compl{C} \subseteq M \end{array} \right. \\ {\sf T-Conflict} & \twodpstate{M}{F} & \Longrightarrow & \conflstate{M}{F}{C} & \compl{C} \subseteq M,\ T \models C. \end{array} \]

Models and Proofs

Theorem 1.
For every $\Model$, exactly one of the two conditions hold:

  • $\Model' \models F$ for some $\Model'$ where $\Model\subseteq \Model'$.
  • $F \vdash_{\Pi} \overline{\Model'}$ for some $\Model'$ where $\Model'\subseteq\Model$ and some resolution proof $\Pi$.

Corollary 1.
$\exists \Model \ . \ \Model \models F \ \ \mbox{xor} \ \ \exists \Pi \ . \ F \vdash_{\Pi} \emptyset$

CDCL realizes the dichotomy by interleaving model and consequence finding:

Corollary 2.
If $F \vdash_{\Pi} C$, then for every $\Model$ where $\overline{C} \subseteq \Model$: $\Model \not\models F$.

Corollary 3.
If $\Model \models\neg F$, i.e., $\overline{C}\subseteq \Model$ for some $C \in F$, then for every consequence $D$ from $C$ using forced literals in $\Model$ it is the case that $\overline{D} \subseteq \Model$ and there is no $\Model' \supseteq \overline{D}$ such that $\Model'\models F$.

Realizing the dichotomy

Main invariants preserved by CDCL:

  • Conflict state: For the state $\conflstate{\Model}{F}{C}$ it is the case that $\overline{C} \subseteq \Model$ and $F \vdash C$.
  • Propagation: For the state $\searchstate{\Model}{F}$ and $\conflstate{\Model}{F}{D}$, whenever $\Model = \Model_1\ell^{C\vee\ell}\Model_2$, then $\overline{C} \subseteq \Model_1$ and $F \vdash_{\Pi} C \vee \ell$.

Illustrating the invariants

${\sf Backjump}:$

\[ \conflstate{M\ell_0^dM'}{F}{C \vee \ell} \ \Longrightarrow \twodpstate{M\ell^{C\vee\ell}}{F, C\vee \ell} \]

if $\compl{C}\subseteq M, \neg\ell \subseteq \ell_0^dM'$

  • Finds First Unique Implication Point (FUIP)
    • minimizes number of decision literals in $M$.
    • maximizes propagated literals in $M$

Next frontiers:

ScalingSat

Lecture 3: Optimization and MaxSAT

Objectives

  • Optimization as SMT with preferred models

  • An introduction to cores and correction sets

  • Show examples of algorithms on top of SMT/Z3

An invitation to optimization

Flow

\[\begin{array}{lll} \max \sum_d \sum_{r \in R_d} f_r & & \mbox{maximize overall throughput of} \\ & & \mbox{network for all demands} \\ \sum_{ r \ni l} f_r \leq c_l & \forall \mathit{links}\ l & \mbox{flows through each link stays within capacity} \\ \sum_{ r \in R_d} f_r \leq d & \forall \mathit{demands}\ d & \mbox{flows are allocated up to demand} \end{array} \]

Type error localization using MaxSMT

ZvonimirProfile

ZvonimirMovie

Optimization $\nu{Z}$

Three main SMT extensions 


    (maximize (+ x (* 2 y)))


    (minimize (bvadd u v))




    (assert-soft (> x y) :weight 4)


  • Maximize objective

    • linear arithmetic

  • Minimize objective

    • bit-vector

  • Add a soft constraint

    • optional weight

Soft constraints as 0-1 optimization

Equilvalent formulations 

   (assert-soft $\varphi$ :weight 3)
   (assert-soft $\psi$ :weight 4)
 
   (minimize (+ (if $\varphi$ 0 3) (if $\psi$ 0 4)))

Optimizing Assertions

x, y = Ints('x y')
opt = Optimize()
opt.set(priority='pareto')
opt.add(x + y == 10, x >= 0, y >= 0)
mx = opt.maximize(x)
my = opt.maximize(y)
while opt.check() == sat:
    print mx.value(), my.value()

Optimization Extensions

  • MaxSAT solver

  • Primal simplex optimization

    • Applied on feasible tableau

Multiple Objectives
Box$(x,y)$ $v_x := \max \{ x \mid \varphi(x,y) \}$
$v_y := \max \{ y \mid \varphi(x,y) \}$
Lex$(x,y)$ $v_x := \max \{ x \mid \varphi(x,y) \}$
$v_y := \max \{ y \mid \varphi(v_x,y) \}$
Pareto$(x,y)$ $\left\{ (v_x, v_y) \mid \begin{array}{l}\varphi(v_x,v_y),\ \forall x, y . \\ \varphi(x,y) \rightarrow x \leq v_x \vee y \leq v_y \end{array}\right\}$

Optimization as an extension of core SMT solving

sysdiagram

MaxSMT

  • Typical definition: Minimize the number of violated soft assertions.

  • Is built-in, based on MaxSAT algorithms.

MaxSAT example

(declare-const a Bool)
(declare-const b Bool)
(declare-const c Bool)
(assert-soft a :weight 1)
(assert-soft b :weight 2)
(assert-soft c :weight 3)
(assert (= a c))
(assert (not (and a b)))
(check-sat)
(get-model)

MaxSAT flattened

(declare-const a Bool)
(declare-const b Bool)
(declare-const c Bool)
(assert-soft a :weight 1)
(assert-soft b :weight 1) (assert-soft b :weight 1)
(assert-soft c :weight 1) (assert-soft c :weight 1) (assert-soft c :weight 1) 
(assert (= a c))
(assert (not (and a b)))
(check-sat)
(get-model)
  • NB. Implementations of MaxSAT typically flatten weights on demand.

MaxSAT flat form

\[ \underbrace{(a \equiv c) \wedge \neg (a \wedge b)}_{F}, \underbrace{a}_{F_1} \underbrace{b}_{F_2} \underbrace{b}_{F_3} \underbrace{c}_{F_4} \underbrace{c}_{F_5} \underbrace{c}_{F_6} \]

  • $F$ - hard constraints

  • $F_1, F_2, \ldots, F_6$ - soft constraints

MaxSAT with Cores [41]

A: $F, \underbrace{F_1, F_2, F_3, F_4 }_{core}, F_5$

A': $F, \ F_2 \vee F_1, F_3 \vee (F_2 \wedge F_1), F_4 \vee (F_3 \wedge (F_2 \wedge F_1)), F_5$

Lemma: for any model $M$ of $F$, $cost(M, A) = 1 + cost(M, A')$

Proof: $M(F_j) = \bot, j$ min: $ M(F'_i) = M(F_{i+1}) \vee i = j + 1, \forall i$

MaxSAT with MCS [11]

A: $F, \underbrace{F_1, F_2, F_3, F_4 }_{\mbox{correction set}}, F_5$

A': $\underbrace{ F \wedge (F_1 \vee F_2 \vee F_3 \vee F_4) }_{F`},$
$F_2 \wedge F_1,\ F_3 \wedge (F_2 \vee F_1), \ F_4 \wedge (F_3 \vee (F_2 \vee F_1)), \ F_5$

Lemma: for any model $M$ of $F'$, $cost(M, A) = cost(M, A')$

Proof: $M(F_j) = \top, j$ min:     $ M(F'_i) = M(F_{i+1}) \wedge (i \neq j \vee j = 1), \forall i$

MaxSAT with Cores (python)

def add_def(s, fml):
    name = Bool("%s" % fml)
    s.add(name == fml)
    return name

def relax_core(s, core, Fs):
    prefix = BoolVal(True)
    Fs -= { f for f in core }
    for i in range(len(core)-1):
        prefix = add_def(s, And(core[i], prefix))
        Fs |= { add_def(s, Or(prefix, core[i+1])) }

def maxsat(s, Fs):
    cost = 0
    Fs0 = Fs.copy()
    while unsat == s.check(Fs):
        cost += 1
        relax_core(s, s.unsat_core(), Fs)    
    return cost, { f for f in Fs0 if tt(s, f) }

MaxSAT with MCS (python)

def relax_mcs(s, mcs, Fs):
    prefix = BoolVal(False)
    Fs -= { f for f in mcs }
    s.add(Or(mcs))
    for i in range(len(mcs)-1):
        prefix = add_def(s, Or(mcs[i], prefix))
        Fs |= { add_def(s, And(prefix, mcs[i+1])) }

def maxsat(s, Fs0):
    Fs = Fs0.copy()
    cost = len(Fs)
    while s.check() == sat:
        mss = { f for f in Fs if tt(s, f) }
        model1 = get_mss(s, mss, Fs)
        mcs = Fs - mss
        if cost > len(mcs):
           cost = len(mcs)
           model = model1
        relax_mcs(s, [ f for f in mcs ], Fs)
    return cost, [ f for f in Fs0 if is_true(model.eval(f)) ]

MCS alone is inefficient. In [11] we combine MUS and MCS steps.

Cores, Correction Sets, Satisfying Assignments

  • (M)US (Minimal) unsatisfiable subset

    • (minimal) subset of assertions that are unsatisfiable. Also known as a core

  • (M)SS (Maximal) satisfiable subset

    • (maximal) subset of assertions that are satisfiable.

  • (M)CS (Minimal) correction set

    • complement of an (M)SS.

  • (Prime) implicant

    • $m \Rightarrow \phi$ iff $m$ is a core for $\neg \phi$.

A Duality: MUS $\sim$ MCS [45]

Reiter

All Cores and Correction Sets [33]


  • Given $\varphi_1, \ldots, \varphi_n$
    • Find all min unsat cores
    • Find all max satisfying subsets
  • Generate subset $S \subseteq \{1,\ldots, n\}$
    • Not a superset of old core
    • Not a subset of old sat subset
  • Is $\bigwedge_{j \in S} \varphi_j$ satisfiable?
    • If yes, find max sat $S' \supseteq S$
    • If no, find min unsat $S' \subseteq S$
  • Block $S'$ from next iteration
 


def ff(s, p): 
    return is_false(s.model().eval(p))

def marco(s, ps):
    map = Solver()
    while map.check() == sat:
        seed = {p for p in ps if not ff(map, p)}
        if s.check(seed) == sat:
           mss = get_mss(s, seed, ps)
           map.add(Or(ps - mss))
           yield "MSS", mss
        else:
           mus = get_mus(s, seed)
           map.add(Not(And(mus)))
           yield "MUS", mus

Cores and Correction sets Algorithm

def ff(s, p): 
    return is_false(s.model().eval(p))

def marco(s, ps):
    map = Solver()
    while map.check() == sat:
        seed = {p for p in ps if not ff(map, p)}
        if s.check(seed) == sat:
           mss = get_mss(s, seed, ps)
           map.add(Or(ps - mss))
           yield "MSS", mss
        else:
           mus = get_mus(s, seed)
           map.add(Not(And(mus)))
           yield "MUS", mus

Maximizing Satisfying Assignments [36]

def tt(s, f): 
    return is_true(s.model().eval(f))

def get_mss(s, mss, ps):
    ps = ps - mss
    backbones = set([])
    while len(ps) > 0:
       p = ps.pop()
       if sat == s.check(mss | backbones | { p }):
          mss = mss | { p } | { q for q in ps if tt(s, q) }
          ps  = ps - mss
       else:
          backbones = backbones | { Not(p) }
    return mss

Minimizing Cores [2, 14, 30, 34]

Use built-in core minimization: 

s.set("sat.core.minimize","true")  # For Bit-vector theories
s.set("smt.core.minimize","true")  # For general SMT

Or roll your own: 


def quick_explain(test, sub):
    return qx(test, set([]), set([]), sub)

def qx(test, B, D, C):
    if {} != D:
       if test(B):
          return set([])
    if len(C) == 1:
       return C
    C1, C2 = split(C)
    D1 = qx(test, B | C1, C1, C2)
    D2 = qx(test, B | D1, D1, C1)
    return D1 | D2
    
def test(s):
    return lambda S: s.check([f for f in S]) == unsat


s = Solver()
a, b, c, d, e = Bools('a b c d e')
s.add(Or(a, b))
s.add(Or(Not(a), Not(b)))
s.add(Or(b, c))
s.add(Or(Not(c), Not(a)))

print s.check([a,b,c,d,e])
print s.unsat_core()

mus = quick_explain(test(s), {a,b,c,d})

All maximal satisfying sets (basic)

def all_mss(s, ps):
    while sat == s.check():
        mss = get_mss(s, { p for p in ps if tt(s, p) }, ps)
        s.add(Or(ps - mss))
        yield "MSS", mss
  • Inefficiency: Same unsat cores may be revisited.

All Correction Sets

Find all satisfying subsets among $\varphi_1, \ldots, \varphi_n$:

  • Initialize: $F_1 \leftarrow \varphi_1, \ldots, F_n \leftarrow \varphi_n$, $F \leftarrow \top$.
  • While $F$ is sat:
    • If $F \wedge F_1\wedge \ldots\wedge F_n$ is sat with model $M$
      • $\{ \varphi_j \mid M(\varphi_j) = \top \}$ is mss.
      • $F \leftarrow F \wedge \bigvee \{ \varphi_j \;\mid\; M(\varphi_j) = \bot \}$ add mcs
    • Else suppose $F_1,\ldots, F_k$ is a core
      • Replace by $F'_1, \ldots, F'_{k-1}$:
      • $F'_1 \leftarrow F_1 \vee F_2$, $F'_2 \leftarrow F_3 \vee (F_2 \wedge F_1)$,
        $\ldots$, $F'_{k-1} \leftarrow F_k \vee (F_{k-1} \wedge \ldots)$.

Application: Product Configuration

ProductConfig

Query

  • Find all unit literals - with explanations
  • Useful for finding fixed parameters [28] 
a, b, c, d = Bools('a b c d')

s = Solver()
s.add(Implies(a, b), Implies(c, d))   # background formula
print s.consequences([a, c],          # assumptions
                     [b, c, d])       # what is implied?

(sat, [Implies(c, c), Implies(a, b), Implies(c, d)])

Algorithm

  1. Assert hard constraints $\varphi$
  2. Add assumptions $\mathcal{A}$ at $level = 1$
  3. Let $M = $ model of $\varphi \wedge \mathcal{A}$
  4. Case splits: $\{ \neg v \mid v \in V, M(v) \} \cup \{ v \mid v \in V, \neg M(v) \}$
  5. Unit propagation
    • if conflict, remove fixed variable with explanation from $V$
  6. Run CDCL until next restart or sat
    • if sat: use resulting model to remove non-fixed from $V$
    • if $V = \emptyset$, exit, else goto 4

Lecture 4: Quantifiers

Quantifier Engines in Z3

  • [37] E-matching

  • [12, 23, 40, 47] Model-based Quantifier Instantiation (MBQI)

  • [4] Quantifier Elimination

  • [43] Alternating Quantified Satisfaction

  • [25] Horn Clauses

  • [10] Quantified Horn Clauses

  • [44] EPR (deprecated, covered by MBQI)

  • [38] Superposition (deprecated)

  • [8] QSAT - game based solving

E-matching and Pattern based quantifier instantiation [37]

  • $\underbrace{(\forall x \ . \ f(g(x,c)) = a)}_{p_\varphi}$

  • $\land b = c \land g(c,b) = c \land f(b) \neq a$

    • Smallest subterm containing $x$: $f({\color{red}g(x,c)}) = a$
    • Use ground equality $b = c$ to match ${\color{red}g(x,c)}$ with $g(c,b)$.

  • $\land (p_{\varphi} \rightarrow f(g(b,c)) = a)$

  • Formulas are ground unsatisfiable.

Model-based Quantifier Instantiation [12, 23, 40, 47]

Check $\psi \land \forall x \ . \ \varphi[{x}]$

while $\psi$ is SAT with model $M$:
   if $\neg \varphi^M[{x}]$ is UNSAT return SAT
   $M \leftarrow $ model for $\neg \varphi^M[{x}]$
   find $t$, such that $x \not\in t, t^M = x^M$.
   $\psi \leftarrow \psi \land \varphi[t]$
return UNSAT

Quite powerful when search space for $t$ is finite

  • EPR, QBV, Array property fragment, Essentially UF
  • Combine with template space

Horn Clauses [2426, 35]

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

QSAT

The idea by example

\[\begin{mdmathpre}%mdk \mathid{G}~~=~~\forall \mathid{u}_1,\mathid{u}_2~\exists \mathid{e}_1,~\mathid{e}_2~\ .~\ \mathid{F}~\\\\ \mathid{F}~~=~~(\mathid{u}_1~\land \mathid{u}_2~\rightarrow \mathid{e}_1)~\land (\mathid{u}_1~\land \neg \mathid{u}_2~\rightarrow \mathid{e}_2)~\land(\mathid{e}_1~\land \mathid{e}_2~\rightarrow \neg \mathid{u}_1) \end{mdmathpre}%mdk \]
  • $\forall$: starts. $u_1, u_2, \overline{e}_1, \overline{e}_2 \models \neg F$.
  • $\exists$: strikes back. ${\color{blue}{u_1, u_2}}, e_1, \overline{e}_2 \models F$.
  • $\forall$: has to backtrack. Already $u_2, e_1, \overline{e}_2 \models F$.
  • $\forall$: learns $\neg u_2$.
  • $\forall$: ${\color{red}{\overline{u}_2}}, u_1, \overline{e}_1, \overline{e}_2 \models \neg F$.
  • $\exists$: counters - ${\color{red}{\overline{u}_2}}, {\color{blue}{u_1}}, \overline{e}_1, e_2 \models F$.
  • $\forall$: has lost!. Already ${\color{red}{\overline{u}_2}}, \overline{e}_1, e_2 \models F$.

Summary of approach

  • Two players try to find values

    • $\forall$ - to satisfy $\neg F$
    • $\exists$ - to satisfy $F$

  • Players control their variables

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ fixes value of $x_4$, but can change again it at round $4$,
      • $\forall$ can guess values of of $x_3$ to satisfy $\neg F$.

  • Some player loses at round $i + 2$.

    • Create succinct no-good to strengthen $F$ resp. $\neg F$.
    • Backjump to round $i$ (or below).

Finding small good no-goods

  • Player $\forall$ has lost at round $i+2$

    • Player $\exists$ found a model $M$ at round $i+1$, $M \models F$.

    • $M$ induces an evaluation on a subset of literals $\mathcal{L}$ in $F$, such that $\mathcal{L} \models F$.

    • $\mathcal{L}$ is an unsatisfiable core for $\neg F$.

  • Model Based Projection

    • Find a $\varphi$, such that Any $\varphi \rightarrow \exists x_{i+1}, x_{i+2}, \ldots \mathcal{L}$.

      • $\varphi$ should be weak.
      • $\varphi$ should be cheap to find.

    • Then $\neg \varphi$ can block $\mathcal{L}$.

    • Idea: Use $M$ to find a sufficient $\varphi$.

Model-based Projection

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\emptyset,~\varphi)~~~~~~~~=~~\varphi \\ \Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi)~~~~~~~~~=~~\Mbp\left(\mathid{M},~\vec{\mathid{x}},~\bigwedge \{~\mathid{sign}(\mathid{M},~\mathid{a})~\;\mid\;~\mathid{a}~\mbox{ is an atom in }~\varphi \}\right)~\\ \Mbp(\mathid{M},~\mathid{x}\vec{\mathid{x}},~\varphi)~~~~~~~=~~\Mbp(\mathid{M},~\mathid{x},~\Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi))~\\ \Mbp(\mathid{M},~\mathid{x},~\varphi \land \psi)~~=~~\Mbp(\mathid{M},~\mathid{x},~\varphi)~\land \psi \quad\quad \mathid{if}~\mathid{x}~\not\in \mathid{FV}(\psi)~ \end{mdmathpre}%mdk \]
   def sign(M,a): if M(a) return a else return $\neg$a

Model-based Projection for LRA

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\simeq \mathid{t}~\land \mathid{L})~~=~~\mathid{L}[\mathid{t}/\mathid{x}]~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\not\simeq \mathid{t}~\land \mathid{L})~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\geq \mathid{t}~+~\epsilon \land \mathid{L})~\quad \mbox{if}\quad \mathid{M}(\mathid{x})~>~\mathid{M}(\mathid{t})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\not\simeq \mathid{t}~\land \mathid{L})~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{x}~+~\epsilon \leq \mathid{t}~\land \mathid{L})~\quad \mbox{if}\quad \mathid{M}(\mathid{x})~<~\mathid{M}(\mathid{t})~\\ \Mbp(\mathid{M},~\mathid{x},~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{x}~\land \bigwedge_\mathid{j}~\mathid{x}~\leq \mathid{s}_\mathid{j})~=~~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{t}_0~\land \bigwedge_\mathid{j}~\mathid{t}_0~\leq \mathid{s}_\mathid{j}~\\\\ \mdmathindent{13}\mathid{where}~\mathid{M}(\mathid{t}_0)~\geq \mathid{M}(\mathid{t}_\mathid{i})~\forall \mathid{i} \end{mdmathpre}%mdk \]

Model-based Projection for LIA

\[\begin{array}{l} \Mbp(M, x, \bigwedge_i t_i \leq a_ix \land \bigwedge_j b_jx \leq s_j) = \\ \quad\quad\quad \bigwedge_i t_i a_0 \leq t_0 a_i \land \bigwedge_{j} resolve(M, a_0x \leq t_0, b_j x \geq s_j) \\ \quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad \mathrm{if} M(t_0/a_0) \geq M(t_i/a_i), \forall i. \end{array} \]
\[\begin{mdmathpre}%mdk \mathid{resolve}(\mathid{M},~\mathid{ax}~\leq \mathid{t},~\mathid{bx}~\geq \mathid{s})~=~\\ \mdmathindent{4}\mathid{as}~+~(\mathid{a}-1)(\mathid{b}-1)~\leq \mathid{bt}~\ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\mathid{if}~~(\mathid{a}-1)(\mathid{b}-1)~\leq \mathid{M}(\mathid{bt}-\mathid{as})~~\\ \mdmathindent{4}\mathid{as}~\leq \mathid{bt}~\land \mathid{b}~|~(\mathid{s}~+~\mathid{d})~\land \mathid{a}(\mathid{s}+\mathid{d})~\leq \mathid{bt})~~~~~~~\mathid{elif}~~\mathid{a}~\geq \mathid{b},~\mathid{d}~:=~\mathid{M}(-\mathid{s})~\mod \mathid{b}~\\ \mdmathindent{4}\mathid{as}~\leq \mathid{bt}~\land \mathid{a}~|~(\mathid{t}~-~\mathid{d})~\land \mathid{as}~\leq \mathid{b}(\mathid{t}-\mathid{d})~~~~~~~~\mathid{else}~~\mathid{b}~>~\mathid{a},~\mathid{d}~:=~\mathid{M}(\mathid{t})~\mod \mathid{a} \end{mdmathpre}%mdk \]
\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\bigwedge_{\mathid{i}=1}^\mathid{n}~\mathid{d}_\mathid{i}~\mid (\mathid{a}_\mathid{i}~\mathid{x}~+~\mathid{t}_\mathid{i})~\land \mathid{L})~~=~\\~~\\ \quad\quad\quad \Mbp\left(\mathid{M},~\mathid{x}',~\mathid{L}[\mathid{u}~+~\mathid{d}\cdot \mathid{x}'/\mathid{x}]\right)~\land \bigwedge_{\mathid{i}=1}^\mathid{n}~\mathid{d}_\mathid{i}~\mid (\mathid{a}_\mathid{i}~\mathid{u}~+~\mathid{t}_\mathid{i})~\\ \end{mdmathpre}%mdk \]

Model-based Projection for Term Algebras - Sketch

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},\mathid{s})~\simeq \mathid{u}~\land \mathid{L})~~=~~\\ \mdmathindent{5}\mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{t}~\simeq \mathit{car}(\mathid{u})~\land \mathid{s}~\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\simeq \mathid{x}~\land \mathid{L})~~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{L})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{u}~\simeq \mathid{x}~\land \mathid{L})~~=~~\mathid{L}[\mathid{u}/\mathid{x}]~\\ \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{s}~\not\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L})~\\ \mdmathindent{16}\mathid{if}~\mathid{M}(\mathid{s})~\neq \mathid{M}(\mathit{cdr}(\mathid{u})),~\mathid{M}(\mathit{cons?}(\mathid{u}))~\\ \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{t}~\not\simeq \mathit{car}(\mathid{u})~\land \mathid{L})~\\ \mdmathindent{16}\mathid{if}~~\mathid{M}(\mathid{t})~\neq \mathid{M}(\mathit{car}(\mathid{u})),~\mathid{M}(\mathit{cons?}(\mathid{u}))~\\ \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\neg \mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{L})~\quad\mbox{if}\quad \mathid{M}(\neg\mathit{cons?}(\mathid{u}))\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{t}_1~\not\simeq \mathid{x}~\land \ldots \land \mathid{t}_\mathid{n}~\not\simeq \mathid{x})~~=~~\top \end{mdmathpre}%mdk \]

Model-based projection for NRA

  • Theory: Non-linear polynomial arithmetic

  • Partial CAD - model-based projection [29]

    • Given model $M$, such that $M \models \forall x \ . \ p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$
    • Find $q_1, \ldots, q_k$, such that
      • $q_1(y) < 0 \vee \ldots \vee q_k(y) > 0 \vee p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$ is valid
      • $M \models q_1(y) \geq 0 \wedge \ldots \wedge q_k(y) \leq 0$

  • CAD decomposes $R^n$ into sign-invariant cylinders.

  • Choose the cylinder where $M$ is a member.

Model-based projections, two lenses

Sat based MBP:

  • Given: $M \models \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $ \models (s_1 \wedge\ldots \wedge s_m) \rightarrow \exists x \ . \ \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

Contrast this with Core-based MBP:

  • Given: $M \models \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$.

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $\models (s_1 \wedge \ldots \wedge s_m) \rightarrow \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$

Claim: the two compute the same solutions if the projection operators are independent of the value of $x$.

Initialization

\[\begin{mdmathpre}%mdk \mdmathindent{4}\exists \mathid{x}_{1},~\forall \mathid{x}_{2},~\exists \mathid{x}_{3},~\forall \mathid{x}_{4},~….,~\mathid{Q}~\mathid{x}_{\mathid{n}}~\mathid{F}[\mathid{x}_{1},~\mathid{x}_{2},~\ldots]\\ \mathid{Initialize}:\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \mathid{F}~~~~~~~~~~~\mathid{if}~\mathid{j}~\mathid{is}~\mathid{odd}\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \neg \mathid{F}~~~~~~~~\mathid{if}~\mathid{j}~\mathid{is}~\mathid{even} \end{mdmathpre}%mdk \]
   def level(j,a): return max level of bound variable in atom a of parity j
\[\begin{mdmathpre}%mdk \mdmathindent{3}\mathid{level}(1,~\mathid{z}~\geq 0)~=~\mathid{level}(3,~\mathid{z}~\geq 0)~=~3\\ \mdmathindent{3}\mathid{level}(2,~\mathid{z}~\geq 0)~=~0\\ \mdmathindent{3}\mathid{in}~\exists \mathid{x}~\forall \mathid{y}~\exists \mathid{z}~\mathid{z}~\geq 0~\land ((\mathid{x}~\geq 0~\land \mathid{y}~\geq 0)~\vee \mathid{y}~+~\mathid{z}~\leq 1) \end{mdmathpre}%mdk \]

Property Directed QSAT Algorithm

  def strategy(M,j): return $\bigwedge_{M \neq null, a \in Atoms, level(j, a) < j} sign(M,a) $
  def tailv(j): return $x_{j-1},x_j,x_{j+1},\ldots$
    
  j = 1
  M = null
  while True:
    if $F_{j}\ \ \wedge$ strategy(M, j) is unsat:
      if j == 1: 
        return F is unsat
      if j == 2:
        return F is sat
      C = Core($F_j$, strategy(M, j))
      J = Mbp(tailv(j), C)
      j = index of max variable in J $\cup\ \{ 1, 2 \}$ of same parity as j      
      $F_j$ = $F_j \wedge \neg $J
      M = null
    else:
      M = current model
      j = j + 1

Finding strategies

  • Other main ingredient of QSAT is option for players to narrow options of opponents by revealing a strategy

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ can make $x_4$ a function of $x_3$.

  • Developing practical strategies is work in progress

    • For QBF can use Q-resolution proofs as guide [9]

Pub Quiz

Satisfiability Modulo Theories is

  1. a programming language for probabilistic programming

  2. solving formulas where some functions and predicates have built-in meaning

  3. propositional satisfiability

Symbolic Execution is

  1. a cult ritual that involves sacrificing a virtual lamb

  2. a method to explore sets of feasible program executions

  3. how CakeML compiled programs behave

The End

Programming Z3

Solver methods 

s = Solver()


s.add($\varphi$)
s.assert_and_track($\varphi, \ell$)

s.push()
s.pop()

s.check()
s.check($[\ell_1,\ldots, \ell_n]$)

s.model()
s.proof()
s.unsat_core()   

s.statistics()


  • Create a solver

  • Add assertion to solver state

  • Create local scopes

  • Check satisfiability

  • Retrieve models, proofs, cores

  • Additional information

Assertions

Solver methods 

s.add($\varphi$)
s.assert_and_track($\varphi, \ell$)



Assert $\varphi$ to the solver state. Optionally, track the assertion $\varphi$ by a literal $\ell$.

Unsatisfiable cores contain tracked literals.

Scopes

Solver methods 

s.push()

s.pop()



Add or remove a scope from the solver.

Assertions added within a scope are removed when the scope is popped.

Check Satisfiability

Solver methods 

s.check()

s.check($[\ell_1,\ldots, \ell_n]$)


Is the solver state satisfiable?

Is the solver state satisfiable modulo the assumption literals $\ell_1, \ldots, \ell_n$.

The solver state is the conjunction of assumption literals and assertions that have been added to the solver in the current scope.

Certificates

Methods 


s.model()

s.proof()

s.unsat_core()


An interpretation satisfying current constraints.

A proof term certifying unsatisfiability of constraints.

A subset of assumptions/tracked assertions that suffice to establish unsatisfiability.

Horn Clauses [2426, 35]

From Programs to Horn Clauses [7]

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

Horn Clause Interface

Fixedpoint methods 

fp = Fixedpoint()

fp.add($\varphi$)
fp.add_rule()

fp.push()
fp.pop()

fp.query()

fp.model()
fp.proof()

fp.statistics()


  • Create a solver

  • Add assertion to solver state

  • Create local scopes

  • Check satisfiability

  • Retrieve models, proofs, cores

  • Additional information

Horn Clause Engines

  • PDR - IC3 inspired engine [25].
  • Duality - Interpolation based [35].
    • Use Duality or PDR if your Horn clauses use arithmetic variables.
  • Datalog - Bottom-up stratified Datalog engine for finite domains [26].
    • Use Datalog backened for Horn clauses over finite domains: bit-vectors and Booleans.
  • BMC - Bounded model checking, Tabulation, Symbolic Execution
    • Use BMC to unfold Horn clauses a la bounded model checking.

SeaHorn

SeaHorn

~ Begin Vertical

PDR/IC3 based Horn Clause Solving

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[ R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}] \]

IC3 recap

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until

  • Induction For $0 \leq i < N$, a clause $(\varphi \lor\psi)\ \in R_i$, $\varphi\not\in R_{i+1}$, if $\cF(R_i \wedge \varphi)\rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for each $j \leq i + 1$.

IC3 beyond SAT

Decide - Generalized form

Decide Add $\langle m_0[\vec{x}], i\rangle$ to $\Queue$ if $\langle m[\vec{x}], i+1\rangle \in \Queue$, $m' \land m_0[\vec{x}_0] \ \rightarrow \ \cF(R_{i})[\vec{x}_0,\vec{x}] \land m$.

  • [13, 21] Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ gives (near prime implicant) $m_0$.
  • [25] Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignment $m_0$.
  • [17, 31] Partial quantifier elimination.
  • [32] $(\exists\vec{x} \ . \ m \land \cF(R_{i})[\vec{x}_0,\vec{x}]) \ \equiv\ \bigvee_i \psi_i[\vec{x}_0]$ where $\psi_i$ are quantifier-free. Use model for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ to compute $\psi_i$ without expanding full disjunction.
  • [18, 27] Keep vocabulary of literals fixed (= predicate abstraction).

Loos-Weispfenning QE

  • $\varphi$ in NNF
  • $E$ set of $x = t$ atoms in $\varphi$
  • $L$ set of $x > s$ atoms in $\varphi$
  • $U$ set of $x < t$ atoms in $\varphi$
  • there are no other occurrences of $x$ in $\varphi[x]$

\[\exists x \ . \ \varphi[x] \equiv \varphi[\infty] \vee \bigvee_{(x = t) \in E} \varphi[t] \vee \bigvee_{(x < t) \in U} \varphi[t - \epsilon] \]

  • Note: $(x < t')[t - \epsilon] \equiv t \leq t'$
  • Pick disjunction corresponding to satisfied equality or inequality.

Decide - Generalized form (II)

Pssst: I am replacing $m, m_0, m'$ by greek letters.

  • Decide Add $\langle \phidown[\vec{x}], i\rangle$ to $\Queue$, if
    • $\langle \varphi[\vec{x}], i+1\rangle \in \Queue$,
    • $\phidown[\vec{x}_0] \wedge \theta[\vec{x}]$ is consistent,
    • $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$, and
    • $\phidown[\vec{x}_0] \land \theta[\vec{x}] \ \rightarrow\ \cF(R_{i})(\vec{x}_0,\vec{x})$

Interpolating Conflict

Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that $\neg\varphi\subseteq m$, if $\cF(R_i \land \varphi) \rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Note: $(\neg\varphi\subseteq m)$ $\equiv$ $(\varphi \rightarrow \neg m)$.
  • By monotonicity: $(\cF(R_i) \rightarrow \varphi) \ \rightarrow \ (\cF(R_i \land \varphi) \rightarrow \varphi)$.
  • Interpolation as special case: $\cF(R_i) \rightarrow \varphi, \varphi \rightarrow \neg m.$
  • Overkill for SAT (use unsat core), but for SMT may supply candidate predicates.
  • For conjunction of inequalities $m$, interpolation is “simple”.

Farkas+T Lemmas

  • $m$ is conjunction of inequalities $x \geq 6 \land y \geq 7 \land \ldots$
  • $\cF(R_i)$ is quantifier-fee formula
  • $\cF(R_i) \land m$ is unsat
  • Let $C$ be a conflict that contains literals from $m$: $C := C_m \land C'$
  • Let $r := r_m r'$ be Farkas coefficients
  • So $r\cdot C \equiv 1 < 0$
  • So $m \rightarrow \neg r'C'$
  • Return $\bigwedge \neg r'_iC'_i$ instead of $m$

Interpolating Conflict (II)

Conflict Let $0 \leq i < N$: given a candidate model $\langle \varphi, i+1\rangle\in\Queue$ and a formula $\phiup$, such that $\cF(R_i) \to \phiup$, $\phiup \to \neg \varphi$, then conjoin $\phiup$ to $R_{j}$, for $j \leq i + 1$.

Branching

DAG Branching

Recall predicate transformer for McCarthy91:

$\cF(R_i)[x,z,r] := (x > 100 \land r = x - 10) \lor (x \leq 100 \land R_i(x+11,z) \land R_i(z,r))$


Decide now spawns two children.

Decide If $\langle \varphi[\vec{x}], i+1\rangle \in \Queue$ and there are consistent $\phidown[\vec{x}_0] \land \psidown[\vec{x}_1] \land \theta[\vec{x}]$ such that $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$ and $\phidown[\vec{x}_0] \land \psidown[\vec{x}_1] \land \theta[\vec{x}] \ \rightarrow\ \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$, then add $\langle \phidown[\vec{x}], i\rangle$, $\langle \psidown[\vec{x}], i\rangle$ to $\Queue$.

Searching a DAG

We also have to take DAG unfolding into acount.

Base Mark $\langle \varphi[\vec{x}], i\rangle \in \Queue$ if $i = 0$ or if there is a consistent $\theta[\vec{x}]$ such that $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$ and $\theta[\vec{x}] \ \rightarrow\ \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$.
Close Mark $\langle \varphi[\vec{x}], i+1\rangle$ if all children are marked.
Reachable If $\langle \varphi, 0 \rangle$ is marked, return Reachable.

Searching a DAG

  • Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$ gives us $\phidown, \psidown$.
  • Idea: Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignments.
  • Effect: models explored in branches are far from prime $\Rightarrow$ lemmas become too weak.

Search with Under-approximations [32]

  • Instead of tracking progress using marking use under approximations.
  • Maintain $U_0 := \false, U_1, U_2, \ldots, U_N$ of under approximations.
  • Recall that $R_0 := \false, R_1, R_2, \ldots, R_N$ are over approximations.
  • Satisfying
    • $R_i \leftarrow U_i \rightarrow U_{i+1} \rightarrow \cF(U_i)$.

Search with Under-approximations

Decide and Conflict pushing a goal $\langle \varphi, i+1 \rangle$ over $\cF(\_,\_)$

\[\xymatrix @-0.5em{ & \cF(R_i,R_i) \\ \cF(U_i,R_i) \ar[ur] & & \cF(R_i,U_i) \ar[ul] \\ & \cF(U_i,U_i) \ar[ul] \ar[ur] } \]
  • If $\varphi \land \cF(R_i,R_i) \equiv \bot$, then goal cannot be reached.
  • If $\varphi \land \cF(U_i,U_i) \not\equiv \bot$, then goal can be reached.
  • Otherwise case split on $\varphi \land \cF(U_i,R_i)$.

Search with Under-approximations

Reachable If $U_N \land \neg\Safe$ is satisfiable, then return Reachable.
Decide$_1$ For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, add $\langle \phidown, i\rangle$ to $\Queue$ if:
- $\cF(U_i, U_i) \land \varphi \equiv \bot$.
- $\cF(R_i, U_i) \land \varphi \not\equiv \bot$.
- $\phidown[\vec{x}_0] \rightarrow \exists \vec{x}_1, \vec{x} \ . \ \cF(R_i,U_i) \land \varphi$ 
- $\phidown$ is disjoint from $\psi$ for every $\langle \psi, i\rangle \in \Queue$.
Decide$_2$ For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, add $\langle \phidown, i\rangle$ to $\Queue$ if:
- $\cF(R_i, U_i) \land \varphi \equiv \bot$ .
- $\cF(R_i, R_i) \land \varphi \not\equiv \bot$.
- $\phidown[\vec{x}_1] \rightarrow \exists \vec{x}_0, \vec{x} \ . \ \cF(R_i,R_i) \land \varphi$
- $\phidown$ is disjoint from $\psi$ for every $\langle \psi, i\rangle \in \Queue$.
Close For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, if $\cF(U_i,U_i) \land \varphi$ is satisfiable, but $U_{i+1} \land \varphi$ is unsatsifiable, then update $U_{i+1} := U_{i+1} \ \lor \ \psi$, where $\psi \ \rightarrow \ \exists \vec{x}_0, \vec{x}_1 \ . \ \cF(U_i,U_i) \land \varphi$.

Recursion-free Horn Clauses

  • Interpolation in standard form is a special case of Horn Clause solving.
    (1)
    \[A(\vec{a},\vec{x}) \rightarrow I(\vec{x}), \ \ \ I(\vec{x}) \rightarrow B(\vec{x},\vec{b}) \]
  • IC3 (sans Inductive Generalization) produces as side-effect solutions that are interpolants.
  • Interpolants are quaint, almost beautiful [1, 3, 16].

Quaint Interpolants [15]


def sign(s, x):
    if tt(s, x):
       return x 
    return Not(x)

def cute(A,B,xs):
    sA = Solver()
    sB = Solver()
    sA.add(A)
    sB.add(B)
    I = []
    while sat == sB.check():
        if unsat == sA.check([ sign(sB, x) for x in xs ]):
           I1 = Not(And(sA.unsat_core()))
           sB.add(I1)
           I += [I1]
        else:
           return None
   return And(I)

Can also be viewed as an iteration of IC3 steps. Generalization to EPR [6].

Stratified Datalog

Bottom-up Datalog in $\mu{Z}$.

  • $p(0,1)$

    • Add row $(0,1)$ to $p$.

  • $p(x,y) \leftarrow q(y,x)$

    • $q' := \mathit{rename}_{[0\mapsto 1,1\mapsto 0]}(q)$
    • $p := p \cup q'$

  • $p(x,y) \leftarrow q(x), r(y).$

    • $p := p \cup \mathit{join}(q,r)$

  • $p(x,y) \leftarrow q(x,y,z)$

    • $p := p \cup \mathit{project}_z(q)$

Bottom-up Datalog in $\mu{Z}$

  • Clauses $\rightarrow$ instructions using relational algebra.
    • join
    • project $z$
    • rename $[0 \mapsto 1, 1\mapsto 0]$
    • select $x = y$, $x = 1$
    • filter $\varphi$
  • For efficiency allow combined operations
    • join-project
    • select-project
  • Implementation depends on table representation.

Network Optimized Datalog

\begin{picture}(100,70)(-10,0) \thicklines \put(0, 60){$A$} \put(7, 63){\vector(1,0){20}} \put(27, 60){$\router{1}$} \put(37, 63){\vector(1,0){60}} \put(100,60){$\router{2}$} \put(110,63){\vector(1,0){20}} \put(131,60){$B$} \put(32, 59){\vector(2,-3){30}} \put(68, 15){\vector(2, 3){30}} \put(60, 5){$\router{3}$} \put(70, 10){\vector(1,0){30}} \put(105, 5){$D$} \end{picture} $ \begin{array}{lllll} \mathit{in} & dst & src & \mathit{rewrite} & \mathit{out} \\ \hline \router{1} & 10\star & 01\star & & \router{2} \\ \router{1} & 1\star\star & \star\star\star & & \router{3} \\ \hline \router{2} & 10\star & \star\star\star & & B \\ \hline \router{3} & \star\star\star & 1\star\star & & D \\ \router{3} & 1\star\star & \star\star\star & dst[1] := 0 & \router{2} \end{array} $

Network Optimized Datalog

\[\begin{mdmathpre}%mdk \mathid{G}_{12}~~&~:=~&~~~~~~~\dst =~10\star \land\ \src =~01\star \\ \mathid{G}_{13}~~&~:=~&~~~~~~~\neg \mathid{G}_{12}\ \land\ \dst =~1\star\star\\ \mathid{G}_{2\mathid{B}}~~&~:=~&~~~~~~~\dst =~1~0~\star \\ \mathid{G}_{3\mathid{D}}~~&~:=~&~~~~~~~\src =~1\star\star \\ \mathid{G}_{32}~~&~:=~&~~~~~~~\neg \mathid{G}_{3\mathid{D}}~\ \land \ \dst =~1\star\star \\ \mathit{Id}~~&~:=~&~~\src'~=~\src \ \land \ \dst'~=~\dst \\ \mathit{Set0}~&~:=~&~\src'~=~\src \ \land \ \dst'~=~\dst[2]\ 0\ \dst[0]~ \end{mdmathpre}%mdk \]

Network Optimized Datalog

\[\begin{mdmathpre}%mdk \mdmathindent{4}&~&~\mathid{B}(\dst,\src)~\\ \mdmathindent{4}\router{1}(\dst,\src)~&~:-~&~~\mathid{G}_{12}~\land \mathit{Id}~\land \router{2}(\dst',\src')~\\ \mdmathindent{4}\router{1}(\dst,\src)~&~:-~&~~\mathid{G}_{13}~\land \mathit{Id}~\land \router{3}(\dst',\src')~\\ \mdmathindent{4}\router{2}(\dst,\src)~&~:-~&~~\mathid{G}_{2\mathid{B}}~\land \mathit{Id}~\land \mathid{B}(\dst',\src')~\\ \mdmathindent{4}\router{3}(\dst,\src)~&~:-~&~~\mathid{G}_{3\mathid{D}}~\land \mathit{Id}~\land \mathid{D}(\dst',\src')~\\ \mdmathindent{4}\router{3}(\dst,\src)~&~:-~&~~\mathid{G}_{32}~\land \mathit{Set0}~\land \router{2}(\dst',\src')\\ \mdmathindent{4}\mathid{A}(\dst,\src)~~~&~:-~&~~\router{1}(\dst,\src)~\\ \mdmathindent{9}&~?~&~~\mathid{A}(\dst,\src)~ \end{mdmathpre}%mdk \]

Network Optimized Datalog NoD

  • Option 1: use BDDs to represent tables.

  • Option 2: build tables from ternary bit-vectors.

    • $0{\color{red}{\ast}}10 \equiv 0{\color{red}{1}}10 \cup 0{\color{red}{0}}10$
    • Table is a union of differences of cubes
      • $0\ast\ast\ast\ast \setminus \{ 010\ast\ast, 001\ast\ast, 0\ast\ast10, 0\ast\ast01\}$
      • Same as 01100, 01111, 00011, 00000

  • Option 3,4,..: Use hash tables, B-trees, bit-maps

    • Work in some pointer-analysis applications, but not for header spaces

Summary

We looked at:

Applications: configuration, model checking, scheduling



Queries: MaxSAT, backbones



Theories: a rough overview



Algorithms: as extensions or layers over SAT/SMT

Madoko

  • Madoko is a A Fast Scholarly Markdown Processor,
  • intuitive and powerful integration of markdown and LaTeX,
  • browser and Azure based - no installation,
  • immediate preview,
  • real-time collaborative editing,
  • is written in Koka,
  • is by Daan Leijen, Microsoft Research daan

References

[1]Aws Albarghouthi, and Kenneth L. McMillan. “Beautiful Interpolants.” In CAV, 313–329. 2013. 🔎
[2]Fahiem Bacchus, and George Katsirelos. “Using Minimal Correction Sets to More Efficiently Compute Minimal   Unsatisfiable Sets.” In Computer Aided Verification - 27th International Conference, CAV   2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part II, 70–86. 2015. doi:10.1007/978-3-319-21668-3_5🔎
[3]Sam Bayless, Celina Val, Thomas Ball, Holger Hoos, and Alan Hu. “Efficient Modular SAT Solving for IC3.” In FMCAD. 2013. 🔎
[4]Nikolaj Bjørner. “Linear Quantifier-Elimination as an Abstract Decision Procedure.” In IJCAR. 2010. 🔎
[5]Nikolaj Bjørner. “Satisfiability Modulo Theories.” Edited by Javier Esparza, Orna Grumberg, and Salomon Sickert, in Esparza et al. [22]. 2016. 🔎
[6]Nikolaj Bjørner, Arie Gurfinkel, Konstantin Korovin, and Ori Lahav. “Instantiations, Zippers and EPR Interpolation.” In LPAR 2013, 19th International Conference on Logic for Programming,   Artificial Intelligence and Reasoning, December 12-17, 2013, Stellenbosch, South Africa, Short Papers Proceedings, 35–41. 2013. http://​www.​easychair.​org/​publications/?​page=​275044893🔎
[7]Nikolaj Bjørner, Arie Gurfinkel, Kenneth L. McMillan, and Andrey Rybalchenko. “Horn Clause Solvers for Program Verification.” In Fields of Logic and Computation II - Essays Dedicated to Yuri Gurevich   on the Occasion of His 75th Birthday, 24–51. 2015. doi:10.1007/978-3-319-23534-9_2🔎
[8]Nikolaj Bjørner, and Mikolás Janota. “Playing with Alternating Quantifier Satisfaction.” In LPAR Short Presentation Papers. 2015. 🔎
[9]Nikolaj Bjørner, Mikolás Janota, and William Klieber. “On Conflicts and Strategies in QBF.” In 20th International Conferences on Logic for Programming, Artificial   Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, Fiji, November 24-28, 2015., 28–41. 2015. http://​www.​easychair.​org/​publications/​paper/​On_​Conflicts_​and_​Strategies_​in_​QBF🔎
[10]Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. “On Solving Universally Quantified Horn Clauses.” In SAS, 105–125. 2013. 🔎
[11]Nikolaj Bjørner, and Nina Narodytska. “Maximum Satisfiability Using Cores and Correction Sets.” In Proceedings of the Twenty-Fourth International Joint Conference on   Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 246–252. 2015. http://​ijcai.​org/​Abstract/​15/​041🔎
[12]Maria Paola Bonacina, Christopher Lynch, and Leonardo Mendonça de Moura. “On Deciding Satisfiability by Theorem Proving with Speculative   Inferences.” J. Autom. Reasoning 47 (2): 161–189. 2011. 🔎
[13]Aaron R. Bradley. “SAT-Based Model Checking without Unrolling.” In VMCAI, 70–87. 2011. 🔎
[14]Aaron R. Bradley, and Zohar Manna. “Checking Safety by Inductive Generalization of Counterexamples to   Induction.” In Formal Methods in Computer-Aided Design, 7th International Conference,   FMCAD 2007, Austin, Texas, USA, November 11-14, 2007, Proceedings, 173–180. 2007. doi:10.1109/FAMCAD.2007.15🔎
[15]Hana Chockler, Alexander Ivrii, and Arie Matsliah. “Computing Interpolants without Proofs.” In Hardware and Software: Verification and Testing - 8th International   Haifa Verification Conference, HVC 2012, Haifa, Israel, November 6-8, 2012. Revised Selected Papers, 72–85. 2012. doi:10.1007/978-3-642-39611-3_12🔎
[16]Hana Chockler, Alexander Ivrii, and Arie Matsliah. “Computing Interpolants without Proofs.” In Hardware and Software: Verification and Testing, edited by Armin Biere, Amir Nahir, and Tanja Vos, 7857:72–85. Lecture Notes in Computer Science. Springer Berlin Heidelberg. 2013. 🔎
[17]Alessandro Cimatti, and Alberto Griggio. “Software Model Checking via IC3.” In CAV, 277–293. 2012. 🔎
[18]Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. “IC3 Modulo Theories via Implicit Predicate Abstraction.” In TACAS, 46–61. 2014. 🔎
[19]M. Davis, G. Logemann, and D. Loveland. “A Machine Program for Theorem Proving.” Communications of the ACM. 1962. 🔎
[20]B. Dutertre, and L. de Moura. “A Fast Linear-Arithmetic Solver for DPLL(T).” In CAV. 2006. 🔎
[21]Niklas Eén, Alan Mishchenko, and Robert K. Brayton. “Efficient Implementation of Property Directed Reachability.” In FMCAD, 125–134. 2011. 🔎
[22]Javier Esparza, Orna Grumberg, and Salomon Sickert, editors. Dependable Software Systems Engineering. Volume 45. NATO Science for Peace and Security Series - D: Information and   Communication Security. IOS Press. 2016. 🔎
[23]Yeting Ge, and Leonardo Mendonça de Moura. “Complete Instantiation for Quantified Formulas in Satisfiabiliby   Modulo Theories.” In CAV, 306–320. 2009. 🔎
[24]Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. “Synthesizing Software Verifiers from Proof Rules.” In ACM SIGPLAN Conference on Programming Language Design and Implementation,   PLDI ’12, Beijing, China - June 11 - 16, 2012, 405–416. 2012. doi:10.1145/2254064.2254112🔎
[25]Krystof Hoder, and Nikolaj Bjørner. “Generalized Property Directed Reachability.” In Theory and Applications of Satisfiability Testing - SAT 2012 - 15th   International Conference, Trento, Italy, June 17-20, 2012. Proceedings, 157–171. 2012. doi:10.1007/978-3-642-31612-8_13🔎
[26]Krystof Hoder, Nikolaj Bjørner, and Leonardo Mendonça de Moura. “μZ- An Efficient Engine for Fixed Points with Constraints.” In Computer Aided Verification - 23rd International Conference, CAV   2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 457–462. 2011. doi:10.1007/978-3-642-22110-1_36🔎
[27]Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, and Aditya V. Thakur. “Property-Directed Shape Analysis.” In CAV, 35–51. 2014. 🔎
[28]Mikolás Janota, Inês Lynce, and Joao Marques-Silva. “Algorithms for Computing Backbones of Propositional Formulae.” AI Commun. 28 (2): 161–177. 2015. doi:10.3233/AIC-140640🔎
[29]Dejan Jovanovic, and Leonardo Mendonça de Moura. “Solving Non-Linear Arithmetic.” In Automated Reasoning - 6th International Joint Conference, IJCAR   2012, Manchester, UK, June 26-29, 2012. Proceedings, 339–354. 2012. doi:10.1007/978-3-642-31365-3_27🔎
[30]Ulrich Junker. “QUICKXPLAIN: Preferred Explanations and Relaxations for Over-Constrained   Problems.” In Proceedings of the Nineteenth National Conference on Artificial Intelligence,   Sixteenth Conference on Innovative Applications of Artificial Intelligence, July 25-29, 2004, San Jose, California, USA, 167–172. 2004. http://​www.​aaai.​org/​Library/​AAAI/​2004/​aaai04-​027.​php🔎
[31]Roland Kindermann, Tommi A. Junttila, and Ilkka Niemelä “SMT-Based Induction Methods for Timed Systems.” In FORMATS, 171–187. 2012. 🔎
[32]Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. “SMT-Based Model Checking for Recursive Programs.” In CAV, 17–34. 2014. 🔎
[33]Mark H Liffiton, Alessandro Previti, Ammar Malik, and Joao Marques-Silva. “Fast, Flexible MUS Enumeration.” Constraints 21 (2). Springer US: 223–250. 2016. 🔎
[34]João Marques-Silva, Mikolás Janota, and Anton Belov. “Minimal Sets over Monotone Predicates in Boolean Formulae.” In Computer Aided Verification - 25th International Conference, CAV   2013, Saint Petersburg, Russia, July 13-19, 2013. Proceedings, 592–607. 2013. doi:10.1007/978-3-642-39799-8_39🔎
[35]Kenneth L. McMillan. “Lazy Annotation Revisited.” In Computer Aided Verification - 26th International Conference, CAV   2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings, 243–259. 2014. doi:10.1007/978-3-319-08867-9_16🔎
[36]Carlos Mencía, Alessandro Previti, and João Marques-Silva. “Literal-Based MCS Extraction.” In Proceedings of the Twenty-Fourth International Joint Conference on   Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 1973–1979. 2015. http://​ijcai.​org/​Abstract/​15/​280🔎
[37]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Efficient E-Matching for SMT Solvers.” In CADE, 183–198. 2007. 🔎
[38]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Engineering DPLL(T) + Saturation.” In IJCAR, 475–490. 2008. 🔎
[39]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Generalized, Efficient Array Decision Procedures.” In Proceedings of 9th International Conference on Formal Methods in Computer-Aided   Design, FMCAD 2009, 15-18 November 2009, Austin, Texas, USA, 45–52. 2009. doi:10.1109/FMCAD.2009.5351142🔎
[40]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Bugs, Moles and Skeletons: Symbolic Reasoning for Software   Development.” In IJCAR, 400–411. 2010. 🔎
[41]Nina Narodytska, and Fahiem Bacchus. “Maximum Satisfiability Using Core-Guided MaxSAT Resolution.” In AAAI 2014, 2717–2723. 2014. 🔎
[42]R. Nieuwenhuis, A. Oliveras, and C. Tinelli. “Solving SAT and SAT Modulo Theories: From an Abstract Davis–Putnam–Logemann–Loveland Procedure to DPLL(T).” J. ACM 53 (6). 2006. 🔎
[43]Anh-Dung Phan, Nikolaj Bjørner, and David Monniaux. “Anatomy of Alternating Quantifier Satisfiability (Work in   Progress).” In SMT-IJCAR, 120–130. 2012. 🔎
[44]Ruzica Piskac, Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Deciding Effectively Propositional Logic Using DPLL and   Substitution Sets.” J. Autom. Reasoning 44 (4): 401–424. 2010. 🔎
[45]Raymond Reiter. “A Theory of Diagnosis from First Principles.” Artif. Intell. 32 (1): 57–95. 1987. doi:10.1016/0004-3702(87)90062-2🔎
[46]João P. Marques Silva, and Karem A. Sakallah. “GRASP: A Search Algorithm for Propositional Satisfiability.” IEEE Trans. Computers 48 (5): 506–521. 1999. 🔎
[47]Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonça de Moura. “Efficiently Solving Quantified Bit-Vector Formulas.” Formal Methods in System Design 42 (1): 3–23. 2013. 🔎