
Lazy Proofs for DPLL(T)-Based SMT Solvers


1 Lazy Proofs for DPLL(T)-Based SMT Solvers
Guy Katz. Schloss Dagstuhl, October 2016

2 Acknowledgements
Based on joint work with Clark Barrett, Cesare Tinelli, Andrew Reynolds and Liana Hadarean (FMCAD'16).
Stanford University, The University of Iowa, Synopsys

3 Producing Checkable Artifacts
SMT solvers are used in verification and analysis tools, including tools that verify safety-critical systems.
Their reliability can be increased by producing a checkable artifact alongside each result.
Input query: x·2 > 6, x < 5
SMT solver result: SAT
Check: substitute the model x = 4 back into the query; both constraints hold (8 > 6 and 4 < 5).

4 The UNSAT Case
No satisfying model exists, so there is nothing to substitute back.
Input query: x·2 > 11, x < 5
SMT solver result: UNSAT
Check: ? What is needed is a proof certificate, a refutation of x·2 > 11 ∧ x < 5 that an independent checker can verify.

5 SMT Proofs: Use Cases
Increase confidence in verification tools
Interpolant generation
Skeptical proof assistants (Coq, Isabelle/HOL): discharge goals using an SMT solver, then reconstruct an internal proof from the certificate

6 Agenda
Background: SAT Solvers and Proofs
SMT Solvers and Proofs
Theory-Specific Proofs
Lazy Proof Production
Experimental Results

7 Agenda (next section: Background: SAT Solvers and Proofs)

8 Boolean Resolution
The Boolean Resolution rule:
  p1 ∨ p2 ∨ … ∨ pn ∨ c        ~c ∨ q1 ∨ q2 ∨ … ∨ qm
  ----------------------------------------------------
            p1 ∨ … ∨ pn ∨ q1 ∨ … ∨ qm
A proof of unsatisfiability: start with the input clauses, apply resolution, derive the empty clause.
This is always possible for UNSAT formulas (resolution is refutation-complete for propositional logic).
Heule & Biere. Proofs for Satisfiability Problems. APPA, 2015

9 The DPLL Architecture
An abstract algorithm for solving SAT:
Incrementally assign variables to true/false: decide assignments, deduce (propagate) assignments
If the formula is satisfied, done
If a conflict is found, backjump: undo previous decisions and try something else
Davis & Putnam. A Computing Procedure for Quantification Theory. JACM, 1960
Davis, Logemann & Loveland. A Machine Program for Theorem Proving. CACM, 1962

10 DPLL: Example
Input clauses (CNF): 1∨~2, ~1∨~2, 2∨3, ~3∨2
Decided literals carry a superscript d; the columns are the partial assignment, the current clause set, the conflict clause being analysed, and the rule applied.
Partial assignment | Formula | Conflict | Rule being applied
(empty) | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | | Decide 1
1^d | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | | Propagate (~1∨~2): 1 is true, so 2 must be false
1^d, ~2 | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | | Propagate (2∨3)
1^d, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | | Conflict (~3∨2): this clause is not satisfied by the assignment
1^d, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | ~3∨2 | Explain (2∨3): resolve ~3∨2 with 2∨3 on 3, giving 2
1^d, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | 2 | Explain (~1∨~2): resolve 2 with ~1∨~2 on 2, giving ~1
1^d, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2 | ~1 | Learn (~1)
1^d, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | ~1 | Backjump
~1 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | | Propagate (1∨~2)

11 DPLL: Example (cnt'd)
Partial assignment | Formula | Conflict | Rule being applied
~1 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | | Propagate (1∨~2)
~1, ~2 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | | Propagate (2∨3)
~1, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | | Conflict (~3∨2)
~1, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | ~3∨2 | Explain (2∨3): resolve ~3∨2 with 2∨3 on 3, giving 2
~1, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | 2 | Explain (1∨~2): resolve 2 with 1∨~2 on 2, giving 1
~1, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | 1 | Explain (~1): resolve 1 with the learned clause ~1, giving the empty clause
~1, ~2, 3 | 1∨~2, ~1∨~2, 2∨3, ~3∨2, ~1 | | Fail

12 Constructing a Proof
Input clauses: 1∨~2, ~1∨~2, 2∨3, ~3∨2
Every Explain step is a resolution step, so the Explain/Learn/Fail trace of the search is already a resolution refutation:
First conflict (ends in Learn (~1)):
  ~3∨2, 2∨3 ⊢ 2 (resolve on 3)
  2, ~1∨~2 ⊢ ~1 (resolve on 2)
Second conflict (ends in Fail):
  ~3∨2, 2∨3 ⊢ 2 (resolve on 3)
  2, 1∨~2 ⊢ 1 (resolve on 2)
  1, ~1 ⊢ ⊥ (resolve on 1)
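The skeptical client of slides 3, 4 and 8, as an added example that is not code from the talk or from CVC4: it re-checks a SAT answer by evaluating the model and an UNSAT answer by replaying the resolution refutation of slide 12, trusting nothing from the solver except the input clauses. The clause encoding (signed integers, -2 meaning ~2) and the proof encoding (two clause indices and the pivot variable per step) are my own assumptions; the CNF is the one from the DPLL example slides.

```python
"""Checking the two kinds of certificate a SAT/SMT solver can hand back.

Added example, not code from the talk or from CVC4: a skeptical client
re-checks a SAT answer by evaluating the model and an UNSAT answer by
replaying a Boolean resolution refutation.  The clause encoding (signed ints,
-2 meaning ~2) and the proof encoding (two clause indices plus the pivot
variable) are my own assumptions.
"""

# Constructed input: the CNF of the DPLL example, 1∨~2, ~1∨~2, 2∨3, ~3∨2.
INPUT_CLAUSES = [
    frozenset({1, -2}),   # index 0
    frozenset({-1, -2}),  # index 1
    frozenset({2, 3}),    # index 2
    frozenset({-3, 2}),   # index 3
]

# The refutation of slide 12 as a solver might emit it: each step names two
# clauses already in the list (by index) and the pivot variable; the
# resolvent is appended and becomes the next index.
RESOLUTION_PROOF = [
    (3, 2, 3),  # ~3∨2 , 2∨3   on 3 -> 2      (index 4)
    (4, 1, 2),  # 2    , ~1∨~2 on 2 -> ~1     (index 5, the learned clause)
    (3, 2, 3),  # ~3∨2 , 2∨3   on 3 -> 2      (index 6)
    (6, 0, 2),  # 2    , 1∨~2  on 2 -> 1      (index 7)
    (7, 5, 1),  # 1    , ~1    on 1 -> empty  (index 8)
]


def check_model(clauses, model):
    """True iff every clause contains a literal that `model` makes true.

    `model` maps variable -> bool.  An unassigned variable satisfies nothing,
    so a partial model that leaves a clause open is rejected rather than
    quietly accepted.
    """
    def lit_true(lit):
        val = model.get(abs(lit))
        return val is not None and val == (lit > 0)
    return all(any(lit_true(lit) for lit in clause) for clause in clauses)


def resolve(c1, c2, pivot):
    """Boolean resolution on variable `pivot`; raises if the rule does not apply.

    (p1∨…∨pn∨c) and (~c∨q1∨…∨qm) yield (p1∨…∨pn∨q1∨…∨qm).  Insisting that the
    pivot occurs with opposite polarity in the two premises is exactly what
    keeps a bogus certificate from deriving clauses that do not follow.
    """
    if pivot in c1 and -pivot in c2:
        pos, neg = c1, c2
    elif pivot in c2 and -pivot in c1:
        pos, neg = c2, c1
    else:
        raise ValueError(f"pivot {pivot} must be positive in one premise and negative in the other")
    return frozenset((pos - {pivot}) | (neg - {-pivot}))


def check_refutation(clauses, proof):
    """Replay `proof` from `clauses`; True iff it derives the empty clause.

    Nothing from the solver is trusted except the input clauses: every derived
    clause is recomputed here, so a wrong, reordered or truncated proof fails.
    """
    derived = list(clauses)
    try:
        for i, j, pivot in proof:
            derived.append(resolve(derived[i], derived[j], pivot))
    except (ValueError, IndexError):
        return False
    return len(derived[-1]) == 0


if __name__ == "__main__":
    print(check_model(INPUT_CLAUSES, {1: True, 2: False, 3: True}))  # False: ~3∨2 is violated
    print(check_refutation(INPUT_CLAUSES, RESOLUTION_PROOF))         # True
    print(check_refutation(INPUT_CLAUSES, RESOLUTION_PROOF[:-1]))    # False: last clause is 1, not empty
```

The checker is deliberately dumber than the solver: it knows one inference rule and never searches, which is what makes it small enough to trust. A production format such as LFSC (slide 39) works the same way at a larger scale, with theory rules added to the rule set.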

13 Agenda (next section: SMT Solvers and Proofs)

14 Satisfiability Modulo Theories
Input: a first-order logic formula. In general this is undecidable, so the focus is on decidable fragments: uninterpreted functions, arithmetic, bitvectors, arrays.
Example: g(a)=c ∧ (f(g(a))≠f(c) ∨ g(a)=d) ∧ (c≠d)
Is there a model that satisfies the formula?

15 The DPLL(T) Architecture
A SAT solver at the core, with theory solvers attached to it: arithmetic, uninterpreted functions, sets, bitvectors, arrays.
Nieuwenhuis, Oliveras & Tinelli. Solving SAT and SAT Modulo Theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). JACM, 2006

16 Adding the Theory Solvers
DPLL(T): DPLL + a background theory T; T can represent multiple theories
Theory atoms are mapped to Boolean atoms
The SAT solver constructs a (partial) assignment; the theory solver checks whether it is T-consistent
Theory solvers can report conflicts (T-conflict), propagate literals (T-propagate) and learn new clauses (T-learn), each justified by a theory lemma

17 Example: Uninterpreted Functions
Input: g(a)=c, f(g(a))≠f(c) ∨ g(a)=d, c≠d
Boolean atoms: 1: g(a)=c, 2: f(g(a))=f(c), 3: g(a)=d, 4: c=d, so the input clauses are 1, ~2∨3, ~4
Partial assignment | Formula | Conflict | Rule being applied
(empty) | 1, ~2∨3, ~4 | | Propagate (1), (~4)
1, ~4 | 1, ~2∨3, ~4 | | Decide ~2
1, ~4, ~2^d | 1, ~2∨3, ~4 | | T-Conflict (~1∨2): 1 is true (g(a)=c), so by congruence f(g(a))=f(c), which contradicts ~2
1, ~4, ~2^d | 1, ~2∨3, ~4 | ~1∨2 | Explain (1): resolve on 1, giving 2
1, ~4, ~2^d | 1, ~2∨3, ~4 | 2 | Learn (2)
1, ~4, ~2^d | 1, ~2∨3, ~4, 2 | 2 | Backjump
1, ~4, 2 | 1, ~2∨3, ~4, 2 | | Propagate (~2∨3)
1, ~4, 2, 3 | 1, ~2∨3, ~4, 2 | | T-Conflict (~1∨~3∨4): 1 is true (g(a)=c), 3 is true (g(a)=d), 4 is false (c≠d)
1, ~4, 2, 3 | 1, ~2∨3, ~4, 2 | ~1∨~3∨4 | Explain (~2∨3), (1), (~4), (2), then Fail

18 Example: Uninterpreted Functions (cnt'd)
Input: g(a)=c, f(g(a))≠f(c) ∨ g(a)=d, c≠d, with atoms 1: g(a)=c, 2: f(g(a))=f(c), 3: g(a)=d, 4: c=d
The two theory conflicts, ~1∨2 and ~1∨~3∨4, are leaves justified by theory proofs; every other step is Boolean resolution:
  ~1∨~3∨4 (theory proof), ~2∨3 ⊢ ~1∨~2∨4 (resolve on 3)
  ~1∨~2∨4, 1 ⊢ ~2∨4 (resolve on 1)
  ~2∨4, ~4 ⊢ ~2 (resolve on 4)
  ~1∨2 (theory proof), 1 ⊢ 2 (resolve on 1)
  ~2, 2 ⊢ ⊥ (resolve on 2)

19 Proofs with Theory Lemmas
Construct the refutation tree as before; leaves may now be theory lemmas
The T-solver needs to support a produceProof() method, and the sub-proof it returns justifies the lemma
Each theory lemma is owned by a specific T-solver
Complex lemmas may have multiple steps: invoke produceProof() for each step and combine the results with Boolean resolution

20 Example: A Complex Lemma
Atoms: 1: g(x, f(x), z[f(x):=x][f(y)]) = g(y, f(y), y); 2: x=y; 3: f(x)=f(y); 4: z[f(x):=x][f(y)] = y
Partial assignment: ~1, 2
T-Propagation from uninterpreted functions: 3 (cause: 2)
T-Propagation from arrays: 4 (cause: 2∧3)
T-Conflict from uninterpreted functions: 1∨~2∨~3∨~4
The resulting learned clause: 1∨~2

21 Example: A Complex Lemma (cnt'd)
Goal: prove 1∨~2
Uninterpreted-functions conflict: 1∨~2∨~3∨~4 (uninterpreted functions proof)
Array propagation: 2∧3 ⇒ 4, i.e. ~2∨~3∨4 (array proof)
Uninterpreted-functions propagation: 2 ⇒ 3, i.e. ~2∨3 (uninterpreted functions proof)
Combined by resolution:
  1∨~2∨~3∨~4, ~2∨~3∨4 ⊢ 1∨~2∨~3 (resolve on 4)
  1∨~2∨~3, ~2∨3 ⊢ 1∨~2 (resolve on 3)

22 Agenda (next section: Theory-Specific Proofs)

23 Theory-Specific Proofs
For SAT proofs, Boolean resolution is enough
For background theories, additional proof rules are needed
The proof rules correspond to the theory solver's decision procedure

24 Uninterpreted Functions
Axioms:
  Reflexivity: x=x
  Symmetry: (x=y) ⇒ (y=x)
  Transitivity: (x=y) ∧ (y=z) ⇒ (x=z)
  Congruence: (x=y) ⇒ (f(x)=f(y))
Decision procedure: congruence closure. Construct equivalence classes of terms; whenever two terms are found equal, merge their classes.
Proof rules: symmetry, transitivity and congruence
Fontaine, Marion, Merz, Nieto & Tiu. Expressiveness + Automation + Soundness: Towards Combining SMT Solvers and Interactive Proof Assistants. TACAS, 2006

25 Uninterpreted Functions (cnt'd)
Example: (x=y) ∧ (z=f(y)) ∧ (f(x)≠z)
  Congruence on x=y: f(x)=f(y)
  Symmetry on z=f(y): f(y)=z
  Transitivity: f(x)=z
  Contradiction with f(x)≠z

26 Arrays with Extensionality
Axioms:
  Read-over-Write 1: i≠j ⇒ a[i:=x][j] = a[j]
  Read-over-Write 2: a[i:=x][i] = x
  Extensionality: a≠b ⇒ ∃k. a[k]≠b[k]
NP-complete
Decision procedure: similar to congruence closure

27 Arrays (cnt'd)
Example: (i≠j) ∧ (a[j:=y][i]=x) ∧ (a[i]≠x)
  Read-over-Write 1 on i≠j: a[j:=y][i] = a[i]
  With a[j:=y][i]=x (symmetry and transitivity): a[i]=x
  Contradiction with a[i]≠x

28 Fixed-Width Bitvectors
Axioms for bit-wise operations (and, not, xor), bitvector arithmetic (+, -, *, /), concatenation and shifts
NP-complete
Decision procedure: bit-blasting, with some word-level reasoning

29 Fixed-Width Bitvectors (cnt'd)
Example lemma: (b1≠b2) ∨ (b2≠10) ∨ (b1≠00). To prove it, refute its negation b1=b2, b2=10, b1=00 (bit index 1 is the high bit):
  BB (bit-blast) b1=b2: b1[1]=b2[1]
  BB b2=10: b2[1]=1
  BB b1=00: b1[1]=0
  Transitivity: b1[1]=1
  Contradiction with b1[1]=0
Hadarean, Barrett, Reynolds, Tinelli & Deters. Fine-grained SMT Proofs for the Theory of Fixed-width Bitvectors. LPAR, 2015

30 Agenda (next section: Lazy Proof Production)

31 The Eager Approach
When should we prove theory lemmas?
Eagerly: when the lemma is generated. At that point it is easy to produce a proof.
But many lemmas are generated during search, and not all of them are needed!

32 The Lazy Approach
No proof production during search.
Produce proofs on demand, when a theory lemma is encountered in the refutation tree.
Fewer theory proofs are generated, but some theory reasoning has to be redone.

33 So, Eager or Lazy?
Eager: more lemmas, less work for each lemma
Lazy: fewer lemmas, each lemma more expensive
The answer can differ between theory solvers!
Evaluation: for uninterpreted functions, lazy; for arrays, lazy

34 Lazily Proving Lemmas
Theory lemmas:
  T-Propagation: p1 ∧ p2 ⇒_T p3, recorded as ⇒_T ~p1 ∨ ~p2 ∨ p3
  T-Conflict: p1 ∧ p2 ⇒_T ⊥, recorded as ⇒_T ~p1 ∨ ~p2
  T-Learn: ⇒_T p1 ∨ p2
Lemmas are disjunctions: ⇒_T l1 ∨ l2 ∨ … ∨ ln
To prove a previous lemma: create a fresh theory solver; assert ~l1, ~l2, …, ~ln; when ⊥ is derived, call produceProof()
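The uninterpreted-functions proof of slide 25 and the lazy lemma procedure of slide 34, together in one added example that is not the talk's or CVC4's code. A small congruence-closure solver saturates its assertions under symmetry, transitivity and congruence while recording a proof tree for every derived equality; a separate checker re-validates that tree rule by rule and also confirms that its leaves are exactly literals that were asserted. `prove_lemma_lazily` then does what slide 34 describes: a fresh solver, the negated lemma literals, and `produce_proof()` once ⊥ is reached. Term and proof encodings, the rule names and the `(positive, s, t)` literal form are my own assumptions; the lemma used as input is the T-conflict ~1∨2 from the uninterpreted-functions example slide.

```python
"""Proof-producing congruence closure for uninterpreted functions, and the lazy
way of proving a theory lemma after the search.  Added example, not the talk's
or CVC4's code.  Terms: str = constant, tuple = (symbol, arg, ...).  Proofs are
nested tuples headed by a rule name; the rule names, the (positive, s, t) literal
encoding and the produce_proof method are my own assumptions."""

def subterms(t):
    out = {t}                       # congruence must see every application
    if isinstance(t, tuple):
        for a in t[1:]:
            out |= subterms(a)
    return out

class UFSolver:
    """Saturates asserted equalities under symmetry, transitivity and congruence."""
    def __init__(self):
        self.eqs, self.diseqs, self.terms = {}, [], set()

    def assert_lit(self, positive, s, t):
        self.terms |= subterms(s) | subterms(t)
        if positive:
            self.eqs[(s, t)] = ('assume', s, t)
        else:
            self.diseqs.append((s, t))

    def _proof_of(self, s, t):
        return ('refl', s) if s == t else self.eqs.get((s, t))

    def _add(self, s, t, proof):
        if s == t or (s, t) in self.eqs:
            return False
        self.eqs[(s, t)] = proof      # first proof found for a pair is kept
        return True

    def _saturate(self):
        # Fixpoint: finitely many term pairs, and each pair is proved at most once.
        changed = True
        while changed:
            changed = False
            for (s, t), p in list(self.eqs.items()):
                changed |= self._add(t, s, ('symm', p))
                for (u, v), q in list(self.eqs.items()):
                    if t == u:
                        changed |= self._add(s, v, ('trans', p, q))
            apps = [a for a in self.terms if isinstance(a, tuple)]
            for f in apps:
                for g in apps:
                    if f[0] == g[0] and len(f) == len(g):
                        args = [self._proof_of(a, b) for a, b in zip(f[1:], g[1:])]
                        if all(args):
                            changed |= self._add(f, g, ('cong', f[0], tuple(args)))

    def produce_proof(self):
        """Proof of ⊥ from the asserted literals, or None if they are T-consistent."""
        self._saturate()
        for s, t in self.diseqs:
            p = self._proof_of(s, t)
            if p is not None:
                return ('contra', ('assume_neq', s, t), p)
        return None

def check(proof):
    """Independent checker: the equation a proof tree establishes, else ValueError."""
    rule = proof[0]
    if rule in ('refl', 'assume'):
        return (proof[1], proof[-1])
    if rule == 'symm':
        s, t = check(proof[1])
        return (t, s)
    if rule == 'trans':
        (s, t), (u, v) = check(proof[1]), check(proof[2])
        if t != u:
            raise ValueError("transitivity: middle terms differ")
        return (s, v)
    if rule == 'cong':
        pairs = [check(p) for p in proof[2]]
        return ((proof[1],) + tuple(a for a, _ in pairs), (proof[1],) + tuple(b for _, b in pairs))
    raise ValueError("unknown rule " + str(rule))

def leaves(proof):
    """Asserted literals the proof rests on, as (positive, s, t)."""
    if proof[0] in ('assume', 'assume_neq'):
        return {(proof[0] == 'assume', proof[1], proof[2])}
    subs = () if proof[0] == 'refl' else proof[2] if proof[0] == 'cong' else proof[1:]
    return set().union(*(leaves(p) for p in subs))

def check_conflict(proof, asserted):
    """True iff every rule is applied correctly and no leaf lies outside `asserted`."""
    try:
        return (proof[0] == 'contra' and proof[1][0] == 'assume_neq'
                and check(proof[2]) == (proof[1][1], proof[1][2])
                and leaves(proof) <= set(asserted))
    except (ValueError, IndexError, TypeError):
        return False

def prove_lemma_lazily(lemma):
    """Slide 34: assert ~l1, ..., ~ln in a fresh solver and take its proof of ⊥."""
    negated = [(not pos, s, t) for pos, s, t in lemma]
    solver = UFSolver()
    for lit in negated:
        solver.assert_lit(*lit)
    return solver.produce_proof(), negated   # proof is None if the lemma is not T-valid

# Constructed input: the T-conflict lemma ~1 ∨ 2 of the UF example slide,
# i.e. g(a) != c ∨ f(g(a)) = f(c), with atoms 1: g(a) = c and 2: f(g(a)) = f(c).
G_A = ('g', 'a')
LEMMA = [(False, G_A, 'c'), (True, ('f', G_A), ('f', 'c'))]
```

Running `prove_lemma_lazily(LEMMA)` yields a one-step congruence proof from the single assumption g(a)=c, and `check_conflict` accepts it. The leaf check matters for the lazy setting: the fresh solver knows nothing but the negated lemma, so a proof that silently used anything else would be unsound to splice into the Boolean refutation tree. Re-running the solver on the slide 25 example (x=y, z=f(y), f(x)≠z) reproduces that slide's derivation: congruence, then symmetry, then transitivity.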

35 Storing "Hints"
Sometimes a fresh solver isn't enough.
Array theory, extensionality: a≠b ⇒ ∃k. a[k]≠b[k]. The proof needs to remember the specific witness k that was chosen during search.
So allow bookkeeping during search.

36 Handling Rewrites
The array solver generates a lemma ℓ1: b+1≠1 ⇒ a[b+1:=x][1] = a[1]
The bitvector solver rewrites it to ℓ2: b≠0 ⇒ a[b+1:=x][1] = a[1]
Later, the array solver is asked to prove ℓ2. Error! ℓ1 is T_AX-valid, but ℓ2 is not: the step from b≠0 to b+1≠1 is bitvector reasoning the array solver cannot justify.

37 Handling Rewrites (cnt'd)
Solution: track rewrites. Remember a recipe for proving ℓ2: prove ℓ1, then prove the rewrite (b+1≠1) → (b≠0).
Rewrites are themselves proved lazily, with lemmas.

38 Agenda (next section: Experimental Results)

39 Implementation
Implemented this technique in CVC4, a state-of-the-art SMT solver, available online.
Currently supported theories: uninterpreted functions, arrays with extensionality, fixed-width bitvectors, and combinations thereof
Proofs are generated in the LFSC format

40 Generate and Check Proof
Evaluation on SMT-LIB. Relevant families tested: QF_UF, QF_AX, QF_BV, QF_UFBV, QF_ABV, QF_AUFBV, plus a symbolic-execution family.
Each cell is solved / time, for three configurations: Default, Generate Proof, and Generate and Check Proof (a "?" marks a value missing from the slide text; time units are as on the slide).
Benchmark category | Default | Generate Proof | Generate and Check Proof
QF_UF | 4083 / 7523 | 4067 / 19097 | 4029 / 61650
QF_AX | 277 / 450 | 264 / 3170 | 260 / 3193
QF_BV | 20517 / 49884 | 20430 / 67072 | 17602 / 132975
QF_UFBV | 12 / 1391 | ? / 2623 | 4 / 170
QF_ABV | 4487 / 16223 | 4410 / 19900 | 4127 / 22768
QF_AUFBV | 31 / 93 | ? / 245 | 30 / 1751
Symbolic Execution | 94 / 1735 | 89 / 4364 | 71 / 2348
Total solved | 100% | 99% | 88%

41 Eager vs Lazy
On average, the lazy approach is 23% faster for uninterpreted functions and 20% faster for arrays.
Bitvectors: work in progress

42 Conclusion
Proof production increases confidence in SMT solvers
An extension to DPLL(T) that supports proofs: extensible, modular and robust
The lazy approach: prove only as needed

43 Next Steps
Support additional theory solvers: arithmetic, strings
Support quantified formulas
Rewrites and preprocessing

44 Thank You! Questions

