Satisfiability Modulo Theories and Network Verification

Satisfiability Modulo Theories and Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14 2013


Satisfiability Modulo Theories and Network Verification. Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14 2013. Lectures. Wednesday 2:00pm-2:45pm : An Introduction to SMT with Z3 Thursday 11:00am-11:45am - PowerPoint PPT Presentation

Transcript of Satisfiability Modulo Theories and Network Verification

Page 1: Satisfiability  Modulo Theories and  Network Verification

Satisfiability Modulo Theoriesand

Network Verification

Nikolaj Bjørner Microsoft Research

Formal Methods and Networks Summer School Ithaca, June 10-14 2013

Page 2: Satisfiability  Modulo Theories and  Network Verification


Wednesday 2:00pm-2:45pm: An Introduction to SMT with Z3

Thursday 11:00am-11:45amAlgorithmic underpinnings of SAT/SMT

Friday 9:00am-9:45amTheories, Solvers and Applications

Page 3: Satisfiability  Modulo Theories and  Network Verification


1. Progress in automated reasoningSAT, Automated Theorem Proving, SMT

2. An abstract account for SMT search (DPLL+T)

3. Integrating Theories

Takeaway: Theorem Proving is cool and beautiful

Page 4: Satisfiability  Modulo Theories and  Network Verification

Symbolic Engines: SAT, FTP and SMT

SAT: Propositional Satisfiability.(Tie Shirt) (Tie Shirt) (Tie Shirt)

FTP: First-order Theorem Proving.X,Y,Z [X*(Y*Z) = (X*Y)*Z] X [X*inv(X) = e] X [X*e = e]

SMT: Satisfiability Modulo background Theoriesb + 2 = c A[3] ≠ A[c-b+1]

Page 5: Satisfiability  Modulo Theories and  Network Verification

SAT - Milestonesyear Milestone

1960 Davis-Putnam procedure

1962 Davis-Logeman-Loveland

1984 Binary Decision Diagrams

1992 DIMACS SAT challenge

1994 SATO: clause indexing

1997 GRASP: conflict clause learning

1998 Search Restarts

2001 zChaff: 2-watch literal, VSIDS

2005 Preprocessing techniques

2007 Phase caching

2008 Cache optimized indexing

2009 In-processing, clause management

2010 Blocked clause elimination

2002 2010

Problems impossible 10 years ago are trivial today


Millions of variables from HW designs Courtesy Daniel le Berre

Page 6: Satisfiability  Modulo Theories and  Network Verification

FTP - MilestonesYear Milestone Who Year Milestone Who

1930 Hebrand's theorem Herbrand 1970 Completion and saturation procedures

many people and provers

1934 Sequent calculi Gentzen 1970 Knuth-Bendix ordering Knuth; Bendix1934 Inverse method Gentzen 1971 Selection function Kowalski; Kuehner1955 Semantic tableaux Beth 1972 Built-in equational theories Plotkin

1960 Herbrand-based theorem proving Wang Hao 1972 Prolog Colmerauer

1960 Ordered resolution Davis; Putnam 1974 Saturation algorithms Overbeek

1962 DLL Davis; Logemann; Loveland 1975 Completeness of paramodulation Brand

1963 First-order inverse method Maslov 1975 AC-unification Stickel1965 Unification J. Robinson 1976 Resolution as a decision procedure Joyner1965 First-order resolution J. Robinson 1979 Basic paramodulation Degtyarev1965 Subsumption J. Robinson 1980 Lexicographic path orderings Kamin; Levy1967 Orderings Slagle 1985 Theory resolution Stickel

1967 Demodulation or rewriting Wos; G. Robinson; Carson; Shalla 1986

Definitional clause form transformation Plaisted; Greenbaum

1968 Model elimination Loveland 1988 Superposition Zhang1969 Paramodulation G. Robinson; Wos 1988 Model construction Zhang

1989 Term indexing Stickel; Overbeek

1990 General theory of redundancy Bachmair; Ganzinger1992 Basic superposition Nieuwenhuis; Rubio1993 First instance-based methods Billon; Plaisted1993 Discount saturation algorithm Avenhaus; Denzinger1998 Finite model finding using SAT McCune2000 First-order DPLL Baumgartner2003 iProver method Ganzinger; Korovin2008 Sine selection Hoder

Some success stories:- Open Problems (of 25 years):

XCB: X ((X Y) (Z Y)) Z)is a single axiom for equivalence

- Knowledge Ontologies GBs of formulas Courtesy Andrei Voronkov, U of Manchester

Page 7: Satisfiability  Modulo Theories and  Network Verification

SMT - Milestonesyear Milestone

1977 Efficient Equality Reasoning

1979 Theory Combination Foundations

1979 Arithmetic + Functions

1982 Combining Canonizing Solvers

1992-8 Systems: PVS, Simplify, STeP, SVC

2002 Theory Clause Learning

2005 SMT competition

2006 Efficient SAT + Simplex

2007 Efficient Equality Matching

2009 Combinatory Array Logic, …




15KLOC + 285KLOC = Z3

Includes progress from SAT:

Simplify (of ’01) time






Z3TimeOn VCCRegression

Nov 08 March 09

Z3(of ’07)TimeOn BoogieRegression

Page 8: Satisfiability  Modulo Theories and  Network Verification

News: SolvingR EfficientlyA key idea: Use partial solution to guide the search

𝑥3+2𝑥2+3 𝑦 2−5<0

𝑥2+ 𝑦2<1

−4 𝑥𝑦−4 𝑥+ 𝑦>1

Feasible Region

Extract small core

Dejan Jojanovich & Leonardo de Moura, IJCAR 2012

x = 0.5

Page 9: Satisfiability  Modulo Theories and  Network Verification

mc(x) = x-10 if x > 100mc(x) = mc(mc(x+11)) if x 100 assert (x ≤ 101 mc(x) = 91)

News: Horn Clause Satisfiability

mc() mc() mc() mc() mc() Solver finds solution for mc Krystof Hoder & Nikolaj Bjorner, SAT 2012

Bjorner, McMillan, Rybalchenko, SMT 2012

Page 10: Satisfiability  Modulo Theories and  Network Verification


Page 11: Satisfiability  Modulo Theories and  Network Verification



SMT : Basic Architecture

Equality + UFArithmeticBit-vectors…

Case Analysis

Page 12: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solvers

Basic Ideax 0, y = x + 1, (y > 2 y < 1)

p1, p2, (p3 p4)

Abstract (aka “naming” atoms)

p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)

Page 13: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solvers

Basic Ideax 0, y = x + 1, (y > 2 y < 1)

p1, p2, (p3 p4)

Abstract (aka “naming” atoms)

p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)

SAT Solver

Page 14: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solvers

Basic Ideax 0, y = x + 1, (y > 2 y < 1)

p1, p2, (p3 p4)

Abstract (aka “naming” atoms)

p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)

SAT Solver

Assignmentp1, p2, p3, p4

Page 15: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solversBasic Idea

x 0, y = x + 1, (y > 2 y < 1)

p1, p2, (p3 p4)

Abstract (aka “naming” atoms)

p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)

SAT Solver

Assignmentp1, p2, p3, p4

x 0, y = x + 1, (y > 2), y < 1

Page 16: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solvers

Basic Ideax 0, y = x + 1, (y > 2 y < 1)

p1, p2, (p3 p4)

Abstract (aka “naming” atoms)

p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)

SAT Solver

Assignmentp1, p2, p3, p4

x 0, y = x + 1, (y > 2), y < 1


Unsatisfiablex 0, y = x + 1, y <


Page 17: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solvers

Basic Ideax 0, y = x + 1, (y > 2 y < 1)

p1, p2, (p3 p4)

Abstract (aka “naming” atoms)

p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)

SAT Solver

Assignmentp1, p2, p3, p4

x 0, y = x + 1, (y > 2), y < 1


Unsatisfiablex 0, y = x + 1, y <


New Lemmap1p2p4

Page 18: Satisfiability  Modulo Theories and  Network Verification

SAT + Theory solvers


Unsatisfiablex 0, y = x + 1, y <


New Lemmap1p2p4

AKATheory conflict

Page 19: Satisfiability  Modulo Theories and  Network Verification



Page 20: Satisfiability  Modulo Theories and  Network Verification


Formula must be in CNF

Resolution rule:


The result of resolution is the resolvent (clause).Original clauses are kept (not deleted).Duplicate literals are deleted from the resolvent.

Note: No branching.

Termination: Only finite number of possible derived clauses.

Page 21: Satisfiability  Modulo Theories and  Network Verification

Resolution (example)

Page 22: Satisfiability  Modulo Theories and  Network Verification

Unit & Input Resolution

Unit resolution: (is subsumed by

Input resolution: ( member of input F).

Exercise: Set of clauses F:

F has an input refutation iff F has a unit refutation.

Page 23: Satisfiability  Modulo Theories and  Network Verification


DPLL: David Putnam Logeman Loveland = Unit resolution + split rule.



Ingredient of most efficient SAT solvers

Page 24: Satisfiability  Modulo Theories and  Network Verification

Pure Literals

A literal is pure if only occurs positively or negatively.

Page 25: Satisfiability  Modulo Theories and  Network Verification

DPLL (as a procedure)

Page 26: Satisfiability  Modulo Theories and  Network Verification


M | F

Partial model Set of clauses

Page 27: Satisfiability  Modulo Theories and  Network Verification



p, q | p q, q r

p | p q, q r

Page 28: Satisfiability  Modulo Theories and  Network Verification



p, s| p q, p s

p | p q, p s

Page 29: Satisfiability  Modulo Theories and  Network Verification



p, s | p q, s q, p q

p, s, q | p q, s q, p q

Page 30: Satisfiability  Modulo Theories and  Network Verification

Modern DPLL

• Non-chronological backtracking (backjumping)• Lemma learning

and • Efficient indexing (two-watch literal)• …

Page 31: Satisfiability  Modulo Theories and  Network Verification

CDCL – Conflict Directed Clause Learning

Lemma learning

t, p, q, s | t p q, q s, p s |p s

t, p, q, s | t p q, q s, p s

t, p, q, s | t p q, q s, p s |p q

t, p, q, s | t p q, q s, p s |p t

Page 32: Satisfiability  Modulo Theories and  Network Verification

Core Engine in Z3: Modern DPLL/CDCL




Sat Conflict





Forget is a learned clause

Restart [Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized




“It took me a year to understand the Mini-SAT FUIP code”Mate Soos to Niklas Sörenson over ice-cream in Trento

We will now motivate the CDCL algorithm

as a cooperative procedure between

model and proof search

Page 33: Satisfiability  Modulo Theories and  Network Verification

ProofsConflict Clauses







tsConflict Resolution





Mile High: Modern SAT/SMT search

Page 34: Satisfiability  Modulo Theories and  Network Verification

The Farkas Lemma Dichotomy

1. There is an such that:

2. There is a such that:

For every matrix , vector it is the case thateither (1) or (2) holds (and not both).

Page 35: Satisfiability  Modulo Theories and  Network Verification

A Dichotomy of Models and Proofs

1. There is a model M such that

2. There is a proof such that

For every formula F (set of clauses) it is the case thateither (1) or (2) holds (and not both).

Page 36: Satisfiability  Modulo Theories and  Network Verification

A Dichotomy of Models and Proofs

1. There is such that

2. There is and proof such that

For every formula F (set of clauses) and partial model it is the case that either (1) or (2) holds (and not both).

Page 37: Satisfiability  Modulo Theories and  Network Verification

A Dichotomy of Models and Proofs

1. There is such that

2. There is and proof such that

Given can it be extended to ’ to satisfy (1)?If not, find subset to establish (2). (that is inconsistent with F)

Page 38: Satisfiability  Modulo Theories and  Network Verification

A Dichotomy of Models and Proofs

Corollary: If then it is not possible to extend to satisfy

Corollary: If then - for some (or contains )- for every , where

- , -

it is not possible to extend to satisfy

Page 39: Satisfiability  Modulo Theories and  Network Verification

CDCL Search – Data structures


For state :


For states and where :

𝑀∨𝐹 Formula: set of clauses

Partial Model: Sequence of literalsDecision lits: case splitsPropagation lits: only one case makes sense.

Proof: ImplicitConsequences added to F

Page 40: Satisfiability  Modulo Theories and  Network Verification

CDCL steps


No model candidate has been fixed

Page 41: Satisfiability  Modulo Theories and  Network Verification

CDCL steps


Case split on If can be extended to satisfy , then the extension contains or

Page 42: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsPropagate

must be true if has any chance of being a model for

Page 43: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsSat Unsat

Page 44: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsConflict

is a sufficient explanation why is not a model of

Page 45: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsResolve

Corollary: If then - for some (or contains )- for every , where

- , -

it is not possible to extend to satisfy


is a sufficient and earlier explanation why is not a model of

Page 46: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsBackjump

- is a sufficient explanation why is not a model of

- Prefixes of that contain cannot become a model of

FUIP First Unique Implication Point strategy when # of decision literals in is minimal.

Why is FUIP better? - Minimizes # of backtracking points before learned fact - What if implies negation of removed backtracking point?

- We would forget the learned fact during backjumping.- … only to then re-learn it.

Page 47: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsLearn

Re-use proof step for later: build DAG proof instead of TREE proof

Page 48: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsForget is a learned clause

Don’t forget to forget: - Learned clauses could turn out to be useless.- They could hog resources

Blocked Clause Elimination:- Remove clauses that will not be used in proofs

Page 49: Satisfiability  Modulo Theories and  Network Verification

CDCL stepsRestart

Avoid getting trapped in one part of search space

𝑆1,𝑆2 ,….=1,1,2,1,1,2,4,1,1,2,1,1,2,4,8,1,1,2,1,1,2,4,1,1,2,4,8,1 ,…

(𝑢𝑛+1 ,𝑣𝑛+1 )=(𝑢𝑛∧−𝑢𝑛? (𝑢𝑛+1,1 ) : (𝑢𝑛 ,2𝑣𝑛) ) .Generating function[fasc6adraft chapteron SAT]

[Reluctant doubling sequence: Luby, Sinclair, Zuckerman, IPL 47]

Page 50: Satisfiability  Modulo Theories and  Network Verification

Modern DPLL - tuning

• Restart frequency– Why is restarting good?– Efficient replay trick for frequent restart

• Which variable to split on• Which branch to explore first• Which lemmas to learn• Blocked clause elimination• Cache binary propagations

– This is just scratching the surface

Page 51: Satisfiability  Modulo Theories and  Network Verification

DPLL(T) solver interaction

Page 52: Satisfiability  Modulo Theories and  Network Verification

Challenge:• Solvers need to exchange what is

equal.• Computing all implied equalities is


Idea: • Have solvers produce models.• Use models to introduce equalities on

demand.If then guess

Model based Theory Combination

Page 53: Satisfiability  Modulo Theories and  Network Verification


1. Progress in automated reasoningSAT, Automated Theorem Proving, SMT

2. An abstract account for SMT search (DPLL+T)

3. Integrating Theories

Takeaway: Theorem Proving is cool and beautiful