Quantifiers, Arithmetic and Fixed-points
Transcript of Quantifiers, Arithmetic and Fixed-points
Quantifier Elimination Procedures in Z3
Support for Non-linear arithmetic
Fixed-points – features and a preview
Quantifier Elimination
Option: ELIM_QUANTIFIERS=true
LRA – Linear real arithmetic
LIA – Linear integer arithmetic
D – Algebraic Datatypes
Booleans & Bit-vectors – (All-SAT)
NRA2 – Quadratic (using virtual substitutions)
Arrays – ad hoc
LRA
Terms
Atoms
Formulas
Quantifier Elimination Samples
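As an added example that is not part of the slides and not Z3's own implementation, here is the conjunctive case of LRA quantifier elimination written out in Python: Fourier-Motzkin elimination removes an existential quantifier from a conjunction of linear inequalities by pairing every lower bound on the variable with every upper bound. The atom encoding, the helper names and the two sample formulas are constructed for this example; Z3's own LRA procedure is not reproduced here.

```python
from fractions import Fraction
from itertools import product

# Added example (not Z3's code): quantifier elimination for the conjunctive
# fragment of LRA by Fourier-Motzkin.  An atom is a triple
# (coeffs, const, strict) standing for  sum(coeffs[v] * v) + const <= 0
# (or < 0 when strict is True); coefficients are exact Fractions.

def atom(coeffs, const=0, strict=False):
    """Build an atom, dropping zero coefficients so 'absent' means 'coefficient 0'."""
    return ({v: Fraction(c) for v, c in coeffs.items() if c != 0}, Fraction(const), strict)

def scale(a, k):
    """Multiply an atom by a positive constant k (keeps the inequality direction)."""
    coeffs, const, strict = a
    return ({v: c * k for v, c in coeffs.items()}, const * k, strict)

def add(a, b):
    """Sum two atoms; the result is strict if either input was strict."""
    coeffs = dict(a[0])
    for v, c in b[0].items():
        coeffs[v] = coeffs.get(v, Fraction(0)) + c
    coeffs = {v: c for v, c in coeffs.items() if c != 0}
    return (coeffs, a[1] + b[1], a[2] or b[2])

def eliminate(atoms, x):
    """Return atoms equivalent (over the reals) to  exists x. AND(atoms)."""
    lower, upper, rest = [], [], []
    for a in atoms:
        c = a[0].get(x, Fraction(0))
        if c == 0:
            rest.append(a)                     # x does not occur: keep as is
        elif c > 0:
            upper.append(scale(a, 1 / c))      # normalised to  x + r_u (<=|<) 0, i.e. x <= -r_u
        else:
            lower.append(scale(a, -1 / c))     # normalised to -x + r_l (<=|<) 0, i.e. x >= r_l
    # Every lower bound must lie below every upper bound: r_l + r_u (<=|<) 0.
    # Adding a normalised pair cancels x exactly (coefficients -1 and +1).
    for lo, up in product(lower, upper):
        rest.append(add(lo, up))
    return rest

def qe(atoms, variables):
    """Eliminate several existentially quantified variables, one after the other."""
    for x in variables:
        atoms = eliminate(atoms, x)
    return atoms

def holds(a):
    """Truth value of a variable-free atom."""
    assert not a[0], "atom still mentions variables"
    return a[1] < 0 if a[2] else a[1] <= 0

def satisfiable(atoms, variables):
    """Decide  exists variables. AND(atoms)  by eliminating every variable."""
    return all(holds(a) for a in qe(atoms, variables))

def fmt(a):
    """Render an atom as text, variables in alphabetical order, e.g. 'y - z <= 0'."""
    coeffs, const, strict = a
    parts = [('-' if c < 0 else '+', v if abs(c) == 1 else f"{abs(c)}*{v}")
             for v, c in sorted(coeffs.items())]
    if const != 0 or not parts:
        parts.append(('-' if const < 0 else '+', str(abs(const))))
    text = ('-' if parts[0][0] == '-' else '') + parts[0][1]
    for sign, term in parts[1:]:
        text += f" {sign} {term}"
    return text + (" < 0" if strict else " <= 0")

if __name__ == "__main__":
    # Constructed sample:  exists x. y <= x  and  x <= z  and  x < 5
    phi = [atom({'y': 1, 'x': -1}), atom({'x': 1, 'z': -1}), atom({'x': 1}, -5, True)]
    print([fmt(a) for a in eliminate(phi, 'x')])   # ['y - z <= 0', 'y - 5 < 0']
    # Constructed sample:  exists x, y. x < y  and  y < x  leaves the contradiction 0 < 0
    psi = [atom({'x': 1, 'y': -1}, 0, True), atom({'y': 1, 'x': -1}, 0, True)]
    print(satisfiable(psi, ['x', 'y']))             # False
```

Each elimination step can square the number of atoms (every lower bound meets every upper bound), which is why real procedures add simplification between steps; the example keeps the bare rule so the pairing is visible.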
LIA
Terms
Atoms
Formulas
D – algebraic data-types
Domain Closure:
$\exists x.\,\varphi[x] \;\equiv\; \bigvee_i \exists x.\, \mathit{IsC}_i(x) \wedge \varphi[x]$
Eliminate accessors:
$\exists x.\, \mathit{IsC}(x) \wedge \varphi[\mathit{acc}_j(x), x] \;\equiv\; \exists \bar{y}.\, \varphi[y_j, C(\bar{y})]$
Solve equalities:
Virtual substitution:
$\exists x.\, \mathit{IsC}_i(x) \wedge \varphi[\mathit{IsC}_j(x)] \;\equiv\; \exists x.\, \mathit{IsC}_i(x) \wedge \varphi[\mathit{false}] \quad \text{for } C_i \neq C_j$
NRA
Virtual substitutions for second-degree polynomials
Method by Weispfenning et al. (Redlog)
Used both as quantifier elimination (all SAT) and ground decision procedure (first SAT)
….
Layered diagram (labels recovered): an Analysis Tool on top of the Logic Engine Z3 and its fixed-point engine μZ.
Tool Encodings: SLAyer, SAGE, Predicate Based MC, Sep. Logic, Interpolating MC, BDD MC
Fixed-Point Methodology: Abstract Interpretation, Simulation Relation, Logic Programming, Havoc/Houdini, Datalog, GateKeeper, Summaries, Abstraction Refinement
The μZ Tool
Ships with Z3
Online demo
BDD table sample in distribution
Mostly developed by Krystof Hoder
Why fixed-points
Recall the basic sausage* rule:
Variant for Connoisseurs:
In a nutshell:
Aim of Satisfiability Modulo Fixed-points and Theories.
Is valid?
Is satisfiable?
* “sausage” terminology by Andrey Rybalchenko
Portfolio approach to fixed-points
Efficient Datalog Engine
Finite Tables
Symbolic Tables
Composable Abstract Relations:
Use abstract interpretation domains.
Use SMT as a domain.
Reduced product operators for sharing
Efficient Algorithms from Symbolic MC Modulo Theories
I will give a taste of this later.
Is satisfiable?
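The Datalog engine in the portfolio computes a least fixed-point over finite tables. As an added example, not μZ's code and not from the slides, here is a naive bottom-up Datalog evaluator in Python run on a constructed call-graph: the rules derive which sensitive sinks are reachable from functions that handle untrusted input, and the query "is flow(X, Y) satisfiable?" is answered by whether the fixed-point contains a matching tuple. Predicate names, function names and the graph are constructed.

```python
# Added example (not μZ's code): naive bottom-up Datalog fixed-point over finite
# tables.  An atom is (predicate, args); an argument starting with an upper-case
# letter is a variable, anything else is a constant.  A rule is (head, [body atoms]).

def is_var(term):
    return term[0].isupper()

def unify(pattern, row, env):
    """Extend env so that pattern matches row, or return None if that is impossible."""
    env = dict(env)
    for p, v in zip(pattern, row):
        if is_var(p):
            if env.setdefault(p, v) != v:
                return None
        elif p != v:
            return None
    return env

def matches(body, db, env=None):
    """Generate every variable binding under which all body atoms hold in db."""
    env = {} if env is None else env
    if not body:
        yield env
        return
    pred, args = body[0]
    for row in list(db.get(pred, ())):          # snapshot: db grows while we iterate
        new_env = unify(args, row, env)
        if new_env is not None:
            yield from matches(body[1:], db, new_env)

def fixpoint(facts, rules):
    """Least fixed-point: apply every rule until no new tuple is derived."""
    db = {}
    for pred, row in facts:
        db.setdefault(pred, set()).add(tuple(row))
    changed = True
    while changed:
        changed = False
        for (head_pred, head_args), body in rules:
            for env in matches(body, db):
                row = tuple(env[a] if is_var(a) else a for a in head_args)
                table = db.setdefault(head_pred, set())
                if row not in table:
                    table.add(row)
                    changed = True
    return db

# Constructed call-graph sample: edge(f, g) means f calls g; source marks functions that
# take untrusted input, sink marks sensitive operations.
FACTS = [
    ("edge", ("parse_request", "sanitize")),
    ("edge", ("sanitize", "build_query")),
    ("edge", ("build_query", "exec_query")),
    ("edge", ("log_request", "write_log")),
    ("source", ("parse_request",)),
    ("sink", ("exec_query",)),
    ("sink", ("write_log",)),
]
RULES = [
    # reaches is the transitive closure of edge (a recursive rule)
    (("reaches", ("X", "Y")), [("edge", ("X", "Y"))]),
    (("reaches", ("X", "Z")), [("reaches", ("X", "Y")), ("edge", ("Y", "Z"))]),
    # flow(X, Y): untrusted input at X can reach sink Y
    (("flow", ("X", "Y")), [("source", ("X",)), ("sink", ("Y",)), ("reaches", ("X", "Y"))]),
]

def source_to_sink_flows(facts=FACTS, rules=RULES):
    """Answer 'is flow(X, Y) satisfiable?' by reading the flow table of the fixed-point."""
    return sorted(fixpoint(facts, rules).get("flow", set()))

if __name__ == "__main__":
    print(source_to_sink_flows())   # [('parse_request', 'exec_query')]
```

This is the naive iteration strategy: every round re-derives all tuples and stops when a round adds nothing. A production engine uses semi-naive evaluation (joining only against tuples new since the last round) and table representations such as the hash-tables and BDDs listed on the next slides, but the fixed-point it reaches is the same.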
Architecture diagram (labels recovered): Core Engine; Parser; Rule transformations (Early preprocessing, Rule normalization, Late preprocessing); Compilation (Relational Algebra Abstract Machine); Execution (Restarts); Results; external components: BDD packages, Abstract Domains, Interpolation Tools.
Plugin architecture: new domains are added using plugins implementing Relational Algebra operations.
Relation representation (diagram labels recovered):
Tables: Hash-table, BDD, Bit-vectors
Relations: SMT, Explanations, External
Abstractions: Intervals, Bounds
Compositions: Finite product, Relation product
Pentagons = Intervals + Bounds
Product: Table x Table
Indexed Relation: Table x Relation
Reduced Product: Relation x Relation
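As an added example that is not μZ's code and not from the slides, here is a reduced product of two of the abstractions listed above, Intervals and Bounds, i.e. the Pentagons composition over integer variables: during reduction each component sharpens the other, so a join at a control-flow merge can keep an index-below-length fact that the interval domain alone would lose. Variable names and the sample states are constructed.

```python
from math import inf

# Added example (not μZ's code): the "Pentagons = Intervals + Bounds" reduced product
# on integer variables.  Intervals map each variable to [lo, hi] (with -inf/inf);
# Bounds is a set of pairs (x, y) meaning x < y.  Reduction lets each component
# tighten the other, which is what distinguishes a reduced product from a plain one.

class Pentagon:
    def __init__(self, intervals, bounds):
        self.iv = {v: (lo, hi) for v, (lo, hi) in intervals.items()}
        self.lt = set(bounds)
        self.bottom = any(lo > hi for lo, hi in self.iv.values())
        if not self.bottom:
            self.reduce()

    def _set(self, v, lo, hi):
        """Update one interval; an empty interval means the state is unreachable."""
        self.iv[v] = (lo, hi)
        if lo > hi:
            self.bottom = True

    def reduce(self):
        """Propagate facts between the two components until nothing changes."""
        changed = True
        while changed and not self.bottom:
            changed = False
            # Bounds -> Intervals: x < y gives x <= hi(y) - 1 and y >= lo(x) + 1.
            for x, y in list(self.lt):
                lx, hx = self.iv[x]
                ly, hy = self.iv[y]
                if hy - 1 < hx or lx + 1 > ly:
                    self._set(x, lx, min(hx, hy - 1))
                    self._set(y, max(ly, lx + 1), hy)
                    changed = True
                    if self.bottom:          # contradictory bounds: stop, state is empty
                        return
            # Intervals -> Bounds: hi(x) < lo(y) gives x < y.
            for x in self.iv:
                for y in self.iv:
                    if x != y and (x, y) not in self.lt and self.iv[x][1] < self.iv[y][0]:
                        self.lt.add((x, y))
                        changed = True

    def join(self, other):
        """Least upper bound at a control-flow merge (assumes the same variables)."""
        if self.bottom:
            return other
        if other.bottom:
            return self
        iv = {v: (min(self.iv[v][0], other.iv[v][0]), max(self.iv[v][1], other.iv[v][1]))
              for v in self.iv}
        return Pentagon(iv, self.lt & other.lt)   # bounds true on both paths survive

    def proves_lt(self, x, y):
        """Does the state establish x < y (e.g. an index strictly below a length)?"""
        return (not self.bottom) and ((x, y) in self.lt or self.iv[x][1] < self.iv[y][0])

if __name__ == "__main__":
    # Constructed states: a loop body knows only idx < len; a second path knows
    # idx in [0,5] and len == 10 but carries no explicit bound.
    loop = Pentagon({'idx': (0, inf), 'len': (0, inf)}, {('idx', 'len')})
    branch = Pentagon({'idx': (0, 5), 'len': (10, 10)}, set())
    print(loop.join(branch).proves_lt('idx', 'len'))   # True
```

Without reduction the second path would contribute no bound, the intersection at the join would be empty, and the joined intervals ([0, inf) for both variables) could not show the access is in range; reduction recovers idx < len from the intervals before the join, so the fact survives.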
Preview – Generalized PDR
Is valid?
Is satisfiable?
PDR: Property Directed Reachability
A new Algorithm For Symbolic Model Checking of Hardware, by Aaron Bradley.
In μZ:
- Lift it to procedures: multiple operators, non-linear
- Lift beyond propositional logic: theories, non-ground
Simple sample demo
Generalizations
PDR works for linear transformers
Generalize to non-linear
PDR works with a single transformer
Work with multiple transformers: a solver for Datalog/Boolean programs
PDR is for propositional logic
Search modulo theories (with McMillan’s Foci, Z3 and other methods)