Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

SMT solvers in Program Analysis and Verification

Nikolaj BjørnerMicrosoft Research

Lecture 3

Overview of the lectures

Day Topics Lab

1 Overview of SMT and applications. SAT solving, Z3

Encoding combinatorial problems with Z3

2 Congruence closure Program exploration with Pex

3 A solver for arithmetic. Encoding arithmetic problems

4 Theory combination. Arrays (part 1)

Arrays

5 Arrays, (part 2) and quantifiers

Build a theory solver on top of Z3

Summary of Day 3

A solver for Arithmetic

Lab: Explore PexRush hour and bounded model checking

References

Slides for Lecture 5 contains a comprehensive list of references

Default pointer, with pointers to pointers: http://research.microsoft.com/projects/z3

http://research.microsoft.com/projects/z3

http://research.microsoft.com/projects/z3

Solvers for linear

arithmetic

Linear arithmetic?Find x, y such that:

For reals:Solution:

For integers:No solution

1 3 6 2x y

1, 03

x y

Linear arithmeticThe set of terms TLA and atoms ALA :

t TLA ::= r x x F r Int/Rational | t + t’ t, t’ TLA

Shorthand: x instead of 1 x

a ALA ::= t t’ t, t’ TLA

| t < t’ | t = t’

Difference LogicConstraints are of the form

x – y 4 y – z 7

Example unsatisfiable constraints:x1 - x2 -3, x2 - x3 1, x3 - x4 -2, x4 - x1 3

Proof: 0 = (x1 - x2)+(x2 - x3)+(x3 - x4)+(x4 - x1)= -3 + 1 – 2 + 3 = -1

Difference Logic

Graph interpretation:

Variables are nodes.Atoms x – y c are weighted edges A set of literals is satisfiable iff there is no negative cycle:

where C := c1 + c2 + c3 + c4 < 0. A negative cycle implies a contradiction 0 C < 0.

31 2 4

1 2 3 4 1

cc c c

x x x x x

c

x y

Difference logicHow to find negative cycles?

Bellman-Ford style algorithm O(nm), where

n – # vertices, m – # edges.

Floyd-Warshall O(n3), works OK when m n2for : cost[x,y] := c, else cost[x,y] =

for x V: for y V: for z V: cost[x,y] := min(cost[x,y], cost[x,z] + cost[z,y])

Check that x . cost[x,x] 0

c

x y

Difference Logic – strict inequalities

What about (x – y c) (y – x < -c)?

x, y integers: (y – x < -c) (y – x -c-1) x,y reals: Use infinitesimals .

(y – x < -c) (y – x -c- )Formally, constants are pairs c,c’

with interpretation c + c’

Sample negative cycle:

c

x y

3 3

x y x

General Linear Arithmetic

Not all linear arithmetic uses only two variables per inequality

Two approaches to arithmeticFourier-Motzkin:

Quantifier elimination procedurex (t ax t’ bx cx t’’) ct at’ ct’ bt’’

Polynomial for difference logic.Generally: exponential space, doubly exponential time.

Simplex:Worst-case exponential, butTime-tried practical efficiency.Linear space

Fast Linear arithmetic

Simplex general formPre-processing stepAlgorithm based on Dual SimplexEfficient backtrackingEfficient Theory propagation

The following material is from:Dutetre & de Moura CAV 2006

Fast Linear arithmetic: General Form

General form: Ax = s, lj xj , sj uj Example:

Only bounds (e.g., s1 0 ) are asserted during search.

1 2

1 2 1 2

0 ( 2 2 6) ( 2 2 4)

( 2 )

( 0 ( 2 6) ( 2 4))

x x y x y x y x y

s x y s x y

x s s s s

Fast Linear arithmetic - Search

Tableau Ax = s is built duringpre-processingBounds are asserted and un-asserted during search

1 2

1 2 1 2

0 ( 2 2 6) ( 2 2 4)

( 2 )

( 0 ( 2 6) ( 2 4))

x x y x y x y x y

s x y s x y

x s s s s

Fast Linear arithmetic - Search

Tableau Ax = s is built duringpre-processingBounds are asserted and un-asserted during search

Backtracking should be cheap – and it is:

Let (x1) = 0, (x2) = -1, (s2) = 0 satisfies x1 4 , x2 -1, -3 s2 then satisfies x1 4 , x2 -1

Fast Linear arithmetic – Dual Simplex

Tableau Ax = s from pre-processing. Initial assignment , where (xi) = 0, (si) = 0 satisfies tableau.

What do we do when bounds are asserted?

We pivot.


Terminology:Ax = sThe s variables are basic. The x variables are non-basic.

Invariant on Ax = s, :For non-basic variables: lj (xj) uj The role of pivoting: also satisfy bounds on non-basic variables.


New bound xj u is asserted.Set (xj) min((xj), u)Check each row with xj if bounds on non-basic variables are satisfied.

If not, pivot and update

ExampleAsserting

Assignment EquationsBounds

0

0

0

0

0

x

y

s

u

v

2

s x y

u x y

v x y

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

ExampleAsserting assignment does not satisfy bounds

Assignment EquationsBounds 0

0

0

0

0

y

v

s

x

u

2

s x y

u x y

v x y

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

1s

ExampleAsserting pivot s and x (s is a dependent variable)


0

0

0

0

y

v

s

x

u

2

y

u x y

v x y

s x

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

1s



0

0

0

0

y

v

s

x

u

2

y

u x y

v x y

x s

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

1s



0

0

0

0

y

v

s

x

u

2

x s

s y

s

y

u

v y

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

1s

ExampleAsserting update dependent variable assignment


0

0

0

1

y

v

s

x

u

2

x s

s y

s

y

u

v y

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

1s

ExampleAsserting update dependent variable assignment


0

1

1

1

1

x

s

v

y

u

2

x s

s y

s

y

u

v y

, 0

( 1 2),( 2 0

1

),( 2 1)

x

y v v

s

v v u

1s

1s

ExampleAsserting


1

0

1

1

1

x

y

s

u

v

2

x s y

u s y

v s y

,

( 1 2),(

1 0

2 0),( 2 1)y v v u

s x

v v

0x

1

0

s

x

ExampleAsserting assignment satisfies new bound


1

0

1

1

1

x

y

s

u

v

2

x s y

u s y

v s y

( 1 2),( 2 0

1

),

0

( 2 )

,

1

s x

y v v v v u

0x

1

0

s

x

ExampleCase split


1

0

1

1

1

x

y

s

u

v

2

x s y

u s y

v s y

1, 0

( 2),( 2 0)1 ,( 2 1)

s x

v vy v v u

( 1)y

1

1

0

y

s

x

ExampleCase split bounds do not satisfy assignment


0

1

1

1

1

x

s

v

y

u

2

x s y

u s y

v s y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

( 1)y

1

1

0

y

s

x

ExampleCase split update assignment


1

1

1

1

1

x

s

y

u

v

2

x s y

u s y

v s y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

( 1)y

1

1

0

y

s

x

ExampleCase split update dependent assignment


1

1

2

1 2

x

y

u

v

s

2

x s y

u s y

v s y

1, 0

( 2),( 2 0)1 ,( 2 1)

s x

v vy v v u

( 1)y

1

1

0

y

s

x

ExampleBound violation


1

1

2

1 2

x

y

u

v

s

2

x s y

u s y

v s y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

1

1

0

y

s

x

ExampleBound violation pivot x and s (x is a dependent variable)


1

2

1 2

x

y

s

u

v

2

y

u s y

v s

x s

y

1, 0

( 2),( 2 0)1 ,( 2 1)

s x

v vy v v u

0

1

1y

x

s



1

2

1 2

x

y

s

u

v

2

y

u s y

v s

x s

y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

0

1

1y

x

s



1

2

1 2

x

y

s

u

v

2

y

u

y

x

s

v s

s

y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

0

1

1y

x

s



1

2

1 2

x

y

s

u

v

2

y

u

x

y

v

s

x

x y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

0

1

1y

x

s

ExampleBound violation update assignment


1

0

1

2 2

1

x

y

s

u

v

2

y

u

x

y

v

s

x

x y

1, 0

( 2),( 2 0)1 ,( 2 1)

s x

v vy v v u

0

1

1y

x

s

ExampleTheory propagation:


1

0

1

2 2

1

x

y

s

u

v

2

y

u

x

y

v

s

x

x y

1, 0

( 2),( 2 0)1 ,( 2 1)

s x

v vy v v u

1

2

1

0

s

x

y

u

0, 1 2x y u



0

1

1

2 2

1

x

y

s

u

v

2

s x y

u x y

v x y

1, 0

( 2),( 2 0)1 , 2 1( )

s x

v vy uv v

1

0

1

2

s

x

y

u

2 ( 1)u u

ExampleBoolean propagation:


2

s x y

u x y

v x y

( ),( 2 0),( 2 1)

1,

21

0

vy

s

v

x

uvv

1

0

1

2

s

x

y

u

( 1) 2y v

0

1

1

2 2

1

x

y

s

u

v



0

1

1

2 2

1

x

y

s

u

v

2

s x y

u x y

v x y

1 2

1, 0

2( ),( 2 0),( )1v u

s

y v

x

vv

1

0

1

2

s

x

y

u

2 ( 2)v v

ExampleConflict


0

1

1

2 2

1

x

y

s

u

v

2

s x y

u x y

v x y

1 2

1, 0

2( ),( 2 0),( )1v u

s

y v

x

vv

1

0

1

2

s

x

y

u

ExampleBacktrack


0

1

1

2 2

1

x

y

s

u

v

2

s x y

u x y

v x y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

1

1

0

y

s

x

ExampleAssert y 1 assignment does not satisfy bound


0

1

1

2 2

1

x

y

s

u

v

2

s x y

u x y

v x y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

1

1

0

y

s

x

ExampleAssert y 1 update assignment


1

1

0

2

1

y

s

u

x

v

2

s x y

u x y

v x y

( 2),( 2 0),

1,

21 )

0

( 1v v

s

y v v u

x

1

1

0

y

s

x

ExampleTheory propagation


0

1

1

2

1

x

y

s

u

v

2

s x y

u x y

v x y

0, 1 1x y v

1

1

1

0

s

x

y

v

( 2),( 0),( 11 2

0

2

1,

)v v

s

v uy v

x

ExampleBoolean propagation


0

1

1

2

1

x

y

s

u

v

2

s x y

u x y

v x y

( 2) 0v v

1

0

1

0

s

x

y

v

( 2),( ),

1, 0

1 0 ( 22 1)v v

s

v u

x

y v

ExampleAssignment does not satisfy bounds


0

1

1

2

1

x

y

s

u

v

2

s x y

u x y

v x y

1

0

1

0

s

x

y

v

( 2),( ),

1, 0

1 0 2(2 1)v v

s

v u

x

y v

ExamplePivot v and x ( v is a dependent variable)


0

1

1

2

1

x

y

s

u

v

2

v x

s x y

u x y

y

1

0

1

0

s

x

y

v

( 2),( 0),( 11 2

0

2

1,

)v v

s

v uy v

x

ExamplePivot v and x ( v is a dependent variable)


0

1

1

2

1

x

y

s

u

v

2

3

s v y

u v y

x v y

1

0

1

0

s

x

y

v

( 2),( 0),( 11 2

0

2

1,

)v v

s

v uy v

x

ExampleUpdate assignment to v


0

1

1

2

0

x

y

s

v

u

2

3

s v y

u v y

x v y

1

0

1

0

s

x

y

v

( 2),( 0),( 11 2

0

2

1,

)v v

s

v uy v

x

ExampleUpdate all other assignments


1

1

2

3

0

x

s

y

v

u

2

3

s v y

u v y

x v y

1

0

1

0

s

x

y

v

( 2),( 0),( 11 2

0

2

1,

)v v

s

v uy v

x

ExampleBoolean propagation


1

3

1

2

0

x

y

s

v

u

2

3

s v y

u v y

x v y

1

0

1

0

1

s

x

y

v

u

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

( 2) 1v u

ExampleBound violation assignment to u does not satisfy bounds.


1

3

1

2

0

x

y

s

v

u

2

3

s v y

u v y

x v y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation pivot u and v (u is a dependent variable)


1

3

1

2

0

x

y

s

v

u

2

3v u y

s v y

x v y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation pivot u and v (u is a dependent variable)


1

3

1

2

0

x

y

s

v

u

2

3v

u y

x u

u

s

y

y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation update assignment


1

1

2

1

0

u

x

y

s

v

2

3v

u y

x u

u

s

y

y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation update assignment on dependent variables


1

0

1

2

x

y

s

v

u

2

3v

u y

x u

u

s

y

y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation bounds on s are violated


1

1

1

2

0

s

x

y

u

v

3

2

s u y

v u y

x u y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation pivot s and y (s is a dependent variable)


1

1

2

0

s

x

y

u

v

3

2

v

u s

u

x u

y

y

y

( 2),( 0),

1, 0

1 1(2 2 )v v

s

vy uv

x

1

0

1

0

1

s

x

y

v

u

ExampleBound violation update value of s


1

2

1

0

1

y

u

v

s

x

3

2

v

u s

u

x u

y

y

y

( 2),( ),

1, 0

1 0 2(2 1)v v

s

v

x

y v u

1

0

1

0

1

s

x

y

v

u

ExamplePropagate pivot to other rows


2 3

2

v u s

x u

y u s

s

( 2),( ),

1, 0

1 0 2(2 1)v v

s

v

x

y v u

1

0

1

0

1

s

x

y

v

u

1

2

1

0

1

y

u

v

s

x

ExamplePropagate assignment to dependent variables


2 3

2

v u s

x u

y u s

s

( 2),( ),

1, 0

1 0 2(2 1)v v

s

v

x

y v u

1

0

1

0

1

s

x

y

v

u

3

2

1

5

1

y

u

v

s

x

ExampleTableau is feasible, constraints are satisfied


2 3

2

y u s

v u s

x u s

( 2),( ),

1, 0

1 0 2(2 1)v v

s

v

x

y v u

1

0

1

0

1

s

x

y

v

u

3

2

1

1

5

x

y

s

u

v

Fast Linear arithmetic – recap

New bound xj u is asserted.Set (xj) min((xj), u)Check each row with xj if bounds on non-basic variables are satisfied.Tableau is infeasible if some row:

s = 3x1 + 4x2 - 5x3

Either ls > 3ux1 + 4ux2 - 5lx3,Or us < 3lx1 + 4lx2 - 5ux3

A tableau may still be feasible even if on non-basic variable is not satisfied.

Fast Linear arithmetic – recap

New bound xj u is asserted.Set (xj) min((xj), u)A tableau may still be feasible even if on non-basic variable is not satisfied.

Restore feasible tableau: PivotingExchange basic and non-basic variables in row where basic variable can be fixed.Substitute new basic variable everywhere elseUpdate assignment

Integer Linear Arithmetic

GCD test

Gomory Cut

Branch and Bound

Non-linear arithmeticMostly encountered in SMT applications of Hybrid systems.Decision problem is doubly exponential.Tools:

CAD: Cylindric Algebraic DecompositionGröbner Basis computationSymbolic solutions (using non-standard numerals)

Precise explanations

Precise explanations

TakeawaysChoice of solver (and when to apply it) depends on:

Problem characteristics:Difference logic

Dense difference logic – Floyd Warshall.

Full linear arithmetic

Solver must work in the context of:Backtracking search engineProducing succinct explanations

Application:Spec#/Boogie

http://research.microsoft.com/specsharp

Spec# Approach for a Verifying Compiler

Source Language

C# + goodies = Spec#Specifications

method contracts,invariants,field and type annotations.

Program Logic:

Dijkstra’s weakest preconditions.Automatic Verification

type checking,verification condition generation (VCG),automatic theorem proving (SMT)

Spec# (annotated C#)

Boogie PL

Spec# Compiler

VC Generator

Formulas

Automatic Theorem Prover

A short Demo

Spec#

Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Documents