Posted: 19-Dec-2015

SMT solvers in Program Analysis and Verification

Nikolaj Bjørner, Microsoft Research

Lecture 3

Overview of the lectures

Day | Topics                                              | Lab
1   | Overview of SMT and applications. SAT solving, Z3   | Encoding combinatorial problems with Z3
2   | Congruence closure                                  | Program exploration with Pex
3   | A solver for arithmetic                             | Encoding arithmetic problems
4   | Theory combination. Arrays (part 1)                 | Arrays
5   | Arrays (part 2) and quantifiers                     | Build a theory solver on top of Z3

Summary of Day 3

A solver for Arithmetic

Lab: Explore Pex, Rush hour and bounded model checking

References

The slides for Lecture 5 contain a comprehensive list of references.

Default pointer, with pointers to further pointers: http://research.microsoft.com/projects/z3

Solvers for linear arithmetic

Linear arithmetic? Find x, y such that:

    1 ≤ 3x + 6y ≤ 2

For reals: solution x = 1/3, y = 0.

For integers: no solution.

Linear arithmetic. The set of terms T_LA and atoms A_LA:

    t ∈ T_LA ::= r · x        (x ∈ F, r ∈ Int/Rational)
              |  t + t'       (t, t' ∈ T_LA)

Shorthand: x instead of 1 · x.

    a ∈ A_LA ::= t ≤ t' | t < t' | t = t'    (t, t' ∈ T_LA)

Difference logic. Constraints are of the form x − y ≤ 4, y − z ≤ 7.

Example unsatisfiable constraints: x1 − x2 ≤ −3, x2 − x3 ≤ 1, x3 − x4 ≤ −2, x4 − x1 ≤ 3

Proof: 0 = (x1 − x2) + (x2 − x3) + (x3 − x4) + (x4 − x1) ≤ −3 + 1 − 2 + 3 = −1

Difference logic

Graph interpretation: variables are nodes, atoms x − y ≤ c are weighted edges (an edge from x to y labelled c). A set of literals is satisfiable iff there is no negative cycle: for a cycle x1 → x2 → x3 → x4 → x1 with edge weights c1, c2, c3, c4, let C := c1 + c2 + c3 + c4 < 0. A negative cycle implies the contradiction 0 ≤ C < 0.

[Figure: the cycle x1 → x2 → x3 → x4 → x1 with edge labels c1, c2, c3, c4, and a single edge x → y labelled c.]

Difference logic. How to find negative cycles?

Bellman-Ford style algorithm: O(nm), where n = number of vertices, m = number of edges.

Floyd-Warshall: O(n³), works OK when m ≈ n²:

    for each atom x − y ≤ c: cost[x,y] := c; for every other pair: cost[x,y] := ∞
    for z ∈ V: for x ∈ V: for y ∈ V: cost[x,y] := min(cost[x,y], cost[x,z] + cost[z,y])
    check that ∀x. cost[x,x] ≥ 0   (a negative diagonal entry is a negative cycle)

Difference logic – strict inequalities

What about ¬(x − y ≤ c) ≡ (y − x < −c)?

x, y integers: (y − x < −c) ≡ (y − x ≤ −c − 1)

x, y reals: use infinitesimals ε: (y − x < −c) ≡ (y − x ≤ −c − ε). Formally, constants are pairs ⟨c, c'⟩ with interpretation c + c'·ε.

[Figure: sample negative cycle x → y → x, the two edges labelled with the constants 3 and 3.]
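To make the graph view concrete, here is an added Python example (mine, not code from the lecture slides or from Z3). It stores every literal x − y ≤ c as an edge, runs the Bellman-Ford search the slide names, returns the literals on a negative cycle as the explanation when the set is unsatisfiable, and handles the strict inequalities that negated literals produce with the ⟨c, c'⟩ pairs (value c + c'·ε) described above. The inputs are the slide's four unsatisfiable constraints plus a constructed pair of literals over x and y; the class and function names are my own.

```python
from fractions import Fraction

# Constants are pairs (c, k) standing for c + k*eps with eps infinitesimal, so
# pairs compare lexicographically:  x - y <= c is (c, 0),  x - y < c is (c, -1).
ZERO = (Fraction(0), 0)


def add(a, b):
    return (a[0] + b[0], a[1] + b[1])


class DifferenceLogic:
    """Conjunction of difference-logic literals kept as a weighted graph:
    the atom x - y <= c is an edge x -> y of weight c."""

    def __init__(self):
        self.edges = []      # (x, y, weight pair, printable literal)
        self.nodes = set()

    def assert_le(self, x, y, c, strict=False):
        lit = f"{x} - {y} {'<' if strict else '<='} {c}"
        self.edges.append((x, y, (Fraction(c), -1 if strict else 0), lit))
        self.nodes.update((x, y))

    def assert_not_le(self, x, y, c):
        # not(x - y <= c) is y - x < -c: a negated literal becomes a strict edge
        self.assert_le(y, x, -c, strict=True)

    def check(self):
        """Bellman-Ford from a virtual source at distance 0 from every node.
        Returns ("sat", model) with a rational model, or ("unsat", cycle) where
        cycle lists the literals of a negative cycle (the explanation)."""
        if not self.edges:
            return "sat", {}
        dist = {v: ZERO for v in self.nodes}
        pred = {v: None for v in self.nodes}
        last = None
        for _ in range(len(self.nodes)):
            last = None
            for x, y, w, lit in self.edges:
                d = add(dist[x], w)
                if d < dist[y]:
                    dist[y], pred[y], last = d, (x, lit), y
            if last is None:          # no edge relaxed: distances are final
                return "sat", self._model(dist)
        # An edge still relaxed in pass n: walk predecessors n times to land
        # on the negative cycle, then collect the literals around it.
        v = last
        for _ in range(len(self.nodes)):
            v = pred[v][0]
        cycle, u = [], v
        while True:
            u, lit = pred[u]
            cycle.append(lit)
            if u == v:
                return "unsat", cycle[::-1]

    def _model(self, dist):
        # val(v) = -dist[v] gives val(x) - val(y) = dist[y] - dist[x] <= w on
        # every edge; choose a concrete eps small enough that strict edges hold.
        eps = Fraction(1)
        for x, y, w, _ in self.edges:
            s0 = w[0] - dist[y][0] + dist[x][0]
            s1 = w[1] - dist[y][1] + dist[x][1]
            if s1 < 0:
                eps = min(eps, s0 / -s1)
        return {v: -(d[0] + d[1] * eps) for v, d in dist.items()}


def slide_example():
    """The unsatisfiable constraints from the slide: the cycle sums to -1."""
    dl = DifferenceLogic()
    dl.assert_le("x1", "x2", -3)
    dl.assert_le("x2", "x3", 1)
    dl.assert_le("x3", "x4", -2)
    dl.assert_le("x4", "x1", 3)
    return dl.check()


def strict_example(negated):
    """Constructed case: x - y <= 3 together with either not(x - y <= 3)
    (unsat: the cycle weighs -eps) or y - x <= -3 (sat: the cycle weighs 0)."""
    dl = DifferenceLogic()
    dl.assert_le("x", "y", 3)
    if negated:
        dl.assert_not_le("x", "y", 3)
    else:
        dl.assert_le("y", "x", -3)
    return dl.check()


if __name__ == "__main__":
    print(slide_example())
    print(strict_example(True))
    print(strict_example(False))
```

The returned cycle is exactly the "succinct explanation" a backtracking SAT engine needs: the negation of those literals is a valid conflict clause. The lexicographic pair ordering makes the real-valued case with negated literals decidable without ever choosing a concrete ε until a model is read out.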

General linear arithmetic

Not all linear arithmetic uses only two variables per inequality.

Two approaches to arithmetic:

Fourier-Motzkin: a quantifier elimination procedure

    ∃x (t ≤ a·x ∧ t' ≤ b·x ∧ c·x ≤ t'')   ≡   c·t ≤ a·t'' ∧ c·t' ≤ b·t''

Polynomial for difference logic. Generally: exponential space, doubly exponential time.

Simplex: worst-case exponential, but time-tried practical efficiency. Linear space.

Fast linear arithmetic

Simplex general form; pre-processing step; algorithm based on dual simplex; efficient backtracking; efficient theory propagation.

The following material is from: Dutertre & de Moura, CAV 2006

Fast linear arithmetic: general form

General form: A·x = s, with bounds l_j ≤ x_j, s_j ≤ u_j. Only bounds (e.g., s1 ≥ 0) are asserted during search.

Example:

    x ≥ 0 ∧ (x + y ≤ 2 ∨ x + 2y ≥ 6) ∧ (x + y ≥ 2 ∨ x + 2y > 4)

becomes, with s1 := x + y and s2 := x + 2y,

    x ≥ 0 ∧ (s1 ≤ 2 ∨ s2 ≥ 6) ∧ (s1 ≥ 2 ∨ s2 > 4)

Fast linear arithmetic – search

The tableau A·x = s is built during pre-processing. Bounds are asserted and un-asserted during search.

Backtracking should be cheap – and it is: let β(x1) = 0, β(x2) = −1, β(s2) = 0. If β satisfies x1 ≤ 4, x2 ≥ −1, −3 ≤ s2, then β still satisfies x1 ≤ 4, x2 ≥ −1 once the bound on s2 is retracted, so nothing has to be restored.

Fast linear arithmetic – dual simplex

Tableau A·x = s from pre-processing. The initial assignment β, with β(x_i) = 0 and β(s_i) = 0, satisfies the tableau.

What do we do when bounds are asserted? We pivot.

Terminology: in A·x = s the s variables are basic; the x variables are non-basic.

Invariant on A·x = s, β: for non-basic variables, l_j ≤ β(x_j) ≤ u_j. The role of pivoting: also satisfy bounds on non-basic variables.

New bound x_j ≤ u is asserted. Set β(x_j) := min(β(x_j), u). Check each row containing x_j whether the bounds on non-basic variables are satisfied. If not, pivot and update β.

Example (worked on the slides as a sequence of tableau snapshots with columns Assignment, Equations and Bounds over the variables x, y and the slack variables s, u, v, each slack defined as a linear combination of x and y; the numeric entries did not survive extraction, only the step titles are kept here):

Asserting: assignment does not satisfy bounds; pivot s and x (s is a dependent variable); update dependent variable assignment.
Asserting: assignment satisfies new bound.
Case split: bounds do not satisfy assignment; update assignment; update dependent assignment.
Bound violation: pivot x and s (x is a dependent variable); update assignment.
Theory propagation. Boolean propagation. Theory propagation. Conflict. Backtrack.
Assert a bound on y: assignment does not satisfy bound; update assignment.
Theory propagation. Boolean propagation.
Assignment does not satisfy bounds: pivot v and x (v is a dependent variable); update assignment to v; update all other assignments.
Boolean propagation.
Bound violation: assignment to u does not satisfy bounds; pivot u and v (u is a dependent variable); update assignment; update assignment on dependent variables.
Bound violation: bounds on s are violated; pivot s and y (s is a dependent variable); update value of s; propagate pivot to other rows; propagate assignment to dependent variables.
Tableau is feasible, constraints are satisfied.

Fast linear arithmetic – recap

New bound x_j ≤ u is asserted. Set β(x_j) := min(β(x_j), u). Check each row containing x_j whether the bounds on non-basic variables are satisfied. The tableau is infeasible if for some row

    s = 3x1 + 4x2 − 5x3

either l_s > 3u_x1 + 4u_x2 − 5l_x3, or u_s < 3l_x1 + 4l_x2 − 5u_x3.

A tableau may still be feasible even if one non-basic variable does not satisfy its bound.

Restore a feasible tableau by pivoting: exchange basic and non-basic variables in a row where the basic variable can be fixed; substitute the new basic variable everywhere else; update the assignment.
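As an added Python example (my own, not the slides' code and not Z3's implementation), the following reconstructs the bound-driven dual simplex the slides walk through: a tableau of basic (dependent) variables over non-basic ones, the assignment β, bound assertion with an immediate update of non-basic variables, pivoting to repair a basic variable that violates its bound, and the infeasible-row test of the recap, which doubles as the conflict explanation. It runs on the pre-processing example from the Dutertre & de Moura paper cited above (s1 = x + y, s2 = x + 2y, x ≥ 0), choosing the two branches of the case split by hand. The class and function names, the Bland-rule variable ordering and the literal labels are my own assumptions.

```python
from fractions import Fraction

INF = float("inf")


class Simplex:
    """Bound-driven general simplex (after Dutertre & de Moura, CAV 2006).
    Rows define each basic variable over the non-basic ones. The assignment
    beta always satisfies every row and the bounds of non-basic variables;
    pivoting repairs basic ones. Bounds carry the literal that asserted them."""

    def __init__(self, rows):
        # rows: {basic: {nonbasic: coefficient}}, e.g. {"s1": {"x": 1, "y": 1}}
        self.rows = {b: {v: Fraction(c) for v, c in r.items()} for b, r in rows.items()}
        nonbasic = sorted({v for r in self.rows.values() for v in r})
        self.order = nonbasic + list(self.rows)            # fixed order: Bland's rule
        self.beta = {v: Fraction(0) for v in self.order}    # initial assignment, all 0
        self.lower = {v: (-INF, None) for v in self.order}  # (bound, asserting literal)
        self.upper = {v: (INF, None) for v in self.order}

    def _update(self, x, val):
        """Move non-basic x to val, adjusting every basic variable that uses it."""
        delta = val - self.beta[x]
        for b, row in self.rows.items():
            if x in row:
                self.beta[b] += row[x] * delta
        self.beta[x] = val

    def assert_bound(self, x, val, lit, is_upper):
        """Assert x <= val (is_upper) or x >= val; False means immediate clash."""
        val, sgn = Fraction(val), (1 if is_upper else -1)
        own, other = (self.upper, self.lower) if is_upper else (self.lower, self.upper)
        if sgn * val >= sgn * own[x][0]:
            return True                     # weaker than the bound already known
        if sgn * val < sgn * other[x][0]:
            return False                    # clashes with the opposite bound
        own[x] = (val, lit)
        if x not in self.rows and sgn * self.beta[x] > sgn * val:
            self._update(x, val)            # non-basic: repair its value at once
        return True

    def _pivot_and_update(self, xi, xj, val):
        """Set basic xi to val by moving non-basic xj, then swap their roles."""
        theta = (val - self.beta[xi]) / self.rows[xi][xj]
        self.beta[xi] = val
        self.beta[xj] += theta
        for b, row in self.rows.items():
            if b != xi and xj in row:
                self.beta[b] += row[xj] * theta
        row = self.rows.pop(xi)
        a = row.pop(xj)
        new = {v: -c / a for v, c in row.items()}       # solve row xi for xj
        new[xi] = 1 / a
        for r in self.rows.values():                    # substitute xj elsewhere
            if xj in r:
                c = r.pop(xj)
                for v, k in new.items():
                    r[v] = r.get(v, 0) + c * k
                    if r[v] == 0:
                        del r[v]
        self.rows[xj] = new

    def _movable(self, v, a, up):
        """Can non-basic v (coefficient a) push the basic variable in direction
        `up` without leaving v's own bounds?"""
        if (a > 0) == up:
            return self.beta[v] < self.upper[v][0]
        return self.beta[v] > self.lower[v][0]

    def check(self):
        """Returns ("sat", model) or ("unsat", literals explaining the conflict)."""
        while True:
            bad = [b for b in self.order if b in self.rows
                   and not self.lower[b][0] <= self.beta[b] <= self.upper[b][0]]
            if not bad:
                return "sat", dict(self.beta)
            xi, row = bad[0], self.rows[bad[0]]
            up = self.beta[xi] < self.lower[xi][0]         # must xi rise or fall?
            target, lit = (self.lower if up else self.upper)[xi]
            for xj in self.order:
                if xj in row and self._movable(xj, row[xj], up):
                    self._pivot_and_update(xi, xj, target)
                    break
            else:  # every non-basic in the row is stuck at a bound: the recap's test
                return "unsat", [lit] + [(self.upper if (a > 0) == up else self.lower)[v][1]
                                         for v, a in row.items()]


def cav06_example(branch):
    """x >= 0 with s1 = x + y, s2 = x + 2y. Branch 1 asserts s1 <= 2 and
    s2 >= 6 (infeasible); branch 2 asserts s1 <= 2 and s1 >= 2 (feasible)."""
    sx = Simplex({"s1": {"x": 1, "y": 1}, "s2": {"x": 1, "y": 2}})
    sx.assert_bound("x", 0, "x >= 0", False)
    sx.assert_bound("s1", 2, "s1 <= 2", True)
    if branch == 1:
        sx.assert_bound("s2", 6, "s2 >= 6", False)
    else:
        sx.assert_bound("s1", 2, "s1 >= 2", False)
    return sx.check()
```

In branch 1 the search pivots twice (s2 with x, then s1 with y) and ends with the row x = 2·s1 − s2 whose non-basic variables are both pinned at the bounds that keep x below 0; the returned literals {x ≥ 0, s1 ≤ 2, s2 ≥ 6} are precisely that row's explanation, the same shape as the recap's l_s > 3u_x1 + 4u_x2 − 5l_x3 test. Branch 2 pivots once and returns a model with x + y = 2. Because bounds are only ever tightened or retracted, un-asserting a bound never requires touching β or the tableau, which is the cheap backtracking the search slide promised.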

Integer linear arithmetic: GCD test; Gomory cuts; branch and bound.

Non-linear arithmetic. Mostly encountered in SMT applications to hybrid systems. The decision problem is doubly exponential. Tools: CAD (cylindrical algebraic decomposition); Gröbner basis computation; symbolic solutions (using non-standard numerals).

Precise explanations

Takeaways. The choice of solver (and when to apply it) depends on:

Problem characteristics: difference logic; dense difference logic – Floyd-Warshall; full linear arithmetic.

The solver must work in the context of a backtracking search engine and must produce succinct explanations.

Application: Spec#/Boogie

http://research.microsoft.com/specsharp

Spec# approach for a verifying compiler

Source language: C# + goodies = Spec#
Specifications: method contracts, invariants, field and type annotations.
Program logic: Dijkstra's weakest preconditions.
Automatic verification: type checking, verification condition generation (VCG), automatic theorem proving (SMT).

Pipeline: Spec# (annotated C#) → Spec# compiler → Boogie PL → VC generator → formulas → automatic theorem prover.

A short demo: Spec#