Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands...
Transcript of Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands...
![Page 1: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/1.jpg)
Quantifiers
Bruno Dutertre
SRI International
Leonardo de Moura
Microsoft Research
![Page 2: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/2.jpg)
Verification Tools need Quantifiers
Modeling the Runtime
h,o,f: IsHeap(h) o ≠ null read(h, o, alloc) = t read(h,o, f) = null read(h, read(h,o,f),alloc) =
![Page 3: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/3.jpg)
Verification Tools need Quantifiers
Frame Axioms
o, f: o ≠ null read(h0, o, alloc) = t read(h1,o,f) = read(h0,o,f) (o,f) M
![Page 4: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/4.jpg)
Verification Tools need Quantifiers
User provided assertions
i,j: i j read(a,i) read(b,j)
![Page 5: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/5.jpg)
Verification Tools need Quantifiers
Extra Theories
x: p(x,x)
x,y,z: p(x,y), p(y,z) p(x,z)
x,y: p(x,y), p(y,x) x = y
![Page 6: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/6.jpg)
Verification Tools need Quantifiers
Main Challenge
Solver must be fast is satisfiable instances
![Page 7: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/7.jpg)
Verifying Compilers
Annotated Program
Verification Condition F
pre/post conditions invariants and other annotations
![Page 8: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/8.jpg)
Verification Condition: Structure
BIG and-or
tree (ground)
Axioms (non-ground)
Control & Data Flow
![Page 9: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/9.jpg)
VCC: Verifying C Compiler
![Page 10: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/10.jpg)
BAD NEWS
First-order logic (FOL) is semi-decidable
Quantifiers + EUF
![Page 11: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/11.jpg)
BAD NEWS
FOL + Linear Integer Arithmetic is undecidable
Quantifiers + EUF + LIA
![Page 12: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/12.jpg)
Hypervisor
Hardware
Hypervisor
Challenges: VCs have several Megabytes Thousands universal quantifiers Developers are willing at most 5 min per VC
![Page 13: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/13.jpg)
Verification Attempt Time vs. Satisfaction and Productivity
![Page 14: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/14.jpg)
NNF: Negation Normal Form
![Page 15: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/15.jpg)
NNF: Negation Normal Form
![Page 16: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/16.jpg)
Skolemization
![Page 17: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/17.jpg)
Skolemization
![Page 18: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/18.jpg)
- Many Approaches
Heuristic quantifier instantiation
SMT + Saturation provers
Complete quantifier instantiation
Decidable fragments
Model based quantifier instantiation
Quantifier Elimination
![Page 19: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/19.jpg)
Heuristic Quantifier Instantiation
E-matching (matching modulo equalities).
Example:
x: f(g(x)) = x { f(g(x)) }
a = g(b),
b = c,
f(a) c
Pattern/Trigger
![Page 20: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/20.jpg)
Heuristic Quantifier Instantiation
E-matching (matching modulo equalities).
Example:
x: f(g(x)) = x { f(g(x)) }
a = g(b),
b = c,
f(a) c
x=b f(g(b)) = b
![Page 21: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/21.jpg)
E-matching problem
![Page 22: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/22.jpg)
E-matching Challenge
Number of matches can be exponential
It is not refutationally complete
The real challenge is finding new matches:
Incrementally during backtracking search
Large database of patterns
![Page 23: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/23.jpg)
EUF Solver: Review
![Page 24: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/24.jpg)
EUF Solver: Review
![Page 25: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/25.jpg)
EUF Solver: Review
![Page 26: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/26.jpg)
EUF Solver: Review
![Page 27: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/27.jpg)
EUF Solver: Review
![Page 28: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/28.jpg)
EUF Solver: Review
![Page 29: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/29.jpg)
EUF Solver: Review
![Page 30: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/30.jpg)
EUF Solver: Review
![Page 31: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/31.jpg)
EUF Solver: Review
![Page 32: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/32.jpg)
EUF Solver: Review
![Page 33: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/33.jpg)
E-matching
![Page 34: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/34.jpg)
E-matching: Example
![Page 35: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/35.jpg)
E-matching: Example
![Page 36: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/36.jpg)
E-matching: Example
![Page 37: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/37.jpg)
E-matching: Example
![Page 38: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/38.jpg)
E-matching: Example
![Page 39: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/39.jpg)
E-matching: Example
![Page 40: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/40.jpg)
E-matching: Example
![Page 41: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/41.jpg)
E-matching: Example
![Page 42: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/42.jpg)
E-matching: Example
![Page 43: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/43.jpg)
E-matching: Example
![Page 44: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/44.jpg)
E-matching: Example
![Page 45: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/45.jpg)
E-matching: Example
![Page 46: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/46.jpg)
E-matching: Example
![Page 47: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/47.jpg)
E-matching: Example
![Page 48: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/48.jpg)
E-matching: Example
![Page 49: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/49.jpg)
E-matching: Example
![Page 50: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/50.jpg)
E-matching: Example
![Page 51: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/51.jpg)
Efficient E-matching
Problem Indexing Technique
Fast retrieval
E-matching code trees
Incremental E-Matching Inverted path index
![Page 52: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/52.jpg)
E-matching: code trees
Trigger: f(x1, g(x1, a), h(x2), b)
Instructions: 1. init(f, 2) 2. check(r4, b, 3) 3. bind(r2, g, r5, 4) 4. compare(r1, r5, 5) 5. check(r6, a, 6) 6. bind(r3, h, r7, 7) 7. yield(r1, r7)
Compiler
Similar triggers share several instructions.
Combine code sequences in a code tree
![Page 53: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/53.jpg)
E-matching limitations
E-matching needs ground seeds.
x: p(x),
x: not p(x)
![Page 54: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/54.jpg)
E-matching limitations
Bad user provided triggers:
x: f(g(x))=x { f(g(x)) }
g(a) = c,
g(b) = c,
a b
Trigger is too restrictive
![Page 55: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/55.jpg)
E-matching limitations
Bad user provided triggers:
x: f(g(x))=x { g(x) }
g(a) = c,
g(b) = c,
a b
More “liberal” trigger
![Page 56: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/56.jpg)
E-matching limitations
Bad user provided triggers:
x: f(g(x))=x { g(x) }
g(a) = c,
g(b) = c,
a b,
f(g(a)) = a,
f(g(b)) = b
a=b
![Page 57: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/57.jpg)
E-matching limitations
It is not refutationally complete
False positives
![Page 58: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/58.jpg)
E-matching: why do we use it?
Integrates smoothly with current SMT Solvers design.
Proof finding.
Software verification problems are big & shallow.
![Page 59: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/59.jpg)
Decidable Fragments &
Complete Quantifier Instatiation
![Page 60: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/60.jpg)
+ theories
There is no sound and refutationally complete
procedure for
linear arithmetic + unintepreted function symbols
![Page 61: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/61.jpg)
Model Generation
How to represent the model of satisfiable formulas?
Functor:
Given a model M for T
Generate a model M’ for F (modulo T)
Example: F: f(a) = 0 and a > b and f(b) > f(a) + 1
Symbol Interpretation
a 1
b 0
f ite(x=1, 0, 2)
M’:
![Page 62: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/62.jpg)
Model Generation
How to represent the model of satisfiable formulas?
Functor:
Given a model M for T
Generate a model M’ for F (modulo T)
Example: F: f(a) = 0 and a > b and f(b) > f(a) + 1
Symbol Interpretation
a 1
b 0
f ite(x=1, 0, 2)
M’:
Interpretation is given using T-symbols
![Page 63: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/63.jpg)
Model Generation
How to represent the model of satisfiable formulas?
Functor:
Given a model M for T
Generate a model M’ for F (modulo T)
Example: F: f(a) = 0 and a > b and f(b) > f(a) + 1
Symbol Interpretation
a 1
b 0
f ite(x=1, 0, 2)
M’:
Non ground term (lambda expression)
![Page 64: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/64.jpg)
Models as Functional Programs
![Page 65: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/65.jpg)
Model Checking
Symbol Interpretation
a 1
b 0
f ite(x=1, 0, 2)
M’:
Is x: f(x) ≥ 0 satisfied by M’?
Yes, not (ite(k=1,0,2) ≥ 0) is unsatisfiable
![Page 66: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/66.jpg)
Model Checking
Symbol Interpretation
a 1
b 0
f ite(x=1, 0, 2)
M’:
Is x: f(x) ≥ 0 satisfied by M’?
Yes, not (ite(k=1,0,2) ≥ 0) is unsatisfiable
Negated quantifier Replaced f by its interpretation Replaced x by fresh constant k
![Page 67: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/67.jpg)
Essentially uninterpreted fragment
Variables appear only as arguments of uninterpreted symbols.
f(g(x1) + a) < g(x1) h(f(x1), x2) = 0
f(x1+x2) f(x1) + f(x2)
![Page 68: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/68.jpg)
Basic Idea
Given a set of formulas F, build an equisatisfiable set of quantifier-free formulas F*
Suppose 1. We have a clause C[f(x)] containing f(x). 2. We have f(t). Instantiate x with t: C[f(t)].
“Domain” of f is the set of ground terms Af
t Af if there is a ground term f(t)
![Page 69: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/69.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F*
![Page 70: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/70.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0
Copy quantifier-free formulas
“Domains”: Af: { a } Ag: { } Ah: { c }
![Page 71: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/71.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0,
“Domains”: Af : { a } Ag : { } Ah : { c }
![Page 72: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/72.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a)
“Domains”: Af : { a } Ag : { [f(a), b] } Ah : { c }
![Page 73: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/73.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a),
“Domains”: Af : { a } Ag : { [f(a), b] } Ah : { c }
![Page 74: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/74.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a), g(f(a), b) = 0 h(b) = 0
“Domains”: Af : { a } Ag : { [f(a), b] } Ah : { c, b }
![Page 75: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/75.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a), g(f(a), b) = 0 h(b) = 0
“Domains”: Af : { a } Ag : { [f(a), b]} Ah : { c, b }
![Page 76: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/76.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a), g(f(a), b) = 0 h(b) = 0, g(f(a), c) = 0 h(c) = 0
“Domains”: Af : { a } Ag : { [f(a), b], [f(a), c] } Ah : { c, b }
![Page 77: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/77.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a), g(f(a), b) = 0 h(b) = 0, g(f(a), c) = 0 h(c) = 0
a 2, b 2, c 3 f { 2 0, …} h { 2 0, 3 1, …} g { [0,2] -1, [0,3] 0, …}
M
![Page 78: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/78.jpg)
Basic Idea
Given a model M for F*, Build a model M for F
Define a projection function f s.t. range of f is M(Af), and f (v) = v if v M(Af) Then, M(f)(v) = M(f)(f(v))
![Page 79: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/79.jpg)
Basic Idea
M(Af) M(f(Af))
M(Af)
M(f(Af))
M(f) M(Af)
f
M(f)
M(f)
![Page 80: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/80.jpg)
Basic Idea
Given a model M for F*, Build a model M for F
In our example, we have: h(b) and h(c) Ah = { b, c }, and M(Ah) = { 2, 3 }
h = { 2 2, 3 3, else 3 }
M(h) { 2 0, 3 1, …}
M(h) { 2 0, 3 1, else 1}
M(h) = x. if(x=2, 0, 1)
![Page 81: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/81.jpg)
Example
g(x1, x2) = 0 h(x2) = 0, g(f(x1),b) + 1 f(x1), h(c) = 1, f(a) = 0
F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1 f(a), g(f(a), b) = 0 h(b) = 0, g(f(a), c) = 0 h(c) = 0
M
a 2, b 2, c 3 f x. 2 h x. if(x=2, 0, 1) g x,y. if(x=0y=2,-1, 0)
M a 2, b 2, c 3 f { 2 0, …} h { 2 0, 3 1, …} g { [0,2] -1, [0,3] 0, …}
![Page 82: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/82.jpg)
Example : Model Checking M
a 2, b 2, c 3 f x. 2 h x. if(x=2, 0, 1) g x,y. if(x=0y=2,-1, 0)
x1, x2: if(x1=0x2=2,-1,0) = 0 if(x2=2,0,1) = 0 is valid
Does M satisfies? x1, x2 : g(x1, x2) = 0 h(x2) = 0
x1, x2: if(x1=0x2=2,-1,0) 0 if(x2=2,0,1) 0 is unsat
if(s1=0s2=2,-1,0) 0 if(s2=2,0,1) 0 is unsat
![Page 83: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/83.jpg)
Why does it work?
Suppose M does not satisfy C[f(x)].
Then for some value v, M{x v} falsifies C[f(x)].
M{x f(v)} also falsifies C[f(x)].
But, there is a term t Af s.t. M(t) = f(v) Moreover, we instantiated C[f(x)] with t.
So, M must not satisfy C[f(t)]. Contradiction: M is a model for F*.
![Page 84: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/84.jpg)
Refinement: Lazy construction
F* may be very big (or infinite).
Lazy-construction Build F* incrementally, F* is the limit of the sequence
F0 F1 … Fk …
If Fk is unsat then F is unsat.
If Fk is sat, then build (candidate) M
If M satisfies all quantifiers in F then return sat.
![Page 85: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/85.jpg)
Refinement: Model-based instantiation
Suppose M does not satisfy a clause C[f(x)] in F.
Add an instance C[f(t)] which “blocks” this spurious model. Issue: how to find t?
Use model checking, and the “inverse” mapping f
-1 from values to terms (in Af). f
-1(v) = t if M(t) = f(v)
![Page 86: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/86.jpg)
Example: Model-based instantiation
F x1: f(x1) < 0, f(a) = 1, f(b) = -1
F0
f(a) = 1,
f(b) = -1
M
a2, b3
f x. if(x = 2, 1, -1)
Model Checking x1: f(x1) < 0
not if(s1= 2, 1, -1) < 0
s1 2
f-1(2) = a
F1
f(a) = 1,
f(b) = -1
f(a) < 0
unsat
![Page 87: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/87.jpg)
Infinite F*
Is refutationally complete?
FOL Compactness A set of sentences is unsatisfiable
iff
it contains an unsatisfiable finite subset.
A theory T is a set of sentences, then
apply compactness to F*T
![Page 88: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/88.jpg)
Infinite F* : Example
F x1: f(x1) < f(f(x1)), x1: f(x1) < a, 1 < f(0).
F*
f(0) < f(f(0)), f(f(0)) < f(f(f(0))), …
f(0) < a, f(f(0)) < a, …
1 < f(0) Every finite subset of F* is satisfiable.
Unsatisfiable
![Page 89: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/89.jpg)
Infinite F* : What is wrong?
Theory of linear arithmetic TZ is the set of all first-order sentences that are true in the standard structure Z. Tz has non-standard models. F and F* are satisfiable in a non-standard model.
Alternative: a theory is a class of structures.
Compactness does not hold.
F and F* are still equisatisfiable.
![Page 90: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/90.jpg)
Extensions
Shifting
(0 x1) (x1 n) f(x1) = g(x1+2)
![Page 91: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/91.jpg)
Extensions
Many-sorted logic Pseudo-Macros
0 g(x1) f(g(x1)) = x1, 0 g(x1) h(g(x1)) = 2x1, g(a) < 0
![Page 94: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/94.jpg)
Related work
Bernays-Schönfinkel class.
Stratified Many-Sorted Logic.
Array Property Fragment.
Local theory extensions.
![Page 95: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/95.jpg)
SMT + Saturation
![Page 96: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/96.jpg)
CDCL/DPLL : Review
M | F
Partial model Set of clauses
![Page 97: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/97.jpg)
CDCL/DPLL : Review
Guessing
p, q | p q, q r
p | p q, q r
![Page 98: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/98.jpg)
CDCL/DPLL : Review
Deducing
p, s| p q, p s
p | p q, p s
![Page 99: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/99.jpg)
CDCL/DPLL : Review
Backtracking
p, s| p q, s q, p q
p, s, q | p q, s q, p q
![Page 100: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/100.jpg)
DPLL()
Tight integration: DPLL + Saturation solver.
BIG and-or
tree (ground)
Axioms (non-ground)
![Page 101: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/101.jpg)
DPLL()
Inference rule:
DPLL() is parametric.
Examples:
Resolution
Superposition calculus
…
![Page 102: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/102.jpg)
DPLL()
M | F
Partial model Set of clauses
![Page 103: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/103.jpg)
DPLL() : Deduce I
p(a) | p(a)q(a), x: p(x)r(x), x: p(x)s(x)
![Page 104: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/104.jpg)
DPLL() : Deduce I
p(a) | p(a)q(a), p(x)r(x), p(x)s(x)
![Page 105: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/105.jpg)
DPLL() : Deduce I
p(a) | p(a)q(a), p(x)r(x), p(x)s(x)
p(a) | p(a)q(a), p(x)r(x), p(x)s(x), r(x)s(x)
Resolution
![Page 106: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/106.jpg)
DPLL() : Deduce II
Using ground atoms from M: M | F
Main issue: backtracking.
Hypothetical clauses:
H C
(regular) Clause (hypothesis) Ground literals
Track literals from M used to derive C
![Page 107: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/107.jpg)
DPLL() : Deduce II
p(a) | p(a)q(a), p(x)r(x)
p(a) | p(a)q(a), p(x)r(x), p(a)r(a)
p(a), p(x)r(x) r(a)
![Page 108: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/108.jpg)
DPLL() : Backtracking
p(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …
![Page 109: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/109.jpg)
DPLL() : Backtracking
p(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …
p(a) is removed from M
p(a) | p(a)q(a), p(a)r(a), …
![Page 110: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/110.jpg)
DPLL() : Improvement
Saturation solver ignores non-unit ground clauses.
p(a) | p(a)q(a), p(x)r(x)
![Page 111: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/111.jpg)
DPLL() : Improvement
Saturation solver ignores non-unit ground clauses.
It is still refutanionally complete if: has the reduction property.
BIG and-or tree
(ground)
Axioms (non-ground)
![Page 112: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/112.jpg)
DPLL() : Improvement
DPLL +
Theories
Saturation Solver
Saturation solver ignores non-unit ground clauses.
It is still refutanionally complete if: has the reduction property.
Ground literals
Ground clauses
![Page 113: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/113.jpg)
DPLL() : Problem
Interpreted symtbols
(f(a) > 2), f(x) > 5
It is refutationally complete if
Interpreted symbols only occur in ground clauses
Non ground clauses are variable inactive
“Good” ordering is used
![Page 114: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/114.jpg)
Summary
E-matching
proof finding
fast
shallow proofs in big formulas
not refutationally complete
regularly solves VCs with more than 5 Mb
![Page 115: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/115.jpg)
Summary
Complete instantiation + MBQI
decides several useful fragments
model & proof finding
slow
complements E-matching
![Page 116: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/116.jpg)
Summary
SMT + Saturation
refutationally complete for pure first-order
proof finding
slow
![Page 117: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/117.jpg)
Not covered
Quantifier elimination
Fourier-Motzkin (Linear Real Arithmetic)
Cooper (Linear Integer Arithmetic)
CAD (Nonlinear Real Arithmetic)
Algebraic Datatypes (Hodges)
Finite model finding
Many Decidable Fragments
![Page 118: Quantifiers - SRI Internationalfm.csl.sri.com/SSFT12/quantifiers.pdf · 2020-03-17 · Thousands universal quantifiers Developers are willing at most 5 min per VC . Verification Attempt](https://reader034.fdocuments.us/reader034/viewer/2022042416/5f3249d403d3070d9018fe61/html5/thumbnails/118.jpg)
Challenge
New and efficient procedures capable of producing models for satisfiable instances.