Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leonardo de Moura Microsoft Research. Quantifiers in Satisfiability Modulo Theories Logic is “The Calculus of Computer Science” (Z. Manna). High computational.

Published byEileen Pearson Modified over 8 years ago

Similar presentations

Presentation on theme: "Leonardo de Moura Microsoft Research. Quantifiers in Satisfiability Modulo Theories Logic is “The Calculus of Computer Science” (Z. Manna). High computational."— Presentation transcript:

1 Leonardo de Moura Microsoft Research

2 Quantifiers in Satisfiability Modulo Theories Logic is “The Calculus of Computer Science” (Z. Manna). High computational complexity

3 Quantifiers in Satisfiability Modulo Theories Is formula F satisfiable modulo theory T ? SMT solvers have specialized algorithms for T

4 Quantifiers in Satisfiability Modulo Theories b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

5 Quantifiers in Satisfiability Modulo Theories ArithmeticArithmetic b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

6 Quantifiers in Satisfiability Modulo Theories ArithmeticArithmetic Array Theory b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

7 Quantifiers in Satisfiability Modulo Theories ArithmeticArithmetic Array Theory Uninterpreted Functions b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

8 A Theory is a set of sentences Alternative definition: A Theory is a class of structures Th(M) is the set of sentences that are true in the structure M Quantifiers in Satisfiability Modulo Theories

9 VCC Hyper-V Terminator T-2 NModel HAVOC F7 SAGE Vigilante SpecExplorer

10 Quantifiers in Satisfiability Modulo Theories Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for academic research. Interfaces: http://research.microsoft.com/projects/z3 Z3 TextC/C++.NETOCaml

11 Quantifiers in Satisfiability Modulo Theories F  TF  T First-order Theorem Prover T may not have a finite axiomatization

12 Quantifiers in Satisfiability Modulo Theories For some theories, SMT can be reduced to SAT bvmul 32 (a,b) = bvmul 32 (b,a) Higher level of abstraction

13 For most SMT solvers: F is a set of ground formulas Quantifiers in Satisfiability Modulo Theories Many Applications Bounded Model Checking Test-Case Generation

14 M | F Quantifiers in Satisfiability Modulo Theories Partial model Set of clauses

15 Guessing Quantifiers in Satisfiability Modulo Theories p,  q | p  q,  q  r p | p  q,  q  r

16 Deducing Quantifiers in Satisfiability Modulo Theories p, s| p  q,  p  s p | p  q,  p  s

17 Backtracking Quantifiers in Satisfiability Modulo Theories p, s| p  q, s  q,  p   q p,  s, q | p  q, s  q,  p   q

18 Efficient decision procedures for conjunctions of ground atoms. Quantifiers in Satisfiability Modulo Theories a=b, a 10 Difference LogicBelmann-Ford Uninterpreted functionsCongruence closure Linear arithmeticSimplex Efficient algorithms

19 How to represent the model of satisfiable formulae? Functor: Given a model M for T Generate a model M’ for F (modulo T) Example: F: f(a) = 0 and a > b and f(b) > f(a) + 1 Quantifiers in Satisfiability Modulo Theories SymbolInterpretation a1 b0 fite(x=1, 0, 2) M’:

20 How to represent the model of satisfiable formulae? Functor: Given a model M for T Generate a model M’ for F (modulo T) Example: F: f(a) = 0 and a > b and f(b) > f(a) + 1 Quantifiers in Satisfiability Modulo Theories SymbolInterpretation a1 b0 fite(x=1, 0, 2) Interpretation is given using T-symbols M’:

21 How to represent the model of satisfiable formulae? Functor: Given a model M for T Generate a model M’ for F (modulo T) Example: F: f(a) = 0 and a > b and f(b) > f(a) + 1 Quantifiers in Satisfiability Modulo Theories SymbolInterpretation a1 b0 fite(x=1, 0, 2) Non ground term (lambda expression) Non ground term (lambda expression) M’:

22 Quantifiers in Satisfiability Modulo Theories SymbolInterpretation a1 b0 fite(x=1, 0, 2) M’: Is  x: f(x) > 0 satisfied by M’? Yes, not (ite(k=1,0,2) > 0) is unsatisfiable

23 SymbolInterpretation a1 b0 fite(x=1, 0, 2) M’: Is  x: f(x) > 0 satisfied by M’? Yes, not (ite(k=1,0,2) > 0) is unsatisfiable Negated quantifier Replaced f by its interpretation Replaced x by fresh constant k Negated quantifier Replaced f by its interpretation Replaced x by fresh constant k

24 Quantifiers in Satisfiability Modulo Theories Annotated Program Verification Condition F pre/post conditions invariants and other annotations pre/post conditions invariants and other annotations

25 BIG and-or tree (ground) BIG and-or tree (ground)  Axioms ( (non-ground)  Axioms ( (non-ground) Control & Data Flow

26 Quantifiers, quantifiers, quantifiers, … Modeling the runtime  h,o,f: IsHeap(h)  o ≠ null  read(h, o, alloc) = t  read(h,o, f) = null  read(h, read(h,o,f),alloc) = t Quantifiers in Satisfiability Modulo Theories

27 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms  o, f: o ≠ null  read(h 0, o, alloc) = t  read(h 1,o,f) = read(h 0,o,f)  (o,f)  M Quantifiers in Satisfiability Modulo Theories

28 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions  i,j: i  j  read(a,i)  read(b,j) Quantifiers in Satisfiability Modulo Theories

29 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories  x: p(x,x)  x,y,z: p(x,y), p(y,z)  p(x,z)  x,y: p(x,y), p(y,x)  x = y Quantifiers in Satisfiability Modulo Theories

30 Quantifiers, quantifiers, quantifiers, … Modeling the runtime Frame axioms User provided assertions Theories Solver must be fast in satisfiable instances. Quantifiers in Satisfiability Modulo Theories We want to find bugs!

31 Grand challenge: Microsoft Hypervisor 70k lines of dense C code VCs have several Mb Thousands of non ground clauses Developers are willing to wait at most 5 min per VC Quantifiers in Satisfiability Modulo Theories

32 Heuristic quantifier instantiationCombining SMT with Saturation proversComplete quantifier instantiationDecidable fragmentsModel based quantifier instantiation Quantifiers in Satisfiability Modulo Theories

33 SMT solvers use heuristic quantifier instantiation. E-matching (matching modulo equalities). Example:  x: f(g(x)) = x { f(g(x)) } a = g(b), b = c, f(a)  c Trigger

34 Quantifiers in Satisfiability Modulo Theories SMT solvers use heuristic quantifier instantiation. E-matching (matching modulo equalities). Example:  x: f(g(x)) = x { f(g(x)) } a = g(b), b = c, f(a)  c x=b f(g(b)) = b Equalities and ground terms come from the partial model M

35 Quantifiers in Satisfiability Modulo Theories Integrates smoothly with DPLL. Software verification problems are big & shallow. Decides useful theories: Arrays Partial orders …

36 Quantifiers in Satisfiability Modulo Theories E-matching is NP-Hard. In practice

37 Quantifiers in Satisfiability Modulo Theories Trigger: f(x1, g(x1, a), h(x2), b) Trigger: f(x1, g(x1, a), h(x2), b) Instructions: 1.init(f, 2) 2.check(r4, b, 3) 3.bind(r2, g, r5, 4) 4.compare(r1, r5, 5) 5.check(r6, a, 6) 6.bind(r3, h, r7, 7) 7.yield(r1, r7) Instructions: 1.init(f, 2) 2.check(r4, b, 3) 3.bind(r2, g, r5, 4) 4.compare(r1, r5, 5) 5.check(r6, a, 6) 6.bind(r3, h, r7, 7) 7.yield(r1, r7) CompilerCompiler Similar triggers share several instructions. Combine code sequences in a code tree

38 Quantifiers in Satisfiability Modulo Theories E-matching needs ground seeds.  x: p(x),  x: not p(x)

39 Quantifiers in Satisfiability Modulo Theories E-matching needs ground seeds. Bad user provided triggers:  x: f(g(x))=x { f(g(x)) } g(a) = c, g(b) = c, a  b Trigger is too restrictive

40 Quantifiers in Satisfiability Modulo Theories E-matching needs ground seeds. Bad user provided triggers:  x: f(g(x))=x { g(x) } g(a) = c, g(b) = c, a  b More “liberal” trigger More “liberal” trigger

41 Quantifiers in Satisfiability Modulo Theories E-matching needs ground seeds. Bad user provided triggers:  x: f(g(x))=x { g(x) } g(a) = c, g(b) = c, a  b, f(g(a)) = a, f(g(b)) = b a=b

42 Quantifiers in Satisfiability Modulo Theories E-matching needs ground seeds. Bad user provided triggers. It is not refutationally complete. False positives

43 Quantifiers in Satisfiability Modulo Theories Tight integration: DPLL + Saturation solver. BIG and-or tree (ground) BIG and-or tree (ground) Axioms ( (non-ground) Axioms ( (non-ground) Saturation Solver DPLL + Theories

44 Quantifiers in Satisfiability Modulo Theories Inference rule: DPLL(  ) is parametric. Examples: Resolution Superposition calculus …

45 Quantifiers in Satisfiability Modulo Theories M | F Partial model Set of clauses

46 Quantifiers in Satisfiability Modulo Theories p(a) | p(a)  q(a),  x:  p(x)  r(x),  x: p(x)  s(x)

47 Quantifiers in Satisfiability Modulo Theories p(a) | p(a)  q(a),  p(x)  r(x), p(x)  s(x)

48 Quantifiers in Satisfiability Modulo Theories p(a) | p(a)  q(a),  p(x)  r(x), p(x)  s(x) p(a) | p(a)  q(a),  p(x)  r(x), p(x)  s(x), r(x)  s(x) Resolution

49 Using ground atoms from M: M | F Main issue: backtracking. Hypothetical clauses: H  C Quantifiers in Satisfiability Modulo Theories (regular) Clause (hypothesis) Ground literals (hypothesis) Ground literals Track literals from M used to derive C

50 Quantifiers in Satisfiability Modulo Theories p(a) | p(a)  q(a),  p(x)  r(x) p(a) | p(a)  q(a),  p(x)  r(x), p(a)  r(a) p(a),  p(x)  r(x) r(a)

51 Quantifiers in Satisfiability Modulo Theories p(a), r(a) | p(a)  q(a),  p(a)  r(a), p(a)  r(a), …

52 Quantifiers in Satisfiability Modulo Theories p(a), r(a) | p(a)  q(a),  p(a)  r(a), p(a)  r(a), … p(a) is removed from M  p(a) | p(a)  q(a),  p(a)  r(a), …

53 Quantifiers in Satisfiability Modulo Theories Saturation solver ignores non-unit ground clauses. p(a) | p(a)  q(a),  p(x)  r(x)

54 Quantifiers in Satisfiability Modulo Theories Saturation solver ignores non-unit ground clauses. It is still refutanionally complete if:  has the reduction property. BIG and-or tree (ground) BIG and-or tree (ground) Axioms ( (non-ground) Axioms ( (non-ground) Saturation Solver DPLL + Theories

55 DPLL + Theories DPLL + Theories Saturation Solver Saturation Solver Quantifiers in Satisfiability Modulo Theories Saturation solver ignores non-unit ground clauses. It is still refutanionally complete if:  has the reduction property. Ground literals Ground clauses

56 Quantifiers in Satisfiability Modulo Theories Interpreted symtbols  (f(a) > 2), f(x) > 5 It is refutationally complete if Interpreted symbols only occur in ground clauses Non ground clauses are variable inactive “Good” ordering is used

57 Quantifiers in Satisfiability Modulo Theories There is no sound and refutationally complete procedure for linear arithmetic + unintepreted function symbols

58 Quantifiers in Satisfiability Modulo Theories Universal variables only occur as arguments of uninterpreted symbols.  x: f(x) + 1 > g(f(x))  x,y: f(x+y) = f(x) + f(y)

59 Quantifiers in Satisfiability Modulo Theories Relax restriction on the occurrence of universal variables. not (x  y) not (x  t) f(x + c) x = c t …

60 Quantifiers in Satisfiability Modulo Theories If F is in the almost uninterpreted fragment Convert F into an equisatisfiable (modulo T) set of ground clauses F* F* may be infinite It is a decision procedure if F* is finite Subsumes EPR, Array Property Fragment, Stratified Vocabularies for Many Sorted Logic

61 Quantifiers in Satisfiability Modulo Theories F induces a system  F of set constraints S k,i set of ground instances for variable x i in clause C k A f,j set of ground j-th arguments of f j-th argument of f in clause C k Set Constraint a ground term t t  A f,j t [x 1,…,x n ] t [S k,1,…,S k,n ]  A f,j xixi S k,i  A f,j F* is generated using the least solution of  F F* = { C k [S k,1,…,S k,n ] | C k  F }

62 Quantifiers in Satisfiability Modulo Theories F induces a system  F of set constraints S k,i set of ground instances for variable x i in clause C k A f,j set of ground j-th arguments of f j-th argument of f in clause C k Set Constraint a ground term t t  A f,j t [x 1,…,x n ] t [S k,1,…,S k,n ]  A f,j xixi S k,i  A f,j F* is generated using the least solution of  F F* = { C k [S k,1,…,S k,n ] | C k  F } We assume the least solution is not empty

63 Quantifiers in Satisfiability Modulo Theories g(x 1, x 2 ) = 0  h(x 2 ) = 0, g(f(x 1 ),b) + 1 < f(x 1 ), h(b) = 1, f(a) = 0 S 1,1 = A g,1 = { f(a) } S 1,2 = A g,2 = A h,1 = {b} S 2,1 = A f,1 = {a} S 1,1 = A g,1, S 1,2 = A g,2, S 1,2 = A h,1 S 2,1 = A f,1, f(S 2,1 )  A g,1, b  A g,2 b  A h,1, a  A f,1 Least solution F FF g(f(a), b) = 0  h(b) = 0, g(f(a),b) + 1 < f(a), h(b) = 1, f(a) = 0 F*

64 Quantifiers in Satisfiability Modulo Theories Compactness A set F of first order sentences is unsatisifiable iff it contains an unsatisfiable finite subset If we view T as a set of sentences Apply compactness to T  F*

65 Quantifiers in Satisfiability Modulo Theories  x: f(f(x)) > f(x)  x: f(x) < a f(0) = 0 f(f(0)) > f(0), f(f(f(0))) > f(f(0)), … f(0) < a, f(f(0)) < a, … f(0) = 0 Satisfiable if T is Th(Z), but unsatisfiable T is the the class of structures Exp(Z)

66 Quantifiers in Satisfiability Modulo Theories Generate candidate model Model check Instantiate quantifiers

67 Quantifiers in Satisfiability Modulo Theories There is no winner Portfolio of algorithms/techniques

68 Joint work with Y. Hamadi (MSRC) and C. Wintersteiger Multi-core & Multi-node (HPC) Different strategies in parallel Collaborate exchanging lemmas Quantifiers in Satisfiability Modulo Theories Strategy 1 Strategy 2 Strategy 3 Strategy 4 Strategy 5

69 Quantifiers in Satisfiability Modulo Theories Some VCs produced by verifying compilers are very challenging Most VCs contain many non ground formulas Z3 2.0 won all  -divisions in SMT-COMP’08 Many challenges Many approaches/algorithms Thank You!

Download ppt "Leonardo de Moura Microsoft Research. Quantifiers in Satisfiability Modulo Theories Logic is “The Calculus of Computer Science” (Z. Manna). High computational."

Similar presentations

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving

Automated Theorem Proving
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
The Model Evolution Calculus with Built-in Theories Peter Baumgartner MPI Informatik, Saarbrücken www.mpi-sb.mpg.de/~baumgart/

The Model Evolution Calculus with Built-in Theories Peter Baumgartner MPI Informatik, Saarbrücken
Inference Rules Universal Instantiation Existential Generalization

Inference Rules Universal Instantiation Existential Generalization
50.530: Software Engineering

50.530: Software Engineering
SLD-resolution Introduction Most general unifiers SLD-resolution

SLD-resolution Introduction Most general unifiers SLD-resolution
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.

Linked List Implementation class List { private List next; private Object data; private static List root; private static int size; public static void addNew(Object.
UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
CSC 685 Logic Review. Logic: Modeling Human Reasoning syllogistic logic Syllogistic Logic (Aristotle). all/some X are/not Y Propositional Logic (Boole).

CSC 685 Logic Review. Logic: Modeling Human Reasoning syllogistic logic Syllogistic Logic (Aristotle). all/some X are/not Y Propositional Logic (Boole).
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008.

Proof translation from CVC3 to Hol light Yeting Ge Acsys Mar 5, 2008.
Leonardo de Moura Microsoft Research. Satisfiability Modulo Theories: A Calculus of Computation Verification/Analysis tools need some form of Symbolic.

Leonardo de Moura Microsoft Research. Satisfiability Modulo Theories: A Calculus of Computation Verification/Analysis tools need some form of Symbolic.

Similar presentations

Ads by Google