Upload
jamel-clayson
View
225
Download
0
Embed Size (px)
Citation preview
Satisfiability Modulo Theories(An introduction)
Magnus Madsen
Todays Talk
What are SMT solvers?
How are they used in practice?
Motivation
Find and s.t.:
Solution
Knowledge of prop. logic
Knowledge of integers Knowledge of
integers
What is SMT?
Satisfiability Modulo Theories
+
What is a SMT instance?
A logical formula built using– negation, conjunction and disjuction• e.g. • e.g.
– theory specific operators• e.g. , • e.g. • e.g.
k-SAT
theory of integers
theory of bitwise
operators
theory of uninterpreted
functions
Recall k-SAT
The Boolean SATisfiability Problem:
• 2SAT is solveable in polynomial time• 3SAT is NP-complete (solveable in exponential
time)
clause literal or negated literal
Q: Why not encode every
formula in SAT?A: Theory
solvers have very efficient
algorithmsGraph Problems:• Shortest-Path• Minimum Spanning Tree
Optimization:• Max-Flow• Linear Programming
(just to name a few)
Q: But then, Why not get rid
of the SAT solver?
A: SAT solvers are very good at
case analysis
SAT Theory
Formula
NO
YES
𝑥≥3∧ (𝑥≤0∨ 𝑦 ≥0 )
𝑎∧ (𝑏∨𝑐 )
𝑎∧𝑏
NO
add clause:
𝑎∧𝑐
𝑥≥3∧𝑥≤0𝑥≥3∧ 𝑦 ≥0
YES
SMT Solver
Important Properties
• Efficiency of both SAT and Theory solver!• SAT Solver– Incremental (supports adding new clauses)
• Theory Solver– Ability to construct blocking clauses– Ability to create so-called "theory lemmas"
Theories
Theory of:– Difference Arithemetic– Linear Arithmetic– Arrays– Bit Vectors– Algebraic Datatypes– Uninterpreted Functions
SMT-LIB
• A modeling language for SMT instances– A declarative language with Lisp-like syntax– Defines common/shared terminology• e.g. LRA = Closed linear formulas in linear real
arithmetic• e.g. QF_BC = Closed quantifier-free formulas over the
theory of fixed-size bitvectors.
– http://www.smtlib.org/
Example 1
Solution
𝒙=𝟑∧𝒚=𝟎
Example 2
Applications
• Dynamic Symbolic Execution• Program Verification• Extended Static Checking• Model Checking• Termination Analysis
See Also: Tapas: Theory Combinations and Practical Applications
Dynamic Symbolic Execution
• combines dynamic and symbolic execution– step 1: execute the program recording the
branches taken and their symbolic constraints– step 2: negate one constraint– step 3: solve the constraints to generate new input
to the program (e.g. by using a SMT solver)– step 4: if a solution exists then execute the
program on the new input
Program Path¬𝑐1
𝑐2
¬𝑐3
𝑐4
Negate
Run SMT Solver
New Program Path¬𝑐1
𝑐2
𝑐3
𝑐5
Example: Greatest Common Divisor
Original programint gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; }}
int result = gcd(2, 4)
SSA unfoldingint gcd(int x0, int y0) {
while (true) { int m0 = x0 % y0;
assert(m0 != 0)
if (m0 == 0) return y0;
x1 = y0;
y1 = m0;
int m1 = x1 % y1;
assert(m1 == 0)
if (m1 == 0) return y1;
}}
Collecting Constraints
Collected constraintsint result = gcd(2, 4)
(assert (= m0 (mod x0 y0)))(assert (not (= m0 0)))
(assert (= x1 y0))(assert (= y1 m0))(assert (= m1 (mod x1 y1)))(assert (= m1 0))
SSA unfoldingint gcd(int x0, int y0) {
while (true) { int m0 = x0 % y0;
assert(m0 != 0)
if (m0 == 0) return y0;
x1 = y0;
y1 = m0;
int m1 = x1 % y1;
assert(m1 == 1)
if (m1 == 0) return y1;
}}
(assert (not (= m1 0)))
Computing a new pathint gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; }}
Solution:x = 2 and y = 3
Iteration 1: x = 2 & y = 3Iteration 2: x = 3 & y = 2Iteration 3: x = 2 & y = 1
Program Verificationint binary_search(int[] arr, int low, int height, int key) { assert(low > high || 0 <= < high); while (low <= high) { // Find middle value int mid = (low + high) / 2; assert(0 <= mid < high); int val = arr[mid]; // Refine range if (key == val) return mid; if (val > key) low = mid + 1; else high = mid – 1; } return -1;}
Assertion Violation:
low = 230, high = 230+1
SMT Solvers
• Z3– Microsoft Research
• MathSAT5– University of Trento
• CVC4 – New York University
• Many more
SMT-COMP
• A yearly competition between SMT solvers
Z3
Research Directions in SMT
• Improving the efficiency of SAT/Theory solvers• Improving the interplay between the SAT
solver and the theory solver– e.g. "online" solvers (partial truth assignment)
• Developing solvers for new theories• Combining different theories
With Thanks to Evan Driscoll
References
• Satisfiability Modulo Theories: Introduction and Applications– Leonardo De Moura & Nikolaj Bjørner
• Tapas: Theory Combinations and Practical Applications– Leonardo De Moura & Nikolaj Bjørner
• Z3 Tutorial Guide– http://rise4fun.com/z3/tutorial/guide
Summary
Satisfiability Modulo Theory (SMT):– constraint systems involving SAT + Theory
SMT solvers combine the best of:– SAT solvers and theory solvers
SMTs have applications in program analysis
More Work To Be Done?