Satisfiability Modulo Theories Sinan Hanay

Boolean Satisfiability (SAT) Is there an assignment to the p1, p2, …, pn variables such that  evaluates to 1? Slide taken from [Barret09] Taken from [Barret09]

Satisfiability Modulo Theories (SMT) Is there an assignment to the x,y,z,w variables s.t.  evaluates to 1? Slide taken from [Barret09]

SAT vs SMT SMT extends SAT solving by adding extensions An SMT solver can solve a SAT problem, but not vice-versa. SMT Applications Analog Circuit Verification RTL Verification Software Model Checking

Overview Introduction SMT Theories Example: Difference Logic Combining Theories SMT Solvers and SMT Libraries. Conclusion

SMT Theories Real or Integer Arithmetic Equality and Uninterpreted Functions Example: If x1 = x2, then f(x1) = f(x2) else f(x1) ≠ f(x2) Bitvectors and Arrays Properties: Decidable: An effective procedure exists to check if a formula is a member of a theory T. Often Quantifier-free: Free from quantifiers such as (∃, ∀ )

SMT Theories Core Theory Type: Boolean Constants: {TRUE, FALSE} Functions: {AND, OR, XOR} Functions: Implication (=>) Integer Theory (Ints) Type: Int All numerals are Int constants Functions: { + , - , x, mod, div, abs}

SMT Theories Reals Theory Type: Real Functions: { +, -, x, / } Arrays with Extentionality Theory (ArraysEx) Type: type of index and type of values Functions: {select, store}

Overview Introduction SMT Theories Case Study: Difference Logic Theory SMT Solvers SMT-LIB Conclusion

SMT Example I– Difference Logic Can solve problems such as: Is there a solution {x,y} satisfying x-y < 20 and x -y > 4 x,y can be integers or reals If x,y are integers (QF_IDL: Integer Difference Logic) If x,y are reals (QF_RDL : Real Difference Logic) QF: Quantifier-free

SMT Theories– Difference Logic In difference logic [NO05], we are interested in the satisfiability of a conjunction of arithmetic atoms. Each atom is of the form x − y OP c, where x and y are variables, c is a numeric constant, and OP ∈ {=,<,≤,>,≥}. Examples: x-y > 10, y-x < 12 The variables can range over either the integers (QF_IDL) or the reals (QF_RDL). Slide taken from [Barret09]

Difference Logic The first step is to rewrite everything in terms of ≤: x − y = c ⇒ x − y ≤ c ∧ x − y ≥ c x − y ≥ c ⇒ y − x ≤ −c x − y > c ⇒ y − x < −c x − y < c ⇒ x − y ≤ c − 1 (integers) x − y < c ⇒ x − y ≤ c − δ (reals) Slide adopted from [Barret09]

Difference Logic Now we have a conjunction of literals, all of the form x − y ≤ c. From these literals, we form a weighted directed graph with a vertex for each variable. For each literal x − y ≤ c, create an edge The set of literals is satisfiable iff there is no cycle for which the sum of the weights on the edges is negative. There are a number of efficient algorithms for detecting negative cycles in graphs [CG96]. x c y Slide adopted from [Barret09]

Difference Logic x−y = 5 ∧ z −y ≥ 2 ∧ z −x > 2 ∧ w −x = 2 ∧ z −w < 0 x− y = 5 z − y ≥ 2 z − x > 2 w − x = 2 z − w < 0 x − y ≤ 5 ∧ y − x ≤ −5 y − z ≤ −2 x − z ≤ −3 w − x ≤ 2 ∧ x − w ≤ −2 z − w ≤ −1 Transform to a-b ≤ c Slide adopted from [Barret09]

Difference Logic Is there a negative cycle? Satisfiable if there is not any. Slide taken from [Barret09]

Combining Theories QF_UFLIA How to Combine Theory Solvers? 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) Linear Integer Arithmetic (LIA) Uninterpreted Functions(UF)

Combining Theory Solvers Theory solvers become much more useful if they can be used together. mux_sel = 0 → mux_out = select(regfile, addr) mux_sel = 1 → mux_out = ALU(alu0, alu1) For such formulas, we are interested in satisfiability with respect to a combination of theories. Fortunately, there exist methods for combining theory solvers. The standard technique for this is the Nelson-Oppen method [NO79, TH96]. Slide taken from [Barret09]

The Nelson-Oppen Method Suppose that T1 and T2 are theories and that Sat 1 is a theory solver for T1-satisfiability and Sat 2 for T2-satisfiability. We wish to determine if φ is T1∪T2-satisfiable. Convert φ to its separate form φ1 ∧ φ2. Let S be the set of variables shared between φ1 and φ2. For each arrangement D of S: Run Sat 1 on φ1 ∪ D . Run Sat 2 on φ2 ∪ D. Slide taken from [Barret09]

Combining Theories QF_UFLIA φ =1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) We first convert φ to a separate form: φUF = f(x) ≠ f(y) ∧ f(x) ≠ f(z) φLIA = 1 ≤ x ∧ x ≤ 2 ∧ y = 1 ∧ z = 2 Slide taken from [Barret09]

Combining Theories φUF = f(x) ≠ f(y) ∧ f(x) ≠ f(z) φLIA = 1 ≤ x ∧ x ≤ 2 ∧ y = 1 ∧ z = 2 {x, y, z} can have 5 possible arrangements based on equivalence classes of x, y, and z Assume All Variables Equal: {x = y, x = z, y = z} inconsistent with φUF Assume Two Variables Equal, One Different {x = y, x ≠ z, y ≠ z} inconsistent with φUF {x ≠ y, x = z, y ≠ z} inconsistent with φUF {x ≠ y, x ≠ z, y = z} inconsistent with φLIA Assume All Variables Different: {x ≠ y, x ≠ z, y ≠ z} inconsistent with φLIA Φ IS UNSAT Slide adopted from [Barret09]

Overview Introduction SMT Theories Case Study: Difference Logic Theory SMT Solvers and Libraries Summary

SMT-LIB SMT Library Provides standard rigorous descriptions of background theories Common input and output languages for SMT solvers Provides a library of benchmarks Ref: The SMT-LIB Standard

SMT Solvers Proprietary Open Source Z3, Yices, Barcelogic, MathSAT Open Source Open-SMT, CVC3, Boolector Some SMT-LIB Compatibility Solvers (Even partially) CVC3, Open-SMT, MathSAT5, Sonolar

SMT-LIB Example Check if (p AND p’) is satisfiable? UNINTERPRETED FUNCTIONS UNSATISFIABLE Ref: SMT-LIB Tutorial by David R. Cok and GrammaTech Inc.

SMT-LIB Example Is there a solution to x+2y = 20 and x-y = 2 x=8, y= 6 LINEAR INTEGER ARITHMETIC x=8, y= 6 SATISFIABLE

SUMMARY SMT problems include a wider range of problems than SAT. SMT-LIB initiative to bring standards to solvers. SMT Applications Include: Analog, Mixed-Signal Circuit Checker [Walter07] Software Testing RTL Verification Nelson-Oppen Method for Combining Theory Solvers

Trivia SMT Competition (SMT-COMP) SMT Solvers Competition Since 2005 2010 Winners: CVC3, OpenSMT, MathSAT 5, test_pmathsat, MiniSmt, simplifyingSTP. First International SAT/SMT Solver Summer School 2011 June 12- 17 at MIT. Free for students.

References [Barret09] Clark Barrett, Sanjit A. Seshia, ICCAD Tutorial 2009 [NO79] Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Trans. on Programming Languages and Systems, 1(2):245–257, October 1979 [Walter07] David Walter, Scott Little, Chris Meyers, “Bounded model checking of analog and mixed-signal circuits using an SMT solver”, Proceeding ATVA'07.

Questions Thank you.

Equivalence Checking of Programs int fun1(int y) { int x, z; z = y; y = x; x = z; return x*x; } SMT formula  Satisfiable iff programs non-equivalent ( z = y ∧ y1 = x ∧ x1 = z ∧ ret1 = x1*x1) ∧ ( ret2 = y*y ) ( ret1  ret2 ) Using SAT to check equivalence (w/ Minisat) 32 bits for y: Did not finish in over 5 hours 16 bits for y: 37 sec. 8 bits for y: 0.5 sec. SMT: Using EUF solver: 0.01 sec What if we use SAT to check equivalence? int fun2(int y) { return y*y; } Slide adopted from [Barret09]