1. Satisfiability Modulo Theories (An introduction)
Magnus Madsen

2. What are SMT solvers? How are they used in practice?
Todays Talk
What are SMT solvers? How are they used in practice?

3. Knowledge of prop. logic
Motivation
Find 𝒙 and 𝒚 s.t.:
𝑥≥3∧ 𝑥≤0∨𝑦≥0
𝑥≥3∧𝑥≤0 ∨ 𝑥≥3∧𝑦≥0
𝑥=3∧𝑦=0
Knowledge of prop. logic
Knowledge of integers
Knowledge of integers
Solution

4. What is SMT?
Satisfiability
Modulo
Theories +

5. What is a SMT instance? A logical formula built using
negation, conjunction and disjuction
e.g. 𝑎∧ 𝑏∨𝑐
e.g. 𝑎∨¬𝑏∨𝑐 ∧ ¬𝑏∨¬𝑥∨𝑦 ∧ 𝑏∨𝑏∨𝑥
theory specific operators
e.g. 𝑥≤5, 𝑦≠𝑧
e.g. 𝑚⊕𝑛 ⊕𝑛=𝑚
e.g. 𝑓 𝑥 =𝑓(𝑦)∧𝑓(𝑓 𝑥 )≠𝑓(𝑓 𝑦 )
k-SAT
theory of bitwise operators
theory of integers
theory of uninterpreted functions

6. Recall k-SAT The Boolean SATisfiability Problem:
𝑎∨¬𝑏∨𝑐 ∧ ¬𝑏∨¬𝑥∨𝑦 ∧ 𝑏∨𝑏∨𝑥 ∧…
2SAT is solveable in polynomial time
3SAT is NP-complete (solveable in exponential time)
clause
literal or
negated literal

7. Q: Why not encode every formula in SAT?
A: Theory solvers have very efficient algorithms
Graph Problems:
Shortest-Path
Minimum Spanning Tree
Optimization:
Max-Flow
Linear Programming
(just to name a few)

8. Q: But then, Why not get rid of the SAT solver?
A: SAT solvers are very good at case analysis

9. SAT Theory Formula 𝑥≥3∧ 𝑥≤0∨𝑦≥0 SMT Solver 𝑥≥3∧𝑥≤0 𝑎∧ 𝑏∨𝑐 𝑥≥3∧𝑦≥0 𝑎∧𝑏
YES
𝑎∧𝑐 NO NO
YES
𝑥=3
𝑦=0
add clause: ¬ 𝑎∧𝑏

10. Important Properties Efficiency of both SAT and Theory solver!
SAT Solver
Incremental (supports adding new clauses)
Theory Solver
Ability to construct blocking clauses
Ability to create so-called "theory lemmas"

11. Theories Theory of: Difference Arithemetic Linear Arithmetic Arrays
Bit Vectors
Algebraic Datatypes
Uninterpreted Functions

12. SMT-LIB A modeling language for SMT instances
A declarative language with Lisp-like syntax
Defines common/shared terminology
e.g. LRA = Closed linear formulas in linear real arithmetic
e.g. QF_BC = Closed quantifier-free formulas over the theory of fixed-size bitvectors.

13. Example 1
𝒙=𝟑∧𝒚=𝟎
Solution

14. Example 2

15. Applications Dynamic Symbolic Execution Program Verification
Extended Static Checking
Model Checking
Termination Analysis
See Also: Tapas: Theory Combinations and Practical Applications

16. Dynamic Symbolic Execution
combines dynamic and symbolic execution
step 1: execute the program recording the branches taken and their symbolic constraints
step 2: negate one constraint
step 3: solve the constraints to generate new input to the program (e.g. by using a SMT solver)
step 4: if a solution exists then execute the program on the new input

17. Program Path
¬𝑐 1
Negate ¬𝑐 3
𝑐 2
¬𝑐 3
Run SMT Solver
𝑐 4

18. New Program Path
¬𝑐 1
𝑐 2
𝑐 3
𝑐 5

19. Example: Greatest Common Divisor
Original program
SSA unfolding
int gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; } int result = gcd(2, 4)
int gcd(int x0, int y0) { while (true) { int m0 = x0 % y0; assert(m0 != 0) if (m0 == 0) return y0; x1 = y0; y1 = m0; int m1 = x1 % y1; assert(m1 == 0) if (m1 == 0) return y1; }

20. Collecting Constraints
Collected constraints
SSA unfolding
int result = gcd(2, 4) (assert (= m0 (mod x0 y0))) (assert (not (= m0 0))) (assert (= x1 y0)) (assert (= y1 m0)) (assert (= m1 (mod x1 y1))) (assert (= m1 0))
int gcd(int x0, int y0) { while (true) { int m0 = x0 % y0; assert(m0 != 0) if (m0 == 0) return y0; x1 = y0; y1 = m0; int m1 = x1 % y1; assert(m1 == 1) if (m1 == 0) return y1; }
(assert (not (= m1 0)))

21. Computing a new path Solution: x = 2 and y = 3
int gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; }
Solution:
x = 2 and y = 3
Iteration 1: x = 2 & y = 3
Iteration 2: x = 3 & y = 2
Iteration 3: x = 2 & y = 1

22. Program Verification Assertion Violation: low = 230, high = 230+1
int binary_search(int[] arr, int low, int height, int key) { assert(low > high || 0 <= < high); while (low <= high) { // Find middle value int mid = (low + high) / 2; assert(0 <= mid < high); int val = arr[mid]; // Refine range if (key == val) return mid; if (val > key) low = mid + 1; else high = mid – 1; } return -1;
Assertion Violation:
low = 230, high = 230+1

23. SMT Solvers Z3 MathSAT5 CVC4 Many more Microsoft Research
University of Trento
CVC4
New York University
Many more

24. SMT-COMP
A yearly competition between SMT solvers Z3

25. Research Directions in SMT
Improving the efficiency of SAT/Theory solvers
Improving the interplay between the SAT solver and the theory solver
e.g. "online" solvers (partial truth assignment)
Developing solvers for new theories
Combining different theories

26. With Thanks to Evan Driscoll

27. References
Satisfiability Modulo Theories: Introduction and Applications
Leonardo De Moura & Nikolaj Bjørner
Tapas: Theory Combinations and Practical Applications
Z3 Tutorial Guide

28. Summary Satisfiability Modulo Theory (SMT):
constraint systems involving SAT + Theory
SMT solvers combine the best of:
SAT solvers and theory solvers
SMTs have applications in program analysis

29. More Work To Be Done?