Satisfiability Modulo Theories

advertisement
Satisfiability Modulo Theories
(An introduction)
Magnus Madsen
Todays Talk
What are SMT solvers?
How are they used in practice?
Motivation
Find 𝒙 and 𝒚 s.t.:
𝑥 ≥3∧ 𝑥 ≤0∨𝑦 ≥0
Knowledge of
prop. logic
𝑥 ≥3∧𝑥 ≤0 ∨ 𝑥 ≥3∧𝑦 ≥0
Knowledge of
integers
𝑥 =3∧𝑦 =0
Solution
Knowledge of
integers
What is SMT?
Satisfiability
Modulo
+
Theories
What is a SMT instance?
A logical formula built using
– negation, conjunction and disjuction
k-SAT
• e.g. 𝑎 ∧ 𝑏 ∨ 𝑐
• e.g. 𝑎 ∨ ¬𝑏 ∨ 𝑐 ∧ ¬𝑏 ∨ ¬𝑥 ∨ 𝑦 ∧ 𝑏 ∨ 𝑏 ∨ 𝑥
theory of
theory of
– theory
bitwise specific operators
integers
operators
• e.g. 𝑥 ≤ 5, 𝑦 ≠ 𝑧
• e.g. 𝑚 ⊕ 𝑛 ⊕ 𝑛 = 𝑚
• e.g. 𝑓 𝑥 = 𝑓(𝑦) ∧ 𝑓(𝑓 𝑥 ) ≠ 𝑓(𝑓 𝑦 )
theory of
uninterpreted
functions
Recall k-SAT
The Boolean SATisfiability Problem:
𝑎 ∨ ¬𝑏 ∨ 𝑐 ∧ ¬𝑏 ∨ ¬𝑥 ∨ 𝑦 ∧ 𝑏 ∨ 𝑏 ∨ 𝑥 ∧ ⋯
clause
literal or
negated literal
• 2SAT is solveable in polynomial time
• 3SAT is NP-complete (solveable in exponential
time)
Q: Why not
encode every
formula in SAT?
Graph Problems:
• Shortest-Path
• Minimum Spanning Tree
Optimization:
• Max-Flow
• Linear Programming
(just to name a few)
A: Theory
solvers have
very efficient
algorithms
Q: But then,
Why not get rid
of the SAT
solver?
A: SAT solvers
are very good at
case analysis
Formula
𝑥 ≥3∧ 𝑥 ≤0∨𝑦 ≥0
SMT Solver
𝑥 ≥3∧𝑥 ≤0
𝑎∧ 𝑏∨𝑐
𝑥 ≥3∧𝑦 ≥0
SAT
NO
YES
𝑎∧𝑏
𝑎∧𝑐
Theory
NO
add clause: ¬ 𝑎 ∧ 𝑏
YES
𝑥=3
𝑦=0
Important Properties
• Efficiency of both SAT and Theory solver!
• SAT Solver
– Incremental (supports adding new clauses)
• Theory Solver
– Ability to construct blocking clauses
– Ability to create so-called "theory lemmas"
Theories
Theory of:
– Difference Arithemetic
– Linear Arithmetic
– Arrays
– Bit Vectors
– Algebraic Datatypes
– Uninterpreted Functions
SMT-LIB
• A modeling language for SMT instances
– A declarative language with Lisp-like syntax
– Defines common/shared terminology
• e.g. LRA = Closed linear formulas in linear real
arithmetic
• e.g. QF_BC = Closed quantifier-free formulas over the
theory of fixed-size bitvectors.
– http://www.smtlib.org/
Example 1
𝒙=𝟑∧𝒚=𝟎
Solution
Example 2
Applications
•
•
•
•
•
Dynamic Symbolic Execution
Program Verification
Extended Static Checking
Model Checking
Termination Analysis
See Also: Tapas: Theory Combinations and Practical Applications
Dynamic Symbolic Execution
• combines dynamic and symbolic execution
– step 1: execute the program recording the
branches taken and their symbolic constraints
– step 2: negate one constraint
– step 3: solve the constraints to generate new
input to the program (e.g. by using a SMT solver)
– step 4: if a solution exists then execute the
program on the new input
Program Path
Negate ¬𝑐3
¬𝑐1
𝑐2
¬𝑐3
𝑐4
Run SMT
Solver
New Program Path
¬𝑐1
𝑐2
𝑐3
𝑐5
Example: Greatest Common Divisor
Original program
SSA unfolding
int gcd(int x, int y) {
while (true) {
int m = x % y;
if (m == 0) return y;
x = y;
y = m;
}
}
int gcd(int x0, int y0) {
while (true) {
int m0 = x0 % y0;
assert(m0 != 0)
if (m0 == 0) return y0;
x1 = y0;
y1 = m0;
int m1 = x1 % y1;
assert(m1 == 0)
if (m1 == 0) return y1;
}
}
int result = gcd(2, 4)
Collecting Constraints
Collected constraints
SSA unfolding
int result = gcd(2, 4)
int gcd(int x0, int y0) {
while (true) {
int m0 = x0 % y0;
assert(m0 != 0)
if (m0 == 0) return y0;
x1 = y0;
y1 = m0;
int m1 = x1 % y1;
assert(m1 == 1)
if (m1 == 0) return y1;
}
}
(assert (= m0 (mod x0 y0)))
(assert (not (= m0 0)))
(assert
(assert
(assert
(assert
(=
(=
(=
(=
x1
y1
m1
m1
y0))
m0))
(mod x1 y1)))
0))
(assert (not (= m1 0)))
Computing a new path
int gcd(int x, int y) {
while (true) {
int m = x % y;
if (m == 0) return y;
x = y;
y = m;
}
Iteration 1: x =
}
Iteration 2: x =
2&y=3
3&y=2
Iteration 3: x = 2 & y = 1
Solution:
x = 2 and y = 3
Program Verification
int binary_search(int[] arr, int low, int height, int key) {
assert(low > high || 0 <= < high);
while (low <= high) {
// Find middle value
int mid = (low + high) / 2;
assert(0 <= mid < high);
Assertion Violation:
int val = arr[mid];
low = 230, high = 230+1
// Refine range
if (key == val) return mid;
if (val > key)
low = mid + 1;
else
high = mid – 1;
}
return -1;
}
SMT Solvers
• Z3
– Microsoft Research
• MathSAT5
– University of Trento
• CVC4
– New York University
• Many more
SMT-COMP
• A yearly competition between SMT solvers
Z3
Research Directions in SMT
• Improving the efficiency of SAT/Theory solvers
• Improving the interplay between the SAT
solver and the theory solver
– e.g. "online" solvers (partial truth assignment)
• Developing solvers for new theories
• Combining different theories
With Thanks to Evan Driscoll
References
• Satisfiability Modulo Theories: Introduction
and Applications
– Leonardo De Moura & Nikolaj Bjørner
• Tapas: Theory Combinations and Practical
Applications
– Leonardo De Moura & Nikolaj Bjørner
• Z3 Tutorial Guide
– http://rise4fun.com/z3/tutorial/guide
Summary
Satisfiability Modulo Theory (SMT):
– constraint systems involving SAT + Theory
SMT solvers combine the best of:
– SAT solvers and theory solvers
SMTs have applications in program analysis
More Work To Be Done?
Download