Tutorial 1: Modern SMT Solvers and Verification
TRANSCRIPT
-
Tutorial 1: Modern SMT Solvers and Verification
Sayan Mitra, Electrical & Computer Engineering, Coordinated Science Laboratory
University of Illinois at Urbana-Champaign
-
Tutorial 1: Modern SMT Solvers and Verification
Sayan Mitra
Slides adapted from a lecture by Clark Barrett
-
Plan
• SAT problem: logic and circuit representation; conversion to CNF; DPLL; modeling and BMC using SAT (Z3)
• SMT: architecture; theories; examples
LectureSlidesbySayanMitra [email protected]
-
The satisfiability problem
SAT problem: Given a well-formed formula α in propositional logic, decide whether there exists a satisfying solution for α.
Example: α(x₁, x₂, …, xₙ) ≔ ((x₁ ∧ x₂) ∨ x₃) ∧ x₁ ∧ (¬x₃ ∨ x₂)
Satisfying solution: (x₁ = 1; x₂ = 1; x₃ = 0)
Complexity: 2ⁿ
First problem shown to be NP-complete [Cook '71]
Though exponential, it makes sense to build SAT solvers, and 30+ years of engineering has led to solvers that can solve practical problems
-
SAT in verification
Reachability and invariance questions about automata can be encoded as SAT questions.
Q. U is (not) reachable from Q₀ in n steps:
F_init(X₀) ∧ F_T(X₀, X₁) ∧ F_T(X₁, X₂) ∧ F_T(X₂, X₃) ∧ ⋯ ∧ F_T(Xₙ₋₁, Xₙ) ∧ F_U(Xₙ) is SAT iff U is reachable (UNSAT iff not reachable)
Q. I is (not) an inductive invariant:
(F_init(X) → F_I(X)) ∧ (F_I(X) ∧ F_T(X, X′) → F_I(X′))
(I is inductive iff this formula is valid, i.e., iff its negation is UNSAT)
-
Terminology
variables: x₁, x₂
literals: positive or negative appearance of variables in a formula, e.g., x₁, ¬x₂
clause: disjunction of literals, e.g. (x₁ ∨ ¬x₂ ∨ x₃)
conjunctive normal form (CNF) formula: e.g., (x₁ ∨ x₂ ∨ ¬x₃) ∧ (¬x₂ ∨ x₁)
We will assume α to be in CNF
-
Propositional logic and circuits
[Figure: circuit with inputs A, B, C, D; gates A ∧ B, D ∧ (A ∧ B) and ¬C ∧ (A ∧ B); output I]
I ≡ (D ∧ (A ∧ B)) ∨ (¬C ∧ (A ∧ B))
-
Propositional logic and circuits
[Figure: the same circuit; inputs A, B, C, D; gates A ∧ B, D ∧ (A ∧ B) and ¬C ∧ (A ∧ B); output I]
I ≡ (D ∧ (A ∧ B)) ∨ (¬C ∧ (A ∧ B))
Overcome inefficiency by renaming subexpressions
Tautologically equivalent: every satisfying solution of I is a satisfying solution of I′, and vice versa
Equisatisfiable: I is satisfiable iff I′ is satisfiable
A ∧ B ↔ E
I′ ≡ ((D ∧ E) ∨ (¬C ∧ E)) ∧ (A ∧ B ↔ E)
I′ and I are not tautologically equivalent, but they are equisatisfiable (e.g., C = 0; A = B = 1; E = 0 satisfies I but not I′)
-
Converting to CNF
[Figure: the same circuit with its non-leaf nodes named: E = A ∧ B, F = ¬C, G = D ∧ E, H = F ∧ E, I = H ∨ G]
View the formula as a circuit
1. Give new names to non-leaf nodes
2. For each non-leaf add the conjunction of its I/O clauses
3. Take the conjunction of everything
E ↔ A ∧ B ≡ (¬(A ∧ B) ∨ E) ∧ (¬E ∨ (A ∧ B)) ≡ (¬A ∨ ¬B ∨ E) ∧ (¬E ∨ A) ∧ (¬E ∨ B)
G ↔ D ∧ E
¬F ↔ C
H ↔ F ∧ E
I ↔ (H ∨ G)
-
SMT formats
Alternative notations for the same clauses:
• (¬A ∨ ¬B ∨ E) ∧ (¬E ∨ A) ∧ (¬E ∨ B) ∧ (¬D ∨ E)
• A′ ∨ B′ ∨ E   E′ ∨ A   E′ ∨ B   D′ ∨ E   (a prime marks negation; clauses written side by side are conjoined)
• −1 −2 5   −5 1   −5 2   −4 5   [DIMACS: A, B, C, D, E are numbered 1 to 5, a negative number is a negated variable, one clause per line]
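A worked implementation of the three conversion steps, added here as an example (it is not code from the slides or from Z3): it names the non-leaf nodes of the circuit above, emits the I/O clauses per gate, and prints the result in DIMACS with the variable numbering A..E = 1..5 used on the slide. The class and function names are this example's own.

```python
# Added example (not from the slides): Tseitin-style CNF conversion of the
# circuit above. Every non-leaf node gets a fresh variable plus the clauses
# linking it to its inputs; the result is equisatisfiable, not equivalent.
from typing import Dict, List, Tuple

Clause = Tuple[int, ...]

class CnfBuilder:
    def __init__(self) -> None:
        self.var: Dict[str, int] = {}      # node name -> DIMACS variable number
        self.clauses: List[Clause] = []

    def v(self, name: str) -> int:
        return self.var.setdefault(name, len(self.var) + 1)

    def and_gate(self, out: str, *ins: str) -> None:
        o, xs = self.v(out), [self.v(i) for i in ins]
        # out <-> (x1 and ... and xn): (-x1 or ... or -xn or out), each (-out or xi)
        self.clauses.append(tuple(-x for x in xs) + (o,))
        self.clauses.extend((-o, x) for x in xs)

    def or_gate(self, out: str, *ins: str) -> None:
        o, xs = self.v(out), [self.v(i) for i in ins]
        # out <-> (x1 or ... or xn): (x1 or ... or xn or -out), each (out or -xi)
        self.clauses.append(tuple(xs) + (-o,))
        self.clauses.extend((o, -x) for x in xs)

    def not_gate(self, out: str, inp: str) -> None:
        o, x = self.v(out), self.v(inp)
        self.clauses.extend([(-o, -x), (o, x)])   # out <-> -inp

    def dimacs(self, root: str) -> str:
        """DIMACS text: header, one clause per line ending in 0; the final
        unit clause asserts that the circuit output `root` is true."""
        lines = [f"p cnf {len(self.var)} {len(self.clauses) + 1}"]
        lines += [" ".join(map(str, c)) + " 0" for c in self.clauses]
        lines.append(f"{self.v(root)} 0")
        return "\n".join(lines)

def circuit_from_slides() -> CnfBuilder:
    """I = (D and E) or (F and E), E = A and B, F = not C; A..D get 1..4, E gets 5."""
    b = CnfBuilder()
    for leaf in "ABCD":
        b.v(leaf)
    b.and_gate("E", "A", "B")
    b.not_gate("F", "C")
    b.and_gate("G", "D", "E")
    b.and_gate("H", "F", "E")
    b.or_gate("I", "H", "G")
    return b
```

Calling `circuit_from_slides().dimacs("I")` yields the slide's first three DIMACS clauses for E followed by those of F, G, H and I.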
-
SAT solving algorithms
• Davis Putnam algorithm (DP), 1960
• Davis Putnam Logemann Loveland (DPLL), 1962
Basic idea: given α, perform a sequence of satisfiability-preserving transformations; if this ends with the empty clause then UNSAT, and if this ends with no clauses then SAT
-
The DP rules
1. Unit propagation: If a clause has a single literal p then
– remove all instances of ¬p from all clauses
– remove all clauses with p
2. Pure literal: If a variable appears only positively or only negatively in all clauses then delete all clauses containing that literal
3. Resolution: Choose a literal p that appears both positively and negatively
– Let P be the set of clauses in which p is positive
– Let N be the set of clauses in which p is negative
– Replace P, N with the clauses obtained by resolving on p in all pairs
– For a single pair (p ∨ ℓ₁ ∨ ℓ₂ … ℓₘ); (¬p ∨ k₁ ∨ k₂ … kₙ) the resolved clause is (ℓ₁ ∨ ℓ₂ … ℓₘ ∨ k₁ ∨ k₂ … kₙ)
– Quadratic blow-up in the size of the formula
-
Some experimental results
[Figure: experimental results, from a talk by Clark Barrett]
-
Example (DPLL on the clause set 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4; the literals assigned so far are shown before the bar, and a decision literal is marked ᵈ)
∅ | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Pure literal 4)
4 | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Decide 1)
4 1ᵈ | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Unit prop ¬2)
4 1ᵈ ¬2 | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Unit prop 3)
4 1ᵈ ¬2 3 | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Backtrack)
4 ¬1 | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Unit prop)
4 ¬1 ¬2 ¬3 | 1 ∨ ¬2, ¬1 ∨ ¬2, 2 ∨ 3, ¬3 ∨ 2, 1 ∨ 4 ⇒ (Fail)
Result: Unsatisfiable
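The trace above, reproduced by a small DPLL solver added as an example (not code from the slides): it applies unit propagation and the pure-literal rule before deciding, records each rule it fires, and returns a model or None. Names such as solve and SLIDE_CLAUSES are this example's own.

```python
# Added example (not from the slides): a small DPLL solver in the slide's
# integer notation (2 = x2, -2 = not x2) that records which rule fired.
from typing import List, Optional, Set, Tuple

Clause = Tuple[int, ...]

def simplify(clauses: List[Clause], lit: int) -> Optional[List[Clause]]:
    """Make lit true: drop clauses containing lit and delete -lit elsewhere;
    None means some clause became empty (a conflict)."""
    out: List[Clause] = []
    for c in clauses:
        if lit in c:
            continue
        rest = tuple(l for l in c if l != -lit)
        if not rest:
            return None
        out.append(rest)
    return out

def dpll(clauses: List[Clause], assignment: Set[int], trace: List[str]) -> Optional[Set[int]]:
    # 1. unit propagation: a single-literal clause forces that literal
    unit = next((c[0] for c in clauses if len(c) == 1), None)
    if unit is not None:
        trace.append(f"unit {unit}")
        nxt = simplify(clauses, unit)
        return None if nxt is None else dpll(nxt, assignment | {unit}, trace)
    # 2. pure literal: a variable seen with one polarity only can be set freely
    lits = {l for c in clauses for l in c}
    pure = next((l for l in sorted(lits, key=abs) if -l not in lits), None)
    if pure is not None:
        trace.append(f"pure {pure}")
        return dpll(simplify(clauses, pure) or [], assignment | {pure}, trace)
    if not clauses:
        return assignment                      # no clauses left: SAT
    # 3. decide on a variable, try both polarities, backtrack on conflict
    d = abs(clauses[0][0])
    for lit in (d, -d):
        trace.append(f"decide {lit}")
        nxt = simplify(clauses, lit)
        if nxt is not None:
            model = dpll(nxt, assignment | {lit}, trace)
            if model is not None:
                return model
        trace.append(f"backtrack {lit}")
    return None                                # both polarities failed: UNSAT

def solve(clauses: List[Clause]) -> Tuple[Optional[Set[int]], List[str]]:
    trace: List[str] = []                      # returns (model or None, rule trace)
    return dpll(list(clauses), set(), trace), trace

SLIDE_CLAUSES: List[Clause] = [(1, -2), (-1, -2), (2, 3), (-3, 2), (1, 4)]   # the slide's example
```

Unit propagation here picks the first single-literal clause, so after deciding 1 it derives ¬2 and then 3 before hitting the conflict, as in the slide.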
-
Modeling for SAT
Input: 𝒜 = (Q, Q₀, T ⊆ Q × Q), invariant I or unsafe set U
Output: I is (not) an invariant of 𝒜; U is (not) reachable from Q₀; U is (not) reachable from Q₀ in n steps
-
Modeling for SAT (2)
𝒜 = (Q, Q₀, T ⊆ Q × Q), invariant I or unsafe set U
Assume Q is finite
Select k such that |Q| ≤ 2ᵏ
Define state variables X = (x₁, x₂, …, xₖ), type(xᵢ) = {0, 1}
Then Q = val(X)
Q₀ ⟼ F_init(X)
-
Bounded model checking
T ⟼ F_T(X, Y), a formula encoding the transition relation
We need n + 1 copies of the variables: X₀ = (x₀₁, x₀₂, … x₀ₖ), X₁ = (x₁₁, x₁₂, … x₁ₖ), …, Xₙ
Q. U is (not) reachable from Q₀ in n steps:
F_init(X₀) ∧ F_T(X₀, X₁) ∧ F_T(X₁, X₂) ∧ F_T(X₂, X₃) ∧ ⋯ ∧ F_T(Xₙ₋₁, Xₙ) ∧ F_U(Xₙ) is SAT iff U is reachable (UNSAT iff not reachable)
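The encoding above applied to a constructed finite automaton, added as an example (not code from the slides, and not Z3's API): each of Q₀, T and U becomes clauses that forbid the valuations outside it, the n + 1 copies of X are laid out as variables step·k + bit + 1, and a tiny exhaustive check stands in for the SAT solver. The counter automaton and all helper names are this example's own assumptions.

```python
# Added example (not from the slides): the bounded-model-checking encoding of a
# finite automaton A = (Q, Q0, T) as one CNF query, run on a constructed 2-bit counter.
from itertools import product
from typing import List, Set, Tuple

Clause = Tuple[int, ...]
State = Tuple[int, ...]        # k bits; Q = val(X)

def var(step: int, bit: int, k: int) -> int:
    """Variable number of bit `bit` in the copy X_step of the k state bits."""
    return step * k + bit + 1

def forbid(combo: List[Tuple[int, State]], k: int) -> Clause:
    """Clause ruling out one concrete (step, state) combination: a disjunction
    with one literal per bit, each saying 'this bit differs from the state'."""
    return tuple(-var(s, j, k) if b else var(s, j, k)
                 for s, st in combo for j, b in enumerate(st))

def bmc_encode(k: int, n: int, init: Set[State],
               trans: Set[Tuple[State, State]], unsafe: Set[State]) -> List[Clause]:
    """F_init(X0) and F_T(X0,X1) and ... and F_T(Xn-1,Xn) and F_U(Xn), each
    relation encoded by forbidding the valuations that are not in it."""
    states = list(product((0, 1), repeat=k))
    clauses = [forbid([(0, s)], k) for s in states if s not in init]
    for i in range(n):
        clauses += [forbid([(i, s), (i + 1, t)], k)
                    for s in states for t in states if (s, t) not in trans]
    clauses += [forbid([(n, s)], k) for s in states if s not in unsafe]
    return clauses

def brute_force_sat(clauses: List[Clause], nvars: int) -> bool:
    """Exhaustive stand-in for a SAT solver; a real flow hands the clauses
    (e.g. as DIMACS) to Z3 or MiniSat instead."""
    for val in product((False, True), repeat=nvars):
        if all(any(val[abs(l) - 1] == (l > 0) for l in c) for c in clauses):
            return True
    return False

# Constructed model: counter 0 -> 1 -> 2 -> 3 -> 0 on 2 bits (hi, lo), start at 0,
# unsafe state 3 = (1, 1); it takes exactly three transitions to reach it.
K = 2
def bits(s: int) -> State:
    return ((s >> 1) & 1, s & 1)
COUNTER_T = {(bits(s), bits((s + 1) % 4)) for s in range(4)}

def unsafe_reachable_in(n: int) -> bool:
    """Is state 3 reachable from state 0 in exactly n steps?"""
    clauses = bmc_encode(K, n, init={bits(0)}, trans=COUNTER_T, unsafe={bits(3)})
    return brute_force_sat(clauses, K * (n + 1))
```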
-
From SAT to SMT (Tutorial 1)
-
Architecture of SMT solvers
Question: Input α(x), a formula in some set of logical theories; ∃x, x ⊨ α?
[Figure: block diagram. A CNF formula in the theory of Arrays enters the Core DPLL engine, which works on the boolean skeleton of the problem and exchanges assertions with the Theories block (Arithmetic, Arrays, UF, Bitvectors, …); the theory decision procedures should ideally be incremental, backtrackable and conflict generating; the output is a solution / counterexample (CE)]
-
Theories and terminology
• Signature: function symbols, predicate symbols, arity, set of variables
• Terms(Σ, V):
– v | f(t₀, …, tₖ)
– ground terms
• Atomic formulas AF(Σ, V):
– T, F, p(t₀, …, tₖ)
– literal: an AF or its negation
• QFF(Σ, V): φ, ¬φ, φ₁ ∧ φ₂, φ₁ ∨ φ₂, φ₁ → φ₂, where φ, φᵢ ∈ AF
• FOF(Σ, V):
– QFF under universal and existential quantifiers
– free and bound variables
• Sentence: FOF with no free variables
• Theory(Σ, V): set of all sentences
Example:
• Σ_f := {0, +}, Σ_p := {<}, arity(0) := 0, arity(+) := 2, arity(<) := 2, V := {x, y, z}
• Terms: x, y, z, 0, +(x, y), +(+(x, y), 0)
• AF: x < y, +(x, y) = +(y, x)
• QFF: +(x, y) = 0 ∧ x > y
• FOF: ∀x, ∃y: +(x, y) = 0 ∧ x > y
-
Decision procedures
Models give meaning to symbols and formulas.
A model M for (Σ, V) defines a domain, gives an interpretation to all symbols and an assignment to all the variables.
Given a theory T, a theory solver (decision procedure) takes as input a set of literals Φ and determines whether Φ is T-satisfiable, i.e., does there exist a model M such that M ⊨ Φ?
-
Example theories
Uninterpreted functions (UF): Σ_f = {f, g, …}, Σ_p = {=}, V = {xᵢ}; e.g., x₁ ≠ x₂ ∧ x₃ ≠ x₂ ∧ f(x₃) = f(x₂)
Arithmetic: Σ_p = {<, ≤, ≥, =}
– Difference logic: Σ_f = {−}, Σ_p = {<, ≤, ≥, =}; e.g., x₁ − x₂ > k
– Linear arithmetic: e.g., 7x₁ − 3x₂ + 6x₃ ≤ 10
– Nonlinear arithmetic: e.g., 7x₁² − 3x₂x₁ + 6x₃³ ≤ 1
Arrays
Bitvectors
-
A decision procedure for UF
Rules:
1. Put all variables and function instances in their own classes
2. If tᵢ = tⱼ is a predicate in Φ then merge the containing classes; repeat
3. If tᵢ and tⱼ are in the same class, then merge F(tᵢ) and F(tⱼ); repeat
4. If tᵢ ≠ tⱼ is in Φ such that tᵢ and tⱼ are in the same class then return UNSAT, else return SAT
Example: Φ ≔ x₁ = x₂ ∧ x₂ = x₃ ∧ x₄ = x₅ ∧ x₅ ≠ x₁ ∧ F(x₁) ≠ F(x₃)
(the index j and the subscripts 4 and 5 were lost in the transcript and are written in here)
{x₁} {x₂} {x₃} {x₄} {x₅} {F(x₁)} {F(x₃)}
{x₁, x₂} {x₃} {x₄, x₅} {F(x₁)} {F(x₃)}
{x₁, x₂, x₃} {x₄, x₅} {F(x₁)} {F(x₃)}
{x₁, x₂, x₃} {x₄, x₅} {F(x₁), F(x₃)}
UNSAT
-
Back to SMT
Two approaches
• Eager: translate to an equisatisfiable propositional formula
• Lazy: abstract to propositional form, feed to DPLL, refine
-
SMT solver example
Φ ≔ g(a) = c ∧ (f(g(a)) ≠ f(c) ∨ g(a) = d) ∧ c ≠ d
Atoms: 1: g(a) = c, 2: f(g(a)) = f(c), 3: g(a) = d, 4: c = d, so Φ reads 1 ∧ (¬2 ∨ 3) ∧ ¬4
Send {1, ¬2 ∨ 3, ¬4} to SAT
SAT solver returns model {1, ¬2, ¬4}
UF solver finds the concretization of {1, ¬2, ¬4} UNSAT
Send {1, ¬2 ∨ 3, ¬4, ¬(1 ∧ ¬2 ∧ ¬4)} to SAT, i.e., send {1, ¬2 ∨ 3, ¬4, ¬1 ∨ 2 ∨ 4} to SAT
SAT solver returns model {1, 3, ¬4}
UF solver finds the concretization of {1, 3, ¬4} UNSAT
Send {1, ¬2 ∨ 3, ¬4, ¬1 ∨ 2 ∨ 4, ¬1 ∨ ¬3 ∨ 4} to SAT
SAT solver returns UNSAT; the original formula is UNSAT in UF
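The four UF rules and the lazy loop above, as an added example (not code from the slides): a union-find congruence closure answers the theory queries and an exhaustive enumerator stands in for the SAT solver. Because the stand-in returns total assignments, it needs three refinement rounds on Φ rather than the slide's two partial models; all names here are the example's own.

```python
# Added example (not from the slides): congruence closure for UF following the
# four rules above, driving a lazy SMT loop on the slide's formula Phi.
from itertools import product
from typing import Dict, Iterator, List, Set, Tuple, Union

Term = Union[str, Tuple[str, "Term"]]    # a variable/constant, or f(t) for unary f
def subterms(t: Term, acc: List[Term]) -> None:
    if t not in acc: acc.append(t)
    if isinstance(t, tuple): subterms(t[1], acc)

def uf_satisfiable(eqs: List[Tuple[Term, Term]], diseqs: List[Tuple[Term, Term]]) -> bool:
    terms: List[Term] = []
    for s, t in eqs + diseqs:
        subterms(s, terms); subterms(t, terms)
    parent: Dict[Term, Term] = {t: t for t in terms}     # rule 1: singleton classes
    def find(t: Term) -> Term:
        while parent[t] != t: t = parent[t]
        return t
    for s, t in eqs:                                     # rule 2: merge asserted equalities
        parent[find(s)] = find(t)
    changed = True
    while changed:                                       # rule 3: s ~ t implies f(s) ~ f(t)
        changed = False
        for u, v in product(terms, repeat=2):
            if isinstance(u, tuple) and isinstance(v, tuple) and u[0] == v[0] and find(u[1]) == find(v[1]) and find(u) != find(v):
                parent[find(u)] = find(v); changed = True
    return all(find(s) != find(t) for s, t in diseqs)    # rule 4: some s != t with s ~ t?

# Atoms of Phi: 1: g(a)=c   2: f(g(a))=f(c)   3: g(a)=d   4: c=d
ATOMS: Dict[int, Tuple[Term, Term]] = {1: (("g", "a"), "c"), 2: (("f", ("g", "a")), ("f", "c")),
                                       3: (("g", "a"), "d"), 4: ("c", "d")}
SKELETON: List[Tuple[int, ...]] = [(1,), (-2, 3), (-4,)]      # boolean skeleton {1, -2 v 3, -4}

def sat_models(clauses: List[Tuple[int, ...]]) -> Iterator[Set[int]]:
    """Stand-in for the SAT solver: total assignments to atoms 1..4 satisfying clauses."""
    for signs in product((1, -1), repeat=len(ATOMS)):
        lits = {i * s for i, s in enumerate(signs, start=1)}
        if all(any(l in lits for l in c) for c in clauses): yield lits

def lazy_smt() -> Tuple[bool, List[Tuple[int, ...]]]:
    clauses, learned = list(SKELETON), []                # learned: blocking clauses from theory conflicts
    while True:
        model = next(sat_models(clauses), None)
        if model is None:
            return False, learned                        # skeleton UNSAT: Phi UNSAT in UF
        eqs = [ATOMS[l] for l in model if l > 0]
        diseqs = [ATOMS[-l] for l in model if l < 0]
        if uf_satisfiable(eqs, diseqs):
            return True, learned                         # concretization is UF-satisfiable
        clauses.append(tuple(-l for l in sorted(model, key=abs))); learned.append(clauses[-1])   # refine
```

uf_satisfiable on its own also decides the UF example from the theory slide and the class-merging example above.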
-
Summary
This was just an introduction to SMT solvers
Modern solvers such as Z3, CVC4 and Chaff have been used to solve practical verification problems
Many, many tools use SAT solvers for verification, synthesis, symbolic simulation, etc.
SMT competitions: http://www.satcompetition.org/