Formal Methods in Software Development - SMT Solving · Formal Methods in Software Development...

Formal Methods in Software DevelopmentSMT Solving

Mădălina Eraşcu

West University of TimişoaraFaculty of Mathematics and Informatics

Department of Computer Science

Based on slides of the lecture Satisfiability Checking (Erika Ábrahám), RTWH Aachen

WS 2019/2020

Formal Methods in Software Development — Mădălina Eraşcu (WUT - FMI) WS 2019/2020 1 / 30

SMT solving

We want to extend propositional logic with theories.

For satisfiability checking, SAT-solving will be extended toSAT-modulo-theories (SMT) solving.SMT-LIB: language, benchmarks, tutorials, ...SMT-COMP: performance and capabilities of toolsSMT Workshop: held annually


SMT solving

We want to extend propositional logic with theories.For satisfiability checking, SAT-solving will be extended toSAT-modulo-theories (SMT) solving.

SMT-LIB: language, benchmarks, tutorials, ...SMT-COMP: performance and capabilities of toolsSMT Workshop: held annually


SMT solving

We want to extend propositional logic with theories.For satisfiability checking, SAT-solving will be extended toSAT-modulo-theories (SMT) solving.SMT-LIB: language, benchmarks, tutorials, ...SMT-COMP: performance and capabilities of toolsSMT Workshop: held annually


SMT solving

How can such an extension to SMT solving look like?

There are basically two different approaches:Eager SMT solving transforms logical formulas over some theories intosatisfiability-equivalent propositional logic formulas and applies SATsolving. (“Eager” means theory first)Lazy SMT solving uses a SAT solver to find solutions for the Booleanskeleton of the formula, and a theory solver to check satisfiability in theunderlying theory. (“Lazy” means theory later)

Today we will have a closer look at the lazy approach.


SMT solving

How can such an extension to SMT solving look like?There are basically two different approaches:

Eager SMT solving transforms logical formulas over some theories intosatisfiability-equivalent propositional logic formulas and applies SATsolving. (“Eager” means theory first)Lazy SMT solving uses a SAT solver to find solutions for the Booleanskeleton of the formula, and a theory solver to check satisfiability in theunderlying theory. (“Lazy” means theory later)

Today we will have a closer look at the lazy approach.


The Xmas problem

There are three types of Xmas presents Santa Claus can make.Santa Claus wants to reduce the overhead by making only two types.He needs at least 100 presents.He needs at least 5 of either type 1 or type 2.He needs at least 10 of the third type.Each present of type 1, 2, and 3 need 1, 2, resp. 5 minutes to make.Santa Claus is late, and he has only 3 hours left.Each present of type 1, 2, and 3 costs 3, 2, resp. 1 EUR.He has 300 EUR for presents in total.

(p1 = 0 ∨ p2 = 0 ∨ p3 = 0) ∧ p1 + p2 + p3 ≥ 100 ∧(p1 ≥ 5 ∨ p2 ≥ 5) ∧ p3 ≥ 10 ∧ p1 + 2p2 + 5p3 ≤ 180 ∧

3p1 + 2p2 + p3 ≤ 300

Logic: First-order logic over the integers with addition.


The Xmas problem


(p1 = 0 ∨ p2 = 0 ∨ p3 = 0) ∧ p1 + p2 + p3 ≥ 100 ∧(p1 ≥ 5 ∨ p2 ≥ 5) ∧ p3 ≥ 10 ∧ p1 + 2p2 + 5p3 ≤ 180 ∧

3p1 + 2p2 + p3 ≤ 300

Logic:

First-order logic over the integers with addition.


The Xmas problem


(p1 = 0 ∨ p2 = 0 ∨ p3 = 0) ∧ p1 + p2 + p3 ≥ 100 ∧(p1 ≥ 5 ∨ p2 ≥ 5) ∧ p3 ≥ 10 ∧ p1 + 2p2 + 5p3 ≤ 180 ∧

3p1 + 2p2 + p3 ≤ 300

Logic: First-order logic over the integers with addition.Formal Methods in Software Development — Mădălina Eraşcu (WUT - FMI) WS 2019/2020 4 / 30

Lazy SMT-solving

SAT-solver

ϕ

(In)equation set Explanation

Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


Boolean abstraction

(p1 = 0︸︷︷︸a1

∨ p2 = 0︸︷︷︸a2

∨ p3 = 0︸︷︷︸a3

) ∧ p1 + p2 + p3 ≥ 100︸︷︷︸a4

∧

(p1 ≥ 5︸︷︷︸a5

∨ p2 ≥ 5︸︷︷︸a6

) ∧ p3 ≥ 10︸︷︷︸a7

∧ p1 + 2p2 + 5p3 ≤ 180︸︷︷︸a8

∧

3p1 + 2p2 + p3 ≤ 300︸︷︷︸a9

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9

Assume a fixed variable order: a1, . . . , a9Assignment to decision variables: false

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1

Solution found for the Boolean abstraction.


SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 :

a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1

, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1

, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1

, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1

DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 :

a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0

DL2 : a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 :

a2 : 0, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0

, a3 : 1DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1

DL3 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 :

a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9


DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1DL1 : a1 : 0DL2 : a2 : 0, a3 : 1DL3 : a5 : 0

, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9





Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


Theory solving

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1 DL1 : a1 : 0DL2 : a2 : 0, a3 : 1 DL3 : a5 : 0, a6 : 1

True theory constraints: a4, a7, a8, a9, a3, a6

(p1 = 0︸︷︷︸a1

∨ p2 = 0︸︷︷︸a2

∨ p3 = 0︸︷︷︸a3

) ∧ p1 + p2 + p3 ≥ 100︸︷︷︸a4

∧

(p1 ≥ 5︸︷︷︸a5

∨ p2 ≥ 5︸︷︷︸a6

) ∧ p3 ≥ 10︸︷︷︸a7

∧ p1 + 2p2 + 5p3 ≤ 180︸︷︷︸a8

∧

3p1 + 2p2 + p3 ≤ 300︸︷︷︸a9

Encoding:a4 :p1 + p2 + p3 ≥ 100 a7 :p3 ≥ 10 a8 :p1 + 2p2 + 5p3 ≤ 180a9 :3p1 + 2p2 + p3 ≤ 300 a3 :p3 = 0 a6 :p2 ≥ 5


Theory solving

Is the conjunction of the following constraints satisfiable?a4 :p1 + p2 + p3 ≥ 100a7 :p3 ≥ 10a8 :p1 + 2p2 + 5p3 ≤ 180a9 :3p1 + 2p2 + p3 ≤ 300a3 :p3 = 0a6 :p2 ≥ 5

No.Reason: p3 = 0︸︷︷︸

a3

∧ p3 ≥ 10︸︷︷︸a7

are conflicting.


Theory solving


No.

Reason: p3 = 0︸︷︷︸a3

∧ p3 ≥ 10︸︷︷︸a7

are conflicting.


Theory solving


No.Reason:

p3 = 0︸︷︷︸a3

∧ p3 ≥ 10︸︷︷︸a7

are conflicting.


Theory solving



a3

∧ p3 ≥ 10︸︷︷︸a7

are conflicting.


Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


SAT-solving

Add clause (¬a3 ∨ ¬a7).

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1

, a3 : 0DL1 : a1 : 0, a2 : 1DL2 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0

DL1 : a1 : 0, a2 : 1DL2 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 :

a1 : 0, a2 : 1DL2 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0

, a2 : 1DL2 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1

DL2 : a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1DL2 :

a5 : 0, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1DL2 : a5 : 0

, a6 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1DL2 : a5 : 0, a6 : 1



Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


Theory solving

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0 DL1 : a1 : 0, a2 : 1DL2 : a5 : 0, a6 : 1


(p1 = 0︸︷︷︸a1

∨ p2 = 0︸︷︷︸a2

∨ p3 = 0︸︷︷︸a3

) ∧ p1 + p2 + p3 ≥ 100︸︷︷︸a4

∧

(p1 ≥ 5︸︷︷︸a5

∨ p2 ≥ 5︸︷︷︸a6

) ∧ p3 ≥ 10︸︷︷︸a7

∧ p1 + 2p2 + 5p3 ≤ 180︸︷︷︸a8

∧

3p1 + 2p2 + p3 ≤ 300︸︷︷︸a9

∧(¬a3 ∨ ¬a7)



Theory solving



a2

∧ p2 ≥ 5︸︷︷︸a6

are conflicting.


Theory solving


No.

Reason: p2 = 0︸︷︷︸a2

∧ p2 ≥ 5︸︷︷︸a6

are conflicting.


Theory solving


No.Reason:

p2 = 0︸︷︷︸a2

∧ p2 ≥ 5︸︷︷︸a6

are conflicting.


Theory solving



a2

∧ p2 ≥ 5︸︷︷︸a6

are conflicting.


Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


SAT-solving

Add clause (¬a2 ∨ ¬a6).

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7) ∧(¬a2 ∨ ¬a6)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1DL2 : a5 : 0, a6 : 1


SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7) ∧(¬a2 ∨ ¬a6)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1

, a6 : 0, a5 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7) ∧(¬a2 ∨ ¬a6)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1, a6 : 0

, a5 : 1



SAT-solving

(a1 ∨ a2 ∨ a3) ∧ a4 ∧ (a5 ∨ a6) ∧ a7 ∧ a8 ∧ a9 ∧ (¬a3 ∨ ¬a7) ∧(¬a2 ∨ ¬a6)

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0DL1 : a1 : 0, a2 : 1, a6 : 0, a5 : 1



Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


Theory solving

DL0 : a4 : 1, a7 : 1, a8 : 1, a9 : 1, a3 : 0 DL1 : a1 : 0, a2 : 1, a6 : 0, a5 : 1


(p1 = 0︸︷︷︸a1

∨ p2 = 0︸︷︷︸a2

∨ p3 = 0︸︷︷︸a3

) ∧ p1 + p2 + p3 ≥ 100︸︷︷︸a4

∧

(p1 ≥ 5︸︷︷︸a5

∨ p2 ≥ 5︸︷︷︸a6

) ∧ p3 ≥ 10︸︷︷︸a7

∧ p1 + 2p2 + 5p3 ≤ 180︸︷︷︸a8

∧

3p1 + 2p2 + p3 ≤ 300︸︷︷︸a9

∧(¬a3 ∨ ¬a7) ∧ (¬a2 ∨ ¬a6)



Theory solving


Yes. E.g., p1 = 90, p2 = 0, p3 = 10 is a solution.


Theory solving


Yes.

E.g., p1 = 90, p2 = 0, p3 = 10 is a solution.


Theory solving


Yes. E.g.,

p1 = 90, p2 = 0, p3 = 10 is a solution.


Theory solving


Yes. E.g., p1 = 90, p2 = 0, p3 = 10 is a solution.


Lazy SMT-solving

SAT-solver

ϕ


Theory solver

UNSAT

SAT

Boolean abstraction

satisfiable

unsatisfiable

unsatisfiable

satisfiable


Lazy SMT-solving

Input: Quantifier-free FO logic formula ϕ over some theories in CNF without anynegationOutput: Is ϕ SAT (+model) or UNSAT?Let C be the set of all theory constraints in ϕLet P = {pc |c ∈ C} be a set of fresh atomic propositions (fresh means not appearingin ϕ)Let µ : C → P be the bijective function with µ(c) = pc and µ−1(pc) = c

For each formula ϕ′ with constraints from C we define the Boolean abstraction (orBoolean skeleton) µ(ϕ′) of ϕ′ under µ to be the propositional logic formula we get byreplacing each theory constraint c in ϕ′ by µ(c)


Lazy SMT-solving

Input: Quantifier-free FO logic formula ϕ over some theories in CNF without anynegationOuput: Is ϕ SAT (+model) or UNSAT?

1 Build the Boolean skeleton (also called Boolean abstraction) ϕabs of the inputformula ϕ by replacing each theory constraint c ∈ C in ϕ by µ(c)

2 Search for a solution for ϕabs (using SAT solving)3 If there is no solution for ϕabs then the input formula ϕ is unsatisfiable4 Otherwise, given a solution α : P → {0, 1} for ϕabs, check the set of all true theory

constraints Cµ := {c ∈ C |α(µ(c)) = 1} for consistency5 If they are consistent then input formula is satisfiable6 Otherwise, compute an explanation for the inconsistency in form of CNF formula with

constraints from C implying that the constraints in Cµ cannot be all true7 Learn the Boolean abstraction E of the theory lemma by setting ϕabs := ϕabs ∧ E8 Apply conflict resolution if the learnt clause is not asserting9 Goto 2


Less lazy SMT-solving

SAT solver

input formula in CNF

(in)equation set (partial) SAT orunsat + explanation

theory solver(s)

solution orunsat

SAT orUNSAT

Boolean abstraction

(partial) solution


Requirements on the theory solver

1 Incrementality: In less lazy solving we extend the set of constraints.The solver should make use of the previous satisfiability check for thecheck of the extended set.

2 (Preferably minimal) infeasible subsets: Compute a reason forunsatisfaction

3 Backtracking: The theory solver should be able to remove constraintsin inverse chronological order.


More involved SMT-structures

This approach strictly divides between logical (Boolean) structure andtheory constraints.There are other approaches, which do not divide Boolean and theorysolving so strictly.One idea: Propagate in the SAT-solver bounds on theory variables.


Exercise

Decide if the following formula is SAT or UNSAT:(x1 > 0 ∨ x4 > 0) ∧ (x1 > 0 ∨ ¬x3 > 0 ∨ ¬x8 > 0) ∧ (x1 > 0 ∨ x8 >0 ∨ x12 > 0) ∧ (x2 > 0 ∨ x11 > 0) ∧ (¬x7 > 0 ∨ ¬x3 > 0 ∨ x9 >0) ∧ (¬x7 > 0 ∨ x8 ∨ ¬x9 > 0) ∧ (x7 > 0 ∨ x8 > 0 ∨ ¬x10 > 0) ∧ (x7 >0 ∨ x10 > 0 ∨ ¬x12 > 0)


Formal Methods in Software Development - SMT Solving · Formal Methods in Software Development...

Documents

Transcript of Formal Methods in Software Development - SMT Solving · Formal Methods in Software Development...