Lazy Proofs for DPLL(T)-Based SMT Solvers Guy Katz Schloss Dagstuhl, October 2016

Acknowledgements Based on joint work with Clark Barrett, Cesare Tinelli, Andrew Reynolds and Liana Hadarean (FMCAD’16) Stanford University The University of Iowa Synopsys

Producing Checkable Artifacts SMT solvers used in verification & analysis tools Verifying safety-critical systems Increase reliability by producing checkable artifacts Input Query SMT Solver Result 𝑥⋅2>6 𝑥<5 SAT Check Model: 𝑥 = 4

The UNSAT Case No satisfying model exists Input Query SMT Solver Result ? 𝑥⋅2>11 𝑥<5 UNSAT Check Proof Certificate 𝑥⋅2>11 𝑥<5 ⊥

SMT Proofs: Use Cases Increase confidence in verification tools Interpolant generation Skeptical Proof-Assistants (Coq, Isabelle/HOL) Discharge goals using SMT-Solver Reconstruct internal proof from certificate

Agenda Background: SAT Solvers and Proofs SMT Solvers and Proofs Theory-Specific Proofs Lazy Proof Production Experimental Results

Agenda Background: SAT Solvers and Proofs SMT Solvers and Proofs Theory-Specific Proofs Lazy Proof Production Experimental Results

Boolean Resolution The Boolean Resolution rule: A proof of unsatisfiability: Start with input clauses Apply resolution Derive empty clause Can always do this for UNSAT formulas 𝑝 1 ∨ 𝑝 2 ∨…∨ 𝑝 𝑛 ∨𝑐 ~𝑐∨ 𝑞 1 ∨ 𝑞 2 ∨…∨ 𝑞 𝑚 𝑝 1 ∨…∨ 𝑝 𝑛 ∨ 𝑞 1 ∨…∨ 𝑞 𝑚 Heule & Biere. Proofs for Satisfiability Problems. APPA, 2015

The DPLL Architecture An abstract algorithm for solving SAT Incrementally assign variables to true/false Decide assignments Deduce assignments If formula is satisfied, done If a conflict is found, backjump Undo previous decisions, try something else Davis & Putnam. A Computing Procedure for Quantification Theory. JACM, 1960 Davis, Logemann & Loveland. A Machine Program for Theorem Proving. CACM, 1962

Conflict: ~3∨2 Not satisfied by assignment DPLL: Example Input clauses (CNF): 1∨~2, ~1∨~2, 2∨3, ~3∨2 Partial Assignment Formula Conflict Rule Being Applied 1∨~2, ~1∨~2, 2∨3, ~3∨2 Decide 1 𝑑 1∨~2, ~1∨~2, 2∨3, ~3∨2 Propagate ~1∨~2 1 𝑑 , ~2 1∨~2, ~1∨~2, 2∨3, ~3∨2 Propagate (2∨3) 1 𝑑 , ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2 Conflict (~3∨2) 1 𝑑 , ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2 ~3∨2 Explain (2∨3) 1 𝑑 , ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2 2 Explain (~1∨~2) 1 𝑑 , ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2 ~1 Learn (~1) Clause: ~1∨~2 1 is true ⇒2 is false 2 ~3∨2 2∨3 Conflict: ~3∨2 Not satisfied by assignment 1 𝑑 , ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 ~1 Backjump ~1 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 Propagate (1∨~2)

DPLL: Example (cnt’d) 2 ~3∨2 2∨3 Partial Assignment Formula Conflict Rule Being Applied ~1 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 Propagate (1∨~2) ~1, ~2 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 Propagate 2∨3 ~1, ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 Conflict ~3∨2 ~1, ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 ~3∨2 Explain (2∨3) ~1, ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 2 Explain (1∨~2) ~1, ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 1 Explain (~1) ~1, ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 ⊥ Fail 2 ~3∨2 2∨3

Constructing a Proof Input clauses: 1∨~2, ~1∨~2, 2∨3, ~3∨2 ~3∨2 2∨3 2 ~1, ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2,~1 ~3∨2 Explain (2∨3) 2 Explain (1∨~2) 1 Explain (~1) ⊥ Fail 1 𝑑 , ~2, 3 1∨~2, ~1∨~2, 2∨3, ~3∨2 ~3∨2 Explain (2∨3) 2 Explain (~1∨~2) ~1 Learn (~1) ~3∨2 2∨3 2 ~1∨~2 ~3∨2 2∨3 ~1 2 1∨~2 1 ~1 ⊥

Agenda Background: SAT Solvers and Proofs SMT Solvers and Proofs Theory-Specific Proofs Lazy Proof Production Experimental Results

Satisfiability Modulo Theories Input: a first order logic formula In general, undecidable Focus on decidable fragments Uninterpreted functions, arithmetic, bitvectors, arrays 𝑔 𝑎 =𝑐 ∧ 𝑓 𝑔 𝑎 ≠𝑓 𝑐 ∨𝑔 𝑎 =𝑑 ∧(𝑐≠𝑑) Is there a model that satisfies the formula?

The DPLL(T) Architecture Arithmetic Uninterpreted Functions Sets SAT Solver Bitvectors Arrays Nieuwenhuis, Oliveras & Tinelli. Solving SAT and SAT Modulo Theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). JACM, 2006

Adding the Theory Solvers DPLL(T): DPLL + Background theory T T can represent multiple theories Theory atoms mapped to Boolean atoms SAT solver constructs (partial) assignment Theory solver checks if it is T-consistent Theory solvers can: Report conflicts (T-conflict) Propagate literals (T-propagate) Learn new clauses (T-Learn) Justified by Theory Lemmas

Example: Uninterpreted Functions 𝑔 𝑎 =𝑐, 𝑓 𝑔 𝑎 ≠𝑓 𝑐 ∨𝑔 𝑎 =𝑑, 𝑐≠𝑑 1 ~2 3 ~4 Partial Assignment Formula Conflict Rule Being Applied 1, ~2∨3, ~4 Propagate 1 , (~4) 1, ~4 1, ~2∨3, ~4 Decide 1, ~4, ~ 2 𝑑 1, ~2∨3, ~4 T-Conflict (~1∨2) 1, ~4, ~ 2 𝑑 1, ~2∨3, ~4 ~1∨2 Explain (1) 1 is true: 𝑔 𝑎 =𝑐 3 is true: 𝑔 𝑎 =𝑑 4 is false: 𝑐≠𝑑 1, ~4, ~ 2 𝑑 1, ~2∨3, ~4 2 Learn (2) 1 is true: 𝑔 𝑎 =𝑐 Congruence: 𝑓 𝑔 𝑎 =𝑓(𝑐) Contradicts ~2 1, ~4, ~ 2 𝑑 1, ~2∨3, ~4, 2 2 Backjump 1, ~4, 2 1, ~2∨3, ~4, 2 Propagate ~2∨3 1, ~4, 2, 3 1, ~2∨3, ~4, 2 T-Conflict (~1∨~3∨4) Explain 1, ~4, 2, 3 1, ~2∨3, ~4, 2 ⊥ Fail

Example: Uninterpreted Functions 𝑔 𝑎 =𝑐, 𝑓 𝑔 𝑎 ≠𝑓 𝑐 ∨𝑔 𝑎 =𝑑, 𝑐≠𝑑 1 ~2 3 ~4 1, ~4, ~ 2 𝑑 1, ~2∨3, ~4 T-Conflict (~1∨2) 1, ~4, 2, 3 1, ~2∨3, ~4, 2 T-Conflict (~1∨~3∨4) Theory Proof Theory Proof ~1∨~3∨4 ~2∨3 2 ~1∨2 1 ~1∨~2∨4 1 ~2∨4 ~4 ~2 2 ⊥

Proofs with Theory Lemmas Construct refutation tree as before Leaves may be theory lemmas T-solver needs to support a produceProof() method Use sub-proof to justify the lemma Each theory-lemma owned by a specific T-solver Complex lemmas may have multiple steps Invoke produceProof() for each step Combine with Boolean resolution

Example: A Complex Lemma Partial assignment: T-Propagation from uninterpreted functions: T-Propagation from arrays: T-Conflict from uninterpreted functions: The resulting learned clause: ~1: 𝑔 𝑥, 𝑓 𝑥 , 𝑧 𝑓 𝑥 := 𝑥 𝑓 𝑦 ≠𝑔 𝑦, 𝑓 𝑦 , 𝑦 2: 𝑥=𝑦 3: 𝑓(𝑥)=𝑓(𝑦) Cause: 2 4: 𝑧 𝑓 𝑥 := 𝑥 𝑓 𝑦 =𝑦 Cause: 2∧3 1∨~2∨~3∨~4 1∨~2

Example: A Complex Lemma Goal: prove 1∨~2 Uninterpreted functions conflict: 1∨~2∨~3∨~4 Array propagation: 2∧3⇒4 Uninterpreted functions propagation: 2⇒3 Uninterpreted Functions proof Array proof Uninterpreted Functions proof 1∨~2∨~3∨~4 ~2∨~3∨4 1∨~2∨~3 ~2∨3 1∨~2

Agenda Background: SAT Solvers and Proofs SMT Solvers and Proofs Theory-Specific Proofs Lazy Proof Production Experimental Results

Theory-Specific Proofs For SAT proofs, Boolean Resolution is enough For background theories, need additional rules Proof rules correspond to theory solver’s decision procedure

Uninterpreted Functions Axioms: Reflexivity: 𝑥=𝑥 Symmetry: (𝑥=𝑦)⇒(𝑦=𝑥) Transitivity: (𝑥=𝑦)∧(𝑦=𝑧)⇒(𝑥=𝑧) Congruence: (𝑥=𝑦)⇒(𝑓 𝑥 =𝑓 𝑦 ) Decision procedure: congruence closure Construct equivalence class of terms If two terms are equal, merge their classes Proof rules: symmetry, transitivity and congruence Fontaine, Marion, Merz, Nieto & Tiu. Expressiveness + Automation + Soundness: Towards Combining SMT Solvers and Interactive Proof Assistants. TACAS, 2006

Uninterpreted Functions (cnt’d) Example: 𝑥=𝑦 ∧ 𝑧=𝑓 𝑦 ∧ 𝑓 𝑥 ≠𝑧 𝑥=𝑦 𝑧=𝑓(𝑦) Congruence Symmetry 𝑓 𝑥 =𝑓(𝑦) 𝑓 𝑦 =𝑧 Transitivity 𝑓 𝑥 ≠𝑧 𝑓 𝑥 =𝑧 ⊥

Arrays with Extensionality Axioms: Read-over-Write 1: i≠𝑗⇒ 𝑎 𝑖 ≔𝑥 𝑗 =𝑎 𝑗 Read-over-Write 2: 𝑎 𝑖 ≔𝑥 𝑖 =𝑥 Extensionality: 𝑎≠𝑏⇒∃𝑘.𝑎 𝑘 ≠𝑏[𝑘] NP-complete Decision procedure: similar to congruence closure

Arrays (cnt’d) Example: 𝑖≠𝑗 ∧ 𝑎 𝑗 ≔𝑦 𝑖 =𝑥 ∧(𝑎 𝑖 ≠𝑥) 𝑖≠𝑗 𝑎 𝑗 ≔𝑦 𝑖 =𝑥 𝑎 𝑗 ≔𝑦 𝑖 =𝑥 Read-over-Write 1 𝑎 𝑖 =𝑥 𝑎 𝑖 ≠𝑥 ⊥

Fixed-Width Bitvectors Axioms for: Bit-wise operation: and, not, xor Bitvector arithmetic: +, -, ∗, / Concatenation, shifts NP-complete Decision procedure: Bitblasting, with some word-level reasoning

Fixed-Width Bitvectors (cnt’d) Example: 𝑏 1 ≠ 𝑏 2 ∨ 𝑏 2 ≠10 ∨( 𝑏 1 ≠00) 𝑏 1 = 𝑏 2 𝑏 2 =10 BB BB 𝑏 1 1 = 𝑏 2 1 𝑏 2 1 =1 𝑏 1 =00 Transitivity BB 𝑏 1 1 =1 𝑏 1 1 =0 ⊥ Hadarean, Barrett, Reynolds, Tinelli & Deters. Fine-grained SMT Proofs for the Theory of Fixed-width Bitvectors. LPAR, 2015

Agenda Background: SAT Solvers and Proofs SMT Solvers and Proofs Theory-Specific Proofs Lazy Proof Production Experimental Results

The Eager Approach When should we prove theory lemmas? Eagerly: when lemma is generated Easy to produce a proof Many lemmas generated during search Not all are needed!

The Lazy Approach No proof production during search Produce proofs on demand When theory lemma encountered in refutation tree Fewer theory proofs generated But, need to redo some theory reasoning

So, Eager or Lazy? Eager: more lemmas, less work for each lemma Lazy: fewer lemmas, each lemma more expensive Can differ between theory solvers! Evaluation: For uninterpreted functions: Lazy For arrays: Lazy

Lazily Proving Lemmas Theory lemmas: Lemmas are disjunctions: ⇒ 𝑇 𝑙 1 ∨ 𝑙 2 ∨…∨ 𝑙 𝑛 To prove a previous lemma: Create a fresh theory solver Assert: ~ 𝑙 1 , ~ 𝑙 2 ,…, ~ 𝑙 𝑛 When ⊥ is derived, call produceProof() T-Propagation 𝑝 1 ∧ 𝑝 2 ⇒ 𝑇 𝑝 3 ⇒ 𝑇 ~ 𝑝 1 ∨~ 𝑝 2 ∨ 𝑝 3 T-Conflict 𝑝 1 ∧ 𝑝 2 ⇒ 𝑇 ⊥ ⇒ 𝑇 ~ 𝑝 1 ∨~ 𝑝 2 T-Learn ⇒ 𝑇 𝑝 1 ∨ 𝑝 2

Storing “Hints” Sometimes a fresh solver isn’t enough Array theory: extensionality 𝑎≠𝑏⇒∃𝑘.𝑎 𝑘 ≠𝑏 𝑘 Need to remember this specific 𝑘 Allow bookkeeping during search

Handling Rewrites Array solver generates a lemma: 𝑏+1≠1⇒ 𝑎 𝑏+1 ≔𝑥 1 =𝑎 1 Bitvector solver performs a rewrite: 𝑏≠0⇒ 𝑎 𝑏+1 ≔𝑥 1 =𝑎 1 Later: ask array solver to prove ℓ 2 Error! ℓ 1 : 𝑇 𝐴𝑋 -valid ℓ 2 : not 𝑇 𝐴𝑋 -valid

Handling Rewrites (cnt’d) Solution: track rewrites Remember a recipe for proving ℓ 2 : Prove ℓ 1 Prove rewrite: 𝑏+1≠1 →(𝑏≠0) Prove rewrites lazily, with lemmas

Agenda Background: SAT Solvers and Proofs SMT Solvers and Proofs Theory-Specific Proofs Lazy Proof Production Experimental Results

Implementation Implemented this technique in CVC4 A state-of-the-art SMT solver, available online Currently supported theories: Uninterpreted functions Arrays with extensionality Fixed-width Bitvectors And combinations thereof… Proofs generated in LFSC format

Generate and Check Proof Evaluation on SMT-LIB Tested relevant families from SMT-LIB: QF_UF, QF_AX, QF_BV QF_UFBV, QF_ABV, QF_AUFBV Benchmark Category Default Solved Time Generate Proof Generate and Check Proof QF_UF 4083 7523 4067 19097 4029 61650 QF_AX 277 450 264 3170 260 3193 QF_BV 20517 49884 20430 67072 17602 132975 QF_UFBV 12 1391 2623 4 170 QF_ABV 4487 16223 4410 19900 4127 22768 QF_AUFBV 31 93 245 30 1751 Symbolic Execution 94 1735 89 4364 71 2348 Total Solved 100% 99% 88%

Eager VS Lazy On average, the lazy approach is: 23% faster for uninterpreted functions 20% faster for arrays Bitvectors: work in progress

Conclusion Proof production increases confidence in SMT solvers An extension to DPLL(T) that supports proofs Extensible, modular and robust The lazy approach: prove only as needed

Next Steps Support additional theory solvers: arithmetic, strings Support quantified formulas Rewrites and preprocessing

Thank You! Questions