Quantified Satisfiability Modulo Theories

TU Wien Guest Lectures October 2025

Nikolaj Bjørner
Microsoft Research

Contents

Quantifier Engines in Z3

E-matching and Pattern based quantifier instantiation (Moura and Bjørner2007)

  • $\underbrace{(\forall x \ . \ f(g(x,c)) = a)}_{p_\varphi}$

  • $\land b = c \land g(c,b) = c \land f(b) \neq a$

    • Smallest subterm containing $x$: $f({\color{red}g(x,c)}) = a$
    • Use ground equality $b = c$ to match ${\color{red}g(x,c)}$ with $g(c,b)$.

  • $\land (p_{\varphi} \rightarrow f(g(b,c)) = a)$

  • Formulas are ground unsatisfiable.

E-matching - efficiency

  • Secret sauce is to find instantiations
    • quickly,
    • across large sets of terms, and
    • incrementally.

E-matching - basic algorithm

Takes

  • a ground term,
  • a pattern that may contain variables, and
  • a congruence closure structre cc that for each ground term represents an equivalence class of terms that are congruet in the current context.

E-matching - a primer on congruence closure

  • Let $\mathcal{T}$ be a set of terms and $\mathcal{E}$ set of equalities over $\mathcal{T}$.

  • A congruence closure over $\mathcal{T}$ modulo $\mathcal{E}$ is the finest a partition of $\mathcal{T}$, cc, such that:

    • if $s = t \in \mathcal{E}$, then $s, t$ are in the same partition in cc.

    • for $s := f(s_1, \ldots, s_k), t := f(t_1, \ldots, t_k) \in \mathcal{T}$,

      • if $s_i,t_i$ are in same partition of cc for each $i = 1, \ldots k$, then
      • $s, t$ are in the same partition under cc.

    • Convention: $cc: \mathcal{T} \rightarrow 2^{\mathcal{T}}$, maps term to its equivalence class.

E-matching - basic algorithm, code

def match(pattern, term, $\theta$, cc):
    pattern = pattern$\theta$
    if pattern == term:
       yield $\theta$
    elif is_var(pattern):
       yield $\theta[$pattern$\mapsto$ term$]$
    else:
       f(patterns) = pattern
       for f(terms) in cc(term):  
          # e.g., with same head function symbol f
          for $\theta'$ in matches(patterns, terms, $\theta$, cc):
            yield $\theta'$

def matches(patterns, terms, $\theta$, cc):
    if not patterns:
       yield $\theta$
       return
    for $\theta'$ in match(patterns[0], terms[0], $\theta$, cc):
        for $\theta''$ in matches(patterns[1:], terms[1:], $\theta'$, cc):
            yield $\theta''$

E-matching - basic algorithm, equational form

\[\begin{mdmathpre}%mdk \\ \mdmathindent{1}\mathid{match}(\mathid{x},~\mathid{t},~\mathid{S})~~~~~&~~=~~~~&~\{~\theta[\mathid{x}~\mapsto \mathid{t}]~\;\mid\;~\theta \in \mathid{S},~\mathid{x}~\not\in \theta \}~\\ \mdmathindent{20}&~~~~~~~&~\cup \{~\theta \;\mid\;~\theta \in \mathid{S},~\mathid{x}~\in \theta,~\theta(\mathid{x})~\in \mathid{cc}(\mathid{t})~\}\\ \mdmathindent{1}\mathid{match}(\mathid{c},~\mathid{t},~\mathid{S})~~~~~&~~=~~~~&~\emptyset\ ~~~~~~~~~~~~~~~~\mathsf{if}~\mathid{c}~\not\in \mathid{cc}(\mathid{t})\\ \mdmathindent{1}\mathid{match}(\mathid{c},~\mathid{t},~\mathid{S})~~~~~&~~=~~~~&~\mathid{S}~~~~~~~~~~~~~~~~~\mathsf{if}~\mathid{c}~\in \mathid{cc}(\mathid{t})\\ \mdmathindent{1}\mathid{match}(\mathid{f}(\mathid{ps}),~\mathid{t},~\mathid{S})~&~~=~~~~&~\bigcup_{\mathid{f}(\mathid{ts})~\in \mathid{cc}(\mathid{t})}~\mathid{match}(\mathid{ps}_\mathid{n},~\mathid{ts}_\mathid{n},~\ldots,~\\ \mdmathindent{20}&~~~~~~~&~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\mathid{match}(\mathid{ps}_1,~\mathid{ts}_\mathid{n},~\mathid{S})) \end{mdmathpre}%mdk \]

E-matching - beyond the basic algorithm

  • Match is invoked for every pattern in database.
  • To avoid common work:
    • Compile set of patterns into instructions.
      • By partial evaluation of naive algorithm
    • Instruction sequences share common sub-terms.
    • Substitutions are stored in registers,
      backtracking just updates the registers.

E-matching - code trees (0)

\[ f(X, g(X,a), h(Y), b) \]
PC Instruction
$pc_0$ init(f, $pc_1$) add arguments of $f$ to registers 1-4
$pc_1$ check(4,$b$,$pc_2$) check if $reg[4]$ is congruent to $b$
$pc_2$ bind(2, $g$, 5, $pc_3$) bind terms in $reg[2]$ with $g$ to $5-6$
$pc_3$ compare(1, 5, $pc_4$ ) check if $reg[1]$ equals $reg[5]$
$pc_4$ check(6, $a$, $pc_5$) check if $reg[6]$ is congruent to $a$
$pc_5$ bind(3, $h$, 7, $pc_6$) bind terms in $reg[3]$ with $h$ to $7$
$pc_6$ yield(1,7) output binding from $reg[1], reg[7]$

E-matching - code trees (1)

\[ f(X, g(X,a), h(Y), b) \]
PC Instruction $f(h(a),g(h({\color{red}{c}}), a), h(c),b)$
$pc_0$ init(f, $pc_1$) $reg[1:4] \leftarrow h(a), g(h({\color{red}{c}}),a), h(c), b$
$pc_1$ check(4,$b$,$pc_2$) $reg[4] = b$
$pc_2$ bind(2, $g$, 5, $pc_3$) $reg[5:6] \leftarrow h({\color{red}{c}}), a$
$pc_3$ compare(1, 5, $pc_4$ ) $reg[1] = h(a) \neq h({\color{red}{c}}) = reg[5]$
$pc_4$ check(6, $a$, $pc_5$)
$pc_5$ bind(3, $h$, 7, $pc_6$)
$pc_6$ yield(1,7)

E-matching - code trees (2)

\[ f(X, g(X,a), h(Y), b) \]
PC Instruction $f(h(a),g(h({\color{blue}{a}}), a), h(c),b)$
$pc_0$ init(f, $pc_1$) $reg[1:4] \leftarrow h(a), g(h({\color{blue}{a}}),a), h(c), b$
$pc_1$ check(4,$b$,$pc_2$) $reg[4] = b$
$pc_2$ bind(2, $g$, 5, $pc_3$) $reg[5:6] \leftarrow h({\color{blue}{a}}), a$
$pc_3$ compare(1, 5, $pc_4$ ) $reg[1] = h(a) = h({\color{blue}{a}}) = reg[5] $
$pc_4$ check(6, $a$, $pc_5$) $reg[6] = a$
$pc_5$ bind(3, $h$, 7, $pc_6$) $reg[7] \leftarrow c$
$pc_6$ yield(1,7) $X \leftarrow h(a) = reg[1], Y \leftarrow c = reg[7]$

E-matching abstract machine

mam

E-matching abstract machine - NB

  • Patterns that share common (top-down) term structure can share code sequences.

    • This saves on common work.

    • Use the choice instruction to branch when patterns end up having different sub-terms.

  • Other instructions are possible,

    • forward pruning: lookahead multiple function symbols in immediate subterms before diving into any subterm.

    • to deal with multi-patterns, when maching more than one pattern at a time.

Inverted path indexing

  • During search, congruence classes are merged.

  • Q: Which merges could enable pattern to be matched?

  • A: When pattern contains term $f(\ldots, g(\ldots),\ldots)$, and

    • a node $n_1$ is in in the same class as a node labeled by $g$,

    • a node $n_2$ is an argument of $f$ in the same position as $g$,

    • $n_1$, $n_2$ are merged

  • Idea: Build an index of all $\langle f, g\rangle$ pairs from patterns.

    • during a merge with $n_1, n_2$ look for matches in index.

Model-based Quantifier Instantiation (Ge and Moura2009; Moura and Bjørner2010; Bonacina et al.2011; Wintersteiger et al.2013)

Check $\psi \land \forall x \ . \ \varphi[{x}]$

while $\psi$ is SAT with model $M$:
   if $\neg \varphi^M[{x}]$ is UNSAT return SAT
   $M \leftarrow $ model for $\neg \varphi^M[{x}]$
   find $t$, such that $x \not\in t, t^M = x^M$.
   $\psi \leftarrow \psi \land \varphi[t]$
return UNSAT

where $t^M$ is $t$ partially evaluated using interpretation $M$.

Partial model evaluation

  • $t^M$ is $t$ partially evaluated using interpretation $M$.

Example:

  • $M := [y \mapsto 3, f(x) \mapsto \mathit{if}\ x = 1\ \mathit{then}\ 3\ \mathit{else} \ 5]$

  • $t := y + f(y) + f(z)$

  • $t^M = 3 + 5 + \mathit{if}\ z = 1\ \mathit{then}\ 3\ \mathit{else} \ 5$

Model-based Quantifier Instantiation - scope

Quite powerful when search space for instantiation terms is finite

  • EPR, UFBV, Array property fragment, Essentially UF
  • Combine with template space
  • See also CEGIS

EPR

\[\begin{mdmathpre}%mdk \mathid{EPR}~&~::=~\exists \mathid{e}_1\ldots \mathid{e}_\mathid{n}~\forall \mathid{u}_1\ldots \mathid{u}_\mathid{m}~\mathid{F}\\ \mathid{F}~~~&~::=~\bigwedge_\mathid{i}~\mathid{C}_\mathid{i}\\ \mathid{C}~~~&~::=~\bigvee_\mathid{j}~\mathid{L}_\mathid{i}\\ \mathid{L}~~~&~::=~\mathid{A}~|~\neg \mathid{A}\\ \mathid{A}~~~&~::=~\mathid{p}(\vec{\mathid{V}})~|~\mathid{V}~=~\mathid{V}'\\ \mathid{V}~~~&~::=~\mathid{e}_\mathid{i}~|~\mathid{u}_\mathid{j} \end{mdmathpre}%mdk \]

Also known as Bernays-Schoenfinkel-Ramsey class.

Same complexity as DQBF.

EPR Example

(declare-sort T) 

(declare-fun subtype (T T) Bool)

;; subtype is reflexive
(assert (forall ((x T)) (subtype x x)))

;; subtype is antisymmetric
(assert (forall ((x T) (y T))  (=> (and (subtype x y) (subtype y x)) (= x y))))

;; subtype is transitive
; ...

;; subtype has the tree-property
(assert (forall ((x T) (y T) (z T)) 
  (=> (and (subtype x z) (subtype y z)) (or (subtype x y) (subtype y x)))))

;; we have an additional axiom: every type is a subtype of obj-type
(declare-const obj-type T) ....
(assert (forall ((x T)) (subtype x obj-type)))

(assert (subtype int-type real-type))
(assert (subtype real-type complex-type))
(assert (not (subtype string-type real-type)))

EPR Example - online

EPR decidability

  • Skolemize
    • $\forall u_1\ldots u_m F$, the $e_1, \ldots, e_n$ are free constants
  • Instantiate
    • $\bigwedge_{\theta} F\theta$
    • where $\theta$ ranges over all bindings of $u_i$ to $e_j$.
  • Check ground SAT
  • Ground SAT implies finite model of size at most $n$.

EPR using MBQI

  • Skolemize

    • $\forall u_1\ldots u_m F$, the $e_1, \ldots, e_n$ are free constants

  • Models for $\neg F$ bind variables $u_1, \ldots, u_m$ to free constants

  • The number of possible such models is bounded by $m^n$.

UFBV (Wintersteiger et al.2013)

\[\begin{mdmathpre}%mdk \mathid{F}~~~&~::=~\exists \mathid{e}~:~\mathid{bv}[\mathid{n}]~.~\mathid{F}~|~\exists \mathid{u}~:~\mathid{bv}[\mathid{n}]~.~\mathid{F}~|~\mathid{F}~\wedge \mathid{F}~|~\mathid{C}\\ \mathid{C}~~~&~::=~\bigvee_\mathid{j}~\mathid{L}_\mathid{i}\\ \mathid{L}~~~&~::=~\mathid{A}~|~\neg \mathid{A}\\ \mathid{A}~~~&~::=~\mathid{p}(\vec{\mathid{T}})~|~\mathid{T}~=~\mathid{T}'~|~\mathtt{bvle}(\mathid{T},~\mathid{T}')~|~\ldots\\ \mathid{T}~~~&~::=~\mathid{f}(\vec{\mathid{T}})~|~\mathid{u}~|~\mathid{v}~|~\mbox{bit-vector expression}\\ \mathid{bv}[\mathid{n}]~&~::=~\mbox{bit-vector of length $n$} \end{mdmathpre}%mdk \]

UFBV Example

(set-option :smt.mbqi true)
(define-sort Char () (_ BitVec 8))

(declare-fun f  (Char) Char)
(declare-fun f1 (Char) Char)
(declare-const a Char)

(assert (bvugt a #x00))
(assert (= (f1 (bvadd a #x01)) #x00))
(assert (forall ((x Char)) (or (= x (bvadd a #x01)) (= (f1 x) (f x)))))

(check-sat)
(get-model)

UFBV decidability

  • All variables range over finite domains.

  • Quantifier-free fragment is not only NP hard, it is NEXPTIME hard.

  • Quantified fragment is another complexity jump.

  • BV - quantifier elimination (John and Chakraborty201620132011)

  • UFBV using MBQI (Wintersteiger et al.2013)

    • Use templates to find general instances

Map Property Fragment (Bradley et al.2006)

\[\begin{mdmathpre}%mdk \mathid{MP}~~~~&~::=~\exists \vec{\mathid{e}}~.~\forall \vec{\mathid{u}}~.~\bigwedge (\mathid{G}~\Rightarrow \mathid{F})\\ \mathid{G}~~~~~&~::=~\mathid{G}~\wedge \mathid{G}~|~\mathid{A}_\mathid{G}\\ \mathid{A}_\mathid{G}~~~&~::=~\mathid{T}[\mathid{u}]~\simeq \mathid{T}[\mathid{u}]~|~\mathid{T}[]~\not\simeq \mathid{T}[\mathid{u}]\\ \mathid{T}[\mathid{x}]~~&~::=~\mathid{x}~|~\mathid{e}\\ \mathid{F}~~~~~&~::=~\mathid{F}~\vee \mathid{F}~|~\mathid{A}_\mathid{F}~|~\neg \mathid{A}_\mathid{F}\\ \mathid{A}_\mathid{F}~~~&~::=~\mathid{T}[\mathid{a}[\mathid{u}]]~\simeq \mathid{T}[\mathid{a}[\mathid{u}]]~ \end{mdmathpre}%mdk \]

Map Property Fragment - Example

  • $a$ is equal to $b$ except at index $e$.

  • $c$ can only have two values, $e_1$ or $e_2$.

\[\begin{mdmathpre}%mdk \mdmathindent{2}\forall \mathid{u}~\ .~\ \mathid{a}[\mathid{u}]~\simeq \mathid{e}\\ \mdmathindent{2}\forall \mathid{u}~\ .~\ \mathid{u}~\not\simeq \mathid{e}~\ \Rightarrow \mathid{a}[\mathid{u}]~\simeq \mathid{b}[\mathid{u}]\\ \mdmathindent{2}\forall \mathid{u}~\ .~\ \mathid{c}[\mathid{u}]~\simeq \mathid{e}_1~\ \vee \mathid{c}[\mathid{u}]~\simeq \mathid{e}_2 \end{mdmathpre}%mdk \]

Array Property Fragment (Bradley et al.2006)

\[\begin{mdmathpre}%mdk \mathid{AP}~~~&~::=~\exists \vec{\mathid{e}}~.~\forall \vec{\mathid{u}}~.~\bigwedge (\mathid{G}~\Rightarrow \mathid{F})\\ \mathid{G}~~~~&~::=~\mathid{G}~\wedge \mathid{G}~|~\mathid{A}_\mathid{G}\\ \mathid{A}_\mathid{G}~~&~::=~\mathid{T}_\mathid{G}~\geq \mathid{T}_\mathid{G}\\ \mathid{T}_\mathid{G}~~&~::=~\mathid{u}~|~\mathid{T}[]\\ \mathid{T}[\mathid{x}]~~&~::=~\mathid{x}~|~\mathid{e}~|~\mathid{k}\times \mathid{T}[\mathid{x}]~|~\mathid{T}[\mathid{x}]~+~\mathid{T}[\mathid{x}]\\ \mathid{F}~~~~&~::=~\mathid{F}~\vee \mathid{F}~|~\mathid{A}_\mathid{F}~|~\neg \mathid{A}_\mathid{F}\\ \mathid{A}_\mathid{F}~~&~::=~\mathid{T}_\mathid{F}~\geq \mathid{T}_\mathid{F}~|~\mathid{R}(\mathid{T}_\mathid{F},~\ldots,~\mathid{T}_\mathid{F})~\\ \mathid{T}_\mathid{F}~~&~::=~\mathid{T}[\mathid{a}[\mathid{u}]]\\ \mathid{k}~~~~&~::=~\mbox{a numeric constant}\\ \mathid{R}~~~~&~::=~\mbox{a predicate} \end{mdmathpre}%mdk \]

Array Property Example

(set-option :smt.mbqi true)
(set-option :model.compact true)

;; A0, A1, A2, A3, A4 are "arrays" from Integers to Integers.
(declare-fun A0 (Int) Int) (declare-fun A1 (Int) Int)
(declare-fun A2 (Int) Int) (declare-fun A3 (Int) Int)
(declare-fun A4 (Int) Int) 
(declare-const n Int) (declare-const l Int)
(declare-const k Int) (declare-const x Int)
(declare-const y Int) (declare-const w Int)
(declare-const z Int)

;; A1 = A0[k <- w]
(assert (= (A1 k) w))
(assert (forall ((x Int)) (or (= x k) (= (A1 x) (A0 x)))))

;; A2 = A1[l <- x] = A0[k <- w][l <- x]
(assert (= (A2 l) x))
(assert (forall ((x Int)) (or (= x l) (= (A2 x) (A1 x)))))

;; A3 = A0[k <- y]
(assert (= (A3 k) y))
(assert (forall ((x Int)) (or (= x k) (= (A3 x) (A0 x)))))

;; A4 = A3[l <- z] = A0[k <- y][l <- z] 
(assert (= (A3 l) z))
(assert (forall ((x Int)) (or (= x l) (= (A4 x) (A3 x)))))

(assert (and (< w x) (< x y) (< y z)))
(assert (and (< 0 k) (< k l) (< l n)))
(assert (> (- l k) 1))

;; A2 is sorted in the interval [0,n-1]
(assert (forall ((i Int) (j Int))
                (=> (and (<= 0 i) (<= i j) (<= j (- n 1)))
                    (<= (A2 i) (A2 j)))))

(check-sat)
(get-model)

;; A4 is sorted in the interval [0,n-1]
(assert (forall ((i Int) (j Int))
                (=> (and (<= 0 i) (<= i j) (<= j (- n 1)))
                    (<= (A4 i) (A4 j)))))

(check-sat)

Array property Fragment - sufficient instantiations

  • Given formula $\varphi := \forall \vec{u} . \bigwedge (G \Rightarrow F)$ with $\vec{e}$ free.

  • Let $\mathcal{I} = \{ c_1, \ldots, c_m \}$ be set of a set of $T[] \cup \{ 0 \}$ from $\varphi$.

Definition 1.
The set $\mathcal{I}$ is a sufficient set of instances for $\varphi$, if
$\forall u \ . \ \bigvee_{c \in \mathcal{I}} \bigwedge_{A_G} (A_G \Rightarrow A_G[c/u])$

  • In other words, for every possible instantiation of $u$ there is a $c$ that satisfies at least the same combination of guards.

Array Property Fragment - arithmetic

Proposition 1.
If $\varphi$ admits a finite sufficient set of instances $\mathcal{I}$, it can be evaluated using those.

Proposition 2.
Formulas in the array and map property fragments admit a sufficient set of instantiations.

Proposition 3.
MBQI is a decision procedure the array and map property fragments by using the instantiation sets computed from the formulas.

Essentially Uninterpreted Fragment (Ge and Moura2009)

Synthesize generalized instantiation sets using grammar rules.

Applies to winder range of formulas than the syntactic array property fragment.

  • list property fragment by McPeak and Necula
  • several locally finite theories - Stokkermans et. al.

Essentially Uninterpreted Example

(set-option :smt.mbqi true)
;; f an g are "streams"
(declare-fun f (Int) Int)
(declare-fun g (Int) Int)

;; the segment [a, n + a] of stream f is equal to the segment [0, n] of stream g.
(declare-const n Int)
(declare-const a Int)
(assert (forall ((x Int)) (=> (and (<= 0 x) (<= x n))
                              (= (f (+ x a)) (g x)))))

;; adding some constraints to a
(assert (> a 10))
(assert (>= (f a) 2))
(assert (<= (g 3) (- 10)))

(check-sat)
(get-model)

Instantiation sets and Quantifiers

  • As pursued in (Reynolds et al.2017)

  • The notion of instantiation set can be extended along a different dimension of virtual substitutions.

  • Several theories admit quantifier elimination by virtual substitutions.

  • Example $(2x \geq 3)[(y-\epsilon)/x]$ $\equiv$ $(2(y-\epsilon) \geq 3)$ $\equiv$ $2y > 3$.

  • Tricky part: ensure that set of virtual substitutions does not grow unbounded.

QSAT (Bjørner and Janota2015)

Instantiations from repeated SMT calls (Monniaux2008)

Goal: To find a quantifier free $G$, such that $G \equiv \exists \vec{v} \ . \ F$

Tool: project that eliminates $\vec{v}$ from a conjunction $M$
         that is, project($\vec{v}, M$) $\Rightarrow \ \exists\vec{v} \ . \ M$.

Initialize: $G \leftarrow \bot$

Repeatedly: find conjunctions $M$ that imply $F \wedge \neg G$

Update: $G \leftarrow G \vee $ project($\vec{v}, M$).

Instantiations - Algorithm

def qe($\exists \vec{v} \ . \ F$):                   
    e, a = Solver(), Solver()
    e.add($F$)                        
    a.add($\neg F$)
    $G$ = False
    while sat == e.check():
       $M_0$ = e.model()
       $M_1$ = $\{ \mbox{literal }\ell \in F \;\mid\; M_0.\mathsf{eval}(\ell) = \true \}$  # assume $F$ is in negation normal form
       assert unsat == a.check($M_1$) 
       $M_2$ = a.unsat_core()
       $\pi$ = project($M_2$, $\vec{v}$)
       $G$ = $G \vee \pi$
       e.add($\neg\pi$)
    return $G$

From SMT to QBF and back

Example game (Janota and Marques-Silva2015)

\[\begin{mdmathpre}%mdk \mathid{G}~~=~~\forall \mathid{u}_1,\mathid{u}_2~\exists \mathid{e}_1,~\mathid{e}_2~\ .~\ \mathid{F}~\\\\ \mathid{F}~~=~~(\mathid{u}_1~\land \mathid{u}_2~\rightarrow \mathid{e}_1)~\land (\mathid{u}_1~\land \neg \mathid{u}_2~\rightarrow \mathid{e}_2)~\land(\mathid{e}_1~\land \mathid{e}_2~\rightarrow \neg \mathid{u}_1) \end{mdmathpre}%mdk \]
  • $\forall$: starts. $u_1, u_2, \overline{e}_1, \overline{e}_2 \models \neg F$.
  • $\exists$: strikes back. ${\color{blue}{u_1, u_2}}, e_1, \overline{e}_2 \models F$.
  • $\forall$: has to backtrack. Already $u_2, e_1, \overline{e}_2 \models F$.
  • $\forall$: learns $\neg u_2$.
  • $\forall$: ${\color{red}{\overline{u}_2}}, u_1, \overline{e}_1, \overline{e}_2 \models \neg F$.
  • $\exists$: counters - ${\color{red}{\overline{u}_2}}, {\color{blue}{u_1}}, \overline{e}_1, e_2 \models F$.
  • $\forall$: has lost!. Already ${\color{red}{\overline{u}_2}}, \overline{e}_1, e_2 \models F$.

Summary of approach

  • Two players try to find values

    • $\forall$ - to satisfy $\neg F$
    • $\exists$ - to satisfy $F$

  • Players control their variables

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ fixes value of $x_4$, but can change again it at round $4$,
      • $\forall$ can guess values of of $x_3$ to satisfy $\neg F$.

  • Some player loses at round $i + 2$.

    • Create succinct no-good to strengthen $F$ resp. $\neg F$.
    • Backjump to round $i$ (or below).

Main ingredients: Projection and Strategies



  • Projections are added to learn from mistakes.

    • Player avoids repeating same losing moves.

  • Strategies prune moves from opponent.

    • Prevent opponent player from moves.

Finding small good no-goods

  • Player $\forall$ has lost at round $i+2$

    • Player $\exists$ found a model $M$ at round $i+1$, $M \models F$.

    • $M$ induces an evaluation on a subset of literals $\mathcal{L}$ in $F$, such that $\mathcal{L} \models F$.

    • $\mathcal{L}$ is an unsatisfiable core for $\neg F$.

  • Model Based Projection

    • Find a $\varphi$, such that $\varphi \rightarrow \exists x_{i+1}, x_{i+2}, \ldots \mathcal{L}$.

      • $\varphi$ should be weak, so $\neg\varphi$ is a strong blocker.
      • $\varphi$ should be cheap to find and avoid space overhead.

    • Then $\neg \varphi$ can block $\mathcal{L}$.

    • Idea: Use $M$ to find a sufficient $\varphi$.

Initialization

\[\begin{mdmathpre}%mdk \mdmathindent{4}\exists \mathid{x}_{1},~\forall \mathid{x}_{2},~\exists \mathid{x}_{3},~\forall \mathid{x}_{4},~..,~\mathid{Q}~\mathid{x}_{\mathid{n}}~\mathid{F}[\mathid{x}_{1},~\mathid{x}_{2},~\ldots]\\ \mathid{Initialize}:\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \mathid{F}~~~~~~~~~~~\mbox{if $j$ is odd}\\ \mdmathindent{4}\mathid{F}_\mathid{j}~~~~~~~~~~~~~\leftarrow \neg \mathid{F}~~~~~~~~\mbox{if $j$ is even} \end{mdmathpre}%mdk \]
   def level(j,a): return max level of bound variable in atom a of parity j
\[\begin{mdmathpre}%mdk \mdmathindent{3}\mathid{level}(1,~\mathid{z}~\geq 0)~=~\mathid{level}(3,~\mathid{z}~\geq 0)~=~3\\ \mdmathindent{3}\mathid{level}(2,~\mathid{z}~\geq 0)~=~0\\ \mdmathindent{3}\mbox{for }~\exists \mathid{x}~\forall \mathid{y}~\exists \mathid{z}~\mathid{z}~\geq 0~\land ((\mathid{x}~\geq 0~\land \mathid{y}~\geq 0)~\vee \mathid{y}~+~\mathid{z}~\leq 1) \end{mdmathpre}%mdk \]

QSAT Algorithm

  def strategy(M,j): return $\bigwedge_{M \neq null, a \in Atoms, level(j, a) < j} sign(M,a) $
  def tailv(j): return $x_{j-1},x_j,x_{j+1},\ldots$
    
  j = 1
  M = null
  while True:
    if $F_{j}\ \ \wedge$ strategy(M, j) is unsat:
      if j == 1: 
        return F is unsat
      if j == 2:
        return F is sat
      C = Core($F_j$, strategy(M, j))
      J = Mbp(tailv(j), C)
      j = index of max variable in J $\cup\ \{ 1, 2 \}$ of same parity as j      
      $F_j$ = $F_j \wedge \neg $J
      M = null
    else:
      M = current model
      j = j + 1

Projection and Strategies



  • Projections learn from mistakes, avoids similar mistakes in future rounds.

  • Strategies prune moves from opponent.

Model-based projection - Example

  • Want to compute small $\exists x \ . \ (2y \leq x \wedge y - z \leq x \wedge x \leq z)$.

  • Note

    \[\begin{mdmathpre}%mdk \mdmathindent{3}\exists \mathid{x}~\ .~\ (2\mathid{y}~\leq \mathid{x}~\wedge \mathid{y}~-~\mathid{z}~\leq \mathid{x}~\wedge \mathid{x}~\leq \mathid{z})~\equiv \\ \mdmathindent{19}(\mathid{y}~-~\mathid{z}~\leq 2\mathid{y}~\leq \mathid{z})~\vee (2\mathid{y}~\leq \mathid{y}~-~\mathid{z}~\leq \mathid{z}) \end{mdmathpre}%mdk \]

  • Say $M = [x \mapsto 3, y \mapsto 1, z \mapsto 6]$

  • $\Mbp(M, x, 2y \leq x \wedge y - z \leq x \wedge x \leq z)$

  • $2y^M = 2$

  • $(y-z)^M = -5$

  • So $2y > y - z$

  • $\Mbp(M, x, 2y \leq x \wedge y - z \leq x \wedge x \leq z) = y - z \leq 2y \leq z$

  • $y - z \leq 2y \leq z \ \Rightarrow \ \exists x \ . \ (2y \leq x \wedge y - z \leq x \wedge x \leq z)$

Model-based Projection for LRA

Eliminate $\simeq, \not\simeq$ from conjunction of literals $L$:

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\simeq \mathid{t}~\land \mathid{L})~=~~\mathid{L}[\mathid{t}/\mathid{x}]~\quad\quad \mathid{if}~\mathid{x}~\not\in \mathid{FV}(\mathid{t})~\\ \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~\not\simeq \mathid{t}~\land \mathid{L})~~=~~\Mbp(\mathid{M},~\mathid{x},~\mathid{x}~>~\mathid{t}~\land \mathid{L})~~~\\ \mdmathindent{41}\mbox{where}\quad \mathid{M}(\mathid{x})~>~\mathid{M}(\mathid{t})~ \end{mdmathpre}%mdk \]



Trick: Use $\epsilon$ to turn $>$ into $\geq$.

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathid{x}~>~\mathid{t}~\land \mathid{L})~~=~~\Mbp(\mathid{M},~\mathid{x},~(\mathid{x}~\geq \mathid{t}~+~\epsilon)~\land \mathid{L}) \end{mdmathpre}%mdk \]


Model-based Projection for LRA - resolution

Can now assume $x$ occurs only as upper or lower bounds:

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{x}~\land \bigwedge_\mathid{j}~\mathid{x}~\leq \mathid{s}_\mathid{j})~~=~~\bigwedge_\mathid{i}~\mathid{t}_\mathid{i}~\leq \mathid{t}_0~\land \bigwedge_\mathid{j}~\mathid{t}_0~\leq \mathid{s}_\mathid{j}\\ \mdmathindent{17}\mbox{where}~\mathid{M}(\mathid{t}_0)~\geq \mathid{M}(\mathid{t}_\mathid{i})~\forall \mathid{i} \end{mdmathpre}%mdk \]

Model-based Projection on formulas

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\emptyset,~\varphi)~~~~~~~~=~~\varphi \\ \Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi)~~~~~~~~~=~~\Mbp\left(\mathid{M},~\vec{\mathid{x}},~\bigwedge \{~\mathid{sign}(\mathid{M},~\mathid{a})~\;\mid\;~\mathid{a}~\in \mbox{Atoms}(\varphi)~\}\right)~\\ \Mbp(\mathid{M},~\mathid{x}\vec{\mathid{x}},~\varphi)~~~~~~~=~~\Mbp(\mathid{M},~\mathid{x},~\Mbp(\mathid{M},~\vec{\mathid{x}},~\varphi))~\\ \Mbp(\mathid{M},~\mathid{x},~\varphi \land \psi)~~=~~\Mbp(\mathid{M},~\mathid{x},~\varphi)~\land \psi \quad\quad \mathid{if}~\mathid{x}~\not\in \mathid{FV}(\psi)~ \end{mdmathpre}%mdk \]
   def sign(M,a): if M(a) return a else return $\neg$a

Model-based Projection for LIA

For LIA, cannot just assume equalities are of the form $t \leq x$ or $x \leq s$. Generally, $x$ has a coefficient, that we cannot remove.

Example: $3y + z \leq 2x, 3x \leq 7u + v$.

  • What could go wrong if we just reduce to $3\cdot(3y + z) \leq 2 \cdot(7u + v)$?

  • Suppose $3y + z = 3$, $7u + v = 5$. So $3 \leq 2x, 3x \leq 5$.

  • Cross-multiplying gives $3\cdot 3 \leq 5 \cdot 2$, which is feasible, but $3 \leq 2x, 3x\leq 5$ is infeasible.

Model-based Projection for LIA - integer resolution

Solution: Combine inequalities using resolution

\[\begin{array}{l} \Mbp(M, x, \bigwedge_i t_i \leq a_ix \land \bigwedge_j b_jx \leq s_j) = \\ \quad\quad\quad \bigwedge_i t_i a_0 \leq t_0 a_i \land \bigwedge_{j} resolve(M, t_0 \leq a_0x, b_j x \leq s_j) \\ \quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad \mathrm{if} M(t_0/a_0) \geq M(t_i/a_i), \forall i. \end{array} \]

Model-based Projection for LIA - resolution (Pugh1991)

$resolve(M, t \leq ax , bx \leq s) = $

  • $ bt + (a-1)(b-1) \leq as$  if $(a-1)(b-1) \leq M(bt-as)$

  • $ bt \leq as \land a | (t + d) \land b(t+d) \leq as)$
    else if $b \geq a, d := M(-t) \mod a$

  • $bt \leq as \land b | (s - d) \land bt \leq a(s-d)$
    otherwise, $a > b, d := M(s) \mod b$

  • satisfies $resolve(M, t \leq ax, bx \leq s) \Rightarrow \exists x \ . \ t \leq ax \land bx \leq t$, and

Model-based Projection for LIA - divisiblity

Resolution introduced divisibility constraints.

So now we also have to eliminate $x$ under divisions.

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\bigwedge_{\mathid{i}=1}^\mathid{n}~\mathid{d}_\mathid{i}~\mid (\mathid{a}_\mathid{i}~\mathid{x}~+~\mathid{t}_\mathid{i})~\land \mathid{L})~~=~\\~~\\ \quad\quad\quad \Mbp\left(\mathid{M},~\mathid{x}',~\mathid{L}[\mathid{u}~+~\mathid{d}\cdot \mathid{x}'/\mathid{x}]\right)~\land \bigwedge_{\mathid{i}=1}^\mathid{n}~\mathid{d}_\mathid{i}~\mid (\mathid{a}_\mathid{i}~\mathid{u}~+~\mathid{t}_\mathid{i})~\\ \end{mdmathpre}%mdk \]

where

  • $d = \mathrm{lcm}(d_1, \ldots, d_n)$,
  • $u = M(x) \mod d$

Model-based Projection for Term Algebras

S-expressions: A generic term algebra

\[\begin{mdmathpre}%mdk \mdmathindent{2}\mathid{SExpr}~::=~\mathid{nil}~|~\mathid{cons}(\mathid{car}~:~\mathid{SExpr},~\mathid{cdr}~:~\mathid{SExpr}) \end{mdmathpre}%mdk \]

  • An s-expression is either a nil or a cons.

  • Access arguments of cons using car and cdr.

  • Test terms using cons?($t$), or nil?($t$)

Model-based Projection for Term Algebras - $\simeq$

\[\begin{mdmathpre}%mdk \mathid{x}~\simeq \mathid{x}~\land \mathid{L}~~\leadsto \mathid{L}~\\ \ \\ \mathid{u}~\simeq \mathid{x}~\land \mathid{L}~~\leadsto \mathid{L}[\mathid{u}/\mathid{x}]~~~~\mathsf{if}~\mathid{x}~\not\in \mathid{u}\\ \ \\ \mathid{u}~\simeq \mathid{x}~\land \mathid{L}~~\leadsto \false\ ~~~\mathsf{if}~\mathid{x}~\in \mathid{u}\\ \ \\ \mathit{cons}(\mathid{t},\mathid{s})~\simeq \mathit{cons}(\mathid{u},\mathid{v})~\land \mathid{L}~~\leadsto \mathid{t}~\simeq \mathid{u}~\land \mathid{s}~\simeq \mathid{v}~\land \mathid{L}\\ \ \mdmathindent{5}\\ \mathit{cons}(\mathid{t},\mathid{s})~\simeq \mathid{u}~\land \mathid{L}~~\leadsto \ \mathit{cons?}(\mathid{u})~\land \mathid{t}~\simeq \mathit{car}(\mathid{u})~\land \mathid{s}~\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L}~ \end{mdmathpre}%mdk \]

amounts to unification

Model-based Projection for Term Algebras - $\not\simeq$

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\\ \mdmathindent{5}\quad \quad \quad \quad \quad \mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{s}~\not\simeq \mathit{cdr}(\mathid{u})~\land \mathid{L})~\\ \mdmathindent{5}\quad \mbox{if}\quad \mathid{x}~\in \mathid{s},~\quad \mathid{M}(\mathit{cons?}(\mathid{u})),~\quad \mathid{M}(\mathid{s})~\neq \mathid{M}(\mathit{cdr}(\mathid{u}))~ \end{mdmathpre}%mdk \]

Case for $M(t) \neq M(\mathit{car}(u))$ is symmetric.

\[\begin{mdmathpre}%mdk \Mbp(\mathid{M},~\mathid{x},~\mathit{cons}(\mathid{t},~\mathid{s})~\not\simeq \mathid{u}~\land \mathid{L})~~=~~\neg \mathit{cons?}(\mathid{u})~\land \Mbp(\mathid{M},~\mathid{x},~\mathid{L})\\ \mdmathindent{5}\quad\mbox{if}\quad \mathid{x}~\in \mathid{s}~\mbox{ or }~\mathid{x}~\in \mathid{t},~\quad \mathid{M}(\neg\mathit{cons?}(\mathid{u}))\\ \end{mdmathpre}%mdk \]
\[\begin{mdmathpre}%mdk \mdmathindent{1}\Mbp(\mathid{M},~\mathid{x},~\mathid{t}_1~\not\simeq \mathid{x}~\land \ldots \land \mathid{t}_\mathid{n}~\not\simeq \mathid{x})~~=~~\top \end{mdmathpre}%mdk \]

Since there is an infinite number of cons-terms.

Model-based projection Term Algebras - adequacy

  • New terms are created during $\Mbp$

  • but they are of the form $\mathit{car}, \mathit{cdr}$ following shape of original constructor terms.

  • and they occur in conjunctions with $\mathit{cons}?(..)$.

  • so $\Mbp$ produces finite set of projections.

Model-based projection for NRA

  • Theory: Non-linear polynomial arithmetic

  • Partial CAD - model-based projection (Jovanovic and Moura2012)

    • Given model $M$, such that $M \models \forall x \ . \ p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$
    • Find $q_1, \ldots, q_k$, such that
      • $q_1(y) < 0 \vee \ldots \vee q_k(y) > 0 \vee p_1(x,y) \geq 0 \vee \ldots \vee p_n(x,y) > 0$ is valid
      • $M \models q_1(y) \geq 0 \wedge \ldots \wedge q_k(y) \leq 0$

  • CAD decomposes $R^n$ into sign-invariant cylinders.

  • Choose the cylinder where $M$ is a member.

Model-based projections, two lenses

Sat based MBP (Komuravelli et al.2014):

  • Given: $M \models \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $ \models (s_1 \wedge\ldots \wedge s_m) \rightarrow \exists x \ . \ \ell_1[x] \wedge \ldots \wedge \ell_n[x]$

Contrast this with Core-based MBP (Moura and Jovanovic2013):

  • Given: $M \models \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$.

  • Find: $M \models s_1 \wedge \ldots \wedge s_m$, free for $x$

  • Such that: $\models (s_1 \wedge \ldots \wedge s_m) \rightarrow \forall x \ . \ \ell_1[x] \vee \ldots \vee \ell_n[x]$

Claim: (Roughly) The same projection operator can be used in both cases if $x$ occurs in all literals and the operator is stable under changes to the value of $x$.

Finding strategies

  • Other main ingredient of QSAT is option for players to narrow options of opponents by revealing a strategy

    • $\exists x_1 \forall x_2 \exists x_3 \forall x_4 \ldots F$ at round $2$:
      • value of $x_1$ is already fixed,
      • $\forall$ fixes value of $x_2$,
      • $\forall$ can make $x_4$ a function of $x_3$.

  • Developing practical strategies is work in progress

    • For QBF can use Q-resolution proofs as guide (Bjørner et al.2015)

    • Method by Markus Rabe can be seen as a strategy.

Horn Clauses (Hoder et al.2011; Grebenshchikov et al.2012; Hoder and Bjørner2012; McMillan2014)

def mc(x):
    if x > 100:
       return x - 10
    else:
       return mc(mc(x + 11))

def contract(x):
    assert(x > 101 or mc(x) == 91)

   (set-logic HORN)
   (declare-fun mc (Int Int) Bool)
   (assert 
     (forall ((x Int)) 
          (=> (> x 100) 
              (mc x (- x 10)))))
   (assert 
     (forall ((x Int) (y Int) (z Int)) 
          (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) 
              (mc x z))))
   (assert 
     (forall ((x Int) (y Int)) 
          (=> (and (<= x 101) (mc x y)) 
              (= y 91))))
   (check-sat)
   (get-model)

Horn Clause Engines

  • PDR, SPACER - IC3 inspired engine (Hoder and Bjørner2012; Komuravelli et al.2013).
  • Duality - Interpolation based (McMillan2014).
    • Use Duality, PDR, or SPACER if your Horn clauses use arithmetic variables.
  • Datalog - Bottom-up stratified Datalog engine for finite domains (Hoder et al.2011).
    • Use Datalog backened for Horn clauses over finite domains: bit-vectors and Booleans.
  • BMC - Bounded model checking, Tabulation, Symbolic Execution
    • Use BMC to unfold Horn clauses a la bounded model checking.

IC3

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[ R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}] \]

IC3 recap (2)

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until

  • Induction For $0 \leq i < N$, a clause $(\varphi \lor\psi)\ \in R_i$, $\varphi\not\in R_{i+1}$, if $\cF(R_i \wedge \varphi)\rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for each $j \leq i + 1$.

IC3 beyond SAT

Decide - Generalized form

Decide Add $\langle m_0[\vec{x}], i\rangle$ to $\Queue$ if $\langle m[\vec{x}], i+1\rangle \in \Queue$, $m' \land m_0[\vec{x}_0] \ \rightarrow \ \cF(R_{i})[\vec{x}_0,\vec{x}] \land m$.

  • (Bradley2011; Eén et al.2011) Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ gives (near prime implicant) $m_0$.
  • (Hoder and Bjørner2012) Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignment $m_0$.
  • (Kindermann et al.2012; Cimatti and Griggio2012) Partial quantifier elimination.
  • (Komuravelli et al.2014) $(\exists\vec{x} \ . \ m \land \cF(R_{i})[\vec{x}_0,\vec{x}]) \ \equiv\ \bigvee_i \psi_i[\vec{x}_0]$ where $\psi_i$ are quantifier-free. Use model for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ to compute $\psi_i$ without expanding full disjunction.
  • (Cimatti et al.2014; Itzhaky et al.2014) Keep vocabulary of literals fixed (= predicate abstraction).

References

Nikolaj Bjørner. “Linear Quantifier-Elimination as an Abstract Decision Procedure.” In IJCAR. 2010. 🔎
Nikolaj Bjørner, and Mikolás Janota. “Playing with Alternating Quantifier Satisfaction.” In LPAR Short Presentation Papers. 2015. 🔎
Nikolaj Bjørner, Mikolás Janota, and William Klieber. “On Conflicts and Strategies in QBF.” In 20th International Conferences on Logic for Programming, Artificial   Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, Fiji, November 24-28, 2015., 28–41. 2015. http://​www.​easychair.​org/​publications/​paper/​On_​Conflicts_​and_​Strategies_​in_​QBF🔎
Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. “On Solving Universally Quantified Horn Clauses.” In SAS, 105–125. 2013. 🔎
Maria Paola Bonacina, Christopher Lynch, and Leonardo Mendonça de Moura. “On Deciding Satisfiability by Theorem Proving with Speculative   Inferences.” J. Autom. Reasoning 47 (2): 161–189. 2011. 🔎
Aaron R. Bradley. “SAT-Based Model Checking without Unrolling.” In VMCAI, 70–87. 2011. 🔎
Aaron R. Bradley, Zohar Manna, and Henny B. Sipma. “What’s Decidable About Arrays?” In Verification, Model Checking, and Abstract Interpretation, 7th International   Conference, VMCAI 2006, Charleston, SC, USA, January 8-10, 2006, Proceedings, 427–442. 2006. doi:10.1007/11609773_28🔎
Alessandro Cimatti, and Alberto Griggio. “Software Model Checking via IC3.” In CAV, 277–293. 2012. 🔎
Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. “IC3 Modulo Theories via Implicit Predicate Abstraction.” In TACAS, 46–61. 2014. 🔎
Niklas Eén, Alan Mishchenko, and Robert K. Brayton. “Efficient Implementation of Property Directed Reachability.” In FMCAD, 125–134. 2011. 🔎
Yeting Ge, and Leonardo Mendonça de Moura. “Complete Instantiation for Quantified Formulas in Satisfiabiliby   Modulo Theories.” In CAV, 306–320. 2009. 🔎
Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. “Synthesizing Software Verifiers from Proof Rules.” In ACM SIGPLAN Conference on Programming Language Design and Implementation,   PLDI ’12, Beijing, China - June 11 - 16, 2012, 405–416. 2012. doi:10.1145/2254064.2254112🔎
Krystof Hoder, and Nikolaj Bjørner. “Generalized Property Directed Reachability.” In Theory and Applications of Satisfiability Testing - SAT 2012 - 15th   International Conference, Trento, Italy, June 17-20, 2012. Proceedings, 157–171. 2012. doi:10.1007/978-3-642-31612-8_13🔎
Krystof Hoder, Nikolaj Bjørner, and Leonardo Mendonça de Moura. “μZ- An Efficient Engine for Fixed Points with Constraints.” In Computer Aided Verification - 23rd International Conference, CAV   2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 457–462. 2011. doi:10.1007/978-3-642-22110-1_36🔎
Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, and Aditya V. Thakur. “Property-Directed Shape Analysis.” In CAV, 35–51. 2014. 🔎
Mikolás Janota, and Joao Marques-Silva. “Solving QBF by Clause Selection.” In Proceedings of the Twenty-Fourth International Joint Conference on   Artificial Intelligence, IJCAI 2015, Buenos Aires, Argentina, July 25-31, 2015, 325–331. 2015. http://​ijcai.​org/​Abstract/​15/​052🔎
Ajith K. John, and Supratik Chakraborty. “A Quantifier Elimination Algorithm for Linear Modular Equations and   Disequations.” In Computer Aided Verification - 23rd International Conference, CAV   2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 486–503. 2011. doi:10.1007/978-3-642-22110-1_39🔎
Ajith K. John, and Supratik Chakraborty. “Extending Quantifier Elimination to Linear Inequalities on Bit-Vectors.” In Tools and Algorithms for the Construction and Analysis of Systems   - 19th International Conference, TACAS 2013, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2013, Rome, Italy, March 16-24, 2013. Proceedings, 78–92. 2013. doi:10.1007/978-3-642-36742-7_6🔎
Ajith K. John, and Supratik Chakraborty. “A Layered Algorithm for Quantifier Elimination from Linear Modular   Constraints.” Formal Methods in System Design 49 (3): 272–323. 2016. doi:10.1007/s10703-016-0260-9🔎
Dejan Jovanovic, and Leonardo Mendonça de Moura. “Solving Non-Linear Arithmetic.” In Automated Reasoning - 6th International Joint Conference, IJCAR   2012, Manchester, UK, June 26-29, 2012. Proceedings, 339–354. 2012. doi:10.1007/978-3-642-31365-3_27🔎
Roland Kindermann, Tommi A. Junttila, and Ilkka Niemelä “SMT-Based Induction Methods for Timed Systems.” In FORMATS, 171–187. 2012. 🔎
Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. “SMT-Based Model Checking for Recursive Programs.” In CAV, 17–34. 2014. 🔎
Anvesh Komuravelli, Arie Gurfinkel, Sagar Chaki, and Edmund M. Clarke. “Automatic Abstraction in SMT-Based Unbounded Software Model   Checking.” In CAV, 846–862. 2013. 🔎
Kenneth L. McMillan. “Lazy Annotation Revisited.” In Computer Aided Verification - 26th International Conference, CAV   2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings, 243–259. 2014. doi:10.1007/978-3-319-08867-9_16🔎
David Monniaux. “A Quantifier Elimination Algorithm for Linear Real Arithmetic.” In LPAR (Logic for Programming Artificial Intelligence and Reasoning), 243–257. Lecture Notes in Computer Science 5330. Springer Verlag. 2008. doi:10.1007/978-3-540-89439-1_18🔎
David Monniaux. “Quantifier Elimination by Lazy Model Enumeration.” In Computer-Aided Verification (CAV), 585–599. Lecture Notes in Computer Science 6174. Springer Verlag. 2010. doi:10.1007/978-3-642-14295-6_51🔎
Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Efficient E-Matching for SMT Solvers.” In CADE, 183–198. 2007. 🔎
Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Engineering DPLL(T) + Saturation.” In IJCAR, 475–490. 2008. 🔎
Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Bugs, Moles and Skeletons: Symbolic Reasoning for Software   Development.” In IJCAR, 400–411. 2010. 🔎
Leonardo Mendonça de Moura, and Dejan Jovanovic. “A Model-Constructing Satisfiability Calculus.” In Verification, Model Checking, and Abstract Interpretation, 14th International   Conference, VMCAI 2013, Rome, Italy, January 20-22, 2013. Proceedings, 1–12. 2013. doi:10.1007/978-3-642-35873-9_1🔎
Anh-Dung Phan, Nikolaj Bjørner, and David Monniaux. “Anatomy of Alternating Quantifier Satisfiability (Work in   Progress).” In SMT-IJCAR, 120–130. 2012. 🔎
Ruzica Piskac, Leonardo Mendonça de Moura, and Nikolaj Bjørner. “Deciding Effectively Propositional Logic Using DPLL and   Substitution Sets.” J. Autom. Reasoning 44 (4): 401–424. 2010. 🔎
William Pugh. “The Omega Test: A Fast and Practical Integer Programming Algorithm   for Dependence Analysis.” In Proceedings Supercomputing ’91, Albuquerque, NM, USA, November 18-22,   1991, 4–13. 1991. doi:10.1145/125826.125848🔎
Andrew Reynolds, Tim King, and Viktor Kuncak. “Solving Quantified Linear Arithmetic by Counterexample-Guided Instantiation.” Formal Methods in System Design 51 (3): 500–532. 2017. doi:10.1007/s10703-017-0290-y🔎
Martina Seidl, Florian Lonsing, and Armin Biere. “qbf2epr: A Tool for Generating EPR Formulas from QBF.” In Third Workshop on Practical Aspects of Automated Reasoning, PAAR-2012,   Manchester, UK, June 30 - July 1, 2012, 139–148. 2012. http://​www.​easychair.​org/​publications/​paper/​145184🔎
Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonça de Moura. “Efficiently Solving Quantified Bit-Vector Formulas.” Formal Methods in System Design 42 (1): 3–23. 2013. 🔎