Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Published byCandice Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "Leonardo de Moura and Nikolaj Bjørner Microsoft Research."— Presentation transcript:

1 Leonardo de Moura and Nikolaj Bjørner Microsoft Research

2 Verification/Analysis tools need some form of Symbolic Reasoning

3 Logic is “The Calculus of Computer Science” (Z. Manna). High computational complexity

4 Test case generationVerifying CompilersPredicate Abstraction Invariant Generation Type Checking Model Based Testing

5 VCC Hyper-V Terminator T-2 NModel HAVOC F7 SAGE Vigilante SpecExplorer

6 unsigned GCD(x, y) { requires(y > 0); while (true) { unsigned m = x % y; if (m == 0) return y; x = y; y = m; } We want a trace where the loop is executed twice. (y 0 > 0) and (m 0 = x 0 % y 0 ) and not (m 0 = 0) and (x 1 = y 0 ) and (y 1 = m 0 ) and (m 1 = x 1 % y 1 ) and (m 1 = 0) SolverSolver x 0 = 2 y 0 = 4 m 0 = 2 x 1 = 4 y 1 = 2 m 1 = 0 SSASSA

7 Signature: div : int, { x : int | x  0 }  int Subtype Call site: if a  1 and a  b then return div(a, b) Verification condition a  1 and a  b implies b  0

8 Logic is the art and science of effective reasoning. How can we draw general and reliable conclusions from a collection of facts? Formal logic: Precise, syntactic characterizations of well-formed expressions and valid deductions. Formal logic makes it possible to calculate consequences at the symbolic level. Computers can be used to automate such symbolic calculations.

9 Logic studies the relationship between language, meaning, and (proof) method. A logic consists of a language in which (well-formed) sentences are expressed. A semantic that distinguishes the valid sentences from the refutable ones. A proof system for constructing arguments justifying valid sentences. Examples of logics include propositional logic, equational logic, first-order logic, higher-order logic, and modal logics.

10 A language consists of logical symbols whose interpretations are fixed, and non-logical ones whose interpretations vary. These symbols are combined together to form well- formed formulas. In propositional logic PL, the connectives , , and  have a fixed interpretation, whereas the constants p, q, r may be interpreted at will.

11 Formulas:  := p |  1  2 |  1  2 |  1 |  1   2 Examples: p  q  q  p p   q  (  p  q) We say p and q are propositional variables.

12 An interpretation M assigns values {true, false} to propositional variables. Let F and G range over PL formulas.

13 A formula is satisfiable if it has an interpretation that makes it logically true. In this case, we say the interpretation is a model. A formula is unsatisfiable if it does not have any model. A formula is valid if it is logically true in any interpretation. A propositional formula is valid if and only if its negation is unsatisfiable.

14 p  q  q  p p  q  q p   q  (  p  q)

15 p  q  q  p VALID p  q  q SATISFIABLE p   q  (  p  q) UNSATISFIABLE

16 We say two formulas F and G are equivalent if and only if they evaluate to the same value (true or false) in every interpretation

17 We say formulas A and B are equisatisfiable if and only if A is satisfiable if and only if B is. During this tutorial, we will describe transformations that preserve equivalence and equisatisfiability.

18

19 NNF? (p   q)  (q   (r   p))

20 NNF? NO (p   q)  (q   (r   p))

21 NNF? NO (p   q)  (q   (r   p))

22 NNF? NO (p   q)  (q   (r   p))  (p   q)  (q  (  r   p))

23 NNF? NO (p   q)  (q   (r   p))  (p   q)  (q  (  r   p))  (p   q)  (q  (  r  p))

24 CNF? ((p  s)  (  q  r))  (q   p  s)  (  r  s)

25 CNF? NO ((p  s)  (  q  r))  (q   p  s)  (  r  s)

26 CNF? NO ((p  s)  (  q  r))  (q   p  s)  (  r  s) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C)

27 CNF? NO ((p  s)  (  q  r))  (q   p  s)  (  r  s)  ((p  s)   q))  ((p  s)  r))  (q   p  s)  (  r  s) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C)

28 CNF? NO ((p  s)  (  q  r))  (q   p  s)  (  r  s)  ((p  s)   q))  ((p  s)  r))  (q   p  s)  (  r  s)  (p   q)  (s   q)  ((p  s)  r))  (q   p  s)  (  r  s) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C)

29 CNF? NO ((p  s)  (  q  r))  (q   p  s)  (  r  s)  ((p  s)   q))  ((p  s)  r))  (q   p  s)  (  r  s)  (p   q)  (s   q)  ((p  s)  r))  (q   p  s)  (  r  s)  (p   q)  (s   q)  (p  r)  (s  r)  (q   p  s)  (  r  s)

30 DNF? p  (  p  q)  (  q  r)

31 DNF? NO, actually this formula is in CNF p  (  p  q)  (  q  r)

32 DNF? NO, actually this formula is in CNF p  (  p  q)  (  q  r) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C)

33 DNF? NO, actually this formula is in CNF p  (  p  q)  (  q  r)  ((p   p)  (p  q))  (  q  r) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C)

34 DNF? NO, actually this formula is in CNF p  (  p  q)  (  q  r)  ((p   p)  (p  q))  (  q  r)  (p  q)  (  q  r) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C) Other Rules 1.A  A   2.A   A

35 DNF? NO, actually this formula is in CNF p  (  p  q)  (  q  r)  ((p   p)  (p  q))  (  q  r)  (p  q)  (  q  r)  ((p  q)   q)  ((p  q)  r) Distributivity 1. A  (B  C)  (A  B)  (A  C) 2. A  (B  C)  (A  B)  (A  C) Other Rules 1.A  A   2.A   A

36

37

38

39

40

41 DPLL

42 A literal is pure if only occurs positively or negatively.

43

44

45 Is formula F satisfiable modulo theory T ? SMT solvers have specialized algorithms for T

46 b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

47 ArithmeticArithmetic

48 ArithmeticArithmetic Array Theory b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

49 ArithmeticArithmetic Array Theory Uninterpreted Functions b + 2 = c and f(read(write(a,b,3), c-2) ≠ f(c-b+1)

50 b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Substituting c by b+2

51 b + 2 = c and f(read(write(a,b,3), b+2-2)) ≠ f(b+2-b+1) Simplifying

52 b + 2 = c and f(read(write(a,b,3), b)) ≠ f(3)

53 Applying array theory axiom forall a,i,v: read(write(a,i,v), i) = v

54 b + 2 = c and f(3) ≠ f(3) Inconsistent/Unsatisfiable

55 For most SMT solvers: F is a set of ground formulas Many Applications Bounded Model Checking Test-Case Generation

56 An SMT Solver is a collection of Little Engines of Proof

57 An SMT Solver is a collection of Little Engines of Proof Examples: SAT Solver Equality solver Examples: SAT Solver Equality solver

58 Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for academic research. Interfaces: http://research.microsoft.com/projects/z3 Z3 TextC/C++.NETOCaml

59 a = b, b = c, d = e, b = s, d = t, a  e, a  s a a b b c c d d e e s s t t

60 a a b b c c d d e e s s t t

61 c c d d e e s s t t a,ba,b a,ba,b

62 c c d d e e s s t t a,b

63 a = b, b = c, d = e, b = s, d = t, a  e, a  s d d e e s s t t a,b,c

64 a = b, b = c, d = e, b = s, d = t, a  e, a  s d d e e s s t t a,b,c

65 d,ed,e d,ed,e a = b, b = c, d = e, b = s, d = t, a  e, a  s s s t t a,b,c

66 a = b, b = c, d = e, b = s, d = t, a  e, a  s s s t t a,b,c d,e

67 a,b,c,s a = b, b = c, d = e, b = s, d = t, a  e, a  s t t d,e

68 a = b, b = c, d = e, b = s, d = t, a  e, a  s t t d,e a,b,c,s

69 a = b, b = c, d = e, b = s, d = t, a  e, a  s a,b,c,s d,e,t

70 a = b, b = c, d = e, b = s, d = t, a  e, a  s a,b,c,s d,e,t

71 a = b, b = c, d = e, b = s, d = t, a  e, a  s a,b,c,s d,e,t Unsatisfiable

72 a = b, b = c, d = e, b = s, d = t, a  e a,b,c,s d,e,t Model construction

73 a = b, b = c, d = e, b = s, d = t, a  e a,b,c,s d,e,t Model construction |M| = {  1,  2 } (universe, aka domain) 11 22

74 a = b, b = c, d = e, b = s, d = t, a  e a,b,c,s d,e,t Model construction |M| = {  1,  2 } (universe, aka domain) M(a) =  1 (assignment) 11 22

75 a = b, b = c, d = e, b = s, d = t, a  e a,b,c,s d,e,t Model construction |M| = {  1,  2 } (universe, aka domain) M(a) =  1 (assignment) 11 22 Alternative notation: a M =  1 Alternative notation: a M =  1

76 a = b, b = c, d = e, b = s, d = t, a  e a,b,c,s d,e,t Model construction |M| = {  1,  2 } (universe, aka domain) M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 11 22

77 Termination: easy Soundness Invariant: all constants in a “ball” are known to be equal. The “ball” merge operation is justified by: Transitivity and Symmetry rules. Completeness We can build a model if an inconsistency was not detected. Proof template (by contradiction): Build a candidate model. Assume a literal was not satisfied. Find contradiction.

78 Completeness We can build a model if an inconsistency was not detected. Instantiating the template for our procedure: Assume some literal c = d is not satisfied by our model. That is, M(c) ≠ M(d). This is impossible, c and d must be in the same “ball”. c,d,… ii M(c) = M(d) =  i

79 Completeness We can build a model if an inconsistency was not detected. Instantiating the template for our procedure: Assume some literal c ≠ d is not satisfied by our model. That is, M(c) = M(d). Key property: we only check the disequalities after we processed all equalities. This is impossible, c and d must be in the different “balls” c,… M(c) =  i M(d) =  j ii d,… jj

80 a = b, b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e)) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

81 a = b, b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e)) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

82 a = b, b = c, d = e, b = s, d = t, f(a, v 1 )  f(b, g(e)) v 1  g(d) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

83 a = b, b = c, d = e, b = s, d = t, f(a, v 1 )  f(b, g(e)) v 1  g(d) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

84 a = b, b = c, d = e, b = s, d = t, f(a, v 1 )  f(b, v 2 ) v 1  g(d), v 2  g(e) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

85 a = b, b = c, d = e, b = s, d = t, f(a, v 1 )  f(b, v 2 ) v 1  g(d), v 2  g(e) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

86 a = b, b = c, d = e, b = s, d = t, v 3  f(b, v 2 ) v 1  g(d), v 2  g(e), v 3  f(a, v 1 ) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

87 a = b, b = c, d = e, b = s, d = t, v 3  f(b, v 2 ) v 1  g(d), v 2  g(e), v 3  f(a, v 1 ) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

88 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) First Step: “Naming” subterms Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n )

89 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a,b,c,s d,e,t v1v1 v1v1 v2v2 v2v2 v3v3 v3v3 v4v4 v4v4

90 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) d = e implies g(d) = g(e) a,b,c,s d,e,t v1v1 v1v1 v2v2 v2v2 v3v3 v3v3 v4v4 v4v4

91 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) d = e implies v 1 = v 2 a,b,c,s d,e,t v1v1 v1v1 v2v2 v2v2 v3v3 v3v3 v4v4 v4v4

92 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) d = e implies v 1 = v 2 a,b,c,s d,e,t v1,v2v1,v2 v1,v2v1,v2 v3v3 v3v3 v4v4 v4v4 We say: v 1 and v 2 are congruent. We say: v 1 and v 2 are congruent.

93 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a = b, v 1 = v 2 implies f(a, v 1 ) = f(b, v 2 ) a,b,c,s d,e,t v1,v2v1,v2 v1,v2v1,v2 v3v3 v3v3 v4v4 v4v4

94 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a = b, v 1 = v 2 implies v 3 = v 4 a,b,c,s d,e,t v1,v2v1,v2 v1,v2v1,v2 v3v3 v3v3 v4v4 v4v4

95 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a = b, v 1 = v 2 implies v 3 = v 4 a,b,c,s d,e,t v1,v2v1,v2 v1,v2v1,v2 v3,v4v3,v4 v3,v4v3,v4

96 a = b, b = c, d = e, b = s, d = t, v 3  v 4 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a,b,c,s d,e,t v 1,v 2 v3,v4v3,v4 v3,v4v3,v4 Unsatisfiable

97 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a,b,c,s d,e,t v 1,v 2 v 3, v 4 Changing the problem

98 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a,b,c,s d,e,t v 1,v 2 v 3, v 4

99 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Congruence Rule: x 1 = y 1, …, x n = y n implies f(x 1, …, x n ) = f(y 1, …, y n ) a,b,c,s d,e,t v1,v2v1,v2 v1,v2v1,v2 v3,v4v3,v4 v3,v4v3,v4

100 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 a,b,c,s d,e,t v 1,v 2 v 3, v 4 11 22 33 44

101 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 a,b,c,s d,e,t v 1,v 2 v 3, v 4 11 22 33 44 Missing: Interpretation for f and g. Missing: Interpretation for f and g.

102 Building the interpretation for function symbols M(g) is a mapping from |M| to |M| Defined as: M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise (  k is an arbitrary element) Is M(g) well-defined?

103 Building the interpretation for function symbols M(g) is a mapping from |M| to |M| Defined as: M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise (  k is an arbitrary element) Is M(g) well-defined? Problem: we may have v  g(a) and w  g(b) s.t. M(a) = M(b) =  1 and M(v) =  2 ≠  3 = M(w) So, is M(g)(  1 ) =  2 or M(g)(  1 ) =  3 ?

104 Building the interpretation for function symbols M(g) is a mapping from |M| to |M| Defined as: M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise (  k is an arbitrary element) Is M(g) well-defined? Problem: we may have v  g(a) and w  g(b) s.t. M(a) = M(b) =  1 and M(v) =  2 ≠  3 = M(w) So, is M(g)(  1 ) =  2 or M(g)(  1 ) =  3 ? This is impossible because of the congruence rule! a and b are in the same “ball”, then so are v and w This is impossible because of the congruence rule! a and b are in the same “ball”, then so are v and w

105 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 a,b,c,s d,e,t v 1,v 2 v 3, v 4 11 22 33 44

106 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise

107 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 M(g) = {  2 →  3 } M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise

108 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 M(g) = {  2 →  3 } M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise

109 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 M(g) = {  2 →  3, else →  1 } M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise

110 a = b, b = c, d = e, b = s, d = t, a  v 4, v 2  v 3 v 1  g(d), v 2  g(e), v 3  f(a, v 1 ), v 4  f(b, v 2 ) Model construction: |M| = {  1,  2,  3,  4 } M(a) = M(b) = M(c) = M(s) =  1 M(d) = M(e) = M(t) =  2 M(v 1 ) = M(v 2 ) =  3 M(v 3 ) = M(v 4 ) =  4 M(g) = {  2 →  3, else →  1 } M(f) = { (  1,  3 ) →  4, else →  1 } M(g)(  i ) =  j if there is v  g(a) s.t. M(a) =  i M(v) =  j =  k, otherwise

111 What about predicates? p(a, b),  p(c, b)

112 What about predicates? p(a, b),  p(c, b) f p (a, b) = T, f p (c, b) ≠ T

113 It is possible to implement our procedure in O(n log n)

114 Many verification/analysis problems require: case-analysis x  0, y = x + 1, (y > 2  y < 1)

115 Many verification/analysis problems require: case-analysis x  0, y = x + 1, (y > 2  y < 1) Naïve Solution: Convert to DNF (x  0, y = x + 1, y > 2)  (x  0, y = x + 1, y < 1)

116 Many verification/analysis problems require: case-analysis x  0, y = x + 1, (y > 2  y < 1) Naïve Solution: Convert to DNF (x  0, y = x + 1, y > 2)  (x  0, y = x + 1, y < 1) Too Inefficient! (exponential blowup) Too Inefficient! (exponential blowup)

117 SAT Theory Solvers SMT Equality + UF Arithmetic Bit-vectors … Case Analysis

118 M | F Partial model Set of clauses

119 Guessing p,  q | p  q,  q  r p | p  q,  q  r

120 Deducing p, s| p  q,  p  s p | p  q,  p  s

121 Backtracking p, s| p  q, s  q,  p   q p,  s, q | p  q, s  q,  p   q

122 Efficient indexing (two-watch literal) Non-chronological backtracking (backjumping) Lemma learning

123 Basic Idea x  0, y = x + 1, (y > 2  y < 1) p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1)

124 Basic Idea x  0, y = x + 1, (y > 2  y < 1) p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver

125 Basic Idea x  0, y = x + 1, (y > 2  y < 1) p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver Assignment p 1, p 2,  p 3, p 4

126 Basic Idea x  0, y = x + 1, (y > 2  y < 1) p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver Assignment p 1, p 2,  p 3, p 4 x  0, y = x + 1,  (y > 2), y < 1

127 Basic Idea x  0, y = x + 1, (y > 2  y < 1) p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver Assignment p 1, p 2,  p 3, p 4 x  0, y = x + 1,  (y > 2), y < 1 Theory Solver Theory Solver Unsatisfiable x  0, y = x + 1, y < 1

128 Basic Idea x  0, y = x + 1, (y > 2  y < 1) p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver Assignment p 1, p 2,  p 3, p 4 x  0, y = x + 1,  (y > 2), y < 1 Theory Solver Theory Solver Unsatisfiable x  0, y = x + 1, y < 1 New Lemma  p 1  p 2  p 4

129 Theory Solver Theory Solver Unsatisfiable x  0, y = x + 1, y < 1 New Lemma  p 1  p 2  p 4 AKA Theory conflict AKA Theory conflict

130 procedure SmtSolver(F) (F p, M) := Abstract(F) loop (R, A) := SAT_solver(F p ) if R = UNSAT then return UNSAT S := Concretize(A, M) (R, S’) := Theory_solver(S) if R = SAT then return SAT L := New_Lemma(S’, M) Add L to F p

131 Basic Idea F: x  0, y = x + 1, (y > 2  y < 1) F p : p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) M: p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver A: Assignment p 1, p 2,  p 3, p 4 S: x  0, y = x + 1,  (y > 2), y < 1 Theory Solver Theory Solver S’: Unsatisfiable x  0, y = x + 1, y < 1 L: New Lemma  p 1  p 2  p 4

132 F: x  0, y = x + 1, (y > 2  y < 1) F p : p 1, p 2, (p 3  p 4 ) Abstract (aka “naming” atoms) M: p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1) SAT Solver SAT Solver A: Assignment p 1, p 2,  p 3, p 4 S: x  0, y = x + 1,  (y > 2), y < 1 Theory Solver Theory Solver S’: Unsatisfiable x  0, y = x + 1, y < 1 L: New Lemma  p 1  p 2  p 4 procedure SMT_Solver(F) (F p, M) := Abstract(F) loop (R, A) := SAT_solver(F p ) if R = UNSAT then return UNSAT S = Concretize(A, M) (R, S’) := Theory_solver(S) if R = SAT then return SAT L := New_Lemma(S, M) Add L to F p “Lazy translation” to DNF “Lazy translation” to DNF

133 State-of-the-art SMT solvers implement many improvements.

134 Incrementality Send the literals to the Theory solver as they are assigned by the SAT solver p 1, p 2, p 4 | p 1, p 2, (p 3  p 4 ), (p 5   p 4 ) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1), p 5  (x < 2), Partial assignment is already Theory inconsistent. Partial assignment is already Theory inconsistent.

135 Efficient Backtracking We don’t want to restart from scratch after each backtracking operation.

136 Efficient Lemma Generation (computing a small S’) Avoid lemmas containing redundant literals. p 1, p 2, p 3, p 4 | p 1, p 2, (p 3  p 4 ), (p 5   p 4 ) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1), p 5  (x < 2),  p 1  p 2  p 3  p 4 Imprecise Lemma

137 Theory Propagation It is the SMT equivalent of unit propagation. p 1, p 2 | p 1, p 2, (p 3  p 4 ), (p 5   p 4 ) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1), p 5  (x < 2), p 1, p 2 imply  p 4 by theory propagation p 1, p 2,  p 4 | p 1, p 2, (p 3  p 4 ), (p 5   p 4 )

138 Theory Propagation It is the SMT equivalent of unit propagation. p 1, p 2 | p 1, p 2, (p 3  p 4 ), (p 5   p 4 ) p 1  (x  0), p 2  (y = x + 1), p 3  (y > 2), p 4  (y < 1), p 5  (x < 2), p 1, p 2 imply  p 4 by theory propagation p 1, p 2,  p 4 | p 1, p 2, (p 3  p 4 ), (p 5   p 4 ) Tradeoff between precision  performance.

139 Core SAT Solver Equality Uninterpreted Functions Equality Uninterpreted Functions Arithmetic Bit-Vectors Scalar Values

140 Core SAT Solver Equality Uninterpreted Functions Equality Uninterpreted Functions Arithmetic Bit-Vectors Scalar Values Case Analysis

141 Core SAT Solver Equality Uninterpreted Functions Equality Uninterpreted Functions Arithmetic Bit-Vectors Scalar Values Blackboard: equalities, disequalities, predicates Blackboard: equalities, disequalities, predicates

142 Many approaches Graph-based for difference logic: a – b  3 Fourier-Motzkin elimination: Standard Simplex General Form Simplex

143 Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1 x 1 = x 0 + 1 x 1 - x 0  1, x 0 - x 1  - 1

144

145 Chasing negative cycles! Algorithms based on Bellman-Ford (O(mn)).

146

147 s 1  x + y, s 2  x + 2y

148 s 1 = x + y, s 2 = x + 2y

149 s 1  x + y, s 2  x + 2y s 1 = x + y, s 2 = x + 2y s 1 - x - y = 0 s 2 - x - 2y = 0

150 s 1  x + y, s 2  x + 2y s 1 = x + y, s 2 = x + 2y s 1 - x - y = 0 s 2 - x - 2y = 0 s 1, s 2 are basic (dependent) x,y are non-basic

151 A way to swap a basic with a non-basic variable! It is just equational reasoning. Key invariant: a basic variable occurs in only one equation. Example: swap s 1 and y s 1 - x - y = 0 s 2 - x - 2y = 0

152 A way to swap a basic with a non-basic variable! It is just equational reasoning. Key invariant: a basic variable occurs in only one equation. Example: swap s 1 and y s 1 - x - y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - x - 2y = 0

153 A way to swap a basic with a non-basic variable! It is just equational reasoning. Key invariant: a basic variable occurs in only one equation. Example: swap s 1 and y s 1 - x - y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - 2s 1 + x = 0

154 A way to swap a basic with a non-basic variable! It is just equational reasoning. Key invariant: a basic variable occurs in only one equation. Example: swap s 1 and y s 1 - x - y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - 2s 1 + x = 0 It is just substituting equals by equals.

155 A way to swap a basic with a non-basic variable! It is just equational reasoning. Key invariant: a basic variable occurs in only one equation. Example: swap s 1 and y s 1 - x - y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - 2s 1 + x = 0 It is just substituting equals by equals. Definition: An assignment (model) is a mapping from variables to values Definition: An assignment (model) is a mapping from variables to values Key Property: If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after! Key Property: If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after!

156 A way to swap a basic with a non-basic variable! It is just equational reasoning. Key invariant: a basic variable occurs in only one equation. Example: swap s 2 and y s 1 - x - y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - x - 2y = 0 -s 1 + x + y = 0 s 2 - 2s 1 + x = 0 It is just substituting equals by equals. Definition: An assignment (model) is a mapping from variables to values Definition: An assignment (model) is a mapping from variables to values Key Property: If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after! Key Property: If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after! Example: M(x) = 1 M(y) = 1 M(s 1 ) = 2 M(s 2 ) = 3 Example: M(x) = 1 M(y) = 1 M(s 1 ) = 2 M(s 2 ) = 3

157

158 If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables. a = c – d b = c + d M(a) = 0 M(b) = 0 M(c) = 0 M(d) = 0 1  c a = c – d b = c + d M(a) = 1 M(b) = 1 M(c) = 1 M(d) = 0 1  c

159 If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables. Of course, we may introduce new “problems”. a = c – d b = c + d M(a) = 0 M(b) = 0 M(c) = 0 M(d) = 0 1  c a  0 a = c – d b = c + d M(a) = 1 M(b) = 1 M(c) = 1 M(d) = 0 1  c a  0

160 If the assignment of a basic variable does not satisfy a bound, then pivot it, fix it, and propagate the change to its new dependent variables. a = c – d b = c + d M(a) = 0 M(b) = 0 M(c) = 0 M(d) = 0 1  a c = a + d b = a + 2d M(a) = 0 M(b) = 0 M(c) = 0 M(d) = 0 1  a c = a + d b = a + 2d M(a) = 1 M(b) = 1 M(c) = 1 M(d) = 0 1  a

161 Sometimes, a model cannot be repaired. It is pointless to pivot. a = b – c a  0, 1  b, c  0 M(a) = 1 M(b) = 1 M(c) = 0 The value of M(a) is too big. We can reduce it by: - reducing M(b) not possible b is at lower bound - increasing M(c) not possible c is at upper bound The value of M(a) is too big. We can reduce it by: - reducing M(b) not possible b is at lower bound - increasing M(c) not possible c is at upper bound

162 s 1  a + d, s 2  c + d a = s 1 – s 2 + c a  0, 1  s 1, s 2  0, 0  c M(a) = 1 M(s 1 ) = 1 M(s 2 ) = 0 M(c) = 0 Extracting proof from failed repair attempts is easy.

163 s 1  a + d, s 2  c + d a = s 1 – s 2 + c a  0, 1  s 1, s 2  0, 0  c M(a) = 1 M(s 1 ) = 1 M(s 2 ) = 0 M(c) = 0 Extracting proof from failed repair attempts is easy. { a  0, 1  s 1, s 2  0, 0  c } is inconsistent

164 s 1  a + d, s 2  c + d a = s 1 – s 2 + c a  0, 1  s 1, s 2  0, 0  c M(a) = 1 M(s 1 ) = 1 M(s 2 ) = 0 M(c) = 0 Extracting proof from failed repair attempts is easy. { a  0, 1  s 1, s 2  0, 0  c } is inconsistent { a  0, 1  a + d, c + d  0, 0  c } is inconsistent

165 In practice, we need a combination of theories. b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) A theory is a set (potentially infinite) of first-order sentences. Main questions: Is the union of two theories T1  T2 consistent? Given a solvers for T1 and T2, how can we build a solver for T1  T2?

166 Two theories are disjoint if they do not share function/constant and predicate symbols. = is the only exception. Example: The theories of arithmetic and arrays are disjoint. Arithmetic symbols: {0, -1, 1, -2, 2, …, +, -, *, >, <, ≥,  } Array symbols: { read, write }

167 It is a different name for our “naming” subterms procedure. b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) b + 2 = c, v 6 ≠ v 7 v 1  3, v 2  write(a, b, v 1 ), v 3  c-2, v 4  read(v 2, v 3 ), v 5  c-b+1, v 6  f(v 4 ), v 7  f(v 5 )

168 It is a different name for our “naming” subterms procedure. b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) b + 2 = c, v 6 ≠ v 7 v 1  3, v 2  write(a, b, v 1 ), v 3  c-2, v 4  read(v 2, v 3 ), v 5  c-b+1, v 6  f(v 4 ), v 7  f(v 5 ) b + 2 = c, v 1  3, v 3  c-2, v 5  c-b+1, v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7

169 A theory is stably infinite if every satisfiable QFF is satisfiable in an infinite model. EUF and arithmetic are stably infinite. Bit-vectors are not.

170 The union of two consistent, disjoint, stably infinite theories is consistent.

171 A theory T is convex iff for all finite sets S of literals and for all a 1 = b 1  …  a n = b n S implies a 1 = b 1  …  a n = b n iff S implies a i = b i for some 1  i  n

172 Every convex theory with non trivial models is stably infinite. All Horn equational theories are convex. formulas of the form s 1 ≠ r 1  …  s n ≠ r n  t = t’ Linear rational arithmetic is convex.

173 Linear integer arithmetic is not convex 1  a  2, b = 1, c = 2 implies a = b  a = c Nonlinear arithmetic a 2 = 1, b = 1, c = -1 implies a = b  a = c Theory of bit-vectors Theory of arrays c 1 = read(write(a, i, c 2 ), j), c 3 = read(a, j) implies c 1 = c 2  c 1 = c 3

174 EUF is convex (O(n log n)) IDL is non-convex (O(nm)) EUF  IDL is NP-Complete Reduce 3CNF to EUF  IDL For each boolean variable p i add 0  a i  1 For each clause p 1   p 2  p 3 add f(a 1, a 2, a 3 ) ≠ f(0, 1, 0)

175 EUF is convex (O(n log n)) IDL is non-convex (O(nm)) EUF  IDL is NP-Complete Reduce 3CNF to EUF  IDL For each boolean variable p i add 0  a i  1 For each clause p 1   p 2  p 3 add f(a 1, a 2, a 3 ) ≠ f(0, 1, 0) a 1 ≠ 0  a 2 ≠ 1  a 3 ≠ 0 implies

176

177

178

179

180

181

182 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  c-2, v 5  c-b+1 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ) EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7

183 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  c-2, v 5  c-b+1 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ) EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7 Substituting c

184 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  b, v 5  3 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7 Propagating v 3 = b

185 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  b, v 5  3 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), v 3 = b EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7, v 3 = b Deducing v 4 = v 1

186 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  b, v 5  3 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), v 3 = b, v 4 = v 1 EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7, v 3 = b Propagating v 4 = v 1

187 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  b, v 5  3, v 4 = v 1 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), v 3 = b, v 4 = v 1 EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7, v 3 = b, v 4 = v 1 Propagating v 5 = v 1

188 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  b, v 5  3, v 4 = v 1 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), v 3 = b, v 4 = v 1 EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7, v 3 = b, v 4 = v 1, v 5 = v 1 Congruence: v 6 = v 7

189 b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1) Arithmetic b + 2 = c, v 1  3, v 3  b, v 5  3, v 4 = v 1 Arrays v 2  write(a, b, v 1 ), v 4  read(v 2, v 3 ), v 3 = b, v 4 = v 1 EUF v 6  f(v 4 ), v 7  f(v 5 ), v 6 ≠ v 7, v 3 = b, v 4 = v 1, v 5 = v 1, v 6 = v 7 Unsatisfiable

190 Deterministic procedure may fail for non-convex theories. 0  a  1, 0  b  1, 0  c  1, f(a) ≠ f(b), f(a) ≠ f(c), f(b) ≠ f(c)

191

192

193

194

195

196

197

198

199

200

201

202

Download ppt "Leonardo de Moura and Nikolaj Bjørner Microsoft Research."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Completeness and Expressiveness

Completeness and Expressiveness
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)

Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Nikolaj Bjørner Microsoft Research Lecture 4. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Nikolaj Bjørner Microsoft Research Lecture 4. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.

1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
Automated Theorem Proving Lecture 4.   Formula := A |  |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct | Select(m,t)

Automated Theorem Proving Lecture 4.   Formula := A |  |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct | Select(m,t)
Yeting Ge Leonardo de Moura New York University Microsoft Research.

Yeting Ge Leonardo de Moura New York University Microsoft Research.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 4.

ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 4.

Similar presentations

Ads by Google