Quantifiers in Satisfiability Modulo Theoriesregerg/ssa/SMT-Quantifiers.pdf · 1/53 Quanti ers in...

transcript

Quantifiers in Satisfiability Modulo Theories

Pascal Fontaine

Univ. of Lorraine, CNRS, Inria, LORIA

SAT/SMT/AR Summer School

Manchester, 4 July 2018

Thanks!Slides are based on the work and material of many. Among others:

I Andrew J. Reynolds

I Haniel Barbosa

I Leonardo de Moura

I Bruno Dutertre

I . . .

SMT = SAT + expressiveness

I SAT solvers

(p⇒ q)⇒[

(¬p⇒ q)⇒ q]]

I Congruence closure (uninterpreted symbols + equality)

a = b ∧[f(a) 6= f(b) ∨ (q(a) ∧ ¬q(b))

]I adding arithmetic

a ≤ b∧ b ≤ a+x∧x = 0∧[f(a) 6= f(b)∨ (q(a)∧¬q(b+x))

]I . . .

I What about quantifiers?

Quantifiers in SMT

I SMT theories are often not sufficientWhat if you need your own ones?

I Verification: e.g. reasoning about all processes (∀p)

I Expressivity

This talk could include (but does not):

I quantifier elimination, e.g. for Presburger or real closed fieldsSee Matthew England’s talk on Friday

I SMT finite model finding [Reynolds13]

I superpositionFull day tomorrow

I extensions of SAT/ground SMT towards full FOL and a longlist of works in between FOL ATP and SMT, e.g.Avatar [Voronkov14], Inst-Gen [Korovin13], SGGS [Bonacina17],Model-Evolution [Baumgartner14], SUP(LA) [Althaus09],. . .

I . . .

Quantifiers in SMT

/ Full first-order logic is undecidablethere is no decision procedure that always terminates, andalways provide a SAT or UNSAT answer

, First-order logic is semi-decidablerefutationally complete procedures terminate on UNSAT

, if finite model property, then decidable

/ Presburger with even one unary predicate is not evensemi-decidable [Halper91]

, Pragmatic approaches are quite successful

Why does the pragmatic SMT approach work?

I Verification problems are big and shallow

I FOL provers more suitable to find intricate proofs

I SMT solvers good to deal with long, mostly ground, reasoning

Working hypothesis

Quantifier handling for pure FOL will work well enough for SMT

Outline

Introduction

Theoretical foundations and basicsTheoretical foundationsSAT, SMT and quantifiers

Instantiation techniquesE-matching/trigger-based instantiation (e)Conflict-based instantiation (c)Model-based instantiation (m)Enumerative instantiation (u)Experimental evaluation

Conclusion

References

Outline

Introduction

Conclusion

References

Outline

Introduction

Conclusion

References

Getting rid of (some) quantifiers: prenex and Skolem form

In satisfiability (vs. validity) checking context:I Rewrite ∃xP (x) to P (a) with a new

That is, name the x for which P (x) exists

I Rewrite ∀y∃xP (x) to ∀y P (f(y)) with f new

In general: Skolem form transformationI Prenex form move quantifiers to front

e.g. A ∨ ∀xB −→ ∀x .A ∨B (x not in A)

I Eliminate existential quantifiers by “naming theirvariable”

1887-1963

Skolem formI A Skolem formula is a prenex formula with no existential

quantifier

I For each (set of) formula(s) there is a easily computableequisatisfiable (set of) Skolem formula(s)

See Handbook of Automated Reasoning [Baaz01, Nonnengart01]

Herbrand

1908-1931

Herbrand instance of a Skolem formula ∀xϕ(x): anyground formula ϕ(t), where t are terms in the lan-guage

Theorem (Herbrand)

A finite set of Skolem formulas is unsatisfiable ifand only if there exists a finite unsatisfiable set ofHerbrand instances

Caveats

I there should be at least one constant available for every sort

I holds for pure FOL, might not in presence of theories

Example

Is this syllogism correct?

All humans are mortalAll Greeks are humansThen all Greeks are mortal

Translate to FOL∀x.H(x)⇒M(x)∀x.G(x)⇒ H(x)∀x.G(x)⇒M(x)

Artistotle384–322 BC

I Checking the validity of this formula((∀x.H(x)⇒M(x)

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

I Checking the unsatisfiability of∀x.H(x)⇒M(x),∀x.G(x)⇒ H(x),¬∀x.G(x)⇒M(x)

I Skolemize∀x.H(x)⇒M(x),∀x.G(x)⇒ H(x),¬(G(s)⇒M(s))

I Instantiate: add the two formulas (Herbrand instances)H(s)⇒M(s), G(s)⇒ H(s)

I A ground (SAT/SMT) solver will deduce unsatisfiability.

Example

Translate to FOL

∀x.H(x)⇒M(x)∀x.G(x)⇒ H(x)∀x.G(x)⇒M(x)

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Example

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Example

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Example

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Example

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Example

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Example

)∧(∀x.G(x)⇒ H(x)

))⇒ ∀x.G(x)⇒M(x)

Outline

Introduction

Conclusion

References

From SAT to SMT,. . . and then to quantified SMT

SMT formula

SMT solver

Input: a ≤ b ∧ b ≤ a+ x ∧ x = 0 ∧[f(a) 6= f(b) ∨ (q(a) ∧ ¬q(b+ x))

To SAT solver: pa≤b ∧ pb≤a+x ∧ px=0 ∧[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

]Boolean model: pa≤b, pb≤a+x, px=0,¬pf(a)=f(b)

Theory reasoner: a ≤ b, b ≤ a+ x, x = 0, f(a) 6= f(b) unsatisfiable

New clause: ¬pa≤b ∨ ¬pb≤a+x ∨ ¬px=0 ∨ pf(a)=f(b)

Conflict clauses are negation of unsatisfiable conjunctive sets of literals

SMT formula

SMT solver

SAT solver

]To SAT solver: pa≤b ∧ pb≤a+x ∧ px=0 ∧

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

Boolean model: pa≤b, pb≤a+x, px=0,¬pf(a)=f(b)

SMT formula

SMT solver

SAT solver

Boolean Model

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

SAT solver

Boolean Model

Theoryreasoner

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

SAT solver

Boolean Model

Theoryreasoner

Conflict clause

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

SAT solver

Boolean Model

Theoryreasoner

Conflict clause

Ground SMT solver

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

SAT solver

Boolean Model

Theoryreasoner

Conflict clause

Ground SMT solver

Assignment

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

SAT solver

Boolean Model

Theoryreasoner

Conflict clause

Ground SMT solver

Assignment

Instantiationmodule

Instance

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

SAT solver

Boolean Model

Theoryreasoner

Conflict clause

Ground SMT solver

Assignment

Instantiationmodule

Instance

Model UNSAT (proof/core)

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solverGround SMT solver

Assignment

Instantiationmodule

Instance

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formula

SMT solver

Assignment

Instantiationmodule

Instance

GroundSMT solver

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

SMT formulaModel

SMT solverInstantiation

module

InstanceAssignment

GroundSMT solver

[¬pf(a)=f(b) ∨ (pq(a) ∧ ¬pq(b+x))

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

Input: a = b ∧ S(b) ∧ ¬Q(a) ∧ ¬R(a) ∧[∀xQ(x) ∨ ∀x . S(x) ≡ R(x)

]To SAT solver: pa=b ∧ pS(b) ∧ ¬pQ(a) ∧ ¬pR(a) ∧

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

]Boolean model: pa=b, pS(b),¬pQ(a),¬pR(a), p ∀x . S(x)≡R(x)

Theory reasoner: fine! . . . but does not understand ∀x . S(x) ≡ R(x)

Instantiation module: there is something to do with ∀x . S(x) ≡ R(x)

New clause:¬pa=b,¬pS(b) ∨ pR(a) ∨ ¬p ∀x . S(x)≡R(x)

. . . too complicated to find/generate

What is the right formula to generate?

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

To SAT solver: pa=b ∧ pS(b) ∧ ¬pQ(a) ∧ ¬pR(a) ∧[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Boolean model: pa=b, pS(b),¬pQ(a),¬pR(a), p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

S(a) ≡ R(a) is not right

We want S(a) ≡ R(a) whenever p ∀x . S(x)≡R(x) is in the Boolean model

(∀x . S(x) ≡ R(x))⇒ (S(a) ≡ R(a)) would do

¬p∀x . S(x)≡R(x) ∨(pS(a) ≡ pR(a)

)at the propositional level

Together with ∀xQ(x)⇒ Q(a), this grounds the problem

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

¬p∀x . S(x)≡R(x) ∨(pS(a) ≡ pR(a)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

¬p∀x . S(x)≡R(x) ∨(pS(a) ≡ pR(a)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

¬p∀x . S(x)≡R(x) ∨(pS(a) ≡ pR(a)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

¬p∀x . S(x)≡R(x) ∨(pS(a) ≡ pR(a)

Instance?

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

[p ∀xQ(x) ∨ p ∀x . S(x)≡R(x)

¬p∀x . S(x)≡R(x) ∨(pS(a) ≡ pR(a)

Instance in an SMT context

∀x ϕ(x)⇒ ϕσ

where σ is a ground substitution for variables xE.g. ∀x ϕ(x) is ∀x . S(x) ≡ R(x), σ is x 7→ a, ϕσ is S(a) ≡ R(a)

RemarksI Above formula is a FOL tautology. E.g. (∀x . S(x) ≡ R(x))⇒ (S(a) ≡ R(a))

I ∀x ϕ(x) gets abstracted as a propositional variable in the SAT solver,that has a meaning only for the instantiation module

I ϕσ gets abstracted as a Boolean combination of propositional variables. . .

I . . . that have meaning at the level of the ground theory reasoner

I ϕσ gets “activated”/relevant only in the models where p∀x ϕ(x) is true.

We might refer to ϕσ as the instance, but remember: all is fine atthe level of the SAT solver/ground SMT solver

Outline

Introduction

Conclusion

References

Outline

Introduction

Conclusion

References

Instantiation techniquesThe framework

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

Ground SMT solver enumerates assignments E ∪QE set of ground literals

Q set of quantified clauses

Instantiation module generates instances of Q that will further feed E

classic Herbrand Theorem: instantiate with all possible terms in language

Outline

Introduction

Conclusion

References

E-matching/Trigger-based instantiation (e) [Detlefs05]

Search for relevant instances according to a set of triggers andE-matching

I E = {¬P (a),¬P (b), P (c),¬R(b)} andQ = {∀x. P (x) ∨R(x)}

I Assume trigger P (x)

I Find substitution σ for x such P (x) is a know term (in E)

I Suitable substitutions are x 7→ a, x 7→ b, or x 7→ cE.g. E |= P (x)[x/a] = P (a) and P (a) ∈ E

I Formally

e(E, ∀x. ϕ) 1. Select a set of triggers {t1, . . . tn} for ∀x. ϕ2. For each i = 1, . . . , n, select a set of substitutions Si s.t

for each σ ∈ Si, E |= tiσ = gi for some tuple gi ∈ TE .

3. Return⋃n

i=1 Si

E-matching/Trigger-based instantiation (e) [Detlefs05]

Search for relevant instances according to a set of triggers andE-matching

I Assume trigger P (x)

I Find substitution σ for x such P (x) is a know term (in E)

I Suitable substitutions are x 7→ a, x 7→ b, or x 7→ cE.g. E |= P (x)[x/a] = P (a) and P (a) ∈ E

I Formally

e(E, ∀x. ϕ) 1. Select a set of triggers {t1, . . . tn} for ∀x. ϕ2. For each i = 1, . . . , n, select a set of substitutions Si s.t

for each σ ∈ Si, E |= tiσ = gi for some tuple gi ∈ TE .

3. Return⋃n

i=1 Si

E-matching/Trigger-based instantiation

Ideal for expanding definitions/rewriting rules

I Example

∀x∀y . sister(x, y) ≡(female(x) ∧mother(x) = mother(y) ∧ father(x) = father(y))

sister(Eliane,Eloıse)

sister(Eloıse,Elisabeth)

¬sister(Eliane,Elisabeth)

I Adding trigger sister(x, y) to quantified formula suffices forSMT solver to prove unsatisfiability

Remarks

I Decision procedure for, e.g., expressive arrays, lists [Dross16]

I Mostly efficient (see later evaluation)

I But can easily blow or avoid the right instances

I Requires triggers (human or auto-generated)

Outline

Introduction

Conclusion

References

Conflict-based instantiation (c) [Reynolds14]

Search for one instance of one quantified formula in Q that makesE unsatisfiable

I Since E, P (b) ∨R(b) |= ⊥, this strategy returns x 7→ b

I Formally

c(E, ∀x. ϕ) Either return σ where E |= ¬ϕσ, or return ∅

Conflict-based instantiation (c) [Reynolds14]

Search for one instance of one quantified formula in Q that makesE unsatisfiable

I Since E, P (b) ∨R(b) |= ⊥, this strategy returns x 7→ b

I Formally

c(E, ∀x. ϕ) Either return σ where E |= ¬ϕσ, or return ∅

c: solving the problem

E |= ¬ψσ, for some ∀x ψ ∈ Q

f(a) = f(b) ∧ g(b) 6= h(c) |= (f(x) = f(z) ∧ h(y) 6= g(z))σ

I Each literal in the right hand side restricts σ

I f(x) = f(z): either x = z or x = a ∧ z = b or x = b ∧ z = a

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

E = {f(a) = f(b), g(b) 6= h(c)}, Q = {∀xyz. f(x) = f(z)→ h(y) = g(z)}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}

orσ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

I h(y) 6= g(z): y = c ∧ z = b

σ = {x 7→ b, y 7→ c, z 7→ b}or

σ = {x 7→ a, y 7→ c, z 7→ b}

c: solving the problem with E-ground (dis)unification

Given conjunctive sets of equality literals E and L, with E ground,find substitution σ s.t. E |= Lσ

I Variant of classic (non-simultaneous) rigid E-unificationI NP-complete

I NP: solutions can be restricted to ground terms in E ∪ LI NP-hard: reduction of 3-SAT

I CCFV: congruence closure with free variables [Barbosa17]

I sound, complete and terminating calculus for solving E-ground(dis)unification

I goal orientedI efficient in practice

I Variant of classic (non-simultaneous) rigid E-unification

I NP-completeI NP: solutions can be restricted to ground terms in E ∪ LI NP-hard: reduction of 3-SAT

I Variant of classic (non-simultaneous) rigid E-unificationI NP-complete

I NP: solutions can be restricted to ground terms in E ∪ LI NP-hard: reduction of 3-SAT

c evaluation (1/2) [Reynolds14]

I Evaluation onSMT-LIB, TPTP,Isabelle benchmarks

I Using conflict-basedinstantiation(cvc4+ci), require anorder of magnitudefewer instances toprove unsatisfiabilityw.r.t. E-matchingalone

c evaluation (2/2) [Barbosa17]

0.1 1 10

Efficiency scatter plot

0.1 1 10

veriT: + 800 out of 1 785 unsolved problems

CVC4:+ 200 out of 745 unsolved problems

* experiments in the “UF”, “UFLIA”, “UFLRA” and “UFIDL” categories of SMT-LIB, which have 10 495

benchmarks annotated as unsatisfiable, with 30s timeout.

Outline

Introduction

Conclusion

References

Model-based instantiation/MBQI (m) [Ge09]

Build a candidate model for E ∪Q and instantiate withcounter-examples from model checking

I Assume that PM = λx. ite(x = c, >, ⊥) and RM = λx.⊥

I Since M |= ¬ (P (a) ∨R(a)), this strategy may return x 7→ a

I Formally

m(E, ∀x. ϕ) 1. Construct a model M for E

2. Return x 7→ t where t ∈ T (E) and M |= ¬ϕ[x/t],or ∅ if none exists

Model-based instantiation/MBQI (m) [Ge09]

Build a candidate model for E ∪Q and instantiate withcounter-examples from model checking

I Assume that PM = λx. ite(x = c, >, ⊥) and RM = λx.⊥

I Since M |= ¬ (P (a) ∨R(a)), this strategy may return x 7→ a

I Formally

m(E, ∀x. ϕ) 1. Construct a model M for E

2. Return x 7→ t where t ∈ T (E) and M |= ¬ϕ[x/t],or ∅ if none exists

Outline

Introduction

Conclusion

References

Why can’t we directly use Herbrand instantiation?

Theorem (Herbrand)

A finite set of Skolem formulas is unsatisfiable if and only if thereexists a finite unsatisfiable set of Herbrand instances

I The earliest theorem provers relied on Herbrand instantiationI Instantiate with all possible terms in the language

I Enumerating all instances is unfeasible in practice!

I Enumerative instantiation was then discarded

Revisiting enumerative instantiation with benefits:

I strengthening of Herbrand theorem

I efficient implementation techniques

Theorem (Herbrand)

Theorem (Strengthened Herbrand)

If R is a (possibly infinite) set of instances of Q closed underQ-instantiation w.r.t. itself and if E ∪R is satisfiable, then E ∪Qis satisfiable.

Direct application to

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

I Ground solver enumerates assignments E ∪QI Instantiation module generates instances of Q

If there exists an infinite sequence of finite satisfiable sets of groundliterals Ei and of finite sets of ground instances Qi of Q such that

I Qi ={ϕσ | ∀x. ϕ ∈ Q, dom(σ) = {x} ∧ ran(σ) ⊆ T (Ei)

I E0 = E, Ei+1 |= Ei ∪Qi;

then E ∪Q is satisfiable in the empty theory with equality

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

If there exists an infinite sequence of finite satisfiable sets of groundliterals Ei and of finite sets of ground instances Qi of Q such that

I Qi ={ϕσ | ∀x. ϕ ∈ Q, dom(σ) = {x} ∧ ran(σ) ⊆ T (Ei)

I E0 = E, Ei+1 |= Ei ∪Qi;

then E ∪Q is satisfiable in the empty theory with equality

SMT formulaModel

module

InstanceAssignment

GroundSMT solver

Enumerative instantiation (u) [Reynolds18]

u(E, ∀x. ϕ)1. Choose an ordering � on tuples of ground terms2. Return x 7→ t where t is a minimal tuple of terms w.r.t �,

such that t ∈ T (E) and E 6|= ϕ[x/t], or ∅ if none exist

I u chooses an ordering on tuples of terms, e.g. a ≺ b ≺ c

I Since E 6|= P (a) ∨R(a), enumerative instantiation returnsx 7→ a

u as an alternative for m

I Enumerative instantiation plays a similar role to m

I It can also serve as a “completeness fallback” to c and e

I However, u has advantages over m for UNSAT problems

I And it is significantly simpler to implementI no model buildingI no model checking

Example

E = {¬P (a), R(b), S(c)}Q = {∀x. R(x) ∨ S(x), ∀x. ¬R(x) ∨ P (x), ∀x. ¬S(x) ∨ P (x)}

PM = λx.⊥,RM = λx. ite(x = b, >, ⊥),SM = λx. ite(x = c, >, ⊥)

, a ≺ b ≺ c

ϕ x s.t. M |= ¬ϕ x s.t. E 6|= ϕ m(E,∀x. ϕ) u(E,∀x. ϕ)

R(x) ∨ S(x) a a x 7→ a x 7→ a¬R(x) ∨ P (x) b a, b, c x 7→ b x 7→ a¬S(x) ∨ P (x) c a, b, c x 7→ c x 7→ a

I u instantiates uniformly so that less new terms are introduced

I m instantiates depending on how model was built

I u directly leads to E ∧Q[x/a] |= ⊥

Advanced u: restricting enumeration space

I Strengthened Herbrand Theorem allows restriction to T (E)

I Sort inference reduces instantiation space by computing moreprecise sort information

I E ∪Q = {a 6= b, f(a) = c} ∪ {P (f(x))}I a, b, c, x : τI f : τ → τ and P : τ → Bool

I This is equivalent toEs ∪Qs = {a1 6= b1, f12(a1) = c2} ∪ {P2(f12(x1))}

I a1, b1, x1 : τ1I c2 : τ2I f12 : τ1 → τ2 and P : τ2 → Bool

I u would derive e.g. x 7→ c for E ∪Q, while for Es ∪Qs theinstantiation x1 7→ c2 is not well-sorted

Advanced u: entailment checks

Two-layered method for checking whether E |= ϕ[x/t] holds

I cache of instances already derived

I on-the-fly rewriting of ϕ[x/t] modulo Ewith extension to other theories through theory-specific rewriting

Advanced u: term orderingInstances are enumerated according to the order

(t1, . . . , tn) ≺ (s1, . . . , sn) if

i=1 ti ≺ maxni=1 si, or

maxni=1 ti = maxn

i=1 si and

(t1, . . . , tn) ≺lex (s1, . . . , sn)

for a given order � on ground terms.

If a ≺ b ≺ c, then

(a, a) ≺ (a, b) ≺ (b, a) ≺ (b, b) ≺ (a, c) ≺ (c, b) ≺ (c, c)

I instances with c considered only after considering all caseswith a and b

I goal is to introduce new terms less oftenI order on T (E) fixed for finite set of terms t1 ≺ . . . ≺ tn

I instantiate in order with t1, . . . , tnI then choose new non-congruent term t ∈ T (E) and havetn ≺ t

Outline

Introduction

Conclusion

References

Experimental evaluation (UNSAT)

CVC4 configurations on unsatisfiable benchmarks

6000 8000 10000 12000 14000 16000 18000 2000010−1

e+ue;ue+me;meum

I 42 065 benchmarks: 14 731 TPTP + 27 334 SMT-LIB

I e+u: interleave e and u

I e;u: apply e first, then u if it fails

I All CVC4 configurations have c; as prefix

Experimental evaluation (SAT)

Library # u e;u e+u e m e;m e+m

TPTP 14731 471 492 464 17 930 808 829UF 7293 39 42 42 0 70 69 65

Theories 20041 3 3 3 3 350 267 267

Total 42065 513 537 509 20 1350 1144 1161

Outline

Introduction

Conclusion

References

Outline

Introduction

Conclusion

References

Conclusion

I Quantifiers in SMT: handled in an ad hoc manner

I Techniques presented here are pure FOL with equality(i.e. not “Modulo Theories”)

I Reasonably effective nonetheless

Coarse algorithm

I Skolemize (in a more or less clever way)

I solve ground part of the problem

I eliminate irrelevant information from ground assignment

I conflict-based instantiation

I e-matching/trigger-based instantiation

I model-based instantiation

I enumerative instantiation

Perspectives

I New instantiation techniquesE.g. currently investigating machine learning (will that work?)

I More convergence with state-of-the-art FOL techniques fromsaturation theorem proving

I Symbiosis with quantifier elimination for theory reasoning

Unsatisfiability modulo combination of theories. . .

. . . cannot be complete (as soon as we mix UF and lineararithmetic), but can we be complete with SMT techniques at leastfor, e.g., the FOL theory of Presburger extended with UF?(needs induction however)

Keep in mind, for quantifier handling:

I innovative 6= improving over the best

I innovative = solving what other techniques do not

I best solvers are portfolios

Finding out more about SMT / SMT-LIB

I Andrew Reynolds, VTSA 2017

I Web site of the SMT-LIB initiative:http://www.smtlib.org/

I Web site of the SMT-COMP:http://www.smtcomp.org/

I Getting the SMT-LIB input language standard:http://www.smtlib.org/language.shtml

I Getting some examples of input language:http://www.smtlib.org/examples.shtml

Outline

Introduction

Conclusion

References

Outline

Introduction

Conclusion

References

References I

[Althaus09] Ernst Althaus, Evgeny Kruglov, and Christoph Weidenbach.Superposition modulo linear arithmetic SUP(LA).In Silvio Ghilardi and Roberto Sebastiani, editors, Frontiers of CombiningSystems (FroCoS), volume 5749 of Lecture Notes in Computer Science,pages 84–99. Springer, 2009.

[Baaz01] Matthias Baaz, Uwe Egly, and Alexander Leitsch.Normal form transformations.In John Alan Robinson and Andrei Voronkov, editors, Handbook ofAutomated Reasoning, volume I, chapter 5, pages 273–333. ElsevierScience B.V., 2001.

[Barbosa17] Haniel Barbosa, Pascal Fontaine, and Andrew Reynolds.Congruence closure with free variables.In Axel Legay and Tiziana Margaria, editors, Tools and Algorithms forConstruction and Analysis of Systems (TACAS), volume 10206 ofLecture Notes in Computer Science, pages 214–230. Springer, 2017.

[Baumgartner14] Peter Baumgartner.Model evolution-based theorem proving.IEEE Intelligent Systems, 29(1):4–10, 2014.

References II

[Bonacina17] Maria Paola Bonacina and David A. Plaisted.Semantically-guided goal-sensitive reasoning: Inference system andcompleteness.J. Autom. Reasoning, 59(2):165–218, 2017.

[Detlefs05] David Detlefs, Greg Nelson, and James B. Saxe.Simplify: A Theorem Prover for Program Checking.J. ACM, 52(3):365–473, 2005.

[Dross16] Claire Dross, Sylvain Conchon, Johannes Kanig, and Andrei Paskevich.Adding decision procedures to SMT solvers using axioms with triggers.J. Autom. Reasoning, 56(4):387–457, 2016.

[Ge09] Yeting Ge and Leonardo Mendonca de Moura.Complete instantiation for quantified formulas in satisfiabiliby modulotheories.In Ahmed Bouajjani and Oded Maler, editors, Computer AidedVerification (CAV), volume 5643 of Lecture Notes in Computer Science,pages 306–320. Springer, 2009.

[Halper91] Joseph Y. Halpern.Presburger arithmetic with unary predicates is Π1

1 complete.The Journal of Symbolic Logic, 56(2):637–642, June 1991.

References III

[Korovin13] Konstantin Korovin.Inst-gen - A modular approach to instantiation-based automatedreasoning.In Andrei Voronkov and Christoph Weidenbach, editors, ProgrammingLogics - Essays in Memory of Harald Ganzinger, volume 7797 of LectureNotes in Computer Science, pages 239–270. Springer, 2013.

[Nonnengart01] Andreas Nonnengart and Christoph Weidenbach.Computing small clause normal forms.In John Alan Robinson and Andrei Voronkov, editors, Handbook ofAutomated Reasoning, volume I, chapter 6, pages 335–367. ElsevierScience B.V., 2001.

[Reynolds18] Andrew Reynolds, Haniel Barbosa, and Pascal Fontaine.Revisiting enumerative instantiation.In Dirk Beyer and Marieke Huisman, editors, Tools and Algorithms forConstruction and Analysis of Systems (TACAS), volume 10806 ofLecture Notes in Computer Science, pages 112–131. Springer, 2018.

[Reynolds14] Andrew Reynolds, Cesare Tinelli, and Leonardo Mendonca de Moura.Finding conflicting instances of quantified formulas in SMT.In Formal Methods In Computer-Aided Design (FMCAD), pages195–202. IEEE, 2014.

References IV

[Reynolds13] Andrew Reynolds, Cesare Tinelli, Amit Goel, Sava Krstic, MorganDeters, and Clark Barrett.Quantifier Instantiation Techniques for Finite Model Finding in SMT.In MariaPaola Bonacina, editor, Proc. Conference on AutomatedDeduction (CADE), volume 7898 of Lecture Notes in Computer Science,pages 377–391. Springer, 2013.

[Voronkov14] Andrei Voronkov.AVATAR: the architecture for first-order theorem provers.In Armin Biere and Roderick Bloem, editors, Computer AidedVerification (CAV), volume 8559 of Lecture Notes in Computer Science,pages 696–710. Springer, 2014.

Quantifiers in Satisfiability Modulo Theoriesregerg/ssa/SMT-Quantifiers.pdf · 1/53 Quanti ers in...

Documents