Z3: A Decision Engine for Software
Transcript of Z3: A Decision Engine for Software
Nikolaj Bjørner and Leonardo de Moura, Microsoft Research
TCN Programming Languages event, January 31st, 2011
Slides: http://my/sites/redmond_nbjorner/

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Outline:
- RiSE: a primer
- Symbolic Reasoning
- Engines using Z3
- What is SMT?
- Little Engines of Proof
- Solver: Interaction
- Directions
- Extra: Nuts and Bolts

RiSE: a primer
Microsoft Research Redmond. RiSE: Research in Software Engineering.
AGL: Automatic Graph Layout
http://rise4fun.com/AGL/rise
Lev Nachmanson, Tim Dwyer, Ted Hart, Alexander Holroyd
Applications: Dev10 Progression, Dev11, Tuvalu, SpecExplorer, many others
CCI and ER
SMT@Microsoft
HeapDbg uses CCI+AGL (Manuel Fähndrich, Mark Marron)
CCI2: Common Compiler Infrastructure v2 (Herman Venter)
ER: Extended Reflection (Nikolai Tillmann)

Cuzz: Concurrency Fuzzing
    Parent:                 Child:
    void* p = 0;
    CreateThd(child);       DoMoreWork();
    p = malloc();           p->f++;
    Init();
Instrument calls to Cuzz, insert random delays, and use the Cuzz algorithm to determine when and by how much to delay:
    void* p = 0;            void* p = 0;
    CallCuzz();             RandDelay();
    CreateThd(child);       CreateThd(child);
    CallCuzz();             RandDelay();
    p = malloc();           p = malloc();
    Init();                 Init();
    CallCuzz();             RandDelay();
    DoMoreWork();           DoMoreWork();
    CallCuzz();             RandDelay();
    p->f++;                 p->f++;
This is where all the magic (probabilistic analysis) is. Cuzz by Madan Musuvathi and Sebastian Burckhardt; shipped in AppVerifier, used to find bugs in SQL, IE, ACPI and the Kernel.
Tools using the Z3 Decision Engine
http://research.microsoft.com/projects/z3

Symbolic Reasoning
Verification/Analysis tools need some form of Symbolic Reasoning.
What is logic?
Logic is the science of effective symbolic reasoning. How can we draw general and reliable conclusions from a collection of facts?
Formal logic: precise, syntactic characterizations of well-formed expressions and valid deductions. Formal logic makes it possible to calculate consequences at the symbolic level. Computers can be used to automate such symbolic calculations.

Symbolic Reasoning: logics by computational complexity
- P-time: Equality
- NP-complete: Propositional logic
- PSpace-complete: QBF
- NEXPTime-complete: EPR
- Semi-decidable: First-order logic
- Undecidable: FOL + LA
Succinct: high computational complexity.
"Logic is The Calculus of Computer Science" (Z. Manna).

Symbolic Engines: SAT, FTP and SMT
SAT: Propositional Satisfiability.
    (Tie ∨ Shirt) ∧ (¬Tie ∨ Shirt) ∧ (¬Tie ∨ ¬Shirt)
FTP: First-order Theorem Proving.
    ∀X,Y,Z [X*(Y*Z) = (X*Y)*Z]    ∀X [X*inv(X) = e]    ∀X [X*e = e]
SMT: Satisfiability Modulo background Theories.
    b + 2 = c ∧ A[3] ≠ A[c-b+1]

SAT - Milestones
year   milestone
1960   Davis-Putnam procedure
1962   Davis-Logemann-Loveland
1984   Binary Decision Diagrams
1992   DIMACS SAT challenge
1994   SATO: clause indexing
1997   GRASP: conflict clause learning
1998   Search restarts
2001   zChaff: 2-watch literal, VSIDS
2005   Preprocessing techniques
2007   Phase caching
2008   Cache optimized indexing
2009   In-processing, clause management
2010   Blocked clause elimination
[Figure: SAT solver performance, 2002 vs 2010. Problems impossible 10 years ago are trivial today; millions of variables from HW designs.]

FTP - Milestones
year   milestone                                       who
1930   Herbrand's theorem                              Herbrand
1934   Sequent calculi                                 Gentzen
1934   Inverse method                                  Gentzen
1955   Semantic tableaux                               Beth
1960   Herbrand-based theorem proving                  Wang Hao
1960   Ordered resolution                              Davis; Putnam
1962   DLL                                             Davis; Logemann; Loveland
1963   First-order inverse method                      Maslov
1965   Unification                                     J. Robinson
1965   First-order resolution                          J. Robinson
1965   Subsumption                                     J. Robinson
1967   Orderings                                       Slagle
1967   Demodulation or rewriting                       Wos; G. Robinson; Carson; Shalla
1968   Model elimination                               Loveland
1969   Paramodulation                                  G. Robinson; Wos
1970   Completion and saturation procedures            many people and provers
1970   Knuth-Bendix ordering                           Knuth; Bendix
1971   Selection function                              Kowalski; Kuehner
1972   Built-in equational theories                    Plotkin
1972   Prolog                                          Colmerauer
1974   Saturation algorithms                           Overbeek
1975   Completeness of paramodulation                  Brand
1975   AC-unification                                  Stickel
1976   Resolution as a decision procedure              Joyner
1979   Basic paramodulation                            Degtyarev
1980   Lexicographic path orderings                    Kamin; Levy
1985   Theory resolution                               Stickel
1986   Definitional clause form transformation         Plaisted; Greenbaum
1988   Superposition                                   Zhang
1988   Model construction                              Zhang
1989   Term indexing                                   Stickel; Overbeek
1990   General theory of redundancy                    Bachmair; Ganzinger
1992   Basic superposition                             Nieuwenhuis; Rubio
1993   First instance-based methods                    Billon; Plaisted
1993   Discount saturation algorithm                   Avenhaus; Denzinger
1998   Finite model finding using SAT                  McCune
2000   First-order DPLL                                Baumgartner
2003   iProver method                                  Ganzinger; Korovin
2008   Sine selection                                  Hoder

Some success stories. Open problems (of 25 years): XCB, X ≡ (((X ≡ Y) ≡ (Z ≡ Y)) ≡ Z), is a single axiom for equivalence. Knowledge ontologies: GBs of formulas.
Courtesy Andrei Voronkov, Manchester U.

SMT - Milestones
year     milestone
1977     Efficient Equality Reasoning
1979     Theory Combination Foundations
1979     Arithmetic + Functions
1982     Combining Canonizing Solvers
1992-8   Systems: PVS, Simplify, STeP, SVC
2002     Theory Clause Learning
2005     SMT competition
2006     Efficient SAT + Simplex
2007     Efficient Equality Matching
2009     Combinatory Array Logic
15KLOC + 215KLOC = Z3. Includes progress from SAT.

[Figure: scatter plots of solving time, Simplify (of '01) vs Z3 on the Boogie regression, and Z3 (of '07) vs Z3 on the VCC regression (Nov 08 vs March 09), with the 1-second line marked.]
Z3 participates in and wins SMT competitions.
Engines using Z3
Microsoft Researchers using Symbolic Logic Engines

Domains from programs:
- Bits and bytes
- Numbers
- Arrays
- Records
- Heaps
- Data-types
- Object inheritance

Applications
Some Microsoft Engines using Z3
- SDV: The Static Driver Verifier
- Pex: Program EXploration for .NET
- SAGE: Scalable Automated Guided Execution
- Spec#: C# + contracts
- VCC: Verifying C Compiler for the Viridian Hyper-Visor
- HAVOC: Heap-Aware Verification of C-code
- SpecExplorer: Model-based testing of protocol specs
- Yogi: Dynamic symbolic execution + abstraction
- FORMULA: Model-based Design
- PREfix: The Static Analysis Engine for C/C++
- F7: Refinement types for security protocols
- Rex: Regular Expressions and formal languages
- VS3: Abstract interpretation and Synthesis
- VERVE: Verified operating system
- FINE: Proof carrying certified code
- SLAyer: Separation Logic-based Static Analysis
Test case generation

    unsigned GCD(x, y) {
        requires(y > 0);
        while (true) {
            unsigned m = x % y;
            if (m == 0) return y;
            x = y;
            y = m;
        }
    }

We want a trace where the loop is executed twice. In SSA form (one fresh name per assignment) the path condition is:
    (y0 > 0) and (m0 = x0 % y0) and not (m0 = 0) and (x1 = y0) and (y1 = m0) and (m1 = x1 % y1) and (m1 = 0)
Solver: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0

Pex: Program Exploration
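As an added example (not from the slides, and not Pex's own encoding): the script below unrolls the GCD loop above for a chosen number of iterations into exactly the SSA path constraints shown, emits them as an SMT-LIB2 script that Z3 can solve (bit-vectors stand in for `unsigned`), runs the GCD concretely to confirm the loop count, and checks a returned model locally. The function names, the 32-bit width and the model dictionary are this example's assumptions.

```python
# Added example (not from the slides): SSA path constraints for the GCD loop,
# emitted as SMT-LIB2 for Z3 and checked locally. Names and the 32-bit width
# are assumptions of this example; Pex's real encoding is not shown here.
WIDTH = 32                      # `unsigned` in the slide's GCD

def gcd_path(iterations):
    """Path condition for a trace that executes the loop body `iterations`
    times and returns on the last one. A constraint is (op, lhs, rhs) with
    op in {'>', '=', '!='}; a term is a variable name, an int, or ('%', t1, t2)."""
    cs = [('>', 'y0', 0)]                           # requires(y > 0)
    for i in range(iterations):
        x, y, m = f'x{i}', f'y{i}', f'm{i}'
        cs.append(('=', m, ('%', x, y)))            # m = x % y
        if i == iterations - 1:
            cs.append(('=', m, 0))                  # if (m == 0) return y
        else:
            cs.append(('!=', m, 0))                 # stay in the loop ...
            cs.append(('=', f'x{i + 1}', y))        # x = y
            cs.append(('=', f'y{i + 1}', m))        # y = m
    return cs

def variables(cs):
    """Variable names in order of first appearance."""
    seen = []
    def walk(t):
        if isinstance(t, str) and t not in seen:
            seen.append(t)
        elif isinstance(t, tuple):
            walk(t[1]); walk(t[2])
    for _, lhs, rhs in cs:
        walk(lhs); walk(rhs)
    return seen

def term_smt(t):
    if isinstance(t, int):
        return f'(_ bv{t} {WIDTH})'
    if isinstance(t, str):
        return t
    return f'(bvurem {term_smt(t[1])} {term_smt(t[2])})'

def to_smtlib2(cs):
    """The script Z3 would be given: declarations, one assert per constraint."""
    lines = [f'(declare-const {v} (_ BitVec {WIDTH}))' for v in variables(cs)]
    for op, lhs, rhs in cs:
        a, b = term_smt(lhs), term_smt(rhs)
        body = {'>': f'(bvugt {a} {b})', '=': f'(= {a} {b})',
                '!=': f'(not (= {a} {b}))'}[op]
        lines.append(f'(assert {body})')
    return '\n'.join(lines + ['(check-sat)', '(get-model)'])

def term_eval(t, model):
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return model[t]
    a, b = term_eval(t[1], model), term_eval(t[2], model)
    return a if b == 0 else a % b        # SMT-LIB bvurem: x urem 0 = x

def check_model(cs, model):
    """Does the model (e.g. Z3's answer) satisfy every path constraint?"""
    for op, lhs, rhs in cs:
        a, b = term_eval(lhs, model), term_eval(rhs, model)
        if not {'>': a > b, '=': a == b, '!=': a != b}[op]:
            return False
    return True

def gcd_trace(x, y):
    """The slide's GCD run concretely; returns (gcd, loop iterations)."""
    n = 0
    while True:
        n += 1
        m = x % y
        if m == 0:
            return y, n
        x, y = y, m

SLIDE_MODEL = {'x0': 2, 'y0': 4, 'm0': 2, 'x1': 4, 'y1': 2, 'm1': 0}   # the slide's answer

if __name__ == '__main__':
    print(to_smtlib2(gcd_path(2)))
```

Pipe the printed script into `z3 -in` to get a model; `check_model` then confirms it against the same constraints, and `gcd_trace` confirms the inputs really drive the loop the requested number of times. Inputs and intermediate values are plain Python ints here, so the 32-bit wrap-around that the bit-vector encoding captures is not modelled locally.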
Rex: Regular Expression Exploration
Bek: Symbolic Transducers

FINE: F# with Refinement Types
Signature:  div : int, { x : int | x ≠ 0 } → int
Call site:  if a ≥ 1 and a ≤ b then return div(a, b)
The subtype check at the call site yields the verification condition:  a ≥ 1 and a ≤ b implies b ≠ 0

FORMULA: Design Space Exploration
Use Design Space Exploration to identify valid candidate architectures.

Extended Static Checking and Verification
[Diagram: VCC, HAVOC and F7/FINE front-ends (targets: Hyper-V, NTFS, SymDiff) produce verification conditions through Boogie; the solver answers with a bug path.]
What is SMT?
Satisfiability Modulo Theories (SMT)
    b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
The formula mixes three theories: arithmetic (b + 2 = c, c-2, c-b+1), the array theory (read, write) and uninterpreted functions (f).

Substituting c by b+2:
    b + 2 = c and f(read(write(a,b,3), b+2-2)) ≠ f(b+2-b+1)
Simplifying:
    b + 2 = c and f(read(write(a,b,3), b)) ≠ f(3)
Applying the array theory axiom forall a,i,v: read(write(a,i,v), i) = v:
    b + 2 = c and f(3) ≠ f(3)
Inconsistent/Unsatisfiable.
SMT by Example: Job Shop Scheduling
[Figure: a machines × jobs grid; example jobs "P = NP?" and "Laundry" broken into tasks.]
Constraints:
- Precedence: between two tasks of the same job
- Resource: machines execute at most one job at a time
[Figure: Gantt charts of candidate schedules; the feasible region is not convex.]
From constraints to models.

Little Engines of Proof
An SMT Solver is a collection of Little Engines of Proof.
Examples: SAT solver, equality solver, arithmetic solver.

SMT: Basic Architecture
Case analysis (the SAT solver) on top of theory solvers: Equality + UF, Arithmetic, Bit-vectors, Data-types. 15KLOC + 215KLOC = Z3.

Theories: uninterpreted functions, arithmetic (linear), bit-vectors, algebraic data-types, arrays, user-defined.
Solver: Interaction
Interaction
Text: SMT-LIB 1.2, SMT-LIB 2, native Z3 (low-level), Simplify.
Programmatic APIs: C, .NET, F#, LINQ, OCaml, Python, ...

Example: Quotations in F# (the job-shop instance; the deadline bound is elided as …)
    open Microsoft.Z3
    open Microsoft.Z3.Quotations

    do Solver.prove <@ not ((t11 >= 0I) && (t12 >= t11 + 2I) && (t12 + 1I <= …) &&
                            (t21 >= 0I) && (t22 >= t21 + 3I) && (t22 + 1I <= …) &&
                            (t31 >= 0I) && (t32 >= t31 + 2I) && (t32 + 3I <= …) &&
                            (t11 >= t21 + 3I || t21 >= t11 + 2I) &&
                            (t11 >= t31 + 2I || t31 >= t11 + 2I) &&
                            (t21 >= t31 + 2I || t31 >= t21 + 3I) &&
                            (t12 >= t22 + 1I || t22 >= t12 + 1I) &&
                            (t12 >= t32 + 3I || t32 >= t12 + 1I) &&
                            (t22 >= t32 + 3I || t32 >= t22 + 1I)) @>

Interaction - models: Logical Formula → Sat/Model
Interaction - proof objects: Logical Formula → Unsat/Proof
Interaction - simplification: Logical Formula → Simplify → simplified formula
Interaction - equalities: Logical Formula → Implied Equalities, e.g. x and y are equal; z + y and x + z are equal
Interaction - quantifier elimination: Logical Formula → Quantifier Elimination → quantifier-free formula
Interaction - unsat cores: Logical Formula → Unsat. Core
Directions

Research around Z3
Decision Procedures:
- Modular Difference Logic is Hard. TR 08. B., Blass, Gurevich, Musuvathi.
- Linear Functional Fixed-points. CAV 09. B. & Hendrix.
- A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09. M. & Passmore.
- Efficient, Generalized Array Decision Procedures. FMCAD 09. M. & B.
Combining Decision Procedures:
- Model-based Theory Combination. SMT 07. M. & B.
- Accelerating Lemma Learning using DPLL(U). LPAR 08. B., Dutertre & M.
- Proofs, Refutations and Z3. IWIL 08. M. & B.
- On Locally Minimal Nullstellensatz Proofs. SMT 09. M. & Passmore.
- A Concurrent Portfolio Approach to SMT Solving. CAV 09. Wintersteiger, Hamadi & M.
Quantifiers, quantifiers, quantifiers:
- Efficient E-matching for SMT Solvers. CADE 07. M. & B.
- Relevancy Propagation. TR 07. M. & B.
- Deciding Effectively Propositional Logic using DPLL(SX). IJCAR 08. M. & B.
- Engineering DPLL(T) + Saturation. IJCAR 08. M. & B.
- Complete Instantiation for Quantified SMT Formulas. CAV 09. Ge & M.
- On Deciding Satisfiability by DPLL(Γ+T). CADE 09. Bonacina, M. & Lynch.
- Linear Quantifier Elimination as an Abstract Decision Procedure. IJCAR 10. B.
- Efficiently Solving Quantified Bit-Vector Formulas. FMCAD 10. Wintersteiger, Hamadi, M.
Current Efforts:
- Model-based Quantifier Elimination
- Theories + Quantifiers from Models
- μZ: An Efficient Engine for Fixed-points. Datalog + Abstract Constraints; points-to analysis, knowledge bases, ...
Conclusions
SMT solvers are a great fit for software tools.
Current main applications: test-case generation; verifying compilers; model checking & predicate abstraction; model-based testing and development.
New applications keep appearing: synthesis, compiler optimization, trace-based optimization, ...

Extra: Nuts and Bolts
Model-based Theory Combination
Foundations:
1979   Nelson, Oppen: Framework
1984   Shostak: Theory solvers
1996   Tinelli & Harandi: N.O. fix
1996   Cyrluk et al.: Shostak fix #1
1998   B.: Shostak with constraints
2000   Barrett et al.: N.O. + rewriting
2001   Rueß & Shankar: Shostak fix #2
2002   Zarba & Manna: Nice theories
2004   Ghilardi et al.: N.O. generalized
2004   Ranise et al.: N.O. + superposition
2006   Bruttomesso et al.: Delayed theory combination
2007   de Moura & B.: Model-based theory combination
Efficiency using rewriting. 2001: Moskewicz et al.: efficient DPLL made guessing cheap. 2010: Jovanovic & Barrett: Sharing is Caring.
Combinatory Array Logic: a basis of operations [FMCAD 2009]

Efficient E-graph Matching [CADE 2007]
Match: read(write(A,I,V),I) against read(write(a,g(c),c), f(d,a))
assuming E = { g(a) = f(b, c), b = d, a = c }.
The second argument must be congruent to the binding of I, g(c), modulo E; the term f(d,a) is rewritten step by step:
    f(d,a) → f(b,a) → f(b,c) → g(a) → g(c)
Efficiency through:
- Code trees: runtime program specialization.
- Inverted path indexing: when a new equality enters, walk from sub-terms upwards to roots in the index.

Linear Quantifier Elimination as an Abstract Decision Procedure [IJCAR 2010]
SMT for QE has some appeal: just use SMT(LA/LIA) for closed formulas.
Algorithms: Fourier-Motzkin, Omega Test, Loos-Weispfenning, Cooper. Their underlying steps (resolution, case split + resolution, case split + virtual substitution) are each cast as an abstract decision procedure.
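As an added example (not from the slides, and not Z3's code) covering both the SMT walkthrough on the earlier slides and the E-graph matching slides above: the little engines those slides describe, in plain Python. Terms are nested tuples `('f', arg, ...)`, constants and variables are strings, numerals are ints. Arithmetic is handled by linear normalisation only (no Simplex), the array step is the read-over-write axiom, and equalities live in a union-find E-graph with congruence closure, which also drives a naive E-matcher. All names here are this example's own assumptions.

```python
# Added example (not from the slides): the little engines behind the SMT
# walkthrough and the E-graph matching slides. Names are this example's own.
def linear(t):
    """Linear normal form of an arithmetic term: (coefficients, constant)."""
    if isinstance(t, int):
        return {}, t
    if isinstance(t, str):
        return {t: 1}, 0
    if t[0] == 'lin':                          # already normalised
        return dict(t[1]), t[2]
    if t[0] not in ('+', '-'):
        raise ValueError(f'not a linear term: {t!r}')
    (ca, ka), (cb, kb) = linear(t[1]), linear(t[2])
    sign = 1 if t[0] == '+' else -1
    for v, n in cb.items():
        ca[v] = ca.get(v, 0) + sign * n
    return {v: n for v, n in ca.items() if n}, ka + sign * kb

def simplify(t, subst):
    """Apply subst (e.g. {'c': b+2}), normalise arithmetic and fire the axiom
    read(write(a, i, v), i) = v, bottom-up."""
    if isinstance(t, str):
        return simplify(subst[t], subst) if t in subst else t
    if isinstance(t, int):
        return t
    args = tuple(simplify(a, subst) for a in t[1:])
    if t[0] in ('+', '-'):
        coef, k = linear((t[0],) + args)
        if not coef:
            return k                               # a numeral
        if k == 0 and list(coef.values()) == [1]:
            return next(iter(coef))                # a lone variable
        return ('lin', tuple(sorted(coef.items())), k)
    if t[0] == 'read' and isinstance(args[0], tuple) and args[0][0] == 'write':
        if args[0][2] == args[1]:                  # same index: read-over-write
            return args[0][3]
    return (t[0],) + args

class EGraph:
    """Union-find over terms, closed under congruence: f(s..) = f(t..) if s = t."""
    def __init__(self):
        self.parent, self.terms = {}, []
    def add(self, t):
        if t not in self.parent:
            self.parent[t] = t
            self.terms.append(t)
            for a in (t[1:] if isinstance(t, tuple) else ()):
                self.add(a)
    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t
    def close(self):                                       # congruence rule to a fixpoint
        apps, changed = [t for t in self.terms if isinstance(t, tuple)], True
        while changed:
            changed = False
            for i, s in enumerate(apps):
                for t in apps[i + 1:]:
                    if (s[0] == t[0] and len(s) == len(t) and self.find(s) != self.find(t)
                            and all(self.find(a) == self.find(b) for a, b in zip(s[1:], t[1:]))):
                        self.parent[self.find(s)] = self.find(t)
                        changed = True
    def merge(self, s, t):
        self.add(s); self.add(t)
        self.parent[self.find(s)] = self.find(t)
        self.close()
    def equal(self, s, t):
        self.add(s); self.add(t); self.close()
        return self.find(s) == self.find(t)
    def members(self, t):
        self.add(t); self.close()
        return [u for u in self.terms if self.find(u) == self.find(t)]

def decide(equalities, disequality, subst):
    """'unsat' if the two sides of the disequality are forced equal."""
    eg = EGraph()
    for l, r in equalities:
        eg.merge(simplify(l, subst), simplify(r, subst))
    l, r = disequality
    return 'unsat' if eg.equal(simplify(l, subst), simplify(r, subst)) else 'sat'

def ematch(pat, term, eg, subst=None):
    """Naive E-matching: substitutions for pattern variables (uppercase names)
    that make pat congruent to term in the E-graph."""
    subst = {} if subst is None else subst
    if isinstance(pat, str) and pat[:1].isupper():
        if pat in subst:
            return [subst] if eg.equal(subst[pat], term) else []
        return [{**subst, pat: term}]
    out = []
    for u in eg.members(term):                 # any term in term's class may match
        if isinstance(pat, tuple):
            if not (isinstance(u, tuple) and u[0] == pat[0] and len(u) == len(pat)):
                continue
            partial = [subst]
            for p, a in zip(pat[1:], u[1:]):
                partial = [s2 for s1 in partial for s2 in ematch(p, a, eg, s1)]
            out += partial
        elif u == pat:                         # ground constant or numeral
            out.append(subst)
    return out

# The walkthrough's formula: b + 2 = c and f(read(write(a,b,3), c-2)) != f(c-b+1)
B_PLUS_2 = ('+', 'b', 2)
SLIDE_DISEQ = (('f', ('read', ('write', 'a', 'b', 3), ('-', 'c', 2))),
               ('f', ('+', ('-', 'c', 'b'), 1)))
```

`decide([(B_PLUS_2, 'c')], SLIDE_DISEQ, {'c': B_PLUS_2})` reproduces the slides' steps (substitute, normalise c-2 to b and c-b+1 to 3, fire read-over-write, then congruence makes f(3) and f(3) one class) and returns 'unsat'. For the E-matching slides, merging g(a) = f(b,c), b = d and a = c and matching the pattern against read(write(a,g(c),c), f(d,a)) binds A, I, V, with the second argument accepted because f(d,a) and g(c) land in one congruence class; dropping a = c makes the match fail. The pairwise congruence scan is quadratic and the arithmetic is purely syntactic, which is what the slides' code-tree and inverted-path indexing and the Simplex engine replace in Z3.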
DPLL
    M | F        M: partial model (the assigned literals); F: set of clauses
Guessing:
    p | p ∨ q, ¬q ∨ r   ⟹   p, ¬q | p ∨ q, ¬q ∨ r
Deducing (unit propagation):
    p | p ∨ q, ¬p ∨ s   ⟹   p, s | p ∨ q, ¬p ∨ s
Backtracking (p and q falsify ¬p ∨ ¬q, so the guess q is flipped):
    p, s, q | p ∨ q, s ∨ q, ¬p ∨ ¬q   ⟹   p, s, ¬q | p ∨ q, s ∨ q, ¬p ∨ ¬q

Modern DPLL:
- Efficient indexing (two-watch literal)
- Non-chronological backtracking (backjumping)
- Lemma learning
78SAT + Theory solversBasic Ideax 0, y = x + 1, (y > 2 y < 1) p1, p2, (p3 p4)Abstract (aka naming atoms)p1 (x 0), p2 (y = x + 1), p3 (y > 2), p4 (y < 1)1/31/2011 9:50 AM 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
79-83
SAT + Theory solvers
Basic Idea (the slide is built up in steps)
F: x ≥ 0, y = x + 1, (y > 2 ∨ y < 1)
Abstract (aka naming atoms): p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1)
Propositional abstraction: p1, p2, (p3 ∨ p4)
SAT Solver
Assignment: p1, p2, ¬p3, p4
Concretized: x ≥ 0, y = x + 1, ¬(y > 2), y < 1
Theory Solver
Unsatisfiable: x ≥ 0, y = x + 1, y < 1
New Lemma: ¬p1 ∨ ¬p2 ∨ ¬p4
84
SAT + Theory solvers
Theory Solver
Unsatisfiable: x ≥ 0, y = x + 1, y < 1
New Lemma: ¬p1 ∨ ¬p2 ∨ ¬p4
AKA Theory conflict
85
SAT + Theory solvers: Main loop
procedure SmtSolver(F)
  (Fp, M) := Abstract(F)
  loop
    (R, A) := SAT_solver(Fp)
    if R = UNSAT then return UNSAT
    S := Concretize(A, M)
    (R, S) := Theory_solver(S)
    if R = SAT then return SAT
    L := New_Lemma(S, M)
    Add L to Fp
86-87
SAT + Theory solvers
Basic Idea, annotated with the variables of the main loop
F: x ≥ 0, y = x + 1, (y > 2 ∨ y < 1)
Fp: p1, p2, (p3 ∨ p4)
Abstract (aka naming atoms)
M: p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1)
SAT Solver
A: Assignment p1, p2, ¬p3, p4
S: x ≥ 0, y = x + 1, ¬(y > 2), y < 1
Theory Solver
S: Unsatisfiable x ≥ 0, y = x + 1, y < 1
L: New Lemma ¬p1 ∨ ¬p2 ∨ ¬p4
procedure SMT_Solver(F)
  (Fp, M) := Abstract(F)
  loop
    (R, A) := SAT_solver(Fp)
    if R = UNSAT then return UNSAT
    S := Concretize(A, M)
    (R, S) := Theory_solver(S)
    if R = SAT then return SAT
    L := New_Lemma(S, M)
    Add L to Fp
Lazy translation to DNF
88
SAT + Theory solvers
State-of-the-art SMT solvers implement many improvements.
89
SAT + Theory solvers
Incrementality
Send the literals to the Theory solver as they are assigned by the SAT solver.
p1, p2, p4 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1), p5 ≡ (x < 2)
The partial assignment is already Theory inconsistent.
90
SAT + Theory solvers
Efficient Backtracking
We don't want to restart from scratch after each backtracking operation.
91
SAT + Theory solvers
Efficient Lemma Generation (computing a small S)
Avoid lemmas containing redundant literals.
p1, p2, p3, p4 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1), p5 ≡ (x < 2)
¬p1 ∨ ¬p2 ∨ ¬p3 ∨ ¬p4: Imprecise Lemma (¬p3 is redundant; the conflict needs only p1, p2, p4)
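As an added example (not code from the slides or from Z3), the main loop of slides 85 and 87 combined with the small-lemma computation of slide 91, run on the slides' own formula. The theory solver is a Bellman-Ford negative-cycle check over integer difference bounds and the SAT solver is a brute-force stand-in for CDCL; it is assumed that the equality y = x + 1 is encoded as two bounds named p2a and p2b, because a difference-logic atom is a single bound.

```python
from itertools import product
# Integer difference logic: atom (u, v, c) means u - v <= c; "0" is a variable fixed to zero.
def neg(a):  # over the integers, not(u - v <= c) is v - u <= -c - 1
    return (a[1], a[0], -a[2] - 1)

def theory_sat(atoms):
    """Bellman-Ford: satisfiable iff the graph (edge v -> u, weight c) has no negative cycle."""
    nodes = {n for u, v, _ in atoms for n in (u, v)}
    dist = dict.fromkeys(nodes, 0)
    for _ in range(len(nodes) + 1):     # a pass that still relaxes after |V| rounds is a cycle
        changed = False
        for u, v, c in atoms:
            if dist[v] + c < dist[u]:
                dist[u], changed = dist[v] + c, True
        if not changed:
            return True
    return False

def minimize(S):
    """Deletion-based core (slide 91): drop a literal if the rest stays unsat."""
    core = list(S)
    for lit in S:
        rest = [x for x in core if x != lit]
        if not theory_sat([a for _, a in rest]):
            core = rest
    return core

def sat_solver(Fp, names):
    for bits in product([False, True], repeat=len(names)):   # stand-in for CDCL: brute force
        A = dict(zip(names, bits))
        if all(any(A[p] == pol for p, pol in cl) for cl in Fp):   # literal = (name, polarity)
            return A
    return None

def smt_solver(F, M):
    """Main loop of slide 85. Returns (result, assignment, Fp with the learned lemmas)."""
    Fp, names = [list(cl) for cl in F], sorted(M)
    while True:
        A = sat_solver(Fp, names)
        if A is None:
            return "UNSAT", None, Fp
        S = [(p, M[p] if A[p] else neg(M[p])) for p in names]   # Concretize(A, M)
        if theory_sat([a for _, a in S]):
            return "SAT", A, Fp
        Fp.append([(p, not A[p]) for p, _ in minimize(S)])      # New_Lemma(S, M)
# Constructed instance from the slides: x >= 0, y = x + 1, (y > 2 or y < 1), where
# y = x + 1 becomes the two bounds p2a, p2b and y > 2 is y >= 3 over the integers.
M = {"p1": ("0", "x", 0), "p2a": ("y", "x", 1), "p2b": ("x", "y", -1),
     "p3": ("0", "y", -3), "p4": ("y", "0", 0)}
F = [[("p1", True)], [("p2a", True)], [("p2b", True)], [("p3", True), ("p4", True)]]
```

The first SAT assignment (p1, p2a, p2b, ¬p3, p4) is rejected by the theory, the learned lemma is ¬p1 ∨ ¬p2b ∨ ¬p4 rather than the imprecise five-literal clause, and the second round returns SAT with p3 true and p4 false.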
92-93
SAT + Theory solvers
Theory Propagation
It is the SMT equivalent of unit propagation.
p1, p2 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
p1 ≡ (x ≥ 0), p2 ≡ (y = x + 1), p3 ≡ (y > 2), p4 ≡ (y < 1), p5 ≡ (x < 2)
p1, p2 imply ¬p4 by theory propagation
p1, p2, ¬p4 | p1, p2, (p3 ∨ p4), (p5 ∨ ¬p4)
Tradeoff between precision and performance.
94
An Architecture: the core
Core: SAT Solver
Theories: Equality, Uninterpreted Functions, Arithmetic, Bit-Vectors, Scalar Values
95
An Architecture: the core
Core: SAT Solver (Case Analysis)
Theories: Equality, Uninterpreted Functions, Arithmetic, Bit-Vectors, Scalar Values
96
An Architecture: the core
Core: SAT Solver (Case Analysis)
Theories: Equality, Uninterpreted Functions, Arithmetic, Bit-Vectors, Scalar Values
Blackboard: equalities, disequalities, predicates
97