Satisfiability Modulo Theories and Network Verification
description
Transcript of Satisfiability Modulo Theories and Network Verification
![Page 1: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/1.jpg)
Satisfiability Modulo Theoriesand
Network Verification
Nikolaj Bjørner Microsoft Research
Formal Methods and Networks Summer School Ithaca, June 10-14 2013
![Page 2: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/2.jpg)
Lectures
Wednesday 2:00pm-2:45pm: An Introduction to SMT with Z3
Thursday 11:00am-11:45amAlgorithmic underpinnings of SAT/SMT
Friday 9:00am-9:45amTheories, Solvers and Applications
![Page 3: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/3.jpg)
Plan
1. Progress in automated reasoningSAT, Automated Theorem Proving, SMT
2. An abstract account for SMT search (DPLL+T)
3. Integrating Theories
Takeaway: Theorem Proving is cool and beautiful
![Page 4: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/4.jpg)
Symbolic Engines: SAT, FTP and SMT
SAT: Propositional Satisfiability.(Tie Shirt) (Tie Shirt) (Tie Shirt)
FTP: First-order Theorem Proving.X,Y,Z [X*(Y*Z) = (X*Y)*Z] X [X*inv(X) = e] X [X*e = e]
SMT: Satisfiability Modulo background Theoriesb + 2 = c A[3] ≠ A[c-b+1]
![Page 5: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/5.jpg)
SAT - Milestonesyear Milestone
1960 Davis-Putnam procedure
1962 Davis-Logeman-Loveland
1984 Binary Decision Diagrams
1992 DIMACS SAT challenge
1994 SATO: clause indexing
1997 GRASP: conflict clause learning
1998 Search Restarts
2001 zChaff: 2-watch literal, VSIDS
2005 Preprocessing techniques
2007 Phase caching
2008 Cache optimized indexing
2009 In-processing, clause management
2010 Blocked clause elimination
2002 2010
Problems impossible 10 years ago are trivial today
Concept
Millions of variables from HW designs Courtesy Daniel le Berre
![Page 6: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/6.jpg)
FTP - MilestonesYear Milestone Who Year Milestone Who
1930 Hebrand's theorem Herbrand 1970 Completion and saturation procedures
many people and provers
1934 Sequent calculi Gentzen 1970 Knuth-Bendix ordering Knuth; Bendix1934 Inverse method Gentzen 1971 Selection function Kowalski; Kuehner1955 Semantic tableaux Beth 1972 Built-in equational theories Plotkin
1960 Herbrand-based theorem proving Wang Hao 1972 Prolog Colmerauer
1960 Ordered resolution Davis; Putnam 1974 Saturation algorithms Overbeek
1962 DLL Davis; Logemann; Loveland 1975 Completeness of paramodulation Brand
1963 First-order inverse method Maslov 1975 AC-unification Stickel1965 Unification J. Robinson 1976 Resolution as a decision procedure Joyner1965 First-order resolution J. Robinson 1979 Basic paramodulation Degtyarev1965 Subsumption J. Robinson 1980 Lexicographic path orderings Kamin; Levy1967 Orderings Slagle 1985 Theory resolution Stickel
1967 Demodulation or rewriting Wos; G. Robinson; Carson; Shalla 1986
Definitional clause form transformation Plaisted; Greenbaum
1968 Model elimination Loveland 1988 Superposition Zhang1969 Paramodulation G. Robinson; Wos 1988 Model construction Zhang
1989 Term indexing Stickel; Overbeek
1990 General theory of redundancy Bachmair; Ganzinger1992 Basic superposition Nieuwenhuis; Rubio1993 First instance-based methods Billon; Plaisted1993 Discount saturation algorithm Avenhaus; Denzinger1998 Finite model finding using SAT McCune2000 First-order DPLL Baumgartner2003 iProver method Ganzinger; Korovin2008 Sine selection Hoder
Some success stories:- Open Problems (of 25 years):
XCB: X ((X Y) (Z Y)) Z)is a single axiom for equivalence
- Knowledge Ontologies GBs of formulas Courtesy Andrei Voronkov, U of Manchester
![Page 7: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/7.jpg)
SMT - Milestonesyear Milestone
1977 Efficient Equality Reasoning
1979 Theory Combination Foundations
1979 Arithmetic + Functions
1982 Combining Canonizing Solvers
1992-8 Systems: PVS, Simplify, STeP, SVC
2002 Theory Clause Learning
2005 SMT competition
2006 Efficient SAT + Simplex
2007 Efficient Equality Matching
2009 Combinatory Array Logic, …
SAT
TheorySolvers
SMT
15KLOC + 285KLOC = Z3
Includes progress from SAT:
Simplify (of ’01) time
1sec
1
10
100
1000
Z3TimeOn VCCRegression
Nov 08 March 09
Z3(of ’07)TimeOn BoogieRegression
![Page 8: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/8.jpg)
News: SolvingR EfficientlyA key idea: Use partial solution to guide the search
𝑥3+2𝑥2+3 𝑦 2−5<0
𝑥2+ 𝑦2<1
−4 𝑥𝑦−4 𝑥+ 𝑦>1
Feasible Region
Extract small core
Dejan Jojanovich & Leonardo de Moura, IJCAR 2012
x = 0.5
![Page 9: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/9.jpg)
mc(x) = x-10 if x > 100mc(x) = mc(mc(x+11)) if x 100 assert (x ≤ 101 mc(x) = 91)
News: Horn Clause Satisfiability
mc() mc() mc() mc() mc() Solver finds solution for mc Krystof Hoder & Nikolaj Bjorner, SAT 2012
Bjorner, McMillan, Rybalchenko, SMT 2012
![Page 10: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/10.jpg)
SMT SOLVING
![Page 11: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/11.jpg)
SATTheorySolvers
SMT
SMT : Basic Architecture
Equality + UFArithmeticBit-vectors…
Case Analysis
![Page 12: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/12.jpg)
SAT + Theory solvers
Basic Ideax 0, y = x + 1, (y > 2 y < 1)
p1, p2, (p3 p4)
Abstract (aka “naming” atoms)
p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)
![Page 13: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/13.jpg)
SAT + Theory solvers
Basic Ideax 0, y = x + 1, (y > 2 y < 1)
p1, p2, (p3 p4)
Abstract (aka “naming” atoms)
p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)
SAT Solver
![Page 14: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/14.jpg)
SAT + Theory solvers
Basic Ideax 0, y = x + 1, (y > 2 y < 1)
p1, p2, (p3 p4)
Abstract (aka “naming” atoms)
p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)
SAT Solver
Assignmentp1, p2, p3, p4
![Page 15: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/15.jpg)
SAT + Theory solversBasic Idea
x 0, y = x + 1, (y > 2 y < 1)
p1, p2, (p3 p4)
Abstract (aka “naming” atoms)
p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)
SAT Solver
Assignmentp1, p2, p3, p4
x 0, y = x + 1, (y > 2), y < 1
![Page 16: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/16.jpg)
SAT + Theory solvers
Basic Ideax 0, y = x + 1, (y > 2 y < 1)
p1, p2, (p3 p4)
Abstract (aka “naming” atoms)
p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)
SAT Solver
Assignmentp1, p2, p3, p4
x 0, y = x + 1, (y > 2), y < 1
TheorySolver
Unsatisfiablex 0, y = x + 1, y <
1
![Page 17: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/17.jpg)
SAT + Theory solvers
Basic Ideax 0, y = x + 1, (y > 2 y < 1)
p1, p2, (p3 p4)
Abstract (aka “naming” atoms)
p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)
SAT Solver
Assignmentp1, p2, p3, p4
x 0, y = x + 1, (y > 2), y < 1
TheorySolver
Unsatisfiablex 0, y = x + 1, y <
1
New Lemmap1p2p4
![Page 18: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/18.jpg)
SAT + Theory solvers
TheorySolver
Unsatisfiablex 0, y = x + 1, y <
1
New Lemmap1p2p4
AKATheory conflict
![Page 19: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/19.jpg)
SAT/SMT SOLVING USING DPLL(T)
[DAVIS PUTNAM LOGEMAN LOVELAND MODULO THEORIES]
![Page 20: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/20.jpg)
Resolution
Formula must be in CNF
Resolution rule:
Example:
The result of resolution is the resolvent (clause).Original clauses are kept (not deleted).Duplicate literals are deleted from the resolvent.
Note: No branching.
Termination: Only finite number of possible derived clauses.
![Page 21: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/21.jpg)
Resolution (example)
![Page 22: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/22.jpg)
Unit & Input Resolution
Unit resolution: (is subsumed by
Input resolution: ( member of input F).
Exercise: Set of clauses F:
F has an input refutation iff F has a unit refutation.
![Page 23: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/23.jpg)
DPLL
DPLL: David Putnam Logeman Loveland = Unit resolution + split rule.
split
unit
Ingredient of most efficient SAT solvers
![Page 24: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/24.jpg)
Pure Literals
A literal is pure if only occurs positively or negatively.
![Page 25: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/25.jpg)
DPLL (as a procedure)
![Page 26: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/26.jpg)
DPLL
M | F
Partial model Set of clauses
![Page 27: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/27.jpg)
DPLL
Guessing
p, q | p q, q r
p | p q, q r
![Page 28: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/28.jpg)
DPLL
Deducing
p, s| p q, p s
p | p q, p s
![Page 29: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/29.jpg)
DPLL
Backtracking
p, s | p q, s q, p q
p, s, q | p q, s q, p q
![Page 30: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/30.jpg)
Modern DPLL
• Non-chronological backtracking (backjumping)• Lemma learning
and • Efficient indexing (two-watch literal)• …
![Page 31: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/31.jpg)
CDCL – Conflict Directed Clause Learning
Lemma learning
t, p, q, s | t p q, q s, p s |p s
t, p, q, s | t p q, q s, p s
t, p, q, s | t p q, q s, p s |p q
t, p, q, s | t p q, q s, p s |p t
![Page 32: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/32.jpg)
Core Engine in Z3: Modern DPLL/CDCL
Initialize
Decide
Propagate
Sat Conflict
Learn
Unsat
Backjump
Resolve
Forget is a learned clause
Restart [Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized
Model
Proof
ConflictResolution
“It took me a year to understand the Mini-SAT FUIP code”Mate Soos to Niklas Sörenson over ice-cream in Trento
We will now motivate the CDCL algorithm
as a cooperative procedure between
model and proof search
![Page 33: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/33.jpg)
ProofsConflict Clauses
Mod
els
liter
al
assig
nmen
tsConflict Resolution
Backjump
Prop
agat
e
Mile High: Modern SAT/SMT search
![Page 34: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/34.jpg)
The Farkas Lemma Dichotomy
1. There is an such that:
2. There is a such that:
For every matrix , vector it is the case thateither (1) or (2) holds (and not both).
![Page 35: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/35.jpg)
A Dichotomy of Models and Proofs
1. There is a model M such that
2. There is a proof such that
For every formula F (set of clauses) it is the case thateither (1) or (2) holds (and not both).
![Page 36: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/36.jpg)
A Dichotomy of Models and Proofs
1. There is such that
2. There is and proof such that
For every formula F (set of clauses) and partial model it is the case that either (1) or (2) holds (and not both).
![Page 37: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/37.jpg)
A Dichotomy of Models and Proofs
1. There is such that
2. There is and proof such that
Given can it be extended to ’ to satisfy (1)?If not, find subset to establish (2). (that is inconsistent with F)
![Page 38: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/38.jpg)
A Dichotomy of Models and Proofs
Corollary: If then it is not possible to extend to satisfy
Corollary: If then - for some (or contains )- for every , where
- , -
it is not possible to extend to satisfy
![Page 39: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/39.jpg)
CDCL Search – Data structures
Invariant:
For state :
Invariant:
For states and where :
𝑀∨𝐹 Formula: set of clauses
Partial Model: Sequence of literalsDecision lits: case splitsPropagation lits: only one case makes sense.
Proof: ImplicitConsequences added to F
![Page 40: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/40.jpg)
CDCL steps
Initialize
No model candidate has been fixed
![Page 41: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/41.jpg)
CDCL steps
Decide
Case split on If can be extended to satisfy , then the extension contains or
![Page 42: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/42.jpg)
CDCL stepsPropagate
must be true if has any chance of being a model for
![Page 43: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/43.jpg)
CDCL stepsSat Unsat
![Page 44: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/44.jpg)
CDCL stepsConflict
is a sufficient explanation why is not a model of
![Page 45: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/45.jpg)
CDCL stepsResolve
Corollary: If then - for some (or contains )- for every , where
- , -
it is not possible to extend to satisfy
Recall
is a sufficient and earlier explanation why is not a model of
![Page 46: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/46.jpg)
CDCL stepsBackjump
- is a sufficient explanation why is not a model of
- Prefixes of that contain cannot become a model of
FUIP First Unique Implication Point strategy when # of decision literals in is minimal.
Why is FUIP better? - Minimizes # of backtracking points before learned fact - What if implies negation of removed backtracking point?
- We would forget the learned fact during backjumping.- … only to then re-learn it.
![Page 47: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/47.jpg)
CDCL stepsLearn
Re-use proof step for later: build DAG proof instead of TREE proof
![Page 48: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/48.jpg)
CDCL stepsForget is a learned clause
Don’t forget to forget: - Learned clauses could turn out to be useless.- They could hog resources
Blocked Clause Elimination:- Remove clauses that will not be used in proofs
![Page 49: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/49.jpg)
CDCL stepsRestart
Avoid getting trapped in one part of search space
𝑆1,𝑆2 ,….=1,1,2,1,1,2,4,1,1,2,1,1,2,4,8,1,1,2,1,1,2,4,1,1,2,4,8,1 ,…
(𝑢𝑛+1 ,𝑣𝑛+1 )=(𝑢𝑛∧−𝑢𝑛? (𝑢𝑛+1,1 ) : (𝑢𝑛 ,2𝑣𝑛) ) .Generating function[fasc6adraft chapteron SAT]
[Reluctant doubling sequence: Luby, Sinclair, Zuckerman, IPL 47]
![Page 50: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/50.jpg)
Modern DPLL - tuning
• Restart frequency– Why is restarting good?– Efficient replay trick for frequent restart
• Which variable to split on• Which branch to explore first• Which lemmas to learn• Blocked clause elimination• Cache binary propagations
– This is just scratching the surface
![Page 51: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/51.jpg)
DPLL(T) solver interaction
![Page 52: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/52.jpg)
Challenge:• Solvers need to exchange what is
equal.• Computing all implied equalities is
expensive.
Idea: • Have solvers produce models.• Use models to introduce equalities on
demand.If then guess
Model based Theory Combination
![Page 53: Satisfiability Modulo Theories and Network Verification](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681607d550346895dcfa6a5/html5/thumbnails/53.jpg)
Summary
1. Progress in automated reasoningSAT, Automated Theorem Proving, SMT
2. An abstract account for SMT search (DPLL+T)
3. Integrating Theories
Takeaway: Theorem Proving is cool and beautiful