Topics in SMT

TU Wien Guest Lectures October 2025

Nikolaj Bjørner
Microsoft Research

Contents

Terms and values

\[\begin{mdmathpre}%mdk \mathid{s},~\mathid{t},~\varphi,~\mathid{x},~\mathid{y},~\mathid{z}~&~\in &~~~\termsort &~::=~&~\mathid{f}(\termsort^*)~&~&~\mbox{function applied to terms}\\\\ \mdmathindent{23}&~~~~~&~~~\mathcal{M}~~~~&~:~&~\Functions \times \values^*~\rightarrow \values &~&~\mbox{operator semantics}~\\\\ \mdmathindent{23}&~~~~~&~~~\Range &~:~&~\termsort \rightarrow 2^\values &~&~\mbox{non-empty viable range}~\\\\ \mdmathindent{23}&~~~~~&~~~\terms &~\subset &~\termsort &~&~\mbox{a finite set of terms, closed under sub-terms}~\\ \end{mdmathpre}%mdk \]

Terms and Values Examples

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{x},~\mathid{y},~\mathid{x}~+~\mathid{y}~~~~~~&~\in &~~~\termsort \\ \mdmathindent{2}\mathcal{M}(\mathid{v}_1~+~\mathid{v}_2)~~~~~&~~=~~~&~~\mathid{v}_1~+~\mathid{v}_2\\ \mdmathindent{2}\Range(\mathid{x})~~~~~~~~&~~=~~&~~\{~0,~1~\}~~&~\mbox{if given the constraint }~0~\leq \mathid{x}~\leq 1\\ \mdmathindent{2}\terms &~~:~~&~\{~\mathid{x},~\mathid{y},~\mathid{x}~+~\mathid{y},~0,~1,~0~\leq \mathid{x},~\mathid{x}~\leq 1,~0~\leq \mathid{x}~+~\mathid{y}~\}~~~~~~~~~~~~~~~~~ \end{mdmathpre}%mdk \]

Interpretations

\[\begin{mdmathpre}%mdk \mdmathindent{2}\Value &~:~&~\termsort \rightarrow \values &~&~\mbox{value assignment}\\\\ %~~\evalone &~:~&~\termsort \rightarrow \values &~&~\mbox{one step evaluation}\\\\ \mdmathindent{2}\evalone(\mathid{f}(\vec{\mathid{t}}))~~~&~:=~&~\Sem{\mathid{f}(\Value(\vec{\mathid{t}}))}~&~&~\mbox{one step local evaluation}\\\\ \mdmathindent{2}\evalstar{\mathid{f}(\vec{\mathid{t}})}~&~:=~&~\Sem{\mathid{f}(\evalstar{\vec{\mathid{t}}})}~&~&~\mbox{full evaluation}\\~ \end{mdmathpre}%mdk \]

Interpretations - Examples

\[\begin{mdmathpre}%mdk \mdmathindent{2}\values &~:~&~[\mathid{x}~\mapsto 0,~\mathid{y}~\mapsto -1,~\mathid{x}~+~\mathid{y}~\mapsto 0~]\\ \mdmathindent{2}\evalone(0~\leq \mathid{x}~+~\mathid{y})~&~\equiv &~0~\leq 0~\equiv \true\\ \mdmathindent{2}\evalstar{0~\leq \mathid{x}~+~\mathid{y}}~&~\equiv &~0~\leq -1~\equiv \false \end{mdmathpre}%mdk \]

Coherence

Given a formula $\varphi$, fix

  • $\Value(\varphi) := \true, \Range(\varphi) := \{ \true \}$.

Proposition 1.
Let $\terms$ be the subterms in formula $\varphi$. If $\evalone(t) = \Value(t) \in \Range(t)$ for every $t \in \terms$ then $\evalstar{\varphi} = \true$.

Invertible functions

Recall global pre-processing rules: If $F[x + y]$ contains the subterm $x + y$ and this is the only occurrence of $x$ simplify to $F[x]$ and remember that interpretation for $x$ should be repaired to $\Model(x) := \Model(x) - \Model(y)$.

  • Many operators are invertible.

  • Sometimes operators are not invertible, but weakly invertible: If $\Model(x \cdot y) = 1, \Model(x) = \Model(y) = 0$. We cannot solve for $x$ or $y$. But we can reset both $x, y$ to some values that solve for 1.

Repair by invertibility

Rehash
If $\evalone(t) \not\in \Range(t)$, set $\Value(t) := $ to a new random value in $\Range(t)$.
Strong invertibility
If there is a value $v_1 \in \Range(t_1)$, such that $\Value(t) = \Sem{f(v_1, \Value(t_2))}$, then set $\Value(t_1) := v_1$.
Symmetric for $v_2$.
Weak invertibility
If there are values $v_1 \in \Range(t_1), v_2 \in \Range(t_2)$ with $v_1\neq\Value(t_1)$, such that $\Value(t) = \Sem{f(v_1, v_2)}$, set $\Value(t_1) := v_1$.
Symmetric for $v_2$.
No invertibility
If there are no values $v_1, v_2$, such that $\Value(t) = \Sem{f(v_1,v_2)}$, then set $\Value(t)$ to a new random value in $\Range(t)$.
Revert to Up
is allowed if $\evalone(t) \in \Range(t)$.

Repair by gradients

  • Compute a scoring function based on $\evalone$:

    • Number of false clauses
    • Distance $|\evalone(t)|$ for $t \geq 0$ but $\evalone(t) < 0$.

  • Pick false literal $\ell$ in false clause.

    • Compute moves for all variables in $\ell$ (moves for $x,y$ in literal $x + y \geq 0$).
    • Prefer move with best global score

I found that using gradients is not as brittle as local repair. Gradients can exploit derivatives. But local repair is useful when there is not clear derivative for functions.

Challenges and Opportunities

  • Combine Theory local search with Boolean local search (Zhang et al.2024)

    • Best current solution runs Boolean SLS (in z3 it is ddfw) in alternation with theory repair.
    • Theory local search solvers are clause-aware structures.

  • Use information from local search to speed up complete search

    • Variable priorties: keep track of frequency of variable flips
    • Variable phases:
      • For SAT: set the phase (and values of arithmetic variables) to the best model so far
      • For UNSAT: I haven't addressed this seriously yet

Project Topic

  • Add a local theory search solver for finite sets.
  • Z3 contains a plugin model for theory local search engines.
  • The engine can add or remove elements to sets.
    • Added eleements can come from a pre-existing finite set of candidates.
    • Maybe grow the candidate set dynamically
  • Add a range at a time for large sets?
  • Initial metric for success: solve random benchmarks better than the complete solver.

Equality Saturation modulo Theories

  • A fresh topic

  • Egglog:

    • E-saturation modulo ground equalities and E-matching rules.
    • Datalog-like bottom-up saturation.

  • Equality saturation in First-Order (Vampire):

    • E-matching is $\forall\times$ ground equality
    • Superposition works for $\forall\times\forall$.
    • $x x^{-1} = 1, x (yz) = (xy)z$ then $x^{-1}1 = x^{-1}(xx^{-1}) = (x^{-1}x)x^{-1}$

Congruence Closure Modulo Theories

If we merge

  • $A \cup B \cup C \simeq D \cup E$
  • $A \cup B \cup E \simeq F$

We can infer that $D \cup E \simeq F \cup C$.

  • Augment E-graph merge by ACI completion.

ACI completion

  • A little subroutine that sits as a callback from E-graph merge.
  • Maintains a work list of AC equations that have not been processed.
  • Finds critical pairs, superposes, and adds new equalities.
  • Reduces existing equalities modulo oriented equations.

Bit-vector equalities

  • $x[10:3] = x[8:1] \Rightarrow x[10:9] = x[8:7] = x[6:5] = x[4:3] = x[2:1]$

  • “Cut, dice, and slice” extract, concat, and bit-wise: $x[hi:lo] \simeq y \& x$ (Bruttomesso and Sharygina2009)

E-matching Modulo Theories

  • Matching modulo AC and ACI

  • Matching modulo Higher-Order functions

Both topics have established solutions.

For E-matching:

  • Basic solutions: to implement top-down algorithm with the additional feature that you can iterate over an equivalence class of ground terms in each step.

CDCL(T) proofs

Theory solver offers two main services

\[\begin{array}{llllll} {\sf T-Propagate} & \twodpstate{M}{F} & \Longrightarrow & \twodpstate{M\ell^{C\vee\ell}}{F} & \left\{ \begin{array}{l} \mbox{$\ell$ unassigned in $M$} \\ \mbox{$\ell$ or $\neg{\ell}$ occurs in $F$} \\ \mbox{$T \models C \vee \ell$}\\ \compl{C} \subseteq M \end{array} \right. \\[4em] {\sf T-Conflict} & \twodpstate{M}{F} & \Longrightarrow & \conflstate{M}{F}{C} & \compl{C} \subseteq M,\ T \models C. \end{array} \]

CDCL(T) proofs (II)

Both cases rely on establishing $T$-tautologies

\[ T \models C \]

  • $T$ tautologies are justified using theory specific rules

  • $T$ tautologies can be added to propositional RUP proofs as trusted assumptions

CDCL(T) proofs - justifying inferences

  • EUF - we show how to justify EUF tautologies found by congruence closure

  • Arithmetic - we illustrate extracting Farkas proofs

    • Many other inferences

  • Other theories - many rely on instantiating axioms.

    • Trusted base (verified using ITP) using many axioms vs. trusted base with powerful checkers.

Combining Theory Solvers

  • SMT solvers combine multiple $T$-solvers into a single solver.

  • Example: EUF + Arithmetic

  • For proof generation, we have a nested scenario:

    • use $T$-lemmas in CDCL solver
    • combine multiple $T$ lemmas into a $T$ lemma used by the SAT solver.

Using $T$-lemmas in CDCL

  • The CDCL solver by default logs $T$-clauses after false unit literals have been removed

  • Steps required to verify $T$-clause $\mathcal{C}$:

    • Map $\Justification$ to original $T$-clause $\mathcal{C}_0$.
    • Verify $\mathcal{C}_0$ is a $T$ tautology
    • Verify that $\mathcal{C}$ follows from $\mathcal{C}_0$ using RUP.

Combining $T$ lemmas (I)

CDCLTarch

T-solvers share and propagate equalities

Combining $T$ lemmas (II)

  • Each internal $T$-propagation is logged as a lemma.

  • Assumed and propagated equalities are not known by CDCL(T) solver.

  • Equality reasoning leaks to $T$-solvers

\[\begin{array}{cc} \AxiomC{$C[t,t]$} \UnaryInfC{$s \not\simeq t \lor C[t, s]$} \DisplayProof & \begin{array}{l} \mbox{$T$-axiom} \\ \mbox{$T$-lemma as generated by solver} \end{array} \end{array} \]
  • $\Rightarrow$ Checking $T$-lemmas requires equality reasoning.

A brief overview of some efforts

References

R - LFSC - Logical Framework with Side Conditions (Stump2002)

  • Variant of dependent type theory with built-ins for exceptions

    • Proof rules are described as dependent types
    • Proof terms are type checked

  • First described in 2002, then several 2008, 2013, ..

  • Noteworthy:

    • Integration with RUP (Oe2011)
    • On-the-fly checking theory lemmas
    • Part of CVC (Fx7, SVC) certification tool chain(s)

R - VeriT (Fontaine et al.2006; Bouton et al.2009; Barbosa and Other2020)

Pre-processing

  • A general contextual rewrite functor

    • plug in transforms for let, var, bind, app

  • So far unexplored in this work:

    • Global rewrites
    • Fixed to post-order traversals

R - CVC (Barbosa et al.2022; Ozdemir et al.2019; Hadarean et al.2015; Katz et al.2016; Stump et al.2002; Barrett et al.2014)

  • Wide set of theories

    • Supported include: EUF, Arithmetic, ADT, Arrays, Strings, others

    • Unsupported only: Floats, sets, sequences

  • Target a variety of backends

    • LFSC, L$\exists\forall$N, Coq, Isabelle

  • Pre-processing proofs

R - SMTInterpol (Hoenicke and Schindler2022a)

  • Trusted base of proof rules, see SMT Workshop 2022 paper.

  • Proof rules for linear arithmetic, arrays, ADTs, EUF.

  • Proof rules formulated mild extension of SMT3

  • Self-contained checker

R - Z3 - existing (Moura and Bjørner2008)

R - Z3 - existing - limitations

  • Many built-in proof term constructors. Does not parse back.
  • Not easy to maintain/extend when adding new pre-processing or inference rules
  • Built-in proof tooling limited to normalization for SPACER
  • Many bugs related to details
    • or is both a term builder and creates a clause. Sometimes a unit literal is an or.
    • Proofs are optional code paths and weave many places. Forget to weave and proofs go poof.
    • lack of lambda when proofs were first introduced leads to broken handling of nested quantifiers
    • SPACER includes band-aid for incomplete arithmetic proof terms

R - Z3 - RUP(T) for a new core

  • Preference towards coarse-grained inferences
  • Integrated self-checker
  • Wishfull plans:
    • trim(T)
    • integrate with profiling tools (AxiomProfiler based on proof logs)
    • bridges to external formats and checkers (L$\exists\forall$N?)

Proof Formats

F - veriT proof format (Schurr et al.2021)

(assume a0 (exists ((x A)) (f x)))
(anchor :step t1 :args (:= x vr))
(step t1.t1 (cl (= x vr)) :rule cong)
(step t1.t2 (cl (= (f x) (f vr))) :rule cong)
(step t1 (cl (= (exists ((x A)) (f x))
(exists ((vr A)) (f vr)))) :rule bind)
(step t2 (cl (not (= (exists ((vr A)) (f x)) 
             (exists ((vr A)) (f vr)))) (not (exists ((vr A)) (f x)))
(exists ((vr A)) (f vr))) :rule equiv_pos1)
(step t3 (cl (exists ((vr A)) (f vr))) :premises (a0 t1 t2) :rule resolution)
(define-fun X () A (choice ((vr A)) (f vr)))
(step t4 (cl (= (exists ((vr A)) (f vr)) (f X))) :rule sko_ex)
(step t5 (cl (not (= (exists ((vr A)) (f vr)) (f X))) 
             (not (exists ((vr A)) (f vr))) (f X)) :rule equiv_pos1)
(step t6 (cl (f X)) :premises (t3 t4 t5) :rule resolution)

F - CVC4 - LFSC

CVC4Proof

F - SMTInterpol (Hoenicke and Schindler2022a)

SMTInterpolExample

F - Z3 proof format (Moura and Bjørner2008)

(set-option :proof true)
(declare-fun f (Int) Int)
(declare-const x Int)
(assert (or (= (f (f (f x))) x) (= (f (f x)) x)))
(assert (not (= (f (f (f (f (f (f x)))))) x)))
(check-sat)
(get-proof)

F - Z3 proof format (II)

((proof
(let ((?x25 (f x)))
 (let ((?x26 (f ?x25)))
 (let ((?x27 (f ?x26)))
 (let ((?x32 (f ?x27)))
 (let ((?x33 (f ?x32)))
 (let ((?x34 (f ?x33)))
 (let (($x35 (= ?x34 x)))
 (let (($x29 (= ?x26 x)))
 (let (($x28 (= ?x27 x)))
 (let ((@x47 (hypothesis $x28)))
 (let ((@x53 (monotonicity (monotonicity (monotonicity @x47 (= ?x32 ?x25)) (= ?x33 ?x26)) (= ?x34 ?x27))))
 (let (($x36 (not $x35)))
 (let ((@x37 (asserted $x36)))
 (let ((@x57 (lemma (unit-resolution @x37 (trans* @x53 @x47 $x35) false) (not $x28))))
 (let (($x30 (or $x28 $x29)))
 (let ((@x39 (rewrite (= $x30 $x30))))
 (let ((@x58 (unit-resolution (mp (mp (mp (asserted $x30) @x39 $x30) @x39 $x30) @x39 $x30) @x57 $x29)))
 (let ((@x64 (trans* (monotonicity (monotonicity @x58 (= ?x27 ?x25)) (= ?x32 ?x26)) @x58 (= ?x32 x))))
 (let ((@x69 (trans* (monotonicity (monotonicity @x64 (= ?x33 ?x25)) (= ?x34 ?x26)) @x58 $x35)))
 (unit-resolution @x37 @x69 false))))))))))))))))))))))

F - new Z3 proof format

\[\begin{array}{ll} ( \mathbf{assume}\ \Literal^*) & \mbox{input assumption} \\[1.5em] ( \mathbf{infer}\ \Literal^*\ \Justification) & \mbox{inferred clause with optional justification} \\[1.5em] ( \mathbf{delete}\ \Literal^*) & \mbox{deleted clause} \end{array} \]
\[\begin{mdmathpre}%mdk \mdmathindent{2}\Justification &~::=~&~\mathbf{rup}~\mid (\mathbf{euf}~\Literal^*~\mathcal{CC}^*)~\mid (\mathbf{farkas}~(\mathcal{Z}~\times \Literal)^*)~|~\mathit{inst}~|\ldots\\ \mdmathindent{2}\mathcal{CC}~~~~~&~::=~&~(\mathbf{cc}~(=~(\mathid{f}~\mathid{ts})~(\mathid{f}~\mathid{ts}')))\\ \mdmathindent{2}\mathit{inst}~~~~&~::=~&~(\mathbf{inst}~\Literal^*\;(\mathbf{bind}~\mathid{t}_1~\ldots \mathid{t}_\mathid{n})) \end{mdmathpre}%mdk \]

F - new Z3 proof format - Input

(set-option :sat.smt true)
(set-option :solver.proof.log proof-log.smt2)
(declare-fun f (Int) Int)
(declare-const x Int)
(assert (or (= (f (f (f x))) x) (= (f (f x)) x)))
(assert (not (= (f (f (f (f (f (f x)))))) x)))
(check-sat)

F - new Z3 proof format (II)

Pretty printed from Python: 

assume(Or(f(f(f(x))) == x, f(f(x)) == x))
assume(Not(f(f(f(f(f(f(x)))))) == x))
infer(rup, Not(f(f(f(f(f(f(x)))))) == x))
infer(euf(Not(f(f(f(f(f(f(x)))))) == x),
          f(f(x)) == x,
          cc(f(x) == f(f(f(x)))),
          cc(f(f(f(f(x)))) == f(f(x))),
          cc(f(f(f(f(f(x))))) == f(x)),
          cc(f(f(f(f(f(f(x)))))) == f(f(f(f(x)))))),
      Or(Not(f(f(x)) == x), f(f(f(f(f(f(x)))))) == x))
infer(rup, Not(f(f(x)) == x))
infer(rup, f(f(f(x))) == x)
infer(euf(Not(f(f(f(f(f(f(x)))))) == x),
          f(f(f(x))) == x,
          cc(f(x) == f(f(f(f(x))))),
          cc(f(f(f(f(f(x))))) == f(f(x))),
          cc(f(f(f(f(f(f(x)))))) == f(f(f(x))))),
      f(f(f(f(f(f(x)))))) == x)
infer(rup, False)

F - new Z3 proof format (III)

From SMTLIB: 

(declare-fun f (Int) Int)
(define-const $24 Int (f x))
(define-const $25 Int (f $24))
(define-const $26 Int (f $25))
(define-const $27 Bool (= $26 x))
(define-const $28 Bool (= $25 x))
(assume $27 $28)
(define-const $30 Int (f $26))
(define-const $31 Int (f $30))
(define-const $32 Int (f $31))
(define-const $33 Bool (= $32 x))
(assume (not $33))
(declare-fun rup () Proof)
(infer (not $33) rup)
(declare-fun euf (Bool Bool Proof Proof Proof Proof) Proof)
(declare-fun cc (Bool) Proof)
(define-const $42 Bool (= $32 $30))
(define-const $43 Proof (cc $42))
(define-const $40 Bool (= $31 $24))
(define-const $41 Proof (cc $40))
(define-const $38 Bool (= $30 $25))
(define-const $39 Proof (cc $38))
(define-const $36 Bool (= $24 $26))
(define-const $37 Proof (cc $36))
(define-const $34 Bool (not $33))
(define-const $44 Proof (euf $34 $28 $37 $39 $41 $43))
(infer (not $28) $33 $44)
(infer (not $28) rup)
(infer $27 rup)
(declare-fun euf (Bool Bool Proof Proof Proof) Proof)
(define-const $49 Bool (= $32 $26))
(define-const $50 Proof (cc $49))
(define-const $47 Bool (= $31 $25))
(define-const $48 Proof (cc $47))
(define-const $45 Bool (= $24 $30))
(define-const $46 Proof (cc $45))
(define-const $51 Proof (euf $34 $27 $46 $48 $50))
(infer $33 $51)
(infer rup)

EUF - SMT $>$ SAT

The empty theory of first-order logic.

\[\begin{array}{ccc} \AxiomC{\mbox{}} \RightLabel{refl} \UnaryInfC{$s \simeq s$} \DisplayProof & \ \ & \AxiomC{$s \simeq t$} \AxiomC{$t \simeq u$} \RightLabel{trans} \BinaryInfC{$s \simeq u$} \DisplayProof \\[2em] \AxiomC{$t \simeq s$} \RightLabel{symm} \UnaryInfC{$s \simeq t$} \DisplayProof & & \AxiomC{$ts_1 \simeq ts'_1, \ldots, ts_k \simeq ts'_k$} \RightLabel{cong} \UnaryInfC{$f(ts) \simeq f(ts')$} \DisplayProof \end{array} \]

EUF - Decision Procedure

EUFDecisionProcedure

EUF - Data-structures

  • E-Node:
    \[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{n}~:~&~\langle &~\mathid{f}:~&~\mathid{Func}~~&~\mbox{function symbol}\\ \mdmathindent{6}&~~~~~~&~\mathid{ts}:~&~\mathid{N}^*~&~\mbox{arguments}\\ \mdmathindent{6}&~~~~~~&~\mathid{find}:~&~\mathid{N}~~&~\mbox{link to representative}\\ \mdmathindent{6}&~~~~~~&~\mathid{P}:~~~~&~\mathid{N}^*~~~&~\mbox{list of parents}~~~~~~~~~~~~\\ \mdmathindent{6}&~~~~~~&~\mathid{cg}:~~~&~\mathid{N}~~~~&~\mbox{congruence representative}\\ \mdmathindent{6}&~~~~~~&~\mathid{j}:~~~~&~\mathid{null}~|~\mathid{Just}~\times \mathid{N}~&~\mbox{pointer to justification and node}\\ \mdmathindent{6}&~\rangle \end{mdmathpre}%mdk \]
  • Union-find: $find(n)$ - set $n \leftarrow n.\find$ until $n = n.\find$.
  • etable: $(n.f, find(n.ts)) \mapsto cg$

EUF - algorithm merge

merge($n_1, n_2$) 

Roots:        n1 := find(n1), r2 := find(n2)
              assume (r1 != r2)
Erase:        for each p in r1.P such that p.cg == p:
                 erase from table        
Update root:  r1.find := r2
Justify:      ....
Insert:       for each p in r1.P:
                 p.cg = insert p in etable
                 if p.cg == p:
                   append p to r2.P
                 else 
                   add (p.cg == p) to "to_merge"

EUF - algorithm - unmerge

unmerge($r_1, r_2$): 

Erase:        for each p in r2.P added from r1.P:
                 erase p from table 
Unjustify:    ....
Revert root:  r1.find := r1
Insert:       for each p in r1.P:
                 insert p if n was cc root before merge

condition for being cc root before merge:
  p.cg == p or !congruent(p, p.cg)

congruent(p,q) := roots of p.ts = roots of q.ts

EUF - justifications (I)

A justification is a reason for merging two nodes. There are two possible reasons for merging nodes:

  1. A literal $\ell: s \simeq t$ is asserted. The justification is the literal $\ell$.
  2. Nodes are merged due to congruence closure.
\[\begin{mdmathpre}%mdk \mdmathindent{3}\mathid{Justification}~::=~\ell:~\mathid{s}~\simeq \mathid{t}~|~\mathid{cc}:~\mathid{f}(\mathid{ts})~\simeq \mathid{f}(\mathid{ts}') \end{mdmathpre}%mdk \]

NB: $cc: f(ts) \simeq f(ts')$ is justified recursively by justifying $ts \simeq ts'$.

EUF - justifications (II)

Invariant: Every non-root node points to a linked list of justifications leading to the root

NB The linked list does not follow direction of union-find.

\[\begin{mdmathpre}%mdk \mdmathindent{4}\mathid{r}_1~\leftarrow \mathid{find}(\mathid{n}_1)\\ \mdmathindent{4}\mathid{r}_2~\leftarrow \mathid{find}(\mathid{n}_2)\\ \mdmathindent{4}\mathid{r}_1.\find \leftarrow \mathid{r}_2\\ \mdmathindent{4}\mathid{old}~\mathid{justification}:~\mathid{n}_1~\stackrel{\mathid{j}_1}{\rightarrow}~\mathid{n}^1_1~\stackrel{\mathid{j}_2}{\rightarrow}~\mathid{n}^2_1~\cdots \stackrel{\mathid{j}_\mathid{m}}{\rightarrow}~\mathid{r}_1\\ \mdmathindent{4}\mathid{new}~\mathid{justification}:~\mathid{n}_1~\stackrel{\mathid{j}_1}{\leftarrow}~\mathid{n}^1_1~\stackrel{\mathid{j}_2}{\leftarrow}~\mathid{n}^2_1~\cdots \stackrel{\mathid{j}_\mathid{m}}{\leftarrow}~\mathid{r}_1\\ \mdmathindent{4}\mathid{add}~\mathid{justification}:~\mathid{n}_1~\stackrel{\mathid{j}}{\rightarrow}~\mathid{n}_2 \end{mdmathpre}%mdk \]

EUF - justifications (III)

justificationunionfind

EUF - justifications are not unique

  • Missed justifications:

    • If $\find(n_1) = \find(n_2)$ then merge is a no-op.

  • egg (Flatt et al.2022) keeps track of potential extra paths to find short proofs.

  • for SMT: data-structure overhead vs. amortized effect of backtracking?

EUF - from justifications to proofs

  • Suppose $\find(s) = \find(t)$ follows from
    • merge($s_1, t_1$), merge($s_2, t_2$),$\ldots$, merge($s_k, t_k$).
    • Proof of $s \simeq t$:
\[\begin{array}{ll} \proof(s \simeq t) & = \begin{array}{c} \AxiomC{$\proof(s \stackrel{j}{\rightarrow} \cdots a)$} \AxiomC{$\proof(t \stackrel{j'}{\rightarrow} \cdots a)$} \RightLabel{symm} \UnaryInfC{$a \simeq t$} \RightLabel{trans} \BinaryInfC{$s \simeq t$} \DisplayProof\\[2em] \mbox{$a$ is a least common $\rightarrow$ ancestor of $s, t$} \end{array} \end{array} \]

EUF - from justifications to proofs (II)

\[\begin{array}{ll} \proof(s \stackrel{j}{\rightarrow} t \stackrel{j'}{\rightarrow} \cdots u) & = \begin{array}{c} \AxiomC{$\proof(j, s \simeq t)$} \AxiomC{$\proof(t \stackrel{j'}{\rightarrow} \cdots u)$} \RightLabel{trans} \BinaryInfC{$s \simeq u$} \DisplayProof \end{array} \\[1.5em] \proof(s) & = \begin{array}{c} \AxiomC{\mbox{}} \RightLabel{refl} \UnaryInfC{$s \simeq s$} \DisplayProof \end{array} \\[1.5em] \proof(\ell : s \simeq t, s \simeq t) & = \ell \\[1.5em] \proof(\ell : t \simeq s, s \simeq t) & = \begin{array}{c} \AxiomC{$\ell$} \RightLabel{symm} \UnaryInfC{$s \simeq t$} \DisplayProof \end{array} \\[1.5em] \proof(cc: f(ts) \simeq f(ts'), f..) & = \begin{array}{c} \AxiomC{$\proof(ts_1 \simeq ts'_1), \ldots, \proof(ts_k \simeq ts'_k)$} \RightLabel{cong} \UnaryInfC{$f(ts) \simeq f(ts')$} \DisplayProof \end{array} \end{array} \]

EUF - coarse- or fine-grained proofs

  • Fine-grained proofs - pro/cons:

    • Proof checker is simple. Just needs to check proof rules.
    • Requires building proof terms.
    • $\proof$ produces proofs of size $O(n^2)$. Can be tuned to $O(n)$.

  • A coarse-grained proof object (N. Shankar chat @ FLoC):

    • Just list set of input literals $\ell$ and congruences $cc$ used.
    • Sort $cc$ starting from leaves in $\pi$ (z3 sorts on a global timestamp).
    • Proof checker: union-find + processing $cc$ into union-find.

EUF - Example

(set-option :sat.euf true)
(set-option :sat.smt.proof eufproof.smt2)
(declare-fun f (Int) Int)
(declare-const x Int)
(assert (or (= (f (f (f x))) x) (= (f (f x)) x)))
(assert (not (= (f (f (f (f (f (f x)))))) x)))
(check-sat)

EUF - Example (II)

assume(Or(f(f(f(x))) == x, f(f(x)) == x))
assume(Not(f(f(f(f(f(f(x)))))) == x))
infer(rup, Not(f(f(f(f(f(f(x)))))) == x))
infer(euf(Not(f(f(f(f(f(f(x)))))) == x),
          f(f(x)) == x,
          cc(f(x) == f(f(f(x)))),
          cc(f(f(f(f(x)))) == f(f(x))),
          cc(f(f(f(f(f(x))))) == f(x)),
          cc(f(f(f(f(f(f(x)))))) == f(f(f(f(x)))))),
      Or(Not(f(f(x)) == x), f(f(f(f(f(f(x)))))) == x))
infer(rup, Not(f(f(x)) == x))
infer(rup, f(f(f(x))) == x)
infer(euf(Not(f(f(f(f(f(f(x)))))) == x),
          f(f(f(x))) == x,
          cc(f(x) == f(f(f(f(x))))),
          cc(f(f(f(f(f(x))))) == f(f(x))),
          cc(f(f(f(f(f(f(x)))))) == f(f(f(x))))),
      f(f(f(f(f(f(x)))))) == x)
infer(rup, False)

A - Arithmetic

A - Farkas and Dual Simplex

SMT solving based on Dual Simplex maintain a tableau of the form:

\[\begin{array}{ll} x_i = \sum_{x_j \in \nonbasicvars} a_{ij} x_j & x_i \in \basicvars \\ l_j \leq x_j \leq u_j & x_j \in \nonbasicvars \cup \basicvars \\ val : x_j \mapsto {\mathcal R} & \forall x_j \in \nonbasicvars \\ nval : x_i \mapsto \sum_{x_j \in \nonbasicvars} a_{ij} val(x_j) & \forall x_i \in \basicvars \end{array} \]

where $\basicvars$ are basic and $\nonbasicvars$ are non-basic variables.

A - Compiling into tableau

  x, y = Reals('x y')
  solve([x >= 0, Or(x + y <= 2, x + 2*y >= 6), 
                 Or(x + y >= 2, x + 2*y > 4)])

Introduce slacks to define terms

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{s}_1~=~\mathid{x}~+~\mathid{y},~\mathid{s}_2~=~\mathid{x}~+~2\mathid{y},~\mathid{s}_1,~\mathid{s}_2~\in \basicvars,~\mathid{x},~\mathid{y}~\in \nonbasicvars \end{mdmathpre}%mdk \]

Formula using slacks:

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{x}~\geq 0,~(\mathid{s}_1~\leq 2~\vee \mathid{s}_2~\geq 6),~(\mathid{s}_1~\geq 2~\vee \mathid{s}_2~>~4) \end{mdmathpre}%mdk \]

Only bounds (e.g., $s_1 \leq 2$) are asserted during search.

A - Infeasible Tableau

A tableau is infeasible if there is a row $x_i = \sum_{x_j \in \nonbasicvars} a_{ij} x_j$ such that

\[\begin{array}{lll} & a_{ij} < 0 \implies val(x_j) = l_j, & \forall x_j \\ & a_{ij} > 0 \implies val(x_j) = u_j, & \forall x_j \\ & nval(x_i) < l_i % \\ %or \\ % & a_{ij} > 0 \implies val(x_j) = l_j, & \forall x_j \\ % & a_{ij} < 0 \implies val(x_j) = u_j, & \forall x_j \\ % & nval(x_i) > u_i \end{array} \]

(We omit the symmetric case for upper bounds, $nval(x_i) > u_i$)

The explanation for infeasibility are the literals $l_j \leq x_j$ or $x_j \leq u_j$, respectively $l_i \leq x_i$ or $x_i \leq u_i$.

Slack variables are unfolded into their definitions.

The justification are the coefficients $a_{ij}$

A - Inferences

  • Dual simplex infeasibility

  • Bounds propagation

  • Equality propagation

  • Properties of div, mod, rem, to_int

  • Cuts

  • GCD tests

  • Non-linear arithmetic

    • NLSat
    • Incremental Linearization
    • Gröbner basis computation
    • Interval reasoning

A - Towards Generic Inferences

   (farkas c1 (<=? g1 g1') c2 (<=? g2 g2') ... cn (<=? gn gn'))
   (bound c1 (<=? g1 g1') c2 (<=? g2 g2') ... cn (<=? gn gn') (not (<= e1 e2)))
   (implied-eq c0 c1 (<=? g1 g1') c2 (<=? g2 g2') ... cn (<=? gn gn') (not (= e1 e2)))

where <=? is <=, <, > >=, =, and their negations; and $c_i$ are integer constants.

  • All inferences
    • Apply Gauss-Jordan elimination to equalities
    • Substitute result into remaining inequalities

A - Towards Generic Inferences - bounds

   (bound c1 (<=? g1 g1') (<=? g2 g2') ... (<=? gn gn') (not (<= e1 e2)))
  • Apply Cut to the first $n$ bounds.
  • Remaining inequalities are $ax \leq b$ and $\neg(a'x \leq b')$
  • Check $\exists k \geq 0. kax = a'x \land kb \leq b'$.

A - Towards Generic Inferences - implied equalities

   (implied-eq c0 c1 (<=? g1 g1') c2 (<=? g2 g2') ... cn (<=? gn gn') (not (= e1 e2)))

Check:

  • Linear combination of first c0 inequalities implies one side of equality.
  • Linear combination of remaining inequalities implies the other side.

Quantifiers and other theories

T - Skolem functions

Use Skolem functions, not fresh constants (Katz et al.2016), when instantiating existentials 

    (=> (forall ((x I)) (= (A i) (B i))) (= A B))

is instantiated as 

   A = B or select(A, diff(A,B)) != select(B, diff(A, B))

Use Skolem functions to replace extended operators 

(assert (contains a b))

Is rewritten into 

(assert (= a (str.++ (contains.left a b) b (contains.right a b))))

T - Hilbert Choice

   (choose ((x T)) (p x))

Used in proof generating systems (veriT, SMTInterpol).

T - Quantifiers

  • Mainstream SMT solvers are (still) Instantiation Based

Standardization?

  • SMTLIB Google Group (Hoenicke, Reynolds, others active)

  • Some diversity in formats generated by provers and not clear the format from provers should/can be aligned.

S - Farkas with SMTInterpol

SMTInterpolArithProofs

S - Farkas with Z3

   (farkas c1 (<=? g1 g1') c2 (<=? g2 g2') ... cn (<=? gn gn'))

where <=? is <=, <, > >=, =, and their negations; and $c_i$ are integer constants.

Define normalization function: 

   ci * (>= gi gi')       ->  -ci * (<= gi gi')
   ci * (< gi gi')        ->   ci * (<= (+ 1 gi) gi')        if gi is Int
   ci * (> gi gi')        ->  -ci * (< gi gi')
   ci * (not (<= gi gi')) ->  -ci * (< gi gi')
   ci * (<= gi gi')       ->  -ci * (<= gi' gi)              if ci < 0
   etc

Let $I$ be indices of inequalities, $E$ equalities, $s := \sum_{i \in I} c_i(g_i - g_i')$ and reduce $s$ using the equalities $E$. Then $s$ is non-negative if $I$ contains a strict inequality, or negative if it only contains weak inequalities.

S - some impressions

  • Tradeoff between generic rules and simpler rules.

    • Shifts work between proof logger and proof checker

  • Unclear if added complexity of checking generic rules provides return on investment.

  • A proof checker could map to nucleus of SMTInterpol format before validating premises.

    • Each normalization step maps to a justification

Several Directions

  • Model transformers, dual to proofs

    • undo effect of model transformers for incrementality

  • Pre and in-processing proofs

    • proofs for global inferences

  • Sustainable proofs

    • proof/life balance

Several Directions (II)

  • Beyond the power of regular resolution

    • for EUF
    • for EPR

  • Proofs for

    • word-level bit-vectors
    • CP domains within CDCL(T) solvers
    • PB/Cardinality proofs for CDCL(T)
      • Specifically extract PB justification as coarse/fine-grained proofs

Bibliography

Andrew W. Appel, Neophytos G. Michael, Aaron Stump, and Roberto Virga. “A Trustworthy Proof Checker.” J. Autom. Reason. 31 (3-4): 231–260. 2003. doi:10.1023/B:JARS.0000021013.61329.58🔎
Haniel Barbosa, and Other. “Scalable Fine-Grained Proofs for Formula Processing.” J. Autom. Reason. 64 (3): 485–510. 2020. 🔎
Haniel Barbosa, Andrew Reynolds, Gereon Kremer, Hanna Lachnitt, Aina Niemetz, Andres Nötzli, Alex Ozdemir, et al. “Flexible Proof Production in an Industrial-Strength SMT Solver.” In Automated Reasoning - 11th International Joint Conference, IJCAR   2022, Haifa, Israel, August 8-10, 2022, Proceedings, edited by Jasmin Blanchette, Laura Kovács, and Dirk Pattinson, 13385:15–35. Lecture Notes in Computer Science. Springer. 2022. doi:10.1007/978-3-031-10769-6_3🔎
Clark W. Barrett, Leonardo Mendonça de Moura, and Pascal Fontaine. “Proofs in Satisfiability modulo Theories.” In . 2014. 🔎
Frédéric Besson, Pierre-Emmanuel Cornilleau, and David Pichardie. “Modular SMT Proofs for Fast Reflexive Checking Inside Coq.” In Certified Programs and Proofs, edited by Jean-Pierre Jouannaud and Zhong Shao, 151–166. Springer Berlin Heidelberg, Berlin, Heidelberg. 2011. 🔎
Frédéric Besson, Pascal Fontaine, and Laurent Théry. “A Flexible Proof Format for SMT: A Proposal.” In PxTP 2011: First International Workshop on Proof eXchange for Theorem   Proving, Wrocław, Poland, August 1, 2011, edited by Pascal Fontaine and Aaron Stump, 15–26. 2011. https://​pxtp2011.​loria.​fr/​PxTP2011.​pdf\#​page=​19🔎
Jasmin Christian Blanchette, Sascha Böhme, and Lawrence C. Paulson. “Extending Sledgehammer with SMT Solvers.” J. Autom. Reason. 51 (1): 109–128. 2013. doi:10.1007/s10817-013-9278-5🔎
Sascha Böhme, Anthony C. J. Fox, Thomas Sewell, and Tjark Weber. “Reconstruction of Z3’s Bit-Vector Proofs in HOL4 and Isabelle/HOL.” In Certified Programs and Proofs - First International Conference, CPP   2011, Kenting, Taiwan, December 7-9, 2011. Proceedings, edited by Jean-Pierre Jouannaud and Zhong Shao, 7086:183–198. Lecture Notes in Computer Science. Springer. 2011. doi:10.1007/978-3-642-25379-9_15🔎
Thomas Bouton, Diego Caminha Barbosa De Oliveira, David Déharbe, and Pascal Fontaine. “veriT: An Open, Trustable and Efficient SMT-Solver.” In Automated Deduction - CADE-22, 22nd International Conference on Automated   Deduction, Montreal, Canada, August 2-7, 2009. Proceedings, edited by Renate A. Schmidt, 5663:151–156. Lecture Notes in Computer Science. Springer. 2009. doi:10.1007/978-3-642-02959-2_12🔎
Chad E. Brown, Mikolás Janota, and Cezary Kaliszyk. “Abstract: Challenges and Solutions for Higher-Order SMT Proofs.” In Proceedings of the 20th Internal Workshop on Satisfiability Modulo   Theories Co-Located with the 11th International Joint Conference on Automated Reasoning (IJCAR 2022) Part of the 8th Federated Logic Conference (FLoC 2022), Haifa, Israel, August 11-12, 2022, edited by David Déharbe and Antti E. J. Hyvärinen, 3185:128. CEUR Workshop Proceedings. CEUR-WS.org. 2022. http://​ceur-​ws.​org/​Vol-​3185/​abstract697.​pdf🔎
Roberto Bruttomesso, and Natasha Sharygina. “A Scalable Decision Procedure for Fixed-Width Bit-Vectors.” In 2009 International Conference on Computer-Aided Design, ICCAD 2009,   San Jose, CA, USA, November 2-5, 2009, edited by Jaijeet S. Roychowdhury, 13–20. ACM. 2009. doi:10.1145/1687399.1687403🔎
Burak Ekici, Alain Mebsout, Cesare Tinelli, Chantal Keller, Guy Katz, Andrew Reynolds, and Clark W. Barrett. “SMTCoq: A Plug-In for Integrating SMT Solvers into Coq.” In Computer Aided Verification - 29th International Conference, CAV   2017, Heidelberg, Germany, July 24-28, 2017, Proceedings, Part II, edited by Rupak Majumdar and Viktor Kuncak, 10427:126–133. Lecture Notes in Computer Science. Springer. 2017. doi:10.1007/978-3-319-63390-9_7🔎
Katalin Fazekas. “Proofs for SMT4J.” Mathesis, Linz. https://​kfazekas.​github.​io/​papers/​Fazekas-​MasterThesis-​2015.​pdf🔎
Oliver Flatt, Samuel Coward, Max Willsey, Zachary Tatlock, and Pavel Panchekha. “Small Proofs from Congruence Closure.” In FMCAD 2022. 2022. 🔎
Pascal Fontaine, Jean-Yves Marion, Stephan Merz, Leonor Prensa Nieto, and Alwen Fernanto Tiu. “Expressiveness + Automation + Soundness: Towards Combining SMT Solvers   and Interactive Proof Assistants.” In Tools and Algorithms for the Construction and Analysis of Systems,   12th International Conference, TACAS 2006 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2006, Vienna, Austria, March 25 - April 2, 2006, Proceedings, edited by Holger Hermanns and Jens Palsberg, 3920:167–181. Lecture Notes in Computer Science. Springer. 2006. doi:10.1007/11691372_11🔎
Liana Hadarean, Clark W. Barrett, Andrew Reynolds, Cesare Tinelli, and Morgan Deters. “Fine Grained SMT Proofs for the Theory of Fixed-Width Bit-Vectors.” In Logic for Programming, Artificial Intelligence, and Reasoning - 20th   International Conference, LPAR-20 2015, Suva, Fiji, November 24-28, 2015, Proceedings, edited by Martin Davis, Ansgar Fehnker, Annabelle McIver, and Andrei Voronkov, 9450:340–355. Lecture Notes in Computer Science. Springer. 2015. doi:10.1007/978-3-662-48899-7_24🔎
Jochen Hoenicke, and Tanja Schindler. “A Simple Proof Format for SMT.” In Proceedings of the 20th Internal Workshop on Satisfiability Modulo   Theories Co-Located with the 11th International Joint Conference on Automated Reasoning (IJCAR 2022) Part of the 8th Federated Logic Conference (FLoC 2022), Haifa, Israel, August 11-12, 2022, edited by David Déharbe and Antti E. J. Hyvärinen, 3185:54–70. CEUR Workshop Proceedings. CEUR-WS.org. 2022. http://​ceur-​ws.​org/​Vol-​3185/​paper9527.​pdf🔎
Jochen Hoenicke, and Tanja Schindler. “A Simple Proof Format for SMT.” In Proceedings of the 20th Internal Workshop on Satisfiability Modulo   Theories Co-Located with the 11th International Joint Conference on Automated Reasoning (IJCAR 2022) Part of the 8th Federated Logic Conference (FLoC 2022), Haifa, Israel, August 11-12, 2022, edited by David Déharbe and Antti E. J. Hyvärinen, 3185:54–70. CEUR Workshop Proceedings. CEUR-WS.org. 2022. http://​ceur-​ws.​org/​Vol-​3185/​paper9527.​pdf🔎
Guy Katz, Clark W. Barrett, Cesare Tinelli, Andrew Reynolds, and Liana Hadarean. “Lazy Proofs for DPLL(T)-Based SMT Solvers.” In 2016 Formal Methods in Computer-Aided Design, FMCAD 2016, Mountain   View, CA, USA, October 3-6, 2016, edited by Ruzica Piskac and Muralidhar Talupur, 93–100. IEEE. 2016. doi:10.1109/FMCAD.2016.7886666🔎
Robert Klapper, and Aaron Stump. “Validated Proof-Producing Decision Procedures.” Electron. Notes Theor. Comput. Sci. 125 (3): 53–68. 2005. doi:10.1016/j.entcs.2004.06.067🔎
Kenneth L. McMillan. “Interpolants from Z3 Proofs.” In International Conference on Formal Methods in Computer-Aided Design,   FMCAD ’11, Austin, TX, USA, October 30 - November 02, 2011, 19–27. 2011. http://​dl.​acm.​org/​citation.​cfm?​id=​2157661🔎
Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Model-Based Theory Combination.” Electron. Notes Theor. Comput. Sci. 198 (2): 37–49. 2008. doi:10.1016/j.entcs.2008.04.079🔎
Duckki Oe. “Extended Abstract: Combining a Logical Framework with an RUP Checker for SMT Proofs.” In . 2011. 🔎
Alex Ozdemir, Aina Niemetz, Mathias Preiner, Yoni Zohar, and Clark W. Barrett. “DRAT-Based Bit-Vector Proofs in CVC4.” In Theory and Applications of Satisfiability Testing - SAT 2019 - 22nd   International Conference, SAT 2019, Lisbon, Portugal, July 9-12, 2019, Proceedings, edited by Mikolás Janota and Inês Lynce, 11628:298–305. Lecture Notes in Computer Science. Springer. 2019. doi:10.1007/978-3-030-24258-9_21🔎
Hans-Jörg Schurr, Mathias Fleury, Haniel Barbosa, and Pascal Fontaine. “Alethe: Towards a Generic SMT Proof Format (extended Abstract).” In Proceedings Seventh Workshop on Proof eXchange for Theorem Proving,   PxTP 2021, Pittsburg, PA, USA, July 11, 2021, edited by Chantal Keller and Mathias Fleury, 336:49–54. EPTCS. 2021. doi:10.4204/EPTCS.336.6🔎
Aaron Stump. “Checking Validities and Proofs with CVC and Flea.” Phdthesis, Stanford University, USA. 2002. https://​searchworks.​stanford.​edu/​view/​5417778🔎
Aaron Stump. “Proof Checking Technology for Satisfiability Modulo Theories.” Electron. Notes Theor. Comput. Sci. 228: 121–133. 2009. doi:10.1016/j.entcs.2008.12.121🔎
Aaron Stump, Clark W. Barrett, and David L. Dill. “Producing Proofs from an Arithmetic Decision Procedure in Elliptical   LF.” Electron. Notes Theor. Comput. Sci. 70 (2): 29–41. 2002. doi:10.1016/S1571-0661(04)80504-8🔎
Aaron Stump, and David L. Dill. “Faster Proof Checking in the Edinburgh Logical Framework.” In Automated Deduction - CADE-18, 18th International Conference on Automated   Deduction, Copenhagen, Denmark, July 27-30, 2002, Proceedings, edited by Andrei Voronkov, 2392:392–407. Lecture Notes in Computer Science. Springer. 2002. doi:10.1007/3-540-45620-1_32🔎
Aaron Stump, Duckki Oe, Andrew Reynolds, Liana Hadarean, and Cesare Tinelli. “SMT Proof Checking Using a Logical Framework.” Formal Methods Syst. Des. 42 (1): 91–118. 2013. doi:10.1007/s10703-012-0163-3🔎
Aaron Stump, and Li-Yang Tan. “The Algebra of Equality Proofs.” In Term Rewriting and Applications, 16th International Conference, RTA   2005, Nara, Japan, April 19-21, 2005, Proceedings, edited by Jürgen Giesl, 3467:469–483. Lecture Notes in Computer Science. Springer. 2005. doi:10.1007/978-3-540-32033-3_34🔎
Dinghao Wu, Andrew W. Appel, and Aaron Stump. “Foundational Proof Checkers with Small Witnesses.” In Proceedings of the 5th International ACM SIGPLAN Conference on   Principles and Practice of Declarative Programming, 27-29 August 2003, Uppsala, Sweden, 264–274. ACM. 2003. doi:10.1145/888251.888276🔎
Xindi Zhang, Bohan Li, and Shaowei Cai. “Deep Combination of CDCL(T) and Local Search for Satisfiability Modulo Non-Linear Integer Arithmetic Theory.” In Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. ICSE ’24. Association for Computing Machinery, New York, NY, USA. 2024. doi:10.1145/3597503.3639105🔎