Satisfiability Modulo Theories (An introduction) Magnus Madsen

What are SMT solvers? How are they used in practice? Todays Talk What are SMT solvers? How are they used in practice?

Knowledge of prop. logic Motivation Find 𝒙 and 𝒚 s.t.: 𝑥≥3∧ 𝑥≤0∨𝑦≥0 𝑥≥3∧𝑥≤0 ∨ 𝑥≥3∧𝑦≥0 𝑥=3∧𝑦=0 Knowledge of prop. logic Knowledge of integers Knowledge of integers Solution

What is SMT? Satisfiability Modulo Theories +

What is a SMT instance? A logical formula built using negation, conjunction and disjuction e.g. 𝑎∧ 𝑏∨𝑐 e.g. 𝑎∨¬𝑏∨𝑐 ∧ ¬𝑏∨¬𝑥∨𝑦 ∧ 𝑏∨𝑏∨𝑥 theory specific operators e.g. 𝑥≤5, 𝑦≠𝑧 e.g. 𝑚⊕𝑛 ⊕𝑛=𝑚 e.g. 𝑓 𝑥 =𝑓(𝑦)∧𝑓(𝑓 𝑥 )≠𝑓(𝑓 𝑦 ) k-SAT theory of bitwise operators theory of integers theory of uninterpreted functions

Recall k-SAT The Boolean SATisfiability Problem: 𝑎∨¬𝑏∨𝑐 ∧ ¬𝑏∨¬𝑥∨𝑦 ∧ 𝑏∨𝑏∨𝑥 ∧… 2SAT is solveable in polynomial time 3SAT is NP-complete (solveable in exponential time) clause literal or negated literal

Q: Why not encode every formula in SAT? A: Theory solvers have very efficient algorithms Graph Problems: Shortest-Path Minimum Spanning Tree Optimization: Max-Flow Linear Programming (just to name a few)

Q: But then, Why not get rid of the SAT solver? A: SAT solvers are very good at case analysis

SAT Theory Formula 𝑥≥3∧ 𝑥≤0∨𝑦≥0 SMT Solver 𝑥≥3∧𝑥≤0 𝑎∧ 𝑏∨𝑐 𝑥≥3∧𝑦≥0 𝑎∧𝑏 YES 𝑎∧𝑐 NO NO YES 𝑥=3 𝑦=0 add clause: ¬ 𝑎∧𝑏

Important Properties Efficiency of both SAT and Theory solver! SAT Solver Incremental (supports adding new clauses) Theory Solver Ability to construct blocking clauses Ability to create so-called "theory lemmas"

Theories Theory of: Difference Arithemetic Linear Arithmetic Arrays Bit Vectors Algebraic Datatypes Uninterpreted Functions

SMT-LIB A modeling language for SMT instances A declarative language with Lisp-like syntax Defines common/shared terminology e.g. LRA = Closed linear formulas in linear real arithmetic e.g. QF_BC = Closed quantifier-free formulas over the theory of fixed-size bitvectors. http://www.smtlib.org/

Example 1 𝒙=𝟑∧𝒚=𝟎 Solution

Example 2

Applications Dynamic Symbolic Execution Program Verification Extended Static Checking Model Checking Termination Analysis See Also: Tapas: Theory Combinations and Practical Applications

Dynamic Symbolic Execution combines dynamic and symbolic execution step 1: execute the program recording the branches taken and their symbolic constraints step 2: negate one constraint step 3: solve the constraints to generate new input to the program (e.g. by using a SMT solver) step 4: if a solution exists then execute the program on the new input

Program Path ¬𝑐 1 Negate ¬𝑐 3 𝑐 2 ¬𝑐 3 Run SMT Solver 𝑐 4

New Program Path ¬𝑐 1 𝑐 2 𝑐 3 𝑐 5

Example: Greatest Common Divisor Original program SSA unfolding int gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; } int result = gcd(2, 4) int gcd(int x0, int y0) { while (true) { int m0 = x0 % y0; assert(m0 != 0) if (m0 == 0) return y0; x1 = y0; y1 = m0; int m1 = x1 % y1; assert(m1 == 0) if (m1 == 0) return y1; }

Collecting Constraints Collected constraints SSA unfolding int result = gcd(2, 4) (assert (= m0 (mod x0 y0))) (assert (not (= m0 0))) (assert (= x1 y0)) (assert (= y1 m0)) (assert (= m1 (mod x1 y1))) (assert (= m1 0)) int gcd(int x0, int y0) { while (true) { int m0 = x0 % y0; assert(m0 != 0) if (m0 == 0) return y0; x1 = y0; y1 = m0; int m1 = x1 % y1; assert(m1 == 1) if (m1 == 0) return y1; } (assert (not (= m1 0)))

Computing a new path Solution: x = 2 and y = 3 int gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; } Solution: x = 2 and y = 3 Iteration 1: x = 2 & y = 3 Iteration 2: x = 3 & y = 2 Iteration 3: x = 2 & y = 1

Program Verification Assertion Violation: low = 230, high = 230+1 int binary_search(int[] arr, int low, int height, int key) { assert(low > high || 0 <= < high); while (low <= high) { // Find middle value int mid = (low + high) / 2; assert(0 <= mid < high); int val = arr[mid]; // Refine range if (key == val) return mid; if (val > key) low = mid + 1; else high = mid – 1; } return -1; Assertion Violation: low = 230, high = 230+1

SMT Solvers Z3 MathSAT5 CVC4 Many more Microsoft Research University of Trento CVC4 New York University Many more

SMT-COMP A yearly competition between SMT solvers Z3

Research Directions in SMT Improving the efficiency of SAT/Theory solvers Improving the interplay between the SAT solver and the theory solver e.g. "online" solvers (partial truth assignment) Developing solvers for new theories Combining different theories

With Thanks to Evan Driscoll

References Satisfiability Modulo Theories: Introduction and Applications Leonardo De Moura & Nikolaj Bjørner Tapas: Theory Combinations and Practical Applications Z3 Tutorial Guide http://rise4fun.com/z3/tutorial/guide

Summary Satisfiability Modulo Theory (SMT): constraint systems involving SAT + Theory SMT solvers combine the best of: SAT solvers and theory solvers SMTs have applications in program analysis

More Work To Be Done?