here the full SMT 2012 pre-proceedings

SMT Workshop 2012 10th International Workshop on Satisfiability Modulo Theories SMT-COMP 2012 June 30 & July 1, 2012 Affiliated with the 6th International Joint Conference on Automated Reasoning (IJCAR 2012) Manchester, United Kingdom http://smt2012.loria.fr/ Preface This volume contains the papers presented at the tenth edition of the International Workshop on Satisfiability Modulo Theories (SMT-2012). The workshop was held on June 30 and July 1, 2012, in Manchester, UK, in association with the Sixth International Joint Conference on Automated Reasoning (IJCAR-2012), as part of the Alan Turing Year 2012, held just after The Alan Turing Centenary Conference. After ten years of this series of workshops, the SMT paradigm for determining the satisfiability of first-order formulas modulo background theories is still developing fast, and interest in SMT solving is increasing, probably faster than ever. The SMT Workshop is certainly the main annual event of the community, where both researchers and users of SMT technology can meet and discuss new theoretical ideas, implementation and evaluation techniques, and applications. In order to facilitate more exploration and increased discussion of newer ideas, this year we invited submissions in three categories: • extended abstracts, to present preliminary reports of work in progress; • original papers, to describe original and mature research (simultaneous submissions were not allowed); • presentation-only papers, to provide additional access to important developments that SMT Workshop attendees may be unaware of. These works may have been recently published or submitted. Papers were solicited on topics that include all aspects of Satisfiability Modulo Theory solving. More specifically, some suggested topics were: • Decision procedures and theories of interest • Combinations of decision procedures • Novel implementation techniques • Benchmarks and evaluation methodologies • Applications and case studies • Theoretical results We received thirteen papers. Each submission was reviewed by three program committee members. Due to the quality of and interest in the submissions, and in keeping with the desire to encourage presentation and discussion of works in progress, we were able to accept all contributions for presentation at the workshop. We would like to thank the program committee and the reviewers for their work. We are very grateful to the IJCAR organizers for their support and for hosting the workshop, and are indebted to the EasyChair team for the availability of the EasyChair Conference System. June 2012 Pascal Fontaine and Amit Goel II Program Committee • Clark Barrett (New York University) • Nikolaj Bjørner (Microsoft) • Roberto Bruttomesso (Atrenta) • Sylvain Conchon (LRI & University of Paris-Sud) • Bruno Dutertre (SRI) • Pascal Fontaine (INRIA, University of Nancy), co-chair • Vijay Ganesh (MIT) • Amit Goel (Intel), co-chair • Franjo Ivančić (NEC) • Sava Krstic (Intel) • Viktor Kuncak (EPFL) • Shuvendu Lahiri (Microsoft) • Ken McMillan (Microsoft) • Roberto Sebastiani (University of Trento) • Cesare Tinelli (The University of Iowa) External reviewers • Kshitij Bansal • Scott Cotton • Morgan Deters • Liana Hadarean III Table of Contents Invited talks Practical Aspects of SAT Solving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Armin Biere 1 The Architecture of Inference from SMT to ETB . . . . . . . . . . . . . . . . . . . . . . . Natarajan Shankar 2 Original papers Program Verification as Satisfiability Modulo Theories . . . . . . . . . . . . . . . . . . . . Nikolaj Bjorner, Kenneth McMillan and Andrey Rybalchenko 3 Built-in Treatment of an Axiomatic Floating-Point Theory for SMT Solvers . . . . . . . . 12 Sylvain Conchon, Guillaume Melquiond, Cody Roux and Mohamed Iguernelala Reasoning with Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Claire Dross, Sylvain Conchon, Johannes Kanig and Andrei Paskevich SMT-Based System Verification with DVF . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Amit Goel, Sava Krstic, Rebekah Leslie and Mark Tuttle On the Complexity of Fixed-Size Bit-Vector Logics with Binary Encoded Bit-Width . . . 44 Gergely Kovásznai, Andreas Fröhlich and Armin Biere Extended abstracts and Works in progress A Machine Learning Technique for Hardness Estimation of QFBV SMT Problems . . . . 56 Mohammad Abdul Aziz, Amr Wassal and Nevine Darwish Reachability Modulo Theory Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Francesco Alberti, Roberto Bruttomesso, Silvio Ghilardi, Silvio Ranise and Natasha Sharygina An SMT-LIB Format for Sequences and Regular Expressions . . . . . . . . . . . . . . . . 76 Nikolaj Bjorner, Vijay Ganesh, Raphaël Michel and Margus Veanes Exotic Semi-Ring Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Michael Codish, Yoav Fekete, Carsten Fuhs, Jürgen Giesl and Johannes Waldmann A Theory of Arrays with set and copy Operations . . . . . . . . . . . . . . . . . . . . . . 97 Stephan Falke, Carsten Sinz and Florian Merz An SMT-based approach to automated configuration . . . . . . . . . . . . . . . . . . . . . 107 Raphaël Michel, Vijay Ganesh, Arnaud Hubaux and Patrick Heymans Anatomy of Alternating Quantifier Satisfiability . . . . . . . . . . . . . . . . . . . . . . . 118 Anh-Dung Phan, Nikolaj Bjørner and David Monniaux Presentation only Instantiation-Based Invariant Discovery Temesghen Kahsai, Yeting Ge and Cesare Tinelli IV Practical Aspects of SAT Solving Armin Biere Johannes-Kepler-Universität Linz, Austria Abstract SAT solving techniques are used in many automated reasoning engines. This talk gives an overview on recent developments in practical aspects of SAT solver development. Beside improvements of the basic conflict driven clause learning (CDCL) algorithm, we also discuss improving and integrating advanced preprocessing techniques as inprocessing during search. The talk concludes with a brief overview on current trends in parallelizing SAT. Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 1–1 1 The Architecture of Inference from SMT to ETB Natarajan Shankar SRI International Computer Science Laboratory Abstract Modularity plays a central role in logical reasoning. We want to be able to reuse proofs, proof patterns, theories, and specialized reasoning procedures. Architectures that support modularity have been developed at all levels of inference: SAT solvers, theory solvers, combination solvers and rewriters, SMT solvers, simplifiers, rewriters, and tacticsbased interactive theorem provers. Prior work has mostly focused on fine-grained modular inference. However, with the availability of a diverse range of high-quality inference tools, it has become important to systematically integrate these big components into robust toolchains. At SRI, we have been developing a framework called the Evidential Tool Bus (ETB) as a distributed platform for the coarse-grained integration of inference components into flexible, scriptable workflows. The talk describes the architecture of ETB along with some motivating applications. 2 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 2–2 Program Verification as Satisfiability Modulo Theories Nikolaj Bjørner Microsoft Research Ken McMillan Microsoft Research Andrey Rybalchenko Technische Universität München Abstract A key driver of SMT over the past decade has been an interchange format, SMT-LIB, and a growing set of benchmarks sharing this common format. SMT-LIB captures very well an interface that is suitable for many tasks that reduce to solving first-order formulas modulo theories. Here we propose to extend these benefits into the domain of symbolic software model checking. We make a case that SMT-LIB can be used, and to a limited extent adapted, for exchanging symbolic software model checking benchmarks. We believe this layer facilitates dividing innovations in modeling, developing program logics and frontends, from developing algorithms for solving constraints over recursive predicates. 1 SMT and checking properties of recursive predicates Progress in modern SMT solvers has been driven by a large set of applications in diverse areas. Applications reduce problems to common first-order formats, SMT-LIB [5] and now also the THF [13] format in TPTP, for exchanging benchmarks. They benefit from the progress in automated deduction in SMT solvers and utilize the smorgasbord of theories that are supported with efficient and dedicated solvers. Common to SMT solvers is their support for simply typed first-order classical logic augmented with theories. They solve satisfiability of formulas over the supported language. When SMT solvers are used to discharge verification conditions from program verifiers, it is important to be able to check validity, or dually unsatisfiability. When SMT solvers are used in dynamic symbolic simulation, the more interesting question is to determine satisfiability and find a satisfying assignment to formulas. A key driver of progress in these applications has been the ability to exchange problems using standardized and welldefined logics, theories and syntax, especially as embodied in the SMT-LIB standard. Here we propose to extend these benefits into the domain of symbolic software model checking. This problem reduces to the problem of inference of the intermediate specifications required by various proof systems. These specifications can be, for example, loop invariants, procedure summaries, environment assumptions or dependent types. As observed in [6], the inference problem in turn reduces to the problem of satisfiability of a certain class of first-order constraints containing unknown relations. These constraints can be produced by existing verification condition generators, which already typically target the SMT-LIB standard. We will argue that, with very slight extensions, SMT-LIB can be adapted to be a standard interchange medium for software model checking and related problems. The advantage of such an approach is a clean separation of concerns: the interpretation of programming language is left to verification condition generators, while model checking is handled by purely logic-based tools. This separation could have several benefits. It relieves the algorithm implementer from the need to deal with the complexity of programming languages, it allows implementations to be easily re-targeted to different languages, and it allows algorithms to be compared directly, without concern for the ambiguity of how programming languages are modeled. At the very least it can be instrumental for comparing algorithms for checking recursive predicates whether they come from software model checking or not. Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 3–11 3 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko In this paper, we propose extensions to SMT-LIB to allow it to be used as an interchange format for software model checking benchmarks. We are not alone in suggesting ways of leveraging SMT-LIB for verifying reactive systems and software. The VMT 1 effort, see also the proceedings for this workshop (SMT 2012), proposes extending SMT-LIB with notation for transitions. Our suggestion is to utilize Horn clauses as a low-level, but uniform, exchange format. Transition systems and, more generally, push-down systems can be translated into Horn clauses. Of course, Horn clauses can be translated into transition systems by using a theory that can express stacks. The Numerical Transition Systems Library also aims to identify an interchange format for transition systems. We aim to provide a basis for comparing various tools that work on various incarnations of recursive predicates, such as [14, 2, 3, 8, 1]. 2 Program verification Tool work-flow A proof system gives us rules for decomposing the proof of a complex goal into proofs of simpler sub-goals. These rules are typically non-deterministic, requiring us to instantiate some auxiliary construct. Consider, for example, the proof rule for sequential compositions in Hoare logic: {P } s1 {Q} s2 {R} {P } s1 ; s2 {R} Here, the intermediate assertion Q is the auxiliary construct that must be instantiated in order to decompose the proof. The decomposition yields two sub-goals above the line, one involving s1 and the other involving s2 . The difficulty in this step is to infer the predicate Q. In software model checking we are concerned with the problem of automatically inferring these auxiliary proof constructs. Here we would like to argue that this inference problem can be handled in a generic way. That is, we are interested in methods that are to some extent independent of the proof system, and require only that the proof sub-goals can be expressed in a suitable logical form. In program proving, the translation of proof sub-goals into logic is commonly referred to as verification condition (VC) generation. For example, suppose in the above example that our program has one variable x. The VC’s can be written in this form: ∀x, x0 . (P (x) ∧ [s1 ](x, x0 ) ⇒ Q(x0 )) ∀x, x0 . (Q(x) ∧ [s2 ](x, x0 ) ⇒ R(x0 )) where [si ] is some relation representing the operational semantics of program statement si . If these two formulas are shown to be valid, then our proof sub-goals are discharged, and we know that {P } s1 ; s2 {R} holds. Notice though, that these VC’s contain one unknown relation Q that must be inferred. In a typical VC checking application, the user would provide the relation Q in logical form, and the task of the verification tool is to check that the two individual proof sub-goals are valid. On the other hand, the inference problem is to simultaneously solve the VC’s for a value of Q that makes both true. Both of these problems are satisfiability problems. In the former case, we separately check satisfiability of the negation of each condition, with a fixed value for Q, while in the latter, we check satisfiability of both constraints together, with an uninterpreted symbol standing in for Q. We will observe that the VC’s for a wide variety of proof systems have a particular form. That is, they are of the form ∀X. (B ⇒ H), where X is some set of first-order variables, H is 1 https://sites.google.com/site/torino2011ic0901/programme/talks 4 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko an application of some (possibly unknown) relation, and B is a formula in which the unknown relations occur only positively (that is, under an even number of negations) and not under quantifiers. For example, the two VC’s above are of this form. We will refer to such formulas as generalized Horn formulas. We will say that H is the head of the generalized Horn formula, B is the body, and the arity of a generalized Horn formula is the number of occurrences of an unknown relation in the body. Quite a variety of proof systems produce VC’s as generalized Horn formulas. For example, within procedures, Hoare logic produces sub-goals of the form {P } s {Q}, which as we have seen yield generalized Horn formulas of arity one as VC’s. Now let’s consider procedure calls, in the way they are handled by the verification condition generator for the Boogie programming language [4]. A parameter-less procedure π in Boogie has the following form: procedure π: requires P (X); ensures Q(Xold , X); σ Here, formula P is a required precondition to enter the procedure, formula Q is the guaranteed post-condition and statement σ is the body of the procedure. The precondition is over the program variables X, while the post-condition refers to the program variables X and their entry procedure entry values Xold . To generate verification conditions, Boogie replaces each call to π with the following code: assert P (X); Xold := X; havoc X; assume Q(Xold , X); The havoc statement causes the variables X to take a non-deterministic value. Thus, the transformed call to π behaves as any code satisfying the specification of π. Now suppose the π is called in the following context: assert R(X); call π; assert S(X); After replacing the call to π, the verification conditions we obtain from the weakest precondition calculus are: ∀X. R(X) ⇒ P (X) ∀Xold , X. (R(Xold ) ∧ Q(Xold , X) ⇒ S(X)) Note that these formulas are also in generalized Horn formula form and that the second VC has arity two. That is, there are two unknown relations in the body of the second VC. A very simple modular proof system for concurrent programs is given in [7]. We are given a collection of N parallel process of the form: process πi : while * do ρi 5 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko Each process πi has a set of local variables Xi . The processes share a set Y of global variables. We wish to prove in a modular way that, given some initial condition φinit (X1 , . . . , XN , Y ), some error condition φerror (X1 , . . . , XN , Y ) is never true. The relations to be inferred for each process i are Ri (Xi , Y ), which is the invariant of the loop, and Ei (Y, Y 0 ), which is the environment constraint. The verification conditions for process πi are: ∀X1 , . . . , XN , Y. φinit (X1 , . . . , XN , Y ) ⇒ Ri (Xi , Y ) ∀Xi , Y, Xi0 , Y 0 . Ri (Xi , Y ) ∧ [ρi ](Xi , Y, Xi0 , Y 0 ) ⇒ Ri (Xi0 , Y 0 ) ∀Xi , Y, Y 0 . Ri (Xi , Y ) ∧ Ei (Y, Y 0 ) ⇒ Ri (Xi , Y 0 ) ∀Xi , Y, Xi0 , Y 0 . Ri (Xi , Y ) ∧ [ρi ](Xi , Y, Xi0 , Y 0 ) ⇒ Ej (Y, Y 0 ) for j ∈ {1, . . . , N } \ {i} These conditions state respectively that the initial condition implies the loop invariant, the loop body preserves the loop invariant, environment transitions preserve the loop invariant, and the loop body (executed atomically) is an allowed environment transition for other processes. The global correctness condition is: ∀X1 , . . . , XN , Y. R1 (X1 , Y ) ∧ · · · ∧ RN (XN , Y ) ∧ φerror (X1 , . . . , XN , Y ) ⇒ False Note again that all these proof sub-goals are generalized Horn formulas. Another example is type checking of dependently typed functional programs. Consider the Liquid Types system [12]. In this system, a refinement type has the form {ν : β | P (ν, X)}, where β is a base type and P is a relation over the value ν and program variables X. For example, {ν : int | ν > x} is the type of integers greater than variable x. A type binding y : {ν : β | P (ν, X)} is translated to the logical constraint [[P (y, X)]], where [[·]] is a conservative embedding of program terms into the logic. The typing rules of Liquid Types produce type checking sub-goals of the form Γ ` {ν : β | P1 (ν, X)} ≺ {ν : β | P2 (ν, X)} where ≺ is the subtype relation and Γ is an environment consisting of type bindings and constraints on variables deriving from program guards. Logical verification conditions in the form of generalized Horn formulas are produced by the following rule: [[Γ]] ∧ [[P1 (ν, X)]] ⇒ [[P2 (ν, X)]] Γ ` {ν : β | P1 (ν, X)} ≺ {ν : β | P2 (ν, X)} Existence of a relational interpretation satisfying these conditions is a sufficient condition for type safety of the program (though not a necessary condition, since the typing rules are conservative). 3 SMT as a Logical Layer In the previous section we described how program verification tools produce verification conditions that can be viewed as a conjunction of Horn clauses. Program correctness reduces to finding a solution to the recursive predicates defined by the Horn clauses. We will here elaborate on what this problem means in terms of logical formulas. 3.1 From Recursive Predicates to SMT In its basic form, the problem posed by solving verification conditions is to determine whether there are solutions to recursive predicates, such that a conjunction of universally quantified Horn formulas is true. In other words, the query is whether a conjunction of formulas is satisfiable. 6 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko This characterization side-steps the semantics of auxiliary functions, background theories and assertions, other than theories that are indigenous to SMT such as arithmetic. We claim that the appropriate semantics is to determine that for every interpretation of a given background theory there is a solution to the recursive predicates. Using logical notation, we check the truth values of formulas of the form: ^ ~ f~ . Background [R, ~ f~] ⇒ ∃P~ . ~ . P1 (X1 ) ∧ . . . ∧ PN (XN ) ∧ φ[R, ~ f~, X] ~ ⇒ P (X) (1) ∀R, ∀X This format is not directly supported by SMT-LIB. It includes universal quantification over relations and functions. The quantifier alternation is also inconvenient if we wish to refer to recursive predicates as free variables (recall that ∃P.ϕ[P ] is satisfiable if and only if ϕ[P ] is satisfiable, so it is typically more convenient to define P as an uninterpreted predicate). We can change the alternation of quantifiers by exchanging the two outer alternations: ^ ~ f~ . Background [R, ~ f~] ⇒ ~ . P1 (X1 , R, ~ f~) ∧ . . . ∧ PN (XN , R, ~ f~) ∧ φ[R, ~ f~, X] ~ ⇒ P (X, R, ~ f~) (2) ∃P~ . ∀R, ∀X The universal quantification over relations and functions is still present. Furthermore, P has additional arguments. Can we use SMT-LIB for higher-order problems? The theory of extensional arrays in SMT-LIB includes the function select. It corresponds to function application. This suggests the following approach: treat functions and relations as arrays, then use SMT solvers to check satisfiability of the resulting formula with arrays. The catch is that the model theory for this first-order reformulation does not correspond to the original second-order formulation. In the following, we will avoid these transformations and side-step having to deal with what are potentially adequate (higher-order or Henkin) theories for arrays. Instead we will augment SMT-LIB slightly. 3.2 From SMT to Solutions of Recursive Predicates Many applications of SMT solvers are only interested in checking validity of formulas. So, given a formula ϕ, they assert ¬ϕ and check if the SMT solver produces the answer unsat. Similar, in program verification, we are interested in checking a property. The most basic answer we would expect from a verification tool for programs is whether the property ϕ can be established. Dually, we can ask whether the property ¬ϕ is unreachable. More informative answers are possible. One may want a certificate for unreachability or a certificate for reachability. A certificate for reachability is in a nutshell a proof of unsatisfiability. The proof can be presented as a trace. A certificate for unreachability is in a nutshell a model for the recursive predicates. So what is a model? Saturation based theorem provers may be able to produce a set of saturated clauses that do not include the empty clause and such that any clause that can be deduced from the saturated set is subsumed. Checking that a set of first-order clauses is saturated is relatively straight-forward. Unfortunately, we are not aware of reasonable notions of saturation modulo theories. A different way to represent models is to produce a formula for each recursive predicate. The free variables in the produced formulas correspond to the arguments of the recursive predicate. So in a sense the formulas correspond to macro expansions of the recursive predicates. Checking such a solution requires theorem proving: Plug in the macro expansion for each of recursive predicates and check that the resulting formula is valid. The proof obligations are ground when the background is empty. Existing tools for generating interpolants and lifting PDR to theories 2 do produce such certificates that can be 2 In the case of PDR, we give a few small examples of such certificates on http://rise4fun.com/Z3Py/ tutorial/fixedpoints 7 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko checked by SMT solvers for ground formulas. We speculate that finer-graned certificates are of potential useful: macros together with proof hints that are used for checking that the macros are indeed solutions. 3.3 Bloat in Translation? What is the cost of resorting to a logical encoding of programs and their control-flow graphs? We alluded to that a control flow graph (CFG) corresponds directly to a set of Horn clauses. Each node in the CFG is a predicate. Horn clauses encode Hoare triples between locations. In our experience, the main source of bloat is how variable scoping is handled: all local variables in scope have to be either directly arguments of the recursive predicates, or indirectly by using records or arrays that summarize variables. Current tools for solving predicates work with variables enumerated directly. Using records would require additions to SMT-LIB from its current form. In particular, it would be useful to have a way to update a record. One could also consider using arrays instead of records, but general purpose decision procedures for the theory of extensional arrays are not really well tuned for this special purpose usage. 3.4 Loss in Translation? A dual concern is whether this layer opens up for loss in translation. We argue not, as rules can be in one-to-one correspondence with CFG/abstract syntax tree representations of programs. 3.5 Dealing with Heap There are many possible ways to model and reason about heaps. Front-end tools may choose a model of their choice and encode the model in background axioms. Back-end solvers are also left open to detect heap operations and provide different abstractions, such as separation logics. Hence, it is also an area where solvers can compete on applying different abstractions. In summary, the approach (with encoding CFGs to SMT constraints) does not by itself require fixing one particular model of heaps. 4 Recursive predicates in Z3 ARMC [11] and HSF [6] encode recursive predicates as Horn formulas in Prolog syntax. In a similar style, µZ [10, 9] uses an extension of the SMT-LIB format for representing recursive predicates. Recursive predicates are treated differently from non-recursive predicates. Recursive predicates are defined in rules and checked in queries. Non-recursive predicates and functions may be used in rules and queries; they can be further constrained by background assertions. 4.1 Recursive predicates Z3 has four syntactic constructs for handling recursive predicates. We summarize these below. (rule rule ) declares a rule, where rule is an SMT-LIB expression expected to be of the form: rule ::= (forall (bound ) rule ) | (=> body rule ) | (R args ) 8 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko The relation R in the head is expected to be declared as a recursive relation. The supported format for body is as a quantifier-free formula such that the recursive predicates (such as R ) occur positively. While the internal engine in µZ uses Horn clauses, rules are not required to be Horn clauses. Nested disjunctions in bodies are eliminated using a Tseitsin style transformation that produces a set of Horn clauses. (query query ) where query ::= (exists (bound ) query ) | body. (declare-rel R (S 1 . . . S n )) declares a recursive relation R. It takes n arguments of sort S 1 . . . S n respectively. (declare-var v S ) Rules and queries may reference variables declared using declare-var. When used in rules, the variables are universally quantified, when used in queries, the variables are existentially quantified. The declare-var construct is purely syntactic sugar. It makes writing rules more convenient because it saves the overhead of binding the same variables in different rules. A query is satisfiable if there are instances of the existential variables and a derivation of recursive rules that derives the query. Otherwise a query is unsatisfiable. This definition corresponds to checking queries with Prolog and Datalog. It is dual to how the semantics corresponds to SMT: when there is no instantiation of variables that satisfy a query it means that there is an interpretation of the recursive predicates that satisfy each rule, but satisfies the negation of the query. On the other hand, if a query has a solution, then the trace that corresponds to deriving the query is a proof: The trace provides quantifier instantiations of the Horn clauses and ∀~x . ¬query such that the resulting set of ground Horn clauses is unsatisfiable. Equation (3) summarizes this characterization. The formula in (3) is closed and the goal is to check if it is equivalent to true. The set rules contains the recursive Horn clauses defined by rule and query is a formula corresponding to a query, ~x are declared as variables and P~ are declared as recursive predicates: ! ∃P~ . ^ ∀~x . r(~x) ∧ ∀~x . ¬query (3) r∈rules Example 1. Suppose we are given a recursive program sum let rec sum n = if n <= 0 then 0 else n + sum (n-1) and we wish to establish that sum n >= n for every n. The input-output specification of sum is a relation with one argument for the input and one argument for the output. We can specify sum using a set of Horn rules and the assertion as a query: (declare-rel sum (Int Int)) (declare-var n Int) (declare-var m Int) (rule (=> (<= n 0) (sum n 0))) (rule (=> (and (> n 0) (sum (- n 1) m)) (sum n (+ m n)))) (query (and (sum n m) (< m n))) 9 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko An interpretation for sum that satisfies the Horn clauses and the query is: (define-fun sum ((A Int) (B Int)) Bool (and (>= B 0) (<= (+ (* (- 1) B) A) 0))) 4.2 Background While currently unsupported in µZ, the format admits free functions and non-recursive predicates. It inter-operates with assertions over non-recursive predicates and functions. Example 2. One can assert that a free function f is injective with partial converse g using an axiom: (declare-fun f (Int) Int) (declare-fun g (Int) Int) (assert (forall ((x Int)) (= (g (f x)) x))) Then f can be used in rules. For example, (declare-rel R (declare-var x (declare-var y (rule (R 0 1)) (rule (=> (R x (query (and (R (Int Int)) Int) Int) y) (R (f x) (f y)))) x y) (= x y))) The query is unsatisfiable with the justification (define-fun R ((A Int) (B Int)) Bool (not (= A B))) Free functions and non-recursive predicates are treated logically different from recursive predicates. Their meaning is succinctly captured by extending (3) by taking background as~ f~ be the non-recursive sertions and auxiliary predicates and functions into account. Let R, predicates and functions, and asrts be the current assertions. Correspondence (4), derived from (1), characterizes the semantics in the context of auxiliary predicates, functions and assertions: ! ~ f~ . asrts ⇒ ∃P~ . ∀R, ^ ∀~x . r(~x) ∧ ∀~x . ¬query (4) r∈rules 5 Summary We made a case that SMT-LIB is a superb basis for exchanging benchmarks among symbolic software model checkers. As a side-effect we also introduced an approach to specify recursive relations modulo background assertions in the context of SMT-LIB. The format can be used in its own right. The proposed use of SMT-LIB uses a modest extension for describing rules and declaring recursive predicates. 10 Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko References [1] Akash Lal and Shaz Qadeer and Shuvendu Lahiri. Corral: A Solver for Reachability Modulo Theories. In CAV, July 2012. [2] Aws Albarghouthi, Arie Gurfinkel, and Marsha Chechik. From under-approximations to overapproximations and back. In TACAS, pages 157–172, 2012. [3] Aws Albarghouthi, Arie Gurfinkel, and Marsha Chechik. Whale: An interpolation-based algorithm for inter-procedural verification. In Viktor Kuncak and Andrey Rybalchenko, editors, VMCAI, volume 7148 of Lecture Notes in Computer Science, pages 39–55. Springer, 2012. [4] Michael Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. Boogie: A Modular Reusable Verifier for Object-Oriented Programs. In FMCO, pages 364–387, 2005. [5] Clark Barrett, Aaron Stump, and Cesare Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB). www.SMT-LIB.org, 2010. [6] Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. Synthesizing software verifiers from proof rules. In PLDI, 2012. [7] Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. Predicate abstraction and refinement for verifying multi-threaded programs. In POPL, pages 331–344, 2011. [8] William R. Harris, Sriram Sankaranarayanan, Franjo Ivancic, and Aarti Gupta. Program analysis via satisfiability modulo path programs. In POPL, pages 71–82, 2010. [9] Kryštof Hoder and Nikolaj Bjørner. Generalized Property Directed Reachability. In SAT, 2012. [10] Kryštof Hoder, Nikolaj Bjørner, and Leonardo Mendonça de Moura. µZ- an efficient engine for fixed points with constraints. In CAV, pages 457–462, 2011. [11] Andreas Podelski and Andrey Rybalchenko. ARMC: The Logical Choice for Software Model Checking with Abstraction Refinement. In PADL, pages 245–259, 2007. [12] Patrick Maxim Rondon, Ming Kawaguchi, and Ranjit Jhala. Liquid types. In PLDI, pages 159– 169, 2008. [13] Geoff Sutcliffe, Stephan Schulz, Koen Claessen, and Peter Baumgartner. The TPTP Typed FirstOrder Form with Arithmetic. In LPAR, pages 406–419, 2012. [14] Philippe Suter, Ali Sinan Köksal, and Viktor Kuncak. Satisfiability modulo recursive programs. In SAS, pages 298–315, 2011. 11 Built-in Treatment of an Axiomatic Floating-Point Theory for SMT Solvers∗ Sylvain Conchon Guillaume Melquiond Cody Roux LRI, Université Paris Sud INRIA Saclay–Île-de-France LRI, Université Paris Sud Mohamed Iguernelala LRI, Université Paris Sud Abstract The treatment of the axiomatic theory of floating-point numbers is out of reach of current SMT solvers, especially when it comes to automatic reasoning on approximation errors. In this paper, we describe a dedicated procedure for such a theory, which provides an interface akin to the instantiation mechanism of an SMT solver. This procedure is based on the approach of the Gappa tool: it performs saturation of consequences of the axioms, in order to refine bounds on expressions. In addition to the original approach, bounds are further refined by a constraint solver for linear arithmetic. Combined with the natural support for equalities provided by SMT solvers, our approach improves the treatment of goals coming from deductive verification of numerical programs. We have implemented it in the Alt-Ergo SMT solver. 1 Introduction On modern computers, floating-point arithmetic is by far the most common way of approximating real arithmetic and hence performing numerical computations. This comes from its inherent mathematical simplicity (very large range and guaranteed precision) combined with a strong will to ensure portability of this arithmetic across all architectures without forsaking performance [11]. These properties usually make this arithmetic an obvious choice for building numerical software. In many cases, for instance in avionics, critical systems make heavy use of floating-point computations. But despite their simplicity, floating-point computations do not in general return the same result as ideal real computations. Indeed, while precision is guaranteed, accuracy is not: the negligible rounding errors caused by every operation might add up and cause the computed values to arbitrarily diverge from the expected values. In particular, floating-point arithmetic has some counter-intuitive properties when it comes to accuracy: the sum of two numbers that causes the biggest inaccuracy is the one that is the most precise (exact result). For example, take a and b to be the floating-point representations of 1.1 and 1, respectively. Then the floating-point number that is the result of a − b can be computed with perfect accuracy: there is no loss of digits. However it is not the floating-point number that is closest to the “desired” result 0.1. This discrepancy between computed and expected results has been the source of numerous software and hardware failures [13]. The Gappa tool replicates the kind of reasoning one would use to prove correctness of stateof-the-art floating-point hardware and software. It automatizes the proofs in a highly efficient way, as long as the verification conditions only deal with arithmetic constructs [6]. Unfortunately, some program constructs tend to leak into the verification conditions and obfuscate the arithmetic constructs Gappa relies on. For instance, programs might be using arrays, have lots ∗ Work 12 supported by the French ANR projects ANR-08-005 DeCert and ANR-11-INSE-03 Verasco. Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 12–21 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala of different execution paths; as a side-effect of their generation process, verification conditions might be littered with useless lemmas and equalities. All of these issues are the cause for extra work from the user and hence partly defeat the point of automatizing the process. On the other hand, SMT solvers, which are ubiquitous in deductive program verification, are especially designed to handle these issues. They have built-in theories of arrays and congruences and specialized algorithms for instantiating lemmas, they depend on SAT solvers for propositional logic, and so on. Floating-point numbers are not presently handled by most SMT solvers, although there is a proposal to add them to the SMT-LIB 2 standard [14]. This would allow a complete description of the bit-level representation of IEEE-754 floating-point numbers and operations, including exceptional values. However error analysis is out of the scope of such a description, as there is no way to embed floating-point values into real numbers. In this paper, we present a way to implement the proof mechanism of Gappa inside an SMT solver to allow reasoning on approximation errors in a theory of reals with floating-point operators. Section 2 describes the proof mechanism of the Gappa tool. Section 3 explains the limits of a purely axiomatic approach to integrating floating-point reasoning in an SMT solver. Section 4 presents a description of the integration of the procedure as a built-in instantiation based algorithm. Section 5 gives an example that uses the most salient features of the algorithm. 2 The Gappa Tool Gappa is a tool dedicated to proving the logical formulas that usually occur when verifying the numerical correctness of a program [5]. These formulas are described by the following simple grammar: prop ::= ¬prop | prop ∧ prop | prop ∨ prop | prop ⇒ prop | atom atom ::= expr ≤ number | expr ≥ number | expr = expr expr ::= ident | number | − expr | abs(expr ) | sqrt(expr ) | expr expr | rnd... (expr ) with ∈ {+, −, ×, /}. The semantics of these formulas is, for the most part, straightforward: identifiers are mapped to universally-quantified variables of real type, arithmetic operators and relations are mapped to the corresponding symbols of real arithmetic, and logical connectives are given their usual propositional meaning. 2.1 Rounding operators Rounding functions are sufficient to express computations that occur inside a numerical program, thanks to the philosophy that underlies most computer arithmetic. For instance, consider the IEEE-754 standard for floating-point arithmetic [11] that describes the behavior of most floating-point units you will find in modern processors. It states: “a floating-point operator shall behave as if it was first computing the infinitely-precise value and then rounding it so that it fits in the destination floating-point format”, assuming the inputs are not exceptional values. As a consequence, a floating-point addition between two floating-point numbers u and v should behave as if it was rnd... (u + v) for some properly parametrized rounding operator. For instance, if the destination format is binary32 from IEEE-754 and if the rounding direction is the default one, then rnd(x) satisfies the following properties: it is a real number y such that there are two integers m and e with y = m · 2e , |m| < 224 and e ≥ −149. Moreover, it 13 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala is the number that minimizes the distance |y − x|. Finally, if there are several such numbers,1 then y is chosen so that it can be represented with a mantissa m that is an even integer while still preserving e ≥ −149. Note that there is no upper bound on e as overflow is generally handled by a separate analysis. Floating-point arithmetic is standardized in such a way that it is always the case that there exists one and only one such number. 2.2 Proof Mechanism When given a logical formula to prove, Gappa starts by performing some manipulations until it reaches an equivalent problem consisting of a disjunction of formulas of the following form: t1 ∈ I1 ∧ . . . ∧ tn ∈ In ⇒ ⊥. Terms t1 , . . . , tn are Gappa expressions, while I1 , . . . , In are intervals with numerical bounds. Actually, Gappa handles more predicates than just membership in an interval [6], but for the sake of simplicity, they will not be mentioned here.2 Gappa has a database of over 200 theorems which can be split into three categories. The first deals with real arithmetic, e.g. knowledge about square roots. The second category handles rounding operators and computer formats. The third category is composed of rewriting rules that simulate reasoning similar to that of forward error analysis. Gappa applies these theorems on the hypotheses of the logical formula by a saturation mechanism, in order to deduce new facts. It keeps going until a contradiction is deduced or no new facts are found. Note that the tool is not guaranteed to terminate, and even if it does, an absence of contradictions does not mean that the property is true. Theorems about real arithmetic and rounding operators have the following form: ∀~x, ∀I1 , . . . , In , I, f1 (~x) ∈ I1 ∧ . . . ∧ fn (~x) ∈ In ∧ P (I1 , . . . , In , I) ⇒ f (~x) ∈ I. Expressions f1 , . . . , fn , f are specific to a given theorem, and so is the relation P between intervals. Moreover, Gappa knows some partial function h such that P (I1 , . . . , In , h(I1 , . . . , In )). From the point of view of Gappa, even rewriting rules fit this model: n = 1, P is ⊆, and h is the identity. 2.3 Theorem Instantiation Gappa first performs symbolic backward reasoning for all the terms t1 , . . . , tn that appear on the left-hand side of the original formula. The heuristic is that, if a contradiction is to be found, then it will be with one of the original bounds. It therefore searches which theorems have a conclusion that could be used to compute a bound for one of the original terms. The hypotheses of these theorems are enclosures too, so Gappa searches recursively on their terms too. The search proceeds in a manner similar to Prolog, as the theorems have the form of Horn clauses. The procedure stops when it finds that it needs to bound one of the terms of the original formula. In practice, this backward search terminates since theorems have been chosen so that the terms on the left-hand side are somehow smaller than the term on the right-hand side. This solves the issue of the set of terms being unbounded, but not the issue of finding instances for every ~x, except that this time, the uninstantiated variables are on the left. Gappa relies on various heuristics to fill the holes. 1 In other words, x is the midpoint between two consecutive floating-point numbers. list of predicates and theorems that Gappa relies on are listed in its documentation: http://gappa. gforge.inria.fr/doc/index.html. 2 The 14 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala Once Gappa has performed this step of backward reasoning, it knows which terms and theorems are potentially useful. It can therefore perform the actual saturation, which is now just reduced to numerical computations on the bounds of the intervals. 3 Handling Gappa Axioms with SMT Solvers SMT solvers are highly efficient tools for checking satisfiability of ground formulas from the combination of specific theories such as uninterpreted equality, linear arithmetic over rationals or integers, arrays and bit-vectors. SMT solvers may also handle quantified formulas[7, 2, 8, 4]. For that, they use heuristics to find good instances of universally-quantified lemmas present in the problem. These heuristics are usually guided by a set of instantiation patterns (also known as triggers) and a set of known terms, that is (ground) terms that appear in the facts assumed by the solver. Knowing how SMT solvers handle quantified formulas, a tempting approach would be to describe the Gappa floating-point theory by a set of first-order formulas annotated with relevant triggers. For instance, axioms like ∀x, y, z. y 6= z ⇒ x × (y − z) = x × y − x × z can be given to an SMT solver with x×(y−z) as a trigger (if it allows defined functions to appear in triggers). Other axioms can also just be ignored because they are directly implemented by the decision procedures of SMT solvers. For instance, axioms like ∀x, y. x − y = (x − rnd(y)) + (rnd(y) − y) are directly handled by the decision procedure for linear arithmetic. This category contains all the axioms for the free theory of equality, the linear theory of arithmetic, etc. Unfortunately, this solution does not apply to all Gappa axioms. For example, in the following quantified formula ∀i, p, e, x. |x| ≤ i ⇒ |float(p, e, NearE, x) − x| ≤ 2max(e,(ceil(log2 (i))−p)) a relevant trigger would be the term float(p, e, NearE, x). However, since it does not contain the bound variable i, the solver has to consider all reals as potential bounds for x, or it can restrict substitutions to syntactic bounds, i.e. bounds that occur in a syntactic ground predicate of the form |t| ≤ c. The first solution is impracticable. The main problem with the second solution is that relevant bounds do not usually occur in terms, but come from some deduction. Moreover, an effective implementation of the floating-point theory of Gappa also requires from SMT solvers the ability to compute bounds like 2max(b,(ceil(log2 (i))−a)) . 4 Gappa as a Matching Algorithm The floating-point module we describe here is based on an interval analysis and a saturation approach nearly identical to that which is implemented in Gappa [5]. We interact with the SMT solver using the following interface. We take as input • the set of terms considered by the solver that have as head symbol a symbol of arithmetic, such as x + y or float(t[i]), 15 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala • the set of literals that involve arithmetic, such as t ≤ u, or t = u with t or u in the arithmetic theory, • the module for matching modulo the equalities deduced by the solver. The procedure returns in turn • the deduced bounds on the considered terms, • a set of equalities that are a consequence of these bounds, • a set of contradictory literals, if a contradiction is deduced from its input. We proceed as outlined in Section 2 and try to instantiate axioms of the database of axioms from the floating-point theory that are deemed relevant for finding interesting bounds on the considered terms. Note that the effectiveness of this approach is based in great part on the relevance of the axioms involved, which are based on the fine-tuned library of theorems found in Gappa. The lemmas generated by instantiation of the theorems are then applied to known bounds of terms until saturation, i.e. until there are no improvements on the bounds. The interface is generic: it can be integrated into a framework with an existing procedure for arithmetic. This may in fact be quite useful, as the procedure is far from complete for arithmetic expressions involving non-linear constructions. The floating-point module maintains internal information that is not directly expressible in most SMT solvers, such as the number of bits with which it is possible to represent a real number in a certain floating-point encoding. The set of lemmas will therefore be internal to the module, and computational instances are created when needed, by matching modulo equality on the considered terms. The procedure then checks which lemmas may actually be applied given the bound information on the terms, and applies these lemmas until no new consequences can be created. A simplex-based algorithm [3] then finds the optimal bounds by linear combination of these. Improved bounds may then lead to another round of saturation by application of the instantiated axioms. In the case where no contradictions (empty bounds) are found, then equalities that were deduced by the simplex algorithm are sent on to the main loop of the SMT solver. 4.1 Description of the algorithm The internal state of the module consists of the following data: • the set of all instantiated theorems, which we call lemmas, with the set of terms on which they depend, as well as the terms in the conclusion, • the set of all considered terms, along with the set of lemmas that allow a bound to be deduced for each term and the lemmas that depend on them, • the bounds that have already been deduced by the theory. The SAT solver sends literals to a theory solver that deduces initial bounds on the terms by linear combinations, and terms to the lemma generation which instantiates the axioms potentially necessary to infer bounds on terms and sub-terms that appear in the literals. The graph generated is in the form of that shown in Figure 2, where terms are linked with the lemmas that depend on them and lemmas are connected to the terms whose bounds they may 16 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala ... float(x) + float(y) Match SAT literals terms match + Gen Lemmas Linear Bounds lemmas bounds float(x) float(y) float(x) × z f lt × y z x+y equalities, unsat Refine Bounds constraints f lt + Simplex x Figure 1: Description of the floating-point procedure. Figure 2: An example lemma dependency graph (with some cycle). improve. The theorems are instantiated using the matching mechanism already present in the SMT solver. The description of the process is outlined in Figure 1. Once we have computed the graph of lemmas that are potentially useful, we enter into the computational phase: we use the linear solver to infer initial bounds on some subset of the considered terms, and the lemmas are applied in succession, each new refined bound triggers the application of the lemmas that depend on it. Once a fixed point is reached (no bounds are improved), we use the deduced bounds to build constraints which are sent to a simplex algorithm, which refines the bounds of every term. To limit the calls to the simplex algorithm, we only refine the bounds of terms on which some computational lemma applies, and on terms that are known to not be constants. The alternation of calls between the simplex algorithm and the application of the lemmas continues until • either a contradiction is found, in which case the incriminating literals are identified and sent to the SAT module, which then chooses the next literals to send to the theory, • or no new bounds are computed yet no contradiction is found, and the equalities that can be deduced from the bounds are returned to the SAT solver. The simplex algorithm is incremental. This increases the performance of the procedure in subsequent calls by a factor of 5 to 10. However backtracking is not possible in the current version of the algorithm, which forces the whole process to be restarted at each call to the global decision procedure. At the end of the saturation process, an equality is deduced by examining the bounds which are trivial, i.e. t ∈ [i, i] in which case we deduce t = i. The use of the simplex algorithm ensures that all such equalities that are linear consequences of the deduced constraints will be found. Since the module considers terms that may not be terms (or sub-terms) that appear in the original problem, it may choose not to propagate such equalities to the other theories. 17 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala Correctness of the algorithm depends on the correctness of each process. The crucial points are the validity of the theorems that are instantiated, the correctness of the simplex algorithm, and the fact that the literals identified in the unsatisfiability witnesses are a super-set of some minimal set of literals that lead to a contradiction. We take pains to apply only lemmas that are true of both the ring of real numbers and that of integers, with the computed bounds being represented by rational numbers. Of course there is no floating-point operator on integers, but certain operators are overloaded, like the arithmetic operators and absolute values. This means that the floating-point “box” is generic: the bounds deduced by it are valid in the case where terms denote integers, and can be subsequently refined by integer-specific methods; typically by performing case analysis on the bounds. Our system is not complete, as we are in a very expressive fragment of arithmetic, that includes integer arithmetic. Additionally, even the restriction of our theory to real arithmetic with a floating-point operator is likely to be either undecidable, or with a decision procedure of prohibitive complexity. We have tried to find the optimal trade-off between speed and expressiveness, with emphasis on proving error bounds. Termination is also not guaranteed, as it is easy to build a set of terms that satisfy the following relations: x ∈ [−1, 1] x = f (x) ∀y, f (y) ≤ k · y, k ∈]0, 1[ In which case each pass of the algorithm will scale the bounds for x by a factor k, without ever converging to the fixed point x ∈ [0, 0]. We adopt the simple solution of stopping the iteration after a fixed number of cycles. 5 Case Study We give an example application of our development by automatically deriving an error bound on a simple algorithm that computes the sum of the 10 elements of an array with values initialized to the floating-point approximation of 0.1. We give this code in Figure 3 using the Why3 specification and programming language [9], which allows us to write imperative code with Hoare-logic style annotations. The Why3 framework generates a number of proof obligations in the Alt-Ergo format, split into safety properties and properties given by the assertions. The rnd function performs the binary32 nearest-ties-to-even rounding of a real number, if this operation does not result in an overflow. The add function performs the addition as it is defined on floating-point numbers i.e. as the rounding of the infinite-precision addition on the floats seen as real numbers. Again, this function takes as precondition that the addition does not result in an overflow. i The invariant specifies that the partial sums at step i + 1 are at distance no more than 1000 i from 10 , which allows us to easily conclude that the sum is at distance less than 1/100 from 1 at the end of the loop. Our extension is able to prove the 10 generated properties, three of which are not proven by Alt-Ergo or Gappa as the former does not have knowledge of bounds on floating-point errors, and Gappa cannot perform reasoning on equality or general linear arithmetic. This stresses the necessity of combining the two solvers. The hardest goal generated by Why3 is given in 18 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala module Sum let rnd x = { no_overflow NearestTiesToEven x } round NearestTiesToEven x {result = round NearestTiesToEven x} let add x y = { no_overflow NearestTiesToEven (x +. y) } round NearestTiesToEven (x +. y) { result = round NearestTiesToEven (x +. y)} let sum () = {} let a = make 10 (rnd 0.1) in let s = ref (rnd 0.) in for i = 0 to 9 do invariant { abs(!s -. 0.1 *. from_int i) <=. 0.001 *. from_int i } s := add !s a[i] done; !s { abs (result -. 1.) <=. 0.01 } end Figure 3: A simple imperative program using floats. goal WP_parameter_sum : abs(float(53,1074,ne,0.1)) <= 0x1.FFFFFFFFFFFFFp1023 -> 0 <= 10 -> abs(float(53,1074,ne,0.)) <= 0x1.FFFFFFFFFFFFFp1023 -> 0 <= 9 -> forall s:real. forall i:int. (0 <= i and i <= 9) -> i <= 10 and abs(s - (0.1 * real_of_int(i))) <= 0.001 * real_of_int(i)) -> (0 <= i and i < 10) and abs(float(53,1074,ne,s + const(float(53,1074,ne,0.1))[i])) <= 0x1.FFFFFFFFFFFFFp1023 and forall s1:real. s1 = float(53,1074,ne,s + const(float(53,1074,ne,0.1))[i]) -> i + 1 <= 10 and abs(s1 - (0.1 * real_of_int(i + 1))) <= 0.001 * real_of_int(i + 1) Figure 4: Loop invariant preservation. Figure 4; it specifies that the invariant is preserved by the operations performed in the loop, with additional non-overflow conditions. The expression float(p,e,m,x) denotes the floating-point approximation to x with round19 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala ing mode m (ne is nearest float with even mantissa in case of tie), a mantissa of at most p bits, and an exponent greater than −e. The expression real of int(x) is simply a cast from the type of integers to that of real numbers. Our extension of Alt-Ergo handles this goal in 1.4 seconds (Intel Core 2.66 GHz, 2 GB RAM) by application of the error-bound theorems and the linear arithmetic solver. First 1 · real of int(i + 1) to be treated as note that real of int is a congruence, which allows 1000 real of int(i) 1 + . We split on the sign of terms t such that |t| appears in the goal. If t ≥ 0, 1000 1000 we add the equality t = |t| to the set of literals and t = −|t| otherwise. Then the equalities const(t)[i] = i are instantiated for each appropriate term. Finally linear arithmetic allows us to bound the terms t such that float(p, e, d, t) appears in the goal: 0.1 is bounded by definition, and s + float(53, 1074, ne, 0.1) can be derived from the bound on i and the inequality s − (0.1 × i) ≤ 0.001 × i. The theorem on absolute errors can then be instantiated by the floating-point module to generate a bound of the form: float(53, 1074, ne, s + float(53, 1074, ne, 0.1)) − (s + float(53, 1074, ne, 0.1)) ∈ [−ε, ε] A last step of linear arithmetic is required to conclude. A more realistic example entails proving the safety properties of a C program involving floating-point computations which was originally part of an avionics software system. Safety properties are generated by the Frama-C/Why3 tool-chain, and involve properties about integer and floating-point overflow, correctness of memory access, etc. Here also the Alt-Ergo extension manages to prove all 36 goals, 10 of which involve floating-point properties (Alt-Ergo proves 2 of those goals). However the added expressiveness comes at the cost of speed: on average AltErgo with the floating-point module is 5 times slower than Alt-Ergo alone, on goals involving real arithmetic. Gappa is able to prove the overflow properties, but at the cost of manually performing theorem instantiation, which Alt-Ergo handles on its own. 6 Conclusion and perspectives We have described an implementation of a theory of real numbers with floating-point operators by a dedicated matching procedure, which can be plugged into an SMT solver. Given terms and initial constraints, the procedure performs matching modulo ground equalities, saturation and calls to a linear solver to deduce bound information on terms. This framework is standalone. It can be integrated as-is, notwithstanding slight changes to the usual interface of the matching module: literals assumed by the solver need to be sent instead of just terms. A tighter integration would re-use the procedure for deciding linear arithmetic already present in the SMT solver, provided that it could be queried for the best possible bounds of a term. We have implemented this procedure in the Alt-Ergo SMT solver, replacing the part of the arithmetic module that deals with inequalities, as it became redundant with our work. The use of the simplex algorithm, while powerful, is also the source of the greatest performance penalty: it may be called many thousands of times on large goals. The theory of floats we describe here does not consider NaN or infinite values, unlike to the proposed addition to the SMT-LIB. However Ayad and Marché show [1] that it is possible to encode such floating-point data by a combination of algebraic data-types and cases on one hand, and an unbounded model of floating-point numbers as used in Gappa and in the present 20 An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala work on the other hand. One can then observe that the “exceptional” cases in which NaN or ±∞ appear are handled quite easily by the traditional theories in the SMT solver, and our addition is designed to solve the other cases. Future Work Clearly, our first goal is to improve performance of the procedure on large problems, allowing us to treat a wider range of examples from industrial software verification. Moreover we have not integrated all the theorems from Gappa, just those which were required for most immediate use. In particular, we only treat absolute error and not yet relative error. Similar work has been brought to our attention by the reviewers [12, 10]. In this work, the authors introduce a theory capable of handling general constraints on real numbers with floating-point constraints, as we are. The constraints are handled by their LRA+ICP algorithm (Linear Real Arithmetic and Interval Constraint Propagation) in a manner related to ours, though they do not have as general floating-point operators, nor do they have rewriting-based heuristics for transforming the non-linear constraints. They furthermore propose a mechanism based on successive interval refinements to avoid the cost of successive calls to a linear optimization algorithm. Further work is needed to understand whether such an approach is feasible in our framework. References [1] A. Ayad and C. Marché. Multi-prover verification of floating-point programs. In IJCAR 5, volume 6173 of LNAI, pages 127–141, Edinburgh, Scotland, July 2010. [2] C. Barrett and C. Tinelli. CVC3. In CAV, pages 298–302, 2007. [3] F. Bobot, S. Conchon, E. Contejean, M. Iguernelala, A. Mahboubi, A. Mebsout, and G. Melquiond. A simplex-based extension of Fourier-Motzkin for solving linear integer arithmetic. In IJCAR 6, volume 7364 of LNAI, Manchester, UK, 2012. [4] S. Conchon and E. Contejean. Alt-Ergo. Available at http://alt-ergo.lri.fr, 2006. [5] M. Daumas and G. Melquiond. Certification of bounds on expressions involving rounded operators. Transactions on Mathematical Software, 37(1):1–20, 2010. [6] F. de Dinechin, C. Lauter, and G. Melquiond. Certifying the floating-point implementation of an elementary function using Gappa. Transactions on Computers, 60(2):242–253, 2011. [7] L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, pages 337–340, 2008. [8] B. Dutertre and L. de Moura. Yices. Available at http://yices.csl.sri.com/tool-paper.pdf, 2006. [9] J.-C. Filliâtre and C. Marché. The Why/Krakatoa/Caduceus platform for deductive program verification. In CAV 19, volume 4590 of LNCS, pages 173–177, Berlin, Germany, 2007. [10] S. Gao, M. K. Ganai, F. Ivancic, A. Gupta, S. Sankaranarayanan, and E. M. Clarke. Integrating ICP and LRA solvers for deciding nonlinear real arithmetic problems. In FMCAD, pages 81–89, Lugano, Switzerland, 2010. [11] IEEE Computer Society. IEEE Standard for Floating-Point Arithmetic. 2008. [12] F. Ivancic, M. K. Ganai, S. Sankaranarayanan, and A. Gupta. Numerical stability analysis of floating-point computations using software model checking. In MEMOCODE, pages 49–58, Grenoble, France, 2010. [13] J.-M. Muller, N. Brisebarre, F. de Dinechin, C.-P. Jeannerod, V. Lefèvre, G. Melquiond, N. Revol, D. Stehlé, and S. Torres. Handbook of Floating-Point Arithmetic. Birkhäuser, 2010. [14] P. Rümmer and T. Wahl. An SMT-LIB theory of binary floating-point arithmetic. In SMT 8 at FLoC, Edinburgh, Scotland, 2010. 21 Reasoning with Triggers Claire Dross Sylvain Conchon Johannes Kanig LRI, Université Paris-Sud 11, CNRS, Orsay F-91405 INRIA Saclay-Île de France, ProVal, Orsay F-91893 AdaCore, Paris F-75009 LRI, Université Paris-Sud 11, CNRS, Orsay F-91405 INRIA Saclay-Île de France, ProVal, Orsay F-91893 AdaCore, Paris F-75009 Andrei Paskevich LRI, Université Paris-Sud 11, CNRS, Orsay F-91405 INRIA Saclay-Île de France, ProVal, Orsay F-91893 Abstract SMT solvers can decide the satisfiability of ground formulas modulo a combination of built-in theories. Adding a built-in theory to a given SMT solver is a complex and time consuming task that requires internal knowledge of the solver. However, many theories (arrays [13], reachability [11]), can be easily expressed using first-order formulas. Unfortunately, since universal quantifiers are not handled in a complete way by SMT solvers, these axiomatics cannot be used as decision procedures. In this paper, we show how to extend a generic SMT solver to accept a custom theory description and behave as a decision procedure for that theory, provided that the described theory is complete and terminating in a precise sense. The description language consists of first-order axioms with triggers, an instantiation mechanism that is found in many SMT solvers. This mechanism, which usually lacks a clear semantics in existing languages and tools, is rigorously defined here; this definition can be used to prove completeness and termination of the theory. We demonstrate using the theory of arrays, how such proofs can be achieved in our formalism. 1 Introduction SMT solvers are sound, complete, and efficient tools for deciding the satisfiability of ground formulas modulo combinations of built-in theories such as linear arithmetic, arrays, bit-vectors etc. Usually, they work on top of a SAT solver which handles propositional formulas. Assumed literals are then handed to dedicated solvers for theory reasoning. These solvers are complete. Adding a new theory to the framework is a complex and time consuming task that requires internal knowledge of the solver. For some theories however, it is possible to give a first-order axiomatization. Unfortunately, even if a few SMT solvers also handle first-order formulas, for example, Simplify [6], CVC3 [9], Z3 [5] and Alt-Ergo [2], these axiomatizations cannot be used as theories. Indeed, these solvers are not complete when quantifiers are involved, even in the absence of theory reasoning. SMT solvers handle universal quantifiers through an instantiation mechanism. They maintain a set of ground formulas (without quantifiers) on which theory reasoning is done. This set is periodically augmented by heuristically chosen instances of universally quantified formulas. The heuristics for choosing new instances differ between SMT solvers. Nevertheless, it is commonly admitted that user guidance is useful in this matter [6, 12]. The choice of instances can be influenced by manually adding instantiation patterns, also known as triggers. These patterns are used to restrict instantiation to known terms that have a given form. Here is an example of a universally quantified formula with a trigger in SMT-LIB [1] notation: (forall ((x Int)) (! (= (f x) c) :pattern ((g x)))) 22 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 22–31 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich The syntax for triggers includes a bang (a general syntax for annotating formulas) before the restricted formula (= (f x) c) and the keyword :pattern to introduce the trigger (g x). The commonly agreed meaning of the above formula can be stated as follows: Assume (= (f t) c) only for terms t such that (g t) is known. Intuitively, a term is known when it appears in a ground fact assumed by the solver. However, that rule is quite vague and does not include answers to the following questions: when does a term become known? Is that notion to be considered modulo equality and modulo the builtin theories, and finally, when is this rule applied exactly, and to which formulas? Different provers have found different answers to these questions, consequence of the fact that triggers are considered a heuristics and not a language feature with precise semantics. We give a proper semantics for first-order formulas with triggers. In this semantics, instantiation of universally quantified formulas is restricted to known terms. This makes it possible to extend a generic SMT solver so that it behaves as a decision procedure on an axiomatization representing a custom theory, provided the theory is complete in our framework. This enables non-expert users to add their own decision procedure to SMT solvers. Unlike first-order axiomatization in SMT solvers handling quantifiers, a proof of completeness and termination of the decision procedure can be attempted and, unlike manual implementation of decision procedures inside SMT solvers, it does not require internal knowledge of the solver. In Sect. 2, we introduce a formal semantics for first-order logic with a notation for instantiation patterns that restrict instantiation. It formalizes both the notion of trigger and the dual notion of known term. We show that this extension of first-order logic is conservative: formulas without triggers preserve their satisfiability under this semantics. We present in Sect. 3 a theoretical way of extending a generic ground SMT solver so that it can turn an axiomatization T with triggers into a decision procedure, provided that T has some additional properties. Finally, in Sect. 4, we demonstrate on the non-extensional theory of arrays how our framework can be used to demonstrate that an axiomatization with triggers indeed fulfills its requirements. Related Work. Triggers are a commonly used heuristic in SMT solvers that handle quantifiers. User manuals usually explain how they should be used to achieve the best performance [6, 12, 9]. Triggers can be automatically computed by the solvers. A lot of work has also been done on defining an efficient mechanism for finding the instances allowed by a trigger. These techniques, called E-matching, are described in [6, 13] for Simplify, in [4] for Z3, and in [9] for CVC3. Other heuristics for generating instances include model-based quantifier instantiation [8] and saturation processes closed to the superposition calculus [3]. In this paper, triggers are not handled in the usual manner. On the one hand, since SMT solvers are not complete in general when quantifiers are involved, they favor efficiency over completeness in the treatment of triggers. For example, they usually do not attempt to match triggers modulo underlying theories. On the other hand, in our framework, triggers are used to define theories, and they need therefore to be handled in a complete way. Triggers can also be used in complete first-order theorem provers to guide the proof search and improve the solver’s efficiency. This is done on a complete solver for a subset of first-order logic with linear arithmetics based on a sequent calculus in [14]. As for using an SMT solver as a decision procedure, the related idea that a set of first-order formulas can be saturated with a finite set of ground instances has been explored previously. For example, in [10], decision procedures for universally quantified properties of functional programs are designed using local model reasoning. In the same way, Ge and de Moura describe fragments of first-order logic that can be decided modulo theory by saturation [8]. Both of these works 23 Reasoning with Triggers JF1 ∧ F2 K± , JF1 K± ∧ JF2 K± JF1 ∨ F2 K± , JF1 K± ∨ JF2 K± C. Dross, S. Conchon, J. Kanig, A. Paskevich Jhti F K± , known(T (t)) ∧ JF K± J[t] F K± , known(T (t)) → JF K± J∀x. F K± , ∀x. known(x) → JF K± J∃x. F K± , ∃x. known(x) ∧ JF K± JAK+ , known(T (A)) → A JAK− , known(T (A)) ∧ A J¬F K+ , ¬JF K− J¬F K− , ¬JF K+ Figure 1: Semantics of FOL? -formulas (J K± denotes either J K+ or J K− ) define a restricted class of universally quantified formulas that can be finitely instantiated. We do not impose such restrictions a priori but rather require a dedicated proof of completeness. 2 First-Order Logic with Triggers and Witnesses In this section, we extend classical first-order logic, denoted FOL, with constructions to specify instantiation patterns and known terms. The semantics of this extension, denoted FOL? , is defined through an encoding into usual first-order logic. In the rest of the article, we write formulas in standard mathematical notation. 2.1 Syntax Informally, a trigger is a guard that prevents the usage of a formula until the requested term is known. We write it [t] F , which should be read if the term t and all its sub-terms are known then assume F . Note that we do not require a trigger to be tied to a quantifier. We separate the actual instantiation of a universal formula from the decision to use its result. A dual construct for [t] F , which we call witness, is written hti F and is read assume that the term t and all its sub-terms are known and assume F . This new construction explicitly updates the set of known terms, something for which there is no proper syntax in existing languages. The extended syntax of formulas can be summarized as follows: F ::= A | F1 ∧ F2 | F1 ∨ F2 | ∀x. F | ∃x. F | hti F | [t] F | ¬F We treat implication (→) and equivalence (↔) as abbreviations, in a standard fashion. 2.2 Denotational Semantics We define the semantics of our language via two encodings J K+ and J K− into first-order language, given in Fig. 1. The notation J K± is used when the rule is the same for both polarities and the polarity of the sub-formulas does not change. We introduce a fresh unary predicate symbol known which denotes the fact that a term is known. Given a term t or an atomic formula A, we denote with T (t) (respectively, T (A)) the set of all the V non-variable sub-terms of t (resp. A). The expression known(T (t)) stands for the conjunction t0 ∈T (t) known(t0 ). We require universally quantified formulas to be instantiated with known terms. This is consistent with the standard use of triggers: indeed, SMT solvers require (or compute) a trigger containing each quantified variable for every universal quantifier. Then every term that replaces a universally quantified variable is necessarily known, since sub-terms of a known term are 24 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich known, too. Dually, every existentially quantified variable is assumed to be known. This is necessary in order to allow instantiation with a witness from an existential formula. To maintain the invariant that the sub-terms of a known term are also known, our interpretation of hti F implies the presence of every non-variable sub-term of t (the presence of variables is assured by interpretation of the quantifiers). Dually, [t] F requires the presence of every non-variable sub-term of t; due to the mentioned invariant, this is not a restriction. Finally, whenever we encounter an atomic formula, regardless of its polarity, we assume the presence of its sub-terms. This is also in agreement with the standard use of triggers. We define entailment in FOL? as follows: F `? G , known(ω), JF K− ` JGK+ where ω is an arbitrary fresh constant supposed to be known a priori, and ` stands for entailment in FOL. A peculiar aspect of FOL? is the cut rule is not admissible in it. Indeed, one cannot prove ∀x . [f (x)] P (f (x)), ∀x . [f (g(x))] (P (f (g(x))) → Q(x)) `? Q(c), since the term f (g(c)) is not known and neither of the premises can be instantiated. However, Q(c) is provable via an intermediate lemma P (f (g(c))) → Q(c). 2.3 Example Consider the following set of formulas R from the previous section: R = { f (0) ≈ 0, f (1) 6≈ 1, ∀x.[f (x + 1)] f (x + 1) ≈ f (x) + 1 } We want to show that R is unsatisfiable in FOL? , that is to say, R `? ⊥. By have to prove that known(ω), JRK− ` ⊥.  known(T (f (0) ≈ 0)) ∧ f (0) ≈ 0,     known(T (f (1) 6≈ 1)) ∧ f (1) 6≈ 1, JRK− =  ∀x. known(x) → known(T (f (x + 1))) →    known(T (f (x + 1) ≈ f (x) + 1)) ∧ f (x + 1) ≈ f (x) + 1 definition, we          The set of formulas JRK− is unsatisfiable in first-order logic with arithmetic. Therefore, in our framework, the initial set R is unsatisfiable. 2.4 The Extension of First-Order Logic is Conservative Even if a formula does not contain triggers or witnesses, our encoding modifies it to restrict instantiation of universal formulas. However, it preserves satisfiability of formulas in classical first-order logic with equality. Theorem 2.1 (Soundness). For every first-order formula F , if we have F `? ⊥, then we also have F ` ⊥. Proof. Since known is a fresh predicate symbol, for every model M of F , there is a model M 0 of F such that M 0 only differs from M in the interpretation of known and M 0 ` ∀x.known(x). By immediate induction, (∀x.known(x)) ∧ F ` JF K− . As a consequence, M 0 is a model of JF K− and F 6`? ⊥. Thus, by contra-position, if F `? ⊥ then there is no model of F and F ` ⊥. Theorem 2.2 (Completeness). For any first-order formula F , if F ` ⊥ then F `? ⊥. The proof, based on inference trees in a certain paramodulation calculus, can be found in the technical report [7]. 25 Reasoning with Triggers 3 C. Dross, S. Conchon, J. Kanig, A. Paskevich Adding a Customizable Theory to a SMT Solver for Ground Formulas In this section, we define a wrapper over a generic SMT solver for ground formulas that accepts a theory written as a set of formulas with triggers. This solver is a theoretical model and it is not meant to be efficient. We prove it sound with respect to our framework. It is easy to show that conversion to NNF does not change the semantics of a FOL? -formula. Definition 3.1. We define a skolemization transformation Sko T for FOL? -formulas in negative normal form. Given a formula F = ∃x. G, we have Sko T (F ) , hc(y)i Sko T (G[x ← c(y)]), where y is the set of free variables of F , and c is a fresh function symbol. We put the witness hc(y)i to preserve satisfiability. Indeed, Sko(∃x. [x] ⊥) is [c] ⊥ which is satisfiable, while ∃x. [x] ⊥ is not. In the following, we work with FOL? -formulas in Skolem negative normal form. 3.1 A Solver for Ground Formulas To reason about FOL? -formulas, we use a solver S for ground formulas. Definition 3.2. We denote implication over ground formulas with theories ò to distinguish it from implication in first-order logic with theories `. We make a few assumptions about the interface of the ground solver S: • It returns Unsat(U ) when called on an unsatisfiable set of ground formulas R where U is an unsatisfiable core of R. We assume that U is a set of formulas that occur in R such that R ò U and U ò ⊥. • It returns Sat(M ) when called on a satisfiable set of ground formulas R where M is a model of R. We assume that M is a set of literals of R such that M ò R. We write R S Unsat(U ) (resp. R S Sat(M )) to express that the solver S returns Unsat(U ) (resp. Sat(M )) when launched on a set of ground formulas R. 3.2 Deduction Rules for First-Order Formulas with Triggers The solver Lift(S) takes a set of formulas with triggers T and a set of ground formulas S as input and decides whether S is satisfiable modulo T . It is constructed on top of a solver for ground formulas S and works on a set of ground formulas R that is augmented incrementally. While the solver S returns a model M of R, new facts are deduced from M and added to R. The set R initially contains the formulas from the input S as well as those from the theory T where literals, quantified formulas, and formulas with triggers or witnesses are replaced by fresh atoms. The atom replacing a formula F is written F and is called a protected formula. Definition 3.3. We say that a model M produces a pair F, t of a formula F and a term t if either F is the atom > and there is a literal L in M from S such that t ∈ T (L), F is a protected witness hsi G ∈ M and t ∈ T (s), or F a protected literal L ∈ M and t ∈ T (L). We write it M ↑ F, t. 26 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich The following deduction rules are used to retrieve information from the protected formulas of a model M : Pos Unfold hti F ∈ M hti F → F Neg Unfold [t] F ∈ M M ↑ G, t0 Lit Unfold L ∈M L →L M ∪ {t 6≈ t0 } S Unsat(U ∪ {t 6≈ t0 }) [t] F ∧ G ∧ U → F Inst ∀x. F ∈ M M ↑ G, t M ∪ {¬F [x ← t]} S Sat(M 0 ) ∀x. F ∧ G → F [x ← t] Rule Inst adds to R an instantiation of a universal formula with a known term. It is restricted by the premise M ∪ {¬F [x ← t]} S Sat(M 0 ) so that it does not instantiate a quantified formula if the result of the instantiation is already known. Rule Pos Unfold (resp. Lit Unfold) unfolds formulas with witnesses (resp. literals). Rule Neg Unfold removes a trigger when it is equal to a known term. Note that every deduction rule returns an implication: in a model where, say, hti F is not true, F does not need to be true either. The solver for FOL? -formulas Lift(S) returns Unsat on R, as soon as S returns Unsat on the current set of formulas. It returns Sat on R if the ground solver S returns a model M from which nothing new can be deduced by the above deduction rules. Here is an example of execution of the solver Lift(S) on the set of ground formulas S modulo the theory T : S = {f (0) ≈ 0, f (1) 6≈ 1} T = {∀x.[f (x + 1)] f (x + 1) ≈ f (x) + 1} Let us show how the solver Lift(S) can deduce that ( ) f (0) ≈ 0, f (1) 6≈ 1, R0 = ∀x.[f (x + 1)] f (x + 1) ≈ f (x) + 1 is unsatisfiable. 1. The ground solver returns the only possible model M0 of R0 , namely R0 itself. Since f (0) ≈ 0 ∈ M0 , M0 produces the pair >, 0. As a consequence, the rule Inst can instantiate x with 0 in the universal formula:    ∀x. [f (x + 1)] f (x + 1) ≈ f (x) + 1 ∧ > →  R1 = R0 ∪   [f (0 + 1)] f (0 + 1) ≈ f (0) + 1 2. The solver returns the model M1 = M0 ∪ { [f (0 + 1)] f (0 + 1) ≈ f (0) + 1 } of R1 . Since f (1) 6≈ 1 ∈ M1 , M1 produces the pair >, f (1). Based on results from the theory of arithmetics, the ground solver can deduce that f (0 + 1) 6≈ f (1) is unsatisfiable. Thus the rule Neg Unfold can add another formula to R1 :    [f (0 + 1)] f (0 + 1) ≈ f (0) + 1 ∧ > →  R2 = R1 ∪   f (0 + 1) ≈ f (0) + 1 27 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich 3. The ground solver returns the model M2 = M1 ∪ { f (0 + 1) ≈ f (0) + 1 } of R2 . The rule Lit Unfold can now unfold the protected literal f (0 + 1) ≈ f (0) + 1 : R3 = R2 ∪ { f (0 + 1) ≈ f (0) + 1 → f (0 + 1) ≈ f (0) + 1} 4. Any model of R3 contains f (0 + 1) ≈ f (0) + 1, f (0) ≈ 0 and f (1) 6≈ 1. The ground solver returns Unsat( ) on R3 . As expected, the initial set S is reported to be unsatisfiable modulo T . 3.3 Properties In this section, we prove that our solver is sound and complete on a particular class of axiomatics. In the following section, we demonstrate on an example how our framework can be used to check that a given axiomatics is in this class. Completeness We say that a set of formulas with triggers T is complete if, for every finite set of literals G, JG ∪ T K− and G ∪ T , triggers being ignored, are equisatisfiable in F OL. Termination We say that a set of formulas with triggers T is terminating if, from every finite set of literals G, there can only be a finite number of instances of formulas of T . In our framework, we enforce three rules to enable reasoning about termination: • instantiation is always done with known terms • new known terms cannot be deduced if they are protected by a trigger • an instance of a formula F with a term t is not generated if an instance of F has already been generated with t0 equal to t. Our solver is sound and complete if it works modulo a complete and terminating theory T : Theorem 3.1. If Lift(S) returns Unsat on a set of ground formulas S modulo a theory T then S ∪ T , triggers being ignored, is unsatisfiable in FOL. Theorem 3.2. If Lift(S) returns Sat on a set of ground formulas S modulo a complete theory T then S ∪ T , triggers being ignored, is satisfiable in FOL. Theorem 3.3. If the theory T is terminating, then the solver Lift(S) will terminate on any set of ground literal S. The proofs of these three theorems may be found in the technical report [7]. 4 Completeness and Termination of a theory Within our framework, we can reason about a theory T written as a set of formulas with triggers and demonstrate that it has the requested properties for our solver Lift(S) to be sound and complete. This section demonstrates how it can be done on an axiomatization of the non-extensional theory of arrays. We show that Greg Nelson’s proof of completeness for his decision procedure for arrays [13] can be turned into a proof of completeness of our solver on an axiomatization with carefully chosen triggers. Another example is given in the technical report [7]. For terms a, x and v, 28 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich we write access(a, x) the access in the array a at the index x and update(a, x, v) the update of the array a by the element v at the index x. The following set of first-order formulas T is an axiomatization of the classical theory from McCarthy: ∀a, x, v. [update(a, x, v)] access(update(a, x, v), x) ≈ v (1) ∀a, x1 , x2 , v. [access(update(a, x1 , v), x2 )] x1 6≈ x2 → access(update(a, x1 , v), x2 ) ≈ access(a, x2 ) (2) ∀a, x1 , x2 , v. [access(a, x2 )] [update(a, x1 , v)] x1 6≈ x2 → access(update(a, x1 , v), x2 ) ≈ access(a, x2 ) (3) Note that (2) and (3) are in fact duplications of the same first order formula with different triggers1 . Both of them are needed for completeness. For example, without (2) (resp. (3)), the set of formulas {y 6≈ x, access(update(a, y, v1 ), x) 6≈ access(update(a, y, v2 ), x)} (resp. the set of formulas {y 6≈ x, access(a1 , x) 6≈ access(a2 , x), update(a1 , y, v) = update(a2 , y, v)}) cannot be proven unsatisfiable. We prove that this axiomatics is complete and terminating. Termination: If G is a set of ground literals, there can only be a finite number of instances from G and T . From (1), at most one access term access(update(a, x, v), x) can be created per update term update(a, x, v) of G. No new update term can be created, so there will be only one instantiation of (1) per update term of G. Equations (2) and (3) can create at most one access term per couple comprising an index term (sub-term of an access term at the rightmost position) and an update term. We deduce that at most one term per couple comprising the equality classes of an index term and an update term of G can be deduced. Completeness: The set of formulas T gives a complete axiomatics. We prove that for every set of ground formulas G such that JG ∪ T K− is satisfiable, JG ∪ T K− ∪ ∀t.known(t) is also satisfiable. Since assuming known(t) for every term t removes triggers and witnesses, this shows that G ∪ T is satisfiable, triggers being ignored. The proof is similar to the proof of Greg Nelson’s decision procedure for arrays [13]. We first define the set of every array term a0 such that access(a0 , x) is equated to a given term access(a, x) by (2) or (3): Definition 4.1. For a set of formulas S and two terms a and x known in S, we define the set Sa,x to be the smallest set of terms containing a and closed by (i) if a0 ∈ Sa,x then every known term update(a0 , y, v) such that S 0 y ≈ x is in Sa,x and (ii) for every term update(a0 , y, ) ∈ Sa,x , if S 0 y ≈ x then a0 is in Sa,x . We now prove that, for every access or update term t, if S is a satisfiable set of ground formulas saturated by T then it can be extended to another satisfiable V set S 0 saturated by T − − that contains t = t. Since, by definition of J K , Jt = tK is equivalent to t0 ∈T (t) known(t), this is enough to have the completeness of T . This proof is an induction over the size of t. We assume that every sub-term of t has already been added. If known(t) is already implied by JSK− , then we are done. If t is neither an access nor an update term, then assuming the presence of t does not allow any new deduction. 1 Most provers have a dedicated syntax for using several triggers for the same axiom. 29 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich Assume t is an update term update(a, x, v). With the presence of t, (1) deduces the literal access(t, x) ≈ v. This cannot lead to an inconsistency since nothing can be known about t otherwise t would be known in JSK− . Equations (2) and (3) deduce access(t, y) = access(a0 , y) for all terms a0 and y such that JSK− ` known(access(a0 , y)) and t ∈ Sa0 ,y . Like the first one, this deductions cannot cause an inconsistency. The new set S 0 obtained by adding these literals to S is saturated by T . Indeed, if it is not, one of the formulas of T can deduce something that is not in S 0 . It cannot be (1) since we have applied it to the only new update term of S 0 . If it 0 is (2) or (3) then it comes from a term access(a0 , y) ∈ S 0 and St,y = Sa0 0 ,y . By construction of 0 0 S , the result is in S . Assume t is an access term access(a, x). With the presence of t, (2) and (3) deduce t = access(a0 , x) for every a0 ∈ Sa,x . This deduction cannot cause an inconsistency. Indeed, nothing can be known about access(a0 , x) otherwise t would have been known in S by (2) and (3). The new set S 0 obtained by adding these literals to S is saturated by T . Indeed, if it is not, one of the formulas of R can deduce something that is not in S 0 . It cannot be (1) since there is no new update term in S 0 . If it is (2) or (3) then it comes from a term access(a0 , y) ∈ S 0 and 0 = Sa0 0 ,y . By construction of S 0 , the result is in S 0 . Sa,y 5 Conclusion We have presented a new first-order logic with a syntax for triggers and given it a clear semantics. We have shown that a solver accepting a theory written as a set of formulas with triggers T can be implemented on top of an off-the-shelf SMT solver, and we have identified properties requested from T for the resulting solver to be sound and complete on ground formulas. Finally, we have demonstrated, on the non-extensional theory of arrays, that our framework can be used to prove that a theory expressed as a set of first-order formulas with triggers indeed has the requested properties. In future work, we would like to integrate our technique of quantifier handling directly inside a DPLL(T)-based solver. Once a solver implementing our semantics exists, a static analysis could be done to detect too restrictive or too permissive axiomatizations, and matching loops. We believe that such an analysis will help theory designers avoid common pitfalls when writing axiomatizations. References [1] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB standard version 2.0. Technical report, University of Iowa, december 2010. [2] François Bobot, Sylvain Conchon, Évelyne Contejean, and Stéphane Lescuyer. Implementing polymorphism in SMT solvers. In SMT’08, volume 367 of ACM ICPS, pages 1–5, 2008. [3] L. de Moura and N. Bjørner. Engineering dpll (t)+ saturation. Automated Reasoning, pages 475–490, 2008. [4] Leonardo de Moura and Nikolaj Bjørner. Efficient E-matching for SMT solvers. CADE’07, 2007. [5] Leonardo de Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. TACAS, 2008. [6] David Detlefs, Greg Nelson, and James B. Saxe. Simplify: a theorem prover for program checking. J. ACM, 52(3):365–473, 2005. [7] Claire Dross, Sylvain Conchon, Johannes Kanig, and Andrei Paskevich. Reasoning with triggers. Research Report RR-7986, INRIA, June 2012. 30 Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich [8] Y. Ge and L. De Moura. Complete instantiation for quantified formulas in satisfiabiliby modulo theories. In Computer Aided Verification, pages 306–320. Springer, 2009. [9] Yelting Ge, Clark Barrett, and Cesare Tinelli. Solving quantified verification conditions using satisfiability modulo theories. CADE, 2007. [10] Swen Jacobs and Viktor Kuncak. Towards complete reasoning about axiomatic specifications. In Proceedings of VMCAI, pages 278–293. Springer, 2011. [11] S. Lahiri and S. Qadeer. Back to the future: revisiting precise program verification using smt solvers. In ACM SIGPLAN Notices, volume 43, pages 171–182. ACM, 2008. [12] Michal Moskal. Programming with triggers. Proceedings of the 7th International Workshop on Satisfiability Modulo Theories, pages 20–29, 2009. [13] Greg Nelson. Techniques for program verification. Technical Report CSL81-10, Xerox Palo Alto Research Center, 1981. [14] P. Rümmer. E-matching with free variables. 2012. 31 SMT-Based System Verification with DVF Amit Goel, Sava Krstić, Rebekah Leslie, Mark R. Tuttle Intel Corporation Abstract We introduce the Deductive Verification Framework (DVF ), a language and a tool for verifying properties of transition systems. The language is procedural and the system transitions are a selected subset of procedures. The type system and built-in operations are consistent with SMT-LIB, as are the multisorted first-order logical formulas that may occur in DVF programs as pre- and post-conditions, assumptions, assertions, and goals. A template mechanism allows parametric specification of complex types within the confines of this logic. Verification conditions are generated from specified goals and passed to SMT engine(s). A general assume-guarantee scheme supports a thin layer of interactive proving. 1 Introduction This paper introduces the Deductive Verification Framework (DVF ), a language and automated proof-checker for the specification and verification of transition systems. In DVF , systems and their properties are modeled in an expressive language that enables a clean and efficient mapping of proof obligations into the multisorted first-order logic supported by modern SMT solvers. The design of the language and the automation from SMT solvers make DVF arguably easier to use than interactive theorem provers, while making it possible for us to verify systems that are out of the reach of model checkers. Over the last decade, research and validation groups at Intel have performed “high-level modeling” for several interesting examples, where protocols or architectural features were modeled, debugged, and verified in Murφ [9] or TLA+/TLC [12]. In both, transitions are conveniently presented as guarded commands. In our own experience, Murφ’s procedural style was most often fitting; however, its set of available types was constricting, and the state space of our models too large for Murφ (or other model checkers) to fully explore. When more naturally presented with datatypes such as sets, multisets and sequences, our models became more amenable to Hoare-style reasoning, but the hand-proofs of the generated verification conditions were large and ungainly—hardly counting as reliable proofs, despite their mathematical shallowness. Thus, a Hoare-style program analyzer supported by SMT-based proving of the generated conditions seemed to be better suited for our needs. From the class of existing tools of this kind, we picked Why [11] to experiment with. It worked on small examples, but was not a perfect fit. Why, like other tools in its class, is designed for analysis of traditional programs; our rule-based transition system descriptions required inelegant rewriting to become inputs for Why. Additionally, we were stymied by artifacts of the semantic translation(s) used by Why to create verification conditions for SMT from the source program and properties described in a polymorphic language. We designed DVF to overcome these difficulties. We strived for clarity and for keeping the semantic gap between our language and SMT-LIB small in order to minimize the translational overhead and to use SMT solvers efficiently. Our support for Hoare-style and assume-guarantee reasoning sets the foundation for further development of interactive proving features. Finally, DVF is conceived as a framework that will include additional tools such as simulators and model checkers. In this paper, we present the language and the tool on simple examples, but we have applied it to verify sizable cache-coherence and consensus protocols as well. In our industrial 32 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 32–43 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle setting, DVF has been successfully used to reason about security properties of instruction-level architectural features. In an ongoing project, DVF is also being used to model and verify complex system-on-chip boot flows. The basic DVF language is explained in the following section. The form and use of templates are discussed in Section 3, and Section 4 expounds on proof decomposition in the assumeguarantee style. 2 The DVF Language Listing 1 shows a DVF program that models a mutual exclusion algorithm. DVF provides a simple procedural programming language for guarded transition systems. Procedures may be annotated with pre- and post-conditions. A DVF program can additionally be sprinkled with assertions, assumptions, and goal declarations. All of these formulas are written in a multisorted first-order logic. Listing 1 A two-process mutual exclusion algorithm 1 type process = enum {n1, n2} type processes = array(process, bool) 26 const processes empty = mk array[process](false) transition enter critical(process n) require (want[n]) require (¬critical[n]) require (my turn(n)) {call set critical(n,true);} 6 const process other(process n) = n=n1 ? n2 : n1 11 16 var process turn var processes want = empty var processes critical = empty def bool my turn(process n) = turn = n proc unit set critical(process n, bool v) ensure (critical[n]=v) {critical := store(critical, n, v); return (); 31 36 transition req critical(process n) require (¬want[n]) {want[n] := true;} } def bool mutex = ¬(critical[n1] ∧critical[n2]) 41 } 21 transition exit critical (process n) require (critical[n]) {call set critical(n,false); want[n] := false; turn := other(n); goal g0 = invariant mutex def bool aux = ∀(process n) (critical[n] ⇒my turn(n)) 46 goal g1 = invariant (mutex ∧aux) The state space of the transition system is defined by the global (state) variables. Initial states of the system are defined by initial values assigned to the state variables. Some procedures in the program are marked as transitions; the system can transition from a state s to a state s0 if and only if one of the procedures marked as a transition leads from s to s0 . The rest of this section describes the language in more detail. 33 The Deductive Verification Framework 2.1 A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle Types and Expressions Booleans, mathematical integers and fixed-size bit-vectors are built-in, with their usual operators [2]. DVF also has the unit type, with the single value (), and tuples, with projection operators as in (1,true,3)#3 = 3. Arrays parametrized over their domain and range are also supported, with the read operator as in the expression want[n], and the write operator as in store(critical,n,v). In addition, arrays come equipped with a mk array constructor: for example, mk array[process m](m=n) can be used to characterize the set containing the single element n, and mk array[process](false) is the array mapping all processes to false. Since it can represent arbitrary functions as arrays, mk array is not supported by array decision procedures. For compilation to SMT problems, we introduce a fresh constant for each mk array term, and add a quantified assertion to specify its behavior; thus, the term mk array[process](false) would generate the assertion ∀(process n)(k[n]=false), where k is fresh. We can also declare enumerations, records, sums, and uninterpreted types. The uninterpreted types are useful for under-specification and for defining new types via axioms that constrain operations on the type. (For example, the type of naturals with the zero constant and the successor operator could be introduced this way.) Records are constructed by simultaneous assignment to all fields or by updating some of the fields of an existing record; record fields are accessed using dot notation. Sums are deconstructed using (exhaustive) match expressions. Since SMT solvers with support for sum types (or, more generally, algebraic data types) typically provide constructors and selectors, we compile pattern matches into variable bindings and expressions using those operators. Expressions in DVF are pure and statically typed. The language is designed to enable simple type inference. In keeping with this desire, enumerations, records and sums are typed nominally. We require annotations wherever it would not be possible to infer the type, say in mk array[process](false) to specify the type of the domain. All of the built-in DVF types and operators (with some translation as mentioned above) are supported by SMT solvers such as CVC3 [3], Yices [10] and Z3 [8]. 2.2 Variables, Constants and Definitions A DVF program’s global variables define the state of the transition system being modeled. Variable initialization serves to describe the initial state(s) of the system, with the understanding that when the initial value for a variable is not specified, it can be arbitrary. Thus, in Listing 1, want is initialized to empty and turn can initially be either n1 or n2. In addition to global variables, we can use local variables as temporary stores inside procedures and transitions. The const keyword introduces constants and (total) functions. See lines 4-5 and 6-7 in Listing 1 for examples of constant and function declarations. Constants and functions do not need to be defined; much like uninterpreted types, uninterpreted constants and functions are useful for under-specification and for specifying behavior with axioms. The def keyword is used to define state predicates and other functions that take the system state as an implicit argument. Note that the function my turn defined on line 13 of Listing 1 uses the state variable turn in its definition without having it as an explicit argument. We treat defs as macros to be inlined at points of use. 2.3 Statements, Procedures and Transitions DVF offers a standard set of statements: assignments, conditionals, while loops (annotated with loop invariants), procedure calls and returns. Statements may be grouped into blocks 34 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle with local variables. The examples turn := other(n); want[n] := true; cache[i].c state := invalid; x[31:16] := y[15:0]; show assignments to a variable, a single array element, individual record field, and a bit-range in a bit-vector. The last three forms are syntactic sugar; for example want[n] := true abbreviates want := store(want,n,true). Parallel assignment via pattern matching on tuples is allowed, as in (x,y) := (y,x). In common with languages like Boogie [14], we have assert, assume and nondeterministic assignment statements. Procedures take a (possibly empty) list of typed arguments and have a return type; when the return type is omitted, it is assumed to be unit. All paths in a procedure must have a return statement unless the return type is unit, in which case a return () is implicitly assumed. The keywords require and ensure are used to annotate procedures with preconditions and postconditions. In postconditions, result refers to the procedure’s returned value. Transitions are procedures that are identified as such. The system executes transitions atomically, choosing non-deterministically from transitions whose requirements are satisfied by the current state for some choice of argument values. A system can transition from the state s to the state s0 if and only if one of the procedures marked as a transition is enabled in s for some values of its arguments, and when executed with these values, it terminates in s0 . 2.4 Goals A program in DVF entails a set of proof obligations, arising from the use of assert statements, require and ensure clauses, as well as from explicitly specified goals, as described below. We can ask DVF to prove the logical validity of formulas. State variables may occur in such formulas, in which case the validity of the formula establishes the property for all states, reachable or not. For example, a lemma in our proof of the German cache-coherence protocol from [5] is stated as follows.1 def bool coherence thm = ∀(node i, node j) (i6=j ∧cache[i].c state = exclusive ⇒cache[j].c state = invalid) def bool coherence cor = ∀(node i, node j) (i6=j ∧cache[i].c state=shared ⇒cache[j].c state = invalid ∨cache[j].c state = shared) goal thm implies cor = formula (coherence thm ⇒coherence cor) For a procedure or transition τ with arguments a1 , . . . , an , we can write Hoare triples {θ}τ (e1 , . . . , en ){φ}, where the triple stands for θ ⇒ wlp(τ [e1 /a1 , . . . , en /an ], φ) and wlp is the weakest-liberal precondition. For example, memory integrity could be specified with the three triples: goal wr1 = {true} write(i,v) {mem[i]=v} goal wr2 = {mem[i]=v ∧i6=j} write(j, v’) {mem[i]=v} goal rd = {mem[i]=v} read(i) {result=v} In triples, the arguments to the procedure may be omitted, in which case the condition is checked for all possible argument values. 1 The proof needs the fact that caches can be in one of three states, invalid, shared or exclusive. See Appendix A for the DVF encoding of the protocol and proof of coherence thm. 35 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle The DVF goal initially φ states that φ is true in all initial states, and invariant φ states that φ is true in all reachable states. DVF attempts to prove invariants inductively. Thus, proving the goal g0 on line 41 of Listing 1 reduces to the proof obligations initially mutex, {mutex}req critical{mutex}, {mutex}enter critical{mutex}, and {mutex}exit critical{mutex}. Often, the invariants we want to prove are not inductive; in our example, {mutex}enter critical{mutex} is not valid. In such cases we interactively strengthen the invariant until it does become inductive. Strengthening mutex with an auxiliary property aux (line 42) creates mutex ∧aux, which is inductive and goal g1 in Listing 1 is easily discharged. In Section 4, we will describe the support DVF provides for managing invariance proofs for larger systems. 3 Axioms and Parametrized Templates Consider modeling a reference counting system, where there is a set of resources (with a special null resource) and a set of processes, each with a pointer to a resource. The system may allocate a free resource, at which point the resource becomes valid. A valid resource may be referenced by a process whose pointer is then set to the resource, and the resource’s reference counter goes up by 1. Processes may subsequently dereference the resource they point to, at the same time decrementing the counter for the resource. Finally, a resource with a count of 0 may be freed by the system, setting its status to invalid. A DVF model of this system is shown in Listing 2. Listing 2 Reference counting type process type resource const resource null 5 var array(resource, int) count var array(resource,bool) valid = mk array[resource](false) var array(process, resource) ptr = mk array[process](null) 25 30 } 35 transition free(resource r) require (valid[r]) require (count[r] = 0) {valid[r] := false;} 10 15 transition alloc(resource r) require (r 6=null) require (¬valid[r]) {valid[r] := true; count[r] := 0; } 20 transition ref(process p, resource r) require (valid[r]) require (ptr[p] = null) {ptr[p] := r; count[r] := count[r] + 1; } transition deref(process p) require (ptr[p] 6=null) {var resource r = ptr[p]; ptr[p] := null; count[r] := count[r] − 1; def bool prop = ∀(process p) (ptr[p]6=null ⇒valid[ptr[p]]) 40 def bool refs non zero = ∀(process p) (ptr[p]6=null ⇒count[ptr[p]] > 0) 45 goal g0 = invariant prop goal g1 = invariant (prop ∧refs non zero) We want to verify a basic property: if a process points to a non-null resource, then that resource must be valid. 36 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle It turns out that this property is not inductive; in particular, one cannot prove the goal {prop}free{prop}. Insight into the failing proof leads to the consideration of an auxiliary property, refs non zero, which states that the reference count of a resource cannot be 0 if there is a process pointing to it. Attempting to prove the strengthened invariant (the conjunction of the two properties), we soon realize that it would be convenient to track the set of processes pointing to a resource, and to show that the cardinality of this set is equal to the reference count of the resource. DVF does not provide a built-in type for sets. We could represent sets using arrays that map elements to Booleans (e.g., valid in Listing 2), but that would still leave us wanting for a cardinality operator. Instead, we introduce a new type for sets, as well as constants for the empty set, set membership, adding and removing an element from a set, and cardinality. We then write axioms that constrain the behavior of these constants. At this point, crucially, we wish for some sort of parametricity to avoid having to encode sets for each new element type. Typically, and perhaps most naturally, parametricity is introduced via polymorphic type constructors in the language. However, this creates a discrepancy with the non-polymorphic logic of SMT solvers and would necessitate a logical translation between the front and the back end of the tool. This complication is avoided in DVF by the use of a template construct. Listing 3 shows the encoding of sets, parametrized by the type of elements, that we use in the next section to complete the proof of our reference counting example. In general, DVF templates may be parametrized by types and values; for instance, a template for bounded queues might include the type of elements and the depth of the queue as parameters. Templates are instantiated by modules where all parameters are replaced with concrete types and values. Thus, every DVF system description is essentially monomorphic, matching the SMT-LIB logic. Listing 3 Sets with cardinality template <type elem> Set { 5 // Signature type set const set empty const bool mem (elem x, set s) const set add (elem x, set s) const set del (elem x, set s) const int card (set s) 25 30 35 axiom card add = ∀(elem x, set s) (card(add(x,s)) = (mem(x,s) ? card(s) : card(s)+1)) 15 axiom mem add = ∀(elem x, elem y, set s) (mem(x,add(y,s)) = (x=y ∨mem(x,s))) 20 axiom mem del = ∀(elem x, elem y, set s) (mem(x,del(y,s)) = (x6=y ∧mem(x,s))) axiom card zero = ∀(set s) (card(s)=0 ⇒s = empty) axiom card non negative = ∀(set s) (card(s) ≥0) 10 // Axioms for set membership axiom mem empty = ∀(elem e) (¬mem(e,empty)) // Axioms for cardinality axiom card empty = card(empty) = 0 40 axiom card del = ∀(elem x, set s) (card(del(x,s)) = (mem(x,s) ? card(s)−1 : card(s))) 45 } 37 The Deductive Verification Framework 4 A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle Compositional Reasoning Continuing with our reference counting example, we modify the system with an auxiliary variable, handles, that tracks the set of processes pointing to each resource. This allows us to state the property count eq card, asserting that the reference count of a resource is equal to the cardinality of its set of handles. Unfortunately, even with this strengthening we do not have an inductive invariant. We need two more properties of the system, ptr in handles and handle is ptr, to establish that the set of handles for a resource is precisely the set of processes pointing to the resource. Listing 4 shows the system with all these additions. This process of incrementally strengthening the invariant can quickly become unmanageable as more and more conjuncts are added. The proof goals become harder for the SMT solver and in case of proof failure, it is harder to diagnose the reason for the failure. Also, it is easy to lose track of an understanding for why the auxiliary invariants were necessary. Proofs of this kind are more easily carried out compositionally by breaking down the temporal induction step into separate proofs for each invariant, where each invariant is derived assuming: (1) some of the other invariants that have been proven for the previous time value, and (2) yet others that have been proven to hold now. This leads to potentially invalid circular reasoning. The following paragraph summarizes a well-known sound compositional reasoning scheme. Compositional proofs are conveniently represented in graphical form as in Figure 1, with purported invariants at the nodes, and with some edges marked as latched. For every node φ, let Aφ be the conjunction of all ψ such that there is a latched edge from ψ to φ. Similarly, let Bφ be the conjunction of all ψ such that there is an unlatched edge from ψ to φ. The set of proof obligations generated by the graph consists of conditions initially φ and triples {Aφ ∧ φ}τ {Bφ ⇒ φ}, for every node φ and every transition τ . If the graph contains no combinational cycles, then this set of initial conditions and triples implies invariance of all node formulas. This is a special case of McMillan’s result on assume-guarantee reasoning [15].2 To finish with our example, the goals main and aux1−aux4 in Listing 4 correspond to the five nodes in Figure 1, and are all provable. Notice that all edges coming into any particular node are of the same type: latched or non-latched. Restricting proof graphs so that all nodes are one of these two “pure” types does not lose generality.3 The “latched” nodes correspond to DVF goals of the form invariant φ assuming Aφ , which creates proof obligations initially φ and {Aφ ∧ φ}τ {φ}. The “unlatched” nodes correspond to formula (Bφ ⇒ φ), which is stronger than {φ}τ {Bφ ⇒ φ}, but is simpler and suffices in practice. 5 Related Work As a procedural system description language, DVF is most closely related to Murφ [9] which is designed for efficient explicit-state model checking. DVF , on the other hand, is an SMTbased deductive verification tool. Like DVF , the system verification tools UCLID [4] and SAL [17] are SMT based. UCLID’s modeling language is restricted by the decision procedure it relies on (for a logic that covers counter arithmetic, non-extensional arrays, and uninterpreted functions). With SAL we share reliance on full-blown SMT solving, but differ in the presentation of systems: SAL’s (and UCLID’s) system descriptions are relational, not procedural. While 2 McMillan’s technique applies to proving more general temporal formulas, not only invariants. If, for some φ, both Aφ and Bφ are non-empty, let φ0 be the formula Bφ ⇒ φ and modify the proof graph by adding the node φ0 to it with: (1) a latched edge from φ to φ0 ; (2) an unlatched edge from φ0 to φ; and (3) all latched edges into φ redirected to end in φ0 . In the new graph, Aφ and Bφ0 are empty. The proof obligations for φ0 in the new graph are weaker than the proof obligations for φ in the old graph, and φ follows by modus ponens from its predecessors in the new graph. 3 Proof. 38 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle Listing 4 Reference Counting with a Compositional Proof 5 10 15 type resource type process const resource null module R = Set<type resource> module S = Set<type process> var R.set valid = R.empty var array(resource, int) count var array(process, resource) ptr = mk array[process](null) var array(resource, S.set) handles transition alloc(resource r) require (r 6=null) require (¬R.mem(r,valid)) {valid := R.add(r,valid); count[r] := 0; handles[r] := S.empty; } def bool prop = ∀(process p) (ptr[p]6=null ⇒R.mem(ptr[p],valid)) 45 def bool refs non zero = ∀(process p) (ptr[p]6=null ⇒count[ptr[p]] > 0) 50 55 60 20 25 transition ref(process p, resource r) require (R.mem(r,valid)) require (ptr[p] = null) {ptr[p] := r; count[r] := count[r] + 1; handles[r] := S.add(p, handles[r]); def bool count eq card = ∀(resource r) (r6=null ∧R.mem(r,valid) ⇒count[r] = S.card(handles[r])) def bool ptr in handles = ∀(process p) (ptr[p]6=null ⇒S.mem(p, handles[ptr[p]])) def bool handle is ptr = ∀(process p, resource r) (r6=null ∧R.mem(r,valid) ∧S.mem(p, handles[r]) ⇒ptr[p] = r) 65 goal main = invariant prop assuming refs non zero } 30 transition deref(process p) require (ptr[p] 6=null) {var resource r = ptr[p]; ptr[p] := null; count[r] := count[r] − 1; handles[r] := S.del(p, handles[r]); 35 } 40 transition free(resource r) require (R.mem(r,valid)) require (count[r] = 0) {valid := R.del(r, valid);} 70 75 goal aux1 = formula (count eq card ∧prop ∧ptr in handles ⇒refs non zero) goal aux2 = invariant count eq card assuming ptr in handles, handle is ptr goal aux3 = invariant ptr in handles assuming prop 80 goal aux4 = invariant handle is ptr 39 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle ptr in handles count eq card prop refs non zero handle is ptr Figure 1: Proof Graph for Reference Counting Example SAL has features (notably, system composition) currently not available in DVF , it does not have the expressivity achieved in DVF by axiomatizations and parametrized templates. DVF uses Hoare-style verification techniques much like existing tools for program verification; for example, [1, 6, 13, 18]. However, these tools are not well suited for high-level modeling because of the limitations of their source languages. A better comparison is with the intermediate languages used by these tools. Boogie [14] and Why [11] have additional constructs (a richer set of types, polymorphism, the ability to add axioms) that make modeling easier, but they do not provide the support necessary for specification of systems and system properties. In fact, our work on DVF was motivated by the promise evident from our early experiments with Why, and was directed to overcome the limitations we faced. We found the threading of system invariants via contracts to be a major burden. We also found that the translations introduced to encode types from the polymorphic source language into terms in the multisorted language of SMT solvers made it harder to discharge the proofs. While there has been work [7, 14] on improving translations for subsequent proving efficiency, the parametricity enabled by DVF templates is a semantically cleaner solution. DVF is less expressive; for example, some aspects of memory encoding in Boogie would be difficult to mimic in DVF . In our experience this trade-off has been justified—we have found templates to work well for our system modeling tasks. Finally, we note that DVF templates are similar to parametrized theories in the interactive prover PVS [19]. 6 Conclusion We have presented DVF , a language and tool for the modeling and verification of transition systems. It is particularly suitable for systems that involve complex parametrized data types (like sets, multisets, sequences, queues, partial orders). Such types are represented axiomatically by means of a template construction, which allows all logical manipulations in DVF —from program annotation to the generation of verification conditions for SMT solvers—to cleanly stay within the multisorted first-order logic. The niche of DVF is systems beyond the capacity of model checkers and not readily admitting model-checkable finite-state abstractions as in, say, [16, 5]. Its primary application so far has been to verify new and complex architectural features in hardware systems where Hoarestyle reasoning has scaled well, requiring only seconds for verification tasks that generated up to a few hundred proof obligations. The human effort required to provide auxiliary proof artifacts has not been overwhelming. In fact, the auxiliary invariants have helped our and the designers’ understanding, providing valuable documentation as well as checks for implementations. Ignoring the logical matter, a DVF system description looks like an ordinary program with 40 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle an interface defined by several named procedures (transitions). This syntactic closeness to common programming languages is a significant convenience in the industrial environment, where model development is done in collaboration with designers unfamiliar with formal languages. For future work, the diagnosis of proof failures is a priority; proof failures have been largely due to unprovable goals (rather than solvers’ capacity limits), so we need meaningful countermodel production for our SMT queries. At the language level, we will need to add some modularity mechanism for modeling larger and more complex systems. Human-assisted skeletal proof construction (Section 4) can use additional proof rules and “tactics” borrowed from interactive provers. Finally, even the least sophisticated model-checking back-end would help with early debugging of system models. References [1] M. Barnett, R. DeLine, M. Fähndrich, B. Jacobs, K. R. M. Leino, W. Schulte, and H. Venter. The Spec# programming system: Challenges and directions. In VSTTE, pages 144–152, 2005. [2] C. Barrett, A. Stump, and C. Tinelli. The SMT-LIB Standard: Version 2.0. In A. Gupta and D. Kroening, editors, SMT, 2010. [3] C. Barrett and C. Tinelli. CVC3. In CAV, pages 298–302, 2007. [4] R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In CAV, pages 78–92, 2002. [5] C.-T. Chou, P. K. Mannava, and S. Park. A simple method for parameterized verification of cache coherence protocols. In FMCAD, pages 382–398, 2004. [6] E. Cohen, M. Dahlweid, M. A. Hillebrand, D. Leinenbach, M. Moskal, T. Santen, W. Schulte, and S. Tobies. VCC: A practical system for verifying concurrent c. In TPHOLs, pages 23–42, 2009. [7] J.-F. Couchot and S. Lescuyer. Handling polymorphism in automated deduction. In CADE, pages 263–278, 2007. [8] L. M. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, pages 337–340, 2008. [9] D. L. Dill, A. J. Drexler, A. J. Hu, and C. H. Yang. Protocol verification as a hardware design aid. In ICCD, pages 522–525, 1992. [10] B. Dutertre and L. D. Moura. The Yices SMT solver. Technical report, SRI, 2006. [11] J.-C. Filliâtre and C. Marché. The Why/Krakatoa/Caduceus platform for deductive program verification. In CAV, pages 173–177, 2007. [12] L. Lamport. Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, 2002. [13] K. R. M. Leino. Dafny: An automatic program verifier for functional correctness. In LPAR (Dakar), pages 348–370, 2010. [14] K. R. M. Leino and P. Rümmer. A polymorphic intermediate verification language: Design and logical encoding. In TACAS, pages 312–327, 2010. [15] K. L. McMillan. Circular compositional reasoning about liveness. In CHARME, pages 342–345, 1999. [16] K. L. McMillan. Verification of infinite state systems by compositional model checking. In CHARME, pages 219–234, 1999. [17] L. D. Moura, S. Owre, and N. Shankar. The SAL language manual. Technical report, SRI, 2003. [18] Y. Moy and C. Marché. Jessie Plugin, Boron version. INRIA, 2010. http://frama-c.com/ jessie/jessie-tutorial.pdf. [19] S. Owre, J. M. Rushby, and N. Shankar. PVS: A Prototype Verification System. In CADE, pages 748–752, 1992. 41 The Deductive Verification Framework A A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle Verification of the German Protocol Listing 5 shows a DVF translation of the German cache coherence protocol from its Murφ presentation in [5]. We have added an auxiliary variable, exnode, to store the node, if any, that has exclusive access. Figure 2 shows the proof graph for the control property using the following auxiliary invariants: def bool p1 = ∀(node n) (exgntd ⇒shrset[n] = (n = exnode)) def bool p2 = ∀(node n) (chan2[n].m cmd = gnte ∨cache[n].c state=exclusive ⇒exgntd) def bool p3 = ∀(node n) (¬shrset[n] ⇒cache[n].c state = invalid ∧chan2[n].m cmd = empty ∧chan3[n].m cmd = empty) def bool p4 = ∀(node n) (invset[n] ⇒shrset[n]) def bool p5 = ∀(node n) (chan3[n].m cmd = invack ⇒chan2[n].m cmd = empty ∧cache[n].c state = invalid) def bool p6 = ∀(node n) (chan2[n].m cmd = inv ∨chan3[n].m cmd = invack ⇒¬invset[n] ∧shrset[n]) def bool p7 = ∀(node n) (chan2[n].m cmd = inv ∨chan3[n].m cmd = invack ⇒(curcmd = reqs ∧exgntd) ∨curcmd = reqe) p7 p5 p2 p1 p6 p4 p3 coherence thm Figure 2: Proof Graph for the German Protocol 42 The Deductive Verification Framework A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle Listing 5 German Cache Coherence Protocol 2 7 12 17 22 27 32 37 42 // Types type node type data type cache state = enum {invalid, shared, exclusive} type cache = struct {c state: cache state; c data: data} type msg cmd = enum {empty,reqs,reqe,inv,invack,gnts,gnte} type msg = struct {m cmd: msg cmd; m data: data} type chan = array(node, msg) type caches = array(node, cache) type nodes = array(node, bool) // Constants for initialization const data dummy const msg imsg = {m cmd = empty; m data = dummy} const cache icache = {c state = invalid; c data = dummy} // State variables var caches cache = mk array[node](icache) var chan chan1 = mk array[node](imsg) var chan chan2 = mk array[node](imsg) var chan chan3 = mk array[node](imsg) var nodes invset = mk array[node](false) var nodes shrset = mk array[node](false) var bool exgntd = false var node exnode var msg cmd curcmd = empty var node curptr var data memdata // Actions transition send req shared (node i) require (chan1[i].m cmd = empty) require (cache[i].c state = invalid) {chan1[i].m cmd := reqs;} transition send req exclusive(node i) require (chan1[i].m cmd = empty) require (cache[i].c state 6=exclusive) {chan1[i].m cmd := reqe;} transition recv req shared (node i) require (curcmd = empty) require (chan1[i].m cmd = reqs) {curcmd := reqs; curptr := i; chan1[i].m cmd := empty; invset := shrset;} 62 67 } 72 77 52 57 transition send inv (node i) require (chan2[i].m cmd = empty) require (invset[i]) require (curcmd=reqe ∨curcmd=reqs ∧exgntd) {chan2[i].m cmd:= inv; invset[i]:= false;} transition recv invack (node i) require (chan3[i].m cmd = invack) require (curcmd 6=empty) {chan3[i].m cmd := empty; shrset[i] := false; if (exgntd) { exgntd := false; memdata := chan3[i].m data;} } 82 transition send gnt shared () require (curcmd = reqs) require (¬exgntd) require (chan2[curptr].m cmd = empty) {chan2[curptr].m cmd := gnts; chan2[curptr].m data := memdata; shrset[curptr] := true; curcmd := empty;} 87 92 transition send gnt exclusive () require (curcmd = reqe) require (¬exgntd) require (chan2[curptr].m cmd = empty) require (∀ (node j) (¬shrset[j])) {chan2[curptr].m cmd := gnte; chan2[curptr].m data := memdata; shrset[curptr] := true; curcmd := empty; exgntd := true; exnode := curptr;} 97 102 47 transition recv req exclusive (node i) require (curcmd = empty) require (chan1[i].m cmd = reqe) {curcmd := reqe; invset := shrset; curptr := i; chan1[i].m cmd := empty;} transition send invack (node i) require (chan2[i].m cmd = inv) require (chan3[i].m cmd = empty) {chan2[i].m cmd := empty; chan3[i].m cmd := invack; if (cache[i].c state = exclusive) { chan3[i].m data := cache[i].c data;} cache[i].c state := invalid; 107 transition recv gnt shared (node i) require (chan2[i].m cmd = gnts) {cache[i].c state := shared; cache[i].c data := chan2[i].m data; chan2[i].m cmd := empty;} transition recv gnt exclusive (node i) require (chan2[i].m cmd = gnte) {cache[i].c state := exclusive; cache[i].c data := chan2[i].m data; chan2[i].m cmd := empty;} 112 transition store data (node i, data d) require (cache[i].c state = exclusive) {cache[i].c data := d;} 117 def bool coherence thm = ∀(node i, node j) (i6=j ∧cache[i].c state = exclusive ⇒cache[j].c state = invalid) 43 On the Complexity of Fixed-Size Bit-Vector Logics with Binary Encoded Bit-Width Gergely Kovásznai, Andreas Fröhlich, Armin Biere Institute for Formal Models and Verification Johannes Kepler University, Linz, Austria∗ Abstract Bit-precise reasoning is important for many practical applications of Satisfiability Modulo Theories (SMT). In recent years efficient approaches for solving fixed-size bit-vector formulas have been developed. From the theoretical point of view, only few results on the complexity of fixed-size bit-vector logics have been published. In this paper we show that some of these results only hold if unary encoding on the bit-width of bit-vectors is used. We then consider fixed-size bit-vector logics with binary encoded bit-width and establish new complexity results. Our proofs show that binary encoding adds more expressiveness to bit-vector logics, e.g. it makes fixed-size bit-vector logic even without uninterpreted functions nor quantification NExpTime-complete. We also show that under certain restrictions the increase of complexity when using binary encoding can be avoided. 1 Introduction Bit-precise reasoning over bit-vector logics is important for many practical applications of Satisfiability Modulo Theories (SMT), particularly for hardware and software verification. Syntax and semantics of fixed-size bit-vector logics do not differ much in the literature [9, 3, 4, 11, 6]. Concrete formats for specifying bit-vector problems also exist, like the SMT-LIB format or the BTOR format [5]. Working with non-fixed-size bit-vectors has been considered for instance in [4, 1] and more recently in [20], but will not be further discussed in this paper. Most industrial applications (and examples in the SMT-LIB) have fixed bit-width. We investigate the complexity of solving fixed-size bit-vector formulas. Some papers propose such complexity results, e.g. in [3] the authors consider quantifier-free bit-vector logic, and give an argument for NP-hardness of its satisfiability problem. In [6], a sublogic of the previous one is claimed to be NP-complete. In [23, 22], the quantified case is addressed, and the satisfiability of this logic with uninterpreted functions is proven to be NExpTime-complete. The proof holds only if we assume that the bit-widths of the bit-vectors in the input formula are written/encoded in unary form. We are not aware of any work that investigates how the particular encoding of the bit-widths in the input affects complexity (as an exception, see [8, Page 239, Footnote 3]). In practice a more natural and exponentially more succinct logarithmic encoding is used, such as in the SMT-LIB, the BTOR, and the Z3 format. We investigate how complexity varies if we consider either a unary or a logarithmic (actually without loss of generality) binary encoding. In practice state-of-the-art bit-vector solvers rely on rewriting and bit-blasting. The latter is defined as the process of translating a bit-vector resp. word-level description into a bit-level circuit, as in hardware synthesis. The result can then be checked by a (propositional) SAT solver. We give an example, why in general bit-blasting is not polynomial. Consider checking commutativity of bit-vector addition for two bit-vectors of size one million. Written to a file this formula in SMT2 syntax can be encoded with 138 bytes: ∗ This 44 work is partially supported by FWF, NFN Grant S11408-N23 (RiSE). Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 44–55 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere (set-logic QF_BV) (declare-fun x () (_ BitVec 1000000)) (declare-fun y () (_ BitVec 1000000)) (assert (distinct (bvadd x y) (bvadd y x))) Using Boolector [5] with rewriting optimizations switched off (except for structural hashing), bit-blasting produces a circuit of size 103 MB in AIGER format. Tseitin transformation results in a CNF in DIMACS format of size 1 GB. A bit-width of 10 million can be represented by two more bytes in the SMT2 input, but could not bit-blasted anymore with our tool-flow (due to integer overflow). As this example shows, checking bit-vector logics through bit-blasting can not be considered to be a polynomial reduction, which also disqualifies bit-blasting as a sound way to prove that the decision problem for (quantifier-free) bit-vector logics is in NP. We show that deciding bit-vector logics, even without quantifiers, is much harder: it is NExpTime-complete. Informally speaking, we show that moving from unary to binary encoding for bit-widths increases complexity exponentially and that binary encoding has at least as much expressive power as quantification. However we give a sufficient condition for bit-vector problems to remain in the “lower” complexity class, when moving from unary to binary encoding. We call them bit-width bounded problems. For such problems it does not matter, whether bit-width is encoded unary or binary. We also discuss some concrete examples from SMT-LIB. 2 Preliminaries We assume the common syntax for (fixed-size) bit-vector formulas, c.f. SMT-LIB and [9, 3, 4, 11, 6, 5]. Every bit-vector possesses a bit-width n, either explicit or implicit, where n is a natural number, n ≥ 1. We denote a bit-vector constant with c[n] , where c is a natural number, 0 ≤ c < 2n . A variable is denoted with x[n] , where x is an identifier. Let us note that no explicit bit-width belongs to bit-vector operators, and, therefore, the bit-width of a compound term is implicit, i.e., can be calculated. Let t[n] denote the fact that the bit-vector term t is of bit-width n. We even omit an explicit bit-width if it can be deduced from the context. In our proofs we use the following bit-vector operators: indexing (t[n] [i], 0 ≤ i < n), bit[n] [n] [n] [n] [n] [n] wise negation (∼ t[n] ), bitwise and (t1 & t2 ), bitwise or (t1 | t2 ), shift left (t1 t2 ), [n] [n] [n] [n] [n] [n] logical shift right (t1 t2 ), addition (t1 + t2 ), multiplication (t1 · t2 ), unsigned divi[n] [n] [n] [n] sion (t1 / t2 ), and equality (t1 = t2 ). Including other common operations (e.g., slicing, concatenation, extensions, arithmetic right shift, signed arithmetic and relational operators, rotations etc.) does not destroy the validity of our subsequent propositions, since they all can be bit-blasted polynomially in the bit-width of their operands. Uninterpreted functions will also be considered. They have an explicit bit-width for the result type. The application of such [n ] [n ] a function is written as f [n] (t1 , . . . , tm ), where f is an identifier, and t1 1 , . . . , tmm are terms. Let QF BV1 resp. QF BV2 denote the logics of quantifier-free bit-vectors with unary resp. binary encoded bit-width (without uninterpreted functions). As mentioned before, we prove that the complexity of deciding QF BV2 is exponentially higher than deciding QF BV1. This fact is, of course, due to the more succinct encoding. The logics we get by adding uninterpreted functions to these logics are denoted by QF UFBV1 resp. QF UFBV2. Uninterpreted functions are powerful tools for abstraction, e.g., they can formalize reads on arrays. When quantification is introduced, we get the logics BV1 resp. BV2 when uninterpreted functions are prohibited. When they are allowed, we get UFBV1 resp. UFBV2. These latter logics are expressive enough, for instance, to formalize reads and writes on arrays with quantified indices.1 1 Let us emphasize again that among all these logics the ones with binary encoding correspond to the logics 45 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width 3 Kovásznai, Fröhlich, and Biere Complexity In this section we discuss the complexity of deciding the bit-vector logics defined so far. We first summarize our results, and then give more detailed proofs for the new non-trivial ones. The results are also summarized in a tabular form in Appendix A. First, consider unary encoding of bit-widths. Without uninterpreted functions nor quantification, i.e., for QF BV1, the following complexity result can be proposed (for partial results and related work see also [3] and [6]): Proposition 1. QF BV1 is NP-complete2 Proof. By bit-blasting, QF BV1 can be polynomially reduced to Boolean formulas, for which the satisfiability problem (SAT) is NP-complete. The other direction follows from the fact that Boolean formulas are actually QF BV1 formulas whose all terms are of bit-width 1. Adding uninterpreted functions to QF BV1 does not increase complexity: Proposition 2. QF UFBV1 is NP-complete. Proof. In a formula, uninterpreted functions can be eliminated by replacing each occurrence with a new bit-vector variable and adding (at most quadratic many) Ackermann constraints, e.g. [16, Chapter 3.3.1]. Therefore, QF UFBV1 can be polynomially translated to QF BV1. The other direction directly follows from the fact that QF BV1 ⊂ QF UFBV1. Adding quantifiers to QF BV1 yields the following complexity (see also [8]): Proposition 3. BV1 is PSpace-complete. Proof. By bit-blasting, BV1 can be polynomially reduced to Quantified Boolean Formulas (QBF), which is PSpace-complete. The other direction directly follows from the fact that QBF ⊂ BV1 (following the same argument as in Prop. 1). Adding quantifiers to QF UFBV1 increases complexity exponentially: Proposition 4 (see [22]). UFBV1 is NExpTime-complete. Proof. Effectively Propositional Logic (EPR), being NExpTime-complete, can be polynomially reduced to UFBV1 [22, Theorem 7]. For completing the other direction, apply the reduction in [22, Theorem 7] combined with the bit-blasting of the bit-vector operations. Our main contribution is to give complexity results for the more common logarithmic (actually without loss of generality) binary encoding. Even without uninterpreted functions nor quantification, i.e., for QF BV2, we obtain the same complexity as for UFBV1. Proposition 5. QF BV2 is NExpTime-complete. Proof. It is obvious that QF BV2 ∈ NExpTime, since a QF BV2 formula can be translated exponentially to QF BV1 ∈ NP (Prop. 1), by a simple unary re-encoding of all bit-widths. The proof that QF BV2 is NExpTime-hard is more complex and given in Sect. 3.1. Adding uninterpreted functions to QF BV2 does not increase complexity, again using Ackermann constraints, as in the proof for Prop. 2: QF BV, QF UFBV, BV, and UFBV used by the SMT community, e.g., in SMT-LIB. 2 This kind of result is often called unary NP-completeness [14]. 46 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere Proposition 6. QF UFBV2 is NExpTime-complete. However, adding quantifiers to QF UFBV2 increases complexity exponentially: Proposition 7. UFBV2 is 2-NExpTime-complete. Proof. Similarly to the proof of Prop. 5, a UFBV2 formula can be exponentially translated to UFBV1 ∈ NExpTime (Prop. 4), simply by re-encoding all the bit-widths to unary. It is more difficult to prove that UFBV2 is 2-NExpTime-hard, which we show in Sect. 3.2. Notice that deciding QF BV2 has the same complexity as UFBV1. Thus, starting with QF BV1, re-encoding bit-widths to binary gives the same expressive power, in a precise complexity theoretical sense, as introducing uninterpreted functions and quantification all together. Thus it is important to differentiate between unary and binary encoding of bit-widths in bitvector logics. Our results show that binary encoding is at least as expressive as quantification, while only the latter has been considered in [23, 22]. 3.1 QF BV2 is NExpTime-hard In order to prove that QF BV2 is NExpTime-hard, we pick a NExpTime-hard problem and, then, we reduce it to QF BV2. Let us choose the satisfiability problem of Dependency Quantified Boolean Formulas (DQBF), which has been shown to be NExpTime-complete [2]. In DQBF, quantifiers are not forced to be totally ordered. Instead a partial order is explicitly expressed in the form e(u1 , . . . , um ), stating that an existential variable e depends on the universal variables u1 , . . . , um , where m ≥ 0. Given an existential variable e, we will use Deps(e) to denote the set of universal variables that e depends on. A more formal definition can be found in [2]. Without loss of generality, we can assume that a DQBF formula is in clause normal form. In the proof, we are going to apply bitmasks of the form 2n z }| { . . 0} 1| .{z . . 1} . . . 0| .{z . . 0} 1| .{z . . 1} |0 .{z 2i 2i 2i 2i Given n ≥ 1 and i, with 0 ≤ i < n, we denote such a bitmask with Min . Notice that these bitmasks correspond to the binary magic numbers [12] (see also Chpt. 7 of [21]), and, can thus arithmetically be calculated in the following way (actually as sum of a geometric series): n Min := 2(2 ) − 1 2(2i ) + 1 In order to reformulate this definition in terms of bit-vectors, the numerator can be written as n i ∼ 0[2 ] , and 2(2 ) as 1 (1 i), which results in the following bit-vector expression: n Min := ∼ 0[2 ] / (1 (1 i)) + 1 (1) Theorem 8. DQBF can be (polynomially) reduced to QF BV2. Proof. The basic idea is to use bit-vector logic to encode function tables in an exponentially more succinct way, which then allows to characterize independence of an existential variable from a particular universal variable polynomially. 47 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere More precisely, we will use binary magic numbers, as constructed in Eqn. (1), to create a certain set of fully-specified exponential-size bit-vectors by using a polynomial expression, due to binary encoding. We will then formally point out the well-known fact that those bit-vectors correspond exactly to the set of all assignments. We can then use a polynomial-size bit-vector formula for cofactoring Skolem-functions in order to express independency constraints. First, we describe the reduction (c.f. an example in Appendix B), then show that the reduction is polynomial, and, finally, that it is correct. The reduction. Given a DQBF formula φ := Q.m consisting of a quantifier prefix Q and a Boolean CNF formula m called the matrix of φ. Let u0 , . . . , uk−1 denote all the universal variables that occur in φ. Translate φ to a QF BV2 formula Φ by eliminating the quantifier prefix and translating the matrix as follows: k k Step 1. Replace Boolean constants 0 and 1 with 0[2 ] resp. ∼ 0[2 ] and logical connectives with corresponding bitwise bit-vector operators (∨, ∧, ¬ with |, & , ∼ , resp.). k Let Φ0 denote the formula generated so far. Extend it to the formula Φ0 = ∼ 0[2 ] . Step 2. For each ui , [2k ] 1. translate (all the occurrences of) ui to a new bit-vector variable Ui ; 2. in order to assign the appropriate bitmask of Eqn. (1) to Ui , add the following equation (i.e., conjunct it with the current formula): Ui = Mik (2) For an optimization see Remark 9 further down. Step 3. For each existential variable e depending on universals Deps(e) ⊆ {u0 , . . . , uk−1 }, k 1. translate (all the occurrences of) e to a new bit-vector variable E [2 ] ; 2. for each ui ∈ / Deps(e), add the following equation: E (1 i) & Ui (E & Ui ) = (3) As it is going to be detailed in the rest of the proof, the above equations enforce the k corresponding bits of E [2 ] to satisfy the dependency scheme of φ. More precisely, Eqn. (3) makes sure that the positive and negative cofactors of the Skolem-function representing e with respect to an independent variable ui have the same value. Polynomiality. Let us recall that all the bit-widths are encoded binary in the formula Φ, and thus exponential bit-widths (2k ) are encoded into linear many (k) bits. We show now that each reduction step results in polynomial growth of the formula size. Step 1 may introduce additional bit-vector constants to the formula. Their bit-width is 2k , therefore, the resulting formula is bounded quadratically in the input size. Step 2 adds k [2k ] variables Ui for the original universal variables, as well as k equations as restrictions. The bit-widths of added variables and constants is 2k . Thus the size of the added constraints is k bounded quadratically in the input size. Step 3 adds one bit-vector variable E [2 ] and at most k constraints for each existential variable. Thus the size is bounded cubically in the input size. 48 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere Correctness. We show the original φ and the result Φ of the translation to be equisatisfiable. Consider one bit-vector variable Ui introduced in Step 2. In the following, we formalize the well-known fact that all the Ui s correspond exactly to all assignments. By construction, all bits of Ui are fixed to some constant value. Additionally, for every bit-vector index bm ∈ [0, 2k − 1] there exists a bit-vector index bn ∈ [0, 2k − 1] such that Ui [bm ] 6= Ui [bn ] and (4a) Uj [bm ] = Uj [bn ], ∀j 6= i. (4b) Actually, let us define bn in the following way (considering the 0th bit the least significant): bm − 2i if Ui [bm ] = 0 bn := bm + 2i if Ui [bm ] = 1 By defining bn this way, Eqn. (4a) and (4b) both hold, which can be seen as follows. Let R(c, l) be the bit-vector of length l with each bit set to the Boolean constant c. Eqn. (4a) holds, since, due to construction, Ui consists of several (2k−1−i ) concatenated bit-vector fragments 0 . . . 01 . . . 1 = R(0, 2i )R(1, 2i ) (with both 2i zeros and 2i ones). Therefore it is easy to see that Ui [bm ] 6= Ui [bm − 2i ] (resp. Ui [bm ] 6= Ui [bm + 2i ]) holds if Ui [bm ] = 0 (resp. Ui [bm ] = 1). With a similar argument, we can show that Eqn. (4b) holds: Uj [bm ] = Uj [bm − 2i ] (resp. Uj [bm ] = Uj [bm + 2i ]) if Uj [bm ] = 0 (resp. Uj [bm ] = 1), since bm − 2i (resp. bm + 2i ) is located either still in the same half or already in a concatenated copy of a R(0, 2j )R(1, 2j ) fragment, if j 6= i. Now consider all possible assignments to the universal variables of our original DQBFformula φ. For a given assignment α ∈ {0, 1}k , the existence of such a previously defined bn for every Ui and bm allows us to iteratively find a bα such that (U0 [bα ], . . . , Uk−1 [bα ]) = α. Thus, we have a bijective mapping of every universal assignment α in φ to a bit-vector index bα in Φ. In Step 3 we first replace each existential variable e with a new bit-vector variable E, which k can take 2(2 ) different values. The value of each individual bit E[bα ] corresponds to the value e takes under a given assignment α ∈ {0, 1}k to the universal variables. Note that without any further restriction, there is no connection between the different bits in E and therefore the vector represents an arbitrary Skolem-function for an existential variable e. It may have different values for all universal assignments and thus would allow e to depend on all universals. If, however, e does not depend on a universal variable ui , we add the constraint of Eqn. (3). In DQBF, independence can be formalized in the following way: e does not depend on ui if e has to take the same value in the case of all pairs of universal assignments α, β ∈ {0, 1}k where α[j] = β[j] for all j 6= i. Exactly this is enforced by our constraint. We have already shown that for α we have a corresponding bit-vector index bα , and we have defined how we can construct a bit-vector index bβ for β. Our constraint for independence ensures that E[bα ] = E[bβ ]. Step 1 ensures that all logical connectives and all Boolean constants are consistent for each bit-vector index, i.e. for each universal assignment, and that the matrix of φ evaluates to 1 for each universal assignment. Remark 9. Using Eqn. (1) in Eqn. (2) seems to require the use of division, which, however, can easily be eliminated by rewriting Eqn. (2) to k Ui · (1 (1 i)) + 1 = ∼ 0[2 ] Multiplication in this equation can then be eliminated by rewriting it as follows: k (Ui (1 i)) + Ui = ∼ 0[2 ] 49 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width 3.2 Kovásznai, Fröhlich, and Biere UFBV2 is 2-NExpTime-hard In order to prove that UFBV2 is 2-NExpTime-hard, we pick a 2-NExpTime-hard problem and then, we reduce it to UFBV2. We can find such a problem among the so-called domino tiling problems [7]. Let us first define what a domino system is, and then we specify a 2-NExpTimehard problem on such systems. Definition 10 (Domino System). A domino system is a tuple hT, H, V, ni, where • T is a finite set of tile types, in our case, T = [0, k − 1], where k ≥ 1; • H, V ⊆ T × T are the horizontal and vertical matching conditions, respectively; • n ≥ 1, encoded unary. Let us note that the above definition differs (but not substantially) from the classical one in [7], in the sense that we use sub-sequential natural numbers for identifying tiles, as it is common in recent papers. Similarly to [17] and [18], the size factor n, encoded unary, is part of the input. However while a start tile α and a terminal tile ω is used usually, in our case the starting tile is denoted by 0 and the terminal tile by k − 1, without loss of generality. There are different domino tiling problems examined in the literature. In [7] a classical tiling problems is introduced, namely the square tiling problem, which can be defined as follows. Definition 11 (Square Tiling). Given a domino system hT, H, V, ni, an f (n)-square tiling is a mapping λ : [0, f (n) − 1] × [0, f (n) − 1] 7→ T such that • the first row starts with the start tile: λ(0, 0) = 0 • the last row ends with the terminal tile: λ(f (n) − 1, f (n) − 1) = k − 1 • all horizontal matching conditions hold: λ(i, j), λ(i, j + 1) ∈ H ∀i < f (n), j < f (n) − 1 • all vertical matching conditions hold: λ(i, j), λ(i + 1, j) ∈ V ∀i < f (n) − 1, j < f (n) In [7], a general theorem on the complexity of domino tiling problems is proved: Theorem 12 (from [7]). The f (n)-square tiling problem is NTime (f (n))-complete. Since for completing our proof on UFBV2 we need a 2-NExpTime-hard problem, let us emphasize the following easy corollary: n Corollary 13. The 2(2 ) -square tiling problem is 2-NExpTime-complete. n Theorem 14. The 2(2 ) -square tiling problem can be (polynomially) reduced to UFBV2. Proof. Given a domino system hT = [0, k − 1], H, V, ni, let us introduce the following notations which we intend to use in the resulting UFBV2 formula. • Represent each tile in T with the corresponding bit-vector of bit-width l := dlog ke. • Represent the horizontal and vertical matching conditions with the uninterpreted func[l] [l] [l] [l] tions (predicates) h[1] (t1 , t2 ) and v [1] (t1 , t2 ), respectively. n n • Represent the tiling with an uninterpreted function λ[l] (i[2 ] , j [2 ] ). As it is obvious, λ represents the type of the tile in the cell at the row index i and column index j. Notice that the bit-width of i and j is exponential in the size of the domino system, but due to binary encoding it can represented polynomially. 50 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere The resulting UFBV2 formula is the following: λ(0, 0) = 0 ∧ n n λ 2(2 ) − 1, 2(2 ) − 1 = k − 1 ^ ∧ h(t1 , t2 ) (t1 ,t2 )∈H − 1 ⇒ h λ(i, j), λ(i, j + 1)  ∧ ∀i, j   (2n ) i<2 − 1 ⇒ v λ(i, j), λ(i + 1, j)  ∧ n j < 2(2 ) ∧ ^ v(t1 , t2 ) (t1 ,t2 )∈V     n This formula contains four kinds of constants. Three can be encoded directly (0[2 ] , 0[l] , and n (k − 1)[l] ). However, the constant 2(2 ) − 1 has to be treated in a special way, in order to avoid n double exponential size, namely in the following form: ∼ 0[2 ] . The size of the resulting formula, due to binary encoding of the bit-width, is polynomial in the size of the domino system. 4 Problems Bounded in Bit-Width We are going to introduce a sufficient condition for bit-vector problems to remain in the “lower” complexity class, when re-encoding bit-width from unary to binary. This condition tries to capture the bounded nature of bit-width in certain bit-vector problems. In any bit-vector formula, there has to be at least one term with explicit specification of its bit-width. In the logics we are dealing with, only a variable, a constant, or an uninterpreted function can have explicit bit-width. Given a formula φ, let us denote the maximal explicit bit-width in φ with maxbw (φ). Furthermore, let sizebw (φ) denote the number of terms with explicit bit-width in φ. Definition 15 (Bit-Width Bounded Formula Set). An infinite set S of bit-vector formulas is (polynomially) bit-width bounded, if there exists a polynomial function p : N 7→ N such that ∀φ ∈ S. maxbw (φ) ≤ p(sizebw (φ)). Proposition 16. Given a bit-width bounded set S of formulas with binary encoded bit-width, any φ ∈ S grows polynomially when re-encoding the bit-widths to unary. Proof. Let φ0 denote the formula obtained through re-encoding bit-widths in φ to unary. For the size of φ0 the following upper bound can be shown: |φ0 | ≤ sizebw (φ) · maxbw (φ) + c. Notice that sizebw (φ) · maxbw (φ) is an upper bound on the sum over the sizes of all the terms with explicit bit-width in φ0 . The constant c represents the size of the rest of the formula. Since S is bit-width bounded, it holds that |φ0 | ≤ sizebw (φ) · maxbw (φ) + c ≤ sizebw (φ) · p(sizebw (φ)) + c ≤ |φ| · p(|φ|) + c where p is a polynomial function. Therefore, the size of φ0 is polynomial in the size of φ. By applying this proposition to the logics of Sect. 2 we get: Corollary 17. Let us assume a bit-width bounded set S of bit-vector formulas. If S ⊆ QF UFBV2 (and even if S ⊆ QF BV2), then S ∈ NP. If S ⊆ BV2, then S ∈ PSpace. If S ⊆ UFBV2, then S ∈ NExpTime. 51 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width 4.1 Kovásznai, Fröhlich, and Biere Benchmark Problems In this section we discuss concrete SMT-LIB benchmark problems, and whether they are bitwidth bounded. Since in SMT-LIB bit-widths are encoded logarithmically and quantification on bit-vectors is not (yet) addressed, we have picked benchmarks from QF BV, which can be considered as QF BV2 formulas. First consider the benchmark family QF BV/brummayerbiere2/umulov2bwb, which represent instances of an unsigned multiplication overflow detection equivalence checking problem, and is parameterized by the bit-width of unsigned multiplicands (b). We show that the set of these benchmarks, with b ∈ N, is bit-width bounded, and therefore is in NP. This problem checks that a certain (unsigned) overflow detection unit, defined in [19], gives the same result as the following condition: if the b/2 most significant bits of the multiplicands are zero, then no overflow occurs. It requires 2 · (b − 2) variables and a fixed number of constants to formalize the overflow detection unit, as detailed in [19]. The rest of the formula contains only a fixed number of variables and constants. The maximal bit-width in the formula is b. Therefore, the (maximal explicit) bit-width is linearly bounded in the number of variables and constants. The benchmark family QF BV/brummayerbiere3/mulhsb represents instances of computing the high-order half of product problem, parameterized by the bit-width of unsigned multiplicands (b). In this problem the high-order b/2 bits of the product are computed, following an algorithm detailed in [21, Page 132]. The maximal bit-width is b and the number of variables and constants to formalize this problem is fixed, i.e., independent of b. Therefore, the (maximal explicit) bit-width is not bounded in the number of variables and constants. The family QF BV/bruttomesso/lfsr/lfsrt b n formalizes the behaviour of a linear feedback shift register [6]. Since, by construction, the bit-width (b) and the number (n) of registers do not correlate, and only n variables are used, this benchmark problem is not bit-width bounded. 5 Conclusion We discussed complexity of deciding various quantified and quantifier-free fixed-size bit-vector logics. In contrast to existing literature, where usually it is not distinguished between unary or binary encoding of the bit-width, we argued that it is important to make this distinction. Our new results apply to the actual much more natural binary encoding as it is also used in standard formats, e.g. in the SMT-LIB format. We proved that deciding QF BV2 is NExpTime-complete, which is the same complexity as for deciding UFBV1. This shows that binary encoding for bit-widths has at least as much expressive power as quantification does. We also proved that UFBV2 is 2-NExpTime-complete. The complexity of deciding BV2 remains unclear. While it is easy to show ExpSpace-inclusion for BV2 by bit-blasting to an exponential-size QBF, and NExpTime-hardness follows directly from QF BV2 ⊂ BV2, it is not clear whether QF BV2 is complete for any of these classes. We also showed that under certain conditions on bit-width the increase of complexity that comes with a binary encoding can be avoided. Finally, we gave examples of benchmark problems that do or do not fulfill this condition. As future work it might be interesting to consider our results in the context of parametrized complexity [10]. Our theoretical results give an argument for using more powerful solving techniques. Currently the most common approach used in state-of-the-art SMT solvers for bit-vectors is based on simple rewriting, bit-blasting, and SAT solving. We have shown this can possibly produce exponentially larger formulas when a logarithmic encoding is used as an input. Possible candidates are techniques used in EPR and/or (D)QBF solvers (see e.g. [13, 15]). 52 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere References [1] Abdelwaheb Ayari, David A. Basin, and Felix Klaedtke. Decision procedures for inductive boolean functions based on alternating automata. In CAV, volume 1855 of LNCS. Springer, 2000. [2] Salman Azhar, Gary Peterson, and John Reif. Lower bounds for multiplayer non-cooperative games of incomplete information. Computers & Mathematics with Applications, 41:957–992, 2001. [3] Clark W. Barrett, David L. Dill, and Jeremy R. Levitt. A decision procedure for bit-vector arithmetic. In Proceedings of the 35th Design Automation Conference, pages 522–527, 1998. [4] Nikolaj Bjørner and Mark C. Pichora. Deciding fixed and non-fixed size bit-vectors. In TACAS, volume 1384 of LNCS, pages 376–392. Springer, 1998. [5] Robert Brummayer, Armin Biere, and Florian Lonsing. BTOR: bit-precise modelling of word-level problems for model checking. In Proc. 1st International Workshop on Bit-Precise Reasoning, pages 33–38, New York, NY, USA, 2008. ACM. [6] Roberto Bruttomesso and Natasha Sharygina. A scalable decision procedure for fixed-width bitvectors. In ICCAD, pages 13–20. IEEE, 2009. [7] Bogdan S. Chlebus. From domino tilings to a new model of computation. In Symposium on Computation Theory, volume 208 of LNCS. Springer, 1984. [8] Byron Cook, Daniel Kroening, Philipp Rümmer, and Christoph M. Wintersteiger. Ranking function synthesis for bit-vector relations. In TACAS, volume 6015 of LNCS. Springer, 2010. [9] David Cyrluk, Oliver Möller, and Harald Rueß. An efficient decision procedure for a theory of fixed-sized bitvectors with composition and extraction. In Computer-Aided Verification (CAV ’97), pages 60–71. Springer, 1997. [10] Rodney G. Downey and Michael R. Fellows. Parameterized Complexity. Springer, 1999. 530 pp. [11] Anders Franzén. Efficient Solving of the Satisfiability Modulo Bit-Vectors Problem and Some Extensions to SMT. PhD thesis, University of Trento, 2010. [12] Edwin E. Freed. Binary magic numbers – some applications and algorithms. Dr. Dobb’s Journal of Software Tools, 8(4):24–37, 1983. [13] Andreas Fröhlich, Gergely Kovásznai, and Armin Biere. A DPLL algorithm for solving DQBF. In Pragmatics of SAT 2012, 2012. to appear. [14] Michael R. Garey and David S. Johnson. “Strong” NP-completeness results: Motivation, examples, and implications. J. ACM, 25(3):499–508, July 1978. [15] Konstantin Korovin. iProver — an instantiation-based theorem prover for first-order logic (system description). In Proc. IJCAR’08, IJCAR ’08. Springer, 2008. [16] Daniel Kroening and Ofer Strichman. Decision Procedures: An Algorithmic Point of View. Texts in Theoretical Computer Science. Springer, 2008. [17] Maarten Marx. Complexity of modal logic. In Handbook of Modal Logic, volume 3 of Studies in Logic and Practical Reasoning, pages 139–179. Elsevier, 2007. [18] Matthias Niewerth and Thomas Schwentick. Two-variable logic and key constraints on data words. In ICDT, pages 138–149, 2011. [19] Michael J. Schulte, Mustafa Gok, Pablo I. Balzola, and Robert W. Brocato. Combined unsigned and two’s complement saturating multipliers. In Proceedings of SPIE : Advanced Signal Processing Algorithms, Architectures, and Implementations, pages 185–196, July 2000. [20] Andrej Spielmann and Viktor Kuncak. On synthesis for unbounded bit-vector arithmetic. Technical report, EPFL, Lausanne, Switzerland, February 2012. [21] Henry S. Warren. Hacker’s Delight. Addison-Wesley Longman, 2002. [22] Christoph M. Wintersteiger. Termination Analysis for Bit-Vector Programs. PhD thesis, ETH Zurich, Switzerland, 2011. [23] Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonça de Moura. Efficiently solving quantified bit-vector formulas. In Proc. FMCAD, pages 239–246. IEEE, 2010. 53 Complexity of Bit-Vector Logics with Binary Encoded Bit-Width A Kovásznai, Fröhlich, and Biere Table: Completeness results for bit-vector logics encoding unary binary quantifiers no yes uninterpreted functions uninterpreted functions no yes no yes NP NP PSpace NExpTime NExpTime NExpTime ? 2-NExpTime Table 1: Completeness results for various bit-vector logics considering different encodings B Example: A reduction of DQBF to QF BV2 Consider the following DQBF formula: ∀u0 , u1 , u2 ∃x(u0 ), y(u1 , u2 ) . (x ∨ y ∨ ¬u0 ∨ ¬u1 ) ∧ (x ∨ ¬y ∨ u0 ∨ ¬u1 ∨ ¬u2 ) ∧ (x ∨ ¬y ∨ ¬u0 ∨ ¬u1 ∨ u2 ) ∧ (¬x ∨ y ∨ ¬u0 ∨ ¬u2 ) ∧ (¬x ∨ ¬y ∨ u0 ∨ u1 ∨ ¬u2 ) This DQBF formula is unsatisfiable. Let us note that by adding one more dependency for y, or even by making x and y dependent on all ui s, the resulting QBF formula becomes satisfiable. Using the reduction in Sect. 3.1, this formula is translated to the following QF BV2 formula: (X | Y |∼ U0 |∼ U1 ) & (X |∼ Y | U0 |∼ U1 |∼ U2 ) & (X |∼ Y |∼ U0 |∼ U1 | U2 ) & (∼ X | Y |∼ U0 |∼ U2 ) & (∼ X |∼ Y | U0 | U1 |∼ U2 ) =∼ 0[8] ∧ ^ (Ui (1 i)) + Ui = ∼ 0[8] ∧ (5) i∈{0,1,2} (X & U1 ) = (X (1 1)) & U1 ∧ (X & U2 ) = (X (1 2)) & U2 ∧ (Y & U0 ) = (Y (1 0)) & U0 [8] In the following, let us show that this formula is also unsatisfiable. Note that M03 = 5516 = [8] [8] [8] [8] [8] 010101012 , M13 = 3316 = 001100112 , and M23 = 0F16 = 000011112 , where “·16 ” resp. “·2 ” denotes hexadecimal resp. binary encoding of the binary magic numbers. In the following, let us show that the formula (5) is also unsatisfiable. First, we show how the bits of X get restricted by the constraints introduced above. Let us denote the originally unrestricted bits of X with x7 , x6 , . . . , x0 . Since the bit-vectors (X & U1 ) = 0, 0, X[5], X[4], 0, 0, X[1], X[0] and (X (1 1)) & U1 54 = 0, 0, X[7], X[6], 0, 0, X[3], X[2] Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovásznai, Fröhlich, and Biere are forced to be equal, some bits of X should coincide, as follows: X := x5 , x4 , x5 , x4 , x1 , x0 , x1 , x0 Furthermore, considering also the equation of 0, 0, 0, 0, X[3], X[2], X[1], X[0] (X & U2 ) = and (X (1 2)) & U2 = 0, 0, 0, 0, X[7], X[6], X[5], X[4] results in X := x1 , x0 , x1 , x0 , x1 , x0 , x1 , x0 In a similar fashion, the bits of Y are constrained as follows: Y := y6 , y6 , y4 , y4 , y2 , y2 , y0 , y0 In order to show that the formula (5) is unsatisfiable, let us evaluate the “clauses” in the formula: (X | Y |∼ U0 |∼ U1 ) = 1 , 1 , 1 , x0 ∨ y4 , 1 , 1 , 1 , x0 ∨ y0 (X |∼ Y | U0 |∼ U1 |∼ U2 ) = 1 , 1 , 1 , 1 , 1 , 1 , x1 ∨ ¬y0 , 1 (X |∼ Y |∼ U0 |∼ U1 | U2 ) = 1 , 1 , 1 , x0 ∨ ¬y4 , 1 , 1 , 1 , 1 (∼ X | Y |∼ U0 |∼ U2 ) = 1 , 1 , 1 , 1 , 1 , ¬x0 ∨ y2 , 1 , ¬x0 ∨ y0 (∼ X |∼ Y | U0 | U1 |∼ U2 ) = 1 , 1 , 1 , 1 , ¬x1 ∨ ¬y2 , 1 , 1 , 1 By applying bitwise and to them, we get the bit-vector represented by the formula (5):     1 1     1 1         1 1       (x0 ∨ ¬y4 ) ∧ (x0 ∨ y4 )   x0  =      ¬x1 ∨ ¬y2   ¬x1 ∨ ¬y2       ¬x0 ∨ y2   ¬x0 ∨ y2      x1 ∨ ¬y0  x1 ∨ ¬y0 (x0 ∨ y0 ) ∧ (¬x0 ∨ y0 ) y0 In order to check if every bits of this bit-vector can evaluate to 1, it is sufficient to try to satisfy the set of the above (propositional) clauses. It is easy to see that this clause set is unsatisfiable, since by unit propagation x1 and y2 must be 1, which contradicts with the clause ¬x1 ∨ ¬y2 . 55 A Machine Learning Technique for Hardness Estimation of QFBV SMT Problems (Work in progress) Mohammad Abdul Aziz, Amr Wassal and Nevine Darwish Computer Engineering Department, Cairo University, Cairo, Egypt mohammad.abdulaziz8@gmail.com {a.wassal,ndarwish}@ieee.org Abstract In this paper, we present a new approach for measuring the expected runtimes (hardness) of SMT problems. The required features, the statistical hardness model used and the machine learning technique which we used are presented. The method is applied to estimate the hardness of problems in the Quantier Free Bit Vector (QFBV) theory and we used four of the contesting solvers in SMTCOMP2011 to demonstrate the technique. We have qualitatively expanded some propositional SAT features existing in the literature to directly work on general SMT problem instances without preprocessing. Experimental results with the standard set of benchmarks are promising and our implementation proves the concept. 1 Introduction Recently SMT has been attracting a lot of research interest because of the wide range of applications where it can be applied. It has been extensively used for formal verication of hardware, software, security protocols as well as other applications. Interest in SMT solvers research is increasing because of the expressive power they oer compared to SAT solvers. They allow easier ways to solve more complex problems. In addition, due to the theory specic decision procedures on which they are based they give a better performance than general rst order logic solvers. In [1] a very good treatment of dierent SMT solving techniques, applications and other issues is presented. Accurate hardness (i.e. solution runtime) evaluation of SMT problem instances will impact building SMT solvers portfolios, where it can help in choosing the solver having the least expected runtime, portfolios between SMT solvers and solvers of other types of encodings of the same problem, where it can be used to choose an SMT solver or another solver of a dierent encoding of the same problem whichever has less expected runtime. The proposed approach is also characterized by ecient feature extraction time. This is achieved by devising features that work directly on general problems without any need for the problem to be in a standard or normal form. In our research, we have used problem benchmarks from the SMT-Lib benchmarks repository. This constitutes a large variety of problems; from industrial problems to randomly generated problems to hand crafted problems. [11] is a good reference about the SMT-Lib initiative, the SMT-Lib v2 language, the logics it supports, the theories it supports and the compatible solvers. We have chosen QFBV logic because the largest repository of benchmarks is for that logic. It also has wide applications in the verication of systems such as software verication, hardware verication, cryptographic protocols verication and dierent encodings of various classical optimization problems. Nevertheless, the method that we propose can be generalized to other logics. In the next section we will refer to relevant work in the literature. In section 3 we will describe our main approach and our assumptions regarding the SMT problems and their hardness. In 56 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 5665 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish section 4 we describe the features that we used to characterize the SMT problems. In section 5 we describe our experimental setup and the experimental results that we obtained. In sections 6 and 7 we conclude and state our suggested steps for future work. 2 Related Work The literature is rich with publications related to empirical hardness evaluation of problems in Articial Intelligence (AI). Other relevant eorts have been addressed in research related to algorithm selection. References like [2, 3, 4, 5, 6] address these questions in a statistical machine learning setting. Based on a training set of performance data for a large number of problem instances, a model is learned that maps (problem, algorithm) pairs to expected performance. The most relevant to our work is the Estimation of hardness of propositional SAT problems. This work is well established and has started early since [7] and [8], which considered the empirical performance analysis of DPLL-type SAT solvers running on uniform random k-SAT instances. Specically, it nds a strong correlation between the instance's hardness and the ratio of the number of clauses to the number of variables in the instance. For example, it is empirically well established that for random SAT problems the hardest clause to variable ratio. For instance, for random 3-SAT a clauses-to-variables ratio of roughly 4.26 corresponds to a phase transition in an algorithm-independent property of the instance. In other words, this transition is in the probability that a randomly generated formula having a given ratio will be satisable. This discovery and others such as islands of tractability in [18], search space topologies for stochastic local search algorithms in [16] and [17], backbones in [19], backdoors in [20] and random restarts in [15], prove that empirical complexity analysis of the problem is useful in discovering some inherent properties in the SAT problem instances independent of the solver's algorithm as well as deepen our understanding of the SAT problem in general. Most relevant to our approach is the work in [9], which is the approach that we have used as a starting point to our work. 3 Main Approach In this paper we try to devise a technique that can be used in estimating the hardness of SMT problems. Our technique deals directly with general SMT problems i.e. no preprocessing of the problem is required and the problem doesn't have to be in some normal form (such as 3-CNF). We will rst start with our the general model of the SMT problem that we chose. Next we describe how an SMT solver solves it and how should this aect the expected hardness model. The SMT problem can be modeled by the tree as shown in Fig. 1. In this model, the problems are made of a tree whose inner nodes are functions and the leaf nodes are uninterpreted constants. In the shown tree the white circular nodes are Boolean functions which belong to the core theory (for instance V W , , −→, etc. . . ), the grey rectangular nodes are theory T functions which have a Boolean codomain, and a theory sort domain (such as bvuge in the QFBV theory) and the grey triangular nodes are functions which have as a domain and a codomain T theory sorts (such as bvadd in the QFBV theory). The black and grey circular nodes are Boolean and theory T uninterpreted constants, respectively. An SMT solver of the lazy approach will solve this problem by dealing with the entire problem as a propositional SAT problem, where it will search for Boolean assignments of Boolean uninterpreted constants and the theory atoms (subtrees which have the rectangular nodes in the tree representation as their heads). After the SAT solver nds a model for this SAT problem, the assignments of the theory atoms are 57 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish delivered to the theory specic decision procedure, which checks whether this assignment of the theory atoms is satisable or not according to the structure of the theory subtrees. It passes the justication in case of an unsatisable assignment, or it returns the model of the theory uninterpreted constants if the model is satisable. We hypothesize that the hardness H can be modeled as follows H = fa (HSAT , HT H , HHY BRID ). (1) Figure 1: A graphical representation of an SMT problem. The white circular nodes are boolean functions, the black circular nodes are boolean uninterpreted constants and the grey nodes are T theory functions or uninterpreted constants. where the variable HT H HSAT is the hardness of the propositional SAT structure of the SMT problem, is the hardness of the theory formula, which contains the conjunction of theory atoms in the SMT problem and the variable HHY BRID is the hardness introduced by the interactions and dependencies between the propositional SAT and the theory portions of the problem and fa () is a function that increases with HSAT , HT H and HHY BRID . According to the way we modeled the hardness of an SMT problem, a statistical hardness model should include three disjoint sets of features. Each of these sets should be estimating one part of the hardness of the problem. We assume that each of the parts of the problem hardness will be a linear combination of the set of its corresponding set of features. This means that each part of the hardness can be represented by this equation Hp = k p + np X αi xpi , [p : p ∈ [SAT, T H, HY BRID]], (2) i=1 where xp is a feature in the set of features of the hardness part features to represent the part p and kp is a constant. p and np is the number of We put this methodology in mind to devise features for each of the parts of the problem hardness. We follow the assumptions used by [4] to describe the model for the probability distribution of the average runtimes of a propositional SAT problems. In this model, a problem instance represented by a feature vector 58 xi i has a normal probability distribution for its expected runtime Hardness Estimation of QFBV SMT Problems with average M. Abdul Aziz, A. Wassal, N. Darwish fa (xi ) and unity variance, where fa () is the hardness model of the solver algorithm a. According to these assumptions from [4], the distribution of the runtime ti of the problem can be given by the equation P (ti |xi , a) = e −(ti −fa (xi ))2 2 √ . 2π (3) Therefore for predicting the expected runtime of an instance we will have to learn the hardness model fa () given the set of (feature vector, runtimes) mappings for a set of problem instances. We chose the model to predict the logarithm of the run time instead of the runtime itself to make training the model more ecient and easier due to the large variation in the runtimes that solvers experience according to [4]. fa () We chose the function multiplied by the feature vector to be a linear model, where a vector xi w, of coecients to be and a constant term, is used to get the expectation of the natural logarithm of the runtime. That is the expected logarithm yi of the runtime is given by yi = fa (xi ) = wT .xi . (4) According to this linear model, the expected runtime is a weighted linear combination the features that represent the problem instance and since this set of features is the union of the hardness parts sets of features, then the function fa () which is equivalent to the total expected hardness will be fa (HSAT , HT H , HHY BRID ) = H = α1 HSAT + α2 HT H + α3 HHY BRID . which is the weigthed sum of the dierent parts of the problem's hardness where (5) α1 ,α2 and α3 are the corresponding weights. To get the vector of coecients w, we used ridge regression. Specically to get w we will have to solve the matrix equation Xw = Y . where xi , Y X (6) is the matrix containing the concatenation of the feature vectors of the training set is the vector containing the concatenation of the runtimes feature vectors in X. yi corresponding to each of the We use ridge regression to get the solution for w, which is w = (X T X + αI)−1 X T Y . where α is the Tikhonov factor (Regularization Factor), I (7) is the identity matrix. Although it has a limited hypothesis space, we chose a linear model because of the eciency of learning it as well as using it to calculate the predicted runtimes which can be useful in applications such as portfolios. 4 Features Features chosen are to estimate the rst two components in the assumed model of the runtime, namely, HSAT and HT H . We assume that factor in the linear model. HHY BRID will be represented only in the constant For the features that represent the propositional SAT structure of the SMT problem, we have used some of the features in [9] as our starting point but after 59 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish adapting them to suit the richer expressive power of SMT compared to conjunctive normal form (CNF) SAT problems treated in [9] as well as the general structured problems that we want to tackle. The rst set of features we used was the number of clauses, the number of variables, the ratio of clauses to variables and its reciprocal. The equivalent set of features we used for these were the following; associated with each of the modied features is a qualitative justication we used to derive it: I)For the number of clauses we used the following features: • NAN DS = The number of arguments to all the Justication: each • NA = V V functions in the SMT problem. function argument can be considered as a clause. The number of asserted Formulas Justication: because the SMT problem is equivalent to a clause containing the conjunction of all the assertions in the problem. • NEQU AL = The summation of the number of the arguments to all the = functions in the SMT problem. This includes those whose arguments are boolean variables only. Justication: we rst derive the number of clauses needed to represent a single equal statement. W V W (x2 ¬x1 ) (x1 ¬x2 ). An equal statement containing n arguments ( x1 = x2 = x3 = . . . = xn ) can be repreV sented by a conjunction of 2 argument equalities of the form (x1 = x2 x2 = x3 . . . xn−2 = V xn−1 xn−1 = xn ), which will be a conjuntion of (n − 1) corresponding 2 argument equality x1 = x2 is equivalent to two clauses which are statements. Since each 2 arguments equality is equivalent to a couple of binary clauses, then the n arguments equality statement can represented by 2(n − 1) binary clauses. • NDIST IN CT = The summation of the number of the arguments to all the distinct functions in the SMT problem (This has the same justications of the = function). • NIM P LY = The number of instances of −→ function in the SMT problem. The justication: a −→ b is equivalent to • NXOR = W V (¬a b) true, which is equivalent to one clause. The number of the xor functions in the SMT problem. The justication: xor(a, b) is equivalent to • NIT E = W V W (¬a ¬b) (b a), The number of instances of ite which is equivalent to two clauses. function. The justication: ite(a, b, c) is equivalent to W V W V W (b ¬a) (a c) (b c), which are 3 clauses. II)For the number of variables we used: • NBOOL = Number of Boolean uninterpreted constants( These are variables to nd a substitution for.) • NT HEORY −AT OM S = The number of theory atoms in the SMT problem(The justication for this is that; for the propositional SAT solver part of the SMT solver, the theory atoms are substituted and dealt with as if they are Boolean variables i.e. They are assigned the values either true or false). 60 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish III)To measure the equivalent number of clauses, we have weigthed the number of instances of each of the boolean functions, and accordingly for the clauses to variables ratio and its reciprocal we used: • C/V = (NA + NAN DS + 2(NEQU AL − 1) + 2(NDIST IN CT − 1) + NIM P LY + NXOR + 3NIT E )/(NBOOL + NT HEORY −AT OM S ) • V /C The next two subsets of the features of the propositional SAT structure of SMT problems are adapted versions of the graphical representation of propositional SAT problems used in [9], namely; The Variable Clause Graph, and the Variables Graph. We have replaced the variableclause graph with three bipartite graphs. Each of these graphs contained a party for the boolean variables and another one for the instances of one of the functions that comprised the clauses in the SMT problem. An edge exists between a node in the variables party and a node in the function instances party if this variable is an argument for this function instance. three of these graphs; one for the distinct function. V function, another for the = We have function and a last for the We expect that most of the constraints in the propositional SAT problem are represented in those functions, due to their massive usage of them in the benchmarks. We also generalized the Variables Graph to a graph which has a node per Boolean uninterpreted constant, where an edge exists between any two nodes if they are common arguments for one or more Boolean function (given that the function is one of the functions which are considered in the number of clauses features set). For the features which we used to estimate the theory part of the SMT problem, which in our case was QFBV, we used the total number of bits in the problem (i.e. the summation of the lengths of the bitvector uninterpreted constants in the problem)VBIT −V ECT ORS , and the number of instances of QFBV functions used in the SMT problem. Fig. 2 shows a list of the 71 used features classied according to the category of the feature. 5 Experimental Setup and Results We use benchmarks on the QFBV benchmark repository of SMT-Lib. We chose this benchmark repository because it contains a wide variety of problems; industrial, randomly generated problems and handcrafted problems. We have used all the 33000 of these bechmarks for training and validation and to obtain the average of 10-fold validation root mean square error (RMSE). We used a feature extraction timeout of 20 seconds, which resulted in using 23433 problem instances in obtaining our results, with an average feature extraction time 2.453 seconds. Of these problems there was 10353 satisable instances and 13080 unsatisable instances. The only preprocessing step which we applied to the SMT problems was to remove the let bindings by substituting them with their corresponding bindings. For the runtimes, we have used the runtime data from the diculty-computation-2012 on the SMTEXEC cluster where a timeout of 1800 seconds limited the runtimes of the solvers. Interested readers can refer to [12] for more details regarding the benchmarks and the SMTEXEC cluster used for collecting the runtime data. We have also added 0.5 to all of the runtimes, because limits on the resolution of the runtimes reports by SMTEXEC have led to problem instances which have runtimes of zero seconds, which could have led to a logarithm of −∞. After extracting the features we normalized each of them to be between 0 and 1. For learning the linear model, we used ridge regression with a Tikhonov factor of 0.05 (as recommended in the work of [9]). 61 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish I. Propositional SAT features 1. Boolean variables and Clauses features: 3. Boolean Variables- V function graph features: NDIST IN CT -Boolean variables nodes degree average, entropy, maximum, minimum and variation coecient. -Vfunction node degree average, entropy, maximum, minimum and variation coecient. NIM P LY 4. Boolean Variables-distinct function graph features: NA NAN DS NEQU AL NT HEORY −AT OM S -Boolean variables nodes degree average, entropy, maximum, minimum and variation coecient. -distinct function node degree average, entropy, maximum, minimum and variation coecient. V /C 5. Boolean Variables-= function graph features: NXOR NIT E NBOOL C/V 2. Boolean Variables graph features: -Boolean variables nodes degree average, entropy, maximum, minimum and variation coecient. -Boolean variables nodes degree average, entropy, maximum, minimum and variation coecient. -=function node degree average, entropy, maximum, minimum and variation coecient. II. QFBV theory specic features 1. Number of theory variables: VBIT −V ECT ORS 2. Instances of QFBV theory functions: bvand, bvsub, bvuge,bvugt, bvxor, bvnot, bvneg, bvor, bvadd, bvmul, bvudiv, bvxor, bvsle, shlok, addok, bvashr, bvsdiv, bvurem, bvshl, bvlshr, bvult, bvslt, bvule. Figure 2: A list of the features used for estimating the hardness of SMT problems, classied according to their category. Solver/Model BOOLECTOR MATHSAT SONOLAR STP2 SAT UNSAT SAT/UNSAT 0.1494 0.3082 0.2672 0.1353 0.5851 0.2155 0.1920 0.3877 0.2320 0.1346 0.3442 0.3166 Figure 3: The RMSE of the prediction of the logarithms of the runtimes for dierent models for the dierent solvers. The solvers which were used to get these runtimes were Boolector, MATHSAT, STP2 and SONOLAR. These solvers are based on dierent approaches for solving the QFBV problems. Boolector, SONOLAR and STP2 use bit-blasting to solve QFBV SMT problems ([13], [14] and [22]). Mathsat, on the other hand, uses the lazy approach to solve the QFBV SMT problems ([21]). We have used directly all the features demonstrated in gure 2, except for the features that were representing unused functions in all the problem instances (e.g. the XOR function). Using Ridge regression, we learnt a model for each of the previously stated solvers that predicted the logarithms of the runtimes. Figure 4 shows the correlation between the predicted logarithm of runtimes and the actual logarithms of runtimes. The 10-fold cross validation RMSE of the 62 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish prediction of the runtimes logarithm for each of the solvers' model are in the third column of the table in gure 3. According to [9], the prediction performance of a propositional SAT problem instance hardness model will signicantly improve if a model was devised for satisable problems and another for unsatisable problems. We tried this for QFBV SMT problems, and the results were an improvement in the RMSE of the satisable problems model. On the other hand, a detorioration has happened to the RMSE of the models of the unsatisable problems. Figure 5 shows the correlation of the predicted and the actual runtimes for the satisable and the unsatisable problem instances for the dierent solver models. The rst and second columns in the table in gure 3 show the RMSE of the satisable and unsatisable instances respectively for the dierent solvers. However, these results for the SMT problems at hand contradict with the results reached in [9], where here the satisable problems are more correlated with the prediction unlike the results reached in [9], where the unsatisable problems were the more correlated. One possible explanation of the uncertainty of the predictions of the unsatisable problem instances, is that we did not use any of the DPLL probing features, which were the most important in predicting the runtimes of unsatisable problem instances according to [9]. This seems reasonable, because the runtimes of the unsatisable problem instances will most probably be discriminated with reasonable certainty by having a low number of assigned variables by applying a probing technique for a xed time. 6 Conclusion To conclude, we have devised a technique for the hardness estimation of SMT problems, which up to our knowledge, is the rst trial of its kind. We achieved relatively good results with cheeply computed features on a large variety of problems and solvers. Although our approach was based on an approach targeting random SAT problems and was based on a linear model, it worked on problems whose majority are industrial. both its simplicity and generality. The main advantages of our work are It can be used for general SMT problems. It provides a general technique which is based on the structure of the SMT problem independent of the underlying logic(s). The features we used spared us from any preprocessing of the problems, such as the conversion of the problem to k-CNF or any other standard form, which helps saving time making them more usable in applications such as portfolios. Although our model of the problem hardness assumed that the solver will use the lazy approach in solving the SMT problem, it worked with signicant accuracy for both types of solvers. This means that the features suggested by us extract problem inherent properties that represent the hardness of the problem and are solver independent. 7 Future Work This research is a promising prototype and a proof of concept. We recommend trying it on dierent theories and to try it on problems made of theory combinations and expect it will perform well. For the features, we think that incorporating a probing technique (for instance an SMT solver can be run for a xed period, and statistics such as number of restarts, conicts, binary propagations, etc...) would signicantly improve the preformance of the prediction, escpecially for the unsatisable instances. We also recommend further research to nd some adaptation of the Clauses Graph ([9]) and check how this would aect the prediction eciency. We also 63 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish recommend to explore more features and check the eect of adding features related to the interaction part such as theory variables- theory functions graphs, and theory variables- clauses graphs. Another approach for dealing with the let bindings can lead to great savings in the features extraction time (Currently we are experimenting with the DAG representation of SMT problems instead of the tree representation which we used). References [1] Biere, A., Huele, M., Maaren, V., Walsh, T.: The Handbook Of Satisability, chapter 25, Satisability Modulo Theory (2009) [2] Rice, J.R.: The algorithm selection problem. Advances in computers. 15, 65-118. Academic Press, New York (1976) [3] Gogiolo, M., Schmidthuber, J.: Learning Dynamic Algorithm Portfolios. Annals of Mathematics and Articial Intelligence, Volume 47 Issue 3-4, August 2006 [4] Xu, L., Hutter, F., Hoos, H.H., Leyton-Brown, K.: SATzilla Portfolio-based Algorithm Selection for SAT. J. of Articial Intelligence Research 32, 565-606 (2008) [5] The portfolio based rst order logic theorem prover E-SETHEO, http://www4.informatik. tu-muenchen.de/schulz/WORK/e-setheo.html [6] Gomes, C., Selman, S.: Algorithm Portfolios. Articial Intelligence Journal, Vol. 126, 43-62 (2001) [7] Selman, B., Mitchell, D., Levesque, H.J.: Generating hard satisability problems. Articial Intelligence, 81(1-2):17.29 (1996) [8] P. Cheeseman, B. Kanefsky, and W. M. Taylor. Where the Really Hard Problems Are. In: Proc. IJCAI-1991, pages 331.337 (1991) [9] Nudelman, E., Leyton-Brown, K., Hoos, H.H., Devkar, A., Shoham, Y.:Understanding Random SAT: Beyond the Clauses-to-Variables Ratio. In: Principles and Practice of Constraint Programming - CP 2004, 10th International Conference, CP 2004, Toronto, Canada, September 27 October 1, 2004, Proceedings, Vol. 3258, pp. 438-452 (2004) [10] Guyon, I., Gunn, S., Nikravesh, M., Zadeh, L.: Feature Extraction, Foundations and Applications. Springer. (2006) [11] Barrett, C., Stump, A., Tinelli, C.: The SMT-LIBv2 Language and Tools: A Tutorial (2010) [12] The SMTEXEC website, http://www.smtexec.org/ [13] Brummayer,R., and Biere, A.: Boolector: An Ecient SMT Solver for Bit-Vectors and Arrays. In: Proc. 15th Intl. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'09), Lecture Notes in Computer Science (LNCS), vol. 5505, pages 174-177, Springer (2009) [14] Biere, A.: PicoSAT Essentials. Journal on Satisability, Boolean Modeling and Computation 4 75-97 (2008) [15] Gomes, C., Selman, B., Crato, N., and Kautz, H.: Heavy-tailed phenomena in satisability and constraint satisfaction problems. J. of Automated Reasoning, 24(1):67100 (2000) [16] Hoos, H., and Stutzle, T.: Stochastic Local SearchFoundations and Applications. Morgan Kaufmann (2004) [17] Hoos, H.: SAT-encodings, search space structure, and local search performance. In: Proc. IJCAI99, pages 296302. Morgan Kaufmann (1999) [18] Phokion Kolaitis: Constraint satisfaction, databases and logic. In: Proc. IJCAI-2003, pages 15871595 (2003) [19] Monasson, R., Zecchina, R., Kirkpatrick, S., Selman, B., and Troyansky, L.: Determining computational complexity from characteristic 'phase transitions'. Nature, 400:133137 (1999) 64 Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish Figure 4: The results for a single model for both satisable and unsatisable problems show noisy correlation between actual and predicted logarithms of runtimes. The shown gures from left to right are for Boolector, MATHSAT, SONOLAR and STP2. Figure 5: The results for a seperate model for satisiable and unsatisable problems. The upper four graphs are for the models of the satisable instances, and the lower are for the unsatisable instances. The shown gures from left to right are for Boolector, MATHSAT, SONOLAR and STP2. The models for the satisable models show better correlation results than the unsatisable models. [20] Williams, R., Gomes, C., and Selman, B.: Backdoors to typical case complexity. In: Proc. IJCAI2003, pages 11731178 (2003) [21] Bruttomesso, R. ,Cimatti, A., Franz, A.,Griggio , A., Hanna, Z., Nadel, A., Palti, A. , and Sebastiani, R.: A Lazy and Layered SMT(BV ) Solver for Hard Industrial Verication Problems. In proc. International Conference on Computer-Aided Verication, CAV 2007 (2007) [22] Ganesh, V., and Dill, D.: A Decision Procedure for Bit-Vectors and Arrays. In proc. International Conference on Computer-Aided Verication, CAV 2007 (2007) 65 Reachability Modulo Theory Library (Extended Abstract) Francesco Alberti Roberto Bruttomesso Formal Verification and Security Lab. University of Lugano, Switzerland francesco.alberti@usi.ch Atrenta Grenoble, France roberto@atrenta.com Silvio Ghilardi Silvio Ranise Natasha Sharygina Università degli Studi di Milano Milan, Italy ghilardi@dsi.unimi.it FBK - Irst Trento, Italy ranise@fbk.eu Formal Verification and Security Lab. University of Lugano, Switzerland natasha.sharygina@usi.ch Abstract Reachability analysis of infinite-state systems plays a central role in many verification tasks. In the last decade, SMT-Solvers have been exploited within many verification tools to discharge proof obligations arising from reachability analysis. Despite this, as of today there is no standard language to deal with transition systems specified in the SMT-LIB format. This paper is a first proposal for a new SMT-based verification language that is suitable for defining transition systems and safety properties. 1 Introduction Reachability analysis plays a central role in many verification tasks. This kind of analysis addresses the problem of verifying if a given system can reach a particular configuration of interest, representing, e.g., the violation of properties which should be satisfied by every state reachable by the system, a goal that should be always reachable, etc. While a finite-state representation is well-suited to formally represent hardware systems, it fails to deal with several aspects of software systems, because they give rise to infinite state spaces. Examples of such aspects include parameterization, i.e., systems with an unbounded numbers of components, systems handling variables defined over unbounded domains, dynamic processes creation and memory allocation, etc. The reachability problem for infinite-state systems is, in general, undecidable. Nonetheless it received—and still is receiving—a lot of attention, as many verification tasks of real systems can be reduced to it. For example, think about a protocol ensuring the mutual exclusion in a multi-agent system. The configuration of interest is that in which at least two agents are, at the same time, in the critical section. It is not difficult to see that the class of infinite-state systems is huge, ranging from imperative programs to parameterized protocols, access control policies, timed automata, etc. Each class of systems requires ad hoc techniques, heuristics, algorithms and arrangements to effectively perform a reachability analysis. Since there is no standard for the specification of infinite-state systems, it is extremely difficult to evaluate and compare different tools solving the same problems. Furthermore, there is no collection of benchmarks which would be extremely useful in helping developers in advancing the performance of their tools. Three notable exceptions are (1) the Intermediate Verification Languages (IVLs) for program verification such as Boogie [3] and Why [9], (2) the Numerical Transition Systems (NTSs) Library (richmodels.epfl.ch/ntscomp) whose aim is to provide a common general format and a open library of benchmarks for NTSs, i.e. simple models of computation involving infinite (or very large) data domains, such as integers, rationals or reals, and (3) the Verification Modulo Theories (VMT) Initiative (www.vmt-lib.org) whose ambitious goal is to provide a common format 66 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 66–75 Reachability Modulo Theory Library F. Alberti et al. and a library of verification problems for transition systems symbolically described in the SMTLIB standard. The aim of this paper is to propose a new language for the specification of an important class of reachability problems for infinite-state systems, represented in an extension of the SMT-LIB language, so that a collection of benchmarks can be built and verification tools can be compared meaningfully. On the one hand, our aim is more general than IVLs and the NTS Library since we consider a larger class of systems; e.g., not only programs or counter automata but also distributed systems and timed networks. On the other hand, we are more focused than the VMT Initiative since we consider only reachability problems based on our experience with the tools mcmt [13] and Safari [1]. For the sake of simplicity and uniformity in presenting our language, we do not consider ad-hoc constructs (e.g., abstract reachability trees) for structure preserving abstractions of the control-flow, the recursive or the multi-procedure calls of (imperative) programs that are important ingredients of many software verification techniques for reachability problems. The study of how to combine our proposal with such constructs is left to future work. Some preliminary investigations to represent imperative programs (without recursion and procedures) in a declarative framework similar to the one proposed here have been done in [1]. We hope that this paper can contribute to the debate about the representation of benchmarks for verification problems and advance the state of the art in the field, as happened for, e.g., the SMT-LIB library [18] for SMT-Solvers, TPTP library [20] for theorem proving, or SATLIB library [15] for propositional satisfiability solvers. Outline of the paper. We introduce an overall description of transition systems modulo theories and the related reachability problem in Section 2. Section 3 presents a suitable language for the definition of transition systems and reachability problems as an extension of the SMTLIB. We conclude in Section 4. An extended version of this report as well as examples written in the proposed language can be found at http://www.oprover.org/rmt-lib. 2 SMT-based Transition Systems We assume the usual first-order syntactic notions of signature, term, formula, and so on. Following the SMT-LIB tradition, a theory is a pair T = (Σ, C) where Σ is a signature and C a set of Σ-structures which are called models of T . Given a theory T = (Σ, C) and a set v of “fresh” constant, function, or predicate symbols (i.e. v ∩ Σ = ∅), a T -formula φ(v) is a formula built out of the symbols in v ∪ Σ. The formula φ can be seen as a T v -formula where T v = (Σ0 , C 0 ) with Σ0 = Σ ∪ v and C 0 contains all the Σ0 -structures whose reduct to Σ is a model of T .1 We say that a T -formula φ(v) is T -satisfiable iff φ is T v -satisfiable, i.e. if there exists a model M of T v such that φ is true in M. If v and v0 are two sets of fresh symbols, then v, v0 denotes their union v ∪ v0 and φ(v, v0 ) is the formula built out of the symbols in v ∪ v0 ∪ Σ. In our framework, a transition system over a background theory T = (Σ, C) is defined in a completely declarative way as a tuple ST = (v, I(v), τ (v, v0 )). The set v of fresh symbols is called the set of state variables of ST ; a formula φ(v) is called a state formula. I(v) is a state formula representing the set of initial states. We assume the availability of the set v0 of primed copies of the state variables in v; a formula τ (v, v0 ) is called a transition formula. The transition formula τ (v, v0 ) represents the transition relation, defining an association between 1 Let Σ and Σ0 be two signatures such that Σ ⊆ Σ0 . If M is a Σ0 -structure, then its reduct to Σ is obtained from M by forgetting the interpretations of the symbols in Σ0 \ Σ. 67 Reachability Modulo Theory Library F. Alberti et al. the state variables v immediately before the execution of the transition, i.e. in the actual state, and the state variables v0 immediately after the execution of the transition, i.e. in the next state. The nature of T determines if ST is a finite- or infinite-state system. Let ST = (v, I(v), τ (v, v0 )) be a transition system over a background theory T and vn be obtained from the set v by renaming a copy of each state variable in v with n primes. The (unbounded) reachability problem for ST is defined as a pair (ST , F (v)) where F (v) is a state formula describing a (possibly infinite) set of states, called final, error or goal states. The solution of this problem exists, i.e., a set of states represented by F (v) is reachable by ST if it exists n ≥ 0 such that I(v(0) ) ∧ τ (v(0) , v(1) ) ∧ · · · ∧ τ (v(n−1) , v(n) ) ∧ F (v(n) ) (1) is T -satisfiable. When, besides the transition system ST and the final formula F (v), a bound n ≥ 0 is known, we speak of the bounded reachability problem for ST . A solution to this problem exists if there exists 0 ≤ n ≤ n such that (1) is T -satisfiable. In the following, we focus on unbounded reachability problems since their bounded version has received a lot of attention in the SMT literature; e.g., [16] discusses the problem of using the SMT-LIB language to specify transition systems in the context of Bounded Model Checking (BMC) and, more recently, [17] puts forward the need for a common standard for BMC problems. Indeed, our proposal can be easily adapted to bounded reachability problems. A well-known method (see, e.g., [19]) to solve the reachability problem amounts to repeatedly computing pre-images (post-images) of a final (initial) formula with respect to the transition formula. Formally, given a set s(v) of states and a transition formula τ (v, v0 ), the post-image of s(v) w.r.t. τ (v, v0 ) is the formula ∃v0 .(s(v0 ) ∧ τ (v0 , v)), while the pre-image is the formula ∃v0 .(s(v0 ) ∧ τ (v, v0 )). The reachability procedure terminates in two cases. The former is when a fix-point is reached, i.e. when the set of states described by the pre-image (post-image, resp.) computed at the n-th iteration is a sub-set of the set of states represented by the union of all the pre-images (post-image, resp.) computed in previous iterations (this is called a fix-point test). The latter is when the intersection of the currently computed pre-image (post-image, resp.) with the set of initial (final, resp.) states is non-empty (this is called a safety test). Roughly, the idea is to unwind the transition formula until either all reachable states of ST have been explored or an instance of (1) is found to be satisfiable for a certain n.2 Formally, the intersection between two set s1 (v) and s2 (v) of states is empty iff the state formula s1 (v) ∧ s2 (v) is T unsatisfiable and the set s1 (v) is a sub-set of the set s2 (v) iff the state formula s1 (v) ∧ ¬s2 (v) is T -unsatisfiable. We observe that, when the set v of state variables contains function and predicate symbols, the formulae defining post- and pre-images are second-order formulae. To avoid T -satisfiability checks involving second-order formulae, we assume that it is possible to compute first-order formulae that are equivalent to the second order post- or pre-images so that safety and fix-point tests can be mechanized by currently available SMT solvers. In many cases of practical interest, this assumption holds as there is a close relationship between second order logic and many-sorted first-order logic (see [8] for details). An alternative to stay in the realm of first-order logic is to encode functions and predicates into the theory of arrays as done, for example, in [12]. A naive implementation of the reachability procedure is based on a client-server architecture. The client repeatedly computes pre- or post-images and generates the proof obligations encoding fix-point and safety checks. The server is an SMT solver capable of discharging the proof obligations generated by the client. In theory, suitable constraints on the background theories and the shape of the formulæ in the SMT-based transition system should be identified to 2 Other 68 techniques based on overapproximations of reachable states have been recently proposed [5]. Reachability Modulo Theory Library F. Alberti et al. guarantee the effectiveness of the reachability procedure, such as decidability of the satisfiability problems encoding safety and fix-point tests, and representability of the fix-point within a class of formulæ for termination. In practice, suitable algorithms and heuristics are needed to scale up to the verification of interesting systems. In these respects, a classification of SMTbased transition systems would be extremely helpful to help tools select the right techniques to efficiently explore the search space of a reachability problem. Example 1. Consider a simplified variant of the Bakery algorithm in which a finite (but unknown) number of processes should be granted mutual exclusion to a critical section by using tickets that uniquely identify processes. Processes are arranged in an array whose indexes (i.e. tickets) are linearly ordered and each process can be in one of three states: idle, wait, critical. At the beginning, all processes are in the idle state. There are three possible transitions involving a single process with index z (in all transitions, the processes with index different from z remain in the same state): (τ1 ) z is in idle, all the processes to its left are idle, and z moves to wait; (τ2 ) z is in wait, all the processes to its right are idle, and z moves to critical; and (τ3 ) z is in critical and moves to idle. The system should satisfy the following mutual exclusion property: there are no two distinct processes in the critical section at the same time. We define a background theory TB = (ΣB , CB ) as follows. ΣB contains Ind and Loc as sort symbols, three constant symbols i, w, and c of sort Loc, and a predicate symbol < (written infix) of arity Ind × Ind . A model in CB interprets < as a linear order over the elements in the interpretation of Ind and Loc is a set of three elements, the interpretations of the constants i, w, and c. The SMT-based symbolic transition system (vB , IB , τB ) is defined as follows: vB is a singleton containing the function symbol a of arity Ind → Loc, IB is the formula ∀z.a(z) = i, and τB is the disjunction of the following three formulae: τ1 (a, a0 ) := ∃z. ( τ2 (a, a0 ) := ∃z. ( τ3 (a, a0 ) := ∃z. ( a(z) = i a(z) = w a(z) = c ∧ ∧ ∀w.w < z → a(w) = i ∀w.z < w → a(w) = i ∧ ∧ ∧ ∀j.a0 (j) = ite(j = z, w, a(j) ) ∀j.a0 (j) = ite(j = z, c, a(j) ) ∀j.a0 (j) = ite(j = z, i, a(j) ), where z, w, j are variables of sort Ind . Finally, the error formula F can be written as ∃z1 , z2 .(z1 6= z2 ∧ a(z1 ) = c ∧ a(z2 ) = c), where z1 , z2 are variables of sort Ind . {a} Notice that TB is the theory obtained by extending TB with the function symbol a that is to be interpreted as a function mapping elements of the interpretation of Ind to elements of the interpretation of Loc. Alternative formalization are possible. For example, we could have used the theory of arrays whose indexes are of sort Ind and whose elements are of sort Loc. The state variable a is simply an array constant and an expression of the form ∀j.a0 (j) = ite(j = z, c, a(j)) in the τj ’s above could be written as a0 = store(a, j, c) for c a constant of sort Loc. 3 Proposal We describe an extension of the SMT-LIB language that is suitable for specifying reachability problems along the lines of Section 2. Our proposal extends the set of SMT-LIB v.2 script commands in order to define the background theory, the state variables, the initial, transition, and goal formulae that together uniquely identify a reachability problem. As in the SMT-LIB standard, a script is used to communicate with a tool in a read-eval-print loop in such a way that the next command is parsed, executed, and a response message printed until all commands are considered. Possible responses may vary from a single symbol (e.g., reachable, unreachable, 69 Reachability Modulo Theory Library F. Alberti et al. or unknown) to complex expressions like a (finite) sequence of formulae encoding the run of the system leading it from a state satisfying the initial formula to one satisfying the final formula. In the following, we fix an SMT-based symbolic transition system S = (v, I(v), τ (v, v0 )) over a background theory T = (Σ, C) and a final formula F (v). Below, we let hsymboli, hnumerali, hsorti, hsorted vari, and htermi be syntactic categories inherited from the SMTLIB v.2 standard (see [4] for the definition). The background theory. The command (set-theory hsymboli ) allows us to specify the “kernel” of the background theory T identified by hsymboli and available among those defined in the SMT-LIB v.2 standard, e.g., Core, Ints, and ArraysEx. Remark 1. In the SMT-LIB standard, a benchmark problem is associated with a logic that identifies both a class of models and a set of formulae. The main reason is that there may exist sets of formulae of a theory that admits more efficient satisfiability procedures than other sets. For example, the satisfiability of conjunctions of difference logic constraints over the integers in which no negated equalities occur can be checked in polynomial time whereas the satisfiability of arbitrary difference logic constraints becomes NP-complete. Instead, for a reachability problem we specify a background theory (via the command set-theory) according to Section 2. Our motivation is the following: there exist techniques (see, e.g., [2] for an example in a framework which is similar to the one proposed here) to over-approximate the set of reachable states with simple formulae (e.g., containing only existential quantifiers) despite the fact that the formulae in the SMT-based transition system are more complex (e.g., they contain both existential and universal quantifiers as the disjuncts τ1 and τ2 of the transition formula in Example 1). If we used such an over-approximation of the fix-point in the safety test and this is negative (i.e. the intersection is empty), we are entitled to conclude that also the safety test with the exact fix-point is negative and the final formula is unreachable. Other techniques (see, e.g., [7, 14]) allows one to transform a complex reachability problem expressed with formulae containing quantifiers into one in which only quantifier-free formulae occur and such that the former admits a solution if the latter does so. For example, the counting abstraction technique in [7] transforms the formulae of cache coherence protocols into quantifier-free formulae of Linear Arithmetic over the integers. The crucial advantage of this kind of techniques is a dramatic simplification of the formulae encoding both the safety and the fix-point tests. As a consequence, the satisfiability problems may become significantly simpler (sometimes, the result is even to transform the problem into an equivalent one falling into a decidable class). From the viewpoint of the specification of reachability problems, it is difficult (if possible at all) to foresee if the techniques discussed above can be applied and even what kind of transition system they produce. In fact, not only the shape of the formulae may change but also the background theory of the transformed transition system can be different as the example of the counting abstraction shows. Deeper insights into the techniques used by reachability procedures based on SMT techniques must be gained in order to design a more precise specification language. The kernel theory can be extended by declaring additional sort and function symbols by using standard SMT-LIB v.2 commands, such as declare-sort, define-sort, declare-fun, and define-fun (see [4] for their definition). The declared additional symbols are indeed uninterpreted and to constrain their interpretations, we introduce the command (declare-axiom htermi ) that defines the axiom encoded by the Boolean term term and extends the kernel theory. We assume term to be a sentence of the background theory of the transition system, i.e. it contains 70 Reachability Modulo Theory Library F. Alberti et al. no state variables. Example 2. Consider the theory TB in Example 1. It can be seen as an extension of the theory Core with the sort symbols Ind and Loc, the weak leq and strict le predicate symbols for the linear order, and four axioms to constrain their interpretation: (set-theory Core) (declare-sort Ind) (declare-fun leq (Ind Ind) Bool) (declare-fun le (Ind Ind) Bool) (declare-axiom (forall ((?x Ind)) (leq ?x ?x))) (declare-axiom (forall ((?x Ind) (?y Ind)) (=> (and (leq ?x ?y) (leq ?y ?x)) (= ?x ?y)))) (declare-axiom (forall ((?x Ind) (?y Ind) (?z Ind)) (=> (and (leq ?x ?y) (leq ?y ?z)) (leq ?x ?z)))) (declare-axiom (forall ((?x Ind) (?y Ind)) (or (leq ?x ?y) (leq ?y ?x)))) (declare-axiom (forall ((?x Ind) (?y Ind)) (= (le ?x ?z) (and (leq ?x ?y) (not (= ?x ?y)))))) (declare-sort Loc) (declare-fun i () Loc) (declare-fun w () Loc) (declare-fun c () Loc) (declare-axiom (and (not (= i w)) (not (= i c)) (not (= w c)))) (declare-axiom (forall ((?x Loc)) (or (= ?x i) (= ?x w) (= ?x c)))) The first three axioms express the fact that leq is a linear order and the fourth axiom defines its strict version le. The last two axioms above constrain the interpretation of Loc to be a set containing exactly the interpretation of the constants i, w, and c. Since constraining the interpretation of a sort to be a finite set (as it is the case of Loc in the example above) is quite common, we introduce the command (define-subrange hsymboli (hnumeral1 i hnumeral2 i )) that introduces the sort symbol and the numerals in the interval [numeral1 . . . numeral2 ] as constants of that sort that are to be interpreted as distinct elements. For instance, we can replace the declarations of the sort Loc, the constants i, w, c, and the two axioms in the example above with (define-subrange Loc (1 3)) and assume that the constant i is mapped to the numeral 1, w to 2, and c to 3. In other words, the command define-subrange defines an enumerated datatype over a certain sort whose constants are identified as the numerals in a contiguous sub-set of the naturals. An alternative would be a command to define an enumerated datatype by listing all its elements. In case of large sets of elements, the drawback is that explicit enumerations can be rather tedious. Instead, the corresponding definition by the define-subrange command is very compact. Remark 2. The possibility of defining theories by using finitely many axioms was available in SMT-LIB v.1.2 [18] but is no more so in SMT-LIB v.2 [4]. This is justified by the observation that many theories in the standard require infinitely many axioms [4]. In our experience with the model checker mcmt [13] and its successor Safari [1], the flexibility of defining theories by finitely many axioms is crucial to identify classes of the reachability problem that guarantee the decidability of the satisfiability problems encoding safety and fix-point tests or the termination of the reachability procedure. Our experience was driven by the theoretical framework developed in [12] that allowed us to identify sufficient conditions for the mechanization and termination of a class of SMT-based transition systems, called array-based systems. A key ingredient of such conditions is a class of background theories that are (i ) expressive enough to encode practically interesting transition systems and (ii ) “simple” enough to guarantee both the decidability of the safety and fix-point tests and sometimes also the termination of (backward) reachability. Roughly, the axioms needed for such “simple” background theories require 71 Reachability Modulo Theory Library F. Alberti et al. just a finite set of predicate symbols and a finite set of universal sentences (i.e. sentences of the form ∀x.ϕ(x) for x a finite tuple of variables of appropriate sort and ϕ a quantifier-free formula). The theory TB in Example 1 (see also the box in Example 2) is an instance of a “simple” theory in this sense. From a practical point of view, an obvious question arises: can available SMT solvers cope with such a flexible way of defining theories? The answer is offered by the proposal of several quantifier instantiation procedures (see, e.g., [10] and the references therein) that are quite successful in checking the satisfiability of formulae containing quantifiers. An ad hoc technique combining quantifier instantiation and quantifier-free reasoning has been proposed together with some heuristics [11] to discharge the proof obligations arising in the backward reachability of array-based systems. An alternative to quantifier instantiation procedures would be to encode the additional symbols in complex theories for which satisfiability procedures are available. For instance, the standard less-than relation in the theory Ints of the standard SMT-LIB v.2 (see page 31 of [18]) can be taken as the linear order < of Example 1; many state-of-the-art SMT solvers provide support for the fragment of Ints containing the less-than relation. To summarize, a careful use of the command declare-axiom can have two advantages. First, it is possible to precisely define background theories that allow for proving important properties of classes of reachability problems. Second, reasoning modulo such background theories can be efficiently supported by available SMT solvers when the declared axioms allow the maximal reuse of available procedures, possibly leveraging recent advances in quantifier instantiation procedures. The SMT-based transition system. Once the background theory T has been declared, we need to specify the SMT-based transition system S = (v, I(v), τ (v, v0 )). The command (declare-state-var hsymboli ( hsorti∗ ) hsorti ) declares the state variable symbol together with its arity. This is similar to the behavior of the command declare-fun in the SMT-LIB v.2 standard with a key difference: declare-state-var also declares a composed symbol (primed hsymboli) with the same arity of symbol. This is the crucial syntactic extension to the SMT-LIB v.2 standard, required to create a relationship between the state variable symbol in v and its copy symbol0 in v0 . The former identifies the value of the state variable immediately before the execution of a transition whereas the latter the value immediately after. The command (declare-initial htermi ) defines the state formula encoded by the Boolean term term characterizing the set of initial states, and the command (declare-transition htermi ) defines one disjunct of the transition formula encoded by the Boolean term term. For the command declare-initial, the term term may contain symbols of the background theory and the state variables; for the command declare-transition, the term may also contain the primed version of the state variables. Example 3. Let us consider the SMT-based transition system in Example 1. The state variable a in the example of Section 1 can be declared as (declare-state-var a (Ind) Loc). 72 Reachability Modulo Theory Library F. Alberti et al. As a consequence of the execution of this command, not only the function symbol a of arity (Ind) Loc will be available but also the (atomic) symbol (primed a) with the same arity. The state formula IB in Example 1 can be declared as (declare-initial (forall ((?z Ind)) (= (a ?z) i))) and (declare-transition (exists ((?z Ind)) (and (= (a ?z) c) (forall ((?w Ind)) (= ((primed a) ?w) (ite (= ?w ?z) i (a ?w))))))) . is the disjunct τ3 of the transition formula τB . In our experience with mcmt and Safari, we have found it useful to describe the behavior of a transition system not only by transition formulae but also by system constraints, i.e. formulae that must be satisfied in every state of a run of the system. Intuitively, constraints usually encode invariants of the transition system that are enforced by the environment in which the system evolves or by the way in which the state variables are updated. For example, it is well-known that a Petri net can be specified by a SMT-based transition system over integer state variables counting the number of tokens in each place; a system constraint is that each state variable must be non-negative. For this reason, we introduce the command (declare-system-constraint htermi ) that adds the constraint encoded by the Boolean term term to the specification of the transition system. We assume term to be a state formulae. The final formula. Now that the transition system S = (v, I(v), τ (v, v0 )) has been specified, we are ready to specify the final formula F (v) to complete the specification of a reachability problem (S, F ). The command (declare-goal htermi ) sets the state formula encoded by the Boolean term term as the final (error or goal) formula. Example 4. The final formula in Example 1 can be given as (declare-goal (exists ((?z1 Ind) (?z2 Ind)) (and (not (= ?z1 ?z2)) (= (a ?z1) c) (= (a ?z2) c)))). When there more than one declare-goal command in a script, the goal formula is obtained by taking the disjunction of all their arguments. Other commands. The command (check-reachability) actually tells the tool to check if the goal formula is reachable or not. The response to this command can be reachable, unreachable, or unknown. The last symbol can be returned when the tool has used over-approximation techniques. When there are more than one declare-goal command, it is left to the tool to decide to consider each goal separately, all of them together, or some subset. It is known that it is usually better to consider several goals at the same time. Sometimes, the reachability problem is so complex that it is better to guide the tool towards the fact that a certain goal is unreachable by constructing an appropriate sequence (S, F1 ), ..., (S, Fn−1 ), (S, Fn ) of reachability problems where Fn encodes the complement of the safety property that S should satisfy while the complement of F1 , ..., Fn−1 are invariants of S that may hopefully contribute to show that Fn is unreachable. For example, if F1 has been found unreachable, then its negation can be used in the fix-point tests when trying to establish 73 Reachability Modulo Theory Library F. Alberti et al. the unreachability of F2 by checking the satisfiability of s1 (v) ∧ ¬F1 (v) ∧ ¬s2 (v) rather than simply s1 (v) ∧ ¬s2 (v) for s1 , s2 state formulae describing the sets of reachable states at two successive iterations of the reachability procedure. Example of this technique can be found in [2, 6]. Indeed, building the right sequence of reachability problems that allow one to prove a certain safety problem is a difficult task that may well depend on the heuristics used by a tool to exploit previously solved reachability problems. To simplify this kind of interaction, we believe it is useful to have commands push and pop as in the SMT-LIB v.2 standard that allows one to handle a stack of reachability problems. In order to keep those goals whose negation will constitute a useful invariant for the proof of a certain safety property, we provide the command (save-verified-goals) that permits to save the goals that have been shown unreachable so as to prevent their deletion by some pop command. We also envisage other commands for setting the parameters of reachability solver. The command (set-option hreachability optioni ) may set how the search space should be computed (e.g., depth- or breadth-first) or heuristics for the synthesis of invariants should be turned on. A value for reachability option can be :produce-counterexample hb valuei that tells the prover to return (or not according to the fact that b value is true or false) a sequence of transition formulae that leads the system from a state satisfying the inital formula to one satisfying the final formula. Indeed, every tool may define its own set of reachability options. The command (set-smt-option hoptioni ) may suggest a set the options to the background SMT solver that should be used to discharge the proof obligations encoding the safety or the fix-point tests where hoptioni is inherited from the SMT-LIB v.2 standard. Every reachability problem must end with the command (exit) 4 Conclusion We have presented an extension of the SMT-LIB which is suitable for the description of reachability problems for a large class of heterogeneous transition systems. The problem of finding a common standard is in dire need of solutions for many reasons, most importantly the inability in performing comparison between competitor systems and the lack of a library for collecting benchmarks. Further discussions on this problem are surely needed, and we hope the SMT community will benefit from the ideas presented in this paper. References [1] Francesco Alberti, Roberto Bruttomesso, Silvio Ghilardi, Silvio Ranise, and Natasha Sharygina. Lazy abstraction with interpolants for arrays. In LPAR, pages 46–61, 2012. [2] Francesco Alberti, Silvio Ghilardi, Elena Pagani, Silvio Ranise, and Gian Paolo Rossi. Universal guards, relativization of quantifiers, and failure models in model checking modulo theories. JSAT, 8(1/2):29–61, 2012. 74 Reachability Modulo Theory Library F. Alberti et al. [3] Michael Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In FMCO, pages 364–387, 2005. [4] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB Standard: Version 2.0. www.SMT-LIB.org, 2010. [5] Aaron R. Bradley and Zohar Manna. Checking safety by inductive generalization of counterexamples to induction. In FMCAD, pages 173–180. IEEE Computer Society, 2007. [6] Roberto Bruttomesso, Alessandro Carioni, Silvio Ghilardi, and Silvio Ranise. Automated analysis of timing based mutual exclusion algorithms. In NASA FM, 2012. [7] Giorgio Delzanno. Automatic Verification of Parameterized Cache Coherence Protocols. In CAV, LNCS, 2000. [8] Herbert B. Enderton. A mathematical introduction to logic. Harcourt/Academic Press, 2001. [9] Jean-Christophe Filliâtre and Claude Marché. The Why/Krakatoa/Caduceus Platform for Deductive Program Verification. In CAV, pages 173–177, 2007. [10] Yeting Ge and Leonardo de Moura. Complete instantiation for quantified SMT formulas. In Conference on Computer Aided Verification (CAV), 2009. [11] Silvio Ghilardi and Silvio Ranise. Model Checking Modulo Theory at work: the integration of Yices in MCMT. In AFM, 2009. [12] Silvio Ghilardi and Silvio Ranise. Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis. LMCS, 6(4), 2010. [13] Silvio Ghilardi and Silvio Ranise. MCMT: A Model Checker Modulo Theories. In IJCAR, pages 22–29, 2010. [14] Sumit Gulwani and Madan Musuvathi. Cover Algorithms and their Combination. In ESOP, LNCS, 2008. [15] Holger H. Hoos and Thomas Stützle. SATLIB: An Online Resource for Research on SAT. In I. P. Gent, H. v. Maaren, and T. Walsh, editors, SAT, pages 283–292. IOS Press, 2000. [16] Tim King and Clark Barrett. Exploring and Categorizing Error Spaces using BMC and SMT. In Proc. of the 9th Int. Workshop on Satisfiability Modulo Theories (SMT), 2011. [17] Akash Lal, Shaz Qadeer, and Shuvendu K. Lahiri. Corral: A Solver for Reachability Modulo Theories. In Proc. of Computer-Aided Verification (CAV), 2012. [18] Silvio Ranise and Cesare Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB). www.SMT-LIB.org, 2006. [19] Tatiana Rybina and Andrei Voronkov. A logical reconstruction of reachability. In Ershov Memorial Conf., volume 2890 of LNCS, pages 222–237. Springer, 2003. [20] Geoff Sutcliffe. The TPTP Problem Library and Associated Infrastructure: The FOF and CNF Parts, v3.5.0. Journal of Automated Reasoning, 43(4):337–362, 2009. 75 An SMT-LIB Format for Sequences and Regular Expressions (Extended Abstract) Nikolaj Bjørner Microsoft Research Vijay Ganesh MIT Raphaël Michel University of Namur Margus Veanes Microsoft Research Abstract Strings are ubiquitous in software. Tools for verification and testing of software rely in various degrees on reasoning about strings. Web applications are particularly important in this context since they tend to be string-heavy and have large number security errors attributable to improper string sanitzation and manipulations. In recent years, many string solvers have been implemented to address the analysis needs of verification, testing and security tools aimed at string-heavy applications. These solvers support a basic representation of strings, functions such as concatenation, extraction, and predicates such as equality and membership in regular expressions. However, the syntax and semantics supported by the current crop of string solvers are mutually incompatible. Hence, there is an acute need for a standardized theory of strings (i.e., SMT-LIBization of a theory of strings) that supports a core set of functions, predicates and string representations. This paper presents a proposal for exactly such a standardization effort, i.e., an SMTLIBization of strings and regular expressions. It introduces a theory of sequences generalizing strings, and builds a theory of regular expressions on top of sequences. The proposed logic QF BVRE is designed to capture a common substrate among existing tools for string constraint solving. 1 Introduction This paper is a design proposal for an SMT-LIB format for a theory of strings and regular expressions. The aim is to develop a set of core operations capturing the needs of verification, analysis, security and testing applications that use string constraints. The standardized theory should be rich enough to support a variety of existing and as-yet-unknown new applications. More complex functions/predicates should be easily definable in it. On the other hand, the theory should be as minimal as possible in order for the corresponding solvers to be relatively easy to write and maintain. Strings can be viewed as monoids (sequences) where the main operations are creating the empty string, the singleton string and concatentation of strings. Unification algorithms for strings have been subject to extensive theoretical advances over several decades. Modern programming environments support libraries that contain a large set of string operations. Applications arising from programming analysis tools use the additional vocabulary available in libraries. A realistic interchange format should therefore support operations that are encountered in applications. The current crop of string solvers [9, 12, 3] have incompatible syntax and semantics. Hence, the objective of creating an SMT-LIB format for string and regular expression constraints is to identify a uniform format that can be targeted by applications and consumed by solvers. The paper is organized as follows. Section 2 introduces the theory Seq of sequences. The theory RegEx of regular expressions in Section 3 is based on Seq. The theories admit sequences and regular expressions over any type of finite alphabet. The characters in the alphabet are 76 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 76–86 SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes defined over the theory of bit-vectors (Section 4). Section 5 surveys the state of string-solving tools. Section 6 describes benchmark sets made available for QF BVRE and a prototype. We provide a summary in Section 7. 2 Seq: A Theory of Sequences In the following, we develop Seq as a theory of sequences. It has a sort constructor Seq that takes the sort of the alphabet as argument. 2.1 The Signature of Seq (par (A) (seq-unit (A) (Seq A))) ; String consisting of a single character (par (A) (seq-empty (Seq A))) ; The empty string (par (A) (seq-concat ((Seq A) (Seq A)) (Seq A))) ; String concatentation (par (par (par (par (par (par (A) (A) (A) (A) (A) (A) (seq-cons (A (Seq A)) (Seq A))) ; pre-pend a character to a seq (seq-rev-cons ((Seq A) A) (Seq A))) ; post-pend a characeter (seq-head ((Seq A)) A)) ; retrieve first character (seq-tail ((Seq A)) (Seq A))) ; retrieve tail of seq (seq-last ((Seq A)) A)) ; retrieve last character (seq-first ((Seq A)) (Seq A))) ; retrieve all but the last char (par (A) (seq-prefix-of ((Seq A) (Seq A)) Bool)) (par (A) (seq-suffix-of ((Seq A) (Seq A)) Bool)) (par (A) (seq-subseq-of ((Seq A) (Seq A)) Bool)) ; test for seq prefix ; test for postfix ; sub-sequence test (par (A) (seq-extract ((Seq A) Num Num) (Seq A))) (par (A) (seq-nth ((Seq A) Num) A)) (par (A) (seq-length ((Seq A)) Int) ; extract sub-sequence parametric in Num ; extract n’th character parametric in Num ; retrieve length of sequence The sort Num can be either an integer or a bit-vector. The logic QF BVRE instantiates the sort Num to bit-vectors, and not to an integer. 2.2 Semantics Seq The constant seq-empty and function seq-concat satisfy the axioms for monoids. That is, seq-empty is an identity of seq-concat and seq-concat is associative. (seq-concat seq-empty x) = (seq-concat x seq-empty) = x (seq-concat x (seq-concat y z)) = (seq-concat (seq-concat x y) z) Furthermore, Seq is the theory all of whose models are an expansion to the free monoid generated by seq-unit and seq-empty. 77 SMT-LIB Sequences and Regular Expressions 2.2.1 N. Bjørner, V. Ganesh, R. Michel, M. Veanes Derived operations All other functions (except extraction and lengths) are derived. They satisfy the axioms: (seq-cons x y) = (seq-concat (seq-unit x) y) (seq-rev-cons y x) = (seq-concat y (seq-unit x)) (seq-head (seq-cons x y)) = x (seq-tail (seq-cons x y)) = y (seq-last (seq-rev-cons x y)) = y (seq-first (seq-rev-cons x y)) = x (seq-prefix-of x y) ⇔ ∃z . (seq-concat x z) = y (seq-suffix-of x y) ⇔ ∃z . (seq-concat z x) = y (seq-subseq-of x y) ⇔ ∃z, u . (seq-concat u x z) = y Observe that the value of (seq-head seq-empty) is undetermined. Similarly for seq-tail, seq-first and seq-last. Their meaning is under-specified. Thus, the theory Seq admits all interpretations that satisfy the free monoid properties and the axioms above. 2.2.2 Extraction and lengths It remains to provide semantics for sequence extraction and length functions. We will here describe these informally. (seq-length s) The length of sequence s. Seq satisfies the monoid axioms and is freely generated by unit and concatenation. So every sequence is a finite concatenation of units (i.e., characters in the alphabet). The length of a sequence is the number of units in the concatenation. (seq-extract seq lo hi) produces the sub-sequence of characters between lo and hi-1. If the length of seq is less than lo, then the produced subsequence is empty. If the bitvector hi is smaller than lo the result is, once again, the empty sequence. If the length of seq is larger than lo, but less than hi, then the result is truncated to the length of seq. In other words, seq-extract satisfies the equation (The length function is abbreviated as l(s)):  seq-empty if l(s) < lo      seq-empty if hi < lo      if hi < 0 seq-empty (seq-extract s lo hi) = (seq-extract (seq-tail s) (lo − 1) (hi − 1)) if 0 < lo    (seq-extract (seq-first s) (0) (m)) if 0 < m      m = l(s) − hi + 1    s otherwise (seq-nth s n) Extract the n’th character of sequence s. Indexing starts at 0, so for example is c (where Num ranges over Int). 78 SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes (seq-nth (seq-cons c s) 0) 3 RegEx: A Theory of Regular Expressions We summarize a theory of regular expressions over sequences. It includes the usual operations over regular expressions, but also a few operations that we found useful from applications when modeling recognizers of regular expressions. It has a sort constructor RegEx that takes a sort of the alphabet as argument. 3.1 The Signature of RegEx (par (par (par (par (par (A) (A) (A) (A) (A) (re-empty-set () (RegEx A))) ; Empty set (re-full-set () (RegEx A))) ; Univeral set (re-concat ((RegEx A) (RegEx A)) (RegEx A))) ; Concatenation (re-of-seq ((Seq A)) (RegEx A))) ; Regular expression of sequence (re-empty-seq () (RegEx A))) ; same as (re-of-seq seq-empty) (par (par (par (par (par (A) (A) (A) (A) (A) (re-star ((RegEx A)) (RegEx A))) ; Kleene star ((_ re-loop i j) ((RegEx A)) (RegEx A))) ; Bounded star, i,j >= 0 (re-plus ((RegEx A)) (RegEx A))) ; Kleene plus (re-option ((RegEx A)) (RegEx A))) ; Option regular expression (re-range (A A) (RegEx A))) ; Character range (par (par (par (par (A) (A) (A) (A) (re-union (re-difference (re-intersect (re-complement ((RegEx ((RegEx ((RegEx ((RegEx A) (RegEx A)) (RegEx A))) ; Union A) (RegEx A)) (RegEx A))) ; Difference A) (RegEx A)) (RegEx A))) ; Intersection A)) (RegEx A))) ; Complement language (par (A) (re-of-pred ((Array A Bool)) (RegEx A))) (par (A) (re-member ((Seq A) (RegEx A)) Bool)) ; Range of predicate ; Membership test Note the following. The function re-range is defined modulo an ordering over the character sort. The ordering is bound in the logic. For example, in the QF BVRE logic, the corresponding ordering is unsigned bit-vector comparison bvule. While re-range could be defined using re-of-pred, we include it because it is pervasively used in regular expressions. The function re-of-pred takes an array as argument. The array encodes a predicate. No other features of arrays are used, and the intent is that benchmarks that use re-of-pred also include axioms that define the values of the arrays on all indices. For example we can constrain p using an axiom of the form (assert (forall ((i (_ BitVec 8))) (iff (select p i) (bvule #0A i)))) 3.2 Semantics of RegEx Regular expressions denote sets of sequences. Assuming a denotation [[s]] for sequence expressions, we can define a denotation function of regular expressions: 79 SMT-LIB Sequences and Regular Expressions [[re-empty-set]] [[re-full-set]] [[(re-concat x y)]] [[(re-of-seq s)]] [[re-empty-seq]] [[(re-star x)]] [[(re-plus x)]] N. Bjørner, V. Ganesh, R. Michel, M. Veanes = ∅ = {s | s is a sequence} = {s · t | s ∈ [[x]], t ∈ [[y]]} = {[[s]]} = {[[seq-empty]]} ω [ [[x]]i = [[x]]∗ = = [[x]]+ = i=0 ω [ [[x]]i i=1 [[(re-option x)]] [[(( re-loop l u) x)]] = [[x]] ∪ {[[seq-empty]]} u [ = [[x]]i i=l [[(re-union x y)]] = [[x]] ∪ [[y]] [[(re-difference x y)]] [[(re-intersect x y)]] = [[x]] \ [[y]] = [[x]] ∩ [[y]] [[(re-complement x)]] = [[x]] [[(re-range a z)]] = {[[(seq-unit x)]] | a ≤ x ≤ z} [[re-of-pred p]] = {[[(seq-unit x)]] | p[x]} [[(re-member s x)]] = [[s]] ∈ [[x]] 3.3 Anchors Most regular expression libraries include anchors. They are usually identified using regular expression constants ^ (match the beginning of the string) and $ (match the end of a string). We were originally inclined to include operators corresponding these constants. In the end, we opted to not include anchors as part of the core. The reasons were that it is relatively straightforward to convert regular expressions with anchor semantics into regular expressions without anchor semantics. The conversion increases the size of the regular expression at most linearly, but in practice much less. If we were to include anchors, the semantics of regular expression containment would also have to take anchors into account. The denotation of regular expressions would then be context dependent and not as straightforward. We embed regular expressions with anchor semantics into regular expressions with “regular” semantics using the funnction complete. It takes three regular expressions as arguments, and it is used to convert the regular expression e with anchors by calling it with the arguments complete(e, ⊤, ⊤). Note that the symbol ⊤ corresponds to re-full-set, and ǫ corresponds to re-empty-set. 80 SMT-LIB Sequences and Regular Expressions complete(string, e1 , e2 ) = complete(x · y, ⊤, ⊤) = N. Bjørner, V. Ganesh, R. Michel, M. Veanes e1 · string · e2 complete(x, ⊤, ǫ) complete(y, ǫ, ⊤) complete(x · y, ⊤, ǫ) = complete(x, ⊤, ǫ) y complete(x · y, ǫ, ⊤) = complete($, e1 , e2 ) = x complete(y, ǫ, ⊤) ǫ complete(^, e1 , e2 ) = complete(x + y, e1 , e2 ) = ǫ complete(x, e1 , e2 ) + complete(y, e1 , e2 ) We will not define complete for Kleene star, complement or difference. Such regular expressions are normally considered malformed and are rejected by regular expression tools. 4 The logic QF BVRE The logic QF BVRE uses the theory of sequences and regular expressions. It includes the SMTLIB theory of bit-vectors as well. Formulas are subject to the following constraints: • Sequences and regular expressions are instantiated to bit-vectors. • The sort Num used for extraction and indexing is a bit-vector. • re-range assumes the comparison predicate bvule. • Length functions can only occur in comparisons with other lengths or numerals obtained from bit-vectors. So while the range of seq-length is Int, it is only used in relative comparisons or in comparisons with a number over a bounded range. In other words, we admit the following comparisons (where n is an integer constant): ({<, <=, =, >=, >} (seq-length x) (seq-length y)) ({<, <=, =, >=, >} (seq-length x) n) To maintain decidability, we also require that whenever a benchmark contains (seq-length x) it also contains an assertion of the form (assert (<= (seq-length x) n)). • The sequence operations seq-prefix-of, seq-suffix-of and seq-subseq-of are excluded. 5 String solvers String analysis has recently received increased attention, with several automata-based analysis tools. Besides differences in notation, which the current proposal addresses, the tools also differ in expressiveness and succinctness of representation for various fragments of (extended) regular expressions. The tools also use different representations and algorithms for dealing with the underlying automata theoretic operations. A comparison of the basic tradeoffs between 81 SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes automata representations and the algorithms for product and difference is studied in [11], where the benchmarks originate from a case study in [19]. The Java String Analyzer (JSA) [7] uses finite automata internally to represent strings with the dk.brics.automaton library, where automata are directed graphs whose edges represent contiguous character ranges. Epsilon moves are not preserved in the automata but are eliminated upon insertion. This representation is optimized for matching strings rather than finding strings. The Hampi tool [16] uses an eager bitvector encoding from regular expressions to bitvector logic. The Kudzu/Kaluza framework extends this approach to systems of constraints with multiple variables and supports concatenation [22]. The original Hampi format does not directly support regular expression quantifiers “at least m times” and “at most n times”, e.g., a regex a{1,3} would need to be expanded to a|aa|aaa. The same limitation is true for the core constraint language of Kudzu [22] that extends Hampi. The tool presented in [14] uses lazy search algorithms for solving regular subset constraints, intersection and determinization. The automaton representation is based on the Boost Graph Library [23] and uses a range representation of character intervals that is similar to JSA. The lazy algorithms produce significant performance benefits relative to DPRLE [13] and the original Rex [27] implementation. DPRLE [13] has a fully verified core specification written in Gallina [8], and an OCaml implementation that is used for experiments. Rex [27] uses a symbolic representation of automata where labels are represented by predicates. Such automata were initially studied in the context of natural language processing [21]. Rex uses symbolic language acceptors, that are first-order encodings of symbolic automata into the theory of algebraic datatypes. The initial Rex work [27] explores various optimizations of symbolic automata, such as minimization, that make use of the underlying SMT solver to eliminate inconsistent conditions. Subsequent work [26] explores trade-offs between the language acceptor based encoding and the use of automata-specific algorithms for language intersection and language difference. The Symbolic Automata library [25] implements the algebra of symbolic automata and transducers [24]. Symbolic Automata is the backbone of Rex and Bek.1 JSA Hampi Kudzu/Kaluza Symbolic Automata/Rex Kleene X X X X Boole X X X X re-range X re-of-pred re-loop X X X seq-concat seq-length X X Σ BV16 BV8 BV8 ALL Table 1: Expressivity of string tools. Table 1 compares expressivity of the tools with an emphasis on regular expression constraints. Columns represent supported features. Kleene stands for the operations re-empty-set, re-empty-seq, re-concat, re-union, and re-star. Boole stands for re-intersect and re-complement. Σ refers to supported alphabet theories. In Hampi and Kudzu the Boolean operations over languages can be encoded through membership constraints and Boolean operations over formulas. In the Symbolic Automata Toolkit, automata are generic and support all SMT theories as alphabets. A typical use of re-range is to succinctly describe a contiguous range of characters, such as all upper case letters or [A-Z]. Similarly, re-of-pred can be used to define a character class such as \W (all non-word-letter characters) through a predicate (represented as an array). For 1 http://research.microsoft.com/bek/ 82 SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes example, provided that W is defined as follows ∀x(W [x] ⇔ ¬((‘A’ ≤ x ≤ ‘Z’) ∨ (‘a’ ≤ x ≤ ‘z’) ∨ (‘0’ ≤ x ≤ ‘9’) ∨ x = ‘_’)) then (re-of-pred W) is the regex that matches all non-word-letter characters. Finally, re-loop is a succinct shorthand for bounded loops that is used very frequently in regular expressions. MONA [10, 17] provides decision procedures for several varieties of monadic second–order logic (M2L) that can be used to express regular expressions over words as well as trees. MONA relies on a highly-optimized multi-terminal BDD-based representation for deterministic automata. Mona is used in the PHP string analysis tool Stranger [29] through a string manipulation library. Other tools include custom domain-specific string solvers [20, 28]. There is also a wide range of application domains that rely on automata based methods: strings constraints with length bounds [30]; automata for arithmetic constraints [6]; automata in explicit state model checking [5]; word equations [1, 18]; construction of automata from regular expressions [15]. Moreover, certain string constraints based on common string library functions [4] (not using regular expressions) can be directly encoded using a combination of existing theories provided by an SMT solver. 6 A prototype for QF BVRE based on the Symbolic Automata Toolkit This section describes a prototype implementation for QF BVRE. It is based on the Symbolic Automata Toolkit [25] powered by Z3. The description sidesteps the current limitation that all terms s of sort (Seq σ) are converted to terms of sort (List σ). While lists in Z3 satisfy all the algebraic properties of sequences, only the operations equivalent to seq-empty, seq-cons, seq-head, and seq-tail are (directly) supported in the theory of lists. This also explains why seq-concat and seq-length (as is also noted in Table 1) are currently not supported in this prototype. To start with, the benchmark file is parsed by using Z3’s API method ParseSmtlib2File providing a Z3 Term object ϕ that represents the AST of the assertion contained in the file. The assertion ϕ is converted into a formula Conv (ϕ) where each occurrence of a membership constraint (re-member s r) has been replaced by an atom (Acc r s), where Acc r is a new uninterpreted function symbol called the symbolic languge acceptor for r. The symbol Acc r is associated with a set of axioms Th(r) such that, (Acc r s) holds modulo Th(r) iff s is a sequence that matches the regular expression r. The converted formula Conv (ϕ) as well as all the axioms Th(r) are asserted to Z3 and checked for satisfiability. The core of the translation is in converting r into a Symbolic Finite Automaton SFA(r) and then defining Th(r) as the theory of SFA(r) [26]. The translation uses closure properties of symbolic automata under the following (effective) Kleene and Boolean operations: • If A and B are SFAs then there is an SFA A · B such that L(A · B) = L(A) · L(B). • If A and B are SFAs then there is an SFA A ∪ B such that L(A ∪ B) = L(A) ∪ L(B). • If A and B are SFAs then there is an SFA A ∩ B such that L(A ∩ B) = L(A) ∩ L(B). • If A is an SFAs then there is an SFA A∗ such that L(A∗ ) = L(A)∗ . 83 SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes • If A is an SFAs then there is an SFA A such that L(A) = L(A). The effectiveness of the above operations does not depend on the theory of the alphabet. In SFAs all transitions are labeled by predicates. In particular, a bit-vector range (re-range m n) is mapped into an anonymous predicate λx.(m ≤ x ≤ n) over bit-vectors and a predicate (re-of-pred p) is just mapped to p. The overall translation SFA(r) now follows more-or-less directly by induction of the structure of r. The loop construct (re-loop m n r) is unfolded by using re-concat and re-union. Several optimizatons are possible that have been omitted here. As a simple example of the above translation, consider the regex utf16 = ^([\0-\uD7FF\uE000-\uFFFF]|([\uD800-\uDBFF][\uDC00-\uDFFF]))*$ that describes valid UTF16 encoded strings. Using the SMT2 format and assuming the defined sort as (_ BitVec 16) the regex is (re-star (re-union (re-union (re-range #x0000 #xD7FF) (re-range #xE000 #xFFFF)) (re-concat (re-range #xD800 #xDBFF) (re-range #xDC00 #xDFFF)))) The resulting SFA(utf16) can be depicted as follows: λx.(x ≤ #xD7FF ∨ #xE000 ≤ x) λx.#xD800 ≤ x ≤ #xDBFF q0 q0 q1 λx.#xDC00 ≤ x ≤ #xDFFF and the theory Th(utf16) contains the following axioms: ∀y(Acc utf16 (y) ⇔ (y = ǫ ∨ (y 6= ǫ ∧ (head (y) ≤ #xD7FF ∨ #xE000 ≤ head (y)) ∧ Acc utf16 (tail (y)))∨ (y 6= ǫ ∧ #xD800 ≤ head (y) ≤ #xDBFF ∧ Acc 1 (tail (y))))) ∀y(Acc 1 (y) ⇔ (y 6= ǫ ∧ #xDC00 ≤ head (y) ≤ #xDFFF ∧ Acc utf16 (tail (y)))) Benchmarks in the proposed SMT-LIB format that are handled by the tool are available2 . 7 Summary We proposed an interchange format for sequences and regular expressions. It is based on the features of strings and regular expressions used in current main solvers for regular expressions. There are many possible improvements and extensions to this proposed format. For example, it is tempting to leverage that SMT-LIB already allows string literals. The first objective is to identify a logic that allows to exchange meaningful benchmarks between solvers and enable comparing techniques that are currently being developed for solving sequence and regular expression constraints. 7.1 Contributors Several people contributed to discussions about SMTization of strings, including Nikolaj Bjørner, Vijay Ganesh, Tim Hinrichs, Pieter Hooimeijer, Raphaël Michel, Ruzica Piskac, Cesare Tinelli, Margus Veanes, Andrei Voronkov and Ting Zhang. This effort grew out from discussions at Dagstuhl seminar [2] and was followed up at strings-smtization@googlegroups.com. 2 84 http://research.microsoft.com/~ nbjorner/microsoft.automata.smtbenchmarks.zip SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes References [1] Sebastian Bala. Regular language matching and other decidable cases of the satisfiability problem for constraints between regular open terms. In STACS, pages 596–607, 2004. [2] Nikolaj Bjørner, Robert Nieuwenhuis, Helmut Veith, and Andrei Voronkov. Decision Procedures in Soft, Hard and Bio-ware - Follow Up (Dagstuhl Seminar 11272). Dagstuhl Reports, 1(7):23–35, 2011. [3] Nikolaj Bjørner, Nikolai Tillmann, and Andrei Voronkov. Path feasibility analysis for stringmanipulating programs. In TACAS, 2009. [4] Nikolaj Bjørner, Nikolai Tillmann, and Andrei Voronkov. Path feasibility analysis for stringmanipulating programs. In TACAS, 2009. [5] Stefan Blom and Simona Orzan. Distributed state space minimization. J. Software Tools for Technology Transfer, 7(3):280–291, 2005. [6] Bernard Boigelot and Pierre Wolper. Representing arithmetic constraints with finite automata: An overview. In ICLP 2002: Proceedings of The 18th International Conference on Logic Programming, pages 1–19, 2002. [7] Aske Simon Christensen, Anders Møller, and Michael I. Schwartzbach. Precise Analysis of String Expressions. In SAS, 2003. [8] Thierry Coquand and Gérard P. Huet. The calculus of constructions. Information and Computation, 76(2/3):95–120, 1988. [9] Vijay Ganesh, Adam Kiezun, Shay Artzi, Philip J. Guo, Pieter Hooimeijer, and Michael D. Ernst. Hampi: A string solver for testing, analysis and vulnerability detection. In Ganesh Gopalakrishnan and Shaz Qadeer, editors, CAV, volume 6806 of Lecture Notes in Computer Science, pages 1–19. Springer, 2011. [10] J.G. Henriksen, J. Jensen, M. Jørgensen, N. Klarlund, B. Paige, T. Rauhe, and A. Sandholm. Mona: Monadic second-order logic in practice. In TACAS’95, volume 1019 of LNCS, 1995. [11] Pieter Hooimeijer and Margus Veanes. An evaluation of automata algorithms for string analysis. In VMCAI’11, volume 6538 of LNCS, pages 248–262. Springer, 2011. [12] Pieter Hooimeijer and Westley Weimer. A decision procedure for subset constraints over regular languages. In PLDI, 2009. [13] Pieter Hooimeijer and Westley Weimer. A decision procedure for subset constraints over regular languages. In PLDI, 2009. [14] Pieter Hooimeijer and Westley Weimer. Solving string constraints lazily. In ASE, 2010. [15] Lucian Ilie and Sheng Yu. Follow automata. Information and Computation, 186(1):140–162, 2003. [16] Adam Kiezun, Vijay Ganesh, Philip J. Guo, Pieter Hooimeijer, and Michael D. Ernst. HAMPI: a solver for string constraints. In ISSTA, 2009. [17] Nils Klarlund, Anders Møller, and Michael I. Schwartzbach. MONA implementation secrets. International Journal of Foundations of Computer Science, 13(4):571–586, 2002. [18] Michal Kunc. What do we know about language equations? In Developments in Language Theory, pages 23–27, 2007. [19] Nuo Li, Tao Xie, Nikolai Tillmann, Peli de Halleux, and Wolfram Schulte. Reggae: Automated test generation for programs using complex regular expressions. In ASE’09, 2009. [20] Yasuhiko Minamide. Static approximation of dynamically generated web pages. In WWW ’05, pages 432–441, 2005. [21] Gertjan Van Noord and Dale Gerdemann. Finite state transducers with predicates and identities. Grammars, 4:263–286, 2001. [22] Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, and Dawn Song. A Symbolic Execution Framework for JavaScript, Mar 2010. [23] Jeremy G. Siek, Lie-Quan Lee, and Andrew Lumsdaine. The Boost Graph Library: User Guide 85 SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes and Reference Manual (C++ In-Depth Series). Addison-Wesley Professional, December 2001. [24] M. Veanes, P. Hooimeijer, B. Livshits, D. Molnar, and N. Bjørner. Symbolic finite state transducers: Algorithms and applications. In POPL’12, 2012. [25] Margus Veanes and Nikolaj Bjørner. Symbolic automata: The toolkit. In C. Flanagan and B. König, editors, TACAS’12, volume 7214 of LNCS, pages 472–477. Springer, 2012. [26] Margus Veanes, Nikolaj Bjørner, and Leonardo de Moura. Symbolic automata constraint solving. In C. Fermüller and A. Voronkov, editors, LPAR-17, volume 6397 of LNCS/ARCoSS, pages 640– 654. Springer, 2010. [27] Margus Veanes, Peli de Halleux, and Nikolai Tillmann. Rex: Symbolic Regular Expression Explorer. In ICST’10. IEEE, 2010. [28] Gary Wassermann and Zhendong Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI, 2007. [29] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. Stranger: An automata-based string analysis tool for PHP. In TACAS’10, LNCS. Springer, 2010. [30] Fang Yu, Tevfik Bultan, and Oscar H. Ibarra. Symbolic String Verification: Combining String Analysis and Size Analysis. In TACAS, pages 322–336, 2009. 86 Exotic Semiring Constraints (Extended Abstract) Michael Codish∗ Yoav Fekete∗ Carsten Fuhs† Johannes Waldmann§ Jürgen Giesl‡ Abstract Exotic semiring constraints arise in a variety of applications and in particular in the context of automated termination analysis. We propose two techniques to solve such constraints: (a) to model them using Boolean functions and integer linear arithmetic and solve them using an SMT solver (QF LIA, in certain cases also QF IDL); and (b) to seek finite domain solutions by applying unary bit-blasting and solve them using a SAT solver. In this note, we show the structure of such systems of constraints, and report on the performance of SMT solvers and SAT encodings when solving them. In particular, we observe that good results are obtained by unary bit-blasting, improving on previous proposals to apply binary bit-blasting. Moreover, our results indicate that, for our benchmarks, unary bit-blasting leads to better results than the ones directly obtained by an SMT solver. 1 Introduction Exotic semirings [DK09] are idempotent semirings where the elements are certain subsets of numbers (possibly including −∞ and/or +∞) and where the sum and product operations are min, max, or +. For example, in the tropical semiring the elements are N ∪ {+∞} and the sum and product operations are min and +, respectively. In the arctic semiring the elements are N ∪ {−∞} and the sum and product operations are max and +, respectively. The tropical semiring is allegedly named as such to honor Imre Simon, one of its pioneers, who comes from tropical Brazil. Correspondingly, in [Goo98] the arctic semiring is named as such because arctic latitudes are located “opposite” to tropical latitudes and “max” is the “opposite” operation to “min”. Exotic semiring constraints are just like Boolean formula except that the atoms are either propositional variables or inequalities between expressions of an exotic semiring. For example, as we will formalize in the sequel, the following is an arctic semiring constraint (a11 ≥ 0) ∧(b11 ≥ 0) ∧ (cij = (ai1 ⊗ b1j ) ⊕ (ai2 ⊗ b2j )) ∧    ^ (((ai1 ⊗ a1j ) ⊕ (ai2 ⊗ a2j ) > (ci1 ⊗ a1j ) ⊕ (ci2 ⊗ a2j )) ∨ (((ai1 ⊗ a1j ) ⊕ (ai2 ⊗ a2j ) = −∞) ∧ ((ci1 ⊗ a1j ) ⊕ (ci2 ⊗ a2j ) = −∞))) ∧   i ∈ {1, 2}  (bij ≥ bi1 ⊗ b1j ⊕ bi2 ⊗ b2j ) j ∈ {1, 2} (1) where ⊕ and ⊗ correspond to max and sum. All variables are existentially quantified and the constraint is solved for example if a11 = a12 = b11 = b21 = c11 = c11 = 0, a21 = a22 = c12 = 1, and b12 = b22 = c21 = c22 = −∞. Exotic semirings and constraints come up in a variety of applications such as formal languages, as described in [Sim88], and optimization problems, idempotent analysis, and disjunctive invariants in static analysis as described in [GKS11]. Exotic semirings constraints have ∗ Department of Computer Science, Ben-Gurion University of the Negev, Israel of Computer Science, University College London, United Kingdom ‡ LuFG Informatik 2, RWTH Aachen University, Germany § Fakultät IMN, HTWK Leipzig, Germany † Department Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 87–96 87 Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann recently proven to be very useful in the context of termination analysis for string [Wal07] and term rewriting [KW09, ST10]. To simplify the presentation, we focus in this paper on the application to string rewriting, however the techniques carry over to term rewriting as well. In string rewriting, the state of a computation is represented by a word s over an alphabet Σ. The program underlying the state transitions is a string rewrite system (SRS), i.e., a set R of rewrite rules ` → r where ` and r are words over Σ. A transition then corresponds to a rewrite step u`v →R urv for some rule ` → r and words u, v (i.e., we replace the substring ` by r). We say that R is terminating if no infinite sequence of rewrite steps s0 →R s1 →R s2 →R . . . exists. To prove termination, a classic method is to use interpretations, i.e., to map letters a to elements aD of a well-founded carrier (D, >) and then to extend this mapping to words s = a1 . . . an by multiplication sD = a1 D . . . an D . Then R is terminating if all rules are oriented (strictly), namely `D > rD holds for all rules ` → r ∈ R. For example, termination of the system R = a b → b c , can be shown with an interpretation to the well-founded carrier (N, >) where aN = 2 and bN = cN = 1 since 2 · 1 > 1 · 1 (using the standard multiplication on N). Such a termination proof could be found automatically by again fixing the carrier (N, >), but leaving the interpretation for the letters open, i.e., using an interpretation template. This yields a constraint problem over the well-founded carrier. So we seek an interpretation which orients all of the rules (strictly). For our example we get the constraint aN · bN > bN · cN over the (positive) natural numbers, for which the above interpretation is indeed a solution. Recently, termination techniques using interpretations to exotic semirings [Wal07, KW09, ST10], and their extensions to exotic (square) matrices (cf. also [EWZ08]) have been shown to be very powerful. The extension of multiplication to exotic matrices is analogous to standard matrix multiplication, where the operations on matrix entries have the semantics induced by the underlying semiring for the entries. To compare two matrices A and B, we extend > component-wise. With these techniques, we are typically given two sets of rewrite rules, R and S, and required to find an interpretation which orients all rules in R ∪ S weakly, and at least one rule in R strictly. We will formalize this in the sequel. To solve the resulting template constraints over exotic matrices, [Wal07, KW09] suggest to model the operations at the binary level and to apply binary bit-blasting. Binary bit-blasting of arithmetic is convenient because of its compactness. However, size is not the only metric to regard for SAT encodings. Instead, in other applications [TTKB09, MCLS11] unary bitblasting has been shown to result in encodings which often lead to smaller runtimes of the SAT solver. In this paper, we propose a unary encoding based on the, so-called, order encoding (see e.g. [CB94, BB03]) which has proven useful in a variety of applications involving arithmetic with small integer values (see e.g. [TTKB09]). We also investigate the application of SMT solvers. We observe that good results are obtained using the unary encoding, typically outperforming binary bit-blasting as well as SMT solvers. 2 Preliminaries: Exotic Semirings A semiring consists of a domain D equipped with operations ⊕, ⊗ (addition, multiplication) and elements 0D , 1D ∈ D such that (D, ⊕, 0D ) is a commutative monoid (i.e., ⊕ is associative and 0D is its neutral element), (D, ⊗, 1D ) is a monoid, ⊕ distributes over ⊗ from both sides, and 0D is annihilating on both sides of ⊗. The standard example of a semiring is (N, +, ·, 0, 1). We will focus on idempotent semirings, where addition is idempotent: x ⊕ x = x. 88 Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann Definition 1. The following idempotent semirings are collectively called exotic: • A = ({−∞} ∪ N, max, +, −∞, 0), the arctic semiring, • T = (N ∪ {+∞}, min, +, +∞, 0), the tropical semiring, • F = ({−∞} ∪ N ∪ {+∞}, min, max, +∞, −∞), the fuzzy semiring, • P = ({−∞} ∪ Z, max, +, −∞, 0), the Z-arctic semiring (also known as arctic below zero) cf. [Kro98] (where arctic is called polar). We assume, for each of the exotic semirings, D, an order extending the standard order on N (or Z), namely, −∞ < 0 < 1 < . . . < +∞. We denote the reflexive closure of < by ≤, and we write x <0 y for (x < y) ∨ (x = 0D = y), where 0D denotes the zero element of D. For the fuzzy semiring, we also need the following notation: x <1 y iff (x <0 y) ∨ (x = 1D = y). For any (exotic) semiring D, and n ∈ N, the set Mn (D) of n × n-matrices with entries from D is again a semiring, with addition and multiplication defined in the standard way, using ⊕ and ⊗ on the elements. If D is idempotent, then Mn (D) is idempotent. The orders ≤, <0 , <1 are extended from D to Mn (D) component-wise. We call an element x ∈ D positive if x ≥ 1D . A matrix A ∈ Mn (D) is called positive, denoted positive(A), if A1,1 (the top left element) is positive. An exotic semiring constraint is a Boolean formula in which all atoms are either propositional variables or exotic semiring inequalities. We say that a constraint is satisfiable if there exists an assignment of exotic values to exotic variables such that replacing inequalities by their implied Boolean values results in a satisfiable Boolean formula. In the context of automated termination analysis we typically need to solve exotic termination constraints where given two sets of rewrite rules, R and S, we need to find an interpretation to orient all rules ` → r in R ∪ S such that ` ≥ r (resp. >1 , for the fuzzy semiring) and at least one rule ` → r in R such that ` >0 r. In this setting the matrices are required to be positive. For example, assuming the arctic semiring, if R = a2 → a b a and S = b → b2 with aD = A and bD = B the constraint system for the unknown matrices A, B that make up the interpretation is positive(A) ∧ positive(B) ∧ (A2 >0 ABA) ∧ (B ≥ B 2 ). To seek a solution of dimension 2, we obtain the exotic semiring constraint from Eq. 1, where the auxiliary variables cij indicate the contents of matrix C = AB and the solution is given by 0 0 0 −∞ A= ,B = . 1 1 0 −∞ 3 From Exotic to LIA/IDL constraints In this section we show that exotic constraints can be faithfully translated into logic over theories that are standardized within SMT-LIB. In particular, arctic and tropical constraints can be encoded into QF LIA, and fuzzy numbers constraints can be encoded into QF IDL. With this new formalization we generalize the binary SAT encoding for arctic constraints proposed in [KW09]. As an application, we consider a selection of termination problems from the International Termination Competition 1 where for each instance we select an exotic semiring and a 1 http://www.termination-portal.org/wiki/Termination_Competition 89 Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann matrix dimension to generate exotic constraints. We then model these using LIA/IDL to obtain a selection of instances2 that have been submitted to the SMT (2012) competition. To model exotic domains we represent arctic and tropical numbers as pairs Boolean × N. For an arctic a represented by (m, i), if m is true then a = −∞ and otherwise a = i, and for a tropical t represented by (p, i), if p is true then t = +∞ and otherwise t = i. Similarly, a fuzzy number f is represented as a triplet (m, i, p) where m is true iff f = −∞, p is true iff f = +∞ and f = i iff m = p = false. (We denote truth values by true/false or 1/0 depending on the context.) L To encode the “maximum” operation for k arctic elements we have (m, i) = k (mk , ik ) iff (m = ^ ^ _ (¬mk → i ≥ ik )) ∧ (¬m → (¬mk ∧ i = ik )). mk ) ∧ (¬m → k k k Namely, the maximum of k arctic numbers is −∞ if all k numbers are, else it is greater than or equal to each finite number,N and equal to one finite number. To encode arctic semiring multiplication we have (m, i) = k (mk , ik ) iff (m = _ mk ) ∧ (¬m → (i = k X ik )). k As the formulas show, the target of the translation is the theory of integers with addition, as defined in QF LIA. This encoding can also be used for the Z-arctic semiring (Z-arctic numbers are modeled as pairs Boolean × Z). Symmetric formulae as for the arctic semiring hold for the tropical semiring operations and are not detailed here. The fuzzy semiring has the minimum and maximum operations. This implies that we do not need addition, so the constraints can be formulated as difference constraints. In fact, we are working within the “theory of linear order” (a subset of QF IDL, where full QF IDL would also allow addition of constants). 4 Exotic Order Encoding The order encoding (see e.g. [CB94, BB03]) is a unary representation for natural numbers. In this representation the bit vector x̄ = hx1 , . . . , xk i constitutes a monotonic decreasing sequence and represents values between 0 and k. For example, the value 3 in 5 bits is represented as h1, 1, 1, 0, 0i. The bit xi (for 1 ≤ i ≤ k) is interpreted as the statement x̄ ≥ i. An important property of a Boolean representation for finite domain integers is the ability to represent changes in the set of values a variable can take. It is well-known that the order encoding facilitates the propagation of bounds. Consider an order encoding variable x̄ = hx1 , . . . , xk i with values in the interval [0, k]. To restrict x̄ to take values in the range [a, b] (for 1 ≤ a ≤ b ≤ k), it is sufficient to assign xa = 1 and xb+1 = 0 (if b < k). The variables xa0 for 1 ≤ a0 < a and b < b0 ≤ k are then determined true and false, respectively, by unit propagation. For example, given x̄ = hx1 , . . . , x9 i, assigning x3 = 1 and x6 = 0 propagates to give x̄ = h1, 1, 1, x4 , x5 , 0, 0, 0, 0i, signifying that x̄ can take values in the interval [3, 5]. This property is exploited in Sugar [TTKB09] which also applies the order encoding. In [MCLS11], the authors observe an additional property of the order encoding: its ability to specify that a variable cannot take a specific value 1 ≤ v ≤ k in its domain by equating two variables: xv = xv+1 . This indicates that the order encoding is well-suited not only to propagate lower and upper bounds, but also to represent integer variables with an arbitrary 2 http://www.imn.htwk-leipzig.de/ 90 ~waldmann/draft/2012/smt-benchmarks/real/ Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann finite domain. For example, for x̄ = hx1 , . . . , x9 i, equating x2 = x3 imposes that x̄ 6= 2. Likewise x5 = x6 and x7 = x8 impose that x̄ 6= 5 and x̄ 6= 7. Applying these equalities to x̄ gives, x̄ = hx1 , x2 , x2 , x4 , x5 , x5 , x7 , x7 , x9 i, signifying that x̄ can take values from the set {0, 1, 3, 4, 6, 8, 9}. In the remainder of this section we present the standard order encoding for natural numbers and describe how we extend it, first to integers and then to arctic integers. Finally we state that the order encoding is extended to tropical and fuzzy domains in a similar way. Encoding Naturals: Let ā = ha1 , . . . , ak i denote V a tuple of k bits. To encodethat ā is in the order encoding we introduce clauses: unaryN (ā) = ai+1 → ai 0 < i < k . We say that ā is a k-bit natural number in the order encoding (or “natural” for short). It can take values between 0 and k. Let ā and b̄ be k-bit and k 0 -bit naturals. Their sum, c̄ = hc1 , . . . , ck+k0 i is defined by the clauses: ^ (ai → ci ) ∧ (¬ai → ¬ck0 +i ) ∧ (ai ∧ bj → ci+j ) ∧ 0 < i ≤ k, sumN (ā, b̄) = (bj → cj ) ∧ (¬bj → ¬ck+j ) ∧ (¬ai ∧ ¬bj → ¬ci+j−1 ) 0 < j ≤ k 0 Let ā = ha1 , . . . , ak i be a k-bit natural and k 0 > k. Then the following is the corresponding k 0 -bit natural obtained by padding with k 0 − k zeros: extendN (ā, k 0 ) = ha1 , . . . , ak , 0, . . . , 0i. Assume that ā and b̄ are k-bitVnaturals (if they are not in the same range then apply extendN ). We define max(ā, b̄) = ci ↔ ai ∨ bj 0 < i ≤ k . The bits hc1 , . . . , ck i are a V k-bit natural representing the maximum. We define (ā ≥ b̄) = bi → ai 0 < i ≤ k and V (ā > b̄) = a1 ∧ ¬bk ∧ bi → ai+1 0 < i < k . Encoding Integers: We propose a representation for integers in the same spirit as that for the naturals. It facilitates an encoding which is almost identical to the order encoding of the naturals. The key design decision is to represent integers in the range (−k, +k) as a 2k-bit monotonic decreasing sequence. So, for x̄ = hx1 , . . . , x2k i, the bit xi (for 1 ≤ i ≤ 2k) is interpreted as the statement x̄ ≥ −k + i. For example, h0, 0i, h1, 0, 0, 0i, h1, 1, 0, 0, 0, 0i all represent −1 in different bit lengths; h1, 0i, h1, 1, 0, 0i, h1, 1, 1, 0, 0, 0i all represent 0 in different bit lengths; and h1, 1i, h1, 1, 1, 0i, h1, 1, 1, 1, 0, 0i all represent +1 in different bit lengths. Given this representation, all operations are (almost) the same as for naturals. Let ā = ha1 , . . . , a2k i denote a tuple of 2k bits. To encode that ā is an integer in the order encoding we introduce clauses: unaryZ (ā) = unaryN (ā) Let ā and b̄ be 2k-bit and 2k 0 -bit unary order encoding integers. Their sum, c̄ = hc1 , . . . , c2(k+k0 ) i is defined exactly the same as for the unary case by adding the clauses sumZ (ā, b̄) = sumN (ā, b̄). Namely, simply by viewing ā and b̄ as if they were natural numbers. For example, h0, 0i+h1, 0, 0, 0i = h1, 0, 0, 0, 0, 0i (for −1+−1 = −2) or h1, 0, 0, 0i + h1, 1i = h1, 1, 1, 0, 0, 0i (for −1 + 1 = 0). Let ā = ha1 , . . . , a2k i be a 2k-bit integer and k 0 > k. Then the following is the corresponding 0 2k -bit integer: extendZ (ā, k 0 ) = h1, . . . , 1, a1 , . . . , ak , 0, . . . , 0i where the original bits are padded by (k 0 − k) ones on the left and (k 0 − k) zeros on the right. Now we will assume that ā and b̄ are 2k-bit unary order encoding integers (if they are not in the same range then apply extendZ ). In this setting, max, >, ≥ are implemented exactly the same as their natural number counterparts. Encoding Arctic Integers: We propose the following representation for arctic integers. Obviously, we require an extra bit to capture the case where ā = −∞. To facilitate an encoding which is similar to the order encoding for naturals and integers, we position this extra bit as the leftmost in a (2k + 1)-bit monotonic decreasing sequence. So, for ā = ha0 , a1 , . . . , a2k i, the 91 Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann bit a0 is false when ā = −∞ (and then also all other bits are zero). And, just like for integers, the bit ai (for 1 ≤ i ≤ 2k) is interpreted as the statement ā ≥ −k + i. To encode that ā is an arctic integer in the order encoding we introduce clauses: unaryP (ā) = unaryN (ā) (reusing the definition for naturals). We say that ā is a (2k + 1)-bit unary order encoding integer. It can take values between −k and +k or −∞. Let ā = ha0 , a1 , a2k i and b̄ = hb0 , b1 , b2k0 i denote 2k+1 and 2k 0 +1 order encoding arctics. Let c0 = a0 ∧ b0 and let hc1 , . . . , c2(k+k0 ) i denote the usual integer (or natural) sum of ha1 , . . . , a2k i and hb1 , . . . , b2k0 i (each without its first bit). Then, the arctic sum ā + b̄ is hc0 , c0 ∧ c1 , . . . , c0 ∧ c2(k+k0 ) i. Let ā = ha0 , a1 , . . . , a2k i be a unary arctic number in 2k + 1 bits. Its extension to 2k 0 + 1 bits for k 0 > k is obtained as extendP (ā, k 0 ) = ha0 , . . . , a0 , a1 , . . . , a2k , 0, . . . , 0i (padding by (k 0 − k) times the a0 bit on the left and (k 0 − k) times a 0 bit on the right). Assume that ā and b̄ are (2k+1)-bit arctic integers (if they are not in the same range then apply extendP ). Now, max, >, ≥ are implemented directly using their natural number counterparts. about the V So everything encoding is “for free”. Encoding >0 is like this: (ā >0 b̄) = ¬bk ∧ bi → ai+1 0 < i < k . Encoding Tropical and Fuzzy Integers: Tropical numbers are handled in much the same way as arctics: with an “infinity bit”, and an unary encoding of the finite value, but we put the infinity bit in the rightmost position. That way, we can use the standard “minimum” operation for unary integers, and get the correct result also for the case that some arguments are infinite. For fuzzy numbers, we represent “minus infinity” by 0, and “plus infinity” by B (the bit width). The semiring operations are standard minimum and maximum operations with the usual unary encodings. 5 A Knockout Example The termination status of problem SRS/Gebhardt/19 has been open since it was posed in 2006. Using the methods from this paper, we obtain a tropical matrix interpretation to prove its termination. A key step in the proof involves the setting where (the alphabet is Σ = 0, 1, 0# , 1# ): R= 0# 0 0 0 → 1# 0 1 1, 1# 0 0 1 → 0# 0 1 0 S= 0 0 0 0 → 1 0 1 1, 1001 → 0010 So we seek a tropical matrix interpretation which satisfies the constraints 0# 03 ≥ 1# 012 , 1# 02 1 ≥ 0# 010, 04 ≥ 1012 , 102 1 ≥ 02 10 and also (04 >0 1012 ) ∨ (102 1 >0 02 10). In approximately one hour of SAT solving time, using the order encoding with five bits per tropical unknown we obtain the following tropical interpretation (where + indicates +∞) which allows to remove the second rule from R to render a proof of termination.        0 7→        92 4 + 3 3 4 0 2 2 + 0 4 + 0 2 2 0 4 + 3 + + + 0 + 0 3 + + + 2 + + 3 4 0 + 4 0 3 + 4 4 + + + 4 + 4 0 + + 0 + + 4 + 3 + + 3 + 0 + 4 4 + 0 + + 2 + + + + + + + 3 3 + 0                      1 7→        2 + + 0 2 0 0 + + + 3 2 4 + 4 + 0 + + 0 0 + + + + 0 + 4 2 4 + + 0 + 0 + 3 2 0 3 4 0 + + + 4 0 + 3 4 2 + + + + 4 0 4 + 1 3 2 + + + 3 4 + + + 0 + + + + + + 3 + 1 0               Exotic Semiring Constraints  0# 6       7→        0 + 0 1 0 0 0 2 + 1 + + + + 1 + 4 + 1 + 0 1 1 + 0 + + 2 + 1 2 1 3 3 4 + M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann 0 + + + + + + 2 + 0 + + + + 3 + + + 3 + + + + 2 + 4 + 0 + + + 1 + 2 + + 2 + 2 3 2 4 2 4 0                      7→        1# 0 + 0 2 0 + + 4 + 4 + 2 + + + + + + 1 + 0 2 4 2 + 4 + 1 + 1 2 1 + 1 3 + 0 + 1 1 2 0 0 4 + 1 + + + 2 3 + 4 + 0 + + 2 2 1 + 2 + + + + 4 + + + + + + + + 4 3 + 3 + 0               Tools and Experiments To assess our contributions empirically, we conducted several preliminary experiments. We use three tools (1) satchmo-smt—Johannes Waldmann enhanced his satchmo-smt [Wal] solver, which uses a binary encoding of QF LIA (cf. e.g. [EWZ08, FGM+ 07]), to perform also a unary encoding similar to Sect. 4. The solver satchmo-smt makes use of the solver MiniSAT [ES03] (development version based on version 2.2). So for arctic constraints, the binary encoding essentially corresponds to that proposed in [KW09], whereas the unary encoding is new. (2) BEE—Yoav Fekete enhanced the BEE constraint solver developed at Ben-Gurion University to compile arctic constraints to CNF. It combines constraint and CNF simplification techniques to provide a concise CNF representation [MCLS11]. BEE uses the SAT solver CryptoMiniSAT [SNC09], version 2.5.1, as a back-end solver; (3) Z3, version 3.2—This SMT solver [dB08] is developed at MS Research and can handle QF LIA end QF IDL theories (among others). Our experimentation initiates a comparison of these tools when solving exotic semiring constraints. We view this experimentation as a proof of concept and starting point for a more thorough investigation on how to solve exotic semiring constraints using SMT solvers and SAT encodings. As the benchmark set, we generated exotic termination constraints with matrix dimension up to 5 from the string rewriting problems of the Termination Problem Data Base (TPDB) 3 , selected those that were solvable by satchmo-smt within 10 minutes, and removed those that were solvable quickly (< 2 seconds). Exotic constraints were given directly to BEE, and for satchmo-smt and Z3 they were being translated to QF LIA as described in Sect. 3. The benchmark runs were performed on a Quad-core Intel i5-2400 at 3.1 GHz with 4 GB RAM. We conducted the following experiments which are summarized in Table 1. All times are in seconds. The timeout is 1800 sec. The rows of the table were selected from 194 instances. The average, max and number of timeout information in the last 3 rows is a statistic on all 194 instances. Experiment 1: We apply satchmo-smt to compare binary and unary encodings for LIA constraints that stem from arctic constraints. So while here we do not directly take optimizations by dedicated domain knowledge of the arctic semiring into account, this experiment still allows us to make observations on performance of binary vs. unary bit-blasting. Here (arctic) variables 3 http://termination-portal.org/wiki/TPDB 93 Exotic Semiring Constraints instance S2.1 S2.2 S2.3 S2.4 S3.1 S3.2 S3.3 S3.4 S3.5 S3.6 S3.7 S4.0 S4.1 S4.2 S4.3 S5.1 S5.2 S5.3 S5.4 S5.5 S6.1 S6.2 S6.3 S6.4 S6.5 average max timeouts M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann Experiment 1 Experiment 2 Experiment 3 satchmob (3) satchmou (7) BEE (it) Z3 BEE (4) satchmou (4) 55.09 0.81 11.82 2.81 1.51 4.31 4.81 71.41 108.97 TimeOut 2.31 2.41 4.91 6.11 TimeOut 51.69 TimeOut TimeOut TimeOut 18.93 4.61 7.32 9.82 169.98 TimeOut 61.58 1800 6 1.20 4.91 7.11 2.81 84.34 23.34 24.14 8.42 16.63 TimeOut 8.82 4.71 26.04 4.31 172.18 19.33 46.18 TimeOut 725.44 17.33 9.72 4.41 8.02 47.58 1408.21 5.44 1800 2 0.73 0.66 12.94 11.6 1.62 4.15 2.10 0.97 0.60 9.13 9.43 2.15 6.00 3.68 2.55 17.92 2.33 3.40 4.16 3.45 9.05 4.30 8.57 1.62 6.80 2.22 17.92 0 112.39 411.13 111.38 891.97 1754.24 428.24 199.43 472.16 359.24 305.49 TimeOut 6.69 610.73 27.06 TimeOut 1550.72 TimeOut TimeOut TimeOut TimeOut 45.33 41.10 84.25 138.57 TimeOut 224.64 1800 15 3.74 7.31 2.02 2.23 9.58 6.55 3.94 1.66 1.24 2.13 1.82 21.31 8.83 26.94 35.68 15.23 85.44 20.59 160.79 6.5 27.22 29.64 21.10 31.04 731.93 10.83 731.93 0 0.70 11.72 154.74 219.14 1.21 2.61 3.31 0.70 0.60 123.59 128.1 1.50 3.51 2.21 7.71 4.11 77.92 28.85 44.07 13.12 4.21 2.61 4.31 4.41 TimeOut 14.94 1800 1 Table 1: results from 3 experiments take values {−∞, 0, . . . , 7}. This means 3 bits for the binary representation and 7 bits for the unary as indicated in the headers of these two rows. Despite the significantly more verbose representation in the unary encoding, the corresponding average runtime is lower by an order of magnitude in comparison to the average runtime for the binary encoding. Also the worst-case behavior of unary bit-blasting is better (only 2 timeouts instead of 6 for binary bit-blasting). Experiment 2: Here we compare unary bit-blasting as in Sect. 4 using BEE [MCLS11] with SMT solving using Z3. SMT solvers with a dedicated theory solver like Z3 natively support all natural numbers as search space for the input constraint. For bit-blasting with BEE, we use an iterative deepening approach which doubles n for the search space {−∞, 0, . . . , n} until a solution is found or n reaches a specified upper bound. This is indicated by “(it)” on the corresponding column. Here we can show satisfiability of all instances using at most 4 bits. With BEE, we observe an improvement in the average runtime by two orders of magnitude over Z3. Also in the worst case BEE performs significantly better (max. runtime of less than 18 94 Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann seconds, whereas Z3 shows 15 timeouts after 1800 seconds each). Experiment 3: Here we compare unary bit-blasting using BEE and using satchmo-smt, each with 4 bits for the numbers (4). Here BEE and satchmo show similar performance (where BEE is slightly faster on average). While satchmo-smt has an approach of directly bit-blasting LIA constraints “as is” (and not taking the underlying arctic domain into account), BEE has a certain overhead due to the simplifications applied in the SAT compilation phase, which may not always pay out. Moreover, the two solvers use different SAT solvers (CryptoMiniSAT and MiniSAT) for the resulting CNFs, which may also lead to differences in runtime. Here investigations with different SAT solvers as back-ends would be interesting. 7 Discussion In this paper, we formalize exotic semiring constraints and discuss several new ways of solving them. In addition to the existing approach based on binary bit-blasting, we also provide new approaches based on SMT-LIA and unary bit-blasting with order encoding. We have applied these techniques to solve exotic semiring constraints that come up in the context of automated termination analysis. The LIA and IDL constraints derived from exotic termination constraints all share the property that the only numerical constant that appears anywhere, is the number zero. Higher numbers (than zero) may of course appear in the solution, but only as consequences of strict equalities. It appears that long chains of strict inequalities are “quite unlikely”, so if an exotic termination constraint has a solution at all, then it typically also has a solution that uses only small numbers, and this explains the effectiveness of unary bit-blasting solver methods. For more information on our experiments, we refer to our evaluation web page at the following URL: http://www.cs.bgu.ac.il/~mcodish/Benchmarks/SMT2012/ Ongoing research aims to provide a powerful solver for exotic semiring constraints that arise in the context of termination analysis. Here we plan to investigate the application of SMT and SAT solvers with unary encodings, where also applications other than termination analysis may benefit. References [BB03] [CB94] [dB08] [DK09] Olivier Bailleux and Yacine Boufkhad. Efficient CNF encoding of boolean cardinality constraints. In Francesca Rossi, editor, CP, volume 2833 of Lecture Notes in Computer Science, pages 108–122. Springer, 2003. James M. Crawford and Andrew B. Baker. Experimental results on the application of satisfiability algorithms to scheduling problems. In Barbara Hayes-Roth and Richard E. Korf, editors, AAAI, pages 1092–1097. AAAI Press / The MIT Press, 1994. Leonardo de Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In C. R. Ramakrishnan and Jakob Rehof, editors, TACAS, volume 4963 of Lecture Notes in Computer Science, pages 337–340. Springer, 2008. Manfred Droste and Werner Kuich. Semirings and formal power series. In Manfred Droste, Werner Kuich, and Heiko Vogler, editors, Handbook of Weighted Automata, pages 3–28. Springer, 2009. 95 Exotic Semiring Constraints [ES03] M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann Niklas Eén and Niklas Sörensson. An extensible SAT-solver. In Enrico Giunchiglia and Armando Tacchella, editors, SAT, volume 2919 of Lecture Notes in Computer Science, pages 502–518. Springer, 2003. [EWZ08] Jörg Endrullis, Johannes Waldmann, and Hans Zantema. Matrix interpretations for proving termination of term rewriting. J. Autom. Reasoning, 40(2-3):195–220, 2008. [FGM+ 07] Carsten Fuhs, Jürgen Giesl, Aart Middeldorp, Peter Schneider-Kamp, René Thiemann, and Harald Zankl. SAT solving for termination analysis with polynomial interpretations. In João Marques-Silva and Karem A. Sakallah, editors, SAT, volume 4501 of Lecture Notes in Computer Science, pages 340–354. Springer, 2007. [GKS11] Stéphane Gaubert, Ricardo Katz, and Sergei Sergeev. Tropical linear-fractional programming and parametric mean payoff games. ArXiv e-prints, 2011. Available from http://arxiv.org/abs/1101.3431, extended version of a workshop paper at the Workshop on Invariant Generation (WING 2010) http://research.microsoft.com/en-us/events/ wing2010/ at FLoC ’10. [Goo98] Joshua T. Goodman. Parsing inside-out. PhD thesis, Harvard University, 1998. [Kro98] Daniel Krob. Some automata-theoretic aspects of min-max-plus semirings. In Jeremy Gunawardena, editor, Idempotency, pages 70–79. Cambridge University Press, 1998. [KW09] Adam Koprowski and Johannes Waldmann. Max/plus tree automata for termination of term rewriting. Acta Cybern., 19(2):357–392, 2009. [MCLS11] Amit Metodi, Michael Codish, Vitaly Lagoon, and Peter J. Stuckey. Boolean equipropagation for optimized SAT encoding. In Jimmy Ho-Man Lee, editor, CP, volume 6876 of Lecture Notes in Computer Science, pages 621–636. Springer, 2011. [Sim88] Imre Simon. Recognizable sets with multiplicities in the tropical semiring. In Michal Chytil, Ladislav Janiga, and Václav Koubek, editors, MFCS, volume 324 of Lecture Notes in Computer Science, pages 107–120. Springer, 1988. [SNC09] Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT solvers to cryptographic problems. In Oliver Kullmann, editor, SAT, volume 5584 of Lecture Notes in Computer Science, pages 244–257. Springer, 2009. [ST10] Christian Sternagel and René Thiemann. Certification extends termination techniques. In Proc. 11th International Workshop on Termination (WST ’10), 2010. [TTKB09] Naoyuki Tamura, Akiko Taga, Satoshi Kitagawa, and Mutsunori Banbara. Compiling finite linear CSP into SAT. Constraints, 14(2):254–272, 2009. [Wal] Johannes Waldmann. satchmo-smt. https://github.com/jwaldmann/satchmo-smt. [Wal07] Johannes Waldmann. Weighted automata for proving termination of string rewriting. Journal of Automata, Languages and Combinatorics, 12(4):545–570, 2007. 96 A Theory of Arrays with set and copy Operations∗ (Extended Abstract) Stephan Falke Carsten Sinz Florian Merz Institute for Theoretical Computer Science Karlsruhe Institute of Technology (KIT), Germany {stephan.falke, carsten.sinz, florian.merz}@kit.edu http://verialg.iti.kit.edu Abstract The theory of arrays is widely used in order to model main memory in program analysis, software verification, bounded model checking, symbolic execution, etc. Nonetheless, the basic theory as introduced by McCarthy is not expressive enough for important practical cases, since it only supports array updates at single locations. In programs, memory is often modified using functions such as memset or memcpy/memmove, which modify a userspecified range of locations whose size might not be known statically. In this paper we present an extension of the theory of arrays with set and copy operations which make it possible to reason about such functions. We also discuss further applications of the theory. 1 Introduction The theory of arrays is widely used in order to model main memory in formal methods such as program analysis, software verification, bounded model checking, or symbolic execution. In the simplest case, main memory is modelled using a one-dimensional array, but the use of the theory of arrays goes beyond such flat memory models. Reasoning about arrays is thus an essential part of systems that are based on the aforementioned methods. Since the basic theory of arrays is quite simple, it is insufficient (or at least inconvenient to use) in many application cases. While it supports storing and retrieving of data at specific locations, it does not support the functionality provided by C library functions such as memset or memcpy/memmove which operate on regions of locations. While these region-based operations can be broken down into operations on single locations in many cases (e.g., a memcpy operation of size 10 can be simulated using 10 read and 10 write operations), this approach does not scale if the involved regions are large. Even worse, the sizes of the affected regions might not be statically known, making it more complicated to break the region-based operation into operations on single locations. These limitations of the theory of arrays also manifest themselves in tools implementing the formal methods mentioned above. In software bounded model checking tools such as CBMC [7] and ESBMC [8], calls to memset and memcpy/memmove are handled by including an implementation of these methods and unrolling the loop contained in the implementations. Due to this unrolling, CBMC and ESBMC are incomplete in their treatment of memset and memcpy/memmove.1 Our own software bounded model checking tool LLBMC [20, 22] was equally incomplete since it relied on user-provided implementations of memset and memcpy/memmove until we implemented the approach discussed in this work. In this paper we present an extension of the theory of arrays with set and copy operations which make it possible to reason about memset and memcpy/memmove. We discuss several ∗ This work was supported in part by the “Concept for the Future” of Karlsruhe Institute of Technology within the framework of the German Excellence Initiative. 1 The situation is similar in symbolic execution tools such as EXE [6] or KLEE [5]. Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 97–106 97 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz implementations of satisfiability solvers for this theory in the context of LLBMC and show with an empirical evaluation that these implementations outperform the unrolling based approach as used in CBMC and ESBMC in all but the most trivial cases. 2 The Theory of Arrays The (non-extensional) theory of arrays (TA ), as introduced by McCarthy in his seminal paper of 1962 [19], is given by the following signature and axioms: Sorts Functions element index array read write : : : : : elements indices arrays array × index → element array × index × element → array Objects of sort array denote arrays, i.e., maps from indices of sort index to elements of sort element. The write function is used to store an element in an array. Its counter-part, the read function, is used to retrieve an element from an array. The semantics of read and write is given be the following read-over-write axioms:2 p=r ¬(p = r) =⇒ read(write(a, p, v), r) = v (1) =⇒ read(write(a, p, v), r) = read(a, r) (2) These axioms state that storing the value v into an array a at index p and subsequently reading a’s value at index q results in the value v if the indices p and q are identical. Otherwise, the write operation does not influence the result of the read operation. In a simple implementation of a decision procedure for the theory of arrays, the read-overwrite axioms could be applied from left to right using the if-then-else operator ITE, i.e., a term read(write(a, p, v), q) is replaced by ITE(p = q, v, read(a, q)). After this transformation has been applied exhaustively, only read operations remain. These can then be treated as uninterpreted functions. Alternatively the resulting formula can be further transformed into pure equality logic using Ackermann’s construction: for all array variables a, let Pa be the set of all index arguments that occur in a read operation for a. Then, each occurrence of read(a, p) is replaced by a fresh variable Ap , and consistency constraints of the form p1 = p2 =⇒ Ap1 = Ap2 for all p1 , p2 ∈ Pa are added as constraints to the formula. Instead of this eager and expensive approach, modern SMT-solvers use abstraction refinement loops applying lazy axiom instantiation or lemma-on-demand techniques, see, e.g., [12, 4], to efficiently support the theory of arrays. 3 The Theory of Arrays with set and copy In order to extend TA with set and copy operations we restrict index to a linear arithmetical theory containing +, −, ≤, and <. Similar to [13], this section is based on the assumption that index = N. Furthermore, +, −, ≤, and < are interpreted in the expected way. Necessary changes in order to replace N by fixed-width bitvectors are discussed in Section 4. 2 Here and in the following, all variables are implicitly universally quantified. Also, variables a, b range over arrays, variables p, q, r, s range over indices, and the variable v ranges over elements. 98 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz a q b copy(a, p, b, q, s) p q+s p+s Figure 1: Graphical illustration of copy. The theory of arrays with set and copy operations (TASC ) extends TA by the following sorts, functions and axioms. The sort size is used for the sizes of set and copy operations. It is introduced as an alias for the sort index since the axioms contain arithmetical operations that combine terms of sort index with terms of sort size. Sorts Functions size set set∞ copy copy∞ = : : : : index array × index × element × size → array array × index × element → array array × index × array × index × size → array array × index × array × index → array The informal semantics of set(a, p, v, s) is to set all entries of a that are between p and p + s − 1 to the value v. Similarly, set∞ (a, p, v) sets all entries from p on upwards to v. Formally, the semantics of set is given by the following read-over-set axioms: p≤r <p+s ¬(p ≤ r < p + s) =⇒ read(set(a, p, v, s), r) = v (3) =⇒ read(set(a, p, v, s), r) = read(a, r) (4) Similarly, the read-over-set∞ axioms give a semantics to set∞ : p≤r ¬(p ≤ r) =⇒ read(set∞ (a, p, v), r) = v (5) =⇒ read(set∞ (a, p, v), r) = read(a, r) (6) The axioms have some similarity to the read-over-write axioms (1) and (2), but the simple equality comparison in the read-over-write axioms has been replaced by a more complex check for containment in a region of indices. Informally, copy and copy∞ are used in order to copy a range of values from one array to another array. This copying process may also involve a shift, i.e., the ranges in the arrays do not need to start at the same index position. See Figure 1 for a graphical illustration of copy. The semantics of copy is given by the read-over-copy axioms p≤r <p+s ¬(p ≤ r < p + s) =⇒ read(copy(a, p, b, q, s), r) = read(b, q + (r − p)) (7) =⇒ read(copy(a, p, b, q, s), r) = read(a, r) (8) and the semantics of copy∞ is specified using the the read-over-copy∞ axioms p≤r ¬(p ≤ r) =⇒ read(copy∞ (a, p, b, q), r) = read(b, q + (r − p)) =⇒ read(copy∞ (a, p, b, q), r) = read(a, r) (9) (10) 99 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz Example 1. Consider the formula s > 0 ∧ b = copy(a, p, a, q, s) ∧ o < s ∧ read(b, p + o) 6= read(a, q + o) in TASC . It is intuitively unsatisfiable since the copy operation ensures that read(b, p + o) and read(a, q + o) are identical for all o < s. The unsatisfiability can formally be shown using reasoning w.r.t. the axioms of TASC . 4 Using Bitvectors as Indices In principle, the natural numbers used as indices in Section 3 can readily be replaced by fixedwidth bitvectors if + and − are replaced by bitvector addition (bvadd) and bitvector subtraction (bvsub) and ≤ and < are replaced by unsigned less-than-or-equal (bvule) and less-than (bvult) operations, respectively. In the following discussion, we only consider set and copy. For the read-over-set axioms (3) this results in the following axioms for the set operation: bvule(p, r) ∧ bvult(r, bvadd(p, s)) =⇒ read(set(a, p, v, s), r) = v ¬(bvule(p, r) ∧ bvult(r, bvadd(p, s))) =⇒ read(set(a, p, v, s), r) = read(a, r) The read-over-copy axioms for copy now read as follows: bvule(p, r) ∧ bvult(r, bvadd(p, s)) =⇒ read(copy(a, p, b, q, s), r) = read(b, bvadd(q, bvsub(r, p))) ¬(bvule(p, r) ∧ bvult(r, bvadd(p, s))) =⇒ read(copy(a, p, b, q, s), r) = read(a, r) Notice that the wrap-around behavior of bitvector arithmetic that is caused by overflows leads to subtle semantic differences compared to the case of natural numbers. There are two cases in which a wrap-around can occur: (a) in the target range of a set or copy operation, i.e., in the computation of bvadd(p, s), or (b) in the source range of a copy operation, i.e., in the computation of bvadd(q, bvsub(r, p)). A target range overflow (a) causes the left-hand side of the implication to be always false for the first axiom and always true for the second axiom for both set and copy. This means that an overflow in the target range of any of the operations turns it into a no-op. In contrast to target range overflows, source range overflows (b) of a copy operation behave as expected, i.e., the indices from which the values are copied wrap around.3 5 Applications As already mentioned in Section 1, the most immediate use of TASC is to precisely and succinctly model library functions such as memset or memcpy/memmove in C. There are, however, several further applications of the theory for reasoning about programs which we would like to explore in future work: • Zero-initialization of global variables (as required by the C standard) can be achieved using the set operation. • Operating systems zero-initialize new memory pages before handing them to a process. This can again be achieved using an appropriate set operation. 3 If consistency of the two overflow cases is desired, an overflow in the source destination could be ruled out by adding an overflow check ¬bvuaddo(q, s) to the left-hand side of the implication in the second read-over-copy axiom. This turns the copy operation into a no-op, just like a target overflow does. 100 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz • If a memory region should be set to unconstrained values (havocked ), this can be done using a copy operation from a fresh array variable. Similarly, the same approach could be used in order to model memory-mapped I/O. • Tracking metadata for memory addresses. For instance, allocation information can be modeled using an array containing information on the allocation state of the locations. Memory allocation and memory de-allocation can then be modelled using the set operation. This makes it possible to develop an alternative to the SMT theory of memory allocation presented in [11] and the memory model presented in [21]. 6 Satisfiability Solving Current SMT-solvers do not support TASC yet. There are, however, several possibilities to reduce the satisfiability problem for quantifier-free TASC formulas to the satisfiability problem for a theory that is supported by existing SMT-solvers. In the following we only consider the set and copy operations, the set∞ and copy∞ operations are similar. Eager Encoding. In this setting, the axioms are applied in a pre-processing step before the resulting formula is passed to an SMT-solver. This pre-processing is done similarly to the case of TA as discussed in Section 2 by applying the axioms from left to right using the ITE operator. The main disadvantage of this approach is that the read-over-write axioms have to be applied eagerly as well in the pre-processing in order to eliminate writes that are “between” a read operation and a set or copy operation. The main advantage of the eager encoding is that any SMT-solver that can handle TA in combination with the index theory can be used. Example 2. For the formula from Example 1, the eager encoding produces the formula s > 0 ∧ o < s ∧ ITE(p < p + o < p + s, read(a, q + o), read(a, p + o)) 6= read(a, q + o) which can easily be seen to be unsatisfiable. Fully Quantified Axioms. In this approach, set and copy are added as interpreted function symbols whose semantics is given by explicitly stating the quantified axioms. As an example, the fully quantified axiom for set has the form ∀a : array, p : index, v : element, s : size, r : index. read(set(a, p, v, s), r) = ITE(p ≤ r < p + s, v, read(a, r)) The use of quantifiers makes the satisfiability problem hard, but it remains (in principle) decidable if bitvectors are used as indices. Quantified Axioms Instantiated for Arrays. As in the previous approach, set and copy are added as interpreted function symbols but the fully quantified axiom is partially instantiated for those arrays to which the operators are applied in the formula. Furthermore, each occurrence of, e.g., set is replaced by a fresh interpreted function symbol whose arity coincides with the number of arguments that are still quantified. Then, suitable constraints on this function symbol are added. If the formula contains, e.g., a term of the form set(a0 , p0 , v 0 , s0 ), then the constraint ∀p : index, v : element, s : size, r : index. read(seta0 (p, v, s), r) = ITE(p ≤ r < p + s, v, read(a0 , r)) 101 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz is added to the formula. Quantified Axioms Instantiated for all Arguments. Here, the fully quantified axiom is instantiated even further using all arguments occurring in applications to set and copy. Concretely, if the formula contains a term of the form set(a0 , p0 , v 0 , s0 ), then the following constraint is added to the formula: ∀r : index. read(seta0 ,p0 ,v0 ,s0 , r) = ITE(p0 ≤ r < p0 + s0 , v 0 , read(a0 , r)) Notice that the interpreted function symbol for seta0 ,p0 ,v0 ,s0 is now just a constant symbol. Instantiation-Based Approach. As in the previous approach, each occurrence of set and copy in the formula is replaced by a fresh constant symbol and constraints on this constant are added. In contrast to the three aforementioned approaches, these constraints do not contain any quantifier. Instead, an instantiation of the quantified constraint from the previous approach is added for all needed read indices. Here, the needed read indices are the (potentially) observed entries of the array produced by the set or copy operation (i.e., entries of the array that are read later on). They are determined by the following algorithm, in which we assume formulas to be represented as terms. Moreover, root(x) denotes the root symbol of a term x and y array x (y array x) denotes that x is a (non-strict) subterm of y such that the path leading from the root of y to the root of x contains only function symbols of sort array: /* x is a subterm of the complete formula ϕ with root(x) = copy or root(x) = set */ function GetNeededReadIndices(ϕ, x) N =∅ /* compute the set of minimal copy superterms of x in ϕ */ C = {y | y array x ∧ root(y) = copy ∧ ¬∃z. (y array z array x ∧ root(z) = copy)} for c := copy(a, p, b, q, s) ∈ C do if a array x then /* add recursively computed indices */ N = N ∪ GetNeededReadIndices(ϕ, c) end if if b array x then /* apply “pointer arithmetic” to the recursively computed indices */ N = N ∪ {q + (r − p) | p ∈ GetNeededReadIndices(ϕ, c)} end if end for /* compute the set and write superterms “between” x and C */ A = {y | y array x ∧ ¬∃z ∈ C. y array z array x} /* compute the indices used in reads of elements from A */ N 0 = {y | ∃z ∈ A. read(z, y) occurs in ϕ} return N ∪ N 0 end function Since the final formula does not contain quantifiers, any SMT-solver that can handle TA in combination with the index theory can be applied. Example 3. For the formula from Example 1, the instantiation-based approach produces the formula s > 0 ∧ read(b, p + o) = ITE(p < p + o < p + s, read(a, q + o), read(a, p + o)) ∧ o < s ∧ read(b, p + o) 6= read(a, q + o) 102 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz which again can easily be seen to be unsatisfiable. For the construction of the formula, notice that p + o is the only read index that is needed as an instantiation. 7 Evaluation We have experimented with all possible implementations described in Section 6 for determining the satisfiability of quantifier-free formulas in TASC . Since our motivation was the application in our bounded model checking tool LLBMC [20, 22], we have restricted attention to the case where index consists of bitvectors. The bounded model checking tool LLBMC is a bounded model checker for C and (to some extent) C++ programs. In order to support the complex and intricate syntax and semantics of these programming languages, LLBMC uses the LLVM compiler framework [17] in order to translate C and C++ programs into LLVM’s intermediate representation (IR). This IR is then converted into a logical representation and simplified using an extensive set of rewrite rules. The simplified formula is finally passed to an SMT-solver. Distinguishing features of LLBMC in comparison with related tools such as CBMC [7] and ESBMC [8] are its use of a flat, bit-precise memory model, its exhaustive set of built-in checks, and its performance (see [20]). Within LLBMC, we evaluated the following approaches for TASC satisfiability: 1. The eager encoding and the instantiation-based approach were evaluated in combination with the SMT-solver STP (SVN revision 1625) [12] (alternatively, any other SMT-solver for the logic QF ABV could be applied, e.g., Boolector [3] or Z3 [9]). 2. The approaches based on fully quantified or partially instantiated axioms have been evaluated in combination with the SMT-solver Z3 (version 3.2) [9], because STP does not support quantifiers. 3. set and copy are simulated using loops on the level of LLVM’s IR. Consequently, the boundedness restriction inherent to bounded model checking applies to these loops. This approach was again evaluated in combination with STP. These approaches have been evaluated on a collection of 55 C and C++ programs (19 programs from LLBMC’s test suite that were not specifically written for TASC , 19 programs from LLBMC’s test suite that were specifically written for TASC , and 17 programs from other sources (16 programs from [1] and one program from the KLEE distribution)). Notice that the logical encoding of these programs may contain a set or copy operation for one of several reasons: • The source code contains an explicit call to memset or memcpy/memmove. • The compiler may introduce a call to memset in order to initialize global variables. • Compiler optimizations may detect user-written functionality that essentially constitutes a re-implementation of memset or memcpy/memmove and replace the code by calls to the respective library functions. • Library-specific implementation details included through header files may result in calls to memset or memcpy/memmove. This is in particular true for C++ programs that use the container classes of the standard template library (STL). • Default implementations of C++ constructors, especially the copy constructor, may make use of memcpy operations to initialize the memory. 103 A Theory of Arrays with set and copy Operations Approach Instantiation-Based Approach Eager Encoding Built-In Loops Axioms Instantiated for all Arguments Axioms Instantiated for Arrays Fully Quantified Axioms S. Falke, C. Sinz, F. Merz SMT-solver STP STP STP Z3 Z3 Z3 Total Time 25.368 64.008 225.673 339.676 420.876 449.767 # Solved Formulas 55 54 50 45 42 42 Table 1: Times and success rates for the different approaches. Figure 2: Scatterplot comparing the instantiation-based approach to the other approaches. For the purpose of this evaluation, also memset and memcpy/memmove with a statically known size were not broken into operations on single locations. The results of LLBMC on the collection of examples are summarized in Table 1. The reported times are in seconds and only record the time needed for solving the simplified formula, i.e., the time needed for the logical encoding and the simplification of the formula are not included. A timeout of 30 seconds was imposed for each formula and timeouts are contained in the total R times. The experiments where performed on an Intel CoreTM 2 Duo 2.4GHz with 4GB RAM. These results indicate that the instantiation-based approach achieves the best performance, which can also be observed in the scatterplot contained in Figure 2. Notice that Z3 in combination with fully quantified or partially instantiated axioms is significantly slower and less powerful than the approaches that do not involve quantified formulas. Also, the approaches without quantifiers perform better than the naı̈ve implementation using loops on the level of LLVM’s IR, where the latter is furthermore incomplete due to the bounded number of loop iterations that can be considered.4 4 This incompleteness does not manifest itself in the evaluation since the number of loop iterations was chosen sufficiently large for each example. 104 A Theory of Arrays with set and copy Operations 8 S. Falke, C. Sinz, F. Merz Related Work Decidable extensions of the theory of arrays have been considered before. Suzuki and Jefferson [24] have studied the extension of TA with a restricted use of a permutation predicate. Mateti [18] has described a theory of arrays where entries of an array can be exchanged. Jaffar [16] has investigated reading of array segments but does not discuss writing array segments as needed for set and copy. Ghilardi et al. [13] have considered the addition of axioms specifying the dimension of arrays, injectivity of arrays, arrays with domains, array prefixes, array iterators, and sorted arrays. All of these extensions are orthogonal to the set and copy operations considered in this paper. A theory of arrays with constant-valued arrays has been proposed by Stump et al. [23]. Our set and set∞ operators can be seen as proper generalizations of constant-valued arrays. De Moura and Bjørner [10] have introduced combinatory array logic, which extends TA by constant-valued arrays and a map combinator. The satisfiability problem for restricted classes of quantified formulas in the theory of arrays has been investigated as well. The work by Bradley et al. [2] identifies the array property fragment, where value constraints are restricted by index guards in universally quantified subformulas. Notice that copy and copy∞ cannot be expressed in the array property fragment due to the “pointer arithmetic” q + (r − p). The set and set∞ operators, on the other hand, can be defined in the array property fragment. The array property fragment was later extended by Habermehl et al. [15, 14], but the “pointer arithmetic” needed for copy and copy∞ is still not permitted. Finally, Zhou et al. [25] have investigated a first-order array theory where the array elements are taken from a finite set. 9 Conclusions We have presented an extension of the theory of arrays with set and copy operations that can be used in order to model library functions such as C’s memset and memcpy/memmove in formal methods such as program analysis, software verification, bounded model checking, or symbolic execution. We have discussed several possible implementations of satisfiability solvers for this theory and have reported on an evaluation in our bounded model checking tool LLBMC [20, 22]. In future work, we are particularly interested in adding “native” support for TASC in SMTsolvers such as STP [12] or Boolector [3]. For this, it is necessary to investigate lazy axiom instantiation or lemma-on-demand techniques for TASC since these techniques have been fundamental for the performance gain that SMT-solvers for TA have experienced in recent years. Furthermore, we will formally prove soundness and completeness of the satisfiability solvers discussed in Section 6, in particular for the instantiation-based approach. Finally, we will investigate the complexity of satisfiability solving for quantifier-free TASC formulas and of the possible solvers discussed in Section 6. References [1] A. Armando, J. Mantovani, and L. Platania. Bounded model checking of software using SMT solvers instead of SAT solvers. STTT, 11(1):69–83, 2009. [2] A. R. Bradley, Z. Manna, and H. B. Sipma. What’s decidable about arrays? In Proc. VMCAI 2006, volume 3855 of LNCS, pages 427–442, 2006. [3] R. Brummayer and A. Biere. Boolector: An efficient SMT solver for bit-vectors and arrays. In Proc. TACAS 2009, volume 5505 of LNCS, pages 174–177, 2009. 105 A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz [4] R. Brummayer and A. Biere. Lemmas on demand for the extensional theory of arrays. JSAT, 6:165–201, 2009. [5] C. Cadar, D. Dunbar, and D. R. Engler. KLEE: Unassisted and automatic generation of highcoverage tests for complex systems programs. In Proc. OSDI 2008, pages 209–224, 2008. [6] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automatically generating inputs of death. TISSEC, 12(2):10:1–10:38, 2008. [7] E. M. Clarke, D. Kroening, and F. Lerda. A tool for checking ANSI-C programs. In Proc. TACAS 2004, volume 2988 of LNCS, pages 168–176, 2004. [8] L. Cordeiro, B. Fischer, and J. Marques-Silva. SMT-based bounded model checking for embedded ANSI-C software. In Proc. ASE 2009, pages 137–148, 2009. [9] L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In Proc. TACAS 2008, volume 4963 of LNCS, pages 337–340, 2008. [10] L. de Moura and N. Bjørner. Generalized, efficient array decision procedures. In Proc. FMCAD 2009, pages 45–52, 2009. [11] S. Falke, F. Merz, and C. Sinz. A theory of C-style memory allocation. In Proc. SMT 2011, pages 71–80, 2011. [12] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Proc. CAV 2007, volume 4590 of LNCS, pages 519–531, 2007. [13] S. Ghilardi, E. Nicolini, S. Ranise, and D. Zucchelli. Decision procedures for extensions of the theory of arrays. AMAI, 50(3–4):231–254, 2007. [14] P. Habermehl, R. Iosif, and T. Vojnar. A logic of singly indexed arrays. In Proc. LPAR 2008, volume 5330 of LNCS, pages 558–573, 2008. [15] P. Habermehl, R. Iosif, and T. Vojnar. What else is decidable about integer arrays? In Proc. FoSSaCS 2008, volume 4962 of LNCS, pages 474–489, 2008. [16] J. Jaffar. Presburger arithmetic with array segments. IPL, 12(2):79–82, 1981. [17] C. Lattner and V. S. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In Proc. CGO 2004, pages 75–88, 2004. [18] P. Mateti. A decision procedure for the correctness of a class of programs. JACM, 28:215–232, 1981. [19] J. McCarthy. Towards a mathematical science of computation. In Proc. IFIP Congress 1962, pages 21–28, 1962. [20] F. Merz, S. Falke, and C. Sinz. LLBMC: Bounded model checking of C and C++ programs using a compiler IR. In Proc. VSTTE 2012, volume 7152 of LNCS, pages 146–161, 2012. [21] C. Sinz, S. Falke, and F. Merz. A precise memory model for low-level bounded model checking. In Proc. SSV 2010, 2010. [22] C. Sinz, F. Merz, and S. Falke. LLBMC: A bounded model checker for LLVM’s intermediate representation (competition contribution). In Proc. TACAS 2012, volume 7214 of LNCS, pages 542–544, 2012. [23] A. Stump, C. W. Barrett, D. L. Dill, and J. R. Levitt. A decision procedure for an extensional theory of arrays. In Proc. LICS 2001, pages 29–37, 2001. [24] N. Suzuki and D. Jefferson. Verification decidability of Presburger array programs. JACM, 27:191– 205, 1980. [25] M. Zhou, F. He, B.-Y. Wang, and M. Gu. On array theory of bounded elements. In Proc. CAV 2010, volume 6174 of LNCS, pages 570–584, 2010. 106 An SMT-based Approach to Automated Configuration (Extended abstract) Raphaël Michel Arnaud Hubaux Vijay Ganesh CETIC Research Center Belgium PReCISE Research Center University of Namur Belgium Massachusetts Institute of Technology USA Patrick Heymans PReCISE Research Center University of Namur Belgium Abstract In this paper, we explore a novel application domain for SMT solvers: configuration problems. Configuration problems are everywhere and particularly in product lines, where different yet similar products (e.g., cars or customizable software) are built from a shared set of assets. Designing a product line requires enumerating the different product features and the constraints that determine their valid combinations. Various categories of constraint solvers exist, but SMT solvers appear to be a solution of choice for configuration problems. This is mostly due to their high efficiency and expressiveness which have already proved useful in a variety of practical applications. In this paper, we recall what configuration problems are, describe a language to represent them, and map from configuration problems to the satisfiability problem over SMT theories. 1 Variability Modelling and Configuration Problem Product lines have become an integral part of modern industry, be it in the manufacturing, the service or the software sectors [20]. Many kinds of products such as cars, insurance contracts or operating systems are developed as assemblies and customizations of reusable components, called configurations. Some configurations are valid, some are not, depending on numerous constraints including physical, mechanical, business, legal and design constraints. Moreover, manufacturers have an economic incentive, often dubbed with a legal obligation, in making sure that every possible configuration will result in a viable, safe, secure and useable product. Languages exist in which configuration problems can be encoded. These are often called variability modeling languages. Software tools have been built to automate all sorts of reasoning on variability models so as to uncover errors and inconsistencies [2]. Cars are probably the most well-known example of a configurable product. Cars can be equipped with different types of engines, transmissions and gearboxes. Similarly, different bodyworks (sedan, break, sport, cabriolet, etc.), paints, wheel types, and dozens of other options are available for most recent models. When designing a new car model, the manufacturer has to establish a list the various possible options and all the applicable configuration constraints. Some options are obviously incompatible (e.g. a cabriolet cannot have a moonroof), but dependencies among certain options can be subtle (e.g. an integrated GPS requires a color screen, which in turn requires a multifunction steering wheel). To build a car configurator similar to those found on the websites of car manufacturers, all these constraints need to be taken into account in order to guarantee that the final configuration Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 107–117 107 An SMT-based Approach to Automated Configuration R. Michel et al. will correspond to a car (1) that can actually be built and (2) that the manufacturer wishes to sell. When the variability model of a new car has been produced, the manufacturer can use it to verify properties of the products that can be derived, e.g., “Do all LPG cars also include a regular gas tank?”, “Is there any equipment presented to the buyer as an option that is in fact available in all models by default anyways?”, etc. Configurators are interactive software tools that record user choices and compute their implications automatically, e.g. update the price of the car, or automatically select / disable related options. For example, if the user selects ‘cabriolet’, the moonroof option should be either hidden or grayed out. Some configurators even provide a short explanation telling why the option is unavailable. All this needs to be done efficiently in order not to annoy users. The aforementioned configurator features are often referred to as choice propagation and conflict explanation. Systematic solutions based on constraint solvers exist to handle these problems. However, constraint handling in configurators is still often developed in ad-hoc manner, i.e. without the help of a solver. This is time-consuming and error-prone. Moreover, maintaining ad-hoc configurators is difficult as the constraints evolve and these are often scattered in many different parts of the code. Variability modelling languages can be seen as high-level constraint programming languages that address this challenge. They allow one to describe components and constraints in a declarative and natural way. Variability models are then handled by provably reliable constraint solvers to check that the requested configurations are valid. Over the years, researchers have come up with different approaches to that problem using different types of solvers (SAT, BDD, CSP, etc.) and techniques which we describe in the next section. To the best of our knowledge, SMT solvers have never been used for interactive configuration. Most configuration problems are decisional, i.e., users have to decide whether a given option should be selected or not. However, sometimes configuration problems also involve objective functions for optimizing a certain feature or attribute, e.g., minimize the memory footprint of an operating system running on a mobile device. This paper only sets out to build the foundation for SMT-based decisional configuration and leaves the possible extensions thereof (e.g., SMT with optimization [19]) for future work. 2 Motivation for an SMT-based Approach Over the years, different technologies have been studied to reason about configuration problems. The simplest forms of decisional configuration problems are defined as sets of binary decisions governed by basic constraints such as implication and exclusion. Given their nature, these problems are usually modelled and encoded in plain propositional logic. As a result, their verification and the propagation of decisions during interactive configuration can be very efficiently handled by modern SAT solvers [3]. However, casting configuration problems into purely Boolean formulas is often too restrictive. Many problems actually impose constraints over integer, real or string types. Using the higher expressiveness of constraint satisfaction problem solvers (CSPs) [22] is a very common way to address this issue. Standard CSP solvers allow to use several variable types, including Boolean and numerical variables, but some also implement string constraints using regular expressions [12]. Moreover, configuration problems often include variables which can either be activated or deactivated depending on the value of other variables. This need led to the use of Conditional CSPs [7]. Another extension to CSPs, called Generative CSP (GCSP) [7] handles the problem differently by generating variables on the fly during the search process, allowing infinite 108 An SMT-based Approach to Automated Configuration R. Michel et al. configurations to be constructed [1]. Gebser et al. [10] and Friedrich et al. [8] proposed the use Answer Set Programming (ASP), a technology very similar to SAT, based on the stable model semantics of logic programming. Several ASP solvers are based on SAT solvers (e.g. ASSAT [15], SModels-cc [18], and Sup) and others like Clasp and CModels use well-known SAT solving techniques (e.g. Incremental SAT, nogoods, conflict driven). Despite their Boolean nature, their convenient prolog-like syntax allows one to easily handle cardinalities (e.g.: 1a,b,c2 means that at least one and at most two of the three variables must be true). Some ASP solvers like DLV and Clasp [11] also allow one to perform optimizations (#minimize, #maximize). Other techniques based on knowledge compilation have also been used to handle configuration problems effectively by trading space for performance. Binary Decision Diagrams (BDDs) are one such space efficient data-structure for handling Boolean models. BDDs can be efficient in certain cases where SAT solvers are not. However, beyond a certain threshold the size of the data structure produced during the compilation phase makes this approach intractable for large problems [16]. DNNF, much like BDD is a form of knowledge compilation [6]. BDDs are a special case of DNNF. In their work on enumerating partial configurations, Voronov and al. also consider DNNF algorithms [23]. Dominant approaches to automated configuration are based on SAT, BDD and CSP solvers [22]. In [21], Pohl et al. carried out a performance comparison of such solvers. They selected three different solvers per category. Each solver had to complete a given set of operations on 90 feature diagrams, the most common type of variability models. The largest model contained 287 options. All these models were encoded in propositional logic. Without surprise, SAT solvers performed better for simple validation tasks whereas for more demanding operations such as product enumeration, differences are less clear. BDD solvers typically tend to perform better on larger examples, for instance. Yet, for much larger models (2000+ options), Mendonça et al. [17] show that BDD solvers suffer from intractability while SAT solvers manage to successfully complete a satisfiability check. Regarding expressiveness, SAT is limited due to its Boolean-only nature. CSP-based approaches offer more expressiveness and support various data types, but they are usually less efficient. Since SMT solvers are often SAT-based, our working hypothesis is that an SMT-based approach will retain the efficiency of modern SAT solvers while being much more expressive. Xiong et al. [24], for instance, have already demonstrated the applicability and high efficiency of SMT for conflict resolution in software configuration. Besides performance, the authors chose to use an SMT solver for its higher expressiveness. Indeed, to apply their approach to operating system configuration, support for arithmetic, inequality, and string operators was required. In [4], Bofill and Palah compare CSP and SMT solvers for a variety of practical applications and show that most of the time SMT solvers are faster. Hence, we propose a novel configuration approach whose reasoning engine builds upon an SMT solver. 3 Modeling a Configuration Problem: The Audi Example Software engineers rarely encode configuration options and their constraints in a solver-processable format such as SMT-Lib. They rather use higher-level languages like variability models, which are then translated into some solver format. Before delving into this translation, let us first introduce the basic building blocks of a variability model on a concrete example: The Audi car configurator. Audi is a German car manufacturer. Nowadays, Audi offers 12 different model lines, each available in different body styles with different engines and equipment. We present in Listing 1 a 109 An SMT-based Approach to Automated Configuration R. Michel et al. variability model that contains a sample of all the options available in the Audi car configurator.1 This model is written in TVL [5], a text-based feature modeling language. TVL may be seen as the last generation of feature diagrams (FD), a notation first introduced in [13]. FDs are now the de facto standard variability modelling language. They are usually depicted as trees and capture the commonalities and differences among products in a product family. Listing 1: Sample TVL model of the Audi car configurator. root AudiCar { group allof{ ModelLine, BodyStyle, Engine, Exterior, Model} } 1 2 ModelLine { group oneof { AudiA4 { AudiA4 -> (A4Saloon || A4Avant || S4Saloon || S4Avant) }, AudiA6 { AudiA6 -> (A6Saloon || A6Avant) } } 3 4 5 6 7 8 BodyStyle { group oneof { Saloon { Saloon -> (A4Saloon || S4Saloon || A6Saloon) }, Avant { Avant -> (A4Avant || S4Avant || A6Avant) } } Engine{ group allof{ WheelDrive, DriveTrain} } 9 10 11 12 13 14 15 WheelDrive{ group oneof{ Quatro, FrontWheelDrive, RearWheelDrive } } 16 17 DriveTrain{ group oneof{ Automatic, Manual, STronic } } 18 19 Gas{ group oneof{ Diesel, Petrol } } 20 21 Exterior{ group allof{ Color, Wheel, opt ExteriorPackage group someof{ BlackStyling, ContrastRoof } } } 22 23 24 25 26 27 28 29 Color{ group oneof{ Metallic, PearlEffect, Other } } 30 31 Wheel{ group allof{ Size { enum size in {s15, s16, s17, s18, s19, s20} }, TypeWheel } } 32 33 34 35 36 37 38 TypeWheel{ group oneof{ Spoke5, Spoke6, Harm7, Hole6} } 39 40 Model{ group oneof{A4Saloon, A4Avant, S4Saloon, S4Avant, A6Saloon, A6Avant} } 41 In Listing 1, the root of the FD is labelled AudiCar and has four child features: ModelLine, BodyStyle, Engine, and Exterior (line 1). The selection of these child features is determined by the operator allof (and -decomposition), which means that all the features must be selected; they are thus mandatory. Each of these features is then further refined in the rest of the model. The ModelLine (line 3), for instance, has two child features (AudiA4 and AudiA6 ) whose selection is determined by the oneof operator (xor -decomposition) at line 4. This operator means that one and only one of the child features can be selected. Each of its child features further constrains the selection of possible options. For instance, the selection of the AudiA6 implies the selection of the A6Saloon or A6Avant bodystyle (line 6). Such constraints are called crosscutting constraints. The Exterior feature (line 22) introduces two new concepts. First, its child feature ExteriorPackage is preceded by the keyword opt which means that the feature is optional. The 1 http://configurator.audi.co.uk/ 110 An SMT-based Approach to Automated Configuration R. Michel et al. children of this feature are determined by the someof operator (or -decomposition), which means that at least one option must be selected. TVL also supports generic cardinalities (not illustrated here) of the form [i..j], where i is the minimum number of selectable features and j the maximum. Finally, the Size feature of Wheel (line 34) adds another important concept: the attribute. In this example, the type of the attribute size is an enumeration of values which denotes the possible wheel sizes. In other words, the value of size must be one of those listed in the enumeration. Note that this is only one possible type of attributes. An attribute can also be a Boolean, an integer or a string. Furthermore, constraints over these attributes can be defined and include arithmetic (e.g., + or −), comparison (e.g., ≤ or ≥), and aggregation (e.g., min or max ) operators. Armed with this intuitive understanding of FDs, we are now set to formally define their fundamentals and their translation into an SMT problem. 4 Feature Diagram Language TVL provides a concrete syntax for the FD language we use. However, to properly define the translation of TVL into a solver format, we need a mathematical definition of the underlying concepts, irrespective of the concrete representation. In this section, we thus recall the essence of the abstract syntax of TVL from [5]. It will be useful to understand the translation presented in the next section. For brevity, here we do not present the formal semantics but the interested reader can refer to [5] From an abstract point of view, any FD can be seen as a tree of features, containing a single root, and where each feature is decomposed in one or more features, except for the leaves. Features can be labeled as optional and cardinalities can be used to define the decomposition type of a feature. Features can also have attributes. Attributes of features can be of different types: Boolean, numerical or “enum” (one value among a set of values). As we said previously, FDs are trees, in which features can have “children” features, and a “parent” feature (except for the root). In this context, a “justification rule” stipulates that if a feature is included in the product, then its parent feature must also be included. Then the translation will include the following implication : B ⇒ A Definition 1 (Syntactic domain LF D (Adapted from [5])). A TVL model d ∈ LF D is a tuple (F, r, ω, DE, λ, A, ρ, τ, V, ι, Φ) such that: • F is the (non empty) set of features (nodes). • r ∈ F is the root. • ω : F → {0, 1} labels optional features with a 0. • DE ⊆ F × F is the decomposition relation between features which forms a tree. For convenience, we will use children(f ) to denote {g | (f, g) ∈ DE}, the set of all direct sub-features of f , and write n → n0 sometimes instead of (n, n0 ) ∈ DE. • λ : F → N × N indicates the decomposition type of a feature, represented as a cardinality [i..j] where i indicates the minimum number of children required in a product and j the maximum. Note that and-, or-, and xor-decompositions are particular cases of cardinalities. For f ∈ N , they are respectively represented by [n..n], [1..n], and [1..1], where n = |children(f )|. 111 An SMT-based Approach to Automated Configuration R. Michel et al. • A is the set of attributes. • ρ : A → F is a total function that gives the feature declaring the attribute. • τ : A → {int, enum, bool} assigns a type to each attribute. • V is the set of possible values for enumerated attributes. • ι : {a ∈ A|τ (a) = enum} → P(V ) defines the domain of each enum. • Φ is a formula that captures crosscutting constraints. Without loss of generality, we consider Φ to be a conjunction of formulae on features and attributes. Furthermore, each d ∈ LF D must satisfy the following well-formedness rules: • r is the root: ∀f ∈ F (@f 0 ∈ F • • DE is acyclic: @f1 , .., fk ∈ F f1 → .. → fk → f1 , • f 0 → f ) ⇔ f = r, • Leaves are h0..0i-decomposed. • Except for the root, each node has a single parent: ∀f ∈ F \ r : ∃!f 0 ∈ F • f0 → f Constraints found in FDs are Boolean expressions over features and attributes that must remain true. These expressions include common Boolean operators (and, or, not, xor, implies). Common arithmetic operators are also available for numerical attributes (“+””, “-”, “*”, “/”, “abs”, “≤”, “≥”, “<”, “>”, “==”, “!=”). Comparison operations yield Boolean results that can be combined using the Boolean operators. These expressions are rather straightforward to translate to their equivalent in the solver’s input language. In abstract syntax form, the Audi example from Listing 1 becomes: F = {AudiCar, ModelLine, BodyStyle, Engine, Exterior, . . . } r = AudiCar ω(AudiCar) = 1, ω(ModelLine) = 1, . . . , ω(ExteriorPackage) = 0, . . . (AudiCar, ModelLine) ∈ DE, (AudiCar, BodyStyle) ∈ DE, . . . , (ModelLine, AudiA4) ∈ DE, . . . λ(AudiCar) = [4..4], λ(ModelLine) = [1..1], . . . , λ(ExteriorPackage) = [1..2], . . . A = {size} ρ(size) = Size τ (size) = enum V = {s15, s16, s17, s18, s19, s20} ι(size) = {s15, s16, s17, s18, s19, s20} Φ = AudiA4 ⇒ (A4Saloon ∨ A4Avant ∨ S4Saloon ∨ S4Avant)∧ AudiA6 ⇒ (A6Saloon ∨ A6Avant)∧ Saloon ⇒ (A4Saloon ∨ S4Saloon ∨ A6Saloon)∧ Avant ⇒ (A4Avant ∨ S4Avant ∨ A6Avant) 5 Details of the translation from FD to STP Features, attributes, and constraints over them are the core of an FD. In this section, we present how these constructs are translated into the STP SMT solver’s input language [9]. STP is a state-of-the-art SMT solver for a quantifier-free theory of bit-vectors and arrays. The translation from constructs of the FD language (see Definition 1) to STP is described in Table 1. F , the set of all features defined in the FD is encoded into an array of one-bit bitvectors, where each entry (or index) into the array represents a feature. If the bitvector corresponding 112 An SMT-based Approach to Automated Configuration R. Michel et al. Table 1: Mapping from FDs to STP FD construct STP Equivalent Comment F : set of features F: ARRAY BITVECTOR(N) OF BITVECTOR(1) N = log(|F |) Every feature in F is an entry in the array F r∈F r: BITVECTOR(N) Root feature r of F indexes the zeroth position of array F ω : {i|i ∈ F } ASSERT(F[i] = 0bin1) The ith feature in F is not optional (f, g) ∈ F f,g : BITVECTOR(N) Features f, g are converted into indices into array F For every pair (f, g) ∈ DE ASSERT( (F[g] = 0bin1) ⇒ (F[f] = 0bin1)) f is a parent of feature g (f, lo, hi) ∈ λ means ∀i ∈ [1, k] : (f, gi ) ∈ DE ASSERT(lo ≤ F [g1 ] + F [g2 ] + ... + F [gk ] ≤ hi) The cardinality of the set of features gi is between lo and hi for every attribute a of type int over finite range a : BITVECTOR(N) Attributes are bitvectors Arithmetic and logic operations over attributes Arithmetic and logic operations over corresponding bitvectors Translation is straightforward For each pair (feature,attribute) M: ARRAY BITVECTOR(L) OF BITVECTOR(1) ASSERT(M[i] = 0bin1) Feature has attribute i Constraints over features and attributes Constraints over corresponding bitvectors and arrays Translation is straightforward to a feature equals 1, then the feature is included in the FD. Only log(|F |) bits are required 113 An SMT-based Approach to Automated Configuration R. Michel et al. to address this array since any index can be encoded in binary notation. The index of the root feature, named r, is kept in a separate bitvector, of size log(|F |), the same size as any other index. Optional and mandatory features are addressed through the set ω. ω contains all mandatory features, those that are not optional. For each of these features, we force the corresponding bitvector in the array F to be equal to 1, meaning that the feature is included in the product. FD’s are represented as trees. Features have a parent feature (except for the root) and can have children features. Each feature is represented by its index into the F array. Concretely, features are converted to bitvectors of size log(|F |). When a feature is included, its parent must be included as well. This constraint is translated by a group of “assert” statements, each of which handles a pair of features (f, g) where f is the parent of g. If g is included in the product then f must be included as well, meaning that if the g th element of F equals 1, then the f th element must also be equal to 1. The set of children of a feature form a group, with which a cardinality can be associated, indicating the number of features in F that can be selected. This cardinality is the sum of the corresponding bitvectors in F and must be between the bounds of the cardinality. This is captured by an inequality as shown in Table 1. Attributes of features are encoded as bit-vector variables whose size depends on the type of the attribute. All the common arithmetic and logic operations on attributes have a straightforward translation to their corresponding operation on bitvectors. Attributes and features are connected using arrays indexed by bit-vectors of suitable length and whose entries are one bit bit-vectors. Each such array corresponds to a feature, and each index in the array corresponds to an attribute. If the ith bitvector of an array equals to 1, then the corresponding feature has the ith value of the corresponding attribute. Note that we assume here that all attributes can be linearly ordered. Finally, additional FD constraints over features and attributes are usually (in)-equality comparisons indicating presence or absence of an attribute or feature. Additionally there can be numeric constraints. All such constraints have a straightforward translation to STP constraints over the corresponding bitvectors and arrays. 6 Preliminary Results In this section we provide some preliminary results of the STP-based interactive configuration tool that we are developing. 6.1 Benchmarks We developed the following benchmarks to evaluate our hypothesis: a configuration problem for the Audi car product line and another for the Skoda car product line. The Audi TVL sample was built from their online car configurator2 . It contains the most common options available including engines, wheels, infotainment, navigation, etc. We also added constraints among these options such as those described in Section 1. We did a similar exercise with the Skoda car configurator3 . The TVL models of the Audi and Skoda car configurators respectively contain 154 and 253 features with 67 and 179 constraints. In both cases cases, most of these constraints (135 for the Audi example and all for the Skoda example) were expressed in plain propositional logic. 2 http://configurator.audi.co.uk/ 3 http://www.skoda.co.uk/ 114 An SMT-based Approach to Automated Configuration 6.2 R. Michel et al. Experimental Setup All experiments were performed on a MacBook Pro 2.4 GHz, 64 bit and 4 GBytes of RAM. The translation from our FD language to STP is written in Java. We compared performance results between a SAT (CryptoMiniSAT [14]) and an SMT solver (STP). The TVL models were first translated to their equivalent form in STP’s input language. Then we compared the performance of the SMT solver using the command stp -t (-t tells stp to output the execution time) against the performances of CryptoMiniSAT, STP’s default backend SAT solver, using stp -t -r -a -w. These switches on the command line disable the optimisations and simplifications performed by STP before running CryptoMiniSAT. 6.3 Results and Discussion STP is approximately twice as fast as pure SAT on our benchmarks. We note that these examples are relatively simple, and as we move to more complex applications we expect SMT solvers to outperform SAT by a significant margin. We are in the process of translating many other configuration problems into SMT problems that are far more complex. For these small models which are mostly Boolean, we observe no significant difference (no more than 2X) between the execution times of STP with and without SMT optimizations. For Boolean models, using an SMT solver offers more expressiveness without additional performance cost. 7 Conclusions and Future Work In this paper, we proposed a new application for SMT solvers: the configuration problem. While the problem of configuration has already been studied for years using SAT and CSP solvers, each of these solvers have certain limitations which motivate our work. In particular, while SAT solvers are very efficient, their input language is not expressive enough for many kinds of configuration problems. On the other hand, CSP solvers have expressive input languages but are not as efficient as SAT solvers. SMT solvers, a new breed of solvers, are efficient and expressive for many practical application including configuration problems and hence can be a viable alternative to SAT and CSP solvers. What we reported here is preliminary work on using SMT solvers for solving configuration problems. Specifically, we present a mapping from TVL, a modern variability modelling language, to STP, our SMT solver of choice. Future work will include: (1) Describing how we interact with an SMT solver to perform other interactive configuration tasks such as propagating user choices or explaining conflicts and providing alternatives to solve them; (2) Validating our claim that SMT solvers are more efficient than other types of solvers with similar expressiveness. References [1] M. Aschinger, C. Drescher, and G. Gottlob. Introducing loco, a logic for configuration problems. In Proceedings of the 2nd Workshop on Logics for Component Configuration (LoCoCo’11), pages 36–45, Perugia, Italy, 2011. [2] D. Benavides, S. Segura, and A. Ruiz-Cortes. Automated analysis of feature models 20 years later: A literature reviews. Information Systems, 35(6), 2010. [3] A. Biere, M. Heule, H. van Maaren, and T. Walsh, editors. Handbook of Satisfiability, volume 185 of Frontiers in Artificial Intelligence and Applications. IOS Press, 2009. 115 An SMT-based Approach to Automated Configuration R. Michel et al. [4] M. Bofill, M. Palahı́, J. Suy, and M. Villaret. SIMPLY: a Compiler from a CSP Modeling Language to the SMT-LIB Format. In Proceedings of the 8th International Workshop on Constraint Modelling and Reformulation (ModRef ’09), pages 30–44, Lisbon, Portugal, 2009. [5] A. Classen, Q. Boucher, and P. Heymans. A text-based approach to feature modelling : Syntax and semantics of TVL. Science of Computer Programming, 76:1130–1143, 2011. [6] A. Darwiche. Compiling knowledge into decomposable negation normal form. In Proceedings of the 16th international joint conference on Artifical intelligence - Volume 1 (IJCAI’99), pages 284–289, Stockholm, Sweden, 1999. Morgan Kaufmann Publishers Inc. [7] G. Fleischanderl, G. E. Friedrich, A. Haselböck, H. Schreiner, and M. Stumptner. Configuring large systems using generative constraint satisfaction. IEEE Intelligent Systems, 13:59–68, July 1998. [8] G. Friedrich, A. A. Falkner, A. Haselböck, G. Schenner, H. Schreiner, and S. A. G. Österreich. ( Re ) configuration using Answer Set Programming. In Proceedings of the 12th Workshop on Configuration (ConfWS’11), pages 26–35, Barcelona, Spain, 2011. [9] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Proceedings of the 19th international conference on Computer Aided Verification (CAV’07), pages 519–531, Berlin, Germany, 2007. Springer-Verlag. [10] M. Gebser, R. Kaminski, and T. Schaub. aspcud: A Linux Package Configuration Tool Based on Answer Set Programming. In Proceedings of the 2nd Workshop on Logics for Component Configuration (LoCoCo’11), pages 12–25, Perugia, Italy, 2011. [11] M. Gebser, B. Kaufmann, and T. Schaub. The conflict-driven answer set solver clasp: Progress report. In Proceedings of the 10th International Conference on Logic Programming and Nonmonotonic Reasoning (LPNMR’09), pages 509–514, Potsdam, Germany, 2009. Springer-Verlag. [12] K. Golden and W. Pang. Constraint reasoning over strings. In Proceedings of the Ninth International Conference on Principles and Practice of Constraint Programming (CP’03), pages 377–391, Kinsale, County Cork, Ireland, 2003. Springer-Verlag. [13] K. Kang, S. G. Cohen, J. A. Hess, W. E. Novak, and A. S. Peterson. Feature-Oriented Domain Analysis (FODA) Feasibility Study. Technical report, Software Engineering Institute, Carnegie Mellon University, 1990. [14] O. Kullmann, editor. Theory and Applications of Satisfiability Testing - SAT 2009, 12th International Conference, SAT 2009, Swansea, UK, June 30 - July 3, 2009. Proceedings, volume 5584 of Lecture Notes in Computer Science. Springer, 2009. [15] F. Lin and Y. Zhao. Assat: computing answer sets of a logic program by sat solvers. Artif. Intell., 157(1-2):115–137, 2004. [16] M. Mendonca and A. Wasowski. SAT-based analysis of feature models is easy. In Proceedings of the 13th International Software Product Line Conference, pages 231–240, San Francisco, USA, 2009. Carnegie Mellon University. [17] M. Mendonça. Efficient reasoning techniques for large scale feature models. PhD thesis, 2009. [18] I. Niemelä, P. Simons, and T. Syrjänen. Smodels: A system for answer set programming. CoRR, cs.AI/0003033, 2000. [19] R. Nieuwenhuis and A. Oliveras. On SAT Modulo Theories and Optimization Problems. In A. Biere and C. P. Gomes, editors, Proceedings of the 9th International Conference on Theory and Applications of Satisfiability Testing (SAT’06), volume 4121 of Lecture Notes in Computer Science, pages 156–169. Springer, 2006. [20] K. Pohl, G. Böckle, and F. J. van der Linden. Software Product Line Engineering: Foundations, Principles and Techniques. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2005. [21] R. Pohl, K. Lauenroth, and K. Pohl. A performance comparison of contemporary algorithmic approaches for automated analysis operations on feature models. In Proceedings of the 26th IEEE/ACM International Conference on Automated Software Engineering (ASE’11), ASE ’11, pages 313–322, Washington, DC, USA, 2011. IEEE Computer Society. 116 An SMT-based Approach to Automated Configuration R. Michel et al. [22] F. Rossi, P. v. Beek, and T. Walsh. Handbook of Constraint Programming (Foundations of Artificial Intelligence). Elsevier Science Inc., New York, NY, USA, 2006. [23] A. Voronov, K. Å kesson, and F. Ekstedt. Enumeration of valid partial configurations. In Proceedings of the 12th Workshop on Configuration (ConfWS’11), pages 25–31, Barcelona, Spain, 2011. [24] Y. Xiong, A. Hubaux, S. She, and K. Czarnecki. Generating range fixes for software configuration. In Proceedings of the 34th International Conference on Software Engineering (ICSE’12), Zurich, Switzerland, 2012. IEEE Computer Society. (To appear). 117 Anatomy of Alternating Quantifier Satisfiability (Work in progress) Anh-Dung Phan Technical University of Denmark Nikolaj Bjørner Microsoft Research David Monniaux Verimag Abstract We report on work in progress to generalize an algorithm recently introduced in [10] for checking satisfiability of formulas with quantifier alternation. The algorithm uses two auxiliary procedures: a procedure for producing a candidate formula for quantifier elimination and a procedure for eliminating or partially eliminating quantifiers. We also apply the algorithm for Presburger Arithmetic formulas and evaluate it on formulas from a model checker for Duration Calculus [8]. We report on experiments on different variants of the auxiliary procedures. So far, there is an edge to applying SMT-TEST proposed in [10], while we found that a simpler approach which just eliminates quantified variables per round is almost as good. Both approaches offer drastic improvements to applying default quantifier elimination. 1 Introduction Can formulas with nested quantifiers be checked effectively for satisfiability? Several algorithms exist in the context of Quantified Boolean Formulas that handle alternation of quantifiers [12, 1]. They are specialized for eliminating variables over Booleans. An algorithm for alternating quantifier satisfiability was given in [10] for the case of linear arithmetic over the Reals. It integrates tightly an All-SMT loop and projection based on Fourier-Motzkin elimination or Chernikov projection. A question arises whether the ideas lift to other projection procedures. Also, are there reasonable alternatives to All-SMT and how do they compare? This ongoing work presents a generalized algorithm of that presented in [10] which abstracts the auxiliary procedures. We instantiate the generalization to projection functions based on virtual substitutions, i.e. substitution methods that replace quantifiers by disjunctions of bounded variables. The specialization is for Linear Integer Arithmetic based on Cooper’s procedure and used for formulas that arise from Duration Calculus Model Checker (DCMC). Linear Integer Arithmetic (LIA) or Presburger Arithmetic, introduced by Mojzaesz Presburger in 1929, is a first-order theory of integer which accepts + as its only operation. A classic example of representing some amount of money by 3-cent coins and 5-cent coins appears in LIA as follows: ∀z (z ≥ 8 → ∃x ∃y (3x + 5y = z)) After Presburger proved decidability of LIA [14], LIA attracted a lot of attention due to applications in different areas. Cooper’s algorithm [4] is a substitution-based decision procedure. The Omega Test is a projection-based decision procedure for LIA and employed in dependence analysis of compilers [13]. A variant that integrates elements from both Cooper’s method and the Omega Test is implemented in Z3 [2]. While Z3 can handle non-trivial LIA problems, applications from DCMC also expose limitations of using quantifier elimination alone. The time complexity of all procedures for Presburger Arithmetic is high. Let n denote the length of cn a LIA formula; running time of any decision procedure is at least 22 for some constant c > 0 2cn [6]. Moreover, Oppen proved a triply exponential upper bound 22 for worst-case running time of Cooper’s algorithm [11]. 118 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 118–128 Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux This paper is organized as follows. Section 2 presents the generalized algorithm with a few supporting procedures. Section 3 presents different methods for producing candidate formulas. Section 4 instantiates the algorithm with a concrete procedure for virtual substitutions. We discuss implementation details and benchmarks in Section 5 and Section 6 concludes the paper. 2 Alternating Quantifier Satisfiability This section develops an algorithm that is an abstraction of the alternating quantifier satisfiability algorithm presented for Linear Real Arithmetic in [10]. The abstraction is formulated such that various quantifier elimination methods can be plugged in, including virtual substitutions. 2.1 Definitions The algorithm being developed relies on two procedures for extrapolation and projection. We first describe the requirements for these procedures and discuss the main algorithm later. Definition 1 (Extrapolant). Given two formulas A and B, a formula C is an extrapolant of A and B if the following conditions are satisfied: A ∧ B is unsat then C = f alse A ∧ B is sat then A ∧ C is sat, ¬B ∧ C is unsat We use hA, Bi to denote an extrapolant. Extrapolation is typically understood as finding new data points outside a set of existing points. Intuitively, C has empty intersection with ¬B and non-empty intersection with A. There are many possible extrapolants for each pair of formulas, and the definition here does not specify how to compute an extrapolant. An example of a trivial extrapolant is described in the following procedure: when A ∧ B is satisfiable we can take B as an extrapolant, otherwise take false. Definition 2 (Projection πx.(C|M )). Let M and C be quantifier-free formulas where variable x only occurs in C (x ∈ / F V (M ) where F V (M ) denotes the set of free variables in M ). Assume C ∧ M is satisfiable. A projection procedure πx.(C|M ) computes a quantifier-free formula satisfying the conditions: 1. F V (πx.(C|M )) ⊆ F V (C) \ {x} 2. πx.(C|M ) is sat 3. (M ∧ πx.(C|M )) → ∃x C Similar to extrapolation we only gave the conditions that projection functions have to satisfy for the developing algorithm to be sound. There is a choice of algorithms for implementing πx.(C|M ). A possible way is to use virtual substitutions, where we derive a quantifier-free formulas by substituting variables by one or more disjunctions. Virtual substitutions will be presented with more details in Section 4. 2.2 Quantifier Test: algorithm QT QT is defined as a recursive function in Algorithm 1. The four arguments of QT can be explained in the following way: C is a context formula which reflects collected information at 119 Anatomy of Alternating Quantifier Satisfiability Algorithm 1: QT (i, C, x, M ) if C ∧ M i is unsat then return (f alse, M ) end if i = n then return (hC, M i i, M ) end (C 0 , M 0 ) ← QT (i + 1, hC, M i i, x, M ); if C 0 = f alse then return (hC, M i i, M 0 ) end M 00 k ← M 0 k , ∀ k 6= i; M 00 i ← M 0 i ∧ ¬(πxi .(C 0 |M 0 i )); return QT (i, C, x, M 00 ); A.-D. Phan, N. Bjørner, D. Monniaux Algorithm 2: QE(x, F n ) M k ← true, ∀ k < n; M n ← F n; C ← false; C 0 ← true; while C 0 6= false do (C 0 , M ) ← QT (1, ¬C, x, M ); C ← C ∨ C 0; end return C; current iteration; x and M are vectors of quantified variables and formulas respectively, and i is the index to access current elements in the above vectors. We use the notation M i to refer to the i-th element of vector M and imply the same notation for other vectors. Given any nested quantified formula F 1 in the form of Q1 x01 Q2 x02 ...Qk x0k F 0 where Qi ∈ {∀, ∃} and F 0 is a quantifier-free formula, we can convert F 1 into a form of ∀x1 ¬∀x2 ...¬∀xn ¬F n where F n is also quantifier-free. This leads to a sequence of formulas F i such that: F i ≡ ∀xi ¬F i+1 for i < n. Before QT is called, the initial values of M i are initialized to true for i < n and M n is initialized to F n , The final value of M 1 is false if and only if F 1 is unsatisfiable. Theorem 1 (Partial Correctness). Assume C is satisfiable. The algorithm QT (i, C, x, M ) returns a pair of the form (C 0 , M 0 ) where C 0 is an extrapolant of hC, F i i. We do not provide a detailed proof, but we briefly discuss correctness and the invariant F i V M i , that are mutually inductive. The main idea is that F i V M i holds for the initialization step for QT, and F i ⇒ ¬(πxi .(C 0 |M i )) also holds for each QT iteration; therefore, we strengthen M i in the end of QT and preserve the invariant at the same time. The if branches of QT return hC, M i i when M i cannot be strengthened any more. Moreover, QT also ensures that hC, M i i ∧ F i is unsat. Therefore, the last hC, M i i (corresponding to the strongest version of M i ) is also an extrapolant of hC, F i i. Termination: Algorithm QT does not terminate for arbitrary instantiations of projection and extrapolation. The projection and extrapolation operators we examine here are well-behaved (with respect to termination) in the following sense: (1) The extrapolation procedures do not introduce new atoms, so there will be only a finite number of new extrapolants one can make. (2) The projection procedures are also finitary: they produce only a finite set of projections for the case of linear arithmetic. 2.3 Quantifier Elimination: algorithm QE A quantifier-free version of F 1 is obtained by executing QT until saturation in Algorithm 2. The algorithm initializes a vector of formulas M and strengthens these formulas as much as 120 Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux possible in a loop. The intuition of QE is described as follows: • Run QT (1, ¬f alse, x, M ), we obtain a formula C1 where C1 V F 1 . • Execute QT (1, ¬C1 , x, M ), we get C2 , a disjoint formula of C1 , where C2 V F 1 . • Run QT (1, ¬(C1 ∨ C2 ), x, M ), we obtain a next formula C3 where C3 V F 1 . • When QT (1, ¬C, x, M ) returns false, we get C as a disjunction of disjoint formulas where C ≡ C1 ∨ C2 ∨ ... ∨ Ck and C V F 1 . 2.4 Algorithm QT by example We use a small example to illustrate the algorithm QT : ∀y ∃z (z ≥ 0 ∧ ((x ≥ 0 ∧ y ≥ 0) ∨ −y − z + 1 ≥ 0)) (1) The formulas corresponding to (1) are: F 1 = ∀y ¬F 2 , F 2 = ∀z ¬F3 , F 3 = z ≥ 0 ∧ ((x ≥ 0 ∧ y ≥ 0) ∨ −y − z + 1 ≥ 0) and quantifiers are: x1 = y, x2 = z Algorithm QT also maintains formulas M 1 , M 2 and M 3 that are initialized as follows: M 1 = true, M 2 = true, M 3 = F 3 = z ≥ 0 ∧ ((x ≥ 0 ∧ y ≥ 0) ∨ −y − z + 1 ≥ 0) It maintains the invariants: F i V M i , F V (M i ) ⊆ {x1 , . . . , xi−1 } for i = 1, 2, 3 (2) Finally, the algorithm propagates a context formula Ci between levels. The context formula is updated during propagation. When Ci is propagated from level i to i + 1 or i − 1, it results in a formula (Ci+1 or Ci−1 ) that has non-empty intersection with Ci and is implied by M i . This formula is an extrapolant of Ci and M i as defined in Definition 1. The extrapolant Ci on level i satisfies: F V (Ci ) ⊆ {x1 , . . . , xi−1 } (3) It contains only variables that are free above level i. Let us run QT on the sample formula. In the initial state, vector M = htrue, true, F 3 i, C1 = true, i = 1. 1. C1 ∧ M 1 is true ∧ true. It is satisfiable, so let us choose an extrapolant C2 for C1 and M 1 . C2 := true is an extrapolant because C1 ∧ C1 is satisfiable and ¬M 1 ∧ C2 is unsatisfiable. Set i := 2. 2. C2 ∧ M 2 is also satisfiable and similarly we set C3 := true, i := 3. 3. C3 ∧ M 3 , which is C3 ∧ F 3 , is satisfiable as well. In this case we will propagate back to level 2 a formula that intersects with C3 and implies F 3 . So let us return C3 := z ≥ 0 ∧ x ≥ 0 ∧ y ≥ 0 and update the level i := 2. 121 Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux 4. Now F 2 ≡ ∀z.¬F 3 implies that ∀z.¬C3 ≡ ¬∃z.C3 . So we can strengthen M 2 with the negation of any formula that implies ∃z.C3 . This is a projection as denoted by the notation πz.(C3 |M 2 ) in Definition 2. It can take the current state of M 2 into account. In this case we set πz.(C3 |M 2 ) to x ≥ 0 ∧ y ≥ 0 and update M 2 := ¬(x ≥ 0 ∧ y ≥ 0). 5. C2 ∧ M 2 , which is ¬(x ≥ 0 ∧ y ≥ 0), remains satisfiable. Let us set C3 := ¬(y ≥ 0), i := 3. C3 satisfies the conditions for being an extrapolant. 6. C3 ∧M 3 (= C3 ∧F 3 ) is still satisfiable. We return the extrapolant C3 := z ≥ 0∧−y−z+1 ≥ 0 and set i := 2. 7. The formula y ≤ 1 implies ∃z.C3 (they are actually equivalent), so we can update M 2 := M 2 ∧ ¬(y ≤ 1) and maintain the invariant F2 V M2 . Let us simplify M 2 , ¬(x ≥ 0 ∧ y ≥ 0) ∧ ¬(y ≤ 1), to x < 0 ∧ y > 1. 8. At this point M 2 implies x < 0. So the next extrapolant C3 will also imply x < 0. However, M 3 cannot be satisfiable with C3 . We are done with level 3 and return false to level 2. In response, level 2 propagates the extrapolant C2 := (x < 0 ∧ y > 1) up to level 1. 9. Similar to step 4, F 1 ≡ ∀y.¬F 2 implies that ∀y.¬C2 ≡ ¬∃y.C2 . So if we take πy.(C2 |M 1 ) to be x < 0, then we can update M1 := ¬(x < 0), which is x ≥ 0. 10. At this point let us check the levels below using x ≥ 0. Then M 2 ∧ x ≥ 0 is unsatisfiable, so there is no refinement under this assumption. Return false to level 1. Level 1 is done, and we conclude the formula is satisfiable and an output quantifier-free formula is x ≥ 0. 3 Extrapolation A trivial extrapolant has been described in Section 2.1. We will here discuss two other versions of computing extrapolants hA, Bi. 3.1 SMT-TEST The approach used in [9, 10] is to enumerate conjunctions of literals that satisfy A ∧ B. Suppose L := `1 , . . . , `n are the literals in the satisfying assignment for A ∧ B. An extrapolant is the intersection of L and an unsatisfiable core of L ∧ ¬B. Our implementation of SMTTEST extrapolation is using a single satisfiability check to extract a (not necessarily minimal) unsatisfiable core. 3.2 NNF strengthening NNF strengthening is a process of deriving a stronger formula by replacing literals by f alse. We start with a formula C which is a transformation of B to NNF. For each literal in C in order, replace that literal by f alse and check the conditions for extrapolation so that ¬B ∧ C is unsat and A ∧ C is sat. The first check is redundant (which holds by construction) and the second is not redundant. An extrapolant C = hA, Bi is computed according to Algorithm 3. NNF strengthening gives us stronger formulas which potentially help reduce the number of iterations in procedure QT. We currently check satisfiability in each round during NNF strengthening. Another approach is to evaluate C[l/ false] using a model for C. 122 Anatomy of Alternating Quantifier Satisfiability Algorithm 3: NNF extrapolant C ← N N F (B); foreach literal ` ∈ C do C 0 ← C[l/ false]; if A ∧ C 0 is sat then C ← C0 end end return C A.-D. Phan, N. Bjørner, D. Monniaux 4 Projection specialized to Linear Integer Arithmetic We are here interested in LIA since LIA decision procedure is used as the core of DCMC and plays a central role in feasibility of the model-checking approach [8]. Duration Calculus (DC) is an extension of Interval Temporal Logic with the notion of accumulated durations allowing succinct formulation of real-time problems. Chop (_) is the only modality appearing in DC; however, the modelchecking problem in DC is transformed to satisfiabilitychecking of a LIA formula in size exponential to the chop-depth [7]. Cooper’s algorithm for Presburger Arithmetic corresponds to quantifier elimination using virtual substitutions, and besides SMT-TEST for extrapolation we also consider strengthening formulas in negation normal form (NNF) by replacing literals by false. Virtual substitution methods work directly on formulas in NNF, so SMT-TEST is potentially not required. 4.1 Virtual substitutions Virtual substitutions on LIA are performed by means of Cooper’s algorithm. The algorithm removes quantifiers in the inside-out order using the following transformation: ∃x. φ ⇐⇒ φ[>/ax < t, ⊥/ax > t] ∨ δ _ _ φ[t + i/ax] ∧ δ 0 | t + i i=1 ax<t where δ is the least common multiple of all divisors d in divisibility constraints d | t and δ 0 is the least common multiple of all coefficients a in comparison constraints ax ./ t where a > 0 and ./ ∈ {<, ≤, =, ≥, >}. A quantified formula is transformed to a disjunction by a series of substitution steps. The disjunction can be represented symbolically (it corresponds to an existential quantifier over a finite domain) and may contain redundant disjuncts. The new divisibility constraint δ 0 | t + i could be replaced by many divisibility constraints of small divisors a in each substitution. In this setting, smaller divisors of inner formulas lead to fewer number of case splits for the next quantifier alternation. 4.2 Contextual simplification Our projection procedure πx.(C|M ) admits using a context M when processing C. The simplification depends on the strength of M and it helps to trim down unnecessary cases in a virtual substitution method later. This process is called contextual simplification which is easy to implement in an SMT solver. Algorithm 4 contains a procedure for contextual simplification of formula ϕ. It works with a logical context, asserts that ϕ is unequal to p and recurses over sub-formulas of ϕ to replace them by true or false. The approach also applies to non-Boolean domains (although this generalization is not required for QT ): the auxiliary algorithm then takes terms of arbitrary types and checks if 123 Anatomy of Alternating Quantifier Satisfiability Algorithm 4: CS(ϕ) if ϕ is unsat then return false end let M be a model for ϕ; let p be a fresh propositional variable; assert p 6= ϕ; return CS(ϕ, M, p) A.-D. Phan, N. Bjørner, D. Monniaux Algorithm 5: Auxiliary algorithm CS(ϕ, M, p) if (p = M(ϕ)) is unsat in current context then return M(ϕ) end foreach immediate subformula ψi in ϕ[ψ1 , . . . , ψk ] do push; let pi be a fresh propositional variable; assert ϕ[ψ1 , . . . , ψi−1 , pi , ψi+1 , . . . , ψk ] = p; ψi ← CS(ψi , M, pi ); pop; end return ϕ[ψ1 , . . . , ψk ] the terms are forced equal to the value provided in the model M. Instead of recursing on sub-formulas it can recurse on sub-terms of arbitrary types. When ϕ is represented as a DAG and has exponentially many sub-formulas, the result can in fact get much larger than the input. A practical implementation of CS should therefore impose limits on how many times a sub-formula is traversed. Contextual simplification is used in STeP [3] for simplifying formulas produced from verification condition generators and [5] develops a routine that works on formula trees in NNF, where it is used to speed up abstract interpreters that propagate formulas. Algorithm 4 is used in Z3 with the observation that a model M for ϕ can be used to prune checks for value forcing and it applies to subterms of arbitrary type. Z3 also contains cheaper contextual simplification routines that rely on accumulating equalities during a depth-first traversal. While this cheaper algorithm can replace sub-terms by constants, it is not necessarily an advantage to use in context of SMT solving: a non-constant sub-term can be much more useful for learning general purpose lemmas during search. 5 Evaluation We implemented different combinations for the instantiated algorithm in the preview version of Z3 4.0. Projection procedures have been used including (A) - full quantifier elimination and (B) - partial quantifier elimination. There are three variants of extrapolation: (0) - trivial extrapolation, (1) - NNF strengthening and (2) SMT-TEST. Furthermore, we also implemented (X) - contextual simplification and (Y) - no contextual simplification. These components in order constitute 12 different combinations which are named in short as aix where a ∈ {A, B}, i ∈ {0, 1, 2} and x ∈ {X, Y }. For example, A0Y denotes a combination of trivial extrapolation, full quantifier elimination and no contextual simplification. We attempt to compare our algorithm (from now on called AQS algorithm) with Z3’s quantifier elimination algorithm. Non-random benchmarks are collected from DCMC. Not only is the huge size (exponential to the chop-depth of DC formulas) of LIA formulas problematic, the nested nature between universal and existential quantifiers makes the problems even harder [8]. We divided benchmarks into two sets. Set 1 consists of 32 easy formulas having from 56 to 94 quantifiers with file sizes ranging from 15KB to 33KB in SMT-LIB format. Z3’s quantifier elimination can process these formulas within a few seconds. They are chosen for the 124 Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux purpose of recognizing incompetent candidates in 12 combinations above. Set 2 have 64 hard instances with 69-768 quantifiers and take 50-500KB in SMT-LIB format. They are beyond the scope of Z3’s quantifier elimination algorithm. We use them to test scalability of different combinations. Benchmarks and experimental results are available on the Z3 website 1 . The benchmark sets have some specific characteristics: coefficients are quite small and constraints are sparse (consisting of a few variables). These features help limit the number of disjunctions in virtual substitutions. 180 A0X A0Y A1X A1Y A2X A2Y B0X B0Y B1X B1Y B2X B2Y Z3 160 140 CPU Time (seconds) 120 100 80 60 40 20 0 0 5 10 15 20 25 30 35 Number of problems solved Figure 1: Accumulated running time of AQS vs. Z3 on benchmark set 1 Figure 1 summarizes the running time of different configurations of AQS as well as Z3’s quantifier elimination algorithm. Each benchmark is given a 30-second timeout. The graph shows the accumulated running-time for solving all 32 problems. The winner is the configuration A0Y which means running AQS with projection implemented as full quantifier elimination and using trivial extrapolation. This configuration solves all benchmarks within 20 seconds. The configuration A2Y (using SMT-TEST instead of trivial extrapolation) is a close runner-up. It also solves all benchmarks, but requires 35 seconds. This benchmark set is simply too small to draw clear conclusions between these approaches. Partial quantifier elimination (configurations 1 http://research.microsoft.com/projects/z3/qt2012.zip 125 Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux with prefix B) is bad on all configurations. The experiments also suggest that strong context simplification is pure overhead in all configurations. In an earlier prototype outside of Z3, however, strong context simplification was an advantage. We attribute this to how constraints get simplified and subsumed when being passed between AQS and Z3’s quantifier elimination procedure. Z3’s built-in quantifier elimination procedure has a slower ramp up time and is able to solve all problems within 175 seconds. 4500 A0X 4000 A0Y A1X 3500 A1Y A2X CPU Time (seconds) 3000 A2Y 2500 2000 1500 1000 500 0 0 10 20 30 40 50 Number of problems solved 60 70 Figure 2: Accumulated running time of AQS on benchmark set 2 Experiment 2 was performed on Set 2 for all configurations of AQS with timeout of 300 seconds. Experimental results are shown in Figure 2. We omit running time for configurations with partial quantifier elimination, they solve almost no problems, and we also omit running time for the default quantifier elimination routine that also does not solve any problem. The experimental results indicate that AQS algorithm performs well on formulas with many blocks of nested quantifiers. We have gained an order of magnitude speedup for Duration Calculus application. The A2Y (using full projection and SMT-TEST ) configuration scales well on our benchmarks although A0Y (using full projection and trivial extrapolation) comes intriguingly close. 126 Anatomy of Alternating Quantifier Satisfiability 6 A.-D. Phan, N. Bjørner, D. Monniaux Conclusions We presented an anatomy of the algorithm proposed in [10] for checking satisfiability of formulas with alternating quantification. We proposed a set of generalizations, applied them to Presburger Arithmetic, and evaluated the generalizations to benchmarks from a model checker for Duration Calculus. So far the experience has been that the satisfiability algorithms, when instantiated with SMT-TEST (and to some extent trivial extrapolation) perform orders of magnitude better than general purpose quantifier elimination. We are currently investigating additional alternatives to the algorithms presented here. One alternative is to instantiate quantifiers incrementally using virtual substitutions. The idea is similar to how quantifiers are instantiated using E-matching in SMT solvers. SMT solvers create a propositional abstraction of formulas, including quantifiers. If there is a satisfying assignment to the abstracted formula that does not depend on the quantified sub-formulas, then the formula is satisfiable. Otherwise, quantified formulas are model-checked with respect to the current model and only instantiated (by axioms of the form “(∀xϕ[x]) ⇒ ϕ[t]”) when the interpretation for free variables cannot be extended to an interpretation that satisfies the quantified formulas. Acknowledgments This work grew out of a course on SMT solving organized by Flemming Nielson and Hanne R. Nielson. We are grateful for valuable comments and permission of using DCMC benchmarks from Michael R. Hansen. Anh-Dung Phan is supported by the IDEA4CPS project granted by the Danish Research Foundation for Basic Research. References [1] Armin Biere. Resolve and Expand. In Holger H. Hoos and David G. Mitchell, editors, SAT (Selected Papers, volume 3542 of Lecture Notes in Computer Science, pages 59–70. Springer, 2004. [2] Nikolaj Bjørner. Linear Quantifier Elimination as an Abstract Decision Procedure. In Jürgen Giesl and Reiner Hähnle, editors, IJCAR, volume 6173 of Lecture Notes in Computer Science, pages 316–330. Springer, 2010. [3] Nikolaj Bjørner, Anca Browne, Edward Y. Chang, Michael Colón, Arjun Kapur, Zohar Manna, Henny Sipma, and Tomás E. Uribe. STeP: Deductive-Algorithmic Verification of Reactive and Real-Time Systems. In Rajeev Alur and Thomas A. Henzinger, editors, CAV, volume 1102 of Lecture Notes in Computer Science, pages 415–418. Springer, 1996. [4] D. Cooper. Theorem proving in arithmetic without multiplication. In Machine Intelligence, 1972. [5] Isil Dillig, Thomas Dillig, and Alex Aiken. Small formulas for large programs: On-line constraint simplification in scalable static analysis. In Radhia Cousot and Matthieu Martel, editors, SAS, volume 6337 of Lecture Notes in Computer Science, pages 236–252. Springer, 2010. [6] Michael J. Fischer and Michael O. Rabin. Super-Exponential Complexity of Presburger Arithmetic. In Proceedings of the SIAM-AMS Symposium in Applied Mathematics, 1974. [7] Martin Fränzle and Michael R. Hansen. Efficient Model Checking for Duration Calculus? Int. J. Software and Informatics, 3(2-3):171–196, 2009. [8] Michael R. Hansen and Aske Wiid Brekling. On Tool Support for Duration Calculus on the basis of Presburger Arithmetic. In Carlo Combi, Martin Leucker, and Frank Wolter, editors, TIME, pages 115–122. IEEE, 2011. [9] David Monniaux. A Quantifier Elimination Algorithm for Linear Real Arithmetic. In Iliano Cervesato, Helmut Veith, and Andrei Voronkov, editors, LPAR, volume 5330 of Lecture Notes in Computer Science, pages 243–257. Springer, 2008. 127 Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux [10] David Monniaux. Quantifier Elimination by Lazy Model Enumeration. In Tayssir Touili, Byron Cook, and Paul Jackson, editors, CAV, volume 6174 of Lecture Notes in Computer Science, pages 585–599. Springer, 2010. 2pn [11] Derek C. Oppen. A 22 Upper Bound on the Complexity of Presburger Arithmetic. J. Comput. Syst. Sci., 16(3):323–332, 1978. [12] David A. Plaisted, Armin Biere, and Yunshan Zhu. A satisfiability procedure for quantified Boolean formulae. Discrete Applied Mathematics, 130(2):291–328, 2003. [13] William Pugh. The Omega test: a fast and practical integer programming algorithm for dependence analysis. In Proceedings of the 1991 ACM/IEEE conference on Supercomputing, Supercomputing ’91, pages 4–13, New York, NY, USA, 1991. ACM. [14] Ryan Stansifer. Presburgerś Article on Integer Airthmetic: Remarks and Translation. Technical report, Cornell University, Computer Science Department, September 1984. 128

here the full SMT 2012 pre-proceedings

Related documents

Products

Support

here the full SMT 2012 pre-proceedings

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib