Recent advances in SMT

ATVA 2018

Nikolaj Bjørner
Microsoft Research

Contents

Ingredients of SMT Solving

SAT SAT + Theories
     
Theories Theories + Theories
Programmability


SAT: Search Techniques

Theories: Solving Constraints over a theory

Theories + Theories: Integration of Theories

SAT + Theories: Integration of Theory Solvers with Search

Programmability: Programming Z3

Z3 on GitHub

Z3GitHub

Material

http://​theory.​stanford.​edu/​~nikolaj/​programmingz3.​html

Recent developments in Z3



Current pre-release 4.8.0.0, July 3


A parallel cube & conquer mode

$\lambda$ binding support

SAT solver with XOR, Cardinality and PB theories

SAT solver in-processing (ATE, ALA, ACCE, HBCA)

Model preservation across search resumption

SPACER/Horn engine by Arie Gurfinkel

New ILP engine by Lev Nachmanson

Programming Z3

System Overview

Z3Overall

Figure 1. Overall system architecture of Z3

SAT

  from z3 import *
  Tie, Shirt = Bools('Tie Shirt')
  s = Solver()
  s.add(Or(Tie, Shirt), 
        Or(Not(Tie), Shirt), 
        Or(Not(Tie), Not(Shirt)))
  print(s.check())
  print(s.model())

SMT

  Z = IntSort()
  f = Function('f', Z, Z)
  x, y, z = Ints('x y z')
  A = Array('A',Z,Z)
  fml = Implies(x + 2 == y, f(Store(A, x, 3)[y - 2]) == f(y - x + 1))
  solve(Not(fml))

SMT-LIB and Python

 (set-logic QF_LIA)
 (declare-const x Int)
 (declare-const y Int)
 (assert (> (+ (mod x 4) (* 3 (div y 2))) (- x y)))
 (check-sat)

Python version: 

 solve((x % 4) + 3 * (y / 2) > x - y)

Python and SMT-LIB

It is also possible to extract an SMT-LIB2 representation of a solver state. 

from z3 import *
x, y = Ints('x y')
s = Solver()
s.add((x % 4) + 3 * (y / 2) > x - y)
print(s.sexpr())

produces the output 

(declare-fun y () Int)
(declare-fun x () Int)
(assert (> (+ (mod x 4) (* 3 (div y 2))) (- x y)))

Accessing Expressions

x = Int('x')
y = Int('y')
n = x + y >= 3
print("num args: ", n.num_args())
print("children: ", n.children())
print("1st child:", n.arg(0))
print("2nd child:", n.arg(1))
print("operator: ", n.decl())
print("op name:  ", n.decl().name())
('num args: ', 2)
('children: ', [x + y, 3])
('1st child:', x + y)
('2nd child:', 3)
('operator: ', >=)
('op name:  ', '>=')

Quantifiers

solve(y == x + 1, ForAll([y], Implies(y <= 0, x < y)))
  • Is this satisfiable?

Lambdas

m, m1 = Array('m', Z, Z), Array('m1', Z, Z)
def memset(lo,hi,y,m):
    return Lambda([x], If(And(lo <= x, x <= hi), y, Select(m, x)))
solve([m1 == memset(1, 700, z, m), Select(m1, 6) != z])
Q = Array('Q', Z, B)
prove(Implies(ForAll(Q, Implies(Select(Q, x), Select(Q, y))), x == y))

SMT Theories

SMTCore

Figure 2. Architecture of Z3's SMT Core solver.

SAT + Theories

  • Mainstream SMT solver architecture based on co-processor architecture to CDCL.

  • Alternatives:

    • Model Constructing SAT - instantiate values of non-Booleans
    • MIP(T) - MIP solver is main engine
    • Super-position

CDCL(T) by example

BasicTheory1

CDCL(T) by example (2)

BasicTheory2

CDCL(T) by example (3)

BasicTheory3

CDCL(T) by example (4)

BasicTheory4

CDCL(T) by example (5)

BasicTheory5

CDCL(T) by example (6)

BasicTheory6

EUF

  S = DeclareSort('S')
  f = Function('f', S, S)
  x = Const('x', S)
  solve(f(f(x)) == x, f(f(f(x))) == x)
  solve(f(f(x)) == x, f(f(f(x))) == x, f(x) != x)

Arithmetic

  x, y = Reals('x y')
  solve([x >= 0, Or(x + y <= 2, x + 2*y >= 6), 
                 Or(x + y >= 2, x + 2*y > 4)])

Bit-vectors

def is_power_of_two(x):
    return And(x != 0, 0 == (x & (x - 1)))
x = BitVec('x', 4)
prove(is_power_of_two(x) == Or([x == 2**i for i in range(4)]))

The absolute value of a variable can be obtained using addition and xor with a sign bit. 

v = BitVec('v',32)
mask = v >> 31
prove(If(v > 0, v, -v) == (v + mask) ^ mask)

Algebraic Datatypes

Tree = Datatype('Tree')
Tree.declare('Empty')
Tree.declare('Node', ('left', Tree), ('data', Z), ('right', Tree))
Tree = Tree.create()
t = Const('t', Tree)
solve(t != Tree.Empty)

may produce the solution 

[t = Node(Empty, 0, Empty)]

Similarly, one can prove that a tree cannot be a part of itself. 

prove(t != Tree.Node(t, 0, t))

Floating Point Arithmetic

Floating points are bit-vectors with an interpretation specified by the IEEE floating point standard. 

from z3 import *
x = FP('x', FPSort(3, 4))
y = FP('y', FPSort(3, 4))
solve(10 * x == y, x != 0)
[y = -0.0, x = -0.0]

Sequences and Strings

s, t, u = Strings('s t u')
prove(Implies(And(PrefixOf(s, t), SuffixOf(u, t), 
                  Length(t) == Length(s) + Length(u)), 
             t == Concat(s, u)))

One can concatenate single elements to a sequence as units: 

s, t = Consts('s t', SeqSort(IntSort()))
solve(Concat(s, Unit(IntVal(2))) == Concat(Unit(IntVal(1)), t))
prove(Concat(s, Unit(IntVal(2))) != Concat(Unit(IntVal(1)), s))

Interfacing with Solvers

Scopes

p, q, r = Bools('p q r')
s = Solver()
s.add(Implies(p, q))
s.add(Not(q))
print(s.check())
s.push()
s.add(p)
print(s.check())
s.pop()
print(s.check())

Assumptions

Alternative to scopes, it is possible to check satisfiability under the assumption of a set of literals. 

s.add(Implies(p, q))
s.add(Not(q))
print(s.check(p))

Cores

p, q, r, v = Bools('p q r v')
s = Solver()
s.add(Not(q))
s.assert_and_track(q, p)
s.assert_and_track(r, v)
print(s.check())
print(s.unsat_core())

Models

When s.check() returns sat Z3 can provide a model. 

f = Function('f', Z, Z)
x, y = Ints('x y')
s.add(f(x) > y, f(f(y)) == y)
print(s.check())
print(s.model())

A possible model for s is: 

[y = 0, x = 2, f = [0 -> 3, 3 -> 0, else -> 1]]

Using Solvers

Blocking Previous Models



I would like to enumerate more than one model.

Blocking Previous Models (II)

def block_model(s):
    m = s.model()
    s.add(Or([ f() != m[f] for f in m.decls() if f.arity() == 0]))

Maximal Satisfying Subsets

I am given a solver s and set ps of formulas.

  • Find a largest possible subset of ps that is satisfiable with s.

Maximal Satisfying Subsets (II)

def tt(s, f): 
    return is_true(s.model().eval(f))

def get_mss(s, ps):
    if sat != s.check():
       return []
    mss = { q for q in ps if tt(s, q) }
    return get_mss(s, mss, ps)

def get_mss(s, mss, ps):
    ps = ps - mss
    backbones = set([])
    while len(ps) > 0:
       p = ps.pop()
       if sat == s.check(mss | backbones | { p }):
          mss = mss | { p } | { q for q in ps if tt(s, q) }
          ps  = ps - mss
       else:
          backbones = backbones | { Not(p) }
    return mss

All Cores and Correction Sets

I am given a solver s and set ps of formulas.

  • Enumerate all unsatisfiable subsets of ps

  • Enumerate all maximal satisfiable subsets of ps.

All Cores and Correction Sets (II)

Idea:

  • use a map solver to enumerate substs of ps that

    • neither contain a core

    • nore is contained is a satisfiable subset

  • Given a core

    • Add negation to map.

  • Given a satisfiable subset

    • Add parts of ps that are not in subset
    • Known as correction set

All Cores and Correction Sets (III)

def ff(s, p): 
    return is_false(s.model().eval(p))

def marco(s, ps):
    map = Solver()
    while map.check() == sat:
        seed = {p for p in ps if not ff(map, p)}
        if s.check(seed) == sat:
           mss = get_mss(s, seed, ps)
           map.add(Or(ps - mss))
           yield "MSS", mss
        else:
           mus = s.unsat_core()
           map.add(Not(And(mus)))
           yield "MUS", mus

Propositional Interpolation

I am given solvers A and B

  • A.add(B.assertions()) is unsat

  • A, B share propositional atoms xs

  • Compute reverse interpolant I

    • Implies(B, I)

    • Implies(A, Not(I))

Propositional Interpolation (II)

def mk_lit(m, x):
    if is_true(m.eval(x)):
       return x
    else:
       return Not(x)

def pogo(A, B, xs):   
    while sat == A.check():
       m = A.model()
       L = [mk_lit(m, x) for x in xs]
       if unsat == B.check(L):
          notL = Not(And(B.unsat_core()))
          yield notL
          A.add(notL)
       else:
          print("expecting unsat")
          break

Propositional Interpolation (III)

A = SolverFor("QF_FD")
B = SolverFor("QF_FD")
a1, a2, b1, b2, x1, x2 = Bools('a1 a2 b1 b2 x1 x2')
A.add(a1 == x1, a2 != a1, a2 != x2)
B.add(b1 == x1, b2 != b1, b2 == x2)
print(list(pogo(A, B, [x1, x2])))
    [Not(And(Not(x2), Not(x1))), Not(And(x2, x1))]

SAT Core

SATCore

Figure 3. Architecture of Z3's SAT Solver

QF_FD

from z3 import *
s = SolverFor("QF_FD")
Color, (red, green, blue) = EnumSort('Color', ['red','green','blue'])
clr = Const('clr', Color)
u, v = BitVecs('u v', 32)
s.add(u >= v,
      If(v > u + 1, clr != red, clr != green),
      clr == green,
      AtLeast(u + v <= 3, v <= 20, u <= 10, 2))
print(s.check())
print(s.model())

is satisfiable, and a possible model is: 

[v = 4, u = 2147483647, clr = green]

Cardinality and Pseudo-Boolean Constraints

p, q, r, u = Bools('p q r u')
solve(AtMost(p, q, r, 1), u, 
      Implies(u, AtLeast(And(p, r), Or(p, q), r, 2)))

Branching

  1. Literal selection: Which choice to make?

  2. Phase selection: Which direction to make the choice?


Cube and Conquer arguably a main development in scaling SAT.


What do SMT solvers do?

Backdoors

Fix subset of variables, such that reduced problem is easy (polynomial).

Backdoors

Literal Selection

  • Lots in MIP community for branch and bound [1]

    • Most fractional branch on $x$ with current solution furthest away from integral

    • Progress towards optimal: $Score(LP_{\max} - LP_{\max}[x \mapsto 0], LP_{\max} - LP_{\max}[x \mapsto 1])$

      • $Score(a,b) := \mu \max(a,b) + (1-\mu) \min(a,b)$
      • $Score(a,b) := \max(a,10^{-6})\cdot \max(b,10^{-6})$.

  • CSP:

    • branch on variable with smallest current domain.

    • branch on variable with smallest ratio of constraint occurrences to domain size.

  • Not much I know of in SMT, mostly piggyback on VSIDS (+ new friends), Lookahead or “steal” from MIP.

Phase selection

  • Yices, MathSAT - model-based branching:

    • Candidate model $M = [x \mapsto 2, y \mapsto 0, z \mapsto 1]$

    • Branches

      • $x \geq 2$,
      • $\neg (y \geq 3)$.

  • Strings [3] - Theory-aware branching.

    • Branches $x y = z u$:
      • $ x = z, y = u$
      • $ x = zv, vy = u$ where $v$ is fresh
      • $ xw = z, y = wu$, where $w$ is fresh

The Cube, the cloud, and Z3

CubeZ3

Cube and Conquer

s = SolverFor("QF_FD")
s.add($F$)
s.set("sat.restart.max", 100)
def cube_and_conquer(s):
    for cube in s.cube():
       if len(cube) == 0:
          return unknown
       if is_true(cube[0]):
          return sat     
       is_sat = s.check(cube):
       if is_sat == unknown:
          s1 = s.translate(s.ctx)
          s1.add(cube)
          is_sat = cube_and_conquer(s1)
       if is_sat != unsat:
          return is_sat
    return unsat

Arithmetical theories

  • Arithmetic is everywhere

  • Cyber-physical systems, DNNs, axiomatic economy.

Casey1

Linear Arithmetic

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) (>= t12 (+ t11 2)) (<= (+ t12 1) 8)))
(assert (and (>= t21 0) (>= t22 (+ t21 3)) (<= (+ t22 1) 8)))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or (>= t11 (+ t21 3)) (>= t21 (+ t11 2))))
(assert (or (>= t11 (+ t31 2)) (>= t31 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) (>= t31 (+ t21 3))))
(assert (or (>= t12 (+ t22 1)) (>= t22 (+ t12 1))))
(assert (or (>= t12 (+ t32 3)) (>= t32 (+ t12 1))))
(assert (or (>= t22 (+ t32 3)) (>= t32 (+ t22 1))))
(check-sat)
(get-model) ; display the model

Linear Arithmetic Example

Some Arithmetical Theories

ArithmeticTheories

Algorithmic Fragments of Arithmetic

Logic Fragment Solver Example
LRA Linear Real Arithmetic Dual Simplex $x + \frac{1}{2}y \leq 3$
LIA Linear Integer Arithmetic CutSat $a + 3b \leq 3$
LIRA Mixed Real/Integer Cuts + Branch $x + a \geq 4$
IDL Integer Difference Logic Floyd-Warshall $a - b \leq 4$
RDL Real Difference Logic Bellman-Ford
UTVPI Unit two-variable per inequality $x + y \leq 4$
NRA Polynomial Real Arithmetic Model based CAD $x^2 + y^2 < 1$

Non-linear Arithmetic [19]

nlsat

NLSAT demo

NIA

Hilbert's 10th.

  • Z3 falls back to incomplete heuristics
  • NIA over bounded integers may get translated to bit-vector constraints
  • Z3 and Yices [17]: NLSAT + branching
    • thus, create $x \leq k \lor x \geq k + 1$
    • for $val(x) \in (k,k+1)$
  • MathSAT [9]: incremental linearization
    • $x > 3 \land y < 2 \ \rightarrow \ x \cdot y < 2x + 3y - 2\cdot 3$
    • Follows from $x > a \land y < b \ \rightarrow (x - a) \cdot (b - y) > 0$

Other theories

Cardinality and Pseudo-Boolean theories (2-3 other talks here)


Modular arithmetic (linear, LIAMC and non-linear with Groebner)


Bi-linear real arithmetic $\vec{x}A\vec{y} \leq \vec{b}$


Non-unit two-variable per inequality $ax + by \leq c$


At most one (unit) positive variable per inequality (Horn) $x - 3y - 2z \leq 2$. What is the non-unit complexity?


max-atom: $\max(x,y) + k \geq z$. In NP $\cap$ co-NP, local strategy/policy iteration [4, 10, 15, 20, 21]


Knapsack theories: all variables with positive coefficients, except for one inequality where all variables have negative coefficients.

Bellman-Ford - a selection

(set-logic QF_IDL) ; optional in Z3
(declare-fun t11 () Int)
(declare-fun t12 () Int)
(declare-fun t21 () Int)
(declare-fun t22 () Int)
(declare-fun t31 () Int)
(declare-fun t32 () Int)

(assert (and (>= t11 0) ...))
(assert (and (>= t21 0) ...))
(assert (and (>= t31 0) (>= t32 (+ t31 2)) (<= (+ t32 3) 8)))
(assert (or ... (>= t21 (+ t11 2))))
(assert (or (>= t21 (+ t31 2)) ...))
(check-sat)
(get-model) ; display the model

Bellman-Ford

Solve difference logic using graph $O(m\cdot n)$ Bellman-Ford network flow algorithm. Negative cycle $\Rightarrow$ unsat.

BellmanFord

General form Simplex [12]

General form $Ax = 0$ and $lo_j \leq x_j \leq hi_j$

\[ x \geq 0, (x + y \leq 2 \vee x + 2y \geq 6), (x + y \geq 2 \vee x + 2y > 4) \]

$\leadsto$

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{s}_1~:=~\mathid{x}~+~\mathid{y},~\mathid{s}_2~:=~\mathid{x}~+~2\mathid{y},\\ \mdmathindent{2}\mathid{x}~\geq 0,~(\mathid{s}_1~\leq 2~\vee \mathid{s}_2~\geq 6),~(\mathid{s}_1~\geq 2~\vee \mathid{s}_2~>~4) \end{mdmathpre}%mdk \]

Only bounds (e.g., $s_1 \leq 2$) are asserted during search.

From Definitions to a Tableau

${\color{red}s_1} := x + y, {\color{red}s_2} := x + 2y$



${\color{red}s_1} = x + y$
${\color{red}s_2} = x + 2y$



${\color{red}s_1} - x - y = 0$ - ${\color{red}s_1, s_2}$ are basic (dependent)
${\color{red}s_2} - x - 2y = 0$ - $x, y$ are non-basic

Pivoting

  • Value of non-basic variable $x_j$ can be chosen between $lo_j$ and $hi_j$.
  • Value of basic variable is a function of non-basic variable values.
  • Pivoting swaps basic and non-basic variables.
    • used to get values of basic variables within bounds.

Pivoting example

${\color{red}s_1} - x - y = 0$ - ${\color{red}s_1, s_2}$ are basic (dependent)
${\color{red}s_2} - x - 2y = 0$ - $x, y$ are non-basic $x \geq 0, (s_1 \leq 2 \vee s_2 \geq 6), (s_1 \geq 2 \vee s_2 > 4)$


Initial values: $x = y = s_1 = s_2 = 0$


Bounds $x \geq 0, s_1 \leq 2, s_1 \geq 2$:


$s_1 := 2$, make $s_1$ non-basic.
${\color{red}y} + x - s_1 = 0$ - ${\color{red}y, s_2}$ are basic (dependent)
${\color{red}s_2} + x - 2s_1 = 0$ - $s_1, y$ are non-basic

Cubes [6]

Proposition: If $Ax \leq b - \frac{1}{2} \onenorm{A}$ has a solution over the reals, then $Ax \leq b$ has an integer solution obtained by rounding.

Example: Given

\[3x + y \leq 9 \wedge - 3y \leq -2 \]

Solve instead

\[3x + y \leq \underbrace{9 - \frac{1}{2}(3 + 1)}_{7} \wedge -3y \leq \underbrace{-2 - \frac{1}{2}3}_{-3.5} \]

Real solution $y = \frac{7}{6}, x = \frac{35}{18}$. Then $y = 1, x = 2$ is an integer solution.

Cubes [5]

Observation: One can often avoid strengthening inequalities.


bounds on variables $x \leq 4$.


differences between variables $x - y \leq 6$ need not be strengthened to $x - y \leq 5$.


octagon inequalities $x + y \leq 5$ can be strengthened to $x + y < 5$, or solutions can be patched.


unit horn inequalities $x \geq 5y + 6z + 3$

Cuts from Hermite Matrices [8, 11]

Constraints: $Ax \leq b$.


Assume $A$ is square and a tight non-integral solution $Ax_0 = b$.


Find Hermite $H$, unimodular $U$, s.t. $AU = H$. $\left(\begin{array}{rrrr}1 & 0 & 0 & 0 \\-1 & 2 & 0 & 0 \\-3 & -1 & 3 & 0 \\-1 & 0 & -2 & 4 \\\end{array}\right)$


Then $Ax \leq b \Leftrightarrow \exists y \ . \ Hy \leq b \land y = U^{-1}x$


Then $y_0 = U^{-1}x_0$ is not integral either.


Branch on some non-integral $y_{0i}$: $y_i \leq \lfloor y_{0i} \rfloor$.

Arithmetic for DNN analysis

  • ReLu [22]:

    • Dual Simplex based on floats (sacrifice numeric stability).
    • Extra inequalities $y \geq \min(x, 0)$ solved by local search before branching.

  • SHERLOCK [13]: Help Gurobi (MIP) solver using local search.

  • Lipschitz bounded functions [24]:

    • Check that $x \in IBox \wedge f(x) \not\in OBox$ is unsat.
    • Exploit Lipschitz bound $\frac{\delta f}{\delta x} \leq K$. Limits samples in $IBox$.
    • $O((\frac{K}{\epsilon})^{dim(x)})$, where $\epsilon$ is error tolerance.

  • An opportunity to revisit SMT and global optimization?

Strategy/Policy iteration [10]

Goal is to find minimal $x_i$ such that:

\[\begin{mdmathpre}%mdk \mdmathindent{3}\mathid{x}_\mathid{i}~\geq \mathid{e}_\mathid{i}~~\mathid{for}~\mathid{each}~\mathid{x}_\mathid{i}\\ \mdmathindent{3}\mathid{where}~\mathid{e}~::=~\mathid{x}_\mathid{j}~|~\mathid{a}\cdot \mathid{e}~|~\mathid{e}~+~\mathid{e}~|~\min(\mathid{e},\mathid{e})~|~\max(\mathid{e},\mathid{e})\\ \mdmathindent{3}\mathid{where}~\mathid{a}~>~0~\mathid{is}~\mathid{a}~\mathid{constant} \end{mdmathpre}%mdk \]


Policy Initially $\pi$ replaces $\min(e_1,e_2)$ by $e_1$ (arbitrary choice).


Solve the resulting unit-Horn system with solution $M$.


Evaluate each $\min(e_1, e_2)$ subterm wrt. $M$ to check if it preserves $\min$.


Repeat For each $\min(e_1, e_2)$, if $M(e_1) > M(e_2)$, but $\pi(\min(e_1,e_2)) = e_1$, then update $\pi(\min(e_1,e_2)) := e_2$.

Combining Theories

In practice, we need a combination of theories.

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{b}~+~2~=~\mathid{c}~~\mathid{and}~~\mathid{f}(\mathid{read}(\mathid{write}(\mathid{a},\mathid{b},3),~\mathid{c}-2))~\neq \mathid{f}(\mathid{c}-\mathid{b}+1) \end{mdmathpre}%mdk \]

A theory is a set (potentially infinite) of first-order sentences.

Main questions: Is the union of two theories $T_1 \cup T_2$ consistent? Given a solvers for $T_1$ and $T_2$, how can we build a solver for $T_1 \cup T_2$?

Combining Theories In a Nutshell



\[\xymatrix @-0.5em{ & T_1 \cup T_2 \\ T_1 \ar@{.>}[ur] & & T_2 \ar@{.>}[ul] \\ & T_0 \ar[ul] \ar[ur] } \]

Is there an effective $T_0$ over shared signature, that when embeddable into $T_1, T_2$ implies $T_1 \cup T_2$ is consistent?

A Combination History

Foundations Efficiency using rewriting
1979 Nelson & Oppen - Framework 1984 Shostak Theory
1996 Tinelli et al: N.O Fix 1996 Cyrluk et al: Shostak fix 1
2000 Barrett et al: N.O + Rewriting 1998 B: Shostak + Constraints
2002 Zarba & Manna: “Nice” theories 2001 Rues & Shankar: Shostak fix 2
2004 Ghilardi: N.O. as Amalgamation 2004 Ranise et al: N.O. + Superposition
       GRASP, Chaff: efficient backjumping
2006 Bruttomesso et al: Delayed Theory Combination
2007 de Moura & B: Model-based Theory Combination
2013 Jovanovich: overlapping, polite, shiny theories

Disjoint Theories

  • Two theories are disjoint if they do not share function/constant and predicate symbols. $=$ is the only exception.

  • Example:

    • The theories of arithmetic and arrays are disjoint.

    • Arithmetic symbols: $\{0, -1, 1, -2, 2, \ldots, +, -, \times, >, <, =, \geq \}$.

    • Array symbols: $\{ read, write \}$

Purification


\[ \color{red}{b + 2 = c},\ \color{blue}{f}(\color{green}{read}(\color{green}{write}\color{red}{(a,b,3), c-2})) \neq \color{blue}{f}(\color{red}{c-b+1}) \]


becomes

\[\begin{array}{l} \color{red}{b + 2 + c}, \color{blue}{f(v_1) \neq f(v_2)} \\ \color{green}{v_1 \equiv read(v_3, v_4)}\\ \color{red}{v_2 \equiv c - b + 1}\\ \color{green}{v_3 \equiv write(a,b,v_5)}\\ \color{red}{v_4 \equiv c-2}\\ \color{red}{v_5 \equiv 2}\\ \end{array} \]

Purification (2)

\[ \color{red}{b + 2 = c},\ \color{blue}{f}(\color{green}{read}(\color{green}{write}\color{red}{(a,b,3), c-2})) \neq \color{blue}{f}(\color{red}{c-b+1}) \]

becomes

\[\begin{array}{ll} \mathrm{Arithmetic:} & \color{red}{b + 2 + c, v_2 \equiv c - b + 1, v_4 \equiv c-2, v_5 \equiv 2}\\[2em] \mathrm{EUF:} & \color{blue}{f(v_1) \neq f(v_2)}\\[2em] \mathrm{Arrays:} & \color{green}{v_1 \equiv read(v_3, v_4), v_3 \equiv write(a,b,v_5)} \end{array} \]

Stably Infinite Theories

  • A theory is stably infinite if every satisfiable QFF is satisfiable in an infinite model.

  • EUF and arithmetic are stably infinite.

  • Bit-vectors are not

Stably Infinite Theories - Result

The union of two consistent, disjoint, stably infinite theories is consistent.

Beyond Disjointness - Amalgamation [16]

\[\xymatrix @-0.5em{ & T_1 \cup T_2 \\ T_1 \cup T_0^* \ar@{.>}[ur] & & T_2 \cup T_0^* \ar@{.>}[ul] \\ & T_0^* \ar[ul] \ar[ur] \\ T_1 \ar[uu] & & T_2 \ar[uu] \\ & T_0 \ar[uu] } \]

Amalgamation [16]

  1. there is a universal theory $T_0$ in the shared signature $\Sigma_0$ that is contained in both $T_1$ and $T_2$
    • $T_0$ is universal = axioms of $T_0$ use only $\forall$.
  2. $T_0$ admits model-completion $T^*_0$
    • Every model of $T_0$ embeds into $T^*_0$.
    • $T^*_0$ admits quantifier elimination.
  3. every model of $T_i$ embeds into a model of $T_i \cup T^*_0$
    • $M \models T_i$ iff $\mu(M) \models T_i \cup T^*_0$
  4. $T_0$ is effectively locally finite.
    • For every set of constants $\overline{a}$, there is a finite, computable, set $t_1, \ldots, t_k$ over $\Sigma_0^{\overline{a}}$ s.t. $T_0 \models \forall u \ . \bigvee_i \ . \ t_i = u$.

Signature non-disjoint theories


Ingredient: establish homomorphism from theory $\mathcal{T}$ to $\mathcal{T}_A$, such that consistency of $\mathcal{T}$ is reduced to consistency of $\mathcal{T}_{A} \cup Arith$.



Local Theory Extensions, Bridge Functions, Surjective Homomorphisms [25], [14], [28], [27], [7], [2]

\[\begin{mdmathpre}%mdk \mdmathindent{4}\mathid{type}~\mathid{tree}~=~\mathid{node}_{2}(\mathid{tree},~\mathid{tree})~|~\mathid{leaf}\\ \mdmathindent{4}\mathid{x},~\mathid{y}~:~\mathid{tree}\\ \mdmathindent{4}\mathid{length}(\mathid{node}(\mathid{x},\mathid{y}))~=~1~+~\mathid{length}(\mathid{x})~+~\mathid{length}(\mathid{y})\\ \mdmathindent{4}\mathid{length}(\mathid{leaf})~=~1\\ \\ \mdmathindent{4}\mathid{length}(\mathid{x})~=~2\cdot \mathid{length}(\mathid{y})~~ \end{mdmathpre}%mdk \]

Nelson-Oppen combination

Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be consistent, stably infinite theories over disjoint (countable) signatures. Assume satisfiability of conjunction of literals can be decided in $O(\mathcal{T}_1(n))$ and $O(\mathcal{T}_2(n))$ time respectively. Then

  1. The combined theory $\mathcal{T}$ is consistent and stably infinite.

  2. Satisfiability of quantifier free conjunction of literals can be decided in $O(2^{n^2} \times (\mathcal{T}_1(n) + \mathcal{T}_2(n)))$.

  3. If $\mathcal{T}_1$ and $\mathcal{T}_2$ are convex, then so is $\mathcal{T}$ and satisfiability in $\mathcal{T}$ is in $O(n^3 \times (\mathcal{T}_1(n) + \mathcal{T}_2(n)))$.

Convexity

A theory $T$ is convex iff:

  • For all finite sets $S$ of literals
  • For every disjunction $a_1 = b_1 \vee \ldots \vee a_n = b_n$
    • $S \models a_1 = b_1 \vee \ldots \vee a_n = b_n$
    • iff
    • $S \models a_i = b_i$ for some $1 \leq i \leq n$.

Convexity: Positive Results

  • Every convex theory with non trivial models is stably infinite.

  • Horn equational theories are convex.

    • Horn equations are formulas of the form $a_1 \neq b_1 \vee \ldots a_n \neq b_n \vee a = b$.

Convexity: Negative Results

  • Integer arithmetic is not convex.

    • $1 \leq a \leq 2, b = 1, c = 2$ implies $a = b \vee a = c$.

  • Real non-linear arithmetic

    • $a^2 = 1, b = 1, c = -1$ implies $a = b \vee a = c$.

Combination of non-convex theories

  • EUF is convex $O(n \log n)$

  • IDL is non-convex $O(n\cdot m)$

  • $EUF \cup IDL$ is NP-complete

    • Reduce 3-CNF to EUF+ IDL:
      • $0 \leq a_i \leq 1$ for each Boolean variable.
      • For each clause $a_i \vee \neg a_j \vee a_k$: $f(a_i,a_j,a_k) \neq f(0,1,0)$.

A Reduction Approach to Combination [23, 29]

Theory Combination in Z3:

  • Core Theories = Arithmetic + EUF + SAT

  • Bit-vectors, Finite domains = SAT

  • Other theories reduced to Core Theories

    • Arrays, Datatypes, ..: Instantiate Theory Axioms
      • each index $j$, each occurrence $\color{green}{write(a,i,v)}$.
      • add $\color{green}{read(write(a,i,v),i) = v}$
      • add $\color{green}{read(write(a,i,v),j) = read(a,j) \lor i = j}$

Gentle, smooth, polite theory combinations [18]

  • Filtering rules on when shared variables matter.

  • $x, y$ are shared, but

    • $x$ occurs only in $f(x), g(x,z)$

    • $y$ occurs only in $h(y), g(z,y)$

  • We don't care if $x = y$ or $x \neq y$.

Combining Theories in Practice

Propagate all implied equalities.

  • Deterministic Nelson-Oppen.

  • Complete only for convex theories.

  • It may be expensive for some theories.

Delayed Theory Combination.

  • Deterministic Nelson-Oppen.

  • Create set of interface equalities $(x = y)$ between shared variables.

  • Use SAT solver to guess the partition.

  • Disadvantage: the number of additional equalities is quadratic in the number of shared variables.

Combining Theories in Practice (2)

Common to these methods is that they are pessimistic about which equalities are propagated.

Model-based Theory Combination:

  • Optimistic approach.

  • Use a candidate model $M_i$ for one of the theories $\mathcal{T}_i$ and propagate all equalities implied by the candidate model hedging that other theories will agree.

    \[ \mathrm{if}\ M_i \models \mathcal{T}_i \cup \Gamma_i \cup \{ u = v \}\ \mathrm{then\ propagate}\ u = v \]

  • If not, use backtracking on choices $\Gamma$ to fix the model.

  • It is cheaper to enumerate equalities that are implied in a particular model than of all models.

Model-Based Theory Combination - Example

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{x}~=~\mathid{f}(\mathid{y}-1),~\mathid{f}(\mathid{x})~\neq \mathid{f}(\mathid{y}),~0~\leq \mathid{x}~\leq 1,~0~\leq \mathid{y}~\leq 1 \end{mdmathpre}%mdk \]

purify

\[ {\color{blue}{x = f(z), f(x) \neq f(y)}}, {\color{red}{0 \leq x \leq 1, 0 \leq y \leq 1, z = y - 1}} \]

Model-Based Theory Combination (1)

MBTCombination1

Model-Based Theory Combination (2)

MBTCombination2

Model-Based Theory Combination (3)

MBTCombination3

Model-Based Theory Combination (4)

MBTCombination4

Model-Based Theory Combination (5)

MBTCombination5

Model-Based Theory Combination (6)

MBTCombination6

Model-Based Theory Combination (7)

MBTCombination7

Madoko

  • Madoko is a A Fast Scholarly Markdown Processor,
  • intuitive and powerful integration of markdown and LaTeX,
  • browser and Azure based - no installation,
  • immediate preview,
  • real-time collaborative editing,
  • is written in Koka,
  • is by Daan Leijen, Microsoft Research daan

References

[1]Maria-Florina Balcan, Travis Dick, Tuomas Sandholm, and Ellen Vitercik. “Learning to Branch.” In Proceedings of the 35th International Conference on Machine Learning,   ICML 2018, Stockholmsmässan, Stockholm, Sweden, July 10-15, 2018, 353–362. 2018. http://​proceedings.​mlr.​press/​v80/​balcan18a.​html🔎
[2]Raphaël Berthon, and Christophe Ringeissen. “Satisfiability Modulo Free Data Structures Combined with Bridging   Functions.” In Proceedings of the 14th International Workshop on Satisfiability Modulo   Theories Affiliated with the International Joint Conference on Automated Reasoning, SMT@IJCAR 2016, Coimbra, Portugal, July 1-2, 2016., 71–80. 2016. http://​ceur-​ws.​org/​Vol-​1617/​paper7.​pdf🔎
[3]Murphy Berzish, Vijay Ganesh, and Yunhui Zheng. “Z3str3: A String Solver with Theory-Aware Heuristics,” in Stewart and Weissenbacher [26], 55–59. 2017. doi:10.23919/FMCAD.2017.8102241🔎
[4]Marc Bezem, Robert Nieuwenhuis, and Enric Rodríguez-Carbonell. “The Max-Atom Problem and Its Relevance.” In Logic for Programming, Artificial Intelligence, and Reasoning, 15th   International Conference, LPAR 2008, Doha, Qatar, November 22-27, 2008. Proceedings, 47–61. 2008. doi:10.1007/978-3-540-89439-1_4🔎
[5]Nikolaj Bjorner, and Lev Nachmanson. “Theorem Recycling for Theorem Proving.” In Vampire 2017. Proceedings of the 4th Vampire Workshop, edited by Laura Kov\’acs and Andrei Voronkov, 53:1–8. EPiC Series in Computing. EasyChair. 2018. doi:10.29007/r58f🔎
[6]Martin Bromberger, and Christoph Weidenbach. “New Techniques for Linear Arithmetic: Cubes and Equalities.” Formal Methods in System Design 51 (3): 433–461. 2017. doi:10.1007/s10703-017-0278-7🔎
[7]Paula Chocron, Pascal Fontaine, and Christophe Ringeissen. “A Polite Non-Disjoint Combination Method: Theories with Bridging Functions   Revisited,” in @DBLP:conf/cade/2015, 9195:419–433. 2015. doi:10.1007/978-3-319-21401-6_29🔎
[8]Jürgen Christ, and Jochen Hoenicke. “Cutting the Mix,” in @DBLP:conf/cav/2015, 9207:37–52. 2015. doi:10.1007/978-3-319-21668-3_3🔎
[9]Alessandro Cimatti, Alberto Griggio, Ahmed Irfan, Marco Roveri, and Roberto Sebastiani. “Experimenting on Solving Nonlinear Integer Arithmetic with Incremental   Linearization,” in @DBLP:conf/sat/2018, 10929:383–398. 2018. doi:10.1007/978-3-319-94144-8_23🔎
[10]Alexandru Costan, Stephane Gaubert, Eric Goubault, Matthieu Martel, and Sylvie Putot. “A Policy Iteration Algorithm for Computing Fixed Points in Static   Analysis of Programs,” in @DBLP:conf/cav/2005, 3576:462–475. 2005. doi:10.1007/11513988_46🔎
[11]Isil Dillig, Thomas Dillig, and Alex Aiken. “Cuts from Proofs: A Complete and Practical Technique for Solving   Linear Inequalities over Integers,” in @DBLP:conf/cav/2009, 5643:233–247. 2009. doi:10.1007/978-3-642-02658-4_20🔎
[12]B. Dutertre, and L. de Moura. “A Fast Linear-Arithmetic Solver for DPLL(T).” In CAV. 2006. 🔎
[13]Souradeep Dutta, Susmit Jha, Sriram Sankaranarayanan, and Ashish Tiwari. “Output Range Analysis for Deep Feedforward Neural Networks,” in @DBLP:conf/nfm/2018, 10811:121–138. 2018. doi:10.1007/978-3-319-77935-5_9🔎
[14]Pascal Fontaine, and E. Pascal Gribomont. “Combining Non-Stably Infinite, Non-First Order Theories.” Electr. Notes Theor. Comput. Sci. 125 (3): 37–51. 2005. doi:10.1016/j.entcs.2004.06.066🔎
[15]Thomas Gawlitza, and Helmut Seidl. “Precise Relational Invariants Through Strategy Iteration,” in @DBLP:conf/csl/2007, 4646:23–40. 2007. doi:10.1007/978-3-540-74915-8_6🔎
[16]Silvio Ghilardi. “Model-Theoretic Methods in Combined Constraint Satisfiability.” J. Autom. Reasoning 33 (3-4): 221–249. 2004. doi:10.1007/s10817-004-6241-5🔎
[17]Dejan Jovanovic. “Solving Nonlinear Integer Arithmetic with MCSAT,” in @DBLP:conf/vmcai/2017, 10145:330–346. 2017. doi:10.1007/978-3-319-52234-0_18🔎
[18]Dejan Jovanovic, and Clark Barrett. “Sharing Is Caring: Combination of Theories.” In Frontiers of Combining Systems, 8th International Symposium, FroCoS   2011, Saarbrücken, Germany, October 5-7, 2011. Proceedings, 195–210. 2011. doi:10.1007/978-3-642-24364-6_14🔎
[19]Dejan Jovanovic, and Leonardo Mendonça de Moura. “Solving Non-Linear Arithmetic.” In Automated Reasoning - 6th International Joint Conference, IJCAR   2012, Manchester, UK, June 26-29, 2012. Proceedings, 339–354. 2012. doi:10.1007/978-3-642-31365-3_27🔎
[20]Egor George Karpenkov. “Finding Inductive Invariants Using Satisfiability modulo Theories   and Convex Optimization. (Recherche D’invariants Inductifs Par Satisfiabilité modulo Théorie et Optimisation Convexe).” Phdthesis, Grenoble Alpes University, France. 2017. https://​tel.​archives-​ouvertes.​fr/​tel-​01681555🔎
[21]Egor George Karpenkov, David Monniaux, and Philipp Wendler. “Program Analysis with Local Policy Iteration,” in @DBLP:conf/vmcai/2016, 9583:127–146. 2016. doi:10.1007/978-3-662-49122-5_6🔎
[22]Guy Katz, Clark W. Barrett, David L. Dill, Kyle Julian, and Mykel J. Kochenderfer. “Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks,” in @DBLP:conf/cav/2017-1, 10426:97–117. 2017. doi:10.1007/978-3-319-63387-9_5🔎
[23]Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Generalized, Efficient Array Decision Procedures.” In Proceedings of 9th International Conference on Formal Methods in Computer-Aided   Design, FMCAD 2009, 15-18 November 2009, Austin, Texas, USA, 45–52. 2009. doi:10.1109/FMCAD.2009.5351142🔎
[24]Wenjie Ruan, Xiaowei Huang, and Marta Kwiatkowska. “Reachability Analysis of Deep Neural Networks with Provable Guarantees,” in @DBLP:conf/ijcai/2018, 2651–2659. 2018. doi:10.24963/ijcai.2018/368🔎
[25]Viorica Sofronie-Stokkermans. “Hierarchic Reasoning in Local Theory Extensions.” In Automated Deduction - CADE-20, 20th International Conference on Automated   Deduction, Tallinn, Estonia, July 22-27, 2005, Proceedings, 219–234. 2005. doi:10.1007/11532231_16🔎
[26]Daryl Stewart, and Georg Weissenbacher, editors. 2017 Formal Methods in Computer Aided Design, FMCAD 2017, Vienna,   Austria, October 2-6, 2017. IEEE. 2017. http://​ieeexplore.​ieee.​org/​xpl/​mostRecentIssue.​jsp?​punumber=​8093672🔎
[27]Philippe Suter, Mirco Dotta, and Viktor Kuncak. “Decision Procedures for Algebraic Data Types with Abstractions,” in @DBLP:conf/popl/2010, 199–210. 2010. doi:10.1145/1706299.1706325🔎
[28]Ting Zhang, Henny B. Sipma, and Zohar Manna. “Decision Procedures for Term Algebras with Integer Constraints.” Inf. Comput. 204 (10): 1526–1574. 2006. doi:10.1016/j.ic.2006.03.004🔎