Introduction to Satisfiability Modulo Theories (SMT) - PowerPoint PPT Presentation

1 / 65

About This Presentation

Title:

Introduction to Satisfiability Modulo Theories (SMT)

Description:

... (Boolean) logic only involves propositional symbols and operators ... (non-logical symbols) and their meanings ... can take any meaning ... – PowerPoint PPT presentation

Number of Views:481

Avg rating:3.0/5.0

Slides: 66

Provided by: eecsBe

Learn more at: https://people.eecs.berkeley.edu

Category:

more less

Transcript and Presenter's Notes

Title: Introduction to Satisfiability Modulo Theories (SMT)

1
Introduction to
Satisfiability Modulo Theories(SMT)

Clark Barrett, NYU
Sanjit A. Seshia, UC Berkeley

ICCAD Tutorial November 2, 2009
2
Boolean Satisfiability (SAT)
p1
Ç
Æ
p2
?

. . .
Æ
Ç
Ç
pn
Is there an assignment to the p1, p2, , pn
variables such that ? evaluates to 1?
3
Satisfiability Modulo Theories
p1
x y
Ç
Æ
p2
x 2 z 1
?

. . .
Æ
Ç
w 0xFFFF x
Ç
x 26 v
pn
Is there an assignment to the x,y,z,w variables
s.t. ? evaluates to 1?
4
Satisfiability Modulo Theories

Given a formula in first-order logic, with
associated background theories, is the formula
satisfiable?
Yes return a satisfying solution
No generate a proof of unsatisfiability

5
Applications of SMT

Hardware verification at higher levels of
abstraction (RTL and above)
Verification of analog/mixed-signal circuits
Verification of hybrid systems
Software model checking
Software testing
Security Finding vulnerabilities, verifying
electronic voting machines,
Program synthesis

6
References

Satisfiability Modulo Theories
Clark Barrett, Roberto Sebastiani, Sanjit A.
Seshia, and Cesare Tinelli.
Chapter 8 in the Handbook of Satisfiability,
Armin Biere, Hans van Maaren, and Toby Walsh,
editors, IOS Press, 2009.
(available from our webpages)
SMTLIB A repository for SMT formulas (common
format) and tools
SMTCOMP An annual competition of SMT solvers

7
Roadmap for this Tutorial

Background and Notation
Survey of Theories
Theory Solvers
Approaches to SMT Solving
Lazy Encoding to SAT
Eager Encoding to SAT
Conclusion

8
Roadmap for this Tutorial

Background and Notation
Survey of Theories
Theory Solvers
Approaches to SMT Solving
Lazy Encoding to SAT
Eager Encoding to SAT
Conclusion

9
First-Order Logic

A formal notation for mathematics, with
expressions involving
Propositional symbols
Predicates
Functions and constant symbols
Quantifiers
In contrast, propositional (Boolean) logic only
involves propositional symbols and operators

10
First-Order Logic Syntax

As with propositional logic, expressions in
first-order logic are made up of sequences of
symbols.
Symbols are divided into logical symbols and
non-logical symbols or parameters.
Example
(x y) Æ (y z) Æ (f(z) f(x)1)

11
First-Order Logic Syntax

Logical Symbols
Propositional connectives Ç, Æ, , !,
Variables v1, v2, . . .
Quantifiers 8, 9
Non-logical symbols/Parameters
Equality
Functions , -, , bit-wise , f(), concat,
Predicates , is_substring,
Constant symbols 0, 1.0, null,

12
Quantifier-free Subset

We will largely restrict ourselves to formulas
without quantifiers (8, 9)
This is called the quantifier-free
subset/fragment of first-order logic with the
relevant theory

13
Logical Theory

Defines a set of parameters (non-logical symbols)
and their meanings
This definition is called a signature.
Example of a signature
Theory of linear arithmetic over integers
Signature is (0,1,,-,) interpreted over Z

14
Roadmap for this Tutorial

Background and Notation
Survey of Theories
Theory Solvers
Two Approaches to SMT Solving
Lazy Encoding to SAT
Eager Encoding to SAT
Conclusion

15
Some Useful Theories

Equality (with uninterpreted functions)
Linear arithmetic (over Q or Z)
Difference logic (over Q or Z)
Finite-precision bit-vectors
integer or floating-point
Arrays / memories
Misc. Non-linear arithmetic, strings, inductive
datatypes (e.g. lists), sets,

16
Theory of Equality and Uninterpreted Functions
(EUF)

Also called the free theory
Because function symbols can take any meaning
Only property required is congruence that these
symbols map identical arguments to identical
values i.e., x y ) f(x) f(y)
SMTLIB name QF_UF

17
Data and Function Abstraction
with EUF
Common Operations

p
x
1 0
ITE(p, x, y)
y
If-then-else
x

x y
y
Test for equality
18
Hardware Abstraction with EUF
F1
F2
F3

For any Block that Transforms or Evaluates Data
Replace with generic, unspecified function
Also view instruction memory as function

19
Example QF_UF (EUF) Formula

(x y) Æ (y z) Æ (f(x) ? f(z))
Transitivity
(x y) Æ (y z) ) (x z)
Congruence
(x z) ) (f(x) f(z))

20
Equivalence Checking of
Program Fragments
int fun1(int y) int x, z z y y
x x z return xx
SMT formula ? Satisfiable iff programs
non-equivalent ( z y Æ y1 x Æ x1 z Æ
ret1 x1x1) Æ ( ret2 yy ) Æ (
ret1 ? ret2 )
int fun2(int y) return yy
What if we use SAT to check equivalence?
21
Equivalence Checking of
Program Fragments
SMT formula ? Satisfiable iff programs
non-equivalent ( z y Æ y1 x Æ x1 z Æ
ret1 x1x1) Æ ( ret2 yy ) Æ (
ret1 ? ret2 )
int fun1(int y) int x, z z y y
x x z return xx
Using SAT to check equivalence (w/ Minisat)
32 bits for y Did not finish in over 5 hours
16 bits for y 37 sec. 8 bits for y 0.5
sec.
int fun2(int y) return yy
22
Equivalence Checking of
Program Fragments
int fun1(int y) int x, z z y y
x x z return xx
SMT formula ? ( z y Æ y1 x Æ x1 z Æ
ret1 sq(x1) ) Æ ( ret2 sq(y) )
Æ ( ret1 ? ret2 )
int fun2(int y) return yy
Using EUF solver 0.01 sec
23
Equivalence Checking of
Program Fragments
int fun1(int y) int x x x y y
x y x x y return xx
Does EUF still work?
No! Must reason about bit-wise XOR. Need a
solver for bit-vector arithmetic. Solvable in
less than a sec. with a current bit-vector solver.
int fun2(int y) return yy
24
Finite-Precision Bit-Vector Arithmetic (QF_BV)

Fixed width data words
Can model int, short, long, etc.
Arithmetic operations
E.g., add/subtract/multiply/divide comparisons
Twos complement and unsigned operations
Bit-wise logical operations
E.g., and/or/xor, shift/extract and equality
Boolean connectives

25
Linear Arithmetic
(QF_LRA, QF_LIA)

Boolean combination of linear constraints of the
form
(a1 x1 a2 x2 an xn b)
xis could be in Q or Z , 2 ,gt,,lt,
Many applications, including
Verification of analog circuits
Software verification, e.g., of array bounds

26
Difference Logic (QF_IDL,
QF_RDL)

Boolean combination of linear constraints of the
form
xi - xj cij or xi ci
2 ,gt,,lt,, xis in Q or Z
Applications
Software verification (most linear constraints
are of this form)
Processor datapath verification
Job shop scheduling / real-time systems
Timing verification for circuits

27
Arrays/Memories

SMT solvers can also be very effective in
modeling data structures in software and hardware
Arrays in programs
Memories in hardware designs e.g. instruction
and data memories, CAMs, etc.

28
Theory of Arrays (QF_AX)Select and Store

Two interpreted functions select and store
select(A,i) Read from A at index i
store(A,i,d) Write d to A at index i
Two main axioms
select(store(A,i,d), i) d
select(store(A,i,d), j) select(A,j) for i ? j
One other axiom
(8 i. select(A,i) select(B,i)) ) A B

29
Equivalence Checking of
Program Fragments
int fun1(int y) int x2 x0 y
y x1 x1 x0 return x1x1
SMT formula ? x1 store(x,0,y) Æ y1
select(x1,1) Æ x2 store(x1,1,select(x1,0))
Æ ret1 sq(select(x2,1))
Æ ( ret2 sq(y) ) Æ ( ret1 ? ret2 )
int fun2(int y) return yy
30
Roadmap for this Tutorial

Background and Notation
Survey of Theories
Theory Solvers
Two Approaches to SMT Solving
Lazy Encoding to SAT
Eager Encoding to SAT
Conclusion

Over to Clark

32
Roadmap for this Tutorial

Background and Notation
Survey of Theories
Theory Solvers
Approaches to SMT Solving
Lazy Encoding to SAT
Eager Encoding to SAT
Conclusion

33
Eager Approach to SMT
SAT Solver involved in Theory Reasoning

Key Ideas
Small-domain encoding
Constrain model search
Rewrite rules
Abstraction-based methods (eager lazy)
Example Solvers
UCLID, STP, Spear, Boolector, Beaver,

34
Theories

Eager Encoding Methods have been demonstrated for
the following Theories
Equality Uninterpreted Functions
Integer Linear Arithmetic
Restricted Lambda expressions
Arrays, memories, etc.
Finite-precision Bit-Vector Arithmetic
Strings

35
UCLID Operation
Input Formula
Lambda Expansion for Arrays
?-free Formula

Operation
Series of transformations leading to Boolean
formula
Each step is validity (satisfiability) preserving
Each step performs optimizations

Function Predicate Elimination
Linear/ Bitvector ArithmeticFormula
Encoding Arithmetic
Boolean Formula
Boolean Satisfiability
http//uclid.eecs.berkeley.edu
36
Rewrites Eliminating Function Applications

Two applications of an uninterpreted function f
in a formula
f(x1) and f(x2)

37
Small-Domain Encoding

Consider an SMT formula ?(x1, x2, , xn) where xi
2 Di
Small-domain encoding/Finite instantiation
Derive finite set Si ½
Di s.t. Si Di
In some cases, Si is finite where Di is infinite
Encode each xi to take values only in Si
Could be done by encoding to SAT
Example Integer Linear Arithmetic (QF_LIA)

38
Solving QF_LIA is NP-complete

In NP
If a satisfying solution exists, then one exists
within a bound d
log d is polynomial in input size
Expression for d Papadimitriou, 82
(nm) (bmax 1) ( m amax ) 2m3
Input size
m constraints
n variables
bmax largest constant (absolute value)
amax largest coefficient (absolute value)

39
Small-domain encoding / Finite Instantiation
Naïve approach

Steps
Calculate the solution bound d
Encode each integer variable with d log d e bits
translate to Boolean formula
Run SAT solver
Problem For QF_LIA, d is W( m m )
W( m log m ) bits per variable
Solution Exploit special-cases and
domain-specific structure

40
Special Case 1 Equality Logic

Linear constraints are equalities xi xj
Result d n

x1 ? x2 Æ x2 ? x3 Æ x1 ? x3 3-valued domain
is needed 1, 2, 3
41
Special Case 2 Difference Logic

Boolean combination of difference-bound
constraints
xi xj b, xi b
Result d n (bmax 1)
Bryant, Lahiri, Seshia, CAV02
Proof sketch satisfying solution corresponds to
shortest path in constraint graph
Longest such path has length n (bmax 1)
Tighter formula-specific bounds possible

42
Special Case 3 Generalized 2SAT

Generalized 2SAT constraints
xi xj b, - xi - xj b, xi - xj b,
xi b
d 2 n (bmax 1) Seshia, Subramani,
Bryant,04

43
Full Integer Linear Arithmetic

Can we avoid the mm blow-up?
In fact, yes. The idea is to derive a new
parameterized solution bound d
Formalize parameters that the bound really
depends on
Parameters characterize sparse structure
Occurs especially in software verification also
in many high-level hardware models
Seshia Bryant, LICS04, LMCS05

44
Structure of Linear Constraints in Software
Verification

Characteristics of studied benchmarks
Mostly difference constraints
Only 3 of constraints were NOT difference
constraints
Non-difference constraints are sparse
At most 6 variables per constraint (total number
of variables in 1000s)
Some similar observations Pratt77,
ESC/Java-Simplify-TR03

45
Parameterized Solution Bound

New parameters
k non-difference constraints,
w variables per constraint (width)

m constraints
n variables
bmax max constant
amax max coefficient
46
Example
m constraints 3
k non-difference 1
n variables 4
w width 3
bmax max constant 3
amax max coefficient 2
47
Summary of d Values
Logic Solution Bound d
Equality logic n
Difference logic n ( bmax 1 )
Generalized 2SAT logic 2 n ( bmax 1 )
Full Integer Linear Arithmetic n (bmax 1) (amaxk w k)
48
Abstraction-Based Methods

For some logics, one cannot easily compute a
closed-form expression for the small domain
Example Bit-Vector Arithmetic
In such cases, an abstraction-refinement approach
can be used to compute formula-specific small
domains

49
Bit-Vector Arithmetic Some History

B.C. (Before Chaff)
String operations (concatenate, field extraction)
Linear arithmetic with bounds checking
Modular arithmetic
SAT-Based Bit Blasting
Generate Boolean circuit based on bit-level
behavior of operations
Handles arbitrary operations
Check with best available SAT solver
Effective in many applications
CBMC Clarke, Kroening, Lerda, TACAS 04
Microsoft Cogent SLAM Cook, Kroening,
Sharygina, CAV 05

50
Research Challenge

Is there a better way than bit blasting?
Requirements
Provide same functionality as with bit blasting
Must support all bit-vector operators
Exploit word-level structure
Improve on performance of bit blasting
Current Approaches based on two core ideas
Simplification Simplify input formula using
word-level rewrite rules and solvers
Abstraction Can use automatic abstraction-refinem
ent to solve simplified formula

51
Bit-Vector SMT Solvers, circa Spr.2009

Current Techniques with Sample Tools
Proof-based abstraction-refinement UCLID
Bryant et al., TACAS 07
Solver for linear modular arithmetic to simplify
the formula STP Ganesh Dill, CAV07
Automatic parameter tuning for SAT Spear Hutter
et al., FMCAD 07
Rewrites, underapproximation, efficient SAT
engine Boolector Brummayer Biere, TACAS09
Equality/constant propagation, logic
optimization, special rules for non-linear ops -
Beaver Jha et al., CAV09
DPLL(T) framework Layered approach, rewriting
CVC3 Barrett et al., MathSAT Bruttomesso et
al, Yices Dutertre et al., Z3 de Moura et al

52
Abstraction-Refinement

Deciding Bit-Vector Arithmetic with Abstraction
Bryant et al., TACAS 07, STTT 09
Use bit blasting as core technique
Apply to simplified versions of formula under
and over approximations
Generate successive approximations until a
solution is found or formula shown unsatisfiable
Inspired by McMillan Amlas proof-based
abstraction for finite-state model checking
Small Motivating Example
(x y ? y x) Æ (x y ? y x)
Sufficient to prove the left-hand conjunct unsat

53
Approximations to Formula
?
Original Formula

Example Approximation Techniques
Underapproximating
Restrict word-level variables to smaller ranges
of values
Overapproximating
Replace subformula with Boolean variable

54
Starting Iterations
?
?1-

Initial Underapproximation
(Greatly) restrict ranges of word-level variables
Intuition Satisfiable formula often has
small-domain solution

55
First Half of Iteration
?
?1-

SAT Result for ?1-
Satisfiable
Then have found solution for ?
Unsatisfiable
Use UNSAT proof to generate overapproximation ?1

56
Second Half of Iteration
?1
?
?1-

SAT Result for ?1
Unsatisfiable then have shown ? unsatisfiable
Satisfiable solution indicates variable ranges
that must be expanded
Generate refined underapproximation

57
Example
?1 (x y2)
? (x y2) Æ (x2 gt y2)
?2- (x2 y22) Æ (x22 gt y22)
?1- (x1 y12) Æ (x12 gt y12)
58
Iterative Behavior

Underapproximations
Successively more precise abstractions of ?
Allow wider variable ranges
Overapproximations
No predictable relation
UNSAT proof not unique

?2
?1
? ? ?
?k
?
?k-
? ? ?
?2-
?1-
59
Overall Effect

Soundness
Only terminate with solution on
underapproximation
Only terminate as UNSAT on overapproximation
Completeness
Successive underapproximations approach ?
Finite variable ranges guarantee termination
In worst case, get ?k- ? ?

?2
?1
? ? ?
?k
?
?k-
? ? ?
?2-
?1-
60
Roadmap for this Tutorial

Background and Notation
Survey of Theories
Theory Solvers
Approaches to SMT Solving
Lazy Encoding to SAT
Eager Encoding to SAT
Conclusion

61
Summary of Ideas Modeling

Philosophy Model systems in first-order logic
suitable theories
Widely-used theories
Equality and uninterpreted functions
Linear arithmetic
Bit-vector arithmetic
Arrays

62
Summary of Ideas Lazy Methods

Philosophy Extend DPLL framework from SAT to SMT
Literals assigned by SAT are sent to Theory
Solver
Theory Solver determines if literals are
satisfiable in the theory
Key optimizations small explanations, early
conflict detection, theory propagation

C. Barrett S. A. Seshia
62
ICCAD 2009 Tutorial
63
Summary of Ideas Eager Methods