Decision Procedures Christoph M. Wintersteiger 9/11/2017 3:14 PM

Presentation transcript:

Decision Procedures Christoph M. Wintersteiger 9/11/2017 3:14 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Definition. Problem → Decision Procedure → Yes | No | Unknown

The plan SMT (and Z3) Floating-point approximation Bit-vectors in mcSAT Open problems/future work

Formal verification: Program + Properties (Specification) → Verifier, backed by a formal reasoning engine → Bug (+ description) or OK (+ proof).

Formal verification, a very coarse overview. Difficult problems: loops, non-determinism, undecidability, complexity of loop-free segments. The verifier creates sub-problems (e.g., gets rid of loops); the formal reasoning engine formally decides each sub-problem; bug descriptions are returned (sometimes also proofs of bug-freeness). Today: quantifiers and/or recursive clauses inside some reasoning engines.

Verification applications: software, hardware, drivers. Does program P have property Q? Often only reachability; sometimes also liveness (and termination). General formal reasoning: system exploration, program synthesis, optimization. Example (each iteration clears the lowest set bit of x):
unsigned int x;
while (x != 0) x = x & (x-1);
assert(x == 0);

Programs are everywhere: synthesized, man-made; abstractions of naturally occurring behavior in physics, chemistry, biology (and CS). Automated reasoning is becoming indispensable, and not only for verification: system exploration, optimization.

Satisfiability (Microsoft Research, 2013). The satisfiability problem: determine whether a formula 𝜙 has a model. If 𝜙 is propositional, a model is a truth assignment to Boolean variables, e.g. 𝑎∨𝑏 with model 1∨0. If 𝜙 is a first-order formula, a model assigns values to variables (+ interpretations to function and predicate symbols), e.g. 𝑥+𝑦=3 with model 1+2=3.

Satisfiability tools. SAT solvers check satisfiability of propositional formulas (the prototypical NP-complete problem), e.g. 𝑎∨𝑏 with model 1∨0. SMT solvers check satisfiability of first-order formulas (where decidable), including propositional formulas, e.g. 𝑥+𝑦=3 with model 1+2=3. Both aim for full automation (vs. interactive theorem provers).

What is SMT? Satisfiability Modulo Theories: decision procedures for pre-defined theories/logics, a theory combination strategy, a language standard and a benchmark library (http://www.smtlib.org/). SMT theories: Booleans, uninterpreted functions, integers (linear & non-linear), reals (linear & non-linear), bit-vectors, arrays, floating-point numbers (datatypes, strings, probabilities, …).

SMT solving, e.g. for 𝑥, 𝑦∈𝔹^32, 𝑧∈ℤ and the formula (𝑥=𝑦)∧(𝑧≠1):
Lift assertions to Boolean proxies: 𝑞∧𝑟 with 𝑞=(𝑥=𝑦) and 𝑟=(𝑧≠1).
Run a SAT solver and obtain a (possibly partial) model, here 𝑞=True, 𝑟=True.
Theory solvers solve the resulting conjunctions of atoms: 𝔹: 𝑥=𝑦, ℤ: 𝑧≠1, giving 𝑥=𝑦=0^32, 𝑧=2.
If a theory solver is not satisfied, it constructs a lemma: implications, learned clauses, or theory lemmas.
Note: cross-theory terms, e.g., 𝑥=𝑦∧𝑦=𝑓(𝑧).
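The lift / SAT / theory-check / learn-lemma loop sketched above, as an added worked example (it is not part of the slides and not Z3's code): a minimal DPLL SAT solver over Boolean proxies, a union-find theory solver for conjunctions of (dis)equalities between variables and integer constants, and the lazy SMT loop that turns each theory conflict into a lemma. The theory, the conflict explanation (the disequality plus the equalities that built its class) and the example formula are constructed for this demo; a real solver does the same steps with far more machinery.

```python
from typing import Dict, List, Optional, Tuple

Atom = Tuple[str, object, object]   # ('=', lhs, rhs); sides are variable names (str) or int constants
Lit = Tuple[bool, Atom]             # (polarity, atom); (False, ('=', 'x', 'z')) reads x != z
Clause = List[Lit]


def eq(a, b) -> Lit:
    return (True, ("=", a, b))


def ne(a, b) -> Lit:
    return (False, ("=", a, b))


class EqualityTheory:
    """Theory solver for conjunctions of (dis)equalities between variables and integer constants.
    check() returns None when the conjunction is T-satisfiable, otherwise a conflicting subset
    of the input literals (the explanation that becomes a theory lemma)."""

    def check(self, literals: List[Lit]) -> Optional[List[Lit]]:
        parent: Dict[object, object] = {}

        def find(u):
            parent.setdefault(u, u)
            while parent[u] != u:
                parent[u] = parent[parent[u]]       # path halving
                u = parent[u]
            return u

        eqs = [lit for lit in literals if lit[0]]
        for _, (_, a, b) in eqs:
            parent[find(a)] = find(b)               # merge the two classes

        def class_eqs(root):                        # equalities that built this class
            return [e for e in eqs if find(e[1][1]) == root]

        for lit in literals:                        # a disequality whose sides were merged?
            pol, (_, a, b) = lit
            if not pol and find(a) == find(b):
                return [lit] + class_eqs(find(a))
        seen: Dict[object, int] = {}                # two different constants merged?
        for node in list(parent):
            if isinstance(node, int):
                root = find(node)
                if root in seen and seen[root] != node:
                    return class_eqs(root)
                seen[root] = node
        return None


def dpll(clauses: List[List[Tuple[bool, int]]], assignment: Dict[int, bool]) -> Optional[Dict[int, bool]]:
    """Plain DPLL (unit propagation + chronological backtracking) over Boolean proxy variables.
    Returns a possibly partial model, or None if the clause set is unsatisfiable."""
    assignment = dict(assignment)
    while True:                                     # unit propagation to a fixpoint
        unit = None
        for clause in clauses:
            if any(assignment.get(v) == pol for pol, v in clause):
                continue                            # clause already satisfied
            free = [(pol, v) for pol, v in clause if v not in assignment]
            if not free:
                return None                         # clause falsified
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assignment[unit[1]] = unit[0]
    for clause in clauses:                          # decide on the first unsatisfied clause
        if not any(assignment.get(v) == pol for pol, v in clause):
            pol, v = next((pol, v) for pol, v in clause if v not in assignment)
            for value in (pol, not pol):
                model = dpll(clauses, {**assignment, v: value})
                if model is not None:
                    return model
            return None
    return assignment


def smt_solve(formula: List[Clause], theory: Optional[EqualityTheory] = None):
    """Lazy SMT: lift atoms to proxies, run SAT, check the theory, learn a lemma, repeat.
    Returns (status, model or None, learned theory lemmas)."""
    theory = theory or EqualityTheory()
    atoms = sorted({atom for clause in formula for _, atom in clause}, key=repr)
    index = {atom: i for i, atom in enumerate(atoms)}

    def lift(clause: Clause):
        return [(pol, index[atom]) for pol, atom in clause]

    lemmas: List[Clause] = []
    while True:
        model = dpll([lift(c) for c in formula + lemmas], {})
        if model is None:
            return "unsat", None, lemmas
        conflict = theory.check([(model[i], atoms[i]) for i in sorted(model)])
        if conflict is None:
            return "sat", {atoms[i]: model[i] for i in model}, lemmas
        lemmas.append([(not pol, atom) for pol, atom in conflict])   # lemma blocks this assignment


# Constructed example: x = y, (y = z or z = 1), x != z, x = 1.  Every Boolean model of the
# lifted formula is refuted by the theory, so the loop ends with "unsat" after two lemmas.
EXAMPLE_UNSAT: List[Clause] = [[eq("x", "y")], [eq("y", "z"), eq("z", 1)], [ne("x", "z")], [eq("x", 1)]]
EXAMPLE_SAT: List[Clause] = EXAMPLE_UNSAT[:3]      # without x = 1 the branch z = 1 is consistent

if __name__ == "__main__":
    for f in (EXAMPLE_SAT, EXAMPLE_UNSAT):
        status, model, lemmas = smt_solve(f)
        print(status, model, f"{len(lemmas)} lemma(s)")
```

The first SAT model for both formulas picks y = z, which the theory refutes (x = y, y = z, x ≠ z); the lemma forces z = 1 on the next round, which is fine without x = 1 and a second conflict with it.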

Theory combination. Nelson-Oppen theory combination (“pessimistic”): find all implied equalities in each theory and propagate them to the other theories. Model-based theory combination (“optimistic”): find the equalities implied by the current (partial) model and propagate only those. Example: 𝑥=5∧𝑦=∗∧𝑓(𝑥)≠𝑓(𝑦); suppose the model picks 𝑦=5, then 𝑥=𝑦 is propagated and 𝑥=𝑦∧𝑓(𝑥)≠𝑓(𝑦) is unsat. Nelson, Oppen: Simplification by cooperating decision procedures. ACM Trans. on Prog. Lang. and Systems 1(2), 1979. De Moura, Bjørner: Model-based theory combination. SMT 2007, ENTCS 198(2).

What is Z3? An SMT solver: supports all SMT theories and combinations thereof. A theorem prover: supports (sub)goals, tactics, probes. A verifier with a large collection of decision procedures.

(Some) applications at Microsoft Terminator T2 HAVOC Comp. Bio. Z34Bio Hyper-V RE:IN BMA VCC SLAyer NModel Vigilante SpecExplorer F7 F* SAGE Q/Corral SymDiff

Contributing to Z3 License: MIT Accepts external contributions Various contribution flavors Bugs & fixes Theories, tactics, features Examples, tutorials, documentation https://github.com/Z3Prover/z3 https://github.com/Z3Prover/z3/wiki/Contribution-Guidelines

Floating-point arithmetic. Types: Half (16), Float (32), Double (64), … Operations: +, −, ∗, /, % (remainder), abs, sqrt, fma, min, max; predicates ≤, <, =, >, ≥. Special values: ±0, ±∞, NaN (constraints such as 𝑥≠−∞ must take them into account). 5 rounding modes: ties to even, ties to away, toward negative, toward positive, toward zero.

FPA semantics. Operations are based on operations over the reals, with rounding only when necessary (predefined rounding modes only), e.g. (fp.add rm a b) = round(rm, a+b). For verification: rounding introduces error; results are unintuitive and unexpected; the arithmetic lacks ‘nice’ mathematical properties (e.g. associativity); and there are many special cases, e.g. (fp.min … -zero … +zero …).

SMT floating-point arithmetic. Types: any combination of ebits/sbits: (_ FloatingPoint ebits sbits), e.g. (define-sort myFloat () (_ FloatingPoint 6 26)). Single: (_ FloatingPoint 8 24), also Float32. Double: (_ FloatingPoint 11 53), also Float64. Variables: (declare-fun x () (_ FloatingPoint 8 24)), (declare-fun y () Float32).

FPA representation. Standards: IEEE 754 vs SMT. Layout: sign | exponent | significand, value (−1)^sign · significand · 2^exponent. Special numbers (IEEE 754): exponent = 0…0 for ±zero and denormal/subnormal numbers; exponent = 1…1 for ±∞ and NaN (no sNaN/qNaN distinction in SMT).

SMT floating-point arithmetic, operations: (fp.add rm x y), (fp.sub rm x y), (fp.mul rm x y), (fp.div rm x y), (fp.sqrt rm x), (fp.rem x y), (fp.fma rm x y z), …; predicates: (fp.leq x y), (fp.lt x y), (fp.geq x y), (fp.gt x y), (fp.eq x y), (fp.isNormal x), (fp.isSubnormal x), (fp.isZero x), (fp.isInfinite x), (fp.isNegative x), … Fused multiply-add: round(rm, 𝑥∗𝑦+𝑧).

SMT floating-point arithmetic, special values: NaN: (_ NaN ebits sbits); ±0.0: (_ -zero ebits sbits), (_ +zero ebits sbits); ±∞: (_ -oo ebits sbits), (_ +oo ebits sbits). Rounding modes: RNE, roundNearestTiesToEven; RNA, roundNearestTiesToAway; RTP, roundTowardPositive; RTN, roundTowardNegative; RTZ, roundTowardZero.

An example (a PI controller):
double Kp=1.0, Ki=0.25;
double set_point=20.0, integral=0.0;
double error, in, out;
for (int i=0; i < N; i++) {
  in = read_input();
  error = set_point - in;
  integral = integral + error;
  out = Kp*error + Ki*integral;
  set_output(out);
}
Question: if in ∈ [18.0, 22.0], is out ∈ [−3.0, +3.0]?

Example strategy. Verification: unwind loops, no quantifiers. Convert QF_FP -> QF_BV, then QF_BV -> SAT. Precise techniques exist, e.g., bit-blasting, but can be expensive. Good approximations: real arithmetic, fixed-point arithmetic, reduced precision FPA, interval analysis.

An example in SMT2 (half precision, (_ FloatingPoint 5 11)):
(declare-fun Kp () (_ FloatingPoint 5 11))
(declare-fun Ki () (_ FloatingPoint 5 11))
(declare-fun …
(define-fun rm () RoundingMode RNE)
(assert (= c18 (fp #b0 #b10011 #b0010000000))) ;; = 18.0
(assert (= c22 (fp #b0 #b10011 #b0110000000))) ;; = 22.0
(assert (= cp3 (fp #b0 #b10000 #b1000000000))) ;; = +3.0
(assert (= cn3 (fp #b1 #b10000 #b1000000000))) ;; = -3.0
(assert (= Kp (fp #b0 #b01111 #b0000000000))) ;; = 1.0
(assert (= Ki (fp #b0 #b01101 #b0000000000))) ;; = 0.25
(assert (= set_point (fp #b0 #b10011 #b0100000000))) ;; = 20.0
(assert (= integral (_ +zero 5 11))) ;; = +0.0

An example in SMT2, precondition and property (the negated implication is unsat, so one loop iteration satisfies the property):
(assert (not (=> (and (fp.leq c18 in) (fp.leq in c22) ;; precondition
                      (fp.eq error_post (fp.sub rm set_point in))
                      (fp.eq integral_post (fp.add rm integral error_post))
                      (fp.eq out (fp.add rm (fp.mul rm Kp error_post) (fp.mul rm Ki integral_post))))
                 (and (fp.leq cn3 out) (fp.leq out cp3))))) ;; property
> z3 pi_controller_1.smt2
unsat

Checking properties. Is fp.add commutative?
(assert (not (fp.eq (fp.add RNE x y) (fp.add RNE y x))))
> z3 add_is_commutative.smt2
unsat
Is fp.add associative?
(assert (not (fp.eq (fp.add RNE (fp.add RNE x y) z) (fp.add RNE x (fp.add RNE y z)))))
> z3 add_is_associative.smt2
sat
model: (define-fun z () (_ FloatingPoint 5 11) (fp #b0 #b11010 #b1101111011)) ;; 1.8701171875 * 2^11
…

Related techniques.
Approximations (often unsound or incomplete): real arithmetic; fixed-point arithmetic; reduced precision FPA; abstract interpretation-based (Astrée).
Precise: translation to bit-vectors and/or SAT (MathSAT, Z3, Sonolar, CBMC); mixed abstractions (CBMC); abstract CDCL (MathSAT); translation to reals (Realizer); theorem prover-based (Gappa); proof assistants (Coq, HOL).

Solving QF_FP via SAT: translate to QF_BV (build circuits); translate to SAT (e.g., Tseitin translation, bit-blasting); run the SAT solver; convert models/proofs back (to QF_BV, then QF_FP). (Figure: a floating-point adder circuit from “Circuit for and method of providing a floating-point adder”, US 8463835 B1, Xilinx.)

Example performance: the plain conversion QF_FP -> QF_BV -> SAT performs badly (plot not reproduced).

Approximation framework: lift the problem Φ to an approximation Φ̂, find an approximate model M̂ ⊨_T̂ Φ̂, and reconstruct from it a precise model M ⊨_T Φ. There is no implication from the approximate to the precise problem, so reconstruction may fail. Zeljic, Wintersteiger, Rümmer: Approximations for Model Construction. IJCAR 2014

Small-float approximation: the same encoding (RM, sign, exponent, significand), but with narrower exponent and significand fields. Zeljic, Wintersteiger, Rümmer: Approximations for Model Construction. IJCAR 2014

Approximation theory. A theory 𝑇=(𝛴, 𝑀) with signature 𝛴=(𝑆, 𝐹, 𝑃, 𝛼) is extended to 𝑇̂=(𝛴̂, 𝑀̂) with 𝛴̂=(𝑆̂, 𝐹̂, 𝑃̂, 𝛼̂), where 𝑆̂=𝑆∪{𝑠_𝑝} (a precision sort), 𝑃̂=𝑃∪{≼} (a well-founded precision ordering), 𝐹̂=𝐹∪{𝜔} (the maximal precision) and 𝛼̂(𝑔)=(𝑠_𝑝, 𝛼(𝑔)), i.e. every term 𝑡(…) is now 𝑡(𝑠_𝑝, …).

Example precision terms: 𝑡=(fp.op a_1 … a_n) becomes 𝑡̂=(fp.op p a_1 … a_n), and 𝑝=𝜔 ⇒ 𝑡̂=𝑡.

Lifting 𝑦=𝑥+1.75∧𝑦>0∧(𝑥=2.0∨𝑥=−4.0): in the term tree (∧ over =, < and ∨; + over 𝑥 and 1.75; the constants 2.0 and −4.0) each floating-point term receives its own precision variable (𝑝_0, …, 𝑝_4 in the figure), and 𝑡̂=𝑡 follows wherever the precision is 𝜔.

Small-floats inclusion. For the theory of floating-point numbers we have 𝑠≤𝑠′∧𝑒≤𝑒′ ⇒ 𝐹𝑃_{𝑠,𝑒}⊆𝐹𝑃_{𝑠′,𝑒′}: a smaller bit-width yields a subset of the numbers.
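An added worked example (not from the slides and not Z3's code) that makes four of the points above concrete with exact rational arithmetic: the rounding semantics (fp.add rm a b) = round(rm, a+b), the (fp sign exponent significand) literal encoding used for the PI-controller constants and the associativity counterexample, the non-associativity of fp.add, and the small-float inclusion 𝐹𝑃_{3,3}⊆𝐹𝑃_{5,11}. FPFormat is a constructed model of a (_ FloatingPoint ebits sbits) sort restricted to RNE and finite values: overflow raises instead of producing ±oo, and ±0 collapse to 0, which is all the checks below need. The operands 2048 and 1 are constructed inputs.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterator, Optional, Tuple

Bits = Tuple[str, str, str]   # (sign, exponent, significand) fields in SMT-LIB #b notation


@dataclass(frozen=True)
class FPFormat:
    """A (_ FloatingPoint ebits sbits) sort; sbits counts the hidden bit, as in SMT-LIB."""
    ebits: int
    sbits: int

    @property
    def bias(self) -> int:
        return (1 << (self.ebits - 1)) - 1

    @property
    def emin(self) -> int:            # exponent of the smallest normal number
        return 1 - self.bias

    @property
    def max_value(self) -> Fraction:  # largest finite value
        return (2 - Fraction(1, 1 << (self.sbits - 1))) * Fraction(2) ** self.bias

    @staticmethod
    def _exponent_of(a: Fraction) -> int:
        """Largest e with 2**e <= a, for a > 0 (exact, no binary float involved)."""
        e = a.numerator.bit_length() - a.denominator.bit_length()
        while Fraction(2) ** e > a:
            e -= 1
        while Fraction(2) ** (e + 1) <= a:
            e += 1
        return e

    def round_rne(self, v) -> Fraction:
        """round(RNE, v): nearest representable value, ties to even.
        Raises OverflowError where IEEE 754 would return +-oo."""
        v = Fraction(v)
        if v == 0:
            return v
        a = abs(v)
        e = max(self._exponent_of(a), self.emin)       # clamp into the subnormal range
        ulp = Fraction(2) ** (e - (self.sbits - 1))     # spacing of representable values at e
        m = a // ulp                                    # integer multiple below a
        rem = a - m * ulp
        if rem > ulp / 2 or (rem == ulp / 2 and m % 2 == 1):
            m += 1                                      # round up, or break the tie to even
        r = m * ulp
        if r > self.max_value:
            raise OverflowError(f"{v} overflows (_ FloatingPoint {self.ebits} {self.sbits})")
        return r if v > 0 else -r

    def add(self, x, y) -> Fraction:
        """(fp.add RNE x y) = round(RNE, x + y) for finite operands."""
        return self.round_rne(Fraction(x) + Fraction(y))

    def encode(self, r) -> Bits:
        """Fields of the SMT-LIB literal (fp sign exponent significand) for a representable r."""
        r = Fraction(r)
        if self.round_rne(r) != r:
            raise ValueError(f"{r} is not representable")
        a = abs(r)
        if a == 0:
            exp_field, sig_field = 0, 0
        elif self._exponent_of(a) < self.emin:                      # subnormal: exponent field 0
            exp_field = 0
            sig_field = int(a / Fraction(2) ** (self.emin - (self.sbits - 1)))
        else:
            e = self._exponent_of(a)
            exp_field = e + self.bias
            sig_field = int((a / Fraction(2) ** e - 1) * (1 << (self.sbits - 1)))
        return ("#b1" if r < 0 else "#b0",
                f"#b{exp_field:0{self.ebits}b}",
                f"#b{sig_field:0{self.sbits - 1}b}")

    def decode(self, sign: str, exponent: str, significand: str) -> Optional[Fraction]:
        """Inverse of encode; None for the all-ones exponent (+-oo and NaN)."""
        s, e, m = (int(f[2:], 2) for f in (sign, exponent, significand))
        if e == (1 << self.ebits) - 1:
            return None
        frac = Fraction(m, 1 << (self.sbits - 1))
        value = frac * Fraction(2) ** self.emin if e == 0 else (1 + frac) * Fraction(2) ** (e - self.bias)
        return -value if s else value

    def finite_values(self) -> Iterator[Fraction]:
        """Every finite value of the format (all bit patterns except the all-ones exponent)."""
        for s in (0, 1):
            for e in range((1 << self.ebits) - 1):
                for m in range(1 << (self.sbits - 1)):
                    yield self.decode(f"#b{s}", f"#b{e:0{self.ebits}b}", f"#b{m:0{self.sbits - 1}b}")


def overflows(fmt: FPFormat, v) -> bool:
    try:
        fmt.round_rne(v)
        return False
    except OverflowError:
        return True


def included(small: FPFormat, large: FPFormat) -> bool:
    """FP_{s,e} subset of FP_{s',e'}: every value of the small format survives rounding in the large one."""
    return all(not overflows(large, v) and large.round_rne(v) == v for v in small.finite_values())


if __name__ == "__main__":
    half = FPFormat(5, 11)
    print(half.encode(18), half.decode("#b0", "#b11010", "#b1101111011"))          # 18.0 literal, model z
    print(half.add(half.add(2048, 1), 1), half.add(2048, half.add(1, 1)))           # (x+y)+z vs x+(y+z)
    print(included(FPFormat(3, 3), half), included(half, FPFormat(3, 3)))
```

In half precision the ulp at 2048 is 2, so (2048 + 1) + 1 rounds twice to 2048 while 2048 + (1 + 1) is exactly 2050; that is the associativity failure the sat answer above reports, and the decoded model constant z is 3830.0.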

Refinement scheme: Approximate model construction → if sat, Precise model reconstruction → Model; if reconstruction fails, Model-guided approximation refinement and back to approximate model construction. If unsat, Proof-guided approximation refinement → either a Proof (unsat) or, if that fails, back to approximate model construction.

Approximate model construction: search for an approximate model with all precisions assigned to values (not necessarily the same). Implementation: precision 0 = 𝐹𝑃_{3,3}. Could also: optimize toward fewer rounding occurrences; search for small values first; use real numbers; and many more…

Model reconstruction for 𝑦=𝑥+1.75∧𝑦>0∧(𝑥=2.0∨𝑥=−4.0): all precision variables are set to 𝜔 and the terms are re-evaluated at full precision. In the figure the approximate model (in 𝐹𝑃_{3,3}) has 𝑥≔2.0 and 𝑦≔3.5; evaluating 2.0+1.75 at precision 𝜔 gives 3.75, so 𝑦≔3.75 satisfies both 𝑦=𝑥+1.75 and 𝑦>0.

Model-guided refinement: choose terms to refine by checking which terms introduce imprecision, |𝑡(𝑝,…)−𝑡(𝜔,…)|>0, and increase the precision of the highest ranked term(s). Error is either propagated from a term’s children or newly introduced by the term.


Proof-guided refinement Various levels of granularity Increase precision of all terms … those that appear in the unsat core … those that appear in the proof … as expensive as you like Trade-off between precision and efficiency

Algorithm properties Built upon existing decision procedure Preserves: soundness, completeness (if ≼ is well-founded) Sub-problems Solved faster But more of them Hints for the refinement Candidate models Proofs & unsat cores

QF_FP solving techniques (Bit-blasting: MathSAT, Sonolar, CBMC, Z3, …) Mixed abstractions (CBMC) Abstraction into interval arithmetic (MathSAT) Translation into non-linear reals (Realizer) Non-conservative approximations (Z3)

Mixed abstractions: the encoding (RM, sign, exponent, significand) is abstracted by shrinking the significand and replacing the rounding mode with an over-approximating (ORM) or under-approximating (URM) one. Brillout, Kroening, Wahl: Mixed Abstractions for Floating-Point Arithmetic. FMCAD 2009

Mixed abstractions: abstract the problem into (conservative) approximations by reducing significand precision and adjusting the rounding modes: replacing the rounding mode by a fresh Boolean yields an over-approximation, restricting to non-rounded results yields an under-approximation. Solve both at the same time. Refinement: removal of under-approximation constraints, increase of significand precision. Brillout, Kroening, Wahl: Mixed Abstractions for Floating-Point Arithmetic. FMCAD 2009

Abstract CDCL: a decision procedure framework built on concepts from abstract interpretation: abstract values from abstract domains, fixed-point computation over abstract values, meet irreducibles (~ invertible constraints); very nice theory. For FP-ACDCL: half-open floating-point intervals, e.g., 𝑥≤1.5, combined into intervals, e.g., 𝑥∈[1.5, 2.0]. Implemented in MathSAT. Brain, D’Silva, Griggio, Haller, Kroening: Interpolation-Based Verification of Floating-Point Programs with Abstract CDCL. SAS 2013. Brain, D’Silva, Griggio, Haller, Kroening: Deciding floating-point logic with abstract conflict driven clause learning. FMSD 45(2) 2014.

FP-ACDCL (figure): decision, propagation and analysis steps over interval facts, e.g. decision 𝑥∈[1.0, 2.0]; propagation …→𝑦∈[4.0, 5.0]; analysis (…∧𝑥)→𝑦, …→¬𝑥, …→𝑥∈[2.0, 3.0].

Realizer translates QF_FP into QF_NIRA (satisfiability-equivalent), eliminating all floating-point terms; it uses ∗, / (and further real-valued functions) over real-valued variables for normalization and rounding. Leeser, Mukherjee, Ramachandran, Wahl: Make it real: Effective floating-point reasoning via exact arithmetic. DATE 2014

Experimental evaluation. Comparison: bit-blasting (in Z3), FP-ACDCL (MathSAT), small-float approximation (in Z3). Benchmark sets: verification of C programs; randomly generated systems of polynomial inequalities. Instances solved:
                  SAT   UNSAT
Z3 (bit-blasting)  76    56
MathSAT
Small-float Z3     86    46

Data (SAT): plot not reproduced.

Data (UNSAT): plot not reproduced.

Non-conservative approximation is crucial for success: “close” models make model reconstruction effective. Incomplete solvers can be efficient when starting “close” to a solution and can find solutions quickly (or we abort them early). Examples: local search, “cheap” optimization; perhaps Horn or 2-CNF abstractions. Fröhlich, Biere, Wintersteiger, Hamadi: Stochastic Local Search for Satisfiability Modulo Theories. AAAI 2015

Conclusion: the SMT2 floating-point standard; solvers are starting to support it; various solving approaches. Near future, challenging problems: out-of-the-box performance, theory combination, quantifiers, real error bounds, non-linearity.

The big picture (figure) relating mcSAT, DP, Nelson/Oppen theory combination, Abstract DPLL (with learning), DPLL, Abstract DPLL(T), model-based theory combination, CDCL, ACDCL, abstract interpretation, B-CSP and CSP. References: R. Nieuwenhuis, A. Oliveras, C. Tinelli: Solving SAT and SAT Modulo Theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). J. ACM 53(6) 2006. R. Nieuwenhuis, A. Oliveras, C. Tinelli: Abstract DPLL and Abstract DPLL Modulo Theories. LPAR 2004. V. D'Silva, L. Haller, D. Kroening: Abstract conflict driven learning. POPL 2013. L. de Moura, D. Jovanović: A Model-Constructing Satisfiability Calculus. VMCAI 2013. N. Creignou, H. Vollmer: Boolean Constraint Satisfaction Problems: When Does Post's Lattice Help? Complexity of Constraints 2008.

Abstract DPLL: start at ∅∥𝐹 and apply rules, e.g. UnitPropagate: 𝑀∥𝐹, 𝐶∨𝑙 ⇒ 𝑀 𝑙∥𝐹, 𝐶∨𝑙 if 𝑀⊨¬𝐶 and 𝑙 is undefined in 𝑀. R. Nieuwenhuis, A. Oliveras, C. Tinelli: Solving SAT and SAT Modulo Theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). J. ACM 53(6) 2006

Abstract DPLL(T) (one theory; combinations hidden), e.g. T-Learn: 𝑀∥𝐹 ⇒ 𝑀∥𝐹, 𝐶 if each atom of 𝐶 occurs in 𝐹 or in 𝑀 and 𝐹⊨_𝑇 𝐶. R. Nieuwenhuis, A. Oliveras, C. Tinelli: Solving SAT and SAT Modulo Theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). J. ACM 53(6) 2006

mcSAT (clausal): an abstract transition system. Start at ⟨𝑀, 𝐶⟩ with an empty trail 𝑀 and apply rules, e.g. Decide: ⟨𝑀, 𝐶⟩ ⇒ ⟨⟨𝑀, 𝐿⟩, 𝐶⟩ if 𝐿∈𝔹 and 𝑣𝑎𝑙𝑢𝑒(𝐿, 𝑀)=𝑢𝑛𝑑𝑒𝑓. L. de Moura, D. Jovanović: A Model-Constructing Satisfiability Calculus. VMCAI 2013.

Model-constructing satisfiability calculus: an abstract solver model. Finite basis 𝔹: a finite number of predicates/terms (termination trivial; cf. completeness); pick a new predicate at any time. Explanations: explain conflicts, implications (usually clauses), (sub-)proofs. Performance depends on good basis exploration (and coverage?), good decision making, efficient domain representation. L. de Moura, D. Jovanović: A Model-Constructing Satisfiability Calculus. VMCAI 2013.

mcSAT (theories) L. de Moura, D. Jovanović: A Model-Constructing Satisfiability Calculus. VMCAI 2013.

mcSAT crucials. Pick any 𝐿∈𝔹. Assign variables, Boolean or from other theories, such that the trail stays consistent (all theories share one trail). The T-Backjump-Decide rule: non-asserting clauses, tricky termination arguments. explain(…) contains magic.

A word on ACDCL Based on Abstract Interpretation (A different “abstract”) Roughly: abstract domains implement theories Greatest fix-point implements (Boolean) constraint propagation Least fix-point implements conflict resolution Theory combination Adapted Nelson/Oppen Cartesian product of domains V. D'Silva, L. Haller, D. Kroening: Abstract conflict driven learning. POPL 2013

A bit-blasting challenge:
(set-logic QF_BV)
(declare-fun x () (_ BitVec 29980))
(declare-fun y () (_ BitVec 29980))
(assert (and (bvuge x y) (bvule (bvadd x (_ bv1 29980)) y)))
i.e. 𝑥≥_𝑢 𝑦 ∧ 𝑥+1≤_𝑢 𝑦 (QF_BV/pspace/ndist.b.29980.smt2; SAT; model: x=1…1, y=0…0, since x+1 wraps around to 0).

mcBV: a decision procedure for the theory of bit-vectors based on mcSAT; avoids bit-blasting (often); preserves word-level structure using tailor-made conflict-driven learning; theory lemmas ~ conflict explanations. A. Zeljić, C. M. Wintersteiger, P. Rümmer: Deciding Bit-Vector Formulas with mcSAT. SAT 2016.

mcSAT requirements for mcBV Finite basis of literals/predicates B For bit-vectors huge Explain function Returns a clause that is implied by the (original) problem Literals are not necessarily on the trail, but must be from B May not be asserting Value function Can evaluate any literal/predicate Definition affects the strength of propagation

mcBV projections. Theory decisions: decide on theory variables, e.g., 𝑥=0xF3. Projections: 𝑥[7:4]=0xF.

mcBV model assignment representations. Run-length encoded bit-patterns, e.g. 𝑥=1^3 0^4 ∗^2 0^1 (three ones, four zeros, two unknown bits, one zero): sound & complete. Bounds, e.g. 1<𝑥<42: sound, not complete. Cross-theory: propagation, conflicts, explanations, (some) generalization.

Experiments I: factorial example, 150 unwindings of for (int i=n; i>0; i--) f = f*i;

Experiments II

Lessons learned. Implementation complexity was underestimated by all involved parties: abstract rules cannot be implemented directly, and efficient data structures are yet to be discovered. Heuristics: unclear what works, and what should work. Explanations: generalization is very tricky, but very powerful. Implemented in F#; lines of code:
…> cat *.fs | wc -l
10633
…> cat *.fs | sed "/^\s*$/d" | wc -l
8846
(cf. Boolector 2.2.0: ~95k)

Theory combination in mcSAT Nelson/Oppen Theory solvers deduce and exchange (disjunctions of) interface equalities (Can be delayed) Model-based theory combination “Optimistic approach” Propagates/exchanges all equalities implied by a candidate model (Craig) Interpolation Cross-products of Abstract domains Finite bases

Future I: add quantifiers. SAT -> QBF (appears to be inefficient); SMT QF_BV -> SMT BV (sometimes more efficient); SMT QF_FP -> SMT BV (efficient enough?). Instantiation strategy: model-based quantifier instantiation, based on a core SMT engine, decomposes the problem into many simple queries and enjoys increased expressivity (UFs); lots of unexplored territory. Wintersteiger, Hamadi, de Moura: Efficiently Solving Quantified Bit-Vector Formulas. Formal Meth. in Sys. Design 42:1, 2013.

Future II: escape into higher complexity (UFBV). For instance, translate SAT (NP) into BV with quantifiers (NEXPTIME): this allows us to stay in a more expressive logic for longer, and more general lemmas can be learned. Extended resolution adds function definitions 𝑥=𝑓(…) and can have exponential (and more) impact. Quantifiers allow us to learn functions, e.g., ∀𝑦∃𝑥. 𝑥=𝑓(𝑦) is always sound for fresh 𝑓. For arbitrary functions (non-linear prefix, Henkin, Hintikka): 2-NEXPTIME and harder. (Figure: SAT, QBF, QF_BV, BV.)

Future III. mcBV: extensions, at least some sub-class of regular expressions over bit-vectors; (lazy) data structures, critical for any implementation. Theory and understanding of heuristics. Logic fragments/theory classes, sub-theories, finite bases; cross-theory interpolation/extensions; complexity theory needs adjusting. Parallel/distributed solvers: decomposition (ideally cross-theory).


Programs
Programs are everywhere: synthesized, man-made; abstractions of naturally occurring behavior (physics, chemistry, biology, and CS)
Automated reasoning is becoming indispensable, not only for verification: system exploration, optimization

GRNs: Gene Regulatory Networks
Abstraction of the interaction between genes
Often Boolean (on/off)
Discrete time
Update function for each gene, e.g., $f_c(a, c, \ldots) := a \wedge \neg c$
(Diagram: genes $a$, $b$, $c$ with regulatory edges)

Essential bio-computational problems
Analysis/Verification: given a GRN, what is the behavior? A gene is knocked out: what happens? Starting from some (class of) initial state(s), what will happen?
Synthesis: given experimental data (or desired behavior), construct a program, e.g., CRN, GRN, DNA, that describes the observed (or desired) behaviour

Peter, Faure, Davidson: Predictive computation of genomic logic processing functions in embryonic development, PNAS 109(41), 2012.

Sea urchin model limitations
Based on simulation only
Doesn't explain large parts of the data: no update functions for 6/45 genes; discrepancies on 25/45 genes
Contains patches, e.g., $\mathit{wnt8} := \ldots \wedge \neg({>}18 \wedge {<}24)$

Experimental data
$c_{obs} := \mathit{alx1}_1 = 0 \wedge \mathit{blimp1b}_7 = 1 \wedge \ldots$
Peter, Faure, Davidson: Predictive computation of genomic logic processing functions in embryonic development, PNAS 109(41), 2012.

Sea urchin model encoding
Genes: finite number, Boolean values
Update functions: Boolean; use (simple) temporal operators; heavily constrained by templates
Experimental data/observations: finite number, finite and discrete time, Boolean values
SMT encoding: bit-vectors + uninterpreted functions (SMT QF_UFBV); (fairly) efficient decision procedures

Sea urchin model: New model
Consistent with unmodified behavior and 3 perturbations; no discrepancies
25 new update functions, e.g.,
$\mathit{dri} := \mathrm{AT}{-}2(\mathit{alx1}) \wedge \mathrm{AT}{-}6(\mathrm{IN\ CC}\ \mathit{V2Meso}(\mathit{ets1}))$
$\mathrm{AT}{-}3(\mathit{alx1}) \wedge \mathrm{AT}{-}3(\mathit{ets1})$
Paoletti, Yordanov, Hamadi, Wintersteiger, Kugler: Analyzing and Synthesizing Genomic Logic Functions, CAV 2014.

FPA: Related work
Approximations: real arithmetic; fixed-point arithmetic; reduced-precision FPA; abstract interpretation-based (Astrée); theorem prover-based (Gappa); proof assistants (Coq, HOL). Often not sound or complete.
Precise: translation to SAT (MathSAT, Sonolar, CBMC, Z3); mixed abstractions (CBMC); abstract CDCL (MathSAT)

Example: precision terms
$t = \mathit{op}(a_1, \ldots, a_i)$
$\hat{t} = \mathit{op}(p, a_1, \ldots, a_i)$
and $p = \omega \Rightarrow \hat{t} = t$
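The precision-parameterised terms above, worked through as an added example (not code from the slides or from any solver mentioned on them): $\hat{t} = \mathit{op}(p, a_1, \ldots, a_i)$ is modelled by rounding operands and result to $p$ significant bits, $p = \omega$ is represented by `OMEGA = None` and yields the exact double operation, and a small approximate/refine loop shows why a model found at low precision has to be re-checked at $\omega$. The two constraints and candidate lists are constructed for the example; the "solver" at precision $p$ is just a linear scan over candidates.

```python
import math
import operator

OMEGA = None  # p = omega: full precision, so op(omega, a_1, ..., a_i) = op(a_1, ..., a_i)

def rnd(x, p):
    """Round x to p significant bits, round-to-nearest-even; p = OMEGA leaves x exact."""
    if p is OMEGA or x == 0.0 or not math.isfinite(x):
        return x
    m, e = math.frexp(x)                               # x = m * 2**e with 0.5 <= |m| < 1
    return math.ldexp(round(m * 2.0 ** p), e - p)      # Python's round() is half-to-even

def approx_op(op, p, *args):
    """t_hat = op(p, a_1, ..., a_i): operands and result live in p-bit precision."""
    return rnd(op(*(rnd(a, p) for a in args)), p)

# Two constructed constraints phi(p, x); phi(OMEGA, x) is the precise constraint.
def phi_square(p, x):
    return approx_op(operator.mul, p, x, x) == 4.0

def phi_absorb(p, x):
    # "x is absorbed by 1.0": true at low precision for many x, at full precision only for tiny x
    return x != 0.0 and approx_op(operator.add, p, x, 1.0) == 1.0

CANDS_SQUARE = [1.5, 1.9, 2.0, 2.1]                    # constructed candidate models
CANDS_ABSORB = [2.0 ** -k for k in range(0, 60)]

def solve_by_refinement(phi, candidates, precisions=(4, 8, 16, 32, OMEGA)):
    """Approximate/refine loop: 'solve' phi at precision p (here: the first candidate
    satisfying the p-bit version), then check that model at p = OMEGA. A spurious
    model means the approximation was too coarse, so move on to the next precision.
    Returns (model, precision it was accepted at, trace of (p, candidate) pairs)."""
    trace = []
    for p in precisions:
        model = next((x for x in candidates if phi(p, x)), None)
        trace.append((p, model))
        if model is not None and phi(OMEGA, model):   # precise check of the approximate model
            return model, p, trace
    return None, None, trace

if __name__ == "__main__":
    print("square  :", solve_by_refinement(phi_square, CANDS_SQUARE)[:2])   # accepted at p = 4
    print("absorb  :", solve_by_refinement(phi_absorb, CANDS_ABSORB)[:2])   # only at p = omega
```

`phi_square` is decided at 4 bits because the candidate `2.0` and the result `4.0` are representable there, so the $\omega$ check confirms the cheap model; `phi_absorb` is the opposite case: every reduced precision returns a spurious model ($2^{-p}$ is absorbed at $p$ bits but not in doubles), and the loop only succeeds once $p = \omega$, which is the cost the refinement scheme has to be prepared to pay.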

Square root DNA circuit L. Qian, E. Winfree: Scaling Up Digital Circuit Computation with DNA Strand Displacement Cascades, Science 332/6034, 2011.

Update functions
Boolean logic: $x_t = x_{t-1} \wedge y_{t-1}$; the usual operators $\neg$, $\wedge$, $\vee$, etc.
Delays/History: $x_t = x_{t-2} \wedge y_{t-3}$; Peter et al. suggest additional operators <t, >t, AT-n, AFTER-n, PERM-n
Spatial domains: select functions depending on spatial position; genes are in all domains; IN d (…), IN CC d (…), IN NCC d (…)

Limitations
Based on simulation only
Doesn't explain large parts of the data: no update functions for 6/45 genes; discrepancies on 25/45 genes
Contains patches, e.g., $\mathit{wnt8} := \ldots \wedge \neg({>}18 \wedge {<}24 \wedge \mathrm{IN}\ \mathit{V2Endo})$

Basic interaction template
$f := \mathit{op}\ t\ d\ r\ g$ with $\mathit{op} \in \{\mathrm{AT}, \mathrm{AFTER}, \mathrm{PERM}, \ldots\}$, $t \in \{\mathit{delta}, \mathit{foxa}, \mathit{tgif}, \ldots\}$, $d \in [1, 7]$, $r \in \{=, \mathrm{CC}, \mathrm{NCC}\}$, $g \in \{\mathit{Skel}, \mathit{V2MESO}, \ldots\}$
Can avoid non-determinism, e.g., AT-0 (…)
Multiple levels via temporaries: $f_{\mathit{foxa}} := t_1 \vee t_2$, $f_{t_1} := \ldots \mathit{hox11/13b} \wedge \mathit{tcf} \ldots$
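The analysis and synthesis questions from the "Essential bio-computational problems" slide, the delayed update functions, and the basic interaction template, as one added example (not code from the slides, from the CAV 2014 paper, or from the sea urchin model). The history, the update functions and the initial state are constructed; the semantics given to AT-n, AFTER-n and PERM-n are this example's reading of "delays/history" and are labelled as assumptions in the code. Where the slides hand the template query to an SMT solver over QF_UFBV, this example simply enumerates the template's finite parameter space.

```python
from itertools import product

# Constructed observation history (invented for this example; not the sea urchin
# data set): gene -> Boolean value per discrete time step 0..7.
HIST = {
    "a": [1, 1, 0, 0, 1, 1, 0, 0],
    "b": [0, 1, 1, 0, 0, 1, 1, 0],
    "c": [0, 0, 1, 1, 0, 0, 1, 1],
}

# Assumed semantics for the slides' temporal operators, evaluated at step t over a
# history hist[g][s]; each returns None when its window would start before step 0,
# i.e. when the value is undefined.
def at_n(hist, g, n, t):      # AT-n g: g was on exactly n steps before t
    return None if t - n < 0 else bool(hist[g][t - n])

def after_n(hist, g, n, t):   # AFTER-n g: g was on at least once in the last n steps
    return None if t - n < 0 else any(hist[g][t - n:t])

def perm_n(hist, g, n, t):    # PERM-n g: g was on at every one of the last n steps
    return None if t - n < 0 else all(hist[g][t - n:t])

OPS = {"AT": at_n, "AFTER": after_n, "PERM": perm_n}

def consistent(hist, target, op, g, n, min_support=4):
    """Check target_t = op-n(g) at every observed step where it is defined, and
    require at least min_support defined comparisons so a template instance
    cannot pass on (almost) no evidence."""
    support = 0
    for t in range(1, len(hist[target])):
        v = OPS[op](hist, g, n, t)
        if v is None:
            continue
        if v != bool(hist[target][t]):
            return False
        support += 1
    return support >= min_support

def synthesize(hist, target, delays=range(1, 8)):
    """Enumerate the basic interaction template op-n(g) with n in [1, 7] and keep
    every instance consistent with the observations (brute force standing in for
    the slides' QF_UFBV query)."""
    return [(op, g, n) for op, g, n in product(OPS, hist, delays)
            if consistent(hist, target, op, g, n)]

def simulate(update, init, steps):
    """Discrete-time simulation: update[g](hist, t) computes g's value at step t
    from the history of steps < t (an undefined window counts as off)."""
    hist = {g: [v] for g, v in init.items()}
    for t in range(1, steps):
        new = {g: int(bool(update[g](hist, t))) for g in hist}
        for g, v in new.items():
            hist[g].append(v)
    return hist

def knockout(update, gene):
    """Knock-out experiment: the gene's update function becomes the constant 0."""
    return {**update, gene: lambda hist, t: 0}

# Constructed model (invented): a_t = b_{t-1}; b_t = not a_{t-1}; c_t = a_{t-1} and not c_{t-1}.
UPDATE = {
    "a": lambda h, t: at_n(h, "b", 1, t),
    "b": lambda h, t: not at_n(h, "a", 1, t),
    "c": lambda h, t: at_n(h, "a", 1, t) and not at_n(h, "c", 1, t),
}
INIT = {"a": 1, "b": 0, "c": 0}

if __name__ == "__main__":
    print("update functions for c consistent with HIST:", synthesize(HIST, "c"))
    print("trajectory:", simulate(UPDATE, INIT, 6))
    print("a knocked out:", simulate(knockout(UPDATE, "a"), INIT, 6))
```

Two things the run shows that the slides only state: synthesis over such a template is under-determined by short histories (both `AT-2(a)` and `AT-1(b)` explain `c` in the constructed data, which is why the real encoding constrains templates heavily and uses many observations), and a knock-out is just a second analysis query against the same model with one update function replaced.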

BV SLS performance
Benchmarks: queries from SAGE, meant to be solved in seconds; satisfiable instances
(Plot: some classes much slower, others much faster)
Speaker notes: A comparison of performance on satisfiable benchmarks that stem from the SAGE whitebox fuzzer (RiSE, Godefroid, used in Windows). These problems are meant to be solved within seconds (otherwise SAGE assumes unsatisfiability and continues without a result). Our experiments show that a large number of these problems are solved many orders of magnitude faster using our SLS approach, while other classes that were previously solved quickly are not solved at all. On average, the two techniques complement each other nicely, one being strong where the other is weak.
Fröhlich, Biere, Wintersteiger, Hamadi: Stochastic Local Search for Satisfiability Modulo Theories, AAAI 2015

The future of SAT
Problem size increasing: the FPA remainder in double precision, $z = x\ \%\ y$, takes >2GB
Escape routes: decompose! Problem decomposition; parallelism; bit-vectors; aggressive simplification; pre- & in-processing

Problem decomposition
$\phi(x, y) \wedge \psi(y, z)$; expensive, e.g., quantifier elimination; yields $\phi(x) \wedge \psi(z)$: independent parts

Problem decomposition
(Diagram: $\Gamma$; (Craig) interpolants; assignments; $\phi_1, \phi_2, \ldots, \phi_n$)

A taste of decomposition

Portfolio solvers: the basics
Make $n$ copies of $\phi$; make $n$ different SAT solvers; the quickest one wins
(Diagram: $\phi$ fed to DPLL($H_1$), DPLL($H_2$), …; result SAT?)

Portfolio knowledge sharing
Conflict lemmas are implied ($\phi \Rightarrow C$) in all solvers, so we can share them
(Diagram: DPLL($H_1$) and DPLL($H_2$) exchanging lemmas $c_1$, $c_2$; result SAT?)

Portfolio knowledge sharing
Suppose that core #0 derives $C_i$ in time $2^i$ and core #1 derives $C_i$ in time $i$; by sharing $C_i$, core #0 can be exponentially faster
Portfolios with sharing: better than the best (potentially); heuristics balance between diversification and intensification
(Diagram: DPLL($H_1$) and DPLL($H_2$) exchanging lemmas $c_1$, $c_2$; result SAT?)
Wintersteiger, Hamadi, and de Moura: A Concurrent Portfolio Approach to SMT Solving. CAV 2009
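Both escape routes from the preceding slides, problem decomposition (the $\phi(x,y) \wedge \psi(y,z)$ slides) and portfolio solving with lemma sharing, in one added example built on a single small DPLL; this is illustration code, not the slides' solver, Z3, or the CAV 2009 implementation. The CNF `PHI`/`PSI` is constructed so that variable 4 is the only one shared between the two parts; the heuristics `H1`/`H2` are arbitrary variable orders standing in for the slide's $H_1$, $H_2$; and the shared lemmas are restricted to unit clauses obtained from failed top-level branches, which is one simple kind of conflict lemma $C$ with $\phi \Rightarrow C$.

```python
import threading

# Constructed CNF (invented for this example). Literals are non-zero ints and -v
# is the negation of v. phi(x, y) is over x = {1, 2, 3} and y = 4; psi(y, z) is
# over y = 4 and z = {5, 6, 7}, so y = 4 is the only shared variable.
PHI = [[1, 2], [-1, 3], [-2, -3, 4], [-4, 1]]
PSI = [[4, 5], [-5, 6], [-6, 7], [-4, -7]]

def simplify(clauses, lit):
    """Assert lit: drop the clauses it satisfies, delete its negation elsewhere."""
    return [[l for l in c if l != -lit] for c in clauses if lit not in c]

def satisfies(clauses, model):
    return all(any(model.get(abs(l), False) == (l > 0) for l in c) for c in clauses)

class LemmaPool:
    """Unit lemmas C with phi => C, shared between the members of a portfolio."""
    def __init__(self): self.lits, self.lock = set(), threading.Lock()
    def add(self, lit):
        with self.lock: self.lits.add(lit)
    def snapshot(self):
        with self.lock: return sorted(self.lits)

def dpll(clauses, pick, shared=None, assign=None, depth=0):
    """DPLL with unit propagation; pick(clauses) chooses the branching variable.
    With a LemmaPool, lemmas from other solvers are imported (sound: phi implies
    them) and a top-level branch phi & lit that fails exports the lemma -lit."""
    assign = dict(assign or {})
    for lit in (shared.snapshot() if shared else []):
        if assign.get(abs(lit), lit > 0) != (lit > 0):
            return None                         # this branch contradicts an implied lemma
        if abs(lit) not in assign:
            clauses, assign[abs(lit)] = simplify(clauses, lit), lit > 0
    while True:                                 # unit propagation
        if any(c == [] for c in clauses):
            return None
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            break
        clauses, assign[abs(units[0])] = simplify(clauses, units[0]), units[0] > 0
    if not clauses:
        return assign
    var = pick(clauses)
    for lit in (var, -var):
        m = dpll(simplify(clauses, lit), pick, shared, {**assign, var: lit > 0}, depth + 1)
        if m is not None:
            return m
        if depth == 0 and shared is not None:
            shared.add(-lit)                    # learned under no decisions: phi => -lit
    return None

H1 = lambda cl: abs(cl[0][0])                          # first variable of the first clause
H2 = lambda cl: max(abs(l) for c in cl for l in c)     # highest-numbered variable

def portfolio(clauses, heuristics, share=True):
    """One copy of phi per heuristic, run concurrently; the quickest one wins.
    Returns (winner's name, model or None for UNSAT, lemmas that were shared)."""
    pool = LemmaPool() if share else None
    winner, lock = [], threading.Lock()
    def run(name, pick):
        m = dpll([list(c) for c in clauses], pick, pool)
        with lock:
            if not winner:
                winner.append((name, m))
    threads = [threading.Thread(target=run, args=item) for item in heuristics.items()]
    for t in threads: t.start()
    for t in threads: t.join()
    return winner[0] + (pool.snapshot() if pool else [],)

def components(clauses):
    """Split phi into clause sets that share no variable (union-find on variables)."""
    parent = {}
    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            v = parent[v]
        return v
    for c in clauses:
        for l in c[1:]:
            parent[find(abs(l))] = find(abs(c[0]))
    parts = {}
    for c in clauses:
        parts.setdefault(find(abs(c[0])), []).append(c)
    return list(parts.values())

def solve_decomposed(clauses, pick=H1):
    """Solve every independent component on its own and merge the models."""
    model = {}
    for part in components(clauses):
        m = dpll(part, pick)
        if m is None:
            return None
        model.update(m)
    return model

def solve_by_elimination(clauses, var, pick=H1):
    """Case-split the shared variable (exists var. F == F[var:=1] or F[var:=0]) so each
    branch falls apart into independent parts: the slide's expensive (exponential) step."""
    for lit in (var, -var):
        m = solve_decomposed(simplify(clauses, lit), pick)
        if m is not None:
            return {**m, var: lit > 0}
    return None
```

`components(PHI + PSI)` is a single block because of variable 4; after one case split on it each branch has two variable-disjoint parts that are solved independently, and the number of branches doubles with every shared variable eliminated this way. In `portfolio`, a solver that fails a top-level branch publishes the implied unit, and the other solver picks it up at its next call, which is the "$\phi \Rightarrow C$, so sharing is sound" argument from the slide; a production portfolio would also cancel the losers instead of joining them.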

The parallel SAT challenge Challenge 7. Devise a parallel algorithm for SAT which is not based on a reduction to a (set of) P-complete problem(s) and that performs en par with or better than parallelizations of CDCL.  Hamadi, Wintersteiger: Seven challenges in parallel SAT solving. AI Magazine 34(2), 2013

A note on complexity
QF_FP (NEXPTIME): $\exists x_f \in \mathit{FPA}(11, 53).\ \phi(x)$, size $n$
QF_BV: NEXPTIME: $\exists x_{bv} \in \mathit{BV}_{64}.\ \phi'(x)$, size $n$
SAT: NP: $\exists x_0, \ldots, x_{31} \in \mathbb{B}.\ \phi''(x_0, \ldots, x_{31})$, size $2^n$
Fröhlich, Kovásznai, Biere: More on the Complexity of Quantifier-Free Fixed-Size Bit-Vector Logics with Binary Encoding. CSR 2013
Kovásznai, Fröhlich, Biere: On the Complexity of Fixed-Size Bit-Vector Logics with Binary Encoded Bit-Width. SMT 2012

Complexity of operations
IEEE 754-2008, Sec. 5.3 (Homogeneous general-computational operations; 5.3.1 General operations): "Implementations shall provide the following homogeneous general-computational operations for all supported arithmetic formats; … sourceFormat remainder(source, source): When y ≠ 0, the remainder r = remainder(x, y) is defined for finite x and y regardless of the …"
Intel® 64 and IA-32 Architectures Software Developer's Manual, May 2012: "… FPREM1 … can reduce the exponent of ST(0) by no more than 63 in one execution of the instruction … Software can re-execute the instruction (using the partial remainder in ST(0) as the dividend) until …"
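Why the remainder is the expensive operation the two quotations hint at, as an added example (not code from the slides, from IEEE 754, or from Intel): `ieee_remainder` computes the standard's definition exactly with rationals, and `partial_remainder_passes` emulates doing it the way the FPREM1 quotation describes, one partial remainder per pass with the exponent gap shrinking by at most 63 bits each time, returning how many passes a given operand pair needs. The truncated-partial-quotient scheme is this example's emulation of the quoted behaviour with the reduction fixed at 63 bits; a bit-level encoding has to unroll every one of those passes, which is where the size on the "future of SAT" slide comes from.

```python
import math
from fractions import Fraction

def ieee_remainder(x, y):
    """IEEE 754-2008 remainder: r = x - y*n with n = x/y rounded to nearest, ties to even.
    Computed with exact rationals; r is always representable, so float(r) is exact."""
    if y == 0.0 or not (math.isfinite(x) and math.isfinite(y)):
        raise ValueError("remainder is defined for finite x and y != 0")
    n = round(Fraction(x) / Fraction(y))        # round() on a Fraction is half-to-even
    r = float(Fraction(x) - Fraction(y) * n)
    return math.copysign(0.0, x) if r == 0 else r

def partial_remainder_passes(x, y, max_reduction=63):
    """Emulate remainder(x, y) by re-executing a partial-remainder step: while the
    exponent gap exceeds max_reduction, one pass subtracts a truncated partial
    quotient scaled so the gap shrinks by at least max_reduction bits; the final
    pass rounds the remaining quotient to nearest-even. Every partial quotient is
    a multiple of 2**k with k >= 1, so it is even and ties-to-even on the last
    pass agrees with ties-to-even on the full quotient. Returns (remainder, passes)."""
    if y == 0.0 or not (math.isfinite(x) and math.isfinite(y)):
        raise ValueError("remainder is defined for finite x and y != 0")
    X, Y = Fraction(abs(x)), Fraction(abs(y))    # exact; the sign is restored at the end
    passes = 0
    while True:
        passes += 1
        gap = math.frexp(float(X))[1] - math.frexp(float(Y))[1]
        if gap <= max_reduction:                             # final pass
            r = float(X - Y * round(X / Y))
            r = r if math.copysign(1.0, x) > 0 else -r       # remainder's sign follows x
            return (math.copysign(0.0, x) if r == 0 else r), passes
        k = gap - max_reduction
        q = int(X / (Y * 2 ** k))                            # truncated partial quotient
        X = X - Y * 2 ** k * q                               # exact partial remainder

def agrees_with_libm(x, y):
    """Cross-check both routines against the C library's remainder (math.remainder)."""
    return partial_remainder_passes(x, y)[0] == ieee_remainder(x, y) == math.remainder(x, y)

if __name__ == "__main__":
    for x, y in [(5.0, 3.0), (7.5, 5.0), (2.0 ** 900, 3.0), (1e300, 7.0)]:
        r, n = partial_remainder_passes(x, y)
        print(f"remainder({x!r}, {y!r}) = {r!r} after {n} passes, libm agrees: {agrees_with_libm(x, y)}")
```

`remainder(5.0, 3.0)` is `-1.0` (the quotient 1.67 rounds to 2), and `remainder(7.5, 5.0)` is `-2.5` because the tie 1.5 rounds to the even quotient 2; those are the cases where `remainder` and `fmod`-style truncation differ. The pass count is what matters for circuit size: `2.0 ** 900` against `3.0` needs 15 passes, and the worst case for doubles (largest against smallest exponent) needs on the order of 2000/63 of them, each a full-width subtract-and-compare.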

Demo files